xploitscan 1.0.10 → 1.0.12

package/README.md

@@ -5,7 +5,7 @@
 
 **Security scanner for AI-generated code.** Find vulnerabilities before attackers do.
 
-Built for developers shipping code via Cursor, Lovable, Bolt, Replit, and Claude Code. 151 security rules. Plain-English results. Copy-paste fixes.
+Built for developers shipping code via Cursor, Lovable, Bolt, Replit, and Claude Code. 158 security rules. Plain-English results. Copy-paste fixes.
 
 ## Quick Start
 
@@ -17,7 +17,7 @@ No install, no config, no account required. Your code stays 100% local.
 
 ## What It Catches
 
-151 rules across 15+ categories:
+158 rules across 15+ categories:
 
 | Category | Examples | Rules |
 |----------|---------|-------|
@@ -130,7 +130,7 @@ Scan via the web at [xploitscan.com](https://xploitscan.com):
 - SOC2/ISO27001 compliance mapping
 - Slack and Discord webhook notifications
 
-**Free**: 5 scans/day, 30 core rules. **Pro** ($29/mo): unlimited scans, all 151 rules, and all dashboard features. **Team** ($99/mo): everything in Pro plus 5 seats, shared scan history, RBAC, and portfolio reports. Annual plans save 20%.
+**Free**: 5 scans/day, 30 core rules. **Pro** ($29/mo): unlimited scans, all 158 rules, and all dashboard features. **Team** ($99/mo): everything in Pro plus 5 seats, shared scan history, RBAC, and portfolio reports. Annual plans save 20%.
 
 ## Supported Languages
 

package/dist/index.js

@@ -1170,6 +1170,7 @@ var dangerousInnerHTML = {
       const value = m[1].trim();
       if (/^[A-Z][A-Z0-9_]+$/.test(value)) continue;
       if (/^["'`][^$]*["'`]$/.test(value)) continue;
+      if (/JSON\.stringify/i.test(value)) continue;
       const lineNum = content.substring(0, m.index).split("\n").length;
       findings.push({
         rule: "VC063",
@@ -1403,7 +1404,15 @@ var complianceMap = {
   VC148: { owasp: "A09:2021", cwe: "CWE-209" },
   VC149: { owasp: "A07:2021", cwe: "CWE-798" },
   VC150: { owasp: "A07:2021", cwe: "CWE-615" },
-  VC151: { owasp: "A07:2021", cwe: "CWE-214" }
+  VC151: { owasp: "A07:2021", cwe: "CWE-214" },
+  // VC152–VC158: New rules
+  VC152: { owasp: "A08:2021", cwe: "CWE-345" },
+  VC153: { owasp: "A05:2021", cwe: "CWE-942" },
+  VC154: { owasp: "A03:2021", cwe: "CWE-20" },
+  VC155: { owasp: "A04:2021", cwe: "CWE-770" },
+  VC156: { owasp: "A04:2021", cwe: "CWE-770" },
+  VC157: { owasp: "A05:2021", cwe: "CWE-16" },
+  VC158: { owasp: "A01:2021", cwe: "CWE-639" }
 };
 var consoleLogProduction = {
   id: "VC097",
@@ -1529,6 +1538,8 @@ function runCustomRules(content, filePath, disabledRules = [], tier = "free", ex
   if (/function runScan\(files\)|export function runCustomRules/.test(content) && /const (?:rules|allRules)\s*[:=]/.test(content) && /findMatches/.test(content)) {
     return findings;
   }
+  if (/pro-rules-bundle|\.bundle\./i.test(filePath)) return findings;
+  if (/onboarding|demo-data|example-vulnerable|code-sample/i.test(filePath)) return findings;
   const ruleset = tier === "pro" && extraRules.length > 0 ? [...freeRules, ...extraRules] : freeRules;
   for (const rule of ruleset) {
     if (disabledRules.includes(rule.id)) continue;
@@ -1905,6 +1916,121 @@ function chunkFiles(files, maxChars) {
   return chunks;
 }
 
+// src/scanners/ai-fp-filter.ts
+import Anthropic2 from "@anthropic-ai/sdk";
+var REVIEW_SYSTEM_PROMPT = `You are reviewing security scan findings for false positives. Your job is to look at each finding and the surrounding code to determine if it's a REAL security vulnerability or a FALSE POSITIVE.
+
+Common false positive patterns you should catch:
+- Auth check exists inside the function body (requireUser, requireUserForApi, getSession, etc.) but the scanner only checked the function signature
+- The flagged pattern is in example/documentation/tutorial code, not production code
+- The variable is developer-controlled (constants, config values, static strings), not user input
+- The flagged function is a database method (conn.exec, db.exec, prisma.$executeRaw) not a shell command (child_process.exec)
+- The comparison is a type check (typeof x === "string") not a secret comparison
+- The file is a test, mock, or fixture file
+- The "secret" is a publishable/public key (pk_test_, NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY) designed to be client-side
+- The innerHTML/dangerouslySetInnerHTML uses a static constant or JSON.stringify, not user input
+- The redirect URL has already been validated (isAllowedRedirect, validateRedirect)
+- The webhook endpoint is for a non-Stripe service but flagged as "Stripe webhook"
+- The "sensitive data in URL" is in a comment or documentation, not actual code
+- Package-lock.json URLs flagged as secrets (they're npm registry URLs, not secrets)
+
+For each finding, respond ONLY with a JSON array. No other text.
+Each element: {"index": <number>, "verdict": "real" or "fp", "reason": "<1 sentence>"}`;
+var MAX_FINDINGS_PER_BATCH = 15;
+var MAX_CONTEXT_LINES = 10;
+var MAX_TOTAL_FINDINGS = 50;
+function getExpandedContext(content, line, contextLines = MAX_CONTEXT_LINES) {
+  const lines = content.split("\n");
+  const start = Math.max(0, line - 1 - contextLines);
+  const end = Math.min(lines.length, line + contextLines);
+  return lines.slice(start, end).map((l, i) => {
+    const lineNum = start + i + 1;
+    const marker = lineNum === line ? ">>>" : "   ";
+    return `${marker} ${lineNum} | ${l}`;
+  }).join("\n");
+}
+function buildReviewPrompt(findings, fileContent) {
+  const parts = [];
+  for (let i = 0; i < findings.length; i++) {
+    const f = findings[i];
+    const context = getExpandedContext(fileContent, f.line);
+    parts.push(`--- Finding ${i} ---
+Rule: ${f.rule} (${f.title})
+Severity: ${f.severity}
+File: ${f.file}
+Line: ${f.line}
+Description: ${f.description}
+Suggested fix: ${f.fix || "N/A"}
+
+Code context:
+${context}
+`);
+  }
+  return `Review these ${findings.length} security scan findings. For each one, determine if it's a real vulnerability or a false positive based on the code context.
+
+${parts.join("\n")}`;
+}
+function parseReviewResponse(text) {
+  try {
+    const cleaned = text.replace(/```json\n?/g, "").replace(/```\n?/g, "").trim();
+    const parsed = JSON.parse(cleaned);
+    if (!Array.isArray(parsed)) return [];
+    return parsed.filter(
+      (r) => typeof r === "object" && r !== null && "index" in r && "verdict" in r && r.verdict === "real" || r.verdict === "fp"
+    );
+  } catch {
+    return [];
+  }
+}
+async function filterFalsePositives(findings, fileContents) {
+  if (!process.env.ANTHROPIC_API_KEY) return { findings, aiReviewed: false, removedCount: 0 };
+  if (findings.length === 0) return { findings, aiReviewed: false, removedCount: 0 };
+  const toReview = findings.slice(0, MAX_TOTAL_FINDINGS);
+  const overflow = findings.slice(MAX_TOTAL_FINDINGS);
+  const byFile = /* @__PURE__ */ new Map();
+  for (const f of toReview) {
+    const group = byFile.get(f.file) || [];
+    group.push(f);
+    byFile.set(f.file, group);
+  }
+  let client;
+  try {
+    client = new Anthropic2();
+  } catch {
+    return { findings, aiReviewed: false, removedCount: 0 };
+  }
+  const fpIndices = /* @__PURE__ */ new Set();
+  for (const [file, fileFindings] of byFile) {
+    const content = fileContents.get(file);
+    if (!content) continue;
+    for (let i = 0; i < fileFindings.length; i += MAX_FINDINGS_PER_BATCH) {
+      const batch = fileFindings.slice(i, i + MAX_FINDINGS_PER_BATCH);
+      const prompt = buildReviewPrompt(batch, content);
+      try {
+        const response = await client.messages.create({
+          model: "claude-haiku-4-5-20251001",
+          max_tokens: 1024,
+          system: REVIEW_SYSTEM_PROMPT,
+          messages: [{ role: "user", content: prompt }]
+        });
+        const text = response.content.filter((b) => b.type === "text").map((b) => b.text).join("");
+        const results = parseReviewResponse(text);
+        for (const r of results) {
+          if (r.verdict === "fp" && r.index >= 0 && r.index < batch.length) {
+            const globalIndex = toReview.indexOf(batch[r.index]);
+            if (globalIndex !== -1) fpIndices.add(globalIndex);
+          }
+        }
+      } catch {
+        continue;
+      }
+    }
+  }
+  const filtered = toReview.filter((_, i) => !fpIndices.has(i));
+  const result = [...filtered, ...overflow];
+  return { findings: result, aiReviewed: true, removedCount: fpIndices.size };
+}
+
 // src/scanners/ast-analyzer.ts
 function stripComments(content) {
   let result = "";
@@ -2557,6 +2683,7 @@ function scanEntropy(files) {
     if (SKIP_FILENAMES.test(basename)) continue;
     if (filePath.includes("node_modules")) continue;
     if (filePath.includes(".min.")) continue;
+    if (/pro-rules-bundle|\.bundle\.|\.chunk\./i.test(filePath)) continue;
     if (/(?:\.test\.|\.spec\.|__tests__|__mocks__|fixtures?\/)/i.test(filePath)) continue;
     const lines = content.split("\n");
     for (let i = 0; i < lines.length; i++) {
@@ -3500,6 +3627,29 @@ async function scanCommand(directory, options) {
       chalk2.gray("Tip: Set ANTHROPIC_API_KEY for AI-powered contextual analysis")
     );
   }
+  let aiReviewed = false;
+  let aiRemovedCount = 0;
+  if (process.env.ANTHROPIC_API_KEY && allFindings.length > 0) {
+    spinner.text = "AI reviewing findings for false positives...";
+    spinner.color = "cyan";
+    try {
+      const fileContentsMap = /* @__PURE__ */ new Map();
+      for (const f of allFindings) {
+        if (!fileContentsMap.has(f.file)) {
+          const content = readFileContents(dir, f.file);
+          if (content) fileContentsMap.set(f.file, content);
+        }
+      }
+      const result2 = await filterFalsePositives(allFindings, fileContentsMap);
+      aiReviewed = result2.aiReviewed;
+      aiRemovedCount = result2.removedCount;
+      if (result2.removedCount > 0) {
+        allFindings.length = 0;
+        allFindings.push(...result2.findings);
+      }
+    } catch {
+    }
+  }
   spinner.stop();
   const seen = /* @__PURE__ */ new Set();
   const dedupedFindings = allFindings.filter((f) => {
@@ -3526,12 +3676,17 @@ async function scanCommand(directory, options) {
       renderTerminalReport(result, fileContentsForAnalysis);
       break;
   }
+  if (aiReviewed && !isSilent) {
+    const msg = aiRemovedCount > 0 ? `  AI review: ${aiRemovedCount} false positive${aiRemovedCount !== 1 ? "s" : ""} removed, ${dedupedFindings.length} verified finding${dedupedFindings.length !== 1 ? "s" : ""} remain` : `  AI review: all ${dedupedFindings.length} finding${dedupedFindings.length !== 1 ? "s" : ""} verified`;
+    console.log("");
+    console.log(chalk2.cyan("\u{1F916} ") + chalk2.gray(msg));
+  }
   if (tier === "free" && !isSilent) {
     console.log("");
     if (userPlan === "anonymous") {
-      console.log(chalk2.gray("  Scanned with 30 free rules.") + chalk2.cyan(" Log in to unlock all 151 rules \u2192") + chalk2.bold(" xploitscan auth login"));
+      console.log(chalk2.gray("  Scanned with 30 free rules.") + chalk2.cyan(" Log in to unlock all 158 rules \u2192") + chalk2.bold(" xploitscan auth login"));
     } else {
-      console.log(chalk2.gray("  Scanned with 30 rules.") + chalk2.cyan(" Upgrade to Pro for all 151 rules \u2192") + chalk2.bold(" xploitscan upgrade"));
+      console.log(chalk2.gray("  Scanned with 30 rules.") + chalk2.cyan(" Upgrade to Pro for all 158 rules \u2192") + chalk2.bold(" xploitscan upgrade"));
     }
     console.log("");
   }