0xkobold 0.5.0 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (128) hide show
  1. package/dist/package.json +5 -4
  2. package/dist/src/agent/types/definitions.js +2 -1
  3. package/dist/src/agent/types/definitions.js.map +1 -1
  4. package/dist/src/cli/commands/setup.js +0 -3
  5. package/dist/src/cli/commands/setup.js.map +1 -1
  6. package/dist/src/config/loader.js +0 -3
  7. package/dist/src/config/loader.js.map +1 -1
  8. package/dist/src/event-bus/index.js.map +1 -1
  9. package/dist/src/extensions/core/agent-orchestrator-extension.js +19 -2
  10. package/dist/src/extensions/core/agent-orchestrator-extension.js.map +1 -1
  11. package/dist/src/extensions/core/auto-security-scan-extension.js +41 -0
  12. package/dist/src/extensions/core/auto-security-scan-extension.js.map +1 -0
  13. package/dist/src/extensions/core/task-manager-extension.js +20 -3
  14. package/dist/src/extensions/core/task-manager-extension.js.map +1 -1
  15. package/dist/src/index.js +0 -1
  16. package/dist/src/index.js.map +1 -1
  17. package/dist/src/pi-config.js +2 -0
  18. package/dist/src/pi-config.js.map +1 -1
  19. package/package.json +5 -4
  20. package/skills/kobold-scan-skill/README.md +218 -0
  21. package/skills/kobold-scan-skill/config/default.json +14 -0
  22. package/skills/kobold-scan-skill/examples/vulnerable.js +56 -0
  23. package/skills/kobold-scan-skill/examples/vulnerable.sol +38 -0
  24. package/skills/kobold-scan-skill/index.js +130 -0
  25. package/skills/kobold-scan-skill/node_modules/.package-lock.json +172 -0
  26. package/skills/kobold-scan-skill/node_modules/ansi-styles/index.d.ts +345 -0
  27. package/skills/kobold-scan-skill/node_modules/ansi-styles/index.js +163 -0
  28. package/skills/kobold-scan-skill/node_modules/ansi-styles/license +9 -0
  29. package/skills/kobold-scan-skill/node_modules/ansi-styles/package.json +56 -0
  30. package/skills/kobold-scan-skill/node_modules/ansi-styles/readme.md +152 -0
  31. package/skills/kobold-scan-skill/node_modules/balanced-match/.github/FUNDING.yml +2 -0
  32. package/skills/kobold-scan-skill/node_modules/balanced-match/LICENSE.md +21 -0
  33. package/skills/kobold-scan-skill/node_modules/balanced-match/README.md +97 -0
  34. package/skills/kobold-scan-skill/node_modules/balanced-match/index.js +62 -0
  35. package/skills/kobold-scan-skill/node_modules/balanced-match/package.json +48 -0
  36. package/skills/kobold-scan-skill/node_modules/brace-expansion/.github/FUNDING.yml +2 -0
  37. package/skills/kobold-scan-skill/node_modules/brace-expansion/LICENSE +21 -0
  38. package/skills/kobold-scan-skill/node_modules/brace-expansion/README.md +135 -0
  39. package/skills/kobold-scan-skill/node_modules/brace-expansion/index.js +203 -0
  40. package/skills/kobold-scan-skill/node_modules/brace-expansion/package.json +49 -0
  41. package/skills/kobold-scan-skill/node_modules/chalk/index.d.ts +415 -0
  42. package/skills/kobold-scan-skill/node_modules/chalk/license +9 -0
  43. package/skills/kobold-scan-skill/node_modules/chalk/package.json +68 -0
  44. package/skills/kobold-scan-skill/node_modules/chalk/readme.md +341 -0
  45. package/skills/kobold-scan-skill/node_modules/chalk/source/index.js +229 -0
  46. package/skills/kobold-scan-skill/node_modules/chalk/source/templates.js +134 -0
  47. package/skills/kobold-scan-skill/node_modules/chalk/source/util.js +39 -0
  48. package/skills/kobold-scan-skill/node_modules/color-convert/CHANGELOG.md +54 -0
  49. package/skills/kobold-scan-skill/node_modules/color-convert/LICENSE +21 -0
  50. package/skills/kobold-scan-skill/node_modules/color-convert/README.md +68 -0
  51. package/skills/kobold-scan-skill/node_modules/color-convert/conversions.js +839 -0
  52. package/skills/kobold-scan-skill/node_modules/color-convert/index.js +81 -0
  53. package/skills/kobold-scan-skill/node_modules/color-convert/package.json +48 -0
  54. package/skills/kobold-scan-skill/node_modules/color-convert/route.js +97 -0
  55. package/skills/kobold-scan-skill/node_modules/color-name/LICENSE +8 -0
  56. package/skills/kobold-scan-skill/node_modules/color-name/README.md +11 -0
  57. package/skills/kobold-scan-skill/node_modules/color-name/index.js +152 -0
  58. package/skills/kobold-scan-skill/node_modules/color-name/package.json +28 -0
  59. package/skills/kobold-scan-skill/node_modules/commander/LICENSE +22 -0
  60. package/skills/kobold-scan-skill/node_modules/commander/Readme.md +1129 -0
  61. package/skills/kobold-scan-skill/node_modules/commander/esm.mjs +16 -0
  62. package/skills/kobold-scan-skill/node_modules/commander/index.js +27 -0
  63. package/skills/kobold-scan-skill/node_modules/commander/lib/argument.js +147 -0
  64. package/skills/kobold-scan-skill/node_modules/commander/lib/command.js +2179 -0
  65. package/skills/kobold-scan-skill/node_modules/commander/lib/error.js +45 -0
  66. package/skills/kobold-scan-skill/node_modules/commander/lib/help.js +461 -0
  67. package/skills/kobold-scan-skill/node_modules/commander/lib/option.js +326 -0
  68. package/skills/kobold-scan-skill/node_modules/commander/lib/suggestSimilar.js +100 -0
  69. package/skills/kobold-scan-skill/node_modules/commander/package-support.json +16 -0
  70. package/skills/kobold-scan-skill/node_modules/commander/package.json +80 -0
  71. package/skills/kobold-scan-skill/node_modules/commander/typings/index.d.ts +891 -0
  72. package/skills/kobold-scan-skill/node_modules/fs.realpath/LICENSE +43 -0
  73. package/skills/kobold-scan-skill/node_modules/fs.realpath/README.md +33 -0
  74. package/skills/kobold-scan-skill/node_modules/fs.realpath/index.js +66 -0
  75. package/skills/kobold-scan-skill/node_modules/fs.realpath/old.js +303 -0
  76. package/skills/kobold-scan-skill/node_modules/fs.realpath/package.json +26 -0
  77. package/skills/kobold-scan-skill/node_modules/glob/LICENSE +15 -0
  78. package/skills/kobold-scan-skill/node_modules/glob/README.md +399 -0
  79. package/skills/kobold-scan-skill/node_modules/glob/common.js +244 -0
  80. package/skills/kobold-scan-skill/node_modules/glob/glob.js +790 -0
  81. package/skills/kobold-scan-skill/node_modules/glob/package.json +55 -0
  82. package/skills/kobold-scan-skill/node_modules/glob/sync.js +486 -0
  83. package/skills/kobold-scan-skill/node_modules/has-flag/index.d.ts +39 -0
  84. package/skills/kobold-scan-skill/node_modules/has-flag/index.js +8 -0
  85. package/skills/kobold-scan-skill/node_modules/has-flag/license +9 -0
  86. package/skills/kobold-scan-skill/node_modules/has-flag/package.json +46 -0
  87. package/skills/kobold-scan-skill/node_modules/has-flag/readme.md +89 -0
  88. package/skills/kobold-scan-skill/node_modules/inflight/LICENSE +15 -0
  89. package/skills/kobold-scan-skill/node_modules/inflight/README.md +37 -0
  90. package/skills/kobold-scan-skill/node_modules/inflight/inflight.js +54 -0
  91. package/skills/kobold-scan-skill/node_modules/inflight/package.json +29 -0
  92. package/skills/kobold-scan-skill/node_modules/inherits/LICENSE +16 -0
  93. package/skills/kobold-scan-skill/node_modules/inherits/README.md +42 -0
  94. package/skills/kobold-scan-skill/node_modules/inherits/inherits.js +9 -0
  95. package/skills/kobold-scan-skill/node_modules/inherits/inherits_browser.js +27 -0
  96. package/skills/kobold-scan-skill/node_modules/inherits/package.json +29 -0
  97. package/skills/kobold-scan-skill/node_modules/minimatch/LICENSE +15 -0
  98. package/skills/kobold-scan-skill/node_modules/minimatch/README.md +259 -0
  99. package/skills/kobold-scan-skill/node_modules/minimatch/lib/path.js +4 -0
  100. package/skills/kobold-scan-skill/node_modules/minimatch/minimatch.js +944 -0
  101. package/skills/kobold-scan-skill/node_modules/minimatch/package.json +35 -0
  102. package/skills/kobold-scan-skill/node_modules/once/LICENSE +15 -0
  103. package/skills/kobold-scan-skill/node_modules/once/README.md +79 -0
  104. package/skills/kobold-scan-skill/node_modules/once/once.js +42 -0
  105. package/skills/kobold-scan-skill/node_modules/once/package.json +33 -0
  106. package/skills/kobold-scan-skill/node_modules/supports-color/browser.js +5 -0
  107. package/skills/kobold-scan-skill/node_modules/supports-color/index.js +135 -0
  108. package/skills/kobold-scan-skill/node_modules/supports-color/license +9 -0
  109. package/skills/kobold-scan-skill/node_modules/supports-color/package.json +53 -0
  110. package/skills/kobold-scan-skill/node_modules/supports-color/readme.md +76 -0
  111. package/skills/kobold-scan-skill/node_modules/wrappy/LICENSE +15 -0
  112. package/skills/kobold-scan-skill/node_modules/wrappy/README.md +36 -0
  113. package/skills/kobold-scan-skill/node_modules/wrappy/package.json +29 -0
  114. package/skills/kobold-scan-skill/node_modules/wrappy/wrappy.js +33 -0
  115. package/skills/kobold-scan-skill/package-lock.json +188 -0
  116. package/skills/kobold-scan-skill/package.json +34 -0
  117. package/skills/kobold-scan-skill/rules/general.json +30 -0
  118. package/skills/kobold-scan-skill/rules/javascript.json +44 -0
  119. package/skills/kobold-scan-skill/rules/solidity.json +30 -0
  120. package/skills/kobold-scan-skill/src/formatters/json.js +7 -0
  121. package/skills/kobold-scan-skill/src/formatters/terminal.js +66 -0
  122. package/skills/kobold-scan-skill/src/scanner-engine.js +139 -0
  123. package/skills/kobold-scan-skill/src/scanners/general.js +83 -0
  124. package/skills/kobold-scan-skill/src/scanners/javascript.js +182 -0
  125. package/skills/kobold-scan-skill/src/scanners/solidity.js +131 -0
  126. package/skills/kobold-scan-skill/src/utils/config-manager.js +37 -0
  127. package/skills/kobold-scan-skill/src/utils/rule-loader.js +24 -0
  128. package/skills/kobold-scan.ts +107 -0
@@ -0,0 +1,188 @@
1
+ {
2
+ "name": "kobold-scan",
3
+ "version": "1.0.0",
4
+ "lockfileVersion": 3,
5
+ "requires": true,
6
+ "packages": {
7
+ "": {
8
+ "name": "kobold-scan",
9
+ "version": "1.0.0",
10
+ "license": "MIT",
11
+ "dependencies": {
12
+ "chalk": "^4.1.2",
13
+ "commander": "^9.4.1",
14
+ "glob": "^8.1.0"
15
+ },
16
+ "bin": {
17
+ "kobold-scan": "index.js"
18
+ },
19
+ "engines": {
20
+ "node": ">=14.0.0"
21
+ }
22
+ },
23
+ "node_modules/ansi-styles": {
24
+ "version": "4.3.0",
25
+ "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
26
+ "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
27
+ "license": "MIT",
28
+ "dependencies": {
29
+ "color-convert": "^2.0.1"
30
+ },
31
+ "engines": {
32
+ "node": ">=8"
33
+ },
34
+ "funding": {
35
+ "url": "https://github.com/chalk/ansi-styles?sponsor=1"
36
+ }
37
+ },
38
+ "node_modules/balanced-match": {
39
+ "version": "1.0.2",
40
+ "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
41
+ "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==",
42
+ "license": "MIT"
43
+ },
44
+ "node_modules/brace-expansion": {
45
+ "version": "2.0.2",
46
+ "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
47
+ "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
48
+ "license": "MIT",
49
+ "dependencies": {
50
+ "balanced-match": "^1.0.0"
51
+ }
52
+ },
53
+ "node_modules/chalk": {
54
+ "version": "4.1.2",
55
+ "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz",
56
+ "integrity": "sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==",
57
+ "license": "MIT",
58
+ "dependencies": {
59
+ "ansi-styles": "^4.1.0",
60
+ "supports-color": "^7.1.0"
61
+ },
62
+ "engines": {
63
+ "node": ">=10"
64
+ },
65
+ "funding": {
66
+ "url": "https://github.com/chalk/chalk?sponsor=1"
67
+ }
68
+ },
69
+ "node_modules/color-convert": {
70
+ "version": "2.0.1",
71
+ "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
72
+ "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
73
+ "license": "MIT",
74
+ "dependencies": {
75
+ "color-name": "~1.1.4"
76
+ },
77
+ "engines": {
78
+ "node": ">=7.0.0"
79
+ }
80
+ },
81
+ "node_modules/color-name": {
82
+ "version": "1.1.4",
83
+ "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
84
+ "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==",
85
+ "license": "MIT"
86
+ },
87
+ "node_modules/commander": {
88
+ "version": "9.5.0",
89
+ "resolved": "https://registry.npmjs.org/commander/-/commander-9.5.0.tgz",
90
+ "integrity": "sha512-KRs7WVDKg86PWiuAqhDrAQnTXZKraVcCc6vFdL14qrZ/DcWwuRo7VoiYXalXO7S5GKpqYiVEwCbgFDfxNHKJBQ==",
91
+ "license": "MIT",
92
+ "engines": {
93
+ "node": "^12.20.0 || >=14"
94
+ }
95
+ },
96
+ "node_modules/fs.realpath": {
97
+ "version": "1.0.0",
98
+ "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
99
+ "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==",
100
+ "license": "ISC"
101
+ },
102
+ "node_modules/glob": {
103
+ "version": "8.1.0",
104
+ "resolved": "https://registry.npmjs.org/glob/-/glob-8.1.0.tgz",
105
+ "integrity": "sha512-r8hpEjiQEYlF2QU0df3dS+nxxSIreXQS1qRhMJM0Q5NDdR386C7jb7Hwwod8Fgiuex+k0GFjgft18yvxm5XoCQ==",
106
+ "deprecated": "Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me",
107
+ "license": "ISC",
108
+ "dependencies": {
109
+ "fs.realpath": "^1.0.0",
110
+ "inflight": "^1.0.4",
111
+ "inherits": "2",
112
+ "minimatch": "^5.0.1",
113
+ "once": "^1.3.0"
114
+ },
115
+ "engines": {
116
+ "node": ">=12"
117
+ },
118
+ "funding": {
119
+ "url": "https://github.com/sponsors/isaacs"
120
+ }
121
+ },
122
+ "node_modules/has-flag": {
123
+ "version": "4.0.0",
124
+ "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz",
125
+ "integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==",
126
+ "license": "MIT",
127
+ "engines": {
128
+ "node": ">=8"
129
+ }
130
+ },
131
+ "node_modules/inflight": {
132
+ "version": "1.0.6",
133
+ "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz",
134
+ "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==",
135
+ "deprecated": "This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.",
136
+ "license": "ISC",
137
+ "dependencies": {
138
+ "once": "^1.3.0",
139
+ "wrappy": "1"
140
+ }
141
+ },
142
+ "node_modules/inherits": {
143
+ "version": "2.0.4",
144
+ "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
145
+ "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
146
+ "license": "ISC"
147
+ },
148
+ "node_modules/minimatch": {
149
+ "version": "5.1.6",
150
+ "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-5.1.6.tgz",
151
+ "integrity": "sha512-lKwV/1brpG6mBUFHtb7NUmtABCb2WZZmm2wNiOA5hAb8VdCS4B3dtMWyvcoViccwAW/COERjXLt0zP1zXUN26g==",
152
+ "license": "ISC",
153
+ "dependencies": {
154
+ "brace-expansion": "^2.0.1"
155
+ },
156
+ "engines": {
157
+ "node": ">=10"
158
+ }
159
+ },
160
+ "node_modules/once": {
161
+ "version": "1.4.0",
162
+ "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
163
+ "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
164
+ "license": "ISC",
165
+ "dependencies": {
166
+ "wrappy": "1"
167
+ }
168
+ },
169
+ "node_modules/supports-color": {
170
+ "version": "7.2.0",
171
+ "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz",
172
+ "integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==",
173
+ "license": "MIT",
174
+ "dependencies": {
175
+ "has-flag": "^4.0.0"
176
+ },
177
+ "engines": {
178
+ "node": ">=8"
179
+ }
180
+ },
181
+ "node_modules/wrappy": {
182
+ "version": "1.0.2",
183
+ "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
184
+ "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==",
185
+ "license": "ISC"
186
+ }
187
+ }
188
+ }
@@ -0,0 +1,34 @@
1
+ {
2
+ "name": "kobold-scan",
3
+ "version": "1.0.0",
4
+ "description": "Security vulnerability scanner and code review tool for the KOBOLDS ecosystem",
5
+ "main": "index.js",
6
+ "bin": {
7
+ "kobold-scan": "./index.js"
8
+ },
9
+ "scripts": {
10
+ "test": "echo \"Error: no test specified\" && exit 1"
11
+ },
12
+ "keywords": [
13
+ "security",
14
+ "scanner",
15
+ "vulnerability",
16
+ "solidity",
17
+ "smart-contracts",
18
+ "kobolds"
19
+ ],
20
+ "author": "Shalom Assistant",
21
+ "license": "MIT",
22
+ "dependencies": {
23
+ "chalk": "^4.1.2",
24
+ "glob": "^8.1.0",
25
+ "commander": "^9.4.1"
26
+ },
27
+ "engines": {
28
+ "node": ">=14.0.0"
29
+ },
30
+ "repository": {
31
+ "type": "git",
32
+ "url": "https://github.com/MoikasLabs/kobold-scan"
33
+ }
34
+ }
@@ -0,0 +1,30 @@
1
+ [
2
+ {
3
+ "id": "GEN-001",
4
+ "name": "TODO/FIXME Markers",
5
+ "severity": "low",
6
+ "description": "Technical debt markers in code",
7
+ "remediation": "Resolve or track in issue tracker"
8
+ },
9
+ {
10
+ "id": "GEN-002",
11
+ "name": "Magic Numbers",
12
+ "severity": "low",
13
+ "description": "Numeric literals without context",
14
+ "remediation": "Extract to named constants"
15
+ },
16
+ {
17
+ "id": "GEN-003",
18
+ "name": "Deep Nesting",
19
+ "severity": "medium",
20
+ "description": "Code blocks nested 4+ levels deep",
21
+ "remediation": "Extract to functions, early returns"
22
+ },
23
+ {
24
+ "id": "GEN-008",
25
+ "name": "World-Writable Permissions",
26
+ "severity": "high",
27
+ "description": "chmod 777 or equivalent - security risk",
28
+ "remediation": "Use least-privilege permissions (755 or less)"
29
+ }
30
+ ]
@@ -0,0 +1,44 @@
1
+ [
2
+ {
3
+ "id": "JS-001",
4
+ "name": "eval() Usage",
5
+ "severity": "critical",
6
+ "description": "Dangerous eval() allows arbitrary code execution",
7
+ "remediation": "Use JSON.parse for data, avoid dynamic code execution"
8
+ },
9
+ {
10
+ "id": "JS-002",
11
+ "name": "Hardcoded Secrets",
12
+ "severity": "critical",
13
+ "description": "API keys, passwords, or tokens hardcoded in source",
14
+ "remediation": "Use environment variables or secure vaults"
15
+ },
16
+ {
17
+ "id": "JS-004",
18
+ "name": "SQL Injection",
19
+ "severity": "high",
20
+ "description": "String concatenation in SQL queries allows injection",
21
+ "remediation": "Use parameterized queries/prepared statements"
22
+ },
23
+ {
24
+ "id": "JS-005",
25
+ "name": "Path Traversal",
26
+ "severity": "high",
27
+ "description": "User input used directly in file paths",
28
+ "remediation": "Sanitize/validate paths, use path.normalize()"
29
+ },
30
+ {
31
+ "id": "JS-006",
32
+ "name": "Prototype Pollution",
33
+ "severity": "high",
34
+ "description": "Modifying Object.prototype allows property injection",
35
+ "remediation": "Use Object.freeze(), validate input keys"
36
+ },
37
+ {
38
+ "id": "JS-007",
39
+ "name": "console.log in Production",
40
+ "severity": "low",
41
+ "description": "Debug logging statements left in production code",
42
+ "remediation": "Remove or use proper logging library with levels"
43
+ }
44
+ ]
@@ -0,0 +1,30 @@
1
+ [
2
+ {
3
+ "id": "SOL-001",
4
+ "name": "Reentrancy",
5
+ "severity": "critical",
6
+ "description": "External call before state update - reentrancy vulnerability",
7
+ "remediation": "Update state before external calls, or use ReentrancyGuard"
8
+ },
9
+ {
10
+ "id": "SOL-003",
11
+ "name": "Integer Overflow",
12
+ "severity": "high",
13
+ "description": "Potential integer overflow/underflow in arithmetic operations",
14
+ "remediation": "Use Solidity 0.8+ or SafeMath library"
15
+ },
16
+ {
17
+ "id": "SOL-004",
18
+ "name": "tx.origin Authentication",
19
+ "severity": "critical",
20
+ "description": "Using tx.origin for authentication allows phishing attacks",
21
+ "remediation": "Use msg.sender instead of tx.origin"
22
+ },
23
+ {
24
+ "id": "SOL-006",
25
+ "name": "Delegatecall Injection",
26
+ "severity": "critical",
27
+ "description": "Delegatecall to user-controlled address - proxy pattern risk",
28
+ "remediation": "Validate implementation addresses before delegatecall"
29
+ }
30
+ ]
@@ -0,0 +1,7 @@
1
+ class JSONFormatter {
2
+ static format(results) {
3
+ return JSON.stringify(results, null, 2);
4
+ }
5
+ }
6
+
7
+ module.exports = JSONFormatter;
@@ -0,0 +1,66 @@
1
+ const chalk = require('chalk');
2
+
3
+ class TerminalFormatter {
4
+ static format(results) {
5
+ let output = '\n';
6
+ output += chalk.bold.cyan('╔════════════════════════════════════════════════════════╗\n');
7
+ output += chalk.bold.cyan('║ 🔍 KOBOLD-SCAN RESULTS ║\n');
8
+ output += chalk.bold.cyan('╚════════════════════════════════════════════════════════╝\n\n');
9
+
10
+ if (results.vulnerabilities.length === 0) {
11
+ output += chalk.green.bold('✅ No vulnerabilities found!\n');
12
+ return output;
13
+ }
14
+
15
+ // Group by severity
16
+ const bySeverity = {
17
+ critical: [],
18
+ high: [],
19
+ medium: [],
20
+ low: []
21
+ };
22
+
23
+ results.vulnerabilities.forEach(v => {
24
+ if (bySeverity[v.severity]) {
25
+ bySeverity[v.severity].push(v);
26
+ }
27
+ });
28
+
29
+ const severityConfig = {
30
+ critical: { label: 'CRITICAL', color: chalk.bgRed.white, icon: '💀' },
31
+ high: { label: 'HIGH', color: chalk.red, icon: '⚠️' },
32
+ medium: { label: 'MEDIUM', color: chalk.yellow, icon: '⚡' },
33
+ low: { label: 'LOW', color: chalk.gray, icon: 'ℹ️' }
34
+ };
35
+
36
+ Object.entries(bySeverity).forEach(([severity, issues]) => {
37
+ if (issues.length === 0) return;
38
+
39
+ const cfg = severityConfig[severity];
40
+ output += cfg.color.bold(` ${cfg.icon} ${cfg.label} (${issues.length}) `) + '\n';
41
+ output += chalk.gray('─'.repeat(60)) + '\n';
42
+
43
+ issues.forEach(issue => {
44
+ output += ` ${chalk.bold(issue.rule)}: ${issue.message}\n`;
45
+ output += ` ${chalk.gray(`at ${issue.file}:${issue.line}`)}\n`;
46
+ if (issue.code) {
47
+ output += ` ${chalk.cyan('>')} ${issue.code}\n`;
48
+ }
49
+ output += '\n';
50
+ });
51
+ });
52
+
53
+ // Summary
54
+ output += '\n' + chalk.bold('📊 Summary:\n');
55
+ output += ` Files scanned: ${results.filesScanned || 0}\n`;
56
+ output += ` Total issues: ${results.vulnerabilities.length}\n`;
57
+ output += ` Critical: ${bySeverity.critical.length}\n`;
58
+ output += ` High: ${bySeverity.high.length}\n`;
59
+ output += ` Medium: ${bySeverity.medium.length}\n`;
60
+ output += ` Low: ${bySeverity.low.length}\n`;
61
+
62
+ return output;
63
+ }
64
+ }
65
+
66
+ module.exports = TerminalFormatter;
@@ -0,0 +1,139 @@
1
+ const fs = require('fs');
2
+ const path = require('path');
3
+
4
+ const SolidityScanner = require('./scanners/solidity');
5
+ const JavaScriptScanner = require('./scanners/javascript');
6
+ const GeneralScanner = require('./scanners/general');
7
+
8
+ class ScannerEngine {
9
+ constructor(config) {
10
+ this.config = config;
11
+ this.scanners = {
12
+ '.sol': new SolidityScanner(config),
13
+ '.js': new JavaScriptScanner(config),
14
+ '.ts': new JavaScriptScanner(config),
15
+ '.jsx': new JavaScriptScanner(config),
16
+ '.tsx': new JavaScriptScanner(config),
17
+ 'general': new GeneralScanner(config)
18
+ };
19
+ this.supportedExts = new Set(['.sol', '.js', '.ts', '.jsx', '.tsx']);
20
+ }
21
+
22
+ async scan(targetPath) {
23
+ const vulnerabilities = [];
24
+ let filesScanned = 0;
25
+
26
+ // Resolve to absolute path
27
+ const resolvedPath = path.resolve(targetPath);
28
+
29
+ // Determine if path is file or directory
30
+ const stats = fs.statSync(resolvedPath);
31
+
32
+ if (stats.isFile()) {
33
+ const result = await this.scanFile(resolvedPath);
34
+ if (result.length > 0) {
35
+ vulnerabilities.push(...result);
36
+ }
37
+ filesScanned = 1;
38
+ } else {
39
+ // Recursively find files
40
+ const files = this.findFiles(resolvedPath);
41
+
42
+ for (const file of files) {
43
+ const result = await this.scanFile(file);
44
+ if (result.length > 0) {
45
+ vulnerabilities.push(...result);
46
+ }
47
+ filesScanned++;
48
+ }
49
+ }
50
+
51
+ return {
52
+ vulnerabilities,
53
+ filesScanned,
54
+ timestamp: new Date().toISOString(),
55
+ config: this.config
56
+ };
57
+ }
58
+
59
+ shouldIgnore(fullPath) {
60
+ const basename = path.basename(fullPath);
61
+
62
+ return this.config.exclude.some(pattern => {
63
+ // Simple pattern matching
64
+ if (pattern.includes('node_modules')) {
65
+ return fullPath.includes('node_modules');
66
+ }
67
+ if (pattern.includes('.git')) {
68
+ return fullPath.includes('.git');
69
+ }
70
+ if (pattern.includes('build')) {
71
+ return basename === 'build' || fullPath.includes('/build/');
72
+ }
73
+ if (pattern.includes('dist')) {
74
+ return basename === 'dist' || fullPath.includes('/dist/');
75
+ }
76
+ return false;
77
+ });
78
+ }
79
+
80
+ findFiles(dir) {
81
+ const files = [];
82
+
83
+ const traverse = (currentDir) => {
84
+ try {
85
+ const entries = fs.readdirSync(currentDir, { withFileTypes: true });
86
+
87
+ for (const entry of entries) {
88
+ const fullPath = path.join(currentDir, entry.name);
89
+
90
+ if (this.shouldIgnore(fullPath)) {
91
+ continue;
92
+ }
93
+
94
+ if (entry.isDirectory()) {
95
+ traverse(fullPath);
96
+ } else if (entry.isFile()) {
97
+ const ext = path.extname(entry.name).toLowerCase();
98
+ if (this.supportedExts.has(ext)) {
99
+ files.push(fullPath);
100
+ }
101
+ }
102
+ }
103
+ } catch (err) {
104
+ // Ignore permission errors
105
+ }
106
+ };
107
+
108
+ traverse(dir);
109
+ return files;
110
+ }
111
+
112
+ async scanFile(filePath) {
113
+ const ext = path.extname(filePath).toLowerCase();
114
+ let content;
115
+
116
+ try {
117
+ content = fs.readFileSync(filePath, 'utf8');
118
+ } catch (err) {
119
+ return []; // Skip files we can't read
120
+ }
121
+
122
+ const vulnerabilities = [];
123
+
124
+ // Run language-specific scanner
125
+ const scanner = this.scanners[ext];
126
+ if (scanner) {
127
+ const results = scanner.scan(content, filePath);
128
+ vulnerabilities.push(...results);
129
+ }
130
+
131
+ // Always run general scanner
132
+ const generalResults = this.scanners.general.scan(content, filePath);
133
+ vulnerabilities.push(...generalResults);
134
+
135
+ return vulnerabilities;
136
+ }
137
+ }
138
+
139
+ module.exports = ScannerEngine;
@@ -0,0 +1,83 @@
1
+ class GeneralScanner {
2
+ constructor(config) {
3
+ this.config = config;
4
+ }
5
+
6
+ scan(content, filePath) {
7
+ const vulnerabilities = [];
8
+ const lines = content.split('\n');
9
+
10
+ // GEN-001: TODO/FIXME comments
11
+ const todoPattern = /\/\/.*TODO|\/\/.*FIXME|\/\/.*HACK|\/\*.*TODO|\/\*.*FIXME/;
12
+
13
+ // GEN-002: Magic numbers (not perfect, catches common cases)
14
+ const magicNumberPattern = /[^\w](\d{3,})(?!\d*['"])[^\w]/;
15
+
16
+ // GEN-003: Deep nesting (4+ levels of indentation)
17
+ const deepNestingPattern = /^\s{16,}/;
18
+
19
+ // GEN-008: World-writable permissions
20
+ const chmodPattern = /chmod\s+777|chmod\s+a\+rw|chmod\s+o\+w/;
21
+
22
+ let consecutiveEmpty = 0;
23
+
24
+ lines.forEach((line, index) => {
25
+ // Check TODO/FIXME
26
+ if (todoPattern.test(line)) {
27
+ vulnerabilities.push({
28
+ rule: 'GEN-001',
29
+ severity: 'low',
30
+ message: 'Technical debt marker (TODO/FIXME/HACK)',
31
+ file: filePath,
32
+ line: index + 1,
33
+ code: line.trim()
34
+ });
35
+ }
36
+
37
+ // Check magic numbers
38
+ if (magicNumberPattern.test(line)) {
39
+ const match = line.match(magicNumberPattern);
40
+ const num = match ? match[1] : '';
41
+ // Exclude common non-magic numbers
42
+ if (!['100', '200', '404', '500', '1000', '1024', '2000', '3000', '4000', '5000', '8000', '8080', '443', '80'].includes(num)) {
43
+ vulnerabilities.push({
44
+ rule: 'GEN-002',
45
+ severity: 'low',
46
+ message: `Magic number detected: ${num} (consider named constant)`,
47
+ file: filePath,
48
+ line: index + 1,
49
+ code: line.trim()
50
+ });
51
+ }
52
+ }
53
+
54
+ // Check deep nesting
55
+ if (deepNestingPattern.test(line)) {
56
+ vulnerabilities.push({
57
+ rule: 'GEN-003',
58
+ severity: 'medium',
59
+ message: 'Deep nesting detected (>4 levels) - consider refactoring',
60
+ file: filePath,
61
+ line: index + 1,
62
+ code: line.trim().substring(0, 50) + '...'
63
+ });
64
+ }
65
+
66
+ // Check world-writable permissions
67
+ if (chmodPattern.test(line)) {
68
+ vulnerabilities.push({
69
+ rule: 'GEN-008',
70
+ severity: 'high',
71
+ message: 'World-writable file permissions - security risk',
72
+ file: filePath,
73
+ line: index + 1,
74
+ code: line.trim()
75
+ });
76
+ }
77
+ });
78
+
79
+ return vulnerabilities;
80
+ }
81
+ }
82
+
83
+ module.exports = GeneralScanner;