@veraxhq/verax 0.2.1 → 0.4.0

package/src/verax/core/security/supplychain.policy.js

@@ -0,0 +1,334 @@
+/**
+ * PHASE 21.8 — Supply-Chain Policy
+ * 
+ * Enforces supply-chain security policies:
+ * - License allowlist/denylist
+ * - Integrity hash requirements
+ * - Postinstall script restrictions
+ */
+
+import { readFileSync, existsSync, writeFileSync, mkdirSync } from 'fs';
+import { resolve } from 'path';
+
+const DEFAULT_POLICY = JSON.parse(
+  readFileSync(new URL('./supplychain.defaults.json', import.meta.url), 'utf-8')
+);
+
+/**
+ * Load supply-chain policy
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Object} Policy object
+ */
+export function loadSupplyChainPolicy(projectDir) {
+  const customPath = resolve(projectDir, 'supplychain.policy.json');
+  
+  if (existsSync(customPath)) {
+    try {
+  // @ts-expect-error - readFileSync with encoding returns string
+      const custom = JSON.parse(readFileSync(customPath, 'utf-8'));
+      // Merge with defaults (custom overrides)
+      return {
+        ...DEFAULT_POLICY,
+        ...custom,
+        licensePolicy: {
+          ...DEFAULT_POLICY.licensePolicy,
+          ...(custom.licensePolicy || {})
+        },
+        integrityPolicy: {
+          ...DEFAULT_POLICY.integrityPolicy,
+          ...(custom.integrityPolicy || {})
+        },
+        scriptPolicy: {
+          ...DEFAULT_POLICY.scriptPolicy,
+          ...(custom.scriptPolicy || {})
+        },
+        sourcePolicy: {
+          ...DEFAULT_POLICY.sourcePolicy,
+          ...(custom.sourcePolicy || {})
+        }
+      };
+    } catch {
+      // Invalid custom policy, use defaults
+    }
+  }
+  
+  return DEFAULT_POLICY;
+}
+
+/**
+ * Get package.json dependencies
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Object} Dependencies
+ */
+function getDependencies(projectDir) {
+  try {
+    const pkgPath = resolve(projectDir, 'package.json');
+    if (!existsSync(pkgPath)) {
+      return { dependencies: {}, devDependencies: {} };
+    }
+  // @ts-expect-error - readFileSync with encoding returns string
+    const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+    return {
+      dependencies: pkg.dependencies || {},
+      devDependencies: pkg.devDependencies || {}
+    };
+  } catch {
+    return { dependencies: {}, devDependencies: {} };
+  }
+}
+
+/**
+ * Get package license from node_modules
+ * 
+ * @param {string} projectDir - Project directory
+ * @param {string} packageName - Package name
+ * @returns {string|null} License or null
+ */
+function getPackageLicense(projectDir, packageName) {
+  try {
+    const pkgPath = resolve(projectDir, 'node_modules', packageName, 'package.json');
+    if (!existsSync(pkgPath)) {
+      return null;
+    }
+  // @ts-expect-error - readFileSync with encoding returns string
+    const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+    
+    if (typeof pkg.license === 'string') {
+      return pkg.license;
+    } else if (pkg.license && pkg.license.type) {
+      return pkg.license.type;
+    } else if (Array.isArray(pkg.licenses) && pkg.licenses.length > 0) {
+      return pkg.licenses[0].type || pkg.licenses[0];
+    }
+    
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Check package-lock.json for integrity hashes
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Object} Integrity check results
+ */
+function checkIntegrityHashes(projectDir) {
+  const lockPath = resolve(projectDir, 'package-lock.json');
+  const missing = [];
+  
+  if (!existsSync(lockPath)) {
+    return { missing: [], total: 0 };
+  }
+  
+  try {
+  // @ts-expect-error - readFileSync with encoding returns string
+    const lock = JSON.parse(readFileSync(lockPath, 'utf-8'));
+    const packages = lock.packages || {};
+    let total = 0;
+    
+    for (const [path, pkg] of Object.entries(packages)) {
+      if (path && pkg && pkg.version) {
+        total++;
+        if (!pkg.integrity && !pkg.resolved?.includes('file:')) {
+          missing.push({
+            package: pkg.name || path,
+            path: path,
+            version: pkg.version
+          });
+        }
+      }
+    }
+    
+    return { missing, total };
+  } catch {
+    return { missing: [], total: 0 };
+  }
+}
+
+/**
+ * Check for postinstall scripts
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Array} Packages with postinstall scripts
+ */
+function checkPostinstallScripts(projectDir) {
+  const packages = [];
+  const nodeModulesPath = resolve(projectDir, 'node_modules');
+  
+  if (!existsSync(nodeModulesPath)) {
+    return packages;
+  }
+  
+  try {
+    const { readdirSync } = require('fs');
+    const entries = readdirSync(nodeModulesPath, { withFileTypes: true });
+    
+    for (const entry of entries) {
+      if (entry.isDirectory() && !entry.name.startsWith('.')) {
+        const pkgPath = resolve(nodeModulesPath, entry.name, 'package.json');
+        if (existsSync(pkgPath)) {
+          try {
+  // @ts-expect-error - readFileSync with encoding returns string
+            const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+            if (pkg.scripts) {
+              if (pkg.scripts.postinstall || pkg.scripts.preinstall || pkg.scripts.install) {
+                packages.push({
+                  name: pkg.name || entry.name,
+                  version: pkg.version || 'unknown',
+                  scripts: Object.keys(pkg.scripts).filter(s => 
+                    ['postinstall', 'preinstall', 'install'].includes(s)
+                  )
+                });
+              }
+            }
+          } catch {
+            // Skip invalid packages
+          }
+        }
+      }
+    }
+  } catch {
+    // If scanning fails, return empty
+  }
+  
+  return packages;
+}
+
+/**
+ * Evaluate supply-chain policy
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Promise<Object>} Evaluation results
+ */
+export async function evaluateSupplyChainPolicy(projectDir) {
+  const policy = loadSupplyChainPolicy(projectDir);
+  const deps = getDependencies(projectDir);
+  const violations = [];
+  const warnings = [];
+  
+  // Check licenses
+  const allDeps = { ...deps.dependencies, ...deps.devDependencies };
+  for (const [packageName] of Object.entries(allDeps)) {
+    const license = getPackageLicense(projectDir, packageName);
+    
+    if (license) {
+      // Check denylist
+      if (policy.licensePolicy.denylist.includes(license)) {
+        violations.push({
+          type: 'FORBIDDEN_LICENSE',
+          package: packageName,
+          license: license,
+          severity: 'BLOCKING',
+          message: `Package ${packageName} uses forbidden license: ${license}`
+        });
+      }
+      
+      // Check allowlist (if strict mode)
+      if (policy.licensePolicy.strictMode && !policy.licensePolicy.allowlist.includes(license)) {
+        violations.push({
+          type: 'UNALLOWED_LICENSE',
+          package: packageName,
+          license: license,
+          severity: 'BLOCKING',
+          message: `Package ${packageName} uses unallowed license: ${license}`
+        });
+      }
+    } else {
+      warnings.push({
+        type: 'MISSING_LICENSE',
+        package: packageName,
+        message: `Package ${packageName} has no license information`
+      });
+    }
+  }
+  
+  // Check integrity hashes
+  if (policy.integrityPolicy.requireIntegrityHash) {
+    const integrityCheck = checkIntegrityHashes(projectDir);
+    for (const missing of integrityCheck.missing) {
+      if (!policy.integrityPolicy.allowedMissingIntegrity.includes(missing.package)) {
+        violations.push({
+          type: 'MISSING_INTEGRITY',
+          package: missing.package,
+          version: missing.version,
+          severity: 'BLOCKING',
+          message: `Package ${missing.package}@${missing.version} missing integrity hash`
+        });
+      }
+    }
+  }
+  
+  // Check postinstall scripts
+  if (policy.scriptPolicy.forbidPostinstall || 
+      policy.scriptPolicy.forbidPreinstall || 
+      policy.scriptPolicy.forbidInstall) {
+    const scripts = checkPostinstallScripts(projectDir);
+    for (const pkg of scripts) {
+      const forbiddenScripts = pkg.scripts.filter(s => {
+        if (s === 'postinstall' && policy.scriptPolicy.forbidPostinstall) return true;
+        if (s === 'preinstall' && policy.scriptPolicy.forbidPreinstall) return true;
+        if (s === 'install' && policy.scriptPolicy.forbidInstall) return true;
+        return false;
+      });
+      
+      if (forbiddenScripts.length > 0 && !policy.scriptPolicy.allowlist.includes(pkg.name)) {
+        violations.push({
+          type: 'FORBIDDEN_SCRIPT',
+          package: pkg.name,
+          version: pkg.version,
+          scripts: forbiddenScripts,
+          severity: 'BLOCKING',
+          message: `Package ${pkg.name} has forbidden scripts: ${forbiddenScripts.join(', ')}`
+        });
+      }
+    }
+  }
+  
+  const ok = violations.length === 0;
+  
+  return {
+    ok,
+    violations,
+    warnings,
+    summary: {
+      totalViolations: violations.length,
+      totalWarnings: warnings.length,
+      byType: violations.reduce((acc, v) => {
+        acc[v.type] = (acc[v.type] || 0) + 1;
+        return acc;
+      }, {}),
+      evaluatedAt: new Date().toISOString()
+    },
+    policy: {
+      version: policy.version,
+      licensePolicy: {
+        allowlist: policy.licensePolicy.allowlist,
+        denylist: policy.licensePolicy.denylist,
+        strictMode: policy.licensePolicy.strictMode
+      }
+    }
+  };
+}
+
+/**
+ * Write supply-chain report
+ * 
+ * @param {string} projectDir - Project directory
+ * @param {Object} report - Evaluation results
+ * @returns {string} Path to written file
+ */
+export function writeSupplyChainReport(projectDir, report) {
+  const outputDir = resolve(projectDir, 'release');
+  if (!existsSync(outputDir)) {
+    mkdirSync(outputDir, { recursive: true });
+  }
+  
+  const outputPath = resolve(outputDir, 'security.supplychain.report.json');
+  writeFileSync(outputPath, JSON.stringify(report, null, 2), 'utf-8');
+  
+  return outputPath;
+}
+

package/src/verax/core/security/vuln.scan.js

@@ -0,0 +1,265 @@
+/**
+ * PHASE 21.8 — Vulnerability Scanner
+ * 
+ * Scans dependencies for vulnerabilities using npm audit.
+ * HIGH/CRITICAL = BLOCKING, MEDIUM = WARNING (configurable).
+ */
+
+import { readFileSync as _readFileSync, existsSync, writeFileSync, mkdirSync } from 'fs';
+import { resolve } from 'path';
+import { execSync } from 'child_process';
+
+/**
+ * Check if OSV scanner is available
+ * 
+ * @returns {boolean} Whether osv-scanner is available
+ */
+function checkOSVAvailable() {
+  try {
+    execSync('osv-scanner --version', {
+      stdio: ['ignore', 'pipe', 'pipe'],
+      timeout: 5000
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Run npm audit
+ * 
+ * @param {string} projectDir - Project directory
+ * @returns {Object|null} Audit results or null
+ */
+function runNpmAudit(projectDir) {
+  try {
+    const result = execSync('npm audit --json', {
+      cwd: projectDir,
+      encoding: 'utf-8',
+      stdio: ['ignore', 'pipe', 'pipe']
+    });
+    
+    return JSON.parse(result);
+  } catch (error) {
+    // npm audit exits with non-zero on vulnerabilities
+    try {
+      const stderr = error.stderr?.toString() || '';
+      const stdout = error.stdout?.toString() || '';
+      const output = stdout || stderr;
+      
+      if (output) {
+        return JSON.parse(output);
+      }
+    } catch {
+      // Failed to parse
+    }
+    
+    return null;
+  }
+}
+
+/**
+ * Parse vulnerabilities from audit results
+ * 
+ * @param {Object} auditResults - npm audit JSON output
+ * @returns {Array} Array of vulnerabilities
+ */
+function parseVulnerabilities(auditResults) {
+  const vulnerabilities = [];
+  
+  if (!auditResults || !auditResults.vulnerabilities) {
+    return vulnerabilities;
+  }
+  
+  for (const [packageName, vulnData] of Object.entries(auditResults.vulnerabilities)) {
+    if (Array.isArray(vulnData)) {
+      for (const vuln of vulnData) {
+        vulnerabilities.push({
+          package: packageName,
+          severity: vuln.severity?.toUpperCase() || 'UNKNOWN',
+          title: vuln.title || vuln.name || 'Unknown vulnerability',
+          url: vuln.url || null,
+          dependencyOf: vuln.dependencyOf || null,
+          via: vuln.via || null
+        });
+      }
+    } else if (vulnData.vulnerabilities) {
+      for (const vuln of vulnData.vulnerabilities) {
+        vulnerabilities.push({
+          package: packageName,
+          severity: vuln.severity?.toUpperCase() || 'UNKNOWN',
+          title: vuln.title || vuln.name || 'Unknown vulnerability',
+          url: vuln.url || null,
+          dependencyOf: vulnData.dependencyOf || null,
+          via: vuln.via || null
+        });
+      }
+    }
+  }
+  
+  return vulnerabilities;
+}
+
+/**
+ * Scan for vulnerabilities
+ * 
+ * @param {string} projectDir - Project directory
+ * @param {Object} options - Options
+ * @param {boolean} options.blockMedium - Block MEDIUM severity (default: false)
+ * @param {boolean} options.requireOSV - Require OSV scanner (default: false)
+ * @returns {Promise<Object>} Scan results
+ */
+export async function scanVulnerabilities(projectDir, options = { blockMedium: false, requireOSV: false }) {
+  const { blockMedium = false, requireOSV = false } = options;
+  
+  // Check OSV availability
+  const osvAvailable = checkOSVAvailable();
+  let osvResults = null;
+  
+  if (osvAvailable) {
+    try {
+      // Run OSV scanner
+      const osvOutput = execSync('osv-scanner --format=json .', {
+        cwd: projectDir,
+        encoding: 'utf-8',
+        stdio: ['ignore', 'pipe', 'pipe'],
+        timeout: 60000
+      });
+      try {
+        osvResults = JSON.parse(osvOutput);
+      } catch {
+        // OSV scanner may output non-JSON on errors
+      }
+    } catch {
+      // OSV scanner failed, fall back to npm audit
+    }
+  }
+  
+  // Always try npm audit as fallback
+  const auditResults = runNpmAudit(projectDir);
+  
+  if (!auditResults && !osvResults) {
+    if (requireOSV && !osvAvailable) {
+      return {
+        ok: false,
+        error: 'OSV scanner not available',
+        availability: 'NOT_AVAILABLE',
+        tool: null,
+        vulnerabilities: [],
+        summary: {
+          total: 0,
+          critical: 0,
+          high: 0,
+          medium: 0,
+          low: 0,
+          scannedAt: new Date().toISOString()
+        }
+      };
+    }
+    
+    return {
+      ok: false,
+      error: 'Failed to run npm audit',
+      availability: 'FAILED',
+      tool: 'NPM_AUDIT',
+      vulnerabilities: [],
+      summary: {
+        total: 0,
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 0,
+        scannedAt: new Date().toISOString()
+      }
+    };
+  }
+  
+  // Parse vulnerabilities from npm audit (primary source)
+  let vulnerabilities = [];
+  if (auditResults) {
+    vulnerabilities = parseVulnerabilities(auditResults);
+  }
+  
+  // Merge OSV results if available
+  if (osvResults && osvResults.results) {
+    for (const result of osvResults.results) {
+      if (result.packages && Array.isArray(result.packages)) {
+        for (const pkg of result.packages) {
+          if (result.vulnerabilities && Array.isArray(result.vulnerabilities)) {
+            for (const vuln of result.vulnerabilities) {
+              // Avoid duplicates (merge by package + ID)
+              const existing = vulnerabilities.find(v => 
+                v.package === pkg.package?.name && 
+                v.osvId === vuln.id
+              );
+              if (!existing) {
+                vulnerabilities.push({
+                  package: pkg.package?.name || 'unknown',
+                  severity: vuln.severity?.toUpperCase() || 'UNKNOWN',
+                  title: vuln.summary || vuln.id || 'Unknown vulnerability',
+                  url: vuln.database_specific?.url || vuln.id ? `https://osv.dev/vulnerability/${vuln.id}` : null,
+                  osvId: vuln.id,
+                  source: 'OSV'
+                });
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  
+  const critical = vulnerabilities.filter(v => v.severity === 'CRITICAL');
+  const high = vulnerabilities.filter(v => v.severity === 'HIGH');
+  const medium = vulnerabilities.filter(v => v.severity === 'MEDIUM');
+  const low = vulnerabilities.filter(v => v.severity === 'LOW');
+  
+  // BLOCKING: CRITICAL or HIGH
+  // WARNING: MEDIUM (blocking if blockMedium=true)
+  const blocking = critical.length > 0 || high.length > 0 || (blockMedium && medium.length > 0);
+  
+  return {
+    ok: !blocking,
+    blocking,
+    availability: osvAvailable ? 'AVAILABLE' : 'NOT_AVAILABLE',
+    tool: osvAvailable ? 'OSV_SCANNER' : (auditResults ? 'NPM_AUDIT' : null),
+    osvAvailable,
+    vulnerabilities,
+    summary: {
+      total: vulnerabilities.length,
+      critical: critical.length,
+      high: high.length,
+      medium: medium.length,
+      low: low.length,
+      blocking,
+      warnings: blockMedium ? 0 : medium.length,
+      scannedAt: new Date().toISOString()
+    },
+    metadata: {
+      auditVersion: auditResults?.auditReportVersion || null,
+      npmVersion: auditResults?.npmVersion || null,
+      osvVersion: osvAvailable ? 'detected' : null
+    }
+  };
+}
+
+/**
+ * Write vulnerability report
+ * 
+ * @param {string} projectDir - Project directory
+ * @param {Object} report - Scan results
+ * @returns {string} Path to written file
+ */
+export function writeVulnReport(projectDir, report) {
+  const outputDir = resolve(projectDir, 'release');
+  if (!existsSync(outputDir)) {
+    mkdirSync(outputDir, { recursive: true });
+  }
+  
+  const outputPath = resolve(outputDir, 'security.vuln.report.json');
+  writeFileSync(outputPath, JSON.stringify(report, null, 2), 'utf-8');
+  
+  return outputPath;
+}
+