@vibecheckai/cli 3.2.2 → 3.2.4

package/bin/runners/lib/engines/hardcoded-secrets-engine.js

@@ -0,0 +1,251 @@
+/**
+ * Hardcoded Secrets Detection Engine
+ * Uses AST analysis + entropy to detect hardcoded secrets
+ */
+
+const { getAST, parseCode } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const crypto = require("crypto");
+const { shouldExcludeFile } = require("./file-filter");
+
+/**
+ * Calculate Shannon entropy for a string
+ */
+function getShannonEntropy(str) {
+  if (!str || str.length === 0) return 0;
+  const len = str.length;
+  const frequencies = {};
+  for (let i = 0; i < len; i++) {
+    const char = str[i];
+    frequencies[char] = (frequencies[char] || 0) + 1;
+  }
+  
+  let entropy = 0;
+  for (const char in frequencies) {
+    const p = frequencies[char] / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+
+/**
+ * Specific secret patterns (high confidence, no entropy needed)
+ */
+const SPECIFIC_PATTERNS = [
+  {
+    pattern: /^sk_live_[a-zA-Z0-9]{20,}$/,
+    label: "Stripe live secret key",
+    severity: "BLOCK",
+  },
+  {
+    pattern: /^sk_test_[a-zA-Z0-9]{20,}$/,
+    label: "Stripe test secret key",
+    severity: "WARN",
+  },
+  {
+    pattern: /^pk_live_[a-zA-Z0-9]{20,}$/,
+    label: "Stripe live publishable key",
+    severity: "BLOCK",
+  },
+  {
+    pattern: /^AKIA[0-9A-Z]{16}$/,
+    label: "AWS Access Key ID",
+    severity: "BLOCK",
+  },
+  {
+    pattern: /^ghp_[a-zA-Z0-9]{36}$/,
+    label: "GitHub Personal Access Token",
+    severity: "BLOCK",
+  },
+  {
+    pattern: /^gho_[a-zA-Z0-9]{36}$/,
+    label: "GitHub OAuth Token",
+    severity: "BLOCK",
+  },
+  {
+    pattern: /^xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}$/,
+    label: "Slack Token",
+    severity: "BLOCK",
+  },
+  {
+    pattern: /^eyJ[a-zA-Z0-9_-]{100,}\.[a-zA-Z0-9_-]{100,}\.[a-zA-Z0-9_-]{43,}$/,
+    label: "JWT Token (hardcoded)",
+    severity: "WARN",
+  },
+];
+
+/**
+ * Check if string matches a specific secret pattern
+ */
+function matchesSpecificPattern(value) {
+  for (const { pattern, label, severity } of SPECIFIC_PATTERNS) {
+    if (pattern.test(value)) {
+      return { label, severity, confidence: "high" };
+    }
+  }
+  return null;
+}
+
+/**
+ * Check if string looks like a secret based on context and entropy
+ */
+function looksLikeSecret(value, context = {}) {
+  // Skip common false positives
+  if (/^(undefined|null|true|false|localhost|example|placeholder|test|demo|development|production)$/i.test(value)) {
+    return null;
+  }
+  
+  // Skip hex-only strings (likely Git SHAs, image IDs, hashes)
+  if (/^[a-f0-9]{32,}$/i.test(value)) {
+    return null;
+  }
+  
+  // Skip UUIDs (they have high entropy but are not secrets)
+  if (/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(value)) {
+    return null;
+  }
+  
+  // Skip common test/example values
+  if (/^(test|example|sample|demo|placeholder|foo|bar|baz|qux)/i.test(value)) {
+    return null;
+  }
+  
+  // Check entropy
+  const entropy = getShannonEntropy(value);
+  
+  // Context-based checks - require explicit secret context
+  const hasSecretContext = 
+    context.variableName && /(password|secret|key|token|credential|api[_-]?key|private[_-]?key|access[_-]?token)/i.test(context.variableName);
+  
+  // Only flag if we have explicit secret context AND high entropy
+  if (hasSecretContext && value.length >= 12 && entropy >= 4.0) {
+    return {
+      label: `Hardcoded ${context.variableName.match(/(password|secret|key|token|credential|api[_-]?key|private[_-]?key|access[_-]?token)/i)?.[0] || "secret"}`,
+      severity: "WARN",
+      confidence: "med",
+      entropy,
+    };
+  }
+  
+  // Generic high entropy check - be more conservative (require longer strings and higher entropy)
+  if (entropy >= 5.0 && value.length >= 32) {
+    return {
+      label: "Possible hardcoded secret (high entropy)",
+      severity: "WARN",
+      confidence: "low",
+      entropy,
+    };
+  }
+  
+  return null;
+}
+
+/**
+ * Analyze a file for hardcoded secrets
+ */
+function analyzeHardcodedSecrets(code, filePath) {
+  const findings = [];
+  
+  // Skip excluded files (includes .env files)
+  if (shouldExcludeFile(filePath)) return findings;
+  
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+
+  const lines = code.split("\n");
+
+  traverse(ast, {
+    // Check string literals
+    StringLiteral(path) {
+      const value = path.node.value;
+      if (!value || value.length < 8) return;
+      
+      // Check specific patterns first
+      const specificMatch = matchesSpecificPattern(value);
+      if (specificMatch) {
+        const line = path.node.loc.start.line;
+        findings.push({
+          type: "specific_secret",
+          severity: specificMatch.severity,
+          category: "HardcodedSecret",
+          file: filePath,
+          line,
+          column: path.node.loc.start.column,
+          title: `${specificMatch.label} detected`,
+          message: `${specificMatch.label} found in code`,
+          codeSnippet: lines[line - 1]?.trim(),
+          confidence: specificMatch.confidence,
+        });
+        return;
+      }
+      
+      // Check generic patterns with context
+      const parent = path.parent;
+      let variableName = null;
+      
+      if (t.isVariableDeclarator(parent)) {
+        variableName = parent.id.name;
+      } else if (t.isObjectProperty(parent)) {
+        variableName = t.isIdentifier(parent.key) ? parent.key.name : null;
+      } else if (t.isAssignmentExpression(parent)) {
+        if (t.isIdentifier(parent.left)) {
+          variableName = parent.left.name;
+        }
+      }
+      
+      const secretMatch = looksLikeSecret(value, { variableName });
+      if (secretMatch) {
+        const line = path.node.loc.start.line;
+        findings.push({
+          type: "generic_secret",
+          severity: secretMatch.severity,
+          category: "HardcodedSecret",
+          file: filePath,
+          line,
+          column: path.node.loc.start.column,
+          title: secretMatch.label,
+          message: `High entropy string (${secretMatch.entropy.toFixed(2)}) detected${variableName ? ` in variable "${variableName}"` : ""}`,
+          codeSnippet: lines[line - 1]?.trim(),
+          confidence: secretMatch.confidence,
+        });
+      }
+    },
+
+    // Check template literals
+    TemplateLiteral(path) {
+      const quasis = path.node.quasis;
+      for (const quasi of quasis) {
+        if (quasi.value && quasi.value.raw) {
+          const value = quasi.value.raw;
+          if (value.length >= 8) {
+            const specificMatch = matchesSpecificPattern(value);
+            if (specificMatch) {
+              const line = path.node.loc.start.line;
+              findings.push({
+                type: "specific_secret",
+                severity: specificMatch.severity,
+                category: "HardcodedSecret",
+                file: filePath,
+                line,
+                column: path.node.loc.start.column,
+                title: `${specificMatch.label} detected`,
+                message: `${specificMatch.label} found in template literal`,
+                codeSnippet: lines[line - 1]?.trim(),
+                confidence: specificMatch.confidence,
+              });
+            }
+          }
+        }
+      }
+    },
+  });
+
+  return findings;
+}
+
+module.exports = {
+  analyzeHardcodedSecrets,
+  parseCode,
+  getShannonEntropy,
+};

package/bin/runners/lib/engines/mock-data-engine.js

@@ -0,0 +1,272 @@
+/**
+ * Mock Data Detection Engine
+ * Uses AST analysis to detect mock/test data patterns in production code
+ */
+
+const { getAST, parseCode } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { shouldExcludeFile } = require("./file-filter");
+
+/**
+ * Check if a string literal looks like mock/test data
+ */
+function isMockString(value) {
+  if (typeof value !== "string") return false;
+  
+  const lower = value.toLowerCase();
+  
+  // Mock data patterns
+  const mockPatterns = [
+    /^(fake|mock|dummy|test|sample|placeholder)[_-]?/i,
+    /@(test|example|fake|demo)\.com$/i,
+    /^(password|admin|test|secret)123$/i,
+    /^test@/i,
+    /^(MOCK|FAKE|DUMMY)_API/i,
+  ];
+  
+  return mockPatterns.some(pattern => pattern.test(value));
+}
+
+/**
+ * Check if a variable name suggests mock data
+ * Be more conservative - only flag explicit mock/test data variables
+ */
+function isMockVariableName(name) {
+  if (!name || typeof name !== "string") return false;
+  
+  const lower = name.toLowerCase();
+  
+  // Only flag explicit mock/test data variable names (exact matches or explicit prefixes)
+  const mockNamePatterns = [
+    /^(fake|mock|dummy)[_-]?(data|user|api|response|value|input)$/i, // Explicit mock prefixes
+    /^mockData$/i,
+    /^fakeData$/i,
+  ];
+  
+  // Exclude common legitimate patterns
+  const legitimatePatterns = [
+    /sample/i, // "sample" is often legitimate
+    /example/i, // "example" is often legitimate
+    /demo/i, // "demo" is often legitimate
+    /test/i, // "test" alone is often legitimate
+  ];
+  
+  // Don't flag if it matches legitimate patterns
+  if (legitimatePatterns.some(pattern => pattern.test(name))) {
+    return false;
+  }
+  
+  return mockNamePatterns.some(pattern => pattern.test(name));
+}
+
+/**
+ * Check if a call expression is generating random/mock data
+ */
+function isRandomDataGeneration(node) {
+  if (!t.isCallExpression(node)) return false;
+  
+  const callee = node.callee;
+  
+  // Math.random() with multiplication
+  if (t.isMemberExpression(callee) &&
+      t.isIdentifier(callee.object) && callee.object.name === "Math" &&
+      t.isIdentifier(callee.property) && callee.property.name === "random") {
+    
+    // Check parent for multiplication or comparison
+    const parent = node.parent;
+    if (t.isBinaryExpression(parent) && 
+        (parent.operator === "*" || parent.operator === "<" || parent.operator === ">")) {
+      return true;
+    }
+  }
+  
+  return false;
+}
+
+/**
+ * Check if setTimeout has suspiciously long delays (simulated delays)
+ */
+function isSuspiciousSetTimeout(node) {
+  if (!t.isCallExpression(node)) return false;
+  
+  const callee = node.callee;
+  if (!t.isIdentifier(callee) || callee.name !== "setTimeout") return false;
+  
+  const args = node.arguments;
+  if (args.length < 2) return false;
+  
+  // Check delay argument
+  const delay = args[1];
+  if (t.isNumericLiteral(delay)) {
+    // Suspicious if > 5000ms (5 seconds)
+    return delay.value > 5000;
+  }
+  
+  return false;
+}
+
+/**
+ * Analyze a file for mock data patterns
+ */
+function analyzeMockData(code, filePath) {
+  const findings = [];
+  
+  // Skip excluded files (test files, examples, etc.)
+  if (shouldExcludeFile(filePath)) return findings;
+  
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+
+  const lines = code.split("\n");
+
+  traverse(ast, {
+    // Check variable declarations
+    VariableDeclarator(path) {
+      const id = path.node.id;
+      const init = path.node.init;
+      
+      // Check variable name
+      if (t.isIdentifier(id) && isMockVariableName(id.name)) {
+        const line = getLineNumber(path.node, code);
+        findings.push({
+          type: "mock_variable",
+          severity: "WARN",
+          category: "MockData",
+          file: filePath,
+          line,
+          column: path.node.loc.start.column,
+          title: `Mock data variable: ${id.name}`,
+          message: `Variable name suggests mock/test data: ${id.name}`,
+          codeSnippet: lines[line - 1]?.trim(),
+          confidence: "high",
+        });
+      }
+      
+      // Check initializer value
+      if (init && t.isStringLiteral(init) && isMockString(init.value)) {
+        const line = getLineNumber(path.node, code);
+        findings.push({
+          type: "mock_string_literal",
+          severity: "WARN",
+          category: "MockData",
+          file: filePath,
+          line,
+          column: path.node.loc.start.column,
+          title: "Mock/test string literal detected",
+          message: `String value appears to be mock data: "${init.value.substring(0, 50)}"`,
+          codeSnippet: lines[line - 1]?.trim(),
+          confidence: "med",
+        });
+      }
+    },
+
+    // Check object properties
+    ObjectProperty(path) {
+      const key = path.node.key;
+      const value = path.node.value;
+      
+      if (t.isIdentifier(key) && isMockVariableName(key.name)) {
+        const line = getLineNumber(path.node, code);
+        findings.push({
+          type: "mock_object_property",
+          severity: "WARN",
+          category: "MockData",
+          file: filePath,
+          line,
+          column: path.node.loc.start.column,
+          title: `Mock data property: ${key.name}`,
+          message: `Object property name suggests mock data: ${key.name}`,
+          codeSnippet: lines[line - 1]?.trim(),
+          confidence: "med",
+        });
+      }
+      
+      if (t.isStringLiteral(value) && isMockString(value.value)) {
+        const line = getLineNumber(path.node, code);
+        findings.push({
+          type: "mock_property_value",
+          severity: "WARN",
+          category: "MockData",
+          file: filePath,
+          line,
+          column: path.node.loc.start.column,
+          title: "Mock string in object property",
+          message: `Property value appears to be mock data: "${value.value.substring(0, 50)}"`,
+          codeSnippet: lines[line - 1]?.trim(),
+          confidence: "med",
+        });
+      }
+    },
+
+    // Check call expressions for random data generation
+    CallExpression(path) {
+      if (isRandomDataGeneration(path.node)) {
+        const line = getLineNumber(path.node, code);
+        findings.push({
+          type: "random_data_generation",
+          severity: "WARN",
+          category: "MockData",
+          file: filePath,
+          line,
+          column: path.node.loc.start.column,
+          title: "Random data generation detected",
+          message: "Math.random() used for data generation (may be mock data)",
+          codeSnippet: lines[line - 1]?.trim(),
+          confidence: "low",
+        });
+      }
+      
+      if (isSuspiciousSetTimeout(path.node)) {
+        const line = getLineNumber(path.node, code);
+        findings.push({
+          type: "suspicious_settimeout",
+          severity: "WARN",
+          category: "MockData",
+          file: filePath,
+          line,
+          column: path.node.loc.start.column,
+          title: "Long setTimeout delay (possible simulated delay)",
+          message: "setTimeout with delay > 5000ms may indicate simulated/mock behavior",
+          codeSnippet: lines[line - 1]?.trim(),
+          confidence: "low",
+        });
+      }
+    },
+
+    // Check template literals
+    TemplateLiteral(path) {
+      const quasis = path.node.quasis;
+      for (const quasi of quasis) {
+        if (quasi.value && isMockString(quasi.value.raw)) {
+          const line = getLineNumber(path.node, code);
+          findings.push({
+            type: "mock_template_literal",
+            severity: "WARN",
+            category: "MockData",
+            file: filePath,
+            line,
+            column: path.node.loc.start.column,
+            title: "Mock data in template literal",
+            message: `Template literal contains mock/test data pattern`,
+            codeSnippet: lines[line - 1]?.trim(),
+            confidence: "med",
+          });
+          break;
+        }
+      }
+    },
+  });
+
+  return findings;
+}
+
+function getLineNumber(node, code) {
+  if (!node || !node.loc) return 1;
+  return node.loc.start.line;
+}
+
+module.exports = {
+  analyzeMockData,
+  parseCode,
+};

package/bin/runners/lib/engines/parallel-processor.js

@@ -0,0 +1,71 @@
+/**
+ * Parallel File Processor
+ * Processes files in parallel with configurable concurrency
+ */
+
+const os = require("os");
+
+/**
+ * Process files in parallel batches
+ */
+async function processFilesInParallel(files, processor, options = {}) {
+  const {
+    concurrency = Math.min(os.cpus().length, 8), // Default to CPU count, max 8
+    onProgress = null,
+  } = options;
+
+  const results = [];
+  const errors = [];
+  
+  // Process in batches
+  for (let i = 0; i < files.length; i += concurrency) {
+    const batch = files.slice(i, i + concurrency);
+    
+    const batchPromises = batch.map(async (file, index) => {
+      try {
+        const result = await processor(file);
+        if (onProgress) {
+          onProgress(i + index + 1, files.length);
+        }
+        return { file, result, error: null };
+      } catch (error) {
+        errors.push({ file, error });
+        return { file, result: null, error };
+      }
+    });
+    
+    const batchResults = await Promise.all(batchPromises);
+    results.push(...batchResults);
+  }
+  
+  return { results, errors };
+}
+
+/**
+ * Process files sequentially (fallback)
+ */
+async function processFilesSequentially(files, processor, onProgress = null) {
+  const results = [];
+  const errors = [];
+  
+  for (let i = 0; i < files.length; i++) {
+    const file = files[i];
+    try {
+      const result = await processor(file);
+      if (onProgress) {
+        onProgress(i + 1, files.length);
+      }
+      results.push({ file, result, error: null });
+    } catch (error) {
+      errors.push({ file, error });
+      results.push({ file, result: null, error });
+    }
+  }
+  
+  return { results, errors };
+}
+
+module.exports = {
+  processFilesInParallel,
+  processFilesSequentially,
+};