mcp-security-scanner 1.0.0

package/dist/runtime/tool-analyzer.js

@@ -0,0 +1,92 @@
+import { POISONING_PATTERNS, ANSI_PATTERNS, UNICODE_STEGO_PATTERNS } from "../data/poisoning-patterns.js";
+export function analyzePoisoning(tools) {
+    const findings = [];
+    let counter = 1;
+    for (const tool of tools) {
+        const textsToCheck = [
+            { label: "description", value: tool.description ?? "" },
+        ];
+        // Also check schema field descriptions
+        if (tool.inputSchema && typeof tool.inputSchema === "object") {
+            const props = tool.inputSchema.properties;
+            if (props && typeof props === "object") {
+                for (const [key, val] of Object.entries(props)) {
+                    if (val && typeof val === "object" && "description" in val) {
+                        textsToCheck.push({ label: `schema.${key}.description`, value: val.description ?? "" });
+                    }
+                }
+            }
+        }
+        for (const { label, value } of textsToCheck) {
+            for (const pattern of POISONING_PATTERNS) {
+                if (pattern.pattern.test(value)) {
+                    findings.push({
+                        id: `RT-POISON-${String(counter++).padStart(3, "0")}`,
+                        title: `Tool Poisoning: ${pattern.name}`,
+                        severity: pattern.severity,
+                        owasp_mcp: "MCP03",
+                        owasp_mcp_title: "Tool Poisoning via Description Injection",
+                        category: "runtime",
+                        evidence: `Tool "${tool.name}" ${label}: matched pattern "${pattern.name}" — "${value.substring(0, 200)}"`,
+                        remediation: "Review and sanitize tool description. Pin tool definitions and verify hashes regularly.",
+                        cwe: "CWE-94",
+                        references: ["https://invariantlabs.ai/blog/mcp-security-notification-tool-poisoning-attacks"],
+                    });
+                }
+            }
+        }
+    }
+    return findings;
+}
+export function analyzeAnsiInjection(tools) {
+    const findings = [];
+    let counter = 1;
+    for (const tool of tools) {
+        const desc = tool.description ?? "";
+        for (const pattern of ANSI_PATTERNS) {
+            if (pattern.test(desc)) {
+                findings.push({
+                    id: `RT-ANSI-${String(counter++).padStart(3, "0")}`,
+                    title: `ANSI Escape Injection in "${tool.name}"`,
+                    severity: "high",
+                    owasp_mcp: "MCP03",
+                    owasp_mcp_title: "Tool Poisoning via Description Injection",
+                    category: "runtime",
+                    evidence: `Tool "${tool.name}" description contains ANSI escape sequences that can hide text from terminal display while LLM still processes it`,
+                    remediation: "Strip all ANSI escape sequences from tool descriptions. Use a sanitization library.",
+                    cwe: "CWE-116",
+                });
+                break; // one finding per tool for ANSI
+            }
+        }
+    }
+    return findings;
+}
+export function analyzeUnicodeSteganography(tools) {
+    const findings = [];
+    let counter = 1;
+    for (const tool of tools) {
+        const desc = tool.description ?? "";
+        const matched = [];
+        for (const stego of UNICODE_STEGO_PATTERNS) {
+            if (stego.pattern.test(desc)) {
+                matched.push(`${stego.name} (${stego.description})`);
+            }
+        }
+        if (matched.length > 0) {
+            findings.push({
+                id: `RT-UNICODE-${String(counter++).padStart(3, "0")}`,
+                title: `Hidden Unicode Characters in "${tool.name}"`,
+                severity: "high",
+                owasp_mcp: "MCP03",
+                owasp_mcp_title: "Tool Poisoning via Description Injection",
+                category: "runtime",
+                evidence: `Tool "${tool.name}" description contains ${matched.length} hidden Unicode character types: ${matched.join(", ")}`,
+                remediation: "Strip all zero-width and invisible Unicode characters from tool descriptions.",
+                cwe: "CWE-116",
+            });
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=tool-analyzer.js.map

package/dist/runtime/tool-analyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-analyzer.js","sourceRoot":"","sources":["../../src/runtime/tool-analyzer.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,kBAAkB,EAAE,aAAa,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAC;AAE1G,MAAM,UAAU,gBAAgB,CAAC,KAAmB;IAClD,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,YAAY,GAAG;YACnB,EAAE,KAAK,EAAE,aAAa,EAAE,KAAK,EAAE,IAAI,CAAC,WAAW,IAAI,EAAE,EAAE;SACxD,CAAC;QAEF,uCAAuC;QACvC,IAAI,IAAI,CAAC,WAAW,IAAI,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;YAC7D,MAAM,KAAK,GAAI,IAAI,CAAC,WAAmB,CAAC,UAAU,CAAC;YACnD,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACvC,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC/C,IAAI,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,aAAa,IAAI,GAAG,EAAE,CAAC;wBAC3D,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,GAAG,cAAc,EAAE,KAAK,EAAG,GAAW,CAAC,WAAW,IAAI,EAAE,EAAE,CAAC,CAAC;oBACnG,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,KAAK,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,YAAY,EAAE,CAAC;YAC5C,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;gBACzC,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;oBAChC,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,aAAa,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;wBACrD,KAAK,EAAE,mBAAmB,OAAO,CAAC,IAAI,EAAE;wBACxC,QAAQ,EAAE,OAAO,CAAC,QAAQ;wBAC1B,SAAS,EAAE,OAAO;wBAClB,eAAe,EAAE,0CAA0C;wBAC3D,QAAQ,EAAE,SAAS;wBACnB,QAAQ,EAAE,SAAS,IAAI,CAAC,IAAI,KAAK,KAAK,sBAAsB,OAAO,CAAC,IAAI,QAAQ,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG;wBAC1G,WAAW,EAAE,yFAAyF;wBACtG,GAAG,EAAE,QAAQ;wBACb,UAAU,EAAE,CAAC,gFAAgF,CAAC;qBAC/F,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,KAAmB;IACtD,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;QACpC,KAAK,MAAM,OAAO,IAAI,aAAa,EAAE,CAAC;YACpC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,WAAW,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;oBACnD,KAAK,EAAE,6BAA6B,IAAI,CAAC,IAAI,GAAG;oBAChD,QAAQ,EAAE,MAAM;oBAChB,SAAS,EAAE,OAAO;oBAClB,eAAe,EAAE,0CAA0C;oBAC3D,QAAQ,EAAE,SAAS;oBACnB,QAAQ,EAAE,SAAS,IAAI,CAAC,IAAI,oHAAoH;oBAChJ,WAAW,EAAE,qFAAqF;oBAClG,GAAG,EAAE,SAAS;iBACf,CAAC,CAAC;gBACH,MAAM,CAAC,gCAAgC;YACzC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,KAAmB;IAC7D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;QACpC,MAAM,OAAO,GAAa,EAAE,CAAC;QAE7B,KAAK,MAAM,KAAK,IAAI,sBAAsB,EAAE,CAAC;YAC3C,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,OAAO,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,IAAI,KAAK,KAAK,CAAC,WAAW,GAAG,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,cAAc,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACtD,KAAK,EAAE,iCAAiC,IAAI,CAAC,IAAI,GAAG;gBACpD,QAAQ,EAAE,MAAM;gBAChB,SAAS,EAAE,OAAO;gBAClB,eAAe,EAAE,0CAA0C;gBAC3D,QAAQ,EAAE,SAAS;gBACnB,QAAQ,EAAE,SAAS,IAAI,CAAC,IAAI,0BAA0B,OAAO,CAAC,MAAM,oCAAoC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAC5H,WAAW,EAAE,+EAA+E;gBAC5F,GAAG,EAAE,SAAS;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/static/analyzers/code-execution.d.ts

@@ -0,0 +1,4 @@
+import type { SourceFile } from "ts-morph";
+import type { Finding } from "../../types/findings.js";
+export declare function analyzeCodeExecution(sourceFiles: SourceFile[]): Finding[];
+//# sourceMappingURL=code-execution.d.ts.map

package/dist/static/analyzers/code-execution.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"code-execution.d.ts","sourceRoot":"","sources":["../../../src/static/analyzers/code-execution.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAQvD,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,OAAO,EAAE,CAqEzE"}

package/dist/static/analyzers/code-execution.js

@@ -0,0 +1,72 @@
+import { findCallExpressions, getCallName, getQualifiedCallName, getLocation, SyntaxKind } from "../ast-engine.js";
+import { getCallEvidence } from "../taint-tracker.js";
+const DANGEROUS_GLOBALS = new Set(["eval"]);
+const DANGEROUS_QUALIFIED = new Set(["vm.runInNewContext", "vm.runInThisContext", "vm.compileFunction"]);
+const DANGEROUS_NEW = new Set(["Function", "vm.Script"]);
+export function analyzeCodeExecution(sourceFiles) {
+    const findings = [];
+    let counter = 0;
+    for (const sf of sourceFiles) {
+        // Check call expressions
+        const calls = findCallExpressions(sf);
+        for (const call of calls) {
+            const name = getCallName(call);
+            const qname = getQualifiedCallName(call);
+            let found = false;
+            if (DANGEROUS_GLOBALS.has(name))
+                found = true;
+            if (DANGEROUS_QUALIFIED.has(qname))
+                found = true;
+            // setTimeout/setInterval with string argument
+            if ((name === "setTimeout" || name === "setInterval") && call.getArguments().length > 0) {
+                const firstArg = call.getArguments()[0];
+                if (firstArg.getKind() === SyntaxKind.StringLiteral || firstArg.getKind() === SyntaxKind.TemplateExpression) {
+                    found = true;
+                }
+            }
+            if (found) {
+                const loc = getLocation(call);
+                counter++;
+                findings.push({
+                    id: `SAST-EXEC-${String(counter).padStart(3, "0")}`,
+                    title: `Dangerous Code Execution: ${qname || name}()`,
+                    severity: "critical",
+                    owasp_mcp: "MCP05",
+                    owasp_mcp_title: "Command Injection & Code Execution",
+                    category: "static",
+                    file: loc.file,
+                    line: loc.line,
+                    column: loc.column,
+                    evidence: getCallEvidence(call),
+                    remediation: "Remove eval/Function/vm usage entirely. If dynamic behavior is needed, use a safe sandboxing approach or predefined function maps.",
+                    cwe: "CWE-94",
+                });
+            }
+        }
+        // Check new expressions: new Function(...)
+        const newExprs = sf.getDescendantsOfKind(SyntaxKind.NewExpression);
+        for (const expr of newExprs) {
+            const name = expr.getExpression().getText();
+            if (DANGEROUS_NEW.has(name)) {
+                const loc = getLocation(expr);
+                counter++;
+                findings.push({
+                    id: `SAST-EXEC-${String(counter).padStart(3, "0")}`,
+                    title: `Dangerous Code Execution: new ${name}()`,
+                    severity: "critical",
+                    owasp_mcp: "MCP05",
+                    owasp_mcp_title: "Command Injection & Code Execution",
+                    category: "static",
+                    file: loc.file,
+                    line: loc.line,
+                    column: loc.column,
+                    evidence: expr.getText().substring(0, 200),
+                    remediation: "Never use new Function() or new vm.Script() with untrusted input. Use predefined function maps instead.",
+                    cwe: "CWE-94",
+                });
+            }
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=code-execution.js.map

package/dist/static/analyzers/code-execution.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"code-execution.js","sourceRoot":"","sources":["../../../src/static/analyzers/code-execution.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,mBAAmB,EAAE,WAAW,EAAE,oBAAoB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AACnH,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;AAC5C,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC,CAAC,oBAAoB,EAAE,qBAAqB,EAAE,oBAAoB,CAAC,CAAC,CAAC;AACzG,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC;AAEzD,MAAM,UAAU,oBAAoB,CAAC,WAAyB;IAC5D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;QAC7B,yBAAyB;QACzB,MAAM,KAAK,GAAG,mBAAmB,CAAC,EAAE,CAAC,CAAC;QACtC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;YAC/B,MAAM,KAAK,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;YAEzC,IAAI,KAAK,GAAG,KAAK,CAAC;YAClB,IAAI,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,KAAK,GAAG,IAAI,CAAC;YAC9C,IAAI,mBAAmB,CAAC,GAAG,CAAC,KAAK,CAAC;gBAAE,KAAK,GAAG,IAAI,CAAC;YAEjD,8CAA8C;YAC9C,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,KAAK,aAAa,CAAC,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxF,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC;gBACxC,IAAI,QAAQ,CAAC,OAAO,EAAE,KAAK,UAAU,CAAC,aAAa,IAAI,QAAQ,CAAC,OAAO,EAAE,KAAK,UAAU,CAAC,kBAAkB,EAAE,CAAC;oBAC5G,KAAK,GAAG,IAAI,CAAC;gBACf,CAAC;YACH,CAAC;YAED,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;gBAC9B,OAAO,EAAE,CAAC;gBACV,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,aAAa,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;oBACnD,KAAK,EAAE,6BAA6B,KAAK,IAAI,IAAI,IAAI;oBACrD,QAAQ,EAAE,UAAU;oBACpB,SAAS,EAAE,OAAO;oBAClB,eAAe,EAAE,oCAAoC;oBACrD,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,QAAQ,EAAE,eAAe,CAAC,IAAI,CAAC;oBAC/B,WAAW,EAAE,oIAAoI;oBACjJ,GAAG,EAAE,QAAQ;iBACd,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,2CAA2C;QAC3C,MAAM,QAAQ,GAAG,EAAE,CAAC,oBAAoB,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;QACnE,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC,OAAO,EAAE,CAAC;YAC5C,IAAI,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC5B,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;gBAC9B,OAAO,EAAE,CAAC;gBACV,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,aAAa,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;oBACnD,KAAK,EAAE,iCAAiC,IAAI,IAAI;oBAChD,QAAQ,EAAE,UAAU;oBACpB,SAAS,EAAE,OAAO;oBAClB,eAAe,EAAE,oCAAoC;oBACrD,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,QAAQ,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC1C,WAAW,EAAE,yGAAyG;oBACtH,GAAG,EAAE,QAAQ;iBACd,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/static/analyzers/command-injection.d.ts

@@ -0,0 +1,4 @@
+import type { SourceFile } from "ts-morph";
+import type { Finding } from "../../types/findings.js";
+export declare function analyzeCommandInjection(sourceFiles: SourceFile[]): Finding[];
+//# sourceMappingURL=command-injection.d.ts.map

package/dist/static/analyzers/command-injection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-injection.d.ts","sourceRoot":"","sources":["../../../src/static/analyzers/command-injection.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAOvD,wBAAgB,uBAAuB,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,OAAO,EAAE,CA2D5E"}

package/dist/static/analyzers/command-injection.js

@@ -0,0 +1,62 @@
+import { findCallExpressions, getCallName, getLocation, containsUserInput, hasShellTrue } from "../ast-engine.js";
+import { getCallEvidence } from "../taint-tracker.js";
+import { COMMAND_INJECTION_SINKS } from "../../data/dangerous-sinks.js";
+const sinkNames = new Set(COMMAND_INJECTION_SINKS.map(s => s.name));
+export function analyzeCommandInjection(sourceFiles) {
+    const findings = [];
+    let counter = 0;
+    for (const sf of sourceFiles) {
+        const calls = findCallExpressions(sf);
+        for (const call of calls) {
+            const name = getCallName(call);
+            if (!sinkNames.has(name))
+                continue;
+            const sink = COMMAND_INJECTION_SINKS.find(s => s.name === name);
+            // For spawn/spawnSync, only flag if shell:true
+            if ((name === "spawn" || name === "spawnSync") && !hasShellTrue(call))
+                continue;
+            // Check if arguments contain user input
+            const tainted = containsUserInput(call);
+            const loc = getLocation(call);
+            if (tainted) {
+                counter++;
+                findings.push({
+                    id: `SAST-CMD-${String(counter).padStart(3, "0")}`,
+                    title: `Command Injection via ${name}()`,
+                    severity: sink.severity,
+                    owasp_mcp: "MCP05",
+                    owasp_mcp_title: "Command Injection & Code Execution",
+                    category: "static",
+                    file: loc.file,
+                    line: loc.line,
+                    column: loc.column,
+                    evidence: getCallEvidence(call),
+                    remediation: name === "exec" || name === "execSync"
+                        ? "Replace exec/execSync with execFile and pass arguments as an array. Never interpolate user input into shell commands."
+                        : "Ensure shell:true is not used with user-controlled arguments. Use argument arrays instead of command strings.",
+                    cwe: "CWE-78",
+                });
+            }
+            else if (name === "exec" || name === "execSync") {
+                // exec/execSync are always risky even without detected taint
+                counter++;
+                findings.push({
+                    id: `SAST-CMD-${String(counter).padStart(3, "0")}`,
+                    title: `Potentially Dangerous ${name}() Usage`,
+                    severity: "medium",
+                    owasp_mcp: "MCP05",
+                    owasp_mcp_title: "Command Injection & Code Execution",
+                    category: "static",
+                    file: loc.file,
+                    line: loc.line,
+                    column: loc.column,
+                    evidence: getCallEvidence(call),
+                    remediation: "Prefer execFile() with argument arrays. Audit all inputs to exec/execSync for injection risks.",
+                    cwe: "CWE-78",
+                });
+            }
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=command-injection.js.map

package/dist/static/analyzers/command-injection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"command-injection.js","sourceRoot":"","sources":["../../../src/static/analyzers/command-injection.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,mBAAmB,EAAE,WAAW,EAAwB,WAAW,EAAE,iBAAiB,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AACxI,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,uBAAuB,EAAE,MAAM,+BAA+B,CAAC;AAExE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;AAEpE,MAAM,UAAU,uBAAuB,CAAC,WAAyB;IAC/D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,mBAAmB,CAAC,EAAE,CAAC,CAAC;QACtC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;YAC/B,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEnC,MAAM,IAAI,GAAG,uBAAuB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAE,CAAC;YAEjE,+CAA+C;YAC/C,IAAI,CAAC,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,WAAW,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEhF,wCAAwC;YACxC,MAAM,OAAO,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;YAE9B,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,EAAE,CAAC;gBACV,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,YAAY,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;oBAClD,KAAK,EAAE,yBAAyB,IAAI,IAAI;oBACxC,QAAQ,EAAE,IAAI,CAAC,QAA+B;oBAC9C,SAAS,EAAE,OAAO;oBAClB,eAAe,EAAE,oCAAoC;oBACrD,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,QAAQ,EAAE,eAAe,CAAC,IAAI,CAAC;oBAC/B,WAAW,EAAE,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,UAAU;wBACjD,CAAC,CAAC,uHAAuH;wBACzH,CAAC,CAAC,+GAA+G;oBACnH,GAAG,EAAE,QAAQ;iBACd,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,IAAI,KAAK,MAAM,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;gBAClD,6DAA6D;gBAC7D,OAAO,EAAE,CAAC;gBACV,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,YAAY,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;oBAClD,KAAK,EAAE,yBAAyB,IAAI,UAAU;oBAC9C,QAAQ,EAAE,QAAQ;oBAClB,SAAS,EAAE,OAAO;oBAClB,eAAe,EAAE,oCAAoC;oBACrD,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,QAAQ,EAAE,eAAe,CAAC,IAAI,CAAC;oBAC/B,WAAW,EAAE,gGAAgG;oBAC7G,GAAG,EAAE,QAAQ;iBACd,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/static/analyzers/info-disclosure.d.ts

@@ -0,0 +1,4 @@
+import type { SourceFile } from "ts-morph";
+import type { Finding } from "../../types/findings.js";
+export declare function analyzeInfoDisclosure(sourceFiles: SourceFile[]): Finding[];
+//# sourceMappingURL=info-disclosure.d.ts.map

package/dist/static/analyzers/info-disclosure.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"info-disclosure.d.ts","sourceRoot":"","sources":["../../../src/static/analyzers/info-disclosure.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAIvD,wBAAgB,qBAAqB,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,OAAO,EAAE,CAiE1E"}

package/dist/static/analyzers/info-disclosure.js

@@ -0,0 +1,65 @@
+import { findCallExpressions, getQualifiedCallName, getLocation, SyntaxKind } from "../ast-engine.js";
+import { getCallEvidence } from "../taint-tracker.js";
+export function analyzeInfoDisclosure(sourceFiles) {
+    const findings = [];
+    let counter = 0;
+    for (const sf of sourceFiles) {
+        const calls = findCallExpressions(sf);
+        for (const call of calls) {
+            const qname = getQualifiedCallName(call);
+            // console.log with sensitive variable names
+            if (qname === "console.log" || qname === "console.debug") {
+                const text = call.getText();
+                if (/(?:apiKey|api_key|secret|password|token|credential|auth)/i.test(text)) {
+                    const loc = getLocation(call);
+                    counter++;
+                    findings.push({
+                        id: `SAST-INFO-${String(counter).padStart(3, "0")}`,
+                        title: "Sensitive Data in Console Log",
+                        severity: "medium",
+                        owasp_mcp: "MCP08",
+                        owasp_mcp_title: "Insufficient Logging & Error Handling",
+                        category: "static",
+                        file: loc.file,
+                        line: loc.line,
+                        column: loc.column,
+                        evidence: getCallEvidence(call),
+                        remediation: "Remove console.log statements that output sensitive data. Use a structured logger with redaction capabilities.",
+                        cwe: "CWE-532",
+                    });
+                }
+            }
+        }
+        // Check for process.env serialization in responses
+        const propAccess = sf.getDescendantsOfKind(SyntaxKind.PropertyAccessExpression);
+        for (const pa of propAccess) {
+            if (pa.getText() === "process.env") {
+                // Check if it's being serialized (JSON.stringify, spread, etc.)
+                const parent = pa.getParent();
+                if (parent) {
+                    const parentText = parent.getText();
+                    if (/JSON\.stringify|\.\.\.process\.env|Object\.(keys|values|entries)\(process\.env\)/.test(parentText)) {
+                        const loc = getLocation(pa);
+                        counter++;
+                        findings.push({
+                            id: `SAST-INFO-${String(counter).padStart(3, "0")}`,
+                            title: "Full process.env Serialization",
+                            severity: "high",
+                            owasp_mcp: "MCP10",
+                            owasp_mcp_title: "Context Over-sharing & Data Exposure",
+                            category: "static",
+                            file: loc.file,
+                            line: loc.line,
+                            column: loc.column,
+                            evidence: parentText.substring(0, 200),
+                            remediation: "Never serialize the entire process.env. Access only the specific environment variables needed.",
+                            cwe: "CWE-200",
+                        });
+                    }
+                }
+            }
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=info-disclosure.js.map

package/dist/static/analyzers/info-disclosure.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"info-disclosure.js","sourceRoot":"","sources":["../../../src/static/analyzers/info-disclosure.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,mBAAmB,EAAe,oBAAoB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AACnH,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,MAAM,UAAU,qBAAqB,CAAC,WAAyB;IAC7D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,mBAAmB,CAAC,EAAE,CAAC,CAAC;QACtC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,KAAK,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;YAEzC,4CAA4C;YAC5C,IAAI,KAAK,KAAK,aAAa,IAAI,KAAK,KAAK,eAAe,EAAE,CAAC;gBACzD,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;gBAC5B,IAAI,2DAA2D,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC3E,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;oBAC9B,OAAO,EAAE,CAAC;oBACV,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,aAAa,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;wBACnD,KAAK,EAAE,+BAA+B;wBACtC,QAAQ,EAAE,QAAQ;wBAClB,SAAS,EAAE,OAAO;wBAClB,eAAe,EAAE,uCAAuC;wBACxD,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,MAAM,EAAE,GAAG,CAAC,MAAM;wBAClB,QAAQ,EAAE,eAAe,CAAC,IAAI,CAAC;wBAC/B,WAAW,EAAE,gHAAgH;wBAC7H,GAAG,EAAE,SAAS;qBACf,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,mDAAmD;QACnD,MAAM,UAAU,GAAG,EAAE,CAAC,oBAAoB,CAAC,UAAU,CAAC,wBAAwB,CAAC,CAAC;QAChF,KAAK,MAAM,EAAE,IAAI,UAAU,EAAE,CAAC;YAC5B,IAAI,EAAE,CAAC,OAAO,EAAE,KAAK,aAAa,EAAE,CAAC;gBACnC,gEAAgE;gBAChE,MAAM,MAAM,GAAG,EAAE,CAAC,SAAS,EAAE,CAAC;gBAC9B,IAAI,MAAM,EAAE,CAAC;oBACX,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;oBACpC,IAAI,kFAAkF,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;wBACxG,MAAM,GAAG,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;wBAC5B,OAAO,EAAE,CAAC;wBACV,QAAQ,CAAC,IAAI,CAAC;4BACZ,EAAE,EAAE,aAAa,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;4BACnD,KAAK,EAAE,gCAAgC;4BACvC,QAAQ,EAAE,MAAM;4BAChB,SAAS,EAAE,OAAO;4BAClB,eAAe,EAAE,sCAAsC;4BACvD,QAAQ,EAAE,QAAQ;4BAClB,IAAI,EAAE,GAAG,CAAC,IAAI;4BACd,IAAI,EAAE,GAAG,CAAC,IAAI;4BACd,MAAM,EAAE,GAAG,CAAC,MAAM;4BAClB,QAAQ,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;4BACtC,WAAW,EAAE,gGAAgG;4BAC7G,GAAG,EAAE,SAAS;yBACf,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/static/analyzers/insecure-crypto.d.ts

@@ -0,0 +1,4 @@
+import type { SourceFile } from "ts-morph";
+import type { Finding } from "../../types/findings.js";
+export declare function analyzeInsecureCrypto(sourceFiles: SourceFile[]): Finding[];
+//# sourceMappingURL=insecure-crypto.d.ts.map

package/dist/static/analyzers/insecure-crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"insecure-crypto.d.ts","sourceRoot":"","sources":["../../../src/static/analyzers/insecure-crypto.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAIvD,wBAAgB,qBAAqB,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,OAAO,EAAE,CAkE1E"}

package/dist/static/analyzers/insecure-crypto.js

@@ -0,0 +1,65 @@
+import { findCallExpressions, getCallName, getQualifiedCallName, getLocation } from "../ast-engine.js";
+import { getCallEvidence } from "../taint-tracker.js";
+export function analyzeInsecureCrypto(sourceFiles) {
+    const findings = [];
+    let counter = 0;
+    for (const sf of sourceFiles) {
+        const calls = findCallExpressions(sf);
+        for (const call of calls) {
+            const name = getCallName(call);
+            const qname = getQualifiedCallName(call);
+            // createHash with weak algorithm
+            if (name === "createHash") {
+                const args = call.getArguments();
+                if (args.length > 0) {
+                    const algo = args[0].getText().replace(/['"]/g, "").toLowerCase();
+                    if (algo === "md5" || algo === "sha1") {
+                        const loc = getLocation(call);
+                        counter++;
+                        findings.push({
+                            id: `SAST-CRYPTO-${String(counter).padStart(3, "0")}`,
+                            title: `Weak Hash Algorithm: ${algo.toUpperCase()}`,
+                            severity: "medium",
+                            owasp_mcp: "MCP05",
+                            owasp_mcp_title: "Command Injection & Code Execution",
+                            category: "static",
+                            file: loc.file,
+                            line: loc.line,
+                            column: loc.column,
+                            evidence: getCallEvidence(call),
+                            remediation: `Replace ${algo} with SHA-256 or SHA-3 for security-sensitive hashing. MD5 and SHA-1 are cryptographically broken.`,
+                            cwe: "CWE-328",
+                        });
+                    }
+                }
+            }
+            // Math.random() for security
+            if (qname === "Math.random") {
+                // Check context — is it used for tokens, keys, nonces?
+                const parent = call.getParent();
+                const grandparent = parent?.getParent();
+                const contextText = (grandparent?.getText() ?? parent?.getText() ?? "").toLowerCase();
+                if (/token|secret|key|nonce|salt|random.*id|session|csrf|otp/.test(contextText)) {
+                    const loc = getLocation(call);
+                    counter++;
+                    findings.push({
+                        id: `SAST-CRYPTO-${String(counter).padStart(3, "0")}`,
+                        title: "Math.random() Used for Security-Sensitive Value",
+                        severity: "high",
+                        owasp_mcp: "MCP05",
+                        owasp_mcp_title: "Command Injection & Code Execution",
+                        category: "static",
+                        file: loc.file,
+                        line: loc.line,
+                        column: loc.column,
+                        evidence: getCallEvidence(call),
+                        remediation: "Use crypto.randomBytes() or crypto.randomUUID() instead of Math.random() for security-sensitive random values.",
+                        cwe: "CWE-338",
+                    });
+                }
+            }
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=insecure-crypto.js.map

package/dist/static/analyzers/insecure-crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"insecure-crypto.js","sourceRoot":"","sources":["../../../src/static/analyzers/insecure-crypto.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,mBAAmB,EAAE,WAAW,EAAE,oBAAoB,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AACvG,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,MAAM,UAAU,qBAAqB,CAAC,WAAyB;IAC7D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,mBAAmB,CAAC,EAAE,CAAC,CAAC;QACtC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;YAC/B,MAAM,KAAK,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;YAEzC,iCAAiC;YACjC,IAAI,IAAI,KAAK,YAAY,EAAE,CAAC;gBAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;gBACjC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACpB,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;oBAClE,IAAI,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;wBACtC,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;wBAC9B,OAAO,EAAE,CAAC;wBACV,QAAQ,CAAC,IAAI,CAAC;4BACZ,EAAE,EAAE,eAAe,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;4BACrD,KAAK,EAAE,wBAAwB,IAAI,CAAC,WAAW,EAAE,EAAE;4BACnD,QAAQ,EAAE,QAAQ;4BAClB,SAAS,EAAE,OAAO;4BAClB,eAAe,EAAE,oCAAoC;4BACrD,QAAQ,EAAE,QAAQ;4BAClB,IAAI,EAAE,GAAG,CAAC,IAAI;4BACd,IAAI,EAAE,GAAG,CAAC,IAAI;4BACd,MAAM,EAAE,GAAG,CAAC,MAAM;4BAClB,QAAQ,EAAE,eAAe,CAAC,IAAI,CAAC;4BAC/B,WAAW,EAAE,WAAW,IAAI,oGAAoG;4BAChI,GAAG,EAAE,SAAS;yBACf,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;YAED,6BAA6B;YAC7B,IAAI,KAAK,KAAK,aAAa,EAAE,CAAC;gBAC5B,uDAAuD;gBACvD,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;gBAChC,MAAM,WAAW,GAAG,MAAM,EAAE,SAAS,EAAE,CAAC;gBACxC,MAAM,WAAW,GAAG,CAAC,WAAW,EAAE,OAAO,EAAE,IAAI,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;gBAEtF,IAAI,yDAAyD,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;oBAChF,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;oBAC9B,OAAO,EAAE,CAAC;oBACV,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,eAAe,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;wBACrD,KAAK,EAAE,iDAAiD;wBACxD,QAAQ,EAAE,MAAM;wBAChB,SAAS,EAAE,OAAO;wBAClB,eAAe,EAAE,oCAAoC;wBACrD,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,MAAM,EAAE,GAAG,CAAC,MAAM;wBAClB,QAAQ,EAAE,eAAe,CAAC,IAAI,CAAC;wBAC/B,WAAW,EAAE,gHAAgH;wBAC7H,GAAG,EAAE,SAAS;qBACf,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/static/analyzers/logging-audit.d.ts

@@ -0,0 +1,4 @@
+import type { SourceFile } from "ts-morph";
+import type { Finding } from "../../types/findings.js";
+export declare function analyzeLogging(sourceFiles: SourceFile[]): Finding[];
+//# sourceMappingURL=logging-audit.d.ts.map

package/dist/static/analyzers/logging-audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logging-audit.d.ts","sourceRoot":"","sources":["../../../src/static/analyzers/logging-audit.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAIvD,wBAAgB,cAAc,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,OAAO,EAAE,CAiFnE"}

package/dist/static/analyzers/logging-audit.js

@@ -0,0 +1,81 @@
+import { getLocation, SyntaxKind } from "../ast-engine.js";
+import { findToolHandlers, isEmptyCatch } from "../taint-tracker.js";
+export function analyzeLogging(sourceFiles) {
+    const findings = [];
+    let counter = 0;
+    for (const sf of sourceFiles) {
+        // Check for empty catch blocks
+        const catchClauses = sf.getDescendantsOfKind(SyntaxKind.CatchClause);
+        for (const cc of catchClauses) {
+            if (isEmptyCatch(cc)) {
+                const loc = getLocation(cc);
+                counter++;
+                findings.push({
+                    id: `SAST-LOG-${String(counter).padStart(3, "0")}`,
+                    title: "Empty Catch Block",
+                    severity: "medium",
+                    owasp_mcp: "MCP08",
+                    owasp_mcp_title: "Insufficient Logging & Error Handling",
+                    category: "static",
+                    file: loc.file,
+                    line: loc.line,
+                    column: loc.column,
+                    evidence: "catch block with no statements — errors are silently swallowed",
+                    remediation: "Log or re-throw caught errors. Silent catch blocks hide failures and make debugging impossible.",
+                    cwe: "CWE-390",
+                });
+            }
+            // Check if catch block exposes stack trace
+            const block = cc.getChildrenOfKind(SyntaxKind.Block)[0];
+            if (block) {
+                const text = block.getText();
+                if (/err\.stack|error\.stack|e\.stack/.test(text) && /return|content|text|json|respond/.test(text)) {
+                    const loc = getLocation(cc);
+                    counter++;
+                    findings.push({
+                        id: `SAST-LOG-${String(counter).padStart(3, "0")}`,
+                        title: "Stack Trace Exposure in Response",
+                        severity: "medium",
+                        owasp_mcp: "MCP08",
+                        owasp_mcp_title: "Insufficient Logging & Error Handling",
+                        category: "static",
+                        file: loc.file,
+                        line: loc.line,
+                        column: loc.column,
+                        evidence: "err.stack is included in response — reveals internal paths and code structure",
+                        remediation: "Return generic error messages to clients. Log stack traces server-side only.",
+                        cwe: "CWE-209",
+                    });
+                }
+            }
+        }
+        // Check tool handlers for missing try-catch
+        const handlers = findToolHandlers(sf);
+        for (const handler of handlers) {
+            const body = handler.getText();
+            if (!body.includes("try") && !body.includes("catch")) {
+                // Only flag if the handler has meaningful logic (not just a return)
+                if (body.split("\n").length > 5) {
+                    const loc = getLocation(handler);
+                    counter++;
+                    findings.push({
+                        id: `SAST-LOG-${String(counter).padStart(3, "0")}`,
+                        title: "Tool Handler Without Error Handling",
+                        severity: "low",
+                        owasp_mcp: "MCP08",
+                        owasp_mcp_title: "Insufficient Logging & Error Handling",
+                        category: "static",
+                        file: loc.file,
+                        line: loc.line,
+                        column: loc.column,
+                        evidence: "Tool execute function has no try-catch block",
+                        remediation: "Wrap tool handler bodies in try-catch to handle errors gracefully and return meaningful error messages.",
+                        cwe: "CWE-755",
+                    });
+                }
+            }
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=logging-audit.js.map

package/dist/static/analyzers/logging-audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logging-audit.js","sourceRoot":"","sources":["../../../src/static/analyzers/logging-audit.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAoB,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAEvF,MAAM,UAAU,cAAc,CAAC,WAAyB;IACtD,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;QAC7B,+BAA+B;QAC/B,MAAM,YAAY,GAAG,EAAE,CAAC,oBAAoB,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;QACrE,KAAK,MAAM,EAAE,IAAI,YAAY,EAAE,CAAC;YAC9B,IAAI,YAAY,CAAC,EAAE,CAAC,EAAE,CAAC;gBACrB,MAAM,GAAG,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;gBAC5B,OAAO,EAAE,CAAC;gBACV,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,YAAY,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;oBAClD,KAAK,EAAE,mBAAmB;oBAC1B,QAAQ,EAAE,QAAQ;oBAClB,SAAS,EAAE,OAAO;oBAClB,eAAe,EAAE,uCAAuC;oBACxD,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,IAAI,EAAE,GAAG,CAAC,IAAI;oBACd,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,QAAQ,EAAE,gEAAgE;oBAC1E,WAAW,EAAE,iGAAiG;oBAC9G,GAAG,EAAE,SAAS;iBACf,CAAC,CAAC;YACL,CAAC;YAED,2CAA2C;YAC3C,MAAM,KAAK,GAAG,EAAE,CAAC,iBAAiB,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YACxD,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,IAAI,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC;gBAC7B,IAAI,kCAAkC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,kCAAkC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACnG,MAAM,GAAG,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;oBAC5B,OAAO,EAAE,CAAC;oBACV,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,YAAY,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;wBAClD,KAAK,EAAE,kCAAkC;wBACzC,QAAQ,EAAE,QAAQ;wBAClB,SAAS,EAAE,OAAO;wBAClB,eAAe,EAAE,uCAAuC;wBACxD,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,MAAM,EAAE,GAAG,CAAC,MAAM;wBAClB,QAAQ,EAAE,+EAA+E;wBACzF,WAAW,EAAE,8EAA8E;wBAC3F,GAAG,EAAE,SAAS;qBACf,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,4CAA4C;QAC5C,MAAM,QAAQ,GAAG,gBAAgB,CAAC,EAAE,CAAC,CAAC;QACtC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;YAC/B,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBACrD,oEAAoE;gBACpE,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAChC,MAAM,GAAG,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;oBACjC,OAAO,EAAE,CAAC;oBACV,QAAQ,CAAC,IAAI,CAAC;wBACZ,EAAE,EAAE,YAAY,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;wBAClD,KAAK,EAAE,qCAAqC;wBAC5C,QAAQ,EAAE,KAAK;wBACf,SAAS,EAAE,OAAO;wBAClB,eAAe,EAAE,uCAAuC;wBACxD,QAAQ,EAAE,QAAQ;wBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,MAAM,EAAE,GAAG,CAAC,MAAM;wBAClB,QAAQ,EAAE,8CAA8C;wBACxD,WAAW,EAAE,yGAAyG;wBACtH,GAAG,EAAE,SAAS;qBACf,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/static/analyzers/path-traversal.d.ts

@@ -0,0 +1,4 @@
+import type { SourceFile } from "ts-morph";
+import type { Finding } from "../../types/findings.js";
+export declare function analyzePathTraversal(sourceFiles: SourceFile[]): Finding[];
+//# sourceMappingURL=path-traversal.d.ts.map

package/dist/static/analyzers/path-traversal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-traversal.d.ts","sourceRoot":"","sources":["../../../src/static/analyzers/path-traversal.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAOvD,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,OAAO,EAAE,CAuCzE"}

package/dist/static/analyzers/path-traversal.js

@@ -0,0 +1,42 @@
+import { findCallExpressions, getCallName, getLocation, containsUserInput } from "../ast-engine.js";
+import { getCallEvidence } from "../taint-tracker.js";
+import { PATH_TRAVERSAL_SINKS } from "../../data/dangerous-sinks.js";
+const sinkNames = new Set(PATH_TRAVERSAL_SINKS.map(s => s.name));
+export function analyzePathTraversal(sourceFiles) {
+    const findings = [];
+    let counter = 0;
+    for (const sf of sourceFiles) {
+        const calls = findCallExpressions(sf);
+        for (const call of calls) {
+            const name = getCallName(call);
+            if (!sinkNames.has(name))
+                continue;
+            const args = call.getArguments();
+            if (args.length === 0)
+                continue;
+            // The first argument is usually the path
+            const pathArg = args[0];
+            if (!containsUserInput(pathArg))
+                continue;
+            const sink = PATH_TRAVERSAL_SINKS.find(s => s.name === name);
+            const loc = getLocation(call);
+            counter++;
+            findings.push({
+                id: `SAST-PATH-${String(counter).padStart(3, "0")}`,
+                title: `Path Traversal via ${name}()`,
+                severity: sink.severity,
+                owasp_mcp: "MCP05",
+                owasp_mcp_title: "Command Injection & Code Execution",
+                category: "static",
+                file: loc.file,
+                line: loc.line,
+                column: loc.column,
+                evidence: getCallEvidence(call),
+                remediation: "Resolve paths with path.resolve() and validate they fall within an allowed base directory. Never pass user input directly to fs operations.",
+                cwe: "CWE-22",
+            });
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=path-traversal.js.map

package/dist/static/analyzers/path-traversal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-traversal.js","sourceRoot":"","sources":["../../../src/static/analyzers/path-traversal.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,mBAAmB,EAAE,WAAW,EAAE,WAAW,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACpG,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AAErE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;AAEjE,MAAM,UAAU,oBAAoB,CAAC,WAAyB;IAC5D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,EAAE,IAAI,WAAW,EAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,mBAAmB,CAAC,EAAE,CAAC,CAAC;QACtC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;YAC/B,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YAEnC,MAAM,IAAI,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;YACjC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAEhC,yCAAyC;YACzC,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;YACxB,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC;gBAAE,SAAS;YAE1C,MAAM,IAAI,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAE,CAAC;YAC9D,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;YAC9B,OAAO,EAAE,CAAC;YAEV,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,aAAa,MAAM,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;gBACnD,KAAK,EAAE,sBAAsB,IAAI,IAAI;gBACrC,QAAQ,EAAE,IAAI,CAAC,QAA+B;gBAC9C,SAAS,EAAE,OAAO;gBAClB,eAAe,EAAE,oCAAoC;gBACrD,QAAQ,EAAE,QAAQ;gBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,QAAQ,EAAE,eAAe,CAAC,IAAI,CAAC;gBAC/B,WAAW,EAAE,6IAA6I;gBAC1J,GAAG,EAAE,QAAQ;aACd,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/static/analyzers/prototype-pollution.d.ts

@@ -0,0 +1,4 @@
+import type { SourceFile } from "ts-morph";
+import type { Finding } from "../../types/findings.js";
+export declare function analyzePrototypePollution(sourceFiles: SourceFile[]): Finding[];
+//# sourceMappingURL=prototype-pollution.d.ts.map

package/dist/static/analyzers/prototype-pollution.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prototype-pollution.d.ts","sourceRoot":"","sources":["../../../src/static/analyzers/prototype-pollution.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAIvD,wBAAgB,yBAAyB,CAAC,WAAW,EAAE,UAAU,EAAE,GAAG,OAAO,EAAE,CAiF9E"}