codeprobe-scanner 1.0.9 → 1.0.11

package/README.md

@@ -1,15 +1,209 @@
-# codeprobe
+# CodeProbe
 
-To install dependencies:
+Automated vulnerability scanner for Node.js / npm projects. Scans dependencies against OSV.dev and the GitHub Advisory Database, verifies exploits in isolated sandboxes, and optionally auto-patches vulnerable packages.
 
-```bash
-bun install
+## Install
+
+```sh
+npm install -g codeprobe-scanner
+```
+
+Or run without installing:
+
+```sh
+npx codeprobe-scanner scan
+```
+
+## Quick Start
+
+```sh
+# Scan the current directory
+codeprobe scan
+
+# Scan a specific project
+codeprobe scan ./my-app
+
+# Scan and auto-fix vulnerabilities
+codeprobe scan --fix
+
+# Output results as JSON
+codeprobe scan --json > report.json
+
+# Show the last scan report
+codeprobe report
 ```
 
-To run:
+## Commands
+
+### `codeprobe scan [path]`
+
+Scans a repository for known CVEs in its npm dependencies.
+
+| Flag | Description |
+|------|-------------|
+| `--fix` | Auto-fix: upgrades vulnerable packages, creates a git branch and commit |
+| `--json` | Print results as JSON (pipe-friendly) |
+| `--verbose` | Show detailed phase-by-phase logs |
+
+**What it does:**
+
+1. Parses `package.json` / `package-lock.json` / `bun.lock` for installed packages and versions
+2. Queries **OSV.dev** for CVEs matching each package+version
+3. Cross-references the **GitHub Advisory Database** for additional intelligence
+4. Runs exploit verification in an isolated **Daytona sandbox** (when configured)
+5. Saves the report to `~/.codeprobe/scans/<scan-id>.json`
+6. Displays a risk score, CVE table, and recent npm threat feed
 
-```bash
-bun run index.ts
+**Exit codes:**
+
+| Code | Meaning |
+|------|---------|
+| `0` | No vulnerabilities found |
+| `1` | Vulnerabilities found |
+| `2` | Scan failed |
+
+### `codeprobe report`
+
+Displays the most recent scan results from `~/.codeprobe/scans/latest.json`.
+
+### `codeprobe config set <key> <value>`
+
+Saves a configuration value to `~/.codeprobe/config.json`.
+
+```sh
+codeprobe config set bright_data_api_key YOUR_KEY
+codeprobe config set daytona_api_key YOUR_KEY
+```
+
+## Configuration
+
+CodeProbe works out of the box with zero configuration using public APIs. Optional integrations unlock deeper exploit verification.
+
+### Environment Variables
+
+| Variable | Description |
+|----------|-------------|
+| `BRIGHT_DATA_API_KEY` | Bright Data scraping proxy (optional) |
+| `DAYTONA_API_KEY` | Daytona sandbox for exploit verification (optional) |
+| `NOSANA_API_KEY` | Nosana LLM for AI-assisted analysis (optional) |
+| `GITHUB_TOKEN` | GitHub token for higher Advisory API rate limits |
+| `PORT` | API server port (default: `3000`) |
+
+Create a `.env` file in your project root or export variables in your shell.
+
+## How It Works
+
+```
+package.json / lockfile
+        ↓
+   Dependency Parser
+        ↓
+  OSV.dev + GitHub Advisory DB  ──→  CVE list
+        ↓
+  Sandbox Exploit Verification  ──→  Confirmed / Theoretical
+        ↓
+   Risk Score + Report
 ```
 
-This project was created using `bun init` in bun v1.3.14. [Bun](https://bun.com) is a fast all-in-one JavaScript runtime.
+- **Risk score** = (confirmed exploitable × 10) + (theoretical × 3)
+- Scans are saved locally at `~/.codeprobe/scans/`
+- `latest.json` always points to the most recent scan
+
+## Auto-Fix (`--fix`)
+
+When `--fix` is passed, CodeProbe:
+
+1. Identifies vulnerable packages that have a patched version available
+2. Updates `package.json` to the safe version
+3. Runs `bun install` (or `npm install`) to apply the change
+4. Creates a git commit on a new branch: `codeprobe-fix/<scan-id>`
+
+Review the branch and open a PR — no changes are pushed automatically.
+
+## API Server
+
+Start the REST API server:
+
+```sh
+bun run src/api/server.ts
+```
+
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `POST /api/scan` | POST | Trigger a scan (`{ "repoPath": "./path" }`) |
+| `GET /api/scans` | GET | List all past scans (requires auth) |
+| `GET /api/scans/:id` | GET | Get a specific scan (requires auth) |
+| `GET /api/auth/github` | GET | GitHub OAuth callback |
+| `GET /api/auth/logout` | GET | Logout |
+
+Authentication: pass a `Bearer <token>` header. In development mode any non-empty token is accepted.
+
+## Docker
+
+```sh
+docker build -t codeprobe .
+docker run -e PORT=8080 -p 8080:8080 codeprobe
+```
+
+## GitHub Actions
+
+Add CodeProbe to your CI pipeline:
+
+```yaml
+# .github/workflows/codeprobe-scan.yml
+name: Security Scan
+on: [push, pull_request]
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - run: npx codeprobe-scanner scan --json > report.json
+      - uses: actions/upload-artifact@v3
+        with:
+          name: security-report
+          path: report.json
+```
+
+## Output Example
+
+```
+╔══════════════════════════════════════════╗
+║           CodeProbe Scanner              ║
+╚══════════════════════════════════════════╝
+
+SCAN COMPLETE
+Risk Score: 🔴 HIGH (43)
+Confirmed Exploitable: 2 | Theoretical Risk: 5
+Patches Available: 3
+Duration: 8.3s
+
+CVE Details:
+  CVE-2022-29078: ejs 3.1.6 [CRITICAL] ✓ CONFIRMED EXPLOITABLE
+    → Patch available: 3.1.7
+  CVE-2023-44487: http2-server 1.0.0 [HIGH] ✓ CONFIRMED EXPLOITABLE
+    → Patch available: 1.0.1
+
+🌐 Recent npm Security Threats (GitHub Advisory Database):
+  CRITICAL lodash - Prototype Pollution
+  HIGH     axios - SSRF via redirect
+```
+
+## Project Structure
+
+```
+src/
+├── cli/          # CLI entry point and commands (scan, report, config)
+├── engine/       # Core scanner: parser, scraper, sandbox, patcher
+├── api/          # REST API server
+├── shared/       # Types, constants, utilities
+├── integrations/ # VideoDB, Daytona, Nosana integrations
+├── bot/          # Bot server
+└── mcp/          # MCP server
+bin/
+└── codeprobe.cjs # CLI binary entry point
+```
+
+## License
+
+MIT

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeprobe-scanner",
-  "version": "1.0.9",
+  "version": "1.0.11",
   "description": "Automated vulnerability scanner with exploit verification and video evidence",
   "type": "module",
   "bin": {
@@ -14,7 +14,7 @@
   },
   "dependencies": {
     "@daytona/sdk": "^0.187.0",
-    "axios": "^1.6.5",
+    "axios": "^1.16.0",
     "chalk": "^5.3.0",
     "cli-table3": "^0.6.3",
     "dayjs": "^1.11.10",

package/src/cli/commands/scan-with-fix.ts

@@ -1,22 +1,16 @@
 import chalk from 'chalk';
 import { execSync } from 'child_process';
+import { readFileSync, writeFileSync } from 'fs';
+import path from 'path';
 import dayjs from 'dayjs';
 import { Report } from '../../shared/types.js';
 import { ProgressLogger } from '../progress.js';
 import { GitError, handleError } from '../errors.js';
 import { EXIT_CODES } from '../../shared/constants.js';
 
-function getGitStatus(): string {
-  try {
-    return execSync('git status --porcelain', { encoding: 'utf-8' });
-  } catch {
-    throw new GitError('Not a git repository');
-  }
-}
-
 function checkGitRepo(): boolean {
   try {
-    execSync('git rev-parse --git-dir', { encoding: 'utf-8' });
+    execSync('git rev-parse --git-dir', { encoding: 'utf-8', stdio: 'pipe' });
     return true;
   } catch {
     return false;
@@ -24,25 +18,48 @@ function checkGitRepo(): boolean {
 }
 
 function isGitDirty(): boolean {
-  const status = getGitStatus();
-  return status.trim().length > 0;
+  try {
+    const status = execSync('git status --porcelain', { encoding: 'utf-8', stdio: 'pipe' });
+    return status.trim().length > 0;
+  } catch {
+    throw new GitError('Not a git repository');
+  }
 }
 
 function createBranch(name: string): void {
   try {
-    execSync(`git checkout -b ${name}`, { encoding: 'utf-8' });
-  } catch (error) {
+    execSync(`git checkout -b ${name}`, { encoding: 'utf-8', stdio: 'pipe' });
+  } catch {
     throw new GitError(`Failed to create branch: ${name}`);
   }
 }
 
-function commitChanges(message: string): void {
+function commitAndPush(message: string, branchName: string): void {
+  execSync('git add package.json', { encoding: 'utf-8', stdio: 'pipe' });
+  execSync(`git commit -m "${message}"`, { encoding: 'utf-8', stdio: 'pipe' });
   try {
-    execSync('git add .', { encoding: 'utf-8' });
-    execSync(`git commit -m "${message}"`, { encoding: 'utf-8' });
-  } catch (error) {
-    throw new GitError('Failed to commit changes');
+    execSync(`git push -u origin ${branchName}`, { encoding: 'utf-8', stdio: 'pipe' });
+  } catch {
+    // Push failed — not fatal, user can push manually
+  }
+}
+
+function applyVersionBumps(
+  repoPath: string,
+  bumps: Array<{ package: string; from: string; to: string }>
+): void {
+  const pkgPath = path.join(repoPath, 'package.json');
+  const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+
+  for (const bump of bumps) {
+    if (pkg.dependencies?.[bump.package]) {
+      pkg.dependencies[bump.package] = `^${bump.to}`;
+    } else if (pkg.devDependencies?.[bump.package]) {
+      pkg.devDependencies[bump.package] = `^${bump.to}`;
+    }
   }
+
+  writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n');
 }
 
 export async function scanWithFixCommand(
@@ -52,72 +69,81 @@ export async function scanWithFixCommand(
 ): Promise<void> {
   console.log('');
   logger.printSeparator();
-  logger.logPhaseStart('git', 'Preparing to apply patches');
 
-  try {
-    // Check git repo exists
-    if (!checkGitRepo()) {
-      throw new GitError('Not a git repository. Run: git init');
-    }
+  const repoPath = path.resolve(args[0] || '.');
 
-    // Check git status
-    if (isGitDirty()) {
-      logger.logWarning('Git repository has uncommitted changes', 'Commit or stash first');
-      throw new GitError('Repository is dirty. Commit changes before applying patches.');
-    }
+  // Collect CVEs that have a known fixed version
+  const fixable = report.scan.cves.filter(
+    (cve) => cve.version_fixed && cve.version_fixed.trim() !== ''
+  );
 
-    // Filter for exploitable CVEs only
-    const exploitableCVEs = report.scan.cves.filter((cve) => cve.exploitable);
+  if (fixable.length === 0) {
+    console.log(chalk.yellow('⚠️  No CVEs with known fixes found.'));
+    console.log(chalk.dim('   All vulnerabilities are either unpatched or already on the latest version.'));
+    process.exit(EXIT_CODES.SUCCESS);
+  }
 
-    if (exploitableCVEs.length === 0) {
-      logger.logWarning('No exploitable CVEs found', 'Nothing to patch');
-      process.exit(EXIT_CODES.SUCCESS);
+  // Deduplicate: one bump per package (use highest fixed version)
+  const bumpMap = new Map<string, { from: string; to: string; cves: string[] }>();
+  for (const cve of fixable) {
+    const existing = bumpMap.get(cve.package);
+    if (!existing) {
+      bumpMap.set(cve.package, {
+        from: cve.version_vulnerable,
+        to: cve.version_fixed!,
+        cves: [cve.id],
+      });
+    } else {
+      existing.cves.push(cve.id);
     }
+  }
 
-    // Create feature branch
-    const timestamp = dayjs().format('YYYY-MM-DD-HHmmss');
-    const branchName = `codeprobe-fix-${timestamp}`;
+  const bumps = Array.from(bumpMap.entries()).map(([pkg, info]) => ({
+    package: pkg,
+    ...info,
+  }));
+
+  // Show what will be changed
+  console.log(chalk.bold(`\n📦 ${bumps.length} package(s) can be updated:\n`));
+  for (const b of bumps) {
+    console.log(
+      `  ${chalk.cyan(b.package)}: ${chalk.red(b.from)} → ${chalk.green(b.to)}`
+    );
+    console.log(chalk.dim(`    Fixes: ${b.cves.slice(0, 3).join(', ')}${b.cves.length > 3 ? ` +${b.cves.length - 3} more` : ''}`));
+  }
 
-    logger.logPhaseStart('git', `Creating branch: ${branchName}`);
-    createBranch(branchName);
-    logger.logPhaseComplete('git', `Branch created: ${branchName}`);
+  // Check git repo
+  if (!checkGitRepo()) {
+    console.log(chalk.yellow('\n⚠️  Not a git repository — applying fixes without committing.'));
+    applyVersionBumps(repoPath, bumps);
+    console.log(chalk.green('\n✓ package.json updated. Run your package manager to install.'));
+    process.exit(EXIT_CODES.SUCCESS);
+  }
 
-    // Apply patches
-    for (const cve of exploitableCVEs) {
-      if (!cve.patch_diff) continue;
+  if (isGitDirty()) {
+    console.log(chalk.yellow('\n⚠️  Uncommitted changes detected — applying fixes without committing.'));
+    applyVersionBumps(repoPath, bumps);
+    console.log(chalk.green('\n✓ package.json updated. Commit when ready.'));
+    process.exit(EXIT_CODES.SUCCESS);
+  }
 
-      logger.logPhaseStart('patch', `Applying patch for ${cve.id}`);
+  // Create branch and apply fixes
+  const branchName = `codeprobe-fix-${dayjs().format('YYYY-MM-DD-HHmmss')}`;
+  console.log(chalk.dim(`\nCreating branch: ${branchName}`));
+  createBranch(branchName);
 
-      // Mock: just log the patch
-      console.log(chalk.gray(`  Patch preview:\n${cve.patch_diff.split('\n').slice(0, 5).join('\n')}`));
+  applyVersionBumps(repoPath, bumps);
+  console.log(chalk.green('\n✓ package.json updated'));
 
-      // In production: apply patch using git apply or manual file updates
-      // For now: mock success
-      logger.logPhaseComplete('patch', `Patched ${cve.package}: ${cve.version_vulnerable} → ${cve.patch_version}`);
-    }
+  const commitMsg = `security: bump ${bumps.length} vulnerable package(s) via codeprobe\\n\\n${bumps.map(b => `- ${b.package}: ${b.from} -> ${b.to}`).join('\\n')}`;
+  commitAndPush(commitMsg, branchName);
 
-    // Commit with detailed message
-    const commitMsg =
-      `[CodeProbe] Fix ${exploitableCVEs.length} exploitable CVE(s)\n\n` +
-      exploitableCVEs
-        .map((cve) => `- ${cve.id} (${cve.package} ${cve.version_vulnerable} → ${cve.patch_version})`)
-        .join('\n');
-
-    logger.logPhaseStart('git', 'Committing patches');
-    commitChanges(commitMsg);
-    logger.logPhaseComplete('git', 'Changes committed');
-
-    // Show what to do next
-    console.log('');
-    console.log(chalk.green('✓ Patches applied successfully!'));
-    console.log(chalk.cyan(`\nNext steps:`));
-    console.log(chalk.cyan(`  1. Review changes: git diff main`));
-    console.log(chalk.cyan(`  2. Push branch: git push -u origin ${branchName}`));
-    console.log(chalk.cyan(`  3. Create PR on GitHub`));
-
-    logger.printSeparator();
-    process.exit(EXIT_CODES.SUCCESS);
-  } catch (error) {
-    handleError(error, logger, true);
-  }
+  console.log(chalk.bold.green(`\n✨ Done! Branch '${branchName}' created and pushed.\n`));
+  console.log(chalk.cyan('Next steps:'));
+  console.log(`  1. Run your package manager: ${chalk.white('bun install')} or ${chalk.white('npm install')}`);
+  console.log(`  2. Open a PR from branch: ${chalk.white(branchName)}`);
+  console.log('');
+
+  logger.printSeparator();
+  process.exit(EXIT_CODES.SUCCESS);
 }

package/src/engine/index.ts

@@ -61,10 +61,13 @@ export class CodeProbeEngine {
         }
       }
 
-      // Step 7: Generate patches (Nosana)
+      // Step 7: Generate patches for exploitable CVEs + any HIGH/CRITICAL with a known fix version
       console.log("\x1b[33m[Nosana]\x1b[0m 🔧 Generating patches with LLM...");
       await this.patcher.loadPrebakedPatches();
-      const patches = await this.patcher.generateAllPatches(matchedCves.filter((c) => c.exploitable));
+      const patchCandidates = matchedCves.filter((c) =>
+        c.exploitable || ((c.severity === "CRITICAL" || c.severity === "HIGH") && c.version_fixed)
+      );
+      const patches = await this.patcher.generateAllPatches(patchCandidates);
       for (const cve of matchedCves) {
         if (patches.has(cve.id)) {
           cve.patch_diff = patches.get(cve.id);