getdoorman 1.0.0

package/src/compliance.js

@@ -0,0 +1,539 @@
+import { writeFileSync } from 'fs';
+import { resolve } from 'path';
+
+/**
+ * SOC2 Trust Service Criteria mapped to Doorman rule prefixes.
+ */
+const SOC2_CONTROLS = [
+  { id: 'CC6.1', name: 'Logical and Physical Access Controls', prefixes: ['SEC-AUTH'], description: 'Controls that limit logical access to systems and data to authorized users.' },
+  { id: 'CC6.6', name: 'System Boundary Security', prefixes: ['SEC-CORS', 'SEC-HDR'], description: 'Controls that restrict access at system boundaries, including network and application layers.' },
+  { id: 'CC6.7', name: 'Transmission Integrity and Security', prefixes: ['SEC-CRY'], description: 'Controls that protect data in transit using encryption and integrity mechanisms.' },
+  { id: 'CC7.1', name: 'Detection and Monitoring', prefixes: ['SEC-RL'], description: 'Controls for detecting anomalies, rate limiting, and monitoring access patterns.' },
+  { id: 'CC7.2', name: 'Change Management', prefixes: ['DEP-'], description: 'Controls that manage changes to infrastructure and software, including dependency management.' },
+  { id: 'CC8.1', name: 'Software Development and Testing', prefixes: ['QUAL-', 'REL-'], description: 'Controls that ensure code quality through testing, reviews, and secure development practices.' },
+];
+
+/**
+ * GDPR Articles mapped to Doorman rule prefixes.
+ */
+const GDPR_CONTROLS = [
+  { id: 'Art. 25', name: 'Data Protection by Design and Default', prefixes: ['DATA-'], description: 'Technical and organizational measures to implement data protection principles.' },
+  { id: 'Art. 32', name: 'Security of Processing', prefixes: ['SEC-CRY', 'SEC-AUTH'], description: 'Appropriate technical measures including encryption and access control.' },
+  { id: 'Art. 33', name: 'Breach Notification', prefixes: ['SEC-RL', 'SEC-HDR'], description: 'Logging and monitoring capabilities for timely breach detection and notification.' },
+  { id: 'Art. 5(1)(c)', name: 'Data Minimization', prefixes: ['DATA-PII', 'DATA-EXP'], description: 'Personal data must be adequate, relevant, and limited to what is necessary.' },
+];
+
+/**
+ * HIPAA Security Rule sections mapped to Doorman rule prefixes.
+ */
+const HIPAA_CONTROLS = [
+  { id: '164.312(a)', name: 'Access Control', prefixes: ['SEC-AUTH'], description: 'Technical policies to allow access only to authorized persons or software programs.' },
+  { id: '164.312(c)', name: 'Integrity Controls', prefixes: ['SEC-INJ', 'SEC-XSS', 'SEC-CSRF'], description: 'Policies to protect ePHI from improper alteration or destruction.' },
+  { id: '164.312(d)', name: 'Person or Entity Authentication', prefixes: ['SEC-AUTH', 'SEC-MISC'], description: 'Procedures to verify that a person seeking access is who they claim to be.' },
+  { id: '164.312(e)', name: 'Transmission Security', prefixes: ['SEC-CRY', 'SEC-HDR'], description: 'Technical security measures to guard against unauthorized access during transmission.' },
+];
+
+/**
+ * PCI-DSS Requirements mapped to Doorman rule prefixes.
+ */
+const PCI_CONTROLS = [
+  { id: 'Req. 2', name: 'Do Not Use Vendor-Supplied Defaults', prefixes: ['SEC-MISC'], description: 'Change all vendor-supplied defaults and remove unnecessary default accounts.' },
+  { id: 'Req. 3', name: 'Protect Stored Cardholder Data', prefixes: ['SEC-CRY', 'DATA-'], description: 'Protect stored cardholder data with encryption and access restrictions.' },
+  { id: 'Req. 6', name: 'Develop and Maintain Secure Systems', prefixes: ['SEC-'], description: 'Develop and maintain secure systems and applications throughout the SDLC.' },
+  { id: 'Req. 8', name: 'Identify and Authenticate Access', prefixes: ['SEC-AUTH'], description: 'Identify and authenticate access to system components.' },
+];
+
+const FRAMEWORK_MAP = {
+  soc2: { name: 'SOC 2 Type II', controls: SOC2_CONTROLS },
+  gdpr: { name: 'GDPR', controls: GDPR_CONTROLS },
+  hipaa: { name: 'HIPAA Security Rule', controls: HIPAA_CONTROLS },
+  pci: { name: 'PCI-DSS v4.0', controls: PCI_CONTROLS },
+};
+
+/**
+ * Check if a finding's ruleId matches any of the given prefixes.
+ */
+function matchesPrefix(ruleId, prefixes) {
+  if (!ruleId) return false;
+  return prefixes.some(prefix => ruleId.startsWith(prefix));
+}
+
+/**
+ * Determine control status from associated findings.
+ */
+function evaluateControl(control, findings) {
+  const matched = findings.filter(f => matchesPrefix(f.ruleId, control.prefixes));
+  const criticalOrHigh = matched.filter(f => f.severity === 'critical' || f.severity === 'high');
+  const medium = matched.filter(f => f.severity === 'medium');
+
+  let status;
+  if (criticalOrHigh.length > 0) {
+    status = 'fail';
+  } else if (medium.length > 0) {
+    status = 'warning';
+  } else {
+    status = 'pass';
+  }
+
+  let remediation = null;
+  if (status === 'fail') {
+    remediation = `Resolve ${criticalOrHigh.length} critical/high finding(s): ${criticalOrHigh.map(f => f.ruleId).join(', ')}`;
+  } else if (status === 'warning') {
+    remediation = `Address ${medium.length} medium finding(s) to achieve full compliance.`;
+  }
+
+  return {
+    id: control.id,
+    name: control.name,
+    description: control.description,
+    status,
+    findings: matched,
+    remediation,
+  };
+}
+
+/**
+ * Map scan findings to compliance frameworks and return compliance status for each.
+ *
+ * @param {Array} findings - Array of finding objects from a Doorman scan.
+ * @returns {{ soc2: object, gdpr: object, hipaa: object, pci: object }}
+ */
+export function getComplianceStatus(findings) {
+  const result = {};
+
+  for (const [key, framework] of Object.entries(FRAMEWORK_MAP)) {
+    const controls = framework.controls.map(ctrl => evaluateControl(ctrl, findings));
+    const passing = controls.filter(c => c.status === 'pass').length;
+    const score = controls.length > 0 ? Math.round((passing / controls.length) * 100) : 100;
+
+    let status;
+    if (score === 100) status = 'compliant';
+    else if (score >= 50) status = 'partial';
+    else status = 'non-compliant';
+
+    result[key] = {
+      name: framework.name,
+      status,
+      controls,
+      score,
+    };
+  }
+
+  return result;
+}
+
+/**
+ * Map findings to their associated compliance controls across all frameworks.
+ *
+ * @param {Array} findings - Array of finding objects.
+ * @returns {Map<string, Array>} Map of control ID to array of matched findings.
+ */
+export function mapFindingsToControls(findings) {
+  const controlMap = new Map();
+
+  for (const [, framework] of Object.entries(FRAMEWORK_MAP)) {
+    for (const control of framework.controls) {
+      const matched = findings.filter(f => matchesPrefix(f.ruleId, control.prefixes));
+      if (matched.length > 0) {
+        controlMap.set(control.id, matched);
+      }
+    }
+  }
+
+  return controlMap;
+}
+
+/**
+ * Generate a professional HTML compliance report from scan results.
+ *
+ * @param {{ findings: Array, score: number, stack?: object }} scanResult
+ * @param {{ framework?: string, projectName?: string, outputPath?: string }} options
+ * @returns {{ html: string, summary: object }}
+ */
+export function generateReport(scanResult, options = {}) {
+  const { findings = [], score = 0, stack = {} } = scanResult;
+  const frameworkFilter = (options.framework || 'all').toLowerCase();
+  const projectName = options.projectName || 'Untitled Project';
+  const reportDate = new Date().toISOString().split('T')[0];
+  const reportTime = new Date().toISOString();
+
+  const compliance = getComplianceStatus(findings);
+
+  // Filter frameworks if requested
+  const frameworks = frameworkFilter === 'all'
+    ? compliance
+    : { [frameworkFilter]: compliance[frameworkFilter] };
+
+  // Severity counts
+  const severityCounts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+  for (const f of findings) {
+    if (severityCounts[f.severity] !== undefined) severityCounts[f.severity]++;
+  }
+
+  // Build remediation roadmap sorted by priority
+  const remediationItems = [];
+  for (const [fwKey, fw] of Object.entries(frameworks)) {
+    if (!fw) continue;
+    for (const ctrl of fw.controls) {
+      if (ctrl.status !== 'pass' && ctrl.remediation) {
+        remediationItems.push({
+          framework: fw.name,
+          control: `${ctrl.id} — ${ctrl.name}`,
+          priority: ctrl.status === 'fail' ? 'High' : 'Medium',
+          remediation: ctrl.remediation,
+          findingCount: ctrl.findings.length,
+        });
+      }
+    }
+  }
+  remediationItems.sort((a, b) => (a.priority === 'High' ? -1 : 1) - (b.priority === 'High' ? -1 : 1));
+
+  // Score styling
+  let scoreClass, scoreLabel;
+  if (score >= 80) { scoreClass = 'score-good'; scoreLabel = 'SAFE TO LAUNCH'; }
+  else if (score >= 60) { scoreClass = 'score-warn'; scoreLabel = 'NEEDS ATTENTION'; }
+  else if (score >= 40) { scoreClass = 'score-warn'; scoreLabel = 'AT RISK'; }
+  else { scoreClass = 'score-bad'; scoreLabel = 'NOT SAFE TO LAUNCH'; }
+
+  // Overall compliance summary
+  const frameworkSummaryRows = Object.entries(frameworks)
+    .filter(([, fw]) => fw)
+    .map(([, fw]) => {
+      const statusClass = fw.status === 'compliant' ? 'pass' : fw.status === 'partial' ? 'warning' : 'fail';
+      const statusLabel = fw.status === 'compliant' ? 'Compliant' : fw.status === 'partial' ? 'Partial' : 'Non-Compliant';
+      return `<tr>
+        <td><strong>${escapeHtml(fw.name)}</strong></td>
+        <td class="${statusClass}">${statusLabel}</td>
+        <td>${fw.score}%</td>
+        <td>${fw.controls.filter(c => c.status === 'pass').length} / ${fw.controls.length}</td>
+      </tr>`;
+    }).join('\n');
+
+  // Findings table rows
+  const findingsRows = findings.map(f => {
+    const sevClass = f.severity === 'critical' || f.severity === 'high' ? 'fail' : f.severity === 'medium' ? 'warning' : 'pass';
+    return `<tr>
+      <td class="${sevClass}">${escapeHtml((f.severity || '').toUpperCase())}</td>
+      <td>${escapeHtml(f.ruleId || '')}</td>
+      <td>${escapeHtml(f.title || '')}</td>
+      <td>${escapeHtml(f.file || 'N/A')}${f.line ? ':' + f.line : ''}</td>
+      <td>${escapeHtml(f.category || '')}</td>
+    </tr>`;
+  }).join('\n');
+
+  // Per-framework compliance detail sections
+  const frameworkDetailSections = Object.entries(frameworks)
+    .filter(([, fw]) => fw)
+    .map(([, fw]) => {
+      const controlRows = fw.controls.map(ctrl => {
+        const statusIcon = ctrl.status === 'pass' ? '\u2705' : ctrl.status === 'warning' ? '\u26A0\uFE0F' : '\u274C';
+        const statusClass = ctrl.status === 'pass' ? 'pass' : ctrl.status === 'warning' ? 'warning' : 'fail';
+        return `<tr>
+          <td>${statusIcon}</td>
+          <td><strong>${escapeHtml(ctrl.id)}</strong></td>
+          <td>${escapeHtml(ctrl.name)}</td>
+          <td class="${statusClass}">${ctrl.status.toUpperCase()}</td>
+          <td>${ctrl.findings.length}</td>
+          <td>${escapeHtml(ctrl.remediation || 'No action required.')}</td>
+        </tr>`;
+      }).join('\n');
+
+      const statusClass = fw.status === 'compliant' ? 'pass' : fw.status === 'partial' ? 'warning' : 'fail';
+
+      return `
+      <div class="section">
+        <h2>${escapeHtml(fw.name)}</h2>
+        <p>Overall Status: <span class="${statusClass}" style="font-weight: bold;">${fw.status.toUpperCase()}</span> &mdash; ${fw.score}% of controls passing</p>
+        <table>
+          <thead>
+            <tr>
+              <th style="width:40px;"></th>
+              <th>Control</th>
+              <th>Name</th>
+              <th>Status</th>
+              <th>Findings</th>
+              <th>Remediation</th>
+            </tr>
+          </thead>
+          <tbody>
+            ${controlRows}
+          </tbody>
+        </table>
+      </div>`;
+    }).join('\n');
+
+  // Remediation roadmap
+  const remediationRows = remediationItems.map((item, idx) => {
+    const prioClass = item.priority === 'High' ? 'fail' : 'warning';
+    return `<tr>
+      <td>${idx + 1}</td>
+      <td class="${prioClass}">${item.priority}</td>
+      <td>${escapeHtml(item.framework)}</td>
+      <td>${escapeHtml(item.control)}</td>
+      <td>${item.findingCount}</td>
+      <td>${escapeHtml(item.remediation)}</td>
+    </tr>`;
+  }).join('\n');
+
+  // Stack detection label
+  const stackLabel = [stack.framework || stack.language || 'Unknown', stack.orm, stack.database]
+    .filter(Boolean).join(' + ');
+
+  const html = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Doorman Compliance Report — ${escapeHtml(projectName)}</title>
+  <style>
+    *, *::before, *::after { box-sizing: border-box; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', system-ui, Roboto, sans-serif;
+      max-width: 960px;
+      margin: 0 auto;
+      padding: 40px 24px;
+      color: #1f2937;
+      line-height: 1.6;
+      background: #ffffff;
+    }
+    .header {
+      border-bottom: 3px solid #2563eb;
+      padding-bottom: 24px;
+      margin-bottom: 32px;
+    }
+    .header h1 {
+      margin: 0 0 4px 0;
+      font-size: 28px;
+      color: #111827;
+    }
+    .header .subtitle {
+      color: #6b7280;
+      font-size: 14px;
+      margin: 0;
+    }
+    .header .logo-text {
+      font-size: 14px;
+      font-weight: 600;
+      color: #2563eb;
+      letter-spacing: 0.5px;
+      text-transform: uppercase;
+      margin-bottom: 8px;
+    }
+    .executive-summary {
+      display: flex;
+      gap: 32px;
+      align-items: flex-start;
+      margin: 32px 0;
+      padding: 24px;
+      background: #f9fafb;
+      border-radius: 8px;
+      border: 1px solid #e5e7eb;
+    }
+    .score-block { text-align: center; min-width: 140px; }
+    .score-badge {
+      font-size: 56px;
+      font-weight: 800;
+      line-height: 1;
+    }
+    .score-label {
+      font-size: 13px;
+      font-weight: 700;
+      letter-spacing: 0.5px;
+      margin-top: 4px;
+    }
+    .score-good { color: #16a34a; }
+    .score-warn { color: #ca8a04; }
+    .score-bad { color: #dc2626; }
+    .summary-stats { flex: 1; }
+    .summary-stats h3 { margin: 0 0 12px 0; font-size: 16px; }
+    .stat-grid {
+      display: grid;
+      grid-template-columns: repeat(auto-fit, minmax(100px, 1fr));
+      gap: 8px;
+    }
+    .stat-item {
+      text-align: center;
+      padding: 8px;
+      border-radius: 6px;
+      background: #fff;
+      border: 1px solid #e5e7eb;
+    }
+    .stat-item .stat-value { font-size: 24px; font-weight: 700; }
+    .stat-item .stat-label { font-size: 11px; color: #6b7280; text-transform: uppercase; letter-spacing: 0.3px; }
+    .stat-critical .stat-value { color: #dc2626; }
+    .stat-high .stat-value { color: #ea580c; }
+    .stat-medium .stat-value { color: #ca8a04; }
+    .stat-low .stat-value { color: #2563eb; }
+    .stat-info .stat-value { color: #6b7280; }
+    .section { margin: 36px 0; }
+    .section h2 {
+      font-size: 20px;
+      color: #111827;
+      border-bottom: 2px solid #e5e7eb;
+      padding-bottom: 8px;
+      margin-bottom: 16px;
+    }
+    table { width: 100%; border-collapse: collapse; font-size: 14px; margin-top: 12px; }
+    th, td { border: 1px solid #e5e7eb; padding: 10px 14px; text-align: left; }
+    th { background: #f9fafb; font-weight: 600; color: #374151; font-size: 12px; text-transform: uppercase; letter-spacing: 0.3px; }
+    tr:nth-child(even) { background: #fafbfc; }
+    .pass { color: #16a34a; font-weight: 600; }
+    .fail { color: #dc2626; font-weight: 600; }
+    .warning { color: #ca8a04; font-weight: 600; }
+    .meta-table { margin: 16px 0; }
+    .meta-table td { border: none; padding: 4px 16px 4px 0; }
+    .meta-table td:first-child { font-weight: 600; color: #6b7280; white-space: nowrap; }
+    .attestation {
+      margin-top: 48px;
+      padding: 20px;
+      background: #f9fafb;
+      border: 1px solid #e5e7eb;
+      border-radius: 8px;
+      font-size: 13px;
+      color: #6b7280;
+    }
+    .attestation strong { color: #374151; }
+    .disclaimer {
+      margin-top: 24px;
+      padding-top: 16px;
+      border-top: 1px solid #e5e7eb;
+      font-size: 11px;
+      color: #9ca3af;
+    }
+    .no-findings { padding: 24px; text-align: center; color: #6b7280; font-style: italic; }
+    @media print {
+      body { padding: 20px; }
+      .no-print { display: none; }
+      .executive-summary { break-inside: avoid; }
+      .section { break-inside: avoid; }
+    }
+  </style>
+</head>
+<body>
+  <div class="header">
+    <div class="logo-text">Doorman Compliance Report</div>
+    <h1>${escapeHtml(projectName)}</h1>
+    <p class="subtitle">Generated on ${escapeHtml(reportDate)} &bull; Framework${frameworkFilter === 'all' ? 's' : ''}: ${frameworkFilter === 'all' ? 'SOC 2, GDPR, HIPAA, PCI-DSS' : escapeHtml(frameworks[frameworkFilter]?.name || frameworkFilter.toUpperCase())}</p>
+  </div>
+
+  <table class="meta-table">
+    <tr><td>Report Date</td><td>${escapeHtml(reportDate)}</td></tr>
+    <tr><td>Project</td><td>${escapeHtml(projectName)}</td></tr>
+    <tr><td>Detected Stack</td><td>${escapeHtml(stackLabel)}</td></tr>
+    <tr><td>Total Findings</td><td>${findings.length}</td></tr>
+    <tr><td>Doorman Version</td><td>v1.0.0</td></tr>
+  </table>
+
+  <div class="section">
+    <h2>Executive Summary</h2>
+    <div class="executive-summary">
+      <div class="score-block">
+        <div class="score-badge ${scoreClass}">${score}</div>
+        <div class="score-label ${scoreClass}">${scoreLabel}</div>
+        <div style="font-size: 12px; color: #9ca3af; margin-top: 2px;">out of 100</div>
+      </div>
+      <div class="summary-stats">
+        <h3>Findings by Severity</h3>
+        <div class="stat-grid">
+          <div class="stat-item stat-critical"><div class="stat-value">${severityCounts.critical}</div><div class="stat-label">Critical</div></div>
+          <div class="stat-item stat-high"><div class="stat-value">${severityCounts.high}</div><div class="stat-label">High</div></div>
+          <div class="stat-item stat-medium"><div class="stat-value">${severityCounts.medium}</div><div class="stat-label">Medium</div></div>
+          <div class="stat-item stat-low"><div class="stat-value">${severityCounts.low}</div><div class="stat-label">Low</div></div>
+          <div class="stat-item stat-info"><div class="stat-value">${severityCounts.info}</div><div class="stat-label">Info</div></div>
+        </div>
+      </div>
+    </div>
+
+    <h3>Compliance Status by Framework</h3>
+    <table>
+      <thead>
+        <tr><th>Framework</th><th>Status</th><th>Score</th><th>Controls Passing</th></tr>
+      </thead>
+      <tbody>
+        ${frameworkSummaryRows}
+      </tbody>
+    </table>
+  </div>
+
+  <div class="section">
+    <h2>Findings Detail</h2>
+    ${findings.length > 0 ? `
+    <table>
+      <thead>
+        <tr><th>Severity</th><th>Rule</th><th>Title</th><th>Location</th><th>Category</th></tr>
+      </thead>
+      <tbody>
+        ${findingsRows}
+      </tbody>
+    </table>` : '<div class="no-findings">No findings detected. All checks passed.</div>'}
+  </div>
+
+  ${frameworkDetailSections}
+
+  <div class="section">
+    <h2>Remediation Roadmap</h2>
+    ${remediationItems.length > 0 ? `
+    <p>The following items are prioritized by severity. Address high-priority items first to achieve compliance.</p>
+    <table>
+      <thead>
+        <tr><th>#</th><th>Priority</th><th>Framework</th><th>Control</th><th>Findings</th><th>Action Required</th></tr>
+      </thead>
+      <tbody>
+        ${remediationRows}
+      </tbody>
+    </table>` : '<div class="no-findings">No remediation actions required. All controls are passing.</div>'}
+  </div>
+
+  <div class="attestation">
+    <strong>Attestation</strong><br>
+    This report was generated by Doorman v1.0.0 on ${escapeHtml(reportTime)}. The findings
+    reflect an automated analysis of the project source code at the time of the scan. This report
+    is intended to support compliance efforts and should be reviewed by a qualified auditor before
+    being used as evidence for certification or regulatory purposes.
+  </div>
+
+  <div class="disclaimer">
+    <strong>Disclaimer:</strong> This automated compliance report maps technical findings to regulatory
+    framework controls as a convenience. It does not constitute legal advice or a formal compliance
+    assessment. Compliance with SOC 2, GDPR, HIPAA, PCI-DSS, and other frameworks requires a
+    comprehensive review by qualified professionals that includes organizational policies, procedures,
+    and technical controls beyond the scope of static code analysis. Doorman makes no representations
+    or warranties regarding the completeness or accuracy of compliance mappings.
+  </div>
+</body>
+</html>`;
+
+  // Write to disk if outputPath is provided
+  if (options.outputPath) {
+    writeFileSync(resolve(options.outputPath), html, 'utf-8');
+  }
+
+  const summary = {
+    projectName,
+    date: reportDate,
+    score,
+    totalFindings: findings.length,
+    severityCounts,
+    frameworks: Object.fromEntries(
+      Object.entries(frameworks)
+        .filter(([, fw]) => fw)
+        .map(([key, fw]) => [key, { name: fw.name, status: fw.status, score: fw.score }])
+    ),
+    remediationCount: remediationItems.length,
+  };
+
+  return { html, summary };
+}
+
+/**
+ * Escape HTML special characters to prevent XSS in generated reports.
+ */
+function escapeHtml(str) {
+  if (typeof str !== 'string') return '';
+  return str
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#039;');
+}