@activemind/scd 1.4.0

package/lib/config.js

@@ -0,0 +1,325 @@
+const { RESET, YELLOW } = require('./output-constants');
+/**
+ * config.js
+ * Loads per-repo configuration from ~/.scd/repos/{repoId}/config.yml
+ * Never reads from the customer repository — zero repo footprint.
+ */
+
+const fs     = require('fs');
+const path   = require('path');
+const crypto = require('crypto');
+
+const CONFIG_FILENAME = 'config.yml'; // lives in global store, not in repo
+
+const DEFAULTS = {
+  trust_level:       'balanced',  // maximum_privacy | balanced | maximum_analysis
+  block_on_critical: true,        // always blocks (cannot be disabled by rule_overrides)
+  block_on_high:     true,        // set to false to warn only
+  scan_mode:         'full',      // 'full' (default) | 'fast' (skips taint analysis)
+  locked_rules: [
+    'SECRET-001', 'SECRET-002', 'SECRET-003',
+    'SECRET-006', 'SECRET-007', 'JWT-001',
+  ],
+  deep_delay_ms:     0,           // ms pause between API calls in scd scan --deep (0 = no delay)
+};
+
+// ── YAML parser ────────────────────────────────────────────────────────────
+// Hand-rolled subset parser – avoids external deps.
+// Supports: top-level scalars, top-level sections (objects), lists of objects,
+// nested object properties (rule_overrides: { RULE: { action, reason } })
+function parseSimpleYaml(content) {
+  const result  = {};
+  const lines   = content.split('\n');
+
+  let currentSection  = null;   // top-level key
+  let currentItem     = null;   // current list item object
+  let currentSubKey   = null;   // e.g. "SECRET-005" inside rule_overrides
+  let inList          = false;
+
+  for (const raw of lines) {
+    const line    = raw.replace(/\r$/, '');
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) continue;
+
+    const indent = line.match(/^(\s*)/)[1].length;
+
+    // ── Top-level key: value  (indent 0, has colon, not ending with ':')
+    if (indent === 0 && trimmed.includes(':') && !trimmed.endsWith(':')) {
+      const [k, ...vParts] = trimmed.split(':');
+      result[k.trim()] = parseValue(vParts.join(':').trim());
+      currentSection = null; inList = false; currentItem = null; currentSubKey = null;
+      continue;
+    }
+
+    // ── Top-level section header  (indent 0, ends with ':')
+    if (indent === 0 && trimmed.endsWith(':')) {
+      currentSection = trimmed.slice(0, -1);
+      result[currentSection] = {};
+      inList = false; currentItem = null; currentSubKey = null;
+      continue;
+    }
+
+    if (!currentSection) continue;
+
+    // ── List item start  (indent 2, starts with '- ')
+    if (indent === 2 && trimmed.startsWith('- ')) {
+      if (!inList) {
+        result[currentSection] = [];
+        inList = true;
+      }
+      currentItem = {};
+      currentSubKey = null;
+      const rest = trimmed.slice(2).trim();
+      if (rest.includes(':')) {
+        const [k, ...vParts] = rest.split(':');
+        currentItem[k.trim()] = parseValue(vParts.join(':').trim());
+      }
+      result[currentSection].push(currentItem);
+      continue;
+    }
+
+    // ── List item property  (indent 4, inside a list item)
+    if (indent === 4 && inList && currentItem && trimmed.includes(':')) {
+      const [k, ...vParts] = trimmed.split(':');
+      const key = k.trim();
+      const val = vParts.join(':').trim();
+      currentItem[key] = parseLineRangeOrValue(key, val);
+      continue;
+    }
+
+    // ── Sub-key in a section object (e.g. rule_overrides: SECRET-005:)
+    if (indent === 2 && !inList && trimmed.endsWith(':')) {
+      currentSubKey = trimmed.slice(0, -1);
+      result[currentSection][currentSubKey] = {};
+      continue;
+    }
+
+    // ── Property of sub-key  (indent 4, inside rule_overrides.SECRET-005)
+    if (indent === 4 && !inList && currentSubKey && trimmed.includes(':')) {
+      const [k, ...vParts] = trimmed.split(':');
+      result[currentSection][currentSubKey][k.trim()] = parseValue(vParts.join(':').trim());
+      continue;
+    }
+
+    // ── Section scalar  (indent 2, section is plain object, no subkey)
+    if (indent === 2 && !inList && !trimmed.endsWith(':') && trimmed.includes(':')) {
+      const [k, ...vParts] = trimmed.split(':');
+      if (typeof result[currentSection] === 'object' && !Array.isArray(result[currentSection])) {
+        result[currentSection][k.trim()] = parseValue(vParts.join(':').trim());
+      }
+      continue;
+    }
+  }
+
+  return result;
+}
+
+function parseValue(v) {
+  if (v === 'true')  return true;
+  if (v === 'false') return false;
+  if (v === '' || v === null || v === undefined) return null;
+  if (!isNaN(v) && v !== '') return Number(v);
+  return v.replace(/^['"]|['"]$/g, '');
+}
+
+// Parse line_range: [3, 3] as an actual array
+function parseLineRangeOrValue(key, val) {
+  if (key === 'line_range') {
+    const m = val.match(/\[\s*(\d+)\s*,\s*(\d+)\s*\]/);
+    if (m) return [parseInt(m[1]), parseInt(m[2])];
+  }
+  return parseValue(val);
+}
+
+// ── Hash a line for exception matching ────────────────────────────────────
+function hashLine(rawLine) {
+  const normalized = rawLine
+    .trim()
+    .replace(/\s+/g, ' ')
+    .replace(/"/g, "'");
+  return 'sha256:' + crypto.createHash('sha256').update(normalized).digest('hex').slice(0, 16);
+}
+
+// ── Global config keys that can serve as per-repo fallbacks ──────────────
+// These keys in ~/.scd/config (KEY=VALUE format) override code defaults
+// but are overridden by per-repo config.yml values.
+const GLOBAL_FALLBACK_KEYS = [
+  'trust_level', 'block_on_critical', 'block_on_high', 'scan_mode', 'deep_delay_ms',
+];
+
+function parseGlobalBool(val) {
+  if (val === 'true')  return true;
+  if (val === 'false') return false;
+  return undefined;
+}
+
+// ── Load config ────────────────────────────────────────────────────────────
+function loadConfig(repoRoot) {
+  const store      = require('./store');
+  const configPath = store.configPath(repoRoot);
+  let parsed = {};
+
+  if (fs.existsSync(configPath)) {
+    try {
+      const content = fs.readFileSync(configPath, 'utf8');
+      parsed = parseSimpleYaml(content);
+    } catch (err) {
+      console.error(`${YELLOW}[scd] Could not read config: ${err.message}${RESET}`);
+    }
+  }
+
+  // Read global fallback settings from ~/.scd/config
+  // Priority: repo config.yml > global config > code defaults
+  const globalFallback = {};
+  try {
+    const gc = require('./global-config');
+    for (const key of GLOBAL_FALLBACK_KEYS) {
+      const raw = gc.get('REPO_' + key.toUpperCase());
+      if (raw === undefined) continue;
+      if (key === 'block_on_critical' || key === 'block_on_high') {
+        const v = parseGlobalBool(raw);
+        if (v !== undefined) globalFallback[key] = v;
+      } else if (key === 'deep_delay_ms') {
+        const n = parseInt(raw, 10);
+        if (!isNaN(n)) globalFallback[key] = n;
+      } else {
+        globalFallback[key] = raw;
+      }
+    }
+  } catch { /* global-config not available — skip */ }
+
+  return {
+    ...DEFAULTS,
+    ...globalFallback,
+    ...parsed,
+    locked_rules: [
+      ...DEFAULTS.locked_rules,
+      ...(parsed.locked_rules || []),
+    ],
+    exceptions:    Array.isArray(parsed.exceptions)   ? parsed.exceptions   : [],
+    resolutions:   Array.isArray(parsed.resolutions)  ? parsed.resolutions  : [],
+    rule_overrides: parsed.rule_overrides && typeof parsed.rule_overrides === 'object'
+      ? parsed.rule_overrides : {},
+  };
+}
+
+// ── Check if a finding is excepted ────────────────────────────────────────
+function isExcepted(config, finding, lineContent) {
+  const lineHash = lineContent ? hashLine(lineContent) : null;
+
+  for (const exc of config.exceptions) {
+    if (exc.rule !== finding.ruleId) continue;
+
+    // Check expiry first
+    if (exc.expires) {
+      const expiry = new Date(exc.expires);
+      if (expiry < new Date()) {
+        return { excepted: false, expired: true, rejected: false, exception: exc };
+      }
+    }
+
+    // Normalise file paths for comparison
+    const ne = exc.file      ? exc.file.replace(/\\/g,      '/').replace(/^\.\//, '') : null;
+    const nf = finding.filePath ? finding.filePath.replace(/\\/g, '/').replace(/^\.\//, '') : null;
+    const fileMatches = ne && nf && (nf === ne || nf.endsWith('/' + ne));
+
+    // Hash match — three formats supported:
+    // 1. codeHash (32-char hex): stored by addExceptionById — exact match against finding.codeHash
+    // 2. Legacy 16-char hex: old addException computed sha256.slice(0,16) from file content.
+    //    These are a prefix of finding.codeHash (which is sha256.slice(0,32) of the same content).
+    // 3. hashLine() format "sha256:{16hex}": stored by legacy addException path
+    const codeHashMatches = exc.line_hash && finding.codeHash && (
+      exc.line_hash === finding.codeHash ||                              // format 1: exact 32-char
+      (exc.line_hash.length === 16 && finding.codeHash.startsWith(exc.line_hash))  // format 2: legacy 16-char prefix
+    );
+    const lineHashMatches = exc.line_hash && lineHash &&
+      exc.line_hash === lineHash;
+
+    if ((codeHashMatches || lineHashMatches) && fileMatches) {
+      if (exc.status === 'rejected') {
+        return { excepted: false, expired: false, rejected: true, exception: exc };
+      }
+      return { excepted: true, expired: false, rejected: false, exception: exc };
+    }
+
+    // Fallback: line_hash exists in config but lineContent was empty (e.g. secrets rules
+    // that redact lineRaw). Match on rule + file + line instead — the hash cannot be verified
+    // but the finding is specific enough to match safely.
+    if (exc.line_hash && !lineHash && fileMatches && exc.line != null && finding.line === exc.line) {
+      if (exc.status === 'rejected') {
+        return { excepted: false, expired: false, rejected: true, exception: exc };
+      }
+      return { excepted: true, expired: false, rejected: false, exception: exc };
+    }
+
+    // File + line_range match (no hash)
+    if (!exc.line_hash && fileMatches) {
+      if (Array.isArray(exc.line_range) && finding.line != null) {
+        const [from, to] = exc.line_range;
+        if (finding.line >= from && finding.line <= to) {
+          if (exc.status === 'rejected') {
+            return { excepted: false, expired: false, rejected: true, exception: exc };
+          }
+          return { excepted: true, expired: false, rejected: false, exception: exc };
+        }
+        continue;
+      }
+      if (exc.status === 'rejected') {
+        return { excepted: false, expired: false, rejected: true, exception: exc };
+      }
+      return { excepted: true, expired: false, rejected: false, exception: exc };
+    }
+  }
+
+  return { excepted: false, expired: false, rejected: false, exception: null };
+}
+
+// ── Get effective action for a rule ───────────────────────────────────────
+function getRuleAction(config, ruleId, defaultSeverity) {
+  if (config.locked_rules.includes(ruleId)) return 'block';
+
+  const override = config.rule_overrides?.[ruleId];
+  if (override && override.action) return override.action;
+
+  if (defaultSeverity === 'CRITICAL') return config.block_on_critical ? 'block' : 'warn';
+  if (defaultSeverity === 'HIGH')     return config.block_on_high     ? 'block' : 'warn';
+  return 'warn';
+}
+
+// ── Get repo root ──────────────────────────────────────────────────────────
+function getRepoRoot() {
+  try {
+    const { execSync } = require('child_process');
+    return execSync('git rev-parse --show-toplevel', {
+      encoding: 'utf8',
+      stdio: ['pipe', 'pipe', 'pipe'], // suppress stderr – avoids "fatal: not a git repo" leaking to terminal
+    }).trim();
+  } catch {
+    return process.cwd();
+  }
+}
+
+
+// ── Check if an EXPOSURE finding has been resolved ────────────────────────
+function isResolved(config, finding) {
+  const resolutions = config.resolutions || [];
+  for (const res of resolutions) {
+    if (res.rule !== finding.ruleId) continue;
+    if (res.file) {
+      const ne = res.file.replace(/\\/g, '/').replace(/^\.\//, '');
+      const nf = finding.filePath ? finding.filePath.replace(/\\/g, '/').replace(/^\.\//, '') : null;
+      if (nf !== ne && !nf?.endsWith('/' + ne)) continue;
+    }
+    // Check review date
+    if (res.review_date) {
+      const review = new Date(res.review_date);
+      if (review < new Date()) {
+        return { resolved: false, expired: true, record: res };
+      }
+    }
+    return { resolved: true, expired: false, record: res };
+  }
+  return { resolved: false, expired: false, record: null };
+}
+
+module.exports = { loadConfig, isExcepted, isResolved, getRuleAction, hashLine, getRepoRoot, CONFIG_FILENAME };

package/lib/context-modifiers.js

@@ -0,0 +1,211 @@
+/**
+ * context-modifiers.js
+ * Applies file context modifiers to a finding after a rule match.
+ *
+ * Modifiers are cumulative and additive — multiple signals stack.
+ * The effective severity is derived from: base_score + total_modifier.
+ * If effective_score <= SUPPRESS_THRESHOLD, the finding is flagged suppressed.
+ *
+ * This module never touches rule logic. Rules produce findings exactly as before.
+ * File context confirms or adjusts — never replaces rule output.
+ */
+
+'use strict';
+
+// ── Severity score mapping ─────────────────────────────────────────────────
+// Higher score = higher severity. Scores are integers for clean arithmetic.
+const SEVERITY_TO_SCORE = {
+  CRITICAL:  4,
+  HIGH:      3,
+  MEDIUM:    2,
+  EXPOSURE:  1,
+  INFO:      0,
+};
+
+const SCORE_TO_SEVERITY = {
+  4: 'CRITICAL',
+  3: 'HIGH',
+  2: 'MEDIUM',
+  1: 'EXPOSURE',
+  0: 'INFO',
+};
+
+// ── Suppress threshold ─────────────────────────────────────────────────────
+// Fixed at 0 for v1.0.0. Configurable in v1.1.0 via config.yml.
+const SUPPRESS_THRESHOLD = 0;
+
+// ── Modifier table ─────────────────────────────────────────────────────────
+// Values are additive. A file matching multiple signals accumulates all modifiers.
+// Validated against scd-research data after Phase 3 — values may be tuned.
+//
+// Specificity rationale:
+//   fixture  -2 : data intended to trigger rule patterns by design
+//   vendor   -3 : third-party code — never the customer's responsibility
+//   generated -2 : machine-generated — findings are not actionable
+//   test     -1 : test code — lower risk but still customer-owned
+//   docs     -1 : documentation — informational, not deployed
+//   config    0 : config files are production risk — no modifier (may boost post-release)
+//
+// Path segment modifiers stack with fileType modifiers for cumulative effect.
+// Example: Jest test in /fixtures/ → fileType(-2) + path(-1) + framework(-1) = -4
+
+const MODIFIERS = {
+  // ── File type modifiers ──────────────────────────────────────────────────
+  fileType: {
+    fixture:   -2,
+    vendor:    -3,
+    generated: -2,
+    test:      -1,
+    docs:      -1,
+    config:     0,
+    source:     0,
+  },
+
+  // ── Path segment modifiers ───────────────────────────────────────────────
+  // Applied independently of fileType — stacks on top.
+  // Only matched against the normalised filePath (lowercase, forward slashes).
+  pathSegment: [
+    { segment: '/test/',        modifier: -1 },
+    { segment: '/tests/',       modifier: -1 },
+    { segment: '/spec/',        modifier: -1 },
+    { segment: '/specs/',       modifier: -1 },
+    { segment: '/__tests__/',   modifier: -1 },
+    { segment: '/fixtures/',    modifier: -1 },
+    { segment: '/fixture/',     modifier: -1 },
+    { segment: '/__fixtures__/',modifier: -1 },
+    { segment: '/mocks/',       modifier: -1 },
+    { segment: '/__mocks__/',   modifier: -1 },
+    { segment: '/vendor/',      modifier: -2 },
+    { segment: '/node_modules/',modifier: -2 },
+  ],
+
+  // ── Test framework modifiers ─────────────────────────────────────────────
+  // Applied when a specific test framework is detected.
+  // Rationale: confirmed test framework = high confidence it is test code.
+  testFramework: {
+    jest:    -1,
+    vitest:  -1,
+    mocha:   -1,
+    pytest:  -1,
+    phpunit: -1,
+    rspec:   -1,
+  },
+};
+
+// ── Helpers ────────────────────────────────────────────────────────────────
+
+function normalisePath(filePath) {
+  const n = filePath.replace(/\\/g, '/').toLowerCase();
+  return n.startsWith('/') ? n : '/' + n;
+}
+
+/**
+ * Derive effective severity string from a numeric score.
+ * Score is clamped to [0, 4] — never goes negative or above CRITICAL.
+ */
+function scoreToSeverity(score) {
+  const clamped = Math.max(0, Math.min(4, score));
+  return SCORE_TO_SEVERITY[clamped];
+}
+
+// ── Main export ────────────────────────────────────────────────────────────
+
+/**
+ * Apply file context modifiers to a finding.
+ *
+ * Mutates a shallow copy of the finding — never the original object.
+ * Adds: base_severity, context_modifiers[], file_context, suppressed, suppress_reason.
+ * Updates: severity (becomes effective_severity when modifiers apply).
+ *
+ * @param {Object}      finding     - Finding object from buildFinding().
+ * @param {FileContext} fileContext - Context object from buildFileContext().
+ * @returns {Object} Modified finding (new object).
+ */
+function applyContextModifiers(finding, fileContext) {
+  const baseSeverity = finding.severity;
+  const baseScore    = SEVERITY_TO_SCORE[baseSeverity] ?? 0;
+
+  const appliedModifiers = []; // { signal, modifier }
+  let totalModifier = 0;
+
+  // ── 1. File type modifier ────────────────────────────────────────────────
+  const ftMod = MODIFIERS.fileType[fileContext.fileType] ?? 0;
+  if (ftMod !== 0) {
+    appliedModifiers.push({ signal: `fileType: ${fileContext.fileType}`, modifier: ftMod });
+    totalModifier += ftMod;
+  }
+
+  // ── 2. Path segment modifiers ────────────────────────────────────────────
+  const normPath = normalisePath(fileContext.filePath);
+  for (const { segment, modifier } of MODIFIERS.pathSegment) {
+    if (normPath.includes(segment)) {
+      appliedModifiers.push({ signal: `path: ${segment}`, modifier });
+      totalModifier += modifier;
+    }
+  }
+
+  // ── 3. Test framework modifier ───────────────────────────────────────────
+  if (fileContext.testFramework) {
+    const fwMod = MODIFIERS.testFramework[fileContext.testFramework] ?? 0;
+    if (fwMod !== 0) {
+      appliedModifiers.push({ signal: `framework: ${fileContext.testFramework}`, modifier: fwMod });
+      totalModifier += fwMod;
+    }
+  }
+
+  // ── Compute effective score and severity ─────────────────────────────────
+  const effectiveScore    = baseScore + totalModifier;
+  const effectiveSeverity = scoreToSeverity(effectiveScore);
+  const suppressed        = effectiveScore <= SUPPRESS_THRESHOLD;
+
+  // ── Build modified finding ───────────────────────────────────────────────
+  const modified = {
+    ...finding,
+    // Preserve original severity as base_severity for audit trail
+    base_severity:     baseSeverity,
+    // severity reflects effective severity (may be unchanged if no modifiers)
+    severity:          effectiveSeverity,
+    // context_modifiers is always present — empty array when nothing applied
+    context_modifiers: appliedModifiers,
+    // file_context always present — consumers can use it for display/filtering
+    file_context: {
+      file_type:      fileContext.fileType,
+      test_framework: fileContext.testFramework,
+      language:       fileContext.language,
+    },
+    suppressed:      suppressed,
+    suppress_reason: suppressed
+      ? 'Effective score below threshold after context modifiers'
+      : null,
+    // ── Internal trace (written when scan.trace: true in config.yml) ────────
+    // Never shown in terminal output or reports. Available in scan-JSON files
+    // and scd-research snapshots for FP analysis and rule refinement.
+    // Structure mirrors the scan pipeline steps in order:
+    //   manifest → file-context → modifiers → suppress-check
+    // comment_line_type is injected by routeFinding() after comment-map lookup.
+    _trace: {
+      manifest_context:  null,       // injected by routeFinding()
+      file_type:         fileContext.fileType,
+      file_signals:      fileContext.signals      ?? [],
+      tentative:         fileContext.tentative     ?? false,
+      test_framework:    fileContext.testFramework ?? null,
+      comment_line_type: null,       // injected by routeFinding()
+      base_severity:     baseSeverity,
+      base_score:        baseScore,
+      modifiers:         appliedModifiers.map(m => ({
+        step:    m.signal,
+        delta:   m.modifier,
+        reason:  m.signal,
+      })),
+      total_modifier:    totalModifier,
+      effective_score:   effectiveScore,
+      final_severity:    effectiveSeverity,
+      suppressed,
+      suppress_reason:   suppressed ? 'effective_score <= suppress_threshold' : null,
+    },
+  };
+
+  return modified;
+}
+
+module.exports = { applyContextModifiers, MODIFIERS, SEVERITY_TO_SCORE, SUPPRESS_THRESHOLD };