@datahogo/core 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +661 -0
- package/README.md +17 -0
- package/dist/engines/config.d.ts +3 -0
- package/dist/engines/config.d.ts.map +1 -0
- package/dist/engines/config.js +433 -0
- package/dist/engines/config.js.map +1 -0
- package/dist/engines/dast.d.ts +3 -0
- package/dist/engines/dast.d.ts.map +1 -0
- package/dist/engines/dast.js +167 -0
- package/dist/engines/dast.js.map +1 -0
- package/dist/engines/db-rules.d.ts +3 -0
- package/dist/engines/db-rules.d.ts.map +1 -0
- package/dist/engines/db-rules.js +166 -0
- package/dist/engines/db-rules.js.map +1 -0
- package/dist/engines/dependencies.d.ts +3 -0
- package/dist/engines/dependencies.d.ts.map +1 -0
- package/dist/engines/dependencies.js +167 -0
- package/dist/engines/dependencies.js.map +1 -0
- package/dist/engines/github-actions.d.ts +3 -0
- package/dist/engines/github-actions.d.ts.map +1 -0
- package/dist/engines/github-actions.js +215 -0
- package/dist/engines/github-actions.js.map +1 -0
- package/dist/engines/gitleaks.d.ts +3 -0
- package/dist/engines/gitleaks.d.ts.map +1 -0
- package/dist/engines/gitleaks.js +107 -0
- package/dist/engines/gitleaks.js.map +1 -0
- package/dist/engines/npm-audit.d.ts +3 -0
- package/dist/engines/npm-audit.d.ts.map +1 -0
- package/dist/engines/npm-audit.js +113 -0
- package/dist/engines/npm-audit.js.map +1 -0
- package/dist/engines/patterns.d.ts +3 -0
- package/dist/engines/patterns.d.ts.map +1 -0
- package/dist/engines/patterns.js +1330 -0
- package/dist/engines/patterns.js.map +1 -0
- package/dist/engines/secrets.d.ts +4 -0
- package/dist/engines/secrets.d.ts.map +1 -0
- package/dist/engines/secrets.js +260 -0
- package/dist/engines/secrets.js.map +1 -0
- package/dist/engines/semgrep.d.ts +3 -0
- package/dist/engines/semgrep.d.ts.map +1 -0
- package/dist/engines/semgrep.js +173 -0
- package/dist/engines/semgrep.js.map +1 -0
- package/dist/engines/types.d.ts +30 -0
- package/dist/engines/types.d.ts.map +1 -0
- package/dist/engines/types.js +3 -0
- package/dist/engines/types.js.map +1 -0
- package/dist/engines/url-scanner.d.ts +3 -0
- package/dist/engines/url-scanner.d.ts.map +1 -0
- package/dist/engines/url-scanner.js +469 -0
- package/dist/engines/url-scanner.js.map +1 -0
- package/dist/index.d.ts +8 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +8 -0
- package/dist/index.js.map +1 -0
- package/dist/orchestrator.d.ts +32 -0
- package/dist/orchestrator.d.ts.map +1 -0
- package/dist/orchestrator.js +237 -0
- package/dist/orchestrator.js.map +1 -0
- package/dist/rules/.gitkeep +0 -0
- package/dist/rules/ai-llm-security.yaml +199 -0
- package/dist/rules/api-security.yaml +489 -0
- package/dist/rules/auth-patterns.yaml +406 -0
- package/dist/rules/crypto-patterns.yaml +227 -0
- package/dist/rules/database-cloud-security.yaml +169 -0
- package/dist/rules/general-security.yaml +588 -0
- package/dist/rules/injection-patterns.yaml +318 -0
- package/dist/rules/nextjs-security.yaml +532 -0
- package/dist/rules/node-security.yaml +380 -0
- package/dist/rules/rules/.gitkeep +0 -0
- package/dist/rules/rules/ai-llm-security.yaml +199 -0
- package/dist/rules/rules/api-security.yaml +489 -0
- package/dist/rules/rules/auth-patterns.yaml +406 -0
- package/dist/rules/rules/crypto-patterns.yaml +227 -0
- package/dist/rules/rules/database-cloud-security.yaml +169 -0
- package/dist/rules/rules/general-security.yaml +588 -0
- package/dist/rules/rules/injection-patterns.yaml +318 -0
- package/dist/rules/rules/nextjs-security.yaml +532 -0
- package/dist/rules/rules/node-security.yaml +380 -0
- package/dist/rules/rules/supabase-security.yaml +387 -0
- package/dist/rules/supabase-security.yaml +387 -0
- package/dist/scanning/agents/csharp-agent.d.ts +12 -0
- package/dist/scanning/agents/csharp-agent.d.ts.map +1 -0
- package/dist/scanning/agents/csharp-agent.js +592 -0
- package/dist/scanning/agents/csharp-agent.js.map +1 -0
- package/dist/scanning/agents/go-agent.d.ts +14 -0
- package/dist/scanning/agents/go-agent.d.ts.map +1 -0
- package/dist/scanning/agents/go-agent.js +641 -0
- package/dist/scanning/agents/go-agent.js.map +1 -0
- package/dist/scanning/agents/java-agent.d.ts +8 -0
- package/dist/scanning/agents/java-agent.d.ts.map +1 -0
- package/dist/scanning/agents/java-agent.js +807 -0
- package/dist/scanning/agents/java-agent.js.map +1 -0
- package/dist/scanning/agents/javascript-agent.d.ts +8 -0
- package/dist/scanning/agents/javascript-agent.d.ts.map +1 -0
- package/dist/scanning/agents/javascript-agent.js +77 -0
- package/dist/scanning/agents/javascript-agent.js.map +1 -0
- package/dist/scanning/agents/mobile-agent.d.ts +8 -0
- package/dist/scanning/agents/mobile-agent.d.ts.map +1 -0
- package/dist/scanning/agents/mobile-agent.js +916 -0
- package/dist/scanning/agents/mobile-agent.js.map +1 -0
- package/dist/scanning/agents/php-agent.d.ts +8 -0
- package/dist/scanning/agents/php-agent.d.ts.map +1 -0
- package/dist/scanning/agents/php-agent.js +679 -0
- package/dist/scanning/agents/php-agent.js.map +1 -0
- package/dist/scanning/agents/python-agent.d.ts +8 -0
- package/dist/scanning/agents/python-agent.d.ts.map +1 -0
- package/dist/scanning/agents/python-agent.js +701 -0
- package/dist/scanning/agents/python-agent.js.map +1 -0
- package/dist/scanning/agents/supabase-agent.d.ts +8 -0
- package/dist/scanning/agents/supabase-agent.d.ts.map +1 -0
- package/dist/scanning/agents/supabase-agent.js +484 -0
- package/dist/scanning/agents/supabase-agent.js.map +1 -0
- package/dist/scanning/orchestrator.d.ts +29 -0
- package/dist/scanning/orchestrator.d.ts.map +1 -0
- package/dist/scanning/orchestrator.js +186 -0
- package/dist/scanning/orchestrator.js.map +1 -0
- package/dist/scanning/tech-detector.d.ts +12 -0
- package/dist/scanning/tech-detector.d.ts.map +1 -0
- package/dist/scanning/tech-detector.js +252 -0
- package/dist/scanning/tech-detector.js.map +1 -0
- package/dist/scanning/types.d.ts +87 -0
- package/dist/scanning/types.d.ts.map +1 -0
- package/dist/scanning/types.js +5 -0
- package/dist/scanning/types.js.map +1 -0
- package/dist/utils/child-process.d.ts +2 -0
- package/dist/utils/child-process.d.ts.map +1 -0
- package/dist/utils/child-process.js +4 -0
- package/dist/utils/child-process.js.map +1 -0
- package/dist/utils/context-classifier.d.ts +11 -0
- package/dist/utils/context-classifier.d.ts.map +1 -0
- package/dist/utils/context-classifier.js +79 -0
- package/dist/utils/context-classifier.js.map +1 -0
- package/dist/utils/exec.d.ts +18 -0
- package/dist/utils/exec.d.ts.map +1 -0
- package/dist/utils/exec.js +51 -0
- package/dist/utils/exec.js.map +1 -0
- package/dist/utils/file-filter.d.ts +4 -0
- package/dist/utils/file-filter.d.ts.map +1 -0
- package/dist/utils/file-filter.js +68 -0
- package/dist/utils/file-filter.js.map +1 -0
- package/dist/utils/fs.d.ts +2 -0
- package/dist/utils/fs.d.ts.map +1 -0
- package/dist/utils/fs.js +5 -0
- package/dist/utils/fs.js.map +1 -0
- package/dist/utils/logger.d.ts +12 -0
- package/dist/utils/logger.d.ts.map +1 -0
- package/dist/utils/logger.js +27 -0
- package/dist/utils/logger.js.map +1 -0
- package/dist/utils/post-processor.d.ts +10 -0
- package/dist/utils/post-processor.d.ts.map +1 -0
- package/dist/utils/post-processor.js +183 -0
- package/dist/utils/post-processor.js.map +1 -0
- package/package.json +44 -0
|
@@ -0,0 +1,166 @@
|
|
|
1
|
+
// Database rules parser engine - analyzes Supabase RLS and Firebase security rules
|
|
2
|
+
// Parses user-provided rule text to detect misconfigurations
|
|
3
|
+
export function analyzeDbRules(rulesInput, rulesType) {
|
|
4
|
+
const detectedType = rulesType === "auto" ? detectRulesType(rulesInput) : rulesType;
|
|
5
|
+
if (detectedType === "supabase") {
|
|
6
|
+
return analyzeSupabaseRules(rulesInput);
|
|
7
|
+
}
|
|
8
|
+
if (detectedType === "firebase") {
|
|
9
|
+
return analyzeFirebaseRules(rulesInput);
|
|
10
|
+
}
|
|
11
|
+
return [];
|
|
12
|
+
}
|
|
13
|
+
function detectRulesType(input) {
|
|
14
|
+
if (input.includes("CREATE POLICY") || input.includes("ENABLE ROW LEVEL SECURITY") || input.includes("CREATE TABLE")) {
|
|
15
|
+
return "supabase";
|
|
16
|
+
}
|
|
17
|
+
if (input.includes("allow read") || input.includes("allow write") || input.includes("match /") || input.includes(".read") || input.includes(".write")) {
|
|
18
|
+
return "firebase";
|
|
19
|
+
}
|
|
20
|
+
return "unknown";
|
|
21
|
+
}
|
|
22
|
+
// === Supabase RLS Analysis ===
|
|
23
|
+
function analyzeSupabaseRules(sql) {
|
|
24
|
+
const findings = [];
|
|
25
|
+
// Find all CREATE TABLE statements
|
|
26
|
+
const tableRegex = /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(\w+)/gi;
|
|
27
|
+
let tableMatch;
|
|
28
|
+
const tables = [];
|
|
29
|
+
while ((tableMatch = tableRegex.exec(sql)) !== null) {
|
|
30
|
+
tables.push(tableMatch[1]);
|
|
31
|
+
}
|
|
32
|
+
// Check if each table has RLS enabled
|
|
33
|
+
for (const table of tables) {
|
|
34
|
+
const rlsPattern = new RegExp(`ALTER\\s+TABLE\\s+${table}\\s+ENABLE\\s+ROW\\s+LEVEL\\s+SECURITY`, "i");
|
|
35
|
+
if (!rlsPattern.test(sql)) {
|
|
36
|
+
findings.push({
|
|
37
|
+
vulnerability_id: 31,
|
|
38
|
+
severity: "critical",
|
|
39
|
+
category: "supabase",
|
|
40
|
+
title: `RLS Not Enabled on Table: ${table}`,
|
|
41
|
+
description_technical: `Table ${table} does not have Row Level Security enabled. All data is accessible without restrictions.`,
|
|
42
|
+
code_snippet: `CREATE TABLE ${table} (...)\n-- Missing: ALTER TABLE ${table} ENABLE ROW LEVEL SECURITY;`,
|
|
43
|
+
fix_code: `ALTER TABLE ${table} ENABLE ROW LEVEL SECURITY;`,
|
|
44
|
+
status: "open",
|
|
45
|
+
});
|
|
46
|
+
}
|
|
47
|
+
}
|
|
48
|
+
// Check for USING(true) policies (allow everything)
|
|
49
|
+
const policyUsingTrue = /CREATE\s+POLICY\s+["']?(\w+)["']?\s+ON\s+(\w+)[\s\S]*?USING\s*\(\s*true\s*\)/gi;
|
|
50
|
+
let policyMatch;
|
|
51
|
+
while ((policyMatch = policyUsingTrue.exec(sql)) !== null) {
|
|
52
|
+
findings.push({
|
|
53
|
+
vulnerability_id: 32,
|
|
54
|
+
severity: "critical",
|
|
55
|
+
category: "supabase",
|
|
56
|
+
title: `RLS Policy Allows Everything: ${policyMatch[1]}`,
|
|
57
|
+
description_technical: `Policy "${policyMatch[1]}" on table "${policyMatch[2]}" uses USING(true), which allows all rows to be accessed by any user.`,
|
|
58
|
+
code_snippet: policyMatch[0],
|
|
59
|
+
status: "open",
|
|
60
|
+
});
|
|
61
|
+
}
|
|
62
|
+
// Check for tables with RLS enabled but no policies
|
|
63
|
+
for (const table of tables) {
|
|
64
|
+
const rlsEnabled = new RegExp(`ALTER\\s+TABLE\\s+${table}\\s+ENABLE\\s+ROW\\s+LEVEL\\s+SECURITY`, "i").test(sql);
|
|
65
|
+
const hasPolicies = new RegExp(`CREATE\\s+POLICY[\\s\\S]*?ON\\s+${table}\\b`, "i").test(sql);
|
|
66
|
+
if (rlsEnabled && !hasPolicies) {
|
|
67
|
+
findings.push({
|
|
68
|
+
vulnerability_id: 33,
|
|
69
|
+
severity: "high",
|
|
70
|
+
category: "supabase",
|
|
71
|
+
title: `RLS Enabled But No Policies on: ${table}`,
|
|
72
|
+
description_technical: `Table "${table}" has RLS enabled but no policies defined. This blocks ALL access, which may be intentional for service-role-only tables, but verify this is expected.`,
|
|
73
|
+
code_snippet: `ALTER TABLE ${table} ENABLE ROW LEVEL SECURITY;\n-- No CREATE POLICY found for this table`,
|
|
74
|
+
status: "open",
|
|
75
|
+
});
|
|
76
|
+
}
|
|
77
|
+
}
|
|
78
|
+
// Check for RPC functions without auth.uid()
|
|
79
|
+
const functionRegex = /CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(\w+)[\s\S]*?(?:LANGUAGE\s+plpgsql|LANGUAGE\s+sql)/gi;
|
|
80
|
+
let funcMatch;
|
|
81
|
+
while ((funcMatch = functionRegex.exec(sql)) !== null) {
|
|
82
|
+
const funcBody = funcMatch[0];
|
|
83
|
+
const funcName = funcMatch[1];
|
|
84
|
+
// Skip trigger functions (they use SECURITY DEFINER for a reason)
|
|
85
|
+
if (/RETURNS\s+TRIGGER/i.test(funcBody))
|
|
86
|
+
continue;
|
|
87
|
+
if (!funcBody.includes("auth.uid()") && !funcBody.includes("SECURITY DEFINER")) {
|
|
88
|
+
// Only flag functions that could be called via RPC
|
|
89
|
+
if (!funcName.startsWith("handle_") && !funcName.startsWith("update_")) {
|
|
90
|
+
findings.push({
|
|
91
|
+
vulnerability_id: 36,
|
|
92
|
+
severity: "high",
|
|
93
|
+
category: "supabase",
|
|
94
|
+
title: `RPC Function Without Auth Check: ${funcName}`,
|
|
95
|
+
description_technical: `Function "${funcName}" doesn't check auth.uid(). If exposed via RPC, any user can call it.`,
|
|
96
|
+
code_snippet: funcBody.substring(0, 200),
|
|
97
|
+
status: "open",
|
|
98
|
+
});
|
|
99
|
+
}
|
|
100
|
+
}
|
|
101
|
+
}
|
|
102
|
+
return findings;
|
|
103
|
+
}
|
|
104
|
+
// === Firebase Rules Analysis ===
|
|
105
|
+
function analyzeFirebaseRules(rules) {
|
|
106
|
+
const findings = [];
|
|
107
|
+
// Check for "allow read, write: if true" (Firestore)
|
|
108
|
+
const firestoreOpenRegex = /allow\s+(?:read|write|read,\s*write)\s*:\s*if\s+true/gi;
|
|
109
|
+
let firestoreMatch;
|
|
110
|
+
while ((firestoreMatch = firestoreOpenRegex.exec(rules)) !== null) {
|
|
111
|
+
findings.push({
|
|
112
|
+
vulnerability_id: 39,
|
|
113
|
+
severity: "critical",
|
|
114
|
+
category: "firebase",
|
|
115
|
+
title: "Firestore Rules Allow All Access",
|
|
116
|
+
description_technical: "Rule 'allow read, write: if true' makes your database completely open to anyone.",
|
|
117
|
+
code_snippet: getContextAroundMatch(rules, firestoreMatch.index),
|
|
118
|
+
status: "open",
|
|
119
|
+
});
|
|
120
|
+
}
|
|
121
|
+
// Check for ".read": true or ".write": true (Realtime DB)
|
|
122
|
+
const realtimeOpenRegex = /["']\.(?:read|write)["']\s*:\s*(?:true|"true")/gi;
|
|
123
|
+
let realtimeMatch;
|
|
124
|
+
while ((realtimeMatch = realtimeOpenRegex.exec(rules)) !== null) {
|
|
125
|
+
findings.push({
|
|
126
|
+
vulnerability_id: 40,
|
|
127
|
+
severity: "critical",
|
|
128
|
+
category: "firebase",
|
|
129
|
+
title: "Realtime Database Rules Allow All Access",
|
|
130
|
+
description_technical: "Open .read or .write rules make your database accessible to anyone.",
|
|
131
|
+
code_snippet: getContextAroundMatch(rules, realtimeMatch.index),
|
|
132
|
+
status: "open",
|
|
133
|
+
});
|
|
134
|
+
}
|
|
135
|
+
// Check for permissive storage rules
|
|
136
|
+
const storageOpenRegex = /allow\s+(?:read|write|read,\s*write)\s*:\s*if\s+true[\s\S]*?match\s+\/b\/\{bucket\}\/o\/\{allPaths=\*\*\}/gi;
|
|
137
|
+
if (storageOpenRegex.test(rules)) {
|
|
138
|
+
findings.push({
|
|
139
|
+
vulnerability_id: 41,
|
|
140
|
+
severity: "high",
|
|
141
|
+
category: "firebase",
|
|
142
|
+
title: "Storage Rules Are Permissive",
|
|
143
|
+
description_technical: "Storage rules allow unrestricted access to all files.",
|
|
144
|
+
status: "open",
|
|
145
|
+
});
|
|
146
|
+
}
|
|
147
|
+
// Check for missing request.auth in rules
|
|
148
|
+
if (rules.includes("match /") && !rules.includes("request.auth")) {
|
|
149
|
+
findings.push({
|
|
150
|
+
vulnerability_id: 39,
|
|
151
|
+
severity: "high",
|
|
152
|
+
category: "firebase",
|
|
153
|
+
title: "Firestore Rules Missing Authentication Check",
|
|
154
|
+
description_technical: "Rules don't check request.auth, meaning unauthenticated users may have access.",
|
|
155
|
+
code_snippet: rules.substring(0, 300),
|
|
156
|
+
status: "open",
|
|
157
|
+
});
|
|
158
|
+
}
|
|
159
|
+
return findings;
|
|
160
|
+
}
|
|
161
|
+
function getContextAroundMatch(text, index) {
|
|
162
|
+
const start = Math.max(0, text.lastIndexOf("\n", index - 1));
|
|
163
|
+
const end = text.indexOf("\n", index + 50);
|
|
164
|
+
return text.substring(start, end === -1 ? text.length : end).trim();
|
|
165
|
+
}
|
|
166
|
+
//# sourceMappingURL=db-rules.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"db-rules.js","sourceRoot":"","sources":["../../src/engines/db-rules.ts"],"names":[],"mappings":"AAAA,mFAAmF;AACnF,6DAA6D;AAI7D,MAAM,UAAU,cAAc,CAC5B,UAAkB,EAClB,SAA2C;IAE3C,MAAM,YAAY,GAAG,SAAS,KAAK,MAAM,CAAC,CAAC,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAEpF,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,OAAO,oBAAoB,CAAC,UAAU,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,OAAO,oBAAoB,CAAC,UAAU,CAAC,CAAC;IAC1C,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,IAAI,KAAK,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,2BAA2B,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QACrH,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QACtJ,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,gCAAgC;AAEhC,SAAS,oBAAoB,CAAC,GAAW;IACvC,MAAM,QAAQ,GAAkB,EAAE,CAAC;IAEnC,mCAAmC;IACnC,MAAM,UAAU,GAAG,mDAAmD,CAAC;IACvE,IAAI,UAAU,CAAC;IACf,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,OAAO,CAAC,UAAU,GAAG,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IAED,sCAAsC;IACtC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,UAAU,GAAG,IAAI,MAAM,CAC3B,qBAAqB,KAAK,wCAAwC,EAClE,GAAG,CACJ,CAAC;QACF,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,EAAE;gBACpB,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,UAAU;gBACpB,KAAK,EAAE,6BAA6B,KAAK,EAAE;gBAC3C,qBAAqB,EAAE,SAAS,KAAK,yFAAyF;gBAC9H,YAAY,EAAE,gBAAgB,KAAK,mCAAmC,KAAK,6BAA6B;gBACxG,QAAQ,EAAE,eAAe,KAAK,6BAA6B;gBAC3D,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,oDAAoD;IACpD,MAAM,eAAe,GAAG,gFAAgF,CAAC;IACzG,IAAI,WAAW,CAAC;IAChB,OAAO,CAAC,WAAW,GAAG,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC1D,QAAQ,CAAC,IAAI,CAAC;YACZ,gBAAgB,EAAE,EAAE;YACpB,QAAQ,EAAE,UAAU;YACpB,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,iCAAiC,WAAW,CAAC,CAAC,CAAC,EAAE;YACxD,qBAAqB,EAAE,WAAW,WAAW,CAAC,CAAC,CAAC,eAAe,WAAW,CAAC,CAAC,CAAC,uEAAuE;YACpJ,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC;YAC5B,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;IACL,CAAC;IAED,oDAAoD;IACpD,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,UAAU,GAAG,IAAI,MAAM,CAC3B,qBAAqB,KAAK,wCAAwC,EAClE,GAAG,CACJ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEZ,MAAM,WAAW,GAAG,IAAI,MAAM,CAC5B,mCAAmC,KAAK,KAAK,EAC7C,GAAG,CACJ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEZ,IAAI,UAAU,IAAI,CAAC,WAAW,EAAE,CAAC;YAC/B,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,EAAE;gBACpB,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,UAAU;gBACpB,KAAK,EAAE,mCAAmC,KAAK,EAAE;gBACjD,qBAAqB,EAAE,UAAU,KAAK,wJAAwJ;gBAC9L,YAAY,EAAE,eAAe,KAAK,uEAAuE;gBACzG,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,MAAM,aAAa,GAAG,8FAA8F,CAAC;IACrH,IAAI,SAAS,CAAC;IACd,OAAO,CAAC,SAAS,GAAG,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACtD,MAAM,QAAQ,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;QAC9B,MAAM,QAAQ,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;QAE9B,kEAAkE;QAClE,IAAI,oBAAoB,CAAC,IAAI,CAAC,QAAQ,CAAC;YAAE,SAAS;QAElD,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC/E,mDAAmD;YACnD,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACvE,QAAQ,CAAC,IAAI,CAAC;oBACZ,gBAAgB,EAAE,EAAE;oBACpB,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,UAAU;oBACpB,KAAK,EAAE,oCAAoC,QAAQ,EAAE;oBACrD,qBAAqB,EAAE,aAAa,QAAQ,uEAAuE;oBACnH,YAAY,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;oBACxC,MAAM,EAAE,MAAM;iBACf,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,kCAAkC;AAElC,SAAS,oBAAoB,CAAC,KAAa;IACzC,MAAM,QAAQ,GAAkB,EAAE,CAAC;IAEnC,qDAAqD;IACrD,MAAM,kBAAkB,GAAG,wDAAwD,CAAC;IACpF,IAAI,cAAc,CAAC;IACnB,OAAO,CAAC,cAAc,GAAG,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAClE,QAAQ,CAAC,IAAI,CAAC;YACZ,gBAAgB,EAAE,EAAE;YACpB,QAAQ,EAAE,UAAU;YACpB,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,kCAAkC;YACzC,qBAAqB,EAAE,kFAAkF;YACzG,YAAY,EAAE,qBAAqB,CAAC,KAAK,EAAE,cAAc,CAAC,KAAK,CAAC;YAChE,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;IACL,CAAC;IAED,0DAA0D;IAC1D,MAAM,iBAAiB,GAAG,kDAAkD,CAAC;IAC7E,IAAI,aAAa,CAAC;IAClB,OAAO,CAAC,aAAa,GAAG,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAChE,QAAQ,CAAC,IAAI,CAAC;YACZ,gBAAgB,EAAE,EAAE;YACpB,QAAQ,EAAE,UAAU;YACpB,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,0CAA0C;YACjD,qBAAqB,EAAE,qEAAqE;YAC5F,YAAY,EAAE,qBAAqB,CAAC,KAAK,EAAE,aAAa,CAAC,KAAK,CAAC;YAC/D,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;IACL,CAAC;IAED,qCAAqC;IACrC,MAAM,gBAAgB,GAAG,6GAA6G,CAAC;IACvI,IAAI,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACjC,QAAQ,CAAC,IAAI,CAAC;YACZ,gBAAgB,EAAE,EAAE;YACpB,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,8BAA8B;YACrC,qBAAqB,EAAE,uDAAuD;YAC9E,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;IACL,CAAC;IAED,0CAA0C;IAC1C,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QACjE,QAAQ,CAAC,IAAI,CAAC;YACZ,gBAAgB,EAAE,EAAE;YACpB,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,8CAA8C;YACrD,qBAAqB,EAAE,gFAAgF;YACvG,YAAY,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;YACrC,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAY,EAAE,KAAa;IACxD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC;IAC7D,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC,CAAC;IAC3C,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;AACtE,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dependencies.d.ts","sourceRoot":"","sources":["../../src/engines/dependencies.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAyD9C,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GACzB,WAAW,EAAE,CAuFf"}
|
|
@@ -0,0 +1,167 @@
|
|
|
1
|
+
// Dependencies analysis engine - checks for vulnerable packages
|
|
2
|
+
// In production, this calls npm audit and OSV. For now, checks package.json/lock.
|
|
3
|
+
// Known vulnerable packages (subset - in production, use npm audit + OSV API)
|
|
4
|
+
const KNOWN_VULNERABLE = {
|
|
5
|
+
"node-serialize": {
|
|
6
|
+
severity: "critical",
|
|
7
|
+
description: "Remote code execution via deserialization",
|
|
8
|
+
},
|
|
9
|
+
"serialize-javascript": {
|
|
10
|
+
severity: "high",
|
|
11
|
+
description: "Cross-site scripting via crafted regex",
|
|
12
|
+
fixVersion: "3.1.0",
|
|
13
|
+
},
|
|
14
|
+
"lodash": {
|
|
15
|
+
severity: "high",
|
|
16
|
+
description: "Prototype pollution in older versions",
|
|
17
|
+
fixVersion: "4.17.21",
|
|
18
|
+
},
|
|
19
|
+
"minimist": {
|
|
20
|
+
severity: "high",
|
|
21
|
+
description: "Prototype pollution",
|
|
22
|
+
fixVersion: "1.2.6",
|
|
23
|
+
},
|
|
24
|
+
"axios": {
|
|
25
|
+
severity: "medium",
|
|
26
|
+
description: "SSRF via server-side requests",
|
|
27
|
+
fixVersion: "1.6.0",
|
|
28
|
+
},
|
|
29
|
+
"jsonwebtoken": {
|
|
30
|
+
severity: "high",
|
|
31
|
+
description: "Algorithm confusion vulnerability in older versions",
|
|
32
|
+
fixVersion: "9.0.0",
|
|
33
|
+
},
|
|
34
|
+
"express": {
|
|
35
|
+
severity: "medium",
|
|
36
|
+
description: "Open redirect in older versions",
|
|
37
|
+
fixVersion: "4.19.2",
|
|
38
|
+
},
|
|
39
|
+
"yaml": {
|
|
40
|
+
severity: "critical",
|
|
41
|
+
description: "Code execution via yaml.load unsafe",
|
|
42
|
+
fixVersion: "2.0.0",
|
|
43
|
+
},
|
|
44
|
+
};
|
|
45
|
+
// Packages that are suspicious or commonly typosquatted
|
|
46
|
+
const SUSPICIOUS_PACKAGES = [
|
|
47
|
+
"crossenv", // typosquat of cross-env
|
|
48
|
+
"event-stream", // known supply chain attack
|
|
49
|
+
"flatmap-stream", // part of event-stream attack
|
|
50
|
+
"eslint-scope", // known compromised version
|
|
51
|
+
"electron-native-notify", // known malware
|
|
52
|
+
"discord.js-user", // typosquat
|
|
53
|
+
"colors-js", // typosquat of colors
|
|
54
|
+
"node-ipc-2", // typosquat
|
|
55
|
+
];
|
|
56
|
+
export function analyzeDependencies(files) {
|
|
57
|
+
const findings = [];
|
|
58
|
+
const packageJsonContent = files.get("package.json");
|
|
59
|
+
if (!packageJsonContent)
|
|
60
|
+
return findings;
|
|
61
|
+
try {
|
|
62
|
+
const pkg = JSON.parse(packageJsonContent);
|
|
63
|
+
const allDeps = {
|
|
64
|
+
...pkg.dependencies,
|
|
65
|
+
...pkg.devDependencies,
|
|
66
|
+
};
|
|
67
|
+
// Check for known vulnerable packages
|
|
68
|
+
for (const [name, versionRange] of Object.entries(allDeps)) {
|
|
69
|
+
const version = String(versionRange);
|
|
70
|
+
const known = KNOWN_VULNERABLE[name];
|
|
71
|
+
if (known) {
|
|
72
|
+
// If fixVersion exists, check if current version might be vulnerable
|
|
73
|
+
if (known.fixVersion && isVersionPotentiallyFixed(version, known.fixVersion)) {
|
|
74
|
+
continue;
|
|
75
|
+
}
|
|
76
|
+
findings.push({
|
|
77
|
+
vulnerability_id: 3,
|
|
78
|
+
severity: known.severity,
|
|
79
|
+
category: "supply-chain",
|
|
80
|
+
title: `Vulnerable Package: ${name}`,
|
|
81
|
+
description_technical: known.description,
|
|
82
|
+
file_path: "package.json",
|
|
83
|
+
code_snippet: `"${name}": "${version}"`,
|
|
84
|
+
fix_description: known.fixVersion
|
|
85
|
+
? `Update to version ${known.fixVersion} or later`
|
|
86
|
+
: "Remove this package and find a secure alternative",
|
|
87
|
+
owasp_ref: "A06:2021",
|
|
88
|
+
status: "open",
|
|
89
|
+
confidence: known.fixVersion ? "medium" : "high",
|
|
90
|
+
});
|
|
91
|
+
}
|
|
92
|
+
// Check for suspicious packages
|
|
93
|
+
if (SUSPICIOUS_PACKAGES.includes(name)) {
|
|
94
|
+
findings.push({
|
|
95
|
+
vulnerability_id: 137,
|
|
96
|
+
severity: "high",
|
|
97
|
+
category: "supply-chain",
|
|
98
|
+
title: `Suspicious Package: ${name}`,
|
|
99
|
+
description_technical: "This package is known to be malicious or a typosquat of a popular package",
|
|
100
|
+
file_path: "package.json",
|
|
101
|
+
code_snippet: `"${name}": "${version}"`,
|
|
102
|
+
fix_description: "Remove this package immediately and scan for compromises",
|
|
103
|
+
status: "open",
|
|
104
|
+
confidence: "high",
|
|
105
|
+
});
|
|
106
|
+
}
|
|
107
|
+
}
|
|
108
|
+
// Check for unpinned dependencies (using ^ or ~)
|
|
109
|
+
const deps = pkg.dependencies || {};
|
|
110
|
+
let unpinnedCount = 0;
|
|
111
|
+
for (const [, versionRange] of Object.entries(deps)) {
|
|
112
|
+
const version = String(versionRange);
|
|
113
|
+
if (version.startsWith("^") || version.startsWith("~") || version === "*" || version === "latest") {
|
|
114
|
+
unpinnedCount++;
|
|
115
|
+
}
|
|
116
|
+
}
|
|
117
|
+
// Only flag if most deps are unpinned (common enough to not be noise)
|
|
118
|
+
if (unpinnedCount > 5 && unpinnedCount === Object.keys(deps).length) {
|
|
119
|
+
findings.push({
|
|
120
|
+
vulnerability_id: 60,
|
|
121
|
+
severity: "medium",
|
|
122
|
+
category: "supply-chain",
|
|
123
|
+
title: "All Dependencies Use Ranges Instead of Exact Versions",
|
|
124
|
+
file_path: "package.json",
|
|
125
|
+
code_snippet: `${unpinnedCount} dependencies use ^ or ~ version ranges`,
|
|
126
|
+
fix_description: "Pin exact versions in package.json for reproducible builds",
|
|
127
|
+
status: "open",
|
|
128
|
+
confidence: "low",
|
|
129
|
+
});
|
|
130
|
+
}
|
|
131
|
+
}
|
|
132
|
+
catch {
|
|
133
|
+
// Invalid JSON - skip
|
|
134
|
+
}
|
|
135
|
+
return findings;
|
|
136
|
+
}
|
|
137
|
+
function isVersionPotentiallyFixed(currentRange, fixVersion) {
|
|
138
|
+
// Simple heuristic: extract version numbers and compare
|
|
139
|
+
const current = extractVersion(currentRange);
|
|
140
|
+
if (!current)
|
|
141
|
+
return false;
|
|
142
|
+
const fix = fixVersion.split(".").map(Number);
|
|
143
|
+
const cur = current.split(".").map(Number);
|
|
144
|
+
for (let i = 0; i < 3; i++) {
|
|
145
|
+
if ((cur[i] || 0) > (fix[i] || 0))
|
|
146
|
+
return true;
|
|
147
|
+
if ((cur[i] || 0) < (fix[i] || 0))
|
|
148
|
+
return false;
|
|
149
|
+
}
|
|
150
|
+
return true; // equal versions = fixed
|
|
151
|
+
}
|
|
152
|
+
function extractVersion(versionRange) {
|
|
153
|
+
// Handle full semver: ^4.17.21, ~4.17.21, >=4.17.21, 4.17.21
|
|
154
|
+
const fullMatch = versionRange.match(/(\d+\.\d+\.\d+)/);
|
|
155
|
+
if (fullMatch)
|
|
156
|
+
return fullMatch[1];
|
|
157
|
+
// Handle partial: ^4.17, ~4.17 → treat as 4.17.0
|
|
158
|
+
const partialMatch = versionRange.match(/(\d+\.\d+)/);
|
|
159
|
+
if (partialMatch)
|
|
160
|
+
return `${partialMatch[1]}.0`;
|
|
161
|
+
// Handle major only: ^4 → treat as 4.0.0
|
|
162
|
+
const majorMatch = versionRange.match(/(\d+)/);
|
|
163
|
+
if (majorMatch)
|
|
164
|
+
return `${majorMatch[1]}.0.0`;
|
|
165
|
+
return null;
|
|
166
|
+
}
|
|
167
|
+
//# sourceMappingURL=dependencies.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dependencies.js","sourceRoot":"","sources":["../../src/engines/dependencies.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,kFAAkF;AAIlF,8EAA8E;AAC9E,MAAM,gBAAgB,GAA2G;IAC/H,gBAAgB,EAAE;QAChB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,2CAA2C;KACzD;IACD,sBAAsB,EAAE;QACtB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,wCAAwC;QACrD,UAAU,EAAE,OAAO;KACpB;IACD,QAAQ,EAAE;QACR,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,uCAAuC;QACpD,UAAU,EAAE,SAAS;KACtB;IACD,UAAU,EAAE;QACV,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,qBAAqB;QAClC,UAAU,EAAE,OAAO;KACpB;IACD,OAAO,EAAE;QACP,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,+BAA+B;QAC5C,UAAU,EAAE,OAAO;KACpB;IACD,cAAc,EAAE;QACd,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,qDAAqD;QAClE,UAAU,EAAE,OAAO;KACpB;IACD,SAAS,EAAE;QACT,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,iCAAiC;QAC9C,UAAU,EAAE,QAAQ;KACrB;IACD,MAAM,EAAE;QACN,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,qCAAqC;QAClD,UAAU,EAAE,OAAO;KACpB;CACF,CAAC;AAEF,wDAAwD;AACxD,MAAM,mBAAmB,GAAG;IAC1B,UAAU,EAAE,yBAAyB;IACrC,cAAc,EAAE,4BAA4B;IAC5C,gBAAgB,EAAE,8BAA8B;IAChD,cAAc,EAAE,4BAA4B;IAC5C,wBAAwB,EAAE,gBAAgB;IAC1C,iBAAiB,EAAE,YAAY;IAC/B,WAAW,EAAE,sBAAsB;IACnC,YAAY,EAAE,YAAY;CAC3B,CAAC;AAEF,MAAM,UAAU,mBAAmB,CACjC,KAA0B;IAE1B,MAAM,QAAQ,GAAkB,EAAE,CAAC;IAEnC,MAAM,kBAAkB,GAAG,KAAK,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACrD,IAAI,CAAC,kBAAkB;QAAE,OAAO,QAAQ,CAAC;IAEzC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAC3C,MAAM,OAAO,GAAG;YACd,GAAG,GAAG,CAAC,YAAY;YACnB,GAAG,GAAG,CAAC,eAAe;SACvB,CAAC;QAEF,sCAAsC;QACtC,KAAK,MAAM,CAAC,IAAI,EAAE,YAAY,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3D,MAAM,OAAO,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC;YACrC,MAAM,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;YAErC,IAAI,KAAK,EAAE,CAAC;gBACV,qEAAqE;gBACrE,IAAI,KAAK,CAAC,UAAU,IAAI,yBAAyB,CAAC,OAAO,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;oBAC7E,SAAS;gBACX,CAAC;gBAED,QAAQ,CAAC,IAAI,CAAC;oBACZ,gBAAgB,EAAE,CAAC;oBACnB,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,QAAQ,EAAE,cAAc;oBACxB,KAAK,EAAE,uBAAuB,IAAI,EAAE;oBACpC,qBAAqB,EAAE,KAAK,CAAC,WAAW;oBACxC,SAAS,EAAE,cAAc;oBACzB,YAAY,EAAE,IAAI,IAAI,OAAO,OAAO,GAAG;oBACvC,eAAe,EAAE,KAAK,CAAC,UAAU;wBAC/B,CAAC,CAAC,qBAAqB,KAAK,CAAC,UAAU,WAAW;wBAClD,CAAC,CAAC,mDAAmD;oBACvD,SAAS,EAAE,UAAU;oBACrB,MAAM,EAAE,MAAM;oBACd,UAAU,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM;iBACjD,CAAC,CAAC;YACL,CAAC;YAED,gCAAgC;YAChC,IAAI,mBAAmB,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvC,QAAQ,CAAC,IAAI,CAAC;oBACZ,gBAAgB,EAAE,GAAG;oBACrB,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,cAAc;oBACxB,KAAK,EAAE,uBAAuB,IAAI,EAAE;oBACpC,qBAAqB,EAAE,2EAA2E;oBAClG,SAAS,EAAE,cAAc;oBACzB,YAAY,EAAE,IAAI,IAAI,OAAO,OAAO,GAAG;oBACvC,eAAe,EAAE,0DAA0D;oBAC3E,MAAM,EAAE,MAAM;oBACd,UAAU,EAAE,MAAM;iBACnB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,iDAAiD;QACjD,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC;QACpC,IAAI,aAAa,GAAG,CAAC,CAAC;QACtB,KAAK,MAAM,CAAC,EAAE,YAAY,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACpD,MAAM,OAAO,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC;YACrC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;gBAClG,aAAa,EAAE,CAAC;YAClB,CAAC;QACH,CAAC;QACD,sEAAsE;QACtE,IAAI,aAAa,GAAG,CAAC,IAAI,aAAa,KAAK,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;YACpE,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,EAAE;gBACpB,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,cAAc;gBACxB,KAAK,EAAE,uDAAuD;gBAC9D,SAAS,EAAE,cAAc;gBACzB,YAAY,EAAE,GAAG,aAAa,yCAAyC;gBACvE,eAAe,EAAE,4DAA4D;gBAC7E,MAAM,EAAE,MAAM;gBACd,UAAU,EAAE,KAAK;aAClB,CAAC,CAAC;QACL,CAAC;IAEH,CAAC;IAAC,MAAM,CAAC;QACP,sBAAsB;IACxB,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,yBAAyB,CAChC,YAAoB,EACpB,UAAkB;IAElB,wDAAwD;IACxD,MAAM,OAAO,GAAG,cAAc,CAAC,YAAY,CAAC,CAAC;IAC7C,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAE3B,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAE3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QAC/C,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;IAClD,CAAC;IACD,OAAO,IAAI,CAAC,CAAC,yBAAyB;AACxC,CAAC;AAED,SAAS,cAAc,CAAC,YAAoB;IAC1C,6DAA6D;IAC7D,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IACxD,IAAI,SAAS;QAAE,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC;IAEnC,iDAAiD;IACjD,MAAM,YAAY,GAAG,YAAY,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IACtD,IAAI,YAAY;QAAE,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC;IAEhD,yCAAyC;IACzC,MAAM,UAAU,GAAG,YAAY,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC/C,IAAI,UAAU;QAAE,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC;IAE9C,OAAO,IAAI,CAAC;AACd,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"github-actions.d.ts","sourceRoot":"","sources":["../../src/engines/github-actions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAE9C,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,WAAW,EAAE,CAe9E"}
|
|
@@ -0,0 +1,215 @@
|
|
|
1
|
+
// GitHub Actions security engine - scans workflow files for common CI/CD vulnerabilities.
|
|
2
|
+
// Operates on the files Map (no filesystem access needed).
|
|
3
|
+
export function analyzeGitHubActions(files) {
|
|
4
|
+
const findings = [];
|
|
5
|
+
for (const [filePath, content] of files) {
|
|
6
|
+
if (!filePath.match(/\.github\/workflows\/.*\.ya?ml$/))
|
|
7
|
+
continue;
|
|
8
|
+
findings.push(...checkUnpinnedActions(content, filePath));
|
|
9
|
+
findings.push(...checkScriptInjection(content, filePath));
|
|
10
|
+
findings.push(...checkSecretsExposure(content, filePath));
|
|
11
|
+
findings.push(...checkExcessivePermissions(content, filePath));
|
|
12
|
+
findings.push(...checkSelfHostedRunners(content, filePath));
|
|
13
|
+
findings.push(...checkPullRequestTarget(content, filePath));
|
|
14
|
+
}
|
|
15
|
+
return findings;
|
|
16
|
+
}
|
|
17
|
+
function checkUnpinnedActions(content, filePath) {
|
|
18
|
+
const findings = [];
|
|
19
|
+
const lines = content.split("\n");
|
|
20
|
+
for (let i = 0; i < lines.length; i++) {
|
|
21
|
+
const line = lines[i];
|
|
22
|
+
const match = line.match(/uses:\s*["']?([^"'\s]+)@([^"'\s]+)/);
|
|
23
|
+
if (!match)
|
|
24
|
+
continue;
|
|
25
|
+
const [, action, ref] = match;
|
|
26
|
+
// Skip Docker and local actions
|
|
27
|
+
if (action.startsWith("docker://") || action.startsWith("./"))
|
|
28
|
+
continue;
|
|
29
|
+
// Flag if using branch ref instead of SHA or version tag
|
|
30
|
+
if (ref === "main" || ref === "master" || ref === "latest" || ref === "dev") {
|
|
31
|
+
findings.push({
|
|
32
|
+
vulnerability_id: 140,
|
|
33
|
+
severity: "medium",
|
|
34
|
+
category: "supply-chain",
|
|
35
|
+
title: `Unpinned Action: ${action}@${ref}`,
|
|
36
|
+
description_technical: `Action ${action} is pinned to branch '${ref}' instead of a SHA or version tag. This is vulnerable to supply chain attacks if the action is compromised.`,
|
|
37
|
+
file_path: filePath,
|
|
38
|
+
line_number: i + 1,
|
|
39
|
+
code_snippet: line.trim(),
|
|
40
|
+
fix_description: `Pin to a specific version tag (e.g., @v4) or full SHA (e.g., @abc123...)`,
|
|
41
|
+
status: "open",
|
|
42
|
+
});
|
|
43
|
+
}
|
|
44
|
+
}
|
|
45
|
+
return findings;
|
|
46
|
+
}
|
|
47
|
+
function checkScriptInjection(content, filePath) {
|
|
48
|
+
const findings = [];
|
|
49
|
+
const lines = content.split("\n");
|
|
50
|
+
// Dangerous GitHub context expressions in run: blocks
|
|
51
|
+
const dangerousContexts = [
|
|
52
|
+
"github.event.issue.title",
|
|
53
|
+
"github.event.issue.body",
|
|
54
|
+
"github.event.pull_request.title",
|
|
55
|
+
"github.event.pull_request.body",
|
|
56
|
+
"github.event.comment.body",
|
|
57
|
+
"github.event.review.body",
|
|
58
|
+
"github.event.discussion.title",
|
|
59
|
+
"github.event.discussion.body",
|
|
60
|
+
"github.head_ref",
|
|
61
|
+
"github.event.pages.page_name",
|
|
62
|
+
];
|
|
63
|
+
let inRunBlock = false;
|
|
64
|
+
for (let i = 0; i < lines.length; i++) {
|
|
65
|
+
const line = lines[i];
|
|
66
|
+
if (line.match(/^\s*run:\s*[|>]?\s*$/)) {
|
|
67
|
+
inRunBlock = true;
|
|
68
|
+
continue;
|
|
69
|
+
}
|
|
70
|
+
if (line.match(/^\s*run:\s*\S/)) {
|
|
71
|
+
// Single-line run
|
|
72
|
+
inRunBlock = false;
|
|
73
|
+
checkLineForInjection(line, i, filePath, dangerousContexts, findings);
|
|
74
|
+
continue;
|
|
75
|
+
}
|
|
76
|
+
if (inRunBlock && line.match(/^\s*\w+:/)) {
|
|
77
|
+
inRunBlock = false;
|
|
78
|
+
continue;
|
|
79
|
+
}
|
|
80
|
+
if (inRunBlock || line.match(/^\s*run:/)) {
|
|
81
|
+
checkLineForInjection(line, i, filePath, dangerousContexts, findings);
|
|
82
|
+
}
|
|
83
|
+
}
|
|
84
|
+
return findings;
|
|
85
|
+
}
|
|
86
|
+
function checkLineForInjection(line, lineIndex, filePath, dangerousContexts, findings) {
|
|
87
|
+
for (const context of dangerousContexts) {
|
|
88
|
+
if (line.includes(`\${{ ${context}`) || line.includes(`\${{${context}`)) {
|
|
89
|
+
findings.push({
|
|
90
|
+
vulnerability_id: 76,
|
|
91
|
+
severity: "high",
|
|
92
|
+
category: "injection",
|
|
93
|
+
title: `Script Injection via ${context}`,
|
|
94
|
+
description_technical: `Untrusted input from '${context}' is used in a run: block. An attacker can inject arbitrary commands by crafting a malicious title/body.`,
|
|
95
|
+
file_path: filePath,
|
|
96
|
+
line_number: lineIndex + 1,
|
|
97
|
+
code_snippet: line.trim(),
|
|
98
|
+
fix_description: "Use an environment variable instead: env: TITLE: ${{ github.event.issue.title }} and reference $TITLE in the script",
|
|
99
|
+
owasp_ref: "A03:2021",
|
|
100
|
+
status: "open",
|
|
101
|
+
});
|
|
102
|
+
break; // One finding per line
|
|
103
|
+
}
|
|
104
|
+
}
|
|
105
|
+
}
|
|
106
|
+
function checkSecretsExposure(content, filePath) {
|
|
107
|
+
const findings = [];
|
|
108
|
+
const lines = content.split("\n");
|
|
109
|
+
for (let i = 0; i < lines.length; i++) {
|
|
110
|
+
const line = lines[i];
|
|
111
|
+
// Check for hardcoded secret-like values in env or with blocks
|
|
112
|
+
if (line.match(/(?:env|with):\s*$/))
|
|
113
|
+
continue; // Block header, skip
|
|
114
|
+
if (line.match(/^\s+\w+:\s*["'][A-Za-z0-9_\-./+=]{20,}["']/)) {
|
|
115
|
+
// Skip if it references secrets context
|
|
116
|
+
if (line.includes("${{ secrets.") || line.includes("${{ github."))
|
|
117
|
+
continue;
|
|
118
|
+
findings.push({
|
|
119
|
+
vulnerability_id: 53,
|
|
120
|
+
severity: "critical",
|
|
121
|
+
category: "vibecoding",
|
|
122
|
+
title: "Hardcoded Secret in Workflow",
|
|
123
|
+
description_technical: "A long string value in the workflow file may be a hardcoded secret. Use GitHub Secrets instead.",
|
|
124
|
+
file_path: filePath,
|
|
125
|
+
line_number: i + 1,
|
|
126
|
+
code_snippet: line.trim().replace(/["'][A-Za-z0-9_\-./+=]{20,}["']/, '"***REDACTED***"'),
|
|
127
|
+
fix_description: "Store the value as a GitHub Secret and reference it via ${{ secrets.SECRET_NAME }}",
|
|
128
|
+
owasp_ref: "A07:2021",
|
|
129
|
+
status: "open",
|
|
130
|
+
});
|
|
131
|
+
}
|
|
132
|
+
}
|
|
133
|
+
return findings;
|
|
134
|
+
}
|
|
135
|
+
function checkExcessivePermissions(content, filePath) {
|
|
136
|
+
const findings = [];
|
|
137
|
+
const lines = content.split("\n");
|
|
138
|
+
for (let i = 0; i < lines.length; i++) {
|
|
139
|
+
const line = lines[i];
|
|
140
|
+
// Check for write-all permissions
|
|
141
|
+
if (line.match(/^\s*permissions:\s*write-all/)) {
|
|
142
|
+
findings.push({
|
|
143
|
+
vulnerability_id: 133,
|
|
144
|
+
severity: "medium",
|
|
145
|
+
category: "serverless",
|
|
146
|
+
title: "Workflow Has write-all Permissions",
|
|
147
|
+
description_technical: "The workflow grants write permissions to all scopes. Follow the principle of least privilege.",
|
|
148
|
+
file_path: filePath,
|
|
149
|
+
line_number: i + 1,
|
|
150
|
+
code_snippet: line.trim(),
|
|
151
|
+
fix_description: "Specify only the permissions needed, e.g., permissions: { contents: read, pull-requests: write }",
|
|
152
|
+
status: "open",
|
|
153
|
+
});
|
|
154
|
+
}
|
|
155
|
+
// Check for no permissions block at top level
|
|
156
|
+
if (i === 0 && !content.includes("permissions:")) {
|
|
157
|
+
findings.push({
|
|
158
|
+
vulnerability_id: 133,
|
|
159
|
+
severity: "low",
|
|
160
|
+
category: "serverless",
|
|
161
|
+
title: "Workflow Missing Permissions Block",
|
|
162
|
+
description_technical: "No permissions block defined. The workflow inherits default permissions which may be broader than needed.",
|
|
163
|
+
file_path: filePath,
|
|
164
|
+
line_number: 1,
|
|
165
|
+
code_snippet: lines.slice(0, 3).join("\n"),
|
|
166
|
+
fix_description: "Add a top-level permissions block to restrict token scope",
|
|
167
|
+
status: "open",
|
|
168
|
+
});
|
|
169
|
+
}
|
|
170
|
+
}
|
|
171
|
+
return findings;
|
|
172
|
+
}
|
|
173
|
+
function checkSelfHostedRunners(content, filePath) {
|
|
174
|
+
const findings = [];
|
|
175
|
+
const lines = content.split("\n");
|
|
176
|
+
for (let i = 0; i < lines.length; i++) {
|
|
177
|
+
const line = lines[i];
|
|
178
|
+
if (line.match(/runs-on:\s*["']?self-hosted/)) {
|
|
179
|
+
findings.push({
|
|
180
|
+
vulnerability_id: 136,
|
|
181
|
+
severity: "info",
|
|
182
|
+
category: "serverless",
|
|
183
|
+
title: "Self-Hosted Runner Used",
|
|
184
|
+
description_technical: "Self-hosted runners can persist state between jobs. Ensure runners are ephemeral or properly hardened.",
|
|
185
|
+
file_path: filePath,
|
|
186
|
+
line_number: i + 1,
|
|
187
|
+
code_snippet: line.trim(),
|
|
188
|
+
status: "open",
|
|
189
|
+
});
|
|
190
|
+
}
|
|
191
|
+
}
|
|
192
|
+
return findings;
|
|
193
|
+
}
|
|
194
|
+
function checkPullRequestTarget(content, filePath) {
|
|
195
|
+
const findings = [];
|
|
196
|
+
if (content.includes("pull_request_target") && content.includes("actions/checkout")) {
|
|
197
|
+
// This is a dangerous pattern: pull_request_target + checkout = code execution from fork
|
|
198
|
+
const lineNum = content.split("\n").findIndex((l) => l.includes("pull_request_target")) + 1;
|
|
199
|
+
findings.push({
|
|
200
|
+
vulnerability_id: 76,
|
|
201
|
+
severity: "critical",
|
|
202
|
+
category: "injection",
|
|
203
|
+
title: "Dangerous pull_request_target + Checkout Pattern",
|
|
204
|
+
description_technical: "Using pull_request_target with actions/checkout can execute untrusted code from forks with write permissions and secrets access.",
|
|
205
|
+
file_path: filePath,
|
|
206
|
+
line_number: lineNum,
|
|
207
|
+
code_snippet: "on: pull_request_target\n...\nuses: actions/checkout@...",
|
|
208
|
+
fix_description: "Use pull_request instead, or avoid checking out PR code in pull_request_target workflows",
|
|
209
|
+
owasp_ref: "A03:2021",
|
|
210
|
+
status: "open",
|
|
211
|
+
});
|
|
212
|
+
}
|
|
213
|
+
return findings;
|
|
214
|
+
}
|
|
215
|
+
//# sourceMappingURL=github-actions.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"github-actions.js","sourceRoot":"","sources":["../../src/engines/github-actions.ts"],"names":[],"mappings":"AAAA,0FAA0F;AAC1F,2DAA2D;AAI3D,MAAM,UAAU,oBAAoB,CAAC,KAA0B;IAC7D,MAAM,QAAQ,GAAkB,EAAE,CAAC;IAEnC,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,KAAK,EAAE,CAAC;QACxC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,iCAAiC,CAAC;YAAE,SAAS;QAEjE,QAAQ,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;QAC1D,QAAQ,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;QAC1D,QAAQ,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;QAC1D,QAAQ,CAAC,IAAI,CAAC,GAAG,yBAAyB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;QAC/D,QAAQ,CAAC,IAAI,CAAC,GAAG,sBAAsB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;QAC5D,QAAQ,CAAC,IAAI,CAAC,GAAG,sBAAsB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;IAC9D,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAe,EAAE,QAAgB;IAC7D,MAAM,QAAQ,GAAkB,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;QAC/D,IAAI,CAAC,KAAK;YAAE,SAAS;QAErB,MAAM,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC;QAE9B,gCAAgC;QAChC,IAAI,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,SAAS;QAExE,yDAAyD;QACzD,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;YAC5E,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,GAAG;gBACrB,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,cAAc;gBACxB,KAAK,EAAE,oBAAoB,MAAM,IAAI,GAAG,EAAE;gBAC1C,qBAAqB,EAAE,UAAU,MAAM,yBAAyB,GAAG,6GAA6G;gBAChL,SAAS,EAAE,QAAQ;gBACnB,WAAW,EAAE,CAAC,GAAG,CAAC;gBAClB,YAAY,EAAE,IAAI,CAAC,IAAI,EAAE;gBACzB,eAAe,EAAE,0EAA0E;gBAC3F,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAe,EAAE,QAAgB;IAC7D,MAAM,QAAQ,GAAkB,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,sDAAsD;IACtD,MAAM,iBAAiB,GAAG;QACxB,0BAA0B;QAC1B,yBAAyB;QACzB,iCAAiC;QACjC,gCAAgC;QAChC,2BAA2B;QAC3B,0BAA0B;QAC1B,+BAA+B;QAC/B,8BAA8B;QAC9B,iBAAiB;QACjB,8BAA8B;KAC/B,CAAC;IAEF,IAAI,UAAU,GAAG,KAAK,CAAC;IACvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEtB,IAAI,IAAI,CAAC,KAAK,CAAC,sBAAsB,CAAC,EAAE,CAAC;YACvC,UAAU,GAAG,IAAI,CAAC;YAClB,SAAS;QACX,CAAC;QACD,IAAI,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,EAAE,CAAC;YAChC,kBAAkB;YAClB,UAAU,GAAG,KAAK,CAAC;YACnB,qBAAqB,CAAC,IAAI,EAAE,CAAC,EAAE,QAAQ,EAAE,iBAAiB,EAAE,QAAQ,CAAC,CAAC;YACtE,SAAS;QACX,CAAC;QACD,IAAI,UAAU,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;YACzC,UAAU,GAAG,KAAK,CAAC;YACnB,SAAS;QACX,CAAC;QAED,IAAI,UAAU,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;YACzC,qBAAqB,CAAC,IAAI,EAAE,CAAC,EAAE,QAAQ,EAAE,iBAAiB,EAAE,QAAQ,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,qBAAqB,CAC5B,IAAY,EACZ,SAAiB,EACjB,QAAgB,EAChB,iBAA2B,EAC3B,QAAuB;IAEvB,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;QACxC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,OAAO,EAAE,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,OAAO,EAAE,CAAC,EAAE,CAAC;YACxE,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,EAAE;gBACpB,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,WAAW;gBACrB,KAAK,EAAE,wBAAwB,OAAO,EAAE;gBACxC,qBAAqB,EAAE,yBAAyB,OAAO,0GAA0G;gBACjK,SAAS,EAAE,QAAQ;gBACnB,WAAW,EAAE,SAAS,GAAG,CAAC;gBAC1B,YAAY,EAAE,IAAI,CAAC,IAAI,EAAE;gBACzB,eAAe,EAAE,qHAAqH;gBACtI,SAAS,EAAE,UAAU;gBACrB,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;YACH,MAAM,CAAC,uBAAuB;QAChC,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAe,EAAE,QAAgB;IAC7D,MAAM,QAAQ,GAAkB,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEtB,+DAA+D;QAC/D,IAAI,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC;YAAE,SAAS,CAAC,qBAAqB;QACpE,IAAI,IAAI,CAAC,KAAK,CAAC,4CAA4C,CAAC,EAAE,CAAC;YAC7D,wCAAwC;YACxC,IAAI,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC;gBAAE,SAAS;YAE5E,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,EAAE;gBACpB,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,YAAY;gBACtB,KAAK,EAAE,8BAA8B;gBACrC,qBAAqB,EAAE,iGAAiG;gBACxH,SAAS,EAAE,QAAQ;gBACnB,WAAW,EAAE,CAAC,GAAG,CAAC;gBAClB,YAAY,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,iCAAiC,EAAE,kBAAkB,CAAC;gBACxF,eAAe,EAAE,oFAAoF;gBACrG,SAAS,EAAE,UAAU;gBACrB,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,yBAAyB,CAAC,OAAe,EAAE,QAAgB;IAClE,MAAM,QAAQ,GAAkB,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEtB,kCAAkC;QAClC,IAAI,IAAI,CAAC,KAAK,CAAC,8BAA8B,CAAC,EAAE,CAAC;YAC/C,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,GAAG;gBACrB,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,YAAY;gBACtB,KAAK,EAAE,oCAAoC;gBAC3C,qBAAqB,EAAE,+FAA+F;gBACtH,SAAS,EAAE,QAAQ;gBACnB,WAAW,EAAE,CAAC,GAAG,CAAC;gBAClB,YAAY,EAAE,IAAI,CAAC,IAAI,EAAE;gBACzB,eAAe,EAAE,kGAAkG;gBACnH,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;QAED,8CAA8C;QAC9C,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YACjD,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,GAAG;gBACrB,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,YAAY;gBACtB,KAAK,EAAE,oCAAoC;gBAC3C,qBAAqB,EAAE,2GAA2G;gBAClI,SAAS,EAAE,QAAQ;gBACnB,WAAW,EAAE,CAAC;gBACd,YAAY,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC1C,eAAe,EAAE,2DAA2D;gBAC5E,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,sBAAsB,CAAC,OAAe,EAAE,QAAgB;IAC/D,MAAM,QAAQ,GAAkB,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEtB,IAAI,IAAI,CAAC,KAAK,CAAC,6BAA6B,CAAC,EAAE,CAAC;YAC9C,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,GAAG;gBACrB,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,YAAY;gBACtB,KAAK,EAAE,yBAAyB;gBAChC,qBAAqB,EAAE,wGAAwG;gBAC/H,SAAS,EAAE,QAAQ;gBACnB,WAAW,EAAE,CAAC,GAAG,CAAC;gBAClB,YAAY,EAAE,IAAI,CAAC,IAAI,EAAE;gBACzB,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,sBAAsB,CAAC,OAAe,EAAE,QAAgB;IAC/D,MAAM,QAAQ,GAAkB,EAAE,CAAC;IAEnC,IAAI,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACpF,yFAAyF;QACzF,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC,GAAG,CAAC,CAAC;QAC5F,QAAQ,CAAC,IAAI,CAAC;YACZ,gBAAgB,EAAE,EAAE;YACpB,QAAQ,EAAE,UAAU;YACpB,QAAQ,EAAE,WAAW;YACrB,KAAK,EAAE,kDAAkD;YACzD,qBAAqB,EAAE,kIAAkI;YACzJ,SAAS,EAAE,QAAQ;YACnB,WAAW,EAAE,OAAO;YACpB,YAAY,EAAE,0DAA0D;YACxE,eAAe,EAAE,0FAA0F;YAC3G,SAAS,EAAE,UAAU;YACrB,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"gitleaks.d.ts","sourceRoot":"","sources":["../../src/engines/gitleaks.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,WAAW,EAAY,MAAM,YAAY,CAAC;AA0DxD,wBAAsB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,CA4CzE"}
|