@clear-capabilities/agentic-security-scanner 0.77.0 → 0.78.0

package/src/sast/sensitive-data-logging.js

@@ -0,0 +1,73 @@
+// Sensitive data logging detector.
+//
+// Flags PII-named variables sent to logging sinks without sanitization.
+// Covers JS (console/winston/pino/bunyan), Python (logging/print),
+// Go (log/fmt.Printf).
+
+const PII_CONTEXT = /\b(email|ssn|password|phone|dob|date_of_birth|credit_card|card_number|social_security|passport|medical_record|ip_address|first_name|last_name|address|zip_code|bank_account)\b/i;
+
+function _line(raw, idx) { return raw.slice(0, idx).split('\n').length; }
+
+const LANG_SINKS = {
+  js: {
+    ext: /\.(?:js|jsx|ts|tsx|mjs|cjs)$/i,
+    sinks: [
+      /\bconsole\.(?:log|warn|error|info|debug|trace)\s*\(/g,
+      /\blogger\.(?:log|info|warn|error|debug|trace|fatal)\s*\(/g,
+      /\b(?:winston|pino|bunyan|log4js)(?:\.\w+)*\.(?:info|warn|error|debug|log)\s*\(/g,
+    ],
+  },
+  py: {
+    ext: /\.py$/i,
+    sinks: [
+      /\blogging\.(?:info|warning|error|debug|critical)\s*\(/g,
+      /\blogger\.(?:info|warning|error|debug|critical)\s*\(/g,
+      /\bprint\s*\(/g,
+    ],
+  },
+  go: {
+    ext: /\.go$/i,
+    sinks: [
+      /\blog\.(?:Printf|Println|Print|Fatalf|Fatal)\s*\(/g,
+      /\bfmt\.(?:Printf|Println|Print|Fprintf)\s*\(/g,
+    ],
+  },
+};
+
+export function scanSensitiveDataLogging(fp, raw) {
+  if (!fp || !raw || typeof raw !== 'string') return [];
+  if (raw.length > 500_000) return [];
+
+  const findings = [];
+  let lang = null;
+  for (const v of Object.values(LANG_SINKS)) {
+    if (v.ext.test(fp)) { lang = v; break; }
+  }
+  if (!lang) return [];
+
+  for (const sinkRe of lang.sinks) {
+    sinkRe.lastIndex = 0;
+    for (const m of raw.matchAll(sinkRe)) {
+      const lineNum = _line(raw, m.index);
+      const lineEnd = raw.indexOf('\n', m.index);
+      const lineText = raw.slice(m.index, lineEnd > 0 ? lineEnd : m.index + 200);
+      if (!PII_CONTEXT.test(lineText)) continue;
+      // Skip if the line contains redaction/masking
+      if (/\b(?:redact|mask|sanitize|censor|scrub|\*{3,}|\.{3}|slice\s*\(\s*0\s*,\s*\d\s*\))\b/i.test(lineText)) continue;
+      findings.push({
+        id: `sensitive-log:${fp}:${lineNum}`,
+        file: fp, line: lineNum,
+        vuln: 'Sensitive Data Logged — PII-named variable sent to logger without sanitization',
+        severity: 'medium',
+        family: 'sensitive-data-logging',
+        cwe: 'CWE-532',
+        parser: 'PII-LOG',
+        confidence: 0.70,
+        description: 'A variable with a PII-related name (email, password, ssn, etc.) is logged without redaction. Log aggregators, crash reporters, and stdout can expose this data.',
+        remediation: 'Redact sensitive fields before logging: logger.info("Login", { email: email.slice(0, 3) + "***" }). Never log passwords, SSNs, or credit card numbers.',
+        snippet: lineText.trim().slice(0, 100),
+      });
+    }
+  }
+  return findings;
+}

package/src/sast/weak-password-hash.js

@@ -0,0 +1,77 @@
+// Weak password hashing detector.
+//
+// Context-gated: only fires when the hash input variable is named
+// password/secret/credential or the enclosing function is password-related.
+// Detects MD5/SHA1 without salt for password storage.
+
+const PASSWORD_CONTEXT = /\b(password|passwd|pwd|secret|credential|passphrase|pass_hash|user_pass)\b/i;
+const PASSWORD_FUNC = /\b(hashPassword|encryptPassword|checkPassword|verifyPassword|createHash|setPassword|validatePassword|hash_password|check_password)\b/i;
+
+function _line(raw, idx) { return raw.slice(0, idx).split('\n').length; }
+
+const PATTERNS = {
+  js: {
+    ext: /\.(?:js|jsx|ts|tsx|mjs|cjs)$/i,
+    rules: [
+      { re: /\bcreateHash\s*\(\s*['"](?:md5|sha1|sha-1|md4)['"]\s*\)[\s\S]{0,60}\.update\s*\(\s*(\w+)/g, label: 'createHash with weak algorithm' },
+      { re: /\bmd5\s*\(\s*(\w+)/g, label: 'md5() function call' },
+      { re: /\bsha1\s*\(\s*(\w+)/g, label: 'sha1() function call' },
+    ],
+  },
+  py: {
+    ext: /\.py$/i,
+    rules: [
+      { re: /\bhashlib\.(?:md5|sha1)\s*\(\s*(\w+)/g, label: 'hashlib.md5/sha1' },
+      { re: /\bhashlib\.new\s*\(\s*['"](?:md5|sha1)['"]\s*\)[\s\S]{0,40}\.update\s*\(\s*(\w+)/g, label: 'hashlib.new with weak algorithm' },
+    ],
+  },
+  go: {
+    ext: /\.go$/i,
+    rules: [
+      { re: /\bmd5\.(?:Sum|New)\s*\(\s*(?:\[\]byte\s*\(\s*)?(\w+)/g, label: 'md5.Sum/New' },
+      { re: /\bsha1\.(?:Sum|New)\s*\(\s*(?:\[\]byte\s*\(\s*)?(\w+)/g, label: 'sha1.Sum/New' },
+    ],
+  },
+};
+
+export function scanWeakPasswordHash(fp, raw) {
+  if (!fp || !raw || typeof raw !== 'string') return [];
+  if (raw.length > 500_000) return [];
+
+  const findings = [];
+  let lang = null;
+  for (const v of Object.values(PATTERNS)) {
+    if (v.ext.test(fp)) { lang = v; break; }
+  }
+  if (!lang) return [];
+
+  for (const { re, label } of lang.rules) {
+    re.lastIndex = 0;
+    for (const m of raw.matchAll(re)) {
+      const inputVar = m[1] || '';
+      const line = _line(raw, m.index);
+      // Check context: password-named variable or password-related function
+      const funcStart = raw.lastIndexOf('\n', Math.max(0, m.index - 500));
+      const context = raw.slice(funcStart, m.index + m[0].length + 100);
+      if (!PASSWORD_CONTEXT.test(inputVar) && !PASSWORD_CONTEXT.test(context) && !PASSWORD_FUNC.test(context)) continue;
+      // Check for salt within 10 lines before
+      const before = raw.slice(Math.max(0, m.index - 400), m.index);
+      const hasSalt = /\b(salt|randomBytes|urandom|os\.urandom|crypto\.randomBytes|bcrypt|argon2|scrypt|pbkdf2)\b/i.test(before);
+      if (hasSalt) continue;
+
+      findings.push({
+        id: `weak-pw-hash:${fp}:${line}`,
+        file: fp, line,
+        vuln: `Weak Password Hashing — ${label} for password without salt`,
+        severity: 'critical',
+        family: 'weak-password-hash',
+        cwe: 'CWE-916',
+        parser: 'WEAK-PW-HASH',
+        confidence: 0.80,
+        description: `${label} used on a password-context variable without salt. MD5/SHA1 are fast hashes trivially reversed via rainbow tables. Unsalted hashes are cracked in seconds.`,
+        remediation: 'Use bcrypt (cost ≥ 12), argon2id, or scrypt. Never use MD5/SHA1/SHA256 for password storage.',
+      });
+    }
+  }
+  return findings;
+}

package/src/sast/weak-randomness.js

@@ -0,0 +1,100 @@
+// Cross-language insecure randomness detector.
+//
+// Flags usage of non-cryptographic PRNGs when the result is assigned to a
+// security-sensitive variable (token, session, nonce, key, secret, etc.).
+//
+// Coverage:
+//   JS/TS: Math.random()
+//   Python: random.random(), random.randint(), random.choice(), random.uniform()
+//   Go: rand.Intn(), rand.Int(), rand.Float64(), rand.Int31(), rand.Int63()
+//   Ruby: rand(), Random.rand, Random.new.rand
+//   PHP: rand(), mt_rand(), array_rand(), shuffle()
+
+const SECURITY_CONTEXT = /\b(token|session|nonce|key|secret|password|otp|csrf|salt|code|pin|auth|reset|verify|captcha|challenge|ticket)\b/i;
+
+function _line(raw, idx) {
+  return raw.slice(0, idx).split('\n').length;
+}
+
+const LANG_PATTERNS = {
+  js: {
+    ext: /\.(?:js|jsx|ts|tsx|mjs|cjs)$/i,
+    patterns: [
+      { re: /\bMath\.random\s*\(\s*\)/g, label: 'Math.random()' },
+    ],
+  },
+  py: {
+    ext: /\.py$/i,
+    patterns: [
+      { re: /\brandom\.(?:random|randint|choice|uniform|randrange|sample|getrandbits)\s*\(/g, label: 'random module (non-crypto)' },
+    ],
+  },
+  go: {
+    ext: /\.go$/i,
+    patterns: [
+      { re: /\brand\.(?:Intn|Int|Float64|Float32|Int31|Int63|Int31n|Int63n|Uint32|Uint64)\s*\(/g, label: 'math/rand (non-crypto)' },
+    ],
+  },
+  rb: {
+    ext: /\.rb$/i,
+    patterns: [
+      { re: /\b(?:rand\s*\(|Random\.(?:rand|new\.rand)\s*\()/g, label: 'Kernel.rand / Random.rand' },
+    ],
+  },
+  php: {
+    ext: /\.(?:php|phtml)$/i,
+    patterns: [
+      { re: /\b(?:rand|mt_rand|array_rand)\s*\(/g, label: 'rand() / mt_rand()' },
+    ],
+  },
+};
+
+export function scanWeakRandomness(fp, raw) {
+  if (!fp || !raw || typeof raw !== 'string') return [];
+  if (raw.length > 500_000) return [];
+
+  const findings = [];
+  let lang = null;
+  for (const [k, v] of Object.entries(LANG_PATTERNS)) {
+    if (v.ext.test(fp)) { lang = v; break; }
+  }
+  if (!lang) return [];
+
+  for (const { re, label } of lang.patterns) {
+    re.lastIndex = 0;
+    for (const m of raw.matchAll(re)) {
+      const line = _line(raw, m.index);
+      const lineStart = raw.lastIndexOf('\n', m.index) + 1;
+      const lineEnd = raw.indexOf('\n', m.index);
+      const lineText = raw.slice(lineStart, lineEnd > 0 ? lineEnd : raw.length);
+      if (!SECURITY_CONTEXT.test(lineText)) {
+        const prevLineStart = raw.lastIndexOf('\n', lineStart - 2) + 1;
+        const prevLine = raw.slice(prevLineStart, lineStart - 1);
+        if (!SECURITY_CONTEXT.test(prevLine)) continue;
+      }
+      findings.push({
+        id: `weak-rng:${fp}:${line}`,
+        file: fp,
+        line,
+        vuln: `Insecure Randomness — ${label} used for security-sensitive value`,
+        severity: 'high',
+        family: 'weak-rng',
+        cwe: 'CWE-330',
+        parser: 'WEAK-RNG',
+        confidence: 0.80,
+        description: `${label} is not cryptographically secure. An attacker can predict the output and forge tokens, bypass OTP, or guess session identifiers.`,
+        remediation: _remediation(fp),
+        snippet: lineText.trim().slice(0, 80),
+      });
+    }
+  }
+  return findings;
+}
+
+function _remediation(fp) {
+  if (/\.py$/i.test(fp)) return 'Use secrets.token_hex(32), secrets.token_urlsafe(32), or secrets.randbelow(n).';
+  if (/\.go$/i.test(fp)) return 'Use crypto/rand: n, _ := rand.Int(rand.Reader, big.NewInt(999999)).';
+  if (/\.rb$/i.test(fp)) return 'Use SecureRandom.hex(32) or SecureRandom.uuid.';
+  if (/\.(?:php|phtml)$/i.test(fp)) return 'Use random_bytes(32) or random_int(0, $max).';
+  return 'Use crypto.randomBytes(32).toString("hex") or crypto.getRandomValues().';
+}