codeprobe-scanner 1.0.4 → 1.0.5

package/demo-vulnerable-app/.github/workflows/codeprobe.yml

@@ -1,32 +0,0 @@
-name: CodeProbe Demo - Security Scan
-
-on: [push, pull_request]
-
-jobs:
-  scan:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Setup Bun
-        uses: oven-sh/setup-bun@v1
-
-      - name: Install CodeProbe
-        run: |
-          cd ..
-          bun install
-
-      - name: Run CodeProbe scan
-        run: |
-          cd ..
-          bun run src/cli/index.ts scan ./demo-vulnerable-app --json
-        env:
-          BRIGHT_DATA_API_KEY: ${{ secrets.BRIGHT_DATA_API_KEY }}
-          DAYTONA_API_KEY: ${{ secrets.DAYTONA_API_KEY }}
-
-      - name: Check for exploitable vulnerabilities
-        run: |
-          cd ..
-          bun run src/cli/index.ts scan ./demo-vulnerable-app --json | grep -q '"exploitable": true' && echo "✅ Vulnerability verified" || echo "⚠️ No exploitable vulnerabilities found"

package/demo-vulnerable-app/README.md

@@ -1,70 +0,0 @@
-# CodeProbe Demo: Vulnerable Node.js App
-
-This is a deliberately vulnerable Node.js application used to demonstrate CodeProbe's exploit verification capabilities.
-
-## Vulnerabilities
-
-### CVE-2022-29078: EJS Template Injection RCE
-
-**Affected Package:** `ejs@3.1.6`  
-**Severity:** CRITICAL (CVSS 9.8)  
-**Issue:** The EJS template engine allows template injection attacks that lead to arbitrary code execution.
-
-**How it's vulnerable:**
-- Line in `server.js`: `ejs.render(req.query.template, ...)`
-- User can inject malicious EJS template expressions
-- Server executes arbitrary JavaScript code
-
-**Exploit:**
-```bash
-curl "http://localhost:3000/?template=<%= require('child_process').execSync('whoami') %>"
-```
-
-**Fix:** Upgrade `ejs` to version 3.1.7 or higher.
-
-## Running the Demo App
-
-```bash
-cd demo-vulnerable-app
-npm install
-npm start
-```
-
-The app listens on `http://localhost:3000`.
-
-## Using CodeProbe to Scan
-
-```bash
-# From the codeprobe root directory:
-bun run src/cli/index.ts scan ./demo-vulnerable-app
-
-# Or with JSON output:
-bun run src/cli/index.ts scan ./demo-vulnerable-app --json
-```
-
-## Expected Output
-
-CodeProbe will:
-1. **Parse dependencies** — Extract EJS 3.1.6 from package.json
-2. **Scrape CVE data** — Find CVE-2022-29078 in NVD (via Bright Data)
-3. **Match versions** — Detect that EJS 3.1.6 is vulnerable
-4. **Verify in sandbox** — Spawn a Daytona container and execute the PoC exploit
-5. **Generate patch** — Create a patch to upgrade EJS to 3.1.7
-6. **Report findings** — Display "CONFIRMED EXPLOITABLE" with business impact ($4.9M breach cost)
-
-## Why This Demo?
-
-- **Realistic vulnerability**: EJS template injection is a real, widely-exploited vulnerability
-- **Node.js native**: Works in isolated containers without external dependencies
-- **Clear proof**: Exploit evidence is captured in sandbox logs
-- **Fast verification**: Exploit runs in < 2 seconds
-
-## Files
-
-- `package.json` — Intentionally pinned to vulnerable EJS 3.1.6
-- `server.js` — Express server with template injection vulnerability
-- `.github/workflows/codeprobe.yml` — CI/CD integration example
-
-## Disclaimer
-
-This app is for **security research and education only**. Do not use in production or with untrusted code.

package/demo-vulnerable-app/package-lock.json

@@ -1,27 +0,0 @@
-{
-  "name": "demo-vulnerable-app",
-  "version": "1.0.0",
-  "lockfileVersion": 3,
-  "requires": true,
-  "packages": {
-    "": {
-      "name": "demo-vulnerable-app",
-      "version": "1.0.0",
-      "dependencies": {
-        "express": "^4.18.2",
-        "ejs": "3.1.6"
-      }
-    },
-    "node_modules/express": {
-      "version": "4.18.2",
-      "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz"
-    },
-    "node_modules/ejs": {
-      "version": "3.1.6",
-      "resolved": "https://registry.npmjs.org/ejs/-/ejs-3.1.6.tgz",
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    }
-  }
-}

package/demo-vulnerable-app/package.json

@@ -1,15 +0,0 @@
-{
-  "name": "demo-vulnerable-app",
-  "version": "1.0.0",
-  "description": "Demo application with intentional vulnerability for CodeProbe testing",
-  "main": "server.js",
-  "scripts": {
-    "start": "node server.js",
-    "test": "bun test"
-  },
-  "dependencies": {
-    "express": "^4.18.2",
-    "ejs": "3.1.6"
-  },
-  "devDependencies": {}
-}

package/demo-vulnerable-app/server.js

@@ -1,34 +0,0 @@
-const express = require("express");
-const ejs = require("ejs");
-const app = express();
-
-app.use(express.urlencoded({ extended: false }));
-
-// Vulnerable endpoint: directly renders user input as template
-app.get("/render", (req, res) => {
-  const template = req.query.template || "Hello <%= name %>";
-
-  try {
-    // VULNERABLE: ejs.render() executes arbitrary code in templates
-    // An attacker can inject: <%= require('child_process').execSync('id') %>
-    const result = ejs.render(template, { name: "World" });
-    res.send(`<pre>${result}</pre>`);
-  } catch (error) {
-    res.status(500).send(`<pre>Error: ${error.message}</pre>`);
-  }
-});
-
-app.get("/", (req, res) => {
-  res.send(`
-    <h1>CodeProbe Demo - EJS Template Injection</h1>
-    <p>This app uses EJS ${require("ejs/package.json").version}</p>
-    <p>Visit: <a href="/render?template=&lt;%= 'VULNERABLE' %>">/render</a> to test</p>
-    <p>Or send a template parameter to exploit</p>
-  `);
-});
-
-const port = 3000;
-app.listen(port, () => {
-  console.log(`Demo app listening on http://localhost:${port}`);
-  console.log(`Vulnerable ejs version: ${require("ejs/package.json").version}`);
-});

package/demo.sh

@@ -1,45 +0,0 @@
-#!/bin/bash
-set -e
-
-echo "=== CodeProbe Demo Script ==="
-echo ""
-
-# Colors for output
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-BLUE='\033[0;34m'
-NC='\033[0m' # No Color
-
-# Check if bun is installed
-if ! command -v bun &> /dev/null; then
-    echo -e "${RED}Error: bun is not installed${NC}"
-    exit 1
-fi
-
-echo -e "${BLUE}1. Clearing previous scans...${NC}"
-rm -rf ~/.codeprobe/scans/*
-echo -e "${GREEN}✓ Scans cleared${NC}"
-echo ""
-
-echo -e "${BLUE}2. Running scan...${NC}"
-time bun run src/cli/index.ts scan .
-echo -e "${GREEN}✓ Scan complete${NC}"
-echo ""
-
-echo -e "${BLUE}3. Displaying report...${NC}"
-bun run src/cli/index.ts report
-echo ""
-
-echo -e "${BLUE}4. Testing with --json flag...${NC}"
-bun run src/cli/index.ts scan . --json | head -20
-echo "..."
-echo ""
-
-echo -e "${GREEN}✅ Demo successful!${NC}"
-echo ""
-echo -e "${YELLOW}Next steps:${NC}"
-echo "  • Run scan with fix: bun run src/cli/index.ts scan . --fix"
-echo "  • View config: bun run src/cli/index.ts config get"
-echo "  • Set API key: bun run src/cli/index.ts config set bright_data_api_key <key>"
-echo ""

package/index.ts

@@ -1,19 +0,0 @@
-import { createEngine } from "./src/engine/index";
-
-const engine = createEngine();
-const repoPath = process.argv[2] || "./demo-vulnerable-app";
-
-console.log(`\n⚡ CodeProbe v1.0.0`);
-console.log(`Scanning repository: ${repoPath}\n`);
-
-try {
-  const report = await engine.scan(repoPath);
-  const formatted = (await import("./src/engine/report")).createReportBuilder().formatForTerminal(report);
-  console.log(formatted);
-
-  // Exit with appropriate code
-  process.exit(report.summary.exploitable_count > 0 ? 1 : 0);
-} catch (error) {
-  console.error("❌ Scan failed:", error instanceof Error ? error.message : String(error));
-  process.exit(2);
-}

package/patches.json

@@ -1,12 +0,0 @@
-[
-  {
-    "cve_id": "CVE-2022-29078",
-    "package": "ejs",
-    "from_version": "3.1.0",
-    "to_version": "3.1.7",
-    "description": "Fixes template injection RCE vulnerability by sanitizing template inputs",
-    "diff": "--- a/package.json\n+++ b/package.json\n@@ -5,1 +5,1 @@\n-  \"ejs\": \"3.1.6\"\n+  \"ejs\": \"3.1.7\"\n--- a/package-lock.json\n+++ b/package-lock.json\n@@ -10,1 +10,1 @@\n-      \"version\": \"3.1.6\",\n+      \"version\": \"3.1.7\",",
-    "severity": "CRITICAL",
-    "cvss": 9.8
-  }
-]

package/serve-dashboard.ts

@@ -1,23 +0,0 @@
-import { serve } from "bun";
-import path from "path";
-
-const distDir = "dist";
-
-export default serve({
-  port: 5173,
-  fetch(req) {
-    const url = new URL(req.url);
-    let filePath = url.pathname;
-
-    if (filePath === "/" || filePath === "") {
-      filePath = "index.html";
-    }
-
-    const file = Bun.file(path.join(distDir, filePath));
-    return file.exists().then(() => new Response(file));
-  },
-});
-
-console.log("🎨 Dashboard serving on http://localhost:5173");
-console.log("📡 API on http://localhost:3000");
-console.log("📂 Serving: dist/");

package/src/cli/index.ts

@@ -1,137 +0,0 @@
-#!/usr/bin/env bun
-
-import chalk from 'chalk';
-import { APP_NAME, APP_VERSION, EXIT_CODES } from '../shared/constants.js';
-import { ProgressLogger } from './progress.js';
-import { handleError } from './errors.js';
-import { scanCommand } from './commands/scan.js';
-import { reportCommand } from './commands/report.js';
-
-const logger = new ProgressLogger();
-
-function showHelp(): void {
-  console.log(`
-${chalk.bold.cyan(`⚡ ${APP_NAME} v${APP_VERSION}`)}
-
-${chalk.bold('USAGE')}
-  codeprobe <command> [options] [arguments]
-
-${chalk.bold('COMMANDS')}
-  scan [path]     Scan a repository for vulnerabilities (default: current dir)
-  report          Display last scan results
-  config          Manage configuration
-  help            Show this help message
-
-${chalk.bold('OPTIONS')}
-  --fix           Auto-fix vulnerabilities (creates git branch & commits)
-  --json          Output results as JSON
-  --verbose       Show detailed logs
-  --help          Show help
-
-${chalk.bold('EXAMPLES')}
-  codeprobe scan
-  codeprobe scan ./my-app
-  codeprobe scan --fix
-  codeprobe scan --json > report.json
-  codeprobe report
-  codeprobe config set bright_data_api_key <key>
-
-${chalk.bold('DOCS')}
-  https://github.com/codeprobe/codeprobe
-`);
-}
-
-async function main(): Promise<void> {
-  const args = process.argv.slice(2);
-
-  // No args = show help
-  if (args.length === 0) {
-    showHelp();
-    process.exit(EXIT_CODES.SUCCESS);
-  }
-
-  const command = args[0];
-  const restArgs = args.slice(1);
-
-  try {
-    switch (command) {
-      case 'scan':
-        await scanCommand(restArgs);
-        break;
-
-      case 'report':
-        await reportCommand(restArgs);
-        break;
-
-      case 'config':
-        await handleConfigCommand(restArgs);
-        break;
-
-      case '--help':
-      case '-h':
-      case 'help':
-        showHelp();
-        break;
-
-      default:
-        console.error(chalk.red(`Unknown command: ${command}`));
-        console.log(`Run ${chalk.cyan('codeprobe --help')} for usage`);
-        process.exit(EXIT_CODES.SCAN_FAILED);
-    }
-  } catch (error) {
-    handleError(error, logger, true);
-  }
-}
-
-async function handleConfigCommand(args: string[]): Promise<void> {
-  const { getConfig, setConfig, clearConfig } = await import('./config.js');
-
-  const subcommand = args[0];
-
-  switch (subcommand) {
-    case 'get':
-      {
-        const key = args[1];
-        if (!key) {
-          const config = await getConfig();
-          console.log(JSON.stringify(config, null, 2));
-        } else {
-          const value = await getConfig(key);
-          console.log(value || `${key} not set`);
-        }
-      }
-      break;
-
-    case 'set':
-      {
-        const key = args[1];
-        const value = args[2];
-        if (!key || !value) {
-          console.error(chalk.red('Usage: codeprobe config set <key> <value>'));
-          process.exit(EXIT_CODES.SCAN_FAILED);
-        }
-        await setConfig(key, value);
-      }
-      break;
-
-    case 'clear':
-      {
-        const key = args[1];
-        if (!key) {
-          console.error(chalk.red('Usage: codeprobe config clear <key>'));
-          process.exit(EXIT_CODES.SCAN_FAILED);
-        }
-        await clearConfig(key);
-      }
-      break;
-
-    default:
-      console.error(chalk.red(`Unknown config subcommand: ${subcommand}`));
-      console.log(`Usage: codeprobe config [get|set|clear]`);
-      process.exit(EXIT_CODES.SCAN_FAILED);
-  }
-}
-
-main().catch((error) => {
-  handleError(error, logger, true);
-});

package/src/engine/index.ts

@@ -1,90 +0,0 @@
-import { createParser } from "./parser";
-import { createScraper } from "./scraper";
-import { createSandbox } from "./sandbox";
-import { createMatcher } from "./matcher";
-import { createPatcher } from "./patcher";
-import { createReportBuilder } from "./report";
-import { Report } from "../shared/types";
-
-export class CodeProbeEngine {
-  private parser = createParser();
-  private scraper = createScraper();
-  private sandbox = createSandbox();
-  private matcher = createMatcher();
-  private patcher = createPatcher();
-  private reportBuilder = createReportBuilder();
-
-  getVideoRecorder() {
-    return this.sandbox.getVideoRecorder();
-  }
-
-  async scan(repoPath: string): Promise<Report> {
-    const startTime = Date.now();
-
-    try {
-      // Step 1: Parse dependencies
-      console.log("📦 Parsing dependencies...");
-      const dependencies = await this.parser.parseDependencies(repoPath);
-      console.log(`   Found ${dependencies.length} dependencies`);
-
-      // Step 2: Scrape CVEs (Bright Data)
-      console.log("\x1b[33m[Bright Data]\x1b[0m 🔍 Scraping CVE data from NVD, Exploit-DB, Snyk...");
-      const cves = await this.scraper.scrapeAll(dependencies);
-      console.log(`   Found ${cves.length} CVEs`);
-
-      // Step 3: Match dependencies to CVEs
-      console.log("🎯 Matching dependencies to CVEs...");
-      const matchedCves = this.matcher.matchDependenciesToCVEs(dependencies, cves);
-      console.log(`   Matched ${matchedCves.length} CVEs`);
-
-      // Step 4: Filter CRITICAL/HIGH for sandbox verification
-      const criticalCves = this.matcher.filterBySeverity(matchedCves, "HIGH");
-      console.log(`   Testing ${criticalCves.length} critical/high severity CVEs...`);
-
-      // Step 5: Run exploit verification in sandboxes (Daytona)
-      const exploits = criticalCves.map((cve) => ({
-        packageName: cve.package,
-        version: cve.version_vulnerable,
-        cveId: cve.id,
-      }));
-
-      console.log("\x1b[33m[Daytona]\x1b[0m 🏗️  Spawning isolated sandboxes for exploit verification...");
-      const sandboxResults = await this.sandbox.parallelRun(exploits);
-
-      // Step 6: Update CVEs with sandbox results
-      for (const cve of matchedCves) {
-        const sandboxResult = sandboxResults.get(cve.id);
-        if (sandboxResult) {
-          cve.exploitable = sandboxResult.success;
-          cve.exploit_evidence = sandboxResult.stdout;
-          cve.verification_time_ms = sandboxResult.time_ms;
-        }
-      }
-
-      // Step 7: Generate patches (Nosana)
-      console.log("\x1b[33m[Nosana]\x1b[0m 🔧 Generating patches with LLM...");
-      await this.patcher.loadPrebakedPatches();
-      const patches = await this.patcher.generateAllPatches(matchedCves.filter((c) => c.exploitable));
-      for (const cve of matchedCves) {
-        if (patches.has(cve.id)) {
-          cve.patch_diff = patches.get(cve.id);
-        }
-      }
-
-      // Step 8: Calculate risk score
-      const riskScore = this.matcher.calculateRiskScore(matchedCves);
-
-      // Step 9: Build and save report
-      const scanDuration = Date.now() - startTime;
-      const report = await this.reportBuilder.buildReport(repoPath, matchedCves, riskScore, scanDuration, dependencies.length);
-
-      await this.reportBuilder.saveReport(report);
-
-      return report;
-    } catch (error) {
-      throw new Error(`Scan failed: ${error instanceof Error ? error.message : String(error)}`);
-    }
-  }
-}
-
-export const createEngine = () => new CodeProbeEngine();