guardrail-security 1.0.0

package/dist/languages/python-analyzer.js

@@ -0,0 +1,425 @@
+"use strict";
+/**
+ * Python Language Analyzer
+ *
+ * Security analysis for Python projects including:
+ * - requirements.txt / Pipfile / pyproject.toml parsing
+ * - Import analysis for detecting dangerous modules
+ * - Secret detection patterns specific to Python
+ * - Common vulnerability patterns (SQL injection, command injection, etc.)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.pythonAnalyzer = exports.PythonAnalyzer = void 0;
+const fs_1 = require("fs");
+const path_1 = require("path");
+// Dangerous Python imports that may indicate security issues
+const DANGEROUS_IMPORTS = [
+    {
+        module: "pickle",
+        reason: "Arbitrary code execution via deserialization",
+        severity: "high",
+    },
+    {
+        module: "marshal",
+        reason: "Unsafe deserialization",
+        severity: "high",
+    },
+    {
+        module: "shelve",
+        reason: "Uses pickle internally",
+        severity: "medium",
+    },
+    {
+        module: "subprocess",
+        reason: "Command execution - ensure proper sanitization",
+        severity: "medium",
+    },
+    {
+        module: "os.system",
+        reason: "Command execution - prefer subprocess",
+        severity: "high",
+    },
+    {
+        module: "eval",
+        reason: "Arbitrary code execution",
+        severity: "critical",
+    },
+    {
+        module: "exec",
+        reason: "Arbitrary code execution",
+        severity: "critical",
+    },
+    {
+        module: "compile",
+        reason: "Dynamic code compilation",
+        severity: "medium",
+    },
+    {
+        module: "__import__",
+        reason: "Dynamic import - potential for injection",
+        severity: "medium",
+    },
+];
+// Python-specific secret patterns
+const PYTHON_SECRET_PATTERNS = [
+    { pattern: /(?:api_key|apikey)\s*=\s*['"][^'"]{10,}['"]/gi, type: "API Key" },
+    {
+        pattern: /(?:secret|password|passwd|pwd)\s*=\s*['"][^'"]{6,}['"]/gi,
+        type: "Password/Secret",
+    },
+    {
+        pattern: /(?:token|auth_token|access_token)\s*=\s*['"][^'"]{10,}['"]/gi,
+        type: "Token",
+    },
+    {
+        pattern: /AWS_(?:ACCESS_KEY_ID|SECRET_ACCESS_KEY)\s*=\s*['"][^'"]+['"]/gi,
+        type: "AWS Credential",
+    },
+    {
+        pattern: /(?:private_key|ssh_key)\s*=\s*['"]-----BEGIN/gi,
+        type: "Private Key",
+    },
+    {
+        pattern: /mongodb(?:\+srv)?:\/\/[^:]+:[^@]+@/gi,
+        type: "MongoDB Connection String",
+    },
+    {
+        pattern: /postgres(?:ql)?:\/\/[^:]+:[^@]+@/gi,
+        type: "PostgreSQL Connection String",
+    },
+];
+// Vulnerability code patterns
+const VULNERABILITY_PATTERNS = [
+    {
+        pattern: /cursor\.execute\s*\(\s*['"f].*\{.*\}/g,
+        type: "SQL Injection",
+        message: "String formatting in SQL query - use parameterized queries",
+        severity: "critical",
+    },
+    {
+        pattern: /cursor\.execute\s*\(\s*.*%\s*\(/g,
+        type: "SQL Injection",
+        message: "String interpolation in SQL query - use parameterized queries",
+        severity: "critical",
+    },
+    {
+        pattern: /subprocess\.(?:call|run|Popen)\s*\(\s*['"f].*\{/g,
+        type: "Command Injection",
+        message: "String formatting in shell command - use list arguments",
+        severity: "critical",
+    },
+    {
+        pattern: /os\.system\s*\(/g,
+        type: "Command Injection",
+        message: "os.system is vulnerable to shell injection - use subprocess",
+        severity: "high",
+    },
+    {
+        pattern: /yaml\.load\s*\([^)]*\)/g,
+        type: "Unsafe Deserialization",
+        message: "yaml.load is unsafe - use yaml.safe_load instead",
+        severity: "high",
+    },
+    {
+        pattern: /pickle\.loads?\s*\(/g,
+        type: "Unsafe Deserialization",
+        message: "Pickle is unsafe with untrusted data",
+        severity: "high",
+    },
+    {
+        pattern: /render_template_string\s*\(/g,
+        type: "Server-Side Template Injection",
+        message: "render_template_string with user input is dangerous",
+        severity: "critical",
+    },
+    {
+        pattern: /DEBUG\s*=\s*True/g,
+        type: "Debug Mode",
+        message: "Debug mode enabled - disable in production",
+        severity: "medium",
+    },
+    {
+        pattern: /verify\s*=\s*False/g,
+        type: "SSL Verification Disabled",
+        message: "SSL verification disabled - vulnerable to MITM attacks",
+        severity: "high",
+    },
+];
+class PythonAnalyzer {
+    /**
+     * Analyze a Python project
+     */
+    async analyze(projectPath) {
+        const dependencies = await this.extractDependencies(projectPath);
+        const securityIssues = [];
+        // Scan Python files for security issues
+        const pythonFiles = await this.findPythonFiles(projectPath);
+        for (const file of pythonFiles) {
+            const issues = await this.scanFile(file);
+            securityIssues.push(...issues);
+        }
+        // Get Python version if available
+        const pythonVersion = this.detectPythonVersion(projectPath);
+        // Calculate summary
+        const issuesBySeverity = {
+            critical: 0,
+            high: 0,
+            medium: 0,
+            low: 0,
+        };
+        for (const issue of securityIssues) {
+            const severity = issue.severity;
+            if (issuesBySeverity[severity] !== undefined) {
+                issuesBySeverity[severity]++;
+            }
+        }
+        return {
+            projectPath,
+            pythonVersion,
+            dependencies,
+            securityIssues,
+            summary: {
+                totalDependencies: dependencies.length,
+                directDependencies: dependencies.length,
+                issuesBySeverity,
+            },
+        };
+    }
+    /**
+     * Extract dependencies from various Python dependency files
+     */
+    async extractDependencies(projectPath) {
+        const dependencies = [];
+        // Check requirements.txt
+        const requirementsPath = (0, path_1.join)(projectPath, "requirements.txt");
+        if ((0, fs_1.existsSync)(requirementsPath)) {
+            const content = (0, fs_1.readFileSync)(requirementsPath, "utf-8");
+            dependencies.push(...this.parseRequirementsTxt(content));
+        }
+        // Check pyproject.toml
+        const pyprojectPath = (0, path_1.join)(projectPath, "pyproject.toml");
+        if ((0, fs_1.existsSync)(pyprojectPath)) {
+            const content = (0, fs_1.readFileSync)(pyprojectPath, "utf-8");
+            dependencies.push(...this.parsePyprojectToml(content));
+        }
+        // Check Pipfile
+        const pipfilePath = (0, path_1.join)(projectPath, "Pipfile");
+        if ((0, fs_1.existsSync)(pipfilePath)) {
+            const content = (0, fs_1.readFileSync)(pipfilePath, "utf-8");
+            dependencies.push(...this.parsePipfile(content));
+        }
+        return dependencies;
+    }
+    /**
+     * Parse requirements.txt format
+     */
+    parseRequirementsTxt(content) {
+        const dependencies = [];
+        const lines = content.split("\n");
+        for (const line of lines) {
+            const trimmed = line.trim();
+            if (!trimmed || trimmed.startsWith("#") || trimmed.startsWith("-")) {
+                continue;
+            }
+            // Match package==version or package>=version etc.
+            const match = trimmed.match(/^([a-zA-Z0-9_-]+)\s*([=<>!~]+)?\s*([\d.]+)?/);
+            if (match && match[1]) {
+                dependencies.push({
+                    name: match[1],
+                    version: match[3] ?? "*",
+                    source: "requirements",
+                });
+            }
+        }
+        return dependencies;
+    }
+    /**
+     * Parse pyproject.toml dependencies
+     */
+    parsePyprojectToml(content) {
+        const dependencies = [];
+        // Simple regex parsing for dependencies section
+        const depsMatch = content.match(/\[project\.dependencies\]([\s\S]*?)(?:\[|$)/);
+        if (depsMatch && depsMatch[1]) {
+            const lines = depsMatch[1].split("\n");
+            for (const line of lines) {
+                const match = line.match(/^\s*"([^"]+)"/);
+                if (match && match[1]) {
+                    const depSpec = match[1];
+                    const nameMatch = depSpec.match(/^([a-zA-Z0-9_-]+)/);
+                    const versionMatch = depSpec.match(/[=<>!~]+([\d.]+)/);
+                    if (nameMatch && nameMatch[1]) {
+                        dependencies.push({
+                            name: nameMatch[1],
+                            version: versionMatch?.[1] ?? "*",
+                            source: "pyproject",
+                        });
+                    }
+                }
+            }
+        }
+        return dependencies;
+    }
+    /**
+     * Parse Pipfile dependencies
+     */
+    parsePipfile(content) {
+        const dependencies = [];
+        // Match [packages] section
+        const packagesMatch = content.match(/\[packages\]([\s\S]*?)(?:\[|$)/);
+        if (packagesMatch && packagesMatch[1]) {
+            const lines = packagesMatch[1].split("\n");
+            for (const line of lines) {
+                const match = line.match(/^([a-zA-Z0-9_-]+)\s*=\s*"?([^"\n]+)"?/);
+                if (match && match[1] && match[2]) {
+                    dependencies.push({
+                        name: match[1],
+                        version: match[2] === "*" ? "*" : match[2],
+                        source: "pipfile",
+                    });
+                }
+            }
+        }
+        return dependencies;
+    }
+    /**
+     * Find all Python files in project
+     */
+    async findPythonFiles(projectPath) {
+        const files = [];
+        // Simple recursive file finder
+        const walkDir = (dir) => {
+            try {
+                const { readdirSync, statSync } = require("fs");
+                const entries = readdirSync(dir);
+                for (const entry of entries) {
+                    const fullPath = (0, path_1.join)(dir, entry);
+                    // Skip common non-source directories
+                    if ([
+                        "node_modules",
+                        ".git",
+                        "__pycache__",
+                        ".venv",
+                        "venv",
+                        "env",
+                        ".tox",
+                    ].includes(entry)) {
+                        continue;
+                    }
+                    try {
+                        const stat = statSync(fullPath);
+                        if (stat.isDirectory()) {
+                            walkDir(fullPath);
+                        }
+                        else if (entry.endsWith(".py")) {
+                            files.push(fullPath);
+                        }
+                    }
+                    catch {
+                        // Skip files we can't access
+                    }
+                }
+            }
+            catch {
+                // Skip directories we can't access
+            }
+        };
+        walkDir(projectPath);
+        return files;
+    }
+    /**
+     * Scan a Python file for security issues
+     */
+    async scanFile(filePath) {
+        const issues = [];
+        try {
+            const content = (0, fs_1.readFileSync)(filePath, "utf-8");
+            const lines = content.split("\n");
+            // Check for dangerous imports
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                for (const dangerous of DANGEROUS_IMPORTS) {
+                    if (line &&
+                        (line.includes(`import ${dangerous.module}`) ||
+                            line.includes(`from ${dangerous.module}`) ||
+                            line.includes(dangerous.module))) {
+                        issues.push({
+                            type: "dangerous_import",
+                            severity: dangerous.severity,
+                            file: filePath,
+                            line: i + 1,
+                            message: `Dangerous import: ${dangerous.module} - ${dangerous.reason}`,
+                            recommendation: `Review usage of ${dangerous.module} and ensure proper security controls`,
+                        });
+                    }
+                }
+            }
+            // Check for secrets
+            for (const secretPattern of PYTHON_SECRET_PATTERNS) {
+                const matches = content.matchAll(secretPattern.pattern);
+                for (const match of matches) {
+                    const lineNum = content.substring(0, match.index).split("\n").length;
+                    issues.push({
+                        type: "secret",
+                        severity: "critical",
+                        file: filePath,
+                        line: lineNum,
+                        message: `Potential ${secretPattern.type} detected`,
+                        recommendation: "Move secrets to environment variables or a secure vault",
+                    });
+                }
+            }
+            // Check for vulnerability patterns
+            for (const vulnPattern of VULNERABILITY_PATTERNS) {
+                const matches = content.matchAll(vulnPattern.pattern);
+                for (const match of matches) {
+                    const lineNum = content.substring(0, match.index).split("\n").length;
+                    issues.push({
+                        type: "code_pattern",
+                        severity: vulnPattern.severity,
+                        file: filePath,
+                        line: lineNum,
+                        message: `${vulnPattern.type}: ${vulnPattern.message}`,
+                        recommendation: `Fix the ${vulnPattern.type.toLowerCase()} vulnerability`,
+                    });
+                }
+            }
+        }
+        catch (error) {
+            // Skip files we can't read
+        }
+        return issues;
+    }
+    /**
+     * Detect Python version from project
+     */
+    detectPythonVersion(projectPath) {
+        // Check pyproject.toml for requires-python
+        const pyprojectPath = (0, path_1.join)(projectPath, "pyproject.toml");
+        if ((0, fs_1.existsSync)(pyprojectPath)) {
+            const content = (0, fs_1.readFileSync)(pyprojectPath, "utf-8");
+            const match = content.match(/requires-python\s*=\s*"([^"]+)"/);
+            if (match) {
+                return match[1];
+            }
+        }
+        // Check .python-version file
+        const pythonVersionPath = (0, path_1.join)(projectPath, ".python-version");
+        if ((0, fs_1.existsSync)(pythonVersionPath)) {
+            return (0, fs_1.readFileSync)(pythonVersionPath, "utf-8").trim();
+        }
+        // Check runtime.txt (Heroku)
+        const runtimePath = (0, path_1.join)(projectPath, "runtime.txt");
+        if ((0, fs_1.existsSync)(runtimePath)) {
+            const content = (0, fs_1.readFileSync)(runtimePath, "utf-8").trim();
+            const match = content.match(/python-([\d.]+)/);
+            if (match) {
+                return match[1];
+            }
+        }
+        return undefined;
+    }
+}
+exports.PythonAnalyzer = PythonAnalyzer;
+// Export singleton
+exports.pythonAnalyzer = new PythonAnalyzer();

package/dist/license/compatibility-matrix.d.ts

@@ -0,0 +1,28 @@
+/**
+ * License Compatibility Matrix
+ *
+ * Defines which licenses are compatible with each other
+ */
+export type LicenseType = "MIT" | "Apache-2.0" | "BSD-2-Clause" | "BSD-3-Clause" | "ISC" | "GPL-2.0" | "GPL-3.0" | "LGPL-2.1" | "LGPL-3.0" | "AGPL-3.0" | "MPL-2.0" | "CDDL-1.0" | "EPL-2.0" | "Unlicense" | "CC0-1.0" | "Proprietary" | "Unknown";
+export type LicenseCategory = "permissive" | "weak_copyleft" | "strong_copyleft" | "public_domain" | "proprietary";
+export interface LicenseInfo {
+    name: string;
+    category: LicenseCategory;
+    requiresAttribution: boolean;
+    requiresSourceDisclosure: boolean;
+    requiresSameLicense: boolean;
+    allowsCommercialUse: boolean;
+    allowsModification: boolean;
+    allowsDistribution: boolean;
+    patentGrant: boolean;
+}
+/**
+ * License metadata
+ */
+export declare const LICENSE_INFO: Record<LicenseType, LicenseInfo>;
+/**
+ * Compatibility matrix
+ * true = compatible, false = incompatible
+ */
+export declare const COMPATIBILITY_MATRIX: Record<LicenseType, Record<LicenseType, boolean>>;
+//# sourceMappingURL=compatibility-matrix.d.ts.map

package/dist/license/compatibility-matrix.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"compatibility-matrix.d.ts","sourceRoot":"","sources":["../../src/license/compatibility-matrix.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,MAAM,MAAM,WAAW,GACnB,KAAK,GACL,YAAY,GACZ,cAAc,GACd,cAAc,GACd,KAAK,GACL,SAAS,GACT,SAAS,GACT,UAAU,GACV,UAAU,GACV,UAAU,GACV,SAAS,GACT,UAAU,GACV,SAAS,GACT,WAAW,GACX,SAAS,GACT,aAAa,GACb,SAAS,CAAC;AAEd,MAAM,MAAM,eAAe,GACvB,YAAY,GACZ,eAAe,GACf,iBAAiB,GACjB,eAAe,GACf,aAAa,CAAC;AAElB,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,eAAe,CAAC;IAC1B,mBAAmB,EAAE,OAAO,CAAC;IAC7B,wBAAwB,EAAE,OAAO,CAAC;IAClC,mBAAmB,EAAE,OAAO,CAAC;IAC7B,mBAAmB,EAAE,OAAO,CAAC;IAC7B,kBAAkB,EAAE,OAAO,CAAC;IAC5B,kBAAkB,EAAE,OAAO,CAAC;IAC5B,WAAW,EAAE,OAAO,CAAC;CACtB;AAED;;GAEG;AACH,eAAO,MAAM,YAAY,EAAE,MAAM,CAAC,WAAW,EAAE,WAAW,CA4LzD,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,oBAAoB,EAAE,MAAM,CACvC,WAAW,EACX,MAAM,CAAC,WAAW,EAAE,OAAO,CAAC,CAmGtB,CAAC"}