@aikidosec/safe-chain 0.0.1-immutable-releases-beta

package/src/config/configFile.js

@@ -0,0 +1,327 @@
+import fs from "fs";
+import path from "path";
+import os from "os";
+import { ui } from "../environment/userInteraction.js";
+import { getEcoSystem } from "./settings.js";
+
+/**
+ * @typedef {Object} SafeChainConfig
+ *
+ * We cannot trust the input and should add the necessary validations
+ * @property {unknown | Number} scanTimeout
+ * @property {unknown | Number} minimumPackageAgeHours
+ * @property {unknown | string} malwareListBaseUrl
+ * @property {unknown | SafeChainRegistryConfiguration} npm
+ * @property {unknown | SafeChainRegistryConfiguration} pip
+ *
+ * @typedef {Object} SafeChainRegistryConfiguration
+ * We cannot trust the input and should add the necessary validations.
+ * @property {unknown | string[]} customRegistries
+ * @property {unknown | string[]} minimumPackageAgeExclusions
+ */
+
+/**
+ * @returns {number}
+ */
+export function getScanTimeout() {
+  const config = readConfigFile();
+
+  if (process.env.AIKIDO_SCAN_TIMEOUT_MS) {
+    const scanTimeout = validateTimeout(process.env.AIKIDO_SCAN_TIMEOUT_MS);
+    if (scanTimeout != null) {
+      return scanTimeout;
+    }
+  }
+
+  if (config.scanTimeout) {
+    const scanTimeout = validateTimeout(config.scanTimeout);
+    if (scanTimeout != null) {
+      return scanTimeout;
+    }
+  }
+
+  return 10000; // Default to 10 seconds
+}
+
+/**
+ *
+ * @param {any} value
+ * @returns {number?}
+ */
+function validateTimeout(value) {
+  const timeout = Number(value);
+  if (!Number.isNaN(timeout) && timeout > 0) {
+    return timeout;
+  }
+  return null;
+}
+
+/**
+ * @param {any} value
+ * @returns {number | undefined}
+ */
+function validateMinimumPackageAgeHours(value) {
+  const hours = Number(value);
+  if (!Number.isNaN(hours)) {
+    return hours;
+  }
+  return undefined;
+}
+
+/**
+ * Gets the minimum package age in hours from config file only
+ * @returns {number | undefined}
+ */
+export function getMinimumPackageAgeHours() {
+  const config = readConfigFile();
+  if (config.minimumPackageAgeHours !== undefined) {
+    const validated = validateMinimumPackageAgeHours(
+      config.minimumPackageAgeHours
+    );
+    if (validated !== undefined) {
+      return validated;
+    }
+  }
+  return undefined;
+}
+
+/**
+ * Gets the malware list base URL from config file only
+ * @returns {string | undefined}
+ */
+export function getMalwareListBaseUrl() {
+  const config = readConfigFile();
+  if (config.malwareListBaseUrl && typeof config.malwareListBaseUrl === "string") {
+    return config.malwareListBaseUrl;
+  }
+  return undefined;
+}
+
+/**
+ * Gets the custom npm registries from the config file (format parsing only, no validation)
+ * @returns {string[]}
+ */
+export function getNpmCustomRegistries() {
+  const config = readConfigFile();
+
+  if (!config || !config.npm) {
+    return [];
+  }
+
+  // TypeScript needs help understanding that config.npm exists and has customRegistries
+  const npmConfig = /** @type {SafeChainRegistryConfiguration} */ (config.npm);
+  const customRegistries = npmConfig.customRegistries;
+
+  if (!Array.isArray(customRegistries)) {
+    return [];
+  }
+
+  return customRegistries.filter((item) => typeof item === "string");
+}
+
+/**
+ * Gets the custom npm registries from the config file (format parsing only, no validation)
+ * @returns {string[]}
+ */
+export function getPipCustomRegistries() {
+  const config = readConfigFile();
+
+  if (!config || !config.pip) {
+    return [];
+  }
+
+  // TypeScript needs help understanding that config.pip exists and has customRegistries
+  const pipConfig = /** @type {SafeChainRegistryConfiguration} */ (config.pip);
+  const customRegistries = pipConfig.customRegistries;
+
+  if (!Array.isArray(customRegistries)) {
+    return [];
+  }
+
+  return customRegistries.filter((item) => typeof item === "string");
+}
+
+/**
+ * Gets the minimum package age exclusions from the config file for the current ecosystem
+ * @returns {string[]}
+ */
+export function getMinimumPackageAgeExclusions() {
+  const config = readConfigFile();
+  const ecosystem = getEcoSystem();
+  const registryConfig = ecosystem === "py" ? config.pip : config.npm;
+
+  if (!config || !registryConfig) {
+    return [];
+  }
+
+  const typedRegistryConfig =
+    /** @type {SafeChainRegistryConfiguration} */ (registryConfig);
+  const exclusions = typedRegistryConfig.minimumPackageAgeExclusions;
+
+  if (!Array.isArray(exclusions)) {
+    return [];
+  }
+
+  return exclusions.filter((item) => typeof item === "string");
+}
+
+/**
+ * @param {import("../api/aikido.js").MalwarePackage[]} data
+ * @param {string | number} version
+ *
+ * @returns {void}
+ */
+export function writeDatabaseToLocalCache(data, version) {
+  try {
+    const databasePath = getDatabasePath();
+    const versionPath = getDatabaseVersionPath();
+
+    fs.writeFileSync(databasePath, JSON.stringify(data));
+    fs.writeFileSync(versionPath, version.toString());
+  } catch {
+    ui.writeWarning(
+      "Failed to write malware database to local cache, next time the database will be fetched from the server again."
+    );
+  }
+}
+
+/**
+ * @returns {{malwareDatabase: import("../api/aikido.js").MalwarePackage[] | null, version: string | null}}
+ */
+export function readDatabaseFromLocalCache() {
+  try {
+    const databasePath = getDatabasePath();
+    if (!fs.existsSync(databasePath)) {
+      return {
+        malwareDatabase: null,
+        version: null,
+      };
+    }
+    const data = fs.readFileSync(databasePath, "utf8");
+    const malwareDatabase = JSON.parse(data);
+    const versionPath = getDatabaseVersionPath();
+    let version = null;
+    if (fs.existsSync(versionPath)) {
+      version = fs.readFileSync(versionPath, "utf8").trim();
+    }
+    return {
+      malwareDatabase: malwareDatabase,
+      version: version,
+    };
+  } catch {
+    ui.writeWarning(
+      "Failed to read malware database from local cache. Continuing without local cache."
+    );
+    return {
+      malwareDatabase: null,
+      version: null,
+    };
+  }
+}
+
+/**
+ * @returns {SafeChainConfig}
+ */
+function readConfigFile() {
+  /** @type {SafeChainConfig} */
+  const emptyConfig = {
+    scanTimeout: undefined,
+    minimumPackageAgeHours: undefined,
+    malwareListBaseUrl: undefined,
+    npm: {
+      customRegistries: undefined,
+    },
+    pip: {
+      customRegistries: undefined,
+    },
+  };
+
+  const configFilePath = getConfigFilePath();
+
+  if (!fs.existsSync(configFilePath)) {
+    return emptyConfig;
+  }
+
+  try {
+    const data = fs.readFileSync(configFilePath, "utf8");
+    return JSON.parse(data);
+  } catch {
+    return emptyConfig;
+  }
+}
+
+/**
+ * @returns {string}
+ */
+function getDatabasePath() {
+  const aikidoDir = getAikidoDirectory();
+  const ecosystem = getEcoSystem();
+  return path.join(aikidoDir, `malwareDatabase_${ecosystem}.json`);
+}
+
+function getDatabaseVersionPath() {
+  const aikidoDir = getAikidoDirectory();
+  const ecosystem = getEcoSystem();
+  return path.join(aikidoDir, `version_${ecosystem}.txt`);
+}
+
+/**
+ * @returns {string}
+ */
+export function getNewPackagesListPath() {
+  const safeChainDir = getSafeChainDirectory();
+  const ecosystem = getEcoSystem();
+  return path.join(safeChainDir, `newPackagesList_${ecosystem}.json`);
+}
+
+/**
+ * @returns {string}
+ */
+export function getNewPackagesListVersionPath() {
+  const safeChainDir = getSafeChainDirectory();
+  const ecosystem = getEcoSystem();
+  return path.join(safeChainDir, `newPackagesList_version_${ecosystem}.txt`);
+}
+
+/**
+ * @returns {string}
+ */
+function getConfigFilePath() {
+  const primaryPath = path.join(getSafeChainDirectory(), "config.json");
+  if (fs.existsSync(primaryPath)) {
+    return primaryPath;
+  }
+
+  const legacyPath = path.join(getAikidoDirectory(), "config.json");
+  if (fs.existsSync(legacyPath)) {
+    return legacyPath;
+  }
+
+  return primaryPath;
+}
+
+/**
+ * @returns {string}
+ */
+export function getSafeChainDirectory() {
+  const homeDir = os.homedir();
+  const safeChainDir = path.join(homeDir, ".safe-chain");
+
+  if (!fs.existsSync(safeChainDir)) {
+    fs.mkdirSync(safeChainDir, { recursive: true });
+  }
+  return safeChainDir;
+}
+
+/**
+ * @returns {string}
+ */
+function getAikidoDirectory() {
+  const homeDir = os.homedir();
+  const aikidoDir = path.join(homeDir, ".aikido");
+
+  if (!fs.existsSync(aikidoDir)) {
+    fs.mkdirSync(aikidoDir, { recursive: true });
+  }
+  return aikidoDir;
+}

package/src/config/environmentVariables.js

@@ -0,0 +1,57 @@
+/**
+ * Gets the minimum package age in hours from environment variable
+ * @returns {string | undefined}
+ */
+export function getMinimumPackageAgeHours() {
+  return process.env.SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS;
+}
+
+/**
+ * Gets the custom npm registries from environment variable
+ * Expected format: comma-separated list of registry domains
+ * Example: "npm.company.com,registry.internal.net"
+ * @returns {string | undefined}
+ */
+export function getNpmCustomRegistries() {
+  return process.env.SAFE_CHAIN_NPM_CUSTOM_REGISTRIES;
+}
+
+/**
+ * Gets the custom pip registries from environment variable
+ * Expected format: comma-separated list of registry domains
+ * Example: "pip.company.com,registry.internal.net"
+ * @returns {string | undefined}
+ */
+export function getPipCustomRegistries() {
+  return process.env.SAFE_CHAIN_PIP_CUSTOM_REGISTRIES;
+}
+
+/**
+ * Gets the logging level from environment variable
+ * Valid values: "silent", "normal", "verbose"
+ * @returns {string | undefined}
+ */
+export function getLoggingLevel() {
+  return process.env.SAFE_CHAIN_LOGGING;
+}
+
+/**
+ * Gets the minimum package age exclusions from environment variable
+ * Expected format: comma-separated list of package names
+ * Example: "react,@aikidosec/safe-chain,lodash"
+ * @returns {string | undefined}
+ */
+export function getMinimumPackageAgeExclusions() {
+  return process.env.SAFE_CHAIN_MINIMUM_PACKAGE_AGE_EXCLUSIONS ||
+    process.env.SAFE_CHAIN_NPM_MINIMUM_PACKAGE_AGE_EXCLUSIONS;
+}
+
+/**
+ * Gets the malware list base URL from environment variable
+ * Expected format: full URL without trailing slash
+ * Example: "https://malware-list.aikido.dev"
+ * @returns {string | undefined}
+ */
+export function getMalwareListBaseUrl() {
+  return process.env.SAFE_CHAIN_MALWARE_LIST_BASE_URL;
+}

package/src/config/settings.js

@@ -0,0 +1,247 @@
+import * as cliArguments from "./cliArguments.js";
+import * as configFile from "./configFile.js";
+import * as environmentVariables from "./environmentVariables.js";
+import { ui } from "../environment/userInteraction.js";
+
+export const LOGGING_SILENT = "silent";
+export const LOGGING_NORMAL = "normal";
+export const LOGGING_VERBOSE = "verbose";
+
+export function getLoggingLevel() {
+  // Priority 1: CLI argument
+  const cliLevel = cliArguments.getLoggingLevel();
+  if (cliLevel === LOGGING_SILENT || cliLevel === LOGGING_VERBOSE) {
+    return cliLevel;
+  }
+  if (cliLevel) {
+    // CLI arg was set but invalid, default to normal for backwards compatibility.
+    return LOGGING_NORMAL;
+  }
+
+  // Priority 2: Environment variable
+  const envLevel = environmentVariables.getLoggingLevel()?.toLowerCase();
+  if (envLevel === LOGGING_SILENT || envLevel === LOGGING_VERBOSE) {
+    return envLevel;
+  }
+
+  return LOGGING_NORMAL;
+}
+
+export const ECOSYSTEM_JS = "js";
+export const ECOSYSTEM_PY = "py";
+
+// Default to JavaScript ecosystem
+const ecosystemSettings = {
+  ecoSystem: ECOSYSTEM_JS,
+};
+
+/** @returns {string} - The current ecosystem setting (ECOSYSTEM_JS or ECOSYSTEM_PY) */
+export function getEcoSystem() {
+  return ecosystemSettings.ecoSystem;
+}
+/**
+ * @param {string} setting - The ecosystem to set (ECOSYSTEM_JS or ECOSYSTEM_PY)
+ */
+export function setEcoSystem(setting) {
+  ecosystemSettings.ecoSystem = setting;
+}
+
+const defaultMinimumPackageAge = 48;
+/** @returns {number} */
+export function getMinimumPackageAgeHours() {
+  // Priority 1: CLI argument
+  const cliValue = validateMinimumPackageAgeHours(
+    cliArguments.getMinimumPackageAgeHours()
+  );
+  if (cliValue !== undefined) {
+    return cliValue;
+  }
+
+  // Priority 2: Environment variable
+  const envValue = validateMinimumPackageAgeHours(
+    environmentVariables.getMinimumPackageAgeHours()
+  );
+  if (envValue !== undefined) {
+    return envValue;
+  }
+
+  // Priority 3: Config file
+  const configValue = configFile.getMinimumPackageAgeHours();
+  if (configValue !== undefined) {
+    return configValue;
+  }
+
+  return defaultMinimumPackageAge;
+}
+
+/**
+ * @param {string | undefined} value
+ * @returns {number | undefined}
+ */
+function validateMinimumPackageAgeHours(value) {
+  if (!value) {
+    return undefined;
+  }
+
+  const numericValue = Number(value);
+  if (Number.isNaN(numericValue)) {
+    return undefined;
+  }
+
+  if (numericValue >= 0) {
+    return numericValue;
+  }
+
+  return undefined;
+}
+
+const defaultSkipMinimumPackageAge = false;
+export function skipMinimumPackageAge() {
+  const cliValue = cliArguments.getSkipMinimumPackageAge();
+
+  if (cliValue === true) {
+    return true;
+  }
+
+  return defaultSkipMinimumPackageAge;
+}
+
+/**
+ * Normalizes a registry URL by removing protocol if present
+ * @param {string} registry
+ * @returns {string}
+ */
+function normalizeRegistry(registry) {
+  // Remove protocol (http://, https://) if present
+  return registry.replace(/^https?:\/\//, "");
+}
+
+/**
+ * Parses comma-separated registries from environment variable
+ * @param {string | undefined} envValue
+ * @returns {string[]}
+ */
+function parseRegistriesFromEnv(envValue) {
+  if (!envValue || typeof envValue !== "string") {
+    return [];
+  }
+
+  // Split by comma and trim whitespace
+  return envValue
+    .split(",")
+    .map((registry) => registry.trim())
+    .filter((registry) => registry.length > 0);
+}
+
+/**
+ * Gets the custom npm registries from both environment variable and config file (merged)
+ * @returns {string[]}
+ */
+export function getNpmCustomRegistries() {
+  const envRegistries = parseRegistriesFromEnv(
+    environmentVariables.getNpmCustomRegistries()
+  );
+  const configRegistries = configFile.getNpmCustomRegistries();
+
+  // Merge both sources and remove duplicates
+  const allRegistries = [...envRegistries, ...configRegistries];
+  const uniqueRegistries = [...new Set(allRegistries)];
+
+  // Normalize each registry (remove protocol if any)
+  return uniqueRegistries.map(normalizeRegistry);
+}
+
+/**
+ * Gets the custom npm registries from both environment variable and config file (merged)
+ * @returns {string[]}
+ */
+export function getPipCustomRegistries() {
+  const envRegistries = parseRegistriesFromEnv(
+    environmentVariables.getPipCustomRegistries()
+  );
+  const configRegistries = configFile.getPipCustomRegistries();
+
+  // Merge both sources and remove duplicates
+  const allRegistries = [...envRegistries, ...configRegistries];
+  const uniqueRegistries = [...new Set(allRegistries)];
+
+  // Normalize each registry (remove protocol if any)
+  return uniqueRegistries.map(normalizeRegistry);
+}
+
+/**
+ * Parses comma-separated exclusions from environment variable
+ * @param {string | undefined} envValue
+ * @returns {string[]}
+ */
+function parseExclusionsFromEnv(envValue) {
+  if (!envValue || typeof envValue !== "string") {
+    return [];
+  }
+
+  return envValue
+    .split(",")
+    .map((exclusion) => exclusion.trim())
+    .filter((exclusion) => exclusion.length > 0);
+}
+
+/**
+ * Gets the minimum package age exclusions from both environment variable and config file (merged)
+ * @returns {string[]}
+ */
+export function getMinimumPackageAgeExclusions() {
+  const envExclusions = parseExclusionsFromEnv(
+    environmentVariables.getMinimumPackageAgeExclusions()
+  );
+  const configExclusions = configFile.getMinimumPackageAgeExclusions();
+
+  // Merge both sources and remove duplicates
+  const allExclusions = [...envExclusions, ...configExclusions];
+  return [...new Set(allExclusions)];
+}
+
+/**
+ * Gets the malware list base URL with priority: CLI argument > environment variable > config file > default
+ * @returns {string}
+ */
+export function getMalwareListBaseUrl() {
+  // Priority 1: CLI argument
+  const cliValue = cliArguments.getMalwareListBaseUrl();
+  if (cliValue) {
+    const url = removeTrailingSlashes(cliValue);
+    ui.writeVerbose(`Fetching malware lists from ${url} as defined by CLI argument --safe-chain-malware-list-base-url`);
+    return url;
+  }
+
+  // Priority 2: Environment variable
+  const envValue = environmentVariables.getMalwareListBaseUrl();
+  if (envValue) {
+    const url = removeTrailingSlashes(envValue);
+    ui.writeVerbose(`Fetching malware lists from ${url} as defined by environment variable SAFE_CHAIN_MALWARE_LIST_BASE_URL`);
+    return url;
+  }
+
+  // Priority 3: Config file
+  const configValue = configFile.getMalwareListBaseUrl();
+  if (configValue) {
+    const url = removeTrailingSlashes(configValue);
+    ui.writeVerbose(`Fetching malware lists from ${url} as defined by config file (malwareListBaseUrl)`);
+    return url;
+  }
+
+  // Default
+  return removeTrailingSlashes("https://malware-list.aikido.dev");
+}
+
+/**
+ * Removes trailing slashes from a URL-like string.
+ * @param {string} value
+ * @returns {string}
+ */
+function removeTrailingSlashes(value) {
+  if (!value || typeof value !== "string") {
+    return value;
+  }
+
+  return value.replace(/\/+$/, "");
+}

package/src/environment/environment.js

@@ -0,0 +1,14 @@
+export function isCi() {
+  const ciEnvironments = [
+    "CI",
+    "TF_BUILD", // Azure devops does not set CI, but TF_BUILD
+  ];
+
+  for (const env of ciEnvironments) {
+    if (process.env[env]) {
+      return true;
+    }
+  }
+
+  return false;
+}