aura-security 0.4.0

package/dist/pipeline/index.js

@@ -0,0 +1,313 @@
+// Pipeline Framework - Extensible security analysis pipeline
+// Compose multiple analysis stages with pluggable rules
+// Built-in analysis stages
+export class SecretsDetectionStage {
+    name = 'secrets-detection';
+    description = 'Detect hardcoded secrets and credentials in code changes';
+    patterns = [
+        { name: 'API Key', regex: /api[_-]?key\s*[=:]\s*['"][^'"]{8,}['"]/gi },
+        { name: 'Secret', regex: /secret\s*[=:]\s*['"][^'"]{8,}['"]/gi },
+        { name: 'Password', regex: /password\s*[=:]\s*['"][^'"]{4,}['"]/gi },
+        { name: 'Bearer Token', regex: /bearer\s+[a-z0-9_-]{20,}/gi },
+        { name: 'Private Key', regex: /-----BEGIN\s+(RSA|EC|OPENSSH|PGP)\s+PRIVATE\s+KEY-----/g },
+        { name: 'AWS Key', regex: /AKIA[0-9A-Z]{16}/g },
+        { name: 'GitHub Token', regex: /gh[pousr]_[A-Za-z0-9_]{36,}/g },
+        { name: 'JWT', regex: /eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*/g }
+    ];
+    analyze(ctx) {
+        const { diff } = ctx.input.change_event;
+        const lines = diff.split('\n');
+        const findings = [];
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (!line.startsWith('+'))
+                continue;
+            for (const { name, regex } of this.patterns) {
+                regex.lastIndex = 0;
+                if (regex.test(line)) {
+                    findings.push({ pattern: name, line: i + 1 });
+                }
+            }
+        }
+        if (findings.length > 0) {
+            ctx.events.push(this.createEvent({
+                severity: 'critical',
+                claim: `Detected ${findings.length} potential secret(s): ${[...new Set(findings.map(f => f.pattern))].join(', ')}`,
+                attackPath: [
+                    'Credentials committed to repository',
+                    'Secrets exposed in version control history',
+                    'Attacker extracts credentials from git history or logs'
+                ],
+                affectedAssets: findings.map(f => `line:${f.line}`),
+                evidenceRefs: findings.map(f => ({ type: 'diff', pointer: `line:${f.line}` })),
+                assuranceBreak: ['integrity', 'access_control'],
+                confidence: 0.95
+            }));
+        }
+    }
+    createEvent(result) {
+        return {
+            event_type: 'escalation_triggered',
+            target: 'self',
+            payload: {
+                severity: result.severity,
+                claim: result.claim,
+                attack_path: result.attackPath,
+                affected_assets: result.affectedAssets,
+                evidence_refs: result.evidenceRefs,
+                assurance_break: result.assuranceBreak,
+                confidence: result.confidence
+            },
+            timestamp: new Date().toISOString()
+        };
+    }
+}
+export class VulnerabilityScanStage {
+    name = 'vulnerability-scan';
+    description = 'Analyze vulnerability scan results from evidence bundle';
+    analyze(ctx) {
+        const { vuln_scan } = ctx.input.evidence_bundle;
+        if (!vuln_scan)
+            return;
+        const vulns = this.parseVulnScan(vuln_scan);
+        if (vulns.critical > 0) {
+            ctx.events.push({
+                event_type: 'escalation_triggered',
+                target: 'self',
+                payload: {
+                    severity: 'critical',
+                    claim: `${vulns.critical} critical vulnerabilities detected in dependencies`,
+                    attack_path: [
+                        'Known CVE present in deployed dependencies',
+                        'Attacker identifies vulnerable component version',
+                        'Exploit executed against production system'
+                    ],
+                    affected_assets: ['dependencies'],
+                    evidence_refs: [{ type: 'scan', pointer: 'vuln_scan:critical' }],
+                    assurance_break: ['integrity'],
+                    confidence: 0.95
+                },
+                timestamp: new Date().toISOString()
+            });
+        }
+        if (vulns.high > 0) {
+            ctx.events.push({
+                event_type: 'finding_raised',
+                target: 'self',
+                payload: {
+                    severity: 'high',
+                    claim: `${vulns.high} high severity vulnerabilities detected`,
+                    attack_path: [
+                        'Known vulnerability in dependency chain',
+                        'Attacker chains vulnerability with other weaknesses',
+                        'System compromise achieved'
+                    ],
+                    affected_assets: ['dependencies'],
+                    evidence_refs: [{ type: 'scan', pointer: 'vuln_scan:high' }],
+                    assurance_break: ['integrity'],
+                    confidence: 0.85
+                },
+                timestamp: new Date().toISOString()
+            });
+        }
+    }
+    parseVulnScan(scan) {
+        const criticalMatch = scan.match(/critical[:\s]+(\d+)/i);
+        const highMatch = scan.match(/high[:\s]+(\d+)/i);
+        const mediumMatch = scan.match(/medium[:\s]+(\d+)/i);
+        const lowMatch = scan.match(/low[:\s]+(\d+)/i);
+        return {
+            critical: criticalMatch ? parseInt(criticalMatch[1], 10) : 0,
+            high: highMatch ? parseInt(highMatch[1], 10) : 0,
+            medium: mediumMatch ? parseInt(mediumMatch[1], 10) : 0,
+            low: lowMatch ? parseInt(lowMatch[1], 10) : 0
+        };
+    }
+}
+export class CriticalAssetStage {
+    name = 'critical-asset-monitor';
+    description = 'Monitor changes to critical asset paths';
+    analyze(ctx) {
+        const { files_changed } = ctx.input.change_event;
+        const { critical_assets, risk_tolerance } = ctx.input.policy_context;
+        const criticalChanges = [];
+        for (const file of files_changed) {
+            const fileLower = file.toLowerCase();
+            for (const asset of critical_assets) {
+                if (fileLower.includes(asset.toLowerCase())) {
+                    criticalChanges.push(file);
+                    break;
+                }
+            }
+        }
+        if (criticalChanges.length > 0) {
+            const severity = this.adjustSeverity('high', risk_tolerance);
+            ctx.events.push({
+                event_type: 'finding_raised',
+                target: 'self',
+                payload: {
+                    severity,
+                    claim: `${criticalChanges.length} critical asset file(s) modified`,
+                    attack_path: [
+                        'Attacker gains commit access or compromises developer',
+                        'Modifies critical asset configuration or code',
+                        'Changes bypass review due to file location complexity'
+                    ],
+                    affected_assets: criticalChanges,
+                    evidence_refs: criticalChanges.map(f => ({ type: 'diff', pointer: f })),
+                    assurance_break: ['integrity', 'access_control'],
+                    confidence: 0.85
+                },
+                timestamp: new Date().toISOString()
+            });
+        }
+    }
+    adjustSeverity(base, tolerance) {
+        if (tolerance === 'low') {
+            if (base === 'low')
+                return 'medium';
+            if (base === 'medium')
+                return 'high';
+            if (base === 'high')
+                return 'critical';
+        }
+        if (tolerance === 'high') {
+            if (base === 'critical')
+                return 'high';
+            if (base === 'high')
+                return 'medium';
+            if (base === 'medium')
+                return 'low';
+        }
+        return base;
+    }
+}
+export class InfrastructureChangeStage {
+    name = 'infrastructure-change';
+    description = 'Analyze infrastructure-as-code changes';
+    iacPatterns = [
+        /\.tf$/, // Terraform
+        /\.tfvars$/,
+        /cloudformation/i,
+        /\.yaml$/,
+        /\.yml$/,
+        /kubernetes/i,
+        /helm/i,
+        /docker-compose/i,
+        /Dockerfile$/i
+    ];
+    analyze(ctx) {
+        const { type, files_changed } = ctx.input.change_event;
+        if (type !== 'infra_change') {
+            // Check if any files look like IaC
+            const iacFiles = files_changed.filter(f => this.iacPatterns.some(p => p.test(f)));
+            if (iacFiles.length === 0)
+                return;
+            ctx.uncertainties.push('Detected potential IaC files but change type is not infra_change');
+        }
+        ctx.events.push({
+            event_type: 'finding_raised',
+            target: 'self',
+            payload: {
+                severity: 'medium',
+                claim: 'Infrastructure change requires manual security review',
+                attack_path: [
+                    'IaC misconfiguration introduced',
+                    'Security boundaries or network rules modified',
+                    'Attacker gains access to previously protected resources'
+                ],
+                affected_assets: ['infrastructure'],
+                evidence_refs: files_changed.map(f => ({ type: 'diff', pointer: f })),
+                assurance_break: ['isolation', 'access_control'],
+                confidence: 0.6
+            },
+            timestamp: new Date().toISOString()
+        });
+        ctx.assumptions.push('Infrastructure changes require human approval regardless of automated checks');
+    }
+}
+export class ProductionDeployStage {
+    name = 'production-deploy-guard';
+    description = 'Guard against direct production deployments';
+    analyze(ctx) {
+        const { type, environment } = ctx.input.change_event;
+        if (type === 'deploy' && environment === 'prod') {
+            ctx.events.push({
+                event_type: 'finding_raised',
+                target: 'self',
+                payload: {
+                    severity: 'medium',
+                    claim: 'Direct production deployment detected - verify staging validation completed',
+                    attack_path: [
+                        'Code deployed directly to production',
+                        'Untested changes reach production environment',
+                        'Runtime errors or vulnerabilities exposed to users'
+                    ],
+                    affected_assets: ['production-environment'],
+                    evidence_refs: [{ type: 'diff', pointer: ctx.input.change_event.commit }],
+                    assurance_break: ['isolation'],
+                    confidence: 0.7
+                },
+                timestamp: new Date().toISOString()
+            });
+            ctx.assumptions.push('Production deployments should pass through staging first');
+        }
+    }
+}
+// Pipeline executor
+export class SecurityPipeline {
+    stages = [];
+    constructor() {
+        // Add default stages
+        this.stages = [
+            new SecretsDetectionStage(),
+            new VulnerabilityScanStage(),
+            new CriticalAssetStage(),
+            new InfrastructureChangeStage(),
+            new ProductionDeployStage()
+        ];
+    }
+    addStage(stage) {
+        this.stages.push(stage);
+    }
+    removeStage(name) {
+        this.stages = this.stages.filter(s => s.name !== name);
+    }
+    getStages() {
+        return [...this.stages];
+    }
+    async execute(input) {
+        const ctx = {
+            input,
+            events: [],
+            assumptions: [],
+            uncertainties: [],
+            metadata: new Map()
+        };
+        // Add analysis started event
+        ctx.events.push({
+            event_type: 'analysis_started',
+            target: 'self',
+            payload: {
+                severity: 'low',
+                claim: `Pipeline started: ${this.stages.length} stages`,
+                attack_path: ['Initiated security analysis'],
+                affected_assets: [],
+                evidence_refs: [{ type: 'diff', pointer: input.change_event.id }],
+                assurance_break: [],
+                confidence: 1.0
+            },
+            timestamp: new Date().toISOString()
+        });
+        // Run all stages
+        for (const stage of this.stages) {
+            try {
+                await stage.analyze(ctx);
+            }
+            catch (err) {
+                ctx.uncertainties.push(`Stage ${stage.name} failed: ${err}`);
+            }
+        }
+        return ctx;
+    }
+}

package/dist/sbom/index.d.ts

@@ -0,0 +1,94 @@
+import type { LocalScanResult } from '../integrations/local-scanner.js';
+export interface CycloneDXComponent {
+    type: 'library' | 'application' | 'framework' | 'file' | 'container' | 'operating-system';
+    name: string;
+    version: string;
+    purl?: string;
+    licenses?: Array<{
+        license: {
+            id?: string;
+            name?: string;
+        };
+    }>;
+    hashes?: Array<{
+        alg: string;
+        content: string;
+    }>;
+}
+export interface CycloneDXVulnerability {
+    id: string;
+    source?: {
+        name: string;
+        url?: string;
+    };
+    ratings?: Array<{
+        severity: 'critical' | 'high' | 'medium' | 'low' | 'info' | 'none' | 'unknown';
+        method?: string;
+        score?: number;
+    }>;
+    description?: string;
+    recommendation?: string;
+    affects?: Array<{
+        ref: string;
+    }>;
+}
+export interface CycloneDXDocument {
+    bomFormat: 'CycloneDX';
+    specVersion: '1.5';
+    serialNumber: string;
+    version: number;
+    metadata: {
+        timestamp: string;
+        tools?: Array<{
+            vendor: string;
+            name: string;
+            version: string;
+        }>;
+        component?: CycloneDXComponent;
+    };
+    components: CycloneDXComponent[];
+    vulnerabilities?: CycloneDXVulnerability[];
+}
+export interface SPDXPackage {
+    SPDXID: string;
+    name: string;
+    versionInfo: string;
+    downloadLocation: string;
+    filesAnalyzed: boolean;
+    licenseConcluded?: string;
+    licenseDeclared?: string;
+    copyrightText?: string;
+    externalRefs?: Array<{
+        referenceCategory: string;
+        referenceType: string;
+        referenceLocator: string;
+    }>;
+}
+export interface SPDXDocument {
+    spdxVersion: 'SPDX-2.3';
+    dataLicense: 'CC0-1.0';
+    SPDXID: 'SPDXRef-DOCUMENT';
+    name: string;
+    documentNamespace: string;
+    creationInfo: {
+        created: string;
+        creators: string[];
+        licenseListVersion?: string;
+    };
+    packages: SPDXPackage[];
+    relationships: Array<{
+        spdxElementId: string;
+        relationshipType: string;
+        relatedSpdxElement: string;
+    }>;
+}
+export interface SBOMOptions {
+    format: 'cyclonedx' | 'spdx';
+    includeVulnerabilities?: boolean;
+    includeLicenses?: boolean;
+    projectName?: string;
+    projectVersion?: string;
+}
+export declare function generateCycloneDX(targetPath: string, scanResult?: LocalScanResult, options?: SBOMOptions): CycloneDXDocument;
+export declare function generateSPDX(targetPath: string, scanResult?: LocalScanResult, options?: SBOMOptions): SPDXDocument;
+export declare function generateSBOM(targetPath: string, scanResult?: LocalScanResult, options?: SBOMOptions): CycloneDXDocument | SPDXDocument;

package/dist/sbom/index.js

@@ -0,0 +1,298 @@
+// SBOM (Software Bill of Materials) Generator
+// Supports CycloneDX 1.5 and SPDX 2.3 formats
+import { spawnSync } from 'child_process';
+import { existsSync, readFileSync } from 'fs';
+import { join } from 'path';
+function isToolAvailable(tool) {
+    try {
+        const result = spawnSync(tool, ['--version'], { encoding: 'utf-8', timeout: 5000 });
+        return result.status === 0;
+    }
+    catch {
+        return false;
+    }
+}
+// Try to use Syft for better SBOM generation
+function runSyft(targetPath, format) {
+    if (!isToolAvailable('syft')) {
+        return null;
+    }
+    try {
+        const result = spawnSync('syft', [targetPath, '-o', format], {
+            encoding: 'utf-8',
+            timeout: 120000,
+            maxBuffer: 50 * 1024 * 1024
+        });
+        if (result.status === 0 && result.stdout) {
+            return result.stdout;
+        }
+    }
+    catch { }
+    return null;
+}
+// Generate package URL (purl)
+function generatePurl(name, version, type) {
+    const typeMap = {
+        npm: 'npm',
+        pip: 'pypi',
+        go: 'golang',
+        cargo: 'cargo',
+        gem: 'gem',
+        composer: 'composer',
+        maven: 'maven'
+    };
+    const purlType = typeMap[type] || 'generic';
+    return `pkg:${purlType}/${encodeURIComponent(name)}@${encodeURIComponent(version)}`;
+}
+// Read package.json dependencies
+function readNpmDependencies(targetPath) {
+    const deps = [];
+    const pkgPath = join(targetPath, 'package.json');
+    const lockPath = join(targetPath, 'package-lock.json');
+    if (existsSync(lockPath)) {
+        try {
+            const lock = JSON.parse(readFileSync(lockPath, 'utf-8'));
+            const packages = lock.packages || {};
+            for (const [path, info] of Object.entries(packages)) {
+                if (path === '' || !path.includes('node_modules/'))
+                    continue;
+                const pkgInfo = info;
+                const name = path.replace(/^node_modules\//, '').replace(/.*node_modules\//, '');
+                if (name && pkgInfo.version) {
+                    deps.push({ name, version: pkgInfo.version });
+                }
+            }
+        }
+        catch { }
+    }
+    else if (existsSync(pkgPath)) {
+        try {
+            const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+            const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+            for (const [name, version] of Object.entries(allDeps)) {
+                deps.push({ name, version: String(version).replace(/^[\^~]/, '') });
+            }
+        }
+        catch { }
+    }
+    return deps;
+}
+// Read Python requirements
+function readPythonDependencies(targetPath) {
+    const deps = [];
+    const reqPath = join(targetPath, 'requirements.txt');
+    if (existsSync(reqPath)) {
+        try {
+            const content = readFileSync(reqPath, 'utf-8');
+            const lines = content.split('\n');
+            for (const line of lines) {
+                const trimmed = line.trim();
+                if (!trimmed || trimmed.startsWith('#'))
+                    continue;
+                const match = trimmed.match(/^([a-zA-Z0-9_-]+)[=<>~!]*=*([0-9.]+)?/);
+                if (match) {
+                    deps.push({
+                        name: match[1],
+                        version: match[2] || 'unknown'
+                    });
+                }
+            }
+        }
+        catch { }
+    }
+    return deps;
+}
+// Generate CycloneDX SBOM
+export function generateCycloneDX(targetPath, scanResult, options = { format: 'cyclonedx' }) {
+    // Try Syft first
+    const syftOutput = runSyft(targetPath, 'cyclonedx-json');
+    if (syftOutput) {
+        try {
+            const sbom = JSON.parse(syftOutput);
+            // Add vulnerabilities if we have scan results
+            if (options.includeVulnerabilities && scanResult) {
+                sbom.vulnerabilities = scanResult.packages
+                    .filter(p => p.vulnId)
+                    .map(p => ({
+                    id: p.vulnId,
+                    ratings: [{
+                            severity: p.severity,
+                            method: 'other'
+                        }],
+                    description: p.title,
+                    affects: [{
+                            ref: `pkg:npm/${p.name}@${p.version}`
+                        }]
+                }));
+            }
+            return sbom;
+        }
+        catch { }
+    }
+    // Manual generation
+    const components = [];
+    // Read NPM dependencies
+    const npmDeps = readNpmDependencies(targetPath);
+    for (const dep of npmDeps) {
+        components.push({
+            type: 'library',
+            name: dep.name,
+            version: dep.version,
+            purl: generatePurl(dep.name, dep.version, 'npm')
+        });
+    }
+    // Read Python dependencies
+    const pyDeps = readPythonDependencies(targetPath);
+    for (const dep of pyDeps) {
+        components.push({
+            type: 'library',
+            name: dep.name,
+            version: dep.version,
+            purl: generatePurl(dep.name, dep.version, 'pip')
+        });
+    }
+    // Create vulnerabilities from scan results
+    const vulnerabilities = [];
+    if (options.includeVulnerabilities && scanResult) {
+        for (const pkg of scanResult.packages) {
+            if (pkg.vulnId) {
+                vulnerabilities.push({
+                    id: pkg.vulnId,
+                    ratings: [{
+                            severity: pkg.severity,
+                            method: 'other'
+                        }],
+                    description: pkg.title,
+                    recommendation: pkg.fixedVersion ? `Upgrade to ${pkg.fixedVersion}` : undefined,
+                    affects: [{
+                            ref: components.find(c => c.name === pkg.name)?.purl || `pkg:generic/${pkg.name}@${pkg.version}`
+                        }]
+                });
+            }
+        }
+    }
+    const serialNumber = `urn:uuid:${crypto.randomUUID()}`;
+    return {
+        bomFormat: 'CycloneDX',
+        specVersion: '1.5',
+        serialNumber,
+        version: 1,
+        metadata: {
+            timestamp: new Date().toISOString(),
+            tools: [{
+                    vendor: 'AuraSecurity',
+                    name: 'aura-security',
+                    version: '0.2.0'
+                }],
+            component: {
+                type: 'application',
+                name: options.projectName || 'unknown',
+                version: options.projectVersion || '0.0.0'
+            }
+        },
+        components,
+        vulnerabilities: vulnerabilities.length > 0 ? vulnerabilities : undefined
+    };
+}
+// Generate SPDX SBOM
+export function generateSPDX(targetPath, scanResult, options = { format: 'spdx' }) {
+    // Try Syft first
+    const syftOutput = runSyft(targetPath, 'spdx-json');
+    if (syftOutput) {
+        try {
+            return JSON.parse(syftOutput);
+        }
+        catch { }
+    }
+    // Manual generation
+    const packages = [];
+    const relationships = [];
+    // Root package
+    const rootId = 'SPDXRef-Package-root';
+    packages.push({
+        SPDXID: rootId,
+        name: options.projectName || 'unknown',
+        versionInfo: options.projectVersion || '0.0.0',
+        downloadLocation: 'NOASSERTION',
+        filesAnalyzed: false,
+        licenseConcluded: 'NOASSERTION',
+        copyrightText: 'NOASSERTION'
+    });
+    relationships.push({
+        spdxElementId: 'SPDXRef-DOCUMENT',
+        relationshipType: 'DESCRIBES',
+        relatedSpdxElement: rootId
+    });
+    // NPM dependencies
+    const npmDeps = readNpmDependencies(targetPath);
+    for (let i = 0; i < npmDeps.length; i++) {
+        const dep = npmDeps[i];
+        const id = `SPDXRef-Package-npm-${i}`;
+        packages.push({
+            SPDXID: id,
+            name: dep.name,
+            versionInfo: dep.version,
+            downloadLocation: `https://www.npmjs.com/package/${dep.name}`,
+            filesAnalyzed: false,
+            licenseConcluded: 'NOASSERTION',
+            copyrightText: 'NOASSERTION',
+            externalRefs: [{
+                    referenceCategory: 'PACKAGE-MANAGER',
+                    referenceType: 'purl',
+                    referenceLocator: generatePurl(dep.name, dep.version, 'npm')
+                }]
+        });
+        relationships.push({
+            spdxElementId: rootId,
+            relationshipType: 'DEPENDS_ON',
+            relatedSpdxElement: id
+        });
+    }
+    // Python dependencies
+    const pyDeps = readPythonDependencies(targetPath);
+    for (let i = 0; i < pyDeps.length; i++) {
+        const dep = pyDeps[i];
+        const id = `SPDXRef-Package-pip-${i}`;
+        packages.push({
+            SPDXID: id,
+            name: dep.name,
+            versionInfo: dep.version,
+            downloadLocation: `https://pypi.org/project/${dep.name}/`,
+            filesAnalyzed: false,
+            licenseConcluded: 'NOASSERTION',
+            copyrightText: 'NOASSERTION',
+            externalRefs: [{
+                    referenceCategory: 'PACKAGE-MANAGER',
+                    referenceType: 'purl',
+                    referenceLocator: generatePurl(dep.name, dep.version, 'pip')
+                }]
+        });
+        relationships.push({
+            spdxElementId: rootId,
+            relationshipType: 'DEPENDS_ON',
+            relatedSpdxElement: id
+        });
+    }
+    const namespace = `https://spdx.org/spdxdocs/${options.projectName || 'project'}-${Date.now()}`;
+    return {
+        spdxVersion: 'SPDX-2.3',
+        dataLicense: 'CC0-1.0',
+        SPDXID: 'SPDXRef-DOCUMENT',
+        name: options.projectName || 'unknown',
+        documentNamespace: namespace,
+        creationInfo: {
+            created: new Date().toISOString(),
+            creators: ['Tool: aura-security-0.2.0'],
+            licenseListVersion: '3.19'
+        },
+        packages,
+        relationships
+    };
+}
+// Main SBOM generation function
+export function generateSBOM(targetPath, scanResult, options = { format: 'cyclonedx' }) {
+    if (options.format === 'spdx') {
+        return generateSPDX(targetPath, scanResult, options);
+    }
+    return generateCycloneDX(targetPath, scanResult, options);
+}