@vibecheckai/cli 3.2.2 → 3.2.4

package/bin/runners/lib/engines/performance-issues-engine.js

@@ -0,0 +1,265 @@
+/**
+ * Performance Issues Detection Engine
+ * Detects memory leaks, inefficient loops, large bundle sizes, and performance anti-patterns
+ */
+
+const { getAST } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { shouldExcludeFile } = require("./file-filter");
+
+/**
+ * Analyze a file for performance issues
+ */
+function analyzePerformanceIssues(code, filePath) {
+  const findings = [];
+  
+  // Skip excluded files
+  if (shouldExcludeFile(filePath)) return findings;
+  
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+
+  const lines = code.split("\n");
+
+  // Memory leaks: Event listeners not removed
+  traverse(ast, {
+    CallExpression(path) {
+      const node = path.node;
+      
+      // Check for addEventListener without corresponding removeEventListener
+      if (t.isMemberExpression(node.callee)) {
+        const prop = node.callee.property;
+        
+        if (t.isIdentifier(prop) && prop.name === "addEventListener") {
+          // Check if there's a corresponding removeEventListener in the same scope
+          const scope = path.scope;
+          const hasRemoveListener = scope.getAllBindings().some((binding, name) => {
+            return name.includes("removeEventListener") || name.includes("removeListener");
+          });
+          
+          // Also check if it's in a useEffect cleanup (React)
+          const parent = path.findParent(p => 
+            t.isCallExpression(p.node) && 
+            t.isIdentifier(p.node.callee, { name: "useEffect" })
+          );
+          
+          if (!hasRemoveListener && !parent) {
+            const line = node.loc.start.line;
+            findings.push({
+              type: "memory_leak",
+              severity: "WARN",
+              category: "Performance",
+              file: filePath,
+              line,
+              column: node.loc.start.column,
+              title: "Potential memory leak: Event listener not removed",
+              message: "addEventListener called without corresponding removeEventListener",
+              codeSnippet: lines[line - 1]?.trim(),
+              confidence: "med",
+            });
+          }
+        }
+      }
+    },
+  });
+
+  // Inefficient loops: nested loops with O(n²) complexity
+  // Only flag if depth >= 4 (3 levels is often acceptable)
+  let loopDepth = 0;
+  traverse(ast, {
+    enter(path) {
+      if (t.isForStatement(path.node) || 
+          t.isForInStatement(path.node) || 
+          t.isForOfStatement(path.node) ||
+          t.isWhileStatement(path.node)) {
+        loopDepth++;
+        
+        // Only flag deeply nested loops (4+ levels)
+        if (loopDepth >= 4) {
+          const line = path.node.loc.start.line;
+          findings.push({
+            type: "nested_loops",
+            severity: "WARN",
+            category: "Performance",
+            file: filePath,
+            line,
+            column: path.node.loc.start.column,
+            title: "Deeply nested loops detected",
+            message: `Nested loop depth: ${loopDepth} - consider optimizing with early returns or data structures`,
+            codeSnippet: lines[line - 1]?.trim(),
+            confidence: "med",
+          });
+        }
+      }
+    },
+    exit(path) {
+      if (t.isForStatement(path.node) || 
+          t.isForInStatement(path.node) || 
+          t.isForOfStatement(path.node) ||
+          t.isWhileStatement(path.node)) {
+        loopDepth--;
+      }
+    },
+  });
+
+  // Large array operations without pagination
+  // Only flag if it's clearly a large dataset from API
+  traverse(ast, {
+    CallExpression(path) {
+      const node = path.node;
+      
+      // Array methods that process all elements
+      if (t.isMemberExpression(node.callee)) {
+        const prop = node.callee.property;
+        
+        if (t.isIdentifier(prop) && 
+            ["map", "filter", "forEach", "reduce"].includes(prop.name)) {
+          
+          // Only flag if array comes directly from fetch AND there's no pagination logic nearby
+          const obj = node.callee.object;
+          if (t.isCallExpression(obj) && 
+              t.isIdentifier(obj.callee, { name: "fetch" })) {
+            
+            // Check if there's pagination logic in the same function
+            const functionParent = path.findParent(p => 
+              t.isFunctionDeclaration(p.node) || 
+              t.isArrowFunctionExpression(p.node) ||
+              t.isFunctionExpression(p.node)
+            );
+            
+            if (functionParent) {
+              const funcCode = code.substring(functionParent.node.start, functionParent.node.end);
+              const hasPagination = /page|limit|offset|pagination/i.test(funcCode);
+              
+              if (!hasPagination) {
+                const line = node.loc.start.line;
+                findings.push({
+                  type: "large_array_operation",
+                  severity: "WARN",
+                  category: "Performance",
+                  file: filePath,
+                  line,
+                  column: node.loc.start.column,
+                  title: "Large array operation without pagination",
+                  message: "Processing entire dataset from API - consider pagination or server-side filtering",
+                  codeSnippet: lines[line - 1]?.trim(),
+                  confidence: "low",
+                });
+              }
+            }
+          }
+        }
+      }
+    },
+  });
+
+  // Synchronous file operations in async contexts
+  traverse(ast, {
+    CallExpression(path) {
+      const node = path.node;
+      
+      if (t.isMemberExpression(node.callee) && 
+          t.isIdentifier(node.callee.object, { name: "fs" })) {
+        const prop = node.callee.property;
+        
+        if (t.isIdentifier(prop) && prop.name.endsWith("Sync")) {
+          // Check if we're in an async function
+          const asyncParent = path.findParent(p => 
+            t.isFunctionDeclaration(p.node) || t.isArrowFunctionExpression(p.node)
+          );
+          
+          if (asyncParent && asyncParent.node.async) {
+            const line = node.loc.start.line;
+            findings.push({
+              type: "sync_in_async",
+              severity: "WARN",
+              category: "Performance",
+              file: filePath,
+              line,
+              column: node.loc.start.column,
+              title: "Synchronous operation in async context",
+              message: `Using ${prop.name} in async function - use async version instead`,
+              codeSnippet: lines[line - 1]?.trim(),
+              confidence: "med",
+            });
+          }
+        }
+      }
+    },
+  });
+
+  // Unnecessary re-renders: setState in render
+  traverse(ast, {
+    CallExpression(path) {
+      const node = path.node;
+      
+      if (t.isMemberExpression(node.callee)) {
+        const prop = node.callee.property;
+        
+        if (t.isIdentifier(prop) && 
+            (prop.name.startsWith("set") || prop.name === "forceUpdate")) {
+          
+          // Check if we're in a render function or component body
+          const functionParent = path.findParent(p => 
+            t.isFunctionDeclaration(p.node) || t.isArrowFunctionExpression(p.node)
+          );
+          
+          if (functionParent) {
+            const funcName = functionParent.node.id?.name || "";
+            if (funcName.includes("render") || funcName.includes("Render")) {
+              const line = node.loc.start.line;
+              findings.push({
+                type: "setstate_in_render",
+                severity: "WARN",
+                category: "Performance",
+                file: filePath,
+                line,
+                column: node.loc.start.column,
+                title: "State update in render function",
+                message: "Calling setState in render causes infinite re-render loop",
+                codeSnippet: lines[line - 1]?.trim(),
+                confidence: "high",
+              });
+            }
+          }
+        }
+      }
+    },
+  });
+
+  // Large bundle imports: importing entire libraries
+  traverse(ast, {
+    ImportDeclaration(path) {
+      const node = path.node;
+      
+      // Check for wildcard imports from large libraries
+      if (node.specifiers.some(s => t.isImportNamespaceSpecifier(s))) {
+        const source = node.source.value;
+        const largeLibraries = ["lodash", "moment", "rxjs", "ramda"];
+        
+        if (largeLibraries.some(lib => source.includes(lib))) {
+          const line = node.loc.start.line;
+          findings.push({
+            type: "large_import",
+            severity: "WARN",
+            category: "Performance",
+            file: filePath,
+            line,
+            column: node.loc.start.column,
+            title: "Large library import",
+            message: `Importing entire ${source} library - use tree-shaking or import specific functions`,
+            codeSnippet: lines[line - 1]?.trim(),
+            confidence: "med",
+          });
+        }
+      }
+    },
+  });
+
+  return findings;
+}
+
+module.exports = {
+  analyzePerformanceIssues,
+};

package/bin/runners/lib/engines/security-vulnerabilities-engine.js

@@ -0,0 +1,243 @@
+/**
+ * Security Vulnerabilities Detection Engine
+ * Detects SQL injection, XSS, command injection, path traversal, and other security issues
+ */
+
+const { getAST } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { shouldExcludeFile } = require("./file-filter");
+
+/**
+ * Analyze a file for security vulnerabilities
+ */
+function analyzeSecurityVulnerabilities(code, filePath) {
+  const findings = [];
+  
+  // Skip excluded files
+  if (shouldExcludeFile(filePath)) return findings;
+  
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+
+  const lines = code.split("\n");
+
+  // SQL Injection patterns
+  traverse(ast, {
+    CallExpression(path) {
+      const node = path.node;
+      
+      // Check for SQL query construction with user input
+      if (t.isMemberExpression(node.callee)) {
+        const obj = node.callee.object;
+        const prop = node.callee.property;
+        
+        // Database query methods
+        if (t.isIdentifier(prop) && 
+            ["query", "execute", "exec", "run"].includes(prop.name)) {
+          
+          // Check if arguments contain template literals or string concatenation
+          for (const arg of node.arguments) {
+            if (t.isTemplateLiteral(arg) || 
+                (t.isBinaryExpression(arg) && arg.operator === "+")) {
+              const line = node.loc.start.line;
+              findings.push({
+                type: "sql_injection",
+                severity: "BLOCK",
+                category: "Security",
+                file: filePath,
+                line,
+                column: node.loc.start.column,
+                title: "Potential SQL injection vulnerability",
+                message: "SQL query constructed with user input without parameterization",
+                codeSnippet: lines[line - 1]?.trim(),
+                confidence: "high",
+              });
+              break;
+            }
+          }
+        }
+      }
+    },
+  });
+
+  // XSS vulnerabilities
+  traverse(ast, {
+    CallExpression(path) {
+      const node = path.node;
+      
+      // Dangerous DOM manipulation methods
+      if (t.isMemberExpression(node.callee)) {
+        const obj = node.callee.object;
+        const prop = node.callee.property;
+        
+        if (t.isIdentifier(prop) && 
+            ["innerHTML", "outerHTML", "insertAdjacentHTML"].includes(prop.name)) {
+          
+          // Check if argument comes from user input or URL params
+          for (const arg of node.arguments) {
+            if (t.isIdentifier(arg) || t.isMemberExpression(arg)) {
+              const line = node.loc.start.line;
+              findings.push({
+                type: "xss",
+                severity: "BLOCK",
+                category: "Security",
+                file: filePath,
+                line,
+                column: node.loc.start.column,
+                title: "Potential XSS vulnerability",
+                message: `Using ${prop.name} with potentially unsafe content`,
+                codeSnippet: lines[line - 1]?.trim(),
+                confidence: "med",
+              });
+              break;
+            }
+          }
+        }
+      }
+    },
+  });
+
+  // Command injection
+  traverse(ast, {
+    CallExpression(path) {
+      const node = path.node;
+      
+      // Dangerous command execution methods
+      if (t.isIdentifier(node.callee)) {
+        const dangerousMethods = ["exec", "spawn", "execSync", "spawnSync"];
+        
+        if (dangerousMethods.includes(node.callee.name)) {
+          // Check if arguments contain user input
+          for (const arg of node.arguments) {
+            if (t.isTemplateLiteral(arg) || 
+                (t.isBinaryExpression(arg) && arg.operator === "+")) {
+              const line = node.loc.start.line;
+              findings.push({
+                type: "command_injection",
+                severity: "BLOCK",
+                category: "Security",
+                file: filePath,
+                line,
+                column: node.loc.start.column,
+                title: "Potential command injection vulnerability",
+                message: "Command execution with potentially unsafe user input",
+                codeSnippet: lines[line - 1]?.trim(),
+                confidence: "high",
+              });
+              break;
+            }
+          }
+        }
+      }
+    },
+  });
+
+  // Path traversal
+  traverse(ast, {
+    CallExpression(path) {
+      const node = path.node;
+      
+      // File system operations
+      if (t.isMemberExpression(node.callee) && 
+          t.isIdentifier(node.callee.object, { name: "fs" })) {
+        const prop = node.callee.property;
+        
+        if (t.isIdentifier(prop) && 
+            ["readFile", "writeFile", "readFileSync", "writeFileSync", "unlink"].includes(prop.name)) {
+          
+          // Check if path contains user input or "../"
+          for (const arg of node.arguments) {
+            if (t.isTemplateLiteral(arg)) {
+              const template = code.substring(arg.start, arg.end);
+              if (template.includes("../") || template.includes("..\\")) {
+                const line = node.loc.start.line;
+                findings.push({
+                  type: "path_traversal",
+                  severity: "BLOCK",
+                  category: "Security",
+                  file: filePath,
+                  line,
+                  column: node.loc.start.column,
+                  title: "Potential path traversal vulnerability",
+                  message: "File operation with path containing '..' - validate and sanitize paths",
+                  codeSnippet: lines[line - 1]?.trim(),
+                  confidence: "high",
+                });
+                break;
+              }
+            }
+          }
+        }
+      }
+    },
+  });
+
+  // Insecure random number generation
+  traverse(ast, {
+    CallExpression(path) {
+      const node = path.node;
+      
+      if (t.isMemberExpression(node.callee) && 
+          t.isIdentifier(node.callee.object, { name: "Math" }) &&
+          t.isIdentifier(node.callee.property, { name: "random" })) {
+        
+        // Check if used for security-sensitive purposes (crypto, tokens, etc.)
+        const parent = path.parentPath;
+        if (parent && parent.isCallExpression()) {
+          const parentCallee = parent.node.callee;
+          if (t.isMemberExpression(parentCallee) && 
+              t.isIdentifier(parentCallee.object, { name: "crypto" })) {
+            const line = node.loc.start.line;
+            findings.push({
+              type: "insecure_random",
+              severity: "WARN",
+              category: "Security",
+              file: filePath,
+              line,
+              column: node.loc.start.column,
+              title: "Insecure random number generation",
+              message: "Math.random() is not cryptographically secure - use crypto.randomBytes()",
+              codeSnippet: lines[line - 1]?.trim(),
+              confidence: "high",
+            });
+          }
+        }
+      }
+    },
+  });
+
+  // Weak encryption algorithms
+  const weakCryptoPatterns = [
+    /crypto\.createHash\s*\(\s*['"]md5['"]/i,
+    /crypto\.createHash\s*\(\s*['"]sha1['"]/i,
+    /crypto\.createCipher\s*\(/i, // Deprecated, insecure
+  ];
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    for (const pattern of weakCryptoPatterns) {
+      if (pattern.test(line)) {
+        findings.push({
+          type: "weak_crypto",
+          severity: "WARN",
+          category: "Security",
+          file: filePath,
+          line: i + 1,
+          column: 0,
+          title: "Weak or deprecated encryption algorithm",
+          message: "MD5, SHA1, or createCipher are insecure - use modern algorithms",
+          codeSnippet: line.trim(),
+          confidence: "high",
+        });
+        break;
+      }
+    }
+  }
+
+  return findings;
+}
+
+module.exports = {
+  analyzeSecurityVulnerabilities,
+};

package/bin/runners/lib/engines/todo-fixme-engine.js

@@ -0,0 +1,115 @@
+/**
+ * TODO/FIXME Detection Engine
+ * Uses AST analysis to detect TODO/FIXME comments with better context
+ */
+
+const { getAST, parseCode } = require("./ast-cache");
+const traverse = require("@babel/traverse").default;
+const t = require("@babel/types");
+const { shouldExcludeFile } = require("./file-filter");
+
+/**
+ * Check if comment contains TODO/FIXME markers
+ */
+function extractTodoMarkers(comment) {
+  const text = comment.value || "";
+  const markers = [];
+  
+  // Block comments can have multiple markers
+  const patterns = [
+    { rx: /\bTODO\b[\s:]/i, type: "TODO", severity: "WARN" },
+    { rx: /\bFIXME\b[\s:]/i, type: "FIXME", severity: "WARN" },
+    { rx: /\bHACK\b[\s:]/i, type: "HACK", severity: "WARN" },
+    { rx: /\bXXX\b[\s:]/i, type: "XXX", severity: "WARN" },
+    { rx: /\bBUG\b[\s:]/i, type: "BUG", severity: "BLOCK" },
+    { rx: /\bBROKEN\b[\s:]/i, type: "BROKEN", severity: "BLOCK" },
+    { rx: /\bURGENT\b[\s:]/i, type: "URGENT", severity: "BLOCK" },
+    { rx: /\bSECURITY\b[\s:]/i, type: "SECURITY", severity: "BLOCK" },
+    { rx: /\bDANGER\b[\s:]/i, type: "DANGER", severity: "BLOCK" },
+  ];
+  
+  for (const { rx, type, severity } of patterns) {
+    if (rx.test(text)) {
+      const match = text.match(rx);
+      const afterMarker = text.substring(text.indexOf(match[0]) + match[0].length).trim();
+      markers.push({
+        type,
+        severity,
+        text: afterMarker.substring(0, 100), // First 100 chars
+        fullText: text,
+      });
+    }
+  }
+  
+  return markers;
+}
+
+/**
+ * Analyze a file for TODO/FIXME comments
+ */
+function analyzeTodoFixme(code, filePath) {
+  const findings = [];
+  
+  // Skip excluded files
+  if (shouldExcludeFile(filePath)) return findings;
+  
+  const ast = getAST(code, filePath);
+  if (!ast) return findings;
+
+  const lines = code.split("\n");
+  const MAX_FINDINGS = 20;
+  
+  // Process all comments
+  const comments = ast.comments || [];
+  let todoCount = 0;
+  let fixmeCount = 0;
+  
+  for (const comment of comments) {
+    const markers = extractTodoMarkers(comment);
+    
+    for (const marker of markers) {
+      if (marker.type === "TODO") todoCount++;
+      if (marker.type === "FIXME") fixmeCount++;
+      
+      if (findings.length < MAX_FINDINGS) {
+        const line = comment.loc.start.line;
+        const snippet = lines[line - 1]?.trim() || "";
+        
+        findings.push({
+          type: marker.type.toLowerCase(),
+          severity: marker.severity,
+          category: "TodoFixme",
+          file: filePath,
+          line,
+          column: comment.loc.start.column,
+          title: `${marker.type} comment`,
+          message: marker.text || marker.type,
+          codeSnippet: snippet.substring(0, 80),
+          confidence: "high",
+        });
+      }
+    }
+  }
+  
+  // Add summary if there are many
+  const totalTodos = todoCount + fixmeCount;
+  if (totalTodos > MAX_FINDINGS) {
+    findings.push({
+      type: "summary",
+      severity: "WARN",
+      category: "TodoFixme",
+      file: filePath,
+      line: 0,
+      title: `${totalTodos} TODO/FIXME comments found (${totalTodos - MAX_FINDINGS} more not shown)`,
+      message: `Found ${totalTodos} TODO/FIXME comments in this file`,
+      confidence: "high",
+    });
+  }
+  
+  return findings;
+}
+
+module.exports = {
+  analyzeTodoFixme,
+  parseCode,
+};