@quantracode/vibecheck 0.0.1 → 0.0.2

package/dist/scanners/hallucinations/unused-security-imports.js

@@ -1,309 +0,0 @@
-import { readFileSync, resolvePath } from "../../utils/file-utils.js";
-import { generateFingerprint, generateFindingId } from "../../utils/fingerprint.js";
-const RULE_ID = "VC-HALL-001";
-const RULE_ID_002 = "VC-HALL-002";
-const SECURITY_LIBS = [
-    {
-        name: "zod",
-        category: "validation",
-        severity: "medium",
-        description: "Schema validation library",
-    },
-    {
-        name: "yup",
-        category: "validation",
-        severity: "medium",
-        description: "Schema validation library",
-    },
-    {
-        name: "joi",
-        category: "validation",
-        severity: "medium",
-        description: "Schema validation library",
-    },
-    {
-        name: "helmet",
-        category: "middleware",
-        severity: "medium",
-        description: "Security headers middleware",
-    },
-    {
-        name: "cors",
-        category: "middleware",
-        severity: "low",
-        description: "CORS middleware",
-    },
-    {
-        name: "csurf",
-        category: "middleware",
-        severity: "medium",
-        description: "CSRF protection middleware",
-    },
-    {
-        name: "express-rate-limit",
-        category: "middleware",
-        severity: "medium",
-        description: "Rate limiting middleware",
-    },
-    {
-        name: "bcrypt",
-        category: "auth",
-        severity: "high",
-        description: "Password hashing library",
-    },
-    {
-        name: "argon2",
-        category: "auth",
-        severity: "high",
-        description: "Password hashing library",
-    },
-];
-/**
- * Find imports of security libraries in a file
- */
-export function findSecurityImports(content, libraries) {
-    const imports = [];
-    const lines = content.split("\n");
-    for (let i = 0; i < lines.length; i++) {
-        const line = lines[i];
-        for (const lib of libraries) {
-            // Check each library pattern
-            const patterns = [
-                // import X from 'lib'
-                new RegExp(`^\\s*import\\s+(\\w+)\\s+from\\s+['"]${lib}['"]`),
-                // import { x, y } from 'lib'
-                new RegExp(`^\\s*import\\s+\\{([^}]+)\\}\\s+from\\s+['"]${lib}['"]`),
-                // import * as X from 'lib'
-                new RegExp(`^\\s*import\\s+\\*\\s+as\\s+(\\w+)\\s+from\\s+['"]${lib}['"]`),
-                // import X, { y } from 'lib'
-                new RegExp(`^\\s*import\\s+(\\w+)\\s*,\\s*\\{([^}]+)\\}\\s+from\\s+['"]${lib}['"]`),
-            ];
-            for (let p = 0; p < patterns.length; p++) {
-                const match = line.match(patterns[p]);
-                if (match) {
-                    const importedNames = [];
-                    let isDefaultImport = false;
-                    let isNamespaceImport = false;
-                    if (p === 0) {
-                        // Default import
-                        importedNames.push(match[1]);
-                        isDefaultImport = true;
-                    }
-                    else if (p === 1) {
-                        // Named imports
-                        const names = match[1].split(",").map((n) => n.trim().split(/\s+as\s+/)[0].trim());
-                        importedNames.push(...names.filter(Boolean));
-                    }
-                    else if (p === 2) {
-                        // Namespace import
-                        importedNames.push(match[1]);
-                        isNamespaceImport = true;
-                    }
-                    else if (p === 3) {
-                        // Default + named
-                        importedNames.push(match[1]);
-                        isDefaultImport = true;
-                        const names = match[2].split(",").map((n) => n.trim().split(/\s+as\s+/)[0].trim());
-                        importedNames.push(...names.filter(Boolean));
-                    }
-                    imports.push({
-                        library: lib,
-                        importedNames,
-                        line: i + 1,
-                        snippet: line.trim(),
-                        isDefaultImport,
-                        isNamespaceImport,
-                    });
-                    break;
-                }
-            }
-        }
-    }
-    return imports;
-}
-/**
- * Check if any imported identifiers are used after the import line
- */
-export function checkIdentifierUsage(content, importLine, identifiers, isNamespaceImport) {
-    const lines = content.split("\n");
-    const afterImport = lines.slice(importLine).join("\n");
-    return identifiers.map((id) => {
-        // For namespace imports, check for namespace.something
-        if (isNamespaceImport) {
-            const namespaceRegex = new RegExp(`\\b${id}\\s*\\.`, "g");
-            return { identifier: id, used: namespaceRegex.test(afterImport) };
-        }
-        // For regular imports, check for identifier usage
-        const usageRegex = new RegExp(`\\b${id}\\b`, "g");
-        const matches = afterImport.match(usageRegex);
-        return { identifier: id, used: matches !== null && matches.length > 0 };
-    });
-}
-/**
- * VC-HALL-001: Unused Security Imports
- *
- * Detects when security libraries are imported but not used
- */
-export async function scanUnusedSecurityImports(context) {
-    const { repoRoot, fileIndex } = context;
-    const findings = [];
-    const libNames = SECURITY_LIBS.map((l) => l.name);
-    for (const relFile of fileIndex.allSourceFiles) {
-        const absPath = resolvePath(repoRoot, relFile);
-        const content = readFileSync(absPath);
-        if (!content)
-            continue;
-        const imports = findSecurityImports(content, libNames);
-        for (const imp of imports) {
-            const libInfo = SECURITY_LIBS.find((l) => l.name === imp.library);
-            if (!libInfo)
-                continue;
-            const usageResults = checkIdentifierUsage(content, imp.line, imp.importedNames, imp.isNamespaceImport);
-            const unusedIdentifiers = usageResults
-                .filter((r) => !r.used)
-                .map((r) => r.identifier);
-            if (unusedIdentifiers.length === 0)
-                continue;
-            // All imported identifiers are unused
-            const allUnused = unusedIdentifiers.length === imp.importedNames.length;
-            const evidence = [
-                {
-                    file: relFile,
-                    startLine: imp.line,
-                    endLine: imp.line,
-                    snippet: imp.snippet,
-                    label: allUnused
-                        ? `Unused import of ${imp.library}`
-                        : `Partially unused import: ${unusedIdentifiers.join(", ")}`,
-                },
-            ];
-            const fingerprint = generateFingerprint({
-                ruleId: RULE_ID,
-                file: relFile,
-                symbol: imp.library,
-                startLine: imp.line,
-            });
-            findings.push({
-                id: generateFindingId({
-                    ruleId: RULE_ID,
-                    file: relFile,
-                    symbol: imp.library,
-                    startLine: imp.line,
-                }),
-                severity: libInfo.severity,
-                confidence: allUnused ? 0.9 : 0.75,
-                category: libInfo.category,
-                ruleId: RULE_ID,
-                title: allUnused
-                    ? `Imported ${libInfo.description.toLowerCase()} "${imp.library}" is not used`
-                    : `Partially unused import from "${imp.library}"`,
-                description: allUnused
-                    ? `The security library "${imp.library}" is imported but none of its exports are used. This may indicate incomplete implementation of ${libInfo.category} functionality.`
-                    : `Some exports from "${imp.library}" (${unusedIdentifiers.join(", ")}) are imported but not used. This may indicate incomplete implementation.`,
-                evidence,
-                remediation: {
-                    recommendedFix: allUnused
-                        ? `Either implement ${libInfo.category} using "${imp.library}" or remove the unused import.`
-                        : `Remove unused imports (${unusedIdentifiers.join(", ")}) or implement their usage.`,
-                },
-                fingerprint,
-            });
-        }
-    }
-    return findings;
-}
-/**
- * VC-HALL-002: next-auth present but not enforced
- *
- * Detects when next-auth is installed but there's no middleware
- * or server-side auth enforcement in route handlers
- */
-export async function scanNextAuthNotEnforced(context) {
-    const { repoRoot, fileIndex, repoMeta, helpers } = context;
-    const findings = [];
-    // Only check if next-auth is present
-    if (!repoMeta.hasNextAuth) {
-        return findings;
-    }
-    // Check if middleware exists and uses next-auth
-    if (fileIndex.middlewareFile) {
-        const content = readFileSync(resolvePath(repoRoot, fileIndex.middlewareFile));
-        if (content && /next-auth|withAuth|getToken/.test(content)) {
-            return findings; // Middleware seems to enforce auth
-        }
-    }
-    // Check API routes for auth enforcement
-    let routesWithoutAuth = 0;
-    let totalRoutes = 0;
-    for (const relPath of fileIndex.apiRouteFiles) {
-        const absPath = resolvePath(repoRoot, relPath);
-        const sourceFile = helpers.parseFile(absPath);
-        if (!sourceFile)
-            continue;
-        const handlers = helpers.findRouteHandlers(sourceFile);
-        for (const handler of handlers) {
-            totalRoutes++;
-            if (!helpers.containsAuthCheck(handler.functionNode)) {
-                routesWithoutAuth++;
-            }
-        }
-    }
-    // If most routes lack auth checks, emit finding
-    if (totalRoutes > 0 && routesWithoutAuth / totalRoutes > 0.5) {
-        const evidence = [
-            {
-                file: "package.json",
-                startLine: 1,
-                endLine: 1,
-                label: "next-auth is installed",
-            },
-        ];
-        if (!fileIndex.middlewareFile) {
-            evidence.push({
-                file: "middleware.ts",
-                startLine: 1,
-                endLine: 1,
-                label: "No middleware file exists",
-            });
-        }
-        const fingerprint = generateFingerprint({
-            ruleId: RULE_ID_002,
-            file: "package.json",
-            symbol: "next-auth",
-        });
-        findings.push({
-            id: generateFindingId({
-                ruleId: RULE_ID_002,
-                file: "package.json",
-                symbol: "next-auth",
-            }),
-            ruleId: RULE_ID_002,
-            title: "next-auth installed but not enforced in most routes",
-            description: `next-auth is installed but ${routesWithoutAuth} of ${totalRoutes} API route handlers (${Math.round(routesWithoutAuth / totalRoutes * 100)}%) lack authentication checks. This may indicate incomplete auth implementation.`,
-            severity: "medium",
-            confidence: 0.75,
-            category: "auth",
-            evidence,
-            remediation: {
-                recommendedFix: "Add authentication middleware or explicit auth checks to API routes. See https://next-auth.js.org/configuration/nextjs",
-                patch: `// middleware.ts
-import { withAuth } from "next-auth/middleware";
-
-export default withAuth({
-  callbacks: {
-    authorized: ({ token }) => !!token,
-  },
-});
-
-export const config = {
-  matcher: ["/api/:path*"],
-};`,
-            },
-            links: {
-                owasp: "https://owasp.org/Top10/A01_2021-Broken_Access_Control/",
-            },
-            fingerprint,
-        });
-    }
-    return findings;
-}

package/dist/scanners/helpers/ast-helpers.d.ts

@@ -1,6 +0,0 @@
-import type { AstHelpers, FileProgressCallback } from "../types.js";
-/**
- * Create AST helpers with a ts-morph project
- */
-export declare function createAstHelpers(repoRoot: string, totalFiles?: number, onFileProgress?: FileProgressCallback): AstHelpers;
-//# sourceMappingURL=ast-helpers.d.ts.map

package/dist/scanners/helpers/ast-helpers.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"ast-helpers.d.ts","sourceRoot":"","sources":["../../../src/scanners/helpers/ast-helpers.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,UAAU,EAiBV,oBAAoB,EACrB,MAAM,aAAa,CAAC;AAgDrB;;GAEG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,MAAM,EAChB,UAAU,CAAC,EAAE,MAAM,EACnB,cAAc,CAAC,EAAE,oBAAoB,GACpC,UAAU,CA4hCZ"}