postquant 0.1.2 → 0.3.0

package/dist/scanner/code/patterns/javascript.js

@@ -0,0 +1,243 @@
+export const javascriptPatterns = [
+    {
+        id: 'js-rsa-keygen',
+        language: 'javascript',
+        category: 'asymmetric-encryption',
+        algorithm: 'RSA',
+        risk: 'critical',
+        confidence: 'high',
+        importPatterns: [
+            /import\s+\{[^}]*generateKeyPair(?:Sync)?\s*[^}]*\}\s+from\s+['"](?:node:)?crypto['"]/,
+            /(?:const|let|var)\s+\{[^}]*generateKeyPair(?:Sync)?\s*[^}]*\}\s*=\s*require\s*\(\s*['"]crypto['"]\s*\)/,
+        ],
+        callPatterns: [
+            /generateKeyPairSync\s*\(\s*['"]rsa['"]/,
+            /generateKeyPairSync\s*\(\s*['"]rsa-pss['"]/,
+            /generateKeyPair\s*\(\s*['"]rsa['"]/,
+        ],
+        keySizeExtractor: /modulusLength\s*:\s*(\d+)/,
+        description: "RSA key generation is vulnerable to quantum attacks via Shor's algorithm",
+        migration: 'Migrate to ML-KEM (FIPS 203) for encryption or ML-DSA (FIPS 204) for signatures',
+        nistRef: 'FIPS 203/204',
+        cweId: 'CWE-327',
+    },
+    {
+        id: 'js-ec-keygen',
+        language: 'javascript',
+        category: 'asymmetric-encryption',
+        algorithm: 'ECDSA',
+        risk: 'critical',
+        confidence: 'high',
+        callPatterns: [
+            /generateKeyPairSync\s*\(\s*['"]ec['"]/,
+            /generateKeyPair\s*\(\s*['"]ec['"]/,
+        ],
+        contextPatterns: [/namedCurve\s*:\s*['"](?:P-256|P-384|P-521|secp256k1)['"]/],
+        description: "EC key generation is vulnerable to quantum attacks via Shor's algorithm",
+        migration: 'Migrate to ML-DSA (FIPS 204) for signatures or ML-KEM (FIPS 203) for key exchange',
+        nistRef: 'FIPS 203/204',
+        cweId: 'CWE-327',
+    },
+    {
+        id: 'js-ed25519-keygen',
+        language: 'javascript',
+        category: 'digital-signature',
+        algorithm: 'Ed25519',
+        risk: 'critical',
+        confidence: 'high',
+        callPatterns: [
+            /generateKeyPairSync\s*\(\s*['"]ed25519['"]\s*\)/,
+            /generateKeyPairSync\s*\(\s*['"]ed448['"]\s*\)/,
+            /generateKeyPairSync\s*\(\s*['"]x25519['"]\s*\)/,
+            /generateKeyPairSync\s*\(\s*['"]x448['"]\s*\)/,
+        ],
+        description: "Ed25519/X25519 key generation is vulnerable to quantum attacks via Shor's algorithm",
+        migration: 'Migrate to ML-DSA (FIPS 204) for signatures or ML-KEM (FIPS 203) for key exchange',
+        nistRef: 'FIPS 203/204',
+        cweId: 'CWE-327',
+    },
+    {
+        id: 'js-dsa-keygen',
+        language: 'javascript',
+        category: 'digital-signature',
+        algorithm: 'DSA',
+        risk: 'critical',
+        confidence: 'high',
+        callPatterns: [
+            /generateKeyPairSync\s*\(\s*['"]dsa['"]/,
+            /generateKeyPair\s*\(\s*['"]dsa['"]/,
+        ],
+        description: "DSA key generation is vulnerable to quantum attacks via Shor's algorithm",
+        migration: 'Migrate to ML-DSA (FIPS 204) for digital signatures',
+        nistRef: 'FIPS 204',
+        cweId: 'CWE-327',
+    },
+    {
+        id: 'js-dh-exchange',
+        language: 'javascript',
+        category: 'key-exchange',
+        algorithm: 'DH',
+        risk: 'critical',
+        confidence: 'high',
+        importPatterns: [
+            /import\s+\{[^}]*createDiffieHellman[^}]*\}\s+from\s+['"](?:node:)?crypto['"]/,
+            /(?:const|let|var)\s+\{[^}]*createDiffieHellman[^}]*\}\s*=\s*require\s*\(\s*['"]crypto['"]\s*\)/,
+        ],
+        callPatterns: [/createDiffieHellman\s*\(/],
+        description: "Diffie-Hellman key exchange is vulnerable to quantum attacks via Shor's algorithm",
+        migration: 'Migrate to ML-KEM (FIPS 203) for key encapsulation',
+        nistRef: 'FIPS 203',
+        cweId: 'CWE-327',
+    },
+    {
+        id: 'js-ecdh-exchange',
+        language: 'javascript',
+        category: 'key-exchange',
+        algorithm: 'ECDH',
+        risk: 'critical',
+        confidence: 'high',
+        callPatterns: [/createECDH\s*\(/],
+        description: "ECDH key exchange is vulnerable to quantum attacks via Shor's algorithm",
+        migration: 'Migrate to ML-KEM (FIPS 203) for key encapsulation',
+        nistRef: 'FIPS 203',
+        cweId: 'CWE-327',
+    },
+    {
+        id: 'js-md5-hash',
+        language: 'javascript',
+        category: 'weak-hash',
+        algorithm: 'MD5',
+        risk: 'critical',
+        confidence: 'high',
+        callPatterns: [
+            /createHash\s*\(\s*['"]md5['"]\s*\)/,
+            /crypto\.subtle\.digest\s*\(\s*['"]MD5['"]/,
+        ],
+        description: 'MD5 is cryptographically broken and unsuitable for any security use',
+        migration: 'Migrate to SHA-256 or SHA-3 for hashing',
+        cweId: 'CWE-328',
+    },
+    {
+        id: 'js-sha1-hash',
+        language: 'javascript',
+        category: 'weak-hash',
+        algorithm: 'SHA-1',
+        risk: 'critical',
+        confidence: 'high',
+        callPatterns: [
+            /createHash\s*\(\s*['"]sha1['"]\s*\)/,
+            /crypto\.subtle\.digest\s*\(\s*['"]SHA-1['"]/,
+        ],
+        description: 'SHA-1 is cryptographically broken with practical collision attacks',
+        migration: 'Migrate to SHA-256 or SHA-3 for hashing',
+        cweId: 'CWE-328',
+    },
+    {
+        id: 'js-sha256-hash',
+        language: 'javascript',
+        category: 'safe-hash',
+        algorithm: 'SHA-256',
+        risk: 'safe',
+        confidence: 'high',
+        callPatterns: [
+            /createHash\s*\(\s*['"]sha256['"]\s*\)/,
+            /createHash\s*\(\s*['"]sha384['"]\s*\)/,
+            /createHash\s*\(\s*['"]sha512['"]\s*\)/,
+            /crypto\.subtle\.digest\s*\(\s*['"]SHA-256['"]/,
+            /crypto\.subtle\.digest\s*\(\s*['"]SHA-384['"]/,
+            /crypto\.subtle\.digest\s*\(\s*['"]SHA-512['"]/,
+        ],
+        description: 'SHA-256/384/512 are quantum-resistant hash functions',
+        migration: 'No migration needed — already quantum-safe',
+    },
+    {
+        id: 'js-aes',
+        language: 'javascript',
+        category: 'weak-symmetric',
+        algorithm: 'AES',
+        risk: 'moderate',
+        confidence: 'medium',
+        callPatterns: [
+            /createCipheriv\s*\(\s*['"]aes-\d+-/,
+            /createDecipheriv\s*\(\s*['"]aes-\d+-/,
+        ],
+        keySizeExtractor: /aes-(\d+)/,
+        keySizeRisk: (size) => (size >= 256 ? 'safe' : 'moderate'),
+        description: "AES-128 provides reduced security against quantum attacks (Grover's algorithm)",
+        migration: 'Use AES-256 for quantum-resistant symmetric encryption',
+    },
+    {
+        id: 'js-3des',
+        language: 'javascript',
+        category: 'broken-cipher',
+        algorithm: '3DES',
+        risk: 'critical',
+        confidence: 'high',
+        callPatterns: [
+            /createCipheriv\s*\(\s*['"]des-ede3-/,
+            /createDecipheriv\s*\(\s*['"]des-ede3-/,
+        ],
+        description: '3DES is deprecated with inadequate security margins',
+        migration: 'Migrate to AES-256-GCM for symmetric encryption',
+        cweId: 'CWE-327',
+    },
+    {
+        id: 'js-webcrypto-rsa',
+        language: 'javascript',
+        category: 'asymmetric-encryption',
+        algorithm: 'RSA',
+        risk: 'critical',
+        confidence: 'high',
+        callPatterns: [
+            /subtle\.generateKey\s*\(\s*\{[^}]*name\s*:\s*['"]RSA-OAEP['"]/,
+            /subtle\.generateKey\s*\(\s*\{[^}]*name\s*:\s*['"]RSA-PSS['"]/,
+            /subtle\.generateKey\s*\(\s*\{[^}]*name\s*:\s*['"]RSASSA-PKCS1-v1_5['"]/,
+            /subtle\.importKey\s*\([^)]*['"]RSA-OAEP['"]/,
+        ],
+        description: "WebCrypto RSA operations are vulnerable to quantum attacks via Shor's algorithm",
+        migration: 'Migrate to ML-KEM (FIPS 203) or ML-DSA (FIPS 204) when WebCrypto supports PQC',
+        nistRef: 'FIPS 203/204',
+        cweId: 'CWE-327',
+    },
+    {
+        id: 'js-webcrypto-ec',
+        language: 'javascript',
+        category: 'asymmetric-encryption',
+        algorithm: 'ECDSA',
+        risk: 'critical',
+        confidence: 'high',
+        callPatterns: [
+            /subtle\.generateKey\s*\(\s*\{[^}]*name\s*:\s*['"]ECDSA['"]/,
+            /subtle\.generateKey\s*\(\s*\{[^}]*name\s*:\s*['"]ECDH['"]/,
+            /subtle\.sign\s*\(\s*\{[^}]*name\s*:\s*['"]ECDSA['"]/,
+        ],
+        description: "WebCrypto EC operations are vulnerable to quantum attacks via Shor's algorithm",
+        migration: 'Migrate to ML-DSA (FIPS 204) for signatures or ML-KEM (FIPS 203) for key exchange',
+        nistRef: 'FIPS 203/204',
+        cweId: 'CWE-327',
+    },
+    {
+        id: 'js-jwt-sign',
+        language: 'javascript',
+        category: 'digital-signature',
+        algorithm: 'RSA/ECDSA',
+        risk: 'critical',
+        confidence: 'high',
+        importPatterns: [
+            /import\s+.*from\s+['"]jsonwebtoken['"]/,
+            /import\s+\{[^}]*SignJWT[^}]*\}\s+from\s+['"]jose['"]/,
+            /require\s*\(\s*['"]jsonwebtoken['"]\s*\)/,
+        ],
+        callPatterns: [
+            /jwt\.sign\s*\([^)]*algorithm\s*:\s*['"](?:RS|ES|PS)\d{3}['"]/,
+            /jwt\.sign\s*\([^)]*algorithm\s*:\s*['"]EdDSA['"]/,
+            /SignJWT\s*\([^)]*\).*setProtectedHeader\s*\(\s*\{[^}]*alg\s*:\s*['"](?:RS|ES|PS)\d{3}['"]/,
+            /SignJWT\s*\([^)]*\).*setProtectedHeader\s*\(\s*\{[^}]*alg\s*:\s*['"]EdDSA['"]/,
+            /generateKeyPair\s*\(\s*['"](?:RS|ES)\d{3}['"]\s*\)/,
+        ],
+        description: 'JWT signing with RSA/ECDSA/EdDSA uses quantum-vulnerable algorithms',
+        migration: 'Use HMAC-based JWT (HS256) for symmetric signing, or await PQC JWT standards',
+        cweId: 'CWE-327',
+    },
+];
+//# sourceMappingURL=javascript.js.map

package/dist/scanner/code/patterns/javascript.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"javascript.js","sourceRoot":"","sources":["../../../../src/scanner/code/patterns/javascript.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,kBAAkB,GAAoB;IACjD;QACE,EAAE,EAAE,eAAe;QACnB,QAAQ,EAAE,YAAY;QACtB,QAAQ,EAAE,uBAAuB;QACjC,SAAS,EAAE,KAAK;QAChB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,cAAc,EAAE;YACd,sFAAsF;YACtF,wGAAwG;SACzG;QACD,YAAY,EAAE;YACZ,wCAAwC;YACxC,4CAA4C;YAC5C,oCAAoC;SACrC;QACD,gBAAgB,EAAE,2BAA2B;QAC7C,WAAW,EAAE,0EAA0E;QACvF,SAAS,EAAE,iFAAiF;QAC5F,OAAO,EAAE,cAAc;QACvB,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,cAAc;QAClB,QAAQ,EAAE,YAAY;QACtB,QAAQ,EAAE,uBAAuB;QACjC,SAAS,EAAE,OAAO;QAClB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE;YACZ,uCAAuC;YACvC,mCAAmC;SACpC;QACD,eAAe,EAAE,CAAC,0DAA0D,CAAC;QAC7E,WAAW,EAAE,yEAAyE;QACtF,SAAS,EAAE,mFAAmF;QAC9F,OAAO,EAAE,cAAc;QACvB,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,QAAQ,EAAE,YAAY;QACtB,QAAQ,EAAE,mBAAmB;QAC7B,SAAS,EAAE,SAAS;QACpB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE;YACZ,iDAAiD;YACjD,+CAA+C;YAC/C,gDAAgD;YAChD,8CAA8C;SAC/C;QACD,WAAW,EAAE,qFAAqF;QAClG,SAAS,EAAE,mFAAmF;QAC9F,OAAO,EAAE,cAAc;QACvB,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,eAAe;QACnB,QAAQ,EAAE,YAAY;QACtB,QAAQ,EAAE,mBAAmB;QAC7B,SAAS,EAAE,KAAK;QAChB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE;YACZ,wCAAwC;YACxC,oCAAoC;SACrC;QACD,WAAW,EAAE,0EAA0E;QACvF,SAAS,EAAE,qDAAqD;QAChE,OAAO,EAAE,UAAU;QACnB,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,QAAQ,EAAE,YAAY;QACtB,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,IAAI;QACf,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,cAAc,EAAE;YACd,8EAA8E;YAC9E,gGAAgG;SACjG;QACD,YAAY,EAAE,CAAC,0BAA0B,CAAC;QAC1C,WAAW,EAAE,mFAAmF;QAChG,SAAS,EAAE,oDAAoD;QAC/D,OAAO,EAAE,UAAU;QACnB,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,QAAQ,EAAE,YAAY;QACtB,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,MAAM;QACjB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE,CAAC,iBAAiB,CAAC;QACjC,WAAW,EAAE,yEAAyE;QACtF,SAAS,EAAE,oDAAoD;QAC/D,OAAO,EAAE,UAAU;QACnB,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,aAAa;QACjB,QAAQ,EAAE,YAAY;QACtB,QAAQ,EAAE,WAAW;QACrB,SAAS,EAAE,KAAK;QAChB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE;YACZ,oCAAoC;YACpC,2CAA2C;SAC5C;QACD,WAAW,EAAE,qEAAqE;QAClF,SAAS,EAAE,yCAAyC;QACpD,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,cAAc;QAClB,QAAQ,EAAE,YAAY;QACtB,QAAQ,EAAE,WAAW;QACrB,SAAS,EAAE,OAAO;QAClB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE;YACZ,qCAAqC;YACrC,6CAA6C;SAC9C;QACD,WAAW,EAAE,oEAAoE;QACjF,SAAS,EAAE,yCAAyC;QACpD,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,QAAQ,EAAE,YAAY;QACtB,QAAQ,EAAE,WAAW;QACrB,SAAS,EAAE,SAAS;QACpB,IAAI,EAAE,MAAM;QACZ,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE;YACZ,uCAAuC;YACvC,uCAAuC;YACvC,uCAAuC;YACvC,+CAA+C;YAC/C,+CAA+C;YAC/C,+CAA+C;SAChD;QACD,WAAW,EAAE,sDAAsD;QACnE,SAAS,EAAE,4CAA4C;KACxD;IACD;QACE,EAAE,EAAE,QAAQ;QACZ,QAAQ,EAAE,YAAY;QACtB,QAAQ,EAAE,gBAAgB;QAC1B,SAAS,EAAE,KAAK;QAChB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,QAAQ;QACpB,YAAY,EAAE;YACZ,oCAAoC;YACpC,sCAAsC;SACvC;QACD,gBAAgB,EAAE,WAAW;QAC7B,WAAW,EAAE,CAAC,IAAY,EAAa,EAAE,CAAC,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC;QAC7E,WAAW,EAAE,gFAAgF;QAC7F,SAAS,EAAE,wDAAwD;KACpE;IACD;QACE,EAAE,EAAE,SAAS;QACb,QAAQ,EAAE,YAAY;QACtB,QAAQ,EAAE,eAAe;QACzB,SAAS,EAAE,MAAM;QACjB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE;YACZ,qCAAqC;YACrC,uCAAuC;SACxC;QACD,WAAW,EAAE,qDAAqD;QAClE,SAAS,EAAE,iDAAiD;QAC5D,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,QAAQ,EAAE,YAAY;QACtB,QAAQ,EAAE,uBAAuB;QACjC,SAAS,EAAE,KAAK;QAChB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE;YACZ,+DAA+D;YAC/D,8DAA8D;YAC9D,wEAAwE;YACxE,6CAA6C;SAC9C;QACD,WAAW,EAAE,iFAAiF;QAC9F,SAAS,EAAE,+EAA+E;QAC1F,OAAO,EAAE,cAAc;QACvB,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,QAAQ,EAAE,YAAY;QACtB,QAAQ,EAAE,uBAAuB;QACjC,SAAS,EAAE,OAAO;QAClB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE;YACZ,4DAA4D;YAC5D,2DAA2D;YAC3D,qDAAqD;SACtD;QACD,WAAW,EAAE,gFAAgF;QAC7F,SAAS,EAAE,mFAAmF;QAC9F,OAAO,EAAE,cAAc;QACvB,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,aAAa;QACjB,QAAQ,EAAE,YAAY;QACtB,QAAQ,EAAE,mBAAmB;QAC7B,SAAS,EAAE,WAAW;QACtB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,cAAc,EAAE;YACd,wCAAwC;YACxC,sDAAsD;YACtD,0CAA0C;SAC3C;QACD,YAAY,EAAE;YACZ,8DAA8D;YAC9D,kDAAkD;YAClD,2FAA2F;YAC3F,+EAA+E;YAC/E,oDAAoD;SACrD;QACD,WAAW,EAAE,qEAAqE;QAClF,SAAS,EAAE,8EAA8E;QACzF,KAAK,EAAE,SAAS;KACjB;CACF,CAAC"}

package/dist/scanner/code/patterns/python.d.ts

@@ -0,0 +1,3 @@
+import type { CryptoPattern } from '../../../types/index.js';
+export declare const pythonPatterns: CryptoPattern[];
+//# sourceMappingURL=python.d.ts.map

package/dist/scanner/code/patterns/python.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"python.d.ts","sourceRoot":"","sources":["../../../../src/scanner/code/patterns/python.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAa,MAAM,yBAAyB,CAAC;AAExE,eAAO,MAAM,cAAc,EAAE,aAAa,EA6PzC,CAAC"}

package/dist/scanner/code/patterns/python.js

@@ -0,0 +1,255 @@
+export const pythonPatterns = [
+    {
+        id: 'python-rsa-keygen',
+        language: 'python',
+        category: 'asymmetric-encryption',
+        algorithm: 'RSA',
+        risk: 'critical',
+        confidence: 'high',
+        importPatterns: [
+            /from\s+cryptography\.hazmat\.primitives\.asymmetric\s+import\s+rsa/,
+            /from\s+Crypto\.PublicKey\s+import\s+RSA/,
+        ],
+        callPatterns: [
+            /rsa\.generate_private_key\s*\(/,
+            /RSA\.generate\s*\(/,
+        ],
+        keySizeExtractor: /key_size\s*=\s*(\d+)|RSA\.generate\s*\(\s*(\d+)/,
+        description: "RSA key generation is vulnerable to quantum attacks via Shor's algorithm",
+        migration: 'Migrate to ML-KEM (FIPS 203) for encryption or ML-DSA (FIPS 204) for signatures',
+        nistRef: 'FIPS 203/204',
+        cweId: 'CWE-327',
+    },
+    {
+        id: 'python-rsa-sign',
+        language: 'python',
+        category: 'digital-signature',
+        algorithm: 'RSA',
+        risk: 'critical',
+        confidence: 'high',
+        importPatterns: [
+            /from\s+cryptography\.hazmat\.primitives\.asymmetric\s+import\s+padding/,
+            /from\s+Crypto\.Signature\s+import/,
+        ],
+        callPatterns: [
+            /\.sign\s*\(.*padding\.(PSS|PKCS1v15)\s*\(/,
+            /pkcs1_15\.new\s*\(/,
+            /pss\.new\s*\(/,
+        ],
+        description: "RSA digital signatures are vulnerable to quantum attacks via Shor's algorithm",
+        migration: 'Migrate to ML-DSA (FIPS 204) for digital signatures',
+        nistRef: 'FIPS 204',
+        cweId: 'CWE-327',
+    },
+    {
+        id: 'python-ec-keygen',
+        language: 'python',
+        category: 'asymmetric-encryption',
+        algorithm: 'ECDSA',
+        risk: 'critical',
+        confidence: 'high',
+        importPatterns: [
+            /from\s+cryptography\.hazmat\.primitives\.asymmetric\s+import\s+ec/,
+            /from\s+Crypto\.PublicKey\s+import\s+ECC/,
+        ],
+        callPatterns: [
+            /ec\.generate_private_key\s*\(/,
+            /ECC\.generate\s*\(/,
+        ],
+        contextPatterns: [/SECP256R1|SECP384R1|SECP521R1|P-256|P-384|P-521/],
+        description: "Elliptic curve key generation is vulnerable to quantum attacks via Shor's algorithm",
+        migration: 'Migrate to ML-DSA (FIPS 204) for signatures or ML-KEM (FIPS 203) for key exchange',
+        nistRef: 'FIPS 203/204',
+        cweId: 'CWE-327',
+    },
+    {
+        id: 'python-ecdsa-sign',
+        language: 'python',
+        category: 'digital-signature',
+        algorithm: 'ECDSA',
+        risk: 'critical',
+        confidence: 'high',
+        callPatterns: [
+            /\.sign\s*\(.*ec\.ECDSA\s*\(/,
+            /DSS\.new\s*\(/,
+        ],
+        description: "ECDSA digital signatures are vulnerable to quantum attacks via Shor's algorithm",
+        migration: 'Migrate to ML-DSA (FIPS 204) for digital signatures',
+        nistRef: 'FIPS 204',
+        cweId: 'CWE-327',
+    },
+    {
+        id: 'python-ecdh-exchange',
+        language: 'python',
+        category: 'key-exchange',
+        algorithm: 'ECDH',
+        risk: 'critical',
+        confidence: 'high',
+        callPatterns: [/\.exchange\s*\(\s*ec\.ECDH\s*\(\)/],
+        description: "ECDH key exchange is vulnerable to quantum attacks via Shor's algorithm",
+        migration: 'Migrate to ML-KEM (FIPS 203) for key encapsulation',
+        nistRef: 'FIPS 203',
+        cweId: 'CWE-327',
+    },
+    {
+        id: 'python-x25519',
+        language: 'python',
+        category: 'key-exchange',
+        algorithm: 'X25519',
+        risk: 'critical',
+        confidence: 'high',
+        importPatterns: [
+            /from\s+cryptography\.hazmat\.primitives\.asymmetric\.x25519\s+import/,
+            /from\s+cryptography\.hazmat\.primitives\.asymmetric\.x448\s+import/,
+        ],
+        callPatterns: [
+            /X25519PrivateKey\.generate\s*\(/,
+            /X448PrivateKey\.generate\s*\(/,
+        ],
+        description: "X25519/X448 key exchange is vulnerable to quantum attacks via Shor's algorithm",
+        migration: 'Migrate to ML-KEM (FIPS 203) for key encapsulation',
+        nistRef: 'FIPS 203',
+        cweId: 'CWE-327',
+    },
+    {
+        id: 'python-ed25519',
+        language: 'python',
+        category: 'digital-signature',
+        algorithm: 'Ed25519',
+        risk: 'critical',
+        confidence: 'high',
+        importPatterns: [
+            /from\s+cryptography\.hazmat\.primitives\.asymmetric\.ed25519\s+import/,
+            /from\s+cryptography\.hazmat\.primitives\.asymmetric\.ed448\s+import/,
+        ],
+        callPatterns: [
+            /Ed25519PrivateKey\.generate\s*\(/,
+            /Ed448PrivateKey\.generate\s*\(/,
+        ],
+        description: "Ed25519/Ed448 signatures are vulnerable to quantum attacks via Shor's algorithm",
+        migration: 'Migrate to ML-DSA (FIPS 204) for digital signatures',
+        nistRef: 'FIPS 204',
+        cweId: 'CWE-327',
+    },
+    {
+        id: 'python-dsa-keygen',
+        language: 'python',
+        category: 'digital-signature',
+        algorithm: 'DSA',
+        risk: 'critical',
+        confidence: 'high',
+        importPatterns: [
+            /from\s+cryptography\.hazmat\.primitives\.asymmetric\s+import\s+dsa/,
+            /from\s+Crypto\.PublicKey\s+import\s+DSA/,
+        ],
+        callPatterns: [
+            /dsa\.generate_private_key\s*\(/,
+            /DSA\.generate\s*\(/,
+        ],
+        description: "DSA key generation is vulnerable to quantum attacks via Shor's algorithm",
+        migration: 'Migrate to ML-DSA (FIPS 204) for digital signatures',
+        nistRef: 'FIPS 204',
+        cweId: 'CWE-327',
+    },
+    {
+        id: 'python-dh-keygen',
+        language: 'python',
+        category: 'key-exchange',
+        algorithm: 'DH',
+        risk: 'critical',
+        confidence: 'high',
+        importPatterns: [
+            /from\s+cryptography\.hazmat\.primitives\.asymmetric\s+import\s+dh/,
+        ],
+        callPatterns: [/dh\.generate_parameters\s*\(/],
+        description: "Diffie-Hellman key exchange is vulnerable to quantum attacks via Shor's algorithm",
+        migration: 'Migrate to ML-KEM (FIPS 203) for key encapsulation',
+        nistRef: 'FIPS 203',
+        cweId: 'CWE-327',
+    },
+    {
+        id: 'python-md5',
+        language: 'python',
+        category: 'weak-hash',
+        algorithm: 'MD5',
+        risk: 'critical',
+        confidence: 'high',
+        importPatterns: [
+            /import\s+hashlib/,
+            /from\s+Crypto\.Hash\s+import\s+MD5/,
+        ],
+        callPatterns: [
+            /hashlib\.md5\s*\(/,
+            /hashlib\.new\s*\(\s*['"]md5['"]/,
+            /hashes\.MD5\s*\(/,
+            /MD5\.new\s*\(/,
+        ],
+        description: 'MD5 is cryptographically broken and unsuitable for any security use',
+        migration: 'Migrate to SHA-256 or SHA-3 for hashing',
+        cweId: 'CWE-328',
+    },
+    {
+        id: 'python-sha1',
+        language: 'python',
+        category: 'weak-hash',
+        algorithm: 'SHA-1',
+        risk: 'critical',
+        confidence: 'high',
+        importPatterns: [
+            /import\s+hashlib/,
+            /from\s+Crypto\.Hash\s+import\s+SHA1/,
+        ],
+        callPatterns: [
+            /hashlib\.sha1\s*\(/,
+            /hashlib\.new\s*\(\s*['"]sha1['"]/,
+            /hashes\.SHA1\s*\(/,
+            /SHA1\.new\s*\(/,
+        ],
+        description: 'SHA-1 is cryptographically broken with practical collision attacks',
+        migration: 'Migrate to SHA-256 or SHA-3 for hashing',
+        cweId: 'CWE-328',
+    },
+    {
+        id: 'python-sha256',
+        language: 'python',
+        category: 'safe-hash',
+        algorithm: 'SHA-256',
+        risk: 'safe',
+        confidence: 'high',
+        callPatterns: [
+            /hashlib\.sha256\s*\(/,
+            /hashlib\.sha384\s*\(/,
+            /hashlib\.sha512\s*\(/,
+            /hashlib\.sha3_256\s*\(/,
+            /hashlib\.sha3_384\s*\(/,
+            /hashlib\.sha3_512\s*\(/,
+            /hashes\.SHA256\s*\(/,
+            /hashes\.SHA384\s*\(/,
+            /hashes\.SHA512\s*\(/,
+            /hashes\.SHA3_256\s*\(/,
+        ],
+        description: 'SHA-256/384/512/SHA-3 are quantum-resistant hash functions',
+        migration: 'No migration needed — already quantum-safe',
+    },
+    {
+        id: 'python-aes',
+        language: 'python',
+        category: 'weak-symmetric',
+        algorithm: 'AES',
+        risk: 'moderate',
+        confidence: 'medium',
+        importPatterns: [
+            /from\s+cryptography\.hazmat\.primitives\.ciphers\s+import/,
+            /from\s+Crypto\.Cipher\s+import\s+AES/,
+        ],
+        callPatterns: [
+            /algorithms\.AES\s*\(/,
+            /AES\.new\s*\(/,
+        ],
+        keySizeExtractor: /AES(\d+)|key_size\s*=\s*(\d+)/,
+        keySizeRisk: (size) => (size >= 256 ? 'safe' : 'moderate'),
+        description: "AES-128 provides reduced security against quantum attacks (Grover's algorithm)",
+        migration: 'Use AES-256 for quantum-resistant symmetric encryption',
+    },
+];
+//# sourceMappingURL=python.js.map

package/dist/scanner/code/patterns/python.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"python.js","sourceRoot":"","sources":["../../../../src/scanner/code/patterns/python.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,cAAc,GAAoB;IAC7C;QACE,EAAE,EAAE,mBAAmB;QACvB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,uBAAuB;QACjC,SAAS,EAAE,KAAK;QAChB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,cAAc,EAAE;YACd,oEAAoE;YACpE,yCAAyC;SAC1C;QACD,YAAY,EAAE;YACZ,gCAAgC;YAChC,oBAAoB;SACrB;QACD,gBAAgB,EAAE,iDAAiD;QACnE,WAAW,EAAE,0EAA0E;QACvF,SAAS,EAAE,iFAAiF;QAC5F,OAAO,EAAE,cAAc;QACvB,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,mBAAmB;QAC7B,SAAS,EAAE,KAAK;QAChB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,cAAc,EAAE;YACd,wEAAwE;YACxE,mCAAmC;SACpC;QACD,YAAY,EAAE;YACZ,2CAA2C;YAC3C,oBAAoB;YACpB,eAAe;SAChB;QACD,WAAW,EAAE,+EAA+E;QAC5F,SAAS,EAAE,qDAAqD;QAChE,OAAO,EAAE,UAAU;QACnB,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,uBAAuB;QACjC,SAAS,EAAE,OAAO;QAClB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,cAAc,EAAE;YACd,mEAAmE;YACnE,yCAAyC;SAC1C;QACD,YAAY,EAAE;YACZ,+BAA+B;YAC/B,oBAAoB;SACrB;QACD,eAAe,EAAE,CAAC,iDAAiD,CAAC;QACpE,WAAW,EAAE,qFAAqF;QAClG,SAAS,EAAE,mFAAmF;QAC9F,OAAO,EAAE,cAAc;QACvB,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,mBAAmB;QAC7B,SAAS,EAAE,OAAO;QAClB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE;YACZ,6BAA6B;YAC7B,eAAe;SAChB;QACD,WAAW,EAAE,iFAAiF;QAC9F,SAAS,EAAE,qDAAqD;QAChE,OAAO,EAAE,UAAU;QACnB,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,MAAM;QACjB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE,CAAC,mCAAmC,CAAC;QACnD,WAAW,EAAE,yEAAyE;QACtF,SAAS,EAAE,oDAAoD;QAC/D,OAAO,EAAE,UAAU;QACnB,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,eAAe;QACnB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,QAAQ;QACnB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,cAAc,EAAE;YACd,sEAAsE;YACtE,oEAAoE;SACrE;QACD,YAAY,EAAE;YACZ,iCAAiC;YACjC,+BAA+B;SAChC;QACD,WAAW,EAAE,gFAAgF;QAC7F,SAAS,EAAE,oDAAoD;QAC/D,OAAO,EAAE,UAAU;QACnB,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,mBAAmB;QAC7B,SAAS,EAAE,SAAS;QACpB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,cAAc,EAAE;YACd,uEAAuE;YACvE,qEAAqE;SACtE;QACD,YAAY,EAAE;YACZ,kCAAkC;YAClC,gCAAgC;SACjC;QACD,WAAW,EAAE,iFAAiF;QAC9F,SAAS,EAAE,qDAAqD;QAChE,OAAO,EAAE,UAAU;QACnB,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,mBAAmB;QACvB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,mBAAmB;QAC7B,SAAS,EAAE,KAAK;QAChB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,cAAc,EAAE;YACd,oEAAoE;YACpE,yCAAyC;SAC1C;QACD,YAAY,EAAE;YACZ,gCAAgC;YAChC,oBAAoB;SACrB;QACD,WAAW,EAAE,0EAA0E;QACvF,SAAS,EAAE,qDAAqD;QAChE,OAAO,EAAE,UAAU;QACnB,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,cAAc;QACxB,SAAS,EAAE,IAAI;QACf,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,cAAc,EAAE;YACd,mEAAmE;SACpE;QACD,YAAY,EAAE,CAAC,8BAA8B,CAAC;QAC9C,WAAW,EAAE,mFAAmF;QAChG,SAAS,EAAE,oDAAoD;QAC/D,OAAO,EAAE,UAAU;QACnB,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,YAAY;QAChB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,WAAW;QACrB,SAAS,EAAE,KAAK;QAChB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,cAAc,EAAE;YACd,kBAAkB;YAClB,oCAAoC;SACrC;QACD,YAAY,EAAE;YACZ,mBAAmB;YACnB,iCAAiC;YACjC,kBAAkB;YAClB,eAAe;SAChB;QACD,WAAW,EAAE,qEAAqE;QAClF,SAAS,EAAE,yCAAyC;QACpD,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,aAAa;QACjB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,WAAW;QACrB,SAAS,EAAE,OAAO;QAClB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,MAAM;QAClB,cAAc,EAAE;YACd,kBAAkB;YAClB,qCAAqC;SACtC;QACD,YAAY,EAAE;YACZ,oBAAoB;YACpB,kCAAkC;YAClC,mBAAmB;YACnB,gBAAgB;SACjB;QACD,WAAW,EAAE,oEAAoE;QACjF,SAAS,EAAE,yCAAyC;QACpD,KAAK,EAAE,SAAS;KACjB;IACD;QACE,EAAE,EAAE,eAAe;QACnB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,WAAW;QACrB,SAAS,EAAE,SAAS;QACpB,IAAI,EAAE,MAAM;QACZ,UAAU,EAAE,MAAM;QAClB,YAAY,EAAE;YACZ,sBAAsB;YACtB,sBAAsB;YACtB,sBAAsB;YACtB,wBAAwB;YACxB,wBAAwB;YACxB,wBAAwB;YACxB,qBAAqB;YACrB,qBAAqB;YACrB,qBAAqB;YACrB,uBAAuB;SACxB;QACD,WAAW,EAAE,4DAA4D;QACzE,SAAS,EAAE,4CAA4C;KACxD;IACD;QACE,EAAE,EAAE,YAAY;QAChB,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,gBAAgB;QAC1B,SAAS,EAAE,KAAK;QAChB,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,QAAQ;QACpB,cAAc,EAAE;YACd,2DAA2D;YAC3D,sCAAsC;SACvC;QACD,YAAY,EAAE;YACZ,sBAAsB;YACtB,eAAe;SAChB;QACD,gBAAgB,EAAE,+BAA+B;QACjD,WAAW,EAAE,CAAC,IAAY,EAAa,EAAE,CAAC,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC;QAC7E,WAAW,EAAE,gFAAgF;QAC7F,SAAS,EAAE,wDAAwD;KACpE;CACF,CAAC"}

package/dist/scanner/code/risk-assessor.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Risk Assessment Layer for PostQuant v0.3.0
+ *
+ * Analyzes the CONTEXT of each cryptographic finding to determine
+ * whether the algorithm usage is security-critical or benign.
+ * MD5 in password hashing is critical; MD5 in UUID v3 is informational.
+ */
+import type { CodeFinding, Language, RiskLevel, UsageContext, AdjustedRisk, ContextSignal, AssessedFinding } from '../../types/index.js';
+export interface ResolvedContext {
+    context: UsageContext;
+    influence: 'increases-risk' | 'decreases-risk' | 'neutral';
+}
+export declare function detectFilePathSignals(filePath: string): ContextSignal[];
+export declare function detectNearbyCodeSignals(lines: string[], lineNumber: number, windowSize?: number): ContextSignal[];
+export declare function detectImportSignals(content: string, language: Language): ContextSignal[];
+export declare function detectFunctionNameSignals(matchedLine: string): ContextSignal[];
+export interface ProtocolPatternResult {
+    signal: ContextSignal;
+    contextOverride: UsageContext;
+}
+export declare function detectProtocolPattern(finding: CodeFinding, lines: string[], lineNumber: number, imports: string): ProtocolPatternResult | null;
+export declare function resolveContext(signals: ContextSignal[]): ResolvedContext;
+export declare function computeAdjustedRisk(originalRisk: RiskLevel, context: UsageContext): AdjustedRisk;
+export declare function assessFindings(findings: CodeFinding[], fileContents: Map<string, string>): AssessedFinding[];
+//# sourceMappingURL=risk-assessor.d.ts.map

package/dist/scanner/code/risk-assessor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"risk-assessor.d.ts","sourceRoot":"","sources":["../../../src/scanner/code/risk-assessor.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EACV,WAAW,EACX,QAAQ,EACR,SAAS,EACT,YAAY,EACZ,YAAY,EACZ,aAAa,EAEb,eAAe,EAChB,MAAM,sBAAsB,CAAC;AAI9B,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,YAAY,CAAC;IACtB,SAAS,EAAE,gBAAgB,GAAG,gBAAgB,GAAG,SAAS,CAAC;CAC5D;AAkFD,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa,EAAE,CAcvE;AA4BD,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,MAAM,EAAE,EACf,UAAU,EAAE,MAAM,EAClB,UAAU,GAAE,MAAU,GACrB,aAAa,EAAE,CAsBjB;AA6CD,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,GAAG,aAAa,EAAE,CA4BxF;AAuBD,wBAAgB,yBAAyB,CAAC,WAAW,EAAE,MAAM,GAAG,aAAa,EAAE,CAgB9E;AAkDD,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,aAAa,CAAC;IACtB,eAAe,EAAE,YAAY,CAAC;CAC/B;AAUD,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,WAAW,EACpB,KAAK,EAAE,MAAM,EAAE,EACf,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,MAAM,GACd,qBAAqB,GAAG,IAAI,CAuB9B;AAID,wBAAgB,cAAc,CAAC,OAAO,EAAE,aAAa,EAAE,GAAG,eAAe,CAqBxE;AA2DD,wBAAgB,mBAAmB,CACjC,YAAY,EAAE,SAAS,EACvB,OAAO,EAAE,YAAY,GACpB,YAAY,CAEd;AAID,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,WAAW,EAAE,EACvB,YAAY,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAChC,eAAe,EAAE,CAEnB"}