@nahisaho/musubix-security 1.8.0
- package/README.md +105 -0
- package/bin/musubix-security-mcp.js +12 -0
- package/bin/musubix-security.js +12 -0
- package/dist/analysis/dependency-auditor.d.ts +30 -0
- package/dist/analysis/dependency-auditor.d.ts.map +1 -0
- package/dist/analysis/dependency-auditor.js +325 -0
- package/dist/analysis/dependency-auditor.js.map +1 -0
- package/dist/analysis/index.d.ts +9 -0
- package/dist/analysis/index.d.ts.map +1 -0
- package/dist/analysis/index.js +9 -0
- package/dist/analysis/index.js.map +1 -0
- package/dist/analysis/secret-detector.d.ts +44 -0
- package/dist/analysis/secret-detector.d.ts.map +1 -0
- package/dist/analysis/secret-detector.js +465 -0
- package/dist/analysis/secret-detector.js.map +1 -0
- package/dist/analysis/taint-analyzer.d.ts +62 -0
- package/dist/analysis/taint-analyzer.d.ts.map +1 -0
- package/dist/analysis/taint-analyzer.js +519 -0
- package/dist/analysis/taint-analyzer.js.map +1 -0
- package/dist/analysis/vulnerability-scanner.d.ts +58 -0
- package/dist/analysis/vulnerability-scanner.d.ts.map +1 -0
- package/dist/analysis/vulnerability-scanner.js +417 -0
- package/dist/analysis/vulnerability-scanner.js.map +1 -0
- package/dist/cli/commands.d.ts +15 -0
- package/dist/cli/commands.d.ts.map +1 -0
- package/dist/cli/commands.js +405 -0
- package/dist/cli/commands.js.map +1 -0
- package/dist/cli/index.d.ts +6 -0
- package/dist/cli/index.d.ts.map +1 -0
- package/dist/cli/index.js +6 -0
- package/dist/cli/index.js.map +1 -0
- package/dist/index.d.ts +42 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +66 -0
- package/dist/index.js.map +1 -0
- package/dist/infrastructure/ast-parser.d.ts +87 -0
- package/dist/infrastructure/ast-parser.d.ts.map +1 -0
- package/dist/infrastructure/ast-parser.js +273 -0
- package/dist/infrastructure/ast-parser.js.map +1 -0
- package/dist/infrastructure/cache.d.ts +100 -0
- package/dist/infrastructure/cache.d.ts.map +1 -0
- package/dist/infrastructure/cache.js +288 -0
- package/dist/infrastructure/cache.js.map +1 -0
- package/dist/infrastructure/config-loader.d.ts +35 -0
- package/dist/infrastructure/config-loader.d.ts.map +1 -0
- package/dist/infrastructure/config-loader.js +358 -0
- package/dist/infrastructure/config-loader.js.map +1 -0
- package/dist/infrastructure/file-scanner.d.ts +94 -0
- package/dist/infrastructure/file-scanner.d.ts.map +1 -0
- package/dist/infrastructure/file-scanner.js +189 -0
- package/dist/infrastructure/file-scanner.js.map +1 -0
- package/dist/infrastructure/index.d.ts +9 -0
- package/dist/infrastructure/index.d.ts.map +1 -0
- package/dist/infrastructure/index.js +9 -0
- package/dist/infrastructure/index.js.map +1 -0
- package/dist/mcp/index.d.ts +7 -0
- package/dist/mcp/index.d.ts.map +1 -0
- package/dist/mcp/index.js +7 -0
- package/dist/mcp/index.js.map +1 -0
- package/dist/mcp/server.d.ts +34 -0
- package/dist/mcp/server.d.ts.map +1 -0
- package/dist/mcp/server.js +88 -0
- package/dist/mcp/server.js.map +1 -0
- package/dist/mcp/tools.d.ts +88 -0
- package/dist/mcp/tools.d.ts.map +1 -0
- package/dist/mcp/tools.js +443 -0
- package/dist/mcp/tools.js.map +1 -0
- package/dist/services/fix-generator.d.ts +56 -0
- package/dist/services/fix-generator.d.ts.map +1 -0
- package/dist/services/fix-generator.js +346 -0
- package/dist/services/fix-generator.js.map +1 -0
- package/dist/services/fix-verifier.d.ts +62 -0
- package/dist/services/fix-verifier.d.ts.map +1 -0
- package/dist/services/fix-verifier.js +224 -0
- package/dist/services/fix-verifier.js.map +1 -0
- package/dist/services/index.d.ts +9 -0
- package/dist/services/index.d.ts.map +1 -0
- package/dist/services/index.js +13 -0
- package/dist/services/index.js.map +1 -0
- package/dist/services/report-generator.d.ts +87 -0
- package/dist/services/report-generator.d.ts.map +1 -0
- package/dist/services/report-generator.js +463 -0
- package/dist/services/report-generator.js.map +1 -0
- package/dist/services/security-service.d.ts +151 -0
- package/dist/services/security-service.d.ts.map +1 -0
- package/dist/services/security-service.js +279 -0
- package/dist/services/security-service.js.map +1 -0
- package/dist/types/config.d.ts +188 -0
- package/dist/types/config.d.ts.map +1 -0
- package/dist/types/config.js +89 -0
- package/dist/types/config.js.map +1 -0
- package/dist/types/dependency.d.ts +266 -0
- package/dist/types/dependency.d.ts.map +1 -0
- package/dist/types/dependency.js +7 -0
- package/dist/types/dependency.js.map +1 -0
- package/dist/types/fix.d.ts +213 -0
- package/dist/types/fix.d.ts.map +1 -0
- package/dist/types/fix.js +7 -0
- package/dist/types/fix.js.map +1 -0
- package/dist/types/index.d.ts +14 -0
- package/dist/types/index.d.ts.map +1 -0
- package/dist/types/index.js +8 -0
- package/dist/types/index.js.map +1 -0
- package/dist/types/secret.d.ts +151 -0
- package/dist/types/secret.d.ts.map +1 -0
- package/dist/types/secret.js +91 -0
- package/dist/types/secret.js.map +1 -0
- package/dist/types/taint.d.ts +182 -0
- package/dist/types/taint.d.ts.map +1 -0
- package/dist/types/taint.js +24 -0
- package/dist/types/taint.js.map +1 -0
- package/dist/types/vulnerability.d.ts +136 -0
- package/dist/types/vulnerability.d.ts.map +1 -0
- package/dist/types/vulnerability.js +7 -0
- package/dist/types/vulnerability.js.map +1 -0
- package/package.json +87 -0
|
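--- a/package/dist/analysis/secret-detector.js
+++ b/package/dist/analysis/secret-detector.js
@@ -0,0 +1,465 @@
+/**
+* @fileoverview Secret detection engine
+* @module @nahisaho/musubix-security/analysis/secret-detector
+* @trace REQ-SEC-SECRET-001, REQ-SEC-SECRET-002
+*/
+import { createHash } from 'node:crypto';
+import { createFileScanner } from '../infrastructure/file-scanner.js';
+/**
+* Generate secret ID
+*/
+let secretCounter = 0;
+function generateSecretId() {
+const date = new Date();
+const dateStr = date.toISOString().slice(0, 10).replace(/-/g, '');
+return `SEC-${dateStr}-${String(++secretCounter).padStart(3, '0')}`;
+}
+/**
+* Reset secret counter (for testing)
+*/
+export function resetSecretCounter() {
+secretCounter = 0;
+}
+/**
+* Built-in secret patterns with regex
+*/
+const SECRET_PATTERNS = [
+// AWS
+{
+id: 'aws-access-key',
+name: 'AWS Access Key ID',
+type: 'aws-access-key',
+regex: /\b(AKIA[0-9A-Z]{16})\b/g,
+severity: 'critical',
+description: 'AWS Access Key ID',
+enabled: true,
+testValuePatterns: [/AKIAIOSFODNN7EXAMPLE/],
+},
+{
+id: 'aws-secret-key',
+name: 'AWS Secret Access Key',
+type: 'aws-secret-key',
+regex: /\b([A-Za-z0-9/+=]{40})\b/g,
+keyPatterns: [/aws.?secret/i, /secret.?key/i],
+severity: 'critical',
+description: 'AWS Secret Access Key',
+enabled: true,
+testValuePatterns: [/wJalrXUtnFEMI\/K7MDENG\/bPxRfiCYEXAMPLEKEY/],
+},
+// GitHub
+{
+id: 'github-pat',
+name: 'GitHub Personal Access Token',
+type: 'github-token',
+regex: /\b(ghp_[a-zA-Z0-9]{36}|gho_[a-zA-Z0-9]{36}|ghu_[a-zA-Z0-9]{36}|ghs_[a-zA-Z0-9]{36}|ghr_[a-zA-Z0-9]{36})\b/g,
+severity: 'critical',
+description: 'GitHub Personal Access Token',
+enabled: true,
+},
+{
+id: 'github-oauth',
+name: 'GitHub OAuth Access Token',
+type: 'github-token',
+regex: /\b(gho_[a-zA-Z0-9]{36})\b/g,
+severity: 'critical',
+description: 'GitHub OAuth Access Token',
+enabled: true,
+},
+// Private keys
+{
+id: 'private-key-rsa',
+name: 'RSA Private Key',
+type: 'private-key',
+regex: /-----BEGIN RSA PRIVATE KEY-----[\s\S]*?-----END RSA PRIVATE KEY-----/g,
+severity: 'critical',
+description: 'RSA Private Key',
+enabled: true,
+},
+{
+id: 'private-key-ec',
+name: 'EC Private Key',
+type: 'private-key',
+regex: /-----BEGIN EC PRIVATE KEY-----[\s\S]*?-----END EC PRIVATE KEY-----/g,
+severity: 'critical',
+description: 'EC Private Key',
+enabled: true,
+},
+{
+id: 'private-key-openssh',
+name: 'OpenSSH Private Key',
+type: 'ssh-key',
+regex: /-----BEGIN OPENSSH PRIVATE KEY-----[\s\S]*?-----END OPENSSH PRIVATE KEY-----/g,
+severity: 'critical',
+description: 'OpenSSH Private Key',
+enabled: true,
+},
+// Azure
+{
+id: 'azure-storage-key',
+name: 'Azure Storage Account Key',
+type: 'azure-connection-string',
+regex: /AccountKey=[a-zA-Z0-9+/=]{86,88}/g,
+severity: 'critical',
+description: 'Azure Storage Account Key',
+enabled: true,
+},
+{
+id: 'azure-connection-string',
+name: 'Azure Connection String',
+type: 'azure-connection-string',
+regex: /DefaultEndpointsProtocol=https?;AccountName=[^;]+;AccountKey=[a-zA-Z0-9+/=]+/g,
+severity: 'critical',
+description: 'Azure Storage Connection String',
+enabled: true,
+},
+// Stripe
+{
+id: 'stripe-live-key',
+name: 'Stripe Live API Key',
+type: 'stripe-key',
+regex: /\b(sk_live_[a-zA-Z0-9]{24,})\b/g,
+severity: 'critical',
+description: 'Stripe Live Secret Key',
+enabled: true,
+},
+{
+id: 'stripe-test-key',
+name: 'Stripe Test API Key',
+type: 'stripe-key',
+regex: /\b(sk_test_[a-zA-Z0-9]{24,})\b/g,
+severity: 'low',
+description: 'Stripe Test Secret Key',
+enabled: true,
+},
+// Slack
+{
+id: 'slack-webhook',
+name: 'Slack Webhook URL',
+type: 'slack-webhook',
+regex: /https:\/\/hooks\.slack\.com\/services\/[A-Z0-9]+\/[A-Z0-9]+\/[a-zA-Z0-9]+/g,
+severity: 'medium',
+description: 'Slack Incoming Webhook URL',
+enabled: true,
+},
+{
+id: 'slack-token',
+name: 'Slack Token',
+type: 'api-key',
+regex: /\b(xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24,})\b/g,
+severity: 'high',
+description: 'Slack Bot/User Token',
+enabled: true,
+},
+// Database URLs
+{
+id: 'database-url-postgres',
+name: 'PostgreSQL Connection String',
+type: 'database-url',
+regex: /postgres(?:ql)?:\/\/[^:]+:[^@]+@[^/]+\/[^\s'"]+/gi,
+severity: 'high',
+description: 'PostgreSQL connection string with credentials',
+enabled: true,
+},
+{
+id: 'database-url-mysql',
+name: 'MySQL Connection String',
+type: 'database-url',
+regex: /mysql:\/\/[^:]+:[^@]+@[^/]+\/[^\s'"]+/gi,
+severity: 'high',
+description: 'MySQL connection string with credentials',
+enabled: true,
+},
+{
+id: 'database-url-mongodb',
+name: 'MongoDB Connection String',
+type: 'database-url',
+regex: /mongodb(\+srv)?:\/\/[^:]+:[^@]+@[^/]+\/[^\s'"]+/gi,
+severity: 'high',
+description: 'MongoDB connection string with credentials',
+enabled: true,
+},
+// JWT
+{
+id: 'jwt-token',
+name: 'JWT Token',
+type: 'jwt-secret',
+regex: /\beyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]+\b/g,
+severity: 'medium',
+description: 'JSON Web Token (may contain sensitive claims)',
+enabled: true,
+},
+// Generic API keys
+{
+id: 'generic-api-key',
+name: 'Generic API Key',
+type: 'api-key',
+regex: /\b[a-f0-9]{32}\b/gi,
+keyPatterns: [/api.?key/i, /apikey/i, /secret/i, /token/i, /password/i],
+severity: 'medium',
+description: 'Generic API key pattern',
+enabled: true,
+falsePositiveRate: 0.4,
+},
+// Password patterns
+{
+id: 'hardcoded-password',
+name: 'Hardcoded Password',
+type: 'password',
+regex: /(?:password|passwd|pwd)\s*[=:]\s*['"][^'"]{8,}['"]/gi,
+severity: 'high',
+description: 'Hardcoded password in code',
+enabled: true,
+},
+];
+/**
+* Common test/example value patterns
+*/
+const TEST_VALUE_PATTERNS = [
+/example/i,
+/test/i,
+/dummy/i,
+/sample/i,
+/placeholder/i,
+/your.?key/i,
+/xxx+/i,
+/000+/,
+/123456/,
+/abcdef/,
+];
+/**
+* Detect context from surrounding code
+*/
+function detectContext(content, matchIndex) {
+const before = content.slice(Math.max(0, matchIndex - 50), matchIndex);
+const after = content.slice(matchIndex, matchIndex + 50);
+if (/\/\/|\/\*|\*/.test(before))
+return 'comment';
+if (/['"]/.test(before) && /['"]/.test(after))
+return 'string-literal';
+if (/`/.test(before))
+return 'template-literal';
+if (/[{,]\s*\w+\s*:\s*$/.test(before))
+return 'object-property';
+if (/\[\s*$/.test(before))
+return 'array-element';
+if (/\.(env|config|json|ya?ml)$/.test(content.slice(0, 100)))
+return 'config-file';
+return 'source-code';
+}
+/**
+* Mask a secret value
+*/
+function maskValue(value) {
+if (value.length <= 8) {
+return '*'.repeat(value.length);
+}
+return `${value.slice(0, 4)}${'*'.repeat(value.length - 8)}${value.slice(-4)}`;
+}
+/**
+* Hash a value for deduplication
+*/
+function hashValue(value) {
+return createHash('sha256').update(value).digest('hex');
+}
+/**
+* Check if a value looks like a test/example
+*/
+function isTestValue(value, pattern) {
+// Check pattern-specific test values
+if (pattern.testValuePatterns) {
+for (const testPattern of pattern.testValuePatterns) {
+if (testPattern.test(value)) {
+return true;
+}
+}
+}
+// Check generic test patterns
+for (const testPattern of TEST_VALUE_PATTERNS) {
+if (testPattern.test(value)) {
+return true;
+}
+}
+return false;
+}
+/**
+* Get line number from index in content
+*/
+function getLineNumber(content, index) {
+return content.slice(0, index).split('\n').length;
+}
+/**
+* Get column from index in content
+*/
+function getColumn(content, index) {
+const lastNewline = content.lastIndexOf('\n', index - 1);
+return index - lastNewline - 1;
+}
+/**
+* Secret detector engine
+*/
+export class SecretDetector {
+patterns;
+fileScanner;
+options;
+constructor(options = {}) {
+this.options = options;
+this.fileScanner = createFileScanner({
+extensions: ['.ts', '.tsx', '.js', '.jsx', '.json', '.yml', '.yaml', '.env', '.config', '.md'],
+excludePatterns: options.excludePatterns,
+maxFileSize: options.maxFileSize,
+});
+// Initialize patterns
+this.patterns = SECRET_PATTERNS.filter((p) => {
+if (!p.enabled)
+return false;
+if (options.disablePatterns?.includes(p.id))
+return false;
+return true;
+});
+// Add custom patterns
+if (options.customPatterns) {
+this.patterns.push(...options.customPatterns);
+}
+}
+/**
+* Scan file content for secrets
+*/
+scanContent(content, filePath) {
+const secrets = [];
+const seenHashes = new Set();
+for (const pattern of this.patterns) {
+// Reset regex state
+pattern.regex.lastIndex = 0;
+// Check key patterns first if defined (for context-sensitive detection)
+if (pattern.keyPatterns) {
+let hasKeyContext = false;
+for (const keyPattern of pattern.keyPatterns) {
+if (keyPattern.test(content)) {
+hasKeyContext = true;
+break;
+}
+}
+if (!hasKeyContext)
+continue;
+}
+let match;
+while ((match = pattern.regex.exec(content)) !== null) {
+const value = match[1] || match[0];
+const hash = hashValue(value);
+// Skip duplicates
+if (seenHashes.has(hash))
+continue;
+seenHashes.add(hash);
+// Check if test value
+const testValue = isTestValue(value, pattern);
+if (this.options.ignoreTestValues && testValue)
+continue;
+const lineNumber = getLineNumber(content, match.index);
+const column = getColumn(content, match.index);
+// Extract key name if possible
+const beforeMatch = content.slice(Math.max(0, match.index - 50), match.index);
+const keyNameMatch = beforeMatch.match(/(\w+)\s*[=:]\s*['"]?\s*$/);
+const keyName = keyNameMatch ? keyNameMatch[1] : undefined;
+const location = {
+file: filePath,
+startLine: lineNumber,
+endLine: lineNumber,
+startColumn: column,
+endColumn: column + value.length,
+};
+secrets.push({
+id: generateSecretId(),
+type: pattern.type,
+location,
+maskedValue: maskValue(value),
+valueHash: hash,
+keyName,
+context: detectContext(content, match.index),
+confidence: pattern.falsePositiveRate ? 1 - pattern.falsePositiveRate : 0.9,
+isTestValue: testValue,
+patternId: pattern.id,
+detectedAt: new Date(),
+severity: pattern.severity,
+});
+}
+}
+return secrets;
+}
+/**
+* Scan a single file
+*/
+async scanFile(filePath) {
+const content = await this.fileScanner.readFile(filePath);
+return this.scanContent(content, filePath);
+}
+/**
+* Scan a directory for secrets
+*/
+async scan(rootPath) {
+const startTime = Date.now();
+const files = await this.fileScanner.scan(rootPath);
+const allSecrets = [];
+let scannedFiles = 0;
+let skippedFiles = 0;
+for (const file of files) {
+try {
+const content = await this.fileScanner.readFileSafe(file.path);
+if (!content) {
+skippedFiles++;
+continue;
+}
+const secrets = this.scanContent(content, file.path);
+allSecrets.push(...secrets);
+scannedFiles++;
+}
+catch (error) {
+console.warn(`Warning: Failed to scan ${file.path}: ${error}`);
+skippedFiles++;
+}
+}
+const duration = Date.now() - startTime;
+// Build summary
+const byType = {};
+let testValuesCount = 0;
+const bySeverity = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+for (const secret of allSecrets) {
+byType[secret.type] = (byType[secret.type] || 0) + 1;
+bySeverity[secret.severity]++;
+if (secret.isTestValue)
+testValuesCount++;
+}
+return {
+secrets: allSecrets,
+scannedFiles,
+skippedFiles,
+duration,
+timestamp: new Date(),
+options: this.options,
+summary: {
+byType,
+bySeverity,
+total: allSecrets.length,
+testValues: testValuesCount,
+},
+};
+}
+/**
+* Add a custom pattern
+*/
+addPattern(pattern) {
+this.patterns.push(pattern);
+}
+/**
+* Get all patterns
+*/
+getPatterns() {
+return [...this.patterns];
+}
+}
+/**
+* Create a secret detector
+*/
+export function createSecretDetector(options) {
+return new SecretDetector(options);
+}
+//# sourceMappingURL=secret-detector.js.map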
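Review bot: `scanContent` (the `while ((match = pattern.regex.exec(content)) !== null)` loop) never terminates for a custom pattern whose regex lacks the `g` flag, or for any `g` regex that can match the empty string, because `exec` then does not advance `lastIndex` and the duplicate/test-value `continue` branches return to the same match; `addPattern` and `options.customPatterns` accept such regexes unchecked, so one bad config entry hangs the scanner on every file. Validate at both intake points, `if (!pattern.regex.global) throw new TypeError('pattern ' + pattern.id + ': regex must use the g flag');`, and guard the loop right after the `exec` with `if (match[0].length === 0) pattern.regex.lastIndex++;`. Separately, `detectContext` tests the `/\.(env|config|json|ya?ml)$/` suffix regex against `content.slice(0, 100)` rather than the file path, so `'config-file'` is effectively unreachable; pass `filePath` into `detectContext` and test that instead. The `keyPatterns` gate at the top of the pattern loop tests the whole file, so a single `token` or `secret` anywhere in a file enables the 32-hex `generic-api-key` rule for every hash in it — testing the 50-character `beforeMatch` window that is already computed for `keyName` would keep the gate contextual.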
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"secret-detector.js","sourceRoot":"","sources":["../../src/analysis/secret-detector.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAWzC,OAAO,EAAe,iBAAiB,EAAE,MAAM,mCAAmC,CAAC;AAEnF;;GAEG;AACH,IAAI,aAAa,GAAG,CAAC,CAAC;AACtB,SAAS,gBAAgB;IACvB,MAAM,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;IACxB,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAClE,OAAO,OAAO,OAAO,IAAI,MAAM,CAAC,EAAE,aAAa,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC;AACtE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB;IAChC,aAAa,GAAG,CAAC,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,MAAM,eAAe,GAAoB;IACvC,MAAM;IACN;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,mBAAmB;QACzB,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,yBAAyB;QAChC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,mBAAmB;QAChC,OAAO,EAAE,IAAI;QACb,iBAAiB,EAAE,CAAC,sBAAsB,CAAC;KAC5C;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,uBAAuB;QAC7B,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,2BAA2B;QAClC,WAAW,EAAE,CAAC,cAAc,EAAE,cAAc,CAAC;QAC7C,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,uBAAuB;QACpC,OAAO,EAAE,IAAI;QACb,iBAAiB,EAAE,CAAC,4CAA4C,CAAC;KAClE;IACD,SAAS;IACT;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,8BAA8B;QACpC,IAAI,EAAE,cAAc;QACpB,KAAK,EAAE,4GAA4G;QACnH,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,8BAA8B;QAC3C,OAAO,EAAE,IAAI;KACd;IACD;QACE,EAAE,EAAE,cAAc;QAClB,IAAI,EAAE,2BAA2B;QACjC,IAAI,EAAE,cAAc;QACpB,KAAK,EAAE,4BAA4B;QACnC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,IAAI;KACd;IACD,eAAe;IACf;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,IAAI,EAAE,aAAa;QACnB,KAAK,EAAE,uEAAuE;QAC9E,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,iBAAiB;QAC9B,OAAO,EAAE,IAAI;KACd;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,gBAAgB;QACtB,IAAI,EAAE,aAAa;QACnB,KAAK,EAAE,qEAAqE;QAC5E,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,gBAAgB;QAC7B,OAAO,EAAE,IAAI;KACd;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,IAAI,EAAE,qBAAqB;QAC3B,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,+EAA+E;QACtF,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,qBAAqB;QAClC,OAAO,EAAE,IAAI;KACd;IACD,QAAQ;IACR;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,2B
AA2B;QACjC,IAAI,EAAE,yBAAyB;QAC/B,KAAK,EAAE,mCAAmC;QAC1C,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,2BAA2B;QACxC,OAAO,EAAE,IAAI;KACd;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,IAAI,EAAE,yBAAyB;QAC/B,IAAI,EAAE,yBAAyB;QAC/B,KAAK,EAAE,+EAA+E;QACtF,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,iCAAiC;QAC9C,OAAO,EAAE,IAAI;KACd;IACD,SAAS;IACT;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,qBAAqB;QAC3B,IAAI,EAAE,YAAY;QAClB,KAAK,EAAE,iCAAiC;QACxC,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,wBAAwB;QACrC,OAAO,EAAE,IAAI;KACd;IACD;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,qBAAqB;QAC3B,IAAI,EAAE,YAAY;QAClB,KAAK,EAAE,iCAAiC;QACxC,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,wBAAwB;QACrC,OAAO,EAAE,IAAI;KACd;IACD,QAAQ;IACR;QACE,EAAE,EAAE,eAAe;QACnB,IAAI,EAAE,mBAAmB;QACzB,IAAI,EAAE,eAAe;QACrB,KAAK,EAAE,4EAA4E;QACnF,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,4BAA4B;QACzC,OAAO,EAAE,IAAI;KACd;IACD;QACE,EAAE,EAAE,aAAa;QACjB,IAAI,EAAE,aAAa;QACnB,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,8DAA8D;QACrE,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,sBAAsB;QACnC,OAAO,EAAE,IAAI;KACd;IACD,gBAAgB;IAChB;QACE,EAAE,EAAE,uBAAuB;QAC3B,IAAI,EAAE,8BAA8B;QACpC,IAAI,EAAE,cAAc;QACpB,KAAK,EAAE,mDAAmD;QAC1D,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,+CAA+C;QAC5D,OAAO,EAAE,IAAI;KACd;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,IAAI,EAAE,yBAAyB;QAC/B,IAAI,EAAE,cAAc;QACpB,KAAK,EAAE,yCAAyC;QAChD,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,0CAA0C;QACvD,OAAO,EAAE,IAAI;KACd;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,IAAI,EAAE,2BAA2B;QACjC,IAAI,EAAE,cAAc;QACpB,KAAK,EAAE,mDAAmD;QAC1D,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,4CAA4C;QACzD,OAAO,EAAE,IAAI;KACd;IACD,MAAM;IACN;QACE,EAAE,EAAE,WAAW;QACf,IAAI,EAAE,WAAW;QACjB,IAAI,EAAE,YAAY;QAClB,KAAK,EAAE,2DAA2D;QAClE,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,+CAA+C;QAC5D,OAAO,EAAE,IAAI;KACd;IACD,mBAAmB;IACnB;QACE,EAAE,EAAE,iBAAiB;QACrB,IAAI,EAAE,iBAAiB;QACvB,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,CAAC,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,EAAE,WAAW,CAAC;QACvE,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,yBAAyB;QACtC,OAAO,EAAE,IAAI;QACb,iBAAiB,EAAE,GAAG;KACvB;IACD,oBAAoB;IACpB;QACE,EAAE,EAAE,oBAAoB;QACxB,IAAI,EAAE,oBAAoB;QAC1B,IAAI,EAAE,UAAU;QAChB,KAAK,EAAE,s
DAAsD;QAC7D,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,4BAA4B;QACzC,OAAO,EAAE,IAAI;KACd;CACF,CAAC;AAEF;;GAEG;AACH,MAAM,mBAAmB,GAAG;IAC1B,UAAU;IACV,OAAO;IACP,QAAQ;IACR,SAAS;IACT,cAAc;IACd,YAAY;IACZ,OAAO;IACP,MAAM;IACN,QAAQ;IACR,QAAQ;CACT,CAAC;AAEF;;GAEG;AACH,SAAS,aAAa,CAAC,OAAe,EAAE,UAAkB;IACxD,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,GAAG,EAAE,CAAC,EAAE,UAAU,CAAC,CAAC;IACvE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,UAAU,EAAE,UAAU,GAAG,EAAE,CAAC,CAAC;IAEzD,IAAI,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC;QAAE,OAAO,SAAS,CAAC;IAClD,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,gBAAgB,CAAC;IACvE,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC;QAAE,OAAO,kBAAkB,CAAC;IAChD,IAAI,oBAAoB,CAAC,IAAI,CAAC,MAAM,CAAC;QAAE,OAAO,iBAAiB,CAAC;IAChE,IAAI,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC;QAAE,OAAO,eAAe,CAAC;IAClD,IAAI,4BAA4B,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAAE,OAAO,aAAa,CAAC;IAEnF,OAAO,aAAa,CAAC;AACvB,CAAC;AAED;;GAEG;AACH,SAAS,SAAS,CAAC,KAAa;IAC9B,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACtB,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AACjF,CAAC;AAED;;GAEG;AACH,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,KAAa,EAAE,OAAsB;IACxD,qCAAqC;IACrC,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;QAC9B,KAAK,MAAM,WAAW,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;YACpD,IAAI,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC5B,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAED,8BAA8B;IAC9B,KAAK,MAAM,WAAW,IAAI,mBAAmB,EAAE,CAAC;QAC9C,IAAI,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,OAAe,EAAE,KAAa;IACnD,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;AACpD,CAAC;AAED;;GAEG;AACH,SAAS,SAAS,
CAAC,OAAe,EAAE,KAAa;IAC/C,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,IAAI,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;IACzD,OAAO,KAAK,GAAG,WAAW,GAAG,CAAC,CAAC;AACjC,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,cAAc;IACjB,QAAQ,CAAkB;IAC1B,WAAW,CAAc;IACzB,OAAO,CAAoB;IAEnC,YAAY,UAA6B,EAAE;QACzC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,IAAI,CAAC,WAAW,GAAG,iBAAiB,CAAC;YACnC,UAAU,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,KAAK,CAAC;YAC9F,eAAe,EAAE,OAAO,CAAC,eAAe;YACxC,WAAW,EAAE,OAAO,CAAC,WAAW;SACjC,CAAC,CAAC;QAEH,sBAAsB;QACtB,IAAI,CAAC,QAAQ,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;YAC3C,IAAI,CAAC,CAAC,CAAC,OAAO;gBAAE,OAAO,KAAK,CAAC;YAC7B,IAAI,OAAO,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;gBAAE,OAAO,KAAK,CAAC;YAC1D,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CAAC;QAEH,sBAAsB;QACtB,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;YAC3B,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC;QAChD,CAAC;IACH,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,OAAe,EAAE,QAAgB;QAC3C,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;QAErC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,oBAAoB;YACpB,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC;YAE5B,wEAAwE;YACxE,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;gBACxB,IAAI,aAAa,GAAG,KAAK,CAAC;gBAC1B,KAAK,MAAM,UAAU,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;oBAC7C,IAAI,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;wBAC7B,aAAa,GAAG,IAAI,CAAC;wBACrB,MAAM;oBACR,CAAC;gBACH,CAAC;gBACD,IAAI,CAAC,aAAa;oBAAE,SAAS;YAC/B,CAAC;YAED,IAAI,KAA6B,CAAC;YAClC,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBACtD,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC;gBACnC,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;gBAE9B,kBAAkB;gBAClB,IAAI,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC;oBAAE,SAAS;gBACnC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBAErB,sBAAsB;gBACtB,MAAM,SAAS,GAAG,WAAW,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;gBAC9C,IAAI,IAAI,CAAC,OAAO,CAAC,gBAAgB,IAAI,SAAS;oBAAE,SAAS;gBAEzD,MAAM,UAAU,GAAG,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBACvD,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,
EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBAE/C,+BAA+B;gBAC/B,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,GAAG,EAAE,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBAC9E,MAAM,YAAY,GAAG,WAAW,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC;gBACnE,MAAM,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;gBAE3D,MAAM,QAAQ,GAAmB;oBAC/B,IAAI,EAAE,QAAQ;oBACd,SAAS,EAAE,UAAU;oBACrB,OAAO,EAAE,UAAU;oBACnB,WAAW,EAAE,MAAM;oBACnB,SAAS,EAAE,MAAM,GAAG,KAAK,CAAC,MAAM;iBACjC,CAAC;gBAEF,OAAO,CAAC,IAAI,CAAC;oBACX,EAAE,EAAE,gBAAgB,EAAE;oBACtB,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,QAAQ;oBACR,WAAW,EAAE,SAAS,CAAC,KAAK,CAAC;oBAC7B,SAAS,EAAE,IAAI;oBACf,OAAO;oBACP,OAAO,EAAE,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC;oBAC5C,UAAU,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC,CAAC,GAAG;oBAC3E,WAAW,EAAE,SAAS;oBACtB,SAAS,EAAE,OAAO,CAAC,EAAE;oBACrB,UAAU,EAAE,IAAI,IAAI,EAAE;oBACtB,QAAQ,EAAE,OAAO,CAAC,QAAQ;iBAC3B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ,CAAC,QAAgB;QAC7B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC1D,OAAO,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC7C,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,IAAI,CAAC,QAAgB;QACzB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAEpD,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,IAAI,YAAY,GAAG,CAAC,CAAC;QACrB,IAAI,YAAY,GAAG,CAAC,CAAC;QAErB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC/D,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,YAAY,EAAE,CAAC;oBACf,SAAS;gBACX,CAAC;gBAED,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;gBACrD,UAAU,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,CAAC;gBAC5B,YAAY,EAAE,CAAC;YACjB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,IAAI,CAAC,2BAA2B,IAAI,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC,CAAC;gBAC/D,YAAY,EAAE,CAAC;YACjB,CAAC;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAExC,gBAAgB
;QAChB,MAAM,MAAM,GAAwC,EAAE,CAAC;QACvD,IAAI,eAAe,GAAG,CAAC,CAAC;QACxB,MAAM,UAAU,GAA6B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QAElG,KAAK,MAAM,MAAM,IAAI,UAAU,EAAE,CAAC;YAChC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;YACrD,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9B,IAAI,MAAM,CAAC,WAAW;gBAAE,eAAe,EAAE,CAAC;QAC5C,CAAC;QAED,OAAO;YACL,OAAO,EAAE,UAAU;YACnB,YAAY;YACZ,YAAY;YACZ,QAAQ;YACR,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,OAAO,EAAE;gBACP,MAAM;gBACN,UAAU;gBACV,KAAK,EAAE,UAAU,CAAC,MAAM;gBACxB,UAAU,EAAE,eAAe;aAC5B;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,OAAsB;QAC/B,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC9B,CAAC;IAED;;OAEG;IACH,WAAW;QACT,OAAO,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC5B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAA2B;IAC9D,OAAO,IAAI,cAAc,CAAC,OAAO,CAAC,CAAC;AACrC,CAAC"}
|
|
@@ -0,0 +1,62 @@
1
+
/**
2
+
* @fileoverview Taint analysis engine
3
+
* @module @nahisaho/musubix-security/analysis/taint-analyzer
4
+
* @trace REQ-SEC-TAINT-001, REQ-SEC-TAINT-002, REQ-SEC-TAINT-003, REQ-SEC-TAINT-004
5
+
*/
6
+
import type { TaintSource, TaintSink, TaintResult, TaintAnalysisOptions } from '../types/index.js';
7
+
/**
8
+
* Reset counters (for testing)
9
+
*/
10
+
export declare function resetTaintCounters(): void;
11
+
/**
12
+
* Taint analyzer engine
13
+
*/
14
+
export declare class TaintAnalyzer {
15
+
private parser;
16
+
private fileScanner;
17
+
private options;
18
+
private sourcePatterns;
19
+
private sinkPatterns;
20
+
constructor(options?: TaintAnalysisOptions);
21
+
/**
22
+
* Analyze a single file for taint issues
23
+
*/
24
+
analyzeFile(filePath: string): {
25
+
sources: TaintSource[];
26
+
sinks: TaintSink[];
27
+
};
28
+
/**
29
+
* Find taint sources in a source file
30
+
*/
31
+
private findSources;
32
+
/**
33
+
* Find taint sinks in a source file
34
+
*/
35
+
private findSinks;
36
+
/**
37
+
* Trace taint flow from sources to sinks (simplified)
38
+
* Note: Full interprocedural analysis would require more sophisticated data flow analysis
39
+
*/
40
+
private tracePaths;
41
+
/**
42
+
* Check if source and sink could be connected
43
+
*/
44
+
private checkConnection;
45
+
/**
46
+
* Check if there's sanitization between source and sink
47
+
*/
48
+
private checkSanitization;
49
+
/**
50
+
* Build flow steps between source and sink
51
+
*/
52
+
private buildFlowSteps;
53
+
/**
54
+
* Analyze a directory for taint issues
55
+
*/
56
+
analyze(rootPath: string): Promise<TaintResult>;
57
+
}
58
+
/**
59
+
* Create a taint analyzer
60
+
*/
61
+
export declare function createTaintAnalyzer(options?: TaintAnalysisOptions): TaintAnalyzer;
62
+
//# sourceMappingURL=taint-analyzer.d.ts.map
@@ -0,0 +1 @@
1
+
{"version":3,"file":"taint-analyzer.d.ts","sourceRoot":"","sources":["../../src/analysis/taint-analyzer.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EACV,WAAW,EACX,SAAS,EAGT,WAAW,EACX,oBAAoB,EAIrB,MAAM,mBAAmB,CAAC;AA6B3B;;GAEG;AACH,wBAAgB,kBAAkB,IAAI,IAAI,CAIzC;AAyLD;;GAEG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAY;IAC1B,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,OAAO,CAAuB;IACtC,OAAO,CAAC,cAAc,CAAkB;IACxC,OAAO,CAAC,YAAY,CAAgB;gBAExB,OAAO,GAAE,oBAAyB;IAgC9C;;OAEG;IACH,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,WAAW,EAAE,CAAC;QAAC,KAAK,EAAE,SAAS,EAAE,CAAA;KAAE;IAQ7E;;OAEG;IACH,OAAO,CAAC,WAAW;IA6DnB;;OAEG;IACH,OAAO,CAAC,SAAS;IA+BjB;;;OAGG;IACH,OAAO,CAAC,UAAU;IAgDlB;;OAEG;IACH,OAAO,CAAC,eAAe;IAYvB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAgDzB;;OAEG;IACH,OAAO,CAAC,cAAc;IAyBtB;;OAEG;IACG,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;CAsFtD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE,oBAAoB,GAAG,aAAa,CAEjF"}