@reliabilityworks/core 0.1.0

package/src/frameworks.ts

@@ -0,0 +1,202 @@
+import { readFile, stat } from 'node:fs/promises'
+import type { Stats } from 'node:fs'
+import path from 'node:path'
+
+import fg from 'fast-glob'
+
+import type { FrameworkDetection, FrameworkId } from './types'
+
+type PackageJson = {
+  dependencies?: Record<string, string>
+  devDependencies?: Record<string, string>
+}
+
+const WORKSPACE_IGNORES = [
+  '**/.git/**',
+  '**/node_modules/**',
+  '**/dist/**',
+  '**/build/**',
+  '**/coverage/**',
+  '**/.next/**',
+  '**/.turbo/**',
+  '**/.cache/**',
+  '**/.yarn/**',
+  '**/.pnpm/**',
+]
+
+async function pathStat(p: string): Promise<Stats | null> {
+  try {
+    return await stat(p)
+  } catch {
+    return null
+  }
+}
+
+async function hasFile(rootDir: string, relativePath: string): Promise<boolean> {
+  const fileStat = await pathStat(path.join(rootDir, relativePath))
+  return fileStat?.isFile() ?? false
+}
+
+async function hasDir(rootDir: string, relativePath: string): Promise<boolean> {
+  const dirStat = await pathStat(path.join(rootDir, relativePath))
+  return dirStat?.isDirectory() ?? false
+}
+
+async function readPackageJson(rootDir: string): Promise<PackageJson | null> {
+  const packageJsonPath = path.join(rootDir, 'package.json')
+  const fileStat = await pathStat(packageJsonPath)
+  if (!fileStat?.isFile()) return null
+
+  try {
+    const raw = await readFile(packageJsonPath, 'utf8')
+    return JSON.parse(raw) as PackageJson
+  } catch {
+    return null
+  }
+}
+
+function packageHasDep(pkg: PackageJson | null, name: string): boolean {
+  if (!pkg) return false
+  return Boolean(pkg.dependencies?.[name] ?? pkg.devDependencies?.[name])
+}
+
+function pushIf(value: string, condition: boolean, into: string[]) {
+  if (condition) into.push(value)
+}
+
+function confidenceFromEvidenceCount(count: number): FrameworkDetection['confidence'] {
+  if (count >= 3) return 'high'
+  if (count >= 2) return 'medium'
+  return 'low'
+}
+
+function makeDetection(id: FrameworkId, evidence: string[]): FrameworkDetection {
+  return {
+    id,
+    confidence: confidenceFromEvidenceCount(evidence.length),
+    evidence,
+  }
+}
+
+function sortFrameworks(frameworks: FrameworkDetection[]): void {
+  frameworks.sort((a, b) => {
+    const score = (d: FrameworkDetection) =>
+      d.confidence === 'high' ? 3 : d.confidence === 'medium' ? 2 : 1
+    return score(b) - score(a)
+  })
+}
+
+export async function detectFrameworks(rootDir: string): Promise<FrameworkDetection[]> {
+  const pkg = await readPackageJson(rootDir)
+
+  const hasNextDep = packageHasDep(pkg, 'next')
+  const hasNextEnv = await hasFile(rootDir, 'next-env.d.ts')
+
+  const nextEvidence: string[] = []
+  pushIf('dependency: next', hasNextDep, nextEvidence)
+  pushIf('file: next-env.d.ts', hasNextEnv, nextEvidence)
+  pushIf('dir: app/', await hasDir(rootDir, 'app'), nextEvidence)
+  pushIf('dir: pages/', await hasDir(rootDir, 'pages'), nextEvidence)
+
+  const nextConfigFiles = ['next.config.js', 'next.config.mjs', 'next.config.cjs', 'next.config.ts']
+  for (const f of nextConfigFiles) {
+    pushIf(`file: ${f}`, await hasFile(rootDir, f), nextEvidence)
+  }
+
+  const hasReactNativeDep = packageHasDep(pkg, 'react-native')
+
+  const rnEvidence: string[] = []
+  pushIf('dependency: react-native', hasReactNativeDep, rnEvidence)
+  pushIf('dir: ios/', await hasDir(rootDir, 'ios'), rnEvidence)
+  pushIf('dir: android/', await hasDir(rootDir, 'android'), rnEvidence)
+  pushIf('file: metro.config.js', await hasFile(rootDir, 'metro.config.js'), rnEvidence)
+
+  const expoEvidence: string[] = []
+  pushIf('dependency: expo', packageHasDep(pkg, 'expo'), expoEvidence)
+  pushIf('file: app.json', await hasFile(rootDir, 'app.json'), expoEvidence)
+  pushIf('file: app.config.js', await hasFile(rootDir, 'app.config.js'), expoEvidence)
+  pushIf('file: app.config.ts', await hasFile(rootDir, 'app.config.ts'), expoEvidence)
+  pushIf('file: eas.json', await hasFile(rootDir, 'eas.json'), expoEvidence)
+
+  const expressEvidence: string[] = []
+  pushIf('dependency: express', packageHasDep(pkg, 'express'), expressEvidence)
+
+  const hasSvelteKitDep = packageHasDep(pkg, '@sveltejs/kit')
+
+  const kitEvidence: string[] = []
+  pushIf('dependency: @sveltejs/kit', hasSvelteKitDep, kitEvidence)
+  pushIf('file: svelte.config.js', await hasFile(rootDir, 'svelte.config.js'), kitEvidence)
+  pushIf('file: svelte.config.ts', await hasFile(rootDir, 'svelte.config.ts'), kitEvidence)
+  pushIf('dir: src/routes/', await hasDir(rootDir, path.join('src', 'routes')), kitEvidence)
+
+  const frameworks: FrameworkDetection[] = []
+
+  if (hasNextDep || hasNextEnv) frameworks.push(makeDetection('nextjs', nextEvidence))
+
+  if (hasReactNativeDep) {
+    const combined = Array.from(new Set([...rnEvidence, ...expoEvidence]))
+    frameworks.push(makeDetection('react-native', combined))
+  }
+
+  if (expoEvidence.length > 0) frameworks.push(makeDetection('expo', expoEvidence))
+
+  if (expressEvidence.length > 0) frameworks.push(makeDetection('express', expressEvidence))
+
+  if (hasSvelteKitDep) frameworks.push(makeDetection('sveltekit', kitEvidence))
+
+  sortFrameworks(frameworks)
+
+  return frameworks
+}
+
+export async function listWorkspaceProjectRoots(rootDir: string): Promise<string[]> {
+  const packageJsonPaths = await fg('**/package.json', {
+    cwd: rootDir,
+    dot: true,
+    onlyFiles: true,
+    followSymbolicLinks: false,
+    ignore: WORKSPACE_IGNORES,
+  })
+
+  const resolvedRoot = path.resolve(rootDir)
+
+  const roots = Array.from(
+    new Set(packageJsonPaths.map((relativePath) => path.join(rootDir, path.dirname(relativePath)))),
+  )
+    .map((p) => path.resolve(p))
+    .filter((p) => p !== resolvedRoot)
+
+  roots.sort()
+
+  return roots
+}
+
+export async function detectFrameworksInWorkspace(rootDir: string): Promise<FrameworkDetection[]> {
+  const roots = await listWorkspaceProjectRoots(rootDir)
+
+  const byFramework = new Map<FrameworkId, Set<string>>()
+
+  for (const projectRoot of roots) {
+    const detections = await detectFrameworks(projectRoot)
+    if (detections.length === 0) continue
+
+    const relativeRoot = path.relative(rootDir, projectRoot) || '.'
+    for (const detection of detections) {
+      const existing = byFramework.get(detection.id) ?? new Set<string>()
+      for (const evidence of detection.evidence) {
+        existing.add(`${relativeRoot}: ${evidence}`)
+      }
+      byFramework.set(detection.id, existing)
+    }
+  }
+
+  const frameworks: FrameworkDetection[] = []
+
+  for (const [id, evidenceSet] of byFramework.entries()) {
+    frameworks.push(makeDetection(id, Array.from(evidenceSet)))
+  }
+
+  sortFrameworks(frameworks)
+
+  return frameworks
+}

package/src/index.ts

@@ -0,0 +1,5 @@
+export * from './frameworks'
+export * from './reporters/html'
+export * from './reporters/sarif'
+export * from './scan'
+export * from './types'

package/src/picomatch.d.ts

@@ -0,0 +1,10 @@
+declare module 'picomatch' {
+  export type PicomatchOptions = {
+    dot?: boolean
+  }
+
+  export default function picomatch(
+    patterns: string | string[],
+    options?: PicomatchOptions,
+  ): (path: string) => boolean
+}

package/src/reporters/html.ts

@@ -0,0 +1,65 @@
+import type { ScanResult } from '../types'
+
+function escapeHtml(input: string): string {
+  return input
+    .replaceAll('&', '&')
+    .replaceAll('<', '&lt;')
+    .replaceAll('>', '&gt;')
+    .replaceAll('"', '&quot;')
+    .replaceAll("'", '&#39;')
+}
+
+export function toHtml(result: ScanResult): string {
+  const frameworks = result.frameworks.map((f) => escapeHtml(f.id)).join(', ')
+  const findings = result.findings
+    .map((f) => {
+      const location = `${escapeHtml(f.location.path)}:${f.location.startLine}`
+      const title = escapeHtml(f.ruleTitle)
+      const message = escapeHtml(f.message)
+      const severity = escapeHtml(f.severity.toUpperCase())
+
+      return `
+        <div class="finding">
+          <div class="finding__header">
+            <span class="badge badge--${f.severity}">${severity}</span>
+            <span class="finding__rule">${escapeHtml(f.ruleId)}</span>
+          </div>
+          <div class="finding__title">${title}</div>
+          <div class="finding__location">${location}</div>
+          <div class="finding__message">${message}</div>
+        </div>
+      `
+    })
+    .join('\n')
+
+  return `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>VibeSec report</title>
+    <style>
+      body { font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial; margin: 24px; color: #e5e7eb; background: #0b1220; }
+      h1 { margin: 0 0 8px 0; }
+      .meta { color: #9ca3af; margin-bottom: 16px; }
+      .finding { border: 1px solid #1f2937; border-radius: 10px; padding: 12px; margin: 12px 0; background: #0f172a; }
+      .finding__header { display: flex; gap: 10px; align-items: center; margin-bottom: 8px; }
+      .finding__rule { color: #cbd5e1; font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono"; font-size: 12px; }
+      .finding__title { font-weight: 600; margin-bottom: 6px; }
+      .finding__location { color: #9ca3af; font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono"; font-size: 12px; margin-bottom: 6px; }
+      .finding__message { color: #e5e7eb; }
+      .badge { display: inline-block; padding: 2px 8px; border-radius: 999px; font-size: 12px; font-weight: 700; text-transform: uppercase; letter-spacing: .02em; }
+      .badge--critical { background: #7f1d1d; color: #fecaca; }
+      .badge--high { background: #9a3412; color: #ffedd5; }
+      .badge--medium { background: #92400e; color: #fef3c7; }
+      .badge--low { background: #1f2937; color: #e5e7eb; }
+    </style>
+  </head>
+  <body>
+    <h1>VibeSec report</h1>
+    <div class="meta">Frameworks: ${frameworks || 'none'} · Findings: ${result.findings.length}</div>
+    ${findings || '<div class="meta">No findings.</div>'}
+  </body>
+</html>
+`
+}

package/src/reporters/sarif.ts

@@ -0,0 +1,115 @@
+import type { Finding, ScanResult, SeverityName } from '../types'
+
+type SarifLevel = 'error' | 'warning' | 'note'
+
+type SarifReport = {
+  version: '2.1.0'
+  $schema: string
+  runs: Array<{
+    tool: {
+      driver: {
+        name: string
+        version: string
+        informationUri?: string
+        rules?: Array<{
+          id: string
+          name?: string
+          shortDescription: { text: string }
+          fullDescription?: { text: string }
+          help?: { text: string }
+          properties?: Record<string, unknown>
+        }>
+      }
+    }
+    results: Array<{
+      ruleId: string
+      level: SarifLevel
+      message: { text: string }
+      locations: Array<{
+        physicalLocation: {
+          artifactLocation: { uri: string }
+          region: { startLine: number; startColumn: number }
+        }
+      }>
+      partialFingerprints?: Record<string, string>
+      properties?: Record<string, unknown>
+    }>
+  }>
+}
+
+function sarifLevel(severity: SeverityName): SarifLevel {
+  switch (severity) {
+    case 'critical':
+    case 'high':
+      return 'error'
+    case 'medium':
+      return 'warning'
+    case 'low':
+      return 'note'
+  }
+}
+
+function ruleKey(finding: Finding): string {
+  return finding.ruleId
+}
+
+export function toSarif(result: ScanResult): SarifReport {
+  const rulesById = new Map<string, Finding>()
+  for (const finding of result.findings) {
+    const id = ruleKey(finding)
+    if (!rulesById.has(id)) rulesById.set(id, finding)
+  }
+
+  const rules = Array.from(rulesById.values()).map((finding) => ({
+    id: finding.ruleId,
+    name: finding.ruleId,
+    shortDescription: { text: finding.ruleTitle },
+    fullDescription: finding.ruleDescription ? { text: finding.ruleDescription } : undefined,
+    help: { text: finding.message },
+    properties: {
+      severity: finding.severity,
+    },
+  }))
+
+  const results = result.findings.map((finding) => ({
+    ruleId: finding.ruleId,
+    level: sarifLevel(finding.severity),
+    message: { text: finding.message },
+    locations: [
+      {
+        physicalLocation: {
+          artifactLocation: { uri: finding.location.path },
+          region: {
+            startLine: finding.location.startLine,
+            startColumn: finding.location.startColumn,
+          },
+        },
+      },
+    ],
+    partialFingerprints: {
+      'vibesec/fingerprint': finding.fingerprint,
+    },
+    properties: {
+      severity: finding.severity,
+      fingerprint: finding.fingerprint,
+    },
+  }))
+
+  return {
+    version: '2.1.0',
+    $schema: 'https://json.schemastore.org/sarif-2.1.0.json',
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: 'vibesec',
+            version: '0.0.0',
+            informationUri: 'https://github.com/Reliability-Works/vibesec',
+            rules,
+          },
+        },
+        results,
+      },
+    ],
+  }
+}