devcompass 2.6.0 → 2.7.0

package/src/analyzers/security-recommendations.js

@@ -0,0 +1,274 @@
+// src/analyzers/security-recommendations.js
+
+/**
+ * Priority levels for recommendations
+ */
+const PRIORITY = {
+  CRITICAL: { level: 1, label: 'CRITICAL', color: 'red', emoji: '🔴' },
+  HIGH: { level: 2, label: 'HIGH', color: 'orange', emoji: '🟠' },
+  MEDIUM: { level: 3, label: 'MEDIUM', color: 'yellow', emoji: '🟡' },
+  LOW: { level: 4, label: 'LOW', color: 'gray', emoji: '⚪' }
+};
+
+/**
+ * Generate actionable recommendations from all security findings
+ */
+function generateSecurityRecommendations(analysisResults) {
+  const recommendations = [];
+  
+  const {
+    supplyChainWarnings = [],
+    licenseWarnings = [],
+    qualityResults = [],
+    securityVulnerabilities = [],
+    ecosystemAlerts = [],
+    unusedDeps = [],
+    outdatedPackages = []
+  } = analysisResults;
+  
+  // 1. Supply Chain Issues (CRITICAL/HIGH)
+  for (const warning of supplyChainWarnings) {
+    if (warning.type === 'malicious' || warning.severity === 'critical') {
+      recommendations.push({
+        priority: PRIORITY.CRITICAL,
+        category: 'supply_chain',
+        package: warning.package,
+        issue: warning.message,
+        action: `Remove ${warning.package} immediately`,
+        command: `npm uninstall ${warning.package}`,
+        impact: 'Eliminates critical security risk',
+        reason: 'Known malicious package detected'
+      });
+    } else if (warning.type === 'typosquatting') {
+      recommendations.push({
+        priority: PRIORITY.HIGH,
+        category: 'supply_chain',
+        package: warning.package,
+        issue: warning.message,
+        action: warning.recommendation,
+        command: `npm uninstall ${warning.package} && npm install ${warning.official}`,
+        impact: 'Prevents potential supply chain attack',
+        reason: 'Typosquatting attempt detected'
+      });
+    } else if (warning.type === 'install_script' && warning.severity === 'high') {
+      recommendations.push({
+        priority: PRIORITY.HIGH,
+        category: 'supply_chain',
+        package: warning.package,
+        issue: warning.message,
+        action: 'Review install script before deployment',
+        command: `cat node_modules/${warning.package.split('@')[0]}/package.json`,
+        impact: 'Prevents malicious code execution',
+        reason: 'Suspicious install script detected'
+      });
+    }
+  }
+  
+  // 2. License Compliance (HIGH/MEDIUM)
+  for (const warning of licenseWarnings) {
+    if (warning.severity === 'critical' || warning.severity === 'high') {
+      recommendations.push({
+        priority: warning.severity === 'critical' ? PRIORITY.CRITICAL : PRIORITY.HIGH,
+        category: 'license',
+        package: warning.package,
+        issue: `${warning.license}: ${warning.message}`,
+        action: 'Replace with permissive alternative',
+        command: `npm uninstall ${warning.package}`,
+        impact: 'Ensures license compliance',
+        reason: 'High-risk license detected',
+        alternative: 'Search npm for MIT/Apache alternatives'
+      });
+    }
+  }
+  
+  // 3. Security Vulnerabilities (CRITICAL/HIGH)
+  if (securityVulnerabilities.critical > 0 || securityVulnerabilities.high > 0) {
+    recommendations.push({
+      priority: securityVulnerabilities.critical > 0 ? PRIORITY.CRITICAL : PRIORITY.HIGH,
+      category: 'security',
+      issue: `${securityVulnerabilities.total} security vulnerabilities detected`,
+      action: 'Run npm audit fix to resolve vulnerabilities',
+      command: 'npm audit fix',
+      impact: `Resolves ${securityVulnerabilities.total} known vulnerabilities`,
+      reason: 'Security vulnerabilities in dependencies'
+    });
+  }
+  
+  // 4. Ecosystem Alerts (varies by severity)
+  for (const alert of ecosystemAlerts) {
+    if (alert.severity === 'critical' || alert.severity === 'high') {
+      const priority = alert.severity === 'critical' ? PRIORITY.CRITICAL : PRIORITY.HIGH;
+      
+      recommendations.push({
+        priority: priority,
+        category: 'ecosystem',
+        package: `${alert.package}@${alert.version}`,
+        issue: alert.title,
+        action: `Upgrade to ${alert.fix}`,
+        command: `npm install ${alert.package}@${alert.fix}`,
+        impact: 'Resolves known stability/security issue',
+        reason: alert.source
+      });
+    }
+  }
+  
+  // 5. Package Quality Issues (MEDIUM/LOW)
+  for (const pkg of qualityResults) {
+    if (pkg.status === 'deprecated') {
+      recommendations.push({
+        priority: PRIORITY.CRITICAL,
+        category: 'quality',
+        package: pkg.package,
+        issue: 'Package is deprecated',
+        action: 'Find actively maintained alternative',
+        command: `npm uninstall ${pkg.package}`,
+        impact: 'Prevents future breaking changes',
+        reason: 'Package is no longer maintained',
+        healthScore: pkg.healthScore
+      });
+    } else if (pkg.status === 'abandoned') {
+      recommendations.push({
+        priority: PRIORITY.HIGH,
+        category: 'quality',
+        package: pkg.package,
+        issue: `Last updated ${Math.floor(pkg.daysSincePublish / 365)} years ago`,
+        action: 'Migrate to actively maintained alternative',
+        command: `npm uninstall ${pkg.package}`,
+        impact: 'Improves long-term stability',
+        reason: 'Package appears abandoned',
+        healthScore: pkg.healthScore
+      });
+    } else if (pkg.status === 'stale' && pkg.healthScore < 5) {
+      recommendations.push({
+        priority: PRIORITY.MEDIUM,
+        category: 'quality',
+        package: pkg.package,
+        issue: `Health score: ${pkg.healthScore}/10`,
+        action: 'Consider more actively maintained alternative',
+        impact: 'Improves package quality',
+        reason: 'Low health score',
+        healthScore: pkg.healthScore
+      });
+    }
+  }
+  
+  // 6. Unused Dependencies (MEDIUM)
+  if (unusedDeps.length > 0) {
+    const packageList = unusedDeps.map(d => d.name).join(' ');
+    recommendations.push({
+      priority: PRIORITY.MEDIUM,
+      category: 'cleanup',
+      issue: `${unusedDeps.length} unused dependencies detected`,
+      action: 'Remove unused packages',
+      command: `npm uninstall ${packageList}`,
+      impact: `Reduces node_modules size, improves security surface`,
+      reason: 'Unused dependencies increase attack surface'
+    });
+  }
+  
+  // 7. Outdated Packages (LOW)
+  const criticalOutdated = outdatedPackages.filter(p => 
+    p.updateType === 'major update' && p.current.startsWith('0.')
+  );
+  
+  if (criticalOutdated.length > 0) {
+    for (const pkg of criticalOutdated.slice(0, 3)) { // Top 3
+      recommendations.push({
+        priority: PRIORITY.MEDIUM,
+        category: 'updates',
+        package: pkg.name,
+        issue: `Version ${pkg.current} is pre-1.0 and outdated`,
+        action: `Update to ${pkg.latest}`,
+        command: `npm install ${pkg.name}@latest`,
+        impact: 'Gets bug fixes and improvements',
+        reason: 'Pre-1.0 packages change rapidly'
+      });
+    }
+  }
+  
+  // Sort by priority
+  recommendations.sort((a, b) => a.priority.level - b.priority.level);
+  
+  return recommendations;
+}
+
+/**
+ * Group recommendations by priority
+ */
+function groupByPriority(recommendations) {
+  return {
+    critical: recommendations.filter(r => r.priority.level === 1),
+    high: recommendations.filter(r => r.priority.level === 2),
+    medium: recommendations.filter(r => r.priority.level === 3),
+    low: recommendations.filter(r => r.priority.level === 4)
+  };
+}
+
+/**
+ * Calculate expected impact of following recommendations
+ */
+function calculateExpectedImpact(recommendations, currentScore) {
+  let improvement = 0;
+  
+  for (const rec of recommendations) {
+    switch (rec.priority.level) {
+      case 1: // CRITICAL
+        improvement += 2.0;
+        break;
+      case 2: // HIGH
+        improvement += 1.5;
+        break;
+      case 3: // MEDIUM
+        improvement += 0.5;
+        break;
+      case 4: // LOW
+        improvement += 0.2;
+        break;
+    }
+  }
+  
+  const newScore = Math.min(10, currentScore + improvement);
+  const percentageIncrease = ((newScore - currentScore) / 10) * 100;
+  
+  return {
+    currentScore,
+    expectedScore: Number(newScore.toFixed(1)),
+    improvement: Number(improvement.toFixed(1)),
+    percentageIncrease: Number(percentageIncrease.toFixed(1)),
+    critical: recommendations.filter(r => r.priority.level === 1).length,
+    high: recommendations.filter(r => r.priority.level === 2).length,
+    medium: recommendations.filter(r => r.priority.level === 3).length,
+    low: recommendations.filter(r => r.priority.level === 4).length
+  };
+}
+
+/**
+ * Get top N recommendations
+ */
+function getTopRecommendations(recommendations, n = 5) {
+  return recommendations.slice(0, n);
+}
+
+/**
+ * Get recommendations by category
+ */
+function getRecommendationsByCategory(recommendations) {
+  return {
+    supply_chain: recommendations.filter(r => r.category === 'supply_chain'),
+    license: recommendations.filter(r => r.category === 'license'),
+    security: recommendations.filter(r => r.category === 'security'),
+    ecosystem: recommendations.filter(r => r.category === 'ecosystem'),
+    quality: recommendations.filter(r => r.category === 'quality'),
+    cleanup: recommendations.filter(r => r.category === 'cleanup'),
+    updates: recommendations.filter(r => r.category === 'updates')
+  };
+}
+
+module.exports = {
+  generateSecurityRecommendations,
+  groupByPriority,
+  calculateExpectedImpact,
+  getTopRecommendations,
+  getRecommendationsByCategory,
+  PRIORITY
+};

package/src/analyzers/supply-chain.js

@@ -0,0 +1,217 @@
+// src/analyzers/supply-chain.js
+const fs = require('fs');
+const path = require('path');
+
+/**
+ * Load known malicious packages database
+ */
+function loadMaliciousDatabase() {
+  try {
+    const dbPath = path.join(__dirname, '../../data/known-malicious.json');
+    const data = fs.readFileSync(dbPath, 'utf8');
+    return JSON.parse(data);
+  } catch (error) {
+    console.error('Error loading malicious packages database:', error.message);
+    return {
+      malicious_packages: [],
+      typosquat_patterns: {},
+      suspicious_patterns: { install_scripts: [], suspicious_dependencies: [] }
+    };
+  }
+}
+
+/**
+ * Calculate Levenshtein distance between two strings
+ */
+function levenshteinDistance(str1, str2) {
+  const matrix = [];
+  
+  for (let i = 0; i <= str2.length; i++) {
+    matrix[i] = [i];
+  }
+  
+  for (let j = 0; j <= str1.length; j++) {
+    matrix[0][j] = j;
+  }
+  
+  for (let i = 1; i <= str2.length; i++) {
+    for (let j = 1; j <= str1.length; j++) {
+      if (str2.charAt(i - 1) === str1.charAt(j - 1)) {
+        matrix[i][j] = matrix[i - 1][j - 1];
+      } else {
+        matrix[i][j] = Math.min(
+          matrix[i - 1][j - 1] + 1,
+          matrix[i][j - 1] + 1,
+          matrix[i - 1][j] + 1
+        );
+      }
+    }
+  }
+  
+  return matrix[str2.length][str1.length];
+}
+
+/**
+ * Detect typosquatting attempts
+ */
+function detectTyposquatting(packageName, database) {
+  const warnings = [];
+  
+  // Check against known typosquat patterns
+  for (const [official, typos] of Object.entries(database.typosquat_patterns)) {
+    if (typos.includes(packageName.toLowerCase())) {
+      warnings.push({
+        package: packageName,
+        type: 'typosquatting',
+        severity: 'high',
+        official: official,
+        message: `Potential typosquatting: "${packageName}" is similar to official package "${official}"`,
+        recommendation: `Remove ${packageName} and install ${official} instead`
+      });
+    }
+  }
+  
+  // Check Levenshtein distance against popular packages
+  const popularPackages = Object.keys(database.typosquat_patterns);
+  for (const popular of popularPackages) {
+    const distance = levenshteinDistance(packageName.toLowerCase(), popular.toLowerCase());
+    
+    // If distance is 1-2 characters and not already flagged
+    if (distance > 0 && distance <= 2 && packageName !== popular) {
+      const alreadyFlagged = warnings.some(w => w.package === packageName);
+      
+      if (!alreadyFlagged) {
+        warnings.push({
+          package: packageName,
+          type: 'typosquatting_suspected',
+          severity: 'medium',
+          official: popular,
+          message: `Possible typosquatting: "${packageName}" is very similar to "${popular}"`,
+          recommendation: `Verify if you meant to install ${popular}`
+        });
+      }
+    }
+  }
+  
+  return warnings;
+}
+
+/**
+ * Check if package is known malicious
+ */
+function checkMaliciousPackage(packageName, database) {
+  if (database.malicious_packages.includes(packageName.toLowerCase())) {
+    return {
+      package: packageName,
+      type: 'malicious',
+      severity: 'critical',
+      message: `Known malicious package detected: ${packageName}`,
+      recommendation: 'Remove immediately - this package is known to be malicious'
+    };
+  }
+  return null;
+}
+
+/**
+ * Analyze install scripts for suspicious patterns
+ */
+function analyzeInstallScripts(projectPath, dependencies) {
+  const warnings = [];
+  const database = loadMaliciousDatabase();
+  
+  try {
+    for (const dep of Object.keys(dependencies)) {
+      const packageJsonPath = path.join(projectPath, 'node_modules', dep, 'package.json');
+      
+      if (!fs.existsSync(packageJsonPath)) {
+        continue;
+      }
+      
+      const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
+      const scripts = packageJson.scripts || {};
+      
+      // Check for install hooks
+      const installHooks = ['preinstall', 'install', 'postinstall'];
+      
+      for (const hook of installHooks) {
+        if (scripts[hook]) {
+          const script = scripts[hook].toLowerCase();
+          
+          // Check for suspicious patterns
+          const suspiciousPatterns = database.suspicious_patterns.install_scripts;
+          const foundPatterns = suspiciousPatterns.filter(pattern => 
+            script.includes(pattern.toLowerCase())
+          );
+          
+          if (foundPatterns.length > 0) {
+            warnings.push({
+              package: `${dep}@${packageJson.version}`,
+              type: 'install_script',
+              severity: foundPatterns.some(p => ['curl', 'wget', 'eval', 'exec'].includes(p)) ? 'high' : 'medium',
+              script: hook,
+              action: scripts[hook],
+              patterns: foundPatterns,
+              message: `Install script contains suspicious patterns: ${foundPatterns.join(', ')}`,
+              recommendation: 'Review the install script before deployment'
+            });
+          }
+        }
+      }
+    }
+  } catch (error) {
+    console.error('Error analyzing install scripts:', error.message);
+  }
+  
+  return warnings;
+}
+
+/**
+ * Perform comprehensive supply chain security analysis
+ */
+async function analyzeSupplyChain(projectPath, dependencies) {
+  const warnings = [];
+  const database = loadMaliciousDatabase();
+  
+  // Check each dependency
+  for (const [packageName, version] of Object.entries(dependencies)) {
+    // 1. Check if known malicious
+    const maliciousCheck = checkMaliciousPackage(packageName, database);
+    if (maliciousCheck) {
+      warnings.push(maliciousCheck);
+    }
+    
+    // 2. Detect typosquatting
+    const typosquatWarnings = detectTyposquatting(packageName, database);
+    warnings.push(...typosquatWarnings);
+  }
+  
+  // 3. Analyze install scripts
+  const scriptWarnings = analyzeInstallScripts(projectPath, dependencies);
+  warnings.push(...scriptWarnings);
+  
+  return warnings;
+}
+
+/**
+ * Get supply chain statistics
+ */
+function getSupplyChainStats(warnings) {
+  return {
+    total: warnings.length,
+    critical: warnings.filter(w => w.severity === 'critical').length,
+    high: warnings.filter(w => w.severity === 'high').length,
+    medium: warnings.filter(w => w.severity === 'medium').length,
+    malicious: warnings.filter(w => w.type === 'malicious').length,
+    typosquatting: warnings.filter(w => w.type === 'typosquatting' || w.type === 'typosquatting_suspected').length,
+    installScripts: warnings.filter(w => w.type === 'install_script').length
+  };
+}
+
+module.exports = {
+  analyzeSupplyChain,
+  detectTyposquatting,
+  checkMaliciousPackage,
+  analyzeInstallScripts,
+  getSupplyChainStats,
+  loadMaliciousDatabase
+};