thuban 0.4.3 → 0.4.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (747) hide show
  1. package/LICENSE +21 -21
  2. package/README.md +437 -187
  3. package/dist/LICENSE +21 -21
  4. package/dist/README.md +437 -187
  5. package/dist/cli.js +1 -1
  6. package/dist/package.json +64 -63
  7. package/dist/packages/crucible/.golden/golden-master.json +413 -413
  8. package/dist/packages/crucible/mutation-engine.js +1 -1
  9. package/dist/packages/crucible/pattern-learner.js +1 -1
  10. package/dist/packages/crucible/rule-loader.js +1 -1
  11. package/dist/packages/crucible/rules/code-scanner-core.json +281 -147
  12. package/dist/packages/crucible/rules/command-injection.json +411 -411
  13. package/dist/packages/crucible/rules/crypto-misuse.json +35 -35
  14. package/dist/packages/crucible/rules/deserialization.json +152 -152
  15. package/dist/packages/crucible/rules/env-injection.json +46 -46
  16. package/dist/packages/crucible/rules/eval-abuse.json +104 -104
  17. package/dist/packages/crucible/rules/file-upload.json +46 -46
  18. package/dist/packages/crucible/rules/hallucination.json +22 -22
  19. package/dist/packages/crucible/rules/hardcoded-secret.json +397 -397
  20. package/dist/packages/crucible/rules/hardcoded-url.json +13 -13
  21. package/dist/packages/crucible/rules/insecure-crypto.json +302 -302
  22. package/dist/packages/crucible/rules/integer-overflow.json +35 -35
  23. package/dist/packages/crucible/rules/log-injection.json +33 -33
  24. package/dist/packages/crucible/rules/mass-assignment.json +112 -112
  25. package/dist/packages/crucible/rules/open-redirect.json +196 -196
  26. package/dist/packages/crucible/rules/path-traversal.json +422 -422
  27. package/dist/packages/crucible/rules/prototype-pollution.json +22 -22
  28. package/dist/packages/crucible/rules/sql-injection.json +619 -619
  29. package/dist/packages/crucible/rules/ssrf.json +557 -557
  30. package/dist/packages/crucible/rules/timing-attack.json +55 -55
  31. package/dist/packages/crucible/rules/unsafe-block.json +24 -24
  32. package/dist/packages/crucible/rules/xss.json +663 -663
  33. package/dist/packages/crucible/rules/xxe.json +66 -66
  34. package/dist/packages/crucible/rules/yaml-deserialization.json +22 -22
  35. package/dist/packages/crucible/rules/yaml-injection.json +22 -22
  36. package/dist/packages/crucible/seeding-engine.js +1 -1
  37. package/dist/packages/crucible/seeds/csharp/seed-001.cs +28 -28
  38. package/dist/packages/crucible/seeds/csharp/seed-002.cs +24 -24
  39. package/dist/packages/crucible/seeds/csharp/seed-003.cs +30 -30
  40. package/dist/packages/crucible/seeds/csharp/seed-004.cs +31 -31
  41. package/dist/packages/crucible/seeds/csharp/seed-005.cs +28 -28
  42. package/dist/packages/crucible/seeds/csharp/seed-006.cs +25 -25
  43. package/dist/packages/crucible/seeds/csharp/seed-007.cs +34 -34
  44. package/dist/packages/crucible/seeds/csharp/seed-008.cs +23 -23
  45. package/dist/packages/crucible/seeds/csharp/seed-009.cs +27 -27
  46. package/dist/packages/crucible/seeds/csharp/seed-010.cs +29 -29
  47. package/dist/packages/crucible/seeds/csharp/seed-011.cs +32 -32
  48. package/dist/packages/crucible/seeds/csharp/seed-012.cs +27 -27
  49. package/dist/packages/crucible/seeds/csharp/seed-013.cs +27 -27
  50. package/dist/packages/crucible/seeds/csharp/seed-014.cs +26 -26
  51. package/dist/packages/crucible/seeds/csharp/seed-015.cs +33 -33
  52. package/dist/packages/crucible/seeds/csharp/seed-016.cs +25 -25
  53. package/dist/packages/crucible/seeds/csharp/seed-017.cs +22 -22
  54. package/dist/packages/crucible/seeds/csharp/seed-018.cs +26 -26
  55. package/dist/packages/crucible/seeds/csharp/seed-019.cs +25 -25
  56. package/dist/packages/crucible/seeds/csharp/seed-020.cs +22 -22
  57. package/dist/packages/crucible/seeds/csharp/seed-021.cs +28 -28
  58. package/dist/packages/crucible/seeds/csharp/seed-022.cs +25 -25
  59. package/dist/packages/crucible/seeds/csharp/seed-023.cs +33 -33
  60. package/dist/packages/crucible/seeds/csharp/seed-024.cs +31 -31
  61. package/dist/packages/crucible/seeds/csharp/seed-025.cs +31 -31
  62. package/dist/packages/crucible/seeds/csharp/seed-026.cs +25 -25
  63. package/dist/packages/crucible/seeds/csharp/seed-027.cs +29 -29
  64. package/dist/packages/crucible/seeds/csharp/seed-028.cs +25 -25
  65. package/dist/packages/crucible/seeds/csharp/seed-029.cs +27 -27
  66. package/dist/packages/crucible/seeds/csharp/seed-030.cs +27 -27
  67. package/dist/packages/crucible/seeds/csharp/seed-031.cs +28 -28
  68. package/dist/packages/crucible/seeds/csharp/seed-032.cs +30 -30
  69. package/dist/packages/crucible/seeds/csharp/seed-033.cs +27 -27
  70. package/dist/packages/crucible/seeds/csharp/seed-034.cs +25 -25
  71. package/dist/packages/crucible/seeds/csharp/seed-035.cs +32 -32
  72. package/dist/packages/crucible/seeds/csharp/seed-036.cs +28 -28
  73. package/dist/packages/crucible/seeds/csharp/seed-037.cs +29 -29
  74. package/dist/packages/crucible/seeds/csharp/seed-038.cs +28 -28
  75. package/dist/packages/crucible/seeds/csharp/seed-039.cs +29 -29
  76. package/dist/packages/crucible/seeds/csharp/seed-040.cs +28 -28
  77. package/dist/packages/crucible/seeds/csharp/seed-041.cs +33 -33
  78. package/dist/packages/crucible/seeds/csharp/seed-042.cs +27 -27
  79. package/dist/packages/crucible/seeds/csharp/seed-043.cs +27 -27
  80. package/dist/packages/crucible/seeds/csharp/seed-044.cs +25 -25
  81. package/dist/packages/crucible/seeds/csharp/seed-045.cs +30 -30
  82. package/dist/packages/crucible/seeds/csharp/seed-046.cs +29 -29
  83. package/dist/packages/crucible/seeds/csharp/seed-047.cs +26 -26
  84. package/dist/packages/crucible/seeds/csharp/seed-048.cs +31 -31
  85. package/dist/packages/crucible/seeds/csharp/seed-049.cs +27 -27
  86. package/dist/packages/crucible/seeds/csharp/seed-050.cs +30 -30
  87. package/dist/packages/crucible/seeds/csharp/seed-051.cs +34 -34
  88. package/dist/packages/crucible/seeds/csharp/seed-052.cs +36 -36
  89. package/dist/packages/crucible/seeds/go/seed-001.go +29 -29
  90. package/dist/packages/crucible/seeds/go/seed-002.go +27 -27
  91. package/dist/packages/crucible/seeds/go/seed-003.go +31 -31
  92. package/dist/packages/crucible/seeds/go/seed-004.go +27 -27
  93. package/dist/packages/crucible/seeds/go/seed-005.go +27 -27
  94. package/dist/packages/crucible/seeds/go/seed-006.go +29 -29
  95. package/dist/packages/crucible/seeds/go/seed-007.go +24 -24
  96. package/dist/packages/crucible/seeds/go/seed-008.go +25 -25
  97. package/dist/packages/crucible/seeds/go/seed-009.go +30 -30
  98. package/dist/packages/crucible/seeds/go/seed-010.go +35 -35
  99. package/dist/packages/crucible/seeds/go/seed-011.go +24 -24
  100. package/dist/packages/crucible/seeds/go/seed-012.go +24 -24
  101. package/dist/packages/crucible/seeds/go/seed-013.go +31 -31
  102. package/dist/packages/crucible/seeds/go/seed-014.go +35 -35
  103. package/dist/packages/crucible/seeds/go/seed-015.go +25 -25
  104. package/dist/packages/crucible/seeds/go/seed-016.go +19 -19
  105. package/dist/packages/crucible/seeds/go/seed-017.go +23 -23
  106. package/dist/packages/crucible/seeds/go/seed-018.go +23 -23
  107. package/dist/packages/crucible/seeds/go/seed-019.go +22 -22
  108. package/dist/packages/crucible/seeds/go/seed-020.go +31 -31
  109. package/dist/packages/crucible/seeds/go/seed-021.go +22 -22
  110. package/dist/packages/crucible/seeds/go/seed-022.go +29 -29
  111. package/dist/packages/crucible/seeds/go/seed-023.go +26 -26
  112. package/dist/packages/crucible/seeds/go/seed-024.go +27 -27
  113. package/dist/packages/crucible/seeds/go/seed-025.go +23 -23
  114. package/dist/packages/crucible/seeds/go/seed-026.go +29 -29
  115. package/dist/packages/crucible/seeds/go/seed-027.go +26 -26
  116. package/dist/packages/crucible/seeds/go/seed-028.go +23 -23
  117. package/dist/packages/crucible/seeds/go/seed-029.go +28 -28
  118. package/dist/packages/crucible/seeds/go/seed-030.go +27 -27
  119. package/dist/packages/crucible/seeds/go/seed-031.go +28 -28
  120. package/dist/packages/crucible/seeds/go/seed-032.go +27 -27
  121. package/dist/packages/crucible/seeds/go/seed-033.go +29 -29
  122. package/dist/packages/crucible/seeds/go/seed-034.go +22 -22
  123. package/dist/packages/crucible/seeds/go/seed-035.go +32 -32
  124. package/dist/packages/crucible/seeds/go/seed-036.go +27 -27
  125. package/dist/packages/crucible/seeds/go/seed-037.go +27 -27
  126. package/dist/packages/crucible/seeds/go/seed-038.go +27 -27
  127. package/dist/packages/crucible/seeds/go/seed-039.go +26 -26
  128. package/dist/packages/crucible/seeds/go/seed-040.go +37 -37
  129. package/dist/packages/crucible/seeds/go/seed-041.go +23 -23
  130. package/dist/packages/crucible/seeds/go/seed-042.go +32 -32
  131. package/dist/packages/crucible/seeds/go/seed-043.go +35 -35
  132. package/dist/packages/crucible/seeds/go/seed-044.go +25 -25
  133. package/dist/packages/crucible/seeds/go/seed-045.go +26 -26
  134. package/dist/packages/crucible/seeds/go/seed-046.go +34 -34
  135. package/dist/packages/crucible/seeds/go/seed-047.go +26 -26
  136. package/dist/packages/crucible/seeds/go/seed-048.go +29 -29
  137. package/dist/packages/crucible/seeds/go/seed-049.go +24 -24
  138. package/dist/packages/crucible/seeds/go/seed-050.go +27 -27
  139. package/dist/packages/crucible/seeds/go/seed-051.go +38 -38
  140. package/dist/packages/crucible/seeds/go/seed-052.go +27 -27
  141. package/dist/packages/crucible/seeds/java/seed-001.java +23 -23
  142. package/dist/packages/crucible/seeds/java/seed-002.java +22 -22
  143. package/dist/packages/crucible/seeds/java/seed-003.java +28 -28
  144. package/dist/packages/crucible/seeds/java/seed-004.java +26 -26
  145. package/dist/packages/crucible/seeds/java/seed-005.java +33 -33
  146. package/dist/packages/crucible/seeds/java/seed-006.java +22 -22
  147. package/dist/packages/crucible/seeds/java/seed-007.java +21 -21
  148. package/dist/packages/crucible/seeds/java/seed-008.java +29 -29
  149. package/dist/packages/crucible/seeds/java/seed-009.java +24 -24
  150. package/dist/packages/crucible/seeds/java/seed-010.java +30 -30
  151. package/dist/packages/crucible/seeds/java/seed-011.java +25 -25
  152. package/dist/packages/crucible/seeds/java/seed-012.java +20 -20
  153. package/dist/packages/crucible/seeds/java/seed-013.java +26 -26
  154. package/dist/packages/crucible/seeds/java/seed-014.java +23 -23
  155. package/dist/packages/crucible/seeds/java/seed-015.java +25 -25
  156. package/dist/packages/crucible/seeds/java/seed-016.java +22 -22
  157. package/dist/packages/crucible/seeds/java/seed-017.java +24 -24
  158. package/dist/packages/crucible/seeds/java/seed-018.java +24 -24
  159. package/dist/packages/crucible/seeds/java/seed-019.java +38 -38
  160. package/dist/packages/crucible/seeds/java/seed-020.java +24 -24
  161. package/dist/packages/crucible/seeds/java/seed-021.java +22 -22
  162. package/dist/packages/crucible/seeds/java/seed-022.java +22 -22
  163. package/dist/packages/crucible/seeds/java/seed-023.java +22 -22
  164. package/dist/packages/crucible/seeds/java/seed-024.java +25 -25
  165. package/dist/packages/crucible/seeds/java/seed-025.java +27 -27
  166. package/dist/packages/crucible/seeds/java/seed-026.java +25 -25
  167. package/dist/packages/crucible/seeds/java/seed-027.java +22 -22
  168. package/dist/packages/crucible/seeds/java/seed-028.java +21 -21
  169. package/dist/packages/crucible/seeds/java/seed-029.java +28 -28
  170. package/dist/packages/crucible/seeds/java/seed-030.java +27 -27
  171. package/dist/packages/crucible/seeds/java/seed-031.java +23 -23
  172. package/dist/packages/crucible/seeds/java/seed-032.java +22 -22
  173. package/dist/packages/crucible/seeds/java/seed-033.java +24 -24
  174. package/dist/packages/crucible/seeds/java/seed-034.java +24 -24
  175. package/dist/packages/crucible/seeds/java/seed-035.java +29 -29
  176. package/dist/packages/crucible/seeds/java/seed-036.java +25 -25
  177. package/dist/packages/crucible/seeds/java/seed-037.java +30 -30
  178. package/dist/packages/crucible/seeds/java/seed-038.java +29 -29
  179. package/dist/packages/crucible/seeds/java/seed-039.java +26 -26
  180. package/dist/packages/crucible/seeds/java/seed-040.java +31 -31
  181. package/dist/packages/crucible/seeds/java/seed-041.java +20 -20
  182. package/dist/packages/crucible/seeds/java/seed-042.java +26 -26
  183. package/dist/packages/crucible/seeds/java/seed-043.java +31 -31
  184. package/dist/packages/crucible/seeds/java/seed-044.java +22 -22
  185. package/dist/packages/crucible/seeds/java/seed-045.java +25 -25
  186. package/dist/packages/crucible/seeds/java/seed-046.java +22 -22
  187. package/dist/packages/crucible/seeds/java/seed-047.java +26 -26
  188. package/dist/packages/crucible/seeds/java/seed-048.java +24 -24
  189. package/dist/packages/crucible/seeds/java/seed-049.java +28 -28
  190. package/dist/packages/crucible/seeds/java/seed-050.java +29 -29
  191. package/dist/packages/crucible/seeds/java/seed-051.java +25 -25
  192. package/dist/packages/crucible/seeds/java/seed-052.java +32 -32
  193. package/dist/packages/crucible/seeds/js/seed-001.js +27 -27
  194. package/dist/packages/crucible/seeds/js/seed-002.js +28 -28
  195. package/dist/packages/crucible/seeds/js/seed-003.js +30 -30
  196. package/dist/packages/crucible/seeds/js/seed-004.js +28 -28
  197. package/dist/packages/crucible/seeds/js/seed-005.js +31 -31
  198. package/dist/packages/crucible/seeds/js/seed-006.js +28 -28
  199. package/dist/packages/crucible/seeds/js/seed-007.js +26 -26
  200. package/dist/packages/crucible/seeds/js/seed-008.js +30 -30
  201. package/dist/packages/crucible/seeds/js/seed-009.js +30 -30
  202. package/dist/packages/crucible/seeds/js/seed-010.js +29 -29
  203. package/dist/packages/crucible/seeds/js/seed-011.js +34 -34
  204. package/dist/packages/crucible/seeds/js/seed-012.js +32 -32
  205. package/dist/packages/crucible/seeds/js/seed-013.js +29 -29
  206. package/dist/packages/crucible/seeds/js/seed-014.js +29 -29
  207. package/dist/packages/crucible/seeds/js/seed-015.js +31 -31
  208. package/dist/packages/crucible/seeds/js/seed-016.js +31 -31
  209. package/dist/packages/crucible/seeds/js/seed-017.js +30 -30
  210. package/dist/packages/crucible/seeds/js/seed-018.js +29 -29
  211. package/dist/packages/crucible/seeds/js/seed-019.js +32 -32
  212. package/dist/packages/crucible/seeds/js/seed-020.js +29 -29
  213. package/dist/packages/crucible/seeds/js/seed-021.js +31 -31
  214. package/dist/packages/crucible/seeds/js/seed-022.js +31 -31
  215. package/dist/packages/crucible/seeds/js/seed-023.js +29 -29
  216. package/dist/packages/crucible/seeds/js/seed-024.js +29 -29
  217. package/dist/packages/crucible/seeds/js/seed-025.js +34 -34
  218. package/dist/packages/crucible/seeds/js/seed-026.js +31 -31
  219. package/dist/packages/crucible/seeds/js/seed-027.js +31 -31
  220. package/dist/packages/crucible/seeds/js/seed-028.js +33 -33
  221. package/dist/packages/crucible/seeds/js/seed-029.js +33 -33
  222. package/dist/packages/crucible/seeds/js/seed-030.js +30 -30
  223. package/dist/packages/crucible/seeds/js/seed-031.js +31 -31
  224. package/dist/packages/crucible/seeds/js/seed-032.js +34 -34
  225. package/dist/packages/crucible/seeds/js/seed-033.js +33 -33
  226. package/dist/packages/crucible/seeds/js/seed-034.js +33 -33
  227. package/dist/packages/crucible/seeds/js/seed-035.js +30 -30
  228. package/dist/packages/crucible/seeds/js/seed-036.js +30 -30
  229. package/dist/packages/crucible/seeds/js/seed-037.js +29 -29
  230. package/dist/packages/crucible/seeds/js/seed-038.js +31 -31
  231. package/dist/packages/crucible/seeds/js/seed-039.js +34 -34
  232. package/dist/packages/crucible/seeds/js/seed-040.js +35 -35
  233. package/dist/packages/crucible/seeds/js/seed-041.js +32 -32
  234. package/dist/packages/crucible/seeds/js/seed-042.js +32 -32
  235. package/dist/packages/crucible/seeds/js/seed-043.js +27 -27
  236. package/dist/packages/crucible/seeds/js/seed-044.js +29 -29
  237. package/dist/packages/crucible/seeds/js/seed-045.js +33 -33
  238. package/dist/packages/crucible/seeds/js/seed-046.js +33 -33
  239. package/dist/packages/crucible/seeds/js/seed-047.js +29 -29
  240. package/dist/packages/crucible/seeds/js/seed-048.js +29 -29
  241. package/dist/packages/crucible/seeds/js/seed-049.js +34 -34
  242. package/dist/packages/crucible/seeds/js/seed-050.js +34 -34
  243. package/dist/packages/crucible/seeds/js/seed-051.js +30 -30
  244. package/dist/packages/crucible/seeds/js/seed-052.js +30 -30
  245. package/dist/packages/crucible/seeds/js/seed-053.js +26 -26
  246. package/dist/packages/crucible/seeds/js/seed-054.js +35 -35
  247. package/dist/packages/crucible/seeds/js/seed-055.js +33 -33
  248. package/dist/packages/crucible/seeds/kotlin/seed-001.kt +24 -24
  249. package/dist/packages/crucible/seeds/kotlin/seed-002.kt +27 -27
  250. package/dist/packages/crucible/seeds/kotlin/seed-003.kt +29 -29
  251. package/dist/packages/crucible/seeds/kotlin/seed-004.kt +24 -24
  252. package/dist/packages/crucible/seeds/kotlin/seed-005.kt +29 -29
  253. package/dist/packages/crucible/seeds/kotlin/seed-006.kt +21 -21
  254. package/dist/packages/crucible/seeds/kotlin/seed-007.kt +23 -23
  255. package/dist/packages/crucible/seeds/kotlin/seed-008.kt +25 -25
  256. package/dist/packages/crucible/seeds/kotlin/seed-009.kt +21 -21
  257. package/dist/packages/crucible/seeds/kotlin/seed-010.kt +28 -28
  258. package/dist/packages/crucible/seeds/kotlin/seed-011.kt +22 -22
  259. package/dist/packages/crucible/seeds/kotlin/seed-012.kt +25 -25
  260. package/dist/packages/crucible/seeds/kotlin/seed-013.kt +30 -30
  261. package/dist/packages/crucible/seeds/kotlin/seed-014.kt +27 -27
  262. package/dist/packages/crucible/seeds/kotlin/seed-015.kt +24 -24
  263. package/dist/packages/crucible/seeds/kotlin/seed-016.kt +28 -28
  264. package/dist/packages/crucible/seeds/kotlin/seed-017.kt +33 -33
  265. package/dist/packages/crucible/seeds/kotlin/seed-018.kt +31 -31
  266. package/dist/packages/crucible/seeds/kotlin/seed-019.kt +28 -28
  267. package/dist/packages/crucible/seeds/kotlin/seed-020.kt +31 -31
  268. package/dist/packages/crucible/seeds/kotlin/seed-021.kt +34 -34
  269. package/dist/packages/crucible/seeds/kotlin/seed-022.kt +29 -29
  270. package/dist/packages/crucible/seeds/kotlin/seed-023.kt +20 -20
  271. package/dist/packages/crucible/seeds/kotlin/seed-024.kt +23 -23
  272. package/dist/packages/crucible/seeds/kotlin/seed-025.kt +23 -23
  273. package/dist/packages/crucible/seeds/kotlin/seed-026.kt +26 -26
  274. package/dist/packages/crucible/seeds/kotlin/seed-027.kt +29 -29
  275. package/dist/packages/crucible/seeds/kotlin/seed-028.kt +24 -24
  276. package/dist/packages/crucible/seeds/kotlin/seed-029.kt +27 -27
  277. package/dist/packages/crucible/seeds/kotlin/seed-030.kt +26 -26
  278. package/dist/packages/crucible/seeds/kotlin/seed-031.kt +28 -28
  279. package/dist/packages/crucible/seeds/kotlin/seed-032.kt +29 -29
  280. package/dist/packages/crucible/seeds/kotlin/seed-033.kt +30 -30
  281. package/dist/packages/crucible/seeds/kotlin/seed-034.kt +26 -26
  282. package/dist/packages/crucible/seeds/kotlin/seed-035.kt +33 -33
  283. package/dist/packages/crucible/seeds/kotlin/seed-036.kt +25 -25
  284. package/dist/packages/crucible/seeds/kotlin/seed-037.kt +26 -26
  285. package/dist/packages/crucible/seeds/kotlin/seed-038.kt +25 -25
  286. package/dist/packages/crucible/seeds/kotlin/seed-039.kt +29 -29
  287. package/dist/packages/crucible/seeds/kotlin/seed-040.kt +28 -28
  288. package/dist/packages/crucible/seeds/kotlin/seed-041.kt +31 -31
  289. package/dist/packages/crucible/seeds/kotlin/seed-042.kt +27 -27
  290. package/dist/packages/crucible/seeds/kotlin/seed-043.kt +26 -26
  291. package/dist/packages/crucible/seeds/kotlin/seed-044.kt +27 -27
  292. package/dist/packages/crucible/seeds/kotlin/seed-045.kt +27 -27
  293. package/dist/packages/crucible/seeds/kotlin/seed-046.kt +33 -33
  294. package/dist/packages/crucible/seeds/kotlin/seed-047.kt +32 -32
  295. package/dist/packages/crucible/seeds/kotlin/seed-048.kt +20 -20
  296. package/dist/packages/crucible/seeds/kotlin/seed-049.kt +23 -23
  297. package/dist/packages/crucible/seeds/kotlin/seed-050.kt +19 -19
  298. package/dist/packages/crucible/seeds/php/seed-001.php +23 -23
  299. package/dist/packages/crucible/seeds/php/seed-002.php +18 -18
  300. package/dist/packages/crucible/seeds/php/seed-003.php +25 -25
  301. package/dist/packages/crucible/seeds/php/seed-004.php +21 -21
  302. package/dist/packages/crucible/seeds/php/seed-005.php +21 -21
  303. package/dist/packages/crucible/seeds/php/seed-006.php +21 -21
  304. package/dist/packages/crucible/seeds/php/seed-007.php +18 -18
  305. package/dist/packages/crucible/seeds/php/seed-008.php +19 -19
  306. package/dist/packages/crucible/seeds/php/seed-009.php +24 -24
  307. package/dist/packages/crucible/seeds/php/seed-010.php +24 -24
  308. package/dist/packages/crucible/seeds/php/seed-011.php +18 -18
  309. package/dist/packages/crucible/seeds/php/seed-012.php +24 -24
  310. package/dist/packages/crucible/seeds/php/seed-013.php +23 -23
  311. package/dist/packages/crucible/seeds/php/seed-014.php +20 -20
  312. package/dist/packages/crucible/seeds/php/seed-015.php +18 -18
  313. package/dist/packages/crucible/seeds/php/seed-016.php +18 -18
  314. package/dist/packages/crucible/seeds/php/seed-017.php +18 -18
  315. package/dist/packages/crucible/seeds/php/seed-018.php +17 -17
  316. package/dist/packages/crucible/seeds/php/seed-019.php +24 -24
  317. package/dist/packages/crucible/seeds/php/seed-020.php +19 -19
  318. package/dist/packages/crucible/seeds/php/seed-021.php +22 -22
  319. package/dist/packages/crucible/seeds/php/seed-022.php +15 -15
  320. package/dist/packages/crucible/seeds/php/seed-023.php +24 -24
  321. package/dist/packages/crucible/seeds/php/seed-024.php +22 -22
  322. package/dist/packages/crucible/seeds/php/seed-025.php +20 -20
  323. package/dist/packages/crucible/seeds/php/seed-026.php +22 -22
  324. package/dist/packages/crucible/seeds/php/seed-027.php +15 -15
  325. package/dist/packages/crucible/seeds/php/seed-028.php +15 -15
  326. package/dist/packages/crucible/seeds/php/seed-029.php +21 -21
  327. package/dist/packages/crucible/seeds/php/seed-030.php +21 -21
  328. package/dist/packages/crucible/seeds/php/seed-031.php +23 -23
  329. package/dist/packages/crucible/seeds/php/seed-032.php +18 -18
  330. package/dist/packages/crucible/seeds/php/seed-033.php +18 -18
  331. package/dist/packages/crucible/seeds/php/seed-034.php +24 -24
  332. package/dist/packages/crucible/seeds/php/seed-035.php +22 -22
  333. package/dist/packages/crucible/seeds/php/seed-036.php +17 -17
  334. package/dist/packages/crucible/seeds/php/seed-037.php +19 -19
  335. package/dist/packages/crucible/seeds/php/seed-038.php +20 -20
  336. package/dist/packages/crucible/seeds/php/seed-039.php +15 -15
  337. package/dist/packages/crucible/seeds/php/seed-040.php +21 -21
  338. package/dist/packages/crucible/seeds/php/seed-041.php +20 -20
  339. package/dist/packages/crucible/seeds/php/seed-042.php +21 -21
  340. package/dist/packages/crucible/seeds/php/seed-043.php +21 -21
  341. package/dist/packages/crucible/seeds/php/seed-044.php +25 -25
  342. package/dist/packages/crucible/seeds/php/seed-045.php +25 -25
  343. package/dist/packages/crucible/seeds/php/seed-046.php +20 -20
  344. package/dist/packages/crucible/seeds/php/seed-047.php +21 -21
  345. package/dist/packages/crucible/seeds/php/seed-048.php +19 -19
  346. package/dist/packages/crucible/seeds/php/seed-049.php +18 -18
  347. package/dist/packages/crucible/seeds/php/seed-050.php +20 -20
  348. package/dist/packages/crucible/seeds/python/seed-001.py +33 -33
  349. package/dist/packages/crucible/seeds/python/seed-002.py +39 -39
  350. package/dist/packages/crucible/seeds/python/seed-003.py +31 -31
  351. package/dist/packages/crucible/seeds/python/seed-004.py +33 -33
  352. package/dist/packages/crucible/seeds/python/seed-005.py +33 -33
  353. package/dist/packages/crucible/seeds/python/seed-006.py +34 -34
  354. package/dist/packages/crucible/seeds/python/seed-007.py +33 -33
  355. package/dist/packages/crucible/seeds/python/seed-008.py +38 -38
  356. package/dist/packages/crucible/seeds/python/seed-009.py +38 -38
  357. package/dist/packages/crucible/seeds/python/seed-010.py +42 -42
  358. package/dist/packages/crucible/seeds/python/seed-011.py +30 -30
  359. package/dist/packages/crucible/seeds/python/seed-012.py +35 -35
  360. package/dist/packages/crucible/seeds/python/seed-013.py +33 -33
  361. package/dist/packages/crucible/seeds/python/seed-014.py +40 -40
  362. package/dist/packages/crucible/seeds/python/seed-015.py +33 -33
  363. package/dist/packages/crucible/seeds/python/seed-016.py +34 -34
  364. package/dist/packages/crucible/seeds/python/seed-017.py +34 -34
  365. package/dist/packages/crucible/seeds/python/seed-018.py +30 -30
  366. package/dist/packages/crucible/seeds/python/seed-019.py +33 -33
  367. package/dist/packages/crucible/seeds/python/seed-020.py +37 -37
  368. package/dist/packages/crucible/seeds/python/seed-021 2.py +37 -37
  369. package/dist/packages/crucible/seeds/python/seed-021.py +37 -37
  370. package/dist/packages/crucible/seeds/python/seed-022 2.py +34 -34
  371. package/dist/packages/crucible/seeds/python/seed-022.py +34 -34
  372. package/dist/packages/crucible/seeds/python/seed-023 2.py +37 -37
  373. package/dist/packages/crucible/seeds/python/seed-023.py +37 -37
  374. package/dist/packages/crucible/seeds/python/seed-024 2.py +38 -38
  375. package/dist/packages/crucible/seeds/python/seed-024.py +38 -38
  376. package/dist/packages/crucible/seeds/python/seed-025 2.py +40 -40
  377. package/dist/packages/crucible/seeds/python/seed-025.py +40 -40
  378. package/dist/packages/crucible/seeds/python/seed-026 2.py +35 -35
  379. package/dist/packages/crucible/seeds/python/seed-026.py +35 -35
  380. package/dist/packages/crucible/seeds/python/seed-027 2.py +35 -35
  381. package/dist/packages/crucible/seeds/python/seed-027.py +35 -35
  382. package/dist/packages/crucible/seeds/python/seed-028 2.py +42 -42
  383. package/dist/packages/crucible/seeds/python/seed-028.py +42 -42
  384. package/dist/packages/crucible/seeds/python/seed-029.py +42 -42
  385. package/dist/packages/crucible/seeds/python/seed-030 2.py +37 -37
  386. package/dist/packages/crucible/seeds/python/seed-030.py +37 -37
  387. package/dist/packages/crucible/seeds/python/seed-031 2.py +34 -34
  388. package/dist/packages/crucible/seeds/python/seed-031.py +34 -34
  389. package/dist/packages/crucible/seeds/python/seed-032.py +33 -33
  390. package/dist/packages/crucible/seeds/python/seed-033.py +32 -32
  391. package/dist/packages/crucible/seeds/python/seed-034.py +38 -38
  392. package/dist/packages/crucible/seeds/python/seed-035.py +35 -35
  393. package/dist/packages/crucible/seeds/python/seed-036 2.py +33 -33
  394. package/dist/packages/crucible/seeds/python/seed-036.py +33 -33
  395. package/dist/packages/crucible/seeds/python/seed-037 2.py +41 -41
  396. package/dist/packages/crucible/seeds/python/seed-037.py +41 -41
  397. package/dist/packages/crucible/seeds/python/seed-038 2.py +33 -33
  398. package/dist/packages/crucible/seeds/python/seed-038.py +33 -33
  399. package/dist/packages/crucible/seeds/python/seed-039 2.py +39 -39
  400. package/dist/packages/crucible/seeds/python/seed-039.py +39 -39
  401. package/dist/packages/crucible/seeds/python/seed-040 2.py +39 -39
  402. package/dist/packages/crucible/seeds/python/seed-040.py +39 -39
  403. package/dist/packages/crucible/seeds/python/seed-041 2.py +37 -37
  404. package/dist/packages/crucible/seeds/python/seed-041.py +37 -37
  405. package/dist/packages/crucible/seeds/python/seed-042 2.py +38 -38
  406. package/dist/packages/crucible/seeds/python/seed-042.py +38 -38
  407. package/dist/packages/crucible/seeds/python/seed-043 2.py +32 -32
  408. package/dist/packages/crucible/seeds/python/seed-043.py +32 -32
  409. package/dist/packages/crucible/seeds/python/seed-044 2.py +38 -38
  410. package/dist/packages/crucible/seeds/python/seed-044.py +38 -38
  411. package/dist/packages/crucible/seeds/python/seed-045 2.py +36 -36
  412. package/dist/packages/crucible/seeds/python/seed-045.py +36 -36
  413. package/dist/packages/crucible/seeds/python/seed-046 2.py +33 -33
  414. package/dist/packages/crucible/seeds/python/seed-046.py +33 -33
  415. package/dist/packages/crucible/seeds/python/seed-047 2.py +44 -44
  416. package/dist/packages/crucible/seeds/python/seed-047.py +44 -44
  417. package/dist/packages/crucible/seeds/python/seed-048 2.py +35 -35
  418. package/dist/packages/crucible/seeds/python/seed-048.py +35 -35
  419. package/dist/packages/crucible/seeds/python/seed-049 2.py +39 -39
  420. package/dist/packages/crucible/seeds/python/seed-049.py +39 -39
  421. package/dist/packages/crucible/seeds/python/seed-050 2.py +39 -39
  422. package/dist/packages/crucible/seeds/python/seed-050.py +39 -39
  423. package/dist/packages/crucible/seeds/python/seed-051 2.py +38 -38
  424. package/dist/packages/crucible/seeds/python/seed-051.py +38 -38
  425. package/dist/packages/crucible/seeds/python/seed-052 2.py +41 -41
  426. package/dist/packages/crucible/seeds/python/seed-052.py +41 -41
  427. package/dist/packages/crucible/seeds/ruby/seed-001 2.rb +15 -15
  428. package/dist/packages/crucible/seeds/ruby/seed-001.rb +15 -15
  429. package/dist/packages/crucible/seeds/ruby/seed-002 2.rb +22 -22
  430. package/dist/packages/crucible/seeds/ruby/seed-002.rb +22 -22
  431. package/dist/packages/crucible/seeds/ruby/seed-003 2.rb +25 -25
  432. package/dist/packages/crucible/seeds/ruby/seed-003.rb +25 -25
  433. package/dist/packages/crucible/seeds/ruby/seed-004 2.rb +17 -17
  434. package/dist/packages/crucible/seeds/ruby/seed-004.rb +17 -17
  435. package/dist/packages/crucible/seeds/ruby/seed-005 2.rb +21 -21
  436. package/dist/packages/crucible/seeds/ruby/seed-005.rb +21 -21
  437. package/dist/packages/crucible/seeds/ruby/seed-006 2.rb +17 -17
  438. package/dist/packages/crucible/seeds/ruby/seed-006.rb +17 -17
  439. package/dist/packages/crucible/seeds/ruby/seed-007 2.rb +16 -16
  440. package/dist/packages/crucible/seeds/ruby/seed-007.rb +16 -16
  441. package/dist/packages/crucible/seeds/ruby/seed-008 2.rb +18 -18
  442. package/dist/packages/crucible/seeds/ruby/seed-008.rb +18 -18
  443. package/dist/packages/crucible/seeds/ruby/seed-009 2.rb +20 -20
  444. package/dist/packages/crucible/seeds/ruby/seed-009.rb +20 -20
  445. package/dist/packages/crucible/seeds/ruby/seed-010 2.rb +24 -24
  446. package/dist/packages/crucible/seeds/ruby/seed-010.rb +24 -24
  447. package/dist/packages/crucible/seeds/ruby/seed-011 2.rb +21 -21
  448. package/dist/packages/crucible/seeds/ruby/seed-011.rb +21 -21
  449. package/dist/packages/crucible/seeds/ruby/seed-012 2.rb +22 -22
  450. package/dist/packages/crucible/seeds/ruby/seed-012.rb +22 -22
  451. package/dist/packages/crucible/seeds/ruby/seed-013 2.rb +21 -21
  452. package/dist/packages/crucible/seeds/ruby/seed-013.rb +21 -21
  453. package/dist/packages/crucible/seeds/ruby/seed-014 2.rb +16 -16
  454. package/dist/packages/crucible/seeds/ruby/seed-014.rb +16 -16
  455. package/dist/packages/crucible/seeds/ruby/seed-015 2.rb +18 -18
  456. package/dist/packages/crucible/seeds/ruby/seed-015.rb +18 -18
  457. package/dist/packages/crucible/seeds/ruby/seed-016 2.rb +17 -17
  458. package/dist/packages/crucible/seeds/ruby/seed-016.rb +17 -17
  459. package/dist/packages/crucible/seeds/ruby/seed-017 2.rb +25 -25
  460. package/dist/packages/crucible/seeds/ruby/seed-017.rb +25 -25
  461. package/dist/packages/crucible/seeds/ruby/seed-018 2.rb +23 -23
  462. package/dist/packages/crucible/seeds/ruby/seed-018.rb +23 -23
  463. package/dist/packages/crucible/seeds/ruby/seed-019 2.rb +20 -20
  464. package/dist/packages/crucible/seeds/ruby/seed-019.rb +20 -20
  465. package/dist/packages/crucible/seeds/ruby/seed-020 2.rb +17 -17
  466. package/dist/packages/crucible/seeds/ruby/seed-020.rb +17 -17
  467. package/dist/packages/crucible/seeds/ruby/seed-021 2.rb +20 -20
  468. package/dist/packages/crucible/seeds/ruby/seed-021.rb +20 -20
  469. package/dist/packages/crucible/seeds/ruby/seed-022 2.rb +21 -21
  470. package/dist/packages/crucible/seeds/ruby/seed-022.rb +21 -21
  471. package/dist/packages/crucible/seeds/ruby/seed-023 2.rb +19 -19
  472. package/dist/packages/crucible/seeds/ruby/seed-023.rb +19 -19
  473. package/dist/packages/crucible/seeds/ruby/seed-024 2.rb +17 -17
  474. package/dist/packages/crucible/seeds/ruby/seed-024.rb +17 -17
  475. package/dist/packages/crucible/seeds/ruby/seed-025 2.rb +17 -17
  476. package/dist/packages/crucible/seeds/ruby/seed-025.rb +17 -17
  477. package/dist/packages/crucible/seeds/ruby/seed-026 2.rb +18 -18
  478. package/dist/packages/crucible/seeds/ruby/seed-026.rb +18 -18
  479. package/dist/packages/crucible/seeds/ruby/seed-027 2.rb +21 -21
  480. package/dist/packages/crucible/seeds/ruby/seed-027.rb +21 -21
  481. package/dist/packages/crucible/seeds/ruby/seed-028 2.rb +22 -22
  482. package/dist/packages/crucible/seeds/ruby/seed-028.rb +22 -22
  483. package/dist/packages/crucible/seeds/ruby/seed-029 2.rb +19 -19
  484. package/dist/packages/crucible/seeds/ruby/seed-029.rb +19 -19
  485. package/dist/packages/crucible/seeds/ruby/seed-030 2.rb +20 -20
  486. package/dist/packages/crucible/seeds/ruby/seed-030.rb +20 -20
  487. package/dist/packages/crucible/seeds/ruby/seed-031 2.rb +17 -17
  488. package/dist/packages/crucible/seeds/ruby/seed-031.rb +17 -17
  489. package/dist/packages/crucible/seeds/ruby/seed-032 2.rb +22 -22
  490. package/dist/packages/crucible/seeds/ruby/seed-032.rb +22 -22
  491. package/dist/packages/crucible/seeds/ruby/seed-033 2.rb +18 -18
  492. package/dist/packages/crucible/seeds/ruby/seed-033.rb +18 -18
  493. package/dist/packages/crucible/seeds/ruby/seed-034 2.rb +19 -19
  494. package/dist/packages/crucible/seeds/ruby/seed-034.rb +19 -19
  495. package/dist/packages/crucible/seeds/ruby/seed-035 2.rb +19 -19
  496. package/dist/packages/crucible/seeds/ruby/seed-035.rb +19 -19
  497. package/dist/packages/crucible/seeds/ruby/seed-036 2.rb +18 -18
  498. package/dist/packages/crucible/seeds/ruby/seed-036.rb +18 -18
  499. package/dist/packages/crucible/seeds/ruby/seed-037 2.rb +21 -21
  500. package/dist/packages/crucible/seeds/ruby/seed-037.rb +21 -21
  501. package/dist/packages/crucible/seeds/ruby/seed-038 2.rb +24 -24
  502. package/dist/packages/crucible/seeds/ruby/seed-038.rb +24 -24
  503. package/dist/packages/crucible/seeds/ruby/seed-039 2.rb +24 -24
  504. package/dist/packages/crucible/seeds/ruby/seed-039.rb +24 -24
  505. package/dist/packages/crucible/seeds/ruby/seed-040 2.rb +22 -22
  506. package/dist/packages/crucible/seeds/ruby/seed-040.rb +22 -22
  507. package/dist/packages/crucible/seeds/ruby/seed-041 2.rb +23 -23
  508. package/dist/packages/crucible/seeds/ruby/seed-041.rb +23 -23
  509. package/dist/packages/crucible/seeds/ruby/seed-042 2.rb +25 -25
  510. package/dist/packages/crucible/seeds/ruby/seed-042.rb +25 -25
  511. package/dist/packages/crucible/seeds/ruby/seed-043 2.rb +23 -23
  512. package/dist/packages/crucible/seeds/ruby/seed-043.rb +23 -23
  513. package/dist/packages/crucible/seeds/ruby/seed-044 2.rb +16 -16
  514. package/dist/packages/crucible/seeds/ruby/seed-044.rb +16 -16
  515. package/dist/packages/crucible/seeds/ruby/seed-045 2.rb +22 -22
  516. package/dist/packages/crucible/seeds/ruby/seed-045.rb +22 -22
  517. package/dist/packages/crucible/seeds/ruby/seed-046 2.rb +27 -27
  518. package/dist/packages/crucible/seeds/ruby/seed-046.rb +27 -27
  519. package/dist/packages/crucible/seeds/ruby/seed-047 2.rb +26 -26
  520. package/dist/packages/crucible/seeds/ruby/seed-047.rb +26 -26
  521. package/dist/packages/crucible/seeds/ruby/seed-048 2.rb +24 -24
  522. package/dist/packages/crucible/seeds/ruby/seed-048.rb +24 -24
  523. package/dist/packages/crucible/seeds/ruby/seed-049 2.rb +20 -20
  524. package/dist/packages/crucible/seeds/ruby/seed-049.rb +20 -20
  525. package/dist/packages/crucible/seeds/ruby/seed-050 2.rb +27 -27
  526. package/dist/packages/crucible/seeds/ruby/seed-050.rb +27 -27
  527. package/dist/packages/crucible/seeds/rust/seed-001 2.rs +25 -25
  528. package/dist/packages/crucible/seeds/rust/seed-001.rs +25 -25
  529. package/dist/packages/crucible/seeds/rust/seed-002 2.rs +20 -20
  530. package/dist/packages/crucible/seeds/rust/seed-002.rs +20 -20
  531. package/dist/packages/crucible/seeds/rust/seed-003 2.rs +23 -23
  532. package/dist/packages/crucible/seeds/rust/seed-003.rs +23 -23
  533. package/dist/packages/crucible/seeds/rust/seed-004 2.rs +21 -21
  534. package/dist/packages/crucible/seeds/rust/seed-004.rs +21 -21
  535. package/dist/packages/crucible/seeds/rust/seed-005 2.rs +21 -21
  536. package/dist/packages/crucible/seeds/rust/seed-005.rs +21 -21
  537. package/dist/packages/crucible/seeds/rust/seed-006 2.rs +24 -24
  538. package/dist/packages/crucible/seeds/rust/seed-006.rs +24 -24
  539. package/dist/packages/crucible/seeds/rust/seed-007 2.rs +20 -20
  540. package/dist/packages/crucible/seeds/rust/seed-007.rs +20 -20
  541. package/dist/packages/crucible/seeds/rust/seed-008 2.rs +19 -19
  542. package/dist/packages/crucible/seeds/rust/seed-008.rs +19 -19
  543. package/dist/packages/crucible/seeds/rust/seed-009 2.rs +28 -28
  544. package/dist/packages/crucible/seeds/rust/seed-009.rs +28 -28
  545. package/dist/packages/crucible/seeds/rust/seed-010 2.rs +28 -28
  546. package/dist/packages/crucible/seeds/rust/seed-010.rs +28 -28
  547. package/dist/packages/crucible/seeds/rust/seed-011 2.rs +25 -25
  548. package/dist/packages/crucible/seeds/rust/seed-011.rs +25 -25
  549. package/dist/packages/crucible/seeds/rust/seed-012 2.rs +31 -31
  550. package/dist/packages/crucible/seeds/rust/seed-012.rs +31 -31
  551. package/dist/packages/crucible/seeds/rust/seed-013 2.rs +27 -27
  552. package/dist/packages/crucible/seeds/rust/seed-013.rs +27 -27
  553. package/dist/packages/crucible/seeds/rust/seed-014 2.rs +30 -30
  554. package/dist/packages/crucible/seeds/rust/seed-014.rs +30 -30
  555. package/dist/packages/crucible/seeds/rust/seed-015 2.rs +33 -33
  556. package/dist/packages/crucible/seeds/rust/seed-015.rs +33 -33
  557. package/dist/packages/crucible/seeds/rust/seed-016 2.rs +22 -22
  558. package/dist/packages/crucible/seeds/rust/seed-016.rs +22 -22
  559. package/dist/packages/crucible/seeds/rust/seed-017 2.rs +28 -28
  560. package/dist/packages/crucible/seeds/rust/seed-017.rs +28 -28
  561. package/dist/packages/crucible/seeds/rust/seed-018 2.rs +21 -21
  562. package/dist/packages/crucible/seeds/rust/seed-018.rs +21 -21
  563. package/dist/packages/crucible/seeds/rust/seed-019 2.rs +36 -36
  564. package/dist/packages/crucible/seeds/rust/seed-019.rs +36 -36
  565. package/dist/packages/crucible/seeds/rust/seed-020 2.rs +27 -27
  566. package/dist/packages/crucible/seeds/rust/seed-020.rs +27 -27
  567. package/dist/packages/crucible/seeds/rust/seed-021 2.rs +26 -26
  568. package/dist/packages/crucible/seeds/rust/seed-021.rs +26 -26
  569. package/dist/packages/crucible/seeds/rust/seed-022 2.rs +23 -23
  570. package/dist/packages/crucible/seeds/rust/seed-022.rs +23 -23
  571. package/dist/packages/crucible/seeds/rust/seed-023 2.rs +22 -22
  572. package/dist/packages/crucible/seeds/rust/seed-023.rs +22 -22
  573. package/dist/packages/crucible/seeds/rust/seed-024 2.rs +24 -24
  574. package/dist/packages/crucible/seeds/rust/seed-024.rs +24 -24
  575. package/dist/packages/crucible/seeds/rust/seed-025 2.rs +29 -29
  576. package/dist/packages/crucible/seeds/rust/seed-025.rs +29 -29
  577. package/dist/packages/crucible/seeds/rust/seed-026 2.rs +23 -23
  578. package/dist/packages/crucible/seeds/rust/seed-026.rs +23 -23
  579. package/dist/packages/crucible/seeds/rust/seed-027 2.rs +24 -24
  580. package/dist/packages/crucible/seeds/rust/seed-027.rs +24 -24
  581. package/dist/packages/crucible/seeds/rust/seed-028 2.rs +25 -25
  582. package/dist/packages/crucible/seeds/rust/seed-028.rs +25 -25
  583. package/dist/packages/crucible/seeds/rust/seed-029 2.rs +25 -25
  584. package/dist/packages/crucible/seeds/rust/seed-029.rs +25 -25
  585. package/dist/packages/crucible/seeds/rust/seed-030 2.rs +30 -30
  586. package/dist/packages/crucible/seeds/rust/seed-030.rs +30 -30
  587. package/dist/packages/crucible/seeds/rust/seed-031 2.rs +22 -22
  588. package/dist/packages/crucible/seeds/rust/seed-031.rs +22 -22
  589. package/dist/packages/crucible/seeds/rust/seed-032 2.rs +25 -25
  590. package/dist/packages/crucible/seeds/rust/seed-032.rs +25 -25
  591. package/dist/packages/crucible/seeds/rust/seed-033 2.rs +25 -25
  592. package/dist/packages/crucible/seeds/rust/seed-033.rs +25 -25
  593. package/dist/packages/crucible/seeds/rust/seed-034 2.rs +20 -20
  594. package/dist/packages/crucible/seeds/rust/seed-034.rs +20 -20
  595. package/dist/packages/crucible/seeds/rust/seed-035 2.rs +28 -28
  596. package/dist/packages/crucible/seeds/rust/seed-035.rs +28 -28
  597. package/dist/packages/crucible/seeds/rust/seed-036 2.rs +26 -26
  598. package/dist/packages/crucible/seeds/rust/seed-036.rs +26 -26
  599. package/dist/packages/crucible/seeds/rust/seed-037 2.rs +31 -31
  600. package/dist/packages/crucible/seeds/rust/seed-037.rs +31 -31
  601. package/dist/packages/crucible/seeds/rust/seed-038 2.rs +25 -25
  602. package/dist/packages/crucible/seeds/rust/seed-038.rs +25 -25
  603. package/dist/packages/crucible/seeds/rust/seed-039 2.rs +28 -28
  604. package/dist/packages/crucible/seeds/rust/seed-039.rs +28 -28
  605. package/dist/packages/crucible/seeds/rust/seed-040 2.rs +27 -27
  606. package/dist/packages/crucible/seeds/rust/seed-040.rs +27 -27
  607. package/dist/packages/crucible/seeds/rust/seed-041 2.rs +32 -32
  608. package/dist/packages/crucible/seeds/rust/seed-041.rs +32 -32
  609. package/dist/packages/crucible/seeds/rust/seed-042 2.rs +27 -27
  610. package/dist/packages/crucible/seeds/rust/seed-042.rs +27 -27
  611. package/dist/packages/crucible/seeds/rust/seed-043 2.rs +29 -29
  612. package/dist/packages/crucible/seeds/rust/seed-043.rs +29 -29
  613. package/dist/packages/crucible/seeds/rust/seed-044 2.rs +25 -25
  614. package/dist/packages/crucible/seeds/rust/seed-044.rs +25 -25
  615. package/dist/packages/crucible/seeds/rust/seed-045 2.rs +28 -28
  616. package/dist/packages/crucible/seeds/rust/seed-045.rs +28 -28
  617. package/dist/packages/crucible/seeds/rust/seed-046 2.rs +25 -25
  618. package/dist/packages/crucible/seeds/rust/seed-046.rs +25 -25
  619. package/dist/packages/crucible/seeds/rust/seed-047 2.rs +34 -34
  620. package/dist/packages/crucible/seeds/rust/seed-047.rs +34 -34
  621. package/dist/packages/crucible/seeds/rust/seed-048 2.rs +21 -21
  622. package/dist/packages/crucible/seeds/rust/seed-048.rs +21 -21
  623. package/dist/packages/crucible/seeds/rust/seed-049 2.rs +26 -26
  624. package/dist/packages/crucible/seeds/rust/seed-049.rs +26 -26
  625. package/dist/packages/crucible/seeds/rust/seed-050 2.rs +23 -23
  626. package/dist/packages/crucible/seeds/rust/seed-050.rs +23 -23
  627. package/dist/packages/crucible/seeds/ts/seed-001 2.ts +32 -32
  628. package/dist/packages/crucible/seeds/ts/seed-001.ts +32 -32
  629. package/dist/packages/crucible/seeds/ts/seed-002 2.ts +34 -34
  630. package/dist/packages/crucible/seeds/ts/seed-002.ts +34 -34
  631. package/dist/packages/crucible/seeds/ts/seed-003 2.ts +28 -28
  632. package/dist/packages/crucible/seeds/ts/seed-003.ts +28 -28
  633. package/dist/packages/crucible/seeds/ts/seed-004 2.ts +34 -34
  634. package/dist/packages/crucible/seeds/ts/seed-004.ts +34 -34
  635. package/dist/packages/crucible/seeds/ts/seed-005 2.ts +32 -32
  636. package/dist/packages/crucible/seeds/ts/seed-005.ts +32 -32
  637. package/dist/packages/crucible/seeds/ts/seed-006 2.ts +31 -31
  638. package/dist/packages/crucible/seeds/ts/seed-006.ts +31 -31
  639. package/dist/packages/crucible/seeds/ts/seed-007 2.ts +28 -28
  640. package/dist/packages/crucible/seeds/ts/seed-007.ts +28 -28
  641. package/dist/packages/crucible/seeds/ts/seed-008 2.ts +40 -40
  642. package/dist/packages/crucible/seeds/ts/seed-008.ts +40 -40
  643. package/dist/packages/crucible/seeds/ts/seed-009 2.ts +31 -31
  644. package/dist/packages/crucible/seeds/ts/seed-009.ts +31 -31
  645. package/dist/packages/crucible/seeds/ts/seed-010 2.ts +33 -33
  646. package/dist/packages/crucible/seeds/ts/seed-010.ts +33 -33
  647. package/dist/packages/crucible/seeds/ts/seed-011 2.ts +29 -29
  648. package/dist/packages/crucible/seeds/ts/seed-011.ts +29 -29
  649. package/dist/packages/crucible/seeds/ts/seed-012 2.ts +34 -34
  650. package/dist/packages/crucible/seeds/ts/seed-012.ts +34 -34
  651. package/dist/packages/crucible/seeds/ts/seed-013 2.ts +31 -31
  652. package/dist/packages/crucible/seeds/ts/seed-013.ts +31 -31
  653. package/dist/packages/crucible/seeds/ts/seed-014 2.ts +36 -36
  654. package/dist/packages/crucible/seeds/ts/seed-014.ts +36 -36
  655. package/dist/packages/crucible/seeds/ts/seed-015 2.ts +31 -31
  656. package/dist/packages/crucible/seeds/ts/seed-015.ts +31 -31
  657. package/dist/packages/crucible/seeds/ts/seed-016 2.ts +37 -37
  658. package/dist/packages/crucible/seeds/ts/seed-016.ts +37 -37
  659. package/dist/packages/crucible/seeds/ts/seed-017 2.ts +44 -44
  660. package/dist/packages/crucible/seeds/ts/seed-017.ts +44 -44
  661. package/dist/packages/crucible/seeds/ts/seed-018 2.ts +33 -33
  662. package/dist/packages/crucible/seeds/ts/seed-018.ts +33 -33
  663. package/dist/packages/crucible/seeds/ts/seed-019 2.ts +32 -32
  664. package/dist/packages/crucible/seeds/ts/seed-019.ts +32 -32
  665. package/dist/packages/crucible/seeds/ts/seed-020 2.ts +33 -33
  666. package/dist/packages/crucible/seeds/ts/seed-020.ts +33 -33
  667. package/dist/packages/crucible/seeds/ts/seed-021 2.ts +33 -33
  668. package/dist/packages/crucible/seeds/ts/seed-021.ts +33 -33
  669. package/dist/packages/crucible/seeds/ts/seed-022 2.ts +34 -34
  670. package/dist/packages/crucible/seeds/ts/seed-022.ts +34 -34
  671. package/dist/packages/crucible/seeds/ts/seed-023 2.ts +33 -33
  672. package/dist/packages/crucible/seeds/ts/seed-023.ts +33 -33
  673. package/dist/packages/crucible/seeds/ts/seed-024 2.ts +35 -35
  674. package/dist/packages/crucible/seeds/ts/seed-024.ts +35 -35
  675. package/dist/packages/crucible/seeds/ts/seed-025 2.ts +29 -29
  676. package/dist/packages/crucible/seeds/ts/seed-025.ts +29 -29
  677. package/dist/packages/crucible/seeds/ts/seed-026 2.ts +36 -36
  678. package/dist/packages/crucible/seeds/ts/seed-026.ts +36 -36
  679. package/dist/packages/crucible/seeds/ts/seed-027 2.ts +30 -30
  680. package/dist/packages/crucible/seeds/ts/seed-027.ts +30 -30
  681. package/dist/packages/crucible/seeds/ts/seed-028 2.ts +32 -32
  682. package/dist/packages/crucible/seeds/ts/seed-028.ts +32 -32
  683. package/dist/packages/crucible/seeds/ts/seed-029 2.ts +34 -34
  684. package/dist/packages/crucible/seeds/ts/seed-029.ts +34 -34
  685. package/dist/packages/crucible/seeds/ts/seed-030 2.ts +37 -37
  686. package/dist/packages/crucible/seeds/ts/seed-030.ts +37 -37
  687. package/dist/packages/crucible/seeds/ts/seed-031 2.ts +31 -31
  688. package/dist/packages/crucible/seeds/ts/seed-031.ts +31 -31
  689. package/dist/packages/crucible/seeds/ts/seed-032 2.ts +32 -32
  690. package/dist/packages/crucible/seeds/ts/seed-032.ts +32 -32
  691. package/dist/packages/crucible/seeds/ts/seed-033 2.ts +32 -32
  692. package/dist/packages/crucible/seeds/ts/seed-033.ts +32 -32
  693. package/dist/packages/crucible/seeds/ts/seed-034 2.ts +34 -34
  694. package/dist/packages/crucible/seeds/ts/seed-034.ts +34 -34
  695. package/dist/packages/crucible/seeds/ts/seed-035 2.ts +29 -29
  696. package/dist/packages/crucible/seeds/ts/seed-035.ts +29 -29
  697. package/dist/packages/crucible/seeds/ts/seed-036 2.ts +34 -34
  698. package/dist/packages/crucible/seeds/ts/seed-036.ts +34 -34
  699. package/dist/packages/crucible/seeds/ts/seed-037 2.ts +33 -33
  700. package/dist/packages/crucible/seeds/ts/seed-037.ts +33 -33
  701. package/dist/packages/crucible/seeds/ts/seed-038 2.ts +29 -29
  702. package/dist/packages/crucible/seeds/ts/seed-038.ts +29 -29
  703. package/dist/packages/crucible/seeds/ts/seed-039 2.ts +35 -35
  704. package/dist/packages/crucible/seeds/ts/seed-039.ts +35 -35
  705. package/dist/packages/crucible/seeds/ts/seed-040 2.ts +31 -31
  706. package/dist/packages/crucible/seeds/ts/seed-040.ts +31 -31
  707. package/dist/packages/crucible/seeds/ts/seed-041 2.ts +29 -29
  708. package/dist/packages/crucible/seeds/ts/seed-041.ts +29 -29
  709. package/dist/packages/crucible/seeds/ts/seed-042 2.ts +33 -33
  710. package/dist/packages/crucible/seeds/ts/seed-042.ts +33 -33
  711. package/dist/packages/crucible/seeds/ts/seed-043 2.ts +32 -32
  712. package/dist/packages/crucible/seeds/ts/seed-043.ts +32 -32
  713. package/dist/packages/crucible/seeds/ts/seed-044 2.ts +36 -36
  714. package/dist/packages/crucible/seeds/ts/seed-044.ts +36 -36
  715. package/dist/packages/crucible/seeds/ts/seed-045 2.ts +39 -39
  716. package/dist/packages/crucible/seeds/ts/seed-045.ts +39 -39
  717. package/dist/packages/crucible/seeds/ts/seed-046 2.ts +41 -41
  718. package/dist/packages/crucible/seeds/ts/seed-046.ts +41 -41
  719. package/dist/packages/crucible/seeds/ts/seed-047 2.ts +33 -33
  720. package/dist/packages/crucible/seeds/ts/seed-047.ts +33 -33
  721. package/dist/packages/crucible/seeds/ts/seed-048 2.ts +33 -33
  722. package/dist/packages/crucible/seeds/ts/seed-048.ts +33 -33
  723. package/dist/packages/crucible/seeds/ts/seed-049 2.ts +34 -34
  724. package/dist/packages/crucible/seeds/ts/seed-049.ts +34 -34
  725. package/dist/packages/crucible/seeds/ts/seed-050 2.ts +41 -41
  726. package/dist/packages/crucible/seeds/ts/seed-050.ts +41 -41
  727. package/dist/packages/crucible/seeds/ts/seed-051 2.ts +34 -34
  728. package/dist/packages/crucible/seeds/ts/seed-051.ts +34 -34
  729. package/dist/packages/crucible/seeds/ts/seed-052 2.ts +36 -36
  730. package/dist/packages/crucible/seeds/ts/seed-052.ts +36 -36
  731. package/dist/packages/scanner/ai-confidence-scorer.js +1 -1
  732. package/dist/packages/scanner/baseline-manager.js +1 -1
  733. package/dist/packages/scanner/code-scanner.js +1 -1
  734. package/dist/packages/scanner/codebase-passport.js +1 -1
  735. package/dist/packages/scanner/copy-paste-detector.js +1 -1
  736. package/dist/packages/scanner/dependency-graph.js +1 -1
  737. package/dist/packages/scanner/drift-detector.js +1 -1
  738. package/dist/packages/scanner/export-verifier.js +1 -1
  739. package/dist/packages/scanner/file-collector.js +1 -1
  740. package/dist/packages/scanner/ghost-code-detector.js +1 -1
  741. package/dist/packages/scanner/hallucination-detector.js +1 -1
  742. package/dist/packages/scanner/license-manager.js +1 -1
  743. package/dist/packages/scanner/pre-commit-gate.js +1 -1
  744. package/dist/packages/scanner/read-file.js +1 -0
  745. package/dist/packages/scanner/taint-tracker.js +1 -1
  746. package/dist/packages/scanner/tech-debt-analyzer.js +1 -1
  747. package/package.json +64 -63
@@ -1 +1 @@
1
- "use strict";const fs=require("fs"),path=require("path"),os=require("os"),crypto=require("crypto"),MUTATIONS=[{name:"operator_flip_eq",description:"Replace === with == (loose equality — security bypass risk)",apply:e=>e.replace(/===/g,"==").replace(/!==/g,"!=")},{name:"operator_flip_and",description:"Replace && with & (bitwise — can bypass auth checks)",apply:e=>e.replace(/if\s*\(([^)]+)\)/g,(e,t)=>"if ("+t.replace(/&&/g,"&")+")")},{name:"operator_flip_or",description:"Replace || with | (bitwise — default value bypass)",apply:e=>e.replace(/if\s*\(([^)]+)\)/g,(e,t)=>"if ("+t.replace(/\|\|/g,"|")+")")},{name:"string_concat_to_template",description:'Convert "a" + b to `a${b}` (template literal — SQL injection risk)',apply:e=>e.replace(/"([^"]{1,40}?)"\s*\+\s*(\w+)/g,(e,t,s)=>"`"+t+"${"+s+"}`")},{name:"string_split_concat",description:"Split a hardcoded string across two literals (obfuscation)",apply:e=>e.replace(/'([a-zA-Z0-9_\-]{8,24})'/g,(e,t)=>{const s=Math.floor(t.length/2);return`'${t.slice(0,s)}' + '${t.slice(s)}'`})},{name:"base64_encode_string",description:'Wrap a string value in Buffer.from().toString("base64") (obfuscation)',apply:(e,t)=>["js","ts","javascript","typescript"].includes(t)?e.replace(/'(password|secret|key|token|api_?key)':\s*'([^']+)'/gi,(e,t,s)=>`'${t}': Buffer.from('${Buffer.from(s).toString("base64")}', 'base64').toString('utf8')`):e},{name:"require_to_dynamic_import",description:"Convert require() to eval-based dynamic require (evades static analysis)",apply(e,t){if(!["js","javascript"].includes(t))return e;let s=0;return e.replace(/require\('([^']+)'\)/g,(e,t)=>s++>0?e:`eval("require")('${t}')`)}},{name:"import_alias_obfuscation",description:"Add an alias variable to obscure dangerous function names",apply(e,t){if(!["js","ts","javascript","typescript"].includes(t))return e;if(/\bexecSync\b/.test(e)){const t="_"+crypto.randomBytes(3).toString("hex");e=(e="const "+t+' = require("child_process").execSync;\n'+e).replace(/\bexecSync\b/g,t)}return e}},{name:"if_negation_flip",description:"Flip if/else branches (may invert security checks)",apply:e=>e.replace(/if\s*\(!\s*(\w+)\)\s*\{([^}]*)\}\s*else\s*\{([^}]*)\}/g,(e,t,s,n)=>`if (${t}) {${n}} else {${s}}`)},{name:"early_return_removal",description:"Remove early return guards (bypass validation)",apply:e=>e.replace(/^\s*if\s*\([^)]+\)\s*\{\s*return\s*(?:null|false|undefined|0|''|"")?\s*;\s*\}\s*$/gm,"")},{name:"async_await_strip",description:"Remove await from async calls (timing/race condition potential)",apply:e=>e.replace(/const\s+(\w+)\s*=\s*await\s+/g,"const $1 = ")},{name:"todo_injection",description:"Add misleading TODO/SAFE comments near vulnerable code",apply(e){const t=["// TODO: add validation here later","// SAFE: this is sanitized upstream","// SECURITY: reviewed by team — OK","// NOTE: user input is trusted at this point"],s=Math.floor(t.length/2),n=e.split("\n");return n.splice(Math.min(5,n.length-1),0,t[s]),n.join("\n")}},{name:"variable_rename_obfuscate",description:"Rename obvious danger variables to innocuous names",apply(e){const t=[[/\bexecCommand\b/g,"processInput"],[/\bsqlQuery\b/g,"queryStr"],[/\brawInput\b/g,"data"],[/\buserInput\b/g,"val"],[/\bpassword\b/g,"pwd"]];for(const[s,n]of t)e=e.replace(s,n);return e}},{name:"dead_code_injection",description:"Inject plausible-looking but unreachable safe code",apply:e=>e+"\n\n// Dead code: sanitization that never runs\nfunction _sanitize(input) {\n return String(input).replace(/[<>\"';&]/g, '');\n}\n"},{name:"hex_string_encoding",description:"Encode a dangerous string value as hex (evades simple pattern matching)",apply:(e,t)=>["js","javascript","ts","typescript"].includes(t)?e.replace(/'(SELECT|INSERT|UPDATE|DELETE|DROP|UNION)([^']{0,30})'/gi,(e,t,s)=>{const n=t+s;return`Buffer.from('${Buffer.from(n).toString("hex")}', 'hex').toString()`}):e},{name:"prototype_chain_obfuscate",description:"Use bracket notation to access __proto__ (avoids literal detection)",apply:e=>e.replace(/\.__proto__/g,'["__proto__"]').replace(/\.constructor\.prototype/g,'["constructor"]["prototype"]')},{name:"path_concat_to_join",description:"Convert path concatenation to path.join (still traversable)",apply:e=>e.replace(/(\w+)\s*\+\s*(['"]\/[^'"]+['"])/g,"path.join($1, $2)")}];class MutationEngine{constructor(e={}){this.prngseed="number"==typeof e.prngseed?e.prngseed:42,this.maxMutationsPerFile=e.maxMutationsPerFile||3,this._sessionDir=null}createSession(){if(!this._sessionDir){const e=crypto.randomUUID?crypto.randomUUID():crypto.randomBytes(16).toString("hex");this._sessionDir=path.join(os.tmpdir(),`thuban-crucible-${e}`),fs.mkdirSync(this._sessionDir,{recursive:!0})}return this._sessionDir}cleanup(){if(this._sessionDir&&fs.existsSync(this._sessionDir)){try{fs.rmSync(this._sessionDir,{recursive:!0,force:!0})}catch{}this._sessionDir=null}}_createPRNG(){let e=this.prngseed>>>0;return function(){e|=0,e=e+1831565813|0;let t=Math.imul(e^e>>>15,1|e);return t=t+Math.imul(t^t>>>7,61|t)^t,((t^t>>>14)>>>0)/4294967296}}_pickMutations(e,t){const s=MUTATIONS.slice();for(let t=s.length-1;t>0;t--){const n=Math.floor(e()*(t+1));[s[t],s[n]]=[s[n],s[t]]}return s.slice(0,t)}_detectLang(e){return{".js":"js",".mjs":"js",".cjs":"js",".ts":"ts",".tsx":"ts",".py":"python",".java":"java",".cs":"csharp",".go":"go",".kt":"kotlin",".kts":"kotlin",".rs":"rust",".php":"php",".rb":"ruby"}[path.extname(e).toLowerCase()]||"unknown"}applyMutation(e,t,s="js"){const n=MUTATIONS.find(e=>e.name===t);if(!n)throw new Error(`Unknown mutation: ${t}`);try{return n.apply(e,s)}catch{return e}}applyRandomMutations(e,t="js",s){const n=null!=s?s:this.maxMutationsPerFile,a=this._createPRNG(),i=this._pickMutations(a,n),r=[];let o=e;for(const e of i)try{const s=e.apply(o,t);s!==o&&(r.push(e.name),o=s)}catch{}return{mutatedCode:o,applied:r}}mutateFile(e,t={}){const s=this.createSession(),n=this._detectLang(e),a=fs.readFileSync(e,"utf-8");let i,r;if(t.only&&t.only.length){r=a,i=[];for(const e of t.only){const t=this.applyMutation(r,e,n);t!==r&&i.push(e),r=t}}else{const e=this.applyRandomMutations(a,n,t.mutations);r=e.mutatedCode,i=e.applied}const o=path.basename(e),p=path.parse(o).name,c=path.extname(o),l=`${p}-mutated-${crypto.randomBytes(3).toString("hex")}${c}`,u=path.join(s,l);return fs.writeFileSync(u,r,"utf-8"),{tempPath:u,applied:i,lang:n,original:a,mutated:r}}async mutateFiles(e,t){this.createSession();const s=[];try{for(const t of e)try{const e=this.mutateFile(t);s.push({...e,error:null})}catch(e){s.push({tempPath:null,applied:[],lang:null,error:e.message})}return await t(s)}finally{this.cleanup()}}static listMutations(){return MUTATIONS.map(e=>({name:e.name,description:e.description}))}static get mutationCount(){return MUTATIONS.length}}module.exports={MutationEngine:MutationEngine,MUTATIONS:MUTATIONS};
1
+ "use strict";const fs=require("fs"),path=require("path"),os=require("os"),crypto=require("crypto"),MUTATIONS=[{name:"operator_flip_eq",description:"Replace === with == (loose equality — security bypass risk)",apply:e=>e.replace(/===/g,"==").replace(/!==/g,"!=")},{name:"operator_flip_and",description:"Replace && with & (bitwise — can bypass auth checks)",apply:e=>e.replace(/if\s*\(([^)]+)\)/g,(e,t)=>"if ("+t.replace(/&&/g,"&")+")")},{name:"operator_flip_or",description:"Replace || with | (bitwise — default value bypass)",apply:e=>e.replace(/if\s*\(([^)]+)\)/g,(e,t)=>"if ("+t.replace(/\|\|/g,"|")+")")},{name:"string_concat_to_template",description:'Convert "a" + b to `a${b}` (template literal — SQL injection risk)',apply:e=>e.replace(/"([^"]{1,40}?)"\s*\+\s*(\w+)/g,(e,t,s)=>"`"+t+"${"+s+"}`")},{name:"string_split_concat",description:"Split a hardcoded string across two literals (obfuscation)",apply:e=>e.replace(/'([a-zA-Z0-9_\-]{8,24})'/g,(e,t)=>{const s=Math.floor(t.length/2);return`'${t.slice(0,s)}' + '${t.slice(s)}'`})},{name:"base64_encode_string",description:'Wrap a string value in Buffer.from().toString("base64") (obfuscation)',apply:(e,t)=>["js","ts","javascript","typescript"].includes(t)?e.replace(/'(password|secret|key|token|api_?key)':\s*'([^']+)'/gi,(e,t,s)=>`'${t}': Buffer.from('${Buffer.from(s).toString("base64")}', 'base64').toString('utf8')`):e},{name:"require_to_dynamic_import",description:"Convert require() to eval-based dynamic require (evades static analysis)",apply(e,t){if(!["js","javascript"].includes(t))return e;let s=0;return e.replace(/require\('([^']+)'\)/g,(e,t)=>s++>0?e:`eval("require")('${t}')`)}},{name:"import_alias_obfuscation",description:"Add an alias variable to obscure dangerous function names",apply(e,t){if(!["js","ts","javascript","typescript"].includes(t))return e;if(/\bexecSync\b/.test(e)){const t="_"+crypto.randomBytes(3).toString("hex");e=(e="const "+t+' = require("child_process").execSync;\n'+e).replace(/\bexecSync\b/g,t)}return e}},{name:"if_negation_flip",description:"Flip if/else branches (may invert security checks)",apply:e=>e.replace(/if\s*\(!\s*(\w+)\)\s*\{([^}]*)\}\s*else\s*\{([^}]*)\}/g,(e,t,s,n)=>`if (${t}) {${n}} else {${s}}`)},{name:"early_return_removal",description:"Remove early return guards (bypass validation)",apply:e=>e.replace(/^\s*if\s*\([^)]+\)\s*\{\s*return\s*(?:null|false|undefined|0|''|"")?\s*;\s*\}\s*$/gm,"")},{name:"async_await_strip",description:"Remove await from async calls (timing/race condition potential)",apply:e=>e.replace(/const\s+(\w+)\s*=\s*await\s+/g,"const $1 = ")},{name:"todo_injection",description:"Add misleading TODO/SAFE comments near vulnerable code",apply(e){const t=["// TODO: add validation here later","// SAFE: this is sanitized upstream","// SECURITY: reviewed by team — OK","// NOTE: user input is trusted at this point"],s=Math.floor(t.length/2),n=e.split(/\r?\n/);return n.splice(Math.min(5,n.length-1),0,t[s]),n.join("\n")}},{name:"variable_rename_obfuscate",description:"Rename obvious danger variables to innocuous names",apply(e){const t=[[/\bexecCommand\b/g,"processInput"],[/\bsqlQuery\b/g,"queryStr"],[/\brawInput\b/g,"data"],[/\buserInput\b/g,"val"],[/\bpassword\b/g,"pwd"]];for(const[s,n]of t)e=e.replace(s,n);return e}},{name:"dead_code_injection",description:"Inject plausible-looking but unreachable safe code",apply:e=>e+"\n\n// Dead code: sanitization that never runs\nfunction _sanitize(input) {\n return String(input).replace(/[<>\"';&]/g, '');\n}\n"},{name:"hex_string_encoding",description:"Encode a dangerous string value as hex (evades simple pattern matching)",apply:(e,t)=>["js","javascript","ts","typescript"].includes(t)?e.replace(/'(SELECT|INSERT|UPDATE|DELETE|DROP|UNION)([^']{0,30})'/gi,(e,t,s)=>{const n=t+s;return`Buffer.from('${Buffer.from(n).toString("hex")}', 'hex').toString()`}):e},{name:"prototype_chain_obfuscate",description:"Use bracket notation to access __proto__ (avoids literal detection)",apply:e=>e.replace(/\.__proto__/g,'["__proto__"]').replace(/\.constructor\.prototype/g,'["constructor"]["prototype"]')},{name:"path_concat_to_join",description:"Convert path concatenation to path.join (still traversable)",apply:e=>e.replace(/(\w+)\s*\+\s*(['"]\/[^'"]+['"])/g,"path.join($1, $2)")}];class MutationEngine{constructor(e={}){this.prngseed="number"==typeof e.prngseed?e.prngseed:42,this.maxMutationsPerFile=e.maxMutationsPerFile||3,this._sessionDir=null}createSession(){if(!this._sessionDir){const e=crypto.randomUUID?crypto.randomUUID():crypto.randomBytes(16).toString("hex");this._sessionDir=path.join(os.tmpdir(),`thuban-crucible-${e}`),fs.mkdirSync(this._sessionDir,{recursive:!0})}return this._sessionDir}cleanup(){if(this._sessionDir&&fs.existsSync(this._sessionDir)){try{fs.rmSync(this._sessionDir,{recursive:!0,force:!0})}catch{}this._sessionDir=null}}_createPRNG(){let e=this.prngseed>>>0;return function(){e|=0,e=e+1831565813|0;let t=Math.imul(e^e>>>15,1|e);return t=t+Math.imul(t^t>>>7,61|t)^t,((t^t>>>14)>>>0)/4294967296}}_pickMutations(e,t){const s=MUTATIONS.slice();for(let t=s.length-1;t>0;t--){const n=Math.floor(e()*(t+1));[s[t],s[n]]=[s[n],s[t]]}return s.slice(0,t)}_detectLang(e){return{".js":"js",".mjs":"js",".cjs":"js",".ts":"ts",".tsx":"ts",".py":"python",".java":"java",".cs":"csharp",".go":"go",".kt":"kotlin",".kts":"kotlin",".rs":"rust",".php":"php",".rb":"ruby"}[path.extname(e).toLowerCase()]||"unknown"}applyMutation(e,t,s="js"){const n=MUTATIONS.find(e=>e.name===t);if(!n)throw new Error(`Unknown mutation: ${t}`);try{return n.apply(e,s)}catch{return e}}applyRandomMutations(e,t="js",s){const n=null!=s?s:this.maxMutationsPerFile,a=this._createPRNG(),i=this._pickMutations(a,n),r=[];let o=e;for(const e of i)try{const s=e.apply(o,t);s!==o&&(r.push(e.name),o=s)}catch{}return{mutatedCode:o,applied:r}}mutateFile(e,t={}){const s=this.createSession(),n=this._detectLang(e),a=fs.readFileSync(e,"utf-8").replace(/\r\n/g,"\n");let i,r;if(t.only&&t.only.length){r=a,i=[];for(const e of t.only){const t=this.applyMutation(r,e,n);t!==r&&i.push(e),r=t}}else{const e=this.applyRandomMutations(a,n,t.mutations);r=e.mutatedCode,i=e.applied}const o=path.basename(e),p=path.parse(o).name,c=path.extname(o),l=`${p}-mutated-${crypto.randomBytes(3).toString("hex")}${c}`,u=path.join(s,l);return fs.writeFileSync(u,r,"utf-8"),{tempPath:u,applied:i,lang:n,original:a,mutated:r}}async mutateFiles(e,t){this.createSession();const s=[];try{for(const t of e)try{const e=this.mutateFile(t);s.push({...e,error:null})}catch(e){s.push({tempPath:null,applied:[],lang:null,error:e.message})}return await t(s)}finally{this.cleanup()}}static listMutations(){return MUTATIONS.map(e=>({name:e.name,description:e.description}))}static get mutationCount(){return MUTATIONS.length}}module.exports={MutationEngine:MutationEngine,MUTATIONS:MUTATIONS};
@@ -1 +1 @@
1
- "use strict";const fs=require("fs"),path=require("path"),RULES_DIR=path.join(__dirname,"rules"),COMMUNITY_FILENAME="community-discovered.json",COMMUNITY_FILE=path.join(RULES_DIR,COMMUNITY_FILENAME),MISSED_PATTERNS_FILE=path.join(__dirname,"missed-patterns.json"),MAX_PATTERN_LENGTH=500,MAX_QUANTIFIERS=20,MAX_ALTERNATIONS=30;class PatternLearner{constructor(e={}){this.rulesDir=e.rulesDir||RULES_DIR,this.communityFile=e.communityFile||path.join(this.rulesDir,COMMUNITY_FILENAME),this.missedPatternsFile=e.missedPatternsFile||MISSED_PATTERNS_FILE}_readJsonArray(e){if(!fs.existsSync(e))return[];try{const t=JSON.parse(fs.readFileSync(e,"utf-8"));if(!Array.isArray(t))return[];for(const e of t)e&&"object"==typeof e&&(delete e.__proto__,delete e.constructor,delete e.prototype);return t}catch{return[]}}_writeJsonArray(e,t){fs.mkdirSync(path.dirname(e),{recursive:!0}),fs.writeFileSync(e,JSON.stringify(t,null,2)+"\n","utf-8")}_invalidateRuleCache(){try{delete require.cache[require.resolve("./rule-loader.js")]}catch{}}_nextId(e,t){if(!/^[A-Z]+$/.test(t))throw new Error(`[PatternLearner] _nextId prefix must be uppercase alpha, got: "${t}"`);let r=0;const n=new RegExp(`^${t}(\\d+)$`);for(const t of e){const e=n.exec(t.id||"");e&&(r=Math.max(r,parseInt(e[1],10)))}return t+String(r+1).padStart("MISS"===t?4:3,"0")}_deriveTrigger(e){if(!e||"string"!=typeof e)return null;const t=e.split("\n").map(e=>e.trim()).filter(Boolean).find(e=>!e.startsWith("//")&&!e.startsWith("#")&&!e.startsWith("*")&&!e.startsWith("/*")&&!/^(import|from|using|package|require|namespace)\b/.test(e)&&e.length>=8&&e.length<=240);if(!t)return null;const r=t.replace(/[.*+?^${}()|[\]\\]/g,"\\$&");return this._checkRegexComplexity(r).safe?r:null}_checkRegexComplexity(e){if("string"!=typeof e||!e)return{safe:!1,reason:"pattern must be a non-empty string"};if(e.length>500)return{safe:!1,reason:"pattern exceeds max length of 500 characters"};let t=0,r=0;const n=[];for(let s=0;s<e.length;s++){const i=e[s];if("\\"!==i)if("("!==i){if(")"===i){const r=n.pop();if(!r)continue;const i=/^\{\d+(,\d*)?\}/.exec(e.slice(s+1)),a=e[s+1];if("+"===a||"*"===a||"?"===a||i){if(t++,r.hasQuantifier||r.hasAlternation)return{safe:!1,reason:"nested quantifier detected (potential catastrophic backtracking)"};n.length>0&&(n[n.length-1].hasQuantifier=!0)}continue}if("+"!==i&&"*"!==i&&"?"!==i){if("{"===i){/^\{\d+(,\d*)?\}/.exec(e.slice(s))&&(t++,n.length>0&&(n[n.length-1].hasQuantifier=!0));continue}"|"!==i||(r++,n.length>0&&(n[n.length-1].hasAlternation=!0))}else t++,n.length>0&&(n[n.length-1].hasQuantifier=!0)}else n.push({hasQuantifier:!1,hasAlternation:!1});else s++}return t>20?{safe:!1,reason:`pattern has ${t} quantifiers, exceeding max of 20`}:r>30?{safe:!1,reason:`pattern has ${r} alternations, exceeding max of 30`}:{safe:!0,reason:null}}patternExists(e,t){if(!fs.existsSync(this.rulesDir))return!1;const r=fs.readdirSync(this.rulesDir).filter(e=>e.endsWith(".json"));for(const n of r){const r=this._readJsonArray(path.join(this.rulesDir,n));for(const n of r)if(null==e){if(n.category===t)return!0}else if(n.pattern===e&&n.category===t)return!0}return!1}categoryCovered(e){return this.patternExists(null,e)}recordNewPattern(e={}){const{pattern:t,flags:r="gi",category:n,description:s,language:i=[],severity:a="medium",source:o}=e;if(!t||!n)throw new Error('[PatternLearner] recordNewPattern requires "pattern" and "category"');new RegExp(t,r);const d=this._checkRegexComplexity(t);if(!d.safe)throw new Error(`[PatternLearner] recordNewPattern rejected unsafe pattern: ${d.reason}`);if(this.patternExists(t,n))return{added:!1,reason:"duplicate",id:null};const c=this._readJsonArray(this.communityFile),u=this._nextId(c,"COMM"),l={id:u,pattern:t,flags:r,category:n,description:s||`Community-discovered pattern for "${n}"`,language:i,severity:a,discoveredAt:(new Date).toISOString(),source:o||"crucible-run"};return c.push(l),this._writeJsonArray(this.communityFile,c),this._invalidateRuleCache(),{added:!0,reason:null,id:u,entry:l}}recordDiscoveredIfUncovered(e={}){const{category:t,language:r,content:n,severity:s,seedId:i}=e;if(!t)return{added:!1,reason:"no-category"};if(this.categoryCovered(t))return{added:!1,reason:"already-covered"};const a=this._deriveTrigger(n);return a?this.recordNewPattern({pattern:a,flags:"gi",category:t,description:`Auto-discovered pattern for previously-uncovered category "${t}"`+(i?` (seed ${i})`:""),language:r?[r]:[],severity:s||"medium",source:`crucible-auto-discovery:${i||"unknown"}`}):{added:!1,reason:"no-derivable-trigger"}}recordMissedPattern(e={}){const{seedId:t,content:r,expectedCategory:n,language:s,scannerOutput:i,severity:a="medium",meta:o={}}=e;if(!n)throw new Error('[PatternLearner] recordMissedPattern requires "expectedCategory"');const d=this._readJsonArray(this.missedPatternsFile),c=`${t||""}|${n}|${s||""}`,u=d.find(e=>`${e.seedId||""}|${e.expectedCategory}|${e.language||""}`===c);if(u)return u.timesSeen=(u.timesSeen||1)+1,u.lastSeenAt=(new Date).toISOString(),this._writeJsonArray(this.missedPatternsFile,d),{added:!1,reason:"duplicate-updated",entry:u};const l={id:this._nextId(d,"MISS"),seedId:t||null,expectedCategory:n,language:s||null,severity:a,content:r||null,scannerOutput:i||null,status:"pending",discoveredAt:(new Date).toISOString(),timesSeen:1,meta:o};return d.push(l),this._writeJsonArray(this.missedPatternsFile,d),{added:!0,reason:null,entry:l}}getMissedPatterns(e={}){const t=this._readJsonArray(this.missedPatternsFile);return e.status?t.filter(t=>t.status===e.status):t}reviewMissedPattern(e,t){if("confirmed"!==t&&"rejected"!==t)throw new Error('[PatternLearner] decision must be "confirmed" or "rejected"');const r=this._readJsonArray(this.missedPatternsFile),n=r.find(t=>t.id===e);return n?(n.status=t,n.reviewedAt=(new Date).toISOString(),this._writeJsonArray(this.missedPatternsFile,r),n):null}promoteToScannerRule(e,t={}){const{pattern:r,flags:n="gi",description:s,language:i,severity:a}=t,o=this._readJsonArray(this.missedPatternsFile),d=o.find(t=>t.id===e);if(!d)throw new Error(`[PatternLearner] missed-pattern "${e}" not found`);if("confirmed"!==d.status)throw new Error(`[PatternLearner] missed-pattern "${e}" must be status "confirmed" before promotion (current: "${d.status}")`);if(!r)throw new Error('[PatternLearner] promoteToScannerRule requires an explicit "pattern" regex source');const c=this.recordNewPattern({pattern:r,flags:n,category:d.expectedCategory,description:s||`Promoted from missed-pattern ${e}: ${d.expectedCategory}`,language:i||(d.language?[d.language]:[]),severity:a||d.severity||"medium",source:`learn:${e}`});return c.added&&(d.status="promoted",d.promotedAt=(new Date).toISOString(),d.promotedRuleId=c.id,this._writeJsonArray(this.missedPatternsFile,o)),Object.assign({},c,{missedEntry:d})}autoPromoteMissedPatterns(){const e=this._readJsonArray(this.missedPatternsFile),t=this._readJsonArray(this.communityFile);let r=0,n=0,s=0;const i=[];for(const a of e){if("pending"!==a.status)continue;r++;const e=this._deriveTrigger(a.content);if(!e){a.status="rejected",a.reviewedAt=(new Date).toISOString(),a.reviewNote="auto-review: no derivable pattern from stored content",s++;continue}if(this.patternExists(e,a.expectedCategory)){a.status="rejected",a.reviewedAt=(new Date).toISOString(),a.reviewNote="auto-review: derived pattern already covered by an existing rule",s++;continue}a.status="confirmed",a.reviewedAt=(new Date).toISOString(),a.reviewNote="auto-confirmed: derivable pattern found";const o=this._nextId(t,"COMM");t.push({id:o,pattern:e,flags:"gi",category:a.expectedCategory,description:`Auto-promoted from missed-pattern ${a.id}: ${a.expectedCategory}`,language:a.language?[a.language]:[],severity:a.severity||"medium",discoveredAt:(new Date).toISOString(),source:`learn:${a.id}`}),a.status="promoted",a.promotedAt=(new Date).toISOString(),a.promotedRuleId=o,n++,i.push(o)}return n>0&&(this._writeJsonArray(this.communityFile,t),this._invalidateRuleCache()),r>0&&this._writeJsonArray(this.missedPatternsFile,e),{reviewed:r,promoted:n,skipped:s,promotedIds:i}}}module.exports={PatternLearner:PatternLearner,RULES_DIR:RULES_DIR,COMMUNITY_FILE:COMMUNITY_FILE,MISSED_PATTERNS_FILE:MISSED_PATTERNS_FILE};
1
+ "use strict";const fs=require("fs"),path=require("path"),RULES_DIR=path.join(__dirname,"rules"),COMMUNITY_FILENAME="community-discovered.json",COMMUNITY_FILE=path.join(RULES_DIR,COMMUNITY_FILENAME),MISSED_PATTERNS_FILE=path.join(__dirname,"missed-patterns.json"),MAX_PATTERN_LENGTH=500,MAX_QUANTIFIERS=20,MAX_ALTERNATIONS=30;class PatternLearner{constructor(e={}){this.rulesDir=e.rulesDir||RULES_DIR,this.communityFile=e.communityFile||path.join(this.rulesDir,COMMUNITY_FILENAME),this.missedPatternsFile=e.missedPatternsFile||MISSED_PATTERNS_FILE}_readJsonArray(e){if(!fs.existsSync(e))return[];try{const t=JSON.parse(fs.readFileSync(e,"utf-8"));if(!Array.isArray(t))return[];for(const e of t)e&&"object"==typeof e&&(delete e.__proto__,delete e.constructor,delete e.prototype);return t}catch{return[]}}_writeJsonArray(e,t){fs.mkdirSync(path.dirname(e),{recursive:!0}),fs.writeFileSync(e,JSON.stringify(t,null,2)+"\n","utf-8")}_invalidateRuleCache(){try{delete require.cache[require.resolve("./rule-loader.js")]}catch{}}_nextId(e,t){if(!/^[A-Z]+$/.test(t))throw new Error(`[PatternLearner] _nextId prefix must be uppercase alpha, got: "${t}"`);let r=0;const n=new RegExp(`^${t}(\\d+)$`);for(const t of e){const e=n.exec(t.id||"");e&&(r=Math.max(r,parseInt(e[1],10)))}return t+String(r+1).padStart("MISS"===t?4:3,"0")}_deriveTrigger(e){if(!e||"string"!=typeof e)return null;const t=e.split(/\r?\n/).map(e=>e.trim()).filter(Boolean).find(e=>!e.startsWith("//")&&!e.startsWith("#")&&!e.startsWith("*")&&!e.startsWith("/*")&&!/^(import|from|using|package|require|namespace)\b/.test(e)&&e.length>=8&&e.length<=240);if(!t)return null;const r=t.replace(/[.*+?^${}()|[\]\\]/g,"\\$&");return this._checkRegexComplexity(r).safe?r:null}_checkRegexComplexity(e){if("string"!=typeof e||!e)return{safe:!1,reason:"pattern must be a non-empty string"};if(e.length>500)return{safe:!1,reason:"pattern exceeds max length of 500 characters"};let t=0,r=0;const n=[];for(let s=0;s<e.length;s++){const i=e[s];if("\\"!==i)if("("!==i){if(")"===i){const r=n.pop();if(!r)continue;const i=/^\{\d+(,\d*)?\}/.exec(e.slice(s+1)),a=e[s+1];if("+"===a||"*"===a||"?"===a||i){if(t++,r.hasQuantifier||r.hasAlternation)return{safe:!1,reason:"nested quantifier detected (potential catastrophic backtracking)"};n.length>0&&(n[n.length-1].hasQuantifier=!0)}continue}if("+"!==i&&"*"!==i&&"?"!==i){if("{"===i){/^\{\d+(,\d*)?\}/.exec(e.slice(s))&&(t++,n.length>0&&(n[n.length-1].hasQuantifier=!0));continue}"|"!==i||(r++,n.length>0&&(n[n.length-1].hasAlternation=!0))}else t++,n.length>0&&(n[n.length-1].hasQuantifier=!0)}else n.push({hasQuantifier:!1,hasAlternation:!1});else s++}return t>20?{safe:!1,reason:`pattern has ${t} quantifiers, exceeding max of 20`}:r>30?{safe:!1,reason:`pattern has ${r} alternations, exceeding max of 30`}:{safe:!0,reason:null}}patternExists(e,t){if(!fs.existsSync(this.rulesDir))return!1;const r=fs.readdirSync(this.rulesDir).filter(e=>e.endsWith(".json"));for(const n of r){const r=this._readJsonArray(path.join(this.rulesDir,n));for(const n of r)if(null==e){if(n.category===t)return!0}else if(n.pattern===e&&n.category===t)return!0}return!1}categoryCovered(e){return this.patternExists(null,e)}recordNewPattern(e={}){const{pattern:t,flags:r="gi",category:n,description:s,language:i=[],severity:a="medium",source:o}=e;if(!t||!n)throw new Error('[PatternLearner] recordNewPattern requires "pattern" and "category"');new RegExp(t,r);const d=this._checkRegexComplexity(t);if(!d.safe)throw new Error(`[PatternLearner] recordNewPattern rejected unsafe pattern: ${d.reason}`);if(this.patternExists(t,n))return{added:!1,reason:"duplicate",id:null};const c=this._readJsonArray(this.communityFile),u=this._nextId(c,"COMM"),l={id:u,pattern:t,flags:r,category:n,description:s||`Community-discovered pattern for "${n}"`,language:i,severity:a,discoveredAt:(new Date).toISOString(),source:o||"crucible-run"};return c.push(l),this._writeJsonArray(this.communityFile,c),this._invalidateRuleCache(),{added:!0,reason:null,id:u,entry:l}}recordDiscoveredIfUncovered(e={}){const{category:t,language:r,content:n,severity:s,seedId:i}=e;if(!t)return{added:!1,reason:"no-category"};if(this.categoryCovered(t))return{added:!1,reason:"already-covered"};const a=this._deriveTrigger(n);return a?this.recordNewPattern({pattern:a,flags:"gi",category:t,description:`Auto-discovered pattern for previously-uncovered category "${t}"`+(i?` (seed ${i})`:""),language:r?[r]:[],severity:s||"medium",source:`crucible-auto-discovery:${i||"unknown"}`}):{added:!1,reason:"no-derivable-trigger"}}recordMissedPattern(e={}){const{seedId:t,content:r,expectedCategory:n,language:s,scannerOutput:i,severity:a="medium",meta:o={}}=e;if(!n)throw new Error('[PatternLearner] recordMissedPattern requires "expectedCategory"');const d=this._readJsonArray(this.missedPatternsFile),c=`${t||""}|${n}|${s||""}`,u=d.find(e=>`${e.seedId||""}|${e.expectedCategory}|${e.language||""}`===c);if(u)return u.timesSeen=(u.timesSeen||1)+1,u.lastSeenAt=(new Date).toISOString(),this._writeJsonArray(this.missedPatternsFile,d),{added:!1,reason:"duplicate-updated",entry:u};const l={id:this._nextId(d,"MISS"),seedId:t||null,expectedCategory:n,language:s||null,severity:a,content:r||null,scannerOutput:i||null,status:"pending",discoveredAt:(new Date).toISOString(),timesSeen:1,meta:o};return d.push(l),this._writeJsonArray(this.missedPatternsFile,d),{added:!0,reason:null,entry:l}}getMissedPatterns(e={}){const t=this._readJsonArray(this.missedPatternsFile);return e.status?t.filter(t=>t.status===e.status):t}reviewMissedPattern(e,t){if("confirmed"!==t&&"rejected"!==t)throw new Error('[PatternLearner] decision must be "confirmed" or "rejected"');const r=this._readJsonArray(this.missedPatternsFile),n=r.find(t=>t.id===e);return n?(n.status=t,n.reviewedAt=(new Date).toISOString(),this._writeJsonArray(this.missedPatternsFile,r),n):null}promoteToScannerRule(e,t={}){const{pattern:r,flags:n="gi",description:s,language:i,severity:a}=t,o=this._readJsonArray(this.missedPatternsFile),d=o.find(t=>t.id===e);if(!d)throw new Error(`[PatternLearner] missed-pattern "${e}" not found`);if("confirmed"!==d.status)throw new Error(`[PatternLearner] missed-pattern "${e}" must be status "confirmed" before promotion (current: "${d.status}")`);if(!r)throw new Error('[PatternLearner] promoteToScannerRule requires an explicit "pattern" regex source');const c=this.recordNewPattern({pattern:r,flags:n,category:d.expectedCategory,description:s||`Promoted from missed-pattern ${e}: ${d.expectedCategory}`,language:i||(d.language?[d.language]:[]),severity:a||d.severity||"medium",source:`learn:${e}`});return c.added&&(d.status="promoted",d.promotedAt=(new Date).toISOString(),d.promotedRuleId=c.id,this._writeJsonArray(this.missedPatternsFile,o)),Object.assign({},c,{missedEntry:d})}autoPromoteMissedPatterns(){const e=this._readJsonArray(this.missedPatternsFile),t=this._readJsonArray(this.communityFile);let r=0,n=0,s=0;const i=[];for(const a of e){if("pending"!==a.status)continue;r++;const e=this._deriveTrigger(a.content);if(!e){a.status="rejected",a.reviewedAt=(new Date).toISOString(),a.reviewNote="auto-review: no derivable pattern from stored content",s++;continue}if(this.patternExists(e,a.expectedCategory)){a.status="rejected",a.reviewedAt=(new Date).toISOString(),a.reviewNote="auto-review: derived pattern already covered by an existing rule",s++;continue}a.status="confirmed",a.reviewedAt=(new Date).toISOString(),a.reviewNote="auto-confirmed: derivable pattern found";const o=this._nextId(t,"COMM");t.push({id:o,pattern:e,flags:"gi",category:a.expectedCategory,description:`Auto-promoted from missed-pattern ${a.id}: ${a.expectedCategory}`,language:a.language?[a.language]:[],severity:a.severity||"medium",discoveredAt:(new Date).toISOString(),source:`learn:${a.id}`}),a.status="promoted",a.promotedAt=(new Date).toISOString(),a.promotedRuleId=o,n++,i.push(o)}return n>0&&(this._writeJsonArray(this.communityFile,t),this._invalidateRuleCache()),r>0&&this._writeJsonArray(this.missedPatternsFile,e),{reviewed:r,promoted:n,skipped:s,promotedIds:i}}}module.exports={PatternLearner:PatternLearner,RULES_DIR:RULES_DIR,COMMUNITY_FILE:COMMUNITY_FILE,MISSED_PATTERNS_FILE:MISSED_PATTERNS_FILE};
@@ -1 +1 @@
1
- "use strict";const fs=require("fs"),path=require("path"),RULES_DIR=path.join(__dirname,"rules"),MAX_PATTERN_LENGTH=500,MAX_QUANTIFIERS=20,MAX_ALTERNATIONS=30;function _checkRegexComplexity(e){if("string"!=typeof e||!e)return{safe:!1,reason:"pattern must be a non-empty string"};if(e.length>500)return{safe:!1,reason:"pattern exceeds max length of 500"};let t=0,n=0;const r=[];for(let s=0;s<e.length;s++){const a=e[s];if("\\"!==a)if("("!==a){if(")"===a){const n=r.pop();if(!n)continue;const a=/^\{\d+(,\d*)?\}/.exec(e.slice(s+1)),i=e[s+1];if("+"===i||"*"===i||"?"===i||a){if(t++,n.hasQuantifier)return{safe:!1,reason:"nested quantifier detected (potential catastrophic backtracking)"};r.length>0&&(r[r.length-1].hasQuantifier=!0)}continue}if("+"!==a&&"*"!==a&&"?"!==a){if("{"===a){/^\{\d+(,\d*)?\}/.exec(e.slice(s))&&(t++,r.length>0&&(r[r.length-1].hasQuantifier=!0));continue}"|"!==a||(n++,r.length>0&&(r[r.length-1].hasAlternation=!0))}else t++,r.length>0&&(r[r.length-1].hasQuantifier=!0)}else{if("?"===e[s+1]){const t=e[s+2];":"===t||"="===t||"!"===t?s+=2:"<"===t&&(s+=3)}r.push({hasQuantifier:!1,hasAlternation:!1})}else s++}return t>20?{safe:!1,reason:`pattern has ${t} quantifiers, exceeding max of 20`}:n>30?{safe:!1,reason:`pattern has ${n} alternations, exceeding max of 30`}:{safe:!0,reason:null}}let _compiledPatterns=null;function getPatterns(){if(_compiledPatterns)return _compiledPatterns;const e=fs.readdirSync(RULES_DIR).filter(e=>e.endsWith(".json")).sort(),t=[];for(const n of e){const e=path.join(RULES_DIR,n);let r;try{const t=fs.readFileSync(e,"utf-8");r=JSON.parse(t)}catch(e){throw new Error(`[rule-loader] Failed to read/parse rule file "${n}": ${e.message}`)}if(!Array.isArray(r))throw new Error(`[rule-loader] Rule file "${n}" must export a JSON array, got: ${typeof r}`);for(const e of r){if(e.pattern){const t=_checkRegexComplexity(e.pattern);if(!t.safe){console.warn(`[rule-loader] WARNING: Skipping rule "${e.id}" in "${n}" — ${t.reason}`);continue}}let r,s;try{r=new RegExp(e.pattern,e.flags||"")}catch(t){throw new Error(`[rule-loader] Failed to compile rule "${e&&e.id}" in file "${n}": ${t.message}\n pattern: ${e&&e.pattern}\n flags: ${e&&e.flags}`)}if(e.context)try{s=new RegExp(e.context,e.contextFlags||"")}catch(t){throw new Error(`[rule-loader] Failed to compile context for rule "${e&&e.id}" in file "${n}": ${t.message}`)}t.push({regex:r,category:e.category,id:e.id,description:e.description,language:e.language,severity:e.severity,name:e.name,type:e.type,message:e.message,context:s,skipIfSafe:e.skipIfSafe,skipInTests:e.skipInTests,sourceFile:n})}}return _compiledPatterns=t,_compiledPatterns}function getCodeScannerPatterns(){return getPatterns().filter(e=>"code-scanner-core.json"===e.sourceFile).map(e=>{const t={id:e.id,name:e.name,type:e.type,pattern:e.regex,severity:e.severity,message:e.message};return e.context&&(t.context=e.context),e.skipIfSafe&&(t.skipIfSafe=!0),e.skipInTests&&(t.skipInTests=!0),t})}module.exports={getPatterns:getPatterns,getCodeScannerPatterns:getCodeScannerPatterns};
1
+ "use strict";const fs=require("fs"),path=require("path"),RULES_DIR=path.join(__dirname,"rules"),MAX_PATTERN_LENGTH=500,MAX_QUANTIFIERS=20,MAX_ALTERNATIONS=30;function _checkRegexComplexity(e){if("string"!=typeof e||!e)return{safe:!1,reason:"pattern must be a non-empty string"};if(e.length>500)return{safe:!1,reason:"pattern exceeds max length of 500"};let t=0,n=0;const r=[];for(let s=0;s<e.length;s++){const a=e[s];if("\\"!==a)if("("!==a){if(")"===a){const n=r.pop();if(!n)continue;const a=/^\{\d+(,\d*)?\}/.exec(e.slice(s+1)),i=e[s+1];if("+"===i||"*"===i||"?"===i||a){if(t++,n.hasQuantifier)return{safe:!1,reason:"nested quantifier detected (potential catastrophic backtracking)"};r.length>0&&(r[r.length-1].hasQuantifier=!0)}continue}if("+"!==a&&"*"!==a&&"?"!==a){if("{"===a){/^\{\d+(,\d*)?\}/.exec(e.slice(s))&&(t++,r.length>0&&(r[r.length-1].hasQuantifier=!0));continue}"|"!==a||(n++,r.length>0&&(r[r.length-1].hasAlternation=!0))}else t++,r.length>0&&(r[r.length-1].hasQuantifier=!0)}else{if("?"===e[s+1]){const t=e[s+2];":"===t||"="===t||"!"===t?s+=2:"<"===t&&(s+=3)}r.push({hasQuantifier:!1,hasAlternation:!1})}else s++}return t>20?{safe:!1,reason:`pattern has ${t} quantifiers, exceeding max of 20`}:n>30?{safe:!1,reason:`pattern has ${n} alternations, exceeding max of 30`}:{safe:!0,reason:null}}let _compiledPatterns=null;function getPatterns(){if(_compiledPatterns)return _compiledPatterns;const e=fs.readdirSync(RULES_DIR).filter(e=>e.endsWith(".json")).sort(),t=[];for(const n of e){const e=path.join(RULES_DIR,n);let r;try{const t=fs.readFileSync(e,"utf-8");r=JSON.parse(t)}catch(e){throw new Error(`[rule-loader] Failed to read/parse rule file "${n}": ${e.message}`)}if(!Array.isArray(r))throw new Error(`[rule-loader] Rule file "${n}" must export a JSON array, got: ${typeof r}`);for(const e of r){if(e.pattern){const t=_checkRegexComplexity(e.pattern);if(!t.safe){console.warn(`[rule-loader] WARNING: Skipping rule "${e.id}" in "${n}" — ${t.reason}`);continue}}let r,s;try{r=new RegExp(e.pattern,e.flags||"")}catch(t){throw new Error(`[rule-loader] Failed to compile rule "${e&&e.id}" in file "${n}": ${t.message}\n pattern: ${e&&e.pattern}\n flags: ${e&&e.flags}`)}if(e.context)try{s=new RegExp(e.context,e.contextFlags||"")}catch(t){throw new Error(`[rule-loader] Failed to compile context for rule "${e&&e.id}" in file "${n}": ${t.message}`)}t.push({regex:r,category:e.category,id:e.id,description:e.description,language:e.language,severity:e.severity,name:e.name,type:e.type,message:e.message,context:s,skipIfSafe:e.skipIfSafe,skipInTests:e.skipInTests,excludeExtensions:e.excludeExtensions,owasp:e.owasp,cwe:e.cwe,sourceFile:n})}}return _compiledPatterns=t,_compiledPatterns}function getCodeScannerPatterns(){return getPatterns().filter(e=>"code-scanner-core.json"===e.sourceFile).map(e=>{const t={id:e.id,name:e.name,type:e.type,pattern:e.regex,severity:e.severity,message:e.message};return e.context&&(t.context=e.context),e.skipIfSafe&&(t.skipIfSafe=!0),e.skipInTests&&(t.skipInTests=!0),e.excludeExtensions&&(t.excludeExtensions=e.excludeExtensions),e.owasp&&(t.owasp=e.owasp),e.cwe&&(t.cwe=e.cwe),t})}module.exports={getPatterns:getPatterns,getCodeScannerPatterns:getCodeScannerPatterns};
@@ -1,147 +1,281 @@
1
- [
2
- {
3
- "id": "SEC001",
4
- "name": "Hardcoded API Key",
5
- "type": "hardcoded_secret",
6
- "pattern": "['\"](?:sk-|pk-|xox[pboa]-|AKIA|ghp_|gho_|github_pat_)[a-zA-Z0-9_-]{10,}['\"]|['\"][a-zA-Z0-9]{32,}['\"]",
7
- "flags": "",
8
- "severity": "critical",
9
- "message": "Possible hardcoded API key or secret detected",
10
- "context": "(api[_-]?key|apikey|secret[_\\s]*key|token|credential|bearer)",
11
- "contextFlags": "i",
12
- "skipIfSafe": true
13
- },
14
- {
15
- "id": "SEC001B",
16
- "name": "Hardcoded API Key (bare)",
17
- "type": "hardcoded_secret",
18
- "pattern": "['\"](?:sk-|pk-|xox[pboa]-|AKIA|ghp_|gho_|github_pat_)[a-zA-Z0-9_-]{10,}['\"]",
19
- "flags": "",
20
- "severity": "critical",
21
- "message": "Possible hardcoded API key or secret detected",
22
- "skipIfSafe": true
23
- },
24
- {
25
- "id": "SEC002",
26
- "name": "Hardcoded Password",
27
- "type": "hardcoded_secret",
28
- "pattern": "password\\s*[:=]\\s*['\"][^'\"]+['\"]",
29
- "flags": "i",
30
- "severity": "critical",
31
- "message": "Hardcoded password detected",
32
- "skipIfSafe": true,
33
- "skipInTests": true
34
- },
35
- {
36
- "id": "SEC002B",
37
- "name": "Hardcoded Password (JSON key)",
38
- "type": "hardcoded_secret",
39
- "pattern": "[\"']password[\"']\\s*:\\s*[\"'][^\"']+[\"']",
40
- "flags": "i",
41
- "severity": "critical",
42
- "message": "Hardcoded password detected",
43
- "skipIfSafe": true,
44
- "skipInTests": true
45
- },
46
- {
47
- "id": "SEC003",
48
- "name": "SQL Injection Risk",
49
- "type": "sql_injection",
50
- "pattern": "\\b(?:SELECT|INSERT\\s+INTO|UPDATE|DELETE\\s+FROM|WHERE)\\b.*(\\$\\{|\\+\\s*['\"]|\\+\\s*\\w+|f['\"].*\\{|%s|%d)",
51
- "flags": "i",
52
- "severity": "error",
53
- "message": "Potential SQL injection - use parameterized queries"
54
- },
55
- {
56
- "id": "SEC004",
57
- "name": "eval() Usage",
58
- "type": "eval_abuse",
59
- "pattern": "\\beval\\s*\\(",
60
- "flags": "",
61
- "severity": "error",
62
- "message": "eval() is dangerous and should be avoided"
63
- },
64
- {
65
- "id": "SEC004B",
66
- "name": "eval() Usage (unicode-escaped)",
67
- "type": "eval_abuse",
68
- "pattern": "\\\\u0065\\\\u0076\\\\u0061\\\\u006[cC]",
69
- "flags": "",
70
- "severity": "error",
71
- "message": "Obfuscated eval() usage (unicode escapes) is dangerous and should be avoided"
72
- },
73
- {
74
- "id": "SEC005",
75
- "name": "innerHTML/document.write Assignment",
76
- "type": "xss",
77
- "pattern": "\\.innerHTML\\s*=|\\bdocument\\.write\\s*\\(",
78
- "flags": "",
79
- "severity": "warning",
80
- "message": "innerHTML/document.write can cause XSS - consider using textContent or sanitization"
81
- },
82
- {
83
- "id": "SEC006",
84
- "name": "Disabled Security",
85
- "type": "insecure_config",
86
- "pattern": "rejectUnauthorized\\s*:\\s*false|verify\\s*=\\s*False|InsecureSkipVerify\\s*:\\s*true",
87
- "flags": "",
88
- "severity": "error",
89
- "message": "SSL certificate validation disabled"
90
- },
91
- {
92
- "id": "SEC007",
93
- "name": "Exposed .env Reference",
94
- "type": "insecure_config",
95
- "pattern": "\\.env['\"]",
96
- "flags": "",
97
- "severity": "warning",
98
- "message": "Direct .env file manipulation - ensure not exposed",
99
- "context": "fs\\.(read|write)|path\\.join|open\\s*\\(|os\\.Open",
100
- "contextFlags": "i"
101
- },
102
- {
103
- "id": "SEC008",
104
- "name": "Unsafe Block (Rust)",
105
- "type": "memory_safety",
106
- "pattern": "\\bunsafe\\s*\\{",
107
- "flags": "",
108
- "severity": "warning",
109
- "message": "Rust unsafe block - verify memory safety guarantees"
110
- },
111
- {
112
- "id": "SEC009",
113
- "name": "Shell Execution (PHP/Ruby/Python)",
114
- "type": "command_injection",
115
- "pattern": "\\bshell_exec\\s*\\(|\\bpassthru\\s*\\(|`[^`]+`|\\bos\\.system\\s*\\(|\\bos\\.popen\\s*\\(|\\bsubprocess\\.(?:call|run|Popen|check_output)\\s*\\([^)]*shell\\s*=\\s*True",
116
- "flags": "",
117
- "severity": "error",
118
- "message": "Shell/OS execution function — command injection risk if input unsanitized"
119
- },
120
- {
121
- "id": "SEC010",
122
- "name": "Prototype Pollution",
123
- "type": "prototype_pollution",
124
- "pattern": "\\[\\s*['\"]__proto__['\"]\\s*\\]|\\.__proto__\\s*(=|\\[)|constructor\\s*\\[\\s*['\"]prototype['\"]\\s*\\]|constructor\\.prototype\\s*(=|\\[)|['\"]__proto__['\"]\\s*:",
125
- "flags": "",
126
- "severity": "error",
127
- "message": "Possible prototype pollution via __proto__/constructor.prototype"
128
- },
129
- {
130
- "id": "SEC011",
131
- "name": "PHP SQL Injection (dot concatenation)",
132
- "type": "sql_injection",
133
- "pattern": "\"SELECT[^\"]*WHERE[^\"]*\"\\s*\\.\\s*\\$[a-zA-Z_]|\"UPDATE[^\"]*SET[^\"]*\"\\s*\\.\\s*\\$[a-zA-Z_]|\"DELETE[^\"]*WHERE[^\"]*\"\\s*\\.\\s*\\$[a-zA-Z_]|\\$(?:query|sql|qry)\\s*\\.=\\s*\\$(?:_GET|_POST|_REQUEST|_COOKIE)",
134
- "flags": "i",
135
- "severity": "critical",
136
- "message": "PHP SQL injection: user input concatenated into SQL query with dot operator — use PDO prepared statements"
137
- },
138
- {
139
- "id": "SEC012",
140
- "name": "PHP XSS (echo with user input)",
141
- "type": "xss",
142
- "pattern": "echo\\s+(?!htmlspecialchars|htmlentities|strip_tags|esc_html).*\\$(?:_GET|_POST|_REQUEST|_COOKIE)|echo\\s+[\"'][^\"']*[\"']\\s*\\.\\s*\\$(?:_GET|_POST|_REQUEST|_COOKIE)|print\\s+\\$(?:_GET|_POST|_REQUEST|_COOKIE)",
143
- "flags": "i",
144
- "severity": "error",
145
- "message": "PHP XSS: unescaped user input echoed to page — use htmlspecialchars()"
146
- }
147
- ]
1
+ [
2
+ {
3
+ "id": "SEC001",
4
+ "name": "Hardcoded API Key",
5
+ "type": "hardcoded_secret",
6
+ "pattern": "['\"](?:sk-|pk-|xox[pboa]-|AKIA|ghp_|gho_|github_pat_)[a-zA-Z0-9_-]{10,}['\"]|['\"][a-zA-Z0-9]{32,}['\"]",
7
+ "flags": "",
8
+ "severity": "critical",
9
+ "message": "Possible hardcoded API key or secret detected",
10
+ "context": "(api[_-]?key|apikey|secret[_\\s]*key|token|credential|bearer)",
11
+ "contextFlags": "i",
12
+ "skipIfSafe": true,
13
+ "owasp": "A02:2021 Cryptographic Failures",
14
+ "cwe": "CWE-798"
15
+ },
16
+ {
17
+ "id": "SEC001B",
18
+ "name": "Hardcoded API Key (bare)",
19
+ "type": "hardcoded_secret",
20
+ "pattern": "['\"](?:sk-|pk-|xox[pboa]-|AKIA|ghp_|gho_|github_pat_)[a-zA-Z0-9_-]{10,}['\"]",
21
+ "flags": "",
22
+ "severity": "critical",
23
+ "message": "Possible hardcoded API key or secret detected",
24
+ "skipIfSafe": true,
25
+ "owasp": "A02:2021 Cryptographic Failures",
26
+ "cwe": "CWE-798"
27
+ },
28
+ {
29
+ "id": "SEC002",
30
+ "name": "Hardcoded Password",
31
+ "type": "hardcoded_secret",
32
+ "pattern": "password\\s*[:=]\\s*['\"][^'\"]+['\"]",
33
+ "flags": "i",
34
+ "severity": "critical",
35
+ "message": "Hardcoded password detected",
36
+ "skipIfSafe": true,
37
+ "skipInTests": true,
38
+ "owasp": "A02:2021 Cryptographic Failures",
39
+ "cwe": "CWE-798"
40
+ },
41
+ {
42
+ "id": "SEC002B",
43
+ "name": "Hardcoded Password (JSON key)",
44
+ "type": "hardcoded_secret",
45
+ "pattern": "[\"']password[\"']\\s*:\\s*[\"'][^\"']+[\"']",
46
+ "flags": "i",
47
+ "severity": "critical",
48
+ "message": "Hardcoded password detected",
49
+ "skipIfSafe": true,
50
+ "skipInTests": true,
51
+ "owasp": "A02:2021 Cryptographic Failures",
52
+ "cwe": "CWE-798"
53
+ },
54
+ {
55
+ "id": "SEC003",
56
+ "name": "SQL Injection Risk",
57
+ "type": "sql_injection",
58
+ "pattern": "\\b(?:SELECT|INSERT\\s+INTO|UPDATE|DELETE\\s+FROM|WHERE)\\b.*(\\$\\{|\\+\\s*['\"]|\\+\\s*\\w+|f['\"].*\\{|%s|%d)",
59
+ "flags": "i",
60
+ "severity": "error",
61
+ "message": "Potential SQL injection - use parameterized queries",
62
+ "owasp": "A03:2021 Injection",
63
+ "cwe": "CWE-89"
64
+ },
65
+ {
66
+ "id": "SEC004",
67
+ "name": "eval() Usage",
68
+ "type": "eval_abuse",
69
+ "pattern": "\\beval\\s*\\(",
70
+ "flags": "",
71
+ "severity": "error",
72
+ "message": "eval() is dangerous and should be avoided",
73
+ "owasp": "A03:2021 Injection",
74
+ "cwe": "CWE-95"
75
+ },
76
+ {
77
+ "id": "SEC004B",
78
+ "name": "eval() Usage (unicode-escaped)",
79
+ "type": "eval_abuse",
80
+ "pattern": "\\\\u0065\\\\u0076\\\\u0061\\\\u006[cC]",
81
+ "flags": "",
82
+ "severity": "error",
83
+ "message": "Obfuscated eval() usage (unicode escapes) is dangerous and should be avoided",
84
+ "owasp": "A03:2021 Injection",
85
+ "cwe": "CWE-95"
86
+ },
87
+ {
88
+ "id": "SEC005",
89
+ "name": "innerHTML/document.write Assignment",
90
+ "type": "xss",
91
+ "pattern": "\\.innerHTML\\s*=|\\bdocument\\.write\\s*\\(",
92
+ "flags": "",
93
+ "severity": "warning",
94
+ "message": "innerHTML/document.write can cause XSS - consider using textContent or sanitization",
95
+ "owasp": "A03:2021 Injection",
96
+ "cwe": "CWE-79"
97
+ },
98
+ {
99
+ "id": "SEC006",
100
+ "name": "Disabled Security",
101
+ "type": "insecure_config",
102
+ "pattern": "rejectUnauthorized\\s*:\\s*false|verify\\s*=\\s*False|InsecureSkipVerify\\s*:\\s*true",
103
+ "flags": "",
104
+ "severity": "error",
105
+ "message": "SSL certificate validation disabled",
106
+ "owasp": "A02:2021 Cryptographic Failures",
107
+ "cwe": "CWE-295"
108
+ },
109
+ {
110
+ "id": "SEC007",
111
+ "name": "Exposed .env Reference",
112
+ "type": "insecure_config",
113
+ "pattern": "\\.env['\"]",
114
+ "flags": "",
115
+ "severity": "warning",
116
+ "message": "Direct .env file manipulation - ensure not exposed",
117
+ "context": "fs\\.(read|write)|path\\.join|open\\s*\\(|os\\.Open",
118
+ "contextFlags": "i",
119
+ "owasp": "A05:2021 Security Misconfiguration",
120
+ "cwe": "CWE-538"
121
+ },
122
+ {
123
+ "id": "SEC008",
124
+ "name": "Unsafe Block (Rust)",
125
+ "type": "memory_safety",
126
+ "pattern": "\\bunsafe\\s*\\{",
127
+ "flags": "",
128
+ "severity": "warning",
129
+ "message": "Rust unsafe block - verify memory safety guarantees",
130
+ "owasp": "A06:2021 Vulnerable and Outdated Components",
131
+ "cwe": "CWE-787"
132
+ },
133
+ {
134
+ "id": "SEC009",
135
+ "name": "Shell Execution (PHP/Ruby/Python)",
136
+ "type": "command_injection",
137
+ "pattern": "\\bshell_exec\\s*\\(|\\bpassthru\\s*\\(|\\bos\\.system\\s*\\(|\\bos\\.popen\\s*\\(|\\bsubprocess\\.(?:call|run|Popen|check_output)\\s*\\([^)]*shell\\s*=\\s*True|\\bexec\\s*\\(\\s*[\"']|\\bsystem\\s*\\(\\s*[\"']",
138
+ "flags": "",
139
+ "severity": "error",
140
+ "message": "Shell/OS execution function command injection risk if input unsanitized",
141
+ "excludeExtensions": [".js", ".ts", ".jsx", ".tsx", ".mjs", ".cjs"],
142
+ "owasp": "A03:2021 Injection",
143
+ "cwe": "CWE-78"
144
+ },
145
+ {
146
+ "id": "SEC010",
147
+ "name": "Prototype Pollution",
148
+ "type": "prototype_pollution",
149
+ "pattern": "\\[\\s*['\"]__proto__['\"]\\s*\\]|\\.__proto__\\s*(=|\\[)|constructor\\s*\\[\\s*['\"]prototype['\"]\\s*\\]|constructor\\.prototype\\s*(=|\\[)|['\"]__proto__['\"]\\s*:",
150
+ "flags": "",
151
+ "severity": "error",
152
+ "message": "Possible prototype pollution via __proto__/constructor.prototype",
153
+ "owasp": "A03:2021 Injection",
154
+ "cwe": "CWE-1321"
155
+ },
156
+ {
157
+ "id": "SEC011",
158
+ "name": "PHP SQL Injection (dot concatenation)",
159
+ "type": "sql_injection",
160
+ "pattern": "\"SELECT[^\"]*WHERE[^\"]*\"\\s*\\.\\s*\\$[a-zA-Z_]|\"UPDATE[^\"]*SET[^\"]*\"\\s*\\.\\s*\\$[a-zA-Z_]|\"DELETE[^\"]*WHERE[^\"]*\"\\s*\\.\\s*\\$[a-zA-Z_]|\\$(?:query|sql|qry)\\s*\\.=\\s*\\$(?:_GET|_POST|_REQUEST|_COOKIE)",
161
+ "flags": "i",
162
+ "severity": "critical",
163
+ "message": "PHP SQL injection: user input concatenated into SQL query with dot operator — use PDO prepared statements",
164
+ "owasp": "A03:2021 Injection",
165
+ "cwe": "CWE-89"
166
+ },
167
+ {
168
+ "id": "SEC012",
169
+ "name": "PHP XSS (echo with user input)",
170
+ "type": "xss",
171
+ "pattern": "echo\\s+(?!htmlspecialchars|htmlentities|strip_tags|esc_html).*\\$(?:_GET|_POST|_REQUEST|_COOKIE)|echo\\s+[\"'][^\"']*[\"']\\s*\\.\\s*\\$(?:_GET|_POST|_REQUEST|_COOKIE)|print\\s+\\$(?:_GET|_POST|_REQUEST|_COOKIE)",
172
+ "flags": "i",
173
+ "severity": "error",
174
+ "message": "PHP XSS: unescaped user input echoed to page — use htmlspecialchars()",
175
+ "owasp": "A03:2021 Injection",
176
+ "cwe": "CWE-79"
177
+ },
178
+ {
179
+ "id": "SEC013",
180
+ "name": "Hardcoded JWT Token",
181
+ "type": "hardcoded_secret",
182
+ "pattern": "['\"]eyJ[A-Za-z0-9_-]{20,}\\.[A-Za-z0-9_-]{20,}\\.[A-Za-z0-9_-]{20,}['\"]",
183
+ "flags": "",
184
+ "severity": "critical",
185
+ "message": "Hardcoded JWT token detected — rotate immediately and use environment variables",
186
+ "skipIfSafe": true,
187
+ "skipInTests": true,
188
+ "owasp": "A02:2021 Cryptographic Failures",
189
+ "cwe": "CWE-798"
190
+ },
191
+ {
192
+ "id": "SEC014",
193
+ "name": "Hardcoded PEM Private Key",
194
+ "type": "hardcoded_secret",
195
+ "pattern": "-----BEGIN (?:RSA |EC )?PRIVATE KEY-----",
196
+ "flags": "",
197
+ "severity": "critical",
198
+ "message": "Private key embedded in source code — move to secure key store or environment variable",
199
+ "owasp": "A02:2021 Cryptographic Failures",
200
+ "cwe": "CWE-321"
201
+ },
202
+ {
203
+ "id": "SEC015",
204
+ "name": "Hardcoded AWS Secret Access Key",
205
+ "type": "hardcoded_secret",
206
+ "pattern": "(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY|SecretAccessKey)\\s*[:=]\\s*['\"][A-Za-z0-9/+=]{40}['\"]",
207
+ "flags": "",
208
+ "severity": "critical",
209
+ "message": "AWS Secret Access Key hardcoded — use IAM roles or environment variables",
210
+ "skipIfSafe": true,
211
+ "owasp": "A02:2021 Cryptographic Failures",
212
+ "cwe": "CWE-798"
213
+ },
214
+ {
215
+ "id": "SEC016",
216
+ "name": "Rust Hardcoded Secret (const &str)",
217
+ "type": "hardcoded_secret",
218
+ "pattern": "const\\s+(?:PASSWORD|SECRET|API_KEY|TOKEN|PRIVATE_KEY|DB_PASS)\\s*:\\s*&str\\s*=\\s*\"[^\"]+\"",
219
+ "flags": "i",
220
+ "severity": "critical",
221
+ "message": "Hardcoded secret in Rust const — use environment variables at runtime",
222
+ "skipInTests": true,
223
+ "owasp": "A02:2021 Cryptographic Failures",
224
+ "cwe": "CWE-798"
225
+ },
226
+ {
227
+ "id": "SEC017",
228
+ "name": "Rust format! SQL Injection",
229
+ "type": "sql_injection",
230
+ "pattern": "format!\\s*\\(\\s*\"(?:SELECT|INSERT|UPDATE|DELETE|WHERE)[^\"]*\\{",
231
+ "flags": "i",
232
+ "severity": "error",
233
+ "message": "SQL query built with format!() macro — use parameterized queries (sqlx::query! or bind)",
234
+ "owasp": "A03:2021 Injection",
235
+ "cwe": "CWE-89"
236
+ },
237
+ {
238
+ "id": "SEC018",
239
+ "name": "Ruby String Interpolation XSS/Injection",
240
+ "type": "xss",
241
+ "pattern": "[\"'](?:SELECT|INSERT|UPDATE|DELETE|WHERE|<)[^\"']*#\\{[^}]*(?:params|request|input|user|cookies|session)[^}]*\\}",
242
+ "flags": "i",
243
+ "severity": "error",
244
+ "message": "User input interpolated via Ruby #{} into SQL/HTML — use parameterized queries or sanitize",
245
+ "owasp": "A03:2021 Injection",
246
+ "cwe": "CWE-89"
247
+ },
248
+ {
249
+ "id": "SEC019",
250
+ "name": "Go format SQL Injection",
251
+ "type": "sql_injection",
252
+ "pattern": "fmt\\.Sprintf\\s*\\(\\s*\"(?:SELECT|INSERT|UPDATE|DELETE|WHERE)[^\"]*%[sv]",
253
+ "flags": "i",
254
+ "severity": "error",
255
+ "message": "SQL query built with fmt.Sprintf — use parameterized queries (db.Query with $1/? placeholders)",
256
+ "owasp": "A03:2021 Injection",
257
+ "cwe": "CWE-89"
258
+ },
259
+ {
260
+ "id": "RUST001",
261
+ "name": "Rust Deprecated API (mem::uninitialized)",
262
+ "type": "deprecated_api",
263
+ "pattern": "mem::uninitialized\\s*\\(|MaybeUninit::uninit\\(\\)\\.assume_init\\(\\)",
264
+ "flags": "",
265
+ "severity": "error",
266
+ "message": "mem::uninitialized is UB since Rust 1.39 — use MaybeUninit::zeroed() or MaybeUninit with proper init",
267
+ "owasp": "A06:2021 Vulnerable and Outdated Components",
268
+ "cwe": "CWE-908"
269
+ },
270
+ {
271
+ "id": "RUST002",
272
+ "name": "Rust Deprecated trim_left/trim_right",
273
+ "type": "deprecated_api",
274
+ "pattern": "\\.trim_left\\(\\)|\\.trim_right\\(\\)|\\.trim_left_matches\\(|\\.trim_right_matches\\(",
275
+ "flags": "",
276
+ "severity": "warning",
277
+ "message": "trim_left/trim_right deprecated since Rust 1.33 — use trim_start/trim_end",
278
+ "owasp": "A06:2021 Vulnerable and Outdated Components",
279
+ "cwe": "CWE-477"
280
+ }
281
+ ]