acidtest 0.7.0 → 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/workflows/acidtest-pr-comment.yml +219 -0
- package/README.md +155 -30
- package/dist/analysis/dataflow-graph.d.ts +19 -0
- package/dist/analysis/dataflow-graph.d.ts.map +1 -0
- package/dist/analysis/dataflow-graph.js +365 -0
- package/dist/analysis/dataflow-graph.js.map +1 -0
- package/dist/analysis/dataflow-types.d.ts +86 -0
- package/dist/analysis/dataflow-types.d.ts.map +1 -0
- package/dist/analysis/dataflow-types.js +8 -0
- package/dist/analysis/dataflow-types.js.map +1 -0
- package/dist/analysis/dataflow.test.d.ts +7 -0
- package/dist/analysis/dataflow.test.d.ts.map +1 -0
- package/dist/analysis/dataflow.test.js +257 -0
- package/dist/analysis/dataflow.test.js.map +1 -0
- package/dist/analysis/taint-propagation.d.ts +30 -0
- package/dist/analysis/taint-propagation.d.ts.map +1 -0
- package/dist/analysis/taint-propagation.js +207 -0
- package/dist/analysis/taint-propagation.js.map +1 -0
- package/dist/index.js +1 -1
- package/dist/layers/code.d.ts +1 -1
- package/dist/layers/code.d.ts.map +1 -1
- package/dist/layers/code.js +282 -3
- package/dist/layers/code.js.map +1 -1
- package/dist/layers/code.test.js +196 -0
- package/dist/layers/code.test.js.map +1 -1
- package/dist/layers/crossref.d.ts.map +1 -1
- package/dist/layers/crossref.js +6 -3
- package/dist/layers/crossref.js.map +1 -1
- package/dist/layers/dataflow.d.ts +29 -0
- package/dist/layers/dataflow.d.ts.map +1 -0
- package/dist/layers/dataflow.js +217 -0
- package/dist/layers/dataflow.js.map +1 -0
- package/dist/layers/permissions.d.ts.map +1 -1
- package/dist/layers/permissions.js +2 -1
- package/dist/layers/permissions.js.map +1 -1
- package/dist/mcp-server.js +1 -1
- package/dist/parsers/parser-interface.d.ts +31 -0
- package/dist/parsers/parser-interface.d.ts.map +1 -0
- package/dist/parsers/parser-interface.js +6 -0
- package/dist/parsers/parser-interface.js.map +1 -0
- package/dist/parsers/parsers.test.d.ts +5 -0
- package/dist/parsers/parsers.test.d.ts.map +1 -0
- package/dist/parsers/parsers.test.js +111 -0
- package/dist/parsers/parsers.test.js.map +1 -0
- package/dist/parsers/python-parser.d.ts +18 -0
- package/dist/parsers/python-parser.d.ts.map +1 -0
- package/dist/parsers/python-parser.js +120 -0
- package/dist/parsers/python-parser.js.map +1 -0
- package/dist/parsers/typescript-parser.d.ts +16 -0
- package/dist/parsers/typescript-parser.d.ts.map +1 -0
- package/dist/parsers/typescript-parser.js +112 -0
- package/dist/parsers/typescript-parser.js.map +1 -0
- package/dist/patterns/dangerous-calls-python.json +220 -0
- package/dist/patterns/dangerous-imports-python.json +256 -0
- package/dist/patterns/insecure-crypto.json +163 -0
- package/dist/patterns/prototype-pollution.json +72 -0
- package/dist/patterns/python-deserialization.json +94 -0
- package/dist/patterns/regex-dos.json +50 -0
- package/dist/patterns/sql-injection.json +91 -0
- package/dist/patterns/xss-injection.json +115 -0
- package/dist/scanner.d.ts +1 -1
- package/dist/scanner.d.ts.map +1 -1
- package/dist/scanner.js +51 -4
- package/dist/scanner.js.map +1 -1
- package/dist/schemas/pattern.schema.json +139 -0
- package/dist/test-corpus/validate-corpus.d.ts +7 -0
- package/dist/test-corpus/validate-corpus.d.ts.map +1 -0
- package/dist/test-corpus/validate-corpus.js +341 -0
- package/dist/test-corpus/validate-corpus.js.map +1 -0
- package/dist/types.d.ts +2 -1
- package/dist/types.d.ts.map +1 -1
- package/dist/validation/pattern-validator.d.ts +34 -0
- package/dist/validation/pattern-validator.d.ts.map +1 -0
- package/dist/validation/pattern-validator.js +168 -0
- package/dist/validation/pattern-validator.js.map +1 -0
- package/dist/validation/pattern-validator.test.d.ts +5 -0
- package/dist/validation/pattern-validator.test.d.ts.map +1 -0
- package/dist/validation/pattern-validator.test.js +222 -0
- package/dist/validation/pattern-validator.test.js.map +1 -0
- package/dist/validation/validate-patterns.d.ts +6 -0
- package/dist/validation/validate-patterns.d.ts.map +1 -0
- package/dist/validation/validate-patterns.js +55 -0
- package/dist/validation/validate-patterns.js.map +1 -0
- package/package.json +11 -4
|
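--- a/package/dist/patterns/sql-injection.json
+++ b/package/dist/patterns/sql-injection.json
@@ -0,0 +1,91 @@
+{
+"category": "sql-injection",
+"patterns": [
+{
+"id": "sql-001",
+"name": "SQL query with string concatenation",
+"description": "SQL query constructed using string concatenation, vulnerable to SQL injection",
+"severity": "CRITICAL",
+"match": {
+"type": "regex",
+"value": "(SELECT|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER).*\\+.*['\"`]",
+"flags": "i"
+},
+"layer": "code",
+"category": "sql-injection",
+"remediation": {
+"title": "Use parameterized queries",
+"suggestions": [
+"Use prepared statements or parameterized queries instead of string concatenation",
+"For TypeScript: Use libraries like pg, mysql2, or an ORM like Prisma/TypeORM",
+"For Python: Use parameterized queries with psycopg2, mysql-connector, or SQLAlchemy",
+"Never concatenate user input directly into SQL queries"
+]
+}
+},
+{
+"id": "sql-002",
+"name": "SQL query with template literal",
+"description": "SQL query using template literals, potentially vulnerable to SQL injection",
+"severity": "HIGH",
+"match": {
+"type": "regex",
+"value": "`(SELECT|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER).*\\$\\{",
+"flags": "i"
+},
+"layer": "code",
+"category": "sql-injection",
+"remediation": {
+"title": "Use parameterized queries",
+"suggestions": [
+"Avoid template literals for SQL queries",
+"Use parameterized queries with placeholders ($1, $2, etc.)",
+"Use an ORM or query builder that handles escaping automatically"
+]
+}
+},
+{
+"id": "sql-003",
+"name": "SQL query with string formatting (Python)",
+"description": "SQL query using Python string formatting (.format() or f-strings), vulnerable to SQL injection",
+"severity": "CRITICAL",
+"match": {
+"type": "regex",
+"value": "(SELECT|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER).*(\\.format\\(|f['\"])",
+"flags": "i"
+},
+"layer": "code",
+"category": "sql-injection",
+"remediation": {
+"title": "Use parameterized queries",
+"suggestions": [
+"Use parameterized queries with %s placeholders",
+"For psycopg2: cursor.execute('SELECT * FROM users WHERE id = %s', (user_id,))",
+"For SQLAlchemy: Use ORM or text() with bindparams",
+"Never use f-strings or .format() for SQL queries"
+]
+}
+},
+{
+"id": "sql-004",
+"name": "Database execute with formatting",
+"description": "Direct execution of formatted SQL query",
+"severity": "CRITICAL",
+"match": {
+"type": "regex",
+"value": "(execute|query|raw)\\([^)]*\\.(format|replace)\\(",
+"flags": "i"
+},
+"layer": "code",
+"category": "sql-injection",
+"remediation": {
+"title": "Use parameterized queries",
+"suggestions": [
+"Pass parameters separately to execute() method",
+"Use the database library's parameter binding features",
+"Never format strings before passing to execute()"
+]
+}
+}
+]
+}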
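Review bot: The sql-001 regex on line 11 cannot match the most common concatenation shape, because it requires a quote character after the `+`: `"SELECT * FROM users WHERE id = " + id` has nothing quoted after the operator and is not flagged, while the less usual `... + id + "'"` is. Anchoring on the quote that closes the literal before the operator, e.g. `"value": "\\b(SELECT|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER)\\b[^\\n]*['\"`]\\s*\\+"`, covers both forms, and the `\\b` also stops the `i` flag from firing on `selected`, `updateCount` or `deleteItem`. sql-003 on line 54 has the mirror-image gap: in `f"SELECT ... {id}"` the `f"` prefix precedes the keyword, so only the `.format(` branch can ever fire; an additional alternation such as `f['\"][^'\"]*\\b(SELECT|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER)\\b` (or a separate pattern) would cover f-strings. Both are silent misses rather than noise, which matters more for patterns rated CRITICAL.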
|
|
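--- a/package/dist/patterns/xss-injection.json
+++ b/package/dist/patterns/xss-injection.json
@@ -0,0 +1,115 @@
+{
+"category": "xss-injection",
+"patterns": [
+{
+"id": "xss-001",
+"name": "dangerouslySetInnerHTML usage",
+"description": "React's dangerouslySetInnerHTML can introduce XSS vulnerabilities",
+"severity": "HIGH",
+"match": {
+"type": "regex",
+"value": "dangerouslySetInnerHTML",
+"flags": "i"
+},
+"layer": "code",
+"category": "xss-injection",
+"remediation": {
+"title": "Sanitize HTML content",
+"suggestions": [
+"Use DOMPurify or similar library to sanitize HTML before rendering",
+"Prefer using React's default JSX rendering which auto-escapes",
+"If HTML rendering is necessary, use a sanitization library like 'isomorphic-dompurify'",
+"Validate that HTML content comes from trusted sources only"
+]
+}
+},
+{
+"id": "xss-002",
+"name": "innerHTML property assignment",
+"description": "Direct innerHTML assignment can lead to XSS vulnerabilities",
+"severity": "HIGH",
+"match": {
+"type": "regex",
+"value": "\\.innerHTML\\s*=",
+"flags": ""
+},
+"layer": "code",
+"category": "xss-injection",
+"remediation": {
+"title": "Use safe DOM manipulation",
+"suggestions": [
+"Use textContent instead of innerHTML for text-only content",
+"Use createElement() and appendChild() for safe DOM manipulation",
+"If HTML is required, sanitize with DOMPurify first",
+"Consider using a framework that auto-escapes by default"
+]
+}
+},
+{
+"id": "xss-003",
+"name": "document.write usage",
+"description": "document.write can introduce XSS and is generally considered harmful",
+"severity": "MEDIUM",
+"match": {
+"type": "regex",
+"value": "document\\.write(ln)?\\(",
+"flags": ""
+},
+"layer": "code",
+"category": "xss-injection",
+"remediation": {
+"title": "Use modern DOM manipulation",
+"suggestions": [
+"Use createElement() and appendChild() instead",
+"Use innerHTML with sanitization if necessary",
+"document.write is obsolete and should be avoided",
+"Can cause issues with page loading and XSS vulnerabilities"
+]
+}
+},
+{
+"id": "xss-004",
+"name": "eval with HTML/DOM strings",
+"description": "Using eval with HTML strings can lead to XSS",
+"severity": "CRITICAL",
+"match": {
+"type": "regex",
+"value": "eval\\([^)]*(<[^>]+>|innerHTML|outerHTML)",
+"flags": "i"
+},
+"layer": "code",
+"category": "xss-injection",
+"remediation": {
+"title": "Never use eval with HTML",
+"suggestions": [
+"Remove eval usage entirely",
+"Use JSON.parse() for data parsing",
+"Use proper DOM APIs for HTML manipulation",
+"eval is dangerous and should be avoided in all cases"
+]
+}
+},
+{
+"id": "xss-005",
+"name": "location.href with user input",
+"description": "Assigning user input to location.href can enable XSS via javascript: URLs",
+"severity": "HIGH",
+"match": {
+"type": "regex",
+"value": "location\\.(href|replace|assign)\\s*=\\s*[^'\"]*\\$",
+"flags": ""
+},
+"layer": "code",
+"category": "xss-injection",
+"remediation": {
+"title": "Validate and sanitize URLs",
+"suggestions": [
+"Validate that URLs start with http:// or https://",
+"Reject javascript:, data:, and vbscript: URL schemes",
+"Use URL parsing to validate URL structure",
+"Consider using window.location.origin + path instead of full user-controlled URLs"
+]
+}
+}
+]
+}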
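Review bot: In xss-005 (line 99) the `replace` and `assign` alternatives are dead: `location.replace(url)` and `location.assign(url)` are method calls, so the mandatory `\\s*=` never follows them, and the trailing `\\$` further narrows the `href` branch to template-literal interpolation, so a plain `location.href = userInput` is not flagged despite the pattern's name. A form that matches each sink in its real shape is `"value": "location\\.(href\\s*=|(replace|assign)\\s*\\()"`, leaving the "is it user input" judgement to the dataflow layer this release appears to add. Separately, xss-003's suggestion on line 64, `Use innerHTML with sanitization if necessary`, steers users toward the exact assignment xss-002 rates HIGH; rewording it to `Use textContent, or insert sanitized markup via a library such as DOMPurify` keeps the two patterns consistent. The `i` flag on xss-001 (line 12) is unnecessary, since the React prop name is case-sensitive.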
|
package/dist/scanner.d.ts
CHANGED
package/dist/scanner.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH,OAAO,KAAK,EAAmB,UAAU,EAAW,MAAM,YAAY,CAAC;
|
|
1
|
+
{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH,OAAO,KAAK,EAAmB,UAAU,EAAW,MAAM,YAAY,CAAC;AAgBvE;;;GAGG;AACH,wBAAsB,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,YAAY,GAAE,OAAe,GAAG,OAAO,CAAC,UAAU,CAAC,CA4FrG;AAiPD;;GAEG;AACH,wBAAsB,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC,CAuD5E"}
|
package/dist/scanner.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* Main scanner orchestrator
|
|
3
|
-
* Coordinates all
|
|
3
|
+
* Coordinates all five scanning layers
|
|
4
4
|
*/
|
|
5
5
|
import { readFileSync, existsSync, statSync } from "fs";
|
|
6
6
|
import { join, basename, extname, dirname } from "path";
|
|
@@ -10,10 +10,11 @@ import { scanPermissions } from "./layers/permissions.js";
|
|
|
10
10
|
import { scanInjection } from "./layers/injection.js";
|
|
11
11
|
import { scanCode } from "./layers/code.js";
|
|
12
12
|
import { scanCrossReference } from "./layers/crossref.js";
|
|
13
|
+
import { scanDataflow } from "./layers/dataflow.js";
|
|
13
14
|
import { calculateScore, determineStatus, generateRecommendation, } from "./scoring.js";
|
|
14
15
|
import { detectMCPManifest, parseMCPManifest } from "./loaders/mcp-loader.js";
|
|
15
16
|
import { loadConfig, mergeConfig } from "./config.js";
|
|
16
|
-
const VERSION = "0.
|
|
17
|
+
const VERSION = "1.0.0";
|
|
17
18
|
/**
|
|
18
19
|
* Main scan function
|
|
19
20
|
* Scans a skill directory or SKILL.md file
|
|
@@ -30,7 +31,7 @@ export async function scanSkill(skillPath, showProgress = false) {
|
|
|
30
31
|
// Load configuration
|
|
31
32
|
const userConfig = loadConfig(skillPath);
|
|
32
33
|
const config = mergeConfig(userConfig);
|
|
33
|
-
// Run all
|
|
34
|
+
// Run all five scanning layers
|
|
34
35
|
if (spinner)
|
|
35
36
|
spinner.text = 'Layer 1: Checking permissions...';
|
|
36
37
|
const layer1 = await scanPermissions(skill);
|
|
@@ -49,12 +50,16 @@ export async function scanSkill(skillPath, showProgress = false) {
|
|
|
49
50
|
if (spinner)
|
|
50
51
|
spinner.text = 'Layer 4: Cross-referencing behaviors...';
|
|
51
52
|
const layer4 = await scanCrossReference(skill, previousFindings);
|
|
53
|
+
if (spinner)
|
|
54
|
+
spinner.text = 'Layer 5: Analyzing dataflow...';
|
|
55
|
+
const layer5 = await scanDataflow(skill);
|
|
52
56
|
// Combine all findings
|
|
53
57
|
let allFindings = [
|
|
54
58
|
...layer1.findings,
|
|
55
59
|
...layer2.findings,
|
|
56
60
|
...layer3.findings,
|
|
57
61
|
...layer4.findings,
|
|
62
|
+
...layer5.findings,
|
|
58
63
|
];
|
|
59
64
|
// Apply ignore filters from config
|
|
60
65
|
if (config.ignore?.patterns && config.ignore.patterns.length > 0) {
|
|
@@ -63,6 +68,10 @@ export async function scanSkill(skillPath, showProgress = false) {
|
|
|
63
68
|
if (config.ignore?.categories && config.ignore.categories.length > 0) {
|
|
64
69
|
allFindings = allFindings.filter(f => !config.ignore.categories.includes(f.category));
|
|
65
70
|
}
|
|
71
|
+
// Apply MCP-specific severity adjustments
|
|
72
|
+
if (skill.isMCP) {
|
|
73
|
+
allFindings = adjustFindingsForMCP(allFindings);
|
|
74
|
+
}
|
|
66
75
|
// Calculate score and status
|
|
67
76
|
const score = calculateScore(allFindings);
|
|
68
77
|
const status = determineStatus(score);
|
|
@@ -155,6 +164,7 @@ async function loadMCPServer(skillDir, manifestPath) {
|
|
|
155
164
|
metadata: manifest.metadata,
|
|
156
165
|
markdownContent,
|
|
157
166
|
codeFiles,
|
|
167
|
+
isMCP: true, // Flag this as an MCP server
|
|
158
168
|
};
|
|
159
169
|
}
|
|
160
170
|
/**
|
|
@@ -185,12 +195,13 @@ function normalizePermissions(metadata) {
|
|
|
185
195
|
*/
|
|
186
196
|
async function findCodeFiles(skillDir) {
|
|
187
197
|
const codeFiles = [];
|
|
188
|
-
// Search for .ts, .js, .mjs, .cjs files
|
|
198
|
+
// Search for .ts, .js, .mjs, .cjs, .py files
|
|
189
199
|
const patterns = [
|
|
190
200
|
join(skillDir, "**/*.ts"),
|
|
191
201
|
join(skillDir, "**/*.js"),
|
|
192
202
|
join(skillDir, "**/*.mjs"),
|
|
193
203
|
join(skillDir, "**/*.cjs"),
|
|
204
|
+
join(skillDir, "**/*.py"),
|
|
194
205
|
];
|
|
195
206
|
for (const pattern of patterns) {
|
|
196
207
|
try {
|
|
@@ -204,6 +215,7 @@ async function findCodeFiles(skillDir) {
|
|
|
204
215
|
"**/test/**",
|
|
205
216
|
"**/*.test.{js,ts,mjs,cjs}",
|
|
206
217
|
"**/*.spec.{js,ts,mjs,cjs}",
|
|
218
|
+
"**/*.d.ts", // Exclude TypeScript declaration files
|
|
207
219
|
"**/fixtures/**",
|
|
208
220
|
"**/examples/**",
|
|
209
221
|
"**/.git/**",
|
|
@@ -219,6 +231,14 @@ async function findCodeFiles(skillDir) {
|
|
|
219
231
|
});
|
|
220
232
|
for (const filePath of files) {
|
|
221
233
|
try {
|
|
234
|
+
// Skip TypeScript declaration files (.d.ts)
|
|
235
|
+
if (filePath.endsWith('.d.ts')) {
|
|
236
|
+
continue;
|
|
237
|
+
}
|
|
238
|
+
// Skip test files
|
|
239
|
+
if (filePath.includes('.spec.') || filePath.includes('.test.')) {
|
|
240
|
+
continue;
|
|
241
|
+
}
|
|
222
242
|
const content = readFileSync(filePath, "utf-8");
|
|
223
243
|
const ext = extname(filePath).slice(1); // Remove leading dot
|
|
224
244
|
// Determine extension type
|
|
@@ -229,6 +249,8 @@ async function findCodeFiles(skillDir) {
|
|
|
229
249
|
extension = "mjs";
|
|
230
250
|
else if (ext === "cjs")
|
|
231
251
|
extension = "cjs";
|
|
252
|
+
else if (ext === "py")
|
|
253
|
+
extension = "py";
|
|
232
254
|
else
|
|
233
255
|
extension = "js";
|
|
234
256
|
codeFiles.push({
|
|
@@ -249,6 +271,31 @@ async function findCodeFiles(skillDir) {
|
|
|
249
271
|
}
|
|
250
272
|
return codeFiles;
|
|
251
273
|
}
|
|
274
|
+
/**
|
|
275
|
+
* Adjust finding severities for MCP servers
|
|
276
|
+
* MCP servers are API clients and have different threat models than AgentSkills
|
|
277
|
+
*/
|
|
278
|
+
function adjustFindingsForMCP(findings) {
|
|
279
|
+
return findings.map(finding => {
|
|
280
|
+
// Lower severity for legitimate API client patterns (by patternId)
|
|
281
|
+
const mcpLegitimatePatternIds = [
|
|
282
|
+
'ex-001', // fetch-call - API clients make HTTP requests
|
|
283
|
+
'cp-006', // process-env-access - Need env vars for API keys
|
|
284
|
+
'ob-001', // base64-decode - Common for encoding
|
|
285
|
+
'ex-006', // http-url-literal - API endpoints are hardcoded
|
|
286
|
+
];
|
|
287
|
+
if (mcpLegitimatePatternIds.includes(finding.patternId || '')) {
|
|
288
|
+
// Reduce severity by one level for MCP servers
|
|
289
|
+
if (finding.severity === 'MEDIUM') {
|
|
290
|
+
return { ...finding, severity: 'LOW' };
|
|
291
|
+
}
|
|
292
|
+
if (finding.severity === 'LOW') {
|
|
293
|
+
return { ...finding, severity: 'INFO' };
|
|
294
|
+
}
|
|
295
|
+
}
|
|
296
|
+
return finding;
|
|
297
|
+
});
|
|
298
|
+
}
|
|
252
299
|
/**
|
|
253
300
|
* Scan multiple skills/MCP servers in a directory
|
|
254
301
|
*/
|
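Review bot: In adjustFindingsForMCP (new lines 278-298) the `mcpLegitimatePatternIds` array is rebuilt inside the `map` callback for every finding; hoisting it to a module-level `const MCP_LEGITIMATE_PATTERN_IDS = [...]` next to `VERSION` keeps the allow-list reviewable in one place and avoids the per-finding allocation. The comment `// Reduce severity by one level for MCP servers` overstates what follows, since only MEDIUM and LOW are demoted while HIGH and CRITICAL pass through unchanged; `// Demote MEDIUM->LOW and LOW->INFO only; HIGH/CRITICAL are kept as-is` describes the actual rule. Because `skill.isMCP` appears to be set purely from manifest detection in loadMCPServer (new line 167), any scanned package that ships an MCP manifest receives these demotions, which is worth stating in the function's doc comment so the bounded scope of the downgrade is explicit. The extra skips in findCodeFiles (new lines 234-241) repeat the `**/*.d.ts` and `*.test.`/`*.spec.` entries that lines 216-218 seem to pass as ignore globs; if they are a deliberate backstop, a one-line comment saying so would stop the next reader from removing one set.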
package/dist/scanner.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AACxD,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACxD,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EACL,cAAc,EACd,eAAe,EACf,sBAAsB,GACvB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC9E,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAEtD,MAAM,OAAO,GAAG,OAAO,CAAC;AAExB;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,SAAiB,EAAE,eAAwB,KAAK;IAC9E,IAAI,OAAO,GAAQ,IAAI,CAAC;IAExB,oEAAoE;IACpE,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,GAAG,GAAG,CAAC,MAAM,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC;QAC1C,OAAO,GAAG,GAAG,CAAC,kBAAkB,CAAC,CAAC,KAAK,EAAE,CAAC;IAC5C,CAAC;IAED,iBAAiB;IACjB,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;IAEzC,qBAAqB;IACrB,MAAM,UAAU,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;IAEvC,+BAA+B;IAC/B,IAAI,OAAO;QAAE,OAAO,CAAC,IAAI,GAAG,kCAAkC,CAAC;IAC/D,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,KAAK,CAAC,CAAC;IAE5C,IAAI,OAAO;QAAE,OAAO,CAAC,IAAI,GAAG,0CAA0C,CAAC;IACvE,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC;IAE1C,IAAI,OAAO;QAAE,OAAO,CAAC,IAAI,GAAG,4BAA4B,CAAC;IACzD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;IAErC,uDAAuD;IACvD,MAAM,gBAAgB,GAAG;QACvB,GAAG,MAAM,CAAC,QAAQ;QAClB,GAAG,MAAM,CAAC,QAAQ;QAClB,GAAG,MAAM,CAAC,QAAQ;KACnB,CAAC;IAEF,IAAI,OAAO;QAAE,OAAO,CAAC,IAAI,GAAG,yCAAyC,CAAC;IACtE,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IAEjE,uBAAuB;IACvB,IAAI,WAAW,GAAc;QAC3B,GAAG,MAAM,CAAC,QAAQ;QAClB,GAAG,MAAM,CAAC,QAAQ;QAClB,GAAG,MAAM,CAAC,QAAQ;QAClB,GAAG,MAAM,CAAC,QAAQ;KACnB,CAAC;IAEF,mCAAmC;IACnC,IAAI,MAAM,CAAC,MAAM,EAAE,QAAQ,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjE,WAAW,GAAG,WAAW,CAAC,MAAM,C
AAC,CAAC,CAAC,EAAE,CACnC,CAAC,CAAC,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,MAAO,CAAC,QAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAChE,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,EAAE,UAAU,IAAI,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrE,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACnC,CAAC,MAAM,CAAC,MAAO,CAAC,UAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CACjD,CAAC;IACJ,CAAC;IAED,6BAA6B;IAC7B,MAAM,KAAK,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IACtC,MAAM,cAAc,GAAG,sBAAsB,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAEnE,2CAA2C;IAC3C,MAAM,MAAM,GAAe;QACzB,aAAa,EAAE,OAAO;QACtB,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,OAAO;QAChB,KAAK,EAAE;YACL,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,IAAI,EAAE,KAAK,CAAC,IAAI;SACjB;QACD,KAAK;QACL,MAAM;QACN,WAAW,EAAE,oBAAoB,CAAC,KAAK,CAAC,QAAQ,CAAC;QACjD,QAAQ,EAAE,WAAW;QACrB,cAAc;KACf,CAAC;IAEF,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IACnC,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,SAAS,CAAC,SAAiB;IACxC,IAAI,QAAgB,CAAC;IAErB,2CAA2C;IAC3C,IAAI,UAAU,CAAC,SAAS,CAAC,IAAI,QAAQ,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;QAC/D,QAAQ,GAAG,SAAS,CAAC;IACvB,CAAC;SAAM,IACL,QAAQ,CAAC,SAAS,CAAC,KAAK,UAAU;QAClC,QAAQ,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,EACrC,CAAC;QACD,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CACb,8DAA8D,CAC/D,CAAC;IACJ,CAAC;IAED,qDAAqD;IACrD,MAAM,WAAW,GAAG,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IAC/C,IAAI,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAC5B,OAAO,MAAM,cAAc,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IACrD,CAAC;IAED,6BAA6B;IAC7B,MAAM,eAAe,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IACpD,IAAI,eAAe,EAAE,CAAC;QACpB,OAAO,MAAM,aAAa,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,IAAI,KAAK,CACb,mDAAmD,QAAQ,EAAE,CAC9D,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,cAAc,CAC3B,QAAgB,EAChB,WAAmB;IAEnB,0BAA0B;IAC1B,MAAM,YAAY,GAAG,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IACxD,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC;IAEpC,gCAAgC;IAChC,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC;IAC7B,MAAM,eAAe,GAAG,MAAM,CAAC,OAAO,CAAC;IAEvC,uBA
AuB;IACvB,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,eAAe,CAAC;IAEzE,6CAA6C;IAC7C,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,QAAQ,CAAC,CAAC;IAEhD,OAAO;QACL,IAAI,EAAE,SAAS;QACf,IAAI,EAAE,QAAQ;QACd,QAAQ;QACR,eAAe;QACf,SAAS;KACV,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,aAAa,CAC1B,QAAgB,EAChB,YAAoB;IAEpB,MAAM,QAAQ,GAAG,gBAAgB,CAAC,YAAY,CAAC,CAAC;IAEhD,oDAAoD;IACpD,MAAM,eAAe,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IAEpE,wBAAwB;IACxB,MAAM,UAAU,GACd,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,oBAAoB,CAAC;IAEvE,sBAAsB;IACtB,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,QAAQ,CAAC,CAAC;IAEhD,OAAO;QACL,IAAI,EAAE,UAAU;QAChB,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,QAAQ,CAAC,QAAQ;QAC3B,eAAe;QACf,SAAS;
|
|
1
|
+
{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AACxD,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACxD,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,EACL,cAAc,EACd,eAAe,EACf,sBAAsB,GACvB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC9E,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAEtD,MAAM,OAAO,GAAG,OAAO,CAAC;AAExB;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,SAAiB,EAAE,eAAwB,KAAK;IAC9E,IAAI,OAAO,GAAQ,IAAI,CAAC;IAExB,oEAAoE;IACpE,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,GAAG,GAAG,CAAC,MAAM,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC;QAC1C,OAAO,GAAG,GAAG,CAAC,kBAAkB,CAAC,CAAC,KAAK,EAAE,CAAC;IAC5C,CAAC;IAED,iBAAiB;IACjB,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;IAEzC,qBAAqB;IACrB,MAAM,UAAU,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,WAAW,CAAC,UAAU,CAAC,CAAC;IAEvC,+BAA+B;IAC/B,IAAI,OAAO;QAAE,OAAO,CAAC,IAAI,GAAG,kCAAkC,CAAC;IAC/D,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,KAAK,CAAC,CAAC;IAE5C,IAAI,OAAO;QAAE,OAAO,CAAC,IAAI,GAAG,0CAA0C,CAAC;IACvE,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,KAAK,CAAC,CAAC;IAE1C,IAAI,OAAO;QAAE,OAAO,CAAC,IAAI,GAAG,4BAA4B,CAAC;IACzD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;IAErC,uDAAuD;IACvD,MAAM,gBAAgB,GAAG;QACvB,GAAG,MAAM,CAAC,QAAQ;QAClB,GAAG,MAAM,CAAC,QAAQ;QAClB,GAAG,MAAM,CAAC,QAAQ;KACnB,CAAC;IAEF,IAAI,OAAO;QAAE,OAAO,CAAC,IAAI,GAAG,yCAAyC,CAAC;IACtE,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;IAEjE,IAAI,OAAO;QAAE,OAAO,CAAC,IAAI,GAAG,gCAAgC,CAAC;IAC7D,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,CAAC;IAEzC,uBAAuB;IACvB,IAAI,WAAW,GAAc;QAC3B,GAAG,MAAM,CAAC,QAAQ;QAClB,GAAG,MAAM,CAAC,QAAQ;QAClB,GAAG,MAAM,CAAC,QAAQ;QAClB,GAAG,MAAM,CAAC,QAAQ;QACl
B,GAAG,MAAM,CAAC,QAAQ;KACnB,CAAC;IAEF,mCAAmC;IACnC,IAAI,MAAM,CAAC,MAAM,EAAE,QAAQ,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjE,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACnC,CAAC,CAAC,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,MAAO,CAAC,QAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAChE,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,EAAE,UAAU,IAAI,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrE,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACnC,CAAC,MAAM,CAAC,MAAO,CAAC,UAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CACjD,CAAC;IACJ,CAAC;IAED,0CAA0C;IAC1C,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,WAAW,GAAG,oBAAoB,CAAC,WAAW,CAAC,CAAC;IAClD,CAAC;IAED,6BAA6B;IAC7B,MAAM,KAAK,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IACtC,MAAM,cAAc,GAAG,sBAAsB,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAEnE,2CAA2C;IAC3C,MAAM,MAAM,GAAe;QACzB,aAAa,EAAE,OAAO;QACtB,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,OAAO;QAChB,KAAK,EAAE;YACL,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,IAAI,EAAE,KAAK,CAAC,IAAI;SACjB;QACD,KAAK;QACL,MAAM;QACN,WAAW,EAAE,oBAAoB,CAAC,KAAK,CAAC,QAAQ,CAAC;QACjD,QAAQ,EAAE,WAAW;QACrB,cAAc;KACf,CAAC;IAEF,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IACnC,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,SAAS,CAAC,SAAiB;IACxC,IAAI,QAAgB,CAAC;IAErB,2CAA2C;IAC3C,IAAI,UAAU,CAAC,SAAS,CAAC,IAAI,QAAQ,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;QAC/D,QAAQ,GAAG,SAAS,CAAC;IACvB,CAAC;SAAM,IACL,QAAQ,CAAC,SAAS,CAAC,KAAK,UAAU;QAClC,QAAQ,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,EACrC,CAAC;QACD,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CACb,8DAA8D,CAC/D,CAAC;IACJ,CAAC;IAED,qDAAqD;IACrD,MAAM,WAAW,GAAG,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IAC/C,IAAI,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAC5B,OAAO,MAAM,cAAc,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IACrD,CAAC;IAED,6BAA6B;IAC7B,MAAM,eAAe,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IACpD,IAAI,eAAe,EAAE,CAAC;QACpB,OAAO,MAAM,aAAa,CAAC,QAAQ,EAAE,eAAe,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,IAAI,KAAK,CACb,mDAAmD,QAAQ,EAAE,CAC9D,CAAC;AACJ,CAAC
;AAED;;GAEG;AACH,KAAK,UAAU,cAAc,CAC3B,QAAgB,EAChB,WAAmB;IAEnB,0BAA0B;IAC1B,MAAM,YAAY,GAAG,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IACxD,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC;IAEpC,gCAAgC;IAChC,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC;IAC7B,MAAM,eAAe,GAAG,MAAM,CAAC,OAAO,CAAC;IAEvC,uBAAuB;IACvB,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,eAAe,CAAC;IAEzE,6CAA6C;IAC7C,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,QAAQ,CAAC,CAAC;IAEhD,OAAO;QACL,IAAI,EAAE,SAAS;QACf,IAAI,EAAE,QAAQ;QACd,QAAQ;QACR,eAAe;QACf,SAAS;KACV,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,aAAa,CAC1B,QAAgB,EAChB,YAAoB;IAEpB,MAAM,QAAQ,GAAG,gBAAgB,CAAC,YAAY,CAAC,CAAC;IAEhD,oDAAoD;IACpD,MAAM,eAAe,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IAEpE,wBAAwB;IACxB,MAAM,UAAU,GACd,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,oBAAoB,CAAC;IAEvE,sBAAsB;IACtB,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,QAAQ,CAAC,CAAC;IAEhD,OAAO;QACL,IAAI,EAAE,UAAU;QAChB,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,QAAQ,CAAC,QAAQ;QAC3B,eAAe;QACf,SAAS;QACT,KAAK,EAAE,IAAI,EAAE,6BAA6B;KAC3C,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,QAAa;IAKzC,cAAc;IACd,IAAI,IAAI,GAAa,EAAE,CAAC;IACxB,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;QAClB,IAAI,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IACxE,CAAC;IAED,aAAa;IACb,IAAI,GAAG,GAAa,EAAE,CAAC;IACvB,IAAI,QAAQ,CAAC,GAAG,EAAE,CAAC;QACjB,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IACpE,CAAC;IAED,uBAAuB;IACvB,IAAI,KAAK,GAAa,EAAE,CAAC;IACzB,IAAI,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;QAC9B,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;YAC9C,CAAC,CAAC,QAAQ,CAAC,eAAe,CAAC;YAC3B,CAAC,CAAC,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC;IAClC,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,aAAa,CAAC,QAAgB;IAC3C,MAAM,SAAS,GAAe,EAAE,CAAC;IAEjC,6CAA6C;IAC7C,MAAM,QAAQ,GAAG;QACf,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC;QACzB,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC;
QACzB,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC;QAC1B,IAAI,CAAC,QAAQ,EAAE,UAAU,CAAC;QAC1B,IAAI,CAAC,QAAQ,EAAE,SAAS,CAAC;KAC1B,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE;gBAChC,MAAM,EAAE;oBACN,oBAAoB;oBACpB,YAAY;oBACZ,aAAa;oBACb,iBAAiB;oBACjB,aAAa;oBACb,YAAY;oBACZ,2BAA2B;oBAC3B,2BAA2B;oBAC3B,WAAW,EAAE,uCAAuC;oBACpD,gBAAgB;oBAChB,gBAAgB;oBAChB,YAAY;oBACZ,cAAc;oBACd,aAAa;oBACb,aAAa;oBACb,cAAc;oBACd,gBAAgB;oBAChB,aAAa;oBACb,cAAc;oBACd,cAAc;iBACf;aACF,CAAC,CAAC;YAEH,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;gBAC7B,IAAI,CAAC;oBACH,4CAA4C;oBAC5C,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;wBAC/B,SAAS;oBACX,CAAC;oBAED,kBAAkB;oBAClB,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;wBAC/D,SAAS;oBACX,CAAC;oBAED,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;oBAChD,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,qBAAqB;oBAE7D,2BAA2B;oBAC3B,IAAI,SAA6C,CAAC;oBAClD,IAAI,GAAG,KAAK,IAAI;wBAAE,SAAS,GAAG,IAAI,CAAC;yBAC9B,IAAI,GAAG,KAAK,KAAK;wBAAE,SAAS,GAAG,KAAK,CAAC;yBACrC,IAAI,GAAG,KAAK,KAAK;wBAAE,SAAS,GAAG,KAAK,CAAC;yBACrC,IAAI,GAAG,KAAK,IAAI;wBAAE,SAAS,GAAG,IAAI,CAAC;;wBACnC,SAAS,GAAG,IAAI,CAAC;oBAEtB,SAAS,CAAC,IAAI,CAAC;wBACb,IAAI,EAAE,QAAQ;wBACd,OAAO;wBACP,SAAS;qBACV,CAAC,CAAC;gBACL,CAAC;gBAAC,OAAO,KAAK,EAAE,CAAC;oBACf,gCAAgC;oBAChC,OAAO,CAAC,IAAI,CAAC,iCAAiC,QAAQ,EAAE,CAAC,CAAC;gBAC5D,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,6BAA6B;QAC/B,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,SAAS,oBAAoB,CAAC,QAAmB;IAC/C,OAAO,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE;QAC5B,mEAAmE;QACnE,MAAM,uBAAuB,GAAG;YAC9B,QAAQ,EAAG,8CAA8C;YACzD,QAAQ,EAAG,kDAAkD;YAC7D,QAAQ,EAAG,sCAAsC;YACjD,QAAQ,EAAG,iDAAiD;SAC7D,CAAC;QAEF,IAAI,uBAAuB,CAAC,QAAQ,CAAC,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC,EAAE,CAAC;YAC9D,+CAA+C;YAC/C,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBAClC,OAAO,EAAE,GAAG,OAAO,EAAE,QAAQ,EAAE,KAAc,EAAE,CAAC;YAClD,CAAC;YACD,IAAI,OAAO,CAAC,QAAQ,KAAK,KAAK,EAAE,CAAC;gBAC/B,OAAO,EAAE,GAAG,O
AAO,EAAE,QAAQ,EAAE,MAAe,EAAE,CAAC;YACnD,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,SAAiB;IACnD,MAAM,OAAO,GAAiB,EAAE,CAAC;IACjC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC,CAAC,gDAAgD;IAEnF,0BAA0B;IAC1B,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;IACpD,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE;QAC1C,MAAM,EAAE,CAAC,oBAAoB,CAAC;KAC/B,CAAC,CAAC;IAEH,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;QACpC,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,SAAS;QACpC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAEtB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;YAC1C,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,IAAI,CACV,oCAAoC,SAAS,GAAG,EAC/C,KAAe,CAAC,OAAO,CACzB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,8BAA8B;IAC9B,MAAM,WAAW,GAAG;QAClB,IAAI,CAAC,SAAS,EAAE,aAAa,CAAC;QAC9B,IAAI,CAAC,SAAS,EAAE,gBAAgB,CAAC;KAClC,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,OAAO,EAAE;YACxC,MAAM,EAAE,CAAC,oBAAoB,CAAC;SAC/B,CAAC,CAAC;QAEH,KAAK,MAAM,YAAY,IAAI,aAAa,EAAE,CAAC;YACzC,MAAM,WAAW,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;YAC1C,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;gBAAE,SAAS;YACvC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;YAEzB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,YAAY,CAAC,CAAC;gBAC7C,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACvB,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,IAAI,CACV,yCAAyC,YAAY,GAAG,EACvD,KAAe,CAAC,OAAO,CACzB,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
|
@@ -0,0 +1,139 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "http://json-schema.org/draft-07/schema#",
|
|
3
|
+
"$id": "https://acidtest.dev/schemas/pattern.schema.json",
|
|
4
|
+
"title": "AcidTest Pattern Schema",
|
|
5
|
+
"description": "JSON Schema for AcidTest security pattern detection files",
|
|
6
|
+
"type": "object",
|
|
7
|
+
"required": ["category", "patterns"],
|
|
8
|
+
"additionalProperties": false,
|
|
9
|
+
"properties": {
|
|
10
|
+
"category": {
|
|
11
|
+
"type": "string",
|
|
12
|
+
"description": "The category identifier for this pattern file",
|
|
13
|
+
"minLength": 1,
|
|
14
|
+
"pattern": "^[a-z0-9-]+$"
|
|
15
|
+
},
|
|
16
|
+
"patterns": {
|
|
17
|
+
"type": "array",
|
|
18
|
+
"description": "Array of detection patterns",
|
|
19
|
+
"minItems": 1,
|
|
20
|
+
"items": {
|
|
21
|
+
"$ref": "#/definitions/pattern"
|
|
22
|
+
}
|
|
23
|
+
}
|
|
24
|
+
},
|
|
25
|
+
"definitions": {
|
|
26
|
+
"pattern": {
|
|
27
|
+
"type": "object",
|
|
28
|
+
"required": ["id", "name", "severity", "match", "layer"],
|
|
29
|
+
"additionalProperties": false,
|
|
30
|
+
"properties": {
|
|
31
|
+
"id": {
|
|
32
|
+
"type": "string",
|
|
33
|
+
"description": "Unique pattern identifier",
|
|
34
|
+
"pattern": "^[a-z0-9]+-[0-9]+$"
|
|
35
|
+
},
|
|
36
|
+
"name": {
|
|
37
|
+
"type": "string",
|
|
38
|
+
"description": "Human-readable pattern name",
|
|
39
|
+
"minLength": 1
|
|
40
|
+
},
|
|
41
|
+
"description": {
|
|
42
|
+
"type": "string",
|
|
43
|
+
"description": "Detailed description of what this pattern detects"
|
|
44
|
+
},
|
|
45
|
+
"severity": {
|
|
46
|
+
"type": "string",
|
|
47
|
+
"description": "Severity level of findings from this pattern",
|
|
48
|
+
"enum": ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"]
|
|
49
|
+
},
|
|
50
|
+
"match": {
|
|
51
|
+
"$ref": "#/definitions/patternMatch"
|
|
52
|
+
},
|
|
53
|
+
"layer": {
|
|
54
|
+
"type": "string",
|
|
55
|
+
"description": "Which layer this pattern scans",
|
|
56
|
+
"enum": ["permissions", "markdown", "code", "crossref"]
|
|
57
|
+
},
|
|
58
|
+
"category": {
|
|
59
|
+
"type": "string",
|
|
60
|
+
"description": "Optional category override for this specific pattern"
|
|
61
|
+
},
|
|
62
|
+
"remediation": {
|
|
63
|
+
"$ref": "#/definitions/remediation"
|
|
64
|
+
}
|
|
65
|
+
}
|
|
66
|
+
},
|
|
67
|
+
"patternMatch": {
|
|
68
|
+
"type": "object",
|
|
69
|
+
"required": ["type", "value"],
|
|
70
|
+
"additionalProperties": false,
|
|
71
|
+
"properties": {
|
|
72
|
+
"type": {
|
|
73
|
+
"type": "string",
|
|
74
|
+
"description": "Type of pattern matching to use",
|
|
75
|
+
"enum": ["regex", "ast", "exact"]
|
|
76
|
+
},
|
|
77
|
+
"value": {
|
|
78
|
+
"type": "string",
|
|
79
|
+
"description": "The pattern value (regex string, AST query, or exact string)",
|
|
80
|
+
"minLength": 1
|
|
81
|
+
},
|
|
82
|
+
"flags": {
|
|
83
|
+
"type": "string",
|
|
84
|
+
"description": "Regex flags (e.g., 'i', 'g', 'ig')",
|
|
85
|
+
"pattern": "^[igmsuy]*$"
|
|
86
|
+
}
|
|
87
|
+
}
|
|
88
|
+
},
|
|
89
|
+
"remediation": {
|
|
90
|
+
"type": "object",
|
|
91
|
+
"required": ["title", "suggestions"],
|
|
92
|
+
"additionalProperties": false,
|
|
93
|
+
"properties": {
|
|
94
|
+
"title": {
|
|
95
|
+
"type": "string",
|
|
96
|
+
"description": "Title for the remediation guidance",
|
|
97
|
+
"minLength": 1
|
|
98
|
+
},
|
|
99
|
+
"suggestions": {
|
|
100
|
+
"type": "array",
|
|
101
|
+
"description": "List of remediation suggestions",
|
|
102
|
+
"minItems": 1,
|
|
103
|
+
"items": {
|
|
104
|
+
"type": "string",
|
|
105
|
+
"minLength": 1
|
|
106
|
+
}
|
|
107
|
+
},
|
|
108
|
+
"autofix": {
|
|
109
|
+
"type": "boolean",
|
|
110
|
+
"description": "Whether this issue can be automatically fixed"
|
|
111
|
+
},
|
|
112
|
+
"fixAction": {
|
|
113
|
+
"$ref": "#/definitions/fixAction"
|
|
114
|
+
}
|
|
115
|
+
}
|
|
116
|
+
},
|
|
117
|
+
"fixAction": {
|
|
118
|
+
"type": "object",
|
|
119
|
+
"required": ["type", "pattern", "replacement"],
|
|
120
|
+
"additionalProperties": false,
|
|
121
|
+
"properties": {
|
|
122
|
+
"type": {
|
|
123
|
+
"type": "string",
|
|
124
|
+
"description": "Type of fix action",
|
|
125
|
+
"enum": ["replace"]
|
|
126
|
+
},
|
|
127
|
+
"pattern": {
|
|
128
|
+
"type": "string",
|
|
129
|
+
"description": "Pattern to find for replacement",
|
|
130
|
+
"minLength": 1
|
|
131
|
+
},
|
|
132
|
+
"replacement": {
|
|
133
|
+
"type": "string",
|
|
134
|
+
"description": "Replacement string"
|
|
135
|
+
}
|
|
136
|
+
}
|
|
137
|
+
}
|
|
138
|
+
}
|
|
139
|
+
}
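Review bot: The `flags` constraint `^[igmsuy]*$` in `patternMatch` accepts repeated flags such as `"ii"` or `"gg"`, which `new RegExp(value, flags)` rejects with a SyntaxError, so a pattern file can pass schema validation and still fail when the pattern is compiled; a duplicate-free form is `"pattern": "^(?!.*(.).*\\1)[igmsuy]*$"`. The per-pattern `category` override is an unconstrained string while the top-level `category` is limited to `^[a-z0-9-]+$`, so the same `"minLength": 1` and `"pattern": "^[a-z0-9-]+$"` keywords should apply to both to keep category identifiers uniform. `autofix` and `fixAction` are independent optionals on `remediation`; if `"autofix": true` is meant to imply a `fixAction`, a draft-07 `if`/`then` clause keyed on `"autofix": { "const": true }` with `"then": { "required": ["fixAction"] }` would enforce that (presumably — confirm against the fixer). The `layer` enum lists only `permissions`, `markdown`, `code` and `crossref`; if this release introduces a dataflow layer, pattern files targeting it will be rejected by this schema.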
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"validate-corpus.d.ts","sourceRoot":"","sources":["../../src/test-corpus/validate-corpus.ts"],"names":[],"mappings":";AAEA;;;GAGG"}
|