git-repo-analyzer-test 1.0.0

package/src/analyzers/security-enhanced.js

@@ -0,0 +1,512 @@
+/**
+ * Enhanced Security & Vulnerability Analyzer
+ * Checks against OWASP Top 10 vulnerabilities with detailed insights
+ */
+export class SecurityAnalyzer {
+  constructor(githubClient) {
+    this.client = githubClient;
+  }
+
+  /**
+   * Comprehensive security analysis
+   */
+  async analyzeSecurityVulnerabilities(owner, repo) {
+    try {
+      const repoData = await this.client.getRepository(owner, repo);
+
+      const owasp10Issues = this.scanOWASPTop10(repoData);
+      const securityFeatures = this.checkSecurityFeatures(repoData);
+      const score = this.calculateSecurityScore(owasp10Issues, securityFeatures);
+      const rating = this.getRating(score);
+
+      return {
+        score,
+        rating,
+        riskLevel: this.determineRiskLevel(score),
+        owasp10Vulnerabilities: owasp10Issues,
+        securityFeatures,
+        recommendations: this.generateSecurityRecommendations(
+          owasp10Issues,
+          securityFeatures
+        ),
+        riskFactors: this.identifyRiskFactors(repoData, owasp10Issues),
+        bestPractices: this.checkSecurityBestPractices(repoData),
+        details: {
+          dependencySecurity: this.assessDependencySecurity(repoData),
+          codeExposure: this.assessCodeExposure(repoData),
+          accessControl: this.assessAccessControl(repoData),
+        },
+      };
+    } catch (error) {
+      throw new Error(`Security analysis failed: ${error.message}`);
+    }
+  }
+
+  /**
+   * Scan for OWASP Top 10 vulnerabilities
+   */
+  scanOWASPTop10(repoData) {
+    const vulnerabilities = [];
+
+    // A01:2021 - Broken Access Control
+    if (!repoData.private && repoData.open_issues_count > 50) {
+      vulnerabilities.push({
+        rank: 'A01',
+        title: 'Broken Access Control',
+        severity: 'HIGH',
+        description: 'Potential access control vulnerabilities detected',
+        location: 'Repository access settings',
+        indicators: ['Public repository with high issue count'],
+        remediation: [
+          'Implement proper RBAC (Role-Based Access Control)',
+          'Audit repository permissions',
+          'Use branch protection rules',
+          'Implement code review requirements',
+        ],
+        score: 7,
+      });
+    }
+
+    // A02:2021 - Cryptographic Failures
+    if (!repoData.security_and_analysis?.secret_scanning?.status) {
+      vulnerabilities.push({
+        rank: 'A02',
+        title: 'Cryptographic Failures',
+        severity: 'CRITICAL',
+        description: 'No secret scanning enabled - potential credential exposure',
+        location: 'Secret scanning configuration',
+        indicators: ['Secret scanning disabled', 'No credential protection'],
+        remediation: [
+          'Enable secret scanning on GitHub',
+          'Rotate any exposed credentials',
+          'Use GitHub secrets management',
+          'Implement pre-commit hooks to prevent secret commits',
+          'Use environment-based configuration',
+        ],
+        score: 9,
+      });
+    }
+
+    // A03:2021 - Injection
+    const isSuspiciousOfInjection = repoData.language === 'PHP' ||
+      repoData.language === 'JavaScript' ||
+      repoData.language === 'Python';
+    if (isSuspiciousOfInjection && repoData.open_issues_count > 20) {
+      vulnerabilities.push({
+        rank: 'A03',
+        title: 'Injection',
+        severity: 'HIGH',
+        description: 'Potential injection vulnerabilities (SQL, NoSQL, OS command)',
+        location: 'Input validation and database queries',
+        indicators: [
+          'Dynamic query construction',
+          'Unsanitized user input',
+          'High issue count suggesting potential bugs',
+        ],
+        remediation: [
+          'Use parameterized queries / prepared statements',
+          'Implement input validation and sanitization',
+          'Use ORM frameworks when possible',
+          'Apply security scanning tools',
+          'Code review all database interactions',
+        ],
+        score: 8,
+      });
+    }
+
+    // A04:2021 - Insecure Design
+    if (!repoData.has_pages && !repoData.description) {
+      vulnerabilities.push({
+        rank: 'A04',
+        title: 'Insecure Design',
+        severity: 'MEDIUM',
+        description: 'Lack of security architecture documentation',
+        location: 'Documentation and design specifications',
+        indicators: [
+          'No documented security requirements',
+          'Missing threat modeling',
+          'No design documentation',
+        ],
+        remediation: [
+          'Document security requirements',
+          'Perform threat modeling',
+          'Implement security by design',
+          'Create architecture documentation',
+          'Define security acceptance criteria',
+        ],
+        score: 6,
+      });
+    }
+
+    // A05:2021 - Security Misconfiguration
+    if (!repoData.security_and_analysis?.dependabot_security_updates?.status) {
+      vulnerabilities.push({
+        rank: 'A05',
+        title: 'Security Misconfiguration',
+        severity: 'HIGH',
+        description: 'Security features not properly configured',
+        location: 'Repository settings and CI/CD configuration',
+        indicators: [
+          'Dependabot security updates disabled',
+          'No dependency vulnerability scanning',
+          'Default security configurations',
+        ],
+        remediation: [
+          'Enable Dependabot security updates',
+          'Configure security scanning in CI/CD',
+          'Implement secrets management',
+          'Use security headers',
+          'Regular security configuration audit',
+        ],
+        score: 7,
+      });
+    }
+
+    // A06:2021 - Vulnerable and Outdated Components
+    const daysSinceUpdate = Math.floor(
+      (new Date() - new Date(repoData.updated_at)) / (1000 * 60 * 60 * 24)
+    );
+    if (daysSinceUpdate > 90) {
+      vulnerabilities.push({
+        rank: 'A06',
+        title: 'Vulnerable and Outdated Components',
+        severity: 'HIGH',
+        description: `Repository not updated for ${daysSinceUpdate} days`,
+        location: 'Dependencies and libraries',
+        indicators: [
+          'Stale dependencies',
+          'Outdated framework versions',
+          'Known security vulnerabilities in components',
+        ],
+        remediation: [
+          'Update all dependencies regularly',
+          'Use dependency management tools',
+          'Monitor security advisories',
+          'Set up automated dependency updates',
+          'Regular security patches',
+        ],
+        score: 8,
+      });
+    }
+
+    // A07:2021 - Authentication & Session Management (Potential)
+    if (repoData.language === 'JavaScript' || repoData.language === 'PHP') {
+      vulnerabilities.push({
+        rank: 'A07',
+        title: 'Authentication & Session Management',
+        severity: 'MEDIUM',
+        description: 'Potential authentication vulnerabilities in web application',
+        location: 'Authentication and session handling code',
+        indicators: ['Web framework detected', 'User authentication likely'],
+        remediation: [
+          'Implement strong password policies',
+          'Use multi-factor authentication',
+          'Secure session management',
+          'Implement proper token expiration',
+          'Use HTTPS only',
+          'Implement CSRF protection',
+        ],
+        score: 6,
+      });
+    }
+
+    // A08:2021 - Software and Data Integrity Failures
+    if (!repoData.license) {
+      vulnerabilities.push({
+        rank: 'A08',
+        title: 'Software and Data Integrity Failures',
+        severity: 'MEDIUM',
+        description: 'No defined integrity verification mechanism',
+        location: 'Code integrity and license verification',
+        indicators: ['No license defined', 'No code signing', 'No integrity checks'],
+        remediation: [
+          'Add LICENSE file',
+          'Implement code signing',
+          'Use cryptographic verification',
+          'Secure dependency sources',
+          'Implement integrity checks',
+        ],
+        score: 5,
+      });
+    }
+
+    // A09:2021 - Logging & Monitoring Failures
+    vulnerabilities.push({
+      rank: 'A09',
+      title: 'Logging and Monitoring Failures',
+      severity: 'MEDIUM',
+      description: 'No evidence of comprehensive logging/monitoring setup',
+      location: 'Application instrumentation',
+      indicators: ['No documented logging strategy', 'No monitoring topics'],
+      remediation: [
+        'Implement comprehensive logging',
+        'Log all security events',
+        'Monitor for suspicious activity',
+        'Set up alerts for anomalies',
+        'Retain logs securely',
+      ],
+      score: 5,
+    });
+
+    // A10:2021 - Server-Side Request Forgery (SSRF)
+    if (repoData.language === 'Python' || repoData.language === 'JavaScript') {
+      vulnerabilities.push({
+        rank: 'A10',
+        title: 'Server-Side Request Forgery (SSRF)',
+        severity: 'MEDIUM',
+        description: 'Potential SSRF vulnerabilities from external requests',
+        location: 'External API calls and HTTP requests',
+        indicators: ['Makes external HTTP requests', 'Network I/O detected'],
+        remediation: [
+          'Validate and sanitize URLs',
+          'Implement URL whitelist',
+          'Disable unused URL schemes',
+          'Use network segmentation',
+          'Implement timeout controls',
+        ],
+        score: 5,
+      });
+    }
+
+    return vulnerabilities;
+  }
+
+  /**
+   * Check security features enabled
+   */
+  checkSecurityFeatures(repoData) {
+    return {
+      secretScanning: {
+        enabled: repoData.security_and_analysis?.secret_scanning?.status === 'enabled',
+        description: 'Detects and prevents exposed secrets',
+      },
+      dependabotSecurityUpdates: {
+        enabled: repoData.security_and_analysis?.dependabot_security_updates?.status === 'enabled',
+        description: 'Automatically updates vulnerable dependencies',
+      },
+      branchProtection: {
+        status: 'Unknown - requires additional API call',
+        description: 'Enforces code review before merging',
+      },
+      codeQL: {
+        status: 'Unknown - requires additional API call',
+        description: 'Advanced security code scanning',
+      },
+      isPrivate: {
+        enabled: repoData.private,
+        description: 'Repository access is restricted',
+      },
+      hasLicense: {
+        enabled: !!repoData.license,
+        description: 'Legal terms defined for usage',
+      },
+    };
+  }
+
+  /**
+   * Assess dependency security
+   */
+  assessDependencySecurity(repoData) {
+    return {
+      hasPackageJson: repoData.language === 'JavaScript' || repoData.language === 'TypeScript',
+      hasPyproject: repoData.language === 'Python',
+      hasGemfile: repoData.language === 'Ruby',
+      status: 'Use npm audit, pip-audit, or bundle audit',
+      recommendations: [
+        'Regularly audit dependencies for vulnerabilities',
+        'Keep dependencies up to date',
+        'Use lock files (package-lock.json, Pipfile.lock)',
+        'Set up automated dependency updates',
+      ],
+    };
+  }
+
+  /**
+   * Assess code exposure risks
+   */
+  assessCodeExposure(repoData) {
+    return {
+      isPublic: !repoData.private,
+      hasSensitiveTopics: repoData.topics?.some(
+        (t) => ['secret', 'password', 'key', 'credential'].includes(t)
+      ),
+      recommendations: [
+        'Use .gitignore to exclude sensitive files',
+        'Never commit credentials or API keys',
+        'Use environment variables for configuration',
+        'Rotate any exposed credentials immediately',
+        'Use GitHub secrets for CI/CD',
+      ],
+    };
+  }
+
+  /**
+   * Assess access control
+   */
+  assessAccessControl(repoData) {
+    return {
+      isPrivate: repoData.private,
+      pushToBranchDisabled: repoData.topics?.includes('branch-protection'),
+      recommendations: [
+        'Require pull requests for all changes',
+        'Require status checks to pass',
+        'Require code reviews',
+        'Enforce branch naming conventions',
+        'Limit who can push to main/master',
+      ],
+    };
+  }
+
+  /**
+   * Calculate security score
+   */
+  calculateSecurityScore(vulnerabilities, securityFeatures) {
+    let score = 100;
+
+    // Deduct for vulnerabilities
+    vulnerabilities.forEach((vuln) => {
+      score -= vuln.score;
+    });
+
+    // Add points for security features enabled
+    if (securityFeatures.secretScanning.enabled) score += 10;
+    if (securityFeatures.dependabotSecurityUpdates.enabled) score += 8;
+    if (securityFeatures.isPrivate.enabled) score += 5;
+    if (securityFeatures.hasLicense.enabled) score += 3;
+
+    return Math.max(0, Math.min(100, score));
+  }
+
+  /**
+   * Identify risk factors
+   */
+  identifyRiskFactors(repoData, owasp10Issues) {
+    const factors = [];
+
+    if (repoData.archived) {
+      factors.push('Repository is archived and not maintained');
+    }
+
+    if (!repoData.private) {
+      factors.push('Public repository - code is visible to all');
+    }
+
+    if (!repoData.security_and_analysis?.secret_scanning?.status) {
+      factors.push('Secret scanning is disabled');
+    }
+
+    if (!repoData.security_and_analysis?.dependabot_security_updates?.status) {
+      factors.push('Dependabot security updates are disabled');
+    }
+
+    const daysSinceUpdate = Math.floor(
+      (new Date() - new Date(repoData.updated_at)) / (1000 * 60 * 60 * 24)
+    );
+    if (daysSinceUpdate > 365) {
+      factors.push(`Repository not updated for ${daysSinceUpdate} days`);
+    }
+
+    if (repoData.open_issues_count > 100) {
+      factors.push(`High number of open issues: ${repoData.open_issues_count}`);
+    }
+
+    factors.push(`Found ${owasp10Issues.length} potential OWASP Top 10 vulnerabilities`);
+
+    return factors;
+  }
+
+  /**
+   * Check security best practices
+   */
+  checkSecurityBestPractices(repoData) {
+    return {
+      hasSecurity: repoData.topics?.includes('security'),
+      hasSecurityPolicy: repoData.topics?.includes('security-policy'),
+      hasSecurityAudit: repoData.topics?.includes('security-audit'),
+      hasCodeOfConduct: repoData.topics?.includes('code-of-conduct'),
+      recommendations: [
+        'Create SECURITY.md with security policy',
+        'Implement security.txt for vulnerability reporting',
+        'Add code of conduct for community',
+        'Perform regular security audits',
+        'Keep security documentation updated',
+      ],
+    };
+  }
+
+  /**
+   * Generate security recommendations
+   */
+  generateSecurityRecommendations(vulnerabilities, securityFeatures) {
+    const recommendations = [];
+
+    // Prioritize critical vulnerabilities
+    vulnerabilities
+      .filter((v) => v.severity === 'CRITICAL')
+      .forEach((v) => {
+        recommendations.push({
+          priority: 'CRITICAL',
+          issue: v.title,
+          actions: v.remediation,
+        });
+      });
+
+    // Add high severity issues
+    vulnerabilities
+      .filter((v) => v.severity === 'HIGH')
+      .forEach((v) => {
+        recommendations.push({
+          priority: 'HIGH',
+          issue: v.title,
+          actions: v.remediation,
+        });
+      });
+
+    // Add feature recommendations
+    if (!securityFeatures.secretScanning.enabled) {
+      recommendations.push({
+        priority: 'HIGH',
+        issue: 'Enable Secret Scanning',
+        actions: ['Go to Settings > Code security and analysis', 'Enable Secret Scanning'],
+      });
+    }
+
+    if (!securityFeatures.dependabotSecurityUpdates.enabled) {
+      recommendations.push({
+        priority: 'HIGH',
+        issue: 'Enable Dependabot Security Updates',
+        actions: [
+          'Go to Settings > Code security and analysis',
+          'Enable Dependabot security updates',
+        ],
+      });
+    }
+
+    return recommendations;
+  }
+
+  /**
+   * Determine overall risk level
+   */
+  determineRiskLevel(score) {
+    if (score >= 80) return 'LOW';
+    if (score >= 60) return 'MEDIUM';
+    if (score >= 40) return 'HIGH';
+    return 'CRITICAL';
+  }
+
+  /**
+   * Get rating from score
+   */
+  getRating(score) {
+    if (score >= 90) return 'A+';
+    if (score >= 80) return 'A';
+    if (score >= 70) return 'B+';
+    if (score >= 60) return 'B';
+    if (score >= 50) return 'C+';
+    if (score >= 40) return 'C';
+    return 'F';
+  }
+}
+
+export default SecurityAnalyzer;

package/src/analyzers/security-enhanced.js:Zone.Identifier

@@ -0,0 +1,3 @@
+[ZoneTransfer]
+ZoneId=3
+ReferrerUrl=C:\Users\jitendra.yadav\Downloads\GitRepoAnalyzer - Shabbir.zip

package/src/analyzers/snyk-ai.js:Zone.Identifier

@@ -0,0 +1,3 @@
+[ZoneTransfer]
+ZoneId=3
+ReferrerUrl=C:\Users\jitendra.yadav\Downloads\GitRepoAnalyzer - Shabbir.zip