npm - pqaudit - Versions diffs - 0.1.0 - Mend

pqaudit 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (48) hide show

package/LICENSE +21 -0
package/README.md +180 -0
package/dist/cli.d.ts +3 -0
package/dist/cli.d.ts.map +1 -0
package/dist/cli.js +69 -0
package/dist/cli.js.map +1 -0
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +6 -0
package/dist/index.js.map +1 -0
package/dist/reporter/cbom.d.ts +8 -0
package/dist/reporter/cbom.d.ts.map +1 -0
package/dist/reporter/cbom.js +153 -0
package/dist/reporter/cbom.js.map +1 -0
package/dist/reporter/json.d.ts +3 -0
package/dist/reporter/json.d.ts.map +1 -0
package/dist/reporter/json.js +4 -0
package/dist/reporter/json.js.map +1 -0
package/dist/reporter/sarif.d.ts +7 -0
package/dist/reporter/sarif.d.ts.map +1 -0
package/dist/reporter/sarif.js +91 -0
package/dist/reporter/sarif.js.map +1 -0
package/dist/reporter/text.d.ts +3 -0
package/dist/reporter/text.d.ts.map +1 -0
package/dist/reporter/text.js +84 -0
package/dist/reporter/text.js.map +1 -0
package/dist/scanner/dependency-scanner.d.ts +3 -0
package/dist/scanner/dependency-scanner.d.ts.map +1 -0
package/dist/scanner/dependency-scanner.js +133 -0
package/dist/scanner/dependency-scanner.js.map +1 -0
package/dist/scanner/engine.d.ts +3 -0
package/dist/scanner/engine.d.ts.map +1 -0
package/dist/scanner/engine.js +109 -0
package/dist/scanner/engine.js.map +1 -0
package/dist/scanner/file-scanner.d.ts +5 -0
package/dist/scanner/file-scanner.d.ts.map +1 -0
package/dist/scanner/file-scanner.js +163 -0
package/dist/scanner/file-scanner.js.map +1 -0
package/dist/scanner/rules.d.ts +4 -0
package/dist/scanner/rules.d.ts.map +1 -0
package/dist/scanner/rules.js +25 -0
package/dist/scanner/rules.js.map +1 -0
package/dist/types.d.ts +102 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +9 -0
package/dist/types.js.map +1 -0
package/package.json +62 -0
package/rules/crypto-patterns.yaml +350 -0

package/dist/types.d.ts ADDED Viewed

@@ -0,0 +1,102 @@
+/** Severity of a cryptographic finding */
+export type Severity = "critical" | "high" | "medium" | "low" | "safe";
+/** Category of cryptographic operation */
+export type CryptoCategory = "kem" | "signature" | "hash" | "symmetric" | "protocol" | "kdf";
+/** How the finding was detected */
+export type DetectionMethod = "regex" | "ast" | "dependency" | "network";
+/** Migration effort required */
+export type MigrationEffort = "trivial" | "moderate" | "complex" | "breaking";
+/** A single cryptographic finding in a codebase */
+export interface Finding {
+    /** Unique rule ID that triggered this finding */
+    ruleId: string;
+    /** Human-readable description */
+    description: string;
+    /** Severity classification */
+    severity: Severity;
+    /** Cryptographic category */
+    category: CryptoCategory;
+    /** The algorithm or protocol identified */
+    algorithm: string;
+    /** Recommended PQC replacement */
+    replacement: string | null;
+    /** Migration effort estimate */
+    effort: MigrationEffort;
+    /** Source location */
+    location: FindingLocation;
+    /** How this was detected */
+    detectionMethod: DetectionMethod;
+    /** Confidence score 0.0-1.0 */
+    confidence: number;
+}
+export interface FindingLocation {
+    /** File path relative to scan root */
+    file: string;
+    /** Line number (1-indexed), if known */
+    line?: number;
+    /** Column number (1-indexed), if known */
+    column?: number;
+    /** The matched source text snippet */
+    snippet?: string;
+}
+/** A detection rule loaded from YAML */
+export interface DetectionRule {
+    /** Unique rule identifier */
+    id: string;
+    /** Human-readable description */
+    description: string;
+    /** Severity when matched */
+    severity: Severity;
+    /** Cryptographic category */
+    category: CryptoCategory;
+    /** Algorithm name for display */
+    algorithm: string;
+    /** Recommended replacement */
+    replacement: string | null;
+    /** Migration effort */
+    effort: MigrationEffort;
+    /** Languages this rule applies to (empty = all) */
+    languages: string[];
+    /** Regex patterns to match */
+    patterns: string[];
+}
+/** Scan configuration */
+export interface ScanConfig {
+    /** Root directory to scan */
+    target: string;
+    /** Output format */
+    format: "json" | "cbom" | "sarif" | "html" | "text";
+    /** Output file path (stdout if not set) */
+    output?: string;
+    /** File patterns to include */
+    include?: string[];
+    /** File patterns to exclude */
+    exclude?: string[];
+    /** Minimum severity to report */
+    minSeverity: Severity;
+    /** Scan dependencies */
+    scanDependencies: boolean;
+    /** Custom rules directory */
+    rulesDir?: string;
+}
+/** Scan result summary */
+export interface ScanResult {
+    /** Timestamp of scan */
+    timestamp: string;
+    /** Target that was scanned */
+    target: string;
+    /** All findings */
+    findings: Finding[];
+    /** Summary statistics */
+    summary: ScanSummary;
+}
+export interface ScanSummary {
+    filesScanned: number;
+    findingsTotal: number;
+    bySeverity: Record<Severity, number>;
+    byCategory: Record<CryptoCategory, number>;
+    pqcReady: boolean;
+}
+/** Severity ordering for comparisons */
+export declare const SEVERITY_ORDER: Record<Severity, number>;
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAC1C,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;AAEvE,0CAA0C;AAC1C,MAAM,MAAM,cAAc,GAAG,KAAK,GAAG,WAAW,GAAG,MAAM,GAAG,WAAW,GAAG,UAAU,GAAG,KAAK,CAAC;AAE7F,mCAAmC;AACnC,MAAM,MAAM,eAAe,GAAG,OAAO,GAAG,KAAK,GAAG,YAAY,GAAG,SAAS,CAAC;AAEzE,gCAAgC;AAChC,MAAM,MAAM,eAAe,GAAG,SAAS,GAAG,UAAU,GAAG,SAAS,GAAG,UAAU,CAAC;AAE9E,mDAAmD;AACnD,MAAM,WAAW,OAAO;IACtB,iDAAiD;IACjD,MAAM,EAAE,MAAM,CAAC;IACf,iCAAiC;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,8BAA8B;IAC9B,QAAQ,EAAE,QAAQ,CAAC;IACnB,6BAA6B;IAC7B,QAAQ,EAAE,cAAc,CAAC;IACzB,2CAA2C;IAC3C,SAAS,EAAE,MAAM,CAAC;IAClB,kCAAkC;IAClC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,gCAAgC;IAChC,MAAM,EAAE,eAAe,CAAC;IACxB,sBAAsB;IACtB,QAAQ,EAAE,eAAe,CAAC;IAC1B,4BAA4B;IAC5B,eAAe,EAAE,eAAe,CAAC;IACjC,+BAA+B;IAC/B,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,sCAAsC;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,wCAAwC;IACxC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,sCAAsC;IACtC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,wCAAwC;AACxC,MAAM,WAAW,aAAa;IAC5B,6BAA6B;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,iCAAiC;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,4BAA4B;IAC5B,QAAQ,EAAE,QAAQ,CAAC;IACnB,6BAA6B;IAC7B,QAAQ,EAAE,cAAc,CAAC;IACzB,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,8BAA8B;IAC9B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,uBAAuB;IACvB,MAAM,EAAE,eAAe,CAAC;IACxB,mDAAmD;IACnD,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,8BAA8B;IAC9B,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,yBAAyB;AACzB,MAAM,WAAW,UAAU;IACzB,6BAA6B;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,oBAAoB;IACpB,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,CAAC;IACpD,2CAA2C;IAC3C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,+BAA+B;IAC/B,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,+BAA+B;IAC/B,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,iCAAiC;IACjC,WAAW,EAAE,QAAQ,CAAC;IACtB,wBAAwB;IACxB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,6BAA6B;IAC7B,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,0BAA0B;AAC1B,MAAM,WAAW,UAAU;IACzB,wBAAwB;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,8BAA8B;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,mBAAmB;IACnB,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,yBAAyB;IACzB,OAAO,EAAE,WAAW,CAAC;CACtB;AAED,MAAM,WAAW,WAAW;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACrC,UAAU,EAAE,MAAM,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;IAC3C,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,wCAAwC;AACxC,eAAO,MAAM,cAAc,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAMnD,CAAC"}

package/dist/types.js ADDED Viewed

@@ -0,0 +1,9 @@
+/** Severity ordering for comparisons */
+export const SEVERITY_ORDER = {
+    critical: 0,
+    high: 1,
+    medium: 2,
+    low: 3,
+    safe: 4,
+};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AA6GA,wCAAwC;AACxC,MAAM,CAAC,MAAM,cAAc,GAA6B;IACtD,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;CACR,CAAC"}

package/package.json ADDED Viewed

@@ -0,0 +1,62 @@
+{
+  "name": "pqaudit",
+  "version": "0.1.0",
+  "description": "Post-quantum cryptography readiness scanner. Finds quantum-vulnerable cryptography in your codebase and generates CycloneDX CBOM.",
+  "type": "module",
+  "bin": {
+    "pqaudit": "./dist/cli.js"
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist",
+    "rules"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsx src/cli.ts",
+    "test": "vitest",
+    "test:run": "vitest run",
+    "lint": "eslint src/",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "pqc",
+    "post-quantum",
+    "cryptography",
+    "security",
+    "scanner",
+    "cbom",
+    "cyclonedx",
+    "quantum",
+    "audit",
+    "ml-kem",
+    "ml-dsa"
+  ],
+  "author": "PQCWorld",
+  "license": "MIT",
+  "homepage": "https://pqcworld.com",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/PQCWorld/pqaudit"
+  },
+  "bugs": {
+    "url": "https://github.com/PQCWorld/pqaudit/issues"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "dependencies": {
+    "glob": "^11.0.0",
+    "yaml": "^2.7.0",
+    "chalk": "^5.4.0",
+    "commander": "^13.1.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.13.0",
+    "eslint": "^9.20.0",
+    "tsx": "^4.19.0",
+    "typescript": "^5.7.0",
+    "vitest": "^3.0.0"
+  }
+}

package/rules/crypto-patterns.yaml ADDED Viewed

@@ -0,0 +1,350 @@
+# PQC Audit Detection Rules
+# Each rule defines a pattern to detect quantum-vulnerable (or safe) cryptography
+#
+# Severity levels:
+#   critical - Broken by Shor's algorithm (RSA, ECC, DH key exchange/signatures)
+#   high     - Weakened by Grover's algorithm (AES-128, small key sizes)
+#   medium   - Already weak classically (MD5, SHA-1, 3DES)
+#   low      - Safe but worth documenting for inventory
+#   safe     - Already quantum-resistant (ML-KEM, ML-DSA, AES-256, SHA-256)
+# =============================================================================
+# CRITICAL: Quantum-vulnerable asymmetric cryptography (Shor's algorithm)
+# =============================================================================
+- id: RSA_KEY_GEN
+  description: "RSA key generation — all RSA key sizes are vulnerable to Shor's algorithm"
+  severity: critical
+  category: kem
+  algorithm: RSA
+  replacement: ML-KEM-768 (FIPS 203) for encryption, ML-DSA-65 (FIPS 204) for signatures
+  effort: complex
+  languages: []
+  patterns:
+    - "rsa\\.GenerateKey"
+    - "RSA\\.generate"
+    - "rsa_generate_key"
+    - "generateKeyPair\\s*\\(.*['\"]RSA['\"]"
+    - "KeyPairGenerator\\.getInstance\\s*\\(.*['\"]RSA['\"]"
+    - "crypto\\.generateKeyPairSync\\s*\\(.*['\"]rsa['\"]"
+    - "new\\s+RSAKeyGenParameterSpec"
+    - "RSA_generate_key_ex"
+    - "openssl_pkey_new.*RSA"
+- id: RSA_ENCRYPT
+  description: "RSA encryption — vulnerable to quantum factoring"
+  severity: critical
+  category: kem
+  algorithm: RSA
+  replacement: ML-KEM-768 (FIPS 203)
+  effort: complex
+  languages: []
+  patterns:
+    - "RSA/ECB/"
+    - "RSA/NONE/"
+    - "RSAES-OAEP"
+    - "RSA_public_encrypt"
+    - "rsa\\.encrypt"
+    - "PKCS1_OAEP"
+    - "PKCS1_v1_5"
+    - "crypto\\.publicEncrypt"
+    - "crypto\\.privateDecrypt"
+- id: RSA_SIGN
+  description: "RSA signature — vulnerable to quantum factoring"
+  severity: critical
+  category: signature
+  algorithm: RSA
+  replacement: ML-DSA-65 (FIPS 204)
+  effort: complex
+  languages: []
+  patterns:
+    - "SHA256withRSA"
+    - "SHA384withRSA"
+    - "SHA512withRSA"
+    - "RS256"
+    - "RS384"
+    - "RS512"
+    - "PS256"
+    - "PS384"
+    - "PS512"
+    - "RSASSA-PSS"
+    - "RSA_sign"
+    - "rsa\\.sign"
+- id: ECDSA_USAGE
+  description: "ECDSA signatures — vulnerable to Shor's algorithm on elliptic curves"
+  severity: critical
+  category: signature
+  algorithm: ECDSA
+  replacement: ML-DSA-65 (FIPS 204)
+  effort: complex
+  languages: []
+  patterns:
+    - "ECDSA"
+    - "ES256"
+    - "ES384"
+    - "ES512"
+    - "SHA256withECDSA"
+    - "ec\\.sign"
+    - "ec\\.verify"
+    - "ECDSA_sign"
+    - "ECDSA_verify"
+    - "secp256k1"
+    - "secp256r1"
+    - "secp384r1"
+    - "prime256v1"
+    - "P-256"
+    - "P-384"
+    - "P-521"
+- id: ED25519_USAGE
+  description: "Ed25519 signatures — elliptic curve, vulnerable to Shor's algorithm"
+  severity: critical
+  category: signature
+  algorithm: Ed25519
+  replacement: ML-DSA-65 (FIPS 204) or hybrid Ed25519+ML-DSA-65
+  effort: moderate
+  languages: []
+  patterns:
+    - "ed25519"
+    - "Ed25519"
+    - "ED25519"
+    - "@noble/ed25519"
+    - "ed25519-dalek"
+    - "crypto\\.sign\\s*\\(.*ed25519"
+    - "nacl\\.sign"
+    - "tweetnacl.*sign"
+    - "sodium.*sign"
+    - "EdDSA"
+- id: ECDH_KEY_EXCHANGE
+  description: "ECDH key exchange — vulnerable to Shor's algorithm"
+  severity: critical
+  category: kem
+  algorithm: ECDH
+  replacement: ML-KEM-768 (FIPS 203) or hybrid X25519+ML-KEM-768
+  effort: complex
+  languages: []
+  patterns:
+    - "ECDH"
+    - "ecdh\\.computeSecret"
+    - "X25519"
+    - "x25519"
+    - "Curve25519"
+    - "curve25519"
+    - "createECDH"
+    - "diffieHellman"
+    - "DiffieHellman"
+    - "KeyAgreement.*EC"
+- id: DH_KEY_EXCHANGE
+  description: "Diffie-Hellman key exchange — vulnerable to Shor's algorithm"
+  severity: critical
+  category: kem
+  algorithm: DH
+  replacement: ML-KEM-768 (FIPS 203)
+  effort: complex
+  languages: []
+  patterns:
+    - "DiffieHellman"
+    - "createDiffieHellman"
+    - "DH_generate_key"
+    - "DHParameterSpec"
+    - "dh\\.generateKeys"
+    - "dh\\.computeSecret"
+- id: DSA_USAGE
+  description: "DSA signatures — vulnerable to Shor's algorithm"
+  severity: critical
+  category: signature
+  algorithm: DSA
+  replacement: ML-DSA-65 (FIPS 204)
+  effort: complex
+  languages: []
+  patterns:
+    - "DSA\\.generate"
+    - "KeyPairGenerator.*DSA"
+    - "SHA256withDSA"
+    - "DSA_generate_key"
+# =============================================================================
+# HIGH: Weakened by Grover's algorithm
+# =============================================================================
+- id: AES_128
+  description: "AES-128 — Grover's algorithm reduces effective security to 64 bits"
+  severity: high
+  category: symmetric
+  algorithm: AES-128
+  replacement: AES-256 (trivial upgrade — same API, different key size)
+  effort: trivial
+  languages: []
+  patterns:
+    - "AES-128"
+    - "aes-128"
+    - "AES/.*128"
+    - "createCipheriv\\s*\\(.*aes-128"
+    - "Cipher\\.getInstance.*AES.*128"
+# =============================================================================
+# MEDIUM: Already weak classically
+# =============================================================================
+- id: MD5_USAGE
+  description: "MD5 — broken classically, trivially broken by quantum"
+  severity: medium
+  category: hash
+  algorithm: MD5
+  replacement: SHA-256 or SHA-3
+  effort: trivial
+  languages: []
+  patterns:
+    - "md5"
+    - "MD5"
+    - "createHash\\s*\\(.*['\"]md5['\"]"
+    - "MessageDigest.*MD5"
+    - "hashlib\\.md5"
+- id: SHA1_USAGE
+  description: "SHA-1 — collision attacks known, should migrate regardless of quantum"
+  severity: medium
+  category: hash
+  algorithm: SHA-1
+  replacement: SHA-256 or SHA-3
+  effort: trivial
+  languages: []
+  patterns:
+    - "sha-?1(?!\\d)"
+    - "SHA-?1(?!\\d)"
+    - "createHash\\s*\\(.*['\"]sha1['\"]"
+    - "MessageDigest.*SHA.1"
+    - "hashlib\\.sha1"
+- id: DES_3DES
+  description: "DES/3DES — deprecated, 64-bit block size"
+  severity: medium
+  category: symmetric
+  algorithm: 3DES
+  replacement: AES-256
+  effort: moderate
+  languages: []
+  patterns:
+    - "DES"
+    - "3DES"
+    - "DESede"
+    - "TripleDES"
+    - "des-ede3"
+    - "des-cbc"
+# =============================================================================
+# SAFE: Already quantum-resistant (document for inventory)
+# =============================================================================
+- id: ML_KEM
+  description: "ML-KEM (Kyber) — NIST FIPS 203 post-quantum key encapsulation"
+  severity: safe
+  category: kem
+  algorithm: ML-KEM
+  replacement: null
+  effort: trivial
+  languages: []
+  patterns:
+    - "ml.kem"
+    - "ML-KEM"
+    - "ML_KEM"
+    - "mlKem"
+    - "kyber"
+    - "KYBER"
+    - "Kyber768"
+    - "Kyber1024"
+    - "@noble/post-quantum.*kem"
+- id: ML_DSA
+  description: "ML-DSA (Dilithium) — NIST FIPS 204 post-quantum signatures"
+  severity: safe
+  category: signature
+  algorithm: ML-DSA
+  replacement: null
+  effort: trivial
+  languages: []
+  patterns:
+    - "ml.dsa"
+    - "ML-DSA"
+    - "ML_DSA"
+    - "mlDsa"
+    - "dilithium"
+    - "DILITHIUM"
+    - "Dilithium"
+    - "@noble/post-quantum.*dsa"
+- id: SLH_DSA
+  description: "SLH-DSA (SPHINCS+) — NIST FIPS 205 hash-based post-quantum signatures"
+  severity: safe
+  category: signature
+  algorithm: SLH-DSA
+  replacement: null
+  effort: trivial
+  languages: []
+  patterns:
+    - "slh.dsa"
+    - "SLH-DSA"
+    - "SLH_DSA"
+    - "sphincs"
+    - "SPHINCS"
+- id: AES_256
+  description: "AES-256 — 128-bit post-quantum security, sufficient"
+  severity: safe
+  category: symmetric
+  algorithm: AES-256
+  replacement: null
+  effort: trivial
+  languages: []
+  patterns:
+    - "AES-256"
+    - "aes-256"
+    - "aes-256-gcm"
+    - "aes-256-cbc"
+- id: CHACHA20
+  description: "ChaCha20-Poly1305 — symmetric AEAD, quantum-resistant"
+  severity: safe
+  category: symmetric
+  algorithm: ChaCha20-Poly1305
+  replacement: null
+  effort: trivial
+  languages: []
+  patterns:
+    - "chacha20"
+    - "ChaCha20"
+    - "CHACHA20"
+    - "chacha20-poly1305"
+    - "xchacha20"
+- id: SHA256_SAFE
+  description: "SHA-256 — quantum-resistant hash (Grover reduces to 128-bit, still safe)"
+  severity: safe
+  category: hash
+  algorithm: SHA-256
+  replacement: null
+  effort: trivial
+  languages: []
+  patterns:
+    - "sha-?256"
+    - "SHA-?256"
+    - "createHash\\s*\\(.*['\"]sha256['\"]"
+- id: SHA3_SAFE
+  description: "SHA-3 — quantum-resistant hash"
+  severity: safe
+  category: hash
+  algorithm: SHA-3
+  replacement: null
+  effort: trivial
+  languages: []
+  patterns:
+    - "sha-?3"
+    - "SHA-?3"
+    - "keccak"
+    - "KECCAK"