getdoorman 1.0.0

package/src/rules/bugs/crypto-bugs.js

@@ -0,0 +1,195 @@
+// Bug detection: Cryptographic and hashing bugs
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+const PY_EXT = ['.py'];
+function isJS(f) { return JS_EXT.some(e => f.endsWith(e)); }
+function isPy(f) { return PY_EXT.some(e => f.endsWith(e)); }
+
+const rules = [
+  // BUG-CRYPTO-001: Hash truncated too short — collision risk
+  {
+    id: 'BUG-CRYPTO-001',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Hash digest truncated too short — collision risk',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trim().startsWith('//')) continue;
+          // Match: .digest('hex').slice(0, N) or .substring(0, N)
+          const match = line.match(/\.digest\s*\(\s*['"]hex['"]\s*\)\s*\.(?:slice|substring)\s*\(\s*0\s*,\s*(\d+)\s*\)/);
+          if (match) {
+            const len = parseInt(match[1], 10);
+            // 16 hex chars = 64 bits = birthday collision at ~2^32
+            // 32 hex chars = 128 bits = safe for most uses
+            if (len < 32) {
+              findings.push({
+                ruleId: 'BUG-CRYPTO-001', category: 'bugs', severity: 'high',
+                title: `Hash truncated to ${len} hex chars (${len * 4} bits) — collision risk`,
+                description: `Truncating a hash to ${len} characters gives only ${len * 4} bits of entropy. Birthday paradox means collisions after ~2^${len * 2} values. Use at least 32 hex chars (128 bits) for identifiers, fingerprints, and cache keys.`,
+                file: fp, line: i + 1,
+                fix: len < 32 ? {
+                  type: 'replace',
+                  old: match[0],
+                  new: match[0].replace(`(0, ${len})`, '(0, 32)'),
+                } : null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // BUG-CRYPTO-002: Python hash truncated too short
+  {
+    id: 'BUG-CRYPTO-002',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Hash digest truncated too short — collision risk',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isPy(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trim().startsWith('#')) continue;
+          // Match: .hexdigest()[:N]
+          const match = line.match(/\.hexdigest\s*\(\s*\)\s*\[\s*:(\d+)\s*\]/);
+          if (match) {
+            const len = parseInt(match[1], 10);
+            if (len < 32) {
+              findings.push({
+                ruleId: 'BUG-CRYPTO-002', category: 'bugs', severity: 'high',
+                title: `Hash truncated to ${len} hex chars (${len * 4} bits) — collision risk`,
+                description: `Truncating a hash to ${len} characters gives only ${len * 4} bits of entropy. Use at least 32 hex chars (128 bits) for identifiers and fingerprints.`,
+                file: fp, line: i + 1,
+                fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // BUG-CRYPTO-003: Using Math.random() for IDs/tokens
+  {
+    id: 'BUG-CRYPTO-003',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Math.random() used for ID/token generation — not cryptographically secure',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trim().startsWith('//')) continue;
+          // Math.random used with toString(36) or in context of id/token/key generation
+          if (/Math\.random\(\)/.test(line) &&
+              (/toString\s*\(\s*36\s*\)/.test(line) || /(?:id|token|key|uuid|nonce|session|secret)\s*[=:]/i.test(line))) {
+            findings.push({
+              ruleId: 'BUG-CRYPTO-003', category: 'bugs', severity: 'high',
+              title: 'Math.random() for ID/token generation — predictable output',
+              description: 'Math.random() is not cryptographically secure and its output is predictable. Use crypto.randomUUID() or crypto.randomBytes() for tokens, IDs, and secrets.',
+              file: fp, line: i + 1,
+              fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // BUG-CRYPTO-004: Weak hash algorithm (MD5/SHA1) for security purposes
+  {
+    id: 'BUG-CRYPTO-004',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Weak hash algorithm (MD5/SHA1) used for security-sensitive purpose',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp) && !isPy(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trim().startsWith('//') || line.trim().startsWith('#')) continue;
+
+          let algo = null;
+          // JS: createHash('md5') or createHash('sha1')
+          const jsMatch = line.match(/createHash\s*\(\s*['"](?:md5|sha1)['"]\s*\)/i);
+          if (jsMatch) algo = jsMatch[0].includes('md5') ? 'MD5' : 'SHA1';
+
+          // Python: hashlib.md5() or hashlib.sha1()
+          const pyMatch = line.match(/hashlib\.(?:md5|sha1)\s*\(/i);
+          if (pyMatch) algo = pyMatch[0].includes('md5') ? 'MD5' : 'SHA1';
+
+          if (algo) {
+            // Check context for security use (password, auth, token, verify, sign)
+            if (/(?:password|auth|token|verify|sign|secret|credential|session)/i.test(line) ||
+                /(?:password|auth|token|verify|sign|secret|credential|session)/i.test(lines[Math.max(0, i - 1)] || '')) {
+              findings.push({
+                ruleId: 'BUG-CRYPTO-004', category: 'bugs', severity: 'high',
+                title: `${algo} used for security-sensitive purpose — cryptographically broken`,
+                description: `${algo} has known collision attacks and should not be used for passwords, authentication, or signatures. Use SHA-256 or bcrypt/argon2 for passwords.`,
+                file: fp, line: i + 1,
+                fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // BUG-CRYPTO-005: Hardcoded encryption key/IV
+  {
+    id: 'BUG-CRYPTO-005',
+    category: 'bugs',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Hardcoded encryption key or IV',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (line.trim().startsWith('//')) continue;
+          // createCipheriv with string literal key/iv
+          if (/createCipher(?:iv)?\s*\(\s*['"]/.test(line)) {
+            // Check if key/iv are string literals (not variables from env)
+            if (/createCipher(?:iv)?\s*\(\s*['"][^'"]+['"]\s*,\s*['"]/.test(line)) {
+              findings.push({
+                ruleId: 'BUG-CRYPTO-005', category: 'bugs', severity: 'high',
+                title: 'Hardcoded encryption key — anyone with source code can decrypt',
+                description: 'Encryption keys must not be hardcoded. Load from environment variables or a secrets manager: process.env.ENCRYPTION_KEY.',
+                file: fp, line: i + 1,
+                fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;

package/src/rules/bugs/docker-bugs.js

@@ -0,0 +1,158 @@
+// Bug detection: Dockerfile anti-patterns
+function isDockerfile(f) { return f === 'Dockerfile' || f.endsWith('/Dockerfile') || /Dockerfile\.\w+$/.test(f) || f.endsWith('.dockerfile'); }
+function isCompose(f) { return /docker-compose.*\.ya?ml$/.test(f) || /compose\.ya?ml$/.test(f); }
+
+const rules = [
+  {
+    id: 'BUG-DOCKER-001',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Running as root in container',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isDockerfile(fp)) continue;
+        if (!/\bUSER\b/.test(content)) {
+          findings.push({
+            ruleId: 'BUG-DOCKER-001', category: 'bugs', severity: 'high',
+            title: 'Container runs as root — security risk',
+            description: 'Without a USER directive, the container runs as root. Add USER node (or appropriate non-root user) after installing dependencies.',
+            file: fp, line: 1, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-DOCKER-002',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Using :latest tag — non-reproducible builds',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isDockerfile(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/^FROM\s+\w+(:latest)?\s*$/i.test(lines[i]) || /^FROM\s+\w+:latest\b/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-DOCKER-002', category: 'bugs', severity: 'high',
+              title: 'FROM with :latest tag — builds are not reproducible',
+              description: 'Pin to a specific version (e.g., node:20-alpine) so builds are reproducible. :latest can change unexpectedly and break your app.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-DOCKER-003',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'definite',
+    title: 'COPY . before npm install — cache invalidation',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isDockerfile(fp)) continue;
+        const lines = content.split('\n');
+        let sawCopyDot = false;
+        let sawInstall = false;
+        for (let i = 0; i < lines.length; i++) {
+          if (/^COPY\s+\.\s/.test(lines[i]) || /^COPY\s+\.\s*$/.test(lines[i]) || /^ADD\s+\.\s/.test(lines[i])) {
+            sawCopyDot = true;
+          }
+          if (sawCopyDot && /npm install|yarn install|pnpm install|pip install/.test(lines[i])) {
+            sawInstall = true;
+            findings.push({
+              ruleId: 'BUG-DOCKER-003', category: 'bugs', severity: 'medium',
+              title: 'COPY . before dependency install — every code change re-downloads deps',
+              description: 'Copy package.json first, run install, then COPY the rest. This lets Docker cache the dependency layer.',
+              file: fp, line: i + 1, fix: null,
+            });
+            break;
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-DOCKER-004',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No .dockerignore — node_modules copied into image',
+    check({ files }) {
+      const findings = [];
+      const hasDockerfile = [...files.keys()].some(f => isDockerfile(f));
+      const hasDockerignore = [...files.keys()].some(f => f === '.dockerignore' || f.endsWith('/.dockerignore'));
+      if (hasDockerfile && !hasDockerignore) {
+        findings.push({
+          ruleId: 'BUG-DOCKER-004', category: 'bugs', severity: 'medium',
+          title: 'No .dockerignore file — node_modules, .git, etc. copied into image',
+          description: 'Without .dockerignore, COPY . sends everything (node_modules, .git, .env) to the daemon. Create .dockerignore with: node_modules, .git, .env, dist.',
+          file: 'Dockerfile', line: 1, fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-DOCKER-005',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Secrets in Dockerfile — baked into image layer',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isDockerfile(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/^ENV\s+\w*(?:SECRET|PASSWORD|TOKEN|API_KEY|PRIVATE_KEY|CREDENTIALS)\w*[\s=]/i.test(lines[i]) && !/\$\{/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-DOCKER-005', category: 'bugs', severity: 'high',
+              title: 'Secret hardcoded in Dockerfile ENV — visible in image layers',
+              description: 'ENV values are baked into image layers and visible to anyone with the image. Use runtime env vars (docker run -e) or secrets management.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-DOCKER-006',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No health check defined',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isDockerfile(fp)) continue;
+        if (!/HEALTHCHECK/.test(content)) {
+          // Only flag if it's a server (has EXPOSE)
+          if (/EXPOSE/.test(content)) {
+            findings.push({
+              ruleId: 'BUG-DOCKER-006', category: 'bugs', severity: 'medium',
+              title: 'No HEALTHCHECK — orchestrator can\'t detect unhealthy containers',
+              description: 'Add HEALTHCHECK CMD curl -f http://localhost:PORT/health || exit 1 so Docker/K8s can detect and restart unhealthy containers.',
+              file: fp, line: 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;