guardrail-security 1.0.0

package/dist/languages/java-analyzer.js

@@ -0,0 +1,417 @@
+"use strict";
+/**
+ * Java Language Analyzer
+ *
+ * Security analysis for Java projects including:
+ * - Maven pom.xml / Gradle build.gradle parsing
+ * - Import analysis for detecting dangerous classes
+ * - Secret detection patterns specific to Java
+ * - Common vulnerability patterns (SQL injection, XXE, deserialization, etc.)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.javaAnalyzer = exports.JavaAnalyzer = void 0;
+const fs_1 = require("fs");
+const path_1 = require("path");
+// Dangerous Java imports
+const DANGEROUS_IMPORTS = [
+    {
+        pkg: "java.io.ObjectInputStream",
+        reason: "Unsafe deserialization",
+        severity: "critical",
+        cwe: "CWE-502",
+    },
+    {
+        pkg: "java.lang.Runtime",
+        reason: "Command execution",
+        severity: "high",
+        cwe: "CWE-78",
+    },
+    {
+        pkg: "java.lang.ProcessBuilder",
+        reason: "Command execution",
+        severity: "high",
+        cwe: "CWE-78",
+    },
+    {
+        pkg: "javax.xml.parsers",
+        reason: "Potential XXE vulnerability",
+        severity: "medium",
+        cwe: "CWE-611",
+    },
+    {
+        pkg: "org.xml.sax",
+        reason: "Potential XXE vulnerability",
+        severity: "medium",
+        cwe: "CWE-611",
+    },
+    {
+        pkg: "java.security.MessageDigest",
+        reason: "Verify secure algorithm usage",
+        severity: "low",
+        cwe: "CWE-327",
+    },
+];
+// Java-specific secret patterns
+const JAVA_SECRET_PATTERNS = [
+    { pattern: /(?:apiKey|API_KEY)\s*=\s*"[^"]{10,}"/g, type: "API Key" },
+    {
+        pattern: /(?:password|PASSWORD|passwd)\s*=\s*"[^"]{6,}"/g,
+        type: "Password",
+    },
+    { pattern: /(?:secret|SECRET|secretKey)\s*=\s*"[^"]{10,}"/g, type: "Secret" },
+    { pattern: /(?:token|TOKEN|accessToken)\s*=\s*"[^"]{10,}"/g, type: "Token" },
+    {
+        pattern: /(?:jdbc|JDBC):[^"]+password=[^"]+/g,
+        type: "JDBC Connection String",
+    },
+    { pattern: /aws\.accessKeyId\s*=\s*"[^"]+"/g, type: "AWS Access Key" },
+    { pattern: /aws\.secretKey\s*=\s*"[^"]+"/g, type: "AWS Secret Key" },
+];
+// Vulnerability code patterns
+const VULNERABILITY_PATTERNS = [
+    {
+        pattern: /Statement\s+\w+\s*=.*createStatement\(\)/g,
+        type: "SQL Injection",
+        message: "Using Statement instead of PreparedStatement",
+        severity: "critical",
+        cwe: "CWE-89",
+    },
+    {
+        pattern: /executeQuery\s*\(\s*"[^"]*"\s*\+/g,
+        type: "SQL Injection",
+        message: "String concatenation in SQL query",
+        severity: "critical",
+        cwe: "CWE-89",
+    },
+    {
+        pattern: /Runtime\.getRuntime\(\)\.exec\s*\(/g,
+        type: "Command Injection",
+        message: "Runtime.exec() can be vulnerable to command injection",
+        severity: "high",
+        cwe: "CWE-78",
+    },
+    {
+        pattern: /new\s+ObjectInputStream\s*\(/g,
+        type: "Unsafe Deserialization",
+        message: "ObjectInputStream can deserialize malicious objects",
+        severity: "critical",
+        cwe: "CWE-502",
+    },
+    {
+        pattern: /DocumentBuilderFactory\.newInstance\(\)/g,
+        type: "XXE Vulnerability",
+        message: "XML parser may be vulnerable to XXE - disable external entities",
+        severity: "high",
+        cwe: "CWE-611",
+    },
+    {
+        pattern: /SAXParserFactory\.newInstance\(\)/g,
+        type: "XXE Vulnerability",
+        message: "SAX parser may be vulnerable to XXE - disable external entities",
+        severity: "high",
+        cwe: "CWE-611",
+    },
+    {
+        pattern: /MessageDigest\.getInstance\s*\(\s*"MD5"\s*\)/g,
+        type: "Weak Cryptography",
+        message: "MD5 is cryptographically broken",
+        severity: "medium",
+        cwe: "CWE-327",
+    },
+    {
+        pattern: /MessageDigest\.getInstance\s*\(\s*"SHA-?1"\s*\)/g,
+        type: "Weak Cryptography",
+        message: "SHA-1 is deprecated for security use",
+        severity: "medium",
+        cwe: "CWE-327",
+    },
+    {
+        pattern: /new\s+Random\s*\(\)/g,
+        type: "Weak Random",
+        message: "java.util.Random is not cryptographically secure",
+        severity: "medium",
+        cwe: "CWE-330",
+    },
+    {
+        pattern: /setAllowFileAccess\s*\(\s*true\s*\)/g,
+        type: "WebView File Access",
+        message: "WebView file access enabled",
+        severity: "high",
+        cwe: "CWE-200",
+    },
+    {
+        pattern: /TrustManager\s*\[\s*\]\s*\{[^}]*checkServerTrusted[^}]*\{\s*\}/g,
+        type: "SSL/TLS Bypass",
+        message: "Empty TrustManager bypasses SSL verification",
+        severity: "critical",
+        cwe: "CWE-295",
+    },
+];
+class JavaAnalyzer {
+    /**
+     * Analyze a Java project
+     */
+    async analyze(projectPath) {
+        const buildTool = this.detectBuildTool(projectPath);
+        const dependencies = await this.extractDependencies(projectPath, buildTool);
+        const securityIssues = [];
+        // Scan Java files for security issues
+        const javaFiles = this.findJavaFiles(projectPath);
+        for (const file of javaFiles) {
+            const issues = this.scanFile(file);
+            securityIssues.push(...issues);
+        }
+        // Get Java version if available
+        const javaVersion = this.detectJavaVersion(projectPath);
+        // Calculate summary
+        const issuesBySeverity = {
+            critical: 0,
+            high: 0,
+            medium: 0,
+            low: 0,
+        };
+        for (const issue of securityIssues) {
+            const severity = issue.severity;
+            if (issuesBySeverity[severity] !== undefined) {
+                issuesBySeverity[severity]++;
+            }
+        }
+        return {
+            projectPath,
+            javaVersion,
+            buildTool,
+            dependencies,
+            securityIssues,
+            summary: {
+                totalDependencies: dependencies.length,
+                issuesBySeverity,
+            },
+        };
+    }
+    /**
+     * Detect build tool
+     */
+    detectBuildTool(projectPath) {
+        if ((0, fs_1.existsSync)((0, path_1.join)(projectPath, "pom.xml"))) {
+            return "maven";
+        }
+        if ((0, fs_1.existsSync)((0, path_1.join)(projectPath, "build.gradle")) ||
+            (0, fs_1.existsSync)((0, path_1.join)(projectPath, "build.gradle.kts"))) {
+            return "gradle";
+        }
+        return "unknown";
+    }
+    /**
+     * Extract dependencies
+     */
+    async extractDependencies(projectPath, buildTool) {
+        if (buildTool === "maven") {
+            return this.parseMavenPom(projectPath);
+        }
+        if (buildTool === "gradle") {
+            return this.parseGradleBuild(projectPath);
+        }
+        return [];
+    }
+    /**
+     * Parse Maven pom.xml
+     */
+    parseMavenPom(projectPath) {
+        const dependencies = [];
+        const pomPath = (0, path_1.join)(projectPath, "pom.xml");
+        if (!(0, fs_1.existsSync)(pomPath)) {
+            return dependencies;
+        }
+        try {
+            const content = (0, fs_1.readFileSync)(pomPath, "utf-8");
+            // Simple regex parsing for dependencies
+            const depRegex = /<dependency>\s*<groupId>([^<]+)<\/groupId>\s*<artifactId>([^<]+)<\/artifactId>\s*(?:<version>([^<]+)<\/version>)?/g;
+            let match;
+            while ((match = depRegex.exec(content)) !== null) {
+                dependencies.push({
+                    groupId: match[1] || "",
+                    artifactId: match[2] || "",
+                    version: match[3] || "managed",
+                    source: "maven",
+                });
+            }
+        }
+        catch {
+            // Skip if can't parse
+        }
+        return dependencies;
+    }
+    /**
+     * Parse Gradle build file
+     */
+    parseGradleBuild(projectPath) {
+        const dependencies = [];
+        const gradlePath = (0, path_1.join)(projectPath, "build.gradle");
+        const gradleKtsPath = (0, path_1.join)(projectPath, "build.gradle.kts");
+        const buildFile = (0, fs_1.existsSync)(gradlePath)
+            ? gradlePath
+            : (0, fs_1.existsSync)(gradleKtsPath)
+                ? gradleKtsPath
+                : null;
+        if (!buildFile) {
+            return dependencies;
+        }
+        try {
+            const content = (0, fs_1.readFileSync)(buildFile, "utf-8");
+            // Match implementation 'group:artifact:version' or implementation("group:artifact:version")
+            const depRegex = /(?:implementation|compile|api|testImplementation)\s*[("']([^:]+):([^:]+):([^)"']+)/g;
+            let match;
+            while ((match = depRegex.exec(content)) !== null) {
+                dependencies.push({
+                    groupId: match[1] || "",
+                    artifactId: match[2] || "",
+                    version: match[3] || "latest",
+                    source: "gradle",
+                });
+            }
+        }
+        catch {
+            // Skip if can't parse
+        }
+        return dependencies;
+    }
+    /**
+     * Find all Java files
+     */
+    findJavaFiles(projectPath) {
+        const files = [];
+        const walkDir = (dir) => {
+            try {
+                const entries = (0, fs_1.readdirSync)(dir);
+                for (const entry of entries) {
+                    const fullPath = (0, path_1.join)(dir, entry);
+                    // Skip common non-source directories
+                    if ([
+                        "node_modules",
+                        ".git",
+                        "target",
+                        "build",
+                        ".gradle",
+                        ".idea",
+                    ].includes(entry)) {
+                        continue;
+                    }
+                    try {
+                        const stat = (0, fs_1.statSync)(fullPath);
+                        if (stat.isDirectory()) {
+                            walkDir(fullPath);
+                        }
+                        else if (entry.endsWith(".java")) {
+                            files.push(fullPath);
+                        }
+                    }
+                    catch {
+                        // Skip files we can't access
+                    }
+                }
+            }
+            catch {
+                // Skip directories we can't access
+            }
+        };
+        walkDir(projectPath);
+        return files;
+    }
+    /**
+     * Scan a Java file for security issues
+     */
+    scanFile(filePath) {
+        const issues = [];
+        try {
+            const content = (0, fs_1.readFileSync)(filePath, "utf-8");
+            const lines = content.split("\n");
+            // Check for dangerous imports
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                if (!line)
+                    continue;
+                for (const dangerous of DANGEROUS_IMPORTS) {
+                    if (line.includes(`import ${dangerous.pkg}`) ||
+                        line.includes(dangerous.pkg)) {
+                        issues.push({
+                            type: "dangerous_import",
+                            severity: dangerous.severity,
+                            file: filePath,
+                            line: i + 1,
+                            message: `Dangerous import: ${dangerous.pkg} - ${dangerous.reason}`,
+                            recommendation: `Review usage of ${dangerous.pkg}`,
+                            cwe: dangerous.cwe,
+                        });
+                    }
+                }
+            }
+            // Check for secrets
+            for (const secretPattern of JAVA_SECRET_PATTERNS) {
+                const matches = content.matchAll(secretPattern.pattern);
+                for (const match of matches) {
+                    const lineNum = content.substring(0, match.index).split("\n").length;
+                    issues.push({
+                        type: "secret",
+                        severity: "critical",
+                        file: filePath,
+                        line: lineNum,
+                        message: `Potential ${secretPattern.type} detected`,
+                        recommendation: "Move secrets to environment variables or secure vault",
+                    });
+                }
+            }
+            // Check for vulnerability patterns
+            for (const vulnPattern of VULNERABILITY_PATTERNS) {
+                const matches = content.matchAll(vulnPattern.pattern);
+                for (const match of matches) {
+                    const lineNum = content.substring(0, match.index).split("\n").length;
+                    issues.push({
+                        type: "code_pattern",
+                        severity: vulnPattern.severity,
+                        file: filePath,
+                        line: lineNum,
+                        message: `${vulnPattern.type}: ${vulnPattern.message}`,
+                        recommendation: `Fix the ${vulnPattern.type.toLowerCase()} vulnerability`,
+                        cwe: vulnPattern.cwe,
+                    });
+                }
+            }
+        }
+        catch {
+            // Skip files we can't read
+        }
+        return issues;
+    }
+    /**
+     * Detect Java version
+     */
+    detectJavaVersion(projectPath) {
+        // Check pom.xml for java version
+        const pomPath = (0, path_1.join)(projectPath, "pom.xml");
+        if ((0, fs_1.existsSync)(pomPath)) {
+            try {
+                const content = (0, fs_1.readFileSync)(pomPath, "utf-8");
+                const match = content.match(/<java\.version>([^<]+)<\/java\.version>/);
+                if (match && match[1]) {
+                    return match[1];
+                }
+                const sourceMatch = content.match(/<maven\.compiler\.source>([^<]+)<\/maven\.compiler\.source>/);
+                if (sourceMatch && sourceMatch[1]) {
+                    return sourceMatch[1];
+                }
+            }
+            catch {
+                // Skip
+            }
+        }
+        // Check .java-version file
+        const javaVersionPath = (0, path_1.join)(projectPath, ".java-version");
+        if ((0, fs_1.existsSync)(javaVersionPath)) {
+            return (0, fs_1.readFileSync)(javaVersionPath, "utf-8").trim();
+        }
+        return undefined;
+    }
+}
+exports.JavaAnalyzer = JavaAnalyzer;
+// Export singleton
+exports.javaAnalyzer = new JavaAnalyzer();

package/dist/languages/python-analyzer.d.ts

@@ -0,0 +1,70 @@
+/**
+ * Python Language Analyzer
+ *
+ * Security analysis for Python projects including:
+ * - requirements.txt / Pipfile / pyproject.toml parsing
+ * - Import analysis for detecting dangerous modules
+ * - Secret detection patterns specific to Python
+ * - Common vulnerability patterns (SQL injection, command injection, etc.)
+ */
+export interface PythonDependency {
+    name: string;
+    version: string;
+    source: "requirements" | "pipfile" | "pyproject" | "setup";
+    extras?: string[];
+}
+export interface PythonSecurityIssue {
+    type: "vulnerability" | "secret" | "dangerous_import" | "code_pattern";
+    severity: "low" | "medium" | "high" | "critical";
+    file: string;
+    line?: number;
+    message: string;
+    recommendation: string;
+}
+export interface PythonAnalysisResult {
+    projectPath: string;
+    pythonVersion?: string;
+    dependencies: PythonDependency[];
+    securityIssues: PythonSecurityIssue[];
+    summary: {
+        totalDependencies: number;
+        directDependencies: number;
+        issuesBySeverity: Record<string, number>;
+    };
+}
+export declare class PythonAnalyzer {
+    /**
+     * Analyze a Python project
+     */
+    analyze(projectPath: string): Promise<PythonAnalysisResult>;
+    /**
+     * Extract dependencies from various Python dependency files
+     */
+    private extractDependencies;
+    /**
+     * Parse requirements.txt format
+     */
+    private parseRequirementsTxt;
+    /**
+     * Parse pyproject.toml dependencies
+     */
+    private parsePyprojectToml;
+    /**
+     * Parse Pipfile dependencies
+     */
+    private parsePipfile;
+    /**
+     * Find all Python files in project
+     */
+    private findPythonFiles;
+    /**
+     * Scan a Python file for security issues
+     */
+    private scanFile;
+    /**
+     * Detect Python version from project
+     */
+    private detectPythonVersion;
+}
+export declare const pythonAnalyzer: PythonAnalyzer;
+//# sourceMappingURL=python-analyzer.d.ts.map

package/dist/languages/python-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"python-analyzer.d.ts","sourceRoot":"","sources":["../../src/languages/python-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,cAAc,GAAG,SAAS,GAAG,WAAW,GAAG,OAAO,CAAC;IAC3D,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,eAAe,GAAG,QAAQ,GAAG,kBAAkB,GAAG,cAAc,CAAC;IACvE,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IACjD,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,oBAAoB;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,YAAY,EAAE,gBAAgB,EAAE,CAAC;IACjC,cAAc,EAAE,mBAAmB,EAAE,CAAC;IACtC,OAAO,EAAE;QACP,iBAAiB,EAAE,MAAM,CAAC;QAC1B,kBAAkB,EAAE,MAAM,CAAC;QAC3B,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAC1C,CAAC;CACH;AA0ID,qBAAa,cAAc;IACzB;;OAEG;IACG,OAAO,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAyCjE;;OAEG;YACW,mBAAmB;IA6BjC;;OAEG;IACH,OAAO,CAAC,oBAAoB;IA0B5B;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA6B1B;;OAEG;IACH,OAAO,CAAC,YAAY;IAsBpB;;OAEG;YACW,eAAe;IA+C7B;;OAEG;YACW,QAAQ;IAqEtB;;OAEG;IACH,OAAO,CAAC,mBAAmB;CA6B5B;AAGD,eAAO,MAAM,cAAc,gBAAuB,CAAC"}