secure-review-extension 1.0.0

package/extension.js

@@ -0,0 +1,368 @@
+const vscode = require("vscode");
+const { FindingsStore } = require("./src/store");
+const { FindingsProvider } = require("./src/findings-provider");
+const { scanWorkspace, scanCurrentFile } = require("./src/scanners/static-scan");
+const { runDockerZapScan } = require("./src/scanners/dynamic-scan");
+const { detectWorkspace, buildInstallPlan, formatInstallPlan } = require("./src/scanners/bootstrap-tools");
+const { applyDiagnostics } = require("./src/diagnostics");
+const { buildReportModel, renderReportHtml, exportReport, promptReportMetadata } = require("./src/report");
+const { SecureReviewCodeActionProvider } = require("./src/code-actions");
+const { severityOrder } = require("./src/constants");
+
+let reportPanel;
+let lastReportMetadata;
+
+function activate(context) {
+  const store = new FindingsStore();
+  const diagnostics = vscode.languages.createDiagnosticCollection("secureReview");
+  const statusBar = vscode.window.createStatusBarItem(vscode.StatusBarAlignment.Left, 100);
+  statusBar.text = "$(shield) Secure Review: Ready";
+  statusBar.command = "secureReview.scanWorkspace";
+  statusBar.show();
+
+  const configAccessor = () => vscode.workspace.getConfiguration("secureReview");
+  const provider = new FindingsProvider(store, configAccessor);
+
+  context.subscriptions.push(
+    diagnostics,
+    statusBar,
+    vscode.window.registerTreeDataProvider("secureReview.findingsView", provider),
+    vscode.languages.registerCodeActionsProvider(
+      { scheme: "file" },
+      new SecureReviewCodeActionProvider(store)
+    )
+  );
+
+  function refreshUi() {
+    const minSeverity = configAccessor().get("minimumSeverity", "low");
+    const visibleFindings = store.getVisibleFindings(minSeverity, severityOrder);
+    applyDiagnostics(diagnostics, visibleFindings);
+    statusBar.text = `$(shield) Secure Review: ${visibleFindings.length} findings`;
+
+    if (reportPanel) {
+      const reportModel = buildReportModel(visibleFindings, getReportMetadata(store.lastRun));
+      reportPanel.webview.html = renderReportHtml(reportModel);
+    }
+  }
+
+  store.onDidChange(refreshUi);
+
+  async function runWorkspaceScan() {
+    if (!vscode.workspace.workspaceFolders?.length) {
+      vscode.window.showWarningMessage("Open a workspace folder before running Secure Review.");
+      return;
+    }
+
+    await vscode.window.withProgress(
+      {
+        location: vscode.ProgressLocation.Notification,
+        title: "Secure Review: scanning workspace",
+        cancellable: false
+      },
+      async () => {
+        const findings = await scanWorkspace(configAccessor());
+        const dynamicFindings = store.findings.filter((item) => item.source === "dynamic");
+        store.setFindings(sortFindings([...findings, ...dynamicFindings]));
+        vscode.window.showInformationMessage(`Secure Review found ${store.findings.length} total findings.`);
+      }
+    );
+  }
+
+  async function runCurrentFileScan() {
+    const editor = vscode.window.activeTextEditor;
+    if (!editor) {
+      vscode.window.showWarningMessage("Open a file before running a current-file scan.");
+      return;
+    }
+
+    await vscode.window.withProgress(
+      {
+        location: vscode.ProgressLocation.Notification,
+        title: "Secure Review: scanning current file",
+        cancellable: false
+      },
+      async () => {
+        const currentFileFindings = await scanCurrentFile();
+        const otherStaticFindings = store.findings.filter(
+          (item) => item.source === "static" && item.filePath !== editor.document.uri.fsPath
+        );
+        const dynamicFindings = store.findings.filter((item) => item.source === "dynamic");
+
+        store.setFindings(sortFindings([...otherStaticFindings, ...currentFileFindings, ...dynamicFindings]));
+        vscode.window.showInformationMessage(`Secure Review updated findings for ${editor.document.fileName}.`);
+      }
+    );
+  }
+
+  async function runDynamicScan() {
+    const mode = configAccessor().get("dynamicScanMode", "baseline");
+    if (mode === "full") {
+      const choice = await vscode.window.showWarningMessage(
+        "ZAP full scan performs active attacks and should only be used against developer-controlled local or test applications.",
+        { modal: true },
+        "Run Full Scan"
+      );
+
+      if (choice !== "Run Full Scan") {
+        return;
+      }
+    }
+
+    await vscode.window.withProgress(
+      {
+        location: vscode.ProgressLocation.Notification,
+        title: `Secure Review: running Docker-based ZAP ${mode} scan`,
+        cancellable: false
+      },
+      async () => {
+        try {
+          const dynamicFindings = await runDockerZapScan(configAccessor());
+          const staticFindings = store.findings.filter((item) => item.source === "static");
+          store.setFindings(sortFindings([...staticFindings, ...dynamicFindings]));
+          vscode.window.showInformationMessage(`Secure Review dynamic scan completed with ${dynamicFindings.length} findings.`);
+        } catch (error) {
+          vscode.window.showErrorMessage(`Dynamic scan failed: ${error.message}`);
+        }
+      }
+    );
+  }
+
+  function openReport() {
+    if (!reportPanel) {
+      reportPanel = vscode.window.createWebviewPanel(
+        "secureReview.report",
+        "Secure Review Report",
+        vscode.ViewColumn.Beside,
+        { enableFindWidget: true }
+      );
+
+      reportPanel.onDidDispose(() => {
+        reportPanel = undefined;
+      }, null, context.subscriptions);
+    }
+
+    const minSeverity = configAccessor().get("minimumSeverity", "low");
+    const visibleFindings = store.getVisibleFindings(minSeverity, severityOrder);
+    const reportModel = buildReportModel(visibleFindings, getReportMetadata(store.lastRun));
+    reportPanel.webview.html = renderReportHtml(reportModel);
+    reportPanel.reveal();
+  }
+
+  async function exportFindingsReport() {
+    const minSeverity = configAccessor().get("minimumSeverity", "low");
+    const visibleFindings = store.getVisibleFindings(minSeverity, severityOrder);
+    const selection = await promptReportScope(visibleFindings);
+    if (!selection) {
+      return;
+    }
+
+    const scopedFindings = filterFindingsForReport(visibleFindings, selection.scope);
+    const metadata = await promptReportMetadata(selection.defaultScanType);
+    if (!metadata) {
+      return;
+    }
+
+    lastReportMetadata = metadata;
+    const reportModel = buildReportModel(
+      scopedFindings,
+      getReportMetadata(store.lastRun, selection.defaultScanType)
+    );
+    const saved = await exportReport(reportModel);
+
+    if (saved) {
+      vscode.window.showInformationMessage("Secure Review report exported.");
+    }
+  }
+
+  function clearFindings() {
+    store.clear();
+    diagnostics.clear();
+    vscode.window.showInformationMessage("Secure Review findings cleared.");
+  }
+
+  async function inspectWorkspaceRequirements() {
+    const workspaceRoot = vscode.workspace.workspaceFolders?.[0]?.uri.fsPath;
+    if (!workspaceRoot) {
+      vscode.window.showWarningMessage("Open a workspace folder before checking Secure Review requirements.");
+      return;
+    }
+
+    const profile = detectWorkspace(workspaceRoot);
+    const plan = buildInstallPlan(profile);
+    const formatted = formatInstallPlan(profile, plan);
+
+    const document = await vscode.workspace.openTextDocument({
+      language: "markdown",
+      content: `# Secure Review Workspace Requirements\n\n\`\`\`text\n${formatted}\n\`\`\`\n`
+    });
+
+    await vscode.window.showTextDocument(document, {
+      preview: false,
+      viewColumn: vscode.ViewColumn.Beside
+    });
+
+    if (!plan.length) {
+      vscode.window.showInformationMessage("Secure Review did not find any additional language-specific scanner requirements for this workspace.");
+      return;
+    }
+
+    vscode.window.showInformationMessage(
+      `Secure Review identified ${plan.length} scanner tool requirement${plan.length === 1 ? "" : "s"} for this workspace.`
+    );
+  }
+
+  async function openFinding(finding) {
+    const targetFinding = finding?.id ? finding : store.getById(finding);
+    if (!targetFinding) {
+      return;
+    }
+
+    if (targetFinding.filePath) {
+      const document = await vscode.workspace.openTextDocument(targetFinding.filePath);
+      const editor = await vscode.window.showTextDocument(document, { preview: false });
+      const line = Math.max(0, (targetFinding.line || 1) - 1);
+      const column = Math.max(0, (targetFinding.column || 1) - 1);
+      const position = new vscode.Position(line, column);
+      editor.selection = new vscode.Selection(position, position);
+      editor.revealRange(new vscode.Range(position, position), vscode.TextEditorRevealType.InCenter);
+    }
+
+    vscode.window.showInformationMessage(
+      `${targetFinding.title}: ${targetFinding.remediation}`,
+      "Open Report"
+    ).then((action) => {
+      if (action === "Open Report") {
+        openReport();
+      }
+    });
+  }
+
+  function ignoreFinding(finding) {
+    const targetFinding = finding?.id ? finding : store.getById(finding);
+    if (!targetFinding) {
+      return;
+    }
+
+    store.ignore(targetFinding.id);
+    vscode.window.showInformationMessage(`Ignored finding ${targetFinding.code}.`);
+  }
+
+  context.subscriptions.push(
+    vscode.commands.registerCommand("secureReview.scanWorkspace", runWorkspaceScan),
+    vscode.commands.registerCommand("secureReview.inspectRequirements", inspectWorkspaceRequirements),
+    vscode.commands.registerCommand("secureReview.scanCurrentFile", runCurrentFileScan),
+    vscode.commands.registerCommand("secureReview.dynamicScan", runDynamicScan),
+    vscode.commands.registerCommand("secureReview.openReport", openReport),
+    vscode.commands.registerCommand("secureReview.exportReport", exportFindingsReport),
+    vscode.commands.registerCommand("secureReview.clearFindings", clearFindings),
+    vscode.commands.registerCommand("secureReview.openFinding", openFinding),
+    vscode.commands.registerCommand("secureReview.ignoreFinding", ignoreFinding)
+  );
+
+  context.subscriptions.push(
+    vscode.workspace.onDidSaveTextDocument(async () => {
+      if (configAccessor().get("runOnSave", false)) {
+        await runCurrentFileScan();
+      }
+    })
+  );
+
+  refreshUi();
+
+  function getReportMetadata(lastRun, defaultScanType) {
+    return {
+      projectName: lastReportMetadata?.projectName || vscode.workspace.workspaceFolders?.[0]?.name || "Workspace",
+      reportDate: lastReportMetadata?.reportDate || (lastRun || new Date()),
+      scanType: lastReportMetadata?.scanType || defaultScanType || (store.findings.some((item) => item.source === "dynamic") ? "Static + Dynamic Analysis" : "Static Analysis"),
+      notes: lastReportMetadata?.notes || "",
+      scanConfiguration: `Minimum Severity: ${configAccessor().get("minimumSeverity", "low")}; Run On Save: ${configAccessor().get("runOnSave", false) ? "Enabled" : "Disabled"}; Built-In Rules: ${configAccessor().get("enableBuiltInRules", true) ? "Enabled" : "Disabled"}; Semgrep: ${configAccessor().get("enableSemgrep", true) ? "Enabled" : "Disabled"}; ESLint: ${configAccessor().get("enableEslint", true) ? "Enabled" : "Disabled"}; Bandit: ${configAccessor().get("enableBandit", true) ? "Enabled" : "Disabled"}; npm audit: ${configAccessor().get("enableNpmAudit", true) ? "Enabled" : "Disabled"}; pip-audit: ${configAccessor().get("enablePipAudit", true) ? "Enabled" : "Disabled"}; SpotBugs: ${configAccessor().get("enableSpotBugs", true) ? "Enabled" : "Disabled"}; gosec: ${configAccessor().get("enableGosec", true) ? "Enabled" : "Disabled"}; govulncheck: ${configAccessor().get("enableGovulncheck", true) ? "Enabled" : "Disabled"}; cargo-audit: ${configAccessor().get("enableCargoAudit", true) ? "Enabled" : "Disabled"}; Clippy: ${configAccessor().get("enableClippy", true) ? "Enabled" : "Disabled"}; cppcheck: ${configAccessor().get("enableCppcheck", true) ? "Enabled" : "Disabled"}; Dynamic URL: ${configAccessor().get("dynamicBaseUrl", "http://127.0.0.1:3000")}; Dynamic Mode: ${configAccessor().get("dynamicScanMode", "baseline")}; Ajax Spider: ${configAccessor().get("dynamicUseAjaxSpider", false) ? "Enabled" : "Disabled"}`
+    };
+  }
+}
+
+async function promptReportScope(findings) {
+  const staticCount = findings.filter((finding) => finding.source !== "dynamic").length;
+  const dynamicCount = findings.filter((finding) => finding.source === "dynamic").length;
+  const options = [];
+
+  if (staticCount > 0 && dynamicCount > 0) {
+    options.push(
+      {
+        label: "Combined Report",
+        description: `${staticCount} static + ${dynamicCount} dynamic findings`,
+        scope: "combined",
+        defaultScanType: "Static + Dynamic Analysis"
+      },
+      {
+        label: "Static-Only Report",
+        description: `${staticCount} static findings`,
+        scope: "static",
+        defaultScanType: "Static Analysis"
+      },
+      {
+        label: "Dynamic-Only Report",
+        description: `${dynamicCount} dynamic findings`,
+        scope: "dynamic",
+        defaultScanType: "Dynamic Analysis"
+      }
+    );
+  } else if (dynamicCount > 0) {
+    options.push({
+      label: "Dynamic-Only Report",
+      description: `${dynamicCount} dynamic findings`,
+      scope: "dynamic",
+      defaultScanType: "Dynamic Analysis"
+    });
+  } else if (staticCount > 0) {
+    options.push({
+      label: "Static-Only Report",
+      description: `${staticCount} static findings`,
+      scope: "static",
+      defaultScanType: "Static Analysis"
+    });
+  } else {
+    vscode.window.showWarningMessage("Secure Review has no findings to export.");
+    return null;
+  }
+
+  if (options.length === 1) {
+    return options[0];
+  }
+
+  return vscode.window.showQuickPick(options, {
+    placeHolder: "Choose which findings to include in the exported report",
+    ignoreFocusOut: true
+  });
+}
+
+function filterFindingsForReport(findings, scope) {
+  if (scope === "dynamic") {
+    return findings.filter((finding) => finding.source === "dynamic");
+  }
+
+  if (scope === "static") {
+    return findings.filter((finding) => finding.source !== "dynamic");
+  }
+
+  return findings;
+}
+
+function sortFindings(findings) {
+  return [...findings].sort((left, right) => {
+    const severityDiff = severityOrder[right.severity] - severityOrder[left.severity];
+    if (severityDiff !== 0) {
+      return severityDiff;
+    }
+
+    const leftLocation = left.relativePath || "";
+    const rightLocation = right.relativePath || "";
+    return leftLocation.localeCompare(rightLocation);
+  });
+}
+
+function deactivate() {}
+
+module.exports = {
+  activate,
+  deactivate
+};

package/media/shield.svg

@@ -0,0 +1,6 @@
+<svg width="128" height="128" viewBox="0 0 128 128" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <rect width="128" height="128" rx="28" fill="#12355B"/>
+  <path d="M64 18L96 30V54C96 77.5 82.4 99.2 64 110C45.6 99.2 32 77.5 32 54V30L64 18Z" fill="#F76707"/>
+  <path d="M64 29L87 37.5V53.6C87 71.3 77.1 87.9 64 96.2C50.9 87.9 41 71.3 41 53.6V37.5L64 29Z" fill="#FFF6E8"/>
+  <path d="M58 69.5L48 59.5L52.7 54.8L58 60.1L76.8 41.2L81.5 45.9L58 69.5Z" fill="#0B7B72"/>
+</svg>