vaspera 2.11.0 → 2.13.0

package/dist/scanners/detection/engines/ast-query.js

@@ -0,0 +1,232 @@
+/**
+ * AST Query Engine
+ *
+ * Pattern-based AST matching using ts-morph for TypeScript/JavaScript.
+ * Supports parameterized patterns with capture groups.
+ *
+ * @module scanners/detection/engines/ast-query
+ */
+import { Project, Node } from "ts-morph";
+import { readFile } from "fs/promises";
+import { glob } from "glob";
+const project = new Project({
+    useInMemoryFileSystem: false,
+    skipFileDependencyResolution: true,
+});
+function parsePattern(pattern) {
+    const parts = [];
+    let i = 0;
+    while (i < pattern.length) {
+        if (pattern[i] === "$" && i + 1 < pattern.length) {
+            const start = i + 1;
+            let end = start;
+            while (end < pattern.length && /[a-zA-Z0-9_]/.test(pattern[end])) {
+                end++;
+            }
+            if (end > start) {
+                parts.push({ type: "capture", value: pattern.slice(start, end), name: pattern.slice(start, end) });
+                i = end;
+                continue;
+            }
+        }
+        if (pattern.slice(i, i + 3) === "...") {
+            parts.push({ type: "wildcard", value: "..." });
+            i += 3;
+            continue;
+        }
+        let literalEnd = i;
+        while (literalEnd < pattern.length && pattern[literalEnd] !== "$" && pattern.slice(literalEnd, literalEnd + 3) !== "...") {
+            literalEnd++;
+        }
+        if (literalEnd > i) {
+            parts.push({ type: "literal", value: pattern.slice(i, literalEnd) });
+            i = literalEnd;
+        }
+    }
+    return parts;
+}
+function matchPattern(text, parts) {
+    const captures = {};
+    let textIdx = 0;
+    for (let i = 0; i < parts.length; i++) {
+        const part = parts[i];
+        if (part.type === "literal") {
+            const literal = part.value.trim();
+            const remaining = text.slice(textIdx).trim();
+            if (!remaining.startsWith(literal)) {
+                return { matched: false, captures: {} };
+            }
+            textIdx = text.indexOf(literal, textIdx) + literal.length;
+        }
+        else if (part.type === "capture") {
+            const nextPart = parts[i + 1];
+            let endIdx;
+            if (!nextPart) {
+                endIdx = text.length;
+            }
+            else if (nextPart.type === "literal") {
+                const nextLiteral = nextPart.value.trim();
+                endIdx = text.indexOf(nextLiteral, textIdx);
+                if (endIdx === -1) {
+                    return { matched: false, captures: {} };
+                }
+            }
+            else {
+                endIdx = text.length;
+            }
+            const captured = text.slice(textIdx, endIdx).trim();
+            if (part.name) {
+                captures[part.name] = captured;
+            }
+            textIdx = endIdx;
+        }
+        else if (part.type === "wildcard") {
+            const nextPart = parts[i + 1];
+            if (!nextPart) {
+                textIdx = text.length;
+            }
+            else if (nextPart.type === "literal") {
+                const nextLiteral = nextPart.value.trim();
+                const idx = text.indexOf(nextLiteral, textIdx);
+                if (idx === -1) {
+                    return { matched: false, captures: {} };
+                }
+                textIdx = idx;
+            }
+        }
+    }
+    return { matched: true, captures };
+}
+function findCallExpressions(sourceFile, pattern) {
+    const matches = [];
+    const parts = parsePattern(pattern);
+    sourceFile.forEachDescendant((node) => {
+        if (Node.isCallExpression(node)) {
+            const text = node.getText();
+            const result = matchPattern(text, parts);
+            if (result.matched) {
+                matches.push({
+                    node,
+                    file: sourceFile.getFilePath(),
+                    line: node.getStartLineNumber(),
+                    column: node.getStartLinePos() - node.getStartLinePos(true) + 1,
+                    endLine: node.getEndLineNumber(),
+                    endColumn: node.getEnd() - node.getStartLinePos(true) + 1,
+                    text,
+                    captures: result.captures,
+                });
+            }
+        }
+    });
+    return matches;
+}
+function findPropertyAccess(sourceFile, pattern) {
+    const matches = [];
+    const parts = parsePattern(pattern);
+    sourceFile.forEachDescendant((node) => {
+        if (Node.isPropertyAccessExpression(node) || Node.isElementAccessExpression(node)) {
+            const text = node.getText();
+            const result = matchPattern(text, parts);
+            if (result.matched) {
+                matches.push({
+                    node,
+                    file: sourceFile.getFilePath(),
+                    line: node.getStartLineNumber(),
+                    column: node.getStartLinePos() - node.getStartLinePos(true) + 1,
+                    endLine: node.getEndLineNumber(),
+                    endColumn: node.getEnd() - node.getStartLinePos(true) + 1,
+                    text,
+                    captures: result.captures,
+                });
+            }
+        }
+    });
+    return matches;
+}
+function findAssignments(sourceFile, pattern) {
+    const matches = [];
+    const parts = parsePattern(pattern);
+    sourceFile.forEachDescendant((node) => {
+        if (Node.isBinaryExpression(node) && node.getOperatorToken().getText() === "=") {
+            const text = node.getText();
+            const result = matchPattern(text, parts);
+            if (result.matched) {
+                matches.push({
+                    node,
+                    file: sourceFile.getFilePath(),
+                    line: node.getStartLineNumber(),
+                    column: node.getStartLinePos() - node.getStartLinePos(true) + 1,
+                    endLine: node.getEndLineNumber(),
+                    endColumn: node.getEnd() - node.getStartLinePos(true) + 1,
+                    text,
+                    captures: result.captures,
+                });
+            }
+        }
+    });
+    return matches;
+}
+export async function queryAST(filePath, config) {
+    try {
+        const content = await readFile(filePath, "utf-8");
+        const sourceFile = project.createSourceFile(`query_${Date.now()}_${Math.random().toString(36).slice(2)}.ts`, content, { overwrite: true });
+        let matches = [];
+        const pattern = config.pattern;
+        if (pattern.includes("(") && pattern.includes(")")) {
+            matches = findCallExpressions(sourceFile, pattern);
+        }
+        else if (pattern.includes(".") || pattern.includes("[")) {
+            matches = findPropertyAccess(sourceFile, pattern);
+        }
+        else if (pattern.includes("=")) {
+            matches = findAssignments(sourceFile, pattern);
+        }
+        else {
+            matches = [
+                ...findCallExpressions(sourceFile, pattern),
+                ...findPropertyAccess(sourceFile, pattern),
+            ];
+        }
+        sourceFile.delete();
+        return matches.map((m) => ({ ...m, file: filePath }));
+    }
+    catch {
+        return [];
+    }
+}
+export async function runASTQueryEngine(projectPath, rules, files) {
+    const matches = [];
+    const targetFiles = files || (await glob("**/*.{ts,tsx,js,jsx}", {
+        cwd: projectPath,
+        ignore: ["**/node_modules/**", "**/dist/**", "**/build/**", "**/.git/**"],
+        absolute: true,
+    }));
+    for (const rule of rules) {
+        if (!rule.engines.astQuery)
+            continue;
+        const config = rule.engines.astQuery;
+        for (const file of targetFiles) {
+            const astMatches = await queryAST(file, config);
+            for (const match of astMatches) {
+                matches.push({
+                    ruleId: rule.id,
+                    file: match.file,
+                    line: match.line,
+                    column: match.column,
+                    endLine: match.endLine,
+                    endColumn: match.endColumn,
+                    message: rule.description,
+                    severity: rule.severity,
+                    confidence: rule.confidence,
+                    category: rule.category,
+                    evidence: match.text,
+                    cweIds: rule.cweIds,
+                    owaspRefs: rule.owaspRefs,
+                    autofixPatternId: rule.autofixPatternId,
+                });
+            }
+        }
+    }
+    return matches;
+}
+//# sourceMappingURL=ast-query.js.map

package/dist/scanners/detection/engines/ast-query.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ast-query.js","sourceRoot":"","sources":["../../../../src/scanners/detection/engines/ast-query.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAA0B,MAAM,UAAU,CAAC;AACjE,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAI5B,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC;IAC1B,qBAAqB,EAAE,KAAK;IAC5B,4BAA4B,EAAE,IAAI;CACnC,CAAC,CAAC;AAmBH,SAAS,YAAY,CAAC,OAAe;IACnC,MAAM,KAAK,GAAkB,EAAE,CAAC;IAChC,IAAI,CAAC,GAAG,CAAC,CAAC;IAEV,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QAC1B,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;YACjD,MAAM,KAAK,GAAG,CAAC,GAAG,CAAC,CAAC;YACpB,IAAI,GAAG,GAAG,KAAK,CAAC;YAChB,OAAO,GAAG,GAAG,OAAO,CAAC,MAAM,IAAI,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;gBACjE,GAAG,EAAE,CAAC;YACR,CAAC;YACD,IAAI,GAAG,GAAG,KAAK,EAAE,CAAC;gBAChB,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;gBACnG,CAAC,GAAG,GAAG,CAAC;gBACR,SAAS;YACX,CAAC;QACH,CAAC;QAED,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,KAAK,EAAE,CAAC;YACtC,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;YAC/C,CAAC,IAAI,CAAC,CAAC;YACP,SAAS;QACX,CAAC;QAED,IAAI,UAAU,GAAG,CAAC,CAAC;QACnB,OAAO,UAAU,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,UAAU,CAAC,KAAK,GAAG,IAAI,OAAO,CAAC,KAAK,CAAC,UAAU,EAAE,UAAU,GAAG,CAAC,CAAC,KAAK,KAAK,EAAE,CAAC;YACzH,UAAU,EAAE,CAAC;QACf,CAAC;QACD,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;YACnB,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,EAAE,CAAC,CAAC;YACrE,CAAC,GAAG,UAAU,CAAC;QACjB,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,YAAY,CAAC,IAAY,EAAE,KAAoB;IACtD,MAAM,QAAQ,GAA2B,EAAE,CAAC;IAC5C,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEtB,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YAC5B,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YAClC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;YAC7C,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;gBACnC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;YAC1C,CAAC;YACD,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;QAC5D,CAAC;aAAM,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACnC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC9B,IAAI,MAAc,CAAC;YAEnB,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;YACvB,CAAC;iBAAM,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACvC,MAAM,WAAW,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;gBAC1C,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;gBAC5C,IAAI,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;oBAClB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;gBAC1C,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;YACvB,CAAC;YAED,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;YACpD,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBACd,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC;YACjC,CAAC;YACD,OAAO,GAAG,MAAM,CAAC;QACnB,CAAC;aAAM,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC9B,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC;YACxB,CAAC;iBAAM,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBACvC,MAAM,WAAW,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;gBAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;gBAC/C,IAAI,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC;oBACf,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;gBAC1C,CAAC;gBACD,OAAO,GAAG,GAAG,CAAC;YAChB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;AACrC,CAAC;AAED,SAAS,mBAAmB,CAAC,UAAsB,EAAE,OAAe;IAClE,MAAM,OAAO,GAAe,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IAEpC,UAAU,CAAC,iBAAiB,CAAC,CAAC,IAAI,EAAE,EAAE;QACpC,IAAI,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC;YAChC,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YAEzC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnB,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI;oBACJ,IAAI,EAAE,UAAU,CAAC,WAAW,EAAE;oBAC9B,IAAI,EAAE,IAAI,CAAC,kBAAkB,EAAE;oBAC/B,MAAM,EAAE,IAAI,CAAC,eAAe,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC;oBAC/D,OAAO,EAAE,IAAI,CAAC,gBAAgB,EAAE;oBAChC,SAAS,EAAE,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC;oBACzD,IAAI;oBACJ,QAAQ,EAAE,MAAM,CAAC,QAAQ;iBAC1B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,kBAAkB,CAAC,UAAsB,EAAE,OAAe;IACjE,MAAM,OAAO,GAAe,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IAEpC,UAAU,CAAC,iBAAiB,CAAC,CAAC,IAAI,EAAE,EAAE;QACpC,IAAI,IAAI,CAAC,0BAA0B,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,yBAAyB,CAAC,IAAI,CAAC,EAAE,CAAC;YAClF,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YAEzC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnB,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI;oBACJ,IAAI,EAAE,UAAU,CAAC,WAAW,EAAE;oBAC9B,IAAI,EAAE,IAAI,CAAC,kBAAkB,EAAE;oBAC/B,MAAM,EAAE,IAAI,CAAC,eAAe,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC;oBAC/D,OAAO,EAAE,IAAI,CAAC,gBAAgB,EAAE;oBAChC,SAAS,EAAE,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC;oBACzD,IAAI;oBACJ,QAAQ,EAAE,MAAM,CAAC,QAAQ;iBAC1B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,eAAe,CAAC,UAAsB,EAAE,OAAe;IAC9D,MAAM,OAAO,GAAe,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IAEpC,UAAU,CAAC,iBAAiB,CAAC,CAAC,IAAI,EAAE,EAAE;QACpC,IAAI,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC,OAAO,EAAE,KAAK,GAAG,EAAE,CAAC;YAC/E,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YAEzC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnB,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI;oBACJ,IAAI,EAAE,UAAU,CAAC,WAAW,EAAE;oBAC9B,IAAI,EAAE,IAAI,CAAC,kBAAkB,EAAE;oBAC/B,MAAM,EAAE,IAAI,CAAC,eAAe,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC;oBAC/D,OAAO,EAAE,IAAI,CAAC,gBAAgB,EAAE;oBAChC,SAAS,EAAE,IAAI,CAAC,MAAM,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC;oBACzD,IAAI;oBACJ,QAAQ,EAAE,MAAM,CAAC,QAAQ;iBAC1B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,QAAgB,EAChB,MAAsB;IAEtB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAClD,MAAM,UAAU,GAAG,OAAO,CAAC,gBAAgB,CACzC,SAAS,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,EAC/D,OAAO,EACP,EAAE,SAAS,EAAE,IAAI,EAAE,CACpB,CAAC;QAEF,IAAI,OAAO,GAAe,EAAE,CAAC;QAC7B,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAE/B,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACnD,OAAO,GAAG,mBAAmB,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACrD,CAAC;aAAM,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1D,OAAO,GAAG,kBAAkB,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACpD,CAAC;aAAM,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,OAAO,GAAG,eAAe,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QACjD,CAAC;aAAM,CAAC;YACN,OAAO,GAAG;gBACR,GAAG,mBAAmB,CAAC,UAAU,EAAE,OAAO,CAAC;gBAC3C,GAAG,kBAAkB,CAAC,UAAU,EAAE,OAAO,CAAC;aAC3C,CAAC;QACJ,CAAC;QAED,UAAU,CAAC,MAAM,EAAE,CAAC;QAEpB,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,WAAmB,EACnB,KAAsB,EACtB,KAAgB;IAEhB,MAAM,OAAO,GAAqB,EAAE,CAAC;IAErC,MAAM,WAAW,GAAG,KAAK,IAAI,CAAC,MAAM,IAAI,CAAC,sBAAsB,EAAE;QAC/D,GAAG,EAAE,WAAW;QAChB,MAAM,EAAE,CAAC,oBAAoB,EAAE,YAAY,EAAE,aAAa,EAAE,YAAY,CAAC;QACzE,QAAQ,EAAE,IAAI;KACf,CAAC,CAAC,CAAC;IAEJ,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ;YAAE,SAAS;QAErC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC;QAErC,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAEhD,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;gBAC/B,OAAO,CAAC,IAAI,CAAC;oBACX,MAAM,EAAE,IAAI,CAAC,EAAE;oBACf,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,OAAO,EAAE,KAAK,CAAC,OAAO;oBACtB,SAAS,EAAE,KAAK,CAAC,SAAS;oBAC1B,OAAO,EAAE,IAAI,CAAC,WAAW;oBACzB,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,QAAQ,EAAE,KAAK,CAAC,IAAI;oBACpB,MAAM,EAAE,IAAI,CAAC,MAAM;oBACnB,SAAS,EAAE,IAAI,CAAC,SAAS;oBACzB,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;iBACxC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/scanners/detection/engines/data-flow.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Data Flow (Taint Tracking) Engine
+ *
+ * Tracks how untrusted data flows from sources to sinks.
+ * Core of security vulnerability detection.
+ *
+ * @module scanners/detection/engines/data-flow
+ */
+import type { DataFlowConfig, TaintPath, DetectionMatch, DetectionRule } from "../types.js";
+export declare function analyzeDataFlow(filePath: string, config: DataFlowConfig): Promise<TaintPath[]>;
+export declare function runDataFlowEngine(projectPath: string, rules: DetectionRule[], files?: string[]): Promise<DetectionMatch[]>;
+//# sourceMappingURL=data-flow.d.ts.map

package/dist/scanners/detection/engines/data-flow.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"data-flow.d.ts","sourceRoot":"","sources":["../../../../src/scanners/detection/engines/data-flow.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAKH,OAAO,KAAK,EAAE,cAAc,EAAE,SAAS,EAAE,cAAc,EAAE,aAAa,EAAqC,MAAM,aAAa,CAAC;AA4Q/H,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,cAAc,GACrB,OAAO,CAAC,SAAS,EAAE,CAAC,CAqBtB;AAED,wBAAsB,iBAAiB,CACrC,WAAW,EAAE,MAAM,EACnB,KAAK,EAAE,aAAa,EAAE,EACtB,KAAK,CAAC,EAAE,MAAM,EAAE,GACf,OAAO,CAAC,cAAc,EAAE,CAAC,CAsC3B"}

package/dist/scanners/detection/engines/data-flow.js

@@ -0,0 +1,269 @@
+/**
+ * Data Flow (Taint Tracking) Engine
+ *
+ * Tracks how untrusted data flows from sources to sinks.
+ * Core of security vulnerability detection.
+ *
+ * @module scanners/detection/engines/data-flow
+ */
+import { Project, Node } from "ts-morph";
+import { readFile } from "fs/promises";
+import { glob } from "glob";
+const project = new Project({
+    useInMemoryFileSystem: false,
+    skipFileDependencyResolution: true,
+});
+function matchesPattern(text, pattern) {
+    const normalizedPattern = pattern
+        .replace(/\$[a-zA-Z_][a-zA-Z0-9_]*/g, ".*")
+        .replace(/\{[^}]+\}/g, "[^.]+")
+        .replace(/\./g, "\\.")
+        .replace(/\(/g, "\\(")
+        .replace(/\)/g, "\\)")
+        .replace(/\*/g, ".*");
+    try {
+        const regex = new RegExp(normalizedPattern);
+        return regex.test(text);
+    }
+    catch {
+        return text.includes(pattern.replace(/[${}]/g, ""));
+    }
+}
+function findSources(sourceFile, sources) {
+    const found = [];
+    sourceFile.forEachDescendant((node) => {
+        const text = node.getText();
+        for (const source of sources) {
+            if (matchesPattern(text, source.pattern)) {
+                found.push({
+                    type: "source",
+                    expression: text,
+                    file: sourceFile.getFilePath(),
+                    line: node.getStartLineNumber(),
+                    column: node.getStartLinePos() - node.getStartLinePos(true) + 1,
+                    pattern: source.pattern,
+                });
+                if (Node.isPropertyAccessExpression(node) || Node.isElementAccessExpression(node)) {
+                    const parent = node.getParent();
+                    if (parent && Node.isVariableDeclaration(parent)) {
+                        found[found.length - 1].variable = parent.getName();
+                    }
+                }
+            }
+        }
+    });
+    return found;
+}
+function findSinks(sourceFile, sinks) {
+    const found = [];
+    sourceFile.forEachDescendant((node) => {
+        if (!Node.isCallExpression(node))
+            return;
+        const text = node.getText();
+        const expression = node.getExpression().getText();
+        for (const sink of sinks) {
+            if (matchesPattern(expression, sink.pattern) || matchesPattern(text, sink.pattern)) {
+                found.push({
+                    type: "sink",
+                    expression: text,
+                    file: sourceFile.getFilePath(),
+                    line: node.getStartLineNumber(),
+                    column: node.getStartLinePos() - node.getStartLinePos(true) + 1,
+                    pattern: sink.pattern,
+                });
+            }
+        }
+    });
+    return found;
+}
+function findSanitizers(sourceFile, sanitizers) {
+    const found = [];
+    sourceFile.forEachDescendant((node) => {
+        if (!Node.isCallExpression(node))
+            return;
+        const text = node.getText();
+        for (const sanitizer of sanitizers) {
+            if (matchesPattern(text, sanitizer.pattern)) {
+                found.push({
+                    type: "sanitizer",
+                    expression: text,
+                    file: sourceFile.getFilePath(),
+                    line: node.getStartLineNumber(),
+                    column: node.getStartLinePos() - node.getStartLinePos(true) + 1,
+                    pattern: sanitizer.pattern,
+                });
+            }
+        }
+    });
+    return found;
+}
+function extractVariablesFromExpression(expr) {
+    const identifiers = [];
+    const identifierRegex = /\b([a-zA-Z_][a-zA-Z0-9_]*)\b/g;
+    let match;
+    while ((match = identifierRegex.exec(expr)) !== null) {
+        const id = match[1];
+        if (!["const", "let", "var", "function", "async", "await", "return", "if", "else", "for", "while", "true", "false", "null", "undefined"].includes(id)) {
+            identifiers.push(id);
+        }
+    }
+    return identifiers;
+}
+function traceTaintFlow(sourceFile, sources, sinks, sanitizers) {
+    const paths = [];
+    const taintedVars = new Set();
+    for (const source of sources) {
+        if (source.variable) {
+            taintedVars.add(source.variable);
+        }
+        const sourceVars = extractVariablesFromExpression(source.expression);
+        for (const v of sourceVars) {
+            if (v.includes("req") || v.includes("params") || v.includes("query") || v.includes("body") || v.includes("input")) {
+                taintedVars.add(v);
+            }
+        }
+    }
+    sourceFile.forEachDescendant((node) => {
+        if (Node.isVariableDeclaration(node)) {
+            const init = node.getInitializer();
+            if (init) {
+                const initText = init.getText();
+                const initVars = extractVariablesFromExpression(initText);
+                for (const v of initVars) {
+                    if (taintedVars.has(v)) {
+                        taintedVars.add(node.getName());
+                        break;
+                    }
+                }
+            }
+        }
+        if (Node.isBinaryExpression(node) && node.getOperatorToken().getText() === "=") {
+            const left = node.getLeft();
+            const right = node.getRight();
+            if (Node.isIdentifier(left)) {
+                const rightVars = extractVariablesFromExpression(right.getText());
+                for (const v of rightVars) {
+                    if (taintedVars.has(v)) {
+                        taintedVars.add(left.getText());
+                        break;
+                    }
+                }
+            }
+        }
+    });
+    const sanitizerLines = new Set(sanitizers.map((s) => s.line));
+    for (const sink of sinks) {
+        const sinkVars = extractVariablesFromExpression(sink.expression);
+        let isTainted = false;
+        for (const v of sinkVars) {
+            if (taintedVars.has(v)) {
+                isTainted = true;
+                break;
+            }
+        }
+        if (!isTainted)
+            continue;
+        let sanitized = false;
+        let sanitizerPattern;
+        for (const sanitizer of sanitizers) {
+            if (sanitizer.line < sink.line) {
+                const sanitizerVars = extractVariablesFromExpression(sanitizer.expression);
+                for (const v of sanitizerVars) {
+                    if (sinkVars.includes(v)) {
+                        sanitized = true;
+                        sanitizerPattern = sanitizer.pattern;
+                        break;
+                    }
+                }
+            }
+        }
+        for (const source of sources) {
+            const sourceVars = source.variable
+                ? [source.variable]
+                : extractVariablesFromExpression(source.expression);
+            let connected = false;
+            for (const sv of sourceVars) {
+                if (taintedVars.has(sv)) {
+                    for (const sinkVar of sinkVars) {
+                        if (taintedVars.has(sinkVar)) {
+                            connected = true;
+                            break;
+                        }
+                    }
+                }
+            }
+            if (!connected)
+                continue;
+            paths.push({
+                source: {
+                    pattern: source.pattern || source.expression,
+                    file: source.file,
+                    line: source.line,
+                    column: source.column,
+                    expression: source.expression,
+                },
+                sink: {
+                    pattern: sink.pattern || sink.expression,
+                    file: sink.file,
+                    line: sink.line,
+                    column: sink.column,
+                    expression: sink.expression,
+                },
+                intermediateNodes: [],
+                sanitized,
+                sanitizer: sanitizerPattern,
+            });
+        }
+    }
+    return paths;
+}
+export async function analyzeDataFlow(filePath, config) {
+    try {
+        const content = await readFile(filePath, "utf-8");
+        const sourceFile = project.createSourceFile(`dataflow_${Date.now()}_${Math.random().toString(36).slice(2)}.ts`, content, { overwrite: true });
+        const sources = findSources(sourceFile, config.sources);
+        const sinks = findSinks(sourceFile, config.sinks);
+        const sanitizers = config.sanitizers ? findSanitizers(sourceFile, config.sanitizers) : [];
+        const paths = traceTaintFlow(sourceFile, sources, sinks, sanitizers);
+        sourceFile.delete();
+        return paths.filter((p) => !p.sanitized);
+    }
+    catch {
+        return [];
+    }
+}
+export async function runDataFlowEngine(projectPath, rules, files) {
+    const matches = [];
+    const targetFiles = files || (await glob("**/*.{ts,tsx,js,jsx}", {
+        cwd: projectPath,
+        ignore: ["**/node_modules/**", "**/dist/**", "**/build/**", "**/.git/**"],
+        absolute: true,
+    }));
+    for (const rule of rules) {
+        if (!rule.engines.dataFlow)
+            continue;
+        const config = rule.engines.dataFlow;
+        for (const file of targetFiles) {
+            const paths = await analyzeDataFlow(file, config);
+            for (const path of paths) {
+                matches.push({
+                    ruleId: rule.id,
+                    file: path.sink.file,
+                    line: path.sink.line,
+                    column: path.sink.column,
+                    message: `${rule.description} - Tainted data flows from ${path.source.expression} to ${path.sink.expression}`,
+                    severity: rule.severity,
+                    confidence: rule.confidence,
+                    category: rule.category,
+                    evidence: path.sink.expression,
+                    taintPath: path,
+                    cweIds: rule.cweIds,
+                    owaspRefs: rule.owaspRefs,
+                    autofixPatternId: rule.autofixPatternId,
+                });
+            }
+        }
+    }
+    return matches;
+}
+//# sourceMappingURL=data-flow.js.map

package/dist/scanners/detection/engines/data-flow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"data-flow.js","sourceRoot":"","sources":["../../../../src/scanners/detection/engines/data-flow.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAgF,MAAM,UAAU,CAAC;AACvH,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAG5B,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC;IAC1B,qBAAqB,EAAE,KAAK;IAC5B,4BAA4B,EAAE,IAAI;CACnC,CAAC,CAAC;AAqBH,SAAS,cAAc,CAAC,IAAY,EAAE,OAAe;IACnD,MAAM,iBAAiB,GAAG,OAAO;SAC9B,OAAO,CAAC,2BAA2B,EAAE,IAAI,CAAC;SAC1C,OAAO,CAAC,YAAY,EAAE,OAAO,CAAC;SAC9B,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC;SACrB,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC;SACrB,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC;SACrB,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IAExB,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,iBAAiB,CAAC,CAAC;QAC5C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,CAAC;IACtD,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,UAAsB,EAAE,OAAsB;IACjE,MAAM,KAAK,GAAmB,EAAE,CAAC;IAEjC,UAAU,CAAC,iBAAiB,CAAC,CAAC,IAAI,EAAE,EAAE;QACpC,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;QAE5B,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,IAAI,cAAc,CAAC,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;gBACzC,KAAK,CAAC,IAAI,CAAC;oBACT,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE,IAAI;oBAChB,IAAI,EAAE,UAAU,CAAC,WAAW,EAAE;oBAC9B,IAAI,EAAE,IAAI,CAAC,kBAAkB,EAAE;oBAC/B,MAAM,EAAE,IAAI,CAAC,eAAe,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC;oBAC/D,OAAO,EAAE,MAAM,CAAC,OAAO;iBACxB,CAAC,CAAC;gBAEH,IAAI,IAAI,CAAC,0BAA0B,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,yBAAyB,CAAC,IAAI,CAAC,EAAE,CAAC;oBAClF,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;oBAChC,IAAI,MAAM,IAAI,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,EAAE,CAAC;wBACjD,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,QAAQ,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;oBACtD,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,SAAS,CAAC,UAAsB,EAAE,KAAkB;IAC3D,MAAM,KAAK,GAAmB,EAAE,CAAC;IAEjC,UAAU,CAAC,iBAAiB,CAAC,CAAC,IAAI,EAAE,EAAE;QACpC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC;YAAE,OAAO;QAEzC,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;QAC5B,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC,OAAO,EAAE,CAAC;QAElD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,cAAc,CAAC,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACnF,KAAK,CAAC,IAAI,CAAC;oBACT,IAAI,EAAE,MAAM;oBACZ,UAAU,EAAE,IAAI;oBAChB,IAAI,EAAE,UAAU,CAAC,WAAW,EAAE;oBAC9B,IAAI,EAAE,IAAI,CAAC,kBAAkB,EAAE;oBAC/B,MAAM,EAAE,IAAI,CAAC,eAAe,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC;oBAC/D,OAAO,EAAE,IAAI,CAAC,OAAO;iBACtB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,cAAc,CAAC,UAAsB,EAAE,UAAuB;IACrE,MAAM,KAAK,GAAmB,EAAE,CAAC;IAEjC,UAAU,CAAC,iBAAiB,CAAC,CAAC,IAAI,EAAE,EAAE;QACpC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC;YAAE,OAAO;QAEzC,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;QAE5B,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,IAAI,cAAc,CAAC,IAAI,EAAE,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC5C,KAAK,CAAC,IAAI,CAAC;oBACT,IAAI,EAAE,WAAW;oBACjB,UAAU,EAAE,IAAI;oBAChB,IAAI,EAAE,UAAU,CAAC,WAAW,EAAE;oBAC9B,IAAI,EAAE,IAAI,CAAC,kBAAkB,EAAE;oBAC/B,MAAM,EAAE,IAAI,CAAC,eAAe,EAAE,GAAG,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC;oBAC/D,OAAO,EAAE,SAAS,CAAC,OAAO;iBAC3B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,8BAA8B,CAAC,IAAY;IAClD,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,MAAM,eAAe,GAAG,+BAA+B,CAAC;IACxD,IAAI,KAAK,CAAC;IAEV,OAAO,CAAC,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACrD,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,CAAC,CAAC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;YACtJ,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,SAAS,cAAc,CACrB,UAAsB,EACtB,OAAuB,EACvB,KAAqB,EACrB,UAA0B;IAE1B,MAAM,KAAK,GAAgB,EAAE,CAAC;IAC9B,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;IAEtC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACnC,CAAC;QAED,MAAM,UAAU,GAAG,8BAA8B,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QACrE,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,IAAI,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClH,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACrB,CAAC;QACH,CAAC;IACH,CAAC;IAED,UAAU,CAAC,iBAAiB,CAAC,CAAC,IAAI,EAAE,EAAE;QACpC,IAAI,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;YACnC,IAAI,IAAI,EAAE,CAAC;gBACT,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;gBAChC,MAAM,QAAQ,GAAG,8BAA8B,CAAC,QAAQ,CAAC,CAAC;gBAE1D,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;oBACzB,IAAI,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;wBACvB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;wBAChC,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC,OAAO,EAAE,KAAK,GAAG,EAAE,CAAC;YAC/E,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;YAC5B,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAE9B,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC5B,MAAM,SAAS,GAAG,8BAA8B,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;gBAClE,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;oBAC1B,IAAI,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;wBACvB,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;wBAChC,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAE9D,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,8BAA8B,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACjE,IAAI,SAAS,GAAG,KAAK,CAAC;QAEtB,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,IAAI,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACvB,SAAS,GAAG,IAAI,CAAC;gBACjB,MAAM;YACR,CAAC;QACH,CAAC;QAED,IAAI,CAAC,SAAS;YAAE,SAAS;QAEzB,IAAI,SAAS,GAAG,KAAK,CAAC;QACtB,IAAI,gBAAoC,CAAC;QAEzC,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,IAAI,SAAS,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC/B,MAAM,aAAa,GAAG,8BAA8B,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;gBAC3E,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;oBAC9B,IAAI,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;wBACzB,SAAS,GAAG,IAAI,CAAC;wBACjB,gBAAgB,GAAG,SAAS,CAAC,OAAO,CAAC;wBACrC,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ;gBAChC,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC;gBACnB,CAAC,CAAC,8BAA8B,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YAEtD,IAAI,SAAS,GAAG,KAAK,CAAC;YACtB,KAAK,MAAM,EAAE,IAAI,UAAU,EAAE,CAAC;gBAC5B,IAAI,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;oBACxB,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;wBAC/B,IAAI,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;4BAC7B,SAAS,GAAG,IAAI,CAAC;4BACjB,MAAM;wBACR,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,IAAI,CAAC,SAAS;gBAAE,SAAS;YAEzB,KAAK,CAAC,IAAI,CAAC;gBACT,MAAM,EAAE;oBACN,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,UAAU;oBAC5C,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,IAAI,EAAE,MAAM,CAAC,IAAI;oBACjB,MAAM,EAAE,MAAM,CAAC,MAAM;oBACrB,UAAU,EAAE,MAAM,CAAC,UAAU;iBAC9B;gBACD,IAAI,EAAE;oBACJ,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,UAAU;oBACxC,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,MAAM,EAAE,IAAI,CAAC,MAAM;oBACnB,UAAU,EAAE,IAAI,CAAC,UAAU;iBAC5B;gBACD,iBAAiB,EAAE,EAAE;gBACrB,SAAS;gBACT,SAAS,EAAE,gBAAgB;aAC5B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,QAAgB,EAChB,MAAsB;IAEtB,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAClD,MAAM,UAAU,GAAG,OAAO,CAAC,gBAAgB,CACzC,YAAY,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,EAClE,OAAO,EACP,EAAE,SAAS,EAAE,IAAI,EAAE,CACpB,CAAC;QAEF,MAAM,OAAO,GAAG,WAAW,CAAC,UAAU,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;QACxD,MAAM,KAAK,GAAG,SAAS,CAAC,UAAU,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;QAClD,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,cAAc,CAAC,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAE1F,MAAM,KAAK,GAAG,cAAc,CAAC,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC;QAErE,UAAU,CAAC,MAAM,EAAE,CAAC;QAEpB,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,WAAmB,EACnB,KAAsB,EACtB,KAAgB;IAEhB,MAAM,OAAO,GAAqB,EAAE,CAAC;IAErC,MAAM,WAAW,GAAG,KAAK,IAAI,CAAC,MAAM,IAAI,CAAC,sBAAsB,EAAE;QAC/D,GAAG,EAAE,WAAW;QAChB,MAAM,EAAE,CAAC,oBAAoB,EAAE,YAAY,EAAE,aAAa,EAAE,YAAY,CAAC;QACzE,QAAQ,EAAE,IAAI;KACf,CAAC,CAAC,CAAC;IAEJ,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ;YAAE,SAAS;QAErC,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC;QAErC,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;YAC/B,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAElD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,OAAO,CAAC,IAAI,CAAC;oBACX,MAAM,EAAE,IAAI,CAAC,EAAE;oBACf,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI;oBACpB,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI;oBACpB,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM;oBACxB,OAAO,EAAE,GAAG,IAAI,CAAC,WAAW,8BAA8B,IAAI,CAAC,MAAM,CAAC,UAAU,OAAO,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE;oBAC7G,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,UAAU,EAAE,IAAI,CAAC,UAAU;oBAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,UAAU;oBAC9B,SAAS,EAAE,IAAI;oBACf,MAAM,EAAE,IAAI,CAAC,MAAM;oBACnB,SAAS,EAAE,IAAI,CAAC,SAAS;oBACzB,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;iBACxC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/scanners/detection/index.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Detection Engine
+ *
+ * Proprietary security detection engine for Vaspera.
+ * Combines AST query, data flow, and control flow analysis
+ * for high-confidence vulnerability detection.
+ *
+ * @module scanners/detection
+ */
+import type { DetectionContext, DetectionResult } from "./types.js";
+import { getBuiltinRules, getBuiltinRulesByCategory, getBuiltinRuleById, BUILTIN_RULES } from "./rules/builtin.js";
+export * from "./types.js";
+export { queryAST, type ASTMatch } from "./engines/ast-query.js";
+export { analyzeDataFlow } from "./engines/data-flow.js";
+export { loadRulesFromDirectory, loadRuleFromYAML, createRule, RuleValidationError } from "./rules/loader.js";
+export { getBuiltinRules, getBuiltinRuleById, getBuiltinRulesByCategory, BUILTIN_RULES };
+export declare function runDetection(context: DetectionContext): Promise<DetectionResult>;
+export declare function runDetectionWithCustomRules(context: DetectionContext, customRulesDir?: string): Promise<DetectionResult>;
+export declare function listAvailableRules(): {
+    id: string;
+    name: string;
+    category: string;
+    severity: string;
+    enabled: boolean;
+}[];
+export declare function getDetectionCategories(): string[];
+export declare function enableRule(ruleId: string): boolean;
+export declare function disableRule(ruleId: string): boolean;
+//# sourceMappingURL=index.d.ts.map

package/dist/scanners/detection/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/detection/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAAE,gBAAgB,EAAE,eAAe,EAAiC,MAAM,YAAY,CAAC;AAGnG,OAAO,EAAE,eAAe,EAAE,yBAAyB,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAGnH,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,QAAQ,EAAE,KAAK,QAAQ,EAAE,MAAM,wBAAwB,CAAC;AACjE,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,sBAAsB,EAAE,gBAAgB,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AAC9G,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,yBAAyB,EAAE,aAAa,EAAE,CAAC;AAEzF,wBAAsB,YAAY,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,eAAe,CAAC,CA0EtF;AAiBD,wBAAsB,2BAA2B,CAC/C,OAAO,EAAE,gBAAgB,EACzB,cAAc,CAAC,EAAE,MAAM,GACtB,OAAO,CAAC,eAAe,CAAC,CAa1B;AAED,wBAAgB,kBAAkB,IAAI;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,OAAO,CAAA;CAAE,EAAE,CAQzH;AAED,wBAAgB,sBAAsB,IAAI,MAAM,EAAE,CAGjD;AAED,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAOlD;AAED,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAOnD"}