codeslick-cli 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (455)
  1. package/README.md +458 -0
  2. package/__tests__/cli-reporter.test.ts +86 -0
  3. package/__tests__/config-loader.test.ts +247 -0
  4. package/__tests__/local-scanner.test.ts +245 -0
  5. package/bin/codeslick.cjs +153 -0
  6. package/dist/packages/cli/src/commands/auth.d.ts +36 -0
  7. package/dist/packages/cli/src/commands/auth.d.ts.map +1 -0
  8. package/dist/packages/cli/src/commands/auth.js +226 -0
  9. package/dist/packages/cli/src/commands/auth.js.map +1 -0
  10. package/dist/packages/cli/src/commands/config.d.ts +37 -0
  11. package/dist/packages/cli/src/commands/config.d.ts.map +1 -0
  12. package/dist/packages/cli/src/commands/config.js +196 -0
  13. package/dist/packages/cli/src/commands/config.js.map +1 -0
  14. package/dist/packages/cli/src/commands/init.d.ts +32 -0
  15. package/dist/packages/cli/src/commands/init.d.ts.map +1 -0
  16. package/dist/packages/cli/src/commands/init.js +171 -0
  17. package/dist/packages/cli/src/commands/init.js.map +1 -0
  18. package/dist/packages/cli/src/commands/scan.d.ts +40 -0
  19. package/dist/packages/cli/src/commands/scan.d.ts.map +1 -0
  20. package/dist/packages/cli/src/commands/scan.js +204 -0
  21. package/dist/packages/cli/src/commands/scan.js.map +1 -0
  22. package/dist/packages/cli/src/config/config-loader.d.ts +67 -0
  23. package/dist/packages/cli/src/config/config-loader.d.ts.map +1 -0
  24. package/dist/packages/cli/src/config/config-loader.js +146 -0
  25. package/dist/packages/cli/src/config/config-loader.js.map +1 -0
  26. package/dist/packages/cli/src/reporters/cli-reporter.d.ts +69 -0
  27. package/dist/packages/cli/src/reporters/cli-reporter.d.ts.map +1 -0
  28. package/dist/packages/cli/src/reporters/cli-reporter.js +244 -0
  29. package/dist/packages/cli/src/reporters/cli-reporter.js.map +1 -0
  30. package/dist/packages/cli/src/scanner/local-scanner.d.ts +92 -0
  31. package/dist/packages/cli/src/scanner/local-scanner.d.ts.map +1 -0
  32. package/dist/packages/cli/src/scanner/local-scanner.js +221 -0
  33. package/dist/packages/cli/src/scanner/local-scanner.js.map +1 -0
  34. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts +88 -0
  35. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts.map +1 -0
  36. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js +371 -0
  37. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js.map +1 -0
  38. package/dist/src/lib/analyzers/helpers/jsx-helpers.d.ts +63 -0
  39. package/dist/src/lib/analyzers/helpers/jsx-helpers.d.ts.map +1 -0
  40. package/dist/src/lib/analyzers/helpers/jsx-helpers.js +95 -0
  41. package/dist/src/lib/analyzers/helpers/jsx-helpers.js.map +1 -0
  42. package/dist/src/lib/analyzers/helpers/variable-tracker.d.ts +59 -0
  43. package/dist/src/lib/analyzers/helpers/variable-tracker.d.ts.map +1 -0
  44. package/dist/src/lib/analyzers/helpers/variable-tracker.js +231 -0
  45. package/dist/src/lib/analyzers/helpers/variable-tracker.js.map +1 -0
  46. package/dist/src/lib/analyzers/java/security-checks/access-control.d.ts +20 -0
  47. package/dist/src/lib/analyzers/java/security-checks/access-control.d.ts.map +1 -0
  48. package/dist/src/lib/analyzers/java/security-checks/access-control.js +129 -0
  49. package/dist/src/lib/analyzers/java/security-checks/access-control.js.map +1 -0
  50. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts +25 -0
  51. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts.map +1 -0
  52. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js +221 -0
  53. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js.map +1 -0
  54. package/dist/src/lib/analyzers/java/security-checks/code-quality.d.ts +18 -0
  55. package/dist/src/lib/analyzers/java/security-checks/code-quality.d.ts.map +1 -0
  56. package/dist/src/lib/analyzers/java/security-checks/code-quality.js +84 -0
  57. package/dist/src/lib/analyzers/java/security-checks/code-quality.js.map +1 -0
  58. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.d.ts +18 -0
  59. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.d.ts.map +1 -0
  60. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.js +161 -0
  61. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.js.map +1 -0
  62. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.d.ts +20 -0
  63. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.d.ts.map +1 -0
  64. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.js +163 -0
  65. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.js.map +1 -0
  66. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts +24 -0
  67. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  68. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js +178 -0
  69. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js.map +1 -0
  70. package/dist/src/lib/analyzers/java/security-checks/exception-handling.d.ts +25 -0
  71. package/dist/src/lib/analyzers/java/security-checks/exception-handling.d.ts.map +1 -0
  72. package/dist/src/lib/analyzers/java/security-checks/exception-handling.js +179 -0
  73. package/dist/src/lib/analyzers/java/security-checks/exception-handling.js.map +1 -0
  74. package/dist/src/lib/analyzers/java/security-checks/file-operations.d.ts +17 -0
  75. package/dist/src/lib/analyzers/java/security-checks/file-operations.d.ts.map +1 -0
  76. package/dist/src/lib/analyzers/java/security-checks/file-operations.js +67 -0
  77. package/dist/src/lib/analyzers/java/security-checks/file-operations.js.map +1 -0
  78. package/dist/src/lib/analyzers/java/security-checks/framework-security.d.ts +25 -0
  79. package/dist/src/lib/analyzers/java/security-checks/framework-security.d.ts.map +1 -0
  80. package/dist/src/lib/analyzers/java/security-checks/framework-security.js +396 -0
  81. package/dist/src/lib/analyzers/java/security-checks/framework-security.js.map +1 -0
  82. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.d.ts +20 -0
  83. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.d.ts.map +1 -0
  84. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.js +123 -0
  85. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.js.map +1 -0
  86. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts +23 -0
  87. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts.map +1 -0
  88. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js +201 -0
  89. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js.map +1 -0
  90. package/dist/src/lib/analyzers/java/security-checks/insecure-design.d.ts +20 -0
  91. package/dist/src/lib/analyzers/java/security-checks/insecure-design.d.ts.map +1 -0
  92. package/dist/src/lib/analyzers/java/security-checks/insecure-design.js +121 -0
  93. package/dist/src/lib/analyzers/java/security-checks/insecure-design.js.map +1 -0
  94. package/dist/src/lib/analyzers/java/security-checks/logging-failures.d.ts +20 -0
  95. package/dist/src/lib/analyzers/java/security-checks/logging-failures.d.ts.map +1 -0
  96. package/dist/src/lib/analyzers/java/security-checks/logging-failures.js +89 -0
  97. package/dist/src/lib/analyzers/java/security-checks/logging-failures.js.map +1 -0
  98. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.d.ts +26 -0
  99. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.d.ts.map +1 -0
  100. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.js +309 -0
  101. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.js.map +1 -0
  102. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.d.ts +18 -0
  103. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.d.ts.map +1 -0
  104. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.js +114 -0
  105. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.js.map +1 -0
  106. package/dist/src/lib/analyzers/java/utils/createVulnerability.d.ts +58 -0
  107. package/dist/src/lib/analyzers/java/utils/createVulnerability.d.ts.map +1 -0
  108. package/dist/src/lib/analyzers/java/utils/createVulnerability.js +71 -0
  109. package/dist/src/lib/analyzers/java/utils/createVulnerability.js.map +1 -0
  110. package/dist/src/lib/analyzers/java-analyzer.d.ts +209 -0
  111. package/dist/src/lib/analyzers/java-analyzer.d.ts.map +1 -0
  112. package/dist/src/lib/analyzers/java-analyzer.js +1720 -0
  113. package/dist/src/lib/analyzers/java-analyzer.js.map +1 -0
  114. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.d.ts +27 -0
  115. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.d.ts.map +1 -0
  116. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.js +123 -0
  117. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.js.map +1 -0
  118. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.d.ts +44 -0
  119. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.d.ts.map +1 -0
  120. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.js +224 -0
  121. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.js.map +1 -0
  122. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.d.ts +50 -0
  123. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.d.ts.map +1 -0
  124. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.js +284 -0
  125. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.js.map +1 -0
  126. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.d.ts +27 -0
  127. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.d.ts.map +1 -0
  128. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.js +86 -0
  129. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.js.map +1 -0
  130. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.d.ts +32 -0
  131. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.d.ts.map +1 -0
  132. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.js +44 -0
  133. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.js.map +1 -0
  134. package/dist/src/lib/analyzers/javascript/security-checks/access-control.d.ts +22 -0
  135. package/dist/src/lib/analyzers/javascript/security-checks/access-control.d.ts.map +1 -0
  136. package/dist/src/lib/analyzers/javascript/security-checks/access-control.js +168 -0
  137. package/dist/src/lib/analyzers/javascript/security-checks/access-control.js.map +1 -0
  138. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts +25 -0
  139. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts.map +1 -0
  140. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js +232 -0
  141. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js.map +1 -0
  142. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.d.ts +27 -0
  143. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.d.ts.map +1 -0
  144. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.js +222 -0
  145. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.js.map +1 -0
  146. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts +28 -0
  147. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts.map +1 -0
  148. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js +176 -0
  149. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js.map +1 -0
  150. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts +23 -0
  151. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  152. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js +113 -0
  153. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js.map +1 -0
  154. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts +28 -0
  155. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts.map +1 -0
  156. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.js +227 -0
  157. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.js.map +1 -0
  158. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.d.ts +32 -0
  159. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.d.ts.map +1 -0
  160. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.js +260 -0
  161. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.js.map +1 -0
  162. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.d.ts +26 -0
  163. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.d.ts.map +1 -0
  164. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.js +164 -0
  165. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.js.map +1 -0
  166. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.d.ts +26 -0
  167. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.d.ts.map +1 -0
  168. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.js +775 -0
  169. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.js.map +1 -0
  170. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.d.ts +25 -0
  171. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.d.ts.map +1 -0
  172. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.js +168 -0
  173. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.js.map +1 -0
  174. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.d.ts +27 -0
  175. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.d.ts.map +1 -0
  176. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.js +108 -0
  177. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.js.map +1 -0
  178. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.d.ts +28 -0
  179. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.d.ts.map +1 -0
  180. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.js +143 -0
  181. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.js.map +1 -0
  182. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.d.ts +53 -0
  183. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.d.ts.map +1 -0
  184. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.js +144 -0
  185. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.js.map +1 -0
  186. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.d.ts +72 -0
  187. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.d.ts.map +1 -0
  188. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.js +314 -0
  189. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.js.map +1 -0
  190. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.d.ts +58 -0
  191. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.d.ts.map +1 -0
  192. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.js +71 -0
  193. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.js.map +1 -0
  194. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.d.ts +36 -0
  195. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.d.ts.map +1 -0
  196. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.js +70 -0
  197. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.js.map +1 -0
  198. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.d.ts +29 -0
  199. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.d.ts.map +1 -0
  200. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.js +55 -0
  201. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.js.map +1 -0
  202. package/dist/src/lib/analyzers/javascript-analyzer.d.ts +95 -0
  203. package/dist/src/lib/analyzers/javascript-analyzer.d.ts.map +1 -0
  204. package/dist/src/lib/analyzers/javascript-analyzer.js +2141 -0
  205. package/dist/src/lib/analyzers/javascript-analyzer.js.map +1 -0
  206. package/dist/src/lib/analyzers/python/security-checks/access-control.d.ts +21 -0
  207. package/dist/src/lib/analyzers/python/security-checks/access-control.d.ts.map +1 -0
  208. package/dist/src/lib/analyzers/python/security-checks/access-control.js +305 -0
  209. package/dist/src/lib/analyzers/python/security-checks/access-control.js.map +1 -0
  210. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts +25 -0
  211. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts.map +1 -0
  212. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js +242 -0
  213. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js.map +1 -0
  214. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.d.ts +24 -0
  215. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.d.ts.map +1 -0
  216. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.js +207 -0
  217. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.js.map +1 -0
  218. package/dist/src/lib/analyzers/python/security-checks/code-quality.d.ts +27 -0
  219. package/dist/src/lib/analyzers/python/security-checks/code-quality.d.ts.map +1 -0
  220. package/dist/src/lib/analyzers/python/security-checks/code-quality.js +206 -0
  221. package/dist/src/lib/analyzers/python/security-checks/code-quality.js.map +1 -0
  222. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts +24 -0
  223. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts.map +1 -0
  224. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js +113 -0
  225. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js.map +1 -0
  226. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.d.ts +20 -0
  227. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.d.ts.map +1 -0
  228. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.js +129 -0
  229. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.js.map +1 -0
  230. package/dist/src/lib/analyzers/python/security-checks/data-integrity.d.ts +19 -0
  231. package/dist/src/lib/analyzers/python/security-checks/data-integrity.d.ts.map +1 -0
  232. package/dist/src/lib/analyzers/python/security-checks/data-integrity.js +90 -0
  233. package/dist/src/lib/analyzers/python/security-checks/data-integrity.js.map +1 -0
  234. package/dist/src/lib/analyzers/python/security-checks/deserialization.d.ts +20 -0
  235. package/dist/src/lib/analyzers/python/security-checks/deserialization.d.ts.map +1 -0
  236. package/dist/src/lib/analyzers/python/security-checks/deserialization.js +68 -0
  237. package/dist/src/lib/analyzers/python/security-checks/deserialization.js.map +1 -0
  238. package/dist/src/lib/analyzers/python/security-checks/django-security.d.ts +25 -0
  239. package/dist/src/lib/analyzers/python/security-checks/django-security.d.ts.map +1 -0
  240. package/dist/src/lib/analyzers/python/security-checks/django-security.js +180 -0
  241. package/dist/src/lib/analyzers/python/security-checks/django-security.js.map +1 -0
  242. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts +23 -0
  243. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  244. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js +127 -0
  245. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js.map +1 -0
  246. package/dist/src/lib/analyzers/python/security-checks/exception-handling.d.ts +23 -0
  247. package/dist/src/lib/analyzers/python/security-checks/exception-handling.d.ts.map +1 -0
  248. package/dist/src/lib/analyzers/python/security-checks/exception-handling.js +120 -0
  249. package/dist/src/lib/analyzers/python/security-checks/exception-handling.js.map +1 -0
  250. package/dist/src/lib/analyzers/python/security-checks/flask-security.d.ts +24 -0
  251. package/dist/src/lib/analyzers/python/security-checks/flask-security.d.ts.map +1 -0
  252. package/dist/src/lib/analyzers/python/security-checks/flask-security.js +143 -0
  253. package/dist/src/lib/analyzers/python/security-checks/flask-security.js.map +1 -0
  254. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts +28 -0
  255. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts.map +1 -0
  256. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js +174 -0
  257. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js.map +1 -0
  258. package/dist/src/lib/analyzers/python/security-checks/insecure-design.d.ts +20 -0
  259. package/dist/src/lib/analyzers/python/security-checks/insecure-design.d.ts.map +1 -0
  260. package/dist/src/lib/analyzers/python/security-checks/insecure-design.js +160 -0
  261. package/dist/src/lib/analyzers/python/security-checks/insecure-design.js.map +1 -0
  262. package/dist/src/lib/analyzers/python/security-checks/logging-failures.d.ts +20 -0
  263. package/dist/src/lib/analyzers/python/security-checks/logging-failures.d.ts.map +1 -0
  264. package/dist/src/lib/analyzers/python/security-checks/logging-failures.js +121 -0
  265. package/dist/src/lib/analyzers/python/security-checks/logging-failures.js.map +1 -0
  266. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.d.ts +26 -0
  267. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.d.ts.map +1 -0
  268. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.js +248 -0
  269. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.js.map +1 -0
  270. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.d.ts +26 -0
  271. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.d.ts.map +1 -0
  272. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.js +375 -0
  273. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.js.map +1 -0
  274. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.d.ts +26 -0
  275. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.d.ts.map +1 -0
  276. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.js +160 -0
  277. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.js.map +1 -0
  278. package/dist/src/lib/analyzers/python/security-checks/web-security.d.ts +23 -0
  279. package/dist/src/lib/analyzers/python/security-checks/web-security.d.ts.map +1 -0
  280. package/dist/src/lib/analyzers/python/security-checks/web-security.js +117 -0
  281. package/dist/src/lib/analyzers/python/security-checks/web-security.js.map +1 -0
  282. package/dist/src/lib/analyzers/python/utils/createVulnerability.d.ts +58 -0
  283. package/dist/src/lib/analyzers/python/utils/createVulnerability.d.ts.map +1 -0
  284. package/dist/src/lib/analyzers/python/utils/createVulnerability.js +71 -0
  285. package/dist/src/lib/analyzers/python/utils/createVulnerability.js.map +1 -0
  286. package/dist/src/lib/analyzers/python-analyzer.d.ts +111 -0
  287. package/dist/src/lib/analyzers/python-analyzer.d.ts.map +1 -0
  288. package/dist/src/lib/analyzers/python-analyzer.js +1600 -0
  289. package/dist/src/lib/analyzers/python-analyzer.js.map +1 -0
  290. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.d.ts +14 -0
  291. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.d.ts.map +1 -0
  292. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.js +47 -0
  293. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.js.map +1 -0
  294. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.d.ts +13 -0
  295. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.d.ts.map +1 -0
  296. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js +36 -0
  297. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js.map +1 -0
  298. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.d.ts +15 -0
  299. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.d.ts.map +1 -0
  300. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.js +68 -0
  301. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.js.map +1 -0
  302. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.d.ts +15 -0
  303. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.d.ts.map +1 -0
  304. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js +68 -0
  305. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js.map +1 -0
  306. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.d.ts +12 -0
  307. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.d.ts.map +1 -0
  308. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.js +45 -0
  309. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.js.map +1 -0
  310. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.d.ts +14 -0
  311. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.d.ts.map +1 -0
  312. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js +47 -0
  313. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js.map +1 -0
  314. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.d.ts +13 -0
  315. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.d.ts.map +1 -0
  316. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.js +36 -0
  317. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.js.map +1 -0
  318. package/dist/src/lib/analyzers/secrets/patterns/api-keys.d.ts +15 -0
  319. package/dist/src/lib/analyzers/secrets/patterns/api-keys.d.ts.map +1 -0
  320. package/dist/src/lib/analyzers/secrets/patterns/api-keys.js +32 -0
  321. package/dist/src/lib/analyzers/secrets/patterns/api-keys.js.map +1 -0
  322. package/dist/src/lib/analyzers/secrets/patterns/credentials.d.ts +15 -0
  323. package/dist/src/lib/analyzers/secrets/patterns/credentials.d.ts.map +1 -0
  324. package/dist/src/lib/analyzers/secrets/patterns/credentials.js +68 -0
  325. package/dist/src/lib/analyzers/secrets/patterns/credentials.js.map +1 -0
  326. package/dist/src/lib/analyzers/secrets/patterns/private-keys.d.ts +16 -0
  327. package/dist/src/lib/analyzers/secrets/patterns/private-keys.d.ts.map +1 -0
  328. package/dist/src/lib/analyzers/secrets/patterns/private-keys.js +79 -0
  329. package/dist/src/lib/analyzers/secrets/patterns/private-keys.js.map +1 -0
  330. package/dist/src/lib/analyzers/secrets/patterns/tokens.d.ts +15 -0
  331. package/dist/src/lib/analyzers/secrets/patterns/tokens.d.ts.map +1 -0
  332. package/dist/src/lib/analyzers/secrets/patterns/tokens.js +58 -0
  333. package/dist/src/lib/analyzers/secrets/patterns/tokens.js.map +1 -0
  334. package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts +88 -0
  335. package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts.map +1 -0
  336. package/dist/src/lib/analyzers/secrets/secrets-analyzer.js +162 -0
  337. package/dist/src/lib/analyzers/secrets/secrets-analyzer.js.map +1 -0
  338. package/dist/src/lib/analyzers/secrets/validators/context-checker.d.ts +56 -0
  339. package/dist/src/lib/analyzers/secrets/validators/context-checker.d.ts.map +1 -0
  340. package/dist/src/lib/analyzers/secrets/validators/context-checker.js +199 -0
  341. package/dist/src/lib/analyzers/secrets/validators/context-checker.js.map +1 -0
  342. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.d.ts +56 -0
  343. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.d.ts.map +1 -0
  344. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.js +102 -0
  345. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.js.map +1 -0
  346. package/dist/src/lib/analyzers/security-checks/es6-security.d.ts +38 -0
  347. package/dist/src/lib/analyzers/security-checks/es6-security.d.ts.map +1 -0
  348. package/dist/src/lib/analyzers/security-checks/es6-security.js +125 -0
  349. package/dist/src/lib/analyzers/security-checks/es6-security.js.map +1 -0
  350. package/dist/src/lib/analyzers/security-checks/python-async-security.d.ts +46 -0
  351. package/dist/src/lib/analyzers/security-checks/python-async-security.d.ts.map +1 -0
  352. package/dist/src/lib/analyzers/security-checks/python-async-security.js +92 -0
  353. package/dist/src/lib/analyzers/security-checks/python-async-security.js.map +1 -0
  354. package/dist/src/lib/analyzers/security-checks/react-security.d.ts +49 -0
  355. package/dist/src/lib/analyzers/security-checks/react-security.d.ts.map +1 -0
  356. package/dist/src/lib/analyzers/security-checks/react-security.js +125 -0
  357. package/dist/src/lib/analyzers/security-checks/react-security.js.map +1 -0
  358. package/dist/src/lib/analyzers/types.d.ts +92 -0
  359. package/dist/src/lib/analyzers/types.d.ts.map +1 -0
  360. package/dist/src/lib/analyzers/types.js +3 -0
  361. package/dist/src/lib/analyzers/types.js.map +1 -0
  362. package/dist/src/lib/analyzers/typescript/security-checks/access-control.d.ts +19 -0
  363. package/dist/src/lib/analyzers/typescript/security-checks/access-control.d.ts.map +1 -0
  364. package/dist/src/lib/analyzers/typescript/security-checks/access-control.js +210 -0
  365. package/dist/src/lib/analyzers/typescript/security-checks/access-control.js.map +1 -0
  366. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts +25 -0
  367. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts.map +1 -0
  368. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js +242 -0
  369. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js.map +1 -0
  370. package/dist/src/lib/analyzers/typescript/security-checks/authentication.d.ts +28 -0
  371. package/dist/src/lib/analyzers/typescript/security-checks/authentication.d.ts.map +1 -0
  372. package/dist/src/lib/analyzers/typescript/security-checks/authentication.js +357 -0
  373. package/dist/src/lib/analyzers/typescript/security-checks/authentication.js.map +1 -0
  374. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.d.ts +26 -0
  375. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.d.ts.map +1 -0
  376. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.js +380 -0
  377. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.js.map +1 -0
  378. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.d.ts +23 -0
  379. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.d.ts.map +1 -0
  380. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.js +109 -0
  381. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.js.map +1 -0
  382. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.d.ts +21 -0
  383. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.d.ts.map +1 -0
  384. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js +153 -0
  385. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js.map +1 -0
  386. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts +23 -0
  387. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  388. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js +146 -0
  389. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js.map +1 -0
  390. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.d.ts +23 -0
  391. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.d.ts.map +1 -0
  392. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.js +187 -0
  393. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.js.map +1 -0
  394. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.d.ts +19 -0
  395. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.d.ts.map +1 -0
  396. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.js +97 -0
  397. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.js.map +1 -0
  398. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts +29 -0
  399. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts.map +1 -0
  400. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js +319 -0
  401. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js.map +1 -0
  402. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.d.ts +21 -0
  403. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.d.ts.map +1 -0
  404. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.js +121 -0
  405. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.js.map +1 -0
  406. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts +27 -0
  407. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts.map +1 -0
  408. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js +213 -0
  409. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js.map +1 -0
  410. package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts +19 -0
  411. package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts.map +1 -0
  412. package/dist/src/lib/analyzers/typescript/security-checks/type-security.js +59 -0
  413. package/dist/src/lib/analyzers/typescript/security-checks/type-security.js.map +1 -0
  414. package/dist/src/lib/analyzers/typescript/type-checker.d.ts +17 -0
  415. package/dist/src/lib/analyzers/typescript/type-checker.d.ts.map +1 -0
  416. package/dist/src/lib/analyzers/typescript/type-checker.js +515 -0
  417. package/dist/src/lib/analyzers/typescript/type-checker.js.map +1 -0
  418. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.d.ts +58 -0
  419. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.d.ts.map +1 -0
  420. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.js +71 -0
  421. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.js.map +1 -0
  422. package/dist/src/lib/analyzers/typescript-analyzer.d.ts +116 -0
  423. package/dist/src/lib/analyzers/typescript-analyzer.d.ts.map +1 -0
  424. package/dist/src/lib/analyzers/typescript-analyzer.js +1660 -0
  425. package/dist/src/lib/analyzers/typescript-analyzer.js.map +1 -0
  426. package/dist/src/lib/security/compliance-mapping.d.ts +29 -0
  427. package/dist/src/lib/security/compliance-mapping.d.ts.map +1 -0
  428. package/dist/src/lib/security/compliance-mapping.js +1342 -0
  429. package/dist/src/lib/security/compliance-mapping.js.map +1 -0
  430. package/dist/src/lib/security/severity-scoring.d.ts +47 -0
  431. package/dist/src/lib/security/severity-scoring.d.ts.map +1 -0
  432. package/dist/src/lib/security/severity-scoring.js +965 -0
  433. package/dist/src/lib/security/severity-scoring.js.map +1 -0
  434. package/dist/src/lib/standards/references.d.ts +16 -0
  435. package/dist/src/lib/standards/references.d.ts.map +1 -0
  436. package/dist/src/lib/standards/references.js +1161 -0
  437. package/dist/src/lib/standards/references.js.map +1 -0
  438. package/dist/src/lib/types/index.d.ts +167 -0
  439. package/dist/src/lib/types/index.d.ts.map +1 -0
  440. package/dist/src/lib/types/index.js +3 -0
  441. package/dist/src/lib/types/index.js.map +1 -0
  442. package/dist/src/lib/utils/code-cleaner.d.ts +59 -0
  443. package/dist/src/lib/utils/code-cleaner.d.ts.map +1 -0
  444. package/dist/src/lib/utils/code-cleaner.js +283 -0
  445. package/dist/src/lib/utils/code-cleaner.js.map +1 -0
  446. package/package.json +51 -0
  447. package/src/commands/auth.ts +308 -0
  448. package/src/commands/config.ts +226 -0
  449. package/src/commands/init.ts +202 -0
  450. package/src/commands/scan.ts +238 -0
  451. package/src/config/config-loader.ts +175 -0
  452. package/src/reporters/cli-reporter.ts +282 -0
  453. package/src/scanner/local-scanner.ts +250 -0
  454. package/tsconfig.json +24 -0
  455. package/tsconfig.tsbuildinfo +1 -0
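--- a/package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js
+++ b/package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js
@@ -0,0 +1,113 @@
+"use strict";
+/**
+* JavaScript Enhanced Supply Chain Security Checks
+* OWASP A03:2025 - Software Supply Chain Failures (Enhanced)
+*
+* Enhanced supply chain security checks building on existing dependency scanning.
+* Focuses on runtime dependencies, package integrity, and malicious code patterns.
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkEnhancedSupplyChain = checkEnhancedSupplyChain;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+* Checks for enhanced supply chain security vulnerabilities in JavaScript code
+*
+* Covers:
+* - Check #1: Dynamic imports without integrity validation (HIGH)
+* - Check #2: Runtime dependency loading (MEDIUM)
+* - Check #3: Suspicious package patterns (HIGH)
+* - Check #4: Unrestricted CDN usage (MEDIUM)
+* - Check #5: Package typosquatting patterns (MEDIUM)
+*
+* @param lines - Array of code lines
+* @returns Array of security vulnerabilities found
+*/
+function checkEnhancedSupplyChain(lines) {
+const vulnerabilities = [];
+let inMultiLineComment = false;
+lines.forEach((line, index) => {
+const trimmedLine = line.trim();
+// CRITICAL: Track multi-line comment blocks (/* ... */)
+// But handle inline comments (/* */ on same line) correctly
+if (trimmedLine.includes('/*') && !trimmedLine.includes('*/')) {
+inMultiLineComment = true;
+}
+if (trimmedLine.includes('*/') && inMultiLineComment) {
+inMultiLineComment = false;
+return; // Skip the line with */
+}
+// CRITICAL: Skip all lines inside multi-line comments and single-line comments
+if (!trimmedLine ||
+inMultiLineComment ||
+trimmedLine.startsWith('//') ||
+trimmedLine.startsWith('*')) {
+return;
+}
+const lowerLine = trimmedLine.toLowerCase();
+// Check #1: Dynamic imports without integrity validation
+// Exclude localhost and 127.0.0.1 (development URLs)
+if ((lowerLine.includes('import(') || lowerLine.includes('require(')) &&
+(lowerLine.includes('http://') || lowerLine.includes('https://')) &&
+!lowerLine.includes('localhost') && !lowerLine.includes('127.0.0.1') &&
+!lowerLine.includes('integrity') && !lowerLine.includes('sha')) {
+vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('dynamic-import-no-integrity', 'Dynamic import from URL without integrity validation', 'Use subresource integrity (SRI) or validate package hashes for remote imports', index + 1, 'Dynamic imports without integrity validation can load malicious code from compromised sources', 'import("https://cdn.example.com/lib.js") // no integrity check', [
+'Malicious code injection from compromised CDNs',
+'Supply chain attacks through modified packages',
+'Man-in-the-middle attacks on package loading',
+'Runtime code modification and backdoor installation'
+], 'import("https://cdn.example.com/lib.js")', 'import("https://cdn.example.com/lib.js").then(validateIntegrity)', 'Dynamic imports from remote sources should validate package integrity to prevent supply chain attacks'));
+}
+// Check #2: Runtime dependency loading with eval or Function
+if ((lowerLine.includes('eval(') || lowerLine.includes('function(')) &&
+(lowerLine.includes('require') || lowerLine.includes('import') ||
+lowerLine.includes('fetch'))) {
+vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('runtime-dependency-loading', 'Runtime dependency loading using eval or Function constructor', 'Use static imports or validated dynamic imports instead of runtime code evaluation', index + 1, 'Runtime dependency loading can execute arbitrary code and enable supply chain attacks', 'eval(`require("${userInput}")`) // arbitrary package loading', [
+'Arbitrary package execution from user input',
+'Supply chain attacks through malicious packages',
+'Code injection via dependency names',
+'Bypass of static analysis and security tools'
+], 'eval(`require("${packageName}")`)', 'const allowedPackages = ["safe-pkg1", "safe-pkg2"]; if (allowedPackages.includes(packageName)) { require(packageName) }', 'Runtime dependency loading bypasses security controls and enables arbitrary code execution'));
+}
+// Check #3: Suspicious package patterns (common typosquatting names)
+if ((lowerLine.includes('require(') || lowerLine.includes('import ')) &&
+(lowerLine.includes('"lodahs"') || lowerLine.includes("'lodahs'") ||
+lowerLine.includes('"expres"') || lowerLine.includes("'expres'") ||
+lowerLine.includes('"reqwest"') || lowerLine.includes("'reqwest'") ||
+lowerLine.includes('"socket.i0"') || lowerLine.includes("'socket.i0'") ||
+lowerLine.includes('"babeljs"') || lowerLine.includes("'babeljs'"))) {
+vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('suspicious-package-pattern', 'Potentially typosquatted package name detected', 'Verify package names carefully and use official package registries', index + 1, 'Typosquatting packages can contain malicious code that mimics legitimate packages', 'require("lodahs") // should be "lodash"', [
+'Malicious code execution from fake packages',
+'Data theft and credential harvesting',
+'Backdoor installation and remote access',
+'Supply chain compromise through package confusion'
+], 'require("lodahs")', 'require("lodash") // verify correct package name', 'Typosquatting packages exploit common typos to distribute malicious code'));
+}
+// Check #4: Unrestricted CDN usage
+if ((lowerLine.includes('src=') || lowerLine.includes('href=')) &&
+(lowerLine.includes('unpkg.com') || lowerLine.includes('jsdelivr.net') ||
+lowerLine.includes('cdnjs.cloudflare.com')) &&
+!lowerLine.includes('integrity=')) {
+vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('unrestricted-cdn-usage', 'CDN resource loaded without subresource integrity', 'Add integrity attribute with SHA hash for CDN resources', index + 1, 'CDN resources without integrity checks can be compromised and serve malicious content', '<script src="https://unpkg.com/lib@1.0.0/dist/lib.js"></script> // no integrity', [
+'CDN compromise serving malicious scripts',
+'Supply chain attacks through modified CDN content',
+'Man-in-the-middle attacks on CDN requests',
+'Unauthorized code modification and injection'
+], 'src="https://unpkg.com/lib@1.0.0/dist/lib.js"', 'src="https://unpkg.com/lib@1.0.0/dist/lib.js" integrity="sha384-..."', 'CDN resources should use subresource integrity to prevent tampering'));
+}
+// Check #5: Package typosquatting patterns in strings
+if ((lowerLine.includes('npm install') || lowerLine.includes('yarn add')) &&
+(lowerLine.includes('reactjs') || lowerLine.includes('react-js') ||
+lowerLine.includes('vue-js') || lowerLine.includes('vuejs') ||
+lowerLine.includes('angularjs') || lowerLine.includes('angular-js') ||
+lowerLine.includes('jquery-') || lowerLine.includes('jqeury'))) {
+vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('package-typosquatting-pattern', 'Package name follows common typosquatting pattern', 'Verify official package names and avoid packages with suspicious naming patterns', index + 1, 'Package names that mimic popular packages may contain malicious code', 'npm install reactjs // should be "react"', [
+'Installation of malicious packages instead of legitimate ones',
+'Supply chain attacks through package confusion',
+'Backdoor code execution in development and production',
+'Credential theft and data exfiltration'
+], 'npm install reactjs', 'npm install react // use official package name', 'Package names should be verified against official registries to avoid typosquatting attacks'));
+}
+});
+return vulnerabilities;
+}
+//# sourceMappingURL=enhanced-supply-chain.js.map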
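Review bot: Check #2 (the `eval(`/`function(` test under the `// Check #2` comment) reports every ordinary anonymous function, because the line is lowercased before `includes('function(')`: `app.get('/users', function(req, res) { fetch(...)` or `const fetchAll = function() {` is flagged as runtime dependency loading through the Function constructor, while the real target, `new Function(...)`, is only hit as a substring by accident. Match the un-lowercased line instead, e.g. `if (/\beval\s*\(|\bnew\s+Function\s*\(/.test(trimmedLine) && /\b(require|import|fetch)\b/i.test(trimmedLine))`. Check #1 has two smaller problems: `!lowerLine.includes('sha')` suppresses any URL containing that substring (`shared.js`, `marshal.js`), and the suggested fix `import("https://cdn.example.com/lib.js").then(validateIntegrity)` validates only after the remote module has already executed, since `import()` has no SRI attribute. The remediation text should describe fetching the bytes, comparing them against a pinned hash, and only then evaluating them (or vendoring the dependency at build time), and the `'sha'` exclusion should be dropped or tightened to `integrity`/`sha256-`/`sha384-`/`sha512-`.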
@@ -0,0 +1 @@
1
+ {"version":3,"file":"enhanced-supply-chain.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAkBH,4DAqKC;AApLD,sEAAqF;AAErF;;;;;;;;;;;;GAYG;AACH,SAAgB,wBAAwB,CACtC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEhC,wDAAwD;QACxD,4DAA4D;QAC5D,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9D,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,kBAAkB,EAAE,CAAC;YACrD,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO,CAAC,wBAAwB;QAClC,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,WAAW;YACZ,kBAAkB;YAClB,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC;YAC5B,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;QAE5C,yDAAyD;QACzD,qDAAqD;QACrD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YACjE,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YACjE,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;YACpE,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACnE,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,6BAA6B,EAC7B,sDAAsD,EACtD,+EAA+E,EAC/E,KAAK,GAAG,CAAC,EACT,+FAA+F,EAC/F,gEAAgE,EAChE;gBACE,gDAAgD;gBAChD,gDAAgD;gBAChD,8CAA8C;gBAC9C,qDAAqD;aACtD,EACD,0CAA0C,EAC1C,kEAAkE,EAClE,uGAAuG,CACxG,CACF,CAAC;QACJ,CAAC;QAED,6DAA6D;QAC7D,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAChE,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAC7D,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YAClC,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,4BAA4B,EAC5B,+DAA+D,EAC/D,oFAAoF,EACpF,KAAK,GAAG,CAAC,EACT,uFAAuF,EACvF,8DAA8D,EAC9D;gBACE,6CAA6C;gBAC7C,iDAAiD;gBACjD,qCAAqC;gBACrC,8CAA8C;aAC/C,EACD,mCAAmC,EACnC,yHAAyH,EACzH,4FA
A4F,CAC7F,CACF,CAAC;QACJ,CAAC;QAED,qEAAqE;QACrE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YACjE,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAChE,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAChE,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAClE,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC;gBACtE,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;YACzE,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,4BAA4B,EAC5B,gDAAgD,EAChD,oEAAoE,EACpE,KAAK,GAAG,CAAC,EACT,mFAAmF,EACnF,yCAAyC,EACzC;gBACE,6CAA6C;gBAC7C,sCAAsC;gBACtC,yCAAyC;gBACzC,mDAAmD;aACpD,EACD,mBAAmB,EACnB,kDAAkD,EAClD,0EAA0E,CAC3E,CACF,CAAC;QACJ,CAAC;QAED,mCAAmC;QACnC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC3D,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC;gBACrE,SAAS,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;YAC5C,CAAC,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YACtC,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,wBAAwB,EACxB,mDAAmD,EACnD,yDAAyD,EACzD,KAAK,GAAG,CAAC,EACT,uFAAuF,EACvF,iFAAiF,EACjF;gBACE,0CAA0C;gBAC1C,mDAAmD;gBACnD,2CAA2C;gBAC3C,8CAA8C;aAC/C,EACD,+CAA+C,EAC/C,sEAAsE,EACtE,qEAAqE,CACtE,CACF,CAAC;QACJ,CAAC;QAED,sDAAsD;QACtD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YACrE,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAC/D,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAC3D,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC;gBACnE,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YACpE,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,+BAA+B,EAC/B,mDAAmD,EACnD,kFAAkF,EAClF,KAAK,GAAG,CAAC,EACT,sEAAsE,EACtE,0CAA0C,EAC1C;gBACE,+DAA+D;gBAC/D,gDAAgD;gBAChD,uDAAuD;gBACvD,wCAAwC;aACzC,EACD,qBAAqB,EACrB,gDAAgD,EAChD,6FAA6F,CAC9F,CACF,CAAC;QACJ,CAAC;IAEH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
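--- a/package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts
+++ b/package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts
@@ -0,0 +1,28 @@
+/**
+* JavaScript Exception Handling Security Checks
+* OWASP A10:2025 - Mishandling of Exceptional Conditions
+*
+* Detects improper exception handling that can lead to security vulnerabilities.
+* This is a completely NEW category in OWASP 2025.
+*/
+import { SecurityVulnerability } from '../../types';
+/**
+* Checks for exception handling security vulnerabilities in JavaScript code
+*
+* Covers (Enhanced Dec 30, 2025 - Phase 3):
+* - Check #1: Unhandled Promise rejections (HIGH)
+* - Check #2: Empty catch blocks (MEDIUM) - FIXED pattern
+* - Check #3: Catching and ignoring errors (MEDIUM)
+* - Check #4: Error objects exposed in responses (HIGH)
+* - Check #5: Resource cleanup missing in exceptions (MEDIUM)
+* - Check #6: Missing audit logging for security events (HIGH) - NEW
+* - Check #7: Missing failure logging (authentication/authorization) (MEDIUM) - NEW
+* - Check #8: Sensitive data in logs (CRITICAL) - NEW
+* - Check #9: Log injection vulnerabilities (HIGH) - NEW
+* - Check #10: Missing error logging in critical operations (MEDIUM) - NEW
+*
+* @param lines - Array of code lines
+* @returns Array of security vulnerabilities found
+*/
+export declare function checkExceptionHandling(lines: string[]): SecurityVulnerability[];
+//# sourceMappingURL=exception-handling.d.ts.map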
@@ -0,0 +1 @@
1
+ {"version":3,"file":"exception-handling.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/exception-handling.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CAmWzB"}
@@ -0,0 +1,227 @@
1
+ "use strict";
2
+ /**
3
+ * JavaScript Exception Handling Security Checks
4
+ * OWASP A10:2025 - Mishandling of Exceptional Conditions
5
+ *
6
+ * Detects improper exception handling that can lead to security vulnerabilities.
7
+ * This is a completely NEW category in OWASP 2025.
8
+ */
9
+ Object.defineProperty(exports, "__esModule", { value: true });
10
+ exports.checkExceptionHandling = checkExceptionHandling;
11
+ const createVulnerability_1 = require("../utils/createVulnerability");
12
+ /**
13
+ * Checks for exception handling security vulnerabilities in JavaScript code
14
+ *
15
+ * Covers (Enhanced Dec 30, 2025 - Phase 3):
16
+ * - Check #1: Unhandled Promise rejections (HIGH)
17
+ * - Check #2: Empty catch blocks (MEDIUM) - FIXED pattern
18
+ * - Check #3: Catching and ignoring errors (MEDIUM)
19
+ * - Check #4: Error objects exposed in responses (HIGH)
20
+ * - Check #5: Resource cleanup missing in exceptions (MEDIUM)
21
+ * - Check #6: Missing audit logging for security events (HIGH) - NEW
22
+ * - Check #7: Missing failure logging (authentication/authorization) (MEDIUM) - NEW
23
+ * - Check #8: Sensitive data in logs (CRITICAL) - NEW
24
+ * - Check #9: Log injection vulnerabilities (HIGH) - NEW
25
+ * - Check #10: Missing error logging in critical operations (MEDIUM) - NEW
26
+ *
27
+ * @param lines - Array of code lines
28
+ * @returns Array of security vulnerabilities found
29
+ */
30
+ function checkExceptionHandling(lines) {
31
+ const vulnerabilities = [];
32
+ let inMultiLineComment = false;
33
+ lines.forEach((line, index) => {
34
+ const trimmedLine = line.trim();
35
+ // CRITICAL: Track multi-line comment blocks (/* ... */)
36
+ if (trimmedLine.includes('/*')) {
37
+ inMultiLineComment = true;
38
+ }
39
+ if (trimmedLine.includes('*/')) {
40
+ inMultiLineComment = false;
41
+ return; // Skip the line with */
42
+ }
43
+ // CRITICAL: Skip all lines inside multi-line comments and single-line comments
44
+ if (!trimmedLine ||
45
+ inMultiLineComment ||
46
+ trimmedLine.startsWith('//') ||
47
+ trimmedLine.startsWith('*')) {
48
+ return;
49
+ }
50
+ const lowerLine = trimmedLine.toLowerCase();
51
+ // Check #1: Unhandled Promise rejections
52
+ // Only trigger on lines that START a promise chain (not continuation lines)
53
+ if ((lowerLine.includes('promise') ||
54
+ (lowerLine.includes('.then(') && !trimmedLine.startsWith('.'))) &&
55
+ !lowerLine.includes('.catch(') &&
56
+ !lines.slice(index, Math.min(index + 5, lines.length)).some(nextLine => nextLine.toLowerCase().includes('.catch('))) {
57
+ vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('unhandled-promise-rejection', 'Promise without catch handler may cause unhandled rejections', 'Add .catch() handler or use try-catch with async/await', index + 1, 'Unhandled promise rejections can crash Node.js applications and expose error details', 'fetch("/api/data").then(data => process(data)); // no error handling', [
58
+ 'Application crashes in Node.js environment',
59
+ 'Sensitive error information exposure',
60
+ 'Service unavailability and denial of service',
61
+ 'Memory leaks from unresolved promises'
62
+ ], 'fetch("/api/data").then(data => process(data));', 'fetch("/api/data").then(data => process(data)).catch(err => logger.error("Request failed"));', 'Unhandled promise rejections can crash applications and expose sensitive debugging information'));
63
+ }
64
+ // Check #2: Empty catch blocks
65
+ // FIX (Dec 30, 2025): Handle spaces in empty blocks: { } and {}
66
+ // Detect: catch (e) {}, catch (e) { }, catch { } on same line OR multi-line empty blocks
67
+ const emptyCatchPattern = /catch\s*(?:\([^)]*\))?\s*\{\s*\}/i; // Matches { } and {}
68
+ const isEmptyCatchSameLine = trimmedLine.match(emptyCatchPattern);
69
+ const isEmptyCatchMultiLine = lowerLine.includes('catch') &&
70
+ lowerLine.includes('{') &&
71
+ index + 1 < lines.length &&
72
+ lines[index + 1].trim() === '}';
73
+ if (isEmptyCatchSameLine || isEmptyCatchMultiLine) {
74
+ vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('empty-catch-block', 'Empty catch block silently ignores exceptions', 'Add proper error handling, logging, or re-throw the exception', index + 1, 'Silent exception suppression can hide security issues and cause unpredictable behavior', 'try { riskyOperation(); } catch (e) {} // error completely ignored', [
75
+ 'Security vulnerabilities hidden and undetected',
76
+ 'Application state corruption from ignored errors',
77
+ 'Debugging difficulties and maintenance issues',
78
+ 'Potential for cascading failures'
79
+ ], 'try { operation(); } catch (e) {}', 'try { operation(); } catch (e) { logger.error("Operation failed", e); throw e; }', 'Empty catch blocks prevent error visibility and can hide security-critical failures'));
80
+ }
81
+ // Check #3: Catching and ignoring specific errors
82
+ if (lowerLine.includes('catch') &&
83
+ (lowerLine.includes('// ignore') || lowerLine.includes('/* ignore') ||
84
+ lowerLine.includes('return') || lowerLine.includes('continue'))) {
85
+ vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('ignored-exception', 'Exception caught but improperly ignored or suppressed', 'Log the exception and handle it appropriately instead of ignoring', index + 1, 'Ignoring exceptions can mask security vulnerabilities and lead to unpredictable application behavior', 'catch (SecurityError) { return; } // security error silently ignored', [
86
+ 'Security exceptions masked and unaddressed',
87
+ 'Authentication and authorization bypasses',
88
+ 'Data integrity issues from ignored validation errors',
89
+ 'Audit trail gaps from suppressed security events'
90
+ ], 'catch (e) { return; } // ignore error', 'catch (e) { logger.warn("Operation failed, using fallback", e); return fallbackValue; }', 'Ignoring exceptions without proper handling can hide security-critical issues'));
91
+ }
92
+ // Check #4: Error objects exposed in HTTP responses
93
+ if ((lowerLine.includes('res.send') || lowerLine.includes('response.send') ||
94
+ lowerLine.includes('res.json') || lowerLine.includes('response.json')) &&
95
+ (lowerLine.includes('error') || lowerLine.includes('err')) &&
96
+ lowerLine.includes('.')) {
97
+ vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('error-object-exposure', 'Error object may be exposed in HTTP response', 'Return generic error messages to clients, log detailed errors server-side', index + 1, 'Exposing error objects reveals sensitive internal information including stack traces and file paths', 'res.json({ error: err.stack }); // exposes full stack trace to client', [
98
+ 'Internal application structure exposure',
99
+ 'File paths and directory structure revelation',
100
+ 'Database schema and connection details disclosure',
101
+ 'Third-party service configuration exposure'
102
+ ], 'res.send(error.message);', 'logger.error("Request failed", error); res.status(500).send("Internal server error");', 'Error objects contain sensitive debugging information that should not be exposed to clients'));
103
+ }
104
+ // Check #5: Resource cleanup missing in exception scenarios
105
+ if ((lowerLine.includes('connection') || lowerLine.includes('stream') ||
106
+ lowerLine.includes('file') || lowerLine.includes('socket') ||
107
+ lowerLine.includes('db.') || lowerLine.includes('database')) &&
108
+ (lowerLine.includes('.open') || lowerLine.includes('.connect') ||
109
+ lowerLine.includes('.create') || lowerLine.includes('new ')) &&
110
+ !lines.slice(index, Math.min(index + 10, lines.length)).some(nextLine => nextLine.toLowerCase().includes('finally') ||
111
+ nextLine.toLowerCase().includes('.close') ||
112
+ nextLine.toLowerCase().includes('.end'))) {
113
+ vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('missing-resource-cleanup', 'Resource may not be properly cleaned up in exception scenarios', 'Use finally blocks or try-with-resources pattern to ensure cleanup', index + 1, 'Improper resource cleanup during exceptions can lead to resource leaks and denial of service', 'const conn = database.connect(); // no finally block for cleanup', [
114
+ 'Memory leaks from unclosed resources',
115
+ 'File descriptor exhaustion',
116
+ 'Database connection pool depletion',
117
+ 'Denial of service from resource exhaustion'
118
+ ], 'const connection = db.connect();', 'const connection = db.connect(); try { /* operations */ } finally { connection.close(); }', 'Resources opened without guaranteed cleanup can cause leaks when exceptions occur'));
119
+ }
120
+ // =============================================================================
121
+ // PHASE 3 ENHANCEMENTS (Dec 30, 2025) - A09 Logging & Monitoring
122
+ // =============================================================================
123
+ // Check #6: Missing audit logging for security events (HIGH)
124
+ // Pattern: Login success without logging the event
125
+ const loginSuccessPattern = /(req\.session\.userId|session\.user|jwt\.sign|res\.json.*token|res\.cookie.*token)/i;
126
+ const isLoginRoute = /\.(post|put)\s*\(\s*['"`]\/(login|auth|signin)/i.test(trimmedLine);
127
+ if (trimmedLine.match(loginSuccessPattern) || isLoginRoute) {
128
+ // Check for logging in nearby lines
129
+ const contextLines = lines.slice(Math.max(0, index - 5), Math.min(index + 10, lines.length));
130
+ const hasLogging = contextLines.some(l => {
131
+ const lowerContextLine = l.toLowerCase();
132
+ return lowerContextLine.includes('logger.') ||
133
+ lowerContextLine.includes('log.') ||
134
+ lowerContextLine.includes('console.log') ||
135
+ lowerContextLine.includes('audit') ||
136
+ lowerContextLine.includes('logEvent');
137
+ });
138
+ if (!hasLogging && (trimmedLine.match(loginSuccessPattern) || isLoginRoute)) {
139
+ vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('missing-audit-logging', 'Security event (login/authentication) not logged - audit trail gap', 'Log all security events: logger.info("Login successful", { userId, ip: req.ip, timestamp })', index + 1, 'Missing audit logs for security-critical events prevents incident detection, forensic analysis, and compliance with regulatory requirements (SOC 2, PCI-DSS, HIPAA).', 'User logs in successfully → No log entry → Account takeover undetected → No forensic trail', [
140
+ 'Impossible to detect unauthorized access',
141
+ 'No forensic evidence for security incidents',
142
+ 'Compliance violations (SOC 2, PCI-DSS 10.2, HIPAA)',
143
+ 'Cannot track login patterns or anomalies',
144
+ 'Accountability gaps for security events'
145
+ ], 'req.session.userId = user.id; // No audit log', 'logger.info("Login successful", { userId: user.id, ip: req.ip, userAgent: req.headers["user-agent"], timestamp: new Date() });\nreq.session.userId = user.id;', 'Log ALL security events: successful logins, failed logins, logouts, password changes, privilege escalations, access denials. Include: user ID, IP, timestamp, user agent.'));
146
+ }
147
+ }
148
+ // Check #7: Missing failure logging (authentication/authorization) (MEDIUM)
149
+ // Pattern: 401/403 responses without logging
150
+ const failureResponsePattern = /res\.status\s*\(\s*(401|403)\s*\)/i;
151
+ if (trimmedLine.match(failureResponsePattern)) {
152
+ // Check for logging before the response
153
+ const previousLines = lines.slice(Math.max(0, index - 5), index);
154
+ const hasFailureLogging = previousLines.some(l => {
155
+ const lowerLine = l.toLowerCase();
156
+ return lowerLine.includes('logger.') ||
157
+ lowerLine.includes('log.') ||
158
+ lowerLine.includes('console.log');
159
+ });
160
+ if (!hasFailureLogging) {
161
+ vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('missing-failure-logging', 'Authentication/authorization failure not logged - security monitoring gap', 'Log failures: logger.warn("Auth failed", { userId, ip, reason, timestamp })', index + 1, 'Failing to log authentication and authorization failures prevents detection of brute-force attacks, credential stuffing, and privilege escalation attempts.', '100 failed login attempts → Not logged → Brute-force attack undetected → Account compromised', [
162
+ 'Brute-force attacks go undetected',
163
+ 'Credential stuffing attempts invisible',
164
+ 'Cannot implement account lockout',
165
+ 'No anomaly detection possible',
166
+ 'Compliance violations (PCI-DSS 10.2.4, 10.2.5)'
167
+ ], 'return res.status(401).send("Unauthorized"); // No log', 'logger.warn("Authentication failed", { email: req.body.email, ip: req.ip, reason: "invalid credentials" });\nreturn res.status(401).send("Unauthorized");', 'Log ALL authentication and authorization failures with user identifier, IP address, timestamp, and failure reason.'));
168
+ }
169
+ }
170
+ // Check #8: Sensitive data in logs (CRITICAL)
171
+ // Pattern: Logging passwords, tokens, credit cards, SSN, etc.
172
+ const sensitiveDataPattern = /(logger|console\.log|log\.).*\b(password|passwd|pwd|token|secret|apikey|api_key|creditcard|ssn|cvv|pin)\b/i;
173
+ if (trimmedLine.match(sensitiveDataPattern)) {
174
+ vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('sensitive-data-in-logs', 'CRITICAL: Sensitive data (password/token/secret) logged - credential exposure risk', 'Never log sensitive data. Redact passwords, tokens, and PII before logging', index + 1, 'Logging sensitive data (passwords, tokens, API keys, credit cards, SSN) exposes credentials in log files, which are often stored insecurely, backed up, or accessible to multiple teams.', 'logger.info("Login attempt", req.body) → Password in logs → Log file stolen → All credentials exposed', [
175
+ 'Credential exposure in log files',
176
+ 'API keys and secrets leaked',
177
+ 'Credit card data exposure (PCI-DSS violation)',
178
+ 'PII leakage (GDPR/CCPA violation)',
179
+ 'Log aggregation tools expose secrets',
180
+ 'Permanent record of sensitive data'
181
+ ], 'logger.info("User data:", { password, token, creditCard });', 'logger.info("User data:", { email, role }); // Exclude sensitive fields\n// OR use redaction:\nconst safeData = { ...userData, password: "[REDACTED]", token: "[REDACTED]" };', 'NEVER log passwords, tokens, secrets, API keys, credit cards, SSN, or other sensitive data. Implement automatic redaction for sensitive fields.'));
182
+ }
183
+ // Check #9: Log injection vulnerabilities (HIGH)
184
+ // Pattern: User input directly in log messages without sanitization
185
+ const logInjectionPattern = /(logger|console\.log|log\.).*\b(req\.body|req\.query|req\.params|userInput|user\.\w+)\b/i;
186
+ if (trimmedLine.match(logInjectionPattern)) {
187
+ // Check if input is sanitized
188
+ const hasSanitization = trimmedLine.includes('JSON.stringify') ||
189
+ trimmedLine.includes('.replace') ||
190
+ trimmedLine.includes('sanitize') ||
191
+ trimmedLine.includes('escape');
192
+ if (!hasSanitization) {
193
+ vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('log-injection', 'Log injection: User input in logs without sanitization - enables log poisoning', 'Sanitize user input before logging: logger.info("Input:", JSON.stringify(req.body))', index + 1, 'Including unsanitized user input in log messages enables log injection attacks, where attackers can inject newlines and fake log entries to hide malicious activity or trigger log parsing vulnerabilities.', 'logger.info("User: " + req.body.username) → Attacker sends username="admin\\n[SUCCESS] Logged in as admin" → Fake admin login in logs', [
194
+ 'Log poisoning and fake entries',
195
+ 'Hiding malicious activity in logs',
196
+ 'Log parsing vulnerabilities',
197
+ 'SIEM evasion',
198
+ 'Forensic evidence corruption'
199
+ ], 'logger.info("User input: " + req.body.name);', 'logger.info("User input:", JSON.stringify(req.body.name)); // Safely serialized', 'Always sanitize or serialize user input before including in logs. Use JSON.stringify() or remove newlines to prevent log injection.'));
200
+ }
201
+ }
202
+ // Check #10: Missing error logging in critical operations (MEDIUM)
203
+ // Pattern: Database operations, payment processing without error logging
204
+ const criticalOperationPattern = /(db\.|database\.|stripe\.|payment\.|charge\.|transfer\.).*\.(create|update|delete|charge|transfer)/i;
205
+ if (trimmedLine.match(criticalOperationPattern)) {
206
+ // Check for error handling with logging
207
+ const nextLines = lines.slice(index, Math.min(index + 10, lines.length));
208
+ const hasTryCatch = nextLines.some(l => l.toLowerCase().includes('try') || l.toLowerCase().includes('catch'));
209
+ const hasLogging = nextLines.some(l => {
210
+ const lowerLine = l.toLowerCase();
211
+ return (lowerLine.includes('catch') || lowerLine.includes('error')) &&
212
+ (lowerLine.includes('logger.') || lowerLine.includes('log.'));
213
+ });
214
+ if (!hasTryCatch || !hasLogging) {
215
+ vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('missing-critical-error-logging', 'Critical operation (database/payment) without error logging', 'Wrap in try-catch with logging: try { operation } catch (err) { logger.error("Op failed", err) }', index + 1, 'Critical operations (database writes, payments, transfers) without error logging make it impossible to detect and diagnose failures, financial errors, or security incidents.', 'Database write fails silently → Data loss undetected → Business impact unknown', [
216
+ 'Silent failures in critical operations',
217
+ 'Financial transaction errors undetected',
218
+ 'Data loss without notification',
219
+ 'Impossible to diagnose production issues',
220
+ 'Compliance gaps for financial operations'
221
+ ], 'await db.users.update({ id }, { role: "admin" }); // No error handling', 'try {\n await db.users.update({ id }, { role: "admin" });\n logger.info("User role updated", { userId: id, newRole: "admin" });\n} catch (err) {\n logger.error("Failed to update user role", { userId: id, error: err });\n throw err;\n}', 'Wrap all critical operations in try-catch blocks with comprehensive error logging including context (user, operation, timestamp).'));
222
+ }
223
+ }
224
+ });
225
+ return vulnerabilities;
226
+ }
227
+ //# sourceMappingURL=exception-handling.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"exception-handling.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/exception-handling.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAuBH,wDAqWC;AAzXD,sEAAqF;AAErF;;;;;;;;;;;;;;;;;GAiBG;AACH,SAAgB,sBAAsB,CACpC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEhC,wDAAwD;QACxD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO,CAAC,wBAAwB;QAClC,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,WAAW;YACZ,kBAAkB;YAClB,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC;YAC5B,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;QAE5C,yCAAyC;QACzC,4EAA4E;QAC5E,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC7B,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;YAChE,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC9B,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CACrE,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;YAClD,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,6BAA6B,EAC7B,8DAA8D,EAC9D,wDAAwD,EACxD,KAAK,GAAG,CAAC,EACT,sFAAsF,EACtF,sEAAsE,EACtE;gBACE,4CAA4C;gBAC5C,sCAAsC;gBACtC,8CAA8C;gBAC9C,uCAAuC;aACxC,EACD,iDAAiD,EACjD,8FAA8F,EAC9F,gGAAgG,CACjG,CACF,CAAC;QACJ,CAAC;QAED,+BAA+B;QAC/B,gEAAgE;QAChE,yFAAyF;QACzF,MAAM,iBAAiB,GAAG,mCAAmC,CAAC,CAAC,qBAAqB;QACpF,MAAM,oBAAoB,GAAG,WAAW,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;QAClE,MAAM,qBAAqB,GAAG,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC;YAC1B,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC;YACvB,KAAK,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM;YACxB,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,GAAG,CAAC;QAE/D,IAAI,oBAAoB,IAAI,qBAAqB,EAAE,CAAC;YAClD,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,mBAAmB,EACnB,+CAA+C,EAC/C,+DAA+D,EAC/D,KAAK,GAAG,
CAAC,EACT,wFAAwF,EACxF,oEAAoE,EACpE;gBACE,gDAAgD;gBAChD,kDAAkD;gBAClD,+CAA+C;gBAC/C,kCAAkC;aACnC,EACD,mCAAmC,EACnC,kFAAkF,EAClF,qFAAqF,CACtF,CACF,CAAC;QACJ,CAAC;QAED,kDAAkD;QAClD,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC;YAC3B,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAClE,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;YACrE,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,mBAAmB,EACnB,uDAAuD,EACvD,mEAAmE,EACnE,KAAK,GAAG,CAAC,EACT,sGAAsG,EACtG,sEAAsE,EACtE;gBACE,4CAA4C;gBAC5C,2CAA2C;gBAC3C,sDAAsD;gBACtD,kDAAkD;aACnD,EACD,uCAAuC,EACvC,yFAAyF,EACzF,+EAA+E,CAChF,CACF,CAAC;QACJ,CAAC;QAED,oDAAoD;QACpD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC;YACrE,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;YACvE,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC1D,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5B,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,uBAAuB,EACvB,8CAA8C,EAC9C,2EAA2E,EAC3E,KAAK,GAAG,CAAC,EACT,qGAAqG,EACrG,uEAAuE,EACvE;gBACE,yCAAyC;gBACzC,+CAA+C;gBAC/C,mDAAmD;gBACnD,4CAA4C;aAC7C,EACD,0BAA0B,EAC1B,uFAAuF,EACvF,6FAA6F,CAC9F,CACF,CAAC;QACJ,CAAC;QAED,4DAA4D;QAC5D,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAChE,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC1D,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YAC7D,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAC7D,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC7D,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CACtE,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAC1C,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBACzC,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;YAC/C,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,0BAA0B,EAC1B,gEAAgE,EAChE,oEAAoE,EACpE,KAAK,GAAG,CAAC,EACT,8FAA8F,EAC9F,k
EAAkE,EAClE;gBACE,sCAAsC;gBACtC,4BAA4B;gBAC5B,oCAAoC;gBACpC,4CAA4C;aAC7C,EACD,kCAAkC,EAClC,2FAA2F,EAC3F,mFAAmF,CACpF,CACF,CAAC;QACJ,CAAC;QAED,gFAAgF;QAChF,iEAAiE;QACjE,gFAAgF;QAEhF,6DAA6D;QAC7D,mDAAmD;QACnD,MAAM,mBAAmB,GAAG,qFAAqF,CAAC;QAClH,MAAM,YAAY,GAAG,iDAAiD,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAEzF,IAAI,WAAW,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAI,YAAY,EAAE,CAAC;YAC3D,oCAAoC;YACpC,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YAC7F,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBACvC,MAAM,gBAAgB,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBACzC,OAAO,gBAAgB,CAAC,QAAQ,CAAC,SAAS,CAAC;oBACpC,gBAAgB,CAAC,QAAQ,CAAC,MAAM,CAAC;oBACjC,gBAAgB,CAAC,QAAQ,CAAC,aAAa,CAAC;oBACxC,gBAAgB,CAAC,QAAQ,CAAC,OAAO,CAAC;oBAClC,gBAAgB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YAC/C,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,UAAU,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAI,YAAY,CAAC,EAAE,CAAC;gBAC5E,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,uBAAuB,EACvB,oEAAoE,EACpE,6FAA6F,EAC7F,KAAK,GAAG,CAAC,EACT,sKAAsK,EACtK,4FAA4F,EAC5F;oBACE,0CAA0C;oBAC1C,6CAA6C;oBAC7C,oDAAoD;oBACpD,0CAA0C;oBAC1C,yCAAyC;iBAC1C,EACD,+CAA+C,EAC/C,+JAA+J,EAC/J,2KAA2K,CAC5K,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,4EAA4E;QAC5E,6CAA6C;QAC7C,MAAM,sBAAsB,GAAG,oCAAoC,CAAC;QAEpE,IAAI,WAAW,CAAC,KAAK,CAAC,sBAAsB,CAAC,EAAE,CAAC;YAC9C,wCAAwC;YACxC,MAAM,aAAa,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;YACjE,MAAM,iBAAiB,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAC/C,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;oBAC7B,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAC1B,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YAC3C,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACvB,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,yBAAyB,EACzB,2EAA2E,EAC3E,6EAA6E,EAC7E,KAAK,GAAG,CAAC,EACT,6JAA6J,EAC7J,8FAA8F,EAC9F;oBACE,mCAAmC;oBACnC,wCAAwC;oBACxC,kCAAkC;oBAClC,+BAA+B;oBAC/B,gDAAgD;iBACjD,EACD,wDAAwD,EACxD,2JAA2J,EAC3J,oHAAoH,CACr
H,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,8CAA8C;QAC9C,8DAA8D;QAC9D,MAAM,oBAAoB,GAAG,4GAA4G,CAAC;QAE1I,IAAI,WAAW,CAAC,KAAK,CAAC,oBAAoB,CAAC,EAAE,CAAC;YAC5C,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,wBAAwB,EACxB,oFAAoF,EACpF,4EAA4E,EAC5E,KAAK,GAAG,CAAC,EACT,0LAA0L,EAC1L,uGAAuG,EACvG;gBACE,kCAAkC;gBAClC,6BAA6B;gBAC7B,+CAA+C;gBAC/C,mCAAmC;gBACnC,sCAAsC;gBACtC,oCAAoC;aACrC,EACD,6DAA6D,EAC7D,+KAA+K,EAC/K,iJAAiJ,CAClJ,CACF,CAAC;QACJ,CAAC;QAED,iDAAiD;QACjD,oEAAoE;QACpE,MAAM,mBAAmB,GAAG,0FAA0F,CAAC;QAEvH,IAAI,WAAW,CAAC,KAAK,CAAC,mBAAmB,CAAC,EAAE,CAAC;YAC3C,8BAA8B;YAC9B,MAAM,eAAe,GAAG,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBACtC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAChC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAChC,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAEvD,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,eAAe,EACf,gFAAgF,EAChF,qFAAqF,EACrF,KAAK,GAAG,CAAC,EACT,6MAA6M,EAC7M,uIAAuI,EACvI;oBACE,gCAAgC;oBAChC,mCAAmC;oBACnC,6BAA6B;oBAC7B,cAAc;oBACd,8BAA8B;iBAC/B,EACD,8CAA8C,EAC9C,iFAAiF,EACjF,qIAAqI,CACtI,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,mEAAmE;QACnE,yEAAyE;QACzE,MAAM,wBAAwB,GAAG,qGAAqG,CAAC;QAEvI,IAAI,WAAW,CAAC,KAAK,CAAC,wBAAwB,CAAC,EAAE,CAAC;YAChD,wCAAwC;YACxC,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACzE,MAAM,WAAW,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YAC9G,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBACpC,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;oBAC5D,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;YACvE,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,WAAW,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChC,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,gCAAgC,EAChC,6DAA6D,EAC7D,kGAAkG,EAClG,KAAK,GAAG,CAAC,EACT,+KAA+K,EAC/K,gFAAgF,EAChF;oBACE,wCAAwC;oBACxC,yCAAyC;oBACzC,gCAAgC;oBAChC,0CAA0C;oBAC1C,0CAA0C;iBAC3C,EACD,wEA
AwE,EACxE,gPAAgP,EAChP,mIAAmI,CACpI,CACF,CAAC;YACJ,CAAC;QACH,CAAC;IAEH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
@@ -0,0 +1,32 @@
1
+ /**
2
+ * JavaScript Injection Attack Detection Module
3
+ *
4
+ * Detects critical injection vulnerabilities:
5
+ * - Code injection (eval, Function constructor, setTimeout/setInterval)
6
+ * - SQL injection patterns
7
+ * - Command injection
8
+ * - Path traversal
9
+ * - Regex DoS (ReDoS)
10
+ *
11
+ * Part of modularized JavaScript analyzer (150-300 LOC per module)
12
+ * Extracted from monolithic javascript-analyzer.ts (2,672 LOC)
13
+ *
14
+ * @module injection-attacks
15
+ */
16
+ import { SecurityVulnerability } from '../../types';
17
+ export interface InjectionCheckResult {
18
+ vulnerabilities: SecurityVulnerability[];
19
+ }
20
+ /**
21
+ * Type for createSecurityVulnerability function
22
+ */
23
+ export type CreateVulnerabilityFn = (id: string, message: string, fix: string, lineNumber: number, explanation: string, example: string, impacts: string[], codeExample: string, fixedCodeExample: string, fixDetails: string) => SecurityVulnerability;
24
+ /**
25
+ * Check for injection attack vulnerabilities in JavaScript code
26
+ *
27
+ * @param code - Full source code
28
+ * @param createVulnerability - Function to create vulnerability objects
29
+ * @returns Array of detected vulnerabilities
30
+ */
31
+ export declare function checkInjectionAttacks(code: string, createVulnerability: CreateVulnerabilityFn): SecurityVulnerability[];
32
+ //# sourceMappingURL=injection-attacks.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"injection-attacks.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/injection-attacks.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAEpD,MAAM,WAAW,oBAAoB;IACnC,eAAe,EAAE,qBAAqB,EAAE,CAAC;CAC1C;AAED;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAAG,CAClC,EAAE,EAAE,MAAM,EACV,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EAAE,EACjB,WAAW,EAAE,MAAM,EACnB,gBAAgB,EAAE,MAAM,EACxB,UAAU,EAAE,MAAM,KACf,qBAAqB,CAAC;AAE3B;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,IAAI,EAAE,MAAM,EACZ,mBAAmB,EAAE,qBAAqB,GACzC,qBAAqB,EAAE,CAmSzB"}