verification-layer 0.21.0 → 0.22.0

package/dist/scanners/rbac/patterns.js

@@ -0,0 +1,124 @@
+/**
+ * Role-Based Access Control (RBAC) Detection Patterns
+ * Enforces proper authorization and minimum necessary principle per HIPAA
+ */
+/**
+ * RBAC-001: PHI Data Access Without Role/Permission Verification
+ * Detects database queries to PHI tables without authorization checks
+ */
+export const PHI_ACCESS_NO_AUTHZ = {
+    id: 'RBAC-001',
+    name: 'PHI Data Access Without Role/Permission Verification',
+    description: 'Database query accessing PHI data (patient, health, medical, diagnosis, treatment, prescription) without role or permission verification',
+    severity: 'high',
+    hipaaReference: '45 CFR §164.312(a)(1) - Access Control',
+    patterns: [
+        // Database queries to PHI tables
+        /(?:from|FROM)\s+(?:patients?|health_records?|medical_records?|diagnos[ei]s|treatments?|prescriptions?|medications?|encounters?|visits?|lab_results?)/i,
+        /\.(?:from|table)\s*\(\s*['"`](?:patients?|health_records?|medical_records?|diagnos[ei]s|treatments?|prescriptions?|medications?|encounters?|visits?|lab_results?)['"`]/i,
+        // ORM queries
+        /(?:Patient|HealthRecord|MedicalRecord|Diagnosis|Treatment|Prescription|Medication|Encounter|Visit|LabResult)\.(?:find|findOne|findAll|findMany|query|where)/i,
+        // Supabase/Prisma queries
+        /supabase\.from\s*\(\s*['"`](?:patients?|health_records?|medical_records?|diagnos[ei]s|treatments?|prescriptions?|medications?)['"`]/i,
+        /prisma\.(?:patient|healthRecord|medicalRecord|diagnosis|treatment|prescription|medication)\.(?:findMany|findUnique|findFirst)/i,
+    ],
+    negativePatterns: [
+        // Indicators of authorization checks
+        /role/i,
+        /permission/i,
+        /authorize/i,
+        /isAdmin/i,
+        /canAccess/i,
+        /hasPermission/i,
+        /checkAccess/i,
+        /verifyRole/i,
+        /requireRole/i,
+        /isAuthorized/i,
+        /checkPermission/i,
+    ],
+    recommendation: 'Add role/permission verification before accessing PHI data. Example: if (!hasPermission(user, "read:patients")) throw new Error("Unauthorized"). Implement RBAC middleware to verify user roles before database queries.',
+    category: 'access-control',
+};
+/**
+ * RBAC-002: Service Role Keys in Client-Side Code
+ * Detects privileged keys exposed to client, admin defaults, or always-admin conditions
+ */
+export const SERVICE_ROLE_CLIENT_SIDE = {
+    id: 'RBAC-002',
+    name: 'Service Role Key or Admin Default in Client Code',
+    description: 'Privileged service_role key exposed in client-side code, isAdmin set to true as default, or conditions that always grant admin access',
+    severity: 'critical',
+    hipaaReference: '45 CFR §164.312(a)(1) - Access Control',
+    patterns: [
+        // Service role keys in client files
+        /service_role/i,
+        /serviceRole/i,
+        /SERVICE_ROLE/i,
+        // Admin defaults
+        /isAdmin\s*[:=]\s*true/i,
+        /role\s*[:=]\s*['"`]admin['"`]/i,
+        /admin\s*:\s*true/i,
+        // Always-admin conditions
+        /if\s*\(\s*true\s*\).*admin/i,
+        /const\s+isAdmin\s*=\s*true/i,
+        /let\s+isAdmin\s*=\s*true/i,
+        // Hardcoded admin users
+        /userId\s*===?\s*['"`]admin['"`]/i,
+        /email\s*===?\s*['"`]admin@/i,
+    ],
+    negativePatterns: [
+        // Server-side context (API routes, server components)
+        /\/api\//i,
+        /\.server\./i,
+        /getServerSideProps/i,
+        /getStaticProps/i,
+        // Environment variables (should be server-side only)
+        /process\.env/i,
+        // Test files
+        /\.test\./i,
+        /\.spec\./i,
+        /describe\(/i,
+    ],
+    recommendation: 'Remove service_role keys from client-side code - these should only exist in server-side API routes. Never default isAdmin to true. Implement proper role assignment based on authenticated user data from secure backend.',
+    category: 'access-control',
+};
+/**
+ * RBAC-003: SELECT * on PHI Tables (Violates Minimum Necessary)
+ * Detects SELECT * queries that retrieve all columns from PHI tables
+ */
+export const SELECT_ALL_PHI = {
+    id: 'RBAC-003',
+    name: 'SELECT * on PHI Tables Violates Minimum Necessary Principle',
+    description: 'Query uses SELECT * or .select("*") on tables containing PHI, retrieving more data than necessary in violation of HIPAA minimum necessary principle',
+    severity: 'medium',
+    hipaaReference: '45 CFR §164.502(b) - Minimum Necessary Requirement',
+    patterns: [
+        // SQL SELECT *
+        /SELECT\s+\*\s+FROM\s+(?:patients?|health_records?|medical_records?|diagnos[ei]s|treatments?|prescriptions?|medications?|encounters?|visits?|lab_results?)/i,
+        // ORM select all
+        /\.select\s*\(\s*['"`]\*['"`]\s*\)/i,
+        /\.select\s*\(\s*\*\s*\)/i,
+        // Prisma/TypeORM select all fields
+        /\.findMany\s*\(\s*\{[^}]*\}\s*\)(?!.*select)/i,
+        /\.find\s*\(\s*\{[^}]*\}\s*\)(?!.*select)/i,
+        // Supabase select all
+        /supabase\.from\s*\([^)]*(?:patient|health|medical|diagnosis|treatment|prescription)[^)]*\)\.select\s*\(\s*['"`]\*['"`]/i,
+    ],
+    negativePatterns: [
+        // Specific field selection
+        /\.select\s*\(\s*['"`][a-zA-Z_,\s]+['"`]\s*\)/i,
+        /SELECT\s+[a-zA-Z_,\s]+\s+FROM/i,
+        // Projection/pick specific fields
+        /select\s*:\s*\{/i,
+        /pick\s*\(/i,
+        /omit\s*\(/i,
+    ],
+    recommendation: 'Select only the minimum necessary fields required for the operation. Example: Instead of SELECT * FROM patients, use SELECT id, name, dob FROM patients. For ORMs: .select("id, name, dob") or use field projections.',
+    category: 'access-control',
+};
+export const ALL_RBAC_PATTERNS = [
+    PHI_ACCESS_NO_AUTHZ,
+    SERVICE_ROLE_CLIENT_SIDE,
+    SELECT_ALL_PHI,
+];
+//# sourceMappingURL=patterns.js.map

package/dist/scanners/rbac/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/scanners/rbac/patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAcH;;;GAGG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAgB;IAC9C,EAAE,EAAE,UAAU;IACd,IAAI,EAAE,sDAAsD;IAC5D,WAAW,EACT,0IAA0I;IAC5I,QAAQ,EAAE,MAAM;IAChB,cAAc,EAAE,wCAAwC;IACxD,QAAQ,EAAE;QACR,iCAAiC;QACjC,uJAAuJ;QACvJ,yKAAyK;QAEzK,cAAc;QACd,8JAA8J;QAE9J,0BAA0B;QAC1B,sIAAsI;QACtI,gIAAgI;KACjI;IACD,gBAAgB,EAAE;QAChB,qCAAqC;QACrC,OAAO;QACP,aAAa;QACb,YAAY;QACZ,UAAU;QACV,YAAY;QACZ,gBAAgB;QAChB,cAAc;QACd,aAAa;QACb,cAAc;QACd,eAAe;QACf,kBAAkB;KACnB;IACD,cAAc,EACZ,0NAA0N;IAC5N,QAAQ,EAAE,gBAAgB;CAC3B,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAgB;IACnD,EAAE,EAAE,UAAU;IACd,IAAI,EAAE,kDAAkD;IACxD,WAAW,EACT,uIAAuI;IACzI,QAAQ,EAAE,UAAU;IACpB,cAAc,EAAE,wCAAwC;IACxD,QAAQ,EAAE;QACR,oCAAoC;QACpC,eAAe;QACf,cAAc;QACd,eAAe;QAEf,iBAAiB;QACjB,wBAAwB;QACxB,gCAAgC;QAChC,mBAAmB;QAEnB,0BAA0B;QAC1B,6BAA6B;QAC7B,6BAA6B;QAC7B,2BAA2B;QAE3B,wBAAwB;QACxB,kCAAkC;QAClC,6BAA6B;KAC9B;IACD,gBAAgB,EAAE;QAChB,sDAAsD;QACtD,UAAU;QACV,aAAa;QACb,qBAAqB;QACrB,iBAAiB;QACjB,qDAAqD;QACrD,eAAe;QACf,aAAa;QACb,WAAW;QACX,WAAW;QACX,aAAa;KACd;IACD,cAAc,EACZ,2NAA2N;IAC7N,QAAQ,EAAE,gBAAgB;CAC3B,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,cAAc,GAAgB;IACzC,EAAE,EAAE,UAAU;IACd,IAAI,EAAE,6DAA6D;IACnE,WAAW,EACT,qJAAqJ;IACvJ,QAAQ,EAAE,QAAQ;IAClB,cAAc,EACZ,oDAAoD;IACtD,QAAQ,EAAE;QACR,eAAe;QACf,4JAA4J;QAE5J,iBAAiB;QACjB,oCAAoC;QACpC,0BAA0B;QAE1B,mCAAmC;QACnC,+CAA+C;QAC/C,2CAA2C;QAE3C,sBAAsB;QACtB,yHAAyH;KAC1H;IACD,gBAAgB,EAAE;QAChB,2BAA2B;QAC3B,+CAA+C;QAC/C,gCAAgC;QAChC,kCAAkC;QAClC,kBAAkB;QAClB,YAAY;QACZ,YAAY;KACb;IACD,cAAc,EACZ,uNAAuN;IACzN,QAAQ,EAAE,gBAAgB;CAC3B,CAAC;AAEF,MAAM,CAAC,MAAM,iBAAiB,GAAkB;IAC9C,mBAAmB;IACnB,wBAAwB;IACxB,cAAc;CACf,CAAC"}

package/dist/scanners/revocation/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Token Revocation Security Scanner
+ * Detects JWT usage without revocation and excessive token expiration
+ */
+import type { Scanner } from '../../types.js';
+export declare const revocationScanner: Scanner;
+export default revocationScanner;
+//# sourceMappingURL=index.d.ts.map

package/dist/scanners/revocation/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/revocation/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAwB,MAAM,gBAAgB,CAAC;AAGpE,eAAO,MAAM,iBAAiB,EAAE,OAyF/B,CAAC;AAEF,eAAe,iBAAiB,CAAC"}

package/dist/scanners/revocation/index.js

@@ -0,0 +1,83 @@
+/**
+ * Token Revocation Security Scanner
+ * Detects JWT usage without revocation and excessive token expiration
+ */
+import * as fs from 'fs/promises';
+import { ALL_REVOCATION_PATTERNS } from './patterns.js';
+export const revocationScanner = {
+    name: 'Token Revocation Security Scanner',
+    category: 'access-control',
+    async scan(files, options) {
+        const findings = [];
+        // Filter to code files
+        const codeFiles = files.filter((f) => /\.(ts|tsx|js|jsx)$/.test(f));
+        for (const file of codeFiles) {
+            try {
+                const content = await fs.readFile(file, 'utf-8');
+                const lines = content.split('\n');
+                for (let i = 0; i < lines.length; i++) {
+                    const line = lines[i];
+                    const lineNumber = i + 1;
+                    // Skip empty lines and comments
+                    if (/^\s*$/.test(line) || /^\s*\/\//.test(line))
+                        continue;
+                    // Scan each pattern
+                    for (const pattern of ALL_REVOCATION_PATTERNS) {
+                        // Check if line matches violation pattern
+                        const matched = pattern.patterns.some((regex) => regex.test(line));
+                        if (!matched)
+                            continue;
+                        // Get surrounding context (20 lines before and 10 after for REVOKE-001)
+                        // (10 lines before and 5 after for REVOKE-002)
+                        const contextBefore = pattern.id === 'REVOKE-001' ? 20 : 10;
+                        const contextAfter = pattern.id === 'REVOKE-001' ? 10 : 5;
+                        const contextStart = Math.max(0, i - contextBefore);
+                        const contextEnd = Math.min(lines.length, i + contextAfter + 1);
+                        const contextLines = lines.slice(contextStart, contextEnd);
+                        // Filter out comment lines from context
+                        const codeOnlyContext = contextLines
+                            .filter(l => !/^\s*\/\//.test(l) && !/^\s*\/\*/.test(l) && !/^\s*\*/.test(l))
+                            .join('\n');
+                        // Check negative patterns (safe usage indicators)
+                        const isSafe = pattern.negativePatterns?.some((regex) => {
+                            // For REVOKE-001, check wider context for revocation mechanisms
+                            // For REVOKE-002, check current line and immediate context
+                            if (pattern.id === 'REVOKE-001') {
+                                // Check surrounding code for revocation mechanisms
+                                return regex.test(codeOnlyContext);
+                            }
+                            if (pattern.id === 'REVOKE-002') {
+                                // Check if this is a refresh token or other acceptable long-lived token
+                                // Check both the line and surrounding context
+                                return regex.test(line) || regex.test(codeOnlyContext);
+                            }
+                            return regex.test(line);
+                        });
+                        if (isSafe)
+                            continue;
+                        // Create finding
+                        const finding = {
+                            id: pattern.id,
+                            category: pattern.category,
+                            severity: pattern.severity,
+                            title: pattern.name,
+                            description: `${pattern.description}\n\nCode: ${line.trim()}`,
+                            file: file,
+                            line: lineNumber,
+                            recommendation: pattern.recommendation,
+                            hipaaReference: pattern.hipaaReference,
+                            confidence: 'high',
+                        };
+                        findings.push(finding);
+                    }
+                }
+            }
+            catch (error) {
+                // Skip files that can't be read
+            }
+        }
+        return findings;
+    },
+};
+export default revocationScanner;
+//# sourceMappingURL=index.js.map

package/dist/scanners/revocation/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/scanners/revocation/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAElC,OAAO,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAC;AAExD,MAAM,CAAC,MAAM,iBAAiB,GAAY;IACxC,IAAI,EAAE,mCAAmC;IACzC,QAAQ,EAAE,gBAAgB;IAE1B,KAAK,CAAC,IAAI,CAAC,KAAe,EAAE,OAAoB;QAC9C,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,uBAAuB;QACvB,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACnC,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,CAC7B,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;gBACjD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACtB,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,CAAC;oBAEzB,gCAAgC;oBAChC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;wBAAE,SAAS;oBAE1D,oBAAoB;oBACpB,KAAK,MAAM,OAAO,IAAI,uBAAuB,EAAE,CAAC;wBAC9C,0CAA0C;wBAC1C,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;wBAEnE,IAAI,CAAC,OAAO;4BAAE,SAAS;wBAEvB,wEAAwE;wBACxE,+CAA+C;wBAC/C,MAAM,aAAa,GAAG,OAAO,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBAC5D,MAAM,YAAY,GAAG,OAAO,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;wBAE1D,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,aAAa,CAAC,CAAC;wBACpD,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,YAAY,GAAG,CAAC,CAAC,CAAC;wBAChE,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC;wBAE3D,wCAAwC;wBACxC,MAAM,eAAe,GAAG,YAAY;6BACjC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;6BAC5E,IAAI,CAAC,IAAI,CAAC,CAAC;wBAEd,kDAAkD;wBAClD,MAAM,MAAM,GAAG,OAAO,CAAC,gBAAgB,EAAE,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;4BACtD,gEAAgE;4BAChE,2DAA2D;4BAC3D,IAAI,OAAO,CAAC,EAAE,KAAK,YAAY,EAAE,CAAC;gCAChC,mDAAmD;gCACnD,OAAO,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;4BACrC,CAAC;4BAED,IAAI,OAAO,CAAC,EAAE,KAAK,YAAY,EAAE,CAAC;gCAChC,wEAAwE;gCACxE,8CAA8C;gCAC9C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;4BACzD,CAAC;4BAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;wBAC1B,CAAC,CAAC,CAAC;wBAEH,IAAI,MAAM;4BAAE,SAAS;wBAErB,iBAAiB;wBACjB,MAAM,OAAO,GAAY;4BACvB,EAAE,EAAE,OAAO,CAAC,EAAE;4BACd,QAAQ,EAAE,OAAO,CAAC,QAAe;4BACjC,QAAQ,EAAE,OAAO,CAAC,QAAQ;4BAC1B,KAAK,EAAE,OAAO,CAAC,IAAI;4BACnB,WAAW,EAAE,GAAG,OAAO,CAAC,WAAW,aAAa,IAAI,CAAC,IAAI,EAAE,EAAE;4BAC7D,IAAI,EAAE,IAAI;4BACV,IAAI,EAAE,UAAU;4BAChB,cAAc,EAAE,OAAO,CAAC,cAAc;4BACtC,cAAc,EAAE,OAAO,CAAC,cAAc;4BACtC,UAAU,EAAE,MAAM;yBACnB,CAAC;wBAEF,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;oBACzB,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,gCAAgC;YAClC,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF,CAAC;AAEF,eAAe,iBAAiB,CAAC"}

package/dist/scanners/revocation/index.test.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Token Revocation Security Scanner Tests
+ */
+export {};
+//# sourceMappingURL=index.test.d.ts.map

package/dist/scanners/revocation/index.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.test.d.ts","sourceRoot":"","sources":["../../../src/scanners/revocation/index.test.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/dist/scanners/revocation/index.test.js

@@ -0,0 +1,332 @@
+/**
+ * Token Revocation Security Scanner Tests
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { revocationScanner } from './index.js';
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import * as os from 'os';
+describe('Token Revocation Security Scanner', () => {
+    let tempDir = '';
+    let testFiles = [];
+    beforeEach(async () => {
+        tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'revoke-test-'));
+    });
+    afterEach(async () => {
+        // Cleanup
+        for (const file of testFiles) {
+            try {
+                await fs.unlink(file);
+            }
+            catch {
+                // Ignore
+            }
+        }
+        try {
+            await fs.rm(tempDir, { recursive: true, force: true });
+        }
+        catch {
+            // Ignore
+        }
+        testFiles = [];
+    });
+    async function createTestFile(filename, content) {
+        const filePath = path.join(tempDir, filename);
+        await fs.writeFile(filePath, content, 'utf-8');
+        testFiles.push(filePath);
+        return filePath;
+    }
+    const scanOptions = {
+        path: tempDir,
+    };
+    describe('REVOKE-001: JWT Without Server-Side Revocation Mechanism', () => {
+        it('should detect jwt.sign without revocation', async () => {
+            const file = await createTestFile('jwt-sign.ts', `
+import jwt from 'jsonwebtoken';
+
+function createToken(userId: string) {
+  const token = jwt.sign({ userId }, SECRET, { expiresIn: '1h' });
+  return token;
+}
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            const revokeFindings = findings.filter((f) => f.id === 'REVOKE-001');
+            expect(revokeFindings.length).toBeGreaterThan(0);
+            expect(revokeFindings[0].severity).toBe('high');
+        });
+        it('should detect jsonwebtoken.sign without revocation', async () => {
+            const file = await createTestFile('jsonwebtoken.ts', `
+import * as jsonwebtoken from 'jsonwebtoken';
+
+export function generateAccessToken(payload: any) {
+  return jsonwebtoken.sign(payload, process.env.JWT_SECRET);
+}
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'REVOKE-001')).toBe(true);
+        });
+        it('should detect jose SignJWT without revocation', async () => {
+            const file = await createTestFile('jose-sign.ts', `
+import { SignJWT } from 'jose';
+
+async function createJWT(userId: string) {
+  const token = await new SignJWT({ userId })
+    .setProtectedHeader({ alg: 'HS256' })
+    .sign(secret);
+  return token;
+}
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'REVOKE-001')).toBe(true);
+        });
+        it('should detect custom token generation without revocation', async () => {
+            const file = await createTestFile('custom-token.ts', `
+function createAccessToken(user: User) {
+  const payload = { id: user.id, email: user.email };
+  return jwt.sign(payload, SECRET);
+}
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'REVOKE-001')).toBe(true);
+        });
+        it('should NOT flag when blacklist is used', async () => {
+            const file = await createTestFile('jwt-blacklist.ts', `
+import jwt from 'jsonwebtoken';
+import { tokenBlacklist } from './blacklist';
+
+function createToken(userId: string) {
+  const token = jwt.sign({ userId }, SECRET, { expiresIn: '1h' });
+  return token;
+}
+
+async function revokeToken(token: string) {
+  await tokenBlacklist.add(token);
+}
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            const revokeFindings = findings.filter((f) => f.id === 'REVOKE-001');
+            expect(revokeFindings.length).toBe(0);
+        });
+        it('should NOT flag when Redis is used for token storage', async () => {
+            const file = await createTestFile('jwt-redis.ts', `
+import jwt from 'jsonwebtoken';
+import redis from './redis';
+
+async function createToken(userId: string) {
+  const token = jwt.sign({ userId }, SECRET, { expiresIn: '1h' });
+  await redis.set(\`token:\${userId}\`, token, 'EX', 3600);
+  return token;
+}
+
+async function revokeToken(userId: string) {
+  await redis.del(\`token:\${userId}\`);
+}
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            const revokeFindings = findings.filter((f) => f.id === 'REVOKE-001');
+            expect(revokeFindings.length).toBe(0);
+        });
+        it('should NOT flag when tokenStore is used', async () => {
+            const file = await createTestFile('jwt-store.ts', `
+import jwt from 'jsonwebtoken';
+import { tokenStore } from './store';
+
+function createToken(userId: string) {
+  const token = jwt.sign({ userId }, SECRET);
+  tokenStore.save(userId, token);
+  return token;
+}
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            const revokeFindings = findings.filter((f) => f.id === 'REVOKE-001');
+            expect(revokeFindings.length).toBe(0);
+        });
+        it('should NOT flag when revoke function exists', async () => {
+            const file = await createTestFile('jwt-revoke.ts', `
+import jwt from 'jsonwebtoken';
+
+function createToken(userId: string) {
+  return jwt.sign({ userId }, SECRET, { expiresIn: '1h' });
+}
+
+async function revokeUserTokens(userId: string) {
+  await revokedTokens.add(userId);
+}
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            const revokeFindings = findings.filter((f) => f.id === 'REVOKE-001');
+            expect(revokeFindings.length).toBe(0);
+        });
+        it('should NOT flag session-based authentication', async () => {
+            const file = await createTestFile('session-auth.ts', `
+import jwt from 'jsonwebtoken';
+import session from 'express-session';
+
+function createToken(userId: string) {
+  return jwt.sign({ userId, sessionId: req.session.id }, SECRET);
+}
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            const revokeFindings = findings.filter((f) => f.id === 'REVOKE-001');
+            expect(revokeFindings.length).toBe(0);
+        });
+    });
+    describe('REVOKE-002: Excessive Token Expiration Time', () => {
+        it('should detect expiresIn with 2 days', async () => {
+            const file = await createTestFile('expires-2d.ts', `
+const token = jwt.sign({ userId }, SECRET, { expiresIn: '2d' });
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            const revokeFindings = findings.filter((f) => f.id === 'REVOKE-002');
+            expect(revokeFindings.length).toBeGreaterThan(0);
+            expect(revokeFindings[0].severity).toBe('medium');
+        });
+        it('should detect expiresIn with 7 days', async () => {
+            const file = await createTestFile('expires-7d.ts', `
+const accessToken = jwt.sign(payload, SECRET, { expiresIn: '7d' });
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'REVOKE-002')).toBe(true);
+        });
+        it('should detect expiresIn with 30 days', async () => {
+            const file = await createTestFile('expires-30d.ts', `
+const token = jwt.sign({ id: user.id }, SECRET, { expiresIn: '30d' });
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'REVOKE-002')).toBe(true);
+        });
+        it('should detect expiresIn with 48 hours', async () => {
+            const file = await createTestFile('expires-48h.ts', `
+const token = jwt.sign(data, SECRET, { expiresIn: '48h' });
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'REVOKE-002')).toBe(true);
+        });
+        it('should detect expiresIn with 72 hours', async () => {
+            const file = await createTestFile('expires-72h.ts', `
+jwt.sign({ userId: user.id }, process.env.SECRET, { expiresIn: '72h' });
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'REVOKE-002')).toBe(true);
+        });
+        it('should detect expiresIn with 1 week', async () => {
+            const file = await createTestFile('expires-1w.ts', `
+const token = jwt.sign(payload, SECRET, { expiresIn: '1w' });
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'REVOKE-002')).toBe(true);
+        });
+        it('should detect numeric expiresIn exceeding 24 hours', async () => {
+            const file = await createTestFile('expires-numeric.ts', `
+const token = jwt.sign({ userId }, SECRET, { expiresIn: 172800 });
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'REVOKE-002')).toBe(true);
+        });
+        it('should detect excessive maxAge', async () => {
+            const file = await createTestFile('maxage-excessive.ts', `
+res.cookie('token', token, { maxAge: 864000000 });
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'REVOKE-002')).toBe(true);
+        });
+        it('should NOT flag expiresIn with 1 hour', async () => {
+            const file = await createTestFile('expires-1h.ts', `
+const token = jwt.sign({ userId }, SECRET, { expiresIn: '1h' });
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            const revokeFindings = findings.filter((f) => f.id === 'REVOKE-002');
+            expect(revokeFindings.length).toBe(0);
+        });
+        it('should NOT flag expiresIn with 15 minutes', async () => {
+            const file = await createTestFile('expires-15m.ts', `
+const token = jwt.sign(payload, SECRET, { expiresIn: '15m' });
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            const revokeFindings = findings.filter((f) => f.id === 'REVOKE-002');
+            expect(revokeFindings.length).toBe(0);
+        });
+        it('should NOT flag expiresIn with 24 hours', async () => {
+            const file = await createTestFile('expires-24h.ts', `
+const accessToken = jwt.sign({ id: user.id }, SECRET, { expiresIn: '24h' });
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            const revokeFindings = findings.filter((f) => f.id === 'REVOKE-002');
+            expect(revokeFindings.length).toBe(0);
+        });
+        it('should NOT flag expiresIn with 1 day', async () => {
+            const file = await createTestFile('expires-1d.ts', `
+const token = jwt.sign({ userId }, SECRET, { expiresIn: '1d' });
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            const revokeFindings = findings.filter((f) => f.id === 'REVOKE-002');
+            expect(revokeFindings.length).toBe(0);
+        });
+        it('should NOT flag refresh tokens with longer expiration', async () => {
+            const file = await createTestFile('refresh-token.ts', `
+const refreshToken = jwt.sign({ userId }, SECRET, { expiresIn: '7d' });
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            const revokeFindings = findings.filter((f) => f.id === 'REVOKE-002');
+            expect(revokeFindings.length).toBe(0);
+        });
+        it('should NOT flag remember me tokens', async () => {
+            const file = await createTestFile('remember-me.ts', `
+if (rememberMe) {
+  const token = jwt.sign(payload, SECRET, { expiresIn: '30d' });
+}
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            const revokeFindings = findings.filter((f) => f.id === 'REVOKE-002');
+            expect(revokeFindings.length).toBe(0);
+        });
+        it('should NOT flag API keys', async () => {
+            const file = await createTestFile('api-key.ts', `
+const apiKey = jwt.sign({ clientId }, SECRET, { expiresIn: '90d' });
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            const revokeFindings = findings.filter((f) => f.id === 'REVOKE-002');
+            expect(revokeFindings.length).toBe(0);
+        });
+    });
+    describe('Combined violations', () => {
+        it('should detect both REVOKE-001 and REVOKE-002 in same file', async () => {
+            const file = await createTestFile('combined.ts', `
+import jwt from 'jsonwebtoken';
+
+function createToken(userId: string) {
+  const token = jwt.sign({ userId }, SECRET, { expiresIn: '7d' });
+  return token;
+}
+`);
+            const findings = await revocationScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'REVOKE-001')).toBe(true);
+            expect(findings.some((f) => f.id === 'REVOKE-002')).toBe(true);
+        });
+    });
+    it('should provide correct HIPAA references', async () => {
+        const file = await createTestFile('hipaa-refs.ts', `
+import jwt from 'jsonwebtoken';
+const token1 = jwt.sign({ userId }, SECRET, { expiresIn: '30d' });
+`);
+        const findings = await revocationScanner.scan([file], scanOptions);
+        expect(findings.length).toBeGreaterThan(0);
+        expect(findings.every((f) => f.hipaaReference?.includes('164.308(a)(3)(ii)(C)'))).toBe(true);
+    });
+    it('should have correct severity levels', async () => {
+        const file1 = await createTestFile('severity-high.ts', `
+import jwt from 'jsonwebtoken';
+const token1 = jwt.sign({ userId }, SECRET, { expiresIn: '1h' });
+`);
+        const file2 = await createTestFile('severity-medium.ts', `
+const token2 = jwt.sign({ userId }, SECRET, { expiresIn: '48h' });
+`);
+        const findings1 = await revocationScanner.scan([file1], scanOptions);
+        const findings2 = await revocationScanner.scan([file2], scanOptions);
+        const revoke001 = findings1.find((f) => f.id === 'REVOKE-001');
+        const revoke002 = findings2.find((f) => f.id === 'REVOKE-002');
+        expect(revoke001?.severity).toBe('high');
+        expect(revoke002?.severity).toBe('medium');
+    });
+});
+//# sourceMappingURL=index.test.js.map

package/dist/scanners/revocation/index.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.test.js","sourceRoot":"","sources":["../../../src/scanners/revocation/index.test.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAE/C,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAClC,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AAEzB,QAAQ,CAAC,mCAAmC,EAAE,GAAG,EAAE;IACjD,IAAI,OAAO,GAAW,EAAE,CAAC;IACzB,IAAI,SAAS,GAAa,EAAE,CAAC;IAE7B,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,cAAc,CAAC,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,UAAU;QACV,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC;QACD,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,SAAS,GAAG,EAAE,CAAC;IACjB,CAAC,CAAC,CAAC;IAEH,KAAK,UAAU,cAAc,CAC3B,QAAgB,EAChB,OAAe;QAEf,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC9C,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAC/C,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,WAAW,GAAgB;QAC/B,IAAI,EAAE,OAAO;KACd,CAAC;IAEF,QAAQ,CAAC,0DAA0D,EAAE,GAAG,EAAE;QACxE,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;YACzD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;;;;;;CAOP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YACjD,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;YAClE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,iBAAiB,EACjB;;;;;;CAMP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;;;;;;;;CASP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;YACxE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,iBAAiB,EACjB;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,kBAAkB,EAClB;;;;;;;;;;;;CAYP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;YACpE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;;;;;;;;;;;;CAaP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;YACvD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;;;;;;;;CASP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;;;;;;;;;CAUP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;YAC5D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,iBAAiB,EACjB;;;;;;;CAOP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,6CAA6C,EAAE,GAAG,EAAE;QAC3D,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;YACnD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YACjD,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACpD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;YACnD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;YACpD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;YACrD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;YACrD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;YACnD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;YAClE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,oBAAoB,EACpB;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;YAC9C,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,qBAAqB,EACrB;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;YACrD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;YACzD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;YACvD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;YACpD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uDAAuD,EAAE,KAAK,IAAI,EAAE;YACrE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,kBAAkB,EAClB;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;YAClD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;;;CAIP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0BAA0B,EAAE,KAAK,IAAI,EAAE;YACxC,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,YAAY,EACZ;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;YACrE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;QACnC,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;YACzE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;;;;;;CAOP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC/D,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;;CAGL,CACI,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;QACnE,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;QAC3C,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,EAAE,QAAQ,CAAC,sBAAsB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/F,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,MAAM,KAAK,GAAG,MAAM,cAAc,CAChC,kBAAkB,EAClB;;;CAGL,CACI,CAAC;QAEF,MAAM,KAAK,GAAG,MAAM,cAAc,CAChC,oBAAoB,EACpB;;CAEL,CACI,CAAC;QAEF,MAAM,SAAS,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,EAAE,WAAW,CAAC,CAAC;QACrE,MAAM,SAAS,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,EAAE,WAAW,CAAC,CAAC;QAErE,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;QAC/D,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,YAAY,CAAC,CAAC;QAE/D,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACzC,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/scanners/revocation/patterns.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Token Revocation Security Detection Patterns
+ * Detects JWT usage without revocation mechanisms and excessive token expiration
+ */
+export interface RevocationPattern {
+    id: string;
+    name: string;
+    description: string;
+    severity: 'high' | 'medium';
+    hipaaReference: string;
+    patterns: RegExp[];
+    negativePatterns?: RegExp[];
+    recommendation: string;
+    category: string;
+}
+/**
+ * REVOKE-001: JWT Without Server-Side Revocation Mechanism
+ * Detects JWT usage without revocation support
+ */
+export declare const JWT_WITHOUT_REVOCATION: RevocationPattern;
+/**
+ * REVOKE-002: Excessive Token Expiration Time
+ * Detects tokens with expirations longer than recommended
+ */
+export declare const EXCESSIVE_TOKEN_EXPIRATION: RevocationPattern;
+export declare const ALL_REVOCATION_PATTERNS: RevocationPattern[];
+//# sourceMappingURL=patterns.d.ts.map

package/dist/scanners/revocation/patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../src/scanners/revocation/patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,GAAG,QAAQ,CAAC;IAC5B,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,eAAO,MAAM,sBAAsB,EAAE,iBAsDpC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,0BAA0B,EAAE,iBA2DxC,CAAC;AAEF,eAAO,MAAM,uBAAuB,EAAE,iBAAiB,EAGtD,CAAC"}