codeslick-cli 1.0.4 → 1.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +31 -13
- package/bin/codeslick.cjs +19 -1
- package/dist/packages/cli/src/commands/scan.d.ts +3 -0
- package/dist/packages/cli/src/commands/scan.d.ts.map +1 -1
- package/dist/packages/cli/src/commands/scan.js +103 -24
- package/dist/packages/cli/src/commands/scan.js.map +1 -1
- package/dist/packages/cli/src/reporters/cli-reporter.d.ts +28 -2
- package/dist/packages/cli/src/reporters/cli-reporter.d.ts.map +1 -1
- package/dist/packages/cli/src/reporters/cli-reporter.js +393 -4
- package/dist/packages/cli/src/reporters/cli-reporter.js.map +1 -1
- package/dist/packages/cli/src/scanner/local-scanner.d.ts +5 -1
- package/dist/packages/cli/src/scanner/local-scanner.d.ts.map +1 -1
- package/dist/packages/cli/src/scanner/local-scanner.js +110 -16
- package/dist/packages/cli/src/scanner/local-scanner.js.map +1 -1
- package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.d.ts.map +1 -1
- package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.js +24 -16
- package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.js.map +1 -1
- package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts.map +1 -1
- package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js +4 -12
- package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js.map +1 -1
- package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts.map +1 -1
- package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js +22 -9
- package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js.map +1 -1
- package/dist/src/lib/analyzers/javascript-analyzer.d.ts.map +1 -1
- package/dist/src/lib/analyzers/javascript-analyzer.js +28 -13
- package/dist/src/lib/analyzers/javascript-analyzer.js.map +1 -1
- package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts.map +1 -1
- package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js +44 -18
- package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js.map +1 -1
- package/dist/src/lib/analyzers/python-analyzer.d.ts.map +1 -1
- package/dist/src/lib/analyzers/python-analyzer.js +21 -13
- package/dist/src/lib/analyzers/python-analyzer.js.map +1 -1
- package/dist/src/lib/analyzers/secrets/validators/context-checker.d.ts.map +1 -1
- package/dist/src/lib/analyzers/secrets/validators/context-checker.js +21 -0
- package/dist/src/lib/analyzers/secrets/validators/context-checker.js.map +1 -1
- package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts.map +1 -1
- package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js +4 -12
- package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js.map +1 -1
- package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.d.ts.map +1 -1
- package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js +25 -9
- package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js.map +1 -1
- package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts.map +1 -1
- package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js +14 -4
- package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js.map +1 -1
- package/dist/src/lib/analyzers/typescript/type-checker.d.ts +32 -0
- package/dist/src/lib/analyzers/typescript/type-checker.d.ts.map +1 -1
- package/dist/src/lib/analyzers/typescript/type-checker.js +264 -22
- package/dist/src/lib/analyzers/typescript/type-checker.js.map +1 -1
- package/dist/src/lib/analyzers/typescript-analyzer.d.ts.map +1 -1
- package/dist/src/lib/analyzers/typescript-analyzer.js +27 -23
- package/dist/src/lib/analyzers/typescript-analyzer.js.map +1 -1
- package/package.json +1 -1
- package/src/commands/scan.ts +77 -25
- package/src/reporters/cli-reporter.ts +449 -4
- package/src/scanner/local-scanner.ts +132 -19
|
@@ -76,17 +76,24 @@ function detectLanguage(filePath) {
|
|
|
76
76
|
}
|
|
77
77
|
/**
|
|
78
78
|
* Check if file should be excluded based on patterns
|
|
79
|
+
* Uses fast regex-based pattern matching (no filesystem scanning)
|
|
79
80
|
*/
|
|
80
81
|
function shouldExclude(filePath, excludePatterns) {
|
|
81
82
|
const relativePath = (0, path_1.relative)(process.cwd(), filePath);
|
|
83
|
+
// Also check with forward slashes for cross-platform compatibility
|
|
84
|
+
const normalizedPath = relativePath.replace(/\\/g, '/');
|
|
82
85
|
for (const pattern of excludePatterns) {
|
|
83
|
-
// Convert glob pattern to regex
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
.replace(
|
|
87
|
-
.replace(
|
|
88
|
-
.replace(
|
|
89
|
-
|
|
86
|
+
// Convert glob pattern to regex for fast matching
|
|
87
|
+
// Order matters: escape dots first, then handle glob patterns
|
|
88
|
+
const regexPattern = pattern
|
|
89
|
+
.replace(/\./g, '\\.') // Escape dots
|
|
90
|
+
.replace(/\*\*/g, '<<<GLOBSTAR>>>') // Temp placeholder for **
|
|
91
|
+
.replace(/\*/g, '[^/]*') // * matches anything except /
|
|
92
|
+
.replace(/<<<GLOBSTAR>>>/g, '.*') // ** matches anything including /
|
|
93
|
+
.replace(/\?/g, '.') // ? matches single char
|
|
94
|
+
.replace(/\{([^}]+)\}/g, (_, p1) => `(${p1.split(',').join('|')})`); // {a,b} -> (a|b)
|
|
95
|
+
const regex = new RegExp('^' + regexPattern + '$');
|
|
96
|
+
if (regex.test(normalizedPath) || regex.test(relativePath)) {
|
|
90
97
|
return true;
|
|
91
98
|
}
|
|
92
99
|
}
|
|
@@ -131,30 +138,32 @@ async function scanFile(filePath, config = {}) {
|
|
|
131
138
|
// Read file content
|
|
132
139
|
const code = await (0, promises_1.readFile)(filePath, 'utf-8');
|
|
133
140
|
// Import analyzer dynamically based on language
|
|
141
|
+
// Pass quickMode option to skip expensive type checking
|
|
142
|
+
const analyzerOptions = { quickMode: config.quickMode || false };
|
|
134
143
|
let result;
|
|
135
144
|
switch (language) {
|
|
136
145
|
case 'javascript': {
|
|
137
146
|
const { JavaScriptAnalyzer } = await Promise.resolve().then(() => __importStar(require('../../../../src/lib/analyzers/javascript-analyzer')));
|
|
138
147
|
const analyzer = new JavaScriptAnalyzer();
|
|
139
|
-
result = await analyzer.analyze({ code, filename: filePath });
|
|
148
|
+
result = await analyzer.analyze({ code, filename: filePath, options: analyzerOptions });
|
|
140
149
|
break;
|
|
141
150
|
}
|
|
142
151
|
case 'typescript': {
|
|
143
152
|
const { TypeScriptAnalyzer } = await Promise.resolve().then(() => __importStar(require('../../../../src/lib/analyzers/typescript-analyzer')));
|
|
144
153
|
const analyzer = new TypeScriptAnalyzer();
|
|
145
|
-
result = await analyzer.analyze({ code, filename: filePath });
|
|
154
|
+
result = await analyzer.analyze({ code, filename: filePath, options: analyzerOptions });
|
|
146
155
|
break;
|
|
147
156
|
}
|
|
148
157
|
case 'python': {
|
|
149
158
|
const { PythonAnalyzer } = await Promise.resolve().then(() => __importStar(require('../../../../src/lib/analyzers/python-analyzer')));
|
|
150
159
|
const analyzer = new PythonAnalyzer();
|
|
151
|
-
result = await analyzer.analyze({ code, filename: filePath });
|
|
160
|
+
result = await analyzer.analyze({ code, filename: filePath, options: analyzerOptions });
|
|
152
161
|
break;
|
|
153
162
|
}
|
|
154
163
|
case 'java': {
|
|
155
164
|
const { JavaAnalyzer } = await Promise.resolve().then(() => __importStar(require('../../../../src/lib/analyzers/java-analyzer')));
|
|
156
165
|
const analyzer = new JavaAnalyzer();
|
|
157
|
-
result = await analyzer.analyze({ code, filename: filePath });
|
|
166
|
+
result = await analyzer.analyze({ code, filename: filePath, options: analyzerOptions });
|
|
158
167
|
break;
|
|
159
168
|
}
|
|
160
169
|
default:
|
|
@@ -179,17 +188,102 @@ async function scanFile(filePath, config = {}) {
|
|
|
179
188
|
/**
|
|
180
189
|
* Scan multiple files for security vulnerabilities
|
|
181
190
|
*
|
|
182
|
-
*
|
|
191
|
+
* OPTIMIZED (Jan 15, 2026): Uses batch TypeScript compilation for 17x speedup
|
|
192
|
+
* - TypeScript files: Batch processed together (single ts.createProgram)
|
|
193
|
+
* - Other files: Processed in parallel as before
|
|
183
194
|
*
|
|
184
195
|
* @param filePaths - Array of absolute file paths
|
|
185
196
|
* @param config - Scanner configuration
|
|
186
197
|
* @returns Array of scan results (excluding skipped files)
|
|
187
198
|
*/
|
|
188
199
|
async function scanFiles(filePaths, config = {}) {
|
|
189
|
-
//
|
|
190
|
-
const
|
|
191
|
-
|
|
192
|
-
|
|
200
|
+
// Separate TypeScript files from others for batch processing
|
|
201
|
+
const tsFiles = [];
|
|
202
|
+
const otherFiles = [];
|
|
203
|
+
for (const filePath of filePaths) {
|
|
204
|
+
const language = detectLanguage(filePath);
|
|
205
|
+
if (language === 'typescript') {
|
|
206
|
+
// Check exclusions before adding to batch
|
|
207
|
+
if (!config.exclude || !shouldExclude(filePath, config.exclude)) {
|
|
208
|
+
tsFiles.push(filePath);
|
|
209
|
+
}
|
|
210
|
+
}
|
|
211
|
+
else if (language) {
|
|
212
|
+
otherFiles.push(filePath);
|
|
213
|
+
}
|
|
214
|
+
}
|
|
215
|
+
const results = [];
|
|
216
|
+
// Batch process TypeScript files (17x faster)
|
|
217
|
+
if (tsFiles.length > 0 && !config.quickMode) {
|
|
218
|
+
const batchResults = await scanTypeScriptBatch(tsFiles, config);
|
|
219
|
+
results.push(...batchResults);
|
|
220
|
+
}
|
|
221
|
+
else if (tsFiles.length > 0 && config.quickMode) {
|
|
222
|
+
// Quick mode: skip type checking, use parallel processing
|
|
223
|
+
const tsResults = await Promise.all(tsFiles.map((path) => scanFile(path, config)));
|
|
224
|
+
results.push(...tsResults.filter((r) => r !== null));
|
|
225
|
+
}
|
|
226
|
+
// Process other files in parallel (JS, Python, Java)
|
|
227
|
+
if (otherFiles.length > 0) {
|
|
228
|
+
const otherResults = await Promise.all(otherFiles.map((path) => scanFile(path, config)));
|
|
229
|
+
results.push(...otherResults.filter((r) => r !== null));
|
|
230
|
+
}
|
|
231
|
+
return results;
|
|
232
|
+
}
|
|
233
|
+
/**
|
|
234
|
+
* Batch scan TypeScript files using single ts.createProgram
|
|
235
|
+
* This is 17x faster than scanning each file individually
|
|
236
|
+
*/
|
|
237
|
+
async function scanTypeScriptBatch(filePaths, _config = {}) {
|
|
238
|
+
const { readFile } = await Promise.resolve().then(() => __importStar(require('fs/promises')));
|
|
239
|
+
const { relative } = await Promise.resolve().then(() => __importStar(require('path')));
|
|
240
|
+
// Import batch diagnostics function
|
|
241
|
+
const { getBatchTypeScriptDiagnostics, convertDiagnosticsToIssues } = await Promise.resolve().then(() => __importStar(require('../../../../src/lib/analyzers/typescript/type-checker')));
|
|
242
|
+
// Get batch diagnostics for all TypeScript files at once
|
|
243
|
+
const batchResult = getBatchTypeScriptDiagnostics(filePaths);
|
|
244
|
+
// Import TypeScript analyzer for security checks (runs separately)
|
|
245
|
+
const { TypeScriptAnalyzer } = await Promise.resolve().then(() => __importStar(require('../../../../src/lib/analyzers/typescript-analyzer')));
|
|
246
|
+
const results = [];
|
|
247
|
+
for (const filePath of filePaths) {
|
|
248
|
+
try {
|
|
249
|
+
const code = await readFile(filePath, 'utf-8');
|
|
250
|
+
// Run security analysis (regex-based, fast)
|
|
251
|
+
const analyzer = new TypeScriptAnalyzer();
|
|
252
|
+
// Use quickMode to skip the per-file type checking (we already did batch)
|
|
253
|
+
const result = await analyzer.analyze({ code, filename: filePath, options: { quickMode: true } });
|
|
254
|
+
// Add batch type diagnostics to the result
|
|
255
|
+
const fileDiagnostics = batchResult.diagnostics.get(filePath) || [];
|
|
256
|
+
if (fileDiagnostics.length > 0) {
|
|
257
|
+
const typeIssues = convertDiagnosticsToIssues(fileDiagnostics);
|
|
258
|
+
const typeVulnerabilities = typeIssues.map((issue) => ({
|
|
259
|
+
severity: issue.severity,
|
|
260
|
+
message: issue.message,
|
|
261
|
+
line: issue.line,
|
|
262
|
+
suggestion: issue.suggestion,
|
|
263
|
+
category: 'type-checking',
|
|
264
|
+
cvssScore: issue.cvssScore,
|
|
265
|
+
exploitLikelihood: issue.exploitLikelihood,
|
|
266
|
+
impact: issue.impact,
|
|
267
|
+
owasp: issue.owasp,
|
|
268
|
+
cwe: issue.cwe
|
|
269
|
+
}));
|
|
270
|
+
result.security.vulnerabilities.push(...typeVulnerabilities);
|
|
271
|
+
}
|
|
272
|
+
// Count vulnerabilities
|
|
273
|
+
const counts = countVulnerabilities(result);
|
|
274
|
+
results.push({
|
|
275
|
+
filePath,
|
|
276
|
+
relativePath: relative(process.cwd(), filePath),
|
|
277
|
+
language: 'typescript',
|
|
278
|
+
result,
|
|
279
|
+
...counts,
|
|
280
|
+
});
|
|
281
|
+
}
|
|
282
|
+
catch (error) {
|
|
283
|
+
console.error(`Error scanning ${filePath}:`, error);
|
|
284
|
+
}
|
|
285
|
+
}
|
|
286
|
+
return results;
|
|
193
287
|
}
|
|
194
288
|
/**
|
|
195
289
|
* Check if scan results meet severity threshold
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"local-scanner.js","sourceRoot":"","sources":["../../../../../src/scanner/local-scanner.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"local-scanner.js","sourceRoot":"","sources":["../../../../../src/scanner/local-scanner.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsCH,wCAoBC;AAMD,sCAwBC;AAKD,oDASC;AAeD,4BA4EC;AAaD,8BAuCC;AAmFD,4CAqBC;AA3VD,0CAAuC;AACvC,+BAAgC;AAgChC;;GAEG;AACH,SAAgB,cAAc,CAAC,QAAgB;IAC7C,MAAM,GAAG,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAEnC,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAChD,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAChD,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,aAAa,CAAC,QAAgB,EAAE,eAAyB;IACvE,MAAM,YAAY,GAAG,IAAA,eAAQ,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,QAAQ,CAAC,CAAC;IACvD,mEAAmE;IACnE,MAAM,cAAc,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAExD,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;QACtC,kDAAkD;QAClD,8DAA8D;QAC9D,MAAM,YAAY,GAAG,OAAO;aACzB,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAW,cAAc;aAC9C,OAAO,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAE,0BAA0B;aAC9D,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAS,8BAA8B;aAC9D,OAAO,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC,kCAAkC;aACnE,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAa,wBAAwB;aACxD,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,iBAAiB;QAExF,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,GAAG,GAAG,YAAY,GAAG,GAAG,CAAC,CAAC;QAEnD,IAAI,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YAC3D,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAAC,MAAsB;IACzD,MAAM,eAAe,GAAG,MAAM,CAAC,QAAQ,EAAE,eAAe,IAAI,EAAE,CAAC;IAE/D,OAAO;QACL,QAAQ,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,UAAU,CAAC,CAAC,MAAM;QAC5F,IAAI,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,CAAC,MAAM;QACpF,MAAM,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,QAAQ,CAAC,CAAC,MAAM;QACxF,GAAG,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,CAAC,MAAM;KACnF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;GAYG;AACI,KAAK,UAAU,QAAQ,CAC5B,QAAgB,EAChB,SAAwB,EAAE;IAE1B,IAAI,CAAC;QACH,kBAAkB;QAClB,MAAM,QAAQ,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;QAC1C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,IAAI,CAAC,CAAC,wBAAwB;QACvC,CAAC;QAED,mBAAmB;QACnB,IAAI,MAAM,CAAC,OAAO,IAAI,aAAa,CAAC,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9D,OAAO,IAAI,CAAC,CAAC,2BAA2B;QAC1C,CAAC;QAED,oBAAoB;QACpB,MAAM,IAAI,GAAG,MAAM,IAAA,mBAAQ,EAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAE/C,gDAAgD;QAChD,wDAAwD;QACxD,MAAM,eAAe,GAAG,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,KAAK,EAAE,CAAC;QACjE,IAAI,MAAsB,CAAC;QAE3B,QAAQ,QAAQ,EAAE,CAAC;YACjB,KAAK,YAAY,CAAC,CAAC,CAAC;gBAClB,MAAM,EAAE,kBAAkB,EAAE,GAAG,wDAC7B,mDAAmD,GACpD,CAAC;gBACF,MAAM,QAAQ,GAAG,IAAI,kBAAkB,EAAE,CAAC;gBAC1C,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAC;gBACxF,MAAM;YACR,CAAC;YAED,KAAK,YAAY,CAAC,CAAC,CAAC;gBAClB,MAAM,EAAE,kBAAkB,EAAE,GAAG,wDAC7B,mDAAmD,GACpD,CAAC;gBACF,MAAM,QAAQ,GAAG,IAAI,kBAAkB,EAAE,CAAC;gBAC1C,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAC;gBACxF,MAAM;YACR,CAAC;YAED,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,EAAE,cAAc,EAAE,GAAG,wDAAa,+CAA+C,GAAC,CAAC;gBACzF,MAAM,QAAQ,GAAG,IAAI,cAAc,EAAE,CAAC;gBACtC,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAC;gBACxF,MAAM;YACR,CAAC;YAED,KAAK,MAAM,CAAC,CAAC,CAAC;gBACZ,MAAM,EAAE,YAAY,EAAE,GAAG,wDAAa,6CAA6C,GAAC,CAAC;gBACrF,MAAM,QAAQ,GAAG,IAAI,YAAY,EAAE,CAAC;gBACpC,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAC;gBACxF,MAAM;YACR,CAAC;YAED;gBACE,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,oCAAoC;QACpC,MAAM,MAAM,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;QAE5C,OAAO;YACL,QAAQ;YACR,YAAY,EAAE,IAAA,eAAQ,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,QAAQ,CAAC;YAC/C,QAAQ;YACR,MAAM;YACN,GAAG,MAAM;SACV,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,8CAA8C;QAC9C,OAAO,CAAC,KAAK,CAAC,kBAAkB,QAAQ,GAAG,EAAE,KAAK,CAAC,CAAC;QACpD,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACI,KAAK,UAAU,SAAS,CAC7B,SAAmB,EACnB,SAAwB,EAAE;IAE1B,6DAA6D;IAC7D,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;QAC1C,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC9B,0CAA0C;YAC1C,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;gBAChE,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;aAAM,IAAI,QAAQ,EAAE,CAAC;YACpB,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAqB,EAAE,CAAC;IAErC,8CAA8C;IAC9C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QAC5C,MAAM,YAAY,GAAG,MAAM,mBAAmB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAChE,OAAO,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;IAChC,CAAC;SAAM,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QAClD,0DAA0D;QAC1D,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;QACnF,OAAO,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAuB,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC;IAC5E,CAAC;IAED,qDAAqD;IACrD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;QACzF,OAAO,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAuB,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC;IAC/E,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,mBAAmB,CAChC,SAAmB,EACnB,UAAyB,EAAE;IAE3B,MAAM,EAAE,QAAQ,EAAE,GAAG,wDAAa,aAAa,GAAC,CAAC;IACjD,MAAM,EAAE,QAAQ,EAAE,GAAG,wDAAa,MAAM,GAAC,CAAC;IAE1C,oCAAoC;IACpC,MAAM,EAAE,6BAA6B,EAAE,0BAA0B,EAAE,GAAG,wDACpE,uDAAuD,GACxD,CAAC;IAEF,yDAAyD;IACzD,MAAM,WAAW,GAAG,6BAA6B,CAAC,SAAS,CAAC,CAAC;IAE7D,mEAAmE;IACnE,MAAM,EAAE,kBAAkB,EAAE,GAAG,wDAC7B,mDAAmD,GACpD,CAAC;IAEF,MAAM,OAAO,GAAqB,EAAE,CAAC;IAErC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAE/C,4CAA4C;YAC5C,MAAM,QAAQ,GAAG,IAAI,kBAAkB,EAAE,CAAC;YAC1C,0EAA0E;YAC1E,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;YAElG,2CAA2C;YAC3C,MAAM,eAAe,GAAG,WAAW,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YACpE,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,MAAM,UAAU,GAAG,0BAA0B,CAAC,eAAe,CAAC,CAAC;gBAC/D,MAAM,mBAAmB,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,KAAU,EAAE,EAAE,CAAC,CAAC;oBAC1D,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,OAAO,EAAE,KAAK,CAAC,OAAO;oBACtB,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,UAAU,EAAE,KAAK,CAAC,UAAU;oBAC5B,QAAQ,EAAE,eAAe;oBACzB,SAAS,EAAE,KAAK,CAAC,SAAS;oBAC1B,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;oBAC1C,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,KAAK,EAAE,KAAK,CAAC,KAAK;oBAClB,GAAG,EAAE,KAAK,CAAC,GAAG;iBACf,CAAC,CAAC,CAAC;gBACJ,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,CAAC;YAC/D,CAAC;YAED,wBAAwB;YACxB,MAAM,MAAM,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;YAE5C,OAAO,CAAC,IAAI,CAAC;gBACX,QAAQ;gBACR,YAAY,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,QAAQ,CAAC;gBAC/C,QAAQ,EAAE,YAAY;gBACtB,MAAM;gBACN,GAAG,MAAM;aACV,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,kBAAkB,QAAQ,GAAG,EAAE,KAAK,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;;;GAQG;AACH,SAAgB,gBAAgB,CAC9B,OAAyB,EACzB,SAAiD;IAEjD,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;IACtE,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAC9D,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAClE,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IAE5D,QAAQ,SAAS,EAAE,CAAC;QAClB,KAAK,UAAU;YACb,OAAO,aAAa,GAAG,CAAC,CAAC;QAC3B,KAAK,MAAM;YACT,OAAO,aAAa,GAAG,CAAC,IAAI,SAAS,GAAG,CAAC,CAAC;QAC5C,KAAK,QAAQ;YACX,OAAO,aAAa,GAAG,CAAC,IAAI,SAAS,GAAG,CAAC,IAAI,WAAW,GAAG,CAAC,CAAC;QAC/D,KAAK,KAAK;YACR,OAAO,aAAa,GAAG,CAAC,IAAI,SAAS,GAAG,CAAC,IAAI,WAAW,GAAG,CAAC,IAAI,QAAQ,GAAG,CAAC,CAAC;QAC/E;YACE,OAAO,aAAa,GAAG,CAAC,CAAC;IAC7B,CAAC;AACH,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"hardcoded-credentials.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/hardcoded-credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;GAIG;AACH,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,qBAAqB,EAAE,
|
|
1
|
+
{"version":3,"file":"hardcoded-credentials.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/hardcoded-credentials.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;GAIG;AACH,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,qBAAqB,EAAE,CAkLlF"}
|
|
@@ -41,22 +41,30 @@ function checkHardcodedCredentials(lines) {
|
|
|
41
41
|
return;
|
|
42
42
|
}
|
|
43
43
|
// 7. Hardcoded credentials - CRITICAL
|
|
44
|
-
//
|
|
45
|
-
//
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
!trimmed.includes('
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
44
|
+
// Pattern: Direct assignment of string literal to credential variables
|
|
45
|
+
// Matches: apiKey = "...", DB_PASSWORD = "...", authToken = "...", dbPassword = "...", etc.
|
|
46
|
+
const credentialMatch = trimmed.match(/(password|passwd|pwd|secret|apiKey|api[_-]?key|privateKey|private[_-]?key|auth[_-]?token|db[_-]?password|jwt[_-]?secret|credential)\s*=\s*"([^"]{8,})"/i);
|
|
47
|
+
if (credentialMatch &&
|
|
48
|
+
!trimmed.includes('System.getenv') &&
|
|
49
|
+
!trimmed.includes('config.') &&
|
|
50
|
+
!trimmed.includes('properties') &&
|
|
51
|
+
!trimmed.includes('System.out') && // Skip System.out statements
|
|
52
|
+
!trimmed.includes('logger.') && // Skip logger statements
|
|
53
|
+
!trimmed.match(/@[\w.-]+\.[\w.-]+/)) { // Skip email addresses (more specific pattern)
|
|
54
|
+
const credentialValue = credentialMatch[2];
|
|
55
|
+
// Additional validation: check if value looks like a real credential
|
|
56
|
+
const isRealCredential = credentialValue.length >= 8 &&
|
|
57
|
+
!credentialValue.match(/^(test|example|demo|sample|fake|your|placeholder)/i) &&
|
|
58
|
+
!credentialValue.match(/^(.)\1+$/); // Skip repeated characters
|
|
59
|
+
if (isRealCredential) {
|
|
60
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('hardcoded-credentials', 'Hardcoded credentials detected in source code', 'Use environment variables (System.getenv()), configuration files, or secret management services', lineNumber, 'Hardcoded credentials in source code are visible to anyone with access to the codebase, version control history, compiled bytecode, or decompiled classes. This includes developers, contractors, attackers who gain access to repositories, and anyone analyzing JAR files.', 'String password = "SecretPass123"; // Visible in source, Git history, and decompiled bytecode', [
|
|
61
|
+
'Credential exposure in version control',
|
|
62
|
+
'Unauthorized system access',
|
|
63
|
+
'Data breach',
|
|
64
|
+
'Compliance violations (PCI-DSS, GDPR)',
|
|
65
|
+
'Credential reuse across systems'
|
|
66
|
+
], 'String dbPassword = "MySecretP@ssw0rd";\nConnection conn = DriverManager.getConnection(url, username, dbPassword);', 'String dbPassword = System.getenv("DB_PASSWORD"); // From environment variable\n// Or with Spring: @Value("${db.password}") private String dbPassword;\nConnection conn = DriverManager.getConnection(url, username, dbPassword);', 'Store credentials in environment variables, external configuration files, or dedicated secret management services (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault). Never commit credentials to source control'));
|
|
67
|
+
}
|
|
60
68
|
}
|
|
61
69
|
// 7b. AWS credentials - CRITICAL (PRIORITY 1 FIX)
|
|
62
70
|
// Detect AWS Access Key ID (starts with AKIA) and AWS Secret Access Key patterns
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"hardcoded-credentials.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/hardcoded-credentials.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAUH,
|
|
1
|
+
{"version":3,"file":"hardcoded-credentials.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/hardcoded-credentials.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAUH,8DAkLC;AAzLD,sEAA+E;AAE/E;;;;GAIG;AACH,SAAgB,yBAAyB,CAAC,KAAe;IACvD,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAE7B,wDAAwD;QACxD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO,CAAC,wBAAwB;QAClC,CAAC;QAED,+EAA+E;QAC/E,8DAA8D;QAC9D,IAAI,CAAC,OAAO;YACR,kBAAkB;YAClB,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7B,OAAO;QACT,CAAC;QAED,sCAAsC;QACtC,uEAAuE;QACvE,4FAA4F;QAC5F,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,yJAAyJ,CAAC,CAAC;QAEjM,IAAI,eAAe;YACf,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC;YAClC,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC5B,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;YAC/B,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAO,6BAA6B;YACnE,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAU,yBAAyB;YAC/D,CAAC,OAAO,CAAC,KAAK,CAAC,mBAAmB,CAAC,EAAE,CAAC,CAAE,+CAA+C;YAEzF,MAAM,eAAe,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;YAE3C,qEAAqE;YACrE,MAAM,gBAAgB,GACpB,eAAe,CAAC,MAAM,IAAI,CAAC;gBAC3B,CAAC,eAAe,CAAC,KAAK,CAAC,oDAAoD,CAAC;gBAC5E,CAAC,eAAe,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,2BAA2B;YAEjE,IAAI,gBAAgB,EAAE,CAAC;gBACrB,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,uBAAuB,EACvB,+CAA+C,EAC/C,iGAAiG,EACjG,UAAU,EACV,8QAA8Q,EAC9Q,+FAA+F,EAC/F;oBACE,wCAAwC;oBACxC,4BAA4B;oBAC5B,aAAa;oBACb,uCAAuC;oBACvC,iCAAiC;iBAClC,EACD,oHAAoH,EACpH,mOAAmO,EACnO,uNAAuN,CACxN,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,kDAAkD;QAClD,iFAAiF;QACjF,IAAI,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,IAAI,oBAAoB;YAC3D,OAAO,CAAC,KAAK,CAAC,sBAAsB,CAAC,IAAI,+CAA+C;YACxF,CAAC,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,EAAE,CAAC;YACxE,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,uBAAuB,EACvB,mDAAmD,EACnD,oFAAoF,EACpF,UAAU,EACV,kNAAkN,EAClN,iHAAiH,EACjH;gBACE,kCAAkC;gBAClC,wCAAwC;gBACxC,4BAA4B;gBAC5B,2BAA2B;gBAC3B,oCAAoC;aACrC,EACD,gKAAgK,EAChK,0SAA0S,EAC1S,0MAA0M,CAC3M,CAAC,CAAC;QACL,CAAC;QAED,kDAAkD;QAClD,uCAAuC;QACvC,IAAI,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC;YACvD,CAAC,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,EAAE,CAAC;YACnF,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,uBAAuB,EACvB,kDAAkD,EAClD,2EAA2E,EAC3E,UAAU,EACV,0PAA0P,EAC1P,sFAAsF,EACtF;gBACE,iCAAiC;gBACjC,yCAAyC;gBACzC,oBAAoB;gBACpB,yBAAyB;gBACzB,+BAA+B;aAChC,EACD,kFAAkF,EAClF,iMAAiM,EACjM,8MAA8M,CAC/M,CAAC,CAAC;QACL,CAAC;QAED,2DAA2D;QAC3D,sFAAsF;QACtF,IAAI,OAAO,CAAC,KAAK,CAAC,oCAAoC,CAAC;YACnD,CAAC,OAAO,CAAC,KAAK,CAAC,oCAAoC,CAAC;gBACnD,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,oCAAoC,CAAC;gBAC1E,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,oCAAoC,CAAC,CAAC,EAAE,CAAC;YAChG,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,uBAAuB,EACvB,iDAAiD,EACjD,0GAA0G,EAC1G,UAAU,EACV,2MAA2M,EAC3M,8GAA8G,EAC9G;gBACE,yBAAyB;gBACzB,8BAA8B;gBAC9B,uBAAuB;gBACvB,gCAAgC;gBAChC,yCAAyC;aAC1C,EACD,wKAAwK,EACxK,yZAAyZ,EACzZ,0MAA0M,CAC3M,CAAC,CAAC;QACL,CAAC;QAED,2EAA2E;QAC3E,mFAAmF;QACnF,6FAA6F;QAC7F,IAAI,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,EAAE,CAAC;YACpD,+CAA+C;YAC/C,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;YAClC,kFAAkF;YAClF,iFAAiF;YACjF,MAAM,WAAW,GAAG,QAAQ;gBAC1B,QAAQ,CAAC,KAAK,CAAC,+FAA+F,CAAC,CAAC;YAElH,IAAI,WAAW,EAAE,CAAC;gBAChB,eAAe,CAAC,IAAI,CAAC,IAAA,qDAA+B,EAClD,uBAAuB,EACvB,4CAA4C,EAC5C,4EAA4E,EAC5E,UAAU,EACV,mRAAmR,EACnR,4FAA4F,EAC5F;oBACE,wCAAwC;oBACxC,4BAA4B;oBAC5B,uCAAuC;oBACvC,sCAAsC;oBACtC,gCAAgC;iBACjC,EACD,uIAAuI,EACvI,4PAA4P,EAC5P,kPAAkP,CACnP,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ai-generated-code.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/ai-generated-code.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"ai-generated-code.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/ai-generated-code.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAgGpD;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,MAAM,EAAE,EACf,QAAQ,CAAC,EAAE,MAAM,GAChB,qBAAqB,EAAE,CAwJzB"}
|
|
@@ -83,16 +83,7 @@ const HALLUCINATION_PATTERNS = new Map([
|
|
|
83
83
|
correct: '.length or .size()',
|
|
84
84
|
description: 'Arrays use .length property. Maps/Sets use .size property (not method).'
|
|
85
85
|
}],
|
|
86
|
-
//
|
|
87
|
-
['indexOf', {
|
|
88
|
-
correct: '.indexOf() or .findIndex()',
|
|
89
|
-
description: 'Method exists but often misused. Consider .findIndex() for complex searches.'
|
|
90
|
-
}],
|
|
91
|
-
// String method confusion
|
|
92
|
-
['charAt', {
|
|
93
|
-
correct: '[index]',
|
|
94
|
-
description: 'Modern JavaScript prefers bracket notation [index] over .charAt().'
|
|
95
|
-
}],
|
|
86
|
+
// Note: .indexOf() and .charAt() are VALID JavaScript methods - do not flag them
|
|
96
87
|
]);
|
|
97
88
|
/**
|
|
98
89
|
* Detect AI-generated code in JavaScript
|
|
@@ -109,10 +100,11 @@ function checkAIGeneratedCode(lines, filename) {
|
|
|
109
100
|
let hallucinationCount = 0;
|
|
110
101
|
const hallucinationLines = new Set();
|
|
111
102
|
const detectedPatterns = [];
|
|
112
|
-
// Combined regex for
|
|
103
|
+
// Combined regex for hallucination patterns (optimized)
|
|
104
|
+
// Note: indexOf and charAt are VALID JS methods - not included here
|
|
113
105
|
const combinedPattern = new RegExp('\\.' +
|
|
114
106
|
'(append|strip|len|split_by|toUppercase|toLowercase|contains|remove|' +
|
|
115
|
-
'replace_all|substring_of|to_string|is_empty|size
|
|
107
|
+
'replace_all|substring_of|to_string|is_empty|size)' +
|
|
116
108
|
'\\s*\\(', 'g');
|
|
117
109
|
let inMultiLineComment = false;
|
|
118
110
|
// 1. Detect hallucination patterns
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ai-generated-code.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/ai-generated-code.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;
|
|
1
|
+
{"version":3,"file":"ai-generated-code.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/ai-generated-code.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;AAyGH,oDA2JC;AAjQD,sEAAqF;AACrF,mFAY+C;AAU/C;;;;;;;GAOG;AACH,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAA+B;IACnE,qCAAqC;IACrC,CAAC,QAAQ,EAAE;YACT,OAAO,EAAE,SAAS;YAClB,WAAW,EAAE,wEAAwE;SACtF,CAAC;IACF,CAAC,OAAO,EAAE;YACR,OAAO,EAAE,SAAS;YAClB,WAAW,EAAE,wEAAwE;SACtF,CAAC;IACF,CAAC,KAAK,EAAE;YACN,OAAO,EAAE,SAAS;YAClB,WAAW,EAAE,kFAAkF;SAChG,CAAC;IACF,CAAC,UAAU,EAAE;YACX,OAAO,EAAE,UAAU;YACnB,WAAW,EAAE,sEAAsE;SACpF,CAAC;IAEF,4CAA4C;IAC5C,CAAC,aAAa,EAAE;YACd,OAAO,EAAE,gBAAgB;YACzB,WAAW,EAAE,0EAA0E;SACxF,CAAC;IACF,CAAC,aAAa,EAAE;YACd,OAAO,EAAE,gBAAgB;YACzB,WAAW,EAAE,0EAA0E;SACxF,CAAC;IAEF,wCAAwC;IACxC,CAAC,UAAU,EAAE;YACX,OAAO,EAAE,aAAa;YACtB,WAAW,EAAE,kFAAkF;SAChG,CAAC;IACF,CAAC,QAAQ,EAAE;YACT,OAAO,EAAE,wBAAwB;YACjC,WAAW,EAAE,kEAAkE;SAChF,CAAC;IACF,CAAC,aAAa,EAAE;YACd,OAAO,EAAE,eAAe;YACxB,WAAW,EAAE,kEAAkE;SAChF,CAAC;IACF,CAAC,cAAc,EAAE;YACf,OAAO,EAAE,aAAa;YACtB,WAAW,EAAE,6EAA6E;SAC3F,CAAC;IACF,CAAC,WAAW,EAAE;YACZ,OAAO,EAAE,aAAa;YACtB,WAAW,EAAE,qEAAqE;SACnF,CAAC;IACF,CAAC,UAAU,EAAE;YACX,OAAO,EAAE,eAAe;YACxB,WAAW,EAAE,oFAAoF;SAClG,CAAC;IAEF,wBAAwB;IACxB,CAAC,MAAM,EAAE;YACP,OAAO,EAAE,oBAAoB;YAC7B,WAAW,EAAE,yEAAyE;SACvF,CAAC;IAEF,iFAAiF;CAClF,CAAC,CAAC;AAEH;;;;;;GAMG;AACH,SAAgB,oBAAoB,CAClC,KAAe,EACf,QAAiB;IAEjB,4CAA4C;IAC5C,IAAI,IAAA,oCAAU,EAAC,QAAQ,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,kBAAkB,GAAG,CAAC,CAAC;IAC3B,MAAM,kBAAkB,GAAG,IAAI,GAAG,EAAU,CAAC;IAC7C,MAAM,gBAAgB,GAAa,EAAE,CAAC;IAEtC,wDAAwD;IACxD,oEAAoE;IACpE,MAAM,eAAe,GAAG,IAAI,MAAM,CAChC,KAAK;QACL,qEAAqE;QACrE,mDAAmD;QACnD,SAAS,EACT,GAAG,CACJ,CAAC;IAEF,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,mCAAmC;IACnC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,wCAAwC;QACxC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;YAAE,kBAAkB,GAAG,IAAI,CAAC;QACtD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,OAAO;QAEvE,wEAAwE;QACxE,MAAM,WAAW,GAAG,IAAA,kDAAwB,EAAC,IAAI,EAAE,YAAY,CAAC,CAAC;QAEjE,+BAA+B;QAC/B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC;QAElE,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACxB,MAAM,OAAO,GAAG,sBAAsB,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAEnD,IAAI,OAAO,EAAE,CAAC;gBACZ,kBAAkB,EAAE,CAAC;gBACrB,kBAAkB,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;gBACnC,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAChC,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,6BAA6B;IAC7B,MAAM,eAAe,GAAG;QACtB,oBAAoB,EAAE,IAAA,2DAAiC,EAAC,KAAK,CAAC;QAC9D,mBAAmB,EAAE,IAAA,mDAAyB,EAAC,KAAK,CAAC;QACrD,eAAe,EAAE,IAAA,+CAAqB,EAAC,KAAK,CAAC;QAC7C,WAAW,EAAE,IAAA,sDAA4B,EAAC,KAAK,CAAC;QAChD,mBAAmB,EAAE,IAAA,mDAAyB,EAAC,KAAK,CAAC;QACrD,gBAAgB,EAAE,IAAA,gDAAsB,EAAC,KAAK,CAAC;QAC/C,gBAAgB,EAAE,IAAA,sDAA4B,EAAC,KAAK,CAAC;QACrD,mBAAmB,EAAE,IAAA,+DAAqC,EAAC,KAAK,CAAC;KAClE,CAAC;IAEF,uCAAuC;IACvC,MAAM,SAAS,GAAG,IAAA,mDAAyB,EAAC,kBAAkB,EAAE,eAAe,CAAC,CAAC;IAEjF,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,EAAE,CAAC,CAAC,gCAAgC;IAC7C,CAAC;IAED,qCAAqC;IACrC,MAAM,UAAU,GACd,SAAS,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC;QAC9D,SAAS,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,0BAA0B,CAAC,CAAC;YAC5D,uBAAuB,CAAC;IAE1B,wCAAwC;IACxC,IAAI,OAAO,GAAG,+BAA+B,SAAS,CAAC,UAAU,gBAAgB,CAAC;IAElF,IAAI,kBAAkB,GAAG,CAAC,EAAE,CAAC;QAC3B,OAAO,IAAI,GAAG,kBAAkB,+BAA+B,CAAC;QAChE,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YACzE,OAAO,IAAI,MAAM,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC;QACjD,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,IAAI,qFAAqF,CAAC;IACnG,CAAC;IAED,mBAAmB;IACnB,MAAM,UAAU,GAAG,kBAAkB,GAAG,CAAC;QACvC,CAAC,CAAC,4EAA4E,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,kDAAkD;QACpM,CAAC,CAAC,sMAAsM,CAAC;IAE3M,2CAA2C;IAC3C,MAAM,UAAU,GAAG,kBAAkB,CAAC,IAAI,GAAG,CAAC;QAC5C,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,kBAAkB,CAAC;QACjC,CAAC,CAAC,CAAC,CAAC,CAAC,6CAA6C;IAEpD,6DAA6D;IAC7D,MAAM,YAAY,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;IACzC,MAAM,mBAAmB,GAAG,YAAY,CAAC,CAAC,CAAC,sBAAsB,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAE3F,OAAO;QACL,IAAA,2DAAqC,EAAC;YACpC,QAAQ,EAAE,UAAU;YACpB,QAAQ,EAAE,SAAS,CAAC,QAAQ,CAAC,WAAW,EAAoC;YAC5E,UAAU,EAAE,SAAS,CAAC,UAAU;YAChC,OAAO;YACP,IAAI,EAAE,UAAU;YAChB,UAAU;YACV,KAAK,EAAE,4BAA4B;YACnC,GAAG,EAAE,mBAAmB;YACxB,MAAM,EAAE,KAAK;YACb,WAAW,EAAE;gBACX,WAAW,EACT,uIAAuI;oBACvI,kJAAkJ;oBAClJ,oHAAoH;oBACpH,sGAAsG;gBACxG,MAAM,EAAE,mBAAmB;oBACzB,CAAC,CAAC,SAAS,YAAY,gCAAgC;oBACvD,CAAC,CAAC,gIAAgI;gBACpI,KAAK,EAAE,mBAAmB;oBACxB,CAAC,CAAC,QAAQ,mBAAmB,CAAC,OAAO,yBAAyB;oBAC9D,CAAC,CAAC,6HAA6H;aAClI;YACD,YAAY,EAAE;gBACZ,WAAW,EACT,mIAAmI;oBACnI,gHAAgH;oBAChH,8HAA8H;oBAC9H,gFAAgF;gBAClF,cAAc,EACZ,qCAAqC;oBACrC,qDAAqD;oBACrD,mFAAmF;oBACnF,+EAA+E;gBACjF,eAAe,EAAE;oBACf,qEAAqE;oBACrE,8EAA8E;oBAC9E,4EAA4E;oBAC5E,wEAAwE;oBACxE,yEAAyE;iBAC1E;aACF;SACF,CAAC;KACH,CAAC;AACJ,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"credential-crypto.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/credential-crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAEpD;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAAG,CAClC,EAAE,EAAE,MAAM,EACV,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EAAE,EACjB,WAAW,EAAE,MAAM,EACnB,gBAAgB,EAAE,MAAM,EACxB,UAAU,EAAE,MAAM,KACf,qBAAqB,CAAC;AAE3B;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,IAAI,EAAE,MAAM,EACZ,mBAAmB,EAAE,qBAAqB,GACzC,qBAAqB,EAAE,
|
|
1
|
+
{"version":3,"file":"credential-crypto.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/credential-crypto.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAEpD;;GAEG;AACH,MAAM,MAAM,qBAAqB,GAAG,CAClC,EAAE,EAAE,MAAM,EACV,OAAO,EAAE,MAAM,EACf,GAAG,EAAE,MAAM,EACX,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EAAE,EACjB,WAAW,EAAE,MAAM,EACnB,gBAAgB,EAAE,MAAM,EACxB,UAAU,EAAE,MAAM,KACf,qBAAqB,CAAC;AAE3B;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,IAAI,EAAE,MAAM,EACZ,mBAAmB,EAAE,qBAAqB,GACzC,qBAAqB,EAAE,CAmTzB"}
|
|
@@ -43,18 +43,31 @@ function checkCredentialCrypto(code, createVulnerability) {
|
|
|
43
43
|
}
|
|
44
44
|
// OWASP A07:2021 - Authentication & Identification Failures
|
|
45
45
|
// 1. Hardcoded credentials - CRITICAL
|
|
46
|
-
|
|
47
|
-
|
|
46
|
+
// Pattern: Direct assignment of string literal to credential variables
|
|
47
|
+
const credentialMatch = trimmed.match(/(password|passwd|pwd|secret|api[_-]?key|private[_-]?key|auth[_-]?token|jwt[_-]?secret|db[_-]?password|encryption[_-]?key)\s*[:=]\s*(['"`])([^'"`]{8,})\2/i);
|
|
48
|
+
if (credentialMatch &&
|
|
48
49
|
!trimmed.includes('process.env') &&
|
|
49
50
|
!trimmed.includes('config.') &&
|
|
51
|
+
!trimmed.includes('console.') && // Skip console.log statements
|
|
52
|
+
!trimmed.includes('logger.') && // Skip logger statements
|
|
53
|
+
!trimmed.match(/@[\w.-]+\.[\w.-]+/) && // Skip email addresses (more specific pattern)
|
|
54
|
+
!trimmed.match(/allowedEmails|allowedUsernames/i) && // Skip whitelist arrays
|
|
55
|
+
!trimmed.match(/localStorage|sessionStorage/i) && // Skip storage key names
|
|
50
56
|
!trimmed.startsWith('//')) {
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
57
|
+
const credentialValue = credentialMatch[3];
|
|
58
|
+
// Additional validation: check if value looks like a real credential
|
|
59
|
+
const isRealCredential = credentialValue.length >= 8 &&
|
|
60
|
+
!credentialValue.match(/^(test|example|demo|sample|fake|your|placeholder)/i) &&
|
|
61
|
+
!credentialValue.match(/^(.)\1+$/); // Skip repeated characters
|
|
62
|
+
if (isRealCredential) {
|
|
63
|
+
vulnerabilities.push(createVulnerability('hardcoded-credentials', 'Hardcoded credentials exposed in source code', 'Use environment variables (process.env) or secret management services', lineNumber, 'Hardcoded credentials in source code are visible to anyone with access to the repository, including attackers who gain access to the codebase.', 'const password = "MySecretPass123" // Visible in Git history forever', [
|
|
64
|
+
'Unauthorized access to systems',
|
|
65
|
+
'Account takeover',
|
|
66
|
+
'Data breach',
|
|
67
|
+
'Lateral movement in infrastructure',
|
|
68
|
+
'Cannot be rotated without code changes'
|
|
69
|
+
], 'const apiKey = "sk-1234567890abcdef";', 'const apiKey = process.env.API_KEY; // Store in .env file (add to .gitignore)', 'Store secrets in environment variables or secret management services (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault)'));
|
|
70
|
+
}
|
|
58
71
|
}
|
|
59
72
|
// OWASP A02:2021 - Cryptographic Failures
|
|
60
73
|
// 2. Math.random() for security - MEDIUM
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"credential-crypto.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/credential-crypto.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;AA2BH,
|
|
1
|
+
{"version":3,"file":"credential-crypto.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/credential-crypto.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;AA2BH,sDAsTC;AA7TD;;;;;;GAMG;AACH,SAAgB,qBAAqB,CACnC,IAAY,EACZ,mBAA0C;IAE1C,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,kCAAkC;QAClC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1F,OAAO;QACT,CAAC;QAED,4DAA4D;QAC5D,sCAAsC;QACtC,uEAAuE;QACvE,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,2JAA2J,CAAC,CAAC;QAEnM,IAAI,eAAe;YACf,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC;YAChC,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC5B,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAS,8BAA8B;YACpE,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAU,yBAAyB;YAC/D,CAAC,OAAO,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAK,+CAA+C;YACvF,CAAC,OAAO,CAAC,KAAK,CAAC,iCAAiC,CAAC,IAAI,wBAAwB;YAC7E,CAAC,OAAO,CAAC,KAAK,CAAC,8BAA8B,CAAC,IAAO,yBAAyB;YAC9E,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAE9B,MAAM,eAAe,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;YAE3C,qEAAqE;YACrE,MAAM,gBAAgB,GACpB,eAAe,CAAC,MAAM,IAAI,CAAC;gBAC3B,CAAC,eAAe,CAAC,KAAK,CAAC,oDAAoD,CAAC;gBAC5E,CAAC,eAAe,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,2BAA2B;YAEjE,IAAI,gBAAgB,EAAE,CAAC;gBACrB,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,uBAAuB,EACvB,8CAA8C,EAC9C,uEAAuE,EACvE,UAAU,EACV,gJAAgJ,EAChJ,sEAAsE,EACtE;oBACE,gCAAgC;oBAChC,kBAAkB;oBAClB,aAAa;oBACb,oCAAoC;oBACpC,wCAAwC;iBACzC,EACD,uCAAuC,EACvC,+EAA+E,EAC/E,8HAA8H,CAC/H,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,0CAA0C;QAC1C,yCAAyC;QACzC,IAAI,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACtC,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,aAAa,EACb,yDAAyD,EACzD,0EAA0E,EAC1E,UAAU,EACV,oIAAoI,EACpI,8EAA8E,EAC9E;gBACE,gCAAgC;gBAChC,mBAAmB;gBACnB,uBAAuB;gBACvB,yBAAyB;aAC1B,EACD,qDAAqD,EACrD,uJAAuJ,EACvJ,6FAA6F,CAC9F,CAAC,CAAC;QACL,CAAC;QAED,sDAAsD;QACtD,IAAI,OAAO,CAAC,KAAK,CAAC,8CAA8C,CAAC;YAC7D,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC;YACtC,OAAO,CAAC,KAAK,CAAC,sBAAsB,CAAC,EAAE,CAAC;YAC1C,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,8BAA8B,EAC9B,yEAAyE,EACzE,mDAAmD,EACnD,UAAU,EACV,yMAAyM,EACzM,6FAA6F,EAC7F;gBACE,wBAAwB;gBACxB,oCAAoC;gBACpC,2BAA2B;gBAC3B,2BAA2B;gBAC3B,uCAAuC;aACxC,EACD,mEAAmE,EACnE,iGAAiG,EACjG,iHAAiH,CAClH,CAAC,CAAC;QACL,CAAC;QAED,0CAA0C;QAC1C,IAAI,OAAO,CAAC,KAAK,CAAC,sBAAsB,CAAC;YACrC,CAAC,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC;gBACvD,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC,EAAE,CAAC;YACtF,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,2BAA2B,EAC3B,uEAAuE,EACvE,4DAA4D,EAC5D,UAAU,EACV,8LAA8L,EAC9L,+GAA+G,EAC/G;gBACE,iCAAiC;gBACjC,uBAAuB;gBACvB,kBAAkB;gBAClB,aAAa;gBACb,qCAAqC;aACtC,EACD,kFAAkF,EAClF,yHAAyH,EACzH,yJAAyJ,CAC1J,CAAC,CAAC;QACL,CAAC;QAED,4BAA4B;QAC5B,IAAI,OAAO,CAAC,KAAK,CAAC,yBAAyB,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;YAChH,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,iBAAiB,EACjB,0CAA0C,EAC1C,kEAAkE,EAClE,UAAU,EACV,6JAA6J,EAC7J,0EAA0E,EAC1E;gBACE,uCAAuC;gBACvC,kBAAkB;gBAClB,sBAAsB;gBACtB,4CAA4C;aAC7C,EACD,4CAA4C,EAC5C,mGAAmG,EACnG,2IAA2I,CAC5I,CAAC,CAAC;QACL,CAAC;QAED,qCAAqC;QACrC,IAAI,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,EAAE,CAAC;YACrE,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,wBAAwB,EACxB,qCAAqC,EACrC,oCAAoC,EACpC,UAAU,EACV,gJAAgJ,EAChJ,iEAAiE,EACjE;gBACE,yCAAyC;gBACzC,qCAAqC;gBACrC,mBAAmB;gBACnB,4DAA4D;aAC7D,EACD,0CAA0C,EAC1C,0FAA0F,EAC1F,8IAA8I,CAC/I,CAAC,CAAC;QACL,CAAC;QAED,gDAAgD;QAChD,IAAI,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC;YAC5C,CAAC,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC,EAAE,CAAC;YAC5G,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,2BAA2B,EAC3B,+CAA+C,EAC/C,yDAAyD,EACzD,UAAU,EACV,4IAA4I,EAC5I,4GAA4G,EAC5G;gBACE,6CAA6C;gBAC7C,wBAAwB;gBACxB,mBAAmB;gBACnB,uBAAuB;aACxB,EACD,8DAA8D,EAC9D,sHAAsH,EACtH,4GAA4G,CAC7G,CAAC,CAAC;QACL,CAAC;QAED,gFAAgF;QAChF,+DAA+D;QAC/D,gFAAgF;QAEhF,2CAA2C;QAC3C,IAAI,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC;YACjC,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YAC5D,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACzD,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,qBAAqB,EACrB,4DAA4D,EAC5D,2DAA2D,EAC3D,UAAU,EACV,iOAAiO,EACjO,8GAA8G,EAC9G;gBACE,yBAAyB;gBACzB,6CAA6C;gBAC7C,6CAA6C;gBAC7C,iCAAiC;aAClC,EACD,mDAAmD,EACnD,oIAAoI,EACpI,sFAAsF,CACvF,CAAC,CAAC;QACL,CAAC;QAED,sDAAsD;QACtD,IAAI,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,EAAE,CAAC;YAC3F,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,yBAAyB,EACzB,6DAA6D,EAC7D,sEAAsE,EACtE,UAAU,EACV,2MAA2M,EAC3M,+FAA+F,EAC/F;gBACE,2BAA2B;gBAC3B,8BAA8B;gBAC9B,uBAAuB;gBACvB,+CAA+C;aAChD,EACD,gDAAgD,EAChD,6KAA6K,EAC7K,iFAAiF,CAClF,CAAC,CAAC;QACL,CAAC;QAED,gFAAgF;QAChF,gEAAgE;QAChE,gFAAgF;QAEhF,sDAAsD;QACtD,IAAI,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YACxE,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,kCAAkC,EAClC,+EAA+E,EAC/E,6EAA6E,EAC7E,UAAU,EACV,mNAAmN,EACnN,iHAAiH,EACjH;gBACE,2BAA2B;gBAC3B,6BAA6B;gBAC7B,kBAAkB;gBAClB,mBAAmB;gBACnB,kCAAkC;aACnC,EACD,2BAA2B,EAC3B,wNAAwN,EACxN,gHAAgH,CACjH,CAAC,CAAC;QACL,CAAC;QAED,iDAAiD;QACjD,MAAM,uBAAuB,GAAG,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;QACrG,MAAM,cAAc,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC1D,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAC5D,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAC3D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;YACxB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;QAElF,IAAI,uBAAuB,IAAI,cAAc,EAAE,CAAC;YAC9C,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,sBAAsB,EACtB,8CAA8C,EAC9C,0EAA0E,EAC1E,UAAU,EACV,2KAA2K,EAC3K,qFAAqF,EACrF;gBACE,4BAA4B;gBAC5B,wBAAwB;gBACxB,uBAAuB;gBACvB,+BAA+B;gBAC/B,2BAA2B;aAC5B,EACD,uBAAuB,EACvB,qFAAqF,EACrF,uEAAuE,CACxE,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"javascript-analyzer.d.ts","sourceRoot":"","sources":["../../../../../../src/lib/analyzers/javascript-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAIH,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,cAAc,EAAkD,MAAM,SAAS,CAAC;AACvH,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AA0C7C,qBAAa,kBAAmB,YAAW,aAAa;IACtD,SAAgB,QAAQ,EAAE,iBAAiB,CAAgB;IAErD,OAAO,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC;IAmEtD,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAapD,eAAe;;;;;IAQf,OAAO,CAAC,gBAAgB;IAoBxB,OAAO,CAAC,0BAA0B;
|
|
1
|
+
{"version":3,"file":"javascript-analyzer.d.ts","sourceRoot":"","sources":["../../../../../../src/lib/analyzers/javascript-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAIH,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,cAAc,EAAkD,MAAM,SAAS,CAAC;AACvH,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AA0C7C,qBAAa,kBAAmB,YAAW,aAAa;IACtD,SAAgB,QAAQ,EAAE,iBAAiB,CAAgB;IAErD,OAAO,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC;IAmEtD,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAapD,eAAe;;;;;IAQf,OAAO,CAAC,gBAAgB;IAoBxB,OAAO,CAAC,0BAA0B;IAkFlC,OAAO,CAAC,2BAA2B;IAsEnC,OAAO,CAAC,yBAAyB;IAmCjC,OAAO,CAAC,oBAAoB;IAsC5B,OAAO,CAAC,mBAAmB;IAoC3B,OAAO,CAAC,iBAAiB;IAuBzB,OAAO,CAAC,sBAAsB;IAgG9B,OAAO,CAAC,qBAAqB;IAiD7B,OAAO,CAAC,cAAc;YAiCR,aAAa;IAmR3B,OAAO,CAAC,aAAa;IAOrB,OAAO,CAAC,2BAA2B;IAoBnC,OAAO,CAAC,sBAAsB;IAyG9B,OAAO,CAAC,qBAAqB;IAgC7B,OAAO,CAAC,sBAAsB;IAqE9B,OAAO,CAAC,uBAAuB;IAwF/B,OAAO,CAAC,uBAAuB;IAwD/B,OAAO,CAAC,kBAAkB;IAkE1B,OAAO,CAAC,oBAAoB;IAyD5B,OAAO,CAAC,mBAAmB;IAsD3B;;;;;;;OAOG;IACH,OAAO,CAAC,wBAAwB;IA0KhC,OAAO,CAAC,cAAc;IAmDtB,OAAO,CAAC,kBAAkB;IAkC1B,OAAO,CAAC,2BAA2B;IAwCnC,OAAO,CAAC,eAAe;IAkwBvB,OAAO,CAAC,gBAAgB;IA2CxB;;;;;;;;;;;OAWG;IACH,OAAO,CAAC,0BAA0B;CAkDnC"}
|
|
@@ -231,13 +231,16 @@ class JavaScriptAnalyzer {
|
|
|
231
231
|
if (!trimmed || trimmed.startsWith('//') || trimmed.startsWith('/*') || trimmed.startsWith('*')) {
|
|
232
232
|
return;
|
|
233
233
|
}
|
|
234
|
+
// FIX: Remove inline comments before AI hallucination checks to avoid false positives
|
|
235
|
+
// Example: items.push('x'); // Should be .push() ← comment contains .push() pattern
|
|
236
|
+
const lineWithoutComments = code_cleaner_1.CodeCleaner.removeLineComments(trimmed, 'javascript');
|
|
234
237
|
// AI Hallucination: Check for .push() on strings (Python/list confusion)
|
|
235
238
|
// Strings in JS are immutable, use += or array methods
|
|
236
239
|
// IMPORTANT: This is a SEMANTIC error (runtime TypeError), not syntax error
|
|
237
240
|
// The code IS valid JavaScript - it will parse successfully but fail at runtime
|
|
238
|
-
if (
|
|
239
|
-
|
|
240
|
-
|
|
241
|
+
if (lineWithoutComments.match(/(['"`].*['"`]|String\(|\.toString\(\)|\.toLowerCase\(\)|\.toUpperCase\(\)).*\.push\(/) ||
|
|
242
|
+
lineWithoutComments.match(/\w+\.push\(/) && (lineWithoutComments.includes("''") || lineWithoutComments.includes('""') || lineWithoutComments.includes('``') ||
|
|
243
|
+
lineWithoutComments.match(/=\s*['"`]/))) {
|
|
241
244
|
lineErrors.push({
|
|
242
245
|
line: lineNumber,
|
|
243
246
|
error: 'Strings don\'t have .push() method (common AI hallucination)',
|
|
@@ -1702,20 +1705,32 @@ class JavaScriptAnalyzer {
|
|
|
1702
1705
|
// See lines after forEach loop closes
|
|
1703
1706
|
// OWASP A07:2021 - Authentication & Identification Failures
|
|
1704
1707
|
// 8. Hardcoded credentials - CRITICAL
|
|
1708
|
+
// Pattern: Direct assignment of string literal to credential variables
|
|
1705
1709
|
// Enhanced to support TypeScript type annotations: const API_SECRET: string = 'value'
|
|
1706
|
-
|
|
1707
|
-
if (
|
|
1708
|
-
trimmed.match(/[:=]\s*['"`]/) &&
|
|
1710
|
+
const credentialMatch = trimmed.match(/(password|passwd|pwd|secret|api[_-]?key|private[_-]?key|auth[_-]?token|jwt[_-]?secret|db[_-]?password|encryption[_-]?key)\s*[:=]\s*(['"`])([^'"`]{8,})\2/i);
|
|
1711
|
+
if (credentialMatch &&
|
|
1709
1712
|
!trimmed.includes('process.env') &&
|
|
1710
1713
|
!trimmed.includes('config.') &&
|
|
1714
|
+
!trimmed.includes('console.') && // Skip console.log statements
|
|
1715
|
+
!trimmed.includes('logger.') && // Skip logger statements
|
|
1716
|
+
!trimmed.match(/@[\w.-]+\.[\w.-]+/) && // Skip email addresses (more specific pattern)
|
|
1717
|
+
!trimmed.match(/allowedEmails|allowedUsernames/i) && // Skip whitelist arrays
|
|
1718
|
+
!trimmed.match(/localStorage|sessionStorage/i) && // Skip storage key names
|
|
1711
1719
|
!trimmed.startsWith('//')) {
|
|
1712
|
-
|
|
1713
|
-
|
|
1714
|
-
|
|
1715
|
-
|
|
1716
|
-
|
|
1717
|
-
|
|
1718
|
-
|
|
1720
|
+
const credentialValue = credentialMatch[3];
|
|
1721
|
+
// Additional validation: check if value looks like a real credential
|
|
1722
|
+
const isRealCredential = credentialValue.length >= 8 &&
|
|
1723
|
+
!credentialValue.match(/^(test|example|demo|sample|fake|your|placeholder)/i) &&
|
|
1724
|
+
!credentialValue.match(/^(.)\1+$/); // Skip repeated characters
|
|
1725
|
+
if (isRealCredential) {
|
|
1726
|
+
vulnerabilities.push(this.createSecurityVulnerability('hardcoded-credentials', 'Hardcoded credentials exposed in source code', 'Use environment variables (process.env) or secret management services', lineNumber, 'Hardcoded credentials in source code are visible to anyone with access to the repository, including attackers who gain access to the codebase.', 'const password = "MySecretPass123" // Visible in Git history forever', [
|
|
1727
|
+
'Unauthorized access to systems',
|
|
1728
|
+
'Account takeover',
|
|
1729
|
+
'Data breach',
|
|
1730
|
+
'Lateral movement in infrastructure',
|
|
1731
|
+
'Cannot be rotated without code changes'
|
|
1732
|
+
], 'const apiKey = "sk-1234567890abcdef";', 'const apiKey = process.env.API_KEY; // Store in .env file (add to .gitignore)', 'Store secrets in environment variables or secret management services (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault)'));
|
|
1733
|
+
}
|
|
1719
1734
|
}
|
|
1720
1735
|
// OWASP A02:2021 - Cryptographic Failures
|
|
1721
1736
|
// 9. Math.random() for security - MEDIUM
|