guardrail-security 1.0.2 → 2.0.0
- package/dist/sbom/generator.d.ts +42 -0
- package/dist/sbom/generator.d.ts.map +1 -1
- package/dist/sbom/generator.js +168 -7
- package/dist/secrets/allowlist.d.ts +38 -0
- package/dist/secrets/allowlist.d.ts.map +1 -0
- package/dist/secrets/allowlist.js +131 -0
- package/dist/secrets/config-loader.d.ts +25 -0
- package/dist/secrets/config-loader.d.ts.map +1 -0
- package/dist/secrets/config-loader.js +103 -0
- package/dist/secrets/contextual-risk.d.ts +19 -0
- package/dist/secrets/contextual-risk.d.ts.map +1 -0
- package/dist/secrets/contextual-risk.js +88 -0
- package/dist/secrets/git-scanner.d.ts +29 -0
- package/dist/secrets/git-scanner.d.ts.map +1 -0
- package/dist/secrets/git-scanner.js +109 -0
- package/dist/secrets/guardian.d.ts +70 -57
- package/dist/secrets/guardian.d.ts.map +1 -1
- package/dist/secrets/guardian.js +531 -258
- package/dist/secrets/index.d.ts +4 -0
- package/dist/secrets/index.d.ts.map +1 -1
- package/dist/secrets/index.js +11 -1
- package/dist/secrets/patterns.d.ts +39 -10
- package/dist/secrets/patterns.d.ts.map +1 -1
- package/dist/secrets/patterns.js +129 -71
- package/dist/secrets/pre-commit.d.ts.map +1 -1
- package/dist/secrets/pre-commit.js +1 -1
- package/dist/secrets/vault-integration.d.ts.map +1 -1
- package/dist/secrets/vault-integration.js +1 -0
- package/dist/supply-chain/vulnerability-db.d.ts +89 -16
- package/dist/supply-chain/vulnerability-db.d.ts.map +1 -1
- package/dist/supply-chain/vulnerability-db.js +404 -115
- package/dist/utils/semver.d.ts +37 -0
- package/dist/utils/semver.d.ts.map +1 -0
- package/dist/utils/semver.js +109 -0
- package/package.json +17 -3
- package/src/__tests__/license/engine.test.ts +0 -250
- package/src/__tests__/supply-chain/typosquat.test.ts +0 -191
- package/src/attack-surface/analyzer.ts +0 -153
- package/src/attack-surface/index.ts +0 -5
- package/src/index.ts +0 -21
- package/src/languages/index.ts +0 -91
- package/src/languages/java-analyzer.ts +0 -490
- package/src/languages/python-analyzer.ts +0 -498
- package/src/license/compatibility-matrix.ts +0 -366
- package/src/license/engine.ts +0 -346
- package/src/license/index.ts +0 -6
- package/src/sbom/generator.ts +0 -355
- package/src/sbom/index.ts +0 -5
- package/src/secrets/guardian.ts +0 -468
- package/src/secrets/index.ts +0 -10
- package/src/secrets/patterns.ts +0 -186
- package/src/secrets/pre-commit.ts +0 -158
- package/src/secrets/vault-integration.ts +0 -360
- package/src/secrets/vault-providers.ts +0 -446
- package/src/supply-chain/detector.ts +0 -253
- package/src/supply-chain/index.ts +0 -11
- package/src/supply-chain/malicious-db.ts +0 -103
- package/src/supply-chain/script-analyzer.ts +0 -194
- package/src/supply-chain/typosquat.ts +0 -302
- package/src/supply-chain/vulnerability-db.ts +0 -386
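--- a/package/dist/secrets/index.d.ts
+++ b/package/dist/secrets/index.d.ts
@@ -7,4 +7,8 @@ export * from './patterns';
 export { secretsGuardian, SecretsGuardian } from './guardian';
 export { preCommitHook } from './pre-commit';
 export { vaultIntegration } from './vault-integration';
+export { loadCustomPatterns, ConfigValidationError } from './config-loader';
+export { Allowlist } from './allowlist';
+export { adjustRiskByContext, getContextDescription } from './contextual-risk';
+export { scanGitHistory } from './git-scanner';
 //# sourceMappingURL=index.d.ts.map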
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/secrets/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/secrets/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,cAAc,YAAY,CAAC;AAC3B,OAAO,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAC5E,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AACxC,OAAO,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/E,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC"}
|
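--- a/package/dist/secrets/index.js
+++ b/package/dist/secrets/index.js
@@ -19,7 +19,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.vaultIntegration = exports.preCommitHook = exports.SecretsGuardian = exports.secretsGuardian = void 0;
+exports.scanGitHistory = exports.getContextDescription = exports.adjustRiskByContext = exports.Allowlist = exports.ConfigValidationError = exports.loadCustomPatterns = exports.vaultIntegration = exports.preCommitHook = exports.SecretsGuardian = exports.secretsGuardian = void 0;
 __exportStar(require("./patterns"), exports);
 var guardian_1 = require("./guardian");
 Object.defineProperty(exports, "secretsGuardian", { enumerable: true, get: function () { return guardian_1.secretsGuardian; } });
@@ -28,3 +28,13 @@ var pre_commit_1 = require("./pre-commit");
 Object.defineProperty(exports, "preCommitHook", { enumerable: true, get: function () { return pre_commit_1.preCommitHook; } });
 var vault_integration_1 = require("./vault-integration");
 Object.defineProperty(exports, "vaultIntegration", { enumerable: true, get: function () { return vault_integration_1.vaultIntegration; } });
+var config_loader_1 = require("./config-loader");
+Object.defineProperty(exports, "loadCustomPatterns", { enumerable: true, get: function () { return config_loader_1.loadCustomPatterns; } });
+Object.defineProperty(exports, "ConfigValidationError", { enumerable: true, get: function () { return config_loader_1.ConfigValidationError; } });
+var allowlist_1 = require("./allowlist");
+Object.defineProperty(exports, "Allowlist", { enumerable: true, get: function () { return allowlist_1.Allowlist; } });
+var contextual_risk_1 = require("./contextual-risk");
+Object.defineProperty(exports, "adjustRiskByContext", { enumerable: true, get: function () { return contextual_risk_1.adjustRiskByContext; } });
+Object.defineProperty(exports, "getContextDescription", { enumerable: true, get: function () { return contextual_risk_1.getContextDescription; } });
+var git_scanner_1 = require("./git-scanner");
+Object.defineProperty(exports, "scanGitHistory", { enumerable: true, get: function () { return git_scanner_1.scanGitHistory; } });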
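--- a/package/dist/secrets/patterns.d.ts
+++ b/package/dist/secrets/patterns.d.ts
@@ -7,36 +7,65 @@ export declare enum SecretType {
 DATABASE_URL = "database_url",
 JWT_SECRET = "jwt_secret",
 AWS_ACCESS_KEY = "aws_access_key",
-OTHER = "other",
 AWS_SECRET_KEY = "aws_secret_key",
 GITHUB_TOKEN = "github_token",
 GOOGLE_API_KEY = "google_api_key",
 STRIPE_KEY = "stripe_key",
-JWT_TOKEN = "jwt_token",
 SLACK_TOKEN = "slack_token",
-
+JWT_TOKEN = "jwt_token",
+API_KEY_GENERIC = "api_key_generic",
+PASSWORD_GENERIC = "password_generic",
+OTHER = "other"
 }
-
-* Secret detection pattern
-*/
+export type RiskLevel = 'high' | 'medium' | 'low';
 export interface SecretPattern {
 type: SecretType;
 name: string;
+/**
+* IMPORTANT:
+* - Store patterns WITHOUT the `g` flag (we clone to global during scanning).
+* - Keep needed flags like `i` on this regex; the scanner preserves them.
+*/
 pattern: RegExp;
+/**
+* Which capture group contains the actual secret value.
+* If omitted, scanner will use group 1 if present, else group 0.
+*/
+valueGroup?: number;
+/**
+* Entropy threshold (Shannon). Used to reduce false positives.
+*/
 minEntropy?: number;
+/**
+* Risk drives recommendations & severity.
+*/
+risk: RiskLevel;
 description: string;
 examples: string[];
+/**
+* Optional custom redaction for display (safe logging/UI).
+* If omitted, the scanner uses a default masking strategy.
+*/
+redact?: (value: string, match: RegExpMatchArray) => string;
 }
 /**
 * Comprehensive secret detection patterns
+* Notes:
+* - Examples are clearly fake.
+* - Patterns are designed to be high-signal; add more vendors as needed.
+*/
+export declare const SECRET_PATTERNS: ReadonlyArray<SecretPattern>;
+/**
+* Test/example value patterns (used for down-weighting confidence, optional exclusion).
 */
-export declare const
+export declare const TEST_PATTERNS: ReadonlyArray<RegExp>;
 /**
-*
+* Context patterns that are strongly associated with false positives (schemas/validators/etc).
+* Scanner uses these to skip matches in certain code lines.
 */
-export declare const
+export declare const CONTEXT_EXCLUSION_PATTERNS: ReadonlyArray<RegExp>;
 /**
-* Common false positive values
+* Common false positive literal values
 */
 export declare const FALSE_POSITIVE_VALUES: Set<string>;
 //# sourceMappingURL=patterns.d.ts.map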
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../src/secrets/patterns.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../src/secrets/patterns.ts"],"names":[],"mappings":"AAIA,oBAAY,UAAU;IACpB,OAAO,YAAY;IACnB,QAAQ,aAAa;IACrB,KAAK,UAAU;IACf,WAAW,gBAAgB;IAC3B,WAAW,gBAAgB;IAC3B,YAAY,iBAAiB;IAC7B,UAAU,eAAe;IAEzB,cAAc,mBAAmB;IACjC,cAAc,mBAAmB;IAEjC,YAAY,iBAAiB;IAC7B,cAAc,mBAAmB;IACjC,UAAU,eAAe;IACzB,WAAW,gBAAgB;IAE3B,SAAS,cAAc;IACvB,eAAe,oBAAoB;IACnC,gBAAgB,qBAAqB;IAErC,KAAK,UAAU;CAChB;AAED,MAAM,MAAM,SAAS,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAElD,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,UAAU,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IAEb;;;;OAIG;IACH,OAAO,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;OAEG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;OAEG;IACH,IAAI,EAAE,SAAS,CAAC;IAEhB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,EAAE,CAAC;IAEnB;;;OAGG;IACH,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,gBAAgB,KAAK,MAAM,CAAC;CAC7D;AAED;;;;;GAKG;AACH,eAAO,MAAM,eAAe,EAAE,aAAa,CAAC,aAAa,CAwIxD,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,aAAa,EAAE,aAAa,CAAC,MAAM,CAY/C,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,0BAA0B,EAAE,aAAa,CAAC,MAAM,CA2B5D,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,aAiBhC,CAAC"}
|
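--- a/package/dist/secrets/patterns.js
+++ b/package/dist/secrets/patterns.js
@@ -1,7 +1,9 @@
 "use strict";
+/* patterns.ts
+* Enterprise-grade secret patterns & false-positive controls
+*/
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.FALSE_POSITIVE_VALUES = exports.TEST_PATTERNS = exports.SECRET_PATTERNS = exports.SecretType = void 0;
-// Define SecretType locally since it's not exported from database
+exports.FALSE_POSITIVE_VALUES = exports.CONTEXT_EXCLUSION_PATTERNS = exports.TEST_PATTERNS = exports.SECRET_PATTERNS = exports.SecretType = void 0;
 var SecretType;
 (function (SecretType) {
 SecretType["API_KEY"] = "api_key";
@@ -12,116 +14,148 @@ var SecretType;
 SecretType["DATABASE_URL"] = "database_url";
 SecretType["JWT_SECRET"] = "jwt_secret";
 SecretType["AWS_ACCESS_KEY"] = "aws_access_key";
-SecretType["OTHER"] = "other";
 SecretType["AWS_SECRET_KEY"] = "aws_secret_key";
 SecretType["GITHUB_TOKEN"] = "github_token";
 SecretType["GOOGLE_API_KEY"] = "google_api_key";
 SecretType["STRIPE_KEY"] = "stripe_key";
-SecretType["JWT_TOKEN"] = "jwt_token";
 SecretType["SLACK_TOKEN"] = "slack_token";
+SecretType["JWT_TOKEN"] = "jwt_token";
 SecretType["API_KEY_GENERIC"] = "api_key_generic";
+SecretType["PASSWORD_GENERIC"] = "password_generic";
+SecretType["OTHER"] = "other";
 })(SecretType || (exports.SecretType = SecretType = {}));
 /**
 * Comprehensive secret detection patterns
+* Notes:
+* - Examples are clearly fake.
+* - Patterns are designed to be high-signal; add more vendors as needed.
 */
 exports.SECRET_PATTERNS = [
-// AWS
+// ---------- AWS ----------
 {
-type:
+type: SecretType.AWS_ACCESS_KEY,
 name: 'AWS Access Key ID',
-pattern:
+pattern: /\b(AKIA|ASIA)[0-9A-Z]{16}\b/,
+valueGroup: 0,
 minEntropy: 3.5,
-
-
+risk: 'high',
+description: 'AWS Access Key ID (AKIA/ASIA + 16 chars)',
+examples: ['AKIAIOSFODNN7EXAMPLE', 'ASIAIOSFODNN7EXAMPLE'],
 },
-// AWS Secret Keys
 {
-type:
+type: SecretType.AWS_SECRET_KEY,
 name: 'AWS Secret Access Key',
-pattern:
+pattern: /\baws[_\s-]*secret[_\s-]*access[_\s-]*key\b\s*[=:]\s*['"]?([A-Za-z0-9/+=]{40})['"]?/i,
+valueGroup: 1,
 minEntropy: 4.5,
-
+risk: 'high',
+description: 'AWS Secret Access Key assigned in config (40 chars)',
 examples: ['aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'],
 },
-// GitHub
+// ---------- GitHub ----------
 {
-type:
-name: 'GitHub
-pattern:
-
+type: SecretType.GITHUB_TOKEN,
+name: 'GitHub Token',
+pattern: /\b(ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b/,
+valueGroup: 0,
+risk: 'high',
+description: 'GitHub personal/app tokens (ghp_/gho_/...)',
 examples: ['ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'],
 },
-// Google
+// ---------- Google ----------
 {
-type:
+type: SecretType.GOOGLE_API_KEY,
 name: 'Google API Key',
-pattern:
-
+pattern: /\bAIza[0-9A-Za-z\-_]{35}\b/,
+valueGroup: 0,
+risk: 'medium',
+description: 'Google API Key (AIzA...)',
 examples: ['AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe'],
 },
-// Stripe
+// ---------- Stripe ----------
 {
-type:
-name: 'Stripe
-pattern:
-
+type: SecretType.STRIPE_KEY,
+name: 'Stripe Live Secret/Public/Restricted Key',
+pattern: /\b(sk_live|pk_live|rk_live)_[0-9A-Za-z]{24,}\b/,
+valueGroup: 0,
+risk: 'high',
+description: 'Stripe live keys (sk_live / pk_live / rk_live)',
 examples: ['sk_live_1234567890abcdefghijklmn'],
 },
-//
+// ---------- Slack ----------
 {
-type:
+type: SecretType.SLACK_TOKEN,
+name: 'Slack Token',
+pattern: /\b(xox[pboa]-\d{10,13}-\d{10,13}-\d{10,13}-[a-z0-9]{32})\b/,
+valueGroup: 1,
+risk: 'high',
+description: 'Slack bot/user/app tokens (xoxb/xoxp/xoxa/xoxo)',
+examples: ['xoxb-0000000000-0000000000-0000000000-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'],
+},
+// ---------- JWT ----------
+{
+type: SecretType.JWT_TOKEN,
 name: 'JWT Token',
-pattern:
+pattern: /\b(eyJ[0-9A-Za-z_-]*\.[0-9A-Za-z_-]*\.[0-9A-Za-z_-]+)\b/,
+valueGroup: 1,
 minEntropy: 4.0,
-
-
+risk: 'medium',
+description: 'JSON Web Token (header.payload.signature)',
+examples: [
+'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U',
+],
 },
-// Private
+// ---------- Private keys / certs ----------
 {
-type:
-name: 'Private Key',
-pattern: /(-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----[\s\S]*?-----END (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----)/,
-
+type: SecretType.PRIVATE_KEY,
+name: 'Private Key Block',
+pattern: /(-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----)/,
+valueGroup: 1,
+risk: 'high',
+description: 'PEM private key blocks (RSA/EC/OpenSSH/DSA)',
 examples: ['-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBgk...\\n-----END PRIVATE KEY-----'],
 },
-// Database URLs
+// ---------- Database URLs (credentials embedded) ----------
 {
-type:
-name: 'Database URL with
-pattern:
-
-
+type: SecretType.DATABASE_URL,
+name: 'Database URL with Embedded Credentials',
+pattern: /\b(postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/([^:\s\/]+):([^@\s\/]+)@([A-Za-z0-9.-]+)(?::(\d{2,5}))?(\/[^\s'"]*)?/i,
+valueGroup: 0,
+risk: 'high',
+description: 'Connection string contains username:password@host',
 examples: ['postgresql://user:password123@localhost:5432/dbname'],
+redact: (_value, match) => {
+const scheme = match[1] ?? 'db';
+const host = match[4] ?? 'host';
+const port = match[5] ? `:${match[5]}` : '';
+return `${scheme}://***:***@${host}${port}/***`;
+},
 },
-//
+// ---------- Generic high-entropy API keys ----------
 {
-type:
-name: '
-pattern:
-
-examples: ['xoxb-0000000000-0000000000-0000000000-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'],
-},
-// Generic API Keys (high entropy)
-{
-type: 'API_KEY_GENERIC',
-name: 'Generic API Key',
-pattern: /(?:api[_\s-]?key|apikey|access[_\s-]?token|auth[_\s-]?token|secret[_\s-]?key)[_\s]*[=:]\s*['"]?([a-zA-Z0-9_\-]{32,})['"]?/i,
+type: SecretType.API_KEY_GENERIC,
+name: 'Generic API Key / Token Assignment',
+pattern: /\b(?:api[_\s-]?key|apikey|access[_\s-]?token|auth[_\s-]?token|secret[_\s-]?key)\b[_\s]*[=:]\s*['"]?([A-Za-z0-9_\-]{32,})['"]?/i,
+valueGroup: 1,
 minEntropy: 4.0,
-
+risk: 'medium',
+description: 'Generic API key/token (assignment + long value)',
 examples: ['api_key = abcdef1234567890abcdef1234567890'],
 },
-// Generic
+// ---------- Generic password assignment ----------
 {
-type:
-name: 'Generic Password',
-pattern:
-
-
+type: SecretType.PASSWORD_GENERIC,
+name: 'Generic Password Assignment',
+pattern: /\b(?:password|passwd|pwd)\b\s*[=:]\s*['"]([^'"]{8,128})['"]/i,
+valueGroup: 1,
+minEntropy: 3.5,
+risk: 'medium',
+description: 'Password-like assignment (quoted, 8–128 chars)',
 examples: ['password = "MySecretP@ssw0rd"'],
 },
 ];
 /**
-* Test/example value patterns (
+* Test/example value patterns (used for down-weighting confidence, optional exclusion).
 */
 exports.TEST_PATTERNS = [
 /test/i,
@@ -131,19 +165,43 @@ exports.TEST_PATTERNS = [
 /fake/i,
 /dummy/i,
 /placeholder/i,
-/\*{3,}/,
-/x{3,}/i,
-/0{5,}/,
-/1{5,}/,
-/abc{3,}/i,
-/qwerty/i,
-/password123/i,
 /changeme/i,
 /your[_-]?key/i,
 /your[_-]?secret/i,
+/password123/i,
+];
+/**
+* Context patterns that are strongly associated with false positives (schemas/validators/etc).
+* Scanner uses these to skip matches in certain code lines.
+*/
+exports.CONTEXT_EXCLUSION_PATTERNS = [
+/\.min\s*\(/i,
+/\.max\s*\(/i,
+/\.length\b/i,
+/\bschema\b/i,
+/\bvalidation\b/i,
+/\bvalidator\b/i,
+/\.string\s*\(/i,
+/\.required\b/i,
+/\.optional\b/i,
+/\bzod\./i,
+/\byup\./i,
+/\bjoi\./i,
+/__tests__/i,
+/__mocks__/i,
+/\bmock\b/i,
+/\bstub\b/i,
+/\bfixture\b/i,
+/\bprocess\.env\b/i,
+/\benv\./i,
+/\bconfig\./i,
+/\bsettings\./i,
+/\boptions\./i,
+/\bparams\./i,
+/\bprops\./i,
 ];
 /**
-* Common false positive values
+* Common false positive literal values
 */
 exports.FALSE_POSITIVE_VALUES = new Set([
 'example',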
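Review bot: The new CONTEXT_EXCLUSION_PATTERNS list in the third hunk is broad enough to hide real leaks: its own header comment says the scanner uses these to skip matches on a line, yet the list contains `/\bprocess\.env\b/i`, `/\benv\./i`, `/\bconfig\./i`, `/\bsettings\./i`, `/\boptions\./i` and `/\.length\b/i`, so a hard-coded fallback such as `config.stripeKey = 'sk_live_...'` or a literal assigned next to a `process.env` read on the same line is never reported, even though those are exactly the lines where committed credentials tend to sit. These entries would be safer as confidence down-weights (the role TEST_PATTERNS already plays) or narrowed to the validator-library shapes (`.min(`, `.string(`, `zod.`, `yup.`, `joi.`) that motivate the list, keeping hard skips for `__tests__`/`__mocks__`-style path markers only. Separately, the Generic Password pattern in the second hunk requires a quoted value (`['"]([^'"]{8,128})['"]`) while the Generic API Key pattern makes the quotes optional, so an unquoted `PASSWORD=...` line in a dotenv file is missed by the password rule; if that asymmetry is intentional, a one-line comment above the pattern saying so would prevent it being "fixed" later.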
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"pre-commit.d.ts","sourceRoot":"","sources":["../../src/secrets/pre-commit.ts"],"names":[],"mappings":"AAKA;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,OAAO,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,qBAAa,aAAa;IACxB;;OAEG;IACH,kBAAkB,IAAI,MAAM;IAoB5B;;OAEG;IACG,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC;
|
|
1
|
+
{"version":3,"file":"pre-commit.d.ts","sourceRoot":"","sources":["../../src/secrets/pre-commit.ts"],"names":[],"mappings":"AAKA;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,OAAO,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,qBAAa,aAAa;IACxB;;OAEG;IACH,kBAAkB,IAAI,MAAM;IAoB5B;;OAEG;IACG,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAgDpE;;OAEG;IACH,OAAO,CAAC,cAAc;IAqCtB;;OAEG;IACH,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;CAWnC;AAGD,eAAO,MAAM,aAAa,eAAsB,CAAC"}
|
|
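--- a/package/dist/secrets/pre-commit.js
+++ b/package/dist/secrets/pre-commit.js
@@ -49,7 +49,7 @@ exit 0
 // Scan each staged file
 const allDetections = [];
 for (const file of stagedFiles) {
-const detections = await guardian_1.secretsGuardian.scanContent(file.content, file.path, {
+const detections = await guardian_1.secretsGuardian.scanContent(file.content, file.path, 'pre-commit', {
 excludeTests: true,
 minConfidence: 0.7,
 });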
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"vault-integration.d.ts","sourceRoot":"","sources":["../../src/secrets/vault-integration.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAI7C;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,qBAAqB,GAAG,iBAAiB,GAAG,gBAAgB,GAAG,oBAAoB,CAAC;IAC1F,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE;QACZ,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;GAKG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,aAAa,CAAyC;IAE9D;;OAEG;IACH,OAAO,CAAC,WAAW;IAuBnB;;OAEG;IACG,cAAc,CAAC,WAAW,EAAE,WAAW,GAAG,OAAO,CAAC;QAAE,SAAS,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAY/F;;;OAGG;IACG,cAAc,CAClB,UAAU,EAAE,eAAe,EAAE,EAC7B,WAAW,EAAE,WAAW,GACvB,OAAO,CAAC,oBAAoB,EAAE,CAAC;IA2DlC;;OAEG;IACG,SAAS,CAAC,WAAW,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAKrF;;OAEG;IACG,WAAW,CAAC,WAAW,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAK9D;;OAEG;IACG,YAAY,CAAC,WAAW,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKlF;;OAEG;IACH,kBAAkB,CAAC,SAAS,EAAE,eAAe,GAAG,MAAM;
|
|
1
|
+
{"version":3,"file":"vault-integration.d.ts","sourceRoot":"","sources":["../../src/secrets/vault-integration.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAI7C;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,qBAAqB,GAAG,iBAAiB,GAAG,gBAAgB,GAAG,oBAAoB,CAAC;IAC1F,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE;QACZ,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,OAAO,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;GAKG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,aAAa,CAAyC;IAE9D;;OAEG;IACH,OAAO,CAAC,WAAW;IAuBnB;;OAEG;IACG,cAAc,CAAC,WAAW,EAAE,WAAW,GAAG,OAAO,CAAC;QAAE,SAAS,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAY/F;;;OAGG;IACG,cAAc,CAClB,UAAU,EAAE,eAAe,EAAE,EAC7B,WAAW,EAAE,WAAW,GACvB,OAAO,CAAC,oBAAoB,EAAE,CAAC;IA2DlC;;OAEG;IACG,SAAS,CAAC,WAAW,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAKrF;;OAEG;IACG,WAAW,CAAC,WAAW,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAK9D;;OAEG;IACG,YAAY,CAAC,WAAW,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKlF;;OAEG;IACH,kBAAkB,CAAC,SAAS,EAAE,eAAe,GAAG,MAAM;IA6BtD;;OAEG;IACH,mBAAmB,CAAC,WAAW,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM;IAyDzE;;OAEG;IACH,sBAAsB,CAAC,OAAO,EAAE,oBAAoB,EAAE,GAAG,MAAM;IA0B/D;;OAEG;IACG,YAAY,CAAC,WAAW,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKlF;;OAEG;IACG,mBAAmB,CACvB,UAAU,EAAE,eAAe,EAAE,EAC7B,WAAW,EAAE,WAAW,EACxB,UAAU,CAAC,EAAE,CAAC,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,KAAK,IAAI,GACvE,OAAO,CAAC,oBAAoB,EAAE,CAAC;CAoDnC;AAGD,eAAO,MAAM,gBAAgB,kBAAyB,CAAC"}
|
|
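--- a/package/dist/secrets/vault-integration.js
+++ b/package/dist/secrets/vault-integration.js
@@ -147,6 +147,7 @@ class VaultIntegration {
 [patterns_1.SecretType.CERTIFICATE]: 'CERTIFICATE',
 [patterns_1.SecretType.JWT_SECRET]: 'JWT_SECRET',
 [patterns_1.SecretType.PASSWORD]: 'PASSWORD',
+[patterns_1.SecretType.PASSWORD_GENERIC]: 'PASSWORD',
 [patterns_1.SecretType.OTHER]: 'SECRET'
 };
 const baseName = typeMap[detection.secretType] || 'SECRET';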
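Review bot: `SecretType.API_KEY_GENERIC`, which this release adds to the enum alongside `PASSWORD_GENERIC`, has no entry in the visible part of `typeMap`, so unless it is mapped on a line above the hunk it silently falls through to the `'SECRET'` default on the last line; if that is not intended, add `[patterns_1.SecretType.API_KEY_GENERIC]: 'API_KEY',` (name constructed here, pick whatever the existing API_KEY entry uses) next to the new PASSWORD_GENERIC line. The enclosing VaultIntegration method starts and ends outside the hunk, so the earlier entries of the map could not be checked.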
@@ -1,16 +1,30 @@
|
|
|
1
1
|
/**
|
|
2
2
|
* Vulnerability Database Integration
|
|
3
3
|
*
|
|
4
|
-
*
|
|
5
|
-
* -
|
|
6
|
-
* -
|
|
7
|
-
* -
|
|
4
|
+
* Real-time OSV (Open Source Vulnerabilities) integration with:
|
|
5
|
+
* - Multi-ecosystem support (npm, PyPI, RubyGems, Go)
|
|
6
|
+
* - Persistent caching with 24h TTL
|
|
7
|
+
* - Batch request optimization
|
|
8
|
+
* - CVSS scoring and vectors
|
|
9
|
+
* - Remediation path analysis
|
|
10
|
+
* - Optional NVD enrichment for CVE details
|
|
11
|
+
* - Retry logic with exponential backoff
|
|
12
|
+
* - Configurable timeouts
|
|
8
13
|
*/
|
|
14
|
+
export interface VulnerabilityDbOptions {
|
|
15
|
+
noCache?: boolean;
|
|
16
|
+
nvdEnrichment?: boolean;
|
|
17
|
+
timeout?: number;
|
|
18
|
+
retries?: number;
|
|
19
|
+
cacheDir?: string;
|
|
20
|
+
}
|
|
21
|
+
export type Ecosystem = 'npm' | 'PyPI' | 'RubyGems' | 'Go';
|
|
9
22
|
export interface Vulnerability {
|
|
10
23
|
id: string;
|
|
11
24
|
source: 'osv' | 'github' | 'nvd' | 'npm';
|
|
12
25
|
severity: 'low' | 'medium' | 'high' | 'critical';
|
|
13
26
|
cvssScore?: number;
|
|
27
|
+
cvssVector?: string;
|
|
14
28
|
title: string;
|
|
15
29
|
description: string;
|
|
16
30
|
affectedVersions: string[];
|
|
@@ -19,6 +33,7 @@ export interface Vulnerability {
|
|
|
19
33
|
publishedAt: Date;
|
|
20
34
|
updatedAt: Date;
|
|
21
35
|
cwe?: string[];
|
|
36
|
+
aliases?: string[];
|
|
22
37
|
}
|
|
23
38
|
export interface VulnerabilityCheckResult {
|
|
24
39
|
package: string;
|
|
@@ -27,6 +42,13 @@ export interface VulnerabilityCheckResult {
|
|
|
27
42
|
isVulnerable: boolean;
|
|
28
43
|
highestSeverity: 'none' | 'low' | 'medium' | 'high' | 'critical';
|
|
29
44
|
recommendedVersion?: string;
|
|
45
|
+
isDirect: boolean;
|
|
46
|
+
remediationPath?: {
|
|
47
|
+
action: 'upgrade' | 'replace' | 'remove';
|
|
48
|
+
targetVersion?: string;
|
|
49
|
+
breakingChange: boolean;
|
|
50
|
+
description: string;
|
|
51
|
+
};
|
|
30
52
|
}
|
|
31
53
|
export interface VulnerabilityReport {
|
|
32
54
|
projectPath: string;
|
|
@@ -40,37 +62,77 @@ export interface VulnerabilityReport {
|
|
|
40
62
|
medium: number;
|
|
41
63
|
low: number;
|
|
42
64
|
};
|
|
65
|
+
ecosystem: Ecosystem;
|
|
66
|
+
directVulnerabilities: number;
|
|
67
|
+
transitiveVulnerabilities: number;
|
|
68
|
+
cacheHitRate?: number;
|
|
43
69
|
}
|
|
44
70
|
export declare class VulnerabilityDatabase {
|
|
45
71
|
private osvApiUrl;
|
|
46
|
-
private
|
|
72
|
+
private cacheDir;
|
|
73
|
+
private cachePath;
|
|
74
|
+
private memoryCache;
|
|
75
|
+
private cacheHits;
|
|
76
|
+
private cacheMisses;
|
|
77
|
+
private options;
|
|
78
|
+
constructor(cacheDirOrOptions?: string | VulnerabilityDbOptions);
|
|
79
|
+
/**
|
|
80
|
+
* Update options at runtime
|
|
81
|
+
*/
|
|
82
|
+
setOptions(options: Partial<VulnerabilityDbOptions>): void;
|
|
83
|
+
/**
|
|
84
|
+
* Load cache from disk
|
|
85
|
+
*/
|
|
86
|
+
private loadDiskCache;
|
|
87
|
+
/**
|
|
88
|
+
* Save cache to disk
|
|
89
|
+
*/
|
|
90
|
+
private saveDiskCache;
|
|
47
91
|
/**
|
|
48
92
|
* Check a single package for vulnerabilities
|
|
49
93
|
*/
|
|
50
|
-
checkPackage(name: string, version: string): Promise<VulnerabilityCheckResult>;
|
|
94
|
+
checkPackage(name: string, version: string, ecosystem?: Ecosystem, isDirect?: boolean): Promise<VulnerabilityCheckResult>;
|
|
51
95
|
/**
|
|
52
|
-
* Check multiple packages in bulk
|
|
96
|
+
* Check multiple packages in bulk with batching
|
|
53
97
|
*/
|
|
54
98
|
checkPackages(packages: {
|
|
55
99
|
name: string;
|
|
56
100
|
version: string;
|
|
101
|
+
ecosystem?: Ecosystem;
|
|
102
|
+
isDirect?: boolean;
|
|
57
103
|
}[]): Promise<VulnerabilityCheckResult[]>;
|
|
104
|
+
/**
|
|
105
|
+
* Query OSV with retry logic and exponential backoff
|
|
106
|
+
*/
|
|
107
|
+
private queryOSVWithRetry;
|
|
58
108
|
/**
|
|
59
109
|
* Query OSV (Open Source Vulnerabilities) API
|
|
60
110
|
*/
|
|
61
111
|
private queryOSV;
|
|
62
112
|
/**
|
|
63
|
-
*
|
|
113
|
+
* Enrich vulnerabilities with NVD data (CVSS scores)
|
|
64
114
|
*/
|
|
65
|
-
private
|
|
115
|
+
private enrichWithNVD;
|
|
66
116
|
/**
|
|
67
|
-
* Query
|
|
117
|
+
* Query NVD API for CVE details
|
|
68
118
|
*/
|
|
69
|
-
private
|
|
119
|
+
private queryNVD;
|
|
70
120
|
/**
|
|
71
|
-
*
|
|
121
|
+
* Map CVSS score to severity level
|
|
72
122
|
*/
|
|
73
|
-
private
|
|
123
|
+
private mapCVSSSeverity;
|
|
124
|
+
/**
|
|
125
|
+
* Delay helper for retry backoff
|
|
126
|
+
*/
|
|
127
|
+
private delay;
|
|
128
|
+
/**
|
|
129
|
+
* Parse OSV API response
|
|
130
|
+
*/
|
|
131
|
+
private parseOSVResponse;
|
|
132
|
+
/**
|
|
133
|
+
* Check if a version is affected by vulnerability ranges
|
|
134
|
+
*/
|
|
135
|
+
private isVersionAffected;
|
|
74
136
|
/**
|
|
75
137
|
* Map OSV severity to standard levels
|
|
76
138
|
*/
|
|
@@ -84,9 +146,9 @@ export declare class VulnerabilityDatabase {
|
|
|
84
146
|
*/
|
|
85
147
|
private extractPatchedVersions;
|
|
86
148
|
/**
|
|
87
|
-
*
|
|
149
|
+
* Calculate remediation path for a vulnerability
|
|
88
150
|
*/
|
|
89
|
-
private
|
|
151
|
+
private calculateRemediationPath;
|
|
90
152
|
/**
|
|
91
153
|
* Build result object
|
|
92
154
|
*/
|
|
@@ -97,17 +159,28 @@ export declare class VulnerabilityDatabase {
|
|
|
97
159
|
generateReport(projectPath: string, packages: {
|
|
98
160
|
name: string;
|
|
99
161
|
version: string;
|
|
100
|
-
|
|
162
|
+
ecosystem?: Ecosystem;
|
|
163
|
+
isDirect?: boolean;
|
|
164
|
+
}[], ecosystem?: Ecosystem): Promise<VulnerabilityReport>;
|
|
101
165
|
/**
|
|
102
166
|
* Clear vulnerability cache
|
|
103
167
|
*/
|
|
104
168
|
clearCache(): void;
|
|
169
|
+
/**
|
|
170
|
+
* Clear entire cache directory
|
|
171
|
+
*/
|
|
172
|
+
static clearCacheDirectory(cacheDir?: string): {
|
|
173
|
+
success: boolean;
|
|
174
|
+
path: string;
|
|
175
|
+
error?: string;
|
|
176
|
+
};
|
|
105
177
|
/**
|
|
106
178
|
* Get cache statistics
|
|
107
179
|
*/
|
|
108
180
|
getCacheStats(): {
|
|
109
181
|
size: number;
|
|
110
182
|
oldestEntry: Date | null;
|
|
183
|
+
hitRate: number;
|
|
111
184
|
};
|
|
112
185
|
}
|
|
113
186
|
export declare const vulnerabilityDatabase: VulnerabilityDatabase;
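Review bot: The new `static clearCacheDirectory(cacheDir?: string)` declaration (new lines 169-176) exposes a destructive operation on a caller-chosen path, yet its comment "Clear entire cache directory" states no contract for what `cacheDir` may be, what the default is, or how a path that is not a cache directory is treated; the guard, if any, lives in `vulnerability-db.js`, which is outside this hunk, so callers reading the typings cannot tell whether a typo in `cacheDir` is refused or removed. The `{ success, path, error? }` return shape also implies failures are reported rather than thrown, which the comment should say explicitly. I would replace the three-line comment with one that documents the parameter, its default, that removal is destructive and should be limited to a directory this module created (confirm against the implementation), and that errors surface in `error` rather than as exceptions. Similarly, `generateReport` now accepts both a per-package `ecosystem` and a trailing `ecosystem?` argument (new lines 162-164) without stating which wins; a one-line `@param` note such as `ecosystem default for packages that omit their own ecosystem` would remove the ambiguity. The enclosing `VulnerabilityDatabase` class starts before this hunk.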
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"vulnerability-db.d.ts","sourceRoot":"","sources":["../../src/supply-chain/vulnerability-db.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"vulnerability-db.d.ts","sourceRoot":"","sources":["../../src/supply-chain/vulnerability-db.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAMH,MAAM,WAAW,sBAAsB;IACrC,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,MAAM,GAAG,UAAU,GAAG,IAAI,CAAC;AAE3D,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,KAAK,GAAG,QAAQ,GAAG,KAAK,GAAG,KAAK,CAAC;IACzC,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IACjD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,WAAW,EAAE,IAAI,CAAC;IAClB,SAAS,EAAE,IAAI,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,eAAe,EAAE,aAAa,EAAE,CAAC;IACjC,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,EAAE,MAAM,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IACjE,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,QAAQ,EAAE,OAAO,CAAC;IAClB,eAAe,CAAC,EAAE;QAChB,MAAM,EAAE,SAAS,GAAG,SAAS,GAAG,QAAQ,CAAC;QACzC,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,cAAc,EAAE,OAAO,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;KACrB,CAAC;CACH;AAED,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,IAAI,CAAC;IACf,aAAa,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,OAAO,EAAE,wBAAwB,EAAE,CAAC;IACpC,OAAO,EAAE;QACP,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,CAAC;KACb,CAAC;IACF,SAAS,EAAE,SAAS,CAAC;IACrB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,yBAAyB,EAAE,MAAM,CAAC;IAClC,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAmBD,qBAAa,qBAAqB;IAChC,OAAO,CAAC,SAAS,CAA4B;IAC7C,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,SAAS,CAAS;IAC1B,OAAO,CAAC,WAAW,CAAsC;IACzD,OAAO,CAAC,SAAS,CAAK;IACtB,OAAO,CAAC,WAAW,CAAK;IACxB,OAAO,CAAC,OAAO,CAAyB;gBAE5B,iBAAiB,CAAC,EAAE,MAAM,GAAG,sBAAsB;IAa/D;;OAEG;IACH,UAAU,CA
AC,OAAO,EAAE,OAAO,CAAC,sBAAsB,CAAC,GAAG,IAAI;IAO1D;;OAEG;IACH,OAAO,CAAC,aAAa;IAiBrB;;OAEG;IACH,OAAO,CAAC,aAAa;IAerB;;OAEG;IACG,YAAY,CAChB,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,SAAS,GAAE,SAAiB,EAC5B,QAAQ,UAAO,GACd,OAAO,CAAC,wBAAwB,CAAC;IAoCpC;;OAEG;IACG,aAAa,CACjB,QAAQ,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,SAAS,CAAC;QAAC,QAAQ,CAAC,EAAE,OAAO,CAAA;KAAE,EAAE,GACvF,OAAO,CAAC,wBAAwB,EAAE,CAAC;IA+BtC;;OAEG;YACW,iBAAiB;IAuB/B;;OAEG;YACW,QAAQ;IAwCtB;;OAEG;YACW,aAAa;IA8B3B;;OAEG;YACW,QAAQ;IA4CtB;;OAEG;IACH,OAAO,CAAC,eAAe;IAQvB;;OAEG;IACH,OAAO,CAAC,KAAK;IAIb;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAgCxB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAgCzB;;OAEG;IACH,OAAO,CAAC,cAAc;IAetB;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA0B/B;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAsB9B;;OAEG;IACH,OAAO,CAAC,wBAAwB;IA0ChC;;OAEG;IACH,OAAO,CAAC,WAAW;IAqCnB;;OAEG;IACG,cAAc,CAClB,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,SAAS,CAAC;QAAC,QAAQ,CAAC,EAAE,OAAO,CAAA;KAAE,EAAE,EACxF,SAAS,GAAE,SAAiB,GAC3B,OAAO,CAAC,mBAAmB,CAAC;IA2C/B;;OAEG;IACH,UAAU,IAAI,IAAI;IAalB;;OAEG;IACH,MAAM,CAAC,mBAAmB,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAiBjG;;OAEG;IACH,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,IAAI,GAAG,IAAI,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE;CAiB7E;AAGD,eAAO,MAAM,qBAAqB,uBAA8B,CAAC"}
|