cryptoserve 0.1.3 → 0.2.0

package/lib/scanner.mjs

@@ -1,47 +1,30 @@
 /**
- * JavaScript/TypeScript crypto dependency and secret scanner.
+ * Cryptographic dependency and secret scanner — orchestrates all sub-scanners.
  *
  * Scans projects for:
- * 1. Cryptographic dependencies (package.json, imports, algorithm strings)
- * 2. Hardcoded secrets (API keys, passwords — patterns from secretless-ai)
- * 3. Certificate/key files (.pem, .key, .crt, .p12)
+ * 1. Cryptographic dependencies (package.json, go.mod, requirements.txt, etc.)
+ * 2. Source code crypto patterns (JS/TS, Go, Python, Java, Rust, C/C++)
+ * 3. Hardcoded secrets (API keys, passwords — patterns from secretless-ai)
+ * 4. Certificate/key files (.pem, .key, .crt, .p12)
+ * 5. TLS version issues in config files
+ * 6. Binary crypto signatures (optional, via --binary flag)
  *
  * Output matches the library inventory format used by pqc-engine.mjs.
  * Zero dependencies — uses only node:fs and node:path.
  */
 
-import { existsSync, readFileSync, readdirSync, statSync } from 'node:fs';
+import { existsSync, readFileSync, readdirSync } from 'node:fs';
 import { join, relative, extname, basename } from 'node:path';
+import { LANGUAGE_PATTERNS, scanSourceFile, detectLanguage, MULTI_LANG_EXTENSIONS } from './scanner-languages.mjs';
+import { scanManifests } from './scanner-manifests.mjs';
+import { scanTlsConfigs } from './scanner-tls.mjs';
+import { lookupAlgorithm } from './algorithm-db.mjs';
+import { lookupNpmPackage } from './crypto-registry.mjs';
+import { walkProject } from './walker.mjs';
+import { loadScannerConfig } from './config.mjs';
 
 // ---------------------------------------------------------------------------
-// Known crypto packages → algorithm mappings
-// ---------------------------------------------------------------------------
-
-const CRYPTO_PACKAGES = {
-  'crypto-js':                { algorithms: ['AES', 'DES', '3DES', 'MD5', 'SHA-256', 'SHA-512', 'HMAC'], quantumRisk: 'low', category: 'symmetric' },
-  'bcrypt':                   { algorithms: ['bcrypt'], quantumRisk: 'none', category: 'kdf' },
-  'bcryptjs':                 { algorithms: ['bcrypt'], quantumRisk: 'none', category: 'kdf' },
-  'jsonwebtoken':             { algorithms: ['RS256', 'HS256', 'ES256'], quantumRisk: 'high', category: 'token' },
-  'jose':                     { algorithms: ['RS256', 'ES256', 'EdDSA', 'AES-GCM'], quantumRisk: 'high', category: 'token' },
-  'node-forge':               { algorithms: ['RSA', 'AES', 'SHA-256', 'HMAC', 'TLS'], quantumRisk: 'high', category: 'tls' },
-  'tweetnacl':                { algorithms: ['X25519', 'Ed25519', 'XSalsa20'], quantumRisk: 'high', category: 'asymmetric' },
-  'libsodium-wrappers':       { algorithms: ['X25519', 'Ed25519', 'ChaCha20', 'AES-256-GCM'], quantumRisk: 'high', category: 'asymmetric' },
-  '@noble/curves':            { algorithms: ['ECDSA', 'Ed25519', 'X25519'], quantumRisk: 'high', category: 'asymmetric' },
-  '@noble/hashes':            { algorithms: ['SHA-256', 'SHA-512', 'SHA3', 'Blake2'], quantumRisk: 'low', category: 'hash' },
-  '@noble/post-quantum':      { algorithms: ['ML-KEM', 'ML-DSA', 'SLH-DSA'], quantumRisk: 'none', category: 'pqc' },
-  'openpgp':                  { algorithms: ['RSA', 'ECDSA', 'AES', 'SHA-256'], quantumRisk: 'high', category: 'asymmetric' },
-  'elliptic':                 { algorithms: ['ECDSA', 'ECDHE', 'Ed25519'], quantumRisk: 'high', category: 'asymmetric' },
-  'secp256k1':                { algorithms: ['ECDSA'], quantumRisk: 'high', category: 'asymmetric' },
-  'argon2':                   { algorithms: ['Argon2'], quantumRisk: 'none', category: 'kdf' },
-  'scrypt':                   { algorithms: ['scrypt'], quantumRisk: 'none', category: 'kdf' },
-  'pbkdf2':                   { algorithms: ['PBKDF2'], quantumRisk: 'none', category: 'kdf' },
-  'tls':                      { algorithms: ['TLS', 'RSA', 'ECDSA'], quantumRisk: 'high', category: 'tls' },
-  'ssh2':                     { algorithms: ['RSA', 'Ed25519', 'ECDSA', 'AES'], quantumRisk: 'high', category: 'asymmetric' },
-  'node-rsa':                 { algorithms: ['RSA'], quantumRisk: 'high', category: 'asymmetric' },
-};
-
-// ---------------------------------------------------------------------------
-// Import/require patterns to detect in source code
+// Import/require patterns to detect in JS/TS source code
 // ---------------------------------------------------------------------------
 
 const IMPORT_PATTERNS = [
@@ -117,71 +100,29 @@ const SECRET_PATTERNS = [
 // File patterns for cert/key discovery
 const CERT_EXTENSIONS = new Set(['.pem', '.key', '.crt', '.p12', '.pfx', '.jks', '.keystore']);
 
-// ---------------------------------------------------------------------------
-// File walker
-// ---------------------------------------------------------------------------
-
-const SKIP_DIRS = new Set([
-  'node_modules', '.git', '.next', 'dist', 'build', 'coverage',
-  '.cache', '.nuxt', '.output', '.svelte-kit', '__pycache__',
-  'vendor', '.venv', 'venv',
-]);
-
-const SOURCE_EXTENSIONS = new Set(['.js', '.ts', '.mjs', '.cjs', '.jsx', '.tsx']);
-
-function walkFiles(dir, maxFiles = 10000, maxBytes = 500 * 1024 * 1024) {
-  const files = [];
-  let totalBytes = 0;
-
-  function walk(currentDir) {
-    if (files.length >= maxFiles || totalBytes >= maxBytes) return;
-
-    let entries;
-    try { entries = readdirSync(currentDir, { withFileTypes: true }); }
-    catch { return; }
-
-    for (const entry of entries) {
-      if (files.length >= maxFiles || totalBytes >= maxBytes) return;
-
-      if (entry.isDirectory()) {
-        if (!SKIP_DIRS.has(entry.name) && !entry.name.startsWith('.')) {
-          walk(join(currentDir, entry.name));
-        }
-        continue;
-      }
-
-      if (!entry.isFile()) continue;
-
-      const filePath = join(currentDir, entry.name);
-      try {
-        const stat = statSync(filePath);
-        if (stat.size > 1024 * 1024) continue; // Skip files >1MB
-        totalBytes += stat.size;
-        files.push(filePath);
-      } catch { continue; }
-    }
-  }
-
-  walk(dir);
-  return files;
-}
+const JS_EXTENSIONS = new Set(['.js', '.ts', '.mjs', '.cjs', '.jsx', '.tsx']);
 
 // ---------------------------------------------------------------------------
 // Scanner
 // ---------------------------------------------------------------------------
 
-export function scanProject(projectDir) {
+export function scanProject(projectDir, options = {}) {
   const results = {
     libraries: [],
     secrets: [],
     weakPatterns: [],
     certFiles: [],
     filesScanned: 0,
+    // New in v0.2.0
+    sourceAlgorithms: [],
+    tlsFindings: [],
+    binaryFindings: [],
+    languagesDetected: new Set(),
+    manifestsFound: [],
   };
 
   // 1. Scan package.json for crypto dependencies (root + monorepo workspaces)
   const pkgPaths = [join(projectDir, 'package.json')];
-  // Check common monorepo locations for nested package.json files
   const monorepoGlobs = ['apps', 'packages', 'libs', 'modules', 'services'];
   for (const sub of monorepoGlobs) {
     const subDir = join(projectDir, sub);
@@ -207,9 +148,9 @@ export function scanProject(projectDir) {
       };
 
       for (const [name, version] of Object.entries(allDeps)) {
-        if (name in CRYPTO_PACKAGES && !seenPkgs.has(name)) {
+        const info = lookupNpmPackage(name);
+        if (info && !seenPkgs.has(name)) {
           seenPkgs.add(name);
-          const info = CRYPTO_PACKAGES[name];
           results.libraries.push({
             name,
             version: version.replace(/^[\^~]/, ''),
@@ -217,37 +158,87 @@ export function scanProject(projectDir) {
             quantumRisk: info.quantumRisk,
             category: info.category,
             source: pkgPath.replace(projectDir + '/', ''),
+            ecosystem: 'npm',
           });
         }
       }
+      results.manifestsFound.push('package.json');
     } catch { /* invalid package.json */ }
   }
 
-  // 2. Walk source files
-  const files = walkFiles(projectDir);
+  // 2. Scan non-npm manifests (go.mod, requirements.txt, Cargo.toml, etc.)
+  const manifestLibs = scanManifests(projectDir);
+  for (const lib of manifestLibs) {
+    if (!seenPkgs.has(lib.name)) {
+      seenPkgs.add(lib.name);
+      results.libraries.push(lib);
+      if (!results.manifestsFound.includes(lib.source)) {
+        results.manifestsFound.push(lib.source);
+      }
+    }
+  }
+
+  // 3. Walk source files (single-pass unified walker with config overrides)
+  const scannerConfig = loadScannerConfig(projectDir);
+  const walked = walkProject(projectDir, {
+    skipDirs: scannerConfig.skipDirs.length > 0 ? new Set(scannerConfig.skipDirs) : undefined,
+    includeExtensions: scannerConfig.includeExtensions.length > 0 ? new Set(scannerConfig.includeExtensions) : undefined,
+    maxFiles: scannerConfig.maxFiles,
+    maxBytes: scannerConfig.maxBytes,
+    maxFileSize: scannerConfig.maxFileSize,
+    maxBinaryFiles: scannerConfig.binary.maxFiles,
+    maxBinaryFileSize: scannerConfig.binary.maxFileSize,
+  });
   const seenImports = new Set();
   const seenAlgos = new Set();
+  const seenSourceAlgos = new Set();
+
+  // Cert files from walker
+  for (const certPath of walked.certFiles) {
+    results.certFiles.push(relative(projectDir, certPath));
+  }
 
-  for (const filePath of files) {
+  for (const filePath of walked.sourceFiles) {
     const ext = extname(filePath);
+    const relPath = relative(projectDir, filePath);
 
-    // Check for cert/key files
-    if (CERT_EXTENSIONS.has(ext)) {
-      results.certFiles.push(relative(projectDir, filePath));
+    // Multi-language scanning (Go, Python, Java, Rust, C/C++)
+    const language = detectLanguage(filePath);
+    if (language && !JS_EXTENSIONS.has(ext)) {
+      results.filesScanned++;
+      results.languagesDetected.add(language);
+
+      let content;
+      try { content = readFileSync(filePath, 'utf-8'); }
+      catch { continue; }
+
+      const langResult = scanSourceFile(filePath, content, language);
+      for (const algo of langResult.algorithms) {
+        if (!seenSourceAlgos.has(algo.algorithm)) {
+          seenSourceAlgos.add(algo.algorithm);
+          const dbEntry = lookupAlgorithm(algo.algorithm);
+          results.sourceAlgorithms.push({
+            algorithm: algo.algorithm,
+            category: algo.category,
+            language,
+            quantumRisk: dbEntry?.quantumRisk || 'unknown',
+            isWeak: dbEntry?.isWeak || false,
+          });
+        }
+      }
       continue;
     }
 
-    // Only scan source files for code patterns
-    if (!SOURCE_EXTENSIONS.has(ext)) continue;
+    // Only scan JS/TS source files for JS-specific code patterns
+    if (!JS_EXTENSIONS.has(ext)) continue;
 
     results.filesScanned++;
+    results.languagesDetected.add('javascript');
 
     let content;
     try { content = readFileSync(filePath, 'utf-8'); }
     catch { continue; }
 
-    const relPath = relative(projectDir, filePath);
-
     // Detect imports/requires
     for (const { pattern, lib, detail } of IMPORT_PATTERNS) {
       pattern.lastIndex = 0;
@@ -323,7 +314,6 @@ export function scanProject(projectDir) {
     }
 
     if (nodeCryptoAlgos.length > 0) {
-      // Determine quantum risk based on detected algorithms
       const hasAsymmetric = nodeCryptoAlgos.some(a =>
         ['RSA', 'ECDSA', 'Ed25519', 'RS256', 'ES256', 'DH'].includes(a)
       );
@@ -334,10 +324,20 @@ export function scanProject(projectDir) {
         quantumRisk: hasAsymmetric ? 'high' : 'low',
         category: hasAsymmetric ? 'asymmetric' : 'symmetric',
         source: 'source-code',
+        ecosystem: 'npm',
       });
     }
   }
 
+  // 4. TLS scanning — pass pre-walked source+config files
+  const tlsFiles = [...walked.sourceFiles, ...walked.configFiles];
+  results.tlsFindings = scanTlsConfigs(projectDir, tlsFiles);
+
+  // 5. Binary scanning moved to CLI layer (lazy-loaded via dynamic import)
+
+  // Convert sets to arrays for JSON serialization
+  results.languagesDetected = [...results.languagesDetected];
+
   return results;
 }
 
@@ -346,12 +346,41 @@ export function scanProject(projectDir) {
 // ---------------------------------------------------------------------------
 
 export function toLibraryInventory(scanResults) {
-  return scanResults.libraries.map(lib => ({
-    name: lib.name,
-    version: lib.version,
-    algorithms: lib.algorithms,
-    quantumRisk: lib.quantumRisk,
-    category: lib.category,
-    isDeprecated: false,
-  }));
+  const inventory = scanResults.libraries.map(lib => {
+    const entry = {
+      name: lib.name,
+      version: lib.version,
+      algorithms: lib.algorithms,
+      quantumRisk: lib.quantumRisk,
+      category: lib.category,
+      isDeprecated: lib.isDeprecated || false,
+    };
+    // Enrich with algorithm-db data
+    for (const algoName of lib.algorithms) {
+      const dbEntry = lookupAlgorithm(algoName);
+      if (dbEntry?.isWeak && !entry.isDeprecated) {
+        entry.isDeprecated = true;
+      }
+    }
+    return entry;
+  });
+
+  // Also add source-detected algorithms as synthetic library entries
+  for (const algo of (scanResults.sourceAlgorithms || [])) {
+    const alreadyInLib = inventory.some(lib =>
+      lib.algorithms.some(a => a.toLowerCase() === algo.algorithm.toLowerCase())
+    );
+    if (!alreadyInLib) {
+      inventory.push({
+        name: `${algo.language}:${algo.algorithm}`,
+        version: 'source-code',
+        algorithms: [algo.algorithm],
+        quantumRisk: algo.quantumRisk || 'unknown',
+        category: algo.category,
+        isDeprecated: algo.isWeak || false,
+      });
+    }
+  }
+
+  return inventory;
 }

package/lib/walker.mjs

@@ -0,0 +1,166 @@
+/**
+ * Unified single-pass file walker.
+ *
+ * Replaces three independent walkers (scanner.mjs, scanner-tls.mjs,
+ * scanner-binary.mjs) with a single directory traversal that classifies
+ * files into buckets by extension.
+ * Zero dependencies — uses only node:fs and node:path.
+ */
+
+import { readdirSync, statSync } from 'node:fs';
+import { join, extname } from 'node:path';
+
+// ---------------------------------------------------------------------------
+// Default skip directories (union of all three previous walkers)
+// ---------------------------------------------------------------------------
+
+export const DEFAULT_SKIP_DIRS = new Set([
+  'node_modules', '.git', '.next', 'dist', 'build', 'coverage',
+  '.cache', '.nuxt', '.output', '.svelte-kit', '__pycache__',
+  'vendor', '.venv', 'venv',
+]);
+
+// ---------------------------------------------------------------------------
+// File classification by extension
+// ---------------------------------------------------------------------------
+
+const SOURCE_EXTENSIONS = new Set([
+  '.js', '.ts', '.mjs', '.cjs', '.jsx', '.tsx',
+  '.go', '.py',
+  '.java', '.kt', '.scala',
+  '.rs',
+  '.c', '.h', '.cpp', '.hpp', '.cc', '.cxx',
+]);
+
+const CONFIG_EXTENSIONS = new Set([
+  '.conf', '.cfg', '.ini', '.toml', '.yaml', '.yml', '.json', '.xml',
+]);
+
+const CONFIG_NAMES = new Set([
+  'Dockerfile', 'docker-compose.yml', 'docker-compose.yaml',
+  'nginx.conf', 'httpd.conf', 'apache2.conf', 'ssl.conf',
+  '.env',
+]);
+
+const BINARY_EXTENSIONS = new Set([
+  '.exe', '.dll', '.so', '.dylib', '.wasm',
+  '.class', '.jar', '.war',
+  '.o', '.a', '.lib',
+  '.pyc', '.pyd',
+]);
+
+const CERT_EXTENSIONS = new Set(['.pem', '.key', '.crt', '.p12', '.pfx', '.jks', '.keystore']);
+
+// ---------------------------------------------------------------------------
+// Walker
+// ---------------------------------------------------------------------------
+
+/**
+ * Walk a project directory once, classifying files into buckets.
+ *
+ * @param {string} dir - Root directory to walk
+ * @param {object} options
+ * @param {Set<string>} [options.skipDirs] - Extra directory names to skip (merged with defaults)
+ * @param {Set<string>} [options.includeExtensions] - Extra source extensions to include
+ * @param {number} [options.maxFiles=10000] - Max total files to collect
+ * @param {number} [options.maxBytes=524288000] - Max total bytes (500MB)
+ * @param {number} [options.maxFileSize=1048576] - Max single file size (1MB) for source/config
+ * @param {number} [options.maxBinaryFiles=50] - Max binary files
+ * @param {number} [options.maxBinaryFileSize=10485760] - Max binary file size (10MB)
+ * @returns {{ sourceFiles: string[], configFiles: string[], binaryFiles: string[], certFiles: string[], totalBytes: number, totalFiles: number }}
+ */
+export function walkProject(dir, options = {}) {
+  const skipDirs = options.skipDirs
+    ? new Set([...DEFAULT_SKIP_DIRS, ...options.skipDirs])
+    : DEFAULT_SKIP_DIRS;
+  const extraSourceExts = options.includeExtensions
+    ? new Set([...SOURCE_EXTENSIONS, ...options.includeExtensions])
+    : SOURCE_EXTENSIONS;
+  const maxFiles = options.maxFiles || 10000;
+  const maxBytes = options.maxBytes || 500 * 1024 * 1024;
+  const maxFileSize = options.maxFileSize || 1024 * 1024;
+  const maxBinaryFiles = options.maxBinaryFiles || 50;
+  const maxBinaryFileSize = options.maxBinaryFileSize || 10 * 1024 * 1024;
+
+  const sourceFiles = [];
+  const configFiles = [];
+  const binaryFiles = [];
+  const certFiles = [];
+  let totalBytes = 0;
+  let totalFiles = 0;
+
+  function walk(currentDir) {
+    if (totalFiles >= maxFiles || totalBytes >= maxBytes) return;
+
+    let entries;
+    try { entries = readdirSync(currentDir, { withFileTypes: true }); }
+    catch { return; }
+
+    for (const entry of entries) {
+      if (totalFiles >= maxFiles || totalBytes >= maxBytes) return;
+
+      if (entry.isDirectory()) {
+        if (!skipDirs.has(entry.name) && !entry.name.startsWith('.')) {
+          walk(join(currentDir, entry.name));
+        }
+        continue;
+      }
+
+      if (!entry.isFile()) continue;
+
+      const filePath = join(currentDir, entry.name);
+      const ext = extname(entry.name).toLowerCase();
+      const name = entry.name;
+
+      // Classify cert files (no size check needed — just record path)
+      if (CERT_EXTENSIONS.has(ext)) {
+        certFiles.push(filePath);
+        totalFiles++;
+        continue;
+      }
+
+      // Classify binary files (separate limit)
+      if (BINARY_EXTENSIONS.has(ext)) {
+        if (binaryFiles.length < maxBinaryFiles) {
+          try {
+            const stat = statSync(filePath);
+            if (stat.size <= maxBinaryFileSize) {
+              binaryFiles.push(filePath);
+              totalFiles++;
+            }
+          } catch { /* skip */ }
+        }
+        continue;
+      }
+
+      // Check size for source/config files
+      let fileSize;
+      try {
+        const stat = statSync(filePath);
+        if (stat.size > maxFileSize) continue;
+        fileSize = stat.size;
+      } catch { continue; }
+
+      totalBytes += fileSize;
+      totalFiles++;
+
+      // Classify source files
+      if (extraSourceExts.has(ext)) {
+        sourceFiles.push(filePath);
+        continue;
+      }
+
+      // Classify config files
+      if (CONFIG_EXTENSIONS.has(ext) || CONFIG_NAMES.has(name)) {
+        configFiles.push(filePath);
+        continue;
+      }
+
+      // Other files are walked but not bucketed
+    }
+  }
+
+  walk(dir);
+
+  return { sourceFiles, configFiles, binaryFiles, certFiles, totalBytes, totalFiles };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cryptoserve",
-  "version": "0.1.3",
+  "version": "0.2.0",
   "description": "CryptoServe CLI - Cryptographic scanning, PQC analysis, encryption, and local key management",
   "type": "module",
   "bin": {
@@ -24,7 +24,12 @@
     "security",
     "scanner",
     "keychain",
-    "vault"
+    "vault",
+    "cbom",
+    "cyclonedx",
+    "spdx",
+    "binary-analysis",
+    "tls"
   ],
   "repository": {
     "type": "git",