guardrail-security 1.0.1 → 2.0.0
- package/dist/attack-surface/analyzer.d.ts.map +1 -1
- package/dist/attack-surface/analyzer.js +3 -2
- package/dist/license/engine.d.ts.map +1 -1
- package/dist/license/engine.js +3 -2
- package/dist/sbom/generator.d.ts +42 -0
- package/dist/sbom/generator.d.ts.map +1 -1
- package/dist/sbom/generator.js +168 -7
- package/dist/secrets/allowlist.d.ts +38 -0
- package/dist/secrets/allowlist.d.ts.map +1 -0
- package/dist/secrets/allowlist.js +131 -0
- package/dist/secrets/config-loader.d.ts +25 -0
- package/dist/secrets/config-loader.d.ts.map +1 -0
- package/dist/secrets/config-loader.js +103 -0
- package/dist/secrets/contextual-risk.d.ts +19 -0
- package/dist/secrets/contextual-risk.d.ts.map +1 -0
- package/dist/secrets/contextual-risk.js +88 -0
- package/dist/secrets/git-scanner.d.ts +29 -0
- package/dist/secrets/git-scanner.d.ts.map +1 -0
- package/dist/secrets/git-scanner.js +109 -0
- package/dist/secrets/guardian.d.ts +70 -57
- package/dist/secrets/guardian.d.ts.map +1 -1
- package/dist/secrets/guardian.js +532 -240
- package/dist/secrets/index.d.ts +4 -0
- package/dist/secrets/index.d.ts.map +1 -1
- package/dist/secrets/index.js +11 -1
- package/dist/secrets/patterns.d.ts +39 -10
- package/dist/secrets/patterns.d.ts.map +1 -1
- package/dist/secrets/patterns.js +129 -71
- package/dist/secrets/pre-commit.d.ts.map +1 -1
- package/dist/secrets/pre-commit.js +1 -1
- package/dist/secrets/vault-integration.d.ts.map +1 -1
- package/dist/secrets/vault-integration.js +1 -0
- package/dist/supply-chain/detector.d.ts.map +1 -1
- package/dist/supply-chain/detector.js +4 -3
- package/dist/supply-chain/vulnerability-db.d.ts +89 -16
- package/dist/supply-chain/vulnerability-db.d.ts.map +1 -1
- package/dist/supply-chain/vulnerability-db.js +404 -115
- package/dist/utils/semver.d.ts +37 -0
- package/dist/utils/semver.d.ts.map +1 -0
- package/dist/utils/semver.js +109 -0
- package/package.json +17 -4
- package/src/__tests__/license/engine.test.ts +0 -250
- package/src/__tests__/supply-chain/typosquat.test.ts +0 -191
- package/src/attack-surface/analyzer.ts +0 -152
- package/src/attack-surface/index.ts +0 -5
- package/src/index.ts +0 -21
- package/src/languages/index.ts +0 -91
- package/src/languages/java-analyzer.ts +0 -490
- package/src/languages/python-analyzer.ts +0 -498
- package/src/license/compatibility-matrix.ts +0 -366
- package/src/license/engine.ts +0 -345
- package/src/license/index.ts +0 -6
- package/src/sbom/generator.ts +0 -355
- package/src/sbom/index.ts +0 -5
- package/src/secrets/guardian.ts +0 -448
- package/src/secrets/index.ts +0 -10
- package/src/secrets/patterns.ts +0 -186
- package/src/secrets/pre-commit.ts +0 -158
- package/src/secrets/vault-integration.ts +0 -360
- package/src/secrets/vault-providers.ts +0 -446
- package/src/supply-chain/detector.ts +0 -252
- package/src/supply-chain/index.ts +0 -11
- package/src/supply-chain/malicious-db.ts +0 -103
- package/src/supply-chain/script-analyzer.ts +0 -194
- package/src/supply-chain/typosquat.ts +0 -302
- package/src/supply-chain/vulnerability-db.ts +0 -386
|
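--- a/package/dist/supply-chain/vulnerability-db.d.ts
+++ b/package/dist/supply-chain/vulnerability-db.d.ts
@@ -1,16 +1,30 @@
 /**
  * Vulnerability Database Integration
  *
- *
- * -
- * -
- * -
+ * Real-time OSV (Open Source Vulnerabilities) integration with:
+ * - Multi-ecosystem support (npm, PyPI, RubyGems, Go)
+ * - Persistent caching with 24h TTL
+ * - Batch request optimization
+ * - CVSS scoring and vectors
+ * - Remediation path analysis
+ * - Optional NVD enrichment for CVE details
+ * - Retry logic with exponential backoff
+ * - Configurable timeouts
  */
+export interface VulnerabilityDbOptions {
+    noCache?: boolean;
+    nvdEnrichment?: boolean;
+    timeout?: number;
+    retries?: number;
+    cacheDir?: string;
+}
+export type Ecosystem = 'npm' | 'PyPI' | 'RubyGems' | 'Go';
 export interface Vulnerability {
     id: string;
     source: 'osv' | 'github' | 'nvd' | 'npm';
     severity: 'low' | 'medium' | 'high' | 'critical';
     cvssScore?: number;
+    cvssVector?: string;
     title: string;
     description: string;
     affectedVersions: string[];
@@ -19,6 +33,7 @@ export interface Vulnerability {
     publishedAt: Date;
     updatedAt: Date;
     cwe?: string[];
+    aliases?: string[];
 }
 export interface VulnerabilityCheckResult {
     package: string;
@@ -27,6 +42,13 @@ export interface VulnerabilityCheckResult {
     isVulnerable: boolean;
     highestSeverity: 'none' | 'low' | 'medium' | 'high' | 'critical';
     recommendedVersion?: string;
+    isDirect: boolean;
+    remediationPath?: {
+        action: 'upgrade' | 'replace' | 'remove';
+        targetVersion?: string;
+        breakingChange: boolean;
+        description: string;
+    };
 }
 export interface VulnerabilityReport {
     projectPath: string;
@@ -40,37 +62,77 @@ export interface VulnerabilityReport {
     medium: number;
     low: number;
     };
+    ecosystem: Ecosystem;
+    directVulnerabilities: number;
+    transitiveVulnerabilities: number;
+    cacheHitRate?: number;
 }
 export declare class VulnerabilityDatabase {
     private osvApiUrl;
-    private
+    private cacheDir;
+    private cachePath;
+    private memoryCache;
+    private cacheHits;
+    private cacheMisses;
+    private options;
+    constructor(cacheDirOrOptions?: string | VulnerabilityDbOptions);
+    /**
+     * Update options at runtime
+     */
+    setOptions(options: Partial<VulnerabilityDbOptions>): void;
+    /**
+     * Load cache from disk
+     */
+    private loadDiskCache;
+    /**
+     * Save cache to disk
+     */
+    private saveDiskCache;
     /**
      * Check a single package for vulnerabilities
      */
-    checkPackage(name: string, version: string): Promise<VulnerabilityCheckResult>;
+    checkPackage(name: string, version: string, ecosystem?: Ecosystem, isDirect?: boolean): Promise<VulnerabilityCheckResult>;
     /**
-     * Check multiple packages in bulk
+     * Check multiple packages in bulk with batching
      */
     checkPackages(packages: {
         name: string;
         version: string;
+        ecosystem?: Ecosystem;
+        isDirect?: boolean;
     }[]): Promise<VulnerabilityCheckResult[]>;
+    /**
+     * Query OSV with retry logic and exponential backoff
+     */
+    private queryOSVWithRetry;
     /**
      * Query OSV (Open Source Vulnerabilities) API
      */
     private queryOSV;
     /**
-     *
+     * Enrich vulnerabilities with NVD data (CVSS scores)
      */
-    private
+    private enrichWithNVD;
     /**
-     * Query
+     * Query NVD API for CVE details
      */
-    private
+    private queryNVD;
     /**
-     *
+     * Map CVSS score to severity level
      */
-    private
+    private mapCVSSSeverity;
+    /**
+     * Delay helper for retry backoff
+     */
+    private delay;
+    /**
+     * Parse OSV API response
+     */
+    private parseOSVResponse;
+    /**
+     * Check if a version is affected by vulnerability ranges
+     */
+    private isVersionAffected;
     /**
      * Map OSV severity to standard levels
      */
@@ -84,9 +146,9 @@ export declare class VulnerabilityDatabase {
      */
     private extractPatchedVersions;
     /**
-     *
+     * Calculate remediation path for a vulnerability
      */
-    private
+    private calculateRemediationPath;
     /**
      * Build result object
      */
@@ -97,17 +159,28 @@ export declare class VulnerabilityDatabase {
     generateReport(projectPath: string, packages: {
         name: string;
         version: string;
-
+        ecosystem?: Ecosystem;
+        isDirect?: boolean;
+    }[], ecosystem?: Ecosystem): Promise<VulnerabilityReport>;
     /**
      * Clear vulnerability cache
      */
     clearCache(): void;
+    /**
+     * Clear entire cache directory
+     */
+    static clearCacheDirectory(cacheDir?: string): {
+        success: boolean;
+        path: string;
+        error?: string;
+    };
     /**
      * Get cache statistics
      */
     getCacheStats(): {
         size: number;
         oldestEntry: Date | null;
+        hitRate: number;
     };
 }
 export declare const vulnerabilityDatabase: VulnerabilityDatabase;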
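Review bot: The new `VulnerabilityDbOptions` interface (hunk `@@ -1,16 +1,30 @@`) ships with no TSDoc, so a consumer reading this declaration cannot tell the unit of `timeout`, whether `retries` counts attempts or retries after the first failure, or how `noCache` interacts with the disk cache under `cacheDir`; since the diffstat removes every `package/src/*` file, this `.d.ts` is the only contract consumers see, and one comment per member such as `/** Per-request timeout; unit must be confirmed against the implementation before being documented as milliseconds */` would close that gap. The same applies to `static clearCacheDirectory(cacheDir?: string)` in hunk `@@ -97,17 +159,28 @@`: it is a destructive filesystem operation on a caller-supplied or default path, and `Clear entire cache directory` should state which directory is removed when the argument is omitted and that failures are reported through `error` rather than thrown, which the `{ success; path; error? }` return shape suggests but does not say. `generateReport` accepts `ecosystem?: Ecosystem` while `VulnerabilityReport.ecosystem` is required, so the implementation presumably fills in a default ecosystem that the doc comment should name. Whether the implementation validates `cacheDir` before removing it cannot be seen from the declaration file.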
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"vulnerability-db.d.ts","sourceRoot":"","sources":["../../src/supply-chain/vulnerability-db.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"vulnerability-db.d.ts","sourceRoot":"","sources":["../../src/supply-chain/vulnerability-db.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAMH,MAAM,WAAW,sBAAsB;IACrC,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,MAAM,GAAG,UAAU,GAAG,IAAI,CAAC;AAE3D,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,KAAK,GAAG,QAAQ,GAAG,KAAK,GAAG,KAAK,CAAC;IACzC,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IACjD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,WAAW,EAAE,IAAI,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,eAAe,EAAE,aAAa,EAAE,CAAC;IACjC,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,EAAE,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IACjE,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,EAAE,OAAO,CAAC;IAClB,eAAe,CAAC,EAAE;QAChB,MAAM,EAAE,SAAS,GAAG,SAAS,GAAG,QAAQ,CAAC;QACzC,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,cAAc,EAAE,OAAO,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;KACrB,CAAC;CACH;AAED,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,IAAI,CAAC;IACf,aAAa,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,OAAO,EAAE,wBAAwB,EAAE,CAAC;IACpC,OAAO,EAAE;QACP,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,CAAC;KACb,CAAC;IACF,SAAS,EAAE,SAAS,CAAC;IACrB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,yBAAyB,EAAE,MAAM,CAAC;IAClC,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAmBD,qBAAa,qBAAqB;IAChC,OAAO,CAAC,SAAS,CAA4B;IAC7C,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,WAAW,CAAsC;IACzD,OAAO,CAAC,SAAS,CAAK;IACtB,OAAO,CAAC,WAAW,CAAK;IACxB,OAAO,CAAC,OAAO,CAAyB;gBAE5B,iBAAiB,CAAC,EAAE,MAAM,GAAG,sBAAsB;IAa/D;;OAEG;IACH,UAAU,CA
AC,OAAO,EAAE,OAAO,CAAC,sBAAsB,CAAC,GAAG,IAAI;IAO1D;;OAEG;IACH,OAAO,CAAC,aAAa;IAiBrB;;OAEG;IACH,OAAO,CAAC,aAAa;IAerB;;OAEG;IACG,YAAY,CAChB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,SAAS,GAAE,SAAiB,EAC5B,QAAQ,UAAO,GACd,OAAO,CAAC,wBAAwB,CAAC;IAoCpC;;OAEG;IACG,aAAa,CACjB,QAAQ,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,SAAS,CAAC;QAAC,QAAQ,CAAC,EAAE,OAAO,CAAA;KAAE,EAAE,GACvF,OAAO,CAAC,wBAAwB,EAAE,CAAC;IA+BtC;;OAEG;YACW,iBAAiB;IAuB/B;;OAEG;YACW,QAAQ;IAwCtB;;OAEG;YACW,aAAa;IA8B3B;;OAEG;YACW,QAAQ;IA4CtB;;OAEG;IACH,OAAO,CAAC,eAAe;IAQvB;;OAEG;IACH,OAAO,CAAC,KAAK;IAIb;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAgCxB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAgCzB;;OAEG;IACH,OAAO,CAAC,cAAc;IAetB;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA0B/B;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAsB9B;;OAEG;IACH,OAAO,CAAC,wBAAwB;IA0ChC;;OAEG;IACH,OAAO,CAAC,WAAW;IAqCnB;;OAEG;IACG,cAAc,CAClB,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,SAAS,CAAC;QAAC,QAAQ,CAAC,EAAE,OAAO,CAAA;KAAE,EAAE,EACxF,SAAS,GAAE,SAAiB,GAC3B,OAAO,CAAC,mBAAmB,CAAC;IA2C/B;;OAEG;IACH,UAAU,IAAI,IAAI;IAalB;;OAEG;IACH,MAAM,CAAC,mBAAmB,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAiBjG;;OAEG;IACH,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,IAAI,GAAG,IAAI,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE;CAiB7E;AAGD,eAAO,MAAM,qBAAqB,uBAA8B,CAAC"}
|