omamori 0.1.0

data/demo/xss_vulnerability.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require 'sinatra'
+
+# XSS (Cross-Site Scripting) の脆弱性を含むデモコード
+# ユーザーからの入力を適切にエスケープせずにHTMLに出力している例
+
+get '/greet' do
+  # ユーザーからの入力 (name) を取得
+  name = params['name']
+
+  # 取得した入力をそのままHTMLに埋め込んで出力
+  # ここにXSSの脆弱性がある
+  "<h1>Hello, #{name}!</h1>"
+end
+
+# 実行方法:
+# 1. このファイルを保存
+# 2. ターミナルで `ruby demo/xss_vulnerability.rb` を実行
+# 3. ブラウザで `http://localhost:4567/greet?name=<script>alert('XSS')</script>` にアクセス
+#    アラートが表示されれば脆弱性がある

data/exe/omamori

@@ -0,0 +1,16 @@
+#!/usr/bin/env ruby
+
+# frozen_string_literal: true
+
+require "omamori"
+
+# Main entry point for the omamori CLI
+module Omamori
+  class CLI
+    def self.start(args)
+      CoreRunner.new(args).run
+    end
+  end
+end
+
+Omamori::CLI.start(ARGV)

data/lib/omamori/ai_analysis_engine/diff_splitter.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+module Omamori
+  module AIAnalysisEngine
+    class DiffSplitter
+      # TODO: Determine appropriate chunk size based on token limits
+      # Gemini 1.5 Pro has a large context window (1 million tokens),
+      # but splitting might still be necessary for very large inputs
+      # or to manage cost/latency.
+      DEFAULT_CHUNK_SIZE = 8000 # Characters as a proxy for tokens
+
+      def initialize(chunk_size: DEFAULT_CHUNK_SIZE)
+        @chunk_size = chunk_size
+      end
+
+      def split(content)
+        chunks = []
+        current_chunk = ""
+        content.each_line do |line|
+          if (current_chunk.length + line.length) > @chunk_size
+            chunks << current_chunk unless current_chunk.empty?
+            current_chunk = line
+          else
+            current_chunk += line
+          end
+        end
+        chunks << current_chunk unless current_chunk.empty?
+        chunks
+      end
+
+      def process_in_chunks(content, gemini_client, json_schema, prompt_manager, risks_to_check, model: "gemini-1.5-pro-latest")
+        all_results = []
+        chunks = split(content)
+
+        puts "Splitting content into #{chunks.size} chunks..."
+
+        chunks.each_with_index do |chunk, index|
+          puts "Processing chunk #{index + 1}/#{chunks.size}..."
+          prompt = prompt_manager.build_prompt(chunk, risks_to_check, json_schema)
+          result = gemini_client.analyze(prompt, json_schema, model: model)
+          all_results << result
+          # TODO: Handle potential rate limits or errors between chunks
+        end
+
+        # TODO: Combine results from all chunks
+        combine_results(all_results)
+      end
+
+      private
+
+      def combine_results(results)
+        # This is a placeholder. Combining results from multiple AI responses
+        # requires careful consideration of overlapping findings, context, etc.
+        # For now, just flatten the list of security risks.
+        combined_risks = results.flat_map do |result|
+          result && result["security_risks"] ? result["security_risks"] : []
+        end
+        { "security_risks" => combined_risks }
+      end
+    end
+  end
+end

data/lib/omamori/ai_analysis_engine/gemini_client.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require 'gemini'
+
+module Omamori
+  module AIAnalysisEngine
+    class GeminiClient
+      def initialize(api_key)
+        @api_key = api_key || ENV["GEMINI_API_KEY"]
+        @client = nil # Initialize client later
+      end
+
+      def analyze(prompt, json_schema, model: "gemini-1.5-pro-latest")
+        # Ensure the client is initialized
+        client
+
+        begin
+          response = @client.generate_content(
+            prompt,
+            model: model,
+            response_schema: json_schema # Use response_schema for Structured Output
+          )
+
+          # Debug: Inspect the response object
+          # puts "Debug: response object: #{response.inspect}"
+          # puts "Debug: response methods: #{response.methods.sort}"
+
+          # Extract and parse JSON from the response text
+          json_string = response.text.gsub(/\A```json\n|```\z/, '').strip
+          begin
+            parsed_response = JSON.parse(json_string)
+            # Validate the parsed output structure
+            if parsed_response.is_a?(Hash) && parsed_response.key?('security_risks')
+              # Return the parsed JSON data
+              parsed_response
+            else
+              puts "Warning: Unexpected AI analysis response structure."
+              puts "Raw response text: #{response.text}"
+              nil # Return nil if the structure is unexpected
+            end
+          rescue JSON::ParserError
+            puts "Warning: Failed to parse response text as JSON."
+            puts "Raw response text: #{response.text}"
+            nil # Or handle the error appropriately
+          end
+        rescue Faraday::Error => e
+          puts "API Error: #{e.message}"
+          puts "Response body: #{e.response[:body]}" if e.response
+          nil # Handle API errors
+        rescue => e
+          puts "An unexpected error occurred during API call: #{e.message}"
+          nil # Handle other errors
+        end
+      end
+
+      private
+
+      def client
+        @client ||= begin
+          # Configure the client with the API key
+          Gemini.configure do |config|
+            config.api_key = @api_key
+          end
+          # Create a new client instance
+          Gemini::Client.new
+        end
+      end
+    end
+  end
+end

data/lib/omamori/ai_analysis_engine/prompt_manager.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+module Omamori
+  module AIAnalysisEngine
+    class PromptManager
+      # TODO: Load prompt templates from config file
+    DEFAULT_PROMPT_TEMPLATE = <<~TEXT
+      You are a security expert specializing in Ruby. Analyze the following code and detect any potential security risks.
+      Focus particularly on identifying the following types of vulnerabilities: %{risk_list}
+      Report any detected risks in the format specified by the following JSON Schema:
+      %{json_schema}
+      If no risks are found, output an empty list for the "security_risks" array.
+      Please provide your response in %{language}.
+
+      【Code to Analyze】:
+      %{code_content}
+    TEXT
+
+
+      RISK_PROMPTS = {
+        xss: "Cross-Site Scripting (XSS): A vulnerability where user input is not properly escaped and is embedded into HTML or JavaScript, leading to arbitrary script execution in the victim’s browser. Look for unsanitized input and missing output encoding.",
+        csrf: "Cross-Site Request Forgery (CSRF): An attack that forces an authenticated user to perform unwanted actions via forged requests. Detect missing CSRF tokens or absence of referer/origin validation.",
+        idor: "Insecure Direct Object Reference (IDOR): Occurs when object identifiers (e.g., IDs) are exposed and access control is missing, allowing unauthorized access to other users’ data.",
+        open_redirect: "Open Redirect: Redirecting users to external URLs based on user-supplied input without proper validation. Check for lack of domain or whitelist restrictions.",
+        ssrf: "Server-Side Request Forgery (SSRF): The server makes HTTP requests to an arbitrary destination supplied by the user, potentially exposing internal resources or metadata.",
+        session_fixation: "Session Fixation: The server accepts a pre-supplied session ID, allowing an attacker to hijack the session after authentication. Look for missing session ID regeneration after login.",
+        inappropriate_cookie_attributes: "Insecure Cookie Attributes: Missing HttpOnly, Secure, or SameSite flags, which may lead to session theft or CSRF.",
+        insufficient_encryption: "Insufficient Encryption: Use of weak algorithms (e.g., MD5, SHA1) or lack of encryption for sensitive data. Check for insecure hash functions or plain-text handling.",
+        insecure_deserialization_rce: "Insecure Deserialization leading to RCE: Deserializing untrusted data can lead to arbitrary code execution. Detect unsafe use of deserialization functions without validation.",
+        directory_traversal: "Directory Traversal: Allows attackers to access files outside the intended directory using ../ patterns. Check for path manipulation and missing canonicalization.",
+        dangerous_eval: "Dangerous Code Execution (eval, exec): Dynamic code execution using untrusted input, allowing arbitrary code injection.",
+        inappropriate_file_permissions: "Insecure File Permissions: Files or directories with overly permissive modes (e.g., 777), allowing unauthorized read/write/execute access.",
+        temporary_backup_file_leak: "Temporary or Backup File Exposure: Sensitive files like .bak, .tmp, or ~ versions are publicly accessible due to poor file handling.",
+        overly_detailed_errors: "Excessive Error Information Disclosure: Stack traces or internal error messages exposed to users, leaking implementation details.",
+        csp_not_set: "Missing Content Security Policy (CSP): Absence of CSP headers increases risk of XSS. Look for missing Content-Security-Policy header.",
+        mime_sniffing_vulnerability: "MIME Sniffing Vulnerability: Missing X-Content-Type-Options: nosniff header can allow browsers to misinterpret content types.",
+        clickjacking_vulnerability: "Clickjacking Protection Missing: Absence of X-Frame-Options or frame-ancestors directive allows malicious framing of pages.",
+        auto_index_exposure: "Auto Indexing Enabled: Directory listing is active, exposing files and internal structure to users.",
+        inappropriate_password_policy: "Weak Password Policy: Inadequate rules such as short length, lack of complexity, or missing brute-force protections.",
+        two_factor_auth_missing: "Missing Two-Factor Authentication (2FA): Lack of secondary authentication factor for sensitive operations.",
+        race_condition: "Race Condition: Concurrent access without proper locking can lead to inconsistent states or privilege escalation.",
+        server_error_information_exposure: "Server Error Information Exposure: Internal errors (e.g., 500) reveal stack traces or server information in responses.",
+        dependency_trojan_package: "Dependency Trojan Package Risk: Installation of malicious or typosquatted packages from untrusted sources.",
+        api_overexposure: "Excessive API Exposure: Public APIs exposed without authentication, leading to data leakage or unauthorized access.",
+        security_middleware_disabled: "Security Middleware Disabled: Important protections (e.g., CSRF tokens, input sanitization) are turned off or removed.",
+        security_header_inconsistency: "Security Header Inconsistency: Inconsistent or missing security headers across environments or routes.",
+        excessive_login_attempts: "Excessive Login Attempts Allowed: Lack of rate limiting allows brute-force login attempts.",
+        inappropriate_cache_settings: "Insecure Cache Settings: Sensitive pages are cached publicly (e.g., with Cache-Control: public), risking data leakage.",
+        secret_key_committed: "Secret Key Committed to Repository: Credentials, JWT secrets, or API keys are hardcoded or pushed to version control.",
+        third_party_script_validation_missing: "Missing Validation for Third-Party Scripts: External scripts are loaded without integrity checks (e.g., Subresource Integrity).",
+        over_logging: "Over-Logging: Logging sensitive information such as passwords, tokens, or personal data.",
+        fail_open_design: "Fail-Open Design: On error or exception, access is granted instead of safely denied.",
+        environment_differences: "Uncontrolled Environment Differences: Security settings differ between development and production without strict controls.",
+        audit_log_missing: "Missing Audit Logging: Lack of logging for critical actions or authorization checks prevents accountability.",
+        time_based_side_channel: "Time-Based Side Channel: Execution time differences can leak secrets (e.g., timing attacks in string comparison)."
+      }.freeze
+      
+
+      def initialize(config = {})
+        # Load custom templates and language from config, merge with default
+        custom_templates = config.get("prompt_templates", {}) # Use get instead of fetch
+        @prompt_templates = { default: DEFAULT_PROMPT_TEMPLATE }.merge(custom_templates)
+        @risk_prompts = RISK_PROMPTS
+        @language = config.get("language", "en") # Get language from config, default to 'en'
+      end
+
+      def build_prompt(code_content, risks_to_check, json_schema, template_key: :default)
+        # Use the template from @prompt_templates, defaulting to :default if template_key is not found
+        template = @prompt_templates.fetch(template_key, @prompt_templates[:default])
+        risk_list = risks_to_check.map { |risk_key| @risk_prompts[risk_key] }.compact.join(", ")
+
+        template % { risk_list: risk_list, code_content: code_content, json_schema: json_schema.to_json, language: @language}
+      end
+    end
+  end
+end

data/lib/omamori/config.rb

@@ -0,0 +1,144 @@
+# frozen_string_literal: true
+
+require 'yaml'
+
+module Omamori
+  class Config
+    DEFAULT_CONFIG_PATH = ".omamorirc"
+
+    def initialize(config_path = DEFAULT_CONFIG_PATH)
+      @config_path = config_path
+      @config = load_config
+      validate_config # Add validation after loading
+    end
+
+    def get(key, default = nil)
+      @config.fetch(key.to_s, default)
+    end
+
+    # Add validation methods
+    private
+
+    def validate_config
+      validate_api_key
+      validate_model
+      validate_checks
+      validate_prompt_templates
+      validate_report_settings
+      validate_static_analyser_settings
+      validate_ci_setup_settings # Add CI setup validation
+      validate_language # Add language validation
+    end
+
+    def validate_api_key
+      api_key = @config["api_key"]
+      if api_key && !api_key.is_a?(String)
+        puts "Warning: Config 'api_key' should be a string."
+      end
+    end
+
+    def validate_model
+      model = @config["model"]
+      if model && !model.is_a?(String)
+        puts "Warning: Config 'model' should be a string."
+      end
+    end
+
+    def validate_checks
+      checks = @config["checks"]
+      if checks && !checks.is_a?(Array)
+        puts "Warning: Config 'checks' should be an array."
+      end
+    end
+
+    def validate_prompt_templates
+      prompt_templates = @config["prompt_templates"]
+      if prompt_templates && !prompt_templates.is_a?(Hash)
+        puts "Warning: Config 'prompt_templates' should be a hash."
+      end
+    end
+
+    def validate_report_settings
+      report = @config["report"]
+      if report
+        unless report.is_a?(Hash)
+          puts "Warning: Config 'report' should be a hash."
+          return
+        end
+        if report.key?("output_path") && !report["output_path"].is_a?(String)
+          puts "Warning: Config 'report.output_path' should be a string."
+        end
+        if report.key?("html_template") && !report["html_template"].is_a?(String)
+          puts "Warning: Config 'report.html_template' should be a string."
+        end
+      end
+    end
+
+    def validate_static_analyser_settings
+      static_analysers = @config["static_analysers"]
+      if static_analysers
+        unless static_analysers.is_a?(Hash)
+          puts "Warning: Config 'static_analysers' should be a hash."
+          return
+        end
+        if static_analysers.key?("brakeman")
+          brakeman_config = static_analysers["brakeman"]
+          unless brakeman_config.is_a?(Hash)
+            puts "Warning: Config 'static_analysers.brakeman' should be a hash."
+          else
+            if brakeman_config.key?("options") && !brakeman_config["options"].is_a?(String)
+              puts "Warning: Config 'static_analysers.brakeman.options' should be a string."
+            end
+          end
+        end
+        if static_analysers.key?("bundler_audit")
+          bundler_audit_config = static_analysers["bundler_audit"]
+          unless bundler_audit_config.is_a?(Hash)
+            puts "Warning: Config 'static_analysers.bundler_audit' should be a hash."
+          else
+            if bundler_audit_config.key?("options") && !bundler_audit_config["options"].is_a?(String)
+              puts "Warning: Config 'static_analysers.bundler_audit.options' should be a string."
+            end
+          end
+        end
+      end
+    end
+
+
+    def validate_ci_setup_settings
+      ci_setup = @config["ci_setup"]
+      if ci_setup
+        unless ci_setup.is_a?(Hash)
+          puts "Warning: Config 'ci_setup' should be a hash."
+          return
+        end
+        if ci_setup.key?("github_actions_path") && !ci_setup["github_actions_path"].is_a?(String)
+          puts "Warning: Config 'ci_setup.github_actions_path' should be a string."
+        end
+        if ci_setup.key?("gitlab_ci_path") && !ci_setup["gitlab_ci_path"].is_a?(String)
+          puts "Warning: Config 'ci_setup.gitlab_ci_path' should be a string."
+        end
+      end
+    end
+
+    def validate_language
+      language = @config["language"]
+      if language && !language.is_a?(String)
+        puts "Warning: Config 'language' should be a string."
+      end
+    end
+
+    def load_config
+      if File.exist?(@config_path)
+        begin
+          YAML.load_file(@config_path) || {}
+        rescue Psych::SyntaxError => e
+          puts "Error parsing config file #{@config_path}: #{e.message}"
+          {}
+        end
+      else
+        {} # Return empty hash if config file does not exist
+      end
+    end
+  end
+end