agent-security-scanner-mcp 3.3.0 → 3.4.0

package/src/tools/fix-security.js

@@ -2,6 +2,9 @@
 import { z } from "zod";
 import { existsSync, readFileSync } from "fs";
 import { detectLanguage, runAnalyzer, generateFix } from '../utils.js';
+import { deduplicateFindings } from '../dedup.js';
+import { applyContextFilter, detectFrameworks, applyFrameworkAdjustments } from '../context.js';
+import { loadConfig, shouldExcludeFile, applyConfig } from '../config.js';
 
 export const fixSecuritySchema = {
   file_path: z.string().describe("Path to the file to fix"),
@@ -47,24 +50,48 @@ export async function fixSecurity({ file_path, verbosity }) {
     };
   }
 
-  const issues = runAnalyzer(file_path);
+  // Load project configuration
+  const config = loadConfig(file_path);
 
-  if (issues.error || !Array.isArray(issues) || issues.length === 0) {
+  // Check file exclusion
+  if (shouldExcludeFile(file_path, config)) {
+    return {
+      content: [{ type: "text", text: JSON.stringify({ file: file_path, message: "File excluded by configuration", fixes_applied: 0 }) }]
+    };
+  }
+
+  const rawIssues = runAnalyzer(file_path);
+
+  if (rawIssues.error || !Array.isArray(rawIssues) || rawIssues.length === 0) {
     return {
       content: [{
         type: "text",
         text: JSON.stringify({
-          message: issues.error ? "Error scanning file" : "No security issues found",
-          details: issues
+          message: rawIssues.error ? "Error scanning file" : "No security issues found",
+          details: rawIssues
         })
       }]
     };
   }
 
+  // Cross-engine deduplication
+  const dedupedIssues = deduplicateFindings(rawIssues);
+
   // Read and fix the file
   const content = readFileSync(file_path, 'utf-8');
   const lines = content.split('\n');
   const language = detectLanguage(file_path);
+
+  // Context-aware filtering (suppress known module imports)
+  const contextFiltered = applyContextFilter(dedupedIssues, file_path, language);
+
+  // Framework-aware severity adjustment
+  const frameworks = detectFrameworks(file_path, language);
+  const frameworkAdjusted = applyFrameworkAdjustments(contextFiltered, frameworks);
+
+  // Apply .scannerrc configuration (rule suppression, severity/confidence thresholds)
+  const issues = applyConfig(frameworkAdjusted, file_path, config);
+
   const fixes = [];
 
   // Apply fixes (process in reverse order to preserve line numbers)

package/src/tools/scan-diff.js

@@ -0,0 +1,151 @@
+// src/tools/scan-diff.js
+import { z } from "zod";
+import { execFileSync } from "child_process";
+import { existsSync } from "fs";
+import { scanSecurity } from './scan-security.js';
+
+export const scanDiffSchema = {
+  base_ref: z.string().optional().describe("Base git ref (default: HEAD~1)"),
+  target_ref: z.string().optional().describe("Target git ref (default: HEAD)"),
+  verbosity: z.enum(['minimal', 'compact', 'full']).optional().describe("Response detail level")
+};
+
+// Parse unified diff output to extract changed files and line ranges
+function parseDiffOutput(diffOutput) {
+  const changes = new Map(); // filePath -> Set<lineNumber>
+  let currentFile = null;
+
+  for (const line of diffOutput.split('\n')) {
+    // Match diff header: +++ b/path/to/file
+    const fileMatch = line.match(/^\+\+\+ b\/(.+)$/);
+    if (fileMatch) {
+      currentFile = fileMatch[1];
+      if (!changes.has(currentFile)) {
+        changes.set(currentFile, new Set());
+      }
+      continue;
+    }
+
+    // Match hunk header: @@ -old,count +new,count @@
+    const hunkMatch = line.match(/^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@/);
+    if (hunkMatch && currentFile) {
+      const start = parseInt(hunkMatch[1], 10);
+      const count = parseInt(hunkMatch[2] || '1', 10);
+      const fileChanges = changes.get(currentFile);
+      for (let i = start; i < start + count; i++) {
+        fileChanges.add(i);
+      }
+    }
+  }
+
+  return changes;
+}
+
+export async function scanDiff({ base_ref, target_ref, verbosity }) {
+  const base = base_ref || 'HEAD~1';
+  const target = target_ref || 'HEAD';
+
+  // Get diff output
+  let diffOutput;
+  try {
+    diffOutput = execFileSync('git', ['diff', '--unified=0', `${base}...${target}`], {
+      encoding: 'utf-8',
+      timeout: 30000,
+      maxBuffer: 10 * 1024 * 1024
+    });
+  } catch (err) {
+    // Try without three-dot notation (for uncommitted changes)
+    try {
+      diffOutput = execFileSync('git', ['diff', '--unified=0', base, target], {
+        encoding: 'utf-8',
+        timeout: 30000,
+        maxBuffer: 10 * 1024 * 1024
+      });
+    } catch (err2) {
+      return {
+        content: [{ type: "text", text: JSON.stringify({ error: `Git diff failed: ${err2.message}` }) }]
+      };
+    }
+  }
+
+  if (!diffOutput.trim()) {
+    return {
+      content: [{ type: "text", text: JSON.stringify({ message: "No changes found between refs", base, target, issues_count: 0 }) }]
+    };
+  }
+
+  // Parse diff to get changed files and lines
+  const changes = parseDiffOutput(diffOutput);
+  const allIssues = [];
+  const scannedFiles = [];
+
+  // Scan each changed file
+  for (const [filePath, changedLines] of changes) {
+    if (!existsSync(filePath)) continue;
+
+    const result = await scanSecurity({ file_path: filePath, verbosity: 'full' });
+    const parsed = JSON.parse(result.content[0].text);
+
+    if (parsed.issues && Array.isArray(parsed.issues)) {
+      // Filter to only issues on changed lines
+      const diffIssues = parsed.issues.filter(issue => {
+        const issueLine = (issue.line || 0) + 1; // convert 0-indexed to 1-indexed
+        return changedLines.has(issueLine);
+      });
+
+      for (const issue of diffIssues) {
+        allIssues.push({ ...issue, file: filePath });
+      }
+    }
+    scannedFiles.push(filePath);
+  }
+
+  // Format based on verbosity
+  const level = verbosity || 'compact';
+
+  if (level === 'minimal') {
+    const bySeverity = { error: 0, warning: 0, info: 0 };
+    allIssues.forEach(i => bySeverity[i.severity] = (bySeverity[i.severity] || 0) + 1);
+    return {
+      content: [{ type: "text", text: JSON.stringify({
+        base, target,
+        files_scanned: scannedFiles.length,
+        total: allIssues.length,
+        critical: bySeverity.error,
+        warning: bySeverity.warning,
+        info: bySeverity.info,
+        message: allIssues.length > 0
+          ? `Found ${allIssues.length} new issue(s) in changed code.`
+          : "No new security issues in changed code."
+      }) }]
+    };
+  }
+
+  if (level === 'compact') {
+    return {
+      content: [{ type: "text", text: JSON.stringify({
+        base, target,
+        files_scanned: scannedFiles.length,
+        issues_count: allIssues.length,
+        issues: allIssues.map(i => ({
+          file: i.file,
+          line: (i.line || 0) + 1,
+          ruleId: i.ruleId,
+          severity: i.severity,
+          message: i.message
+        }))
+      }, null, 2) }]
+    };
+  }
+
+  // full
+  return {
+    content: [{ type: "text", text: JSON.stringify({
+      base, target,
+      files_scanned: scannedFiles.length,
+      issues_count: allIssues.length,
+      issues: allIssues,
+      changed_files: Array.from(changes.keys())
+    }, null, 2) }]
+  };
+}

package/src/tools/scan-project.js

@@ -0,0 +1,308 @@
+// src/tools/scan-project.js
+import { z } from "zod";
+import { existsSync, readFileSync, readdirSync, statSync } from "fs";
+import { join, resolve, relative, extname, basename } from "path";
+import { execFileSync } from "child_process";
+import { scanSecurity } from './scan-security.js';
+import { matchGlob, loadConfig, shouldExcludeFile } from '../config.js';
+import { detectLanguage } from '../utils.js';
+
+export const scanProjectSchema = {
+  directory_path: z.string().describe("Path to the directory to scan"),
+  recursive: z.boolean().optional().describe("Scan subdirectories recursively (default: true)"),
+  include_patterns: z.array(z.string()).optional().describe("Glob patterns to include (e.g. ['**/*.py', '**/*.js'])"),
+  exclude_patterns: z.array(z.string()).optional().describe("Glob patterns to exclude (e.g. ['*test*', 'vendor/**'])"),
+  diff_only: z.boolean().optional().describe("Only scan git-changed files"),
+  cross_file: z.boolean().optional().describe("Enable cross-file taint analysis (max 50 files)"),
+  verbosity: z.enum(['minimal', 'compact', 'full']).optional().describe("Response detail level")
+};
+
+// Scannable file extensions
+const SCANNABLE_EXTENSIONS = new Set([
+  '.py', '.js', '.ts', '.tsx', '.jsx', '.java', '.go', '.rb', '.php',
+  '.rs', '.c', '.cpp', '.cc', '.cxx', '.h', '.hpp', '.cs',
+  '.tf', '.hcl', '.sql',
+]);
+
+// Parse .gitignore into patterns
+function parseGitignore(dirPath) {
+  const gitignorePath = join(dirPath, '.gitignore');
+  if (!existsSync(gitignorePath)) return [];
+
+  try {
+    const content = readFileSync(gitignorePath, 'utf-8');
+    return content.split('\n')
+      .map(line => line.trim())
+      .filter(line => line && !line.startsWith('#'))
+      .map(line => {
+        // Normalize: remove trailing slash for directories
+        if (line.endsWith('/')) return line.slice(0, -1) + '/**';
+        return line;
+      });
+  } catch {
+    return [];
+  }
+}
+
+// Check if a file path matches gitignore patterns
+function isGitignored(filePath, patterns) {
+  const normalized = filePath.replace(/\\/g, '/');
+  return patterns.some(pattern => matchGlob(normalized, pattern));
+}
+
+// Recursively walk a directory, respecting exclusions
+function walkDirectory(dirPath, options = {}) {
+  const { recursive = true, includePatterns = [], excludePatterns = [], gitignorePatterns = [], config } = options;
+  const files = [];
+
+  function walk(currentDir) {
+    let entries;
+    try {
+      entries = readdirSync(currentDir);
+    } catch {
+      return;
+    }
+
+    for (const entry of entries) {
+      // Skip hidden directories/files
+      if (entry.startsWith('.')) continue;
+
+      const fullPath = join(currentDir, entry);
+      const relativePath = relative(dirPath, fullPath);
+
+      let stat;
+      try {
+        stat = statSync(fullPath);
+      } catch {
+        continue;
+      }
+
+      if (stat.isDirectory()) {
+        // Skip common non-source directories
+        if (['node_modules', 'vendor', 'dist', 'build', '__pycache__', '.git',
+             'venv', 'env', '.venv', 'target', 'coverage'].includes(entry)) continue;
+
+        // Skip gitignored directories
+        if (isGitignored(relativePath, gitignorePatterns)) continue;
+
+        if (recursive) walk(fullPath);
+      } else if (stat.isFile()) {
+        const ext = extname(entry).toLowerCase();
+        const base = basename(entry).toLowerCase();
+
+        // Check extension or special filenames
+        if (!SCANNABLE_EXTENSIONS.has(ext) && base !== 'dockerfile') continue;
+
+        // Check gitignore
+        if (isGitignored(relativePath, gitignorePatterns)) continue;
+
+        // Check config exclusions
+        if (config && shouldExcludeFile(relativePath, config)) continue;
+
+        // Check include patterns (if specified, only include matching files)
+        if (includePatterns.length > 0) {
+          const matches = includePatterns.some(p => matchGlob(relativePath, p));
+          if (!matches) continue;
+        }
+
+        // Check exclude patterns (if specified, skip matching files)
+        if (excludePatterns.length > 0) {
+          const excluded = excludePatterns.some(p => matchGlob(relativePath, p) || relativePath.includes(p) || entry.includes(p));
+          if (excluded) continue;
+        }
+
+        files.push(fullPath);
+      }
+    }
+  }
+
+  walk(dirPath);
+  return files;
+}
+
+// Get git-changed files in a directory
+function getGitChangedFiles(dirPath) {
+  try {
+    const output = execFileSync('git', ['diff', '--name-only', 'HEAD'], {
+      cwd: dirPath, encoding: 'utf-8', timeout: 10000
+    });
+    const untrackedOutput = execFileSync('git', ['ls-files', '--others', '--exclude-standard'], {
+      cwd: dirPath, encoding: 'utf-8', timeout: 10000
+    });
+    const allFiles = [...output.trim().split('\n'), ...untrackedOutput.trim().split('\n')]
+      .filter(f => f.trim())
+      .map(f => resolve(dirPath, f))
+      .filter(f => existsSync(f));
+    return [...new Set(allFiles)];
+  } catch {
+    return [];
+  }
+}
+
+// Calculate security grade based on findings
+function calculateGrade(totalIssues, totalFiles, errorCount) {
+  if (totalFiles === 0) return 'A';
+  const density = totalIssues / totalFiles;
+
+  if (errorCount === 0 && density === 0) return 'A';
+  if (errorCount === 0 && density < 0.5) return 'B';
+  if (errorCount <= 2 && density < 1.5) return 'C';
+  if (errorCount <= 5 && density < 3) return 'D';
+  return 'F';
+}
+
+export async function scanProject({ directory_path, recursive, include_patterns, exclude_patterns, diff_only, cross_file, verbosity }) {
+  const dirPath = resolve(directory_path);
+
+  if (!existsSync(dirPath)) {
+    return {
+      content: [{ type: "text", text: JSON.stringify({ error: "Directory not found" }) }]
+    };
+  }
+
+  // Load config from directory
+  const config = loadConfig(join(dirPath, 'dummy.js'));
+  const gitignorePatterns = parseGitignore(dirPath);
+
+  // Get files to scan
+  let files;
+  if (diff_only) {
+    files = getGitChangedFiles(dirPath);
+  } else {
+    files = walkDirectory(dirPath, {
+      recursive: recursive !== false,
+      includePatterns: include_patterns || [],
+      excludePatterns: exclude_patterns || [],
+      gitignorePatterns,
+      config
+    });
+  }
+
+  // Filter to scannable extensions
+  files = files.filter(f => {
+    const ext = extname(f).toLowerCase();
+    const base = basename(f).toLowerCase();
+    return SCANNABLE_EXTENSIONS.has(ext) || base === 'dockerfile';
+  });
+
+  if (files.length === 0) {
+    return {
+      content: [{ type: "text", text: JSON.stringify({
+        directory: dirPath,
+        message: "No scannable files found",
+        files_scanned: 0,
+        grade: 'A'
+      }) }]
+    };
+  }
+
+  // Scan each file
+  const allIssues = [];
+  const byFile = {};
+  const bySeverity = { error: 0, warning: 0, info: 0 };
+  const byCategory = {};
+
+  for (const filePath of files) {
+    const result = await scanSecurity({ file_path: filePath, verbosity: 'full' });
+    const parsed = JSON.parse(result.content[0].text);
+
+    if (parsed.issues && Array.isArray(parsed.issues)) {
+      const relativePath = relative(dirPath, filePath);
+      byFile[relativePath] = parsed.issues.length;
+
+      for (const issue of parsed.issues) {
+        allIssues.push({ ...issue, file: relativePath });
+        bySeverity[issue.severity] = (bySeverity[issue.severity] || 0) + 1;
+        const category = issue.ruleId?.split('.')[0] || 'other';
+        byCategory[category] = (byCategory[category] || 0) + 1;
+      }
+    }
+  }
+
+  // Cross-file taint analysis (opt-in, max 50 files)
+  let crossFileIssues = [];
+  if (cross_file && files.length <= 50) {
+    try {
+      const { runCrossFileAnalyzer } = await import('../utils.js');
+      if (typeof runCrossFileAnalyzer === 'function') {
+        const crossResults = runCrossFileAnalyzer(files);
+        if (Array.isArray(crossResults)) {
+          crossFileIssues = crossResults;
+          for (const issue of crossFileIssues) {
+            const relativePath = relative(dirPath, issue.file || '');
+            allIssues.push({ ...issue, file: relativePath });
+            bySeverity[issue.severity] = (bySeverity[issue.severity] || 0) + 1;
+          }
+        }
+      }
+    } catch {
+      // Cross-file analysis not available
+    }
+  }
+
+  const grade = calculateGrade(allIssues.length, files.length, bySeverity.error);
+  const level = verbosity || 'compact';
+
+  if (level === 'minimal') {
+    return {
+      content: [{ type: "text", text: JSON.stringify({
+        directory: dirPath,
+        files_scanned: files.length,
+        total: allIssues.length,
+        critical: bySeverity.error,
+        warning: bySeverity.warning,
+        info: bySeverity.info,
+        grade,
+        message: allIssues.length > 0
+          ? `Found ${allIssues.length} issue(s) across ${files.length} files. Grade: ${grade}`
+          : `No issues found in ${files.length} files. Grade: ${grade}`
+      }) }]
+    };
+  }
+
+  if (level === 'compact') {
+    // Show top issues per file, sorted by severity
+    const topIssues = allIssues
+      .sort((a, b) => {
+        const order = { error: 0, warning: 1, info: 2 };
+        return (order[a.severity] || 2) - (order[b.severity] || 2);
+      })
+      .slice(0, 50)
+      .map(i => ({
+        file: i.file,
+        line: (i.line || 0) + 1,
+        ruleId: i.ruleId,
+        severity: i.severity,
+        message: i.message
+      }));
+
+    return {
+      content: [{ type: "text", text: JSON.stringify({
+        directory: dirPath,
+        files_scanned: files.length,
+        issues_count: allIssues.length,
+        grade,
+        by_severity: bySeverity,
+        by_category: byCategory,
+        cross_file_issues: crossFileIssues.length > 0 ? crossFileIssues.length : undefined,
+        issues: topIssues
+      }, null, 2) }]
+    };
+  }
+
+  // full
+  return {
+    content: [{ type: "text", text: JSON.stringify({
+      directory: dirPath,
+      files_scanned: files.length,
+      issues_count: allIssues.length,
+      grade,
+      by_severity: bySeverity,
+      by_category: byCategory,
+      by_file: byFile,
+      cross_file_issues: crossFileIssues.length > 0 ? crossFileIssues : undefined,
+      issues: allIssues,
+      scanned_files: files.map(f => relative(dirPath, f))
+    }, null, 2) }]
+  };
+}

package/src/tools/scan-security.js

@@ -2,11 +2,15 @@
 import { z } from "zod";
 import { existsSync, readFileSync } from "fs";
 import { detectLanguage, runAnalyzer, generateFix, toSarif } from '../utils.js';
+import { deduplicateFindings } from '../dedup.js';
+import { applyContextFilter, detectFrameworks, applyFrameworkAdjustments } from '../context.js';
+import { loadConfig, shouldExcludeFile, applyConfig } from '../config.js';
 
 export const scanSecuritySchema = {
   file_path: z.string().describe("Path to the file to scan"),
   output_format: z.enum(['json', 'sarif']).optional().describe("Output format: 'json' (default) or 'sarif' for GitHub/GitLab integration"),
-  verbosity: z.enum(['minimal', 'compact', 'full']).optional().describe("Response detail level: 'minimal' (counts only), 'compact' (default, actionable info), 'full' (complete metadata)")
+  verbosity: z.enum(['minimal', 'compact', 'full']).optional().describe("Response detail level: 'minimal' (counts only), 'compact' (default, actionable info), 'full' (complete metadata)"),
+  engine: z.enum(['auto', 'ast', 'regex']).optional().describe("Analysis engine: 'auto' (default, AST with regex fallback), 'ast' (tree-sitter only), 'regex' (regex only)")
 };
 
 // Verbosity formatters
@@ -35,6 +39,7 @@ function formatCompact(file_path, language, issues) {
       line: i.line + 1,
       ruleId: i.ruleId,
       severity: i.severity,
+      confidence: i.confidence || 'MEDIUM',
       message: i.message,
       fix: i.suggested_fix?.fixed ? i.suggested_fix.fixed.trim() : null
     }))
@@ -50,26 +55,49 @@ function formatFull(file_path, language, issues) {
   };
 }
 
-export async function scanSecurity({ file_path, output_format, verbosity }) {
+export async function scanSecurity({ file_path, output_format, verbosity, engine }) {
   if (!existsSync(file_path)) {
     return {
       content: [{ type: "text", text: JSON.stringify({ error: "File not found" }) }]
     };
   }
 
-  const issues = runAnalyzer(file_path);
+  // Load project configuration
+  const config = loadConfig(file_path);
 
-  if (issues.error) {
+  // Check file exclusion
+  if (shouldExcludeFile(file_path, config)) {
     return {
-      content: [{ type: "text", text: JSON.stringify(issues) }]
+      content: [{ type: "text", text: JSON.stringify({ file: file_path, message: "File excluded by configuration", issues_count: 0 }) }]
     };
   }
 
+  const rawIssues = runAnalyzer(file_path, engine || 'auto');
+
+  if (rawIssues.error) {
+    return {
+      content: [{ type: "text", text: JSON.stringify(rawIssues) }]
+    };
+  }
+
+  // Cross-engine deduplication
+  const dedupedIssues = deduplicateFindings(rawIssues);
+
   // Read file content for fix suggestions
   const content = readFileSync(file_path, 'utf-8');
   const lines = content.split('\n');
   const language = detectLanguage(file_path);
 
+  // Context-aware filtering (suppress known module imports)
+  const contextFiltered = applyContextFilter(dedupedIssues, file_path, language);
+
+  // Framework-aware severity adjustment
+  const frameworks = detectFrameworks(file_path, language);
+  const frameworkAdjusted = applyFrameworkAdjustments(contextFiltered, frameworks);
+
+  // Apply .scannerrc configuration (rule suppression, severity/confidence thresholds)
+  const issues = applyConfig(frameworkAdjusted, file_path, config);
+
   // Enhance issues with fix suggestions
   const enhancedIssues = issues.map(issue => {
     const line = lines[issue.line] || '';