circle-ir-ai 1.1.0

package/dist/security-scan/scanner.js

@@ -0,0 +1,693 @@
+/**
+ * Continuous Security Scanner
+ *
+ * Provides automated security scanning for repositories with:
+ * - Git clone → file walker → Circle-IR analysis pipeline
+ * - OWASP Top 10 category mapping
+ * - Summary report with severity, location, confidence
+ * - Trend tracking (store results, compare across runs)
+ */
+import * as fs from 'fs';
+import * as path from 'path';
+import { execSync } from 'child_process';
+import { initAnalyzer, isAnalyzerInitialized, analyze, generateFindings, } from 'circle-ir';
+import { getOWASPMapping } from './owasp-mapping.js';
+// ============================================================================
+// Scanner Implementation
+// ============================================================================
+export class SecurityScanner {
+    workDir;
+    verbose;
+    onProgress;
+    constructor() {
+        this.workDir = '';
+        this.verbose = false;
+    }
+    /**
+     * Run a security scan on a repository or local path.
+     */
+    async scan(options) {
+        const startTime = Date.now();
+        this.verbose = options.verbose ?? false;
+        this.onProgress = options.onProgress;
+        // Ensure analyzer is initialized
+        if (!isAnalyzerInitialized()) {
+            await initAnalyzer();
+        }
+        // Phase 1: Clone or locate repository
+        this.reportProgress({ phase: 'clone', filesProcessed: 0, totalFiles: 0, findingsCount: 0 });
+        const repoPath = await this.prepareRepository(options);
+        // Phase 2: Discover files
+        this.reportProgress({ phase: 'discover', filesProcessed: 0, totalFiles: 0, findingsCount: 0 });
+        const files = this.discoverFiles(repoPath, options);
+        // Phase 3: Analyze files
+        this.reportProgress({ phase: 'analyze', filesProcessed: 0, totalFiles: files.length, findingsCount: 0 });
+        const fileResults = await this.analyzeFiles(files, options);
+        // Phase 4: Generate report
+        this.reportProgress({ phase: 'report', filesProcessed: files.length, totalFiles: files.length, findingsCount: 0 });
+        const result = this.generateReport(fileResults, options, startTime);
+        // Save report if output directory specified
+        if (options.outputDir) {
+            await this.saveReport(result, options.outputDir);
+        }
+        return result;
+    }
+    /**
+     * Prepare repository for scanning.
+     */
+    async prepareRepository(options) {
+        const { target, branch, commit } = options;
+        // Check if target is a URL (Git clone needed)
+        if (target.startsWith('http://') || target.startsWith('https://') || target.startsWith('git@')) {
+            return this.cloneRepository(target, branch, commit);
+        }
+        // Target is a local path
+        if (!fs.existsSync(target)) {
+            throw new Error(`Target path does not exist: ${target}`);
+        }
+        return path.resolve(target);
+    }
+    /**
+     * Clone a Git repository.
+     */
+    cloneRepository(url, branch, commit) {
+        // Create temp directory for clone
+        const tmpDir = fs.mkdtempSync(path.join('/tmp', 'circle-scan-'));
+        this.workDir = tmpDir;
+        if (this.verbose) {
+            console.log(`Cloning ${url} to ${tmpDir}...`);
+        }
+        try {
+            // Clone with shallow depth for speed
+            const branchArg = branch ? `--branch ${branch}` : '';
+            execSync(`git clone --depth 1 ${branchArg} "${url}" "${tmpDir}"`, {
+                stdio: this.verbose ? 'inherit' : 'pipe',
+            });
+            // Checkout specific commit if specified
+            if (commit) {
+                execSync(`git -C "${tmpDir}" fetch --depth 1 origin ${commit}`, {
+                    stdio: this.verbose ? 'inherit' : 'pipe',
+                });
+                execSync(`git -C "${tmpDir}" checkout ${commit}`, {
+                    stdio: this.verbose ? 'inherit' : 'pipe',
+                });
+            }
+            return tmpDir;
+        }
+        catch (error) {
+            // Clean up on error
+            fs.rmSync(tmpDir, { recursive: true, force: true });
+            throw new Error(`Failed to clone repository: ${error}`);
+        }
+    }
+    /**
+     * Discover files to scan.
+     */
+    discoverFiles(repoPath, options) {
+        const { languages, maxFiles = 1000, includePatterns, excludePatterns, } = options;
+        const files = [];
+        const defaultExcludes = [
+            '**/node_modules/**',
+            '**/vendor/**',
+            '**/target/**',
+            '**/build/**',
+            '**/dist/**',
+            '**/.git/**',
+            '**/test/**',
+            '**/tests/**',
+            '**/__tests__/**',
+            '**/*.test.*',
+            '**/*.spec.*',
+            '**/.*',
+        ];
+        const excludes = [...defaultExcludes, ...(excludePatterns || [])];
+        const languageExtensions = {
+            java: ['.java'],
+            c: ['.c', '.h'],
+            cpp: ['.cpp', '.cc', '.cxx', '.hpp', '.hxx'],
+            javascript: ['.js', '.jsx', '.mjs', '.cjs'],
+            typescript: ['.ts', '.tsx', '.mts', '.cts'],
+            python: ['.py'],
+            rust: ['.rs'],
+        };
+        // Determine which extensions to look for
+        let extensions = [];
+        if (languages && languages.length > 0) {
+            for (const lang of languages) {
+                extensions.push(...(languageExtensions[lang] || []));
+            }
+        }
+        else {
+            // Auto-detect: include all supported languages
+            extensions = Object.values(languageExtensions).flat();
+        }
+        // Walk directory tree
+        const walk = (dir, depth = 0) => {
+            if (depth > 30 || files.length >= maxFiles)
+                return;
+            try {
+                const entries = fs.readdirSync(dir, { withFileTypes: true });
+                for (const entry of entries) {
+                    if (files.length >= maxFiles)
+                        break;
+                    const fullPath = path.join(dir, entry.name);
+                    const relativePath = path.relative(repoPath, fullPath);
+                    // Check excludes
+                    if (this.matchesPattern(relativePath, excludes)) {
+                        continue;
+                    }
+                    if (entry.isDirectory()) {
+                        walk(fullPath, depth + 1);
+                    }
+                    else if (entry.isFile()) {
+                        // Check extension
+                        const ext = path.extname(entry.name).toLowerCase();
+                        if (!extensions.includes(ext))
+                            continue;
+                        // Check includes if specified
+                        if (includePatterns && includePatterns.length > 0) {
+                            if (!this.matchesPattern(relativePath, includePatterns)) {
+                                continue;
+                            }
+                        }
+                        files.push(fullPath);
+                    }
+                }
+            }
+            catch {
+                // Skip directories we can't read
+            }
+        };
+        walk(repoPath);
+        if (this.verbose) {
+            console.log(`Discovered ${files.length} files to scan`);
+        }
+        return files;
+    }
+    /**
+     * Check if a path matches any of the given glob patterns.
+     */
+    matchesPattern(filePath, patterns) {
+        const normalizedPath = filePath.replace(/\\/g, '/');
+        for (const pattern of patterns) {
+            // Simple glob matching (supports * and **)
+            const regex = pattern
+                .replace(/\*\*/g, '{{DOUBLESTAR}}')
+                .replace(/\*/g, '[^/]*')
+                .replace(/{{DOUBLESTAR}}/g, '.*')
+                .replace(/\?/g, '.');
+            if (new RegExp(`^${regex}$`).test(normalizedPath)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Analyze files.
+     */
+    async analyzeFiles(files, options) {
+        const { parallel = true, maxConcurrency = 10, minSeverity = 'low' } = options;
+        const results = [];
+        let filesProcessed = 0;
+        let totalFindings = 0;
+        const repoPath = this.workDir || path.dirname(files[0] || '');
+        if (parallel) {
+            // Parallel analysis
+            const queue = [...files];
+            const workers = [];
+            for (let i = 0; i < Math.min(maxConcurrency, files.length); i++) {
+                workers.push((async () => {
+                    while (queue.length > 0) {
+                        const file = queue.shift();
+                        if (!file)
+                            break;
+                        const result = await this.analyzeFile(file, repoPath, minSeverity);
+                        results.push(result);
+                        filesProcessed++;
+                        totalFindings += result.findings.length;
+                        this.reportProgress({
+                            phase: 'analyze',
+                            currentFile: result.path,
+                            filesProcessed,
+                            totalFiles: files.length,
+                            findingsCount: totalFindings,
+                        });
+                    }
+                })());
+            }
+            await Promise.all(workers);
+        }
+        else {
+            // Sequential analysis
+            for (const file of files) {
+                const result = await this.analyzeFile(file, repoPath, minSeverity);
+                results.push(result);
+                filesProcessed++;
+                totalFindings += result.findings.length;
+                this.reportProgress({
+                    phase: 'analyze',
+                    currentFile: result.path,
+                    filesProcessed,
+                    totalFiles: files.length,
+                    findingsCount: totalFindings,
+                });
+            }
+        }
+        return results;
+    }
+    /**
+     * Analyze a single file.
+     */
+    async analyzeFile(filePath, repoPath, minSeverity) {
+        const startTime = Date.now();
+        const relativePath = path.relative(repoPath, filePath);
+        const language = this.detectLanguage(filePath);
+        const findings = [];
+        try {
+            const content = fs.readFileSync(filePath, 'utf-8');
+            const ir = await analyze(content, path.basename(filePath), language);
+            // Generate findings from taint analysis
+            const irFindings = generateFindings(ir.taint.sources, ir.taint.sinks, ir.dfg, path.basename(filePath));
+            // Convert findings to ScanFinding with OWASP mapping
+            for (const finding of irFindings) {
+                // Filter by severity
+                if (!this.meetsMinSeverity(finding.severity, minSeverity)) {
+                    continue;
+                }
+                const owasp = getOWASPMapping(finding.cwe);
+                findings.push({
+                    ...finding,
+                    owasp,
+                    filePath: relativePath,
+                });
+            }
+            return {
+                path: relativePath,
+                language,
+                loc: ir.meta.loc,
+                findings,
+                analysisTimeMs: Date.now() - startTime,
+            };
+        }
+        catch (error) {
+            if (this.verbose) {
+                console.error(`Error analyzing ${relativePath}: ${error}`);
+            }
+            return {
+                path: relativePath,
+                language,
+                loc: 0,
+                findings: [],
+                analysisTimeMs: Date.now() - startTime,
+            };
+        }
+    }
+    /**
+     * Detect language from file extension.
+     */
+    detectLanguage(filePath) {
+        const ext = path.extname(filePath).toLowerCase();
+        switch (ext) {
+            case '.java':
+                return 'java';
+            case '.c':
+            case '.h':
+                return 'c';
+            case '.cpp':
+            case '.cc':
+            case '.cxx':
+            case '.hpp':
+            case '.hxx':
+                return 'cpp';
+            case '.js':
+            case '.jsx':
+            case '.mjs':
+            case '.cjs':
+                return 'javascript';
+            case '.ts':
+            case '.tsx':
+            case '.mts':
+            case '.cts':
+                return 'typescript';
+            case '.py':
+                return 'python';
+            case '.rs':
+                return 'rust';
+            default:
+                return 'java';
+        }
+    }
+    /**
+     * Check if severity meets minimum threshold.
+     */
+    meetsMinSeverity(severity, minSeverity) {
+        const severityOrder = { critical: 4, high: 3, medium: 2, low: 1 };
+        const actualLevel = severityOrder[severity] || 0;
+        const minLevel = severityOrder[minSeverity];
+        return actualLevel >= minLevel;
+    }
+    /**
+     * Generate scan report.
+     */
+    generateReport(fileResults, options, startTime) {
+        // Collect all findings
+        const allFindings = [];
+        for (const file of fileResults) {
+            allFindings.push(...file.findings);
+        }
+        // Group by OWASP category
+        const byOWASP = {};
+        for (const finding of allFindings) {
+            const category = finding.owasp.category;
+            if (!byOWASP[category]) {
+                byOWASP[category] = {
+                    count: 0,
+                    critical: 0,
+                    high: 0,
+                    medium: 0,
+                    low: 0,
+                    findings: [],
+                };
+            }
+            byOWASP[category].count++;
+            byOWASP[category][finding.severity]++;
+            byOWASP[category].findings.push(finding);
+        }
+        // Calculate summary
+        const bySeverity = { critical: 0, high: 0, medium: 0, low: 0 };
+        const byType = {};
+        for (const finding of allFindings) {
+            bySeverity[finding.severity]++;
+            byType[finding.type] = (byType[finding.type] || 0) + 1;
+        }
+        // Find top vulnerable files
+        const fileVulnCounts = fileResults
+            .map((f) => ({ file: f.path, count: f.findings.length }))
+            .filter((f) => f.count > 0)
+            .sort((a, b) => b.count - a.count)
+            .slice(0, 5);
+        const totalLOC = fileResults.reduce((sum, f) => sum + f.loc, 0);
+        // Get commit info if available
+        let commit;
+        let branch;
+        if (this.workDir && fs.existsSync(path.join(this.workDir, '.git'))) {
+            try {
+                commit = execSync(`git -C "${this.workDir}" rev-parse HEAD`, { encoding: 'utf-8' }).trim();
+                branch = execSync(`git -C "${this.workDir}" rev-parse --abbrev-ref HEAD`, { encoding: 'utf-8' }).trim();
+            }
+            catch {
+                // Ignore git errors
+            }
+        }
+        return {
+            meta: {
+                target: options.target,
+                branch: options.branch || branch,
+                commit: options.commit || commit,
+                timestamp: new Date().toISOString(),
+                durationMs: Date.now() - startTime,
+                version: '1.0.0', // TODO: Get from package.json
+            },
+            findings: allFindings,
+            byOWASP,
+            summary: {
+                totalFiles: fileResults.length,
+                totalLOC,
+                totalFindings: allFindings.length,
+                bySeverity,
+                byType,
+                topVulnerableFiles: fileVulnCounts,
+            },
+            files: fileResults,
+        };
+    }
+    /**
+     * Save report to output directory.
+     */
+    async saveReport(result, outputDir) {
+        // Ensure output directory exists
+        fs.mkdirSync(outputDir, { recursive: true });
+        const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+        // Save JSON report
+        const jsonPath = path.join(outputDir, `scan-${timestamp}.json`);
+        fs.writeFileSync(jsonPath, JSON.stringify(result, null, 2));
+        // Save SARIF report
+        const sarifPath = path.join(outputDir, `scan-${timestamp}.sarif`);
+        fs.writeFileSync(sarifPath, JSON.stringify(this.toSARIF(result), null, 2));
+        // Save summary report
+        const summaryPath = path.join(outputDir, `scan-${timestamp}.txt`);
+        fs.writeFileSync(summaryPath, this.toTextSummary(result));
+        if (this.verbose) {
+            console.log(`Reports saved to ${outputDir}`);
+        }
+    }
+    /**
+     * Convert result to SARIF format.
+     */
+    toSARIF(result) {
+        return {
+            $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+            version: '2.1.0',
+            runs: [
+                {
+                    tool: {
+                        driver: {
+                            name: 'Circle-IR',
+                            version: result.meta.version,
+                            informationUri: 'https://github.com/cognium/circle-ir',
+                            rules: Object.entries(result.summary.byType).map(([type, _count]) => ({
+                                id: type,
+                                name: type.replace(/_/g, ' ').replace(/\b\w/g, (c) => c.toUpperCase()),
+                                helpUri: `https://cwe.mitre.org/data/definitions/${type}.html`,
+                            })),
+                        },
+                    },
+                    results: result.findings.map((f) => ({
+                        ruleId: f.type,
+                        level: f.severity === 'critical' || f.severity === 'high' ? 'error' : 'warning',
+                        message: {
+                            text: f.explanation || `${f.type} vulnerability detected`,
+                        },
+                        locations: [
+                            {
+                                physicalLocation: {
+                                    artifactLocation: {
+                                        uri: f.filePath,
+                                    },
+                                    region: {
+                                        startLine: f.sink?.line || f.source?.line || 1,
+                                    },
+                                },
+                            },
+                        ],
+                        properties: {
+                            cwe: f.cwe,
+                            owasp: f.owasp.category,
+                            severity: f.severity,
+                            confidence: f.confidence,
+                        },
+                    })),
+                },
+            ],
+        };
+    }
+    /**
+     * Convert result to text summary.
+     */
+    toTextSummary(result) {
+        const lines = [
+            '='.repeat(70),
+            'SECURITY SCAN REPORT',
+            '='.repeat(70),
+            '',
+            `Target: ${result.meta.target}`,
+            `Branch: ${result.meta.branch || 'N/A'}`,
+            `Commit: ${result.meta.commit || 'N/A'}`,
+            `Timestamp: ${result.meta.timestamp}`,
+            `Duration: ${(result.meta.durationMs / 1000).toFixed(2)}s`,
+            '',
+            '-'.repeat(70),
+            'SUMMARY',
+            '-'.repeat(70),
+            '',
+            `Files Scanned: ${result.summary.totalFiles}`,
+            `Lines of Code: ${result.summary.totalLOC.toLocaleString()}`,
+            `Total Findings: ${result.summary.totalFindings}`,
+            '',
+            'Severity Breakdown:',
+            `  Critical: ${result.summary.bySeverity.critical}`,
+            `  High:     ${result.summary.bySeverity.high}`,
+            `  Medium:   ${result.summary.bySeverity.medium}`,
+            `  Low:      ${result.summary.bySeverity.low}`,
+            '',
+            '-'.repeat(70),
+            'OWASP TOP 10 BREAKDOWN',
+            '-'.repeat(70),
+            '',
+        ];
+        // Sort OWASP categories by rank
+        const sortedOWASP = Object.entries(result.byOWASP)
+            .sort(([, a], [, b]) => b.count - a.count);
+        for (const [category, data] of sortedOWASP) {
+            if (data.count === 0)
+                continue;
+            lines.push(`${category}: ${data.count} findings`);
+            lines.push(`  Critical: ${data.critical}, High: ${data.high}, Medium: ${data.medium}, Low: ${data.low}`);
+            lines.push('');
+        }
+        if (result.summary.topVulnerableFiles.length > 0) {
+            lines.push('-'.repeat(70));
+            lines.push('TOP VULNERABLE FILES');
+            lines.push('-'.repeat(70));
+            lines.push('');
+            for (const file of result.summary.topVulnerableFiles) {
+                lines.push(`  ${file.file}: ${file.count} findings`);
+            }
+            lines.push('');
+        }
+        lines.push('='.repeat(70));
+        return lines.join('\n');
+    }
+    /**
+     * Report progress.
+     */
+    reportProgress(progress) {
+        if (this.onProgress) {
+            this.onProgress(progress);
+        }
+        if (this.verbose) {
+            const { phase, currentFile, filesProcessed, totalFiles, findingsCount } = progress;
+            if (currentFile) {
+                console.log(`[${phase}] ${filesProcessed}/${totalFiles} - ${currentFile} (${findingsCount} findings)`);
+            }
+            else {
+                console.log(`[${phase}] ${filesProcessed}/${totalFiles}`);
+            }
+        }
+    }
+    /**
+     * Clean up temporary files.
+     */
+    cleanup() {
+        if (this.workDir && fs.existsSync(this.workDir)) {
+            fs.rmSync(this.workDir, { recursive: true, force: true });
+            this.workDir = '';
+        }
+    }
+}
+// ============================================================================
+// Convenience Functions
+// ============================================================================
+/**
+ * Run a security scan on a repository or local path.
+ */
+export async function scanRepository(options) {
+    const scanner = new SecurityScanner();
+    try {
+        return await scanner.scan(options);
+    }
+    finally {
+        scanner.cleanup();
+    }
+}
+/**
+ * Scan a local directory.
+ */
+export async function scanDirectory(directory, options) {
+    return scanRepository({ target: directory, ...options });
+}
+/**
+ * Quick scan with default options.
+ */
+export async function quickScan(target) {
+    return scanRepository({
+        target,
+        parallel: true,
+        maxConcurrency: 10,
+        minSeverity: 'medium',
+    });
+}
+/**
+ * Format scan result as a human-readable report.
+ */
+export function formatScanReport(result) {
+    const lines = [];
+    lines.push('═'.repeat(60));
+    lines.push('SECURITY SCAN REPORT');
+    lines.push('═'.repeat(60));
+    lines.push('');
+    lines.push(`Target: ${result.meta.target}`);
+    lines.push(`Timestamp: ${result.meta.timestamp}`);
+    lines.push(`Duration: ${(result.meta.durationMs / 1000).toFixed(2)}s`);
+    lines.push('');
+    // Summary
+    lines.push('─'.repeat(40));
+    lines.push('SUMMARY');
+    lines.push('─'.repeat(40));
+    lines.push(`Files scanned: ${result.summary.totalFiles}`);
+    lines.push(`Lines of code: ${result.summary.totalLOC.toLocaleString()}`);
+    lines.push(`Total findings: ${result.summary.totalFindings}`);
+    lines.push('');
+    // By severity
+    lines.push('By Severity:');
+    const { bySeverity } = result.summary;
+    if (bySeverity.critical > 0)
+        lines.push(`  🔴 Critical: ${bySeverity.critical}`);
+    if (bySeverity.high > 0)
+        lines.push(`  🟠 High: ${bySeverity.high}`);
+    if (bySeverity.medium > 0)
+        lines.push(`  🟡 Medium: ${bySeverity.medium}`);
+    if (bySeverity.low > 0)
+        lines.push(`  🟢 Low: ${bySeverity.low}`);
+    lines.push('');
+    // OWASP Top 10
+    const owaspEntries = Object.entries(result.byOWASP).filter(([_, v]) => v.count > 0);
+    if (owaspEntries.length > 0) {
+        lines.push('─'.repeat(40));
+        lines.push('OWASP TOP 10');
+        lines.push('─'.repeat(40));
+        for (const [category, data] of owaspEntries.sort((a, b) => b[1].count - a[1].count)) {
+            lines.push(`${category}: ${data.count} findings`);
+            if (data.critical > 0)
+                lines.push(`  Critical: ${data.critical}`);
+            if (data.high > 0)
+                lines.push(`  High: ${data.high}`);
+            if (data.medium > 0)
+                lines.push(`  Medium: ${data.medium}`);
+        }
+        lines.push('');
+    }
+    // Top vulnerable files
+    if (result.summary.topVulnerableFiles.length > 0) {
+        lines.push('─'.repeat(40));
+        lines.push('TOP VULNERABLE FILES');
+        lines.push('─'.repeat(40));
+        for (const file of result.summary.topVulnerableFiles.slice(0, 5)) {
+            lines.push(`  ${file.file}: ${file.count} findings`);
+        }
+        lines.push('');
+    }
+    // Detailed findings
+    if (result.findings.length > 0) {
+        lines.push('─'.repeat(40));
+        lines.push('FINDINGS');
+        lines.push('─'.repeat(40));
+        for (const finding of result.findings.slice(0, 20)) {
+            const sev = finding.severity?.toUpperCase() || 'INFO';
+            const icon = sev === 'CRITICAL' ? '🔴' : sev === 'HIGH' ? '🟠' : sev === 'MEDIUM' ? '🟡' : '🟢';
+            lines.push(`${icon} [${finding.cwe || 'N/A'}] ${finding.type}`);
+            lines.push(`   File: ${finding.filePath}:${finding.source?.line || '?'}`);
+            if (finding.explanation) {
+                lines.push(`   ${finding.explanation.substring(0, 80)}${finding.explanation.length > 80 ? '...' : ''}`);
+            }
+            lines.push('');
+        }
+        if (result.findings.length > 20) {
+            lines.push(`... and ${result.findings.length - 20} more findings`);
+            lines.push('');
+        }
+    }
+    lines.push('═'.repeat(60));
+    return lines.join('\n');
+}
+//# sourceMappingURL=scanner.js.map