opensecurity 0.2.0 → 0.3.0

package/dist/ui/progress.js

@@ -0,0 +1,150 @@
+/**
+ * CLI UX utilities: progress spinner, verbose logging, and formatting.
+ */
+const SPINNER_FRAMES = ["⠋", "⠙", "⠹", "⠸", "⠼", "⠴", "⠦", "⠧", "⠇", "⠏"];
+const SPINNER_INTERVAL = 80;
+export class Logger {
+    level;
+    constructor(options = {}) {
+        if (options.silent) {
+            this.level = "silent";
+        }
+        else if (options.verbose) {
+            this.level = "verbose";
+        }
+        else {
+            this.level = "normal";
+        }
+    }
+    info(message) {
+        if (this.level === "silent")
+            return;
+        console.error(`ℹ ${message}`);
+    }
+    verbose(message) {
+        if (this.level !== "verbose")
+            return;
+        console.error(`  ${dim(message)}`);
+    }
+    success(message) {
+        if (this.level === "silent")
+            return;
+        console.error(`✅ ${message}`);
+    }
+    warn(message) {
+        if (this.level === "silent")
+            return;
+        console.error(`⚠️  ${message}`);
+    }
+    error(message) {
+        console.error(`❌ ${message}`);
+    }
+}
+export class Spinner {
+    frame = 0;
+    timer = null;
+    message;
+    stream;
+    active = false;
+    constructor(message) {
+        this.message = message;
+        this.stream = process.stderr;
+    }
+    start() {
+        if (!this.stream.isTTY)
+            return;
+        this.active = true;
+        this.render();
+        this.timer = setInterval(() => this.render(), SPINNER_INTERVAL);
+    }
+    update(message) {
+        this.message = message;
+    }
+    pause() {
+        if (this.timer) {
+            clearInterval(this.timer);
+            this.timer = null;
+        }
+        if (this.active) {
+            this.clearLine();
+        }
+    }
+    resume() {
+        if (!this.active || !this.stream.isTTY)
+            return;
+        if (this.timer)
+            return;
+        this.render();
+        this.timer = setInterval(() => this.render(), SPINNER_INTERVAL);
+    }
+    stop(finalMessage) {
+        if (this.timer) {
+            clearInterval(this.timer);
+            this.timer = null;
+        }
+        if (this.active) {
+            this.clearLine();
+            if (finalMessage) {
+                this.stream.write(`${finalMessage}\n`);
+            }
+        }
+        this.active = false;
+    }
+    render() {
+        const symbol = SPINNER_FRAMES[this.frame % SPINNER_FRAMES.length];
+        this.frame += 1;
+        this.clearLine();
+        this.stream.write(`${symbol} ${this.message}`);
+    }
+    clearLine() {
+        this.stream.write("\r\x1b[K");
+    }
+}
+/**
+ * Format duration in human-readable form.
+ */
+export function formatDuration(ms) {
+    if (ms < 1000)
+        return `${Math.round(ms)}ms`;
+    const seconds = ms / 1000;
+    if (seconds < 60)
+        return `${seconds.toFixed(1)}s`;
+    const minutes = Math.floor(seconds / 60);
+    const remainingSeconds = Math.round(seconds % 60);
+    return `${minutes}m ${remainingSeconds}s`;
+}
+/**
+ * Format a count with plural suffix.
+ */
+export function pluralize(count, singular, plural) {
+    return count === 1 ? `${count} ${singular}` : `${count} ${plural ?? singular + "s"}`;
+}
+/**
+ * Dim text using ANSI escape codes (stderr only).
+ */
+function dim(text) {
+    return `\x1b[2m${text}\x1b[0m`;
+}
+/**
+ * Bold text using ANSI escape codes.
+ */
+export function bold(text) {
+    return `\x1b[1m${text}\x1b[0m`;
+}
+/**
+ * Colored severity label.
+ */
+export function severityColor(severity) {
+    switch (severity) {
+        case "critical":
+            return `\x1b[31m${severity.toUpperCase()}\x1b[0m`; // red
+        case "high":
+            return `\x1b[33m${severity.toUpperCase()}\x1b[0m`; // yellow
+        case "medium":
+            return `\x1b[36m${severity.toUpperCase()}\x1b[0m`; // cyan
+        case "low":
+            return `\x1b[34m${severity.toUpperCase()}\x1b[0m`; // blue
+        default:
+            return severity.toUpperCase();
+    }
+}

package/package.json

@@ -1,15 +1,40 @@
 {
   "name": "opensecurity",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "private": false,
+  "description": "Open-source CLI for scanning repositories for security risks across code, infra, and dependencies.",
+  "license": "MIT",
   "type": "module",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/eliophan/opensecurity.git"
+  },
+  "homepage": "https://github.com/eliophan/opensecurity",
+  "bugs": {
+    "url": "https://github.com/eliophan/opensecurity/issues"
+  },
+  "keywords": [
+    "security",
+    "sast",
+    "static-analysis",
+    "taint",
+    "vulnerability",
+    "scanner",
+    "devsecops",
+    "cli",
+    "dependency",
+    "ai"
+  ],
+  "engines": {
+    "node": ">=20"
+  },
   "bin": {
-    "opensecurity": "dist/cli.js",
-    "openSecurity": "dist/cli.js"
+    "opensecurity": "dist/ui/cli.js",
+    "openSecurity": "dist/ui/cli.js"
   },
   "scripts": {
-    "dev": "tsx src/cli.ts",
-    "proxy": "tsx src/proxy.ts",
+    "dev": "tsx src/ui/cli.ts",
+    "proxy": "tsx src/io/proxy.ts",
     "build": "tsc",
     "build-grammars": "tsx scripts/build-grammars.ts",
     "prepack": "npm run build",

package/rules/taint/c.json

@@ -8,7 +8,9 @@
       "owasp": "A03:2021 Injection",
       "kind": "taint",
       "sources": [
-        { "id": "argv", "name": "argv", "matcher": { "calleePattern": ["argv", "getenv"] } }
+        { "id": "getenv", "name": "getenv", "matcher": { "callee": ["getenv"] } },
+        { "id": "scanf", "name": "scanf", "matcher": { "calleePattern": ["scanf", "fscanf", "sscanf"] } },
+        { "id": "gets", "name": "gets", "matcher": { "callee": ["gets", "fgets"] } }
       ],
       "sinks": [
         { "id": "system", "name": "system", "matcher": { "callee": ["system", "popen"] } }
@@ -21,12 +23,46 @@
       "owasp": "A01:2021 Broken Access Control",
       "kind": "taint",
       "sources": [
-        { "id": "argv", "name": "argv", "matcher": { "calleePattern": ["argv", "getenv"] } }
+        { "id": "getenv", "name": "getenv", "matcher": { "callee": ["getenv"] } },
+        { "id": "scanf", "name": "scanf", "matcher": { "calleePattern": ["scanf", "fscanf", "sscanf"] } },
+        { "id": "gets", "name": "gets", "matcher": { "callee": ["gets", "fgets"] } }
       ],
       "sinks": [
         { "id": "fopen", "name": "fopen", "matcher": { "callee": ["fopen", "open", "read"] } }
       ]
     },
+    {
+      "id": "c-sqli",
+      "title": "SQL Injection",
+      "severity": "high",
+      "owasp": "A03:2021 Injection",
+      "kind": "taint",
+      "sources": [
+        { "id": "getenv", "name": "getenv", "matcher": { "callee": ["getenv"] } },
+        { "id": "scanf", "name": "scanf", "matcher": { "calleePattern": ["scanf", "fscanf", "sscanf"] } },
+        { "id": "gets", "name": "gets", "matcher": { "callee": ["gets", "fgets"] } }
+      ],
+      "sinks": [
+        { "id": "sqlite", "name": "sqlite3_exec", "matcher": { "callee": ["sqlite3_exec"] } },
+        { "id": "mysql", "name": "mysql_query", "matcher": { "callee": ["mysql_query"] } },
+        { "id": "pq", "name": "PQexec", "matcher": { "callee": ["PQexec"] } }
+      ]
+    },
+    {
+      "id": "c-ssrf",
+      "title": "Server-Side Request Forgery",
+      "severity": "high",
+      "owasp": "A10:2021 Server-Side Request Forgery",
+      "kind": "taint",
+      "sources": [
+        { "id": "getenv", "name": "getenv", "matcher": { "callee": ["getenv"] } },
+        { "id": "scanf", "name": "scanf", "matcher": { "calleePattern": ["scanf", "fscanf", "sscanf"] } },
+        { "id": "gets", "name": "gets", "matcher": { "callee": ["gets", "fgets"] } }
+      ],
+      "sinks": [
+        { "id": "curl", "name": "curl_easy_perform", "matcher": { "callee": ["curl_easy_perform"] } }
+      ]
+    },
     {
       "id": "c-weak-crypto",
       "title": "Weak Crypto",

package/rules/taint/cpp.json

@@ -8,7 +8,9 @@
       "owasp": "A03:2021 Injection",
       "kind": "taint",
       "sources": [
-        { "id": "argv", "name": "argv", "matcher": { "calleePattern": ["argv", "getenv"] } }
+        { "id": "getenv", "name": "getenv", "matcher": { "callee": ["getenv"] } },
+        { "id": "scanf", "name": "scanf", "matcher": { "calleePattern": ["scanf", "fscanf", "sscanf"] } },
+        { "id": "gets", "name": "gets", "matcher": { "callee": ["gets", "fgets"] } }
       ],
       "sinks": [
         { "id": "system", "name": "system", "matcher": { "callee": ["system", "popen"] } }
@@ -21,12 +23,46 @@
       "owasp": "A01:2021 Broken Access Control",
       "kind": "taint",
       "sources": [
-        { "id": "argv", "name": "argv", "matcher": { "calleePattern": ["argv", "getenv"] } }
+        { "id": "getenv", "name": "getenv", "matcher": { "callee": ["getenv"] } },
+        { "id": "scanf", "name": "scanf", "matcher": { "calleePattern": ["scanf", "fscanf", "sscanf"] } },
+        { "id": "gets", "name": "gets", "matcher": { "callee": ["gets", "fgets"] } }
       ],
       "sinks": [
         { "id": "fstream", "name": "fstream", "matcher": { "calleePattern": ["std::fstream", "std::ifstream", "std::ofstream", "fopen", "open"] } }
       ]
     },
+    {
+      "id": "cpp-sqli",
+      "title": "SQL Injection",
+      "severity": "high",
+      "owasp": "A03:2021 Injection",
+      "kind": "taint",
+      "sources": [
+        { "id": "getenv", "name": "getenv", "matcher": { "callee": ["getenv"] } },
+        { "id": "scanf", "name": "scanf", "matcher": { "calleePattern": ["scanf", "fscanf", "sscanf"] } },
+        { "id": "gets", "name": "gets", "matcher": { "callee": ["gets", "fgets"] } }
+      ],
+      "sinks": [
+        { "id": "sqlite", "name": "sqlite3_exec", "matcher": { "callee": ["sqlite3_exec"] } },
+        { "id": "mysql", "name": "mysql_query", "matcher": { "callee": ["mysql_query"] } },
+        { "id": "pq", "name": "PQexec", "matcher": { "callee": ["PQexec"] } }
+      ]
+    },
+    {
+      "id": "cpp-ssrf",
+      "title": "Server-Side Request Forgery",
+      "severity": "high",
+      "owasp": "A10:2021 Server-Side Request Forgery",
+      "kind": "taint",
+      "sources": [
+        { "id": "getenv", "name": "getenv", "matcher": { "callee": ["getenv"] } },
+        { "id": "scanf", "name": "scanf", "matcher": { "calleePattern": ["scanf", "fscanf", "sscanf"] } },
+        { "id": "gets", "name": "gets", "matcher": { "callee": ["gets", "fgets"] } }
+      ],
+      "sinks": [
+        { "id": "curl", "name": "curl_easy_perform", "matcher": { "callee": ["curl_easy_perform"] } }
+      ]
+    },
     {
       "id": "cpp-weak-crypto",
       "title": "Weak Crypto",

package/rules/taint/go.json

@@ -53,6 +53,22 @@
         { "id": "http", "name": "http.Get", "matcher": { "calleePattern": ["http.Get", "http.Post", "http.NewRequest"] } }
       ]
     },
+    {
+      "id": "go-deser",
+      "title": "Unsafe Deserialization",
+      "severity": "high",
+      "owasp": "A08:2021 Software and Data Integrity Failures",
+      "kind": "taint",
+      "sources": [
+        { "id": "query", "name": "r.URL.Query", "matcher": { "calleePattern": ["*.Query", "*.Query().Get", "*.FormValue"] } }
+      ],
+      "sinks": [
+        { "id": "json", "name": "json.Unmarshal", "matcher": { "calleePattern": ["json.Unmarshal"] } },
+        { "id": "xml", "name": "xml.Unmarshal", "matcher": { "calleePattern": ["xml.Unmarshal"] } },
+        { "id": "yaml", "name": "yaml.Unmarshal", "matcher": { "calleePattern": ["yaml.Unmarshal"] } },
+        { "id": "gob", "name": "gob.Decoder.Decode", "matcher": { "calleePattern": ["gob.Decoder.Decode"] } }
+      ]
+    },
     {
       "id": "go-xss-template",
       "title": "Server Template XSS",

package/rules/taint/kotlin.json

@@ -53,6 +53,21 @@
         { "id": "url", "name": "URL.openConnection", "matcher": { "calleePattern": ["*.openConnection"] } }
       ]
     },
+    {
+      "id": "kt-deser",
+      "title": "Unsafe Deserialization",
+      "severity": "high",
+      "owasp": "A08:2021 Software and Data Integrity Failures",
+      "kind": "taint",
+      "sources": [
+        { "id": "param", "name": "request.getParameter", "matcher": { "calleePattern": ["*.getParameter", "*.getHeader"] } }
+      ],
+      "sinks": [
+        { "id": "java-io", "name": "ObjectInputStream.readObject", "matcher": { "calleePattern": ["ObjectInputStream.readObject", "*.readObject"] } },
+        { "id": "jackson", "name": "ObjectMapper.readValue", "matcher": { "calleePattern": ["ObjectMapper.readValue", "*.readValue"] } },
+        { "id": "gson", "name": "Gson.fromJson", "matcher": { "calleePattern": ["Gson.fromJson", "*.fromJson"] } }
+      ]
+    },
     {
       "id": "kt-xss-template",
       "title": "Server Template XSS",

package/rules/taint/rust.json

@@ -53,6 +53,22 @@
         { "id": "reqwest", "name": "reqwest", "matcher": { "calleePattern": ["reqwest::get", "reqwest::Client.get", "reqwest::Client.post"] } }
       ]
     },
+    {
+      "id": "rs-deser",
+      "title": "Unsafe Deserialization",
+      "severity": "high",
+      "owasp": "A08:2021 Software and Data Integrity Failures",
+      "kind": "taint",
+      "sources": [
+        { "id": "query", "name": "web::Query", "matcher": { "calleePattern": ["Query::*", "Form::*"] } }
+      ],
+      "sinks": [
+        { "id": "serde-json", "name": "serde_json::from_str", "matcher": { "calleePattern": ["serde_json::from_str", "serde_json::from_slice"] } },
+        { "id": "serde-yaml", "name": "serde_yaml::from_str", "matcher": { "calleePattern": ["serde_yaml::from_str", "serde_yaml::from_slice"] } },
+        { "id": "bincode", "name": "bincode::deserialize", "matcher": { "calleePattern": ["bincode::deserialize", "bincode::deserialize_from"] } },
+        { "id": "rmp", "name": "rmp_serde::from_slice", "matcher": { "calleePattern": ["rmp_serde::from_slice", "rmp_serde::from_read"] } }
+      ]
+    },
     {
       "id": "rs-xss-template",
       "title": "Server Template XSS",

package/rules/taint/swift.json

@@ -53,6 +53,21 @@
         { "id": "urlsession", "name": "URLSession", "matcher": { "calleePattern": ["URLSession.shared.dataTask", "URLSession.dataTask"] } }
       ]
     },
+    {
+      "id": "swift-deser",
+      "title": "Unsafe Deserialization",
+      "severity": "high",
+      "owasp": "A08:2021 Software and Data Integrity Failures",
+      "kind": "taint",
+      "sources": [
+        { "id": "param", "name": "request.query", "matcher": { "calleePattern": ["request.query*", "request.form*"] } }
+      ],
+      "sinks": [
+        { "id": "nskeyed", "name": "NSKeyedUnarchiver", "matcher": { "calleePattern": ["NSKeyedUnarchiver.unarchiveTopLevelObjectWithData", "NSKeyedUnarchiver.unarchiveObject"] } },
+        { "id": "plist", "name": "PropertyListSerialization", "matcher": { "calleePattern": ["PropertyListSerialization.propertyList"] } },
+        { "id": "json", "name": "JSONSerialization", "matcher": { "calleePattern": ["JSONSerialization.jsonObject"] } }
+      ]
+    },
     {
       "id": "swift-xss-template",
       "title": "Server Template XSS",