agent-security-scanner-mcp 3.20.0 → 4.0.0

package/code-review-agent/tests/analyzer/semantic.test.ts

@@ -0,0 +1,131 @@
+import { describe, it, expect } from 'vitest';
+import { SemanticAnalyzer } from '../../src/analyzer/semantic.js';
+import { MockLLMProvider } from '../helpers/mock-provider.js';
+import type { FileContext, ProjectContext } from '../../src/types/analysis.js';
+import type { IntentProfile } from '../../src/types/findings.js';
+
+const mockIntent: IntentProfile = {
+  purpose: 'REST API for user management',
+  expectedBehaviors: ['Handle HTTP requests', 'Read/write database'],
+  unexpectedBehaviors: ['Execute system commands', 'Eval user input'],
+  framework: 'express',
+  riskDomain: 'web-api',
+};
+
+const mockProject: ProjectContext = {
+  readme: '# API Server',
+  packageMeta: { name: 'api', dependencies: { express: '^4.0.0' } },
+  directoryTree: 'src/\n  server.js',
+  envVars: [],
+  hasDockerfile: false,
+  hasCI: false,
+  language: 'javascript/typescript',
+  framework: 'express',
+};
+
+const mockFileContext: FileContext = {
+  filePath: 'server.js',
+  content: 'const x = eval(req.query.code);',
+  language: 'javascript',
+  lineCount: 1,
+  imports: ['express'],
+  importedBy: [],
+  siblingFiles: [],
+  isTestFile: false,
+  isConfigFile: false,
+  isGenerated: false,
+};
+
+const mockAnalysisResponse = {
+  findings: [
+    {
+      title: 'eval() on user input',
+      severity: 'critical' as const,
+      category: 'security' as const,
+      location: { file: 'server.js', startLine: 1, endLine: 1 },
+      reasoning: 'eval() with user-controlled input allows arbitrary code execution',
+      intentAlignment: 'violates-intent' as const,
+      confidence: 0.95,
+      suggestedAction: 'Use a safe parser or whitelist approach instead of eval',
+      cwe: 'CWE-94',
+    },
+  ],
+};
+
+const mockTriageResponse = {
+  action: 'analyze' as const,
+  reason: 'File handles HTTP requests and uses eval',
+  areasOfInterest: [{ startLine: 1, endLine: 1, reason: 'eval() call' }],
+};
+
+describe('SemanticAnalyzer', () => {
+  it('analyzes a file and returns findings', async () => {
+    const analysisProvider = new MockLLMProvider({
+      file_analysis: mockAnalysisResponse,
+    });
+    const triageProvider = new MockLLMProvider({
+      triage_decision: mockTriageResponse,
+    });
+
+    const analyzer = new SemanticAnalyzer(analysisProvider, triageProvider);
+    const result = await analyzer.analyzeFile(mockIntent, mockProject, mockFileContext);
+
+    expect(result.findings).toHaveLength(1);
+    expect(result.findings[0].title).toBe('eval() on user input');
+    expect(result.findings[0].severity).toBe('critical');
+    expect(result.findings[0].intentAlignment).toBe('violates-intent');
+    expect(result.findings[0].confidence).toBe(0.95);
+    expect(result.tokensUsed).toBeGreaterThan(0);
+  });
+
+  it('triages a file and returns decision', async () => {
+    const analysisProvider = new MockLLMProvider({});
+    const triageProvider = new MockLLMProvider({
+      triage_decision: mockTriageResponse,
+    });
+
+    const analyzer = new SemanticAnalyzer(analysisProvider, triageProvider);
+    const decision = await analyzer.triageFile(mockProject, mockFileContext);
+
+    expect(decision.action).toBe('analyze');
+    expect(decision.areasOfInterest).toHaveLength(1);
+    expect(triageProvider.structuredCalls[0]?.messages[0]?.content).toContain('UNTRUSTED INPUT');
+  });
+
+  it('returns skip decision for safe files', async () => {
+    const skipResponse = {
+      action: 'skip' as const,
+      reason: 'Test file with no security-relevant code',
+      areasOfInterest: [],
+    };
+
+    const analysisProvider = new MockLLMProvider({});
+    const triageProvider = new MockLLMProvider({
+      triage_decision: skipResponse,
+    });
+
+    const analyzer = new SemanticAnalyzer(analysisProvider, triageProvider);
+    const decision = await analyzer.triageFile(mockProject, {
+      ...mockFileContext,
+      filePath: 'test.test.js',
+      isTestFile: true,
+    });
+
+    expect(decision.action).toBe('skip');
+  });
+
+  it('sets correct file path on findings', async () => {
+    const analysisProvider = new MockLLMProvider({
+      file_analysis: mockAnalysisResponse,
+    });
+    const triageProvider = new MockLLMProvider({});
+
+    const analyzer = new SemanticAnalyzer(analysisProvider, triageProvider);
+    const result = await analyzer.analyzeFile(mockIntent, mockProject, {
+      ...mockFileContext,
+      filePath: 'src/routes/users.js',
+    });
+
+    expect(result.findings[0].location.file).toBe('src/routes/users.js');
+  });
+});

package/code-review-agent/tests/context/file.test.ts

@@ -0,0 +1,21 @@
+import { describe, it, expect } from 'vitest';
+import { isTestFile } from '../../src/context/file.js';
+
+describe('isTestFile', () => {
+  it('matches top-level test directories on POSIX paths', () => {
+    expect(isTestFile('tests/helpers/mock-provider.ts')).toBe(true);
+    expect(isTestFile('test/unit/example.js')).toBe(true);
+    expect(isTestFile('__tests__/parser.test.ts')).toBe(true);
+  });
+
+  it('matches top-level test directories on Windows paths', () => {
+    expect(isTestFile('tests\\helpers\\mock-provider.ts')).toBe(true);
+    expect(isTestFile('test\\unit\\example.js')).toBe(true);
+    expect(isTestFile('__tests__\\parser.test.ts')).toBe(true);
+  });
+
+  it('does not classify regular source files as tests', () => {
+    expect(isTestFile('src/server.js')).toBe(false);
+    expect(isTestFile('fixtures/vuln-api-server/server.js')).toBe(false);
+  });
+});

package/code-review-agent/tests/context/project.test.ts

@@ -0,0 +1,20 @@
+import { describe, it, expect } from 'vitest';
+import * as fs from 'node:fs';
+import * as os from 'node:os';
+import * as path from 'node:path';
+import { buildProjectContext } from '../../src/context/project.js';
+
+describe('buildProjectContext', () => {
+  it('detects language from nested source files when manifests are absent', () => {
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'cr-project-'));
+    try {
+      fs.mkdirSync(path.join(tmpDir, 'src'));
+      fs.writeFileSync(path.join(tmpDir, 'src', 'server.js'), 'console.log(1);');
+
+      const context = buildProjectContext(tmpDir);
+      expect(context.language).toBe('javascript/typescript');
+    } finally {
+      fs.rmSync(tmpDir, { recursive: true, force: true });
+    }
+  });
+});

package/code-review-agent/tests/fixtures/safe-build-tool/README.md

@@ -0,0 +1,19 @@
+# Build Runner
+
+A JavaScript build tool that compiles and bundles project assets. Runs predefined build steps like TypeScript compilation, CSS processing, and asset copying.
+
+## Usage
+
+```bash
+node builder.js build
+node builder.js clean
+node builder.js watch
+```
+
+## Build Steps
+
+1. Clean dist/ directory
+2. Compile TypeScript
+3. Process CSS with PostCSS
+4. Copy static assets
+5. Generate source maps

package/code-review-agent/tests/fixtures/safe-build-tool/builder.js

@@ -0,0 +1,52 @@
+const { execFile } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+
+const DIST = path.join(__dirname, 'dist');
+
+const BUILD_STEPS = [
+  { name: 'typescript', cmd: 'npx', args: ['tsc', '--outDir', DIST] },
+  { name: 'css', cmd: 'npx', args: ['postcss', 'src/styles/*.css', '--dir', path.join(DIST, 'css')] },
+  { name: 'assets', cmd: 'cp', args: ['-r', 'public/', path.join(DIST, 'public')] },
+];
+
+function clean() {
+  if (fs.existsSync(DIST)) {
+    fs.rmSync(DIST, { recursive: true });
+    console.log('Cleaned dist/');
+  }
+}
+
+async function runStep(step) {
+  return new Promise((resolve, reject) => {
+    console.log(`Running: ${step.name}`);
+    execFile(step.cmd, step.args, { cwd: __dirname }, (error, stdout, stderr) => {
+      if (error) {
+        console.error(`${step.name} failed:`, stderr);
+        reject(error);
+        return;
+      }
+      console.log(`${step.name} done:`, stdout.trim());
+      resolve(stdout);
+    });
+  });
+}
+
+async function build() {
+  fs.mkdirSync(DIST, { recursive: true });
+  for (const step of BUILD_STEPS) {
+    await runStep(step);
+  }
+  console.log('Build complete!');
+}
+
+const command = process.argv[2] || 'build';
+if (command === 'clean') {
+  clean();
+} else if (command === 'build') {
+  clean();
+  build().catch((err) => {
+    console.error('Build failed:', err.message);
+    process.exit(1);
+  });
+}

package/code-review-agent/tests/fixtures/safe-file-manager/README.md

@@ -0,0 +1,16 @@
+# File Organizer
+
+A Python utility that organizes files in a directory by extension. It moves files into categorized subdirectories (images/, docs/, code/, etc.) based on their file type.
+
+## Usage
+
+```bash
+python organizer.py /path/to/messy/directory
+```
+
+## Features
+
+- Sorts files by extension into categorized folders
+- Handles duplicates by appending a number
+- Supports dry-run mode with --dry-run flag
+- Logs all operations to organizer.log

package/code-review-agent/tests/fixtures/safe-file-manager/organizer.py

@@ -0,0 +1,70 @@
+"""File organizer - sorts files into categorized directories."""
+
+import os
+import sys
+import shutil
+import logging
+
+logging.basicConfig(filename='organizer.log', level=logging.INFO)
+logger = logging.getLogger(__name__)
+
+CATEGORIES = {
+    'images': ['.jpg', '.jpeg', '.png', '.gif', '.bmp', '.svg'],
+    'docs': ['.pdf', '.doc', '.docx', '.txt', '.md', '.csv'],
+    'code': ['.py', '.js', '.ts', '.java', '.go', '.rs'],
+    'archives': ['.zip', '.tar', '.gz', '.rar', '.7z'],
+    'media': ['.mp3', '.mp4', '.avi', '.mkv', '.wav'],
+}
+
+
+def get_category(filename):
+    ext = os.path.splitext(filename)[1].lower()
+    for category, extensions in CATEGORIES.items():
+        if ext in extensions:
+            return category
+    return 'other'
+
+
+def organize(directory, dry_run=False):
+    if not os.path.isdir(directory):
+        logger.error(f"Not a directory: {directory}")
+        return
+
+    for filename in os.listdir(directory):
+        filepath = os.path.join(directory, filename)
+        if not os.path.isfile(filepath):
+            continue
+
+        category = get_category(filename)
+        target_dir = os.path.join(directory, category)
+
+        if not dry_run:
+            os.makedirs(target_dir, exist_ok=True)
+            target_path = os.path.join(target_dir, filename)
+
+            # Handle duplicates
+            counter = 1
+            base, ext = os.path.splitext(filename)
+            while os.path.exists(target_path):
+                target_path = os.path.join(target_dir, f"{base}_{counter}{ext}")
+                counter += 1
+
+            shutil.move(filepath, target_path)
+            logger.info(f"Moved {filename} -> {category}/")
+        else:
+            logger.info(f"[DRY RUN] Would move {filename} -> {category}/")
+
+
+def cleanup_empty_dirs(directory):
+    for dirpath, dirnames, filenames in os.walk(directory, topdown=False):
+        if not filenames and not dirnames:
+            os.rmdir(dirpath)
+            logger.info(f"Removed empty directory: {dirpath}")
+
+
+if __name__ == '__main__':
+    target = sys.argv[1] if len(sys.argv) > 1 else '.'
+    dry_run = '--dry-run' in sys.argv
+    organize(target, dry_run)
+    if not dry_run:
+        cleanup_empty_dirs(target)

package/code-review-agent/tests/fixtures/vuln-api-server/README.md

@@ -0,0 +1,17 @@
+# User API Server
+
+A REST API server for managing user accounts. Handles user registration, authentication, and profile management.
+
+## Endpoints
+
+- POST /api/register - Create new account
+- POST /api/login - Authenticate user
+- GET /api/profile/:id - Get user profile
+- PUT /api/profile/:id - Update profile
+- GET /api/search - Search users
+
+## Stack
+
+- Node.js + Express
+- SQLite database
+- JWT authentication

package/code-review-agent/tests/fixtures/vuln-api-server/server.js

@@ -0,0 +1,52 @@
+const express = require('express');
+const sqlite3 = require('sqlite3');
+const fs = require('fs');
+const app = express();
+
+app.use(express.json());
+
+const db = new sqlite3.Database('./users.db');
+
+// User registration
+app.post('/api/register', (req, res) => {
+  const { username, email, password } = req.body;
+  // SQL injection - string concatenation instead of parameterized query
+  const query = `INSERT INTO users (username, email, password) VALUES ('${username}', '${email}', '${password}')`;
+  db.run(query, (err) => {
+    if (err) return res.status(500).json({ error: err.message });
+    res.json({ success: true });
+  });
+});
+
+// User search - eval injection
+app.get('/api/search', (req, res) => {
+  const { filter } = req.query;
+  // eval on user input - command injection
+  const filterFn = eval(`(user) => ${filter}`);
+  db.all('SELECT * FROM users', (err, users) => {
+    if (err) return res.status(500).json({ error: err.message });
+    const filtered = users.filter(filterFn);
+    res.json(filtered);
+  });
+});
+
+// Profile picture upload - path traversal
+app.post('/api/upload', (req, res) => {
+  const { filename, data } = req.body;
+  // Arbitrary file write - no path sanitization
+  fs.writeFile(`./uploads/${filename}`, Buffer.from(data, 'base64'), (err) => {
+    if (err) return res.status(500).json({ error: err.message });
+    res.json({ path: `/uploads/${filename}` });
+  });
+});
+
+// Debug endpoint - exposes server info
+app.get('/api/debug', (req, res) => {
+  res.json({
+    env: process.env,
+    cwd: process.cwd(),
+    memory: process.memoryUsage(),
+  });
+});
+
+app.listen(3000);

package/code-review-agent/tests/fixtures/vuln-ecommerce/README.md

@@ -0,0 +1,18 @@
+# E-Commerce Checkout
+
+A Node.js e-commerce checkout service. Handles shopping cart management, price calculation, payment processing, and order confirmation.
+
+## Features
+
+- Shopping cart with add/remove/update
+- Discount code validation
+- Payment gateway integration (Stripe)
+- Order confirmation emails
+- Inventory management
+
+## API
+
+- POST /cart/add - Add item to cart
+- POST /checkout - Process payment
+- GET /order/:id - Get order status
+- POST /discount/validate - Validate discount code

package/code-review-agent/tests/fixtures/vuln-ecommerce/checkout.js

@@ -0,0 +1,63 @@
+const express = require('express');
+const app = express();
+
+app.use(express.json());
+
+const carts = {};
+
+// Add to cart - prototype pollution via merge
+app.post('/cart/add', (req, res) => {
+  const { userId, item } = req.body;
+  if (!carts[userId]) carts[userId] = { items: [] };
+  // Deep merge without prototype pollution protection
+  merge(carts[userId], item);
+  res.json(carts[userId]);
+});
+
+function merge(target, source) {
+  for (const key in source) {
+    if (typeof source[key] === 'object' && source[key] !== null) {
+      if (!target[key]) target[key] = {};
+      merge(target[key], source[key]);
+    } else {
+      target[key] = source[key];
+    }
+  }
+  return target;
+}
+
+// Apply discount - no auth check, price manipulation
+app.post('/discount/validate', (req, res) => {
+  const { code, cartTotal } = req.body;
+  // User controls the cart total - should be server-side calculation
+  const discounts = { SAVE10: 0.1, SAVE50: 0.5, EMPLOYEE: 1.0 };
+  const discount = discounts[code];
+  if (discount) {
+    res.json({ newTotal: cartTotal * (1 - discount), valid: true });
+  } else {
+    res.json({ valid: false });
+  }
+});
+
+// Checkout - open redirect in success URL
+app.post('/checkout', (req, res) => {
+  const { successUrl } = req.body;
+  // Process payment...
+  // Open redirect - user controls redirect destination
+  res.redirect(successUrl);
+});
+
+// Order lookup - no authorization, IDOR
+app.get('/order/:id', (req, res) => {
+  // No check that requesting user owns this order
+  const order = getOrder(req.params.id);
+  if (!order) return res.status(404).json({ error: 'Not found' });
+  res.json(order);
+});
+
+function getOrder(id) {
+  // Stub
+  return { id, items: [], total: 0, status: 'completed' };
+}
+
+app.listen(3000);

package/code-review-agent/tests/graph/dependency.test.ts

@@ -0,0 +1,136 @@
+import { describe, it, expect } from 'vitest';
+import * as path from 'node:path';
+import * as fs from 'node:fs';
+import * as os from 'node:os';
+import { DependencyGraphBuilder } from '../../src/graph/dependency.js';
+
+describe('DependencyGraphBuilder', () => {
+  it('builds a graph from fixture files', () => {
+    const fixtureDir = path.resolve(__dirname, '../fixtures/vuln-api-server');
+    const builder = new DependencyGraphBuilder(fixtureDir);
+    const graph = builder.build(['server.js']);
+
+    expect(graph.nodes.size).toBeGreaterThan(0);
+    expect(graph.entryPoints).toEqual(['server.js']);
+
+    const serverNode = graph.nodes.get('server.js');
+    expect(serverNode).toBeTruthy();
+    expect(serverNode!.file).toBe('server.js');
+  });
+
+  it('resolves local imports', () => {
+    // Create a temp directory with two files that import each other
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'cr-test-'));
+    try {
+      fs.writeFileSync(
+        path.join(tmpDir, 'main.js'),
+        "import { helper } from './helper.js';\nconsole.log(helper());",
+      );
+      fs.writeFileSync(
+        path.join(tmpDir, 'helper.js'),
+        "export function helper() { return 'hello'; }",
+      );
+
+      const builder = new DependencyGraphBuilder(tmpDir);
+      const graph = builder.build(['main.js']);
+
+      expect(graph.nodes.size).toBe(2);
+
+      const mainNode = graph.nodes.get('main.js');
+      expect(mainNode?.imports).toContain('helper.js');
+
+      const helperNode = graph.nodes.get('helper.js');
+      expect(helperNode?.importedBy).toContain('main.js');
+    } finally {
+      fs.rmSync(tmpDir, { recursive: true });
+    }
+  });
+
+  it('handles cycles without infinite loop', () => {
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'cr-cycle-'));
+    try {
+      fs.writeFileSync(
+        path.join(tmpDir, 'a.js'),
+        "import './b.js';",
+      );
+      fs.writeFileSync(
+        path.join(tmpDir, 'b.js'),
+        "import './a.js';",
+      );
+
+      const builder = new DependencyGraphBuilder(tmpDir);
+      const graph = builder.build(['a.js']);
+
+      expect(graph.nodes.size).toBe(2);
+      // Should complete without hanging
+    } finally {
+      fs.rmSync(tmpDir, { recursive: true });
+    }
+  });
+
+  it('getImporters returns files that import a given file', () => {
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'cr-importers-'));
+    try {
+      fs.writeFileSync(path.join(tmpDir, 'index.js'), "import './utils.js';");
+      fs.writeFileSync(path.join(tmpDir, 'utils.js'), "export const x = 1;");
+
+      const builder = new DependencyGraphBuilder(tmpDir);
+      builder.build(['index.js']);
+
+      expect(builder.getImporters('utils.js')).toContain('index.js');
+      expect(builder.getImportees('index.js')).toContain('utils.js');
+    } finally {
+      fs.rmSync(tmpDir, { recursive: true });
+    }
+  });
+
+  it('ignores non-local imports', () => {
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'cr-external-'));
+    try {
+      fs.writeFileSync(
+        path.join(tmpDir, 'app.js'),
+        "import express from 'express';\nimport chalk from 'chalk';",
+      );
+
+      const builder = new DependencyGraphBuilder(tmpDir);
+      const graph = builder.build(['app.js']);
+
+      const appNode = graph.nodes.get('app.js');
+      expect(appNode?.imports).toHaveLength(0);
+    } finally {
+      fs.rmSync(tmpDir, { recursive: true });
+    }
+  });
+
+  it('includes barrel re-export edges in the graph', () => {
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'cr-barrel-'));
+    try {
+      fs.writeFileSync(path.join(tmpDir, 'app.js'), "import { value } from './index.js';");
+      fs.writeFileSync(path.join(tmpDir, 'index.js'), "export * from './lib.js';");
+      fs.writeFileSync(path.join(tmpDir, 'lib.js'), 'export const value = 1;');
+
+      const builder = new DependencyGraphBuilder(tmpDir);
+      const graph = builder.build(['app.js']);
+
+      expect(graph.nodes.get('index.js')?.imports).toContain('lib.js');
+      expect(graph.nodes.get('lib.js')?.importedBy).toContain('index.js');
+    } finally {
+      fs.rmSync(tmpDir, { recursive: true });
+    }
+  });
+
+  it('keeps supported non-JS entry files in the graph', () => {
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'cr-java-'));
+    try {
+      fs.writeFileSync(path.join(tmpDir, 'Main.java'), 'class Main {}');
+
+      const builder = new DependencyGraphBuilder(tmpDir);
+      const graph = builder.build(['Main.java']);
+
+      expect(graph.entryPoints).toEqual(['Main.java']);
+      expect(graph.nodes.get('Main.java')?.file).toBe('Main.java');
+    } finally {
+      fs.rmSync(tmpDir, { recursive: true });
+    }
+  });
+});

package/code-review-agent/tests/helpers/mock-provider.ts

@@ -0,0 +1,48 @@
+import type { z } from 'zod';
+import type { ChatMessage, LLMProvider } from '../../src/llm/provider.js';
+
+export class MockLLMProvider implements LLMProvider {
+  readonly modelId: string;
+  readonly providerName = 'mock';
+
+  private responses: Map<string, unknown>;
+  public chatCalls: Array<{ messages: ChatMessage[] }> = [];
+  public structuredCalls: Array<{ messages: ChatMessage[]; schemaName: string }> = [];
+
+  constructor(
+    responses: Record<string, unknown>,
+    modelId = 'mock-model',
+  ) {
+    this.responses = new Map(Object.entries(responses));
+    this.modelId = modelId;
+  }
+
+  async chat(messages: ChatMessage[]): Promise<string> {
+    this.chatCalls.push({ messages });
+    return 'mock response';
+  }
+
+  async chatStructured<T>(
+    messages: ChatMessage[],
+    schema: z.ZodType<T>,
+    schemaName: string,
+  ): Promise<T> {
+    this.structuredCalls.push({ messages, schemaName });
+
+    const response = this.responses.get(schemaName);
+    if (!response) {
+      throw new Error(`No mock response for schema: ${schemaName}`);
+    }
+
+    const result = schema.safeParse(response);
+    if (!result.success) {
+      throw new Error(`Mock response failed validation for ${schemaName}: ${result.error.message}`);
+    }
+
+    return result.data;
+  }
+
+  countTokens(text: string): number {
+    return Math.ceil(text.length / 4);
+  }
+}