vaspera 2.10.1 → 2.12.0

package/dist/scanners/detection/rules/builtin.js

@@ -0,0 +1,307 @@
+/**
+ * Built-in Detection Rules
+ *
+ * Proprietary detection rules that differentiate Vaspera from Semgrep wrappers.
+ * These rules use data flow and control flow analysis for high-confidence detection.
+ *
+ * @module scanners/detection/rules/builtin
+ */
+export const BUILTIN_RULES = [
+    {
+        id: "vaspera:idor:user-controlled-id",
+        name: "User-Controlled ID Without Ownership Check",
+        description: "API endpoint accepts user-controlled ID parameter without verifying the requesting user owns the referenced resource. This allows attackers to access other users' data by manipulating the ID.",
+        category: "idor",
+        severity: "high",
+        confidence: 85,
+        enabled: true,
+        engines: {
+            dataFlow: {
+                sources: [
+                    { pattern: "req.params.$id", description: "URL path parameter" },
+                    { pattern: "req.query.$id", description: "Query string parameter" },
+                    { pattern: "req.body.$id", description: "Request body field" },
+                    { pattern: "request.params.$id" },
+                    { pattern: "ctx.params.$id" },
+                ],
+                sinks: [
+                    { pattern: "findById($source)", description: "Direct ID lookup" },
+                    { pattern: "findOne({ id: $source })" },
+                    { pattern: "findUnique({ where: { id: $source } })" },
+                    { pattern: "where({ id: $source })" },
+                    { pattern: "get($source)" },
+                ],
+                sanitizers: [
+                    { pattern: "verifyOwnership($source, $user)" },
+                    { pattern: "checkAccess($source, $user)" },
+                    { pattern: "belongsTo($source, $user)" },
+                    { pattern: "isOwner($source)" },
+                    { pattern: "canAccess($source)" },
+                ],
+            },
+        },
+        cweIds: ["CWE-639", "CWE-284"],
+        owaspRefs: ["API1:2023", "A01:2021"],
+        autofixPatternId: "add-ownership-check",
+    },
+    {
+        id: "vaspera:bola:mass-assignment",
+        name: "Broken Object Level Authorization via Mass Assignment",
+        description: "Endpoint accepts object updates without filtering sensitive fields or verifying authorization. Attackers can modify fields they shouldn't have access to (e.g., isAdmin, role, balance).",
+        category: "bola",
+        severity: "high",
+        confidence: 80,
+        enabled: true,
+        engines: {
+            dataFlow: {
+                sources: [
+                    { pattern: "req.body", description: "Full request body" },
+                    { pattern: "request.body" },
+                    { pattern: "ctx.request.body" },
+                    { pattern: "{ ...req.body }", description: "Spread request body" },
+                ],
+                sinks: [
+                    { pattern: "update($source)" },
+                    { pattern: "updateOne($source)" },
+                    { pattern: "updateMany($source)" },
+                    { pattern: "save($source)" },
+                    { pattern: "Object.assign($target, $source)" },
+                    { pattern: "{ ...$target, ...$source }" },
+                ],
+                sanitizers: [
+                    { pattern: "pick($source, $fields)", description: "Whitelist fields" },
+                    { pattern: "omit($source, $fields)", description: "Blacklist fields" },
+                    { pattern: "sanitize($source)" },
+                    { pattern: "allowedFields.filter" },
+                ],
+            },
+        },
+        cweIds: ["CWE-915", "CWE-284"],
+        owaspRefs: ["API3:2023", "A01:2021"],
+        autofixPatternId: "add-field-whitelist",
+    },
+    {
+        id: "vaspera:auth-bypass:missing-middleware",
+        name: "Missing Authentication Middleware",
+        description: "Route handler accesses sensitive operations without authentication middleware. The endpoint can be accessed by unauthenticated users.",
+        category: "auth-bypass",
+        severity: "critical",
+        confidence: 75,
+        enabled: true,
+        engines: {
+            astQuery: {
+                pattern: "router.$method($path, $handler)",
+                constraints: {
+                    method: "get|post|put|patch|delete",
+                },
+            },
+            controlFlow: {
+                entryPoints: [
+                    "router.get",
+                    "router.post",
+                    "router.put",
+                    "router.patch",
+                    "router.delete",
+                    "app.get",
+                    "app.post",
+                ],
+                mustReach: [
+                    { pattern: "req.user", description: "Must access authenticated user" },
+                    { pattern: "req.session", description: "Must check session" },
+                    { pattern: "isAuthenticated", description: "Must verify authentication" },
+                    { pattern: "requireAuth", description: "Must require authentication" },
+                ],
+            },
+        },
+        cweIds: ["CWE-306", "CWE-287"],
+        owaspRefs: ["API2:2023", "A07:2021"],
+        autofixPatternId: "add-auth-middleware",
+    },
+    {
+        id: "vaspera:ssrf:user-controlled-url",
+        name: "Server-Side Request Forgery via User-Controlled URL",
+        description: "User-controlled input is used to construct a URL for server-side HTTP requests. Attackers can make the server request internal resources or external malicious endpoints.",
+        category: "ssrf",
+        severity: "high",
+        confidence: 90,
+        enabled: true,
+        engines: {
+            dataFlow: {
+                sources: [
+                    { pattern: "req.body.url" },
+                    { pattern: "req.query.url" },
+                    { pattern: "req.params.url" },
+                    { pattern: "req.body.webhook" },
+                    { pattern: "req.body.callback" },
+                    { pattern: "req.body.redirect" },
+                    { pattern: "req.body.target" },
+                    { pattern: "req.body.host" },
+                    { pattern: "req.query.redirect_uri" },
+                ],
+                sinks: [
+                    { pattern: "fetch($source)" },
+                    { pattern: "axios.get($source)" },
+                    { pattern: "axios.post($source)" },
+                    { pattern: "axios($source)" },
+                    { pattern: "request($source)" },
+                    { pattern: "http.get($source)" },
+                    { pattern: "https.get($source)" },
+                    { pattern: "got($source)" },
+                    { pattern: "superagent.get($source)" },
+                    { pattern: "new URL($source)" },
+                ],
+                sanitizers: [
+                    { pattern: "validateUrl($source)" },
+                    { pattern: "isAllowedUrl($source)" },
+                    { pattern: "sanitizeUrl($source)" },
+                    { pattern: "allowlist.includes($source)" },
+                    { pattern: "ALLOWED_HOSTS.includes" },
+                ],
+            },
+        },
+        cweIds: ["CWE-918"],
+        owaspRefs: ["API8:2023", "A10:2021"],
+        autofixPatternId: "add-url-validation",
+    },
+    {
+        id: "vaspera:race:toctou-file",
+        name: "Time-of-Check to Time-of-Use Race Condition",
+        description: "File existence or permission is checked before use, but the file state may change between check and use. Attackers can exploit this window to manipulate the file.",
+        category: "race-condition",
+        severity: "medium",
+        confidence: 70,
+        enabled: true,
+        engines: {
+            astQuery: {
+                pattern: "existsSync($path)",
+            },
+            dataFlow: {
+                sources: [
+                    { pattern: "fs.existsSync($path)" },
+                    { pattern: "fs.accessSync($path)" },
+                    { pattern: "fs.statSync($path)" },
+                    { pattern: "path.exists($path)" },
+                ],
+                sinks: [
+                    { pattern: "fs.readFileSync($path)" },
+                    { pattern: "fs.writeFileSync($path)" },
+                    { pattern: "fs.unlinkSync($path)" },
+                    { pattern: "fs.readFile($path)" },
+                    { pattern: "fs.writeFile($path)" },
+                    { pattern: "fs.unlink($path)" },
+                    { pattern: "require($path)" },
+                ],
+                sanitizers: [
+                    { pattern: "fs.open($path, $flags)" },
+                    { pattern: "flock($fd)" },
+                    { pattern: "lockFile($path)" },
+                ],
+            },
+        },
+        cweIds: ["CWE-367", "CWE-362"],
+        owaspRefs: ["A04:2021"],
+        autofixPatternId: "use-atomic-operations",
+    },
+    {
+        id: "vaspera:sqli:template-literal",
+        name: "SQL Injection via Template Literal",
+        description: "User input is interpolated directly into SQL query using template literals. Attackers can inject malicious SQL to access, modify, or delete data.",
+        category: "sql-injection",
+        severity: "critical",
+        confidence: 95,
+        enabled: true,
+        engines: {
+            dataFlow: {
+                sources: [
+                    { pattern: "req.params.$param" },
+                    { pattern: "req.query.$param" },
+                    { pattern: "req.body.$field" },
+                ],
+                sinks: [
+                    { pattern: "query(`SELECT ... ${$source} ...`)" },
+                    { pattern: "execute(`... ${$source} ...`)" },
+                    { pattern: "raw(`... ${$source} ...`)" },
+                    { pattern: "$connection.query(`... ${$source} ...`)" },
+                    { pattern: "db.query(`... ${$source} ...`)" },
+                    { pattern: "sql`... ${$source} ...`" },
+                ],
+                sanitizers: [
+                    { pattern: "escape($source)" },
+                    { pattern: "sanitize($source)" },
+                    { pattern: "parseInt($source)" },
+                    { pattern: "Number($source)" },
+                ],
+            },
+        },
+        cweIds: ["CWE-89"],
+        owaspRefs: ["API8:2023", "A03:2021"],
+        autofixPatternId: "parameterize-query",
+    },
+    {
+        id: "vaspera:xss:innerHTML",
+        name: "Cross-Site Scripting via innerHTML",
+        description: "User input is assigned to innerHTML without sanitization. Attackers can inject malicious scripts that execute in other users' browsers.",
+        category: "xss",
+        severity: "high",
+        confidence: 90,
+        enabled: true,
+        engines: {
+            dataFlow: {
+                sources: [
+                    { pattern: "req.body.$field" },
+                    { pattern: "req.query.$param" },
+                    { pattern: "document.location.search" },
+                    { pattern: "window.location.hash" },
+                    { pattern: "searchParams.get($param)" },
+                ],
+                sinks: [
+                    { pattern: "$el.innerHTML = $source" },
+                    { pattern: "$el.outerHTML = $source" },
+                    { pattern: "document.write($source)" },
+                    { pattern: "insertAdjacentHTML($position, $source)" },
+                    { pattern: "dangerouslySetInnerHTML={{ __html: $source }}" },
+                ],
+                sanitizers: [
+                    { pattern: "DOMPurify.sanitize($source)" },
+                    { pattern: "sanitizeHtml($source)" },
+                    { pattern: "escape($source)" },
+                    { pattern: "encodeURIComponent($source)" },
+                    { pattern: "textContent = $source" },
+                ],
+            },
+        },
+        cweIds: ["CWE-79"],
+        owaspRefs: ["A03:2021"],
+        autofixPatternId: "use-textContent",
+    },
+    {
+        id: "vaspera:secrets:hardcoded-credential",
+        name: "Hardcoded Credential in Source Code",
+        description: "API key, password, or other secret is hardcoded in source code. Secrets in code are exposed through version control and can be extracted from compiled artifacts.",
+        category: "secrets",
+        severity: "critical",
+        confidence: 85,
+        enabled: true,
+        engines: {
+            astQuery: {
+                pattern: "const $name = $value",
+                constraints: {
+                    name: "password|apiKey|secret|token|credential|auth",
+                },
+            },
+        },
+        cweIds: ["CWE-798", "CWE-259"],
+        owaspRefs: ["A02:2021"],
+        autofixPatternId: "use-env-variable",
+    },
+];
+export function getBuiltinRules() {
+    return BUILTIN_RULES.filter((r) => r.enabled);
+}
+export function getBuiltinRuleById(id) {
+    return BUILTIN_RULES.find((r) => r.id === id);
+}
+export function getBuiltinRulesByCategory(category) {
+    return BUILTIN_RULES.filter((r) => r.category === category && r.enabled);
+}
+//# sourceMappingURL=builtin.js.map

package/dist/scanners/detection/rules/builtin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"builtin.js","sourceRoot":"","sources":["../../../../src/scanners/detection/rules/builtin.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,MAAM,CAAC,MAAM,aAAa,GAAoB;IAC5C;QACE,EAAE,EAAE,iCAAiC;QACrC,IAAI,EAAE,4CAA4C;QAClD,WAAW,EACT,iMAAiM;QACnM,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,EAAE;QACd,OAAO,EAAE,IAAI;QACb,OAAO,EAAE;YACP,QAAQ,EAAE;gBACR,OAAO,EAAE;oBACP,EAAE,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,oBAAoB,EAAE;oBAChE,EAAE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,wBAAwB,EAAE;oBACnE,EAAE,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,oBAAoB,EAAE;oBAC9D,EAAE,OAAO,EAAE,oBAAoB,EAAE;oBACjC,EAAE,OAAO,EAAE,gBAAgB,EAAE;iBAC9B;gBACD,KAAK,EAAE;oBACL,EAAE,OAAO,EAAE,mBAAmB,EAAE,WAAW,EAAE,kBAAkB,EAAE;oBACjE,EAAE,OAAO,EAAE,0BAA0B,EAAE;oBACvC,EAAE,OAAO,EAAE,wCAAwC,EAAE;oBACrD,EAAE,OAAO,EAAE,wBAAwB,EAAE;oBACrC,EAAE,OAAO,EAAE,cAAc,EAAE;iBAC5B;gBACD,UAAU,EAAE;oBACV,EAAE,OAAO,EAAE,iCAAiC,EAAE;oBAC9C,EAAE,OAAO,EAAE,6BAA6B,EAAE;oBAC1C,EAAE,OAAO,EAAE,2BAA2B,EAAE;oBACxC,EAAE,OAAO,EAAE,kBAAkB,EAAE;oBAC/B,EAAE,OAAO,EAAE,oBAAoB,EAAE;iBAClC;aACF;SACF;QACD,MAAM,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;QAC9B,SAAS,EAAE,CAAC,WAAW,EAAE,UAAU,CAAC;QACpC,gBAAgB,EAAE,qBAAqB;KACxC;IAED;QACE,EAAE,EAAE,8BAA8B;QAClC,IAAI,EAAE,uDAAuD;QAC7D,WAAW,EACT,0LAA0L;QAC5L,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,EAAE;QACd,OAAO,EAAE,IAAI;QACb,OAAO,EAAE;YACP,QAAQ,EAAE;gBACR,OAAO,EAAE;oBACP,EAAE,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,mBAAmB,EAAE;oBACzD,EAAE,OAAO,EAAE,cAAc,EAAE;oBAC3B,EAAE,OAAO,EAAE,kBAAkB,EAAE;oBAC/B,EAAE,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAE,qBAAqB,EAAE;iBACnE;gBACD,KAAK,EAAE;oBACL,EAAE,OAAO,EAAE,iBAAiB,EAAE;oBAC9B,EAAE,OAAO,EAAE,oBAAoB,EAAE;oBACjC,EAAE,OAAO,EAAE,qBAAqB,EAAE;oBAClC,EAAE,OAAO,EAAE,eAAe,EAAE;oBAC5B,EAAE,OAAO,EAAE,iCAAiC,EAAE;oBAC9C,EAAE,OAAO,EAAE,4BAA4B,EAAE;iBAC1C;gBACD,UAAU,EAAE;oBACV,EAAE,OAAO,EAAE,wBAAwB,EAAE,WAAW,EAAE,kBAAkB,EAAE;oBACtE,EAAE,OAAO,EAAE,wBAAwB,EAAE,WAAW,EAAE,kBAAkB,EAAE;oBACtE,EAAE,OAAO,EAAE,mBAAmB,EAAE;oBAChC,EAAE,OAAO,EAAE,sBAAsB,EAAE;iBACpC;aACF;SACF;QACD,MAAM,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;QAC9B,SAAS,EAAE,CAAC,WAAW,EAAE,UAAU,CAAC;QACpC,gBAAgB,EAAE,qBAAqB;KACxC;IAED;QACE,EAAE,EAAE,wCAAwC;QAC5C,IAAI,EAAE,mCAAmC;QACzC,WAAW,EACT,uIAAuI;QACzI,QAAQ,EAAE,aAAa;QACvB,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,EAAE;QACd,OAAO,EAAE,IAAI;QACb,OAAO,EAAE;YACP,QAAQ,EAAE;gBACR,OAAO,EAAE,iCAAiC;gBAC1C,WAAW,EAAE;oBACX,MAAM,EAAE,2BAA2B;iBACpC;aACF;YACD,WAAW,EAAE;gBACX,WAAW,EAAE;oBACX,YAAY;oBACZ,aAAa;oBACb,YAAY;oBACZ,cAAc;oBACd,eAAe;oBACf,SAAS;oBACT,UAAU;iBACX;gBACD,SAAS,EAAE;oBACT,EAAE,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,gCAAgC,EAAE;oBACtE,EAAE,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,oBAAoB,EAAE;oBAC7D,EAAE,OAAO,EAAE,iBAAiB,EAAE,WAAW,EAAE,4BAA4B,EAAE;oBACzE,EAAE,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,6BAA6B,EAAE;iBACvE;aACF;SACF;QACD,MAAM,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;QAC9B,SAAS,EAAE,CAAC,WAAW,EAAE,UAAU,CAAC;QACpC,gBAAgB,EAAE,qBAAqB;KACxC;IAED;QACE,EAAE,EAAE,kCAAkC;QACtC,IAAI,EAAE,qDAAqD;QAC3D,WAAW,EACT,2KAA2K;QAC7K,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,EAAE;QACd,OAAO,EAAE,IAAI;QACb,OAAO,EAAE;YACP,QAAQ,EAAE;gBACR,OAAO,EAAE;oBACP,EAAE,OAAO,EAAE,cAAc,EAAE;oBAC3B,EAAE,OAAO,EAAE,eAAe,EAAE;oBAC5B,EAAE,OAAO,EAAE,gBAAgB,EAAE;oBAC7B,EAAE,OAAO,EAAE,kBAAkB,EAAE;oBAC/B,EAAE,OAAO,EAAE,mBAAmB,EAAE;oBAChC,EAAE,OAAO,EAAE,mBAAmB,EAAE;oBAChC,EAAE,OAAO,EAAE,iBAAiB,EAAE;oBAC9B,EAAE,OAAO,EAAE,eAAe,EAAE;oBAC5B,EAAE,OAAO,EAAE,wBAAwB,EAAE;iBACtC;gBACD,KAAK,EAAE;oBACL,EAAE,OAAO,EAAE,gBAAgB,EAAE;oBAC7B,EAAE,OAAO,EAAE,oBAAoB,EAAE;oBACjC,EAAE,OAAO,EAAE,qBAAqB,EAAE;oBAClC,EAAE,OAAO,EAAE,gBAAgB,EAAE;oBAC7B,EAAE,OAAO,EAAE,kBAAkB,EAAE;oBAC/B,EAAE,OAAO,EAAE,mBAAmB,EAAE;oBAChC,EAAE,OAAO,EAAE,oBAAoB,EAAE;oBACjC,EAAE,OAAO,EAAE,cAAc,EAAE;oBAC3B,EAAE,OAAO,EAAE,yBAAyB,EAAE;oBACtC,EAAE,OAAO,EAAE,kBAAkB,EAAE;iBAChC;gBACD,UAAU,EAAE;oBACV,EAAE,OAAO,EAAE,sBAAsB,EAAE;oBACnC,EAAE,OAAO,EAAE,uBAAuB,EAAE;oBACpC,EAAE,OAAO,EAAE,sBAAsB,EAAE;oBACnC,EAAE,OAAO,EAAE,6BAA6B,EAAE;oBAC1C,EAAE,OAAO,EAAE,wBAAwB,EAAE;iBACtC;aACF;SACF;QACD,MAAM,EAAE,CAAC,SAAS,CAAC;QACnB,SAAS,EAAE,CAAC,WAAW,EAAE,UAAU,CAAC;QACpC,gBAAgB,EAAE,oBAAoB;KACvC;IAED;QACE,EAAE,EAAE,0BAA0B;QAC9B,IAAI,EAAE,6CAA6C;QACnD,WAAW,EACT,oKAAoK;QACtK,QAAQ,EAAE,gBAAgB;QAC1B,QAAQ,EAAE,QAAQ;QAClB,UAAU,EAAE,EAAE;QACd,OAAO,EAAE,IAAI;QACb,OAAO,EAAE;YACP,QAAQ,EAAE;gBACR,OAAO,EAAE,mBAAmB;aAC7B;YACD,QAAQ,EAAE;gBACR,OAAO,EAAE;oBACP,EAAE,OAAO,EAAE,sBAAsB,EAAE;oBACnC,EAAE,OAAO,EAAE,sBAAsB,EAAE;oBACnC,EAAE,OAAO,EAAE,oBAAoB,EAAE;oBACjC,EAAE,OAAO,EAAE,oBAAoB,EAAE;iBAClC;gBACD,KAAK,EAAE;oBACL,EAAE,OAAO,EAAE,wBAAwB,EAAE;oBACrC,EAAE,OAAO,EAAE,yBAAyB,EAAE;oBACtC,EAAE,OAAO,EAAE,sBAAsB,EAAE;oBACnC,EAAE,OAAO,EAAE,oBAAoB,EAAE;oBACjC,EAAE,OAAO,EAAE,qBAAqB,EAAE;oBAClC,EAAE,OAAO,EAAE,kBAAkB,EAAE;oBAC/B,EAAE,OAAO,EAAE,gBAAgB,EAAE;iBAC9B;gBACD,UAAU,EAAE;oBACV,EAAE,OAAO,EAAE,wBAAwB,EAAE;oBACrC,EAAE,OAAO,EAAE,YAAY,EAAE;oBACzB,EAAE,OAAO,EAAE,iBAAiB,EAAE;iBAC/B;aACF;SACF;QACD,MAAM,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;QAC9B,SAAS,EAAE,CAAC,UAAU,CAAC;QACvB,gBAAgB,EAAE,uBAAuB;KAC1C;IAED;QACE,EAAE,EAAE,+BAA+B;QACnC,IAAI,EAAE,oCAAoC;QAC1C,WAAW,EACT,mJAAmJ;QACrJ,QAAQ,EAAE,eAAe;QACzB,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,EAAE;QACd,OAAO,EAAE,IAAI;QACb,OAAO,EAAE;YACP,QAAQ,EAAE;gBACR,OAAO,EAAE;oBACP,EAAE,OAAO,EAAE,mBAAmB,EAAE;oBAChC,EAAE,OAAO,EAAE,kBAAkB,EAAE;oBAC/B,EAAE,OAAO,EAAE,iBAAiB,EAAE;iBAC/B;gBACD,KAAK,EAAE;oBACL,EAAE,OAAO,EAAE,oCAAoC,EAAE;oBACjD,EAAE,OAAO,EAAE,+BAA+B,EAAE;oBAC5C,EAAE,OAAO,EAAE,2BAA2B,EAAE;oBACxC,EAAE,OAAO,EAAE,yCAAyC,EAAE;oBACtD,EAAE,OAAO,EAAE,gCAAgC,EAAE;oBAC7C,EAAE,OAAO,EAAE,yBAAyB,EAAE;iBACvC;gBACD,UAAU,EAAE;oBACV,EAAE,OAAO,EAAE,iBAAiB,EAAE;oBAC9B,EAAE,OAAO,EAAE,mBAAmB,EAAE;oBAChC,EAAE,OAAO,EAAE,mBAAmB,EAAE;oBAChC,EAAE,OAAO,EAAE,iBAAiB,EAAE;iBAC/B;aACF;SACF;QACD,MAAM,EAAE,CAAC,QAAQ,CAAC;QAClB,SAAS,EAAE,CAAC,WAAW,EAAE,UAAU,CAAC;QACpC,gBAAgB,EAAE,oBAAoB;KACvC;IAED;QACE,EAAE,EAAE,uBAAuB;QAC3B,IAAI,EAAE,oCAAoC;QAC1C,WAAW,EACT,yIAAyI;QAC3I,QAAQ,EAAE,KAAK;QACf,QAAQ,EAAE,MAAM;QAChB,UAAU,EAAE,EAAE;QACd,OAAO,EAAE,IAAI;QACb,OAAO,EAAE;YACP,QAAQ,EAAE;gBACR,OAAO,EAAE;oBACP,EAAE,OAAO,EAAE,iBAAiB,EAAE;oBAC9B,EAAE,OAAO,EAAE,kBAAkB,EAAE;oBAC/B,EAAE,OAAO,EAAE,0BAA0B,EAAE;oBACvC,EAAE,OAAO,EAAE,sBAAsB,EAAE;oBACnC,EAAE,OAAO,EAAE,0BAA0B,EAAE;iBACxC;gBACD,KAAK,EAAE;oBACL,EAAE,OAAO,EAAE,yBAAyB,EAAE;oBACtC,EAAE,OAAO,EAAE,yBAAyB,EAAE;oBACtC,EAAE,OAAO,EAAE,yBAAyB,EAAE;oBACtC,EAAE,OAAO,EAAE,wCAAwC,EAAE;oBACrD,EAAE,OAAO,EAAE,+CAA+C,EAAE;iBAC7D;gBACD,UAAU,EAAE;oBACV,EAAE,OAAO,EAAE,6BAA6B,EAAE;oBAC1C,EAAE,OAAO,EAAE,uBAAuB,EAAE;oBACpC,EAAE,OAAO,EAAE,iBAAiB,EAAE;oBAC9B,EAAE,OAAO,EAAE,6BAA6B,EAAE;oBAC1C,EAAE,OAAO,EAAE,uBAAuB,EAAE;iBACrC;aACF;SACF;QACD,MAAM,EAAE,CAAC,QAAQ,CAAC;QAClB,SAAS,EAAE,CAAC,UAAU,CAAC;QACvB,gBAAgB,EAAE,iBAAiB;KACpC;IAED;QACE,EAAE,EAAE,sCAAsC;QAC1C,IAAI,EAAE,qCAAqC;QAC3C,WAAW,EACT,mKAAmK;QACrK,QAAQ,EAAE,SAAS;QACnB,QAAQ,EAAE,UAAU;QACpB,UAAU,EAAE,EAAE;QACd,OAAO,EAAE,IAAI;QACb,OAAO,EAAE;YACP,QAAQ,EAAE;gBACR,OAAO,EAAE,sBAAsB;gBAC/B,WAAW,EAAE;oBACX,IAAI,EAAE,8CAA8C;iBACrD;aACF;SACF;QACD,MAAM,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC;QAC9B,SAAS,EAAE,CAAC,UAAU,CAAC;QACvB,gBAAgB,EAAE,kBAAkB;KACrC;CACF,CAAC;AAEF,MAAM,UAAU,eAAe;IAC7B,OAAO,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,EAAU;IAC3C,OAAO,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;AAChD,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,QAAgB;IACxD,OAAO,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC;AAC3E,CAAC"}

package/dist/scanners/detection/rules/loader.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Detection Rule Loader
+ *
+ * Loads and validates detection rules from YAML files or inline definitions.
+ *
+ * @module scanners/detection/rules/loader
+ */
+import type { DetectionRule } from "../types.js";
+export declare class RuleValidationError extends Error {
+    ruleId: string;
+    field: string;
+    constructor(ruleId: string, field: string, message: string);
+}
+export declare function loadRuleFromYAML(filePath: string): Promise<DetectionRule>;
+export declare function loadRulesFromDirectory(dirPath: string): Promise<DetectionRule[]>;
+export declare function createRule(config: Omit<DetectionRule, "enabled"> & {
+    enabled?: boolean;
+}): DetectionRule;
+//# sourceMappingURL=loader.d.ts.map

package/dist/scanners/detection/rules/loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../../../src/scanners/detection/rules/loader.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAKH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAMjD,qBAAa,mBAAoB,SAAQ,KAAK;IAEnC,MAAM,EAAE,MAAM;IACd,KAAK,EAAE,MAAM;gBADb,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,EACpB,OAAO,EAAE,MAAM;CAKlB;AA6ED,wBAAsB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAI/E;AAED,wBAAsB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC,CAmBtF;AAED,wBAAgB,UAAU,CAAC,MAAM,EAAE,IAAI,CAAC,aAAa,EAAE,SAAS,CAAC,GAAG;IAAE,OAAO,CAAC,EAAE,OAAO,CAAA;CAAE,GAAG,aAAa,CAExG"}

package/dist/scanners/detection/rules/loader.js

@@ -0,0 +1,111 @@
+/**
+ * Detection Rule Loader
+ *
+ * Loads and validates detection rules from YAML files or inline definitions.
+ *
+ * @module scanners/detection/rules/loader
+ */
+import { readFile, readdir } from "fs/promises";
+import { join, extname } from "path";
+import { parse as parseYAML } from "yaml";
+const VALID_SEVERITIES = ["critical", "high", "medium", "low", "info"];
+const VALID_ENGINES = ["astQuery", "dataFlow", "controlFlow"];
+export class RuleValidationError extends Error {
+    ruleId;
+    field;
+    constructor(ruleId, field, message) {
+        super(`Rule ${ruleId}: ${field} - ${message}`);
+        this.ruleId = ruleId;
+        this.field = field;
+        this.name = "RuleValidationError";
+    }
+}
+function validateRule(rule, source) {
+    if (typeof rule !== "object" || rule === null) {
+        throw new RuleValidationError(source, "root", "Rule must be an object");
+    }
+    const r = rule;
+    if (typeof r.id !== "string" || !r.id) {
+        throw new RuleValidationError(source, "id", "Required string field");
+    }
+    if (typeof r.name !== "string" || !r.name) {
+        throw new RuleValidationError(r.id, "name", "Required string field");
+    }
+    if (typeof r.description !== "string" || !r.description) {
+        throw new RuleValidationError(r.id, "description", "Required string field");
+    }
+    if (typeof r.category !== "string" || !r.category) {
+        throw new RuleValidationError(r.id, "category", "Required string field");
+    }
+    if (!VALID_SEVERITIES.includes(r.severity)) {
+        throw new RuleValidationError(r.id, "severity", `Must be one of: ${VALID_SEVERITIES.join(", ")}`);
+    }
+    if (typeof r.confidence !== "number" || r.confidence < 0 || r.confidence > 100) {
+        throw new RuleValidationError(r.id, "confidence", "Must be a number between 0 and 100");
+    }
+    if (typeof r.engines !== "object" || r.engines === null) {
+        throw new RuleValidationError(r.id, "engines", "Required object field");
+    }
+    const engines = r.engines;
+    const hasEngine = VALID_ENGINES.some((e) => engines[e] !== undefined);
+    if (!hasEngine) {
+        throw new RuleValidationError(r.id, "engines", `Must have at least one of: ${VALID_ENGINES.join(", ")}`);
+    }
+    if (engines.dataFlow) {
+        const df = engines.dataFlow;
+        if (!Array.isArray(df.sources) || df.sources.length === 0) {
+            throw new RuleValidationError(r.id, "engines.dataFlow.sources", "Required non-empty array");
+        }
+        if (!Array.isArray(df.sinks) || df.sinks.length === 0) {
+            throw new RuleValidationError(r.id, "engines.dataFlow.sinks", "Required non-empty array");
+        }
+    }
+    if (engines.astQuery) {
+        const aq = engines.astQuery;
+        if (typeof aq.pattern !== "string" || !aq.pattern) {
+            throw new RuleValidationError(r.id, "engines.astQuery.pattern", "Required string field");
+        }
+    }
+    return {
+        id: r.id,
+        name: r.name,
+        description: r.description,
+        category: r.category,
+        severity: r.severity,
+        confidence: r.confidence,
+        enabled: r.enabled !== false,
+        engines: r.engines,
+        cweIds: Array.isArray(r.cweIds) ? r.cweIds : undefined,
+        owaspRefs: Array.isArray(r.owaspRefs) ? r.owaspRefs : undefined,
+        autofixPatternId: typeof r.autofixPatternId === "string" ? r.autofixPatternId : undefined,
+        metadata: typeof r.metadata === "object" ? r.metadata : undefined,
+    };
+}
+export async function loadRuleFromYAML(filePath) {
+    const content = await readFile(filePath, "utf-8");
+    const parsed = parseYAML(content);
+    return validateRule(parsed, filePath);
+}
+export async function loadRulesFromDirectory(dirPath) {
+    const rules = [];
+    const entries = await readdir(dirPath, { withFileTypes: true });
+    for (const entry of entries) {
+        if (!entry.isFile())
+            continue;
+        const ext = extname(entry.name).toLowerCase();
+        if (ext !== ".yaml" && ext !== ".yml")
+            continue;
+        try {
+            const rule = await loadRuleFromYAML(join(dirPath, entry.name));
+            rules.push(rule);
+        }
+        catch (error) {
+            console.warn(`Failed to load rule ${entry.name}:`, error);
+        }
+    }
+    return rules;
+}
+export function createRule(config) {
+    return validateRule({ ...config, enabled: config.enabled ?? true }, config.id);
+}
+//# sourceMappingURL=loader.js.map

package/dist/scanners/detection/rules/loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.js","sourceRoot":"","sources":["../../../../src/scanners/detection/rules/loader.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACrC,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAI1C,MAAM,gBAAgB,GAAe,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;AACnF,MAAM,aAAa,GAAG,CAAC,UAAU,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;AAE9D,MAAM,OAAO,mBAAoB,SAAQ,KAAK;IAEnC;IACA;IAFT,YACS,MAAc,EACd,KAAa,EACpB,OAAe;QAEf,KAAK,CAAC,QAAQ,MAAM,KAAK,KAAK,MAAM,OAAO,EAAE,CAAC,CAAC;QAJxC,WAAM,GAAN,MAAM,CAAQ;QACd,UAAK,GAAL,KAAK,CAAQ;QAIpB,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;IACpC,CAAC;CACF;AAED,SAAS,YAAY,CAAC,IAAa,EAAE,MAAc;IACjD,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;QAC9C,MAAM,IAAI,mBAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,wBAAwB,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,CAAC,GAAG,IAA+B,CAAC;IAE1C,IAAI,OAAO,CAAC,CAAC,EAAE,KAAK,QAAQ,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,mBAAmB,CAAC,MAAM,EAAE,IAAI,EAAE,uBAAuB,CAAC,CAAC;IACvE,CAAC;IAED,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC1C,MAAM,IAAI,mBAAmB,CAAC,CAAC,CAAC,EAAE,EAAE,MAAM,EAAE,uBAAuB,CAAC,CAAC;IACvE,CAAC;IAED,IAAI,OAAO,CAAC,CAAC,WAAW,KAAK,QAAQ,IAAI,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QACxD,MAAM,IAAI,mBAAmB,CAAC,CAAC,CAAC,EAAE,EAAE,aAAa,EAAE,uBAAuB,CAAC,CAAC;IAC9E,CAAC;IAED,IAAI,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;QAClD,MAAM,IAAI,mBAAmB,CAAC,CAAC,CAAC,EAAE,EAAE,UAAU,EAAE,uBAAuB,CAAC,CAAC;IAC3E,CAAC;IAED,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAoB,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,mBAAmB,CAAC,CAAC,CAAC,EAAE,EAAE,UAAU,EAAE,mBAAmB,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACpG,CAAC;IAED,IAAI,OAAO,CAAC,CAAC,UAAU,KAAK,QAAQ,IAAI,CAAC,CAAC,UAAU,GAAG,CAAC,IAAI,CAAC,CAAC,UAAU,GAAG,GAAG,EAAE,CAAC;QAC/E,MAAM,IAAI,mBAAmB,CAAC,CAAC,CAAC,EAAE,EAAE,YAAY,EAAE,oCAAoC,CAAC,CAAC;IAC1F,CAAC;IAED,IAAI,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ,IAAI,CAAC,CAAC,OAAO,KAAK,IAAI,EAAE,CAAC;QACxD,MAAM,IAAI,mBAAmB,CAAC,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,uBAAuB,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,CAAC,OAAkC,CAAC;IACrD,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC;IAEtE,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,mBAAmB,CAAC,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,8BAA8B,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3G,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,EAAE,GAAG,OAAO,CAAC,QAAmC,CAAC;QACvD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1D,MAAM,IAAI,mBAAmB,CAAC,CAAC,CAAC,EAAE,EAAE,0BAA0B,EAAE,0BAA0B,CAAC,CAAC;QAC9F,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtD,MAAM,IAAI,mBAAmB,CAAC,CAAC,CAAC,EAAE,EAAE,wBAAwB,EAAE,0BAA0B,CAAC,CAAC;QAC5F,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,MAAM,EAAE,GAAG,OAAO,CAAC,QAAmC,CAAC;QACvD,IAAI,OAAO,EAAE,CAAC,OAAO,KAAK,QAAQ,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC;YAClD,MAAM,IAAI,mBAAmB,CAAC,CAAC,CAAC,EAAE,EAAE,0BAA0B,EAAE,uBAAuB,CAAC,CAAC;QAC3F,CAAC;IACH,CAAC;IAED,OAAO;QACL,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,WAAW,EAAE,CAAC,CAAC,WAAW;QAC1B,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,QAAQ,EAAE,CAAC,CAAC,QAAoB;QAChC,UAAU,EAAE,CAAC,CAAC,UAAU;QACxB,OAAO,EAAE,CAAC,CAAC,OAAO,KAAK,KAAK;QAC5B,OAAO,EAAE,CAAC,CAAC,OAAmC;QAC9C,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;QACtD,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;QAC/D,gBAAgB,EAAE,OAAO,CAAC,CAAC,gBAAgB,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,SAAS;QACzF,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,QAAmC,CAAC,CAAC,CAAC,SAAS;KAC7F,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,QAAgB;IACrD,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC;IAClC,OAAO,YAAY,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,OAAe;IAC1D,MAAM,KAAK,GAAoB,EAAE,CAAC;IAClC,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IAEhE,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE;YAAE,SAAS;QAE9B,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAC9C,IAAI,GAAG,KAAK,OAAO,IAAI,GAAG,KAAK,MAAM;YAAE,SAAS;QAEhD,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;YAC/D,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,uBAAuB,KAAK,CAAC,IAAI,GAAG,EAAE,KAAK,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,MAA8D;IACvF,OAAO,YAAY,CAAC,EAAE,GAAG,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,IAAI,EAAE,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;AACjF,CAAC"}

package/dist/scanners/detection/types.d.ts

@@ -0,0 +1,171 @@
+/**
+ * Detection Engine Types
+ *
+ * Types for the custom detection engine that provides proprietary
+ * security analysis beyond wrapped tools like Semgrep.
+ *
+ * @module scanners/detection/types
+ */
+import type { Severity } from "../../certification/types.js";
+/**
+ * Supported detection engines
+ */
+export type DetectionEngine = "ast-query" | "data-flow" | "control-flow" | "semantic";
+/**
+ * A taint source - where untrusted data enters
+ */
+export interface TaintSource {
+    pattern: string;
+    description?: string;
+    parameterIndex?: number;
+}
+/**
+ * A taint sink - dangerous operation that consumes data
+ */
+export interface TaintSink {
+    pattern: string;
+    description?: string;
+    parameterIndex?: number;
+}
+/**
+ * A sanitizer that neutralizes tainted data
+ */
+export interface Sanitizer {
+    pattern: string;
+    description?: string;
+}
+/**
+ * Data flow rule configuration
+ */
+export interface DataFlowConfig {
+    sources: TaintSource[];
+    sinks: TaintSink[];
+    sanitizers?: Sanitizer[];
+    requireAllSources?: boolean;
+}
+/**
+ * Control flow rule configuration
+ */
+export interface ControlFlowConfig {
+    entryPoints?: string[];
+    mustReach?: {
+        pattern: string;
+        description?: string;
+    }[];
+    mustNotReach?: {
+        pattern: string;
+        description?: string;
+    }[];
+}
+/**
+ * AST query rule configuration
+ */
+export interface ASTQueryConfig {
+    pattern: string;
+    language?: "typescript" | "javascript" | "python" | "go" | "ruby";
+    capture?: string;
+    constraints?: Record<string, string>;
+}
+/**
+ * Detection rule definition
+ */
+export interface DetectionRule {
+    id: string;
+    name: string;
+    description: string;
+    category: string;
+    severity: Severity;
+    confidence: number;
+    enabled?: boolean;
+    engines: {
+        astQuery?: ASTQueryConfig;
+        dataFlow?: DataFlowConfig;
+        controlFlow?: ControlFlowConfig;
+    };
+    cweIds?: string[];
+    owaspRefs?: string[];
+    autofixPatternId?: string;
+    metadata?: Record<string, unknown>;
+}
+/**
+ * A path from taint source to sink
+ */
+export interface TaintPath {
+    source: {
+        pattern: string;
+        file: string;
+        line: number;
+        column?: number;
+        expression: string;
+    };
+    sink: {
+        pattern: string;
+        file: string;
+        line: number;
+        column?: number;
+        expression: string;
+    };
+    intermediateNodes: {
+        file: string;
+        line: number;
+        expression: string;
+    }[];
+    sanitized: boolean;
+    sanitizer?: string;
+}
+/**
+ * Result from running detection on a single file
+ */
+export interface DetectionMatch {
+    ruleId: string;
+    file: string;
+    line: number;
+    column?: number;
+    endLine?: number;
+    endColumn?: number;
+    message: string;
+    severity: Severity;
+    confidence: number;
+    category: string;
+    evidence: string;
+    taintPath?: TaintPath;
+    cweIds?: string[];
+    owaspRefs?: string[];
+    autofixPatternId?: string;
+}
+/**
+ * Result from running detection engine
+ */
+export interface DetectionResult {
+    success: boolean;
+    matches: DetectionMatch[];
+    rulesEvaluated: number;
+    filesAnalyzed: number;
+    duration: number;
+    errors?: string[];
+}
+/**
+ * Detection engine context
+ */
+export interface DetectionContext {
+    projectPath: string;
+    files?: string[];
+    rules?: DetectionRule[];
+    include?: string[];
+    exclude?: string[];
+    timeout?: number;
+}
+/**
+ * Built-in detection categories
+ */
+export declare const DETECTION_CATEGORIES: readonly ["sql-injection", "xss", "ssrf", "path-traversal", "command-injection", "idor", "bola", "auth-bypass", "race-condition", "secrets", "insecure-deserialization", "xxe", "open-redirect", "csrf"];
+export type DetectionCategory = (typeof DETECTION_CATEGORIES)[number];
+/**
+ * Default confidence thresholds
+ */
+export declare const CONFIDENCE_THRESHOLDS: {
+    readonly high: 85;
+    readonly medium: 60;
+    readonly low: 40;
+};
+//# sourceMappingURL=types.d.ts.map

package/dist/scanners/detection/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/scanners/detection/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAC;AAE7D;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,WAAW,GAAG,WAAW,GAAG,cAAc,GAAG,UAAU,CAAC;AAEtF;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,WAAW,EAAE,CAAC;IACvB,KAAK,EAAE,SAAS,EAAE,CAAC;IACnB,UAAU,CAAC,EAAE,SAAS,EAAE,CAAC;IACzB,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,SAAS,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IACxD,YAAY,CAAC,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;CAC5D;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,YAAY,GAAG,YAAY,GAAG,QAAQ,GAAG,IAAI,GAAG,MAAM,CAAC;IAClE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACtC;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,OAAO,CAAC;IAElB,OAAO,EAAE;QACP,QAAQ,CAAC,EAAE,cAAc,CAAC;QAC1B,QAAQ,CAAC,EAAE,cAAc,CAAC;QAC1B,WAAW,CAAC,EAAE,iBAAiB,CAAC;KACjC,CAAC;IAEF,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE;QACN,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;IACF,IAAI,EAAE;QACJ,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;IACF,iBAAiB,EAAE;QACjB,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;KACpB,EAAE,CAAC;IACJ,SAAS,EAAE,OAAO,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,QAAQ,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,EAAE,cAAc,EAAE,CAAC;IAC1B,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,KAAK,CAAC,EAAE,aAAa,EAAE,CAAC;IACxB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,eAAO,MAAM,oBAAoB,0MAevB,CAAC;AAEX,MAAM,MAAM,iBAAiB,GAAG,CAAC,OAAO,oBAAoB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEtE;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;CAIxB,CAAC"}