guardvibe 3.0.1 → 3.0.3

package/build/tools/cross-file-taint.js

@@ -101,6 +101,41 @@ function parseImports(file, content) {
                 });
             }
         }
+        // CommonJS: const X = require('./mod') — default require
+        {
+            const re = /(?:const|let|var)\s+([\w$]+)\s*=\s*require\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
+            let m;
+            while ((m = re.exec(line)) !== null) {
+                imports.push({
+                    importer: file,
+                    source: normalizePath(file, m[2]),
+                    names: new Map(),
+                    defaultName: m[1].trim(),
+                    line: i + 1,
+                });
+            }
+        }
+        // CommonJS: const { a, b } = require('./mod') — destructured require
+        {
+            const re = /(?:const|let|var)\s+\{([^}]+)\}\s*=\s*require\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
+            let m;
+            while ((m = re.exec(line)) !== null) {
+                const names = new Map();
+                for (const spec of m[1].split(",")) {
+                    const parts = spec.trim().split(/\s*:\s*/);
+                    const exported = parts[0].trim();
+                    const local = (parts[1] ?? parts[0]).trim();
+                    if (exported)
+                        names.set(local, exported);
+                }
+                imports.push({
+                    importer: file,
+                    source: normalizePath(file, m[2]),
+                    names,
+                    line: i + 1,
+                });
+            }
+        }
     }
     return imports;
 }
@@ -151,6 +186,39 @@ function parseExports(file, content) {
                 names.set(m[1], m[1]);
             }
         }
+        // CommonJS: module.exports = { a, b }
+        {
+            const re = /module\.exports\s*=\s*\{([^}]+)\}/;
+            const m = re.exec(line);
+            if (m) {
+                for (const spec of m[1].split(",")) {
+                    const parts = spec.trim().split(/\s*:\s*/);
+                    const name = parts[0].trim();
+                    const local = (parts[1] ?? parts[0]).trim();
+                    if (name)
+                        names.set(name, local);
+                }
+            }
+        }
+        // CommonJS: module.exports = funcName (default export)
+        {
+            const re = /module\.exports\s*=\s*([\w$]+)\s*;?\s*$/;
+            const m = re.exec(line);
+            if (m && !line.includes("{")) {
+                hasDefault = true;
+                defaultLocal = m[1];
+            }
+        }
+        // CommonJS: exports.name = funcName
+        {
+            const re = /exports\.([\w$]+)\s*=\s*([\w$]+)/g;
+            let m;
+            while ((m = re.exec(line)) !== null) {
+                if (!line.startsWith("module.")) {
+                    names.set(m[1], m[2]);
+                }
+            }
+        }
     }
     return { file, names, hasDefault, defaultLocal };
 }
@@ -242,6 +310,45 @@ function checkParamFlowsToSink(paramName, body, startLine) {
     }
     return null;
 }
+// Check if a function parameter flows to a return statement (for return value taint tracking).
+// Returns true only if the param (or a derived variable) IS the return value,
+// not merely referenced inside a function call's arguments.
+function checkParamFlowsToReturn(paramName, body) {
+    const lines = body.split("\n");
+    const taintedNames = new Set([paramName]);
+    const assignPattern = /(?:const|let|var)\s+([\w$]+)\s*=\s*(.*)/;
+    for (const line of lines) {
+        const m = assignPattern.exec(line);
+        if (m) {
+            for (const t of taintedNames) {
+                if (m[2].includes(t)) {
+                    taintedNames.add(m[1]);
+                    break;
+                }
+            }
+        }
+    }
+    for (const line of lines) {
+        const returnMatch = /\breturn\s+(.+?)[\s;]*$/.exec(line);
+        if (!returnMatch)
+            continue;
+        const returnExpr = returnMatch[1].trim();
+        // Direct return of tainted variable (e.g., "return trimmed;")
+        for (const t of taintedNames) {
+            if (returnExpr === t)
+                return true;
+        }
+        // Return of expression that uses tainted var directly (e.g., "return x + y;")
+        // but NOT as argument inside a function call (e.g., "return fn(x)" — x is consumed, not returned)
+        // Only match if tainted name appears outside parenthesized call args
+        const withoutCalls = returnExpr.replace(/\w+\s*\([^)]*\)/g, "");
+        for (const t of taintedNames) {
+            if (withoutCalls.includes(t))
+                return true;
+        }
+    }
+    return false;
+}
 function findTaintedExports(files) {
     const taintedExports = [];
     for (const file of files) {
@@ -263,8 +370,25 @@ function findTaintedExports(files) {
                     taintedParams.set(pIdx, paramAsTainted);
                 }
             }
-            if (taintedParams.size > 0) {
-                taintedExports.push({ file: file.path, exportName: exportedName === "default" ? fn.name : exportedName, taintedParams });
+            // Check if any param flows to a return statement
+            const taintedReturnParams = [];
+            for (let pIdx = 0; pIdx < fn.params.length; pIdx++) {
+                const param = fn.params[pIdx];
+                if (!param)
+                    continue;
+                if (checkParamFlowsToReturn(param, fn.body)) {
+                    taintedReturnParams.push(pIdx);
+                }
+            }
+            const returnsTainted = taintedReturnParams.length > 0;
+            if (taintedParams.size > 0 || (returnsTainted && taintedReturnParams.length > 0)) {
+                taintedExports.push({
+                    file: file.path,
+                    exportName: exportedName === "default" ? fn.name : exportedName,
+                    taintedParams,
+                    returnsTainted: returnsTainted && taintedReturnParams.length > 0,
+                    taintedReturnParams,
+                });
             }
         }
     }
@@ -310,7 +434,7 @@ function findTaintedCallSites(files, allImports, taintedExports) {
         let changed = true;
         let iterations = 0;
         const taintedSet = new Set(taintedVars.map(v => v.name));
-        while (changed && iterations < 10) {
+        while (changed && iterations < 25) {
             changed = false;
             iterations++;
             for (let i = 0; i < lines.length; i++) {
@@ -353,6 +477,25 @@ function findTaintedCallSites(files, allImports, taintedExports) {
                     if (!callPattern.test(lines[i]))
                         continue;
                     const args = extractCallArgs(lines[i], localName);
+                    // Return value tracking: if function returnsTainted and a tainted arg is passed,
+                    // mark the receiving variable as tainted
+                    if (te.returnsTainted) {
+                        const assignMatch = /(?:const|let|var)\s+([\w$]+)\s*=/.exec(lines[i]);
+                        if (assignMatch) {
+                            const receivingVar = assignMatch[1];
+                            const hasTaintedArg = te.taintedReturnParams.some(pIdx => {
+                                const arg = args[pIdx];
+                                if (!arg)
+                                    return false;
+                                return taintedVars.some(v => arg.includes(v.name)) ||
+                                    TAINT_SOURCES.some(src => { src.pattern.lastIndex = 0; return src.pattern.test(arg); });
+                            });
+                            if (hasTaintedArg && !taintedSet.has(receivingVar)) {
+                                taintedSet.add(receivingVar);
+                                taintedVars.push({ name: receivingVar, line: i + 1, sourceType: "return-propagated" });
+                            }
+                        }
+                    }
                     for (const [paramIdx, sinkInfo] of te.taintedParams) {
                         const argAtIdx = args[paramIdx];
                         if (!argAtIdx)

package/build/tools/deep-scan.d.ts

@@ -0,0 +1,33 @@
+/**
+ * LLM-powered deep scan — sends suspicious code to an LLM API for
+ * semantic analysis of IDOR, business logic, race conditions, and
+ * other issues that pattern-matching alone cannot detect.
+ *
+ * Uses native fetch — no extra dependencies.
+ */
+export interface DeepScanFinding {
+    type: string;
+    severity: "critical" | "high" | "medium" | "low";
+    description: string;
+    location: string;
+    fix: string;
+}
+/**
+ * Build a structured prompt for the LLM to analyze code.
+ */
+export declare function buildDeepScanPrompt(code: string, language: string, existingFindings: string[]): string;
+/**
+ * Parse LLM response into structured findings.
+ * Handles raw JSON, JSON in markdown code blocks, and malformed responses.
+ */
+export declare function parseDeepScanResult(response: string): DeepScanFinding[];
+/**
+ * Format deep scan findings as markdown or JSON.
+ */
+export declare function formatDeepScanFindings(findings: DeepScanFinding[], format: "markdown" | "json"): string;
+/**
+ * Call an LLM API for deep analysis. Uses native fetch.
+ * Supports Anthropic (ANTHROPIC_API_KEY) or OpenAI (OPENAI_API_KEY).
+ * Returns null if no API key is available.
+ */
+export declare function callLLM(prompt: string): Promise<string | null>;

package/build/tools/deep-scan.js

@@ -0,0 +1,169 @@
+/**
+ * LLM-powered deep scan — sends suspicious code to an LLM API for
+ * semantic analysis of IDOR, business logic, race conditions, and
+ * other issues that pattern-matching alone cannot detect.
+ *
+ * Uses native fetch — no extra dependencies.
+ */
+const FOCUS_AREAS = [
+    "IDOR (Insecure Direct Object Reference) — can users access resources belonging to other users?",
+    "Business logic flaws — are there authorization bypasses, price manipulation, or state machine violations?",
+    "Race conditions — are there TOCTOU issues, double-spend, or concurrent mutation without locking?",
+    "Stale auth/session — are tokens validated on every request? Can expired sessions still perform actions?",
+    "Mass assignment — can users set fields they shouldn't (role, isAdmin, price)?",
+    "Privilege escalation — can a regular user perform admin actions through parameter manipulation?",
+];
+/**
+ * Build a structured prompt for the LLM to analyze code.
+ */
+export function buildDeepScanPrompt(code, language, existingFindings) {
+    const lines = [
+        "You are a senior application security engineer performing a deep code review.",
+        "Analyze the following code for security vulnerabilities that automated pattern-matching scanners miss.",
+        "",
+        "## Focus Areas",
+        "",
+    ];
+    for (const area of FOCUS_AREAS) {
+        lines.push(`- ${area}`);
+    }
+    lines.push("");
+    lines.push("## Code");
+    lines.push("");
+    lines.push(`Language: ${language}`);
+    lines.push("```");
+    lines.push(code);
+    lines.push("```");
+    if (existingFindings.length > 0) {
+        lines.push("");
+        lines.push("## Already Detected (by pattern scanner)");
+        lines.push("Do NOT repeat these — only report NEW findings:");
+        lines.push("");
+        for (const f of existingFindings) {
+            lines.push(`- ${f}`);
+        }
+    }
+    lines.push("");
+    lines.push("## Response Format");
+    lines.push("Return ONLY a JSON object with this structure:");
+    lines.push("```json");
+    lines.push(JSON.stringify({
+        findings: [{
+                type: "IDOR | race-condition | business-logic | stale-auth | mass-assignment | privilege-escalation",
+                severity: "critical | high | medium | low",
+                description: "Clear description of the vulnerability",
+                location: "line number or code reference",
+                fix: "Specific remediation guidance",
+            }],
+    }, null, 2));
+    lines.push("```");
+    lines.push("If no vulnerabilities found, return: { \"findings\": [] }");
+    return lines.join("\n");
+}
+/**
+ * Parse LLM response into structured findings.
+ * Handles raw JSON, JSON in markdown code blocks, and malformed responses.
+ */
+export function parseDeepScanResult(response) {
+    if (!response || response.trim().length === 0)
+        return [];
+    let jsonStr = response.trim();
+    // Extract JSON from markdown code block
+    const codeBlockMatch = /```(?:json)?\s*\n?([\s\S]*?)\n?```/.exec(jsonStr);
+    if (codeBlockMatch) {
+        jsonStr = codeBlockMatch[1].trim();
+    }
+    try {
+        const parsed = JSON.parse(jsonStr);
+        if (!parsed.findings || !Array.isArray(parsed.findings))
+            return [];
+        return parsed.findings.filter((f) => f.type && f.severity && f.description && f.location && f.fix);
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Format deep scan findings as markdown or JSON.
+ */
+export function formatDeepScanFindings(findings, format) {
+    if (format === "json") {
+        return JSON.stringify({
+            summary: {
+                total: findings.length,
+                critical: findings.filter(f => f.severity === "critical").length,
+                high: findings.filter(f => f.severity === "high").length,
+                medium: findings.filter(f => f.severity === "medium").length,
+                low: findings.filter(f => f.severity === "low").length,
+            },
+            findings,
+        });
+    }
+    if (findings.length === 0) {
+        return "## Deep Scan Results\n\nNo additional vulnerabilities found beyond pattern-matching results.";
+    }
+    const lines = [
+        `## Deep Scan Results`,
+        ``,
+        `Found ${findings.length} finding(s) via LLM analysis:`,
+        ``,
+    ];
+    const severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+    findings.sort((a, b) => (severityOrder[a.severity] ?? 4) - (severityOrder[b.severity] ?? 4));
+    for (const f of findings) {
+        lines.push(`### [${f.severity.toUpperCase()}] ${f.type}`);
+        lines.push(`**Location:** ${f.location}`);
+        lines.push(`${f.description}`);
+        lines.push(`**Fix:** ${f.fix}`);
+        lines.push(``);
+    }
+    return lines.join("\n");
+}
+/**
+ * Call an LLM API for deep analysis. Uses native fetch.
+ * Supports Anthropic (ANTHROPIC_API_KEY) or OpenAI (OPENAI_API_KEY).
+ * Returns null if no API key is available.
+ */
+export async function callLLM(prompt) {
+    // guardvibe-ignore — API URLs are hardcoded trusted endpoints, not user-controlled
+    const anthropicKey = process.env.ANTHROPIC_API_KEY;
+    const openaiKey = process.env.OPENAI_API_KEY;
+    if (anthropicKey) {
+        const res = await fetch("https://api.anthropic.com/v1/messages", {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                "x-api-key": anthropicKey,
+                "anthropic-version": "2023-06-01",
+            },
+            body: JSON.stringify({
+                model: "claude-sonnet-4-6",
+                max_tokens: 2048,
+                messages: [{ role: "user", content: prompt }],
+            }),
+        });
+        if (!res.ok)
+            return null;
+        const data = await res.json();
+        return data.content?.[0]?.text ?? null;
+    }
+    if (openaiKey) {
+        const res = await fetch("https://api.openai.com/v1/chat/completions", {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                "Authorization": `Bearer ${openaiKey}`,
+            },
+            body: JSON.stringify({
+                model: "gpt-4o",
+                max_tokens: 2048,
+                messages: [{ role: "user", content: prompt }],
+            }),
+        });
+        if (!res.ok)
+            return null;
+        const data = await res.json();
+        return data.choices?.[0]?.message?.content ?? null;
+    }
+    return null;
+}

package/build/tools/full-audit.d.ts

@@ -0,0 +1,81 @@
+/**
+ * Full Audit — single source of truth for AI assistants.
+ * Orchestrates all security tools in one call, produces:
+ * - PASS/FAIL/WARN verdict
+ * - Unified report across code, secrets, deps, config, taint, auth
+ * - Deterministic result hash (same code = same hash)
+ * - Coverage metrics (files scanned, rules applied, %)
+ */
+export type AuditVerdict = "PASS" | "WARN" | "FAIL";
+export interface AuditCoverage {
+    filesScanned: number;
+    filesSkipped: number;
+    totalFiles: number;
+    coveragePercent: number;
+    rulesApplied: number;
+}
+export interface FindingRef {
+    ruleId: string;
+    severity: string;
+    file: string;
+    line: number;
+    [key: string]: unknown;
+}
+export interface AuditSection {
+    name: string;
+    status: "ok" | "error" | "skipped";
+    findings: number;
+    critical: number;
+    high: number;
+    medium: number;
+    details: string;
+}
+export interface AuditResult {
+    verdict: AuditVerdict;
+    score: number;
+    grade: string;
+    coverage: AuditCoverage;
+    resultHash: string;
+    timestamp: string;
+    sections: AuditSection[];
+    truncation: {
+        truncated: boolean;
+        maxFindings: number;
+        totalFindings: number;
+        taintFileCap: number;
+        taintFilesProcessed: number;
+    };
+    summary: {
+        totalFindings: number;
+        critical: number;
+        high: number;
+        medium: number;
+    };
+    actionItems: string[];
+}
+/**
+ * Compute verdict: PASS (0 critical + 0 high), WARN (high > 0), FAIL (critical > 0)
+ */
+export declare function computeVerdict(critical: number, high: number, _medium: number): AuditVerdict;
+/**
+ * Compute coverage metrics from scan results.
+ */
+export declare function computeCoverage(filesScanned: number, filesSkipped: number, rulesApplied: number): AuditCoverage;
+/**
+ * Compute deterministic SHA256 hash of findings.
+ * Same findings (in any order) = same hash.
+ */
+export declare function computeResultHash(findings: FindingRef[]): string;
+/**
+ * Run a full security audit — single source of truth.
+ * Orchestrates code scan, secret scan, dependency scan, config audit,
+ * taint analysis, and auth coverage in one call.
+ */
+export declare function runFullAudit(path: string, options?: {
+    skipDeps?: boolean;
+    skipSecrets?: boolean;
+}): Promise<AuditResult>;
+/**
+ * Format audit result as markdown or JSON.
+ */
+export declare function formatAuditResult(result: AuditResult, format: "markdown" | "json"): string;