@objectstack/core 0.9.1 → 1.0.0

package/src/security/security-scanner.ts

@@ -0,0 +1,365 @@
+import type { 
+  SecurityVulnerability,
+  SecurityScanResult
+} from '@objectstack/spec/kernel';
+import type { ObjectLogger } from '../logger.js';
+
+/**
+ * Scan Target
+ */
+export interface ScanTarget {
+  pluginId: string;
+  version: string;
+  files?: string[];
+  dependencies?: Record<string, string>;
+}
+
+/**
+ * Security Issue
+ */
+export interface SecurityIssue {
+  id: string;
+  severity: 'critical' | 'high' | 'medium' | 'low' | 'info';
+  category: 'vulnerability' | 'malware' | 'license' | 'code-quality' | 'configuration';
+  title: string;
+  description: string;
+  location?: {
+    file?: string;
+    line?: number;
+    column?: number;
+  };
+  remediation?: string;
+  cve?: string;
+  cvss?: number;
+}
+
+/**
+ * Plugin Security Scanner
+ * 
+ * Scans plugins for security vulnerabilities, malware, and license issues
+ */
+export class PluginSecurityScanner {
+  private logger: ObjectLogger;
+  
+  // Known vulnerabilities database (CVE cache)
+  private vulnerabilityDb = new Map<string, SecurityVulnerability>();
+  
+  // Scan results cache
+  private scanResults = new Map<string, SecurityScanResult>();
+
+  private passThreshold: number = 70;
+
+  constructor(logger: ObjectLogger, config?: { passThreshold?: number }) {
+    this.logger = logger.child({ component: 'SecurityScanner' });
+    if (config?.passThreshold !== undefined) {
+      this.passThreshold = config.passThreshold;
+    }
+  }
+
+  /**
+   * Perform a comprehensive security scan on a plugin
+   */
+  async scan(target: ScanTarget): Promise<SecurityScanResult> {
+    this.logger.info('Starting security scan', { 
+      pluginId: target.pluginId,
+      version: target.version 
+    });
+
+    const issues: SecurityIssue[] = [];
+
+    try {
+      // 1. Scan for code vulnerabilities
+      const codeIssues = await this.scanCode(target);
+      issues.push(...codeIssues);
+
+      // 2. Scan dependencies for known vulnerabilities
+      const depIssues = await this.scanDependencies(target);
+      issues.push(...depIssues);
+
+      // 3. Scan for malware patterns
+      const malwareIssues = await this.scanMalware(target);
+      issues.push(...malwareIssues);
+
+      // 4. Check license compliance
+      const licenseIssues = await this.scanLicenses(target);
+      issues.push(...licenseIssues);
+
+      // 5. Check configuration security
+      const configIssues = await this.scanConfiguration(target);
+      issues.push(...configIssues);
+
+      // Calculate security score (0-100, higher is better)
+      const score = this.calculateSecurityScore(issues);
+
+      const result: SecurityScanResult = {
+        timestamp: new Date().toISOString(),
+        scanner: { name: 'ObjectStack Security Scanner', version: '1.0.0' },
+        status: score >= this.passThreshold ? 'passed' : 'failed',
+        vulnerabilities: issues.map(issue => ({
+          id: issue.id,
+          severity: issue.severity,
+          category: issue.category,
+          title: issue.title,
+          description: issue.description,
+          location: issue.location ? `${issue.location.file}:${issue.location.line}` : undefined,
+          remediation: issue.remediation,
+          affectedVersions: [],
+          exploitAvailable: false,
+          patchAvailable: false,
+        })),
+        summary: {
+          totalVulnerabilities: issues.length,
+          criticalCount: issues.filter(i => i.severity === 'critical').length,
+          highCount: issues.filter(i => i.severity === 'high').length,
+          mediumCount: issues.filter(i => i.severity === 'medium').length,
+          lowCount: issues.filter(i => i.severity === 'low').length,
+          infoCount: issues.filter(i => i.severity === 'info').length,
+        },
+      };
+
+      this.scanResults.set(`${target.pluginId}:${target.version}`, result);
+
+      this.logger.info('Security scan complete', { 
+        pluginId: target.pluginId,
+        score,
+        status: result.status,
+        summary: result.summary
+      });
+
+      return result;
+    } catch (error) {
+      this.logger.error('Security scan failed', { 
+        pluginId: target.pluginId, 
+        error 
+      });
+
+      throw error;
+    }
+  }
+
+  /**
+   * Scan code for vulnerabilities
+   */
+  private async scanCode(target: ScanTarget): Promise<SecurityIssue[]> {
+    const issues: SecurityIssue[] = [];
+
+    // In a real implementation, this would:
+    // - Parse code with AST (e.g., using @typescript-eslint/parser)
+    // - Check for dangerous patterns (eval, Function constructor, etc.)
+    // - Check for XSS vulnerabilities
+    // - Check for SQL injection patterns
+    // - Check for insecure crypto usage
+    // - Check for path traversal vulnerabilities
+
+    this.logger.debug('Code scan complete', { 
+      pluginId: target.pluginId,
+      issuesFound: issues.length 
+    });
+
+    return issues;
+  }
+
+  /**
+   * Scan dependencies for known vulnerabilities
+   */
+  private async scanDependencies(target: ScanTarget): Promise<SecurityIssue[]> {
+    const issues: SecurityIssue[] = [];
+
+    if (!target.dependencies) {
+      return issues;
+    }
+
+    // In a real implementation, this would:
+    // - Query npm audit API
+    // - Check GitHub Advisory Database
+    // - Check Snyk vulnerability database
+    // - Check OSV (Open Source Vulnerabilities)
+
+    for (const [depName, version] of Object.entries(target.dependencies)) {
+      const vulnKey = `${depName}@${version}`;
+      const vulnerability = this.vulnerabilityDb.get(vulnKey);
+
+      if (vulnerability) {
+        issues.push({
+          id: `vuln-${vulnerability.cve || depName}`,
+          severity: vulnerability.severity,
+          category: 'vulnerability',
+          title: `Vulnerable dependency: ${depName}`,
+          description: `${depName}@${version} has known security vulnerabilities`,
+          remediation: vulnerability.fixedIn 
+            ? `Upgrade to ${vulnerability.fixedIn.join(' or ')}`
+            : 'No fix available',
+          cve: vulnerability.cve,
+        });
+      }
+    }
+
+    this.logger.debug('Dependency scan complete', { 
+      pluginId: target.pluginId,
+      dependencies: Object.keys(target.dependencies).length,
+      vulnerabilities: issues.length 
+    });
+
+    return issues;
+  }
+
+  /**
+   * Scan for malware patterns
+   */
+  private async scanMalware(target: ScanTarget): Promise<SecurityIssue[]> {
+    const issues: SecurityIssue[] = [];
+
+    // In a real implementation, this would:
+    // - Check for obfuscated code
+    // - Check for suspicious network activity patterns
+    // - Check for crypto mining patterns
+    // - Check for data exfiltration patterns
+    // - Use ML-based malware detection
+    // - Check file hashes against known malware databases
+
+    this.logger.debug('Malware scan complete', { 
+      pluginId: target.pluginId,
+      issuesFound: issues.length 
+    });
+
+    return issues;
+  }
+
+  /**
+   * Check license compliance
+   */
+  private async scanLicenses(target: ScanTarget): Promise<SecurityIssue[]> {
+    const issues: SecurityIssue[] = [];
+
+    if (!target.dependencies) {
+      return issues;
+    }
+
+    // In a real implementation, this would:
+    // - Check license compatibility
+    // - Detect GPL contamination
+    // - Flag proprietary dependencies
+    // - Check for missing licenses
+    // - Verify SPDX identifiers
+
+    this.logger.debug('License scan complete', { 
+      pluginId: target.pluginId,
+      issuesFound: issues.length 
+    });
+
+    return issues;
+  }
+
+  /**
+   * Check configuration security
+   */
+  private async scanConfiguration(target: ScanTarget): Promise<SecurityIssue[]> {
+    const issues: SecurityIssue[] = [];
+
+    // In a real implementation, this would:
+    // - Check for hardcoded secrets
+    // - Check for weak permissions
+    // - Check for insecure defaults
+    // - Check for missing security headers
+    // - Check CSP policies
+
+    this.logger.debug('Configuration scan complete', { 
+      pluginId: target.pluginId,
+      issuesFound: issues.length 
+    });
+
+    return issues;
+  }
+
+  /**
+   * Calculate security score based on issues
+   */
+  private calculateSecurityScore(issues: SecurityIssue[]): number {
+    // Start with perfect score
+    let score = 100;
+
+    // Deduct points based on severity
+    for (const issue of issues) {
+      switch (issue.severity) {
+        case 'critical':
+          score -= 20;
+          break;
+        case 'high':
+          score -= 10;
+          break;
+        case 'medium':
+          score -= 5;
+          break;
+        case 'low':
+          score -= 2;
+          break;
+        case 'info':
+          score -= 0;
+          break;
+      }
+    }
+
+    // Ensure score doesn't go below 0
+    return Math.max(0, score);
+  }
+
+  /**
+   * Add a vulnerability to the database
+   */
+  addVulnerability(
+    packageName: string,
+    version: string,
+    vulnerability: SecurityVulnerability
+  ): void {
+    const key = `${packageName}@${version}`;
+    this.vulnerabilityDb.set(key, vulnerability);
+    
+    this.logger.debug('Vulnerability added to database', { 
+      package: packageName, 
+      version,
+      cve: vulnerability.cve 
+    });
+  }
+
+  /**
+   * Get scan result from cache
+   */
+  getScanResult(pluginId: string, version: string): SecurityScanResult | undefined {
+    return this.scanResults.get(`${pluginId}:${version}`);
+  }
+
+  /**
+   * Clear scan results cache
+   */
+  clearCache(): void {
+    this.scanResults.clear();
+    this.logger.debug('Scan results cache cleared');
+  }
+
+  /**
+   * Update vulnerability database from external source
+   */
+  async updateVulnerabilityDatabase(): Promise<void> {
+    this.logger.info('Updating vulnerability database');
+
+    // In a real implementation, this would:
+    // - Fetch from GitHub Advisory Database
+    // - Fetch from npm audit
+    // - Fetch from NVD (National Vulnerability Database)
+    // - Parse and cache vulnerability data
+
+    this.logger.info('Vulnerability database updated', { 
+      entries: this.vulnerabilityDb.size 
+    });
+  }
+
+  /**
+   * Shutdown security scanner
+   */
+  shutdown(): void {
+    this.vulnerabilityDb.clear();
+    this.scanResults.clear();
+    
+    this.logger.info('Security scanner shutdown complete');
+  }
+}

package/dist/enhanced-kernel.d.ts

@@ -1,103 +0,0 @@
-import { Plugin } from './types.js';
-import type { LoggerConfig } from '@objectstack/spec/system';
-import { ServiceLifecycle, ServiceFactory } from './plugin-loader.js';
-/**
- * Enhanced Kernel Configuration
- */
-export interface EnhancedKernelConfig {
-    logger?: Partial<LoggerConfig>;
-    /** Default plugin startup timeout in milliseconds */
-    defaultStartupTimeout?: number;
-    /** Whether to enable graceful shutdown */
-    gracefulShutdown?: boolean;
-    /** Graceful shutdown timeout in milliseconds */
-    shutdownTimeout?: number;
-    /** Whether to rollback on startup failure */
-    rollbackOnFailure?: boolean;
-}
-/**
- * Enhanced ObjectKernel with Advanced Plugin Management
- *
- * Extends the basic ObjectKernel with:
- * - Async plugin loading with validation
- * - Version compatibility checking
- * - Plugin signature verification
- * - Configuration validation (Zod)
- * - Factory-based dependency injection
- * - Service lifecycle management (singleton/transient/scoped)
- * - Circular dependency detection
- * - Lazy loading services
- * - Graceful shutdown
- * - Plugin startup timeout control
- * - Startup failure rollback
- * - Plugin health checks
- */
-export declare class EnhancedObjectKernel {
-    private plugins;
-    private services;
-    private hooks;
-    private state;
-    private logger;
-    private context;
-    private pluginLoader;
-    private config;
-    private startedPlugins;
-    private pluginStartTimes;
-    private shutdownHandlers;
-    constructor(config?: EnhancedKernelConfig);
-    /**
-     * Register a plugin with enhanced validation
-     */
-    use(plugin: Plugin): Promise<this>;
-    /**
-     * Register a service factory with lifecycle management
-     */
-    registerServiceFactory<T>(name: string, factory: ServiceFactory<T>, lifecycle?: ServiceLifecycle, dependencies?: string[]): this;
-    /**
-     * Bootstrap the kernel with enhanced features
-     */
-    bootstrap(): Promise<void>;
-    /**
-     * Graceful shutdown with timeout
-     */
-    shutdown(): Promise<void>;
-    /**
-     * Check health of a specific plugin
-     */
-    checkPluginHealth(pluginName: string): Promise<any>;
-    /**
-     * Check health of all plugins
-     */
-    checkAllPluginsHealth(): Promise<Map<string, any>>;
-    /**
-     * Get plugin startup metrics
-     */
-    getPluginMetrics(): Map<string, number>;
-    /**
-     * Get a service (sync helper)
-     */
-    getService<T>(name: string): T;
-    /**
-     * Get a service asynchronously (supports factories)
-     */
-    getServiceAsync<T>(name: string, scopeId?: string): Promise<T>;
-    /**
-     * Check if kernel is running
-     */
-    isRunning(): boolean;
-    /**
-     * Get kernel state
-     */
-    getState(): string;
-    private initPluginWithTimeout;
-    private startPluginWithTimeout;
-    private rollbackStartedPlugins;
-    private performShutdown;
-    private resolveDependencies;
-    private registerShutdownSignals;
-    /**
-     * Register a custom shutdown handler
-     */
-    onShutdown(handler: () => Promise<void>): void;
-}
-//# sourceMappingURL=enhanced-kernel.d.ts.map

package/dist/enhanced-kernel.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"enhanced-kernel.d.ts","sourceRoot":"","sources":["../src/enhanced-kernel.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAiB,MAAM,YAAY,CAAC;AAEnD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAgC,gBAAgB,EAAE,cAAc,EAAuB,MAAM,oBAAoB,CAAC;AAEzH;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACjC,MAAM,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAE/B,qDAAqD;IACrD,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAE/B,0CAA0C;IAC1C,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAE3B,gDAAgD;IAChD,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB,6CAA6C;IAC7C,iBAAiB,CAAC,EAAE,OAAO,CAAC;CAC/B;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,oBAAoB;IAC7B,OAAO,CAAC,OAAO,CAA0C;IACzD,OAAO,CAAC,QAAQ,CAA+B;IAC/C,OAAO,CAAC,KAAK,CAA2E;IACxF,OAAO,CAAC,KAAK,CAAwE;IACrF,OAAO,CAAC,MAAM,CAAe;IAC7B,OAAO,CAAC,OAAO,CAAgB;IAC/B,OAAO,CAAC,YAAY,CAAe;IACnC,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,cAAc,CAA0B;IAChD,OAAO,CAAC,gBAAgB,CAAkC;IAC1D,OAAO,CAAC,gBAAgB,CAAkC;gBAE9C,MAAM,GAAE,oBAAyB;IAgE7C;;OAEG;IACG,GAAG,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAuBxC;;OAEG;IACH,sBAAsB,CAAC,CAAC,EACpB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,cAAc,CAAC,CAAC,CAAC,EAC1B,SAAS,GAAE,gBAA6C,EACxD,YAAY,CAAC,EAAE,MAAM,EAAE,GACxB,IAAI;IAUP;;OAEG;IACG,SAAS,IAAI,OAAO,CAAC,IAAI,CAAC;IAqDhC;;OAEG;IACG,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;IAqC/B;;OAEG;IACG,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC;IAIzD;;OAEG;IACG,qBAAqB,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAWxD;;OAEG;IACH,gBAAgB,IAAI,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC;IAIvC;;OAEG;IACH,UAAU,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,CAAC;IAI9B;;OAEG;IACG,eAAe,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC;IAIpE;;OAEG;IACH,SAAS,IAAI,OAAO;IAIpB;;OAEG;IACH,QAAQ,IAAI,MAAM;YAMJ,qBAAqB;YAerB,sBAAsB;YA6CtB,sBAAsB;YAkBtB,eAAe;IA2B7B,OAAO,CAAC,mBAAmB;IAyC3B,OAAO,CAAC,uBAAuB;IA2B/B;;OAEG;IACH,UAAU,CAAC,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI;CAGjD"}