codeslick-cli 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (455) hide show
  1. package/README.md +458 -0
  2. package/__tests__/cli-reporter.test.ts +86 -0
  3. package/__tests__/config-loader.test.ts +247 -0
  4. package/__tests__/local-scanner.test.ts +245 -0
  5. package/bin/codeslick.cjs +153 -0
  6. package/dist/packages/cli/src/commands/auth.d.ts +36 -0
  7. package/dist/packages/cli/src/commands/auth.d.ts.map +1 -0
  8. package/dist/packages/cli/src/commands/auth.js +226 -0
  9. package/dist/packages/cli/src/commands/auth.js.map +1 -0
  10. package/dist/packages/cli/src/commands/config.d.ts +37 -0
  11. package/dist/packages/cli/src/commands/config.d.ts.map +1 -0
  12. package/dist/packages/cli/src/commands/config.js +196 -0
  13. package/dist/packages/cli/src/commands/config.js.map +1 -0
  14. package/dist/packages/cli/src/commands/init.d.ts +32 -0
  15. package/dist/packages/cli/src/commands/init.d.ts.map +1 -0
  16. package/dist/packages/cli/src/commands/init.js +171 -0
  17. package/dist/packages/cli/src/commands/init.js.map +1 -0
  18. package/dist/packages/cli/src/commands/scan.d.ts +40 -0
  19. package/dist/packages/cli/src/commands/scan.d.ts.map +1 -0
  20. package/dist/packages/cli/src/commands/scan.js +204 -0
  21. package/dist/packages/cli/src/commands/scan.js.map +1 -0
  22. package/dist/packages/cli/src/config/config-loader.d.ts +67 -0
  23. package/dist/packages/cli/src/config/config-loader.d.ts.map +1 -0
  24. package/dist/packages/cli/src/config/config-loader.js +146 -0
  25. package/dist/packages/cli/src/config/config-loader.js.map +1 -0
  26. package/dist/packages/cli/src/reporters/cli-reporter.d.ts +69 -0
  27. package/dist/packages/cli/src/reporters/cli-reporter.d.ts.map +1 -0
  28. package/dist/packages/cli/src/reporters/cli-reporter.js +244 -0
  29. package/dist/packages/cli/src/reporters/cli-reporter.js.map +1 -0
  30. package/dist/packages/cli/src/scanner/local-scanner.d.ts +92 -0
  31. package/dist/packages/cli/src/scanner/local-scanner.d.ts.map +1 -0
  32. package/dist/packages/cli/src/scanner/local-scanner.js +221 -0
  33. package/dist/packages/cli/src/scanner/local-scanner.js.map +1 -0
  34. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts +88 -0
  35. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts.map +1 -0
  36. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js +371 -0
  37. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js.map +1 -0
  38. package/dist/src/lib/analyzers/helpers/jsx-helpers.d.ts +63 -0
  39. package/dist/src/lib/analyzers/helpers/jsx-helpers.d.ts.map +1 -0
  40. package/dist/src/lib/analyzers/helpers/jsx-helpers.js +95 -0
  41. package/dist/src/lib/analyzers/helpers/jsx-helpers.js.map +1 -0
  42. package/dist/src/lib/analyzers/helpers/variable-tracker.d.ts +59 -0
  43. package/dist/src/lib/analyzers/helpers/variable-tracker.d.ts.map +1 -0
  44. package/dist/src/lib/analyzers/helpers/variable-tracker.js +231 -0
  45. package/dist/src/lib/analyzers/helpers/variable-tracker.js.map +1 -0
  46. package/dist/src/lib/analyzers/java/security-checks/access-control.d.ts +20 -0
  47. package/dist/src/lib/analyzers/java/security-checks/access-control.d.ts.map +1 -0
  48. package/dist/src/lib/analyzers/java/security-checks/access-control.js +129 -0
  49. package/dist/src/lib/analyzers/java/security-checks/access-control.js.map +1 -0
  50. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts +25 -0
  51. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts.map +1 -0
  52. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js +221 -0
  53. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js.map +1 -0
  54. package/dist/src/lib/analyzers/java/security-checks/code-quality.d.ts +18 -0
  55. package/dist/src/lib/analyzers/java/security-checks/code-quality.d.ts.map +1 -0
  56. package/dist/src/lib/analyzers/java/security-checks/code-quality.js +84 -0
  57. package/dist/src/lib/analyzers/java/security-checks/code-quality.js.map +1 -0
  58. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.d.ts +18 -0
  59. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.d.ts.map +1 -0
  60. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.js +161 -0
  61. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.js.map +1 -0
  62. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.d.ts +20 -0
  63. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.d.ts.map +1 -0
  64. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.js +163 -0
  65. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.js.map +1 -0
  66. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts +24 -0
  67. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  68. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js +178 -0
  69. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js.map +1 -0
  70. package/dist/src/lib/analyzers/java/security-checks/exception-handling.d.ts +25 -0
  71. package/dist/src/lib/analyzers/java/security-checks/exception-handling.d.ts.map +1 -0
  72. package/dist/src/lib/analyzers/java/security-checks/exception-handling.js +179 -0
  73. package/dist/src/lib/analyzers/java/security-checks/exception-handling.js.map +1 -0
  74. package/dist/src/lib/analyzers/java/security-checks/file-operations.d.ts +17 -0
  75. package/dist/src/lib/analyzers/java/security-checks/file-operations.d.ts.map +1 -0
  76. package/dist/src/lib/analyzers/java/security-checks/file-operations.js +67 -0
  77. package/dist/src/lib/analyzers/java/security-checks/file-operations.js.map +1 -0
  78. package/dist/src/lib/analyzers/java/security-checks/framework-security.d.ts +25 -0
  79. package/dist/src/lib/analyzers/java/security-checks/framework-security.d.ts.map +1 -0
  80. package/dist/src/lib/analyzers/java/security-checks/framework-security.js +396 -0
  81. package/dist/src/lib/analyzers/java/security-checks/framework-security.js.map +1 -0
  82. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.d.ts +20 -0
  83. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.d.ts.map +1 -0
  84. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.js +123 -0
  85. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.js.map +1 -0
  86. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts +23 -0
  87. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts.map +1 -0
  88. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js +201 -0
  89. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js.map +1 -0
  90. package/dist/src/lib/analyzers/java/security-checks/insecure-design.d.ts +20 -0
  91. package/dist/src/lib/analyzers/java/security-checks/insecure-design.d.ts.map +1 -0
  92. package/dist/src/lib/analyzers/java/security-checks/insecure-design.js +121 -0
  93. package/dist/src/lib/analyzers/java/security-checks/insecure-design.js.map +1 -0
  94. package/dist/src/lib/analyzers/java/security-checks/logging-failures.d.ts +20 -0
  95. package/dist/src/lib/analyzers/java/security-checks/logging-failures.d.ts.map +1 -0
  96. package/dist/src/lib/analyzers/java/security-checks/logging-failures.js +89 -0
  97. package/dist/src/lib/analyzers/java/security-checks/logging-failures.js.map +1 -0
  98. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.d.ts +26 -0
  99. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.d.ts.map +1 -0
  100. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.js +309 -0
  101. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.js.map +1 -0
  102. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.d.ts +18 -0
  103. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.d.ts.map +1 -0
  104. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.js +114 -0
  105. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.js.map +1 -0
  106. package/dist/src/lib/analyzers/java/utils/createVulnerability.d.ts +58 -0
  107. package/dist/src/lib/analyzers/java/utils/createVulnerability.d.ts.map +1 -0
  108. package/dist/src/lib/analyzers/java/utils/createVulnerability.js +71 -0
  109. package/dist/src/lib/analyzers/java/utils/createVulnerability.js.map +1 -0
  110. package/dist/src/lib/analyzers/java-analyzer.d.ts +209 -0
  111. package/dist/src/lib/analyzers/java-analyzer.d.ts.map +1 -0
  112. package/dist/src/lib/analyzers/java-analyzer.js +1720 -0
  113. package/dist/src/lib/analyzers/java-analyzer.js.map +1 -0
  114. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.d.ts +27 -0
  115. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.d.ts.map +1 -0
  116. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.js +123 -0
  117. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.js.map +1 -0
  118. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.d.ts +44 -0
  119. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.d.ts.map +1 -0
  120. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.js +224 -0
  121. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.js.map +1 -0
  122. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.d.ts +50 -0
  123. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.d.ts.map +1 -0
  124. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.js +284 -0
  125. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.js.map +1 -0
  126. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.d.ts +27 -0
  127. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.d.ts.map +1 -0
  128. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.js +86 -0
  129. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.js.map +1 -0
  130. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.d.ts +32 -0
  131. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.d.ts.map +1 -0
  132. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.js +44 -0
  133. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.js.map +1 -0
  134. package/dist/src/lib/analyzers/javascript/security-checks/access-control.d.ts +22 -0
  135. package/dist/src/lib/analyzers/javascript/security-checks/access-control.d.ts.map +1 -0
  136. package/dist/src/lib/analyzers/javascript/security-checks/access-control.js +168 -0
  137. package/dist/src/lib/analyzers/javascript/security-checks/access-control.js.map +1 -0
  138. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts +25 -0
  139. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts.map +1 -0
  140. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js +232 -0
  141. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js.map +1 -0
  142. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.d.ts +27 -0
  143. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.d.ts.map +1 -0
  144. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.js +222 -0
  145. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.js.map +1 -0
  146. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts +28 -0
  147. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts.map +1 -0
  148. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js +176 -0
  149. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js.map +1 -0
  150. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts +23 -0
  151. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  152. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js +113 -0
  153. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js.map +1 -0
  154. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts +28 -0
  155. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts.map +1 -0
  156. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.js +227 -0
  157. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.js.map +1 -0
  158. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.d.ts +32 -0
  159. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.d.ts.map +1 -0
  160. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.js +260 -0
  161. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.js.map +1 -0
  162. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.d.ts +26 -0
  163. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.d.ts.map +1 -0
  164. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.js +164 -0
  165. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.js.map +1 -0
  166. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.d.ts +26 -0
  167. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.d.ts.map +1 -0
  168. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.js +775 -0
  169. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.js.map +1 -0
  170. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.d.ts +25 -0
  171. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.d.ts.map +1 -0
  172. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.js +168 -0
  173. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.js.map +1 -0
  174. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.d.ts +27 -0
  175. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.d.ts.map +1 -0
  176. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.js +108 -0
  177. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.js.map +1 -0
  178. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.d.ts +28 -0
  179. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.d.ts.map +1 -0
  180. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.js +143 -0
  181. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.js.map +1 -0
  182. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.d.ts +53 -0
  183. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.d.ts.map +1 -0
  184. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.js +144 -0
  185. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.js.map +1 -0
  186. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.d.ts +72 -0
  187. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.d.ts.map +1 -0
  188. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.js +314 -0
  189. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.js.map +1 -0
  190. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.d.ts +58 -0
  191. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.d.ts.map +1 -0
  192. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.js +71 -0
  193. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.js.map +1 -0
  194. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.d.ts +36 -0
  195. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.d.ts.map +1 -0
  196. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.js +70 -0
  197. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.js.map +1 -0
  198. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.d.ts +29 -0
  199. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.d.ts.map +1 -0
  200. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.js +55 -0
  201. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.js.map +1 -0
  202. package/dist/src/lib/analyzers/javascript-analyzer.d.ts +95 -0
  203. package/dist/src/lib/analyzers/javascript-analyzer.d.ts.map +1 -0
  204. package/dist/src/lib/analyzers/javascript-analyzer.js +2141 -0
  205. package/dist/src/lib/analyzers/javascript-analyzer.js.map +1 -0
  206. package/dist/src/lib/analyzers/python/security-checks/access-control.d.ts +21 -0
  207. package/dist/src/lib/analyzers/python/security-checks/access-control.d.ts.map +1 -0
  208. package/dist/src/lib/analyzers/python/security-checks/access-control.js +305 -0
  209. package/dist/src/lib/analyzers/python/security-checks/access-control.js.map +1 -0
  210. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts +25 -0
  211. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts.map +1 -0
  212. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js +242 -0
  213. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js.map +1 -0
  214. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.d.ts +24 -0
  215. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.d.ts.map +1 -0
  216. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.js +207 -0
  217. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.js.map +1 -0
  218. package/dist/src/lib/analyzers/python/security-checks/code-quality.d.ts +27 -0
  219. package/dist/src/lib/analyzers/python/security-checks/code-quality.d.ts.map +1 -0
  220. package/dist/src/lib/analyzers/python/security-checks/code-quality.js +206 -0
  221. package/dist/src/lib/analyzers/python/security-checks/code-quality.js.map +1 -0
  222. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts +24 -0
  223. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts.map +1 -0
  224. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js +113 -0
  225. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js.map +1 -0
  226. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.d.ts +20 -0
  227. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.d.ts.map +1 -0
  228. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.js +129 -0
  229. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.js.map +1 -0
  230. package/dist/src/lib/analyzers/python/security-checks/data-integrity.d.ts +19 -0
  231. package/dist/src/lib/analyzers/python/security-checks/data-integrity.d.ts.map +1 -0
  232. package/dist/src/lib/analyzers/python/security-checks/data-integrity.js +90 -0
  233. package/dist/src/lib/analyzers/python/security-checks/data-integrity.js.map +1 -0
  234. package/dist/src/lib/analyzers/python/security-checks/deserialization.d.ts +20 -0
  235. package/dist/src/lib/analyzers/python/security-checks/deserialization.d.ts.map +1 -0
  236. package/dist/src/lib/analyzers/python/security-checks/deserialization.js +68 -0
  237. package/dist/src/lib/analyzers/python/security-checks/deserialization.js.map +1 -0
  238. package/dist/src/lib/analyzers/python/security-checks/django-security.d.ts +25 -0
  239. package/dist/src/lib/analyzers/python/security-checks/django-security.d.ts.map +1 -0
  240. package/dist/src/lib/analyzers/python/security-checks/django-security.js +180 -0
  241. package/dist/src/lib/analyzers/python/security-checks/django-security.js.map +1 -0
  242. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts +23 -0
  243. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  244. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js +127 -0
  245. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js.map +1 -0
  246. package/dist/src/lib/analyzers/python/security-checks/exception-handling.d.ts +23 -0
  247. package/dist/src/lib/analyzers/python/security-checks/exception-handling.d.ts.map +1 -0
  248. package/dist/src/lib/analyzers/python/security-checks/exception-handling.js +120 -0
  249. package/dist/src/lib/analyzers/python/security-checks/exception-handling.js.map +1 -0
  250. package/dist/src/lib/analyzers/python/security-checks/flask-security.d.ts +24 -0
  251. package/dist/src/lib/analyzers/python/security-checks/flask-security.d.ts.map +1 -0
  252. package/dist/src/lib/analyzers/python/security-checks/flask-security.js +143 -0
  253. package/dist/src/lib/analyzers/python/security-checks/flask-security.js.map +1 -0
  254. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts +28 -0
  255. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts.map +1 -0
  256. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js +174 -0
  257. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js.map +1 -0
  258. package/dist/src/lib/analyzers/python/security-checks/insecure-design.d.ts +20 -0
  259. package/dist/src/lib/analyzers/python/security-checks/insecure-design.d.ts.map +1 -0
  260. package/dist/src/lib/analyzers/python/security-checks/insecure-design.js +160 -0
  261. package/dist/src/lib/analyzers/python/security-checks/insecure-design.js.map +1 -0
  262. package/dist/src/lib/analyzers/python/security-checks/logging-failures.d.ts +20 -0
  263. package/dist/src/lib/analyzers/python/security-checks/logging-failures.d.ts.map +1 -0
  264. package/dist/src/lib/analyzers/python/security-checks/logging-failures.js +121 -0
  265. package/dist/src/lib/analyzers/python/security-checks/logging-failures.js.map +1 -0
  266. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.d.ts +26 -0
  267. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.d.ts.map +1 -0
  268. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.js +248 -0
  269. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.js.map +1 -0
  270. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.d.ts +26 -0
  271. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.d.ts.map +1 -0
  272. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.js +375 -0
  273. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.js.map +1 -0
  274. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.d.ts +26 -0
  275. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.d.ts.map +1 -0
  276. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.js +160 -0
  277. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.js.map +1 -0
  278. package/dist/src/lib/analyzers/python/security-checks/web-security.d.ts +23 -0
  279. package/dist/src/lib/analyzers/python/security-checks/web-security.d.ts.map +1 -0
  280. package/dist/src/lib/analyzers/python/security-checks/web-security.js +117 -0
  281. package/dist/src/lib/analyzers/python/security-checks/web-security.js.map +1 -0
  282. package/dist/src/lib/analyzers/python/utils/createVulnerability.d.ts +58 -0
  283. package/dist/src/lib/analyzers/python/utils/createVulnerability.d.ts.map +1 -0
  284. package/dist/src/lib/analyzers/python/utils/createVulnerability.js +71 -0
  285. package/dist/src/lib/analyzers/python/utils/createVulnerability.js.map +1 -0
  286. package/dist/src/lib/analyzers/python-analyzer.d.ts +111 -0
  287. package/dist/src/lib/analyzers/python-analyzer.d.ts.map +1 -0
  288. package/dist/src/lib/analyzers/python-analyzer.js +1600 -0
  289. package/dist/src/lib/analyzers/python-analyzer.js.map +1 -0
  290. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.d.ts +14 -0
  291. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.d.ts.map +1 -0
  292. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.js +47 -0
  293. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.js.map +1 -0
  294. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.d.ts +13 -0
  295. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.d.ts.map +1 -0
  296. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js +36 -0
  297. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js.map +1 -0
  298. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.d.ts +15 -0
  299. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.d.ts.map +1 -0
  300. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.js +68 -0
  301. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.js.map +1 -0
  302. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.d.ts +15 -0
  303. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.d.ts.map +1 -0
  304. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js +68 -0
  305. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js.map +1 -0
  306. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.d.ts +12 -0
  307. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.d.ts.map +1 -0
  308. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.js +45 -0
  309. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.js.map +1 -0
  310. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.d.ts +14 -0
  311. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.d.ts.map +1 -0
  312. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js +47 -0
  313. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js.map +1 -0
  314. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.d.ts +13 -0
  315. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.d.ts.map +1 -0
  316. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.js +36 -0
  317. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.js.map +1 -0
  318. package/dist/src/lib/analyzers/secrets/patterns/api-keys.d.ts +15 -0
  319. package/dist/src/lib/analyzers/secrets/patterns/api-keys.d.ts.map +1 -0
  320. package/dist/src/lib/analyzers/secrets/patterns/api-keys.js +32 -0
  321. package/dist/src/lib/analyzers/secrets/patterns/api-keys.js.map +1 -0
  322. package/dist/src/lib/analyzers/secrets/patterns/credentials.d.ts +15 -0
  323. package/dist/src/lib/analyzers/secrets/patterns/credentials.d.ts.map +1 -0
  324. package/dist/src/lib/analyzers/secrets/patterns/credentials.js +68 -0
  325. package/dist/src/lib/analyzers/secrets/patterns/credentials.js.map +1 -0
  326. package/dist/src/lib/analyzers/secrets/patterns/private-keys.d.ts +16 -0
  327. package/dist/src/lib/analyzers/secrets/patterns/private-keys.d.ts.map +1 -0
  328. package/dist/src/lib/analyzers/secrets/patterns/private-keys.js +79 -0
  329. package/dist/src/lib/analyzers/secrets/patterns/private-keys.js.map +1 -0
  330. package/dist/src/lib/analyzers/secrets/patterns/tokens.d.ts +15 -0
  331. package/dist/src/lib/analyzers/secrets/patterns/tokens.d.ts.map +1 -0
  332. package/dist/src/lib/analyzers/secrets/patterns/tokens.js +58 -0
  333. package/dist/src/lib/analyzers/secrets/patterns/tokens.js.map +1 -0
  334. package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts +88 -0
  335. package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts.map +1 -0
  336. package/dist/src/lib/analyzers/secrets/secrets-analyzer.js +162 -0
  337. package/dist/src/lib/analyzers/secrets/secrets-analyzer.js.map +1 -0
  338. package/dist/src/lib/analyzers/secrets/validators/context-checker.d.ts +56 -0
  339. package/dist/src/lib/analyzers/secrets/validators/context-checker.d.ts.map +1 -0
  340. package/dist/src/lib/analyzers/secrets/validators/context-checker.js +199 -0
  341. package/dist/src/lib/analyzers/secrets/validators/context-checker.js.map +1 -0
  342. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.d.ts +56 -0
  343. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.d.ts.map +1 -0
  344. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.js +102 -0
  345. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.js.map +1 -0
  346. package/dist/src/lib/analyzers/security-checks/es6-security.d.ts +38 -0
  347. package/dist/src/lib/analyzers/security-checks/es6-security.d.ts.map +1 -0
  348. package/dist/src/lib/analyzers/security-checks/es6-security.js +125 -0
  349. package/dist/src/lib/analyzers/security-checks/es6-security.js.map +1 -0
  350. package/dist/src/lib/analyzers/security-checks/python-async-security.d.ts +46 -0
  351. package/dist/src/lib/analyzers/security-checks/python-async-security.d.ts.map +1 -0
  352. package/dist/src/lib/analyzers/security-checks/python-async-security.js +92 -0
  353. package/dist/src/lib/analyzers/security-checks/python-async-security.js.map +1 -0
  354. package/dist/src/lib/analyzers/security-checks/react-security.d.ts +49 -0
  355. package/dist/src/lib/analyzers/security-checks/react-security.d.ts.map +1 -0
  356. package/dist/src/lib/analyzers/security-checks/react-security.js +125 -0
  357. package/dist/src/lib/analyzers/security-checks/react-security.js.map +1 -0
  358. package/dist/src/lib/analyzers/types.d.ts +92 -0
  359. package/dist/src/lib/analyzers/types.d.ts.map +1 -0
  360. package/dist/src/lib/analyzers/types.js +3 -0
  361. package/dist/src/lib/analyzers/types.js.map +1 -0
  362. package/dist/src/lib/analyzers/typescript/security-checks/access-control.d.ts +19 -0
  363. package/dist/src/lib/analyzers/typescript/security-checks/access-control.d.ts.map +1 -0
  364. package/dist/src/lib/analyzers/typescript/security-checks/access-control.js +210 -0
  365. package/dist/src/lib/analyzers/typescript/security-checks/access-control.js.map +1 -0
  366. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts +25 -0
  367. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts.map +1 -0
  368. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js +242 -0
  369. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js.map +1 -0
  370. package/dist/src/lib/analyzers/typescript/security-checks/authentication.d.ts +28 -0
  371. package/dist/src/lib/analyzers/typescript/security-checks/authentication.d.ts.map +1 -0
  372. package/dist/src/lib/analyzers/typescript/security-checks/authentication.js +357 -0
  373. package/dist/src/lib/analyzers/typescript/security-checks/authentication.js.map +1 -0
  374. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.d.ts +26 -0
  375. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.d.ts.map +1 -0
  376. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.js +380 -0
  377. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.js.map +1 -0
  378. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.d.ts +23 -0
  379. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.d.ts.map +1 -0
  380. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.js +109 -0
  381. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.js.map +1 -0
  382. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.d.ts +21 -0
  383. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.d.ts.map +1 -0
  384. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js +153 -0
  385. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js.map +1 -0
  386. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts +23 -0
  387. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  388. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js +146 -0
  389. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js.map +1 -0
  390. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.d.ts +23 -0
  391. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.d.ts.map +1 -0
  392. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.js +187 -0
  393. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.js.map +1 -0
  394. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.d.ts +19 -0
  395. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.d.ts.map +1 -0
  396. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.js +97 -0
  397. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.js.map +1 -0
  398. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts +29 -0
  399. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts.map +1 -0
  400. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js +319 -0
  401. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js.map +1 -0
  402. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.d.ts +21 -0
  403. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.d.ts.map +1 -0
  404. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.js +121 -0
  405. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.js.map +1 -0
  406. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts +27 -0
  407. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts.map +1 -0
  408. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js +213 -0
  409. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js.map +1 -0
  410. package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts +19 -0
  411. package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts.map +1 -0
  412. package/dist/src/lib/analyzers/typescript/security-checks/type-security.js +59 -0
  413. package/dist/src/lib/analyzers/typescript/security-checks/type-security.js.map +1 -0
  414. package/dist/src/lib/analyzers/typescript/type-checker.d.ts +17 -0
  415. package/dist/src/lib/analyzers/typescript/type-checker.d.ts.map +1 -0
  416. package/dist/src/lib/analyzers/typescript/type-checker.js +515 -0
  417. package/dist/src/lib/analyzers/typescript/type-checker.js.map +1 -0
  418. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.d.ts +58 -0
  419. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.d.ts.map +1 -0
  420. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.js +71 -0
  421. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.js.map +1 -0
  422. package/dist/src/lib/analyzers/typescript-analyzer.d.ts +116 -0
  423. package/dist/src/lib/analyzers/typescript-analyzer.d.ts.map +1 -0
  424. package/dist/src/lib/analyzers/typescript-analyzer.js +1660 -0
  425. package/dist/src/lib/analyzers/typescript-analyzer.js.map +1 -0
  426. package/dist/src/lib/security/compliance-mapping.d.ts +29 -0
  427. package/dist/src/lib/security/compliance-mapping.d.ts.map +1 -0
  428. package/dist/src/lib/security/compliance-mapping.js +1342 -0
  429. package/dist/src/lib/security/compliance-mapping.js.map +1 -0
  430. package/dist/src/lib/security/severity-scoring.d.ts +47 -0
  431. package/dist/src/lib/security/severity-scoring.d.ts.map +1 -0
  432. package/dist/src/lib/security/severity-scoring.js +965 -0
  433. package/dist/src/lib/security/severity-scoring.js.map +1 -0
  434. package/dist/src/lib/standards/references.d.ts +16 -0
  435. package/dist/src/lib/standards/references.d.ts.map +1 -0
  436. package/dist/src/lib/standards/references.js +1161 -0
  437. package/dist/src/lib/standards/references.js.map +1 -0
  438. package/dist/src/lib/types/index.d.ts +167 -0
  439. package/dist/src/lib/types/index.d.ts.map +1 -0
  440. package/dist/src/lib/types/index.js +3 -0
  441. package/dist/src/lib/types/index.js.map +1 -0
  442. package/dist/src/lib/utils/code-cleaner.d.ts +59 -0
  443. package/dist/src/lib/utils/code-cleaner.d.ts.map +1 -0
  444. package/dist/src/lib/utils/code-cleaner.js +283 -0
  445. package/dist/src/lib/utils/code-cleaner.js.map +1 -0
  446. package/package.json +51 -0
  447. package/src/commands/auth.ts +308 -0
  448. package/src/commands/config.ts +226 -0
  449. package/src/commands/init.ts +202 -0
  450. package/src/commands/scan.ts +238 -0
  451. package/src/config/config-loader.ts +175 -0
  452. package/src/reporters/cli-reporter.ts +282 -0
  453. package/src/scanner/local-scanner.ts +250 -0
  454. package/tsconfig.json +24 -0
  455. package/tsconfig.tsbuildinfo +1 -0
package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.js ADDED
@@ -0,0 +1,222 @@
1
+ "use strict";
2
+ /**
3
+ * JavaScript Authentication Failures Security Checks
4
+ * OWASP A07:2025 - Identification and Authentication Failures
5
+ *
6
+ * Detects missing MFA/2FA and lack of rate limiting on authentication endpoints.
7
+ * Phase 7B Week 3 Day 11: Cross-language authentication checks
8
+ */
9
+ Object.defineProperty(exports, "__esModule", { value: true });
10
+ exports.checkAuthenticationFailures = checkAuthenticationFailures;
11
+ const createVulnerability_1 = require("../utils/createVulnerability");
12
+ /**
13
+ * Checks for authentication failure vulnerabilities in JavaScript code
14
+ *
15
+ * Covers (Enhanced Dec 30, 2025 - Phase 2):
16
+ * - Check #94: Missing MFA/2FA on login endpoints (MEDIUM)
17
+ * - Check #95: No rate limiting on login routes (MEDIUM)
18
+ * - Check #96: Plain-text password storage (CRITICAL) - NEW
19
+ * - Check #97: Weak password comparison (HIGH) - NEW
20
+ * - Check #98: Missing password hashing (CRITICAL) - NEW
21
+ * - Check #99: Session fixation vulnerability (HIGH) - NEW
22
+ * - Check #100: JWT without expiration (HIGH) - NEW
23
+ * - Check #101: Insecure session timeout (MEDIUM) - NEW
24
+ * - Check #102: Weak password requirements (LOW) - NEW
25
+ *
26
+ * @param lines - Array of code lines
27
+ * @returns Array of security vulnerabilities found
28
+ */
29
+ function checkAuthenticationFailures(lines) {
30
+ const vulnerabilities = [];
31
+ let inMultiLineComment = false;
32
+ lines.forEach((line, index) => {
33
+ const lineNumber = index + 1;
34
+ const trimmed = line.trim();
35
+ // Track multi-line comment blocks (/* ... */)
36
+ if (trimmed.includes('/*')) {
37
+ inMultiLineComment = true;
38
+ }
39
+ if (trimmed.includes('*/')) {
40
+ inMultiLineComment = false;
41
+ return;
42
+ }
43
+ // Skip comments and empty lines
44
+ if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*'))
45
+ return;
46
+ // OWASP A07:2025 - Authentication Failures
47
+ // Check #94: Missing MFA/2FA - MEDIUM
48
+ // Pattern: Login routes that authenticate but don't check MFA
49
+ const loginRoutePattern = /\.(post|put)\s*\(\s*['"`]\/(login|auth|signin)/i;
50
+ if (trimmed.match(loginRoutePattern)) {
51
+ // Check next 20 lines for MFA verification
52
+ const nextLines = lines.slice(index, Math.min(index + 20, lines.length));
53
+ const hasMfaCheck = nextLines.some(l => {
54
+ const lowerLine = l.toLowerCase();
55
+ return lowerLine.includes('totp') ||
56
+ lowerLine.includes('mfa') ||
57
+ lowerLine.includes('2fa') ||
58
+ lowerLine.includes('twofa') ||
59
+ lowerLine.includes('twofactor') ||
60
+ lowerLine.includes('otp') ||
61
+ lowerLine.includes('verifycode') ||
62
+ lowerLine.includes('authenticationcode');
63
+ });
64
+ if (!hasMfaCheck) {
65
+ vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('missing-mfa', 'Login endpoint missing multi-factor authentication (MFA/2FA)', 'Implement MFA: Verify TOTP/SMS code after password validation', lineNumber, 'Authentication relying solely on passwords is vulnerable to credential theft, phishing, and brute-force attacks. MFA adds critical defense layer.', 'User credentials stolen via phishing → Attacker logs in with password alone → Account compromised', [
66
+ 'Account takeover from stolen credentials',
67
+ 'Unauthorized access despite password theft',
68
+ 'Phishing attack success',
69
+ 'Credential stuffing attacks',
70
+ 'Compliance violations (PCI-DSS, SOC 2, NIST 800-63)'
71
+ ], 'app.post("/login", async (req, res) => {\n if (validPassword) {\n req.session.userId = user.id; // No MFA\n }\n});', 'app.post("/login", async (req, res) => {\n if (validPassword) {\n if (!verifyTotp(user.secret, req.body.totpCode)) {\n return res.status(401).send("Invalid MFA code");\n }\n req.session.userId = user.id;\n }\n});', 'Implement TOTP-based MFA (Google Authenticator, Authy) or SMS-based verification as second authentication factor'));
72
+ }
73
+ // OWASP A07:2025 - Authentication Failures
74
+ // Check #95: No rate limiting on login - MEDIUM
75
+ // Check if route has rate limiting middleware
76
+ const hasRateLimiting = trimmed.includes('rateLimit') ||
77
+ trimmed.includes('rateLimiter') ||
78
+ trimmed.includes('limiter') ||
79
+ trimmed.includes('slowDown') ||
80
+ trimmed.includes('expressRateLimit');
81
+ if (!hasRateLimiting) {
82
+ vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('no-rate-limiting', 'Login endpoint missing rate limiting - vulnerable to brute-force attacks', 'Add rate limiting middleware: app.post("/login", rateLimit({ max: 5, windowMs: 15*60*1000 }), handler)', lineNumber, 'Login endpoints without rate limiting allow unlimited authentication attempts, enabling brute-force and credential stuffing attacks.', 'Attacker tries 10,000 passwords per minute → Eventually cracks weak passwords → Account compromised', [
83
+ 'Brute-force password attacks',
84
+ 'Credential stuffing with leaked password databases',
85
+ 'Account enumeration',
86
+ 'Denial of service from excessive login attempts',
87
+ 'Server resource exhaustion'
88
+ ], 'app.post("/login", (req, res) => {\n // No rate limiting - unlimited attempts\n});', 'const loginLimiter = rateLimit({\n windowMs: 15 * 60 * 1000, // 15 minutes\n max: 5 // 5 attempts\n});\napp.post("/login", loginLimiter, (req, res) => {\n // Rate limited\n});', 'Use express-rate-limit or similar middleware to limit login attempts to 5 per 15 minutes per IP address'));
89
+ }
90
+ }
91
+ // =============================================================================
92
+ // PHASE 2 ENHANCEMENTS (Dec 30, 2025) - A07 Authentication Improvements
93
+ // =============================================================================
94
+ // Check #96: Plain-text password storage (CRITICAL)
95
+ // Pattern: Arrays or objects with password fields containing plain-text values
96
+ // User test case: const users = [{ id: "1", password: "admin123" }]
97
+ const plainTextPasswordPattern = /(?:password|passwd|pwd)\s*:\s*['"`][^'"`]+['"`]/i;
98
+ const userArrayPattern = /(const|let|var)\s+(users|accounts|credentials)\s*=\s*\[/i;
99
+ if (trimmed.match(plainTextPasswordPattern)) {
100
+ // Check if it's in a data structure (not env var or config)
101
+ const isNotEnvVar = !trimmed.includes('process.env') &&
102
+ !trimmed.includes('config.') &&
103
+ !trimmed.includes('process.env');
104
+ if (isNotEnvVar) {
105
+ vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('plaintext-password-storage', 'CRITICAL: Plain-text password stored in code - passwords must be hashed', 'Never store passwords in plain-text. Use bcrypt, argon2, or scrypt to hash passwords', lineNumber, 'Storing passwords in plain-text allows anyone with code access to read all user passwords. If the database or code is compromised, all user credentials are immediately exposed.', 'const users = [{ email: "admin", password: "pass123" }] → Database leaked → All passwords exposed', [
106
+ 'Complete credential exposure on any code/database leak',
107
+ 'Mass account takeover',
108
+ 'Users passwords stolen (often reused across sites)',
109
+ 'Regulatory violations (GDPR, CCPA, PCI-DSS)',
110
+ 'Reputation damage and legal liability',
111
+ 'Impossible to comply with "right to be forgotten"'
112
+ ], 'const users = [{ email: "admin@test.com", password: "admin123" }];', 'const users = [{ email: "admin@test.com", passwordHash: "$2b$10$..." }]; // Use bcrypt\n\n// When creating user:\nconst hash = await bcrypt.hash(password, 10);\nawait db.users.create({ email, passwordHash: hash });', 'NEVER store passwords in plain-text. Always use bcrypt.hash() with salt rounds >= 10, or argon2, or scrypt.'));
113
+ }
114
+ }
115
+ // Check #97: Weak password comparison (HIGH)
116
+ // Pattern: if (user.password === inputPassword) or if (password === req.body.password)
117
+ // User test case: if (user.password === inputPassword)
118
+ const weakPasswordComparison = /(user\.password|stored(?:Password|Pwd)|dbPassword|account\.password)\s*===?\s*(input(?:Password|Pwd)|req\.body\.password|password)/i;
119
+ if (trimmed.match(weakPasswordComparison)) {
120
+ vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('weak-password-comparison', 'HIGH: Direct password comparison instead of bcrypt.compare() - timing attacks possible', 'Use bcrypt.compare(inputPassword, user.passwordHash) for secure password verification', lineNumber, 'Direct string comparison of passwords (=== or ==) is vulnerable to timing attacks and indicates passwords are stored in plain-text. Password verification must use constant-time comparison via bcrypt.compare().', 'if (user.password === inputPassword) → Timing attack reveals password length → Brute force faster', [
121
+ 'Timing attacks reveal password information',
122
+ 'Indicates plain-text password storage',
123
+ 'No protection against rainbow tables',
124
+ 'Vulnerable to brute-force attacks',
125
+ 'Non-constant-time comparison leaks data'
126
+ ], 'if (user.password === inputPassword) {\n return res.json({ message: "Login successful" });\n}', 'const validPassword = await bcrypt.compare(inputPassword, user.passwordHash);\nif (validPassword) {\n return res.json({ message: "Login successful" });\n}', 'Use bcrypt.compare() or argon2.verify() for password verification. Never use === or == to compare passwords.'));
127
+ }
128
+ // Check #98: Missing password hashing before storage (CRITICAL)
129
+ // Pattern: Saving password to database without hashing
130
+ const passwordSavePattern = /\.(create|save|insert|update)\s*\([^)]*password[^)]*\)/i;
131
+ const hasBcryptPattern = /bcrypt|argon2|scrypt|pbkdf2/i;
132
+ if (trimmed.match(passwordSavePattern)) {
133
+ // Check previous 10 lines for hashing
134
+ const previousLines = lines.slice(Math.max(0, index - 10), index);
135
+ const hasHashing = previousLines.some(l => l.match(hasBcryptPattern));
136
+ if (!hasHashing && !trimmed.match(hasBcryptPattern)) {
137
+ vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('missing-password-hashing', 'CRITICAL: Password saved to database without hashing - use bcrypt.hash() first', 'Hash password before saving: const hash = await bcrypt.hash(password, 10); db.users.create({ passwordHash: hash })', lineNumber, 'Saving passwords to the database without hashing creates a massive security vulnerability. If the database is compromised, all user passwords are immediately exposed in plain-text.', 'await db.users.create({ email, password }); → Database hacked → All passwords stolen', [
138
+ 'Database compromise exposes all passwords',
139
+ 'Mass account takeover',
140
+ 'Credential reuse across sites exploited',
141
+ 'Regulatory violations (GDPR Article 32, PCI-DSS 8.2.1)',
142
+ 'Class-action lawsuits and fines',
143
+ 'Permanent reputation damage'
144
+ ], 'await db.users.create({ email, password: req.body.password });', 'const passwordHash = await bcrypt.hash(req.body.password, 10);\nawait db.users.create({ email, passwordHash });', 'Always hash passwords with bcrypt (10+ rounds), argon2, or scrypt before saving to database. NEVER save plain-text passwords.'));
145
+ }
146
+ }
147
+ // Check #99: Session fixation vulnerability (HIGH)
148
+ // Pattern: Setting session.userId without regenerating session ID
149
+ const sessionAssignmentPattern = /(req\.session|session)\.\w+\s*=\s*user/i;
150
+ if (trimmed.match(sessionAssignmentPattern)) {
151
+ // Check for session regeneration in nearby lines
152
+ const contextLines = lines.slice(Math.max(0, index - 5), Math.min(index + 5, lines.length));
153
+ const hasSessionRegeneration = contextLines.some(l => {
154
+ const lowerLine = l.toLowerCase();
155
+ return lowerLine.includes('session.regenerate') ||
156
+ lowerLine.includes('regeneratesession') ||
157
+ lowerLine.includes('session.save');
158
+ });
159
+ if (!hasSessionRegeneration) {
160
+ vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('session-fixation', 'Session assigned without regeneration - vulnerable to session fixation attacks', 'Regenerate session ID after authentication: req.session.regenerate(() => { req.session.userId = user.id })', lineNumber, 'Setting session data without regenerating the session ID allows session fixation attacks, where an attacker can pre-set a victim\'s session ID and hijack their authenticated session.', 'Attacker gets session ID before login → Victim logs in with that ID → Attacker hijacks authenticated session', [
161
+ 'Session hijacking after authentication',
162
+ 'Session fixation attacks',
163
+ 'Unauthorized access to authenticated sessions',
164
+ 'Account takeover',
165
+ 'Bypass of authentication controls'
166
+ ], 'app.post("/login", (req, res) => {\n req.session.userId = user.id; // Session fixation!\n});', 'app.post("/login", (req, res) => {\n req.session.regenerate((err) => {\n if (err) return res.status(500).send("Error");\n req.session.userId = user.id; // New session ID\n res.json({ success: true });\n });\n});', 'Always call req.session.regenerate() before setting authentication data to prevent session fixation attacks.'));
167
+ }
168
+ }
169
+ // Check #100: JWT without expiration (HIGH)
170
+ // Pattern: jwt.sign({ userId }, secret) without expiresIn option
171
+ const jwtSignPattern = /jwt\.sign\s*\(\s*\{[^}]*\}\s*,\s*[^,)]+(?:\s*,\s*\{[^}]*\})?/i;
172
+ if (trimmed.match(jwtSignPattern)) {
173
+ const hasExpiration = trimmed.includes('expiresIn') ||
174
+ trimmed.includes('exp:') ||
175
+ trimmed.includes('exp :');
176
+ if (!hasExpiration) {
177
+ vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('jwt-no-expiration', 'JWT token issued without expiration - stolen tokens valid forever', 'Add expiration: jwt.sign({ userId }, secret, { expiresIn: "1h" })', lineNumber, 'JWTs without expiration never expire, meaning stolen tokens remain valid indefinitely. An attacker who obtains a token can use it forever unless the secret is rotated.', 'jwt.sign({ userId }, secret) → Token stolen → Attacker has permanent access', [
178
+ 'Stolen tokens valid indefinitely',
179
+ 'No token rotation possible',
180
+ 'Account takeover persists forever',
181
+ 'Cannot revoke compromised tokens',
182
+ 'Compliance violations (session timeout requirements)'
183
+ ], 'const token = jwt.sign({ userId }, secret);', 'const token = jwt.sign({ userId }, secret, { expiresIn: "1h" }); // 1 hour expiration', 'Always set expiresIn option when signing JWTs. Recommended: 1-24 hours for access tokens, 7-30 days for refresh tokens.'));
184
+ }
185
+ }
186
+ // Check #101: Insecure session timeout (MEDIUM)
187
+ // Pattern: session({ cookie: { maxAge: X }}) where X > 24 hours
188
+ const sessionConfigPattern = /session\s*\(\s*\{[^}]*cookie\s*:\s*\{[^}]*maxAge\s*:\s*(\d+)/i;
189
+ const match = trimmed.match(sessionConfigPattern);
190
+ if (match) {
191
+ const maxAge = parseInt(match[1], 10);
192
+ const oneDayMs = 24 * 60 * 60 * 1000;
193
+ if (maxAge > oneDayMs) {
194
+ const days = Math.floor(maxAge / oneDayMs);
195
+ vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('insecure-session-timeout', `Session timeout too long (${days} days) - should be <= 24 hours for security`, 'Set session maxAge to <= 24 hours: session({ cookie: { maxAge: 24 * 60 * 60 * 1000 }})', lineNumber, 'Long session timeouts increase the window of opportunity for session hijacking and unauthorized access. Best practice is 1-24 hours depending on sensitivity.', `Session valid for ${days} days → Device stolen/shared → Attacker has ${days} days of access`, [
196
+ 'Extended window for session hijacking',
197
+ 'Unauthorized access from shared/stolen devices',
198
+ 'Compliance violations (PCI-DSS, SOC 2)',
199
+ 'Stale authentication state',
200
+ 'Increased attack surface'
201
+ ], `session({ cookie: { maxAge: ${maxAge} }})`, 'session({ cookie: { maxAge: 24 * 60 * 60 * 1000 }}) // 24 hours max', 'Limit session timeout to 1-24 hours based on application sensitivity. Financial apps: 15-60 minutes.'));
202
+ }
203
+ }
204
+ // Check #102: Weak password requirements (LOW)
205
+ // Pattern: Password length checks < 12 characters
206
+ const passwordLengthCheck = /password\.length\s*[<>=!]+\s*(\d+)/i;
207
+ const lengthMatch = trimmed.match(passwordLengthCheck);
208
+ if (lengthMatch) {
209
+ const minLength = parseInt(lengthMatch[1], 10);
210
+ if (minLength < 12) {
211
+ vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('weak-password-requirements', `Weak password minimum length (${minLength} chars) - NIST recommends >= 12 characters`, 'Increase minimum password length to 12-16 characters minimum', lineNumber, 'Short password requirements make brute-force attacks easier. NIST SP 800-63B recommends minimum 12 characters for user-generated passwords.', `8-character password: ~2 hours to crack → 12-character password: ~200 years to crack`, [
212
+ 'Easier brute-force attacks',
213
+ 'Reduced entropy/password strength',
214
+ 'Compliance issues (NIST 800-63B)',
215
+ 'Dictionary attacks more effective'
216
+ ], `if (password.length < ${minLength}) return res.status(400).send("Too short");`, 'if (password.length < 12) return res.status(400).send("Password must be at least 12 characters");', 'Set minimum password length to 12-16 characters per NIST guidelines. Encourage passphrases over complex short passwords.'));
217
+ }
218
+ }
219
+ });
220
+ return vulnerabilities;
221
+ }
222
+ //# sourceMappingURL=authentication-failures.js.map
package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"authentication-failures.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/authentication-failures.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAsBH,kEAmUC;AAtVD,sEAAqF;AAErF;;;;;;;;;;;;;;;;GAgBG;AACH,SAAgB,2BAA2B,CACzC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,8CAA8C;QAC9C,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO;QAElG,2CAA2C;QAC3C,sCAAsC;QACtC,8DAA8D;QAC9D,MAAM,iBAAiB,GAAG,iDAAiD,CAAC;QAE5E,IAAI,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACrC,2CAA2C;YAC3C,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACzE,MAAM,WAAW,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBACrC,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAC1B,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;oBACzB,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;oBACzB,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC;oBAC3B,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;oBAC/B,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;oBACzB,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC;oBAChC,SAAS,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC;YAClD,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,aAAa,EACb,8DAA8D,EAC9D,+DAA+D,EAC/D,UAAU,EACV,mJAAmJ,EACnJ,mGAAmG,EACnG;oBACE,0CAA0C;oBAC1C,4CAA4C;oBAC5C,yBAAyB;oBACzB,6BAA6B;oBAC7B,qDAAqD;iBACtD,EACD,yHAAyH,EACzH,sOAAsO,EACtO,kHAAkH,CACnH,CAAC,CAAC;YACL,CAAC;YAED,2CAA2C;YAC3C,gDAAgD;YAChD,8CAA8C;YAC9C,MAAM,eAAe,GAAG,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAC7B,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC;gBAC/B,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAC3B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAC5B,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC;YAE7D,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,kBAAkB,EAClB,0EAA0E,EAC1E,wGAAwG,EACxG,UAAU,EACV,sIAAsI,EACtI,qGAAqG,EACrG;oBACE,8BAA8B;oBAC9B,oDAAoD;oBACpD,qBAAqB;oBACrB,iDAAiD;oBACjD,4BAA4B;iBAC7B,EACD,qFAAqF,EACrF,oLAAoL,EACpL,yGAAyG,CAC1G,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,gFAAgF;QAChF,wEAAwE;QACxE,gFAAgF;QAEhF,oDAAoD;QACpD,+EAA+E;QAC/E,oEAAoE;QACpE,MAAM,wBAAwB,GAAG,kDAAkD,CAAC;QACpF,MAAM,gBAAgB,GAAG,0DAA0D,CAAC;QAEpF,IAAI,OAAO,CAAC,KAAK,CAAC,wBAAwB,CAAC,EAAE,CAAC;YAC5C,4DAA4D;YAC5D,MAAM,WAAW,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC;gBAChC,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAC5B,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YAErD,IAAI,WAAW,EAAE,CAAC;gBAChB,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,4BAA4B,EAC5B,yEAAyE,EACzE,sFAAsF,EACtF,UAAU,EACV,kLAAkL,EAClL,mGAAmG,EACnG;oBACE,wDAAwD;oBACxD,uBAAuB;oBACvB,oDAAoD;oBACpD,6CAA6C;oBAC7C,uCAAuC;oBACvC,mDAAmD;iBACpD,EACD,oEAAoE,EACpE,wNAAwN,EACxN,6GAA6G,CAC9G,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,6CAA6C;QAC7C,uFAAuF;QACvF,uDAAuD;QACvD,MAAM,sBAAsB,GAAG,qIAAqI,CAAC;QAErK,IAAI,OAAO,CAAC,KAAK,CAAC,sBAAsB,CAAC,EAAE,CAAC;YAC1C,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,0BAA0B,EAC1B,wFAAwF,EACxF,uFAAuF,EACvF,UAAU,EACV,mNAAmN,EACnN,mGAAmG,EACnG;gBACE,4CAA4C;gBAC5C,uCAAuC;gBACvC,sCAAsC;gBACtC,mCAAmC;gBACnC,yCAAyC;aAC1C,EACD,gGAAgG,EAChG,6JAA6J,EAC7J,8GAA8G,CAC/G,CAAC,CAAC;QACL,CAAC;QAED,gEAAgE;QAChE,uDAAuD;QACvD,MAAM,mBAAmB,GAAG,yDAAyD,CAAC;QACtF,MAAM,gBAAgB,GAAG,8BAA8B,CAAC;QAExD,IAAI,OAAO,CAAC,KAAK,CAAC,mBAAmB,CAAC,EAAE,CAAC;YACvC,sCAAsC;YACtC,MAAM,aAAa,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC;YAClE,MAAM,UAAU,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC,CAAC;YAEtE,IAAI,CAAC,UAAU,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBACpD,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,0BAA0B,EAC1B,gFAAgF,EAChF,oHAAoH,EACpH,UAAU,EACV,sLAAsL,EACtL,sFAAsF,EACtF;oBACE,2CAA2C;oBAC3C,uBAAuB;oBACvB,yCAAyC;oBACzC,wDAAwD;oBACxD,iCAAiC;oBACjC,6BAA6B;iBAC9B,EACD,gEAAgE,EAChE,iHAAiH,EACjH,+HAA+H,CAChI,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,mDAAmD;QACnD,kEAAkE;QAClE,MAAM,wBAAwB,GAAG,yCAAyC,CAAC;QAE3E,IAAI,OAAO,CAAC,KAAK,CAAC,wBAAwB,CAAC,EAAE,CAAC;YAC5C,iDAAiD;YACjD,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YAC5F,MAAM,sBAAsB,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBACnD,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO,SAAS,CAAC,QAAQ,CAAC,oBAAoB,CAAC;oBACxC,SAAS,CAAC,QAAQ,CAAC,mBAAmB,CAAC;oBACvC,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;YAC5C,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,sBAAsB,EAAE,CAAC;gBAC5B,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,kBAAkB,EAClB,gFAAgF,EAChF,4GAA4G,EAC5G,UAAU,EACV,wLAAwL,EACxL,8GAA8G,EAC9G;oBACE,wCAAwC;oBACxC,0BAA0B;oBAC1B,+CAA+C;oBAC/C,kBAAkB;oBAClB,mCAAmC;iBACpC,EACD,+FAA+F,EAC/F,gOAAgO,EAChO,8GAA8G,CAC/G,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,4CAA4C;QAC5C,iEAAiE;QACjE,MAAM,cAAc,GAAG,+DAA+D,CAAC;QAEvF,IAAI,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;YAClC,MAAM,aAAa,GAAG,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAC9B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;gBACxB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAE/C,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,mBAAmB,EACnB,mEAAmE,EACnE,mEAAmE,EACnE,UAAU,EACV,yKAAyK,EACzK,6EAA6E,EAC7E;oBACE,kCAAkC;oBAClC,4BAA4B;oBAC5B,mCAAmC;oBACnC,kCAAkC;oBAClC,sDAAsD;iBACvD,EACD,6CAA6C,EAC7C,uFAAuF,EACvF,yHAAyH,CAC1H,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,gDAAgD;QAChD,gEAAgE;QAChE,MAAM,oBAAoB,GAAG,+DAA+D,CAAC;QAC7F,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;QAElD,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACtC,MAAM,QAAQ,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;YAErC,IAAI,MAAM,GAAG,QAAQ,EAAE,CAAC;gBACtB,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,QAAQ,CAAC,CAAC;gBAC3C,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,0BAA0B,EAC1B,6BAA6B,IAAI,6CAA6C,EAC9E,wFAAwF,EACxF,UAAU,EACV,+JAA+J,EAC/J,qBAAqB,IAAI,+CAA+C,IAAI,iBAAiB,EAC7F;oBACE,uCAAuC;oBACvC,gDAAgD;oBAChD,wCAAwC;oBACxC,4BAA4B;oBAC5B,0BAA0B;iBAC3B,EACD,+BAA+B,MAAM,MAAM,EAC3C,qEAAqE,EACrE,sGAAsG,CACvG,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,+CAA+C;QAC/C,kDAAkD;QAClD,MAAM,mBAAmB,GAAG,qCAAqC,CAAC;QAClE,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;QAEvD,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,SAAS,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAE/C,IAAI,SAAS,GAAG,EAAE,EAAE,CAAC;gBACnB,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,4BAA4B,EAC5B,iCAAiC,SAAS,4CAA4C,EACtF,8DAA8D,EAC9D,UAAU,EACV,6IAA6I,EAC7I,sFAAsF,EACtF;oBACE,4BAA4B;oBAC5B,mCAAmC;oBACnC,kCAAkC;oBAClC,mCAAmC;iBACpC,EACD,yBAAyB,SAAS,6CAA6C,EAC/E,mGAAmG,EACnG,0HAA0H,CAC3H,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IAEH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts ADDED
@@ -0,0 +1,28 @@
1
+ /**
2
+ * JavaScript Credential and Cryptography Security Detection Module
3
+ *
4
+ * Detects authentication and cryptographic vulnerabilities:
5
+ * - Hardcoded credentials (passwords, API keys, tokens)
6
+ * - Weak random number generation (Math.random)
7
+ * - Weak cryptographic algorithms (MD5, SHA1)
8
+ * - Insecure storage of sensitive data
9
+ *
10
+ * Part of modularized JavaScript analyzer (150-300 LOC per module)
11
+ * Extracted from monolithic javascript-analyzer.ts (2,672 LOC)
12
+ *
13
+ * @module credential-crypto
14
+ */
15
+ import { SecurityVulnerability } from '../../types';
16
+ /**
17
+ * Type for createSecurityVulnerability function
18
+ */
19
+ export type CreateVulnerabilityFn = (id: string, message: string, fix: string, lineNumber: number, explanation: string, example: string, impacts: string[], codeExample: string, fixedCodeExample: string, fixDetails: string) => SecurityVulnerability;
20
+ /**
21
+ * Check for credential and cryptography vulnerabilities in JavaScript code
22
+ *
23
+ * @param code - Full source code
24
+ * @param createVulnerability - Function to create vulnerability objects
25
+ * @returns Array of detected vulnerabilities
26
+ */
27
+ export declare function checkCredentialCrypto(code: string, createVulnerability: CreateVulnerabilityFn): SecurityVulnerability[];
28
+ //# sourceMappingURL=credential-crypto.d.ts.map
package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"credential-crypto.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/credential-crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAEpD;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAAG,CAClC,EAAE,EAAE,MAAM,EACV,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EAAE,EACjB,WAAW,EAAE,MAAM,EACnB,gBAAgB,EAAE,MAAM,EACxB,UAAU,EAAE,MAAM,KACf,qBAAqB,CAAC;AAE3B;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,IAAI,EAAE,MAAM,EACZ,mBAAmB,EAAE,qBAAqB,GACzC,qBAAqB,EAAE,CAiSzB"}
package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js ADDED
@@ -0,0 +1,176 @@
1
+ "use strict";
2
+ /**
3
+ * JavaScript Credential and Cryptography Security Detection Module
4
+ *
5
+ * Detects authentication and cryptographic vulnerabilities:
6
+ * - Hardcoded credentials (passwords, API keys, tokens)
7
+ * - Weak random number generation (Math.random)
8
+ * - Weak cryptographic algorithms (MD5, SHA1)
9
+ * - Insecure storage of sensitive data
10
+ *
11
+ * Part of modularized JavaScript analyzer (150-300 LOC per module)
12
+ * Extracted from monolithic javascript-analyzer.ts (2,672 LOC)
13
+ *
14
+ * @module credential-crypto
15
+ */
16
+ Object.defineProperty(exports, "__esModule", { value: true });
17
+ exports.checkCredentialCrypto = checkCredentialCrypto;
18
+ /**
19
+ * Check for credential and cryptography vulnerabilities in JavaScript code
20
+ *
21
+ * @param code - Full source code
22
+ * @param createVulnerability - Function to create vulnerability objects
23
+ * @returns Array of detected vulnerabilities
24
+ */
25
+ function checkCredentialCrypto(code, createVulnerability) {
26
+ const vulnerabilities = [];
27
+ const lines = code.split('\n');
28
+ let inMultiLineComment = false;
29
+ lines.forEach((line, index) => {
30
+ const lineNumber = index + 1;
31
+ const trimmed = line.trim();
32
+ // Track multi-line comment blocks
33
+ if (trimmed.includes('/*')) {
34
+ inMultiLineComment = true;
35
+ }
36
+ if (trimmed.includes('*/')) {
37
+ inMultiLineComment = false;
38
+ return;
39
+ }
40
+ // Skip comments and empty lines
41
+ if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*')) {
42
+ return;
43
+ }
44
+ // OWASP A07:2021 - Authentication & Identification Failures
45
+ // 1. Hardcoded credentials - CRITICAL
46
+ if (trimmed.match(/(password|passwd|pwd|secret|token|api[-_]?key|private[-_]?key|auth|encryption[-_]?key)/i) &&
47
+ trimmed.match(/[:=]\s*['"`]/) &&
48
+ !trimmed.includes('process.env') &&
49
+ !trimmed.includes('config.') &&
50
+ !trimmed.startsWith('//')) {
51
+ vulnerabilities.push(createVulnerability('hardcoded-credentials', 'Hardcoded credentials exposed in source code', 'Use environment variables (process.env) or secret management services', lineNumber, 'Hardcoded credentials in source code are visible to anyone with access to the repository, including attackers who gain access to the codebase.', 'const password = "MySecretPass123" // Visible in Git history forever', [
52
+ 'Unauthorized access to systems',
53
+ 'Account takeover',
54
+ 'Data breach',
55
+ 'Lateral movement in infrastructure',
56
+ 'Cannot be rotated without code changes'
57
+ ], 'const apiKey = "sk-1234567890abcdef";', 'const apiKey = process.env.API_KEY; // Store in .env file (add to .gitignore)', 'Store secrets in environment variables or secret management services (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault)'));
58
+ }
59
+ // OWASP A02:2021 - Cryptographic Failures
60
+ // 2. Math.random() for security - MEDIUM
61
+ if (trimmed.match(/Math\.random\(\)/)) {
62
+ vulnerabilities.push(createVulnerability('weak-random', 'Math.random() is cryptographically weak and predictable', 'Use crypto.randomBytes() (Node.js) or crypto.getRandomValues() (Browser)', lineNumber, 'Math.random() uses a pseudorandom number generator that is predictable and unsuitable for security purposes like token generation.', 'const token = Math.random().toString(36) // Predictable, can be brute-forced', [
63
+ 'Predictable tokens/session IDs',
64
+ 'Session hijacking',
65
+ 'Authentication bypass',
66
+ 'Weak cryptographic keys'
67
+ ], 'const token = Math.random().toString(36).substr(2);', '// Node.js:\nconst token = require("crypto").randomBytes(32).toString("hex");\n// Browser:\nconst token = crypto.getRandomValues(new Uint8Array(32));', 'Use cryptographically secure random number generators for all security-sensitive operations'));
68
+ }
69
+ // 3. Weak cryptographic algorithms (MD5, SHA1) - HIGH
70
+ if (trimmed.match(/createHash\s*\(\s*['"](?:md5|sha1)['"]\s*\)/i) ||
71
+ trimmed.match(/crypto\.(?:md5|sha1)/i) ||
72
+ trimmed.match(/\.(?:md5|sha1)\s*\(/i)) {
73
+ vulnerabilities.push(createVulnerability('weak-cryptographic-algorithm', 'Weak cryptographic algorithm (MD5/SHA1) vulnerable to collision attacks', 'Use SHA-256 or stronger (SHA-384, SHA-512, SHA-3)', lineNumber, 'MD5 and SHA-1 are cryptographically broken and vulnerable to collision attacks. Attackers can generate different inputs that produce the same hash, compromising data integrity and digital signatures.', 'crypto.createHash("md5").update(password).digest("hex") // Attacker can generate collisions', [
74
+ 'Hash collision attacks',
75
+ 'Password cracking (rainbow tables)',
76
+ 'Digital signature forgery',
77
+ 'Data integrity compromise',
78
+ 'Compliance violations (PCI-DSS, FIPS)'
79
+ ], 'const hash = crypto.createHash("md5").update(data).digest("hex");', 'const hash = crypto.createHash("sha256").update(data).digest("hex"); // Use SHA-256 or stronger', 'Replace MD5/SHA-1 with SHA-256, SHA-384, SHA-512, or SHA-3. For password hashing, use bcrypt, scrypt, or Argon2'));
80
+ }
81
+ // 4. Insecure password hashing - CRITICAL
82
+ if (trimmed.match(/password|passwd|pwd/i) &&
83
+ (trimmed.match(/createHash\s*\(\s*['"]sha256['"]\s*\)/i) ||
84
+ trimmed.match(/\.hash\s*\(/i) && !trimmed.match(/bcrypt|scrypt|argon2|pbkdf2/i))) {
85
+ vulnerabilities.push(createVulnerability('insecure-password-hashing', 'Password hashed with fast algorithm vulnerable to brute-force attacks', 'Use bcrypt, scrypt, Argon2, or PBKDF2 for password hashing', lineNumber, 'Fast hash algorithms like SHA-256 allow attackers to try billions of password combinations per second. Password-specific algorithms like bcrypt intentionally slow down the hashing process.', 'const hash = crypto.createHash("sha256").update(password).digest("hex") // Can test 10B+ passwords/sec on GPU', [
86
+ 'Password cracking (brute-force)',
87
+ 'Rainbow table attacks',
88
+ 'Account takeover',
89
+ 'Data breach',
90
+ 'Compliance violations (NIST, OWASP)'
91
+ ], 'const passwordHash = crypto.createHash("sha256").update(password).digest("hex");', 'const bcrypt = require("bcrypt");\nconst passwordHash = await bcrypt.hash(password, 10); // 10 rounds = ~100ms per hash', 'Use bcrypt (recommended), scrypt, Argon2, or PBKDF2 for password hashing. These algorithms are designed to be slow and resistant to brute-force attacks'));
92
+ }
93
+ // 5. Weak JWT secret - HIGH
94
+ if (trimmed.match(/jwt\.sign|jsonwebtoken/i) && trimmed.match(/['"`].*['"`]/) && !trimmed.match(/process\.env/)) {
95
+ vulnerabilities.push(createVulnerability('weak-jwt-secret', 'JWT signed with weak or hardcoded secret', 'Use strong, randomly generated secret from environment variables', lineNumber, 'Weak JWT secrets allow attackers to forge authentication tokens, bypassing authentication entirely. Hardcoded secrets in source code are easily discovered.', 'jwt.sign(payload, "secret123") // Weak secret, attacker can forge tokens', [
96
+ 'Authentication bypass (forged tokens)',
97
+ 'Account takeover',
98
+ 'Privilege escalation',
99
+ 'Unauthorized access to protected resources'
100
+ ], 'const token = jwt.sign(payload, "secret");', 'const token = jwt.sign(payload, process.env.JWT_SECRET); // Strong random secret (32+ characters)', 'Generate a cryptographically random JWT secret (32+ characters) and store in environment variables. Never hardcode secrets in source code'));
101
+ }
102
+ // 6. Missing JWT expiration - MEDIUM
103
+ if (trimmed.match(/jwt\.sign/i) && !trimmed.match(/expiresIn|exp:/i)) {
104
+ vulnerabilities.push(createVulnerability('missing-jwt-expiration', 'JWT created without expiration time', 'Add expiresIn option to jwt.sign()', lineNumber, 'JWTs without expiration remain valid forever, even if a user logs out or their account is compromised. Stolen tokens can be used indefinitely.', 'jwt.sign(payload, secret) // Token never expires, valid forever', [
105
+ 'Stolen tokens remain valid indefinitely',
106
+ 'No way to revoke compromised tokens',
107
+ 'Session hijacking',
108
+ 'Compliance violations (require periodic re-authentication)'
109
+ ], 'const token = jwt.sign(payload, secret);', 'const token = jwt.sign(payload, secret, { expiresIn: "1h" }); // Token expires in 1 hour', 'Always set an expiration time for JWTs using expiresIn option. Use short expiration times (1-24 hours) and implement token refresh if needed'));
110
+ }
111
+ // 7. Insecure random for security tokens - HIGH
112
+ if (trimmed.match(/token|sessionId|nonce|salt/i) &&
113
+ (trimmed.match(/Math\.random/) || trimmed.match(/Date\.now/) || trimmed.match(/new Date\(\)\.getTime/))) {
114
+ vulnerabilities.push(createVulnerability('insecure-token-generation', 'Security token generated with weak randomness', 'Use crypto.randomBytes() for generating security tokens', lineNumber, 'Tokens generated with Math.random(), timestamps, or other weak sources can be predicted by attackers, allowing them to guess valid tokens.', 'const sessionId = Date.now() + Math.random() // Predictable pattern, attacker can enumerate valid sessions', [
115
+ 'Session hijacking (predictable session IDs)',
116
+ 'Token guessing attacks',
117
+ 'CSRF token bypass',
118
+ 'Authentication bypass'
119
+ ], 'const token = Date.now() + "-" + Math.random().toString(36);', 'const crypto = require("crypto");\nconst token = crypto.randomBytes(32).toString("hex"); // Cryptographically secure', 'Use crypto.randomBytes() (Node.js) or crypto.getRandomValues() (browser) for all security-sensitive tokens'));
120
+ }
121
+ // =============================================================================
122
+ // PHASE B - Weak Encryption (AES-ECB) Detection (Dec 21, 2025)
123
+ // =============================================================================
124
+ // 8. Weak Encryption - AES-ECB Mode - HIGH
125
+ if (trimmed.includes('crypto.create') &&
126
+ (trimmed.includes('Cipher') || trimmed.includes('Decipher')) &&
127
+ (trimmed.includes('ecb') || trimmed.includes('ECB'))) {
128
+ vulnerabilities.push(createVulnerability('weak-encryption-ecb', 'Weak encryption - AES-ECB mode does not hide data patterns', 'Use AES-GCM or AES-CBC mode with proper IV instead of ECB', lineNumber, 'Electronic Codebook (ECB) mode is insecure because identical plaintext blocks produce identical ciphertext blocks, revealing data patterns. This allows attackers to detect repeated data and perform pattern analysis attacks.', 'const cipher = crypto.createCipheriv(\'aes-256-ecb\', key, null); // Identical blocks = identical ciphertext', [
129
+ 'Data pattern disclosure',
130
+ 'Plaintext recovery through pattern analysis',
131
+ 'Cryptographic attacks (block rearrangement)',
132
+ 'Weak confidentiality protection'
133
+ ], 'crypto.createCipheriv(\'aes-256-ecb\', key, null)', 'const iv = crypto.randomBytes(16);\nconst cipher = crypto.createCipheriv(\'aes-256-gcm\', key, iv); // GCM provides authentication', 'Never use ECB mode. Use AES-GCM (authenticated encryption) or AES-CBC with random IV'));
134
+ }
135
+ // 9. Insecure crypto.createCipher (deprecated) - HIGH
136
+ if (trimmed.includes('crypto.createCipher(') || trimmed.includes('crypto.createDecipher(')) {
137
+ vulnerabilities.push(createVulnerability('deprecated-createcipher', 'Deprecated crypto.createCipher uses weak MD5 key derivation', 'Use crypto.createCipheriv with properly derived keys (PBKDF2/scrypt)', lineNumber, 'crypto.createCipher is deprecated because it uses weak MD5-based key derivation, making it vulnerable to brute force and rainbow table attacks. Modern standards require proper key derivation functions.', 'const cipher = crypto.createCipher(\'aes-256-cbc\', \'password\'); // Weak MD5 key derivation', [
138
+ 'Weak key derivation (MD5)',
139
+ 'Password brute force attacks',
140
+ 'Rainbow table attacks',
141
+ 'Insufficient protection against cryptanalysis'
142
+ ], 'crypto.createCipher(\'aes-256-cbc\', password)', 'const key = crypto.pbkdf2Sync(password, salt, 100000, 32, \'sha256\');\nconst iv = crypto.randomBytes(16);\nconst cipher = crypto.createCipheriv(\'aes-256-gcm\', key, iv);', 'Use createCipheriv with PBKDF2 or scrypt for key derivation, never createCipher'));
143
+ }
144
+ // =============================================================================
145
+ // PHASE B - Insecure TLS Configuration Detection (Dec 21, 2025)
146
+ // =============================================================================
147
+ // 10. Insecure TLS - rejectUnauthorized: false - HIGH
148
+ if (trimmed.includes('rejectUnauthorized') && trimmed.includes('false')) {
149
+ vulnerabilities.push(createVulnerability('insecure-tls-reject-unauthorized', 'TLS certificate validation disabled - vulnerable to man-in-the-middle attacks', 'Never set rejectUnauthorized: false in production - use proper certificates', lineNumber, 'Disabling certificate validation (rejectUnauthorized: false) allows man-in-the-middle attackers to intercept encrypted connections by presenting fake certificates. This defeats the entire purpose of TLS/HTTPS.', 'https.request({ hostname: \'api.example.com\', rejectUnauthorized: false }); // Attack: MITM intercepts traffic', [
150
+ 'Man-in-the-middle attacks',
151
+ 'Data interception and theft',
152
+ 'Credential theft',
153
+ 'Session hijacking',
154
+ 'Complete loss of confidentiality'
155
+ ], 'rejectUnauthorized: false', '// Use valid certificates instead of disabling validation\n// For development: Use self-signed certs with NODE_EXTRA_CA_CERTS\nconst options = { hostname: \'api.example.com\' }; // Default: rejectUnauthorized: true', 'Never disable certificate validation. Use proper CA-signed certificates or NODE_EXTRA_CA_CERTS for development'));
156
+ }
157
+ // 11. Insecure TLS - minVersion < TLS 1.2 - HIGH
158
+ const hasMinVersionOrProtocol = trimmed.includes('minVersion') || trimmed.includes('secureProtocol');
159
+ const hasInsecureTLS = (trimmed.includes('TLSv1.0') || trimmed.includes('TLSv1.1') ||
160
+ (trimmed.includes('TLSv1\'') && !trimmed.includes('TLSv1.')) ||
161
+ (trimmed.includes('TLSv1"') && !trimmed.includes('TLSv1.')) ||
162
+ trimmed.includes('SSLv') ||
163
+ trimmed.includes('TLS1_0') || trimmed.includes('TLS1_1'));
164
+ if (hasMinVersionOrProtocol && hasInsecureTLS) {
165
+ vulnerabilities.push(createVulnerability('insecure-tls-version', 'Insecure TLS version - use TLS 1.2 or higher', 'Set minVersion to \'TLSv1.2\' or \'TLSv1.3\' to enforce secure protocols', lineNumber, 'TLS 1.0 and 1.1 are deprecated and vulnerable to attacks like BEAST, POODLE, and downgrade attacks. Modern standards require TLS 1.2 or higher for secure communications.', 'tls.createServer({ minVersion: \'TLSv1\' }); // Vulnerable to BEAST, POODLE attacks', [
166
+ 'Protocol downgrade attacks',
167
+ 'BEAST attack (TLS 1.0)',
168
+ 'POODLE attack (SSLv3)',
169
+ 'Weak cipher suite negotiation',
170
+ 'Man-in-the-middle attacks'
171
+ ], 'minVersion: \'TLSv1\'', 'const options = { minVersion: \'TLSv1.2\' }; // Or \'TLSv1.3\' for maximum security', 'Use TLS 1.2 or 1.3. TLS 1.0/1.1 and SSLv3 are deprecated and insecure'));
172
+ }
173
+ });
174
+ return vulnerabilities;
175
+ }
176
+ //# sourceMappingURL=credential-crypto.js.map
package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"credential-crypto.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/credential-crypto.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;AA2BH,sDAoSC;AA3SD;;;;;;GAMG;AACH,SAAgB,qBAAqB,CACnC,IAAY,EACZ,mBAA0C;IAE1C,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,kCAAkC;QAClC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1F,OAAO;QACT,CAAC;QAED,4DAA4D;QAC5D,sCAAsC;QACtC,IAAI,OAAO,CAAC,KAAK,CAAC,yFAAyF,CAAC;YACxG,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC;YAC7B,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC;YAChC,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC5B,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9B,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,uBAAuB,EACvB,8CAA8C,EAC9C,uEAAuE,EACvE,UAAU,EACV,gJAAgJ,EAChJ,sEAAsE,EACtE;gBACE,gCAAgC;gBAChC,kBAAkB;gBAClB,aAAa;gBACb,oCAAoC;gBACpC,wCAAwC;aACzC,EACD,uCAAuC,EACvC,+EAA+E,EAC/E,8HAA8H,CAC/H,CAAC,CAAC;QACL,CAAC;QAED,0CAA0C;QAC1C,yCAAyC;QACzC,IAAI,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACtC,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,aAAa,EACb,yDAAyD,EACzD,0EAA0E,EAC1E,UAAU,EACV,oIAAoI,EACpI,8EAA8E,EAC9E;gBACE,gCAAgC;gBAChC,mBAAmB;gBACnB,uBAAuB;gBACvB,yBAAyB;aAC1B,EACD,qDAAqD,EACrD,uJAAuJ,EACvJ,6FAA6F,CAC9F,CAAC,CAAC;QACL,CAAC;QAED,sDAAsD;QACtD,IAAI,OAAO,CAAC,KAAK,CAAC,8CAA8C,CAAC;YAC7D,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC;YACtC,OAAO,CAAC,KAAK,CAAC,sBAAsB,CAAC,EAAE,CAAC;YAC1C,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,8BAA8B,EAC9B,yEAAyE,EACzE,mDAAmD,EACnD,UAAU,EACV,yMAAyM,EACzM,6FAA6F,EAC7F;gBACE,wBAAwB;gBACxB,oCAAoC;gBACpC,2BAA2B;gBAC3B,2BAA2B;gBAC3B,uCAAuC;aACxC,EACD,mEAAmE,EACnE,iGAAiG,EACjG,iHAAiH,CAClH,CAAC,CAAC;QACL,CAAC;QAED,0CAA0C;QAC1C,IAAI,OAAO,CAAC,KAAK,CAAC,sBAAsB,CAAC;YACrC,CAAC,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC;gBACvD,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC,EAAE,CAAC;YACtF,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,2BAA2B,EAC3B,uEAAuE,EACvE,4DAA4D,EAC5D,UAAU,EACV,8LAA8L,EAC9L,+GAA+G,EAC/G;gBACE,iCAAiC;gBACjC,uBAAuB;gBACvB,kBAAkB;gBAClB,aAAa;gBACb,qCAAqC;aACtC,EACD,kFAAkF,EAClF,yHAAyH,EACzH,yJAAyJ,CAC1J,CAAC,CAAC;QACL,CAAC;QAED,4BAA4B;QAC5B,IAAI,OAAO,CAAC,KAAK,CAAC,yBAAyB,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;YAChH,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,iBAAiB,EACjB,0CAA0C,EAC1C,kEAAkE,EAClE,UAAU,EACV,6JAA6J,EAC7J,0EAA0E,EAC1E;gBACE,uCAAuC;gBACvC,kBAAkB;gBAClB,sBAAsB;gBACtB,4CAA4C;aAC7C,EACD,4CAA4C,EAC5C,mGAAmG,EACnG,2IAA2I,CAC5I,CAAC,CAAC;QACL,CAAC;QAED,qCAAqC;QACrC,IAAI,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACrE,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,wBAAwB,EACxB,qCAAqC,EACrC,oCAAoC,EACpC,UAAU,EACV,gJAAgJ,EAChJ,iEAAiE,EACjE;gBACE,yCAAyC;gBACzC,qCAAqC;gBACrC,mBAAmB;gBACnB,4DAA4D;aAC7D,EACD,0CAA0C,EAC1C,0FAA0F,EAC1F,8IAA8I,CAC/I,CAAC,CAAC;QACL,CAAC;QAED,gDAAgD;QAChD,IAAI,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC;YAC5C,CAAC,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC,EAAE,CAAC;YAC5G,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,2BAA2B,EAC3B,+CAA+C,EAC/C,yDAAyD,EACzD,UAAU,EACV,4IAA4I,EAC5I,4GAA4G,EAC5G;gBACE,6CAA6C;gBAC7C,wBAAwB;gBACxB,mBAAmB;gBACnB,uBAAuB;aACxB,EACD,8DAA8D,EAC9D,sHAAsH,EACtH,4GAA4G,CAC7G,CAAC,CAAC;QACL,CAAC;QAED,gFAAgF;QAChF,+DAA+D;QAC/D,gFAAgF;QAEhF,2CAA2C;QAC3C,IAAI,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC;YACjC,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YAC5D,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACzD,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,qBAAqB,EACrB,4DAA4D,EAC5D,2DAA2D,EAC3D,UAAU,EACV,iOAAiO,EACjO,8GAA8G,EAC9G;gBACE,yBAAyB;gBACzB,6CAA6C;gBAC7C,6CAA6C;gBAC7C,iCAAiC;aAClC,EACD,mDAAmD,EACnD,oIAAoI,EACpI,sFAAsF,CACvF,CAAC,CAAC;QACL,CAAC;QAED,sDAAsD;QACtD,IAAI,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,EAAE,CAAC;YAC3F,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,yBAAyB,EACzB,6DAA6D,EAC7D,sEAAsE,EACtE,UAAU,EACV,2MAA2M,EAC3M,+FAA+F,EAC/F;gBACE,2BAA2B;gBAC3B,8BAA8B;gBAC9B,uBAAuB;gBACvB,+CAA+C;aAChD,EACD,gDAAgD,EAChD,6KAA6K,EAC7K,iFAAiF,CAClF,CAAC,CAAC;QACL,CAAC;QAED,gFAAgF;QAChF,gEAAgE;QAChE,gFAAgF;QAEhF,sDAAsD;QACtD,IAAI,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YACxE,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,kCAAkC,EAClC,+EAA+E,EAC/E,6EAA6E,EAC7E,UAAU,EACV,mNAAmN,EACnN,iHAAiH,EACjH;gBACE,2BAA2B;gBAC3B,6BAA6B;gBAC7B,kBAAkB;gBAClB,mBAAmB;gBACnB,kCAAkC;aACnC,EACD,2BAA2B,EAC3B,wNAAwN,EACxN,gHAAgH,CACjH,CAAC,CAAC;QACL,CAAC;QAED,iDAAiD;QACjD,MAAM,uBAAuB,GAAG,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;QACrG,MAAM,cAAc,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC1D,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAC5D,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAC3D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;YACxB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;QAElF,IAAI,uBAAuB,IAAI,cAAc,EAAE,CAAC;YAC9C,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,sBAAsB,EACtB,8CAA8C,EAC9C,0EAA0E,EAC1E,UAAU,EACV,2KAA2K,EAC3K,qFAAqF,EACrF;gBACE,4BAA4B;gBAC5B,wBAAwB;gBACxB,uBAAuB;gBACvB,+BAA+B;gBAC/B,2BAA2B;aAC5B,EACD,uBAAuB,EACvB,qFAAqF,EACrF,uEAAuE,CACxE,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts ADDED
@@ -0,0 +1,23 @@
1
+ /**
2
+ * JavaScript Enhanced Supply Chain Security Checks
3
+ * OWASP A03:2025 - Software Supply Chain Failures (Enhanced)
4
+ *
5
+ * Enhanced supply chain security checks building on existing dependency scanning.
6
+ * Focuses on runtime dependencies, package integrity, and malicious code patterns.
7
+ */
8
+ import { SecurityVulnerability } from '../../types';
9
+ /**
10
+ * Checks for enhanced supply chain security vulnerabilities in JavaScript code
11
+ *
12
+ * Covers:
13
+ * - Check #1: Dynamic imports without integrity validation (HIGH)
14
+ * - Check #2: Runtime dependency loading (MEDIUM)
15
+ * - Check #3: Suspicious package patterns (HIGH)
16
+ * - Check #4: Unrestricted CDN usage (MEDIUM)
17
+ * - Check #5: Package typosquatting patterns (MEDIUM)
18
+ *
19
+ * @param lines - Array of code lines
20
+ * @returns Array of security vulnerabilities found
21
+ */
22
+ export declare function checkEnhancedSupplyChain(lines: string[]): SecurityVulnerability[];
23
+ //# sourceMappingURL=enhanced-supply-chain.d.ts.map
package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"enhanced-supply-chain.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;GAYG;AACH,wBAAgB,wBAAwB,CACtC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CAmKzB"}