mcp-wordpress 2.4.2 → 2.5.1

package/dist/src/security/SecurityReviewer.js

@@ -0,0 +1,686 @@
+/**
+ * AI-Powered Security Code Reviewer
+ * Provides intelligent security code review and analysis
+ */
+import * as fs from "fs/promises";
+import * as path from "path";
+import { SecurityUtils } from "./SecurityConfig.js";
+import { SecurityValidationError } from "./InputValidator.js";
+import { LoggerFactory } from "../utils/logger.js";
+/**
+ * Comprehensive security review rules
+ */
+const SECURITY_REVIEW_RULES = [
+    // Authentication Rules
+    {
+        id: "auth-001",
+        name: "Hardcoded Credentials",
+        description: "Detects hardcoded passwords, API keys, and secrets",
+        category: "authentication",
+        severity: "critical",
+        pattern: /(password|secret|key|token)\s*[:=]\s*['"][^'"]{8,}['"]/gi,
+        message: "Hardcoded credential detected",
+        recommendation: "Use environment variables or secure credential storage",
+        cweId: "CWE-798",
+        examples: {
+            vulnerable: `const password = "mysecretpassword123";`,
+            secure: `const password = process.env.DB_PASSWORD;`,
+        },
+    },
+    {
+        id: "auth-002",
+        name: "Weak Password Policy",
+        description: "Detects weak password validation",
+        category: "authentication",
+        severity: "medium",
+        pattern: /password.*length.*[<>]\s*[1-7]\b/gi,
+        message: "Weak password length requirement",
+        recommendation: "Enforce minimum 8-character passwords with complexity requirements",
+        cweId: "CWE-521",
+        examples: {
+            vulnerable: `if (password.length < 6) return false;`,
+            secure: `if (password.length < 8 || !/(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)/.test(password)) return false;`,
+        },
+    },
+    {
+        id: "auth-003",
+        name: "JWT Secret Exposure",
+        description: "Detects exposed JWT secrets",
+        category: "authentication",
+        severity: "critical",
+        pattern: /jwt.*secret.*[:=].*['"][^'"]+['"]/gi,
+        message: "JWT secret should not be hardcoded",
+        recommendation: "Store JWT secret in environment variables",
+        cweId: "CWE-798",
+        examples: {
+            vulnerable: `const jwtSecret = "my-jwt-secret-key";`,
+            secure: `const jwtSecret = process.env.JWT_SECRET;`,
+        },
+    },
+    // Input Validation Rules
+    {
+        id: "input-001",
+        name: "SQL Injection Risk",
+        description: "Detects potential SQL injection vulnerabilities",
+        category: "input-validation",
+        severity: "critical",
+        pattern: /(SELECT|INSERT|UPDATE|DELETE).*?[\+].*?(WHERE|FROM|INTO)/gi,
+        message: "Potential SQL injection vulnerability",
+        recommendation: "Use parameterized queries or prepared statements",
+        cweId: "CWE-89",
+        examples: {
+            vulnerable: `query = "SELECT * FROM users WHERE id = " + userId;`,
+            secure: `query = "SELECT * FROM users WHERE id = ?"; db.query(query, [userId]);`,
+        },
+    },
+    {
+        id: "input-002",
+        name: "XSS Vulnerability",
+        description: "Detects potential XSS vulnerabilities",
+        category: "input-validation",
+        severity: "high",
+        pattern: /innerHTML\s*=\s*[^;]+userInput/gi,
+        message: "Potential XSS vulnerability through innerHTML",
+        recommendation: "Use textContent or sanitize input before setting innerHTML",
+        cweId: "CWE-79",
+        examples: {
+            vulnerable: `element.innerHTML = userInput;`,
+            secure: `element.textContent = userInput; // or sanitize userInput`,
+        },
+    },
+    {
+        id: "input-003",
+        name: "Command Injection",
+        description: "Detects potential command injection vulnerabilities",
+        category: "input-validation",
+        severity: "critical",
+        pattern: /exec\(.*?[\+].*?\)/gi,
+        message: "Potential command injection vulnerability",
+        recommendation: "Validate input and use safe APIs",
+        cweId: "CWE-78",
+        examples: {
+            vulnerable: `exec("ls " + userInput);`,
+            secure: `execFile("ls", [userInput]);`,
+        },
+    },
+    // Authorization Rules
+    {
+        id: "authz-001",
+        name: "Missing Authorization Check",
+        description: "Detects endpoints without authorization checks",
+        category: "authorization",
+        severity: "high",
+        pattern: /app\.(get|post|put|delete)\(['"][^'"]*['"],\s*(?!.*auth|.*login)[^)]*\)/gi,
+        message: "Endpoint may be missing authorization check",
+        recommendation: "Add authorization middleware to protected endpoints",
+        cweId: "CWE-862",
+        examples: {
+            vulnerable: `app.get("/admin/users", (req, res) => { ... });`,
+            secure: `app.get("/admin/users", authMiddleware, (req, res) => { ... });`,
+        },
+    },
+    {
+        id: "authz-002",
+        name: "Privilege Escalation Risk",
+        description: "Detects potential privilege escalation",
+        category: "authorization",
+        severity: "high",
+        pattern: /role\s*=\s*['"]admin['"]|isAdmin\s*=\s*true/gi,
+        message: "Potential privilege escalation through role assignment",
+        recommendation: "Validate user permissions before role assignment",
+        cweId: "CWE-269",
+        examples: {
+            vulnerable: `user.role = "admin";`,
+            secure: `if (currentUser.canAssignRole("admin")) user.role = "admin";`,
+        },
+    },
+    // Cryptography Rules
+    {
+        id: "crypto-001",
+        name: "Weak Encryption Algorithm",
+        description: "Detects use of weak encryption algorithms",
+        category: "crypto",
+        severity: "high",
+        pattern: /(md5|sha1|des|rc4|3des)/gi,
+        message: "Weak cryptographic algorithm detected",
+        recommendation: "Use strong algorithms like AES-256, SHA-256, or bcrypt",
+        cweId: "CWE-327",
+        examples: {
+            vulnerable: `const hash = crypto.createHash("md5");`,
+            secure: `const hash = crypto.createHash("sha256");`,
+        },
+    },
+    {
+        id: "crypto-002",
+        name: "Hardcoded Encryption Key",
+        description: "Detects hardcoded encryption keys",
+        category: "crypto",
+        severity: "critical",
+        pattern: /encrypt.*key.*[:=].*['"][^'"]{16,}['"]/gi,
+        message: "Hardcoded encryption key detected",
+        recommendation: "Generate keys securely and store in environment variables",
+        cweId: "CWE-798",
+        examples: {
+            vulnerable: `const encryptionKey = "1234567890abcdef";`,
+            secure: `const encryptionKey = process.env.ENCRYPTION_KEY;`,
+        },
+    },
+    // Session Management Rules
+    {
+        id: "session-001",
+        name: "Insecure Session Configuration",
+        description: "Detects insecure session settings",
+        category: "session",
+        severity: "medium",
+        pattern: /session.*secure\s*:\s*false|httpOnly\s*:\s*false/gi,
+        message: "Insecure session configuration",
+        recommendation: "Enable secure and httpOnly flags for sessions",
+        cweId: "CWE-614",
+        examples: {
+            vulnerable: `session({ secure: false, httpOnly: false })`,
+            secure: `session({ secure: true, httpOnly: true })`,
+        },
+    },
+    {
+        id: "session-002",
+        name: "Session Fixation Risk",
+        description: "Detects potential session fixation vulnerabilities",
+        category: "session",
+        severity: "medium",
+        pattern: /login.*(?!regenerate)/gi,
+        message: "Login may not regenerate session ID",
+        recommendation: "Regenerate session ID after successful login",
+        cweId: "CWE-384",
+        examples: {
+            vulnerable: `// Login without session regeneration`,
+            secure: `req.session.regenerate(() => { /* login success */ });`,
+        },
+    },
+    // Configuration Rules
+    {
+        id: "config-001",
+        name: "Debug Mode in Production",
+        description: "Detects debug mode enabled",
+        category: "config",
+        severity: "medium",
+        pattern: /debug\s*[:=]\s*true|DEBUG\s*=\s*['"]?true['"]?/gi,
+        message: "Debug mode may be enabled in production",
+        recommendation: "Disable debug mode in production environments",
+        cweId: "CWE-489",
+        examples: {
+            vulnerable: `const debug = true;`,
+            secure: `const debug = process.env.NODE_ENV !== 'production';`,
+        },
+    },
+    {
+        id: "config-002",
+        name: "HTTPS Disabled",
+        description: "Detects HTTP instead of HTTPS",
+        category: "config",
+        severity: "medium",
+        pattern: /http:\/\/(?!localhost|127\.0\.0\.1)/gi,
+        message: "HTTP URL detected in production code",
+        recommendation: "Use HTTPS for all external communications",
+        cweId: "CWE-319",
+        examples: {
+            vulnerable: `const apiUrl = "http://api.example.com";`,
+            secure: `const apiUrl = "https://api.example.com";`,
+        },
+    },
+    // General Security Rules
+    {
+        id: "general-001",
+        name: "Error Information Disclosure",
+        description: "Detects potential information disclosure through errors",
+        category: "general",
+        severity: "low",
+        pattern: /throw.*error.*stack|console\.error.*stack/gi,
+        message: "Error may disclose sensitive information",
+        recommendation: "Log detailed errors securely, return generic errors to users",
+        cweId: "CWE-209",
+        examples: {
+            vulnerable: `throw new Error(err.stack);`,
+            secure: `logger.error(err.stack); throw new Error("An error occurred");`,
+        },
+    },
+    {
+        id: "general-002",
+        name: "Unsafe Random Generation",
+        description: "Detects use of unsafe random number generation",
+        category: "general",
+        severity: "medium",
+        pattern: /Math\.random\(\)/gi,
+        message: "Math.random() is not cryptographically secure",
+        recommendation: "Use crypto.randomBytes() for security-sensitive random generation",
+        cweId: "CWE-338",
+        examples: {
+            vulnerable: `const token = Math.random().toString(36);`,
+            secure: `const token = crypto.randomBytes(32).toString('hex');`,
+        },
+    },
+];
+/**
+ * AI-Powered Security Code Reviewer
+ */
+export class SecurityReviewer {
+    reviewHistory = [];
+    /**
+     * Perform comprehensive security review of a file
+     */
+    async reviewFile(filePath, options = {}) {
+        const reviewId = SecurityUtils.generateSecureToken(16);
+        const logger = LoggerFactory.security();
+        logger.info("Reviewing file", { filePath, reviewId });
+        try {
+            const content = await fs.readFile(filePath, "utf-8");
+            const lines = content.split("\n");
+            // Apply security rules
+            const findings = await this.applySecurityRules(content, lines, options);
+            // Perform AI analysis if requested
+            let aiAnalysis;
+            if (options.aiAnalysis) {
+                aiAnalysis = await this.performAIAnalysis(content, findings);
+            }
+            // Generate summary
+            const summary = this.generateSummary(findings);
+            const overallRating = this.calculateOverallRating(summary);
+            const recommendations = this.generateRecommendations(findings, aiAnalysis);
+            const result = {
+                reviewId,
+                timestamp: new Date(),
+                file: filePath,
+                findings,
+                summary,
+                overallRating,
+                recommendations,
+            };
+            this.reviewHistory.push(result);
+            logger.info("Review completed", { filePath, findingsCount: findings.length, reviewId });
+            return result;
+        }
+        catch (error) {
+            logger.error("Review failed", { filePath, reviewId, error: error instanceof Error ? error.message : String(error) });
+            throw new SecurityValidationError("Security review failed", [{ message: String(error) }]);
+        }
+    }
+    /**
+     * Review multiple files
+     */
+    async reviewDirectory(dirPath, options = {}) {
+        const logger = LoggerFactory.security();
+        logger.info("Reviewing directory", { dirPath });
+        const results = [];
+        const filePattern = options.filePattern || /\.(ts|js|jsx|tsx)$/;
+        try {
+            const entries = await fs.readdir(dirPath, { withFileTypes: true });
+            for (const entry of entries) {
+                const fullPath = path.join(dirPath, entry.name);
+                if (entry.isDirectory() && options.recursive && !entry.name.startsWith(".")) {
+                    const subResults = await this.reviewDirectory(fullPath, options);
+                    results.push(...subResults);
+                }
+                else if (entry.isFile() && filePattern.test(entry.name)) {
+                    const result = await this.reviewFile(fullPath, options);
+                    results.push(result);
+                }
+            }
+            return results;
+        }
+        catch (error) {
+            logger.error("Directory review failed", { dirPath, error: error instanceof Error ? error.message : String(error) });
+            throw new SecurityValidationError("Directory review failed", [{ message: String(error) }]);
+        }
+    }
+    /**
+     * Apply security rules to code content
+     */
+    async applySecurityRules(content, lines, options) {
+        const findings = [];
+        const applicableRules = this.getApplicableRules(options);
+        for (const rule of applicableRules) {
+            const matches = Array.from(content.matchAll(rule.pattern));
+            for (const match of matches) {
+                if (match.index !== undefined) {
+                    const lineNumber = this.getLineNumber(content, match.index);
+                    const columnNumber = this.getColumnNumber(content, match.index);
+                    findings.push({
+                        id: `${rule.id}-${Date.now()}-${findings.length}`,
+                        rule: rule.id,
+                        severity: rule.severity,
+                        line: lineNumber,
+                        column: columnNumber,
+                        code: lines[lineNumber - 1]?.trim() || "",
+                        message: rule.message,
+                        recommendation: rule.recommendation,
+                        confidence: this.calculateConfidence(rule, match[0]),
+                        category: rule.category,
+                    });
+                }
+            }
+        }
+        return findings;
+    }
+    /**
+     * Get applicable security rules based on options
+     */
+    getApplicableRules(options) {
+        let rules = SECURITY_REVIEW_RULES;
+        if (options.rules) {
+            rules = rules.filter((rule) => options.rules.includes(rule.id));
+        }
+        if (options.excludeRules) {
+            rules = rules.filter((rule) => !options.excludeRules.includes(rule.id));
+        }
+        return rules;
+    }
+    /**
+     * Perform AI-powered code analysis
+     */
+    async performAIAnalysis(content, findings) {
+        // Simplified AI analysis - in practice this would use machine learning
+        const complexity = this.calculateComplexity(content);
+        const securityScore = this.calculateSecurityScore(findings, content.length);
+        const patterns = this.analyzePatterns(content);
+        const recommendations = this.generateAIRecommendations(findings, patterns);
+        const riskAssessment = this.assessRisk(findings, complexity);
+        return {
+            complexity,
+            securityScore,
+            patterns,
+            recommendations,
+            riskAssessment,
+        };
+    }
+    /**
+     * Calculate code complexity
+     */
+    calculateComplexity(content) {
+        const complexityFactors = [
+            (content.match(/if\s*\(/g) || []).length * 1,
+            (content.match(/for\s*\(/g) || []).length * 2,
+            (content.match(/while\s*\(/g) || []).length * 2,
+            (content.match(/switch\s*\(/g) || []).length * 3,
+            (content.match(/try\s*\{/g) || []).length * 2,
+            (content.match(/catch\s*\(/g) || []).length * 2,
+        ];
+        return complexityFactors.reduce((sum, factor) => sum + factor, 0);
+    }
+    /**
+     * Calculate security score
+     */
+    calculateSecurityScore(findings, codeLength) {
+        const severityWeights = { critical: 10, high: 7, medium: 4, low: 2, info: 1 };
+        const penalty = findings.reduce((sum, finding) => {
+            return sum + severityWeights[finding.severity];
+        }, 0);
+        const normalizedPenalty = penalty / (codeLength / 1000); // Normalize by code size
+        return Math.max(0, 100 - normalizedPenalty);
+    }
+    /**
+     * Analyze code patterns
+     */
+    analyzePatterns(content) {
+        const positive = [];
+        const negative = [];
+        // Positive patterns
+        if (/process\.env\./g.test(content))
+            positive.push("Uses environment variables");
+        if (/try\s*\{[\s\S]*catch/g.test(content))
+            positive.push("Implements error handling");
+        if (/crypto\.randomBytes/g.test(content))
+            positive.push("Uses secure random generation");
+        if (/bcrypt/g.test(content))
+            positive.push("Uses secure password hashing");
+        if (/https:\/\//g.test(content))
+            positive.push("Uses HTTPS URLs");
+        // Negative patterns
+        if (/eval\s*\(/g.test(content))
+            negative.push("Uses dangerous eval() function");
+        if (/innerHTML.*\+/g.test(content))
+            negative.push("Potential XSS through innerHTML concatenation");
+        if (/password.*=.*['"][^'"]{1,7}['"]/g.test(content))
+            negative.push("Weak passwords detected");
+        if (/http:\/\/(?!localhost)/g.test(content))
+            negative.push("Uses insecure HTTP URLs");
+        return { positive, negative };
+    }
+    /**
+     * Generate AI recommendations
+     */
+    generateAIRecommendations(findings, patterns) {
+        const recommendations = [];
+        // High-level recommendations based on findings
+        const criticalFindings = findings.filter((f) => f.severity === "critical");
+        if (criticalFindings.length > 0) {
+            recommendations.push("Address critical security vulnerabilities immediately");
+        }
+        const authFindings = findings.filter((f) => f.category === "authentication");
+        if (authFindings.length > 2) {
+            recommendations.push("Review and strengthen authentication mechanisms");
+        }
+        const inputFindings = findings.filter((f) => f.category === "input-validation");
+        if (inputFindings.length > 0) {
+            recommendations.push("Implement comprehensive input validation and sanitization");
+        }
+        // Recommendations based on patterns
+        if (patterns.negative.length > patterns.positive.length) {
+            recommendations.push("Consider refactoring to follow security best practices");
+        }
+        if (patterns.negative.includes("Uses dangerous eval() function")) {
+            recommendations.push("Replace eval() with safer alternatives like JSON.parse()");
+        }
+        return recommendations;
+    }
+    /**
+     * Assess overall risk
+     */
+    assessRisk(findings, complexity) {
+        const factors = [];
+        let riskScore = 0;
+        // Risk based on findings
+        const criticalCount = findings.filter((f) => f.severity === "critical").length;
+        const highCount = findings.filter((f) => f.severity === "high").length;
+        riskScore += criticalCount * 10 + highCount * 5;
+        if (criticalCount > 0)
+            factors.push(`${criticalCount} critical vulnerabilities`);
+        if (highCount > 0)
+            factors.push(`${highCount} high-severity vulnerabilities`);
+        // Risk based on complexity
+        if (complexity > 50) {
+            riskScore += 10;
+            factors.push("High code complexity");
+        }
+        // Risk based on categories
+        const authVulns = findings.filter((f) => f.category === "authentication").length;
+        if (authVulns > 0) {
+            riskScore += authVulns * 3;
+            factors.push("Authentication vulnerabilities");
+        }
+        // Determine risk level
+        let level;
+        if (riskScore >= 30)
+            level = "critical";
+        else if (riskScore >= 20)
+            level = "high";
+        else if (riskScore >= 10)
+            level = "medium";
+        else
+            level = "low";
+        return { level, factors };
+    }
+    /**
+     * Calculate confidence score for a finding
+     */
+    calculateConfidence(rule, match) {
+        // Base confidence varies by rule type
+        let confidence = 0.7;
+        // Adjust based on match characteristics
+        if (match.length > 50)
+            confidence += 0.1; // Longer matches are more likely to be intentional
+        if (/\w{20,}/.test(match))
+            confidence += 0.1; // Long strings suggest real credentials
+        if (rule.category === "authentication")
+            confidence += 0.1; // Auth issues are commonly overlooked
+        return Math.min(1.0, confidence);
+    }
+    /**
+     * Generate summary of findings
+     */
+    generateSummary(findings) {
+        return {
+            totalFindings: findings.length,
+            criticalFindings: findings.filter((f) => f.severity === "critical").length,
+            highFindings: findings.filter((f) => f.severity === "high").length,
+            mediumFindings: findings.filter((f) => f.severity === "medium").length,
+            lowFindings: findings.filter((f) => f.severity === "low").length,
+            infoFindings: findings.filter((f) => f.severity === "info").length,
+        };
+    }
+    /**
+     * Calculate overall security rating
+     */
+    calculateOverallRating(summary) {
+        if (summary.criticalFindings > 0)
+            return "critical";
+        if (summary.highFindings > 2)
+            return "vulnerable";
+        if (summary.highFindings > 0 || summary.mediumFindings > 3)
+            return "needs-review";
+        return "secure";
+    }
+    /**
+     * Generate recommendations based on findings
+     */
+    generateRecommendations(findings, aiAnalysis) {
+        const recommendations = [];
+        // Priority recommendations based on severity
+        const criticalFindings = findings.filter((f) => f.severity === "critical");
+        if (criticalFindings.length > 0) {
+            recommendations.push("Immediately address critical security vulnerabilities");
+            recommendations.push("Review credential management and move secrets to environment variables");
+        }
+        // Category-specific recommendations
+        const categories = [...new Set(findings.map((f) => f.category))];
+        if (categories.includes("authentication")) {
+            recommendations.push("Strengthen authentication mechanisms and credential handling");
+        }
+        if (categories.includes("input-validation")) {
+            recommendations.push("Implement comprehensive input validation and output encoding");
+        }
+        if (categories.includes("crypto")) {
+            recommendations.push("Update to use strong cryptographic algorithms and secure key management");
+        }
+        // Add AI recommendations if available
+        if (aiAnalysis) {
+            recommendations.push(...aiAnalysis.recommendations);
+        }
+        return [...new Set(recommendations)]; // Remove duplicates
+    }
+    /**
+     * Get line number from character index
+     */
+    getLineNumber(content, index) {
+        return content.substring(0, index).split("\n").length;
+    }
+    /**
+     * Get column number from character index
+     */
+    getColumnNumber(content, index) {
+        const lines = content.substring(0, index).split("\n");
+        return lines[lines.length - 1].length + 1;
+    }
+    /**
+     * Get review history
+     */
+    getReviewHistory() {
+        return [...this.reviewHistory];
+    }
+    /**
+     * Get security rules
+     */
+    getSecurityRules() {
+        return [...SECURITY_REVIEW_RULES];
+    }
+    /**
+     * Add custom security rule
+     */
+    addCustomRule(rule) {
+        SECURITY_REVIEW_RULES.push(rule);
+    }
+    /**
+     * Remove security rule
+     */
+    removeRule(ruleId) {
+        const index = SECURITY_REVIEW_RULES.findIndex((rule) => rule.id === ruleId);
+        if (index !== -1) {
+            SECURITY_REVIEW_RULES.splice(index, 1);
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Generate security report
+     */
+    generateSecurityReport(results) {
+        const summary = {
+            filesReviewed: results.length,
+            totalFindings: results.reduce((sum, r) => sum + r.findings.length, 0),
+            criticalFindings: results.reduce((sum, r) => sum + r.summary.criticalFindings, 0),
+            highFindings: results.reduce((sum, r) => sum + r.summary.highFindings, 0),
+            overallRating: this.calculateProjectRating(results),
+        };
+        const allFindings = results.flatMap((r) => r.findings);
+        const topIssues = allFindings
+            .filter((f) => f.severity === "critical" || f.severity === "high")
+            .sort((a, b) => {
+            const severityOrder = { critical: 4, high: 3, medium: 2, low: 1, info: 0 };
+            return severityOrder[b.severity] - severityOrder[a.severity];
+        })
+            .slice(0, 10);
+        const recommendations = [...new Set(results.flatMap((r) => r.recommendations))];
+        const riskFactors = this.identifyRiskFactors(results);
+        return {
+            summary,
+            topIssues,
+            recommendations,
+            riskFactors,
+        };
+    }
+    /**
+     * Calculate overall project security rating
+     */
+    calculateProjectRating(results) {
+        const criticalCount = results.reduce((sum, r) => sum + r.summary.criticalFindings, 0);
+        const highCount = results.reduce((sum, r) => sum + r.summary.highFindings, 0);
+        const criticalFiles = results.filter((r) => r.overallRating === "critical").length;
+        if (criticalCount > 0 || criticalFiles > 0)
+            return "critical";
+        if (highCount > 5 || results.filter((r) => r.overallRating === "vulnerable").length > 2)
+            return "vulnerable";
+        if (highCount > 0 || results.filter((r) => r.overallRating === "needs-review").length > 0)
+            return "needs-review";
+        return "secure";
+    }
+    /**
+     * Identify project-wide risk factors
+     */
+    identifyRiskFactors(results) {
+        const factors = [];
+        const allFindings = results.flatMap((r) => r.findings);
+        const authIssues = allFindings.filter((f) => f.category === "authentication").length;
+        if (authIssues > 3)
+            factors.push("Multiple authentication vulnerabilities");
+        const cryptoIssues = allFindings.filter((f) => f.category === "crypto").length;
+        if (cryptoIssues > 0)
+            factors.push("Cryptographic implementation issues");
+        const inputIssues = allFindings.filter((f) => f.category === "input-validation").length;
+        if (inputIssues > 5)
+            factors.push("Widespread input validation issues");
+        const vulnerableFiles = results.filter((r) => r.overallRating === "vulnerable" || r.overallRating === "critical").length;
+        const totalFiles = results.length;
+        if (vulnerableFiles / totalFiles > 0.3)
+            factors.push("High percentage of vulnerable files");
+        return factors;
+    }
+}
+//# sourceMappingURL=SecurityReviewer.js.map