secure-review-extension 1.0.0

package/src/scanners/bootstrap-tools.js

@@ -0,0 +1,303 @@
+const fs = require("node:fs");
+const path = require("node:path");
+const os = require("node:os");
+const { execFileSync } = require("node:child_process");
+
+function detectWorkspace(workspaceRoot) {
+  const manifestNames = new Set(walkFiles(workspaceRoot, 4).map((file) => path.relative(workspaceRoot, file)));
+  const languages = new Set();
+  const frameworks = new Set();
+
+  if (exists("package.json")) {
+    languages.add("javascript");
+    const packageJson = readJson(path.join(workspaceRoot, "package.json"));
+    const dependencies = {
+      ...(packageJson.dependencies || {}),
+      ...(packageJson.devDependencies || {}),
+      ...(packageJson.peerDependencies || {})
+    };
+
+    if (dependencies.react) frameworks.add("react");
+    if (dependencies.next) frameworks.add("nextjs");
+    if (dependencies.vue) frameworks.add("vue");
+    if (dependencies["@angular/core"]) frameworks.add("angular");
+    if (dependencies.express) frameworks.add("express");
+    if (dependencies["@nestjs/core"]) frameworks.add("nestjs");
+  }
+
+  if (exists("requirements.txt") || exists("pyproject.toml") || exists("Pipfile")) {
+    languages.add("python");
+    const pythonText = readTextIfExists("requirements.txt") || readTextIfExists("pyproject.toml") || "";
+    if (/django/i.test(pythonText)) frameworks.add("django");
+    if (/flask/i.test(pythonText)) frameworks.add("flask");
+    if (/fastapi/i.test(pythonText)) frameworks.add("fastapi");
+  }
+
+  if (exists("go.mod")) {
+    languages.add("go");
+    const goMod = readTextIfExists("go.mod");
+    if (/gin-gonic\/gin/i.test(goMod)) frameworks.add("gin");
+    if (/labstack\/echo/i.test(goMod)) frameworks.add("echo");
+  }
+
+  if (exists("Cargo.toml")) {
+    languages.add("rust");
+    const cargoToml = readTextIfExists("Cargo.toml");
+    if (/actix-web/i.test(cargoToml)) frameworks.add("actix-web");
+    if (/\baxum\b/i.test(cargoToml)) frameworks.add("axum");
+  }
+
+  if (exists("pom.xml") || exists("build.gradle") || exists("build.gradle.kts")) {
+    languages.add("java");
+    const javaText = readTextIfExists("pom.xml") || readTextIfExists("build.gradle") || readTextIfExists("build.gradle.kts") || "";
+    if (/spring/i.test(javaText)) frameworks.add("spring");
+  }
+
+  if (exists("CMakeLists.txt") || exists("Makefile")) {
+    languages.add("c");
+    languages.add("cpp");
+  }
+
+  for (const file of manifestNames) {
+    const ext = path.extname(file).toLowerCase();
+    if ([".c", ".h"].includes(ext)) languages.add("c");
+    if ([".cpp", ".cc", ".cxx", ".hpp", ".hh"].includes(ext)) languages.add("cpp");
+    if (ext === ".java") languages.add("java");
+    if (ext === ".py") languages.add("python");
+    if (ext === ".go") languages.add("go");
+    if (ext === ".rs") languages.add("rust");
+    if ([".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs"].includes(ext)) languages.add("javascript");
+  }
+
+  return {
+    workspaceRoot,
+    languages: [...languages].sort(),
+    frameworks: [...frameworks].sort()
+  };
+
+  function exists(relativePath) {
+    return fs.existsSync(path.join(workspaceRoot, relativePath));
+  }
+
+  function readTextIfExists(relativePath) {
+    const fullPath = path.join(workspaceRoot, relativePath);
+    return fs.existsSync(fullPath) ? fs.readFileSync(fullPath, "utf8") : "";
+  }
+}
+
+function buildInstallPlan(profile) {
+  const plan = [];
+  const seen = new Set();
+
+  addTool(plan, seen, {
+    tool: "Semgrep",
+    requiredFor: ["common multi-language scanning"],
+    install: resolvePythonInstall("semgrep"),
+    verify: ["semgrep", "--version"]
+  });
+
+  if (hasAny(profile.languages, ["javascript"])) {
+    addTool(plan, seen, {
+      tool: "ESLint",
+      requiredFor: ["JavaScript / TypeScript / React"],
+      install: resolveNpmGlobalInstall(["eslint", "@typescript-eslint/parser", "@typescript-eslint/eslint-plugin", "eslint-plugin-react", "eslint-plugin-jsx-a11y", "eslint-plugin-security"]),
+      verify: ["eslint", "-v"]
+    });
+  }
+
+  if (hasAny(profile.languages, ["python"])) {
+    addTool(plan, seen, {
+      tool: "Bandit",
+      requiredFor: ["Python"],
+      install: resolvePythonInstall("bandit"),
+      verify: ["bandit", "--version"]
+    });
+    addTool(plan, seen, {
+      tool: "pip-audit",
+      requiredFor: ["Python"],
+      install: resolvePythonInstall("pip-audit"),
+      verify: ["pip-audit", "--version"]
+    });
+  }
+
+  if (hasAny(profile.languages, ["java"])) {
+    addTool(plan, seen, {
+      tool: "SpotBugs",
+      requiredFor: ["Java"],
+      install: resolveSpotBugsInstall(),
+      verify: ["spotbugs", "-version"]
+    });
+  }
+
+  if (hasAny(profile.languages, ["go"])) {
+    addTool(plan, seen, {
+      tool: "gosec",
+      requiredFor: ["Go"],
+      install: resolveGoInstall("github.com/securego/gosec/v2/cmd/gosec@latest"),
+      verify: ["gosec", "-version"]
+    });
+    addTool(plan, seen, {
+      tool: "govulncheck",
+      requiredFor: ["Go"],
+      install: resolveGoInstall("golang.org/x/vuln/cmd/govulncheck@latest"),
+      verify: ["govulncheck", "-version"]
+    });
+  }
+
+  if (hasAny(profile.languages, ["rust"])) {
+    addTool(plan, seen, {
+      tool: "cargo-audit",
+      requiredFor: ["Rust"],
+      install: resolveCargoInstall("cargo-audit"),
+      verify: ["cargo", "audit", "--version"]
+    });
+    addTool(plan, seen, {
+      tool: "Clippy",
+      requiredFor: ["Rust"],
+      install: resolveRustupComponent("clippy"),
+      verify: ["cargo", "clippy", "--version"]
+    });
+  }
+
+  if (hasAny(profile.languages, ["c", "cpp"])) {
+    addTool(plan, seen, {
+      tool: "cppcheck",
+      requiredFor: ["C / C++"],
+      install: resolveCppcheckInstall(),
+      verify: ["cppcheck", "--version"]
+    });
+  }
+
+  return plan;
+}
+
+function formatInstallPlan(profile, plan) {
+  const lines = [
+    "Secure Review tool bootstrap",
+    `Workspace: ${profile.workspaceRoot}`,
+    `Languages: ${profile.languages.length ? profile.languages.join(", ") : "none detected"}`,
+    `Frameworks: ${profile.frameworks.length ? profile.frameworks.join(", ") : "none detected"}`,
+    ""
+  ];
+
+  if (!plan.length) {
+    lines.push("No language-specific scanner setup was required for this workspace.");
+    return lines.join("\n");
+  }
+
+  lines.push("Planned scanner tool setup:");
+  for (const item of plan) {
+    lines.push(`- ${item.tool} (${item.requiredFor.join(", ")})`);
+    if (item.install.kind === "command") {
+      lines.push(`  Install: ${item.install.command.join(" ")}`);
+    } else if (item.install.kind === "already-installed") {
+      lines.push("  Install: already available");
+    } else {
+      lines.push(`  Install: ${item.install.note}`);
+    }
+    lines.push(`  Verify: ${item.verify.join(" ")}`);
+  }
+
+  return lines.join("\n");
+}
+
+function addTool(plan, seen, entry) {
+  const key = entry.tool.toLowerCase();
+  if (seen.has(key)) return;
+  seen.add(key);
+  plan.push(entry);
+}
+
+function resolvePythonInstall(packageName) {
+  if (hasCommand("pipx")) return { kind: "command", command: ["pipx", "install", packageName] };
+  if (hasCommand("python3")) return { kind: "command", command: ["python3", "-m", "pip", "install", "--user", packageName] };
+  return { kind: "manual", note: `Install ${packageName} with pipx or python3 -m pip.` };
+}
+
+function resolveNpmGlobalInstall(packages) {
+  if (hasCommand("npm")) return { kind: "command", command: ["npm", "install", "-g", ...packages] };
+  return { kind: "manual", note: `Install ${packages.join(", ")} with npm.` };
+}
+
+function resolveGoInstall(moduleRef) {
+  if (hasCommand("go")) return { kind: "command", command: ["go", "install", moduleRef] };
+  return { kind: "manual", note: `Install ${moduleRef} with Go installed and GOPATH/bin on PATH.` };
+}
+
+function resolveCargoInstall(crateName) {
+  if (hasCommand("cargo")) return { kind: "command", command: ["cargo", "install", crateName] };
+  return { kind: "manual", note: `Install ${crateName} with Cargo.` };
+}
+
+function resolveRustupComponent(component) {
+  if (hasCommand("rustup")) return { kind: "command", command: ["rustup", "component", "add", component] };
+  return { kind: "manual", note: `Install Rustup and add the ${component} component.` };
+}
+
+function resolveCppcheckInstall() {
+  if (hasCommand("cppcheck")) return { kind: "already-installed" };
+  if (os.platform() === "linux") return { kind: "command", command: ["sudo", "apt-get", "install", "-y", "cppcheck"] };
+  if (hasCommand("brew")) return { kind: "command", command: ["brew", "install", "cppcheck"] };
+  return { kind: "manual", note: "Install cppcheck with your system package manager." };
+}
+
+function resolveSpotBugsInstall() {
+  if (hasCommand("spotbugs")) return { kind: "already-installed" };
+  if (hasCommand("brew")) return { kind: "command", command: ["brew", "install", "spotbugs"] };
+  return { kind: "manual", note: "Install SpotBugs manually and ensure `spotbugs` is on PATH." };
+}
+
+function hasAny(values, expected) {
+  return expected.some((value) => values.includes(value));
+}
+
+function hasCommand(command) {
+  try {
+    execFileSync("bash", ["-lc", `command -v ${command}`], { stdio: "ignore" });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function walkFiles(root, maxDepth) {
+  const results = [];
+  visit(root, 0);
+  return results;
+
+  function visit(currentPath, depth) {
+    if (depth > maxDepth) return;
+    let entries = [];
+    try {
+      entries = fs.readdirSync(currentPath, { withFileTypes: true });
+    } catch {
+      return;
+    }
+
+    for (const entry of entries) {
+      const fullPath = path.join(currentPath, entry.name);
+      if (["node_modules", ".git", "dist", "build", ".next", "coverage"].includes(entry.name)) {
+        continue;
+      }
+      if (entry.isDirectory()) {
+        visit(fullPath, depth + 1);
+      } else {
+        results.push(fullPath);
+      }
+    }
+  }
+}
+
+function readJson(filePath) {
+  try {
+    return JSON.parse(fs.readFileSync(filePath, "utf8"));
+  } catch {
+    return {};
+  }
+}
+
+module.exports = {
+  detectWorkspace,
+  buildInstallPlan,
+  formatInstallPlan
+};

package/src/scanners/dynamic-scan.js

@@ -0,0 +1,224 @@
+const fs = require("node:fs/promises");
+const path = require("node:path");
+const { execFile } = require("node:child_process");
+const { URL } = require("node:url");
+let vscode;
+try {
+  vscode = require("vscode");
+} catch {
+  vscode = null;
+}
+const { hashFinding } = require("../utils");
+
+function execFileAsync(command, args, options = {}) {
+  return new Promise((resolve) => {
+    execFile(command, args, { maxBuffer: 20 * 1024 * 1024, ...options }, (error, stdout, stderr) => {
+      resolve({
+        error,
+        stdout,
+        stderr,
+        code: error && typeof error.code === "number" ? error.code : 0
+      });
+    });
+  });
+}
+
+async function runDockerZapScan(config) {
+  return runDockerZapScanWithOptions({
+    workspaceRoot: vscode?.workspace?.workspaceFolders?.[0]?.uri.fsPath,
+    target: config.get("dynamicBaseUrl", "http://127.0.0.1:3000"),
+    scanMode: config.get("dynamicScanMode", "baseline"),
+    allowHosts: config.get("dynamicAllowHosts", ["127.0.0.1", "localhost"]),
+    spiderMinutes: config.get("dynamicSpiderMinutes", 1),
+    useAjaxSpider: config.get("dynamicUseAjaxSpider", false),
+    dockerImage: config.get("zapDockerImage", "ghcr.io/zaproxy/zaproxy:stable")
+  });
+}
+
+async function runDockerZapScanWithOptions(options) {
+  const target = options.target || "http://127.0.0.1:3000";
+  const scanMode = options.scanMode || "baseline";
+  const allowHosts = options.allowHosts || ["127.0.0.1", "localhost"];
+  const spiderMinutes = String(options.spiderMinutes || 1);
+  const useAjaxSpider = Boolean(options.useAjaxSpider);
+  const dockerImage = options.dockerImage || "ghcr.io/zaproxy/zaproxy:stable";
+
+  const parsed = validateTarget(target, allowHosts);
+  const dockerTarget = rewriteTargetForDocker(parsed);
+
+  const tempDir = await createWorkspaceZapDirectory(options.workspaceRoot);
+  const reportPath = path.join(tempDir, "zap-report.json");
+  const htmlReportPath = path.join(tempDir, "zap-report.html");
+  const script = scanMode === "full" ? "zap-full-scan.py" : "zap-baseline.py";
+  const args = [
+    "run",
+    "--rm",
+    "-v",
+    `${tempDir}:/zap/wrk/:rw`,
+    "--add-host",
+    "host.docker.internal:host-gateway",
+    dockerImage,
+    script,
+    "-t",
+    dockerTarget,
+    "-J",
+    "zap-report.json",
+    "-r",
+    "zap-report.html",
+    "-m",
+    spiderMinutes,
+    "-I"
+  ];
+
+  if (useAjaxSpider) {
+    args.push("-j");
+  }
+
+  const dockerCheck = await execFileAsync("docker", ["version", "--format", "{{.Server.Version}}"]);
+  if (dockerCheck.error) {
+    throw new Error("Docker does not appear to be installed or running.");
+  }
+
+  const result = await execFileAsync("docker", args);
+  if (result.code !== 0 && result.code !== 1 && result.code !== 2) {
+    throw new Error(result.stderr || result.stdout || "ZAP Docker scan failed.");
+  }
+
+  let rawReport;
+  try {
+    rawReport = await fs.readFile(reportPath, "utf8");
+  } catch {
+    throw new Error("ZAP completed but no JSON report was generated.");
+  }
+
+  const parsedReport = JSON.parse(rawReport);
+  const findings = normalizeZapReport(parsedReport);
+
+  try {
+    await fs.unlink(reportPath);
+    await fs.unlink(htmlReportPath);
+    await fs.rmdir(tempDir);
+  } catch {}
+
+  return findings;
+}
+
+async function createWorkspaceZapDirectory(workspaceRoot) {
+  const resolvedRoot = workspaceRoot || vscode?.workspace?.workspaceFolders?.[0]?.uri.fsPath;
+  if (!resolvedRoot) {
+    throw new Error("Open a workspace folder before running a dynamic scan.");
+  }
+
+  const baseDir = path.join(resolvedRoot, ".secure-review", "zap-output");
+  await fs.mkdir(baseDir, { recursive: true });
+
+  return fs.mkdtemp(path.join(baseDir, "run-"));
+}
+
+function validateTarget(target, allowHosts) {
+  let parsed;
+  try {
+    parsed = new URL(target);
+  } catch {
+    throw new Error("Dynamic Base URL is not a valid URL.");
+  }
+
+  const allowed = new Set((allowHosts || []).map((host) => String(host).toLowerCase()));
+  if (!allowed.has(parsed.hostname.toLowerCase())) {
+    throw new Error(`Dynamic scan blocked: host ${parsed.hostname} is not in Secure Review > Dynamic Allow Hosts.`);
+  }
+
+  return parsed;
+}
+
+function rewriteTargetForDocker(url) {
+  const cloned = new URL(url.toString());
+  if (cloned.hostname === "127.0.0.1" || cloned.hostname === "localhost") {
+    cloned.hostname = "host.docker.internal";
+  }
+  return cloned.toString();
+}
+
+function normalizeZapReport(report) {
+  const sites = Array.isArray(report.site) ? report.site : [];
+  const findings = [];
+
+  for (const site of sites) {
+    const alerts = Array.isArray(site.alerts) ? site.alerts : [];
+    for (const alert of alerts) {
+      const instances = Array.isArray(alert.instances) && alert.instances.length
+        ? alert.instances
+        : [{}];
+
+      for (const instance of instances) {
+        const targetUrl = instance.uri || site["@name"] || "Unknown URL";
+        const evidence = [instance.method, instance.param, instance.evidence, alert.otherinfo]
+          .filter(Boolean)
+          .join(" | ");
+
+        findings.push({
+          id: hashFinding(["zap", alert.pluginid || alert.alertRef || alert.name || "alert", targetUrl]),
+          source: "dynamic",
+          title: alert.name || "ZAP finding",
+          severity: mapZapRisk(alert.riskcode, alert.riskdesc),
+          confidence: mapZapConfidence(alert.confidence),
+          category: "Dynamic",
+          subcategory: alert.name || "ZAP Alert",
+          reviewDomain: "security",
+          code: String(alert.pluginid || alert.alertRef || "zap"),
+          message: alert.desc || alert.name || "OWASP ZAP detected a dynamic issue.",
+          targetUrl,
+          evidence: evidence || "n/a",
+          remediation: alert.solution || "Review the affected endpoint and apply the recommended security control.",
+          suggestion: alert.solution || "Inspect the endpoint and validate the alert in the target application.",
+          whyItMatters: alert.desc || "Dynamic testing identified a web application behavior that may be exploitable at runtime.",
+          standards: [alert.cweid ? `CWE-${alert.cweid}` : null, alert.wascid ? `WASC-${alert.wascid}` : null].filter(Boolean)
+        });
+      }
+    }
+  }
+
+  return dedupeZapFindings(findings);
+}
+
+function dedupeZapFindings(findings) {
+  const seen = new Set();
+  return findings.filter((finding) => {
+    const key = `${finding.code}|${finding.targetUrl}|${finding.title}`;
+    if (seen.has(key)) {
+      return false;
+    }
+    seen.add(key);
+    return true;
+  });
+}
+
+function mapZapRisk(riskCode, riskDesc) {
+  const raw = `${riskCode || ""} ${riskDesc || ""}`.toLowerCase();
+  if (raw.includes("3") || raw.includes("high")) {
+    return "high";
+  }
+  if (raw.includes("2") || raw.includes("medium")) {
+    return "medium";
+  }
+  if (raw.includes("1") || raw.includes("low")) {
+    return "low";
+  }
+  return "low";
+}
+
+function mapZapConfidence(value) {
+  const raw = String(value || "").toLowerCase();
+  if (raw.includes("high")) {
+    return "high";
+  }
+  if (raw.includes("medium")) {
+    return "medium";
+  }
+  return "low";
+}
+
+module.exports = {
+  runDockerZapScan,
+  runDockerZapScanWithOptions
+};