fivosense 0.1.4 ā 0.1.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/COMPLETE_SUMMARY.md +412 -0
- package/DOCUMENTATION.md +608 -0
- package/FINAL_VERIFICATION.md +316 -0
- package/README.md +198 -316
- package/VERIFICATION_CHECKLIST.md +307 -0
- package/dist/ai/client.d.ts +27 -0
- package/dist/ai/client.d.ts.map +1 -0
- package/dist/ai/client.js +167 -0
- package/dist/ai/client.js.map +1 -0
- package/dist/ai/judge.d.ts +3 -3
- package/dist/ai/judge.d.ts.map +1 -1
- package/dist/ai/judge.js +43 -14
- package/dist/ai/judge.js.map +1 -1
- package/dist/cli/index.js +48 -7
- package/dist/cli/index.js.map +1 -1
- package/dist/core/orchestrator.d.ts +31 -0
- package/dist/core/orchestrator.d.ts.map +1 -0
- package/dist/core/orchestrator.js +205 -0
- package/dist/core/orchestrator.js.map +1 -0
- package/dist/core/scope.d.ts +29 -0
- package/dist/core/scope.d.ts.map +1 -0
- package/dist/core/scope.js +143 -0
- package/dist/core/scope.js.map +1 -0
- package/dist/engine/adversary.d.ts +3 -2
- package/dist/engine/adversary.d.ts.map +1 -1
- package/dist/engine/adversary.js +43 -12
- package/dist/engine/adversary.js.map +1 -1
- package/dist/engine/poc.d.ts +20 -0
- package/dist/engine/poc.d.ts.map +1 -0
- package/dist/engine/poc.js +176 -0
- package/dist/engine/poc.js.map +1 -0
- package/dist/features/index.d.ts +7 -0
- package/dist/features/index.d.ts.map +1 -0
- package/dist/features/index.js +7 -0
- package/dist/features/index.js.map +1 -0
- package/dist/hooks/git.d.ts +31 -0
- package/dist/hooks/git.d.ts.map +1 -0
- package/dist/hooks/git.js +155 -0
- package/dist/hooks/git.js.map +1 -0
- package/mcp/index.js +48 -20
- package/mcp/package-lock.json +382 -0
- package/mcp/package.json +1 -1
- package/package.json +1 -1
- package/src/ai/client.ts +219 -0
- package/src/ai/judge.ts +51 -14
- package/src/cli/index.ts +46 -7
- package/src/core/orchestrator.ts +259 -0
- package/src/core/scope.ts +168 -0
- package/src/engine/adversary.ts +48 -12
- package/src/engine/poc.ts +212 -0
- package/src/features/index.ts +7 -0
- package/src/hooks/git.ts +187 -0
- package/vscode-extension/fivosense-vscode-0.1.0.vsix +0 -0
- package/vscode-extension/package-lock.json +4 -4
- package/vscode-extension/package.json +3 -3
- package/vscode-extension/src/extension.ts +65 -11
package/dist/cli/index.js
CHANGED
|
@@ -3,28 +3,69 @@
|
|
|
3
3
|
* FivoSense CLI
|
|
4
4
|
*/
|
|
5
5
|
import { auditFile, formatAuditResult } from '../index.js';
|
|
6
|
+
import { generateRoast, formatRoast, generateBadge } from '../features/index.js';
|
|
6
7
|
const args = process.argv.slice(2);
|
|
7
8
|
if (args.length === 0) {
|
|
8
9
|
console.log(`
|
|
9
10
|
š”ļø FivoSense - Neuro-symbolic AI Security Scanner
|
|
10
11
|
|
|
11
12
|
Usage:
|
|
12
|
-
|
|
13
|
-
|
|
13
|
+
fivosense <file> Scan a file for vulnerabilities
|
|
14
|
+
fivosense --roast <file> Get roasted for security issues š„
|
|
15
|
+
fivosense --badge <file> Get your security grade badge
|
|
14
16
|
|
|
15
17
|
Example:
|
|
16
|
-
|
|
18
|
+
fivosense src/server.js
|
|
19
|
+
fivosense --roast src/api.js
|
|
20
|
+
fivosense --badge src/app.js
|
|
17
21
|
`);
|
|
18
22
|
process.exit(0);
|
|
19
23
|
}
|
|
20
|
-
|
|
21
|
-
|
|
24
|
+
// Parse command and file
|
|
25
|
+
let mode = 'scan';
|
|
26
|
+
let filepath = args[0];
|
|
27
|
+
if (args[0] === '--roast' || args[0] === '-r') {
|
|
28
|
+
mode = 'roast';
|
|
29
|
+
filepath = args[1];
|
|
30
|
+
}
|
|
31
|
+
else if (args[0] === '--badge' || args[0] === '-b') {
|
|
32
|
+
mode = 'badge';
|
|
33
|
+
filepath = args[1];
|
|
34
|
+
}
|
|
35
|
+
else if (args[0] === 'audit') {
|
|
36
|
+
filepath = args[1];
|
|
37
|
+
}
|
|
38
|
+
if (!filepath) {
|
|
39
|
+
console.error('\nā Error: Please provide a file to scan\n');
|
|
40
|
+
process.exit(1);
|
|
41
|
+
}
|
|
22
42
|
async function main() {
|
|
23
43
|
try {
|
|
24
44
|
console.log(`\nš Auditing ${filepath}...\n`);
|
|
25
45
|
const result = await auditFile(filepath);
|
|
26
|
-
|
|
27
|
-
|
|
46
|
+
if (mode === 'roast') {
|
|
47
|
+
// Roast mode
|
|
48
|
+
const roast = generateRoast(result);
|
|
49
|
+
const roastText = formatRoast(roast);
|
|
50
|
+
console.log('\n' + roastText + '\n');
|
|
51
|
+
}
|
|
52
|
+
else if (mode === 'badge') {
|
|
53
|
+
// Badge mode
|
|
54
|
+
const badge = generateBadge(result);
|
|
55
|
+
console.log('\nš”ļø Security Badge\n');
|
|
56
|
+
console.log(`Grade: ${badge.grade}`);
|
|
57
|
+
console.log(`Score: ${badge.score}/100`);
|
|
58
|
+
console.log(`\nFindings:`);
|
|
59
|
+
console.log(` Critical: ${result.summary.critical}`);
|
|
60
|
+
console.log(` High: ${result.summary.high}`);
|
|
61
|
+
console.log(` Medium: ${result.summary.medium}`);
|
|
62
|
+
console.log();
|
|
63
|
+
}
|
|
64
|
+
else {
|
|
65
|
+
// Normal scan mode
|
|
66
|
+
const output = formatAuditResult(result);
|
|
67
|
+
console.log(output);
|
|
68
|
+
}
|
|
28
69
|
// Exit with error code if critical/high findings
|
|
29
70
|
if (result.summary.critical > 0 || result.summary.high > 0) {
|
|
30
71
|
process.exit(1);
|
package/dist/cli/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";AACA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";AACA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAEjF,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAEnC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;IACtB,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;GAYX,CAAC,CAAC;IACH,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,yBAAyB;AACzB,IAAI,IAAI,GAAG,MAAM,CAAC;AAClB,IAAI,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;AAEvB,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,SAAS,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;IAC9C,IAAI,GAAG,OAAO,CAAC;IACf,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;AACrB,CAAC;KAAM,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,SAAS,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;IACrD,IAAI,GAAG,OAAO,CAAC;IACf,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;AACrB,CAAC;KAAM,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,OAAO,EAAE,CAAC;IAC/B,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;AACrB,CAAC;AAED,IAAI,CAAC,QAAQ,EAAE,CAAC;IACd,OAAO,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAC5D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,IAAI,CAAC;QACH,OAAO,CAAC,GAAG,CAAC,iBAAiB,QAAQ,OAAO,CAAC,CAAC;QAE9C,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,CAAC;QAEzC,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;YACrB,aAAa;YACb,MAAM,KAAK,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;YACpC,MAAM,SAAS,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;YACrC,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,SAAS,GAAG,IAAI,CAAC,CAAC;QACvC,CAAC;aAAM,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;YAC5B,aAAa;YACb,MAAM,KAAK,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;YACpC,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,UAAU,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;YACrC,OAAO,CAAC,GAAG,CAAC,UAAU,KAAK,CAAC,KAAK,MAAM,CAAC,CAAC;YACzC,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YAC3B,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;YACtD,OAAO,CAAC,GAAG,CAAC,WAAW,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;YAC9C,OAAO,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;YAClD,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;aAAM,CAAC;YACN,mBAAmB;YACnB,MAAM,MAAM,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;YACzC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACtB,CAAC;QAED,iDAAiD;QACjD,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YAC3D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAAC,OAAO,KAAU,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,cAAc,KAAK,CAAC,OAAO,IAAI,CAAC,CAAC;QAC/C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC"}
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Orchestrator - Coordinates analysis pipeline and flow control
|
|
3
|
+
*/
|
|
4
|
+
import type { AuditResult } from '../index.js';
|
|
5
|
+
import type { AIProvider } from '../ai/client.js';
|
|
6
|
+
export interface OrchestratorOptions {
|
|
7
|
+
enableAI?: boolean;
|
|
8
|
+
enableAdversarial?: boolean;
|
|
9
|
+
enablePoC?: boolean;
|
|
10
|
+
scopeToDiff?: boolean;
|
|
11
|
+
diffBase?: string;
|
|
12
|
+
aiProvider?: AIProvider;
|
|
13
|
+
verbose?: boolean;
|
|
14
|
+
}
|
|
15
|
+
/**
|
|
16
|
+
* Main orchestration pipeline
|
|
17
|
+
*/
|
|
18
|
+
export declare function orchestrateAudit(code: string, filepath: string, options?: OrchestratorOptions): Promise<AuditResult>;
|
|
19
|
+
/**
|
|
20
|
+
* Quick audit (no AI, no scope)
|
|
21
|
+
*/
|
|
22
|
+
export declare function quickAudit(code: string, filepath: string): Promise<AuditResult>;
|
|
23
|
+
/**
|
|
24
|
+
* Full audit (with AI and adversarial)
|
|
25
|
+
*/
|
|
26
|
+
export declare function fullAudit(code: string, filepath: string, aiProvider?: AIProvider): Promise<AuditResult>;
|
|
27
|
+
/**
|
|
28
|
+
* Diff-scoped audit (only changed code)
|
|
29
|
+
*/
|
|
30
|
+
export declare function diffAudit(code: string, filepath: string, diffBase?: string): Promise<AuditResult>;
|
|
31
|
+
//# sourceMappingURL=orchestrator.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"orchestrator.d.ts","sourceRoot":"","sources":["../../src/core/orchestrator.ts"],"names":[],"mappings":"AAAA;;GAEG;AAUH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAElD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,mBAAwB,GAChC,OAAO,CAAC,WAAW,CAAC,CAiLtB;AAED;;GAEG;AACH,wBAAsB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC,CAQrF;AAED;;GAEG;AACH,wBAAsB,SAAS,CAC7B,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,UAAU,CAAC,EAAE,UAAU,GACtB,OAAO,CAAC,WAAW,CAAC,CAStB;AAED;;GAEG;AACH,wBAAsB,SAAS,CAC7B,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,QAAQ,GAAE,MAAe,GACxB,OAAO,CAAC,WAAW,CAAC,CAStB"}
|
|
@@ -0,0 +1,205 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Orchestrator - Coordinates analysis pipeline and flow control
|
|
3
|
+
*/
|
|
4
|
+
import { buildDataFlowGraph } from '../engine/graph.js';
|
|
5
|
+
import { generateTaintTraces } from '../engine/taint.js';
|
|
6
|
+
import { detectSecrets } from '../rules/secrets.js';
|
|
7
|
+
import { detectDestructive } from '../rules/destructive.js';
|
|
8
|
+
import { judgePathWithAI } from '../ai/judge.js';
|
|
9
|
+
import { verifyWithAdversary } from '../engine/adversary.js';
|
|
10
|
+
import { generatePoC } from '../engine/poc.js';
|
|
11
|
+
import { getDiffScope, filterFindingsByScope } from './scope.js';
|
|
12
|
+
/**
|
|
13
|
+
* Main orchestration pipeline
|
|
14
|
+
*/
|
|
15
|
+
export async function orchestrateAudit(code, filepath, options = {}) {
|
|
16
|
+
const { enableAI = false, enableAdversarial = false, enablePoC = false, scopeToDiff = false, diffBase = 'main', aiProvider, verbose = false, } = options;
|
|
17
|
+
if (verbose) {
|
|
18
|
+
console.log(`š Starting audit: ${filepath}`);
|
|
19
|
+
console.log(` AI Judge: ${enableAI ? 'ā
' : 'ā'}`);
|
|
20
|
+
console.log(` Adversarial: ${enableAdversarial ? 'ā
' : 'ā'}`);
|
|
21
|
+
console.log(` PoC Generation: ${enablePoC ? 'ā
' : 'ā'}`);
|
|
22
|
+
console.log(` Scope to diff: ${scopeToDiff ? 'ā
' : 'ā'}`);
|
|
23
|
+
}
|
|
24
|
+
// Step 1: Get scope if needed
|
|
25
|
+
let scope;
|
|
26
|
+
if (scopeToDiff) {
|
|
27
|
+
if (verbose)
|
|
28
|
+
console.log(`š Getting diff scope (base: ${diffBase})...`);
|
|
29
|
+
scope = await getDiffScope(diffBase);
|
|
30
|
+
if (verbose)
|
|
31
|
+
console.log(` ${scope.files.length} files in scope`);
|
|
32
|
+
}
|
|
33
|
+
// Step 2: Build data-flow graph
|
|
34
|
+
if (verbose)
|
|
35
|
+
console.log(`šØ Building data-flow graph...`);
|
|
36
|
+
const graph = buildDataFlowGraph(code, filepath);
|
|
37
|
+
// Step 3: Taint analysis
|
|
38
|
+
if (verbose)
|
|
39
|
+
console.log(`š Running taint analysis...`);
|
|
40
|
+
const traces = generateTaintTraces(graph, filepath);
|
|
41
|
+
// Convert traces to vulnerabilities format
|
|
42
|
+
const allVulnerabilities = traces.map(trace => ({
|
|
43
|
+
finding: trace.finding,
|
|
44
|
+
severity: trace.severity,
|
|
45
|
+
category: trace.category,
|
|
46
|
+
cwe: trace.cwe,
|
|
47
|
+
path: trace.path.split(' ā '),
|
|
48
|
+
evidence: trace.evidence,
|
|
49
|
+
location: trace.location,
|
|
50
|
+
sanitized: trace.sanitized,
|
|
51
|
+
confidence: 0.8,
|
|
52
|
+
}));
|
|
53
|
+
// Step 4: Filter by scope if enabled
|
|
54
|
+
let vulnerabilities = allVulnerabilities;
|
|
55
|
+
if (scope && scopeToDiff) {
|
|
56
|
+
if (verbose)
|
|
57
|
+
console.log(`šÆ Filtering by scope...`);
|
|
58
|
+
vulnerabilities = filterFindingsByScope(vulnerabilities, filepath, scope);
|
|
59
|
+
if (verbose)
|
|
60
|
+
console.log(` ${vulnerabilities.length} vulnerabilities in scope`);
|
|
61
|
+
}
|
|
62
|
+
// Step 5: AI judgment (if enabled)
|
|
63
|
+
if (enableAI && vulnerabilities.length > 0) {
|
|
64
|
+
if (verbose)
|
|
65
|
+
console.log(`š¤ Running AI judgment...`);
|
|
66
|
+
for (let i = 0; i < vulnerabilities.length; i++) {
|
|
67
|
+
const vuln = vulnerabilities[i];
|
|
68
|
+
try {
|
|
69
|
+
const judgment = await judgePathWithAI({
|
|
70
|
+
source: vuln.path[0] || 'unknown',
|
|
71
|
+
sourceType: 'user input',
|
|
72
|
+
sourceLoc: `line ${vuln.location.line}`,
|
|
73
|
+
sink: vuln.path[vuln.path.length - 1] || 'unknown',
|
|
74
|
+
sinkType: vuln.category,
|
|
75
|
+
category: vuln.category,
|
|
76
|
+
cwe: vuln.cwe,
|
|
77
|
+
dataFlow: vuln.path.join(' ā '),
|
|
78
|
+
codeSnippet: code.split('\n').slice(Math.max(0, vuln.location.line - 3), vuln.location.line + 2).join('\n'),
|
|
79
|
+
language: filepath.endsWith('.ts') || filepath.endsWith('.tsx') ? 'typescript' : 'javascript',
|
|
80
|
+
}, aiProvider);
|
|
81
|
+
// Update vulnerability with AI judgment
|
|
82
|
+
vuln.confidence = judgment.confidence;
|
|
83
|
+
if (verbose) {
|
|
84
|
+
console.log(` [${i + 1}/${vulnerabilities.length}] ${vuln.finding}: ${judgment.exploitable ? 'ā Exploitable' : 'ā
Safe'} (confidence: ${judgment.confidence})`);
|
|
85
|
+
}
|
|
86
|
+
}
|
|
87
|
+
catch (error) {
|
|
88
|
+
if (verbose) {
|
|
89
|
+
console.warn(` [${i + 1}/${vulnerabilities.length}] AI judgment failed:`, error);
|
|
90
|
+
}
|
|
91
|
+
}
|
|
92
|
+
}
|
|
93
|
+
}
|
|
94
|
+
// Step 6: Adversarial verification (if enabled)
|
|
95
|
+
if (enableAdversarial && vulnerabilities.length > 0) {
|
|
96
|
+
if (verbose)
|
|
97
|
+
console.log(`āļø Running adversarial verification...`);
|
|
98
|
+
for (let i = 0; i < vulnerabilities.length; i++) {
|
|
99
|
+
const vuln = vulnerabilities[i];
|
|
100
|
+
try {
|
|
101
|
+
const trace = traces.find((t) => t.category === vuln.category && t.location.line === vuln.location.line);
|
|
102
|
+
if (trace) {
|
|
103
|
+
const adversary = await verifyWithAdversary(trace, code, aiProvider);
|
|
104
|
+
// Update confidence based on adversarial result
|
|
105
|
+
vuln.confidence = Math.min(vuln.confidence, adversary.confidence);
|
|
106
|
+
if (verbose) {
|
|
107
|
+
console.log(` [${i + 1}/${vulnerabilities.length}] ${adversary.exploitable ? 'āļø Exploit found' : 'š”ļø Defense holds'}`);
|
|
108
|
+
}
|
|
109
|
+
}
|
|
110
|
+
}
|
|
111
|
+
catch (error) {
|
|
112
|
+
if (verbose) {
|
|
113
|
+
console.warn(` [${i + 1}/${vulnerabilities.length}] Adversarial verification failed:`, error);
|
|
114
|
+
}
|
|
115
|
+
}
|
|
116
|
+
}
|
|
117
|
+
}
|
|
118
|
+
// Step 7: PoC generation (if enabled)
|
|
119
|
+
if (enablePoC && vulnerabilities.length > 0) {
|
|
120
|
+
if (verbose)
|
|
121
|
+
console.log(`š£ Generating PoCs...`);
|
|
122
|
+
for (const vuln of vulnerabilities) {
|
|
123
|
+
try {
|
|
124
|
+
const trace = traces.find((t) => t.category === vuln.category && t.location.line === vuln.location.line);
|
|
125
|
+
if (trace) {
|
|
126
|
+
const poc = generatePoC(trace);
|
|
127
|
+
// Attach PoC to vulnerability (could extend Vulnerability type)
|
|
128
|
+
vuln.poc = poc;
|
|
129
|
+
}
|
|
130
|
+
}
|
|
131
|
+
catch (error) {
|
|
132
|
+
if (verbose) {
|
|
133
|
+
console.warn(` Failed to generate PoC:`, error);
|
|
134
|
+
}
|
|
135
|
+
}
|
|
136
|
+
}
|
|
137
|
+
}
|
|
138
|
+
// Step 8: Secret detection
|
|
139
|
+
if (verbose)
|
|
140
|
+
console.log(`š Detecting secrets...`);
|
|
141
|
+
const secrets = detectSecrets(code);
|
|
142
|
+
// Step 9: Destructive command detection
|
|
143
|
+
if (verbose)
|
|
144
|
+
console.log(`š„ Detecting destructive commands...`);
|
|
145
|
+
const destructive = detectDestructive(code);
|
|
146
|
+
// Step 10: Build summary
|
|
147
|
+
const summary = {
|
|
148
|
+
total: vulnerabilities.length + secrets.length + destructive.length,
|
|
149
|
+
critical: vulnerabilities.filter((v) => v.severity === 'critical').length,
|
|
150
|
+
high: vulnerabilities.filter((v) => v.severity === 'high').length + secrets.length,
|
|
151
|
+
medium: vulnerabilities.filter((v) => v.severity === 'medium').length + destructive.length,
|
|
152
|
+
};
|
|
153
|
+
if (verbose) {
|
|
154
|
+
console.log(`\nš Audit complete:`);
|
|
155
|
+
console.log(` Total: ${summary.total}`);
|
|
156
|
+
console.log(` Critical: ${summary.critical}`);
|
|
157
|
+
console.log(` High: ${summary.high}`);
|
|
158
|
+
console.log(` Medium: ${summary.medium}\n`);
|
|
159
|
+
}
|
|
160
|
+
return {
|
|
161
|
+
vulnerabilities,
|
|
162
|
+
secrets,
|
|
163
|
+
destructive,
|
|
164
|
+
summary,
|
|
165
|
+
};
|
|
166
|
+
}
|
|
167
|
+
/**
|
|
168
|
+
* Quick audit (no AI, no scope)
|
|
169
|
+
*/
|
|
170
|
+
export async function quickAudit(code, filepath) {
|
|
171
|
+
return orchestrateAudit(code, filepath, {
|
|
172
|
+
enableAI: false,
|
|
173
|
+
enableAdversarial: false,
|
|
174
|
+
enablePoC: false,
|
|
175
|
+
scopeToDiff: false,
|
|
176
|
+
verbose: false,
|
|
177
|
+
});
|
|
178
|
+
}
|
|
179
|
+
/**
|
|
180
|
+
* Full audit (with AI and adversarial)
|
|
181
|
+
*/
|
|
182
|
+
export async function fullAudit(code, filepath, aiProvider) {
|
|
183
|
+
return orchestrateAudit(code, filepath, {
|
|
184
|
+
enableAI: true,
|
|
185
|
+
enableAdversarial: true,
|
|
186
|
+
enablePoC: true,
|
|
187
|
+
scopeToDiff: false,
|
|
188
|
+
aiProvider,
|
|
189
|
+
verbose: true,
|
|
190
|
+
});
|
|
191
|
+
}
|
|
192
|
+
/**
|
|
193
|
+
* Diff-scoped audit (only changed code)
|
|
194
|
+
*/
|
|
195
|
+
export async function diffAudit(code, filepath, diffBase = 'main') {
|
|
196
|
+
return orchestrateAudit(code, filepath, {
|
|
197
|
+
enableAI: false,
|
|
198
|
+
enableAdversarial: false,
|
|
199
|
+
enablePoC: false,
|
|
200
|
+
scopeToDiff: true,
|
|
201
|
+
diffBase,
|
|
202
|
+
verbose: true,
|
|
203
|
+
});
|
|
204
|
+
}
|
|
205
|
+
//# sourceMappingURL=orchestrator.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"orchestrator.js","sourceRoot":"","sources":["../../src/core/orchestrator.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,mBAAmB,EAAmB,MAAM,oBAAoB,CAAC;AAC1E,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,qBAAqB,EAAkB,MAAM,YAAY,CAAC;AAcjF;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,IAAY,EACZ,QAAgB,EAChB,UAA+B,EAAE;IAEjC,MAAM,EACJ,QAAQ,GAAG,KAAK,EAChB,iBAAiB,GAAG,KAAK,EACzB,SAAS,GAAG,KAAK,EACjB,WAAW,GAAG,KAAK,EACnB,QAAQ,GAAG,MAAM,EACjB,UAAU,EACV,OAAO,GAAG,KAAK,GAChB,GAAG,OAAO,CAAC;IAEZ,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,CAAC,GAAG,CAAC,sBAAsB,QAAQ,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,gBAAgB,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,mBAAmB,iBAAiB,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;QAChE,OAAO,CAAC,GAAG,CAAC,sBAAsB,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;QAC3D,OAAO,CAAC,GAAG,CAAC,qBAAqB,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED,8BAA8B;IAC9B,IAAI,KAA4B,CAAC;IACjC,IAAI,WAAW,EAAE,CAAC;QAChB,IAAI,OAAO;YAAE,OAAO,CAAC,GAAG,CAAC,gCAAgC,QAAQ,MAAM,CAAC,CAAC;QACzE,KAAK,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC;QACrC,IAAI,OAAO;YAAE,OAAO,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,KAAK,CAAC,MAAM,iBAAiB,CAAC,CAAC;IACtE,CAAC;IAED,gCAAgC;IAChC,IAAI,OAAO;QAAE,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;IAC3D,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAEjD,yBAAyB;IACzB,IAAI,OAAO;QAAE,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;IACzD,MAAM,MAAM,GAAG,mBAAmB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAEpD,2CAA2C;IAC3C,MAAM,kBAAkB,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC9C,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,GAAG,EAAE,KAAK,CAAC,GAAG;QACd,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC;QAC7B,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,UAAU,EAAE,GAAG;KAChB,CAAC,CAAC,CAAC;IAEJ,qCAAqC;IACrC,IAAI,eAAe,GAAG,kBAAkB,CAAC;IACzC,IAAI,KAAK,IAAI,WAAW,EAAE,CAAC;QACzB,IAAI,OAAO;YAAE,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;QACrD,eAAe,GAAG,qBAAqB,CAAC,eAAe,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;QAC1E,IAAI,OAAO;YAAE,OAAO,CAAC,GAAG,CAAC,MAAM,eAAe,CAAC,MAAM,2BAA2B,CAAC,CAAC;IACpF,CAAC;IAED,mCAAmC;IACnC,IAAI,QAAQ,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3C,IAAI,OAAO;YAAE,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;QAEtD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,eAAe,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAChD,MAAM,IAAI,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;YAEhC,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC;oBACrC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,SAAS;oBACjC,UAAU,EAAE,YAAY;oBACxB,SAAS,EAAE,QAAQ,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE;oBACvC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,SAAS;oBAClD,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ;oBACvB,GAAG,EAAE,IAAI,CAAC,GAAG;oBACb,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC;oBAC/B,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CACjC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,CAAC,EACnC,IAAI,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,CACvB,CAAC,IAAI,CAAC,IAAI,CAAC;oBACZ,QAAQ,EAAE,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY;iBAC9F,EAAE,UAAU,CAAC,CAAC;gBAEf,wCAAwC;gBACxC,IAAI,CAAC,UAAU,GAAG,QAAQ,CAAC,UAAU,CAAC;gBAEtC,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,eAAe,CAAC,MAAM,KAAK,IAAI,CAAC,OAAO,KAAK,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,QAAQ,iBAAiB,QAAQ,CAAC,UAAU,GAAG,CAAC,CAAC;gBACpK,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,eAAe,CAAC,MAAM,uBAAuB,EAAE,KAAK,CAAC,CAAC;gBACrF,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,gDAAgD;IAChD,IAAI,iBAAiB,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpD,IAAI,OAAO;YAAE,OAAO,CAAC,GAAG,CAAC,yCAAyC,CAAC,CAAC;QAEpE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,eAAe,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAChD,MAAM,IAAI,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;YAEhC,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAa,EAAE,EAAE,CAC1C,CAAC,CAAC,QAAQ,KAAK,IAAI,CAAC,QAAQ,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,KAAK,IAAI,CAAC,QAAQ,CAAC,IAAI,CACvE,CAAC;gBAEF,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,SAAS,GAAG,MAAM,mBAAmB,CAAC,KAAK,EAAE,IAAI,EAAE,UAAU,CAAC,CAAC;oBAErE,gDAAgD;oBAChD,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,EAAE,SAAS,CAAC,UAAU,CAAC,CAAC;oBAElE,IAAI,OAAO,EAAE,CAAC;wBACZ,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,eAAe,CAAC,MAAM,KAAK,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,oBAAoB,EAAE,CAAC,CAAC;oBAC/H,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,eAAe,CAAC,MAAM,oCAAoC,EAAE,KAAK,CAAC,CAAC;gBAClG,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,sCAAsC;IACtC,IAAI,SAAS,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5C,IAAI,OAAO;YAAE,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;QAElD,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;YACnC,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAa,EAAE,EAAE,CAC1C,CAAC,CAAC,QAAQ,KAAK,IAAI,CAAC,QAAQ,IAAI,CAAC,CAAC,QAAQ,CAAC,IAAI,KAAK,IAAI,CAAC,QAAQ,CAAC,IAAI,CACvE,CAAC;gBAEF,IAAI,KAAK,EAAE,CAAC;oBACV,MAAM,GAAG,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;oBAC/B,gEAAgE;oBAC/D,IAAY,CAAC,GAAG,GAAG,GAAG,CAAC;gBAC1B,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO,CAAC,IAAI,CAAC,4BAA4B,EAAE,KAAK,CAAC,CAAC;gBACpD,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,IAAI,OAAO;QAAE,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;IACpD,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;IAEpC,wCAAwC;IACxC,IAAI,OAAO;QAAE,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;IACjE,MAAM,WAAW,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;IAE5C,yBAAyB;IACzB,MAAM,OAAO,GAAG;QACd,KAAK,EAAE,eAAe,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,WAAW,CAAC,MAAM;QACnE,QAAQ,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM;QAC9E,IAAI,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM;QACvF,MAAM,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM,GAAG,WAAW,CAAC,MAAM;KAChG,CAAC;IAEF,IAAI,OAAO,EAAE,CAAC;QACZ,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,aAAa,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,gBAAgB,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;QAChD,OAAO,CAAC,GAAG,CAAC,YAAY,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,cAAc,OAAO,CAAC,MAAM,IAAI,CAAC,CAAC;IAChD,CAAC;IAED,OAAO;QACL,eAAe;QACf,OAAO;QACP,WAAW;QACX,OAAO;KACR,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,IAAY,EAAE,QAAgB;IAC7D,OAAO,gBAAgB,CAAC,IAAI,EAAE,QAAQ,EAAE;QACtC,QAAQ,EAAE,KAAK;QACf,iBAAiB,EAAE,KAAK;QACxB,SAAS,EAAE,KAAK;QAChB,WAAW,EAAE,KAAK;QAClB,OAAO,EAAE,KAAK;KACf,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,IAAY,EACZ,QAAgB,EAChB,UAAuB;IAEvB,OAAO,gBAAgB,CAAC,IAAI,EAAE,QAAQ,EAAE;QACtC,QAAQ,EAAE,IAAI;QACd,iBAAiB,EAAE,IAAI;QACvB,SAAS,EAAE,IAAI;QACf,WAAW,EAAE,KAAK;QAClB,UAAU;QACV,OAAO,EAAE,IAAI;KACd,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,IAAY,EACZ,QAAgB,EAChB,WAAmB,MAAM;IAEzB,OAAO,gBAAgB,CAAC,IAAI,EAAE,QAAQ,EAAE;QACtC,QAAQ,EAAE,KAAK;QACf,iBAAiB,EAAE,KAAK;QACxB,SAAS,EAAE,KAAK;QAChB,WAAW,EAAE,IAAI;QACjB,QAAQ;QACR,OAAO,EAAE,IAAI;KACd,CAAC,CAAC;AACL,CAAC"}
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Scope Management - Track and filter relevant code changes
|
|
3
|
+
*/
|
|
4
|
+
export interface CodeScope {
|
|
5
|
+
files: string[];
|
|
6
|
+
lines: Map<string, Set<number>>;
|
|
7
|
+
changedFunctions: Map<string, string[]>;
|
|
8
|
+
}
|
|
9
|
+
/**
|
|
10
|
+
* Get diff scope for current changes
|
|
11
|
+
*/
|
|
12
|
+
export declare function getDiffScope(base?: string): Promise<CodeScope>;
|
|
13
|
+
/**
|
|
14
|
+
* Filter findings to only those in changed scope
|
|
15
|
+
*/
|
|
16
|
+
export declare function filterFindingsByScope<T extends {
|
|
17
|
+
location?: {
|
|
18
|
+
line: number;
|
|
19
|
+
};
|
|
20
|
+
}>(findings: T[], file: string, scope: CodeScope): T[];
|
|
21
|
+
/**
|
|
22
|
+
* Get scope for staged changes
|
|
23
|
+
*/
|
|
24
|
+
export declare function getStagedScope(): Promise<CodeScope>;
|
|
25
|
+
/**
|
|
26
|
+
* Check if a line is in scope
|
|
27
|
+
*/
|
|
28
|
+
export declare function isLineInScope(file: string, line: number, scope: CodeScope): boolean;
|
|
29
|
+
//# sourceMappingURL=scope.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"scope.d.ts","sourceRoot":"","sources":["../../src/core/scope.ts"],"names":[],"mappings":"AAAA;;GAEG;AAOH,MAAM,WAAW,SAAS;IACxB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;IAChC,gBAAgB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CACzC;AAED;;GAEG;AACH,wBAAsB,YAAY,CAAC,IAAI,GAAE,MAAe,GAAG,OAAO,CAAC,SAAS,CAAC,CAiC5E;AA+BD;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,SAAS;IAAE,QAAQ,CAAC,EAAE;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAA;CAAE,EAC7E,QAAQ,EAAE,CAAC,EAAE,EACb,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE,SAAS,GACf,CAAC,EAAE,CAsBL;AAED;;GAEG;AACH,wBAAsB,cAAc,IAAI,OAAO,CAAC,SAAS,CAAC,CAiCzD;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,GAAG,OAAO,CAanF"}
|
|
@@ -0,0 +1,143 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Scope Management - Track and filter relevant code changes
|
|
3
|
+
*/
|
|
4
|
+
import { exec } from 'child_process';
|
|
5
|
+
import { promisify } from 'util';
|
|
6
|
+
const execAsync = promisify(exec);
|
|
7
|
+
/**
|
|
8
|
+
* Get diff scope for current changes
|
|
9
|
+
*/
|
|
10
|
+
export async function getDiffScope(base = 'main') {
|
|
11
|
+
const scope = {
|
|
12
|
+
files: [],
|
|
13
|
+
lines: new Map(),
|
|
14
|
+
changedFunctions: new Map(),
|
|
15
|
+
};
|
|
16
|
+
try {
|
|
17
|
+
// Get changed files
|
|
18
|
+
const { stdout: filesOutput } = await execAsync(`git diff --name-only ${base}...HEAD`);
|
|
19
|
+
const files = filesOutput
|
|
20
|
+
.split('\n')
|
|
21
|
+
.filter(f => f.endsWith('.js') || f.endsWith('.ts') || f.endsWith('.jsx') || f.endsWith('.tsx'))
|
|
22
|
+
.filter(f => f.trim().length > 0);
|
|
23
|
+
scope.files = files;
|
|
24
|
+
// Get changed lines for each file
|
|
25
|
+
for (const file of files) {
|
|
26
|
+
try {
|
|
27
|
+
const { stdout: diffOutput } = await execAsync(`git diff ${base}...HEAD -- ${file}`);
|
|
28
|
+
const changedLines = parseDiffLines(diffOutput);
|
|
29
|
+
scope.lines.set(file, changedLines);
|
|
30
|
+
}
|
|
31
|
+
catch (error) {
|
|
32
|
+
console.warn(`Failed to get diff for ${file}:`, error);
|
|
33
|
+
}
|
|
34
|
+
}
|
|
35
|
+
return scope;
|
|
36
|
+
}
|
|
37
|
+
catch (error) {
|
|
38
|
+
console.warn('Failed to get diff scope:', error);
|
|
39
|
+
return scope;
|
|
40
|
+
}
|
|
41
|
+
}
|
|
42
|
+
/**
|
|
43
|
+
* Parse diff output to extract changed line numbers
|
|
44
|
+
*/
|
|
45
|
+
function parseDiffLines(diff) {
|
|
46
|
+
const lines = new Set();
|
|
47
|
+
const diffLines = diff.split('\n');
|
|
48
|
+
let currentLine = 0;
|
|
49
|
+
for (const line of diffLines) {
|
|
50
|
+
// Parse hunk header: @@ -1,5 +1,7 @@
|
|
51
|
+
const hunkMatch = line.match(/^@@\s+-\d+,?\d*\s+\+(\d+),?(\d*)\s+@@/);
|
|
52
|
+
if (hunkMatch) {
|
|
53
|
+
currentLine = parseInt(hunkMatch[1], 10);
|
|
54
|
+
continue;
|
|
55
|
+
}
|
|
56
|
+
// Track added/modified lines
|
|
57
|
+
if (line.startsWith('+') && !line.startsWith('+++')) {
|
|
58
|
+
lines.add(currentLine);
|
|
59
|
+
currentLine++;
|
|
60
|
+
}
|
|
61
|
+
else if (!line.startsWith('-')) {
|
|
62
|
+
currentLine++;
|
|
63
|
+
}
|
|
64
|
+
}
|
|
65
|
+
return lines;
|
|
66
|
+
}
|
|
67
|
+
/**
|
|
68
|
+
* Filter findings to only those in changed scope
|
|
69
|
+
*/
|
|
70
|
+
export function filterFindingsByScope(findings, file, scope) {
|
|
71
|
+
const changedLines = scope.lines.get(file);
|
|
72
|
+
if (!changedLines || changedLines.size === 0) {
|
|
73
|
+
// No scope info, include all findings
|
|
74
|
+
return findings;
|
|
75
|
+
}
|
|
76
|
+
return findings.filter(finding => {
|
|
77
|
+
const line = finding.location?.line;
|
|
78
|
+
if (!line)
|
|
79
|
+
return false;
|
|
80
|
+
// Include if exact line changed
|
|
81
|
+
if (changedLines.has(line))
|
|
82
|
+
return true;
|
|
83
|
+
// Include if within 5 lines of a change (context)
|
|
84
|
+
for (const changedLine of changedLines) {
|
|
85
|
+
if (Math.abs(line - changedLine) <= 5)
|
|
86
|
+
return true;
|
|
87
|
+
}
|
|
88
|
+
return false;
|
|
89
|
+
});
|
|
90
|
+
}
|
|
91
|
+
/**
|
|
92
|
+
* Get scope for staged changes
|
|
93
|
+
*/
|
|
94
|
+
export async function getStagedScope() {
|
|
95
|
+
const scope = {
|
|
96
|
+
files: [],
|
|
97
|
+
lines: new Map(),
|
|
98
|
+
changedFunctions: new Map(),
|
|
99
|
+
};
|
|
100
|
+
try {
|
|
101
|
+
// Get staged files
|
|
102
|
+
const { stdout: filesOutput } = await execAsync('git diff --cached --name-only --diff-filter=ACM');
|
|
103
|
+
const files = filesOutput
|
|
104
|
+
.split('\n')
|
|
105
|
+
.filter(f => f.endsWith('.js') || f.endsWith('.ts') || f.endsWith('.jsx') || f.endsWith('.tsx'))
|
|
106
|
+
.filter(f => f.trim().length > 0);
|
|
107
|
+
scope.files = files;
|
|
108
|
+
// Get changed lines for each file
|
|
109
|
+
for (const file of files) {
|
|
110
|
+
try {
|
|
111
|
+
const { stdout: diffOutput } = await execAsync(`git diff --cached -- ${file}`);
|
|
112
|
+
const changedLines = parseDiffLines(diffOutput);
|
|
113
|
+
scope.lines.set(file, changedLines);
|
|
114
|
+
}
|
|
115
|
+
catch (error) {
|
|
116
|
+
console.warn(`Failed to get staged diff for ${file}:`, error);
|
|
117
|
+
}
|
|
118
|
+
}
|
|
119
|
+
return scope;
|
|
120
|
+
}
|
|
121
|
+
catch (error) {
|
|
122
|
+
console.warn('Failed to get staged scope:', error);
|
|
123
|
+
return scope;
|
|
124
|
+
}
|
|
125
|
+
}
|
|
126
|
+
/**
|
|
127
|
+
* Check if a line is in scope
|
|
128
|
+
*/
|
|
129
|
+
export function isLineInScope(file, line, scope) {
|
|
130
|
+
const changedLines = scope.lines.get(file);
|
|
131
|
+
if (!changedLines)
|
|
132
|
+
return false;
|
|
133
|
+
// Exact match
|
|
134
|
+
if (changedLines.has(line))
|
|
135
|
+
return true;
|
|
136
|
+
// Context match (within 5 lines)
|
|
137
|
+
for (const changedLine of changedLines) {
|
|
138
|
+
if (Math.abs(line - changedLine) <= 5)
|
|
139
|
+
return true;
|
|
140
|
+
}
|
|
141
|
+
return false;
|
|
142
|
+
}
|
|
143
|
+
//# sourceMappingURL=scope.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"scope.js","sourceRoot":"","sources":["../../src/core/scope.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AACrC,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAEjC,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;AAQlC;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,OAAe,MAAM;IACtD,MAAM,KAAK,GAAc;QACvB,KAAK,EAAE,EAAE;QACT,KAAK,EAAE,IAAI,GAAG,EAAE;QAChB,gBAAgB,EAAE,IAAI,GAAG,EAAE;KAC5B,CAAC;IAEF,IAAI,CAAC;QACH,oBAAoB;QACpB,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,SAAS,CAAC,wBAAwB,IAAI,SAAS,CAAC,CAAC;QACvF,MAAM,KAAK,GAAG,WAAW;aACtB,KAAK,CAAC,IAAI,CAAC;aACX,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;aAC/F,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAEpC,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC;QAEpB,kCAAkC;QAClC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,SAAS,CAAC,YAAY,IAAI,cAAc,IAAI,EAAE,CAAC,CAAC;gBACrF,MAAM,YAAY,GAAG,cAAc,CAAC,UAAU,CAAC,CAAC;gBAChD,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;YACtC,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,IAAI,CAAC,0BAA0B,IAAI,GAAG,EAAE,KAAK,CAAC,CAAC;YACzD,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CAAC,2BAA2B,EAAE,KAAK,CAAC,CAAC;QACjD,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,IAAY;IAClC,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;IAChC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAEnC,IAAI,WAAW,GAAG,CAAC,CAAC;IAEpB,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,qCAAqC;QACrC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;QACtE,IAAI,SAAS,EAAE,CAAC;YACd,WAAW,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACzC,SAAS;QACX,CAAC;QAED,6BAA6B;QAC7B,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YACpD,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;YACvB,WAAW,EAAE,CAAC;QAChB,CAAC;aAAM,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,WAAW,EAAE,CAAC;QAChB,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,QAAa,EACb,IAAY,EACZ,KAAgB;IAEhB,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAE3C,IAAI,CAAC,YAAY,IAAI,YAAY,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;QAC7C,sCAAsC;QACtC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,OAAO,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE;QAC/B,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC;QACpC,IAAI,CAAC,IAAI;YAAE,OAAO,KAAK,CAAC;QAExB,gCAAgC;QAChC,IAAI,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;QAExC,kDAAkD;QAClD,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;YACvC,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC;gBAAE,OAAO,IAAI,CAAC;QACrD,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc;IAClC,MAAM,KAAK,GAAc;QACvB,KAAK,EAAE,EAAE;QACT,KAAK,EAAE,IAAI,GAAG,EAAE;QAChB,gBAAgB,EAAE,IAAI,GAAG,EAAE;KAC5B,CAAC;IAEF,IAAI,CAAC;QACH,mBAAmB;QACnB,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,SAAS,CAAC,iDAAiD,CAAC,CAAC;QACnG,MAAM,KAAK,GAAG,WAAW;aACtB,KAAK,CAAC,IAAI,CAAC;aACX,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;aAC/F,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAEpC,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC;QAEpB,kCAAkC;QAClC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,MAAM,EAAE,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,SAAS,CAAC,wBAAwB,IAAI,EAAE,CAAC,CAAC;gBAC/E,MAAM,YAAY,GAAG,cAAc,CAAC,UAAU,CAAC,CAAC;gBAChD,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;YACtC,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,IAAI,CAAC,iCAAiC,IAAI,GAAG,EAAE,KAAK,CAAC,CAAC;YAChE,CAAC;QACH,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CAAC,6BAA6B,EAAE,KAAK,CAAC,CAAC;QACnD,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,IAAY,EAAE,IAAY,EAAE,KAAgB;IACxE,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3C,IAAI,CAAC,YAAY;QAAE,OAAO,KAAK,CAAC;IAEhC,cAAc;IACd,IAAI,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAExC,iCAAiC;IACjC,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;QACvC,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;IACrD,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}
|
|
@@ -2,6 +2,7 @@
|
|
|
2
2
|
* Adversarial Verification - AI attacker proves exploitability
|
|
3
3
|
*/
|
|
4
4
|
import { TaintTrace } from './taint.js';
|
|
5
|
+
import { type AIProvider } from '../ai/client.js';
|
|
5
6
|
export interface AdversarialResult {
|
|
6
7
|
exploitable: boolean;
|
|
7
8
|
confidence: number;
|
|
@@ -18,7 +19,7 @@ export declare function buildAdversarialPrompt(trace: TaintTrace, code: string):
|
|
|
18
19
|
*/
|
|
19
20
|
export declare function parseAdversarialResult(response: string): AdversarialResult | null;
|
|
20
21
|
/**
|
|
21
|
-
*
|
|
22
|
+
* Verify exploitability using adversarial AI
|
|
22
23
|
*/
|
|
23
|
-
export declare function verifyWithAdversary(trace: TaintTrace, code: string): Promise<AdversarialResult>;
|
|
24
|
+
export declare function verifyWithAdversary(trace: TaintTrace, code: string, provider?: AIProvider): Promise<AdversarialResult>;
|
|
24
25
|
//# sourceMappingURL=adversary.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"adversary.d.ts","sourceRoot":"","sources":["../../src/engine/adversary.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;
|
|
1
|
+
{"version":3,"file":"adversary.d.ts","sourceRoot":"","sources":["../../src/engine/adversary.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AACxC,OAAO,EAAgC,KAAK,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAEhF,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,OAAO,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAuC9E;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,QAAQ,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,CAiBjF;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,KAAK,EAAE,UAAU,EACjB,IAAI,EAAE,MAAM,EACZ,QAAQ,CAAC,EAAE,UAAU,GACpB,OAAO,CAAC,iBAAiB,CAAC,CA+C5B"}
|
package/dist/engine/adversary.js
CHANGED
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* Adversarial Verification - AI attacker proves exploitability
|
|
3
3
|
*/
|
|
4
|
+
import { callAI, getAIProviderFromEnv } from '../ai/client.js';
|
|
4
5
|
/**
|
|
5
6
|
* Generate adversarial attack prompt
|
|
6
7
|
*/
|
|
@@ -66,18 +67,48 @@ export function parseAdversarialResult(response) {
|
|
|
66
67
|
}
|
|
67
68
|
}
|
|
68
69
|
/**
|
|
69
|
-
*
|
|
70
|
+
* Verify exploitability using adversarial AI
|
|
70
71
|
*/
|
|
71
|
-
export async function verifyWithAdversary(trace, code) {
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
72
|
+
export async function verifyWithAdversary(trace, code, provider) {
|
|
73
|
+
// Get provider from env if not provided
|
|
74
|
+
const aiProvider = provider || getAIProviderFromEnv();
|
|
75
|
+
// If no AI provider available, return conservative result
|
|
76
|
+
if (!aiProvider) {
|
|
77
|
+
console.warn('ā ļø No AI provider configured for adversarial verification');
|
|
78
|
+
console.warn('š” Set OPENAI_API_KEY, ANTHROPIC_API_KEY, or OLLAMA_HOST to enable');
|
|
79
|
+
return {
|
|
80
|
+
exploitable: true,
|
|
81
|
+
confidence: 0.7,
|
|
82
|
+
attackVector: 'Adversarial verification not configured',
|
|
83
|
+
payload: '',
|
|
84
|
+
reasoning: 'Marked as potentially exploitable - configure AI provider to verify',
|
|
85
|
+
};
|
|
86
|
+
}
|
|
87
|
+
try {
|
|
88
|
+
const prompt = buildAdversarialPrompt(trace, code);
|
|
89
|
+
const response = await callAI(aiProvider, prompt);
|
|
90
|
+
const result = parseAdversarialResult(response.text);
|
|
91
|
+
if (!result) {
|
|
92
|
+
console.warn('ā ļø Failed to parse adversarial response');
|
|
93
|
+
return {
|
|
94
|
+
exploitable: true,
|
|
95
|
+
confidence: 0.6,
|
|
96
|
+
attackVector: 'Failed to parse AI response',
|
|
97
|
+
payload: '',
|
|
98
|
+
reasoning: 'Parser error - marked as potentially exploitable',
|
|
99
|
+
};
|
|
100
|
+
}
|
|
101
|
+
return result;
|
|
102
|
+
}
|
|
103
|
+
catch (error) {
|
|
104
|
+
console.warn(`ā ļø Adversarial verification failed: ${error instanceof Error ? error.message : 'Unknown error'}`);
|
|
105
|
+
return {
|
|
106
|
+
exploitable: true,
|
|
107
|
+
confidence: 0.7,
|
|
108
|
+
attackVector: `AI verification failed: ${error instanceof Error ? error.message : 'Unknown error'}`,
|
|
109
|
+
payload: '',
|
|
110
|
+
reasoning: 'Marked as potentially exploitable due to verification error',
|
|
111
|
+
};
|
|
112
|
+
}
|
|
82
113
|
}
|
|
83
114
|
//# sourceMappingURL=adversary.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"adversary.js","sourceRoot":"","sources":["../../src/engine/adversary.ts"],"names":[],"mappings":"AAAA;;GAEG;
|
|
1
|
+
{"version":3,"file":"adversary.js","sourceRoot":"","sources":["../../src/engine/adversary.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EAAE,MAAM,EAAE,oBAAoB,EAAmB,MAAM,iBAAiB,CAAC;AAUhF;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,KAAiB,EAAE,IAAY;IACpE,OAAO;;qBAEY,KAAK,CAAC,OAAO;gBAClB,KAAK,CAAC,QAAQ;WACnB,KAAK,CAAC,GAAG,IAAI,KAAK;;;EAG3B,KAAK,CAAC,IAAI;;;;EAIV,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BC,CAAC;AACR,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,QAAgB;IACrD,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;QAChD,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QAE5B,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;QAExC,OAAO;YACL,WAAW,EAAE,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC;YACxC,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,GAAG;YAC5C,YAAY,EAAE,MAAM,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC;YAC/C,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC;YACrC,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,SAAS,IAAI,EAAE,CAAC;SAC1C,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,KAAiB,EACjB,IAAY,EACZ,QAAqB;IAErB,wCAAwC;IACxC,MAAM,UAAU,GAAG,QAAQ,IAAI,oBAAoB,EAAE,CAAC;IAEtD,0DAA0D;IAC1D,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;QAC3E,OAAO,CAAC,IAAI,CAAC,oEAAoE,CAAC,CAAC;QAEnF,OAAO;YACL,WAAW,EAAE,IAAI;YACjB,UAAU,EAAE,GAAG;YACf,YAAY,EAAE,yCAAyC;YACvD,OAAO,EAAE,EAAE;YACX,SAAS,EAAE,qEAAqE;SACjF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,sBAAsB,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACnD,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;QAElD,MAAM,MAAM,GAAG,sBAAsB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QAErD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;YACzD,OAAO;gBACL,WAAW,EAAE,IAAI;gBACjB,UAAU,EAAE,GAAG;gBACf,YAAY,EAAE,6BAA6B;gBAC3C,OAAO,EAAE,EAAE;gBACX,SAAS,EAAE,kDAAkD;aAC9D,CAAC;QACJ,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CAAC,wCAAwC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC,CAAC;QAEjH,OAAO;YACL,WAAW,EAAE,IAAI;YACjB,UAAU,EAAE,GAAG;YACf,YAAY,EAAE,2BAA2B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;YACnG,OAAO,EAAE,EAAE;YACX,SAAS,EAAE,6DAA6D;SACzE,CAAC;IACJ,CAAC;AACH,CAAC"}
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* PoC Generator - Generate proof-of-concept exploits
|
|
3
|
+
*/
|
|
4
|
+
import { TaintTrace } from '../engine/taint.js';
|
|
5
|
+
export interface PoCTest {
|
|
6
|
+
category: string;
|
|
7
|
+
payload: string;
|
|
8
|
+
expectedBehavior: string;
|
|
9
|
+
testCode: string;
|
|
10
|
+
curlCommand?: string;
|
|
11
|
+
}
|
|
12
|
+
/**
|
|
13
|
+
* Generate PoC based on vulnerability type
|
|
14
|
+
*/
|
|
15
|
+
export declare function generatePoC(trace: TaintTrace): PoCTest;
|
|
16
|
+
/**
|
|
17
|
+
* Format PoC as markdown
|
|
18
|
+
*/
|
|
19
|
+
export declare function formatPoCMarkdown(poc: PoCTest): string;
|
|
20
|
+
//# sourceMappingURL=poc.d.ts.map
|