codeprobe-scanner 1.0.8 → 1.0.10

package/README.md

@@ -1,15 +1,168 @@
-# codeprobe
+# CodeProbe
 
-To install dependencies:
+Automated vulnerability scanner for Node.js projects. Scans your `package.json` dependencies against live security databases, verifies exploits in isolated sandboxes, generates AI patches, and shows you what's trending in npm security right now.
+
+```
+npx codeprobe-scanner scan .
+```
+
+---
+
+## What it does
+
+1. **Scans your dependencies** — reads `package.json` and checks every package against [OSV.dev](https://osv.dev) (the same database behind `npm audit`)
+2. **Verifies exploits** — spins up isolated [Daytona](https://daytona.io) sandboxes to confirm whether a CVE is actually exploitable in your version, not just theoretical
+3. **Generates patches** — uses Kimi AI to produce a version-bump diff for exploitable vulnerabilities
+4. **Shows recent threats** — pulls the latest npm security advisories from GitHub's Advisory Database so you can see what attacks are trending
+
+---
+
+## Install
+
+```bash
+npm install -g codeprobe-scanner
+```
+
+Or run without installing:
+
+```bash
+npx codeprobe-scanner scan .
+```
+
+Requires [Bun](https://bun.sh) — installed automatically if not present.
+
+---
+
+## Usage
+
+### Scan a project
 
 ```bash
-bun install
+codeprobe scan .
+codeprobe scan ./my-app
 ```
 
-To run:
+Output:
+
+```
+⚡ CodeProbe v1.0.0
+📦 Parsing dependencies...
+   Found 11 dependencies
+🔍 Checking OSV.dev + npm advisory database...
+   Found 3 CVEs
+🎯 Matching dependencies to CVEs...
+
+SCAN COMPLETE
+Risk Score: 6.4/10 (MEDIUM)
+
+CVE Details:
+  CVE-2024-39338: axios 1.6.5 [HIGH] ~ Theoretical Risk
+  CVE-2023-45133: babel 7.22.0 [CRITICAL] ✓ CONFIRMED EXPLOITABLE
+  ...
+
+🌐 Recent npm Security Threats:
+  HIGH  esbuild: Missing binary integrity verification enables RCE
+  HIGH  Budibase: Auth bypass on webhook schema endpoint
+  ...
+```
+
+### Scan and auto-fix
 
 ```bash
-bun run index.ts
+codeprobe scan . --fix
 ```
 
-This project was created using `bun init` in bun v1.3.14. [Bun](https://bun.com) is a fast all-in-one JavaScript runtime.
+Walks you through each vulnerability interactively. For each one you approve, it:
+- Updates the version in `package.json`
+- Creates a git branch (`codeprobe-security-fixes-<timestamp>`)
+- Commits and pushes
+- Opens a pull request via GitHub CLI
+
+### Other commands
+
+```bash
+codeprobe report                  # show last scan results again
+codeprobe scan . --json           # JSON output (for CI pipelines)
+codeprobe scan . --verbose        # detailed logs
+codeprobe config get              # show stored config
+```
+
+---
+
+## Configuration
+
+No API keys are required for basic scanning — OSV.dev and the GitHub Advisory Database are free public APIs.
+
+For exploit verification and AI patch generation, configure optional keys once:
+
+```bash
+codeprobe config set daytona_api_key <key>    # sandbox exploit verification
+codeprobe config set kimi_api_key <key>       # AI patch generation
+codeprobe config set nosana_api_key <key>     # backup LLM for patches
+```
+
+Keys are stored encrypted at `~/.codeprobe/config.json`. You can also pass them as environment variables:
+
+```bash
+DAYTONA_API_KEY=xxx KIMI_API_KEY=xxx codeprobe scan .
+```
+
+| Key | Where to get it | What it enables |
+|-----|----------------|-----------------|
+| `DAYTONA_API_KEY` | [daytona.io](https://daytona.io) | Confirms if CVEs are truly exploitable |
+| `KIMI_API_KEY` | [aimlapi.com](https://aimlapi.com) | AI-generated patch diffs |
+| `NOSANA_API_KEY` | [nosana.io](https://nosana.io) | Backup LLM for patches |
+
+---
+
+## CI / GitHub Actions
+
+```yaml
+- name: Security scan
+  run: npx codeprobe-scanner scan . --json > security-report.json
+
+- name: Fail on exploitable CVEs
+  run: npx codeprobe-scanner scan .
+  # exits with code 1 if exploitable CVEs found
+```
+
+---
+
+## Exit codes
+
+| Code | Meaning |
+|------|---------|
+| `0` | No vulnerabilities found |
+| `1` | Vulnerabilities found |
+| `2` | Scan error |
+
+---
+
+## How it works
+
+```
+package.json
+     │
+     ▼
+ Parse deps          (reads your dependencies + exact versions)
+     │
+     ▼
+ OSV.dev query       (exact version match — no false positives)
+     │
+     ▼
+ Daytona sandbox     (runs the exploit in isolation to confirm)
+     │
+     ▼
+ Kimi / Nosana       (generates a patch diff via AI)
+     │
+     ▼
+ Report + PR         (shows results, optionally opens a fix PR)
+```
+
+No source code is sent to any external service. Only package names and versions are used for lookups.
+
+---
+
+## License
+
+MIT

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeprobe-scanner",
-  "version": "1.0.8",
+  "version": "1.0.10",
   "description": "Automated vulnerability scanner with exploit verification and video evidence",
   "type": "module",
   "bin": {

package/src/cli/commands/scan.ts

@@ -8,7 +8,7 @@ import { handleError, CodeProbeError } from '../errors.js';
 import { generateScanId, formatRiskScore, msToHuman } from '../../shared/utils.js';
 import { Report } from '../../shared/types.js';
 import { createEngine } from '../../engine/index.js';
-import { getConfig } from '../config.js';
+import { createScraper } from '../../engine/scraper.js';
 
 interface ScanOptions {
   fix: boolean;
@@ -105,23 +105,6 @@ export async function scanCommand(args: string[]): Promise<void> {
 
   logger.printHeader();
 
-  // Check for required API key
-  const brightDataKey = process.env.BRIGHT_DATA_API_KEY || await getConfig("bright_data_api_key");
-  if (!brightDataKey) {
-    console.log(chalk.yellow('\n⚠️  No Bright Data API key configured.'));
-    console.log(chalk.dim('   CVE lookup requires a Bright Data account (free tier available).'));
-    console.log(chalk.dim('   Get a key at: https://brightdata.com'));
-    console.log('');
-    console.log(chalk.cyan('   To configure:'));
-    console.log(chalk.white('   codeprobe config set bright_data_api_key <your-key>'));
-    console.log('');
-    console.log(chalk.dim('   Optional keys for full functionality:'));
-    console.log(chalk.dim('   codeprobe config set daytona_api_key <key>    # exploit verification'));
-    console.log(chalk.dim('   codeprobe config set kimi_api_key <key>       # AI patch generation'));
-    console.log('');
-    process.exit(EXIT_CODES.SCAN_FAILED);
-  }
-
   const startTime = Date.now();
 
   try {
@@ -139,6 +122,31 @@ export async function scanCommand(args: string[]): Promise<void> {
     // Display results
     displayReport(report, options.json, duration);
 
+    // Show recent npm threats from GitHub Advisory Database
+    if (!options.json) {
+      try {
+        const scraper = createScraper();
+        const threats = await scraper.fetchRecentThreats();
+        if (threats.length > 0) {
+          console.log(chalk.bold('\n🌐 Recent npm Security Threats (GitHub Advisory Database):'));
+          console.log(chalk.gray('─'.repeat(60)));
+          for (const t of threats.slice(0, 5)) {
+            const sev = t.severity === 'CRITICAL' ? chalk.red(t.severity)
+              : t.severity === 'HIGH' ? chalk.yellow(t.severity)
+              : chalk.blue(t.severity);
+            console.log(`  ${sev} ${chalk.bold(t.title)}`);
+            if (t.packages.length > 0) {
+              console.log(chalk.dim(`    Packages: ${t.packages.join(', ')}`));
+            }
+            console.log(chalk.dim(`    ${t.published?.slice(0, 10)} · ${t.url}`));
+          }
+          console.log('');
+        }
+      } catch {
+        // Non-fatal — threats feed is best-effort
+      }
+    }
+
     // If --fix, handle that next
     if (options.fix) {
       const { scanWithFixCommand } = await import('./scan-with-fix.js');

package/src/engine/index.ts

@@ -27,8 +27,8 @@ export class CodeProbeEngine {
       const dependencies = await this.parser.parseDependencies(repoPath);
       console.log(`   Found ${dependencies.length} dependencies`);
 
-      // Step 2: Scrape CVEs (Bright Data)
-      console.log("\x1b[33m[Bright Data]\x1b[0m 🔍 Scraping CVE data from NVD, Exploit-DB, Snyk...");
+      // Step 2: Scrape CVEs from OSV.dev + npm audit
+      console.log("🔍 Checking OSV.dev + npm advisory database...");
       const cves = await this.scraper.scrapeAll(dependencies);
       console.log(`   Found ${cves.length} CVEs`);
 

package/src/engine/scraper.ts

@@ -1,34 +1,111 @@
 import axios from "axios";
-import { CVE, ScrapeResult } from "../shared/types";
-import { API_ENDPOINTS, TIMEOUTS, PATHS, DEMO_CVE } from "../shared/constants";
-import { getConfig } from "../cli/config.js";
+import { CVE } from "../shared/types";
+import { DEMO_CVE } from "../shared/constants";
+
+const OSV_API = "https://api.osv.dev/v1";
+const GITHUB_ADVISORY_API = "https://api.github.com/advisories";
+
+export interface ThreatIntel {
+  id: string;
+  title: string;
+  severity: string;
+  packages: string[];
+  published: string;
+  url: string;
+  summary: string;
+}
 
 export class CVEScraper {
-  private apiKey: string = "";
-  private cache: Map<string, CVE> = new Map();
+  // Query OSV.dev — exact package+version match, no false positives
+  private async queryOSV(packageName: string, version: string): Promise<CVE[]> {
+    try {
+      const response = await axios.post(
+        `${OSV_API}/query`,
+        {
+          package: { name: packageName, ecosystem: "npm" },
+          version,
+        },
+        { timeout: 10000, headers: { "Content-Type": "application/json" } }
+      );
 
-  private async resolveApiKey(): Promise<string> {
-    if (process.env.BRIGHT_DATA_API_KEY) return process.env.BRIGHT_DATA_API_KEY;
-    const stored = await getConfig("bright_data_api_key");
-    return typeof stored === "string" ? stored : "";
+      const vulns = response.data?.vulns;
+      if (!Array.isArray(vulns)) return [];
+
+      return vulns.map((v: any) => {
+        const severity = v.severity?.[0]?.score || v.database_specific?.severity || "MEDIUM";
+        const cvss = typeof severity === "number" ? severity : this.severityToScore(severity);
+        const aliases: string[] = v.aliases || [];
+        const cveId = aliases.find((a: string) => a.startsWith("CVE-")) || v.id;
+
+        return {
+          id: cveId,
+          package: packageName,
+          affected_versions: [version],
+          fixed_version: this.extractFixedVersion(v, packageName),
+          severity: this.normalizeSeverity(severity),
+          cvss,
+          description: v.details || v.summary || "",
+          cwe: v.database_specific?.cwe_ids?.[0] || "",
+          exploit_url: `https://osv.dev/vulnerability/${v.id}`,
+        } as CVE;
+      });
+    } catch {
+      return [];
+    }
   }
 
-  async scrapeForCVEs(packageName: string, version: string): Promise<CVE[]> {
-    this.apiKey = await this.resolveApiKey();
+  // Fetch recent npm security threats from GitHub Advisory Database
+  async fetchRecentThreats(): Promise<ThreatIntel[]> {
+    try {
+      const response = await axios.get(GITHUB_ADVISORY_API, {
+        params: {
+          ecosystem: "npm",
+          per_page: 10,
+          sort: "published",
+          direction: "desc",
+        },
+        timeout: 10000,
+        headers: { Accept: "application/vnd.github+json" },
+      });
+
+      return (response.data || []).map((a: any) => ({
+        id: a.ghsa_id,
+        title: a.summary || a.ghsa_id,
+        severity: a.severity?.toUpperCase() || "UNKNOWN",
+        packages: (a.vulnerabilities || []).map((v: any) => v.package?.name).filter(Boolean),
+        published: a.published_at,
+        url: a.html_url || `https://github.com/advisories/${a.ghsa_id}`,
+        summary: a.description?.substring(0, 200) || "",
+      }));
+    } catch {
+      return [];
+    }
+  }
 
+  async scrapeForCVEs(packageName: string, version: string): Promise<CVE[]> {
     if (packageName === DEMO_CVE.package) {
       return [this.buildDemoCVE()];
     }
+    return await this.queryOSV(packageName, version);
+  }
 
-    if (!this.apiKey) {
-      return [];
-    }
-
-    try {
-      return await this.fetchFromBrightData(packageName, version);
-    } catch (error) {
-      return [];
+  async scrapeAll(
+    dependencies: Array<{ name: string; version: string }>
+  ): Promise<CVE[]> {
+    const results = await Promise.all(
+      dependencies.map(dep => this.scrapeForCVEs(dep.name, dep.version))
+    );
+    const seen = new Set<string>();
+    const allCVEs: CVE[] = [];
+    for (const cves of results) {
+      for (const cve of cves) {
+        if (!seen.has(cve.id)) {
+          seen.add(cve.id);
+          allCVEs.push(cve);
+        }
+      }
     }
+    return allCVEs;
   }
 
   private buildDemoCVE(): CVE {
@@ -41,87 +118,38 @@ export class CVEScraper {
       cvss: DEMO_CVE.cvss,
       description: DEMO_CVE.description,
       cwe: "CWE-94",
-      exploit_url: "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29078",
+      exploit_url: `https://nvd.nist.gov/vuln/detail/${DEMO_CVE.id}`,
     };
   }
 
-  private async fetchFromBrightData(packageName: string, version: string): Promise<CVE[]> {
-    try {
-      // Use Bright Data Scraper API with Bearer token authentication
-      // For NVD data, we'll use the public NVD API endpoint with Bright Data proxy/unblocking
-      console.log(`[Bright Data] Scraping ${packageName} from NVD...`);
-
-      const response = await axios.get(
-        `${API_ENDPOINTS.NVD}?keyword=${packageName}`,
-        {
-          headers: {
-            Authorization: `Bearer ${this.apiKey}`,
-            "Accept": "application/json",
-          },
-          timeout: TIMEOUTS.BRIGHT_DATA_SCRAPE,
+  private extractFixedVersion(vuln: any, packageName: string): string {
+    const affected = vuln.affected || [];
+    for (const a of affected) {
+      if (a.package?.name === packageName) {
+        for (const range of a.ranges || []) {
+          for (const event of range.events || []) {
+            if (event.fixed) return event.fixed;
+          }
         }
-      );
-
-      if (response.data?.vulnerabilities && Array.isArray(response.data.vulnerabilities)) {
-        return response.data.vulnerabilities
-          .filter((vuln: any) => {
-            const affectedProducts = vuln.cve?.configurations?.[0]?.nodes?.flatMap((n: any) =>
-              n.cpeMatch?.map((m: any) => m.criteria) || []
-            ) || [];
-            return affectedProducts.some((p: string) => p?.includes(packageName));
-          })
-          .map((vuln: any) => {
-            const descriptions = vuln.cve?.descriptions || [];
-            return {
-              id: vuln.id,
-              package: packageName,
-              affected_versions: [version],
-              fixed_version: "",
-              severity: vuln.impact?.baseSeverity || "MEDIUM",
-              cvss: vuln.impact?.baseScore || 5.0,
-              description: descriptions[0]?.value || "",
-              cwe: vuln.cve?.weaknesses?.[0]?.source || "",
-              exploit_url: `https://nvd.nist.gov/vuln/detail/${vuln.id}`,
-            };
-          })
-          .slice(0, 5); // Limit to top 5 results
       }
-
-      return [];
-    } catch (error) {
-      // Bright Data failed, will fall back to cache
-      console.warn(`[Bright Data] Scraping failed: ${error instanceof Error ? error.message : String(error)}`);
-      throw new Error(`Bright Data API call failed: ${error instanceof Error ? error.message : String(error)}`);
     }
+    return "";
   }
 
-  private async loadFromCache(): Promise<CVE[]> {
-    try {
-      const cacheFile = Bun.file(PATHS.CACHE_FILE);
-      const exists = await cacheFile.exists();
-
-      if (exists) {
-        const content = await cacheFile.text();
-        const cacheData = JSON.parse(content);
-        return cacheData.cves || [];
-      }
-    } catch (error) {
-      console.warn("Failed to load CVE cache:", error);
-    }
-
-    // Return at least the demo CVE
-    return [this.buildDemoCVE()];
+  private normalizeSeverity(s: string): "CRITICAL" | "HIGH" | "MEDIUM" | "LOW" {
+    const upper = (s || "").toUpperCase();
+    if (upper === "CRITICAL") return "CRITICAL";
+    if (upper === "HIGH") return "HIGH";
+    if (upper === "LOW") return "LOW";
+    return "MEDIUM";
   }
 
-  async scrapeAll(dependencies: Array<{ name: string; version: string }>): Promise<CVE[]> {
-    const allCVEs: CVE[] = [];
-
-    for (const dep of dependencies) {
-      const cves = await this.scrapeForCVEs(dep.name, dep.version);
-      allCVEs.push(...cves);
-    }
-
-    return allCVEs;
+  private severityToScore(s: string): number {
+    const upper = (s || "").toUpperCase();
+    if (upper === "CRITICAL") return 9.0;
+    if (upper === "HIGH") return 7.5;
+    if (upper === "LOW") return 3.0;
+    return 5.0;
   }
 }