npm - @etcsec-com/etc-collector - Versions diffs - 1.4.0 - Mend

@etcsec-com/etc-collector 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (617) hide show

package/.env.example +60 -0
package/.env.test.example +33 -0
package/.github/workflows/ci.yml +83 -0
package/.github/workflows/release.yml +246 -0
package/.prettierrc.json +10 -0
package/CHANGELOG.md +15 -0
package/Dockerfile +57 -0
package/LICENSE +190 -0
package/README.md +194 -0
package/dist/api/controllers/audit.controller.d.ts +21 -0
package/dist/api/controllers/audit.controller.d.ts.map +1 -0
package/dist/api/controllers/audit.controller.js +179 -0
package/dist/api/controllers/audit.controller.js.map +1 -0
package/dist/api/controllers/auth.controller.d.ts +16 -0
package/dist/api/controllers/auth.controller.d.ts.map +1 -0
package/dist/api/controllers/auth.controller.js +146 -0
package/dist/api/controllers/auth.controller.js.map +1 -0
package/dist/api/controllers/export.controller.d.ts +27 -0
package/dist/api/controllers/export.controller.d.ts.map +1 -0
package/dist/api/controllers/export.controller.js +80 -0
package/dist/api/controllers/export.controller.js.map +1 -0
package/dist/api/controllers/health.controller.d.ts +5 -0
package/dist/api/controllers/health.controller.d.ts.map +1 -0
package/dist/api/controllers/health.controller.js +16 -0
package/dist/api/controllers/health.controller.js.map +1 -0
package/dist/api/controllers/jobs.controller.d.ts +13 -0
package/dist/api/controllers/jobs.controller.d.ts.map +1 -0
package/dist/api/controllers/jobs.controller.js +125 -0
package/dist/api/controllers/jobs.controller.js.map +1 -0
package/dist/api/controllers/providers.controller.d.ts +15 -0
package/dist/api/controllers/providers.controller.d.ts.map +1 -0
package/dist/api/controllers/providers.controller.js +112 -0
package/dist/api/controllers/providers.controller.js.map +1 -0
package/dist/api/dto/AuditRequest.dto.d.ts +6 -0
package/dist/api/dto/AuditRequest.dto.d.ts.map +1 -0
package/dist/api/dto/AuditRequest.dto.js +3 -0
package/dist/api/dto/AuditRequest.dto.js.map +1 -0
package/dist/api/dto/AuditResponse.dto.d.ts +17 -0
package/dist/api/dto/AuditResponse.dto.d.ts.map +1 -0
package/dist/api/dto/AuditResponse.dto.js +3 -0
package/dist/api/dto/AuditResponse.dto.js.map +1 -0
package/dist/api/dto/TokenRequest.dto.d.ts +6 -0
package/dist/api/dto/TokenRequest.dto.d.ts.map +1 -0
package/dist/api/dto/TokenRequest.dto.js +3 -0
package/dist/api/dto/TokenRequest.dto.js.map +1 -0
package/dist/api/dto/TokenResponse.dto.d.ts +12 -0
package/dist/api/dto/TokenResponse.dto.d.ts.map +1 -0
package/dist/api/dto/TokenResponse.dto.js +3 -0
package/dist/api/dto/TokenResponse.dto.js.map +1 -0
package/dist/api/middlewares/authenticate.d.ts +12 -0
package/dist/api/middlewares/authenticate.d.ts.map +1 -0
package/dist/api/middlewares/authenticate.js +141 -0
package/dist/api/middlewares/authenticate.js.map +1 -0
package/dist/api/middlewares/errorHandler.d.ts +3 -0
package/dist/api/middlewares/errorHandler.d.ts.map +1 -0
package/dist/api/middlewares/errorHandler.js +30 -0
package/dist/api/middlewares/errorHandler.js.map +1 -0
package/dist/api/middlewares/rateLimit.d.ts +3 -0
package/dist/api/middlewares/rateLimit.d.ts.map +1 -0
package/dist/api/middlewares/rateLimit.js +34 -0
package/dist/api/middlewares/rateLimit.js.map +1 -0
package/dist/api/middlewares/validate.d.ts +4 -0
package/dist/api/middlewares/validate.d.ts.map +1 -0
package/dist/api/middlewares/validate.js +31 -0
package/dist/api/middlewares/validate.js.map +1 -0
package/dist/api/routes/audit.routes.d.ts +5 -0
package/dist/api/routes/audit.routes.d.ts.map +1 -0
package/dist/api/routes/audit.routes.js +24 -0
package/dist/api/routes/audit.routes.js.map +1 -0
package/dist/api/routes/auth.routes.d.ts +6 -0
package/dist/api/routes/auth.routes.d.ts.map +1 -0
package/dist/api/routes/auth.routes.js +22 -0
package/dist/api/routes/auth.routes.js.map +1 -0
package/dist/api/routes/export.routes.d.ts +5 -0
package/dist/api/routes/export.routes.d.ts.map +1 -0
package/dist/api/routes/export.routes.js +16 -0
package/dist/api/routes/export.routes.js.map +1 -0
package/dist/api/routes/health.routes.d.ts +4 -0
package/dist/api/routes/health.routes.d.ts.map +1 -0
package/dist/api/routes/health.routes.js +11 -0
package/dist/api/routes/health.routes.js.map +1 -0
package/dist/api/routes/index.d.ts +10 -0
package/dist/api/routes/index.d.ts.map +1 -0
package/dist/api/routes/index.js +20 -0
package/dist/api/routes/index.js.map +1 -0
package/dist/api/routes/providers.routes.d.ts +5 -0
package/dist/api/routes/providers.routes.d.ts.map +1 -0
package/dist/api/routes/providers.routes.js +13 -0
package/dist/api/routes/providers.routes.js.map +1 -0
package/dist/api/validators/audit.schemas.d.ts +60 -0
package/dist/api/validators/audit.schemas.d.ts.map +1 -0
package/dist/api/validators/audit.schemas.js +55 -0
package/dist/api/validators/audit.schemas.js.map +1 -0
package/dist/api/validators/auth.schemas.d.ts +17 -0
package/dist/api/validators/auth.schemas.d.ts.map +1 -0
package/dist/api/validators/auth.schemas.js +21 -0
package/dist/api/validators/auth.schemas.js.map +1 -0
package/dist/app.d.ts +3 -0
package/dist/app.d.ts.map +1 -0
package/dist/app.js +62 -0
package/dist/app.js.map +1 -0
package/dist/config/config.schema.d.ts +65 -0
package/dist/config/config.schema.d.ts.map +1 -0
package/dist/config/config.schema.js +95 -0
package/dist/config/config.schema.js.map +1 -0
package/dist/config/index.d.ts +4 -0
package/dist/config/index.d.ts.map +1 -0
package/dist/config/index.js +75 -0
package/dist/config/index.js.map +1 -0
package/dist/container.d.ts +47 -0
package/dist/container.d.ts.map +1 -0
package/dist/container.js +137 -0
package/dist/container.js.map +1 -0
package/dist/data/database.d.ts +13 -0
package/dist/data/database.d.ts.map +1 -0
package/dist/data/database.js +68 -0
package/dist/data/database.js.map +1 -0
package/dist/data/jobs/token-cleanup.job.d.ts +23 -0
package/dist/data/jobs/token-cleanup.job.d.ts.map +1 -0
package/dist/data/jobs/token-cleanup.job.js +96 -0
package/dist/data/jobs/token-cleanup.job.js.map +1 -0
package/dist/data/migrations/migration.runner.d.ts +13 -0
package/dist/data/migrations/migration.runner.d.ts.map +1 -0
package/dist/data/migrations/migration.runner.js +136 -0
package/dist/data/migrations/migration.runner.js.map +1 -0
package/dist/data/models/Token.model.d.ts +30 -0
package/dist/data/models/Token.model.d.ts.map +1 -0
package/dist/data/models/Token.model.js +3 -0
package/dist/data/models/Token.model.js.map +1 -0
package/dist/data/repositories/token.repository.d.ts +16 -0
package/dist/data/repositories/token.repository.d.ts.map +1 -0
package/dist/data/repositories/token.repository.js +97 -0
package/dist/data/repositories/token.repository.js.map +1 -0
package/dist/providers/azure/auth.provider.d.ts +5 -0
package/dist/providers/azure/auth.provider.d.ts.map +1 -0
package/dist/providers/azure/auth.provider.js +13 -0
package/dist/providers/azure/auth.provider.js.map +1 -0
package/dist/providers/azure/azure-errors.d.ts +40 -0
package/dist/providers/azure/azure-errors.d.ts.map +1 -0
package/dist/providers/azure/azure-errors.js +121 -0
package/dist/providers/azure/azure-errors.js.map +1 -0
package/dist/providers/azure/azure-retry.d.ts +41 -0
package/dist/providers/azure/azure-retry.d.ts.map +1 -0
package/dist/providers/azure/azure-retry.js +85 -0
package/dist/providers/azure/azure-retry.js.map +1 -0
package/dist/providers/azure/graph-client.d.ts +26 -0
package/dist/providers/azure/graph-client.d.ts.map +1 -0
package/dist/providers/azure/graph-client.js +146 -0
package/dist/providers/azure/graph-client.js.map +1 -0
package/dist/providers/azure/graph.provider.d.ts +23 -0
package/dist/providers/azure/graph.provider.d.ts.map +1 -0
package/dist/providers/azure/graph.provider.js +161 -0
package/dist/providers/azure/graph.provider.js.map +1 -0
package/dist/providers/azure/queries/app.queries.d.ts +6 -0
package/dist/providers/azure/queries/app.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/app.queries.js +9 -0
package/dist/providers/azure/queries/app.queries.js.map +1 -0
package/dist/providers/azure/queries/policy.queries.d.ts +6 -0
package/dist/providers/azure/queries/policy.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/policy.queries.js +9 -0
package/dist/providers/azure/queries/policy.queries.js.map +1 -0
package/dist/providers/azure/queries/user.queries.d.ts +7 -0
package/dist/providers/azure/queries/user.queries.d.ts.map +1 -0
package/dist/providers/azure/queries/user.queries.js +10 -0
package/dist/providers/azure/queries/user.queries.js.map +1 -0
package/dist/providers/interfaces/IGraphProvider.d.ts +31 -0
package/dist/providers/interfaces/IGraphProvider.d.ts.map +1 -0
package/dist/providers/interfaces/IGraphProvider.js +3 -0
package/dist/providers/interfaces/IGraphProvider.js.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts +37 -0
package/dist/providers/interfaces/ILDAPProvider.d.ts.map +1 -0
package/dist/providers/interfaces/ILDAPProvider.js +3 -0
package/dist/providers/interfaces/ILDAPProvider.js.map +1 -0
package/dist/providers/ldap/acl-parser.d.ts +8 -0
package/dist/providers/ldap/acl-parser.d.ts.map +1 -0
package/dist/providers/ldap/acl-parser.js +157 -0
package/dist/providers/ldap/acl-parser.js.map +1 -0
package/dist/providers/ldap/ad-mappers.d.ts +8 -0
package/dist/providers/ldap/ad-mappers.d.ts.map +1 -0
package/dist/providers/ldap/ad-mappers.js +162 -0
package/dist/providers/ldap/ad-mappers.js.map +1 -0
package/dist/providers/ldap/ldap-client.d.ts +33 -0
package/dist/providers/ldap/ldap-client.d.ts.map +1 -0
package/dist/providers/ldap/ldap-client.js +195 -0
package/dist/providers/ldap/ldap-client.js.map +1 -0
package/dist/providers/ldap/ldap-errors.d.ts +48 -0
package/dist/providers/ldap/ldap-errors.d.ts.map +1 -0
package/dist/providers/ldap/ldap-errors.js +120 -0
package/dist/providers/ldap/ldap-errors.js.map +1 -0
package/dist/providers/ldap/ldap-retry.d.ts +14 -0
package/dist/providers/ldap/ldap-retry.d.ts.map +1 -0
package/dist/providers/ldap/ldap-retry.js +102 -0
package/dist/providers/ldap/ldap-retry.js.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts +12 -0
package/dist/providers/ldap/ldap-sanitizer.d.ts.map +1 -0
package/dist/providers/ldap/ldap-sanitizer.js +104 -0
package/dist/providers/ldap/ldap-sanitizer.js.map +1 -0
package/dist/providers/ldap/ldap.provider.d.ts +21 -0
package/dist/providers/ldap/ldap.provider.d.ts.map +1 -0
package/dist/providers/ldap/ldap.provider.js +165 -0
package/dist/providers/ldap/ldap.provider.js.map +1 -0
package/dist/providers/ldap/queries/computer.queries.d.ts +6 -0
package/dist/providers/ldap/queries/computer.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/computer.queries.js +9 -0
package/dist/providers/ldap/queries/computer.queries.js.map +1 -0
package/dist/providers/ldap/queries/group.queries.d.ts +6 -0
package/dist/providers/ldap/queries/group.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/group.queries.js +9 -0
package/dist/providers/ldap/queries/group.queries.js.map +1 -0
package/dist/providers/ldap/queries/user.queries.d.ts +7 -0
package/dist/providers/ldap/queries/user.queries.d.ts.map +1 -0
package/dist/providers/ldap/queries/user.queries.js +10 -0
package/dist/providers/ldap/queries/user.queries.js.map +1 -0
package/dist/providers/smb/smb.provider.d.ts +68 -0
package/dist/providers/smb/smb.provider.d.ts.map +1 -0
package/dist/providers/smb/smb.provider.js +382 -0
package/dist/providers/smb/smb.provider.js.map +1 -0
package/dist/server.d.ts +2 -0
package/dist/server.d.ts.map +1 -0
package/dist/server.js +44 -0
package/dist/server.js.map +1 -0
package/dist/services/audit/ad-audit.service.d.ts +70 -0
package/dist/services/audit/ad-audit.service.d.ts.map +1 -0
package/dist/services/audit/ad-audit.service.js +1019 -0
package/dist/services/audit/ad-audit.service.js.map +1 -0
package/dist/services/audit/attack-graph.service.d.ts +62 -0
package/dist/services/audit/attack-graph.service.d.ts.map +1 -0
package/dist/services/audit/attack-graph.service.js +702 -0
package/dist/services/audit/attack-graph.service.js.map +1 -0
package/dist/services/audit/audit.service.d.ts +4 -0
package/dist/services/audit/audit.service.d.ts.map +1 -0
package/dist/services/audit/audit.service.js +10 -0
package/dist/services/audit/audit.service.js.map +1 -0
package/dist/services/audit/azure-audit.service.d.ts +37 -0
package/dist/services/audit/azure-audit.service.d.ts.map +1 -0
package/dist/services/audit/azure-audit.service.js +153 -0
package/dist/services/audit/azure-audit.service.js.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts +37 -0
package/dist/services/audit/detectors/ad/accounts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/accounts.detector.js +881 -0
package/dist/services/audit/detectors/ad/accounts.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts +21 -0
package/dist/services/audit/detectors/ad/adcs.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/adcs.detector.js +227 -0
package/dist/services/audit/detectors/ad/adcs.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts +63 -0
package/dist/services/audit/detectors/ad/advanced.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/advanced.detector.js +867 -0
package/dist/services/audit/detectors/ad/advanced.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts +16 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js +369 -0
package/dist/services/audit/detectors/ad/attack-paths.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts +28 -0
package/dist/services/audit/detectors/ad/compliance.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/compliance.detector.js +896 -0
package/dist/services/audit/detectors/ad/compliance.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts +30 -0
package/dist/services/audit/detectors/ad/computers.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/computers.detector.js +799 -0
package/dist/services/audit/detectors/ad/computers.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/gpo.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/gpo.detector.js +257 -0
package/dist/services/audit/detectors/ad/gpo.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts +19 -0
package/dist/services/audit/detectors/ad/groups.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/groups.detector.js +488 -0
package/dist/services/audit/detectors/ad/groups.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/index.d.ts +15 -0
package/dist/services/audit/detectors/ad/index.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/index.js +51 -0
package/dist/services/audit/detectors/ad/index.js.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts +17 -0
package/dist/services/audit/detectors/ad/kerberos.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js +293 -0
package/dist/services/audit/detectors/ad/kerberos.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts +23 -0
package/dist/services/audit/detectors/ad/monitoring.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js +328 -0
package/dist/services/audit/detectors/ad/monitoring.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts +39 -0
package/dist/services/audit/detectors/ad/network.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/network.detector.js +257 -0
package/dist/services/audit/detectors/ad/network.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts +14 -0
package/dist/services/audit/detectors/ad/password.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/password.detector.js +235 -0
package/dist/services/audit/detectors/ad/password.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts +20 -0
package/dist/services/audit/detectors/ad/permissions.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/permissions.detector.js +392 -0
package/dist/services/audit/detectors/ad/permissions.detector.js.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts +11 -0
package/dist/services/audit/detectors/ad/trusts.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/ad/trusts.detector.js +186 -0
package/dist/services/audit/detectors/ad/trusts.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts +11 -0
package/dist/services/audit/detectors/azure/app-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/app-security.detector.js +184 -0
package/dist/services/audit/detectors/azure/app-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts +10 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js +130 -0
package/dist/services/audit/detectors/azure/conditional-access.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts +8 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js +113 -0
package/dist/services/audit/detectors/azure/privilege-security.detector.js.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts +14 -0
package/dist/services/audit/detectors/azure/user-security.detector.d.ts.map +1 -0
package/dist/services/audit/detectors/azure/user-security.detector.js +198 -0
package/dist/services/audit/detectors/azure/user-security.detector.js.map +1 -0
package/dist/services/audit/detectors/index.d.ts +2 -0
package/dist/services/audit/detectors/index.d.ts.map +1 -0
package/dist/services/audit/detectors/index.js +38 -0
package/dist/services/audit/detectors/index.js.map +1 -0
package/dist/services/audit/response-formatter.d.ts +176 -0
package/dist/services/audit/response-formatter.d.ts.map +1 -0
package/dist/services/audit/response-formatter.js +240 -0
package/dist/services/audit/response-formatter.js.map +1 -0
package/dist/services/audit/scoring.service.d.ts +15 -0
package/dist/services/audit/scoring.service.d.ts.map +1 -0
package/dist/services/audit/scoring.service.js +139 -0
package/dist/services/audit/scoring.service.js.map +1 -0
package/dist/services/auth/crypto.service.d.ts +19 -0
package/dist/services/auth/crypto.service.d.ts.map +1 -0
package/dist/services/auth/crypto.service.js +135 -0
package/dist/services/auth/crypto.service.js.map +1 -0
package/dist/services/auth/errors.d.ts +19 -0
package/dist/services/auth/errors.d.ts.map +1 -0
package/dist/services/auth/errors.js +46 -0
package/dist/services/auth/errors.js.map +1 -0
package/dist/services/auth/token.service.d.ts +41 -0
package/dist/services/auth/token.service.d.ts.map +1 -0
package/dist/services/auth/token.service.js +208 -0
package/dist/services/auth/token.service.js.map +1 -0
package/dist/services/config/config.service.d.ts +6 -0
package/dist/services/config/config.service.d.ts.map +1 -0
package/dist/services/config/config.service.js +64 -0
package/dist/services/config/config.service.js.map +1 -0
package/dist/services/export/export.service.d.ts +28 -0
package/dist/services/export/export.service.d.ts.map +1 -0
package/dist/services/export/export.service.js +28 -0
package/dist/services/export/export.service.js.map +1 -0
package/dist/services/export/formatters/csv.formatter.d.ts +8 -0
package/dist/services/export/formatters/csv.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/csv.formatter.js +46 -0
package/dist/services/export/formatters/csv.formatter.js.map +1 -0
package/dist/services/export/formatters/json.formatter.d.ts +40 -0
package/dist/services/export/formatters/json.formatter.d.ts.map +1 -0
package/dist/services/export/formatters/json.formatter.js +58 -0
package/dist/services/export/formatters/json.formatter.js.map +1 -0
package/dist/services/jobs/azure-job-runner.d.ts +38 -0
package/dist/services/jobs/azure-job-runner.d.ts.map +1 -0
package/dist/services/jobs/azure-job-runner.js +199 -0
package/dist/services/jobs/azure-job-runner.js.map +1 -0
package/dist/services/jobs/index.d.ts +4 -0
package/dist/services/jobs/index.d.ts.map +1 -0
package/dist/services/jobs/index.js +20 -0
package/dist/services/jobs/index.js.map +1 -0
package/dist/services/jobs/job-runner.d.ts +64 -0
package/dist/services/jobs/job-runner.d.ts.map +1 -0
package/dist/services/jobs/job-runner.js +952 -0
package/dist/services/jobs/job-runner.js.map +1 -0
package/dist/services/jobs/job-store.d.ts +27 -0
package/dist/services/jobs/job-store.d.ts.map +1 -0
package/dist/services/jobs/job-store.js +261 -0
package/dist/services/jobs/job-store.js.map +1 -0
package/dist/services/jobs/job.types.d.ts +67 -0
package/dist/services/jobs/job.types.d.ts.map +1 -0
package/dist/services/jobs/job.types.js +36 -0
package/dist/services/jobs/job.types.js.map +1 -0
package/dist/types/ad.types.d.ts +74 -0
package/dist/types/ad.types.d.ts.map +1 -0
package/dist/types/ad.types.js +3 -0
package/dist/types/ad.types.js.map +1 -0
package/dist/types/adcs.types.d.ts +58 -0
package/dist/types/adcs.types.d.ts.map +1 -0
package/dist/types/adcs.types.js +38 -0
package/dist/types/adcs.types.js.map +1 -0
package/dist/types/attack-graph.types.d.ts +135 -0
package/dist/types/attack-graph.types.d.ts.map +1 -0
package/dist/types/attack-graph.types.js +58 -0
package/dist/types/attack-graph.types.js.map +1 -0
package/dist/types/audit.types.d.ts +34 -0
package/dist/types/audit.types.d.ts.map +1 -0
package/dist/types/audit.types.js +3 -0
package/dist/types/audit.types.js.map +1 -0
package/dist/types/azure.types.d.ts +61 -0
package/dist/types/azure.types.d.ts.map +1 -0
package/dist/types/azure.types.js +3 -0
package/dist/types/azure.types.js.map +1 -0
package/dist/types/config.types.d.ts +63 -0
package/dist/types/config.types.d.ts.map +1 -0
package/dist/types/config.types.js +3 -0
package/dist/types/config.types.js.map +1 -0
package/dist/types/error.types.d.ts +33 -0
package/dist/types/error.types.d.ts.map +1 -0
package/dist/types/error.types.js +70 -0
package/dist/types/error.types.js.map +1 -0
package/dist/types/finding.types.d.ts +133 -0
package/dist/types/finding.types.d.ts.map +1 -0
package/dist/types/finding.types.js +3 -0
package/dist/types/finding.types.js.map +1 -0
package/dist/types/gpo.types.d.ts +39 -0
package/dist/types/gpo.types.d.ts.map +1 -0
package/dist/types/gpo.types.js +15 -0
package/dist/types/gpo.types.js.map +1 -0
package/dist/types/token.types.d.ts +26 -0
package/dist/types/token.types.d.ts.map +1 -0
package/dist/types/token.types.js +3 -0
package/dist/types/token.types.js.map +1 -0
package/dist/types/trust.types.d.ts +45 -0
package/dist/types/trust.types.d.ts.map +1 -0
package/dist/types/trust.types.js +71 -0
package/dist/types/trust.types.js.map +1 -0
package/dist/utils/entity-converter.d.ts +17 -0
package/dist/utils/entity-converter.d.ts.map +1 -0
package/dist/utils/entity-converter.js +285 -0
package/dist/utils/entity-converter.js.map +1 -0
package/dist/utils/graph.util.d.ts +66 -0
package/dist/utils/graph.util.d.ts.map +1 -0
package/dist/utils/graph.util.js +382 -0
package/dist/utils/graph.util.js.map +1 -0
package/dist/utils/logger.d.ts +7 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +86 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/type-name-normalizer.d.ts +5 -0
package/dist/utils/type-name-normalizer.d.ts.map +1 -0
package/dist/utils/type-name-normalizer.js +218 -0
package/dist/utils/type-name-normalizer.js.map +1 -0
package/docker-compose.yml +26 -0
package/docs/api/README.md +178 -0
package/docs/api/openapi.yaml +1524 -0
package/eslint.config.js +54 -0
package/jest.config.js +38 -0
package/package.json +97 -0
package/scripts/fetch-ad-cert.sh +142 -0
package/src/.gitkeep +0 -0
package/src/api/.gitkeep +0 -0
package/src/api/controllers/.gitkeep +0 -0
package/src/api/controllers/audit.controller.ts +313 -0
package/src/api/controllers/auth.controller.ts +258 -0
package/src/api/controllers/export.controller.ts +153 -0
package/src/api/controllers/health.controller.ts +16 -0
package/src/api/controllers/jobs.controller.ts +187 -0
package/src/api/controllers/providers.controller.ts +165 -0
package/src/api/dto/.gitkeep +0 -0
package/src/api/dto/AuditRequest.dto.ts +8 -0
package/src/api/dto/AuditResponse.dto.ts +19 -0
package/src/api/dto/TokenRequest.dto.ts +8 -0
package/src/api/dto/TokenResponse.dto.ts +14 -0
package/src/api/middlewares/.gitkeep +0 -0
package/src/api/middlewares/authenticate.ts +203 -0
package/src/api/middlewares/errorHandler.ts +54 -0
package/src/api/middlewares/rateLimit.ts +35 -0
package/src/api/middlewares/validate.ts +32 -0
package/src/api/routes/.gitkeep +0 -0
package/src/api/routes/audit.routes.ts +77 -0
package/src/api/routes/auth.routes.ts +71 -0
package/src/api/routes/export.routes.ts +34 -0
package/src/api/routes/health.routes.ts +14 -0
package/src/api/routes/index.ts +40 -0
package/src/api/routes/providers.routes.ts +24 -0
package/src/api/validators/.gitkeep +0 -0
package/src/api/validators/audit.schemas.ts +59 -0
package/src/api/validators/auth.schemas.ts +59 -0
package/src/app.ts +87 -0
package/src/config/.gitkeep +0 -0
package/src/config/config.schema.ts +108 -0
package/src/config/index.ts +82 -0
package/src/container.ts +221 -0
package/src/data/.gitkeep +0 -0
package/src/data/database.ts +78 -0
package/src/data/jobs/token-cleanup.job.ts +166 -0
package/src/data/migrations/.gitkeep +0 -0
package/src/data/migrations/001_initial_schema.sql +47 -0
package/src/data/migrations/migration.runner.ts +125 -0
package/src/data/models/.gitkeep +0 -0
package/src/data/models/Token.model.ts +35 -0
package/src/data/repositories/.gitkeep +0 -0
package/src/data/repositories/token.repository.ts +160 -0
package/src/providers/.gitkeep +0 -0
package/src/providers/azure/.gitkeep +0 -0
package/src/providers/azure/auth.provider.ts +14 -0
package/src/providers/azure/azure-errors.ts +189 -0
package/src/providers/azure/azure-retry.ts +168 -0
package/src/providers/azure/graph-client.ts +315 -0
package/src/providers/azure/graph.provider.ts +294 -0
package/src/providers/azure/queries/app.queries.ts +9 -0
package/src/providers/azure/queries/policy.queries.ts +9 -0
package/src/providers/azure/queries/user.queries.ts +10 -0
package/src/providers/interfaces/.gitkeep +0 -0
package/src/providers/interfaces/IGraphProvider.ts +117 -0
package/src/providers/interfaces/ILDAPProvider.ts +142 -0
package/src/providers/ldap/.gitkeep +0 -0
package/src/providers/ldap/acl-parser.ts +231 -0
package/src/providers/ldap/ad-mappers.ts +280 -0
package/src/providers/ldap/ldap-client.ts +259 -0
package/src/providers/ldap/ldap-errors.ts +188 -0
package/src/providers/ldap/ldap-retry.ts +267 -0
package/src/providers/ldap/ldap-sanitizer.ts +273 -0
package/src/providers/ldap/ldap.provider.ts +293 -0
package/src/providers/ldap/queries/computer.queries.ts +9 -0
package/src/providers/ldap/queries/group.queries.ts +9 -0
package/src/providers/ldap/queries/user.queries.ts +10 -0
package/src/providers/smb/smb.provider.ts +653 -0
package/src/server.ts +60 -0
package/src/services/.gitkeep +0 -0
package/src/services/audit/.gitkeep +0 -0
package/src/services/audit/ad-audit.service.ts +1481 -0
package/src/services/audit/attack-graph.service.ts +1104 -0
package/src/services/audit/audit.service.ts +12 -0
package/src/services/audit/azure-audit.service.ts +286 -0
package/src/services/audit/detectors/ad/accounts.detector.ts +1232 -0
package/src/services/audit/detectors/ad/adcs.detector.ts +449 -0
package/src/services/audit/detectors/ad/advanced.detector.ts +1270 -0
package/src/services/audit/detectors/ad/attack-paths.detector.ts +600 -0
package/src/services/audit/detectors/ad/compliance.detector.ts +1421 -0
package/src/services/audit/detectors/ad/computers.detector.ts +1188 -0
package/src/services/audit/detectors/ad/gpo.detector.ts +485 -0
package/src/services/audit/detectors/ad/groups.detector.ts +685 -0
package/src/services/audit/detectors/ad/index.ts +84 -0
package/src/services/audit/detectors/ad/kerberos.detector.ts +424 -0
package/src/services/audit/detectors/ad/monitoring.detector.ts +501 -0
package/src/services/audit/detectors/ad/network.detector.ts +538 -0
package/src/services/audit/detectors/ad/password.detector.ts +324 -0
package/src/services/audit/detectors/ad/permissions.detector.ts +637 -0
package/src/services/audit/detectors/ad/trusts.detector.ts +315 -0
package/src/services/audit/detectors/azure/app-security.detector.ts +246 -0
package/src/services/audit/detectors/azure/conditional-access.detector.ts +186 -0
package/src/services/audit/detectors/azure/privilege-security.detector.ts +176 -0
package/src/services/audit/detectors/azure/user-security.detector.ts +280 -0
package/src/services/audit/detectors/index.ts +18 -0
package/src/services/audit/response-formatter.ts +604 -0
package/src/services/audit/scoring.service.ts +234 -0
package/src/services/auth/.gitkeep +0 -0
package/src/services/auth/crypto.service.ts +230 -0
package/src/services/auth/errors.ts +47 -0
package/src/services/auth/token.service.ts +420 -0
package/src/services/config/.gitkeep +0 -0
package/src/services/config/config.service.ts +75 -0
package/src/services/export/.gitkeep +0 -0
package/src/services/export/export.service.ts +99 -0
package/src/services/export/formatters/csv.formatter.ts +124 -0
package/src/services/export/formatters/json.formatter.ts +160 -0
package/src/services/jobs/azure-job-runner.ts +312 -0
package/src/services/jobs/index.ts +9 -0
package/src/services/jobs/job-runner.ts +1280 -0
package/src/services/jobs/job-store.ts +384 -0
package/src/services/jobs/job.types.ts +182 -0
package/src/types/.gitkeep +0 -0
package/src/types/ad.types.ts +91 -0
package/src/types/adcs.types.ts +107 -0
package/src/types/attack-graph.types.ts +260 -0
package/src/types/audit.types.ts +42 -0
package/src/types/azure.types.ts +68 -0
package/src/types/config.types.ts +79 -0
package/src/types/error.types.ts +69 -0
package/src/types/finding.types.ts +284 -0
package/src/types/gpo.types.ts +72 -0
package/src/types/smb2.d.ts +73 -0
package/src/types/token.types.ts +32 -0
package/src/types/trust.types.ts +140 -0
package/src/utils/.gitkeep +0 -0
package/src/utils/entity-converter.ts +453 -0
package/src/utils/graph.util.ts +609 -0
package/src/utils/logger.ts +111 -0
package/src/utils/type-name-normalizer.ts +302 -0
package/tests/.gitkeep +0 -0
package/tests/e2e/.gitkeep +0 -0
package/tests/fixtures/.gitkeep +0 -0
package/tests/integration/.gitkeep +0 -0
package/tests/integration/README.md +156 -0
package/tests/integration/ad-audit.integration.test.ts +216 -0
package/tests/integration/api/.gitkeep +0 -0
package/tests/integration/api/endpoints.integration.test.ts +431 -0
package/tests/integration/auth/jwt-authentication.integration.test.ts +358 -0
package/tests/integration/providers/.gitkeep +0 -0
package/tests/integration/providers/azure-basic.integration.test.ts +167 -0
package/tests/integration/providers/ldap-basic.integration.test.ts +152 -0
package/tests/integration/providers/ldap-connectivity.test.ts +44 -0
package/tests/integration/providers/ldap-provider.integration.test.ts +347 -0
package/tests/mocks/.gitkeep +0 -0
package/tests/setup.ts +16 -0
package/tests/unit/.gitkeep +0 -0
package/tests/unit/api/middlewares/authenticate.test.ts +446 -0
package/tests/unit/providers/.gitkeep +0 -0
package/tests/unit/providers/azure/azure-errors.test.ts +193 -0
package/tests/unit/providers/azure/azure-retry.test.ts +254 -0
package/tests/unit/providers/azure/graph-provider.test.ts +313 -0
package/tests/unit/providers/ldap/ad-mappers.test.ts +392 -0
package/tests/unit/providers/ldap/ldap-provider.test.ts +376 -0
package/tests/unit/providers/ldap/ldap-retry.test.ts +377 -0
package/tests/unit/providers/ldap/ldap-sanitizer.test.ts +301 -0
package/tests/unit/sample.test.ts +19 -0
package/tests/unit/services/.gitkeep +0 -0
package/tests/unit/services/audit/detectors/ad/accounts.detector.test.ts +393 -0
package/tests/unit/services/audit/detectors/ad/advanced.detector.test.ts +380 -0
package/tests/unit/services/audit/detectors/ad/computers.detector.test.ts +440 -0
package/tests/unit/services/audit/detectors/ad/groups.detector.test.ts +276 -0
package/tests/unit/services/audit/detectors/ad/kerberos.detector.test.ts +215 -0
package/tests/unit/services/audit/detectors/ad/password.detector.test.ts +226 -0
package/tests/unit/services/audit/detectors/ad/permissions.detector.test.ts +244 -0
package/tests/unit/services/audit/detectors/azure/app-security.detector.test.ts +349 -0
package/tests/unit/services/audit/detectors/azure/conditional-access.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/privilege-security.detector.test.ts +374 -0
package/tests/unit/services/audit/detectors/azure/user-security.detector.test.ts +297 -0
package/tests/unit/services/auth/crypto.service.test.ts +296 -0
package/tests/unit/services/auth/token.service.test.ts +579 -0
package/tests/unit/services/export/export.service.test.ts +241 -0
package/tests/unit/services/export/formatters/csv.formatter.test.ts +270 -0
package/tests/unit/services/export/formatters/json.formatter.test.ts +258 -0
package/tests/unit/utils/.gitkeep +0 -0
package/tsconfig.json +50 -0

package/src/services/audit/detectors/ad/trusts.detector.ts ADDED Viewed

@@ -0,0 +1,315 @@
+/**
+ * Domain Trusts Security Vulnerability Detector
+ *
+ * Analyzes trust relationships for security risks.
+ *
+ * Vulnerabilities detected (7):
+ * HIGH (4):
+ * - TRUST_SID_FILTERING_DISABLED: SID history attacks possible
+ * - TRUST_EXTERNAL_NO_SELECTIVE_AUTH: External trust without selective authentication
+ * - TRUST_AES_DISABLED: AES encryption not supported on trust
+ * - TRUST_RC4_ONLY: Trust only supports weak RC4 encryption
+ *
+ * MEDIUM (3):
+ * - TRUST_BIDIRECTIONAL: Two-way trust enables lateral movement
+ * - TRUST_FOREST_TRANSITIVE: Transitive forest trust increases attack surface
+ * - TRUST_INACTIVE: Trust relationship not modified in 180+ days
+ */
+import { Finding } from '../../../../types/finding.types';
+import {
+  ADTrustExtended,
+  TRUST_ATTRIBUTE_QUARANTINED_DOMAIN,
+  TRUST_ATTRIBUTE_CROSS_ORGANIZATION,
+  TRUST_ATTRIBUTE_FOREST_TRANSITIVE,
+  TRUST_ATTRIBUTE_WITHIN_FOREST,
+  TRUST_DIRECTION_BIDIRECTIONAL,
+} from '../../../../types/trust.types';
+/**
+ * TRUST_SID_FILTERING_DISABLED: SID filtering not enabled
+ * Allows SID history injection attacks across trust boundary
+ */
+export function detectTrustSidFilteringDisabled(
+  trusts: ADTrustExtended[],
+  includeDetails: boolean
+): Finding {
+  // SID filtering should be enabled (TRUST_ATTRIBUTE_QUARANTINED_DOMAIN)
+  // except for trusts within the same forest
+  const affected = trusts.filter((t) => {
+    // Skip intra-forest trusts (parent-child) - SID filtering not applicable
+    if ((t.trustAttributes & TRUST_ATTRIBUTE_WITHIN_FOREST) !== 0) {
+      return false;
+    }
+    // Check if SID filtering is disabled (QUARANTINED_DOMAIN flag NOT set)
+    const sidFilteringDisabled = (t.trustAttributes & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) === 0;
+    return sidFilteringDisabled;
+  });
+  return {
+    type: 'TRUST_SID_FILTERING_DISABLED',
+    severity: 'high',
+    category: 'trusts',
+    title: 'SID Filtering Disabled on Trust',
+    description:
+      'Trust relationships without SID filtering allow SID history injection attacks, enabling attackers to impersonate any user in the trusted domain.',
+    count: affected.length,
+    affectedEntities: includeDetails ? affected.map((t) => t.name) : undefined,
+    details:
+      affected.length > 0
+        ? {
+            recommendation: 'Enable SID filtering (quarantine) on external and forest trusts.',
+          }
+        : undefined,
+  };
+}
+/**
+ * TRUST_EXTERNAL_NO_SELECTIVE_AUTH: External trust without selective authentication
+ * All users from trusted domain can authenticate to any resource
+ */
+export function detectTrustExternalNoSelectiveAuth(
+  trusts: ADTrustExtended[],
+  includeDetails: boolean
+): Finding {
+  // Selective authentication should be enabled for external trusts
+  // to limit which users can authenticate
+  const affected = trusts.filter((t) => {
+    // Only check external trusts (not forest or intra-forest)
+    const isExternal =
+      (t.trustAttributes & TRUST_ATTRIBUTE_FOREST_TRANSITIVE) === 0 &&
+      (t.trustAttributes & TRUST_ATTRIBUTE_WITHIN_FOREST) === 0;
+    if (!isExternal) return false;
+    // Check if selective authentication is disabled
+    const selectiveAuthDisabled = (t.trustAttributes & TRUST_ATTRIBUTE_CROSS_ORGANIZATION) === 0;
+    return selectiveAuthDisabled;
+  });
+  return {
+    type: 'TRUST_EXTERNAL_NO_SELECTIVE_AUTH',
+    severity: 'high',
+    category: 'trusts',
+    title: 'External Trust Without Selective Authentication',
+    description:
+      'External trust without selective authentication allows any user from the trusted domain to authenticate to any resource in this domain.',
+    count: affected.length,
+    affectedEntities: includeDetails ? affected.map((t) => t.name) : undefined,
+    details:
+      affected.length > 0
+        ? {
+            recommendation:
+              'Enable selective authentication and explicitly grant access only to required resources.',
+          }
+        : undefined,
+  };
+}
+/**
+ * TRUST_BIDIRECTIONAL: Two-way trust relationship
+ * Increases attack surface - compromise in either domain affects both
+ */
+export function detectTrustBidirectional(
+  trusts: ADTrustExtended[],
+  includeDetails: boolean
+): Finding {
+  const affected = trusts.filter((t) => {
+    // Skip intra-forest trusts (parent-child are always bidirectional by design)
+    if ((t.trustAttributes & TRUST_ATTRIBUTE_WITHIN_FOREST) !== 0) {
+      return false;
+    }
+    return t.trustDirection === TRUST_DIRECTION_BIDIRECTIONAL;
+  });
+  return {
+    type: 'TRUST_BIDIRECTIONAL',
+    severity: 'medium',
+    category: 'trusts',
+    title: 'Bidirectional Trust Relationship',
+    description:
+      'Two-way trust allows authentication in both directions, increasing the attack surface. A compromise in either domain can lead to lateral movement to the other.',
+    count: affected.length,
+    affectedEntities: includeDetails ? affected.map((t) => t.name) : undefined,
+    details:
+      affected.length > 0
+        ? {
+            recommendation:
+              'Consider using one-way trusts where possible. Implement selective authentication.',
+          }
+        : undefined,
+  };
+}
+/**
+ * TRUST_FOREST_TRANSITIVE: Transitive forest trust
+ * Trust extends to all domains in the trusted forest
+ */
+export function detectTrustForestTransitive(
+  trusts: ADTrustExtended[],
+  includeDetails: boolean
+): Finding {
+  const affected = trusts.filter((t) => {
+    return (t.trustAttributes & TRUST_ATTRIBUTE_FOREST_TRANSITIVE) !== 0;
+  });
+  return {
+    type: 'TRUST_FOREST_TRANSITIVE',
+    severity: 'medium',
+    category: 'trusts',
+    title: 'Transitive Forest Trust',
+    description:
+      'Forest trust is transitive, meaning all domains in the trusted forest can access this domain. This significantly increases the trust boundary.',
+    count: affected.length,
+    affectedEntities: includeDetails ? affected.map((t) => t.name) : undefined,
+    details:
+      affected.length > 0
+        ? {
+            recommendation:
+              'Review necessity of forest trust. Consider selective authentication and SID filtering.',
+          }
+        : undefined,
+  };
+}
+// Encryption type bit flags from msDS-SupportedEncryptionTypes
+const ENC_TYPE_DES_CBC_CRC = 0x1;
+const ENC_TYPE_DES_CBC_MD5 = 0x2;
+const ENC_TYPE_RC4_HMAC = 0x4;
+const ENC_TYPE_AES128 = 0x8;
+const ENC_TYPE_AES256 = 0x10;
+const ENC_WEAK_ONLY = ENC_TYPE_DES_CBC_CRC | ENC_TYPE_DES_CBC_MD5 | ENC_TYPE_RC4_HMAC;
+const ENC_AES_TYPES = ENC_TYPE_AES128 | ENC_TYPE_AES256;
+/**
+ * TRUST_AES_DISABLED: AES encryption not enabled on trust
+ * Forces use of weaker encryption algorithms
+ */
+export function detectTrustAesDisabled(
+  trusts: ADTrustExtended[],
+  includeDetails: boolean
+): Finding {
+  const affected = trusts.filter((t) => {
+    // Skip if encryption types not available
+    if (t.supportedEncryptionTypes === undefined) return false;
+    // Check if AES is NOT supported (neither AES128 nor AES256)
+    return (t.supportedEncryptionTypes & ENC_AES_TYPES) === 0;
+  });
+  return {
+    type: 'TRUST_AES_DISABLED',
+    severity: 'high',
+    category: 'trusts',
+    title: 'AES Encryption Disabled on Trust',
+    description:
+      'Trust relationship does not support AES encryption. This forces the use of weaker encryption algorithms (RC4/DES) which are more vulnerable to offline cracking.',
+    count: affected.length,
+    affectedEntities: includeDetails ? affected.map((t) => t.name) : undefined,
+    details:
+      affected.length > 0
+        ? {
+            recommendation:
+              'Enable AES128 and AES256 encryption on trust relationship. Ensure both domains support AES.',
+          }
+        : undefined,
+  };
+}
+/**
+ * TRUST_RC4_ONLY: Trust only supports RC4 encryption
+ * RC4 is deprecated and vulnerable to offline attacks
+ */
+export function detectTrustRc4Only(
+  trusts: ADTrustExtended[],
+  includeDetails: boolean
+): Finding {
+  const affected = trusts.filter((t) => {
+    // Skip if encryption types not available
+    if (t.supportedEncryptionTypes === undefined) return false;
+    // Check if ONLY weak encryption is supported (RC4/DES only, no AES)
+    const hasOnlyWeak =
+      (t.supportedEncryptionTypes & ENC_WEAK_ONLY) !== 0 &&
+      (t.supportedEncryptionTypes & ENC_AES_TYPES) === 0;
+    // Specifically RC4 only (not DES)
+    const isRc4Only =
+      hasOnlyWeak && (t.supportedEncryptionTypes & ENC_TYPE_RC4_HMAC) !== 0;
+    return isRc4Only;
+  });
+  return {
+    type: 'TRUST_RC4_ONLY',
+    severity: 'high',
+    category: 'trusts',
+    title: 'Trust Only Supports RC4 Encryption',
+    description:
+      'Trust relationship only supports RC4 encryption (no AES). RC4 is deprecated and Kerberos tickets encrypted with RC4 are vulnerable to offline cracking attacks.',
+    count: affected.length,
+    affectedEntities: includeDetails ? affected.map((t) => t.name) : undefined,
+    details:
+      affected.length > 0
+        ? {
+            recommendation:
+              'Enable AES encryption on trust. If the partner domain does not support AES, plan an upgrade path.',
+          }
+        : undefined,
+  };
+}
+/**
+ * TRUST_INACTIVE: Trust not modified in 180+ days
+ * May indicate abandoned or forgotten trust relationships
+ */
+export function detectTrustInactive(
+  trusts: ADTrustExtended[],
+  includeDetails: boolean
+): Finding {
+  const now = Date.now();
+  const sixMonthsAgo = now - 180 * 24 * 60 * 60 * 1000;
+  const affected = trusts.filter((t) => {
+    // Skip if whenChanged not available
+    if (!t.whenChanged) return false;
+    // Check if trust hasn't been modified in 180+ days
+    return t.whenChanged.getTime() < sixMonthsAgo;
+  });
+  return {
+    type: 'TRUST_INACTIVE',
+    severity: 'medium',
+    category: 'trusts',
+    title: 'Inactive Trust Relationship',
+    description:
+      'Trust relationship has not been modified in over 180 days. May indicate an abandoned or forgotten trust that should be reviewed for necessity.',
+    count: affected.length,
+    affectedEntities: includeDetails ? affected.map((t) => t.name) : undefined,
+    details:
+      affected.length > 0
+        ? {
+            recommendation:
+              'Review necessity of inactive trusts. Remove trusts that are no longer needed to reduce attack surface.',
+          }
+        : undefined,
+  };
+}
+/**
+ * Aggregate function: Detect all trust vulnerabilities
+ */
+export function detectTrustVulnerabilities(
+  trusts: ADTrustExtended[],
+  includeDetails: boolean
+): Finding[] {
+  return [
+    detectTrustSidFilteringDisabled(trusts, includeDetails),
+    detectTrustExternalNoSelectiveAuth(trusts, includeDetails),
+    detectTrustBidirectional(trusts, includeDetails),
+    detectTrustForestTransitive(trusts, includeDetails),
+    detectTrustAesDisabled(trusts, includeDetails),
+    detectTrustRc4Only(trusts, includeDetails),
+    detectTrustInactive(trusts, includeDetails),
+  ].filter((finding) => finding.count > 0);
+}

package/src/services/audit/detectors/azure/app-security.detector.ts ADDED Viewed

@@ -0,0 +1,246 @@
+/**
+ * App Security Vulnerability Detector for Azure AD
+ *
+ * Detects application and service principal vulnerabilities in Azure AD/Entra ID.
+ * Story 1.8: Azure Vulnerability Detection Engine
+ *
+ * Vulnerabilities detected (7):
+ * CRITICAL (1):
+ * - AZURE_APP_EXCESSIVE_GRAPH_PERMS
+ *
+ * HIGH (3):
+ * - AZURE_APP_CREDENTIAL_EXPIRED
+ * - AZURE_APP_LONG_LIVED_CREDS
+ * - AZURE_APP_MULTITENANT_UNVERIFIED
+ *
+ * MEDIUM (3):
+ * - AZURE_APP_CREDENTIAL_EXPIRING
+ * - AZURE_SP_DISABLED_WITH_CREDS
+ * - AZURE_APP_NO_OWNER
+ */
+import { AzureApp } from '../../../../types/azure.types';
+import { Finding } from '../../../../types/finding.types';
+import { toAffectedAppEntities } from '../../../../utils/entity-converter';
+/**
+ * Check for applications with excessive Microsoft Graph permissions
+ */
+export function detectAppExcessiveGraphPerms(apps: AzureApp[], includeDetails: boolean): Finding {
+  // Well-known Microsoft Graph Application Permission GUIDs
+  const dangerousPermissionIds = [
+    '1bfefb4e-e0b5-418b-a88f-73c46d1986e9', // Application.ReadWrite.All
+    '19dbc75e-c2e2-444c-a770-ec69d8559fc7', // Directory.ReadWrite.All
+    '9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8', // RoleManagement.ReadWrite.Directory
+    '741f803b-c850-494e-b5df-cde7c675a1ca', // User.ReadWrite.All
+    '62a82d76-70ea-41e2-9197-370581804d09', // Group.ReadWrite.All
+  ];
+  const dangerousPermissionNames = [
+    'Application.ReadWrite.All',
+    'Directory.ReadWrite.All',
+    'RoleManagement.ReadWrite.Directory',
+    'User.ReadWrite.All',
+    'Group.ReadWrite.All',
+  ];
+  const affected = apps.filter((app) => {
+    const permissions = (app as any).requiredResourceAccess || [];
+    return permissions.some((resource: any) => {
+      if (resource.resourceAppId === '00000003-0000-0000-c000-000000000000') {
+        // Microsoft Graph
+        return resource.resourceAccess?.some((access: any) => {
+          // Check by GUID
+          if (dangerousPermissionIds.includes(access.id)) {
+            return true;
+          }
+          // Check by permission name (if available)
+          if (access.value && dangerousPermissionNames.includes(access.value)) {
+            return true;
+          }
+          return false;
+        });
+      }
+      return false;
+    });
+  });
+  return {
+    type: 'AZURE_APP_EXCESSIVE_GRAPH_PERMS',
+    severity: 'critical',
+    category: 'applications',
+    title: 'Excessive Microsoft Graph Permissions',
+    description: 'Application with high-privilege Graph API permissions. Can access sensitive data across tenant.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedAppEntities(affected) : undefined,
+  };
+}
+/**
+ * Check for applications with expired credentials
+ */
+export function detectAppCredentialExpired(apps: AzureApp[], includeDetails: boolean): Finding {
+  const now = Date.now();
+  const affected = apps.filter((app) => {
+    const credentials = [
+      ...((app as any).passwordCredentials || []),
+      ...((app as any).keyCredentials || []),
+    ];
+    return credentials.some((cred: any) => {
+      if (!cred.endDateTime) return false;
+      return new Date(cred.endDateTime).getTime() < now;
+    });
+  });
+  return {
+    type: 'AZURE_APP_CREDENTIAL_EXPIRED',
+    severity: 'high',
+    category: 'applications',
+    title: 'Application Credential Expired',
+    description: 'Application with expired secret or certificate. May cause service disruption.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedAppEntities(affected) : undefined,
+  };
+}
+/**
+ * Check for applications with long-lived credentials (>1 year)
+ */
+export function detectAppLongLivedCreds(apps: AzureApp[], includeDetails: boolean): Finding {
+  const now = Date.now();
+  const oneYearFromNow = now + 365 * 24 * 60 * 60 * 1000;
+  const affected = apps.filter((app) => {
+    const credentials = [
+      ...((app as any).passwordCredentials || []),
+      ...((app as any).keyCredentials || []),
+    ];
+    return credentials.some((cred: any) => {
+      if (!cred.endDateTime) return false;
+      return new Date(cred.endDateTime).getTime() > oneYearFromNow;
+    });
+  });
+  return {
+    type: 'AZURE_APP_LONG_LIVED_CREDS',
+    severity: 'high',
+    category: 'applications',
+    title: 'Long-Lived Application Credentials',
+    description: 'Application credential valid for more than 1 year. Increases risk if credential is compromised.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedAppEntities(affected) : undefined,
+  };
+}
+/**
+ * Check for unverified multi-tenant applications
+ */
+export function detectAppMultitenantUnverified(apps: AzureApp[], includeDetails: boolean): Finding {
+  const affected = apps.filter((app) => {
+    const isMultiTenant = app.signInAudience === 'AzureADMultipleOrgs' || app.signInAudience === 'AzureADandPersonalMicrosoftAccount';
+    const isVerified = (app as any).publisherDomain && (app as any).verifiedPublisher;
+    return isMultiTenant && !isVerified;
+  });
+  return {
+    type: 'AZURE_APP_MULTITENANT_UNVERIFIED',
+    severity: 'high',
+    category: 'applications',
+    title: 'Unverified Multi-Tenant Application',
+    description: 'Multi-tenant application without verified publisher. Users from other tenants may be at risk.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedAppEntities(affected) : undefined,
+  };
+}
+/**
+ * Check for applications with credentials expiring soon (30 days)
+ */
+export function detectAppCredentialExpiring(apps: AzureApp[], includeDetails: boolean): Finding {
+  const now = Date.now();
+  const thirtyDaysFromNow = now + 30 * 24 * 60 * 60 * 1000;
+  const affected = apps.filter((app) => {
+    const credentials = [
+      ...((app as any).passwordCredentials || []),
+      ...((app as any).keyCredentials || []),
+    ];
+    return credentials.some((cred: any) => {
+      if (!cred.endDateTime) return false;
+      const expiry = new Date(cred.endDateTime).getTime();
+      return expiry > now && expiry < thirtyDaysFromNow;
+    });
+  });
+  return {
+    type: 'AZURE_APP_CREDENTIAL_EXPIRING',
+    severity: 'medium',
+    category: 'applications',
+    title: 'Application Credential Expiring Soon',
+    description: 'Application credential expiring within 30 days. Action required to avoid service disruption.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedAppEntities(affected) : undefined,
+  };
+}
+/**
+ * Check for disabled service principals with credentials
+ */
+export function detectSpDisabledWithCreds(apps: AzureApp[], includeDetails: boolean): Finding {
+  const affected = apps.filter((app) => {
+    const isDisabled = (app as any).accountEnabled === false;
+    const hasCredentials = ((app as any).passwordCredentials?.length > 0) || ((app as any).keyCredentials?.length > 0);
+    return isDisabled && hasCredentials;
+  });
+  return {
+    type: 'AZURE_SP_DISABLED_WITH_CREDS',
+    severity: 'medium',
+    category: 'applications',
+    title: 'Disabled Service Principal with Credentials',
+    description: 'Disabled service principal still has active credentials. Credentials should be removed.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedAppEntities(affected) : undefined,
+  };
+}
+/**
+ * Check for applications without owners
+ */
+export function detectAppNoOwner(apps: AzureApp[], includeDetails: boolean): Finding {
+  const affected = apps.filter((app) => {
+    const owners = (app as any).owners || [];
+    return owners.length === 0;
+  });
+  return {
+    type: 'AZURE_APP_NO_OWNER',
+    severity: 'medium',
+    category: 'applications',
+    title: 'Application without Owner',
+    description: 'Application has no assigned owners. Orphaned applications are difficult to manage.',
+    count: affected.length,
+    affectedEntities: includeDetails ? toAffectedAppEntities(affected) : undefined,
+  };
+}
+/**
+ * Detect all application security vulnerabilities
+ */
+export function detectAppSecurityVulnerabilities(apps: AzureApp[], includeDetails: boolean): Finding[] {
+  return [
+    detectAppExcessiveGraphPerms(apps, includeDetails),
+    detectAppCredentialExpired(apps, includeDetails),
+    detectAppLongLivedCreds(apps, includeDetails),
+    detectAppMultitenantUnverified(apps, includeDetails),
+    detectAppCredentialExpiring(apps, includeDetails),
+    detectSpDisabledWithCreds(apps, includeDetails),
+    detectAppNoOwner(apps, includeDetails),
+  ].filter((finding) => finding.count > 0);
+}