musubix2 0.5.35 → 0.5.36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1 +1 @@
1
- {"generator":"musubix2","version":"0.5.35","timestamp":"2026-07-09T22:59:58.581Z"}
1
+ {"generator":"musubix2","version":"0.5.36","timestamp":"2026-07-09T23:23:30.681Z"}
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "version": "1.0",
3
- "generatedAt": "2026-07-09T22:59:58.610Z",
3
+ "generatedAt": "2026-07-09T23:23:30.711Z",
4
4
  "entries": [
5
5
  {
6
6
  "platform": "copilot",
package/dist/cli.js CHANGED
@@ -8232,7 +8232,8 @@ __export(dist_exports5, {
8232
8232
  createSecretDetector: () => createSecretDetector,
8233
8233
  createSecurityScanner: () => createSecurityScanner,
8234
8234
  isLikelySecret: () => isLikelySecret,
8235
- isNotFormatMarker: () => isNotFormatMarker
8235
+ isNotFormatMarker: () => isNotFormatMarker,
8236
+ isNotUrlPlaceholder: () => isNotUrlPlaceholder
8236
8237
  });
8237
8238
  function getLineNumber(code, index) {
8238
8239
  return code.substring(0, index).split("\n").length;
@@ -8292,6 +8293,14 @@ function isNotFormatMarker(matchText) {
8292
8293
  return false;
8293
8294
  return true;
8294
8295
  }
8296
+ function isNotUrlPlaceholder(matchText) {
8297
+ const pass = matchText.match(/:\/\/[^:@/]+:([^:@/]+)@/)?.[1] ?? "";
8298
+ if (/^(pass(word)?|secret|changeme|example|xxx+|\*+|test)$/i.test(pass))
8299
+ return false;
8300
+ if (/[$#]\{|<|%s|:\w+$/.test(pass))
8301
+ return false;
8302
+ return true;
8303
+ }
8295
8304
  function blankNonCode(code, hashComments) {
8296
8305
  const out = code.split("");
8297
8306
  const n = code.length;
@@ -8426,6 +8435,57 @@ var init_dist5 = __esm({
8426
8435
  cweId: "CWE-798",
8427
8436
  confidence: 0.85
8428
8437
  },
8438
+ {
8439
+ // GitHub personal access / OAuth / server / refresh tokens.
8440
+ regex: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g,
8441
+ severity: "critical",
8442
+ type: "secret-leak",
8443
+ description: "GitHub token detected",
8444
+ suggestion: "Revoke the token and load it from a secrets manager",
8445
+ cweId: "CWE-798",
8446
+ confidence: 0.95
8447
+ },
8448
+ {
8449
+ // Slack tokens (bot/user/app/refresh/legacy).
8450
+ regex: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/g,
8451
+ severity: "critical",
8452
+ type: "secret-leak",
8453
+ description: "Slack token detected",
8454
+ suggestion: "Revoke the token and load it from a secrets manager",
8455
+ cweId: "CWE-798",
8456
+ confidence: 0.9
8457
+ },
8458
+ {
8459
+ // Stripe / similar `sk_live_` / `rk_live_` secret keys.
8460
+ regex: /\b[sr]k_live_[A-Za-z0-9]{16,}\b/g,
8461
+ severity: "critical",
8462
+ type: "secret-leak",
8463
+ description: "Stripe live secret key detected",
8464
+ suggestion: "Revoke the key and load it from a secrets manager",
8465
+ cweId: "CWE-798",
8466
+ confidence: 0.95
8467
+ },
8468
+ {
8469
+ // Google API key.
8470
+ regex: /\bAIza[A-Za-z0-9_\-]{35}\b/g,
8471
+ severity: "high",
8472
+ type: "secret-leak",
8473
+ description: "Google API key detected",
8474
+ suggestion: "Restrict/revoke the key and load it from a secrets manager",
8475
+ cweId: "CWE-798",
8476
+ confidence: 0.9
8477
+ },
8478
+ {
8479
+ // Credentials embedded in a connection URL: scheme://user:pass@host.
8480
+ regex: /\b[a-z][a-z0-9+.-]*:\/\/[^\s:'"@/]+:[^\s:'"@/]+@[^\s'"/]+/g,
8481
+ severity: "high",
8482
+ type: "hardcoded-credential",
8483
+ description: "Credentials in a connection string / URL detected",
8484
+ suggestion: "Move the username/password out of the URL into a secrets manager",
8485
+ cweId: "CWE-798",
8486
+ confidence: 0.75,
8487
+ validate: isNotUrlPlaceholder
8488
+ },
8429
8489
  {
8430
8490
  regex: /['"][A-Za-z0-9]{32,}['"]/g,
8431
8491
  severity: "medium",
@@ -8514,6 +8574,120 @@ var init_dist5 = __esm({
8514
8574
  suggestion: "Use parameterized queries instead of template literals",
8515
8575
  cweId: "CWE-89",
8516
8576
  confidence: 0.75
8577
+ },
8578
+ // --- Command injection ---------------------------------------------------
8579
+ {
8580
+ regex: /\bos\.system\s*\(/g,
8581
+ severity: "critical",
8582
+ type: "injection",
8583
+ description: "Use of os.system() \u2014 potential command injection",
8584
+ suggestion: "Use subprocess with an argument list and shell=False",
8585
+ cweId: "CWE-78",
8586
+ confidence: 0.85
8587
+ },
8588
+ {
8589
+ regex: /\bsubprocess\.\w+\([^)]*shell\s*=\s*True/g,
8590
+ severity: "high",
8591
+ type: "injection",
8592
+ description: "subprocess call with shell=True \u2014 potential command injection",
8593
+ suggestion: "Pass an argument list and use shell=False",
8594
+ cweId: "CWE-78",
8595
+ confidence: 0.8
8596
+ },
8597
+ {
8598
+ regex: /(?<![.\w>:])(?:shell_exec|passthru|proc_open|popen)\s*\(/g,
8599
+ severity: "critical",
8600
+ type: "injection",
8601
+ description: "Use of a shell-execution function \u2014 potential command injection",
8602
+ suggestion: "Avoid shell execution of untrusted input; use safe APIs with argument arrays",
8603
+ cweId: "CWE-78",
8604
+ confidence: 0.8
8605
+ },
8606
+ {
8607
+ regex: /(?<![.\w>:])(?<!\bdef\s)(?<!\bfunction\s)system\s*\(/g,
8608
+ severity: "high",
8609
+ type: "injection",
8610
+ description: "Use of system() \u2014 potential command injection",
8611
+ suggestion: "Avoid passing untrusted input to system(); use safe execution APIs",
8612
+ cweId: "CWE-78",
8613
+ confidence: 0.65
8614
+ },
8615
+ {
8616
+ regex: /Runtime\.getRuntime\(\)\s*\.\s*exec\s*\(/g,
8617
+ severity: "critical",
8618
+ type: "injection",
8619
+ description: "Runtime.exec() \u2014 potential command injection",
8620
+ suggestion: "Use ProcessBuilder with an argument list and validate inputs",
8621
+ cweId: "CWE-78",
8622
+ confidence: 0.8
8623
+ },
8624
+ // --- SQL injection (formatting/concatenation in DB calls) ----------------
8625
+ {
8626
+ regex: /\b(?:execute|query|raw|prepare|executemany)\s*\(\s*f['"]/g,
8627
+ severity: "high",
8628
+ type: "injection",
8629
+ description: "Potential SQL injection \u2014 f-string in a database call",
8630
+ suggestion: "Use parameterized queries; never build SQL with f-strings",
8631
+ cweId: "CWE-89",
8632
+ confidence: 0.75
8633
+ },
8634
+ {
8635
+ regex: /\b(?:execute|query|raw|prepare)\s*\([^)]*\.format\s*\(/g,
8636
+ severity: "high",
8637
+ type: "injection",
8638
+ description: "Potential SQL injection \u2014 .format() building a query",
8639
+ suggestion: "Use parameterized queries instead of str.format()",
8640
+ cweId: "CWE-89",
8641
+ confidence: 0.7
8642
+ },
8643
+ {
8644
+ regex: /\b(?:execute|query|raw)\s*\([^)]*\+/g,
8645
+ severity: "high",
8646
+ type: "injection",
8647
+ description: "Potential SQL injection \u2014 string concatenation in a query call",
8648
+ suggestion: "Use parameterized queries instead of string concatenation",
8649
+ cweId: "CWE-89",
8650
+ confidence: 0.7
8651
+ },
8652
+ // --- Insecure deserialization -------------------------------------------
8653
+ // --- Insecure deserialization (low severity: real but commonly intentional
8654
+ // in framework internals; triage with --fail-on) ------------------------
8655
+ {
8656
+ regex: /\bpickle\.loads?\s*\(/g,
8657
+ severity: "low",
8658
+ type: "injection",
8659
+ description: "Insecure deserialization \u2014 pickle.load(s) (unsafe on untrusted data)",
8660
+ suggestion: "Never unpickle untrusted data; use a safe format such as JSON",
8661
+ cweId: "CWE-502",
8662
+ confidence: 0.6
8663
+ },
8664
+ {
8665
+ regex: /\byaml\.load\s*\(/g,
8666
+ severity: "low",
8667
+ type: "injection",
8668
+ description: "Insecure deserialization \u2014 yaml.load() without SafeLoader",
8669
+ suggestion: "Use yaml.safe_load() instead of yaml.load()",
8670
+ cweId: "CWE-502",
8671
+ confidence: 0.6
8672
+ },
8673
+ {
8674
+ regex: /(?<![.\w>:])unserialize\s*\(/g,
8675
+ severity: "low",
8676
+ type: "injection",
8677
+ description: "Insecure deserialization \u2014 unserialize() (unsafe on untrusted data)",
8678
+ suggestion: "Avoid unserialize() on untrusted input; use JSON",
8679
+ cweId: "CWE-502",
8680
+ confidence: 0.6
8681
+ },
8682
+ // --- Weak cryptography (low: often used for non-security checksums) -------
8683
+ {
8684
+ regex: /\bhashlib\.(?:md5|sha1)\s*\(|createHash\s*\(\s*['"](?:md5|sha1)['"]/g,
8685
+ severity: "low",
8686
+ type: "injection",
8687
+ description: "Weak cryptographic hash (MD5/SHA-1) detected",
8688
+ suggestion: "Use SHA-256+ (or bcrypt/argon2 for passwords) instead of MD5/SHA-1",
8689
+ cweId: "CWE-327",
8690
+ confidence: 0.5
8517
8691
  }
8518
8692
  ];
8519
8693
  analyze(code, filePath) {
package/dist/index.js CHANGED
@@ -8232,7 +8232,8 @@ __export(dist_exports5, {
8232
8232
  createSecretDetector: () => createSecretDetector,
8233
8233
  createSecurityScanner: () => createSecurityScanner,
8234
8234
  isLikelySecret: () => isLikelySecret,
8235
- isNotFormatMarker: () => isNotFormatMarker
8235
+ isNotFormatMarker: () => isNotFormatMarker,
8236
+ isNotUrlPlaceholder: () => isNotUrlPlaceholder
8236
8237
  });
8237
8238
  function getLineNumber(code, index) {
8238
8239
  return code.substring(0, index).split("\n").length;
@@ -8292,6 +8293,14 @@ function isNotFormatMarker(matchText) {
8292
8293
  return false;
8293
8294
  return true;
8294
8295
  }
8296
+ function isNotUrlPlaceholder(matchText) {
8297
+ const pass = matchText.match(/:\/\/[^:@/]+:([^:@/]+)@/)?.[1] ?? "";
8298
+ if (/^(pass(word)?|secret|changeme|example|xxx+|\*+|test)$/i.test(pass))
8299
+ return false;
8300
+ if (/[$#]\{|<|%s|:\w+$/.test(pass))
8301
+ return false;
8302
+ return true;
8303
+ }
8295
8304
  function blankNonCode(code, hashComments) {
8296
8305
  const out = code.split("");
8297
8306
  const n = code.length;
@@ -8426,6 +8435,57 @@ var init_dist5 = __esm({
8426
8435
  cweId: "CWE-798",
8427
8436
  confidence: 0.85
8428
8437
  },
8438
+ {
8439
+ // GitHub personal access / OAuth / server / refresh tokens.
8440
+ regex: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g,
8441
+ severity: "critical",
8442
+ type: "secret-leak",
8443
+ description: "GitHub token detected",
8444
+ suggestion: "Revoke the token and load it from a secrets manager",
8445
+ cweId: "CWE-798",
8446
+ confidence: 0.95
8447
+ },
8448
+ {
8449
+ // Slack tokens (bot/user/app/refresh/legacy).
8450
+ regex: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/g,
8451
+ severity: "critical",
8452
+ type: "secret-leak",
8453
+ description: "Slack token detected",
8454
+ suggestion: "Revoke the token and load it from a secrets manager",
8455
+ cweId: "CWE-798",
8456
+ confidence: 0.9
8457
+ },
8458
+ {
8459
+ // Stripe / similar `sk_live_` / `rk_live_` secret keys.
8460
+ regex: /\b[sr]k_live_[A-Za-z0-9]{16,}\b/g,
8461
+ severity: "critical",
8462
+ type: "secret-leak",
8463
+ description: "Stripe live secret key detected",
8464
+ suggestion: "Revoke the key and load it from a secrets manager",
8465
+ cweId: "CWE-798",
8466
+ confidence: 0.95
8467
+ },
8468
+ {
8469
+ // Google API key.
8470
+ regex: /\bAIza[A-Za-z0-9_\-]{35}\b/g,
8471
+ severity: "high",
8472
+ type: "secret-leak",
8473
+ description: "Google API key detected",
8474
+ suggestion: "Restrict/revoke the key and load it from a secrets manager",
8475
+ cweId: "CWE-798",
8476
+ confidence: 0.9
8477
+ },
8478
+ {
8479
+ // Credentials embedded in a connection URL: scheme://user:pass@host.
8480
+ regex: /\b[a-z][a-z0-9+.-]*:\/\/[^\s:'"@/]+:[^\s:'"@/]+@[^\s'"/]+/g,
8481
+ severity: "high",
8482
+ type: "hardcoded-credential",
8483
+ description: "Credentials in a connection string / URL detected",
8484
+ suggestion: "Move the username/password out of the URL into a secrets manager",
8485
+ cweId: "CWE-798",
8486
+ confidence: 0.75,
8487
+ validate: isNotUrlPlaceholder
8488
+ },
8429
8489
  {
8430
8490
  regex: /['"][A-Za-z0-9]{32,}['"]/g,
8431
8491
  severity: "medium",
@@ -8514,6 +8574,120 @@ var init_dist5 = __esm({
8514
8574
  suggestion: "Use parameterized queries instead of template literals",
8515
8575
  cweId: "CWE-89",
8516
8576
  confidence: 0.75
8577
+ },
8578
+ // --- Command injection ---------------------------------------------------
8579
+ {
8580
+ regex: /\bos\.system\s*\(/g,
8581
+ severity: "critical",
8582
+ type: "injection",
8583
+ description: "Use of os.system() \u2014 potential command injection",
8584
+ suggestion: "Use subprocess with an argument list and shell=False",
8585
+ cweId: "CWE-78",
8586
+ confidence: 0.85
8587
+ },
8588
+ {
8589
+ regex: /\bsubprocess\.\w+\([^)]*shell\s*=\s*True/g,
8590
+ severity: "high",
8591
+ type: "injection",
8592
+ description: "subprocess call with shell=True \u2014 potential command injection",
8593
+ suggestion: "Pass an argument list and use shell=False",
8594
+ cweId: "CWE-78",
8595
+ confidence: 0.8
8596
+ },
8597
+ {
8598
+ regex: /(?<![.\w>:])(?:shell_exec|passthru|proc_open|popen)\s*\(/g,
8599
+ severity: "critical",
8600
+ type: "injection",
8601
+ description: "Use of a shell-execution function \u2014 potential command injection",
8602
+ suggestion: "Avoid shell execution of untrusted input; use safe APIs with argument arrays",
8603
+ cweId: "CWE-78",
8604
+ confidence: 0.8
8605
+ },
8606
+ {
8607
+ regex: /(?<![.\w>:])(?<!\bdef\s)(?<!\bfunction\s)system\s*\(/g,
8608
+ severity: "high",
8609
+ type: "injection",
8610
+ description: "Use of system() \u2014 potential command injection",
8611
+ suggestion: "Avoid passing untrusted input to system(); use safe execution APIs",
8612
+ cweId: "CWE-78",
8613
+ confidence: 0.65
8614
+ },
8615
+ {
8616
+ regex: /Runtime\.getRuntime\(\)\s*\.\s*exec\s*\(/g,
8617
+ severity: "critical",
8618
+ type: "injection",
8619
+ description: "Runtime.exec() \u2014 potential command injection",
8620
+ suggestion: "Use ProcessBuilder with an argument list and validate inputs",
8621
+ cweId: "CWE-78",
8622
+ confidence: 0.8
8623
+ },
8624
+ // --- SQL injection (formatting/concatenation in DB calls) ----------------
8625
+ {
8626
+ regex: /\b(?:execute|query|raw|prepare|executemany)\s*\(\s*f['"]/g,
8627
+ severity: "high",
8628
+ type: "injection",
8629
+ description: "Potential SQL injection \u2014 f-string in a database call",
8630
+ suggestion: "Use parameterized queries; never build SQL with f-strings",
8631
+ cweId: "CWE-89",
8632
+ confidence: 0.75
8633
+ },
8634
+ {
8635
+ regex: /\b(?:execute|query|raw|prepare)\s*\([^)]*\.format\s*\(/g,
8636
+ severity: "high",
8637
+ type: "injection",
8638
+ description: "Potential SQL injection \u2014 .format() building a query",
8639
+ suggestion: "Use parameterized queries instead of str.format()",
8640
+ cweId: "CWE-89",
8641
+ confidence: 0.7
8642
+ },
8643
+ {
8644
+ regex: /\b(?:execute|query|raw)\s*\([^)]*\+/g,
8645
+ severity: "high",
8646
+ type: "injection",
8647
+ description: "Potential SQL injection \u2014 string concatenation in a query call",
8648
+ suggestion: "Use parameterized queries instead of string concatenation",
8649
+ cweId: "CWE-89",
8650
+ confidence: 0.7
8651
+ },
8652
+ // --- Insecure deserialization -------------------------------------------
8653
+ // --- Insecure deserialization (low severity: real but commonly intentional
8654
+ // in framework internals; triage with --fail-on) ------------------------
8655
+ {
8656
+ regex: /\bpickle\.loads?\s*\(/g,
8657
+ severity: "low",
8658
+ type: "injection",
8659
+ description: "Insecure deserialization \u2014 pickle.load(s) (unsafe on untrusted data)",
8660
+ suggestion: "Never unpickle untrusted data; use a safe format such as JSON",
8661
+ cweId: "CWE-502",
8662
+ confidence: 0.6
8663
+ },
8664
+ {
8665
+ regex: /\byaml\.load\s*\(/g,
8666
+ severity: "low",
8667
+ type: "injection",
8668
+ description: "Insecure deserialization \u2014 yaml.load() without SafeLoader",
8669
+ suggestion: "Use yaml.safe_load() instead of yaml.load()",
8670
+ cweId: "CWE-502",
8671
+ confidence: 0.6
8672
+ },
8673
+ {
8674
+ regex: /(?<![.\w>:])unserialize\s*\(/g,
8675
+ severity: "low",
8676
+ type: "injection",
8677
+ description: "Insecure deserialization \u2014 unserialize() (unsafe on untrusted data)",
8678
+ suggestion: "Avoid unserialize() on untrusted input; use JSON",
8679
+ cweId: "CWE-502",
8680
+ confidence: 0.6
8681
+ },
8682
+ // --- Weak cryptography (low: often used for non-security checksums) -------
8683
+ {
8684
+ regex: /\bhashlib\.(?:md5|sha1)\s*\(|createHash\s*\(\s*['"](?:md5|sha1)['"]/g,
8685
+ severity: "low",
8686
+ type: "injection",
8687
+ description: "Weak cryptographic hash (MD5/SHA-1) detected",
8688
+ suggestion: "Use SHA-256+ (or bcrypt/argon2 for passwords) instead of MD5/SHA-1",
8689
+ cweId: "CWE-327",
8690
+ confidence: 0.5
8517
8691
  }
8518
8692
  ];
8519
8693
  analyze(code, filePath) {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "musubix2",
3
- "version": "0.5.35",
3
+ "version": "0.5.36",
4
4
  "description": "MUSUBIX2 — Specification Driven Development System",
5
5
  "type": "module",
6
6
  "main": "./dist/index.js",