codeslick-cli 1.0.0

package/dist/src/lib/analyzers/python/security-checks/data-integrity.js

@@ -0,0 +1,90 @@
+"use strict";
+/**
+ * Python Data Integrity Failures Security Checks
+ * OWASP A08:2025 - Software and Data Integrity Failures
+ *
+ * Detects insecure deserialization with pickle module.
+ * Updated for OWASP 2025 with enhanced detection patterns.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkDataIntegrity = checkDataIntegrity;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for data integrity vulnerabilities in Python code
+ *
+ * Covers:
+ * - Check #1: Insecure deserialization with pickle (CRITICAL)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+function checkDataIntegrity(lines) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    lines.forEach((line, index) => {
+        const trimmedLine = line.trim();
+        // CRITICAL: Track Python triple-quote comment blocks (""" ... """ or ''' ... ''')
+        const hasTripleQuote = trimmedLine.includes('"""') || trimmedLine.includes("'''");
+        if (hasTripleQuote) {
+            if (!inMultiLineComment) {
+                // Start of multi-line comment
+                inMultiLineComment = true;
+                // Check if it closes on the same line (single-line docstring)
+                const tripleQuoteCount = (trimmedLine.match(/"""/g) || []).length + (trimmedLine.match(/'''/g) || []).length;
+                if (tripleQuoteCount >= 2) {
+                    // Opens and closes on same line, reset flag
+                    inMultiLineComment = false;
+                }
+                return; // Skip this line
+            }
+            else {
+                // End of multi-line comment
+                inMultiLineComment = false;
+                return; // Skip this line
+            }
+        }
+        // CRITICAL: Skip all lines inside multi-line comments and single-line comments
+        if (!trimmedLine ||
+            inMultiLineComment ||
+            trimmedLine.startsWith('#')) {
+            return;
+        }
+        const lowerLine = trimmedLine.toLowerCase();
+        // Check #1: Insecure deserialization with pickle
+        // Detect pickle module usage (all variants)
+        const hasPickleUsage = 
+        // Standard pickle operations
+        lowerLine.includes('pickle.load(') ||
+            lowerLine.includes('pickle.loads(') ||
+            lowerLine.includes('pickle.dump(') ||
+            lowerLine.includes('pickle.dumps(') ||
+            lowerLine.includes('pickle.unpickler(') ||
+            // Import variants
+            /from\s+pickle\s+import\s+(load|loads|dump|dumps|unpickler)/i.test(trimmedLine) ||
+            // Direct usage after import
+            (/\b(load|loads|dump|dumps|unpickler)\s*\(/.test(lowerLine) &&
+                // Make sure we have imported pickle earlier
+                lines.slice(0, index).some(l => /from\s+pickle\s+import/i.test(l.trim()))) ||
+            // cPickle (Python 2)
+            lowerLine.includes('cpickle.load(') ||
+            lowerLine.includes('cpickle.loads(') ||
+            lowerLine.includes('cpickle.dump(') ||
+            lowerLine.includes('cpickle.dumps(') ||
+            // _pickle (internal module)
+            lowerLine.includes('_pickle.load(') ||
+            lowerLine.includes('_pickle.loads(') ||
+            lowerLine.includes('_pickle.dump(') ||
+            lowerLine.includes('_pickle.dumps(');
+        if (hasPickleUsage) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('insecure-deserialization', 'Insecure deserialization with pickle - allows arbitrary code execution when deserializing untrusted data', 'Use safe serialization formats (JSON, MessagePack) or implement strict validation before pickle deserialization', index + 1, 'Pickle can execute arbitrary Python code during deserialization. If an attacker controls the serialized data, they can achieve Remote Code Execution (RCE), install backdoors, steal credentials, or completely compromise the server. This is one of the most critical Python vulnerabilities.', 'import pickle\ndata = pickle.loads(request.data)  # CRITICAL: RCE vulnerability!', [
+                'Remote Code Execution (RCE) when deserializing attacker-controlled data',
+                'Complete server compromise and backdoor installation',
+                'Data exfiltration and credential theft',
+                'Privilege escalation to system/root access',
+                'Chain attacks to internal infrastructure'
+            ], 'import pickle\ndef load_user_session(session_data):\n    return pickle.loads(session_data)  # Dangerous!', 'import json\ndef load_user_session(session_data):\n    return json.loads(session_data)  # Safe - JSON cannot execute code', 'Never use pickle for untrusted data. Prefer JSON (json.loads), MessagePack (msgpack.unpackb), or Protocol Buffers. If pickle is absolutely required, implement HMAC signature verification, use restricted Unpickler with safe_load(), and validate all data in isolated sandbox.'));
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=data-integrity.js.map

package/dist/src/lib/analyzers/python/security-checks/data-integrity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"data-integrity.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/data-integrity.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAcH,gDA2FC;AAtGD,sEAAiF;AAEjF;;;;;;;;GAQG;AACH,SAAgB,kBAAkB,CAChC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEhC,kFAAkF;QAClF,MAAM,cAAc,GAAG,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAElF,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,8BAA8B;gBAC9B,kBAAkB,GAAG,IAAI,CAAC;gBAC1B,8DAA8D;gBAC9D,MAAM,gBAAgB,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBAC7G,IAAI,gBAAgB,IAAI,CAAC,EAAE,CAAC;oBAC1B,4CAA4C;oBAC5C,kBAAkB,GAAG,KAAK,CAAC;gBAC7B,CAAC;gBACD,OAAO,CAAC,iBAAiB;YAC3B,CAAC;iBAAM,CAAC;gBACN,4BAA4B;gBAC5B,kBAAkB,GAAG,KAAK,CAAC;gBAC3B,OAAO,CAAC,iBAAiB;YAC3B,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,WAAW;YACZ,kBAAkB;YAClB,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;QAE5C,iDAAiD;QAEjD,4CAA4C;QAC5C,MAAM,cAAc;QAClB,6BAA6B;QAC7B,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC;YAClC,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC;YACnC,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC;YAClC,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC;YACnC,SAAS,CAAC,QAAQ,CAAC,mBAAmB,CAAC;YACvC,kBAAkB;YAClB,6DAA6D,CAAC,IAAI,CAAC,WAAW,CAAC;YAC/E,4BAA4B;YAC5B,CAAC,0CAA0C,CAAC,IAAI,CAAC,SAAS,CAAC;gBAC1D,4CAA4C;gBAC5C,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,yBAAyB,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;YAC3E,qBAAqB;YACrB,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC;YACnC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACpC,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC;YACnC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACpC,4BAA4B;YAC5B,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC;YACnC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YACpC,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC;YACnC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;QAEvC,IAAI,cAAc,EAAE,CAAC;YACnB,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,0BAA0B,EAC1B,0GAA0G,EAC1G,iHAAiH,EACjH,KAAK,GAAG,CAAC,EACT,iSAAiS,EACjS,kFAAkF,EAClF;gBACE,yEAAyE;gBACzE,sDAAsD;gBACtD,wCAAwC;gBACxC,4CAA4C;gBAC5C,0CAA0C;aAC3C,EACD,0GAA0G,EAC1G,2HAA2H,EAC3H,mRAAmR,CACpR,CACF,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/python/security-checks/deserialization.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Python Deserialization Security Checks
+ * OWASP A08:2021 - Software and Data Integrity Failures
+ *
+ * Detects insecure deserialization vulnerabilities in Python code,
+ * particularly with pickle and YAML libraries.
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Checks for insecure deserialization vulnerabilities
+ *
+ * Covers:
+ * - Check #9: pickle.load() (HIGH) - Arbitrary code execution via pickle
+ * - Check #10: yaml.load() without SafeLoader (HIGH) - Code execution via YAML
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+export declare function checkDeserialization(lines: string[]): SecurityVulnerability[];
+//# sourceMappingURL=deserialization.d.ts.map

package/dist/src/lib/analyzers/python/security-checks/deserialization.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deserialization.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/deserialization.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CAyEzB"}

package/dist/src/lib/analyzers/python/security-checks/deserialization.js

@@ -0,0 +1,68 @@
+"use strict";
+/**
+ * Python Deserialization Security Checks
+ * OWASP A08:2021 - Software and Data Integrity Failures
+ *
+ * Detects insecure deserialization vulnerabilities in Python code,
+ * particularly with pickle and YAML libraries.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkDeserialization = checkDeserialization;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for insecure deserialization vulnerabilities
+ *
+ * Covers:
+ * - Check #9: pickle.load() (HIGH) - Arbitrary code execution via pickle
+ * - Check #10: yaml.load() without SafeLoader (HIGH) - Code execution via YAML
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+function checkDeserialization(lines) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    lines.forEach((line, index) => {
+        const lineNumber = index + 1;
+        const trimmed = line.trim();
+        // CRITICAL: Track Python triple-quote comment blocks (""" ... """ or ''' ... ''')
+        const hasTripleQuote = trimmed.includes('"""') || trimmed.includes("'''");
+        if (hasTripleQuote) {
+            if (!inMultiLineComment) {
+                inMultiLineComment = true;
+                const tripleQuoteCount = (trimmed.match(/"""/g) || []).length + (trimmed.match(/'''/g) || []).length;
+                if (tripleQuoteCount >= 2) {
+                    inMultiLineComment = false;
+                }
+                return;
+            }
+            else {
+                inMultiLineComment = false;
+                return;
+            }
+        }
+        // CRITICAL: Skip all lines inside multi-line comments and single-line comments
+        if (!trimmed || inMultiLineComment || trimmed.startsWith('#')) {
+            return;
+        }
+        // 9. pickle with untrusted data - HIGH
+        if (trimmed.match(/pickle\.load[s]?\(/) && !trimmed.includes('# trusted')) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('unsafe-pickle', 'pickle.load() can execute arbitrary code', 'Use json or msgpack for serialization, never unpickle untrusted data', lineNumber, 'Pickle deserialization can execute arbitrary Python code embedded in the pickled data, making it extremely dangerous with untrusted input.', 'pickle.loads(user_data)  # Can execute __reduce__ methods with malicious code', [
+                'Remote Code Execution (RCE)',
+                'Complete system compromise',
+                'Data theft',
+                'Malware installation'
+            ], 'import pickle\ndata = pickle.load(untrusted_file)', 'import json\ndata = json.load(file)  # Safe, only data deserialization\n# Or use msgpack for binary', 'Never unpickle data from untrusted sources. Use json for text data or msgpack for binary serialization'));
+        }
+        // 10. yaml.load() without SafeLoader - HIGH
+        if (trimmed.match(/yaml\.load\(/) && !trimmed.includes('SafeLoader')) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('unsafe-yaml-load', 'yaml.load() without SafeLoader can execute arbitrary code', 'Use yaml.safe_load() or yaml.load() with SafeLoader', lineNumber, 'yaml.load() with default Loader can instantiate arbitrary Python objects, including those that execute code during construction.', 'yaml.load(user_config)  # Can execute !!python/object/apply', [
+                'Remote Code Execution (RCE)',
+                'Object instantiation attacks',
+                'System compromise'
+            ], 'import yaml\nconfig = yaml.load(file)', 'import yaml\nconfig = yaml.safe_load(file)  # Safe, only loads basic types\n# Or: yaml.load(file, Loader=yaml.SafeLoader)', 'Always use yaml.safe_load() or explicitly pass Loader=yaml.SafeLoader to yaml.load()'));
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=deserialization.js.map

package/dist/src/lib/analyzers/python/security-checks/deserialization.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deserialization.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/deserialization.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAeH,oDA2EC;AAvFD,sEAAiF;AAEjF;;;;;;;;;GASG;AACH,SAAgB,oBAAoB,CAClC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,kFAAkF;QAClF,MAAM,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAE1E,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,kBAAkB,GAAG,IAAI,CAAC;gBAC1B,MAAM,gBAAgB,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBACrG,IAAI,gBAAgB,IAAI,CAAC,EAAE,CAAC;oBAC1B,kBAAkB,GAAG,KAAK,CAAC;gBAC7B,CAAC;gBACD,OAAO;YACT,CAAC;iBAAM,CAAC;gBACN,kBAAkB,GAAG,KAAK,CAAC;gBAC3B,OAAO;YACT,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,uCAAuC;QACvC,IAAI,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YAC1E,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,eAAe,EACf,0CAA0C,EAC1C,sEAAsE,EACtE,UAAU,EACV,4IAA4I,EAC5I,+EAA+E,EAC/E;gBACE,6BAA6B;gBAC7B,4BAA4B;gBAC5B,YAAY;gBACZ,sBAAsB;aACvB,EACD,mDAAmD,EACnD,qGAAqG,EACrG,wGAAwG,CACzG,CAAC,CAAC;QACL,CAAC;QAED,4CAA4C;QAC5C,IAAI,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YACrE,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,kBAAkB,EAClB,2DAA2D,EAC3D,qDAAqD,EACrD,UAAU,EACV,kIAAkI,EAClI,6DAA6D,EAC7D;gBACE,6BAA6B;gBAC7B,8BAA8B;gBAC9B,mBAAmB;aACpB,EACD,uCAAuC,EACvC,2HAA2H,EAC3H,sFAAsF,CACvF,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/python/security-checks/django-security.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Django Framework Security Checks
+ * OWASP A03:2021 - Injection, A01:2021 - Broken Access Control, A02:2021 - Cryptographic Failures
+ *
+ * Detects Django-specific security vulnerabilities including CSRF issues,
+ * configuration errors, XSS bypasses, and authentication problems.
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Checks for Django framework security vulnerabilities
+ *
+ * Covers:
+ * - Check #22: @csrf_exempt (HIGH) - Disables CSRF protection
+ * - Check #23: DEBUG=True (CRITICAL) - Information disclosure
+ * - Check #24: mark_safe() with user input (HIGH) - XSS vulnerability
+ * - Check #25: ORM raw() SQL injection (CRITICAL) - SQL injection via raw queries
+ * - Check #26: Missing @login_required (MEDIUM) - Missing authentication
+ * - Check #27: Weak SECRET_KEY (CRITICAL) - Cryptographic weakness
+ *
+ * @param lines - Array of code lines
+ * @param unsafeSqlVariables - Map of variable names with unsafe SQL string formatting
+ * @returns Array of security vulnerabilities found
+ */
+export declare function checkDjangoSecurity(lines: string[], unsafeSqlVariables: Map<string, number>): SecurityVulnerability[];
+//# sourceMappingURL=django-security.d.ts.map

package/dist/src/lib/analyzers/python/security-checks/django-security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"django-security.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/django-security.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,EAAE,EACf,kBAAkB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GACtC,qBAAqB,EAAE,CAgPzB"}

package/dist/src/lib/analyzers/python/security-checks/django-security.js

@@ -0,0 +1,180 @@
+"use strict";
+/**
+ * Django Framework Security Checks
+ * OWASP A03:2021 - Injection, A01:2021 - Broken Access Control, A02:2021 - Cryptographic Failures
+ *
+ * Detects Django-specific security vulnerabilities including CSRF issues,
+ * configuration errors, XSS bypasses, and authentication problems.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkDjangoSecurity = checkDjangoSecurity;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for Django framework security vulnerabilities
+ *
+ * Covers:
+ * - Check #22: @csrf_exempt (HIGH) - Disables CSRF protection
+ * - Check #23: DEBUG=True (CRITICAL) - Information disclosure
+ * - Check #24: mark_safe() with user input (HIGH) - XSS vulnerability
+ * - Check #25: ORM raw() SQL injection (CRITICAL) - SQL injection via raw queries
+ * - Check #26: Missing @login_required (MEDIUM) - Missing authentication
+ * - Check #27: Weak SECRET_KEY (CRITICAL) - Cryptographic weakness
+ *
+ * @param lines - Array of code lines
+ * @param unsafeSqlVariables - Map of variable names with unsafe SQL string formatting
+ * @returns Array of security vulnerabilities found
+ */
+function checkDjangoSecurity(lines, unsafeSqlVariables) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    lines.forEach((line, index) => {
+        const lineNumber = index + 1;
+        const trimmed = line.trim();
+        // CRITICAL: Track Python triple-quote comment blocks (""" ... """ or ''' ... ''')
+        const hasTripleQuote = trimmed.includes('"""') || trimmed.includes("'''");
+        if (hasTripleQuote) {
+            if (!inMultiLineComment) {
+                inMultiLineComment = true;
+                const tripleQuoteCount = (trimmed.match(/"""/g) || []).length + (trimmed.match(/'''/g) || []).length;
+                if (tripleQuoteCount >= 2) {
+                    inMultiLineComment = false;
+                }
+                return;
+            }
+            else {
+                inMultiLineComment = false;
+                return;
+            }
+        }
+        // CRITICAL: Skip all lines inside multi-line comments and single-line comments
+        if (!trimmed || inMultiLineComment || trimmed.startsWith('#')) {
+            return;
+        }
+        // 22. Django CSRF Exempt - HIGH (disables CSRF protection)
+        if (trimmed.includes('@csrf_exempt') && !trimmed.startsWith('#')) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('django-csrf-exempt', '@csrf_exempt decorator disables CSRF protection', 'Remove @csrf_exempt or ensure alternative CSRF protection is in place', lineNumber, 'The @csrf_exempt decorator disables Django\'s built-in CSRF protection, leaving the view vulnerable to Cross-Site Request Forgery attacks where attackers can perform unauthorized actions.', '@csrf_exempt\\ndef upload_file(request): # Attacker can forge POST requests', [
+                'Cross-Site Request Forgery (CSRF)',
+                'Unauthorized state-changing operations',
+                'Account takeover',
+                'Data manipulation',
+                'Privilege escalation'
+            ], '@csrf_exempt\\ndef process_payment(request):', 'def process_payment(request):\\n    # CSRF protection enabled by default\\n    if request.method == "POST":\\n        # Verify CSRF token automatically', 'Only use @csrf_exempt for APIs with alternative authentication (e.g., API tokens). Never exempt user-facing forms'));
+        }
+        // 23. Django DEBUG=True - CRITICAL (information disclosure)
+        if (trimmed.match(/DEBUG\s*=\s*True/)) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('django-debug-true', 'DEBUG = True exposes sensitive information in production', 'Set DEBUG = False in production settings', lineNumber, 'Running Django with DEBUG=True in production exposes detailed error pages with stack traces, settings, environment variables, and SQL queries to end users, revealing sensitive application internals.', 'DEBUG = True  # Exposes SECRET_KEY, database credentials, file paths', [
+                'Information disclosure',
+                'Exposure of secret keys and credentials',
+                'Exposure of application structure',
+                'Stack trace information leakage',
+                'Potential for targeted attacks'
+            ], 'DEBUG = True', 'import os\\nDEBUG = os.environ.get("DEBUG", "False") == "True"  # False by default\\n# Or: DEBUG = False  # Production', 'Always set DEBUG=False in production. Use environment variables to control debug mode'));
+        }
+        // 24. Django mark_safe() - HIGH (XSS vulnerability)
+        // CRITICAL FIX (2025-11-21): Expanded detection pattern
+        // Old: Only detected mark_safe() with 'request.', 'user_', 'input' keywords
+        // New: Detects mark_safe() with ANY variable, f-string, or dynamic content
+        if (trimmed.includes('mark_safe(')) {
+            const hasDynamicContent = trimmed.includes('request.') || // request.GET, request.POST
+                trimmed.includes('user.') || // user.bio, user.name
+                trimmed.match(/user_\w+/) || // user_input, user_data
+                trimmed.includes('input') || // input variable
+                trimmed.match(/mark_safe\([^)]*\{/) || // f-string interpolation: f"...{var}..."
+                trimmed.match(/mark_safe\([^)]*\+/) || // string concatenation
+                trimmed.match(/mark_safe\([^)]*\.format\(/) || // .format() method
+                trimmed.match(/mark_safe\([^)]*%/) || // % string formatting
+                trimmed.match(/mark_safe\(\w+\)/) || // variable: mark_safe(content)
+                trimmed.match(/mark_safe\([^)]*\[/); // array/dict access: mark_safe(data['key'])
+            if (hasDynamicContent) {
+                vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('django-mark-safe-xss', 'mark_safe() with user input bypasses XSS protection', 'Sanitize user input or use Django template auto-escaping instead', lineNumber, 'Django\'s mark_safe() function tells the template engine to trust the HTML content. When used with user input, it bypasses XSS protection and allows attackers to inject malicious scripts.', 'html = mark_safe(request.GET["content"])  # Attacker: ?content=<script>alert(1)</script>', [
+                    'Cross-Site Scripting (XSS)',
+                    'Session hijacking',
+                    'Credential theft',
+                    'Malicious script injection',
+                    'Client-side code execution'
+                ], 'from django.utils.safestring import mark_safe\\nhtml = mark_safe(user_input)', 'from django.utils.html import escape\\n# Let Django auto-escape in templates\\nhtml = escape(user_input)  # Sanitizes HTML\\n# Or use template: {{ user_input }}  (auto-escaped)', 'Never use mark_safe() with user-controlled input. Use Django\'s template auto-escaping'));
+            }
+        }
+        // 25. Django ORM Raw SQL Injection - CRITICAL (with data flow analysis)
+        if (trimmed.includes('.raw(')) {
+            // Check 1: Inline string formatting (same line as .raw())
+            const hasInlineFormatting = trimmed.includes('f"') ||
+                trimmed.includes('f\'') ||
+                trimmed.includes('%s"') ||
+                trimmed.includes('+') ||
+                trimmed.includes('.format(');
+            // Check 2: Using tracked unsafe variable
+            let usesUnsafeVariable = false;
+            let unsafeVarLine = 0;
+            let varName = '';
+            // Extract variable name from .raw(variable) call
+            const rawCallMatch = trimmed.match(/\.raw\((\w+)/);
+            if (rawCallMatch) {
+                varName = rawCallMatch[1];
+                if (unsafeSqlVariables.has(varName)) {
+                    usesUnsafeVariable = true;
+                    unsafeVarLine = unsafeSqlVariables.get(varName);
+                }
+            }
+            if (hasInlineFormatting || usesUnsafeVariable) {
+                const message = usesUnsafeVariable
+                    ? `Django ORM raw() uses unsafe query variable '${varName}' (defined on line ${unsafeVarLine})`
+                    : 'Django ORM raw() with string formatting allows SQL injection';
+                vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('django-orm-sql-injection', message, 'Use parameterized queries with .raw() or switch to ORM query methods', lineNumber, 'Using string formatting (f-strings, %, +, .format()) with Django\'s .raw() method allows SQL injection attacks. Attackers can manipulate queries to access unauthorized data or modify the database.', 'User.objects.raw(f"SELECT * FROM users WHERE name = \'{name}\'")  # name = "admin\'--" → bypasses WHERE', [
+                    'SQL injection',
+                    'Unauthorized data access',
+                    'Data exfiltration',
+                    'Data manipulation/deletion',
+                    'Authentication bypass'
+                ], 'query = f"SELECT * FROM users WHERE id = {user_id}"\\nUser.objects.raw(query)', '# Use parameterized queries\\nUser.objects.raw("SELECT * FROM users WHERE id = %s", [user_id])\\n# Or use ORM: User.objects.filter(id=user_id)', 'Always use parameterized queries with .raw(). Prefer Django ORM methods over raw SQL'));
+            }
+        }
+        // 26. Django Missing login_required - MEDIUM (missing authentication)
+        // PHASE 6 FIX (2025-11-22): Broadened detection to include admin, settings, dashboard, financial operations
+        const lowerTrimmed = trimmed.toLowerCase();
+        const sensitiveKeywords = [
+            'admin', 'delete', 'remove', 'update', 'edit',
+            'settings', 'dashboard', 'manage', 'create', 'transfer',
+            'invoice', 'payment', 'billing'
+        ];
+        if ((trimmed.includes('def ') || trimmed.includes('class ')) &&
+            trimmed.includes('(request') && // Django view signature
+            sensitiveKeywords.some(keyword => lowerTrimmed.includes(keyword))) {
+            // Check if @login_required is in previous lines (must be actual decorator, not in comments)
+            const hasAuthRequired = lines.slice(Math.max(0, index - 5), index).some(prevLine => {
+                const prevTrimmed = prevLine.trim();
+                return !prevTrimmed.startsWith('#') && (prevTrimmed.includes('@login_required') || prevTrimmed.includes('@permission_required'));
+            });
+            if (!hasAuthRequired) {
+                vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('django-missing-login-required', 'Sensitive view missing @login_required decorator', 'Add @login_required decorator to restrict access to authenticated users', lineNumber, 'Django views that perform sensitive operations (delete, update, admin actions, settings) should require authentication. Without @login_required, anonymous users can access these functions.', 'def admin_dashboard(request):  # No @login_required → Anyone can access admin panel', [
+                    'Unauthorized access to sensitive functions',
+                    'Data manipulation by anonymous users',
+                    'Privilege escalation',
+                    'Missing access control',
+                    'OWASP A01:2021 - Broken Access Control'
+                ], 'def admin_dashboard(request):', 'from django.contrib.auth.decorators import login_required\\n\\n@login_required\\ndef admin_dashboard(request):\\n    # Only authenticated users can access', 'Always use @login_required for sensitive views. Consider @permission_required for role-based access'));
+            }
+        }
+        // 27. Django Weak SECRET_KEY - CRITICAL (cryptographic weakness)
+        if (trimmed.match(/SECRET_KEY\s*=\s*['"]/)) {
+            const secretKeyMatch = trimmed.match(/SECRET_KEY\s*=\s*['"]([^'"]+)['"]/);
+            if (secretKeyMatch) {
+                const secretKey = secretKeyMatch[1];
+                const isWeak = secretKey.length < 50 ||
+                    /^(secret|django|12345|password|key|test|abc|demo)/i.test(secretKey) ||
+                    secretKey === 'your-secret-key-here';
+                if (isWeak) {
+                    vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('django-weak-secret-key', 'Django SECRET_KEY is weak or hardcoded', 'Generate a strong random SECRET_KEY and store in environment variables', lineNumber, 'Django\'s SECRET_KEY is used for cryptographic signing of sessions, cookies, and password reset tokens. A weak or hardcoded key allows attackers to forge sessions and decrypt sensitive data.', 'SECRET_KEY = "12345"  # Attacker can forge session cookies and impersonate any user', [
+                        'Session forgery',
+                        'Cookie tampering',
+                        'Password reset token forgery',
+                        'CSRF token bypass',
+                        'Cryptographic attack on signed data'
+                    ], 'SECRET_KEY = "django-insecure-123"', 'import os\\nfrom django.core.management.utils import get_random_secret_key\\n\\nSECRET_KEY = os.environ.get("DJANGO_SECRET_KEY")\\nif not SECRET_KEY:\\n    raise ValueError("DJANGO_SECRET_KEY environment variable not set")', 'Generate with: python -c \'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())\''));
+                }
+            }
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=django-security.js.map

package/dist/src/lib/analyzers/python/security-checks/django-security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"django-security.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/django-security.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAoBH,kDAmPC;AApQD,sEAAiF;AAEjF;;;;;;;;;;;;;;GAcG;AACH,SAAgB,mBAAmB,CACjC,KAAe,EACf,kBAAuC;IAEvC,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,kFAAkF;QAClF,MAAM,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAE1E,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,kBAAkB,GAAG,IAAI,CAAC;gBAC1B,MAAM,gBAAgB,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBACrG,IAAI,gBAAgB,IAAI,CAAC,EAAE,CAAC;oBAC1B,kBAAkB,GAAG,KAAK,CAAC;gBAC7B,CAAC;gBACD,OAAO;YACT,CAAC;iBAAM,CAAC;gBACN,kBAAkB,GAAG,KAAK,CAAC;gBAC3B,OAAO;YACT,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,2DAA2D;QAC3D,IAAI,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACjE,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,oBAAoB,EACpB,iDAAiD,EACjD,uEAAuE,EACvE,UAAU,EACV,6LAA6L,EAC7L,6EAA6E,EAC7E;gBACE,mCAAmC;gBACnC,wCAAwC;gBACxC,kBAAkB;gBAClB,mBAAmB;gBACnB,sBAAsB;aACvB,EACD,8CAA8C,EAC9C,yJAAyJ,EACzJ,mHAAmH,CACpH,CAAC,CAAC;QACL,CAAC;QAED,4DAA4D;QAC5D,IAAI,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACtC,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,mBAAmB,EACnB,0DAA0D,EAC1D,0CAA0C,EAC1C,UAAU,EACV,wMAAwM,EACxM,sEAAsE,EACtE;gBACE,wBAAwB;gBACxB,yCAAyC;gBACzC,mCAAmC;gBACnC,iCAAiC;gBACjC,gCAAgC;aACjC,EACD,cAAc,EACd,wHAAwH,EACxH,uFAAuF,CACxF,CAAC,CAAC;QACL,CAAC;QAED,oDAAoD;QACpD,wDAAwD;QACxD,4EAA4E;QAC5E,2EAA2E;QAC3E,IAAI,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YACnC,MAAM,iBAAiB,GACrB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAY,4BAA4B;gBACpE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAe,sBAAsB;gBAC9D,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,IAAe,wBAAwB;gBAChE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAe,iBAAiB;gBACzD,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,IAAK,yCAAyC;gBACjF,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,IAAK,uBAAuB;gBAC/D,OAAO,CAAC,KAAK,CAAC,4BAA4B,CAAC,IAAI,mBAAmB;gBAClE,OAAO,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAM,sBAAsB;gBAC9D,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC,IAAO,+BAA+B;gBACvE,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC,CAAI,4CAA4C;YAEtF,IAAI,iBAAiB,EAAE,CAAC;gBACtB,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,sBAAsB,EACtB,qDAAqD,EACrD,kEAAkE,EAClE,UAAU,EACV,6LAA6L,EAC7L,0FAA0F,EAC1F;oBACE,4BAA4B;oBAC5B,mBAAmB;oBACnB,kBAAkB;oBAClB,4BAA4B;oBAC5B,4BAA4B;iBAC7B,EACD,8EAA8E,EAC9E,kLAAkL,EAClL,wFAAwF,CACzF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,wEAAwE;QACxE,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9B,0DAA0D;YAC1D,MAAM,mBAAmB,GACvB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;gBACtB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC;gBACvB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC;gBACvB,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;gBACrB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YAE/B,yCAAyC;YACzC,IAAI,kBAAkB,GAAG,KAAK,CAAC;YAC/B,IAAI,aAAa,GAAG,CAAC,CAAC;YACtB,IAAI,OAAO,GAAG,EAAE,CAAC;YAEjB,iDAAiD;YACjD,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;YACnD,IAAI,YAAY,EAAE,CAAC;gBACjB,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;gBAC1B,IAAI,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;oBACpC,kBAAkB,GAAG,IAAI,CAAC;oBAC1B,aAAa,GAAG,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAE,CAAC;gBACnD,CAAC;YACH,CAAC;YAED,IAAI,mBAAmB,IAAI,kBAAkB,EAAE,CAAC;gBAC9C,MAAM,OAAO,GAAG,kBAAkB;oBAChC,CAAC,CAAC,gDAAgD,OAAO,sBAAsB,aAAa,GAAG;oBAC/F,CAAC,CAAC,8DAA8D,CAAC;gBAEnE,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,0BAA0B,EAC1B,OAAO,EACP,sEAAsE,EACtE,UAAU,EACV,sMAAsM,EACtM,yGAAyG,EACzG;oBACE,eAAe;oBACf,0BAA0B;oBAC1B,mBAAmB;oBACnB,4BAA4B;oBAC5B,uBAAuB;iBACxB,EACD,+EAA+E,EAC/E,gJAAgJ,EAChJ,sFAAsF,CACvF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,sEAAsE;QACtE,4GAA4G;QAC5G,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAC3C,MAAM,iBAAiB,GAAG;YACxB,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM;YAC7C,UAAU,EAAE,WAAW,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU;YACvD,SAAS,EAAE,SAAS,EAAE,SAAS;SAChC,CAAC;QAEF,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACxD,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAK,wBAAwB;YACzD,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YACtE,4FAA4F;YAC5F,MAAM,eAAe,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE;gBACjF,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACpC,OAAO,CAAC,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CACrC,WAAW,CAAC,QAAQ,CAAC,iBAAiB,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CACxF,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,+BAA+B,EAC/B,kDAAkD,EAClD,yEAAyE,EACzE,UAAU,EACV,8LAA8L,EAC9L,qFAAqF,EACrF;oBACE,4CAA4C;oBAC5C,sCAAsC;oBACtC,sBAAsB;oBACtB,wBAAwB;oBACxB,wCAAwC;iBACzC,EACD,+BAA+B,EAC/B,4JAA4J,EAC5J,qGAAqG,CACtG,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,iEAAiE;QACjE,IAAI,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC,EAAE,CAAC;YAC3C,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC,CAAC;YAC1E,IAAI,cAAc,EAAE,CAAC;gBACnB,MAAM,SAAS,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;gBACpC,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,GAAG,EAAE;oBACrB,oDAAoD,CAAC,IAAI,CAAC,SAAS,CAAC;oBACpE,SAAS,KAAK,sBAAsB,CAAC;gBAEpD,IAAI,MAAM,EAAE,CAAC;oBACX,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,wBAAwB,EACxB,wCAAwC,EACxC,wEAAwE,EACxE,UAAU,EACV,gMAAgM,EAChM,qFAAqF,EACrF;wBACE,iBAAiB;wBACjB,kBAAkB;wBAClB,8BAA8B;wBAC9B,mBAAmB;wBACnB,qCAAqC;qBACtC,EACD,oCAAoC,EACpC,gOAAgO,EAChO,6HAA6H,CAC9H,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Python Enhanced Supply Chain Security Checks
+ * OWASP A03:2025 - Software Supply Chain Failures (Enhanced)
+ *
+ * Enhanced supply chain security checks building on existing dependency scanning.
+ * Focuses on runtime dependencies, package integrity, and malicious code patterns.
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Checks for enhanced supply chain security vulnerabilities in Python code
+ *
+ * Covers:
+ * - Check #1: Dynamic imports without validation (HIGH)
+ * - Check #2: Runtime package installation (HIGH)
+ * - Check #3: Suspicious package patterns (HIGH)
+ * - Check #4: Untrusted package sources (MEDIUM)
+ * - Check #5: Package typosquatting patterns (MEDIUM)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+export declare function checkEnhancedSupplyChain(lines: string[]): SecurityVulnerability[];
+//# sourceMappingURL=enhanced-supply-chain.d.ts.map

package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"enhanced-supply-chain.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/enhanced-supply-chain.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;GAYG;AACH,wBAAgB,wBAAwB,CACtC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CAkLzB"}

package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js

@@ -0,0 +1,127 @@
+"use strict";
+/**
+ * Python Enhanced Supply Chain Security Checks
+ * OWASP A03:2025 - Software Supply Chain Failures (Enhanced)
+ *
+ * Enhanced supply chain security checks building on existing dependency scanning.
+ * Focuses on runtime dependencies, package integrity, and malicious code patterns.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkEnhancedSupplyChain = checkEnhancedSupplyChain;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for enhanced supply chain security vulnerabilities in Python code
+ *
+ * Covers:
+ * - Check #1: Dynamic imports without validation (HIGH)
+ * - Check #2: Runtime package installation (HIGH)
+ * - Check #3: Suspicious package patterns (HIGH)
+ * - Check #4: Untrusted package sources (MEDIUM)
+ * - Check #5: Package typosquatting patterns (MEDIUM)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+function checkEnhancedSupplyChain(lines) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    lines.forEach((line, index) => {
+        const trimmedLine = line.trim();
+        // CRITICAL: Track Python triple-quote comment blocks (""" ... """ or ''' ... ''')
+        const hasTripleQuote = trimmedLine.includes('"""') || trimmedLine.includes("'''");
+        if (hasTripleQuote) {
+            if (!inMultiLineComment) {
+                // Start of multi-line comment
+                inMultiLineComment = true;
+                // Check if it closes on the same line (single-line docstring)
+                const tripleQuoteCount = (trimmedLine.match(/"""/g) || []).length + (trimmedLine.match(/'''/g) || []).length;
+                if (tripleQuoteCount >= 2) {
+                    // Opens and closes on same line, reset flag
+                    inMultiLineComment = false;
+                }
+                return; // Skip this line
+            }
+            else {
+                // End of multi-line comment
+                inMultiLineComment = false;
+                return; // Skip this line
+            }
+        }
+        // CRITICAL: Skip all lines inside multi-line comments and single-line comments
+        if (!trimmedLine ||
+            inMultiLineComment ||
+            trimmedLine.startsWith('#')) {
+            return;
+        }
+        const lowerLine = trimmedLine.toLowerCase();
+        // Check #1: Dynamic imports without validation
+        if ((lowerLine.includes('__import__(') || lowerLine.includes('importlib.import_module(')) &&
+            (lowerLine.includes('input(') || lowerLine.includes('sys.argv') ||
+                lowerLine.includes('request.') || lowerLine.includes('os.environ'))) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('dynamic-import-no-validation', 'Dynamic import from user input without validation', 'Validate and whitelist allowed module names before dynamic imports', index + 1, 'Dynamic imports from user input can execute arbitrary code and enable supply chain attacks', '__import__(user_input) # arbitrary module loading', [
+                'Arbitrary module execution from user input',
+                'Supply chain attacks through malicious packages',
+                'Code injection via module names',
+                'Bypass of static analysis and security tools'
+            ], '__import__(user_input)', 'allowed_modules = ["safe_module"]; if module_name in allowed_modules: __import__(module_name)', 'Dynamic imports should validate module names against a whitelist to prevent arbitrary code execution'));
+        }
+        // Check #2: Runtime package installation
+        if ((lowerLine.includes('subprocess.') || lowerLine.includes('os.system(')) &&
+            (lowerLine.includes('pip install') || lowerLine.includes('pip3 install') ||
+                lowerLine.includes('easy_install') || lowerLine.includes('conda install'))) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('runtime-package-installation', 'Runtime package installation detected', 'Pre-install packages during build time instead of runtime installation', index + 1, 'Runtime package installation can introduce malicious code and supply chain vulnerabilities', 'subprocess.run(["pip", "install", user_package]) # runtime installation', [
+                'Installation of malicious packages at runtime',
+                'Supply chain attacks through compromised packages',
+                'Privilege escalation through package installation',
+                'Environment contamination with untrusted code'
+            ], 'subprocess.run(["pip", "install", package_name])', '# Pre-install packages in requirements.txt or Dockerfile', 'Runtime package installation bypasses security controls and enables arbitrary code execution'));
+        }
+        // Check #3: Suspicious package patterns (common typosquatting names)
+        // Don't flag legitimate packages: bs4, requests, urllib, numpy, pandas (use word boundaries!)
+        const legitimatePackages = ['bs4', 'requests', 'urllib', 'numpy', 'pandas'];
+        const hasLegitimatePackage = legitimatePackages.some(pkg => {
+            // Match exact package name with word boundaries (import numpy, from numpy, import urllib.parse)
+            const importPattern = new RegExp(`\\b(import|from)\\s+${pkg}\\b`, 'i');
+            return importPattern.test(trimmedLine);
+        });
+        if ((lowerLine.includes('import ') || lowerLine.includes('from ')) &&
+            !hasLegitimatePackage &&
+            (lowerLine.includes('reqeusts') || lowerLine.includes('beautifulsoup') ||
+                lowerLine.includes('urlib') || lowerLine.includes('numpyy') ||
+                lowerLine.includes('pandass') || lowerLine.includes('pythn'))) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('suspicious-package-pattern', 'Potentially typosquatted package name detected', 'Verify package names carefully against PyPI official packages', index + 1, 'Typosquatting packages can contain malicious code that mimics legitimate packages', 'import reqeusts # should be "requests"', [
+                'Malicious code execution from fake packages',
+                'Data theft and credential harvesting',
+                'Backdoor installation and remote access',
+                'Supply chain compromise through package confusion'
+            ], 'import reqeusts', 'import requests # verify correct package name', 'Typosquatting packages exploit common typos to distribute malicious code'));
+        }
+        // Check #4: Untrusted package sources
+        if ((lowerLine.includes('pip install') || lowerLine.includes('pip3 install')) &&
+            (lowerLine.includes('--index-url') || lowerLine.includes('-i ') ||
+                lowerLine.includes('--extra-index-url') || lowerLine.includes('--find-links'))) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('untrusted-package-source', 'Package installation from non-standard or untrusted source', 'Use official PyPI repository or verify custom repository security', index + 1, 'Installing packages from untrusted sources can introduce malicious code', 'pip install --index-url http://suspicious-repo.com/simple/ package', [
+                'Malicious packages from compromised repositories',
+                'Supply chain attacks through untrusted sources',
+                'Man-in-the-middle attacks on package downloads',
+                'Installation of backdoored or modified packages'
+            ], 'pip install --index-url http://custom-repo.com/simple/ package', 'pip install package # use official PyPI or verify custom repo security', 'Custom package repositories should be verified for security before use'));
+        }
+        // Check #5: Package typosquatting patterns in pip commands
+        if ((lowerLine.includes('pip install') || lowerLine.includes('pip3 install')) &&
+            (lowerLine.includes('django-admin') || lowerLine.includes('flask-admin') ||
+                lowerLine.includes('python-') || lowerLine.includes('py-') ||
+                lowerLine.includes('djangoo') || lowerLine.includes('flaskk') ||
+                lowerLine.includes('requestss') || lowerLine.includes('numpy-') ||
+                lowerLine.includes('pandas-'))) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('package-typosquatting-pattern', 'Package name follows common typosquatting pattern', 'Verify official package names on PyPI before installation', index + 1, 'Package names that mimic popular packages may contain malicious code', 'pip install djangoo # should be "django"', [
+                'Installation of malicious packages instead of legitimate ones',
+                'Supply chain attacks through package confusion',
+                'Backdoor code execution in development and production',
+                'Credential theft and data exfiltration'
+            ], 'pip install djangoo', 'pip install django # use official package name from PyPI', 'Package names should be verified against official PyPI listings to avoid typosquatting attacks'));
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=enhanced-supply-chain.js.map

package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"enhanced-supply-chain.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/enhanced-supply-chain.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAkBH,4DAoLC;AAnMD,sEAAiF;AAEjF;;;;;;;;;;;;GAYG;AACH,SAAgB,wBAAwB,CACtC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEhC,kFAAkF;QAClF,MAAM,cAAc,GAAG,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAElF,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,8BAA8B;gBAC9B,kBAAkB,GAAG,IAAI,CAAC;gBAC1B,8DAA8D;gBAC9D,MAAM,gBAAgB,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBAC7G,IAAI,gBAAgB,IAAI,CAAC,EAAE,CAAC;oBAC1B,4CAA4C;oBAC5C,kBAAkB,GAAG,KAAK,CAAC;gBAC7B,CAAC;gBACD,OAAO,CAAC,iBAAiB;YAC3B,CAAC;iBAAM,CAAC;gBACN,4BAA4B;gBAC5B,kBAAkB,GAAG,KAAK,CAAC;gBAC3B,OAAO,CAAC,iBAAiB;YAC3B,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,WAAW;YACZ,kBAAkB;YAClB,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;QAE5C,+CAA+C;QAC/C,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,0BAA0B,CAAC,CAAC;YACrF,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAC9D,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC;YACzE,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,8BAA8B,EAC9B,mDAAmD,EACnD,oEAAoE,EACpE,KAAK,GAAG,CAAC,EACT,4FAA4F,EAC5F,mDAAmD,EACnD;gBACE,4CAA4C;gBAC5C,iDAAiD;gBACjD,iCAAiC;gBACjC,8CAA8C;aAC/C,EACD,wBAAwB,EACxB,+FAA+F,EAC/F,sGAAsG,CACvG,CACF,CAAC;QACJ,CAAC;QAED,yCAAyC;QACzC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YACvE,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC;gBACvE,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,EAAE,CAAC;YAChF,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,8BAA8B,EAC9B,uCAAuC,EACvC,wEAAwE,EACxE,KAAK,GAAG,CAAC,EACT,4FAA4F,EAC5F,yEAAyE,EACzE;gBACE,+CAA+C;gBAC/C,mDAAmD;gBACnD,mDAAmD;gBACnD,+CAA+C;aAChD,EACD,kDAAkD,EAClD,0DAA0D,EAC1D,8FAA8F,CAC/F,CACF,CAAC;QACJ,CAAC;QAED,qEAAqE;QACrE,8FAA8F;QAC9F,MAAM,kBAAkB,GAAG,CAAC,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC5E,MAAM,oBAAoB,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;YACzD,gGAAgG;YAChG,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,uBAAuB,GAAG,KAAK,EAAE,GAAG,CAAC,CAAC;YACvE,OAAO,aAAa,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACzC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC9D,CAAC,oBAAoB;YACrB,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC;gBACrE,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAC3D,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YACnE,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,4BAA4B,EAC5B,gDAAgD,EAChD,+DAA+D,EAC/D,KAAK,GAAG,CAAC,EACT,mFAAmF,EACnF,wCAAwC,EACxC;gBACE,6CAA6C;gBAC7C,sCAAsC;gBACtC,yCAAyC;gBACzC,mDAAmD;aACpD,EACD,iBAAiB,EACjB,+CAA+C,EAC/C,0EAA0E,CAC3E,CACF,CAAC;QACJ,CAAC;QAED,sCAAsC;QACtC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;YACzE,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAC9D,SAAS,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,EAAE,CAAC;YACpF,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,0BAA0B,EAC1B,4DAA4D,EAC5D,mEAAmE,EACnE,KAAK,GAAG,CAAC,EACT,yEAAyE,EACzE,oEAAoE,EACpE;gBACE,kDAAkD;gBAClD,gDAAgD;gBAChD,gDAAgD;gBAChD,iDAAiD;aAClD,EACD,gEAAgE,EAChE,wEAAwE,EACxE,wEAAwE,CACzE,CACF,CAAC;QACJ,CAAC;QAED,2DAA2D;QAC3D,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;YACzE,CAAC,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC;gBACvE,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAC1D,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAC7D,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAC/D,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;YACpC,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,+BAA+B,EAC/B,mDAAmD,EACnD,2DAA2D,EAC3D,KAAK,GAAG,CAAC,EACT,sEAAsE,EACtE,0CAA0C,EAC1C;gBACE,+DAA+D;gBAC/D,gDAAgD;gBAChD,uDAAuD;gBACvD,wCAAwC;aACzC,EACD,qBAAqB,EACrB,0DAA0D,EAC1D,gGAAgG,CACjG,CACF,CAAC;QACJ,CAAC;IAEH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/python/security-checks/exception-handling.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Python Exception Handling Security Checks
+ * OWASP A10:2025 - Mishandling of Exceptional Conditions
+ *
+ * Detects improper exception handling that can lead to security vulnerabilities.
+ * This is a completely NEW category in OWASP 2025.
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Checks for exception handling security vulnerabilities in Python code
+ *
+ * Covers:
+ * - Check #1: Bare except clauses (HIGH)
+ * - Check #2: Exception details exposed in responses (HIGH)
+ * - Check #3: Silent exception suppression (MEDIUM)
+ * - Check #4: Resource cleanup missing in exceptions (MEDIUM)
+ * - Check #5: Incorrect exception handling patterns (MEDIUM)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+export declare function checkExceptionHandling(lines: string[]): SecurityVulnerability[];
+//# sourceMappingURL=exception-handling.d.ts.map

package/dist/src/lib/analyzers/python/security-checks/exception-handling.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"exception-handling.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/exception-handling.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;GAYG;AACH,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CA6KzB"}