codeslick-cli 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (455) hide show
  1. package/README.md +458 -0
  2. package/__tests__/cli-reporter.test.ts +86 -0
  3. package/__tests__/config-loader.test.ts +247 -0
  4. package/__tests__/local-scanner.test.ts +245 -0
  5. package/bin/codeslick.cjs +153 -0
  6. package/dist/packages/cli/src/commands/auth.d.ts +36 -0
  7. package/dist/packages/cli/src/commands/auth.d.ts.map +1 -0
  8. package/dist/packages/cli/src/commands/auth.js +226 -0
  9. package/dist/packages/cli/src/commands/auth.js.map +1 -0
  10. package/dist/packages/cli/src/commands/config.d.ts +37 -0
  11. package/dist/packages/cli/src/commands/config.d.ts.map +1 -0
  12. package/dist/packages/cli/src/commands/config.js +196 -0
  13. package/dist/packages/cli/src/commands/config.js.map +1 -0
  14. package/dist/packages/cli/src/commands/init.d.ts +32 -0
  15. package/dist/packages/cli/src/commands/init.d.ts.map +1 -0
  16. package/dist/packages/cli/src/commands/init.js +171 -0
  17. package/dist/packages/cli/src/commands/init.js.map +1 -0
  18. package/dist/packages/cli/src/commands/scan.d.ts +40 -0
  19. package/dist/packages/cli/src/commands/scan.d.ts.map +1 -0
  20. package/dist/packages/cli/src/commands/scan.js +204 -0
  21. package/dist/packages/cli/src/commands/scan.js.map +1 -0
  22. package/dist/packages/cli/src/config/config-loader.d.ts +67 -0
  23. package/dist/packages/cli/src/config/config-loader.d.ts.map +1 -0
  24. package/dist/packages/cli/src/config/config-loader.js +146 -0
  25. package/dist/packages/cli/src/config/config-loader.js.map +1 -0
  26. package/dist/packages/cli/src/reporters/cli-reporter.d.ts +69 -0
  27. package/dist/packages/cli/src/reporters/cli-reporter.d.ts.map +1 -0
  28. package/dist/packages/cli/src/reporters/cli-reporter.js +244 -0
  29. package/dist/packages/cli/src/reporters/cli-reporter.js.map +1 -0
  30. package/dist/packages/cli/src/scanner/local-scanner.d.ts +92 -0
  31. package/dist/packages/cli/src/scanner/local-scanner.d.ts.map +1 -0
  32. package/dist/packages/cli/src/scanner/local-scanner.js +221 -0
  33. package/dist/packages/cli/src/scanner/local-scanner.js.map +1 -0
  34. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts +88 -0
  35. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts.map +1 -0
  36. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js +371 -0
  37. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js.map +1 -0
  38. package/dist/src/lib/analyzers/helpers/jsx-helpers.d.ts +63 -0
  39. package/dist/src/lib/analyzers/helpers/jsx-helpers.d.ts.map +1 -0
  40. package/dist/src/lib/analyzers/helpers/jsx-helpers.js +95 -0
  41. package/dist/src/lib/analyzers/helpers/jsx-helpers.js.map +1 -0
  42. package/dist/src/lib/analyzers/helpers/variable-tracker.d.ts +59 -0
  43. package/dist/src/lib/analyzers/helpers/variable-tracker.d.ts.map +1 -0
  44. package/dist/src/lib/analyzers/helpers/variable-tracker.js +231 -0
  45. package/dist/src/lib/analyzers/helpers/variable-tracker.js.map +1 -0
  46. package/dist/src/lib/analyzers/java/security-checks/access-control.d.ts +20 -0
  47. package/dist/src/lib/analyzers/java/security-checks/access-control.d.ts.map +1 -0
  48. package/dist/src/lib/analyzers/java/security-checks/access-control.js +129 -0
  49. package/dist/src/lib/analyzers/java/security-checks/access-control.js.map +1 -0
  50. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts +25 -0
  51. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts.map +1 -0
  52. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js +221 -0
  53. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js.map +1 -0
  54. package/dist/src/lib/analyzers/java/security-checks/code-quality.d.ts +18 -0
  55. package/dist/src/lib/analyzers/java/security-checks/code-quality.d.ts.map +1 -0
  56. package/dist/src/lib/analyzers/java/security-checks/code-quality.js +84 -0
  57. package/dist/src/lib/analyzers/java/security-checks/code-quality.js.map +1 -0
  58. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.d.ts +18 -0
  59. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.d.ts.map +1 -0
  60. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.js +161 -0
  61. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.js.map +1 -0
  62. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.d.ts +20 -0
  63. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.d.ts.map +1 -0
  64. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.js +163 -0
  65. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.js.map +1 -0
  66. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts +24 -0
  67. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  68. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js +178 -0
  69. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js.map +1 -0
  70. package/dist/src/lib/analyzers/java/security-checks/exception-handling.d.ts +25 -0
  71. package/dist/src/lib/analyzers/java/security-checks/exception-handling.d.ts.map +1 -0
  72. package/dist/src/lib/analyzers/java/security-checks/exception-handling.js +179 -0
  73. package/dist/src/lib/analyzers/java/security-checks/exception-handling.js.map +1 -0
  74. package/dist/src/lib/analyzers/java/security-checks/file-operations.d.ts +17 -0
  75. package/dist/src/lib/analyzers/java/security-checks/file-operations.d.ts.map +1 -0
  76. package/dist/src/lib/analyzers/java/security-checks/file-operations.js +67 -0
  77. package/dist/src/lib/analyzers/java/security-checks/file-operations.js.map +1 -0
  78. package/dist/src/lib/analyzers/java/security-checks/framework-security.d.ts +25 -0
  79. package/dist/src/lib/analyzers/java/security-checks/framework-security.d.ts.map +1 -0
  80. package/dist/src/lib/analyzers/java/security-checks/framework-security.js +396 -0
  81. package/dist/src/lib/analyzers/java/security-checks/framework-security.js.map +1 -0
  82. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.d.ts +20 -0
  83. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.d.ts.map +1 -0
  84. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.js +123 -0
  85. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.js.map +1 -0
  86. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts +23 -0
  87. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts.map +1 -0
  88. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js +201 -0
  89. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js.map +1 -0
  90. package/dist/src/lib/analyzers/java/security-checks/insecure-design.d.ts +20 -0
  91. package/dist/src/lib/analyzers/java/security-checks/insecure-design.d.ts.map +1 -0
  92. package/dist/src/lib/analyzers/java/security-checks/insecure-design.js +121 -0
  93. package/dist/src/lib/analyzers/java/security-checks/insecure-design.js.map +1 -0
  94. package/dist/src/lib/analyzers/java/security-checks/logging-failures.d.ts +20 -0
  95. package/dist/src/lib/analyzers/java/security-checks/logging-failures.d.ts.map +1 -0
  96. package/dist/src/lib/analyzers/java/security-checks/logging-failures.js +89 -0
  97. package/dist/src/lib/analyzers/java/security-checks/logging-failures.js.map +1 -0
  98. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.d.ts +26 -0
  99. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.d.ts.map +1 -0
  100. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.js +309 -0
  101. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.js.map +1 -0
  102. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.d.ts +18 -0
  103. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.d.ts.map +1 -0
  104. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.js +114 -0
  105. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.js.map +1 -0
  106. package/dist/src/lib/analyzers/java/utils/createVulnerability.d.ts +58 -0
  107. package/dist/src/lib/analyzers/java/utils/createVulnerability.d.ts.map +1 -0
  108. package/dist/src/lib/analyzers/java/utils/createVulnerability.js +71 -0
  109. package/dist/src/lib/analyzers/java/utils/createVulnerability.js.map +1 -0
  110. package/dist/src/lib/analyzers/java-analyzer.d.ts +209 -0
  111. package/dist/src/lib/analyzers/java-analyzer.d.ts.map +1 -0
  112. package/dist/src/lib/analyzers/java-analyzer.js +1720 -0
  113. package/dist/src/lib/analyzers/java-analyzer.js.map +1 -0
  114. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.d.ts +27 -0
  115. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.d.ts.map +1 -0
  116. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.js +123 -0
  117. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.js.map +1 -0
  118. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.d.ts +44 -0
  119. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.d.ts.map +1 -0
  120. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.js +224 -0
  121. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.js.map +1 -0
  122. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.d.ts +50 -0
  123. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.d.ts.map +1 -0
  124. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.js +284 -0
  125. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.js.map +1 -0
  126. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.d.ts +27 -0
  127. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.d.ts.map +1 -0
  128. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.js +86 -0
  129. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.js.map +1 -0
  130. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.d.ts +32 -0
  131. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.d.ts.map +1 -0
  132. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.js +44 -0
  133. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.js.map +1 -0
  134. package/dist/src/lib/analyzers/javascript/security-checks/access-control.d.ts +22 -0
  135. package/dist/src/lib/analyzers/javascript/security-checks/access-control.d.ts.map +1 -0
  136. package/dist/src/lib/analyzers/javascript/security-checks/access-control.js +168 -0
  137. package/dist/src/lib/analyzers/javascript/security-checks/access-control.js.map +1 -0
  138. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts +25 -0
  139. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts.map +1 -0
  140. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js +232 -0
  141. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js.map +1 -0
  142. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.d.ts +27 -0
  143. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.d.ts.map +1 -0
  144. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.js +222 -0
  145. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.js.map +1 -0
  146. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts +28 -0
  147. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts.map +1 -0
  148. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js +176 -0
  149. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js.map +1 -0
  150. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts +23 -0
  151. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  152. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js +113 -0
  153. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js.map +1 -0
  154. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts +28 -0
  155. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts.map +1 -0
  156. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.js +227 -0
  157. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.js.map +1 -0
  158. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.d.ts +32 -0
  159. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.d.ts.map +1 -0
  160. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.js +260 -0
  161. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.js.map +1 -0
  162. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.d.ts +26 -0
  163. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.d.ts.map +1 -0
  164. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.js +164 -0
  165. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.js.map +1 -0
  166. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.d.ts +26 -0
  167. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.d.ts.map +1 -0
  168. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.js +775 -0
  169. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.js.map +1 -0
  170. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.d.ts +25 -0
  171. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.d.ts.map +1 -0
  172. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.js +168 -0
  173. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.js.map +1 -0
  174. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.d.ts +27 -0
  175. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.d.ts.map +1 -0
  176. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.js +108 -0
  177. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.js.map +1 -0
  178. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.d.ts +28 -0
  179. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.d.ts.map +1 -0
  180. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.js +143 -0
  181. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.js.map +1 -0
  182. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.d.ts +53 -0
  183. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.d.ts.map +1 -0
  184. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.js +144 -0
  185. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.js.map +1 -0
  186. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.d.ts +72 -0
  187. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.d.ts.map +1 -0
  188. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.js +314 -0
  189. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.js.map +1 -0
  190. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.d.ts +58 -0
  191. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.d.ts.map +1 -0
  192. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.js +71 -0
  193. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.js.map +1 -0
  194. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.d.ts +36 -0
  195. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.d.ts.map +1 -0
  196. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.js +70 -0
  197. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.js.map +1 -0
  198. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.d.ts +29 -0
  199. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.d.ts.map +1 -0
  200. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.js +55 -0
  201. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.js.map +1 -0
  202. package/dist/src/lib/analyzers/javascript-analyzer.d.ts +95 -0
  203. package/dist/src/lib/analyzers/javascript-analyzer.d.ts.map +1 -0
  204. package/dist/src/lib/analyzers/javascript-analyzer.js +2141 -0
  205. package/dist/src/lib/analyzers/javascript-analyzer.js.map +1 -0
  206. package/dist/src/lib/analyzers/python/security-checks/access-control.d.ts +21 -0
  207. package/dist/src/lib/analyzers/python/security-checks/access-control.d.ts.map +1 -0
  208. package/dist/src/lib/analyzers/python/security-checks/access-control.js +305 -0
  209. package/dist/src/lib/analyzers/python/security-checks/access-control.js.map +1 -0
  210. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts +25 -0
  211. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts.map +1 -0
  212. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js +242 -0
  213. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js.map +1 -0
  214. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.d.ts +24 -0
  215. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.d.ts.map +1 -0
  216. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.js +207 -0
  217. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.js.map +1 -0
  218. package/dist/src/lib/analyzers/python/security-checks/code-quality.d.ts +27 -0
  219. package/dist/src/lib/analyzers/python/security-checks/code-quality.d.ts.map +1 -0
  220. package/dist/src/lib/analyzers/python/security-checks/code-quality.js +206 -0
  221. package/dist/src/lib/analyzers/python/security-checks/code-quality.js.map +1 -0
  222. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts +24 -0
  223. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts.map +1 -0
  224. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js +113 -0
  225. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js.map +1 -0
  226. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.d.ts +20 -0
  227. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.d.ts.map +1 -0
  228. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.js +129 -0
  229. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.js.map +1 -0
  230. package/dist/src/lib/analyzers/python/security-checks/data-integrity.d.ts +19 -0
  231. package/dist/src/lib/analyzers/python/security-checks/data-integrity.d.ts.map +1 -0
  232. package/dist/src/lib/analyzers/python/security-checks/data-integrity.js +90 -0
  233. package/dist/src/lib/analyzers/python/security-checks/data-integrity.js.map +1 -0
  234. package/dist/src/lib/analyzers/python/security-checks/deserialization.d.ts +20 -0
  235. package/dist/src/lib/analyzers/python/security-checks/deserialization.d.ts.map +1 -0
  236. package/dist/src/lib/analyzers/python/security-checks/deserialization.js +68 -0
  237. package/dist/src/lib/analyzers/python/security-checks/deserialization.js.map +1 -0
  238. package/dist/src/lib/analyzers/python/security-checks/django-security.d.ts +25 -0
  239. package/dist/src/lib/analyzers/python/security-checks/django-security.d.ts.map +1 -0
  240. package/dist/src/lib/analyzers/python/security-checks/django-security.js +180 -0
  241. package/dist/src/lib/analyzers/python/security-checks/django-security.js.map +1 -0
  242. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts +23 -0
  243. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  244. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js +127 -0
  245. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js.map +1 -0
  246. package/dist/src/lib/analyzers/python/security-checks/exception-handling.d.ts +23 -0
  247. package/dist/src/lib/analyzers/python/security-checks/exception-handling.d.ts.map +1 -0
  248. package/dist/src/lib/analyzers/python/security-checks/exception-handling.js +120 -0
  249. package/dist/src/lib/analyzers/python/security-checks/exception-handling.js.map +1 -0
  250. package/dist/src/lib/analyzers/python/security-checks/flask-security.d.ts +24 -0
  251. package/dist/src/lib/analyzers/python/security-checks/flask-security.d.ts.map +1 -0
  252. package/dist/src/lib/analyzers/python/security-checks/flask-security.js +143 -0
  253. package/dist/src/lib/analyzers/python/security-checks/flask-security.js.map +1 -0
  254. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts +28 -0
  255. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts.map +1 -0
  256. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js +174 -0
  257. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js.map +1 -0
  258. package/dist/src/lib/analyzers/python/security-checks/insecure-design.d.ts +20 -0
  259. package/dist/src/lib/analyzers/python/security-checks/insecure-design.d.ts.map +1 -0
  260. package/dist/src/lib/analyzers/python/security-checks/insecure-design.js +160 -0
  261. package/dist/src/lib/analyzers/python/security-checks/insecure-design.js.map +1 -0
  262. package/dist/src/lib/analyzers/python/security-checks/logging-failures.d.ts +20 -0
  263. package/dist/src/lib/analyzers/python/security-checks/logging-failures.d.ts.map +1 -0
  264. package/dist/src/lib/analyzers/python/security-checks/logging-failures.js +121 -0
  265. package/dist/src/lib/analyzers/python/security-checks/logging-failures.js.map +1 -0
  266. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.d.ts +26 -0
  267. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.d.ts.map +1 -0
  268. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.js +248 -0
  269. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.js.map +1 -0
  270. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.d.ts +26 -0
  271. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.d.ts.map +1 -0
  272. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.js +375 -0
  273. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.js.map +1 -0
  274. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.d.ts +26 -0
  275. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.d.ts.map +1 -0
  276. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.js +160 -0
  277. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.js.map +1 -0
  278. package/dist/src/lib/analyzers/python/security-checks/web-security.d.ts +23 -0
  279. package/dist/src/lib/analyzers/python/security-checks/web-security.d.ts.map +1 -0
  280. package/dist/src/lib/analyzers/python/security-checks/web-security.js +117 -0
  281. package/dist/src/lib/analyzers/python/security-checks/web-security.js.map +1 -0
  282. package/dist/src/lib/analyzers/python/utils/createVulnerability.d.ts +58 -0
  283. package/dist/src/lib/analyzers/python/utils/createVulnerability.d.ts.map +1 -0
  284. package/dist/src/lib/analyzers/python/utils/createVulnerability.js +71 -0
  285. package/dist/src/lib/analyzers/python/utils/createVulnerability.js.map +1 -0
  286. package/dist/src/lib/analyzers/python-analyzer.d.ts +111 -0
  287. package/dist/src/lib/analyzers/python-analyzer.d.ts.map +1 -0
  288. package/dist/src/lib/analyzers/python-analyzer.js +1600 -0
  289. package/dist/src/lib/analyzers/python-analyzer.js.map +1 -0
  290. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.d.ts +14 -0
  291. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.d.ts.map +1 -0
  292. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.js +47 -0
  293. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.js.map +1 -0
  294. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.d.ts +13 -0
  295. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.d.ts.map +1 -0
  296. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js +36 -0
  297. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js.map +1 -0
  298. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.d.ts +15 -0
  299. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.d.ts.map +1 -0
  300. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.js +68 -0
  301. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.js.map +1 -0
  302. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.d.ts +15 -0
  303. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.d.ts.map +1 -0
  304. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js +68 -0
  305. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js.map +1 -0
  306. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.d.ts +12 -0
  307. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.d.ts.map +1 -0
  308. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.js +45 -0
  309. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.js.map +1 -0
  310. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.d.ts +14 -0
  311. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.d.ts.map +1 -0
  312. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js +47 -0
  313. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js.map +1 -0
  314. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.d.ts +13 -0
  315. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.d.ts.map +1 -0
  316. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.js +36 -0
  317. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.js.map +1 -0
  318. package/dist/src/lib/analyzers/secrets/patterns/api-keys.d.ts +15 -0
  319. package/dist/src/lib/analyzers/secrets/patterns/api-keys.d.ts.map +1 -0
  320. package/dist/src/lib/analyzers/secrets/patterns/api-keys.js +32 -0
  321. package/dist/src/lib/analyzers/secrets/patterns/api-keys.js.map +1 -0
  322. package/dist/src/lib/analyzers/secrets/patterns/credentials.d.ts +15 -0
  323. package/dist/src/lib/analyzers/secrets/patterns/credentials.d.ts.map +1 -0
  324. package/dist/src/lib/analyzers/secrets/patterns/credentials.js +68 -0
  325. package/dist/src/lib/analyzers/secrets/patterns/credentials.js.map +1 -0
  326. package/dist/src/lib/analyzers/secrets/patterns/private-keys.d.ts +16 -0
  327. package/dist/src/lib/analyzers/secrets/patterns/private-keys.d.ts.map +1 -0
  328. package/dist/src/lib/analyzers/secrets/patterns/private-keys.js +79 -0
  329. package/dist/src/lib/analyzers/secrets/patterns/private-keys.js.map +1 -0
  330. package/dist/src/lib/analyzers/secrets/patterns/tokens.d.ts +15 -0
  331. package/dist/src/lib/analyzers/secrets/patterns/tokens.d.ts.map +1 -0
  332. package/dist/src/lib/analyzers/secrets/patterns/tokens.js +58 -0
  333. package/dist/src/lib/analyzers/secrets/patterns/tokens.js.map +1 -0
  334. package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts +88 -0
  335. package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts.map +1 -0
  336. package/dist/src/lib/analyzers/secrets/secrets-analyzer.js +162 -0
  337. package/dist/src/lib/analyzers/secrets/secrets-analyzer.js.map +1 -0
  338. package/dist/src/lib/analyzers/secrets/validators/context-checker.d.ts +56 -0
  339. package/dist/src/lib/analyzers/secrets/validators/context-checker.d.ts.map +1 -0
  340. package/dist/src/lib/analyzers/secrets/validators/context-checker.js +199 -0
  341. package/dist/src/lib/analyzers/secrets/validators/context-checker.js.map +1 -0
  342. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.d.ts +56 -0
  343. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.d.ts.map +1 -0
  344. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.js +102 -0
  345. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.js.map +1 -0
  346. package/dist/src/lib/analyzers/security-checks/es6-security.d.ts +38 -0
  347. package/dist/src/lib/analyzers/security-checks/es6-security.d.ts.map +1 -0
  348. package/dist/src/lib/analyzers/security-checks/es6-security.js +125 -0
  349. package/dist/src/lib/analyzers/security-checks/es6-security.js.map +1 -0
  350. package/dist/src/lib/analyzers/security-checks/python-async-security.d.ts +46 -0
  351. package/dist/src/lib/analyzers/security-checks/python-async-security.d.ts.map +1 -0
  352. package/dist/src/lib/analyzers/security-checks/python-async-security.js +92 -0
  353. package/dist/src/lib/analyzers/security-checks/python-async-security.js.map +1 -0
  354. package/dist/src/lib/analyzers/security-checks/react-security.d.ts +49 -0
  355. package/dist/src/lib/analyzers/security-checks/react-security.d.ts.map +1 -0
  356. package/dist/src/lib/analyzers/security-checks/react-security.js +125 -0
  357. package/dist/src/lib/analyzers/security-checks/react-security.js.map +1 -0
  358. package/dist/src/lib/analyzers/types.d.ts +92 -0
  359. package/dist/src/lib/analyzers/types.d.ts.map +1 -0
  360. package/dist/src/lib/analyzers/types.js +3 -0
  361. package/dist/src/lib/analyzers/types.js.map +1 -0
  362. package/dist/src/lib/analyzers/typescript/security-checks/access-control.d.ts +19 -0
  363. package/dist/src/lib/analyzers/typescript/security-checks/access-control.d.ts.map +1 -0
  364. package/dist/src/lib/analyzers/typescript/security-checks/access-control.js +210 -0
  365. package/dist/src/lib/analyzers/typescript/security-checks/access-control.js.map +1 -0
  366. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts +25 -0
  367. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts.map +1 -0
  368. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js +242 -0
  369. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js.map +1 -0
  370. package/dist/src/lib/analyzers/typescript/security-checks/authentication.d.ts +28 -0
  371. package/dist/src/lib/analyzers/typescript/security-checks/authentication.d.ts.map +1 -0
  372. package/dist/src/lib/analyzers/typescript/security-checks/authentication.js +357 -0
  373. package/dist/src/lib/analyzers/typescript/security-checks/authentication.js.map +1 -0
  374. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.d.ts +26 -0
  375. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.d.ts.map +1 -0
  376. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.js +380 -0
  377. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.js.map +1 -0
  378. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.d.ts +23 -0
  379. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.d.ts.map +1 -0
  380. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.js +109 -0
  381. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.js.map +1 -0
  382. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.d.ts +21 -0
  383. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.d.ts.map +1 -0
  384. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js +153 -0
  385. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js.map +1 -0
  386. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts +23 -0
  387. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  388. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js +146 -0
  389. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js.map +1 -0
  390. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.d.ts +23 -0
  391. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.d.ts.map +1 -0
  392. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.js +187 -0
  393. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.js.map +1 -0
  394. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.d.ts +19 -0
  395. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.d.ts.map +1 -0
  396. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.js +97 -0
  397. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.js.map +1 -0
  398. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts +29 -0
  399. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts.map +1 -0
  400. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js +319 -0
  401. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js.map +1 -0
  402. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.d.ts +21 -0
  403. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.d.ts.map +1 -0
  404. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.js +121 -0
  405. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.js.map +1 -0
  406. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts +27 -0
  407. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts.map +1 -0
  408. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js +213 -0
  409. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js.map +1 -0
  410. package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts +19 -0
  411. package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts.map +1 -0
  412. package/dist/src/lib/analyzers/typescript/security-checks/type-security.js +59 -0
  413. package/dist/src/lib/analyzers/typescript/security-checks/type-security.js.map +1 -0
  414. package/dist/src/lib/analyzers/typescript/type-checker.d.ts +17 -0
  415. package/dist/src/lib/analyzers/typescript/type-checker.d.ts.map +1 -0
  416. package/dist/src/lib/analyzers/typescript/type-checker.js +515 -0
  417. package/dist/src/lib/analyzers/typescript/type-checker.js.map +1 -0
  418. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.d.ts +58 -0
  419. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.d.ts.map +1 -0
  420. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.js +71 -0
  421. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.js.map +1 -0
  422. package/dist/src/lib/analyzers/typescript-analyzer.d.ts +116 -0
  423. package/dist/src/lib/analyzers/typescript-analyzer.d.ts.map +1 -0
  424. package/dist/src/lib/analyzers/typescript-analyzer.js +1660 -0
  425. package/dist/src/lib/analyzers/typescript-analyzer.js.map +1 -0
  426. package/dist/src/lib/security/compliance-mapping.d.ts +29 -0
  427. package/dist/src/lib/security/compliance-mapping.d.ts.map +1 -0
  428. package/dist/src/lib/security/compliance-mapping.js +1342 -0
  429. package/dist/src/lib/security/compliance-mapping.js.map +1 -0
  430. package/dist/src/lib/security/severity-scoring.d.ts +47 -0
  431. package/dist/src/lib/security/severity-scoring.d.ts.map +1 -0
  432. package/dist/src/lib/security/severity-scoring.js +965 -0
  433. package/dist/src/lib/security/severity-scoring.js.map +1 -0
  434. package/dist/src/lib/standards/references.d.ts +16 -0
  435. package/dist/src/lib/standards/references.d.ts.map +1 -0
  436. package/dist/src/lib/standards/references.js +1161 -0
  437. package/dist/src/lib/standards/references.js.map +1 -0
  438. package/dist/src/lib/types/index.d.ts +167 -0
  439. package/dist/src/lib/types/index.d.ts.map +1 -0
  440. package/dist/src/lib/types/index.js +3 -0
  441. package/dist/src/lib/types/index.js.map +1 -0
  442. package/dist/src/lib/utils/code-cleaner.d.ts +59 -0
  443. package/dist/src/lib/utils/code-cleaner.d.ts.map +1 -0
  444. package/dist/src/lib/utils/code-cleaner.js +283 -0
  445. package/dist/src/lib/utils/code-cleaner.js.map +1 -0
  446. package/package.json +51 -0
  447. package/src/commands/auth.ts +308 -0
  448. package/src/commands/config.ts +226 -0
  449. package/src/commands/init.ts +202 -0
  450. package/src/commands/scan.ts +238 -0
  451. package/src/config/config-loader.ts +175 -0
  452. package/src/reporters/cli-reporter.ts +282 -0
  453. package/src/scanner/local-scanner.ts +250 -0
  454. package/tsconfig.json +24 -0
  455. package/tsconfig.tsbuildinfo +1 -0
@@ -0,0 +1,221 @@
1
+ "use strict";
2
+ /**
3
+ * Java AI-Generated Code Detection Module
4
+ *
5
+ * Detects AI-generated code patterns as SECURITY RISKS:
6
+ * - 12 hallucination patterns (Python/JavaScript/Rust influence)
7
+ * - 8 code smell heuristics (over-engineering, inconsistency)
8
+ * - Confidence scoring (HIGH/MEDIUM/LOW)
9
+ *
10
+ * OWASP A04:2025 - Insecure Design
11
+ * CWE-1120 - Excessive Code Complexity
12
+ * CWE-758 - Reliance on Undefined Behavior
13
+ *
14
+ * Phase 1.5, Week 5-7 (AI-Generated Code Detection)
15
+ * Created: January 8, 2026
16
+ */
17
+ Object.defineProperty(exports, "__esModule", { value: true });
18
+ exports.checkAIGeneratedCode = checkAIGeneratedCode;
19
+ const createVulnerability_1 = require("../utils/createVulnerability");
20
+ const ai_code_detection_utils_1 = require("../../helpers/ai-code-detection-utils");
21
+ /**
22
+ * Java hallucination patterns (12 patterns)
23
+ *
24
+ * AI code generators hallucinate methods from other languages:
25
+ * - Python influence: .append(), .len()
26
+ * - JavaScript influence: .push()
27
+ * - Rust influence: .to_string(), .is_empty()
28
+ * - Property/method confusion: .length()
29
+ */
30
+ const HALLUCINATION_PATTERNS = new Map([
31
+ // Python-style methods in Java
32
+ ['append', {
33
+ correct: '.add() for List',
34
+ description: 'Java Lists use .add(), not .append(). This is a Python method. Note: StringBuilder uses .append().'
35
+ }],
36
+ ['len', {
37
+ correct: '.length() or .size()',
38
+ description: 'Java uses .length() for arrays, .size() for Collections, or .length for Strings. Not .len(). This is Python syntax.'
39
+ }],
40
+ // JavaScript-style methods in Java
41
+ ['push', {
42
+ correct: '.add()',
43
+ description: 'Java Collections use .add(), not .push(). This is a JavaScript/TypeScript method.'
44
+ }],
45
+ // Property/method confusion
46
+ ['length', {
47
+ correct: '.length (no parentheses)',
48
+ description: 'Java String.length is a method .length(), not a property. Arrays use .length property (no parentheses).'
49
+ }],
50
+ // Rust/Python influence
51
+ ['to_string', {
52
+ correct: '.toString()',
53
+ description: 'Java uses camelCase: .toString(), not snake_case to_string(). This is Rust/Python syntax.'
54
+ }],
55
+ ['is_empty', {
56
+ correct: '.isEmpty()',
57
+ description: 'Java uses camelCase: .isEmpty(), not snake_case is_empty(). This is Rust/Python syntax.'
58
+ }],
59
+ // Non-existent methods (hallucinations)
60
+ ['trim_', {
61
+ correct: '.trim()',
62
+ description: 'Non-existent method. Java uses .trim() with no trailing underscore.'
63
+ }],
64
+ ['substring_of', {
65
+ correct: '.contains()',
66
+ description: 'Non-existent method. Use .contains() to check if string contains substring.'
67
+ }],
68
+ ['split_by', {
69
+ correct: '.split()',
70
+ description: 'Non-existent method. Java uses .split() with camelCase naming.'
71
+ }],
72
+ ['remove_at', {
73
+ correct: '.remove(index)',
74
+ description: 'Non-existent method. Use .remove(index) for Lists to remove element at specific position.'
75
+ }],
76
+ ['contains_key', {
77
+ correct: '.containsKey()',
78
+ description: 'Case sensitivity error. Java Maps use .containsKey() with capital K, not underscore.'
79
+ }],
80
+ // String.format confusion
81
+ ['format_', {
82
+ correct: 'String.format()',
83
+ description: 'Non-existent method. Java uses String.format() static method, not instance method with underscore.'
84
+ }],
85
+ ]);
86
+ /**
87
+ * Detect AI-generated code in Java
88
+ *
89
+ * @param lines - Array of code lines
90
+ * @param filename - Optional filename (to skip test files)
91
+ * @returns Array of security vulnerabilities (0-1 aggregated vulnerability)
92
+ */
93
+ function checkAIGeneratedCode(lines, filename) {
94
+ // Skip test files to reduce false positives
95
+ if ((0, ai_code_detection_utils_1.isTestFile)(filename)) {
96
+ return [];
97
+ }
98
+ let hallucinationCount = 0;
99
+ const hallucinationLines = new Set();
100
+ const detectedPatterns = [];
101
+ // Combined regex for all 12 hallucination patterns (optimized)
102
+ const combinedPattern = new RegExp('\\.' +
103
+ '(append|len|push|length|to_string|is_empty|trim_|substring_of|' +
104
+ 'split_by|remove_at|contains_key|format_)' +
105
+ '\\s*\\(', 'g');
106
+ let inMultiLineComment = false;
107
+ // 1. Detect hallucination patterns
108
+ lines.forEach((line, index) => {
109
+ const lineNumber = index + 1;
110
+ const trimmed = line.trim();
111
+ // Track multi-line comments (/* ... */)
112
+ if (trimmed.includes('/*'))
113
+ inMultiLineComment = true;
114
+ if (trimmed.includes('*/')) {
115
+ inMultiLineComment = false;
116
+ return;
117
+ }
118
+ // Skip comments and empty lines
119
+ if (!trimmed || inMultiLineComment || trimmed.startsWith('//'))
120
+ return;
121
+ // Remove string literals to avoid false positives
122
+ const cleanedLine = (0, ai_code_detection_utils_1.removeCommentsAndStrings)(line, 'java');
123
+ // Match hallucination patterns
124
+ const matches = Array.from(cleanedLine.matchAll(combinedPattern));
125
+ for (const match of matches) {
126
+ const method = match[1];
127
+ const details = HALLUCINATION_PATTERNS.get(method);
128
+ if (details) {
129
+ hallucinationCount++;
130
+ hallucinationLines.add(lineNumber);
131
+ detectedPatterns.push(method);
132
+ }
133
+ }
134
+ });
135
+ // 2. Run heuristic detectors
136
+ const heuristicScores = {
137
+ overEngineeredErrors: (0, ai_code_detection_utils_1.detectOverEngineeredErrorHandling)(lines),
138
+ unnecessaryWrappers: (0, ai_code_detection_utils_1.detectUnnecessaryWrappers)(lines),
139
+ verboseComments: (0, ai_code_detection_utils_1.detectVerboseComments)(lines),
140
+ mixedNaming: (0, ai_code_detection_utils_1.detectMixedNamingConventions)(lines), // Detects snake_case in Java
141
+ redundantNullChecks: (0, ai_code_detection_utils_1.detectRedundantNullChecks)(lines),
142
+ unnecessaryAsync: (0, ai_code_detection_utils_1.detectUnnecessaryAsync)(lines),
143
+ genericVariables: (0, ai_code_detection_utils_1.detectGenericVariableOveruse)(lines),
144
+ inconsistentStrings: (0, ai_code_detection_utils_1.detectInconsistentStringConcatenation)(lines),
145
+ };
146
+ // 3. Calculate confidence and severity
147
+ const detection = (0, ai_code_detection_utils_1.calculateAICodeConfidence)(hallucinationCount, heuristicScores);
148
+ if (!detection) {
149
+ return []; // No AI-generated code detected
150
+ }
151
+ // 4. Create aggregated vulnerability
152
+ const categoryId = detection.severity === 'CRITICAL' ? 'ai-generated-code-high' :
153
+ detection.severity === 'HIGH' ? 'ai-generated-code-medium' :
154
+ 'ai-generated-code-low';
155
+ // Build message based on detection type
156
+ let message = `AI-generated code detected (${detection.confidence} confidence): `;
157
+ if (hallucinationCount > 0) {
158
+ message += `${hallucinationCount} hallucinated method(s) found`;
159
+ if (detectedPatterns.length > 0) {
160
+ const uniquePatterns = Array.from(new Set(detectedPatterns)).slice(0, 3);
161
+ message += ` (.${uniquePatterns.join(', .')})`;
162
+ }
163
+ }
164
+ else {
165
+ message += 'Multiple code smell patterns detected (over-engineering, snake_case naming, etc.)';
166
+ }
167
+ // Build suggestion
168
+ const suggestion = hallucinationCount > 0
169
+ ? `Replace hallucinated methods with correct Java equivalents. Found: ${Array.from(new Set(detectedPatterns)).map(p => `.${p}()`).join(', ')}. Review and rewrite AI-generated code sections.`
170
+ : 'Simplify code structure, use consistent naming conventions (camelCase), and follow Java idioms. Remove unnecessary async functions, redundant null checks, and over-engineered error handling.';
171
+ // Find first occurrence line for reporting
172
+ const reportLine = hallucinationLines.size > 0
173
+ ? Math.min(...hallucinationLines)
174
+ : 1; // Use first line if only heuristics detected
175
+ // Get first detected pattern details for remediation example
176
+ const firstPattern = detectedPatterns[0];
177
+ const firstPatternDetails = firstPattern ? HALLUCINATION_PATTERNS.get(firstPattern) : null;
178
+ return [
179
+ (0, createVulnerability_1.createJavaSecurityVulnerability)({
180
+ category: categoryId,
181
+ severity: detection.severity.toLowerCase(),
182
+ confidence: detection.confidence,
183
+ message,
184
+ line: reportLine,
185
+ suggestion,
186
+ owasp: 'A04:2025 - Insecure Design',
187
+ cwe: 'CWE-1120, CWE-758',
188
+ pciDss: '6.5',
189
+ remediation: {
190
+ explanation: 'AI code generators (like GitHub Copilot, ChatGPT, Claude) can hallucinate non-existent methods or generate over-engineered patterns. ' +
191
+ 'This creates reliability issues and potential security vulnerabilities. Hallucinated methods cause runtime exceptions that expose stack traces with ' +
192
+ 'sensitive information. Over-engineered code patterns make security audits difficult, hiding real vulnerabilities. ' +
193
+ 'Always verify AI-generated code matches Java specifications and follows security best practices.',
194
+ before: firstPatternDetails
195
+ ? `list.${firstPattern}(item) // Hallucinated method`
196
+ : '// Over-engineered or inconsistent code patterns\n// Example: try { ... } catch (Exception e) { if (...) { if (...) { if (...) { } } } }',
197
+ after: firstPatternDetails
198
+ ? `list${firstPatternDetails.correct} // Correct Java`
199
+ : '// Simplified, idiomatic code following Java conventions\n// Example: try { ... } catch (Exception e) { logger.error("Error", e); throw e; }',
200
+ },
201
+ attackVector: {
202
+ description: 'AI-generated code with hallucinated methods creates runtime exceptions exposing system internals through stack traces. ' +
203
+ 'Attackers can trigger these errors repeatedly to map application structure and identify vulnerable endpoints. ' +
204
+ 'Inconsistent code patterns (mixing snake_case and camelCase) make security reviews difficult, allowing real vulnerabilities to hide among AI-generated noise. ' +
205
+ 'Over-engineered error handling may leak sensitive information in catch blocks.',
206
+ exploitExample: "User triggers: list.append(item)\n" +
207
+ "Result: NoSuchMethodError: 'append' in class 'ArrayList'\n" +
208
+ "Stack trace reveals: Internal file paths, class names, database schema hints\n" +
209
+ "Attacker uses this to map application architecture and plan targeted attacks.",
210
+ realWorldImpact: [
211
+ 'Runtime errors revealing sensitive stack traces with internal paths',
212
+ 'Logic bugs in access control or validation code (AI-generated if statements)',
213
+ 'Performance degradation from inefficient AI-generated loops and algorithms',
214
+ 'Maintenance burden: Developers spend hours debugging AI hallucinations',
215
+ 'Hidden security vulnerabilities masked by over-engineered code patterns',
216
+ ],
217
+ },
218
+ })
219
+ ];
220
+ }
221
+ //# sourceMappingURL=ai-generated-code.js.map
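Review bot: The combined regex built in checkAIGeneratedCode (hunk lines 102-105) includes `length` and `append`, but `s.length()` on a String and `sb.append(x)` on a StringBuilder are correct Java — the map's own descriptions for those two entries say so — so ordinary Java inflates `hallucinationCount`, can raise a finding by itself, and the generated `remediation.after` then tells the user to drop the parentheses from String.length(). Unless receiver types are resolved, drop both from the alternation, `'(len|push|to_string|is_empty|trim_|substring_of|split_by|remove_at|contains_key|format_)'`, and remove the two map entries so `detectedPatterns` stays consistent with what can be matched. Separately, the `inMultiLineComment` flag is set on any line containing `/*` before `removeCommentsAndStrings` runs (hunk lines 112-122), so a `/*` inside a string literal silences every following line until a `*/` appears, and a line such as `/* note */ list.push(x);` is skipped entirely by the early `return`; checking comment state on the stripped line avoids both false negatives, assuming the helper keeps comment delimiters (its implementation is not visible here). The source map points at `src/lib/analyzers/java/security-checks/ai-generated-code.ts`, so the change belongs there rather than in the compiled dist file.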
@@ -0,0 +1 @@
1
+ {"version":3,"file":"ai-generated-code.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/ai-generated-code.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;AAwGH,oDA0JC;AA/PD,sEAA+E;AAC/E,mFAY+C;AAU/C;;;;;;;;GAQG;AACH,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAA+B;IACnE,+BAA+B;IAC/B,CAAC,QAAQ,EAAE;YACT,OAAO,EAAE,iBAAiB;YAC1B,WAAW,EAAE,oGAAoG;SAClH,CAAC;IACF,CAAC,KAAK,EAAE;YACN,OAAO,EAAE,sBAAsB;YAC/B,WAAW,EAAE,qHAAqH;SACnI,CAAC;IAEF,mCAAmC;IACnC,CAAC,MAAM,EAAE;YACP,OAAO,EAAE,QAAQ;YACjB,WAAW,EAAE,mFAAmF;SACjG,CAAC;IAEF,4BAA4B;IAC5B,CAAC,QAAQ,EAAE;YACT,OAAO,EAAE,0BAA0B;YACnC,WAAW,EAAE,yGAAyG;SACvH,CAAC;IAEF,wBAAwB;IACxB,CAAC,WAAW,EAAE;YACZ,OAAO,EAAE,aAAa;YACtB,WAAW,EAAE,2FAA2F;SACzG,CAAC;IACF,CAAC,UAAU,EAAE;YACX,OAAO,EAAE,YAAY;YACrB,WAAW,EAAE,yFAAyF;SACvG,CAAC;IAEF,wCAAwC;IACxC,CAAC,OAAO,EAAE;YACR,OAAO,EAAE,SAAS;YAClB,WAAW,EAAE,qEAAqE;SACnF,CAAC;IACF,CAAC,cAAc,EAAE;YACf,OAAO,EAAE,aAAa;YACtB,WAAW,EAAE,6EAA6E;SAC3F,CAAC;IACF,CAAC,UAAU,EAAE;YACX,OAAO,EAAE,UAAU;YACnB,WAAW,EAAE,gEAAgE;SAC9E,CAAC;IACF,CAAC,WAAW,EAAE;YACZ,OAAO,EAAE,gBAAgB;YACzB,WAAW,EAAE,2FAA2F;SACzG,CAAC;IACF,CAAC,cAAc,EAAE;YACf,OAAO,EAAE,gBAAgB;YACzB,WAAW,EAAE,sFAAsF;SACpG,CAAC;IAEF,0BAA0B;IAC1B,CAAC,SAAS,EAAE;YACV,OAAO,EAAE,iBAAiB;YAC1B,WAAW,EAAE,oGAAoG;SAClH,CAAC;CACH,CAAC,CAAC;AAEH;;;;;;GAMG;AACH,SAAgB,oBAAoB,CAClC,KAAe,EACf,QAAiB;IAEjB,4CAA4C;IAC5C,IAAI,IAAA,oCAAU,EAAC,QAAQ,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,kBAAkB,GAAG,CAAC,CAAC;IAC3B,MAAM,kBAAkB,GAAG,IAAI,GAAG,EAAU,CAAC;IAC7C,MAAM,gBAAgB,GAAa,EAAE,CAAC;IAEtC,+DAA+D;IAC/D,MAAM,eAAe,GAAG,IAAI,MAAM,CAChC,KAAK;QACL,gEAAgE;QAChE,0CAA0C;QAC1C,SAAS,EACT,GAAG,CACJ,CAAC;IAEF,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,mCAAmC;IACnC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,wCAAwC;QACxC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;YAAE,kBAAkB,GAAG,IAAI,CAAC;QACtD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,K
AAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,OAAO;QAEvE,kDAAkD;QAClD,MAAM,WAAW,GAAG,IAAA,kDAAwB,EAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAE3D,+BAA+B;QAC/B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC;QAElE,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACxB,MAAM,OAAO,GAAG,sBAAsB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAEnD,IAAI,OAAO,EAAE,CAAC;gBACZ,kBAAkB,EAAE,CAAC;gBACrB,kBAAkB,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;gBACnC,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,6BAA6B;IAC7B,MAAM,eAAe,GAAG;QACtB,oBAAoB,EAAE,IAAA,2DAAiC,EAAC,KAAK,CAAC;QAC9D,mBAAmB,EAAE,IAAA,mDAAyB,EAAC,KAAK,CAAC;QACrD,eAAe,EAAE,IAAA,+CAAqB,EAAC,KAAK,CAAC;QAC7C,WAAW,EAAE,IAAA,sDAA4B,EAAC,KAAK,CAAC,EAAE,6BAA6B;QAC/E,mBAAmB,EAAE,IAAA,mDAAyB,EAAC,KAAK,CAAC;QACrD,gBAAgB,EAAE,IAAA,gDAAsB,EAAC,KAAK,CAAC;QAC/C,gBAAgB,EAAE,IAAA,sDAA4B,EAAC,KAAK,CAAC;QACrD,mBAAmB,EAAE,IAAA,+DAAqC,EAAC,KAAK,CAAC;KAClE,CAAC;IAEF,uCAAuC;IACvC,MAAM,SAAS,GAAG,IAAA,mDAAyB,EAAC,kBAAkB,EAAE,eAAe,CAAC,CAAC;IAEjF,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,EAAE,CAAC,CAAC,gCAAgC;IAC7C,CAAC;IAED,qCAAqC;IACrC,MAAM,UAAU,GACd,SAAS,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC;QAC9D,SAAS,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,0BAA0B,CAAC,CAAC;YAC5D,uBAAuB,CAAC;IAE1B,wCAAwC;IACxC,IAAI,OAAO,GAAG,+BAA+B,SAAS,CAAC,UAAU,gBAAgB,CAAC;IAElF,IAAI,kBAAkB,GAAG,CAAC,EAAE,CAAC;QAC3B,OAAO,IAAI,GAAG,kBAAkB,+BAA+B,CAAC;QAChE,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YACzE,OAAO,IAAI,MAAM,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC;QACjD,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,IAAI,mFAAmF,CAAC;IACjG,CAAC;IAED,mBAAmB;IACnB,MAAM,UAAU,GAAG,kBAAkB,GAAG,CAAC;QACvC,CAAC,CAAC,sEAAsE,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,kDAAkD;QAC9
L,CAAC,CAAC,gMAAgM,CAAC;IAErM,2CAA2C;IAC3C,MAAM,UAAU,GAAG,kBAAkB,CAAC,IAAI,GAAG,CAAC;QAC5C,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,kBAAkB,CAAC;QACjC,CAAC,CAAC,CAAC,CAAC,CAAC,6CAA6C;IAEpD,6DAA6D;IAC7D,MAAM,YAAY,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;IACzC,MAAM,mBAAmB,GAAG,YAAY,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAE3F,OAAO;QACL,IAAA,qDAA+B,EAAC;YAC9B,QAAQ,EAAE,UAAU;YACpB,QAAQ,EAAE,SAAS,CAAC,QAAQ,CAAC,WAAW,EAAoC;YAC5E,UAAU,EAAE,SAAS,CAAC,UAAU;YAChC,OAAO;YACP,IAAI,EAAE,UAAU;YAChB,UAAU;YACV,KAAK,EAAE,4BAA4B;YACnC,GAAG,EAAE,mBAAmB;YACxB,MAAM,EAAE,KAAK;YACb,WAAW,EAAE;gBACX,WAAW,EACT,uIAAuI;oBACvI,sJAAsJ;oBACtJ,oHAAoH;oBACpH,kGAAkG;gBACpG,MAAM,EAAE,mBAAmB;oBACzB,CAAC,CAAC,QAAQ,YAAY,gCAAgC;oBACtD,CAAC,CAAC,0IAA0I;gBAC9I,KAAK,EAAE,mBAAmB;oBACxB,CAAC,CAAC,OAAO,mBAAmB,CAAC,OAAO,mBAAmB;oBACvD,CAAC,CAAC,8IAA8I;aACnJ;YACD,YAAY,EAAE;gBACZ,WAAW,EACT,yHAAyH;oBACzH,gHAAgH;oBAChH,gKAAgK;oBAChK,gFAAgF;gBAClF,cAAc,EACZ,oCAAoC;oBACpC,4DAA4D;oBAC5D,gFAAgF;oBAChF,+EAA+E;gBACjF,eAAe,EAAE;oBACf,qEAAqE;oBACrE,8EAA8E;oBAC9E,4EAA4E;oBAC5E,wEAAwE;oBACxE,yEAAyE;iBAC1E;aACF;SACF,CAAC;KACH,CAAC;AACJ,CAAC"}
@@ -0,0 +1,18 @@
1
+ /**
2
+ * Code Quality Security Module
3
+ *
4
+ * Detects code quality issues with security implications in Java source code including:
5
+ * - God Class (overly large classes)
6
+ * - System.out.println in production
7
+ * - printStackTrace() usage
8
+ *
9
+ * SOLID & Enterprise Patterns
10
+ */
11
+ import { SecurityVulnerability } from '../../types';
12
+ /**
13
+ * Check for code quality issues with security implications in Java code
14
+ * @param lines - Array of code lines to analyze
15
+ * @returns Array of security vulnerabilities found
16
+ */
17
+ export declare function checkCodeQuality(lines: string[], code: string): SecurityVulnerability[];
18
+ //# sourceMappingURL=code-quality.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"code-quality.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/code-quality.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,MAAM,GAAG,qBAAqB,EAAE,CA0GvF"}
@@ -0,0 +1,84 @@
1
+ "use strict";
2
+ /**
3
+ * Code Quality Security Module
4
+ *
5
+ * Detects code quality issues with security implications in Java source code including:
6
+ * - God Class (overly large classes)
7
+ * - System.out.println in production
8
+ * - printStackTrace() usage
9
+ *
10
+ * SOLID & Enterprise Patterns
11
+ */
12
+ Object.defineProperty(exports, "__esModule", { value: true });
13
+ exports.checkCodeQuality = checkCodeQuality;
14
+ const createVulnerability_1 = require("../utils/createVulnerability");
15
+ /**
16
+ * Check for code quality issues with security implications in Java code
17
+ * @param lines - Array of code lines to analyze
18
+ * @returns Array of security vulnerabilities found
19
+ */
20
+ function checkCodeQuality(lines, code) {
21
+ const vulnerabilities = [];
22
+ let inMultiLineComment = false;
23
+ lines.forEach((line, index) => {
24
+ const trimmed = line.trim();
25
+ const lineNumber = index + 1;
26
+ // CRITICAL: Track multi-line comment blocks (/* ... */)
27
+ if (trimmed.includes('/*')) {
28
+ inMultiLineComment = true;
29
+ }
30
+ if (trimmed.includes('*/')) {
31
+ inMultiLineComment = false;
32
+ return; // Skip the line with */
33
+ }
34
+ // CRITICAL: Skip all lines inside multi-line comments and single-line comments
35
+ // FIX (Dec 6, 2025): Added proper multi-line comment tracking
36
+ if (!trimmed ||
37
+ inMultiLineComment ||
38
+ trimmed.startsWith('//')) {
39
+ return;
40
+ }
41
+ // 15. God Class (very large class) - LOW
42
+ // FIXED: Skip commented lines and only check file size (class-level tracking done in detectGodClasses method)
43
+ if (trimmed.match(/class\s+\w+/) &&
44
+ code.split('\n').length > 500) {
45
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('god-class', 'God Class detected - class is too large (>500 lines)', 'Refactor into smaller, focused classes following Single Responsibility Principle', lineNumber, 'Very large classes (God Classes) violate the Single Responsibility Principle, making code hard to maintain, test, and review for security issues. Security vulnerabilities are easier to hide in large classes, and changes to one functionality can inadvertently affect others.', 'A 1000-line User class handling authentication, profile management, permissions, and notifications is hard to audit', [
46
+ 'Security vulnerabilities harder to find',
47
+ 'Code review ineffectiveness',
48
+ 'Difficult to test thoroughly',
49
+ 'Higher bug introduction risk',
50
+ 'Maintenance complexity'
51
+ ], 'public class UserManager { // 800 lines\n // Authentication, profile, permissions, notifications, logging...\n}', 'public class AuthenticationService { // 100 lines - focused\n // Only authentication logic\n}\npublic class UserProfileService { // 80 lines\n // Only profile management\n}\npublic class PermissionService { // 120 lines\n // Only permission checks\n}', 'Break large classes into smaller, focused classes with single responsibilities. Each class should have one reason to change, making security reviews and testing more effective'));
52
+ }
53
+ // 16. System.out.println in production - LOW
54
+ // FIX (Dec 6, 2025): Skip System.out.println inside main() methods (acceptable for CLI apps)
55
+ // Example acceptable: public static void main(String[] args) { System.out.println("Hello"); }
56
+ // Now checks: previous 5 lines for "public static void main(" to skip CLI apps
57
+ if (trimmed.match(/System\s*\.\s*out\s*\.\s*print/)) {
58
+ // Check if we're inside main() method (previous 5-15 lines)
59
+ const prevLines = lines.slice(Math.max(0, index - 15), index);
60
+ const isInMainMethod = prevLines.some(l => l.includes('public static void main(') || l.includes('public static void main ('));
61
+ if (!isInMainMethod) {
62
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('system-out-println', 'System.out.println detected - inappropriate for production code', 'Use a proper logging framework (SLF4J, Log4j2, Logback) with appropriate log levels', lineNumber, 'System.out.println writes directly to standard output without any controls. In production, this can expose sensitive data in logs, create performance bottlenecks, lacks log levels/filtering, and makes it impossible to centralize or secure log management.', 'System.out.println("User password: " + password); // Logs plaintext password to stdout', [
63
+ 'Sensitive data exposure in logs',
64
+ 'Performance degradation (synchronous I/O)',
65
+ 'No log level control',
66
+ 'Difficult to disable or redirect',
67
+ 'Compliance violations (logging PII)'
68
+ ], 'System.out.println("Processing user: " + username + " with password: " + password);', 'import org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n\nprivate static final Logger logger = LoggerFactory.getLogger(MyClass.class);\n\nlogger.info("Processing user: {}", username); // No password logged\n// Use appropriate log levels: debug, info, warn, error', 'Use a logging framework (SLF4J/Logback/Log4j2) that provides log levels, filtering, secure handling, and centralized configuration. Never log sensitive data like passwords or tokens'));
69
+ }
70
+ }
71
+ // 17. printStackTrace() - LOW
72
+ if (trimmed.match(/\.printStackTrace\s*\(/)) {
73
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('printstacktrace', 'printStackTrace() usage detected - can leak sensitive information', 'Use proper logging: logger.error("Error occurred", exception)', lineNumber, 'printStackTrace() outputs the full stack trace to standard error, including class names, method names, line numbers, and potentially sensitive data in exception messages. In production, this can expose internal application structure, file paths, database schemas, and business logic to attackers.', 'catch (SQLException e) { e.printStackTrace(); } // Exposes SQL query, table names, connection details', [
74
+ 'Internal structure disclosure',
75
+ 'File path exposure',
76
+ 'Database schema leakage',
77
+ 'Business logic revelation',
78
+ 'Attack surface mapping'
79
+ ], 'try {\n // database operation\n} catch (SQLException e) {\n e.printStackTrace(); // Prints stack trace to stderr\n}', 'import org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n\nprivate static final Logger logger = LoggerFactory.getLogger(MyClass.class);\n\ntry {\n // database operation\n} catch (SQLException e) {\n logger.error("Database error occurred", e); // Controlled logging\n}', 'Use a logging framework that can be configured to control what gets logged, where it\'s logged, and who can access it. This prevents information leakage while maintaining debugging capability'));
80
+ }
81
+ });
82
+ return vulnerabilities;
83
+ }
84
+ //# sourceMappingURL=code-quality.js.map
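Review bot: The God Class check (hunk lines 43-44) evaluates `code.split('\n').length` inside `lines.forEach`, re-splitting the whole file for every class-declaration line, and it measures the file rather than the class, so a large file with several `class` declarations produces one "class is too large" finding per declaration with a message that does not match what was measured. Hoist the count before the loop, `const totalLines = code.split('\n').length;`, compare `totalLines > 500`, and either reword the message to say the file exceeds 500 lines or back the per-class claim with brace tracking. The doc comment above checkCodeQuality (hunk lines 15-19) documents only `lines`; add `@param code - Full source text, used for the file-length heuristic`. The comment tracker also drops any line that both closes a block comment and continues with code (`/* note */ e.printStackTrace();` is skipped by the `return` on `*/`), which the TS source at `src/lib/analyzers/java/security-checks/code-quality.ts` (per the source map) inherits.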
@@ -0,0 +1 @@
1
+ {"version":3,"file":"code-quality.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/code-quality.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;AAUH,4CA0GC;AAjHD,sEAA+E;AAE/E;;;;GAIG;AACH,SAAgB,gBAAgB,CAAC,KAAe,EAAE,IAAY;IAC5D,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAE7B,wDAAwD;QACxD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO,CAAC,wBAAwB;QAClC,CAAC;QAED,+EAA+E;QAC/E,8DAA8D;QAC9D,IAAI,CAAC,OAAO;YACR,kBAAkB;YAClB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7B,OAAO;QACT,CAAC;QAED,yCAAyC;QACzC,8GAA8G;QAC9G,IAAI,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC;YAC5B,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YAClC,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,WAAW,EACX,sDAAsD,EACtD,kFAAkF,EAClF,UAAU,EACV,mRAAmR,EACnR,qHAAqH,EACrH;gBACE,yCAAyC;gBACzC,6BAA6B;gBAC7B,8BAA8B;gBAC9B,8BAA8B;gBAC9B,wBAAwB;aACzB,EACD,kHAAkH,EAClH,+PAA+P,EAC/P,iLAAiL,CAClL,CAAC,CAAC;QACL,CAAC;QAED,6CAA6C;QAC7C,6FAA6F;QAC7F,8FAA8F;QAC9F,+EAA+E;QAC/E,IAAI,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,EAAE,CAAC;YACpD,4DAA4D;YAC5D,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC;YAC9D,MAAM,cAAc,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CACxC,CAAC,CAAC,QAAQ,CAAC,0BAA0B,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,2BAA2B,CAAC,CAClF,CAAC;YAEF,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,oBAAoB,EACpB,iEAAiE,EACjE,qFAAqF,EACrF,UAAU,EACV,gQAAgQ,EAChQ,wFAAwF,EACxF;oBACE,iCAAiC;oBACjC,2CAA2C;oBAC3C,sBAAsB;oBACtB,kCAAkC;oBAClC,qCAAqC;iBACtC,EACD,qFAAqF,EACrF,2QAA2Q,EAC3Q,uLAAuL,CACxL,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,8BAA8B;QAC9B,IAAI,OAAO,CAAC,KAAK,CAAC,wBAAwB,CAAC,EAAE,CAAC;YAC5C,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,iBAAiB,EACjB,mEAA
mE,EACnE,+DAA+D,EAC/D,UAAU,EACV,0SAA0S,EAC1S,uGAAuG,EACvG;gBACE,+BAA+B;gBAC/B,oBAAoB;gBACpB,yBAAyB;gBACzB,2BAA2B;gBAC3B,wBAAwB;aACzB,EACD,uHAAuH,EACvH,iRAAiR,EACjR,iMAAiM,CAClM,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
@@ -0,0 +1,18 @@
1
+ /**
2
+ * Cryptography Validation Module
3
+ *
4
+ * Detects weak cryptographic practices in Java source code including:
5
+ * - Use of java.util.Random for security-sensitive operations
6
+ * - Weak hash algorithms (MD5, SHA-1)
7
+ * - Insecure encryption modes (ECB)
8
+ *
9
+ * OWASP A02:2021 - Cryptographic Failures
10
+ */
11
+ import { SecurityVulnerability } from '../../types';
12
+ /**
13
+ * Check for weak cryptographic practices in Java code
14
+ * @param lines - Array of code lines to analyze
15
+ * @returns Array of security vulnerabilities found
16
+ */
17
+ export declare function checkCryptoValidation(lines: string[]): SecurityVulnerability[];
18
+ //# sourceMappingURL=crypto-validation.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"crypto-validation.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/crypto-validation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,qBAAqB,EAAE,CA2Q9E"}
@@ -0,0 +1,161 @@
1
+ "use strict";
2
+ /**
3
+ * Cryptography Validation Module
4
+ *
5
+ * Detects weak cryptographic practices in Java source code including:
6
+ * - Use of java.util.Random for security-sensitive operations
7
+ * - Weak hash algorithms (MD5, SHA-1)
8
+ * - Insecure encryption modes (ECB)
9
+ *
10
+ * OWASP A02:2021 - Cryptographic Failures
11
+ */
12
+ Object.defineProperty(exports, "__esModule", { value: true });
13
+ exports.checkCryptoValidation = checkCryptoValidation;
14
+ const createVulnerability_1 = require("../utils/createVulnerability");
15
+ /**
16
+ * Check for weak cryptographic practices in Java code
17
+ * @param lines - Array of code lines to analyze
18
+ * @returns Array of security vulnerabilities found
19
+ */
20
+ function checkCryptoValidation(lines) {
21
+ const vulnerabilities = [];
22
+ let inMultiLineComment = false;
23
+ lines.forEach((line, index) => {
24
+ const trimmed = line.trim();
25
+ const lineNumber = index + 1;
26
+ // Track multi-line comment blocks (/* ... */)
27
+ if (trimmed.includes('/*')) {
28
+ inMultiLineComment = true;
29
+ }
30
+ if (trimmed.includes('*/')) {
31
+ inMultiLineComment = false;
32
+ return;
33
+ }
34
+ // Skip comments and empty lines
35
+ if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*'))
36
+ return;
37
+ // 8. Random() for security - MEDIUM
38
+ // Fix: Check method context (previous AND next 3 lines) for security keywords
39
+ // FIX (Dec 9, 2025): Added otp, 2fa, mfa keywords to detect OTP generation with weak Random
40
+ // FIX (Dec 22, 2025 Phase B): Check next lines too, not just previous
41
+ const hasRandomCreation = trimmed.match(/new\s+Random\s*\(/);
42
+ if (hasRandomCreation) {
43
+ const hasSameLineKeyword = trimmed.match(/password|token|key|secret|salt|nonce|session|auth|otp|2fa|mfa/i);
44
+ const prevLines = lines.slice(Math.max(0, index - 3), index);
45
+ const nextLines = lines.slice(index + 1, Math.min(lines.length, index + 4));
46
+ const hasContextKeyword = [...prevLines, ...nextLines].some(l => l.match(/password|token|key|secret|salt|nonce|session|auth|otp|2fa|mfa|generate/i) ||
47
+ l.match(/(public|private|protected)\s+\w+\s+(generate|create)(Token|Key|Password|Secret|Session|Auth|Otp)/i));
48
+ if (hasSameLineKeyword || hasContextKeyword) {
49
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('weak-random', 'Cryptographically weak random number generator detected', 'Use java.security.SecureRandom for security-sensitive operations', lineNumber, 'java.util.Random uses a predictable linear congruential generator algorithm. If an attacker observes a few random values, they can predict all future values. This makes it unsuitable for security purposes like generating session IDs, tokens, passwords, or cryptographic keys.', 'Random rand = new Random(); sessionId = rand.nextLong(); // Predictable, attacker can guess next session IDs', [
50
+ 'Session hijacking',
51
+ 'Token prediction',
52
+ 'Weak password generation',
53
+ 'Cryptographic key compromise',
54
+ 'Authentication bypass'
55
+ ], 'Random random = new Random();\nString token = String.valueOf(random.nextLong()); // Predictable', 'import java.security.SecureRandom;\nSecureRandom secureRandom = new SecureRandom();\nbyte[] tokenBytes = new byte[32];\nsecureRandom.nextBytes(tokenBytes);\nString token = Base64.getEncoder().encodeToString(tokenBytes); // Cryptographically secure', 'SecureRandom uses cryptographically strong algorithms (like SHA1PRNG) that are unpredictable even if an attacker sees previous values. Always use it for security-sensitive random generation'));
56
+ }
57
+ }
58
+ // 9. MD5/SHA1 - MEDIUM
59
+ if (trimmed.match(/MessageDigest\s*\.\s*getInstance\s*\(\s*["'](?:MD5|SHA-1|SHA1)['"]\s*\)/)) {
60
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('weak-hash-md5', 'Weak cryptographic hash algorithm detected (MD5/SHA-1)', 'Use SHA-256, SHA-512 for integrity checks, or bcrypt/Argon2id for password hashing', lineNumber, 'MD5 and SHA-1 are cryptographically broken hash algorithms. MD5 collisions can be generated in seconds, and SHA-1 collisions have been demonstrated. Attackers can create two different inputs that produce the same hash, bypassing integrity checks, forging signatures, or cracking password hashes using rainbow tables.', 'MessageDigest.getInstance("MD5").digest(password) can be reversed using rainbow tables or brute force in minutes', [
61
+ 'Password hash cracking (rainbow tables)',
62
+ 'Collision attacks (forge signatures)',
63
+ 'Data integrity bypass',
64
+ 'Certificate forgery',
65
+ 'Authentication bypass'
66
+ ], 'MessageDigest md = MessageDigest.getInstance("MD5");\nbyte[] hash = md.digest(password.getBytes()); // Weak, easily cracked', 'import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;\nBCryptPasswordEncoder encoder = new BCryptPasswordEncoder();\nString hashedPassword = encoder.encode(password); // Strong, salted, adaptive', 'For password hashing, use bcrypt, scrypt, or Argon2id which are designed to be slow and include salts. For general hashing (integrity checks), use SHA-256 or SHA-512'));
67
+ }
68
+ // 10. ECB mode encryption - MEDIUM
69
+ if (trimmed.match(/Cipher\s*\.\s*getInstance\s*\(.*\/ECB\//)) {
70
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('ecb-mode-encryption', 'Insecure ECB (Electronic Codebook) encryption mode detected', 'Use authenticated encryption: Cipher.getInstance("AES/GCM/NoPadding") with unique IV', lineNumber, 'ECB mode encrypts identical plaintext blocks into identical ciphertext blocks, revealing patterns in the data. This allows attackers to detect repeated data, manipulate ciphertext blocks, or use known-plaintext attacks to decrypt portions of the message without the key.', 'Encrypting an image with ECB mode reveals the outline of the original image in the ciphertext (famous ECB penguin example)', [
71
+ 'Data pattern disclosure',
72
+ 'Block manipulation attacks',
73
+ 'Known-plaintext attacks',
74
+ 'Message structure leakage',
75
+ 'Weak confidentiality guarantees'
76
+ ], 'Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding"); // Insecure mode\ncipher.init(Cipher.ENCRYPT_MODE, key);\nbyte[] ciphertext = cipher.doFinal(plaintext);', 'Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding"); // Authenticated encryption\nbyte[] iv = new byte[12]; // 96-bit IV\nnew SecureRandom().nextBytes(iv);\nGCMParameterSpec spec = new GCMParameterSpec(128, iv);\ncipher.init(Cipher.ENCRYPT_MODE, key, spec);\nbyte[] ciphertext = cipher.doFinal(plaintext);', 'Use GCM (Galois/Counter Mode) which provides both confidentiality and authenticity. Always use a unique IV for each encryption operation'));
77
+ }
78
+ // 11. DES/3DES weak encryption algorithms - HIGH (Phase B)
79
+ if (trimmed.match(/Cipher\s*\.\s*getInstance\s*\(\s*["'](DES|DESede|TripleDES)/i)) {
80
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('weak-encryption-des', 'Weak encryption algorithm detected (DES/3DES)', 'Use AES-256-GCM for modern encryption with authenticated encryption', lineNumber, 'DES (Data Encryption Standard) has a 56-bit key which can be brute-forced in hours using modern hardware. 3DES (Triple DES) is deprecated and vulnerable to Sweet32 attacks when encrypting large amounts of data. Both are considered cryptographically weak and should not be used for new applications.', 'DES encryption with 56-bit key can be broken in ~24 hours on modern GPUs using brute force', [
81
+ 'Brute force key recovery (DES: hours, 3DES: theoretical)',
82
+ 'Sweet32 birthday attack on 3DES (64-bit block)',
83
+ 'Insufficient key length for modern security',
84
+ 'Data confidentiality compromise',
85
+ 'Compliance violations (PCI-DSS, HIPAA)'
86
+ ], 'Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding"); // 56-bit key, broken\ncipher.init(Cipher.ENCRYPT_MODE, key);', 'Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding"); // 256-bit key, modern\nSecureRandom random = new SecureRandom();\nbyte[] iv = new byte[12];\nrandom.nextBytes(iv);\nGCMParameterSpec spec = new GCMParameterSpec(128, iv);\ncipher.init(Cipher.ENCRYPT_MODE, key, spec);', 'Migrate to AES-256-GCM which provides both strong encryption (256-bit keys) and authentication. AES is the current standard approved by NIST and used globally'));
87
+ }
88
+ // 11b. RC4 weak stream cipher - HIGH (Phase 7B Day 8)
89
+ if (trimmed.match(/Cipher\s*\.\s*getInstance\s*\(\s*["'](RC4|ARCFOUR)/i)) {
90
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('weak-cipher-rc4', 'Weak stream cipher RC4 detected - vulnerable to multiple attacks', 'Use AES-256-GCM for modern authenticated encryption', lineNumber, 'RC4 (Rivest Cipher 4) is a deprecated stream cipher with multiple known vulnerabilities including biased keystream output, related-key attacks, and the NOMORE attack. It has been prohibited by IETF (RFC 7465) and removed from TLS 1.3. RC4 is completely broken for modern cryptographic use.', 'RC4 cipher broken by statistical biases - attackers can recover plaintext from intercepted TLS traffic', [
91
+ 'Keystream bias attacks (RC4 NOMORE attack)',
92
+ 'Related-key cryptanalysis',
93
+ 'Plaintext recovery from encrypted traffic',
94
+ 'IETF prohibits RC4 use (RFC 7465)',
95
+ 'Removed from TLS 1.2+ and modern protocols'
96
+ ], 'Cipher cipher = Cipher.getInstance("RC4"); // Completely broken stream cipher\ncipher.init(Cipher.ENCRYPT_MODE, key);', 'Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding"); // Modern AEAD cipher\nSecureRandom random = new SecureRandom();\nbyte[] iv = new byte[12];\nrandom.nextBytes(iv);\nGCMParameterSpec spec = new GCMParameterSpec(128, iv);\ncipher.init(Cipher.ENCRYPT_MODE, key, spec);', 'RC4 is completely broken and banned from modern cryptographic standards. Migrate to AES-GCM immediately'));
97
+ }
98
+ // 12. Hardcoded encryption keys - CRITICAL (Phase B)
99
+ // Check if current line has new SecretKeySpec AND nearby lines have string literal with .getBytes()
100
+ if (trimmed.match(/\bnew\s+SecretKeySpec\s*\(/) &&
101
+ (trimmed.match(/["'][A-Za-z0-9+/=]{8,}["']\.getBytes/) ||
102
+ lines.slice(Math.max(0, index - 2), Math.min(lines.length, index + 2)).some(l => l.match(/["'][A-Za-z0-9+/=]{8,}["']\.getBytes\s*\(\s*\)/)))) {
103
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('hardcoded-encryption-key', 'Hardcoded encryption key detected', 'Use KeyStore or secure key management system (AWS KMS, HashiCorp Vault, Azure Key Vault)', lineNumber, 'Hardcoded cryptographic keys in source code can be easily extracted by attackers through decompilation, repository access, or binary analysis. Once extracted, all data encrypted with that key can be decrypted. Keys should be stored securely and rotated regularly.', 'Hardcoded key in source code allows attacker who obtains the .jar file to decrypt all encrypted data', [
104
+ 'Complete encryption bypass',
105
+ 'Mass data decryption',
106
+ 'Cannot rotate compromised keys',
107
+ 'Source code disclosure reveals key',
108
+ 'Compliance violations (PCI-DSS 3.6.4)'
109
+ ], 'byte[] keyBytes = "hardcoded1234567".getBytes(); // Key in source code\nSecretKeySpec key = new SecretKeySpec(keyBytes, "AES");', 'import java.security.KeyStore;\n// Load key from secure keystore\nKeyStore keyStore = KeyStore.getInstance("JCEKS");\nkeyStore.load(new FileInputStream("keystore.jks"), password);\nKey key = keyStore.getKey("mykey", keyPassword);\n// OR use cloud KMS\nKmsClient kms = KmsClient.create();\nDecryptResponse response = kms.decrypt(req -> req.ciphertextBlob(encryptedKey));', 'Store keys in KeyStore, environment variables (with restrictions), or use cloud key management services (AWS KMS, Azure Key Vault). Never commit keys to version control. Implement key rotation policies'));
110
+ }
111
+ // 13. Static IV (Initialization Vector) - HIGH (Phase B)
112
+ const prevLine = index > 0 ? lines[index - 1] : '';
113
+ if ((trimmed.match(/\bIvParameterSpec\s*\(\s*new\s+byte\s*\[/) && !prevLine.match(/nextBytes|SecureRandom/)) ||
114
+ (trimmed.match(/\bIvParameterSpec/) && (trimmed.match(/\{\s*0/) || prevLine.match(/=\s*new\s+byte\s*\[/) && !prevLine.match(/nextBytes/)))) {
115
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('static-iv', 'Static or zero initialization vector (IV) detected', 'Generate unique random IV for each encryption operation using SecureRandom', lineNumber, 'Using the same IV (initialization vector) for multiple encryption operations with the same key allows attackers to detect patterns, compare messages, and potentially decrypt data. The IV must be unique and unpredictable for each encryption to ensure security. Zero IVs provide no randomness at all.', 'Encrypting two messages with same key and IV allows attacker to XOR ciphertexts and recover plaintext differences', [
116
+ 'Pattern analysis across encrypted messages',
117
+ 'Chosen-plaintext attacks',
118
+ 'Message forgery',
119
+ 'Partial plaintext recovery',
120
+ 'Breaks semantic security'
121
+ ], 'byte[] iv = new byte[16]; // All zeros\nIvParameterSpec ivSpec = new IvParameterSpec(iv); // Static IV, insecure', 'SecureRandom random = new SecureRandom();\nbyte[] iv = new byte[16];\nrandom.nextBytes(iv); // Unique random IV\nIvParameterSpec ivSpec = new IvParameterSpec(iv);\n// Store IV with ciphertext (IV is not secret)', 'Generate a new random IV for every encryption operation. The IV should be stored alongside the ciphertext (it does not need to be secret). For GCM mode, use 96-bit (12-byte) IVs'));
122
+ }
123
+ // 14. Insecure TLS configuration - CRITICAL (Phase B)
124
+ // Pattern 1: TrustManager that accepts all certificates
125
+ if (trimmed.match(/new\s+X509TrustManager\s*\(\s*\)/) ||
126
+ trimmed.match(/checkServerTrusted\s*\(/) && trimmed.match(/\{\s*\}/)) {
127
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('insecure-tls-trustmanager', 'Insecure TLS configuration - Trust all certificates detected', 'Use default TrustManager or configure proper certificate validation', lineNumber, 'Implementing a TrustManager that accepts all certificates (empty checkServerTrusted) disables certificate validation, making the application vulnerable to man-in-the-middle attacks. Attackers can intercept HTTPS traffic by presenting fake certificates, compromising all transmitted data including credentials and sensitive information.', 'Attacker uses self-signed certificate to intercept HTTPS traffic, capturing all transmitted data including API keys and passwords', [
128
+ 'Man-in-the-middle attacks',
129
+ 'Complete HTTPS security bypass',
130
+ 'Credential interception',
131
+ 'Data manipulation in transit',
132
+ 'Session hijacking'
133
+ ], 'TrustManager[] trustAll = new TrustManager[] {\n new X509TrustManager() {\n public void checkServerTrusted(X509Certificate[] certs, String authType) {} // Accepts all\n }\n};', '// Use default trust manager (validates certificates properly)\nSSLContext context = SSLContext.getInstance("TLSv1.3");\ncontext.init(null, null, null); // Uses default TrustManager\n// OR configure custom trust store with proper validation', 'Never disable certificate validation. Use the default TrustManager which validates against system trust store. If custom certificates are needed, add them to a KeyStore and configure a TrustManager that validates against it'));
134
+ }
135
+ // 15. Weak TLS versions - HIGH (Phase B)
136
+ if (trimmed.match(/SSLContext\s*\.\s*getInstance\s*\(\s*["'](SSL|SSLv2|SSLv3|TLSv1\.0|TLSv1\.1|TLSv1)['"]\s*\)/)) {
137
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('weak-tls-version', 'Weak TLS/SSL protocol version detected', 'Use TLSv1.2 or TLSv1.3: SSLContext.getInstance("TLSv1.3")', lineNumber, 'SSLv2, SSLv3, TLSv1.0, and TLSv1.1 have known vulnerabilities (POODLE, BEAST, CRIME) that allow attackers to decrypt traffic. These protocols are deprecated and should not be used. Modern applications must use TLS 1.2 (minimum) or TLS 1.3 (recommended) for secure communication.', 'TLSv1.0 vulnerable to BEAST attack allows attacker to decrypt HTTPS cookies and session tokens', [
138
+ 'POODLE attack (SSLv3)',
139
+ 'BEAST attack (TLSv1.0)',
140
+ 'CRIME/BREACH attacks',
141
+ 'Weak cipher suites',
142
+ 'Compliance violations (PCI-DSS requires TLS 1.2+)'
143
+ ], 'SSLContext context = SSLContext.getInstance("TLSv1"); // Weak, vulnerable to BEAST', 'SSLContext context = SSLContext.getInstance("TLSv1.3"); // Modern, secure\ncontext.init(null, null, null);', 'Use TLS 1.3 for new applications (best security and performance). TLS 1.2 is acceptable for compatibility. Disable all older protocols (SSLv2, SSLv3, TLSv1.0, TLSv1.1). Configure strong cipher suites'));
144
+ }
145
+ // 16. Disabled hostname verification - CRITICAL (Phase B)
146
+ // Detect lambda patterns: (hostname, session) -> true or ALLOW_ALL constant
147
+ if ((trimmed.includes('HostnameVerifier') && (trimmed.includes('-> true') || trimmed.includes('->true'))) ||
148
+ (trimmed.includes('HostnameVerifier') && trimmed.includes('return true')) ||
149
+ trimmed.includes('ALLOW_ALL_HOSTNAME_VERIFIER')) {
150
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('disabled-hostname-verification', 'Hostname verification disabled in TLS connection', 'Use default hostname verifier or implement proper hostname validation', lineNumber, 'Disabling hostname verification allows attackers to present valid certificates for different domains in man-in-the-middle attacks. Even with certificate validation, the attacker can use a legitimately issued certificate for a different domain they control to intercept traffic.', 'Attacker with certificate for evil.com can intercept traffic to bank.com because hostname is not verified', [
151
+ 'Man-in-the-middle with valid certificates',
152
+ 'Domain impersonation',
153
+ 'Certificate mismatch attacks',
154
+ 'Complete HTTPS bypass with legitimate certs',
155
+ 'Credential theft'
156
+ ], 'HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true); // Accepts any hostname', '// Use default hostname verifier (validates hostname matches certificate)\nHttpsURLConnection conn = (HttpsURLConnection) url.openConnection();\n// Default verifier is secure, no need to override', 'Never disable hostname verification. The default hostname verifier ensures the certificate common name (CN) or subject alternative name (SAN) matches the requested hostname. This is critical for preventing MITM attacks'));
157
+ }
158
+ });
159
+ return vulnerabilities;
160
+ }
161
+ //# sourceMappingURL=crypto-validation.js.map
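Review bot: The comment tracking at lines 27–33 of the file makes every check below it blind to code that shares a line with `*/`, and to everything after a `/*` that appears inside a string literal: the `*/` branch returns unconditionally, so `Cipher.getInstance("AES/ECB/PKCS5Padding"); /* todo */` is never scanned, and a line such as `String glob = "/*"` (or a `/* ... */` whose close is on the same line as the open) flips `inMultiLineComment` on until some later `*/` and silently suppresses findings in between; for a security scanner these are false negatives, so I would strip the commented part and keep scanning the remainder, as in the rewrite below (a string-literal-aware pass would be the complete fix, which is more than this suggests). A second gap is in check 10 at line 69: `Cipher.getInstance("AES")` with no mode resolves to ECB in the JDK's SunJCE provider, so the most common ECB usage never matches the `\/ECB\/` pattern — consider also flagging a transformation string that contains no `/`, e.g. `trimmed.match(/Cipher\s*\.\s*getInstance\s*\(\s*["'](?:AES|DES|DESede|Blowfish|RC2)["']\s*\)/)`. The sourcemap at the top of this chunk suggests code-quality.js uses the same comment-skipping skeleton, but its code is not visible here to confirm.
```javascript
    lines.forEach((line, index) => {
        let trimmed = line.trim();
        const lineNumber = index + 1;
        // Track multi-line comment blocks (/* ... */). Code that follows a
        // closing */ on the same line is kept so the checks below still see it.
        if (inMultiLineComment) {
            const close = trimmed.indexOf('*/');
            if (close === -1)
                return;
            inMultiLineComment = false;
            trimmed = trimmed.slice(close + 2).trim();
        }
        const open = trimmed.indexOf('/*');
        if (open !== -1) {
            const close = trimmed.indexOf('*/', open + 2);
            if (close === -1) {
                inMultiLineComment = true;
                trimmed = trimmed.slice(0, open).trim();
            }
            else {
                trimmed = (trimmed.slice(0, open) + ' ' + trimmed.slice(close + 2)).trim();
            }
        }
        // … unchanged: single-line comment / empty-line skip and checks 8–16 …
```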
@@ -0,0 +1 @@
1
+ {"version":3,"file":"crypto-validation.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/crypto-validation.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;AAUH,sDA2QC;AAlRD,sEAA+E;AAE/E;;;;GAIG;AACH,SAAgB,qBAAqB,CAAC,KAAe;IACnD,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAE7B,8CAA8C;QAC9C,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO;QAElG,oCAAoC;QACpC,8EAA8E;QAC9E,4FAA4F;QAC5F,sEAAsE;QACtE,MAAM,iBAAiB,GAAG,OAAO,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;QAC7D,IAAI,iBAAiB,EAAE,CAAC;YACtB,MAAM,kBAAkB,GAAG,OAAO,CAAC,KAAK,CAAC,gEAAgE,CAAC,CAAC;YAC3G,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;YAC7D,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC;YAC5E,MAAM,iBAAiB,GAAG,CAAC,GAAG,SAAS,EAAE,GAAG,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC9D,CAAC,CAAC,KAAK,CAAC,yEAAyE,CAAC;gBAClF,CAAC,CAAC,KAAK,CAAC,mGAAmG,CAAC,CAC7G,CAAC;YAEF,IAAI,kBAAkB,IAAI,iBAAiB,EAAE,CAAC;gBAC5C,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,aAAa,EACb,yDAAyD,EACzD,kEAAkE,EAClE,UAAU,EACV,qRAAqR,EACrR,8GAA8G,EAC9G;oBACE,mBAAmB;oBACnB,kBAAkB;oBAClB,0BAA0B;oBAC1B,8BAA8B;oBAC9B,uBAAuB;iBACxB,EACD,iGAAiG,EACjG,yPAAyP,EACzP,+LAA+L,CAChM,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,uBAAuB;QACvB,IAAI,OAAO,CAAC,KAAK,CAAC,yEAAyE,CAAC,EAAE,CAAC;YAC7F,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,eAAe,EACf,wDAAwD,EACxD,oFAAoF,EACpF,UAAU,EACV,8TAA8T,EAC9T,kHAAkH,EAClH;gBACE,yCAAyC;gBACzC,sCAAsC;gBACtC,uBAAuB;gBACvB,qBAAqB;gBACrB,uBAAuB;aACxB,EACD,6HAA6H,EAC7
H,uNAAuN,EACvN,uKAAuK,CACxK,CAAC,CAAC;QACL,CAAC;QAED,mCAAmC;QACnC,IAAI,OAAO,CAAC,KAAK,CAAC,yCAAyC,CAAC,EAAE,CAAC;YAC7D,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,qBAAqB,EACrB,6DAA6D,EAC7D,sFAAsF,EACtF,UAAU,EACV,gRAAgR,EAChR,4HAA4H,EAC5H;gBACE,yBAAyB;gBACzB,4BAA4B;gBAC5B,yBAAyB;gBACzB,2BAA2B;gBAC3B,iCAAiC;aAClC,EACD,sKAAsK,EACtK,uTAAuT,EACvT,0IAA0I,CAC3I,CAAC,CAAC;QACL,CAAC;QAED,2DAA2D;QAC3D,IAAI,OAAO,CAAC,KAAK,CAAC,8DAA8D,CAAC,EAAE,CAAC;YAClF,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,qBAAqB,EACrB,+CAA+C,EAC/C,qEAAqE,EACrE,UAAU,EACV,4SAA4S,EAC5S,4FAA4F,EAC5F;gBACE,0DAA0D;gBAC1D,gDAAgD;gBAChD,6CAA6C;gBAC7C,iCAAiC;gBACjC,wCAAwC;aACzC,EACD,2HAA2H,EAC3H,oRAAoR,EACpR,gKAAgK,CACjK,CAAC,CAAC;QACL,CAAC;QAED,sDAAsD;QACtD,IAAI,OAAO,CAAC,KAAK,CAAC,qDAAqD,CAAC,EAAE,CAAC;YACzE,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,iBAAiB,EACjB,kEAAkE,EAClE,qDAAqD,EACrD,UAAU,EACV,mSAAmS,EACnS,wGAAwG,EACxG;gBACE,4CAA4C;gBAC5C,2BAA2B;gBAC3B,2CAA2C;gBAC3C,mCAAmC;gBACnC,4CAA4C;aAC7C,EACD,uHAAuH,EACvH,mRAAmR,EACnR,yGAAyG,CAC1G,CAAC,CAAC;QACL,CAAC;QAED,qDAAqD;QACrD,oGAAoG;QACpG,IAAI,OAAO,CAAC,KAAK,CAAC,4BAA4B,CAAC;YAC3C,CAAC,OAAO,CAAC,KAAK,CAAC,sCAAsC,CAAC;gBACrD,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC9E,CAAC,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC,CAAC,EAAE,CAAC;YACnE,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,0BAA0B,EAC1B,mCAAmC,EACnC,0FAA0F,EAC1F,UAAU,EACV,yQAAyQ,EACzQ,sGAAsG,EACtG;gBACE,4BAA4B;gBAC5B,sBAAsB;gBACtB,gCAAgC;gBAChC,oCAAoC;gBACpC,uCAAuC;aACxC,EACD,iIAAiI,EACjI,mXAAmX,EACnX,2MAA2M,CAC5M,CAAC,CAAC;QACL,CAAC;QAED,yDAAyD;QACzD,MAAM,QAAQ,GAAG,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACnD,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,0CAA0C,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;YACxG,CAAC,OAAO,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,KAAK,CAAC,qBAAqB,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,C
AAC,EAAE,CAAC;YAC/I,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,WAAW,EACX,oDAAoD,EACpD,4EAA4E,EAC5E,UAAU,EACV,4SAA4S,EAC5S,mHAAmH,EACnH;gBACE,4CAA4C;gBAC5C,0BAA0B;gBAC1B,iBAAiB;gBACjB,4BAA4B;gBAC5B,0BAA0B;aAC3B,EACD,kHAAkH,EAClH,oNAAoN,EACpN,mLAAmL,CACpL,CAAC,CAAC;QACL,CAAC;QAED,sDAAsD;QACtD,wDAAwD;QACxD,IAAI,OAAO,CAAC,KAAK,CAAC,kCAAkC,CAAC;YACjD,OAAO,CAAC,KAAK,CAAC,yBAAyB,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;YACzE,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,2BAA2B,EAC3B,8DAA8D,EAC9D,qEAAqE,EACrE,UAAU,EACV,iVAAiV,EACjV,mIAAmI,EACnI;gBACE,2BAA2B;gBAC3B,gCAAgC;gBAChC,yBAAyB;gBACzB,8BAA8B;gBAC9B,mBAAmB;aACpB,EACD,qLAAqL,EACrL,kPAAkP,EAClP,iOAAiO,CAClO,CAAC,CAAC;QACL,CAAC;QAED,yCAAyC;QACzC,IAAI,OAAO,CAAC,KAAK,CAAC,6FAA6F,CAAC,EAAE,CAAC;YACjH,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,kBAAkB,EAClB,wCAAwC,EACxC,2DAA2D,EAC3D,UAAU,EACV,wRAAwR,EACxR,gGAAgG,EAChG;gBACE,uBAAuB;gBACvB,wBAAwB;gBACxB,sBAAsB;gBACtB,oBAAoB;gBACpB,mDAAmD;aACpD,EACD,oFAAoF,EACpF,4GAA4G,EAC5G,yMAAyM,CAC1M,CAAC,CAAC;QACL,CAAC;QAED,0DAA0D;QAC1D,4EAA4E;QAC5E,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;YACrG,CAAC,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YACzE,OAAO,CAAC,QAAQ,CAAC,6BAA6B,CAAC,EAAE,CAAC;YACpD,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,gCAAgC,EAChC,kDAAkD,EAClD,uEAAuE,EACvE,UAAU,EACV,uRAAuR,EACvR,2GAA2G,EAC3G;gBACE,2CAA2C;gBAC3C,sBAAsB;gBACtB,8BAA8B;gBAC9B,6CAA6C;gBAC7C,kBAAkB;aACnB,EACD,qGAAqG,EACrG,qMAAqM,EACrM,4NAA4N,CAC7N,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
@@ -0,0 +1,20 @@
1
+ /**
2
+ * Java Deserialization and XXE Detection Module
3
+ *
4
+ * OWASP A08:2021 - Software and Data Integrity Failures
5
+ *
6
+ * This module detects vulnerabilities related to unsafe data processing:
7
+ * - Insecure Deserialization (CRITICAL)
8
+ * - XML External Entity (XXE) attacks (HIGH)
9
+ *
10
+ * Both vulnerabilities can lead to Remote Code Execution and severe data breaches.
11
+ */
12
+ import { SecurityVulnerability } from '../../types';
13
+ /**
14
+ * Checks for deserialization and XXE vulnerabilities in Java code
15
+ *
16
+ * @param lines - Array of code lines to analyze
17
+ * @returns Array of detected security vulnerabilities
18
+ */
19
+ export declare function checkDeserializationAndXXE(lines: string[]): SecurityVulnerability[];
20
+ //# sourceMappingURL=deserialization-xxe.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"deserialization-xxe.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/deserialization-xxe.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,qBAAqB,EAAE,CA+LnF"}