security-mcp 1.1.1 → 1.1.2

package/dist/gate/checks/dependencies.js

@@ -1,8 +1,12 @@
+import { sanitizeErrorMessage } from "../result.js";
 import fg from "fast-glob";
 import { readFileSafe } from "../../repo/fs.js";
 import { execFile } from "node:child_process";
 import { promisify } from "node:util";
 import { readFile } from "node:fs/promises";
+import { checkActiveExploitation } from "../threat-intel.js";
+import { join } from "node:path";
+const THREAT_INTEL_CACHE_DIR = join(process.cwd(), ".mcp", "threat-intel");
 const execFileAsync = promisify(execFile);
 // 24-hour cache for OpenSSF Scorecard API responses
 const scorecardCache = new Map();
@@ -61,7 +65,8 @@ async function checkNpmProvenance() {
         try {
             const { stdout } = await execFileAsync("npm", ["audit", "signatures", "--json"], {
                 timeout: 30000,
-                env: process.env
+                // CWE-526: pass only PATH — do not propagate API keys or tokens from parent env.
+                env: { PATH: process.env["PATH"] ?? "/usr/local/bin:/usr/bin:/bin" }
             });
             if (stdout) {
                 let auditResult;
@@ -120,7 +125,7 @@ async function checkNpmProvenance() {
         }
     }
     catch (err) {
-        console.warn("[checkNpmProvenance] Internal error:", err instanceof Error ? err.message : String(err));
+        console.warn("[checkNpmProvenance] Internal error:", sanitizeErrorMessage(err instanceof Error ? err.message : String(err)));
     }
     return { findings };
 }
@@ -165,5 +170,295 @@ export async function checkDependencies(_) {
     }
     const provenance = await checkNpmProvenance();
     findings.push(...provenance.findings);
+    const transitive = await checkTransitiveDependencies();
+    findings.push(...transitive);
+    const typosquat = await checkTyposquatting();
+    findings.push(...typosquat);
+    const threatIntel = await checkCveExploitation();
+    findings.push(...threatIntel);
+    return findings;
+}
+function extractCveIds(audit) {
+    const cveSet = new Set();
+    for (const vuln of Object.values(audit.vulnerabilities ?? {})) {
+        for (const via of vuln.via ?? []) {
+            if (typeof via !== "object" || !Array.isArray(via.cve))
+                continue;
+            for (const cve of via.cve) {
+                if (typeof cve === "string" && cve.startsWith("CVE-"))
+                    cveSet.add(cve);
+            }
+        }
+    }
+    return [...cveSet];
+}
+function buildThreatIntelFindings(intel) {
+    const findings = [];
+    if (intel.kevMatches.length > 0) {
+        findings.push({
+            id: "DEP_CVE_ACTIVELY_EXPLOITED",
+            title: `${intel.kevMatches.length} dependency CVE(s) are actively exploited (CISA KEV)`,
+            severity: "CRITICAL",
+            evidence: intel.kevMatches.slice(0, 20),
+            requiredActions: [
+                "Upgrade or patch these dependencies immediately — these CVEs are in CISA's Known Exploited Vulnerabilities catalog.",
+                "Run `npm audit fix` or manually update to a patched version.",
+                "If no patch is available, apply mitigating controls and document accepted risk."
+            ]
+        });
+    }
+    if (intel.highEpss.length > 0) {
+        findings.push({
+            id: "DEP_CVE_HIGH_EPSS",
+            title: `${intel.highEpss.length} dependency CVE(s) have high exploitation probability (EPSS > 50%)`,
+            severity: "HIGH",
+            evidence: intel.highEpss.slice(0, 20).map((e) => `${e.cve}: ${(e.score * 100).toFixed(1)}% exploitation probability`),
+            requiredActions: [
+                "Prioritize patching these CVEs — high EPSS scores indicate active exploitation in the wild.",
+                "Run `npm audit fix` or update affected packages.",
+                "Monitor for exploit availability and treat as high urgency even without a current patch."
+            ]
+        });
+    }
+    return findings;
+}
+async function checkCveExploitation() {
+    try {
+        let stdout;
+        try {
+            const result = await execFileAsync("npm", ["audit", "--json"], {
+                timeout: 30_000,
+                env: { PATH: process.env["PATH"] ?? "/usr/local/bin:/usr/bin:/bin" }
+            });
+            stdout = result.stdout;
+        }
+        catch (err) {
+            // npm audit exits non-zero when vulnerabilities exist — output is still valid JSON.
+            stdout = err?.stdout ?? "";
+        }
+        if (!stdout)
+            return [];
+        let audit;
+        try {
+            audit = JSON.parse(stdout);
+        }
+        catch {
+            return [];
+        }
+        const cveIds = extractCveIds(audit);
+        if (cveIds.length === 0)
+            return [];
+        const intel = await checkActiveExploitation(cveIds, THREAT_INTEL_CACHE_DIR);
+        if (intel.failed)
+            return [];
+        return buildThreatIntelFindings(intel);
+    }
+    catch (err) {
+        console.warn("[checkCveExploitation] Internal error:", sanitizeErrorMessage(err instanceof Error ? err.message : String(err)));
+        return [];
+    }
+}
+const LIFECYCLE_SCRIPTS = ["postinstall", "install", "preinstall"];
+function hasLifecycleScript(pkg) {
+    return !!pkg.scripts && LIFECYCLE_SCRIPTS.some((s) => !!pkg.scripts[s]);
+}
+function scanLockfilePackages(packages) {
+    const scriptPkgs = [];
+    const missingIntegrityPkgs = [];
+    for (const [name, pkg] of Object.entries(packages)) {
+        if (!name)
+            continue; // skip root entry
+        const pkgName = name.replace(/^node_modules\//, "");
+        if (hasLifecycleScript(pkg))
+            scriptPkgs.push(pkgName);
+        if (pkg.version && !pkg.integrity)
+            missingIntegrityPkgs.push(pkgName);
+    }
+    return { scriptPkgs, missingIntegrityPkgs };
+}
+async function checkTransitiveDependencies() {
+    const findings = [];
+    try {
+        let lockRaw;
+        try {
+            lockRaw = await readFile("package-lock.json", "utf8");
+        }
+        catch {
+            return [];
+        }
+        let lock;
+        try {
+            lock = JSON.parse(lockRaw);
+        }
+        catch {
+            return [];
+        }
+        const { scriptPkgs, missingIntegrityPkgs } = scanLockfilePackages(lock.packages ?? {});
+        if (scriptPkgs.length > 0) {
+            findings.push({
+                id: "DEP_LIFECYCLE_SCRIPTS",
+                title: `${scriptPkgs.length} transitive dependencies contain lifecycle scripts (postinstall/install/preinstall)`,
+                severity: "HIGH",
+                evidence: scriptPkgs.slice(0, 15),
+                requiredActions: [
+                    "Audit each package's lifecycle script for malicious behavior before trusting.",
+                    "Add `ignore-scripts=true` to `.npmrc` to prevent automatic execution of install scripts.",
+                    "For required scripts, explicitly allowlist them via `npm pkg set scripts.prepare=...`."
+                ]
+            });
+            findings.push(...await checkIgnoreScripts());
+        }
+        if (missingIntegrityPkgs.length > 0) {
+            findings.push({
+                id: "DEP_MISSING_INTEGRITY",
+                title: `${missingIntegrityPkgs.length} lockfile entries are missing integrity hashes — possible tampering`,
+                severity: "HIGH",
+                evidence: missingIntegrityPkgs.slice(0, 15),
+                requiredActions: [
+                    "Regenerate the lockfile with `npm install` and commit the result.",
+                    "Missing `integrity` fields prevent npm from verifying the downloaded package matches the expected content.",
+                    "Consider using `npm ci` in CI/CD — it fails if the lockfile has missing or mismatched integrity hashes."
+                ]
+            });
+        }
+    }
+    catch (err) {
+        console.warn("[checkTransitiveDependencies] Internal error:", sanitizeErrorMessage(err instanceof Error ? err.message : String(err)));
+    }
+    return findings;
+}
+async function checkIgnoreScripts() {
+    let npmrcContent = "";
+    try {
+        npmrcContent = await readFile(".npmrc", "utf8");
+    }
+    catch {
+        // .npmrc absent — treat as missing
+    }
+    if (/ignore-scripts\s*=\s*true/.test(npmrcContent))
+        return [];
+    return [{
+            id: "DEP_IGNORE_SCRIPTS_MISSING",
+            title: "`.npmrc` does not set `ignore-scripts=true` — lifecycle scripts run automatically on install",
+            severity: "MEDIUM",
+            requiredActions: [
+                "Add `ignore-scripts=true` to your project's `.npmrc` file.",
+                "This prevents malicious postinstall scripts from executing during `npm install`.",
+                "Commit `.npmrc` to the repository so CI/CD enforces it consistently."
+            ]
+        }];
+}
+// ─── Typosquatting / dependency confusion ──────────────────────────────────
+// Known typosquat → legitimate package mappings (1-edit-distance variants of top npm packages)
+const KNOWN_TYPOSQUATS = {
+    "lodahs": "lodash",
+    "loadsh": "lodash",
+    "lodash-": "lodash",
+    "expres": "express",
+    "expresss": "express",
+    "expres-session": "express-session",
+    "requets": "request",
+    "reqwest": "request",
+    "reacts": "react",
+    "reactt": "react",
+    "react-doms": "react-dom",
+    "axois": "axios",
+    "axio": "axios",
+    "momnet": "moment",
+    "momment": "moment",
+    "undersocre": "underscore",
+    "underscoree": "underscore",
+    "babbel": "babel",
+    "webpakc": "webpack",
+    "webapck": "webpack",
+    "eslint-": "eslint",
+    "typscript": "typescript",
+    "typescrip": "typescript",
+    "ts-nod": "ts-node",
+    "nod-fetch": "node-fetch",
+    "nodefetch": "node-fetch",
+    "crossenv": "cross-env",
+    "cross-envs": "cross-env",
+    "dotenvs": "dotenv",
+    "dot-env": "dotenv",
+    "jest-": "jest",
+    "jests": "jest",
+    "chalkk": "chalk",
+    "chak": "chalk",
+    "commnder": "commander",
+    "commanderjs": "commander",
+    "yargss": "yargs",
+    "uuid-": "uuid",
+    "uuidd": "uuid",
+    "semverr": "semver",
+    "globb": "glob",
+    "glo": "glob",
+    "mimimatch": "minimatch",
+    "minimach": "minimatch",
+    "debugg": "debug",
+    "debu": "debug",
+    "async-": "async",
+    "asyncs": "async"
+};
+// Suspicious version patterns used in dependency confusion / version injection attacks
+const SUSPICIOUS_VERSION_RE = /^\^?999\.|^0\.0\.[01]$/;
+async function checkTyposquatting() {
+    const findings = [];
+    try {
+        let pkgRaw;
+        try {
+            pkgRaw = await readFile("package.json", "utf8");
+        }
+        catch {
+            return [];
+        }
+        const pkg = JSON.parse(pkgRaw);
+        const allDeps = {
+            ...pkg.dependencies,
+            ...pkg.devDependencies
+        };
+        const typosquatHits = [];
+        const suspiciousVersionHits = [];
+        for (const [name, version] of Object.entries(allDeps)) {
+            const normalized = name.toLowerCase();
+            // Check against known typosquat list
+            if (KNOWN_TYPOSQUATS[normalized]) {
+                typosquatHits.push(`"${name}" (possible typo of "${KNOWN_TYPOSQUATS[normalized]}")`);
+            }
+            // Check for suspicious version numbers used in dependency confusion attacks
+            if (SUSPICIOUS_VERSION_RE.test(version) && name.length < 8) {
+                suspiciousVersionHits.push(`"${name}@${version}"`);
+            }
+        }
+        if (typosquatHits.length > 0) {
+            findings.push({
+                id: "DEP_TYPOSQUAT",
+                title: `Possible typosquatted package name(s) detected in dependencies`,
+                severity: "CRITICAL",
+                evidence: typosquatHits.slice(0, 10),
+                requiredActions: [
+                    "Verify each flagged package is the intended dependency — typosquatting replaces legitimate packages with malicious ones.",
+                    "Remove the package, run `npm install` with the correctly-spelled name, and audit `package-lock.json`.",
+                    "Use `npm audit` and review the package on npmjs.com before reinstalling."
+                ]
+            });
+        }
+        if (suspiciousVersionHits.length > 0) {
+            findings.push({
+                id: "DEP_SUSPICIOUS_VERSION",
+                title: "Dependencies with suspicious version numbers — possible dependency confusion attack",
+                severity: "HIGH",
+                evidence: suspiciousVersionHits.slice(0, 10),
+                requiredActions: [
+                    "Packages with version `999.*` or `0.0.0`/`0.0.1` on short names are a common dependency confusion attack signal.",
+                    "Verify these packages are legitimate using `npm view <package>` and inspect the publish history.",
+                    "Use a private registry with an allowlist of approved packages (Artifactory, Verdaccio, GitHub Packages)."
+                ]
+            });
+        }
+    }
+    catch (err) {
+        console.warn("[checkTyposquatting] Internal error:", sanitizeErrorMessage(err instanceof Error ? err.message : String(err)));
+    }
     return findings;
 }

package/dist/gate/checks/dlp.js

@@ -1,3 +1,8 @@
+/**
+ * Data Loss Prevention checks.
+ * Detects PII leaking into logs, APIs, and error responses.
+ */
+import { sanitizeErrorMessage } from "../result.js";
 import { searchRepo } from "../../repo/search.js";
 export async function checkDlp(_opts) {
     const findings = [];
@@ -147,7 +152,7 @@ export async function checkDlp(_opts) {
         }
     }
     catch (err) {
-        console.warn("[checkDlp] Internal error:", err instanceof Error ? err.message : String(err));
+        console.warn("[checkDlp] Internal error:", sanitizeErrorMessage(err instanceof Error ? err.message : String(err)));
     }
     return findings;
 }

package/dist/gate/checks/graphql.js

@@ -1,3 +1,8 @@
+/**
+ * GraphQL security checks.
+ * Detects GraphQL schemas and validates security controls.
+ */
+import { sanitizeErrorMessage } from "../result.js";
 import { searchRepo } from "../../repo/search.js";
 import fg from "fast-glob";
 import { readFileSafe } from "../../repo/fs.js";
@@ -116,7 +121,7 @@ export async function checkGraphQL(_opts) {
         }
     }
     catch (err) {
-        console.warn("[checkGraphQL] Internal error:", err instanceof Error ? err.message : String(err));
+        console.warn("[checkGraphQL] Internal error:", sanitizeErrorMessage(err instanceof Error ? err.message : String(err)));
     }
     return findings;
 }