ship-safe 4.0.0 → 4.2.0

package/cli/utils/cache-manager.js

@@ -0,0 +1,311 @@
+/**
+ * Cache Manager
+ * =============
+ *
+ * Provides incremental scanning by caching file hashes and findings.
+ * On subsequent runs, only changed files are re-scanned.
+ *
+ * Cache location: .ship-safe/context.json
+ *
+ * USAGE:
+ *   import { CacheManager } from './cache-manager.js';
+ *   const cache = new CacheManager(rootPath);
+ *   const { changedFiles, cachedFindings } = await cache.getChangedFiles(currentFiles);
+ *   // ... scan only changedFiles ...
+ *   cache.save(allFiles, allFindings, recon, scoreResult);
+ */
+
+import fs from 'fs';
+import path from 'path';
+import crypto from 'crypto';
+import { readFileSync } from 'fs';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+
+// Read version from package.json
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const PACKAGE_VERSION = JSON.parse(readFileSync(join(__dirname, '../../package.json'), 'utf8')).version;
+
+// Cache TTL: 24 hours
+const CACHE_TTL_MS = 24 * 60 * 60 * 1000;
+
+export class CacheManager {
+  /**
+   * @param {string} rootPath — Absolute path to project root
+   */
+  constructor(rootPath) {
+    this.rootPath = rootPath;
+    this.cacheDir = path.join(rootPath, '.ship-safe');
+    this.cachePath = path.join(this.cacheDir, 'context.json');
+    this.cache = null;
+  }
+
+  /**
+   * Load the cache from disk. Returns null if cache is missing, expired, or invalid.
+   */
+  load() {
+    try {
+      if (!fs.existsSync(this.cachePath)) return null;
+
+      const raw = fs.readFileSync(this.cachePath, 'utf-8');
+      const cache = JSON.parse(raw);
+
+      // Version mismatch — patterns may have changed
+      if (cache.version !== PACKAGE_VERSION) return null;
+
+      // TTL expired
+      const age = Date.now() - new Date(cache.generatedAt).getTime();
+      if (age > CACHE_TTL_MS) return null;
+
+      this.cache = cache;
+      return cache;
+    } catch {
+      return null;
+    }
+  }
+
+  /**
+   * Compute SHA-256 hash of a file's contents.
+   */
+  hashFile(filePath) {
+    try {
+      const content = fs.readFileSync(filePath);
+      return crypto.createHash('sha256').update(content).digest('hex');
+    } catch {
+      return null;
+    }
+  }
+
+  /**
+   * Compare current files against cached file index to find what changed.
+   *
+   * @param {string[]} currentFiles — Array of absolute file paths
+   * @returns {{ changedFiles: string[], cachedFindings: object[], unchangedCount: number, newCount: number, modifiedCount: number, deletedCount: number }}
+   */
+  diff(currentFiles) {
+    if (!this.cache || !this.cache.fileIndex) {
+      return {
+        changedFiles: currentFiles,
+        cachedFindings: [],
+        unchangedCount: 0,
+        newCount: currentFiles.length,
+        modifiedCount: 0,
+        deletedCount: 0,
+      };
+    }
+
+    const cachedIndex = this.cache.fileIndex;
+    const cachedFindings = this.cache.lastFindings || {};
+    const changedFiles = [];
+    const reusedFindings = [];
+    let unchangedCount = 0;
+    let newCount = 0;
+    let modifiedCount = 0;
+
+    const currentSet = new Set(currentFiles);
+
+    for (const file of currentFiles) {
+      const relPath = path.relative(this.rootPath, file).replace(/\\/g, '/');
+      const cached = cachedIndex[relPath];
+
+      if (!cached) {
+        // New file — needs scanning
+        changedFiles.push(file);
+        newCount++;
+        continue;
+      }
+
+      // Quick size check before expensive hash
+      try {
+        const stats = fs.statSync(file);
+        if (stats.size !== cached.size) {
+          changedFiles.push(file);
+          modifiedCount++;
+          continue;
+        }
+      } catch {
+        changedFiles.push(file);
+        modifiedCount++;
+        continue;
+      }
+
+      // Hash check
+      const currentHash = this.hashFile(file);
+      if (currentHash !== cached.hash) {
+        changedFiles.push(file);
+        modifiedCount++;
+        continue;
+      }
+
+      // File unchanged — reuse cached findings
+      unchangedCount++;
+      if (cachedFindings[relPath]) {
+        // Restore absolute paths for cached findings
+        for (const finding of cachedFindings[relPath]) {
+          reusedFindings.push({ ...finding, file });
+        }
+      }
+    }
+
+    // Count deleted files (in cache but not in current)
+    const currentRelPaths = new Set(
+      currentFiles.map(f => path.relative(this.rootPath, f).replace(/\\/g, '/'))
+    );
+    const deletedCount = Object.keys(cachedIndex).filter(p => !currentRelPaths.has(p)).length;
+
+    return {
+      changedFiles,
+      cachedFindings: reusedFindings,
+      unchangedCount,
+      newCount,
+      modifiedCount,
+      deletedCount,
+    };
+  }
+
+  /**
+   * Save the cache to disk.
+   *
+   * @param {string[]} allFiles — All scanned file paths
+   * @param {object[]} allFindings — All findings from the scan
+   * @param {object} recon — ReconAgent output
+   * @param {object} [scoreResult] — Optional score result
+   */
+  save(allFiles, allFindings, recon, scoreResult) {
+    try {
+      // Ensure .ship-safe directory exists
+      if (!fs.existsSync(this.cacheDir)) {
+        fs.mkdirSync(this.cacheDir, { recursive: true });
+      }
+
+      // Build file index with hashes
+      const fileIndex = {};
+      for (const file of allFiles) {
+        const relPath = path.relative(this.rootPath, file).replace(/\\/g, '/');
+        const hash = this.hashFile(file);
+        if (hash) {
+          try {
+            const stats = fs.statSync(file);
+            fileIndex[relPath] = {
+              hash,
+              size: stats.size,
+              lastScanned: new Date().toISOString(),
+            };
+          } catch {
+            // Skip files we can't stat
+          }
+        }
+      }
+
+      // Group findings by file (relative paths)
+      const lastFindings = {};
+      for (const f of allFindings) {
+        const relPath = path.relative(this.rootPath, f.file).replace(/\\/g, '/');
+        if (!lastFindings[relPath]) lastFindings[relPath] = [];
+        // Store a lightweight copy (no absolute paths)
+        lastFindings[relPath].push({
+          line: f.line,
+          column: f.column,
+          severity: f.severity,
+          category: f.category,
+          rule: f.rule,
+          title: f.title,
+          description: f.description,
+          matched: f.matched,
+          confidence: f.confidence,
+          cwe: f.cwe,
+          owasp: f.owasp,
+          fix: f.fix,
+        });
+      }
+
+      const cache = {
+        version: PACKAGE_VERSION,
+        generatedAt: new Date().toISOString(),
+        rootPath: this.rootPath,
+        recon: recon || null,
+        fileIndex,
+        lastFindings,
+        stats: {
+          totalFiles: allFiles.length,
+          totalFindings: allFindings.length,
+          lastScore: scoreResult?.score ?? null,
+          lastGrade: scoreResult?.grade?.letter ?? null,
+        },
+      };
+
+      fs.writeFileSync(this.cachePath, JSON.stringify(cache, null, 2));
+    } catch {
+      // Silent failure — caching should never break a scan
+    }
+  }
+
+  /**
+   * Delete the cache file.
+   */
+  invalidate() {
+    try {
+      if (fs.existsSync(this.cachePath)) {
+        fs.unlinkSync(this.cachePath);
+      }
+    } catch {
+      // Silent
+    }
+  }
+
+  // ===========================================================================
+  // LLM CLASSIFICATION CACHE
+  // ===========================================================================
+
+  get llmCachePath() {
+    return path.join(this.cacheDir, 'llm-cache.json');
+  }
+
+  /**
+   * Generate a cache key for an LLM classification.
+   */
+  getLLMCacheKey(finding) {
+    const data = `${finding.file}:${finding.line}:${finding.rule}:${finding.matched || ''}`;
+    return crypto.createHash('sha256').update(data).digest('hex').slice(0, 16);
+  }
+
+  /**
+   * Load cached LLM classifications. Returns {} if none or expired.
+   */
+  loadLLMClassifications() {
+    const LLM_CACHE_TTL = 7 * 24 * 60 * 60 * 1000; // 7 days
+    try {
+      if (!fs.existsSync(this.llmCachePath)) return {};
+      const raw = JSON.parse(fs.readFileSync(this.llmCachePath, 'utf-8'));
+      const now = Date.now();
+      const valid = {};
+      for (const [key, entry] of Object.entries(raw)) {
+        if (now - new Date(entry.cachedAt).getTime() < LLM_CACHE_TTL) {
+          valid[key] = entry;
+        }
+      }
+      return valid;
+    } catch {
+      return {};
+    }
+  }
+
+  /**
+   * Save LLM classifications to cache.
+   */
+  saveLLMClassifications(classifications) {
+    try {
+      if (!fs.existsSync(this.cacheDir)) {
+        fs.mkdirSync(this.cacheDir, { recursive: true });
+      }
+      const existing = this.loadLLMClassifications();
+      const merged = { ...existing, ...classifications };
+      fs.writeFileSync(this.llmCachePath, JSON.stringify(merged, null, 2));
+    } catch {
+      // Silent
+    }
+  }
+}
+
+export default CacheManager;

package/cli/utils/patterns.js

@@ -1,3 +1,6 @@
+import fs from 'fs';
+import path from 'path';
+
 /**
  * Secret Detection Patterns
  * =========================
@@ -783,6 +786,7 @@ export const SKIP_DIRS = new Set([
   '.expo',
   '.docusaurus',
   '.storybook',
+  '.ship-safe',
 ]);
 
 export const SKIP_EXTENSIONS = new Set([
@@ -809,6 +813,97 @@ export const SKIP_EXTENSIONS = new Set([
 // Maximum file size to scan (1MB)
 export const MAX_FILE_SIZE = 1_000_000;
 
+// =============================================================================
+// .GITIGNORE LOADING
+// =============================================================================
+
+// Gitignore patterns that should NEVER be skipped by a security scanner.
+// These files are gitignored precisely because they contain secrets or
+// sensitive config — which is exactly what we want to detect.
+const SECURITY_SENSITIVE_PATTERNS = new Set([
+  '.env',
+  '.env.local',
+  '.env.development',
+  '.env.development.local',
+  '.env.test',
+  '.env.test.local',
+  '.env.production',
+  '.env.production.local',
+  '.env.staging',
+  '*.pem',
+  '*.key',
+  '*.p12',
+  '*.pfx',
+  '*.jks',
+  '*.keystore',
+  '*.crt',
+  '*.cer',
+  'credentials.json',
+  'service-account.json',
+  'serviceAccountKey.json',
+  '*.secret',
+  'htpasswd',
+  '.htpasswd',
+  'id_rsa',
+  'id_ed25519',
+  '*.sqlite',
+  '*.db',
+]);
+
+/**
+ * Load patterns from .gitignore file in the project root.
+ * Returns an array of glob-compatible ignore patterns.
+ *
+ * Smart filtering: skips gitignored build output, caches, and vendor dirs,
+ * but ALWAYS scans security-sensitive files (.env, *.key, *.pem, etc.)
+ * even if they appear in .gitignore.
+ */
+export function loadGitignorePatterns(rootPath) {
+  const gitignorePath = path.join(rootPath, '.gitignore');
+  try {
+    if (!fs.existsSync(gitignorePath)) return [];
+    return fs.readFileSync(gitignorePath, 'utf-8')
+      .split('\n')
+      .map(l => l.trim())
+      .filter(l => l && !l.startsWith('#') && !l.startsWith('!'))
+      .filter(p => !isSecuritySensitive(p))
+      .map(p => {
+        // Convert .gitignore patterns to fast-glob ignore patterns
+        if (p.startsWith('/')) {
+          // Rooted pattern: /build → build/**
+          return p.slice(1) + (p.endsWith('/') ? '**' : '');
+        }
+        if (p.endsWith('/')) {
+          // Directory pattern: logs/ → **/logs/**
+          return `**/${p}**`;
+        }
+        // General pattern: *.log → **/*.log, dist → **/dist, **/dist/**
+        if (!p.includes('/') && !p.includes('*')) {
+          return [`**/${p}`, `**/${p}/**`];
+        }
+        return `**/${p}`;
+      })
+      .flat();
+  } catch {
+    return [];
+  }
+}
+
+/**
+ * Check if a .gitignore pattern targets security-sensitive files.
+ * These should always be scanned regardless of .gitignore.
+ */
+function isSecuritySensitive(pattern) {
+  const cleaned = pattern.replace(/^\//, '').replace(/\/$/, '');
+  if (SECURITY_SENSITIVE_PATTERNS.has(cleaned)) return true;
+  // Check wildcard patterns like *.pem, *.key
+  for (const sensitive of SECURITY_SENSITIVE_PATTERNS) {
+    if (sensitive.startsWith('*') && cleaned.endsWith(sensitive.slice(1))) return true;
+    if (cleaned === sensitive || cleaned.endsWith('/' + sensitive)) return true;
+  }
+  return false;
+}
+
 // =============================================================================
 // SECURITY VULNERABILITY PATTERNS
 // =============================================================================

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ship-safe",
-  "version": "4.0.0",
+  "version": "4.2.0",
   "description": "AI-powered multi-agent security platform. 12 agents scan 50+ attack classes. Red team your code before attackers do.",
   "main": "cli/index.js",
   "bin": {
@@ -8,7 +8,7 @@
   },
   "type": "module",
   "scripts": {
-    "test": "node --test",
+    "test": "node --test cli/__tests__/*.test.js",
     "lint": "eslint cli/",
     "ship-safe": "node cli/bin/ship-safe.js"
   },