codeprobe-scanner 1.0.0

package/demo-vulnerable-app/.github/workflows/codeprobe.yml

@@ -0,0 +1,32 @@
+name: CodeProbe Demo - Security Scan
+
+on: [push, pull_request]
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v1
+
+      - name: Install CodeProbe
+        run: |
+          cd ..
+          bun install
+
+      - name: Run CodeProbe scan
+        run: |
+          cd ..
+          bun run src/cli/index.ts scan ./demo-vulnerable-app --json
+        env:
+          BRIGHT_DATA_API_KEY: ${{ secrets.BRIGHT_DATA_API_KEY }}
+          DAYTONA_API_KEY: ${{ secrets.DAYTONA_API_KEY }}
+
+      - name: Check for exploitable vulnerabilities
+        run: |
+          cd ..
+          bun run src/cli/index.ts scan ./demo-vulnerable-app --json | grep -q '"exploitable": true' && echo "✅ Vulnerability verified" || echo "⚠️ No exploitable vulnerabilities found"

package/demo-vulnerable-app/README.md

@@ -0,0 +1,70 @@
+# CodeProbe Demo: Vulnerable Node.js App
+
+This is a deliberately vulnerable Node.js application used to demonstrate CodeProbe's exploit verification capabilities.
+
+## Vulnerabilities
+
+### CVE-2022-29078: EJS Template Injection RCE
+
+**Affected Package:** `ejs@3.1.6`  
+**Severity:** CRITICAL (CVSS 9.8)  
+**Issue:** The EJS template engine allows template injection attacks that lead to arbitrary code execution.
+
+**How it's vulnerable:**
+- Line in `server.js`: `ejs.render(req.query.template, ...)`
+- User can inject malicious EJS template expressions
+- Server executes arbitrary JavaScript code
+
+**Exploit:**
+```bash
+curl "http://localhost:3000/?template=<%= require('child_process').execSync('whoami') %>"
+```
+
+**Fix:** Upgrade `ejs` to version 3.1.7 or higher.
+
+## Running the Demo App
+
+```bash
+cd demo-vulnerable-app
+npm install
+npm start
+```
+
+The app listens on `http://localhost:3000`.
+
+## Using CodeProbe to Scan
+
+```bash
+# From the codeprobe root directory:
+bun run src/cli/index.ts scan ./demo-vulnerable-app
+
+# Or with JSON output:
+bun run src/cli/index.ts scan ./demo-vulnerable-app --json
+```
+
+## Expected Output
+
+CodeProbe will:
+1. **Parse dependencies** — Extract EJS 3.1.6 from package.json
+2. **Scrape CVE data** — Find CVE-2022-29078 in NVD (via Bright Data)
+3. **Match versions** — Detect that EJS 3.1.6 is vulnerable
+4. **Verify in sandbox** — Spawn a Daytona container and execute the PoC exploit
+5. **Generate patch** — Create a patch to upgrade EJS to 3.1.7
+6. **Report findings** — Display "CONFIRMED EXPLOITABLE" with business impact ($4.9M breach cost)
+
+## Why This Demo?
+
+- **Realistic vulnerability**: EJS template injection is a real, widely-exploited vulnerability
+- **Node.js native**: Works in isolated containers without external dependencies
+- **Clear proof**: Exploit evidence is captured in sandbox logs
+- **Fast verification**: Exploit runs in < 2 seconds
+
+## Files
+
+- `package.json` — Intentionally pinned to vulnerable EJS 3.1.6
+- `server.js` — Express server with template injection vulnerability
+- `.github/workflows/codeprobe.yml` — CI/CD integration example
+
+## Disclaimer
+
+This app is for **security research and education only**. Do not use in production or with untrusted code.

package/demo-vulnerable-app/package-lock.json

@@ -0,0 +1,27 @@
+{
+  "name": "demo-vulnerable-app",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "demo-vulnerable-app",
+      "version": "1.0.0",
+      "dependencies": {
+        "express": "^4.18.2",
+        "ejs": "3.1.6"
+      }
+    },
+    "node_modules/express": {
+      "version": "4.18.2",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz"
+    },
+    "node_modules/ejs": {
+      "version": "3.1.6",
+      "resolved": "https://registry.npmjs.org/ejs/-/ejs-3.1.6.tgz",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    }
+  }
+}

package/demo-vulnerable-app/package.json

@@ -0,0 +1,15 @@
+{
+  "name": "demo-vulnerable-app",
+  "version": "1.0.0",
+  "description": "Demo application with intentional vulnerability for CodeProbe testing",
+  "main": "server.js",
+  "scripts": {
+    "start": "node server.js",
+    "test": "bun test"
+  },
+  "dependencies": {
+    "express": "^4.18.2",
+    "ejs": "3.1.6"
+  },
+  "devDependencies": {}
+}

package/demo-vulnerable-app/server.js

@@ -0,0 +1,34 @@
+const express = require("express");
+const ejs = require("ejs");
+const app = express();
+
+app.use(express.urlencoded({ extended: false }));
+
+// Vulnerable endpoint: directly renders user input as template
+app.get("/render", (req, res) => {
+  const template = req.query.template || "Hello <%= name %>";
+
+  try {
+    // VULNERABLE: ejs.render() executes arbitrary code in templates
+    // An attacker can inject: <%= require('child_process').execSync('id') %>
+    const result = ejs.render(template, { name: "World" });
+    res.send(`<pre>${result}</pre>`);
+  } catch (error) {
+    res.status(500).send(`<pre>Error: ${error.message}</pre>`);
+  }
+});
+
+app.get("/", (req, res) => {
+  res.send(`
+    <h1>CodeProbe Demo - EJS Template Injection</h1>
+    <p>This app uses EJS ${require("ejs/package.json").version}</p>
+    <p>Visit: <a href="/render?template=&lt;%= 'VULNERABLE' %>">/render</a> to test</p>
+    <p>Or send a template parameter to exploit</p>
+  `);
+});
+
+const port = 3000;
+app.listen(port, () => {
+  console.log(`Demo app listening on http://localhost:${port}`);
+  console.log(`Vulnerable ejs version: ${require("ejs/package.json").version}`);
+});

package/demo.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+set -e
+
+echo "=== CodeProbe Demo Script ==="
+echo ""
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Check if bun is installed
+if ! command -v bun &> /dev/null; then
+    echo -e "${RED}Error: bun is not installed${NC}"
+    exit 1
+fi
+
+echo -e "${BLUE}1. Clearing previous scans...${NC}"
+rm -rf ~/.codeprobe/scans/*
+echo -e "${GREEN}✓ Scans cleared${NC}"
+echo ""
+
+echo -e "${BLUE}2. Running scan...${NC}"
+time bun run src/cli/index.ts scan .
+echo -e "${GREEN}✓ Scan complete${NC}"
+echo ""
+
+echo -e "${BLUE}3. Displaying report...${NC}"
+bun run src/cli/index.ts report
+echo ""
+
+echo -e "${BLUE}4. Testing with --json flag...${NC}"
+bun run src/cli/index.ts scan . --json | head -20
+echo "..."
+echo ""
+
+echo -e "${GREEN}✅ Demo successful!${NC}"
+echo ""
+echo -e "${YELLOW}Next steps:${NC}"
+echo "  • Run scan with fix: bun run src/cli/index.ts scan . --fix"
+echo "  • View config: bun run src/cli/index.ts config get"
+echo "  • Set API key: bun run src/cli/index.ts config set bright_data_api_key <key>"
+echo ""

package/index.ts

@@ -0,0 +1,19 @@
+import { createEngine } from "./src/engine/index";
+
+const engine = createEngine();
+const repoPath = process.argv[2] || "./demo-vulnerable-app";
+
+console.log(`\n⚡ CodeProbe v1.0.0`);
+console.log(`Scanning repository: ${repoPath}\n`);
+
+try {
+  const report = await engine.scan(repoPath);
+  const formatted = (await import("./src/engine/report")).createReportBuilder().formatForTerminal(report);
+  console.log(formatted);
+
+  // Exit with appropriate code
+  process.exit(report.summary.exploitable_count > 0 ? 1 : 0);
+} catch (error) {
+  console.error("❌ Scan failed:", error instanceof Error ? error.message : String(error));
+  process.exit(2);
+}

package/package.json

@@ -0,0 +1,28 @@
+{
+  "name": "codeprobe-scanner",
+  "version": "1.0.0",
+  "description": "Automated vulnerability scanner with exploit verification and video evidence",
+  "type": "module",
+  "bin": {
+    "codeprobe": "bin/install-and-run.sh"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "setup": "bin/install-and-run.sh"
+  },
+  "dependencies": {
+    "@daytona/sdk": "^0.187.0",
+    "axios": "^1.6.5",
+    "chalk": "^5.3.0",
+    "cli-table3": "^0.6.3",
+    "dayjs": "^1.11.10",
+    "ora": "^8.0.1",
+    "react": "^18.2.0",
+    "react-dom": "^18.2.0",
+    "tailwindcss": "^3.3.0",
+    "videodb": "^0.2.7",
+    "zod": "^3.22.4"
+  }
+}

package/patches.json

@@ -0,0 +1,12 @@
+[
+  {
+    "cve_id": "CVE-2022-29078",
+    "package": "ejs",
+    "from_version": "3.1.0",
+    "to_version": "3.1.7",
+    "description": "Fixes template injection RCE vulnerability by sanitizing template inputs",
+    "diff": "--- a/package.json\n+++ b/package.json\n@@ -5,1 +5,1 @@\n-  \"ejs\": \"3.1.6\"\n+  \"ejs\": \"3.1.7\"\n--- a/package-lock.json\n+++ b/package-lock.json\n@@ -10,1 +10,1 @@\n-      \"version\": \"3.1.6\",\n+      \"version\": \"3.1.7\",",
+    "severity": "CRITICAL",
+    "cvss": 9.8
+  }
+]

package/serve-dashboard.ts

@@ -0,0 +1,23 @@
+import { serve } from "bun";
+import path from "path";
+
+const distDir = "dist";
+
+export default serve({
+  port: 5173,
+  fetch(req) {
+    const url = new URL(req.url);
+    let filePath = url.pathname;
+
+    if (filePath === "/" || filePath === "") {
+      filePath = "index.html";
+    }
+
+    const file = Bun.file(path.join(distDir, filePath));
+    return file.exists().then(() => new Response(file));
+  },
+});
+
+console.log("🎨 Dashboard serving on http://localhost:5173");
+console.log("📡 API on http://localhost:3000");
+console.log("📂 Serving: dist/");

package/src/api/server-cli.ts

@@ -0,0 +1,270 @@
+import { createEngine } from "../engine/index";
+import { Report } from "../shared/types";
+
+// Environment validation
+const GOOGLE_CLOUD_URL = process.env.GOOGLE_CLOUD_URL;
+const API_SECRET_TOKEN = process.env.API_SECRET_TOKEN;
+const PORT = parseInt(process.env.PORT || "8080");
+const NODE_ENV = process.env.NODE_ENV || "development";
+
+// Validate required environment variables
+if (NODE_ENV === "production") {
+  if (!GOOGLE_CLOUD_URL) {
+    throw new Error(
+      "GOOGLE_CLOUD_URL environment variable is required in production"
+    );
+  }
+  if (!API_SECRET_TOKEN) {
+    throw new Error(
+      "API_SECRET_TOKEN environment variable is required in production"
+    );
+  }
+}
+
+// Rate limiting: max 5 requests per minute per IP
+interface RateLimitEntry {
+  count: number;
+  resetTime: number;
+}
+
+const rateLimitMap = new Map<string, RateLimitEntry>();
+const RATE_LIMIT_WINDOW = 60 * 1000; // 1 minute
+const RATE_LIMIT_MAX = 5;
+
+function getClientIP(req: Request): string {
+  const forwarded = req.headers.get("x-forwarded-for");
+  if (forwarded) {
+    return forwarded.split(",")[0].trim();
+  }
+  // In production on Google Cloud, you should rely on x-forwarded-for
+  // For local testing, use localhost
+  return req.headers.get("cf-connecting-ip") || "127.0.0.1";
+}
+
+function checkRateLimit(ip: string): { allowed: boolean; remaining: number } {
+  const now = Date.now();
+  const entry = rateLimitMap.get(ip);
+
+  if (!entry || now > entry.resetTime) {
+    // Window expired, create new entry
+    rateLimitMap.set(ip, { count: 1, resetTime: now + RATE_LIMIT_WINDOW });
+    return { allowed: true, remaining: RATE_LIMIT_MAX - 1 };
+  }
+
+  if (entry.count >= RATE_LIMIT_MAX) {
+    return { allowed: false, remaining: 0 };
+  }
+
+  entry.count++;
+  return { allowed: true, remaining: RATE_LIMIT_MAX - entry.count };
+}
+
+// Type for scan request
+interface ScanRequest {
+  dependencies?: Array<{ name: string; version: string }>;
+  repoPath?: string;
+}
+
+interface ScanResponse {
+  success: boolean;
+  data?: Report;
+  error?: string;
+  riskScore?: number;
+  executiveSummary?: {
+    totalCVEs: number;
+    exploitableCVEs: number;
+    theoreticalCVEs: number;
+    scanDurationMs: number;
+    timestamp: string;
+  };
+}
+
+async function handleScan(
+  req: Request,
+  ip: string
+): Promise<Response> {
+  try {
+    // Parse request body
+    const body = await req.json() as ScanRequest;
+
+    // Validate request
+    if (!body.repoPath && (!body.dependencies || body.dependencies.length === 0)) {
+      return new Response(
+        JSON.stringify({
+          success: false,
+          error:
+            "Request must include either repoPath or dependencies array",
+        }),
+        {
+          status: 400,
+          headers: { "Content-Type": "application/json" },
+        }
+      );
+    }
+
+    const repoPath = body.repoPath || process.cwd();
+
+    // Log sponsor branding
+    console.log("[Bright Data] Scraping CVE data from NVD, Exploit-DB, Snyk...");
+    console.log("[Daytona] Sandboxing exploits for verification...");
+    console.log("[Nosana] Patching vulnerable dependencies...");
+
+    // Run scan
+    const engine = createEngine();
+    console.log(`\n🔍 Starting security scan for: ${repoPath}`);
+    const report = await engine.scan(repoPath);
+
+    const response: ScanResponse = {
+      success: true,
+      data: report,
+      riskScore: report.scan.risk_score,
+      executiveSummary: {
+        totalCVEs: report.summary.total_cves,
+        exploitableCVEs: report.summary.exploitable_count,
+        theoreticalCVEs: report.summary.theoretical_count,
+        scanDurationMs: report.summary.scan_duration_ms,
+        timestamp: report.scan.timestamp,
+      },
+    };
+
+    return new Response(JSON.stringify(response), {
+      status: 200,
+      headers: {
+        "Content-Type": "application/json",
+        "X-RateLimit-Remaining": String(rateLimitMap.get(ip)?.count || 0),
+      },
+    });
+  } catch (error) {
+    console.error("Scan error:", error);
+
+    const errorMessage =
+      error instanceof Error ? error.message : String(error);
+
+    const errorResponse: ScanResponse = {
+      success: false,
+      error: errorMessage,
+    };
+
+    return new Response(JSON.stringify(errorResponse), {
+      status: 500,
+      headers: { "Content-Type": "application/json" },
+    });
+  }
+}
+
+async function handleHealth(): Promise<Response> {
+  return new Response(JSON.stringify({ status: "ok" }), {
+    status: 200,
+    headers: { "Content-Type": "application/json" },
+  });
+}
+
+// Main server
+const server = Bun.serve({
+  port: PORT,
+  development: NODE_ENV !== "production",
+  async fetch(req) {
+    const url = new URL(req.url);
+    const pathname = url.pathname;
+    const method = req.method;
+    const ip = getClientIP(req);
+
+    // Health check
+    if (pathname === "/health" && method === "GET") {
+      return handleHealth();
+    }
+
+    // Scan endpoint
+    if (pathname === "/api/scan" && method === "POST") {
+      // Rate limiting check
+      const rateLimit = checkRateLimit(ip);
+      if (!rateLimit.allowed) {
+        console.warn(`Rate limit exceeded for IP: ${ip}`);
+        return new Response(
+          JSON.stringify({
+            success: false,
+            error: "Rate limit exceeded. Maximum 5 requests per minute.",
+          }),
+          {
+            status: 429,
+            headers: {
+              "Content-Type": "application/json",
+              "Retry-After": "60",
+            },
+          }
+        );
+      }
+
+      // Token validation in production
+      if (NODE_ENV === "production") {
+        const authHeader = req.headers.get("Authorization") || "";
+        const token = authHeader.replace("Bearer ", "");
+
+        if (token !== API_SECRET_TOKEN) {
+          console.warn(`Invalid API token from IP: ${ip}`);
+          return new Response(
+            JSON.stringify({
+              success: false,
+              error: "Invalid or missing API token",
+            }),
+            {
+              status: 401,
+              headers: { "Content-Type": "application/json" },
+            }
+          );
+        }
+      }
+
+      // Handle scan
+      return handleScan(req, ip);
+    }
+
+    // 404 for unknown routes
+    return new Response(
+      JSON.stringify({
+        success: false,
+        error: `Unknown route: ${pathname}`,
+      }),
+      {
+        status: 404,
+        headers: { "Content-Type": "application/json" },
+      }
+    );
+  },
+});
+
+// Log startup information
+console.log("\n╔════════════════════════════════════════════════════════╗");
+console.log("║     CodeProbe Security Scan API Server (CLI-only)     ║");
+console.log("╚════════════════════════════════════════════════════════╝\n");
+console.log(`📍 Environment: ${NODE_ENV}`);
+console.log(`🚀 Server running on http://localhost:${PORT}`);
+console.log(`\n📊 Available endpoints:`);
+console.log(`   GET  /health              - Health check`);
+console.log(`   POST /api/scan            - Run vulnerability scan\n`);
+
+if (NODE_ENV === "production") {
+  console.log(`✅ Production mode enabled`);
+  console.log(`   - Google Cloud URL configured: ${GOOGLE_CLOUD_URL}`);
+  console.log(`   - API authentication required (Bearer token)\n`);
+} else {
+  console.log(`⚠️  Development mode - authentication disabled\n`);
+}
+
+console.log(`📈 Rate limiting: 5 requests per minute per IP`);
+console.log(
+  `\n💡 Example request:\n`
+);
+console.log(`   curl -X POST http://localhost:${PORT}/api/scan \\`);
+console.log(`     -H "Content-Type: application/json" \\`);
+if (NODE_ENV === "production") {
+  console.log(`     -H "Authorization: Bearer $API_SECRET_TOKEN" \\`);
+}
+console.log(`     -d '{"repoPath": "/path/to/repo"}'\n`);
+
+console.log(`🔗 Sponsor credits:`);
+console.log(`   [Bright Data] - CVE data scraping from NVD, Exploit-DB, Snyk`);
+console.log(`   [Daytona] - Sandboxed exploit verification`);
+console.log(`   [Nosana] - LLM-powered patch generation\n`);
+
+export default server;