npm - codeslick-cli - Versions diffs - 1.1.6 → 1.2.0 - Mend

codeslick-cli 1.1.6 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (90) hide show

package/dist/src/lib/analyzers/go/security-checks/credentials-crypto.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"credentials-crypto.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/go/security-checks/credentials-crypto.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAiBH,8DA+SC;AA7TD,sEAA6E;AAE7E;;;;;;;;;;;GAWG;AACH,SAAgB,yBAAyB,CAAC,KAAe;IACvD,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,6DAA6D;IAC7D,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrC,MAAM,mBAAmB,GAAG,gBAAgB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC/D,MAAM,iBAAiB,GAAG,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAE3D,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,wCAAwC;QACxC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/D,OAAO;QACT,CAAC;QAED,gFAAgF;QAChF,sEAAsE;QACtE,gFAAgF;QAChF,sBAAsB;QACtB,yBAAyB;QACzB,yCAAyC;QACzC,oCAAoC;QACpC,gCAAgC;QAChC,oCAAoC;QAEpC,2DAA2D;QAC3D,8EAA8E;QAC9E,MAAM,yBAAyB,GAAG,OAAO,CAAC,KAAK,CAC7C,sMAAsM,CACvM,CAAC;QAEF,IACE,yBAAyB;YACzB,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC9B,CAAC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;YACjC,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC9B,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC5B,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC9B,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;YACzB,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC;YAChC,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,EAC9B,CAAC;YACD,MAAM,eAAe,GAAG,yBAAyB,CAAC,CAAC,CAAC,CAAC;YAErD,0DAA0D;YAC1D,MAAM,gBAAgB,GACpB,eAAe,CAAC,MAAM,IAAI,CAAC;gBAC3B,CAAC,eAAe,CAAC,KAAK,CAAC,iEAAiE,CAAC;gBACzF,CAAC,eAAe,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,8CAA8C;YAEpF,IAAI,gBAAgB,EAAE,CAAC;gBACrB,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;oBAC5B,QAAQ,EAAE,0BAA0B;oBACpC,QAAQ,EAAE,UAAU;oBACpB,UAAU,EAAE,MAAM;oBAClB,OAAO,EAAE,8CAA8C;oBACvD,IAAI,EAAE,UAAU;oBAChB,UAAU,EAAE,iEAAiE;oBAC7E,KAAK,EAAE,uDAAuD;oBAC9D,GAAG,EAAE,SAAS;oBACd,MAAM,EAAE,gBAAgB;oBACxB,WAAW,EAAE;wBACX,WAAW,EACT,qLAAqL;wBACvL,MAAM,EAAE,sCAAsC;wBAC9C,KAAK,EAAE,oFAAoF;qBAC5F;oBACD,YAAY,EAAE;wBACZ,WAAW,EACT,uIAAuI;wBACzI,cAAc,EAAE,wGAAwG;wBACxH,eAAe,EAAE;4BACf,2DAA2D;4BAC3D,2CAA2C;4BAC3C,8BAA8B;4BAC9B,oDAAoD;4BACpD,gDAAgD;yBACjD;qBACF;iBACF,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;QAED,uDAAuD;QACvD,MAAM,gBAAgB,GAAG,OAAO,CAAC,KAAK,CACpC,0KAA0K,CAC3K,CAAC;QAEF,IACE,gBAAgB;YAChB,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC9B,CAAC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;YACjC,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC9B,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC5B,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC9B,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EACzB,CAAC;YACD,MAAM,eAAe,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;YAE5C,MAAM,gBAAgB,GACpB,eAAe,CAAC,MAAM,IAAI,CAAC;gBAC3B,CAAC,eAAe,CAAC,KAAK,CAAC,iEAAiE,CAAC;gBACzF,CAAC,eAAe,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YAErC,IAAI,gBAAgB,EAAE,CAAC;gBACrB,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;oBAC5B,QAAQ,EAAE,0BAA0B;oBACpC,QAAQ,EAAE,UAAU;oBACpB,UAAU,EAAE,MAAM;oBAClB,OAAO,EAAE,gDAAgD;oBACzD,IAAI,EAAE,UAAU;oBAChB,UAAU,EAAE,iEAAiE;oBAC7E,KAAK,EAAE,uDAAuD;oBAC9D,GAAG,EAAE,SAAS;oBACd,MAAM,EAAE,gBAAgB;oBACxB,WAAW,EAAE;wBACX,WAAW,EACT,6JAA6J;wBAC/J,MAAM,EAAE,0DAA0D;wBAClE,KAAK,EAAE,8EAA8E;qBACtF;oBACD,YAAY,EAAE;wBACZ,WAAW,EACT,uIAAuI;wBACzI,cAAc,EAAE,0GAA0G;wBAC1H,eAAe,EAAE;4BACf,qCAAqC;4BACrC,kBAAkB;4BAClB,aAAa;4BACb,oCAAoC;4BACpC,mDAAmD;yBACpD;qBACF;iBACF,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;QAED,gFAAgF;QAChF,6CAA6C;QAC7C,gFAAgF;QAChF,kBAAkB;QAClB,sDAAsD;QAEtD,MAAM,kBAAkB,GAAG,sCAAsC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAChF,MAAM,WAAW,GAAG,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAChD,MAAM,eAAe,GAAG,qBAAqB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE5D,+CAA+C;QAC/C,yFAAyF;QACzF,MAAM,sBAAsB,GAAG,sCAAsC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAExF,IAAI,CAAC,kBAAkB,IAAI,WAAW,CAAC,IAAI,CAAC,eAAe,IAAI,sBAAsB,CAAC,EAAE,CAAC;YACvF,gEAAgE;YAChE,MAAM,mBAAmB,GACvB,2BAA2B,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;YAEtF,IAAI,mBAAmB,IAAI,CAAC,eAAe,IAAI,sBAAsB,CAAC,EAAE,CAAC;gBACvE,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;oBAC5B,QAAQ,EAAE,iBAAiB;oBAC3B,QAAQ,EAAE,MAAM;oBAChB,UAAU,EAAE,MAAM;oBAClB,OAAO,EAAE,8DAA8D;oBACvE,IAAI,EAAE,UAAU;oBAChB,UAAU,EAAE,oDAAoD;oBAChE,KAAK,EAAE,mCAAmC;oBAC1C,GAAG,EAAE,SAAS;oBACd,MAAM,EAAE,eAAe;oBACvB,WAAW,EAAE;wBACX,WAAW,EACT,4NAA4N;wBAC9N,MAAM,EAAE,wDAAwD;wBAChE,KAAK,EAAE,mHAAmH;qBAC3H;oBACD,YAAY,EAAE;wBACZ,WAAW,EACT,uLAAuL;wBACzL,cAAc,EAAE,wGAAwG;wBACxH,eAAe,EAAE;4BACf,mEAAmE;4BACnE,4DAA4D;4BAC5D,uCAAuC;4BACvC,wCAAwC;yBACzC;qBACF;iBACF,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;QAED,gFAAgF;QAChF,sDAAsD;QACtD,gFAAgF;QAChF,kBAAkB;QAClB,gEAAgE;QAEhE,MAAM,kBAAkB,GACtB,iEAAiE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAClF,MAAM,gBAAgB,GACpB,2CAA2C,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE3F,gBAAgB;QAChB,kDAAkD;QAClD,8CAA8C;QAC9C,2CAA2C;QAC3C,MAAM,gBAAgB,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpD,MAAM,YAAY,GAChB,gBAAgB,IAAI,CAAC,gBAAgB,IAAI,CAAC,iBAAiB,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC;QAExF,IAAI,kBAAkB,IAAI,YAAY,EAAE,CAAC;YACvC,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;gBAC5B,QAAQ,EAAE,gBAAgB;gBAC1B,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,MAAM;gBAClB,OAAO,EAAE,2EAA2E;gBACpF,IAAI,EAAE,UAAU;gBAChB,UAAU,EAAE,gEAAgE;gBAC5E,KAAK,EAAE,mCAAmC;gBAC1C,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,eAAe;gBACvB,WAAW,EAAE;oBACX,WAAW,EACT,8NAA8N;oBAChO,MAAM,EAAE,gEAAgE;oBACxE,KAAK,EAAE,uJAAuJ;iBAC/J;gBACD,YAAY,EAAE;oBACZ,WAAW,EACT,kLAAkL;oBACpL,cAAc,EAAE,wHAAwH;oBACxI,eAAe,EAAE;wBACf,wCAAwC;wBACxC,6CAA6C;wBAC7C,iDAAiD;wBACjD,yDAAyD;qBAC1D;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAED,sEAAsE;QACtE,oDAAoD;QACpD,MAAM,gBAAgB,GAAG,OAAO,KAAK,oBAAoB,IAAI,OAAO,KAAK,aAAa,CAAC;QAEvF,IAAI,gBAAgB,IAAI,iBAAiB,EAAE,CAAC;YAC1C,2DAA2D;YAC3D,MAAM,mBAAmB,GACvB,6DAA6D,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC,CAAC;YAEhG,IAAI,mBAAmB,EAAE,CAAC;gBACxB,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;oBAC5B,QAAQ,EAAE,gBAAgB;oBAC1B,QAAQ,EAAE,MAAM;oBAChB,UAAU,EAAE,QAAQ;oBACpB,OAAO,EAAE,yEAAyE;oBAClF,IAAI,EAAE,UAAU;oBAChB,UAAU,EAAE,yEAAyE;oBACrF,KAAK,EAAE,mCAAmC;oBAC1C,GAAG,EAAE,SAAS;oBACd,MAAM,EAAE,eAAe;oBACvB,WAAW,EAAE;wBACX,WAAW,EACT,8JAA8J;wBAChK,MAAM,EAAE,oBAAoB;wBAC5B,KAAK,EAAE,sBAAsB;qBAC9B;oBACD,YAAY,EAAE;wBACZ,WAAW,EACT,wHAAwH;wBAC1H,cAAc,EAAE,gFAAgF;wBAChG,eAAe,EAAE;4BACf,gCAAgC;4BAChC,mBAAmB;4BACnB,uBAAuB;4BACvB,8BAA8B;yBAC/B;qBACF;iBACF,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/go/security-checks/deserialization.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * Go Deserialization Security Checks
+ * OWASP A08:2025 - Software and Data Integrity Failures
+ *
+ * Detects unsafe deserialization vulnerabilities in Go code, particularly
+ * with gob encoding and JSON unmarshaling from untrusted sources.
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Checks for unsafe deserialization practices
+ *
+ * Covers:
+ * - Check #1: Unsafe gob/JSON deserialization from untrusted sources (HIGH)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+export declare function checkDeserialization(lines: string[]): SecurityVulnerability[];
+//# sourceMappingURL=deserialization.d.ts.map

package/dist/src/lib/analyzers/go/security-checks/deserialization.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"deserialization.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/go/security-checks/deserialization.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,qBAAqB,EAAE,CAsO7E"}

package/dist/src/lib/analyzers/go/security-checks/deserialization.js ADDED Viewed

@@ -0,0 +1,210 @@
+"use strict";
+/**
+ * Go Deserialization Security Checks
+ * OWASP A08:2025 - Software and Data Integrity Failures
+ *
+ * Detects unsafe deserialization vulnerabilities in Go code, particularly
+ * with gob encoding and JSON unmarshaling from untrusted sources.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkDeserialization = checkDeserialization;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for unsafe deserialization practices
+ *
+ * Covers:
+ * - Check #1: Unsafe gob/JSON deserialization from untrusted sources (HIGH)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+function checkDeserialization(lines) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    // First pass: Check for deserialization imports
+    const fileContent = lines.join('\n');
+    const hasGobImport = /encoding\/gob|gob\./i.test(fileContent);
+    const hasJSONImport = /encoding\/json|json\./i.test(fileContent);
+    // Track user input sources (HTTP requests, external files, network)
+    const userInputVars = new Set();
+    // First pass: Identify user input sources
+    lines.forEach((line, index) => {
+        const trimmed = line.trim();
+        // HTTP request body
+        const bodyMatch = trimmed.match(/(\w+)\s*(?::=|=)\s*(?:r\.Body|req\.Body|request\.Body)/i);
+        if (bodyMatch) {
+            userInputVars.add(bodyMatch[1]);
+        }
+        // HTTP request parameters
+        const paramMatch = trimmed.match(/(\w+)\s*(?::=|=)\s*(?:r\.(?:URL\.Query\(\)|FormValue|PostFormValue|Header\.Get)|chi\.URLParam|mux\.Vars|c\.(?:Query|Param))/i);
+        if (paramMatch) {
+            userInputVars.add(paramMatch[1]);
+        }
+        // File reading
+        const fileMatch = trimmed.match(/(\w+)\s*(?::=|=)\s*(?:os\.Open|ioutil\.ReadFile|os\.ReadFile)\s*\(/i);
+        if (fileMatch) {
+            userInputVars.add(fileMatch[1]);
+        }
+        // Network connections (assignments and function parameters)
+        const netMatch = trimmed.match(/(\w+)\s*(?::=|=)\s*(?:net\.Dial|http\.Get|http\.Post)\s*\(/i);
+        if (netMatch) {
+            userInputVars.add(netMatch[1]);
+        }
+        // Function parameters with net.Conn, io.Reader types (external input)
+        const paramTypeMatch = trimmed.match(/func\s+\w+\s*\([^)]*?(\w+)\s+(?:net\.Conn|io\.Reader)/i);
+        if (paramTypeMatch) {
+            userInputVars.add(paramTypeMatch[1]);
+        }
+    });
+    // Second pass: Check for unsafe deserialization
+    lines.forEach((line, index) => {
+        const lineNumber = index + 1;
+        const trimmed = line.trim();
+        // Track multi-line comments (/* ... */)
+        if (trimmed.includes('/*')) {
+            inMultiLineComment = true;
+        }
+        if (trimmed.includes('*/')) {
+            inMultiLineComment = false;
+            return;
+        }
+        // Skip comments and empty lines
+        if (!trimmed || inMultiLineComment || trimmed.startsWith('//')) {
+            return;
+        }
+        // =============================================================================
+        // Check #1: Unsafe Deserialization from Untrusted Sources
+        // =============================================================================
+        // CVSS 8.0 - HIGH
+        // Detects gob.Decode or json.Unmarshal from user-controlled input
+        // Check for gob.Decode
+        if (hasGobImport && /gob\.(?:NewDecoder|Decode)/i.test(trimmed)) {
+            // Look for user input in surrounding ±10 lines
+            let hasUserInput = false;
+            const startLine = Math.max(0, index - 10);
+            const endLine = Math.min(lines.length, index + 10);
+            for (let i = startLine; i < endLine; i++) {
+                const contextLine = lines[i].trim();
+                // Check if any tracked user input variable is used
+                for (const userVar of userInputVars) {
+                    if (new RegExp(`\\b${userVar}\\b`, 'i').test(contextLine)) {
+                        hasUserInput = true;
+                        break;
+                    }
+                }
+                // Direct patterns indicating external input
+                if (/r\.Body|req\.Body|request\.Body|os\.Open|net\.Dial|http\.Get|http\.Post/i.test(contextLine)) {
+                    hasUserInput = true;
+                    break;
+                }
+                if (hasUserInput)
+                    break;
+            }
+            // Also check for validation/signature verification
+            let hasValidation = false;
+            for (let i = startLine; i < endLine; i++) {
+                const contextLine = lines[i].trim();
+                if (/hmac|verify|signature|authenticate|crypto\.subtle|jwt\.Parse/i.test(contextLine)) {
+                    hasValidation = true;
+                    break;
+                }
+            }
+            if (hasUserInput && !hasValidation) {
+                vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                    category: 'go-unsafe-deserialization',
+                    severity: 'high',
+                    confidence: 'high',
+                    message: 'Unsafe deserialization: gob.Decode used on untrusted input without validation',
+                    line: lineNumber,
+                    suggestion: 'Validate and sanitize input before deserialization, or use safer formats like JSON with schema validation',
+                    owasp: 'A08:2025 - Software and Data Integrity Failures',
+                    cwe: 'CWE-502',
+                    pciDss: 'PCI DSS 6.5.8',
+                    remediation: {
+                        explanation: 'gob encoding can execute arbitrary code during deserialization if the input is malicious. Always validate input, use HMAC signatures, or prefer safer formats like JSON with strict schema validation.',
+                        before: `// UNSAFE\ndecoder := gob.NewDecoder(r.Body)\nvar data MyStruct\ndecoder.Decode(&data) // Can execute malicious code!`,
+                        after: `// SAFE - Validate with HMAC\nmac := hmac.New(sha256.New, secretKey)\nif !hmac.Equal(receivedMAC, mac.Sum(nil)) {\n    return errors.New("invalid signature")\n}\ndecoder := gob.NewDecoder(validatedReader)\nvar data MyStruct\ndecoder.Decode(&data)`
+                    },
+                    attackVector: {
+                        description: 'gob deserialization can trigger arbitrary code execution through specially crafted payloads. Attackers can exploit this to execute commands, modify memory, or bypass security controls.',
+                        exploitExample: `// Attacker sends malicious gob payload:\nPOST /api/process\nContent-Type: application/gob\n\n<malicious gob data with embedded code>\n\n// Server blindly deserializes:\ngob.NewDecoder(r.Body).Decode(&data)\n// Attacker gains code execution!`,
+                        realWorldImpact: [
+                            'Remote code execution (RCE)',
+                            'Complete server compromise',
+                            'Data exfiltration and modification',
+                            'Privilege escalation',
+                            'Bypassing authentication and authorization'
+                        ]
+                    }
+                }));
+            }
+        }
+        // Check for json.Unmarshal from untrusted sources
+        if (hasJSONImport && /json\.(?:Unmarshal|NewDecoder)\s*\(/i.test(trimmed)) {
+            // Look for user input in surrounding ±10 lines
+            let hasUserInput = false;
+            let hasInterfaceType = false;
+            const startLine = Math.max(0, index - 10);
+            const endLine = Math.min(lines.length, index + 10);
+            for (let i = startLine; i < endLine; i++) {
+                const contextLine = lines[i].trim();
+                // Check for user input sources
+                for (const userVar of userInputVars) {
+                    if (new RegExp(`\\b${userVar}\\b`, 'i').test(contextLine)) {
+                        hasUserInput = true;
+                        break;
+                    }
+                }
+                if (/r\.Body|req\.Body|request\.Body|os\.Open|net\.Dial|http\.Get|http\.Post/i.test(contextLine)) {
+                    hasUserInput = true;
+                }
+                // Check if unmarshaling into interface{} or map[string]interface{}
+                if (/interface\s*\{\}|map\s*\[\s*string\s*\]\s*interface/i.test(contextLine)) {
+                    hasInterfaceType = true;
+                }
+                if (hasUserInput && hasInterfaceType)
+                    break;
+            }
+            // Check for schema validation
+            let hasSchemaValidation = false;
+            for (let i = startLine; i < endLine; i++) {
+                const contextLine = lines[i].trim();
+                if (/validate|schema|sanitize|whitelist/i.test(contextLine)) {
+                    hasSchemaValidation = true;
+                    break;
+                }
+            }
+            if (hasUserInput && hasInterfaceType && !hasSchemaValidation) {
+                vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                    category: 'go-unsafe-deserialization',
+                    severity: 'high',
+                    confidence: 'medium',
+                    message: 'Unsafe JSON deserialization: Unmarshaling untrusted input into interface{} without validation',
+                    line: lineNumber,
+                    suggestion: 'Use strongly-typed structs and validate input against a schema before unmarshaling',
+                    owasp: 'A08:2025 - Software and Data Integrity Failures',
+                    cwe: 'CWE-502',
+                    pciDss: 'PCI DSS 6.5.8',
+                    remediation: {
+                        explanation: 'Unmarshaling JSON into interface{} or map[string]interface{} from untrusted sources allows attackers to inject unexpected data types and structures. Use strongly-typed structs with validation.',
+                        before: `// UNSAFE\nvar data interface{}\njson.NewDecoder(r.Body).Decode(&data)\n// Attacker can inject any JSON structure`,
+                        after: `// SAFE\ntype UserRequest struct {\n    Name  string \`json:"name" validate:"required,max=100"\`\n    Email string \`json:"email" validate:"required,email"\`\n}\nvar data UserRequest\nif err := json.NewDecoder(r.Body).Decode(&data); err != nil {\n    return err\n}\nif err := validate.Struct(data); err != nil {\n    return err\n}`
+                    },
+                    attackVector: {
+                        description: 'Deserializing JSON into interface{} allows attackers to inject unexpected data types, nested objects, or large payloads causing DoS, logic errors, or security bypasses.',
+                        exploitExample: `// Expected: {"userId": 123}\n// Attacker sends: {"userId": {"$ne": 0}}\n// Code: var data interface{}\njson.Unmarshal(input, &data)\n// NoSQL injection or logic bypass!`,
+                        realWorldImpact: [
+                            'NoSQL injection via type confusion',
+                            'Denial of Service (memory exhaustion)',
+                            'Logic errors and security bypasses',
+                            'Mass assignment vulnerabilities',
+                            'Data corruption'
+                        ]
+                    }
+                }));
+            }
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=deserialization.js.map

package/dist/src/lib/analyzers/go/security-checks/deserialization.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"deserialization.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/go/security-checks/deserialization.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAcH,oDAsOC;AAjPD,sEAA6E;AAE7E;;;;;;;;GAQG;AACH,SAAgB,oBAAoB,CAAC,KAAe;IAClD,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,gDAAgD;IAChD,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrC,MAAM,YAAY,GAAG,sBAAsB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC9D,MAAM,aAAa,GAAG,wBAAwB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAEjE,oEAAoE;IACpE,MAAM,aAAa,GAAG,IAAI,GAAG,EAAU,CAAC;IAExC,0CAA0C;IAC1C,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,oBAAoB;QACpB,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,yDAAyD,CAAC,CAAC;QAC3F,IAAI,SAAS,EAAE,CAAC;YACd,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;QAClC,CAAC;QAED,0BAA0B;QAC1B,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAC9B,8HAA8H,CAC/H,CAAC;QACF,IAAI,UAAU,EAAE,CAAC;YACf,aAAa,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;QACnC,CAAC;QAED,eAAe;QACf,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,qEAAqE,CAAC,CAAC;QACvG,IAAI,SAAS,EAAE,CAAC;YACd,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;QAClC,CAAC;QAED,4DAA4D;QAC5D,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,6DAA6D,CAAC,CAAC;QAC9F,IAAI,QAAQ,EAAE,CAAC;YACb,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QACjC,CAAC;QAED,sEAAsE;QACtE,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,CAAC,wDAAwD,CAAC,CAAC;QAC/F,IAAI,cAAc,EAAE,CAAC;YACnB,aAAa,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC;QACvC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,gDAAgD;IAChD,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,wCAAwC;QACxC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/D,OAAO;QACT,CAAC;QAED,gFAAgF;QAChF,0DAA0D;QAC1D,gFAAgF;QAChF,kBAAkB;QAClB,kEAAkE;QAElE,uBAAuB;QACvB,IAAI,YAAY,IAAI,6BAA6B,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAChE,+CAA+C;YAC/C,IAAI,YAAY,GAAG,KAAK,CAAC;YACzB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,CAAC;YAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,EAAE,CAAC,CAAC;YAEnD,KAAK,IAAI,CAAC,GAAG,SAAS,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;gBACzC,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAEpC,mDAAmD;gBACnD,KAAK,MAAM,OAAO,IAAI,aAAa,EAAE,CAAC;oBACpC,IAAI,IAAI,MAAM,CAAC,MAAM,OAAO,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;wBAC1D,YAAY,GAAG,IAAI,CAAC;wBACpB,MAAM;oBACR,CAAC;gBACH,CAAC;gBAED,4CAA4C;gBAC5C,IACE,0EAA0E,CAAC,IAAI,CAAC,WAAW,CAAC,EAC5F,CAAC;oBACD,YAAY,GAAG,IAAI,CAAC;oBACpB,MAAM;gBACR,CAAC;gBAED,IAAI,YAAY;oBAAE,MAAM;YAC1B,CAAC;YAED,mDAAmD;YACnD,IAAI,aAAa,GAAG,KAAK,CAAC;YAC1B,KAAK,IAAI,CAAC,GAAG,SAAS,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;gBACzC,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBACpC,IACE,+DAA+D,CAAC,IAAI,CAAC,WAAW,CAAC,EACjF,CAAC;oBACD,aAAa,GAAG,IAAI,CAAC;oBACrB,MAAM;gBACR,CAAC;YACH,CAAC;YAED,IAAI,YAAY,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnC,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;oBAC5B,QAAQ,EAAE,2BAA2B;oBACrC,QAAQ,EAAE,MAAM;oBAChB,UAAU,EAAE,MAAM;oBAClB,OAAO,EAAE,+EAA+E;oBACxF,IAAI,EAAE,UAAU;oBAChB,UAAU,EAAE,2GAA2G;oBACvH,KAAK,EAAE,iDAAiD;oBACxD,GAAG,EAAE,SAAS;oBACd,MAAM,EAAE,eAAe;oBACvB,WAAW,EAAE;wBACX,WAAW,EACT,wMAAwM;wBAC1M,MAAM,EAAE,uHAAuH;wBAC/H,KAAK,EAAE,wPAAwP;qBAChQ;oBACD,YAAY,EAAE;wBACZ,WAAW,EACT,0LAA0L;wBAC5L,cAAc,EAAE,mPAAmP;wBACnQ,eAAe,EAAE;4BACf,6BAA6B;4BAC7B,4BAA4B;4BAC5B,oCAAoC;4BACpC,sBAAsB;4BACtB,4CAA4C;yBAC7C;qBACF;iBACF,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;QAED,kDAAkD;QAClD,IAAI,aAAa,IAAI,sCAAsC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC1E,+CAA+C;YAC/C,IAAI,YAAY,GAAG,KAAK,CAAC;YACzB,IAAI,gBAAgB,GAAG,KAAK,CAAC;YAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,CAAC;YAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,EAAE,CAAC,CAAC;YAEnD,KAAK,IAAI,CAAC,GAAG,SAAS,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;gBACzC,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAEpC,+BAA+B;gBAC/B,KAAK,MAAM,OAAO,IAAI,aAAa,EAAE,CAAC;oBACpC,IAAI,IAAI,MAAM,CAAC,MAAM,OAAO,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;wBAC1D,YAAY,GAAG,IAAI,CAAC;wBACpB,MAAM;oBACR,CAAC;gBACH,CAAC;gBAED,IACE,0EAA0E,CAAC,IAAI,CAAC,WAAW,CAAC,EAC5F,CAAC;oBACD,YAAY,GAAG,IAAI,CAAC;gBACtB,CAAC;gBAED,mEAAmE;gBACnE,IAAI,sDAAsD,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;oBAC7E,gBAAgB,GAAG,IAAI,CAAC;gBAC1B,CAAC;gBAED,IAAI,YAAY,IAAI,gBAAgB;oBAAE,MAAM;YAC9C,CAAC;YAED,8BAA8B;YAC9B,IAAI,mBAAmB,GAAG,KAAK,CAAC;YAChC,KAAK,IAAI,CAAC,GAAG,SAAS,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;gBACzC,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBACpC,IAAI,qCAAqC,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;oBAC5D,mBAAmB,GAAG,IAAI,CAAC;oBAC3B,MAAM;gBACR,CAAC;YACH,CAAC;YAED,IAAI,YAAY,IAAI,gBAAgB,IAAI,CAAC,mBAAmB,EAAE,CAAC;gBAC7D,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;oBAC5B,QAAQ,EAAE,2BAA2B;oBACrC,QAAQ,EAAE,MAAM;oBAChB,UAAU,EAAE,QAAQ;oBACpB,OAAO,EAAE,+FAA+F;oBACxG,IAAI,EAAE,UAAU;oBAChB,UAAU,EAAE,oFAAoF;oBAChG,KAAK,EAAE,iDAAiD;oBACxD,GAAG,EAAE,SAAS;oBACd,MAAM,EAAE,eAAe;oBACvB,WAAW,EAAE;wBACX,WAAW,EACT,kMAAkM;wBACpM,MAAM,EAAE,mHAAmH;wBAC3H,KAAK,EAAE,4UAA4U;qBACpV;oBACD,YAAY,EAAE;wBACZ,WAAW,EACT,0KAA0K;wBAC5K,cAAc,EAAE,2KAA2K;wBAC3L,eAAe,EAAE;4BACf,oCAAoC;4BACpC,uCAAuC;4BACvC,oCAAoC;4BACpC,iCAAiC;4BACjC,iBAAiB;yBAClB;qBACF;iBACF,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/go/security-checks/error-handling.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+/**
+ * Go Error Handling Security Checks
+ * OWASP A09:2025 - Security Logging and Monitoring Failures
+ *
+ * Detects improper error handling and insufficient security logging in Go code.
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Checks for error handling and logging issues
+ *
+ * Covers:
+ * - Check #1: Ignored errors (blank identifier _) (LOW)
+ * - Check #2: Missing security event logging (MEDIUM)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+export declare function checkErrorHandling(lines: string[]): SecurityVulnerability[];
+//# sourceMappingURL=error-handling.d.ts.map

package/dist/src/lib/analyzers/go/security-checks/error-handling.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"error-handling.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/go/security-checks/error-handling.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,qBAAqB,EAAE,CA6M3E"}

package/dist/src/lib/analyzers/go/security-checks/error-handling.js ADDED Viewed

@@ -0,0 +1,192 @@
+"use strict";
+/**
+ * Go Error Handling Security Checks
+ * OWASP A09:2025 - Security Logging and Monitoring Failures
+ *
+ * Detects improper error handling and insufficient security logging in Go code.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkErrorHandling = checkErrorHandling;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for error handling and logging issues
+ *
+ * Covers:
+ * - Check #1: Ignored errors (blank identifier _) (LOW)
+ * - Check #2: Missing security event logging (MEDIUM)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+function checkErrorHandling(lines) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    const fileContent = lines.join('\n');
+    const hasLoggingImport = /log\.|logrus\.|zap\.|zerolog\./i.test(fileContent);
+    lines.forEach((line, index) => {
+        const lineNumber = index + 1;
+        const trimmed = line.trim();
+        // Track multi-line comments (/* ... */)
+        if (trimmed.includes('/*')) {
+            inMultiLineComment = true;
+        }
+        if (trimmed.includes('*/')) {
+            inMultiLineComment = false;
+            return;
+        }
+        // Skip comments and empty lines
+        if (!trimmed || inMultiLineComment || trimmed.startsWith('//')) {
+            return;
+        }
+        // =============================================================================
+        // Check #1: Ignored Errors (Blank Identifier _)
+        // =============================================================================
+        // CVSS 3.1 - LOW
+        // Detects errors being explicitly ignored with _
+        // Pattern:
+        // - _, anything := or anything, _ := (multi-value assignment with blank identifier)
+        // - _ = someFunc() (single-value assignment)
+        // BUT exclude inline error checks: if _, err := ...; err != nil
+        const hasIgnoredError = /\w+\s*,\s*_\s*:=|_\s*,\s*\w+\s*:=|_\s*=\s*[\w.]+\s*\(/i.test(trimmed);
+        // Inline error check pattern matches both: if _, err := ...; err != and if result, _ := ...; result !=
+        const isInlineErrorCheck = /if\s+[_\w]+\s*,\s*[_\w]+\s*:=.*;\s*\w+\s*!=/i.test(trimmed);
+        if (hasIgnoredError && !isInlineErrorCheck) {
+            // Check if this is a security-critical operation
+            const isSecurityCritical = /db\.|sql\.|crypto|tls\.|rand\.|auth|password|token|session|encrypt|decrypt|sign|verify|validate|jwt|bcrypt|hash/i.test(trimmed);
+            if (isSecurityCritical) {
+                vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                    category: 'go-ignored-error',
+                    severity: 'low',
+                    confidence: 'medium',
+                    message: 'Error ignored in security-critical operation',
+                    line: lineNumber,
+                    suggestion: 'Always check and handle errors from security-critical operations',
+                    owasp: 'A09:2025 - Security Logging and Monitoring Failures',
+                    cwe: 'CWE-391',
+                    pciDss: 'PCI DSS 10.1',
+                    remediation: {
+                        explanation: 'Ignoring errors from security-critical operations can lead to silent failures. Database errors, cryptographic failures, and authentication issues must be detected and handled.',
+                        before: `_, err := db.Exec("UPDATE users SET password = ?", hash)\n// Silent failure - password not updated!`,
+                        after: `result, err := db.Exec("UPDATE users SET password = ?", hash)\nif err != nil {\n    log.Printf("Password update failed: %v", err)\n    return err\n}`
+                    },
+                    attackVector: {
+                        description: 'Silent failures in security operations can leave the system in an insecure state. For example, ignored encryption errors might result in unencrypted data storage.',
+                        exploitExample: `// Encryption error ignored:\nencrypted, _ := encrypt(sensitiveData)\ndb.Save(encrypted) // Actually saved plaintext due to error!`,
+                        realWorldImpact: [
+                            'Silent security failures go undetected',
+                            'Data stored unencrypted despite encryption attempts',
+                            'Authentication bypasses due to ignored validation errors',
+                            'Audit trail gaps from unreported failures',
+                            'Difficult troubleshooting and incident response'
+                        ]
+                    }
+                }));
+            }
+        }
+        // =============================================================================
+        // Check #2: Missing Security Event Logging
+        // =============================================================================
+        // CVSS 4.0 - MEDIUM
+        // Detects security-relevant operations without logging
+        // Check for authentication/authorization without logging
+        const isAuthOperation = /Login|Authenticate|Authorize|SignIn|SignOut|ChangePassword|ResetPassword|Grant|Revoke/i.test(trimmed);
+        const isFunctionDeclaration = /func\s+(\w+)/i.test(trimmed);
+        if (isAuthOperation && isFunctionDeclaration) {
+            const funcMatch = trimmed.match(/func\s+(\w+)/i);
+            if (funcMatch) {
+                const funcName = funcMatch[1];
+                // Look ahead in function body (next 40 lines) for logging
+                let hasLogging = false;
+                for (let i = index; i < Math.min(index + 40, lines.length); i++) {
+                    const bodyLine = lines[i].trim();
+                    // Stop at next function
+                    if (i > index && /^func\s+\w+/.test(bodyLine)) {
+                        break;
+                    }
+                    // Check for logging statements
+                    if (/log\.|logrus\.|zap\.|zerolog\.|slog\./i.test(bodyLine)) {
+                        hasLogging = true;
+                        break;
+                    }
+                }
+                if (!hasLogging && !hasLoggingImport) {
+                    vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                        category: 'go-missing-sec-logging',
+                        severity: 'medium',
+                        confidence: 'medium',
+                        message: `Missing security event logging in authentication function '${funcName}'`,
+                        line: lineNumber,
+                        suggestion: 'Log all authentication/authorization attempts with user ID, timestamp, and outcome',
+                        owasp: 'A09:2025 - Security Logging and Monitoring Failures',
+                        cwe: 'CWE-778',
+                        pciDss: 'PCI DSS 10.2',
+                        remediation: {
+                            explanation: 'Security events must be logged for audit trails, incident response, and compliance. PCI DSS requires logging all authentication attempts, access to cardholder data, and administrative actions.',
+                            before: `func Login(username, password string) error {\n    if !validateCredentials(username, password) {\n        return errors.New("invalid credentials")\n    }\n    return nil\n}`,
+                            after: `func Login(username, password string) error {\n    if !validateCredentials(username, password) {\n        log.Printf("Failed login attempt for user: %s from IP: %s", username, getClientIP())\n        return errors.New("invalid credentials")\n    }\n    log.Printf("Successful login for user: %s from IP: %s", username, getClientIP())\n    return nil\n}`
+                        },
+                        attackVector: {
+                            description: 'Without security event logging, attacks go undetected. Brute force attempts, privilege escalations, and unauthorized access leave no audit trail for investigation.',
+                            exploitExample: `// Attacker attempts 1000 passwords:\nfor pwd in passwords:\n    Login(username, pwd)\n// No logs = no detection = eventual success`,
+                            realWorldImpact: [
+                                'Brute force attacks go undetected',
+                                'No audit trail for forensic investigation',
+                                'Compliance violations (PCI DSS 10.2, SOC 2)',
+                                'Cannot detect account takeover attempts',
+                                'No evidence for incident response',
+                                'Regulatory fines and penalties'
+                            ]
+                        }
+                    }));
+                }
+            }
+        }
+        // Also check for sensitive data access without logging
+        const isSensitiveDataAccess = /SELECT.*FROM.*(?:users|accounts|cards|payments|credentials)|UPDATE.*(?:users|accounts)/i.test(trimmed);
+        const isDBQuery = /db\.Query|db\.Exec|\.Find|\.Where/i.test(trimmed);
+        if (isSensitiveDataAccess && isDBQuery) {
+            // Look for logging in surrounding ±10 lines
+            let hasLogging = false;
+            const startLine = Math.max(0, index - 10);
+            const endLine = Math.min(lines.length, index + 10);
+            for (let i = startLine; i < endLine; i++) {
+                const contextLine = lines[i].trim();
+                if (/log\.|logrus\.|zap\.|zerolog\./i.test(contextLine)) {
+                    hasLogging = true;
+                    break;
+                }
+            }
+            if (!hasLogging && !hasLoggingImport) {
+                vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                    category: 'go-missing-sec-logging',
+                    severity: 'medium',
+                    confidence: 'low',
+                    message: 'Missing logging for sensitive data access',
+                    line: lineNumber,
+                    suggestion: 'Log access to sensitive data tables with user ID and timestamp',
+                    owasp: 'A09:2025 - Security Logging and Monitoring Failures',
+                    cwe: 'CWE-778',
+                    pciDss: 'PCI DSS 10.2',
+                    remediation: {
+                        explanation: 'Access to sensitive data (user accounts, payment info, credentials) must be logged for audit compliance and security monitoring.',
+                        before: `rows, err := db.Query("SELECT * FROM users WHERE role = 'admin'")\n// No audit trail of who accessed admin data`,
+                        after: `log.Printf("Admin user query by: %s at: %v", currentUser, time.Now())\nrows, err := db.Query("SELECT * FROM users WHERE role = 'admin'")`
+                    },
+                    attackVector: {
+                        description: 'Unlogged access to sensitive data prevents detection of insider threats, privilege abuse, and data exfiltration.',
+                        exploitExample: `// Insider threat:\nfor all users:\n    SELECT * FROM payment_cards WHERE user_id = ?\n// No logs = no detection`,
+                        realWorldImpact: [
+                            'Insider threats go undetected',
+                            'Data exfiltration without audit trail',
+                            'Compliance violations (GDPR Article 32, PCI DSS 10.2)',
+                            'Cannot prove data breach scope',
+                            'Regulatory investigations and fines'
+                        ]
+                    }
+                }));
+            }
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=error-handling.js.map

package/dist/src/lib/analyzers/go/security-checks/error-handling.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"error-handling.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/go/security-checks/error-handling.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAeH,gDA6MC;AAzND,sEAA6E;AAE7E;;;;;;;;;GASG;AACH,SAAgB,kBAAkB,CAAC,KAAe;IAChD,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrC,MAAM,gBAAgB,GAAG,iCAAiC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAE7E,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,wCAAwC;QACxC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/D,OAAO;QACT,CAAC;QAED,gFAAgF;QAChF,gDAAgD;QAChD,gFAAgF;QAChF,iBAAiB;QACjB,iDAAiD;QAEjD,WAAW;QACX,oFAAoF;QACpF,6CAA6C;QAC7C,gEAAgE;QAChE,MAAM,eAAe,GAAG,wDAAwD,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC/F,uGAAuG;QACvG,MAAM,kBAAkB,GAAG,8CAA8C,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAExF,IAAI,eAAe,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAC3C,iDAAiD;YACjD,MAAM,kBAAkB,GACtB,kHAAkH,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAEnI,IAAI,kBAAkB,EAAE,CAAC;gBACvB,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;oBAC5B,QAAQ,EAAE,kBAAkB;oBAC5B,QAAQ,EAAE,KAAK;oBACf,UAAU,EAAE,QAAQ;oBACpB,OAAO,EAAE,8CAA8C;oBACvD,IAAI,EAAE,UAAU;oBAChB,UAAU,EAAE,kEAAkE;oBAC9E,KAAK,EAAE,qDAAqD;oBAC5D,GAAG,EAAE,SAAS;oBACd,MAAM,EAAE,cAAc;oBACtB,WAAW,EAAE;wBACX,WAAW,EACT,iLAAiL;wBACnL,MAAM,EAAE,qGAAqG;wBAC7G,KAAK,EAAE,sJAAsJ;qBAC9J;oBACD,YAAY,EAAE;wBACZ,WAAW,EACT,oKAAoK;wBACtK,cAAc,EAAE,oIAAoI;wBACpJ,eAAe,EAAE;4BACf,wCAAwC;4BACxC,qDAAqD;4BACrD,0DAA0D;4BAC1D,2CAA2C;4BAC3C,iDAAiD;yBAClD;qBACF;iBACF,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;QAED,gFAAgF;QAChF,2CAA2C;QAC3C,gFAAgF;QAChF,oBAAoB;QACpB,uDAAuD;QAEvD,yDAAyD;QACzD,MAAM,eAAe,GACnB,wFAAwF,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzG,MAAM,qBAAqB,GAAG,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE5D,IAAI,eAAe,IAAI,qBAAqB,EAAE,CAAC;YAC7C,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;YACjD,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,QAAQ,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;gBAE9B,0DAA0D;gBAC1D,IAAI,UAAU,GAAG,KAAK,CAAC;gBACvB,KAAK,IAAI,CAAC,GAAG,KAAK,EAAE,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;oBAChE,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBAEjC,wBAAwB;oBACxB,IAAI,CAAC,GAAG,KAAK,IAAI,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;wBAC9C,MAAM;oBACR,CAAC;oBAED,+BAA+B;oBAC/B,IAAI,wCAAwC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;wBAC5D,UAAU,GAAG,IAAI,CAAC;wBAClB,MAAM;oBACR,CAAC;gBACH,CAAC;gBAED,IAAI,CAAC,UAAU,IAAI,CAAC,gBAAgB,EAAE,CAAC;oBACrC,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;wBAC5B,QAAQ,EAAE,wBAAwB;wBAClC,QAAQ,EAAE,QAAQ;wBAClB,UAAU,EAAE,QAAQ;wBACpB,OAAO,EAAE,8DAA8D,QAAQ,GAAG;wBAClF,IAAI,EAAE,UAAU;wBAChB,UAAU,EAAE,oFAAoF;wBAChG,KAAK,EAAE,qDAAqD;wBAC5D,GAAG,EAAE,SAAS;wBACd,MAAM,EAAE,cAAc;wBACtB,WAAW,EAAE;4BACX,WAAW,EACT,kMAAkM;4BACpM,MAAM,EAAE,8KAA8K;4BACtL,KAAK,EAAE,kWAAkW;yBAC1W;wBACD,YAAY,EAAE;4BACZ,WAAW,EACT,qKAAqK;4BACvK,cAAc,EAAE,qIAAqI;4BACrJ,eAAe,EAAE;gCACf,mCAAmC;gCACnC,2CAA2C;gCAC3C,6CAA6C;gCAC7C,yCAAyC;gCACzC,mCAAmC;gCACnC,gCAAgC;6BACjC;yBACF;qBACF,CAAC,CACH,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,uDAAuD;QACvD,MAAM,qBAAqB,GACzB,yFAAyF,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC1G,MAAM,SAAS,GAAG,oCAAoC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAErE,IAAI,qBAAqB,IAAI,SAAS,EAAE,CAAC;YACvC,4CAA4C;YAC5C,IAAI,UAAU,GAAG,KAAK,CAAC;YACvB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,CAAC;YAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,EAAE,CAAC,CAAC;YAEnD,KAAK,IAAI,CAAC,GAAG,SAAS,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;gBACzC,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBACpC,IAAI,iCAAiC,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;oBACxD,UAAU,GAAG,IAAI,CAAC;oBAClB,MAAM;gBACR,CAAC;YACH,CAAC;YAED,IAAI,CAAC,UAAU,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACrC,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;oBAC5B,QAAQ,EAAE,wBAAwB;oBAClC,QAAQ,EAAE,QAAQ;oBAClB,UAAU,EAAE,KAAK;oBACjB,OAAO,EAAE,2CAA2C;oBACpD,IAAI,EAAE,UAAU;oBAChB,UAAU,EAAE,gEAAgE;oBAC5E,KAAK,EAAE,qDAAqD;oBAC5D,GAAG,EAAE,SAAS;oBACd,MAAM,EAAE,cAAc;oBACtB,WAAW,EAAE;wBACX,WAAW,EACT,kIAAkI;wBACpI,MAAM,EAAE,iHAAiH;wBACzH,KAAK,EAAE,0IAA0I;qBAClJ;oBACD,YAAY,EAAE;wBACZ,WAAW,EACT,kHAAkH;wBACpH,cAAc,EAAE,kHAAkH;wBAClI,eAAe,EAAE;4BACf,+BAA+B;4BAC/B,uCAAuC;4BACvC,uDAAuD;4BACvD,gCAAgC;4BAChC,qCAAqC;yBACtC;qBACF;iBACF,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/go/security-checks/injection-attacks.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+/**
+ * Go Injection Attack Security Checks
+ * OWASP A03:2025 - Injection
+ *
+ * Detects SQL injection, command injection, LDAP injection, NoSQL injection,
+ * and XXE vulnerabilities in Go code. These are among the most critical security risks.
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Checks for injection attack vulnerabilities in Go code
+ *
+ * Covers:
+ * - Check #1: SQL Injection - String concatenation in database queries (CRITICAL)
+ * - Check #2: Command Injection - exec.Command with shell and user input (CRITICAL)
+ * - Check #3: LDAP Injection - Unsafe LDAP filter construction (HIGH)
+ * - Check #4: NoSQL Injection - MongoDB query construction with user input (HIGH)
+ * - Check #5: XXE - Unsafe XML parsing without DisallowDTD (HIGH)
+ * - Check #6: Template Injection - Unsafe template.HTML construction (HIGH)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+export declare function checkInjectionAttacks(lines: string[]): SecurityVulnerability[];
+//# sourceMappingURL=injection-attacks.d.ts.map

package/dist/src/lib/analyzers/go/security-checks/injection-attacks.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"injection-attacks.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/go/security-checks/injection-attacks.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,qBAAqB,EAAE,CA6b9E"}