ship-safe 3.2.0 → 4.1.0

package/cli/agents/recon-agent.js

@@ -0,0 +1,196 @@
+/**
+ * ReconAgent — Attack Surface Discovery
+ * =======================================
+ *
+ * Maps the full attack surface before other agents run.
+ * Detects frameworks, API routes, auth patterns, databases,
+ * cloud providers, and frontend exposure.
+ */
+
+import fs from 'fs';
+import path from 'path';
+import { BaseAgent } from './base-agent.js';
+
+export class ReconAgent extends BaseAgent {
+  constructor() {
+    super('ReconAgent', 'Attack surface discovery and mapping', 'recon');
+  }
+
+  async analyze(context) {
+    const { rootPath } = context;
+    const files = await this.discoverFiles(rootPath);
+
+    const recon = {
+      frameworks: [],
+      languages: new Set(),
+      apiRoutes: [],
+      authPatterns: [],
+      databases: [],
+      cloudProviders: [],
+      frontendExposure: [],
+      packageManagers: [],
+      cicd: [],
+      hasDockerfile: false,
+      hasTerraform: false,
+      hasKubernetes: false,
+      envFiles: [],
+      configFiles: [],
+    };
+
+    // ── Detect by config files ────────────────────────────────────────────────
+    for (const file of files) {
+      const basename = path.basename(file);
+      const relPath = path.relative(rootPath, file).replace(/\\/g, '/');
+      const ext = path.extname(file).toLowerCase();
+
+      // Languages
+      if (['.js', '.jsx', '.mjs', '.cjs'].includes(ext)) recon.languages.add('javascript');
+      if (['.ts', '.tsx'].includes(ext)) recon.languages.add('typescript');
+      if (ext === '.py') recon.languages.add('python');
+      if (ext === '.rb') recon.languages.add('ruby');
+      if (ext === '.go') recon.languages.add('go');
+      if (ext === '.java') recon.languages.add('java');
+      if (ext === '.rs') recon.languages.add('rust');
+      if (ext === '.php') recon.languages.add('php');
+
+      // Frameworks
+      if (basename === 'next.config.js' || basename === 'next.config.mjs' || basename === 'next.config.ts') {
+        recon.frameworks.push('nextjs');
+      }
+      if (basename === 'nuxt.config.ts' || basename === 'nuxt.config.js') recon.frameworks.push('nuxtjs');
+      if (basename === 'svelte.config.js') recon.frameworks.push('sveltekit');
+      if (basename === 'remix.config.js') recon.frameworks.push('remix');
+      if (basename === 'astro.config.mjs' || basename === 'astro.config.ts') recon.frameworks.push('astro');
+      if (basename === 'angular.json') recon.frameworks.push('angular');
+      if (basename === 'vite.config.ts' || basename === 'vite.config.js') recon.frameworks.push('vite');
+      if (basename === 'manage.py') recon.frameworks.push('django');
+      if (basename === 'Gemfile' && this.readFile(file)?.includes('rails')) recon.frameworks.push('rails');
+      if (basename === 'pubspec.yaml') recon.frameworks.push('flutter');
+
+      // API Routes
+      if (relPath.match(/app\/api\/.*\.(js|ts)$/) || relPath.match(/pages\/api\/.*\.(js|ts)$/)) {
+        recon.apiRoutes.push(relPath);
+      }
+      if (relPath.match(/routes?\.(js|ts)$/) || relPath.match(/router\.(js|ts)$/)) {
+        recon.apiRoutes.push(relPath);
+      }
+      if (relPath.match(/urls\.py$/)) recon.apiRoutes.push(relPath);
+      if (relPath.match(/controllers?\/.*\.(js|ts|rb)$/)) recon.apiRoutes.push(relPath);
+
+      // Auth
+      if (basename === 'auth.ts' || basename === 'auth.js' || relPath.includes('auth/')) {
+        recon.authPatterns.push(relPath);
+      }
+      if (basename === 'middleware.ts' || basename === 'middleware.js') {
+        recon.authPatterns.push(relPath);
+      }
+
+      // Databases
+      if (basename === 'schema.prisma') recon.databases.push('prisma');
+      if (basename === 'drizzle.config.ts' || basename === 'drizzle.config.js') recon.databases.push('drizzle');
+      if (relPath.includes('models/') && ['.py', '.rb'].includes(ext)) recon.databases.push('orm');
+
+      // Cloud
+      if (basename === 'vercel.json') recon.cloudProviders.push('vercel');
+      if (basename === 'netlify.toml') recon.cloudProviders.push('netlify');
+      if (basename === 'fly.toml') recon.cloudProviders.push('fly');
+      if (basename === 'app.yaml' || basename === 'app.yml') recon.cloudProviders.push('gcp');
+      if (basename === 'serverless.yml' || basename === 'serverless.yaml') recon.cloudProviders.push('aws-serverless');
+      if (basename === 'render.yaml') recon.cloudProviders.push('render');
+      if (basename === 'railway.json') recon.cloudProviders.push('railway');
+
+      // IaC
+      if (ext === '.tf') recon.hasTerraform = true;
+      if (basename === 'Dockerfile' || basename.startsWith('Dockerfile.')) recon.hasDockerfile = true;
+      if (basename.match(/\.ya?ml$/) && relPath.match(/(k8s|kubernetes|deploy|helm)/i)) {
+        recon.hasKubernetes = true;
+      }
+
+      // CI/CD
+      if (relPath.startsWith('.github/workflows/')) recon.cicd.push({ platform: 'github-actions', file: relPath });
+      if (basename === '.gitlab-ci.yml') recon.cicd.push({ platform: 'gitlab', file: relPath });
+      if (basename === 'Jenkinsfile') recon.cicd.push({ platform: 'jenkins', file: relPath });
+      if (basename === '.circleci/config.yml' || relPath.startsWith('.circleci/')) recon.cicd.push({ platform: 'circleci', file: relPath });
+      if (basename === 'bitbucket-pipelines.yml') recon.cicd.push({ platform: 'bitbucket', file: relPath });
+      if (basename === 'azure-pipelines.yml') recon.cicd.push({ platform: 'azure', file: relPath });
+
+      // Package managers
+      if (basename === 'package.json') recon.packageManagers.push('npm');
+      if (basename === 'Pipfile' || basename === 'requirements.txt' || basename === 'pyproject.toml') recon.packageManagers.push('pip');
+      if (basename === 'Gemfile') recon.packageManagers.push('bundler');
+      if (basename === 'go.mod') recon.packageManagers.push('go');
+      if (basename === 'Cargo.toml') recon.packageManagers.push('cargo');
+      if (basename === 'composer.json') recon.packageManagers.push('composer');
+
+      // Env files
+      if (basename.startsWith('.env')) recon.envFiles.push(relPath);
+
+      // Config files
+      if (['vercel.json', 'netlify.toml', 'next.config.js', 'next.config.mjs',
+           'next.config.ts', 'docker-compose.yml', 'docker-compose.yaml',
+           'nginx.conf', 'Caddyfile', 'firebase.json', 'supabase/config.toml'
+          ].includes(basename)) {
+        recon.configFiles.push(relPath);
+      }
+    }
+
+    // ── Detect frontend exposure from package.json ────────────────────────────
+    const pkgPath = path.join(rootPath, 'package.json');
+    if (fs.existsSync(pkgPath)) {
+      try {
+        const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+        const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+
+        if (allDeps['express']) recon.frameworks.push('express');
+        if (allDeps['fastify']) recon.frameworks.push('fastify');
+        if (allDeps['hono']) recon.frameworks.push('hono');
+        if (allDeps['@hono/node-server']) recon.frameworks.push('hono');
+        if (allDeps['koa']) recon.frameworks.push('koa');
+        if (allDeps['flask'] || allDeps['Flask']) recon.frameworks.push('flask');
+        if (allDeps['fastapi'] || allDeps['FastAPI']) recon.frameworks.push('fastapi');
+
+        // Auth libraries
+        if (allDeps['next-auth'] || allDeps['@auth/core']) recon.authPatterns.push('next-auth');
+        if (allDeps['@clerk/nextjs'] || allDeps['@clerk/clerk-react']) recon.authPatterns.push('clerk');
+        if (allDeps['@supabase/supabase-js']) { recon.authPatterns.push('supabase-auth'); recon.databases.push('supabase'); }
+        if (allDeps['firebase']) { recon.authPatterns.push('firebase-auth'); recon.databases.push('firebase'); }
+        if (allDeps['jsonwebtoken'] || allDeps['jose']) recon.authPatterns.push('jwt');
+        if (allDeps['passport']) recon.authPatterns.push('passport');
+
+        // Databases
+        if (allDeps['@prisma/client'] || allDeps['prisma']) recon.databases.push('prisma');
+        if (allDeps['drizzle-orm']) recon.databases.push('drizzle');
+        if (allDeps['sequelize']) recon.databases.push('sequelize');
+        if (allDeps['typeorm']) recon.databases.push('typeorm');
+        if (allDeps['mongoose'] || allDeps['mongodb']) recon.databases.push('mongodb');
+        if (allDeps['pg'] || allDeps['postgres']) recon.databases.push('postgres');
+        if (allDeps['mysql2'] || allDeps['mysql']) recon.databases.push('mysql');
+        if (allDeps['@upstash/redis']) recon.databases.push('upstash-redis');
+
+        // AI/LLM
+        if (allDeps['openai'] || allDeps['@anthropic-ai/sdk'] || allDeps['ai']) {
+          recon.frameworks.push('ai-app');
+        }
+
+        // Mobile
+        if (allDeps['react-native'] || allDeps['expo']) recon.frameworks.push('react-native');
+
+      } catch { /* skip parse errors */ }
+    }
+
+    // Deduplicate arrays
+    recon.frameworks = [...new Set(recon.frameworks)];
+    recon.languages = [...recon.languages];
+    recon.authPatterns = [...new Set(recon.authPatterns)];
+    recon.databases = [...new Set(recon.databases)];
+    recon.cloudProviders = [...new Set(recon.cloudProviders)];
+    recon.packageManagers = [...new Set(recon.packageManagers)];
+
+    // Store on context for other agents
+    if (context) context.recon = recon;
+
+    return recon;
+  }
+}
+
+export default ReconAgent;

package/cli/agents/sbom-generator.js

@@ -0,0 +1,176 @@
+/**
+ * SBOM Generator
+ * ===============
+ *
+ * Generates Software Bill of Materials in CycloneDX JSON format.
+ * Parses package.json, requirements.txt, Gemfile, go.mod, etc.
+ */
+
+import fs from 'fs';
+import path from 'path';
+
+export class SBOMGenerator {
+  /**
+   * Generate a CycloneDX 1.5 SBOM from the project.
+   *
+   * @param {string} rootPath — Project root directory
+   * @returns {object} — CycloneDX JSON object
+   */
+  generate(rootPath) {
+    const components = [];
+
+    // ── npm/yarn/pnpm ─────────────────────────────────────────────────────────
+    const pkgPath = path.join(rootPath, 'package.json');
+    if (fs.existsSync(pkgPath)) {
+      try {
+        const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+        const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+
+        for (const [name, version] of Object.entries(allDeps)) {
+          components.push({
+            type: 'library',
+            name,
+            version: version.replace(/^[\^~>=<]/, ''),
+            purl: `pkg:npm/${name.replace('/', '%2F')}@${version.replace(/^[\^~>=<]/, '')}`,
+            scope: pkg.dependencies?.[name] ? 'required' : 'optional',
+          });
+        }
+      } catch { /* skip */ }
+    }
+
+    // ── Python requirements.txt ───────────────────────────────────────────────
+    const reqPath = path.join(rootPath, 'requirements.txt');
+    if (fs.existsSync(reqPath)) {
+      try {
+        const lines = fs.readFileSync(reqPath, 'utf-8').split('\n');
+        for (const line of lines) {
+          const trimmed = line.trim();
+          if (!trimmed || trimmed.startsWith('#')) continue;
+          const match = trimmed.match(/^([a-zA-Z0-9_-]+)(?:==|>=|~=)?(.+)?$/);
+          if (match) {
+            components.push({
+              type: 'library',
+              name: match[1],
+              version: match[2] || 'unspecified',
+              purl: `pkg:pypi/${match[1]}@${match[2] || 'latest'}`,
+              scope: 'required',
+            });
+          }
+        }
+      } catch { /* skip */ }
+    }
+
+    // ── Go modules ────────────────────────────────────────────────────────────
+    const goModPath = path.join(rootPath, 'go.mod');
+    if (fs.existsSync(goModPath)) {
+      try {
+        const content = fs.readFileSync(goModPath, 'utf-8');
+        const requireBlock = content.match(/require\s*\(([\s\S]*?)\)/);
+        if (requireBlock) {
+          const lines = requireBlock[1].split('\n');
+          for (const line of lines) {
+            const match = line.trim().match(/^(\S+)\s+v?(\S+)/);
+            if (match) {
+              components.push({
+                type: 'library',
+                name: match[1],
+                version: match[2],
+                purl: `pkg:golang/${match[1]}@${match[2]}`,
+                scope: 'required',
+              });
+            }
+          }
+        }
+      } catch { /* skip */ }
+    }
+
+    // ── Rust Cargo.toml ───────────────────────────────────────────────────────
+    const cargoPath = path.join(rootPath, 'Cargo.toml');
+    if (fs.existsSync(cargoPath)) {
+      try {
+        const content = fs.readFileSync(cargoPath, 'utf-8');
+        const depsSection = content.match(/\[dependencies\]([\s\S]*?)(?:\[|$)/);
+        if (depsSection) {
+          const lines = depsSection[1].split('\n');
+          for (const line of lines) {
+            const match = line.trim().match(/^([a-zA-Z0-9_-]+)\s*=\s*"([^"]+)"/);
+            if (match) {
+              components.push({
+                type: 'library',
+                name: match[1],
+                version: match[2],
+                purl: `pkg:cargo/${match[1]}@${match[2]}`,
+                scope: 'required',
+              });
+            }
+          }
+        }
+      } catch { /* skip */ }
+    }
+
+    // ── Build CycloneDX BOM ───────────────────────────────────────────────────
+    const bom = {
+      bomFormat: 'CycloneDX',
+      specVersion: '1.5',
+      serialNumber: `urn:uuid:${this.uuid()}`,
+      version: 1,
+      metadata: {
+        timestamp: new Date().toISOString(),
+        tools: [{
+          vendor: 'ship-safe',
+          name: 'ship-safe',
+          version: '4.0.0',
+        }],
+        component: this.getProjectMetadata(rootPath),
+      },
+      components: components.map((c, i) => ({
+        'bom-ref': `component-${i}`,
+        type: c.type,
+        name: c.name,
+        version: c.version,
+        purl: c.purl,
+        scope: c.scope,
+      })),
+    };
+
+    return bom;
+  }
+
+  /**
+   * Generate SBOM and write to file.
+   */
+  generateToFile(rootPath, outputPath, format = 'cyclonedx') {
+    const bom = this.generate(rootPath);
+    const output = JSON.stringify(bom, null, 2);
+    fs.writeFileSync(outputPath, output);
+    return outputPath;
+  }
+
+  getProjectMetadata(rootPath) {
+    const pkgPath = path.join(rootPath, 'package.json');
+    try {
+      if (fs.existsSync(pkgPath)) {
+        const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+        return {
+          type: 'application',
+          name: pkg.name || path.basename(rootPath),
+          version: pkg.version || '0.0.0',
+        };
+      }
+    } catch { /* skip */ }
+    return {
+      type: 'application',
+      name: path.basename(rootPath),
+      version: '0.0.0',
+    };
+  }
+
+  uuid() {
+    return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, c => {
+      const r = Math.random() * 16 | 0;
+      return (c === 'x' ? r : (r & 0x3 | 0x8)).toString(16);
+    });
+  }
+}
+
+export default SBOMGenerator;

package/cli/agents/scoring-engine.js

@@ -0,0 +1,207 @@
+/**
+ * Enhanced Scoring Engine
+ * ========================
+ *
+ * Risk-based scoring with 8 categories, EPSS integration,
+ * KEV flagging, and historical trend tracking.
+ *
+ * Score = 100 - sum(category deductions)
+ * Each category has a weight and max deduction cap.
+ */
+
+import fs from 'fs';
+import path from 'path';
+
+// =============================================================================
+// SCORING CONFIGURATION
+// =============================================================================
+
+const CATEGORIES = {
+  secrets:       { weight: 15, label: 'Secrets',                deductions: { critical: 25, high: 15, medium: 5 } },
+  injection:     { weight: 15, label: 'Code Vulnerabilities',   deductions: { critical: 20, high: 10, medium: 3 } },
+  deps:          { weight: 15, label: 'Dependencies',           deductions: { critical: 20, high: 10, medium: 5, moderate: 5 } },
+  auth:          { weight: 15, label: 'Auth & Access Control',  deductions: { critical: 20, high: 10, medium: 3 } },
+  config:        { weight: 10, label: 'Configuration',          deductions: { critical: 15, high: 8,  medium: 3 } },
+  'supply-chain':{ weight: 10, label: 'Supply Chain',           deductions: { critical: 15, high: 8,  medium: 3 } },
+  api:           { weight: 10, label: 'API Security',           deductions: { critical: 15, high: 8,  medium: 3 } },
+  llm:           { weight: 10, label: 'AI/LLM Security',       deductions: { critical: 15, high: 8,  medium: 3 } },
+};
+
+// Fallback categories for findings that don't match a known category
+const FALLBACK_CATEGORY_MAP = {
+  'secret': 'secrets',
+  'vulnerability': 'injection',
+  'ssrf': 'injection',
+  'history': 'secrets',
+  'cicd': 'config',
+  'mobile': 'injection',
+  'recon': null, // skip recon findings
+};
+
+const GRADES = [
+  { min: 90, letter: 'A', label: 'Ship it!',                    color: 'green' },
+  { min: 75, letter: 'B', label: 'Minor issues to review',       color: 'cyan' },
+  { min: 60, letter: 'C', label: 'Fix before shipping',          color: 'yellow' },
+  { min: 40, letter: 'D', label: 'Significant security risks',   color: 'red' },
+  { min: 0,  letter: 'F', label: 'Not safe to ship',             color: 'red' },
+];
+
+// =============================================================================
+// SCORING ENGINE
+// =============================================================================
+
+export class ScoringEngine {
+  /**
+   * Compute the security score from agent findings + dependency vulnerabilities.
+   *
+   * @param {object[]} findings   — Array of finding objects from agents
+   * @param {object[]} depVulns   — Array of dependency CVE objects
+   * @returns {object}            — { score, grade, categories, breakdown }
+   */
+  compute(findings = [], depVulns = []) {
+    const categoryResults = {};
+
+    // Initialize all categories
+    for (const [key, config] of Object.entries(CATEGORIES)) {
+      categoryResults[key] = {
+        label: config.label,
+        weight: config.weight,
+        counts: { critical: 0, high: 0, medium: 0, low: 0 },
+        deduction: 0,
+        maxDeduction: config.weight, // Cap at category weight
+        findings: [],
+      };
+    }
+
+    // ── Classify findings into categories ─────────────────────────────────────
+    for (const finding of findings) {
+      const cat = this.resolveCategory(finding.category);
+      if (!cat || !categoryResults[cat]) continue;
+
+      const sev = finding.severity || 'medium';
+      categoryResults[cat].counts[sev] = (categoryResults[cat].counts[sev] || 0) + 1;
+      categoryResults[cat].findings.push(finding);
+    }
+
+    // ── Add dependency vulnerabilities ────────────────────────────────────────
+    for (const vuln of depVulns) {
+      const sev = vuln.severity || 'medium';
+      categoryResults.deps.counts[sev] = (categoryResults.deps.counts[sev] || 0) + 1;
+    }
+
+    // ── Compute deductions per category ───────────────────────────────────────
+    for (const [key, config] of Object.entries(CATEGORIES)) {
+      const result = categoryResults[key];
+      let deduction = 0;
+
+      for (const [sev, pts] of Object.entries(config.deductions)) {
+        deduction += (result.counts[sev] || 0) * pts;
+      }
+
+      result.deduction = Math.min(deduction, result.maxDeduction);
+    }
+
+    // ── Compute total score ───────────────────────────────────────────────────
+    const totalDeduction = Object.values(categoryResults).reduce(
+      (sum, r) => sum + r.deduction, 0
+    );
+    const score = Math.max(0, 100 - totalDeduction);
+    const grade = GRADES.find(g => score >= g.min);
+
+    return {
+      score,
+      grade,
+      categories: categoryResults,
+      totalFindings: findings.length,
+      totalDepVulns: depVulns.length,
+    };
+  }
+
+  /**
+   * Map a finding category to a scoring category.
+   */
+  resolveCategory(findingCategory) {
+    if (CATEGORIES[findingCategory]) return findingCategory;
+    if (FALLBACK_CATEGORY_MAP[findingCategory] !== undefined) {
+      return FALLBACK_CATEGORY_MAP[findingCategory];
+    }
+    return 'injection'; // default fallback
+  }
+
+  /**
+   * Save score to history file for trend tracking.
+   */
+  saveToHistory(rootPath, scoreResult) {
+    const historyDir = path.join(rootPath, '.ship-safe');
+    const historyFile = path.join(historyDir, 'history.json');
+
+    try {
+      if (!fs.existsSync(historyDir)) {
+        fs.mkdirSync(historyDir, { recursive: true });
+      }
+
+      let history = [];
+      if (fs.existsSync(historyFile)) {
+        try {
+          history = JSON.parse(fs.readFileSync(historyFile, 'utf-8'));
+        } catch { history = []; }
+      }
+
+      history.push({
+        timestamp: new Date().toISOString(),
+        score: scoreResult.score,
+        grade: scoreResult.grade.letter,
+        totalFindings: scoreResult.totalFindings,
+        totalDepVulns: scoreResult.totalDepVulns,
+        categoryScores: Object.fromEntries(
+          Object.entries(scoreResult.categories).map(([k, v]) => [k, {
+            deduction: v.deduction,
+            counts: v.counts,
+          }])
+        ),
+      });
+
+      // Keep last 100 entries
+      if (history.length > 100) history = history.slice(-100);
+
+      fs.writeFileSync(historyFile, JSON.stringify(history, null, 2));
+    } catch {
+      // Don't fail if history save fails
+    }
+  }
+
+  /**
+   * Load score history for trend display.
+   */
+  loadHistory(rootPath) {
+    const historyFile = path.join(rootPath, '.ship-safe', 'history.json');
+    try {
+      if (fs.existsSync(historyFile)) {
+        return JSON.parse(fs.readFileSync(historyFile, 'utf-8'));
+      }
+    } catch { /* ignore */ }
+    return [];
+  }
+
+  /**
+   * Get trend summary comparing current to last scan.
+   */
+  getTrend(rootPath, currentScore) {
+    const history = this.loadHistory(rootPath);
+    if (history.length < 2) return null;
+
+    const previous = history[history.length - 2];
+    const diff = currentScore - previous.score;
+
+    return {
+      previousScore: previous.score,
+      currentScore,
+      diff,
+      direction: diff > 0 ? 'improved' : diff < 0 ? 'regressed' : 'unchanged',
+      previousDate: previous.timestamp,
+    };
+  }
+}
+
+export { GRADES, CATEGORIES };
+export default ScoringEngine;