xploitscan 1.0.9 → 1.0.11

package/README.md

@@ -5,7 +5,7 @@
 
 **Security scanner for AI-generated code.** Find vulnerabilities before attackers do.
 
-Built for developers shipping code via Cursor, Lovable, Bolt, Replit, and Claude Code. 151 security rules. Plain-English results. Copy-paste fixes.
+Built for developers shipping code via Cursor, Lovable, Bolt, Replit, and Claude Code. 158 security rules. Plain-English results. Copy-paste fixes.
 
 ## Quick Start
 
@@ -17,7 +17,7 @@ No install, no config, no account required. Your code stays 100% local.
 
 ## What It Catches
 
-151 rules across 15+ categories:
+158 rules across 15+ categories:
 
 | Category | Examples | Rules |
 |----------|---------|-------|
@@ -130,7 +130,7 @@ Scan via the web at [xploitscan.com](https://xploitscan.com):
 - SOC2/ISO27001 compliance mapping
 - Slack and Discord webhook notifications
 
-**Free**: 5 scans/day, 30 core rules. **Pro** ($29/mo): unlimited scans, all 151 rules, and all dashboard features. **Team** ($99/mo): everything in Pro plus 5 seats, shared scan history, RBAC, and portfolio reports. Annual plans save 20%.
+**Free**: 5 scans/day, 30 core rules. **Pro** ($29/mo): unlimited scans, all 158 rules, and all dashboard features. **Team** ($99/mo): everything in Pro plus 5 seats, shared scan history, RBAC, and portfolio reports. Annual plans save 20%.
 
 ## Supported Languages
 

package/dist/index.js

@@ -577,15 +577,19 @@ var xssVulnerability = {
     ];
     const matches = [];
     for (const pattern of patterns) {
-      matches.push(
-        ...findMatches(
-          content,
-          pattern,
-          xssVulnerability,
-          filePath,
-          () => "Sanitize user input before rendering as HTML. Use a library like DOMPurify: DOMPurify.sanitize(userInput)"
-        )
+      const raw = findMatches(
+        content,
+        pattern,
+        xssVulnerability,
+        filePath,
+        () => "Sanitize user input before rendering as HTML. Use a library like DOMPurify: DOMPurify.sanitize(userInput)"
       );
+      for (const m of raw) {
+        const lineText = content.split("\n")[m.line - 1] || "";
+        if (/\.innerHTML\s*=\s*['"]/.test(lineText) && !/\$\{/.test(lineText)) continue;
+        if (/\.innerHTML\s*=\s*['"][^'"]*['"]\s*$/.test(lineText)) continue;
+        matches.push(m);
+      }
     }
     return matches;
   }
@@ -688,13 +692,21 @@ var nextPublicSecret = {
     ];
     const matches = [];
     for (const p of patterns) {
-      matches.push(...findMatches(
+      const raw = findMatches(
         content,
         p,
         nextPublicSecret,
         filePath,
         () => "Remove the NEXT_PUBLIC_ prefix. Only use NEXT_PUBLIC_ for values safe to expose in the browser."
-      ));
+      );
+      for (const m of raw) {
+        const lineText = content.split("\n")[m.line - 1] || "";
+        if (/PUBLISHABLE|ANON_KEY|PUBLIC_KEY/i.test(lineText)) continue;
+        if (/CLERK_PUBLISHABLE/i.test(lineText)) continue;
+        if (/STRIPE_PUBLISHABLE/i.test(lineText)) continue;
+        if (/=\s*["']?\s*$|=\s*["']?pk_(?:test|live)_["']?\s*$/.test(lineText)) continue;
+        matches.push(m);
+      }
     }
     return matches;
   }
@@ -766,6 +778,8 @@ var unvalidatedRedirect = {
   category: "Injection",
   description: "Redirecting users to URLs from untrusted input enables phishing attacks.",
   check(content, filePath) {
+    if (isTestFile(filePath)) return [];
+    if (/isAllowedRedirect|validateRedirect|isSafeRedirect|allowedDomains|trustedDomains|whitelist.*url|allowlist.*url/i.test(content)) return [];
     const patterns = [
       /window\.location\s*=\s*(?!["'`]https?:\/\/)/g,
       /window\.location\.href\s*=\s*(?!["'`]https?:\/\/)/g,
@@ -1156,6 +1170,7 @@ var dangerousInnerHTML = {
       const value = m[1].trim();
       if (/^[A-Z][A-Z0-9_]+$/.test(value)) continue;
       if (/^["'`][^$]*["'`]$/.test(value)) continue;
+      if (/JSON\.stringify/i.test(value)) continue;
       const lineNum = content.substring(0, m.index).split("\n").length;
       findings.push({
         rule: "VC063",
@@ -1389,26 +1404,37 @@ var complianceMap = {
   VC148: { owasp: "A09:2021", cwe: "CWE-209" },
   VC149: { owasp: "A07:2021", cwe: "CWE-798" },
   VC150: { owasp: "A07:2021", cwe: "CWE-615" },
-  VC151: { owasp: "A07:2021", cwe: "CWE-214" }
+  VC151: { owasp: "A07:2021", cwe: "CWE-214" },
+  // VC152–VC158: New rules
+  VC152: { owasp: "A08:2021", cwe: "CWE-345" },
+  VC153: { owasp: "A05:2021", cwe: "CWE-942" },
+  VC154: { owasp: "A03:2021", cwe: "CWE-20" },
+  VC155: { owasp: "A04:2021", cwe: "CWE-770" },
+  VC156: { owasp: "A04:2021", cwe: "CWE-770" },
+  VC157: { owasp: "A05:2021", cwe: "CWE-16" },
+  VC158: { owasp: "A01:2021", cwe: "CWE-639" }
 };
 var consoleLogProduction = {
   id: "VC097",
   title: "Console.log Left in Production Code",
-  severity: "medium",
+  severity: "low",
   category: "Performance",
   description: "console.log statements left in production code can leak sensitive data, slow down rendering, and clutter browser consoles.",
   check(content, filePath) {
-    if (filePath.match(/test|spec|mock|__tests__|fixture|\.test\.|\.spec\./i)) return [];
+    if (isTestFile(filePath)) return [];
+    if (/(?:migrate|seed|script|cli|setup|dev)\./i.test(filePath)) return [];
     if (!/console\.log\s*\(/g.test(content)) return [];
     const lines = content.split("\n");
+    const logCount = lines.filter((l) => /console\.log\s*\(/.test(l.trim()) && !l.trim().startsWith("//")).length;
+    if (logCount > 5) return [];
     const matches = [];
     for (let i = 0; i < lines.length; i++) {
       const line = lines[i].trim();
       if (/console\.log\s*\(/.test(line) && !line.startsWith("//") && !line.startsWith("*") && !/if\s*\(\s*(?:debug|process\.env)/i.test(lines[Math.max(0, i - 1)] + line)) {
-        matches.push({ rule: "VC097", title: consoleLogProduction.title, severity: "medium", category: "Performance", file: filePath, line: i + 1, snippet: getSnippet(content, i + 1), fix: "Remove console.log or use a logger that can be disabled in production." });
+        matches.push({ rule: "VC097", title: consoleLogProduction.title, severity: "low", category: "Performance", file: filePath, line: i + 1, snippet: getSnippet(content, i + 1), fix: "Remove console.log or use a structured logger that can be disabled in production." });
       }
     }
-    return matches.slice(0, 3);
+    return matches.slice(0, 1);
   }
 };
 var todoLeftInCode = {
@@ -1512,6 +1538,8 @@ function runCustomRules(content, filePath, disabledRules = [], tier = "free", ex
   if (/function runScan\(files\)|export function runCustomRules/.test(content) && /const (?:rules|allRules)\s*[:=]/.test(content) && /findMatches/.test(content)) {
     return findings;
   }
+  if (/pro-rules-bundle|\.bundle\./i.test(filePath)) return findings;
+  if (/onboarding|demo-data|example-vulnerable|code-sample/i.test(filePath)) return findings;
   const ruleset = tier === "pro" && extraRules.length > 0 ? [...freeRules, ...extraRules] : freeRules;
   for (const rule of ruleset) {
     if (disabledRules.includes(rule.id)) continue;
@@ -1888,6 +1916,120 @@ function chunkFiles(files, maxChars) {
   return chunks;
 }
 
+// src/scanners/ai-fp-filter.ts
+import Anthropic2 from "@anthropic-ai/sdk";
+var REVIEW_SYSTEM_PROMPT = `You are reviewing security scan findings for false positives. Your job is to look at each finding and the surrounding code to determine if it's a REAL security vulnerability or a FALSE POSITIVE.
+
+Common false positive patterns you should catch:
+- Auth check exists inside the function body (requireUser, requireUserForApi, getSession, etc.) but the scanner only checked the function signature
+- The flagged pattern is in example/documentation/tutorial code, not production code
+- The variable is developer-controlled (constants, config values, static strings), not user input
+- The flagged function is a database method (conn.exec, db.exec, prisma.$executeRaw) not a shell command (child_process.exec)
+- The comparison is a type check (typeof x === "string") not a secret comparison
+- The file is a test, mock, or fixture file
+- The "secret" is a publishable/public key (pk_test_, NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY) designed to be client-side
+- The innerHTML/dangerouslySetInnerHTML uses a static constant or JSON.stringify, not user input
+- The redirect URL has already been validated (isAllowedRedirect, validateRedirect)
+- The webhook endpoint is for a non-Stripe service but flagged as "Stripe webhook"
+- The "sensitive data in URL" is in a comment or documentation, not actual code
+- Package-lock.json URLs flagged as secrets (they're npm registry URLs, not secrets)
+
+For each finding, respond ONLY with a JSON array. No other text.
+Each element: {"index": <number>, "verdict": "real" or "fp", "reason": "<1 sentence>"}`;
+var MAX_FINDINGS_PER_BATCH = 15;
+var MAX_CONTEXT_LINES = 10;
+var MAX_TOTAL_FINDINGS = 50;
+function getExpandedContext(content, line, contextLines = MAX_CONTEXT_LINES) {
+  const lines = content.split("\n");
+  const start = Math.max(0, line - 1 - contextLines);
+  const end = Math.min(lines.length, line + contextLines);
+  return lines.slice(start, end).map((l, i) => {
+    const lineNum = start + i + 1;
+    const marker = lineNum === line ? ">>>" : "   ";
+    return `${marker} ${lineNum} | ${l}`;
+  }).join("\n");
+}
+function buildReviewPrompt(findings, fileContent) {
+  const parts = [];
+  for (let i = 0; i < findings.length; i++) {
+    const f = findings[i];
+    const context = getExpandedContext(fileContent, f.line);
+    parts.push(`--- Finding ${i} ---
+Rule: ${f.rule} (${f.title})
+Severity: ${f.severity}
+File: ${f.file}
+Line: ${f.line}
+Description: ${f.description}
+Suggested fix: ${f.fix || "N/A"}
+
+Code context:
+${context}
+`);
+  }
+  return `Review these ${findings.length} security scan findings. For each one, determine if it's a real vulnerability or a false positive based on the code context.
+
+${parts.join("\n")}`;
+}
+function parseReviewResponse(text) {
+  try {
+    const cleaned = text.replace(/```json\n?/g, "").replace(/```\n?/g, "").trim();
+    const parsed = JSON.parse(cleaned);
+    if (!Array.isArray(parsed)) return [];
+    return parsed.filter(
+      (r) => typeof r === "object" && r !== null && "index" in r && "verdict" in r && r.verdict === "real" || r.verdict === "fp"
+    );
+  } catch {
+    return [];
+  }
+}
+async function filterFalsePositives(findings, fileContents) {
+  if (!process.env.ANTHROPIC_API_KEY) return findings;
+  if (findings.length === 0) return findings;
+  const toReview = findings.slice(0, MAX_TOTAL_FINDINGS);
+  const overflow = findings.slice(MAX_TOTAL_FINDINGS);
+  const byFile = /* @__PURE__ */ new Map();
+  for (const f of toReview) {
+    const group = byFile.get(f.file) || [];
+    group.push(f);
+    byFile.set(f.file, group);
+  }
+  let client;
+  try {
+    client = new Anthropic2();
+  } catch {
+    return findings;
+  }
+  const fpIndices = /* @__PURE__ */ new Set();
+  for (const [file, fileFindings] of byFile) {
+    const content = fileContents.get(file);
+    if (!content) continue;
+    for (let i = 0; i < fileFindings.length; i += MAX_FINDINGS_PER_BATCH) {
+      const batch = fileFindings.slice(i, i + MAX_FINDINGS_PER_BATCH);
+      const prompt = buildReviewPrompt(batch, content);
+      try {
+        const response = await client.messages.create({
+          model: "claude-haiku-4-5-20251001",
+          max_tokens: 1024,
+          system: REVIEW_SYSTEM_PROMPT,
+          messages: [{ role: "user", content: prompt }]
+        });
+        const text = response.content.filter((b) => b.type === "text").map((b) => b.text).join("");
+        const results = parseReviewResponse(text);
+        for (const r of results) {
+          if (r.verdict === "fp" && r.index >= 0 && r.index < batch.length) {
+            const globalIndex = toReview.indexOf(batch[r.index]);
+            if (globalIndex !== -1) fpIndices.add(globalIndex);
+          }
+        }
+      } catch {
+        continue;
+      }
+    }
+  }
+  const filtered = toReview.filter((_, i) => !fpIndices.has(i));
+  return [...filtered, ...overflow];
+}
+
 // src/scanners/ast-analyzer.ts
 function stripComments(content) {
   let result = "";
@@ -2540,6 +2682,7 @@ function scanEntropy(files) {
     if (SKIP_FILENAMES.test(basename)) continue;
     if (filePath.includes("node_modules")) continue;
     if (filePath.includes(".min.")) continue;
+    if (/pro-rules-bundle|\.bundle\.|\.chunk\./i.test(filePath)) continue;
     if (/(?:\.test\.|\.spec\.|__tests__|__mocks__|fixtures?\/)/i.test(filePath)) continue;
     const lines = content.split("\n");
     for (let i = 0; i < lines.length; i++) {
@@ -3483,6 +3626,30 @@ async function scanCommand(directory, options) {
       chalk2.gray("Tip: Set ANTHROPIC_API_KEY for AI-powered contextual analysis")
     );
   }
+  if (process.env.ANTHROPIC_API_KEY && allFindings.length > 0) {
+    spinner.text = "AI reviewing findings for false positives...";
+    spinner.color = "cyan";
+    try {
+      const fileContentsMap = /* @__PURE__ */ new Map();
+      for (const f of allFindings) {
+        if (!fileContentsMap.has(f.file)) {
+          const content = readFileContents(dir, f.file);
+          if (content) fileContentsMap.set(f.file, content);
+        }
+      }
+      const beforeCount = allFindings.length;
+      const filtered = await filterFalsePositives(allFindings, fileContentsMap);
+      const removed = beforeCount - filtered.length;
+      if (removed > 0) {
+        allFindings.length = 0;
+        allFindings.push(...filtered);
+      }
+      if (removed > 0 && verbose) {
+        spinner.info(`AI review removed ${removed} false positive${removed !== 1 ? "s" : ""}`);
+      }
+    } catch {
+    }
+  }
   spinner.stop();
   const seen = /* @__PURE__ */ new Set();
   const dedupedFindings = allFindings.filter((f) => {
@@ -3512,9 +3679,9 @@ async function scanCommand(directory, options) {
   if (tier === "free" && !isSilent) {
     console.log("");
     if (userPlan === "anonymous") {
-      console.log(chalk2.gray("  Scanned with 30 free rules.") + chalk2.cyan(" Log in to unlock all 151 rules \u2192") + chalk2.bold(" xploitscan auth login"));
+      console.log(chalk2.gray("  Scanned with 30 free rules.") + chalk2.cyan(" Log in to unlock all 158 rules \u2192") + chalk2.bold(" xploitscan auth login"));
     } else {
-      console.log(chalk2.gray("  Scanned with 30 rules.") + chalk2.cyan(" Upgrade to Pro for all 151 rules \u2192") + chalk2.bold(" xploitscan upgrade"));
+      console.log(chalk2.gray("  Scanned with 30 rules.") + chalk2.cyan(" Upgrade to Pro for all 158 rules \u2192") + chalk2.bold(" xploitscan upgrade"));
     }
     console.log("");
   }