agent-security-scanner-mcp 3.7.0 → 3.9.0

package/src/tools/import-resolver.js

@@ -0,0 +1,249 @@
+// src/tools/import-resolver.js
+// Import graph resolution — resolves local imports to file paths and builds dependency graphs
+
+import { existsSync, readFileSync, statSync } from 'fs';
+import { resolve, dirname, join, extname, relative, isAbsolute } from 'path';
+import { createHash } from 'crypto';
+import { extractImports, detectLanguage } from '../utils.js';
+
+// In-memory cache: absPath -> { content_hash, imports, resolvedImports }
+const importGraphCache = new Map();
+
+/**
+ * Clear the import graph cache (for testing).
+ */
+export function clearImportGraphCache() {
+  importGraphCache.clear();
+}
+
+/**
+ * Check if an import specifier is a local/relative import.
+ * @param {string} importSpec - The import string (e.g., './helpers', 'express')
+ * @param {string} language - The language: 'javascript', 'typescript', 'python', 'go'
+ * @returns {boolean}
+ */
+export function isLocalImport(importSpec, language) {
+  switch (language) {
+    case 'javascript':
+    case 'typescript':
+      return importSpec.startsWith('./') || importSpec.startsWith('../');
+    case 'python':
+      return importSpec.startsWith('.');
+    case 'go':
+      return importSpec.startsWith('./') || importSpec.startsWith('../');
+    default:
+      return importSpec.startsWith('./') || importSpec.startsWith('../');
+  }
+}
+
+/**
+ * Resolve a local import specifier to an actual file path.
+ * @param {string} importSpec - The import string (e.g., './routes/users')
+ * @param {string} fromFile - Absolute path of the file containing the import
+ * @param {string} language - The language
+ * @returns {string|null} Absolute resolved path, or null if unresolvable/package
+ */
+export function resolveImportPath(importSpec, fromFile, language) {
+  if (!isLocalImport(importSpec, language)) {
+    return null;
+  }
+
+  const fromDir = dirname(fromFile);
+
+  switch (language) {
+    case 'javascript':
+    case 'typescript': {
+      const base = resolve(fromDir, importSpec);
+      // Try exact path first
+      if (existsSync(base) && !isDirectory(base)) return base;
+      // Try with extensions
+      const jsExtensions = ['.js', '.ts', '.tsx', '.jsx', '.mjs'];
+      for (const ext of jsExtensions) {
+        const withExt = base + ext;
+        if (existsSync(withExt)) return withExt;
+      }
+      // Try as directory with index file
+      const indexFiles = ['index.js', 'index.ts', 'index.tsx', 'index.jsx', 'index.mjs'];
+      for (const idx of indexFiles) {
+        const indexPath = join(base, idx);
+        if (existsSync(indexPath)) return indexPath;
+      }
+      return null;
+    }
+
+    case 'python': {
+      // Python relative imports: . = current package, .. = parent package
+      // Convert dot-prefix to path
+      let dotCount = 0;
+      let rest = importSpec;
+      while (rest.startsWith('.')) {
+        dotCount++;
+        rest = rest.slice(1);
+      }
+
+      let targetDir = fromDir;
+      // Each dot beyond the first goes up one directory
+      for (let i = 1; i < dotCount; i++) {
+        targetDir = dirname(targetDir);
+      }
+
+      if (!rest) {
+        // Just dots — refers to __init__.py in the target dir
+        const initPath = join(targetDir, '__init__.py');
+        if (existsSync(initPath)) return initPath;
+        return null;
+      }
+
+      // Convert module.sub to module/sub
+      const modulePath = rest.replace(/\./g, '/');
+      const base = join(targetDir, modulePath);
+
+      // Try as .py file
+      const asPy = base + '.py';
+      if (existsSync(asPy)) return asPy;
+      // Try as package (__init__.py)
+      const asInit = join(base, '__init__.py');
+      if (existsSync(asInit)) return asInit;
+      // Try as sibling .py (same directory)
+      const sibling = join(fromDir, modulePath + '.py');
+      if (sibling !== asPy && existsSync(sibling)) return sibling;
+
+      return null;
+    }
+
+    case 'go': {
+      const base = resolve(fromDir, importSpec);
+      if (existsSync(base) && !isDirectory(base)) return base;
+      const withGo = base + '.go';
+      if (existsSync(withGo)) return withGo;
+      return null;
+    }
+
+    default:
+      return null;
+  }
+}
+
+/**
+ * Build an import graph starting from an entry file using BFS traversal.
+ * @param {string} filePath - Absolute path to the entry file
+ * @param {string} projectRoot - Absolute path to the project root
+ * @param {{ maxDepth?: number }} [options]
+ * @returns {{ files: Record<string, object>, edges: Array, cycles: Array, unresolved: Array, summary: object }}
+ */
+export function resolveImportGraph(filePath, projectRoot, options = {}) {
+  const { maxDepth = 3 } = options;
+  const MAX_FILES = 100;
+
+  const absEntry = isAbsolute(filePath) ? filePath : resolve(filePath);
+  const absRoot = isAbsolute(projectRoot) ? projectRoot : resolve(projectRoot);
+
+  const files = {};   // absPath -> { imports, resolvedImports, content_hash }
+  const edges = [];    // [{ from, to, importSpec }]
+  const cycles = [];   // [[from, to]]
+  const unresolved = []; // [{ file, importSpec }]
+
+  // BFS
+  // Queue entries: { absPath, depth }
+  const queue = [{ absPath: absEntry, depth: 0 }];
+  const visited = new Set();
+
+  while (queue.length > 0 && Object.keys(files).length < MAX_FILES) {
+    const { absPath, depth } = queue.shift();
+
+    if (visited.has(absPath)) continue;
+    visited.add(absPath);
+
+    if (!existsSync(absPath)) continue;
+
+    const language = detectLanguage(absPath);
+    let content;
+    try {
+      content = readFileSync(absPath, 'utf-8');
+    } catch {
+      continue;
+    }
+
+    const contentHash = createHash('sha256').update(content).digest('hex').slice(0, 16);
+
+    // Check cache
+    const cached = importGraphCache.get(absPath);
+    let rawImports, resolvedImports;
+
+    if (cached && cached.content_hash === contentHash) {
+      rawImports = cached.imports;
+      resolvedImports = cached.resolvedImports;
+    } else {
+      rawImports = extractImports(content, language);
+      resolvedImports = [];
+
+      for (const spec of rawImports) {
+        if (!isLocalImport(spec, language)) continue;
+
+        const resolved = resolveImportPath(spec, absPath, language);
+        if (resolved) {
+          // Guard: resolved path must stay within projectRoot
+          const relToRoot = relative(absRoot, resolved);
+          if (relToRoot.startsWith('..') || isAbsolute(relToRoot)) {
+            unresolved.push({ file: absPath, importSpec: spec });
+            continue;
+          }
+          resolvedImports.push({ spec, resolvedPath: resolved });
+        } else {
+          if (isLocalImport(spec, language)) {
+            unresolved.push({ file: absPath, importSpec: spec });
+          }
+        }
+      }
+
+      // Update cache
+      importGraphCache.set(absPath, {
+        content_hash: contentHash,
+        imports: rawImports,
+        resolvedImports,
+      });
+    }
+
+    files[absPath] = {
+      imports: rawImports,
+      resolvedImports,
+      content_hash: contentHash,
+    };
+
+    // Build edges and enqueue resolved imports
+    for (const { spec, resolvedPath } of resolvedImports) {
+      edges.push({ from: absPath, to: resolvedPath, importSpec: spec });
+
+      if (visited.has(resolvedPath)) {
+        // Cycle detected
+        cycles.push([absPath, resolvedPath]);
+      } else if (depth < maxDepth) {
+        queue.push({ absPath: resolvedPath, depth: depth + 1 });
+      }
+    }
+  }
+
+  const maxDepthReached = queue.some(item => item.depth >= maxDepth);
+
+  return {
+    files,
+    edges,
+    cycles,
+    unresolved,
+    summary: {
+      total_files: Object.keys(files).length,
+      total_edges: edges.length,
+      has_cycles: cycles.length > 0,
+      max_depth_reached: maxDepthReached || false,
+    },
+  };
+}
+
+// Helper: check if a path is a directory
+function isDirectory(p) {
+  try {
+    return statSync(p).isDirectory();
+  } catch {
+    return false;
+  }
+}

package/src/tools/project-context.js

@@ -0,0 +1,365 @@
+// src/tools/project-context.js
+// Project security profile discovery — detects frameworks, middleware, and security libraries
+
+import { existsSync, readFileSync } from 'fs';
+import { join, basename } from 'path';
+import { createHash } from 'crypto';
+
+// Cache: projectRoot -> { contentHash, result }
+const projectContextCache = new Map();
+
+/**
+ * Clear the project context cache (for testing).
+ */
+export function clearProjectContextCache() {
+  projectContextCache.clear();
+}
+
+// Framework detection: package name → { name, ecosystem }
+const FRAMEWORK_MAP = {
+  // Node.js
+  'express': { name: 'Express', ecosystem: 'node' },
+  'koa': { name: 'Koa', ecosystem: 'node' },
+  'fastify': { name: 'Fastify', ecosystem: 'node' },
+  '@hapi/hapi': { name: 'Hapi', ecosystem: 'node' },
+  'hapi': { name: 'Hapi', ecosystem: 'node' },
+  '@nestjs/core': { name: 'NestJS', ecosystem: 'node' },
+  'next': { name: 'Next.js', ecosystem: 'node' },
+  'nuxt': { name: 'Nuxt', ecosystem: 'node' },
+  // Python
+  'django': { name: 'Django', ecosystem: 'python' },
+  'flask': { name: 'Flask', ecosystem: 'python' },
+  'fastapi': { name: 'FastAPI', ecosystem: 'python' },
+  'tornado': { name: 'Tornado', ecosystem: 'python' },
+  'sanic': { name: 'Sanic', ecosystem: 'python' },
+  'starlette': { name: 'Starlette', ecosystem: 'python' },
+  // Ruby
+  'rails': { name: 'Rails', ecosystem: 'ruby' },
+  'sinatra': { name: 'Sinatra', ecosystem: 'ruby' },
+  // Go (module paths)
+  'github.com/gin-gonic/gin': { name: 'Gin', ecosystem: 'go' },
+  'github.com/labstack/echo': { name: 'Echo', ecosystem: 'go' },
+  'github.com/gofiber/fiber': { name: 'Fiber', ecosystem: 'go' },
+  // Java
+  'spring-boot-starter-web': { name: 'Spring Boot', ecosystem: 'java' },
+  'spring-boot-starter-security': { name: 'Spring Security', ecosystem: 'java' },
+};
+
+// Security middleware/library detection: package name → capability category
+const SECURITY_MAP = {
+  // Node.js security middleware
+  'helmet': 'http-headers',
+  'cors': 'cors',
+  'csurf': 'csrf',
+  'express-rate-limit': 'rate-limiting',
+  'rate-limiter-flexible': 'rate-limiting',
+  'dompurify': 'xss-sanitization',
+  'isomorphic-dompurify': 'xss-sanitization',
+  'xss': 'xss-sanitization',
+  'sanitize-html': 'xss-sanitization',
+  'express-validator': 'input-validation',
+  'joi': 'input-validation',
+  'zod': 'input-validation',
+  'yup': 'input-validation',
+  'hpp': 'http-parameter-pollution',
+  'express-mongo-sanitize': 'nosql-injection',
+  'sqlstring': 'sql-sanitization',
+  // Node.js auth
+  'passport': 'authentication',
+  'jsonwebtoken': 'jwt-auth',
+  'express-jwt': 'jwt-auth',
+  'bcrypt': 'password-hashing',
+  'bcryptjs': 'password-hashing',
+  'argon2': 'password-hashing',
+  'oauth2-server': 'oauth',
+  // Python security
+  'django-cors-headers': 'cors',
+  'flask-cors': 'cors',
+  'flask-wtf': 'csrf',
+  'flask-limiter': 'rate-limiting',
+  'bleach': 'xss-sanitization',
+  'python-jose': 'jwt-auth',
+  'pyjwt': 'jwt-auth',
+  'passlib': 'password-hashing',
+  'django-ratelimit': 'rate-limiting',
+  'django-csp': 'csp',
+  'django-axes': 'brute-force-protection',
+  'cerberus': 'input-validation',
+  'marshmallow': 'input-validation',
+  'pydantic': 'input-validation',
+  // Ruby security
+  'rack-cors': 'cors',
+  'devise': 'authentication',
+  'pundit': 'authorization',
+  'brakeman': 'sast',
+  'rack-attack': 'rate-limiting',
+  'secure_headers': 'http-headers',
+  // Go security
+  'github.com/gorilla/csrf': 'csrf',
+  'golang.org/x/crypto': 'crypto',
+  'github.com/rs/cors': 'cors',
+  'github.com/ulule/limiter': 'rate-limiting',
+  'github.com/golang-jwt/jwt': 'jwt-auth',
+  // Java security
+  'spring-security-core': 'authentication',
+  'spring-security-web': 'csrf',
+  'spring-security-oauth2': 'oauth',
+  'owasp-java-html-sanitizer': 'xss-sanitization',
+};
+
+// Test framework detection
+const TEST_FRAMEWORK_MAP = {
+  'jest': 'jest', 'vitest': 'vitest', 'mocha': 'mocha', 'chai': 'chai',
+  'jasmine': 'jasmine', 'ava': 'ava', 'tap': 'tap',
+  'pytest': 'pytest', 'unittest': 'unittest', 'nose2': 'nose2',
+  'rspec': 'rspec', 'minitest': 'minitest',
+  'testing': 'go-testing',
+  'junit': 'junit', 'testng': 'testng',
+};
+
+// Dependency file parsers
+
+function parsePackageJson(projectRoot) {
+  const filePath = join(projectRoot, 'package.json');
+  if (!existsSync(filePath)) return null;
+  try {
+    const pkg = JSON.parse(readFileSync(filePath, 'utf-8'));
+    const allDeps = {
+      ...pkg.dependencies,
+      ...pkg.devDependencies,
+    };
+    return { language: 'javascript', deps: Object.keys(allDeps), file: 'package.json' };
+  } catch {
+    return null;
+  }
+}
+
+function parseRequirementsTxt(projectRoot) {
+  const filePath = join(projectRoot, 'requirements.txt');
+  if (!existsSync(filePath)) return null;
+  try {
+    const content = readFileSync(filePath, 'utf-8');
+    const deps = content.split('\n')
+      .map(line => line.trim())
+      .filter(line => line && !line.startsWith('#') && !line.startsWith('-'))
+      .map(line => line.split(/[>=<!~\[;]/)[0].trim().toLowerCase());
+    return { language: 'python', deps, file: 'requirements.txt' };
+  } catch {
+    return null;
+  }
+}
+
+function parsePyprojectToml(projectRoot) {
+  const filePath = join(projectRoot, 'pyproject.toml');
+  if (!existsSync(filePath)) return null;
+  try {
+    const content = readFileSync(filePath, 'utf-8');
+    // Simple extraction of dependencies from pyproject.toml
+    const deps = [];
+    const depRegex = /["']([a-zA-Z0-9_-]+)(?:[>=<!~\[].*)?["']/g;
+    const inDeps = content.match(/dependencies\s*=\s*\[([^\]]*)\]/s);
+    if (inDeps) {
+      let match;
+      while ((match = depRegex.exec(inDeps[1])) !== null) {
+        deps.push(match[1].toLowerCase());
+      }
+    }
+    return deps.length > 0 ? { language: 'python', deps, file: 'pyproject.toml' } : null;
+  } catch {
+    return null;
+  }
+}
+
+function parseGoMod(projectRoot) {
+  const filePath = join(projectRoot, 'go.mod');
+  if (!existsSync(filePath)) return null;
+  try {
+    const content = readFileSync(filePath, 'utf-8');
+    const deps = [];
+    const requireBlock = content.match(/require\s*\(([\s\S]*?)\)/);
+    if (requireBlock) {
+      const lines = requireBlock[1].split('\n');
+      for (const line of lines) {
+        const trimmed = line.trim();
+        if (trimmed && !trimmed.startsWith('//')) {
+          const parts = trimmed.split(/\s+/);
+          if (parts[0]) deps.push(parts[0]);
+        }
+      }
+    }
+    // Also match single-line requires
+    const singleRequires = content.matchAll(/require\s+(\S+)\s+/g);
+    for (const match of singleRequires) {
+      deps.push(match[1]);
+    }
+    return deps.length > 0 ? { language: 'go', deps, file: 'go.mod' } : null;
+  } catch {
+    return null;
+  }
+}
+
+function parseGemfile(projectRoot) {
+  const filePath = join(projectRoot, 'Gemfile');
+  if (!existsSync(filePath)) return null;
+  try {
+    const content = readFileSync(filePath, 'utf-8');
+    const deps = [];
+    const gemRegex = /gem\s+['"]([a-zA-Z0-9_-]+)['"]/g;
+    let match;
+    while ((match = gemRegex.exec(content)) !== null) {
+      deps.push(match[1].toLowerCase());
+    }
+    return deps.length > 0 ? { language: 'ruby', deps, file: 'Gemfile' } : null;
+  } catch {
+    return null;
+  }
+}
+
+function parsePomXml(projectRoot) {
+  const filePath = join(projectRoot, 'pom.xml');
+  if (!existsSync(filePath)) return null;
+  try {
+    const content = readFileSync(filePath, 'utf-8');
+    const deps = [];
+    const artifactRegex = /<artifactId>([^<]+)<\/artifactId>/g;
+    let match;
+    while ((match = artifactRegex.exec(content)) !== null) {
+      deps.push(match[1].toLowerCase());
+    }
+    return deps.length > 0 ? { language: 'java', deps, file: 'pom.xml' } : null;
+  } catch {
+    return null;
+  }
+}
+
+// Dependency files to check for cache hashing
+const DEP_FILES = ['package.json', 'requirements.txt', 'pyproject.toml', 'go.mod', 'Gemfile', 'pom.xml'];
+
+/**
+ * Hash the contents of dependency files in a project root for cache invalidation.
+ */
+function hashDependencyFiles(projectRoot) {
+  const hash = createHash('sha256');
+  let hasContent = false;
+  for (const depFile of DEP_FILES) {
+    const filePath = join(projectRoot, depFile);
+    if (existsSync(filePath)) {
+      try {
+        hash.update(depFile + ':' + readFileSync(filePath, 'utf-8'));
+        hasContent = true;
+      } catch {
+        // ignore unreadable files
+      }
+    }
+  }
+  return hasContent ? hash.digest('hex').slice(0, 16) : null;
+}
+
+/**
+ * Discover project security context from dependency files (with caching).
+ * Results are cached by projectRoot and invalidated when dependency file contents change.
+ * @param {string} projectRoot - Path to project root directory
+ * @returns {{ language: string, framework: string|null, security_middleware: string[], sanitizers: string[], auth_libraries: string[], test_frameworks: string[], dependency_file: string|null, raw_security_deps: Record<string, string> }}
+ */
+export function discoverProjectContext(projectRoot) {
+  const contentHash = hashDependencyFiles(projectRoot);
+  const cached = projectContextCache.get(projectRoot);
+  if (cached && cached.contentHash === contentHash) {
+    return cached.result;
+  }
+
+  const result = _discoverProjectContextUncached(projectRoot);
+  projectContextCache.set(projectRoot, { contentHash, result });
+  return result;
+}
+
+/**
+ * Internal: discover project security context without caching.
+ */
+function _discoverProjectContextUncached(projectRoot) {
+  const parsers = [
+    parsePackageJson,
+    parseRequirementsTxt,
+    parsePyprojectToml,
+    parseGoMod,
+    parseGemfile,
+    parsePomXml,
+  ];
+
+  let parsed = null;
+  for (const parser of parsers) {
+    parsed = parser(projectRoot);
+    if (parsed) break;
+  }
+
+  if (!parsed) {
+    return {
+      language: 'unknown',
+      framework: null,
+      security_middleware: [],
+      sanitizers: [],
+      auth_libraries: [],
+      test_frameworks: [],
+      dependency_file: null,
+      raw_security_deps: {},
+    };
+  }
+
+  const { language, deps, file } = parsed;
+
+  // Detect framework
+  let framework = null;
+  for (const dep of deps) {
+    const depLower = dep.toLowerCase();
+    if (FRAMEWORK_MAP[depLower]) {
+      framework = FRAMEWORK_MAP[depLower].name;
+      break;
+    }
+    // Partial match for Java spring artifacts
+    if (depLower.includes('spring-boot-starter-web')) {
+      framework = 'Spring Boot';
+      break;
+    }
+  }
+
+  // Detect security packages by category
+  const securityMiddleware = [];
+  const sanitizers = [];
+  const authLibraries = [];
+  const testFrameworks = [];
+  const rawSecurityDeps = {};
+
+  for (const dep of deps) {
+    const depLower = dep.toLowerCase();
+
+    // Security middleware
+    const capability = SECURITY_MAP[depLower] || SECURITY_MAP[dep];
+    if (capability) {
+      rawSecurityDeps[dep] = capability;
+
+      if (['xss-sanitization', 'sql-sanitization', 'nosql-injection'].includes(capability)) {
+        sanitizers.push(dep);
+      } else if (['authentication', 'jwt-auth', 'password-hashing', 'oauth', 'authorization'].includes(capability)) {
+        authLibraries.push(dep);
+      } else {
+        securityMiddleware.push(dep);
+      }
+    }
+
+    // Test frameworks
+    if (TEST_FRAMEWORK_MAP[depLower]) {
+      testFrameworks.push(TEST_FRAMEWORK_MAP[depLower]);
+    }
+  }
+
+  return {
+    language,
+    framework,
+    security_middleware: securityMiddleware,
+    sanitizers,
+    auth_libraries: authLibraries,
+    test_frameworks: testFrameworks,
+    dependency_file: file,
+    raw_security_deps: rawSecurityDeps,
+  };
+}