@clear-capabilities/agentic-security-scanner 0.76.1 → 0.78.0

package/src/sca/llm-function-extract.js

@@ -0,0 +1,107 @@
+// LLM-assisted vulnerable function extraction for SCA findings.
+//
+// For CVEs without OSV ecosystem_specific data or GHSA fix commits,
+// uses an LLM to extract vulnerable function names from the CVE description.
+//
+// Gated behind AGENTIC_SECURITY_LLM_SCA=1 (opt-in).
+// Uses the same LLM endpoint config as the SAST validator.
+
+import * as crypto from 'node:crypto';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+
+const CACHE_DIR = process.env.XDG_CONFIG_HOME
+  ? path.join(process.env.XDG_CONFIG_HOME, 'agentic-security', 'llm-sca-cache')
+  : path.join(process.env.HOME || '/tmp', '.config', 'agentic-security', 'llm-sca-cache');
+
+function _cacheKey(osvId) {
+  return crypto.createHash('sha256').update(`sca-fn:${osvId}`).digest('hex').slice(0, 16);
+}
+
+function _readCache(osvId) {
+  try {
+    const fp = path.join(CACHE_DIR, _cacheKey(osvId) + '.json');
+    return JSON.parse(fs.readFileSync(fp, 'utf8'));
+  } catch { return null; }
+}
+
+function _writeCache(osvId, data) {
+  try {
+    fs.mkdirSync(CACHE_DIR, { recursive: true });
+    fs.writeFileSync(path.join(CACHE_DIR, _cacheKey(osvId) + '.json'), JSON.stringify(data));
+  } catch { /* cache write failure is non-fatal */ }
+}
+
+export function isLlmScaEnabled() {
+  return process.env.AGENTIC_SECURITY_LLM_SCA === '1';
+}
+
+function _endpointConfig() {
+  const endpoint = process.env.AGENTIC_SECURITY_LLM_ENDPOINT;
+  const apiKey = process.env.AGENTIC_SECURITY_LLM_API_KEY;
+  const model = process.env.AGENTIC_SECURITY_LLM_MODEL || 'unknown';
+  return endpoint ? { endpoint, apiKey, model } : null;
+}
+
+async function _askLlm(prompt, config) {
+  const headers = { 'Content-Type': 'application/json' };
+  if (config.apiKey) headers['Authorization'] = `Bearer ${config.apiKey}`;
+  const resp = await fetch(config.endpoint, {
+    method: 'POST',
+    headers,
+    body: JSON.stringify({ prompt, model: config.model }),
+    signal: AbortSignal.timeout(15000),
+  });
+  if (!resp.ok) return null;
+  const text = await resp.text();
+  const jsonMatch = text.match(/\{[^{}]*"functions"\s*:\s*\[[^\]]*\][^{}]*\}/);
+  if (!jsonMatch) return null;
+  try { return JSON.parse(jsonMatch[0]); } catch { return null; }
+}
+
+export async function extractVulnFunctionsViaLLM(supplyChain, opts = {}) {
+  if (!isLlmScaEnabled()) return [];
+  const config = _endpointConfig();
+  if (!config) return [];
+
+  const enriched = [];
+  const candidates = (supplyChain || []).filter(sc =>
+    sc.type === 'vulnerable_dep' &&
+    (!sc.osvVulnFunctions || !sc.osvVulnFunctions.length) &&
+    sc.noKnownCallSite &&
+    sc.description
+  );
+
+  const BATCH_LIMIT = 20;
+  for (const sc of candidates.slice(0, BATCH_LIMIT)) {
+    const cached = _readCache(sc.osvId);
+    if (cached) {
+      if (cached.functions && cached.functions.length) {
+        sc.osvVulnFunctions = cached.functions;
+        sc._llmFunctionExtracted = true;
+        enriched.push(sc);
+      }
+      continue;
+    }
+
+    const prompt = `Given security advisory ${sc.osvId || ''} (${sc.cveAliases?.[0] || ''}) affecting npm package "${sc.name}" version ${sc.version}:\n\nDescription: ${sc.description.slice(0, 500)}\n\nWhat specific exported function(s) in this package are vulnerable? Return ONLY a JSON object: { "functions": ["functionName1", "functionName2"] }\n\nIf you cannot determine the specific functions, return: { "functions": [] }`;
+
+    try {
+      const result = await _askLlm(prompt, config);
+      if (result && Array.isArray(result.functions)) {
+        const fns = result.functions.filter(f => typeof f === 'string' && f.length > 0 && f.length < 100);
+        _writeCache(sc.osvId, { functions: fns, model: config.model, extractedAt: new Date().toISOString() });
+        if (fns.length) {
+          sc.osvVulnFunctions = fns;
+          sc._llmFunctionExtracted = true;
+          enriched.push(sc);
+        }
+      } else {
+        _writeCache(sc.osvId, { functions: [], model: config.model, extractedAt: new Date().toISOString() });
+      }
+    } catch {
+      // LLM call failure — skip, don't cache (may be transient)
+    }
+  }
+  return enriched;
+}

package/src/sca/vendor-detect.js

@@ -0,0 +1,91 @@
+// Vendored / copied library detection via version-string fingerprinting.
+//
+// Detects library code copied into src/ that bypasses SCA. Uses version
+// string patterns (_.VERSION, jQuery.fn.jquery, etc.) and characteristic
+// function signatures to identify vendored libraries.
+
+const VERSION_FINGERPRINTS = [
+  { pkg: 'lodash', ecosystem: 'npm', patterns: [
+    { re: /\b(?:lodash|_)\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+    { re: /\b__lodash_hash_undefined__\b/, version: null },
+  ]},
+  { pkg: 'jquery', ecosystem: 'npm', patterns: [
+    { re: /jQuery\.fn\.jquery\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+    { re: /\bjQuery\.fn\.init\b/, version: null },
+  ]},
+  { pkg: 'underscore', ecosystem: 'npm', patterns: [
+    { re: /\b_\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'moment', ecosystem: 'npm', patterns: [
+    { re: /\bmoment\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+    { re: /\bmoment\.(?:utc|parseZone|duration|locale)\b/, version: null },
+  ]},
+  { pkg: 'handlebars', ecosystem: 'npm', patterns: [
+    { re: /\bHandlebars\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'backbone', ecosystem: 'npm', patterns: [
+    { re: /\bBackbone\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'angular', ecosystem: 'npm', patterns: [
+    { re: /\bangular\.version\s*=\s*\{[^}]*full\s*:\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'vue', ecosystem: 'npm', patterns: [
+    { re: /\bVue\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'react', ecosystem: 'npm', patterns: [
+    { re: /\bReactVersion\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'dompurify', ecosystem: 'npm', patterns: [
+    { re: /\bDOMPurify\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'marked', ecosystem: 'npm', patterns: [
+    { re: /\bmarked\.(?:defaults|setOptions|use|parse)\b[\s\S]{0,200}version\s*[:=]\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'axios', ecosystem: 'npm', patterns: [
+    { re: /\baxios\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'socket.io-client', ecosystem: 'npm', patterns: [
+    { re: /\bio\.protocol\s*=\s*(\d+)/, version: null },
+  ]},
+  { pkg: 'highlight.js', ecosystem: 'npm', patterns: [
+    { re: /\bhljs\.versionString\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'chart.js', ecosystem: 'npm', patterns: [
+    { re: /\bChart\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+];
+
+const SKIP_DIRS = /(?:^|[/\\])(?:node_modules|vendor|dist|build|\.next|__pycache__|\.git)[/\\]/;
+
+export function detectVendoredLibraries(fileContents) {
+  if (!fileContents || typeof fileContents !== 'object') return [];
+  const detected = [];
+  const seen = new Set();
+
+  for (const [fp, content] of Object.entries(fileContents)) {
+    if (!content || typeof content !== 'string') continue;
+    if (SKIP_DIRS.test(fp)) continue;
+    if (content.length < 500) continue;
+
+    for (const lib of VERSION_FINGERPRINTS) {
+      for (const pat of lib.patterns) {
+        const m = content.match(pat.re);
+        if (!m) continue;
+        const version = pat.versionGroup ? m[pat.versionGroup] : null;
+        const key = `${lib.pkg}:${fp}`;
+        if (seen.has(key)) continue;
+        seen.add(key);
+        detected.push({
+          name: lib.pkg,
+          version: version || 'unknown',
+          ecosystem: lib.ecosystem,
+          file: fp,
+          scope: 'vendored',
+          isVendored: true,
+        });
+        break;
+      }
+    }
+  }
+  return detected;
+}