@tracelens/shared 0.1.0

package/src/types/security.types.ts

@@ -0,0 +1,172 @@
+// CVE and vulnerability types for TraceLens
+export interface CVERecord {
+  id: string; // CVE-YYYY-NNNN format
+  published: string; // ISO date string
+  lastModified: string; // ISO date string
+  vulnStatus: VulnerabilityStatus;
+  descriptions: CVEDescription[];
+  metrics: CVEMetrics;
+  weaknesses: CVEWeakness[];
+  configurations: CVEConfiguration[];
+  references: CVEReference[];
+  vendorComments?: CVEVendorComment[];
+}
+
+export enum VulnerabilityStatus {
+  ANALYZED = 'Analyzed',
+  MODIFIED = 'Modified',
+  REJECTED = 'Rejected',
+  AWAITING_ANALYSIS = 'Awaiting Analysis',
+  RECEIVED = 'Received'
+}
+
+export interface CVEDescription {
+  lang: string;
+  value: string;
+}
+
+export interface CVEMetrics {
+  cvssMetricV31?: CVSSv31[];
+  cvssMetricV30?: CVSSv30[];
+  cvssMetricV2?: CVSSv2[];
+}
+
+export interface CVSSv31 {
+  source: string;
+  type: 'Primary' | 'Secondary';
+  cvssData: {
+    version: '3.1';
+    vectorString: string;
+    attackVector: 'NETWORK' | 'ADJACENT_NETWORK' | 'LOCAL' | 'PHYSICAL';
+    attackComplexity: 'LOW' | 'HIGH';
+    privilegesRequired: 'NONE' | 'LOW' | 'HIGH';
+    userInteraction: 'NONE' | 'REQUIRED';
+    scope: 'UNCHANGED' | 'CHANGED';
+    confidentialityImpact: 'NONE' | 'LOW' | 'HIGH';
+    integrityImpact: 'NONE' | 'LOW' | 'HIGH';
+    availabilityImpact: 'NONE' | 'LOW' | 'HIGH';
+    baseScore: number;
+    baseSeverity: 'NONE' | 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
+  };
+  exploitabilityScore: number;
+  impactScore: number;
+}
+
+export interface CVSSv30 {
+  source: string;
+  type: 'Primary' | 'Secondary';
+  cvssData: {
+    version: '3.0';
+    vectorString: string;
+    baseScore: number;
+    baseSeverity: 'NONE' | 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
+  };
+}
+
+export interface CVSSv2 {
+  source: string;
+  type: 'Primary' | 'Secondary';
+  cvssData: {
+    version: '2.0';
+    vectorString: string;
+    baseScore: number;
+  };
+}
+
+export interface CVEWeakness {
+  source: string;
+  type: 'Primary' | 'Secondary';
+  description: CVEDescription[];
+}
+
+export interface CVEConfiguration {
+  nodes: CVENode[];
+  operator?: 'AND' | 'OR';
+}
+
+export interface CVENode {
+  operator: 'AND' | 'OR';
+  negate?: boolean;
+  cpeMatch: CPEMatch[];
+}
+
+export interface CPEMatch {
+  vulnerable: boolean;
+  criteria: string; // CPE 2.3 format
+  matchCriteriaId: string;
+  versionStartExcluding?: string;
+  versionStartIncluding?: string;
+  versionEndExcluding?: string;
+  versionEndIncluding?: string;
+}
+
+export interface CVEReference {
+  url: string;
+  source: string;
+  tags?: string[];
+}
+
+export interface CVEVendorComment {
+  organization: string;
+  comment: string;
+  lastModified: string;
+}
+
+export interface VulnerabilityAssessment {
+  cveId: string;
+  packageName: string;
+  packageVersion: string;
+  severity: 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW' | 'NONE';
+  score: number;
+  vector: string;
+  runtimeRelevant: boolean;
+  executionPaths: string[];
+  exploitability: ExploitabilityAssessment;
+  mitigation: MitigationRecommendation;
+}
+
+export interface ExploitabilityAssessment {
+  isExploitable: boolean;
+  exploitComplexity: 'LOW' | 'MEDIUM' | 'HIGH';
+  requiresUserInteraction: boolean;
+  requiresPrivileges: boolean;
+  networkAccessible: boolean;
+  publicExploitAvailable: boolean;
+}
+
+export interface MitigationRecommendation {
+  action: 'UPDATE' | 'PATCH' | 'WORKAROUND' | 'MONITOR';
+  targetVersion?: string;
+  patchUrl?: string;
+  workaroundDescription?: string;
+  priority: 'IMMEDIATE' | 'HIGH' | 'MEDIUM' | 'LOW';
+  estimatedEffort: 'MINUTES' | 'HOURS' | 'DAYS' | 'WEEKS';
+}
+
+export interface SecurityScan {
+  id: string;
+  projectId: string;
+  timestamp: number;
+  scanType: 'FULL' | 'INCREMENTAL' | 'TARGETED';
+  vulnerabilities: VulnerabilityAssessment[];
+  summary: SecuritySummary;
+  runtimeAnalysis: RuntimeSecurityAnalysis;
+}
+
+export interface SecuritySummary {
+  totalVulnerabilities: number;
+  criticalCount: number;
+  highCount: number;
+  mediumCount: number;
+  lowCount: number;
+  runtimeRelevantCount: number;
+  exploitableCount: number;
+}
+
+export interface RuntimeSecurityAnalysis {
+  executedPackages: string[];
+  vulnerableExecutedPackages: string[];
+  criticalPathVulnerabilities: VulnerabilityAssessment[];
+  riskScore: number;
+  recommendations: MitigationRecommendation[];
+}

package/src/types/trace.types.ts

@@ -0,0 +1,62 @@
+// OpenTelemetry trace definitions for TraceLens
+export interface TraceSpan {
+  traceId: string;
+  spanId: string;
+  parentSpanId?: string;
+  operationName: string;
+  startTime: number; // microseconds since epoch
+  endTime?: number;
+  duration?: number; // microseconds
+  tags: Record<string, string | number | boolean>;
+  logs?: TraceLog[];
+  status: SpanStatus;
+}
+
+export interface TraceLog {
+  timestamp: number;
+  fields: Record<string, string | number | boolean>;
+}
+
+export enum SpanStatus {
+  OK = 'OK',
+  CANCELLED = 'CANCELLED',
+  UNKNOWN = 'UNKNOWN',
+  INVALID_ARGUMENT = 'INVALID_ARGUMENT',
+  DEADLINE_EXCEEDED = 'DEADLINE_EXCEEDED',
+  NOT_FOUND = 'NOT_FOUND',
+  ALREADY_EXISTS = 'ALREADY_EXISTS',
+  PERMISSION_DENIED = 'PERMISSION_DENIED',
+  RESOURCE_EXHAUSTED = 'RESOURCE_EXHAUSTED',
+  FAILED_PRECONDITION = 'FAILED_PRECONDITION',
+  ABORTED = 'ABORTED',
+  OUT_OF_RANGE = 'OUT_OF_RANGE',
+  UNIMPLEMENTED = 'UNIMPLEMENTED',
+  INTERNAL = 'INTERNAL',
+  UNAVAILABLE = 'UNAVAILABLE',
+  DATA_LOSS = 'DATA_LOSS',
+  UNAUTHENTICATED = 'UNAUTHENTICATED'
+}
+
+export interface Trace {
+  traceId: string;
+  spans: TraceSpan[];
+  startTime: number;
+  endTime?: number;
+  duration?: number;
+  rootSpan?: TraceSpan;
+}
+
+export interface TraceContext {
+  traceId: string;
+  spanId: string;
+  traceFlags: number;
+  traceState?: string;
+}
+
+export interface TracingConfig {
+  serviceName: string;
+  serviceVersion: string;
+  environment: string;
+  samplingRate: number;
+  endpoint?: string;
+}

package/src/utils/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["index.ts"],"names":[],"mappings":"AACA,wBAAgB,UAAU,IAAI,MAAM,CAEnC"}

package/src/utils/index.ts

@@ -0,0 +1,6 @@
+// Shared utilities
+export * from './validation';
+
+export function generateId(): string {
+  return Math.random().toString(36).substring(2, 15);
+}

package/src/utils/validation.ts

@@ -0,0 +1,209 @@
+// Data validation utilities for TraceLens
+import { TraceSpan, Trace } from '../types/trace.types';
+import { WebVitalsMetrics, PerformanceEvent } from '../types/performance.types';
+import { DependencySnapshot, PackageDependency } from '../types/dependency.types';
+import { CVERecord, VulnerabilityAssessment } from '../types/security.types';
+
+export class ValidationError extends Error {
+  constructor(
+    message: string,
+    public field: string,
+    public value: unknown
+  ) {
+    super(message);
+    this.name = 'ValidationError';
+  }
+}
+
+export function validateTraceSpan(span: unknown): TraceSpan {
+  if (!span || typeof span !== 'object') {
+    throw new ValidationError('Span must be an object', 'span', span);
+  }
+
+  const s = span as Record<string, unknown>;
+
+  if (!s.traceId || typeof s.traceId !== 'string') {
+    throw new ValidationError('traceId must be a string', 'traceId', s.traceId);
+  }
+
+  if (!s.spanId || typeof s.spanId !== 'string') {
+    throw new ValidationError('spanId must be a string', 'spanId', s.spanId);
+  }
+
+  if (!s.operationName || typeof s.operationName !== 'string') {
+    throw new ValidationError('operationName must be a string', 'operationName', s.operationName);
+  }
+
+  if (!s.startTime || typeof s.startTime !== 'number') {
+    throw new ValidationError('startTime must be a number', 'startTime', s.startTime);
+  }
+
+  if (s.endTime !== undefined && typeof s.endTime !== 'number') {
+    throw new ValidationError('endTime must be a number', 'endTime', s.endTime);
+  }
+
+  if (!s.tags || typeof s.tags !== 'object') {
+    throw new ValidationError('tags must be an object', 'tags', s.tags);
+  }
+
+  return s as unknown as TraceSpan;
+}
+
+export function validateTrace(trace: unknown): Trace {
+  if (!trace || typeof trace !== 'object') {
+    throw new ValidationError('Trace must be an object', 'trace', trace);
+  }
+
+  const t = trace as Record<string, unknown>;
+
+  if (!t.traceId || typeof t.traceId !== 'string') {
+    throw new ValidationError('traceId must be a string', 'traceId', t.traceId);
+  }
+
+  if (!Array.isArray(t.spans)) {
+    throw new ValidationError('spans must be an array', 'spans', t.spans);
+  }
+
+  // Validate each span
+  t.spans.forEach((span, index) => {
+    try {
+      validateTraceSpan(span);
+    } catch (error: unknown) {
+      const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+      throw new ValidationError(
+        `Invalid span at index ${index}: ${errorMessage}`,
+        `spans[${index}]`,
+        span
+      );
+    }
+  });
+
+  return t as unknown as Trace;
+}
+
+export function validatePerformanceEvent(event: unknown): PerformanceEvent {
+  if (!event || typeof event !== 'object') {
+    throw new ValidationError('Event must be an object', 'event', event);
+  }
+
+  const e = event as Record<string, unknown>;
+
+  if (!e.id || typeof e.id !== 'string') {
+    throw new ValidationError('id must be a string', 'id', e.id);
+  }
+
+  if (!e.timestamp || typeof e.timestamp !== 'number') {
+    throw new ValidationError('timestamp must be a number', 'timestamp', e.timestamp);
+  }
+
+  const validTypes = ['web-vitals', 'resource-timing', 'navigation-timing', 'long-task'];
+  if (!e.type || !validTypes.includes(e.type as string)) {
+    throw new ValidationError(
+      `type must be one of: ${validTypes.join(', ')}`,
+      'type',
+      e.type
+    );
+  }
+
+  if (!e.url || typeof e.url !== 'string') {
+    throw new ValidationError('url must be a string', 'url', e.url);
+  }
+
+  return e as unknown as PerformanceEvent;
+}
+
+export function validateDependencySnapshot(snapshot: unknown): DependencySnapshot {
+  if (!snapshot || typeof snapshot !== 'object') {
+    throw new ValidationError('Snapshot must be an object', 'snapshot', snapshot);
+  }
+
+  const s = snapshot as Record<string, unknown>;
+
+  if (!s.id || typeof s.id !== 'string') {
+    throw new ValidationError('id must be a string', 'id', s.id);
+  }
+
+  if (!s.projectId || typeof s.projectId !== 'string') {
+    throw new ValidationError('projectId must be a string', 'projectId', s.projectId);
+  }
+
+  if (!s.timestamp || typeof s.timestamp !== 'number') {
+    throw new ValidationError('timestamp must be a number', 'timestamp', s.timestamp);
+  }
+
+  if (!Array.isArray(s.dependencies)) {
+    throw new ValidationError('dependencies must be an array', 'dependencies', s.dependencies);
+  }
+
+  return s as unknown as DependencySnapshot;
+}
+
+export function validateCVERecord(cve: unknown): CVERecord {
+  if (!cve || typeof cve !== 'object') {
+    throw new ValidationError('CVE must be an object', 'cve', cve);
+  }
+
+  const c = cve as Record<string, unknown>;
+
+  if (!c.id || typeof c.id !== 'string') {
+    throw new ValidationError('id must be a string', 'id', c.id);
+  }
+
+  // Validate CVE ID format
+  const cveIdPattern = /^CVE-\d{4}-\d{4,}$/;
+  if (!cveIdPattern.test(c.id as string)) {
+    throw new ValidationError('id must be in CVE-YYYY-NNNN format', 'id', c.id);
+  }
+
+  if (!c.published || typeof c.published !== 'string') {
+    throw new ValidationError('published must be a string', 'published', c.published);
+  }
+
+  return c as unknown as CVERecord;
+}
+
+export function sanitizeInput(input: string): string {
+  // Remove potentially dangerous characters
+  return input
+    .replace(/[<>]/g, '') // Remove angle brackets
+    .replace(/javascript:/gi, '') // Remove javascript: protocol
+    .replace(/on\w+=/gi, '') // Remove event handlers
+    .trim();
+}
+
+export function validateProjectId(projectId: string): boolean {
+  // Project ID should be alphanumeric with hyphens and underscores
+  const projectIdPattern = /^[a-zA-Z0-9_-]+$/;
+  return projectIdPattern.test(projectId) && projectId.length >= 3 && projectId.length <= 50;
+}
+
+export function validateTimestamp(timestamp: number): boolean {
+  // Timestamp should be a reasonable Unix timestamp (after 2020, before 2050)
+  const minTimestamp = 1577836800000; // 2020-01-01
+  const maxTimestamp = 2524608000000; // 2050-01-01
+  return timestamp >= minTimestamp && timestamp <= maxTimestamp;
+}
+
+export function validateUrl(url: string): boolean {
+  try {
+    new URL(url);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+export function validateVersion(version: string): boolean {
+  // Validate semantic version format
+  const semverPattern = /^\d+\.\d+\.\d+(?:-[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*)?(?:\+[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*)?$/;
+  return semverPattern.test(version);
+}
+
+export function isValidJSON(str: string): boolean {
+  try {
+    JSON.parse(str);
+    return true;
+  } catch {
+    return false;
+  }
+}

package/tsconfig.json

@@ -0,0 +1,9 @@
+{
+  "extends": "@tracelens/tsconfig/base.json",
+  "compilerOptions": {
+    "outDir": "./dist",
+    "rootDir": "./src"
+  },
+  "include": ["src/**/*"],
+  "exclude": ["dist", "node_modules"]
+}