@oculum/scanner 1.0.9 → 1.0.11

package/src/layer3/__tests__/osv-check.test.ts

@@ -0,0 +1,384 @@
+/**
+ * OSV Check Unit Tests
+ *
+ * Tests for the OSV.dev security advisory integration.
+ * Mocks fetch to avoid live API calls during tests.
+ *
+ * Run: npx jest src/layer3/__tests__/osv-check.test.ts
+ */
+
+import {
+  checkPackageAdvisories,
+  queryOSV,
+  queryOSVBatch,
+  mapOSVSeverity,
+  isMaliciousPackage,
+  getCacheKey,
+  advisoryCache,
+} from '../osv-check'
+
+// Mock fetch globally
+const mockFetch = jest.fn()
+global.fetch = mockFetch
+
+// Helper to create OSV vulnerability response
+function createOSVVuln(options: {
+  id: string
+  summary?: string
+  cvssScore?: number
+  malicious?: boolean
+  dbSeverity?: string
+}) {
+  return {
+    id: options.id,
+    summary: options.summary || 'Test vulnerability',
+    severity: options.cvssScore
+      ? [{ type: 'CVSS_V3', score: options.cvssScore.toString() }]
+      : undefined,
+    database_specific: {
+      malicious: options.malicious,
+      severity: options.dbSeverity,
+    },
+  }
+}
+
+describe('OSV Check', () => {
+  beforeEach(() => {
+    // Clear cache and mocks before each test
+    advisoryCache.clear()
+    mockFetch.mockReset()
+  })
+
+  describe('mapOSVSeverity()', () => {
+    it('returns critical for malicious packages', () => {
+      const vuln = createOSVVuln({ id: 'MAL-123', malicious: true })
+      expect(mapOSVSeverity(vuln)).toBe('critical')
+    })
+
+    it('maps CVSS scores correctly', () => {
+      expect(mapOSVSeverity(createOSVVuln({ id: 'CVE-1', cvssScore: 9.5 }))).toBe('critical')
+      expect(mapOSVSeverity(createOSVVuln({ id: 'CVE-2', cvssScore: 9.0 }))).toBe('critical')
+      expect(mapOSVSeverity(createOSVVuln({ id: 'CVE-3', cvssScore: 7.5 }))).toBe('high')
+      expect(mapOSVSeverity(createOSVVuln({ id: 'CVE-4', cvssScore: 7.0 }))).toBe('high')
+      expect(mapOSVSeverity(createOSVVuln({ id: 'CVE-5', cvssScore: 5.0 }))).toBe('medium')
+      expect(mapOSVSeverity(createOSVVuln({ id: 'CVE-6', cvssScore: 4.0 }))).toBe('medium')
+      expect(mapOSVSeverity(createOSVVuln({ id: 'CVE-7', cvssScore: 2.0 }))).toBe('low')
+    })
+
+    it('maps database_specific severity when no CVSS', () => {
+      expect(mapOSVSeverity(createOSVVuln({ id: 'X-1', dbSeverity: 'critical' }))).toBe('critical')
+      expect(mapOSVSeverity(createOSVVuln({ id: 'X-2', dbSeverity: 'high' }))).toBe('high')
+      expect(mapOSVSeverity(createOSVVuln({ id: 'X-3', dbSeverity: 'moderate' }))).toBe('medium')
+      expect(mapOSVSeverity(createOSVVuln({ id: 'X-4', dbSeverity: 'medium' }))).toBe('medium')
+      expect(mapOSVSeverity(createOSVVuln({ id: 'X-5', dbSeverity: 'low' }))).toBe('low')
+    })
+
+    it('defaults to high for unknown severity', () => {
+      const vuln = createOSVVuln({ id: 'UNKNOWN-1' })
+      expect(mapOSVSeverity(vuln)).toBe('high')
+    })
+  })
+
+  describe('isMaliciousPackage()', () => {
+    it('detects MAL- prefixed IDs', () => {
+      const vuln = createOSVVuln({ id: 'MAL-2023-1234' })
+      expect(isMaliciousPackage(vuln)).toBe(true)
+    })
+
+    it('detects malicious flag in database_specific', () => {
+      const vuln = createOSVVuln({ id: 'GHSA-xxxx', malicious: true })
+      expect(isMaliciousPackage(vuln)).toBe(true)
+    })
+
+    it('detects "malicious" in summary', () => {
+      const vuln = createOSVVuln({
+        id: 'GHSA-xxxx',
+        summary: 'This package contains malicious code',
+      })
+      expect(isMaliciousPackage(vuln)).toBe(true)
+    })
+
+    it('returns false for normal vulnerabilities', () => {
+      const vuln = createOSVVuln({
+        id: 'CVE-2024-1234',
+        summary: 'SQL injection vulnerability',
+      })
+      expect(isMaliciousPackage(vuln)).toBe(false)
+    })
+  })
+
+  describe('getCacheKey()', () => {
+    it('creates cache keys with lowercase package names', () => {
+      expect(getCacheKey('React', 'npm')).toBe('npm:react')
+      expect(getCacheKey('Django', 'PyPI')).toBe('PyPI:django')
+    })
+  })
+
+  describe('queryOSV()', () => {
+    it('returns cached results on subsequent calls', async () => {
+      // First call - API returns vulns
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({ vulns: [createOSVVuln({ id: 'CVE-1' })] }),
+      })
+
+      const first = await queryOSV('test-package', 'npm')
+      expect(first).toHaveLength(1)
+      expect(mockFetch).toHaveBeenCalledTimes(1)
+
+      // Second call - should use cache
+      const second = await queryOSV('test-package', 'npm')
+      expect(second).toHaveLength(1)
+      expect(mockFetch).toHaveBeenCalledTimes(1) // Still 1, used cache
+    })
+
+    it('returns empty array when API returns non-ok response', async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: false,
+        status: 500,
+      })
+
+      const result = await queryOSV('error-package', 'npm')
+      expect(result).toEqual([])
+    })
+
+    it('returns empty array on network error', async () => {
+      mockFetch.mockRejectedValueOnce(new Error('Network error'))
+
+      const result = await queryOSV('network-error-package', 'npm')
+      expect(result).toEqual([])
+    })
+  })
+
+  describe('queryOSVBatch()', () => {
+    it('uses cache for previously queried packages', async () => {
+      // Pre-populate cache
+      advisoryCache.set('npm:cached-pkg', {
+        timestamp: Date.now(),
+        advisories: [createOSVVuln({ id: 'CACHED-1' })],
+      })
+
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({
+          results: [{ vulns: [createOSVVuln({ id: 'NEW-1' })] }],
+        }),
+      })
+
+      const results = await queryOSVBatch([
+        { name: 'cached-pkg', ecosystem: 'npm' },
+        { name: 'new-pkg', ecosystem: 'npm' },
+      ])
+
+      // Should have results for both
+      expect(results.get('npm:cached-pkg')).toHaveLength(1)
+      expect(results.get('npm:new-pkg')).toHaveLength(1)
+
+      // API should only be called once (for new-pkg batch)
+      expect(mockFetch).toHaveBeenCalledTimes(1)
+    })
+
+    it('returns empty arrays on API error', async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: false,
+        status: 503,
+      })
+
+      const results = await queryOSVBatch([
+        { name: 'pkg1', ecosystem: 'npm' },
+        { name: 'pkg2', ecosystem: 'npm' },
+      ])
+
+      expect(results.get('npm:pkg1')).toEqual([])
+      expect(results.get('npm:pkg2')).toEqual([])
+    })
+  })
+
+  describe('checkPackageAdvisories()', () => {
+    it('returns vulnerabilities for packages with advisories', async () => {
+      // Mock OSV batch response
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({
+          results: [
+            {
+              vulns: [
+                createOSVVuln({
+                  id: 'MAL-2023-1234',
+                  summary: 'Malicious package',
+                  malicious: true,
+                }),
+              ],
+            },
+          ],
+        }),
+      })
+
+      const packageJson = JSON.stringify({
+        dependencies: {
+          'malicious-pkg': '1.0.0',
+        },
+      })
+
+      const findings = await checkPackageAdvisories(packageJson, 'package.json')
+
+      expect(findings).toHaveLength(1)
+      expect(findings[0].category).toBe('ai_package_malicious')
+      expect(findings[0].severity).toBe('critical')
+      expect(findings[0].title).toContain('Malicious package')
+    })
+
+    it('returns empty array for clean packages', async () => {
+      // Mock OSV batch response - no vulns
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({
+          results: [{ vulns: [] }],
+        }),
+      })
+
+      const packageJson = JSON.stringify({
+        dependencies: {
+          'clean-pkg': '1.0.0',
+        },
+      })
+
+      const findings = await checkPackageAdvisories(packageJson, 'package.json')
+      expect(findings).toHaveLength(0)
+    })
+
+    it('handles requirements.txt files', async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({
+          results: [
+            {
+              vulns: [
+                createOSVVuln({
+                  id: 'CVE-2024-1234',
+                  summary: 'Critical vulnerability',
+                  cvssScore: 9.8,
+                }),
+              ],
+            },
+          ],
+        }),
+      })
+
+      const requirements = `requests==2.28.0
+flask>=2.0.0`
+
+      const findings = await checkPackageAdvisories(requirements, 'requirements.txt')
+
+      expect(findings).toHaveLength(1)
+      expect(findings[0].category).toBe('suspicious_package')
+      expect(findings[0].severity).toBe('critical')
+    })
+
+    it('returns empty for unsupported file types', async () => {
+      const findings = await checkPackageAdvisories('some content', 'random.txt')
+      expect(findings).toHaveLength(0)
+    })
+
+    it('categorizes vulnerable (non-malicious) packages correctly', async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({
+          results: [
+            {
+              vulns: [
+                createOSVVuln({
+                  id: 'CVE-2024-5678',
+                  summary: 'XSS vulnerability in template rendering',
+                  cvssScore: 7.5,
+                }),
+              ],
+            },
+          ],
+        }),
+      })
+
+      const packageJson = JSON.stringify({
+        dependencies: {
+          'vuln-pkg': '1.0.0',
+        },
+      })
+
+      const findings = await checkPackageAdvisories(packageJson, 'package.json')
+
+      expect(findings).toHaveLength(1)
+      expect(findings[0].category).toBe('suspicious_package')
+      expect(findings[0].severity).toBe('high')
+      expect(findings[0].title).toContain('Vulnerable package')
+    })
+
+    it('sets requiresAIValidation to false (authoritative data)', async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({
+          results: [
+            {
+              vulns: [createOSVVuln({ id: 'CVE-1', cvssScore: 5.0 })],
+            },
+          ],
+        }),
+      })
+
+      const packageJson = JSON.stringify({
+        dependencies: {
+          'test-pkg': '1.0.0',
+        },
+      })
+
+      const findings = await checkPackageAdvisories(packageJson, 'package.json')
+
+      expect(findings).toHaveLength(1)
+      expect(findings[0].requiresAIValidation).toBe(false)
+    })
+
+    it('gracefully handles API failures', async () => {
+      mockFetch.mockRejectedValueOnce(new Error('Network error'))
+
+      const packageJson = JSON.stringify({
+        dependencies: {
+          'some-pkg': '1.0.0',
+        },
+      })
+
+      const findings = await checkPackageAdvisories(packageJson, 'package.json')
+      expect(findings).toHaveLength(0) // Graceful degradation
+    })
+
+    it('aggregates multiple advisories for same package', async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({
+          results: [
+            {
+              vulns: [
+                createOSVVuln({ id: 'CVE-1', cvssScore: 5.0, summary: 'Low risk' }),
+                createOSVVuln({ id: 'CVE-2', cvssScore: 9.0, summary: 'High risk' }),
+                createOSVVuln({ id: 'CVE-3', cvssScore: 7.0, summary: 'Medium risk' }),
+              ],
+            },
+          ],
+        }),
+      })
+
+      const packageJson = JSON.stringify({
+        dependencies: {
+          'multi-vuln-pkg': '1.0.0',
+        },
+      })
+
+      const findings = await checkPackageAdvisories(packageJson, 'package.json')
+
+      expect(findings).toHaveLength(1) // Single aggregated finding
+      expect(findings[0].severity).toBe('critical') // Uses highest severity
+      expect(findings[0].title).toContain('3 advisories')
+      expect(findings[0].description).toContain('CVE-1')
+      expect(findings[0].description).toContain('CVE-2')
+      expect(findings[0].description).toContain('CVE-3')
+    })
+  })
+})

package/src/layer3/anthropic/auto-dismiss.ts

@@ -0,0 +1,212 @@
+/**
+ * Smart Auto-Dismiss Rules
+ *
+ * Instant filtering rules that don't require AI validation.
+ * These rules catch obvious false positives before sending to AI.
+ */
+
+import type { Vulnerability } from '../../types'
+import type { AutoDismissRule } from './types'
+import {
+  isTestOrMockFile,
+  isExampleFile,
+  isScannerOrFixtureFile,
+  isEnvVarReference,
+  isPublicEndpoint,
+  isComment,
+} from '../../utils/context-helpers'
+import { getTierForCategory } from '../../tiers'
+
+// ============================================================================
+// Auto-Dismiss Rules
+// ============================================================================
+
+const AUTO_DISMISS_RULES: AutoDismissRule[] = [
+  // Test files - often contain intentional "vulnerable" patterns for testing
+  {
+    name: 'test_file',
+    check: (finding) => isTestOrMockFile(finding.filePath),
+    reason: 'Finding in test/mock file',
+  },
+
+  // Example/demo code - not production code
+  {
+    name: 'example_file',
+    check: (finding) => isExampleFile(finding.filePath),
+    reason: 'Finding in example/demo file',
+  },
+
+  // Documentation files
+  {
+    name: 'documentation_file',
+    check: (finding) => /\.(md|mdx|txt|rst)$/i.test(finding.filePath),
+    reason: 'Finding in documentation file',
+  },
+
+  // Scanner/security tool code itself
+  {
+    name: 'scanner_code',
+    check: (finding) => isScannerOrFixtureFile(finding.filePath),
+    reason: 'Finding in scanner/fixture code',
+  },
+
+  // Environment variable references (not hardcoded secrets)
+  {
+    name: 'env_var_reference',
+    check: (finding) => {
+      if (finding.category !== 'hardcoded_secret' && finding.category !== 'high_entropy_string') {
+        return false
+      }
+      return isEnvVarReference(finding.lineContent)
+    },
+    reason: 'Uses environment variable (not hardcoded)',
+  },
+
+  // Public health check endpoints don't need auth
+  {
+    name: 'health_check_endpoint',
+    check: (finding) => {
+      if (finding.category !== 'missing_auth') return false
+      return isPublicEndpoint(finding.lineContent, finding.filePath)
+    },
+    reason: 'Public health check endpoint (auth not required)',
+  },
+
+  // CSS/Tailwind classes flagged as high entropy
+  {
+    name: 'css_classes',
+    check: (finding) => {
+      if (finding.category !== 'high_entropy_string') return false
+      const cssIndicators = ['flex', 'grid', 'text-', 'bg-', 'px-', 'py-', 'rounded', 'shadow', 'hover:', 'dark:']
+      const lowerLine = finding.lineContent.toLowerCase()
+      const matchCount = cssIndicators.filter(ind => lowerLine.includes(ind)).length
+      return matchCount >= 2
+    },
+    reason: 'CSS/Tailwind classes (not a secret)',
+  },
+
+  // Comment lines shouldn't be flagged for most categories
+  {
+    name: 'comment_line',
+    check: (finding) => {
+      // Some categories are valid in comments (e.g., TODO security)
+      if (finding.category === 'ai_pattern') return false
+      return isComment(finding.lineContent)
+    },
+    reason: 'Code comment (not executable)',
+  },
+
+  // Info severity already - no need to validate
+  // BUT: Only auto-dismiss info-severity for Tier A (core) findings
+  // Tier B (ai_assisted) findings MUST go through AI validation even at info severity
+  // because detectors may have pre-downgraded them based on partial context
+  {
+    name: 'info_severity_core_only',
+    check: (finding) => {
+      if (finding.severity !== 'info') return false
+      // Only auto-dismiss info-severity for Tier A (core) findings
+      // Tier B should always go through AI for proper validation
+      const tier = getTierForCategory(finding.category, finding.layer)
+      return tier === 'core'
+    },
+    reason: 'Already info severity for core detector (low priority)',
+  },
+
+  // Generic success/error messages in ai_pattern
+  {
+    name: 'generic_message',
+    check: (finding) => {
+      if (finding.category !== 'ai_pattern') return false
+      const genericPatterns = [
+        /['"`](success|done|ok|completed|finished|saved|updated|deleted|created)['"`]/i,
+        /['"`]something went wrong['"`]/i,
+        /['"`]an error occurred['"`]/i,
+        /console\.(log|info|debug)\s*\(\s*['"`][^'"]+['"`]\s*\)/i,
+      ]
+      return genericPatterns.some(p => p.test(finding.lineContent))
+    },
+    reason: 'Generic UI message (not security-relevant)',
+  },
+
+  // Type definitions with 'any' - often necessary for third-party libs
+  {
+    name: 'type_definition_any',
+    check: (finding) => {
+      if (finding.category !== 'ai_pattern') return false
+      if (!finding.title.toLowerCase().includes('any')) return false
+      // Check if it's in a .d.ts file or type definition context
+      if (finding.filePath.includes('.d.ts')) return true
+      const typeDefPatterns = [/^type\s+\w+\s*=/, /^interface\s+\w+/, /declare\s+(const|let|var|function|class)/]
+      return typeDefPatterns.some(p => p.test(finding.lineContent.trim()))
+    },
+    reason: 'Type definition (not runtime code)',
+  },
+
+  // setTimeout/setInterval magic numbers - code style, not security
+  {
+    name: 'timeout_magic_number',
+    check: (finding) => {
+      if (finding.category !== 'ai_pattern') return false
+      return /set(Timeout|Interval)\s*\([^,]+,\s*\d+\s*\)/.test(finding.lineContent)
+    },
+    reason: 'Timeout value (code style, not security)',
+  },
+]
+
+// ============================================================================
+// Apply Auto-Dismiss Rules
+// ============================================================================
+
+/**
+ * Rules that should NOT be applied to direct-surface findings.
+ * These rules are designed to reduce AI validation costs, not to suppress findings entirely.
+ */
+const VALIDATION_ONLY_RULES = new Set([
+  'info_severity_core_only',  // Info findings should surface, just not go through expensive AI validation
+])
+
+/**
+ * Apply smart auto-dismiss rules to filter obvious false positives
+ * Returns findings that should be sent to AI validation
+ *
+ * @param findings - Array of vulnerabilities to filter
+ * @param mode - 'validation' applies all rules (for AI validation candidates),
+ *               'surface' excludes cost-saving rules (for direct-surface findings)
+ */
+export function applyAutoDismissRules(
+  findings: Vulnerability[],
+  mode: 'validation' | 'surface' = 'validation'
+): {
+  toValidate: Vulnerability[]
+  dismissed: Array<{ finding: Vulnerability; rule: string; reason: string }>
+} {
+  const toValidate: Vulnerability[] = []
+  const dismissed: Array<{ finding: Vulnerability; rule: string; reason: string }> = []
+
+  // Filter rules based on mode
+  const applicableRules = mode === 'surface'
+    ? AUTO_DISMISS_RULES.filter(rule => !VALIDATION_ONLY_RULES.has(rule.name))
+    : AUTO_DISMISS_RULES
+
+  for (const finding of findings) {
+    let wasDismissed = false
+
+    for (const rule of applicableRules) {
+      if (rule.check(finding)) {
+        dismissed.push({
+          finding,
+          rule: rule.name,
+          reason: rule.reason,
+        })
+        wasDismissed = true
+        break
+      }
+    }
+
+    if (!wasDismissed) {
+      toValidate.push(finding)
+    }
+  }
+
+  return { toValidate, dismissed }
+}

package/src/layer3/anthropic/clients.ts

@@ -0,0 +1,84 @@
+/**
+ * AI Provider Client Factories
+ *
+ * Provides lazy-initialized clients for OpenAI and Anthropic APIs.
+ */
+
+import Anthropic from '@anthropic-ai/sdk'
+import OpenAI from 'openai'
+
+// ============================================================================
+// Anthropic Client
+// ============================================================================
+
+/**
+ * Initialize Anthropic client
+ */
+export function getAnthropicClient(): Anthropic {
+  const apiKey = process.env.ANTHROPIC_API_KEY
+  if (!apiKey) {
+    throw new Error('ANTHROPIC_API_KEY environment variable is not set')
+  }
+  return new Anthropic({ apiKey })
+}
+
+// ============================================================================
+// OpenAI Client
+// ============================================================================
+
+// Singleton instance for connection reuse
+let openaiClient: OpenAI | null = null
+
+/**
+ * Initialize OpenAI client (singleton)
+ */
+export function getOpenAIClient(): OpenAI {
+  if (!openaiClient) {
+    const apiKey = process.env.OPENAI_API_KEY
+    if (!apiKey) {
+      throw new Error('OPENAI_API_KEY environment variable is not set')
+    }
+    openaiClient = new OpenAI({ apiKey })
+  }
+  return openaiClient
+}
+
+// ============================================================================
+// Pricing Constants
+// ============================================================================
+
+/**
+ * GPT-5-mini pricing constants (per 1M tokens)
+ */
+export const GPT5_MINI_PRICING = {
+  input: 0.25,      // $0.25 per 1M tokens
+  cached: 0.025,    // $0.025 per 1M tokens (10% of input)
+  output: 2.00,     // $2.00 per 1M tokens
+}
+
+/**
+ * Claude 3.5 Haiku pricing constants (per 1M tokens)
+ */
+export const HAIKU_PRICING = {
+  input: 0.80,       // $0.80 per 1M tokens
+  cacheWrite: 1.00,  // $1.00 per 1M tokens (5m cache)
+  cacheRead: 0.08,   // $0.08 per 1M tokens
+  output: 4.00,      // $4.00 per 1M tokens
+}
+
+// ============================================================================
+// Batching Configuration
+// ============================================================================
+
+/**
+ * Number of files to include in each API call (Phase 2 optimization)
+ * Batching multiple files reduces API overhead and leverages prompt caching better
+ */
+export const FILES_PER_API_BATCH = 8
+
+/**
+ * Number of API batches to process in parallel (Phase 3 optimization)
+ * Higher values = faster scans but more API load
+ * OpenAI/GPT-5-mini handles this well
+ */
+export const PARALLEL_API_BATCHES = 6