omen-sec-cli 1.0.16 → 1.0.18

package/core/remote-scanner.js

@@ -36,47 +36,54 @@ export async function scanRemoteTarget(targetUrl) {
       headers_analysis["Strict-Transport-Security"] = "Missing";
       vulnerabilities.push({
         id: `REM-VULN-${Date.now()}-1`,
-        category: 'Hardening',
-        confidence: 'High',
-        severity: 'Medium',
-        description: `HSTS Header is missing. This lacks forced HTTPS enforcement for browsers that have already visited the site.`,
+        kind: 'header',
+        category: 'hardening',
+        confidence: 'high',
+        severity: 'medium',
+        title: 'HSTS Header Missing',
+        description: `HTTP Strict-Transport-Security (HSTS) header is missing. This prevents the browser from enforcing HTTPS-only connections for future visits.`,
         cwe: 'CWE-319',
         evidence: { 
           request: { headers: { ...response.request.headers } }, 
           response: { status: response.status, headers: response.headers },
           reason: 'Security header "Strict-Transport-Security" not found in server response.'
-        }
+        },
+        remediation: 'Implement the Strict-Transport-Security header with a long max-age (e.g., 31536000) and the includeSubDomains directive.'
       });
-    } else {
-      headers_analysis["Strict-Transport-Security"] = headers['strict-transport-security'];
     }
 
     if (!headers['content-security-policy']) {
       headers_analysis["Content-Security-Policy"] = "Missing";
       vulnerabilities.push({
         id: `REM-VULN-${Date.now()}-2`,
-        category: 'Confirmed',
-        confidence: 'High',
-        severity: 'High',
+        kind: 'header',
+        category: 'confirmed',
+        confidence: 'high',
+        severity: 'high',
+        title: 'Content-Security-Policy Missing',
         description: `CSP header is missing. Without a strict Content-Security-Policy, the application is highly vulnerable to Cross-Site Scripting (XSS) and data injection attacks.`,
         cwe: 'CWE-1022',
         evidence: { 
           request: { headers: { ...response.request.headers } }, 
           response: { status: response.status, headers: response.headers },
           reason: 'Security header "Content-Security-Policy" not found in server response.'
-        }
+        },
+        remediation: 'Define a strict Content-Security-Policy to restrict source domains for scripts, styles, and other resources.'
       });
     } else {
       headers_analysis["Content-Security-Policy"] = headers['content-security-policy'];
       if (headers['content-security-policy'].includes("unsafe-inline")) {
         vulnerabilities.push({
           id: `REM-VULN-${Date.now()}-3`,
-          category: 'Confirmed',
-          confidence: 'High',
-          severity: 'High',
-          description: `Weak CSP detected: 'unsafe-inline' is allowed.`,
+          kind: 'header',
+          category: 'confirmed',
+          confidence: 'high',
+          severity: 'high',
+          title: 'Insecure CSP (unsafe-inline)',
+          description: `The Content-Security-Policy allows 'unsafe-inline' for scripts or styles, significantly weakening protection against XSS.`,
           cwe: 'CWE-16',
-          evidence: { finding: `policy: ${headers['content-security-policy']}` }
+          evidence: { finding: `policy: ${headers['content-security-policy']}` },
+          remediation: 'Refactor the application to avoid inline scripts and styles, then remove "unsafe-inline" from the CSP.'
         });
       }
     }
@@ -86,50 +93,101 @@ export async function scanRemoteTarget(targetUrl) {
       headers_analysis["X-Frame-Options"] = "Missing";
       vulnerabilities.push({
         id: `REM-VULN-${Date.now()}-4`,
-        category: 'Hardening',
-        confidence: 'High',
-        severity: 'Low',
-        description: `Missing X-Frame-Options. Increases risk of Clickjacking.`,
+        kind: 'header',
+        category: 'hardening',
+        confidence: 'high',
+        severity: 'low',
+        title: 'X-Frame-Options Missing',
+        description: `Missing X-Frame-Options header. This allows the application to be embedded in an iframe on other domains, increasing Clickjacking risk.`,
         cwe: 'CWE-1021',
         evidence: { 
           request: { headers: { ...response.request.headers } }, 
           response: { status: response.status, headers: response.headers },
           reason: 'Security header "X-Frame-Options" not found. This allows the site to be embedded in iframes on third-party domains.'
-        }
+        },
+        remediation: 'Set the X-Frame-Options header to DENY or SAMEORIGIN.'
+      });
+    }
+
+    // 3.1 Analisar X-Content-Type-Options
+    if (!headers['x-content-type-options']) {
+      headers_analysis["X-Content-Type-Options"] = "Missing";
+      vulnerabilities.push({
+        id: `REM-VULN-${Date.now()}-6`,
+        kind: 'header',
+        category: 'hardening',
+        confidence: 'high',
+        severity: 'low',
+        title: 'X-Content-Type-Options Missing',
+        description: `The X-Content-Type-Options: nosniff header is missing. This could allow the browser to "sniff" the content type, potentially leading to MIME-type sniffing attacks.`,
+        cwe: 'CWE-116',
+        evidence: { response: { headers: response.headers } },
+        remediation: 'Add the "X-Content-Type-Options: nosniff" header to all responses.'
       });
-    } else {
-      headers_analysis["X-Frame-Options"] = headers['x-frame-options'];
     }
 
     // 4. Server Header Leak
-    if (headers['server']) {
+    if (headers['server'] && !headers['server'].includes('Cloudflare') && !headers['server'].includes('Vercel')) {
       headers_analysis["Server"] = headers['server'];
       vulnerabilities.push({
         id: `REM-VULN-${Date.now()}-5`,
-        category: 'Informational',
-        confidence: 'High',
-        severity: 'Low',
-        description: `Server header leaks technology stack: ${headers['server']}`,
+        kind: 'tech',
+        category: 'informational',
+        confidence: 'high',
+        severity: 'low',
+        title: 'Server Header Disclosure',
+        description: `Server header leaks technology stack information: ${headers['server']}`,
         cwe: 'CWE-200',
-        evidence: { finding: `Server: ${headers['server']}` }
+        evidence: { finding: `Server: ${headers['server']}` },
+        remediation: 'Configure the web server to hide or spoof the "Server" header.'
       });
-    } else {
-      headers_analysis["Server"] = "Hidden (Good)";
     }
 
-    // 5. X-Powered-By Leak
-    if (headers['x-powered-by']) {
-      vulnerabilities.push({
-        id: `REM-VULN-${Date.now()}-6`,
-        category: 'Informational',
-        confidence: 'High',
-        severity: 'Low',
-        description: `X-Powered-By header leaks framework: ${headers['x-powered-by']}`,
-        cwe: 'CWE-200',
-        evidence: { finding: `X-Powered-By: ${headers['x-powered-by']}` }
-      });
+    // 6. CORS Analysis
+    if (headers['access-control-allow-origin']) {
+      const cors = headers['access-control-allow-origin'];
+      if (cors === '*') {
+        vulnerabilities.push({
+          id: `REM-CORS-${Date.now()}`,
+          kind: 'header',
+          category: 'confirmed',
+          confidence: 'high',
+          severity: 'high',
+          title: 'Permissive CORS Policy',
+          description: `The application allows Cross-Origin Resource Sharing from any domain (Access-Control-Allow-Origin: *).`,
+          cwe: 'CWE-942',
+          evidence: { finding: `Access-Control-Allow-Origin: ${cors}` },
+          remediation: 'Restrict Access-Control-Allow-Origin to trusted domains only.'
+        });
+      }
     }
 
+    // 7. Cookie Security
+    const setCookies = headers['set-cookie'] || [];
+    const cookies = Array.isArray(setCookies) ? setCookies : [setCookies];
+    cookies.forEach(cookie => {
+      const issues = [];
+      if (!cookie.toLowerCase().includes('secure')) issues.push('Missing "Secure" flag');
+      if (!cookie.toLowerCase().includes('httponly')) issues.push('Missing "HttpOnly" flag');
+      if (!cookie.toLowerCase().includes('samesite')) issues.push('Missing "SameSite" attribute');
+
+      if (issues.length > 0) {
+        vulnerabilities.push({
+          id: `REM-COOKIE-${Date.now()}`,
+          kind: 'header',
+          category: 'confirmed',
+          confidence: 'high',
+          severity: 'medium',
+          title: 'Insecure Cookie Configuration',
+          description: `Cookie detected with missing security flags: ${issues.join(', ')}.`,
+          cwe: 'CWE-614',
+          evidence: { cookie: cookie.split(';')[0] + '...', issues },
+          remediation: 'Apply Secure, HttpOnly, and SameSite=Strict/Lax attributes to all sensitive cookies.'
+        });
+      }
+    });
+
+
     // --- SPIDER / CRAWLER (DEEP) ---
     if (typeof html === 'string') {
       const $ = cheerio.load(html);
@@ -175,6 +233,22 @@ export async function scanRemoteTarget(targetUrl) {
       });
     }
 
+    // --- TECHNOLOGY FINGERPRINTING (Update categories) ---
+    if (techStack.length > 0) {
+      vulnerabilities.push({
+        id: `REM-TECH-${Date.now()}`,
+        kind: 'tech',
+        category: 'informational',
+        confidence: 'high',
+        severity: 'info',
+        title: 'Technology Stack Identified',
+        description: `Fingerprinting identified the following technologies: ${techStack.join(', ')}`,
+        cwe: 'CWE-200',
+        evidence: { tech_stack: techStack },
+        remediation: 'Minimal tech disclosure is recommended to prevent targeted attacks.'
+      });
+    }
+
     // --- DEEP CRAWL: robots.txt, sitemap.xml, and JS files ---
     const robotsUrl = new URL('/robots.txt', targetUrl).href;
     try {
@@ -228,41 +302,32 @@ export async function scanRemoteTarget(targetUrl) {
         const fuzzUrl = new URL(path, targetUrl).href;
         const fuzzRes = await axios.get(fuzzUrl, {
           timeout: 5000,
-          validateStatus: (status) => status === 200 || status === 403
+          validateStatus: (status) => status >= 200 && status < 500
         });
 
-        if (fuzzRes.status === 200) {
-          vulnerabilities.push({
-            id: `REM-FUZZ-${Date.now()}-${path.replace(/\//g, '-')}`,
-            type: 'Sensitive Path Exposed',
-            severity: path.includes('.env') || path.includes('.git') || path.includes('.ssh') ? 'Critical' : 'High',
-            description: `Exposed sensitive path discovered: ${fuzzUrl}. This path reveals internal configurations or credentials.`,
-            cwe: 'CWE-200'
-          });
-        } else if (fuzzRes.status === 403) {
-          vulnerabilities.push({
-            id: `REM-FUZZ-${Date.now()}-${path.replace(/\//g, '-')}`,
-            type: 'Potential Sensitive Path',
-            severity: 'Low',
-            description: `Path discovered but access forbidden (403): ${fuzzUrl}. Might indicate internal structure exposure.`,
-            cwe: 'CWE-204'
-          });
+        const finding = await validateFuzzerFinding(path, fuzzRes, fuzzUrl);
+        if (finding) {
+          vulnerabilities.push(finding);
         }
-      } catch (e) {}
+      } catch (e) {
+        // Silently skip if path doesn't exist or times out
+      }
     }
 
     // --- OFFENSIVE PARAMETER FUZZING ---
     const injectionPayloads = [
-      { type: 'SQLi', param: "' OR 1=1--", severity: 'Critical' },
-      { type: 'XSS', param: "<script>alert('OMEN')</script>", severity: 'High' },
-      { type: 'LFI', param: "/etc/passwd", severity: 'Critical' }
+      { type: 'SQLi', param: "' OR '1'='1", severity: 'Critical', cwe: 'CWE-89' },
+      { type: 'SQLi', param: '" OR "1"="1', severity: 'Critical', cwe: 'CWE-89' },
+      { type: 'XSS', param: "<script>alert('OMEN')</script>", severity: 'High', cwe: 'CWE-79' },
+      { type: 'XSS', param: "javascript:alert('OMEN')", severity: 'High', cwe: 'CWE-79' },
+      { type: 'LFI', param: "../../../../../etc/passwd", severity: 'Critical', cwe: 'CWE-22' }
     ];
 
     // Combine params from links and forms
     const allParams = Array.from(discoveredParams);
     discoveredForms.forEach(f => f.inputs.forEach(i => allParams.push(i)));
     
-    const uniqueParams = [...new Set(allParams)].slice(0, 5); // Fuzz top 5 params
+    const uniqueParams = [...new Set(allParams)].slice(0, 10); // Fuzz top 10 params
 
     for (const param of uniqueParams) {
       for (const payload of injectionPayloads) {
@@ -270,26 +335,68 @@ export async function scanRemoteTarget(targetUrl) {
           const testUrl = new URL(targetUrl);
           testUrl.searchParams.append(param, payload.param);
           
-          const res = await axios.get(testUrl.href, { timeout: 5000, validateStatus: () => true });
+          const res = await axios.get(testUrl.href, { 
+            timeout: 5000, 
+            validateStatus: () => true,
+            headers: { 'User-Agent': 'OMEN-SEC-CLI/1.0.17 (Security Audit)' }
+          });
           
+          const evidence = {
+            request: { url: testUrl.href, method: 'GET', parameter: param, payload: payload.param },
+            response: { status: res.status, body_snippet: typeof res.data === 'string' ? res.data.substring(0, 200) : '' }
+          };
+
           if (payload.type === 'XSS' && typeof res.data === 'string' && res.data.includes(payload.param)) {
             vulnerabilities.push({
-              id: `REM-INJ-${Date.now()}-XSS`,
-              type: 'Reflected XSS',
-              severity: 'High',
-              description: `Confirmed XSS at ${targetUrl} via parameter '${param}'. Payload was reflected in HTML.`,
-              cwe: 'CWE-79'
+              id: `REM-INJ-${Date.now()}-XSS-${param}`,
+              kind: 'injection',
+              category: 'confirmed',
+              confidence: 'high',
+              severity: payload.severity,
+              title: 'Reflected Cross-Site Scripting (XSS)',
+              description: `Confirmed reflected XSS at ${targetUrl} via parameter '${param}'. The payload was reflected verbatim in the response body.`,
+              cwe: payload.cwe,
+              evidence,
+              remediation: 'Sanitize all user inputs before reflecting them in the HTML. Use output encoding libraries.'
             });
           }
           
-          if (payload.type === 'SQLi' && (res.status === 500 || (typeof res.data === 'string' && /SQL|database|syntax/i.test(res.data)))) {
-            vulnerabilities.push({
-              id: `REM-INJ-${Date.now()}-SQLI`,
-              type: 'SQL Injection',
-              severity: 'Critical',
-              description: `Potential SQLi detected via parameter '${param}'. Server showed error patterns on payload.`,
-              cwe: 'CWE-89'
-            });
+          const sqliPatterns = [
+            /SQL syntax/i, /mysql_fetch/i, /PostgreSQL.*ERROR/i, /Oracle.*Error/i, 
+            /SQLite3::/i, /Dynamic SQL/i, /Syntax error.*in query/i
+          ];
+
+          if (payload.type === 'SQLi') {
+            const hasErrorPattern = typeof res.data === 'string' && sqliPatterns.some(p => p.test(res.data));
+            if (hasErrorPattern || res.status === 500) {
+              vulnerabilities.push({
+                id: `REM-INJ-${Date.now()}-SQLI-${param}`,
+                kind: 'injection',
+                category: 'probable',
+                confidence: hasErrorPattern ? 'high' : 'medium',
+                severity: payload.severity,
+                title: 'Potential SQL Injection',
+                description: `Potential SQLi detected via parameter '${param}'. The server returned a 500 error or a known SQL error pattern.`,
+                cwe: payload.cwe,
+                evidence,
+                remediation: 'Use parameterized queries or an ORM. Never concatenate user input directly into SQL strings.'
+              });
+            }
+          }
+
+          if (payload.type === 'LFI' && typeof res.data === 'string' && (res.data.includes('root:x:0:0') || res.data.includes('[boot loader]'))) {
+             vulnerabilities.push({
+                id: `REM-INJ-${Date.now()}-LFI-${param}`,
+                kind: 'injection',
+                category: 'confirmed',
+                confidence: 'high',
+                severity: payload.severity,
+                title: 'Local File Inclusion (LFI)',
+                description: `Confirmed LFI at ${targetUrl} via parameter '${param}'. System file content was detected in the response.`,
+                cwe: payload.cwe,
+                evidence,
+                remediation: 'Validate file paths against a whitelist and avoid using user-supplied input for file operations.'
+              });
           }
         } catch (e) {}
       }
@@ -335,22 +442,28 @@ async function validateFuzzerFinding(path, response, url) {
     if (typeof data === 'string' && !data.trim().startsWith('<html')) {
       return {
         id: `REM-CONFIRMED-FILE-${Date.now()}`,
-        category: 'Confirmed',
-        confidence: 'High',
-        severity: 'Critical',
+        kind: 'content',
+        category: 'confirmed',
+        confidence: 'high',
+        severity: 'critical',
+        title: 'Sensitive File Exposed',
         description: `CRITICAL: Sensitive file exposed at ${url}. Contents contain raw configuration data.`,
         cwe: 'CWE-538',
-        evidence: { ...evidence, reason: 'Raw sensitive file content detected (Non-HTML response on sensitive path)' }
+        evidence: { ...evidence, reason: 'Raw sensitive file content detected (Non-HTML response on sensitive path)' },
+        remediation: 'Immediately remove the file from the web server and ensure sensitive files are not publicly accessible.'
       };
     } else {
       return {
         id: `REM-POTENTIAL-FILE-${Date.now()}`,
-        category: 'Informational',
-        confidence: 'Low',
-        severity: 'Info',
+        kind: 'path',
+        category: 'informational',
+        confidence: 'low',
+        severity: 'info',
+        title: 'Potential Sensitive Path Discovered',
         description: `Potential sensitive path found at ${url}, but returned HTML content. Likely a redirect or custom error page.`,
         cwe: 'CWE-200',
-        evidence: { ...evidence, reason: 'HTML response on sensitive file path' }
+        evidence: { ...evidence, reason: 'HTML response on sensitive file path' },
+        remediation: 'Verify if this path should be accessible and ensure no sensitive information is leaked through custom error pages.'
       };
     }
   }
@@ -361,23 +474,29 @@ async function validateFuzzerFinding(path, response, url) {
     if (typeof data === 'string' && /password|login/i.test(data)) {
       return {
         id: `REM-INFO-LOGIN-${Date.now()}`,
-        category: 'Informational',
-        confidence: 'High',
-        severity: 'Info',
+        kind: 'path',
+        category: 'informational',
+        confidence: 'high',
+        severity: 'info',
+        title: 'Admin Login Page Discovered',
         description: `Admin login page discovered at ${url}.`,
         cwe: 'CWE-200',
-        evidence: { ...evidence, reason: '200 OK with login/password patterns detected in HTML.' }
+        evidence: { ...evidence, reason: '200 OK with login/password patterns detected in HTML.' },
+        remediation: 'Ensure the admin login page is protected by strong authentication and not easily discoverable if not necessary.'
       };
     }
     // If it's a 200 but not a login page, it could be an exposed panel
     return {
       id: `REM-PROBABLE-PANEL-${Date.now()}`,
-      category: 'Probable',
-      confidence: 'Low',
-      severity: 'Medium',
+      kind: 'path',
+      category: 'probable',
+      confidence: 'low',
+      severity: 'medium',
+      title: 'Potential Admin Panel Exposure',
       description: `Potential exposed admin panel or dashboard at ${url}. Manual verification required.`,
       cwe: 'CWE-284',
-      evidence: { ...evidence, reason: '200 OK on admin-like path, but no explicit login form detected. Could be an unauthorized dashboard.' }
+      evidence: { ...evidence, reason: '200 OK on admin-like path, but no explicit login form detected. Could be an unauthorized dashboard.' },
+      remediation: 'Restrict access to the admin panel using IP whitelisting or other access control mechanisms.'
     };
   }
 
@@ -385,15 +504,18 @@ async function validateFuzzerFinding(path, response, url) {
   if (status === 403) {
     return {
       id: `REM-INFO-FORBIDDEN-${Date.now()}`,
-      category: 'Informational',
-      confidence: 'Medium',
-      severity: 'Info',
+      kind: 'path',
+      category: 'informational',
+      confidence: 'medium',
+      severity: 'info',
+      title: 'Protected Path Discovered',
       description: `Potential protected path discovered (403 Forbidden): ${url}. This confirms the path exists but access is restricted.`,
       cwe: 'CWE-204',
       evidence: { 
         ...evidence, 
         reason: 'Server returned 403 Forbidden. This confirms path existence but access control is active. No immediate exposure detected.' 
-      }
+      },
+      remediation: 'None required, but ensure that the 403 response does not leak information about the internal structure.'
     };
   }
 

package/core/reporters/fix-plan-reporter.js

@@ -0,0 +1,46 @@
+export function generateFixPlan(scanData) {
+  let md = `# 🛡️ OMEN Security Fix Plan: ${scanData.target || 'Local Project'}\n\n`;
+  md += `> **Data do Scan:** ${scanData.timestamp || new Date().toLocaleString()}  \n`;
+  md += `> **Score Atual:** ${scanData.score || 0}/100  \n`;
+  md += `> **Vulnerabilidades:** ${scanData.vulnerabilities?.length || 0}\n\n`;
+  
+  md += `Este documento é um guia passo-a-passo para remediar as falhas encontradas. Após aplicar as correções, execute \`omen verify\` para confirmar a resolução.\n\n`;
+
+  const vulnerabilities = scanData.vulnerabilities || [];
+  const prioritized = [...vulnerabilities].sort((a, b) => {
+    const weights = { critical: 4, high: 3, medium: 2, low: 1, info: 0 };
+    return (weights[b.severity] || 0) - (weights[a.severity] || 0);
+  });
+
+  md += `## 🚨 Checklist de Remediação\n\n`;
+  
+  if (prioritized.length === 0) {
+    md += `✅ Nenhuma vulnerabilidade encontrada que exija ação imediata.\n`;
+  } else {
+    prioritized.forEach((v, index) => {
+      const severityEmoji = v.severity === 'critical' ? '🔴' : v.severity === 'high' ? '🟠' : v.severity === 'medium' ? '🟡' : '🔵';
+      
+      md += `### [ ] ${severityEmoji} [${v.severity.toUpperCase()}] ${v.title || v.description}\n`;
+      md += `- **ID:** \`${v.id}\`  \n`;
+      md += `- **CWE:** ${v.cwe || 'N/A'}  \n`;
+      md += `- **Confiança:** ${v.confidence || 'medium'}  \n\n`;
+      
+      if (v.evidence) {
+        md += `#### 🔍 Evidência\n`;
+        if (v.evidence.file) md += `- **Arquivo:** \`${v.evidence.file}\`${v.evidence.line ? ` (Linha ${v.evidence.line})` : ''}  \n`;
+        if (v.evidence.code) md += `\`\`\`javascript\n${v.evidence.code}\n\`\`\`\n`;
+        if (v.evidence.finding) md += `- **Detalhe:** ${v.evidence.finding}  \n`;
+      }
+
+      md += `#### 🛠️ Estratégia de Correção\n`;
+      md += `${v.remediation || 'Consulte a documentação de segurança para mitigar este risco.'}\n\n`;
+      
+      md += `#### ✅ Comando de Verificação\n`;
+      md += `\`npx omen-sec-cli verify --id ${v.id}\` (ou apenas \`omen verify\` para checar tudo)\n\n`;
+      md += `---\n\n`;
+    });
+  }
+
+  md += `\n*Gerado automaticamente pelo OMEN SEC-CLI v1.0.17 - Protocolo Zero-Copy AI Ativo*\n`;
+  return md;
+}

package/core/reporters/markdown-reporter.js

@@ -0,0 +1,25 @@
+export function generateMarkdownReport(scanData) {
+  let md = `# OMEN Audit Report: ${scanData.target}\n\n`;
+  md += `**Scan ID:** \`${scanData.scan_id}\`  \n`;
+  md += `**Timestamp:** ${scanData.timestamp}  \n`;
+  md += `**Security Score:** ${scanData.score}/100  \n`;
+  md += `**Risk Level:** ${scanData.riskLevel}\n\n`;
+
+  md += `## Executive Summary\n`;
+  md += `The security audit identified ${scanData.vulnerabilities.length} total issues. `;
+  const confirmed = scanData.vulnerabilities.filter(v => v.category === 'confirmed').length;
+  md += `Of these, ${confirmed} are confirmed vulnerabilities that require immediate attention.\n\n`;
+
+  md += `## Detailed Findings\n\n`;
+  scanData.vulnerabilities.forEach(v => {
+    md += `### [${v.severity.toUpperCase()}] ${v.title || v.description}\n`;
+    md += `- **Category:** ${v.category}\n`;
+    md += `- **Confidence:** ${v.confidence}\n`;
+    md += `- **CWE:** ${v.cwe}\n\n`;
+    md += `#### Description\n${v.description}\n\n`;
+    md += `#### Remediation\n${v.remediation || 'Follow security best practices.'}\n\n`;
+    md += `---\n\n`;
+  });
+
+  return md;
+}

package/core/runners/local-app-runner.js

@@ -0,0 +1,39 @@
+import { execa } from 'execa';
+import chalk from 'chalk';
+import axios from 'axios';
+
+export async function bootLocalApp(command, port = 3000, timeout = 30000) {
+  if (!command) return { success: false, error: 'No boot strategy found' };
+
+  console.log(chalk.cyan(`[Runner] Starting local app with: ${command}...`));
+  
+  const [cmd, ...args] = command.split(' ');
+  const subprocess = execa(cmd, args, {
+    cleanup: true,
+    all: true
+  });
+
+  let bootLogs = '';
+  subprocess.all.on('data', (chunk) => {
+    bootLogs += chunk.toString();
+  });
+
+  // Wait for healthcheck or timeout
+  const start = Date.now();
+  while (Date.now() - start < timeout) {
+    try {
+      const res = await axios.get(`http://localhost:${port}`, { timeout: 1000, validateStatus: () => true });
+      if (res.status < 500) {
+        console.log(chalk.green(`[Runner] App is up and running on port ${port}!`));
+        return { success: true, subprocess, logs: bootLogs, port };
+      }
+    } catch (e) {
+      // Not up yet
+    }
+    await new Promise(r => setTimeout(r, 2000));
+  }
+
+  // If we reach here, boot failed or timed out
+  subprocess.kill();
+  return { success: false, error: 'App failed to start or healthcheck timed out', logs: bootLogs };
+}

package/core/scanner.js

@@ -48,39 +48,49 @@ export async function runScannerSteps(target, flags) {
     spinner.succeed(`[${i + 1}/${steps.length}] ${step.text}`);
   }
 
+  const scanData = {
+    schema_version: "1.0",
+    target: target,
+    scan_id: `OMEN-${Date.now()}`,
+    timestamp: new Date().toISOString(),
+    score: 100,
+    riskLevel: 'Low',
+    attack_surface: {
+      endpoints: attack_surface.endpoints || [],
+      parameters: attack_surface.parameters || [],
+      forms: attack_surface.forms || [],
+      tech_stack: attack_surface.tech_stack || []
+    },
+    vulnerabilities: allVulnerabilities
+  };
+
   // Calculate dynamic score based on confidence and severity
-  const baseScore = 100;
-  const penalties = allVulnerabilities.reduce((acc, v) => {
+  let penalties = scanData.vulnerabilities.reduce((acc, v) => {
     // Only penalize for Confirmed or Probable issues
-    if (v.category !== 'Confirmed' && v.category !== 'Probable') return acc;
+    if (v.category !== 'confirmed' && v.category !== 'probable') return acc;
 
     let severityWeight = 0;
-    if (v.severity === 'Critical') severityWeight = 25;
-    else if (v.severity === 'High') severityWeight = 15;
-    else if (v.severity === 'Medium') severityWeight = 10;
-    else if (v.severity === 'Low') severityWeight = 5;
+    if (v.severity === 'critical') severityWeight = 25;
+    else if (v.severity === 'high') severityWeight = 15;
+    else if (v.severity === 'medium') severityWeight = 10;
+    else if (v.severity === 'low') severityWeight = 5;
+
+    // Reduzir peso de achados baseados em caminhos (potential/enumeration)
+    if (v.kind === 'path' && v.category === 'probable') severityWeight *= 0.5;
 
     let confidenceMultiplier = 1;
-    if (v.confidence === 'Medium') confidenceMultiplier = 0.6;
-    if (v.confidence === 'Low') confidenceMultiplier = 0.3;
+    if (v.confidence === 'medium') confidenceMultiplier = 0.6;
+    if (v.confidence === 'low') confidenceMultiplier = 0.3;
 
     return acc + (severityWeight * confidenceMultiplier);
   }, 0);
   
-  const finalScore = Math.max(0, Math.round(baseScore - penalties));
-  let riskLevel = 'Low';
-  if (finalScore < 50) riskLevel = 'Critical';
-  else if (finalScore < 70) riskLevel = 'High';
-  else if (finalScore < 90) riskLevel = 'Medium';
+  scanData.score = Math.max(0, Math.round(100 - penalties));
 
-  return {
-    target,
-    scan_id: `OMEN-REQ-${Date.now()}`,
-    timestamp: new Date().toISOString(),
-    score: finalScore,
-    riskLevel: riskLevel,
-    attack_surface,
-    headers_analysis,
-    vulnerabilities: allVulnerabilities.length > 0 ? allVulnerabilities : [{ id: 'INFO', type: 'Clean', severity: 'Info', description: 'No immediate vulnerabilities detected in the surface scan.' }]
-  };
+  if (scanData.score < 40) scanData.riskLevel = 'Critical';
+  else if (scanData.score < 60) scanData.riskLevel = 'High';
+  else if (scanData.score < 80) scanData.riskLevel = 'Medium';
+  else scanData.riskLevel = 'Low';
+
+  return scanData;
 }