thuban 0.4.0 → 0.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (209) hide show
  1. package/dist/package.json +63 -0
  2. package/dist/packages/crucible/rules/code-scanner-core.json +129 -0
  3. package/dist/packages/crucible/rules/command-injection.json +411 -0
  4. package/dist/packages/crucible/rules/crypto-misuse.json +35 -0
  5. package/dist/packages/crucible/rules/deserialization.json +152 -0
  6. package/dist/packages/crucible/rules/env-injection.json +46 -0
  7. package/dist/packages/crucible/rules/eval-abuse.json +104 -0
  8. package/dist/packages/crucible/rules/file-upload.json +46 -0
  9. package/dist/packages/crucible/rules/hallucination.json +22 -0
  10. package/dist/packages/crucible/rules/hardcoded-secret.json +397 -0
  11. package/dist/packages/crucible/rules/hardcoded-url.json +13 -0
  12. package/dist/packages/crucible/rules/insecure-crypto.json +302 -0
  13. package/dist/packages/crucible/rules/integer-overflow.json +35 -0
  14. package/dist/packages/crucible/rules/log-injection.json +33 -0
  15. package/dist/packages/crucible/rules/mass-assignment.json +112 -0
  16. package/dist/packages/crucible/rules/open-redirect.json +196 -0
  17. package/dist/packages/crucible/rules/path-traversal.json +422 -0
  18. package/dist/packages/crucible/rules/prototype-pollution.json +22 -0
  19. package/dist/packages/crucible/rules/sql-injection.json +597 -0
  20. package/dist/packages/crucible/rules/ssrf.json +557 -0
  21. package/dist/packages/crucible/rules/timing-attack.json +55 -0
  22. package/dist/packages/crucible/rules/unsafe-block.json +24 -0
  23. package/dist/packages/crucible/rules/xss.json +641 -0
  24. package/dist/packages/crucible/rules/xxe.json +66 -0
  25. package/dist/packages/crucible/rules/yaml-deserialization.json +22 -0
  26. package/dist/packages/crucible/rules/yaml-injection.json +22 -0
  27. package/dist/packages/scanner/executive-report.js +1 -1
  28. package/dist/packages/scanner/hallucination-detector.js +1 -1
  29. package/dist/packages/scanner/secret-scanner.js +1 -1
  30. package/package.json +7 -4
  31. package/dist/packages/crucible/seeds/python/seed-021 3.py +0 -37
  32. package/dist/packages/crucible/seeds/python/seed-022 3.py +0 -34
  33. package/dist/packages/crucible/seeds/python/seed-023 3.py +0 -37
  34. package/dist/packages/crucible/seeds/python/seed-024 3.py +0 -38
  35. package/dist/packages/crucible/seeds/python/seed-025 3.py +0 -40
  36. package/dist/packages/crucible/seeds/python/seed-026 3.py +0 -35
  37. package/dist/packages/crucible/seeds/python/seed-027 3.py +0 -35
  38. package/dist/packages/crucible/seeds/python/seed-028 3.py +0 -42
  39. package/dist/packages/crucible/seeds/python/seed-030 3.py +0 -37
  40. package/dist/packages/crucible/seeds/python/seed-031 3.py +0 -34
  41. package/dist/packages/crucible/seeds/python/seed-036 3.py +0 -33
  42. package/dist/packages/crucible/seeds/python/seed-037 3.py +0 -41
  43. package/dist/packages/crucible/seeds/python/seed-038 3.py +0 -33
  44. package/dist/packages/crucible/seeds/python/seed-039 3.py +0 -39
  45. package/dist/packages/crucible/seeds/python/seed-040 3.py +0 -39
  46. package/dist/packages/crucible/seeds/python/seed-041 3.py +0 -37
  47. package/dist/packages/crucible/seeds/python/seed-042 3.py +0 -38
  48. package/dist/packages/crucible/seeds/python/seed-043 3.py +0 -32
  49. package/dist/packages/crucible/seeds/python/seed-044 3.py +0 -38
  50. package/dist/packages/crucible/seeds/python/seed-045 3.py +0 -36
  51. package/dist/packages/crucible/seeds/python/seed-046 3.py +0 -33
  52. package/dist/packages/crucible/seeds/python/seed-047 3.py +0 -44
  53. package/dist/packages/crucible/seeds/python/seed-048 3.py +0 -35
  54. package/dist/packages/crucible/seeds/python/seed-049 3.py +0 -39
  55. package/dist/packages/crucible/seeds/python/seed-050 3.py +0 -39
  56. package/dist/packages/crucible/seeds/python/seed-051 3.py +0 -38
  57. package/dist/packages/crucible/seeds/python/seed-052 3.py +0 -41
  58. package/dist/packages/crucible/seeds/ruby/seed-001 3.rb +0 -15
  59. package/dist/packages/crucible/seeds/ruby/seed-002 3.rb +0 -22
  60. package/dist/packages/crucible/seeds/ruby/seed-003 3.rb +0 -25
  61. package/dist/packages/crucible/seeds/ruby/seed-004 3.rb +0 -17
  62. package/dist/packages/crucible/seeds/ruby/seed-005 3.rb +0 -21
  63. package/dist/packages/crucible/seeds/ruby/seed-006 3.rb +0 -17
  64. package/dist/packages/crucible/seeds/ruby/seed-007 3.rb +0 -16
  65. package/dist/packages/crucible/seeds/ruby/seed-008 3.rb +0 -18
  66. package/dist/packages/crucible/seeds/ruby/seed-009 3.rb +0 -20
  67. package/dist/packages/crucible/seeds/ruby/seed-010 3.rb +0 -24
  68. package/dist/packages/crucible/seeds/ruby/seed-011 3.rb +0 -21
  69. package/dist/packages/crucible/seeds/ruby/seed-012 3.rb +0 -22
  70. package/dist/packages/crucible/seeds/ruby/seed-013 3.rb +0 -21
  71. package/dist/packages/crucible/seeds/ruby/seed-014 3.rb +0 -16
  72. package/dist/packages/crucible/seeds/ruby/seed-015 3.rb +0 -18
  73. package/dist/packages/crucible/seeds/ruby/seed-016 3.rb +0 -17
  74. package/dist/packages/crucible/seeds/ruby/seed-017 3.rb +0 -25
  75. package/dist/packages/crucible/seeds/ruby/seed-018 3.rb +0 -23
  76. package/dist/packages/crucible/seeds/ruby/seed-019 3.rb +0 -20
  77. package/dist/packages/crucible/seeds/ruby/seed-020 3.rb +0 -17
  78. package/dist/packages/crucible/seeds/ruby/seed-021 3.rb +0 -20
  79. package/dist/packages/crucible/seeds/ruby/seed-022 3.rb +0 -21
  80. package/dist/packages/crucible/seeds/ruby/seed-023 3.rb +0 -19
  81. package/dist/packages/crucible/seeds/ruby/seed-024 3.rb +0 -17
  82. package/dist/packages/crucible/seeds/ruby/seed-025 3.rb +0 -17
  83. package/dist/packages/crucible/seeds/ruby/seed-026 3.rb +0 -18
  84. package/dist/packages/crucible/seeds/ruby/seed-027 3.rb +0 -21
  85. package/dist/packages/crucible/seeds/ruby/seed-028 3.rb +0 -22
  86. package/dist/packages/crucible/seeds/ruby/seed-029 3.rb +0 -19
  87. package/dist/packages/crucible/seeds/ruby/seed-030 3.rb +0 -20
  88. package/dist/packages/crucible/seeds/ruby/seed-031 3.rb +0 -17
  89. package/dist/packages/crucible/seeds/ruby/seed-032 3.rb +0 -22
  90. package/dist/packages/crucible/seeds/ruby/seed-033 3.rb +0 -18
  91. package/dist/packages/crucible/seeds/ruby/seed-034 3.rb +0 -19
  92. package/dist/packages/crucible/seeds/ruby/seed-035 3.rb +0 -19
  93. package/dist/packages/crucible/seeds/ruby/seed-036 3.rb +0 -18
  94. package/dist/packages/crucible/seeds/ruby/seed-037 3.rb +0 -21
  95. package/dist/packages/crucible/seeds/ruby/seed-038 3.rb +0 -24
  96. package/dist/packages/crucible/seeds/ruby/seed-039 3.rb +0 -24
  97. package/dist/packages/crucible/seeds/ruby/seed-040 3.rb +0 -22
  98. package/dist/packages/crucible/seeds/ruby/seed-041 3.rb +0 -23
  99. package/dist/packages/crucible/seeds/ruby/seed-042 3.rb +0 -25
  100. package/dist/packages/crucible/seeds/ruby/seed-043 3.rb +0 -23
  101. package/dist/packages/crucible/seeds/ruby/seed-044 3.rb +0 -16
  102. package/dist/packages/crucible/seeds/ruby/seed-045 3.rb +0 -22
  103. package/dist/packages/crucible/seeds/ruby/seed-046 3.rb +0 -27
  104. package/dist/packages/crucible/seeds/ruby/seed-047 3.rb +0 -26
  105. package/dist/packages/crucible/seeds/ruby/seed-048 3.rb +0 -24
  106. package/dist/packages/crucible/seeds/ruby/seed-049 3.rb +0 -20
  107. package/dist/packages/crucible/seeds/ruby/seed-050 3.rb +0 -27
  108. package/dist/packages/crucible/seeds/rust/seed-001 3.rs +0 -25
  109. package/dist/packages/crucible/seeds/rust/seed-002 3.rs +0 -20
  110. package/dist/packages/crucible/seeds/rust/seed-003 3.rs +0 -23
  111. package/dist/packages/crucible/seeds/rust/seed-004 3.rs +0 -21
  112. package/dist/packages/crucible/seeds/rust/seed-005 3.rs +0 -21
  113. package/dist/packages/crucible/seeds/rust/seed-006 3.rs +0 -24
  114. package/dist/packages/crucible/seeds/rust/seed-007 3.rs +0 -20
  115. package/dist/packages/crucible/seeds/rust/seed-008 3.rs +0 -19
  116. package/dist/packages/crucible/seeds/rust/seed-009 3.rs +0 -28
  117. package/dist/packages/crucible/seeds/rust/seed-010 3.rs +0 -28
  118. package/dist/packages/crucible/seeds/rust/seed-011 3.rs +0 -25
  119. package/dist/packages/crucible/seeds/rust/seed-012 3.rs +0 -31
  120. package/dist/packages/crucible/seeds/rust/seed-013 3.rs +0 -27
  121. package/dist/packages/crucible/seeds/rust/seed-014 3.rs +0 -30
  122. package/dist/packages/crucible/seeds/rust/seed-015 3.rs +0 -33
  123. package/dist/packages/crucible/seeds/rust/seed-016 3.rs +0 -22
  124. package/dist/packages/crucible/seeds/rust/seed-017 3.rs +0 -28
  125. package/dist/packages/crucible/seeds/rust/seed-018 3.rs +0 -21
  126. package/dist/packages/crucible/seeds/rust/seed-019 3.rs +0 -36
  127. package/dist/packages/crucible/seeds/rust/seed-020 3.rs +0 -27
  128. package/dist/packages/crucible/seeds/rust/seed-021 3.rs +0 -26
  129. package/dist/packages/crucible/seeds/rust/seed-022 3.rs +0 -23
  130. package/dist/packages/crucible/seeds/rust/seed-023 3.rs +0 -22
  131. package/dist/packages/crucible/seeds/rust/seed-024 3.rs +0 -24
  132. package/dist/packages/crucible/seeds/rust/seed-025 3.rs +0 -29
  133. package/dist/packages/crucible/seeds/rust/seed-026 3.rs +0 -23
  134. package/dist/packages/crucible/seeds/rust/seed-027 3.rs +0 -24
  135. package/dist/packages/crucible/seeds/rust/seed-028 3.rs +0 -25
  136. package/dist/packages/crucible/seeds/rust/seed-029 3.rs +0 -25
  137. package/dist/packages/crucible/seeds/rust/seed-030 3.rs +0 -30
  138. package/dist/packages/crucible/seeds/rust/seed-031 3.rs +0 -22
  139. package/dist/packages/crucible/seeds/rust/seed-032 3.rs +0 -25
  140. package/dist/packages/crucible/seeds/rust/seed-033 3.rs +0 -25
  141. package/dist/packages/crucible/seeds/rust/seed-034 3.rs +0 -20
  142. package/dist/packages/crucible/seeds/rust/seed-035 3.rs +0 -28
  143. package/dist/packages/crucible/seeds/rust/seed-036 3.rs +0 -26
  144. package/dist/packages/crucible/seeds/rust/seed-037 3.rs +0 -31
  145. package/dist/packages/crucible/seeds/rust/seed-038 3.rs +0 -25
  146. package/dist/packages/crucible/seeds/rust/seed-039 3.rs +0 -28
  147. package/dist/packages/crucible/seeds/rust/seed-040 3.rs +0 -27
  148. package/dist/packages/crucible/seeds/rust/seed-041 3.rs +0 -32
  149. package/dist/packages/crucible/seeds/rust/seed-042 3.rs +0 -27
  150. package/dist/packages/crucible/seeds/rust/seed-043 3.rs +0 -29
  151. package/dist/packages/crucible/seeds/rust/seed-044 3.rs +0 -25
  152. package/dist/packages/crucible/seeds/rust/seed-045 3.rs +0 -28
  153. package/dist/packages/crucible/seeds/rust/seed-046 3.rs +0 -25
  154. package/dist/packages/crucible/seeds/rust/seed-047 3.rs +0 -34
  155. package/dist/packages/crucible/seeds/rust/seed-048 3.rs +0 -21
  156. package/dist/packages/crucible/seeds/rust/seed-049 3.rs +0 -26
  157. package/dist/packages/crucible/seeds/rust/seed-050 3.rs +0 -23
  158. package/dist/packages/crucible/seeds/ts/seed-001 3.ts +0 -32
  159. package/dist/packages/crucible/seeds/ts/seed-002 3.ts +0 -34
  160. package/dist/packages/crucible/seeds/ts/seed-003 3.ts +0 -28
  161. package/dist/packages/crucible/seeds/ts/seed-004 3.ts +0 -34
  162. package/dist/packages/crucible/seeds/ts/seed-005 3.ts +0 -32
  163. package/dist/packages/crucible/seeds/ts/seed-006 3.ts +0 -31
  164. package/dist/packages/crucible/seeds/ts/seed-007 3.ts +0 -28
  165. package/dist/packages/crucible/seeds/ts/seed-008 3.ts +0 -40
  166. package/dist/packages/crucible/seeds/ts/seed-009 3.ts +0 -31
  167. package/dist/packages/crucible/seeds/ts/seed-010 3.ts +0 -33
  168. package/dist/packages/crucible/seeds/ts/seed-011 3.ts +0 -29
  169. package/dist/packages/crucible/seeds/ts/seed-012 3.ts +0 -34
  170. package/dist/packages/crucible/seeds/ts/seed-013 3.ts +0 -31
  171. package/dist/packages/crucible/seeds/ts/seed-014 3.ts +0 -36
  172. package/dist/packages/crucible/seeds/ts/seed-015 3.ts +0 -31
  173. package/dist/packages/crucible/seeds/ts/seed-016 3.ts +0 -37
  174. package/dist/packages/crucible/seeds/ts/seed-017 3.ts +0 -44
  175. package/dist/packages/crucible/seeds/ts/seed-018 3.ts +0 -33
  176. package/dist/packages/crucible/seeds/ts/seed-019 3.ts +0 -32
  177. package/dist/packages/crucible/seeds/ts/seed-020 3.ts +0 -33
  178. package/dist/packages/crucible/seeds/ts/seed-021 3.ts +0 -33
  179. package/dist/packages/crucible/seeds/ts/seed-022 3.ts +0 -34
  180. package/dist/packages/crucible/seeds/ts/seed-023 3.ts +0 -33
  181. package/dist/packages/crucible/seeds/ts/seed-024 3.ts +0 -35
  182. package/dist/packages/crucible/seeds/ts/seed-025 3.ts +0 -29
  183. package/dist/packages/crucible/seeds/ts/seed-026 3.ts +0 -36
  184. package/dist/packages/crucible/seeds/ts/seed-027 3.ts +0 -30
  185. package/dist/packages/crucible/seeds/ts/seed-028 3.ts +0 -32
  186. package/dist/packages/crucible/seeds/ts/seed-029 3.ts +0 -34
  187. package/dist/packages/crucible/seeds/ts/seed-030 3.ts +0 -37
  188. package/dist/packages/crucible/seeds/ts/seed-031 3.ts +0 -31
  189. package/dist/packages/crucible/seeds/ts/seed-032 3.ts +0 -32
  190. package/dist/packages/crucible/seeds/ts/seed-033 3.ts +0 -32
  191. package/dist/packages/crucible/seeds/ts/seed-034 3.ts +0 -34
  192. package/dist/packages/crucible/seeds/ts/seed-035 3.ts +0 -29
  193. package/dist/packages/crucible/seeds/ts/seed-036 3.ts +0 -34
  194. package/dist/packages/crucible/seeds/ts/seed-037 3.ts +0 -33
  195. package/dist/packages/crucible/seeds/ts/seed-038 3.ts +0 -29
  196. package/dist/packages/crucible/seeds/ts/seed-039 3.ts +0 -35
  197. package/dist/packages/crucible/seeds/ts/seed-040 3.ts +0 -31
  198. package/dist/packages/crucible/seeds/ts/seed-041 3.ts +0 -29
  199. package/dist/packages/crucible/seeds/ts/seed-042 3.ts +0 -33
  200. package/dist/packages/crucible/seeds/ts/seed-043 3.ts +0 -32
  201. package/dist/packages/crucible/seeds/ts/seed-044 3.ts +0 -36
  202. package/dist/packages/crucible/seeds/ts/seed-045 3.ts +0 -39
  203. package/dist/packages/crucible/seeds/ts/seed-046 3.ts +0 -41
  204. package/dist/packages/crucible/seeds/ts/seed-047 3.ts +0 -33
  205. package/dist/packages/crucible/seeds/ts/seed-048 3.ts +0 -33
  206. package/dist/packages/crucible/seeds/ts/seed-049 3.ts +0 -34
  207. package/dist/packages/crucible/seeds/ts/seed-050 3.ts +0 -41
  208. package/dist/packages/crucible/seeds/ts/seed-051 3.ts +0 -34
  209. package/dist/packages/crucible/seeds/ts/seed-052 3.ts +0 -36
@@ -0,0 +1,63 @@
1
+ {
2
+ "name": "thuban",
3
+ "version": "0.4.2",
4
+ "description": "The safety layer for AI-coded software. Detect hallucinated APIs, ghost code, tech debt, and architecture drift. One command. Minimal dependencies.",
5
+ "bin": {
6
+ "thuban": "./dist/cli.js"
7
+ },
8
+ "scripts": {
9
+ "scan": "node cli.js scan",
10
+ "test": "node cli.js scan . --json > NUL",
11
+ "build": "node build.js",
12
+ "prepublishOnly": "npm run build"
13
+ },
14
+ "keywords": [
15
+ "code-quality",
16
+ "static-analysis",
17
+ "ai-hallucination",
18
+ "hallucination-detection",
19
+ "ghost-code",
20
+ "tech-debt",
21
+ "ai-code-review",
22
+ "code-health",
23
+ "pre-commit",
24
+ "copilot",
25
+ "cursor",
26
+ "ai-safety",
27
+ "developer-tools",
28
+ "devtools",
29
+ "linter",
30
+ "code-scanner"
31
+ ],
32
+ "author": "Silverwings Benefits <hello@thuban.dev>",
33
+ "license": "SEE LICENSE IN LICENSE",
34
+ "homepage": "https://thuban.dev",
35
+ "repository": {
36
+ "type": "git",
37
+ "url": "https://github.com/SilverwingsBenefitsGit/thuban.git"
38
+ },
39
+ "bugs": {
40
+ "url": "https://github.com/SilverwingsBenefitsGit/thuban/issues"
41
+ },
42
+ "engines": {
43
+ "node": ">=16.0.0"
44
+ },
45
+ "files": [
46
+ "dist/cli.js",
47
+ "dist/packages/scanner/*.js",
48
+ "dist/packages/crucible/*.js",
49
+ "dist/packages/crucible/seeds/**",
50
+ "dist/packages/crucible/.golden/",
51
+ "dist/packages/crucible/rules/**",
52
+ "dist/README.md",
53
+ "dist/LICENSE",
54
+ "dist/package.json"
55
+ ],
56
+ "dependencies": {
57
+ "@babel/parser": "^8.0.0",
58
+ "docx": "^9.7.1"
59
+ },
60
+ "devDependencies": {
61
+ "terser": "^5.48.0"
62
+ }
63
+ }
@@ -0,0 +1,129 @@
1
+ [
2
+ {
3
+ "id": "SEC001",
4
+ "name": "Hardcoded API Key",
5
+ "type": "hardcoded_secret",
6
+ "pattern": "['\"](?:sk-|pk-|xox[pboa]-|AKIA|ghp_|gho_|github_pat_)[a-zA-Z0-9_-]{10,}['\"]|['\"][a-zA-Z0-9]{32,}['\"]",
7
+ "flags": "",
8
+ "severity": "critical",
9
+ "message": "Possible hardcoded API key or secret detected",
10
+ "context": "(api[_-]?key|apikey|secret[_\\s]*key|token|credential|bearer)",
11
+ "contextFlags": "i",
12
+ "skipIfSafe": true
13
+ },
14
+ {
15
+ "id": "SEC001B",
16
+ "name": "Hardcoded API Key (bare)",
17
+ "type": "hardcoded_secret",
18
+ "pattern": "['\"](?:sk-|pk-|xox[pboa]-|AKIA|ghp_|gho_|github_pat_)[a-zA-Z0-9_-]{10,}['\"]",
19
+ "flags": "",
20
+ "severity": "critical",
21
+ "message": "Possible hardcoded API key or secret detected",
22
+ "skipIfSafe": true
23
+ },
24
+ {
25
+ "id": "SEC002",
26
+ "name": "Hardcoded Password",
27
+ "type": "hardcoded_secret",
28
+ "pattern": "password\\s*[:=]\\s*['\"][^'\"]+['\"]",
29
+ "flags": "i",
30
+ "severity": "critical",
31
+ "message": "Hardcoded password detected",
32
+ "skipIfSafe": true,
33
+ "skipInTests": true
34
+ },
35
+ {
36
+ "id": "SEC002B",
37
+ "name": "Hardcoded Password (JSON key)",
38
+ "type": "hardcoded_secret",
39
+ "pattern": "[\"']password[\"']\\s*:\\s*[\"'][^\"']+[\"']",
40
+ "flags": "i",
41
+ "severity": "critical",
42
+ "message": "Hardcoded password detected",
43
+ "skipIfSafe": true,
44
+ "skipInTests": true
45
+ },
46
+ {
47
+ "id": "SEC003",
48
+ "name": "SQL Injection Risk",
49
+ "type": "sql_injection",
50
+ "pattern": "\\b(?:SELECT|INSERT\\s+INTO|UPDATE|DELETE\\s+FROM|WHERE)\\b.*(\\$\\{|\\+\\s*['\"]|\\+\\s*\\w+|f['\"].*\\{|%s|%d)",
51
+ "flags": "i",
52
+ "severity": "error",
53
+ "message": "Potential SQL injection - use parameterized queries"
54
+ },
55
+ {
56
+ "id": "SEC004",
57
+ "name": "eval() Usage",
58
+ "type": "eval_abuse",
59
+ "pattern": "\\beval\\s*\\(",
60
+ "flags": "",
61
+ "severity": "error",
62
+ "message": "eval() is dangerous and should be avoided"
63
+ },
64
+ {
65
+ "id": "SEC004B",
66
+ "name": "eval() Usage (unicode-escaped)",
67
+ "type": "eval_abuse",
68
+ "pattern": "\\\\u0065\\\\u0076\\\\u0061\\\\u006[cC]",
69
+ "flags": "",
70
+ "severity": "error",
71
+ "message": "Obfuscated eval() usage (unicode escapes) is dangerous and should be avoided"
72
+ },
73
+ {
74
+ "id": "SEC005",
75
+ "name": "innerHTML/document.write Assignment",
76
+ "type": "xss",
77
+ "pattern": "\\.innerHTML\\s*=|\\bdocument\\.write\\s*\\(",
78
+ "flags": "",
79
+ "severity": "warning",
80
+ "message": "innerHTML/document.write can cause XSS - consider using textContent or sanitization"
81
+ },
82
+ {
83
+ "id": "SEC006",
84
+ "name": "Disabled Security",
85
+ "type": "insecure_config",
86
+ "pattern": "rejectUnauthorized\\s*:\\s*false|verify\\s*=\\s*False|InsecureSkipVerify\\s*:\\s*true",
87
+ "flags": "",
88
+ "severity": "error",
89
+ "message": "SSL certificate validation disabled"
90
+ },
91
+ {
92
+ "id": "SEC007",
93
+ "name": "Exposed .env Reference",
94
+ "type": "insecure_config",
95
+ "pattern": "\\.env['\"]",
96
+ "flags": "",
97
+ "severity": "warning",
98
+ "message": "Direct .env file manipulation - ensure not exposed",
99
+ "context": "fs\\.(read|write)|path\\.join|open\\s*\\(|os\\.Open",
100
+ "contextFlags": "i"
101
+ },
102
+ {
103
+ "id": "SEC008",
104
+ "name": "Unsafe Block (Rust)",
105
+ "type": "memory_safety",
106
+ "pattern": "\\bunsafe\\s*\\{",
107
+ "flags": "",
108
+ "severity": "warning",
109
+ "message": "Rust unsafe block - verify memory safety guarantees"
110
+ },
111
+ {
112
+ "id": "SEC009",
113
+ "name": "Shell Execution (PHP/Ruby)",
114
+ "type": "command_injection",
115
+ "pattern": "\\bshell_exec\\s*\\(|\\bpassthru\\s*\\(|`[^`]+`",
116
+ "flags": "",
117
+ "severity": "error",
118
+ "message": "Shell execution function - command injection risk if input unsanitized"
119
+ },
120
+ {
121
+ "id": "SEC010",
122
+ "name": "Prototype Pollution",
123
+ "type": "prototype_pollution",
124
+ "pattern": "\\[\\s*['\"]__proto__['\"]\\s*\\]|\\.__proto__\\s*(=|\\[)|constructor\\s*\\[\\s*['\"]prototype['\"]\\s*\\]|constructor\\.prototype\\s*(=|\\[)|['\"]__proto__['\"]\\s*:",
125
+ "flags": "",
126
+ "severity": "error",
127
+ "message": "Possible prototype pollution via __proto__/constructor.prototype"
128
+ }
129
+ ]
@@ -0,0 +1,411 @@
1
+ [
2
+ {
3
+ "id": "CMD001",
4
+ "pattern": "exec(?:Sync|FileSync)?\\s*\\([^)]*\\+|os\\.system\\s*\\(|exec\\.Command\\s*\\([^)]*\\+",
5
+ "flags": "",
6
+ "category": "command_injection",
7
+ "description": "Command injection (original)",
8
+ "language": [
9
+ "js",
10
+ "ts",
11
+ "python",
12
+ "java",
13
+ "go",
14
+ "csharp",
15
+ "php",
16
+ "ruby",
17
+ "rust",
18
+ "kotlin"
19
+ ],
20
+ "severity": "critical"
21
+ },
22
+ {
23
+ "id": "CMD002",
24
+ "pattern": "spawn\\s*\\([^)]*shell\\s*:\\s*true",
25
+ "flags": "",
26
+ "category": "command_injection",
27
+ "description": "Command injection — JS/TS: spawn with shell:true, execa",
28
+ "language": [
29
+ "js",
30
+ "ts"
31
+ ],
32
+ "severity": "critical"
33
+ },
34
+ {
35
+ "id": "CMD003",
36
+ "pattern": "execa(?:\\.command)?\\s*\\(",
37
+ "flags": "",
38
+ "category": "command_injection",
39
+ "description": "Command injection — JS/TS: spawn with shell:true, execa",
40
+ "language": [
41
+ "js",
42
+ "ts"
43
+ ],
44
+ "severity": "critical"
45
+ },
46
+ {
47
+ "id": "CMD004",
48
+ "pattern": "subprocess\\s*\\.\\s*(?:call|check_output|Popen|run)\\s*\\([^)]*shell\\s*=\\s*True",
49
+ "flags": "",
50
+ "category": "command_injection",
51
+ "description": "Command injection — Python: subprocess variants with shell=True, os.popen, paramiko",
52
+ "language": [
53
+ "python"
54
+ ],
55
+ "severity": "critical"
56
+ },
57
+ {
58
+ "id": "CMD005",
59
+ "pattern": "os\\s*\\.\\s*popen\\s*\\(",
60
+ "flags": "",
61
+ "category": "command_injection",
62
+ "description": "Command injection — Python: subprocess variants with shell=True, os.popen, paramiko",
63
+ "language": [
64
+ "python"
65
+ ],
66
+ "severity": "critical"
67
+ },
68
+ {
69
+ "id": "CMD006",
70
+ "pattern": "\\.exec_command\\s*\\(",
71
+ "flags": "",
72
+ "category": "command_injection",
73
+ "description": "Command injection — Python: subprocess variants with shell=True, os.popen, paramiko",
74
+ "language": [
75
+ "python"
76
+ ],
77
+ "severity": "critical"
78
+ },
79
+ {
80
+ "id": "CMD007",
81
+ "pattern": "`[^`]*#\\{[^}]+\\}[^`]*`",
82
+ "flags": "",
83
+ "category": "command_injection",
84
+ "description": "Command injection — Ruby: backtick with interpolation, system, exec, Open3, IO.popen",
85
+ "language": [
86
+ "ruby"
87
+ ],
88
+ "severity": "critical"
89
+ },
90
+ {
91
+ "id": "CMD008",
92
+ "pattern": "\\b(?:system|exec)\\s*\\(\\s*[\"'`]?[^\"'`\\n]*#\\{|\\b(?:system|exec)\\s*\\(\\s*[\"'][^\"']*[\"']\\s*\\+",
93
+ "flags": "",
94
+ "category": "command_injection",
95
+ "description": "Command injection — Ruby: backtick with interpolation, system, exec, Open3, IO.popen",
96
+ "language": [
97
+ "ruby"
98
+ ],
99
+ "severity": "critical"
100
+ },
101
+ {
102
+ "id": "CMD009",
103
+ "pattern": "\\bIO\\.popen\\s*\\(|Open3\\.\\w+\\s*\\(",
104
+ "flags": "",
105
+ "category": "command_injection",
106
+ "description": "Command injection — Ruby: backtick with interpolation, system, exec, Open3, IO.popen",
107
+ "language": [
108
+ "ruby"
109
+ ],
110
+ "severity": "critical"
111
+ },
112
+ {
113
+ "id": "CMD010",
114
+ "pattern": "Runtime\\s*\\.\\s*getRuntime\\s*\\(\\s*\\)\\s*\\.\\s*exec\\s*\\(",
115
+ "flags": "",
116
+ "category": "command_injection",
117
+ "description": "Command injection — Java/Kotlin: Runtime.exec, ProcessBuilder",
118
+ "language": [
119
+ "kotlin",
120
+ "java"
121
+ ],
122
+ "severity": "critical"
123
+ },
124
+ {
125
+ "id": "CMD011",
126
+ "pattern": "new\\s+ProcessBuilder\\s*\\(",
127
+ "flags": "",
128
+ "category": "command_injection",
129
+ "description": "Command injection — Java/Kotlin: Runtime.exec, ProcessBuilder",
130
+ "language": [
131
+ "kotlin",
132
+ "java"
133
+ ],
134
+ "severity": "critical"
135
+ },
136
+ {
137
+ "id": "CMD012",
138
+ "pattern": "Process\\s*\\.\\s*Start\\s*\\(|new\\s+ProcessStartInfo\\s*[({]",
139
+ "flags": "",
140
+ "category": "command_injection",
141
+ "description": "Command injection — C#: Process.Start / ProcessStartInfo",
142
+ "language": [
143
+ "csharp"
144
+ ],
145
+ "severity": "critical"
146
+ },
147
+ {
148
+ "id": "CMD013",
149
+ "pattern": "Command\\s*::\\s*new\\s*\\(",
150
+ "flags": "",
151
+ "category": "command_injection",
152
+ "description": "Command injection — Rust: Command::new",
153
+ "language": [
154
+ "rust"
155
+ ],
156
+ "severity": "critical"
157
+ },
158
+ {
159
+ "id": "CMD014",
160
+ "pattern": "\\bshell_exec\\s*\\(|\\bpassthru\\s*\\(|\\bpopen\\s*\\(",
161
+ "flags": "",
162
+ "category": "command_injection",
163
+ "description": "Command injection — PHP: shell_exec, system, passthru, popen, backtick with variable",
164
+ "language": [
165
+ "php"
166
+ ],
167
+ "severity": "critical"
168
+ },
169
+ {
170
+ "id": "CMD015",
171
+ "pattern": "\\bsystem\\s*\\(\\s*[\"'][^\"']*[\"']\\s*\\.\\s*\\$|\\bsystem\\s*\\(\\s*\\$",
172
+ "flags": "",
173
+ "category": "command_injection",
174
+ "description": "Command injection — PHP: shell_exec, system, passthru, popen, backtick with variable",
175
+ "language": [
176
+ "php"
177
+ ],
178
+ "severity": "critical"
179
+ },
180
+ {
181
+ "id": "CMD016",
182
+ "pattern": "`[^`]*\\$(?:_GET|_POST|_REQUEST|_COOKIE|\\w+)[^`]*`",
183
+ "flags": "",
184
+ "category": "command_injection",
185
+ "description": "Command injection — PHP: shell_exec, system, passthru, popen, backtick with variable",
186
+ "language": [
187
+ "php"
188
+ ],
189
+ "severity": "critical"
190
+ },
191
+ {
192
+ "id": "CMD017",
193
+ "pattern": "exec\\s*\\.\\s*Command\\s*\\([^)]*fmt\\.Sprintf|exec\\s*\\.\\s*Command\\s*\\([^)]*parts\\b",
194
+ "flags": "",
195
+ "category": "command_injection",
196
+ "description": "Command injection — Go: exec.Command with fmt.Sprintf, user-split args, or /bin/sh -c pattern",
197
+ "language": [
198
+ "go"
199
+ ],
200
+ "severity": "critical"
201
+ },
202
+ {
203
+ "id": "CMD018",
204
+ "pattern": "exec\\s*\\.\\s*Command\\s*\\(\\s*[\"']\\/bin\\/(?:sh|bash)[\"']\\s*,\\s*[\"']-c[\"']",
205
+ "flags": "",
206
+ "category": "command_injection",
207
+ "description": "Command injection — Go: exec.Command with fmt.Sprintf, user-split args, or /bin/sh -c pattern",
208
+ "language": [
209
+ "go"
210
+ ],
211
+ "severity": "critical"
212
+ },
213
+ {
214
+ "id": "CMD019",
215
+ "pattern": "\\bexec\\s*\\(\\s*[\"'][^\"']*[\"']\\s*\\.\\s*\\$|\\bexec\\s*\\(\\s*\\$",
216
+ "flags": "",
217
+ "category": "command_injection",
218
+ "description": "Command injection — PHP: exec() with user input",
219
+ "language": [
220
+ "php"
221
+ ],
222
+ "severity": "critical"
223
+ },
224
+ {
225
+ "id": "CMD020",
226
+ "pattern": "ProcessStartInfo\\s*\\{[^}]*Arguments\\s*=\\s*\\$[\"']",
227
+ "flags": "i",
228
+ "category": "command_injection",
229
+ "description": "C# command injection: ProcessStartInfo / Process.Start with user input",
230
+ "language": [
231
+ "csharp"
232
+ ],
233
+ "severity": "critical"
234
+ },
235
+ {
236
+ "id": "CMD021",
237
+ "pattern": "Arguments\\s*=\\s*\\$[\"'][^\"']*\\{(?:host|cmd|args|input|filename|email|script)",
238
+ "flags": "i",
239
+ "category": "command_injection",
240
+ "description": "C# command injection: ProcessStartInfo / Process.Start with user input",
241
+ "language": [
242
+ "csharp"
243
+ ],
244
+ "severity": "critical"
245
+ },
246
+ {
247
+ "id": "CMD022",
248
+ "pattern": "new ProcessStartInfo\\s*\\(\\s*[\"'][^\"']*(?:bash|sh|cmd)[\"']",
249
+ "flags": "i",
250
+ "category": "command_injection",
251
+ "description": "C# command injection: ProcessStartInfo / Process.Start with user input",
252
+ "language": [
253
+ "csharp"
254
+ ],
255
+ "severity": "critical"
256
+ },
257
+ {
258
+ "id": "CMD023",
259
+ "pattern": "`[^`]*#\\{[^`]*`",
260
+ "flags": "",
261
+ "category": "command_injection",
262
+ "description": "Ruby command injection: backtick, system(), exec(), Open3, IO.popen",
263
+ "language": [
264
+ "ruby"
265
+ ],
266
+ "severity": "critical"
267
+ },
268
+ {
269
+ "id": "CMD024",
270
+ "pattern": "\\bsystem\\s*\\([^)]*#\\{",
271
+ "flags": "i",
272
+ "category": "command_injection",
273
+ "description": "Ruby command injection: backtick, system(), exec(), Open3, IO.popen",
274
+ "language": [
275
+ "ruby"
276
+ ],
277
+ "severity": "critical"
278
+ },
279
+ {
280
+ "id": "CMD025",
281
+ "pattern": "\\bexec\\s*\\([^)]*#\\{",
282
+ "flags": "i",
283
+ "category": "command_injection",
284
+ "description": "Ruby command injection: backtick, system(), exec(), Open3, IO.popen",
285
+ "language": [
286
+ "ruby"
287
+ ],
288
+ "severity": "critical"
289
+ },
290
+ {
291
+ "id": "CMD026",
292
+ "pattern": "Open3\\.capture2\\s*\\(.*(?:#\\{|cmd)",
293
+ "flags": "i",
294
+ "category": "command_injection",
295
+ "description": "Ruby command injection: backtick, system(), exec(), Open3, IO.popen",
296
+ "language": [
297
+ "ruby"
298
+ ],
299
+ "severity": "critical"
300
+ },
301
+ {
302
+ "id": "CMD027",
303
+ "pattern": "IO\\.popen\\s*\\([^)]*#\\{",
304
+ "flags": "i",
305
+ "category": "command_injection",
306
+ "description": "Ruby command injection: backtick, system(), exec(), Open3, IO.popen",
307
+ "language": [
308
+ "ruby"
309
+ ],
310
+ "severity": "critical"
311
+ },
312
+ {
313
+ "id": "CMD028",
314
+ "pattern": "\\bspawn\\s*\\([^)]*#\\{",
315
+ "flags": "i",
316
+ "category": "command_injection",
317
+ "description": "Ruby command injection: backtick, system(), exec(), Open3, IO.popen",
318
+ "language": [
319
+ "ruby"
320
+ ],
321
+ "severity": "critical"
322
+ },
323
+ {
324
+ "id": "CMD029",
325
+ "pattern": "\\bexec\\s*\\(\\s*[\"'][^\"']*[\"']?\\s*\\.\\s*\\$(?:_GET|_POST|host|cmd|ip)",
326
+ "flags": "i",
327
+ "category": "command_injection",
328
+ "description": "PHP command injection",
329
+ "language": [
330
+ "php"
331
+ ],
332
+ "severity": "critical"
333
+ },
334
+ {
335
+ "id": "CMD030",
336
+ "pattern": "shell_exec\\s*\\([^)]*\\$(?:_GET|_POST|domain|ip|host|cmd|server)",
337
+ "flags": "i",
338
+ "category": "command_injection",
339
+ "description": "PHP command injection",
340
+ "language": [
341
+ "php"
342
+ ],
343
+ "severity": "critical"
344
+ },
345
+ {
346
+ "id": "CMD031",
347
+ "pattern": "\\bsystem\\s*\\([^)]*\\$(?:_GET|_POST|src|dest|format|file)",
348
+ "flags": "i",
349
+ "category": "command_injection",
350
+ "description": "PHP command injection",
351
+ "language": [
352
+ "php"
353
+ ],
354
+ "severity": "critical"
355
+ },
356
+ {
357
+ "id": "CMD032",
358
+ "pattern": "passthru\\s*\\([^)]*\\$(?:_POST|_GET|archive|zip|dest)",
359
+ "flags": "i",
360
+ "category": "command_injection",
361
+ "description": "PHP command injection",
362
+ "language": [
363
+ "php"
364
+ ],
365
+ "severity": "critical"
366
+ },
367
+ {
368
+ "id": "CMD033",
369
+ "pattern": "popen\\s*\\(\\s*[\"'][^\"']*[\"']?\\s*\\.\\s*\\$(?:_GET|pattern|logfile)",
370
+ "flags": "i",
371
+ "category": "command_injection",
372
+ "description": "PHP command injection",
373
+ "language": [
374
+ "php"
375
+ ],
376
+ "severity": "critical"
377
+ },
378
+ {
379
+ "id": "CMD034",
380
+ "pattern": "exec\\.Command\\s*\\(\\s*[\"'][^\"']*(?:bash|sh)[\"'][^)]*\"-c\"",
381
+ "flags": "i",
382
+ "category": "command_injection",
383
+ "description": "Go command injection",
384
+ "language": [
385
+ "go"
386
+ ],
387
+ "severity": "critical"
388
+ },
389
+ {
390
+ "id": "CMD035",
391
+ "pattern": "exec\\.Command\\s*\\(\\s*[\"'][^\"']*(?:sh|bash)[\"'][^)]*cmdStr",
392
+ "flags": "i",
393
+ "category": "command_injection",
394
+ "description": "Go command injection",
395
+ "language": [
396
+ "go"
397
+ ],
398
+ "severity": "critical"
399
+ },
400
+ {
401
+ "id": "CMD036",
402
+ "pattern": "cmd\\s*:=\\s*exec\\.Command\\s*\\([^)]*\\+",
403
+ "flags": "i",
404
+ "category": "command_injection",
405
+ "description": "Go command injection",
406
+ "language": [
407
+ "go"
408
+ ],
409
+ "severity": "critical"
410
+ }
411
+ ]
@@ -0,0 +1,35 @@
1
+ [
2
+ {
3
+ "id": "CMISUSE001",
4
+ "pattern": "use\\s+md5\\b|md5::compute|ecb_encrypt|AesCipher|nonce\\s*=\\s*0\\b",
5
+ "flags": "i",
6
+ "category": "crypto_misuse",
7
+ "description": "crypto_misuse (Rust-specific)",
8
+ "language": [
9
+ "rust"
10
+ ],
11
+ "severity": "medium"
12
+ },
13
+ {
14
+ "id": "CMISUSE002",
15
+ "pattern": "\\bxor_encrypt\\b|\\bxor_decrypt\\b|\\brot13\\b|\\bcaesar_cipher\\b",
16
+ "flags": "i",
17
+ "category": "crypto_misuse",
18
+ "description": "Rust: crypto misuse (homegrown ciphers)",
19
+ "language": [
20
+ "rust"
21
+ ],
22
+ "severity": "medium"
23
+ },
24
+ {
25
+ "id": "CMISUSE003",
26
+ "pattern": "struct\\s+Rc4\\b|\\brc4\\b",
27
+ "flags": "i",
28
+ "category": "crypto_misuse",
29
+ "description": "Rust: crypto misuse (homegrown ciphers)",
30
+ "language": [
31
+ "rust"
32
+ ],
33
+ "severity": "medium"
34
+ }
35
+ ]