codeprobe-scanner 1.0.0

package/src/scraper-cron.ts

@@ -0,0 +1,103 @@
+#!/usr/bin/env bun
+// CodeProbe Scraper Cron - Hourly dependency change detector
+
+import { mkdir, writeFile } from "fs/promises";
+import { existsSync } from "fs";
+import path from "path";
+
+const CODEPROBE_DIR = path.join(process.env.HOME || process.env.USERPROFILE || "/tmp", ".codeprobe");
+const HASH_FILE = path.join(CODEPROBE_DIR, "last-scan-hash.txt");
+const SERVER_URL = process.env.CODEPROBE_SERVER_URL || "http://localhost:3000";
+
+async function computeDependencyHash(): Promise<string> {
+  const lockfiles = ["package-lock.json", "bun.lock", "yarn.lock", "pnpm-lock.yaml"];
+  let lockfileContent = "";
+
+  for (const name of lockfiles) {
+    const filePath = path.join(process.cwd(), name);
+    if (existsSync(filePath)) {
+      lockfileContent = await Bun.file(filePath).text();
+      break;
+    }
+  }
+
+  const packagePath = path.join(process.cwd(), "package.json");
+  let packageContent = "";
+  if (existsSync(packagePath)) {
+    packageContent = await Bun.file(packagePath).text();
+  }
+
+  const combined = packageContent + lockfileContent;
+  const hasher = new Bun.CryptoHasher("sha256");
+  hasher.update(combined);
+  return hasher.digest("hex");
+}
+
+async function getStoredHash(): Promise<string | null> {
+  try {
+    if (existsSync(HASH_FILE)) {
+      return (await Bun.file(HASH_FILE).text()).trim();
+    }
+  } catch (error) {
+    console.warn("[Scraper] Failed to read hash:", error instanceof Error ? error.message : "unknown");
+  }
+  return null;
+}
+
+async function saveHash(hash: string): Promise<void> {
+  if (!existsSync(CODEPROBE_DIR)) {
+    await mkdir(CODEPROBE_DIR, { mode: 0o700, recursive: true });
+  }
+  await writeFile(HASH_FILE, hash, "utf-8");
+}
+
+async function triggerScan(): Promise<boolean> {
+  try {
+    const response = await fetch(`${SERVER_URL}/api/scan`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ repoPath: "." }),
+      signal: AbortSignal.timeout(30000),
+    });
+
+    if (!response.ok) {
+      console.error(`[Scraper] Server error: ${response.status}`);
+      return false;
+    }
+
+    const result = await response.json();
+    console.log(`[Scraper] Scan triggered (ID: ${result.scanId})`);
+    return true;
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    console.error(`[Scraper] Failed: ${msg}`);
+    return false;
+  }
+}
+
+async function main(): Promise<void> {
+  try {
+    const currentHash = await computeDependencyHash();
+    const storedHash = await getStoredHash();
+
+    if (storedHash === currentHash) {
+      console.log("[Scraper] Dependencies unchanged, skipping scan");
+      process.exit(0);
+    }
+
+    console.log("[Scraper] New packages detected, scanning...");
+
+    const success = await triggerScan();
+    if (success) {
+      await saveHash(currentHash);
+    } else {
+      console.warn("[Scraper] Trigger failed, will retry next hour");
+      process.exit(1);
+    }
+  } catch (error) {
+    console.error("[Scraper] Fatal:", error instanceof Error ? error.message : String(error));
+    process.exit(2);
+  }
+}
+
+main();

package/src/shared/constants.ts

@@ -0,0 +1,88 @@
+import path from 'path';
+import os from 'os';
+
+// API Endpoints
+export const API_ENDPOINTS = {
+  BRIGHT_DATA: process.env.BRIGHT_DATA_API_URL || "https://api.brightdata.com",
+  DAYTONA: process.env.DAYTONA_API_URL || "https://api.daytona.io",
+  NOSANA: process.env.NOSANA_API_URL || "https://api.nosana.io",
+  NVD: "https://services.nvd.nist.gov/rest/json/cves/2.0",
+  SNYK: "https://security.snyk.io/api/v1/vulnerabilities",
+} as const;
+
+// Timeout configurations
+export const TIMEOUTS = {
+  BRIGHT_DATA_SCRAPE: 30000, // 30s
+  DAYTONA_SANDBOX: 60000, // 60s per CVE
+  NOSANA_LLM: 45000, // 45s
+  HTTP_GENERAL: 10000, // 10s
+} as const;
+
+// Sandbox configuration
+export const SANDBOX_CONFIG = {
+  BASE_IMAGE: "node:20-alpine",
+  CPU: 1,
+  MEMORY: "512Mi",
+  DISK: "5Gi",
+  TIMEOUT_MS: TIMEOUTS.DAYTONA_SANDBOX,
+} as const;
+
+// File paths
+export const PATHS = {
+  HOME: os.homedir(),
+  CODEPROBE_DIR: path.join(os.homedir(), '.codeprobe'),
+  CONFIG_DIR: path.join(os.homedir(), '.codeprobe'),
+  SCANS_DIR: path.join(os.homedir(), '.codeprobe', 'scans'),
+  CONFIG_FILE: path.join(os.homedir(), '.codeprobe', 'config.json'),
+  LATEST_SCAN: path.join(os.homedir(), '.codeprobe', 'scans', 'latest.json'),
+  CVE_CACHE: path.join(process.cwd(), 'cve-cache.json'),
+  CACHE_FILE: path.join(process.cwd(), 'cve-cache.json'),
+  PATCHES_FILE: path.join(process.cwd(), 'patches.json'),
+} as const;
+
+// Retry configuration
+export const RETRY_CONFIG = {
+  MAX_RETRIES: 2,
+  INITIAL_DELAY_MS: 1000,
+  BACKOFF_MULTIPLIER: 2,
+} as const;
+
+// File permissions
+export const FILE_PERMISSIONS = {
+  DIR: 0o700, // drwx------
+  FILE: 0o600, // -rw-------
+} as const;
+
+// Risk scoring
+export const RISK_SCORE_WEIGHTS = {
+  EXPLOITABLE: 10,
+  THEORETICAL: 3,
+} as const;
+
+// Exit codes
+export const EXIT_CODES = {
+  SUCCESS: 0,
+  VULNERABILITIES_FOUND: 1,
+  SCAN_FAILED: 2,
+} as const;
+
+// App metadata
+export const APP_VERSION = '1.0.0';
+export const APP_NAME = 'CodeProbe';
+
+// Demo CVE for testing
+export const DEMO_CVE = {
+  id: "CVE-2022-29078",
+  package: "ejs",
+  affected_versions: ["3.1.0", "3.1.1", "3.1.2", "3.1.3", "3.1.4", "3.1.5", "3.1.6"],
+  fixed_version: "3.1.7",
+  severity: "CRITICAL",
+  cvss: 9.8,
+  description:
+    "ejs before 3.1.7 has a template injection vulnerability that allows arbitrary code execution",
+  exploit_type: "Template Injection RCE",
+} as const;
+
+// Demo CVE ID and package (alternative format used in tests)
+export const DEMO_CVE_ID = 'CVE-2023-44487';
+export const DEMO_PACKAGE = 'http2-server';

package/src/shared/types.ts

@@ -0,0 +1,123 @@
+import { z } from "zod";
+
+// CVE schema from vulnerability scraper (Stage 1: Bright Data, NVD, Snyk)
+export const CVESchema = z.object({
+  id: z.string(),
+  package: z.string(),
+  affected_versions: z.array(z.string()),
+  fixed_version: z.string(),
+  severity: z.enum(["CRITICAL", "HIGH", "MEDIUM", "LOW"]),
+  cvss: z.number().min(0).max(10),
+  description: z.string(),
+  cwe: z.string().optional(),
+  exploit_url: z.string().optional(),
+});
+
+export type CVE = z.infer<typeof CVESchema>;
+
+// CVE result in a scan report (includes verification results from sandbox)
+export const ScanCVESchema = z.object({
+  id: z.string(),
+  package: z.string(),
+  version_vulnerable: z.string(),
+  version_fixed: z.string().optional(),
+  severity: z.enum(["CRITICAL", "HIGH", "MEDIUM", "LOW"]),
+  cvss: z.number().min(0).max(10),
+  description: z.string(),
+  exploitable: z.boolean(),
+  exploit_evidence: z.string().optional(),
+  patch_diff: z.string().optional(),
+  patch_version: z.string().optional(),
+  verification_time_ms: z.number().optional(),
+});
+
+export type ScanCVE = z.infer<typeof ScanCVESchema>;
+
+// Complete scan result (Stage 1 + Stage 2)
+export const ScanSchema = z.object({
+  id: z.string(),
+  timestamp: z.string().datetime(),
+  repo_url: z.string(),
+  repo_path: z.string().optional(),
+  cves: z.array(ScanCVESchema),
+  risk_score: z.number().min(0).max(10),
+  exploitable_count: z.number(),
+  theoretical_count: z.number(),
+  total_dependencies: z.number(),
+  patches_available: z.number().optional(),
+});
+
+export type Scan = z.infer<typeof ScanSchema>;
+
+// Report with summary (for CLI output and Dashboard)
+export const ReportSchema = z.object({
+  scan: ScanSchema,
+  summary: z.object({
+    total_cves: z.number(),
+    exploitable_count: z.number(),
+    theoretical_count: z.number(),
+    scan_duration_ms: z.number(),
+  }),
+});
+
+export type Report = z.infer<typeof ReportSchema>;
+
+// Dependency from package.json
+export interface Dependency {
+  name: string;
+  version: string;
+}
+
+// Dependency matched with CVE
+export interface DependencyMatch {
+  dependency: Dependency;
+  cves: CVE[];
+}
+
+// Result from CVE scraper (Bright Data, NVD, etc.)
+export interface ScrapeResult {
+  cves: CVE[];
+  source: string;
+  timestamp: string;
+}
+
+// Result from exploit sandbox (Daytona)
+export interface SandboxResult {
+  exploit_ran: boolean;
+  exit_code: number;
+  stdout: string;
+  stderr: string;
+  success: boolean;
+  time_ms: number;
+}
+
+// Scan event for progress reporting
+export interface ScanEvent {
+  phase:
+    | 'parsing'
+    | 'scraping'
+    | 'matching'
+    | 'sandboxing'
+    | 'verification'
+    | 'patching'
+    | 'report';
+  status: 'start' | 'progress' | 'complete' | 'error';
+  message: string;
+  timestamp: string;
+  level: 'info' | 'warn' | 'error' | 'success';
+  metadata?: Record<string, unknown>;
+}
+
+// CLI options
+export interface CliOptions {
+  fix?: boolean;
+  json?: boolean;
+  verbose?: boolean;
+  exportFormat?: 'json' | 'html' | 'text';
+}
+
+// Scan result with duration
+export interface ScanResult {
+  report: Report;
+  duration_ms: number;
+}

package/src/shared/utils.ts

@@ -0,0 +1,80 @@
+import chalk from 'chalk';
+
+export function formatRiskScore(score: number): string {
+  const level = getRiskLevel(score);
+  const color = getRiskColor(score);
+  return color(`${score.toFixed(1)}/10 (${level})`);
+}
+
+export function getRiskLevel(score: number): 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW' {
+  if (score >= 8) return 'CRITICAL';
+  if (score >= 6) return 'HIGH';
+  if (score >= 4) return 'MEDIUM';
+  return 'LOW';
+}
+
+export function getRiskColor(score: number) {
+  if (score >= 8) return chalk.red;
+  if (score >= 6) return chalk.yellow;
+  if (score >= 4) return chalk.cyan;
+  return chalk.green;
+}
+
+export function formatSeverity(severity: string): string {
+  switch (severity) {
+    case 'CRITICAL':
+      return chalk.red(severity);
+    case 'HIGH':
+      return chalk.yellow(severity);
+    case 'MEDIUM':
+      return chalk.cyan(severity);
+    case 'LOW':
+      return chalk.green(severity);
+    default:
+      return chalk.gray(severity);
+  }
+}
+
+export function formatExploitable(exploitable: boolean): string {
+  if (exploitable) {
+    return chalk.red('✓ EXPLOITABLE');
+  }
+  return chalk.yellow('~ THEORETICAL');
+}
+
+export function generateScanId(): string {
+  return `scan_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+}
+
+export function bytesToHuman(bytes: number): string {
+  const units = ['B', 'KB', 'MB', 'GB'];
+  let size = bytes;
+  let unitIdx = 0;
+
+  while (size >= 1024 && unitIdx < units.length - 1) {
+    size /= 1024;
+    unitIdx++;
+  }
+
+  return `${size.toFixed(2)} ${units[unitIdx]}`;
+}
+
+export function msToHuman(ms: number): string {
+  if (ms < 1000) {
+    return `${ms}ms`;
+  }
+
+  const totalSeconds = Math.floor(ms / 1000);
+  const minutes = Math.floor(totalSeconds / 60);
+  const seconds = totalSeconds % 60;
+
+  if (minutes > 0) {
+    return `${minutes}m ${seconds}s`;
+  }
+  return `${seconds}s`;
+}
+
+export function truncate(str: string, length: number): string {
+  if (str.length <= length) return str;
+  return str.substring(0, length - 3) + '...';
+}

package/src/test/cli.test.ts

@@ -0,0 +1,211 @@
+import { describe, it, expect, beforeEach, afterEach } from 'bun:test';
+import { mkdirSync, rmSync, writeFileSync, readFileSync, existsSync } from 'fs';
+import path from 'path';
+import os from 'os';
+
+// Test utilities
+const TEST_CONFIG_DIR = path.join(os.tmpdir(), 'codeprobe-test-' + Date.now());
+
+beforeEach(() => {
+  mkdirSync(TEST_CONFIG_DIR, { recursive: true });
+  process.env.HOME = TEST_CONFIG_DIR;
+});
+
+afterEach(() => {
+  if (existsSync(TEST_CONFIG_DIR)) {
+    rmSync(TEST_CONFIG_DIR, { recursive: true, force: true });
+  }
+});
+
+describe('CLI: Config Management', () => {
+  it('should export ensureConfigDir function', async () => {
+    const { ensureConfigDir } = await import('../cli/config');
+
+    expect(typeof ensureConfigDir).toBe('function');
+  });
+
+  it('should save and load config', async () => {
+    const { setConfig, getConfig } = await import('../cli/config');
+
+    await setConfig('test_key', 'test_value');
+    const value = await getConfig('test_key');
+
+    expect(value).toBe('test_value');
+  });
+
+  it('should handle missing config gracefully', async () => {
+    const { getConfig } = await import('../cli/config');
+
+    const value = await getConfig('nonexistent_key');
+
+    expect(value).toBeUndefined();
+  });
+});
+
+describe('CLI: Progress Logger', () => {
+  it('should format timestamps correctly', async () => {
+    const { ProgressLogger } = await import('../cli/progress');
+
+    const logger = new ProgressLogger(false);
+
+    expect(logger).toBeDefined();
+  });
+
+  it('should handle events without crashing', async () => {
+    const { ProgressLogger } = await import('../cli/progress');
+
+    const logger = new ProgressLogger(false);
+    const event = {
+      phase: 'parsing' as const,
+      status: 'start' as const,
+      message: 'Test message',
+      timestamp: new Date().toISOString(),
+      level: 'info' as const,
+    };
+
+    // Should not throw
+    logger.log(event);
+
+    expect(logger).toBeDefined();
+  });
+});
+
+describe('CLI: Error Handling', () => {
+  it('should create CodeProbeError with code', async () => {
+    const { CodeProbeError } = await import('../cli/errors');
+
+    const error = new CodeProbeError('TEST_CODE', 'Test message', 'Details');
+
+    expect(error.code).toBe('TEST_CODE');
+    expect(error.message).toBe('Test message');
+  });
+
+  it('should create specific error types', async () => {
+    const { BrightDataError, DaytonaError, GitError } = await import('../cli/errors');
+
+    const brightError = new BrightDataError('API timeout');
+    const daytonaError = new DaytonaError('Container failed');
+    const gitError = new GitError('Push failed');
+
+    expect(brightError.code).toBe('BRIGHT_DATA_FAILED');
+    expect(daytonaError.code).toBe('DAYTONA_FAILED');
+    expect(gitError.code).toBe('GIT_ERROR');
+  });
+
+  it('should retry with backoff', async () => {
+    const { retryWithBackoff } = await import('../cli/errors');
+
+    let attempts = 0;
+    const fn = async () => {
+      attempts++;
+      if (attempts < 2) throw new Error('Temporary failure');
+      return 'success';
+    };
+
+    const result = await retryWithBackoff(fn, 2, 10);
+
+    expect(result).toBe('success');
+    expect(attempts).toBe(2);
+  });
+});
+
+describe('CLI: Utils', () => {
+  it('should generate unique scan IDs', async () => {
+    const { generateScanId } = await import('../shared/utils');
+
+    const id1 = generateScanId();
+    const id2 = generateScanId();
+
+    expect(id1).not.toBe(id2);
+    expect(id1.startsWith('scan_')).toBe(true);
+  });
+
+  it('should format risk scores', async () => {
+    const { formatRiskScore } = await import('../shared/utils');
+
+    const highRisk = formatRiskScore(8.5);
+    const mediumRisk = formatRiskScore(5.0);
+    const lowRisk = formatRiskScore(2.0);
+
+    expect(highRisk.includes('8.5')).toBe(true);
+    expect(mediumRisk.includes('5.0')).toBe(true);
+    expect(lowRisk.includes('2.0')).toBe(true);
+  });
+
+  it('should get risk level correctly', async () => {
+    const { getRiskLevel } = await import('../shared/utils');
+
+    expect(getRiskLevel(9)).toBe('CRITICAL');
+    expect(getRiskLevel(7)).toBe('HIGH');
+    expect(getRiskLevel(5)).toBe('MEDIUM');
+    expect(getRiskLevel(1)).toBe('LOW');
+  });
+
+  it('should convert milliseconds to human readable', async () => {
+    const { msToHuman } = await import('../shared/utils');
+
+    expect(msToHuman(500)).toBe('500ms');
+    expect(msToHuman(5000)).toBe('5s');
+    expect(msToHuman(65000)).toBe('1m 5s');
+  });
+});
+
+describe('CLI: Types', () => {
+  it('should have correct CVE type structure', async () => {
+    const { Report } = await import('../shared/types');
+
+    const mockReport: Report = {
+      scan: {
+        id: 'scan_123',
+        timestamp: new Date().toISOString(),
+        repo_url: '.',
+        cves: [
+          {
+            id: 'CVE-2023-44487',
+            package: 'http2-server',
+            version_vulnerable: '1.0.0',
+            severity: 'CRITICAL',
+            cvss: 8.5,
+            exploitable: true,
+            exploit_evidence: 'DoS confirmed',
+            patch_version: '1.0.1',
+          },
+        ],
+        risk_score: 8.5,
+        patches_available: 1,
+      },
+      summary: {
+        exploitable_count: 1,
+        theoretical_count: 0,
+      },
+    };
+
+    expect(mockReport.scan.id).toBe('scan_123');
+    expect(mockReport.scan.cves[0].id).toBe('CVE-2023-44487');
+    expect(mockReport.scan.cves[0].exploitable).toBe(true);
+  });
+});
+
+describe('CLI: Constants', () => {
+  it('should define exit codes correctly', async () => {
+    const { EXIT_CODES } = await import('../shared/constants');
+
+    expect(EXIT_CODES.SUCCESS).toBe(0);
+    expect(EXIT_CODES.VULNERABILITIES_FOUND).toBe(1);
+    expect(EXIT_CODES.SCAN_FAILED).toBe(2);
+  });
+
+  it('should define file permissions', async () => {
+    const { FILE_PERMISSIONS } = await import('../shared/constants');
+
+    expect(FILE_PERMISSIONS.DIR).toBe(0o700);
+    expect(FILE_PERMISSIONS.FILE).toBe(0o600);
+  });
+
+  it('should define risk score weights', async () => {
+    const { RISK_SCORE_WEIGHTS } = await import('../shared/constants');
+
+    expect(RISK_SCORE_WEIGHTS.EXPLOITABLE).toBe(10);
+    expect(RISK_SCORE_WEIGHTS.THEORETICAL).toBe(3);
+  });
+});

package/src/test/dashboard.test.ts

@@ -0,0 +1,38 @@
+import { test, expect } from "bun:test";
+
+test("Dashboard: API server starts", async () => {
+  const server = Bun.serve({
+    port: 0,
+    fetch() {
+      return new Response("OK");
+    },
+  });
+
+  const res = await fetch(`http://${server.hostname}:${server.port}/`);
+  expect(res.ok).toBe(true);
+
+  server.stop();
+});
+
+test("Dashboard: OAuth endpoint exists", async () => {
+  // Test would require full server setup
+  // Simplified check: verify imports work
+  const authModule = await import("../api/auth.ts");
+  expect(authModule.exchangeGitHubToken).toBeDefined();
+  expect(authModule.validateGitHubToken).toBeDefined();
+});
+
+test("Dashboard: Components render", async () => {
+  // Note: JSX/React component testing requires a DOM environment
+  // In production, use Playwright or similar for E2E tests
+  const componentModules = [
+    import("../dashboard/components/RiskGauge.tsx"),
+    import("../dashboard/components/CVETable.tsx"),
+    import("../dashboard/components/BusinessImpactCard.tsx"),
+  ];
+
+  const results = await Promise.all(componentModules);
+  results.forEach((mod) => {
+    expect(Object.keys(mod).length).toBeGreaterThan(0);
+  });
+});

package/src/test/demo-scan.json

@@ -0,0 +1,32 @@
+{
+  "id": "scan-demo-001",
+  "repo": "https://github.com/demo/vulnerable-app",
+  "riskScore": 8.5,
+  "timestamp": 1718281200,
+  "duration": 45,
+  "supplyChainWarnings": 0,
+  "cves": [
+    {
+      "id": "CVE-2023-44487",
+      "package": "http2-server",
+      "severity": "CRITICAL",
+      "status": "✅ Confirmed Exploitable",
+      "patch": "v1.0.1",
+      "description": "HTTP/2 server implementation vulnerable to rapid reset attacks. Attacker can trigger remote code execution.",
+      "affectedVersions": "1.0.0 - 1.0.0",
+      "poc": "$ codeprobe poc CVE-2023-44487\n[*] Setting up sandbox...\n[+] Server started on :8000\n[*] Sending exploit payload...\n[+] RCE confirmed: /bin/sh opened\n$ whoami\nroot\n$ exit\n[+] Patch required: Upgrade to http2-server >= 1.0.1",
+      "diff": "--- a/package.json\n+++ b/package.json\n@@ -5,1 +5,1 @@\n-  \"http2-server\": \"1.0.0\"\n+  \"http2-server\": \"1.0.1\""
+    },
+    {
+      "id": "CVE-2023-12345",
+      "package": "lodash",
+      "severity": "HIGH",
+      "status": "⚠️ Theoretical Risk",
+      "patch": "N/A",
+      "description": "Prototype pollution in lodash utility functions. Could allow arbitrary code execution.",
+      "affectedVersions": "4.17.0 - 4.17.20",
+      "poc": "Manual code review identified unsafe merge patterns.",
+      "diff": "--- a/src/utils.js\n+++ b/src/utils.js\n@@ -12,3 +12,5 @@\n function merge(obj, src) {\n+  if (!src) return obj;\n+  if (typeof src !== 'object') return obj;\n   return Object.assign(obj, src);"
+    }
+  ]
+}