npm - guardrail-security - Versions diffs - 1.0.0 - Mend

guardrail-security 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (95) hide show

package/dist/attack-surface/analyzer.d.ts +50 -0
package/dist/attack-surface/analyzer.d.ts.map +1 -0
package/dist/attack-surface/analyzer.js +83 -0
package/dist/attack-surface/index.d.ts +5 -0
package/dist/attack-surface/index.d.ts.map +1 -0
package/dist/attack-surface/index.js +20 -0
package/dist/index.d.ts +15 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +33 -0
package/dist/languages/index.d.ts +21 -0
package/dist/languages/index.d.ts.map +1 -0
package/dist/languages/index.js +78 -0
package/dist/languages/java-analyzer.d.ts +72 -0
package/dist/languages/java-analyzer.d.ts.map +1 -0
package/dist/languages/java-analyzer.js +417 -0
package/dist/languages/python-analyzer.d.ts +70 -0
package/dist/languages/python-analyzer.d.ts.map +1 -0
package/dist/languages/python-analyzer.js +425 -0
package/dist/license/compatibility-matrix.d.ts +28 -0
package/dist/license/compatibility-matrix.d.ts.map +1 -0
package/dist/license/compatibility-matrix.js +323 -0
package/dist/license/engine.d.ts +77 -0
package/dist/license/engine.d.ts.map +1 -0
package/dist/license/engine.js +264 -0
package/dist/license/index.d.ts +6 -0
package/dist/license/index.d.ts.map +1 -0
package/dist/license/index.js +21 -0
package/dist/sbom/generator.d.ts +108 -0
package/dist/sbom/generator.d.ts.map +1 -0
package/dist/sbom/generator.js +271 -0
package/dist/sbom/index.d.ts +5 -0
package/dist/sbom/index.d.ts.map +1 -0
package/dist/sbom/index.js +20 -0
package/dist/secrets/guardian.d.ts +113 -0
package/dist/secrets/guardian.d.ts.map +1 -0
package/dist/secrets/guardian.js +334 -0
package/dist/secrets/index.d.ts +10 -0
package/dist/secrets/index.d.ts.map +1 -0
package/dist/secrets/index.js +30 -0
package/dist/secrets/patterns.d.ts +42 -0
package/dist/secrets/patterns.d.ts.map +1 -0
package/dist/secrets/patterns.js +165 -0
package/dist/secrets/pre-commit.d.ts +39 -0
package/dist/secrets/pre-commit.d.ts.map +1 -0
package/dist/secrets/pre-commit.js +127 -0
package/dist/secrets/vault-integration.d.ts +83 -0
package/dist/secrets/vault-integration.d.ts.map +1 -0
package/dist/secrets/vault-integration.js +295 -0
package/dist/secrets/vault-providers.d.ts +110 -0
package/dist/secrets/vault-providers.d.ts.map +1 -0
package/dist/secrets/vault-providers.js +417 -0
package/dist/supply-chain/detector.d.ts +80 -0
package/dist/supply-chain/detector.d.ts.map +1 -0
package/dist/supply-chain/detector.js +168 -0
package/dist/supply-chain/index.d.ts +11 -0
package/dist/supply-chain/index.d.ts.map +1 -0
package/dist/supply-chain/index.js +26 -0
package/dist/supply-chain/malicious-db.d.ts +41 -0
package/dist/supply-chain/malicious-db.d.ts.map +1 -0
package/dist/supply-chain/malicious-db.js +82 -0
package/dist/supply-chain/script-analyzer.d.ts +54 -0
package/dist/supply-chain/script-analyzer.d.ts.map +1 -0
package/dist/supply-chain/script-analyzer.js +160 -0
package/dist/supply-chain/typosquat.d.ts +58 -0
package/dist/supply-chain/typosquat.d.ts.map +1 -0
package/dist/supply-chain/typosquat.js +257 -0
package/dist/supply-chain/vulnerability-db.d.ts +114 -0
package/dist/supply-chain/vulnerability-db.d.ts.map +1 -0
package/dist/supply-chain/vulnerability-db.js +310 -0
package/package.json +34 -0
package/src/__tests__/license/engine.test.ts +250 -0
package/src/__tests__/supply-chain/typosquat.test.ts +191 -0
package/src/attack-surface/analyzer.ts +152 -0
package/src/attack-surface/index.ts +5 -0
package/src/index.ts +21 -0
package/src/languages/index.ts +91 -0
package/src/languages/java-analyzer.ts +490 -0
package/src/languages/python-analyzer.ts +498 -0
package/src/license/compatibility-matrix.ts +366 -0
package/src/license/engine.ts +345 -0
package/src/license/index.ts +6 -0
package/src/sbom/generator.ts +355 -0
package/src/sbom/index.ts +5 -0
package/src/secrets/guardian.ts +448 -0
package/src/secrets/index.ts +10 -0
package/src/secrets/patterns.ts +186 -0
package/src/secrets/pre-commit.ts +158 -0
package/src/secrets/vault-integration.ts +360 -0
package/src/secrets/vault-providers.ts +446 -0
package/src/supply-chain/detector.ts +252 -0
package/src/supply-chain/index.ts +11 -0
package/src/supply-chain/malicious-db.ts +103 -0
package/src/supply-chain/script-analyzer.ts +194 -0
package/src/supply-chain/typosquat.ts +302 -0
package/src/supply-chain/vulnerability-db.ts +386 -0

package/src/secrets/vault-providers.ts ADDED Viewed

@@ -0,0 +1,446 @@
+/**
+ * Vault Providers
+ *
+ * Real implementations for secret vault integrations:
+ * - AWS Secrets Manager
+ * - HashiCorp Vault
+ * - Azure Key Vault
+ * - GCP Secret Manager
+ */
+export interface VaultProvider {
+  name: string;
+  createSecret(name: string, value: string): Promise<string>;
+  getSecret(name: string): Promise<string | null>;
+  deleteSecret(name: string): Promise<boolean>;
+  listSecrets(): Promise<string[]>;
+  testConnection(): Promise<boolean>;
+}
+export interface VaultProviderConfig {
+  type: 'aws_secrets_manager' | 'hashicorp_vault' | 'azure_keyvault' | 'gcp_secret_manager';
+  region?: string;
+  endpoint?: string;
+  projectId?: string;
+  credentials?: {
+    accessKeyId?: string;
+    secretAccessKey?: string;
+    token?: string;
+    clientId?: string;
+    clientSecret?: string;
+    tenantId?: string;
+  };
+}
+/**
+ * AWS Secrets Manager Provider
+ */
+export class AWSSecretsManagerProvider implements VaultProvider {
+  name = 'AWS Secrets Manager';
+  private client: any;
+  private region: string;
+  constructor(config: VaultProviderConfig) {
+    this.region = config.region || 'us-east-1';
+  }
+  private async getClient() {
+    if (!this.client) {
+      const { SecretsManagerClient } = await import('@aws-sdk/client-secrets-manager');
+      this.client = new SecretsManagerClient({ region: this.region });
+    }
+    return this.client;
+  }
+  async createSecret(name: string, value: string): Promise<string> {
+    const client = await this.getClient();
+    const { CreateSecretCommand } = await import('@aws-sdk/client-secrets-manager');
+    try {
+      const result = await client.send(new CreateSecretCommand({
+        Name: name,
+        SecretString: value,
+        Description: 'Migrated by Guardrail AI',
+      }));
+      return result.ARN || name;
+    } catch (error: any) {
+      if (error.name === 'ResourceExistsException') {
+        const { PutSecretValueCommand } = await import('@aws-sdk/client-secrets-manager');
+        await client.send(new PutSecretValueCommand({
+          SecretId: name,
+          SecretString: value,
+        }));
+        return name;
+      }
+      throw error;
+    }
+  }
+  async getSecret(name: string): Promise<string | null> {
+    const client = await this.getClient();
+    const { GetSecretValueCommand } = await import('@aws-sdk/client-secrets-manager');
+    try {
+      const result = await client.send(new GetSecretValueCommand({ SecretId: name }));
+      return result.SecretString || null;
+    } catch (error: any) {
+      if (error.name === 'ResourceNotFoundException') {
+        return null;
+      }
+      throw error;
+    }
+  }
+  async deleteSecret(name: string): Promise<boolean> {
+    const client = await this.getClient();
+    const { DeleteSecretCommand } = await import('@aws-sdk/client-secrets-manager');
+    try {
+      await client.send(new DeleteSecretCommand({
+        SecretId: name,
+        ForceDeleteWithoutRecovery: false,
+      }));
+      return true;
+    } catch (error) {
+      return false;
+    }
+  }
+  async listSecrets(): Promise<string[]> {
+    const client = await this.getClient();
+    const { ListSecretsCommand } = await import('@aws-sdk/client-secrets-manager');
+    const result = await client.send(new ListSecretsCommand({}));
+    return (result.SecretList || []).map((s: any) => s.Name).filter(Boolean);
+  }
+  async testConnection(): Promise<boolean> {
+    try {
+      await this.listSecrets();
+      return true;
+    } catch (error) {
+      return false;
+    }
+  }
+}
+/**
+ * HashiCorp Vault Provider
+ */
+export class HashiCorpVaultProvider implements VaultProvider {
+  name = 'HashiCorp Vault';
+  private client: any;
+  private endpoint: string;
+  private token: string;
+  private mountPath: string;
+  constructor(config: VaultProviderConfig) {
+    this.endpoint = config.endpoint || 'http://127.0.0.1:8200';
+    this.token = config.credentials?.token || process.env['VAULT_TOKEN'] || '';
+    this.mountPath = 'secret';
+  }
+  private async getClient() {
+    if (!this.client) {
+      const vault = (await import('node-vault')).default;
+      this.client = vault({
+        endpoint: this.endpoint,
+        token: this.token,
+      });
+    }
+    return this.client;
+  }
+  async createSecret(name: string, value: string): Promise<string> {
+    const client = await this.getClient();
+    const path = `${this.mountPath}/data/${name}`;
+    await client.write(path, {
+      data: { value },
+      metadata: { created_by: 'Guardrail-ai' },
+    });
+    return path;
+  }
+  async getSecret(name: string): Promise<string | null> {
+    const client = await this.getClient();
+    const path = `${this.mountPath}/data/${name}`;
+    try {
+      const result = await client.read(path);
+      return result?.data?.data?.value || null;
+    } catch (error: any) {
+      if (error.response?.statusCode === 404) {
+        return null;
+      }
+      throw error;
+    }
+  }
+  async deleteSecret(name: string): Promise<boolean> {
+    const client = await this.getClient();
+    const path = `${this.mountPath}/metadata/${name}`;
+    try {
+      await client.delete(path);
+      return true;
+    } catch (error) {
+      return false;
+    }
+  }
+  async listSecrets(): Promise<string[]> {
+    const client = await this.getClient();
+    const path = `${this.mountPath}/metadata`;
+    try {
+      const result = await client.list(path);
+      return result?.data?.keys || [];
+    } catch (error) {
+      return [];
+    }
+  }
+  async testConnection(): Promise<boolean> {
+    try {
+      const client = await this.getClient();
+      await client.health();
+      return true;
+    } catch (error) {
+      return false;
+    }
+  }
+}
+/**
+ * Azure Key Vault Provider
+ */
+export class AzureKeyVaultProvider implements VaultProvider {
+  name = 'Azure Key Vault';
+  private client: any;
+  private vaultUrl: string;
+  constructor(config: VaultProviderConfig) {
+    this.vaultUrl = config.endpoint || '';
+    if (!this.vaultUrl) {
+      throw new Error('Azure Key Vault URL is required');
+    }
+  }
+  private async getClient() {
+    if (!this.client) {
+      const { SecretClient } = await import('@azure/keyvault-secrets');
+      const { DefaultAzureCredential } = await import('@azure/identity');
+      const credential = new DefaultAzureCredential();
+      this.client = new SecretClient(this.vaultUrl, credential);
+    }
+    return this.client;
+  }
+  async createSecret(name: string, value: string): Promise<string> {
+    const client = await this.getClient();
+    const sanitizedName = name.replace(/[^a-zA-Z0-9-]/g, '-');
+    const result = await client.setSecret(sanitizedName, value, {
+      tags: { createdBy: 'Guardrail-ai' },
+    });
+    return result.properties.id || sanitizedName;
+  }
+  async getSecret(name: string): Promise<string | null> {
+    const client = await this.getClient();
+    const sanitizedName = name.replace(/[^a-zA-Z0-9-]/g, '-');
+    try {
+      const result = await client.getSecret(sanitizedName);
+      return result.value || null;
+    } catch (error: any) {
+      if (error.code === 'SecretNotFound') {
+        return null;
+      }
+      throw error;
+    }
+  }
+  async deleteSecret(name: string): Promise<boolean> {
+    const client = await this.getClient();
+    const sanitizedName = name.replace(/[^a-zA-Z0-9-]/g, '-');
+    try {
+      await client.beginDeleteSecret(sanitizedName);
+      return true;
+    } catch (error) {
+      return false;
+    }
+  }
+  async listSecrets(): Promise<string[]> {
+    const client = await this.getClient();
+    const secrets: string[] = [];
+    for await (const secretProperties of client.listPropertiesOfSecrets()) {
+      secrets.push(secretProperties.name);
+    }
+    return secrets;
+  }
+  async testConnection(): Promise<boolean> {
+    try {
+      await this.listSecrets();
+      return true;
+    } catch (error) {
+      return false;
+    }
+  }
+}
+/**
+ * GCP Secret Manager Provider
+ */
+export class GCPSecretManagerProvider implements VaultProvider {
+  name = 'GCP Secret Manager';
+  private client: any;
+  private projectId: string;
+  constructor(config: VaultProviderConfig) {
+    this.projectId = config.projectId || process.env['GOOGLE_CLOUD_PROJECT'] || '';
+    if (!this.projectId) {
+      throw new Error('GCP Project ID is required');
+    }
+  }
+  private async getClient() {
+    if (!this.client) {
+      const { SecretManagerServiceClient } = await import('@google-cloud/secret-manager');
+      this.client = new SecretManagerServiceClient();
+    }
+    return this.client;
+  }
+  async createSecret(name: string, value: string): Promise<string> {
+    const client = await this.getClient();
+    const parent = `projects/${this.projectId}`;
+    const sanitizedName = name.replace(/[^a-zA-Z0-9_-]/g, '_');
+    try {
+      await client.createSecret({
+        parent,
+        secretId: sanitizedName,
+        secret: {
+          replication: { automatic: {} },
+          labels: { created_by: 'Guardrail-ai' },
+        },
+      });
+    } catch (error: any) {
+      if (error.code !== 6) {
+        throw error;
+      }
+    }
+    const secretName = `${parent}/secrets/${sanitizedName}`;
+    await client.addSecretVersion({
+      parent: secretName,
+      payload: { data: Buffer.from(value, 'utf8') },
+    });
+    return secretName;
+  }
+  async getSecret(name: string): Promise<string | null> {
+    const client = await this.getClient();
+    const sanitizedName = name.replace(/[^a-zA-Z0-9_-]/g, '_');
+    const secretName = `projects/${this.projectId}/secrets/${sanitizedName}/versions/latest`;
+    try {
+      const [version] = await client.accessSecretVersion({ name: secretName });
+      return version.payload?.data?.toString() || null;
+    } catch (error: any) {
+      if (error.code === 5) {
+        return null;
+      }
+      throw error;
+    }
+  }
+  async deleteSecret(name: string): Promise<boolean> {
+    const client = await this.getClient();
+    const sanitizedName = name.replace(/[^a-zA-Z0-9_-]/g, '_');
+    const secretName = `projects/${this.projectId}/secrets/${sanitizedName}`;
+    try {
+      await client.deleteSecret({ name: secretName });
+      return true;
+    } catch (error) {
+      return false;
+    }
+  }
+  async listSecrets(): Promise<string[]> {
+    const client = await this.getClient();
+    const parent = `projects/${this.projectId}`;
+    const [secrets] = await client.listSecrets({ parent });
+    return secrets.map((s: any) => s.name?.split('/').pop()).filter(Boolean);
+  }
+  async testConnection(): Promise<boolean> {
+    try {
+      await this.listSecrets();
+      return true;
+    } catch (error) {
+      return false;
+    }
+  }
+}
+/**
+ * Factory function to create vault provider
+ */
+export function createVaultProvider(config: VaultProviderConfig): VaultProvider {
+  switch (config.type) {
+    case 'aws_secrets_manager':
+      return new AWSSecretsManagerProvider(config);
+    case 'hashicorp_vault':
+      return new HashiCorpVaultProvider(config);
+    case 'azure_keyvault':
+      return new AzureKeyVaultProvider(config);
+    case 'gcp_secret_manager':
+      return new GCPSecretManagerProvider(config);
+    default:
+      throw new Error(`Unsupported vault type: ${config.type}`);
+  }
+}
+/**
+ * Local environment provider (for development/testing)
+ */
+export class LocalEnvProvider implements VaultProvider {
+  name = 'Local Environment';
+  private secrets: Map<string, string> = new Map();
+  async createSecret(name: string, value: string): Promise<string> {
+    this.secrets.set(name, value);
+    return `local://${name}`;
+  }
+  async getSecret(name: string): Promise<string | null> {
+    return this.secrets.get(name) || process.env[name] || null;
+  }
+  async deleteSecret(name: string): Promise<boolean> {
+    return this.secrets.delete(name);
+  }
+  async listSecrets(): Promise<string[]> {
+    return Array.from(this.secrets.keys());
+  }
+  async testConnection(): Promise<boolean> {
+    return true;
+  }
+}

package/src/supply-chain/detector.ts ADDED Viewed

@@ -0,0 +1,252 @@
+import { prisma } from "@guardrail/database";
+import { typosquatDetector, TyposquatResult } from "./typosquat";
+import { maliciousPackageDB } from "./malicious-db";
+import { scriptAnalyzer, ScriptAnalysisResult } from "./script-analyzer";
+import { readFileSync } from "fs";
+import { join } from "path";
+/**
+ * Package analysis result
+ */
+export interface PackageAnalysisResult {
+  packageName: string;
+  version: string;
+  registry: string;
+  riskScore: number;
+  threats: Threat[];
+  isMalicious: boolean;
+  isTyposquat: boolean;
+  isDeprecated: boolean;
+  typosquatResult?: TyposquatResult;
+  scriptAnalysis?: ScriptAnalysisResult[];
+  license?: string;
+  maintainerRisk?: MaintainerRisk;
+}
+export interface Threat {
+  type: string;
+  severity: "low" | "medium" | "high" | "critical";
+  description: string;
+}
+export interface MaintainerRisk {
+  accountAge: number;
+  packageCount: number;
+  suspiciousActivity: boolean;
+  riskLevel: "low" | "medium" | "high";
+}
+/**
+ * SBOM (Software Bill of Materials)
+ */
+export interface SBOM {
+  id?: string;
+  projectId: string;
+  version: number;
+  format: "CycloneDX" | "SPDX";
+  specVersion: string;
+  components: SBOMComponent[];
+  generatedAt: Date;
+}
+export interface SBOMComponent {
+  type: "library" | "application" | "framework";
+  name: string;
+  version: string;
+  purl: string; // Package URL
+  licenses?: string[];
+  hashes?: { algorithm: string; value: string }[];
+  dependencies?: string[];
+}
+/**
+ * Supply Chain Attack Detector
+ */
+export class SupplyChainDetector {
+  /**
+   * Detect typosquatting
+   */
+  async detectTyposquatting(packageName: string): Promise<TyposquatResult> {
+    return typosquatDetector.detectTyposquatting(packageName);
+  }
+  /**
+   * Detect dependency confusion
+   */
+  async detectDependencyConfusion(
+    _packageName: string,
+    internalRegistry?: string,
+  ): Promise<{ isDependencyConfusion: boolean; reason: string }> {
+    // Check if package exists in both public and internal registries
+    // This is a simplified implementation
+    if (!internalRegistry) {
+      return {
+        isDependencyConfusion: false,
+        reason: "No internal registry configured",
+      };
+    }
+    // In production, this would check both registries
+    // and compare versions, publish dates, etc.
+    return {
+      isDependencyConfusion: false,
+      reason: "Package only found in public registry",
+    };
+  }
+  /**
+   * Full package analysis
+   */
+  async analyzePackage(
+    packageName: string,
+    version: string,
+    projectId: string,
+  ): Promise<PackageAnalysisResult> {
+    const threats: Threat[] = [];
+    let riskScore = 0;
+    // Check for typosquatting
+    const typosquatResult = await this.detectTyposquatting(packageName);
+    const isTyposquat = typosquatResult.isTyposquat;
+    if (isTyposquat) {
+      threats.push({
+        type: "typosquatting",
+        severity: "high",
+        description: `Possible typosquatting of ${typosquatResult.targetPackage}`,
+      });
+      riskScore += 40;
+    }
+    // Check against malicious database
+    const maliciousCheck = await maliciousPackageDB.checkPackage(
+      packageName,
+      version,
+    );
+    const isMalicious = maliciousCheck.isMalicious;
+    if (isMalicious) {
+      for (const match of maliciousCheck.matches) {
+        threats.push({
+          type: "known_malicious",
+          severity: match.severity,
+          description: match.reason,
+        });
+        riskScore += 50;
+      }
+    }
+    // Analyze scripts
+    const scriptAnalysis = await scriptAnalyzer.analyzeScripts(
+      packageName,
+      version,
+    );
+    for (const analysis of scriptAnalysis) {
+      if (analysis.isSuspicious) {
+        threats.push({
+          type: "suspicious_script",
+          severity: "high",
+          description: `Suspicious script: ${analysis.scriptName}`,
+        });
+        riskScore += analysis.riskScore * 0.5;
+      }
+    }
+    // Save to database
+    await prisma.dependencyAnalysis.create({
+      data: {
+        projectId,
+        packageName,
+        version,
+        registry: "npm",
+        isMalicious,
+        isTyposquat,
+        isDeprecated: false,
+        riskScore: Math.min(100, riskScore),
+        threats: JSON.parse(JSON.stringify(threats)),
+      },
+    });
+    return {
+      packageName,
+      version,
+      registry: "npm",
+      riskScore: Math.min(100, riskScore),
+      threats,
+      isMalicious,
+      isTyposquat,
+      isDeprecated: false,
+      typosquatResult: isTyposquat ? typosquatResult : undefined,
+      scriptAnalysis,
+    };
+  }
+  /**
+   * Generate SBOM (CycloneDX format)
+   */
+  async generateSBOM(projectPath: string, projectId: string): Promise<SBOM> {
+    const components: SBOMComponent[] = [];
+    try {
+      // Read package.json
+      const packageJsonPath = join(projectPath, "package.json");
+      const packageJson = JSON.parse(readFileSync(packageJsonPath, "utf-8"));
+      // Extract dependencies
+      const deps = {
+        ...packageJson.dependencies,
+        ...packageJson.devDependencies,
+      };
+      for (const [name, version] of Object.entries(deps)) {
+        components.push({
+          type: "library",
+          name,
+          version: version as string,
+          purl: `pkg:npm/${name}@${version}`,
+        });
+      }
+    } catch (error) {
+      // Handle error
+    }
+    const sbom: SBOM = {
+      id: `sbom_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`,
+      projectId,
+      version: 1,
+      format: "CycloneDX",
+      specVersion: "1.4",
+      components,
+      generatedAt: new Date(),
+    };
+    // @ts-ignore - SBOM model exists in schema, Prisma client may need regeneration
+    const savedSBOM = await (prisma as any).sBOM.create({
+      data: {
+        id: sbom.id,
+        projectId,
+        version: sbom.version,
+        format: sbom.format,
+        specVersion: sbom.specVersion,
+        components: JSON.parse(JSON.stringify(components)),
+        generatedAt: sbom.generatedAt,
+      },
+    });
+    return {
+      id: savedSBOM.id,
+      projectId: savedSBOM.projectId,
+      version: savedSBOM.version,
+      format: savedSBOM.format as "CycloneDX" | "SPDX",
+      specVersion: savedSBOM.specVersion,
+      components: savedSBOM.components as unknown as SBOMComponent[],
+      generatedAt: savedSBOM.generatedAt,
+    };
+  }
+}
+// Export singleton
+export const supplyChainDetector = new SupplyChainDetector();

package/src/supply-chain/index.ts ADDED Viewed

@@ -0,0 +1,11 @@
+/**
+ * Supply Chain Attack Detection
+ *
+ * Detects typosquatting, malicious packages, and generates SBOMs
+ */
+export * from './detector';
+export * from './typosquat';
+export * from './malicious-db';
+export * from './script-analyzer';
+export * from './vulnerability-db';