ferret-scan 1.0.0

package/dist/utils/baseline.js

@@ -0,0 +1,276 @@
+/**
+ * Baseline Management - Track and ignore accepted findings
+ * Allows users to create baselines of known/accepted security findings
+ */
+import { writeFileSync, readFileSync, existsSync } from 'node:fs';
+import { resolve, dirname } from 'node:path';
+import { mkdirSync } from 'node:fs';
+import logger from './logger.js';
+/**
+ * Generate a hash for a finding to uniquely identify it
+ */
+function generateFindingHash(finding) {
+    const content = `${finding.ruleId}:${finding.relativePath}:${finding.line}:${finding.match}`;
+    // Simple hash function (could use crypto for better security)
+    let hash = 0;
+    for (let i = 0; i < content.length; i++) {
+        const char = content.charCodeAt(i);
+        hash = ((hash << 5) - hash) + char;
+        hash = hash & hash; // Convert to 32-bit integer
+    }
+    return Math.abs(hash).toString(36);
+}
+/**
+ * Load baseline from file
+ */
+export function loadBaseline(baselinePath) {
+    try {
+        if (!existsSync(baselinePath)) {
+            return null;
+        }
+        const content = readFileSync(baselinePath, 'utf-8');
+        const baseline = JSON.parse(content);
+        // Validate baseline structure
+        if (!baseline.version || !baseline.findings || !Array.isArray(baseline.findings)) {
+            throw new Error('Invalid baseline format');
+        }
+        logger.debug(`Loaded baseline with ${baseline.findings.length} accepted findings`);
+        return baseline;
+    }
+    catch (error) {
+        logger.error(`Failed to load baseline from ${baselinePath}:`, error);
+        return null;
+    }
+}
+/**
+ * Save baseline to file
+ */
+export function saveBaseline(baseline, baselinePath) {
+    try {
+        // Ensure directory exists
+        const dir = dirname(baselinePath);
+        mkdirSync(dir, { recursive: true });
+        // Update lastUpdated timestamp
+        baseline.lastUpdated = new Date().toISOString();
+        // Write baseline file
+        const content = JSON.stringify(baseline, null, 2);
+        writeFileSync(baselinePath, content, 'utf-8');
+        logger.info(`Baseline saved to ${baselinePath} with ${baseline.findings.length} findings`);
+    }
+    catch (error) {
+        logger.error(`Failed to save baseline to ${baselinePath}:`, error);
+        throw error;
+    }
+}
+/**
+ * Create a new baseline from scan results
+ */
+export function createBaseline(result, description) {
+    const now = new Date().toISOString();
+    const baselineFindings = result.findings.map(finding => ({
+        ruleId: finding.ruleId,
+        file: finding.relativePath,
+        line: finding.line,
+        match: finding.match,
+        hash: generateFindingHash(finding),
+        acceptedDate: now,
+    }));
+    return {
+        version: '1.0',
+        createdDate: now,
+        lastUpdated: now,
+        description: description ?? `Baseline created from scan of ${result.scannedPaths.join(', ')}`,
+        findings: baselineFindings,
+    };
+}
+/**
+ * Add findings to an existing baseline
+ */
+export function addToBaseline(baseline, findings, reason) {
+    const now = new Date().toISOString();
+    const existingHashes = new Set(baseline.findings.map(f => f.hash));
+    const newFindings = findings
+        .filter(finding => {
+        const hash = generateFindingHash(finding);
+        return !existingHashes.has(hash);
+    })
+        .map(finding => ({
+        ruleId: finding.ruleId,
+        file: finding.relativePath,
+        line: finding.line,
+        match: finding.match,
+        hash: generateFindingHash(finding),
+        acceptedDate: now,
+        ...(reason && { reason }),
+    }));
+    logger.info(`Adding ${newFindings.length} new findings to baseline`);
+    return {
+        ...baseline,
+        lastUpdated: now,
+        findings: [...baseline.findings, ...newFindings],
+    };
+}
+/**
+ * Remove findings from baseline
+ */
+export function removeFromBaseline(baseline, findingHashes) {
+    const hashSet = new Set(findingHashes);
+    const filteredFindings = baseline.findings.filter(f => !hashSet.has(f.hash));
+    const removedCount = baseline.findings.length - filteredFindings.length;
+    logger.info(`Removed ${removedCount} findings from baseline`);
+    return {
+        ...baseline,
+        lastUpdated: new Date().toISOString(),
+        findings: filteredFindings,
+    };
+}
+/**
+ * Filter scan results against baseline
+ */
+export function filterAgainstBaseline(result, baseline) {
+    if (!baseline || baseline.findings.length === 0) {
+        return result; // No filtering needed
+    }
+    // Create hash set of baseline findings for fast lookup
+    const baselineHashes = new Set(baseline.findings.map(f => f.hash));
+    // Filter out findings that exist in baseline
+    const filteredFindings = result.findings.filter(finding => {
+        const hash = generateFindingHash(finding);
+        const isInBaseline = baselineHashes.has(hash);
+        if (isInBaseline) {
+            logger.debug(`Filtered baseline finding: ${finding.ruleId} in ${finding.relativePath}:${finding.line}`);
+        }
+        return !isInBaseline;
+    });
+    const filteredCount = result.findings.length - filteredFindings.length;
+    logger.info(`Filtered ${filteredCount} baseline findings, ${filteredFindings.length} new findings remain`);
+    // Recalculate summary and groupings
+    const newSummary = {
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 0,
+        info: 0,
+        total: filteredFindings.length,
+    };
+    const newFindingsBySeverity = {
+        CRITICAL: [],
+        HIGH: [],
+        MEDIUM: [],
+        LOW: [],
+        INFO: [],
+    };
+    const newFindingsByCategory = {
+        injection: [],
+        credentials: [],
+        backdoors: [],
+        'supply-chain': [],
+        permissions: [],
+        persistence: [],
+        obfuscation: [],
+        'ai-specific': [],
+        'advanced-hiding': [],
+        behavioral: [],
+        exfiltration: [],
+    };
+    for (const finding of filteredFindings) {
+        // Update summary
+        switch (finding.severity) {
+            case 'CRITICAL':
+                newSummary.critical++;
+                break;
+            case 'HIGH':
+                newSummary.high++;
+                break;
+            case 'MEDIUM':
+                newSummary.medium++;
+                break;
+            case 'LOW':
+                newSummary.low++;
+                break;
+            case 'INFO':
+                newSummary.info++;
+                break;
+        }
+        // Group by severity and category
+        newFindingsBySeverity[finding.severity]?.push(finding);
+        newFindingsByCategory[finding.category]?.push(finding);
+    }
+    return {
+        ...result,
+        findings: filteredFindings,
+        summary: newSummary,
+        findingsBySeverity: newFindingsBySeverity,
+        findingsByCategory: newFindingsByCategory,
+    };
+}
+/**
+ * Check if baseline findings are still valid
+ */
+export function validateBaseline(baseline, currentResult) {
+    const currentHashes = new Set(currentResult.findings.map(finding => generateFindingHash(finding)));
+    const valid = [];
+    const invalid = [];
+    for (const baselineFinding of baseline.findings) {
+        if (currentHashes.has(baselineFinding.hash)) {
+            valid.push(baselineFinding);
+        }
+        else {
+            invalid.push(baselineFinding);
+        }
+    }
+    if (invalid.length > 0) {
+        logger.info(`Baseline validation: ${valid.length} valid, ${invalid.length} invalid findings`);
+    }
+    return { valid, invalid };
+}
+/**
+ * Get default baseline path for a project
+ */
+export function getDefaultBaselinePath(scanPaths) {
+    // Try to find a good location for baseline file
+    const firstPath = scanPaths[0] ?? process.cwd();
+    return resolve(firstPath, '.ferret-baseline.json');
+}
+/**
+ * Baseline statistics
+ */
+export function getBaselineStats(baseline) {
+    const byRule = {};
+    const bySeverity = {};
+    let oldestDate = new Date().toISOString();
+    let newestDate = '1970-01-01T00:00:00.000Z';
+    for (const finding of baseline.findings) {
+        // Count by rule
+        byRule[finding.ruleId] = (byRule[finding.ruleId] ?? 0) + 1;
+        // Extract severity from rule ID (if follows pattern like CRED-001)
+        const severity = finding.ruleId.split('-')[0] ?? 'UNKNOWN';
+        bySeverity[severity] = (bySeverity[severity] ?? 0) + 1;
+        // Track date range
+        if (finding.acceptedDate < oldestDate) {
+            oldestDate = finding.acceptedDate;
+        }
+        if (finding.acceptedDate > newestDate) {
+            newestDate = finding.acceptedDate;
+        }
+    }
+    return {
+        totalFindings: baseline.findings.length,
+        byRule,
+        bySeverity,
+        oldestFinding: oldestDate,
+        newestFinding: newestDate,
+    };
+}
+export default {
+    loadBaseline,
+    saveBaseline,
+    createBaseline,
+    addToBaseline,
+    removeFromBaseline,
+    filterAgainstBaseline,
+    validateBaseline,
+    getDefaultBaselinePath,
+    getBaselineStats,
+};
+//# sourceMappingURL=baseline.js.map

package/dist/utils/config.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Configuration loader for Ferret-Scan
+ * Loads and merges configuration from files and CLI options
+ */
+import type { ScannerConfig, CliOptions } from '../types.js';
+/**
+ * Get AI CLI configuration paths
+ * Detects configurations for Claude Code, Cursor, Windsurf, Continue, Aider, Cline, and generic AI configs
+ */
+export declare function getAIConfigPaths(): string[];
+/**
+ * Get Claude Code configuration paths
+ * @deprecated Use getAIConfigPaths() instead
+ */
+export declare function getClaudeConfigPaths(): string[];
+/**
+ * Load and merge configuration from all sources
+ */
+export declare function loadConfig(cliOptions: CliOptions): ScannerConfig;
+export default loadConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/utils/config.js

@@ -0,0 +1,247 @@
+/**
+ * Configuration loader for Ferret-Scan
+ * Loads and merges configuration from files and CLI options
+ */
+import { readFileSync, existsSync } from 'node:fs';
+import { resolve, dirname } from 'node:path';
+import { homedir } from 'node:os';
+import { DEFAULT_CONFIG } from '../types.js';
+import logger from './logger.js';
+const CONFIG_FILE_NAMES = [
+    '.ferretrc.json',
+    '.ferretrc',
+    'ferret.config.json',
+    '.ferret/config.json',
+];
+/**
+ * Find configuration file starting from a directory and walking up
+ */
+function findConfigFile(startDir) {
+    let currentDir = resolve(startDir);
+    const root = dirname(currentDir);
+    while (currentDir !== root) {
+        for (const configName of CONFIG_FILE_NAMES) {
+            const configPath = resolve(currentDir, configName);
+            if (existsSync(configPath)) {
+                logger.debug(`Found config file: ${configPath}`);
+                return configPath;
+            }
+        }
+        currentDir = dirname(currentDir);
+    }
+    // Check home directory
+    const homeConfig = resolve(homedir(), '.ferretrc.json');
+    if (existsSync(homeConfig)) {
+        logger.debug(`Found home config: ${homeConfig}`);
+        return homeConfig;
+    }
+    return null;
+}
+/**
+ * Load configuration file
+ */
+function loadConfigFile(configPath) {
+    try {
+        const content = readFileSync(configPath, 'utf-8');
+        const config = JSON.parse(content);
+        logger.debug(`Loaded config from: ${configPath}`);
+        return config;
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        logger.warn(`Failed to load config file ${configPath}: ${message}`);
+        return {};
+    }
+}
+/**
+ * Parse severity string to array
+ */
+function parseSeverities(severityStr) {
+    if (!severityStr)
+        return undefined;
+    const severities = severityStr.split(',').map(s => s.trim().toUpperCase());
+    const validSeverities = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO'];
+    return severities.filter(s => validSeverities.includes(s));
+}
+/**
+ * Parse categories string to array
+ */
+function parseCategories(categoriesStr) {
+    if (!categoriesStr)
+        return undefined;
+    const categories = categoriesStr.split(',').map(c => c.trim().toLowerCase());
+    const validCategories = [
+        'exfiltration', 'credentials', 'injection', 'backdoors',
+        'supply-chain', 'permissions', 'persistence', 'obfuscation',
+        'ai-specific', 'advanced-hiding', 'behavioral'
+    ];
+    return categories.filter(c => validCategories.includes(c));
+}
+/**
+ * AI CLI configuration directory patterns
+ * Supports multiple AI assistants and their config locations
+ */
+const AI_CLI_PATTERNS = {
+    // Claude Code
+    claude: {
+        dirs: ['.claude'],
+        files: ['CLAUDE.md', '.mcp.json'],
+    },
+    // Cursor
+    cursor: {
+        dirs: ['.cursor'],
+        files: ['.cursorrules'],
+    },
+    // Windsurf
+    windsurf: {
+        dirs: ['.windsurf'],
+        files: ['.windsurfrules'],
+    },
+    // Continue
+    continue: {
+        dirs: ['.continue'],
+        files: [],
+    },
+    // Aider
+    aider: {
+        dirs: ['.aider'],
+        files: ['.aider.conf.yml', '.aiderignore'],
+    },
+    // Cline
+    cline: {
+        dirs: ['.cline'],
+        files: ['.clinerules'],
+    },
+    // Generic AI
+    generic: {
+        dirs: ['.ai'],
+        files: ['AI.md', 'AGENT.md', 'AGENTS.md'],
+    },
+};
+/**
+ * Get AI CLI configuration paths
+ * Detects configurations for Claude Code, Cursor, Windsurf, Continue, Aider, Cline, and generic AI configs
+ */
+export function getAIConfigPaths() {
+    const paths = [];
+    const cwd = process.cwd();
+    const home = homedir();
+    // Check all AI CLI patterns
+    for (const cli of Object.values(AI_CLI_PATTERNS)) {
+        // Check directories (both global and project-level)
+        for (const dir of cli.dirs) {
+            const globalDir = resolve(home, dir);
+            if (existsSync(globalDir)) {
+                paths.push(globalDir);
+            }
+            const projectDir = resolve(cwd, dir);
+            if (existsSync(projectDir)) {
+                paths.push(projectDir);
+            }
+        }
+        // Check files (project-level only)
+        for (const file of cli.files) {
+            const projectFile = resolve(cwd, file);
+            if (existsSync(projectFile)) {
+                paths.push(projectFile);
+            }
+        }
+    }
+    return paths;
+}
+/**
+ * Get Claude Code configuration paths
+ * @deprecated Use getAIConfigPaths() instead
+ */
+export function getClaudeConfigPaths() {
+    return getAIConfigPaths();
+}
+/**
+ * Load and merge configuration from all sources
+ */
+export function loadConfig(cliOptions) {
+    // Start with defaults
+    const config = { ...DEFAULT_CONFIG };
+    // Load config file if exists
+    const configPath = cliOptions.config ?? findConfigFile(process.cwd());
+    if (configPath) {
+        const fileConfig = loadConfigFile(configPath);
+        // Merge file config
+        if (fileConfig.severity) {
+            config.severities = fileConfig.severity;
+        }
+        if (fileConfig.categories) {
+            config.categories = fileConfig.categories;
+        }
+        if (fileConfig.ignore) {
+            config.ignore = [...config.ignore, ...fileConfig.ignore];
+        }
+        if (fileConfig.customRules) {
+            config.customRules = fileConfig.customRules;
+        }
+        if (fileConfig.failOn) {
+            config.failOn = fileConfig.failOn;
+        }
+        if (fileConfig.aiDetection?.enabled !== undefined) {
+            config.aiDetection = fileConfig.aiDetection.enabled;
+        }
+        if (fileConfig.threatIntelligence?.enabled !== undefined) {
+            config.threatIntel = fileConfig.threatIntelligence.enabled;
+        }
+        if (fileConfig.behaviorAnalysis?.enabled !== undefined) {
+            config.behaviorAnalysis = fileConfig.behaviorAnalysis.enabled;
+        }
+    }
+    // Apply CLI options (highest priority)
+    if (cliOptions.path) {
+        config.paths = [resolve(cliOptions.path)];
+    }
+    else {
+        // Default to AI CLI config paths
+        config.paths = getAIConfigPaths();
+    }
+    const parsedSeverities = parseSeverities(cliOptions.severity);
+    if (parsedSeverities?.length) {
+        config.severities = parsedSeverities;
+    }
+    const parsedCategories = parseCategories(cliOptions.categories);
+    if (parsedCategories?.length) {
+        config.categories = parsedCategories;
+    }
+    if (cliOptions.failOn) {
+        config.failOn = cliOptions.failOn.toUpperCase();
+    }
+    if (cliOptions.format) {
+        config.format = cliOptions.format;
+    }
+    if (cliOptions.output) {
+        config.outputFile = cliOptions.output;
+    }
+    if (cliOptions.watch !== undefined) {
+        config.watch = cliOptions.watch;
+    }
+    if (cliOptions.ci !== undefined) {
+        config.ci = cliOptions.ci;
+    }
+    if (cliOptions.verbose !== undefined) {
+        config.verbose = cliOptions.verbose;
+    }
+    if (cliOptions.aiDetection !== undefined) {
+        config.aiDetection = cliOptions.aiDetection;
+    }
+    if (cliOptions.threatIntel !== undefined) {
+        config.threatIntel = cliOptions.threatIntel;
+    }
+    if (cliOptions.semanticAnalysis !== undefined) {
+        config.semanticAnalysis = cliOptions.semanticAnalysis;
+    }
+    if (cliOptions.correlationAnalysis !== undefined) {
+        config.correlationAnalysis = cliOptions.correlationAnalysis;
+    }
+    if (cliOptions.autoRemediation !== undefined) {
+        config.autoRemediation = cliOptions.autoRemediation;
+    }
+    return config;
+}
+export default loadConfig;
+//# sourceMappingURL=config.js.map

package/dist/utils/ignore.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Ignore file parser for Ferret-Scan
+ * Handles .ferretignore files similar to .gitignore
+ */
+export interface Ignore {
+    add(patterns: string | string[]): Ignore;
+    ignores(path: string): boolean;
+}
+/**
+ * Create an ignore filter instance
+ */
+export declare function createIgnoreFilter(baseDir: string, additionalPatterns?: string[]): Ignore;
+/**
+ * Check if a path should be ignored
+ */
+export declare function shouldIgnore(ig: Ignore, filePath: string, baseDir: string): boolean;
+export default createIgnoreFilter;
+//# sourceMappingURL=ignore.d.ts.map

package/dist/utils/ignore.js

@@ -0,0 +1,82 @@
+/**
+ * Ignore file parser for Ferret-Scan
+ * Handles .ferretignore files similar to .gitignore
+ */
+import { readFileSync, existsSync } from 'node:fs';
+import { resolve, dirname, relative } from 'node:path';
+import { createRequire } from 'node:module';
+const require = createRequire(import.meta.url);
+const ignoreFactory = require('ignore');
+import logger from './logger.js';
+const IGNORE_FILE_NAMES = [
+    '.ferretignore',
+    '.ferret/ignore',
+];
+/**
+ * Find and load ignore patterns from files
+ */
+function findIgnoreFiles(startDir) {
+    const files = [];
+    let currentDir = resolve(startDir);
+    const root = dirname(currentDir);
+    while (currentDir !== root) {
+        for (const ignoreName of IGNORE_FILE_NAMES) {
+            const ignorePath = resolve(currentDir, ignoreName);
+            if (existsSync(ignorePath)) {
+                files.push(ignorePath);
+            }
+        }
+        currentDir = dirname(currentDir);
+    }
+    return files;
+}
+/**
+ * Load patterns from an ignore file
+ */
+function loadIgnorePatterns(filePath) {
+    try {
+        const content = readFileSync(filePath, 'utf-8');
+        return content
+            .split('\n')
+            .map(line => line.trim())
+            .filter(line => line && !line.startsWith('#'));
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        logger.warn(`Failed to load ignore file ${filePath}: ${message}`);
+        return [];
+    }
+}
+/**
+ * Create an ignore filter instance
+ */
+export function createIgnoreFilter(baseDir, additionalPatterns = []) {
+    const ig = ignoreFactory();
+    // Load patterns from ignore files
+    const ignoreFiles = findIgnoreFiles(baseDir);
+    for (const file of ignoreFiles) {
+        const patterns = loadIgnorePatterns(file);
+        logger.debug(`Loaded ${patterns.length} patterns from ${file}`);
+        ig.add(patterns);
+    }
+    // Add additional patterns (from config)
+    if (additionalPatterns.length > 0) {
+        ig.add(additionalPatterns);
+    }
+    // Always ignore certain patterns
+    ig.add([
+        '.git',
+        'node_modules',
+        '.ferret-quarantine',
+    ]);
+    return ig;
+}
+/**
+ * Check if a path should be ignored
+ */
+export function shouldIgnore(ig, filePath, baseDir) {
+    const relativePath = relative(baseDir, filePath);
+    return ig.ignores(relativePath);
+}
+export default createIgnoreFilter;
+//# sourceMappingURL=ignore.js.map

package/dist/utils/logger.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Logger utility for Ferret-Scan
+ * Provides consistent logging with levels and formatting
+ */
+import type { Severity } from '../types.js';
+export type LogLevel = 'debug' | 'info' | 'warn' | 'error' | 'silent';
+interface LoggerConfig {
+    level: LogLevel;
+    verbose: boolean;
+    ci: boolean;
+}
+declare class Logger {
+    private config;
+    configure(config: Partial<LoggerConfig>): void;
+    private shouldLog;
+    private formatMessage;
+    debug(message: string, ...args: unknown[]): void;
+    info(message: string, ...args: unknown[]): void;
+    warn(message: string, ...args: unknown[]): void;
+    error(message: string, ...args: unknown[]): void;
+    /** Log without any formatting - for direct output */
+    raw(message: string): void;
+    /** Log finding with severity-appropriate formatting */
+    finding(severity: Severity, message: string): void;
+    /** Get current log level */
+    getLevel(): LogLevel;
+    /** Check if verbose mode is enabled */
+    isVerbose(): boolean;
+}
+export declare const logger: Logger;
+export default logger;
+//# sourceMappingURL=logger.d.ts.map