@capgo/capgo-sec 1.0.4

package/src/scanners/engine.ts

@@ -0,0 +1,233 @@
+import fg from 'fast-glob';
+import { allRules, ruleCount } from '../rules/index.js';
+import type { Rule, Finding, ScanResult, ScanOptions, RuleCategory, Severity } from '../types.js';
+
+const DEFAULT_EXCLUDE = [
+  '**/node_modules/**',
+  '**/dist/**',
+  '**/build/**',
+  '**/.git/**',
+  '**/coverage/**',
+  '**/*.min.js',
+  '**/*.bundle.js',
+  '**/vendor/**',
+  '**/.next/**',
+  '**/.nuxt/**',
+  '**/android/app/build/**',
+  '**/ios/Pods/**',
+  '**/ios/build/**'
+];
+
+export class SecurityScanner {
+  private rules: Rule[];
+  private options: ScanOptions;
+
+  constructor(options: ScanOptions) {
+    this.options = options;
+    this.rules = this.filterRules(allRules);
+  }
+
+  private filterRules(rules: Rule[]): Rule[] {
+    let filtered = rules;
+
+    // Filter by severity
+    if (this.options.severity) {
+      const severityOrder: Severity[] = ['critical', 'high', 'medium', 'low', 'info'];
+      const minIndex = severityOrder.indexOf(this.options.severity);
+      filtered = filtered.filter(rule => {
+        const ruleIndex = severityOrder.indexOf(rule.severity);
+        return ruleIndex <= minIndex;
+      });
+    }
+
+    // Filter by category
+    if (this.options.categories && this.options.categories.length > 0) {
+      filtered = filtered.filter(rule => this.options.categories!.includes(rule.category));
+    }
+
+    return filtered;
+  }
+
+  async scan(): Promise<ScanResult> {
+    const startTime = Date.now();
+    const findings: Finding[] = [];
+
+    // Get all files to scan
+    const files = await this.getFiles();
+
+    // Process each file
+    for (const file of files) {
+      const fileFindings = await this.scanFile(file);
+      findings.push(...fileFindings);
+    }
+
+    const duration = Date.now() - startTime;
+
+    return {
+      projectPath: this.options.path,
+      timestamp: new Date().toISOString(),
+      duration,
+      filesScanned: files.length,
+      findings: this.sortFindings(findings),
+      summary: this.generateSummary(findings)
+    };
+  }
+
+  private async getFiles(): Promise<string[]> {
+    const excludePatterns = [...DEFAULT_EXCLUDE, ...(this.options.exclude || [])];
+
+    // Collect all unique file patterns from rules
+    const patterns = new Set<string>();
+    for (const rule of this.rules) {
+      if (rule.filePatterns) {
+        rule.filePatterns.forEach(p => patterns.add(p));
+      }
+    }
+
+    // If no patterns, use common source files
+    if (patterns.size === 0) {
+      patterns.add('**/*.ts');
+      patterns.add('**/*.tsx');
+      patterns.add('**/*.js');
+      patterns.add('**/*.jsx');
+      patterns.add('**/*.json');
+      patterns.add('**/*.html');
+      patterns.add('**/AndroidManifest.xml');
+      patterns.add('**/Info.plist');
+    }
+
+    const files = await fg(Array.from(patterns), {
+      cwd: this.options.path,
+      ignore: excludePatterns,
+      absolute: true,
+      onlyFiles: true
+    });
+
+    return files;
+  }
+
+  private async scanFile(filePath: string): Promise<Finding[]> {
+    const findings: Finding[] = [];
+
+    try {
+      const content = await Bun.file(filePath).text();
+
+      // Get rules that match this file
+      const applicableRules = this.rules.filter(rule => {
+        if (!rule.filePatterns) return true;
+        return rule.filePatterns.some(pattern => {
+          // Convert glob pattern to regex for matching
+          // First escape dots, then handle glob patterns
+          const regexPattern = pattern
+            .replace(/\./g, '\\.')
+            .replace(/\*\*/g, '.*')
+            .replace(/(?<!\.)(\*)/g, '[^/]*');
+          return new RegExp(regexPattern).test(filePath);
+        });
+      });
+
+      // Apply each rule
+      for (const rule of applicableRules) {
+        if (rule.check) {
+          const ruleFindings = rule.check(content, filePath);
+          findings.push(...ruleFindings);
+        } else if (rule.patterns) {
+          // Simple pattern matching
+          for (const pattern of rule.patterns) {
+            let match;
+            const regex = new RegExp(pattern.source, pattern.flags);
+            const lines = content.split('\n');
+
+            while ((match = regex.exec(content)) !== null) {
+              const lineNum = content.substring(0, match.index).split('\n').length;
+              findings.push({
+                ruleId: rule.id,
+                ruleName: rule.name,
+                severity: rule.severity,
+                category: rule.category,
+                message: rule.description,
+                filePath,
+                line: lineNum,
+                codeSnippet: lines[lineNum - 1]?.trim(),
+                remediation: rule.remediation,
+                references: rule.references
+              });
+            }
+          }
+        }
+      }
+    } catch (error) {
+      if (this.options.verbose) {
+        console.error(`Error scanning ${filePath}:`, error);
+      }
+    }
+
+    return findings;
+  }
+
+  private sortFindings(findings: Finding[]): Finding[] {
+    const severityOrder: Record<Severity, number> = {
+      critical: 0,
+      high: 1,
+      medium: 2,
+      low: 3,
+      info: 4
+    };
+
+    return findings.sort((a, b) => {
+      const severityDiff = severityOrder[a.severity] - severityOrder[b.severity];
+      if (severityDiff !== 0) return severityDiff;
+      return a.filePath.localeCompare(b.filePath);
+    });
+  }
+
+  private generateSummary(findings: Finding[]) {
+    const byCategory: Record<RuleCategory, number> = {
+      storage: 0,
+      network: 0,
+      authentication: 0,
+      secrets: 0,
+      cryptography: 0,
+      logging: 0,
+      capacitor: 0,
+      debug: 0,
+      android: 0,
+      ios: 0,
+      config: 0,
+      webview: 0,
+      permissions: 0
+    };
+
+    let critical = 0;
+    let high = 0;
+    let medium = 0;
+    let low = 0;
+    let info = 0;
+
+    for (const finding of findings) {
+      byCategory[finding.category]++;
+
+      switch (finding.severity) {
+        case 'critical': critical++; break;
+        case 'high': high++; break;
+        case 'medium': medium++; break;
+        case 'low': low++; break;
+        case 'info': info++; break;
+      }
+    }
+
+    return {
+      total: findings.length,
+      critical,
+      high,
+      medium,
+      low,
+      info,
+      byCategory
+    };
+  }
+
+  static getRuleCount(): number {
+    return ruleCount;
+  }
+}

package/src/types.ts

@@ -0,0 +1,96 @@
+export type Severity = 'critical' | 'high' | 'medium' | 'low' | 'info';
+
+export type RuleCategory =
+  | 'storage'
+  | 'network'
+  | 'authentication'
+  | 'secrets'
+  | 'cryptography'
+  | 'logging'
+  | 'capacitor'
+  | 'debug'
+  | 'android'
+  | 'ios'
+  | 'config'
+  | 'webview'
+  | 'permissions';
+
+export interface Rule {
+  id: string;
+  name: string;
+  description: string;
+  severity: Severity;
+  category: RuleCategory;
+  patterns?: RegExp[];
+  filePatterns?: string[];
+  check?: (content: string, filePath: string, ast?: any) => Finding[];
+  remediation: string;
+  references?: string[];
+}
+
+export interface Finding {
+  ruleId: string;
+  ruleName: string;
+  severity: Severity;
+  category: RuleCategory;
+  message: string;
+  filePath: string;
+  line?: number;
+  column?: number;
+  codeSnippet?: string;
+  remediation: string;
+  references?: string[];
+}
+
+export interface ScanResult {
+  projectPath: string;
+  timestamp: string;
+  duration: number;
+  filesScanned: number;
+  findings: Finding[];
+  summary: {
+    total: number;
+    critical: number;
+    high: number;
+    medium: number;
+    low: number;
+    info: number;
+    byCategory: Record<RuleCategory, number>;
+  };
+}
+
+export interface ScanOptions {
+  path: string;
+  output?: 'cli' | 'json' | 'html';
+  outputFile?: string;
+  severity?: Severity;
+  categories?: RuleCategory[];
+  exclude?: string[];
+  changedOnly?: boolean;
+  ci?: boolean;
+  verbose?: boolean;
+}
+
+export interface CapacitorConfig {
+  appId?: string;
+  appName?: string;
+  webDir?: string;
+  plugins?: Record<string, any>;
+  android?: {
+    allowMixedContent?: boolean;
+    captureInput?: boolean;
+    webContentsDebuggingEnabled?: boolean;
+    loggingBehavior?: string;
+  };
+  ios?: {
+    allowsLinkPreview?: boolean;
+    scrollEnabled?: boolean;
+    webContentsDebuggingEnabled?: boolean;
+    loggingBehavior?: string;
+  };
+  server?: {
+    url?: string;
+    cleartext?: boolean;
+    allowNavigation?: string[];
+  };
+}

package/src/utils/reporter.ts

@@ -0,0 +1,209 @@
+import type { ScanResult, Finding, Severity } from '../types.js';
+
+const SEVERITY_COLORS = {
+  critical: '\x1b[41m\x1b[37m', // Red background, white text
+  high: '\x1b[31m',             // Red
+  medium: '\x1b[33m',           // Yellow
+  low: '\x1b[36m',              // Cyan
+  info: '\x1b[90m'              // Gray
+};
+
+const RESET = '\x1b[0m';
+const BOLD = '\x1b[1m';
+const DIM = '\x1b[2m';
+
+export function formatCliReport(result: ScanResult): string {
+  const lines: string[] = [];
+
+  // Header
+  lines.push('');
+  lines.push(`${BOLD}╔══════════════════════════════════════════════════════════════╗${RESET}`);
+  lines.push(`${BOLD}║              CAPSEC Security Scan Report                     ║${RESET}`);
+  lines.push(`${BOLD}╚══════════════════════════════════════════════════════════════╝${RESET}`);
+  lines.push('');
+
+  // Summary
+  lines.push(`${BOLD}Summary${RESET}`);
+  lines.push(`${'─'.repeat(60)}`);
+  lines.push(`Project: ${result.projectPath}`);
+  lines.push(`Scanned: ${result.filesScanned} files in ${result.duration}ms`);
+  lines.push(`Time: ${result.timestamp}`);
+  lines.push('');
+
+  // Severity breakdown
+  lines.push(`${BOLD}Findings by Severity${RESET}`);
+  lines.push(`${'─'.repeat(60)}`);
+
+  if (result.summary.critical > 0) {
+    lines.push(`${SEVERITY_COLORS.critical} CRITICAL ${RESET} ${result.summary.critical}`);
+  }
+  if (result.summary.high > 0) {
+    lines.push(`${SEVERITY_COLORS.high}● HIGH${RESET}     ${result.summary.high}`);
+  }
+  if (result.summary.medium > 0) {
+    lines.push(`${SEVERITY_COLORS.medium}● MEDIUM${RESET}   ${result.summary.medium}`);
+  }
+  if (result.summary.low > 0) {
+    lines.push(`${SEVERITY_COLORS.low}● LOW${RESET}      ${result.summary.low}`);
+  }
+  if (result.summary.info > 0) {
+    lines.push(`${SEVERITY_COLORS.info}● INFO${RESET}     ${result.summary.info}`);
+  }
+
+  lines.push('');
+  lines.push(`${BOLD}Total: ${result.summary.total} findings${RESET}`);
+  lines.push('');
+
+  // Findings
+  if (result.findings.length > 0) {
+    lines.push(`${BOLD}Detailed Findings${RESET}`);
+    lines.push(`${'═'.repeat(60)}`);
+    lines.push('');
+
+    let currentSeverity: Severity | null = null;
+
+    for (const finding of result.findings) {
+      if (finding.severity !== currentSeverity) {
+        currentSeverity = finding.severity;
+        lines.push(`${SEVERITY_COLORS[finding.severity]}${BOLD}── ${finding.severity.toUpperCase()} ──${RESET}`);
+        lines.push('');
+      }
+
+      lines.push(formatFinding(finding));
+    }
+  } else {
+    lines.push(`${BOLD}\x1b[32m✓ No security issues found!${RESET}`);
+    lines.push('');
+  }
+
+  // Footer
+  lines.push(`${'─'.repeat(60)}`);
+  lines.push(`${DIM}Powered by capsec - https://capacitor-sec.dev${RESET}`);
+  lines.push('');
+
+  return lines.join('\n');
+}
+
+function formatFinding(finding: Finding): string {
+  const lines: string[] = [];
+  const severityColor = SEVERITY_COLORS[finding.severity];
+
+  lines.push(`${severityColor}[${finding.ruleId}]${RESET} ${BOLD}${finding.ruleName}${RESET}`);
+  lines.push(`  ${DIM}File:${RESET} ${finding.filePath}${finding.line ? `:${finding.line}` : ''}`);
+  lines.push(`  ${DIM}Issue:${RESET} ${finding.message}`);
+
+  if (finding.codeSnippet) {
+    lines.push(`  ${DIM}Code:${RESET} ${finding.codeSnippet.substring(0, 80)}${finding.codeSnippet.length > 80 ? '...' : ''}`);
+  }
+
+  lines.push(`  ${DIM}Fix:${RESET} ${finding.remediation}`);
+
+  if (finding.references && finding.references.length > 0) {
+    lines.push(`  ${DIM}Refs:${RESET} ${finding.references[0]}`);
+  }
+
+  lines.push('');
+
+  return lines.join('\n');
+}
+
+export function formatJsonReport(result: ScanResult): string {
+  return JSON.stringify(result, null, 2);
+}
+
+export function formatHtmlReport(result: ScanResult): string {
+  const severityClasses: Record<Severity, string> = {
+    critical: 'bg-red-600 text-white',
+    high: 'bg-red-500 text-white',
+    medium: 'bg-yellow-500 text-black',
+    low: 'bg-blue-500 text-white',
+    info: 'bg-gray-500 text-white'
+  };
+
+  const findingsHtml = result.findings.map(finding => `
+    <div class="finding border-l-4 ${finding.severity === 'critical' ? 'border-red-600' : finding.severity === 'high' ? 'border-red-500' : finding.severity === 'medium' ? 'border-yellow-500' : finding.severity === 'low' ? 'border-blue-500' : 'border-gray-500'} bg-white shadow-md rounded-r-lg p-4 mb-4">
+      <div class="flex items-center gap-2 mb-2">
+        <span class="px-2 py-1 rounded text-xs font-bold ${severityClasses[finding.severity]}">${finding.severity.toUpperCase()}</span>
+        <span class="text-gray-500 text-sm">${finding.ruleId}</span>
+        <span class="font-semibold">${finding.ruleName}</span>
+      </div>
+      <p class="text-gray-700 mb-2">${finding.message}</p>
+      <p class="text-sm text-gray-500 mb-2">
+        <span class="font-mono">${finding.filePath}${finding.line ? `:${finding.line}` : ''}</span>
+      </p>
+      ${finding.codeSnippet ? `<pre class="bg-gray-100 p-2 rounded text-sm overflow-x-auto mb-2"><code>${escapeHtml(finding.codeSnippet)}</code></pre>` : ''}
+      <p class="text-sm"><strong>Remediation:</strong> ${finding.remediation}</p>
+      ${finding.references && finding.references.length > 0 ? `<p class="text-sm text-blue-600 mt-2"><a href="${finding.references[0]}" target="_blank" rel="noopener">Learn more →</a></p>` : ''}
+    </div>
+  `).join('');
+
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Capsec Security Report</title>
+  <script src="https://cdn.tailwindcss.com"></script>
+  <style>
+    body { font-family: system-ui, -apple-system, sans-serif; }
+  </style>
+</head>
+<body class="bg-gray-100 min-h-screen">
+  <div class="container mx-auto px-4 py-8 max-w-4xl">
+    <header class="bg-gradient-to-r from-purple-600 to-indigo-600 text-white rounded-lg shadow-lg p-8 mb-8">
+      <h1 class="text-3xl font-bold mb-2">🔒 Capsec Security Report</h1>
+      <p class="opacity-80">Capacitor Security Scanner</p>
+    </header>
+
+    <section class="bg-white rounded-lg shadow-md p-6 mb-8">
+      <h2 class="text-xl font-bold mb-4">Summary</h2>
+      <div class="grid grid-cols-2 md:grid-cols-4 gap-4 mb-4">
+        <div class="text-center p-4 bg-gray-50 rounded">
+          <div class="text-2xl font-bold">${result.filesScanned}</div>
+          <div class="text-gray-500 text-sm">Files Scanned</div>
+        </div>
+        <div class="text-center p-4 bg-gray-50 rounded">
+          <div class="text-2xl font-bold">${result.summary.total}</div>
+          <div class="text-gray-500 text-sm">Total Findings</div>
+        </div>
+        <div class="text-center p-4 bg-gray-50 rounded">
+          <div class="text-2xl font-bold">${result.duration}ms</div>
+          <div class="text-gray-500 text-sm">Scan Duration</div>
+        </div>
+        <div class="text-center p-4 bg-gray-50 rounded">
+          <div class="text-2xl font-bold">${new Date(result.timestamp).toLocaleDateString()}</div>
+          <div class="text-gray-500 text-sm">Scan Date</div>
+        </div>
+      </div>
+
+      <div class="flex flex-wrap gap-2">
+        ${result.summary.critical > 0 ? `<span class="px-3 py-1 rounded-full text-sm font-bold bg-red-600 text-white">${result.summary.critical} Critical</span>` : ''}
+        ${result.summary.high > 0 ? `<span class="px-3 py-1 rounded-full text-sm font-bold bg-red-500 text-white">${result.summary.high} High</span>` : ''}
+        ${result.summary.medium > 0 ? `<span class="px-3 py-1 rounded-full text-sm font-bold bg-yellow-500 text-black">${result.summary.medium} Medium</span>` : ''}
+        ${result.summary.low > 0 ? `<span class="px-3 py-1 rounded-full text-sm font-bold bg-blue-500 text-white">${result.summary.low} Low</span>` : ''}
+        ${result.summary.info > 0 ? `<span class="px-3 py-1 rounded-full text-sm font-bold bg-gray-500 text-white">${result.summary.info} Info</span>` : ''}
+      </div>
+    </section>
+
+    <section>
+      <h2 class="text-xl font-bold mb-4">Findings</h2>
+      ${result.findings.length > 0 ? findingsHtml : '<p class="text-green-600 text-lg font-semibold">✓ No security issues found!</p>'}
+    </section>
+
+    <footer class="text-center text-gray-500 text-sm mt-8 pt-8 border-t">
+      <p>Generated by <a href="https://capacitor-sec.dev" class="text-purple-600 hover:underline">capsec</a> - Capacitor Security Scanner</p>
+      <p class="mt-2">Project: ${result.projectPath}</p>
+    </footer>
+  </div>
+</body>
+</html>`;
+}
+
+function escapeHtml(text: string): string {
+  return text
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#039;');
+}