fivosense 0.1.0

package/src/engine/graph.ts

@@ -0,0 +1,167 @@
+/**
+ * FivoCore Graph Builder
+ */
+
+import { parse } from '@babel/parser';
+import * as traverseModule from '@babel/traverse';
+import * as t from '@babel/types';
+import { isSource, SourcePattern } from './sources.js';
+import { isSink, SinkPattern } from './sinks.js';
+
+// @ts-ignore - Handle CJS/ESM interop
+const traverse = traverseModule.default ?? traverseModule;
+
+export interface DataFlowNode {
+  id: string;
+  type: 'source' | 'sink' | 'variable' | 'function';
+  name: string;
+  value?: string;
+  loc?: t.SourceLocation | null;
+  sourcePattern?: SourcePattern;
+  sinkPattern?: SinkPattern;
+}
+
+export interface DataFlowEdge {
+  from: string;
+  to: string;
+  type: 'assignment' | 'call' | 'return' | 'parameter';
+  loc?: t.SourceLocation | null;
+}
+
+export interface TaintPath {
+  source: DataFlowNode;
+  sink: DataFlowNode;
+  path: DataFlowNode[];
+  sanitized: boolean;
+  confidence: number;
+}
+
+export interface DataFlowGraph {
+  nodes: Map<string, DataFlowNode>;
+  edges: DataFlowEdge[];
+  taintPaths: TaintPath[];
+}
+
+const SANITIZERS = new Set([
+  'parseInt', 'parseFloat', 'Number', 'escape', 'escapeHtml', 'sanitize',
+  'validator.escape', 'validator.trim', 'encodeURIComponent', 'encodeURI',
+]);
+
+export function buildDataFlowGraph(code: string, filename = 'input.js'): DataFlowGraph {
+  const ast = parse(code, {
+    sourceType: 'module',
+    plugins: ['jsx', 'typescript'],
+    errorRecovery: true,
+  });
+
+  const graph: DataFlowGraph = { nodes: new Map(), edges: [], taintPaths: [] };
+  const taintedVars = new Map<string, { source: SourcePattern; sanitized: boolean; node: DataFlowNode }>();
+  let nodeIdCounter = 0;
+  const getNodeId = () => `node_${nodeIdCounter++}`;
+
+  function addNode(node: DataFlowNode): DataFlowNode {
+    graph.nodes.set(node.id, node);
+    return node;
+  }
+
+  function nodeToString(node: t.Node): string {
+    if (t.isMemberExpression(node)) {
+      const obj = nodeToString(node.object);
+      const prop = t.isIdentifier(node.property) ? node.property.name : '';
+      return `${obj}.${prop}`;
+    }
+    return t.isIdentifier(node) ? node.name : t.isStringLiteral(node) ? node.value : '';
+  }
+
+  function getCalleeName(node: t.Node): string {
+    if (t.isIdentifier(node)) return node.name;
+    if (t.isMemberExpression(node)) {
+      const obj = t.isIdentifier(node.object) ? node.object.name : '';
+      const prop = t.isIdentifier(node.property) ? node.property.name : '';
+      return `${obj}.${prop}`;
+    }
+    return '';
+  }
+
+  function findTaintedVars(node: t.Node): Array<{ varName: string; taint: any }> {
+    const results: Array<{ varName: string; taint: any }> = [];
+    if (t.isIdentifier(node)) {
+      const taint = taintedVars.get(node.name);
+      if (taint) results.push({ varName: node.name, taint });
+    } else if (t.isTemplateLiteral(node)) {
+      node.expressions.forEach(expr => results.push(...findTaintedVars(expr)));
+    } else if (t.isBinaryExpression(node)) {
+      results.push(...findTaintedVars(node.left), ...findTaintedVars(node.right));
+    } else if (t.isCallExpression(node)) {
+      node.arguments.forEach(arg => !t.isSpreadElement(arg) && results.push(...findTaintedVars(arg)));
+    }
+    return results;
+  }
+
+  (traverse as any)(ast, {
+    VariableDeclarator(path: any) {
+      const { id, init } = path.node;
+      if (t.isIdentifier(id) && init) {
+        const varName = id.name;
+        const sourcePattern = isSource(nodeToString(init));
+        if (sourcePattern) {
+          const node = addNode({
+            id: getNodeId(), type: 'source', name: varName, value: nodeToString(init),
+            loc: path.node.loc, sourcePattern,
+          });
+          taintedVars.set(varName, { source: sourcePattern, sanitized: false, node });
+        } else {
+          const taintedSources = findTaintedVars(init);
+          if (taintedSources.length > 0) {
+            const firstTaint = taintedSources[0].taint;
+            taintedVars.set(varName, { source: firstTaint.source, sanitized: firstTaint.sanitized, node: firstTaint.node });
+          }
+        }
+      }
+    },
+    CallExpression(path: any) {
+      const { callee, arguments: args } = path.node;
+      if (SANITIZERS.has(getCalleeName(callee))) {
+        args.forEach((arg: any) => {
+          if (t.isIdentifier(arg)) {
+            const taint = taintedVars.get(arg.name);
+            if (taint) taint.sanitized = true;
+          }
+        });
+        return;
+      }
+      const sinkPattern = isSink(nodeToString(callee));
+      if (sinkPattern) {
+        const sinkNode = addNode({
+          id: getNodeId(), type: 'sink', name: getCalleeName(callee),
+          loc: path.node.loc, sinkPattern,
+        });
+        args.forEach((arg: any) => {
+          if (t.isSpreadElement(arg)) return;
+          findTaintedVars(arg).forEach(({ taint }) => {
+            graph.taintPaths.push({
+              source: taint.node, sink: sinkNode, path: [taint.node, sinkNode],
+              sanitized: taint.sanitized, confidence: taint.sanitized ? 0.3 : 0.9,
+            });
+          });
+        });
+      }
+    },
+  });
+
+  return graph;
+}
+
+export function getVulnerablePaths(graph: DataFlowGraph): TaintPath[] {
+  return graph.taintPaths.filter(p => !p.sanitized);
+}
+
+export function getPathsBySeverity(graph: DataFlowGraph, severity: 'critical' | 'high' | 'medium'): TaintPath[] {
+  return graph.taintPaths.filter(p => p.sink.sinkPattern?.severity === severity);
+}
+
+export function formatTaintPath(path: TaintPath): string {
+  const sourceStr = `${path.source.value} (${path.source.sourcePattern?.description})`;
+  const sinkStr = `${path.sink.name} (${path.sink.sinkPattern?.description})`;
+  return `${sourceStr} → ${sinkStr}`;
+}

package/src/engine/reach.ts

@@ -0,0 +1,141 @@
+/**
+ * Reachability Analysis - Filters code to only entry-point reachable paths
+ * This reduces analysis surface by ~97% (OpenAnt research)
+ */
+
+import { parse } from '@babel/parser';
+import * as traverseModule from '@babel/traverse';
+import * as t from '@babel/types';
+
+// @ts-ignore
+const traverse = traverseModule.default ?? traverseModule;
+
+export interface ReachabilityResult {
+  reachableFunctions: Set<string>;
+  reachableLines: Set<number>;
+  entryPoints: string[];
+  totalFunctions: number;
+  reachableFunctionCount: number;
+  reductionPercent: number;
+}
+
+/**
+ * Common entry points in web applications
+ */
+const ENTRY_POINT_PATTERNS = [
+  /^app\.(get|post|put|delete|patch)/,
+  /^router\.(get|post|put|delete|patch)/,
+  /^exports\./,
+  /^module\.exports/,
+  /^export /,
+  /addEventListener/,
+  /^on[A-Z]/,
+];
+
+/**
+ * Analyze reachability from entry points
+ */
+export function analyzeReachability(code: string): ReachabilityResult {
+  const ast = parse(code, {
+    sourceType: 'module',
+    plugins: ['jsx', 'typescript'],
+    errorRecovery: true,
+  });
+
+  const entryPoints: string[] = [];
+  const allFunctions = new Set<string>();
+  const reachableFunctions = new Set<string>();
+  const reachableLines = new Set<number>();
+  const functionCalls = new Map<string, Set<string>>();
+
+  (traverse as any)(ast, {
+    FunctionDeclaration(path: any) {
+      const name = path.node.id?.name;
+      if (name) {
+        allFunctions.add(name);
+      }
+    },
+    
+    CallExpression(path: any) {
+      const callee = getCalleeName(path.node.callee);
+      
+      if (isEntryPoint(callee)) {
+        entryPoints.push(callee);
+        
+        const callback = path.node.arguments[1] || path.node.arguments[0];
+        if (t.isFunctionExpression(callback) || t.isArrowFunctionExpression(callback)) {
+          markReachable(callback, reachableFunctions, reachableLines);
+        }
+      }
+    },
+  });
+
+  const visited = new Set<string>();
+  const queue = [...entryPoints];
+  
+  while (queue.length > 0) {
+    const current = queue.shift()!;
+    if (visited.has(current)) continue;
+    visited.add(current);
+    
+    reachableFunctions.add(current);
+    
+    const callees = functionCalls.get(current) || new Set();
+    for (const callee of callees) {
+      if (!visited.has(callee)) {
+        queue.push(callee);
+      }
+    }
+  }
+
+  const totalFuncs = allFunctions.size || 1;
+  const reachableFuncs = reachableFunctions.size;
+  const reduction = ((totalFuncs - reachableFuncs) / totalFuncs) * 100;
+
+  return {
+    reachableFunctions,
+    reachableLines,
+    entryPoints,
+    totalFunctions: totalFuncs,
+    reachableFunctionCount: reachableFuncs,
+    reductionPercent: reduction,
+  };
+}
+
+function isEntryPoint(callee: string): boolean {
+  return ENTRY_POINT_PATTERNS.some(pattern => pattern.test(callee));
+}
+
+function getCalleeName(node: t.Node): string {
+  if (t.isIdentifier(node)) return node.name;
+  if (t.isMemberExpression(node)) {
+    const obj = t.isIdentifier(node.object) ? node.object.name : '';
+    const prop = t.isIdentifier(node.property) ? node.property.name : '';
+    return `${obj}.${prop}`;
+  }
+  return '';
+}
+
+function markReachable(
+  node: t.Node,
+  reachableFunctions: Set<string>,
+  reachableLines: Set<number>
+): void {
+  if (t.isFunctionExpression(node) || t.isArrowFunctionExpression(node)) {
+    if (node.loc) {
+      for (let i = node.loc.start.line; i <= node.loc.end.line; i++) {
+        reachableLines.add(i);
+      }
+    }
+  }
+}
+
+export function filterReachablePaths<T extends { location: { line: number } }>(
+  paths: T[],
+  reachability: ReachabilityResult
+): T[] {
+  return paths.filter(path => 
+    reachability.reachableLines.size === 0 ||
+    reachability.reachableLines.has(path.location.line)
+  );
+}

package/src/engine/sinks.ts

@@ -0,0 +1,113 @@
+/**
+ * Catalog of dangerous sinks (vulnerability endpoints)
+ * These are operations that can cause security issues if fed untrusted data
+ */
+
+export interface SinkPattern {
+  pattern: string;
+  category: 'sql' | 'nosql' | 'command' | 'code' | 'xss' | 'path' | 'xxe';
+  description: string;
+  severity: 'critical' | 'high' | 'medium';
+  cwe?: string;
+}
+
+/**
+ * SQL injection sinks
+ */
+export const SQL_SINKS: SinkPattern[] = [
+  { pattern: 'db.execute', category: 'sql', description: 'SQL execution', severity: 'critical', cwe: 'CWE-89' },
+  { pattern: 'db.query', category: 'sql', description: 'SQL query', severity: 'critical', cwe: 'CWE-89' },
+  { pattern: 'connection.query', category: 'sql', description: 'MySQL query', severity: 'critical', cwe: 'CWE-89' },
+  { pattern: 'pool.query', category: 'sql', description: 'Connection pool query', severity: 'critical', cwe: 'CWE-89' },
+  { pattern: 'executeQuery', category: 'sql', description: 'Generic SQL exec', severity: 'critical', cwe: 'CWE-89' },
+];
+
+/**
+ * NoSQL injection sinks
+ */
+export const NOSQL_SINKS: SinkPattern[] = [
+  { pattern: 'find', category: 'nosql', description: 'MongoDB find', severity: 'high', cwe: 'CWE-943' },
+  { pattern: 'findOne', category: 'nosql', description: 'MongoDB findOne', severity: 'high', cwe: 'CWE-943' },
+  { pattern: 'updateOne', category: 'nosql', description: 'MongoDB update', severity: 'high', cwe: 'CWE-943' },
+  { pattern: 'deleteOne', category: 'nosql', description: 'MongoDB delete', severity: 'high', cwe: 'CWE-943' },
+];
+
+/**
+ * Command injection sinks
+ */
+export const COMMAND_SINKS: SinkPattern[] = [
+  { pattern: 'exec', category: 'command', description: 'Command execution', severity: 'critical', cwe: 'CWE-78' },
+  { pattern: 'execSync', category: 'command', description: 'Sync command exec', severity: 'critical', cwe: 'CWE-78' },
+  { pattern: 'spawn', category: 'command', description: 'Process spawn', severity: 'critical', cwe: 'CWE-78' },
+  { pattern: 'spawnSync', category: 'command', description: 'Sync process spawn', severity: 'critical', cwe: 'CWE-78' },
+  { pattern: 'execFile', category: 'command', description: 'File execution', severity: 'critical', cwe: 'CWE-78' },
+];
+
+/**
+ * Code injection sinks
+ */
+export const CODE_SINKS: SinkPattern[] = [
+  { pattern: 'eval', category: 'code', description: 'Code evaluation', severity: 'critical', cwe: 'CWE-94' },
+  { pattern: 'Function', category: 'code', description: 'Dynamic function creation', severity: 'critical', cwe: 'CWE-94' },
+  { pattern: 'setTimeout', category: 'code', description: 'Delayed code exec', severity: 'high', cwe: 'CWE-94' },
+  { pattern: 'setInterval', category: 'code', description: 'Repeated code exec', severity: 'high', cwe: 'CWE-94' },
+];
+
+/**
+ * XSS sinks
+ */
+export const XSS_SINKS: SinkPattern[] = [
+  { pattern: 'res.send', category: 'xss', description: 'HTTP response', severity: 'high', cwe: 'CWE-79' },
+  { pattern: 'res.write', category: 'xss', description: 'HTTP write', severity: 'high', cwe: 'CWE-79' },
+  { pattern: 'innerHTML', category: 'xss', description: 'DOM innerHTML', severity: 'critical', cwe: 'CWE-79' },
+  { pattern: 'outerHTML', category: 'xss', description: 'DOM outerHTML', severity: 'critical', cwe: 'CWE-79' },
+  { pattern: 'document.write', category: 'xss', description: 'Document write', severity: 'critical', cwe: 'CWE-79' },
+];
+
+/**
+ * Path traversal sinks
+ */
+export const PATH_SINKS: SinkPattern[] = [
+  { pattern: 'fs.readFile', category: 'path', description: 'File read', severity: 'high', cwe: 'CWE-22' },
+  { pattern: 'fs.writeFile', category: 'path', description: 'File write', severity: 'critical', cwe: 'CWE-22' },
+  { pattern: 'fs.unlink', category: 'path', description: 'File delete', severity: 'critical', cwe: 'CWE-22' },
+  { pattern: 'fs.readFileSync', category: 'path', description: 'Sync file read', severity: 'high', cwe: 'CWE-22' },
+];
+
+/**
+ * All sinks combined
+ */
+export const ALL_SINKS = [
+  ...SQL_SINKS,
+  ...NOSQL_SINKS,
+  ...COMMAND_SINKS,
+  ...CODE_SINKS,
+  ...XSS_SINKS,
+  ...PATH_SINKS,
+];
+
+/**
+ * Check if a code string matches any sink pattern
+ */
+export function isSink(code: string): SinkPattern | null {
+  for (const sink of ALL_SINKS) {
+    if (code.includes(sink.pattern)) {
+      return sink;
+    }
+  }
+  return null;
+}
+
+/**
+ * Get all sinks matching a category
+ */
+export function getSinksByCategory(category: SinkPattern['category']): SinkPattern[] {
+  return ALL_SINKS.filter(s => s.category === category);
+}
+
+/**
+ * Get sinks by severity
+ */
+export function getSinksBySeverity(severity: SinkPattern['severity']): SinkPattern[] {
+  return ALL_SINKS.filter(s => s.severity === severity);
+}

package/src/engine/sources.ts

@@ -0,0 +1,71 @@
+/**
+ * Catalog of untrusted input sources (taint origins)
+ * These represent user-controlled data that could be malicious
+ */
+
+export interface SourcePattern {
+  pattern: string;
+  category: 'http' | 'file' | 'env' | 'cli' | 'external';
+  description: string;
+  severity: 'critical' | 'high' | 'medium';
+}
+
+/**
+ * HTTP/API sources - user input from web requests
+ */
+export const HTTP_SOURCES: SourcePattern[] = [
+  { pattern: 'req.query', category: 'http', description: 'URL query parameters', severity: 'critical' },
+  { pattern: 'req.params', category: 'http', description: 'Route parameters', severity: 'critical' },
+  { pattern: 'req.body', category: 'http', description: 'Request body', severity: 'critical' },
+  { pattern: 'req.headers', category: 'http', description: 'HTTP headers', severity: 'high' },
+  { pattern: 'req.cookies', category: 'http', description: 'Cookies', severity: 'high' },
+  { pattern: 'request.query', category: 'http', description: 'Query string', severity: 'critical' },
+  { pattern: 'request.body', category: 'http', description: 'Request body', severity: 'critical' },
+  { pattern: 'ctx.request.body', category: 'http', description: 'Koa/context body', severity: 'critical' },
+  { pattern: 'ctx.query', category: 'http', description: 'Koa query', severity: 'critical' },
+];
+
+/**
+ * File system sources - external file content
+ */
+export const FILE_SOURCES: SourcePattern[] = [
+  { pattern: 'fs.readFileSync', category: 'file', description: 'File content', severity: 'high' },
+  { pattern: 'fs.readFile', category: 'file', description: 'File content async', severity: 'high' },
+  { pattern: 'readFileSync', category: 'file', description: 'File read', severity: 'high' },
+];
+
+/**
+ * Environment/config sources - potentially untrusted config
+ */
+export const ENV_SOURCES: SourcePattern[] = [
+  { pattern: 'process.env', category: 'env', description: 'Environment variables', severity: 'medium' },
+  { pattern: 'process.argv', category: 'cli', description: 'Command-line arguments', severity: 'high' },
+];
+
+/**
+ * All sources combined
+ */
+export const ALL_SOURCES = [
+  ...HTTP_SOURCES,
+  ...FILE_SOURCES,
+  ...ENV_SOURCES,
+];
+
+/**
+ * Check if a code string matches any source pattern
+ */
+export function isSource(code: string): SourcePattern | null {
+  for (const source of ALL_SOURCES) {
+    if (code.includes(source.pattern)) {
+      return source;
+    }
+  }
+  return null;
+}
+
+/**
+ * Get all sources matching a category
+ */
+export function getSourcesByCategory(category: SourcePattern['category']): SourcePattern[] {
+  return ALL_SOURCES.filter(s => s.category === category);
+}

package/src/engine/taint.ts

@@ -0,0 +1,117 @@
+/**
+ * Taint Analysis - tracks data flow from sources to sinks
+ * Generates taint-trace proofs for each vulnerability
+ */
+
+import { DataFlowGraph, TaintPath, formatTaintPath } from './graph.js';
+
+export interface TaintTrace {
+  finding: string;
+  severity: 'critical' | 'high' | 'medium';
+  category: string;
+  cwe?: string;
+  path: string;
+  evidence: string[];
+  location: {
+    file: string;
+    line: number;
+    column: number;
+  };
+  sanitized: boolean;
+  confidence: number;
+}
+
+/**
+ * Generate taint traces from data-flow graph
+ */
+export function generateTaintTraces(graph: DataFlowGraph, filename: string): TaintTrace[] {
+  const traces: TaintTrace[] = [];
+
+  for (const taintPath of graph.taintPaths) {
+    const trace = buildTaintTrace(taintPath, filename);
+    traces.push(trace);
+  }
+
+  return traces;
+}
+
+/**
+ * Build a single taint trace from a taint path
+ */
+function buildTaintTrace(path: TaintPath, filename: string): TaintTrace {
+  const source = path.source;
+  const sink = path.sink;
+  
+  const evidence: string[] = [];
+  
+  // Build evidence chain
+  evidence.push(`Source: ${source.value} at line ${source.loc?.start.line || '?'}`);
+  evidence.push(`  Type: ${source.sourcePattern?.description || 'untrusted input'}`);
+  
+  if (path.sanitized) {
+    evidence.push('  ✅ Sanitized');
+  } else {
+    evidence.push('  ❌ NOT sanitized');
+  }
+  
+  evidence.push(`Sink: ${sink.name} at line ${sink.loc?.start.line || '?'}`);
+  evidence.push(`  Type: ${sink.sinkPattern?.description || 'dangerous operation'}`);
+  
+  const finding = path.sanitized
+    ? `Sanitized ${sink.sinkPattern?.category || 'data flow'}`
+    : `Potential ${sink.sinkPattern?.category || 'vulnerability'}`;
+
+  return {
+    finding,
+    severity: sink.sinkPattern?.severity || 'medium',
+    category: sink.sinkPattern?.category || 'unknown',
+    cwe: sink.sinkPattern?.cwe,
+    path: formatTaintPath(path),
+    evidence,
+    location: {
+      file: filename,
+      line: sink.loc?.start.line || 0,
+      column: sink.loc?.start.column || 0,
+    },
+    sanitized: path.sanitized,
+    confidence: path.confidence,
+  };
+}
+
+/**
+ * Filter traces by severity
+ */
+export function filterBySeverity(
+  traces: TaintTrace[],
+  severity: 'critical' | 'high' | 'medium'
+): TaintTrace[] {
+  return traces.filter(t => t.severity === severity);
+}
+
+/**
+ * Get only vulnerable (unsanitized) traces
+ */
+export function getVulnerableTraces(traces: TaintTrace[]): TaintTrace[] {
+  return traces.filter(t => !t.sanitized);
+}
+
+/**
+ * Format trace for display
+ */
+export function formatTrace(trace: TaintTrace): string {
+  const icon = trace.sanitized ? '✅' : '❌';
+  const lines = [
+    `${icon} [${trace.severity.toUpperCase()}] ${trace.finding}`,
+    `   ${trace.location.file}:${trace.location.line}:${trace.location.column}`,
+    `   ${trace.path}`,
+  ];
+  
+  if (trace.cwe) {
+    lines.push(`   CWE: ${trace.cwe}`);
+  }
+  
+  lines.push('   Evidence:');
+  trace.evidence.forEach(e => lines.push(`     ${e}`));
+  
+  return lines.join('\n');
+}