slowcoder360
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/frameworkDetection.ts‎
Lines changed: 151 additions & 0 deletions b/‎src/frameworkDetection.ts‎
Lines changed: 151 additions & 0 deletions
diff --git a/‎src/index.ts‎
Lines changed: 34 additions & 7 deletions b/‎src/index.ts‎
Lines changed: 34 additions & 7 deletions
diff --git a/‎src/reporting/aiSuggestions.ts‎
Lines changed: 3 additions & 3 deletions b/‎src/reporting/aiSuggestions.ts‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/scanners/dependencies.ts‎
Lines changed: 6 additions & 0 deletions b/‎src/scanners/dependencies.ts‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎src/scanners/endpoints.ts‎
Lines changed: 10 additions & 5 deletions b/‎src/scanners/endpoints.ts‎
Lines changed: 10 additions & 5 deletions
diff --git a/‎src/scanners/httpClient.ts‎
Lines changed: 7 additions & 1 deletion b/‎src/scanners/httpClient.ts‎
Lines changed: 7 additions & 1 deletion
@@ -11,7 +11,7 @@ VibeSafe helps developers quickly check their projects for common security issue
 *   **Configuration Scanning:** Checks JSON and YAML files for common insecure settings (e.g., `DEBUG = true`, `devMode = true`, permissive CORS like `origin: '*'`)
 *   **HTTP Client Issues:** Detects potential missing timeout or cancellation configurations in calls using `axios`, `fetch`, `got`, and `request`. (*See Limitations below*).
 *   **Unvalidated Upload Detection:** Identifies potential missing file size/type restrictions in common upload libraries (`multer`, `formidable`, `express-fileupload`, `busboy`) and generic patterns (`new FormData()`, `<input type="file">`).
-*   **Exposed Endpoint Detection:** Flags potentially sensitive endpoints (e.g., `/admin`, `/debug`, `/status`, `/info`, `/metrics`) in Express/Node.js applications using common routing patterns or string literals.
+*   **Exposed Endpoint Detection:** Flags potentially sensitive endpoints (e.g., `/admin`, `/debug`, `/status`, `/info`, `/metrics`) in Node.js web applications using common routing patterns or string literals.
 *   **Rate Limit Check (Heuristic):** Issues a project-level advisory if API routes are detected but no known rate-limiting package (e.g., `express-rate-limit`, `@upstash/ratelimit`) is found in dependencies.
 *   **Improper Logging Detection:** Flags potential logging of full error objects (e.g., `console.error(err)`), which can leak stack traces, and detects logging of potentially sensitive data based on keywords (e.g., `password`, `email`, `token`).
 *   **Multiple Output Formats:** Provides results via console output (with colors!), JSON (`--output`), or a Markdown report (`--report` with default `VIBESAFE-REPORT.md`).
 
@@ -0,0 +1,151 @@
+/**
+ * frameworkDetection.ts
+ * 
+ * Exports categorized lists of common JavaScript package names to help identify 
+ * the technologies used in a scanned project.
+ */
+
+// Frontend Frameworks & Libraries
+export const frontendPackages: string[] = [
+  'react', 
+  '@angular/core', 
+  'vue', 
+  'svelte', 
+  'next', // Also backend/fullstack, but strongly indicative of frontend presence
+  'nuxt', // Also backend/fullstack
+  'gatsby', 
+  'remix', // Also backend/fullstack 
+  'solid-js', 
+  'preact',
+  '@emotion/react', // Common styling library often with React
+  'styled-components', // Common styling library
+  'jquery' // Still common in older projects or specific use cases
+];
+
+// Backend Frameworks & Libraries
+export const backendPackages: string[] = [
+  'express', 
+  'fastify', 
+  'koa', 
+  '@hapi/hapi', // Hapi v17+ scoped package
+  'hapi', // Older Hapi
+  '@nestjs/core', 
+  'sails', 
+  '@adonisjs/core', 
+  'loopback', 
+  'polka',
+  'restify',
+  'connect', // Base middleware framework, often used directly
+  'meteor-base', // Meteor framework indicator
+  'next' // Added Next.js here as well, since it includes a backend
+];
+
+// Authentication & Authorization Libraries
+export const authPackages: string[] = [
+  'passport', 
+  'jsonwebtoken', 
+  'bcrypt', 
+  'bcryptjs', // Alternative bcrypt implementation
+  '@hapi/basic', // Hapi basic auth
+  'express-session', 
+  'cookie-session', 
+  '@fastify/session', 
+  '@fastify/jwt',
+  'next-auth',
+  'node-jose', // JOSE standards (JWT, JWS, JWE)
+  'oidc-provider', // OpenID Connect provider
+  'keycloak-connect', // Keycloak adapter for Node.js
+  'auth0', // Auth0 SDK
+  '@clerk/nextjs', // Added Clerk for Next.js
+  '@clerk/clerk-js' // Added Clerk core JS library
+];
+
+// Common Middleware Packages (excluding auth, cors, file upload listed separately)
+export const middlewarePackages: string[] = [
+  'helmet', 
+  'body-parser', // Very common, though often built-in now
+  'morgan', 
+  'compression', 
+  'express-validator', 
+  'cookie-parser', 
+  'csurf', // CSRF protection
+  'connect-timeout', // Request timeout middleware
+  'response-time', // Response time header middleware
+  'rate-limiter-flexible', // Rate limiting
+  'express-rate-limit', // Rate limiting for Express
+  '@fastify/rate-limit', // Rate limiting for Fastify
+  '@fastify/helmet', // Helmet for Fastify
+  '@fastify/cookie', // Cookie parsing for Fastify
+  'pino-http' // Logging middleware (Pino)
+];
+
+// HTTP Client Libraries
+export const httpClientPackages: string[] = [
+  'axios', 
+  'node-fetch', 
+  'got', 
+  'superagent', 
+  'request', // Deprecated but still widely used
+  'needle',
+  'ky', 
+  'undici', // Node.js built-in fetch, also available as package
+  '@actions/http-client' // For GitHub Actions
+];
+
+// CORS Helper Libraries
+export const corsPackages: string[] = [
+  'cors', // Standard CORS middleware for Express/Connect
+  '@fastify/cors', // CORS plugin for Fastify
+  '@koa/cors' // CORS middleware for Koa
+];
+
+// File Upload Libraries
+export const fileUploadPackages: string[] = [
+  'multer', 
+  'busboy', // Stream-based parser, often used by other libs
+  'formidable', 
+  'express-fileupload',
+  '@fastify/multipart',
+  'connect-busboy' // Busboy middleware for Connect
+];
+
+// Combine all lists for potential generic checks or easier iteration
+export const allKnownPackages: string[] = [
+  ...frontendPackages,
+  ...backendPackages,
+  ...authPackages,
+  ...middlewarePackages,
+  ...httpClientPackages,
+  ...corsPackages,
+  ...fileUploadPackages,
+];
+
+// Simple check function (example - can be expanded)
+export const detectTechnologies = (dependencies: string[]): Record<string, boolean> => {
+  const detected: Record<string, boolean> = {
+    hasFrontend: false,
+    hasBackend: false,
+    hasAuth: false,
+    hasMiddleware: false, // Generic middleware detection
+    hasHttpClient: false,
+    hasCors: false,
+    hasFileUpload: false,
+  };
+
+  const depSet = new Set(dependencies); // Keep Set for efficient lookups of other packages
+
+  if (frontendPackages.some(pkg => depSet.has(pkg))) detected.hasFrontend = true;
+  if (backendPackages.some(pkg => depSet.has(pkg))) detected.hasBackend = true;
+  
+  // Modified Auth Check: Check predefined list OR if any dependency starts with @clerk/
+  if (authPackages.some(pkg => depSet.has(pkg)) || dependencies.some(dep => dep.startsWith('@clerk/'))) {
+      detected.hasAuth = true;
+  }
+  
+  if (middlewarePackages.some(pkg => depSet.has(pkg))) detected.hasMiddleware = true;
+  if (httpClientPackages.some(pkg => depSet.has(pkg))) detected.hasHttpClient = true;
+  if (corsPackages.some(pkg => depSet.has(pkg))) detected.hasCors = true;
+  if (fileUploadPackages.some(pkg => depSet.has(pkg))) detected.hasFileUpload = true;
+    
+  return detected;
+}; 
@@ -17,6 +17,7 @@ import { scanForExposedEndpoints, EndpointFinding } from './scanners/endpoints';
 import { checkRateLimitHeuristic, RateLimitFinding } from './scanners/rateLimiting';
 import { scanForLoggingIssues, LoggingFinding } from './scanners/logging';
 import { scanForHttpClientIssues, HttpClientFinding } from './scanners/httpClient';
+import { detectTechnologies } from './frameworkDetection';
 
 // Define a combined finding type if needed later
 
@@ -95,8 +96,34 @@ program.command('scan')
 
     // --- Parse Dependencies (Phase 3.2) ---
     const dependencyInfoList = parseDependencies(detectedManagers);
+    let detectedTech: Record<string, boolean> = {};
     if (dependencyInfoList.length > 0) {
         console.log(`Parsed ${dependencyInfoList.length} dependencies.`);
+        // --- Detect Technologies (Phase 0 Integration) ---
+        const dependencyNames = dependencyInfoList.map(dep => dep.name);
+        detectedTech = detectTechnologies(dependencyNames);
+        // console.log('Detected Technologies:', detectedTech); // Remove raw log
+
+        // --- Log Detected Technologies --- 
+        const detectedCategories = Object.entries(detectedTech)
+            .filter(([, value]) => value)
+            .map(([key]) => key);
+
+        if (detectedCategories.length > 0) {
+            console.log(chalk.blue('Detected Technology Categories:'));
+            detectedCategories.forEach(categoryKey => {
+                // Simple conversion from camelCase key to Title Case string
+                const categoryName = categoryKey
+                    .replace('has', '') // Remove 'has' prefix
+                    .replace(/([A-Z])/g, ' $1') // Add space before capital letters
+                    .replace(/^./, str => str.toUpperCase()) // Capitalize first letter
+                    .trim(); 
+                console.log(chalk.blue(`  - ${categoryName}`));
+            });
+        } else {
+            // Optionally log if nothing specific was detected
+            // console.log(chalk.dim('No specific framework/library categories detected based on dependencies.'));
+        }
     }
 
     // --- Secrets Scan (Phase 2.1 / 2.3) ---
@@ -133,7 +160,7 @@ program.command('scan')
     filesForUploadScan.forEach(filePath => {
         try {
             const content = fs.readFileSync(filePath, 'utf-8');
-            const findings = scanForUnvalidatedUploads(filePath, content);
+            const findings = scanForUnvalidatedUploads(filePath, content, detectedTech.hasBackend);
             const relativeFindings = findings.map(f => ({ ...f, file: path.relative(rootDir, f.file) }));
             allUploadFindings = allUploadFindings.concat(relativeFindings);
         } catch (error: any) {
@@ -150,7 +177,7 @@ program.command('scan')
     filesForEndpointScan.forEach(filePath => {
         try {
             const content = fs.readFileSync(filePath, 'utf-8');
-            const findings = scanForExposedEndpoints(filePath, content);
+            const findings = scanForExposedEndpoints(filePath, content, detectedTech.hasBackend);
             const relativeFindings = findings.map(f => ({ ...f, file: path.relative(rootDir, f.file) }));
             allEndpointFindings = allEndpointFindings.concat(relativeFindings);
         } catch (error: any) {
@@ -161,8 +188,8 @@ program.command('scan')
 
     // --- Rate Limit Heuristic Check (Phase 6.4 - Revised) ---
     console.log('Checking for presence of known rate limiting packages and API routes...');
-    // Pass all parsed dependencies and the files likely containing routes
-    allRateLimitFindings = checkRateLimitHeuristic(dependencyInfoList, filesForEndpointScan);
+    // Pass all parsed dependencies, files, and detected tech context
+    allRateLimitFindings = checkRateLimitHeuristic(dependencyInfoList, filesForEndpointScan, detectedTech);
     if (allRateLimitFindings.length > 0) {
         console.log(chalk.yellow('Found API routes but no known rate-limiting package in dependencies. Added project-level advisory.'));
     } else {
@@ -174,7 +201,7 @@ program.command('scan')
     filesForEndpointScan.forEach(filePath => {
         try {
             const content = fs.readFileSync(filePath, 'utf-8');
-            const findings = scanForLoggingIssues(filePath, content);
+            const findings = scanForLoggingIssues(filePath, content, detectedTech.hasBackend);
             const relativeFindings = findings.map(f => ({ ...f, file: path.relative(rootDir, f.file) }));
             allLoggingFindings = allLoggingFindings.concat(relativeFindings);
         } catch (error: any) {
@@ -187,7 +214,7 @@ program.command('scan')
     filesForEndpointScan.forEach(filePath => {
         try {
             const content = fs.readFileSync(filePath, 'utf-8');
-            const findings = scanForHttpClientIssues(filePath, content);
+            const findings = scanForHttpClientIssues(filePath, content, detectedTech.hasBackend);
             const relativeFindings = findings.map(f => ({ ...f, file: path.relative(rootDir, f.file) }));
             allHttpClientFindings = allHttpClientFindings.concat(relativeFindings);
         } catch (error: any) {
@@ -275,7 +302,7 @@ program.command('scan')
             uploads: reportUploadFindings,
             endpoints: reportEndpointFindings,
             rateLimiting: reportRateLimitFindings,
-            logging: allLoggingFindings, // Use the full list here
+            logging: reportLoggingFindings,
             httpClients: reportHttpClientFindings,
             info: infoSecretFindings,
             gitignoreWarnings: gitignoreWarnings,
 
@@ -7,9 +7,9 @@ import { EndpointFinding } from '../scanners/endpoints';
 import { RateLimitFinding } from '../scanners/rateLimiting';
 import { LoggingFinding } from '../scanners/logging';
 import { HttpClientFinding } from '../scanners/httpClient';
-import ora from 'ora';
-import { GitignoreWarning } from '../utils/fileTraversal';
 import chalk from 'chalk';
+import { GitignoreWarning } from '../utils/fileTraversal';
+
 
 // Initialize OpenAI client
 // The constructor automatically looks for process.env.OPENAI_API_KEY
@@ -108,7 +108,7 @@ export async function generateAISuggestions(reportData: ReportData, apiKey: stri
 
     try {
         const completion = await openai.chat.completions.create({
-            model: "gpt-4o-mini",
+            model: "gpt-4.1-nano",
             messages: [
                 { role: "system", content: "You are a helpful security assistant providing fix suggestions for code vulnerabilities." },
                 { role: "user", content: prompt }
 
@@ -260,6 +260,12 @@ export function parseDependencies(detectedFiles: { [key in PackageManager]?: { m
     // Flag to ensure we only parse node deps once
     let nodeDepsParsed = false;
 
+    // TODO: Implement package-lock.json (and yarn.lock, pnpm-lock.yaml) parsing.
+    // - If a lock file is detected (detectedFiles[manager].lock), prioritize parsing it 
+    //   to get exact installed versions and transitive dependencies.
+    // - Pass the resulting DependencyInfo list (with exact versions) to lookupCves.
+    // - Fall back to parsing the manifest file (e.g., package.json) only if no lock file exists.
+
     for (const manager in detectedFiles) {
         const files = detectedFiles[manager as PackageManager];
         if (!files || !files.manifest) continue; // Need manifest to parse deps
 
@@ -11,9 +11,9 @@ export interface EndpointFinding {
 }
 
 // Regex patterns for common debug/admin paths
-// Includes common framework patterns (like Express) and simple string literals
-// - Looks for .get, .post, .put, .delete, .use, .all followed by ('/admin...') or similar
-// - Looks for string literals like '/admin', "/debug" etc.
+// Includes common web framework patterns and simple string literals
+// - Looks for common HTTP method/routing function calls (.get, .post, .use, etc.) followed by a sensitive path string
+// - Looks for sensitive path string literals like '/admin', "/debug" etc.
 const DEBUG_ADMIN_ENDPOINT_REGEX = /(\.get|\.post|\.put|\.delete|\.use|\.all)\s*\(\s*['"](\/debug|\/admin|\/status|\/info|\/healthz?|\/metrics|\/console|\/manage|\/config)[\/\w\-\:]*['"]/gi;
 const DEBUG_ADMIN_STRING_LITERAL_REGEX = /['"](\/debug|\/admin|\/status|\/info|\/healthz?|\/metrics|\/console|\/manage|\/config)[\/\w\-\:]*['"]/gi;
 
@@ -24,13 +24,18 @@ const DEBUG_ADMIN_STRING_LITERAL_REGEX = /['"](\/debug|\/admin|\/status|\/info|\
  * @param content The content of the file.
  * @returns An array of EndpointFinding objects.
  */
-export function scanForExposedEndpoints(filePath: string, content: string): EndpointFinding[] {
+export function scanForExposedEndpoints(filePath: string, content: string, hasBackend: boolean): EndpointFinding[] {
+    // If no backend framework detected, skip this scan
+    if (!hasBackend) {
+        return [];
+    }
+
     const findings: EndpointFinding[] = [];
     const lines = content.split('\n');
 
     let match;
 
-    // Check for framework patterns first (e.g., app.get('/admin'))
+    // Check for framework-style route definition patterns first (e.g., app.get('/admin'))
     DEBUG_ADMIN_ENDPOINT_REGEX.lastIndex = 0;
     while ((match = DEBUG_ADMIN_ENDPOINT_REGEX.exec(content)) !== null) {
         const fullMatch = match[0];
 
@@ -18,9 +18,15 @@ export interface HttpClientFinding {
  * TODO: Implement retry logic checks.
  * @param filePath Absolute path to the file.
  * @param content The content of the file.
+ * @param hasBackend Indicates whether the file is likely a backend context.
  * @returns An array of HttpClientFinding objects.
  */
-export function scanForHttpClientIssues(filePath: string, content: string): HttpClientFinding[] {
+export function scanForHttpClientIssues(filePath: string, content: string, hasBackend: boolean): HttpClientFinding[] {
+    // Skip if not likely a backend context
+    if (!hasBackend) {
+        return [];
+    }
+
     const findings: HttpClientFinding[] = [];
     try {
         const ast = parse(content, { loc: true, range: true, comment: false }); // loc: true gives line/column numbers