codeslick-cli 1.0.0

package/dist/src/lib/analyzers/python/security-checks/web-security.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Python Web Security Checks
+ * OWASP A01:2021 - Broken Access Control, A03:2021 - Injection (XSS)
+ *
+ * Detects path traversal vulnerabilities and XSS issues in Python web applications.
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Checks for web security vulnerabilities
+ *
+ * Covers:
+ * - Check #11: Path Traversal (HIGH)
+ *   - Pattern 1: String concatenation/interpolation in open()
+ *   - Pattern 2: open() with user input variable (data flow)
+ *   - Pattern 3: os.path.join() with variables
+ * - Check #12: HTML rendering without escape (HIGH) - XSS
+ *
+ * @param lines - Array of code lines
+ * @param userInputVariables - Map of variable names assigned from user input
+ * @returns Array of security vulnerabilities found
+ */
+export declare function checkWebSecurity(lines: string[], userInputVariables: Map<string, number>): SecurityVulnerability[];
+//# sourceMappingURL=web-security.d.ts.map

package/dist/src/lib/analyzers/python/security-checks/web-security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"web-security.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/web-security.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,MAAM,EAAE,EACf,kBAAkB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GACtC,qBAAqB,EAAE,CAgJzB"}

package/dist/src/lib/analyzers/python/security-checks/web-security.js

@@ -0,0 +1,117 @@
+"use strict";
+/**
+ * Python Web Security Checks
+ * OWASP A01:2021 - Broken Access Control, A03:2021 - Injection (XSS)
+ *
+ * Detects path traversal vulnerabilities and XSS issues in Python web applications.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkWebSecurity = checkWebSecurity;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for web security vulnerabilities
+ *
+ * Covers:
+ * - Check #11: Path Traversal (HIGH)
+ *   - Pattern 1: String concatenation/interpolation in open()
+ *   - Pattern 2: open() with user input variable (data flow)
+ *   - Pattern 3: os.path.join() with variables
+ * - Check #12: HTML rendering without escape (HIGH) - XSS
+ *
+ * @param lines - Array of code lines
+ * @param userInputVariables - Map of variable names assigned from user input
+ * @returns Array of security vulnerabilities found
+ */
+function checkWebSecurity(lines, userInputVariables) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    lines.forEach((line, index) => {
+        const lineNumber = index + 1;
+        const trimmed = line.trim();
+        // CRITICAL: Track Python triple-quote comment blocks (""" ... """ or ''' ... ''')
+        const hasTripleQuote = trimmed.includes('"""') || trimmed.includes("'''");
+        if (hasTripleQuote) {
+            if (!inMultiLineComment) {
+                inMultiLineComment = true;
+                const tripleQuoteCount = (trimmed.match(/"""/g) || []).length + (trimmed.match(/'''/g) || []).length;
+                if (tripleQuoteCount >= 2) {
+                    inMultiLineComment = false;
+                }
+                return;
+            }
+            else {
+                inMultiLineComment = false;
+                return;
+            }
+        }
+        // CRITICAL: Skip all lines inside multi-line comments and single-line comments
+        if (!trimmed || inMultiLineComment || trimmed.startsWith('#')) {
+            return;
+        }
+        // OWASP A01:2021 - Broken Access Control
+        // 11. Path Traversal - HIGH
+        // Pattern 1: String concatenation/interpolation in open()
+        if ((trimmed.includes('open(') || trimmed.match(/Path\(/)) &&
+            (trimmed.includes('..') || trimmed.includes('+') || trimmed.includes('f"') || trimmed.includes("f'"))) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('path-traversal', 'Path Traversal vulnerability - unrestricted file access', 'Use pathlib.Path.resolve() and validate against allowed base directory', lineNumber, 'Path traversal allows attackers to access files outside intended directories using "../" sequences, potentially reading sensitive system files.', 'open(user_path)  where user_path = "../../../etc/passwd"', [
+                'Unauthorized file access',
+                'Sensitive data exposure (passwords, keys, config)',
+                'Source code theft',
+                'Configuration file access'
+            ], 'with open(base_dir + "/" + user_file) as f:', 'from pathlib import Path\nsafe_path = (Path(base_dir) / user_file).resolve()\nif not safe_path.is_relative_to(base_dir):\n    raise ValueError("Invalid path")\nwith open(safe_path) as f:', 'Always resolve paths and validate they stay within allowed base directory using Path.resolve() and is_relative_to()'));
+        }
+        // Pattern 2: open() with user input variable (FIX #3)
+        // Detects: filename = request.args.get('file'); open(filename)
+        if (trimmed.match(/\bopen\s*\(\s*(\w+)/)) {
+            const openVarMatch = trimmed.match(/\bopen\s*\(\s*(\w+)/);
+            if (openVarMatch) {
+                const varName = openVarMatch[1];
+                // Check if variable comes from user input (request.args, request.form, etc.)
+                if (userInputVariables.has(varName)) {
+                    const userInputLine = userInputVariables.get(varName);
+                    vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('path-traversal', `Path Traversal via user input variable '${varName}' (from line ${userInputLine})`, 'Use pathlib.Path.resolve() and validate against allowed base directory', lineNumber, `Variable '${varName}' contains user-controlled input (line ${userInputLine}), then used in open() without path validation. Attackers can use "../" sequences to access arbitrary files.`, `filename = request.args.get('file')  # Line ${userInputLine}\nwith open(filename) as f:  # Line ${lineNumber} - Vulnerable! Can access /etc/passwd`, [
+                        'Unauthorized file access',
+                        'Sensitive data exposure (passwords, keys, config)',
+                        'Source code theft',
+                        'Configuration file access',
+                        'System file reading'
+                    ], `# Line ${userInputLine}:\nfilename = request.args.get('file')\n# Line ${lineNumber}:\nwith open(filename, 'r') as f:`, 'from pathlib import Path\n\nBASE_DIR = Path("/allowed/directory")\nuser_file = request.args.get("file")\nsafe_path = (BASE_DIR / user_file).resolve()\n\nif not safe_path.is_relative_to(BASE_DIR):\n    raise ValueError("Invalid path")\n\nwith open(safe_path) as f:', 'Always validate file paths from user input. Use Path.resolve() and is_relative_to() to ensure paths stay within allowed directories'));
+                }
+            }
+        }
+        // Pattern 3: os.path.join() with variables (FIX #5)
+        // Detects: os.path.join('/base/', filename) where filename could be '../../../etc/passwd'
+        // Even with a base path, os.path.join() is vulnerable to path traversal
+        if (trimmed.match(/os\.path\.join\s*\(/)) {
+            // Check if second argument (or later) is a variable (not a string literal)
+            const joinMatch = trimmed.match(/os\.path\.join\s*\([^,]+,\s*(\w+)/);
+            if (joinMatch) {
+                const pathVar = joinMatch[1];
+                // Flag as vulnerable if the variable name suggests user input or is a parameter
+                const isLikelyUserInput = pathVar.match(/^(filename|file|path|name|user|param|input|upload)/i);
+                if (isLikelyUserInput) {
+                    vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('path-traversal', `Path Traversal risk in os.path.join() with variable '${pathVar}'`, 'Validate filename does not contain ".." before using os.path.join()', lineNumber, `os.path.join() does not prevent path traversal. If '${pathVar}' contains "../" sequences, attackers can escape the base directory and access arbitrary files.`, `os.path.join('/var/uploads/', filename) where filename = '../../../etc/passwd' results in '/var/uploads/../../../etc/passwd'`, [
+                        'Path traversal attacks',
+                        'Unauthorized file access',
+                        'Sensitive data exposure',
+                        'Reading system files (/etc/passwd, /etc/shadow)',
+                        'Source code theft'
+                    ], `file_path = os.path.join('/var/uploads/', ${pathVar})`, `from pathlib import Path\n\n# Validate filename doesn't contain path traversal\nif '..' in ${pathVar} or ${pathVar}.startsWith('/'):\n    raise ValueError("Invalid filename")\n\n# Use pathlib for safer path construction\nBASE_DIR = Path('/var/uploads')\nsafe_path = (BASE_DIR / ${pathVar}).resolve()\n\nif not safe_path.is_relative_to(BASE_DIR):\n    raise ValueError("Path traversal detected")\n\nwith open(safe_path) as f:`, 'Always validate that filenames do not contain ".." before using os.path.join(). Use pathlib.Path.resolve() and is_relative_to() for robust path validation'));
+                }
+            }
+        }
+        // OWASP A03:2021 - XSS (for web frameworks)
+        // 12. HTML rendering without escape - HIGH
+        if (trimmed.match(/render_template_string\(/) ||
+            (trimmed.match(/\.format\(/) && (trimmed.includes('html') || trimmed.includes('HTML')))) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('xss', 'HTML rendering without escape can cause XSS', 'Use Jinja2 autoescaping, Django templates, or html.escape()', lineNumber, 'Rendering user input in HTML without escaping allows XSS attacks where malicious scripts can steal sessions or modify page content.', 'render_template_string(f"<div>{user_input}</div>")  where user_input = "<script>alert(document.cookie)</script>"', [
+                'Cross-site scripting (XSS)',
+                'Session hijacking',
+                'Credential theft',
+                'Phishing attacks'
+            ], 'from flask import render_template_string\nhtml = render_template_string(f"<div>{user_content}</div>")', 'from flask import render_template_string\nimport html\nhtml = render_template_string(f"<div>{html.escape(user_content)}</div>")\n# Or use Jinja2 with autoescaping enabled', 'Always escape user content in HTML. Use Jinja2 with autoescaping, Django templates, or html.escape() for manual escaping'));
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=web-security.js.map

package/dist/src/lib/analyzers/python/security-checks/web-security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"web-security.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/web-security.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAmBH,4CAmJC;AAnKD,sEAAiF;AAEjF;;;;;;;;;;;;;GAaG;AACH,SAAgB,gBAAgB,CAC9B,KAAe,EACf,kBAAuC;IAEvC,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,kFAAkF;QAClF,MAAM,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAE1E,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,kBAAkB,GAAG,IAAI,CAAC;gBAC1B,MAAM,gBAAgB,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBACrG,IAAI,gBAAgB,IAAI,CAAC,EAAE,CAAC;oBAC1B,kBAAkB,GAAG,KAAK,CAAC;gBAC7B,CAAC;gBACD,OAAO;YACT,CAAC;iBAAM,CAAC;gBACN,kBAAkB,GAAG,KAAK,CAAC;gBAC3B,OAAO;YACT,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,yCAAyC;QACzC,4BAA4B;QAC5B,0DAA0D;QAC1D,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YACtD,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YAC1G,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,gBAAgB,EAChB,yDAAyD,EACzD,wEAAwE,EACxE,UAAU,EACV,iJAAiJ,EACjJ,0DAA0D,EAC1D;gBACE,0BAA0B;gBAC1B,mDAAmD;gBACnD,mBAAmB;gBACnB,2BAA2B;aAC5B,EACD,6CAA6C,EAC7C,4LAA4L,EAC5L,qHAAqH,CACtH,CAAC,CAAC;QACL,CAAC;QAED,sDAAsD;QACtD,+DAA+D;QAC/D,IAAI,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC;YACzC,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;YAC1D,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;gBAChC,6EAA6E;gBAC7E,IAAI,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;oBACpC,MAAM,aAAa,GAAG,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAE,CAAC;oBACvD,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,gBAAgB,EAChB,2CAA2C,OAAO,gBAAgB,aAAa,GAAG,EAClF,wEAAwE,EACxE,UAAU,EACV,aAAa,OAAO,0CAA0C,aAAa,8GAA8G,EACzL,+CAA+C,aAAa,uCAAuC,UAAU,uCAAuC,EACpJ;wBACE,0BAA0B;wBAC1B,mDAAmD;wBACnD,mBAAmB;wBACnB,2BAA2B;wBAC3B,qBAAqB;qBACtB,EACD,UAAU,aAAa,kDAAkD,UAAU,mCAAmC,EACtH,yQAAyQ,EACzQ,qIAAqI,CACtI,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,oDAAoD;QACpD,0FAA0F;QAC1F,wEAAwE;QACxE,IAAI,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC;YACzC,2EAA2E;YAC3E,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC,CAAC;YACrE,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,OAAO,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;gBAC7B,gFAAgF;gBAChF,MAAM,iBAAiB,GAAG,OAAO,CAAC,KAAK,CAAC,qDAAqD,CAAC,CAAC;gBAE/F,IAAI,iBAAiB,EAAE,CAAC;oBACtB,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,gBAAgB,EAChB,wDAAwD,OAAO,GAAG,EAClE,qEAAqE,EACrE,UAAU,EACV,uDAAuD,OAAO,iGAAiG,EAC/J,8HAA8H,EAC9H;wBACE,wBAAwB;wBACxB,0BAA0B;wBAC1B,yBAAyB;wBACzB,iDAAiD;wBACjD,mBAAmB;qBACpB,EACD,6CAA6C,OAAO,GAAG,EACvD,8FAA8F,OAAO,OAAO,OAAO,sKAAsK,OAAO,0IAA0I,EAC1a,4JAA4J,CAC7J,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,4CAA4C;QAC5C,2CAA2C;QAC3C,IAAI,OAAO,CAAC,KAAK,CAAC,0BAA0B,CAAC;YACzC,CAAC,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5F,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,KAAK,EACL,6CAA6C,EAC7C,6DAA6D,EAC7D,UAAU,EACV,qIAAqI,EACrI,kHAAkH,EAClH;gBACE,4BAA4B;gBAC5B,mBAAmB;gBACnB,kBAAkB;gBAClB,kBAAkB;aACnB,EACD,uGAAuG,EACvG,4KAA4K,EAC5K,0HAA0H,CAC3H,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/python/utils/createVulnerability.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Utility function to create security vulnerability objects for Python analyzer
+ *
+ * This module provides a standardized way to create SecurityVulnerability objects
+ * with proper CVSS scoring, OWASP mapping, and compliance information.
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Parameters for creating a security vulnerability object
+ */
+interface VulnerabilityParams {
+    category: string;
+    severity: string;
+    confidence: string;
+    message: string;
+    line: number;
+    suggestion: string;
+    owasp: string;
+    cwe: string;
+    pciDss: string;
+    securityRelevant?: boolean;
+    remediation: {
+        explanation: string;
+        before: string;
+        after: string;
+    };
+    attackVector: {
+        description: string;
+        exploitExample?: string;
+        realWorldImpact: string[];
+    };
+}
+/**
+ * Creates a standardized security vulnerability object for Python code
+ * Supports both object parameter style (OWASP 2025) and legacy individual parameters
+ *
+ * @param params - Object containing all vulnerability parameters (OWASP 2025 style)
+ * @returns SecurityVulnerability object with all required fields
+ */
+export declare function createPythonSecurityVulnerability(params: VulnerabilityParams): SecurityVulnerability;
+/**
+ * Legacy function signature for backward compatibility
+ *
+ * @param vulnerabilityType - Type identifier for severity scoring (e.g., 'sql-injection')
+ * @param message - User-friendly vulnerability message
+ * @param suggestion - Remediation suggestion
+ * @param lineNumber - Line number where vulnerability was detected
+ * @param attackDescription - Detailed description of the attack vector
+ * @param exploitExample - Example of how the vulnerability can be exploited
+ * @param realWorldImpact - Array of potential real-world impacts
+ * @param remediationBefore - Code example showing vulnerable pattern
+ * @param remediationAfter - Code example showing secure pattern
+ * @param remediationExplanation - Explanation of why the fix works
+ * @returns SecurityVulnerability object with all required fields
+ */
+export declare function createPythonSecurityVulnerability(vulnerabilityType: string, message: string, suggestion: string, lineNumber: number, attackDescription: string, exploitExample: string, realWorldImpact: string[], remediationBefore: string, remediationAfter: string, remediationExplanation: string): SecurityVulnerability;
+export {};
+//# sourceMappingURL=createVulnerability.d.ts.map

package/dist/src/lib/analyzers/python/utils/createVulnerability.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"createVulnerability.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/utils/createVulnerability.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAIpD;;GAEG;AACH,UAAU,mBAAmB;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,WAAW,EAAE;QACX,WAAW,EAAE,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;KACf,CAAC;IACF,YAAY,EAAE;QACZ,WAAW,EAAE,MAAM,CAAC;QACpB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,eAAe,EAAE,MAAM,EAAE,CAAC;KAC3B,CAAC;CACH;AAED;;;;;;GAMG;AACH,wBAAgB,iCAAiC,CAC/C,MAAM,EAAE,mBAAmB,GAC1B,qBAAqB,CAAC;AAEzB;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,iCAAiC,CAC/C,iBAAiB,EAAE,MAAM,EACzB,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,EAClB,iBAAiB,EAAE,MAAM,EACzB,cAAc,EAAE,MAAM,EACtB,eAAe,EAAE,MAAM,EAAE,EACzB,iBAAiB,EAAE,MAAM,EACzB,gBAAgB,EAAE,MAAM,EACxB,sBAAsB,EAAE,MAAM,GAC7B,qBAAqB,CAAC"}

package/dist/src/lib/analyzers/python/utils/createVulnerability.js

@@ -0,0 +1,71 @@
+"use strict";
+/**
+ * Utility function to create security vulnerability objects for Python analyzer
+ *
+ * This module provides a standardized way to create SecurityVulnerability objects
+ * with proper CVSS scoring, OWASP mapping, and compliance information.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createPythonSecurityVulnerability = createPythonSecurityVulnerability;
+const severity_scoring_1 = require("../../../security/severity-scoring");
+const compliance_mapping_1 = require("../../../security/compliance-mapping");
+function createPythonSecurityVulnerability(paramsOrType, message, suggestion, lineNumber, attackDescription, exploitExample, realWorldImpact, remediationBefore, remediationAfter, remediationExplanation) {
+    // Check if using new object-style parameters (OWASP 2025)
+    if (typeof paramsOrType === 'object') {
+        const params = paramsOrType;
+        const scoring = (0, severity_scoring_1.calculateSeverityScore)(params.category);
+        const compliance = (0, compliance_mapping_1.getComplianceMapping)(params.category);
+        return {
+            severity: params.severity.toUpperCase(),
+            message: params.message,
+            suggestion: params.suggestion,
+            line: params.line,
+            category: params.category,
+            securityRelevant: params.securityRelevant, // P3: Propagate security relevance flag
+            cvssScore: scoring.cvssScore,
+            exploitLikelihood: scoring.exploitLikelihood,
+            impact: scoring.impact,
+            owasp: params.owasp,
+            cwe: params.cwe,
+            pciDss: params.pciDss,
+            attackVector: {
+                description: params.attackVector.description,
+                exploitExample: params.attackVector.exploitExample || '',
+                realWorldImpact: params.attackVector.realWorldImpact
+            },
+            remediation: {
+                before: params.remediation.before,
+                after: params.remediation.after,
+                explanation: params.remediation.explanation
+            }
+        };
+    }
+    // Legacy 10-parameter signature (backward compatibility)
+    const vulnerabilityType = paramsOrType;
+    const scoring = (0, severity_scoring_1.calculateSeverityScore)(vulnerabilityType);
+    const compliance = (0, compliance_mapping_1.getComplianceMapping)(vulnerabilityType);
+    return {
+        severity: scoring.severity,
+        message: message,
+        suggestion: suggestion,
+        line: lineNumber,
+        category: vulnerabilityType,
+        cvssScore: scoring.cvssScore,
+        exploitLikelihood: scoring.exploitLikelihood,
+        impact: scoring.impact,
+        owasp: compliance.owasp,
+        cwe: compliance.cwe,
+        pciDss: compliance.pciDss,
+        attackVector: {
+            description: attackDescription,
+            exploitExample: exploitExample,
+            realWorldImpact: realWorldImpact
+        },
+        remediation: {
+            before: remediationBefore,
+            after: remediationAfter,
+            explanation: remediationExplanation
+        }
+    };
+}
+//# sourceMappingURL=createVulnerability.js.map

package/dist/src/lib/analyzers/python/utils/createVulnerability.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"createVulnerability.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/utils/createVulnerability.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAuEH,8EAyEC;AA7ID,yEAA4E;AAC5E,6EAA4E;AAmE5E,SAAgB,iCAAiC,CAC/C,YAA0C,EAC1C,OAAgB,EAChB,UAAmB,EACnB,UAAmB,EACnB,iBAA0B,EAC1B,cAAuB,EACvB,eAA0B,EAC1B,iBAA0B,EAC1B,gBAAyB,EACzB,sBAA+B;IAE/B,0DAA0D;IAC1D,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;QACrC,MAAM,MAAM,GAAG,YAAmC,CAAC;QAEnD,MAAM,OAAO,GAAG,IAAA,yCAAsB,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACxD,MAAM,UAAU,GAAG,IAAA,yCAAoB,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAEzD,OAAO;YACL,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAS;YAC9C,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,EAAE,wCAAwC;YACnF,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;YAC5C,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,YAAY,EAAE;gBACZ,WAAW,EAAE,MAAM,CAAC,YAAY,CAAC,WAAW;gBAC5C,cAAc,EAAE,MAAM,CAAC,YAAY,CAAC,cAAc,IAAI,EAAE;gBACxD,eAAe,EAAE,MAAM,CAAC,YAAY,CAAC,eAAe;aACrD;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,MAAM,CAAC,WAAW,CAAC,MAAM;gBACjC,KAAK,EAAE,MAAM,CAAC,WAAW,CAAC,KAAK;gBAC/B,WAAW,EAAE,MAAM,CAAC,WAAW,CAAC,WAAW;aAC5C;SACF,CAAC;IACJ,CAAC;IAED,yDAAyD;IACzD,MAAM,iBAAiB,GAAG,YAAsB,CAAC;IACjD,MAAM,OAAO,GAAG,IAAA,yCAAsB,EAAC,iBAAiB,CAAC,CAAC;IAC1D,MAAM,UAAU,GAAG,IAAA,yCAAoB,EAAC,iBAAiB,CAAC,CAAC;IAE3D,OAAO;QACL,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,OAAO,EAAE,OAAQ;QACjB,UAAU,EAAE,UAAW;QACvB,IAAI,EAAE,UAAW;QACjB,QAAQ,EAAE,iBAAiB;QAC3B,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;QAC5C,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,KAAK,EAAE,UAAU,CAAC,KAAK;QACvB,GAAG,EAAE,UAAU,CAAC,GAAG;QACnB,MAAM,EAAE,UAAU,CAAC,MAAM;QACzB,YAAY,EAAE;YACZ,WAAW,EAAE,iBAAkB;YAC/B,cAAc,EAAE,cAAe;YAC/B,eAAe,EAAE,eAAgB;SAClC;QACD,WAAW,EAAE;YACX,MAAM,EAAE,iBAAkB;YAC1B,KAAK,EAAE,gBAAiB;YACxB,WAAW,EAAE,sBAAuB;SACrC;KACF,CAAC;AACJ,CAAC"}

package/dist/src/lib/analyzers/python-analyzer.d.ts

@@ -0,0 +1,111 @@
+/**
+ * ⚠️ SHARED MODULE: Python Security Analyzer
+ *
+ * CRITICAL: This module is used by BOTH WebTool and GitHub App
+ *
+ * WebTool uses this for:
+ * - /api/analyze endpoint - Interactive single-file analysis (<3s target)
+ * - Real-time vulnerability detection for individual developers
+ *
+ * GitHub App uses this for:
+ * - /api/github/webhook - Batch PR analysis (10-30s OK)
+ * - Automated security checks for professional teams
+ *
+ * ⚠️ BEFORE MODIFYING THIS FILE:
+ * 1. Run all 96 analyzer tests: npm test analyzers
+ * 2. Test WebTool: Paste Python code at /analyze → Verify results
+ * 3. Test GitHub: Open PR with Python → Verify webhook comment
+ * 4. Verify performance: Analysis must complete in <2s per file
+ * 5. Check detection rate: All 19 Python checks must still detect
+ *
+ * CRITICAL OUTPUT FORMAT (DO NOT CHANGE):
+ * - result.security.vulnerabilities - Used by both systems
+ * - Each vulnerability has: line, message, severity, cvssScore, owasp, cwe
+ * - Changing this structure breaks BOTH WebTool and GitHub UI parsing
+ *
+ * See: docs/technical/WEBTOOL_GITHUB_SEPARATION.md
+ *
+ * Last modified: 2025-11-18
+ * Last verified (both systems): 2025-11-18
+ */
+import { ICodeAnalyzer, AnalyzerInput, AnalyzerResult } from './types';
+import { SupportedLanguage } from '../types';
+export declare class PythonAnalyzer implements ICodeAnalyzer {
+    readonly language: SupportedLanguage;
+    analyze(input: AnalyzerInput): Promise<AnalyzerResult>;
+    validateSyntax(code: string): Promise<boolean>;
+    getLanguageInfo(): {
+        name: string;
+        extensions: string[];
+        description: string;
+    };
+    private analyzeSyntax;
+    private checkBracketBalance;
+    private analyzeQuality;
+    private analyzePerformance;
+    private createSecurityVulnerability;
+    private analyzeSecurity;
+    /**
+     * Deduplicate vulnerabilities by line number
+     * When multiple checks flag the same line, keep only the one with highest CVSS score
+     *
+     * Common duplicates:
+     * - Hardcoded credentials detected by both credentials-crypto.ts and security-misconfiguration.ts
+     * - Flask debug mode detected by both flask-security.ts and security-misconfiguration.ts
+     * - Random module detected by credentials-crypto.ts, crypto-failures.ts, and authentication-flaws.ts
+     * - Pickle detected by deserialization.ts and data-integrity.ts
+     * - MD5 detected by crypto-failures.ts and credentials-crypto.ts
+     */
+    private deduplicateVulnerabilities;
+    private calculateMetrics;
+    /**
+     * Check for missing imports - detects usage of common modules without imports
+     */
+    private checkMissingImports;
+    /**
+     * Check for unbalanced parentheses in function/method calls
+     */
+    private checkUnbalancedParentheses;
+    /**
+     * Detect AI Hallucinations - Common method name errors
+     * Similar to JavaScript analyzer but for Python-specific methods
+     */
+    private detectAIHallucinations;
+    /**
+     * Detect indentation errors (IndentationError, TabError)
+     */
+    private detectIndentationErrors;
+    /**
+     * Detect TypeError patterns
+     */
+    private detectTypeErrors;
+    /**
+     * Detect NameError - undefined variables
+     */
+    private detectNameErrors;
+    /**
+     * Detect AttributeError - accessing non-existent attributes
+     */
+    private detectAttributeErrors;
+    /**
+     * Detect IndexError - list index out of range
+     */
+    private detectIndexErrors;
+    /**
+     * Detect KeyError - dictionary key access without checking
+     */
+    private detectKeyErrors;
+    /**
+     * Detect mutable default arguments
+     */
+    private detectMutableDefaults;
+    /**
+     * Detect loop modification - modifying list/dict while iterating
+     */
+    private detectLoopModification;
+    /**
+     * Detect scope issues - global/nonlocal misuse
+     */
+    private detectScopeIssues;
+}
+//# sourceMappingURL=python-analyzer.d.ts.map

package/dist/src/lib/analyzers/python-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"python-analyzer.d.ts","sourceRoot":"","sources":["../../../../../../src/lib/analyzers/python-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,cAAc,EAAkD,MAAM,SAAS,CAAC;AACvH,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AA2B7C,qBAAa,cAAe,YAAW,aAAa;IAClD,SAAgB,QAAQ,EAAE,iBAAiB,CAAY;IAEjD,OAAO,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC;IA4BtD,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAsBpD,eAAe;;;;;IAQf,OAAO,CAAC,aAAa;IA0arB,OAAO,CAAC,mBAAmB;IA4H3B,OAAO,CAAC,cAAc;IA2DtB,OAAO,CAAC,kBAAkB;IA+B1B,OAAO,CAAC,2BAA2B;IAuCnC,OAAO,CAAC,eAAe;IA6MvB;;;;;;;;;;OAUG;IACH,OAAO,CAAC,0BAA0B;IAqIlC,OAAO,CAAC,gBAAgB;IAoBxB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAmE3B;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAsElC;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAwF9B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA0B/B;;OAEG;IACH,OAAO,CAAC,gBAAgB;IA+BxB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAiGxB;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAwC7B;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAoCzB;;OAEG;IACH,OAAO,CAAC,eAAe;IA8BvB;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAoB7B;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAiC9B;;OAEG;IACH,OAAO,CAAC,iBAAiB;CAiD1B"}