legacy-squad 1.0.0-beta.5 → 1.0.0-beta.6

package/dist/cli.mjs

@@ -363,11 +363,23 @@ var composerJsonDetector = {
       { name: "php", type: "language", version: composer.require?.php ?? "unknown", source: filePath }
     ];
     const dependencies = [];
+    const FRAMEWORK_MAP = [
+      { pkg: "laravel/framework", name: "laravel" },
+      { pkg: "symfony/framework-bundle", name: "symfony" },
+      { pkg: "symfony/symfony", name: "symfony" },
+      { pkg: "codeigniter4/framework", name: "codeigniter" },
+      { pkg: "codeigniter/framework", name: "codeigniter" }
+    ];
+    const allRequires = { ...composer.require ?? {}, ...composer["require-dev"] ?? {} };
     for (const [name, version] of Object.entries(composer.require ?? {})) {
       if (name === "php") continue;
       dependencies.push({ name, version: String(version), manager: "composer", scope: "runtime" });
-      if (name === "laravel/framework") {
-        stack.push({ name: "laravel", type: "framework", version: String(version), source: filePath });
+    }
+    const seenFrameworks = /* @__PURE__ */ new Set();
+    for (const { pkg, name } of FRAMEWORK_MAP) {
+      if (allRequires[pkg] && !seenFrameworks.has(name)) {
+        seenFrameworks.add(name);
+        stack.push({ name, type: "framework", version: String(allRequires[pkg]), source: filePath });
       }
     }
     return { stack, dependencies, projectType: "backend", projectName: composer.name ?? "php-project" };
@@ -380,12 +392,22 @@ var csprojDetector = {
     const dependencies = [];
     const tfmMatch = content.match(/<TargetFramework>(.*?)<\/TargetFramework>/);
     if (tfmMatch) {
-      stack.push({ name: "dotnet", type: "runtime", version: tfmMatch[1], source: filePath });
+      const tfm = tfmMatch[1];
+      stack.push({ name: "dotnet", type: "runtime", version: tfm, source: filePath });
+      if (/^net4\d|^net35/.test(tfm)) {
+        stack.push({ name: ".net-framework", type: "runtime", version: tfm, source: filePath });
+      }
+    }
+    if (/Sdk\s*=\s*["']Microsoft\.NET\.Sdk\.Web["']/.test(content)) {
+      stack.push({ name: "asp.net", type: "framework", version: "detected", source: filePath });
     }
     const pkgRefRegex = /<PackageReference\s+Include="([^"]+)"\s+Version="([^"]+)"/g;
     let match;
     while ((match = pkgRefRegex.exec(content)) !== null) {
       dependencies.push({ name: match[1], version: match[2], manager: "nuget", scope: "runtime" });
+      if (match[1].startsWith("Microsoft.AspNetCore") && !stack.some((s) => s.name === "asp.net")) {
+        stack.push({ name: "asp.net", type: "framework", version: match[2], source: filePath });
+      }
     }
     return { stack, dependencies, projectType: "backend", projectName: path2.basename(filePath, ".csproj") };
   }
@@ -397,17 +419,34 @@ var pomXmlDetector = {
       { name: "java", type: "language", version: "unknown", source: filePath }
     ];
     const dependencies = [];
-    if (content.includes("spring-boot")) {
+    if (/<artifactId>\s*spring-boot/i.test(content) || content.includes("spring-boot-starter")) {
       stack.push({ name: "spring-boot", type: "framework", version: "detected", source: filePath });
+    } else if (/<artifactId>\s*spring-webmvc\s*<\/artifactId>/i.test(content) || content.includes("spring-webmvc")) {
+      stack.push({ name: "spring-mvc", type: "framework", version: "detected", source: filePath });
     }
     return { stack, dependencies, projectType: "backend", projectName: "java-project" };
   }
 };
+var gradleDetector = {
+  filename: "build.gradle",
+  detect(content, filePath) {
+    const stack = [
+      { name: "java", type: "language", version: "unknown", source: filePath }
+    ];
+    if (content.includes("org.springframework.boot") || content.includes("spring-boot-starter")) {
+      stack.push({ name: "spring-boot", type: "framework", version: "detected", source: filePath });
+    } else if (content.includes("spring-webmvc")) {
+      stack.push({ name: "spring-mvc", type: "framework", version: "detected", source: filePath });
+    }
+    return { stack, dependencies: [], projectType: "backend", projectName: "java-project" };
+  }
+};
 var ALL_DETECTORS = [
   packageJsonDetector,
   composerJsonDetector,
   csprojDetector,
-  pomXmlDetector
+  pomXmlDetector,
+  gradleDetector
 ];
 var MANIFEST_FILES = ALL_DETECTORS.map((d) => d.filename);
 async function detectFromManifests(rootPath, fs) {
@@ -689,14 +728,27 @@ var ContextBuilder = class {
 import path5 from "node:path";
 
 // packages/rules/src/rule-catalog.ts
+var BACKEND_LANGUAGES = [
+  "backend",
+  "php",
+  "laravel",
+  "symfony",
+  "codeigniter",
+  "dotnet",
+  "csharp",
+  "asp.net",
+  "java",
+  "spring-boot",
+  "spring-mvc"
+];
 var SECURITY_RULES = [
   {
     id: "SEC-CRED-001",
     title: "Hardcoded credentials in source code",
     category: "security",
     severity: "critical",
-    appliesTo: ["react-native", "node", "mobile", "backend", "frontend"],
-    frameworks: ["OWASP MASVS V2", "CWE-798"],
+    appliesTo: ["react-native", "node", "mobile", "backend", "frontend", ...BACKEND_LANGUAGES],
+    frameworks: ["OWASP MASVS V2", "OWASP ASVS V2", "CWE-798"],
     detection: {
       type: "pattern",
       patterns: [
@@ -747,7 +799,7 @@ var SECURITY_RULES = [
     title: "Sensitive data (CPF/PII) logged or sent to external service",
     category: "security",
     severity: "high",
-    appliesTo: ["react-native", "node", "mobile", "backend"],
+    appliesTo: ["react-native", "node", "mobile", "backend", ...BACKEND_LANGUAGES],
     frameworks: ["OWASP MASVS V2", "CWE-532", "LGPD"],
     detection: {
       type: "pattern",
@@ -765,7 +817,7 @@ var SECURITY_RULES = [
     title: "Empty catch block swallowing errors silently",
     category: "security",
     severity: "medium",
-    appliesTo: ["react-native", "node", "mobile", "frontend", "backend"],
+    appliesTo: ["react-native", "node", "mobile", "frontend", "backend", ...BACKEND_LANGUAGES],
     frameworks: ["CWE-390", "Clean Code"],
     detection: {
       type: "pattern",
@@ -775,7 +827,7 @@ var SECURITY_RULES = [
       ]
     },
     impact: "Errors are silently discarded, masking bugs and security issues in production.",
-    recommendation: "Log errors to a monitoring service (Sentry, Crashlytics). Never leave catch blocks empty."
+    recommendation: "Log errors to a monitoring service (Sentry, Crashlytics, Application Insights). Never leave catch blocks empty."
   },
   {
     id: "SEC-STORE-001",
@@ -792,6 +844,132 @@ var SECURITY_RULES = [
     },
     impact: "Authentication tokens in AsyncStorage are accessible to other apps on rooted devices.",
     recommendation: "Use expo-secure-store, react-native-keychain, or native Keychain/Keystore APIs."
+  },
+  // ─── Regras multi-linguagem para backend (DT-003) ──────────────────────────
+  {
+    id: "SEC-SQL-001",
+    title: "Possible SQL injection via string concatenation",
+    category: "security",
+    severity: "critical",
+    appliesTo: BACKEND_LANGUAGES,
+    frameworks: ["OWASP ASVS V5", "OWASP Top 10 A03:2021", "CWE-89"],
+    detection: {
+      type: "pattern",
+      patterns: [
+        // PHP: keyword SQL na mesma linha que superglobal
+        "(SELECT|INSERT|UPDATE|DELETE)[^;]*\\$_(GET|POST|REQUEST|COOKIE)",
+        // .NET: SqlCommand/CommandText concatenando string
+        "(SqlCommand|CommandText)[^;{]*\\+\\s*\\w",
+        // Java: execute*/executeQuery/executeUpdate concatenando string
+        '(executeQuery|executeUpdate|execute)\\s*\\([^)]*"\\s*\\+'
+      ]
+    },
+    impact: "Attacker-controlled input concatenated into SQL allows arbitrary query execution, data exfiltration or database compromise.",
+    recommendation: "Use parameterized queries / prepared statements: PDO/mysqli in PHP (?-placeholders), SqlParameter in .NET, PreparedStatement in Java, or ORM bindings (Eloquent, EF Core, Hibernate) without raw concatenation."
+  },
+  {
+    id: "SEC-CRYPTO-001",
+    title: "Weak cryptographic hash (MD5/SHA-1)",
+    category: "security",
+    severity: "high",
+    appliesTo: BACKEND_LANGUAGES,
+    frameworks: ["OWASP ASVS V6", "CWE-327", "CWE-328"],
+    detection: {
+      type: "pattern",
+      patterns: [
+        // PHP: md5($x), sha1($x)
+        "\\b(md5|sha1)\\s*\\(",
+        // .NET: MD5.Create(), SHA1.Create()
+        "\\b(MD5|SHA1)\\.Create\\s*\\(",
+        // Java: MessageDigest.getInstance("MD5"/"SHA-1")
+        `MessageDigest\\.getInstance\\s*\\(\\s*["'](MD5|SHA-?1)["']`
+      ]
+    },
+    impact: "MD5 and SHA-1 are cryptographically broken \u2014 vulnerable to collisions and brute-force. Unsuitable for password hashing or integrity checks.",
+    recommendation: "For passwords: bcrypt/argon2 (password_hash in PHP, BCrypt.Net in .NET, Spring Security in Java). For integrity: SHA-256, SHA-3, or BLAKE2."
+  },
+  {
+    id: "SEC-DESER-001",
+    title: "Insecure deserialization of user-controlled data",
+    category: "security",
+    severity: "high",
+    appliesTo: BACKEND_LANGUAGES,
+    frameworks: ["OWASP ASVS V5", "OWASP Top 10 A08:2021", "CWE-502"],
+    detection: {
+      type: "pattern",
+      patterns: [
+        // PHP: unserialize de superglobais
+        "unserialize\\s*\\(\\s*\\$_(GET|POST|REQUEST|COOKIE)",
+        // .NET: BinaryFormatter/SoapFormatter/NetDataContractSerializer
+        "\\b(BinaryFormatter|SoapFormatter|NetDataContractSerializer)\\b",
+        // Java: chamada readObject() — específica de ObjectInputStream/XMLDecoder
+        "\\.readObject\\s*\\(\\s*\\)"
+      ]
+    },
+    impact: "Deserializing untrusted input can lead to remote code execution via gadget chains.",
+    recommendation: "Avoid native serialization for untrusted input. Prefer JSON with strict schemas (json_decode, System.Text.Json, Jackson with default-typing disabled)."
+  },
+  {
+    id: "SEC-CMD-001",
+    title: "Possible command injection via user-controlled input",
+    category: "security",
+    severity: "critical",
+    appliesTo: BACKEND_LANGUAGES,
+    frameworks: ["OWASP ASVS V5", "CWE-78"],
+    detection: {
+      type: "pattern",
+      patterns: [
+        // PHP: exec/system/passthru/shell_exec/popen com superglobal nos parens
+        "(exec|system|passthru|shell_exec|popen|proc_open)\\s*\\([^)]*\\$_(GET|POST|REQUEST|COOKIE)",
+        // .NET: Process.Start com Request
+        "Process\\.Start\\s*\\([^)]*\\bRequest\\b",
+        // Java: Runtime.exec com .getParameter (qualquer variável do servlet)
+        "Runtime\\.getRuntime\\s*\\(\\)\\.exec\\s*\\([^)]*\\.getParameter"
+      ]
+    },
+    impact: "Untrusted input passed to shell execution allows attackers to run arbitrary commands on the host.",
+    recommendation: "Avoid shell invocation when possible. If necessary, validate input against a strict allow-list and pass arguments as an array (not concatenated string)."
+  },
+  {
+    id: "SEC-PATH-001",
+    title: "Possible path traversal via user-controlled input",
+    category: "security",
+    severity: "high",
+    appliesTo: BACKEND_LANGUAGES,
+    frameworks: ["OWASP ASVS V12", "CWE-22"],
+    detection: {
+      type: "pattern",
+      patterns: [
+        // PHP: include/require/file_get_contents/fopen/readfile com superglobal
+        "(file_get_contents|fopen|readfile|file)\\s*\\([^)]*\\$_(GET|POST|REQUEST|COOKIE)",
+        "(include|require|include_once|require_once)\\s*\\(?[^;]*\\$_(GET|POST|REQUEST|COOKIE)",
+        // .NET: File.ReadAllText/OpenRead/Open com Request
+        "File\\.(ReadAllText|ReadAllBytes|OpenRead|Open|ReadAllLines)\\s*\\([^)]*\\bRequest\\b",
+        // Java: new File / new FileInputStream com .getParameter (qualquer var)
+        "(new\\s+File|new\\s+FileInputStream|new\\s+FileReader|Files\\.read)\\s*\\([^)]*\\.getParameter"
+      ]
+    },
+    impact: "User-controlled file paths allow attackers to read or include arbitrary files outside the intended directory.",
+    recommendation: "Validate against an allow-list of filenames, normalize the path (realpath in PHP, Path.GetFullPath in .NET, Path.normalize in Java) and confirm it stays under a known root directory."
+  },
+  {
+    id: "SEC-XSS-001",
+    title: "Cross-site scripting via unescaped output",
+    category: "security",
+    severity: "high",
+    appliesTo: BACKEND_LANGUAGES,
+    frameworks: ["OWASP ASVS V5", "OWASP Top 10 A03:2021", "CWE-79"],
+    detection: {
+      type: "pattern",
+      patterns: [
+        // PHP: echo/print de superglobal sem escape
+        "(echo|print)[^;]*\\$_(GET|POST|REQUEST|COOKIE)",
+        // .NET: Response.Write com Request
+        "Response\\.Write\\s*\\([^)]*\\bRequest\\b"
+      ]
+    },
+    impact: "Reflecting user input into HTML without escaping allows script injection in victims' browsers.",
+    recommendation: "PHP: htmlspecialchars() / Blade {{ }} / Twig auto-escape. .NET: Razor @ syntax (auto-escapes), HttpUtility.HtmlEncode. Java: JSTL <c:out> or Thymeleaf th:text."
   }
 ];
 var CODE_QUALITY_RULES = [
@@ -825,6 +1003,27 @@ var CODE_QUALITY_RULES = [
     },
     impact: "Transitive dependencies may be removed in future updates, causing silent breakage.",
     recommendation: "Declare all used packages explicitly in package.json or replace with native alternatives."
+  },
+  {
+    id: "CQ-DEPRECATED-001",
+    title: "Use of deprecated or removed language API",
+    category: "legacy_code",
+    severity: "medium",
+    appliesTo: BACKEND_LANGUAGES,
+    frameworks: ["Clean Code"],
+    detection: {
+      type: "pattern",
+      patterns: [
+        // PHP: mysql_* extension (removed in PHP 7)
+        "mysql_(connect|query|fetch_array|fetch_assoc|fetch_row|num_rows|real_escape_string|select_db)\\s*\\(",
+        // PHP: ereg/split (removed in PHP 7)
+        "\\b(ereg|eregi|ereg_replace|split)\\s*\\(",
+        // Java: legacy synchronized collections
+        "\\bnew\\s+(Vector|Hashtable)\\s*[(<]"
+      ]
+    },
+    impact: "Deprecated APIs are unsupported and may be removed in future runtime versions, causing breakage. They often have safer modern replacements.",
+    recommendation: "PHP: migrate mysql_* to PDO or mysqli; ereg_* to preg_*. Java: replace Vector with ArrayList and Hashtable with HashMap (or ConcurrentHashMap if thread-safety needed)."
   }
 ];
 var ALL_RULES = [...SECURITY_RULES, ...CODE_QUALITY_RULES];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "legacy-squad",
-  "version": "1.0.0-beta.5",
+  "version": "1.0.0-beta.6",
   "description": "AI-Powered Legacy Modernization Platform — Install-first, IDE-native, evidence-driven framework that transforms legacy systems into modernization-ready assets.",
   "keywords": [
     "legacy",