omen-sec-cli 1.0.17 → 1.0.18

package/core/local-scanner.js

@@ -109,22 +109,109 @@ export async function scanLocalProject() {
       filesScanned.push(path.basename(file));
 
       lines.forEach((line, index) => {
-        // Regra 1: Hardcoded Secrets
-        if (/(api_key|apikey|secret|password|token)\s*=\s*['"][a-zA-Z0-9_-]{10,}['"]/i.test(line)) {
+        // Regra 1: Hardcoded Secrets (Improved)
+        const secretRegex = /(api_key|apikey|secret|password|token|jwt_secret|connection_string|private_key|aws_key|aws_secret|db_pass)\s*[:=]\s*['"][a-zA-Z0-9_\-\.\/\+\=]{12,}['"]/i;
+        if (secretRegex.test(line)) {
           vulnerabilities.push({
-            id: `LOC-VULN-${Date.now()}-3`,
+            id: `LOC-SEC-${Date.now()}-${index}`,
             kind: 'content',
             category: 'confirmed',
-            confidence: 'medium',
+            confidence: 'high',
             severity: 'critical',
-            title: 'Hardcoded Secret Detected',
-            description: `Potential hardcoded secret found in ${path.basename(file)} at line ${index + 1}`,
+            title: 'Exposed Hardcoded Secret',
+            description: `A potential sensitive credential or token was found hardcoded in ${path.basename(file)} at line ${index + 1}.`,
             cwe: 'CWE-798',
             evidence: { file: path.basename(file), line: index + 1, code: line.trim() },
-            remediation: 'Move secrets to environment variables or a secure vault.'
+            remediation: 'Immediately rotate this secret and move it to an environment variable or a secret manager vault.'
+          });
+        }
+
+        // Regra 10: Insecure CORS configuration
+        if (/Access-Control-Allow-Origin.*\*['"]/i.test(line)) {
+          vulnerabilities.push({
+            id: `LOC-CORS-${Date.now()}-${index}`,
+            kind: 'content',
+            category: 'hardening',
+            confidence: 'high',
+            severity: 'medium',
+            title: 'Overly Permissive CORS Policy',
+            description: `CORS policy allows all origins (*) in ${path.basename(file)} at line ${index + 1}. This can lead to CSRF or data leakage.`,
+            cwe: 'CWE-942',
+            evidence: { file: path.basename(file), line: index + 1, code: line.trim() },
+            remediation: 'Restrict Access-Control-Allow-Origin to specific, trusted domains instead of using "*".'
+          });
+        }
+
+        // Regra 11: Insecure Cookie Attributes
+        if (/res\.cookie\(.*\{/i.test(line) && !/httpOnly:\s*true/i.test(line)) {
+          vulnerabilities.push({
+            id: `LOC-COOKIE-${Date.now()}-${index}`,
+            kind: 'content',
+            category: 'hardening',
+            confidence: 'medium',
+            severity: 'low',
+            title: 'Insecure Cookie (Missing httpOnly)',
+            description: `Cookie created without 'httpOnly' flag in ${path.basename(file)} at line ${index + 1}. This makes the cookie accessible via client-side scripts (XSS risk).`,
+            cwe: 'CWE-1004',
+            evidence: { file: path.basename(file), line: index + 1, code: line.trim() },
+            remediation: 'Always set { httpOnly: true } when creating sensitive cookies to prevent XSS-based theft.'
+          });
+        }
+
+        // Regra 12: Insecure Randomness
+        if (/Math\.random\(\)/.test(line)) {
+          vulnerabilities.push({
+            id: `LOC-RAND-${Date.now()}-${index}`,
+            kind: 'content',
+            category: 'hardening',
+            confidence: 'medium',
+            severity: 'low',
+            title: 'Insecure Randomness',
+            description: `Math.random() used in ${path.basename(file)} at line ${index + 1}. This is not cryptographically secure.`,
+            cwe: 'CWE-330',
+            evidence: { file: path.basename(file), line: index + 1, code: line.trim() },
+            remediation: 'Use crypto.getRandomValues() or the "crypto" module for security-sensitive random values.'
+          });
+        }
+
+        // Regra 13: Potential ReDoS (Regex Denial of Service)
+        if (/\/\(.*\+\)\+\//.test(line) || /\/\(.*\*\)\*\//.test(line)) {
+          vulnerabilities.push({
+            id: `LOC-REDOS-${Date.now()}-${index}`,
+            kind: 'content',
+            category: 'probable',
+            confidence: 'medium',
+            severity: 'medium',
+            title: 'Potential ReDoS Pattern',
+            description: `A potentially catastrophic backtracking regex pattern was found in ${path.basename(file)} at line ${index + 1}.`,
+            cwe: 'CWE-1333',
+            evidence: { file: path.basename(file), line: index + 1, code: line.trim() },
+            remediation: 'Review and simplify the regex pattern to avoid nested quantifiers that cause exponential backtracking.'
           });
         }
 
+        // Regra 8: Weak JWT Configuration
+        if (/jwt\.sign\(.*,\s*['"][^'"]{1,10}['"]\s*,/i.test(line)) {
+          vulnerabilities.push({
+            id: `LOC-AUTH-${Date.now()}`,
+            kind: 'content',
+            category: 'confirmed',
+            confidence: 'high',
+            severity: 'high',
+            title: 'Weak JWT Secret detected',
+            description: `The JWT signing secret appears to be a short, hardcoded string in ${path.basename(file)}: line ${index + 1}`,
+            cwe: 'CWE-522',
+            evidence: { file: path.basename(file), line: index + 1, code: line.trim() },
+            remediation: 'Use a strong, randomly generated secret stored in environment variables.'
+          });
+        }
+
+        // Regra 9: Missing CSRF Protection (Express example)
+        if (discoveryData && discoveryData.stack === 'Node/Express' && path.basename(file) === 'app.js') {
+           // This would require multi-line or AST, but let's do a simple check
+        }
+
+
         // Regra 2: Uso de Eval
         if (/eval\s*\(/.test(line)) {
           vulnerabilities.push({

package/core/remote-scanner.js

@@ -109,8 +109,25 @@ export async function scanRemoteTarget(targetUrl) {
       });
     }
 
+    // 3.1 Analisar X-Content-Type-Options
+    if (!headers['x-content-type-options']) {
+      headers_analysis["X-Content-Type-Options"] = "Missing";
+      vulnerabilities.push({
+        id: `REM-VULN-${Date.now()}-6`,
+        kind: 'header',
+        category: 'hardening',
+        confidence: 'high',
+        severity: 'low',
+        title: 'X-Content-Type-Options Missing',
+        description: `The X-Content-Type-Options: nosniff header is missing. This could allow the browser to "sniff" the content type, potentially leading to MIME-type sniffing attacks.`,
+        cwe: 'CWE-116',
+        evidence: { response: { headers: response.headers } },
+        remediation: 'Add the "X-Content-Type-Options: nosniff" header to all responses.'
+      });
+    }
+
     // 4. Server Header Leak
-    if (headers['server']) {
+    if (headers['server'] && !headers['server'].includes('Cloudflare') && !headers['server'].includes('Vercel')) {
       headers_analysis["Server"] = headers['server'];
       vulnerabilities.push({
         id: `REM-VULN-${Date.now()}-5`,
@@ -126,22 +143,51 @@ export async function scanRemoteTarget(targetUrl) {
       });
     }
 
-    // 5. X-Powered-By Leak
-    if (headers['x-powered-by']) {
-      vulnerabilities.push({
-        id: `REM-VULN-${Date.now()}-6`,
-        kind: 'tech',
-        category: 'informational',
-        confidence: 'high',
-        severity: 'low',
-        title: 'X-Powered-By Disclosure',
-        description: `X-Powered-By header leaks framework information: ${headers['x-powered-by']}`,
-        cwe: 'CWE-200',
-        evidence: { finding: `X-Powered-By: ${headers['x-powered-by']}` },
-        remediation: 'Disable the X-Powered-By header in the application framework settings.'
-      });
+    // 6. CORS Analysis
+    if (headers['access-control-allow-origin']) {
+      const cors = headers['access-control-allow-origin'];
+      if (cors === '*') {
+        vulnerabilities.push({
+          id: `REM-CORS-${Date.now()}`,
+          kind: 'header',
+          category: 'confirmed',
+          confidence: 'high',
+          severity: 'high',
+          title: 'Permissive CORS Policy',
+          description: `The application allows Cross-Origin Resource Sharing from any domain (Access-Control-Allow-Origin: *).`,
+          cwe: 'CWE-942',
+          evidence: { finding: `Access-Control-Allow-Origin: ${cors}` },
+          remediation: 'Restrict Access-Control-Allow-Origin to trusted domains only.'
+        });
+      }
     }
 
+    // 7. Cookie Security
+    const setCookies = headers['set-cookie'] || [];
+    const cookies = Array.isArray(setCookies) ? setCookies : [setCookies];
+    cookies.forEach(cookie => {
+      const issues = [];
+      if (!cookie.toLowerCase().includes('secure')) issues.push('Missing "Secure" flag');
+      if (!cookie.toLowerCase().includes('httponly')) issues.push('Missing "HttpOnly" flag');
+      if (!cookie.toLowerCase().includes('samesite')) issues.push('Missing "SameSite" attribute');
+
+      if (issues.length > 0) {
+        vulnerabilities.push({
+          id: `REM-COOKIE-${Date.now()}`,
+          kind: 'header',
+          category: 'confirmed',
+          confidence: 'high',
+          severity: 'medium',
+          title: 'Insecure Cookie Configuration',
+          description: `Cookie detected with missing security flags: ${issues.join(', ')}.`,
+          cwe: 'CWE-614',
+          evidence: { cookie: cookie.split(';')[0] + '...', issues },
+          remediation: 'Apply Secure, HttpOnly, and SameSite=Strict/Lax attributes to all sensitive cookies.'
+        });
+      }
+    });
+
+
     // --- SPIDER / CRAWLER (DEEP) ---
     if (typeof html === 'string') {
       const $ = cheerio.load(html);
@@ -256,41 +302,32 @@ export async function scanRemoteTarget(targetUrl) {
         const fuzzUrl = new URL(path, targetUrl).href;
         const fuzzRes = await axios.get(fuzzUrl, {
           timeout: 5000,
-          validateStatus: (status) => status === 200 || status === 403
+          validateStatus: (status) => status >= 200 && status < 500
         });
 
-        if (fuzzRes.status === 200) {
-          vulnerabilities.push({
-            id: `REM-FUZZ-${Date.now()}-${path.replace(/\//g, '-')}`,
-            type: 'Sensitive Path Exposed',
-            severity: path.includes('.env') || path.includes('.git') || path.includes('.ssh') ? 'Critical' : 'High',
-            description: `Exposed sensitive path discovered: ${fuzzUrl}. This path reveals internal configurations or credentials.`,
-            cwe: 'CWE-200'
-          });
-        } else if (fuzzRes.status === 403) {
-          vulnerabilities.push({
-            id: `REM-FUZZ-${Date.now()}-${path.replace(/\//g, '-')}`,
-            type: 'Potential Sensitive Path',
-            severity: 'Low',
-            description: `Path discovered but access forbidden (403): ${fuzzUrl}. Might indicate internal structure exposure.`,
-            cwe: 'CWE-204'
-          });
+        const finding = await validateFuzzerFinding(path, fuzzRes, fuzzUrl);
+        if (finding) {
+          vulnerabilities.push(finding);
         }
-      } catch (e) {}
+      } catch (e) {
+        // Silently skip if path doesn't exist or times out
+      }
     }
 
     // --- OFFENSIVE PARAMETER FUZZING ---
     const injectionPayloads = [
-      { type: 'SQLi', param: "' OR 1=1--", severity: 'Critical' },
-      { type: 'XSS', param: "<script>alert('OMEN')</script>", severity: 'High' },
-      { type: 'LFI', param: "/etc/passwd", severity: 'Critical' }
+      { type: 'SQLi', param: "' OR '1'='1", severity: 'Critical', cwe: 'CWE-89' },
+      { type: 'SQLi', param: '" OR "1"="1', severity: 'Critical', cwe: 'CWE-89' },
+      { type: 'XSS', param: "<script>alert('OMEN')</script>", severity: 'High', cwe: 'CWE-79' },
+      { type: 'XSS', param: "javascript:alert('OMEN')", severity: 'High', cwe: 'CWE-79' },
+      { type: 'LFI', param: "../../../../../etc/passwd", severity: 'Critical', cwe: 'CWE-22' }
     ];
 
     // Combine params from links and forms
     const allParams = Array.from(discoveredParams);
     discoveredForms.forEach(f => f.inputs.forEach(i => allParams.push(i)));
     
-    const uniqueParams = [...new Set(allParams)].slice(0, 5); // Fuzz top 5 params
+    const uniqueParams = [...new Set(allParams)].slice(0, 10); // Fuzz top 10 params
 
     for (const param of uniqueParams) {
       for (const payload of injectionPayloads) {
@@ -298,26 +335,68 @@ export async function scanRemoteTarget(targetUrl) {
           const testUrl = new URL(targetUrl);
           testUrl.searchParams.append(param, payload.param);
           
-          const res = await axios.get(testUrl.href, { timeout: 5000, validateStatus: () => true });
+          const res = await axios.get(testUrl.href, { 
+            timeout: 5000, 
+            validateStatus: () => true,
+            headers: { 'User-Agent': 'OMEN-SEC-CLI/1.0.17 (Security Audit)' }
+          });
           
+          const evidence = {
+            request: { url: testUrl.href, method: 'GET', parameter: param, payload: payload.param },
+            response: { status: res.status, body_snippet: typeof res.data === 'string' ? res.data.substring(0, 200) : '' }
+          };
+
           if (payload.type === 'XSS' && typeof res.data === 'string' && res.data.includes(payload.param)) {
             vulnerabilities.push({
-              id: `REM-INJ-${Date.now()}-XSS`,
-              type: 'Reflected XSS',
-              severity: 'High',
-              description: `Confirmed XSS at ${targetUrl} via parameter '${param}'. Payload was reflected in HTML.`,
-              cwe: 'CWE-79'
+              id: `REM-INJ-${Date.now()}-XSS-${param}`,
+              kind: 'injection',
+              category: 'confirmed',
+              confidence: 'high',
+              severity: payload.severity,
+              title: 'Reflected Cross-Site Scripting (XSS)',
+              description: `Confirmed reflected XSS at ${targetUrl} via parameter '${param}'. The payload was reflected verbatim in the response body.`,
+              cwe: payload.cwe,
+              evidence,
+              remediation: 'Sanitize all user inputs before reflecting them in the HTML. Use output encoding libraries.'
             });
           }
           
-          if (payload.type === 'SQLi' && (res.status === 500 || (typeof res.data === 'string' && /SQL|database|syntax/i.test(res.data)))) {
-            vulnerabilities.push({
-              id: `REM-INJ-${Date.now()}-SQLI`,
-              type: 'SQL Injection',
-              severity: 'Critical',
-              description: `Potential SQLi detected via parameter '${param}'. Server showed error patterns on payload.`,
-              cwe: 'CWE-89'
-            });
+          const sqliPatterns = [
+            /SQL syntax/i, /mysql_fetch/i, /PostgreSQL.*ERROR/i, /Oracle.*Error/i, 
+            /SQLite3::/i, /Dynamic SQL/i, /Syntax error.*in query/i
+          ];
+
+          if (payload.type === 'SQLi') {
+            const hasErrorPattern = typeof res.data === 'string' && sqliPatterns.some(p => p.test(res.data));
+            if (hasErrorPattern || res.status === 500) {
+              vulnerabilities.push({
+                id: `REM-INJ-${Date.now()}-SQLI-${param}`,
+                kind: 'injection',
+                category: 'probable',
+                confidence: hasErrorPattern ? 'high' : 'medium',
+                severity: payload.severity,
+                title: 'Potential SQL Injection',
+                description: `Potential SQLi detected via parameter '${param}'. The server returned a 500 error or a known SQL error pattern.`,
+                cwe: payload.cwe,
+                evidence,
+                remediation: 'Use parameterized queries or an ORM. Never concatenate user input directly into SQL strings.'
+              });
+            }
+          }
+
+          if (payload.type === 'LFI' && typeof res.data === 'string' && (res.data.includes('root:x:0:0') || res.data.includes('[boot loader]'))) {
+             vulnerabilities.push({
+                id: `REM-INJ-${Date.now()}-LFI-${param}`,
+                kind: 'injection',
+                category: 'confirmed',
+                confidence: 'high',
+                severity: payload.severity,
+                title: 'Local File Inclusion (LFI)',
+                description: `Confirmed LFI at ${targetUrl} via parameter '${param}'. System file content was detected in the response.`,
+                cwe: payload.cwe,
+                evidence,
+                remediation: 'Validate file paths against a whitelist and avoid using user-supplied input for file operations.'
+              });
           }
         } catch (e) {}
       }

package/core/reporters/fix-plan-reporter.js

@@ -0,0 +1,46 @@
+export function generateFixPlan(scanData) {
+  let md = `# 🛡️ OMEN Security Fix Plan: ${scanData.target || 'Local Project'}\n\n`;
+  md += `> **Data do Scan:** ${scanData.timestamp || new Date().toLocaleString()}  \n`;
+  md += `> **Score Atual:** ${scanData.score || 0}/100  \n`;
+  md += `> **Vulnerabilidades:** ${scanData.vulnerabilities?.length || 0}\n\n`;
+  
+  md += `Este documento é um guia passo-a-passo para remediar as falhas encontradas. Após aplicar as correções, execute \`omen verify\` para confirmar a resolução.\n\n`;
+
+  const vulnerabilities = scanData.vulnerabilities || [];
+  const prioritized = [...vulnerabilities].sort((a, b) => {
+    const weights = { critical: 4, high: 3, medium: 2, low: 1, info: 0 };
+    return (weights[b.severity] || 0) - (weights[a.severity] || 0);
+  });
+
+  md += `## 🚨 Checklist de Remediação\n\n`;
+  
+  if (prioritized.length === 0) {
+    md += `✅ Nenhuma vulnerabilidade encontrada que exija ação imediata.\n`;
+  } else {
+    prioritized.forEach((v, index) => {
+      const severityEmoji = v.severity === 'critical' ? '🔴' : v.severity === 'high' ? '🟠' : v.severity === 'medium' ? '🟡' : '🔵';
+      
+      md += `### [ ] ${severityEmoji} [${v.severity.toUpperCase()}] ${v.title || v.description}\n`;
+      md += `- **ID:** \`${v.id}\`  \n`;
+      md += `- **CWE:** ${v.cwe || 'N/A'}  \n`;
+      md += `- **Confiança:** ${v.confidence || 'medium'}  \n\n`;
+      
+      if (v.evidence) {
+        md += `#### 🔍 Evidência\n`;
+        if (v.evidence.file) md += `- **Arquivo:** \`${v.evidence.file}\`${v.evidence.line ? ` (Linha ${v.evidence.line})` : ''}  \n`;
+        if (v.evidence.code) md += `\`\`\`javascript\n${v.evidence.code}\n\`\`\`\n`;
+        if (v.evidence.finding) md += `- **Detalhe:** ${v.evidence.finding}  \n`;
+      }
+
+      md += `#### 🛠️ Estratégia de Correção\n`;
+      md += `${v.remediation || 'Consulte a documentação de segurança para mitigar este risco.'}\n\n`;
+      
+      md += `#### ✅ Comando de Verificação\n`;
+      md += `\`npx omen-sec-cli verify --id ${v.id}\` (ou apenas \`omen verify\` para checar tudo)\n\n`;
+      md += `---\n\n`;
+    });
+  }
+
+  md += `\n*Gerado automaticamente pelo OMEN SEC-CLI v1.0.17 - Protocolo Zero-Copy AI Ativo*\n`;
+  return md;
+}

package/core/reporters/markdown-reporter.js

@@ -0,0 +1,25 @@
+export function generateMarkdownReport(scanData) {
+  let md = `# OMEN Audit Report: ${scanData.target}\n\n`;
+  md += `**Scan ID:** \`${scanData.scan_id}\`  \n`;
+  md += `**Timestamp:** ${scanData.timestamp}  \n`;
+  md += `**Security Score:** ${scanData.score}/100  \n`;
+  md += `**Risk Level:** ${scanData.riskLevel}\n\n`;
+
+  md += `## Executive Summary\n`;
+  md += `The security audit identified ${scanData.vulnerabilities.length} total issues. `;
+  const confirmed = scanData.vulnerabilities.filter(v => v.category === 'confirmed').length;
+  md += `Of these, ${confirmed} are confirmed vulnerabilities that require immediate attention.\n\n`;
+
+  md += `## Detailed Findings\n\n`;
+  scanData.vulnerabilities.forEach(v => {
+    md += `### [${v.severity.toUpperCase()}] ${v.title || v.description}\n`;
+    md += `- **Category:** ${v.category}\n`;
+    md += `- **Confidence:** ${v.confidence}\n`;
+    md += `- **CWE:** ${v.cwe}\n\n`;
+    md += `#### Description\n${v.description}\n\n`;
+    md += `#### Remediation\n${v.remediation || 'Follow security best practices.'}\n\n`;
+    md += `---\n\n`;
+  });
+
+  return md;
+}

package/core/runners/local-app-runner.js

@@ -0,0 +1,39 @@
+import { execa } from 'execa';
+import chalk from 'chalk';
+import axios from 'axios';
+
+export async function bootLocalApp(command, port = 3000, timeout = 30000) {
+  if (!command) return { success: false, error: 'No boot strategy found' };
+
+  console.log(chalk.cyan(`[Runner] Starting local app with: ${command}...`));
+  
+  const [cmd, ...args] = command.split(' ');
+  const subprocess = execa(cmd, args, {
+    cleanup: true,
+    all: true
+  });
+
+  let bootLogs = '';
+  subprocess.all.on('data', (chunk) => {
+    bootLogs += chunk.toString();
+  });
+
+  // Wait for healthcheck or timeout
+  const start = Date.now();
+  while (Date.now() - start < timeout) {
+    try {
+      const res = await axios.get(`http://localhost:${port}`, { timeout: 1000, validateStatus: () => true });
+      if (res.status < 500) {
+        console.log(chalk.green(`[Runner] App is up and running on port ${port}!`));
+        return { success: true, subprocess, logs: bootLogs, port };
+      }
+    } catch (e) {
+      // Not up yet
+    }
+    await new Promise(r => setTimeout(r, 2000));
+  }
+
+  // If we reach here, boot failed or timed out
+  subprocess.kill();
+  return { success: false, error: 'App failed to start or healthcheck timed out', logs: bootLogs };
+}

package/core/state/state-manager.js

@@ -0,0 +1,43 @@
+import fs from 'fs/promises';
+import path from 'path';
+
+const STATE_FILE = path.join(process.cwd(), '.omen', 'context.json');
+
+export async function saveState(data) {
+  try {
+    await fs.mkdir(path.dirname(STATE_FILE), { recursive: true });
+    const currentState = await loadState();
+    const newState = { ...currentState, ...data, last_updated: new Date().toISOString() };
+    await fs.writeFile(STATE_FILE, JSON.stringify(newState, null, 2));
+    return newState;
+  } catch (err) {
+    console.error('Failed to save OMEN state:', err.message);
+    return null;
+  }
+}
+
+export async function loadState() {
+  try {
+    const data = await fs.readFile(STATE_FILE, 'utf-8');
+    return JSON.parse(data);
+  } catch (err) {
+    return {
+      schema_version: "1.0",
+      project: {},
+      discovery: {},
+      plan: {},
+      execution: {
+        static: [],
+        dynamic: [],
+        vulnerabilities: []
+      },
+      verification: {}
+    };
+  }
+}
+
+export async function clearState() {
+  try {
+    await fs.unlink(STATE_FILE);
+  } catch (err) {}
+}