api-tests-coverage 1.0.0

package/dist/src/security/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/security/types.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,MAAM,WAAW,GAAG,SAAS,GAAG,OAAO,GAAG,KAAK,GAAG,UAAU,GAAG,OAAO,CAAC;AAE7E,MAAM,MAAM,eAAe,GACvB,MAAM,GACN,KAAK,GACL,QAAQ,GACR,WAAW,GACX,MAAM,GACN,MAAM,GACN,WAAW,GACX,eAAe,GACf,QAAQ,GACR,SAAS,CAAC;AAEd,MAAM,MAAM,eAAe,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAErE,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,WAAW,CAAC;IACrB,QAAQ,EAAE,eAAe,CAAC;IAC1B,QAAQ,EAAE,eAAe,CAAC;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE;QACT,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,IAAI,CAAC,EAAE,MAAM,CAAC;KACf,CAAC;IACF,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,oBAAoB,CAAC,EAAE,OAAO,CAAC;CAChC;AAID,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,QAAQ,GAAG,UAAU,CAAC;AAE7D,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,WAAW,CAAC;IAClB,qFAAqF;IACrF,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,2BAA2B;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,oBAAoB;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,oBAAoB;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,yBAAyB;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,8DAA8D;IAC9D,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,WAAW,CAAC;IAClB,6CAA6C;IAC7C,QAAQ,CAAC,EAAE,IAAI,GAAG,MAAM,CAAC;IACzB,kEAAkE;IAClE,QAAQ,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,WAAW,GAAG,QAAQ,CAAC,CAAC;IAClD,2BAA2B;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,yBAAyB;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,4DAA4D;IAC5D,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,WAAW,CAAC;IAClB,oCAAoC;IACpC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,mBAAmB;IACnB,OAAO,CAAC,EAAE,UAAU,GAAG,MAAM,CAAC;IAC9B,mCAAmC;IACnC,IAAI,CAAC,EAAE;QACL,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;IACF,yBAAyB;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,8DAA8D;IAC9D,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,CAAC,EAAE,oBAAoB,CAAC;IAC/B,KAAK,CAAC,EAAE,kBAAkB,CAAC;IAC3B,GAAG,CAAC,EAAE,gBAAgB,CAAC;CACxB;AAID,MAAM,WAAW,kBAAkB;IACjC,0CAA0C;IAC1C,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,sCAAsC;IACtC,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,sCAAsC;IACtC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,mCAAmC;IACnC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,6CAA6C;IAC7C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6CAA6C;IAC7C,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,+CAA+C;IAC/C,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,2CAA2C;IAC3C,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAID,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,gDAAgD;IAChD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,sBAAsB,CAAC;IAClC,IAAI,CAAC,EAAE,kBAAkB,CAAC;CAC3B;AAID,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,WAAW,CAAC;IACrB,QAAQ,EAAE,eAAe,EAAE,CAAC;IAC5B,2CAA2C;IAC3C,OAAO,EAAE,OAAO,CAAC;IACjB,0CAA0C;IAC1C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,8CAA8C;IAC9C,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,WAAW,EAAE,CAAC;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAC5C,UAAU,EAAE,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IAC5C,SAAS,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IACvC,QAAQ,EAAE,eAAe,EAAE,CAAC;IAC5B,UAAU,CAAC,EAAE,kBAAkB,CAAC;CACjC;AAID,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,OAAO,CAAC;IAChB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,UAAU,EAAE,kBAAkB,CAAC;IAC/B,MAAM,EAAE;QACN,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,CAAC;QACZ,OAAO,EAAE,MAAM,CAAC;QAChB,aAAa,EAAE,MAAM,CAAC;QACtB,aAAa,EAAE,MAAM,CAAC;QACtB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;CACH"}

package/dist/src/security/types.js

@@ -0,0 +1,6 @@
+"use strict";
+/**
+ * Normalized security finding model.
+ * All scanner outputs (Semgrep, Trivy, ZAP, etc.) are mapped to this common schema.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/src/securityCoverage.d.ts

@@ -0,0 +1,116 @@
+import type { AstAnalysisConfig, DeepAnalysisCoverageConfig } from './config/types';
+export type SecurityCategory = 'authentication' | 'authorization' | 'input-validation' | 'cryptography' | 'session-management';
+export declare const SECURITY_CATEGORIES: SecurityCategory[];
+export interface SecurityControl {
+    /** Unique identifier, e.g. "authentication:BearerAuth" or "authorization:get:/users" */
+    id: string;
+    /** Which security domain this control belongs to */
+    category: SecurityCategory;
+    /** Human-readable description */
+    description: string;
+    /** Endpoint string, e.g. "GET /users", for endpoint-specific controls */
+    endpoint?: string;
+    /** Additional detail, e.g. scheme type */
+    detail?: string;
+}
+export interface SecurityControlCoverage {
+    control: SecurityControl;
+    /** True if covered by at least one test or scan report finding */
+    covered: boolean;
+    /** Test description strings that matched this control */
+    matchedTests: string[];
+    /** Whether this was covered by an external scan report finding */
+    coveredByScanReport: boolean;
+    /**
+     * AST metadata when coverage was informed by semantic analysis.
+     */
+    astMetadata?: {
+        sourceLanguage?: string;
+        resolutionType?: string;
+        confidence?: string;
+    };
+}
+/**
+ * Options to enable AST-augmented security coverage analysis.
+ */
+export interface AstSecurityAnalysisOptions {
+    astConfig: AstAnalysisConfig;
+    deepConfig?: DeepAnalysisCoverageConfig;
+}
+export interface SecurityCategorySummary {
+    total: number;
+    covered: number;
+}
+export interface SecurityCoverageReport {
+    total: number;
+    covered: number;
+    percentage: number;
+    controls: SecurityControlCoverage[];
+    categorySummary: Record<SecurityCategory, SecurityCategorySummary>;
+    /** Number of findings ingested from the external scan report */
+    scanFindings: number;
+}
+/** Keywords used to detect security tests in test descriptions */
+export declare const SECURITY_KEYWORDS: Record<SecurityCategory, string[]>;
+/**
+ * Extract security controls from a validated OpenAPI 3.x document.
+ * Controls are derived from:
+ *  - Security schemes (authentication / session-management)
+ *  - Endpoint security requirements (authorization)
+ *  - Parameter / request-body validation constraints (input-validation)
+ *  - Server URLs (cryptography)
+ */
+export declare function parseSecurityControls(specPath: string): Promise<SecurityControl[]>;
+export interface ScanFinding {
+    name: string;
+    category: SecurityCategory;
+    severity?: string;
+    endpoint?: string;
+}
+/**
+ * Parse an external security scanner report and return normalised findings.
+ *
+ * Supported formats:
+ *   • ZAP JSON  – `{ "site": [{ "alerts": [{ "alert": "...", "riskdesc": "..." }] }] }`
+ *   • Generic   – `{ "findings": [{ "name": "...", "severity": "..." }] }`
+ *   • Array     – `[{ "name": "...", "severity": "..." }]`
+ *   • XML       – basic regex extraction of alert/name elements
+ */
+export declare function parseScanReport(reportPath: string): ScanFinding[];
+/**
+ * Map a scanner alert name to a SecurityCategory using known patterns.
+ * Returns null if the alert name does not map to any category.
+ */
+export declare function alertNameToCategory(name: string): SecurityCategory | null;
+interface TestEntry {
+    description: string;
+    content: string;
+    filePath: string;
+}
+/**
+ * Determine whether a test entry covers a given security control.
+ *
+ * Matching rules (in order of precedence):
+ *   1. `@security <controlId>` annotation in description or surrounding content
+ *   2. Category keywords present in the test description
+ *   3. For endpoint-specific controls, the test description or content must
+ *      also reference the endpoint path (matched after stripping path params)
+ */
+export declare function testCoversControl(entry: TestEntry, control: SecurityControl): boolean;
+/**
+ * Analyse test files (and optionally an external scan report) to determine
+ * which security controls from the spec are covered. Optionally augments
+ * text-scan results with AST-derived semantic signals when `astOptions` is
+ * provided.
+ */
+export declare function analyzeSecurityCoverage(controls: SecurityControl[], testGlob: string, scanReportPath?: string, astOptions?: AstSecurityAnalysisOptions): Promise<SecurityControlCoverage[]>;
+/**
+ * Build the coverage summary from per-control coverages.
+ */
+export declare function buildSecurityCoverageReport(coverages: SecurityControlCoverage[], scanFindings?: number): SecurityCoverageReport;
+/**
+ * Write JSON and HTML security-coverage reports to the given directory.
+ */
+export declare function generateSecurityReports(report: SecurityCoverageReport, reportsDir: string): void;
+export {};
+//# sourceMappingURL=securityCoverage.d.ts.map

package/dist/src/securityCoverage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"securityCoverage.d.ts","sourceRoot":"","sources":["../../src/securityCoverage.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,iBAAiB,EAAE,0BAA0B,EAAE,MAAM,gBAAgB,CAAC;AAUpF,MAAM,MAAM,gBAAgB,GACxB,gBAAgB,GAChB,eAAe,GACf,kBAAkB,GAClB,cAAc,GACd,oBAAoB,CAAC;AAEzB,eAAO,MAAM,mBAAmB,EAAE,gBAAgB,EAMjD,CAAC;AAEF,MAAM,WAAW,eAAe;IAC9B,wFAAwF;IACxF,EAAE,EAAE,MAAM,CAAC;IACX,oDAAoD;IACpD,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,iCAAiC;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,yEAAyE;IACzE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,uBAAuB;IACtC,OAAO,EAAE,eAAe,CAAC;IACzB,kEAAkE;IAClE,OAAO,EAAE,OAAO,CAAC;IACjB,yDAAyD;IACzD,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,kEAAkE;IAClE,mBAAmB,EAAE,OAAO,CAAC;IAC7B;;OAEG;IACH,WAAW,CAAC,EAAE;QACZ,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,cAAc,CAAC,EAAE,MAAM,CAAC;QACxB,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,SAAS,EAAE,iBAAiB,CAAC;IAC7B,UAAU,CAAC,EAAE,0BAA0B,CAAC;CACzC;AAED,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,sBAAsB;IACrC,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,uBAAuB,EAAE,CAAC;IACpC,eAAe,EAAE,MAAM,CAAC,gBAAgB,EAAE,uBAAuB,CAAC,CAAC;IACnE,gEAAgE;IAChE,YAAY,EAAE,MAAM,CAAC;CACtB;AAID,kEAAkE;AAClE,eAAO,MAAM,iBAAiB,EAAE,MAAM,CAAC,gBAAgB,EAAE,MAAM,EAAE,CAwBhE,CAAC;AAgBF;;;;;;;GAOG;AACH,wBAAsB,qBAAqB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC,CA8GxF;AAwDD,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,WAAW,EAAE,CAiBjE;AA8ED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,gBAAgB,GAAG,IAAI,CAKzE;AAID,UAAU,SAAS;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAyBD;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,eAAe,GAAG,OAAO,CA4BrF;AAyKD;;;;;GAKG;AACH,wBAAsB,uBAAuB,CAC3C,QAAQ,EAAE,eAAe,EAAE,EAC3B,QAAQ,EAAE,MAAM,EAChB,cAAc,CAAC,EAAE,MAAM,EACvB,UAAU,CAAC,EAAE,0BAA0B,GACtC,OAAO,CAAC,uBAAuB,EAAE,CAAC,CA6CpC;AAID;;GAEG;AACH,wBAAgB,2BAA2B,CACzC,SAAS,EAAE,uBAAuB,EAAE,EACpC,YAAY,GAAE,MAAU,GACvB,sBAAsB,CAsBxB;AAID;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,sBAAsB,EAC9B,UAAU,EAAE,MAAM,GACjB,IAAI,CAqHN"}