agent-security-scanner-mcp 3.1.0 → 3.2.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-security-scanner-mcp",
-  "version": "3.1.0",
+  "version": "3.2.0",
   "mcpName": "io.github.sinewaveai/agent-security-scanner-mcp",
   "description": "Security scanner MCP server for AI coding agents. Prompt injection firewall, package hallucination detection (4.3M+ packages), 1000+ vulnerability rules with AST & taint analysis, auto-fix. For Claude Code, Cursor, Windsurf, Cline.",
   "main": "index.js",
@@ -76,6 +76,10 @@
     "LICENSE",
     "server.json",
     "index.js",
+    "src/tools/*.js",
+    "src/cli/*.js",
+    "src/fix-patterns.js",
+    "src/utils.js",
     "analyzer.py",
     "ast_parser.py",
     "generic_ast.py",

package/src/analyzer.py

@@ -0,0 +1,119 @@
+import sys
+import json
+import re
+import os
+
+# Add the directory containing this script to the path
+sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
+
+from rules import get_rules, get_rules_for_language, get_rule_stats
+
+# File extension to language mapping
+EXTENSION_MAP = {
+    '.py': 'python',
+    '.js': 'javascript',
+    '.ts': 'typescript',
+    '.tsx': 'typescript',
+    '.jsx': 'javascript',
+    '.java': 'java',
+    '.go': 'go',
+    '.rb': 'ruby',
+    '.php': 'php',
+    '.cs': 'csharp',
+    '.rs': 'rust',
+    '.c': 'c',
+    '.cpp': 'cpp',
+    '.h': 'c',
+    '.hpp': 'cpp',
+    '.sql': 'sql',
+    '.dockerfile': 'dockerfile',
+    '.yaml': 'yaml',
+    '.yml': 'yaml',
+    '.json': 'json',
+    '.tf': 'terraform',
+    '.hcl': 'terraform',
+}
+
+def detect_language(file_path):
+    """Detect the programming language from file extension or name"""
+    basename = os.path.basename(file_path).lower()
+    
+    if basename == 'dockerfile' or basename.startswith('dockerfile.') or basename.startswith('dockerfile_'):
+        return 'dockerfile'
+    
+    _, ext = os.path.splitext(file_path.lower())
+    return EXTENSION_MAP.get(ext, 'generic')
+
+def analyze_file(file_path):
+    """Analyze a single file for security vulnerabilities"""
+    issues = []
+    
+    try:
+        language = detect_language(file_path)
+        rules = get_rules_for_language(language)
+        
+        with open(file_path, 'r', encoding='utf-8') as f:
+            lines = f.readlines()
+            content = ''.join(lines)
+        
+        for line_index, line in enumerate(lines):
+            original_line = line
+            line = line.strip()
+            if not line:
+                continue
+            
+            # Skip comment-only lines (basic detection)
+            if line.startswith('#') or line.startswith('//') or line.startswith('*'):
+                continue
+                
+            for rule_id, rule in rules.items():
+                for pattern in rule['patterns']:
+                    try:
+                        # Use IGNORECASE for better detection (API_KEY vs api_key)
+                        matches = re.finditer(pattern, line, re.IGNORECASE)
+                        for match in matches:
+                            # Calculate column based on original line (preserve indentation)
+                            col_offset = len(original_line) - len(original_line.lstrip())
+                            issues.append({
+                                'ruleId': rule['id'],
+                                'message': f"[{rule['name']}] {rule['message']}",
+                                'line': line_index,
+                                'column': match.start() + col_offset,
+                                'length': match.end() - match.start(),
+                                'severity': rule['severity'],
+                                'metadata': rule.get('metadata', {})
+                            })
+                    except re.error:
+                        # Skip invalid regex patterns
+                        continue
+                        
+    except Exception as e:
+        return {'error': str(e)}
+    
+    # Deduplicate issues (same rule, same line)
+    seen = set()
+    unique_issues = []
+    for issue in issues:
+        key = (issue['ruleId'], issue['line'], issue['column'])
+        if key not in seen:
+            seen.add(key)
+            unique_issues.append(issue)
+        
+    return unique_issues
+
+def main():
+    if len(sys.argv) < 2:
+        print(json.dumps({'error': 'No file path provided'}))
+        sys.exit(1)
+        
+    file_path = sys.argv[1]
+    
+    if not os.path.exists(file_path):
+        print(json.dumps({'error': f'File not found: {file_path}'}))
+        sys.exit(1)
+        
+    results = analyze_file(file_path)
+    print(json.dumps(results))
+
+if __name__ == '__main__':
+    main()

package/src/cli/demo.js

@@ -0,0 +1,238 @@
+import { execFileSync } from "child_process";
+import { writeFileSync, unlinkSync } from "fs";
+import { join } from "path";
+import { createInterface } from "readline";
+import { dirname } from "path";
+import { fileURLToPath } from "url";
+
+// Handle both ESM and CJS bundling (Smithery bundles to CJS)
+let __dirname;
+try {
+  __dirname = dirname(fileURLToPath(import.meta.url));
+} catch {
+  __dirname = process.cwd();
+}
+
+const DEMO_TEMPLATES = {
+  js: {
+    ext: 'js',
+    name: 'JavaScript',
+    code: `const express = require("express");
+const child_process = require("child_process");
+const app = express();
+
+// SQL Injection vulnerability
+app.get("/user", (req, res) => {
+  const userId = req.query.id;
+  db.query("SELECT * FROM users WHERE id = " + userId, (err, result) => {
+    res.send(result);
+  });
+});
+
+// XSS vulnerability
+app.get("/profile", (req, res) => {
+  const name = req.query.name;
+  document.getElementById("welcome").innerHTML = name;
+});
+
+// Command Injection vulnerability
+app.get("/run", (req, res) => {
+  const cmd = req.query.cmd;
+  child_process.exec("ls " + cmd, (err, stdout) => {
+    res.send(stdout);
+  });
+});
+`
+  },
+  py: {
+    ext: 'py',
+    name: 'Python',
+    code: `import pickle
+import subprocess
+import hashlib
+
+API_SECRET = "stripe_test_FAKEFAKEFAKEFAKE1234"
+
+def get_user(user_id):
+    query = f"SELECT * FROM users WHERE id = {user_id}"
+    cursor.execute(query)
+    return cursor.fetchone()
+
+def load_data(data):
+    return pickle.loads(data)
+
+def run_command(cmd):
+    return subprocess.call(cmd, shell=True)
+
+def hash_password(password):
+    return hashlib.md5(password.encode()).hexdigest()
+`
+  },
+  go: {
+    ext: 'go',
+    name: 'Go',
+    code: `package main
+
+import (
+\t"crypto/md5"
+\t"database/sql"
+\t"fmt"
+\t"net/http"
+\t"os/exec"
+)
+
+var dbPassword = "super_secret_password_123"
+
+func getUser(w http.ResponseWriter, r *http.Request) {
+\tid := r.URL.Query().Get("id")
+\tquery := fmt.Sprintf("SELECT * FROM users WHERE id = %s", id)
+\tdb.Query(query)
+}
+
+func runCmd(w http.ResponseWriter, r *http.Request) {
+\tcmd := r.URL.Query().Get("cmd")
+\tout, _ := exec.Command("sh", "-c", cmd).Output()
+\tw.Write(out)
+}
+
+func hashData(data string) string {
+\th := md5.Sum([]byte(data))
+\treturn fmt.Sprintf("%x", h)
+}
+`
+  },
+  java: {
+    ext: 'java',
+    name: 'Java',
+    code: `import java.sql.*;
+import java.io.*;
+import java.security.MessageDigest;
+
+public class VulnDemo {
+    private static final String DB_PASSWORD = "admin123";
+
+    public ResultSet getUser(String userId) throws SQLException {
+        Connection conn = DriverManager.getConnection("jdbc:mysql://localhost/db");
+        Statement stmt = conn.createStatement();
+        return stmt.executeQuery("SELECT * FROM users WHERE id = " + userId);
+    }
+
+    public String runCommand(String cmd) throws IOException {
+        Runtime rt = Runtime.getRuntime();
+        Process proc = rt.exec(cmd);
+        BufferedReader reader = new BufferedReader(new InputStreamReader(proc.getInputStream()));
+        return reader.readLine();
+    }
+
+    public String hashPassword(String password) throws Exception {
+        MessageDigest md = MessageDigest.getInstance("MD5");
+        byte[] hash = md.digest(password.getBytes());
+        return new String(hash);
+    }
+}
+`
+  }
+};
+
+function parseDemoFlags(args) {
+  const flags = { lang: 'js' };
+  let i = 0;
+  while (i < args.length) {
+    const arg = args[i];
+    if ((arg === '--lang' || arg === '-l') && i + 1 < args.length) {
+      flags.lang = args[++i].toLowerCase();
+    } else if (!arg.startsWith('-')) {
+      flags.lang = arg.toLowerCase();
+    }
+    i++;
+  }
+  return flags;
+}
+
+function checkCommand(cmd, args) {
+  try {
+    const out = execFileSync(cmd, args, { timeout: 10000, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+    return { ok: true, output: out.trim() };
+  } catch {
+    return { ok: false, output: null };
+  }
+}
+
+export async function runDemo(args) {
+  const flags = parseDemoFlags(args);
+  const template = DEMO_TEMPLATES[flags.lang];
+  if (!template) {
+    console.log(`\n  Unknown language: "${flags.lang}"`);
+    console.log(`  Available: ${Object.keys(DEMO_TEMPLATES).join(', ')}\n`);
+    process.exit(1);
+  }
+
+  const filename = `vuln-demo.${template.ext}`;
+  const filepath = join(process.cwd(), filename);
+
+  console.log(`\n  agent-security-scanner-mcp demo\n`);
+  console.log(`  Creating ${filename} with 3 intentional vulnerabilities...\n`);
+
+  // Write the vulnerable file
+  writeFileSync(filepath, template.code);
+
+  // Run the analyzer
+  const analyzerPath = join(__dirname, '..', '..', 'analyzer.py');
+  let pythonCmd = 'python3';
+  const py3 = checkCommand('python3', ['--version']);
+  if (!py3.ok) {
+    const py = checkCommand('python', ['--version']);
+    if (py.ok && py.output.includes('3.')) {
+      pythonCmd = 'python';
+    } else {
+      console.log(`  Error: Python 3 not found. Run "npx agent-security-scanner-mcp doctor" to diagnose.\n`);
+      unlinkSync(filepath);
+      process.exit(1);
+    }
+  }
+
+  let results;
+  try {
+    const output = execFileSync(pythonCmd, [analyzerPath, filepath], { timeout: 30000, encoding: 'utf-8' });
+    results = JSON.parse(output);
+  } catch (e) {
+    console.log(`  Error running analyzer: ${e.message}\n`);
+    unlinkSync(filepath);
+    process.exit(1);
+  }
+
+  // Display results
+  console.log(`  Scanning...\n`);
+
+  if (results.length === 0) {
+    console.log(`  No issues found (unexpected for demo file).\n`);
+  } else {
+    console.log(`  Found ${results.length} issue(s):\n`);
+    for (const issue of results) {
+      const severity = (issue.severity || 'error').toUpperCase();
+      const icon = severity === 'ERROR' ? '\u2717' : severity === 'WARNING' ? '\u2717' : '\u2022';
+      console.log(`    ${icon} ${severity.padEnd(8)} Line ${String(issue.line).padEnd(4)} ${issue.message}`);
+      if (issue.metadata) {
+        const refs = [issue.metadata.cwe, issue.metadata.owasp].filter(Boolean).join(' | ');
+        if (refs) console.log(`      ${refs}`);
+      }
+    }
+    console.log(`\n  ${results.length} vulnerabilities detected.\n`);
+  }
+
+  // Ask to keep or delete
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  const answer = await new Promise((resolve) => {
+    rl.question(`  Keep ${filename} for testing? (y/N): `, (a) => { rl.close(); resolve(a); });
+  });
+
+  if (answer.toLowerCase() === 'y') {
+    console.log(`\n  Kept: ${filepath}`);
+  } else {
+    unlinkSync(filepath);
+    console.log(`\n  Deleted: ${filename}`);
+  }
+
+  console.log(`\n  Next: Connect to your AI coding tool and ask it to`);
+  console.log(`  "scan ${filename} for security issues"\n`);
+}

package/src/cli/doctor.js

@@ -0,0 +1,273 @@
+import { execFileSync } from "child_process";
+import { readFileSync, existsSync, writeFileSync, copyFileSync, mkdirSync } from "fs";
+import { dirname, join } from "path";
+import { homedir, platform } from "os";
+import { fileURLToPath } from "url";
+
+// Handle both ESM and CJS bundling (Smithery bundles to CJS)
+let __dirname;
+try {
+  __dirname = dirname(fileURLToPath(import.meta.url));
+} catch {
+  __dirname = process.cwd();
+}
+
+function vscodeBase() {
+  const os = platform();
+  if (os === 'darwin') return join(homedir(), 'Library', 'Application Support');
+  if (os === 'win32') return process.env.APPDATA || homedir();
+  return join(homedir(), '.config');
+}
+
+const MCP_SERVER_ENTRY = {
+  command: "npx",
+  args: ["-y", "agent-security-scanner-mcp"]
+};
+
+const CLIENT_CONFIGS = {
+  'claude-desktop': {
+    name: 'Claude Desktop',
+    configKey: 'mcpServers',
+    configPath: () => {
+      const os = platform();
+      if (os === 'darwin') return join(homedir(), 'Library', 'Application Support', 'Claude', 'claude_desktop_config.json');
+      if (os === 'win32') return join(process.env.APPDATA || homedir(), 'Claude', 'claude_desktop_config.json');
+      return join(homedir(), '.config', 'Claude', 'claude_desktop_config.json');
+    },
+    buildEntry: () => ({ ...MCP_SERVER_ENTRY })
+  },
+  'claude-code': {
+    name: 'Claude Code',
+    configKey: 'mcpServers',
+    configPath: () => join(homedir(), '.claude', 'settings.json'),
+    buildEntry: () => ({ ...MCP_SERVER_ENTRY })
+  },
+  'cursor': {
+    name: 'Cursor',
+    configKey: 'mcpServers',
+    configPath: () => join(homedir(), '.cursor', 'mcp.json'),
+    buildEntry: () => ({ ...MCP_SERVER_ENTRY })
+  },
+  'windsurf': {
+    name: 'Windsurf',
+    configKey: 'mcpServers',
+    configPath: () => {
+      const os = platform();
+      if (os === 'darwin') return join(homedir(), '.codeium', 'windsurf', 'mcp_config.json');
+      if (os === 'win32') return join(process.env.APPDATA || homedir(), '.codeium', 'windsurf', 'mcp_config.json');
+      return join(homedir(), '.codeium', 'windsurf', 'mcp_config.json');
+    },
+    buildEntry: () => ({ ...MCP_SERVER_ENTRY })
+  },
+  'cline': {
+    name: 'Cline',
+    configKey: 'mcpServers',
+    configPath: () => join(vscodeBase(), 'Code', 'User', 'globalStorage', 'saoudrizwan.claude-dev', 'settings', 'cline_mcp_settings.json'),
+    buildEntry: () => ({ ...MCP_SERVER_ENTRY })
+  },
+  'kilo-code': {
+    name: 'Kilo Code',
+    configKey: 'mcpServers',
+    configPath: () => join(vscodeBase(), 'Code', 'User', 'globalStorage', 'kilocode.kilo-code', 'settings', 'mcp_settings.json'),
+    buildEntry: () => ({ ...MCP_SERVER_ENTRY, alwaysAllow: ["scan_security", "scan_agent_prompt", "check_package"], disabled: false })
+  },
+  'opencode': {
+    name: 'OpenCode',
+    configKey: 'mcp',
+    configPath: () => join(process.cwd(), 'opencode.jsonc'),
+    buildEntry: () => ({ type: "local", command: ["npx", "-y", "agent-security-scanner-mcp"], enabled: true })
+  },
+  'cody': {
+    name: 'Cody (Sourcegraph)',
+    configKey: 'mcpServers',
+    configPath: () => join(vscodeBase(), 'Code', 'User', 'globalStorage', 'sourcegraph.cody-ai', 'mcp_settings.json'),
+    buildEntry: () => ({ ...MCP_SERVER_ENTRY })
+  }
+};
+
+// Timestamp for backup filenames
+function backupTimestamp() {
+  const d = new Date();
+  const pad = (n) => String(n).padStart(2, '0');
+  return `${d.getFullYear()}${pad(d.getMonth() + 1)}${pad(d.getDate())}-${pad(d.getHours())}${pad(d.getMinutes())}${pad(d.getSeconds())}`;
+}
+
+function checkCommand(cmd, args) {
+  try {
+    const out = execFileSync(cmd, args, { timeout: 10000, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+    return { ok: true, output: out.trim() };
+  } catch {
+    return { ok: false, output: null };
+  }
+}
+
+export async function runDoctor(args) {
+  const fix = args.includes('--fix') || false;
+  let issues = 0;
+  let fixed = 0;
+
+  console.log('\n  agent-security-scanner-mcp doctor\n');
+
+  // --- Environment checks ---
+  console.log('  Environment');
+
+  // 1. Node version
+  const nodeVer = process.versions.node;
+  const nodeMajor = parseInt(nodeVer.split('.')[0], 10);
+  if (nodeMajor >= 18) {
+    console.log(`    \u2713 Node.js v${nodeVer} (>= 18 required)`);
+  } else {
+    console.log(`    \u2717 Node.js v${nodeVer} — version 18+ required`);
+    console.log(`      Install: https://nodejs.org/`);
+    issues++;
+  }
+
+  // 2. Python 3
+  let pythonCmd = null;
+  const py3 = checkCommand('python3', ['--version']);
+  if (py3.ok) {
+    pythonCmd = 'python3';
+    console.log(`    \u2713 ${py3.output}`);
+  } else {
+    const py = checkCommand('python', ['--version']);
+    if (py.ok && py.output.includes('3.')) {
+      pythonCmd = 'python';
+      console.log(`    \u2713 ${py.output}`);
+    } else {
+      console.log(`    \u2717 Python 3 not found`);
+      console.log(`      Install: https://python.org/downloads/`);
+      issues++;
+    }
+  }
+
+  // 3. analyzer.py reachable
+  const analyzerPath = join(__dirname, '..', '..', 'analyzer.py');
+  if (existsSync(analyzerPath)) {
+    console.log(`    \u2713 analyzer.py found`);
+  } else {
+    console.log(`    \u2717 analyzer.py not found at ${analyzerPath}`);
+    console.log(`      Try reinstalling: npm install -g agent-security-scanner-mcp`);
+    issues++;
+  }
+
+  // 4. Python can import yaml (analyzer dependency check)
+  if (pythonCmd && existsSync(analyzerPath)) {
+    const yamlCheck = checkCommand(pythonCmd, ['-c', 'import yaml; print("ok")']);
+    if (yamlCheck.ok && yamlCheck.output === 'ok') {
+      console.log(`    \u2713 Analyzer engine ready (PyYAML installed)`);
+    } else {
+      // PyYAML missing but analyzer has fallback rules - still works
+      console.log(`    \u2713 Analyzer engine ready (using fallback rules)`);
+    }
+  }
+
+  // 5. tree-sitter AST engine (optional but recommended)
+  if (pythonCmd) {
+    const tsCheck = checkCommand(pythonCmd, ['-c', 'import tree_sitter; print(tree_sitter.__version__)']);
+    if (tsCheck.ok && tsCheck.output) {
+      console.log(`    \u2713 AST engine ready (tree-sitter ${tsCheck.output})`);
+    } else {
+      console.log(`    \u26a0 tree-sitter not installed (regex-only mode)`);
+      console.log(`      For enhanced detection: pip install tree-sitter tree-sitter-python tree-sitter-javascript`);
+    }
+  }
+
+  // --- Client configuration checks ---
+  console.log('\n  Client Configurations');
+
+  for (const [key, client] of Object.entries(CLIENT_CONFIGS)) {
+    let configPath;
+    try { configPath = client.configPath(); } catch { continue; }
+
+    const configDir = dirname(configPath);
+
+    // Check if the tool appears installed (config dir exists)
+    if (!existsSync(configDir)) {
+      console.log(`    \u2014 ${client.name.padEnd(20)} not installed (no config dir)`);
+      continue;
+    }
+
+    // Config file exists?
+    if (!existsSync(configPath)) {
+      console.log(`    \u2717 ${client.name.padEnd(20)} config file not found: ${configPath}`);
+      if (fix) {
+        // Auto-fix: run init for this client
+        const entry = client.buildEntry();
+        const config = { [client.configKey]: { 'security-scanner': entry } };
+        mkdirSync(dirname(configPath), { recursive: true });
+        writeFileSync(configPath, JSON.stringify(config, null, 2) + '\n');
+        console.log(`      \u2713 Fixed: created config with security-scanner entry`);
+        fixed++;
+      } else {
+        console.log(`      Fix: npx agent-security-scanner-mcp init ${key}`);
+        issues++;
+      }
+      continue;
+    }
+
+    // Valid JSON?
+    let config;
+    try {
+      const raw = readFileSync(configPath, 'utf-8');
+      // Only strip comments for .jsonc files (avoid breaking URLs with //)
+      let stripped = raw;
+      if (configPath.endsWith('.jsonc')) {
+        stripped = raw.replace(/\/\/.*$/gm, '').replace(/\/\*[\s\S]*?\*\//g, '');
+      }
+      config = JSON.parse(stripped);
+    } catch (e) {
+      console.log(`    \u2717 ${client.name.padEnd(20)} invalid JSON in config`);
+      console.log(`      Error: ${e.message}`);
+      issues++;
+      continue;
+    }
+
+    // Has config section?
+    const section = config[client.configKey];
+    if (!section) {
+      console.log(`    \u2717 ${client.name.padEnd(20)} missing "${client.configKey}" section`);
+      if (fix) {
+        config[client.configKey] = { 'security-scanner': client.buildEntry() };
+        const backupPath = `${configPath}.bak-${backupTimestamp()}`;
+        copyFileSync(configPath, backupPath);
+        writeFileSync(configPath, JSON.stringify(config, null, 2) + '\n');
+        console.log(`      \u2713 Fixed: added ${client.configKey} with security-scanner entry`);
+        fixed++;
+      } else {
+        console.log(`      Fix: npx agent-security-scanner-mcp init ${key}`);
+        issues++;
+      }
+      continue;
+    }
+
+    // Has our entry? Check common key names
+    const ourEntry = section['security-scanner'] || section['agentic-security'] || section['agent-security-scanner-mcp'];
+    if (ourEntry) {
+      const entryName = section['security-scanner'] ? 'security-scanner' : section['agentic-security'] ? 'agentic-security' : 'agent-security-scanner-mcp';
+      console.log(`    \u2713 ${client.name.padEnd(20)} configured (${entryName})`);
+    } else {
+      console.log(`    \u2717 ${client.name.padEnd(20)} entry missing from config`);
+      if (fix) {
+        config[client.configKey]['security-scanner'] = client.buildEntry();
+        const backupPath = `${configPath}.bak-${backupTimestamp()}`;
+        copyFileSync(configPath, backupPath);
+        writeFileSync(configPath, JSON.stringify(config, null, 2) + '\n');
+        console.log(`      \u2713 Fixed: added security-scanner entry`);
+        fixed++;
+      } else {
+        console.log(`      Fix: npx agent-security-scanner-mcp init ${key}`);
+        issues++;
+      }
+    }
+  }
+
+  // Summary
+  console.log('');
+  if (issues === 0 && fixed === 0) {
+    console.log('  All checks passed. You\'re good to go!\n');
+  } else if (fixed > 0) {
+    console.log(`  Fixed ${fixed} issue(s). ${issues > 0 ? `${issues} remaining issue(s) need manual attention.` : 'All clear!'}\n`);
+  } else {
+    console.log(`  ${issues} issue(s) found. Run with --fix to auto-repair, or use init <client>.\n`);
+  }
+}