secure-scan 1.2.2

package/dist/analyzers/index.js

@@ -0,0 +1,80 @@
+"use strict";
+/**
+ * Analyzers Module Exports
+ * All language analyzers for the SAST tool
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getAllAnalyzers = getAllAnalyzers;
+exports.getAnalyzerForLanguage = getAnalyzerForLanguage;
+exports.initializeAnalyzers = initializeAnalyzers;
+exports.cleanupAnalyzers = cleanupAnalyzers;
+__exportStar(require("./base"), exports);
+__exportStar(require("./javascript"), exports);
+__exportStar(require("./python"), exports);
+__exportStar(require("./php"), exports);
+__exportStar(require("./java"), exports);
+__exportStar(require("./c-cpp"), exports);
+__exportStar(require("./csharp"), exports);
+__exportStar(require("./iac"), exports);
+const javascript_1 = require("./javascript");
+const python_1 = require("./python");
+const php_1 = require("./php");
+const java_1 = require("./java");
+const c_cpp_1 = require("./c-cpp");
+const csharp_1 = require("./csharp");
+const iac_1 = require("./iac");
+/**
+ * Analyzer registry
+ */
+const analyzers = [
+    new javascript_1.JavaScriptAnalyzer(),
+    new python_1.PythonAnalyzer(),
+    new php_1.PHPAnalyzer(),
+    new java_1.JavaAnalyzer(),
+    new c_cpp_1.CppAnalyzer(),
+    new csharp_1.CSharpAnalyzer(),
+    new iac_1.IaCAnalyzer()
+];
+/**
+ * Get all analyzers
+ */
+function getAllAnalyzers() {
+    return analyzers;
+}
+/**
+ * Get analyzer for a specific language
+ */
+function getAnalyzerForLanguage(language) {
+    return analyzers.find(a => a.languages.includes(language));
+}
+/**
+ * Initialize all analyzers
+ */
+async function initializeAnalyzers() {
+    for (const analyzer of analyzers) {
+        await analyzer.initialize();
+    }
+}
+/**
+ * Cleanup all analyzers
+ */
+async function cleanupAnalyzers() {
+    for (const analyzer of analyzers) {
+        await analyzer.cleanup();
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/analyzers/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/analyzers/index.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;AAoCH,0CAEC;AAKD,wDAEC;AAKD,kDAIC;AAKD,4CAIC;AA7DD,yCAAuB;AACvB,+CAA6B;AAC7B,2CAAyB;AACzB,wCAAsB;AACtB,yCAAuB;AACvB,0CAAwB;AACxB,2CAAyB;AACzB,wCAAsB;AAGtB,6CAAkD;AAClD,qCAA0C;AAC1C,+BAAoC;AACpC,iCAAsC;AACtC,mCAAsC;AACtC,qCAA0C;AAC1C,+BAAoC;AAEpC;;GAEG;AACH,MAAM,SAAS,GAAe;IAC5B,IAAI,+BAAkB,EAAE;IACxB,IAAI,uBAAc,EAAE;IACpB,IAAI,iBAAW,EAAE;IACjB,IAAI,mBAAY,EAAE;IAClB,IAAI,mBAAW,EAAE;IACjB,IAAI,uBAAc,EAAE;IACpB,IAAI,iBAAW,EAAE;CAClB,CAAC;AAEF;;GAEG;AACH,SAAgB,eAAe;IAC7B,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAgB,sBAAsB,CAAC,QAA2B;IAChE,OAAO,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,mBAAmB;IACvC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,QAAQ,CAAC,UAAU,EAAE,CAAC;IAC9B,CAAC;AACH,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,gBAAgB;IACpC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,QAAQ,CAAC,OAAO,EAAE,CAAC;IAC3B,CAAC;AACH,CAAC"}

package/dist/analyzers/java/index.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Java Analyzer Exports
+ */
+export * from './javaAnalyzer';
+//# sourceMappingURL=index.d.ts.map

package/dist/analyzers/java/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/analyzers/java/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,cAAc,gBAAgB,CAAC"}

package/dist/analyzers/java/index.js

@@ -0,0 +1,21 @@
+"use strict";
+/**
+ * Java Analyzer Exports
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./javaAnalyzer"), exports);
+//# sourceMappingURL=index.js.map

package/dist/analyzers/java/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/analyzers/java/index.ts"],"names":[],"mappings":";AAAA;;GAEG;;;;;;;;;;;;;;;;AAEH,iDAA+B"}

package/dist/analyzers/java/javaAnalyzer.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Java Analyzer
+ * Specialized analyzer for Java code
+ */
+import { BaseAnalyzer } from '../base';
+import { ScannedFile, Finding, Rule, SupportedLanguage } from '../../types';
+/**
+ * Java Analyzer Class
+ */
+export declare class JavaAnalyzer extends BaseAnalyzer {
+    name: string;
+    languages: SupportedLanguage[];
+    version: string;
+    /**
+     * Analyze Java file
+     */
+    analyze(file: ScannedFile, rules: Rule[]): Promise<Finding[]>;
+    /**
+     * Custom Java-specific analysis
+     */
+    private customAnalysis;
+    /**
+     * Check for deserialization sinks
+     */
+    private checkDeserializationSinks;
+    /**
+     * Check for Runtime.exec
+     */
+    private checkRuntimeExec;
+    /**
+     * Check for SQL injection
+     */
+    private checkSqlInjection;
+    /**
+     * Check for XXE vulnerabilities
+     */
+    private checkXxe;
+    /**
+     * Check for path traversal
+     */
+    private checkPathTraversal;
+    /**
+     * Check for insecure random
+     */
+    private checkInsecureRandom;
+    /**
+     * Check for weak crypto
+     */
+    private checkWeakCrypto;
+    /**
+     * Check for LDAP injection
+     */
+    private checkLdapInjection;
+    /**
+     * Check for SpEL injection
+     */
+    private checkSpelInjection;
+    /**
+     * Create generic finding
+     */
+    private createFinding;
+}
+export default JavaAnalyzer;
+//# sourceMappingURL=javaAnalyzer.d.ts.map

package/dist/analyzers/java/javaAnalyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"javaAnalyzer.d.ts","sourceRoot":"","sources":["../../../src/analyzers/java/javaAnalyzer.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAyC,MAAM,aAAa,CAAC;AAInH;;GAEG;AACH,qBAAa,YAAa,SAAQ,YAAY;IAC5C,IAAI,SAAmB;IACvB,SAAS,EAAE,iBAAiB,EAAE,CAAY;IAC1C,OAAO,SAAW;IAElB;;OAEG;IACG,OAAO,CAAC,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;IAiBnE;;OAEG;YACW,cAAc;IAwH5B;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAWjC;;OAEG;IACH,OAAO,CAAC,gBAAgB;IASxB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAYzB;;OAEG;IACH,OAAO,CAAC,QAAQ;IAkBhB;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAW1B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAI3B;;OAEG;IACH,OAAO,CAAC,eAAe;IASvB;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAS1B;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAQ1B;;OAEG;IACH,OAAO,CAAC,aAAa;CAmCtB;AAED,eAAe,YAAY,CAAC"}

package/dist/analyzers/java/javaAnalyzer.js

@@ -0,0 +1,224 @@
+"use strict";
+/**
+ * Java Analyzer
+ * Specialized analyzer for Java code
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JavaAnalyzer = void 0;
+const base_1 = require("../base");
+const types_1 = require("../../types");
+const utils_1 = require("../../utils");
+const standards_1 = require("../../rules/standards");
+/**
+ * Java Analyzer Class
+ */
+class JavaAnalyzer extends base_1.BaseAnalyzer {
+    name = 'Java Analyzer';
+    languages = ['java'];
+    version = '1.0.0';
+    /**
+     * Analyze Java file
+     */
+    async analyze(file, rules) {
+        const findings = [];
+        // Filter rules for Java
+        const javaRules = rules.filter(r => r.languages.includes('java'));
+        // Run rule engine
+        const ruleFindings = await this.ruleEngine.analyzeFile(file, javaRules);
+        findings.push(...ruleFindings);
+        // Additional Java-specific analysis
+        const customFindings = await this.customAnalysis(file);
+        findings.push(...customFindings);
+        return findings;
+    }
+    /**
+     * Custom Java-specific analysis
+     */
+    async customAnalysis(file) {
+        const findings = [];
+        const lines = file.content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            const lineNum = i + 1;
+            // Check for ObjectInputStream deserialization
+            if (this.checkDeserializationSinks(line)) {
+                findings.push(this.createFinding(file, lineNum, 'Unsafe Deserialization', 'ObjectInputStream.readObject() can execute arbitrary code.', types_1.Severity.CRITICAL, types_1.ThreatType.INSECURE_DESERIALIZATION));
+            }
+            // Check for Runtime.exec
+            if (this.checkRuntimeExec(line)) {
+                findings.push(this.createFinding(file, lineNum, 'Potential Command Injection', 'Runtime.exec() with dynamic input can lead to command injection.', types_1.Severity.CRITICAL, types_1.ThreatType.COMMAND_INJECTION));
+            }
+            // Check for SQL injection patterns
+            if (this.checkSqlInjection(line)) {
+                findings.push(this.createFinding(file, lineNum, 'Potential SQL Injection', 'String concatenation in SQL query detected. Use PreparedStatement.', types_1.Severity.CRITICAL, types_1.ThreatType.SQL_INJECTION));
+            }
+            // Check for XXE vulnerabilities
+            if (this.checkXxe(line)) {
+                findings.push(this.createFinding(file, lineNum, 'Potential XXE Vulnerability', 'XML parser may be vulnerable to XXE attacks.', types_1.Severity.HIGH, types_1.ThreatType.DANGEROUS_FUNCTION));
+            }
+            // Check for path traversal
+            if (this.checkPathTraversal(line)) {
+                findings.push(this.createFinding(file, lineNum, 'Potential Path Traversal', 'File operations with user-controlled input detected.', types_1.Severity.HIGH, types_1.ThreatType.PATH_TRAVERSAL));
+            }
+            // Check for insecure random
+            if (this.checkInsecureRandom(line)) {
+                findings.push(this.createFinding(file, lineNum, 'Insecure Random Number Generator', 'java.util.Random is not cryptographically secure.', types_1.Severity.MEDIUM, types_1.ThreatType.WEAK_RANDOM));
+            }
+            // Check for weak crypto
+            if (this.checkWeakCrypto(line)) {
+                findings.push(this.createFinding(file, lineNum, 'Weak Cryptographic Algorithm', 'Use of weak or deprecated cryptographic algorithm.', types_1.Severity.MEDIUM, types_1.ThreatType.INSECURE_CRYPTO));
+            }
+            // Check for LDAP injection
+            if (this.checkLdapInjection(line)) {
+                findings.push(this.createFinding(file, lineNum, 'Potential LDAP Injection', 'LDAP query with user-controlled input detected.', types_1.Severity.HIGH, types_1.ThreatType.LDAP_INJECTION));
+            }
+            // Check for Spring Expression Language injection
+            if (this.checkSpelInjection(line)) {
+                findings.push(this.createFinding(file, lineNum, 'SpEL Expression Injection', 'Spring Expression Language with user input can lead to RCE.', types_1.Severity.CRITICAL, types_1.ThreatType.COMMAND_INJECTION));
+            }
+        }
+        return findings;
+    }
+    /**
+     * Check for deserialization sinks
+     */
+    checkDeserializationSinks(line) {
+        const patterns = [
+            /ObjectInputStream\s*\(/,
+            /\.readObject\s*\(\s*\)/,
+            /XMLDecoder\s*\(/,
+            /XStream\s*\(\s*\)/,
+            /ObjectMapper\s*\(\s*\).*enableDefaultTyping/
+        ];
+        return patterns.some(p => p.test(line));
+    }
+    /**
+     * Check for Runtime.exec
+     */
+    checkRuntimeExec(line) {
+        const patterns = [
+            /Runtime\.getRuntime\s*\(\s*\)\.exec\s*\(/,
+            /ProcessBuilder\s*\([^)]*\+/,
+            /new\s+ProcessBuilder\s*\([^)]*\$/
+        ];
+        return patterns.some(p => p.test(line));
+    }
+    /**
+     * Check for SQL injection
+     */
+    checkSqlInjection(line) {
+        const patterns = [
+            /Statement\s*\.\s*execute(?:Query|Update)?\s*\([^)]*\+/,
+            /createStatement\s*\(\s*\).*execute/,
+            /["']SELECT[^'"]*["']\s*\+/i,
+            /["']INSERT[^'"]*["']\s*\+/i,
+            /["']UPDATE[^'"]*["']\s*\+/i,
+            /["']DELETE[^'"]*["']\s*\+/i
+        ];
+        return patterns.some(p => p.test(line));
+    }
+    /**
+     * Check for XXE vulnerabilities
+     */
+    checkXxe(line) {
+        const patterns = [
+            /DocumentBuilderFactory\.newInstance\s*\(\s*\)/,
+            /SAXParserFactory\.newInstance\s*\(\s*\)/,
+            /XMLInputFactory\.newInstance\s*\(\s*\)/,
+            /TransformerFactory\.newInstance\s*\(\s*\)/
+        ];
+        // Only flag if not followed by secure configuration
+        if (patterns.some(p => p.test(line))) {
+            // Check for secure configuration (simplified)
+            if (!/setFeature.*disallow-doctype-decl/i.test(line) &&
+                !/setFeature.*external-general-entities/i.test(line)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Check for path traversal
+     */
+    checkPathTraversal(line) {
+        const patterns = [
+            /new\s+File\s*\([^)]*\+/,
+            /new\s+FileInputStream\s*\([^)]*\+/,
+            /new\s+FileOutputStream\s*\([^)]*\+/,
+            /Paths\.get\s*\([^)]*\+/,
+            /Files\.(?:read|write|copy|move)\s*\([^)]*request/i
+        ];
+        return patterns.some(p => p.test(line));
+    }
+    /**
+     * Check for insecure random
+     */
+    checkInsecureRandom(line) {
+        return /new\s+Random\s*\(\s*\)/.test(line) && !/SecureRandom/.test(line);
+    }
+    /**
+     * Check for weak crypto
+     */
+    checkWeakCrypto(line) {
+        const patterns = [
+            /Cipher\.getInstance\s*\(\s*["'](?:DES|DESede|RC2|RC4|Blowfish)["']/i,
+            /MessageDigest\.getInstance\s*\(\s*["'](?:MD5|SHA-1|SHA1)["']/i,
+            /KeyGenerator\.getInstance\s*\(\s*["'](?:DES|DESede)["']/i
+        ];
+        return patterns.some(p => p.test(line));
+    }
+    /**
+     * Check for LDAP injection
+     */
+    checkLdapInjection(line) {
+        const patterns = [
+            /new\s+InitialDirContext\s*\([^)]*\+/,
+            /ctx\.search\s*\([^)]*\+/,
+            /SearchControls/
+        ];
+        return patterns.some(p => p.test(line)) && /\+\s*[a-zA-Z]/.test(line);
+    }
+    /**
+     * Check for SpEL injection
+     */
+    checkSpelInjection(line) {
+        const patterns = [
+            /SpelExpressionParser\s*\(\s*\).*parseExpression\s*\([^)]*\+/,
+            /ExpressionParser.*parseExpression\s*\([^)]*request/i
+        ];
+        return patterns.some(p => p.test(line));
+    }
+    /**
+     * Create generic finding
+     */
+    createFinding(file, lineNum, title, description, severity, threatType) {
+        const context = (0, utils_1.extractCodeContext)(file.content, lineNum, 2);
+        return {
+            id: (0, utils_1.generateId)(),
+            title,
+            description,
+            severity,
+            threatType,
+            category: types_1.FindingCategory.VULNERABILITY,
+            location: {
+                file: file.relativePath,
+                startLine: lineNum,
+                endLine: lineNum
+            },
+            snippet: {
+                code: context.code,
+                contextBefore: context.contextBefore,
+                contextAfter: context.contextAfter
+            },
+            standards: (0, standards_1.getStandardsForThreat)(threatType),
+            remediation: 'Review and fix the identified issue.',
+            confidence: 75,
+            analyzer: this.name,
+            timestamp: new Date(),
+            tags: ['java']
+        };
+    }
+}
+exports.JavaAnalyzer = JavaAnalyzer;
+exports.default = JavaAnalyzer;
+//# sourceMappingURL=javaAnalyzer.js.map

package/dist/analyzers/java/javaAnalyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"javaAnalyzer.js","sourceRoot":"","sources":["../../../src/analyzers/java/javaAnalyzer.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH,kCAAuC;AACvC,uCAAmH;AACnH,uCAA6D;AAC7D,qDAA8D;AAE9D;;GAEG;AACH,MAAa,YAAa,SAAQ,mBAAY;IAC5C,IAAI,GAAG,eAAe,CAAC;IACvB,SAAS,GAAwB,CAAC,MAAM,CAAC,CAAC;IAC1C,OAAO,GAAG,OAAO,CAAC;IAElB;;OAEG;IACH,KAAK,CAAC,OAAO,CAAC,IAAiB,EAAE,KAAa;QAC5C,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,wBAAwB;QACxB,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QAElE,kBAAkB;QAClB,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QACxE,QAAQ,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;QAE/B,oCAAoC;QACpC,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QACvD,QAAQ,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,CAAC;QAEjC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,cAAc,CAAC,IAAiB;QAC5C,MAAM,QAAQ,GAAc,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAEvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;YAEtB,8CAA8C;YAC9C,IAAI,IAAI,CAAC,yBAAyB,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAC9B,IAAI,EACJ,OAAO,EACP,wBAAwB,EACxB,4DAA4D,EAC5D,gBAAQ,CAAC,QAAQ,EACjB,kBAAU,CAAC,wBAAwB,CACpC,CAAC,CAAC;YACL,CAAC;YAED,yBAAyB;YACzB,IAAI,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAC9B,IAAI,EACJ,OAAO,EACP,6BAA6B,EAC7B,kEAAkE,EAClE,gBAAQ,CAAC,QAAQ,EACjB,kBAAU,CAAC,iBAAiB,CAC7B,CAAC,CAAC;YACL,CAAC;YAED,mCAAmC;YACnC,IAAI,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;gBACjC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAC9B,IAAI,EACJ,OAAO,EACP,yBAAyB,EACzB,oEAAoE,EACpE,gBAAQ,CAAC,QAAQ,EACjB,kBAAU,CAAC,aAAa,CACzB,CAAC,CAAC;YACL,CAAC;YAED,gCAAgC;YAChC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAC9B,IAAI,EACJ,OAAO,EACP,6BAA6B,EAC7B,8CAA8C,EAC9C,gBAAQ,CAAC,IAAI,EACb,kBAAU,CAAC,kBAAkB,CAC9B,CAAC,CAAC;YACL,CAAC;YAED,2BAA2B;YAC3B,IAAI,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;gBAClC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAC9B,IAAI,EACJ,OAAO,EACP,0BAA0B,EAC1B,sDAAsD,EACtD,gBAAQ,CAAC,IAAI,EACb,kBAAU,CAAC,cAAc,CAC1B,CAAC,CAAC;YACL,CAAC;YAED,4BAA4B;YAC5B,IAAI,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC;gBACnC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAC9B,IAAI,EACJ,OAAO,EACP,kCAAkC,EAClC,mDAAmD,EACnD,gBAAQ,CAAC,MAAM,EACf,kBAAU,CAAC,WAAW,CACvB,CAAC,CAAC;YACL,CAAC;YAED,wBAAwB;YACxB,IAAI,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC/B,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAC9B,IAAI,EACJ,OAAO,EACP,8BAA8B,EAC9B,oDAAoD,EACpD,gBAAQ,CAAC,MAAM,EACf,kBAAU,CAAC,eAAe,CAC3B,CAAC,CAAC;YACL,CAAC;YAED,2BAA2B;YAC3B,IAAI,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;gBAClC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAC9B,IAAI,EACJ,OAAO,EACP,0BAA0B,EAC1B,iDAAiD,EACjD,gBAAQ,CAAC,IAAI,EACb,kBAAU,CAAC,cAAc,CAC1B,CAAC,CAAC;YACL,CAAC;YAED,iDAAiD;YACjD,IAAI,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,EAAE,CAAC;gBAClC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAC9B,IAAI,EACJ,OAAO,EACP,2BAA2B,EAC3B,6DAA6D,EAC7D,gBAAQ,CAAC,QAAQ,EACjB,kBAAU,CAAC,iBAAiB,CAC7B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACK,yBAAyB,CAAC,IAAY;QAC5C,MAAM,QAAQ,GAAG;YACf,wBAAwB;YACxB,wBAAwB;YACxB,iBAAiB;YACjB,mBAAmB;YACnB,6CAA6C;SAC9C,CAAC;QACF,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC1C,CAAC;IAED;;OAEG;IACK,gBAAgB,CAAC,IAAY;QACnC,MAAM,QAAQ,GAAG;YACf,0CAA0C;YAC1C,4BAA4B;YAC5B,kCAAkC;SACnC,CAAC;QACF,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC1C,CAAC;IAED;;OAEG;IACK,iBAAiB,CAAC,IAAY;QACpC,MAAM,QAAQ,GAAG;YACf,uDAAuD;YACvD,oCAAoC;YACpC,4BAA4B;YAC5B,4BAA4B;YAC5B,4BAA4B;YAC5B,4BAA4B;SAC7B,CAAC;QACF,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC1C,CAAC;IAED;;OAEG;IACK,QAAQ,CAAC,IAAY;QAC3B,MAAM,QAAQ,GAAG;YACf,+CAA+C;YAC/C,yCAAyC;YACzC,wCAAwC;YACxC,2CAA2C;SAC5C,CAAC;QACF,oDAAoD;QACpD,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YACrC,8CAA8C;YAC9C,IAAI,CAAC,oCAAoC,CAAC,IAAI,CAAC,IAAI,CAAC;gBAChD,CAAC,wCAAwC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzD,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACK,kBAAkB,CAAC,IAAY;QACrC,MAAM,QAAQ,GAAG;YACf,wBAAwB;YACxB,mCAAmC;YACnC,oCAAoC;YACpC,wBAAwB;YACxB,mDAAmD;SACpD,CAAC;QACF,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC1C,CAAC;IAED;;OAEG;IACK,mBAAmB,CAAC,IAAY;QACtC,OAAO,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3E,CAAC;IAED;;OAEG;IACK,eAAe,CAAC,IAAY;QAClC,MAAM,QAAQ,GAAG;YACf,qEAAqE;YACrE,+DAA+D;YAC/D,0DAA0D;SAC3D,CAAC;QACF,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC1C,CAAC;IAED;;OAEG;IACK,kBAAkB,CAAC,IAAY;QACrC,MAAM,QAAQ,GAAG;YACf,qCAAqC;YACrC,yBAAyB;YACzB,gBAAgB;SACjB,CAAC;QACF,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxE,CAAC;IAED;;OAEG;IACK,kBAAkB,CAAC,IAAY;QACrC,MAAM,QAAQ,GAAG;YACf,6DAA6D;YAC7D,qDAAqD;SACtD,CAAC;QACF,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;IAC1C,CAAC;IAED;;OAEG;IACK,aAAa,CACnB,IAAiB,EACjB,OAAe,EACf,KAAa,EACb,WAAmB,EACnB,QAAkB,EAClB,UAAsB;QAEtB,MAAM,OAAO,GAAG,IAAA,0BAAkB,EAAC,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;QAE7D,OAAO;YACL,EAAE,EAAE,IAAA,kBAAU,GAAE;YAChB,KAAK;YACL,WAAW;YACX,QAAQ;YACR,UAAU;YACV,QAAQ,EAAE,uBAAe,CAAC,aAAa;YACvC,QAAQ,EAAE;gBACR,IAAI,EAAE,IAAI,CAAC,YAAY;gBACvB,SAAS,EAAE,OAAO;gBAClB,OAAO,EAAE,OAAO;aACjB;YACD,OAAO,EAAE;gBACP,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,aAAa,EAAE,OAAO,CAAC,aAAa;gBACpC,YAAY,EAAE,OAAO,CAAC,YAAY;aACnC;YACD,SAAS,EAAE,IAAA,iCAAqB,EAAC,UAAU,CAAC;YAC5C,WAAW,EAAE,sCAAsC;YACnD,UAAU,EAAE,EAAE;YACd,QAAQ,EAAE,IAAI,CAAC,IAAI;YACnB,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,IAAI,EAAE,CAAC,MAAM,CAAC;SACf,CAAC;IACJ,CAAC;CACF;AAhTD,oCAgTC;AAED,kBAAe,YAAY,CAAC"}

package/dist/analyzers/javascript/astUtils.d.ts

@@ -0,0 +1,170 @@
+/**
+ * AST Utilities for JavaScript/TypeScript Analysis
+ * Provides AST parsing and traversal utilities using Babel Parser
+ *
+ * Inspired by Semgrep's AST pattern matching
+ */
+import { NodePath } from '@babel/traverse';
+import * as t from '@babel/types';
+/**
+ * AST Parse Options
+ */
+export interface ASTParseOptions {
+    /** Source type (script, module, unambiguous) */
+    sourceType?: 'script' | 'module' | 'unambiguous';
+    /** Enable TypeScript parsing */
+    typescript?: boolean;
+    /** Enable JSX parsing */
+    jsx?: boolean;
+    /** Allow return outside function */
+    allowReturnOutsideFunction?: boolean;
+    /** Error recovery mode */
+    errorRecovery?: boolean;
+}
+/**
+ * AST Node Location
+ */
+export interface ASTLocation {
+    startLine: number;
+    endLine: number;
+    startColumn: number;
+    endColumn: number;
+}
+/**
+ * Dangerous call detected in AST
+ */
+export interface DangerousCall {
+    /** Name of the dangerous function/method */
+    name: string;
+    /** Full call expression code */
+    code: string;
+    /** Location in source */
+    location: ASTLocation;
+    /** Type of dangerous pattern */
+    patternType: DangerousPatternType;
+    /** Arguments passed to the call */
+    arguments: string[];
+    /** Caller object (for method calls) */
+    callee?: string;
+    /** Additional context */
+    context?: string;
+}
+/**
+ * Types of dangerous patterns
+ */
+export declare enum DangerousPatternType {
+    CODE_EXECUTION = "code_execution",
+    COMMAND_INJECTION = "command_injection",
+    PROTOTYPE_POLLUTION = "prototype_pollution",
+    XSS_SINK = "xss_sink",
+    DYNAMIC_REQUIRE = "dynamic_require",
+    INSECURE_RANDOM = "insecure_random",
+    HARDCODED_SECRET = "hardcoded_secret",
+    DANGEROUS_REGEX = "dangerous_regex",
+    UNSAFE_ASSIGNMENT = "unsafe_assignment",
+    NETWORK_REQUEST = "network_request",
+    FILE_OPERATION = "file_operation",
+    CRYPTO_WEAKNESS = "crypto_weakness"
+}
+/**
+ * AST Pattern definition
+ */
+export interface ASTPattern {
+    /** Pattern type */
+    type: DangerousPatternType;
+    /** Description of the pattern */
+    description: string;
+    /** Matcher function */
+    matcher: (path: NodePath, context: ASTContext) => boolean;
+    /** Extract relevant information */
+    extractor?: (path: NodePath) => Partial<DangerousCall>;
+}
+/**
+ * AST Analysis Context
+ */
+export interface ASTContext {
+    /** Current file path */
+    filePath: string;
+    /** Source content */
+    source: string;
+    /** Detected imports/requires */
+    imports: Map<string, string>;
+    /** Is this TypeScript? */
+    isTypeScript: boolean;
+    /** Is this JSX? */
+    isJSX: boolean;
+}
+/**
+ * AST Utilities Class
+ */
+export declare class ASTUtils {
+    private ast;
+    private source;
+    private context;
+    /**
+     * Parse source code to AST
+     */
+    parse(source: string, options?: ASTParseOptions): t.File | null;
+    /**
+     * Safe AST parsing with automatic feature detection
+     */
+    safeParse(source: string, filePath: string): t.File | null;
+    /**
+     * Find all dangerous calls in the AST
+     */
+    findDangerousCalls(filePath: string): DangerousCall[];
+    /**
+     * Analyze a call expression for dangerous patterns
+     */
+    private analyzeCallExpression;
+    /**
+     * Analyze a method call (obj.method())
+     */
+    private analyzeMemberCall;
+    /**
+     * Analyze new expression: new Function(), etc.
+     */
+    private analyzeNewExpression;
+    /**
+     * Analyze assignment for dangerous patterns
+     */
+    private analyzeAssignment;
+    /**
+     * Analyze member expression for dangerous patterns
+     */
+    private analyzeMemberExpression;
+    /**
+     * Extract imports/requires from the AST
+     */
+    private extractImports;
+    /**
+     * Get the source code for a node
+     */
+    private getNodeCode;
+    /**
+     * Get location information for a node
+     */
+    private getLocation;
+    /**
+     * Extract arguments as strings
+     */
+    private extractArguments;
+    /**
+     * Get full name of member expression
+     */
+    private getMemberExpressionName;
+    /**
+     * Find all string literals that look like hardcoded secrets
+     */
+    findHardcodedSecrets(): DangerousCall[];
+    /**
+     * Find ReDoS-vulnerable regex patterns
+     */
+    findDangerousRegex(): DangerousCall[];
+    /**
+     * Check if code contains anti-debugging techniques
+     */
+    findAntiDebugging(): DangerousCall[];
+}
+export default ASTUtils;
+//# sourceMappingURL=astUtils.d.ts.map

package/dist/analyzers/javascript/astUtils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"astUtils.d.ts","sourceRoot":"","sources":["../../../src/analyzers/javascript/astUtils.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAiB,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AACrD,OAAO,KAAK,CAAC,MAAM,cAAc,CAAC;AAElC;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,gDAAgD;IAChD,UAAU,CAAC,EAAE,QAAQ,GAAG,QAAQ,GAAG,aAAa,CAAC;IACjD,gCAAgC;IAChC,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,yBAAyB;IACzB,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,oCAAoC;IACpC,0BAA0B,CAAC,EAAE,OAAO,CAAC;IACrC,0BAA0B;IAC1B,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,4CAA4C;IAC5C,IAAI,EAAE,MAAM,CAAC;IACb,gCAAgC;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,yBAAyB;IACzB,QAAQ,EAAE,WAAW,CAAC;IACtB,gCAAgC;IAChC,WAAW,EAAE,oBAAoB,CAAC;IAClC,mCAAmC;IACnC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,uCAAuC;IACvC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,yBAAyB;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,oBAAY,oBAAoB;IAC9B,cAAc,mBAAmB;IACjC,iBAAiB,sBAAsB;IACvC,mBAAmB,wBAAwB;IAC3C,QAAQ,aAAa;IACrB,eAAe,oBAAoB;IACnC,eAAe,oBAAoB;IACnC,gBAAgB,qBAAqB;IACrC,eAAe,oBAAoB;IACnC,iBAAiB,sBAAsB;IACvC,eAAe,oBAAoB;IACnC,cAAc,mBAAmB;IACjC,eAAe,oBAAoB;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,mBAAmB;IACnB,IAAI,EAAE,oBAAoB,CAAC;IAC3B,iCAAiC;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,uBAAuB;IACvB,OAAO,EAAE,CAAC,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,KAAK,OAAO,CAAC;IAC1D,mCAAmC;IACnC,SAAS,CAAC,EAAE,CAAC,IAAI,EAAE,QAAQ,KAAK,OAAO,CAAC,aAAa,CAAC,CAAC;CACxD;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,wBAAwB;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,qBAAqB;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,gCAAgC;IAChC,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,0BAA0B;IAC1B,YAAY,EAAE,OAAO,CAAC;IACtB,mBAAmB;IACnB,KAAK,EAAE,OAAO,CAAC;CAChB;AA8CD;;GAEG;AACH,qBAAa,QAAQ;IACnB,OAAO,CAAC,GAAG,CAAuB;IAClC,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,OAAO,CAA2B;IAE1C;;OAEG;IACH,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,GAAE,eAAoB,GAAG,CAAC,CAAC,IAAI,GAAG,IAAI;IAsDnE;;OAEG;IACH,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,CAAC,CAAC,IAAI,GAAG,IAAI;IAY1D;;OAEG;IACH,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,aAAa,EAAE;IAwCrD;;OAEG;IACH,OAAO,CAAC,qBAAqB;IA4C7B;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAkEzB;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAiC5B;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAyCzB;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA+B/B;;OAEG;IACH,OAAO,CAAC,cAAc;IA4CtB;;OAEG;IACH,OAAO,CAAC,WAAW;IAQnB;;OAEG;IACH,OAAO,CAAC,WAAW;IASnB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IASxB;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAoB/B;;OAEG;IACH,oBAAoB,IAAI,aAAa,EAAE;IAoEvC;;OAEG;IACH,kBAAkB,IAAI,aAAa,EAAE;IA+DrC;;OAEG;IACH,iBAAiB,IAAI,aAAa,EAAE;CAuCrC;AAED,eAAe,QAAQ,CAAC"}