secure-scan 1.2.2

package/src/analyzers/java/javaAnalyzer.ts

@@ -0,0 +1,320 @@
+/**
+ * Java Analyzer
+ * Specialized analyzer for Java code
+ */
+
+import { BaseAnalyzer } from '../base';
+import { ScannedFile, Finding, Rule, SupportedLanguage, Severity, ThreatType, FindingCategory } from '../../types';
+import { generateId, extractCodeContext } from '../../utils';
+import { getStandardsForThreat } from '../../rules/standards';
+
+/**
+ * Java Analyzer Class
+ */
+export class JavaAnalyzer extends BaseAnalyzer {
+  name = 'Java Analyzer';
+  languages: SupportedLanguage[] = ['java'];
+  version = '1.0.0';
+
+  /**
+   * Analyze Java file
+   */
+  async analyze(file: ScannedFile, rules: Rule[]): Promise<Finding[]> {
+    const findings: Finding[] = [];
+
+    // Filter rules for Java
+    const javaRules = rules.filter(r => r.languages.includes('java'));
+
+    // Run rule engine
+    const ruleFindings = await this.ruleEngine.analyzeFile(file, javaRules);
+    findings.push(...ruleFindings);
+
+    // Additional Java-specific analysis
+    const customFindings = await this.customAnalysis(file);
+    findings.push(...customFindings);
+
+    return findings;
+  }
+
+  /**
+   * Custom Java-specific analysis
+   */
+  private async customAnalysis(file: ScannedFile): Promise<Finding[]> {
+    const findings: Finding[] = [];
+    const lines = file.content.split('\n');
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const lineNum = i + 1;
+
+      // Check for ObjectInputStream deserialization
+      if (this.checkDeserializationSinks(line)) {
+        findings.push(this.createFinding(
+          file,
+          lineNum,
+          'Unsafe Deserialization',
+          'ObjectInputStream.readObject() can execute arbitrary code.',
+          Severity.CRITICAL,
+          ThreatType.INSECURE_DESERIALIZATION
+        ));
+      }
+
+      // Check for Runtime.exec
+      if (this.checkRuntimeExec(line)) {
+        findings.push(this.createFinding(
+          file,
+          lineNum,
+          'Potential Command Injection',
+          'Runtime.exec() with dynamic input can lead to command injection.',
+          Severity.CRITICAL,
+          ThreatType.COMMAND_INJECTION
+        ));
+      }
+
+      // Check for SQL injection patterns
+      if (this.checkSqlInjection(line)) {
+        findings.push(this.createFinding(
+          file,
+          lineNum,
+          'Potential SQL Injection',
+          'String concatenation in SQL query detected. Use PreparedStatement.',
+          Severity.CRITICAL,
+          ThreatType.SQL_INJECTION
+        ));
+      }
+
+      // Check for XXE vulnerabilities
+      if (this.checkXxe(line)) {
+        findings.push(this.createFinding(
+          file,
+          lineNum,
+          'Potential XXE Vulnerability',
+          'XML parser may be vulnerable to XXE attacks.',
+          Severity.HIGH,
+          ThreatType.DANGEROUS_FUNCTION
+        ));
+      }
+
+      // Check for path traversal
+      if (this.checkPathTraversal(line)) {
+        findings.push(this.createFinding(
+          file,
+          lineNum,
+          'Potential Path Traversal',
+          'File operations with user-controlled input detected.',
+          Severity.HIGH,
+          ThreatType.PATH_TRAVERSAL
+        ));
+      }
+
+      // Check for insecure random
+      if (this.checkInsecureRandom(line)) {
+        findings.push(this.createFinding(
+          file,
+          lineNum,
+          'Insecure Random Number Generator',
+          'java.util.Random is not cryptographically secure.',
+          Severity.MEDIUM,
+          ThreatType.WEAK_RANDOM
+        ));
+      }
+
+      // Check for weak crypto
+      if (this.checkWeakCrypto(line)) {
+        findings.push(this.createFinding(
+          file,
+          lineNum,
+          'Weak Cryptographic Algorithm',
+          'Use of weak or deprecated cryptographic algorithm.',
+          Severity.MEDIUM,
+          ThreatType.INSECURE_CRYPTO
+        ));
+      }
+
+      // Check for LDAP injection
+      if (this.checkLdapInjection(line)) {
+        findings.push(this.createFinding(
+          file,
+          lineNum,
+          'Potential LDAP Injection',
+          'LDAP query with user-controlled input detected.',
+          Severity.HIGH,
+          ThreatType.LDAP_INJECTION
+        ));
+      }
+
+      // Check for Spring Expression Language injection
+      if (this.checkSpelInjection(line)) {
+        findings.push(this.createFinding(
+          file,
+          lineNum,
+          'SpEL Expression Injection',
+          'Spring Expression Language with user input can lead to RCE.',
+          Severity.CRITICAL,
+          ThreatType.COMMAND_INJECTION
+        ));
+      }
+    }
+
+    return findings;
+  }
+
+  /**
+   * Check for deserialization sinks
+   */
+  private checkDeserializationSinks(line: string): boolean {
+    const patterns = [
+      /ObjectInputStream\s*\(/,
+      /\.readObject\s*\(\s*\)/,
+      /XMLDecoder\s*\(/,
+      /XStream\s*\(\s*\)/,
+      /ObjectMapper\s*\(\s*\).*enableDefaultTyping/
+    ];
+    return patterns.some(p => p.test(line));
+  }
+
+  /**
+   * Check for Runtime.exec
+   */
+  private checkRuntimeExec(line: string): boolean {
+    const patterns = [
+      /Runtime\.getRuntime\s*\(\s*\)\.exec\s*\(/,
+      /ProcessBuilder\s*\([^)]*\+/,
+      /new\s+ProcessBuilder\s*\([^)]*\$/
+    ];
+    return patterns.some(p => p.test(line));
+  }
+
+  /**
+   * Check for SQL injection
+   */
+  private checkSqlInjection(line: string): boolean {
+    const patterns = [
+      /Statement\s*\.\s*execute(?:Query|Update)?\s*\([^)]*\+/,
+      /createStatement\s*\(\s*\).*execute/,
+      /["']SELECT[^'"]*["']\s*\+/i,
+      /["']INSERT[^'"]*["']\s*\+/i,
+      /["']UPDATE[^'"]*["']\s*\+/i,
+      /["']DELETE[^'"]*["']\s*\+/i
+    ];
+    return patterns.some(p => p.test(line));
+  }
+
+  /**
+   * Check for XXE vulnerabilities
+   */
+  private checkXxe(line: string): boolean {
+    const patterns = [
+      /DocumentBuilderFactory\.newInstance\s*\(\s*\)/,
+      /SAXParserFactory\.newInstance\s*\(\s*\)/,
+      /XMLInputFactory\.newInstance\s*\(\s*\)/,
+      /TransformerFactory\.newInstance\s*\(\s*\)/
+    ];
+    // Only flag if not followed by secure configuration
+    if (patterns.some(p => p.test(line))) {
+      // Check for secure configuration (simplified)
+      if (!/setFeature.*disallow-doctype-decl/i.test(line) &&
+          !/setFeature.*external-general-entities/i.test(line)) {
+        return true;
+      }
+    }
+    return false;
+  }
+
+  /**
+   * Check for path traversal
+   */
+  private checkPathTraversal(line: string): boolean {
+    const patterns = [
+      /new\s+File\s*\([^)]*\+/,
+      /new\s+FileInputStream\s*\([^)]*\+/,
+      /new\s+FileOutputStream\s*\([^)]*\+/,
+      /Paths\.get\s*\([^)]*\+/,
+      /Files\.(?:read|write|copy|move)\s*\([^)]*request/i
+    ];
+    return patterns.some(p => p.test(line));
+  }
+
+  /**
+   * Check for insecure random
+   */
+  private checkInsecureRandom(line: string): boolean {
+    return /new\s+Random\s*\(\s*\)/.test(line) && !/SecureRandom/.test(line);
+  }
+
+  /**
+   * Check for weak crypto
+   */
+  private checkWeakCrypto(line: string): boolean {
+    const patterns = [
+      /Cipher\.getInstance\s*\(\s*["'](?:DES|DESede|RC2|RC4|Blowfish)["']/i,
+      /MessageDigest\.getInstance\s*\(\s*["'](?:MD5|SHA-1|SHA1)["']/i,
+      /KeyGenerator\.getInstance\s*\(\s*["'](?:DES|DESede)["']/i
+    ];
+    return patterns.some(p => p.test(line));
+  }
+
+  /**
+   * Check for LDAP injection
+   */
+  private checkLdapInjection(line: string): boolean {
+    const patterns = [
+      /new\s+InitialDirContext\s*\([^)]*\+/,
+      /ctx\.search\s*\([^)]*\+/,
+      /SearchControls/
+    ];
+    return patterns.some(p => p.test(line)) && /\+\s*[a-zA-Z]/.test(line);
+  }
+
+  /**
+   * Check for SpEL injection
+   */
+  private checkSpelInjection(line: string): boolean {
+    const patterns = [
+      /SpelExpressionParser\s*\(\s*\).*parseExpression\s*\([^)]*\+/,
+      /ExpressionParser.*parseExpression\s*\([^)]*request/i
+    ];
+    return patterns.some(p => p.test(line));
+  }
+
+  /**
+   * Create generic finding
+   */
+  private createFinding(
+    file: ScannedFile,
+    lineNum: number,
+    title: string,
+    description: string,
+    severity: Severity,
+    threatType: ThreatType
+  ): Finding {
+    const context = extractCodeContext(file.content, lineNum, 2);
+
+    return {
+      id: generateId(),
+      title,
+      description,
+      severity,
+      threatType,
+      category: FindingCategory.VULNERABILITY,
+      location: {
+        file: file.relativePath,
+        startLine: lineNum,
+        endLine: lineNum
+      },
+      snippet: {
+        code: context.code,
+        contextBefore: context.contextBefore,
+        contextAfter: context.contextAfter
+      },
+      standards: getStandardsForThreat(threatType),
+      remediation: 'Review and fix the identified issue.',
+      confidence: 75,
+      analyzer: this.name,
+      timestamp: new Date(),
+      tags: ['java']
+    };
+  }
+}
+
+export default JavaAnalyzer;

package/src/analyzers/javascript/PROMPT_JS_ANALYZER.md

@@ -0,0 +1,267 @@
+🔐 PROMPT — Mejora Avanzada del Módulo JavaScript
+Secure-Scan | javascriptAnalyzer.ts
+🎯 Rol del Agente
+
+Actúa simultáneamente como:
+
+Senior JavaScript Security Engineer
+
+Malware Analyst especializado en JavaScript / npm
+
+Application Security Lead (AppSec)
+
+Arquitecto SAST Enterprise
+
+Toma decisiones técnicas profesionales, priorizando precisión, cobertura, performance y seguridad, sin violar principios éticos ni legales.
+
+🧠 Contexto del Proyecto
+
+Secure-Scan es una herramienta de Análisis Estático de Seguridad de Aplicaciones (SAST) que analiza repositorios de código sin ejecutarlos, diseñada para detectar:
+
+Vulnerabilidades OWASP
+
+Código malicioso
+
+Amenazas de supply chain
+
+El archivo javascriptAnalyzer.ts es un módulo especializado en JavaScript y TypeScript, y debe mejorarse de forma incremental, manteniendo compatibilidad con BaseAnalyzer.
+
+🎯 Objetivo de Esta Mejora
+
+Mejorar TODOS los aspectos del módulo:
+
+✅ Detección avanzada de malware
+
+✅ Detección profunda de vulnerabilidades OWASP
+
+✅ Mayor precisión (reducción de falsos positivos)
+
+✅ Mayor cobertura (más técnicas y casos reales)
+
+✅ Mejor performance, sin sacrificar exactitud
+
+🧩 Enfoque Técnico Obligatorio
+🔍 Tipo de Análisis
+
+Análisis híbrido, con prioridad en:
+
+AST (principal)
+
+Regex / firmas solo como fallback
+
+📐 Herramientas Conceptuales a Emular
+
+No integrar directamente, pero diseñar el análisis inspirado en:
+
+Semgrep → estructura AST y patrones semánticos
+
+YARA → firmas de malware (regex controladas)
+
+CodeQL → flujos peligrosos (taint analysis)
+
+🌳 AST y Parsing
+
+Usar Babel Parser para JavaScript y TypeScript
+
+Migrar reglas críticas (XSS, RCE, Prototype Pollution) a AST
+
+Evitar detecciones basadas solo en strings cuando sea posible
+
+🔁 Taint Analysis (Obligatorio)
+
+Implementar taint analysis básico pero efectivo, capaz de detectar flujos reales:
+
+Fuentes (Sources)
+
+req.body
+
+req.query
+
+req.params
+
+process.env
+
+localStorage
+
+document.location
+
+postMessage
+
+Sinks (Sinks)
+
+innerHTML
+
+document.write
+
+eval
+
+Function()
+
+child_process.exec
+
+spawn
+
+execFile
+
+fetch / axios (SSRF)
+
+Detectar flujos como:
+
+req.body → innerHTML
+
+process.env → exec
+
+🦠 Malware a Detectar (Cobertura Total)
+Tipos
+
+Supply-chain malware (npm)
+
+Cryptominers JS
+
+Stealers (cookies, tokens, localStorage)
+
+Backdoors lógicos
+
+Droppers / loaders
+
+Payloads ofuscados
+
+Técnicas
+
+Base64 → decode → eval
+
+new Function()
+
+WebAssembly sospechoso
+
+Anti-debugging JS
+
+Código auto-modificable
+
+Uso anómalo de encoding / crypto
+
+📦 Análisis Profundo de package.json
+
+Analizar estáticamente:
+
+scripts
+
+dependencies
+
+devDependencies
+
+engines
+
+preinstall / postinstall
+
+Detectar:
+
+Typosquatting
+
+Paquetes abandonados
+
+Scripts ofuscados
+
+Comandos peligrosos (curl | sh, powershell, eval)
+
+🧠 Uso de Inteligencia Artificial
+
+La IA debe apoyar en:
+
+Clasificación de severidad
+
+Detección de patrones no triviales
+
+Reducción de falsos positivos
+
+Explicación del hallazgo
+
+Debe poder analizar:
+
+Fragmentos de código
+
+Metadatos
+
+Ambos combinados
+
+El diseño debe permitir IA local o por API, de forma desacoplada.
+
+📊 Hallazgos y Reportes
+
+Cada hallazgo debe incluir:
+
+Código vulnerable exacto
+
+Contexto y snippet
+
+Call stack aproximado (si aplica)
+
+Referencias OWASP / CWE automáticas
+
+Categoría:
+
+Malware
+
+Vulnerabilidad
+
+Severidad justificada
+
+Recomendación + ejemplo de fix seguro
+
+El lenguaje debe ser:
+
+Profesional (auditoría)
+
+Comprensible para desarrolladores
+
+⚙️ Performance y Seguridad
+
+Implementar:
+
+🔁 Análisis paralelo
+
+⏱️ Timeouts solo si se detectan bucles anómalos
+
+🧠 Límites de memoria, priorizando precisión
+
+Protecciones contra:
+
+Código altamente ofuscado
+
+ReDoS por regex
+
+Archivos excesivamente grandes
+
+🧪 Calidad del Código
+
+El código generado debe:
+
+Seguir principios SOLID
+
+Ser 100% testeable
+
+Incluir tests unitarios
+
+Mantener compatibilidad con BaseAnalyzer
+
+Se permite introducir:
+
+Nuevas clases
+
+Nuevas interfaces
+
+Helpers reutilizables
+
+🚀 Instrucción Final
+
+Mejora incrementalmente el archivo javascriptAnalyzer.ts, documentando cada decisión técnica, agregando detección avanzada de malware y vulnerabilidades, sin ejecutar código analizado y manteniendo el enfoque SAST enterprise.
+
+Prioridad:
+
+Seguridad
+
+Precisión
+
+Cobertura
+
+Performance