secmanifest 1.0.0

package/src/core/html-report.ts

@@ -0,0 +1,259 @@
+import { writeFile } from "node:fs/promises";
+import { join } from "node:path";
+import type { AuditReport, Finding, Severity } from "../utils/types.js";
+
+const SEVERITY_COLORS: Record<Severity, string> = {
+  critical: "#FF0000",
+  high: "#FF6600",
+  medium: "#FFCC00",
+  low: "#00CCFF",
+  info: "#888888",
+};
+
+const CATEGORY_LABELS: Record<string, string> = {
+  vulnerability: "Vulnerabilidad",
+  malware: "Malware",
+  backdoor: "Backdoor",
+  drift: "Drift",
+  secrets: "Secrets",
+  license: "Licencia",
+  metadata: "Metadata",
+  obfuscation: "Ofuscacion",
+  "node-version": "Node.js",
+};
+
+function escapeHtml(str: string): string {
+  return str
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;");
+}
+
+function generateFindingsHtml(findings: Finding[]): string {
+  if (findings.length === 0) {
+    return '<div class="no-findings">No se encontraron problemas de seguridad.</div>';
+  }
+
+  const sorted = [...findings].sort((a, b) => {
+    const order: Record<Severity, number> = {
+      critical: 0, high: 1, medium: 2, low: 3, info: 4,
+    };
+    return order[a.severity] - order[b.severity];
+  });
+
+  return `
+    <table>
+      <thead>
+        <tr>
+          <th>Severidad</th>
+          <th>Categoria</th>
+          <th>Titulo</th>
+          <th>Paquete</th>
+          <th>Recomendacion</th>
+        </tr>
+      </thead>
+      <tbody>
+        ${sorted.map((f) => `
+          <tr>
+            <td><span class="severity severity-${f.severity}">${f.severity.toUpperCase()}</span></td>
+            <td>${CATEGORY_LABELS[f.category] ?? f.category}</td>
+            <td>${escapeHtml(f.title)}</td>
+            <td>${f.package ? `<code>${escapeHtml(f.package)}</code>` : "-"}</td>
+            <td>${f.recommendation ? escapeHtml(f.recommendation) : "-"}</td>
+          </tr>
+        `).join("")}
+      </tbody>
+    </table>
+  `;
+}
+
+function generateScoreBarHtml(score: number): string {
+  const color =
+    score >= 80 ? "#FF0000" :
+    score >= 60 ? "#FF6600" :
+    score >= 40 ? "#FFCC00" :
+    score >= 20 ? "#00CCFF" : "#00CC00";
+
+  return `
+    <div class="score-container">
+      <div class="score-bar">
+        <div class="score-fill" style="width: ${score}%; background-color: ${color};"></div>
+      </div>
+      <div class="score-value" style="color: ${color};">${score}/100</div>
+    </div>
+  `;
+}
+
+export function generateHtmlReport(report: AuditReport): string {
+  const criticalCount = report.findings.filter((f) => f.severity === "critical").length;
+  const highCount = report.findings.filter((f) => f.severity === "high").length;
+  const mediumCount = report.findings.filter((f) => f.severity === "medium").length;
+  const lowCount = report.findings.filter((f) => f.severity === "low").length;
+
+  return `<!DOCTYPE html>
+<html lang="es">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>SecManifest Audit: ${escapeHtml(report.projectName)}</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      background: #0d1117;
+      color: #c9d1d9;
+      padding: 2rem;
+    }
+    .container { max-width: 1200px; margin: 0 auto; }
+    .header {
+      text-align: center;
+      margin-bottom: 2rem;
+      padding: 2rem;
+      background: #161b22;
+      border-radius: 12px;
+      border: 1px solid #30363d;
+    }
+    .header h1 { font-size: 2rem; color: #58a6ff; margin-bottom: 0.5rem; }
+    .header .subtitle { color: #8b949e; }
+    .stats {
+      display: grid;
+      grid-template-columns: repeat(auto-fit, minmax(150px, 1fr));
+      gap: 1rem;
+      margin-bottom: 2rem;
+    }
+    .stat-card {
+      background: #161b22;
+      padding: 1.5rem;
+      border-radius: 8px;
+      border: 1px solid #30363d;
+      text-align: center;
+    }
+    .stat-card .value { font-size: 2rem; font-weight: bold; }
+    .stat-card .label { color: #8b949e; margin-top: 0.5rem; }
+    .score-container {
+      display: flex;
+      align-items: center;
+      gap: 1rem;
+      margin-bottom: 2rem;
+    }
+    .score-bar {
+      flex: 1;
+      height: 24px;
+      background: #21262d;
+      border-radius: 12px;
+      overflow: hidden;
+    }
+    .score-fill {
+      height: 100%;
+      border-radius: 12px;
+      transition: width 0.3s;
+    }
+    .score-value {
+      font-size: 1.5rem;
+      font-weight: bold;
+      min-width: 80px;
+      text-align: right;
+    }
+    table {
+      width: 100%;
+      border-collapse: collapse;
+      background: #161b22;
+      border-radius: 8px;
+      overflow: hidden;
+    }
+    th, td {
+      padding: 0.75rem 1rem;
+      text-align: left;
+      border-bottom: 1px solid #30363d;
+    }
+    th { background: #21262d; font-weight: 600; }
+    tr:hover { background: #1c2128; }
+    .severity {
+      padding: 0.25rem 0.5rem;
+      border-radius: 4px;
+      font-size: 0.75rem;
+      font-weight: bold;
+      color: #000;
+    }
+    .severity-critical { background: #FF0000; color: #fff; }
+    .severity-high { background: #FF6600; color: #000; }
+    .severity-medium { background: #FFCC00; color: #000; }
+    .severity-low { background: #00CCFF; color: #000; }
+    .severity-info { background: #888888; color: #fff; }
+    code {
+      background: #21262d;
+      padding: 0.2rem 0.4rem;
+      border-radius: 4px;
+      font-size: 0.875rem;
+    }
+    .no-findings {
+      text-align: center;
+      padding: 3rem;
+      color: #00CC00;
+      font-size: 1.25rem;
+    }
+    .footer {
+      text-align: center;
+      margin-top: 2rem;
+      color: #8b949e;
+      font-size: 0.875rem;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="header">
+      <h1>SecManifest Security Audit</h1>
+      <div class="subtitle">${escapeHtml(report.projectName)} | ${new Date(report.timestamp).toLocaleString()}</div>
+    </div>
+
+    <div class="stats">
+      <div class="stat-card">
+        <div class="value" style="color: #58a6ff;">${report.totalPackages}</div>
+        <div class="label">Paquetes</div>
+      </div>
+      <div class="stat-card">
+        <div class="value" style="color: ${criticalCount > 0 ? '#FF0000' : '#00CC00'};">${criticalCount}</div>
+        <div class="label">Criticos</div>
+      </div>
+      <div class="stat-card">
+        <div class="value" style="color: ${highCount > 0 ? '#FF6600' : '#00CC00'};">${highCount}</div>
+        <div class="label">Altos</div>
+      </div>
+      <div class="stat-card">
+        <div class="value" style="color: ${mediumCount > 0 ? '#FFCC00' : '#00CC00'};">${mediumCount}</div>
+        <div class="label">Medios</div>
+      </div>
+      <div class="stat-card">
+        <div class="value" style="color: ${lowCount > 0 ? '#00CCFF' : '#00CC00'};">${lowCount}</div>
+        <div class="label">Bajos</div>
+      </div>
+    </div>
+
+    <h2 style="margin-bottom: 1rem;">Score de Riesgo</h2>
+    ${generateScoreBarHtml(report.score)}
+
+    <h2 style="margin-bottom: 1rem;">Hallazgos (${report.findings.length})</h2>
+    ${generateFindingsHtml(report.findings)}
+
+    <div class="footer">
+      Generado por SecManifest v1.0.0 | ${report.packageManager.name ?? "desconocido"} | ${report.duration}ms
+    </div>
+  </div>
+</body>
+</html>`;
+}
+
+export async function saveHtmlReport(
+  report: AuditReport,
+  outputPath?: string,
+): Promise<string> {
+  const html = generateHtmlReport(report);
+  const filePath = outputPath ?? join(
+    process.cwd(),
+    `secmanifest-report-${report.projectName}-${Date.now()}.html`,
+  );
+  await writeFile(filePath, html, "utf-8");
+  return filePath;
+}

package/src/core/notify.ts

@@ -0,0 +1,153 @@
+import { readFile, writeFile, mkdir } from "node:fs/promises";
+import { join } from "node:path";
+import { homedir } from "node:os";
+import type { AuditReport } from "../utils/types.js";
+
+const CONFIG_DIR = join(homedir(), ".secmanifest");
+const CONFIG_FILE = join(CONFIG_DIR, "config.json");
+
+interface SecManifestConfig {
+  slackWebhook?: string;
+  discordWebhook?: string;
+  autoFix?: boolean;
+  cacheResults?: boolean;
+}
+
+async function loadConfig(): Promise<SecManifestConfig> {
+  try {
+    const content = await readFile(CONFIG_FILE, "utf-8");
+    return JSON.parse(content);
+  } catch {
+    return {};
+  }
+}
+
+export async function saveConfig(config: SecManifestConfig): Promise<void> {
+  await mkdir(CONFIG_DIR, { recursive: true });
+  await writeFile(CONFIG_FILE, JSON.stringify(config, null, 2), "utf-8");
+}
+
+export async function sendSlackNotification(report: AuditReport): Promise<boolean> {
+  const config = await loadConfig();
+  const webhookUrl = config.slackWebhook;
+
+  if (!webhookUrl) return false;
+
+  const criticalCount = report.findings.filter((f) => f.severity === "critical").length;
+  const highCount = report.findings.filter((f) => f.severity === "high").length;
+
+  const color =
+    report.score >= 80 ? "#FF0000" :
+    report.score >= 60 ? "#FF6600" :
+    report.score >= 40 ? "#FFCC00" : "#00CC00";
+
+  const blocks = [
+    {
+      type: "header",
+      text: {
+        type: "plain_text",
+        text: `SecManifest Audit: ${report.projectName}`,
+      },
+    },
+    {
+      type: "section",
+      fields: [
+        { type: "mrkdwn", text: `*Score:* ${report.score}/100` },
+        { type: "mrkdwn", text: `*Paquetes:* ${report.totalPackages}` },
+        { type: "mrkdwn", text: `*Criticos:* ${criticalCount}` },
+        { type: "mrkdwn", text: `*Altos:* ${highCount}` },
+      ],
+    },
+  ];
+
+  if (report.findings.length > 0) {
+    const findingText = report.findings
+      .slice(0, 5)
+      .map((f) => `• [${f.severity}] ${f.title}`)
+      .join("\n");
+
+    blocks.push({
+      type: "section",
+      text: {
+        type: "mrkdwn",
+        text: `*Hallazgos:*\n${findingText}`,
+      },
+    });
+  }
+
+  try {
+    const response = await fetch(webhookUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        attachments: [
+          {
+            color,
+            blocks,
+          },
+        ],
+      }),
+    });
+    return response.ok;
+  } catch {
+    return false;
+  }
+}
+
+export async function sendDiscordNotification(report: AuditReport): Promise<boolean> {
+  const config = await loadConfig();
+  const webhookUrl = config.discordWebhook;
+
+  if (!webhookUrl) return false;
+
+  const criticalCount = report.findings.filter((f) => f.severity === "critical").length;
+  const highCount = report.findings.filter((f) => f.severity === "high").length;
+
+  const color =
+    report.score >= 80 ? 0xFF0000 :
+    report.score >= 60 ? 0xFF6600 :
+    report.score >= 40 ? 0xFFCC00 : 0x00CC00;
+
+  const embed = {
+    title: `SecManifest: ${report.projectName}`,
+    description: report.findings.length === 0
+      ? "No se encontraron problemas de seguridad."
+      : report.findings
+          .slice(0, 10)
+          .map((f) => `• [${f.severity}] ${f.title}`)
+          .join("\n"),
+    color,
+    fields: [
+      { name: "Score", value: `${report.score}/100`, inline: true },
+      { name: "Paquetes", value: String(report.totalPackages), inline: true },
+      { name: "Criticos", value: String(criticalCount), inline: true },
+      { name: "Altos", value: String(highCount), inline: true },
+    ],
+    footer: {
+      text: `SecManifest v1.0.0 | ${new Date().toISOString()}`,
+    },
+  };
+
+  try {
+    const response = await fetch(webhookUrl, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ embeds: [embed] }),
+    });
+    return response.ok;
+  } catch {
+    return false;
+  }
+}
+
+export async function sendNotifications(report: AuditReport): Promise<void> {
+  const config = await loadConfig();
+
+  if (config.slackWebhook) {
+    await sendSlackNotification(report);
+  }
+
+  if (config.discordWebhook) {
+    await sendDiscordNotification(report);
+  }
+}

package/src/core/package-manager.ts

@@ -0,0 +1,85 @@
+import { $ } from "bun";
+import type { PackageManager } from "../utils/types.js";
+
+const BLOCKED_MANAGERS = ["npm"];
+
+const MANAGER_PRIORITY: Array<{
+  name: PackageManager["name"];
+  command: string;
+}> = [
+  { name: "pnpm", command: "pnpm" },
+  { name: "bun", command: "bun" },
+  { name: "yarn", command: "yarn" },
+];
+
+async function hasCommand(command: string): Promise<boolean> {
+  try {
+    if (process.platform === "win32") {
+      await $`where ${command}`.quiet();
+    } else {
+      await $`which ${command}`.quiet();
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function getVersion(command: string): Promise<string | null> {
+  try {
+    const result = await $`${command} --version`.quiet();
+    return result.stdout.toString().trim();
+  } catch {
+    return null;
+  }
+}
+
+export async function detectPackageManager(): Promise<PackageManager> {
+  const detectedNpm = await hasCommand("npm");
+  if (detectedNpm) {
+    const npmVersion = await getVersion("npm");
+    return {
+      name: "npm",
+      command: "npm",
+      version: npmVersion ?? undefined,
+      blocked: true,
+      reason:
+        "npm está bloqueado por razones de seguridad. Se requiere pnpm, bun o yarn.",
+    };
+  }
+
+  for (const manager of MANAGER_PRIORITY) {
+    const exists = await hasCommand(manager.command);
+    if (exists) {
+      const version = await getVersion(manager.command);
+      return {
+        name: manager.name,
+        command: manager.command,
+        version: version ?? undefined,
+        blocked: false,
+      };
+    }
+  }
+
+  return {
+    name: null,
+    command: "",
+    blocked: true,
+    reason: "No se encontró ningún gestor de paquetes seguro (pnpm, bun, yarn).",
+  };
+}
+
+export function getLockfileName(
+  managerName: PackageManager["name"],
+): string | null {
+  switch (managerName) {
+    case "pnpm":
+      return "pnpm-lock.yaml";
+    case "bun":
+      return "bun.lock";
+    case "yarn":
+      return "yarn.lock";
+    default:
+      return null;
+  }
+}

package/src/core/project-analyzer.ts

@@ -0,0 +1,84 @@
+import { readFile, stat } from "node:fs/promises";
+import { join } from "node:path";
+import type {
+  ProjectInfo,
+  PackageManager,
+} from "../utils/types.js";
+import { getLockfileName } from "./package-manager.js";
+
+export async function analyzeProject(
+  projectPath: string,
+  packageManager: PackageManager,
+): Promise<ProjectInfo> {
+  const pkgJsonPath = join(projectPath, "package.json");
+  let pkgJsonContent: string;
+
+  try {
+    pkgJsonContent = await readFile(pkgJsonPath, "utf-8");
+  } catch {
+    throw new Error(
+      `No se encontró package.json en: ${projectPath}`,
+    );
+  }
+
+  let pkgJson: Record<string, unknown>;
+  try {
+    pkgJson = JSON.parse(pkgJsonContent);
+  } catch {
+    throw new Error(
+      `Error al parsear package.json en: ${projectPath}`,
+    );
+  }
+
+  const dependencies =
+    (pkgJson.dependencies as Record<string, string>) ?? {};
+  const devDependencies =
+    (pkgJson.devDependencies as Record<string, string>) ?? {};
+  const scripts = (pkgJson.scripts as Record<string, string>) ?? {};
+
+  const lockfileName = getLockfileName(packageManager.name);
+  let lockfilePath: string | null = null;
+  let lockfileType: "pnpm" | "bun" | "yarn" | null = null;
+
+  if (lockfileName) {
+    const potentialPath = join(projectPath, lockfileName);
+    try {
+      await stat(potentialPath);
+      lockfilePath = potentialPath;
+      lockfileType = packageManager.name as "pnpm" | "bun" | "yarn";
+    } catch {
+      // Lockfile doesn't exist
+    }
+  }
+
+  return {
+    name: (pkgJson.name as string) ?? "unknown",
+    version: (pkgJson.version as string) ?? "0.0.0",
+    dependencies,
+    devDependencies,
+    scripts,
+    lockfilePath,
+    lockfileType,
+  };
+}
+
+export async function getInstalledPackages(
+  projectPath: string,
+  packageManager: PackageManager,
+): Promise<Array<{ name: string; version: string }>> {
+  const pkgJsonPath = join(projectPath, "package.json");
+  const pkgJsonContent = await readFile(pkgJsonPath, "utf-8");
+  const pkgJson = JSON.parse(pkgJsonContent);
+
+  const allDeps: Record<string, string> = {
+    ...(pkgJson.dependencies ?? {}),
+    ...(pkgJson.devDependencies ?? {}),
+  };
+
+  return Object.entries(allDeps)
+    .filter(([_, version]) => typeof version === "string")
+    .map(([name, version]) => ({
+      name,
+      version: version.replace(/[\^~>=<]*/, ""),
+    }));
+}