Enhance AI validation logic and add new test case for API10

- Updated the validation logic in `validate.py` to include regex checks for specific API keywords, improving detection accuracy.
- Added a new test case in `test_ai_modules.py` to ensure that the API10 scenario does not trigger false positives for API1, validating the robustness of the classification process.

Author: Av7danger

src/secnodeapi/ai/validate.py

@@ -4,6 +4,7 @@
 
 import asyncio
 import json
+import re
 from typing import List, Optional, Tuple
 
 import structlog
@@ -43,15 +44,18 @@ def _deterministic_validate_result(result: TestResult) -> Optional[Finding]:
     req_snippet = f"{result.test_case.method} {result.request_url}"
     resp_snippet = result.response_body[:500]
 
-    bola_like = any(
-        keyword in category_text
-        for keyword in ("bola", "idor", "api1", "bfla", "api5", "broken object", "broken function")
+    bola_like = (
+        any(keyword in category_text for keyword in ("bola", "idor", "bfla", "broken object", "broken function"))
+        or re.search(r"\bapi1\b", category_text) is not None
+        or re.search(r"\bapi5\b", category_text) is not None
     )
-    mass_assignment_like = any(
-        keyword in category_text for keyword in ("mass assignment", "bopla", "api3")
+    mass_assignment_like = (
+        any(keyword in category_text for keyword in ("mass assignment", "bopla"))
+        or re.search(r"\bapi3\b", category_text) is not None
     )
-    rate_limit_like = any(
-        keyword in category_text for keyword in ("rate limit", "ratelimit", "api4")
+    rate_limit_like = (
+        any(keyword in category_text for keyword in ("rate limit", "ratelimit"))
+        or re.search(r"\bapi4\b", category_text) is not None
     )
 
     if bola_like and is_2xx:

tests/test_ai_modules.py

@@ -152,3 +152,41 @@ async def fake_call_llm(*args, **kwargs):
     assert confirmed == []
     assert len(suspected) == 1
     assert suspected[0].validation_source == "ai-suspected"
+
+
+@pytest.mark.asyncio
+async def test_classify_findings_api10_does_not_trigger_api1_deterministic(monkeypatch) -> None:
+    test_case = TestCase(
+        id="T-API10-1",
+        name="Unsafe consumption scenario",
+        description="Downstream third-party API behavior",
+        owasp_category="API10: Unsafe Consumption of APIs",
+        endpoint="/integrations/provider",
+        method="GET",
+    )
+    result = TestResult(
+        test_case=test_case,
+        status_code=200,
+        response_body='{"status":"ok"}',
+        response_headers={},
+        request_url="https://api.example.com/integrations/provider",
+        request_headers={},
+        request_body=None,
+        response_time_ms=15.0,
+    )
+    called = False
+
+    async def fake_call_llm(*args, **kwargs):
+        nonlocal called
+        called = True
+        return (
+            '{"analysis":"not vulnerable","is_vulnerable":false,"cvss_score":0.0,'
+            '"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",'
+            '"description":"no issue","remediation":"none","confidence":0.9}'
+        )
+
+    monkeypatch.setattr("secnodeapi.ai.validate.call_llm", fake_call_llm)
+    confirmed, suspected = await classify_findings([result])
+    assert called is True
+    assert confirmed == []
+    assert suspected == []