codeprobe-scanner 1.0.13 → 1.0.15

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeprobe-scanner",
-  "version": "1.0.13",
+  "version": "1.0.15",
   "description": "Automated vulnerability scanner with exploit verification and video evidence",
   "type": "module",
   "bin": {

package/src/cli/commands/scan.ts

@@ -110,8 +110,8 @@ export async function scanCommand(args: string[]): Promise<void> {
   try {
     const engine = createEngine();
 
-    // Run the actual engine scan (not mocked)
-    const report = await engine.scan(repoPath);
+    // Run recursive scan to find all package.json files
+    const report = await engine.scanRecursive(repoPath);
 
     const duration = Date.now() - startTime;
 

package/src/engine/index.ts

@@ -4,7 +4,8 @@ import { createSandbox } from "./sandbox";
 import { createMatcher } from "./matcher";
 import { createPatcher } from "./patcher";
 import { createReportBuilder } from "./report";
-import { Report } from "../shared/types";
+import { Report, ScanCVE } from "../shared/types";
+import { findAllPackageJsons } from "../shared/file-scanner";
 
 export class CodeProbeEngine {
   private parser = createParser();
@@ -18,6 +19,66 @@ export class CodeProbeEngine {
     return this.sandbox.getVideoRecorder();
   }
 
+  async scanRecursive(rootPath: string): Promise<Report> {
+    const startTime = Date.now();
+
+    try {
+      // Find all package.json files
+      console.log("🔍 Searching for package.json files...");
+      const packageJsonLocations = await findAllPackageJsons(rootPath);
+      console.log(`   Found ${packageJsonLocations.length} package.json file(s)`);
+
+      if (packageJsonLocations.length === 0) {
+        throw new Error("No package.json files found in the repository");
+      }
+
+      // Scan each location
+      const allCves: ScanCVE[] = [];
+      const allDependencies: number[] = [];
+      const scannedLocations: string[] = [];
+
+      for (const location of packageJsonLocations) {
+        console.log(`\n📂 Scanning: ${location.path}`);
+        try {
+          const report = await this.scan(location.path);
+          allCves.push(...report.scan.cves);
+          allDependencies.push(report.scan.total_dependencies);
+          scannedLocations.push(location.path);
+        } catch (error) {
+          console.warn(
+            `   ⚠️  Skipped: ${error instanceof Error ? error.message : String(error)}`
+          );
+        }
+      }
+
+      // Aggregate results
+      const riskScore = this.matcher.calculateRiskScore(allCves);
+      const scanDuration = Date.now() - startTime;
+      const totalDependencies = allDependencies.reduce((a, b) => a + b, 0);
+
+      const report = await this.reportBuilder.buildReport(
+        rootPath,
+        allCves,
+        riskScore,
+        scanDuration,
+        totalDependencies
+      );
+
+      // Add metadata about scanned locations
+      (report as any).scanned_locations = scannedLocations;
+
+      await this.reportBuilder.saveReport(report);
+
+      return report;
+    } catch (error) {
+      throw new Error(
+        `Recursive scan failed: ${
+          error instanceof Error ? error.message : String(error)
+        }`
+      );
+    }
+  }
+
   async scan(repoPath: string): Promise<Report> {
     const startTime = Date.now();
 

package/src/integrations/videodb.ts

@@ -1,3 +1,6 @@
+import { mkdir, writeFile } from "fs/promises";
+import { join } from "path";
+
 interface ExploitVideoRecord {
   cveId: string;
   package: string;
@@ -9,29 +12,18 @@ interface ExploitVideoRecord {
 }
 
 export class VideoDBRecorder {
-  private videoDb: any = null;
-  private apiKey: string;
   private recordedVideos: Map<string, ExploitVideoRecord> = new Map();
+  private proofsDir = ".proofs";
 
   constructor() {
-    this.apiKey = process.env.VIDEODB_API_KEY || "";
-    this.initializeVideoDB();
+    this.ensureProofsDir();
   }
 
-  private initializeVideoDB(): void {
-    if (!this.apiKey) {
-      return;
-    }
-
+  private async ensureProofsDir(): Promise<void> {
     try {
-      const videodb = require("videodb");
-      const Constructor = videodb.VideoDb || videodb.Connection || videodb.connect;
-      if (typeof Constructor === "function") {
-        this.videoDb = new Constructor({ apiKey: this.apiKey });
-        console.log("[VideoDB] ✓ Initialized - exploit recordings enabled");
-      }
+      await mkdir(this.proofsDir, { recursive: true });
     } catch {
-      // VideoDB unavailable, video recording disabled
+      // Directory might already exist
     }
   }
 
@@ -42,88 +34,61 @@ export class VideoDBRecorder {
     exploitOutput: string,
     duration: number = 15
   ): Promise<ExploitVideoRecord | null> {
-    if (!this.videoDb) {
-      console.warn(`[VideoDB] Skipping recording for ${cveId} - not initialized`);
-      return null;
-    }
-
     try {
-      console.log(`[VideoDB] 🎥 Recording exploit for ${cveId}...`);
-
-      // Create collection for this CVE
-      const collectionName = `codeprobe-${cveId.toLowerCase().replace("-", "_")}`;
-
-      // Create metadata for the video
-      const metadata = {
-        cve_id: cveId,
-        package: packageName,
-        version: version,
-        exploit_output: exploitOutput,
-        timestamp: new Date().toISOString(),
-        severity: "CRITICAL",
-        type: "rce-verification",
-      };
+      console.log(`[ProofRecorder] 🎥 Recording proof for ${cveId}...`);
 
-      // In real scenario, this would capture actual sandbox screen recording
-      // For now, we create a metadata entry with exploitOutput as the video description
-      const videoUrl = await this.uploadExploitRecord(
+      const proofPath = await this.saveProof(
         cveId,
         packageName,
         version,
-        exploitOutput,
-        collectionName,
-        metadata
+        exploitOutput
       );
 
       const record: ExploitVideoRecord = {
         cveId,
         package: packageName,
         version,
-        videoUrl,
+        videoUrl: proofPath,
         duration,
         timestamp: new Date().toISOString(),
       };
 
       this.recordedVideos.set(cveId, record);
-      console.log(`[VideoDB] ✓ Recorded: ${videoUrl}`);
+      console.log(`[ProofRecorder] ✓ Saved: ${proofPath}`);
 
       return record;
     } catch (error) {
       console.warn(
-        `[VideoDB] Failed to record ${cveId}: ${error instanceof Error ? error.message : String(error)}`
+        `[ProofRecorder] Failed to save proof for ${cveId}: ${error instanceof Error ? error.message : String(error)}`
       );
       return null;
     }
   }
 
-  private async uploadExploitRecord(
+  private async saveProof(
     cveId: string,
     packageName: string,
     version: string,
-    exploitOutput: string,
-    collectionName: string,
-    metadata: any
+    exploitOutput: string
   ): Promise<string> {
-    // Create a reference URL that links to the video
-    // In production, this would actually upload screen recording to VideoDB
-    const videoId = `${cveId.toLowerCase()}_${Date.now()}`;
-    const videoUrl = `https://console.videodb.io/videos/${videoId}`;
-
-    // Store metadata in cache for later retrieval
-    const cacheKey = `videodb_${cveId}`;
-    if (typeof globalThis !== "undefined") {
-      (globalThis as any)[cacheKey] = {
-        cveId,
-        packageName,
-        version,
-        exploitOutput,
-        metadata,
-        videoUrl,
-        createdAt: new Date().toISOString(),
-      };
-    }
-
-    return videoUrl;
+    await this.ensureProofsDir();
+
+    const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
+    const filename = `${cveId}_${timestamp}.json`;
+    const filePath = join(this.proofsDir, filename);
+
+    const proofData = {
+      cveId,
+      package: packageName,
+      version,
+      exploitOutput,
+      savedAt: new Date().toISOString(),
+      severity: "CRITICAL",
+      type: "rce-verification",
+    };
+
+    await writeFile(filePath, JSON.stringify(proofData, null, 2));
+    return filePath;
   }
 
   getRecordedVideos(): ExploitVideoRecord[] {

package/src/shared/file-scanner.ts

@@ -0,0 +1,50 @@
+import { readdir } from "fs/promises";
+import { join } from "path";
+
+export interface PackageJsonLocation {
+  path: string;
+  depth: number;
+}
+
+export async function findAllPackageJsons(
+  rootPath: string,
+  maxDepth: number = 3,
+  currentDepth: number = 0,
+  results: PackageJsonLocation[] = []
+): Promise<PackageJsonLocation[]> {
+  if (currentDepth > maxDepth) {
+    return results;
+  }
+
+  try {
+    const entries = await readdir(rootPath, { withFileTypes: true });
+
+    for (const entry of entries) {
+      // Skip node_modules, .git, and other common folders
+      if (
+        entry.name.startsWith(".") ||
+        entry.name === "node_modules" ||
+        entry.name === "dist" ||
+        entry.name === "build" ||
+        entry.name === "coverage"
+      ) {
+        continue;
+      }
+
+      const fullPath = join(rootPath, entry.name);
+
+      if (entry.isFile() && entry.name === "package.json") {
+        results.push({
+          path: rootPath,
+          depth: currentDepth,
+        });
+      } else if (entry.isDirectory()) {
+        await findAllPackageJsons(fullPath, maxDepth, currentDepth + 1, results);
+      }
+    }
+  } catch {
+    // Permission denied or other errors - skip
+  }
+
+  return results;
+}