codeslick-cli 1.0.0

Files changed (455)
  1. package/README.md +458 -0
  2. package/__tests__/cli-reporter.test.ts +86 -0
  3. package/__tests__/config-loader.test.ts +247 -0
  4. package/__tests__/local-scanner.test.ts +245 -0
  5. package/bin/codeslick.cjs +153 -0
  6. package/dist/packages/cli/src/commands/auth.d.ts +36 -0
  7. package/dist/packages/cli/src/commands/auth.d.ts.map +1 -0
  8. package/dist/packages/cli/src/commands/auth.js +226 -0
  9. package/dist/packages/cli/src/commands/auth.js.map +1 -0
  10. package/dist/packages/cli/src/commands/config.d.ts +37 -0
  11. package/dist/packages/cli/src/commands/config.d.ts.map +1 -0
  12. package/dist/packages/cli/src/commands/config.js +196 -0
  13. package/dist/packages/cli/src/commands/config.js.map +1 -0
  14. package/dist/packages/cli/src/commands/init.d.ts +32 -0
  15. package/dist/packages/cli/src/commands/init.d.ts.map +1 -0
  16. package/dist/packages/cli/src/commands/init.js +171 -0
  17. package/dist/packages/cli/src/commands/init.js.map +1 -0
  18. package/dist/packages/cli/src/commands/scan.d.ts +40 -0
  19. package/dist/packages/cli/src/commands/scan.d.ts.map +1 -0
  20. package/dist/packages/cli/src/commands/scan.js +204 -0
  21. package/dist/packages/cli/src/commands/scan.js.map +1 -0
  22. package/dist/packages/cli/src/config/config-loader.d.ts +67 -0
  23. package/dist/packages/cli/src/config/config-loader.d.ts.map +1 -0
  24. package/dist/packages/cli/src/config/config-loader.js +146 -0
  25. package/dist/packages/cli/src/config/config-loader.js.map +1 -0
  26. package/dist/packages/cli/src/reporters/cli-reporter.d.ts +69 -0
  27. package/dist/packages/cli/src/reporters/cli-reporter.d.ts.map +1 -0
  28. package/dist/packages/cli/src/reporters/cli-reporter.js +244 -0
  29. package/dist/packages/cli/src/reporters/cli-reporter.js.map +1 -0
  30. package/dist/packages/cli/src/scanner/local-scanner.d.ts +92 -0
  31. package/dist/packages/cli/src/scanner/local-scanner.d.ts.map +1 -0
  32. package/dist/packages/cli/src/scanner/local-scanner.js +221 -0
  33. package/dist/packages/cli/src/scanner/local-scanner.js.map +1 -0
  34. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts +88 -0
  35. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts.map +1 -0
  36. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js +371 -0
  37. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js.map +1 -0
  38. package/dist/src/lib/analyzers/helpers/jsx-helpers.d.ts +63 -0
  39. package/dist/src/lib/analyzers/helpers/jsx-helpers.d.ts.map +1 -0
  40. package/dist/src/lib/analyzers/helpers/jsx-helpers.js +95 -0
  41. package/dist/src/lib/analyzers/helpers/jsx-helpers.js.map +1 -0
  42. package/dist/src/lib/analyzers/helpers/variable-tracker.d.ts +59 -0
  43. package/dist/src/lib/analyzers/helpers/variable-tracker.d.ts.map +1 -0
  44. package/dist/src/lib/analyzers/helpers/variable-tracker.js +231 -0
  45. package/dist/src/lib/analyzers/helpers/variable-tracker.js.map +1 -0
  46. package/dist/src/lib/analyzers/java/security-checks/access-control.d.ts +20 -0
  47. package/dist/src/lib/analyzers/java/security-checks/access-control.d.ts.map +1 -0
  48. package/dist/src/lib/analyzers/java/security-checks/access-control.js +129 -0
  49. package/dist/src/lib/analyzers/java/security-checks/access-control.js.map +1 -0
  50. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts +25 -0
  51. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts.map +1 -0
  52. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js +221 -0
  53. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js.map +1 -0
  54. package/dist/src/lib/analyzers/java/security-checks/code-quality.d.ts +18 -0
  55. package/dist/src/lib/analyzers/java/security-checks/code-quality.d.ts.map +1 -0
  56. package/dist/src/lib/analyzers/java/security-checks/code-quality.js +84 -0
  57. package/dist/src/lib/analyzers/java/security-checks/code-quality.js.map +1 -0
  58. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.d.ts +18 -0
  59. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.d.ts.map +1 -0
  60. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.js +161 -0
  61. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.js.map +1 -0
  62. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.d.ts +20 -0
  63. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.d.ts.map +1 -0
  64. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.js +163 -0
  65. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.js.map +1 -0
  66. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts +24 -0
  67. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  68. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js +178 -0
  69. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js.map +1 -0
  70. package/dist/src/lib/analyzers/java/security-checks/exception-handling.d.ts +25 -0
  71. package/dist/src/lib/analyzers/java/security-checks/exception-handling.d.ts.map +1 -0
  72. package/dist/src/lib/analyzers/java/security-checks/exception-handling.js +179 -0
  73. package/dist/src/lib/analyzers/java/security-checks/exception-handling.js.map +1 -0
  74. package/dist/src/lib/analyzers/java/security-checks/file-operations.d.ts +17 -0
  75. package/dist/src/lib/analyzers/java/security-checks/file-operations.d.ts.map +1 -0
  76. package/dist/src/lib/analyzers/java/security-checks/file-operations.js +67 -0
  77. package/dist/src/lib/analyzers/java/security-checks/file-operations.js.map +1 -0
  78. package/dist/src/lib/analyzers/java/security-checks/framework-security.d.ts +25 -0
  79. package/dist/src/lib/analyzers/java/security-checks/framework-security.d.ts.map +1 -0
  80. package/dist/src/lib/analyzers/java/security-checks/framework-security.js +396 -0
  81. package/dist/src/lib/analyzers/java/security-checks/framework-security.js.map +1 -0
  82. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.d.ts +20 -0
  83. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.d.ts.map +1 -0
  84. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.js +123 -0
  85. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.js.map +1 -0
  86. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts +23 -0
  87. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts.map +1 -0
  88. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js +201 -0
  89. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js.map +1 -0
  90. package/dist/src/lib/analyzers/java/security-checks/insecure-design.d.ts +20 -0
  91. package/dist/src/lib/analyzers/java/security-checks/insecure-design.d.ts.map +1 -0
  92. package/dist/src/lib/analyzers/java/security-checks/insecure-design.js +121 -0
  93. package/dist/src/lib/analyzers/java/security-checks/insecure-design.js.map +1 -0
  94. package/dist/src/lib/analyzers/java/security-checks/logging-failures.d.ts +20 -0
  95. package/dist/src/lib/analyzers/java/security-checks/logging-failures.d.ts.map +1 -0
  96. package/dist/src/lib/analyzers/java/security-checks/logging-failures.js +89 -0
  97. package/dist/src/lib/analyzers/java/security-checks/logging-failures.js.map +1 -0
  98. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.d.ts +26 -0
  99. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.d.ts.map +1 -0
  100. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.js +309 -0
  101. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.js.map +1 -0
  102. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.d.ts +18 -0
  103. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.d.ts.map +1 -0
  104. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.js +114 -0
  105. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.js.map +1 -0
  106. package/dist/src/lib/analyzers/java/utils/createVulnerability.d.ts +58 -0
  107. package/dist/src/lib/analyzers/java/utils/createVulnerability.d.ts.map +1 -0
  108. package/dist/src/lib/analyzers/java/utils/createVulnerability.js +71 -0
  109. package/dist/src/lib/analyzers/java/utils/createVulnerability.js.map +1 -0
  110. package/dist/src/lib/analyzers/java-analyzer.d.ts +209 -0
  111. package/dist/src/lib/analyzers/java-analyzer.d.ts.map +1 -0
  112. package/dist/src/lib/analyzers/java-analyzer.js +1720 -0
  113. package/dist/src/lib/analyzers/java-analyzer.js.map +1 -0
  114. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.d.ts +27 -0
  115. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.d.ts.map +1 -0
  116. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.js +123 -0
  117. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.js.map +1 -0
  118. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.d.ts +44 -0
  119. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.d.ts.map +1 -0
  120. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.js +224 -0
  121. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.js.map +1 -0
  122. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.d.ts +50 -0
  123. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.d.ts.map +1 -0
  124. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.js +284 -0
  125. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.js.map +1 -0
  126. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.d.ts +27 -0
  127. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.d.ts.map +1 -0
  128. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.js +86 -0
  129. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.js.map +1 -0
  130. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.d.ts +32 -0
  131. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.d.ts.map +1 -0
  132. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.js +44 -0
  133. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.js.map +1 -0
  134. package/dist/src/lib/analyzers/javascript/security-checks/access-control.d.ts +22 -0
  135. package/dist/src/lib/analyzers/javascript/security-checks/access-control.d.ts.map +1 -0
  136. package/dist/src/lib/analyzers/javascript/security-checks/access-control.js +168 -0
  137. package/dist/src/lib/analyzers/javascript/security-checks/access-control.js.map +1 -0
  138. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts +25 -0
  139. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts.map +1 -0
  140. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js +232 -0
  141. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js.map +1 -0
  142. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.d.ts +27 -0
  143. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.d.ts.map +1 -0
  144. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.js +222 -0
  145. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.js.map +1 -0
  146. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts +28 -0
  147. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts.map +1 -0
  148. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js +176 -0
  149. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js.map +1 -0
  150. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts +23 -0
  151. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  152. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js +113 -0
  153. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js.map +1 -0
  154. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts +28 -0
  155. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts.map +1 -0
  156. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.js +227 -0
  157. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.js.map +1 -0
  158. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.d.ts +32 -0
  159. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.d.ts.map +1 -0
  160. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.js +260 -0
  161. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.js.map +1 -0
  162. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.d.ts +26 -0
  163. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.d.ts.map +1 -0
  164. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.js +164 -0
  165. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.js.map +1 -0
  166. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.d.ts +26 -0
  167. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.d.ts.map +1 -0
  168. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.js +775 -0
  169. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.js.map +1 -0
  170. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.d.ts +25 -0
  171. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.d.ts.map +1 -0
  172. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.js +168 -0
  173. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.js.map +1 -0
  174. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.d.ts +27 -0
  175. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.d.ts.map +1 -0
  176. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.js +108 -0
  177. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.js.map +1 -0
  178. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.d.ts +28 -0
  179. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.d.ts.map +1 -0
  180. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.js +143 -0
  181. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.js.map +1 -0
  182. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.d.ts +53 -0
  183. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.d.ts.map +1 -0
  184. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.js +144 -0
  185. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.js.map +1 -0
  186. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.d.ts +72 -0
  187. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.d.ts.map +1 -0
  188. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.js +314 -0
  189. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.js.map +1 -0
  190. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.d.ts +58 -0
  191. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.d.ts.map +1 -0
  192. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.js +71 -0
  193. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.js.map +1 -0
  194. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.d.ts +36 -0
  195. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.d.ts.map +1 -0
  196. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.js +70 -0
  197. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.js.map +1 -0
  198. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.d.ts +29 -0
  199. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.d.ts.map +1 -0
  200. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.js +55 -0
  201. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.js.map +1 -0
  202. package/dist/src/lib/analyzers/javascript-analyzer.d.ts +95 -0
  203. package/dist/src/lib/analyzers/javascript-analyzer.d.ts.map +1 -0
  204. package/dist/src/lib/analyzers/javascript-analyzer.js +2141 -0
  205. package/dist/src/lib/analyzers/javascript-analyzer.js.map +1 -0
  206. package/dist/src/lib/analyzers/python/security-checks/access-control.d.ts +21 -0
  207. package/dist/src/lib/analyzers/python/security-checks/access-control.d.ts.map +1 -0
  208. package/dist/src/lib/analyzers/python/security-checks/access-control.js +305 -0
  209. package/dist/src/lib/analyzers/python/security-checks/access-control.js.map +1 -0
  210. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts +25 -0
  211. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts.map +1 -0
  212. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js +242 -0
  213. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js.map +1 -0
  214. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.d.ts +24 -0
  215. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.d.ts.map +1 -0
  216. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.js +207 -0
  217. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.js.map +1 -0
  218. package/dist/src/lib/analyzers/python/security-checks/code-quality.d.ts +27 -0
  219. package/dist/src/lib/analyzers/python/security-checks/code-quality.d.ts.map +1 -0
  220. package/dist/src/lib/analyzers/python/security-checks/code-quality.js +206 -0
  221. package/dist/src/lib/analyzers/python/security-checks/code-quality.js.map +1 -0
  222. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts +24 -0
  223. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts.map +1 -0
  224. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js +113 -0
  225. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js.map +1 -0
  226. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.d.ts +20 -0
  227. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.d.ts.map +1 -0
  228. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.js +129 -0
  229. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.js.map +1 -0
  230. package/dist/src/lib/analyzers/python/security-checks/data-integrity.d.ts +19 -0
  231. package/dist/src/lib/analyzers/python/security-checks/data-integrity.d.ts.map +1 -0
  232. package/dist/src/lib/analyzers/python/security-checks/data-integrity.js +90 -0
  233. package/dist/src/lib/analyzers/python/security-checks/data-integrity.js.map +1 -0
  234. package/dist/src/lib/analyzers/python/security-checks/deserialization.d.ts +20 -0
  235. package/dist/src/lib/analyzers/python/security-checks/deserialization.d.ts.map +1 -0
  236. package/dist/src/lib/analyzers/python/security-checks/deserialization.js +68 -0
  237. package/dist/src/lib/analyzers/python/security-checks/deserialization.js.map +1 -0
  238. package/dist/src/lib/analyzers/python/security-checks/django-security.d.ts +25 -0
  239. package/dist/src/lib/analyzers/python/security-checks/django-security.d.ts.map +1 -0
  240. package/dist/src/lib/analyzers/python/security-checks/django-security.js +180 -0
  241. package/dist/src/lib/analyzers/python/security-checks/django-security.js.map +1 -0
  242. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts +23 -0
  243. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  244. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js +127 -0
  245. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js.map +1 -0
  246. package/dist/src/lib/analyzers/python/security-checks/exception-handling.d.ts +23 -0
  247. package/dist/src/lib/analyzers/python/security-checks/exception-handling.d.ts.map +1 -0
  248. package/dist/src/lib/analyzers/python/security-checks/exception-handling.js +120 -0
  249. package/dist/src/lib/analyzers/python/security-checks/exception-handling.js.map +1 -0
  250. package/dist/src/lib/analyzers/python/security-checks/flask-security.d.ts +24 -0
  251. package/dist/src/lib/analyzers/python/security-checks/flask-security.d.ts.map +1 -0
  252. package/dist/src/lib/analyzers/python/security-checks/flask-security.js +143 -0
  253. package/dist/src/lib/analyzers/python/security-checks/flask-security.js.map +1 -0
  254. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts +28 -0
  255. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts.map +1 -0
  256. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js +174 -0
  257. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js.map +1 -0
  258. package/dist/src/lib/analyzers/python/security-checks/insecure-design.d.ts +20 -0
  259. package/dist/src/lib/analyzers/python/security-checks/insecure-design.d.ts.map +1 -0
  260. package/dist/src/lib/analyzers/python/security-checks/insecure-design.js +160 -0
  261. package/dist/src/lib/analyzers/python/security-checks/insecure-design.js.map +1 -0
  262. package/dist/src/lib/analyzers/python/security-checks/logging-failures.d.ts +20 -0
  263. package/dist/src/lib/analyzers/python/security-checks/logging-failures.d.ts.map +1 -0
  264. package/dist/src/lib/analyzers/python/security-checks/logging-failures.js +121 -0
  265. package/dist/src/lib/analyzers/python/security-checks/logging-failures.js.map +1 -0
  266. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.d.ts +26 -0
  267. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.d.ts.map +1 -0
  268. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.js +248 -0
  269. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.js.map +1 -0
  270. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.d.ts +26 -0
  271. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.d.ts.map +1 -0
  272. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.js +375 -0
  273. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.js.map +1 -0
  274. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.d.ts +26 -0
  275. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.d.ts.map +1 -0
  276. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.js +160 -0
  277. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.js.map +1 -0
  278. package/dist/src/lib/analyzers/python/security-checks/web-security.d.ts +23 -0
  279. package/dist/src/lib/analyzers/python/security-checks/web-security.d.ts.map +1 -0
  280. package/dist/src/lib/analyzers/python/security-checks/web-security.js +117 -0
  281. package/dist/src/lib/analyzers/python/security-checks/web-security.js.map +1 -0
  282. package/dist/src/lib/analyzers/python/utils/createVulnerability.d.ts +58 -0
  283. package/dist/src/lib/analyzers/python/utils/createVulnerability.d.ts.map +1 -0
  284. package/dist/src/lib/analyzers/python/utils/createVulnerability.js +71 -0
  285. package/dist/src/lib/analyzers/python/utils/createVulnerability.js.map +1 -0
  286. package/dist/src/lib/analyzers/python-analyzer.d.ts +111 -0
  287. package/dist/src/lib/analyzers/python-analyzer.d.ts.map +1 -0
  288. package/dist/src/lib/analyzers/python-analyzer.js +1600 -0
  289. package/dist/src/lib/analyzers/python-analyzer.js.map +1 -0
  290. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.d.ts +14 -0
  291. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.d.ts.map +1 -0
  292. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.js +47 -0
  293. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.js.map +1 -0
  294. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.d.ts +13 -0
  295. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.d.ts.map +1 -0
  296. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js +36 -0
  297. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js.map +1 -0
  298. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.d.ts +15 -0
  299. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.d.ts.map +1 -0
  300. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.js +68 -0
  301. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.js.map +1 -0
  302. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.d.ts +15 -0
  303. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.d.ts.map +1 -0
  304. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js +68 -0
  305. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js.map +1 -0
  306. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.d.ts +12 -0
  307. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.d.ts.map +1 -0
  308. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.js +45 -0
  309. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.js.map +1 -0
  310. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.d.ts +14 -0
  311. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.d.ts.map +1 -0
  312. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js +47 -0
  313. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js.map +1 -0
  314. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.d.ts +13 -0
  315. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.d.ts.map +1 -0
  316. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.js +36 -0
  317. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.js.map +1 -0
  318. package/dist/src/lib/analyzers/secrets/patterns/api-keys.d.ts +15 -0
  319. package/dist/src/lib/analyzers/secrets/patterns/api-keys.d.ts.map +1 -0
  320. package/dist/src/lib/analyzers/secrets/patterns/api-keys.js +32 -0
  321. package/dist/src/lib/analyzers/secrets/patterns/api-keys.js.map +1 -0
  322. package/dist/src/lib/analyzers/secrets/patterns/credentials.d.ts +15 -0
  323. package/dist/src/lib/analyzers/secrets/patterns/credentials.d.ts.map +1 -0
  324. package/dist/src/lib/analyzers/secrets/patterns/credentials.js +68 -0
  325. package/dist/src/lib/analyzers/secrets/patterns/credentials.js.map +1 -0
  326. package/dist/src/lib/analyzers/secrets/patterns/private-keys.d.ts +16 -0
  327. package/dist/src/lib/analyzers/secrets/patterns/private-keys.d.ts.map +1 -0
  328. package/dist/src/lib/analyzers/secrets/patterns/private-keys.js +79 -0
  329. package/dist/src/lib/analyzers/secrets/patterns/private-keys.js.map +1 -0
  330. package/dist/src/lib/analyzers/secrets/patterns/tokens.d.ts +15 -0
  331. package/dist/src/lib/analyzers/secrets/patterns/tokens.d.ts.map +1 -0
  332. package/dist/src/lib/analyzers/secrets/patterns/tokens.js +58 -0
  333. package/dist/src/lib/analyzers/secrets/patterns/tokens.js.map +1 -0
  334. package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts +88 -0
  335. package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts.map +1 -0
  336. package/dist/src/lib/analyzers/secrets/secrets-analyzer.js +162 -0
  337. package/dist/src/lib/analyzers/secrets/secrets-analyzer.js.map +1 -0
  338. package/dist/src/lib/analyzers/secrets/validators/context-checker.d.ts +56 -0
  339. package/dist/src/lib/analyzers/secrets/validators/context-checker.d.ts.map +1 -0
  340. package/dist/src/lib/analyzers/secrets/validators/context-checker.js +199 -0
  341. package/dist/src/lib/analyzers/secrets/validators/context-checker.js.map +1 -0
  342. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.d.ts +56 -0
  343. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.d.ts.map +1 -0
  344. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.js +102 -0
  345. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.js.map +1 -0
  346. package/dist/src/lib/analyzers/security-checks/es6-security.d.ts +38 -0
  347. package/dist/src/lib/analyzers/security-checks/es6-security.d.ts.map +1 -0
  348. package/dist/src/lib/analyzers/security-checks/es6-security.js +125 -0
  349. package/dist/src/lib/analyzers/security-checks/es6-security.js.map +1 -0
  350. package/dist/src/lib/analyzers/security-checks/python-async-security.d.ts +46 -0
  351. package/dist/src/lib/analyzers/security-checks/python-async-security.d.ts.map +1 -0
  352. package/dist/src/lib/analyzers/security-checks/python-async-security.js +92 -0
  353. package/dist/src/lib/analyzers/security-checks/python-async-security.js.map +1 -0
  354. package/dist/src/lib/analyzers/security-checks/react-security.d.ts +49 -0
  355. package/dist/src/lib/analyzers/security-checks/react-security.d.ts.map +1 -0
  356. package/dist/src/lib/analyzers/security-checks/react-security.js +125 -0
  357. package/dist/src/lib/analyzers/security-checks/react-security.js.map +1 -0
  358. package/dist/src/lib/analyzers/types.d.ts +92 -0
  359. package/dist/src/lib/analyzers/types.d.ts.map +1 -0
  360. package/dist/src/lib/analyzers/types.js +3 -0
  361. package/dist/src/lib/analyzers/types.js.map +1 -0
  362. package/dist/src/lib/analyzers/typescript/security-checks/access-control.d.ts +19 -0
  363. package/dist/src/lib/analyzers/typescript/security-checks/access-control.d.ts.map +1 -0
  364. package/dist/src/lib/analyzers/typescript/security-checks/access-control.js +210 -0
  365. package/dist/src/lib/analyzers/typescript/security-checks/access-control.js.map +1 -0
  366. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts +25 -0
  367. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts.map +1 -0
  368. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js +242 -0
  369. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js.map +1 -0
  370. package/dist/src/lib/analyzers/typescript/security-checks/authentication.d.ts +28 -0
  371. package/dist/src/lib/analyzers/typescript/security-checks/authentication.d.ts.map +1 -0
  372. package/dist/src/lib/analyzers/typescript/security-checks/authentication.js +357 -0
  373. package/dist/src/lib/analyzers/typescript/security-checks/authentication.js.map +1 -0
  374. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.d.ts +26 -0
  375. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.d.ts.map +1 -0
  376. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.js +380 -0
  377. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.js.map +1 -0
  378. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.d.ts +23 -0
  379. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.d.ts.map +1 -0
  380. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.js +109 -0
  381. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.js.map +1 -0
  382. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.d.ts +21 -0
  383. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.d.ts.map +1 -0
  384. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js +153 -0
  385. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js.map +1 -0
  386. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts +23 -0
  387. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  388. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js +146 -0
  389. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js.map +1 -0
  390. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.d.ts +23 -0
  391. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.d.ts.map +1 -0
  392. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.js +187 -0
  393. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.js.map +1 -0
  394. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.d.ts +19 -0
  395. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.d.ts.map +1 -0
  396. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.js +97 -0
  397. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.js.map +1 -0
  398. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts +29 -0
  399. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts.map +1 -0
  400. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js +319 -0
  401. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js.map +1 -0
  402. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.d.ts +21 -0
  403. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.d.ts.map +1 -0
  404. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.js +121 -0
  405. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.js.map +1 -0
  406. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts +27 -0
  407. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts.map +1 -0
  408. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js +213 -0
  409. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js.map +1 -0
  410. package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts +19 -0
  411. package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts.map +1 -0
  412. package/dist/src/lib/analyzers/typescript/security-checks/type-security.js +59 -0
  413. package/dist/src/lib/analyzers/typescript/security-checks/type-security.js.map +1 -0
  414. package/dist/src/lib/analyzers/typescript/type-checker.d.ts +17 -0
  415. package/dist/src/lib/analyzers/typescript/type-checker.d.ts.map +1 -0
  416. package/dist/src/lib/analyzers/typescript/type-checker.js +515 -0
  417. package/dist/src/lib/analyzers/typescript/type-checker.js.map +1 -0
  418. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.d.ts +58 -0
  419. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.d.ts.map +1 -0
  420. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.js +71 -0
  421. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.js.map +1 -0
  422. package/dist/src/lib/analyzers/typescript-analyzer.d.ts +116 -0
  423. package/dist/src/lib/analyzers/typescript-analyzer.d.ts.map +1 -0
  424. package/dist/src/lib/analyzers/typescript-analyzer.js +1660 -0
  425. package/dist/src/lib/analyzers/typescript-analyzer.js.map +1 -0
  426. package/dist/src/lib/security/compliance-mapping.d.ts +29 -0
  427. package/dist/src/lib/security/compliance-mapping.d.ts.map +1 -0
  428. package/dist/src/lib/security/compliance-mapping.js +1342 -0
  429. package/dist/src/lib/security/compliance-mapping.js.map +1 -0
  430. package/dist/src/lib/security/severity-scoring.d.ts +47 -0
  431. package/dist/src/lib/security/severity-scoring.d.ts.map +1 -0
  432. package/dist/src/lib/security/severity-scoring.js +965 -0
  433. package/dist/src/lib/security/severity-scoring.js.map +1 -0
  434. package/dist/src/lib/standards/references.d.ts +16 -0
  435. package/dist/src/lib/standards/references.d.ts.map +1 -0
  436. package/dist/src/lib/standards/references.js +1161 -0
  437. package/dist/src/lib/standards/references.js.map +1 -0
  438. package/dist/src/lib/types/index.d.ts +167 -0
  439. package/dist/src/lib/types/index.d.ts.map +1 -0
  440. package/dist/src/lib/types/index.js +3 -0
  441. package/dist/src/lib/types/index.js.map +1 -0
  442. package/dist/src/lib/utils/code-cleaner.d.ts +59 -0
  443. package/dist/src/lib/utils/code-cleaner.d.ts.map +1 -0
  444. package/dist/src/lib/utils/code-cleaner.js +283 -0
  445. package/dist/src/lib/utils/code-cleaner.js.map +1 -0
  446. package/package.json +51 -0
  447. package/src/commands/auth.ts +308 -0
  448. package/src/commands/config.ts +226 -0
  449. package/src/commands/init.ts +202 -0
  450. package/src/commands/scan.ts +238 -0
  451. package/src/config/config-loader.ts +175 -0
  452. package/src/reporters/cli-reporter.ts +282 -0
  453. package/src/scanner/local-scanner.ts +250 -0
  454. package/tsconfig.json +24 -0
  455. package/tsconfig.tsbuildinfo +1 -0
@@ -0,0 +1,206 @@
1
+ "use strict";
2
+ /**
3
+ * Python Code Quality and Security Misconfiguration Checks
4
+ * OWASP A05:2021 - Security Misconfiguration, A06:2021 - Vulnerable Components
5
+ *
6
+ * Detects code quality issues that can lead to security vulnerabilities,
7
+ * including dangerous patterns, insecure practices, and configuration problems.
8
+ */
9
+ Object.defineProperty(exports, "__esModule", { value: true });
10
+ exports.checkCodeQuality = checkCodeQuality;
11
+ const createVulnerability_1 = require("../utils/createVulnerability");
12
+ /**
13
+ * Checks for code quality and misconfiguration issues
14
+ *
15
+ * Covers:
16
+ * - Check #13: assert for security validation (MEDIUM)
17
+ * - Check #14: input() without validation (MEDIUM)
18
+ * - Check #15: Regex DoS (ReDoS) (MEDIUM)
19
+ * - Check #16: Empty except blocks (LOW)
20
+ * - Check #17: print() in production (LOW)
21
+ * - Check #18: tempfile.mktemp() race condition (MEDIUM)
22
+ * - Check #19: __import__() dynamic loading (HIGH)
23
+ * - Check #20: Wildcard imports (MEDIUM)
24
+ * - Check #21: Circular import patterns (MEDIUM)
25
+ *
26
+ * @param lines - Array of code lines
27
+ * @returns Array of security vulnerabilities found
28
+ */
29
+ function checkCodeQuality(lines) {
30
+ const vulnerabilities = [];
31
+ let inMultiLineComment = false;
32
+ lines.forEach((line, index) => {
33
+ const lineNumber = index + 1;
34
+ const trimmed = line.trim();
35
+ // CRITICAL: Track Python triple-quote comment blocks (""" ... """ or ''' ... ''')
36
+ const hasTripleQuote = trimmed.includes('"""') || trimmed.includes("'''");
37
+ if (hasTripleQuote) {
38
+ if (!inMultiLineComment) {
39
+ // Start of multi-line comment
40
+ inMultiLineComment = true;
41
+ // Check if it closes on the same line (single-line docstring)
42
+ const tripleQuoteCount = (trimmed.match(/"""/g) || []).length + (trimmed.match(/'''/g) || []).length;
43
+ if (tripleQuoteCount >= 2) {
44
+ // Opens and closes on same line, reset flag
45
+ inMultiLineComment = false;
46
+ }
47
+ return; // Skip this line
48
+ }
49
+ else {
50
+ // End of multi-line comment
51
+ inMultiLineComment = false;
52
+ return; // Skip this line
53
+ }
54
+ }
55
+ // CRITICAL: Skip all lines inside multi-line comments and single-line comments
56
+ if (!trimmed ||
57
+ inMultiLineComment ||
58
+ trimmed.startsWith('#')) {
59
+ return;
60
+ }
61
+ // 13. assert for security validation - MEDIUM
62
+ if (trimmed.startsWith('assert ') && trimmed.match(/password|token|auth|admin|secret/i)) {
63
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('assert-security', 'assert statements are removed in optimized Python (-O flag)', 'Use explicit if/raise for security checks', lineNumber, 'assert statements are removed when Python runs with -O (optimize) flag, bypassing security checks entirely in production.', 'assert user.is_admin # Bypassed with python -O, allowing unauthorized access', [
64
+ 'Security checks bypassed in production',
65
+ 'Authentication bypass',
66
+ 'Authorization bypass',
67
+ 'Privilege escalation'
68
+ ], 'assert user.is_admin, "Unauthorized"', 'if not user.is_admin:\n raise SecurityError("Unauthorized access")', 'Never use assert for security validations. Use explicit if/raise statements that cannot be optimized away'));
69
+ }
70
+ // 14. input() without validation - MEDIUM
71
+ if (trimmed.includes('input(') && !trimmed.includes('int(') && !trimmed.includes('float(')) {
72
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('input-no-validation', 'input() without validation can accept malicious data', 'Validate and sanitize all user input with type conversion or regex', lineNumber, 'Python\'s input() accepts any string, which can be manipulated to cause issues if not validated (especially in scripts with system access).', 'filename = input("Enter filename: ") # User enters "../../etc/passwd"', [
73
+ 'Path traversal via user input',
74
+ 'SQL injection in composed queries',
75
+ 'Command injection if passed to shell',
76
+ 'Denial of Service with large inputs'
77
+ ], 'user_age = input("Enter age: ")', 'user_input = input("Enter age: ")\ntry:\n user_age = int(user_input)\n if not 0 <= user_age <= 150:\n raise ValueError("Invalid age")\nexcept ValueError:\n print("Invalid input")', 'Always validate and convert user input. Use int()/float() for numbers, regex for strings, and whitelist validation'));
78
+ }
79
+ // 15. Regex DoS (ReDoS) - MEDIUM
80
+ if (trimmed.match(/re\.(compile|match|search|findall)\s*\(/)) {
81
+ const hasNestedQuantifiers = trimmed.match(/\([^)]*\+[^)]*\)\+|\([^)]*\*[^)]*\)\+|\([^)]*\+[^)]*\)\*/);
82
+ if (hasNestedQuantifiers) {
83
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('regex-dos', 'Regular expression with nested quantifiers can cause ReDoS', 'Simplify regex pattern or implement timeout protection', lineNumber, 'Regular expressions with nested quantifiers have exponential time complexity, allowing attackers to cause Denial of Service with crafted input.', 'pattern = re.compile(r"(a+)+$"); pattern.match("a" * 50 + "!") # Takes exponential time', [
84
+ 'Denial of Service (DoS)',
85
+ 'Application freeze/timeout',
86
+ 'CPU exhaustion',
87
+ 'Service unavailability'
88
+ ], 'pattern = re.compile(r"(a+)+$") # Nested quantifiers', 'pattern = re.compile(r"a+$") # Simplified, linear time\n# Or use timeout with third-party library', 'Avoid nested quantifiers in regex. Simplify patterns or use libraries with timeout protection'));
89
+ }
90
+ }
91
+ // 16. try/except empty (swallow errors) - LOW
92
+ if (trimmed === 'except:' || trimmed.match(/except\s+\w*Error:\s*pass/)) {
93
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('empty-except', 'Empty except blocks hide errors and make debugging impossible', 'Log exceptions or handle them specifically', lineNumber, 'Empty except blocks silently swallow all errors, including security-relevant exceptions, making it impossible to detect attacks or bugs.', 'try:\n risky_operation()\nexcept:\n pass # Silently hides all errors including security violations', [
94
+ 'Security errors hidden',
95
+ 'Impossible to debug',
96
+ 'Attacks go unnoticed',
97
+ 'Data corruption undetected'
98
+ ], 'try:\n risky_operation()\nexcept:\n pass', 'import logging\nlogger = logging.getLogger(__name__)\ntry:\n risky_operation()\nexcept ValueError as e:\n logger.error(f"Operation failed: {e}")\n raise', 'Always log exceptions or handle them specifically. Never use bare except: pass which hides all errors'));
99
+ }
100
+ // 17. print() in production - LOW
101
+ // Only flag print statements with variables (f-strings, format(), concatenation)
102
+ // Don't flag static strings like print("File loaded")
103
+ if (trimmed.startsWith('print(')) {
104
+ // Skip simple static strings: print("text") or print('text')
105
+ const isSimpleStaticString = /^print\(["'][^"']*["']\)/.test(trimmed);
106
+ if (!isSimpleStaticString) {
107
+ const hasPotentialData = trimmed.includes('f"') || trimmed.includes("f'") || // f-strings
108
+ trimmed.includes('.format(') || // .format()
109
+ /print\([^"']*[a-zA-Z_][a-zA-Z0-9_]*/.test(trimmed) || // variables: print(user_name)
110
+ /print\(.*\+.*\)/.test(trimmed); // concatenation: print("User: " + name)
111
+ if (hasPotentialData) {
112
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('print-statement', 'print() can leak sensitive information', 'Use logging module with appropriate levels', lineNumber, 'print() statements can expose sensitive data in logs, stack traces, or console output accessible to unauthorized users.', 'print(f"User logged in: {user.email}, token: {auth_token}") # Exposes credentials', [
113
+ 'Sensitive data exposure in logs',
114
+ 'Credentials leaked',
115
+ 'Internal state revealed',
116
+ 'Debugging info in production'
117
+ ], 'print(f"User: {user.email}, Token: {token}")', 'import logging\nlogger = logging.getLogger(__name__)\nlogger.info(f"User logged in: {user.email}") # No sensitive data', 'Use logging module with appropriate levels. Never log sensitive data (tokens, passwords, keys)'));
118
+ }
119
+ }
120
+ }
121
+ // 18. tempfile.mktemp() - MEDIUM (race condition vulnerability)
122
+ if (trimmed.includes('tempfile.mktemp(')) {
123
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('insecure-temp-file', 'tempfile.mktemp() creates insecure temporary files', 'Use tempfile.NamedTemporaryFile() or tempfile.mkstemp() instead', lineNumber, 'tempfile.mktemp() is deprecated and insecure because it creates a race condition between file name generation and file creation, allowing attackers to create malicious files.', 'temp = tempfile.mktemp(); open(temp, "w") # Attacker can create this file first', [
124
+ 'Race condition attacks',
125
+ 'File content manipulation',
126
+ 'Symlink attacks',
127
+ 'Privilege escalation'
128
+ ], 'import tempfile\ntemp = tempfile.mktemp()\nwith open(temp, "w") as f:\n f.write(data)', 'import tempfile\nwith tempfile.NamedTemporaryFile(mode="w", delete=False) as f:\n f.write(data)\n temp_name = f.name\n# Or use mkstemp(): fd, temp_name = tempfile.mkstemp()', 'Use tempfile.NamedTemporaryFile() or tempfile.mkstemp() which create files atomically without race conditions'));
129
+ }
130
+ // 19. __import__() - HIGH (dynamic module loading)
131
+ if (trimmed.includes('__import__(')) {
132
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('dynamic-import', '__import__() allows arbitrary module loading', 'Use importlib.import_module() with strict validation or a whitelist', lineNumber, '__import__() with user-controlled input allows attackers to load arbitrary Python modules, potentially executing malicious code or accessing sensitive functionality.', '__import__(user_module) where user_module = "os" allows os.system() access', [
133
+ 'Arbitrary code execution',
134
+ 'Access to dangerous modules (os, subprocess)',
135
+ 'Security control bypass',
136
+ 'Data exfiltration'
137
+ ], 'module = __import__(module_name)', 'import importlib\nALLOWED_MODULES = ["json", "math", "datetime"]\nif module_name not in ALLOWED_MODULES:\n raise ValueError("Module not allowed")\nmodule = importlib.import_module(module_name)', 'Never use __import__() with untrusted input. Use importlib.import_module() with strict whitelist validation'));
138
+ }
139
+ // OWASP A05:2021 - Security Misconfiguration
140
+ // 20. Wildcard Imports - MEDIUM (namespace pollution)
141
+ if (trimmed.match(/^from\s+[\w.]+\s+import\s+\*/)) {
142
+ // Extract module name for better reporting
143
+ const moduleMatch = trimmed.match(/from\s+([\w.]+)\s+import\s+\*/);
144
+ const moduleName = moduleMatch ? moduleMatch[1] : 'module';
145
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('wildcard-import', `Wildcard import (from ${moduleName} import *) pollutes namespace`, 'Import specific names: from module import name1, name2', lineNumber, 'Wildcard imports pollute the namespace with all exported names from a module, making code harder to debug, causing name conflicts, and making it unclear where functions come from.', `from django.contrib.auth.models import * # Imports 60+ names, conflicts possible`, [
146
+ 'Namespace pollution',
147
+ 'Name conflicts and shadowing',
148
+ 'Debugging difficulty',
149
+ 'Unclear dependencies',
150
+ 'Potential security issues from unintended imports'
151
+ ], `from ${moduleName} import *`, `from ${moduleName} import ClassName, function_name # Explicit imports only\n# Or: import ${moduleName}; ${moduleName}.ClassName()`, 'Always import specific names explicitly. Wildcard imports make code unpredictable and harder to maintain'));
152
+ }
153
+ // 21. Circular Import Patterns - MEDIUM (runtime errors)
154
+ // Basic detection: Look for common circular import patterns in file
155
+ if (trimmed.match(/^from\s+[\w.]+\s+import/)) {
156
+ const importMatch = trimmed.match(/from\s+([\w.]+)\s+import/);
157
+ if (importMatch) {
158
+ const importedModule = importMatch[1];
159
+ // CRITICAL FIX (2025-11-21): Exclude Django/Flask framework imports
160
+ // False positive: django.views.decorators.csrf is NOT circular with .models
161
+ // Only check user modules (relative imports starting with . or same package)
162
+ const isFrameworkImport = importedModule.startsWith('django.') ||
163
+ importedModule.startsWith('flask.') ||
164
+ importedModule.startsWith('fastapi.') ||
165
+ !importedModule.startsWith('.'); // Absolute imports are usually framework/stdlib
166
+ if (isFrameworkImport) {
167
+ // Skip framework imports - they don't create circular dependencies
168
+ return;
169
+ }
170
+ // Check for common circular import patterns (only user modules)
171
+ // Pattern 1: from .views import X in a models file
172
+ // Pattern 2: from .models import X in a views file
173
+ const commonPatterns = [
174
+ { imports: 'views', suggests: 'models', description: 'models importing views' },
175
+ { imports: 'models', suggests: 'views', description: 'views importing models' },
176
+ { imports: 'serializers', suggests: 'models', description: 'models importing serializers' },
177
+ { imports: 'models', suggests: 'serializers', description: 'serializers importing models' }
178
+ ];
179
+ // Check if this line has potential circular import
180
+ commonPatterns.forEach(pattern => {
181
+ if (importedModule.includes(pattern.imports)) {
182
+ // Look for reciprocal imports in the same file
183
+ const hasReciprocalImport = lines.some((otherLine, otherIndex) => {
184
+ if (otherIndex === index)
185
+ return false;
186
+ const otherTrimmed = otherLine.trim();
187
+ // Only check relative imports (starting with .)
188
+ return otherTrimmed.match(new RegExp(`from\\s+\\.[\\w.]*${pattern.suggests}[\\w.]*\\s+import`));
189
+ });
190
+ if (hasReciprocalImport) {
191
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('circular-import', `Potential circular import detected: ${pattern.description}`, 'Refactor: move shared code to a separate module or use lazy imports', lineNumber, 'Circular imports occur when two modules import each other, causing ImportError at runtime. This happens when module A imports B and B imports A, creating a dependency cycle.', `# models.py: from .views import UserView\\n# views.py: from .models import User # ImportError!`, [
192
+ 'ImportError at runtime',
193
+ 'Application crashes',
194
+ 'Unpredictable behavior',
195
+ 'Initialization order issues',
196
+ 'Difficult to debug'
197
+ ], `from ${importedModule} import ClassName # Circular dependency`, `# Option 1: Move shared code to utils.py\n# Option 2: Use lazy imports inside functions\ndef get_user():\n from ${importedModule} import ClassName\n return ClassName()\n# Option 3: Use TYPE_CHECKING for type hints only\nfrom typing import TYPE_CHECKING\nif TYPE_CHECKING:\n from ${importedModule} import ClassName`, 'Avoid circular imports by refactoring shared code into separate modules or using lazy imports inside functions'));
198
+ }
199
+ }
200
+ });
201
+ }
202
+ }
203
+ });
204
+ return vulnerabilities;
205
+ }
206
+ //# sourceMappingURL=code-quality.js.map
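Review bot: The empty-except check (#16) decides from the header line alone, so a bare `except:` is reported even when its body logs and re-raises, while `except Exception:` followed by `pass` on the next line — the common form — is never reported because the second regex only matches `pass` on the same line as an `...Error:` header; the decision should be based on the first following line that is neither blank nor a comment, as sketched below. The circular-import heuristic (#21) also fires for any single file that contains both `from .views import …` and `from .models import …` (a urls module or a test does this routinely), even though a cycle needs the reverse edge in the other module, so its message should say it is a heuristic, and the `new RegExp` built inside `lines.some` for every import line could be compiled once per pattern outside the loop. The `__import__(` check (#19) reports HIGH for a literal argument such as `__import__("json")` too; matching `/__import__\(\s*[A-Za-z_]/` would limit the HIGH finding to non-literal module names.
```javascript
// 16. try/except empty (swallow errors) - LOW
const isExceptHeader = /^except\b[^:]*:\s*(pass\s*)?(#.*)?$/.test(trimmed);
if (isExceptHeader) {
    const inlinePass = /:\s*pass\b/.test(trimmed);
    // Body is the first following line that is neither blank nor a comment
    const body = lines.slice(index + 1).map(l => l.trim()).find(l => l && !l.startsWith('#'));
    if (inlinePass || body === 'pass' || body === '...') {
        // … unchanged: vulnerabilities.push(createPythonSecurityVulnerability('empty-except', …)) …
    }
}
```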
@@ -0,0 +1 @@
1
+ {"version":3,"file":"code-quality.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/code-quality.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAsBH,4CA2SC;AA9TD,sEAAiF;AAEjF;;;;;;;;;;;;;;;;GAgBG;AACH,SAAgB,gBAAgB,CAC9B,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,kFAAkF;QAClF,MAAM,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAE1E,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,8BAA8B;gBAC9B,kBAAkB,GAAG,IAAI,CAAC;gBAC1B,8DAA8D;gBAC9D,MAAM,gBAAgB,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBACrG,IAAI,gBAAgB,IAAI,CAAC,EAAE,CAAC;oBAC1B,4CAA4C;oBAC5C,kBAAkB,GAAG,KAAK,CAAC;gBAC7B,CAAC;gBACD,OAAO,CAAC,iBAAiB;YAC3B,CAAC;iBAAM,CAAC;gBACN,4BAA4B;gBAC5B,kBAAkB,GAAG,KAAK,CAAC;gBAC3B,OAAO,CAAC,iBAAiB;YAC3B,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,OAAO;YACR,kBAAkB;YAClB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5B,OAAO;QACT,CAAC;QAED,8CAA8C;QAC9C,IAAI,OAAO,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC,EAAE,CAAC;YACxF,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,iBAAiB,EACjB,6DAA6D,EAC7D,2CAA2C,EAC3C,UAAU,EACV,2HAA2H,EAC3H,+EAA+E,EAC/E;gBACE,wCAAwC;gBACxC,uBAAuB;gBACvB,sBAAsB;gBACtB,sBAAsB;aACvB,EACD,sCAAsC,EACtC,uEAAuE,EACvE,2GAA2G,CAC5G,CAAC,CAAC;QACL,CAAC;QAED,0CAA0C;QAC1C,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC3F,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,qBAAqB,EACrB,sDAAsD,EACtD,oEAAoE,EACpE,UAAU,EACV,6IAA6I,EAC7I,wEAAwE,EACxE;gBACE,+BAA+B;gBAC/B,mCAAmC;gBACnC,sCAAsC;gBACtC,qCAAqC;aACtC,EACD,iCAAiC,EACjC,oMAAoM,EACpM,oHAAoH,CACrH,CAAC,CAAC;QACL,CAAC;QAED,iCAAiC;QACjC,IAAI,OAAO,CAAC,KAAK,CAAC,yCAAyC,CAAC,EAAE,CAAC;YAC7D,MAAM,o
BAAoB,GAAG,OAAO,CAAC,KAAK,CAAC,0DAA0D,CAAC,CAAC;YACvG,IAAI,oBAAoB,EAAE,CAAC;gBACzB,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,WAAW,EACX,4DAA4D,EAC5D,wDAAwD,EACxD,UAAU,EACV,iJAAiJ,EACjJ,0FAA0F,EAC1F;oBACE,yBAAyB;oBACzB,4BAA4B;oBAC5B,gBAAgB;oBAChB,wBAAwB;iBACzB,EACD,uDAAuD,EACvD,oGAAoG,EACpG,+FAA+F,CAChG,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,8CAA8C;QAC9C,IAAI,OAAO,KAAK,SAAS,IAAI,OAAO,CAAC,KAAK,CAAC,2BAA2B,CAAC,EAAE,CAAC;YACxE,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,cAAc,EACd,+DAA+D,EAC/D,4CAA4C,EAC5C,UAAU,EACV,0IAA0I,EAC1I,2GAA2G,EAC3G;gBACE,wBAAwB;gBACxB,qBAAqB;gBACrB,sBAAsB;gBACtB,4BAA4B;aAC7B,EACD,gDAAgD,EAChD,mKAAmK,EACnK,uGAAuG,CACxG,CAAC,CAAC;QACL,CAAC;QAED,kCAAkC;QAClC,iFAAiF;QACjF,sDAAsD;QACtD,IAAI,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjC,6DAA6D;YAC7D,MAAM,oBAAoB,GAAG,0BAA0B,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAEtE,IAAI,CAAC,oBAAoB,EAAE,CAAC;gBAC1B,MAAM,gBAAgB,GACpB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAK,YAAY;oBACjE,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,IAA0B,YAAY;oBAClE,qCAAqC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAK,8BAA8B;oBACtF,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAsB,wCAAwC;gBAEhG,IAAI,gBAAgB,EAAE,CAAC;oBACvB,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,iBAAiB,EACjB,wCAAwC,EACxC,4CAA4C,EAC5C,UAAU,EACV,yHAAyH,EACzH,oFAAoF,EACpF;wBACE,iCAAiC;wBACjC,oBAAoB;wBACpB,yBAAyB;wBACzB,8BAA8B;qBAC/B,EACD,8CAA8C,EAC9C,yHAAyH,EACzH,gGAAgG,CACjG,CAAC,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,gEAAgE;QAChE,IAAI,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACzC,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,oBAAoB,EACpB,oDAAoD,EACpD,iEAAiE,EACjE,UAAU,EACV,gLAAgL,EAChL,kFAAkF,EAClF;gBACE,wBAAwB;gBACxB,2BAA2B;gBAC3B,iBAAiB;gBACjB,sBAAsB;aACvB,EACD,0FAA0F,EAC1F,oLAAoL,EACpL,+GAA+G,CAChH,CAAC,CAAC;QACL,CAAC;QAED,mDAAmD;QACnD,IAAI,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YACpC,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,gBAAgB,EAChB,8CAA8C,EAC9C,qEAAqE,EACrE,UAAU,EACV,uKAAuK,EACvK,6EAA6E,EAC7E;gBACE,0BAA0B;gBAC1B,8CAA8C;gBAC9C,yBAAyB;gBACzB,mBAAmB;aACpB,EACD,kCAAkC,EAClC,qMAAqM,EACrM,6GAA6G,CAC9G,CA
AC,CAAC;QACL,CAAC;QAED,6CAA6C;QAC7C,sDAAsD;QACtD,IAAI,OAAO,CAAC,KAAK,CAAC,8BAA8B,CAAC,EAAE,CAAC;YAClD,2CAA2C;YAC3C,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;YACnE,MAAM,UAAU,GAAG,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;YAE3D,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,iBAAiB,EACjB,yBAAyB,UAAU,+BAA+B,EAClE,wDAAwD,EACxD,UAAU,EACV,qLAAqL,EACrL,mFAAmF,EACnF;gBACE,qBAAqB;gBACrB,8BAA8B;gBAC9B,sBAAsB;gBACtB,sBAAsB;gBACtB,mDAAmD;aACpD,EACD,QAAQ,UAAU,WAAW,EAC7B,QAAQ,UAAU,2EAA2E,UAAU,KAAK,UAAU,cAAc,EACpI,0GAA0G,CAC3G,CAAC,CAAC;QACL,CAAC;QAED,yDAAyD;QACzD,oEAAoE;QACpE,IAAI,OAAO,CAAC,KAAK,CAAC,yBAAyB,CAAC,EAAE,CAAC;YAC7C,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC;YAC9D,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,cAAc,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;gBAEtC,oEAAoE;gBACpE,4EAA4E;gBAC5E,6EAA6E;gBAC7E,MAAM,iBAAiB,GACrB,cAAc,CAAC,UAAU,CAAC,SAAS,CAAC;oBACpC,cAAc,CAAC,UAAU,CAAC,QAAQ,CAAC;oBACnC,cAAc,CAAC,UAAU,CAAC,UAAU,CAAC;oBACrC,CAAC,cAAc,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAE,gDAAgD;gBAEpF,IAAI,iBAAiB,EAAE,CAAC;oBACtB,mEAAmE;oBACnE,OAAO;gBACT,CAAC;gBAED,gEAAgE;gBAChE,mDAAmD;gBACnD,mDAAmD;gBACnD,MAAM,cAAc,GAAG;oBACrB,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,wBAAwB,EAAE;oBAC/E,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,wBAAwB,EAAE;oBAC/E,EAAE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,8BAA8B,EAAE;oBAC3F,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,aAAa,EAAE,WAAW,EAAE,8BAA8B,EAAE;iBAC5F,CAAC;gBAEF,mDAAmD;gBACnD,cAAc,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE;oBAC/B,IAAI,cAAc,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;wBAC7C,+CAA+C;wBAC/C,MAAM,mBAAmB,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,UAAU,EAAE,EAAE;4BAC/D,IAAI,UAAU,KAAK,KAAK;gCAAE,OAAO,KAAK,CAAC;4BACvC,MAAM,YAAY,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC;4BACtC,gDAAgD;4BAChD,OAAO,YAAY,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,qBAAqB,OAAO,CAAC,QAAQ,mBAAmB,CAAC,CAAC,CAAC;wBAClG,CAAC,CAAC,CAAC;wBAEH,IAAI,mBAAmB,EAAE,CAAC;4BACxB,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,iBAAiB,EACjB,uCAAuC,OAAO,CAAC,WAAW,EAAE,EAC5D,qEAAqE,EACrE,UAAU
,EACV,+KAA+K,EAC/K,iGAAiG,EACjG;gCACE,wBAAwB;gCACxB,qBAAqB;gCACrB,wBAAwB;gCACxB,6BAA6B;gCAC7B,oBAAoB;6BACrB,EACD,QAAQ,cAAc,0CAA0C,EAChE,sHAAsH,cAAc,+JAA+J,cAAc,mBAAmB,EACpU,gHAAgH,CACjH,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
@@ -0,0 +1,24 @@
1
+ /**
2
+ * Python Credentials and Cryptography Security Checks
3
+ * OWASP A07:2021 - Authentication Failures, A02:2021 - Cryptographic Failures
4
+ *
5
+ * Detects hardcoded credentials, weak cryptographic practices, and insecure
6
+ * random number generation in Python code.
7
+ */
8
+ import { SecurityVulnerability } from '../../types';
9
+ /**
10
+ * Checks for credential exposure and cryptographic weaknesses
11
+ *
12
+ * Covers:
13
+ * - Check #7: Hardcoded credentials (CRITICAL)
14
+ * - Pattern 1: Simple assignment (API_KEY = "...")
15
+ * - Pattern 2: Dictionary values ('password': '...')
16
+ * - Pattern 3: Flask secret_key (app.secret_key = '...')
17
+ * - Check #8a: random module for security (MEDIUM) - Weak RNG
18
+ * - Check #8b: MD5/SHA1 for password hashing (HIGH) - Broken crypto
19
+ *
20
+ * @param lines - Array of code lines
21
+ * @returns Array of security vulnerabilities found
22
+ */
23
+ export declare function checkCredentialsAndCrypto(lines: string[]): SecurityVulnerability[];
24
+ //# sourceMappingURL=credentials-crypto.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"credentials-crypto.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/credentials-crypto.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,yBAAyB,CACvC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CAsJzB"}
@@ -0,0 +1,113 @@
1
+ "use strict";
2
+ /**
3
+ * Python Credentials and Cryptography Security Checks
4
+ * OWASP A07:2021 - Authentication Failures, A02:2021 - Cryptographic Failures
5
+ *
6
+ * Detects hardcoded credentials, weak cryptographic practices, and insecure
7
+ * random number generation in Python code.
8
+ */
9
+ Object.defineProperty(exports, "__esModule", { value: true });
10
+ exports.checkCredentialsAndCrypto = checkCredentialsAndCrypto;
11
+ const createVulnerability_1 = require("../utils/createVulnerability");
12
+ /**
13
+ * Checks for credential exposure and cryptographic weaknesses
14
+ *
15
+ * Covers:
16
+ * - Check #7: Hardcoded credentials (CRITICAL)
17
+ * - Pattern 1: Simple assignment (API_KEY = "...")
18
+ * - Pattern 2: Dictionary values ('password': '...')
19
+ * - Pattern 3: Flask secret_key (app.secret_key = '...')
20
+ * - Check #8a: random module for security (MEDIUM) - Weak RNG
21
+ * - Check #8b: MD5/SHA1 for password hashing (HIGH) - Broken crypto
22
+ *
23
+ * @param lines - Array of code lines
24
+ * @returns Array of security vulnerabilities found
25
+ */
26
+ function checkCredentialsAndCrypto(lines) {
27
+ const vulnerabilities = [];
28
+ let inMultiLineComment = false;
29
+ lines.forEach((line, index) => {
30
+ const lineNumber = index + 1;
31
+ const trimmed = line.trim();
32
+ // CRITICAL: Track Python triple-quote comment blocks (""" ... """ or ''' ... ''')
33
+ const hasTripleQuote = trimmed.includes('"""') || trimmed.includes("'''");
34
+ if (hasTripleQuote) {
35
+ if (!inMultiLineComment) {
36
+ inMultiLineComment = true;
37
+ const tripleQuoteCount = (trimmed.match(/"""/g) || []).length + (trimmed.match(/'''/g) || []).length;
38
+ if (tripleQuoteCount >= 2) {
39
+ inMultiLineComment = false;
40
+ }
41
+ return;
42
+ }
43
+ else {
44
+ inMultiLineComment = false;
45
+ return;
46
+ }
47
+ }
48
+ // CRITICAL: Skip all lines inside multi-line comments and single-line comments
49
+ if (!trimmed || inMultiLineComment || trimmed.startsWith('#')) {
50
+ return;
51
+ }
52
+ // OWASP A07:2021 - Authentication & Identification Failures
53
+ // 7. Hardcoded credentials - CRITICAL
54
+ // Pattern 1: Simple assignment (API_KEY = "...")
55
+ if (trimmed.match(/(password|passwd|pwd|secret|token|api[-_]?key|private[-_]?key|auth_token)\s*=\s*['"]/i) &&
56
+ !trimmed.includes('os.environ') && !trimmed.includes('config.') && !trimmed.includes('getenv')) {
57
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('hardcoded-credentials', 'Hardcoded credentials exposed in source code', 'Use environment variables with os.getenv() or python-dotenv', lineNumber, 'Hardcoded credentials in source code are visible to anyone with repository access and persist in version control history forever.', 'API_KEY = "sk-1234567890abcdef" # Visible in Git history, cannot be rotated', [
58
+ 'Unauthorized access to systems',
59
+ 'Account takeover',
60
+ 'Data breach',
61
+ 'Cannot rotate without code changes',
62
+ 'Exposed in version control history'
63
+ ], 'API_KEY = "sk-1234567890abcdef"', 'import os\nAPI_KEY = os.getenv("API_KEY") # Store in .env file (add to .gitignore)', 'Store secrets in environment variables. Use python-dotenv for local development, AWS Secrets Manager or similar for production'));
64
+ }
65
+ // Pattern 2: Dictionary values (FIX #2a) - 'password': '...'
66
+ if (trimmed.match(/['"](?:password|passwd|pwd|secret|token|api[-_]?key|private[-_]?key|auth_token)['"]\s*:\s*['"]/i) &&
67
+ !trimmed.includes('os.environ') && !trimmed.includes('os.getenv') && !trimmed.includes('config.')) {
68
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('hardcoded-credentials', 'Hardcoded credentials in dictionary/config object', 'Use environment variables with os.getenv() or python-dotenv', lineNumber, 'Hardcoded credentials in configuration dictionaries are visible to anyone with repository access and persist in version control history forever.', '"password": "SuperSecret123!" # Visible in Git history, cannot be rotated', [
69
+ 'Unauthorized database/API access',
70
+ 'Account takeover',
71
+ 'Data breach',
72
+ 'Cannot rotate without code changes',
73
+ 'Exposed in version control history'
74
+ ], 'DATABASE_CONFIG = {"password": "SuperSecret123!"}', 'import os\nDATABASE_CONFIG = {"password": os.getenv("DB_PASSWORD")} # Store in .env file', 'Store secrets in environment variables. Use python-dotenv for local development, AWS Secrets Manager or similar for production'));
75
+ }
76
+ // Pattern 3: Flask secret_key (FIX #2b) - app.secret_key = '...'
77
+ if (trimmed.match(/\.secret_key\s*=\s*['"][^'"]{8,}['"]/)) {
78
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('hardcoded-credentials', 'Hardcoded Flask secret_key exposes session security', 'Use environment variable for Flask secret_key', lineNumber, 'Flask secret_key is used to sign session cookies. A hardcoded secret_key allows attackers to forge session cookies and impersonate any user.', 'app.secret_key = "my-super-secret-flask-key" # Visible in Git, enables session forgery', [
79
+ 'Session cookie forgery',
80
+ 'Authentication bypass',
81
+ 'User impersonation',
82
+ 'Cannot rotate without code changes',
83
+ 'Exposed in version control history'
84
+ ], 'app.secret_key = "my-super-secret-flask-key"', 'import os\napp.secret_key = os.getenv("FLASK_SECRET_KEY") # Store in .env file (add to .gitignore)\n# Generate with: python -c "import secrets; print(secrets.token_hex(32))"', 'Always use environment variables for Flask secret_key. Generate a strong random key with secrets.token_hex(32)'));
85
+ }
86
+ // OWASP A02:2021 - Cryptographic Failures
87
+ // 8. random.random() for security - MEDIUM
88
+ if (trimmed.match(/random\.(random|randint|choice)\(/)) {
89
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('weak-random', 'random module is cryptographically weak', 'Use secrets module for security-sensitive operations', lineNumber, 'The random module uses Mersenne Twister which is predictable and unsuitable for security purposes like token or password generation.', 'token = str(random.randint(100000, 999999)) # Predictable, can be brute-forced', [
90
+ 'Predictable tokens/session IDs',
91
+ 'Session hijacking',
92
+ 'Authentication bypass',
93
+ 'Weak password generation'
94
+ ], 'import random\ntoken = random.randint(100000, 999999)', 'import secrets\ntoken = secrets.token_hex(32) # Cryptographically secure\n# Or: secrets.randbelow(999999) for integers', 'Use secrets module for all security-sensitive random number generation (tokens, passwords, session IDs)'));
95
+ }
96
+ // 8b. MD5/SHA1 for password hashing - HIGH (FIX #4)
97
+ // Detects: hashlib.md5(password) or hashlib.sha1(password)
98
+ if (trimmed.match(/hashlib\.(md5|sha1)\s*\(/) &&
99
+ (trimmed.match(/password|passwd|pwd|credentials?/i) ||
100
+ trimmed.match(/\.encode\(\)/) ||
101
+ line.toLowerCase().includes('password'))) {
102
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('weak-crypto', 'MD5/SHA1 are cryptographically broken for password hashing', 'Use bcrypt, scrypt, or argon2 for password hashing', lineNumber, 'MD5 and SHA1 are fast cryptographic hashes designed for data integrity, not password storage. Modern GPUs can compute billions of MD5/SHA1 hashes per second, making brute-force attacks trivial. Password hashes need slow, adaptive algorithms.', 'hashlib.md5(password.encode()).hexdigest() # Can be cracked at 200+ billion hashes/second', [
103
+ 'Password cracking (rainbow tables, brute force)',
104
+ 'Account takeover',
105
+ 'Data breach',
106
+ 'Credential stuffing attacks',
107
+ 'GPU-accelerated attacks'
108
+ ], 'import hashlib\ndef hash_password(password):\n return hashlib.md5(password.encode()).hexdigest()', 'import bcrypt\n\ndef hash_password(password):\n salt = bcrypt.gensalt(rounds=12) # Adaptive cost factor\n return bcrypt.hashpw(password.encode(), salt)\n\ndef verify_password(password, hashed):\n return bcrypt.checkpw(password.encode(), hashed)', 'Use bcrypt, scrypt, or argon2 for password hashing. These algorithms are intentionally slow and resistant to GPU/ASIC attacks'));
109
+ }
110
+ });
111
+ return vulnerabilities;
112
+ }
113
+ //# sourceMappingURL=credentials-crypto.js.map
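Review bot: The triple-quote tracking at hunk lines 33–47 returns early for any line that merely contains `"""` or `'''`, so a credential written as a triple-quoted literal (`SECRET = """..."""`) or code that shares a line with a docstring close is never examined by the checks below it, and `"""` and `'''` are counted together so a line mixing both styles is treated as opened-and-closed. Gating the skip on the line starting with the quote narrows the false negatives without changing the docstring case: `const startsWithTriple = /^[rRbBuU]*("""|''')/.test(trimmed);` and `if (startsWithTriple) {` in place of `if (hasTripleQuote) {`. The `os.environ` / `config.` / `getenv` exclusions on Pattern 1 and 2 are plain substring tests over the whole line, so a literal followed by a comment naming one of them is silently suppressed; anchoring them to the right-hand side of the `=` would be tighter. This is compiled output, so the fix belongs in the TypeScript source the source map names (`src/lib/analyzers/python/security-checks/credentials-crypto.ts`); the same triple-quote logic is repeated in the crypto-failures.js hunk further down.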
@@ -0,0 +1 @@
1
+ {"version":3,"file":"credentials-crypto.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/credentials-crypto.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAmBH,8DAwJC;AAxKD,sEAAiF;AAEjF;;;;;;;;;;;;;GAaG;AACH,SAAgB,yBAAyB,CACvC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,kFAAkF;QAClF,MAAM,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAE1E,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,kBAAkB,GAAG,IAAI,CAAC;gBAC1B,MAAM,gBAAgB,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBACrG,IAAI,gBAAgB,IAAI,CAAC,EAAE,CAAC;oBAC1B,kBAAkB,GAAG,KAAK,CAAC;gBAC7B,CAAC;gBACD,OAAO;YACT,CAAC;iBAAM,CAAC;gBACN,kBAAkB,GAAG,KAAK,CAAC;gBAC3B,OAAO;YACT,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,4DAA4D;QAC5D,sCAAsC;QACtC,iDAAiD;QACjD,IAAI,OAAO,CAAC,KAAK,CAAC,uFAAuF,CAAC;YACtG,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnG,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,uBAAuB,EACvB,8CAA8C,EAC9C,6DAA6D,EAC7D,UAAU,EACV,mIAAmI,EACnI,6EAA6E,EAC7E;gBACE,gCAAgC;gBAChC,kBAAkB;gBAClB,aAAa;gBACb,oCAAoC;gBACpC,oCAAoC;aACrC,EACD,iCAAiC,EACjC,qFAAqF,EACrF,gIAAgI,CACjI,CAAC,CAAC;QACL,CAAC;QAED,6DAA6D;QAC7D,IAAI,OAAO,CAAC,KAAK,CAAC,iGAAiG,CAAC;YAChH,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACtG,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,uBAAuB,EACvB,mDAAmD,EACnD,6DAA6D,EAC7D,UAAU,EACV,kJAAkJ,EAClJ,2EAA2E,EAC3E;gBACE,kCAAkC;gBAClC,kBAAkB;gBAClB,aAAa;gBACb,oCAAoC;gBACpC,oCAAoC;aACrC,EACD,mDAAmD,EACnD,2FAA2F,EAC3F,gIAAgI,C
ACjI,CAAC,CAAC;QACL,CAAC;QAED,iEAAiE;QACjE,IAAI,OAAO,CAAC,KAAK,CAAC,sCAAsC,CAAC,EAAE,CAAC;YAC1D,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,uBAAuB,EACvB,qDAAqD,EACrD,+CAA+C,EAC/C,UAAU,EACV,8IAA8I,EAC9I,wFAAwF,EACxF;gBACE,wBAAwB;gBACxB,uBAAuB;gBACvB,oBAAoB;gBACpB,oCAAoC;gBACpC,oCAAoC;aACrC,EACD,8CAA8C,EAC9C,gLAAgL,EAChL,gHAAgH,CACjH,CAAC,CAAC;QACL,CAAC;QAED,0CAA0C;QAC1C,2CAA2C;QAC3C,IAAI,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC,EAAE,CAAC;YACvD,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,aAAa,EACb,yCAAyC,EACzC,sDAAsD,EACtD,UAAU,EACV,sIAAsI,EACtI,iFAAiF,EACjF;gBACE,gCAAgC;gBAChC,mBAAmB;gBACnB,uBAAuB;gBACvB,0BAA0B;aAC3B,EACD,uDAAuD,EACvD,yHAAyH,EACzH,yGAAyG,CAC1G,CAAC,CAAC;QACL,CAAC;QAED,oDAAoD;QACpD,2DAA2D;QAC3D,IAAI,OAAO,CAAC,KAAK,CAAC,0BAA0B,CAAC;YACzC,CAAC,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC;gBAClD,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC;gBAC7B,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;YAC9C,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,aAAa,EACb,4DAA4D,EAC5D,oDAAoD,EACpD,UAAU,EACV,mPAAmP,EACnP,4FAA4F,EAC5F;gBACE,iDAAiD;gBACjD,kBAAkB;gBAClB,aAAa;gBACb,6BAA6B;gBAC7B,yBAAyB;aAC1B,EACD,qGAAqG,EACrG,gQAAgQ,EAChQ,+HAA+H,CAChI,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
@@ -0,0 +1,20 @@
1
+ /**
2
+ * Python Cryptographic Failures Security Checks
3
+ * OWASP A04:2025 - Cryptographic Failures
4
+ *
5
+ * Detects cryptographic vulnerabilities that can lead to data exposure.
6
+ * This category includes weak algorithms and insecure random generation.
7
+ */
8
+ import { SecurityVulnerability } from '../../types';
9
+ /**
10
+ * Checks for cryptographic security vulnerabilities in Python code
11
+ *
12
+ * Covers:
13
+ * - Check #1: Weak cryptographic algorithms (HIGH)
14
+ * - Check #2: Insecure random number generation (HIGH)
15
+ *
16
+ * @param lines - Array of code lines
17
+ * @returns Array of security vulnerabilities found
18
+ */
19
+ export declare function checkCryptoFailures(lines: string[]): SecurityVulnerability[];
20
+ //# sourceMappingURL=crypto-failures.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"crypto-failures.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/crypto-failures.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CAmNzB"}
@@ -0,0 +1,129 @@
1
+ "use strict";
2
+ /**
3
+ * Python Cryptographic Failures Security Checks
4
+ * OWASP A04:2025 - Cryptographic Failures
5
+ *
6
+ * Detects cryptographic vulnerabilities that can lead to data exposure.
7
+ * This category includes weak algorithms and insecure random generation.
8
+ */
9
+ Object.defineProperty(exports, "__esModule", { value: true });
10
+ exports.checkCryptoFailures = checkCryptoFailures;
11
+ const createVulnerability_1 = require("../utils/createVulnerability");
12
+ /**
13
+ * Checks for cryptographic security vulnerabilities in Python code
14
+ *
15
+ * Covers:
16
+ * - Check #1: Weak cryptographic algorithms (HIGH)
17
+ * - Check #2: Insecure random number generation (HIGH)
18
+ *
19
+ * @param lines - Array of code lines
20
+ * @returns Array of security vulnerabilities found
21
+ */
22
+ function checkCryptoFailures(lines) {
23
+ const vulnerabilities = [];
24
+ let inMultiLineComment = false;
25
+ lines.forEach((line, index) => {
26
+ const trimmedLine = line.trim();
27
+ // CRITICAL: Track Python triple-quote comment blocks (""" ... """ or ''' ... ''')
28
+ const hasTripleQuote = trimmedLine.includes('"""') || trimmedLine.includes("'''");
29
+ if (hasTripleQuote) {
30
+ if (!inMultiLineComment) {
31
+ // Start of multi-line comment
32
+ inMultiLineComment = true;
33
+ // Check if it closes on the same line (single-line docstring)
34
+ const tripleQuoteCount = (trimmedLine.match(/"""/g) || []).length + (trimmedLine.match(/'''/g) || []).length;
35
+ if (tripleQuoteCount >= 2) {
36
+ // Opens and closes on same line, reset flag
37
+ inMultiLineComment = false;
38
+ }
39
+ return; // Skip this line
40
+ }
41
+ else {
42
+ // End of multi-line comment
43
+ inMultiLineComment = false;
44
+ return; // Skip this line
45
+ }
46
+ }
47
+ // CRITICAL: Skip all lines inside multi-line comments and single-line comments
48
+ if (!trimmedLine ||
49
+ inMultiLineComment ||
50
+ trimmedLine.startsWith('#')) {
51
+ return;
52
+ }
53
+ const lowerLine = trimmedLine.toLowerCase();
54
+ // Check #1: Weak cryptographic algorithms
55
+ // Detect weak hash algorithms
56
+ if (lowerLine.includes('hashlib.md5(') ||
57
+ lowerLine.includes('hashlib.md5 (')) {
58
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('weak-crypto-algorithm', 'MD5 is a weak cryptographic hash algorithm - vulnerable to collision attacks', 'Use SHA-256, SHA-512, or bcrypt/argon2 for password hashing', index + 1, 'MD5 hash collisions allow attackers to create forged data with the same hash, bypass integrity checks, or crack passwords faster through rainbow tables and GPU attacks', 'import hashlib\npassword_hash = hashlib.md5(password.encode()).hexdigest() # Easily cracked!', [
59
+ 'Password cracking through precomputed rainbow tables',
60
+ 'Hash collision attacks for data forgery',
61
+ 'Integrity bypass in digital signatures',
62
+ 'Fast brute-force attacks using GPUs'
63
+ ], 'import hashlib\npassword_hash = hashlib.md5(password.encode()).hexdigest()', 'from argon2 import PasswordHasher\nph = PasswordHasher()\npassword_hash = ph.hash(password)', 'Use bcrypt or argon2 for password hashing. For general hashing, use SHA-256 or SHA-512. MD5 is cryptographically broken and should never be used for security purposes.'));
64
+ }
65
+ if (lowerLine.includes('hashlib.sha1(') ||
66
+ lowerLine.includes('hashlib.sha1 (')) {
67
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('weak-crypto-algorithm', 'SHA-1 is a weak cryptographic hash algorithm - deprecated due to collision attacks', 'Use SHA-256 or SHA-512 instead', index + 1, 'SHA-1 collision attacks (demonstrated in 2017) allow attackers to create different inputs with identical hashes, breaking digital signatures, certificates, and integrity checks', 'import hashlib\ntoken = hashlib.sha1(data).hexdigest() # Vulnerable to collision attacks', [
68
+ 'Collision attacks allowing data forgery',
69
+ 'Certificate spoofing and digital signature bypass',
70
+ 'Git commit signature forgery',
71
+ 'PDF and file integrity bypass'
72
+ ], 'import hashlib\ntoken = hashlib.sha1(data).hexdigest()', 'import hashlib\ntoken = hashlib.sha256(data).hexdigest()', 'SHA-1 was officially deprecated in 2017. Use SHA-256 or SHA-512 for all cryptographic hashing needs.'));
73
+ }
74
+ // Detect weak encryption algorithms
75
+ if ((lowerLine.includes('from crypto.cipher import des') && !lowerLine.includes('des3')) ||
76
+ lowerLine.includes('cipher = des.')) {
77
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('weak-crypto-algorithm', 'DES encryption is extremely weak - 56-bit key broken in 1998', 'Use AES-256 or ChaCha20 for encryption', index + 1, 'DES 56-bit keys can be brute-forced in hours using modern hardware, allowing attackers to decrypt all encrypted data', 'from Crypto.Cipher import DES\ncipher = DES.new(key, DES.MODE_ECB) # Broken in 1998!', [
78
+ 'Complete data decryption through brute-force',
79
+ 'Real-time decryption with specialized hardware',
80
+ 'Historical data exposure if keys are compromised',
81
+ 'Compliance violations (PCI-DSS, HIPAA)'
82
+ ], 'from Crypto.Cipher import DES\ncipher = DES.new(key, DES.MODE_ECB)', 'from Crypto.Cipher import AES\ncipher = AES.new(key, AES.MODE_GCM)', 'DES is cryptographically broken. Use AES-256 with GCM mode for authenticated encryption.'));
83
+ }
84
+ if (lowerLine.includes('from crypto.cipher import des3') ||
85
+ lowerLine.includes('cipher = des3.')) {
86
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('weak-crypto-algorithm', '3DES (Triple DES) is deprecated - limited by 64-bit block size', 'Use AES-256 for encryption', index + 1, '3DES suffers from the Sweet32 birthday attack due to 64-bit block size, allowing attackers to recover plaintext after encrypting ~32GB of data', 'from Crypto.Cipher import DES3\ncipher = DES3.new(key, DES3.MODE_CBC, iv) # Deprecated', [
87
+ 'Sweet32 birthday attack after ~32GB encrypted',
88
+ 'Slower performance than modern algorithms',
89
+ 'Compliance violations (NIST deprecated 3DES)',
90
+ 'Limited security margin'
91
+ ], 'from Crypto.Cipher import DES3\ncipher = DES3.new(key, DES3.MODE_CBC, iv)', 'from Crypto.Cipher import AES\ncipher = AES.new(key, AES.MODE_GCM)', '3DES was deprecated by NIST in 2017. Use AES-256 for all encryption needs.'));
92
+ }
93
+ if (lowerLine.includes('from crypto.cipher import blowfish') ||
94
+ lowerLine.includes('cipher = blowfish.')) {
95
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('weak-crypto-algorithm', 'Blowfish encryption is outdated - vulnerable to birthday attacks', 'Use AES-256 or ChaCha20 for encryption', index + 1, 'Blowfish 64-bit block size makes it vulnerable to birthday attacks when encrypting large amounts of data, similar to 3DES', 'from Crypto.Cipher import Blowfish\ncipher = Blowfish.new(key, Blowfish.MODE_CBC) # Outdated', [
96
+ 'Birthday attacks on 64-bit blocks',
97
+ 'Weak key schedule vulnerabilities',
98
+ 'Not recommended by modern security standards',
99
+ 'Better alternatives available (AES)'
100
+ ], 'from Crypto.Cipher import Blowfish\ncipher = Blowfish.new(key, Blowfish.MODE_CBC)', 'from Crypto.Cipher import AES\ncipher = AES.new(key, AES.MODE_GCM)', 'Blowfish is superseded by AES. Use AES-256 for modern encryption needs.'));
101
+ }
102
+ if (lowerLine.includes('from crypto.cipher import arc4') ||
103
+ lowerLine.includes('cipher = arc4.') ||
104
+ lowerLine.includes('from crypto.cipher import rc4')) {
105
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('weak-crypto-algorithm', 'RC4 stream cipher is completely broken - multiple practical attacks exist', 'Use AES-256-GCM or ChaCha20-Poly1305', index + 1, 'RC4 has multiple biases in its keystream that allow practical attacks to recover plaintext, as demonstrated in attacks against WEP, WPA-TKIP, and TLS', 'from Crypto.Cipher import ARC4\ncipher = ARC4.new(key) # Completely broken!', [
106
+ 'Keystream bias exploitation (RC4NOMORE)',
107
+ 'Real-time decryption in TLS (Bar-Mitzvah attack)',
108
+ 'WEP/WPA cracking in seconds',
109
+ 'Compliance violations (prohibited by RFC 7465)'
110
+ ], 'from Crypto.Cipher import ARC4\ncipher = ARC4.new(key)', 'from Crypto.Cipher import AES\ncipher = AES.new(key, AES.MODE_GCM)', 'RC4 is prohibited by RFC 7465. Use AES-GCM or ChaCha20-Poly1305 for stream encryption.'));
111
+ }
112
+ // Check #2: Insecure random number generation
113
+ // Detect insecure random functions used for security purposes
114
+ if (lowerLine.includes('random.random(') ||
115
+ lowerLine.includes('random.randint(') ||
116
+ lowerLine.includes('random.randrange(') ||
117
+ lowerLine.includes('random.choice(') ||
118
+ lowerLine.includes('random.shuffle(')) {
119
+ vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('insecure-random', 'Insecure random number generator used - predictable for security purposes', 'Use secrets module (secrets.token_hex(), secrets.token_urlsafe()) or os.urandom() for cryptographic randomness', index + 1, 'Python\'s random module uses Mersenne Twister which is not cryptographically secure. Attackers can predict future outputs after observing a sequence of values, allowing session hijacking, token forgery, and password prediction', 'import random\ntoken = str(random.random()) # Predictable! Can be guessed', [
120
+ 'Session token prediction and hijacking',
121
+ 'Password/PIN guessing through state recovery',
122
+ 'CSRF token forgery',
123
+ 'API key and authentication bypass'
124
+ ], 'import random\ntoken = str(random.random())\nsession_id = random.randint(1000, 9999)', 'import secrets\ntoken = secrets.token_hex(32)\nsession_id = secrets.randbelow(9000) + 1000', 'Never use random module for security. Use secrets module for tokens, passwords, and security-critical random values. The secrets module uses os.urandom() which is cryptographically secure.'));
125
+ }
126
+ });
127
+ return vulnerabilities;
128
+ }
129
+ //# sourceMappingURL=crypto-failures.js.map
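Review bot: Check #1 at hunk lines 56–73 overlaps the MD5/SHA1 detection in credentials-crypto.js and Check #2 overlaps its `random` detection, so a single line such as `hashlib.md5(password.encode())` or `random.randint(...)` is reported twice under different ids (`weak-crypto-algorithm` here vs `weak-crypto` there, `insecure-random` vs `weak-random`) and, per the two docblocks, at different severities (HIGH here, MEDIUM/HIGH there); either one checker should own these patterns or the ids and severities should agree. The MD5/SHA1 match is a bare `includes('hashlib.md5(')`, which also flags the non-security form Python 3.9+ provides, `hashlib.md5(data, usedforsecurity=False)`; adding `&& !lowerLine.includes('usedforsecurity=false')` to both conditions removes that false positive. The `cipher = des.` / `cipher = des3.` / `cipher = blowfish.` / `cipher = arc4.` substrings only fire for that exact variable name, so `c = DES.new(...)` is missed while the import line is still caught — worth a comment stating the import is the intended primary signal. This is compiled output; the change belongs in `src/lib/analyzers/python/security-checks/crypto-failures.ts` as named by the source map.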
@@ -0,0 +1 @@
1
+ {"version":3,"file":"crypto-failures.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/crypto-failures.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAeH,kDAqNC;AAjOD,sEAAiF;AAEjF;;;;;;;;;GASG;AACH,SAAgB,mBAAmB,CACjC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEhC,kFAAkF;QAClF,MAAM,cAAc,GAAG,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAElF,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,8BAA8B;gBAC9B,kBAAkB,GAAG,IAAI,CAAC;gBAC1B,8DAA8D;gBAC9D,MAAM,gBAAgB,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBAC7G,IAAI,gBAAgB,IAAI,CAAC,EAAE,CAAC;oBAC1B,4CAA4C;oBAC5C,kBAAkB,GAAG,KAAK,CAAC;gBAC7B,CAAC;gBACD,OAAO,CAAC,iBAAiB;YAC3B,CAAC;iBAAM,CAAC;gBACN,4BAA4B;gBAC5B,kBAAkB,GAAG,KAAK,CAAC;gBAC3B,OAAO,CAAC,iBAAiB;YAC3B,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,WAAW;YACZ,kBAAkB;YAClB,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;QAE5C,0CAA0C;QAE1C,8BAA8B;QAC9B,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC;YAClC,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;YACxC,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,uBAAuB,EACvB,8EAA8E,EAC9E,6DAA6D,EAC7D,KAAK,GAAG,CAAC,EACT,yKAAyK,EACzK,+FAA+F,EAC/F;gBACE,sDAAsD;gBACtD,yCAAyC;gBACzC,wCAAwC;gBACxC,qCAAqC;aACtC,EACD,4EAA4E,EAC5E,6FAA6F,EAC7F,yKAAyK,CAC1K,CACF,CAAC;QACJ,CAAC;QAED,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC;YACnC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACzC,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,uBAAuB,EACvB,oFAAoF,EACpF,gCAAgC,EAChC,KAAK,GAAG,CAAC,EACT,kLAAkL,EAClL,2FAA2F,EAC3F;gBACE,yCAAyC;gBACzC,mDAAmD;gBACnD,8BAA8B;gBAC9B,+BAA+B;aAChC,EACD,wDAAwD,EACxD,0DAA0D,EAC1D,sGAAsG,CACvG,CACF,CAAC;QACJ,CAAC;QAED,oCAAoC;QACpC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,+BAA+B,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,C
AAC,CAAC;YACpF,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;YACxC,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,uBAAuB,EACvB,8DAA8D,EAC9D,wCAAwC,EACxC,KAAK,GAAG,CAAC,EACT,sHAAsH,EACtH,uFAAuF,EACvF;gBACE,8CAA8C;gBAC9C,gDAAgD;gBAChD,kDAAkD;gBAClD,wCAAwC;aACzC,EACD,oEAAoE,EACpE,oEAAoE,EACpE,0FAA0F,CAC3F,CACF,CAAC;QACJ,CAAC;QAED,IAAI,SAAS,CAAC,QAAQ,CAAC,gCAAgC,CAAC;YACpD,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACzC,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,uBAAuB,EACvB,gEAAgE,EAChE,4BAA4B,EAC5B,KAAK,GAAG,CAAC,EACT,gJAAgJ,EAChJ,yFAAyF,EACzF;gBACE,+CAA+C;gBAC/C,2CAA2C;gBAC3C,8CAA8C;gBAC9C,yBAAyB;aAC1B,EACD,2EAA2E,EAC3E,oEAAoE,EACpE,4EAA4E,CAC7E,CACF,CAAC;QACJ,CAAC;QAED,IAAI,SAAS,CAAC,QAAQ,CAAC,oCAAoC,CAAC;YACxD,SAAS,CAAC,QAAQ,CAAC,oBAAoB,CAAC,EAAE,CAAC;YAC7C,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,uBAAuB,EACvB,kEAAkE,EAClE,wCAAwC,EACxC,KAAK,GAAG,CAAC,EACT,2HAA2H,EAC3H,+FAA+F,EAC/F;gBACE,mCAAmC;gBACnC,mCAAmC;gBACnC,8CAA8C;gBAC9C,qCAAqC;aACtC,EACD,mFAAmF,EACnF,oEAAoE,EACpE,yEAAyE,CAC1E,CACF,CAAC;QACJ,CAAC;QAED,IAAI,SAAS,CAAC,QAAQ,CAAC,gCAAgC,CAAC;YACpD,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACpC,SAAS,CAAC,QAAQ,CAAC,+BAA+B,CAAC,EAAE,CAAC;YACxD,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,uBAAuB,EACvB,2EAA2E,EAC3E,sCAAsC,EACtC,KAAK,GAAG,CAAC,EACT,uJAAuJ,EACvJ,8EAA8E,EAC9E;gBACE,yCAAyC;gBACzC,kDAAkD;gBAClD,6BAA6B;gBAC7B,gDAAgD;aACjD,EACD,wDAAwD,EACxD,oEAAoE,EACpE,wFAAwF,CACzF,CACF,CAAC;QACJ,CAAC;QAED,8CAA8C;QAE9C,8DAA8D;QAC9D,IAAI,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACpC,SAAS,CAAC,QAAQ,CAAC,iBAAiB,CAAC;YACrC,SAAS,CAAC,QAAQ,CAAC,mBAAmB,CAAC;YACvC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACpC,SAAS,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAC1C,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,iBAAiB,EACjB,2EAA2E,EAC3E,gHAAgH,EAChH,KAAK,GAAG,CAAC,EACT,oOAAoO,EACpO,4EAA4E,EAC5E;gBACE,wCAAwC;gBACxC,8CAA8C;gBAC9C,oBAAoB;gBACpB,mCAAmC;aACpC,EACD,sFAAsF,EACtF,4FAA4F,EAC5F,8LAA8L,CAC/L,CACF,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
@@ -0,0 +1,19 @@
1
+ /**
2
+ * Python Data Integrity Failures Security Checks
3
+ * OWASP A08:2025 - Software and Data Integrity Failures
4
+ *
5
+ * Detects insecure deserialization with pickle module.
6
+ * Updated for OWASP 2025 with enhanced detection patterns.
7
+ */
8
+ import { SecurityVulnerability } from '../../types';
9
+ /**
10
+ * Checks for data integrity vulnerabilities in Python code
11
+ *
12
+ * Covers:
13
+ * - Check #1: Insecure deserialization with pickle (CRITICAL)
14
+ *
15
+ * @param lines - Array of code lines
16
+ * @returns Array of security vulnerabilities found
17
+ */
18
+ export declare function checkDataIntegrity(lines: string[]): SecurityVulnerability[];
19
+ //# sourceMappingURL=data-integrity.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"data-integrity.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/data-integrity.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CAyFzB"}