ship-safe 3.1.0 → 4.0.0

package/cli/agents/mobile-scanner.js

@@ -0,0 +1,225 @@
+/**
+ * MobileScanner Agent
+ * ====================
+ *
+ * Security scanning for React Native, Expo, Flutter,
+ * and native mobile codebases.
+ * Based on OWASP Mobile Top 10 2024.
+ */
+
+import fs from 'fs';
+import path from 'path';
+import { BaseAgent, createFinding } from './base-agent.js';
+
+const PATTERNS = [
+  // ── M1: Improper Credential Usage ──────────────────────────────────────────
+  {
+    rule: 'MOBILE_HARDCODED_KEY',
+    title: 'Mobile: Hardcoded API Key in Bundle',
+    regex: /(?:apiKey|api_key|API_KEY|secret|SECRET)\s*[:=]\s*["'][a-zA-Z0-9_\-]{20,}["']/g,
+    severity: 'critical',
+    cwe: 'CWE-798',
+    owasp: 'M1',
+    description: 'Hardcoded API key in mobile code. Mobile bundles are easily decompiled.',
+    fix: 'Store secrets server-side. Use expo-secure-store or EncryptedSharedPreferences.',
+  },
+  {
+    rule: 'MOBILE_KEY_IN_CONFIG',
+    title: 'Mobile: Secret in app.json/app.config.js',
+    regex: /(?:apiKey|apiSecret|secret|token|password|private_key)\s*["']?\s*[:=]\s*["'][^"']{8,}["']/gi,
+    severity: 'high',
+    cwe: 'CWE-798',
+    owasp: 'M1',
+    description: 'Secret in app config file. This gets bundled into the app binary.',
+    fix: 'Move to environment variables or server-side configuration',
+  },
+
+  // ── M3: Insecure Authentication/Authorization ──────────────────────────────
+  {
+    rule: 'MOBILE_LOCAL_AUTH_ONLY',
+    title: 'Mobile: Client-Only Authentication',
+    regex: /(?:isAuthenticated|isLoggedIn|isAdmin)\s*[:=]\s*(?:AsyncStorage|localStorage|SecureStore)/g,
+    severity: 'high',
+    cwe: 'CWE-603',
+    owasp: 'M3',
+    description: 'Authentication state stored only on client. Attacker can bypass by modifying storage.',
+    fix: 'Verify authentication server-side on every API request',
+  },
+
+  // ── M4: Insufficient Input/Output Validation ──────────────────────────────
+  {
+    rule: 'MOBILE_WEBVIEW_JS',
+    title: 'Mobile: WebView JavaScript Enabled',
+    regex: /(?:javaScriptEnabled|javascriptEnabled)\s*[:=]\s*(?:\{?\s*true|True)/g,
+    severity: 'medium',
+    cwe: 'CWE-79',
+    owasp: 'M4',
+    description: 'WebView with JavaScript enabled can be exploited via injected content.',
+    fix: 'Disable JavaScript in WebViews loading untrusted content, or sanitize loaded HTML',
+  },
+  {
+    rule: 'MOBILE_DEEPLINK_INJECTION',
+    title: 'Mobile: Deep Link Parameter Injection',
+    regex: /(?:Linking\.getInitialURL|useURL|addEventListener.*url).*(?!validate|sanitize|verify)/g,
+    severity: 'high',
+    cwe: 'CWE-20',
+    owasp: 'M4',
+    confidence: 'low',
+    description: 'Deep link URL parameters used without validation. Attacker can craft malicious links.',
+    fix: 'Validate and sanitize all parameters from deep links before use',
+  },
+
+  // ── M5: Insecure Communication ─────────────────────────────────────────────
+  {
+    rule: 'MOBILE_HTTP_ENDPOINT',
+    title: 'Mobile: HTTP (Non-HTTPS) Endpoint',
+    regex: /(?:baseURL|apiUrl|endpoint|url|API_URL)\s*[:=]\s*["']http:\/\//gi,
+    severity: 'high',
+    cwe: 'CWE-319',
+    owasp: 'M5',
+    description: 'HTTP endpoint in mobile app. All traffic is unencrypted and interceptable.',
+    fix: 'Use HTTPS for all endpoints. Configure ATS (iOS) and cleartextTraffic (Android).',
+  },
+  {
+    rule: 'MOBILE_NO_CERT_PINNING',
+    title: 'Mobile: Missing Certificate Pinning',
+    regex: /(?:fetch|axios|http)\s*\(\s*(?!.*pin|certificate)/g,
+    severity: 'medium',
+    cwe: 'CWE-295',
+    owasp: 'M5',
+    confidence: 'low',
+    description: 'No certificate pinning detected. MITM attacks possible on compromised networks.',
+    fix: 'Implement cert pinning with react-native-ssl-pinning or TrustKit',
+  },
+
+  // ── M6: Inadequate Privacy Controls ────────────────────────────────────────
+  {
+    rule: 'MOBILE_EXCESSIVE_PERMISSIONS',
+    title: 'Mobile: Excessive Permissions',
+    regex: /(?:CAMERA|CONTACTS|LOCATION|MICROPHONE|CALENDAR|READ_SMS|CALL_LOG|READ_PHONE_STATE)\s*(?:[,\]])/g,
+    severity: 'medium',
+    cwe: 'CWE-250',
+    owasp: 'M6',
+    confidence: 'low',
+    description: 'Multiple sensitive permissions requested. Only request what is needed.',
+    fix: 'Remove unnecessary permissions. Request at runtime with clear justification.',
+  },
+
+  // ── M8: Security Misconfiguration ──────────────────────────────────────────
+  {
+    rule: 'MOBILE_DEBUG_BUILD',
+    title: 'Mobile: Debug Mode in Release',
+    regex: /(?:__DEV__|debuggable\s*[:=]\s*true|android:debuggable="true"|DEBUG_MODE\s*[:=]\s*true)/g,
+    severity: 'high',
+    cwe: 'CWE-215',
+    owasp: 'M8',
+    description: 'Debug mode enabled. Exposes debugging interfaces and detailed error messages.',
+    fix: 'Ensure __DEV__ checks are used correctly. Set debuggable=false in release builds.',
+  },
+  {
+    rule: 'MOBILE_BACKUP_ENABLED',
+    title: 'Mobile: App Backup Enabled',
+    regex: /(?:android:allowBackup="true"|allowsBackup\s*[:=]\s*true)/g,
+    severity: 'medium',
+    cwe: 'CWE-312',
+    owasp: 'M8',
+    description: 'App backup enabled. Sensitive data can be extracted from backups.',
+    fix: 'Set android:allowBackup="false" and exclude sensitive files from backup',
+  },
+
+  // ── M9: Insecure Data Storage ──────────────────────────────────────────────
+  {
+    rule: 'MOBILE_ASYNCSTORAGE_SECRET',
+    title: 'Mobile: Secret in AsyncStorage',
+    regex: /AsyncStorage\.setItem\s*\(\s*["'](?:.*(?:token|key|secret|password|credential|session))/gi,
+    severity: 'high',
+    cwe: 'CWE-312',
+    owasp: 'M9',
+    description: 'Storing secrets in AsyncStorage (unencrypted). Use expo-secure-store or Keychain.',
+    fix: 'Use expo-secure-store (Expo) or react-native-keychain for sensitive data',
+  },
+  {
+    rule: 'MOBILE_LOCALSTORAGE_SECRET',
+    title: 'Mobile: Secret in localStorage',
+    regex: /localStorage\.setItem\s*\(\s*["'](?:.*(?:token|key|secret|password|credential|session))/gi,
+    severity: 'high',
+    cwe: 'CWE-312',
+    owasp: 'M9',
+    description: 'Storing secrets in localStorage (unencrypted). Use secure storage APIs.',
+    fix: 'Use platform-specific secure storage: Keychain (iOS), EncryptedSharedPreferences (Android)',
+  },
+  {
+    rule: 'MOBILE_LOG_SENSITIVE',
+    title: 'Mobile: Sensitive Data in Logs',
+    regex: /console\.(?:log|info|warn|debug)\s*\(\s*.*(?:token|password|secret|key|credential|session|auth)/gi,
+    severity: 'medium',
+    cwe: 'CWE-532',
+    owasp: 'M9',
+    confidence: 'medium',
+    description: 'Sensitive data logged to console. Logs are accessible on rooted/jailbroken devices.',
+    fix: 'Remove sensitive data from console.log. Use __DEV__ check for debug logging.',
+  },
+
+  // ── M10: Insufficient Cryptography ─────────────────────────────────────────
+  {
+    rule: 'MOBILE_HARDCODED_CRYPTO_KEY',
+    title: 'Mobile: Hardcoded Encryption Key',
+    regex: /(?:encrypt|cipher|aes|crypto).*(?:key|iv|salt)\s*[:=]\s*["'][a-zA-Z0-9+/=]{8,}["']/gi,
+    severity: 'critical',
+    cwe: 'CWE-321',
+    owasp: 'M10',
+    description: 'Hardcoded encryption key in mobile code. Easily extracted from decompiled binary.',
+    fix: 'Derive keys from user credentials or fetch from server at runtime',
+  },
+
+  // ── Flutter-specific ───────────────────────────────────────────────────────
+  {
+    rule: 'FLUTTER_SHARED_PREFS_SECRET',
+    title: 'Flutter: Secret in SharedPreferences',
+    regex: /SharedPreferences.*(?:setString|setInt)\s*\(\s*["'](?:.*(?:token|key|secret|password|api))/gi,
+    severity: 'high',
+    cwe: 'CWE-312',
+    owasp: 'M9',
+    description: 'Storing secrets in SharedPreferences (unencrypted). Use flutter_secure_storage.',
+    fix: 'Use flutter_secure_storage package for sensitive data',
+  },
+];
+
+export class MobileScanner extends BaseAgent {
+  constructor() {
+    super('MobileScanner', 'Mobile security scanning (OWASP Mobile Top 10)', 'mobile');
+  }
+
+  async analyze(context) {
+    const { rootPath, files, recon } = context;
+
+    // Only run if mobile framework detected
+    const isMobile = recon?.frameworks?.some(f =>
+      ['react-native', 'flutter', 'expo'].includes(f)
+    );
+
+    // Also check for mobile-specific files
+    const hasMobileFiles = files.some(f => {
+      const basename = path.basename(f);
+      return ['app.json', 'app.config.js', 'app.config.ts',
+              'pubspec.yaml', 'AndroidManifest.xml', 'Info.plist',
+              'expo-env.d.ts'].includes(basename);
+    });
+
+    if (!isMobile && !hasMobileFiles) return [];
+
+    const codeFiles = files.filter(f => {
+      const ext = path.extname(f).toLowerCase();
+      return ['.js', '.jsx', '.ts', '.tsx', '.dart', '.swift', '.kt',
+              '.java', '.xml', '.plist', '.json'].includes(ext);
+    });
+
+    let findings = [];
+    for (const file of codeFiles) {
+      findings = findings.concat(this.scanFileWithPatterns(file, PATTERNS));
+    }
+    return findings;
+  }
+}
+
+export default MobileScanner;

package/cli/agents/orchestrator.js

@@ -0,0 +1,152 @@
+/**
+ * Agent Orchestrator
+ * ==================
+ *
+ * Coordinates all security agents, deduplicates findings,
+ * and produces a unified report.
+ *
+ * USAGE:
+ *   const orchestrator = new Orchestrator();
+ *   orchestrator.register(new InjectionTester());
+ *   const results = await orchestrator.runAll(rootPath, options);
+ */
+
+import path from 'path';
+import ora from 'ora';
+import chalk from 'chalk';
+import { ReconAgent } from './recon-agent.js';
+
+// =============================================================================
+// ORCHESTRATOR
+// =============================================================================
+
+export class Orchestrator {
+  constructor() {
+    /** @type {import('./base-agent.js').BaseAgent[]} */
+    this.agents = [];
+    this.reconAgent = new ReconAgent();
+  }
+
+  /**
+   * Register an agent for execution.
+   */
+  register(agent) {
+    this.agents.push(agent);
+    return this;
+  }
+
+  /**
+   * Register multiple agents at once.
+   */
+  registerAll(agents) {
+    for (const agent of agents) {
+      this.register(agent);
+    }
+    return this;
+  }
+
+  /**
+   * Run all registered agents against the codebase.
+   *
+   * @param {string} rootPath — Absolute path to the project root
+   * @param {object} options  — { verbose, agents[], categories[] }
+   * @returns {Promise<object>} — { recon, findings[], agentResults[] }
+   */
+  async runAll(rootPath, options = {}) {
+    const absolutePath = path.resolve(rootPath);
+
+    // ── 1. Recon — map the attack surface ─────────────────────────────────────
+    const quiet = options.quiet || false;
+    const reconSpinner = quiet ? null : ora({ text: 'Mapping attack surface...', color: 'cyan' }).start();
+    const recon = await this.reconAgent.analyze({ rootPath: absolutePath, options });
+    if (reconSpinner) reconSpinner.succeed(chalk.green('Attack surface mapped'));
+
+    // ── 2. Discover files once (shared across agents) ─────────────────────────
+    const files = await this.reconAgent.discoverFiles(absolutePath);
+
+    // ── 3. Filter agents if specific ones requested ───────────────────────────
+    let agentsToRun = this.agents;
+    if (options.agents && options.agents.length > 0) {
+      const requested = options.agents.map(a => a.toLowerCase());
+      agentsToRun = this.agents.filter(a => {
+        const name = a.name.toLowerCase();
+        const cat = a.category.toLowerCase();
+        return requested.some(r => name === r || name.includes(r) || cat === r);
+      });
+    }
+    if (options.categories && options.categories.length > 0) {
+      const requested = new Set(options.categories.map(c => c.toLowerCase()));
+      agentsToRun = agentsToRun.filter(a => requested.has(a.category.toLowerCase()));
+    }
+
+    // ── 4. Run each agent ─────────────────────────────────────────────────────
+    const context = { rootPath: absolutePath, files, recon, options };
+    const agentResults = [];
+    let allFindings = [];
+
+    for (const agent of agentsToRun) {
+      const spinner = quiet ? null : ora({
+        text: `Running ${agent.name}...`,
+        color: 'cyan'
+      }).start();
+
+      try {
+        const findings = await agent.analyze(context);
+        agentResults.push({
+          agent: agent.name,
+          category: agent.category,
+          findingCount: findings.length,
+          success: true,
+        });
+        allFindings = allFindings.concat(findings);
+        if (spinner) spinner.succeed(
+          findings.length === 0
+            ? chalk.green(`${agent.name}: clean`)
+            : chalk.yellow(`${agent.name}: ${findings.length} finding(s)`)
+        );
+      } catch (err) {
+        agentResults.push({
+          agent: agent.name,
+          category: agent.category,
+          findingCount: 0,
+          success: false,
+          error: err.message,
+        });
+        if (spinner) spinner.fail(chalk.red(`${agent.name}: error — ${err.message}`));
+      }
+    }
+
+    // ── 5. Deduplicate ────────────────────────────────────────────────────────
+    allFindings = this.deduplicate(allFindings);
+
+    // ── 6. Sort by severity ───────────────────────────────────────────────────
+    const sevOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+    allFindings.sort((a, b) =>
+      (sevOrder[a.severity] ?? 4) - (sevOrder[b.severity] ?? 4)
+    );
+
+    return { recon, findings: allFindings, agentResults };
+  }
+
+  /**
+   * Run only agents matching a specific category.
+   */
+  async runCategory(category, rootPath, options = {}) {
+    return this.runAll(rootPath, { ...options, categories: [category] });
+  }
+
+  /**
+   * Remove duplicate findings (same file + line + rule).
+   */
+  deduplicate(findings) {
+    const seen = new Set();
+    return findings.filter(f => {
+      const key = `${f.file}:${f.line}:${f.rule}`;
+      if (seen.has(key)) return false;
+      seen.add(key);
+      return true;
+    });
+  }
+}
+
+export default Orchestrator;

package/cli/agents/policy-engine.js

@@ -0,0 +1,149 @@
+/**
+ * Policy-as-Code Engine
+ * ======================
+ *
+ * Enforces security policies defined in .ship-safe.policy.json.
+ * Teams can define minimum scores, required scans, severity thresholds,
+ * and custom rule overrides.
+ *
+ * USAGE:
+ *   const policy = PolicyEngine.load(rootPath);
+ *   const violations = policy.evaluate(scoreResult, findings);
+ */
+
+import fs from 'fs';
+import path from 'path';
+
+const DEFAULT_POLICY = {
+  minimumScore: 0,
+  failOn: null,           // 'critical' | 'high' | 'medium' — fail if any finding at this level
+  requiredScans: [],      // ['secrets', 'deps', 'injection', 'auth']
+  ignoreRules: [],        // ['GENERIC_API_KEY', 'API_NO_VALIDATION']
+  customSeverityOverrides: {}, // { 'CORS_WILDCARD': 'critical' }
+  maxAge: {
+    criticalCVE: null,    // '7d' — max time before critical CVEs must be fixed
+    highCVE: null,
+    mediumCVE: null,
+  },
+};
+
+export class PolicyEngine {
+  constructor(policy = {}) {
+    this.policy = { ...DEFAULT_POLICY, ...policy };
+  }
+
+  /**
+   * Load policy from .ship-safe.policy.json in the project root.
+   */
+  static load(rootPath) {
+    const policyPath = path.join(rootPath, '.ship-safe.policy.json');
+
+    if (!fs.existsSync(policyPath)) {
+      return new PolicyEngine();
+    }
+
+    try {
+      const content = JSON.parse(fs.readFileSync(policyPath, 'utf-8'));
+      return new PolicyEngine(content);
+    } catch (err) {
+      console.warn(`Warning: Could not parse .ship-safe.policy.json: ${err.message}`);
+      return new PolicyEngine();
+    }
+  }
+
+  /**
+   * Evaluate findings against the policy.
+   * Returns array of violations (empty = pass).
+   */
+  evaluate(scoreResult, findings = []) {
+    const violations = [];
+
+    // ── Minimum score check ───────────────────────────────────────────────────
+    if (this.policy.minimumScore > 0 && scoreResult.score < this.policy.minimumScore) {
+      violations.push({
+        type: 'minimum_score',
+        message: `Score ${scoreResult.score} is below minimum ${this.policy.minimumScore}`,
+        severity: 'critical',
+      });
+    }
+
+    // ── Fail-on severity check ────────────────────────────────────────────────
+    if (this.policy.failOn) {
+      const sevOrder = ['critical', 'high', 'medium', 'low'];
+      const threshold = sevOrder.indexOf(this.policy.failOn);
+
+      for (const finding of findings) {
+        const findingSev = sevOrder.indexOf(finding.severity);
+        if (findingSev >= 0 && findingSev <= threshold) {
+          violations.push({
+            type: 'severity_threshold',
+            message: `${finding.severity} finding: ${finding.title} in ${finding.file}:${finding.line}`,
+            severity: finding.severity,
+            finding,
+          });
+        }
+      }
+    }
+
+    return violations;
+  }
+
+  /**
+   * Check if a finding's rule should be ignored by policy.
+   */
+  isIgnored(finding) {
+    return this.policy.ignoreRules.includes(finding.rule);
+  }
+
+  /**
+   * Apply severity overrides from policy.
+   */
+  applySeverityOverrides(findings) {
+    return findings.map(f => {
+      if (this.policy.customSeverityOverrides[f.rule]) {
+        return { ...f, severity: this.policy.customSeverityOverrides[f.rule] };
+      }
+      return f;
+    });
+  }
+
+  /**
+   * Filter findings by policy ignores and apply overrides.
+   */
+  applyPolicy(findings) {
+    let filtered = findings.filter(f => !this.isIgnored(f));
+    filtered = this.applySeverityOverrides(filtered);
+    return filtered;
+  }
+
+  /**
+   * Check if policy passes (no violations).
+   */
+  passes(scoreResult, findings) {
+    return this.evaluate(scoreResult, findings).length === 0;
+  }
+
+  /**
+   * Generate a default policy template.
+   */
+  static generateTemplate(rootPath) {
+    const template = {
+      minimumScore: 70,
+      failOn: 'critical',
+      requiredScans: ['secrets', 'injection', 'deps', 'auth'],
+      ignoreRules: [],
+      customSeverityOverrides: {},
+      maxAge: {
+        criticalCVE: '7d',
+        highCVE: '30d',
+        mediumCVE: '90d',
+      },
+    };
+
+    const policyPath = path.join(rootPath, '.ship-safe.policy.json');
+    fs.writeFileSync(policyPath, JSON.stringify(template, null, 2));
+    return policyPath;
+  }
+}
+
+export default PolicyEngine;