kramscan 0.3.0 → 0.4.0

package/dist/core/project-config.js

@@ -0,0 +1,104 @@
+"use strict";
+/**
+ * Project-level configuration (.kramscanrc)
+ *
+ * Discovers and loads a .kramscanrc file from the current working directory
+ * (or any parent directory) and merges it with the global config. Project
+ * settings override global settings, but sensitive fields (ai.apiKey) are
+ * never read from the project file.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PROJECT_CONFIG_FILENAME = void 0;
+exports.findProjectConfig = findProjectConfig;
+exports.deepMerge = deepMerge;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+exports.PROJECT_CONFIG_FILENAME = ".kramscanrc";
+/**
+ * Search for a .kramscanrc file starting from `startDir` and walking up
+ * to the filesystem root. Returns the parsed contents and file path,
+ * or null if no file is found.
+ */
+function findProjectConfig(startDir = process.cwd()) {
+    for (let dir = path.resolve(startDir);; dir = path.dirname(dir)) {
+        const candidate = path.join(dir, exports.PROJECT_CONFIG_FILENAME);
+        if (fs.existsSync(candidate)) {
+            try {
+                const raw = fs.readFileSync(candidate, "utf-8");
+                const parsed = JSON.parse(raw);
+                // Strip any ai.apiKey that might have been added by mistake
+                const sanitized = parsed;
+                if (sanitized.ai && typeof sanitized.ai === "object") {
+                    delete sanitized.ai.apiKey;
+                }
+                return { config: parsed, filepath: candidate };
+            }
+            catch {
+                // Malformed file — skip it silently
+                return null;
+            }
+        }
+        const parent = path.dirname(dir);
+        if (parent === dir)
+            break; // reached filesystem root
+    }
+    return null;
+}
+/**
+ * Deep merge `source` into `target`, returning a new object. Arrays are
+ * replaced, not concatenated. Undefined values in source are skipped.
+ */
+function deepMerge(target, source) {
+    const result = { ...target };
+    for (const key of Object.keys(source)) {
+        const srcVal = source[key];
+        const tgtVal = result[key];
+        if (srcVal === undefined)
+            continue;
+        if (srcVal !== null &&
+            typeof srcVal === "object" &&
+            !Array.isArray(srcVal) &&
+            tgtVal !== null &&
+            typeof tgtVal === "object" &&
+            !Array.isArray(tgtVal)) {
+            result[key] = deepMerge(tgtVal, srcVal);
+        }
+        else {
+            result[key] = srcVal;
+        }
+    }
+    return result;
+}

package/dist/core/server-probe.js

@@ -15,7 +15,6 @@ async function probeServer(url, options = {}) {
     const { timeout = 30000, interval = 1000, maxAttempts = 20 } = options;
     const startTime = Date.now();
     let attempts = 0;
-    let lastError = null;
     while (attempts < maxAttempts && Date.now() - startTime < timeout) {
         attempts++;
         try {
@@ -23,10 +22,9 @@ async function probeServer(url, options = {}) {
             if (result.reachable) {
                 return result;
             }
-            lastError = `HTTP ${result.statusCode}`;
         }
         catch (err) {
-            lastError = err.message;
+            // error logged silently
         }
         // Exponential backoff with cap
         const delay = Math.min(interval * Math.pow(1.5, attempts - 1), 5000);

package/dist/index.js

@@ -1,9 +1,23 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 const cli_1 = require("./cli");
 const errors_1 = require("./core/errors");
+const update_notifier_1 = __importDefault(require("update-notifier"));
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
 // Ensure uncaught exceptions and unhandled rejections produce useful output
 (0, errors_1.setupGlobalErrorHandlers)();
+try {
+    const pkgPath = path_1.default.join(__dirname, "../package.json");
+    const pkg = JSON.parse(fs_1.default.readFileSync(pkgPath, "utf-8"));
+    (0, update_notifier_1.default)({ pkg }).notify({ isGlobal: true });
+}
+catch (error) {
+    // Silently ignore if update notification fails
+}
 (0, cli_1.run)().catch((err) => {
     console.error("Fatal error:", err);
     process.exit(1);

package/dist/plugins/vulnerabilities/CORSAnalyzerPlugin.js

@@ -17,7 +17,6 @@ class CORSAnalyzerPlugin extends types_1.BaseVulnerabilityPlugin {
         const acao = headers["access-control-allow-origin"];
         const acac = headers["access-control-allow-credentials"];
         const acam = headers["access-control-allow-methods"];
-        const acah = headers["access-control-allow-headers"];
         // Check for wildcard origin
         if (acao === "*") {
             vulnerabilities.push(this.createVulnerability("CORS: Wildcard Origin Allowed", `The server at ${host} allows requests from any origin (Access-Control-Allow-Origin: *). ` +

package/dist/plugins/vulnerabilities/DebugEndpointPlugin.d.ts

@@ -10,6 +10,6 @@ export declare class DebugEndpointPlugin extends BaseVulnerabilityPlugin {
      * Each entry has a path, a human-readable name, and expected severity.
      */
     private readonly debugEndpoints;
-    analyzeContent(context: PluginContext, content: string): Promise<Vulnerability[]>;
+    analyzeContent(context: PluginContext, _content: string): Promise<Vulnerability[]>;
     reset(): void;
 }

package/dist/plugins/vulnerabilities/DebugEndpointPlugin.js

@@ -174,7 +174,7 @@ class DebugEndpointPlugin extends types_1.BaseVulnerabilityPlugin {
             remediation: "Protect /metrics endpoint behind authentication or restrict to internal networks.",
         },
     ];
-    async analyzeContent(context, content) {
+    async analyzeContent(context, _content) {
         const vulnerabilities = [];
         const baseUrl = new URL(context.url).origin;
         for (const endpoint of this.debugEndpoints) {

package/dist/plugins/vulnerabilities/DirectoryTraversalPlugin.d.ts

@@ -8,6 +8,6 @@ export declare class DirectoryTraversalPlugin extends BaseVulnerabilityPlugin {
      * Each payload targets a well-known file with distinctive content markers.
      */
     private readonly payloads;
-    testParameter(context: PluginContext, param: string, value: string): Promise<VulnerabilityTestResult>;
+    testParameter(context: PluginContext, param: string, _value: string): Promise<VulnerabilityTestResult>;
     private buildTestUrl;
 }

package/dist/plugins/vulnerabilities/DirectoryTraversalPlugin.js

@@ -66,7 +66,7 @@ class DirectoryTraversalPlugin extends types_1.BaseVulnerabilityPlugin {
             os: "linux",
         },
     ];
-    async testParameter(context, param, value) {
+    async testParameter(context, param, _value) {
         for (const { payload, markers, os } of this.payloads) {
             try {
                 const testUrl = this.buildTestUrl(context.url, param, payload);

package/dist/plugins/vulnerabilities/OpenRedirectPlugin.d.ts

@@ -6,5 +6,5 @@ export declare class OpenRedirectPlugin extends BaseVulnerabilityPlugin {
     readonly description = "Detects open redirect vulnerabilities in URL parameters";
     private readonly redirectParams;
     private readonly testDomains;
-    analyzeContent(context: PluginContext, content: string): Promise<Vulnerability[]>;
+    analyzeContent(context: PluginContext, _content: string): Promise<Vulnerability[]>;
 }

package/dist/plugins/vulnerabilities/OpenRedirectPlugin.js

@@ -19,7 +19,7 @@ class OpenRedirectPlugin extends types_1.BaseVulnerabilityPlugin {
         "/\\evil.com",
         "https:evil.com",
     ];
-    async analyzeContent(context, content) {
+    async analyzeContent(context, _content) {
         const vulnerabilities = [];
         const url = new URL(context.url);
         // Check if the current URL uses any redirect-like parameters

package/dist/reports/PdfGenerator.js

@@ -53,6 +53,7 @@ function escapeHtml(text) {
 }
 function sanitizeFilenamePart(value) {
     return value
+        // eslint-disable-next-line no-control-regex, no-useless-escape
         .replace(/[<>:"\/\\|?*\x00-\x1F]/g, "_")
         .replace(/\s+/g, "_")
         .replace(/_+/g, "_")

package/dist/utils/logger.js

@@ -55,10 +55,10 @@ function outputLog(entry) {
         console.log(JSON.stringify(entry));
     }
     else {
-        const { timestamp, level, message, ...rest } = entry;
+        const { message, context: ctx } = entry;
         let output = message;
-        if (process.env.LOG_INCLUDE_CONTEXT === "true" && Object.keys(rest).length > 0) {
-            output += ` ${JSON.stringify(rest)}`;
+        if (process.env.LOG_INCLUDE_CONTEXT === "true" && ctx && Object.keys(ctx).length > 0) {
+            output += ` ${JSON.stringify(ctx)}`;
         }
         console.log(output);
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kramscan",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "description": "KramScan CLI — AI-powered web app security testing",
   "author": "Akram Shaikh (https://akramshaikh.me)",
   "license": "MIT",
@@ -54,6 +54,7 @@
     "@anthropic-ai/sdk": "^0.31.0",
     "@google/generative-ai": "^0.24.1",
     "@mistralai/mistralai": "^1.14.0",
+    "@types/update-notifier": "^5.1.0",
     "axios": "^1.6.8",
     "chalk": "^5.6.2",
     "commander": "^12.1.0",
@@ -65,6 +66,7 @@
     "openai": "^4.104.0",
     "ora": "^8.2.0",
     "puppeteer": "^22.15.0",
+    "update-notifier": "^5.1.0",
     "uuid": "^9.0.1"
   },
   "devDependencies": {