@appland/scanner 1.69.0 → 1.70.1

package/CHANGELOG.md

@@ -1,3 +1,31 @@
+# [@appland/scanner-v1.70.1](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.70.0...@appland/scanner-v1.70.1) (2022-09-05)
+
+
+### Bug Fixes
+
+* Skip bad files when running scanner on a directory ([d6d1e4e](https://github.com/applandinc/appmap-js/commit/d6d1e4e4eeac40424802169414b170961dfccc25))
+
+# [@appland/scanner-v1.70.0](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.69.1...@appland/scanner-v1.70.0) (2022-08-31)
+
+
+### Bug Fixes
+
+* Don't attempt to destructure an undefined value ([b46e358](https://github.com/applandinc/appmap-js/commit/b46e358cf0fd0cc56a7f465268f87f219ab13c55))
+
+
+### Features
+
+* Add scan for presence of JWT signature verification ([a2b382b](https://github.com/applandinc/appmap-js/commit/a2b382bd571cfbc0fcdfa389ad382536f85eb671))
+* Add scanner for usage of JWT with the `none` algorithm ([025ac89](https://github.com/applandinc/appmap-js/commit/025ac89f0538d5b4bfed7f36e3d09788f2a38076))
+
+# [@appland/scanner-v1.69.1](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.69.0...@appland/scanner-v1.69.1) (2022-08-29)
+
+
+### Bug Fixes
+
+* Add missing dependencies ([97a5d02](https://github.com/applandinc/appmap-js/commit/97a5d02ff161b52200430d2123d8d9ab62037220))
+* Don't attempt to resolve a remote app ID if running in watch mode ([8f21ff1](https://github.com/applandinc/appmap-js/commit/8f21ff1a3bc86292f70a2cd1446f682e525869aa))
+
 # [@appland/scanner-v1.69.0](https://github.com/applandinc/appmap-js/compare/@appland/scanner-v1.68.0...@appland/scanner-v1.69.0) (2022-08-23)
 
 

package/built/cli/scan/command.js

@@ -75,7 +75,7 @@ exports.default = {
             if (appmapDir)
                 yield (0, validateFile_1.default)('directory', appmapDir);
             let appId = appIdArg;
-            if (!reportAllFindings)
+            if (!watch && !reportAllFindings)
                 appId = yield (0, resolveAppId_1.default)(appIdArg, appmapDir);
             if (watch) {
                 const watchAppMapDir = appmapDir;

package/built/cli/scan/scanner.js

@@ -35,10 +35,10 @@ class ScannerBase {
         this.configuration = configuration;
         this.files = files;
     }
-    scan() {
+    scan(skipErrors = false) {
         return __awaiter(this, void 0, void 0, function* () {
             const checks = yield (0, configurationProvider_1.loadConfig)(this.configuration);
-            const { appMapMetadata, findings } = yield (0, scan_1.default)(this.files, checks);
+            const { appMapMetadata, findings } = yield (0, scan_1.default)(this.files, checks, skipErrors);
             return new scanResults_1.ScanResults(this.configuration, appMapMetadata, findings, checks);
         });
     }

package/built/cli/scan/singleScan.js

@@ -25,6 +25,7 @@ const validateFile_1 = __importDefault(require("../validateFile"));
 function singleScan(options) {
     return __awaiter(this, void 0, void 0, function* () {
         const { appmapFile, appmapDir, configuration, reportAllFindings, appId, ide, reportFile } = options;
+        const skipErrors = appmapDir !== undefined;
         const files = yield (0, util_1.collectAppMapFiles)(appmapFile, appmapDir);
         yield Promise.all(files.map((file) => __awaiter(this, void 0, void 0, function* () { return (0, validateFile_1.default)('file', file); })));
         const scanner = yield (0, scanner_1.default)(reportAllFindings, configuration, files).catch((error) => {
@@ -32,7 +33,7 @@ function singleScan(options) {
         });
         const startTime = Date.now();
         const [rawScanResults, findingStatuses] = yield Promise.all([
-            scanner.scan(),
+            scanner.scan(skipErrors),
             scanner.fetchFindingStatus(appId, appmapDir),
         ]);
         // Always report the raw data

package/built/cli/scan.js

@@ -18,6 +18,7 @@ const promises_1 = require("fs/promises");
 const models_1 = require("@appland/models");
 const ruleChecker_1 = __importDefault(require("../ruleChecker"));
 const appMapIndex_1 = __importDefault(require("../appMapIndex"));
+const node_assert_1 = __importDefault(require("node:assert"));
 function batch(items, size, process) {
     return __awaiter(this, void 0, void 0, function* () {
         const left = [...items];
@@ -25,7 +26,37 @@ function batch(items, size, process) {
             yield Promise.all(left.splice(0, size).map(process));
     });
 }
-function scan(files, checks) {
+class Progress {
+    constructor(numFiles, numChecks) {
+        this.numFiles = numFiles;
+        this.numChecks = numChecks;
+        this.checks = 0;
+        if (process.stdout.isTTY)
+            this.bar = new cli_progress_1.default.SingleBar({ format: `Scanning [{bar}] {percentage}% | {value}/{total}` }, cli_progress_1.default.Presets.shades_classic);
+        else {
+            this.start = this.check = this.file = this.stop = () => { };
+        }
+    }
+    start() {
+        var _a;
+        (_a = this.bar) === null || _a === void 0 ? void 0 : _a.start(this.numFiles * this.numChecks, 0);
+    }
+    check() {
+        var _a;
+        this.checks += 1;
+        (_a = this.bar) === null || _a === void 0 ? void 0 : _a.increment();
+    }
+    file() {
+        var _a;
+        (_a = this.bar) === null || _a === void 0 ? void 0 : _a.increment(this.numChecks - this.checks);
+        this.checks = 0;
+    }
+    stop() {
+        var _a;
+        (_a = this.bar) === null || _a === void 0 ? void 0 : _a.stop();
+    }
+}
+function scan(files, checks, skipErrors = true) {
     return __awaiter(this, void 0, void 0, function* () {
         // TODO: Improve this by respecting .gitignore, or similar.
         // For now, this addresses the main problem of encountering appmap-js and its appmap.json files
@@ -34,33 +65,37 @@ function scan(files, checks) {
         const checker = new ruleChecker_1.default();
         const appMapMetadata = {};
         const findings = [];
-        function newProgress() {
-            if (process.stdout.isTTY) {
-                return new cli_progress_1.default.SingleBar({ format: `Scanning [{bar}] {percentage}% | {value}/{total}` }, cli_progress_1.default.Presets.shades_classic);
-            }
-            return {
-                increment: () => { },
-                start: () => { },
-                stop: () => { },
-            };
-        }
-        const progress = newProgress();
-        progress.start(files.length * checks.length, 0);
+        const progress = new Progress(files.length, checks.length);
+        let lastError = null;
+        let anySuccess = false;
         yield batch(files, 2, (file) => __awaiter(this, void 0, void 0, function* () {
-            const appMapData = yield (0, promises_1.readFile)(file, 'utf8');
-            const appMap = (0, models_1.buildAppMap)(appMapData).normalize().build();
-            const appMapIndex = new appMapIndex_1.default(appMap);
-            appMapMetadata[file] = appMap.metadata;
-            yield Promise.all(checks.map((check) => __awaiter(this, void 0, void 0, function* () {
-                const matchCount = findings.length;
-                yield checker.check(file, appMapIndex, check, findings);
-                progress.increment();
-                const newMatches = findings.slice(matchCount, findings.length);
-                newMatches.forEach((match) => (match.appMapFile = file));
-            })));
-            return null;
+            try {
+                console.log(`scanning ${file}`);
+                const appMapData = yield (0, promises_1.readFile)(file, 'utf8');
+                const appMap = (0, models_1.buildAppMap)(appMapData).normalize().build();
+                const appMapIndex = new appMapIndex_1.default(appMap);
+                appMapMetadata[file] = appMap.metadata;
+                yield Promise.all(checks.map((check) => __awaiter(this, void 0, void 0, function* () {
+                    const matchCount = findings.length;
+                    yield checker.check(file, appMapIndex, check, findings);
+                    progress.check();
+                    const newMatches = findings.slice(matchCount, findings.length);
+                    newMatches.forEach((match) => (match.appMapFile = file));
+                })));
+                anySuccess = true;
+            }
+            catch (error) {
+                (0, node_assert_1.default)(error instanceof Error);
+                lastError = new Error(`Error processing "${file}"`, { cause: error });
+                if (!skipErrors)
+                    throw lastError;
+                console.warn(lastError);
+            }
+            progress.file();
         }));
         progress.stop();
+        if (!anySuccess && lastError)
+            throw lastError;
         return { appMapMetadata, findings };
     });
 }

package/built/rules/jwtAlgorithmNone.js

@@ -0,0 +1,47 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
+function getHeader(jwt) {
+    try {
+        const [header] = jwt.split('.');
+        const decodedHeader = Buffer.from(header, 'base64').toString('utf-8');
+        return JSON.parse(decodedHeader);
+    }
+    catch (_a) {
+        // the JWT is malformed
+        return undefined;
+    }
+}
+class JwtAlgoritmNoneLogic {
+    matcher(event) {
+        if (!event.returnValue)
+            return;
+        const matches = new Array();
+        const { value: jwt } = event.returnValue;
+        const header = getHeader(jwt);
+        if ((header === null || header === void 0 ? void 0 : header.alg) === 'none') {
+            matches.push({ event, message: 'Encoded JWT using the `none` algorithm' });
+        }
+        return matches;
+    }
+    where(event) {
+        return event.labels.has('jwt.encode');
+    }
+}
+class JwtAlgoritmNone {
+    constructor() {
+        this.id = 'jwt-algorithm-none';
+        this.title = "JWT 'none' algorithm";
+        this.impactDomain = 'Security';
+        this.enumerateScope = true;
+        this.description = (0, parseRuleDescription_1.default)('jwtAlgorithmNone');
+        this.url = 'https://appland.com/docs/analysis/rules-reference.html#jwt-algorithm-none';
+    }
+    build() {
+        return new JwtAlgoritmNoneLogic();
+    }
+}
+exports.default = new JwtAlgoritmNone();

package/built/rules/jwtUnverifiedSignature.js

@@ -0,0 +1,84 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Labels = void 0;
+const parseRuleDescription_1 = __importDefault(require("./lib/parseRuleDescription"));
+const models_1 = require("@appland/models");
+var Labels;
+(function (Labels) {
+    Labels["SignatureVerify"] = "jwt.signature.verify";
+    Labels["JwtDecode"] = "jwt.decode";
+})(Labels = exports.Labels || (exports.Labels = {}));
+// Attempt to identify and return a JWT from an array of parameters
+function findJwt(parameters) {
+    if (!parameters)
+        return;
+    for (const param of parameters) {
+        const tokens = param.value.split('.');
+        if (tokens.length !== 3)
+            return;
+        const [header, payload, signature] = tokens;
+        return { header, payload, signature };
+    }
+}
+// Check if `obj` matches the JWT by value or by reference (receiverId)
+function matchJwt(obj, jwt, receiverId) {
+    const byValue = jwt !== undefined && obj.value.startsWith(`${jwt.header}.${jwt.payload}`);
+    const byReference = receiverId !== undefined && receiverId === obj.object_id;
+    return byValue || byReference;
+}
+class JwtUnverifiedSignatureLogic {
+    matcher(event) {
+        var _a, _b, _c;
+        if (event.labels.has(Labels.SignatureVerify)) {
+            // This method is marked both as decode and signature verify. It is compliant.
+            return;
+        }
+        let verified = false;
+        let receiverId;
+        const jwt = findJwt(event.parameters);
+        const matches = new Array();
+        // Don't track the receiver if it's static. We'll find references of the decoded JWT passed by
+        // function parameter instead.
+        if (!event.isStatic) {
+            receiverId = (_a = event.receiver) === null || _a === void 0 ? void 0 : _a.object_id;
+        }
+        for (const { event: child } of new models_1.EventNavigator(event).following()) {
+            if (!child.labels.has(Labels.SignatureVerify)) {
+                continue;
+            }
+            const matchesReceiver = receiverId !== undefined && receiverId === ((_b = child.receiver) === null || _b === void 0 ? void 0 : _b.object_id);
+            const matchesParameter = (_c = child.parameters) === null || _c === void 0 ? void 0 : _c.find((param) => matchJwt(param, jwt, receiverId));
+            if (matchesReceiver || matchesParameter) {
+                verified = true;
+                break;
+            }
+        }
+        if (!verified) {
+            matches.push({
+                event,
+                message: 'JWT signature is not validated',
+            });
+        }
+        return matches;
+    }
+    where(event) {
+        return event.labels.has('jwt.decode');
+    }
+}
+class JwtUnverifiedSignature {
+    constructor() {
+        this.id = 'jwt-unverified-signature';
+        this.title = 'Unverified signature';
+        this.impactDomain = 'Security';
+        this.enumerateScope = true;
+        this.description = (0, parseRuleDescription_1.default)('jwtUnverifiedSignature');
+        this.url = 'https://appland.com/docs/analysis/rules-reference.html#jwt-unverified-signature';
+    }
+    build() {
+        return new JwtUnverifiedSignatureLogic();
+    }
+}
+exports.default = new JwtUnverifiedSignature();

package/doc/rules/jwt-algorithm-none.md

@@ -0,0 +1,25 @@
+---
+rule: jwt-algorithm-none
+name: Jwt algorithm none
+title: JWT 'none' algorithm
+impactDomain: Security
+---
+
+Finds usage of unsecured JWTs which use the `none` algorithm. When declaring this algorithm, there
+is no signature contained within the token that may be cryptographically verified. As a result, the
+data encoded within the token may be easily forged.
+
+### Rule logic
+
+Any function which encodes a new JWT will have its return value checked for presence of the `none`
+algorithm within the token header.
+
+### Options
+
+None
+
+### Examples
+
+```yaml
+- rule: jwt-algorithm-none
+```

package/doc/rules/jwt-unverified-signature.md

@@ -0,0 +1,24 @@
+---
+rule: jwt-unverified-signature
+name: Jwt unverified signature
+title: Unverified signature
+impactDomain: Security
+---
+
+Finds cases where a JWT is decoded but the signature is never verified. Without proper signature
+verification, the service will unknowingly accept arbitrary token payloads from any origin.
+
+### Rule logic
+
+Following a function call to decode a JWT, a subsequent function call to verify the token signature
+is expected.
+
+### Options
+
+None
+
+### Examples
+
+```yaml
+- rule: jwt-unverified-signature
+```

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@appland/scanner",
-  "version": "1.69.0",
+  "version": "1.70.1",
   "description": "",
   "bin": "built/cli.js",
   "files": [
@@ -49,6 +49,7 @@
     "prettier": "^2.3.2",
     "semantic-release": "^19.0.2",
     "sinon": "^13.0.1",
+    "tmp-promise": "^3.0.3",
     "ts-jest": "^27.1.4",
     "ts-json-schema-generator": "^0.97.0",
     "ts-node": "^10.2.1",
@@ -56,19 +57,21 @@
   },
   "dependencies": {
     "@appland/client": "^1.3.0",
-    "@appland/models": "^1.16.1",
+    "@appland/models": "^1.18.1",
     "@appland/openapi": "1.0.2",
     "@appland/sql-parser": "^1.5.0",
     "@types/cli-progress": "^3.9.2",
     "ajv": "^8.8.2",
     "applicationinsights": "^2.1.4",
     "async": "^3.2.3",
+    "boxen": "^5.0.1",
     "chalk": "^4.1.2",
     "chokidar": "applandinc/chokidar#fix/new-file-new-directory-race-on-linux",
     "cli-progress": "^3.11.0",
     "conf": "^10.0.2",
     "form-data": "^4.0.0",
     "glob": "7.2.3",
+    "inquirer": "^8.1.2",
     "js-yaml": "^4.1.0",
     "lru-cache": "^6.0.0",
     "minimatch": "^3.0.4",