agent-security-scanner-mcp 4.0.0 → 4.1.0

package/code-review-agent/src/context/security-summary.ts

@@ -0,0 +1,225 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import type { FileContext, DependencyGraph } from '../types/analysis.js';
+
+/**
+ * Keywords that indicate security-relevant lines worth including in summaries.
+ */
+const SECURITY_RELEVANT_PATTERNS = [
+  // Dangerous sinks
+  /\b(subprocess|exec|eval|system|popen|spawn|shell_exec|os\.system|os\.popen)\b/,
+  /\b(requests?\.(get|post|put|delete|patch|head)|fetch|urllib|http\.request|axios)\b/,
+  /\b(query|execute|cursor\.execute|\.raw\(|\.query\(|sequelize|knex)\b/,
+  /\b(fs\.(readFile|writeFile|unlink|rmdir|rename)|open\(|os\.remove|shutil)\b/,
+  // Guard / policy patterns
+  /\b(allowlist|allow_list|whitelist|denylist|deny_list|blocklist|blacklist)\b/,
+  /\b(validate|sanitize|authorize|authenticate|check_perm|has_perm)\b/,
+  /\b(guard|policy|permission|auth_check|is_allowed\w*|can_access\w*|ALLOWED_\w+)\b/,
+  /\b(shell\s*=\s*(True|False)|parameterized|prepared_statement|bind_param)\b/,
+  // Routing / dispatching
+  /\b(app\.(get|post|put|delete|patch|use)|router\.(get|post|put|delete))\b/,
+  /\b(dispatch|handle_request|route_to|forward_to)\b/,
+];
+
+/**
+ * Maximum number of nearby files to summarize.
+ */
+const MAX_RELATED_FILES = 4;
+
+/**
+ * Maximum lines to extract per file summary.
+ */
+const MAX_SUMMARY_LINES = 15;
+
+/**
+ * Maximum bytes to read from any related file.
+ */
+const MAX_FILE_READ_BYTES = 64 * 1024;
+
+export interface RelatedFileSummary {
+  filePath: string;
+  relationship: 'imports' | 'imported-by' | 'sibling';
+  relevantLines: string[];
+}
+
+/**
+ * Build compact security-relevant summaries of files related to the one
+ * being analyzed. This gives the LLM enough context to understand:
+ * - Whether a called module has guards (allowlist, validation)
+ * - Whether an imported file contains a dangerous sink
+ * - Whether sibling files provide auth/policy enforcement
+ */
+export function buildRelatedFileSummaries(
+  file: FileContext,
+  projectRoot: string,
+  graph?: DependencyGraph,
+): RelatedFileSummary[] {
+  const summaries: RelatedFileSummary[] = [];
+  const seen = new Set<string>();
+
+  // Priority 1: files this file imports (may contain sinks or guards)
+  for (const imp of file.imports) {
+    if (summaries.length >= MAX_RELATED_FILES) break;
+    const resolved = resolveLocalFile(imp, file.filePath, projectRoot);
+    if (!resolved) continue;
+    const relativePath = path.relative(projectRoot, resolved);
+    if (seen.has(relativePath)) continue;
+    seen.add(relativePath);
+
+    const summary = summarizeFile(resolved, projectRoot, 'imports');
+    if (summary) summaries.push(summary);
+  }
+
+  // Priority 2: files that import this file (may be routers/controllers)
+  for (const importer of file.importedBy) {
+    if (summaries.length >= MAX_RELATED_FILES) break;
+    const fullPath = path.resolve(projectRoot, importer);
+    const normalized = path.relative(projectRoot, fullPath);
+    if (seen.has(normalized)) continue;
+    seen.add(normalized);
+
+    const summary = summarizeFile(fullPath, projectRoot, 'imported-by');
+    if (summary) summaries.push(summary);
+  }
+
+  // Priority 3: security-relevant sibling files (guard, policy, tool, etc.)
+  const securitySiblingKeywords = /\b(guard|policy|validator|auth|tool|command|executor|service|middleware)\b/i;
+  for (const sibling of file.siblingFiles) {
+    if (summaries.length >= MAX_RELATED_FILES) break;
+    if (!securitySiblingKeywords.test(sibling)) continue;
+
+    const siblingPath = path.resolve(path.dirname(path.resolve(projectRoot, file.filePath)), sibling);
+    const normalized = path.relative(projectRoot, siblingPath);
+    if (seen.has(normalized)) continue;
+    seen.add(normalized);
+
+    const summary = summarizeFile(siblingPath, projectRoot, 'sibling');
+    if (summary) summaries.push(summary);
+  }
+
+  return summaries;
+}
+
+/**
+ * Extract security-relevant lines from a file.
+ */
+function summarizeFile(
+  filePath: string,
+  projectRoot: string,
+  relationship: RelatedFileSummary['relationship'],
+): RelatedFileSummary | null {
+  try {
+    const stat = fs.statSync(filePath);
+    if (!stat.isFile() || stat.size > MAX_FILE_READ_BYTES) return null;
+  } catch {
+    return null;
+  }
+
+  let content: string;
+  try {
+    content = fs.readFileSync(filePath, 'utf-8');
+  } catch {
+    return null;
+  }
+
+  const lines = content.split('\n');
+  const relevantLines: string[] = [];
+
+  for (let i = 0; i < lines.length && relevantLines.length < MAX_SUMMARY_LINES; i++) {
+    const line = lines[i];
+    if (SECURITY_RELEVANT_PATTERNS.some((p) => p.test(line))) {
+      relevantLines.push(`L${i + 1}: ${line.trim()}`);
+    }
+  }
+
+  // No relevant lines found — skip this file
+  if (relevantLines.length === 0) return null;
+
+  return {
+    filePath: path.relative(projectRoot, filePath),
+    relationship,
+    relevantLines,
+  };
+}
+
+/**
+ * Try to resolve a local import specifier to an actual file path.
+ * Handles:
+ * - Relative imports: ./foo, ../bar
+ * - Python bare module imports: tools.executor → tools/executor.py
+ * - Python single-token imports: guard → guard.py, tools → tools/__init__.py
+ */
+function resolveLocalFile(
+  specifier: string,
+  fromFile: string,
+  projectRoot: string,
+): string | null {
+  const fromDir = path.dirname(path.resolve(projectRoot, fromFile));
+
+  let basePath: string;
+
+  if (specifier.startsWith('.')) {
+    // Relative import (JS/TS/Python relative)
+    basePath = path.resolve(fromDir, specifier);
+  } else if (/^[a-zA-Z_]\w*(\.[a-zA-Z_]\w*)*$/.test(specifier) && !specifier.includes('/')) {
+    // Python bare module import:
+    //   tools.executor → tools/executor
+    //   guard → guard
+    //   tools → tools
+    const asPath = specifier.replace(/\./g, '/');
+    basePath = path.resolve(fromDir, asPath);
+
+    // Also try from project root (Python resolves from project root or cwd)
+    const fromRoot = path.resolve(projectRoot, asPath);
+    const rootCandidates = [
+      `${fromRoot}.py`,
+      path.join(fromRoot, '__init__.py'),
+    ];
+    for (const candidate of rootCandidates) {
+      try {
+        if (fs.statSync(candidate).isFile()) return candidate;
+      } catch { /* not found */ }
+    }
+  } else {
+    // Non-local third-party import
+    return null;
+  }
+
+  // Try exact path, then common extensions
+  const candidates = [
+    basePath,
+    `${basePath}.ts`,
+    `${basePath}.js`,
+    `${basePath}.py`,
+    `${basePath}.go`,
+    path.join(basePath, 'index.ts'),
+    path.join(basePath, 'index.js'),
+    `${basePath}.tsx`,
+    `${basePath}.jsx`,
+    path.join(basePath, '__init__.py'),
+  ];
+
+  for (const candidate of candidates) {
+    try {
+      if (fs.statSync(candidate).isFile()) {
+        return candidate;
+      }
+    } catch { /* not found, try next */ }
+  }
+
+  return null;
+}
+
+/**
+ * Format related file summaries for inclusion in the LLM prompt.
+ */
+export function formatRelatedFileSummaries(summaries: RelatedFileSummary[]): string {
+  if (summaries.length === 0) return '';
+
+  const parts = summaries.map((s) => {
+    const header = `${s.filePath} (${s.relationship}):`;
+    return [header, ...s.relevantLines].join('\n  ');
+  });
+
+  return parts.join('\n\n');
+}

package/code-review-agent/src/graph/dependency.ts

@@ -64,7 +64,14 @@ export class DependencyGraphBuilder {
       for (const imp of imports) {
         if (!imp.isLocal) continue;
 
-        const resolved = resolveImportPath(imp.specifier, file, language);
+        // Try resolving from the file's directory first, then from project root
+        // (Python bare imports resolve from sys.path which includes project root)
+        let resolved = resolveImportPath(imp.specifier, file, language);
+        if (!resolved && !imp.specifier.startsWith('.')) {
+          // Create a synthetic "from project root" path for resolution
+          const rootSentinel = path.join(this.projectRoot, '__resolve_root__.py');
+          resolved = resolveImportPath(imp.specifier, rootSentinel, language);
+        }
         if (resolved) {
           const resolvedRel = path.relative(this.projectRoot, resolved);
           resolvedImports.push(resolvedRel);

package/code-review-agent/src/graph/resolver.ts

@@ -35,10 +35,14 @@ export function extractImports(content: string, language: string): ImportInfo[]
       imports.push({ specifier: spec, isLocal: isLocalImport(spec, language), resolved: null });
     }
   } else if (language === 'python') {
-    // from .module import ... (relative) and from package import ... (absolute)
-    for (const m of content.matchAll(/from\s+(\S+)\s+import/g)) {
-      const spec = m[1];
-      imports.push({ specifier: spec, isLocal: isLocalImport(spec, language), resolved: null });
+    // `from package import name` — emit both `package` and `package.name`
+    // since `name` might be a submodule (file) or a symbol within the package.
+    for (const m of content.matchAll(/from\s+(\S+)\s+import\s+(\w+)/g)) {
+      const pkg = m[1];
+      const name = m[2];
+      imports.push({ specifier: pkg, isLocal: isLocalImport(pkg, language), resolved: null });
+      const sub = `${pkg}.${name}`;
+      imports.push({ specifier: sub, isLocal: isLocalImport(sub, language), resolved: null });
     }
     // import module
     for (const m of content.matchAll(/^import\s+(\S+)/gm)) {
@@ -119,6 +123,7 @@ export function resolveImportPath(
       const initFile = path.join(base, '__init__.py');
       if (fs.statSync(initFile).isFile()) return initFile;
     } catch { /* not found */ }
+
   }
 
   return null;
@@ -129,7 +134,11 @@ export function isLocalImport(specifier: string, language: string): boolean {
     return specifier.startsWith('./') || specifier.startsWith('../');
   }
   if (language === 'python') {
-    return specifier.startsWith('.');
+    // Relative imports (starts with .) are always local.
+    // Bare imports (tools, tools.executor) may be local — let resolveImportPath
+    // do a filesystem check rather than rejecting them outright.
+    if (specifier.startsWith('.')) return true;
+    return /^[a-zA-Z_]\w*(\.[a-zA-Z_]\w*)*$/.test(specifier);
   }
   if (language === 'go') {
     return !specifier.includes('.');

package/code-review-agent/src/index.ts

@@ -2,6 +2,7 @@
 export { AnalysisEngine, type ProgressCallback } from './analyzer/engine.js';
 export { IntentProfiler } from './analyzer/intent.js';
 export { SemanticAnalyzer } from './analyzer/semantic.js';
+export { postFilterFindings, suppressCarrierFindings } from './analyzer/postprocess.js';
 
 // LLM providers
 export { AnthropicProvider } from './llm/anthropic.js';
@@ -16,6 +17,8 @@ export { zodToJsonSchema, zodToAnthropicTool, zodToOpenAIResponseFormat } from '
 export { buildProjectContext, formatProjectContextForLLM } from './context/project.js';
 export { buildFileContext, isTestFile, isConfigFile, isGeneratedFile } from './context/file.js';
 export { ContextAssembler } from './context/assembler.js';
+export { buildRelatedFileSummaries, formatRelatedFileSummaries } from './context/security-summary.js';
+export type { RelatedFileSummary } from './context/security-summary.js';
 
 // Graph
 export { DependencyGraphBuilder } from './graph/dependency.js';
@@ -32,6 +35,7 @@ export type {
   DependencyGraph,
 } from './types/analysis.js';
 export type {
+  AnalysisMode,
   AnalysisOptions,
   CRAgentConfig,
 } from './types/config.js';

package/code-review-agent/src/types/config.ts

@@ -1,7 +1,10 @@
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 
+export type AnalysisMode = 'review' | 'security';
+
 export interface AnalysisOptions {
+  mode: AnalysisMode;
   provider: 'anthropic' | 'openai' | 'claude-cli';
   model?: string;
   triageModel?: string;
@@ -15,6 +18,7 @@ export interface AnalysisOptions {
 }
 
 export interface CRAgentConfig {
+  mode?: AnalysisMode;
   provider?: 'anthropic' | 'openai' | 'claude-cli';
   model?: string;
   triageModel?: string;
@@ -25,6 +29,7 @@ export interface CRAgentConfig {
 }
 
 const DEFAULTS: AnalysisOptions = {
+  mode: 'review',
   provider: 'anthropic',
   confidenceThreshold: 0.7,
   format: 'text',
@@ -50,7 +55,18 @@ export function resolveOptions(
   config: CRAgentConfig | null,
   env: Record<string, string | undefined> = process.env,
 ): AnalysisOptions {
+  const mode =
+    cliFlags.mode ??
+    config?.mode ??
+    (env.CR_AGENT_MODE as AnalysisMode | undefined) ??
+    DEFAULTS.mode;
+
+  if (mode !== 'review' && mode !== 'security') {
+    throw new Error(`Invalid analysis mode "${mode}". Must be "review" or "security".`);
+  }
+
   return {
+    mode,
     provider:
       cliFlags.provider ??
       config?.provider ??

package/code-review-agent/tests/analyzer/engine.test.ts

@@ -86,6 +86,7 @@ describe('AnalysisEngine', () => {
 
   it('analyzes vuln-api-server and finds vulnerabilities', async () => {
     const options: AnalysisOptions = {
+      mode: 'review',
       provider: 'anthropic',
       confidenceThreshold: 0.7,
       format: 'text',
@@ -108,6 +109,7 @@ describe('AnalysisEngine', () => {
 
   it('returns sorted findings (critical first)', async () => {
     const options: AnalysisOptions = {
+      mode: 'review',
       provider: 'anthropic',
       confidenceThreshold: 0.5,
       format: 'text',
@@ -133,6 +135,7 @@ describe('AnalysisEngine', () => {
 
   it('filters findings below confidence threshold', async () => {
     const options: AnalysisOptions = {
+      mode: 'review',
       provider: 'anthropic',
       confidenceThreshold: 0.99,
       format: 'text',
@@ -154,6 +157,7 @@ describe('AnalysisEngine', () => {
 
   it('computes stats correctly', async () => {
     const options: AnalysisOptions = {
+      mode: 'review',
       provider: 'anthropic',
       confidenceThreshold: 0.7,
       format: 'text',
@@ -174,6 +178,7 @@ describe('AnalysisEngine', () => {
 
   it('clamps private worker count when concurrency is zero', async () => {
     const options: AnalysisOptions = {
+      mode: 'review',
       provider: 'anthropic',
       confidenceThreshold: 0.7,
       format: 'text',