codeslick-cli 1.0.0

package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.js

@@ -0,0 +1,121 @@
+"use strict";
+/**
+ * TypeScript Logging and Monitoring Security Checks
+ * OWASP A09:2025 - Security Logging and Monitoring Failures
+ *
+ * Detects critical logging vulnerabilities:
+ * - Check #92: Missing audit logging for critical operations
+ * - Check #93: Sensitive data in logs
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkLoggingFailures = checkLoggingFailures;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for logging and monitoring failures in TypeScript code
+ *
+ * Covers:
+ * - Check #92: Missing audit logging for critical operations (MEDIUM)
+ * - Check #93: Sensitive data logged (HIGH)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+function checkLoggingFailures(lines) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    lines.forEach((line, index) => {
+        const lineNumber = index + 1;
+        const trimmed = line.trim();
+        // Track multi-line comment blocks (/* ... */)
+        if (trimmed.includes('/*')) {
+            inMultiLineComment = true;
+        }
+        if (trimmed.includes('*/')) {
+            inMultiLineComment = false;
+            return;
+        }
+        // Skip comments and empty lines
+        if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*'))
+            return;
+        // OWASP A09:2025 - Security Logging and Monitoring Failures
+        // Check #92: Missing Audit Logging for Critical Operations - MEDIUM
+        // Pattern: DELETE FROM users / UPDATE users / DROP TABLE (without logging)
+        // Detects critical database operations without audit logging
+        // Look for critical database operations
+        const criticalDbPattern = /(db\.query|db\.execute|connection\.query|pool\.query|sequelize\.query|prisma\.\w+\.delete|prisma\.\w+\.update)\s*\(\s*['"`]?\s*(DELETE|UPDATE|DROP|TRUNCATE)/i;
+        if (trimmed.match(criticalDbPattern)) {
+            // Check surrounding lines for audit logging
+            const surroundingLines = lines.slice(Math.max(0, index - 3), Math.min(index + 5, lines.length));
+            // Check for logging statements (skip comments to avoid false positives)
+            const hasAuditLog = surroundingLines.some(l => {
+                const trimmedLine = l.trim();
+                // Skip full-line comments and empty lines
+                if (!trimmedLine || trimmedLine.startsWith('//') || trimmedLine.startsWith('*') || trimmedLine.startsWith('/*')) {
+                    return false;
+                }
+                // Remove inline comments (everything after //) to avoid false positives from comments
+                const codeOnly = trimmedLine.split('//')[0].trim();
+                const lowerLine = codeOnly.toLowerCase();
+                return ((lowerLine.includes('logger.') || lowerLine.includes('log.') || lowerLine.includes('audit')) &&
+                    (lowerLine.includes('info') || lowerLine.includes('warn') || lowerLine.includes('audit') || lowerLine.includes('security'))) ||
+                    lowerLine.includes('auditlog') ||
+                    lowerLine.includes('securitylog');
+            });
+            // Check if this is in an admin/management context (likely needs auditing)
+            const isAdminContext = surroundingLines.some(l => {
+                const lowerLine = l.toLowerCase();
+                return (lowerLine.includes('admin') ||
+                    lowerLine.includes('delete') ||
+                    lowerLine.includes('remove') ||
+                    lowerLine.includes('modify') ||
+                    lowerLine.includes('permission'));
+            });
+            if (!hasAuditLog && isAdminContext) {
+                vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('missing-audit-logging', 'Critical database operation without audit logging - cannot track who performed this action', 'Add audit logging: logger.audit({ action: \'DELETE_USER\', adminId, targetUserId, timestamp })', lineNumber, 'Critical operations like DELETE, UPDATE on user data must be logged for security auditing and compliance. Without audit logs, you cannot detect insider threats, unauthorized access, or data manipulation. This violates GDPR, SOC 2, PCI-DSS, and HIPAA requirements for audit trails.', 'Admin deletes user account → No log entry → Insider threat goes undetected → Compliance audit fails → Regulatory fines', [
+                    'Cannot detect unauthorized data deletion',
+                    'Insider threats go undetected',
+                    'Compliance violations (GDPR Art. 30, PCI-DSS 10.2, SOC 2)',
+                    'No forensic evidence for security incidents',
+                    'Cannot prove who performed critical actions',
+                    'Failed security audits',
+                    'Regulatory penalties and fines'
+                ], 'app.delete(\'/api/users/:id\', async (req, res) => {\n  await db.query(\'DELETE FROM users WHERE id = ?\', [userId]);\n  res.json({ success: true });\n});', 'app.delete(\'/api/users/:id\', async (req, res) => {\n  const adminId = req.user.id;\n  await db.query(\'DELETE FROM users WHERE id = ?\', [userId]);\n  \n  // Audit logging\n  logger.audit({\n    action: \'DELETE_USER\',\n    adminId,\n    targetUserId: userId,\n    timestamp: new Date(),\n    ip: req.ip\n  });\n  \n  res.json({ success: true });\n});', 'Always log critical security events: user deletion, permission changes, data modification, authentication failures, access to sensitive data. Include: who (userId/adminId), what (action), when (timestamp), where (IP address). Store logs securely with tamper-proof mechanisms.'));
+            }
+        }
+        // OWASP A09:2025 - Security Logging and Monitoring Failures
+        // Check #93: Sensitive Data in Logs - HIGH
+        // Pattern: console.log / logger.info with password, token, ssn, credit card
+        // Detects logging of sensitive information that should never be logged
+        // Look for logging statements
+        const loggingPattern = /(console\.(log|info|debug|warn|error)|logger\.(info|debug|warn|error)|log\.(info|debug))\s*\(/i;
+        if (trimmed.match(loggingPattern)) {
+            // Check if the logged content contains sensitive data keywords
+            const sensitiveDataPattern = /(password|pwd|passwd|token|secret|apikey|api_key|ssn|social_security|credit_card|creditcard|cvv|pin\b)/i;
+            // Extract the logged content (between parentheses)
+            const logContentMatch = trimmed.match(/\((.*)\)/);
+            if (logContentMatch) {
+                const logContent = logContentMatch[1];
+                // Check if sensitive keywords are in the logged content
+                if (logContent.match(sensitiveDataPattern)) {
+                    // Additional check: make sure it's not just a string label
+                    // Allow: console.log('Password validation failed')
+                    // Block: console.log('Password:', password)
+                    const hasVariable = logContent.includes(',') || logContent.includes('+') || logContent.includes('$');
+                    if (hasVariable) {
+                        vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('sensitive-data-in-logs', 'Sensitive data (password, token, PII) logged - exposes credentials and violates privacy regulations', 'Remove sensitive data from logs or use redaction: logger.info({ userId: user.id }) // Don\'t log password/token', lineNumber, 'Logging sensitive data like passwords, tokens, SSNs, or credit cards exposes this information to anyone with access to log files. Logs are often stored insecurely, backed up to multiple locations, and accessible to many team members. This violates GDPR, PCI-DSS, and HIPAA regulations.', 'logger.info({ password, ssn }) → Logs stored in CloudWatch → Junior developer has read access → Extracts credentials → Account takeover', [
+                            'Credential exposure to all log viewers',
+                            'Privacy violations (GDPR, CCPA)',
+                            'PCI-DSS violation (never log credit cards)',
+                            'Insider threat amplification',
+                            'Logs backed up to insecure locations',
+                            'Credentials in log aggregation systems',
+                            'Cannot delete/redact logs after exposure'
+                        ], 'console.log(\'User login:\', { username, email, password, token });', '// ONLY log non-sensitive identifiers\nconsole.log(\'User login:\', { userId: user.id, timestamp: new Date() });\n// Password and token should NEVER be logged', 'NEVER log: passwords, tokens, API keys, SSNs, credit cards, CVVs, PINs, auth cookies, private keys. Only log: userIds, timestamps, IP addresses, action types. Use structured logging with automatic redaction for sensitive fields.'));
+                    }
+                }
+            }
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=logging-failures.js.map

package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logging-failures.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/logging-failures.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;AAeH,oDA4IC;AAxJD,sEAAqF;AAErF;;;;;;;;;GASG;AACH,SAAgB,oBAAoB,CAClC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,8CAA8C;QAC9C,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO;QAElG,4DAA4D;QAC5D,oEAAoE;QACpE,2EAA2E;QAC3E,6DAA6D;QAE7D,wCAAwC;QACxC,MAAM,iBAAiB,GAAG,+JAA+J,CAAC;QAE1L,IAAI,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACrC,4CAA4C;YAC5C,MAAM,gBAAgB,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YAEhG,wEAAwE;YACxE,MAAM,WAAW,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAC5C,MAAM,WAAW,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC7B,0CAA0C;gBAC1C,IAAI,CAAC,WAAW,IAAI,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;oBAChH,OAAO,KAAK,CAAC;gBACf,CAAC;gBACD,sFAAsF;gBACtF,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBACnD,MAAM,SAAS,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;gBACzC,OAAO,CACL,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;oBAC5F,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAC5H;oBACD,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;oBAC9B,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YACpC,CAAC,CAAC,CAAC;YAEH,0EAA0E;YAC1E,MAAM,cAAc,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAC/C,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO,CACL,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC;oBAC3B,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBAC5B,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBAC5B,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBAC5B,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,CACjC,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,WAAW,IAAI,cAAc,EAAE,CAAC;gBACnC,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,uBAAuB,EACvB,4FAA4F,EAC5F,gGAAgG,EAChG,UAAU,EACV,0RAA0R,EAC1R,wHAAwH,EACxH;oBACE,0CAA0C;oBAC1C,+BAA+B;oBAC/B,2DAA2D;oBAC3D,6CAA6C;oBAC7C,6CAA6C;oBAC7C,wBAAwB;oBACxB,gCAAgC;iBACjC,EACD,4JAA4J,EAC5J,oWAAoW,EACpW,qRAAqR,CACtR,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,4DAA4D;QAC5D,2CAA2C;QAC3C,4EAA4E;QAC5E,uEAAuE;QAEvE,8BAA8B;QAC9B,MAAM,cAAc,GAAG,gGAAgG,CAAC;QAExH,IAAI,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;YAClC,+DAA+D;YAC/D,MAAM,oBAAoB,GAAG,yGAAyG,CAAC;YAEvI,mDAAmD;YACnD,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YAClD,IAAI,eAAe,EAAE,CAAC;gBACpB,MAAM,UAAU,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;gBAEtC,wDAAwD;gBACxD,IAAI,UAAU,CAAC,KAAK,CAAC,oBAAoB,CAAC,EAAE,CAAC;oBAC3C,2DAA2D;oBAC3D,mDAAmD;oBACnD,4CAA4C;oBAC5C,MAAM,WAAW,GAAG,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;oBAErG,IAAI,WAAW,EAAE,CAAC;wBAChB,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,wBAAwB,EACxB,qGAAqG,EACrG,iHAAiH,EACjH,UAAU,EACV,+RAA+R,EAC/R,yIAAyI,EACzI;4BACE,wCAAwC;4BACxC,iCAAiC;4BACjC,4CAA4C;4BAC5C,8BAA8B;4BAC9B,sCAAsC;4BACtC,wCAAwC;4BACxC,0CAA0C;yBAC3C,EACD,qEAAqE,EACrE,gKAAgK,EAChK,sOAAsO,CACvO,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts

@@ -0,0 +1,27 @@
+/**
+ * TypeScript Security Misconfiguration Checks
+ * OWASP A02:2025 - Security Misconfiguration
+ *
+ * Detects security misconfigurations that moved from #5 to #2 in OWASP 2025.
+ * Focus: TypeScript compiler configs, strict mode, type safety, etc.
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Checks for security misconfiguration vulnerabilities in TypeScript code
+ *
+ * Covers:
+ * - Check #1: TypeScript strict mode disabled (MEDIUM)
+ * - Check #2: Any type usage bypassing type safety (MEDIUM)
+ * - Check #3: TSX without React imports (HIGH)
+ * - Check #4: Unsafe type assertions (MEDIUM)
+ * - Check #5: Missing null checks with strict nulls disabled (MEDIUM)
+ * - Check #6: Console.log in production builds (LOW)
+ * - Check #7: Development-only code in production (MEDIUM)
+ * - Check #8: Unsafe JSON parsing without validation (HIGH)
+ * - Check #10: Missing or misconfigured Helmet middleware (HIGH) - Phase B
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+export declare function checkSecurityMisconfiguration(lines: string[]): SecurityVulnerability[];
+//# sourceMappingURL=security-misconfiguration.d.ts.map

package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-misconfiguration.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/security-misconfiguration.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,6BAA6B,CAC3C,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CAsWzB"}

package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js

@@ -0,0 +1,213 @@
+"use strict";
+/**
+ * TypeScript Security Misconfiguration Checks
+ * OWASP A02:2025 - Security Misconfiguration
+ *
+ * Detects security misconfigurations that moved from #5 to #2 in OWASP 2025.
+ * Focus: TypeScript compiler configs, strict mode, type safety, etc.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkSecurityMisconfiguration = checkSecurityMisconfiguration;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for security misconfiguration vulnerabilities in TypeScript code
+ *
+ * Covers:
+ * - Check #1: TypeScript strict mode disabled (MEDIUM)
+ * - Check #2: Any type usage bypassing type safety (MEDIUM)
+ * - Check #3: TSX without React imports (HIGH)
+ * - Check #4: Unsafe type assertions (MEDIUM)
+ * - Check #5: Missing null checks with strict nulls disabled (MEDIUM)
+ * - Check #6: Console.log in production builds (LOW)
+ * - Check #7: Development-only code in production (MEDIUM)
+ * - Check #8: Unsafe JSON parsing without validation (HIGH)
+ * - Check #10: Missing or misconfigured Helmet middleware (HIGH) - Phase B
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+function checkSecurityMisconfiguration(lines) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    let hasCsrfMiddleware = false; // Track if csurf middleware is used
+    lines.forEach((line, index) => {
+        const trimmedLine = line.trim();
+        // CRITICAL: Track multi-line comment blocks (/* ... */)
+        if (trimmedLine.includes('/*')) {
+            inMultiLineComment = true;
+        }
+        if (trimmedLine.includes('*/')) {
+            inMultiLineComment = false;
+            return; // Skip the line with */
+        }
+        // CRITICAL: Skip all lines inside multi-line comments and single-line comments
+        if (!trimmedLine ||
+            inMultiLineComment ||
+            trimmedLine.startsWith('//') ||
+            trimmedLine.startsWith('*')) {
+            return;
+        }
+        const lowerLine = trimmedLine.toLowerCase();
+        // Check #1: TypeScript strict mode disabled
+        if (lowerLine.includes('"strict"') && lowerLine.includes('false')) {
+            vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('strict-mode-disabled', 'TypeScript strict mode disabled reduces type safety', 'Enable strict mode in tsconfig.json for better type safety', index + 1, 'Loose type checking can lead to runtime errors and unexpected behavior', 'tsconfig.json with "strict": false allows unsafe operations', [
+                'Runtime type errors and crashes',
+                'Null pointer exceptions',
+                'Implicit type coercion vulnerabilities',
+                'Reduced code reliability and security'
+            ], '"strict": false', '"strict": true', 'Disabled strict mode allows unsafe operations and reduces type checking effectiveness'));
+        }
+        // Check #2: Excessive any type usage bypassing type safety
+        if (lowerLine.includes(': any') || lowerLine.includes(' any[]') ||
+            lowerLine.includes('as any') || lowerLine.includes('<any>')) {
+            vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('any-type-usage', 'Using "any" type bypasses TypeScript type safety', 'Use specific types or unknown instead of any for better type safety', index + 1, 'Type safety bypass can lead to unexpected data structures and security vulnerabilities', 'const userData: any = untrustedInput; // bypasses all type checking', [
+                'Injection attacks through unexpected data types',
+                'Property access errors and crashes',
+                'Data validation bypass',
+                'Security control circumvention'
+            ], 'const userData: any = response.data;', 'const userData: UserData = response.data; // or unknown if type is unclear', 'The any type disables type checking and can lead to runtime errors'));
+        }
+        // Check #3: TSX without proper React imports
+        // ENHANCED: Exclude template literals, string literals, and Express response methods
+        const isTemplateOrStringLiteral = trimmedLine.includes('`') ||
+            trimmedLine.match(/['"]\s*<[^>]+>\s*['"]/) ||
+            trimmedLine.match(/(res|response)\.(send|write)/);
+        if ((trimmedLine.includes('<') && trimmedLine.includes('>') &&
+            !lowerLine.includes('import') && !lowerLine.includes('require')) &&
+            !isTemplateOrStringLiteral &&
+            !lines.slice(0, index + 1).some(prevLine => prevLine.toLowerCase().includes('import') && prevLine.toLowerCase().includes('react'))) {
+            vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('tsx-missing-import', 'TSX elements used without proper React imports', 'Import React properly when using TSX elements', index + 1, 'Misconfigured TSX can lead to XSS vulnerabilities and runtime errors', 'const element = <div dangerouslySetInnerHTML={{__html: userInput}} />;', [
+                'Cross-site scripting (XSS) vulnerabilities',
+                'Runtime errors and application crashes',
+                'Improper content rendering',
+                'Component state corruption'
+            ], 'const element = <div>Hello</div>;', 'import React from "react";\nconst element = <div>Hello</div>;', 'TSX without React imports can cause runtime errors and unexpected behavior'));
+        }
+        // Check #4: Unsafe type assertions
+        if (lowerLine.includes(' as ') &&
+            (lowerLine.includes('as string') || lowerLine.includes('as number') ||
+                lowerLine.includes('as object'))) {
+            vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('unsafe-type-assertion', 'Unsafe type assertion without runtime validation', 'Add runtime type validation before type assertions', index + 1, 'Unsafe type assertions can cause runtime errors with malicious or unexpected data', 'const value = (untrustedInput as string).toUpperCase(); // crashes if not string', [
+                'Runtime type errors and crashes',
+                'Injection attacks through type confusion',
+                'Unexpected method calls on wrong types',
+                'Data corruption and security bypass'
+            ], 'const value = (userData.field as string).toUpperCase();', 'const field = userData.field;\nif (typeof field === "string") {\n  const value = field.toUpperCase();\n}', 'Type assertions without validation can cause runtime errors with untrusted data'));
+        }
+        // Check #5: Missing null checks with potentially unsafe operations
+        if ((lowerLine.includes('.') &&
+            (lowerLine.includes('length') || lowerLine.includes('push') || lowerLine.includes('pop'))) &&
+            !lowerLine.includes('if') && !lowerLine.includes('&&') && !lowerLine.includes('?.')) {
+            vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('missing-null-checks', 'Potentially unsafe operation without null checks', 'Use optional chaining (?.) or null checks before property access', index + 1, 'Null pointer access can cause application crashes and denial of service', 'const length = possiblyNullArray.length; // crashes if null', [
+                'Application crashes and downtime',
+                'Null pointer exceptions',
+                'Service unavailability',
+                'User experience degradation'
+            ], 'const length = array.length;', 'const length = array?.length || 0;', 'Accessing properties without null checks can cause runtime errors'));
+        }
+        // Check #6: Console.log in production builds - REMOVED (Duplicate)
+        // This check is already handled by code-quality.ts Check #17
+        // Removing to fix duplicate detection issue (lines 27, 84 reported twice)
+        // Check #7: Development-only code in production
+        if (lowerLine.includes('process.env.node_env') && lowerLine.includes('development')) {
+            vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('development-code', 'Development environment checks may indicate debugging code', 'Ensure development-only code is properly excluded from production builds', index + 1, 'Development code in production can expose debugging information and security flaws', 'if (process.env.NODE_ENV === "development") { console.log(secrets); }', [
+                'Debugging information exposure',
+                'Performance degradation',
+                'Security feature bypass',
+                'Sensitive data logging'
+            ], 'if (process.env.NODE_ENV === "development") {\n  console.log(sensitiveData);\n}', '// Development code should be removed or properly configured for production', 'Development code should be excluded from production to avoid security risks'));
+        }
+        // Check #8: Unsafe JSON parsing without validation
+        if (lowerLine.includes('json.parse') && !lowerLine.includes('try') &&
+            !lines.slice(Math.max(0, index - 2), index + 3).some(nearLine => nearLine.toLowerCase().includes('try') || nearLine.toLowerCase().includes('catch'))) {
+            vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('unsafe-json-parse', 'Unsafe JSON parsing without error handling or validation', 'Wrap JSON.parse in try-catch and validate the parsed data structure', index + 1, 'Malformed JSON can cause crashes and enable prototype pollution attacks', 'const data = JSON.parse(untrustedInput); // can crash or pollute prototype', [
+                'Application crashes from malformed JSON',
+                'Prototype pollution attacks',
+                'Denial of service through parsing errors',
+                'Injection attacks through unvalidated data'
+            ], 'const data = JSON.parse(userInput);', 'try {\n  const data = JSON.parse(userInput);\n  // Validate data structure here\n} catch (error) {\n  // Handle parsing errors\n}', 'Unhandled JSON parsing can cause crashes and enable injection attacks'));
+        }
+        // =============================================================================
+        // PHASE B - Enhanced Helmet Configuration Detection (Dec 20, 2025)
+        // =============================================================================
+        // 10. Missing or misconfigured Helmet middleware - HIGH
+        // Pattern: helmet() with disabled security features or missing entirely
+        // Detect helmet() with disabled features
+        if (trimmedLine.includes('helmet(') && trimmedLine.includes('{')) {
+            // Check for disabled CSP
+            if (trimmedLine.includes('contentSecurityPolicy') && trimmedLine.includes('false')) {
+                vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('helmet-misconfiguration', 'Helmet CSP (Content Security Policy) disabled - leaves app vulnerable to XSS', 'Enable CSP with strict directives', index + 1, 'Content Security Policy is one of the most important security headers. Disabling it removes a critical defense against XSS attacks, allowing attackers to inject malicious scripts.', 'app.use(helmet({ contentSecurityPolicy: false })); // Attack: XSS payloads execute freely', [
+                    'Cross-Site Scripting (XSS) attacks',
+                    'Data theft via malicious scripts',
+                    'Session hijacking',
+                    'Phishing attacks',
+                    'Malware distribution'
+                ], 'app.use(helmet({ contentSecurityPolicy: false }));', 'app.use(helmet({\n  contentSecurityPolicy: {\n    directives: {\n      defaultSrc: ["\'self\'"],\n      scriptSrc: ["\'self\'"],\n      styleSrc: ["\'self\'"]\n    }\n  }\n}));', 'Always enable CSP with strict directives. Never set contentSecurityPolicy: false in production.'));
+            }
+            // Check for disabled HSTS
+            if (trimmedLine.includes('hsts') && trimmedLine.includes('false')) {
+                vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('helmet-misconfiguration', 'Helmet HSTS (Strict-Transport-Security) disabled - allows downgrade attacks', 'Enable HSTS with maxAge >= 31536000', index + 1, 'HTTP Strict Transport Security forces browsers to use HTTPS. Disabling it allows man-in-the-middle attacks to downgrade connections to unencrypted HTTP.', 'app.use(helmet({ hsts: false })); // Attack: MITM downgrades HTTPS to HTTP', [
+                    'Man-in-the-middle attacks',
+                    'SSL stripping attacks',
+                    'Session hijacking',
+                    'Credential theft',
+                    'Traffic eavesdropping'
+                ], 'app.use(helmet({ hsts: false }));', 'app.use(helmet({\n  hsts: {\n    maxAge: 31536000,\n    includeSubDomains: true,\n    preload: true\n  }\n}));', 'Always enable HSTS with maxAge of at least 1 year (31536000 seconds). Include subdomains and consider preload.'));
+            }
+            // Check for unsafe CSP directives
+            if ((trimmedLine.includes('unsafe-inline') || trimmedLine.includes('unsafe-eval') ||
+                (trimmedLine.includes('defaultSrc') && trimmedLine.includes('*'))) &&
+                trimmedLine.includes('contentSecurityPolicy')) {
+                vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('helmet-misconfiguration', 'Helmet CSP with unsafe directives (unsafe-inline, unsafe-eval, or *)', 'Remove unsafe-inline, unsafe-eval, and * from CSP directives', index + 1, 'Using unsafe-inline, unsafe-eval, or wildcard (*) in Content Security Policy defeats its purpose by allowing execution of inline scripts and eval(), which are primary XSS attack vectors.', 'helmet({ contentSecurityPolicy: { directives: { scriptSrc: ["\'unsafe-inline\'"] } } })', [
+                    'XSS attacks despite CSP being enabled',
+                    'Inline script execution',
+                    'eval() code execution',
+                    'Loading scripts from any origin (*)'
+                ], 'app.use(helmet({\n  contentSecurityPolicy: {\n    directives: { scriptSrc: ["\'unsafe-inline\'", "*"] }\n  }\n}));', 'app.use(helmet({\n  contentSecurityPolicy: {\n    directives: {\n      defaultSrc: ["\'self\'"],\n      scriptSrc: ["\'self\'"],\n      styleSrc: ["\'self\'"]\n    }\n  }\n}));', 'Never use unsafe-inline, unsafe-eval, or * in CSP directives. Use nonces or hashes for inline scripts if needed.'));
+            }
+        }
+        // =============================================================================
+        // PHASE B - Missing CSRF Protection Detection (Dec 20, 2025)
+        // =============================================================================
+        // Track CSRF middleware usage
+        if (trimmedLine.includes('csurf') || trimmedLine.includes('csrf')) {
+            hasCsrfMiddleware = true;
+        }
+        // 11. Missing CSRF Protection on state-changing routes - HIGH
+        // Pattern: POST/PUT/DELETE/PATCH routes without CSRF middleware
+        const stateChangingRoute = trimmedLine.match(/\.(post|put|delete|patch)\s*\(/);
+        if (stateChangingRoute && !hasCsrfMiddleware) {
+            const method = stateChangingRoute[1].toUpperCase();
+            // Check if route handles sensitive operations
+            const isSensitiveRoute = trimmedLine.includes('/login') ||
+                trimmedLine.includes('/signup') ||
+                trimmedLine.includes('/register') ||
+                trimmedLine.includes('/transfer') ||
+                trimmedLine.includes('/payment') ||
+                trimmedLine.includes('/delete') ||
+                trimmedLine.includes('/update') ||
+                trimmedLine.includes('/create');
+            if (isSensitiveRoute) {
+                vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('missing-csrf-protection', `Missing CSRF protection on ${method} route - vulnerable to cross-site request forgery`, 'Add CSRF middleware (csurf) to protect state-changing routes', index + 1, 'Cross-Site Request Forgery (CSRF) allows attackers to trick authenticated users into executing unwanted actions. Without CSRF tokens, an attacker can forge requests using the victim\'s session cookies.', 'app.post(\'/transfer\', (req, res) => { transferMoney(req.body.amount, req.body.to); }); // Attack: Victim clicks malicious link, money transferred', [
+                    'Unauthorized state changes (money transfer, password change)',
+                    'Account takeover via forced actions',
+                    'Data manipulation and deletion',
+                    'Privilege escalation attacks'
+                ], `app.${stateChangingRoute[1]}(...)`, 'import csrf from \'csurf\';\nconst csrfProtection = csrf({ cookie: true });\napp.use(csrfProtection);\n' + `app.${stateChangingRoute[1]}(..., csrfProtection, handler);`, 'Always use CSRF protection for state-changing routes (POST, PUT, DELETE, PATCH) that use cookie-based authentication'));
+            }
+        }
+        // 12. Cookie session without SameSite attribute - HIGH
+        // Pattern: session cookies without SameSite protection
+        if ((trimmedLine.includes('session(') || trimmedLine.includes('cookie(')) &&
+            trimmedLine.includes('{') &&
+            !trimmedLine.includes('sameSite')) {
+            vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('missing-samesite-cookie', 'Session cookie without SameSite attribute - vulnerable to CSRF', 'Set SameSite attribute to \'Strict\' or \'Lax\' for session cookies', index + 1, 'Without the SameSite cookie attribute, browsers send cookies with cross-origin requests, enabling CSRF attacks. The SameSite attribute prevents browsers from sending cookies with cross-site requests.', 'app.use(session({ secret: \'key\', cookie: { httpOnly: true } })); // Missing SameSite', [
+                'Cross-Site Request Forgery (CSRF) attacks',
+                'Session hijacking via cross-origin requests',
+                'Unauthorized actions on behalf of authenticated users'
+            ], 'cookie: { httpOnly: true }', 'cookie: { httpOnly: true, sameSite: \'Strict\', secure: true }', 'Always set SameSite attribute for session cookies. Use \'Strict\' for maximum protection or \'Lax\' for better compatibility'));
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=security-misconfiguration.js.map

package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-misconfiguration.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/security-misconfiguration.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAsBH,sEAwWC;AA3XD,sEAAqF;AAErF;;;;;;;;;;;;;;;;GAgBG;AACH,SAAgB,6BAA6B,CAC3C,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAC/B,IAAI,iBAAiB,GAAG,KAAK,CAAC,CAAC,oCAAoC;IAEnE,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEhC,wDAAwD;QACxD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO,CAAC,wBAAwB;QAClC,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,WAAW;YACZ,kBAAkB;YAClB,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC;YAC5B,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;QAE5C,4CAA4C;QAC5C,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAClE,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,sBAAsB,EACtB,qDAAqD,EACrD,4DAA4D,EAC5D,KAAK,GAAG,CAAC,EACT,wEAAwE,EACxE,6DAA6D,EAC7D;gBACE,iCAAiC;gBACjC,yBAAyB;gBACzB,wCAAwC;gBACxC,uCAAuC;aACxC,EACD,iBAAiB,EACjB,gBAAgB,EAChB,uFAAuF,CACxF,CACF,CAAC;QACJ,CAAC;QAED,2DAA2D;QAC3D,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC3D,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAChE,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,gBAAgB,EAChB,kDAAkD,EAClD,qEAAqE,EACrE,KAAK,GAAG,CAAC,EACT,wFAAwF,EACxF,qEAAqE,EACrE;gBACE,iDAAiD;gBACjD,oCAAoC;gBACpC,wBAAwB;gBACxB,gCAAgC;aACjC,EACD,sCAAsC,EACtC,4EAA4E,EAC5E,oEAAoE,CACrE,CACF,CAAC;QACJ,CAAC;QAED,6CAA6C;QAC7C,qFAAqF;QACrF,MAAM,yBAAyB,GAAG,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;YACxB,WAAW,CAAC,KAAK,CAAC,uBAAuB,CAAC;YAC1C,WAAW,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAErF,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;YACtD,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YACjE,CAAC,yBAAyB;YAC1B,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CACzC,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YAC7F,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,oBAAoB,EACpB,gDAAgD,EAChD,+CAA+C,EAC/C,KAAK,GAAG,CAAC,EACT,sEAAsE,EACtE,wEAAwE,EACxE;gBACE,4CAA4C;gBAC5C,wCAAwC;gBACxC,4BAA4B;gBAC5B,4BAA4B;aAC7B,EACD,mCAAmC,EACnC,+DAA+D,EAC/D,4EAA4E,CAC7E,CACF,CAAC;QACJ,CAAC;QAED,mCAAmC;QACnC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;YAC1B,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAClE,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;YACtC,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,uBAAuB,EACvB,kDAAkD,EAClD,oDAAoD,EACpD,KAAK,GAAG,CAAC,EACT,mFAAmF,EACnF,kFAAkF,EAClF;gBACE,iCAAiC;gBACjC,0CAA0C;gBAC1C,wCAAwC;gBACxC,qCAAqC;aACtC,EACD,yDAAyD,EACzD,0GAA0G,EAC1G,iFAAiF,CAClF,CACF,CAAC;QACJ,CAAC;QAED,mEAAmE;QACnE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC;YACvB,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;YAC3F,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACxF,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,qBAAqB,EACrB,kDAAkD,EAClD,kEAAkE,EAClE,KAAK,GAAG,CAAC,EACT,yEAAyE,EACzE,6DAA6D,EAC7D;gBACE,kCAAkC;gBAClC,yBAAyB;gBACzB,wBAAwB;gBACxB,6BAA6B;aAC9B,EACD,8BAA8B,EAC9B,oCAAoC,EACpC,mEAAmE,CACpE,CACF,CAAC;QACJ,CAAC;QAED,mEAAmE;QACnE,6DAA6D;QAC7D,0EAA0E;QAE1E,gDAAgD;QAChD,IAAI,SAAS,CAAC,QAAQ,CAAC,sBAAsB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YACpF,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,kBAAkB,EAClB,4DAA4D,EAC5D,0EAA0E,EAC1E,KAAK,GAAG,CAAC,EACT,oFAAoF,EACpF,uEAAuE,EACvE;gBACE,gCAAgC;gBAChC,yBAAyB;gBACzB,yBAAyB;gBACzB,wBAAwB;aACzB,EACD,iFAAiF,EACjF,6EAA6E,EAC7E,6EAA6E,CAC9E,CACF,CAAC;QACJ,CAAC;QAED,mDAAmD;QACnD,IAAI,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;YAC9D,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAC9D,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YAC1F,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,mBAAmB,EACnB,0DAA0D,EAC1D,qEAAqE,EACrE,KAAK,GAAG,CAAC,EACT,yEAAyE,EACzE,4EAA4E,EAC5E;gBACE,yCAAyC;gBACzC,6BAA6B;gBAC7B,0CAA0C;gBAC1C,4CAA4C;aAC7C,EACD,qCAAqC,EACrC,mIAAmI,EACnI,uEAAuE,CACxE,CACF,CAAC;QACJ,CAAC;QAED,gFAAgF;QAChF,mEAAmE;QACnE,gFAAgF;QAEhF,wDAAwD;QACxD,wEAAwE;QAExE,yCAAyC;QACzC,IAAI,WAAW,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACjE,yBAAyB;YACzB,IAAI,WAAW,CAAC,QAAQ,CAAC,uBAAuB,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBACnF,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,yBAAyB,EACzB,8EAA8E,EAC9E,mCAAmC,EACnC,KAAK,GAAG,CAAC,EACT,qLAAqL,EACrL,2FAA2F,EAC3F;oBACE,oCAAoC;oBACpC,kCAAkC;oBAClC,mBAAmB;oBACnB,kBAAkB;oBAClB,sBAAsB;iBACvB,EACD,oDAAoD,EACpD,kLAAkL,EAClL,iGAAiG,CAClG,CAAC,CAAC;YACL,CAAC;YAED,0BAA0B;YAC1B,IAAI,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClE,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,yBAAyB,EACzB,6EAA6E,EAC7E,qCAAqC,EACrC,KAAK,GAAG,CAAC,EACT,0JAA0J,EAC1J,4EAA4E,EAC5E;oBACE,2BAA2B;oBAC3B,uBAAuB;oBACvB,mBAAmB;oBACnB,kBAAkB;oBAClB,uBAAuB;iBACxB,EACD,mCAAmC,EACnC,gHAAgH,EAChH,gHAAgH,CACjH,CAAC,CAAC;YACL,CAAC;YAED,kCAAkC;YAClC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,aAAa,CAAC;gBAC5E,CAAC,WAAW,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;gBACnE,WAAW,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,CAAC;gBAClD,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,yBAAyB,EACzB,sEAAsE,EACtE,8DAA8D,EAC9D,KAAK,GAAG,CAAC,EACT,4LAA4L,EAC5L,yFAAyF,EACzF;oBACE,uCAAuC;oBACvC,yBAAyB;oBACzB,uBAAuB;oBACvB,qCAAqC;iBACtC,EACD,oHAAoH,EACpH,kLAAkL,EAClL,kHAAkH,CACnH,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,gFAAgF;QAChF,6DAA6D;QAC7D,gFAAgF;QAEhF,8BAA8B;QAC9B,IAAI,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAClE,iBAAiB,GAAG,IAAI,CAAC;QAC3B,CAAC;QAED,8DAA8D;QAC9D,gEAAgE;QAChE,MAAM,kBAAkB,GAAG,WAAW,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;QAC/E,IAAI,kBAAkB,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC7C,MAAM,MAAM,GAAG,kBAAkB,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;YAEnD,8CAA8C;YAC9C,MAAM,gBAAgB,GACpB,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAC9B,WAAW,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAC/B,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC;gBACjC,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC;gBACjC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAChC,WAAW,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAC/B,WAAW,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAC/B,WAAW,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YAElC,IAAI,gBAAgB,EAAE,CAAC;gBACrB,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,yBAAyB,EACzB,8BAA8B,MAAM,mDAAmD,EACvF,8DAA8D,EAC9D,KAAK,GAAG,CAAC,EACT,2MAA2M,EAC3M,qJAAqJ,EACrJ;oBACE,8DAA8D;oBAC9D,qCAAqC;oBACrC,gCAAgC;oBAChC,8BAA8B;iBAC/B,EACD,OAAO,kBAAkB,CAAC,CAAC,CAAC,OAAO,EACnC,yGAAyG,GAAG,OAAO,kBAAkB,CAAC,CAAC,CAAC,iCAAiC,EACzK,sHAAsH,CACvH,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,uDAAuD;QACvD,uDAAuD;QACvD,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YACrE,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;YACzB,CAAC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YACtC,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,yBAAyB,EACzB,gEAAgE,EAChE,qEAAqE,EACrE,KAAK,GAAG,CAAC,EACT,yMAAyM,EACzM,wFAAwF,EACxF;gBACE,2CAA2C;gBAC3C,6CAA6C;gBAC7C,uDAAuD;aACxD,EACD,4BAA4B,EAC5B,gEAAgE,EAChE,8HAA8H,CAC/H,CAAC,CAAC;QACL,CAAC;IAEH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts

@@ -0,0 +1,19 @@
+/**
+ * TypeScript Type Security Checks
+ * TypeScript-specific security issues related to type assertions and type safety
+ *
+ * Detects dangerous type assertions and type safety bypasses in security-sensitive contexts.
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Checks for TypeScript-specific security vulnerabilities related to type safety
+ *
+ * Covers:
+ * - Check #19: Type assertion "as any" in sensitive contexts (HIGH)
+ * - Check #20: Non-null assertions (!) in security code (MEDIUM)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+export declare function checkTypeSecurity(lines: string[]): SecurityVulnerability[];
+//# sourceMappingURL=type-security.d.ts.map

package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"type-security.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/type-security.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAC/B,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CAgEzB"}

package/dist/src/lib/analyzers/typescript/security-checks/type-security.js

@@ -0,0 +1,59 @@
+"use strict";
+/**
+ * TypeScript Type Security Checks
+ * TypeScript-specific security issues related to type assertions and type safety
+ *
+ * Detects dangerous type assertions and type safety bypasses in security-sensitive contexts.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkTypeSecurity = checkTypeSecurity;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for TypeScript-specific security vulnerabilities related to type safety
+ *
+ * Covers:
+ * - Check #19: Type assertion "as any" in sensitive contexts (HIGH)
+ * - Check #20: Non-null assertions (!) in security code (MEDIUM)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+function checkTypeSecurity(lines) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    lines.forEach((line, index) => {
+        const lineNumber = index + 1;
+        const trimmed = line.trim();
+        // Track multi-line comment blocks (/* ... */)
+        if (trimmed.includes('/*')) {
+            inMultiLineComment = true;
+        }
+        if (trimmed.includes('*/')) {
+            inMultiLineComment = false;
+            return;
+        }
+        // Skip comments and empty lines
+        if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*'))
+            return;
+        // TypeScript-specific: 19. 'as any' in security-sensitive contexts - HIGH
+        if (trimmed.includes('as any') && (trimmed.includes('eval') || trimmed.includes('innerHTML'))) {
+            vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('type-assertion-security', 'Type assertion "as any" in sensitive context', 'Use specific types to maintain security', lineNumber, 'Using "as any" bypasses TypeScript\'s type checking, potentially allowing unsafe values to reach security-critical operations like eval() or innerHTML.', '(userInput as any).eval(); // Bypasses type safety, allows arbitrary code execution', [
+                'Type safety bypass',
+                'Runtime security vulnerabilities',
+                'Code injection risks',
+                'XSS vulnerabilities'
+            ], 'const unsafeCode = userInput as any;\neval(unsafeCode); // DANGEROUS: no type validation', 'const validatedCode: string = validateCode(userInput);\n// Don\'t use eval() at all, but if necessary, ensure proper validation', 'Avoid "as any" in security-sensitive contexts. Use proper type guards and validation instead of type assertions'));
+        }
+        // TypeScript-specific: 20. Non-null assertions in security contexts - MEDIUM
+        if (trimmed.includes('!') && trimmed.match(/password|token|secret|auth/i)) {
+            vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('non-null-assertion-security', 'Non-null assertion (!) in security code', 'Explicitly check for null/undefined', lineNumber, 'Non-null assertion operator (!) bypasses null checks in security-critical code, potentially causing authentication bypasses or crashes.', 'if (user.authToken!) { authenticate(); } // If authToken is null/undefined, it may still proceed incorrectly', [
+                'Authentication bypass',
+                'Authorization failures',
+                'Runtime crashes exposing sensitive errors',
+                'Security check bypass'
+            ], 'const token = getAuthToken()!; // Assumes token exists, crashes if null', 'const token = getAuthToken();\nif (!token) throw new Error("Missing auth token");\n// Now safely use token', 'Always explicitly check for null/undefined in security-critical code. Never use ! operator on authentication/authorization values'));
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=type-security.js.map

package/dist/src/lib/analyzers/typescript/security-checks/type-security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"type-security.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/type-security.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAeH,8CAkEC;AA9ED,sEAAqF;AAErF;;;;;;;;;GASG;AACH,SAAgB,iBAAiB,CAC/B,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,8CAA8C;QAC9C,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO;QAElG,0EAA0E;QAC1E,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;YAC9F,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,yBAAyB,EACzB,8CAA8C,EAC9C,yCAAyC,EACzC,UAAU,EACV,yJAAyJ,EACzJ,qFAAqF,EACrF;gBACE,oBAAoB;gBACpB,kCAAkC;gBAClC,sBAAsB;gBACtB,qBAAqB;aACtB,EACD,0FAA0F,EAC1F,iIAAiI,EACjI,iHAAiH,CAClH,CAAC,CAAC;QACL,CAAC;QAED,6EAA6E;QAC7E,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,EAAE,CAAC;YAC1E,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,6BAA6B,EAC7B,yCAAyC,EACzC,qCAAqC,EACrC,UAAU,EACV,yIAAyI,EACzI,8GAA8G,EAC9G;gBACE,uBAAuB;gBACvB,wBAAwB;gBACxB,2CAA2C;gBAC3C,uBAAuB;aACxB,EACD,yEAAyE,EACzE,4GAA4G,EAC5G,mIAAmI,CACpI,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/typescript/type-checker.d.ts

@@ -0,0 +1,17 @@
+import * as ts from 'typescript';
+import { SecurityIssue } from '../../types';
+export interface TypeCheckOptions {
+    strict: boolean;
+    strictNullChecks: boolean;
+    noImplicitAny: boolean;
+    strictFunctionTypes: boolean;
+    strictPropertyInitialization: boolean;
+}
+/**
+ * TypeScript Compiler API Integration
+ * Purpose: Detect actual TypeScript type errors (95%+ coverage)
+ * Created: 2025-12-02 to address critical detection gap (5% → 95%+)
+ */
+export declare function getTypeScriptDiagnostics(code: string, fileName?: string, options?: Partial<TypeCheckOptions>): ts.Diagnostic[];
+export declare function convertDiagnosticsToIssues(diagnostics: ts.Diagnostic[]): SecurityIssue[];
+//# sourceMappingURL=type-checker.d.ts.map

package/dist/src/lib/analyzers/typescript/type-checker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"type-checker.d.ts","sourceRoot":"","sources":["../../../../../../../src/lib/analyzers/typescript/type-checker.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,YAAY,CAAC;AACjC,OAAO,EAAE,aAAa,EAAoC,MAAM,aAAa,CAAC;AAE9E,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,OAAO,CAAC;IAChB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,aAAa,EAAE,OAAO,CAAC;IACvB,mBAAmB,EAAE,OAAO,CAAC;IAC7B,4BAA4B,EAAE,OAAO,CAAC;CACvC;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,CACtC,IAAI,EAAE,MAAM,EACZ,QAAQ,SAAY,EACpB,OAAO,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC,GAClC,EAAE,CAAC,UAAU,EAAE,CAgQjB;AA+CD,wBAAgB,0BAA0B,CACxC,WAAW,EAAE,EAAE,CAAC,UAAU,EAAE,GAC3B,aAAa,EAAE,CAuBjB"}