@oculum/scanner 1.0.11 → 1.0.12

package/src/formatters/ide/__tests__/ide.test.ts

@@ -0,0 +1,319 @@
+/**
+ * IDE Integration Tests
+ */
+
+import { existsSync, mkdirSync, writeFileSync, rmSync } from 'fs'
+import { join } from 'path'
+import { tmpdir } from 'os'
+import {
+  formatCursorRules,
+  formatWindsurfRules,
+  formatClaudeCodeSection,
+  detectIDEConfigs,
+  writeIDEFile,
+  updateClaudeMdSection,
+  clearIDEFiles,
+} from '../index'
+import type { ScanResult, Vulnerability } from '../../../types'
+
+const createMockVulnerability = (overrides: Partial<Vulnerability> = {}): Vulnerability => ({
+  id: 'test-vuln-1',
+  filePath: 'src/api/users.ts',
+  lineNumber: 42,
+  lineContent: 'const query = `SELECT * FROM users WHERE id = ${userId}`',
+  severity: 'high',
+  category: 'sql_injection',
+  title: 'SQL Injection Vulnerability',
+  description: 'User input is directly concatenated into SQL query without parameterization.',
+  suggestedFix: 'Use parameterized queries instead of string concatenation.',
+  confidence: 'high',
+  layer: 2,
+  fixSteps: [
+    'Replace string concatenation with parameterized query',
+    'Use prepared statements or an ORM',
+  ],
+  ...overrides,
+})
+
+const createMockScanResult = (vulnerabilities: Vulnerability[] = []): ScanResult => ({
+  repoName: 'test-repo',
+  repoUrl: 'https://github.com/test/test-repo',
+  branch: 'main',
+  filesScanned: 50,
+  filesSkipped: 5,
+  vulnerabilities,
+  severityCounts: {
+    critical: vulnerabilities.filter(v => v.severity === 'critical').length,
+    high: vulnerabilities.filter(v => v.severity === 'high').length,
+    medium: vulnerabilities.filter(v => v.severity === 'medium').length,
+    low: vulnerabilities.filter(v => v.severity === 'low').length,
+    info: vulnerabilities.filter(v => v.severity === 'info').length,
+  },
+  categoryCounts: {},
+  hasBlockingIssues: vulnerabilities.some(v => v.severity === 'critical' || v.severity === 'high'),
+  scanDuration: 1500,
+  timestamp: '2024-01-15T10:30:00.000Z',
+})
+
+describe('formatCursorRules', () => {
+  it('should generate MDC format with frontmatter', () => {
+    const vuln = createMockVulnerability()
+    const result = createMockScanResult([vuln])
+
+    const output = formatCursorRules(result)
+
+    // Check frontmatter
+    expect(output).toContain('---')
+    expect(output).toContain('description: Oculum Security Findings')
+    expect(output).toContain('alwaysApply: false')
+    expect(output).toContain('---')
+  })
+
+  it('should include glob patterns for affected files', () => {
+    const vulns = [
+      createMockVulnerability({ filePath: 'src/api/users.ts' }),
+      createMockVulnerability({ id: 'v2', filePath: 'src/api/orders.ts' }),
+      createMockVulnerability({ id: 'v3', filePath: 'src/config/db.ts' }),
+    ]
+    const result = createMockScanResult(vulns)
+
+    const output = formatCursorRules(result)
+
+    // Should include globs for affected directories
+    expect(output).toContain('globs:')
+    expect(output).toContain('src/api/**')
+    expect(output).toContain('src/config/**')
+  })
+
+  it('should include security findings', () => {
+    const vuln = createMockVulnerability()
+    const result = createMockScanResult([vuln])
+
+    const output = formatCursorRules(result)
+
+    expect(output).toContain('SQL Injection Vulnerability')
+    expect(output).toContain('src/api/users.ts:42')
+  })
+
+  it('should include fix instructions', () => {
+    const vuln = createMockVulnerability()
+    const result = createMockScanResult([vuln])
+
+    const output = formatCursorRules(result)
+
+    expect(output).toContain('DO NOT')
+    // The fix shows example code with '?' instead of the word 'parameterized'
+    expect(output).toContain('GOOD')
+    expect(output).toContain("'SELECT * FROM users WHERE id = ?'")
+  })
+
+  it('should return minimal output for zero findings', () => {
+    const result = createMockScanResult([])
+
+    const output = formatCursorRules(result)
+
+    expect(output).toContain('description: Oculum Security Findings')
+    expect(output).toContain('No security issues found')
+  })
+})
+
+describe('formatWindsurfRules', () => {
+  it('should generate markdown security rules', () => {
+    const vuln = createMockVulnerability()
+    const result = createMockScanResult([vuln])
+
+    const output = formatWindsurfRules(result)
+
+    expect(output).toContain('# Oculum Security Rules')
+    expect(output).toContain('## Security Issues')
+  })
+
+  it('should list findings by file', () => {
+    const vulns = [
+      createMockVulnerability({ filePath: 'src/api/users.ts' }),
+      createMockVulnerability({ id: 'v2', filePath: 'src/api/orders.ts' }),
+    ]
+    const result = createMockScanResult(vulns)
+
+    const output = formatWindsurfRules(result)
+
+    expect(output).toContain('src/api/users.ts')
+    expect(output).toContain('src/api/orders.ts')
+    expect(output).toContain('Line 42')
+  })
+
+  it('should include code patterns section', () => {
+    const vuln = createMockVulnerability()
+    const result = createMockScanResult([vuln])
+
+    const output = formatWindsurfRules(result)
+
+    expect(output).toContain('## Code Patterns')
+    expect(output).toContain('ALWAYS')
+  })
+})
+
+describe('formatClaudeCodeSection', () => {
+  it('should return section with markers', () => {
+    const vuln = createMockVulnerability()
+    const result = createMockScanResult([vuln])
+
+    const output = formatClaudeCodeSection(result)
+
+    expect(output).toContain('<!-- OCULUM_SECURITY_START -->')
+    expect(output).toContain('<!-- OCULUM_SECURITY_END -->')
+  })
+
+  it('should include security issues', () => {
+    const vuln = createMockVulnerability()
+    const result = createMockScanResult([vuln])
+
+    const output = formatClaudeCodeSection(result)
+
+    expect(output).toContain('## Security Issues')
+    expect(output).toContain('SQL Injection')
+    expect(output).toContain('src/api/users.ts:42')
+  })
+
+  it('should include verification instructions', () => {
+    const vuln = createMockVulnerability()
+    const result = createMockScanResult([vuln])
+
+    const output = formatClaudeCodeSection(result)
+
+    expect(output).toContain('oculum scan')
+  })
+})
+
+describe('detectIDEConfigs', () => {
+  const testDir = join(tmpdir(), 'oculum-ide-detect-test-' + Date.now())
+
+  beforeAll(() => {
+    mkdirSync(testDir, { recursive: true })
+  })
+
+  afterAll(() => {
+    try {
+      rmSync(testDir, { recursive: true, force: true })
+    } catch {
+      // Ignore cleanup errors
+    }
+  })
+
+  it('should detect .cursor directory', () => {
+    // Create .cursor directory
+    mkdirSync(join(testDir, '.cursor'), { recursive: true })
+
+    const detected = detectIDEConfigs(testDir)
+
+    expect(detected).toContain('cursor')
+  })
+
+  it('should detect CLAUDE.md file', () => {
+    // Create CLAUDE.md file
+    writeFileSync(join(testDir, 'CLAUDE.md'), '# Claude Code\n')
+
+    const detected = detectIDEConfigs(testDir)
+
+    expect(detected).toContain('claude-code')
+  })
+
+  it('should return array of detected IDEs', () => {
+    const detected = detectIDEConfigs(testDir)
+
+    expect(Array.isArray(detected)).toBe(true)
+  })
+})
+
+describe('IDE file operations', () => {
+  const testDir = join(tmpdir(), 'oculum-ide-ops-test-' + Date.now())
+
+  beforeAll(() => {
+    mkdirSync(testDir, { recursive: true })
+  })
+
+  afterAll(() => {
+    try {
+      rmSync(testDir, { recursive: true, force: true })
+    } catch {
+      // Ignore cleanup errors
+    }
+  })
+
+  it('should write IDE file and create directories', () => {
+    const result = writeIDEFile(
+      testDir,
+      '.cursor/rules/security.mdc',
+      '# Security Rules'
+    )
+
+    expect(result.success).toBe(true)
+    expect(existsSync(join(testDir, '.cursor/rules/security.mdc'))).toBe(true)
+  })
+
+  it('should update CLAUDE.md section between markers', () => {
+    // Create initial CLAUDE.md
+    const initialContent = `# Project
+
+Some existing content.
+
+<!-- OCULUM_SECURITY_START -->
+Old security content
+<!-- OCULUM_SECURITY_END -->
+
+More content.
+`
+    writeFileSync(join(testDir, 'CLAUDE.md'), initialContent)
+
+    // Update section
+    const result = updateClaudeMdSection(
+      testDir,
+      '<!-- OCULUM_SECURITY_START -->\nNew security content\n<!-- OCULUM_SECURITY_END -->'
+    )
+
+    expect(result.success).toBe(true)
+
+    // Read and verify
+    const { readFileSync } = require('fs')
+    const updated = readFileSync(join(testDir, 'CLAUDE.md'), 'utf-8')
+
+    expect(updated).toContain('New security content')
+    expect(updated).not.toContain('Old security content')
+    expect(updated).toContain('Some existing content')
+    expect(updated).toContain('More content')
+  })
+
+  it('should append section if no markers exist', () => {
+    // Create CLAUDE.md without markers
+    const noMarkersDir = join(testDir, 'no-markers')
+    mkdirSync(noMarkersDir, { recursive: true })
+    writeFileSync(join(noMarkersDir, 'CLAUDE.md'), '# Project\n\nSome content.\n')
+
+    const result = updateClaudeMdSection(
+      noMarkersDir,
+      '<!-- OCULUM_SECURITY_START -->\nSecurity content\n<!-- OCULUM_SECURITY_END -->'
+    )
+
+    expect(result.success).toBe(true)
+
+    const { readFileSync } = require('fs')
+    const updated = readFileSync(join(noMarkersDir, 'CLAUDE.md'), 'utf-8')
+
+    expect(updated).toContain('Security content')
+    expect(updated).toContain('Some content')
+  })
+
+  it('should clear IDE files', () => {
+    // Create some IDE files
+    const clearDir = join(testDir, 'clear-test')
+    mkdirSync(join(clearDir, '.cursor/rules'), { recursive: true })
+    writeFileSync(join(clearDir, '.cursor/rules/security.mdc'), 'content')
+    writeFileSync(join(clearDir, '.windsurfrules'), 'content')
+
+    const result = clearIDEFiles(clearDir)
+
+    expect(result.success).toBe(true)
+    expect(existsSync(join(clearDir, '.cursor/rules/security.mdc'))).toBe(false)
+    expect(existsSync(join(clearDir, '.windsurfrules'))).toBe(false)
+  })
+})

package/src/formatters/ide/claude-code.ts

@@ -0,0 +1,110 @@
+/**
+ * Claude Code IDE Integration
+ * Generates CLAUDE.md section format
+ */
+
+import type { ScanResult, Vulnerability, VulnerabilityCategory } from '../../types'
+import { sortBySeverity } from '../grouping'
+
+/** Start marker for Oculum section in CLAUDE.md */
+export const OCULUM_SECTION_START = '<!-- OCULUM_SECURITY_START -->'
+
+/** End marker for Oculum section in CLAUDE.md */
+export const OCULUM_SECTION_END = '<!-- OCULUM_SECURITY_END -->'
+
+/**
+ * Get "ALWAYS" rule for a category
+ */
+function getAlwaysRule(category: VulnerabilityCategory): string | null {
+  const rules: Partial<Record<VulnerabilityCategory, string>> = {
+    sql_injection: 'Use parameterized queries for all database operations',
+    xss: 'Escape or sanitize user input before rendering in HTML',
+    hardcoded_secret: 'Use environment variables for secrets and API keys',
+    high_entropy_string: 'Store credentials in secure vaults, not in code',
+    missing_auth: 'Add authentication middleware to API endpoints',
+    dangerous_function: 'Avoid eval() and exec() - use safe alternatives',
+    command_injection: 'Sanitize all input passed to shell commands',
+    data_exposure: 'Never log sensitive data or expose it in responses',
+    weak_crypto: 'Use modern cryptographic algorithms (SHA-256+, AES-256)',
+    ai_prompt_injection: 'Sanitize user input before including in prompts',
+    ai_unsafe_execution: 'Validate AI-generated code before execution',
+  }
+
+  return rules[category] || null
+}
+
+/**
+ * Format scan result as CLAUDE.md section
+ *
+ * @param result - The scan result to format
+ * @returns Markdown string with markers for CLAUDE.md
+ */
+export function formatClaudeCodeSection(result: ScanResult): string {
+  const { vulnerabilities, timestamp } = result
+
+  // Sort by severity
+  const sorted = sortBySeverity(vulnerabilities)
+
+  let md = ''
+
+  // Section markers
+  md += `${OCULUM_SECTION_START}\n`
+  md += `## Security Issues (Auto-Generated)\n\n`
+  md += `> Last scan: ${timestamp}\n\n`
+
+  // No findings case
+  if (vulnerabilities.length === 0) {
+    md += `No security issues detected.\n\n`
+    md += `Run \`oculum scan\` to scan for vulnerabilities.\n`
+    md += `${OCULUM_SECTION_END}\n`
+    return md
+  }
+
+  // Summary
+  const { severityCounts, hasBlockingIssues } = result
+  if (hasBlockingIssues) {
+    md += `**BLOCKING ISSUES:** ${severityCounts.critical + severityCounts.high} issues must be fixed.\n\n`
+  }
+
+  // DO NOT section - list findings
+  md += `**DO NOT** ignore these findings:\n\n`
+
+  let count = 0
+  for (const vuln of sorted.slice(0, 10)) {
+    count++
+    const severityLabel =
+      vuln.severity === 'critical' ? 'CRITICAL' :
+      vuln.severity === 'high' ? 'HIGH' :
+      vuln.severity.toUpperCase()
+
+    md += `${count}. **${vuln.title}** [${severityLabel}] in \`${vuln.filePath}:${vuln.lineNumber}\`\n`
+  }
+
+  if (sorted.length > 10) {
+    md += `\n... and ${sorted.length - 10} more issues.\n`
+  }
+  md += '\n'
+
+  // ALWAYS section - best practices
+  const alwaysRules = new Set<string>()
+  for (const vuln of vulnerabilities) {
+    const rule = getAlwaysRule(vuln.category)
+    if (rule) {
+      alwaysRules.add(rule)
+    }
+  }
+
+  if (alwaysRules.size > 0) {
+    md += `**ALWAYS:**\n`
+    for (const rule of alwaysRules) {
+      md += `- ${rule}\n`
+    }
+    md += '\n'
+  }
+
+  // Verification instructions
+  md += `Run \`oculum scan\` to verify fixes.\n`
+  md += `${OCULUM_SECTION_END}\n`
+
+  return md
+}

package/src/formatters/ide/cursor.ts

@@ -0,0 +1,147 @@
+/**
+ * Cursor IDE Integration
+ * Generates .cursor/rules/security.mdc format
+ */
+
+import type { ScanResult, Vulnerability } from '../../types'
+import { sortBySeverity } from '../grouping'
+
+/**
+ * Extract unique directory paths from vulnerabilities for glob patterns
+ */
+function extractGlobPatterns(vulnerabilities: Vulnerability[]): string[] {
+  const directories = new Set<string>()
+
+  for (const vuln of vulnerabilities) {
+    // Get directory path (e.g., 'src/api' from 'src/api/users.ts')
+    const parts = vuln.filePath.split('/')
+    if (parts.length > 1) {
+      // Take up to 2 levels of directory
+      const dir = parts.slice(0, Math.min(parts.length - 1, 2)).join('/')
+      directories.add(`${dir}/**`)
+    }
+  }
+
+  return Array.from(directories).sort()
+}
+
+/**
+ * Format fix pattern (DO NOT / DO) for a vulnerability
+ */
+function formatFixPattern(vuln: Vulnerability): string {
+  const category = vuln.category
+  let md = ''
+
+  // Common patterns by category
+  switch (category) {
+    case 'sql_injection':
+      md += `**DO NOT** concatenate user input into SQL queries.\n\n`
+      md += `\`\`\`typescript\n// BAD\nconst query = \`SELECT * FROM users WHERE id = \${userId}\`\n\n// GOOD\nconst query = 'SELECT * FROM users WHERE id = ?'\n\`\`\`\n`
+      break
+
+    case 'xss':
+      md += `**DO NOT** insert user input into HTML without escaping.\n\n`
+      md += `\`\`\`typescript\n// BAD\nelement.innerHTML = userInput\n\n// GOOD\nelement.textContent = userInput\n\`\`\`\n`
+      break
+
+    case 'hardcoded_secret':
+    case 'high_entropy_string':
+      md += `**DO NOT** hardcode secrets or API keys in source code.\n\n`
+      md += `\`\`\`typescript\n// BAD\nconst apiKey = 'sk-abc123...'\n\n// GOOD\nconst apiKey = process.env.API_KEY\n\`\`\`\n`
+      break
+
+    case 'missing_auth':
+      md += `**DO NOT** expose endpoints without authentication.\n\n`
+      md += `\`\`\`typescript\n// BAD\napp.get('/api/data', handler)\n\n// GOOD\napp.get('/api/data', authMiddleware, handler)\n\`\`\`\n`
+      break
+
+    case 'dangerous_function':
+      md += `**DO NOT** use eval() or similar dangerous functions with user input.\n\n`
+      md += `\`\`\`typescript\n// BAD\neval(userInput)\n\n// GOOD\nJSON.parse(userInput)\n\`\`\`\n`
+      break
+
+    default:
+      // Generic fix pattern
+      if (vuln.fixSteps && vuln.fixSteps.length > 0) {
+        md += `**FIX:**\n`
+        vuln.fixSteps.forEach((step, i) => {
+          md += `${i + 1}. ${step}\n`
+        })
+      } else if (vuln.suggestedFix) {
+        md += `**FIX:** ${vuln.suggestedFix}\n`
+      }
+  }
+
+  return md
+}
+
+/**
+ * Format scan result as Cursor MDC rules
+ *
+ * @param result - The scan result to format
+ * @returns MDC format string for .cursor/rules/security.mdc
+ */
+export function formatCursorRules(result: ScanResult): string {
+  const { vulnerabilities, timestamp } = result
+
+  // Sort by severity
+  const sorted = sortBySeverity(vulnerabilities)
+
+  // Extract glob patterns
+  const globs = extractGlobPatterns(sorted)
+
+  let md = ''
+
+  // MDC Frontmatter
+  md += `---\n`
+  md += `description: Oculum Security Findings\n`
+  if (globs.length > 0) {
+    md += `globs: "${globs.join(',')}"\n`
+  }
+  md += `alwaysApply: false\n`
+  md += `---\n\n`
+
+  // No findings case
+  if (vulnerabilities.length === 0) {
+    md += `# Security Scan Results\n\n`
+    md += `No security issues found. Last scan: ${timestamp}\n\n`
+    md += `*Run \`oculum scan --cursor --clear\` to remove this file.*\n`
+    return md
+  }
+
+  // Header
+  md += `# Security Issues (${vulnerabilities.length})\n\n`
+  md += `> Last scan: ${timestamp}\n\n`
+
+  // Group by severity
+  const bySeverity = new Map<string, Vulnerability[]>()
+  for (const vuln of sorted) {
+    const group = bySeverity.get(vuln.severity) || []
+    group.push(vuln)
+    bySeverity.set(vuln.severity, group)
+  }
+
+  // Output by severity
+  for (const [severity, vulns] of bySeverity) {
+    md += `## ${severity.toUpperCase()} (${vulns.length})\n\n`
+
+    for (const vuln of vulns.slice(0, 10)) {
+      md += `### ${vuln.title}\n\n`
+      md += `**File:** \`${vuln.filePath}:${vuln.lineNumber}\`\n\n`
+
+      // Add fix pattern
+      md += formatFixPattern(vuln)
+      md += '\n'
+    }
+
+    if (vulns.length > 10) {
+      md += `> + ${vulns.length - 10} more ${severity} issues\n\n`
+    }
+  }
+
+  // Footer
+  md += `---\n\n`
+  md += `*Run \`oculum scan --cursor --clear\` after fixing to remove this file.*\n`
+
+  return md
+}