codeprobe-scanner 1.0.17 ā 1.0.19
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/src/cli/commands/scan.ts +35 -0
- package/src/cli/config.ts +3 -2
- package/src/engine/code-fixer.ts +150 -0
package/package.json
CHANGED
package/src/cli/commands/scan.ts
CHANGED
|
@@ -82,6 +82,20 @@ function displayReport(report: Report, json: boolean, durationMs: number): void
|
|
|
82
82
|
console.log(chalk.green(`Patches Available: ${patchCount}/${report.summary.total_cves}`));
|
|
83
83
|
console.log(`Duration: ${msToHuman(durationMs)}`);
|
|
84
84
|
|
|
85
|
+
// Display SAST findings if available
|
|
86
|
+
if ((report as any).code_vulnerabilities && (report as any).code_vulnerabilities.length > 0) {
|
|
87
|
+
const codeVulns = (report as any).code_vulnerabilities;
|
|
88
|
+
console.log(chalk.bold('\nš Source Code Vulnerabilities:'));
|
|
89
|
+
codeVulns.forEach((vuln: any) => {
|
|
90
|
+
const severity = vuln.severity === 'CRITICAL' ? chalk.red(vuln.severity)
|
|
91
|
+
: vuln.severity === 'HIGH' ? chalk.yellow(vuln.severity)
|
|
92
|
+
: vuln.severity === 'MEDIUM' ? chalk.cyan(vuln.severity)
|
|
93
|
+
: chalk.green(vuln.severity);
|
|
94
|
+
console.log(` ${severity} ${vuln.type} in ${vuln.file}:${vuln.line}`);
|
|
95
|
+
console.log(` ${vuln.description}`);
|
|
96
|
+
});
|
|
97
|
+
}
|
|
98
|
+
|
|
85
99
|
if (report.scan.cves.length > 0) {
|
|
86
100
|
console.log(chalk.bold('\nCVE Details:'));
|
|
87
101
|
report.scan.cves.forEach((cve) => {
|
|
@@ -114,6 +128,27 @@ export async function scanCommand(args: string[]): Promise<void> {
|
|
|
114
128
|
// Run recursive scan to find all package.json files
|
|
115
129
|
const report = await engine.scanRecursive(repoPath);
|
|
116
130
|
|
|
131
|
+
// Also scan for source code vulnerabilities (SAST)
|
|
132
|
+
console.log("\nš Analyzing source code for vulnerabilities...");
|
|
133
|
+
const codeVulnerabilities = await engine.scanCodeVulnerabilities(repoPath);
|
|
134
|
+
|
|
135
|
+
// If --fix flag is set, apply fixes to source code
|
|
136
|
+
if (options.fix && codeVulnerabilities.length > 0) {
|
|
137
|
+
const { createCodeFixer } = await import("../../engine/code-fixer.js");
|
|
138
|
+
const fixer = createCodeFixer();
|
|
139
|
+
console.log("\nš§ Applying source code fixes...");
|
|
140
|
+
const fixes = await fixer.fixVulnerabilities(codeVulnerabilities);
|
|
141
|
+
console.log(` Applied ${fixes.length} code fixes`);
|
|
142
|
+
|
|
143
|
+
if (fixes.length > 0) {
|
|
144
|
+
console.log("\nš Fixed vulnerabilities:");
|
|
145
|
+
fixes.forEach((fix) => {
|
|
146
|
+
console.log(` - ${fix.file}:${fix.line}`);
|
|
147
|
+
console.log(` Type: ${fix.type}`);
|
|
148
|
+
});
|
|
149
|
+
}
|
|
150
|
+
}
|
|
151
|
+
|
|
117
152
|
const duration = Date.now() - startTime;
|
|
118
153
|
|
|
119
154
|
// Save report
|
package/src/cli/config.ts
CHANGED
|
@@ -10,6 +10,7 @@ interface ConfigData {
|
|
|
10
10
|
bright_data_api_key?: string;
|
|
11
11
|
daytona_api_key?: string;
|
|
12
12
|
nosana_api_key?: string;
|
|
13
|
+
kimi_api_key?: string;
|
|
13
14
|
[key: string]: string | undefined;
|
|
14
15
|
}
|
|
15
16
|
|
|
@@ -138,7 +139,7 @@ export async function setConfig(key: string, value: string): Promise<void> {
|
|
|
138
139
|
const config = await loadConfig();
|
|
139
140
|
|
|
140
141
|
// Encrypt if it's a token/secret field (specific fields only)
|
|
141
|
-
const secretFields = ['github_token', 'bright_data_api_key', 'daytona_api_key', 'nosana_api_key'];
|
|
142
|
+
const secretFields = ['github_token', 'bright_data_api_key', 'daytona_api_key', 'nosana_api_key', 'kimi_api_key'];
|
|
142
143
|
if (secretFields.includes(key.toLowerCase())) {
|
|
143
144
|
config[key] = encryptToken(value);
|
|
144
145
|
} else {
|
|
@@ -156,7 +157,7 @@ export async function clearConfig(key: string): Promise<void> {
|
|
|
156
157
|
console.log(chalk.green(`ā Config cleared: ${key}`));
|
|
157
158
|
}
|
|
158
159
|
|
|
159
|
-
export async function getApiKey(service: 'BRIGHT_DATA' | 'DAYTONA' | 'NOSANA'): Promise<string> {
|
|
160
|
+
export async function getApiKey(service: 'BRIGHT_DATA' | 'DAYTONA' | 'NOSANA' | 'KIMI'): Promise<string> {
|
|
160
161
|
const envKey = process.env[`${service}_API_KEY`];
|
|
161
162
|
if (envKey) {
|
|
162
163
|
return envKey;
|
|
@@ -0,0 +1,150 @@
|
|
|
1
|
+
import { readFile, writeFile } from "fs/promises";
|
|
2
|
+
import { CodeVulnerability } from "./sast";
|
|
3
|
+
|
|
4
|
+
export interface CodeFix {
|
|
5
|
+
file: string;
|
|
6
|
+
line: number;
|
|
7
|
+
original: string;
|
|
8
|
+
fixed: string;
|
|
9
|
+
type: string;
|
|
10
|
+
}
|
|
11
|
+
|
|
12
|
+
export class CodeFixer {
|
|
13
|
+
async fixVulnerabilities(vulnerabilities: CodeVulnerability[]): Promise<CodeFix[]> {
|
|
14
|
+
const fixes: CodeFix[] = [];
|
|
15
|
+
|
|
16
|
+
for (const vuln of vulnerabilities) {
|
|
17
|
+
const fix = await this.generateFix(vuln);
|
|
18
|
+
if (fix) {
|
|
19
|
+
fixes.push(fix);
|
|
20
|
+
await this.applyFix(fix);
|
|
21
|
+
}
|
|
22
|
+
}
|
|
23
|
+
|
|
24
|
+
return fixes;
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
private async generateFix(vuln: CodeVulnerability): Promise<CodeFix | null> {
|
|
28
|
+
try {
|
|
29
|
+
const file = await readFile(vuln.file, "utf-8");
|
|
30
|
+
const lines = file.split("\n");
|
|
31
|
+
const lineIndex = vuln.line - 1;
|
|
32
|
+
|
|
33
|
+
if (lineIndex < 0 || lineIndex >= lines.length) {
|
|
34
|
+
return null;
|
|
35
|
+
}
|
|
36
|
+
|
|
37
|
+
const original = lines[lineIndex];
|
|
38
|
+
let fixed = original;
|
|
39
|
+
|
|
40
|
+
// Apply type-specific fixes
|
|
41
|
+
if (vuln.type === "Hardcoded Secret") {
|
|
42
|
+
fixed = this.fixHardcodedSecret(original);
|
|
43
|
+
} else if (vuln.type === "Command Injection") {
|
|
44
|
+
fixed = this.fixCommandInjection(original);
|
|
45
|
+
} else if (vuln.type === "Insecure Random") {
|
|
46
|
+
fixed = this.fixInsecureRandom(original);
|
|
47
|
+
} else if (vuln.type === "SQL Injection") {
|
|
48
|
+
fixed = this.fixSQLInjection(original);
|
|
49
|
+
} else if (vuln.type === "Cross-Site Scripting (XSS)") {
|
|
50
|
+
fixed = this.fixXSS(original);
|
|
51
|
+
}
|
|
52
|
+
|
|
53
|
+
if (fixed !== original) {
|
|
54
|
+
return {
|
|
55
|
+
file: vuln.file,
|
|
56
|
+
line: vuln.line,
|
|
57
|
+
original,
|
|
58
|
+
fixed,
|
|
59
|
+
type: vuln.type,
|
|
60
|
+
};
|
|
61
|
+
}
|
|
62
|
+
} catch (error) {
|
|
63
|
+
console.warn(`Failed to generate fix for ${vuln.file}:${vuln.line}`);
|
|
64
|
+
}
|
|
65
|
+
|
|
66
|
+
return null;
|
|
67
|
+
}
|
|
68
|
+
|
|
69
|
+
private fixHardcodedSecret(line: string): string {
|
|
70
|
+
// Replace hardcoded values with environment variable references
|
|
71
|
+
let fixed = line;
|
|
72
|
+
|
|
73
|
+
// Replace apiKey/api_key patterns
|
|
74
|
+
fixed = fixed.replace(/api_?key\s*[:=]\s*["'][^"']*["']/i, (match) => {
|
|
75
|
+
const key = match.split("=")[0].trim();
|
|
76
|
+
return `${key} = process.env.API_KEY || "${match.split('"')[1] || match.split("'")[1] || "YOUR_KEY_HERE"}"`;
|
|
77
|
+
});
|
|
78
|
+
|
|
79
|
+
// Replace password patterns
|
|
80
|
+
fixed = fixed.replace(/password\s*[:=]\s*["'][^"']*["']/i, (match) => {
|
|
81
|
+
const key = match.split("=")[0].trim();
|
|
82
|
+
return `${key} = process.env.PASSWORD || ""`;
|
|
83
|
+
});
|
|
84
|
+
|
|
85
|
+
// Replace token patterns
|
|
86
|
+
fixed = fixed.replace(/token\s*[:=]\s*["'][^"']*["']/i, (match) => {
|
|
87
|
+
const key = match.split("=")[0].trim();
|
|
88
|
+
return `${key} = process.env.TOKEN || ""`;
|
|
89
|
+
});
|
|
90
|
+
|
|
91
|
+
return fixed;
|
|
92
|
+
}
|
|
93
|
+
|
|
94
|
+
private fixCommandInjection(line: string): string {
|
|
95
|
+
// Add escapeShellArg wrapper for unescaped variables
|
|
96
|
+
if (line.includes("execSync") || line.includes("exec")) {
|
|
97
|
+
return line.replace(/\$\{([^}]+)\}/g, (match, varName) => {
|
|
98
|
+
if (!line.includes("escapeShellArg")) {
|
|
99
|
+
return `\${escapeShellArg(${varName})}`;
|
|
100
|
+
}
|
|
101
|
+
return match;
|
|
102
|
+
});
|
|
103
|
+
}
|
|
104
|
+
return line;
|
|
105
|
+
}
|
|
106
|
+
|
|
107
|
+
private fixInsecureRandom(line: string): string {
|
|
108
|
+
// Replace Math.random with crypto.randomBytes
|
|
109
|
+
if (line.includes("Math.random()")) {
|
|
110
|
+
return line.replace(/Math\.random\(\)\.toString\(\d+\)\.slice\([^)]+\)/g, 'randomBytes(4).toString("hex")');
|
|
111
|
+
}
|
|
112
|
+
return line;
|
|
113
|
+
}
|
|
114
|
+
|
|
115
|
+
private fixSQLInjection(line: string): string {
|
|
116
|
+
// Suggest parameterized queries (manual fix needed)
|
|
117
|
+
if (line.includes("query") && line.includes("$")) {
|
|
118
|
+
return line.replace(/query\s*\([^)]*\$\{[^}]+\}[^)]*\)/, "query('...', [param1, param2])");
|
|
119
|
+
}
|
|
120
|
+
return line;
|
|
121
|
+
}
|
|
122
|
+
|
|
123
|
+
private fixXSS(line: string): string {
|
|
124
|
+
// Replace innerHTML with textContent
|
|
125
|
+
if (line.includes("innerHTML")) {
|
|
126
|
+
return line.replace(/\.innerHTML\s*=/, ".textContent =");
|
|
127
|
+
}
|
|
128
|
+
|
|
129
|
+
// Replace dangerouslySetInnerHTML with safe alternative
|
|
130
|
+
if (line.includes("dangerouslySetInnerHTML")) {
|
|
131
|
+
return line.replace(/dangerouslySetInnerHTML=\{[^}]+\}/g, "children");
|
|
132
|
+
}
|
|
133
|
+
|
|
134
|
+
return line;
|
|
135
|
+
}
|
|
136
|
+
|
|
137
|
+
private async applyFix(fix: CodeFix): Promise<void> {
|
|
138
|
+
try {
|
|
139
|
+
const file = await readFile(fix.file, "utf-8");
|
|
140
|
+
const lines = file.split("\n");
|
|
141
|
+
lines[fix.line - 1] = fix.fixed;
|
|
142
|
+
const updated = lines.join("\n");
|
|
143
|
+
await writeFile(fix.file, updated, "utf-8");
|
|
144
|
+
} catch (error) {
|
|
145
|
+
console.warn(`Failed to apply fix to ${fix.file}:${fix.line}`);
|
|
146
|
+
}
|
|
147
|
+
}
|
|
148
|
+
}
|
|
149
|
+
|
|
150
|
+
export const createCodeFixer = () => new CodeFixer();
|