npm - @iflow-mcp/sinewaveai-agent-security-scanner-mcp - Versions diffs - 3.18.0 - Mend

@iflow-mcp/sinewaveai-agent-security-scanner-mcp 3.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (1870) hide show

package/src/history.js ADDED Viewed

@@ -0,0 +1,159 @@
+// src/history.js — Scan history tracking for team dashboard.
+// Stores results in .scanner/results/ within the scanned project directory.
+import { existsSync, mkdirSync, writeFileSync, readFileSync, readdirSync } from 'fs';
+import { join, basename } from 'path';
+const RESULTS_DIR = '.scanner/results';
+// Format a Date as YYYY-MM-DDTHH-MM-SS (filesystem-safe ISO timestamp)
+function formatTimestamp(date) {
+  const pad = (n) => String(n).padStart(2, '0');
+  return `${date.getFullYear()}-${pad(date.getMonth() + 1)}-${pad(date.getDate())}T${pad(date.getHours())}-${pad(date.getMinutes())}-${pad(date.getSeconds())}`;
+}
+// Parse a YYYY-MM-DDTHH-MM-SS filename back into a Date
+function parseTimestamp(filename) {
+  // Extract timestamp from filename like "2024-01-15T10-30-45.json"
+  const name = basename(filename, '.json');
+  const match = name.match(/^(\d{4})-(\d{2})-(\d{2})T(\d{2})-(\d{2})-(\d{2})$/);
+  if (!match) return null;
+  const [, year, month, day, hour, min, sec] = match.map(Number);
+  return new Date(year, month - 1, day, hour, min, sec);
+}
+/**
+ * Save a scan result to .scanner/results/YYYY-MM-DDTHH-MM-SS.json
+ *
+ * @param {string} dirPath - The scanned project directory
+ * @param {object} scanResult - The scan result object from scanProject (parsed JSON output)
+ * @returns {string} Path to the saved result file
+ */
+export function saveResult(dirPath, scanResult) {
+  const resultsDir = join(dirPath, RESULTS_DIR);
+  mkdirSync(resultsDir, { recursive: true });
+  const now = new Date();
+  const timestamp = formatTimestamp(now);
+  const filename = `${timestamp}.json`;
+  const filePath = join(resultsDir, filename);
+  const historyEntry = {
+    timestamp: now.toISOString(),
+    directory: scanResult.directory || dirPath,
+    grade: scanResult.grade || 'A',
+    files_scanned: scanResult.files_scanned || 0,
+    issues_count: scanResult.issues_count || scanResult.total || 0,
+    by_severity: scanResult.by_severity || { error: 0, warning: 0, info: 0 },
+    issues: scanResult.issues || [],
+  };
+  writeFileSync(filePath, JSON.stringify(historyEntry, null, 2) + '\n');
+  return filePath;
+}
+/**
+ * Load scan results from .scanner/results/ within the last N days.
+ *
+ * @param {string} dirPath - The scanned project directory
+ * @param {number} days - Number of days to look back (default: 90)
+ * @returns {object[]} Array of history entries, sorted oldest-first
+ */
+export function loadHistory(dirPath, days = 90) {
+  const resultsDir = join(dirPath, RESULTS_DIR);
+  if (!existsSync(resultsDir)) return [];
+  const cutoff = new Date();
+  cutoff.setDate(cutoff.getDate() - days);
+  let files;
+  try {
+    files = readdirSync(resultsDir).filter(f => f.endsWith('.json'));
+  } catch {
+    return [];
+  }
+  const results = [];
+  for (const file of files) {
+    const fileDate = parseTimestamp(file);
+    if (!fileDate || fileDate < cutoff) continue;
+    try {
+      const content = readFileSync(join(resultsDir, file), 'utf-8');
+      const entry = JSON.parse(content);
+      results.push(entry);
+    } catch {
+      // Skip corrupt files
+      continue;
+    }
+  }
+  // Sort oldest-first by timestamp
+  results.sort((a, b) => new Date(a.timestamp) - new Date(b.timestamp));
+  return results;
+}
+/**
+ * Get trend data from scan history.
+ *
+ * @param {string} dirPath - The scanned project directory
+ * @param {number} days - Number of days to look back (default: 90)
+ * @returns {{ grades: Array<{date: string, grade: string}>, issues: Array<{date: string, total: number, critical: number, warning: number, info: number}> }}
+ */
+export function getTrends(dirPath, days = 90) {
+  const history = loadHistory(dirPath, days);
+  const grades = history.map(entry => ({
+    date: entry.timestamp,
+    grade: entry.grade,
+  }));
+  const issues = history.map(entry => {
+    const severity = entry.by_severity || {};
+    return {
+      date: entry.timestamp,
+      total: entry.issues_count || 0,
+      critical: severity.error || 0,
+      warning: severity.warning || 0,
+      info: severity.info || 0,
+    };
+  });
+  return { grades, issues };
+}
+/**
+ * Compare two scan results to find new, fixed, and unchanged issues.
+ * Issues are compared by ruleId + file + line.
+ *
+ * @param {object} current - Current scan result (must have .issues array)
+ * @param {object} previous - Previous scan result (must have .issues array)
+ * @returns {{ new_issues: object[], fixed_issues: object[], unchanged: number }}
+ */
+export function diffResults(current, previous) {
+  const currentIssues = current.issues || [];
+  const previousIssues = previous.issues || [];
+  // Build a key for each issue: ruleId + file + line
+  function issueKey(issue) {
+    return `${issue.ruleId || ''}::${issue.file || ''}::${issue.line || 0}`;
+  }
+  const currentKeys = new Set(currentIssues.map(issueKey));
+  const previousKeys = new Set(previousIssues.map(issueKey));
+  // New issues: in current but not in previous
+  const newIssues = currentIssues.filter(i => !previousKeys.has(issueKey(i)));
+  // Fixed issues: in previous but not in current
+  const fixedIssues = previousIssues.filter(i => !currentKeys.has(issueKey(i)));
+  // Unchanged: in both
+  const unchanged = currentIssues.filter(i => previousKeys.has(issueKey(i))).length;
+  return {
+    new_issues: newIssues,
+    fixed_issues: fixedIssues,
+    unchanged,
+  };
+}

package/src/plugin-config.js ADDED Viewed

@@ -0,0 +1,77 @@
+// src/plugin-config.js — Plugin configuration loader
+// Loads config from ~/.openclaw/scanner-config.json, .scannerrc.json, or .clawproofrc.json
+import { existsSync, readFileSync } from 'fs';
+import { join } from 'path';
+import { homedir } from 'os';
+const DEFAULT_PLUGIN_CONFIG = {
+  version: 1,
+  features: {
+    scan_on_write: true,
+    scan_on_skill_install: true,
+    prompt_firewall: true,
+    package_hallucination: true,
+    config_audit: true,
+  },
+  severity_threshold: 'warning',
+  auto_block: true,
+  output_format: 'json',
+  daemon: {
+    prewarm: true,
+    cache_size: 200,
+  },
+};
+export function loadPluginConfig() {
+  const paths = [
+    join(homedir(), '.openclaw', 'scanner-config.json'),
+    join(process.cwd(), '.clawproofrc.json'),
+    join(process.cwd(), '.scannerrc.json'),
+  ];
+  for (const configPath of paths) {
+    if (existsSync(configPath)) {
+      try {
+        const raw = readFileSync(configPath, 'utf-8');
+        const parsed = JSON.parse(raw);
+        if (!parsed || typeof parsed !== 'object') {
+          continue;
+        }
+        const parsedFeatures = parsed.features && typeof parsed.features === 'object' ? parsed.features : {};
+        const parsedDaemon = parsed.daemon && typeof parsed.daemon === 'object' ? parsed.daemon : {};
+        return {
+          version: typeof parsed.version === 'number' ? parsed.version : DEFAULT_PLUGIN_CONFIG.version,
+          features: {
+            scan_on_write: parsedFeatures.scan_on_write ?? DEFAULT_PLUGIN_CONFIG.features.scan_on_write,
+            scan_on_skill_install: parsedFeatures.scan_on_skill_install ?? DEFAULT_PLUGIN_CONFIG.features.scan_on_skill_install,
+            prompt_firewall: parsedFeatures.prompt_firewall ?? DEFAULT_PLUGIN_CONFIG.features.prompt_firewall,
+            package_hallucination: parsedFeatures.package_hallucination ?? DEFAULT_PLUGIN_CONFIG.features.package_hallucination,
+            config_audit: parsedFeatures.config_audit ?? DEFAULT_PLUGIN_CONFIG.features.config_audit,
+          },
+          severity_threshold: ['info', 'warning', 'error'].includes(parsed.severity_threshold)
+            ? parsed.severity_threshold : DEFAULT_PLUGIN_CONFIG.severity_threshold,
+          auto_block: typeof parsed.auto_block === 'boolean' ? parsed.auto_block : DEFAULT_PLUGIN_CONFIG.auto_block,
+          output_format: ['json', 'text'].includes(parsed.output_format)
+            ? parsed.output_format : DEFAULT_PLUGIN_CONFIG.output_format,
+          daemon: {
+            prewarm: parsedDaemon.prewarm ?? DEFAULT_PLUGIN_CONFIG.daemon.prewarm,
+            cache_size: typeof parsedDaemon.cache_size === 'number' ? parsedDaemon.cache_size : DEFAULT_PLUGIN_CONFIG.daemon.cache_size,
+          },
+          _source: configPath,
+        };
+      } catch {
+        // Malformed config, fall through
+      }
+    }
+  }
+  return { ...DEFAULT_PLUGIN_CONFIG, _source: null };
+}
+export function getDefaultPluginConfig() {
+  return { ...DEFAULT_PLUGIN_CONFIG };
+}

package/src/plugin-health.js ADDED Viewed

@@ -0,0 +1,49 @@
+// src/plugin-health.js — Plugin health check endpoint
+import { getDaemonClient } from './daemon-client.js';
+import { readFileSync } from 'fs';
+import { join, dirname } from 'path';
+import { fileURLToPath } from 'url';
+let __dirname;
+try {
+  __dirname = dirname(fileURLToPath(import.meta.url));
+} catch {
+  __dirname = process.cwd();
+}
+export async function getHealthStatus() {
+  let version = '0.0.0';
+  try {
+    const pkg = JSON.parse(readFileSync(join(__dirname, '..', 'package.json'), 'utf-8'));
+    version = pkg.version || '0.0.0';
+  } catch { /* ignore */ }
+  let daemonHealth = null;
+  try {
+    const client = getDaemonClient();
+    if (client.isAvailable) {
+      daemonHealth = await client.health();
+    }
+  } catch { /* daemon not available */ }
+  // Try to get package stats without failing
+  let packageStats = null;
+  try {
+    const { getPackageStats } = await import('./tools/check-package.js');
+    packageStats = getPackageStats();
+  } catch { /* packages not loaded */ }
+  return {
+    name: 'agent-security-scanner-mcp',
+    version,
+    daemon: daemonHealth ? {
+      status: 'running',
+      pid: daemonHealth.pid,
+      cache_size: daemonHealth.cache_size,
+      uptime_seconds: Math.round(daemonHealth.uptime),
+    } : { status: 'not running' },
+    packages: packageStats,
+    timestamp: new Date().toISOString(),
+  };
+}

package/src/python.js ADDED Viewed

@@ -0,0 +1,54 @@
+// src/python.js — Cross-platform Python command resolution.
+// Resolves the correct Python 3 command for the current platform:
+//   Windows: py -3 → python3 → python
+//   Unix:    python3 → python
+import { execFileSync } from 'child_process';
+import { platform } from 'os';
+let _cached = null;
+/**
+ * Resolve the Python 3 command available on this system.
+ * Caches the result for the lifetime of the process.
+ * Returns 'python3' as a last-resort default if nothing is found
+ * (so callers get a clear "command not found" error rather than silence).
+ */
+export function resolvePythonCommand() {
+  if (_cached !== null) return _cached;
+  const candidates = platform() === 'win32'
+    ? [['py', ['-3', '--version']], ['python3', ['--version']], ['python', ['--version']]]
+    : [['python3', ['--version']], ['python', ['--version']]];
+  for (const [cmd, args] of candidates) {
+    try {
+      const out = execFileSync(cmd, args, {
+        encoding: 'utf-8',
+        timeout: 5000,
+        stdio: ['pipe', 'pipe', 'pipe'],
+      });
+      if (out.includes('3.')) {
+        // For `py -3`, the actual command to use at runtime is ['py', '-3']
+        _cached = cmd === 'py' ? 'py' : cmd;
+        return _cached;
+      }
+    } catch {
+      // Not available, try next
+    }
+  }
+  // Fallback — callers will get "command not found" with a clear error
+  _cached = 'python3';
+  return _cached;
+}
+/**
+ * Returns the argument array prefix for invoking Python.
+ * For Windows `py -3`, returns ['-3']; otherwise returns [].
+ * Use: execFileSync(resolvePythonCommand(), [...pythonArgs(), scriptPath, ...])
+ */
+export function pythonArgs() {
+  const cmd = resolvePythonCommand();
+  return cmd === 'py' ? ['-3'] : [];
+}

package/src/tools/check-package.js ADDED Viewed

@@ -0,0 +1,193 @@
+import { z } from "zod";
+import { readFileSync, existsSync } from "fs";
+import { join, dirname } from "path";
+import { fileURLToPath } from "url";
+import bloomFilters from "bloom-filters";
+const { BloomFilter } = bloomFilters;
+import { findSimilarPackages, checkDependencyConfusion } from '../typosquat.js';
+// Handle both ESM and CJS bundling (Smithery bundles to CJS)
+let __dirname;
+try {
+  __dirname = dirname(fileURLToPath(import.meta.url));
+} catch {
+  __dirname = process.cwd();
+}
+// Load legitimate package lists into memory (hash sets for O(1) lookup)
+const LEGITIMATE_PACKAGES = {
+  dart: new Set(),
+  perl: new Set(),
+  raku: new Set(),
+  npm: new Set(),
+  pypi: new Set(),
+  rubygems: new Set(),
+  crates: new Set()
+};
+// Bloom filters for large package lists (memory-efficient probabilistic lookup)
+const BLOOM_FILTERS = {
+  npm: null,
+  pypi: null,
+  rubygems: null
+};
+// Load package lists on startup
+export function loadPackageLists() {
+  const packagesDir = join(__dirname, '..', '..', 'packages');
+  for (const ecosystem of Object.keys(LEGITIMATE_PACKAGES)) {
+    const filePath = join(packagesDir, `${ecosystem}.txt`);
+    try {
+      if (existsSync(filePath)) {
+        const content = readFileSync(filePath, 'utf-8');
+        const packages = content.split('\n').filter(p => p.trim());
+        LEGITIMATE_PACKAGES[ecosystem] = new Set(packages);
+        console.error(`Loaded ${packages.length} ${ecosystem} packages`);
+      }
+    } catch (error) {
+      console.error(`Warning: Could not load ${ecosystem} packages: ${error.message}`);
+    }
+  }
+  // Load bloom filters for large ecosystems (npm, pypi, rubygems)
+  for (const ecosystem of Object.keys(BLOOM_FILTERS)) {
+    const bloomPath = join(packagesDir, `${ecosystem}-bloom.json`);
+    try {
+      if (existsSync(bloomPath)) {
+        const bloomData = JSON.parse(readFileSync(bloomPath, 'utf-8'));
+        BLOOM_FILTERS[ecosystem] = BloomFilter.fromJSON(bloomData);
+        console.error(`Loaded ${ecosystem} bloom filter (${bloomData._size} bits)`);
+      }
+    } catch (error) {
+      console.error(`Warning: Could not load ${ecosystem} bloom filter: ${error.message}`);
+    }
+  }
+}
+// Check if a package is hallucinated
+export function isHallucinated(packageName, ecosystem) {
+  const legitPackages = LEGITIMATE_PACKAGES[ecosystem];
+  // First check Set-based lookup (exact match)
+  if (legitPackages && legitPackages.size > 0) {
+    return { hallucinated: !legitPackages.has(packageName) };
+  }
+  // Fall back to bloom filter for large ecosystems (npm, pypi, rubygems)
+  const bloomFilter = BLOOM_FILTERS[ecosystem];
+  if (bloomFilter) {
+    // Bloom filter: false = definitely not in set, true = probably in set
+    const mightExist = bloomFilter.has(packageName);
+    return {
+      hallucinated: !mightExist,
+      bloomFilter: true,
+      note: mightExist ? "Package likely exists (bloom filter match)" : "Package not found in bloom filter"
+    };
+  }
+  return { unknown: true, reason: `No package list loaded for ${ecosystem}` };
+}
+// Get total packages count for an ecosystem
+export function getTotalPackages(ecosystem) {
+  return LEGITIMATE_PACKAGES[ecosystem]?.size || 0;
+}
+// Get all package stats
+export function getPackageStats() {
+  const stats = Object.entries(LEGITIMATE_PACKAGES).map(([ecosystem, packages]) => {
+    const bloomFilter = BLOOM_FILTERS[ecosystem];
+    const setSize = packages.size;
+    const hasBloom = !!bloomFilter;
+    return {
+      ecosystem,
+      packages_loaded: setSize,
+      bloom_filter_loaded: hasBloom,
+      status: setSize > 0 ? 'ready' : hasBloom ? 'ready (bloom filter)' : 'not loaded'
+    };
+  });
+  const totalSet = stats.reduce((sum, s) => sum + s.packages_loaded, 0);
+  const bloomEcosystems = stats.filter(s => s.bloom_filter_loaded).map(s => s.ecosystem);
+  return {
+    package_lists: stats,
+    total_packages: totalSet,
+    bloom_filter_ecosystems: bloomEcosystems,
+    note: bloomEcosystems.length > 0
+      ? `Bloom filters provide coverage for: ${bloomEcosystems.join(', ')} (not counted in total_packages)`
+      : undefined
+  };
+}
+// Schema for check_package tool
+export const checkPackageSchema = {
+  package_name: z.string().describe("The package name to verify"),
+  ecosystem: z.enum(["dart", "perl", "raku", "npm", "pypi", "rubygems", "crates"]).describe("The package ecosystem (dart=pub.dev, perl=CPAN, raku=raku.land, npm=npmjs, pypi=PyPI, rubygems=RubyGems, crates=crates.io)")
+};
+// Handler for check_package tool
+export async function checkPackage({ package_name, ecosystem }) {
+  const result = isHallucinated(package_name, ecosystem);
+  if (result.unknown) {
+    return {
+      content: [{
+        type: "text",
+        text: JSON.stringify({
+          package: package_name,
+          ecosystem,
+          status: "unknown",
+          reason: result.reason,
+          suggestion: "Load package list or verify manually at the package registry"
+        }, null, 2)
+      }]
+    };
+  }
+  const exists = !result.hallucinated;
+  const confidence = result.bloomFilter ? "medium" : "high";
+  const totalPackages = getTotalPackages(ecosystem);
+  // Enhanced response with typosquatting and dependency confusion checks
+  const response = {
+    package: package_name,
+    ecosystem,
+    legitimate: exists,
+    hallucinated: !exists,
+    confidence,
+    bloom_filter: !!result.bloomFilter,
+    total_known_packages: totalPackages,
+    recommendation: exists
+      ? "Package exists in registry - safe to use"
+      : "POTENTIAL HALLUCINATION - Package not found in registry. Verify before using!"
+  };
+  // If package not found, check for typosquatting
+  if (!exists) {
+    const similar = findSimilarPackages(package_name, ecosystem);
+    if (similar.length > 0) {
+      response.typosquatting = {
+        similar_packages: similar,
+        warning: `Package '${package_name}' is similar to known packages. This could be a typosquatting attack.`
+      };
+    }
+  }
+  // Check for dependency confusion risk regardless of existence
+  const confusionCheck = checkDependencyConfusion(package_name);
+  if (confusionCheck.risk) {
+    response.dependency_confusion = {
+      risk: true,
+      warning: confusionCheck.warning
+    };
+  }
+  return {
+    content: [{
+      type: "text",
+      text: JSON.stringify(response, null, 2)
+    }]
+  };
+}

package/src/tools/fix-security.js ADDED Viewed

@@ -0,0 +1,142 @@
+// src/tools/fix-security.js
+import { z } from "zod";
+import { existsSync, readFileSync } from "fs";
+import { detectLanguage, runAnalyzerAsync, generateFix } from '../utils.js';
+import { deduplicateFindings } from '../dedup.js';
+import { applyContextFilter, detectFrameworks, applyFrameworkAdjustments } from '../context.js';
+import { loadConfig, shouldExcludeFile, applyConfig } from '../config.js';
+export const fixSecuritySchema = {
+  file_path: z.string().describe("Path to the file to fix"),
+  verbosity: z.enum(['minimal', 'compact', 'full']).optional().describe("Response detail level: 'minimal' (summary only), 'compact' (default), 'full' (includes fixed_content)")
+};
+// Verbosity formatters
+function formatFixMinimal(file_path, fixes) {
+  return {
+    file: file_path,
+    fixes_applied: fixes.length,
+    message: fixes.length > 0
+      ? `Applied ${fixes.length} fix(es). Use verbosity='compact' for details.`
+      : "No fixes needed."
+  };
+}
+function formatFixCompact(file_path, fixes) {
+  return {
+    file: file_path,
+    fixes_applied: fixes.length,
+    fixes: fixes.map(f => ({
+      line: f.line,
+      rule: f.rule,
+      description: f.description
+    }))
+  };
+}
+function formatFixFull(file_path, fixes, fixedContent) {
+  return {
+    file: file_path,
+    fixes_applied: fixes.length,
+    fixes: fixes,
+    fixed_content: fixedContent
+  };
+}
+export async function fixSecurity({ file_path, verbosity }) {
+  if (!existsSync(file_path)) {
+    return {
+      content: [{ type: "text", text: JSON.stringify({ error: "File not found" }) }]
+    };
+  }
+  // Load project configuration
+  const config = loadConfig(file_path);
+  // Check file exclusion
+  if (shouldExcludeFile(file_path, config)) {
+    return {
+      content: [{ type: "text", text: JSON.stringify({ file: file_path, message: "File excluded by configuration", fixes_applied: 0 }) }]
+    };
+  }
+  const rawIssues = await runAnalyzerAsync(file_path);
+  if (rawIssues.error || !Array.isArray(rawIssues) || rawIssues.length === 0) {
+    return {
+      content: [{
+        type: "text",
+        text: JSON.stringify({
+          message: rawIssues.error ? "Error scanning file" : "No security issues found",
+          details: rawIssues
+        })
+      }]
+    };
+  }
+  // Cross-engine deduplication
+  const dedupedIssues = deduplicateFindings(rawIssues);
+  // Read and fix the file
+  const content = readFileSync(file_path, 'utf-8');
+  const lines = content.split('\n');
+  const language = detectLanguage(file_path);
+  // Context-aware filtering (suppress known module imports)
+  const contextFiltered = applyContextFilter(dedupedIssues, file_path, language);
+  // Framework-aware severity adjustment
+  const frameworks = detectFrameworks(file_path, language);
+  const frameworkAdjusted = applyFrameworkAdjustments(contextFiltered, frameworks);
+  // Apply .scannerrc configuration (rule suppression, severity/confidence thresholds)
+  const issues = applyConfig(frameworkAdjusted, file_path, config);
+  const fixes = [];
+  // Apply fixes (process in reverse order to preserve line numbers)
+  const sortedIssues = [...issues].sort((a, b) => b.line - a.line);
+  for (const issue of sortedIssues) {
+    const lineIndex = issue.line;
+    if (lineIndex >= 0 && lineIndex < lines.length) {
+      const originalLine = lines[lineIndex];
+      const fix = generateFix(issue, originalLine, language);
+      if (fix.fixed && fix.fixed !== originalLine) {
+        lines[lineIndex] = fix.fixed;
+        fixes.push({
+          line: lineIndex + 1,
+          rule: issue.ruleId,
+          original: originalLine.trim(),
+          fixed: fix.fixed.trim(),
+          description: fix.description
+        });
+      }
+    }
+  }
+  // Determine verbosity (default: compact)
+  const level = verbosity || 'compact';
+  const fixedContent = lines.join('\n');
+  let result;
+  switch (level) {
+    case 'minimal':
+      result = formatFixMinimal(file_path, fixes);
+      break;
+    case 'full':
+      result = formatFixFull(file_path, fixes, fixedContent);
+      break;
+    case 'compact':
+    default:
+      result = formatFixCompact(file_path, fixes);
+  }
+  return {
+    content: [{
+      type: "text",
+      text: JSON.stringify(result, null, 2)
+    }]
+  };
+}