agent-security-scanner-mcp 3.7.0 → 3.9.0

package/src/fix-patterns.js

@@ -63,24 +63,68 @@ export const FIX_TEMPLATES = {
   // COMMAND INJECTION
   // ===========================================
   "child-process-exec": {
-    description: "Use execFile() or spawn() with shell: false",
-    fix: (line) => line.replace(/\bexec\s*\(/, 'execFile(')
+    description: "Use execFile() with separate command and arguments array",
+    fix: (line) => {
+      // Match: exec("cmd " + arg) -> execFile("cmd", [arg])
+      const concatMatch = line.match(/\bexec\s*\(\s*["'](\S+)\s+["']\s*\+\s*(\w+)/);
+      if (concatMatch) {
+        return line.replace(/\bexec\s*\(\s*["'](\S+)\s+["']\s*\+\s*(\w+)\s*\)/, 'execFile("$1", [$2])');
+      }
+      // Match: exec(`cmd ${arg}`) -> execFile("cmd", [arg])
+      const templateMatch = line.match(/\bexec\s*\(\s*`(\S+)\s+\$\{(\w+)\}`/);
+      if (templateMatch) {
+        return line.replace(/\bexec\s*\(\s*`(\S+)\s+\$\{(\w+)\}`\s*\)/, 'execFile("$1", [$2])');
+      }
+      // Match: exec(variable) -> comment with guidance (cannot safely auto-fix)
+      const varMatch = line.match(/\bexec\s*\(\s*(\w+)\s*\)/);
+      if (varMatch) {
+        return '// SECURITY: Replace exec() with execFile(command, [args], {shell: false})\n// ' + line.trim();
+      }
+      // Fallback: comment with guidance
+      return '// SECURITY: Use execFile(command, [args]) instead of exec() - ' + line.trim();
+    }
   },
   "spawn-shell": {
     description: "Use spawn with shell: false",
     fix: (line) => line.replace(/shell\s*:\s*true/i, 'shell: false')
   },
   "dangerous-subprocess": {
-    description: "Use subprocess.run with list arguments",
-    fix: (line) => line.replace(/subprocess\.(call|run|Popen)\s*\(\s*["'](.+?)["']\s*,\s*shell\s*=\s*True/, 'subprocess.$1(["$2".split()], shell=False')
+    description: "Use subprocess.run with list arguments and shell=False",
+    fix: (line) => {
+      // Replace shell=True with shell=False
+      let fixed = line.replace(/shell\s*=\s*True/, 'shell=False');
+      // Replace string command with shlex.split() for safe list form
+      fixed = fixed.replace(
+        /subprocess\.(call|run|Popen)\s*\(\s*["'](.+?)["']/,
+        'subprocess.$1(shlex.split("$2")'
+      );
+      return fixed;
+    }
   },
   "dangerous-system-call": {
     description: "Use subprocess.run instead of os.system",
-    fix: (line) => line.replace(/os\.system\s*\(/, 'subprocess.run([')
+    fix: (line) => {
+      const match = line.match(/os\.system\s*\(\s*(.+?)\s*\)/);
+      if (match) {
+        return line.replace(
+          /os\.system\s*\(\s*(.+?)\s*\)/,
+          'subprocess.run(shlex.split($1), shell=False)'
+        );
+      }
+      return '# SECURITY: Replace os.system() with subprocess.run(shlex.split(cmd), shell=False)\n# ' + line.trim();
+    }
   },
   "command-injection-exec": {
-    description: "Use exec.Command with separate arguments",
-    fix: (line) => line.replace(/exec\.Command\s*\(\s*["'](\w+)\s+/, 'exec.Command("$1", ')
+    description: "Use exec.Command with separate arguments (no shell)",
+    fix: (line) => {
+      // Match: exec.Command("sh", "-c", "echo "+input) -> exec.Command("echo", input)
+      const shellMatch = line.match(/exec\.Command\s*\(\s*["']sh["']\s*,\s*["']-c["']\s*,\s*["'](\w+)\s+["']\s*\+\s*(\w+)/);
+      if (shellMatch) {
+        return line.replace(/exec\.Command\s*\(\s*["']sh["']\s*,\s*["']-c["']\s*,\s*["'](\w+)\s+["']\s*\+\s*(\w+)\s*\)/, 'exec.Command("$1", $2)');
+      }
+      // Match: exec.Command("cmd " + arg) -> exec.Command("cmd", arg)
+      return line.replace(/exec\.Command\s*\(\s*["'](\w+)\s+["']\s*\+\s*(\w+)\s*\)/, 'exec.Command("$1", $2)');
+    }
   },
   "runtime-exec": {
     description: "Use ProcessBuilder with separate arguments",
@@ -197,8 +241,11 @@ export const FIX_TEMPLATES = {
   // INSECURE DESERIALIZATION
   // ===========================================
   "pickle": {
-    description: "Use JSON instead of pickle",
-    fix: (line) => line.replace(/pickle\.(load|loads)\s*\(/, 'json.$1(')
+    description: "Use JSON instead of pickle for untrusted data",
+    fix: (line) => {
+      const fixed = line.replace(/pickle\.(load|loads)\s*\(/, 'json.$1(');
+      return fixed + '  # NOTE: data must be JSON-formatted';
+    }
   },
   "yaml-load": {
     description: "Use yaml.safe_load()",
@@ -209,8 +256,8 @@ export const FIX_TEMPLATES = {
     fix: (line) => line.replace(/marshal\.(load|loads)\s*\(/, 'json.$1(')
   },
   "shelve": {
-    description: "Use JSON or SQLite instead of shelve",
-    fix: (line) => line.replace(/shelve\.open\s*\(/, 'json.load(open(')
+    description: "Use JSON or SQLite instead of shelve for safe storage",
+    fix: (line) => '# SECURITY: Replace shelve with json or sqlite3 for safe storage\n# ' + line.trim()
   },
   "node-serialize": {
     description: "Use JSON.parse instead of node-serialize",
@@ -257,12 +304,12 @@ export const FIX_TEMPLATES = {
   // PATH TRAVERSAL
   // ===========================================
   "path-traversal": {
-    description: "Sanitize file paths and use basename",
+    description: "Resolve real path and validate prefix to prevent traversal",
     fix: (line, lang) => {
-      if (lang === 'python') return line.replace(/open\s*\(\s*(\w+)/, 'open(os.path.basename($1)');
-      if (lang === 'go') return line.replace(/os\.Open\s*\(\s*(\w+)/, 'os.Open(filepath.Base($1)');
-      if (lang === 'java') return line.replace(/new File\s*\(\s*(\w+)/, 'new File(new File($1).getName()');
-      return line.replace(/readFileSync\s*\(\s*(\w+)/, 'readFileSync(path.basename($1)');
+      if (lang === 'python') return line.replace(/open\s*\(\s*(\w+)/, 'open(os.path.realpath($1)  # TODO: validate path prefix');
+      if (lang === 'go') return line.replace(/os\.Open\s*\(\s*(\w+)/, 'os.Open(filepath.Clean($1)  // TODO: validate path prefix');
+      if (lang === 'java') return line.replace(/new File\s*\(\s*(\w+)/, 'new File($1).getCanonicalFile(  // TODO: validate path prefix');
+      return line.replace(/readFileSync\s*\(\s*(\w+)/, 'readFileSync(path.resolve($1)  // TODO: validate path prefix');
     }
   },
 
@@ -407,7 +454,14 @@ export const FIX_TEMPLATES = {
   // ===========================================
   "prototype-pollution": {
     description: "Validate object keys before assignment",
-    fix: (line) => line.replace(/(\w+)\[(\w+)\]\s*=/, 'if (!["__proto__", "constructor", "prototype"].includes($2)) $1[$2] =')
+    fix: (line) => {
+      // Only fix simple single-line assignments like: obj[key] = value
+      // Reject lines with multiple bracket accesses or chained assignments
+      if (/^\s*\w+\[\w+\]\s*=\s*[^[=]+$/.test(line)) {
+        return line.replace(/(\w+)\[(\w+)\]\s*=/, 'if (!["__proto__", "constructor", "prototype"].includes($2)) $1[$2] =');
+      }
+      return '// SECURITY: Validate key is not __proto__/constructor/prototype before assignment\n// ' + line.trim();
+    }
   },
 
   // ===========================================
@@ -443,7 +497,7 @@ export const FIX_TEMPLATES = {
   // ===========================================
   "helmet-missing": {
     description: "Add helmet middleware for security headers",
-    fix: (line) => 'app.use(helmet()); // Add security headers\n' + line
+    fix: (line) => '// TODO: Add app.use(helmet()) after Express app initialization\n' + line
   },
 
   // ===========================================
@@ -495,7 +549,10 @@ export const FIX_TEMPLATES = {
   },
   "run-shell-form": {
     description: "Use exec form for RUN commands",
-    fix: (line) => line.replace(/RUN\s+(.+)$/, 'RUN ["/bin/sh", "-c", "$1"]')
+    fix: (line) => line.replace(/RUN\s+(.+)$/, (_, cmd) => {
+      const escaped = cmd.replace(/"/g, '\\"');
+      return `RUN ["/bin/sh", "-c", "${escaped}"]`;
+    })
   },
   "sudo-in-dockerfile": {
     description: "Avoid sudo in Dockerfile - use USER directive",

package/src/history.js

@@ -0,0 +1,159 @@
+// src/history.js — Scan history tracking for team dashboard.
+// Stores results in .scanner/results/ within the scanned project directory.
+
+import { existsSync, mkdirSync, writeFileSync, readFileSync, readdirSync } from 'fs';
+import { join, basename } from 'path';
+
+const RESULTS_DIR = '.scanner/results';
+
+// Format a Date as YYYY-MM-DDTHH-MM-SS (filesystem-safe ISO timestamp)
+function formatTimestamp(date) {
+  const pad = (n) => String(n).padStart(2, '0');
+  return `${date.getFullYear()}-${pad(date.getMonth() + 1)}-${pad(date.getDate())}T${pad(date.getHours())}-${pad(date.getMinutes())}-${pad(date.getSeconds())}`;
+}
+
+// Parse a YYYY-MM-DDTHH-MM-SS filename back into a Date
+function parseTimestamp(filename) {
+  // Extract timestamp from filename like "2024-01-15T10-30-45.json"
+  const name = basename(filename, '.json');
+  const match = name.match(/^(\d{4})-(\d{2})-(\d{2})T(\d{2})-(\d{2})-(\d{2})$/);
+  if (!match) return null;
+  const [, year, month, day, hour, min, sec] = match.map(Number);
+  return new Date(year, month - 1, day, hour, min, sec);
+}
+
+/**
+ * Save a scan result to .scanner/results/YYYY-MM-DDTHH-MM-SS.json
+ *
+ * @param {string} dirPath - The scanned project directory
+ * @param {object} scanResult - The scan result object from scanProject (parsed JSON output)
+ * @returns {string} Path to the saved result file
+ */
+export function saveResult(dirPath, scanResult) {
+  const resultsDir = join(dirPath, RESULTS_DIR);
+  mkdirSync(resultsDir, { recursive: true });
+
+  const now = new Date();
+  const timestamp = formatTimestamp(now);
+  const filename = `${timestamp}.json`;
+  const filePath = join(resultsDir, filename);
+
+  const historyEntry = {
+    timestamp: now.toISOString(),
+    directory: scanResult.directory || dirPath,
+    grade: scanResult.grade || 'A',
+    files_scanned: scanResult.files_scanned || 0,
+    issues_count: scanResult.issues_count || scanResult.total || 0,
+    by_severity: scanResult.by_severity || { error: 0, warning: 0, info: 0 },
+    issues: scanResult.issues || [],
+  };
+
+  writeFileSync(filePath, JSON.stringify(historyEntry, null, 2) + '\n');
+  return filePath;
+}
+
+/**
+ * Load scan results from .scanner/results/ within the last N days.
+ *
+ * @param {string} dirPath - The scanned project directory
+ * @param {number} days - Number of days to look back (default: 90)
+ * @returns {object[]} Array of history entries, sorted oldest-first
+ */
+export function loadHistory(dirPath, days = 90) {
+  const resultsDir = join(dirPath, RESULTS_DIR);
+  if (!existsSync(resultsDir)) return [];
+
+  const cutoff = new Date();
+  cutoff.setDate(cutoff.getDate() - days);
+
+  let files;
+  try {
+    files = readdirSync(resultsDir).filter(f => f.endsWith('.json'));
+  } catch {
+    return [];
+  }
+
+  const results = [];
+  for (const file of files) {
+    const fileDate = parseTimestamp(file);
+    if (!fileDate || fileDate < cutoff) continue;
+
+    try {
+      const content = readFileSync(join(resultsDir, file), 'utf-8');
+      const entry = JSON.parse(content);
+      results.push(entry);
+    } catch {
+      // Skip corrupt files
+      continue;
+    }
+  }
+
+  // Sort oldest-first by timestamp
+  results.sort((a, b) => new Date(a.timestamp) - new Date(b.timestamp));
+  return results;
+}
+
+/**
+ * Get trend data from scan history.
+ *
+ * @param {string} dirPath - The scanned project directory
+ * @param {number} days - Number of days to look back (default: 90)
+ * @returns {{ grades: Array<{date: string, grade: string}>, issues: Array<{date: string, total: number, critical: number, warning: number, info: number}> }}
+ */
+export function getTrends(dirPath, days = 90) {
+  const history = loadHistory(dirPath, days);
+
+  const grades = history.map(entry => ({
+    date: entry.timestamp,
+    grade: entry.grade,
+  }));
+
+  const issues = history.map(entry => {
+    const severity = entry.by_severity || {};
+    return {
+      date: entry.timestamp,
+      total: entry.issues_count || 0,
+      critical: severity.error || 0,
+      warning: severity.warning || 0,
+      info: severity.info || 0,
+    };
+  });
+
+  return { grades, issues };
+}
+
+/**
+ * Compare two scan results to find new, fixed, and unchanged issues.
+ * Issues are compared by ruleId + file + line.
+ *
+ * @param {object} current - Current scan result (must have .issues array)
+ * @param {object} previous - Previous scan result (must have .issues array)
+ * @returns {{ new_issues: object[], fixed_issues: object[], unchanged: number }}
+ */
+export function diffResults(current, previous) {
+  const currentIssues = current.issues || [];
+  const previousIssues = previous.issues || [];
+
+  // Build a key for each issue: ruleId + file + line
+  function issueKey(issue) {
+    return `${issue.ruleId || ''}::${issue.file || ''}::${issue.line || 0}`;
+  }
+
+  const currentKeys = new Set(currentIssues.map(issueKey));
+  const previousKeys = new Set(previousIssues.map(issueKey));
+
+  // New issues: in current but not in previous
+  const newIssues = currentIssues.filter(i => !previousKeys.has(issueKey(i)));
+
+  // Fixed issues: in previous but not in current
+  const fixedIssues = previousIssues.filter(i => !currentKeys.has(issueKey(i)));
+
+  // Unchanged: in both
+  const unchanged = currentIssues.filter(i => previousKeys.has(issueKey(i))).length;
+
+  return {
+    new_issues: newIssues,
+    fixed_issues: fixedIssues,
+    unchanged,
+  };
+}

package/src/tools/check-package.js

@@ -4,6 +4,7 @@ import { join, dirname } from "path";
 import { fileURLToPath } from "url";
 import bloomFilters from "bloom-filters";
 const { BloomFilter } = bloomFilters;
+import { findSimilarPackages, checkDependencyConfusion } from '../typosquat.js';
 
 // Handle both ESM and CJS bundling (Smithery bundles to CJS)
 let __dirname;
@@ -149,21 +150,44 @@ export async function checkPackage({ package_name, ecosystem }) {
   const confidence = result.bloomFilter ? "medium" : "high";
   const totalPackages = getTotalPackages(ecosystem);
 
+  // Enhanced response with typosquatting and dependency confusion checks
+  const response = {
+    package: package_name,
+    ecosystem,
+    legitimate: exists,
+    hallucinated: !exists,
+    confidence,
+    bloom_filter: !!result.bloomFilter,
+    total_known_packages: totalPackages,
+    recommendation: exists
+      ? "Package exists in registry - safe to use"
+      : "POTENTIAL HALLUCINATION - Package not found in registry. Verify before using!"
+  };
+
+  // If package not found, check for typosquatting
+  if (!exists) {
+    const similar = findSimilarPackages(package_name, ecosystem);
+    if (similar.length > 0) {
+      response.typosquatting = {
+        similar_packages: similar,
+        warning: `Package '${package_name}' is similar to known packages. This could be a typosquatting attack.`
+      };
+    }
+  }
+
+  // Check for dependency confusion risk regardless of existence
+  const confusionCheck = checkDependencyConfusion(package_name);
+  if (confusionCheck.risk) {
+    response.dependency_confusion = {
+      risk: true,
+      warning: confusionCheck.warning
+    };
+  }
+
   return {
     content: [{
       type: "text",
-      text: JSON.stringify({
-        package: package_name,
-        ecosystem,
-        legitimate: exists,
-        hallucinated: !exists,
-        confidence,
-        bloom_filter: !!result.bloomFilter,
-        total_known_packages: totalPackages,
-        recommendation: exists
-          ? "Package exists in registry - safe to use"
-          : "⚠️ POTENTIAL HALLUCINATION - Package not found in registry. Verify before using!"
-      }, null, 2)
+      text: JSON.stringify(response, null, 2)
     }]
   };
 }

package/src/tools/fix-security.js

@@ -1,7 +1,10 @@
 // src/tools/fix-security.js
 import { z } from "zod";
 import { existsSync, readFileSync } from "fs";
-import { detectLanguage, runAnalyzer, generateFix } from '../utils.js';
+import { detectLanguage, runAnalyzerAsync, generateFix } from '../utils.js';
+import { deduplicateFindings } from '../dedup.js';
+import { applyContextFilter, detectFrameworks, applyFrameworkAdjustments } from '../context.js';
+import { loadConfig, shouldExcludeFile, applyConfig } from '../config.js';
 
 export const fixSecuritySchema = {
   file_path: z.string().describe("Path to the file to fix"),
@@ -47,24 +50,48 @@ export async function fixSecurity({ file_path, verbosity }) {
     };
   }
 
-  const issues = runAnalyzer(file_path);
+  // Load project configuration
+  const config = loadConfig(file_path);
 
-  if (issues.error || !Array.isArray(issues) || issues.length === 0) {
+  // Check file exclusion
+  if (shouldExcludeFile(file_path, config)) {
+    return {
+      content: [{ type: "text", text: JSON.stringify({ file: file_path, message: "File excluded by configuration", fixes_applied: 0 }) }]
+    };
+  }
+
+  const rawIssues = await runAnalyzerAsync(file_path);
+
+  if (rawIssues.error || !Array.isArray(rawIssues) || rawIssues.length === 0) {
     return {
       content: [{
         type: "text",
         text: JSON.stringify({
-          message: issues.error ? "Error scanning file" : "No security issues found",
-          details: issues
+          message: rawIssues.error ? "Error scanning file" : "No security issues found",
+          details: rawIssues
         })
       }]
     };
   }
 
+  // Cross-engine deduplication
+  const dedupedIssues = deduplicateFindings(rawIssues);
+
   // Read and fix the file
   const content = readFileSync(file_path, 'utf-8');
   const lines = content.split('\n');
   const language = detectLanguage(file_path);
+
+  // Context-aware filtering (suppress known module imports)
+  const contextFiltered = applyContextFilter(dedupedIssues, file_path, language);
+
+  // Framework-aware severity adjustment
+  const frameworks = detectFrameworks(file_path, language);
+  const frameworkAdjusted = applyFrameworkAdjustments(contextFiltered, frameworks);
+
+  // Apply .scannerrc configuration (rule suppression, severity/confidence thresholds)
+  const issues = applyConfig(frameworkAdjusted, file_path, config);
+
   const fixes = [];
 
   // Apply fixes (process in reverse order to preserve line numbers)