opensecurity 0.1.0 → 0.2.1

package/dist/analysis/infraPatterns.js

@@ -0,0 +1,196 @@
+const RULES = [
+    {
+        id: "dockerfile-root-user",
+        title: "Container Runs as Root",
+        description: "Dockerfile runs as root user; consider using a non-root user.",
+        severity: "medium",
+        owasp: "A05:2021 Security Misconfiguration",
+        pattern: /\bUSER\s+root\b/i
+    },
+    {
+        id: "dockerfile-privileged",
+        title: "Privileged Container",
+        description: "Dockerfile enables privileged mode or sets all capabilities.",
+        severity: "high",
+        owasp: "A05:2021 Security Misconfiguration",
+        pattern: /\b(--privileged|CAP_SYS_ADMIN|cap_add\s*:\s*\[?\s*ALL\s*\]?)/i
+    },
+    {
+        id: "k8s-privileged",
+        title: "Privileged Kubernetes Pod",
+        description: "Kubernetes manifest enables privileged containers.",
+        severity: "high",
+        owasp: "A05:2021 Security Misconfiguration",
+        pattern: /\bprivileged\s*:\s*true\b/i
+    },
+    {
+        id: "k8s-host-path",
+        title: "HostPath Volume",
+        description: "Kubernetes HostPath volume may allow host access.",
+        severity: "medium",
+        owasp: "A05:2021 Security Misconfiguration",
+        pattern: /\bhostPath\s*:\b/i
+    },
+    {
+        id: "k8s-host-network",
+        title: "Host Network Enabled",
+        description: "Kubernetes manifest enables hostNetwork which reduces isolation.",
+        severity: "medium",
+        owasp: "A05:2021 Security Misconfiguration",
+        pattern: /\bhostNetwork\s*:\s*true\b/i
+    },
+    {
+        id: "k8s-host-ipc",
+        title: "Host IPC Enabled",
+        description: "Kubernetes manifest enables hostIPC which reduces isolation.",
+        severity: "medium",
+        owasp: "A05:2021 Security Misconfiguration",
+        pattern: /\bhostIPC\s*:\s*true\b/i
+    },
+    {
+        id: "k8s-host-pid",
+        title: "Host PID Namespace",
+        description: "Kubernetes manifest enables hostPID which reduces isolation.",
+        severity: "medium",
+        owasp: "A05:2021 Security Misconfiguration",
+        pattern: /\bhostPID\s*:\s*true\b/i
+    },
+    {
+        id: "k8s-allow-priv-esc",
+        title: "Privilege Escalation Enabled",
+        description: "Kubernetes manifest allows privilege escalation.",
+        severity: "high",
+        owasp: "A05:2021 Security Misconfiguration",
+        pattern: /\ballowPrivilegeEscalation\s*:\s*true\b/i
+    },
+    {
+        id: "k8s-no-readonly-fs",
+        title: "Writable Root Filesystem",
+        description: "Kubernetes manifest allows writable root filesystem.",
+        severity: "medium",
+        owasp: "A05:2021 Security Misconfiguration",
+        pattern: /\breadOnlyRootFilesystem\s*:\s*false\b/i
+    },
+    {
+        id: "k8s-run-as-root",
+        title: "Container Runs as Root",
+        description: "Kubernetes securityContext allows root user.",
+        severity: "medium",
+        owasp: "A05:2021 Security Misconfiguration",
+        pattern: /\brunAsNonRoot\s*:\s*false\b/i
+    },
+    {
+        id: "k8s-run-as-user-root",
+        title: "Container Runs as Root UID",
+        description: "Kubernetes manifest sets runAsUser to 0 (root).",
+        severity: "medium",
+        owasp: "A05:2021 Security Misconfiguration",
+        pattern: /\brunAsUser\s*:\s*0\b/i
+    },
+    {
+        id: "k8s-seccomp-unconfined",
+        title: "Seccomp Unconfined",
+        description: "Kubernetes manifest disables seccomp confinement.",
+        severity: "high",
+        owasp: "A05:2021 Security Misconfiguration",
+        pattern: /\bseccompProfile\b[\s\S]*?\btype\s*:\s*Unconfined\b/i
+    },
+    {
+        id: "terraform-public-sg",
+        title: "Public Security Group",
+        description: "Terraform security group allows ingress from all sources.",
+        severity: "high",
+        owasp: "A05:2021 Security Misconfiguration",
+        pattern: /\b(cidr_blocks|cidr_block)\s*=\s*\[?\s*\"0\.0\.0\.0\/0\"\s*\]?/i
+    },
+    {
+        id: "terraform-public-acl",
+        title: "Public Network ACL",
+        description: "Terraform network ACL allows ingress from all sources.",
+        severity: "high",
+        owasp: "A05:2021 Security Misconfiguration",
+        pattern: /\b(ingress|egress)\b[\s\S]*0\.0\.0\.0\/0/i
+    },
+    {
+        id: "terraform-open-sg-port",
+        title: "Open Security Group Port",
+        description: "Terraform security group allows public ingress on common ports.",
+        severity: "high",
+        owasp: "A05:2021 Security Misconfiguration",
+        pattern: /\b(from_port|to_port)\s*=\s*(22|3389|5432|3306|6379|9200|27017)\b[\s\S]*0\.0\.0\.0\/0/i
+    },
+    {
+        id: "terraform-public-s3-acl",
+        title: "Public S3 ACL",
+        description: "Terraform S3 ACL is public-read or public-read-write.",
+        severity: "high",
+        owasp: "A05:2021 Security Misconfiguration",
+        pattern: /\bacl\s*=\s*\"public-read(-write)?\"/i
+    },
+    {
+        id: "terraform-s3-public-block-disabled",
+        title: "S3 Public Access Block Disabled",
+        description: "Terraform disables S3 public access block.",
+        severity: "high",
+        owasp: "A05:2021 Security Misconfiguration",
+        pattern: /\b(block_public_acls|block_public_policy|ignore_public_acls|restrict_public_buckets)\s*=\s*false\b/i
+    },
+    {
+        id: "terraform-rds-public",
+        title: "Public RDS Instance",
+        description: "Terraform RDS instance is publicly accessible.",
+        severity: "high",
+        owasp: "A05:2021 Security Misconfiguration",
+        pattern: /\bpublicly_accessible\s*=\s*true\b/i
+    },
+    {
+        id: "yaml-insecure-tls",
+        title: "Insecure TLS",
+        description: "Config disables TLS verification.",
+        severity: "medium",
+        owasp: "A02:2021 Cryptographic Failures",
+        pattern: /\b(insecureSkipVerify|ssl_verify\s*:\s*false|verify_ssl\s*:\s*false)\b/i
+    }
+];
+export function runInfraPatterns(content, filePath) {
+    const findings = [];
+    const lineStarts = [0];
+    for (let i = 0; i < content.length; i += 1) {
+        if (content[i] === "\n")
+            lineStarts.push(i + 1);
+    }
+    const findLine = (index) => {
+        let low = 0;
+        let high = lineStarts.length - 1;
+        while (low <= high) {
+            const mid = Math.floor((low + high) / 2);
+            if (lineStarts[mid] <= index) {
+                if (mid === lineStarts.length - 1 || lineStarts[mid + 1] > index)
+                    return mid + 1;
+                low = mid + 1;
+            }
+            else {
+                high = mid - 1;
+            }
+        }
+        return 1;
+    };
+    for (const rule of RULES) {
+        const flags = rule.pattern.flags.includes("g") ? rule.pattern.flags : `${rule.pattern.flags}g`;
+        const regex = new RegExp(rule.pattern.source, flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const line = findLine(match.index);
+            findings.push({
+                id: rule.id,
+                severity: rule.severity,
+                owasp: rule.owasp,
+                title: rule.title,
+                description: rule.description,
+                file: filePath,
+                line
+            });
+        }
+    }
+    return findings;
+}

package/dist/analysis/universalPatterns.js

@@ -0,0 +1,56 @@
+const PATTERNS = [
+    {
+        id: "exec-os-system",
+        title: "Command Execution",
+        description: "Potential command execution via system call.",
+        severity: "critical",
+        owasp: "A03:2021 Injection",
+        pattern: /\b(os\.system|subprocess\.(call|run|Popen)|Runtime\.getRuntime\(\)\.exec|ProcessBuilder|exec\.Command|system\s*\(|popen\s*\(|Process\.Start|ShellExecute)\b/gi
+    },
+    {
+        id: "eval-exec",
+        title: "Dynamic Code Execution",
+        description: "Potential dynamic code execution detected.",
+        severity: "high",
+        owasp: "A03:2021 Injection",
+        pattern: /\b(eval|exec|Function|vm\.runInThisContext|loadstring)\s*\(/gi
+    },
+    {
+        id: "unsafe-deserialization",
+        title: "Unsafe Deserialization",
+        description: "Potential unsafe deserialization API usage.",
+        severity: "high",
+        owasp: "A08:2021 Software and Data Integrity Failures",
+        pattern: /\b(pickle\.loads?|yaml\.load|YAML\.load|ObjectInputStream|BinaryFormatter|XmlSerializer|Marshal\.load|PHP\s*unserialize|unserialize\s*\()\b/gi
+    },
+    {
+        id: "weak-crypto",
+        title: "Weak Crypto",
+        description: "Use of weak or deprecated crypto primitives.",
+        severity: "medium",
+        owasp: "A02:2021 Cryptographic Failures",
+        pattern: /\b(MD5|SHA1|RC4|DES|3DES|ECB)\b/gi
+    }
+];
+export function runUniversalPatterns(code, filePath) {
+    const findings = [];
+    const lines = code.split(/\r?\n/);
+    for (let i = 0; i < lines.length; i += 1) {
+        const line = lines[i];
+        for (const rule of PATTERNS) {
+            if (rule.pattern.test(line)) {
+                findings.push({
+                    id: rule.id,
+                    severity: rule.severity,
+                    owasp: rule.owasp,
+                    title: rule.title,
+                    description: rule.description,
+                    file: filePath,
+                    line: i + 1
+                });
+            }
+            rule.pattern.lastIndex = 0;
+        }
+    }
+    return findings;
+}

package/dist/cli.js

@@ -13,7 +13,7 @@ const program = new Command();
 program
     .name("opensecurity")
     .description("openSecurity CLI")
-    .version("0.1.0");
+    .version("0.2.0");
 program
     .command("login")
     .description("Store Codex Access Token in global config")
@@ -72,6 +72,14 @@ program
     .option("--ai-cache", "enable AI per-file cache")
     .option("--no-ai-cache", "disable AI per-file cache")
     .option("--ai-cache-path <path>", "path to AI cache file")
+    .option("--native-taint", "enable native multi-language taint engine")
+    .option("--no-native-taint", "disable native multi-language taint engine")
+    .option("--native-langs <list>", "comma-separated native taint languages", (value) => value.split(",").map((item) => item.trim()).filter(Boolean))
+    .option("--native-cache", "enable native taint cache")
+    .option("--no-native-cache", "disable native taint cache")
+    .option("--native-cache-path <path>", "path to native taint cache file")
+    .option("--adapters <list>", "comma-separated external adapters (bandit,gosec,brakeman,semgrep)", (value) => value.split(",").map((item) => item.trim()).filter(Boolean))
+    .option("--disable-adapters", "disable external static adapters")
     .option("--concurrency <n>", "parallel scan workers", (v) => Number(v))
     .option("--dependency-only", "only run dependency/CVE scanning")
     .option("--no-ai", "skip AI model scanning")
@@ -161,6 +169,12 @@ async function executeScan(opts) {
             aiBatchDepth: opts.aiBatchDepth,
             aiCache: opts.aiCache,
             aiCachePath: opts.aiCachePath,
+            nativeTaint: opts.nativeTaint,
+            nativeTaintLanguages: opts.nativeLangs,
+            nativeTaintCache: opts.nativeCache,
+            nativeTaintCachePath: opts.nativeCachePath,
+            adapters: opts.adapters,
+            noAdapters: opts.disableAdapters,
             diffOnly: opts.diffOnly,
             diffBase: opts.diffBase,
             concurrency: opts.concurrency

package/dist/config.js

@@ -10,7 +10,8 @@ export const DEFAULT_EXCLUDE = [
     "**/coverage/**",
     "**/.opensecurity.json",
     "**/.opensecurity-cache.json",
-    "**/.opensecurity/ai-cache.json"
+    "**/.opensecurity/ai-cache.json",
+    "**/.opensecurity/native-taint-cache.json"
 ];
 const DEFAULT_GLOBALS = {
     baseUrl: "https://api.openai.com/v1/responses",

package/dist/native/languages.js

@@ -0,0 +1,211 @@
+const LANGUAGES = [
+    {
+        id: "python",
+        name: "Python",
+        extensions: [".py", ".pyw"],
+        wasmFile: "tree-sitter-python.wasm",
+        nativeModule: "tree-sitter-python",
+        callNodes: ["call"],
+        callCalleeFields: ["function"],
+        callArgumentFields: ["arguments"],
+        assignmentNodes: ["assignment"],
+        assignmentLeftFields: ["left"],
+        assignmentRightFields: ["right"],
+        memberNodes: ["attribute"],
+        memberObjectFields: ["object"],
+        memberPropertyFields: ["attribute"],
+        identifierNodes: ["identifier"],
+        stringNodes: ["string", "string_literal"]
+    },
+    {
+        id: "go",
+        name: "Go",
+        extensions: [".go"],
+        wasmFile: "tree-sitter-go.wasm",
+        nativeModule: "tree-sitter-go",
+        callNodes: ["call_expression"],
+        callCalleeFields: ["function"],
+        callArgumentFields: ["arguments"],
+        assignmentNodes: ["assignment_statement"],
+        assignmentLeftFields: ["left"],
+        assignmentRightFields: ["right"],
+        memberNodes: ["selector_expression"],
+        memberObjectFields: ["operand"],
+        memberPropertyFields: ["field"],
+        identifierNodes: ["identifier"],
+        stringNodes: ["interpreted_string_literal", "raw_string_literal"]
+    },
+    {
+        id: "java",
+        name: "Java",
+        extensions: [".java"],
+        wasmFile: "tree-sitter-java.wasm",
+        nativeModule: "tree-sitter-java",
+        callNodes: ["method_invocation"],
+        callCalleeFields: ["name", "object"],
+        callArgumentFields: ["arguments"],
+        assignmentNodes: ["assignment_expression"],
+        assignmentLeftFields: ["left"],
+        assignmentRightFields: ["right"],
+        memberNodes: ["field_access"],
+        memberObjectFields: ["object"],
+        memberPropertyFields: ["field"],
+        identifierNodes: ["identifier"],
+        stringNodes: ["string_literal"]
+    },
+    {
+        id: "csharp",
+        name: "C#",
+        extensions: [".cs"],
+        wasmFile: "tree-sitter-c-sharp.wasm",
+        nativeModule: "tree-sitter-c-sharp",
+        callNodes: ["invocation_expression"],
+        callCalleeFields: ["expression"],
+        callArgumentFields: ["argument_list"],
+        assignmentNodes: ["assignment_expression"],
+        assignmentLeftFields: ["left"],
+        assignmentRightFields: ["right"],
+        memberNodes: ["member_access_expression"],
+        memberObjectFields: ["expression"],
+        memberPropertyFields: ["name"],
+        identifierNodes: ["identifier"],
+        stringNodes: ["string_literal"]
+    },
+    {
+        id: "ruby",
+        name: "Ruby",
+        extensions: [".rb"],
+        wasmFile: "tree-sitter-ruby.wasm",
+        nativeModule: "tree-sitter-ruby",
+        callNodes: ["call", "command_call"],
+        callCalleeFields: ["method", "receiver"],
+        callArgumentFields: ["arguments"],
+        assignmentNodes: ["assignment"],
+        assignmentLeftFields: ["left"],
+        assignmentRightFields: ["right"],
+        memberNodes: ["call"],
+        memberObjectFields: ["receiver"],
+        memberPropertyFields: ["method"],
+        identifierNodes: ["identifier", "constant"],
+        stringNodes: ["string", "string_literal"]
+    },
+    {
+        id: "php",
+        name: "PHP",
+        extensions: [".php", ".phtml", ".php5", ".php7", ".phps"],
+        wasmFile: "tree-sitter-php.wasm",
+        nativeModule: "tree-sitter-php",
+        callNodes: ["function_call_expression", "member_call_expression", "scoped_call_expression"],
+        callCalleeFields: ["name", "function", "member", "scope"],
+        callArgumentFields: ["arguments"],
+        assignmentNodes: ["assignment_expression"],
+        assignmentLeftFields: ["left"],
+        assignmentRightFields: ["right"],
+        memberNodes: ["member_call_expression", "scoped_call_expression"],
+        memberObjectFields: ["object", "scope"],
+        memberPropertyFields: ["name", "member"],
+        identifierNodes: ["name", "variable_name", "identifier"],
+        stringNodes: ["string", "string_literal"]
+    },
+    {
+        id: "rust",
+        name: "Rust",
+        extensions: [".rs"],
+        wasmFile: "tree-sitter-rust.wasm",
+        nativeModule: "tree-sitter-rust",
+        callNodes: ["call_expression", "macro_invocation"],
+        callCalleeFields: ["function", "macro"],
+        callArgumentFields: ["arguments", "token_tree"],
+        assignmentNodes: ["assignment_expression", "let_declaration"],
+        assignmentLeftFields: ["left", "pattern"],
+        assignmentRightFields: ["right", "value"],
+        memberNodes: ["field_expression"],
+        memberObjectFields: ["value"],
+        memberPropertyFields: ["field"],
+        identifierNodes: ["identifier", "self"],
+        stringNodes: ["string_literal", "raw_string_literal"]
+    },
+    {
+        id: "kotlin",
+        name: "Kotlin",
+        extensions: [".kt", ".kts"],
+        wasmFile: "tree-sitter-kotlin.wasm",
+        nativeModule: "tree-sitter-kotlin",
+        callNodes: ["call_expression", "primary_expression"],
+        callCalleeFields: ["callee", "reference"],
+        callArgumentFields: ["value_arguments"],
+        assignmentNodes: ["assignment"],
+        assignmentLeftFields: ["left"],
+        assignmentRightFields: ["right"],
+        memberNodes: ["navigation_expression"],
+        memberObjectFields: ["receiver"],
+        memberPropertyFields: ["selector"],
+        identifierNodes: ["identifier"],
+        stringNodes: ["string_literal"]
+    },
+    {
+        id: "swift",
+        name: "Swift",
+        extensions: [".swift"],
+        wasmFile: "tree-sitter-swift.wasm",
+        nativeModule: "tree-sitter-swift",
+        callNodes: ["function_call_expression"],
+        callCalleeFields: ["function"],
+        callArgumentFields: ["argument_clause"],
+        assignmentNodes: ["assignment_expression"],
+        assignmentLeftFields: ["left"],
+        assignmentRightFields: ["right"],
+        memberNodes: ["member_access_expression"],
+        memberObjectFields: ["object"],
+        memberPropertyFields: ["name"],
+        identifierNodes: ["identifier"],
+        stringNodes: ["string_literal"]
+    },
+    {
+        id: "c",
+        name: "C",
+        extensions: [".c", ".h"],
+        wasmFile: "tree-sitter-c.wasm",
+        nativeModule: "tree-sitter-c",
+        callNodes: ["call_expression"],
+        callCalleeFields: ["function"],
+        callArgumentFields: ["arguments"],
+        assignmentNodes: ["assignment_expression", "init_declarator"],
+        assignmentLeftFields: ["left", "declarator"],
+        assignmentRightFields: ["right", "value"],
+        memberNodes: ["field_expression"],
+        memberObjectFields: ["argument"],
+        memberPropertyFields: ["field"],
+        identifierNodes: ["identifier"],
+        stringNodes: ["string_literal"]
+    },
+    {
+        id: "cpp",
+        name: "C++",
+        extensions: [".cpp", ".hpp", ".cc", ".cxx", ".hh", ".hxx"],
+        wasmFile: "tree-sitter-cpp.wasm",
+        nativeModule: "tree-sitter-cpp",
+        callNodes: ["call_expression"],
+        callCalleeFields: ["function"],
+        callArgumentFields: ["arguments"],
+        assignmentNodes: ["assignment_expression", "init_declarator"],
+        assignmentLeftFields: ["left", "declarator"],
+        assignmentRightFields: ["right", "value"],
+        memberNodes: ["field_expression", "qualified_identifier"],
+        memberObjectFields: ["scope", "argument"],
+        memberPropertyFields: ["name", "field"],
+        identifierNodes: ["identifier"],
+        stringNodes: ["string_literal"]
+    }
+];
+export function getNativeLanguages() {
+    return [...LANGUAGES];
+}
+export function getLanguageByExtension(filePath) {
+    const lower = filePath.toLowerCase();
+    for (const lang of LANGUAGES) {
+        if (lang.extensions.some((ext) => lower.endsWith(ext)))
+            return lang;
+    }
+    return null;
+}

package/dist/native/loader.js

@@ -0,0 +1,61 @@
+import path from "node:path";
+import fs from "node:fs/promises";
+import { createRequire } from "node:module";
+let treeSitter = null;
+let treeSitterInit = null;
+async function ensureTreeSitter() {
+    if (treeSitter)
+        return treeSitter;
+    const mod = await import("web-tree-sitter");
+    const resolved = {
+        init: mod.init?.bind(mod),
+        Language: mod.Language,
+        Parser: mod.Parser
+    };
+    treeSitter = resolved;
+    if (!treeSitterInit) {
+        treeSitterInit = resolved.init();
+    }
+    await treeSitterInit;
+    return resolved;
+}
+async function loadNativeLanguage(lang) {
+    try {
+        const require = createRequire(import.meta.url);
+        const Parser = require("tree-sitter");
+        const Lang = require(lang.nativeModule);
+        const parser = new Parser();
+        parser.setLanguage(Lang);
+        return { parser, type: "native" };
+    }
+    catch {
+        return null;
+    }
+}
+async function loadWasmLanguage(lang, baseDir) {
+    const mod = await ensureTreeSitter();
+    const wasmPath = path.join(baseDir, "assets", "grammars", lang.wasmFile);
+    try {
+        await fs.access(wasmPath);
+    }
+    catch {
+        return null;
+    }
+    const language = await mod.Language.load(wasmPath);
+    const parser = new mod.Parser();
+    parser.setLanguage(language);
+    return { parser, type: "wasm" };
+}
+export async function parseWithTreeSitter(source, lang, baseDir) {
+    const native = await loadNativeLanguage(lang);
+    if (native) {
+        const tree = native.parser.parse(source);
+        return { tree, source, language: lang };
+    }
+    const wasm = await loadWasmLanguage(lang, baseDir);
+    if (wasm) {
+        const tree = wasm.parser.parse(source);
+        return { tree, source, language: lang };
+    }
+    return null;
+}

package/dist/native/rules.js

@@ -0,0 +1,14 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+export async function loadNativeRules(baseDir, lang) {
+    const rulePath = path.join(baseDir, "rules", "taint", `${lang}.json`);
+    try {
+        const raw = await fs.readFile(rulePath, "utf8");
+        return JSON.parse(raw);
+    }
+    catch (err) {
+        if (err?.code === "ENOENT")
+            return null;
+        throw err;
+    }
+}