npm - @sentriflow/cli - Versions diffs - 0.1.8 → 0.2.0 - Mend

@sentriflow/cli 0.1.8 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -37,6 +37,15 @@ sentriflow --list-vendors
 # List active rules
 sentriflow --list-rules
+# List rules by category
+sentriflow --list-rules --category authentication
+# List all categories
+sentriflow --list-categories
+# Read from stdin
+cat router.conf | sentriflow -
 ```
 ## Usage
@@ -47,7 +56,7 @@ Usage: sentriflow [options] [file]
 SentriFlow Network Configuration Compliance Checker
 Arguments:
-  file                          Path to the configuration file
+  file                          Path to the configuration file (use - for stdin)
 Options:
   -V, --version                 output the version number
@@ -80,10 +89,20 @@ Supported vendors: `cisco-ios`, `juniper-junos`, `palo-alto`, `fortinet`, `arist
 | `--no-config` | Ignore config file |
 | `-d, --disable <ids>` | Comma-separated rule IDs to disable |
 | `--list-rules` | List all active rules and exit |
+| `--list-categories` | List all rule categories with counts |
+| `--category <name>` | Filter `--list-rules` by category |
+| `--list-format <fmt>` | Format for `--list-rules`: `table` (default), `json`, `csv` |
 | `-p, --rule-pack <path>` | Rule pack file to load |
 | `--json-rules <path...>` | Path(s) to JSON rules file(s) |
 | `-r, --rules <path>` | Additional rules file (legacy) |
+### IP Extraction
+| Option | Description |
+|--------|-------------|
+| `--extract-ips` | Extract and display all IP addresses/subnets from configuration |
+| `--copy-ips` | Copy extracted IPs to clipboard (requires xclip/pbcopy) |
 ### Encrypted Rule Packs
 | Option | Description |
@@ -125,7 +144,11 @@ Supported vendors: `cisco-ios`, `juniper-junos`, `palo-alto`, `fortinet`, `arist
       "passed": false,
       "message": "Telnet is enabled - use SSH instead",
       "line": 12,
-      "column": 1
+      "column": 1,
+      "category": "authentication",
+      "tags": [
+        { "type": "security", "label": "plaintext-protocol" }
+      ]
     }
   ]
 }
@@ -159,6 +182,38 @@ Produces SARIF 2.1.0 compliant output for integration with GitHub Code Scanning,
 sentriflow router.conf -f sarif > results.sarif
 ```
+SARIF output includes rule categories and tags in the `properties` block:
+```json
+{
+  "rules": [{
+    "id": "SEC-001",
+    "properties": {
+      "category": "authentication",
+      "tags": ["security:plaintext-protocol"]
+    }
+  }]
+}
+```
+## Rule Categories
+List all available categories:
+```bash
+sentriflow --list-categories
+```
+Filter rules by category:
+```bash
+# List only authentication rules
+sentriflow --list-rules --category authentication
+# Output as JSON
+sentriflow --list-rules --category encryption --list-format json
+```
 ## CI/CD Integration
 ### GitHub Actions

package/dist/index.js CHANGED Viewed

@@ -10334,7 +10334,42 @@ function validateRegex(pattern, flags, path, ctx) {
   }
 }
+// ../core/src/ip/types.ts
+var DEFAULT_MAX_CONTENT_SIZE = 50 * 1024 * 1024;
+var InputValidationError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "InputValidationError";
+  }
+};
 // ../core/src/ip/extractor.ts
+function stripZoneId(ip) {
+  const zoneIndex = ip.indexOf("%");
+  return zoneIndex !== -1 ? ip.substring(0, zoneIndex) : ip;
+}
+function createIPv4Pattern() {
+  return /\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\b/g;
+}
+function createIPv4CidrPattern() {
+  return /\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\/(?:3[0-2]|[12]?[0-9])\b/g;
+}
+function createIPv4WithMaskPattern() {
+  return /\b((?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\s+(255\.(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){2}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\b/g;
+}
+function createIPv4WithMaskKeywordPattern() {
+  return /\b((?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\s+mask\s+(255\.(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){2}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\b/gi;
+}
+function createIPv4WithWildcardPattern() {
+  return /\b((?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\s+(0\.(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){2}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\b/g;
+}
+function createIPv6Pattern() {
+  return /(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|:(?::[0-9a-fA-F]{1,4}){1,7}|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?::[0-9a-fA-F]{1,4}){1,6}|(?:[0-9a-fA-F]{1,4}:){1,7}:|::/g;
+}
+function createIPv6CidrPattern() {
+  return /(?:(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|:(?::[0-9a-fA-F]{1,4}){1,7}|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?::[0-9a-fA-F]{1,4}){1,6}|(?:[0-9a-fA-F]{1,4}:){1,7}:|::)\/(?:12[0-8]|1[01][0-9]|[1-9]?[0-9])(?!\d)/g;
+}
 function isValidIPv4(ip) {
   if (!ip || typeof ip !== "string") return false;
   const octets = ip.split(".");
@@ -10349,11 +10384,7 @@ function isValidIPv4(ip) {
 }
 function isValidIPv6(ip) {
   if (!ip || typeof ip !== "string") return false;
-  let addr = ip;
-  const zoneIndex = ip.indexOf("%");
-  if (zoneIndex !== -1) {
-    addr = ip.substring(0, zoneIndex);
-  }
+  const addr = stripZoneId(ip);
   if (!addr.includes(":")) return false;
   if (addr.includes(":::")) return false;
   const doubleColonCount = (addr.match(/::/g) || []).length;
@@ -10392,12 +10423,7 @@ function normalizeIPv4(ip) {
   return ip.split(".").map((octet) => parseInt(octet, 10).toString()).join(".");
 }
 function normalizeIPv6(ip) {
-  let addr = ip;
-  const zoneIndex = ip.indexOf("%");
-  if (zoneIndex !== -1) {
-    addr = ip.substring(0, zoneIndex);
-  }
-  addr = addr.toLowerCase();
+  const addr = stripZoneId(ip).toLowerCase();
   if (addr.includes("::")) {
     const sides = addr.split("::");
     const left = sides[0] ? sides[0].split(":").filter((p) => p !== "") : [];
@@ -10424,8 +10450,17 @@ function normalizeIPv6(ip) {
   }
   return result.join(":");
 }
+function clampOctet(n) {
+  if (!Number.isInteger(n)) {
+    return 0;
+  }
+  if (n < 0 || n > 255) {
+    return 0;
+  }
+  return n;
+}
 function ipv4ToNumber(ip) {
-  const octets = ip.split(".").map(Number);
+  const octets = ip.split(".").map((n) => clampOctet(Number(n)));
   const o0 = octets[0] ?? 0;
   const o1 = octets[1] ?? 0;
   const o2 = octets[2] ?? 0;
@@ -10438,11 +10473,7 @@ function compareIPv4(a, b) {
   return numA < numB ? -1 : numA > numB ? 1 : 0;
 }
 function expandIPv6(ip) {
-  let addr = ip;
-  const zoneIndex = ip.indexOf("%");
-  if (zoneIndex !== -1) {
-    addr = ip.substring(0, zoneIndex);
-  }
+  const addr = stripZoneId(ip);
   const parts = addr.split(":");
   const result = [];
   for (let i = 0; i < parts.length; i++) {
@@ -10489,9 +10520,23 @@ function sortIPv6Addresses(ips) {
 }
 function parseSubnet(subnet) {
   const slashIndex = subnet.lastIndexOf("/");
+  if (slashIndex === -1) {
+    throw new InputValidationError(
+      `Invalid subnet format (missing /): ${subnet}`,
+      "INVALID_FORMAT"
+    );
+  }
+  const prefixStr = subnet.substring(slashIndex + 1);
+  const prefix = parseInt(prefixStr, 10);
+  if (isNaN(prefix)) {
+    throw new InputValidationError(
+      `Invalid subnet prefix: ${prefixStr}`,
+      "INVALID_FORMAT"
+    );
+  }
   return {
     network: subnet.substring(0, slashIndex),
-    prefix: parseInt(subnet.substring(slashIndex + 1), 10)
+    prefix
   };
 }
 function sortSubnets(subnets, type) {
@@ -10541,13 +10586,6 @@ function wildcardToCidr(wildcard) {
   }
   return prefix;
 }
-var IPV4_PATTERN = /\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\b/g;
-var IPV4_CIDR_PATTERN = /\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\/(?:3[0-2]|[12]?[0-9])\b/g;
-var IPV4_WITH_MASK_PATTERN = /\b((?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\s+(255\.(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){2}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\b/g;
-var IPV4_WITH_MASK_KEYWORD_PATTERN = /\b((?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\s+mask\s+(255\.(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){2}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\b/gi;
-var IPV4_WITH_WILDCARD_PATTERN = /\b((?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\s+(0\.(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){2}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\b/g;
-var IPV6_PATTERN = /(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|:(?::[0-9a-fA-F]{1,4}){1,7}|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?::[0-9a-fA-F]{1,4}){1,6}|(?:[0-9a-fA-F]{1,4}:){1,7}:|::/g;
-var IPV6_CIDR_PATTERN = /(?:(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|:(?::[0-9a-fA-F]{1,4}){1,7}|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?::[0-9a-fA-F]{1,4}){1,6}|(?:[0-9a-fA-F]{1,4}:){1,7}:|::)\/(?:12[0-8]|1[01][0-9]|[1-9]?[0-9])/g;
 function createEmptyIPSummary() {
   return {
     ipv4Addresses: [],
@@ -10567,6 +10605,13 @@ function extractIPSummary(content, options = {}) {
   if (!content || typeof content !== "string") {
     return createEmptyIPSummary();
   }
+  const maxSize = options.maxContentSize ?? DEFAULT_MAX_CONTENT_SIZE;
+  if (content.length > maxSize) {
+    throw new InputValidationError(
+      `Content exceeds maximum size of ${maxSize} bytes`,
+      "SIZE_LIMIT_EXCEEDED"
+    );
+  }
   const ipv4Set = /* @__PURE__ */ new Set();
   const ipv6Set = /* @__PURE__ */ new Set();
   const ipv4SubnetSet = /* @__PURE__ */ new Set();
@@ -10574,7 +10619,7 @@ function extractIPSummary(content, options = {}) {
   const subnetNetworks = /* @__PURE__ */ new Set();
   const ipsWithMasks = /* @__PURE__ */ new Set();
   if (!options.skipSubnets) {
-    const ipv4CidrMatches = content.matchAll(IPV4_CIDR_PATTERN);
+    const ipv4CidrMatches = content.matchAll(createIPv4CidrPattern());
     for (const match of ipv4CidrMatches) {
       const subnet = match[0];
       if (isValidSubnet(subnet)) {
@@ -10584,7 +10629,7 @@ function extractIPSummary(content, options = {}) {
         subnetNetworks.add(normalizedNetwork);
       }
     }
-    const ipMaskMatches = content.matchAll(IPV4_WITH_MASK_PATTERN);
+    const ipMaskMatches = content.matchAll(createIPv4WithMaskPattern());
     for (const match of ipMaskMatches) {
       const ip = match[1];
       const mask = match[2];
@@ -10597,7 +10642,7 @@ function extractIPSummary(content, options = {}) {
         }
       }
     }
-    const ipMaskKeywordMatches = content.matchAll(IPV4_WITH_MASK_KEYWORD_PATTERN);
+    const ipMaskKeywordMatches = content.matchAll(createIPv4WithMaskKeywordPattern());
     for (const match of ipMaskKeywordMatches) {
       const ip = match[1];
       const mask = match[2];
@@ -10610,7 +10655,7 @@ function extractIPSummary(content, options = {}) {
         }
       }
     }
-    const ipWildcardMatches = content.matchAll(IPV4_WITH_WILDCARD_PATTERN);
+    const ipWildcardMatches = content.matchAll(createIPv4WithWildcardPattern());
     for (const match of ipWildcardMatches) {
       const ip = match[1];
       const wildcard = match[2];
@@ -10624,7 +10669,7 @@ function extractIPSummary(content, options = {}) {
       }
     }
   }
-  const ipv4Matches = content.matchAll(IPV4_PATTERN);
+  const ipv4Matches = content.matchAll(createIPv4Pattern());
   for (const match of ipv4Matches) {
     const ip = match[0];
     if (isValidIPv4(ip)) {
@@ -10636,7 +10681,7 @@ function extractIPSummary(content, options = {}) {
   }
   if (!options.skipIPv6) {
     if (!options.skipSubnets) {
-      const ipv6CidrMatches = content.matchAll(IPV6_CIDR_PATTERN);
+      const ipv6CidrMatches = content.matchAll(createIPv6CidrPattern());
       for (const match of ipv6CidrMatches) {
         const subnet = match[0];
         if (isValidSubnet(subnet)) {
@@ -10647,7 +10692,7 @@ function extractIPSummary(content, options = {}) {
         }
       }
     }
-    const ipv6Matches = content.matchAll(IPV6_PATTERN);
+    const ipv6Matches = content.matchAll(createIPv6Pattern());
     for (const match of ipv6Matches) {
       const ip = match[0];
       if (isValidIPv6(ip)) {
@@ -10658,6 +10703,16 @@ function extractIPSummary(content, options = {}) {
       }
     }
   }
+  if (options.includeSubnetNetworks) {
+    for (const subnet of ipv4SubnetSet) {
+      const { network } = parseSubnet(subnet);
+      ipv4Set.add(network);
+    }
+    for (const subnet of ipv6SubnetSet) {
+      const { network } = parseSubnet(subnet);
+      ipv6Set.add(network);
+    }
+  }
   const ipv4Addresses = sortIPv4Addresses([...ipv4Set]);
   const ipv6Addresses = sortIPv6Addresses([...ipv6Set]);
   const ipv4Subnets = sortSubnets([...ipv4SubnetSet], "ipv4");
@@ -10727,16 +10782,22 @@ function generateSarif(results, filePath, rules, options = {}, ipSummary) {
         kinds: ["superset"]
       }));
     }
-    if (secMeta?.cvssScore !== void 0 || secMeta?.cvssVector || secMeta?.tags) {
+    const hasCvss = secMeta?.cvssScore !== void 0 || secMeta?.cvssVector;
+    const hasTags = rule.metadata.tags && rule.metadata.tags.length > 0;
+    const hasCategory = rule.category !== void 0;
+    if (hasCvss || hasTags || hasCategory) {
       base.properties = {};
-      if (secMeta.cvssScore !== void 0) {
+      if (hasCategory) {
+        base.properties.category = rule.category;
+      }
+      if (secMeta?.cvssScore !== void 0) {
         base.properties["security-severity"] = String(secMeta.cvssScore);
       }
-      if (secMeta.cvssVector) {
+      if (secMeta?.cvssVector) {
         base.properties["cvss-vector"] = secMeta.cvssVector;
       }
-      if (secMeta.tags && secMeta.tags.length > 0) {
-        base.properties.tags = secMeta.tags;
+      if (hasTags) {
+        base.properties.tags = rule.metadata.tags.map((t) => t.label);
       }
     }
     return base;
@@ -10752,7 +10813,7 @@ function generateSarif(results, filePath, rules, options = {}, ipSummary) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.1.8",
+            version: "0.2.0",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -10874,16 +10935,22 @@ function generateMultiFileSarif(fileResults, rules, options = {}) {
         kinds: ["superset"]
       }));
     }
-    if (secMeta?.cvssScore !== void 0 || secMeta?.cvssVector || secMeta?.tags) {
+    const hasCvss = secMeta?.cvssScore !== void 0 || secMeta?.cvssVector;
+    const hasTags = rule.metadata.tags && rule.metadata.tags.length > 0;
+    const hasCategory = rule.category !== void 0;
+    if (hasCvss || hasTags || hasCategory) {
       base.properties = {};
-      if (secMeta.cvssScore !== void 0) {
+      if (hasCategory) {
+        base.properties.category = rule.category;
+      }
+      if (secMeta?.cvssScore !== void 0) {
         base.properties["security-severity"] = String(secMeta.cvssScore);
       }
-      if (secMeta.cvssVector) {
+      if (secMeta?.cvssVector) {
         base.properties["cvss-vector"] = secMeta.cvssVector;
       }
-      if (secMeta.tags && secMeta.tags.length > 0) {
-        base.properties.tags = secMeta.tags;
+      if (hasTags) {
+        base.properties.tags = rule.metadata.tags.map((t) => t.label);
       }
     }
     return base;
@@ -10906,7 +10973,7 @@ function generateMultiFileSarif(fileResults, rules, options = {}) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.1.8",
+            version: "0.2.0",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -13484,9 +13551,12 @@ var cisco_json_rules_default = {
         description: "Trunk ports should disable DTP (Dynamic Trunking Protocol)",
         remediation: "Add 'switchport nonegotiate' to disable DTP on trunk ports",
         security: {
-          cwe: ["CWE-319"],
-          tags: ["vlan-hopping", "network-security"]
-        }
+          cwe: ["CWE-319"]
+        },
+        tags: [
+          { type: "security", label: "vlan-hopping" },
+          { type: "security", label: "network-security" }
+        ]
       },
       check: {
         type: "and",
@@ -13527,9 +13597,12 @@ var cisco_json_rules_default = {
         description: "VTY lines should have access-class configured for SSH access control",
         remediation: "Add 'access-class <acl> in' to restrict VTY access",
         security: {
-          cwe: ["CWE-284"],
-          tags: ["access-control", "remote-access"]
-        }
+          cwe: ["CWE-284"]
+        },
+        tags: [
+          { type: "security", label: "access-control" },
+          { type: "security", label: "remote-access" }
+        ]
       },
       check: {
         type: "child_not_exists",
@@ -13611,9 +13684,12 @@ var juniper_json_rules_default = {
         description: "SSH should be configured for version 2 only",
         remediation: "Configure 'set system services ssh protocol-version v2'",
         security: {
-          cwe: ["CWE-327"],
-          tags: ["ssh", "encryption"]
-        }
+          cwe: ["CWE-327"]
+        },
+        tags: [
+          { type: "security", label: "ssh" },
+          { type: "security", label: "encryption" }
+        ]
       },
       check: {
         type: "and",
@@ -13644,9 +13720,12 @@ var juniper_json_rules_default = {
         description: "Telnet service should be disabled",
         remediation: "Remove 'set system services telnet' or add 'delete system services telnet'",
         security: {
-          cwe: ["CWE-319"],
-          tags: ["telnet", "cleartext"]
-        }
+          cwe: ["CWE-319"]
+        },
+        tags: [
+          { type: "security", label: "telnet" },
+          { type: "security", label: "cleartext" }
+        ]
       },
       check: {
         type: "helper",
@@ -14856,8 +14935,19 @@ function isStdinRequested(files) {
 }
 // index.ts
+function enrichResultsWithRuleMetadata(results, rules) {
+  const ruleMap = new Map(rules.map((r) => [r.id, r]));
+  return results.map((result) => {
+    const rule = ruleMap.get(result.ruleId);
+    return {
+      ...result,
+      category: rule?.category,
+      tags: rule?.metadata.tags ?? []
+    };
+  });
+}
 var program = new Command();
-program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.1.8").argument("[files...]", "Path(s) to configuration file(s) (supports multiple files)").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option("-p, --rule-pack <path>", "Rule pack file to load").option(
+program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.2.0").argument("[files...]", "Path(s) to configuration file(s) (supports multiple files)").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option("-p, --rule-pack <path>", "Rule pack file to load").option(
   "--encrypted-pack <path...>",
   "SEC-012: Path(s) to encrypted rule pack(s) (.grpx), can specify multiple"
 ).option(
@@ -14873,7 +14963,14 @@ program.name("sentriflow").description("SentriFlow Network Configuration Validat
   "-d, --disable <ids>",
   "Comma-separated rule IDs to disable",
   (val) => val.split(",")
-).option("--list-rules", "List all active rules and exit").option("--relative-paths", "Use relative paths in SARIF output").option(
+).option("--list-rules", "List all active rules and exit").option("--list-categories", "List all rule categories with counts and exit").option(
+  "--category <category>",
+  "Filter rules by category (use with --list-rules)"
+).option(
+  "--list-format <format>",
+  "Output format for --list-rules: table, json, csv (default: table)",
+  "table"
+).option("--relative-paths", "Use relative paths in SARIF output").option(
   "--allow-external",
   "Allow reading files outside the current directory (use with caution)"
 ).option(
@@ -14967,17 +15064,73 @@ Use: sentriflow --vendor <vendor> <file>`);
       allowedBaseDirs
       // SEC-011: Pass allowed base dirs for rule file validation
     });
-    if (options.listRules) {
-      console.log("Active rules:\n");
+    if (options.listCategories) {
+      const counts = /* @__PURE__ */ new Map();
       for (const rule of rules) {
+        const cats = Array.isArray(rule.category) ? rule.category : [rule.category ?? "uncategorized"];
+        for (const cat of cats) {
+          counts.set(cat, (counts.get(cat) ?? 0) + 1);
+        }
+      }
+      const sorted = [...counts.entries()].sort((a, b) => b[1] - a[1]);
+      console.log("CATEGORY              COUNT");
+      console.log("\u2500".repeat(35));
+      for (const [cat, count] of sorted) {
+        console.log(`${cat.padEnd(22)}${count}`);
+      }
+      console.log("\u2500".repeat(35));
+      console.log(`TOTAL                 ${rules.length}`);
+      return;
+    }
+    if (options.listRules) {
+      let filteredRules = rules;
+      if (options.category) {
+        filteredRules = rules.filter((r) => {
+          const cats = Array.isArray(r.category) ? r.category : [r.category];
+          return cats.includes(options.category);
+        });
+      }
+      if (options.listFormat === "json") {
+        const output = filteredRules.map((r) => ({
+          id: r.id,
+          category: r.category,
+          vendor: r.vendor,
+          level: r.metadata.level,
+          obu: r.metadata.obu,
+          description: r.metadata.description,
+          tags: r.metadata.tags
+        }));
+        console.log(JSON.stringify(output, null, 2));
+      } else if (options.listFormat === "csv") {
+        console.log("id,category,vendor,level,obu,description");
+        for (const rule of filteredRules) {
+          const cat = Array.isArray(rule.category) ? rule.category.join(";") : rule.category ?? "";
+          const vendor2 = Array.isArray(rule.vendor) ? rule.vendor.join(";") : rule.vendor ?? "common";
+          const desc = (rule.metadata.description ?? "").replace(/"/g, '""');
+          console.log(
+            `"${rule.id}","${cat}","${vendor2}","${rule.metadata.level}","${rule.metadata.obu}","${desc}"`
+          );
+        }
+      } else {
         console.log(
-          `  ${rule.id} [${rule.metadata.level}] - ${rule.metadata.obu}`
+          "ID                CATEGORY              VENDOR          LEVEL    OBU"
         );
+        console.log("\u2500".repeat(85));
+        for (const rule of filteredRules) {
+          const cat = Array.isArray(rule.category) ? rule.category[0] ?? "general" : rule.category ?? "general";
+          const vendor2 = Array.isArray(rule.vendor) ? rule.vendor[0] ?? "common" : rule.vendor ?? "common";
+          console.log(
+            `${rule.id.padEnd(18)}${cat.padEnd(22)}${vendor2.padEnd(16)}${rule.metadata.level.padEnd(9)}${rule.metadata.obu}`
+          );
+        }
+        console.log("\u2500".repeat(85));
+        console.log(`Total: ${filteredRules.length} rules`);
+        if (options.category) {
+          console.log(`Filtered by category: ${options.category}`);
+        }
       }
-      console.log(`
-Total: ${rules.length} rules`);
       const configFile = findConfigFile(configSearchDir);
-      if (configFile) {
+      if (configFile && options.listFormat === "table") {
         console.log(`
 Config file: ${configFile}`);
       }
@@ -15150,7 +15303,7 @@ Parsing complete: ${allAsts.length} files`);
           const passed = results2.filter((r) => r.passed).length;
           totalFailures += failures;
           totalPassed += passed;
-          const fileIpSummary = extractIPSummary(content2);
+          const fileIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
           allFileResults.push({
             filePath: filePath2,
             results: results2,
@@ -15187,7 +15340,7 @@ Parsing complete: ${allAsts.length} files`);
           files: allFileResults.map((fr) => ({
             file: fr.filePath,
             vendor: fr.vendor,
-            results: fr.results,
+            results: enrichResultsWithRuleMetadata(fr.results, rules),
             ipSummary: fr.ipSummary
           }))
         };
@@ -15264,7 +15417,16 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
       if (options.quiet) {
         results2 = results2.filter((r) => !r.passed);
       }
-      const stdinIpSummary = extractIPSummary(content2);
+      let stdinIpSummary;
+      try {
+        stdinIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
+      } catch (error) {
+        if (error instanceof InputValidationError) {
+          console.error(`Input validation error: ${error.message}`);
+          process.exit(2);
+        }
+        throw error;
+      }
       if (options.format === "sarif") {
         const sarifOptions = {
           relativePaths: options.relativePaths,
@@ -15275,7 +15437,7 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
         const output = {
           file: "<stdin>",
           vendor: { id: vendor2.id, name: vendor2.name },
-          results: results2,
+          results: enrichResultsWithRuleMetadata(results2, stdinRules),
           ipSummary: stdinIpSummary
         };
         console.log(JSON.stringify(output, null, 2));
@@ -15335,7 +15497,7 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
           const passed = results2.filter((r) => r.passed).length;
           totalFailures += failures;
           totalPassed += passed;
-          const fileIpSummary = extractIPSummary(content2);
+          const fileIpSummary = extractIPSummary(content2, { includeSubnetNetworks: true });
           allFileResults.push({
             filePath: filePath2,
             results: results2,
@@ -15367,7 +15529,7 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
           files: allFileResults.map((fr) => ({
             file: fr.filePath,
             vendor: fr.vendor,
-            results: fr.results,
+            results: enrichResultsWithRuleMetadata(fr.results, rules),
             ipSummary: fr.ipSummary
           }))
         };
@@ -15453,7 +15615,7 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
     if (options.quiet) {
       results = results.filter((r) => !r.passed);
     }
-    const ipSummary = extractIPSummary(content);
+    const ipSummary = extractIPSummary(content, { includeSubnetNetworks: true });
     if (options.format === "sarif") {
       const sarifOptions = {
         relativePaths: options.relativePaths,
@@ -15468,7 +15630,7 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
           id: vendor.id,
           name: vendor.name
         },
-        results,
+        results: enrichResultsWithRuleMetadata(results, singleFileRules),
         ipSummary
       };
       console.log(JSON.stringify(output, null, 2));
@@ -15480,6 +15642,8 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
   } catch (error) {
     if (error instanceof SentriflowError) {
       console.error(`Error: ${error.toUserMessage()}`);
+    } else if (error instanceof InputValidationError) {
+      console.error(`Input validation error: ${error.message}`);
     } else {
       console.error("Error: An unexpected error occurred");
     }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@sentriflow/cli",
-  "version": "0.1.8",
+  "version": "0.2.0",
   "description": "SentriFlow CLI - Network configuration linter and validator",
   "license": "Apache-2.0",
   "main": "dist/index.js",