npm - codeprobe-scanner - Versions diffs - 1.0.6 → 1.0.8 - Mend

codeprobe-scanner 1.0.6 → 1.0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "codeprobe-scanner",
-  "version": "1.0.6",
+  "version": "1.0.8",
   "description": "Automated vulnerability scanner with exploit verification and video evidence",
   "type": "module",
   "bin": {

package/src/cli/commands/scan.ts CHANGED Viewed

@@ -8,6 +8,7 @@ import { handleError, CodeProbeError } from '../errors.js';
 import { generateScanId, formatRiskScore, msToHuman } from '../../shared/utils.js';
 import { Report } from '../../shared/types.js';
 import { createEngine } from '../../engine/index.js';
+import { getConfig } from '../config.js';
 interface ScanOptions {
   fix: boolean;
@@ -104,10 +105,26 @@ export async function scanCommand(args: string[]): Promise<void> {
   logger.printHeader();
+  // Check for required API key
+  const brightDataKey = process.env.BRIGHT_DATA_API_KEY || await getConfig("bright_data_api_key");
+  if (!brightDataKey) {
+    console.log(chalk.yellow('\n⚠️  No Bright Data API key configured.'));
+    console.log(chalk.dim('   CVE lookup requires a Bright Data account (free tier available).'));
+    console.log(chalk.dim('   Get a key at: https://brightdata.com'));
+    console.log('');
+    console.log(chalk.cyan('   To configure:'));
+    console.log(chalk.white('   codeprobe config set bright_data_api_key <your-key>'));
+    console.log('');
+    console.log(chalk.dim('   Optional keys for full functionality:'));
+    console.log(chalk.dim('   codeprobe config set daytona_api_key <key>    # exploit verification'));
+    console.log(chalk.dim('   codeprobe config set kimi_api_key <key>       # AI patch generation'));
+    console.log('');
+    process.exit(EXIT_CODES.SCAN_FAILED);
+  }
   const startTime = Date.now();
   try {
-    // Initialize engine
     const engine = createEngine();
     // Run the actual engine scan (not mocked)

package/src/cli/index.ts ADDED Viewed

@@ -0,0 +1,137 @@
+#!/usr/bin/env bun
+import chalk from 'chalk';
+import { APP_NAME, APP_VERSION, EXIT_CODES } from '../shared/constants.js';
+import { ProgressLogger } from './progress.js';
+import { handleError } from './errors.js';
+import { scanCommand } from './commands/scan.js';
+import { reportCommand } from './commands/report.js';
+const logger = new ProgressLogger();
+function showHelp(): void {
+  console.log(`
+${chalk.bold.cyan(`⚡ ${APP_NAME} v${APP_VERSION}`)}
+${chalk.bold('USAGE')}
+  codeprobe <command> [options] [arguments]
+${chalk.bold('COMMANDS')}
+  scan [path]     Scan a repository for vulnerabilities (default: current dir)
+  report          Display last scan results
+  config          Manage configuration
+  help            Show this help message
+${chalk.bold('OPTIONS')}
+  --fix           Auto-fix vulnerabilities (creates git branch & commits)
+  --json          Output results as JSON
+  --verbose       Show detailed logs
+  --help          Show help
+${chalk.bold('EXAMPLES')}
+  codeprobe scan
+  codeprobe scan ./my-app
+  codeprobe scan --fix
+  codeprobe scan --json > report.json
+  codeprobe report
+  codeprobe config set bright_data_api_key <key>
+${chalk.bold('DOCS')}
+  https://github.com/codeprobe/codeprobe
+`);
+}
+async function main(): Promise<void> {
+  const args = process.argv.slice(2);
+  // No args = show help
+  if (args.length === 0) {
+    showHelp();
+    process.exit(EXIT_CODES.SUCCESS);
+  }
+  const command = args[0];
+  const restArgs = args.slice(1);
+  try {
+    switch (command) {
+      case 'scan':
+        await scanCommand(restArgs);
+        break;
+      case 'report':
+        await reportCommand(restArgs);
+        break;
+      case 'config':
+        await handleConfigCommand(restArgs);
+        break;
+      case '--help':
+      case '-h':
+      case 'help':
+        showHelp();
+        break;
+      default:
+        console.error(chalk.red(`Unknown command: ${command}`));
+        console.log(`Run ${chalk.cyan('codeprobe --help')} for usage`);
+        process.exit(EXIT_CODES.SCAN_FAILED);
+    }
+  } catch (error) {
+    handleError(error, logger, true);
+  }
+}
+async function handleConfigCommand(args: string[]): Promise<void> {
+  const { getConfig, setConfig, clearConfig } = await import('./config.js');
+  const subcommand = args[0];
+  switch (subcommand) {
+    case 'get':
+      {
+        const key = args[1];
+        if (!key) {
+          const config = await getConfig();
+          console.log(JSON.stringify(config, null, 2));
+        } else {
+          const value = await getConfig(key);
+          console.log(value || `${key} not set`);
+        }
+      }
+      break;
+    case 'set':
+      {
+        const key = args[1];
+        const value = args[2];
+        if (!key || !value) {
+          console.error(chalk.red('Usage: codeprobe config set <key> <value>'));
+          process.exit(EXIT_CODES.SCAN_FAILED);
+        }
+        await setConfig(key, value);
+      }
+      break;
+    case 'clear':
+      {
+        const key = args[1];
+        if (!key) {
+          console.error(chalk.red('Usage: codeprobe config clear <key>'));
+          process.exit(EXIT_CODES.SCAN_FAILED);
+        }
+        await clearConfig(key);
+      }
+      break;
+    default:
+      console.error(chalk.red(`Unknown config subcommand: ${subcommand}`));
+      console.log(`Usage: codeprobe config [get|set|clear]`);
+      process.exit(EXIT_CODES.SCAN_FAILED);
+  }
+}
+main().catch((error) => {
+  handleError(error, logger, true);
+});

package/src/engine/index.ts ADDED Viewed

@@ -0,0 +1,90 @@
+import { createParser } from "./parser";
+import { createScraper } from "./scraper";
+import { createSandbox } from "./sandbox";
+import { createMatcher } from "./matcher";
+import { createPatcher } from "./patcher";
+import { createReportBuilder } from "./report";
+import { Report } from "../shared/types";
+export class CodeProbeEngine {
+  private parser = createParser();
+  private scraper = createScraper();
+  private sandbox = createSandbox();
+  private matcher = createMatcher();
+  private patcher = createPatcher();
+  private reportBuilder = createReportBuilder();
+  getVideoRecorder() {
+    return this.sandbox.getVideoRecorder();
+  }
+  async scan(repoPath: string): Promise<Report> {
+    const startTime = Date.now();
+    try {
+      // Step 1: Parse dependencies
+      console.log("📦 Parsing dependencies...");
+      const dependencies = await this.parser.parseDependencies(repoPath);
+      console.log(`   Found ${dependencies.length} dependencies`);
+      // Step 2: Scrape CVEs (Bright Data)
+      console.log("\x1b[33m[Bright Data]\x1b[0m 🔍 Scraping CVE data from NVD, Exploit-DB, Snyk...");
+      const cves = await this.scraper.scrapeAll(dependencies);
+      console.log(`   Found ${cves.length} CVEs`);
+      // Step 3: Match dependencies to CVEs
+      console.log("🎯 Matching dependencies to CVEs...");
+      const matchedCves = this.matcher.matchDependenciesToCVEs(dependencies, cves);
+      console.log(`   Matched ${matchedCves.length} CVEs`);
+      // Step 4: Filter CRITICAL/HIGH for sandbox verification
+      const criticalCves = this.matcher.filterBySeverity(matchedCves, "HIGH");
+      console.log(`   Testing ${criticalCves.length} critical/high severity CVEs...`);
+      // Step 5: Run exploit verification in sandboxes (Daytona)
+      const exploits = criticalCves.map((cve) => ({
+        packageName: cve.package,
+        version: cve.version_vulnerable,
+        cveId: cve.id,
+      }));
+      console.log("\x1b[33m[Daytona]\x1b[0m 🏗️  Spawning isolated sandboxes for exploit verification...");
+      const sandboxResults = await this.sandbox.parallelRun(exploits);
+      // Step 6: Update CVEs with sandbox results
+      for (const cve of matchedCves) {
+        const sandboxResult = sandboxResults.get(cve.id);
+        if (sandboxResult) {
+          cve.exploitable = sandboxResult.success;
+          cve.exploit_evidence = sandboxResult.stdout;
+          cve.verification_time_ms = sandboxResult.time_ms;
+        }
+      }
+      // Step 7: Generate patches (Nosana)
+      console.log("\x1b[33m[Nosana]\x1b[0m 🔧 Generating patches with LLM...");
+      await this.patcher.loadPrebakedPatches();
+      const patches = await this.patcher.generateAllPatches(matchedCves.filter((c) => c.exploitable));
+      for (const cve of matchedCves) {
+        if (patches.has(cve.id)) {
+          cve.patch_diff = patches.get(cve.id);
+        }
+      }
+      // Step 8: Calculate risk score
+      const riskScore = this.matcher.calculateRiskScore(matchedCves);
+      // Step 9: Build and save report
+      const scanDuration = Date.now() - startTime;
+      const report = await this.reportBuilder.buildReport(repoPath, matchedCves, riskScore, scanDuration, dependencies.length);
+      await this.reportBuilder.saveReport(report);
+      return report;
+    } catch (error) {
+      throw new Error(`Scan failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+}
+export const createEngine = () => new CodeProbeEngine();

package/src/engine/patcher.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import { ScanCVE } from "../shared/types";
 import { PATHS, DEMO_CVE } from "../shared/constants";
 import axios from "axios";
+import { getConfig } from "../cli/config.js";
 interface PatchData {
   cve_id: string;
@@ -13,12 +14,14 @@ interface PatchData {
 export class PatchGenerator {
   private patches: Map<string, PatchData> = new Map();
-  private kimiApiKey: string;
-  private nosanaApiKey: string;
-  constructor() {
-    this.kimiApiKey = process.env.KIMI_API_KEY || "";
-    this.nosanaApiKey = process.env.NOSANA_API_KEY || "";
+  private kimiApiKey: string = "";
+  private nosanaApiKey: string = "";
+  private async resolveKeys(): Promise<void> {
+    this.kimiApiKey = process.env.KIMI_API_KEY
+      || (typeof await getConfig("kimi_api_key") === "string" ? await getConfig("kimi_api_key") as string : "");
+    this.nosanaApiKey = process.env.NOSANA_API_KEY
+      || (typeof await getConfig("nosana_api_key") === "string" ? await getConfig("nosana_api_key") as string : "");
   }
   async loadPrebakedPatches(): Promise<void> {
@@ -62,7 +65,8 @@ export class PatchGenerator {
   }
   async generatePatch(cve: ScanCVE): Promise<string | null> {
-    // Try to get prebaked patch first
+    await this.resolveKeys();
     const prebakedPatch = this.patches.get(cve.id);
     if (prebakedPatch) {
       cve.patch_diff = prebakedPatch.diff;

package/src/engine/sandbox.ts CHANGED Viewed

@@ -2,34 +2,36 @@ import { Daytona } from "@daytona/sdk";
 import { SandboxResult } from "../shared/types";
 import { TIMEOUTS, RETRY_CONFIG, DEMO_CVE } from "../shared/constants";
 import { createVideoDBRecorder } from "../integrations/videodb";
+import { getConfig } from "../cli/config.js";
 export class SandboxOrchestrator {
-  private apiKey: string;
+  private apiKey: string = "";
   private daytonaClient: Daytona | null = null;
   private useDaytona: boolean = false;
   private videoRecorder = createVideoDBRecorder();
-  constructor() {
-    this.apiKey = process.env.DAYTONA_API_KEY || "";
+  private async resolveApiKey(): Promise<string> {
+    if (process.env.DAYTONA_API_KEY) return process.env.DAYTONA_API_KEY;
+    const stored = await getConfig("daytona_api_key");
+    return typeof stored === "string" ? stored : "";
+  }
-    // Initialize Daytona if API key is available
+  async initialize(): Promise<void> {
+    this.apiKey = await this.resolveApiKey();
     if (this.apiKey && this.apiKey.startsWith("dtn_")) {
       try {
         this.daytonaClient = new Daytona({ apiKey: this.apiKey });
         this.useDaytona = true;
         console.log("[Daytona] ✓ Real sandbox enabled");
-      } catch (error) {
-        console.warn("[Daytona] ⚠️ Failed to initialize, will use local simulation:",
-          error instanceof Error ? error.message : String(error));
+      } catch {
         this.useDaytona = false;
       }
-    } else {
-      console.log("[Daytona] Using simulated sandbox (no API key provided)");
     }
   }
   async runExploit(packageName: string, version: string, cveId: string): Promise<SandboxResult> {
-    // Only support ejs RCE for now
+    if (!this.apiKey) await this.initialize();
     if (packageName === DEMO_CVE.package && cveId === DEMO_CVE.id) {
       if (this.useDaytona && this.daytonaClient) {
         return await this.runEjsWithDaytona(version);

package/src/engine/scraper.ts CHANGED Viewed

@@ -1,27 +1,33 @@
 import axios from "axios";
 import { CVE, ScrapeResult } from "../shared/types";
 import { API_ENDPOINTS, TIMEOUTS, PATHS, DEMO_CVE } from "../shared/constants";
+import { getConfig } from "../cli/config.js";
 export class CVEScraper {
-  private apiKey: string;
+  private apiKey: string = "";
   private cache: Map<string, CVE> = new Map();
-  constructor() {
-    this.apiKey = process.env.BRIGHT_DATA_API_KEY || "";
+  private async resolveApiKey(): Promise<string> {
+    if (process.env.BRIGHT_DATA_API_KEY) return process.env.BRIGHT_DATA_API_KEY;
+    const stored = await getConfig("bright_data_api_key");
+    return typeof stored === "string" ? stored : "";
   }
   async scrapeForCVEs(packageName: string, version: string): Promise<CVE[]> {
-    // For MVP, we'll focus on the demo CVE (ejs)
+    this.apiKey = await this.resolveApiKey();
     if (packageName === DEMO_CVE.package) {
       return [this.buildDemoCVE()];
     }
-    // For other packages, try to fetch from Bright Data or use fallback
+    if (!this.apiKey) {
+      return [];
+    }
     try {
       return await this.fetchFromBrightData(packageName, version);
     } catch (error) {
-      console.warn(`Bright Data fetch failed for ${packageName}: using cache`);
-      return await this.loadFromCache();
+      return [];
     }
   }