npm - secure-review-extension - Versions diffs - 1.0.0 - Mend

secure-review-extension 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/CHANGELOG.md +9 -0
package/LICENSE +21 -0
package/README.md +304 -0
package/bin/secure-review.js +269 -0
package/extension.js +368 -0
package/media/shield.png +0 -0
package/media/shield.svg +6 -0
package/package.json +323 -0
package/scripts/bootstrap-review-tools.js +54 -0
package/src/code-actions.js +47 -0
package/src/constants.js +20 -0
package/src/diagnostics.js +41 -0
package/src/findings-provider.js +78 -0
package/src/report.js +837 -0
package/src/scanners/bootstrap-tools.js +303 -0
package/src/scanners/dynamic-scan.js +224 -0
package/src/scanners/static-rules.js +497 -0
package/src/scanners/static-scan.js +341 -0
package/src/scanners/tool-integrations.js +666 -0
package/src/scanners/workspace-profile.js +316 -0
package/src/store.js +49 -0
package/src/utils.js +24 -0

package/src/scanners/static-scan.js ADDED Viewed

@@ -0,0 +1,341 @@
+const fs = require("node:fs/promises");
+const path = require("node:path");
+let vscode;
+try {
+  vscode = require("vscode");
+} catch {
+  vscode = null;
+}
+const { STATIC_RULES } = require("./static-rules");
+const { runRegisteredScanners } = require("./tool-integrations");
+const { buildWorkspaceProfile, buildWorkspaceProfileForRoot } = require("./workspace-profile");
+const { hashFinding, toPosixPath } = require("../utils");
+const ALLOWED_EXTENSIONS = new Set([
+  ".js",
+  ".jsx",
+  ".mjs",
+  ".cjs",
+  ".ts",
+  ".tsx",
+  ".py",
+  ".java",
+  ".go",
+  ".rs",
+  ".c",
+  ".h",
+  ".cpp",
+  ".cc",
+  ".cxx",
+  ".hpp",
+  ".hh",
+  ".rb",
+  ".php",
+  ".cs",
+  ".json",
+  ".yaml",
+  ".yml",
+  ".toml",
+  ".tf",
+  ".sh",
+  ".env",
+  ".properties",
+  ".xml"
+]);
+async function scanWorkspace(config) {
+  const workspaceProfile = await buildWorkspaceProfile(config);
+  return scanProfile(workspaceProfile, config);
+}
+async function scanWorkspaceAtPath(workspaceRoot, rawConfig = {}) {
+  const config = toConfigAccessor(rawConfig);
+  const workspaceProfile = await buildWorkspaceProfileForRoot(workspaceRoot, {
+    excludeGlobs: config.get("excludeGlobs", []),
+    maxFiles: config.get("maxFiles", 400)
+  });
+  return scanProfile(workspaceProfile, config);
+}
+async function scanCurrentFile() {
+  const editor = vscode.window.activeTextEditor;
+  if (!editor) {
+    return [];
+  }
+  const content = await readText(editor.document.uri.fsPath);
+  if (content === null) {
+    return [];
+  }
+  const workspaceRoot = vscode?.workspace?.workspaceFolders?.[0]?.uri.fsPath || path.dirname(editor.document.uri.fsPath);
+  return dedupeFindings(scanContent(editor.document.uri.fsPath, content, workspaceRoot));
+}
+function scanProfile(workspaceProfile, config) {
+  const findings = [];
+  for (const file of workspaceProfile.files) {
+    if (config.get("enableBuiltInRules", true)) {
+      findings.push(...scanContent(file.fsPath, file.content, workspaceProfile.workspaceRoot));
+    }
+  }
+  const relativePaths = new Set(workspaceProfile.files.map((file) => file.relativePath));
+  const testedFindings = correlateTestCoverage(findings, relativePaths);
+  const repoHeuristics = config.get("enableBuiltInRules", true)
+    ? analyzeRepository(workspaceProfile.files, workspaceProfile.workspaceRoot)
+    : [];
+  return runRegisteredScanners(config, workspaceProfile).then((externalFindings) =>
+    dedupeFindings([...testedFindings, ...repoHeuristics, ...externalFindings])
+  );
+}
+function scanContent(filePath, content, workspaceRoot) {
+  const lines = content.split(/\r?\n/);
+  const findings = [];
+  const relativePath = toRelativePath(filePath, workspaceRoot);
+  for (const rule of STATIC_RULES) {
+    const regex = new RegExp(rule.regex);
+    let match;
+    while ((match = regex.exec(content)) !== null) {
+      const index = match.index;
+      const before = content.slice(0, index);
+      const lineNumber = before.split(/\r?\n/).length;
+      const lineText = lines[lineNumber - 1] || "";
+      const id = hashFinding([filePath, String(lineNumber), rule.id, rule.title]);
+      findings.push({
+        id,
+        source: "static",
+        title: rule.title,
+        severity: rule.severity,
+        confidence: rule.confidence,
+        category: rule.category,
+        subcategory: rule.subcategory,
+        reviewDomain: rule.reviewDomain,
+        filePath,
+        relativePath,
+        line: lineNumber,
+        column: Math.max(1, lineText.indexOf(match[0]) + 1),
+        code: rule.id,
+        message: `${rule.title} in ${toPosixPath(relativePath)}:${lineNumber}`,
+        evidence: lineText.trim(),
+        remediation: rule.remediation,
+        suggestion: rule.suggestion,
+        whyItMatters: rule.whyItMatters,
+        standards: rule.standards
+      });
+      if (match.index === regex.lastIndex) {
+        regex.lastIndex += 1;
+      }
+    }
+  }
+  return findings;
+}
+function correlateTestCoverage(findings, relativePaths) {
+  return findings.filter((finding) => {
+    if (finding.code !== "missing-tests-heuristic") {
+      return true;
+    }
+    const relativePath = finding.relativePath || "";
+    const normalized = relativePath.toLowerCase();
+    const baseName = normalized
+      .replace(/\.[^.]+$/, "")
+      .replace(/^src\//, "")
+      .replace(/^backend\//, "");
+    const hasNearbyTest = [...relativePaths].some((candidate) => {
+      const lower = candidate.toLowerCase();
+      return lower.includes(baseName) && /(test|spec)/.test(lower);
+    });
+    return !hasNearbyTest;
+  });
+}
+function dedupeFindings(findings) {
+  const seen = new Set();
+  const unique = [];
+  for (const finding of findings) {
+    const key = `${finding.code}|${finding.relativePath || ""}|${finding.line || ""}|${finding.title}`;
+    if (seen.has(key)) {
+      continue;
+    }
+    seen.add(key);
+    unique.push(finding);
+  }
+  return unique;
+}
+async function readText(filePath) {
+  try {
+    return await fs.readFile(filePath, "utf8");
+  } catch {
+    return null;
+  }
+}
+module.exports = {
+  scanWorkspace,
+  scanWorkspaceAtPath,
+  scanCurrentFile
+};
+function analyzeRepository(files, workspaceRoot) {
+  const findings = [];
+  const fileSet = new Set(files.map((file) => file.relativePath));
+  const packageJsonFile = files.find((file) => path.basename(file.relativePath) === "package.json");
+  if (packageJsonFile) {
+    findings.push(...analyzePackageJson(packageJsonFile, fileSet, workspaceRoot));
+  }
+  const requirementsFile = files.find((file) => path.basename(file.relativePath) === "requirements.txt");
+  if (requirementsFile) {
+    findings.push(...analyzeRequirements(requirementsFile, workspaceRoot));
+  }
+  for (const file of files) {
+    const base = path.basename(file.relativePath);
+    if (base === "Dockerfile") {
+      findings.push(...analyzeDockerfile(file, workspaceRoot));
+    }
+    if (file.relativePath.includes(".github/workflows/") && file.ext === ".yml") {
+      findings.push(...analyzeGithubWorkflow(file, workspaceRoot));
+    }
+    if (file.relativePath.toLowerCase().includes("openapi") || file.relativePath.endsWith("swagger.json") || file.relativePath.endsWith("swagger.yaml")) {
+      findings.push(...analyzeApiSpec(file, workspaceRoot));
+    }
+    findings.push(...analyzeFileSizeAndComplexity(file, workspaceRoot));
+  }
+  return findings;
+}
+function analyzePackageJson(file, fileSet, workspaceRoot) {
+  const findings = [];
+  try {
+    const payload = JSON.parse(file.content);
+    const dependencies = { ...(payload.dependencies || {}), ...(payload.devDependencies || {}) };
+    const dependencyNames = Object.keys(dependencies);
+    if (dependencyNames.length > 80) {
+      findings.push(repoFinding(workspaceRoot, file.relativePath, "dependency-bloat", "High dependency count may increase maintenance and supply-chain risk", "medium", "Dependency Risk", "Dependency Bloat", "dependency-risk", `Detected ${dependencyNames.length} dependencies in package.json.`, "Review whether all dependencies are still required and remove unnecessary packages.", "Trim unused dependencies and keep the dependency graph intentionally small.", "Large dependency graphs increase attack surface and upgrade complexity.", ["Supply Chain Review"]));
+    }
+    const weakPins = dependencyNames.filter((name) => /^[~^*]/.test(String(dependencies[name])));
+    if (weakPins.length >= 5) {
+      findings.push(repoFinding(workspaceRoot, file.relativePath, "weak-version-pinning", "Dependency version pinning appears loose", "medium", "Dependency Risk", "Version Pinning", "dependency-risk", weakPins.slice(0, 8).map((name) => `${name}@${dependencies[name]}`).join(", "), "Pin critical runtime dependencies more tightly or use a disciplined update workflow.", "Adopt explicit upgrade windows and lockfile hygiene for runtime dependencies.", "Loose version ranges can increase drift and make builds less predictable.", ["Supply Chain Review"]));
+    }
+    if (!fileSet.has("package-lock.json") && !fileSet.has("pnpm-lock.yaml") && !fileSet.has("yarn.lock")) {
+      findings.push(repoFinding(workspaceRoot, file.relativePath, "missing-lockfile", "JavaScript workspace appears to be missing a lockfile", "medium", "Dependency Risk", "Build Reproducibility", "dependency-risk", "No package-lock.json, pnpm-lock.yaml, or yarn.lock detected near package.json.", "Commit a lockfile to support reproducible builds and dependency review.", "Use a lockfile in version control for deterministic installs and better auditability.", "Missing lockfiles make builds less reproducible and can hide dependency drift.", ["Build Integrity"]));
+    }
+    const scripts = payload.scripts || {};
+    for (const [name, command] of Object.entries(scripts)) {
+      if (/curl\s+.*\|\s*(bash|sh)/i.test(String(command))) {
+        findings.push(repoFinding(workspaceRoot, file.relativePath, "unsafe-install-script", "Script pipes remote content into a shell", "high", "DevOps", "Unsafe Script Pattern", "security", `${name}: ${command}`, "Avoid piping remote content directly into a shell in package scripts.", "Download artifacts explicitly, verify them, and execute only trusted local files.", "Remote shell piping increases supply-chain and command-execution risk.", ["CWE-494"]));
+      }
+    }
+  } catch {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "package-json-parse", "package.json could not be parsed during repository review", "low", "Reliability", "Manifest Parsing", "reliability", "Unable to parse package.json cleanly.", "Validate manifest syntax and keep project metadata well-formed.", "Fix malformed manifests early to keep tooling predictable.", "Broken manifests can disrupt review tooling and build workflows.", ["Build Reliability"]));
+  }
+  return findings;
+}
+function analyzeRequirements(file, workspaceRoot) {
+  const findings = [];
+  const lines = file.content.split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
+  const unpinned = lines.filter((line) => !line.startsWith("#") && !/(==|~=|>=|<=)/.test(line));
+  if (unpinned.length >= 3) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "unpinned-python-dependencies", "Python dependencies may be insufficiently pinned", "medium", "Dependency Risk", "Version Pinning", "dependency-risk", unpinned.slice(0, 8).join(", "), "Pin Python dependencies to reviewed versions and add an upgrade process.", "Use constraints or lock tooling for deterministic Python environments.", "Unpinned dependencies increase build drift and make vulnerability management harder.", ["Supply Chain Review"]));
+  }
+  return findings;
+}
+function analyzeDockerfile(file, workspaceRoot) {
+  const findings = [];
+  if (/^FROM\s+.+:latest/im.test(file.content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "docker-latest-tag", "Docker image uses the latest tag", "medium", "DevOps", "Container Reproducibility", "outdated-practices", "Dockerfile uses a latest base image tag.", "Pin the base image to a reviewed version or digest.", "Use immutable digests or explicit version tags for container bases.", "Latest tags create non-deterministic builds and make rollbacks harder.", ["Container Review"]));
+  }
+  if (!/^USER\s+/im.test(file.content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "docker-root-user", "Dockerfile does not appear to switch away from root", "medium", "DevOps", "Container Privilege", "security", "No USER directive detected in Dockerfile.", "Run containers as a non-root user where feasible.", "Create a dedicated runtime user and drop privileges before launching the app.", "Root containers increase blast radius if the application is compromised.", ["Container Review"]));
+  }
+  return findings;
+}
+function analyzeGithubWorkflow(file, workspaceRoot) {
+  const findings = [];
+  const unpinnedActions = [...file.content.matchAll(/uses:\s*([^\n@]+)@(main|master|v?\d+\s*$)/gmi)];
+  if (unpinnedActions.length) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "workflow-unpinned-action", "GitHub Actions workflow may use loosely pinned actions", "medium", "DevOps", "CI Supply Chain", "security", unpinnedActions.slice(0, 5).map((match) => match[0].trim()).join("; "), "Pin actions to trusted versions or commit SHAs.", "Use immutable action SHAs for sensitive CI workflows.", "Loosely pinned CI actions increase supply-chain risk in build pipelines.", ["CI/CD Review"]));
+  }
+  return findings;
+}
+function analyzeApiSpec(file, workspaceRoot) {
+  const findings = [];
+  if (!/securitySchemes|security:/i.test(file.content)) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "api-spec-missing-security", "API specification may be missing explicit security definitions", "medium", "API Review", "Security Contract", "architecture", "No obvious securitySchemes or security declarations were found in the API spec.", "Document authentication and authorization expectations directly in the API contract.", "Use the API spec as the source of truth for auth and sensitive endpoint behavior.", "Underspecified API security contracts increase integration and review ambiguity.", ["API Review"]));
+  }
+  return findings;
+}
+function analyzeFileSizeAndComplexity(file, workspaceRoot) {
+  const findings = [];
+  const lineCount = file.content.split(/\r?\n/).length;
+  if (lineCount > 800) {
+    findings.push(repoFinding(workspaceRoot, file.relativePath, "large-file", "Large source file may indicate weak modularity", "low", "Maintainability", "Large File", "maintainability", `${lineCount} lines detected in a single file.`, "Split large files into smaller modules with clearer ownership boundaries.", "Separate transport, business logic, and data handling concerns.", "Very large files are harder to review, test, and secure correctly.", ["Maintainability Review"]));
+  }
+  return findings;
+}
+function repoFinding(workspaceRoot, relativePath, code, title, severity, category, subcategory, reviewDomain, evidence, remediation, suggestion, whyItMatters, standards) {
+  return {
+    id: hashFinding([relativePath, code, title]),
+    source: "static",
+    title,
+    severity,
+    confidence: "medium",
+    category,
+    subcategory,
+    reviewDomain,
+    filePath: workspaceRoot ? path.join(workspaceRoot, relativePath) : relativePath,
+    relativePath,
+    line: 1,
+    column: 1,
+    code,
+    message: `${title} in ${toPosixPath(relativePath)}`,
+    evidence,
+    remediation,
+    suggestion,
+    whyItMatters,
+    standards
+  };
+}
+function toRelativePath(filePath, workspaceRoot) {
+  if (!workspaceRoot) {
+    return path.basename(filePath);
+  }
+  return path.relative(workspaceRoot, filePath).split(path.sep).join("/");
+}
+function toConfigAccessor(rawConfig) {
+  return {
+    get(key, fallback) {
+      return rawConfig[key] === undefined ? fallback : rawConfig[key];
+    }
+  };
+}