secmanifest 1.0.0

package/src/scanners/outdated.ts

@@ -0,0 +1,76 @@
+import { readFile } from "node:fs/promises";
+import { join } from "node:path";
+import { $ } from "bun";
+import type { Finding, ScanResult, ProjectInfo } from "../utils/types.js";
+
+export async function scanOutdated(
+  projectInfo: ProjectInfo,
+  projectPath: string,
+  pmCommand: string,
+): Promise<ScanResult> {
+  const startTime = Date.now();
+  const findings: Finding[] = [];
+  const errors: Error[] = [];
+
+  const allDeps = {
+    ...projectInfo.dependencies,
+    ...projectInfo.devDependencies,
+  };
+
+  if (Object.keys(allDeps).length === 0) {
+    return { findings, errors, duration: Date.now() - startTime };
+  }
+
+  try {
+    let outdatedOutput: string;
+
+    if (pmCommand === "pnpm") {
+      const result = await $`${pmCommand} outdated --format json`.quiet().cwd(projectPath);
+      outdatedOutput = result.stdout.toString();
+    } else if (pmCommand === "yarn") {
+      const result = await $`${pmCommand} outdated --json`.quiet().cwd(projectPath);
+      outdatedOutput = result.stdout.toString();
+    } else {
+      const result = await $`${pmCommand} outdated --json`.quiet().cwd(projectPath);
+      outdatedOutput = result.stdout.toString();
+    }
+
+    if (outdatedOutput.trim()) {
+      try {
+        const outdated = JSON.parse(outdatedOutput);
+
+        const deps = outdated.dependencies ?? outdated;
+        for (const [name, info] of Object.entries(deps as Record<string, Record<string, string>>)) {
+          if (info.current && info.latest && info.current !== info.latest) {
+            const isMajor = info.latest.split(".")[0] !== info.current.split(".")[0];
+
+            findings.push({
+              id: `outdated-${name}`,
+              severity: isMajor ? "medium" : "low",
+              category: "vulnerability",
+              title: `Paquete desactualizado: ${name}`,
+              description: `${name} tiene version ${info.current} pero la ultima es ${info.latest}${isMajor ? " (cambio mayor)" : ""}.`,
+              package: name,
+              version: info.current,
+              recommendation: `Actualizar a ${info.latest}${isMajor ? " - revisar changelog por breaking changes" : ""}`,
+            });
+          }
+        }
+      } catch {
+        // JSON parsing failed, try line-by-line
+      }
+    }
+  } catch (error) {
+    errors.push(
+      new Error(
+        `Error al verificar paquetes desactualizados: ${error instanceof Error ? error.message : String(error)}`,
+      ),
+    );
+  }
+
+  return {
+    findings,
+    errors,
+    duration: Date.now() - startTime,
+  };
+}

package/src/scanners/secrets.ts

@@ -0,0 +1,224 @@
+import { readFile, readdir, stat } from "node:fs/promises";
+import { join } from "node:path";
+import type { Finding, ScanResult } from "../utils/types.js";
+
+interface SecretPattern {
+  name: string;
+  regex: RegExp;
+  severity: "critical" | "high" | "medium";
+}
+
+const SECRET_PATTERNS: SecretPattern[] = [
+  { name: "AWS Access Key", regex: /AKIA[0-9A-Z]{16}/g, severity: "critical" },
+  { name: "AWS Secret Key", regex: /aws[_\-]?secret[_\-]?access[_\-]?key\s*[:=]\s*['"]?[A-Za-z0-9/+=]{40}/gi, severity: "critical" },
+  { name: "GitHub Token", regex: /gh[pousr]_[A-Za-z0-9_]{36,}/g, severity: "critical" },
+  { name: "GitHub Fine-grained PAT", regex: /github_pat_[A-Za-z0-9_]{82,}/g, severity: "critical" },
+  { name: "GitLab Token", regex: /glpat-[A-Za-z0-9\-_]{20,}/g, severity: "critical" },
+  { name: "Slack Token", regex: /xox[baprs]-[0-9]{10,}-[A-Za-z0-9\-]+/g, severity: "high" },
+  { name: "Slack Webhook", regex: /https:\/\/hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]+/g, severity: "high" },
+  { name: "Stripe Key", regex: /[rs]k_(live|test)_[A-Za-z0-9]{24,}/g, severity: "critical" },
+  { name: "Google API Key", regex: /AIza[A-Za-z0-9\-_]{35}/g, severity: "high" },
+  { name: "Heroku API Key", regex: /heroku[_\-]?api[_\-]?key\s*[:=]\s*['"]?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/gi, severity: "high" },
+  { name: "npm Token", regex: /npm_[A-Za-z0-9]{36}/g, severity: "critical" },
+  { name: "Bearer Token", regex: /bearer\s+[A-Za-z0-9\-._~+/]+=*/gi, severity: "high" },
+  { name: "Private Key", regex: /-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----/g, severity: "critical" },
+  { name: "Connection String", regex: /(mongodb|mysql|postgres|redis):\/\/[^\s'"]+/gi, severity: "high" },
+  { name: "Generic Secret", regex: /(secret|password|passwd|pwd)\s*[:=]\s*['"]?[^\s'"]{8,}/gi, severity: "medium" },
+  { name: "JWT Token", regex: /eyJ[A-Za-z0-9\-_]+\.eyJ[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_.+/=]+/g, severity: "medium" },
+];
+
+const ENV_FILENAMES = [
+  ".env",
+  ".env.local",
+  ".env.development",
+  ".env.development.local",
+  ".env.production",
+  ".env.production.local",
+  ".env.test",
+  ".env.test.local",
+  ".env.staging",
+  ".env.backup",
+];
+
+const ALWAYS_COMMIT_PATTERNS = [
+  "AWS_ACCESS_KEY_ID",
+  "AWS_SECRET_ACCESS_KEY",
+  "AWS_SESSION_TOKEN",
+  "DATABASE_URL",
+  "DB_PASSWORD",
+  "REDIS_URL",
+  "STRIPE_SECRET_KEY",
+  "STRIPE_PUBLISHABLE_KEY",
+  "GITHUB_TOKEN",
+  "NPM_TOKEN",
+  "SECRET_KEY",
+  "PRIVATE_KEY",
+  "API_KEY",
+  "API_SECRET",
+];
+
+async function scanFileForSecrets(
+  filePath: string,
+  findings: Finding[],
+): Promise<void> {
+  let content: string;
+  try {
+    content = await readFile(filePath, "utf-8");
+  } catch {
+    return;
+  }
+
+  const lines = content.split("\n");
+
+  for (const pattern of SECRET_PATTERNS) {
+    const regex = new RegExp(pattern.regex.source, pattern.regex.flags);
+    let match: RegExpExecArray | null;
+
+    while ((match = regex.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split("\n").length;
+      const line = lines[lineNumber - 1]?.trim() ?? "";
+
+      if (line.startsWith("#") || line.startsWith("//")) continue;
+      if (line.startsWith("*") || line.startsWith("-")) continue;
+      if (/^\s*\{/.test(line) || /^interface\s/.test(line)) continue;
+
+      const prevLine = lines[lineNumber - 2]?.trim() ?? "";
+      if (prevLine.includes("regex:") || prevLine.includes("name:")) continue;
+
+      if (filePath.includes("scanners/secrets.ts")) {
+        if (line.includes("regex:") || line.includes("name:")) continue;
+        if (line.includes("severity:")) continue;
+        if (line.includes("SecretPattern")) continue;
+        if (line.includes("const SECRET_PATTERNS")) continue;
+      }
+
+      findings.push({
+        id: `secret-${pattern.name.toLowerCase().replace(/\s+/g, "-")}-${filePath}-${lineNumber}`,
+        severity: pattern.severity,
+        category: "backdoor",
+        title: `${pattern.name} encontrado en ${filePath}:${lineNumber}`,
+        description: `Se detecto un posible ${pattern.name} en la linea ${lineNumber}. Valor parcial: ${match[0].substring(0, 20)}...`,
+        recommendation: `Mover este secreto a un archivo .env y asegurarse de que .env esta en .gitignore.`,
+      });
+    }
+  }
+}
+
+async function scanEnvFiles(
+  projectPath: string,
+  findings: Finding[],
+): Promise<void> {
+  for (const envFile of ENV_FILENAMES) {
+    const envPath = join(projectPath, envFile);
+    try {
+      await stat(envPath);
+      findings.push({
+        id: `secret-env-file-${envFile}`,
+        severity: "high",
+        category: "backdoor",
+        title: `Archivo de entorno expuesto: ${envFile}`,
+        description: `El archivo ${envFile} existe en el directorio del proyecto. Si esta committeado, los secretos estan expuestos.`,
+        recommendation: `Verificar que ${envFile} esta en .gitignore y no esta en el historial de git.`,
+      });
+
+      await scanFileForSecrets(envPath, findings);
+    } catch {
+      // File doesn't exist
+    }
+  }
+}
+
+async function scanGitignore(
+  projectPath: string,
+  findings: Finding[],
+): Promise<void> {
+  const gitignorePath = join(projectPath, ".gitignore");
+  let content: string;
+  try {
+    content = await readFile(gitignorePath, "utf-8");
+  } catch {
+    findings.push({
+      id: "secret-no-gitignore",
+      severity: "high",
+      category: "backdoor",
+      title: "No se encontro .gitignore",
+      description: "El proyecto no tiene un archivo .gitignore. Los secretos pueden ser committeados accidentalmente.",
+      recommendation: "Crear un .gitignore que incluya .env, node_modules, y otros archivos sensibles.",
+    });
+    return;
+  }
+
+  const alwaysIgnore = [".env", ".env.*"];
+  for (const pattern of alwaysIgnore) {
+    if (!content.includes(pattern)) {
+      findings.push({
+        id: `secret-gitignore-missing-${pattern}`,
+        severity: "medium",
+        category: "backdoor",
+        title: `.gitignore no incluye ${pattern}`,
+        description: `El patron ${pattern} no esta en .gitignore. Los archivos sensibles podrian ser committeados.`,
+        recommendation: `Agregar ${pattern} a .gitignore.`,
+      });
+    }
+  }
+}
+
+async function scanSourceFiles(
+  projectPath: string,
+  findings: Finding[],
+): Promise<void> {
+  const sourceExtensions = [".js", ".ts", ".jsx", ".tsx", ".mjs", ".cjs"];
+  const ignoreDirs = ["node_modules", ".git", "dist", "build", ".next"];
+
+  async function walkDir(dir: string): Promise<void> {
+    let entries;
+    try {
+      entries = await readdir(dir, { withFileTypes: true });
+    } catch {
+      return;
+    }
+
+    for (const entry of entries) {
+      if (entry.name.startsWith(".") && entry.name !== ".env") continue;
+      if (ignoreDirs.includes(entry.name)) continue;
+
+      const fullPath = join(dir, entry.name);
+
+      if (entry.isDirectory()) {
+        await walkDir(fullPath);
+      } else if (
+        sourceExtensions.some((ext) => entry.name.endsWith(ext))
+      ) {
+        await scanFileForSecrets(fullPath, findings);
+      }
+    }
+  }
+
+  await walkDir(projectPath);
+}
+
+export async function scanSecrets(
+  projectPath: string,
+): Promise<ScanResult> {
+  const startTime = Date.now();
+  const findings: Finding[] = [];
+  const errors: Error[] = [];
+
+  try {
+    await scanEnvFiles(projectPath, findings);
+    await scanGitignore(projectPath, findings);
+    await scanSourceFiles(projectPath, findings);
+  } catch (error) {
+    errors.push(
+      new Error(
+        `Error al escanear secrets: ${error instanceof Error ? error.message : String(error)}`,
+      ),
+    );
+  }
+
+  return {
+    findings,
+    errors,
+    duration: Date.now() - startTime,
+  };
+}

package/src/scanners/socket-dev.ts

@@ -0,0 +1,140 @@
+import type { Finding, ScanResult } from "../utils/types.js";
+import { httpRequest } from "../utils/http.js";
+import { cacheGet, cacheSet } from "../utils/cache.js";
+
+interface SocketPackageScore {
+  name: string;
+  score: number;
+  flags: string[];
+  details: {
+    network: number;
+    lifecycle: number;
+    codeQuality: number;
+    maintenance: number;
+    supplyChain: number;
+  };
+}
+
+interface SocketResponse {
+  scores: SocketPackageScore[];
+}
+
+const SOCKET_API_URL = "https://api.socket.dev/v0/packages";
+
+const SUSPICIOUS_FLAGS = [
+  "installScripts",
+  "networkAccess",
+  "obfuscatedCode",
+  "telemetry",
+  "cryptoMining",
+  "shellExecution",
+  "fileSystemAccess",
+  "envAccess",
+  "dynamicRequire",
+  "evalUsage",
+];
+
+export async function scanSocketDev(
+  packages: Array<{ name: string; version: string }>,
+): Promise<ScanResult> {
+  const startTime = Date.now();
+  const findings: Finding[] = [];
+  const errors: Error[] = [];
+
+  if (packages.length === 0) {
+    return { findings, errors, duration: Date.now() - startTime };
+  }
+
+  const BATCH_SIZE = 50;
+
+  for (let i = 0; i < packages.length; i += BATCH_SIZE) {
+    const batch = packages.slice(i, i + BATCH_SIZE);
+
+    for (const pkg of batch) {
+      const cacheKey = `${pkg.name}@${pkg.version}`;
+      const cached = await cacheGet<SocketPackageScore>("socket", cacheKey);
+      if (cached) {
+        processSocketScore(cached, findings);
+        continue;
+      }
+
+      try {
+        const response = await httpRequest<SocketPackageScore>(
+          `${SOCKET_API_URL}/${encodeURIComponent(pkg.name)}`,
+          {
+            headers: {
+              Accept: "application/json",
+            },
+            timeout: 10000,
+          },
+        );
+
+        if (response) {
+          await cacheSet("socket", cacheKey, response);
+          processSocketScore(response, findings);
+        }
+      } catch {
+        // Socket.dev API not available or package not found
+      }
+
+      await new Promise((resolve) => setTimeout(resolve, 100));
+    }
+  }
+
+  return {
+    findings,
+    errors,
+    duration: Date.now() - startTime,
+  };
+}
+
+function processSocketScore(
+  score: SocketPackageScore,
+  findings: Finding[],
+): void {
+  if (score.score < 50) {
+    findings.push({
+      id: `socket-low-score-${score.name}`,
+      severity: score.score < 20 ? "critical" : "high",
+      category: "malware",
+      title: `Socket.dev score bajo: ${score.name} (${score.score}/100)`,
+      description: `${score.name} tiene un score de seguridad de ${score.score}/100 en Socket.dev. Paquetes con score bajo tienen mayor riesgo de ser maliciosos.`,
+      package: score.name,
+      recommendation: `Revisar el paquete en https://socket.dev/npm/package/${score.name}`,
+      reference: `https://socket.dev/npm/package/${score.name}`,
+    });
+  }
+
+  for (const flag of score.flags) {
+    if (SUSPICIOUS_FLAGS.includes(flag)) {
+      findings.push({
+        id: `socket-flag-${flag}-${score.name}`,
+        severity: getFlagSeverity(flag),
+        category: "malware",
+        title: `Socket.dev flag: ${flag} en ${score.name}`,
+        description: `${score.name} tiene la flag "${flag}" detectada por Socket.dev.`,
+        package: score.name,
+        recommendation: `Revisar el comportamiento del paquete en Socket.dev.`,
+        reference: `https://socket.dev/npm/package/${score.name}`,
+      });
+    }
+  }
+}
+
+function getFlagSeverity(flag: string): Finding["severity"] {
+  switch (flag) {
+    case "cryptoMining":
+    case "shellExecution":
+    case "obfuscatedCode":
+      return "critical";
+    case "networkAccess":
+    case "dynamicRequire":
+    case "evalUsage":
+      return "high";
+    case "installScripts":
+    case "fileSystemAccess":
+      return "medium";
+    default:
+      return "low";
+  }
+}

package/src/scanners/transitive.ts

@@ -0,0 +1,97 @@
+import { readFile } from "node:fs/promises";
+import { join } from "node:path";
+import type { Finding, ScanResult, ProjectInfo } from "../utils/types.js";
+
+interface PackageJson {
+  name?: string;
+  version?: string;
+  dependencies?: Record<string, string>;
+  devDependencies?: Record<string, string>;
+}
+
+async function getAllTransitiveDeps(
+  projectPath: string,
+  deps: Record<string, string>,
+): Promise<Map<string, string>> {
+  const allDeps = new Map<string, string>();
+
+  for (const [name, version] of Object.entries(deps)) {
+    allDeps.set(name, version);
+
+    const pkgJsonPath = join(projectPath, "node_modules", name, "package.json");
+    try {
+      const content = await readFile(pkgJsonPath, "utf-8");
+      const pkgJson: PackageJson = JSON.parse(content);
+
+      if (pkgJson.dependencies) {
+        for (const [depName, depVersion] of Object.entries(pkgJson.dependencies)) {
+          if (!allDeps.has(depName)) {
+            allDeps.set(depName, depVersion);
+          }
+        }
+      }
+    } catch {
+      // Package not found
+    }
+  }
+
+  return allDeps;
+}
+
+export async function scanTransitive(
+  projectInfo: ProjectInfo,
+  projectPath: string,
+): Promise<ScanResult> {
+  const startTime = Date.now();
+  const findings: Finding[] = [];
+  const errors: Error[] = [];
+
+  const allDeps = {
+    ...projectInfo.dependencies,
+    ...projectInfo.devDependencies,
+  };
+
+  const transitiveDeps = await getAllTransitiveDeps(projectPath, allDeps);
+
+  const directDepNames = new Set(Object.keys(allDeps));
+  const transitiveOnly = new Map<string, string>();
+
+  for (const [name, version] of transitiveDeps) {
+    if (!directDepNames.has(name)) {
+      transitiveOnly.set(name, version);
+    }
+  }
+
+  for (const [name, version] of transitiveOnly) {
+    if (version.includes("*") || version === "latest" || version === ">=0.0.0") {
+      findings.push({
+        id: `transitive-open-${name}`,
+        severity: "medium",
+        category: "vulnerability",
+        title: `Dependencia transitiva con version abierta: ${name}`,
+        description: `${name} es una dependencia transitiva con version "${version}". Las dependencias transitivas con versiones abiertas son vectores de ataque.`,
+        package: name,
+        version,
+        recommendation: `Auditar si ${name} es necesario y si tiene una version segura disponible.`,
+      });
+    }
+  }
+
+  const totalTransitive = transitiveOnly.size;
+  if (totalTransitive > 50) {
+    findings.push({
+      id: "transitive-high-count",
+      severity: "low",
+      category: "vulnerability",
+      title: `Alto numero de dependencias transitivas: ${totalTransitive}`,
+      description: `El proyecto tiene ${totalTransitive} dependencias transitivas. Un arbol de dependencias grande incrementa la superficie de ataque.`,
+      recommendation: "Revisar si todas las dependencias son necesarias.",
+    });
+  }
+
+  return {
+    findings,
+    errors,
+    duration: Date.now() - startTime,
+  };
+}

package/src/scanners/vulnerabilities.ts

@@ -0,0 +1,63 @@
+import chalk from "chalk";
+import type { Finding, ScanResult } from "../utils/types.js";
+import { checkOssIndex } from "../utils/http.js";
+
+export async function scanVulnerabilities(
+  packages: Array<{ name: string; version: string }>,
+): Promise<ScanResult> {
+  const startTime = Date.now();
+  const findings: Finding[] = [];
+  const errors: Error[] = [];
+
+  if (packages.length === 0) {
+    return { findings, errors, duration: Date.now() - startTime };
+  }
+
+  try {
+    const results = await checkOssIndex(packages);
+
+    for (const result of results) {
+      for (const vuln of result.vulnerabilities) {
+        const packageName = result.coordinates.replace(
+          "pkg:npm/",
+          "",
+        );
+
+        let severity: Finding["severity"] = "info";
+        if (vuln.severity === "CRITICAL") severity = "critical";
+        else if (vuln.severity === "HIGH") severity = "high";
+        else if (vuln.severity === "MEDIUM") severity = "medium";
+        else if (vuln.severity === "LOW") severity = "low";
+
+        findings.push({
+          id: vuln.id,
+          severity,
+          category: "vulnerability",
+          title: vuln.title || vuln.displayName,
+          description:
+            vuln.description ||
+            `Vulnerabilidad encontrada en ${packageName}`,
+          package: packageName,
+          cve: vuln.cve || undefined,
+          reference: vuln.reference,
+          recommendation:
+            severity === "critical" || severity === "high"
+              ? `Actualizar ${packageName} a la ultima version`
+              : undefined,
+        });
+      }
+    }
+  } catch (error) {
+    errors.push(
+      new Error(
+        `Error al consultar Sonatype OSS Index: ${error instanceof Error ? error.message : String(error)}`,
+      ),
+    );
+  }
+
+  return {
+    findings,
+    errors,
+    duration: Date.now() - startTime,
+  };
+}

package/src/utils/cache.ts

@@ -0,0 +1,59 @@
+import { readFile, writeFile, mkdir } from "node:fs/promises";
+import { join } from "node:path";
+import { homedir } from "node:os";
+
+const CACHE_DIR = join(homedir(), ".secmanifest", "cache");
+const CACHE_TTL_MS = 60 * 60 * 1000;
+
+interface CacheEntry<T> {
+  data: T;
+  timestamp: number;
+}
+
+async function ensureCacheDir(): Promise<void> {
+  try {
+    await mkdir(CACHE_DIR, { recursive: true });
+  } catch {
+    // Directory exists
+  }
+}
+
+function getCacheKey(namespace: string, key: string): string {
+  const sanitized = key.replace(/[^a-zA-Z0-9-_]/g, "_");
+  return join(CACHE_DIR, `${namespace}_${sanitized}.json`);
+}
+
+export async function cacheGet<T>(namespace: string, key: string): Promise<T | null> {
+  const cachePath = getCacheKey(namespace, key);
+  try {
+    const content = await readFile(cachePath, "utf-8");
+    const entry: CacheEntry<T> = JSON.parse(content);
+    if (Date.now() - entry.timestamp > CACHE_TTL_MS) {
+      return null;
+    }
+    return entry.data;
+  } catch {
+    return null;
+  }
+}
+
+export async function cacheSet<T>(namespace: string, key: string, data: T): Promise<void> {
+  await ensureCacheDir();
+  const cachePath = getCacheKey(namespace, key);
+  const entry: CacheEntry<T> = { data, timestamp: Date.now() };
+  await writeFile(cachePath, JSON.stringify(entry), "utf-8");
+}
+
+export async function cacheClear(namespace?: string): Promise<void> {
+  const { readdir, unlink } = await import("node:fs/promises");
+  try {
+    const files = await readdir(CACHE_DIR);
+    for (const file of files) {
+      if (!namespace || file.startsWith(namespace)) {
+        await unlink(join(CACHE_DIR, file)).catch(() => {});
+      }
+    }
+  } catch {
+    // Cache dir doesn't exist
+  }
+}