getdoorman 1.0.0

package/src/rules/compliance/financial.js

@@ -0,0 +1,421 @@
+function isSourceFile(f) { return ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs', '.py', '.rb', '.go', '.java', '.cs', '.php'].some(e => f.endsWith(e)); }
+
+const financialPattern = /(?:account.*number|routing.*number|credit.*score|income|salary|tax.*return|financial|banking|loan|mortgage|investment|portfolio)/i;
+const npiPattern = /(?:account[_\-.]?number|routing[_\-.]?number|ssn|social[_\-.]?security|credit[_\-.]?score|income|salary|tax[_\-.]?return|net[_\-.]?worth|bank[_\-.]?balance|loan[_\-.]?amount)/i;
+const financialDataPattern = /(?:financial[_\-.]?(?:data|record|report|transaction|statement)|account[_\-.]?(?:balance|number|detail)|transaction|payment|ledger|revenue|expense)/i;
+
+function hasFinancialContext(files) {
+  return [...files.entries()].some(([f, c]) => isSourceFile(f) && financialPattern.test(c));
+}
+
+const rules = [
+  // === GLBA (Gramm-Leach-Bliley Act) Rules ===
+
+  {
+    id: 'COMP-GLBA-001',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'No Privacy Notice',
+    check({ files }) {
+      const findings = [];
+      if (!hasFinancialContext(files)) return findings;
+      const privacyNoticePattern = /(?:privacy[_\-.]?noti(?:ce|fication)|privacy[_\-.]?policy|privacy[_\-.]?disclosure|glba[_\-.]?notice|gramm[_\-.]?leach|financial[_\-.]?privacy)/i;
+      const hasNotice = [...files.entries()].some(([f, c]) => privacyNoticePattern.test(c) || f.match(/privacy/i));
+      if (!hasNotice) {
+        findings.push({
+          ruleId: 'COMP-GLBA-001', category: 'compliance', severity: 'high',
+          title: 'Financial application without privacy notice/disclosure',
+          description: 'GLBA requires financial institutions to provide customers with a privacy notice explaining what personal financial information is collected, how it is used, and how it is protected.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-GLBA-002',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'NPI Without Encryption',
+    check({ files }) {
+      const findings = [];
+      if (!hasFinancialContext(files)) return findings;
+      const encryptionPattern = /(?:encrypt|cipher|aes|crypto|tls|ssl|https|bcrypt|argon|scrypt|kms|vault|secure[_\-.]?storage)/i;
+      for (const [filepath, content] of files.entries()) {
+        if (!isSourceFile(filepath)) continue;
+        if (!npiPattern.test(content)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (npiPattern.test(lines[i]) && /(?:store|save|send|transmit|write|insert|log|print|console)/i.test(lines[i])) {
+            const contextBlock = lines.slice(Math.max(0, i - 10), Math.min(lines.length, i + 10)).join('\n');
+            if (!encryptionPattern.test(contextBlock)) {
+              findings.push({
+                ruleId: 'COMP-GLBA-002', category: 'compliance', severity: 'high',
+                title: 'Nonpublic personal information handled without encryption',
+                description: 'GLBA Safeguards Rule requires encryption of nonpublic personal information (NPI) including account numbers, SSNs, and income data both in transit and at rest.',
+                file: filepath, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-GLBA-003',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Missing Information Security Program',
+    check({ files }) {
+      const findings = [];
+      if (!hasFinancialContext(files)) return findings;
+      const securityProgramPattern = /(?:security[_\-.]?program|infosec[_\-.]?policy|information[_\-.]?security[_\-.]?(?:policy|program|plan)|safeguards[_\-.]?rule|glba[_\-.]?compliance|security[_\-.]?framework)/i;
+      const hasProgram = [...files.entries()].some(([f, c]) => securityProgramPattern.test(c) || f.match(/security[_\-.]?(?:policy|program)/i));
+      if (!hasProgram) {
+        findings.push({
+          ruleId: 'COMP-GLBA-003', category: 'compliance', severity: 'medium',
+          title: 'Financial application without information security program reference',
+          description: 'GLBA Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program. Reference your security program in the codebase.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-GLBA-004',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'No Opt-Out for Information Sharing',
+    check({ files }) {
+      const findings = [];
+      if (!hasFinancialContext(files)) return findings;
+      const sharingPattern = /(?:share|disclose|transfer|send|provide).*(?:third[_\-.]?party|partner|affiliate|vendor|external)/i;
+      const optOutPattern = /(?:opt[_\-.]?out|do[_\-.]?not[_\-.]?share|unsubscribe|sharing[_\-.]?preference|privacy[_\-.]?choice|consent[_\-.]?management)/i;
+      for (const [filepath, content] of files.entries()) {
+        if (!isSourceFile(filepath)) continue;
+        if (!financialPattern.test(content)) continue;
+        if (sharingPattern.test(content) && !optOutPattern.test(content)) {
+          const lines = content.split('\n');
+          for (let i = 0; i < lines.length; i++) {
+            if (sharingPattern.test(lines[i])) {
+              findings.push({
+                ruleId: 'COMP-GLBA-004', category: 'compliance', severity: 'high',
+                title: 'Financial data shared with third parties without opt-out mechanism',
+                description: 'GLBA requires financial institutions to provide customers the right to opt out of having their NPI shared with nonaffiliated third parties.',
+                file: filepath, line: i + 1, fix: null,
+              });
+              break;
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-GLBA-005',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Third-Party Sharing Without Agreement',
+    check({ files }) {
+      const findings = [];
+      if (!hasFinancialContext(files)) return findings;
+      const thirdPartyPattern = /(?:vendor|partner|contractor|third[_\-.]?party|external[_\-.]?(?:service|api|provider)|outsource)/i;
+      const agreementPattern = /(?:agreement|contract|dpa|data[_\-.]?processing|service[_\-.]?level|sla|terms|compliance[_\-.]?requirement)/i;
+      for (const [filepath, content] of files.entries()) {
+        if (!isSourceFile(filepath)) continue;
+        if (!financialDataPattern.test(content)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (thirdPartyPattern.test(lines[i]) && financialDataPattern.test(content)) {
+            const contextBlock = lines.slice(Math.max(0, i - 10), Math.min(lines.length, i + 10)).join('\n');
+            if (!agreementPattern.test(contextBlock) && !agreementPattern.test(content)) {
+              findings.push({
+                ruleId: 'COMP-GLBA-005', category: 'compliance', severity: 'high',
+                title: 'Financial data shared with vendor without service agreement',
+                description: 'GLBA requires contractual agreements with service providers that handle customer financial information, ensuring they maintain appropriate safeguards.',
+                file: filepath, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-GLBA-006',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Missing Risk Assessment',
+    check({ files }) {
+      const findings = [];
+      if (!hasFinancialContext(files)) return findings;
+      const riskPattern = /(?:risk[_\-.]?assessment|threat[_\-.]?model|vulnerability[_\-.]?assessment|security[_\-.]?audit|penetration[_\-.]?test|risk[_\-.]?analysis|security[_\-.]?review)/i;
+      const hasRisk = [...files.entries()].some(([f, c]) => riskPattern.test(c) || f.match(/risk/i));
+      if (!hasRisk) {
+        findings.push({
+          ruleId: 'COMP-GLBA-006', category: 'compliance', severity: 'medium',
+          title: 'Financial application without risk assessment reference',
+          description: 'GLBA Safeguards Rule requires regular risk assessments to identify threats to customer information. Reference risk assessment processes in your financial application.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-GLBA-007',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Incident Response Plan',
+    check({ files }) {
+      const findings = [];
+      if (!hasFinancialContext(files)) return findings;
+      const incidentPattern = /(?:incident[_\-.]?response|breach[_\-.]?notification|security[_\-.]?incident|incident[_\-.]?plan|playbook|escalation|on[_\-.]?call|pager[_\-.]?duty|alert[_\-.]?handler)/i;
+      const hasIncident = [...files.entries()].some(([f, c]) => incidentPattern.test(c) || f.match(/incident/i));
+      if (!hasIncident) {
+        findings.push({
+          ruleId: 'COMP-GLBA-007', category: 'compliance', severity: 'medium',
+          title: 'Financial application without incident response plan',
+          description: 'GLBA requires financial institutions to have an incident response plan for unauthorized access to customer information. Implement and reference an incident response process.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-GLBA-008',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Employee Access Without Need-to-Know',
+    check({ files }) {
+      const findings = [];
+      if (!hasFinancialContext(files)) return findings;
+      const rolePattern = /(?:rbac|role[_\-.]?based|role[_\-.]?check|hasRole|checkRole|requireRole|permission|privilege|need[_\-.]?to[_\-.]?know|least[_\-.]?privilege|access[_\-.]?level)/i;
+      for (const [filepath, content] of files.entries()) {
+        if (!isSourceFile(filepath)) continue;
+        if (!financialDataPattern.test(content)) continue;
+        if (/(?:endpoint|route|api|handler|controller)/i.test(content)) {
+          if (!rolePattern.test(content)) {
+            findings.push({
+              ruleId: 'COMP-GLBA-008', category: 'compliance', severity: 'high',
+              title: 'Broad access to financial data without role-based restrictions',
+              description: 'GLBA requires limiting access to customer NPI to employees with a legitimate business need. Implement role-based access controls (RBAC) with need-to-know restrictions.',
+              file: filepath, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // === SOX (Sarbanes-Oxley) Rules ===
+
+  {
+    id: 'COMP-SOX-001',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Financial Data Without Audit Trail',
+    check({ files }) {
+      const findings = [];
+      if (!hasFinancialContext(files)) return findings;
+      const auditPattern = /(?:audit[_\-.]?(?:log|trail|record|entry)|access[_\-.]?log|logAccess|auditLog|transaction[_\-.]?log|change[_\-.]?log|history[_\-.]?table|event[_\-.]?sourcing)/i;
+      const transactionPattern = /(?:transaction|transfer|payment|debit|credit|ledger|journal[_\-.]?entry|posting|reconcil)/i;
+      for (const [filepath, content] of files.entries()) {
+        if (!isSourceFile(filepath)) continue;
+        if (!transactionPattern.test(content)) continue;
+        if (!financialPattern.test(content)) continue;
+        if (!auditPattern.test(content)) {
+          findings.push({
+            ruleId: 'COMP-SOX-001', category: 'compliance', severity: 'high',
+            title: 'Financial transactions without audit logging',
+            description: 'SOX Section 302/404 requires internal controls over financial reporting, including audit trails for all financial transactions. Implement comprehensive audit logging.',
+            file: filepath, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-SOX-002',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Missing Access Controls on Financial Systems',
+    check({ files }) {
+      const findings = [];
+      if (!hasFinancialContext(files)) return findings;
+      const accessControlPattern = /(?:rbac|role[_\-.]?based|authorize|checkPermission|requireRole|access[_\-.]?control|acl|policy[_\-.]?enforcement|auth[_\-.]?middleware)/i;
+      for (const [filepath, content] of files.entries()) {
+        if (!isSourceFile(filepath)) continue;
+        if (!financialDataPattern.test(content)) continue;
+        if (/(?:endpoint|route|api|handler|controller)/i.test(content)) {
+          if (!accessControlPattern.test(content)) {
+            findings.push({
+              ruleId: 'COMP-SOX-002', category: 'compliance', severity: 'high',
+              title: 'Financial endpoint without role-based access controls',
+              description: 'SOX requires strict access controls on financial systems. Implement RBAC to ensure only authorized personnel can access financial data and operations.',
+              file: filepath, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-SOX-003',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No Change Management',
+    check({ files }) {
+      const findings = [];
+      if (!hasFinancialContext(files)) return findings;
+      const changeManagementPattern = /(?:change[_\-.]?management|change[_\-.]?request|approval[_\-.]?workflow|review[_\-.]?required|code[_\-.]?review|pull[_\-.]?request|merge[_\-.]?approval|change[_\-.]?advisory|cab|release[_\-.]?management)/i;
+      const hasChangeManagement = [...files.entries()].some(([f, c]) =>
+        changeManagementPattern.test(c) || f.match(/\.github\/(?:workflows|CODEOWNERS)/i) || f.match(/CODEOWNERS/i)
+      );
+      if (!hasChangeManagement) {
+        findings.push({
+          ruleId: 'COMP-SOX-003', category: 'compliance', severity: 'medium',
+          title: 'Financial code without change management/approval process',
+          description: 'SOX requires documented change management processes for financial systems. Implement code review requirements, approval workflows, and change tracking.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-SOX-004',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Financial Reports Without Integrity Checks',
+    check({ files }) {
+      const findings = [];
+      if (!hasFinancialContext(files)) return findings;
+      const reportPattern = /(?:financial[_\-.]?report|balance[_\-.]?sheet|income[_\-.]?statement|cash[_\-.]?flow|quarterly[_\-.]?report|annual[_\-.]?report|generate[_\-.]?report|report[_\-.]?generat)/i;
+      const integrityPattern = /(?:checksum|hash|signature|verify|validate|integrity|hmac|digest|reconcil|cross[_\-.]?check|balance[_\-.]?check)/i;
+      for (const [filepath, content] of files.entries()) {
+        if (!isSourceFile(filepath)) continue;
+        if (!reportPattern.test(content)) continue;
+        if (!integrityPattern.test(content)) {
+          findings.push({
+            ruleId: 'COMP-SOX-004', category: 'compliance', severity: 'high',
+            title: 'Financial report generation without integrity verification',
+            description: 'SOX requires internal controls ensuring the accuracy and integrity of financial reports. Implement checksums, validation, or reconciliation checks in report generation.',
+            file: filepath, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-SOX-005',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Missing Data Retention for Financial Records',
+    check({ files }) {
+      const findings = [];
+      if (!hasFinancialContext(files)) return findings;
+      const retentionPattern = /(?:retention|archive|preserve|7[_\-.]?year|seven[_\-.]?year|data[_\-.]?lifecycle|immutable|worm|write[_\-.]?once|long[_\-.]?term[_\-.]?storage)/i;
+      const hasRetention = [...files.entries()].some(([f, c]) => isSourceFile(f) && retentionPattern.test(c) && financialDataPattern.test(c));
+      if (!hasRetention) {
+        const hasFinancialStorage = [...files.entries()].some(([f, c]) =>
+          isSourceFile(f) && financialDataPattern.test(c) && /(?:save|store|insert|create|persist|database|collection|table)/i.test(c)
+        );
+        if (hasFinancialStorage) {
+          findings.push({
+            ruleId: 'COMP-SOX-005', category: 'compliance', severity: 'medium',
+            title: 'Financial data without 7-year retention policy',
+            description: 'SOX requires financial records to be retained for at least 7 years. Implement data retention policies and archival mechanisms for all financial records.',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-SOX-006',
+    category: 'compliance',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'No Segregation of Duties',
+    check({ files }) {
+      const findings = [];
+      if (!hasFinancialContext(files)) return findings;
+      const sodPattern = /(?:segregat(?:ion|e)[_\-.]?of[_\-.]?dut(?:y|ies)|dual[_\-.]?control|four[_\-.]?eyes|two[_\-.]?person|maker[_\-.]?checker|approval[_\-.]?workflow|separate[_\-.]?approver|cannot[_\-.]?approve[_\-.]?own)/i;
+      const approveExecutePattern = /(?:approve|authorize).*(?:execute|process|submit|transfer|payment)/i;
+      for (const [filepath, content] of files.entries()) {
+        if (!isSourceFile(filepath)) continue;
+        if (!financialDataPattern.test(content)) continue;
+        if (approveExecutePattern.test(content) && !sodPattern.test(content)) {
+          findings.push({
+            ruleId: 'COMP-SOX-006', category: 'compliance', severity: 'high',
+            title: 'Financial operations without segregation of duties',
+            description: 'SOX requires segregation of duties so that the same person cannot both approve and execute financial transactions. Implement maker-checker or dual-control patterns.',
+            file: filepath, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  {
+    id: 'COMP-SOX-007',
+    category: 'compliance',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Financial System Without Backup/Recovery',
+    check({ files }) {
+      const findings = [];
+      if (!hasFinancialContext(files)) return findings;
+      const backupPattern = /(?:backup|disaster[_\-.]?recovery|failover|replicat|snapshot|point[_\-.]?in[_\-.]?time|restore|recovery[_\-.]?point|rpo|rto|business[_\-.]?continuity)/i;
+      const hasBackup = [...files.entries()].some(([f, c]) => backupPattern.test(c) || f.match(/backup|disaster|recovery/i));
+      if (!hasBackup) {
+        findings.push({
+          ruleId: 'COMP-SOX-007', category: 'compliance', severity: 'medium',
+          title: 'Financial application without backup/recovery references',
+          description: 'SOX requires financial systems to have adequate backup and disaster recovery procedures to ensure business continuity and data preservation. Implement backup and recovery mechanisms.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;