codeprobe-scanner 1.0.7 → 1.0.9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeprobe-scanner",
-  "version": "1.0.7",
+  "version": "1.0.9",
   "description": "Automated vulnerability scanner with exploit verification and video evidence",
   "type": "module",
   "bin": {

package/src/cli/commands/scan.ts

@@ -8,7 +8,7 @@ import { handleError, CodeProbeError } from '../errors.js';
 import { generateScanId, formatRiskScore, msToHuman } from '../../shared/utils.js';
 import { Report } from '../../shared/types.js';
 import { createEngine } from '../../engine/index.js';
-import { getConfig } from '../config.js';
+import { createScraper } from '../../engine/scraper.js';
 
 interface ScanOptions {
   fix: boolean;
@@ -105,23 +105,6 @@ export async function scanCommand(args: string[]): Promise<void> {
 
   logger.printHeader();
 
-  // Check for required API key
-  const brightDataKey = process.env.BRIGHT_DATA_API_KEY || await getConfig("bright_data_api_key");
-  if (!brightDataKey) {
-    console.log(chalk.yellow('\n⚠️  No Bright Data API key configured.'));
-    console.log(chalk.dim('   CVE lookup requires a Bright Data account (free tier available).'));
-    console.log(chalk.dim('   Get a key at: https://brightdata.com'));
-    console.log('');
-    console.log(chalk.cyan('   To configure:'));
-    console.log(chalk.white('   codeprobe config set bright_data_api_key <your-key>'));
-    console.log('');
-    console.log(chalk.dim('   Optional keys for full functionality:'));
-    console.log(chalk.dim('   codeprobe config set daytona_api_key <key>    # exploit verification'));
-    console.log(chalk.dim('   codeprobe config set kimi_api_key <key>       # AI patch generation'));
-    console.log('');
-    process.exit(EXIT_CODES.SCAN_FAILED);
-  }
-
   const startTime = Date.now();
 
   try {
@@ -139,6 +122,31 @@ export async function scanCommand(args: string[]): Promise<void> {
     // Display results
     displayReport(report, options.json, duration);
 
+    // Show recent npm threats from GitHub Advisory Database
+    if (!options.json) {
+      try {
+        const scraper = createScraper();
+        const threats = await scraper.fetchRecentThreats();
+        if (threats.length > 0) {
+          console.log(chalk.bold('\n🌐 Recent npm Security Threats (GitHub Advisory Database):'));
+          console.log(chalk.gray('─'.repeat(60)));
+          for (const t of threats.slice(0, 5)) {
+            const sev = t.severity === 'CRITICAL' ? chalk.red(t.severity)
+              : t.severity === 'HIGH' ? chalk.yellow(t.severity)
+              : chalk.blue(t.severity);
+            console.log(`  ${sev} ${chalk.bold(t.title)}`);
+            if (t.packages.length > 0) {
+              console.log(chalk.dim(`    Packages: ${t.packages.join(', ')}`));
+            }
+            console.log(chalk.dim(`    ${t.published?.slice(0, 10)} · ${t.url}`));
+          }
+          console.log('');
+        }
+      } catch {
+        // Non-fatal — threats feed is best-effort
+      }
+    }
+
     // If --fix, handle that next
     if (options.fix) {
       const { scanWithFixCommand } = await import('./scan-with-fix.js');

package/src/cli/index.ts

@@ -0,0 +1,137 @@
+#!/usr/bin/env bun
+
+import chalk from 'chalk';
+import { APP_NAME, APP_VERSION, EXIT_CODES } from '../shared/constants.js';
+import { ProgressLogger } from './progress.js';
+import { handleError } from './errors.js';
+import { scanCommand } from './commands/scan.js';
+import { reportCommand } from './commands/report.js';
+
+const logger = new ProgressLogger();
+
+function showHelp(): void {
+  console.log(`
+${chalk.bold.cyan(`⚡ ${APP_NAME} v${APP_VERSION}`)}
+
+${chalk.bold('USAGE')}
+  codeprobe <command> [options] [arguments]
+
+${chalk.bold('COMMANDS')}
+  scan [path]     Scan a repository for vulnerabilities (default: current dir)
+  report          Display last scan results
+  config          Manage configuration
+  help            Show this help message
+
+${chalk.bold('OPTIONS')}
+  --fix           Auto-fix vulnerabilities (creates git branch & commits)
+  --json          Output results as JSON
+  --verbose       Show detailed logs
+  --help          Show help
+
+${chalk.bold('EXAMPLES')}
+  codeprobe scan
+  codeprobe scan ./my-app
+  codeprobe scan --fix
+  codeprobe scan --json > report.json
+  codeprobe report
+  codeprobe config set bright_data_api_key <key>
+
+${chalk.bold('DOCS')}
+  https://github.com/codeprobe/codeprobe
+`);
+}
+
+async function main(): Promise<void> {
+  const args = process.argv.slice(2);
+
+  // No args = show help
+  if (args.length === 0) {
+    showHelp();
+    process.exit(EXIT_CODES.SUCCESS);
+  }
+
+  const command = args[0];
+  const restArgs = args.slice(1);
+
+  try {
+    switch (command) {
+      case 'scan':
+        await scanCommand(restArgs);
+        break;
+
+      case 'report':
+        await reportCommand(restArgs);
+        break;
+
+      case 'config':
+        await handleConfigCommand(restArgs);
+        break;
+
+      case '--help':
+      case '-h':
+      case 'help':
+        showHelp();
+        break;
+
+      default:
+        console.error(chalk.red(`Unknown command: ${command}`));
+        console.log(`Run ${chalk.cyan('codeprobe --help')} for usage`);
+        process.exit(EXIT_CODES.SCAN_FAILED);
+    }
+  } catch (error) {
+    handleError(error, logger, true);
+  }
+}
+
+async function handleConfigCommand(args: string[]): Promise<void> {
+  const { getConfig, setConfig, clearConfig } = await import('./config.js');
+
+  const subcommand = args[0];
+
+  switch (subcommand) {
+    case 'get':
+      {
+        const key = args[1];
+        if (!key) {
+          const config = await getConfig();
+          console.log(JSON.stringify(config, null, 2));
+        } else {
+          const value = await getConfig(key);
+          console.log(value || `${key} not set`);
+        }
+      }
+      break;
+
+    case 'set':
+      {
+        const key = args[1];
+        const value = args[2];
+        if (!key || !value) {
+          console.error(chalk.red('Usage: codeprobe config set <key> <value>'));
+          process.exit(EXIT_CODES.SCAN_FAILED);
+        }
+        await setConfig(key, value);
+      }
+      break;
+
+    case 'clear':
+      {
+        const key = args[1];
+        if (!key) {
+          console.error(chalk.red('Usage: codeprobe config clear <key>'));
+          process.exit(EXIT_CODES.SCAN_FAILED);
+        }
+        await clearConfig(key);
+      }
+      break;
+
+    default:
+      console.error(chalk.red(`Unknown config subcommand: ${subcommand}`));
+      console.log(`Usage: codeprobe config [get|set|clear]`);
+      process.exit(EXIT_CODES.SCAN_FAILED);
+  }
+}
+
+main().catch((error) => {
+  handleError(error, logger, true);
+});

package/src/engine/index.ts

@@ -0,0 +1,90 @@
+import { createParser } from "./parser";
+import { createScraper } from "./scraper";
+import { createSandbox } from "./sandbox";
+import { createMatcher } from "./matcher";
+import { createPatcher } from "./patcher";
+import { createReportBuilder } from "./report";
+import { Report } from "../shared/types";
+
+export class CodeProbeEngine {
+  private parser = createParser();
+  private scraper = createScraper();
+  private sandbox = createSandbox();
+  private matcher = createMatcher();
+  private patcher = createPatcher();
+  private reportBuilder = createReportBuilder();
+
+  getVideoRecorder() {
+    return this.sandbox.getVideoRecorder();
+  }
+
+  async scan(repoPath: string): Promise<Report> {
+    const startTime = Date.now();
+
+    try {
+      // Step 1: Parse dependencies
+      console.log("📦 Parsing dependencies...");
+      const dependencies = await this.parser.parseDependencies(repoPath);
+      console.log(`   Found ${dependencies.length} dependencies`);
+
+      // Step 2: Scrape CVEs from OSV.dev + npm audit
+      console.log("🔍 Checking OSV.dev + npm advisory database...");
+      const cves = await this.scraper.scrapeAll(dependencies);
+      console.log(`   Found ${cves.length} CVEs`);
+
+      // Step 3: Match dependencies to CVEs
+      console.log("🎯 Matching dependencies to CVEs...");
+      const matchedCves = this.matcher.matchDependenciesToCVEs(dependencies, cves);
+      console.log(`   Matched ${matchedCves.length} CVEs`);
+
+      // Step 4: Filter CRITICAL/HIGH for sandbox verification
+      const criticalCves = this.matcher.filterBySeverity(matchedCves, "HIGH");
+      console.log(`   Testing ${criticalCves.length} critical/high severity CVEs...`);
+
+      // Step 5: Run exploit verification in sandboxes (Daytona)
+      const exploits = criticalCves.map((cve) => ({
+        packageName: cve.package,
+        version: cve.version_vulnerable,
+        cveId: cve.id,
+      }));
+
+      console.log("\x1b[33m[Daytona]\x1b[0m 🏗️  Spawning isolated sandboxes for exploit verification...");
+      const sandboxResults = await this.sandbox.parallelRun(exploits);
+
+      // Step 6: Update CVEs with sandbox results
+      for (const cve of matchedCves) {
+        const sandboxResult = sandboxResults.get(cve.id);
+        if (sandboxResult) {
+          cve.exploitable = sandboxResult.success;
+          cve.exploit_evidence = sandboxResult.stdout;
+          cve.verification_time_ms = sandboxResult.time_ms;
+        }
+      }
+
+      // Step 7: Generate patches (Nosana)
+      console.log("\x1b[33m[Nosana]\x1b[0m 🔧 Generating patches with LLM...");
+      await this.patcher.loadPrebakedPatches();
+      const patches = await this.patcher.generateAllPatches(matchedCves.filter((c) => c.exploitable));
+      for (const cve of matchedCves) {
+        if (patches.has(cve.id)) {
+          cve.patch_diff = patches.get(cve.id);
+        }
+      }
+
+      // Step 8: Calculate risk score
+      const riskScore = this.matcher.calculateRiskScore(matchedCves);
+
+      // Step 9: Build and save report
+      const scanDuration = Date.now() - startTime;
+      const report = await this.reportBuilder.buildReport(repoPath, matchedCves, riskScore, scanDuration, dependencies.length);
+
+      await this.reportBuilder.saveReport(report);
+
+      return report;
+    } catch (error) {
+      throw new Error(`Scan failed: ${error instanceof Error ? error.message : String(error)}`);
+    }
+  }
+}
+
+export const createEngine = () => new CodeProbeEngine();

package/src/engine/scraper.ts

@@ -1,34 +1,111 @@
 import axios from "axios";
-import { CVE, ScrapeResult } from "../shared/types";
-import { API_ENDPOINTS, TIMEOUTS, PATHS, DEMO_CVE } from "../shared/constants";
-import { getConfig } from "../cli/config.js";
+import { CVE } from "../shared/types";
+import { DEMO_CVE } from "../shared/constants";
+
+const OSV_API = "https://api.osv.dev/v1";
+const GITHUB_ADVISORY_API = "https://api.github.com/advisories";
+
+export interface ThreatIntel {
+  id: string;
+  title: string;
+  severity: string;
+  packages: string[];
+  published: string;
+  url: string;
+  summary: string;
+}
 
 export class CVEScraper {
-  private apiKey: string = "";
-  private cache: Map<string, CVE> = new Map();
+  // Query OSV.dev — exact package+version match, no false positives
+  private async queryOSV(packageName: string, version: string): Promise<CVE[]> {
+    try {
+      const response = await axios.post(
+        `${OSV_API}/query`,
+        {
+          package: { name: packageName, ecosystem: "npm" },
+          version,
+        },
+        { timeout: 10000, headers: { "Content-Type": "application/json" } }
+      );
 
-  private async resolveApiKey(): Promise<string> {
-    if (process.env.BRIGHT_DATA_API_KEY) return process.env.BRIGHT_DATA_API_KEY;
-    const stored = await getConfig("bright_data_api_key");
-    return typeof stored === "string" ? stored : "";
+      const vulns = response.data?.vulns;
+      if (!Array.isArray(vulns)) return [];
+
+      return vulns.map((v: any) => {
+        const severity = v.severity?.[0]?.score || v.database_specific?.severity || "MEDIUM";
+        const cvss = typeof severity === "number" ? severity : this.severityToScore(severity);
+        const aliases: string[] = v.aliases || [];
+        const cveId = aliases.find((a: string) => a.startsWith("CVE-")) || v.id;
+
+        return {
+          id: cveId,
+          package: packageName,
+          affected_versions: [version],
+          fixed_version: this.extractFixedVersion(v, packageName),
+          severity: this.normalizeSeverity(severity),
+          cvss,
+          description: v.details || v.summary || "",
+          cwe: v.database_specific?.cwe_ids?.[0] || "",
+          exploit_url: `https://osv.dev/vulnerability/${v.id}`,
+        } as CVE;
+      });
+    } catch {
+      return [];
+    }
   }
 
-  async scrapeForCVEs(packageName: string, version: string): Promise<CVE[]> {
-    this.apiKey = await this.resolveApiKey();
+  // Fetch recent npm security threats from GitHub Advisory Database
+  async fetchRecentThreats(): Promise<ThreatIntel[]> {
+    try {
+      const response = await axios.get(GITHUB_ADVISORY_API, {
+        params: {
+          ecosystem: "npm",
+          per_page: 10,
+          sort: "published",
+          direction: "desc",
+        },
+        timeout: 10000,
+        headers: { Accept: "application/vnd.github+json" },
+      });
+
+      return (response.data || []).map((a: any) => ({
+        id: a.ghsa_id,
+        title: a.summary || a.ghsa_id,
+        severity: a.severity?.toUpperCase() || "UNKNOWN",
+        packages: (a.vulnerabilities || []).map((v: any) => v.package?.name).filter(Boolean),
+        published: a.published_at,
+        url: a.html_url || `https://github.com/advisories/${a.ghsa_id}`,
+        summary: a.description?.substring(0, 200) || "",
+      }));
+    } catch {
+      return [];
+    }
+  }
 
+  async scrapeForCVEs(packageName: string, version: string): Promise<CVE[]> {
     if (packageName === DEMO_CVE.package) {
       return [this.buildDemoCVE()];
     }
+    return await this.queryOSV(packageName, version);
+  }
 
-    if (!this.apiKey) {
-      return [];
-    }
-
-    try {
-      return await this.fetchFromBrightData(packageName, version);
-    } catch (error) {
-      return [];
+  async scrapeAll(
+    dependencies: Array<{ name: string; version: string }>
+  ): Promise<CVE[]> {
+    const results = await Promise.all(
+      dependencies.map(dep => this.scrapeForCVEs(dep.name, dep.version))
+    );
+    const seen = new Set<string>();
+    const allCVEs: CVE[] = [];
+    for (const cves of results) {
+      for (const cve of cves) {
+        if (!seen.has(cve.id)) {
+          seen.add(cve.id);
+          allCVEs.push(cve);
+        }
+      }
     }
+    return allCVEs;
   }
 
   private buildDemoCVE(): CVE {
@@ -41,87 +118,38 @@ export class CVEScraper {
       cvss: DEMO_CVE.cvss,
       description: DEMO_CVE.description,
       cwe: "CWE-94",
-      exploit_url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078",
+      exploit_url: `https://nvd.nist.gov/vuln/detail/${DEMO_CVE.id}`,
     };
   }
 
-  private async fetchFromBrightData(packageName: string, version: string): Promise<CVE[]> {
-    try {
-      // Use Bright Data Scraper API with Bearer token authentication
-      // For NVD data, we'll use the public NVD API endpoint with Bright Data proxy/unblocking
-      console.log(`[Bright Data] Scraping ${packageName} from NVD...`);
-
-      const response = await axios.get(
-        `${API_ENDPOINTS.NVD}?keyword=${packageName}`,
-        {
-          headers: {
-            Authorization: `Bearer ${this.apiKey}`,
-            "Accept": "application/json",
-          },
-          timeout: TIMEOUTS.BRIGHT_DATA_SCRAPE,
+  private extractFixedVersion(vuln: any, packageName: string): string {
+    const affected = vuln.affected || [];
+    for (const a of affected) {
+      if (a.package?.name === packageName) {
+        for (const range of a.ranges || []) {
+          for (const event of range.events || []) {
+            if (event.fixed) return event.fixed;
+          }
         }
-      );
-
-      if (response.data?.vulnerabilities && Array.isArray(response.data.vulnerabilities)) {
-        return response.data.vulnerabilities
-          .filter((vuln: any) => {
-            const affectedProducts = vuln.cve?.configurations?.[0]?.nodes?.flatMap((n: any) =>
-              n.cpeMatch?.map((m: any) => m.criteria) || []
-            ) || [];
-            return affectedProducts.some((p: string) => p?.includes(packageName));
-          })
-          .map((vuln: any) => {
-            const descriptions = vuln.cve?.descriptions || [];
-            return {
-              id: vuln.id,
-              package: packageName,
-              affected_versions: [version],
-              fixed_version: "",
-              severity: vuln.impact?.baseSeverity || "MEDIUM",
-              cvss: vuln.impact?.baseScore || 5.0,
-              description: descriptions[0]?.value || "",
-              cwe: vuln.cve?.weaknesses?.[0]?.source || "",
-              exploit_url: `https://nvd.nist.gov/vuln/detail/${vuln.id}`,
-            };
-          })
-          .slice(0, 5); // Limit to top 5 results
       }
-
-      return [];
-    } catch (error) {
-      // Bright Data failed, will fall back to cache
-      console.warn(`[Bright Data] Scraping failed: ${error instanceof Error ? error.message : String(error)}`);
-      throw new Error(`Bright Data API call failed: ${error instanceof Error ? error.message : String(error)}`);
     }
+    return "";
   }
 
-  private async loadFromCache(): Promise<CVE[]> {
-    try {
-      const cacheFile = Bun.file(PATHS.CACHE_FILE);
-      const exists = await cacheFile.exists();
-
-      if (exists) {
-        const content = await cacheFile.text();
-        const cacheData = JSON.parse(content);
-        return cacheData.cves || [];
-      }
-    } catch (error) {
-      console.warn("Failed to load CVE cache:", error);
-    }
-
-    // Return at least the demo CVE
-    return [this.buildDemoCVE()];
+  private normalizeSeverity(s: string): "CRITICAL" | "HIGH" | "MEDIUM" | "LOW" {
+    const upper = (s || "").toUpperCase();
+    if (upper === "CRITICAL") return "CRITICAL";
+    if (upper === "HIGH") return "HIGH";
+    if (upper === "LOW") return "LOW";
+    return "MEDIUM";
   }
 
-  async scrapeAll(dependencies: Array<{ name: string; version: string }>): Promise<CVE[]> {
-    const allCVEs: CVE[] = [];
-
-    for (const dep of dependencies) {
-      const cves = await this.scrapeForCVEs(dep.name, dep.version);
-      allCVEs.push(...cves);
-    }
-
-    return allCVEs;
+  private severityToScore(s: string): number {
+    const upper = (s || "").toUpperCase();
+    if (upper === "CRITICAL") return 9.0;
+    if (upper === "HIGH") return 7.5;
+    if (upper === "LOW") return 3.0;
+    return 5.0;
   }
 }