@vibecheckai/cli 3.1.8 → 3.2.0

package/bin/runners/context/security-scanner.js

@@ -1,68 +1,192 @@
 /**
  * Security Scanner Module
  * Scans context for secrets, vulnerabilities, and sensitive data
+ * Enhanced with entropy checking and better false positive prevention
  */
 
 const fs = require("fs");
 const path = require("path");
 const crypto = require("crypto");
 
+/**
+ * Calculate Shannon entropy of a string
+ * Higher entropy = more random = more likely to be a real secret
+ */
+function calculateEntropy(str) {
+  if (!str || str.length === 0) return 0;
+  
+  const freq = {};
+  for (const char of str) {
+    freq[char] = (freq[char] || 0) + 1;
+  }
+  
+  let entropy = 0;
+  const len = str.length;
+  for (const count of Object.values(freq)) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  
+  return entropy;
+}
+
+/**
+ * Check if a value is a known false positive
+ */
+function isFalsePositive(value, line, filePath) {
+  const lowerValue = value.toLowerCase();
+  const lowerLine = line.toLowerCase();
+  const lowerPath = filePath.toLowerCase();
+  
+  // Common placeholder/test values
+  const falsePositiveValues = [
+    'example', 'test', 'sample', 'demo', 'placeholder', 'mock', 'fake', 'dummy',
+    'your_key', 'your_secret', 'your_token', 'changeme', 'replace_me', 'xxx',
+    'password', 'password123', 'secret', 'admin', '12345', 'qwerty'
+  ];
+  
+  for (const fp of falsePositiveValues) {
+    if (lowerValue.includes(fp)) return true;
+  }
+  
+  // Repeating characters (low entropy)
+  if (/^(.)\1{5,}$/.test(value)) return true;
+  
+  // Sequential characters
+  if (/^(012|123|234|345|456|567|678|789|abc|bcd|cde)/i.test(value)) return true;
+  
+  // Test/example context
+  if (lowerLine.includes('example') || lowerLine.includes('// test')) return true;
+  if (lowerPath.includes('.test.') || lowerPath.includes('.spec.')) return true;
+  if (lowerPath.includes('__tests__') || lowerPath.includes('__mocks__')) return true;
+  if (lowerPath.includes('/fixtures/') || lowerPath.includes('/examples/')) return true;
+  
+  // Documentation context
+  if (lowerPath.endsWith('.md') || lowerPath.includes('/docs/')) return true;
+  
+  // Env template files
+  if (lowerPath.includes('.env.example') || lowerPath.includes('.env.template')) return true;
+  if (lowerPath.includes('.env.sample')) return true;
+  
+  // Type definitions
+  if (lowerLine.includes('type ') || lowerLine.includes('interface ')) return true;
+  
+  // Import statements
+  if (lowerLine.startsWith('import ') || lowerLine.includes('require(')) return true;
+  
+  return false;
+}
+
 /**
  * Secret patterns to detect
+ * Each pattern now includes minEntropy for generic patterns
  */
 const SECRET_PATTERNS = [
-  // API Keys
-  { pattern: /AIza[0-9A-Za-z_-]{35}/, type: "Google API Key" },
-  { pattern: /AKIA[0-9A-Z]{16}/, type: "AWS Access Key" },
-  { pattern: /xoxb-[0-9]{10}-[0-9]{10}/, type: "Slack Bot Token" },
-  { pattern: /ghp_[a-zA-Z0-9]{36}/, type: "GitHub Personal Token" },
-  { pattern: /sk_live_[0-9a-zA-Z]{24}/, type: "Stripe Live Key" },
-  { pattern: /pk_live_[0-9a-zA-Z]{24}/, type: "Stripe Publishable Key" },
-  
-  // Generic patterns
-  { pattern: /['"]?API[_-]?KEY['"]?\s*[:=]\s*['"][^'"]{8,}['"]/, type: "API Key" },
-  { pattern: /['"]?SECRET[_-]?KEY['"]?\s*[:=]\s*['"][^'"]{8,}['"]/, type: "Secret Key" },
-  { pattern: /['"]?PASSWORD['"]?\s*[:=]\s*['"][^'"]{6,}['"]/, type: "Password" },
-  { pattern: /['"]?TOKEN['"]?\s*[:=]\s*['"][^'"]{8,}['"]/, type: "Token" },
-  { pattern: /['"]?PRIVATE[_-]?KEY['"]?\s*[:=]\s*['"][^'"]{16,}['"]/, type: "Private Key" },
-  
-  // Database URLs
-  { pattern: /mongodb:\/\/[^:]+:[^@]+@/, type: "MongoDB URL" },
-  { pattern: /postgres:\/\/[^:]+:[^@]+@/, type: "PostgreSQL URL" },
-  { pattern: /mysql:\/\/[^:]+:[^@]+@/, type: "MySQL URL" },
-  
-  // JWT tokens
-  { pattern: /eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*/, type: "JWT Token" },
+  // API Keys - specific formats (high confidence, no entropy check needed)
+  { pattern: /AIza[0-9A-Za-z_-]{35}/, type: "Google API Key", minEntropy: 3.5 },
+  { pattern: /AKIA[0-9A-Z]{16}/, type: "AWS Access Key", minEntropy: 3.5 },
+  { pattern: /xoxb-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}/, type: "Slack Bot Token", minEntropy: 0 },
+  { pattern: /ghp_[a-zA-Z0-9]{36}/, type: "GitHub Personal Token", minEntropy: 3.5 },
+  { pattern: /gho_[a-zA-Z0-9]{36}/, type: "GitHub OAuth Token", minEntropy: 3.5 },
+  { pattern: /sk_live_[0-9a-zA-Z]{24,}/, type: "Stripe Live Key", minEntropy: 3.5 },
+  { pattern: /pk_live_[0-9a-zA-Z]{24,}/, type: "Stripe Publishable Key", minEntropy: 0 },
+  
+  // Generic patterns - require higher entropy to avoid false positives
+  { pattern: /['"]?api[_-]?key['"]?\s*[:=]\s*['"]([^'"]{16,})['"]/, type: "API Key", minEntropy: 4.0, valueGroup: 1 },
+  { pattern: /['"]?secret[_-]?key['"]?\s*[:=]\s*['"]([^'"]{16,})['"]/, type: "Secret Key", minEntropy: 4.0, valueGroup: 1 },
+  { pattern: /['"]?password['"]?\s*[:=]\s*['"]([^'"]{8,})['"]/, type: "Password", minEntropy: 3.0, valueGroup: 1 },
+  { pattern: /['"]?auth[_-]?token['"]?\s*[:=]\s*['"]([^'"]{16,})['"]/, type: "Auth Token", minEntropy: 4.0, valueGroup: 1 },
+  { pattern: /['"]?private[_-]?key['"]?\s*[:=]\s*['"]([^'"]{20,})['"]/, type: "Private Key", minEntropy: 4.0, valueGroup: 1 },
+  
+  // Database URLs (credentials embedded)
+  { pattern: /mongodb(?:\+srv)?:\/\/([^:]+):([^@]+)@/, type: "MongoDB URL", minEntropy: 0 },
+  { pattern: /postgres(?:ql)?:\/\/([^:]+):([^@]+)@/, type: "PostgreSQL URL", minEntropy: 0 },
+  { pattern: /mysql:\/\/([^:]+):([^@]+)@/, type: "MySQL URL", minEntropy: 0 },
+  { pattern: /redis:\/\/([^:]+):([^@]+)@/, type: "Redis URL", minEntropy: 0 },
+  
+  // JWT tokens - validate structure
+  { pattern: /eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/, type: "JWT Token", minEntropy: 4.0 },
 ];
 
 /**
- * Vulnerability patterns
+ * Vulnerability patterns - refined to reduce false positives
+ * Each pattern now includes contextual requirements
  */
 const VULNERABILITY_PATTERNS = [
-  // SQL Injection
-  { pattern: /query\s*\(\s*['"]\s*\+.*\+\s*['"]/, type: "SQL Injection", severity: "high" },
-  { pattern: /execute\s*\(\s*['"]\s*\+/, type: "SQL Injection", severity: "high" },
-  
-  // XSS
-  { pattern: /dangerouslySetInnerHTML/, type: "XSS Risk", severity: "high" },
-  { pattern: /innerHTML\s*=/, type: "XSS Risk", severity: "medium" },
-  { pattern: /document\.write\s*\(/, type: "XSS Risk", severity: "high" },
-  
-  // Path Traversal
-  { pattern: /\.\.\/\.\./, type: "Path Traversal", severity: "medium" },
-  { pattern: /readFile\s*\(\s*.*\+/, type: "Path Traversal", severity: "high" },
-  
-  // Insecure Crypto
-  { pattern: /md5\s*\(/, type: "Weak Hash", severity: "medium" },
-  { pattern: /sha1\s*\(/, type: "Weak Hash", severity: "medium" },
-  
-  // Hardcoded credentials
-  { pattern: /admin\s*:\s*['"]admin['"]/, type: "Hardcoded Credentials", severity: "high" },
-  { pattern: /root\s*:\s*['"][^'"]{4,}['"]/, type: "Hardcoded Credentials", severity: "high" },
-  
-  // Debug code
-  { pattern: /console\.log\s*\(\s*password/, type: "Password in Log", severity: "high" },
-  { pattern: /console\.log\s*\(\s*token/, type: "Token in Log", severity: "high" },
+  // SQL Injection - require concatenation with user input indicators
+  { 
+    pattern: /(?:query|execute|raw)\s*\(\s*['"`](?:SELECT|INSERT|UPDATE|DELETE|DROP)\s*[^'"]*\+\s*(?:req\.|user|input|param)/i, 
+    type: "SQL Injection", 
+    severity: "critical",
+    contextExclusions: ['parameterized', 'prepared', 'placeholder']
+  },
+  
+  // XSS - dangerouslySetInnerHTML only when value comes from user/external
+  { 
+    pattern: /dangerouslySetInnerHTML\s*=\s*{{\s*__html:\s*(?:props|data|user|input|param)/, 
+    type: "XSS Risk", 
+    severity: "high",
+    contextExclusions: ['sanitize', 'DOMPurify', 'escape']
+  },
+  // innerHTML with dynamic content
+  { 
+    pattern: /\.innerHTML\s*=\s*(?:[^'";\n]*\+|`[^`]*\$\{)/, 
+    type: "XSS Risk", 
+    severity: "high",
+    contextExclusions: ['sanitize', 'escape', 'encode']
+  },
+  // document.write with variables
+  { 
+    pattern: /document\.write\s*\([^)]*(?:\+|\$\{)/, 
+    type: "XSS Risk", 
+    severity: "high" 
+  },
+  
+  // Path Traversal - only flag when path comes from user input
+  { 
+    pattern: /(?:readFile|readdir|open|access)\s*\([^)]*(?:req\.|user|input|param)[^)]*\)/, 
+    type: "Path Traversal", 
+    severity: "high",
+    contextExclusions: ['path.join', 'path.resolve', 'normalize', 'sanitize']
+  },
+  
+  // Insecure Crypto - only for password/credential hashing, not checksums
+  { 
+    pattern: /(?:createHash|crypto)\s*\(\s*['"](?:md5|sha1)['"]\s*\)[^;]*(?:password|credential|secret)/i, 
+    type: "Weak Password Hash", 
+    severity: "high",
+    contextExclusions: ['checksum', 'fingerprint', 'etag', 'cache']
+  },
+  
+  // Hardcoded credentials - more specific patterns
+  { 
+    pattern: /(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{4,}['"]\s*(?:,|;|$)/, 
+    type: "Hardcoded Credentials", 
+    severity: "high",
+    contextExclusions: ['process.env', 'config.', 'example', 'test', 'placeholder']
+  },
+  
+  // Sensitive data in logs - only when logging actual variables
+  { 
+    pattern: /console\.(?:log|info|debug)\s*\([^)]*(?:password|secret|token|apiKey|auth)[^)]*\)/, 
+    type: "Sensitive Data in Log", 
+    severity: "high",
+    contextExclusions: ['masked', 'redacted', '***', '[REDACTED]']
+  },
+  
+  // Eval with dynamic content
+  {
+    pattern: /\beval\s*\([^)]*(?:\+|`\$\{|concat)/, 
+    type: "Code Injection", 
+    severity: "critical"
+  },
+  
+  // Insecure random for security purposes
+  {
+    pattern: /Math\.random\s*\(\s*\)[^;]*(?:token|secret|key|password|salt|nonce)/i,
+    type: "Insecure Random",
+    severity: "high"
+  },
 ];
 
 /**
@@ -87,24 +211,65 @@ function findFiles(dir, extensions, maxDepth = 5, currentDepth = 0) {
 }
 
 /**
- * Scan file for secrets
+ * Scan file for secrets with entropy checking and false positive filtering
  */
 function scanForSecrets(content, filePath) {
   const secrets = [];
   const lines = content.split("\n");
+  const relativePath = path.relative(process.cwd(), filePath).replace(/\\/g, "/");
   
-  for (const pattern of SECRET_PATTERNS) {
-    const matches = content.matchAll(new RegExp(pattern.pattern.source, 'g'));
-    for (const match of matches) {
+  // Skip known safe file types
+  if (/\.(md|txt|svg|png|jpg|gif|ico|woff|woff2|ttf|eot|map)$/i.test(filePath)) {
+    return secrets;
+  }
+  
+  for (const patternDef of SECRET_PATTERNS) {
+    const regex = new RegExp(patternDef.pattern.source, 'gi');
+    let match;
+    
+    while ((match = regex.exec(content)) !== null) {
       const lineNum = content.substring(0, match.index).split("\n").length;
-      const line = lines[lineNum - 1];
+      const line = lines[lineNum - 1] || '';
+      
+      // Extract the actual secret value (use valueGroup if specified)
+      const secretValue = patternDef.valueGroup !== undefined 
+        ? (match[patternDef.valueGroup] || match[0])
+        : match[0];
+      
+      // Check for false positives first
+      if (isFalsePositive(secretValue, line, filePath)) {
+        continue;
+      }
+      
+      // Check entropy if required
+      if (patternDef.minEntropy && patternDef.minEntropy > 0) {
+        const entropy = calculateEntropy(secretValue);
+        if (entropy < patternDef.minEntropy) {
+          continue; // Too low entropy, likely not a real secret
+        }
+      }
+      
+      // Additional validation for specific types
+      if (patternDef.type === "JWT Token") {
+        // Validate JWT structure
+        const parts = secretValue.split('.');
+        if (parts.length !== 3) continue;
+        // Check if header looks valid (should be base64 JSON starting with eyJ)
+        try {
+          const header = Buffer.from(parts[0], 'base64url').toString();
+          if (!header.includes('{') || !header.includes('alg')) continue;
+        } catch {
+          continue;
+        }
+      }
       
       secrets.push({
-        type: pattern.type,
-        file: path.relative(process.cwd(), filePath).replace(/\\/g, "/"),
+        type: patternDef.type,
+        file: relativePath,
         line: lineNum,
-        content: line.trim(),
-        severity: "critical",
+        content: maskSensitiveLine(line.trim()),
+        severity: getSeverity(patternDef.type),
+        entropy: calculateEntropy(secretValue).toFixed(2),
       });
     }
   }
@@ -113,25 +278,97 @@ function scanForSecrets(content, filePath) {
 }
 
 /**
- * Scan file for vulnerabilities
+ * Mask sensitive values in the line for safe display
+ */
+function maskSensitiveLine(line) {
+  // Mask potential secret values (keep first 4 and last 4 chars if long enough)
+  return line.replace(/(['"])[A-Za-z0-9_\-/+=]{12,}(['"])/g, (match, q1, q2) => {
+    const inner = match.slice(1, -1);
+    if (inner.length > 12) {
+      return `${q1}${inner.slice(0, 4)}****${inner.slice(-4)}${q2}`;
+    }
+    return `${q1}****${q2}`;
+  });
+}
+
+/**
+ * Get severity based on secret type
+ */
+function getSeverity(type) {
+  const criticalTypes = [
+    "AWS Access Key", "Stripe Live Key", "GitHub Personal Token", 
+    "GitHub OAuth Token", "Private Key", "Secret Key"
+  ];
+  const highTypes = [
+    "Google API Key", "Slack Bot Token", "MongoDB URL", 
+    "PostgreSQL URL", "MySQL URL", "Redis URL", "Password", "Auth Token"
+  ];
+  
+  if (criticalTypes.includes(type)) return "critical";
+  if (highTypes.includes(type)) return "high";
+  return "medium";
+}
+
+/**
+ * Scan file for vulnerabilities with context-aware filtering
  */
 function scanForVulnerabilities(content, filePath) {
   const vulnerabilities = [];
   const lines = content.split("\n");
+  const relativePath = path.relative(process.cwd(), filePath).replace(/\\/g, "/");
+  const lowerPath = relativePath.toLowerCase();
+  
+  // Skip test files for vulnerability scanning (tests often contain intentional "bad" patterns)
+  if (lowerPath.includes('.test.') || lowerPath.includes('.spec.') || 
+      lowerPath.includes('__tests__') || lowerPath.includes('__mocks__')) {
+    return vulnerabilities;
+  }
   
-  for (const pattern of VULNERABILITY_PATTERNS) {
-    const matches = content.matchAll(new RegExp(pattern.pattern.source, 'g'));
-    for (const match of matches) {
+  // Skip documentation and examples
+  if (lowerPath.endsWith('.md') || lowerPath.includes('/docs/') || 
+      lowerPath.includes('/examples/')) {
+    return vulnerabilities;
+  }
+  
+  for (const patternDef of VULNERABILITY_PATTERNS) {
+    const regex = new RegExp(patternDef.pattern.source, 'gi');
+    let match;
+    
+    while ((match = regex.exec(content)) !== null) {
       const lineNum = content.substring(0, match.index).split("\n").length;
-      const line = lines[lineNum - 1];
+      const line = lines[lineNum - 1] || '';
+      const lowerLine = line.toLowerCase();
+      
+      // Check context exclusions - skip if any exclusion pattern is present
+      if (patternDef.contextExclusions) {
+        const excluded = patternDef.contextExclusions.some(exclusion => 
+          lowerLine.includes(exclusion.toLowerCase())
+        );
+        if (excluded) continue;
+      }
+      
+      // Skip if the line is a comment
+      const trimmedLine = line.trim();
+      if (trimmedLine.startsWith('//') || trimmedLine.startsWith('/*') || 
+          trimmedLine.startsWith('*') || trimmedLine.startsWith('#')) {
+        continue;
+      }
+      
+      // Skip if in a multi-line comment context
+      const beforeMatch = content.substring(0, match.index);
+      const lastCommentStart = beforeMatch.lastIndexOf('/*');
+      const lastCommentEnd = beforeMatch.lastIndexOf('*/');
+      if (lastCommentStart > lastCommentEnd) {
+        continue; // We're inside a multi-line comment
+      }
       
       vulnerabilities.push({
-        type: pattern.type,
-        file: path.relative(process.cwd(), filePath).replace(/\\/g, "/"),
+        type: patternDef.type,
+        file: relativePath,
         line: lineNum,
-        content: line.trim(),
-        severity: pattern.severity || "medium",
-        recommendation: getRecommendation(pattern.type),
+        content: trimmedLine.substring(0, 100), // Limit line length
+        severity: patternDef.severity || "medium",
+        recommendation: getRecommendation(patternDef.type),
       });
     }
   }
@@ -144,13 +381,14 @@ function scanForVulnerabilities(content, filePath) {
  */
 function getRecommendation(type) {
   const recommendations = {
-    "SQL Injection": "Use parameterized queries or prepared statements",
-    "XSS Risk": "Sanitize user input and use textContent instead of innerHTML",
-    "Path Traversal": "Validate and sanitize file paths, use path.join()",
-    "Weak Hash": "Use stronger hashing algorithms like bcrypt or Argon2",
-    "Hardcoded Credentials": "Use environment variables for credentials",
-    "Password in Log": "Remove sensitive data from logs",
-    "Token in Log": "Remove sensitive data from logs",
+    "SQL Injection": "Use parameterized queries or prepared statements. Never concatenate user input into SQL.",
+    "XSS Risk": "Sanitize user input with DOMPurify or similar. Use textContent instead of innerHTML when possible.",
+    "Path Traversal": "Validate and sanitize file paths. Use path.join() and verify paths don't escape the base directory.",
+    "Weak Password Hash": "Use bcrypt, Argon2, or scrypt for password hashing. MD5/SHA1 are cryptographically broken.",
+    "Hardcoded Credentials": "Use environment variables or a secrets manager. Never commit credentials to version control.",
+    "Sensitive Data in Log": "Remove or mask sensitive data before logging. Use structured logging with redaction.",
+    "Code Injection": "Never use eval() with user input. Consider safer alternatives like JSON.parse() or a sandboxed environment.",
+    "Insecure Random": "Use crypto.randomBytes() or crypto.randomUUID() for security-sensitive random values.",
   };
   
   return recommendations[type] || "Review and fix the security issue";