ferret-scan 1.0.0

package/dist/intelligence/ThreatFeed.d.ts

@@ -0,0 +1,99 @@
+/**
+ * Threat Feed Manager - Manages file-based threat intelligence feeds
+ * Provides indicators of compromise (IoCs) for enhanced security detection
+ */
+/**
+ * Threat intelligence indicator types
+ */
+export type IndicatorType = 'domain' | 'url' | 'ip' | 'hash' | 'email' | 'filename' | 'package' | 'pattern' | 'signature';
+/**
+ * Threat intelligence source
+ */
+export interface ThreatSource {
+    name: string;
+    url?: string;
+    description: string;
+    lastUpdated: string;
+    enabled: boolean;
+    format: 'json' | 'csv' | 'txt';
+}
+/**
+ * Threat indicator
+ */
+export interface ThreatIndicator {
+    value: string;
+    type: IndicatorType;
+    category: string;
+    severity: 'critical' | 'high' | 'medium' | 'low';
+    description: string;
+    source: string;
+    firstSeen: string;
+    lastSeen: string;
+    confidence: number;
+    tags: string[];
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Threat intelligence database
+ */
+export interface ThreatDatabase {
+    version: string;
+    lastUpdated: string;
+    sources: ThreatSource[];
+    indicators: ThreatIndicator[];
+    stats: {
+        totalIndicators: number;
+        byType: Record<IndicatorType, number>;
+        byCategory: Record<string, number>;
+        bySeverity: Record<string, number>;
+    };
+}
+/**
+ * Load threat intelligence database
+ */
+export declare function loadThreatDatabase(intelDir?: string): ThreatDatabase;
+/**
+ * Save threat intelligence database
+ */
+export declare function saveThreatDatabase(db: ThreatDatabase, intelDir?: string): void;
+/**
+ * Add indicators to database
+ */
+export declare function addIndicators(db: ThreatDatabase, indicators: Omit<ThreatIndicator, 'firstSeen' | 'lastSeen'>[]): ThreatDatabase;
+/**
+ * Remove indicators from database
+ */
+export declare function removeIndicators(db: ThreatDatabase, indicatorIds: string[]): ThreatDatabase;
+/**
+ * Get indicators by type
+ */
+export declare function getIndicatorsByType(db: ThreatDatabase, type: IndicatorType): ThreatIndicator[];
+/**
+ * Get indicators by category
+ */
+export declare function getIndicatorsByCategory(db: ThreatDatabase, category: string): ThreatIndicator[];
+/**
+ * Get high-confidence indicators
+ */
+export declare function getHighConfidenceIndicators(db: ThreatDatabase, minConfidence?: number): ThreatIndicator[];
+/**
+ * Search indicators by value
+ */
+export declare function searchIndicators(db: ThreatDatabase, query: string): ThreatIndicator[];
+/**
+ * Check if database needs updating
+ */
+export declare function needsUpdate(db: ThreatDatabase, maxAgeHours?: number): boolean;
+declare const _default: {
+    loadThreatDatabase: typeof loadThreatDatabase;
+    saveThreatDatabase: typeof saveThreatDatabase;
+    addIndicators: typeof addIndicators;
+    removeIndicators: typeof removeIndicators;
+    getIndicatorsByType: typeof getIndicatorsByType;
+    getIndicatorsByCategory: typeof getIndicatorsByCategory;
+    getHighConfidenceIndicators: typeof getHighConfidenceIndicators;
+    searchIndicators: typeof searchIndicators;
+    needsUpdate: typeof needsUpdate;
+};
+export default _default;
+//# sourceMappingURL=ThreatFeed.d.ts.map

package/dist/intelligence/ThreatFeed.js

@@ -0,0 +1,296 @@
+/**
+ * Threat Feed Manager - Manages file-based threat intelligence feeds
+ * Provides indicators of compromise (IoCs) for enhanced security detection
+ */
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'node:fs';
+import { resolve } from 'node:path';
+import logger from '../utils/logger.js';
+/**
+ * Default threat intelligence directory
+ */
+const DEFAULT_INTEL_DIR = '.ferret-intel';
+/**
+ * Built-in threat sources for AI CLI environments
+ */
+const BUILTIN_SOURCES = [
+    {
+        name: 'ai-cli-malicious-packages',
+        description: 'Known malicious npm packages targeting AI CLI environments',
+        lastUpdated: new Date().toISOString(),
+        enabled: true,
+        format: 'json'
+    },
+    {
+        name: 'ai-cli-suspicious-domains',
+        description: 'Suspicious domains used in AI CLI exploitation attempts',
+        lastUpdated: new Date().toISOString(),
+        enabled: true,
+        format: 'json'
+    },
+    {
+        name: 'ai-cli-backdoor-patterns',
+        description: 'Code patterns associated with AI CLI-specific backdoors',
+        lastUpdated: new Date().toISOString(),
+        enabled: true,
+        format: 'json'
+    }
+];
+/**
+ * Built-in threat indicators
+ */
+const BUILTIN_INDICATORS = [
+    // Malicious domains
+    {
+        value: 'evil-ai-api.com',
+        type: 'domain',
+        category: 'phishing',
+        severity: 'high',
+        description: 'Fake AI API endpoint used for credential harvesting',
+        source: 'ai-cli-suspicious-domains',
+        firstSeen: '2024-01-01T00:00:00Z',
+        lastSeen: new Date().toISOString(),
+        confidence: 95,
+        tags: ['phishing', 'fake-api', 'credential-theft']
+    },
+    {
+        value: 'anthropic-fake.net',
+        type: 'domain',
+        category: 'phishing',
+        severity: 'high',
+        description: 'Impersonates legitimate AI provider domain',
+        source: 'ai-cli-suspicious-domains',
+        firstSeen: '2024-01-01T00:00:00Z',
+        lastSeen: new Date().toISOString(),
+        confidence: 90,
+        tags: ['phishing', 'impersonation']
+    },
+    // Malicious packages
+    {
+        value: 'ai-jailbreak-helper',
+        type: 'package',
+        category: 'malicious-package',
+        severity: 'critical',
+        description: 'Package designed to bypass AI assistant safety mechanisms',
+        source: 'ai-cli-malicious-packages',
+        firstSeen: '2024-01-01T00:00:00Z',
+        lastSeen: new Date().toISOString(),
+        confidence: 100,
+        tags: ['jailbreak', 'bypass', 'malicious-npm']
+    },
+    {
+        value: 'anthropic-sdk-fake',
+        type: 'package',
+        category: 'malicious-package',
+        severity: 'high',
+        description: 'Fake AI SDK that steals credentials',
+        source: 'ai-cli-malicious-packages',
+        firstSeen: '2024-01-01T00:00:00Z',
+        lastSeen: new Date().toISOString(),
+        confidence: 95,
+        tags: ['credential-theft', 'fake-sdk']
+    },
+    // Backdoor patterns
+    {
+        value: 'ignore.*previous.*instructions?.*forget.*rules?',
+        type: 'pattern',
+        category: 'jailbreak-attempt',
+        severity: 'high',
+        description: 'Pattern attempting to override AI assistant safety instructions',
+        source: 'ai-cli-backdoor-patterns',
+        firstSeen: '2024-01-01T00:00:00Z',
+        lastSeen: new Date().toISOString(),
+        confidence: 85,
+        tags: ['jailbreak', 'instruction-override']
+    },
+    {
+        value: 'developer.*mode.*enabled|admin.*access.*granted',
+        type: 'pattern',
+        category: 'privilege-escalation',
+        severity: 'medium',
+        description: 'Attempts to claim elevated privileges in AI assistants',
+        source: 'ai-cli-backdoor-patterns',
+        firstSeen: '2024-01-01T00:00:00Z',
+        lastSeen: new Date().toISOString(),
+        confidence: 75,
+        tags: ['privilege-escalation', 'social-engineering']
+    },
+    // Hash indicators (example malicious file hashes)
+    {
+        value: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
+        type: 'hash',
+        category: 'malicious-file',
+        severity: 'critical',
+        description: 'Hash of known malicious AI CLI configuration file',
+        source: 'ai-cli-malicious-packages',
+        firstSeen: '2024-01-01T00:00:00Z',
+        lastSeen: new Date().toISOString(),
+        confidence: 100,
+        tags: ['malicious-config', 'sha256']
+    }
+];
+/**
+ * Load threat intelligence database
+ */
+export function loadThreatDatabase(intelDir = DEFAULT_INTEL_DIR) {
+    const dbPath = resolve(intelDir, 'threat-db.json');
+    if (!existsSync(dbPath)) {
+        logger.debug(`No threat database found at ${dbPath}, creating default`);
+        return createDefaultDatabase();
+    }
+    try {
+        const content = readFileSync(dbPath, 'utf-8');
+        const db = JSON.parse(content);
+        logger.debug(`Loaded threat database with ${db.indicators.length} indicators`);
+        return db;
+    }
+    catch (error) {
+        logger.warn(`Failed to load threat database from ${dbPath}: ${error instanceof Error ? error.message : String(error)}`);
+        return createDefaultDatabase();
+    }
+}
+/**
+ * Save threat intelligence database
+ */
+export function saveThreatDatabase(db, intelDir = DEFAULT_INTEL_DIR) {
+    try {
+        // Ensure directory exists
+        mkdirSync(intelDir, { recursive: true });
+        const dbPath = resolve(intelDir, 'threat-db.json');
+        // Update metadata
+        db.lastUpdated = new Date().toISOString();
+        db.stats = calculateStats(db.indicators);
+        const content = JSON.stringify(db, null, 2);
+        writeFileSync(dbPath, content, 'utf-8');
+        logger.info(`Saved threat database to ${dbPath} with ${db.indicators.length} indicators`);
+    }
+    catch (error) {
+        logger.error(`Failed to save threat database: ${error instanceof Error ? error.message : String(error)}`);
+        throw error;
+    }
+}
+/**
+ * Create default threat database
+ */
+function createDefaultDatabase() {
+    const db = {
+        version: '1.0',
+        lastUpdated: new Date().toISOString(),
+        sources: BUILTIN_SOURCES,
+        indicators: BUILTIN_INDICATORS,
+        stats: calculateStats(BUILTIN_INDICATORS)
+    };
+    return db;
+}
+/**
+ * Calculate database statistics
+ */
+function calculateStats(indicators) {
+    const stats = {
+        totalIndicators: indicators.length,
+        byType: {},
+        byCategory: {},
+        bySeverity: {}
+    };
+    // Initialize type counts
+    const types = ['domain', 'url', 'ip', 'hash', 'email', 'filename', 'package', 'pattern', 'signature'];
+    for (const type of types) {
+        stats.byType[type] = 0;
+    }
+    // Count indicators
+    for (const indicator of indicators) {
+        stats.byType[indicator.type]++;
+        stats.byCategory[indicator.category] = (stats.byCategory[indicator.category] ?? 0) + 1;
+        stats.bySeverity[indicator.severity] = (stats.bySeverity[indicator.severity] ?? 0) + 1;
+    }
+    return stats;
+}
+/**
+ * Add indicators to database
+ */
+export function addIndicators(db, indicators) {
+    const now = new Date().toISOString();
+    const newIndicators = indicators.map(indicator => ({
+        ...indicator,
+        firstSeen: now,
+        lastSeen: now
+    }));
+    // Check for duplicates
+    const existingValues = new Set(db.indicators.map(i => `${i.type}:${i.value}`));
+    const uniqueIndicators = newIndicators.filter(indicator => {
+        const key = `${indicator.type}:${indicator.value}`;
+        return !existingValues.has(key);
+    });
+    logger.info(`Adding ${uniqueIndicators.length} new threat indicators (${newIndicators.length - uniqueIndicators.length} duplicates skipped)`);
+    return {
+        ...db,
+        indicators: [...db.indicators, ...uniqueIndicators],
+        lastUpdated: now,
+        stats: calculateStats([...db.indicators, ...uniqueIndicators])
+    };
+}
+/**
+ * Remove indicators from database
+ */
+export function removeIndicators(db, indicatorIds) {
+    const idSet = new Set(indicatorIds);
+    const filteredIndicators = db.indicators.filter((indicator, index) => {
+        const id = `${indicator.type}:${indicator.value}`;
+        return !idSet.has(id) && !idSet.has(index.toString());
+    });
+    const removedCount = db.indicators.length - filteredIndicators.length;
+    logger.info(`Removed ${removedCount} threat indicators`);
+    return {
+        ...db,
+        indicators: filteredIndicators,
+        lastUpdated: new Date().toISOString(),
+        stats: calculateStats(filteredIndicators)
+    };
+}
+/**
+ * Get indicators by type
+ */
+export function getIndicatorsByType(db, type) {
+    return db.indicators.filter(indicator => indicator.type === type);
+}
+/**
+ * Get indicators by category
+ */
+export function getIndicatorsByCategory(db, category) {
+    return db.indicators.filter(indicator => indicator.category === category);
+}
+/**
+ * Get high-confidence indicators
+ */
+export function getHighConfidenceIndicators(db, minConfidence = 80) {
+    return db.indicators.filter(indicator => indicator.confidence >= minConfidence);
+}
+/**
+ * Search indicators by value
+ */
+export function searchIndicators(db, query) {
+    const lowerQuery = query.toLowerCase();
+    return db.indicators.filter(indicator => indicator.value.toLowerCase().includes(lowerQuery) ||
+        indicator.description.toLowerCase().includes(lowerQuery) ||
+        indicator.tags.some(tag => tag.toLowerCase().includes(lowerQuery)));
+}
+/**
+ * Check if database needs updating
+ */
+export function needsUpdate(db, maxAgeHours = 24) {
+    const lastUpdate = new Date(db.lastUpdated);
+    const now = new Date();
+    const ageHours = (now.getTime() - lastUpdate.getTime()) / (1000 * 60 * 60);
+    return ageHours > maxAgeHours;
+}
+export default {
+    loadThreatDatabase,
+    saveThreatDatabase,
+    addIndicators,
+    removeIndicators,
+    getIndicatorsByType,
+    getIndicatorsByCategory,
+    getHighConfidenceIndicators,
+    searchIndicators,
+    needsUpdate
+};
+//# sourceMappingURL=ThreatFeed.js.map

package/dist/remediation/Fixer.d.ts

@@ -0,0 +1,71 @@
+/**
+ * Auto-Remediation Engine - Automated security fix application
+ * Provides safe, reversible fixes for common security issues
+ */
+import type { Finding, RemediationFix } from '../types.js';
+/**
+ * Remediation result
+ */
+export interface RemediationResult {
+    success: boolean;
+    finding: Finding;
+    fixApplied?: RemediationFix;
+    backupPath?: string;
+    error?: string;
+    changes?: {
+        linesModified: number;
+        originalContent: string;
+        newContent: string;
+    };
+}
+/**
+ * Remediation options
+ */
+export interface RemediationOptions {
+    /** Create backups before making changes */
+    createBackups: boolean;
+    /** Backup directory */
+    backupDir: string;
+    /** Only apply safe fixes (safety >= 0.8) */
+    safeOnly: boolean;
+    /** Dry run mode - don't actually make changes */
+    dryRun: boolean;
+    /** Maximum file size to process (MB) */
+    maxFileSizeMB: number;
+}
+/**
+ * Apply automatic remediation to a finding
+ */
+export declare function applyRemediation(finding: Finding, options?: Partial<RemediationOptions>): Promise<RemediationResult>;
+/**
+ * Apply remediation to multiple findings
+ */
+export declare function applyRemediationBatch(findings: Finding[], options?: Partial<RemediationOptions>): Promise<RemediationResult[]>;
+/**
+ * Restore file from backup
+ */
+export declare function restoreFromBackup(backupPath: string, originalPath: string): boolean;
+/**
+ * Check if a finding can be automatically remediated
+ */
+export declare function canAutoRemediate(finding: Finding): boolean;
+/**
+ * Get remediation preview without applying changes
+ */
+export declare function previewRemediation(finding: Finding): Promise<{
+    canFix: boolean;
+    fixes: RemediationFix[];
+    preview?: {
+        originalLine: string;
+        fixedLine: string;
+    };
+}>;
+declare const _default: {
+    applyRemediation: typeof applyRemediation;
+    applyRemediationBatch: typeof applyRemediationBatch;
+    restoreFromBackup: typeof restoreFromBackup;
+    canAutoRemediate: typeof canAutoRemediate;
+    previewRemediation: typeof previewRemediation;
+};
+export default _default;
+//# sourceMappingURL=Fixer.d.ts.map