secure-review-extension 1.0.0

package/package.json

@@ -0,0 +1,323 @@
+{
+  "name": "secure-review-extension",
+  "displayName": "Secure Review",
+  "description": "Run deep static and Docker-based dynamic secure code reviews directly inside VS Code.",
+  "version": "1.0.0",
+  "publisher": "your-publisher-id",
+  "icon": "media/shield.png",
+  "license": "MIT",
+  "homepage": "https://bitbucket.org/macehand/secure-review-extension",
+  "repository": {
+    "type": "git",
+    "url": "https://bitbucket.org/macehand/secure-review-extension.git"
+  },
+  "files": [
+    "bin/",
+    "src/",
+    "scripts/",
+    "media/",
+    "extension.js",
+    "README.md",
+    "LICENSE",
+    "CHANGELOG.md"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "bugs": {
+    "url": "https://bitbucket.org/macehand/secure-review-extension.git"
+  },
+  "keywords": [
+    "security",
+    "appsec",
+    "sast",
+    "dast",
+    "code-review",
+    "vscode-extension",
+    "secure-review"
+  ],
+  "galleryBanner": {
+    "color": "#1F4E79",
+    "theme": "light"
+  },
+  "engines": {
+    "vscode": "^1.85.0"
+  },
+  "categories": [
+    "Linters",
+    "Testing",
+    "Other"
+  ],
+  "activationEvents": [
+    "onStartupFinished",
+    "onCommand:secureReview.inspectRequirements",
+    "onCommand:secureReview.scanWorkspace",
+    "onCommand:secureReview.scanCurrentFile",
+    "onCommand:secureReview.dynamicScan",
+    "onCommand:secureReview.openReport",
+    "onView:secureReview.findingsView"
+  ],
+  "main": "./extension.js",
+  "bin": {
+    "secure-review": "./bin/secure-review.js"
+  },
+  "contributes": {
+    "commands": [
+      {
+        "command": "secureReview.inspectRequirements",
+        "title": "Check Workspace Requirements",
+        "category": "Secure Review"
+      },
+      {
+        "command": "secureReview.scanWorkspace",
+        "title": "Scan Workspace",
+        "category": "Secure Review"
+      },
+      {
+        "command": "secureReview.scanCurrentFile",
+        "title": "Scan Current File",
+        "category": "Secure Review"
+      },
+      {
+        "command": "secureReview.dynamicScan",
+        "title": "Dynamic Scan Local App",
+        "category": "Secure Review"
+      },
+      {
+        "command": "secureReview.openReport",
+        "title": "Open Review Report",
+        "category": "Secure Review"
+      },
+      {
+        "command": "secureReview.exportReport",
+        "title": "Export Findings Report",
+        "category": "Secure Review"
+      },
+      {
+        "command": "secureReview.clearFindings",
+        "title": "Clear Findings",
+        "category": "Secure Review"
+      },
+      {
+        "command": "secureReview.ignoreFinding",
+        "title": "Ignore Finding",
+        "category": "Secure Review"
+      },
+      {
+        "command": "secureReview.openFinding",
+        "title": "Open Finding",
+        "category": "Secure Review"
+      }
+    ],
+    "viewsContainers": {
+      "activitybar": [
+        {
+          "id": "secureReview",
+          "title": "Secure Review",
+          "icon": "media/shield.svg"
+        }
+      ]
+    },
+    "views": {
+      "secureReview": [
+        {
+          "id": "secureReview.findingsView",
+          "name": "Findings"
+        }
+      ]
+    },
+    "menus": {
+      "view/title": [
+        {
+          "command": "secureReview.inspectRequirements",
+          "when": "view == secureReview.findingsView",
+          "group": "navigation"
+        },
+        {
+          "command": "secureReview.scanWorkspace",
+          "when": "view == secureReview.findingsView",
+          "group": "navigation"
+        },
+        {
+          "command": "secureReview.dynamicScan",
+          "when": "view == secureReview.findingsView",
+          "group": "navigation"
+        },
+        {
+          "command": "secureReview.openReport",
+          "when": "view == secureReview.findingsView",
+          "group": "navigation"
+        }
+      ],
+      "view/item/context": [
+        {
+          "command": "secureReview.openFinding",
+          "when": "view == secureReview.findingsView && viewItem == finding",
+          "group": "inline"
+        },
+        {
+          "command": "secureReview.ignoreFinding",
+          "when": "view == secureReview.findingsView && viewItem == finding",
+          "group": "inline"
+        }
+      ]
+    },
+    "configuration": {
+      "title": "Secure Review",
+      "properties": {
+        "secureReview.runOnSave": {
+          "type": "boolean",
+          "default": false,
+          "description": "Automatically rescan the current file after it is saved."
+        },
+        "secureReview.excludeGlobs": {
+          "type": "array",
+          "default": [
+            "**/node_modules/**",
+            "**/.git/**",
+            "**/dist/**",
+            "**/build/**",
+            "**/.next/**",
+            "**/coverage/**"
+          ],
+          "items": {
+            "type": "string"
+          },
+          "description": "Glob patterns excluded from static scanning."
+        },
+        "secureReview.minimumSeverity": {
+          "type": "string",
+          "enum": [
+            "low",
+            "medium",
+            "high",
+            "critical"
+          ],
+          "default": "low",
+          "description": "Lowest severity shown in the findings panel."
+        },
+        "secureReview.maxFiles": {
+          "type": "number",
+          "default": 400,
+          "minimum": 1,
+          "description": "Maximum number of workspace files scanned in one run."
+        },
+        "secureReview.enableBuiltInRules": {
+          "type": "boolean",
+          "default": true,
+          "description": "Run the built-in static review rule packs."
+        },
+        "secureReview.enableSemgrep": {
+          "type": "boolean",
+          "default": true,
+          "description": "If Semgrep is installed locally, include its results in the workspace review."
+        },
+        "secureReview.enableEslint": {
+          "type": "boolean",
+          "default": true,
+          "description": "If ESLint is installed locally, include JavaScript, TypeScript, and frontend lint findings."
+        },
+        "secureReview.enableNpmAudit": {
+          "type": "boolean",
+          "default": true,
+          "description": "If package.json exists and npm is installed locally, include npm audit results."
+        },
+        "secureReview.enableBandit": {
+          "type": "boolean",
+          "default": true,
+          "description": "If Bandit is installed locally, include Python security analysis results."
+        },
+        "secureReview.enablePipAudit": {
+          "type": "boolean",
+          "default": true,
+          "description": "If Python dependency files exist and pip-audit is installed locally, include its results."
+        },
+        "secureReview.enableSpotBugs": {
+          "type": "boolean",
+          "default": true,
+          "description": "If SpotBugs is installed locally and compiled Java classes are available, include Java bytecode findings."
+        },
+        "secureReview.enableGosec": {
+          "type": "boolean",
+          "default": true,
+          "description": "If gosec is installed locally, include Go security findings."
+        },
+        "secureReview.enableGovulncheck": {
+          "type": "boolean",
+          "default": true,
+          "description": "If govulncheck is installed locally, include Go vulnerability findings."
+        },
+        "secureReview.enableCargoAudit": {
+          "type": "boolean",
+          "default": true,
+          "description": "If cargo-audit is available, include Rust dependency advisories."
+        },
+        "secureReview.enableClippy": {
+          "type": "boolean",
+          "default": true,
+          "description": "If cargo clippy is available, include Rust lint findings."
+        },
+        "secureReview.enableCppcheck": {
+          "type": "boolean",
+          "default": true,
+          "description": "If cppcheck is installed locally, include C and C++ static analysis findings."
+        },
+        "secureReview.dynamicBaseUrl": {
+          "type": "string",
+          "default": "http://127.0.0.1:3000",
+          "description": "Local or test application URL used for Docker-based ZAP scanning."
+        },
+        "secureReview.dynamicScanMode": {
+          "type": "string",
+          "enum": [
+            "baseline",
+            "full"
+          ],
+          "default": "baseline",
+          "description": "ZAP Docker scan mode. Baseline is passive-focused; full scan is more intrusive."
+        },
+        "secureReview.dynamicSpiderMinutes": {
+          "type": "number",
+          "default": 1,
+          "minimum": 1,
+          "description": "Minutes ZAP should spend spidering the target before reporting."
+        },
+        "secureReview.dynamicUseAjaxSpider": {
+          "type": "boolean",
+          "default": false,
+          "description": "Enable the ZAP Ajax spider in addition to the traditional spider."
+        },
+        "secureReview.dynamicAllowHosts": {
+          "type": "array",
+          "default": [
+            "127.0.0.1",
+            "localhost"
+          ],
+          "items": {
+            "type": "string"
+          },
+          "description": "Explicit hostnames allowed for dynamic scans."
+        },
+        "secureReview.zapDockerImage": {
+          "type": "string",
+          "default": "ghcr.io/zaproxy/zaproxy:stable",
+          "description": "Docker image used to run OWASP ZAP scans."
+        }
+      }
+    }
+  },
+  "scripts": {
+    "cli": "node bin/secure-review.js",
+    "bootstrap:tools": "node scripts/bootstrap-review-tools.js",
+    "bootstrap:tools:run": "node scripts/bootstrap-review-tools.js --run",
+    "verify": "node --check extension.js && node --check bin/secure-review.js && node --check scripts/bootstrap-review-tools.js && node --check src/report.js && node --check src/scanners/static-scan.js && node --check src/scanners/tool-integrations.js && node --check src/scanners/workspace-profile.js && node --check src/scanners/bootstrap-tools.js && node --check src/scanners/dynamic-scan.js",
+    "pack:cli": "npm pack",
+    "pack:cli:dry-run": "npm pack --dry-run",
+    "publish:npm": "npm publish",
+    "package": "npx @vscode/vsce package",
+    "publish:precheck": "npm run verify && npx @vscode/vsce package --allow-missing-repository",
+    "publish:marketplace": "npx @vscode/vsce publish",
+    "lint": "echo \"No lint tool configured\"",
+    "test": "echo \"No test runner configured\""
+  }
+}

package/scripts/bootstrap-review-tools.js

@@ -0,0 +1,54 @@
+#!/usr/bin/env node
+
+const { spawnSync } = require("node:child_process");
+const { detectWorkspace, buildInstallPlan, formatInstallPlan } = require("../src/scanners/bootstrap-tools");
+
+const cwd = process.cwd();
+const args = new Set(process.argv.slice(2));
+const shouldRun = args.has("--run");
+
+function main() {
+  const profile = detectWorkspace(cwd);
+  const plan = buildInstallPlan(profile);
+
+  console.log(formatInstallPlan(profile, plan));
+
+  if (!shouldRun) {
+    console.log("");
+    console.log("Dry run only. Use `node scripts/bootstrap-review-tools.js --run` to execute supported install commands.");
+    return;
+  }
+
+  console.log("");
+  executePlan(plan);
+}
+
+function executePlan(plan) {
+  for (const item of plan) {
+    if (item.install.kind === "already-installed") {
+      console.log(`Skipping ${item.tool}: already available.`);
+      continue;
+    }
+
+    if (item.install.kind !== "command") {
+      console.log(`Skipping ${item.tool}: ${item.install.note}`);
+      continue;
+    }
+
+    const command = item.install.command;
+    console.log(`Running ${command.join(" ")}`);
+    const result = spawnSync(command[0], command.slice(1), {
+      stdio: "inherit",
+      cwd
+    });
+
+    if (result.status !== 0) {
+      console.error(`Install failed for ${item.tool}.`);
+      continue;
+    }
+
+    console.log(`Installed ${item.tool}.`);
+  }
+}
+
+main();

package/src/code-actions.js

@@ -0,0 +1,47 @@
+const vscode = require("vscode");
+
+class SecureReviewCodeActionProvider {
+  constructor(store) {
+    this.store = store;
+  }
+
+  provideCodeActions(document, range) {
+    const actions = [];
+    const findings = this.store.findings.filter(
+      (finding) =>
+        finding.filePath === document.uri.fsPath &&
+        typeof finding.line === "number" &&
+        finding.line - 1 === range.start.line
+    );
+
+    for (const finding of findings) {
+      const openAction = new vscode.CodeAction(
+        `Open Secure Review finding: ${finding.title}`,
+        vscode.CodeActionKind.QuickFix
+      );
+      openAction.command = {
+        command: "secureReview.openFinding",
+        title: "Open Finding",
+        arguments: [finding]
+      };
+      actions.push(openAction);
+
+      const ignoreAction = new vscode.CodeAction(
+        `Ignore Secure Review finding: ${finding.code}`,
+        vscode.CodeActionKind.QuickFix
+      );
+      ignoreAction.command = {
+        command: "secureReview.ignoreFinding",
+        title: "Ignore Finding",
+        arguments: [finding]
+      };
+      actions.push(ignoreAction);
+    }
+
+    return actions;
+  }
+}
+
+module.exports = {
+  SecureReviewCodeActionProvider
+};

package/src/constants.js

@@ -0,0 +1,20 @@
+const vscode = require("vscode");
+
+const severityOrder = {
+  low: 0,
+  medium: 1,
+  high: 2,
+  critical: 3
+};
+
+const diagnosticSeverityMap = {
+  low: vscode.DiagnosticSeverity.Information,
+  medium: vscode.DiagnosticSeverity.Warning,
+  high: vscode.DiagnosticSeverity.Warning,
+  critical: vscode.DiagnosticSeverity.Error
+};
+
+module.exports = {
+  severityOrder,
+  diagnosticSeverityMap
+};

package/src/diagnostics.js

@@ -0,0 +1,41 @@
+const vscode = require("vscode");
+const { diagnosticSeverityMap } = require("./constants");
+
+function applyDiagnostics(collection, findings) {
+  collection.clear();
+
+  const grouped = new Map();
+
+  for (const finding of findings) {
+    if (!finding.filePath || typeof finding.line !== "number") {
+      continue;
+    }
+
+    const uri = vscode.Uri.file(finding.filePath);
+    const list = grouped.get(uri.toString()) || [];
+    const range = new vscode.Range(
+      Math.max(0, finding.line - 1),
+      Math.max(0, (finding.column || 1) - 1),
+      Math.max(0, finding.line - 1),
+      Math.max(0, (finding.column || 1) + 8)
+    );
+
+    list.push(
+      new vscode.Diagnostic(
+        range,
+        `${finding.title}. ${finding.remediation}`,
+        diagnosticSeverityMap[finding.severity]
+      )
+    );
+
+    grouped.set(uri.toString(), list);
+  }
+
+  for (const [uriString, diagnostics] of grouped.entries()) {
+    collection.set(vscode.Uri.parse(uriString), diagnostics);
+  }
+}
+
+module.exports = {
+  applyDiagnostics
+};

package/src/findings-provider.js

@@ -0,0 +1,78 @@
+const vscode = require("vscode");
+const { severityOrder } = require("./constants");
+
+class SeverityNode extends vscode.TreeItem {
+  constructor(label, count) {
+    super(`${label} (${count})`, vscode.TreeItemCollapsibleState.Expanded);
+    this.contextValue = "severityGroup";
+  }
+}
+
+class FindingNode extends vscode.TreeItem {
+  constructor(finding) {
+    super(finding.title, vscode.TreeItemCollapsibleState.None);
+    this.finding = finding;
+    this.contextValue = "finding";
+    this.description = finding.source === "dynamic"
+      ? `${finding.category} • ${finding.targetUrl || finding.reviewDomain}`
+      : `${finding.category} • ${finding.reviewDomain}`;
+    this.tooltip = `${finding.title}\nSeverity: ${finding.severity}\nConfidence: ${finding.confidence}\n${finding.message}`;
+    this.command = {
+      command: "secureReview.openFinding",
+      title: "Open Finding",
+      arguments: [finding]
+    };
+  }
+}
+
+class FindingsProvider {
+  constructor(store, configAccessor) {
+    this.store = store;
+    this.configAccessor = configAccessor;
+    this._emitter = new vscode.EventEmitter();
+    this.onDidChangeTreeData = this._emitter.event;
+    this.store.onDidChange(() => this.refresh());
+  }
+
+  refresh() {
+    this._emitter.fire();
+  }
+
+  getTreeItem(element) {
+    return element;
+  }
+
+  getChildren(element) {
+    const minSeverity = this.configAccessor().get("minimumSeverity", "low");
+    const findings = this.store.getVisibleFindings(minSeverity, severityOrder);
+
+    if (!element) {
+      const counts = ["critical", "high", "medium", "low"]
+        .map((severity) => ({
+          severity,
+          count: findings.filter((finding) => finding.severity === severity).length
+        }))
+        .filter((entry) => entry.count > 0);
+
+      if (!counts.length) {
+        return [new SeverityNode("No findings", 0)];
+      }
+
+      return counts.map((entry) => new SeverityNode(entry.severity, entry.count));
+    }
+
+    if (element instanceof SeverityNode && element.label !== "No findings (0)") {
+      const severity = String(element.label).split(" ")[0];
+      return findings
+        .filter((finding) => finding.severity === severity)
+        .sort((a, b) => (a.relativePath || a.targetUrl || "").localeCompare(b.relativePath || b.targetUrl || ""))
+        .map((finding) => new FindingNode(finding));
+    }
+
+    return [];
+  }
+}
+
+module.exports = {
+  FindingsProvider
+};