@iflow-mcp/sinewaveai-agent-security-scanner-mcp 3.18.0

package/src/config.js

@@ -0,0 +1,250 @@
+// .scannerrc configuration loading and filtering.
+// Supports YAML (.scannerrc.yaml/.yml) and JSON (.scannerrc.json) project configs.
+
+import { existsSync, readFileSync } from 'fs';
+import { dirname, join, resolve, sep } from 'path';
+import { execFileSync } from 'child_process';
+import { resolvePythonCommand, pythonArgs } from './python.js';
+
+const DEFAULT_CONFIG = {
+  version: 1,
+  suppress: [],
+  exclude: ['node_modules/**', 'vendor/**', 'dist/**', '**/*.min.js'],
+  severity_threshold: 'info',
+  confidence_threshold: 'LOW',
+  policy: {
+    block_on: 'error',       // severity that causes a policy failure: 'error', 'warning', 'info'
+    max_critical: null,       // max allowed critical issues (null = no limit)
+    max_warning: null,        // max allowed warnings (null = no limit)
+    required_grade: null,     // minimum required grade: 'A', 'B', 'C', 'D', 'F' (null = no requirement)
+  },
+};
+
+const SEVERITY_ORDER = { info: 0, warning: 1, error: 2 };
+const CONFIDENCE_ORDER = { LOW: 0, MEDIUM: 1, HIGH: 2 };
+
+// Simple glob-to-regex converter (no external dependency)
+function globToRegex(pattern) {
+  let regex = '';
+  let i = 0;
+  while (i < pattern.length) {
+    const c = pattern[i];
+    if (c === '*') {
+      if (pattern[i + 1] === '*') {
+        if (pattern[i + 2] === '/') {
+          regex += '(?:.+/)?';
+          i += 3;
+          continue;
+        }
+        regex += '.*';
+        i += 2;
+        continue;
+      }
+      regex += '[^/]*';
+    } else if (c === '?') {
+      regex += '[^/]';
+    } else if (c === '{') {
+      regex += '(?:';
+    } else if (c === '}') {
+      regex += ')';
+    } else if (c === ',') {
+      regex += '|';
+    } else if ('.+^$|()[]\\'.includes(c)) {
+      regex += '\\' + c;
+    } else {
+      regex += c;
+    }
+    i++;
+  }
+  return new RegExp('^' + regex + '$');
+}
+
+export function matchGlob(filePath, pattern) {
+  // Normalize path separators
+  const normalized = filePath.replace(/\\/g, '/');
+  const re = globToRegex(pattern);
+  // Test against both full path and basename
+  return re.test(normalized) || re.test(normalized.split('/').pop());
+}
+
+// Walk up from filePath to find config file
+function findConfigFile(startPath) {
+  const names = ['.scannerrc.yaml', '.scannerrc.yml', '.scannerrc.json'];
+  let dir = resolve(dirname(startPath));
+  const root = resolve('/');
+
+  for (let i = 0; i < 50; i++) {
+    for (const name of names) {
+      const candidate = join(dir, name);
+      if (existsSync(candidate)) return candidate;
+    }
+    const parent = dirname(dir);
+    if (parent === dir || dir === root) break;
+    dir = parent;
+  }
+  return null;
+}
+
+function parseYaml(filePath) {
+  try {
+    const pyCmd = resolvePythonCommand();
+    const result = execFileSync(pyCmd, [
+      ...pythonArgs(),
+      '-c',
+      'import yaml,json,sys; print(json.dumps(yaml.safe_load(open(sys.argv[1]))))',
+      filePath,
+    ], { encoding: 'utf-8', timeout: 5000 });
+    return JSON.parse(result.trim());
+  } catch {
+    // Fallback: try simple key-value parsing for basic configs
+    return null;
+  }
+}
+
+export function loadConfig(filePath) {
+  const configFile = findConfigFile(filePath);
+  if (!configFile) return { ...DEFAULT_CONFIG };
+
+  try {
+    let parsed;
+    if (configFile.endsWith('.json')) {
+      parsed = JSON.parse(readFileSync(configFile, 'utf-8'));
+    } else {
+      parsed = parseYaml(configFile);
+    }
+
+    if (!parsed || typeof parsed !== 'object') return { ...DEFAULT_CONFIG };
+
+    const parsedPolicy = parsed.policy && typeof parsed.policy === 'object' ? parsed.policy : {};
+    return {
+      version: parsed.version || DEFAULT_CONFIG.version,
+      suppress: Array.isArray(parsed.suppress) ? parsed.suppress : DEFAULT_CONFIG.suppress,
+      exclude: Array.isArray(parsed.exclude) ? parsed.exclude : DEFAULT_CONFIG.exclude,
+      severity_threshold: parsed.severity_threshold || DEFAULT_CONFIG.severity_threshold,
+      confidence_threshold: parsed.confidence_threshold || DEFAULT_CONFIG.confidence_threshold,
+      policy: {
+        block_on: parsedPolicy.block_on || DEFAULT_CONFIG.policy.block_on,
+        max_critical: parsedPolicy.max_critical ?? DEFAULT_CONFIG.policy.max_critical,
+        max_warning: parsedPolicy.max_warning ?? DEFAULT_CONFIG.policy.max_warning,
+        required_grade: parsedPolicy.required_grade ?? DEFAULT_CONFIG.policy.required_grade,
+      },
+    };
+  } catch {
+    return { ...DEFAULT_CONFIG };
+  }
+}
+
+export function shouldExcludeFile(filePath, config) {
+  if (!config.exclude || config.exclude.length === 0) return false;
+  const normalized = filePath.replace(/\\/g, '/');
+  return config.exclude.some(pattern => matchGlob(normalized, pattern));
+}
+
+export function shouldSuppressRule(ruleId, filePath, config) {
+  if (!config.suppress || config.suppress.length === 0) return false;
+
+  for (const entry of config.suppress) {
+    const rule = typeof entry === 'string' ? entry : entry.rule;
+    if (!rule) continue;
+
+    // Check if rule pattern matches
+    const ruleMatches = matchGlob(ruleId, rule);
+    if (!ruleMatches) continue;
+
+    // Check path restriction if present
+    if (entry.paths && Array.isArray(entry.paths)) {
+      const normalized = filePath.replace(/\\/g, '/');
+      const pathMatches = entry.paths.some(p => matchGlob(normalized, p));
+      if (!pathMatches) continue;
+    }
+
+    return true;
+  }
+
+  return false;
+}
+
+export function meetsSeverityThreshold(severity, config) {
+  const threshold = config.severity_threshold || 'info';
+  const severityLevel = SEVERITY_ORDER[severity] ?? 0;
+  const thresholdLevel = SEVERITY_ORDER[threshold] ?? 0;
+  return severityLevel >= thresholdLevel;
+}
+
+export function meetsConfidenceThreshold(confidence, config) {
+  const threshold = config.confidence_threshold || 'LOW';
+  const confidenceLevel = CONFIDENCE_ORDER[confidence] ?? 0;
+  const thresholdLevel = CONFIDENCE_ORDER[threshold] ?? 0;
+  return confidenceLevel >= thresholdLevel;
+}
+
+const GRADE_ORDER = { A: 4, B: 3, C: 2, D: 1, F: 0 };
+
+export function evaluatePolicy(scanResult, config) {
+  const violations = [];
+  const policy = config && config.policy ? config.policy : DEFAULT_CONFIG.policy;
+
+  // Check block_on severity
+  const blockOn = policy.block_on || 'error';
+  const severityKeys = [];
+  if (blockOn === 'info') severityKeys.push('info', 'warning', 'error');
+  else if (blockOn === 'warning') severityKeys.push('warning', 'error');
+  else severityKeys.push('error');
+
+  const bySeverity = scanResult.by_severity || {};
+  for (const key of severityKeys) {
+    if ((bySeverity[key] || 0) > 0) {
+      violations.push(`Policy violation: found ${bySeverity[key]} ${key} issue(s) (block_on: ${blockOn})`);
+      break;
+    }
+  }
+
+  // Check max_critical
+  if (policy.max_critical !== null && policy.max_critical !== undefined) {
+    const criticalCount = bySeverity.error || 0;
+    if (criticalCount > policy.max_critical) {
+      violations.push(`Policy violation: ${criticalCount} critical issue(s) exceeds max_critical (${policy.max_critical})`);
+    }
+  }
+
+  // Check max_warning
+  if (policy.max_warning !== null && policy.max_warning !== undefined) {
+    const warningCount = bySeverity.warning || 0;
+    if (warningCount > policy.max_warning) {
+      violations.push(`Policy violation: ${warningCount} warning(s) exceeds max_warning (${policy.max_warning})`);
+    }
+  }
+
+  // Check required_grade
+  if (policy.required_grade) {
+    const actualGrade = scanResult.grade || 'A';
+    const requiredLevel = GRADE_ORDER[policy.required_grade] ?? 0;
+    const actualLevel = GRADE_ORDER[actualGrade] ?? 0;
+    if (actualLevel < requiredLevel) {
+      violations.push(`Policy violation: grade ${actualGrade} does not meet required_grade (${policy.required_grade})`);
+    }
+  }
+
+  return {
+    passed: violations.length === 0,
+    violations,
+  };
+}
+
+export function applyConfig(findings, filePath, config) {
+  if (!Array.isArray(findings)) return findings;
+  if (!config) return findings;
+
+  return findings.filter(finding => {
+    // Check rule suppression
+    if (shouldSuppressRule(finding.ruleId, filePath, config)) return false;
+
+    // Check severity threshold
+    if (!meetsSeverityThreshold(finding.severity, config)) return false;
+
+    // Check confidence threshold
+    if (!meetsConfidenceThreshold(finding.confidence || 'MEDIUM', config)) return false;
+
+    return true;
+  });
+}

package/src/context.js

@@ -0,0 +1,293 @@
+// Context-aware filtering to reduce false positives.
+// Suppresses findings on import-only lines for known standard/popular modules.
+
+import { existsSync, readFileSync } from 'fs';
+import { dirname, join } from 'path';
+
+// Known safe standard library and popular modules per language
+const KNOWN_MODULES = {
+  javascript: new Set([
+    // Node.js builtins
+    'assert', 'buffer', 'child_process', 'cluster', 'crypto', 'dgram',
+    'dns', 'events', 'fs', 'http', 'http2', 'https', 'net', 'os',
+    'path', 'perf_hooks', 'process', 'querystring', 'readline', 'stream',
+    'string_decoder', 'timers', 'tls', 'tty', 'url', 'util', 'v8',
+    'vm', 'worker_threads', 'zlib',
+    // Popular frameworks/libraries
+    'express', 'koa', 'fastify', 'hapi', 'next', 'nuxt',
+    'react', 'react-dom', 'vue', 'angular', 'svelte',
+    'lodash', 'underscore', 'ramda',
+    'axios', 'node-fetch', 'got', 'superagent',
+    'moment', 'dayjs', 'date-fns', 'luxon',
+    'winston', 'morgan', 'pino', 'bunyan',
+    'helmet', 'cors', 'body-parser', 'cookie-parser', 'compression',
+    'passport', 'jsonwebtoken', 'bcrypt', 'bcryptjs',
+    'jest', 'mocha', 'chai', 'vitest', 'sinon', 'tape',
+    'typescript', 'webpack', 'vite', 'esbuild', 'rollup', 'parcel',
+    'mysql', 'mysql2', 'pg', 'mongodb', 'mongoose', 'redis', 'ioredis',
+    'sequelize', 'knex', 'prisma', 'typeorm', 'drizzle-orm',
+    'zod', 'joi', 'yup', 'ajv',
+    'dotenv', 'config', 'commander', 'yargs',
+    'chalk', 'debug', 'uuid', 'nanoid',
+    'socket.io', 'ws',
+  ]),
+  typescript: new Set([
+    // Same as JavaScript - TS shares the same ecosystem
+    'assert', 'buffer', 'child_process', 'cluster', 'crypto', 'dgram',
+    'dns', 'events', 'fs', 'http', 'http2', 'https', 'net', 'os',
+    'path', 'process', 'querystring', 'readline', 'stream', 'tls',
+    'url', 'util', 'worker_threads', 'zlib',
+    'express', 'koa', 'fastify', 'next', 'nuxt',
+    'react', 'react-dom', 'vue', 'angular', 'svelte',
+    'lodash', 'axios', 'node-fetch',
+    'helmet', 'cors', 'body-parser',
+    'jest', 'mocha', 'vitest',
+    'typescript', 'webpack', 'vite', 'esbuild',
+    'mysql', 'mysql2', 'pg', 'mongodb', 'mongoose', 'redis',
+    'sequelize', 'knex', 'prisma', 'typeorm',
+    'zod', 'joi',
+  ]),
+  python: new Set([
+    // Standard library
+    'os', 'sys', 'json', 'math', 'datetime', 'collections', 're',
+    'pathlib', 'typing', 'abc', 'io', 'subprocess', 'shutil',
+    'hashlib', 'hmac', 'secrets', 'sqlite3', 'csv', 'xml',
+    'urllib', 'http', 'socket', 'ssl', 'email', 'logging',
+    'unittest', 'argparse', 'configparser', 'functools', 'itertools',
+    'contextlib', 'dataclasses', 'enum', 'struct', 'copy', 'pprint',
+    'textwrap', 'string', 'codecs', 'base64', 'binascii',
+    'threading', 'multiprocessing', 'asyncio', 'concurrent',
+    'pickle', 'shelve', 'marshal', 'dbm',
+    'tempfile', 'glob', 'fnmatch', 'stat',
+    'time', 'calendar', 'locale', 'gettext',
+    'random', 'statistics',
+    // Popular packages
+    'pytest', 'mock', 'coverage',
+    'flask', 'django', 'fastapi', 'starlette', 'uvicorn', 'gunicorn',
+    'requests', 'httpx', 'aiohttp', 'urllib3',
+    'sqlalchemy', 'alembic', 'psycopg2', 'pymongo',
+    'celery', 'redis', 'boto3', 'botocore',
+    'numpy', 'pandas', 'scipy', 'matplotlib',
+    'pydantic', 'marshmallow', 'attrs',
+    'click', 'typer', 'rich',
+    'yaml', 'toml', 'dotenv',
+  ]),
+  ruby: new Set([
+    'rails', 'sinatra', 'rack', 'puma', 'unicorn',
+    'bundler', 'rake', 'rspec', 'minitest',
+    'activerecord', 'activesupport', 'actionpack',
+    'devise', 'pundit', 'cancancan',
+    'json', 'yaml', 'csv', 'net/http', 'uri', 'openssl',
+    'fileutils', 'pathname', 'tempfile', 'logger',
+  ]),
+  go: new Set([
+    'fmt', 'os', 'io', 'net', 'net/http', 'encoding/json',
+    'encoding/xml', 'crypto', 'crypto/tls', 'database/sql',
+    'sync', 'context', 'errors', 'strings', 'strconv',
+    'path', 'path/filepath', 'log', 'testing', 'time',
+    'math', 'sort', 'regexp', 'reflect', 'bufio',
+  ]),
+};
+
+// Patterns that identify import-only lines (no actual code execution)
+const IMPORT_ONLY_PATTERNS = [
+  // JS/TS require
+  /^\s*(const|let|var)\s+\w+\s*=\s*require\s*\(\s*['"][^'"]+['"]\s*\)\s*;?\s*$/,
+  /^\s*(const|let|var)\s+\{[^}]+\}\s*=\s*require\s*\(\s*['"][^'"]+['"]\s*\)\s*;?\s*$/,
+  // JS/TS import
+  /^\s*import\s+.*\s+from\s+['"][^'"]+['"]\s*;?\s*$/,
+  /^\s*import\s+['"][^'"]+['"]\s*;?\s*$/,
+  /^\s*import\s+\w+\s*$/,
+  // Python import
+  /^\s*import\s+[a-zA-Z_][\w.]*\s*(,\s*[a-zA-Z_][\w.]*)*\s*$/,
+  /^\s*from\s+[a-zA-Z_][\w.]*\s+import\s+/,
+  // Ruby require
+  /^\s*require\s+['"][^'"]+['"]\s*$/,
+  /^\s*require_relative\s+['"][^'"]+['"]\s*$/,
+  // Go import (single line)
+  /^\s*"[a-zA-Z_][\w/.]*"\s*$/,
+];
+
+export function isImportOnly(line) {
+  let trimmed = line.trim();
+  if (!trimmed) return false;
+  // Strip trailing single-line comments (JS/Python/Ruby)
+  trimmed = trimmed.replace(/\s*\/\/.*$/, '').replace(/\s*#(?!!).*$/, '').trim();
+  if (!trimmed) return false;
+  return IMPORT_ONLY_PATTERNS.some(p => p.test(trimmed));
+}
+
+export function isKnownModule(moduleName, language) {
+  const modules = KNOWN_MODULES[language];
+  if (!modules) return false;
+  // Handle scoped packages (@org/pkg -> check full name)
+  // Handle subpath imports (child_process -> child_process)
+  const baseName = moduleName.split('/')[0];
+  return modules.has(moduleName) || modules.has(baseName);
+}
+
+// Extract module name from a line of code
+function extractModuleName(line) {
+  // JS/TS: require("module") or require('module')
+  const requireMatch = line.match(/require\s*\(\s*['"]([^'"]+)['"]\s*\)/);
+  if (requireMatch) return requireMatch[1];
+
+  // JS/TS: import ... from "module"
+  const importFromMatch = line.match(/from\s+['"]([^'"]+)['"]/);
+  if (importFromMatch) return importFromMatch[1];
+
+  // Python: import module or from module import ...
+  const pyImportMatch = line.match(/^\s*import\s+([a-zA-Z_][\w]*)/);
+  if (pyImportMatch) return pyImportMatch[1];
+
+  const pyFromMatch = line.match(/^\s*from\s+([a-zA-Z_][\w]*)/);
+  if (pyFromMatch) return pyFromMatch[1];
+
+  return null;
+}
+
+// Variable names that indicate non-security use of weak hashing (MD5/SHA1)
+const NON_SECURITY_HASH_VARS = new Set([
+  'checksum', 'digest', 'etag', 'e_tag', 'hash_value', 'file_hash',
+  'content_hash', 'cache_key', 'fingerprint', 'hex_digest', 'hexdigest',
+]);
+
+// Inline suppression comments
+const NOSEC_PATTERN = /(?:\/\/|#|\/\*)\s*nosec\b/i;
+
+// Test file path patterns
+const TEST_FILE_PATTERNS = [
+  /[/\\]tests?[/\\]/i,
+  /[/\\]__tests__[/\\]/i,
+  /[/\\]spec[/\\]/i,
+  /[._](?:test|spec)\.[^.]+$/i,
+  /[/\\]test[-_]?files?[/\\]/i,
+  /[/\\]fixtures?[/\\]/i,
+  /[/\\]__fixtures__[/\\]/i,
+  /[/\\]__mocks__[/\\]/i,
+  /[/\\]mocks?[/\\]/i,
+  /[/\\]demo[/\\]/i,
+  /[/\\]test[-_][^/\\]+\.[^.]+$/i,
+];
+
+// Check if a file path looks like a test file
+export function isTestFile(filePath) {
+  return TEST_FILE_PATTERNS.some(p => p.test(filePath));
+}
+
+// Check if a line has a nosec suppression comment
+export function hasNosecComment(line) {
+  return NOSEC_PATTERN.test(line);
+}
+
+// Check if a variable name on a line suggests non-security hash usage
+function isNonSecurityHashUsage(line) {
+  const lower = line.toLowerCase();
+  for (const varName of NON_SECURITY_HASH_VARS) {
+    if (lower.includes(varName)) return true;
+  }
+  return false;
+}
+
+// Filter findings based on context awareness
+export function applyContextFilter(findings, filePath, language) {
+  if (!Array.isArray(findings) || findings.length === 0) return findings;
+
+  let lines = [];
+  try {
+    if (existsSync(filePath)) {
+      lines = readFileSync(filePath, 'utf-8').split('\n');
+    }
+  } catch {
+    return findings;
+  }
+
+  const inTestFile = isTestFile(filePath);
+
+  return findings.filter(finding => {
+    const line = lines[finding.line] || '';
+    const ruleId = finding.ruleId?.toLowerCase() || '';
+
+    // Inline suppression: // nosec or # nosec
+    if (hasNosecComment(line)) {
+      return false;
+    }
+
+    // Variable-name heuristic: MD5/SHA1 used for checksums → downgrade to info
+    if ((ruleId.includes('md5') || ruleId.includes('sha1')) && isNonSecurityHashUsage(line)) {
+      finding.severity = 'info';
+      finding.contextNote = 'Non-security hash usage (checksum/digest/etag)';
+    }
+
+    // Test file heuristic: downgrade hardcoded secrets in test files to warning
+    if (inTestFile && (ruleId.includes('hardcoded') || ruleId.includes('secret') || ruleId.includes('password') || ruleId.includes('api-key'))) {
+      if (finding.severity === 'error') {
+        finding.severity = 'warning';
+        finding.contextNote = 'Hardcoded secret in test file';
+      }
+    }
+
+    // Import-only filter
+    if (!isImportOnly(line)) return true;
+
+    // Check if the module is known/safe
+    const moduleName = extractModuleName(line);
+    if (moduleName && isKnownModule(moduleName, language)) {
+      return false; // Suppress finding on known module import
+    }
+
+    return true;
+  });
+}
+
+// Framework/middleware detection patterns
+const FRAMEWORK_PATTERNS = {
+  helmet: { pattern: /require\s*\(\s*['"]helmet['"]\s*\)|from\s+['"]helmet['"]|import\s+.*helmet/, languages: ['javascript', 'typescript'] },
+  dompurify: { pattern: /require\s*\(\s*['"](?:dompurify|isomorphic-dompurify)['"]\s*\)|from\s+['"](?:dompurify|isomorphic-dompurify)['"]|import\s+.*(?:dompurify|DOMPurify)/, languages: ['javascript', 'typescript'] },
+  csurf: { pattern: /require\s*\(\s*['"]csurf['"]\s*\)|from\s+['"]csurf['"]/, languages: ['javascript', 'typescript'] },
+  cors: { pattern: /require\s*\(\s*['"]cors['"]\s*\)|from\s+['"]cors['"]/, languages: ['javascript', 'typescript'] },
+  prisma: { pattern: /from\s+prisma|import\s+prisma|@prisma\/client/, languages: ['javascript', 'typescript', 'python'] },
+  bcrypt: { pattern: /import\s+bcrypt|from\s+bcrypt|require\s*\(\s*['"]bcryptjs?['"]\s*\)/, languages: ['javascript', 'typescript', 'python'] },
+};
+
+// Maps framework -> which rule categories it mitigates -> downgraded severity
+const SEVERITY_DOWNGRADE = {
+  helmet: { mitigates: ['xss', 'innerhtml', 'outerhtml', 'document-write', 'cors-wildcard'], to: 'warning' },
+  dompurify: { mitigates: ['xss', 'innerhtml', 'outerhtml', 'dangerouslysetinnerhtml', 'insertadjacenthtml', 'document-write'], to: 'warning' },
+  csurf: { mitigates: ['csrf'], to: 'warning' },
+  cors: { mitigates: ['cors-wildcard'], to: 'info' },
+  prisma: { mitigates: ['sql-injection', 'nosql-injection', 'raw-query'], to: 'warning' },
+  bcrypt: { mitigates: ['md5', 'sha1', 'weak-hash', 'weak-cipher'], to: 'info' },
+};
+
+export function detectFrameworks(filePath, language) {
+  const detected = [];
+  try {
+    if (!existsSync(filePath)) return detected;
+    const content = readFileSync(filePath, 'utf-8');
+    for (const [name, config] of Object.entries(FRAMEWORK_PATTERNS)) {
+      if (config.languages.includes(language) && config.pattern.test(content)) {
+        detected.push(name);
+      }
+    }
+  } catch {
+    // Ignore read errors
+  }
+  return detected;
+}
+
+export function applyFrameworkAdjustments(findings, frameworks) {
+  if (!Array.isArray(findings) || findings.length === 0 || frameworks.length === 0) return findings;
+
+  return findings.map(finding => {
+    const ruleId = finding.ruleId?.toLowerCase() || '';
+    for (const fw of frameworks) {
+      const downgrade = SEVERITY_DOWNGRADE[fw];
+      if (!downgrade) continue;
+      if (downgrade.mitigates.some(m => ruleId.includes(m))) {
+        return { ...finding, severity: downgrade.to, frameworkMitigated: fw };
+      }
+    }
+    return finding;
+  });
+}