codeprobe-scanner 1.0.4 → 1.0.5

package/src/test/cli.test.ts

@@ -1,211 +0,0 @@
-import { describe, it, expect, beforeEach, afterEach } from 'bun:test';
-import { mkdirSync, rmSync, writeFileSync, readFileSync, existsSync } from 'fs';
-import path from 'path';
-import os from 'os';
-
-// Test utilities
-const TEST_CONFIG_DIR = path.join(os.tmpdir(), 'codeprobe-test-' + Date.now());
-
-beforeEach(() => {
-  mkdirSync(TEST_CONFIG_DIR, { recursive: true });
-  process.env.HOME = TEST_CONFIG_DIR;
-});
-
-afterEach(() => {
-  if (existsSync(TEST_CONFIG_DIR)) {
-    rmSync(TEST_CONFIG_DIR, { recursive: true, force: true });
-  }
-});
-
-describe('CLI: Config Management', () => {
-  it('should export ensureConfigDir function', async () => {
-    const { ensureConfigDir } = await import('../cli/config');
-
-    expect(typeof ensureConfigDir).toBe('function');
-  });
-
-  it('should save and load config', async () => {
-    const { setConfig, getConfig } = await import('../cli/config');
-
-    await setConfig('test_key', 'test_value');
-    const value = await getConfig('test_key');
-
-    expect(value).toBe('test_value');
-  });
-
-  it('should handle missing config gracefully', async () => {
-    const { getConfig } = await import('../cli/config');
-
-    const value = await getConfig('nonexistent_key');
-
-    expect(value).toBeUndefined();
-  });
-});
-
-describe('CLI: Progress Logger', () => {
-  it('should format timestamps correctly', async () => {
-    const { ProgressLogger } = await import('../cli/progress');
-
-    const logger = new ProgressLogger(false);
-
-    expect(logger).toBeDefined();
-  });
-
-  it('should handle events without crashing', async () => {
-    const { ProgressLogger } = await import('../cli/progress');
-
-    const logger = new ProgressLogger(false);
-    const event = {
-      phase: 'parsing' as const,
-      status: 'start' as const,
-      message: 'Test message',
-      timestamp: new Date().toISOString(),
-      level: 'info' as const,
-    };
-
-    // Should not throw
-    logger.log(event);
-
-    expect(logger).toBeDefined();
-  });
-});
-
-describe('CLI: Error Handling', () => {
-  it('should create CodeProbeError with code', async () => {
-    const { CodeProbeError } = await import('../cli/errors');
-
-    const error = new CodeProbeError('TEST_CODE', 'Test message', 'Details');
-
-    expect(error.code).toBe('TEST_CODE');
-    expect(error.message).toBe('Test message');
-  });
-
-  it('should create specific error types', async () => {
-    const { BrightDataError, DaytonaError, GitError } = await import('../cli/errors');
-
-    const brightError = new BrightDataError('API timeout');
-    const daytonaError = new DaytonaError('Container failed');
-    const gitError = new GitError('Push failed');
-
-    expect(brightError.code).toBe('BRIGHT_DATA_FAILED');
-    expect(daytonaError.code).toBe('DAYTONA_FAILED');
-    expect(gitError.code).toBe('GIT_ERROR');
-  });
-
-  it('should retry with backoff', async () => {
-    const { retryWithBackoff } = await import('../cli/errors');
-
-    let attempts = 0;
-    const fn = async () => {
-      attempts++;
-      if (attempts < 2) throw new Error('Temporary failure');
-      return 'success';
-    };
-
-    const result = await retryWithBackoff(fn, 2, 10);
-
-    expect(result).toBe('success');
-    expect(attempts).toBe(2);
-  });
-});
-
-describe('CLI: Utils', () => {
-  it('should generate unique scan IDs', async () => {
-    const { generateScanId } = await import('../shared/utils');
-
-    const id1 = generateScanId();
-    const id2 = generateScanId();
-
-    expect(id1).not.toBe(id2);
-    expect(id1.startsWith('scan_')).toBe(true);
-  });
-
-  it('should format risk scores', async () => {
-    const { formatRiskScore } = await import('../shared/utils');
-
-    const highRisk = formatRiskScore(8.5);
-    const mediumRisk = formatRiskScore(5.0);
-    const lowRisk = formatRiskScore(2.0);
-
-    expect(highRisk.includes('8.5')).toBe(true);
-    expect(mediumRisk.includes('5.0')).toBe(true);
-    expect(lowRisk.includes('2.0')).toBe(true);
-  });
-
-  it('should get risk level correctly', async () => {
-    const { getRiskLevel } = await import('../shared/utils');
-
-    expect(getRiskLevel(9)).toBe('CRITICAL');
-    expect(getRiskLevel(7)).toBe('HIGH');
-    expect(getRiskLevel(5)).toBe('MEDIUM');
-    expect(getRiskLevel(1)).toBe('LOW');
-  });
-
-  it('should convert milliseconds to human readable', async () => {
-    const { msToHuman } = await import('../shared/utils');
-
-    expect(msToHuman(500)).toBe('500ms');
-    expect(msToHuman(5000)).toBe('5s');
-    expect(msToHuman(65000)).toBe('1m 5s');
-  });
-});
-
-describe('CLI: Types', () => {
-  it('should have correct CVE type structure', async () => {
-    const { Report } = await import('../shared/types');
-
-    const mockReport: Report = {
-      scan: {
-        id: 'scan_123',
-        timestamp: new Date().toISOString(),
-        repo_url: '.',
-        cves: [
-          {
-            id: 'CVE-2023-44487',
-            package: 'http2-server',
-            version_vulnerable: '1.0.0',
-            severity: 'CRITICAL',
-            cvss: 8.5,
-            exploitable: true,
-            exploit_evidence: 'DoS confirmed',
-            patch_version: '1.0.1',
-          },
-        ],
-        risk_score: 8.5,
-        patches_available: 1,
-      },
-      summary: {
-        exploitable_count: 1,
-        theoretical_count: 0,
-      },
-    };
-
-    expect(mockReport.scan.id).toBe('scan_123');
-    expect(mockReport.scan.cves[0].id).toBe('CVE-2023-44487');
-    expect(mockReport.scan.cves[0].exploitable).toBe(true);
-  });
-});
-
-describe('CLI: Constants', () => {
-  it('should define exit codes correctly', async () => {
-    const { EXIT_CODES } = await import('../shared/constants');
-
-    expect(EXIT_CODES.SUCCESS).toBe(0);
-    expect(EXIT_CODES.VULNERABILITIES_FOUND).toBe(1);
-    expect(EXIT_CODES.SCAN_FAILED).toBe(2);
-  });
-
-  it('should define file permissions', async () => {
-    const { FILE_PERMISSIONS } = await import('../shared/constants');
-
-    expect(FILE_PERMISSIONS.DIR).toBe(0o700);
-    expect(FILE_PERMISSIONS.FILE).toBe(0o600);
-  });
-
-  it('should define risk score weights', async () => {
-    const { RISK_SCORE_WEIGHTS } = await import('../shared/constants');
-
-    expect(RISK_SCORE_WEIGHTS.EXPLOITABLE).toBe(10);
-    expect(RISK_SCORE_WEIGHTS.THEORETICAL).toBe(3);
-  });
-});

package/src/test/dashboard.test.ts

@@ -1,38 +0,0 @@
-import { test, expect } from "bun:test";
-
-test("Dashboard: API server starts", async () => {
-  const server = Bun.serve({
-    port: 0,
-    fetch() {
-      return new Response("OK");
-    },
-  });
-
-  const res = await fetch(`http://${server.hostname}:${server.port}/`);
-  expect(res.ok).toBe(true);
-
-  server.stop();
-});
-
-test("Dashboard: OAuth endpoint exists", async () => {
-  // Test would require full server setup
-  // Simplified check: verify imports work
-  const authModule = await import("../api/auth.ts");
-  expect(authModule.exchangeGitHubToken).toBeDefined();
-  expect(authModule.validateGitHubToken).toBeDefined();
-});
-
-test("Dashboard: Components render", async () => {
-  // Note: JSX/React component testing requires a DOM environment
-  // In production, use Playwright or similar for E2E tests
-  const componentModules = [
-    import("../dashboard/components/RiskGauge.tsx"),
-    import("../dashboard/components/CVETable.tsx"),
-    import("../dashboard/components/BusinessImpactCard.tsx"),
-  ];
-
-  const results = await Promise.all(componentModules);
-  results.forEach((mod) => {
-    expect(Object.keys(mod).length).toBeGreaterThan(0);
-  });
-});

package/src/test/demo-scan.json

@@ -1,32 +0,0 @@
-{
-  "id": "scan-demo-001",
-  "repo": "https://github.com/demo/vulnerable-app",
-  "riskScore": 8.5,
-  "timestamp": 1718281200,
-  "duration": 45,
-  "supplyChainWarnings": 0,
-  "cves": [
-    {
-      "id": "CVE-2023-44487",
-      "package": "http2-server",
-      "severity": "CRITICAL",
-      "status": "✅ Confirmed Exploitable",
-      "patch": "v1.0.1",
-      "description": "HTTP/2 server implementation vulnerable to rapid reset attacks. Attacker can trigger remote code execution.",
-      "affectedVersions": "1.0.0 - 1.0.0",
-      "poc": "$ codeprobe poc CVE-2023-44487\n[*] Setting up sandbox...\n[+] Server started on :8000\n[*] Sending exploit payload...\n[+] RCE confirmed: /bin/sh opened\n$ whoami\nroot\n$ exit\n[+] Patch required: Upgrade to http2-server >= 1.0.1",
-      "diff": "--- a/package.json\n+++ b/package.json\n@@ -5,1 +5,1 @@\n-  \"http2-server\": \"1.0.0\"\n+  \"http2-server\": \"1.0.1\""
-    },
-    {
-      "id": "CVE-2023-12345",
-      "package": "lodash",
-      "severity": "HIGH",
-      "status": "⚠️ Theoretical Risk",
-      "patch": "N/A",
-      "description": "Prototype pollution in lodash utility functions. Could allow arbitrary code execution.",
-      "affectedVersions": "4.17.0 - 4.17.20",
-      "poc": "Manual code review identified unsafe merge patterns.",
-      "diff": "--- a/src/utils.js\n+++ b/src/utils.js\n@@ -12,3 +12,5 @@\n function merge(obj, src) {\n+  if (!src) return obj;\n+  if (typeof src !== 'object') return obj;\n   return Object.assign(obj, src);"
-    }
-  ]
-}

package/src/test/engine.test.ts

@@ -1,157 +0,0 @@
-import { test, expect, beforeAll, afterAll } from "bun:test";
-import { createEngine } from "../engine/index";
-import { createParser } from "../engine/parser";
-import { createScraper } from "../engine/scraper";
-import { createMatcher } from "../engine/matcher";
-
-let demoRepoPath: string;
-
-beforeAll(async () => {
-  // Create a demo repo with vulnerable ejs
-  const tempDir = `/tmp/codeprobe-test-${Date.now()}`;
-
-  // Create directory
-  try {
-    await Bun.$`mkdir -p ${tempDir}`;
-  } catch {
-    // Directory might already exist
-  }
-
-  const packageJson = {
-    name: "test-app",
-    version: "1.0.0",
-    dependencies: {
-      ejs: "3.1.6",
-    },
-  };
-
-  await Bun.write(`${tempDir}/package.json`, JSON.stringify(packageJson, null, 2));
-
-  // Create package-lock.json with exact version
-  const lockfile = {
-    name: "test-app",
-    version: "1.0.0",
-    dependencies: {
-      ejs: {
-        version: "3.1.6",
-      },
-    },
-  };
-
-  await Bun.write(`${tempDir}/package-lock.json`, JSON.stringify(lockfile, null, 2));
-
-  demoRepoPath = tempDir;
-});
-
-test("Parser: extracts dependencies from package.json", async () => {
-  const parser = createParser();
-  const deps = await parser.parseDependencies(demoRepoPath);
-
-  expect(deps).toHaveLength(1);
-  expect(deps[0].name).toBe("ejs");
-  expect(deps[0].version).toBe("3.1.6");
-});
-
-test("Scraper: returns demo CVE for ejs", async () => {
-  const scraper = createScraper();
-  const cves = await scraper.scrapeForCVEs("ejs", "3.1.6");
-
-  expect(cves.length).toBeGreaterThan(0);
-  expect(cves[0].id).toBe("CVE-2022-29078");
-  expect(cves[0].package).toBe("ejs");
-});
-
-test("Matcher: matches ejs to CVE-2022-29078", async () => {
-  const scraper = createScraper();
-  const matcher = createMatcher();
-
-  const deps = [{ name: "ejs", version: "3.1.6" }];
-  const cves = await scraper.scrapeForCVEs("ejs", "3.1.6");
-
-  const matched = matcher.matchDependenciesToCVEs(deps, cves);
-
-  expect(matched.length).toBeGreaterThan(0);
-  expect(matched[0].id).toBe("CVE-2022-29078");
-  expect(matched[0].package).toBe("ejs");
-});
-
-test("Matcher: calculates risk score", async () => {
-  const matcher = createMatcher();
-
-  const cves = [
-    {
-      id: "CVE-2022-29078",
-      package: "ejs",
-      version_vulnerable: "3.1.6",
-      version_fixed: "3.1.7",
-      severity: "CRITICAL" as const,
-      cvss: 9.8,
-      description: "Template injection RCE",
-      exploitable: true,
-    },
-  ];
-
-  const riskScore = matcher.calculateRiskScore(cves);
-
-  expect(riskScore).toBeGreaterThan(5);
-  expect(riskScore).toBeLessThanOrEqual(10);
-});
-
-test("Engine: full scan end-to-end", async () => {
-  const engine = createEngine();
-  const report = await engine.scan(demoRepoPath);
-
-  expect(report).toBeDefined();
-  expect(report.scan.id).toBeDefined();
-  expect(report.scan.cves.length).toBeGreaterThan(0);
-  expect(report.scan.risk_score).toBeGreaterThan(0);
-  expect(report.summary.total_cves).toBeGreaterThan(0);
-
-  // Check for demo CVE
-  const demoCveFound = report.scan.cves.find((c) => c.id === "CVE-2022-29078");
-  expect(demoCveFound).toBeDefined();
-  expect(demoCveFound?.package).toBe("ejs");
-
-  // Verify exploit was run (vulnerable version should be exploitable)
-  if (demoCveFound?.version_vulnerable === "3.1.6") {
-    expect(demoCveFound?.exploitable).toBe(true);
-  }
-});
-
-test("Engine: reports fixed version as not exploitable", async () => {
-  const tempDir = `/tmp/codeprobe-test-fixed-${Date.now()}`;
-
-  try {
-    await Bun.$`mkdir -p ${tempDir}`;
-  } catch {
-    // OK
-  }
-
-  const packageJson = {
-    name: "test-app-fixed",
-    version: "1.0.0",
-    dependencies: {
-      ejs: "3.1.7",
-    },
-  };
-
-  await Bun.write(`${tempDir}/package.json`, JSON.stringify(packageJson, null, 2));
-
-  const engine = createEngine();
-  const report = await engine.scan(tempDir);
-
-  const demoCve = report.scan.cves.find((c) => c.id === "CVE-2022-29078");
-  if (demoCve) {
-    // Fixed version should not be exploitable
-    expect(demoCve?.exploitable).toBe(false);
-  }
-});
-
-afterAll(async () => {
-  // Cleanup
-  try {
-    await Bun.$`rm -rf /tmp/codeprobe-test-*`;
-  } catch {
-    // Ignore cleanup errors
-  }
-});

package/tailwind.config.js

@@ -1,11 +0,0 @@
-/** @type {import('tailwindcss').Config} */
-export default {
-  content: [
-    "./src/dashboard/**/*.{ts,tsx}",
-    "./src/dashboard/index.html",
-  ],
-  theme: {
-    extend: {},
-  },
-  plugins: [],
-}

package/tsconfig.json

@@ -1,30 +0,0 @@
-{
-  "compilerOptions": {
-    // Environment setup & latest features
-    "lib": ["ESNext", "DOM", "DOM.Iterable"],
-    "target": "ESNext",
-    "module": "Preserve",
-    "moduleDetection": "force",
-    "jsx": "react-jsx",
-    "allowJs": true,
-    "types": ["bun"],
-
-    // Bundler mode
-    "moduleResolution": "bundler",
-    "allowImportingTsExtensions": true,
-    "verbatimModuleSyntax": true,
-    "noEmit": true,
-
-    // Best practices
-    "strict": true,
-    "skipLibCheck": true,
-    "noFallthroughCasesInSwitch": true,
-    "noUncheckedIndexedAccess": true,
-    "noImplicitOverride": true,
-
-    // Some stricter flags (disabled by default)
-    "noUnusedLocals": false,
-    "noUnusedParameters": false,
-    "noPropertyAccessFromIndexSignature": false
-  }
-}

package/verify-dashboard.ts

@@ -1,87 +0,0 @@
-// Quick verification: Does the dashboard serve + API respond?
-
-console.log("🧪 Dashboard Verification\n");
-
-// Test 1: API responds with scans
-console.log("1️⃣ Testing API /api/scans...");
-const apiRes = await fetch("http://localhost:3000/api/scans", {
-  headers: { Authorization: "Bearer demo-token" },
-});
-
-if (!apiRes.ok) {
-  console.error("❌ API failed:", apiRes.status);
-  process.exit(1);
-}
-
-const scans = await apiRes.json();
-console.log(`✅ API returns ${scans.length} scan(s)`);
-console.log(`   - Scan ID: ${scans[0].id}`);
-console.log(`   - Repo: ${scans[0].repo}`);
-console.log(`   - Risk: ${scans[0].riskScore}/10`);
-console.log(`   - CVEs: ${scans[0].cves.length}`);
-
-// Test 2: Scan detail endpoint
-console.log("\n2️⃣ Testing API /api/scans/{id}...");
-const scanRes = await fetch(`http://localhost:3000/api/scans/${scans[0].id}`, {
-  headers: { Authorization: "Bearer demo-token" },
-});
-
-if (!scanRes.ok) {
-  console.error("❌ Scan detail failed:", scanRes.status);
-  process.exit(1);
-}
-
-const scanDetail = await scanRes.json();
-console.log("✅ Scan detail loads");
-console.log(`   - Risk Score: ${scanDetail.riskScore}`);
-console.log(`   - Business Impact: $${(scanDetail.riskScore / 10 * 4.9).toFixed(1)}M`);
-console.log(`   - CVEs found:`);
-scanDetail.cves.forEach((cve: any) => {
-  console.log(`      • ${cve.id} (${cve.severity}) - ${cve.status}`);
-});
-
-// Test 3: Dashboard HTML exists
-console.log("\n3️⃣ Checking dashboard files...");
-const htmlExists = Bun.file("dist/index.html").exists();
-const appExists = Bun.file("dist/app.js").exists();
-
-if (htmlExists && appExists) {
-  console.log("✅ Dashboard files built");
-  console.log(`   - HTML: dist/index.html`);
-  console.log(`   - JS Bundle: dist/app.js (1.0 MB)`);
-} else {
-  console.error("❌ Missing dashboard files");
-  process.exit(1);
-}
-
-// Test 4: Key components in bundle
-console.log("\n4️⃣ Verifying React components...");
-const appContent = await Bun.file("dist/app.js").text();
-const components = [
-  "LoginPage",
-  "ScansListPage",
-  "ScanDetailPage",
-  "BusinessImpactCard",
-  "RiskGauge",
-  "CVETable",
-  "PatchDiffViewer",
-];
-
-const found = components.filter((c) => appContent.includes(c));
-console.log(`✅ ${found.length}/${components.length} components bundled`);
-
-// Summary
-console.log("\n✨ VERIFICATION SUMMARY");
-console.log("========================");
-console.log("✅ API server running on :3000");
-console.log("✅ Demo scan loaded with 2 CVEs");
-console.log("✅ Risk score: 8.5/10 (CRITICAL)");
-console.log("✅ Business impact: $4.165M");
-console.log("✅ Dashboard built (1.0 MB)");
-console.log("✅ React components bundled");
-console.log("\n🚀 TO VIEW:");
-console.log("   1. Serve dist/ on port 5173");
-console.log("   2. Open http://localhost:5173");
-console.log("   3. See login page → click Login → see scans list");
-console.log("   4. Click scan → risk gauge + CVE table + business impact card");
-console.log("   5. Click CVE → expand patch diff");

package/verify-env.sh

@@ -1,98 +0,0 @@
-#!/bin/bash
-# CodeProbe Environment Verification Script
-
-echo "🔍 Checking CodeProbe Environment Setup..."
-echo ""
-
-# Check .env file exists
-if [ ! -f .env ]; then
-    echo "❌ .env file not found!"
-    echo "   Create it with: cp .env.example .env"
-    exit 1
-fi
-echo "✅ .env file exists"
-
-# Check required API keys
-echo ""
-echo "Checking API Keys:"
-
-if grep -q "BRIGHT_DATA_API_KEY=" .env && grep "BRIGHT_DATA_API_KEY=" .env | grep -qv "your_"; then
-    echo "✅ BRIGHT_DATA_API_KEY is set"
-else
-    echo "⚠️  BRIGHT_DATA_API_KEY is missing or not configured"
-fi
-
-if grep -q "DAYTONA_API_KEY=" .env && grep "DAYTONA_API_KEY=" .env | grep -qv "your_"; then
-    echo "✅ DAYTONA_API_KEY is set"
-else
-    echo "⚠️  DAYTONA_API_KEY is missing or not configured"
-fi
-
-if grep -q "KIMI_API_KEY=" .env && grep "KIMI_API_KEY=" .env | grep -qv "your_"; then
-    echo "✅ KIMI_API_KEY is set"
-else
-    echo "⚠️  KIMI_API_KEY is missing or not configured"
-fi
-
-if grep -q "NOSANA_API_KEY=" .env && grep "NOSANA_API_KEY=" .env | grep -qv "your_"; then
-    echo "✅ NOSANA_API_KEY is set"
-else
-    echo "⚠️  NOSANA_API_KEY is missing or not configured"
-fi
-
-# Check server configuration
-echo ""
-echo "Checking Server Configuration:"
-
-if grep -q "PORT=8080" .env; then
-    echo "✅ PORT is set to 8080"
-else
-    echo "⚠️  PORT configuration not found"
-fi
-
-if grep -q "NODE_ENV=development" .env; then
-    echo "✅ NODE_ENV is set to development"
-fi
-
-# Test that Bun loads .env
-echo ""
-echo "Testing Bun .env loading..."
-
-if command -v bun &> /dev/null; then
-    # Try a quick test
-    TEST_OUTPUT=$(bun -e "console.log(process.env.PORT)" 2>/dev/null)
-    if [ "$TEST_OUTPUT" == "8080" ]; then
-        echo "✅ Bun can load .env variables"
-    else
-        echo "⚠️  Bun may not be loading .env correctly"
-    fi
-else
-    echo "⚠️  Bun not installed - skipping .env load test"
-fi
-
-# Check git ignore
-echo ""
-echo "Checking Security:"
-
-if grep -q ".env" .gitignore 2>/dev/null; then
-    echo "✅ .env is in .gitignore (secure)"
-else
-    echo "⚠️  .env might not be in .gitignore"
-fi
-
-# Summary
-echo ""
-echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
-echo "✨ Environment Setup Complete!"
-echo ""
-echo "To start testing:"
-echo ""
-echo "  Terminal 1:"
-echo "    bun src/api/server-cli.ts"
-echo ""
-echo "  Terminal 2:"
-echo "    SERVER_URL=http://localhost:8080 \\"
-echo "    CODEPROBE_SECRET=dev-token \\"
-echo "    bun src/cli-server.ts scan ./demo-vulnerable-app"
-echo ""
-echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"