package oracle
import (
"fmt"
"sort"
"strings"
)
// CorrelationGroup represents a meta-threat synthesized from multiple related patterns.
// It is the unit produced by CorrelatePatterns and carried in
// CorrelationReport.MetaThreats.
type CorrelationGroup struct {
	MetaThreat  string   `json:"meta_threat"`
	Severity    string   `json:"severity"` // CRITICAL, HIGH, MEDIUM (ordering defined by severityRank)
	Patterns    []string `json:"patterns"` // Individual pattern IDs that contribute
	Description string   `json:"description"`
}
// CorrelationRule maps related patterns to a meta-threat.
// Rules live in the package-level correlationRules table and are evaluated
// by CorrelatePatterns.
type CorrelationRule struct {
	RequiredPatterns []string // Pattern IDs that must be present (all of them; compared case-insensitively)
	MetaThreat       string   // Human-readable name of the synthesized threat
	Severity         string   // One of the labels ranked by severityRank (CRITICAL, HIGH, MEDIUM, LOW)
	Description      string   // Explanation rendered by FormatCorrelationReport
}
// correlationRules defines pattern groupings → meta-threats.
//
// A rule fires when every ID in RequiredPatterns is present in the input to
// CorrelatePatterns; both sides are lowercased before comparison. Severity
// must be one of the labels known to severityRank (CRITICAL, HIGH, MEDIUM,
// LOW) — any other value ranks 0 and sorts last in the output. The IDs are
// presumably those emitted by the pattern detector elsewhere in this package;
// a misspelled ID here silently disables its rule — TODO(review): verify
// against the detector's ID list.
var correlationRules = []CorrelationRule{
	{
		RequiredPatterns: []string{"weak_ssl_config", "hardcoded_localhost_binding"},
		MetaThreat:       "Insecure Network Perimeter Configuration",
		Severity:         "CRITICAL",
		Description:      "Weak SSL combined with localhost-only binding indicates a misconfigured network perimeter. Attackers can intercept unencrypted traffic or bypass binding restrictions via SSRF.",
	},
	{
		RequiredPatterns: []string{"hardcoded_api_key", "no_input_validation"},
		MetaThreat:       "Authentication Bypass Chain",
		Severity:         "CRITICAL",
		Description:      "Hardcoded credentials with no input validation enables trivial authentication bypass and injection attacks.",
	},
	{
		RequiredPatterns: []string{"debug_mode_enabled", "verbose_error_messages"},
		MetaThreat:       "Information Disclosure via Debug Surface",
		Severity:         "HIGH",
		Description:      "Debug mode with verbose errors leaks internal state, stack traces, and configuration to potential attackers.",
	},
	{
		RequiredPatterns: []string{"outdated_dependency", "known_cve_usage"},
		MetaThreat:       "Supply Chain Vulnerability Cluster",
		Severity:         "CRITICAL",
		Description:      "Outdated dependencies with known CVEs indicate an exploitable supply chain attack surface.",
	},
	{
		RequiredPatterns: []string{"weak_entropy_source", "predictable_token_generation"},
		MetaThreat:       "Cryptographic Weakness Chain",
		Severity:         "HIGH",
		Description:      "Weak entropy combined with predictable tokens enables session hijacking and token forgery.",
	},
	{
		RequiredPatterns: []string{"unrestricted_file_upload", "path_traversal"},
		MetaThreat:       "Remote Code Execution via File Upload",
		Severity:         "CRITICAL",
		Description:      "Unrestricted uploads with path traversal can be chained for arbitrary file write and code execution.",
	},
	{
		RequiredPatterns: []string{"sql_injection", "privilege_escalation"},
		MetaThreat:       "Data Exfiltration Pipeline",
		Severity:         "CRITICAL",
		Description:      "SQL injection chained with privilege escalation enables full database compromise and data exfiltration.",
	},
	{
		RequiredPatterns: []string{"cors_misconfiguration", "csrf_no_token"},
		MetaThreat:       "Cross-Origin Attack Surface",
		Severity:         "HIGH",
		Description:      "CORS misconfiguration combined with missing CSRF tokens enables cross-origin request forgery and data theft.",
	},
	// v3.8: Attack Vector rules (MITRE ATT&CK mapping)
	// The technique ID in each MetaThreat is part of the displayed name; keep
	// it in sync with the ATT&CK reference when a rule is edited.
	{
		RequiredPatterns: []string{"weak_ssl_config", "open_port"},
		MetaThreat:       "Lateral Movement Vector (T1021)",
		Severity:         "CRITICAL",
		Description:      "Weak SSL on exposed ports enables network-level lateral movement via traffic interception and credential relay.",
	},
	{
		RequiredPatterns: []string{"hardcoded_api_key", "api_endpoint_exposed"},
		MetaThreat:       "Credential Stuffing Pipeline (T1110)",
		Severity:         "CRITICAL",
		Description:      "Hardcoded keys combined with exposed endpoints enable automated credential stuffing and API abuse.",
	},
	{
		RequiredPatterns: []string{"container_escape", "privilege_escalation"},
		MetaThreat:       "Container Breakout Chain (T1611)",
		Severity:         "CRITICAL",
		Description:      "Container escape combined with privilege escalation enables full host compromise from containerized workloads.",
	},
	{
		RequiredPatterns: []string{"outdated_dependency", "deserialization_flaw"},
		MetaThreat:       "Supply Chain RCE (T1195)",
		Severity:         "CRITICAL",
		Description:      "Outdated dependency with unsafe deserialization enables remote code execution via supply chain exploitation.",
	},
	{
		RequiredPatterns: []string{"weak_entropy_source", "session_fixation"},
		MetaThreat:       "Session Hijacking Pipeline (T1563)",
		Severity:         "HIGH",
		Description:      "Weak entropy with session fixation enables prediction and hijacking of authenticated sessions.",
	},
	{
		RequiredPatterns: []string{"dns_poisoning", "subdomain_takeover"},
		MetaThreat:       "C2 Persistence via DNS (T1071.004)",
		Severity:         "CRITICAL",
		Description:      "DNS poisoning combined with subdomain takeover establishes persistent command and control channel.",
	},
	{
		RequiredPatterns: []string{"ssrf", "internal_api_exposed"},
		MetaThreat:       "Internal API Chain Exploitation (T1190)",
		Severity:         "CRITICAL",
		Description:      "SSRF chained with internal API access enables pivoting from external to internal attack surface.",
	},
}
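// CorrelatePatterns takes a list of detected pattern IDs and returns
// synthesized meta-threats where multiple related patterns are present.
//
// Matching is case-insensitive: detected IDs and each rule's RequiredPatterns
// are lowercased before comparison, and a rule fires only when all of its
// RequiredPatterns were detected. Results are ordered by severity (CRITICAL
// first); rules of equal severity keep their declaration order in
// correlationRules, so output is deterministic. A nil or empty input yields
// an empty, non-nil slice so the JSON encoding is [] rather than null.
//
// Each returned group's Patterns is a copy of the rule's RequiredPatterns;
// callers may modify it without altering the package-level rule table.
func CorrelatePatterns(detectedPatterns []string) []CorrelationGroup {
	// Build lookup set; normalise case once here so allPresent sees a
	// consistent key space.
	detected := make(map[string]bool, len(detectedPatterns))
	for _, p := range detectedPatterns {
		detected[strings.ToLower(p)] = true
	}

	groups := make([]CorrelationGroup, 0)
	for _, rule := range correlationRules {
		if !allPresent(detected, rule.RequiredPatterns) {
			continue
		}
		// Copy the slice: handing out rule.RequiredPatterns directly would
		// alias the package-level rule table and let a caller mutate it.
		patterns := append([]string(nil), rule.RequiredPatterns...)
		groups = append(groups, CorrelationGroup{
			MetaThreat:  rule.MetaThreat,
			Severity:    rule.Severity,
			Patterns:    patterns,
			Description: rule.Description,
		})
	}

	// Stable sort keeps declaration order among equal severities; sort.Slice
	// gives no such guarantee.
	sort.SliceStable(groups, func(i, j int) bool {
		return severityRank(groups[i].Severity) > severityRank(groups[j].Severity)
	})
	return groups
}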
// CorrelationReport is the full correlation analysis result.
// Produced by AnalyzeCorrelations; rendered for humans by FormatCorrelationReport.
type CorrelationReport struct {
	DetectedPatterns int                `json:"detected_patterns"` // Count of input pattern IDs (length of the input slice, duplicates included)
	MetaThreats      []CorrelationGroup `json:"meta_threats"`      // Rules that fired, CRITICAL first; empty when none fired
	RiskLevel        string             `json:"risk_level"`        // CRITICAL, HIGH, MEDIUM, LOW — the highest severity among MetaThreats, or LOW
}
// AnalyzeCorrelations performs full correlation analysis on detected patterns.
//
// RiskLevel is the highest severity among the correlated meta-threats as
// ranked by severityRank, or "LOW" when no rule fired. DetectedPatterns is
// the raw length of the input, duplicates included.
func AnalyzeCorrelations(detectedPatterns []string) CorrelationReport {
	report := CorrelationReport{
		DetectedPatterns: len(detectedPatterns),
		MetaThreats:      CorrelatePatterns(detectedPatterns),
		RiskLevel:        "LOW",
	}
	// Only a strictly higher rank replaces the current level, so an unknown
	// severity (rank 0) can never lower the report below LOW.
	for _, group := range report.MetaThreats {
		if severityRank(group.Severity) <= severityRank(report.RiskLevel) {
			continue
		}
		report.RiskLevel = group.Severity
	}
	return report
}
// allPresent reports whether every ID in required appears in set.
// Each required ID is lowercased before lookup, so set is expected to hold
// lowercased keys (CorrelatePatterns builds it that way). An empty required
// list is trivially satisfied; a nil set never matches anything.
func allPresent(set map[string]bool, required []string) bool {
	matched := 0
	for _, id := range required {
		if set[strings.ToLower(id)] {
			matched++
		}
	}
	return matched == len(required)
}
// severityRank maps a severity label to a sortable weight: CRITICAL=4,
// HIGH=3, MEDIUM=2, LOW=1. Comparison is case-sensitive; any other label
// (including lowercase variants or "") ranks 0 and therefore sorts last.
func severityRank(s string) int {
	// Position in the ladder encodes the rank: index i has rank i+1.
	ladder := [...]string{"LOW", "MEDIUM", "HIGH", "CRITICAL"}
	for i, label := range ladder {
		if label == s {
			return i + 1
		}
	}
	return 0
}
// FormatCorrelationReport formats the report for human consumption.
//
// With no meta-threats it returns a single-line summary. Otherwise it emits a
// header, a counts/risk line, and one numbered entry per meta-threat showing
// severity, name, the contributing pattern IDs joined with " + ", and the
// description, each entry followed by a blank line.
func FormatCorrelationReport(r CorrelationReport) string {
	if len(r.MetaThreats) == 0 {
		return fmt.Sprintf("No correlated threats found (%d patterns analyzed). Risk: %s", r.DetectedPatterns, r.RiskLevel)
	}
	lines := []string{
		"=== Correlation Analysis ===",
		fmt.Sprintf("Patterns: %d | Meta-Threats: %d | Risk: %s", r.DetectedPatterns, len(r.MetaThreats), r.RiskLevel),
		"",
	}
	for i, g := range r.MetaThreats {
		lines = append(lines,
			fmt.Sprintf("%d. [%s] %s", i+1, g.Severity, g.MetaThreat),
			" Patterns: "+strings.Join(g.Patterns, " + "),
			" "+g.Description,
			"",
		)
	}
	// Every line, including the trailing empty one, ends with a newline.
	return strings.Join(lines, "\n") + "\n"
}