pinata-security-cli 0.5.3 → 0.6.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pinata-security-cli",
-  "version": "0.5.3",
+  "version": "0.6.0",
   "description": "AI-powered test coverage analysis and generation tool. Find security blind spots before attackers do.",
   "type": "module",
   "main": "dist/index.js",
@@ -75,6 +75,9 @@
   },
   "devDependencies": {
     "@eslint/js": "^9.39.2",
+    "@stryker-mutator/core": "^9.5.1",
+    "@stryker-mutator/typescript-checker": "^9.5.1",
+    "@stryker-mutator/vitest-runner": "^9.5.1",
     "@types/js-yaml": "^4.0.9",
     "@types/minimatch": "^5.1.2",
     "@types/node": "^20.14.10",

package/src/categories/definitions/concurrency/idempotency-missing.yml

@@ -35,8 +35,8 @@ detectionPatterns:
     type: regex
     language: python
     pattern: "\\+=\\s*1|counter\\s*\\+|increment\\("
-    confidence: low
-    description: Detects counter increments (verify idempotency)
+    confidence: medium
+    description: Detects counter increments (may need idempotency guards in retry contexts)
 
   - id: python-payment-no-idem
     type: regex
@@ -69,9 +69,9 @@ detectionPatterns:
   - id: ts-counter-update
     type: regex
     language: typescript
-    pattern: "\\+\\+|\\+=\\s*1|\\$inc"
-    confidence: low
-    description: Detects counter updates (verify idempotency)
+    pattern: "\\$inc|\\$push(?!.*idempotency|.*idempotent)"
+    confidence: medium
+    description: Detects MongoDB counter/array updates without idempotency
 
   - id: ts-webhook-no-dedup
     type: regex

package/src/categories/definitions/concurrency/race-condition.yml

@@ -65,9 +65,9 @@ detectionPatterns:
   - id: ts-check-then-act
     type: regex
     language: typescript
-    pattern: "if\\s*\\(.*exists.*\\).*\\{.*create|if\\s*\\(!.*\\).*\\{"
+    pattern: "if\\s*\\(.*exists.*\\).*\\{.*(create|write|mkdir|insert)|if\\s*\\(!.*exists.*\\).*\\{.*(create|write|mkdir|insert)"
     confidence: medium
-    description: Detects check-then-act pattern
+    description: Detects check-then-act TOCTOU pattern (check existence then create)
 
   - id: ts-promise-race-unsafe
     type: regex

package/src/categories/definitions/data/data-race.yml

@@ -28,19 +28,12 @@ detectionPatterns:
     confidence: medium
     description: Detects mutable global state
 
-  - id: python-read-modify-write
+  - id: python-thread-no-lock
     type: regex
     language: python
-    pattern: "\\w+\\s*\\+=|\\w+\\s*-=|\\w+\\s*=\\s*\\w+\\s*\\+\\s*1"
-    confidence: low
-    description: Detects increment/decrement (may need locking)
-
-  - id: python-no-lock
-    type: regex
-    language: python
-    pattern: "threading\\.Thread|multiprocessing\\.Process"
-    confidence: low
-    description: Detects threading (verify locking)
+    pattern: "threading\\.Thread.*(?!Lock\\(|RLock\\(|Semaphore\\()"
+    confidence: medium
+    description: Detects thread creation without visible locking in same scope
     negativePattern: "Lock\\(|RLock\\(|Semaphore\\("
 
   - id: python-check-then-act
@@ -50,12 +43,12 @@ detectionPatterns:
     confidence: medium
     description: Detects check-then-act pattern (TOCTOU)
 
-  - id: ts-shared-variable
+  - id: ts-var-declaration
     type: regex
     language: typescript
-    pattern: "let\\s+\\w+\\s*=|var\\s+\\w+\\s*="
-    confidence: low
-    description: Detects mutable shared state (verify thread safety)
+    pattern: "\\bvar\\s+\\w+\\s*="
+    confidence: medium
+    description: Detects var declarations (function-scoped, potential unintended sharing)
 
   - id: ts-async-race
     type: regex
@@ -68,7 +61,7 @@ detectionPatterns:
     type: regex
     language: typescript
     pattern: "\\w+\\s*=\\s*\\w+\\s*\\+\\s*1|\\w+\\+\\+"
-    confidence: low
+    confidence: medium
     description: Detects non-atomic increment
 
   - id: ts-database-upsert

package/src/categories/definitions/data/encoding-mismatch.yml

@@ -56,7 +56,7 @@ detectionPatterns:
     type: regex
     language: typescript
     pattern: "new TextDecoder\\(\\)|TextDecoder\\(\\)"
-    confidence: low
+    confidence: medium
     description: Detects TextDecoder without explicit encoding
 
   - id: ts-buffer-tostring-default
@@ -76,9 +76,9 @@ detectionPatterns:
   - id: ts-length-emoji
     type: regex
     language: typescript
-    pattern: "\\.length(?!\\s*[=!<>])"
-    confidence: low
-    description: Detects string length (verify emoji handling)
+    pattern: "\\.length\\s*[<>]=?\\s*\\d+.*\\.charAt|\\.length.*\\.charCodeAt|\\.split\\(.*\\)\\.length"
+    confidence: medium
+    description: Detects string length used with char operations (may be wrong for emoji)
     negativePattern: "\\[\\.\\.\\.\\w+\\]\\.length|Array\\.from\\("
 
 testTemplates:

package/src/categories/definitions/data/null-handling.yml

@@ -41,12 +41,12 @@ detectionPatterns:
     confidence: high
     description: Detects arithmetic with potential None values
 
-  - id: python-json-null
+  - id: python-json-no-default
     type: regex
     language: python
-    pattern: "json\\.loads|json\\.load"
-    confidence: low
-    description: Detects JSON parsing (verify null handling)
+    pattern: "json\\.loads?\\(.*\\)\\[|json\\.loads?\\(.*\\)\\."
+    confidence: medium
+    description: Detects JSON parse result accessed without null check
     negativePattern: "or\\s+\\{\\}|or\\s+\\[\\]|\\.get\\("
 
   - id: ts-null-vs-undefined
@@ -56,27 +56,12 @@ detectionPatterns:
     confidence: medium
     description: Detects checking only null or undefined, not both
 
-  - id: ts-optional-chain-missing
-    type: regex
-    language: typescript
-    pattern: "\\w+\\.\\w+\\.\\w+(?!\\.?)"
-    confidence: low
-    description: Detects deep property access without optional chaining
-    negativePattern: "\\?\\."
-
-  - id: ts-nullable-db-field
+  - id: ts-json-parse-no-try
     type: regex
     language: typescript
-    pattern: "String\\s*\\|\\s*null|number\\s*\\|\\s*null"
-    confidence: low
-    description: Detects nullable types (verify null handling)
-
-  - id: ts-json-parse-null
-    type: regex
-    language: typescript
-    pattern: "JSON\\.parse\\s*\\("
-    confidence: low
-    description: Detects JSON parsing (verify null handling)
+    pattern: "JSON\\.parse\\s*\\((?!.*try|.*catch)"
+    confidence: medium
+    description: Detects JSON.parse without visible error handling
 
 testTemplates:
   - id: pytest-null-handling

package/src/categories/definitions/input/boundary-testing.yml

@@ -21,54 +21,19 @@ references:
   - https://en.wikipedia.org/wiki/Boundary_testing
 
 detectionPatterns:
-  - id: python-range-access
+  - id: python-unchecked-index-user-input
     type: regex
     language: python
-    pattern: "\\[\\w+\\]|\\[\\w+\\s*-\\s*1\\]|\\[\\w+\\s*\\+\\s*1\\]"
-    confidence: low
-    description: Detects array index access (verify boundary checks)
+    pattern: "\\w+\\[\\s*(request\\.|params\\.|args\\.|input)"
+    confidence: medium
+    description: Detects array indexing with user-controlled input without bounds check
 
-  - id: python-comparison-boundary
-    type: regex
-    language: python
-    pattern: "if\\s+\\w+\\s*[<>]=?\\s*\\d+|if\\s+\\d+\\s*[<>]=?\\s*\\w+"
-    confidence: low
-    description: Detects numeric comparisons (verify off-by-one)
-
-  - id: python-slice-operation
-    type: regex
-    language: python
-    pattern: "\\[:\\d+\\]|\\[\\d+:\\]|\\[-\\d+:\\]"
-    confidence: low
-    description: Detects slice operations (verify bounds)
-
-  - id: python-loop-range
-    type: regex
-    language: python
-    pattern: "for\\s+\\w+\\s+in\\s+range\\("
-    confidence: low
-    description: Detects range loops (verify inclusive/exclusive)
-
-  - id: ts-array-access
-    type: regex
-    language: typescript
-    pattern: "\\[\\w+\\]|\\[\\.length\\s*-\\s*1\\]"
-    confidence: low
-    description: Detects array index access
-
-  - id: ts-comparison-boundary
-    type: regex
-    language: typescript
-    pattern: "if\\s*\\(.*[<>]=?\\s*\\d+|\\w+\\s*[<>]=?\\s*\\w+\\.length"
-    confidence: low
-    description: Detects numeric/length comparisons
-
-  - id: ts-substring
+  - id: ts-unchecked-index-user-input
     type: regex
     language: typescript
-    pattern: "\\.substring\\s*\\(|\\.slice\\s*\\(|\\.substr\\s*\\("
-    confidence: low
-    description: Detects string slicing operations
+    pattern: "\\w+\\[\\s*(req\\.|params\\.|query\\.|body\\.|input)"
+    confidence: medium
+    description: Detects array indexing with user-controlled input without bounds check
 
 testTemplates:
   - id: pytest-boundary-testing

package/src/categories/definitions/input/null-undefined.yml

@@ -20,54 +20,12 @@ references:
   - https://cwe.mitre.org/data/definitions/457.html
 
 detectionPatterns:
-  - id: python-no-none-check
-    type: regex
-    language: python
-    pattern: "\\w+\\.\\w+(?!.*if.*is\\s+not\\s+None)"
-    confidence: low
-    description: Detects attribute access without None check
-
-  - id: python-dict-access-no-get
-    type: regex
-    language: python
-    pattern: "\\w+\\[[\"']\\w+[\"']\\](?!.*\\.get\\()"
-    confidence: medium
-    description: Detects dict access that may raise KeyError
-
-  - id: python-optional-no-default
-    type: regex
-    language: python
-    pattern: "Optional\\[.*\\](?!.*=\\s*None)"
-    confidence: medium
-    description: Detects Optional type without default value
-
-  - id: ts-no-null-check
-    type: regex
-    language: typescript
-    pattern: "\\w+\\.\\w+(?!.*\\?\\.|.*&&|.*\\|\\|)"
-    confidence: low
-    description: Detects property access without null check
-
-  - id: ts-undefined-equality
-    type: regex
-    language: typescript
-    pattern: "===\\s*undefined(?!.*null)|!==\\s*undefined(?!.*null)"
-    confidence: medium
-    description: Detects undefined check without null check
-
   - id: ts-non-null-assertion
     type: regex
     language: typescript
     pattern: "\\w+!\\.|\\w+!\\["
     confidence: high
-    description: Detects non-null assertion operator
-
-  - id: ts-optional-chaining-missing
-    type: regex
-    language: typescript
-    pattern: "\\w+\\.\\w+\\.\\w+(?!\\?\\.)"
-    confidence: low
-    description: Detects deep access without optional chaining
+    description: Detects non-null assertion operator (unsafe type narrowing bypass)
 
 testTemplates:
   - id: pytest-null-undefined

package/src/categories/definitions/network/connection-failure.yml

@@ -71,7 +71,7 @@ detectionPatterns:
     type: regex
     language: typescript
     pattern: "catch\\s*\\([^)]*\\)\\s*\\{(?!.*ECONNREFUSED|.*code)"
-    confidence: low
+    confidence: medium
     description: Detects catch block not checking error codes
 
   - id: ts-socket-no-error-event

package/src/categories/definitions/resource/memory-leak.yml

@@ -25,19 +25,12 @@ references:
   - https://developer.chrome.com/docs/devtools/memory-problems/
 
 detectionPatterns:
-  - id: python-cache-no-limit
+  - id: python-global-list-append
     type: regex
     language: python
-    pattern: "\\{\\}|dict\\(\\)(?!.*maxsize|.*lru_cache|.*TTLCache)"
-    confidence: low
-    description: Detects unbounded dict cache (verify eviction)
-
-  - id: python-list-append-loop
-    type: regex
-    language: python
-    pattern: "while.*\\.append\\(|for.*\\.append\\("
-    confidence: low
-    description: Detects list growing in loop (verify bounds)
+    pattern: "^\\w+\\s*=\\s*\\[\\].*\\.append\\("
+    confidence: medium
+    description: Detects module-level list accumulation without bounds
 
   - id: python-global-accumulator
     type: regex
@@ -60,12 +53,12 @@ detectionPatterns:
     confidence: medium
     description: Detects potential circular references
 
-  - id: ts-cache-no-limit
+  - id: ts-module-level-map
     type: regex
     language: typescript
-    pattern: "new\\s+Map\\(\\)|new\\s+Set\\(\\)|\\{\\}\\s*as\\s+Record"
-    confidence: low
-    description: Detects unbounded cache structures
+    pattern: "^(?:export\\s+)?const\\s+\\w+\\s*=\\s*new\\s+Map\\(\\)"
+    confidence: medium
+    description: Detects module-level Map without eviction (potential memory leak in long-running servers)
 
   - id: ts-event-listener-no-remove
     type: regex