codeprobe-scanner 1.0.19 → 1.0.20
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/src/engine/code-fixer.ts +58 -39
- package/src/engine/index.ts +1 -1
- package/src/engine/patcher.ts +14 -17
package/package.json
CHANGED
package/src/engine/code-fixer.ts
CHANGED
|
@@ -12,24 +12,50 @@ export interface CodeFix {
|
|
|
12
12
|
export class CodeFixer {
|
|
13
13
|
async fixVulnerabilities(vulnerabilities: CodeVulnerability[]): Promise<CodeFix[]> {
|
|
14
14
|
const fixes: CodeFix[] = [];
|
|
15
|
+
const fileCache = new Map<string, { original: string; lines: string[] }>();
|
|
15
16
|
|
|
17
|
+
// Group vulnerabilities by file
|
|
18
|
+
const vulnsByFile = new Map<string, CodeVulnerability[]>();
|
|
16
19
|
for (const vuln of vulnerabilities) {
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
20
|
+
if (!vulnsByFile.has(vuln.file)) {
|
|
21
|
+
vulnsByFile.set(vuln.file, []);
|
|
22
|
+
}
|
|
23
|
+
vulnsByFile.get(vuln.file)!.push(vuln);
|
|
24
|
+
}
|
|
25
|
+
|
|
26
|
+
// Process each file
|
|
27
|
+
for (const [filePath, fileVulns] of vulnsByFile) {
|
|
28
|
+
try {
|
|
29
|
+
const content = await readFile(filePath, "utf-8");
|
|
30
|
+
const lines = content.split("\n");
|
|
31
|
+
let modified = false;
|
|
32
|
+
|
|
33
|
+
for (const vuln of fileVulns) {
|
|
34
|
+
const fix = this.generateFixForVulnerability(vuln, lines);
|
|
35
|
+
if (fix) {
|
|
36
|
+
lines[vuln.line - 1] = fix.fixed;
|
|
37
|
+
fixes.push({ file: filePath, line: vuln.line, original: fix.original, fixed: fix.fixed, type: vuln.type });
|
|
38
|
+
modified = true;
|
|
39
|
+
}
|
|
40
|
+
}
|
|
41
|
+
|
|
42
|
+
// Write back if modified
|
|
43
|
+
if (modified) {
|
|
44
|
+
const updatedContent = lines.join("\n");
|
|
45
|
+
await writeFile(filePath, updatedContent, "utf-8");
|
|
46
|
+
console.log(` ✓ Fixed ${fileVulns.length} issues in ${filePath}`);
|
|
47
|
+
}
|
|
48
|
+
} catch (error) {
|
|
49
|
+
console.warn(` ⚠️ Failed to fix ${filePath}: ${error instanceof Error ? error.message : String(error)}`);
|
|
21
50
|
}
|
|
22
51
|
}
|
|
23
52
|
|
|
24
53
|
return fixes;
|
|
25
54
|
}
|
|
26
55
|
|
|
27
|
-
private
|
|
56
|
+
private generateFixForVulnerability(vuln: CodeVulnerability, lines: string[]): { original: string; fixed: string } | null {
|
|
28
57
|
try {
|
|
29
|
-
const file = await readFile(vuln.file, "utf-8");
|
|
30
|
-
const lines = file.split("\n");
|
|
31
58
|
const lineIndex = vuln.line - 1;
|
|
32
|
-
|
|
33
59
|
if (lineIndex < 0 || lineIndex >= lines.length) {
|
|
34
60
|
return null;
|
|
35
61
|
}
|
|
@@ -51,16 +77,10 @@ export class CodeFixer {
|
|
|
51
77
|
}
|
|
52
78
|
|
|
53
79
|
if (fixed !== original) {
|
|
54
|
-
return {
|
|
55
|
-
file: vuln.file,
|
|
56
|
-
line: vuln.line,
|
|
57
|
-
original,
|
|
58
|
-
fixed,
|
|
59
|
-
type: vuln.type,
|
|
60
|
-
};
|
|
80
|
+
return { original, fixed };
|
|
61
81
|
}
|
|
62
82
|
} catch (error) {
|
|
63
|
-
|
|
83
|
+
// Silent fail for individual fixes
|
|
64
84
|
}
|
|
65
85
|
|
|
66
86
|
return null;
|
|
@@ -71,22 +91,32 @@ export class CodeFixer {
|
|
|
71
91
|
let fixed = line;
|
|
72
92
|
|
|
73
93
|
// Replace apiKey/api_key patterns
|
|
74
|
-
|
|
75
|
-
const
|
|
76
|
-
|
|
77
|
-
|
|
94
|
+
if (/api_?key\s*[:=]\s*["']/i.test(fixed)) {
|
|
95
|
+
const varName = fixed.match(/(\w+)\s*[:=]/)?.[1] || "apiKey";
|
|
96
|
+
fixed = fixed.replace(/api_?key\s*[:=]\s*["'][^"']*["']/i,
|
|
97
|
+
`${varName} = process.env.API_KEY || ""`);
|
|
98
|
+
}
|
|
78
99
|
|
|
79
100
|
// Replace password patterns
|
|
80
|
-
|
|
81
|
-
const
|
|
82
|
-
|
|
83
|
-
|
|
101
|
+
if (/password\s*[:=]\s*["']/i.test(fixed)) {
|
|
102
|
+
const varName = fixed.match(/(\w+)\s*[:=]/)?.[1] || "password";
|
|
103
|
+
fixed = fixed.replace(/password\s*[:=]\s*["'][^"']*["']/i,
|
|
104
|
+
`${varName} = process.env.PASSWORD || ""`);
|
|
105
|
+
}
|
|
84
106
|
|
|
85
107
|
// Replace token patterns
|
|
86
|
-
|
|
87
|
-
const
|
|
88
|
-
|
|
89
|
-
|
|
108
|
+
if (/token\s*[:=]\s*["']/i.test(fixed)) {
|
|
109
|
+
const varName = fixed.match(/(\w+)\s*[:=]/)?.[1] || "token";
|
|
110
|
+
fixed = fixed.replace(/token\s*[:=]\s*["'][^"']*["']/i,
|
|
111
|
+
`${varName} = process.env.TOKEN || ""`);
|
|
112
|
+
}
|
|
113
|
+
|
|
114
|
+
// Replace secret patterns
|
|
115
|
+
if (/secret\s*[:=]\s*["']/i.test(fixed)) {
|
|
116
|
+
const varName = fixed.match(/(\w+)\s*[:=]/)?.[1] || "secret";
|
|
117
|
+
fixed = fixed.replace(/secret\s*[:=]\s*["'][^"']*["']/i,
|
|
118
|
+
`${varName} = process.env.SECRET || ""`);
|
|
119
|
+
}
|
|
90
120
|
|
|
91
121
|
return fixed;
|
|
92
122
|
}
|
|
@@ -134,17 +164,6 @@ export class CodeFixer {
|
|
|
134
164
|
return line;
|
|
135
165
|
}
|
|
136
166
|
|
|
137
|
-
private async applyFix(fix: CodeFix): Promise<void> {
|
|
138
|
-
try {
|
|
139
|
-
const file = await readFile(fix.file, "utf-8");
|
|
140
|
-
const lines = file.split("\n");
|
|
141
|
-
lines[fix.line - 1] = fix.fixed;
|
|
142
|
-
const updated = lines.join("\n");
|
|
143
|
-
await writeFile(fix.file, updated, "utf-8");
|
|
144
|
-
} catch (error) {
|
|
145
|
-
console.warn(`Failed to apply fix to ${fix.file}:${fix.line}`);
|
|
146
|
-
}
|
|
147
|
-
}
|
|
148
167
|
}
|
|
149
168
|
|
|
150
169
|
export const createCodeFixer = () => new CodeFixer();
|
package/src/engine/index.ts
CHANGED
|
@@ -132,7 +132,7 @@ export class CodeProbeEngine {
|
|
|
132
132
|
}
|
|
133
133
|
|
|
134
134
|
// Step 7: Generate patches for exploitable CVEs + any HIGH/CRITICAL with a known fix version
|
|
135
|
-
console.log("\x1b[33m[
|
|
135
|
+
console.log("\x1b[33m[Kimi]\x1b[0m 🔧 Generating patches with Kimi LLM...");
|
|
136
136
|
await this.patcher.loadPrebakedPatches();
|
|
137
137
|
const patchCandidates = matchedCves.filter((c) =>
|
|
138
138
|
c.exploitable || ((c.severity === "CRITICAL" || c.severity === "HIGH") && c.version_fixed)
|
package/src/engine/patcher.ts
CHANGED
|
@@ -67,38 +67,35 @@ export class PatchGenerator {
|
|
|
67
67
|
async generatePatch(cve: ScanCVE): Promise<string | null> {
|
|
68
68
|
await this.resolveKeys();
|
|
69
69
|
|
|
70
|
+
// First, check for prebaked patches (highest priority)
|
|
70
71
|
const prebakedPatch = this.patches.get(cve.id);
|
|
71
72
|
if (prebakedPatch) {
|
|
72
73
|
cve.patch_diff = prebakedPatch.diff;
|
|
73
74
|
return prebakedPatch.diff;
|
|
74
75
|
}
|
|
75
76
|
|
|
76
|
-
//
|
|
77
|
+
// Use Kimi LLM for patch generation (primary method)
|
|
77
78
|
if (this.kimiApiKey) {
|
|
78
79
|
try {
|
|
79
|
-
console.log(`[Kimi] Generating patch for ${cve.id}...`);
|
|
80
|
+
console.log(`[Kimi] 🔧 Generating patch for ${cve.id}...`);
|
|
80
81
|
const patch = await this.generatePatchWithKimi(cve);
|
|
81
82
|
if (patch) {
|
|
82
83
|
cve.patch_diff = patch;
|
|
84
|
+
console.log(`[Kimi] ✓ Patch generated for ${cve.id}`);
|
|
83
85
|
return patch;
|
|
84
86
|
}
|
|
85
87
|
} catch (error) {
|
|
86
|
-
console.warn(
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
if (this.nosanaApiKey) {
|
|
92
|
-
try {
|
|
93
|
-
console.log(`[Kimi] Generating patch for ${cve.id}...`);
|
|
94
|
-
const patch = await this.generatePatchWithKimi(cve);
|
|
95
|
-
if (patch) {
|
|
96
|
-
cve.patch_diff = patch;
|
|
97
|
-
return patch;
|
|
98
|
-
}
|
|
99
|
-
} catch (error) {
|
|
100
|
-
console.warn(`[Kimi] Failed to generate patch: ${error instanceof Error ? error.message : String(error)}`);
|
|
88
|
+
console.warn(
|
|
89
|
+
`[Kimi] ⚠️ Failed to generate patch for ${cve.id}: ${
|
|
90
|
+
error instanceof Error ? error.message : String(error)
|
|
91
|
+
}`
|
|
92
|
+
);
|
|
101
93
|
}
|
|
94
|
+
} else {
|
|
95
|
+
console.warn(
|
|
96
|
+
`[Kimi] ⚠️ No Kimi API key configured. Set KIMI_API_KEY or run:\n` +
|
|
97
|
+
` codeprobe config set kimi_api_key <your-key>`
|
|
98
|
+
);
|
|
102
99
|
}
|
|
103
100
|
|
|
104
101
|
return null;
|