npm - guardrail-security - Versions diffs - 1.0.0 - Mend

guardrail-security 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (95) hide show

package/dist/attack-surface/analyzer.d.ts +50 -0
package/dist/attack-surface/analyzer.d.ts.map +1 -0
package/dist/attack-surface/analyzer.js +83 -0
package/dist/attack-surface/index.d.ts +5 -0
package/dist/attack-surface/index.d.ts.map +1 -0
package/dist/attack-surface/index.js +20 -0
package/dist/index.d.ts +15 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +33 -0
package/dist/languages/index.d.ts +21 -0
package/dist/languages/index.d.ts.map +1 -0
package/dist/languages/index.js +78 -0
package/dist/languages/java-analyzer.d.ts +72 -0
package/dist/languages/java-analyzer.d.ts.map +1 -0
package/dist/languages/java-analyzer.js +417 -0
package/dist/languages/python-analyzer.d.ts +70 -0
package/dist/languages/python-analyzer.d.ts.map +1 -0
package/dist/languages/python-analyzer.js +425 -0
package/dist/license/compatibility-matrix.d.ts +28 -0
package/dist/license/compatibility-matrix.d.ts.map +1 -0
package/dist/license/compatibility-matrix.js +323 -0
package/dist/license/engine.d.ts +77 -0
package/dist/license/engine.d.ts.map +1 -0
package/dist/license/engine.js +264 -0
package/dist/license/index.d.ts +6 -0
package/dist/license/index.d.ts.map +1 -0
package/dist/license/index.js +21 -0
package/dist/sbom/generator.d.ts +108 -0
package/dist/sbom/generator.d.ts.map +1 -0
package/dist/sbom/generator.js +271 -0
package/dist/sbom/index.d.ts +5 -0
package/dist/sbom/index.d.ts.map +1 -0
package/dist/sbom/index.js +20 -0
package/dist/secrets/guardian.d.ts +113 -0
package/dist/secrets/guardian.d.ts.map +1 -0
package/dist/secrets/guardian.js +334 -0
package/dist/secrets/index.d.ts +10 -0
package/dist/secrets/index.d.ts.map +1 -0
package/dist/secrets/index.js +30 -0
package/dist/secrets/patterns.d.ts +42 -0
package/dist/secrets/patterns.d.ts.map +1 -0
package/dist/secrets/patterns.js +165 -0
package/dist/secrets/pre-commit.d.ts +39 -0
package/dist/secrets/pre-commit.d.ts.map +1 -0
package/dist/secrets/pre-commit.js +127 -0
package/dist/secrets/vault-integration.d.ts +83 -0
package/dist/secrets/vault-integration.d.ts.map +1 -0
package/dist/secrets/vault-integration.js +295 -0
package/dist/secrets/vault-providers.d.ts +110 -0
package/dist/secrets/vault-providers.d.ts.map +1 -0
package/dist/secrets/vault-providers.js +417 -0
package/dist/supply-chain/detector.d.ts +80 -0
package/dist/supply-chain/detector.d.ts.map +1 -0
package/dist/supply-chain/detector.js +168 -0
package/dist/supply-chain/index.d.ts +11 -0
package/dist/supply-chain/index.d.ts.map +1 -0
package/dist/supply-chain/index.js +26 -0
package/dist/supply-chain/malicious-db.d.ts +41 -0
package/dist/supply-chain/malicious-db.d.ts.map +1 -0
package/dist/supply-chain/malicious-db.js +82 -0
package/dist/supply-chain/script-analyzer.d.ts +54 -0
package/dist/supply-chain/script-analyzer.d.ts.map +1 -0
package/dist/supply-chain/script-analyzer.js +160 -0
package/dist/supply-chain/typosquat.d.ts +58 -0
package/dist/supply-chain/typosquat.d.ts.map +1 -0
package/dist/supply-chain/typosquat.js +257 -0
package/dist/supply-chain/vulnerability-db.d.ts +114 -0
package/dist/supply-chain/vulnerability-db.d.ts.map +1 -0
package/dist/supply-chain/vulnerability-db.js +310 -0
package/package.json +34 -0
package/src/__tests__/license/engine.test.ts +250 -0
package/src/__tests__/supply-chain/typosquat.test.ts +191 -0
package/src/attack-surface/analyzer.ts +152 -0
package/src/attack-surface/index.ts +5 -0
package/src/index.ts +21 -0
package/src/languages/index.ts +91 -0
package/src/languages/java-analyzer.ts +490 -0
package/src/languages/python-analyzer.ts +498 -0
package/src/license/compatibility-matrix.ts +366 -0
package/src/license/engine.ts +345 -0
package/src/license/index.ts +6 -0
package/src/sbom/generator.ts +355 -0
package/src/sbom/index.ts +5 -0
package/src/secrets/guardian.ts +448 -0
package/src/secrets/index.ts +10 -0
package/src/secrets/patterns.ts +186 -0
package/src/secrets/pre-commit.ts +158 -0
package/src/secrets/vault-integration.ts +360 -0
package/src/secrets/vault-providers.ts +446 -0
package/src/supply-chain/detector.ts +252 -0
package/src/supply-chain/index.ts +11 -0
package/src/supply-chain/malicious-db.ts +103 -0
package/src/supply-chain/script-analyzer.ts +194 -0
package/src/supply-chain/typosquat.ts +302 -0
package/src/supply-chain/vulnerability-db.ts +386 -0

package/src/supply-chain/vulnerability-db.ts ADDED Viewed

@@ -0,0 +1,386 @@
+/**
+ * Vulnerability Database Integration
+ *
+ * Integrates with multiple vulnerability databases:
+ * - OSV (Open Source Vulnerabilities)
+ * - GitHub Security Advisories
+ * - NVD (National Vulnerability Database)
+ */
+export interface Vulnerability {
+  id: string;
+  source: 'osv' | 'github' | 'nvd' | 'npm';
+  severity: 'low' | 'medium' | 'high' | 'critical';
+  cvssScore?: number;
+  title: string;
+  description: string;
+  affectedVersions: string[];
+  patchedVersions: string[];
+  references: string[];
+  publishedAt: Date;
+  updatedAt: Date;
+  cwe?: string[];
+}
+export interface VulnerabilityCheckResult {
+  package: string;
+  version: string;
+  vulnerabilities: Vulnerability[];
+  isVulnerable: boolean;
+  highestSeverity: 'none' | 'low' | 'medium' | 'high' | 'critical';
+  recommendedVersion?: string;
+}
+export interface VulnerabilityReport {
+  projectPath: string;
+  scanDate: Date;
+  totalPackages: number;
+  vulnerablePackages: number;
+  results: VulnerabilityCheckResult[];
+  summary: {
+    critical: number;
+    high: number;
+    medium: number;
+    low: number;
+  };
+}
+const vulnerabilityCache = new Map<string, { data: Vulnerability[]; fetchedAt: Date }>();
+const CACHE_TTL_MS = 6 * 60 * 60 * 1000; // 6 hours
+export class VulnerabilityDatabase {
+  private osvApiUrl = 'https://api.osv.dev/v1';
+  private npmAuditUrl = 'https://registry.npmjs.org/-/npm/v1/security/advisories/bulk';
+  // GitHub API available for future enhancement with authentication
+  // private githubApiUrl = 'https://api.github.com/advisories';
+  /**
+   * Check a single package for vulnerabilities
+   */
+  async checkPackage(name: string, version: string): Promise<VulnerabilityCheckResult> {
+    const cacheKey = `${name}@${version}`;
+    const cached = vulnerabilityCache.get(cacheKey);
+    if (cached && (Date.now() - cached.fetchedAt.getTime()) < CACHE_TTL_MS) {
+      return this.buildResult(name, version, cached.data);
+    }
+    const vulnerabilities: Vulnerability[] = [];
+    // Query multiple sources in parallel
+    const [osvVulns, npmVulns] = await Promise.allSettled([
+      this.queryOSV(name, version),
+      this.queryNpmAudit(name, version),
+    ]);
+    if (osvVulns.status === 'fulfilled') {
+      vulnerabilities.push(...osvVulns.value);
+    }
+    if (npmVulns.status === 'fulfilled') {
+      vulnerabilities.push(...npmVulns.value);
+    }
+    // Deduplicate by ID
+    const uniqueVulns = this.deduplicateVulnerabilities(vulnerabilities);
+    // Cache the result
+    vulnerabilityCache.set(cacheKey, {
+      data: uniqueVulns,
+      fetchedAt: new Date(),
+    });
+    return this.buildResult(name, version, uniqueVulns);
+  }
+  /**
+   * Check multiple packages in bulk
+   */
+  async checkPackages(packages: { name: string; version: string }[]): Promise<VulnerabilityCheckResult[]> {
+    const batchSize = 20;
+    const results: VulnerabilityCheckResult[] = [];
+    for (let i = 0; i < packages.length; i += batchSize) {
+      const batch = packages.slice(i, i + batchSize);
+      const batchResults = await Promise.all(
+        batch.map(pkg => this.checkPackage(pkg.name, pkg.version))
+      );
+      results.push(...batchResults);
+    }
+    return results;
+  }
+  /**
+   * Query OSV (Open Source Vulnerabilities) API
+   */
+  private async queryOSV(packageName: string, version: string): Promise<Vulnerability[]> {
+    try {
+      const response = await fetch(`${this.osvApiUrl}/query`, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({
+          package: {
+            name: packageName,
+            ecosystem: 'npm',
+          },
+          version: version,
+        }),
+        signal: AbortSignal.timeout(10000),
+      });
+      if (!response.ok) {
+        return [];
+      }
+      const data = await response.json();
+      return this.parseOSVResponse(data);
+    } catch (error) {
+      console.error(`OSV query failed for ${packageName}@${version}:`, error);
+      return [];
+    }
+  }
+  /**
+   * Parse OSV API response
+   */
+  private parseOSVResponse(data: any): Vulnerability[] {
+    if (!data.vulns || !Array.isArray(data.vulns)) {
+      return [];
+    }
+    return data.vulns.map((vuln: any) => ({
+      id: vuln.id,
+      source: 'osv' as const,
+      severity: this.mapOSVSeverity(vuln.severity),
+      cvssScore: vuln.severity?.[0]?.score,
+      title: vuln.summary || vuln.id,
+      description: vuln.details || '',
+      affectedVersions: this.extractAffectedVersions(vuln.affected),
+      patchedVersions: this.extractPatchedVersions(vuln.affected),
+      references: (vuln.references || []).map((r: any) => r.url),
+      publishedAt: new Date(vuln.published || Date.now()),
+      updatedAt: new Date(vuln.modified || Date.now()),
+      cwe: vuln.database_specific?.cwe_ids || [],
+    }));
+  }
+  /**
+   * Query npm audit API
+   */
+  private async queryNpmAudit(packageName: string, version: string): Promise<Vulnerability[]> {
+    try {
+      const response = await fetch(this.npmAuditUrl, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({
+          [packageName]: [version],
+        }),
+        signal: AbortSignal.timeout(10000),
+      });
+      if (!response.ok) {
+        return [];
+      }
+      const data = await response.json();
+      return this.parseNpmAuditResponse(data, packageName);
+    } catch (error) {
+      console.error(`npm audit query failed for ${packageName}@${version}:`, error);
+      return [];
+    }
+  }
+  /**
+   * Parse npm audit response
+   */
+  private parseNpmAuditResponse(data: any, packageName: string): Vulnerability[] {
+    const advisories = data[packageName] || [];
+    return advisories.map((advisory: any) => ({
+      id: `npm-${advisory.id || advisory.github_advisory_id}`,
+      source: 'npm' as const,
+      severity: advisory.severity || 'medium',
+      cvssScore: advisory.cvss?.score,
+      title: advisory.title || 'Security Advisory',
+      description: advisory.overview || advisory.recommendation || '',
+      affectedVersions: [advisory.vulnerable_versions || '*'],
+      patchedVersions: [advisory.patched_versions || 'No patch available'],
+      references: [advisory.url].filter(Boolean),
+      publishedAt: new Date(advisory.created || Date.now()),
+      updatedAt: new Date(advisory.updated || Date.now()),
+      cwe: advisory.cwe ? [advisory.cwe] : [],
+    }));
+  }
+  /**
+   * Map OSV severity to standard levels
+   */
+  private mapOSVSeverity(severity: any): 'low' | 'medium' | 'high' | 'critical' {
+    if (!severity || !Array.isArray(severity) || severity.length === 0) {
+      return 'medium';
+    }
+    const score = severity[0]?.score || 0;
+    if (score >= 9.0) return 'critical';
+    if (score >= 7.0) return 'high';
+    if (score >= 4.0) return 'medium';
+    return 'low';
+  }
+  /**
+   * Extract affected versions from OSV format
+   */
+  private extractAffectedVersions(affected: any[]): string[] {
+    if (!affected || !Array.isArray(affected)) {
+      return ['*'];
+    }
+    const versions: string[] = [];
+    for (const aff of affected) {
+      if (aff.versions) {
+        versions.push(...aff.versions);
+      }
+      if (aff.ranges) {
+        for (const range of aff.ranges) {
+          if (range.events) {
+            const introduced = range.events.find((e: any) => e.introduced);
+            const fixed = range.events.find((e: any) => e.fixed);
+            if (introduced) {
+              versions.push(`>=${introduced.introduced}${fixed ? ` <${fixed.fixed}` : ''}`);
+            }
+          }
+        }
+      }
+    }
+    return versions.length > 0 ? versions : ['*'];
+  }
+  /**
+   * Extract patched versions from OSV format
+   */
+  private extractPatchedVersions(affected: any[]): string[] {
+    if (!affected || !Array.isArray(affected)) {
+      return [];
+    }
+    const versions: string[] = [];
+    for (const aff of affected) {
+      if (aff.ranges) {
+        for (const range of aff.ranges) {
+          if (range.events) {
+            const fixed = range.events.find((e: any) => e.fixed);
+            if (fixed) {
+              versions.push(fixed.fixed);
+            }
+          }
+        }
+      }
+    }
+    return versions;
+  }
+  /**
+   * Deduplicate vulnerabilities by ID
+   */
+  private deduplicateVulnerabilities(vulns: Vulnerability[]): Vulnerability[] {
+    const seen = new Set<string>();
+    return vulns.filter(vuln => {
+      if (seen.has(vuln.id)) {
+        return false;
+      }
+      seen.add(vuln.id);
+      return true;
+    });
+  }
+  /**
+   * Build result object
+   */
+  private buildResult(name: string, version: string, vulnerabilities: Vulnerability[]): VulnerabilityCheckResult {
+    const severityOrder = { critical: 4, high: 3, medium: 2, low: 1, none: 0 };
+    let highestSeverity: 'none' | 'low' | 'medium' | 'high' | 'critical' = 'none';
+    for (const vuln of vulnerabilities) {
+      if (severityOrder[vuln.severity] > severityOrder[highestSeverity]) {
+        highestSeverity = vuln.severity;
+      }
+    }
+    // Find recommended version from patches
+    const patchedVersions = vulnerabilities.flatMap(v => v.patchedVersions).filter(Boolean);
+    const recommendedVersion = patchedVersions.length > 0 ? patchedVersions[0] : undefined;
+    return {
+      package: name,
+      version,
+      vulnerabilities,
+      isVulnerable: vulnerabilities.length > 0,
+      highestSeverity,
+      recommendedVersion,
+    };
+  }
+  /**
+   * Generate a full vulnerability report for a project
+   */
+  async generateReport(projectPath: string, packages: { name: string; version: string }[]): Promise<VulnerabilityReport> {
+    const results = await this.checkPackages(packages);
+    const summary = {
+      critical: 0,
+      high: 0,
+      medium: 0,
+      low: 0,
+    };
+    for (const result of results) {
+      for (const vuln of result.vulnerabilities) {
+        summary[vuln.severity]++;
+      }
+    }
+    const vulnerablePackages = results.filter(r => r.isVulnerable).length;
+    return {
+      projectPath,
+      scanDate: new Date(),
+      totalPackages: packages.length,
+      vulnerablePackages,
+      results,
+      summary,
+    };
+  }
+  /**
+   * Clear vulnerability cache
+   */
+  clearCache(): void {
+    vulnerabilityCache.clear();
+  }
+  /**
+   * Get cache statistics
+   */
+  getCacheStats(): { size: number; oldestEntry: Date | null } {
+    let oldest: Date | null = null;
+    for (const entry of vulnerabilityCache.values()) {
+      if (!oldest || entry.fetchedAt < oldest) {
+        oldest = entry.fetchedAt;
+      }
+    }
+    return {
+      size: vulnerabilityCache.size,
+      oldestEntry: oldest,
+    };
+  }
+}
+// Export singleton
+export const vulnerabilityDatabase = new VulnerabilityDatabase();