@capgo/capgo-sec 1.0.4

package/test/rules.test.ts

@@ -0,0 +1,235 @@
+import { describe, expect, test } from 'bun:test';
+import { allRules, ruleCount } from '../src/rules/index';
+import { secretsRules } from '../src/rules/secrets';
+import { storageRules } from '../src/rules/storage';
+import { networkRules } from '../src/rules/network';
+import { capacitorRules } from '../src/rules/capacitor';
+import { androidRules } from '../src/rules/android';
+import { iosRules } from '../src/rules/ios';
+import { authenticationRules } from '../src/rules/authentication';
+import { webviewRules } from '../src/rules/webview';
+import { cryptographyRules } from '../src/rules/cryptography';
+import { loggingRules, debugRules } from '../src/rules/logging';
+
+describe('Security Rules', () => {
+  test('should have correct total rule count', () => {
+    expect(ruleCount).toBeGreaterThan(60);
+    expect(allRules.length).toBe(ruleCount);
+  });
+
+  test('all rules should have required properties', () => {
+    for (const rule of allRules) {
+      expect(rule.id).toBeDefined();
+      expect(rule.name).toBeDefined();
+      expect(rule.description).toBeDefined();
+      expect(rule.severity).toBeDefined();
+      expect(rule.category).toBeDefined();
+      expect(rule.remediation).toBeDefined();
+      expect(['critical', 'high', 'medium', 'low', 'info']).toContain(rule.severity);
+    }
+  });
+
+  test('all rules should have unique IDs', () => {
+    const ids = allRules.map(r => r.id);
+    const uniqueIds = new Set(ids);
+    expect(uniqueIds.size).toBe(ids.length);
+  });
+
+  test('secrets rules should detect hardcoded API keys', () => {
+    const rule = secretsRules.find(r => r.id === 'SEC001');
+    expect(rule).toBeDefined();
+
+    const testCode = `const apiKey = "AKIA1234567890ABCDEF";`;
+    const findings = rule!.check!(testCode, 'test.ts');
+
+    expect(findings.length).toBeGreaterThan(0);
+    expect(findings[0].severity).toBe('critical');
+  });
+
+  test('secrets rules should detect Firebase keys', () => {
+    const rule = secretsRules.find(r => r.id === 'SEC001');
+    expect(rule).toBeDefined();
+
+    const testCode = `const firebase = "AIzaSyDOCAbC123dEf456GhI789jKl012mNo3456";`;
+    const findings = rule!.check!(testCode, 'test.ts');
+
+    expect(findings.length).toBeGreaterThan(0);
+  });
+
+  test('storage rules should detect sensitive data in Preferences', () => {
+    const rule = storageRules.find(r => r.id === 'STO001');
+    expect(rule).toBeDefined();
+
+    const testCode = `Preferences.set({ key: 'userPassword', value: password });`;
+    const findings = rule!.check!(testCode, 'test.ts');
+
+    expect(findings.length).toBeGreaterThan(0);
+    expect(findings[0].severity).toBe('high');
+  });
+
+  test('storage rules should detect localStorage for sensitive data', () => {
+    const rule = storageRules.find(r => r.id === 'STO002');
+    expect(rule).toBeDefined();
+
+    const testCode = `localStorage.setItem("authToken", token);`;
+    const findings = rule!.check!(testCode, 'test.ts');
+
+    expect(findings.length).toBeGreaterThan(0);
+  });
+
+  test('network rules should detect HTTP URLs', () => {
+    const rule = networkRules.find(r => r.id === 'NET001');
+    expect(rule).toBeDefined();
+
+    const testCode = `fetch("http://api.example.com/data");`;
+    const findings = rule!.check!(testCode, 'test.ts');
+
+    expect(findings.length).toBeGreaterThan(0);
+    expect(findings[0].severity).toBe('high');
+  });
+
+  test('network rules should allow localhost HTTP', () => {
+    const rule = networkRules.find(r => r.id === 'NET001');
+    expect(rule).toBeDefined();
+
+    const testCode = `fetch("http://localhost:3000/api");`;
+    const findings = rule!.check!(testCode, 'test.ts');
+
+    expect(findings.length).toBe(0);
+  });
+
+  test('capacitor rules should detect WebView debug mode', () => {
+    const rule = capacitorRules.find(r => r.id === 'CAP001');
+    expect(rule).toBeDefined();
+
+    const testCode = `
+      export default {
+        webContentsDebuggingEnabled: true,
+        appId: 'com.example.app'
+      };
+    `;
+    const findings = rule!.check!(testCode, 'capacitor.config.ts');
+
+    expect(findings.length).toBeGreaterThan(0);
+    expect(findings[0].severity).toBe('critical');
+  });
+
+  test('capacitor rules should detect eval usage', () => {
+    const rule = capacitorRules.find(r => r.id === 'CAP006');
+    expect(rule).toBeDefined();
+
+    const testCode = `const result = eval(userInput);`;
+    const findings = rule!.check!(testCode, 'test.ts');
+
+    expect(findings.length).toBeGreaterThan(0);
+    expect(findings[0].severity).toBe('critical');
+  });
+
+  test('android rules should detect cleartext traffic', () => {
+    const rule = androidRules.find(r => r.id === 'AND001');
+    expect(rule).toBeDefined();
+
+    const testXml = `
+      <application
+        android:usesCleartextTraffic="true"
+        android:label="@string/app_name">
+      </application>
+    `;
+    const findings = rule!.check!(testXml, 'AndroidManifest.xml');
+
+    expect(findings.length).toBeGreaterThan(0);
+    expect(findings[0].severity).toBe('critical');
+  });
+
+  test('android rules should detect debug mode', () => {
+    const rule = androidRules.find(r => r.id === 'AND002');
+    expect(rule).toBeDefined();
+
+    const testXml = `
+      <application
+        android:debuggable="true"
+        android:label="@string/app_name">
+      </application>
+    `;
+    const findings = rule!.check!(testXml, 'AndroidManifest.xml');
+
+    expect(findings.length).toBeGreaterThan(0);
+  });
+
+  test('ios rules should detect ATS disabled', () => {
+    const rule = iosRules.find(r => r.id === 'IOS001');
+    expect(rule).toBeDefined();
+
+    const testPlist = `
+      <key>NSAppTransportSecurity</key>
+      <dict>
+        <key>NSAllowsArbitraryLoads</key>
+        <true />
+      </dict>
+    `;
+    const findings = rule!.check!(testPlist, 'Info.plist');
+
+    expect(findings.length).toBeGreaterThan(0);
+    expect(findings[0].severity).toBe('critical');
+  });
+
+  test('authentication rules should detect weak JWT validation', () => {
+    const rule = authenticationRules.find(r => r.id === 'AUTH001');
+    expect(rule).toBeDefined();
+
+    const testCode = `const claims = jwtDecode(token);`;
+    const findings = rule!.check!(testCode, 'test.ts');
+
+    expect(findings.length).toBeGreaterThan(0);
+  });
+
+  test('authentication rules should detect Math.random in security context', () => {
+    const rule = authenticationRules.find(r => r.id === 'AUTH003');
+    expect(rule).toBeDefined();
+
+    const testCode = `const token = Math.random().toString(36);`;
+    const findings = rule!.check!(testCode, 'test.ts');
+
+    expect(findings.length).toBeGreaterThan(0);
+  });
+
+  test('webview rules should detect innerHTML usage', () => {
+    const rule = webviewRules.find(r => r.id === 'WEB001');
+    expect(rule).toBeDefined();
+
+    const testCode = `element.innerHTML = userInput;`;
+    const findings = rule!.check!(testCode, 'test.ts');
+
+    expect(findings.length).toBeGreaterThan(0);
+  });
+
+  test('cryptography rules should detect weak algorithms', () => {
+    const rule = cryptographyRules.find(r => r.id === 'CRY001');
+    expect(rule).toBeDefined();
+
+    const testCode = `const hash = crypto.createHash('md5').update(data).digest('hex');`;
+    const findings = rule!.check!(testCode, 'test.ts');
+
+    expect(findings.length).toBeGreaterThan(0);
+  });
+
+  test('logging rules should detect sensitive data in logs', () => {
+    const rule = loggingRules.find(r => r.id === 'LOG001');
+    expect(rule).toBeDefined();
+
+    const testCode = `console.log('User password:', password);`;
+    const findings = rule!.check!(testCode, 'test.ts');
+
+    expect(findings.length).toBeGreaterThan(0);
+  });
+
+  test('debug rules should detect debugger statements', () => {
+    const rule = debugRules.find(r => r.id === 'DBG001');
+    expect(rule).toBeDefined();
+
+    const testCode = `function test() { debugger; return 1; }`;
+    const findings = rule!.check!(testCode, 'test.ts');
+
+    expect(findings.length).toBeGreaterThan(0);
+  });
+});

package/test/scanner.test.ts

@@ -0,0 +1,292 @@
+import { describe, expect, test, beforeAll, afterAll } from 'bun:test';
+import { SecurityScanner } from '../src/scanners/engine';
+import { mkdir, rm } from 'fs/promises';
+import { join } from 'path';
+
+const TEST_DIR = '/tmp/capsec-test-project';
+
+describe('SecurityScanner', () => {
+  beforeAll(async () => {
+    // Create test project directory
+    await mkdir(TEST_DIR, { recursive: true });
+    await mkdir(join(TEST_DIR, 'src'), { recursive: true });
+    await mkdir(join(TEST_DIR, 'android/app/src/main'), { recursive: true });
+    await mkdir(join(TEST_DIR, 'ios/App'), { recursive: true });
+
+    // Create test files with vulnerabilities using Bun.write
+    await Bun.write(
+      join(TEST_DIR, 'src/api.ts'),
+      `
+const API_KEY = "AKIA1234567890ABCDEF";
+const secret = "my_secret_key_for_testing_purposes";
+
+export async function fetchData() {
+  return fetch("http://api.example.com/data");
+}
+
+export function processInput(input: string) {
+  return eval(input);
+}
+`
+    );
+
+    await Bun.write(
+      join(TEST_DIR, 'src/auth.ts'),
+      `
+import { jwtDecode } from 'jwt-decode';
+
+export function getUserFromToken(token: string) {
+  const user = jwtDecode(token);
+  console.log('User token:', token);
+  return user;
+}
+
+export function generateSessionId() {
+  return Math.random().toString(36);
+}
+`
+    );
+
+    await Bun.write(
+      join(TEST_DIR, 'capacitor.config.ts'),
+      `
+import { CapacitorConfig } from '@capacitor/cli';
+
+const config: CapacitorConfig = {
+  appId: 'com.example.app',
+  appName: 'Test App',
+  webDir: 'dist',
+  server: {
+    cleartext: true
+  },
+  android: {
+    webContentsDebuggingEnabled: true,
+    allowMixedContent: true
+  }
+};
+
+export default config;
+`
+    );
+
+    await Bun.write(
+      join(TEST_DIR, 'android/app/src/main/AndroidManifest.xml'),
+      `
+<?xml version="1.0" encoding="utf-8"?>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android">
+  <application
+    android:usesCleartextTraffic="true"
+    android:debuggable="true"
+    android:allowBackup="true">
+  </application>
+  <uses-permission android:name="android.permission.READ_SMS"/>
+  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
+</manifest>
+`
+    );
+
+    await Bun.write(
+      join(TEST_DIR, 'ios/App/Info.plist'),
+      `
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN">
+<plist version="1.0">
+<dict>
+  <key>NSAppTransportSecurity</key>
+  <dict>
+    <key>NSAllowsArbitraryLoads</key>
+    <true />
+  </dict>
+</dict>
+</plist>
+`
+    );
+
+    await Bun.write(
+      join(TEST_DIR, 'src/storage.ts'),
+      `
+import { Preferences } from '@capacitor/preferences';
+
+export async function saveCredentials(password: string) {
+  await Preferences.set({ key: 'userPassword', value: password });
+  localStorage.setItem('authToken', 'secret');
+}
+`
+    );
+  });
+
+  afterAll(async () => {
+    // Cleanup test directory
+    await rm(TEST_DIR, { recursive: true, force: true });
+  });
+
+  test('should scan project and find vulnerabilities', async () => {
+    const scanner = new SecurityScanner({
+      path: TEST_DIR
+    });
+
+    const result = await scanner.scan();
+
+    expect(result.filesScanned).toBeGreaterThan(0);
+    expect(result.findings.length).toBeGreaterThan(0);
+    expect(result.summary.total).toBeGreaterThan(0);
+  });
+
+  test('should find critical severity issues', async () => {
+    const scanner = new SecurityScanner({
+      path: TEST_DIR
+    });
+
+    const result = await scanner.scan();
+
+    expect(result.summary.critical).toBeGreaterThan(0);
+  });
+
+  test('should find high severity issues', async () => {
+    const scanner = new SecurityScanner({
+      path: TEST_DIR
+    });
+
+    const result = await scanner.scan();
+
+    expect(result.summary.high).toBeGreaterThan(0);
+  });
+
+  test('should detect secrets in code', async () => {
+    const scanner = new SecurityScanner({
+      path: TEST_DIR,
+      categories: ['secrets']
+    });
+
+    const result = await scanner.scan();
+
+    const secretFindings = result.findings.filter(f => f.category === 'secrets');
+    expect(secretFindings.length).toBeGreaterThan(0);
+  });
+
+  test('should detect network issues', async () => {
+    const scanner = new SecurityScanner({
+      path: TEST_DIR,
+      categories: ['network']
+    });
+
+    const result = await scanner.scan();
+
+    const networkFindings = result.findings.filter(f => f.category === 'network');
+    expect(networkFindings.length).toBeGreaterThan(0);
+  });
+
+  test('should detect capacitor config issues', async () => {
+    const scanner = new SecurityScanner({
+      path: TEST_DIR,
+      categories: ['capacitor']
+    });
+
+    const result = await scanner.scan();
+
+    const capFindings = result.findings.filter(f => f.category === 'capacitor');
+    expect(capFindings.length).toBeGreaterThan(0);
+  });
+
+  test('should detect android issues', async () => {
+    const scanner = new SecurityScanner({
+      path: TEST_DIR,
+      categories: ['android']
+    });
+
+    const result = await scanner.scan();
+
+    const androidFindings = result.findings.filter(f => f.category === 'android');
+    expect(androidFindings.length).toBeGreaterThan(0);
+  });
+
+  test('should detect iOS issues', async () => {
+    const scanner = new SecurityScanner({
+      path: TEST_DIR,
+      categories: ['ios']
+    });
+
+    const result = await scanner.scan();
+
+    const iosFindings = result.findings.filter(f => f.category === 'ios');
+    expect(iosFindings.length).toBeGreaterThan(0);
+  });
+
+  test('should filter by severity', async () => {
+    const scanner = new SecurityScanner({
+      path: TEST_DIR,
+      severity: 'high'  // Show critical and high
+    });
+
+    const result = await scanner.scan();
+
+    // All findings should be critical or high
+    for (const finding of result.findings) {
+      expect(['critical', 'high']).toContain(finding.severity);
+    }
+  });
+
+  test('should return findings sorted by severity', async () => {
+    const scanner = new SecurityScanner({
+      path: TEST_DIR
+    });
+
+    const result = await scanner.scan();
+
+    const severityOrder = ['critical', 'high', 'medium', 'low', 'info'];
+    let lastIndex = -1;
+
+    for (const finding of result.findings) {
+      const currentIndex = severityOrder.indexOf(finding.severity);
+      expect(currentIndex).toBeGreaterThanOrEqual(lastIndex);
+      lastIndex = currentIndex;
+    }
+  });
+
+  test('should include remediation for all findings', async () => {
+    const scanner = new SecurityScanner({
+      path: TEST_DIR
+    });
+
+    const result = await scanner.scan();
+
+    for (const finding of result.findings) {
+      expect(finding.remediation).toBeDefined();
+      expect(finding.remediation.length).toBeGreaterThan(0);
+    }
+  });
+
+  test('should provide correct summary counts', async () => {
+    const scanner = new SecurityScanner({
+      path: TEST_DIR
+    });
+
+    const result = await scanner.scan();
+
+    const countedTotal =
+      result.summary.critical +
+      result.summary.high +
+      result.summary.medium +
+      result.summary.low +
+      result.summary.info;
+
+    expect(countedTotal).toBe(result.summary.total);
+    expect(result.summary.total).toBe(result.findings.length);
+  });
+
+  test('should have timing information', async () => {
+    const scanner = new SecurityScanner({
+      path: TEST_DIR
+    });
+
+    const result = await scanner.scan();
+
+    expect(result.duration).toBeGreaterThan(0);
+    expect(result.timestamp).toBeDefined();
+  });
+
+  test('getRuleCount should return correct count', () => {
+    const count = SecurityScanner.getRuleCount();
+    expect(count).toBeGreaterThan(60);
+  });
+});

package/tsconfig.json

@@ -0,0 +1,19 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "lib": ["ES2022"],
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "declaration": true,
+    "resolveJsonModule": true,
+    "types": ["bun-types"]
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist", "test"]
+}