agent-security-scanner-mcp 4.1.1 → 4.2.0

package/src/lib/compliance-evidence.js

@@ -0,0 +1,321 @@
+// src/lib/compliance-evidence.js — Collect normalized evidence bundle from scan + SBOM tooling.
+// Uses JS imports only — no CLI shelling, no HTML parsing.
+
+import { existsSync, readFileSync } from 'fs';
+import { join } from 'path';
+import { scanProject } from '../tools/scan-project.js';
+import { normalizeFindings } from './normalize-finding.js';
+import { scoreBatch } from './aivss.js';
+import { discoverDependencies } from './lockfile-parsers.js';
+import { serialize } from './cyclonedx.js';
+import { componentFromBomComponent } from './sbom-component.js';
+import { queryBatch } from './osv-client.js';
+import { isHallucinated } from '../tools/check-package.js';
+import { ecosystemFromPurlType } from './purl.js';
+
+const HALLUCINATION_ECOSYSTEMS = new Set(['npm', 'pypi', 'rubygems', 'dart', 'perl', 'raku', 'crates']);
+const CATEGORY_DEFAULTS = [
+  'exfiltration', 'info-exposure', 'crypto', 'permissions', 'auth',
+  'prompt-injection', 'supply-chain', 'injection', 'xss', 'ssrf',
+  'deserialization', 'secrets', 'path-traversal', 'logging',
+];
+const SEVERITY_LEVELS = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO'];
+
+/**
+ * Build a compliance evidence bundle from a project directory.
+ *
+ * Collects scan results, SBOM data, vulnerability info, hallucination checks, and drift analysis.
+ * Each data source is collected independently — partial failures produce null sections, not aborts.
+ *
+ * @param {object} opts
+ * @param {string} opts.directory - Project root to scan
+ * @param {string} [opts.sbomPath] - Pre-existing SBOM file (skips discovery)
+ * @param {string} [opts.baselinePath] - SBOM baseline for drift comparison
+ * @param {string} [opts.toolVersion] - Scanner version for metadata
+ * @param {'minimal'|'compact'|'full'} [opts.verbosity='compact'] - Detail level
+ * @returns {Promise<object>} Evidence bundle
+ */
+export async function collectEvidence({ directory, sbomPath, baselinePath, toolVersion, verbosity = 'compact' }) {
+  const toolsRun = [];
+  const errors = [];
+
+  // --- 1. Scan project ---
+  let scanData = null;
+  try {
+    const result = await scanProject({ directory_path: directory, verbosity: 'full' });
+    const raw = JSON.parse(result.content[0].text);
+    scanData = raw;
+    toolsRun.push('scan_project', 'scan_security');
+  } catch (err) {
+    errors.push({ source: 'scan_project', message: err.message });
+  }
+
+  // --- 2. Normalize findings + AIVSS ---
+  // scan_project wraps scan_security — duplicate findings under both source_tools
+  // so AIUC-1 controls scoped to either tool see them correctly.
+  let normalized = [];
+  let aivssResult = null;
+  if (scanData) {
+    const base = normalizeFindings(scanData.issues || [], 'scan_security');
+    const duped = base.map(f => ({ ...f, source_tool: 'scan_project' }));
+    normalized = [...base, ...duped];
+    aivssResult = scoreBatch(base); // score deduplicated set
+  }
+
+  // --- 3. SBOM generation ---
+  let components = null;
+  let componentList = null;
+  let bom = null;
+  try {
+    if (sbomPath) {
+      // Explicit sbom_path: error if it doesn't exist (don't silently fall through)
+      if (!existsSync(sbomPath)) {
+        throw new Error(`SBOM file not found: ${sbomPath}`);
+      }
+      bom = JSON.parse(readFileSync(sbomPath, 'utf-8'));
+      components = (bom.components || []).map(componentFromBomComponent);
+    } else if (existsSync(directory)) {
+      componentList = discoverDependencies(directory);
+      components = componentList.components;
+      bom = serialize(componentList);
+    }
+    if (components) toolsRun.push('sbom_generate');
+  } catch (err) {
+    errors.push({ source: 'sbom_generate', message: err.message });
+  }
+
+  // --- 4. Vulnerability scan ---
+  let vulnData = null;
+  if (components && components.length > 0) {
+    try {
+      const cacheDir = directory ? join(directory, '.scanner', 'cache', 'vuln') : null;
+      const results = await queryBatch(components, { cacheDir });
+
+      const allVulns = [];
+      const affectedPackages = new Set();
+      const bySeverity = { critical: 0, high: 0, medium: 0, low: 0, unknown: 0 };
+
+      for (const [key, vulns] of results) {
+        for (const vuln of vulns) {
+          const level = vuln.ratings?.[0]?.severity || 'unknown';
+          allVulns.push(vuln);
+          affectedPackages.add(key);
+          bySeverity[level] = (bySeverity[level] || 0) + 1;
+        }
+      }
+
+      vulnData = {
+        total: allVulns.length,
+        affected_packages: affectedPackages.size,
+        by_severity: bySeverity,
+        vulnerabilities: allVulns,
+      };
+      toolsRun.push('sbom_scan_vulnerabilities');
+    } catch (err) {
+      errors.push({ source: 'sbom_scan_vulnerabilities', message: err.message });
+    }
+  }
+
+  // --- 5. Hallucination check ---
+  let hallucinationData = null;
+  if (components && components.length > 0) {
+    try {
+      const hallucinated = [];
+      const unsupported = [];
+      let legitimateCount = 0;
+
+      for (const comp of components) {
+        if (!HALLUCINATION_ECOSYSTEMS.has(comp.ecosystem)) {
+          unsupported.push({ name: comp.name, ecosystem: comp.ecosystem });
+          continue;
+        }
+        const result = isHallucinated(comp.name, comp.ecosystem);
+        if (result && result.hallucinated) {
+          hallucinated.push({ name: comp.name, ecosystem: comp.ecosystem, confidence: result.confidence || 'medium' });
+        } else {
+          legitimateCount++;
+        }
+      }
+
+      hallucinationData = {
+        hallucinated_count: hallucinated.length,
+        unsupported_count: unsupported.length,
+        legitimate_count: legitimateCount,
+        hallucinated_packages: hallucinated,
+        unsupported_packages: unsupported,
+      };
+      toolsRun.push('sbom_check_hallucinations');
+    } catch (err) {
+      errors.push({ source: 'sbom_check_hallucinations', message: err.message });
+    }
+  }
+
+  // --- 6. SBOM drift ---
+  let driftData = null;
+  if (bom) {
+    try {
+      const resolvedBaseline = baselinePath || join(directory, '.scanner', 'sbom-baseline.json');
+      const baselineExists = existsSync(resolvedBaseline);
+
+      if (baselineExists) {
+        const baselineBom = JSON.parse(readFileSync(resolvedBaseline, 'utf-8'));
+        const currentMap = buildComponentMap(bom.components || []);
+        const baselineMap = buildComponentMap(baselineBom.components || []);
+
+        let added = 0, removed = 0, versionChanged = 0;
+        for (const [key, comp] of currentMap) {
+          const baseComp = baselineMap.get(key);
+          if (!baseComp) added++;
+          else if (baseComp.version !== comp.version) versionChanged++;
+        }
+        for (const key of baselineMap.keys()) {
+          if (!currentMap.has(key)) removed++;
+        }
+
+        driftData = {
+          baseline_exists: true,
+          added,
+          removed,
+          version_changed: versionChanged,
+          summary: `+${added} added, -${removed} removed, ~${versionChanged} changed`,
+        };
+      } else {
+        driftData = { baseline_exists: false, added: 0, removed: 0, version_changed: 0, summary: '' };
+      }
+      toolsRun.push('sbom_diff');
+    } catch (err) {
+      errors.push({ source: 'sbom_diff', message: err.message });
+    }
+  }
+
+  // --- Build the evidence bundle ---
+  const grade = scanData?.grade || null;
+  const bySeverity = buildSeverityMap(normalized);
+  const byCategory = buildCategoryMap(normalized);
+  const byCategorySeverity = buildCategorySeverityMap(normalized);
+
+  const bundle = {
+    metadata: {
+      generated_at: new Date().toISOString(),
+      directory,
+      tool_version: toolVersion || 'unknown',
+    },
+    tools_run: [...new Set(toolsRun)],
+    errors: errors.length > 0 ? errors : undefined,
+    scan: scanData ? {
+      grade,
+      findings: normalized,
+      by_severity: bySeverity,
+      by_category: byCategory,
+      by_category_severity: byCategorySeverity,
+    } : null,
+    aivss: aivssResult ? {
+      posture: aivssResult.posture,
+      findings: aivssResult.findings,
+    } : null,
+    sbom: components ? {
+      component_count: components.length,
+      ecosystems: [...new Set(components.map(c => c.ecosystem))],
+      direct_count: components.filter(c => c.isDirect).length,
+      dev_count: components.filter(c => c.isDev).length,
+      bom: verbosity === 'full' ? bom : undefined,
+    } : null,
+    supply_chain: {
+      vulnerabilities: vulnData ? {
+        total: vulnData.total,
+        affected_packages: vulnData.affected_packages,
+        by_severity: vulnData.by_severity,
+        vulnerabilities: verbosity === 'full' ? vulnData.vulnerabilities : undefined,
+      } : null,
+      hallucinations: hallucinationData ? {
+        hallucinated_count: hallucinationData.hallucinated_count,
+        unsupported_count: hallucinationData.unsupported_count,
+        legitimate_count: hallucinationData.legitimate_count,
+        hallucinated_packages: hallucinationData.hallucinated_packages,
+        unsupported_packages: hallucinationData.unsupported_packages,
+      } : null,
+      drift: driftData,
+    },
+  };
+
+  return bundle;
+}
+
+/**
+ * Build the legacy-compatible evidence object for the compliance evaluator.
+ * This converts the evidence bundle into the shape expected by evaluateControl/evaluateAll.
+ */
+export function buildEvaluatorEvidence(bundle) {
+  const grade = bundle.scan?.grade || null;
+  return {
+    aivssPosture: bundle.aivss?.posture || null,
+    findings: bundle.scan?.findings || [],
+    grades: { scan_project: grade, scan_security: grade, project: grade },
+    toolsRun: bundle.tools_run,
+  };
+}
+
+// --- Internal helpers ---
+
+function buildSeverityMap(findings) {
+  const map = {};
+  for (const level of SEVERITY_LEVELS) map[level] = 0;
+  for (const f of findings) {
+    if (f.source_tool === 'scan_project') continue; // avoid double-counting
+    const sev = f.severity || 'INFO';
+    map[sev] = (map[sev] || 0) + 1;
+  }
+  return map;
+}
+
+function buildCategoryMap(findings) {
+  const map = {};
+  for (const cat of CATEGORY_DEFAULTS) map[cat] = 0;
+  for (const f of findings) {
+    if (f.source_tool === 'scan_project') continue;
+    const cat = f.category || 'unknown';
+    map[cat] = (map[cat] || 0) + 1;
+  }
+  return map;
+}
+
+function buildCategorySeverityMap(findings) {
+  const map = {};
+  for (const cat of CATEGORY_DEFAULTS) {
+    map[cat] = {};
+    for (const sev of SEVERITY_LEVELS) map[cat][sev] = 0;
+  }
+  for (const f of findings) {
+    if (f.source_tool === 'scan_project') continue;
+    const cat = f.category || 'unknown';
+    const sev = f.severity || 'INFO';
+    if (!map[cat]) {
+      map[cat] = {};
+      for (const s of SEVERITY_LEVELS) map[cat][s] = 0;
+    }
+    map[cat][sev] = (map[cat][sev] || 0) + 1;
+  }
+  return map;
+}
+
+function buildComponentMap(components) {
+  const map = new Map();
+  for (const comp of components) {
+    const eco = extractEcosystem(comp);
+    const key = `${eco}:${comp.name}`;
+    map.set(key, comp);
+  }
+  return map;
+}
+
+function extractEcosystem(component) {
+  if (component.properties) {
+    const eco = component.properties.find(p => p.name === 'cdx:ecosystem');
+    if (eco) return eco.value;
+  }
+  if (component.purl) {
+    const match = component.purl.match(/^pkg:([^/]+)/);
+    if (match) return ecosystemFromPurlType(match[1]);
+  }
+  return component.ecosystem || 'unknown';
+}

package/src/tools/compliance-controls.js

@@ -1,31 +1,35 @@
 // src/tools/compliance-controls.js — get_compliance_controls MCP tool (thin wrapper)
 
 import { z } from 'zod';
-import { loadControls, filterControls } from '../lib/compliance-controls.js';
+import { loadControls, filterControls, listFrameworks } from '../lib/compliance-controls.js';
 
 export const complianceControlsSchema = {
-  domain: z.enum(['security', 'safety', 'all']).optional().describe("Filter by domain"),
+  framework: z.string().optional().describe("Framework to query (default: aiuc-1). Use 'soc2-technical', 'gdpr-technical', etc."),
+  domain: z.string().optional().describe("Filter by domain (e.g. 'security', 'safety', 'all'). Accepted values depend on the framework."),
   control_ids: z.array(z.string()).optional().describe("Specific control IDs to retrieve"),
   owasp_filter: z.array(z.string()).optional().describe("Filter by OWASP LLM tags (e.g. LLM01)"),
   verbosity: z.enum(['minimal', 'compact', 'full']).optional().describe("Response detail level"),
 };
 
-export async function getComplianceControls({ domain, control_ids, owasp_filter, verbosity }) {
+export async function getComplianceControls({ framework, domain, control_ids, owasp_filter, verbosity }) {
+  const fw = framework || 'aiuc-1';
   const level = verbosity || 'compact';
 
   const controls = filterControls({
+    framework: fw,
     domain: domain || 'all',
     controlIds: control_ids,
     owaspFilter: owasp_filter,
   });
 
-  const registry = loadControls();
+  const registry = loadControls(fw);
 
   let output;
   switch (level) {
     case 'minimal':
       output = {
         framework: registry.framework,
+        domains: registry.domains,
         controls_count: controls.length,
         controls: controls.map(c => ({ id: c.id, title: c.title, domain: c.domain })),
       };
@@ -37,6 +41,8 @@ export async function getComplianceControls({ domain, control_ids, owasp_filter,
         schema_version: registry.schema_version,
         source: registry.source,
         source_snapshot: registry.source_snapshot,
+        domains: registry.domains,
+        available_frameworks: listFrameworks(),
         controls_count: controls.length,
         controls,
       };
@@ -47,14 +53,18 @@ export async function getComplianceControls({ domain, control_ids, owasp_filter,
       output = {
         framework: registry.framework,
         controls_count: controls.length,
-        controls: controls.map(c => ({
-          id: c.id,
-          title: c.title,
-          domain: c.domain,
-          owasp_llm: c.owasp_llm,
-          scanner_tools: c.scanner_tools,
-          evaluation: c.evaluation,
-        })),
+        controls: controls.map(c => {
+          const out = {
+            id: c.id,
+            title: c.title,
+            domain: c.domain,
+            scanner_tools: c.scanner_tools,
+            evaluation: c.evaluation,
+          };
+          if (c.owasp_llm) out.owasp_llm = c.owasp_llm;
+          if (c.references) out.references = c.references;
+          return out;
+        }),
       };
   }
 

package/src/tools/evaluate-compliance.js

@@ -0,0 +1,161 @@
+// src/tools/evaluate-compliance.js — evaluate_compliance MCP tool.
+// Collects evidence from scan + SBOM, evaluates controls per framework, persists optionally.
+
+import { z } from 'zod';
+import { existsSync, mkdirSync, writeFileSync } from 'fs';
+import { join } from 'path';
+import { collectEvidence, buildEvaluatorEvidence } from '../lib/compliance-evidence.js';
+import { loadControls } from '../lib/compliance-controls.js';
+import { evaluateAll } from '../lib/compliance-evaluator.js';
+function formatTimestamp(date) {
+  const pad = (n) => String(n).padStart(2, '0');
+  return `${date.getFullYear()}-${pad(date.getMonth() + 1)}-${pad(date.getDate())}T${pad(date.getHours())}-${pad(date.getMinutes())}-${pad(date.getSeconds())}`;
+}
+
+export const evaluateComplianceSchema = {
+  directory_path: z.string().describe('Path to project root directory to evaluate'),
+  frameworks: z.array(z.string()).optional()
+    .describe('Compliance frameworks to evaluate (default: ["aiuc-1"]). Options: aiuc-1, soc2-technical, gdpr-technical'),
+  sbom_path: z.string().optional().describe('Path to existing SBOM file (skips SBOM generation)'),
+  baseline_path: z.string().optional().describe('Path to SBOM baseline file for drift comparison'),
+  save_evidence: z.boolean().optional().describe('Save evidence bundle to .scanner/evidence/ (default: false)'),
+  verbosity: z.enum(['minimal', 'compact', 'full']).optional().describe('Response detail level (default: compact)'),
+};
+
+export async function evaluateCompliance({ directory_path, frameworks, sbom_path, baseline_path, save_evidence, verbosity }) {
+  if (!existsSync(directory_path)) {
+    return error(`Directory not found: ${directory_path}`);
+  }
+
+  const fws = (frameworks && frameworks.length > 0) ? frameworks : ['aiuc-1'];
+  const level = verbosity || 'compact';
+
+  // Collect evidence once, evaluate against all requested frameworks
+  let bundle;
+  try {
+    bundle = await collectEvidence({
+      directory: directory_path,
+      sbomPath: sbom_path,
+      baselinePath: baseline_path,
+      toolVersion: process.env.npm_package_version || 'unknown',
+      verbosity: level,
+    });
+  } catch (err) {
+    return error(`Evidence collection failed: ${err.message}`);
+  }
+
+  // Add requested frameworks to metadata
+  bundle.metadata.frameworks = fws;
+
+  // Build legacy evaluator evidence (for AIUC-1 backward compat)
+  const legacyEvidence = buildEvaluatorEvidence(bundle);
+
+  // Evaluate each framework
+  const frameworkResults = [];
+  for (const fw of fws) {
+    try {
+      const registry = loadControls(fw);
+      const result = evaluateAll(registry.controls, legacyEvidence, bundle);
+      frameworkResults.push({
+        framework: registry.framework,
+        controls_evaluated: result.controls_evaluated,
+        summary: {
+          pass: result.pass,
+          partial: result.partial,
+          fail: result.fail,
+          not_evaluated: result.not_evaluated,
+        },
+        results: result.results,
+      });
+    } catch (err) {
+      frameworkResults.push({
+        framework: fw,
+        error: err.message,
+      });
+    }
+  }
+
+  // Persist evidence if requested
+  let savedPath = null;
+  if (save_evidence) {
+    try {
+      const evidenceDir = join(directory_path, '.scanner', 'evidence');
+      if (!existsSync(evidenceDir)) {
+        mkdirSync(evidenceDir, { recursive: true, mode: 0o700 });
+      }
+      const filename = `${formatTimestamp(new Date())}.json`;
+      savedPath = join(evidenceDir, filename);
+      const persistBundle = {
+        ...bundle,
+        compliance: frameworkResults,
+      };
+      writeFileSync(savedPath, JSON.stringify(persistBundle, null, 2), { encoding: 'utf-8', mode: 0o600 });
+    } catch (err) {
+      // Non-fatal — report but don't fail
+      if (!bundle.errors) bundle.errors = [];
+      bundle.errors.push({ source: 'evidence_persist', message: err.message });
+    }
+  }
+
+  // Build response based on verbosity
+  let response;
+  switch (level) {
+    case 'minimal':
+      response = {
+        directory: directory_path,
+        tools_run: bundle.tools_run,
+        compliance: frameworkResults.map(r => ({
+          framework: r.framework,
+          summary: r.summary || null,
+          error: r.error || undefined,
+        })),
+        ...(savedPath && { evidence_saved: savedPath }),
+      };
+      break;
+
+    case 'full':
+      response = {
+        evidence: bundle,
+        compliance: frameworkResults,
+        ...(savedPath && { evidence_saved: savedPath }),
+      };
+      break;
+
+    case 'compact':
+    default:
+      response = {
+        directory: directory_path,
+        tools_run: bundle.tools_run,
+        errors: bundle.errors || undefined,
+        scan_summary: bundle.scan ? {
+          grade: bundle.scan.grade,
+          by_severity: bundle.scan.by_severity,
+        } : null,
+        sbom_summary: bundle.sbom ? {
+          component_count: bundle.sbom.component_count,
+          ecosystems: bundle.sbom.ecosystems,
+        } : null,
+        supply_chain: bundle.supply_chain.vulnerabilities || bundle.supply_chain.hallucinations ? {
+          vulnerabilities: bundle.supply_chain.vulnerabilities ? {
+            total: bundle.supply_chain.vulnerabilities.total,
+            by_severity: bundle.supply_chain.vulnerabilities.by_severity,
+          } : null,
+          hallucinations: bundle.supply_chain.hallucinations ? {
+            hallucinated_count: bundle.supply_chain.hallucinations.hallucinated_count,
+          } : null,
+          drift: bundle.supply_chain.drift,
+        } : null,
+        compliance: frameworkResults,
+        ...(savedPath && { evidence_saved: savedPath }),
+      };
+      break;
+  }
+
+  return {
+    content: [{ type: 'text', text: JSON.stringify(response, null, 2) }],
+  };
+}
+
+function error(msg) {
+  return { content: [{ type: 'text', text: JSON.stringify({ error: msg }) }] };
+}