hedra 1.0.0 → 2.0.0

data/config/example_config.yml

@@ -1,17 +1,95 @@
-# Hedra Configuration Example
-# Copy to ~/.hedra/config.yml to customize
+# Hedra Configuration File
+# Place this file at ~/.hedra/config.yml
 
-# HTTP client settings
+# ============================================
+# HTTP Client Settings
+# ============================================
+
+# Request timeout in seconds
 timeout: 10
+
+# Number of concurrent requests for batch operations
 concurrency: 10
-follow_redirects: false
-user_agent: "Hedra/1.0.0"
 
-# Proxy settings (optional)
+# Custom User-Agent header
+user_agent: "Hedra/2.0.0 Security Scanner"
+
+# Follow HTTP redirects automatically
+follow_redirects: true
+
+# Maximum number of retry attempts for failed requests
+max_retries: 3
+
+# ============================================
+# Proxy Settings (optional)
+# ============================================
+
+# HTTP/HTTPS/SOCKS proxy URL
+# Uncomment to use a proxy
 # proxy: "http://127.0.0.1:8080"
 
-# Output preferences
-output_format: table  # table, json, or csv
+# ============================================
+# Cache Settings
+# ============================================
+
+# Enable response caching to speed up repeated scans
+cache_enabled: false
+
+# Cache time-to-live in seconds (1 hour = 3600)
+cache_ttl: 3600
+
+# ============================================
+# Security Check Settings
+# ============================================
+
+# Check SSL/TLS certificate validity and strength
+check_certificates: true
+
+# Check for security.txt file (RFC 9116)
+check_security_txt: false
+
+# ============================================
+# Output Settings
+# ============================================
+
+# Default output format: table, json, csv, html
+output_format: "table"
+
+# Show progress bars for batch operations
+progress_bar: true
+
+# ============================================
+# Rate Limiting (optional)
+# ============================================
+
+# Limit request rate to prevent server overload
+# Format: number/period where period is s (second), m (minute), or h (hour)
+# Examples: "10/s", "100/m", "1000/h"
+# Uncomment to enable
+# rate_limit: "10/s"
+
+# ============================================
+# Circuit Breaker Settings
+# ============================================
+
+# Number of failures before circuit opens
+circuit_breaker_threshold: 5
+
+# Timeout in seconds before attempting to close circuit
+circuit_breaker_timeout: 60
+
+# ============================================
+# Scoring Weights (optional)
+# ============================================
 
-# Rate limiting (optional)
-# rate_limit: "5/s"
+# Customize header importance weights (default shown)
+# scoring:
+#   content-security-policy: 25
+#   strict-transport-security: 25
+#   x-frame-options: 15
+#   x-content-type-options: 10
+#   referrer-policy: 10
+#   permissions-policy: 5
+#   cross-origin-opener-policy: 5
+#   cross-origin-embedder-policy: 3
+#   cross-origin-resource-policy: 2

data/lib/hedra/analyzer.rb

@@ -61,13 +61,15 @@ module Hedra
       }
     }.freeze
 
-    def initialize
+    def initialize(check_certificates: true, check_security_txt: false)
       @plugin_manager = PluginManager.new
       @scorer = Scorer.new
+      @certificate_checker = check_certificates ? CertificateChecker.new : nil
+      @security_txt_checker = check_security_txt ? SecurityTxtChecker.new : nil
       load_custom_rules
     end
 
-    def analyze(url, headers)
+    def analyze(url, headers, http_client: nil)
       normalized_headers = normalize_headers(headers)
       findings = []
 
@@ -94,6 +96,12 @@ module Hedra
       # Run plugin checks
       findings.concat(@plugin_manager.run_checks(normalized_headers))
 
+      # Check SSL certificate
+      findings.concat(@certificate_checker.check(url)) if @certificate_checker
+
+      # Check security.txt
+      findings.concat(@security_txt_checker.check(url, http_client)) if @security_txt_checker && http_client
+
       # Calculate security score
       score = @scorer.calculate(normalized_headers, findings)
 

data/lib/hedra/baseline.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'fileutils'
+
+module Hedra
+  # Manage security baselines for comparison
+  class Baseline
+    BASELINE_DIR = File.join(Config::CONFIG_DIR, 'baselines')
+
+    def initialize
+      FileUtils.mkdir_p(BASELINE_DIR)
+    end
+
+    def save(name, results)
+      baseline_file = File.join(BASELINE_DIR, "#{sanitize_name(name)}.json")
+      data = {
+        name: name,
+        created_at: Time.now.iso8601,
+        results: results
+      }
+      File.write(baseline_file, JSON.pretty_generate(data))
+    end
+
+    def load(name)
+      baseline_file = File.join(BASELINE_DIR, "#{sanitize_name(name)}.json")
+      raise Error, "Baseline not found: #{name}" unless File.exist?(baseline_file)
+
+      JSON.parse(File.read(baseline_file), symbolize_names: true)
+    end
+
+    def list
+      Dir.glob(File.join(BASELINE_DIR, '*.json')).map do |file|
+        data = JSON.parse(File.read(file), symbolize_names: true)
+        {
+          name: data[:name],
+          created_at: data[:created_at],
+          url_count: data[:results].length
+        }
+      end
+    rescue StandardError
+      []
+    end
+
+    def delete(name)
+      baseline_file = File.join(BASELINE_DIR, "#{sanitize_name(name)}.json")
+      raise Error, "Baseline not found: #{name}" unless File.exist?(baseline_file)
+
+      File.delete(baseline_file)
+    end
+
+    def compare(baseline_name, current_results)
+      baseline = load(baseline_name)
+      baseline_results = baseline[:results]
+
+      comparisons = []
+
+      current_results.each do |current|
+        baseline_result = baseline_results.find { |b| b[:url] == current[:url] }
+        next unless baseline_result
+
+        comparison = {
+          url: current[:url],
+          baseline_score: baseline_result[:score],
+          current_score: current[:score],
+          score_change: current[:score] - baseline_result[:score],
+          new_findings: current[:findings] - baseline_result[:findings],
+          resolved_findings: baseline_result[:findings] - current[:findings]
+        }
+
+        comparisons << comparison
+      end
+
+      comparisons
+    end
+
+    private
+
+    def sanitize_name(name)
+      name.gsub(/[^a-zA-Z0-9_-]/, '_')
+    end
+  end
+end

data/lib/hedra/cache.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'digest'
+require 'json'
+require 'fileutils'
+
+module Hedra
+  # Simple file-based cache for HTTP responses
+  class Cache
+    DEFAULT_TTL = 3600 # 1 hour
+
+    def initialize(cache_dir: nil, ttl: DEFAULT_TTL)
+      @cache_dir = cache_dir || File.join(Config::CONFIG_DIR, 'cache')
+      @ttl = ttl
+      FileUtils.mkdir_p(@cache_dir)
+    end
+
+    def get(key)
+      cache_file = cache_path(key)
+      return nil unless File.exist?(cache_file)
+
+      data = JSON.parse(File.read(cache_file))
+      return nil if expired?(data['timestamp'])
+
+      data['value']
+    rescue StandardError => e
+      warn "Cache read error: #{e.message}"
+      nil
+    end
+
+    def set(key, value)
+      cache_file = cache_path(key)
+      data = {
+        'timestamp' => Time.now.to_i,
+        'value' => value
+      }
+      File.write(cache_file, JSON.generate(data))
+    rescue StandardError => e
+      warn "Cache write error: #{e.message}"
+    end
+
+    def clear
+      FileUtils.rm_rf(@cache_dir)
+      FileUtils.mkdir_p(@cache_dir)
+    end
+
+    def clear_expired
+      Dir.glob(File.join(@cache_dir, '*')).each do |file|
+        data = JSON.parse(File.read(file))
+        File.delete(file) if expired?(data['timestamp'])
+      rescue StandardError
+        # Skip invalid cache files
+      end
+    end
+
+    private
+
+    def cache_path(key)
+      hash = Digest::SHA256.hexdigest(key)
+      File.join(@cache_dir, hash)
+    end
+
+    def expired?(timestamp)
+      (Time.now.to_i - timestamp) > @ttl
+    end
+  end
+end

data/lib/hedra/certificate_checker.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'socket'
+require 'uri'
+
+module Hedra
+  # Check SSL/TLS certificate validity and security
+  class CertificateChecker
+    EXPIRY_WARNING_DAYS = 30
+
+    def check(url)
+      uri = URI.parse(url)
+      return nil unless uri.scheme == 'https'
+
+      findings = []
+      cert_info = fetch_certificate(uri.host, uri.port || 443)
+
+      return findings unless cert_info
+
+      # Check expiry
+      days_until_expiry = ((cert_info[:not_after] - Time.now) / 86_400).to_i
+      if days_until_expiry.negative?
+        findings << {
+          header: 'ssl-certificate',
+          issue: 'SSL certificate has expired',
+          severity: :critical,
+          recommended_fix: 'Renew SSL certificate immediately'
+        }
+      elsif days_until_expiry < EXPIRY_WARNING_DAYS
+        findings << {
+          header: 'ssl-certificate',
+          issue: "SSL certificate expires in #{days_until_expiry} days",
+          severity: :warning,
+          recommended_fix: 'Renew SSL certificate soon'
+        }
+      end
+
+      # Check signature algorithm
+      if weak_signature_algorithm?(cert_info[:signature_algorithm])
+        findings << {
+          header: 'ssl-certificate',
+          issue: "Weak signature algorithm: #{cert_info[:signature_algorithm]}",
+          severity: :warning,
+          recommended_fix: 'Use SHA256 or stronger'
+        }
+      end
+
+      # Check key size
+      if cert_info[:key_size] && cert_info[:key_size] < 2048
+        findings << {
+          header: 'ssl-certificate',
+          issue: "Weak key size: #{cert_info[:key_size]} bits",
+          severity: :critical,
+          recommended_fix: 'Use at least 2048-bit RSA or 256-bit ECC'
+        }
+      end
+
+      findings
+    rescue StandardError => e
+      warn "Certificate check failed: #{e.message}"
+      []
+    end
+
+    private
+
+    def fetch_certificate(host, port)
+      tcp_socket = TCPSocket.new(host, port)
+      ssl_context = OpenSSL::SSL::SSLContext.new
+      ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      ssl_socket = OpenSSL::SSL::SSLSocket.new(tcp_socket, ssl_context)
+      ssl_socket.connect
+
+      cert = ssl_socket.peer_cert
+
+      {
+        subject: cert.subject.to_s,
+        issuer: cert.issuer.to_s,
+        not_before: cert.not_before,
+        not_after: cert.not_after,
+        signature_algorithm: cert.signature_algorithm,
+        key_size: cert.public_key.respond_to?(:n) ? cert.public_key.n.num_bits : nil
+      }
+    ensure
+      ssl_socket&.close
+      tcp_socket&.close
+    end
+
+    def weak_signature_algorithm?(algorithm)
+      weak_algorithms = %w[md5 sha1]
+      weak_algorithms.any? { |weak| algorithm.downcase.include?(weak) }
+    end
+  end
+end

data/lib/hedra/circuit_breaker.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+module Hedra
+  # Circuit breaker pattern to prevent cascading failures
+  class CircuitBreaker
+    FAILURE_THRESHOLD = 5
+    TIMEOUT_SECONDS = 60
+    HALF_OPEN_ATTEMPTS = 3
+
+    attr_reader :state, :failure_count, :last_failure_time
+
+    def initialize(failure_threshold: FAILURE_THRESHOLD, timeout: TIMEOUT_SECONDS)
+      @failure_threshold = failure_threshold
+      @timeout = timeout
+      @failure_count = 0
+      @last_failure_time = nil
+      @state = :closed
+      @half_open_attempts = 0
+    end
+
+    def call
+      raise CircuitOpenError, 'Circuit breaker is open' if open? && !should_attempt_reset?
+
+      if open? && should_attempt_reset?
+        @state = :half_open
+        @half_open_attempts = 0
+      end
+
+      begin
+        result = yield
+        on_success
+        result
+      rescue StandardError => e
+        on_failure
+        raise e
+      end
+    end
+
+    def open?
+      @state == :open
+    end
+
+    def closed?
+      @state == :closed
+    end
+
+    def half_open?
+      @state == :half_open
+    end
+
+    private
+
+    def on_success
+      if half_open?
+        @half_open_attempts += 1
+        if @half_open_attempts >= HALF_OPEN_ATTEMPTS
+          @state = :closed
+          @failure_count = 0
+        end
+      else
+        @failure_count = 0
+      end
+    end
+
+    def on_failure
+      @failure_count += 1
+      @last_failure_time = Time.now
+
+      return unless @failure_count >= @failure_threshold
+
+      @state = :open
+    end
+
+    def should_attempt_reset?
+      @last_failure_time && (Time.now - @last_failure_time) >= @timeout
+    end
+  end
+
+  class CircuitOpenError < Error; end
+end