secure-scan 1.2.2

package/dist/analyzers/javascript/javascriptAnalyzer.js

@@ -0,0 +1,860 @@
+"use strict";
+/**
+ * JavaScript/TypeScript Security Analyzer v2.0
+ * Advanced SAST analyzer with AST-based detection, taint analysis, and malware detection
+ *
+ * Features:
+ * - AST-based vulnerability detection (Babel Parser)
+ * - Taint analysis (source-to-sink tracking)
+ * - Malware detection (cryptominers, stealers, backdoors, etc.)
+ * - Package.json security analysis
+ * - OWASP/CWE compliance
+ *
+ * @version 2.0.0
+ * @author Secure-Scan Team
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JavaScriptAnalyzer = void 0;
+const base_1 = require("../base");
+const types_1 = require("../../types");
+const utils_1 = require("../../utils");
+const standards_1 = require("../../rules/standards");
+const logger_1 = require("../../utils/logger");
+// Import specialized modules
+const taintAnalyzer_1 = require("./taintAnalyzer");
+const astUtils_1 = require("./astUtils");
+const malwareDetector_1 = require("./malwareDetector");
+const packageJsonAnalyzer_1 = require("./packageJsonAnalyzer");
+/**
+ * Default analyzer options
+ */
+const DEFAULT_OPTIONS = {
+    enableAST: true,
+    enableTaintAnalysis: true,
+    enableMalwareDetection: true,
+    enablePackageAnalysis: true,
+    maxFileSize: 5 * 1024 * 1024, // 5MB
+    fileTimeout: 30000, // 30 seconds
+    minConfidence: 50
+};
+/**
+ * Vulnerability patterns database (regex fallback)
+ */
+const VULNERABILITY_PATTERNS = [
+    // === CODE EXECUTION ===
+    {
+        id: 'JS-EXEC-001',
+        name: 'eval() Usage',
+        pattern: /\beval\s*\(\s*(?!['"`])/g,
+        severity: types_1.Severity.CRITICAL,
+        threatType: types_1.ThreatType.COMMAND_INJECTION,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'Use of eval() with dynamic content can lead to code injection.',
+        remediation: 'Avoid eval(). Use JSON.parse() for JSON data or safer alternatives.',
+        confidence: 85,
+        tags: ['injection', 'rce', 'owasp-a03']
+    },
+    {
+        id: 'JS-EXEC-002',
+        name: 'Function Constructor',
+        pattern: /\bnew\s+Function\s*\(/g,
+        severity: types_1.Severity.CRITICAL,
+        threatType: types_1.ThreatType.COMMAND_INJECTION,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'new Function() is equivalent to eval() and can execute arbitrary code.',
+        remediation: 'Use predefined functions instead of dynamically creating them.',
+        confidence: 85,
+        tags: ['injection', 'rce', 'owasp-a03']
+    },
+    {
+        id: 'JS-EXEC-003',
+        name: 'setTimeout/setInterval with String',
+        pattern: /\bset(?:Timeout|Interval)\s*\(\s*['"`][^'"`]+['"`]/g,
+        severity: types_1.Severity.HIGH,
+        threatType: types_1.ThreatType.COMMAND_INJECTION,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'setTimeout/setInterval with string argument acts like eval().',
+        remediation: 'Pass a function reference instead of a string.',
+        confidence: 80,
+        tags: ['injection', 'owasp-a03']
+    },
+    // === COMMAND INJECTION ===
+    {
+        id: 'JS-CMD-001',
+        name: 'child_process exec()',
+        pattern: /(?:child_process\.)?exec\s*\(\s*(?!['"`])/g,
+        severity: types_1.Severity.CRITICAL,
+        threatType: types_1.ThreatType.COMMAND_INJECTION,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'exec() with dynamic command string is vulnerable to command injection.',
+        remediation: 'Use execFile() with argument array instead of exec().',
+        confidence: 80,
+        tags: ['injection', 'rce', 'owasp-a03']
+    },
+    {
+        id: 'JS-CMD-002',
+        name: 'spawn with shell: true',
+        pattern: /spawn\s*\([^)]*shell\s*:\s*true/g,
+        severity: types_1.Severity.HIGH,
+        threatType: types_1.ThreatType.COMMAND_INJECTION,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'spawn() with shell option is vulnerable to command injection.',
+        remediation: 'Remove shell: true and pass arguments as an array.',
+        confidence: 85,
+        tags: ['injection', 'rce', 'owasp-a03']
+    },
+    // === XSS VULNERABILITIES ===
+    {
+        id: 'JS-XSS-001',
+        name: 'innerHTML Assignment',
+        pattern: /\.innerHTML\s*=\s*(?!['"`]<)/g,
+        severity: types_1.Severity.HIGH,
+        threatType: types_1.ThreatType.XSS,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'Direct innerHTML assignment with dynamic content enables XSS.',
+        remediation: 'Use textContent for text, or sanitize with DOMPurify.',
+        confidence: 75,
+        tags: ['xss', 'dom', 'owasp-a03']
+    },
+    {
+        id: 'JS-XSS-002',
+        name: 'document.write()',
+        pattern: /document\.write(?:ln)?\s*\(/g,
+        severity: types_1.Severity.HIGH,
+        threatType: types_1.ThreatType.XSS,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'document.write() with dynamic content is vulnerable to XSS.',
+        remediation: 'Use DOM manipulation methods like createElement() and textContent.',
+        confidence: 80,
+        tags: ['xss', 'dom', 'owasp-a03']
+    },
+    {
+        id: 'JS-XSS-003',
+        name: 'insertAdjacentHTML()',
+        pattern: /\.insertAdjacentHTML\s*\(/g,
+        severity: types_1.Severity.HIGH,
+        threatType: types_1.ThreatType.XSS,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'insertAdjacentHTML() with unsanitized content enables XSS.',
+        remediation: 'Sanitize HTML content with DOMPurify before insertion.',
+        confidence: 75,
+        tags: ['xss', 'dom', 'owasp-a03']
+    },
+    {
+        id: 'JS-XSS-004',
+        name: 'jQuery .html()',
+        pattern: /\$\([^)]+\)\.html\s*\(\s*(?!['"`]<)/g,
+        severity: types_1.Severity.HIGH,
+        threatType: types_1.ThreatType.XSS,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'jQuery .html() with dynamic content is vulnerable to XSS.',
+        remediation: 'Use .text() for text content or sanitize before .html().',
+        confidence: 70,
+        tags: ['xss', 'jquery', 'owasp-a03']
+    },
+    // === PROTOTYPE POLLUTION ===
+    {
+        id: 'JS-PP-001',
+        name: '__proto__ Access',
+        pattern: /\[['"`]?__proto__['"`]?\]|\.__proto__\b/g,
+        severity: types_1.Severity.HIGH,
+        threatType: types_1.ThreatType.DANGEROUS_FUNCTION,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'Direct __proto__ access can lead to prototype pollution.',
+        remediation: 'Use Object.create(null) for safe objects or validate keys.',
+        confidence: 85,
+        tags: ['prototype-pollution', 'owasp-a03']
+    },
+    {
+        id: 'JS-PP-002',
+        name: 'Object.prototype Modification',
+        pattern: /Object\.prototype\s*\.\s*\w+\s*=/g,
+        severity: types_1.Severity.HIGH,
+        threatType: types_1.ThreatType.DANGEROUS_FUNCTION,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'Modifying Object.prototype affects all objects.',
+        remediation: 'Avoid modifying built-in prototypes.',
+        confidence: 90,
+        tags: ['prototype-pollution', 'owasp-a03']
+    },
+    {
+        id: 'JS-PP-003',
+        name: 'constructor.prototype Access',
+        pattern: /constructor\s*\.\s*prototype/g,
+        severity: types_1.Severity.MEDIUM,
+        threatType: types_1.ThreatType.DANGEROUS_FUNCTION,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'Accessing constructor.prototype may indicate prototype pollution.',
+        remediation: 'Validate and sanitize any dynamic property access.',
+        confidence: 70,
+        tags: ['prototype-pollution', 'owasp-a03']
+    },
+    // === INSECURE RANDOMNESS ===
+    {
+        id: 'JS-RAND-001',
+        name: 'Math.random() for Security',
+        pattern: /(?:token|secret|key|password|salt|nonce|iv)\s*[=:]\s*[^;{]*Math\.random/gi,
+        severity: types_1.Severity.HIGH,
+        threatType: types_1.ThreatType.WEAK_RANDOM,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'Math.random() is not cryptographically secure.',
+        remediation: 'Use crypto.randomBytes() or crypto.getRandomValues().',
+        confidence: 80,
+        tags: ['crypto', 'random', 'owasp-a02']
+    },
+    // === HARDCODED CREDENTIALS ===
+    {
+        id: 'JS-CRED-001',
+        name: 'Hardcoded Password',
+        pattern: /(?:password|passwd|pwd)\s*[=:]\s*['"`][^'"`]{6,}['"`]/gi,
+        severity: types_1.Severity.HIGH,
+        threatType: types_1.ThreatType.HARDCODED_CREDENTIALS,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'Hardcoded password detected in source code.',
+        remediation: 'Use environment variables or a secrets manager.',
+        confidence: 75,
+        tags: ['credentials', 'secrets', 'owasp-a07']
+    },
+    {
+        id: 'JS-CRED-002',
+        name: 'Hardcoded API Key',
+        pattern: /(?:api[_-]?key|apikey)\s*[=:]\s*['"`][a-zA-Z0-9_-]{20,}['"`]/gi,
+        severity: types_1.Severity.HIGH,
+        threatType: types_1.ThreatType.HARDCODED_CREDENTIALS,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'Hardcoded API key detected in source code.',
+        remediation: 'Use environment variables or a secrets manager.',
+        confidence: 80,
+        tags: ['credentials', 'secrets', 'owasp-a07']
+    },
+    {
+        id: 'JS-CRED-003',
+        name: 'Hardcoded Secret/Token',
+        pattern: /(?:secret|token|auth)\s*[=:]\s*['"`][a-zA-Z0-9_-]{20,}['"`]/gi,
+        severity: types_1.Severity.HIGH,
+        threatType: types_1.ThreatType.HARDCODED_CREDENTIALS,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'Hardcoded secret or token detected in source code.',
+        remediation: 'Use environment variables or a secrets manager.',
+        confidence: 75,
+        tags: ['credentials', 'secrets', 'owasp-a07']
+    },
+    // === INSECURE CRYPTO ===
+    {
+        id: 'JS-CRYPTO-001',
+        name: 'MD5 Usage',
+        pattern: /(?:createHash|crypto)\s*\(\s*['"`]md5['"`]\s*\)/gi,
+        severity: types_1.Severity.MEDIUM,
+        threatType: types_1.ThreatType.INSECURE_CRYPTO,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'MD5 is cryptographically broken and should not be used.',
+        remediation: 'Use SHA-256 or stronger for hashing.',
+        confidence: 90,
+        tags: ['crypto', 'hash', 'owasp-a02']
+    },
+    {
+        id: 'JS-CRYPTO-002',
+        name: 'SHA1 Usage',
+        pattern: /(?:createHash|crypto)\s*\(\s*['"`]sha1['"`]\s*\)/gi,
+        severity: types_1.Severity.MEDIUM,
+        threatType: types_1.ThreatType.INSECURE_CRYPTO,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'SHA-1 is deprecated for cryptographic use.',
+        remediation: 'Use SHA-256 or stronger for hashing.',
+        confidence: 85,
+        tags: ['crypto', 'hash', 'owasp-a02']
+    },
+    {
+        id: 'JS-CRYPTO-003',
+        name: 'DES/3DES Usage',
+        pattern: /(?:createCipher|createDecipher)\s*\(\s*['"`](?:des|3des|des-ede3)['"`]/gi,
+        severity: types_1.Severity.HIGH,
+        threatType: types_1.ThreatType.INSECURE_CRYPTO,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'DES and 3DES are deprecated encryption algorithms.',
+        remediation: 'Use AES-256-GCM for encryption.',
+        confidence: 90,
+        tags: ['crypto', 'encryption', 'owasp-a02']
+    },
+    // === PATH TRAVERSAL ===
+    {
+        id: 'JS-PATH-001',
+        name: 'Path Traversal in File Read',
+        pattern: /(?:readFile|readFileSync|createReadStream)\s*\([^)]*(?:req\.(?:body|query|params)|process\.argv)/gi,
+        severity: types_1.Severity.HIGH,
+        threatType: types_1.ThreatType.PATH_TRAVERSAL,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'File read with user-controlled path enables path traversal.',
+        remediation: 'Validate paths with path.resolve() and check against base directory.',
+        confidence: 80,
+        tags: ['path-traversal', 'file', 'owasp-a01']
+    },
+    // === SQL INJECTION ===
+    {
+        id: 'JS-SQL-001',
+        name: 'SQL Query Concatenation',
+        pattern: /\.query\s*\(\s*['"`](?:SELECT|INSERT|UPDATE|DELETE)[^'"]*\+/gi,
+        severity: types_1.Severity.CRITICAL,
+        threatType: types_1.ThreatType.SQL_INJECTION,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'SQL query with string concatenation is vulnerable to injection.',
+        remediation: 'Use parameterized queries or prepared statements.',
+        confidence: 85,
+        tags: ['sqli', 'injection', 'owasp-a03']
+    },
+    {
+        id: 'JS-SQL-002',
+        name: 'SQL Template Literal',
+        pattern: /\.query\s*\(\s*`(?:SELECT|INSERT|UPDATE|DELETE)[^`]*\$\{/gi,
+        severity: types_1.Severity.CRITICAL,
+        threatType: types_1.ThreatType.SQL_INJECTION,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'SQL query with template literal interpolation is vulnerable.',
+        remediation: 'Use parameterized queries or prepared statements.',
+        confidence: 85,
+        tags: ['sqli', 'injection', 'owasp-a03']
+    },
+    // === SSRF ===
+    {
+        id: 'JS-SSRF-001',
+        name: 'SSRF in fetch()',
+        pattern: /fetch\s*\(\s*(?:req\.(?:body|query|params)|`[^`]*\$\{)/gi,
+        severity: types_1.Severity.HIGH,
+        threatType: types_1.ThreatType.SECURITY_MISCONFIGURATION,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'fetch() with user-controlled URL enables SSRF attacks.',
+        remediation: 'Validate and whitelist URLs before making requests.',
+        confidence: 75,
+        tags: ['ssrf', 'owasp-a10']
+    },
+    // === INSECURE CONFIGURATION ===
+    {
+        id: 'JS-CONFIG-001',
+        name: 'CORS Wildcard',
+        pattern: /(?:cors|Access-Control-Allow-Origin)\s*[=:]\s*['"*]/gi,
+        severity: types_1.Severity.MEDIUM,
+        threatType: types_1.ThreatType.SECURITY_MISCONFIGURATION,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'CORS with wildcard origin allows any domain to access the API.',
+        remediation: 'Specify allowed origins explicitly.',
+        confidence: 80,
+        tags: ['cors', 'config', 'owasp-a05']
+    },
+    {
+        id: 'JS-CONFIG-002',
+        name: 'Disabled CSRF Protection',
+        pattern: /csrf\s*:\s*false|csrfProtection\s*=\s*false/gi,
+        severity: types_1.Severity.HIGH,
+        threatType: types_1.ThreatType.CSRF,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'CSRF protection is explicitly disabled.',
+        remediation: 'Enable CSRF protection for state-changing operations.',
+        confidence: 90,
+        tags: ['csrf', 'config', 'owasp-a05']
+    },
+    {
+        id: 'JS-CONFIG-003',
+        name: 'Insecure Cookie Settings',
+        pattern: /(?:secure|httpOnly)\s*:\s*false/gi,
+        severity: types_1.Severity.MEDIUM,
+        threatType: types_1.ThreatType.SECURITY_MISCONFIGURATION,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'Cookie security flags are explicitly disabled.',
+        remediation: 'Set secure: true and httpOnly: true for session cookies.',
+        confidence: 85,
+        tags: ['cookie', 'config', 'owasp-a05']
+    },
+    // === POSTMESSAGE VULNERABILITIES ===
+    {
+        id: 'JS-PM-001',
+        name: 'postMessage Wildcard Origin',
+        pattern: /postMessage\s*\([^)]+,\s*['"]\*['"]\s*\)/g,
+        severity: types_1.Severity.MEDIUM,
+        threatType: types_1.ThreatType.SECURITY_MISCONFIGURATION,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'postMessage with "*" origin can leak data to any origin.',
+        remediation: 'Specify the target origin explicitly.',
+        confidence: 90,
+        tags: ['postmessage', 'origin', 'owasp-a05']
+    },
+    {
+        id: 'JS-PM-002',
+        name: 'Missing Origin Check',
+        pattern: /addEventListener\s*\(\s*['"`]message['"`][^}]*(?:eval|innerHTML|document\.write)/g,
+        severity: types_1.Severity.HIGH,
+        threatType: types_1.ThreatType.XSS,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'Message event handler without origin check enables XSS.',
+        remediation: 'Always validate event.origin before processing messages.',
+        confidence: 75,
+        tags: ['postmessage', 'xss', 'owasp-a03']
+    },
+    // === DANGEROUS PATTERNS ===
+    {
+        id: 'JS-DANGER-001',
+        name: 'debugger Statement',
+        pattern: /\bdebugger\s*;/g,
+        severity: types_1.Severity.LOW,
+        threatType: types_1.ThreatType.SECURITY_MISCONFIGURATION,
+        category: types_1.FindingCategory.CODE_SMELL,
+        description: 'debugger statement should be removed in production.',
+        remediation: 'Remove debugger statements before deployment.',
+        confidence: 100,
+        tags: ['debug', 'cleanup']
+    },
+    {
+        id: 'JS-DANGER-002',
+        name: 'console.log in Production',
+        pattern: /console\.(?:log|debug|trace)\s*\([^)]*(?:password|secret|token|key)/gi,
+        severity: types_1.Severity.MEDIUM,
+        threatType: types_1.ThreatType.INFORMATION_DISCLOSURE,
+        category: types_1.FindingCategory.VULNERABILITY,
+        description: 'Logging sensitive data may expose credentials.',
+        remediation: 'Remove or redact sensitive data from logs.',
+        confidence: 70,
+        tags: ['logging', 'secrets', 'owasp-a09']
+    }
+];
+/**
+ * JavaScript/TypeScript Analyzer Class v2.0
+ */
+class JavaScriptAnalyzer extends base_1.BaseAnalyzer {
+    name = 'JavaScript Analyzer';
+    languages = ['javascript', 'typescript'];
+    version = '2.0.0';
+    // Specialized analyzers
+    taintAnalyzer;
+    astUtils;
+    malwareDetector;
+    packageJsonAnalyzer;
+    // Configuration
+    options;
+    constructor(options = {}) {
+        super();
+        this.options = { ...DEFAULT_OPTIONS, ...options };
+        // Initialize specialized analyzers
+        this.taintAnalyzer = new taintAnalyzer_1.TaintAnalyzer();
+        this.astUtils = new astUtils_1.ASTUtils();
+        this.malwareDetector = new malwareDetector_1.MalwareDetector();
+        this.packageJsonAnalyzer = new packageJsonAnalyzer_1.PackageJsonAnalyzer();
+    }
+    /**
+     * Initialize the analyzer
+     */
+    async initialize() {
+        await super.initialize();
+        logger_1.logger.debug('JavaScript Analyzer v2.0 initialized with AST, Taint, and Malware detection');
+    }
+    /**
+     * Main analysis entry point
+     */
+    async analyze(file, rules) {
+        const findings = [];
+        const startTime = Date.now();
+        try {
+            // Skip files that are too large
+            if (file.size > this.options.maxFileSize) {
+                logger_1.logger.warn(`Skipping ${file.relativePath}: file too large (${file.size} bytes)`);
+                return findings;
+            }
+            // Filter rules for JS/TS
+            const jsRules = rules.filter(r => r.languages.includes('javascript') || r.languages.includes('typescript'));
+            // Run rule engine (inherited from BaseAnalyzer)
+            const ruleFindings = await this.ruleEngine.analyzeFile(file, jsRules);
+            findings.push(...ruleFindings);
+            // Special handling for package.json
+            if (file.relativePath.endsWith('package.json')) {
+                const pkgFindings = await this.analyzePackageJson(file);
+                findings.push(...pkgFindings);
+                return this.filterByConfidence(findings);
+            }
+            // Run parallel analysis for code files
+            const analysisPromises = [];
+            // 1. Pattern-based vulnerability detection (fast, always run)
+            analysisPromises.push(this.runPatternAnalysis(file));
+            // 2. AST-based analysis (accurate, optional)
+            if (this.options.enableAST) {
+                analysisPromises.push(this.runASTAnalysis(file));
+            }
+            // 3. Taint analysis (complex, optional)
+            if (this.options.enableTaintAnalysis) {
+                analysisPromises.push(this.runTaintAnalysis(file));
+            }
+            // 4. Malware detection (comprehensive, optional)
+            if (this.options.enableMalwareDetection) {
+                analysisPromises.push(this.runMalwareAnalysis(file));
+            }
+            // 5. Obfuscation detection
+            analysisPromises.push(this.checkObfuscation(file));
+            // Wait for all analyses with timeout
+            const results = await Promise.race([
+                Promise.all(analysisPromises),
+                this.timeout(this.options.fileTimeout)
+            ]);
+            // Flatten results
+            for (const result of results) {
+                findings.push(...result);
+            }
+            // Deduplicate findings
+            const deduped = this.deduplicateFindings(findings);
+            // Filter by confidence
+            const filtered = this.filterByConfidence(deduped);
+            const elapsed = Date.now() - startTime;
+            logger_1.logger.debug(`Analyzed ${file.relativePath} in ${elapsed}ms, found ${filtered.length} issues`);
+            return filtered;
+        }
+        catch (error) {
+            logger_1.logger.error(`Error analyzing ${file.relativePath}:`, error);
+            return findings;
+        }
+    }
+    /**
+     * Run pattern-based vulnerability detection
+     */
+    async runPatternAnalysis(file) {
+        const findings = [];
+        for (const vuln of VULNERABILITY_PATTERNS) {
+            // Reset regex state
+            vuln.pattern.lastIndex = 0;
+            let match;
+            while ((match = vuln.pattern.exec(file.content)) !== null) {
+                // Find line number
+                const beforeMatch = file.content.substring(0, match.index);
+                const lineNum = beforeMatch.split('\n').length;
+                const context = (0, utils_1.extractCodeContext)(file.content, lineNum, 2);
+                findings.push({
+                    id: (0, utils_1.generateId)(),
+                    title: vuln.name,
+                    description: vuln.description,
+                    severity: vuln.severity,
+                    threatType: vuln.threatType,
+                    category: vuln.category,
+                    location: {
+                        file: file.relativePath,
+                        startLine: lineNum,
+                        endLine: lineNum
+                    },
+                    snippet: {
+                        code: context.code,
+                        contextBefore: context.contextBefore,
+                        contextAfter: context.contextAfter
+                    },
+                    standards: (0, standards_1.getStandardsForThreat)(vuln.threatType),
+                    remediation: vuln.remediation,
+                    confidence: vuln.confidence,
+                    analyzer: this.name,
+                    timestamp: new Date(),
+                    tags: vuln.tags
+                });
+            }
+        }
+        return findings;
+    }
+    /**
+     * Run AST-based analysis
+     */
+    async runASTAnalysis(file) {
+        const findings = [];
+        try {
+            // Parse the file
+            const ast = this.astUtils.safeParse(file.content, file.relativePath);
+            if (!ast) {
+                logger_1.logger.debug(`Could not parse ${file.relativePath} for AST analysis`);
+                return findings;
+            }
+            // Find dangerous calls
+            const dangerousCalls = this.astUtils.findDangerousCalls(file.relativePath);
+            for (const call of dangerousCalls) {
+                findings.push(this.dangerousCallToFinding(call, file));
+            }
+            // Find hardcoded secrets
+            const secrets = this.astUtils.findHardcodedSecrets();
+            for (const secret of secrets) {
+                findings.push(this.dangerousCallToFinding(secret, file));
+            }
+            // Find dangerous regex patterns
+            const regexIssues = this.astUtils.findDangerousRegex();
+            for (const regex of regexIssues) {
+                findings.push(this.dangerousCallToFinding(regex, file));
+            }
+        }
+        catch (error) {
+            logger_1.logger.debug(`AST analysis failed for ${file.relativePath}:`, error);
+        }
+        return findings;
+    }
+    /**
+     * Run taint analysis
+     */
+    async runTaintAnalysis(file) {
+        const findings = [];
+        try {
+            const flows = this.taintAnalyzer.analyze(file.content, file.relativePath);
+            for (const flow of flows) {
+                findings.push(this.taintFlowToFinding(flow, file));
+            }
+        }
+        catch (error) {
+            logger_1.logger.debug(`Taint analysis failed for ${file.relativePath}:`, error);
+        }
+        return findings;
+    }
+    /**
+     * Run malware detection
+     */
+    async runMalwareAnalysis(file) {
+        const findings = [];
+        try {
+            const matches = this.malwareDetector.scan(file.content, file.relativePath);
+            for (const match of matches) {
+                findings.push(this.malwareMatchToFinding(match, file));
+            }
+        }
+        catch (error) {
+            logger_1.logger.debug(`Malware analysis failed for ${file.relativePath}:`, error);
+        }
+        return findings;
+    }
+    /**
+     * Analyze package.json for security issues
+     */
+    async analyzePackageJson(file) {
+        const findings = [];
+        if (!this.options.enablePackageAnalysis) {
+            return findings;
+        }
+        try {
+            const pkgFindings = this.packageJsonAnalyzer.analyze(file.content, file.relativePath);
+            for (const finding of pkgFindings) {
+                findings.push(this.packageFindingToFinding(finding, file));
+            }
+        }
+        catch (error) {
+            logger_1.logger.debug(`Package.json analysis failed for ${file.relativePath}:`, error);
+        }
+        return findings;
+    }
+    /**
+     * Check for obfuscated code
+     */
+    async checkObfuscation(file) {
+        const findings = [];
+        if ((0, utils_1.looksObfuscated)(file.content)) {
+            const entropy = (0, utils_1.calculateEntropy)(file.content);
+            findings.push({
+                id: (0, utils_1.generateId)(),
+                title: 'Heavily Obfuscated Code',
+                description: `This file contains heavily obfuscated code (entropy: ${entropy.toFixed(2)}). This is unusual for legitimate code and may hide malicious functionality.`,
+                severity: types_1.Severity.HIGH,
+                threatType: types_1.ThreatType.OBFUSCATED_CODE,
+                category: types_1.FindingCategory.MALWARE,
+                location: {
+                    file: file.relativePath,
+                    startLine: 1,
+                    endLine: Math.min(10, file.lineCount)
+                },
+                snippet: {
+                    code: file.content.substring(0, 200) + '...'
+                },
+                standards: (0, standards_1.getStandardsForThreat)(types_1.ThreatType.OBFUSCATED_CODE),
+                remediation: 'Deobfuscate and review the code. If this is a third-party library, verify its source and integrity.',
+                confidence: 75,
+                analyzer: this.name,
+                timestamp: new Date(),
+                tags: ['obfuscation', 'suspicious']
+            });
+        }
+        return findings;
+    }
+    /**
+     * Convert DangerousCall to Finding
+     */
+    dangerousCallToFinding(call, file) {
+        const threatTypeMap = {
+            [astUtils_1.DangerousPatternType.CODE_EXECUTION]: types_1.ThreatType.COMMAND_INJECTION,
+            [astUtils_1.DangerousPatternType.COMMAND_INJECTION]: types_1.ThreatType.COMMAND_INJECTION,
+            [astUtils_1.DangerousPatternType.PROTOTYPE_POLLUTION]: types_1.ThreatType.DANGEROUS_FUNCTION,
+            [astUtils_1.DangerousPatternType.XSS_SINK]: types_1.ThreatType.XSS,
+            [astUtils_1.DangerousPatternType.DYNAMIC_REQUIRE]: types_1.ThreatType.DANGEROUS_FUNCTION,
+            [astUtils_1.DangerousPatternType.INSECURE_RANDOM]: types_1.ThreatType.WEAK_RANDOM,
+            [astUtils_1.DangerousPatternType.HARDCODED_SECRET]: types_1.ThreatType.HARDCODED_CREDENTIALS,
+            [astUtils_1.DangerousPatternType.DANGEROUS_REGEX]: types_1.ThreatType.DANGEROUS_FUNCTION,
+            [astUtils_1.DangerousPatternType.UNSAFE_ASSIGNMENT]: types_1.ThreatType.DANGEROUS_FUNCTION,
+            [astUtils_1.DangerousPatternType.NETWORK_REQUEST]: types_1.ThreatType.SUSPICIOUS_NETWORK,
+            [astUtils_1.DangerousPatternType.FILE_OPERATION]: types_1.ThreatType.PATH_TRAVERSAL,
+            [astUtils_1.DangerousPatternType.CRYPTO_WEAKNESS]: types_1.ThreatType.INSECURE_CRYPTO
+        };
+        const severityMap = {
+            [astUtils_1.DangerousPatternType.CODE_EXECUTION]: types_1.Severity.CRITICAL,
+            [astUtils_1.DangerousPatternType.COMMAND_INJECTION]: types_1.Severity.CRITICAL,
+            [astUtils_1.DangerousPatternType.PROTOTYPE_POLLUTION]: types_1.Severity.HIGH,
+            [astUtils_1.DangerousPatternType.XSS_SINK]: types_1.Severity.HIGH,
+            [astUtils_1.DangerousPatternType.DYNAMIC_REQUIRE]: types_1.Severity.MEDIUM,
+            [astUtils_1.DangerousPatternType.INSECURE_RANDOM]: types_1.Severity.MEDIUM,
+            [astUtils_1.DangerousPatternType.HARDCODED_SECRET]: types_1.Severity.HIGH,
+            [astUtils_1.DangerousPatternType.DANGEROUS_REGEX]: types_1.Severity.MEDIUM,
+            [astUtils_1.DangerousPatternType.UNSAFE_ASSIGNMENT]: types_1.Severity.MEDIUM,
+            [astUtils_1.DangerousPatternType.NETWORK_REQUEST]: types_1.Severity.MEDIUM,
+            [astUtils_1.DangerousPatternType.FILE_OPERATION]: types_1.Severity.MEDIUM,
+            [astUtils_1.DangerousPatternType.CRYPTO_WEAKNESS]: types_1.Severity.MEDIUM
+        };
+        const context = (0, utils_1.extractCodeContext)(file.content, call.location.startLine, 2);
+        return {
+            id: (0, utils_1.generateId)(),
+            title: `AST: ${call.name}`,
+            description: call.context || `Dangerous ${call.patternType.replace(/_/g, ' ')} detected via AST analysis`,
+            severity: severityMap[call.patternType] || types_1.Severity.MEDIUM,
+            threatType: threatTypeMap[call.patternType] || types_1.ThreatType.DANGEROUS_FUNCTION,
+            category: types_1.FindingCategory.VULNERABILITY,
+            location: {
+                file: file.relativePath,
+                startLine: call.location.startLine,
+                endLine: call.location.endLine,
+                startColumn: call.location.startColumn,
+                endColumn: call.location.endColumn
+            },
+            snippet: {
+                code: call.code,
+                contextBefore: context.contextBefore,
+                contextAfter: context.contextAfter
+            },
+            standards: (0, standards_1.getStandardsForThreat)(threatTypeMap[call.patternType] || types_1.ThreatType.DANGEROUS_FUNCTION),
+            remediation: 'Review and fix the identified security issue.',
+            confidence: 85,
+            analyzer: `${this.name} (AST)`,
+            timestamp: new Date(),
+            tags: ['ast', call.patternType]
+        };
+    }
+    /**
+     * Convert TaintFlow to Finding
+     */
+    taintFlowToFinding(flow, file) {
+        const sourceDesc = taintAnalyzer_1.TaintAnalyzer.getSourceDescription(flow.source.type);
+        const sinkInfo = taintAnalyzer_1.TaintAnalyzer.getSinkInfo(flow.sink.type);
+        const context = (0, utils_1.extractCodeContext)(file.content, flow.sink.line, 2);
+        // Build detailed description with flow path
+        let description = `Tainted data from ${sourceDesc} flows to ${flow.sink.type} sink.`;
+        if (flow.propagation.length > 0) {
+            description += ` The data passes through ${flow.propagation.length} intermediate assignments.`;
+        }
+        return {
+            id: (0, utils_1.generateId)(),
+            title: `Taint Flow: ${flow.source.type} → ${flow.sink.type}`,
+            description,
+            severity: flow.sink.severity,
+            threatType: flow.sink.threatType,
+            category: types_1.FindingCategory.VULNERABILITY,
+            location: {
+                file: file.relativePath,
+                startLine: flow.sink.line,
+                endLine: flow.sink.line
+            },
+            snippet: {
+                code: flow.sink.code,
+                contextBefore: context.contextBefore,
+                contextAfter: context.contextAfter
+            },
+            standards: (0, standards_1.getStandardsForThreat)(flow.sink.threatType),
+            remediation: sinkInfo?.remediation || 'Validate and sanitize all user input before use.',
+            confidence: flow.confidence,
+            analyzer: `${this.name} (Taint)`,
+            timestamp: new Date(),
+            tags: ['taint-analysis', flow.source.type, flow.sink.type]
+        };
+    }
+    /**
+     * Convert MalwareMatch to Finding
+     */
+    malwareMatchToFinding(match, file) {
+        const context = (0, utils_1.extractCodeContext)(file.content, match.line, 2);
+        return {
+            id: (0, utils_1.generateId)(),
+            title: `Malware: ${match.name}`,
+            description: match.description,
+            severity: match.severity,
+            threatType: malwareDetector_1.MalwareDetector.getThreatType(match.type),
+            category: types_1.FindingCategory.MALWARE,
+            location: {
+                file: file.relativePath,
+                startLine: match.line,
+                endLine: match.line
+            },
+            snippet: {
+                code: match.code,
+                contextBefore: context.contextBefore,
+                contextAfter: context.contextAfter
+            },
+            standards: (0, standards_1.getStandardsForThreat)(malwareDetector_1.MalwareDetector.getThreatType(match.type)),
+            remediation: match.remediation,
+            confidence: match.confidence,
+            analyzer: `${this.name} (Malware)`,
+            timestamp: new Date(),
+            tags: ['malware', match.type, ...(match.mitreAttack || [])]
+        };
+    }
+    /**
+     * Convert PackageJsonFinding to Finding
+     */
+    packageFindingToFinding(pkgFinding, file) {
+        return {
+            id: (0, utils_1.generateId)(),
+            title: pkgFinding.name,
+            description: pkgFinding.description,
+            severity: pkgFinding.severity,
+            threatType: pkgFinding.threatType,
+            category: pkgFinding.category,
+            location: {
+                file: file.relativePath,
+                startLine: 1,
+                endLine: 1
+            },
+            snippet: {
+                code: `"${pkgFinding.field}": "${pkgFinding.value.substring(0, 100)}"`
+            },
+            standards: (0, standards_1.getStandardsForThreat)(pkgFinding.threatType),
+            remediation: pkgFinding.remediation,
+            confidence: pkgFinding.confidence,
+            analyzer: `${this.name} (Package)`,
+            timestamp: new Date(),
+            tags: ['package-json', pkgFinding.type]
+        };
+    }
+    /**
+     * Deduplicate findings based on location and type
+     */
+    deduplicateFindings(findings) {
+        const seen = new Map();
+        for (const finding of findings) {
+            const key = `${finding.location.file}:${finding.location.startLine}:${finding.threatType}`;
+            if (!seen.has(key)) {
+                seen.set(key, finding);
+            }
+            else {
+                // Keep the one with higher confidence
+                const existing = seen.get(key);
+                if (finding.confidence > existing.confidence) {
+                    seen.set(key, finding);
+                }
+            }
+        }
+        return Array.from(seen.values());
+    }
+    /**
+     * Filter findings by minimum confidence
+     */
+    filterByConfidence(findings) {
+        return findings.filter(f => f.confidence >= this.options.minConfidence);
+    }
+    /**
+     * Create a timeout promise
+     */
+    timeout(ms) {
+        return new Promise((_, reject) => {
+            setTimeout(() => reject(new Error('Analysis timeout')), ms);
+        });
+    }
+}
+exports.JavaScriptAnalyzer = JavaScriptAnalyzer;
+exports.default = JavaScriptAnalyzer;
+//# sourceMappingURL=javascriptAnalyzer.js.map