opensecurity 0.1.0

package/dist/cli.js

@@ -0,0 +1,396 @@
+#!/usr/bin/env node
+import fs from "node:fs/promises";
+import path from "node:path";
+import { Command } from "commander";
+import { login } from "./login.js";
+import { startProxyServer } from "./proxy.js";
+import { scan, renderJsonReport, renderSarifReport, renderTextReport, listMatchedFiles } from "./scan.js";
+import { setTelemetryEnabled, trackEvent } from "./telemetry.js";
+import { loadGlobalConfig } from "./config.js";
+import { getOAuthProfile } from "./oauthStore.js";
+import { Logger, Spinner, formatDuration, pluralize, bold, severityColor } from "./progress.js";
+const program = new Command();
+program
+    .name("opensecurity")
+    .description("openSecurity CLI")
+    .version("0.1.0");
+program
+    .command("login")
+    .description("Store Codex Access Token in global config")
+    .option("--mode <mode>", "oauth|api_key")
+    .option("--provider <provider>", "openai|anthropic|google|mistral|xai|cohere")
+    .option("--model <model>", "set default model")
+    .action(async (opts) => {
+    try {
+        await login(process.env, opts.mode, opts.model, opts.provider);
+    }
+    catch (err) {
+        console.error(err?.message ?? err);
+        process.exitCode = 1;
+    }
+});
+program
+    .command("proxy")
+    .description("Run local OAuth proxy for Codex tokens")
+    .option("--port <port>", "port to listen on", (v) => Number(v), 8787)
+    .action(async (opts) => {
+    try {
+        await startProxyServer({ port: opts.port });
+    }
+    catch (err) {
+        console.error(err?.message ?? err);
+        process.exitCode = 1;
+    }
+});
+program
+    .command("scan")
+    .description("Run AI security scan")
+    .option("--format <format>", "text|json|sarif", "text")
+    .option("--max-chars <maxChars>", "max chars per chunk", (v) => Number(v), 4000)
+    .option("--model <model>", "override model")
+    .option("--auth <mode>", "oauth|api_key (overrides config)", (value) => {
+    if (value !== "oauth" && value !== "api_key") {
+        throw new Error("--auth must be 'oauth' or 'api_key'");
+    }
+    return value;
+})
+    .option("--provider <provider>", "openai|anthropic|google|mistral|xai|cohere")
+    .option("--cwd <cwd>", "override working directory")
+    .option("--path <path>", "scan a specific file or directory")
+    .option("--include <pattern...>", "include glob patterns (overrides project config)")
+    .option("--exclude <pattern...>", "exclude glob patterns (overrides project config)")
+    .option("--rules <path>", "path to rules JSON (overrides project config)")
+    .option("--cve-cache <path>", "path to CVE cache JSON (overrides project config)")
+    .option("--cve-api-url <url>", "CVE API URL (overrides project config)")
+    .option("--simulate", "include simulated payload + impact for dependency findings")
+    .option("--data-sensitivity <level>", "low|medium|high (affects risk scoring)", "medium")
+    .option("--ai-all-text", "allow AI scan on all text files (non-JS/TS)")
+    .option("--ai-js-only", "limit AI scan to JS/TS only")
+    .option("--ai-multi-agent", "split AI scan into worker batches")
+    .option("--ai-batch-size <n>", "files per AI worker batch", (v) => Number(v))
+    .option("--ai-batch-depth <n>", "path depth for AI batching", (v) => Number(v))
+    .option("--ai-cache", "enable AI per-file cache")
+    .option("--no-ai-cache", "disable AI per-file cache")
+    .option("--ai-cache-path <path>", "path to AI cache file")
+    .option("--concurrency <n>", "parallel scan workers", (v) => Number(v))
+    .option("--dependency-only", "only run dependency/CVE scanning")
+    .option("--no-ai", "skip AI model scanning")
+    .option("--diff-only", "only scan files changed in git")
+    .option("--diff-base <ref>", "git base ref for diff-only (default: HEAD)")
+    .option("--dry-run", "list matched files without calling the model")
+    .option("--fail-on <severity>", "fail if findings are >= severity (low|medium|high|critical)")
+    .option("--fail-on-high", "fail if findings are >= high")
+    .option("--sarif-output <path>", "write SARIF to file in addition to primary output")
+    .option("--verbose", "show detailed progress information")
+    .action(async (opts) => {
+    await executeScan(opts);
+});
+async function executeScan(opts) {
+    const isJson = opts.format === "json";
+    const log = new Logger({ verbose: opts.verbose, silent: isJson });
+    try {
+        const authMode = await resolveAuthMode(opts);
+        if (authMode) {
+            opts.auth = authMode;
+        }
+        if (opts.dryRun) {
+            log.info("Dry run — listing matched files…");
+            const files = await listMatchedFiles({
+                cwd: opts.cwd,
+                include: opts.include,
+                exclude: opts.exclude
+            });
+            if (!files.length) {
+                console.log("No files matched.");
+                return;
+            }
+            const base = opts.cwd ?? process.cwd();
+            const output = files.map((file) => path.relative(base, file)).join("\n");
+            log.info(`Found ${pluralize(files.length, "file")}.`);
+            console.log(output);
+            return;
+        }
+        const startTime = Date.now();
+        const cwd = opts.cwd ?? process.cwd();
+        log.info(`Scanning ${bold(cwd)}…`);
+        log.verbose(`Format: ${opts.format}, Model: ${opts.model ?? "default"}`);
+        log.verbose(`AI scanning: ${opts.noAi ? "disabled" : "enabled"}`);
+        log.verbose(`Dependency-only: ${opts.dependencyOnly ? "yes" : "no"}`);
+        const liveOutput = Boolean(opts.verbose);
+        const spinner = new Spinner("Running security scan…");
+        const useSpinner = !isJson;
+        if (useSpinner)
+            spinner.start();
+        const result = await scan({
+            format: opts.format,
+            maxChars: opts.maxChars,
+            model: opts.model,
+            authMode: opts.auth,
+            provider: opts.provider,
+            liveOutput,
+            onProgress: (info) => {
+                const message = `Scanning ${info.file} (${info.fileIndex}/${info.totalFiles}) chunk ${info.chunkIndex}/${info.totalChunks}`;
+                if (useSpinner) {
+                    spinner.update(message);
+                }
+                if (opts.verbose) {
+                    log.verbose(message);
+                }
+            },
+            onOutputChunk: liveOutput && !isJson ? (chunk) => {
+                if (useSpinner)
+                    spinner.pause();
+                process.stderr.write(chunk);
+                if (useSpinner)
+                    spinner.resume();
+            } : undefined,
+            cwd: opts.cwd,
+            targetPath: opts.path,
+            include: opts.include,
+            exclude: opts.exclude,
+            rulesPath: opts.rules,
+            cveCachePath: opts.cveCache,
+            cveApiUrl: opts.cveApiUrl,
+            simulate: opts.simulate,
+            dataSensitivity: opts.dataSensitivity,
+            dependencyOnly: opts.dependencyOnly,
+            noAi: opts.noAi,
+            aiAllText: opts.aiJsOnly ? false : (opts.aiAllText ?? true),
+            aiMultiAgent: opts.aiMultiAgent,
+            aiBatchSize: opts.aiBatchSize,
+            aiBatchDepth: opts.aiBatchDepth,
+            aiCache: opts.aiCache,
+            aiCachePath: opts.aiCachePath,
+            diffOnly: opts.diffOnly,
+            diffBase: opts.diffBase,
+            concurrency: opts.concurrency
+        });
+        const elapsed = Date.now() - startTime;
+        if (useSpinner)
+            spinner.stop();
+        const output = opts.format === "sarif"
+            ? renderSarifReport(result)
+            : isJson
+                ? renderJsonReport(result)
+                : renderTextReport(result);
+        console.log(output || "No findings.");
+        if (opts.sarifOutput && opts.format !== "sarif") {
+            const sarif = renderSarifReport(result);
+            await fs.writeFile(opts.sarifOutput, sarif, "utf8");
+        }
+        // Print summary
+        if (!isJson) {
+            const total = result.findings.length;
+            if (total === 0) {
+                log.success(`Scan complete in ${formatDuration(elapsed)} — no findings.`);
+            }
+            else {
+                const counts = countBySeverity(result.findings);
+                const parts = [];
+                for (const [sev, count] of Object.entries(counts)) {
+                    if (count > 0)
+                        parts.push(`${severityColor(sev)}: ${count}`);
+                }
+                log.warn(`Scan complete in ${formatDuration(elapsed)} — ${pluralize(total, "finding")} [${parts.join(", ")}]`);
+            }
+        }
+        if (opts.failOn) {
+            const threshold = severityRank(opts.failOn);
+            if (threshold === null) {
+                log.warn(`Unknown --fail-on level: ${opts.failOn}`);
+            }
+            else {
+                const worst = highestSeverity(result.findings);
+                if (worst !== null && worst >= threshold) {
+                    process.exitCode = 1;
+                }
+            }
+        }
+        if (opts.failOnHigh) {
+            const threshold = severityRank("high");
+            const worst = highestSeverity(result.findings);
+            if (worst !== null && threshold !== null && worst >= threshold) {
+                process.exitCode = 1;
+            }
+        }
+        // Fire telemetry event (no-ops if disabled)
+        const globalCfg = await loadGlobalConfig();
+        await trackEvent("scan_completed", {
+            findings: result.findings.length,
+            format: opts.format ?? "text",
+            dependencyOnly: Boolean(opts.dependencyOnly),
+            noAi: Boolean(opts.noAi)
+        }, globalCfg);
+    }
+    catch (err) {
+        log.error(err?.message ?? err);
+        process.exitCode = 1;
+    }
+}
+program
+    .command("telemetry")
+    .description("Enable or disable anonymous telemetry")
+    .argument("<action>", "on | off")
+    .action(async (action) => {
+    try {
+        const enabled = action.toLowerCase() === "on";
+        await setTelemetryEnabled(enabled);
+        console.log(`Telemetry ${enabled ? "enabled" : "disabled"}.`);
+    }
+    catch (err) {
+        console.error(err?.message ?? err);
+        process.exitCode = 1;
+    }
+});
+program.parse();
+// --- helpers ---
+function countBySeverity(findings) {
+    const counts = { critical: 0, high: 0, medium: 0, low: 0 };
+    for (const f of findings) {
+        counts[f.severity] = (counts[f.severity] ?? 0) + 1;
+    }
+    return counts;
+}
+function severityRank(severity) {
+    switch (severity) {
+        case "critical":
+            return 3;
+        case "high":
+            return 2;
+        case "medium":
+            return 1;
+        case "low":
+            return 0;
+        default:
+            return null;
+    }
+}
+function highestSeverity(findings) {
+    let max = null;
+    for (const f of findings) {
+        const rank = severityRank(f.severity);
+        if (rank === null)
+            continue;
+        if (max === null || rank > max)
+            max = rank;
+    }
+    return max;
+}
+async function resolveAuthMode(opts) {
+    if (opts.auth)
+        return opts.auth;
+    const globalCfg = await loadGlobalConfig();
+    const hasApiKey = Boolean(globalCfg.apiKey);
+    const profileId = globalCfg.authProfileId ?? "codex-cli";
+    const oauthProfile = await getOAuthProfile(profileId);
+    const hasOauth = Boolean(oauthProfile);
+    if (hasApiKey && hasOauth) {
+        return await promptAuthMode();
+    }
+    if (hasOauth)
+        return "oauth";
+    if (hasApiKey)
+        return "api_key";
+    return undefined;
+}
+async function promptAuthMode() {
+    try {
+        return await interactiveSelectAuth();
+    }
+    catch {
+        // fall through to text prompt
+    }
+    const answer = await askQuestion("Select auth mode for this scan (oauth/api_key): ");
+    return answer.trim() === "api_key" ? "api_key" : "oauth";
+}
+function askQuestion(question) {
+    const readline = require("node:readline");
+    const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+    return new Promise((resolve) => {
+        rl.question(question, (answer) => {
+            rl.close();
+            resolve(answer.trim());
+        });
+    });
+}
+async function interactiveSelectAuth() {
+    return new Promise((resolve, reject) => {
+        const readline = require("node:readline");
+        const { input, output, cleanup: baseCleanup } = getInteractiveStreams();
+        readline.emitKeypressEvents(input);
+        input.setRawMode(true);
+        const options = [
+            { label: "OpenAI Codex OAuth", value: "oauth" },
+            { label: "OpenAI API Key", value: "api_key" }
+        ];
+        let index = 0;
+        const render = () => {
+            output.write("\x1b[2J\x1b[H");
+            output.write("Select auth mode for this scan\n");
+            for (let i = 0; i < options.length; i += 1) {
+                const prefix = i === index ? "◉" : "○";
+                output.write(`${prefix} ${options[i].label}\n`);
+            }
+            output.write("\nUse ↑/↓ to move, Enter to select.\n");
+        };
+        const cleanup = () => {
+            input.off("keypress", onKeypress);
+            baseCleanup();
+        };
+        const onKeypress = (_, key) => {
+            if (key.ctrl && key.name === "c") {
+                cleanup();
+                reject(new Error("Selection cancelled."));
+                return;
+            }
+            if (key.name === "down") {
+                index = (index + 1) % options.length;
+                render();
+                return;
+            }
+            if (key.name === "up") {
+                index = (index - 1 + options.length) % options.length;
+                render();
+                return;
+            }
+            if (key.name === "return") {
+                const value = options[index].value;
+                cleanup();
+                resolve(value);
+            }
+        };
+        input.on("keypress", onKeypress);
+        render();
+    });
+}
+function shouldForceInteractive() {
+    return process.env.OPENSECURITY_FORCE_TTY === "1";
+}
+function getInteractiveStreams() {
+    if (process.stdin.isTTY && process.stdout.isTTY) {
+        const wasRaw = process.stdin.isRaw;
+        const cleanup = () => {
+            if (!wasRaw)
+                process.stdin.setRawMode(false);
+            process.stdout.write("\x1b[2J\x1b[H");
+        };
+        return { input: process.stdin, output: process.stdout, cleanup };
+    }
+    try {
+        const tty = require("node:tty");
+        const fs = require("node:fs");
+        const fd = fs.openSync("/dev/tty", "r+");
+        const input = new tty.ReadStream(fd);
+        const output = new tty.WriteStream(fd);
+        const cleanup = () => {
+            input.setRawMode(false);
+            input.pause();
+            output.write("\x1b[2J\x1b[H");
+            fs.closeSync(fd);
+        };
+        return { input, output, cleanup };
+    }
+    catch {
+        throw new Error("No TTY available for interactive selection.");
+    }
+}

package/dist/config.js

@@ -0,0 +1,71 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import os from "node:os";
+export const DEFAULT_INCLUDE = ["**/*"];
+export const DEFAULT_EXCLUDE = [
+    "**/.git/**",
+    "**/node_modules/**",
+    "**/dist/**",
+    "**/build/**",
+    "**/coverage/**",
+    "**/.opensecurity.json",
+    "**/.opensecurity-cache.json",
+    "**/.opensecurity/ai-cache.json"
+];
+const DEFAULT_GLOBALS = {
+    baseUrl: "https://api.openai.com/v1/responses",
+    model: "gpt-4o-mini",
+    apiType: "responses",
+    provider: "openai"
+};
+export function getConfigDir(env = process.env) {
+    const override = env.OPENSECURITY_CONFIG_HOME;
+    if (override && override.trim())
+        return override;
+    return path.join(os.homedir(), ".config", "opensecurity");
+}
+export function getGlobalConfigPath(env = process.env) {
+    return path.join(getConfigDir(env), "config.json");
+}
+export function getProjectConfigPath(cwd = process.cwd()) {
+    return path.join(cwd, ".opensecurity.json");
+}
+async function readJsonFile(filePath) {
+    try {
+        const raw = await fs.readFile(filePath, "utf8");
+        return JSON.parse(raw);
+    }
+    catch (err) {
+        if (err?.code === "ENOENT")
+            return null;
+        throw err;
+    }
+}
+async function writeJsonFile(filePath, data) {
+    await fs.mkdir(path.dirname(filePath), { recursive: true });
+    await fs.writeFile(filePath, JSON.stringify(data, null, 2), "utf8");
+}
+export async function loadGlobalConfig(env = process.env) {
+    const filePath = getGlobalConfigPath(env);
+    const existing = await readJsonFile(filePath);
+    return {
+        ...DEFAULT_GLOBALS,
+        ...(existing ?? {})
+    };
+}
+export async function saveGlobalConfig(config, env = process.env) {
+    const current = await loadGlobalConfig(env);
+    const merged = { ...current, ...config };
+    await writeJsonFile(getGlobalConfigPath(env), merged);
+}
+export async function loadProjectConfig(cwd = process.cwd()) {
+    const filePath = getProjectConfigPath(cwd);
+    const existing = await readJsonFile(filePath);
+    return existing ?? {};
+}
+export function resolveProjectFilters(project) {
+    return {
+        include: project.include?.length ? project.include : [...DEFAULT_INCLUDE],
+        exclude: project.exclude?.length ? project.exclude : [...DEFAULT_EXCLUDE]
+    };
+}

package/dist/deps/cve.js

@@ -0,0 +1,102 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import semver from "semver";
+export function createCveLookup(options, cwd) {
+    if (options.cachePath) {
+        return new LocalCveLookup(options.cachePath, cwd);
+    }
+    if (options.apiUrl) {
+        return new ApiCveLookup(options.apiUrl);
+    }
+    return new EmptyCveLookup();
+}
+class EmptyCveLookup {
+    async lookup() {
+        return [];
+    }
+}
+class LocalCveLookup {
+    cache = null;
+    cachePath;
+    constructor(cachePath, cwd) {
+        this.cachePath = path.isAbsolute(cachePath) ? cachePath : path.join(cwd, cachePath);
+    }
+    async lookup(dependency) {
+        const cache = await this.load();
+        return cache.filter((record) => matchesDependency(record, dependency));
+    }
+    async load() {
+        if (this.cache)
+            return this.cache;
+        const raw = await fs.readFile(this.cachePath, "utf8");
+        const parsed = JSON.parse(raw);
+        const list = Array.isArray(parsed) ? parsed : Array.isArray(parsed?.vulnerabilities) ? parsed.vulnerabilities : [];
+        this.cache = list;
+        return this.cache;
+    }
+}
+class ApiCveLookup {
+    apiUrl;
+    constructor(apiUrl) {
+        this.apiUrl = apiUrl;
+    }
+    async lookup(dependency) {
+        const body = {
+            package: { name: dependency.name, ecosystem: dependency.ecosystem === "pypi" ? "PyPI" : "npm" },
+            version: dependency.version ?? dependency.spec
+        };
+        const res = await fetch(this.apiUrl, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify(body)
+        });
+        if (!res.ok)
+            return [];
+        const data = await res.json();
+        const vulns = Array.isArray(data?.vulns) ? data.vulns : [];
+        return vulns.map((v) => normalizeOsvRecord(v));
+    }
+}
+function normalizeOsvRecord(record) {
+    const severity = record?.severity?.[0]?.type === "CVSS_V3" ? mapCvss(record?.severity?.[0]?.score) : undefined;
+    const cvssScore = record?.severity?.[0]?.score ? Number(record.severity[0].score) : undefined;
+    return {
+        id: record?.id ?? "UNKNOWN",
+        package: record?.package?.name ?? "unknown",
+        ecosystem: record?.package?.ecosystem === "PyPI" ? "pypi" : "npm",
+        affectedRange: record?.affected?.[0]?.ranges?.[0]?.events
+            ?.map((e) => (e.introduced ? `>=${e.introduced}` : e.fixed ? `<${e.fixed}` : ""))
+            .join(" "),
+        fixedVersion: record?.affected?.[0]?.ranges?.[0]?.events?.find((e) => e.fixed)?.fixed,
+        severity,
+        cvssScore,
+        description: record?.summary ?? record?.details,
+        references: record?.references?.map((r) => r.url).filter(Boolean)
+    };
+}
+function mapCvss(score) {
+    const numeric = Number(score);
+    if (Number.isNaN(numeric))
+        return undefined;
+    if (numeric >= 9)
+        return "critical";
+    if (numeric >= 7)
+        return "high";
+    if (numeric >= 4)
+        return "medium";
+    return "low";
+}
+function matchesDependency(record, dep) {
+    if (record.ecosystem && record.ecosystem !== dep.ecosystem)
+        return false;
+    if (record.package !== dep.name)
+        return false;
+    if (!record.affectedRange)
+        return true;
+    if (!dep.version)
+        return true;
+    if (dep.ecosystem === "npm" && semver.valid(dep.version)) {
+        return semver.satisfies(dep.version, record.affectedRange, { includePrerelease: true });
+    }
+    return true;
+}

package/dist/deps/engine.js

@@ -0,0 +1,27 @@
+import { scanDependencies } from "./scanners.js";
+import { createCveLookup } from "./cve.js";
+import { scoreRisk } from "./scoring.js";
+import { buildPatchSuggestion } from "./patch.js";
+import { buildSimulation } from "./simulate.js";
+export async function scanDependenciesWithCves(options) {
+    const deps = await scanDependencies(options.cwd);
+    const lookup = createCveLookup(options.cveLookup, options.cwd);
+    const findings = [];
+    for (const dep of deps) {
+        const cves = await lookup.lookup(dep);
+        for (const cve of cves) {
+            const risk = scoreRisk(cve, { dataSensitivity: options.dataSensitivity });
+            const finding = {
+                dependency: dep,
+                cve,
+                risk,
+                recommendation: buildPatchSuggestion({ dependency: dep, cve, risk })
+            };
+            if (options.simulate) {
+                finding.simulation = buildSimulation({ dependency: dep, cve, risk });
+            }
+            findings.push(finding);
+        }
+    }
+    return findings;
+}

package/dist/deps/patch.js

@@ -0,0 +1,11 @@
+export function buildPatchSuggestion(finding) {
+    const dep = finding.dependency;
+    const cve = finding.cve;
+    if (cve.fixedVersion) {
+        return `Upgrade ${dep.name} to ${cve.fixedVersion} or later.`;
+    }
+    if (cve.affectedRange) {
+        return `Avoid versions in range ${cve.affectedRange}.`;
+    }
+    return `Review ${dep.name} usage and upgrade to a patched version.`;
+}