agent-security-scanner-mcp 3.4.0 → 3.5.1

package/src/config.js

@@ -1,181 +0,0 @@
-// .scannerrc configuration loading and filtering.
-// Supports YAML (.scannerrc.yaml/.yml) and JSON (.scannerrc.json) project configs.
-
-import { existsSync, readFileSync } from 'fs';
-import { dirname, join, resolve, sep } from 'path';
-import { execFileSync } from 'child_process';
-
-const DEFAULT_CONFIG = {
-  version: 1,
-  suppress: [],
-  exclude: ['node_modules/**', 'vendor/**', 'dist/**', '**/*.min.js'],
-  severity_threshold: 'info',
-  confidence_threshold: 'LOW',
-};
-
-const SEVERITY_ORDER = { info: 0, warning: 1, error: 2 };
-const CONFIDENCE_ORDER = { LOW: 0, MEDIUM: 1, HIGH: 2 };
-
-// Simple glob-to-regex converter (no external dependency)
-function globToRegex(pattern) {
-  let regex = '';
-  let i = 0;
-  while (i < pattern.length) {
-    const c = pattern[i];
-    if (c === '*') {
-      if (pattern[i + 1] === '*') {
-        if (pattern[i + 2] === '/') {
-          regex += '(?:.+/)?';
-          i += 3;
-          continue;
-        }
-        regex += '.*';
-        i += 2;
-        continue;
-      }
-      regex += '[^/]*';
-    } else if (c === '?') {
-      regex += '[^/]';
-    } else if (c === '{') {
-      regex += '(?:';
-    } else if (c === '}') {
-      regex += ')';
-    } else if (c === ',') {
-      regex += '|';
-    } else if ('.+^$|()[]\\'.includes(c)) {
-      regex += '\\' + c;
-    } else {
-      regex += c;
-    }
-    i++;
-  }
-  return new RegExp('^' + regex + '$');
-}
-
-export function matchGlob(filePath, pattern) {
-  // Normalize path separators
-  const normalized = filePath.replace(/\\/g, '/');
-  const re = globToRegex(pattern);
-  // Test against both full path and basename
-  return re.test(normalized) || re.test(normalized.split('/').pop());
-}
-
-// Walk up from filePath to find config file
-function findConfigFile(startPath) {
-  const names = ['.scannerrc.yaml', '.scannerrc.yml', '.scannerrc.json'];
-  let dir = resolve(dirname(startPath));
-  const root = resolve('/');
-
-  for (let i = 0; i < 50; i++) {
-    for (const name of names) {
-      const candidate = join(dir, name);
-      if (existsSync(candidate)) return candidate;
-    }
-    const parent = dirname(dir);
-    if (parent === dir || dir === root) break;
-    dir = parent;
-  }
-  return null;
-}
-
-function parseYaml(filePath) {
-  try {
-    const result = execFileSync('python3', [
-      '-c',
-      'import yaml,json,sys; print(json.dumps(yaml.safe_load(open(sys.argv[1]))))',
-      filePath,
-    ], { encoding: 'utf-8', timeout: 5000 });
-    return JSON.parse(result.trim());
-  } catch {
-    // Fallback: try simple key-value parsing for basic configs
-    return null;
-  }
-}
-
-export function loadConfig(filePath) {
-  const configFile = findConfigFile(filePath);
-  if (!configFile) return { ...DEFAULT_CONFIG };
-
-  try {
-    let parsed;
-    if (configFile.endsWith('.json')) {
-      parsed = JSON.parse(readFileSync(configFile, 'utf-8'));
-    } else {
-      parsed = parseYaml(configFile);
-    }
-
-    if (!parsed || typeof parsed !== 'object') return { ...DEFAULT_CONFIG };
-
-    return {
-      version: parsed.version || DEFAULT_CONFIG.version,
-      suppress: Array.isArray(parsed.suppress) ? parsed.suppress : DEFAULT_CONFIG.suppress,
-      exclude: Array.isArray(parsed.exclude) ? parsed.exclude : DEFAULT_CONFIG.exclude,
-      severity_threshold: parsed.severity_threshold || DEFAULT_CONFIG.severity_threshold,
-      confidence_threshold: parsed.confidence_threshold || DEFAULT_CONFIG.confidence_threshold,
-    };
-  } catch {
-    return { ...DEFAULT_CONFIG };
-  }
-}
-
-export function shouldExcludeFile(filePath, config) {
-  if (!config.exclude || config.exclude.length === 0) return false;
-  const normalized = filePath.replace(/\\/g, '/');
-  return config.exclude.some(pattern => matchGlob(normalized, pattern));
-}
-
-export function shouldSuppressRule(ruleId, filePath, config) {
-  if (!config.suppress || config.suppress.length === 0) return false;
-
-  for (const entry of config.suppress) {
-    const rule = typeof entry === 'string' ? entry : entry.rule;
-    if (!rule) continue;
-
-    // Check if rule pattern matches
-    const ruleMatches = matchGlob(ruleId, rule);
-    if (!ruleMatches) continue;
-
-    // Check path restriction if present
-    if (entry.paths && Array.isArray(entry.paths)) {
-      const normalized = filePath.replace(/\\/g, '/');
-      const pathMatches = entry.paths.some(p => matchGlob(normalized, p));
-      if (!pathMatches) continue;
-    }
-
-    return true;
-  }
-
-  return false;
-}
-
-export function meetsSeverityThreshold(severity, config) {
-  const threshold = config.severity_threshold || 'info';
-  const severityLevel = SEVERITY_ORDER[severity] ?? 0;
-  const thresholdLevel = SEVERITY_ORDER[threshold] ?? 0;
-  return severityLevel >= thresholdLevel;
-}
-
-export function meetsConfidenceThreshold(confidence, config) {
-  const threshold = config.confidence_threshold || 'LOW';
-  const confidenceLevel = CONFIDENCE_ORDER[confidence] ?? 0;
-  const thresholdLevel = CONFIDENCE_ORDER[threshold] ?? 0;
-  return confidenceLevel >= thresholdLevel;
-}
-
-export function applyConfig(findings, filePath, config) {
-  if (!Array.isArray(findings)) return findings;
-  if (!config) return findings;
-
-  return findings.filter(finding => {
-    // Check rule suppression
-    if (shouldSuppressRule(finding.ruleId, filePath, config)) return false;
-
-    // Check severity threshold
-    if (!meetsSeverityThreshold(finding.severity, config)) return false;
-
-    // Check confidence threshold
-    if (!meetsConfidenceThreshold(finding.confidence || 'MEDIUM', config)) return false;
-
-    return true;
-  });
-}

package/src/context.js

@@ -1,228 +0,0 @@
-// Context-aware filtering to reduce false positives.
-// Suppresses findings on import-only lines for known standard/popular modules.
-
-import { existsSync, readFileSync } from 'fs';
-import { dirname, join } from 'path';
-
-// Known safe standard library and popular modules per language
-const KNOWN_MODULES = {
-  javascript: new Set([
-    // Node.js builtins
-    'assert', 'buffer', 'child_process', 'cluster', 'crypto', 'dgram',
-    'dns', 'events', 'fs', 'http', 'http2', 'https', 'net', 'os',
-    'path', 'perf_hooks', 'process', 'querystring', 'readline', 'stream',
-    'string_decoder', 'timers', 'tls', 'tty', 'url', 'util', 'v8',
-    'vm', 'worker_threads', 'zlib',
-    // Popular frameworks/libraries
-    'express', 'koa', 'fastify', 'hapi', 'next', 'nuxt',
-    'react', 'react-dom', 'vue', 'angular', 'svelte',
-    'lodash', 'underscore', 'ramda',
-    'axios', 'node-fetch', 'got', 'superagent',
-    'moment', 'dayjs', 'date-fns', 'luxon',
-    'winston', 'morgan', 'pino', 'bunyan',
-    'helmet', 'cors', 'body-parser', 'cookie-parser', 'compression',
-    'passport', 'jsonwebtoken', 'bcrypt', 'bcryptjs',
-    'jest', 'mocha', 'chai', 'vitest', 'sinon', 'tape',
-    'typescript', 'webpack', 'vite', 'esbuild', 'rollup', 'parcel',
-    'mysql', 'mysql2', 'pg', 'mongodb', 'mongoose', 'redis', 'ioredis',
-    'sequelize', 'knex', 'prisma', 'typeorm', 'drizzle-orm',
-    'zod', 'joi', 'yup', 'ajv',
-    'dotenv', 'config', 'commander', 'yargs',
-    'chalk', 'debug', 'uuid', 'nanoid',
-    'socket.io', 'ws',
-  ]),
-  typescript: new Set([
-    // Same as JavaScript - TS shares the same ecosystem
-    'assert', 'buffer', 'child_process', 'cluster', 'crypto', 'dgram',
-    'dns', 'events', 'fs', 'http', 'http2', 'https', 'net', 'os',
-    'path', 'process', 'querystring', 'readline', 'stream', 'tls',
-    'url', 'util', 'worker_threads', 'zlib',
-    'express', 'koa', 'fastify', 'next', 'nuxt',
-    'react', 'react-dom', 'vue', 'angular', 'svelte',
-    'lodash', 'axios', 'node-fetch',
-    'helmet', 'cors', 'body-parser',
-    'jest', 'mocha', 'vitest',
-    'typescript', 'webpack', 'vite', 'esbuild',
-    'mysql', 'mysql2', 'pg', 'mongodb', 'mongoose', 'redis',
-    'sequelize', 'knex', 'prisma', 'typeorm',
-    'zod', 'joi',
-  ]),
-  python: new Set([
-    // Standard library
-    'os', 'sys', 'json', 'math', 'datetime', 'collections', 're',
-    'pathlib', 'typing', 'abc', 'io', 'subprocess', 'shutil',
-    'hashlib', 'hmac', 'secrets', 'sqlite3', 'csv', 'xml',
-    'urllib', 'http', 'socket', 'ssl', 'email', 'logging',
-    'unittest', 'argparse', 'configparser', 'functools', 'itertools',
-    'contextlib', 'dataclasses', 'enum', 'struct', 'copy', 'pprint',
-    'textwrap', 'string', 'codecs', 'base64', 'binascii',
-    'threading', 'multiprocessing', 'asyncio', 'concurrent',
-    'pickle', 'shelve', 'marshal', 'dbm',
-    'tempfile', 'glob', 'fnmatch', 'stat',
-    'time', 'calendar', 'locale', 'gettext',
-    'random', 'statistics',
-    // Popular packages
-    'pytest', 'mock', 'coverage',
-    'flask', 'django', 'fastapi', 'starlette', 'uvicorn', 'gunicorn',
-    'requests', 'httpx', 'aiohttp', 'urllib3',
-    'sqlalchemy', 'alembic', 'psycopg2', 'pymongo',
-    'celery', 'redis', 'boto3', 'botocore',
-    'numpy', 'pandas', 'scipy', 'matplotlib',
-    'pydantic', 'marshmallow', 'attrs',
-    'click', 'typer', 'rich',
-    'yaml', 'toml', 'dotenv',
-  ]),
-  ruby: new Set([
-    'rails', 'sinatra', 'rack', 'puma', 'unicorn',
-    'bundler', 'rake', 'rspec', 'minitest',
-    'activerecord', 'activesupport', 'actionpack',
-    'devise', 'pundit', 'cancancan',
-    'json', 'yaml', 'csv', 'net/http', 'uri', 'openssl',
-    'fileutils', 'pathname', 'tempfile', 'logger',
-  ]),
-  go: new Set([
-    'fmt', 'os', 'io', 'net', 'net/http', 'encoding/json',
-    'encoding/xml', 'crypto', 'crypto/tls', 'database/sql',
-    'sync', 'context', 'errors', 'strings', 'strconv',
-    'path', 'path/filepath', 'log', 'testing', 'time',
-    'math', 'sort', 'regexp', 'reflect', 'bufio',
-  ]),
-};
-
-// Patterns that identify import-only lines (no actual code execution)
-const IMPORT_ONLY_PATTERNS = [
-  // JS/TS require
-  /^\s*(const|let|var)\s+\w+\s*=\s*require\s*\(\s*['"][^'"]+['"]\s*\)\s*;?\s*$/,
-  /^\s*(const|let|var)\s+\{[^}]+\}\s*=\s*require\s*\(\s*['"][^'"]+['"]\s*\)\s*;?\s*$/,
-  // JS/TS import
-  /^\s*import\s+.*\s+from\s+['"][^'"]+['"]\s*;?\s*$/,
-  /^\s*import\s+['"][^'"]+['"]\s*;?\s*$/,
-  /^\s*import\s+\w+\s*$/,
-  // Python import
-  /^\s*import\s+[a-zA-Z_][\w.]*\s*(,\s*[a-zA-Z_][\w.]*)*\s*$/,
-  /^\s*from\s+[a-zA-Z_][\w.]*\s+import\s+/,
-  // Ruby require
-  /^\s*require\s+['"][^'"]+['"]\s*$/,
-  /^\s*require_relative\s+['"][^'"]+['"]\s*$/,
-  // Go import (single line)
-  /^\s*"[a-zA-Z_][\w/.]*"\s*$/,
-];
-
-export function isImportOnly(line) {
-  let trimmed = line.trim();
-  if (!trimmed) return false;
-  // Strip trailing single-line comments (JS/Python/Ruby)
-  trimmed = trimmed.replace(/\s*\/\/.*$/, '').replace(/\s*#(?!!).*$/, '').trim();
-  if (!trimmed) return false;
-  return IMPORT_ONLY_PATTERNS.some(p => p.test(trimmed));
-}
-
-export function isKnownModule(moduleName, language) {
-  const modules = KNOWN_MODULES[language];
-  if (!modules) return false;
-  // Handle scoped packages (@org/pkg -> check full name)
-  // Handle subpath imports (child_process -> child_process)
-  const baseName = moduleName.split('/')[0];
-  return modules.has(moduleName) || modules.has(baseName);
-}
-
-// Extract module name from a line of code
-function extractModuleName(line) {
-  // JS/TS: require("module") or require('module')
-  const requireMatch = line.match(/require\s*\(\s*['"]([^'"]+)['"]\s*\)/);
-  if (requireMatch) return requireMatch[1];
-
-  // JS/TS: import ... from "module"
-  const importFromMatch = line.match(/from\s+['"]([^'"]+)['"]/);
-  if (importFromMatch) return importFromMatch[1];
-
-  // Python: import module or from module import ...
-  const pyImportMatch = line.match(/^\s*import\s+([a-zA-Z_][\w]*)/);
-  if (pyImportMatch) return pyImportMatch[1];
-
-  const pyFromMatch = line.match(/^\s*from\s+([a-zA-Z_][\w]*)/);
-  if (pyFromMatch) return pyFromMatch[1];
-
-  return null;
-}
-
-// Filter findings based on context awareness
-export function applyContextFilter(findings, filePath, language) {
-  if (!Array.isArray(findings) || findings.length === 0) return findings;
-
-  let lines = [];
-  try {
-    if (existsSync(filePath)) {
-      lines = readFileSync(filePath, 'utf-8').split('\n');
-    }
-  } catch {
-    return findings;
-  }
-
-  return findings.filter(finding => {
-    const line = lines[finding.line] || '';
-
-    // Only filter import-only lines
-    if (!isImportOnly(line)) return true;
-
-    // Check if the module is known/safe
-    const moduleName = extractModuleName(line);
-    if (moduleName && isKnownModule(moduleName, language)) {
-      return false; // Suppress finding on known module import
-    }
-
-    return true;
-  });
-}
-
-// Framework/middleware detection patterns
-const FRAMEWORK_PATTERNS = {
-  helmet: { pattern: /require\s*\(\s*['"]helmet['"]\s*\)|from\s+['"]helmet['"]|import\s+.*helmet/, languages: ['javascript', 'typescript'] },
-  dompurify: { pattern: /require\s*\(\s*['"](?:dompurify|isomorphic-dompurify)['"]\s*\)|from\s+['"](?:dompurify|isomorphic-dompurify)['"]|import\s+.*(?:dompurify|DOMPurify)/, languages: ['javascript', 'typescript'] },
-  csurf: { pattern: /require\s*\(\s*['"]csurf['"]\s*\)|from\s+['"]csurf['"]/, languages: ['javascript', 'typescript'] },
-  cors: { pattern: /require\s*\(\s*['"]cors['"]\s*\)|from\s+['"]cors['"]/, languages: ['javascript', 'typescript'] },
-  prisma: { pattern: /from\s+prisma|import\s+prisma|@prisma\/client/, languages: ['javascript', 'typescript', 'python'] },
-  bcrypt: { pattern: /import\s+bcrypt|from\s+bcrypt|require\s*\(\s*['"]bcryptjs?['"]\s*\)/, languages: ['javascript', 'typescript', 'python'] },
-};
-
-// Maps framework -> which rule categories it mitigates -> downgraded severity
-const SEVERITY_DOWNGRADE = {
-  helmet: { mitigates: ['xss', 'innerhtml', 'outerhtml', 'document-write', 'cors-wildcard'], to: 'warning' },
-  dompurify: { mitigates: ['xss', 'innerhtml', 'outerhtml', 'dangerouslysetinnerhtml', 'insertadjacenthtml', 'document-write'], to: 'warning' },
-  csurf: { mitigates: ['csrf'], to: 'warning' },
-  cors: { mitigates: ['cors-wildcard'], to: 'info' },
-  prisma: { mitigates: ['sql-injection', 'nosql-injection', 'raw-query'], to: 'warning' },
-  bcrypt: { mitigates: ['md5', 'sha1', 'weak-hash', 'weak-cipher'], to: 'info' },
-};
-
-export function detectFrameworks(filePath, language) {
-  const detected = [];
-  try {
-    if (!existsSync(filePath)) return detected;
-    const content = readFileSync(filePath, 'utf-8');
-    for (const [name, config] of Object.entries(FRAMEWORK_PATTERNS)) {
-      if (config.languages.includes(language) && config.pattern.test(content)) {
-        detected.push(name);
-      }
-    }
-  } catch {
-    // Ignore read errors
-  }
-  return detected;
-}
-
-export function applyFrameworkAdjustments(findings, frameworks) {
-  if (!Array.isArray(findings) || findings.length === 0 || frameworks.length === 0) return findings;
-
-  return findings.map(finding => {
-    const ruleId = finding.ruleId?.toLowerCase() || '';
-    for (const fw of frameworks) {
-      const downgrade = SEVERITY_DOWNGRADE[fw];
-      if (!downgrade) continue;
-      if (downgrade.mitigates.some(m => ruleId.includes(m))) {
-        return { ...finding, severity: downgrade.to, frameworkMitigated: fw };
-      }
-    }
-    return finding;
-  });
-}

package/src/dedup.js

@@ -1,129 +0,0 @@
-// Cross-engine deduplication for security findings.
-// When AST and regex engines flag the same vulnerability on the same line
-// with different ruleIds, this module merges them into a single finding.
-
-// Maps ruleId substrings to vulnerability classes for cross-engine dedup.
-// Order matters: more specific patterns must come before generic ones.
-const VULN_CLASS_PATTERNS = [
-  // XSS variants
-  ['innerhtml', 'xss-innerhtml'],
-  ['outerhtml', 'xss-outerhtml'],
-  ['document-write', 'xss-document-write'],
-  ['document.write', 'xss-document-write'],
-  ['insertadjacenthtml', 'xss-insertadjacenthtml'],
-  ['dangerouslysetinnerhtml', 'xss-dangerouslysetinnerhtml'],
-  ['mustache-escape', 'xss-innerhtml'],
-  ['insecure-document-method', 'xss-document-write'],
-  ['dom-based-xss', 'xss-dom'],
-  ['xss-echo', 'xss-echo'],
-  ['xss-raw', 'xss-raw'],
-  ['xss-response-write', 'xss-response-write'],
-
-  // SQL Injection
-  ['sql-injection', 'sqli'],
-  ['nosql-injection', 'nosqli'],
-
-  // Command Injection
-  ['child-process-exec', 'cmdi-exec'],
-  ['spawn-shell', 'cmdi-spawn'],
-  ['dangerous-subprocess', 'cmdi-subprocess'],
-  ['dangerous-system-call', 'cmdi-system'],
-  ['command-injection', 'cmdi'],
-  ['backticks-exec', 'cmdi-backticks'],
-  ['libc-system-call', 'cmdi-libc'],
-
-  // Code Injection
-  ['eval-detected', 'code-eval'],
-  ['eval-usage', 'code-eval'],
-  ['exec-detected', 'code-exec'],
-  ['function-constructor', 'code-function-constructor'],
-
-  // Deserialization
-  ['pickle-load', 'deser-pickle'],
-  ['unsafe-unserialize', 'deser-unserialize'],
-  ['unsafe-yaml-load', 'deser-yaml'],
-  ['yaml-load', 'deser-yaml'],
-  ['unsafe-marshal', 'deser-marshal'],
-  ['insecure-deserialization', 'deser'],
-
-  // Crypto
-  ['md5', 'weak-hash-md5'],
-  ['sha1', 'weak-hash-sha1'],
-  ['insecure-hash', 'weak-hash'],
-  ['weak-hash', 'weak-hash'],
-  ['weak-cipher', 'weak-cipher'],
-
-  // Secrets
-  ['hardcoded-password', 'hardcoded-password'],
-  ['hardcoded-secret', 'hardcoded-secret'],
-  ['hardcoded-api-key', 'hardcoded-api-key'],
-  ['hardcoded-connection-string', 'hardcoded-connection-string'],
-
-  // Path traversal
-  ['path-traversal', 'path-traversal'],
-
-  // SSL
-  ['ssl-verify-disabled', 'ssl-verify-disabled'],
-
-  // Random
-  ['insecure-random', 'insecure-random'],
-  ['weak-random', 'weak-random'],
-];
-
-// Engine priority (higher = more trusted analysis)
-const ENGINE_PRIORITY = {
-  'taint': 3,
-  'ast': 2,
-  'regex': 1,
-  'regex-fallback': 0,
-};
-
-const SEVERITY_ORDER = { error: 3, warning: 2, info: 1 };
-
-export function classifyFinding(ruleId) {
-  const lower = ruleId.toLowerCase();
-  for (const [pattern, vulnClass] of VULN_CLASS_PATTERNS) {
-    if (lower.includes(pattern)) return vulnClass;
-  }
-  return lower;
-}
-
-export function deduplicateFindings(findings) {
-  if (!Array.isArray(findings)) return findings;
-
-  // Group by (vulnClass, line)
-  const groups = new Map();
-  for (const finding of findings) {
-    const vulnClass = classifyFinding(finding.ruleId);
-    const key = `${vulnClass}:${finding.line}`;
-    if (!groups.has(key)) groups.set(key, []);
-    groups.get(key).push(finding);
-  }
-
-  const deduped = [];
-  for (const group of groups.values()) {
-    if (group.length === 1) {
-      deduped.push(group[0]);
-      continue;
-    }
-
-    // Sort by engine priority (highest first)
-    group.sort((a, b) =>
-      (ENGINE_PRIORITY[b.engine] || 0) - (ENGINE_PRIORITY[a.engine] || 0)
-    );
-
-    const best = { ...group[0] };
-
-    // Preserve highest severity across group
-    for (const f of group) {
-      if ((SEVERITY_ORDER[f.severity] || 0) > (SEVERITY_ORDER[best.severity] || 0)) {
-        best.severity = f.severity;
-      }
-    }
-
-    best.engines_matched = [...new Set(group.map(f => f.engine))];
-    deduped.push(best);
-  }
-
-  return deduped;
-}