@raghulm/aegis-mcp 1.0.5 → 1.0.7

package/tools/network/port_scanner.py

@@ -1,66 +1,66 @@
-from __future__ import annotations
-
-import socket
-from typing import Any
-
-_COMMON_PORTS: dict[int, str] = {
-    21: "FTP",
-    22: "SSH",
-    23: "Telnet",
-    25: "SMTP",
-    53: "DNS",
-    80: "HTTP",
-    110: "POP3",
-    143: "IMAP",
-    443: "HTTPS",
-    445: "SMB",
-    993: "IMAPS",
-    995: "POP3S",
-    3306: "MySQL",
-    3389: "RDP",
-    5432: "PostgreSQL",
-    6379: "Redis",
-    8080: "HTTP-Alt",
-    8443: "HTTPS-Alt",
-    27017: "MongoDB",
-}
-
-
-def port_scan(host: str, ports: str = "") -> list[dict[str, Any]]:
-    """Perform a basic TCP connect scan on a host.
-
-    Args:
-        host: Target hostname or IP address.
-        ports: Comma-separated port numbers. If empty, scans common service ports.
-
-    Returns:
-        List of port results with port number, status, and service name.
-    """
-    try:
-        resolved_ip = socket.gethostbyname(host)
-    except socket.gaierror as exc:
-        raise RuntimeError(f"Cannot resolve hostname '{host}': {exc}") from exc
-
-    if ports:
-        try:
-            port_list = [int(p.strip()) for p in ports.split(",") if p.strip()]
-        except ValueError as exc:
-            raise RuntimeError(f"Invalid port specification: {exc}") from exc
-    else:
-        port_list = list(_COMMON_PORTS.keys())
-
-    results: list[dict[str, Any]] = []
-    for port in sorted(port_list):
-        try:
-            with socket.create_connection((host, port), timeout=2):
-                status = "open"
-        except (socket.timeout, ConnectionRefusedError, OSError):
-            status = "closed"
-
-        results.append({
-            "port": port,
-            "status": status,
-            "service": _COMMON_PORTS.get(port, "unknown"),
-        })
-
-    return results
+from __future__ import annotations
+
+import socket
+from typing import Any
+
+_COMMON_PORTS: dict[int, str] = {
+    21: "FTP",
+    22: "SSH",
+    23: "Telnet",
+    25: "SMTP",
+    53: "DNS",
+    80: "HTTP",
+    110: "POP3",
+    143: "IMAP",
+    443: "HTTPS",
+    445: "SMB",
+    993: "IMAPS",
+    995: "POP3S",
+    3306: "MySQL",
+    3389: "RDP",
+    5432: "PostgreSQL",
+    6379: "Redis",
+    8080: "HTTP-Alt",
+    8443: "HTTPS-Alt",
+    27017: "MongoDB",
+}
+
+
+def port_scan(host: str, ports: str = "") -> list[dict[str, Any]]:
+    """Perform a basic TCP connect scan on a host.
+
+    Args:
+        host: Target hostname or IP address.
+        ports: Comma-separated port numbers. If empty, scans common service ports.
+
+    Returns:
+        List of port results with port number, status, and service name.
+    """
+    try:
+        resolved_ip = socket.gethostbyname(host)
+    except socket.gaierror as exc:
+        raise RuntimeError(f"Cannot resolve hostname '{host}': {exc}") from exc
+
+    if ports:
+        try:
+            port_list = [int(p.strip()) for p in ports.split(",") if p.strip()]
+        except ValueError as exc:
+            raise RuntimeError(f"Invalid port specification: {exc}") from exc
+    else:
+        port_list = list(_COMMON_PORTS.keys())
+
+    results: list[dict[str, Any]] = []
+    for port in sorted(port_list):
+        try:
+            with socket.create_connection((host, port), timeout=2):
+                status = "open"
+        except (socket.timeout, ConnectionRefusedError, OSError):
+            status = "closed"
+
+        results.append({
+            "port": port,
+            "status": status,
+            "service": _COMMON_PORTS.get(port, "unknown"),
+        })
+
+    return results

package/tools/network/ssl_checker.py

@@ -1,65 +1,65 @@
-from __future__ import annotations
-
-import socket
-import ssl
-from datetime import datetime, timezone
-from typing import Any
-
-
-def check_ssl_certificate(hostname: str, port: int = 443) -> dict[str, Any]:
-    """Check the SSL/TLS certificate for a given hostname.
-
-    Args:
-        hostname: Domain name to check.
-        port: TCP port (default 443).
-
-    Returns:
-        Certificate details including subject, issuer, validity, and expiry info.
-    """
-    context = ssl.create_default_context()
-    try:
-        with socket.create_connection((hostname, port), timeout=10) as sock:
-            with context.wrap_socket(sock, server_hostname=hostname) as ssock:
-                cert = ssock.getpeercert()
-    except socket.gaierror as exc:
-        raise RuntimeError(f"DNS resolution failed for '{hostname}': {exc}") from exc
-    except socket.timeout as exc:
-        raise RuntimeError(f"Connection to '{hostname}:{port}' timed out") from exc
-    except ssl.SSLError as exc:
-        raise RuntimeError(f"SSL error for '{hostname}:{port}': {exc}") from exc
-    except OSError as exc:
-        raise RuntimeError(f"Connection failed to '{hostname}:{port}': {exc}") from exc
-
-    if not cert:
-        raise RuntimeError(f"No certificate returned by '{hostname}:{port}'")
-
-    def _format_name(name_tuples: tuple) -> str:
-        parts = []
-        for attr_group in name_tuples:
-            for key, value in attr_group:
-                parts.append(f"{key}={value}")
-        return ", ".join(parts)
-
-    not_before = datetime.strptime(cert["notBefore"], "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
-    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
-    now = datetime.now(tz=timezone.utc)
-    days_until_expiry = (not_after - now).days
-
-    san_entries = []
-    for san_type, san_value in cert.get("subjectAltName", ()):
-        san_entries.append(f"{san_type}:{san_value}")
-
-    return {
-        "hostname": hostname,
-        "port": port,
-        "subject": _format_name(cert.get("subject", ())),
-        "issuer": _format_name(cert.get("issuer", ())),
-        "serial_number": cert.get("serialNumber", ""),
-        "version": cert.get("version", ""),
-        "not_before": not_before.isoformat(),
-        "not_after": not_after.isoformat(),
-        "days_until_expiry": days_until_expiry,
-        "expired": days_until_expiry < 0,
-        "subject_alt_names": san_entries,
-        "protocol": "TLSv1.2+",
-    }
+from __future__ import annotations
+
+import socket
+import ssl
+from datetime import datetime, timezone
+from typing import Any
+
+
+def check_ssl_certificate(hostname: str, port: int = 443) -> dict[str, Any]:
+    """Check the SSL/TLS certificate for a given hostname.
+
+    Args:
+        hostname: Domain name to check.
+        port: TCP port (default 443).
+
+    Returns:
+        Certificate details including subject, issuer, validity, and expiry info.
+    """
+    context = ssl.create_default_context()
+    try:
+        with socket.create_connection((hostname, port), timeout=10) as sock:
+            with context.wrap_socket(sock, server_hostname=hostname) as ssock:
+                cert = ssock.getpeercert()
+    except socket.gaierror as exc:
+        raise RuntimeError(f"DNS resolution failed for '{hostname}': {exc}") from exc
+    except socket.timeout as exc:
+        raise RuntimeError(f"Connection to '{hostname}:{port}' timed out") from exc
+    except ssl.SSLError as exc:
+        raise RuntimeError(f"SSL error for '{hostname}:{port}': {exc}") from exc
+    except OSError as exc:
+        raise RuntimeError(f"Connection failed to '{hostname}:{port}': {exc}") from exc
+
+    if not cert:
+        raise RuntimeError(f"No certificate returned by '{hostname}:{port}'")
+
+    def _format_name(name_tuples: tuple) -> str:
+        parts = []
+        for attr_group in name_tuples:
+            for key, value in attr_group:
+                parts.append(f"{key}={value}")
+        return ", ".join(parts)
+
+    not_before = datetime.strptime(cert["notBefore"], "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
+    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
+    now = datetime.now(tz=timezone.utc)
+    days_until_expiry = (not_after - now).days
+
+    san_entries = []
+    for san_type, san_value in cert.get("subjectAltName", ()):
+        san_entries.append(f"{san_type}:{san_value}")
+
+    return {
+        "hostname": hostname,
+        "port": port,
+        "subject": _format_name(cert.get("subject", ())),
+        "issuer": _format_name(cert.get("issuer", ())),
+        "serial_number": cert.get("serialNumber", ""),
+        "version": cert.get("version", ""),
+        "not_before": not_before.isoformat(),
+        "not_after": not_after.isoformat(),
+        "days_until_expiry": days_until_expiry,
+        "expired": days_until_expiry < 0,
+        "subject_alt_names": san_entries,
+        "protocol": "TLSv1.2+",
+    }

package/tools/security/deps.py

@@ -1,103 +1,103 @@
-from __future__ import annotations
-
-import json
-import os
-import re
-from typing import Any
-
-import requests
-
-
-def _parse_requirements_txt(file_path: str) -> list[dict[str, str]]:
-    packages: list[dict[str, str]] = []
-    with open(file_path, "r", encoding="utf-8") as fh:
-        for line in fh:
-            line = line.strip()
-            if not line or line.startswith("#") or line.startswith("-"):
-                continue
-            match = re.match(r"^([A-Za-z0-9_\-\.]+)\s*(?:[=<>!~]+\s*(.+))?", line)
-            if match:
-                name = match.group(1)
-                version = match.group(2).strip() if match.group(2) else ""
-                packages.append({"name": name, "version": version})
-    return packages
-
-
-def _parse_package_json(file_path: str) -> list[dict[str, str]]:
-    with open(file_path, "r", encoding="utf-8") as fh:
-        data = json.load(fh)
-    packages: list[dict[str, str]] = []
-    for dep_key in ("dependencies", "devDependencies"):
-        for name, version in data.get(dep_key, {}).items():
-            clean_version = re.sub(r"^[\^~>=<]", "", version)
-            packages.append({"name": name, "version": clean_version})
-    return packages
-
-
-def _query_osv(ecosystem: str, package_name: str, version: str) -> list[dict[str, Any]]:
-    """Query the OSV.dev API for known vulnerabilities."""
-    payload: dict[str, Any] = {
-        "package": {"name": package_name, "ecosystem": ecosystem},
-    }
-    if version:
-        payload["version"] = version
-
-    try:
-        resp = requests.post(
-            "https://api.osv.dev/v1/query",
-            json=payload,
-            timeout=10,
-        )
-        resp.raise_for_status()
-    except requests.RequestException:
-        return []
-
-    vulns = resp.json().get("vulns", [])
-    results: list[dict[str, Any]] = []
-    for vuln in vulns:
-        aliases = vuln.get("aliases", [])
-        cve = next((a for a in aliases if a.startswith("CVE-")), aliases[0] if aliases else vuln.get("id", ""))
-        severity_list = vuln.get("severity", [])
-        severity = severity_list[0].get("score", "unknown") if severity_list else "unknown"
-        results.append({
-            "id": vuln.get("id", ""),
-            "cve": cve,
-            "summary": vuln.get("summary", "No summary available"),
-            "severity": severity,
-        })
-    return results
-
-
-def check_dependencies(file_path: str) -> list[dict[str, Any]]:
-    """Scan a dependency file for known vulnerabilities via OSV.dev.
-
-    Args:
-        file_path: Path to requirements.txt or package.json.
-
-    Returns:
-        List of packages with their vulnerability status.
-    """
-    if not os.path.exists(file_path):
-        raise RuntimeError(f"File does not exist: {file_path}")
-
-    basename = os.path.basename(file_path).lower()
-    if basename == "requirements.txt":
-        packages = _parse_requirements_txt(file_path)
-        ecosystem = "PyPI"
-    elif basename == "package.json":
-        packages = _parse_package_json(file_path)
-        ecosystem = "npm"
-    else:
-        raise RuntimeError(f"Unsupported dependency file: {basename}. Use requirements.txt or package.json.")
-
-    results: list[dict[str, Any]] = []
-    for pkg in packages:
-        vulns = _query_osv(ecosystem, pkg["name"], pkg["version"])
-        results.append({
-            "package": pkg["name"],
-            "version": pkg["version"] or "unspecified",
-            "vulnerabilities_found": len(vulns),
-            "vulnerabilities": vulns,
-        })
-
-    return results
+from __future__ import annotations
+
+import json
+import os
+import re
+from typing import Any
+
+import requests
+
+
+def _parse_requirements_txt(file_path: str) -> list[dict[str, str]]:
+    packages: list[dict[str, str]] = []
+    with open(file_path, "r", encoding="utf-8") as fh:
+        for line in fh:
+            line = line.strip()
+            if not line or line.startswith("#") or line.startswith("-"):
+                continue
+            match = re.match(r"^([A-Za-z0-9_\-\.]+)\s*(?:[=<>!~]+\s*(.+))?", line)
+            if match:
+                name = match.group(1)
+                version = match.group(2).strip() if match.group(2) else ""
+                packages.append({"name": name, "version": version})
+    return packages
+
+
+def _parse_package_json(file_path: str) -> list[dict[str, str]]:
+    with open(file_path, "r", encoding="utf-8") as fh:
+        data = json.load(fh)
+    packages: list[dict[str, str]] = []
+    for dep_key in ("dependencies", "devDependencies"):
+        for name, version in data.get(dep_key, {}).items():
+            clean_version = re.sub(r"^[\^~>=<]", "", version)
+            packages.append({"name": name, "version": clean_version})
+    return packages
+
+
+def _query_osv(ecosystem: str, package_name: str, version: str) -> list[dict[str, Any]]:
+    """Query the OSV.dev API for known vulnerabilities."""
+    payload: dict[str, Any] = {
+        "package": {"name": package_name, "ecosystem": ecosystem},
+    }
+    if version:
+        payload["version"] = version
+
+    try:
+        resp = requests.post(
+            "https://api.osv.dev/v1/query",
+            json=payload,
+            timeout=10,
+        )
+        resp.raise_for_status()
+    except requests.RequestException:
+        return []
+
+    vulns = resp.json().get("vulns", [])
+    results: list[dict[str, Any]] = []
+    for vuln in vulns:
+        aliases = vuln.get("aliases", [])
+        cve = next((a for a in aliases if a.startswith("CVE-")), aliases[0] if aliases else vuln.get("id", ""))
+        severity_list = vuln.get("severity", [])
+        severity = severity_list[0].get("score", "unknown") if severity_list else "unknown"
+        results.append({
+            "id": vuln.get("id", ""),
+            "cve": cve,
+            "summary": vuln.get("summary", "No summary available"),
+            "severity": severity,
+        })
+    return results
+
+
+def check_dependencies(file_path: str) -> list[dict[str, Any]]:
+    """Scan a dependency file for known vulnerabilities via OSV.dev.
+
+    Args:
+        file_path: Path to requirements.txt or package.json.
+
+    Returns:
+        List of packages with their vulnerability status.
+    """
+    if not os.path.exists(file_path):
+        raise RuntimeError(f"File does not exist: {file_path}")
+
+    basename = os.path.basename(file_path).lower()
+    if basename == "requirements.txt":
+        packages = _parse_requirements_txt(file_path)
+        ecosystem = "PyPI"
+    elif basename == "package.json":
+        packages = _parse_package_json(file_path)
+        ecosystem = "npm"
+    else:
+        raise RuntimeError(f"Unsupported dependency file: {basename}. Use requirements.txt or package.json.")
+
+    results: list[dict[str, Any]] = []
+    for pkg in packages:
+        vulns = _query_osv(ecosystem, pkg["name"], pkg["version"])
+        results.append({
+            "package": pkg["name"],
+            "version": pkg["version"] or "unspecified",
+            "vulnerabilities_found": len(vulns),
+            "vulnerabilities": vulns,
+        })
+
+    return results

package/tools/security/secrets.py

@@ -1,91 +1,91 @@
-from __future__ import annotations
-
-import os
-import re
-from typing import Any
-
-# Common secret patterns with descriptive names
-_PATTERNS: list[tuple[str, re.Pattern[str]]] = [
-    ("AWS Access Key", re.compile(r"(?:^|[^A-Z0-9])(?:AKIA[0-9A-Z]{16})(?:[^A-Z0-9]|$)")),
-    ("AWS Secret Key", re.compile(
-        r"""(?:aws_secret_access_key|secret_access_key|aws_secret)\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})['"]?""",
-        re.IGNORECASE,
-    )),
-    ("Generic API Key", re.compile(
-        r"""(?:api[_-]?key|apikey|api[_-]?secret)\s*[=:]\s*['"]?([A-Za-z0-9_\-]{20,60})['"]?""",
-        re.IGNORECASE,
-    )),
-    ("Generic Token", re.compile(
-        r"""(?:token|auth[_-]?token|access[_-]?token|bearer)\s*[=:]\s*['"]?([A-Za-z0-9_\-\.]{20,200})['"]?""",
-        re.IGNORECASE,
-    )),
-    ("Generic Password", re.compile(
-        r"""(?:password|passwd|pwd|secret)\s*[=:]\s*['"]?([^\s'"]{8,})['"]?""",
-        re.IGNORECASE,
-    )),
-    ("Private Key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
-    ("GitHub Token", re.compile(r"(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}")),
-    ("Slack Token", re.compile(r"xox[bporas]-[A-Za-z0-9\-]{10,}")),
-    ("Stripe Key", re.compile(r"(?:sk|pk)_(?:test|live)_[A-Za-z0-9]{20,}")),
-    ("SendGrid Key", re.compile(r"SG\.[A-Za-z0-9_\-]{22,}\.[A-Za-z0-9_\-]{43,}")),
-]
-
-_SKIP_DIRS = {".git", "__pycache__", "node_modules", ".venv", "venv", ".env", ".tox", "dist", "build"}
-_SKIP_EXTENSIONS = {".pyc", ".pyo", ".so", ".dll", ".exe", ".bin", ".jpg", ".png", ".gif", ".ico", ".woff", ".ttf"}
-_MAX_FILE_SIZE = 1_048_576  # 1 MB
-
-
-def _redact(match_text: str, keep: int = 6) -> str:
-    if len(match_text) <= keep:
-        return "***REDACTED***"
-    return match_text[:keep] + "***REDACTED***"
-
-
-def _scan_file(file_path: str) -> list[dict[str, Any]]:
-    findings: list[dict[str, Any]] = []
-    try:
-        if os.path.getsize(file_path) > _MAX_FILE_SIZE:
-            return findings
-        with open(file_path, "r", encoding="utf-8", errors="ignore") as fh:
-            for line_no, line in enumerate(fh, start=1):
-                for pattern_name, pattern in _PATTERNS:
-                    match = pattern.search(line)
-                    if match:
-                        matched_text = match.group(0).strip()
-                        findings.append({
-                            "file": file_path,
-                            "line": line_no,
-                            "pattern": pattern_name,
-                            "match": _redact(matched_text),
-                        })
-    except (OSError, UnicodeDecodeError):
-        pass
-    return findings
-
-
-def scan_secrets(path: str) -> list[dict[str, Any]]:
-    """Scan a file or directory for exposed secrets using regex patterns.
-
-    Args:
-        path: Path to a file or directory to scan.
-
-    Returns:
-        List of findings, each with file, line, pattern name, and redacted match.
-    """
-    if not os.path.exists(path):
-        raise RuntimeError(f"Path does not exist: {path}")
-
-    findings: list[dict[str, Any]] = []
-    if os.path.isfile(path):
-        return _scan_file(path)
-
-    for root, dirs, files in os.walk(path):
-        dirs[:] = [d for d in dirs if d not in _SKIP_DIRS]
-        for fname in files:
-            ext = os.path.splitext(fname)[1].lower()
-            if ext in _SKIP_EXTENSIONS:
-                continue
-            full_path = os.path.join(root, fname)
-            findings.extend(_scan_file(full_path))
-
-    return findings
+from __future__ import annotations
+
+import os
+import re
+from typing import Any
+
+# Common secret patterns with descriptive names
+_PATTERNS: list[tuple[str, re.Pattern[str]]] = [
+    ("AWS Access Key", re.compile(r"(?:^|[^A-Z0-9])(?:AKIA[0-9A-Z]{16})(?:[^A-Z0-9]|$)")),
+    ("AWS Secret Key", re.compile(
+        r"""(?:aws_secret_access_key|secret_access_key|aws_secret)\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})['"]?""",
+        re.IGNORECASE,
+    )),
+    ("Generic API Key", re.compile(
+        r"""(?:api[_-]?key|apikey|api[_-]?secret)\s*[=:]\s*['"]?([A-Za-z0-9_\-]{20,60})['"]?""",
+        re.IGNORECASE,
+    )),
+    ("Generic Token", re.compile(
+        r"""(?:token|auth[_-]?token|access[_-]?token|bearer)\s*[=:]\s*['"]?([A-Za-z0-9_\-\.]{20,200})['"]?""",
+        re.IGNORECASE,
+    )),
+    ("Generic Password", re.compile(
+        r"""(?:password|passwd|pwd|secret)\s*[=:]\s*['"]?([^\s'"]{8,})['"]?""",
+        re.IGNORECASE,
+    )),
+    ("Private Key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
+    ("GitHub Token", re.compile(r"(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}")),
+    ("Slack Token", re.compile(r"xox[bporas]-[A-Za-z0-9\-]{10,}")),
+    ("Stripe Key", re.compile(r"(?:sk|pk)_(?:test|live)_[A-Za-z0-9]{20,}")),
+    ("SendGrid Key", re.compile(r"SG\.[A-Za-z0-9_\-]{22,}\.[A-Za-z0-9_\-]{43,}")),
+]
+
+_SKIP_DIRS = {".git", "__pycache__", "node_modules", ".venv", "venv", ".env", ".tox", "dist", "build"}
+_SKIP_EXTENSIONS = {".pyc", ".pyo", ".so", ".dll", ".exe", ".bin", ".jpg", ".png", ".gif", ".ico", ".woff", ".ttf"}
+_MAX_FILE_SIZE = 1_048_576  # 1 MB
+
+
+def _redact(match_text: str, keep: int = 6) -> str:
+    if len(match_text) <= keep:
+        return "***REDACTED***"
+    return match_text[:keep] + "***REDACTED***"
+
+
+def _scan_file(file_path: str) -> list[dict[str, Any]]:
+    findings: list[dict[str, Any]] = []
+    try:
+        if os.path.getsize(file_path) > _MAX_FILE_SIZE:
+            return findings
+        with open(file_path, "r", encoding="utf-8", errors="ignore") as fh:
+            for line_no, line in enumerate(fh, start=1):
+                for pattern_name, pattern in _PATTERNS:
+                    match = pattern.search(line)
+                    if match:
+                        matched_text = match.group(0).strip()
+                        findings.append({
+                            "file": file_path,
+                            "line": line_no,
+                            "pattern": pattern_name,
+                            "match": _redact(matched_text),
+                        })
+    except (OSError, UnicodeDecodeError):
+        pass
+    return findings
+
+
+def scan_secrets(path: str) -> list[dict[str, Any]]:
+    """Scan a file or directory for exposed secrets using regex patterns.
+
+    Args:
+        path: Path to a file or directory to scan.
+
+    Returns:
+        List of findings, each with file, line, pattern name, and redacted match.
+    """
+    if not os.path.exists(path):
+        raise RuntimeError(f"Path does not exist: {path}")
+
+    findings: list[dict[str, Any]] = []
+    if os.path.isfile(path):
+        return _scan_file(path)
+
+    for root, dirs, files in os.walk(path):
+        dirs[:] = [d for d in dirs if d not in _SKIP_DIRS]
+        for fname in files:
+            ext = os.path.splitext(fname)[1].lower()
+            if ext in _SKIP_EXTENSIONS:
+                continue
+            full_path = os.path.join(root, fname)
+            findings.extend(_scan_file(full_path))
+
+    return findings