ship-safe 4.1.0 → 4.3.0

package/cli/agents/scoring-engine.js

@@ -1,207 +1,225 @@
-/**
- * Enhanced Scoring Engine
- * ========================
- *
- * Risk-based scoring with 8 categories, EPSS integration,
- * KEV flagging, and historical trend tracking.
- *
- * Score = 100 - sum(category deductions)
- * Each category has a weight and max deduction cap.
- */
-
-import fs from 'fs';
-import path from 'path';
-
-// =============================================================================
-// SCORING CONFIGURATION
-// =============================================================================
-
-const CATEGORIES = {
-  secrets:       { weight: 15, label: 'Secrets',                deductions: { critical: 25, high: 15, medium: 5 } },
-  injection:     { weight: 15, label: 'Code Vulnerabilities',   deductions: { critical: 20, high: 10, medium: 3 } },
-  deps:          { weight: 15, label: 'Dependencies',           deductions: { critical: 20, high: 10, medium: 5, moderate: 5 } },
-  auth:          { weight: 15, label: 'Auth & Access Control',  deductions: { critical: 20, high: 10, medium: 3 } },
-  config:        { weight: 10, label: 'Configuration',          deductions: { critical: 15, high: 8,  medium: 3 } },
-  'supply-chain':{ weight: 10, label: 'Supply Chain',           deductions: { critical: 15, high: 8,  medium: 3 } },
-  api:           { weight: 10, label: 'API Security',           deductions: { critical: 15, high: 8,  medium: 3 } },
-  llm:           { weight: 10, label: 'AI/LLM Security',       deductions: { critical: 15, high: 8,  medium: 3 } },
-};
-
-// Fallback categories for findings that don't match a known category
-const FALLBACK_CATEGORY_MAP = {
-  'secret': 'secrets',
-  'vulnerability': 'injection',
-  'ssrf': 'injection',
-  'history': 'secrets',
-  'cicd': 'config',
-  'mobile': 'injection',
-  'recon': null, // skip recon findings
-};
-
-const GRADES = [
-  { min: 90, letter: 'A', label: 'Ship it!',                    color: 'green' },
-  { min: 75, letter: 'B', label: 'Minor issues to review',       color: 'cyan' },
-  { min: 60, letter: 'C', label: 'Fix before shipping',          color: 'yellow' },
-  { min: 40, letter: 'D', label: 'Significant security risks',   color: 'red' },
-  { min: 0,  letter: 'F', label: 'Not safe to ship',             color: 'red' },
-];
-
-// =============================================================================
-// SCORING ENGINE
-// =============================================================================
-
-export class ScoringEngine {
-  /**
-   * Compute the security score from agent findings + dependency vulnerabilities.
-   *
-   * @param {object[]} findings   — Array of finding objects from agents
-   * @param {object[]} depVulns   — Array of dependency CVE objects
-   * @returns {object}            — { score, grade, categories, breakdown }
-   */
-  compute(findings = [], depVulns = []) {
-    const categoryResults = {};
-
-    // Initialize all categories
-    for (const [key, config] of Object.entries(CATEGORIES)) {
-      categoryResults[key] = {
-        label: config.label,
-        weight: config.weight,
-        counts: { critical: 0, high: 0, medium: 0, low: 0 },
-        deduction: 0,
-        maxDeduction: config.weight, // Cap at category weight
-        findings: [],
-      };
-    }
-
-    // ── Classify findings into categories ─────────────────────────────────────
-    for (const finding of findings) {
-      const cat = this.resolveCategory(finding.category);
-      if (!cat || !categoryResults[cat]) continue;
-
-      const sev = finding.severity || 'medium';
-      categoryResults[cat].counts[sev] = (categoryResults[cat].counts[sev] || 0) + 1;
-      categoryResults[cat].findings.push(finding);
-    }
-
-    // ── Add dependency vulnerabilities ────────────────────────────────────────
-    for (const vuln of depVulns) {
-      const sev = vuln.severity || 'medium';
-      categoryResults.deps.counts[sev] = (categoryResults.deps.counts[sev] || 0) + 1;
-    }
-
-    // ── Compute deductions per category ───────────────────────────────────────
-    for (const [key, config] of Object.entries(CATEGORIES)) {
-      const result = categoryResults[key];
-      let deduction = 0;
-
-      for (const [sev, pts] of Object.entries(config.deductions)) {
-        deduction += (result.counts[sev] || 0) * pts;
-      }
-
-      result.deduction = Math.min(deduction, result.maxDeduction);
-    }
-
-    // ── Compute total score ───────────────────────────────────────────────────
-    const totalDeduction = Object.values(categoryResults).reduce(
-      (sum, r) => sum + r.deduction, 0
-    );
-    const score = Math.max(0, 100 - totalDeduction);
-    const grade = GRADES.find(g => score >= g.min);
-
-    return {
-      score,
-      grade,
-      categories: categoryResults,
-      totalFindings: findings.length,
-      totalDepVulns: depVulns.length,
-    };
-  }
-
-  /**
-   * Map a finding category to a scoring category.
-   */
-  resolveCategory(findingCategory) {
-    if (CATEGORIES[findingCategory]) return findingCategory;
-    if (FALLBACK_CATEGORY_MAP[findingCategory] !== undefined) {
-      return FALLBACK_CATEGORY_MAP[findingCategory];
-    }
-    return 'injection'; // default fallback
-  }
-
-  /**
-   * Save score to history file for trend tracking.
-   */
-  saveToHistory(rootPath, scoreResult) {
-    const historyDir = path.join(rootPath, '.ship-safe');
-    const historyFile = path.join(historyDir, 'history.json');
-
-    try {
-      if (!fs.existsSync(historyDir)) {
-        fs.mkdirSync(historyDir, { recursive: true });
-      }
-
-      let history = [];
-      if (fs.existsSync(historyFile)) {
-        try {
-          history = JSON.parse(fs.readFileSync(historyFile, 'utf-8'));
-        } catch { history = []; }
-      }
-
-      history.push({
-        timestamp: new Date().toISOString(),
-        score: scoreResult.score,
-        grade: scoreResult.grade.letter,
-        totalFindings: scoreResult.totalFindings,
-        totalDepVulns: scoreResult.totalDepVulns,
-        categoryScores: Object.fromEntries(
-          Object.entries(scoreResult.categories).map(([k, v]) => [k, {
-            deduction: v.deduction,
-            counts: v.counts,
-          }])
-        ),
-      });
-
-      // Keep last 100 entries
-      if (history.length > 100) history = history.slice(-100);
-
-      fs.writeFileSync(historyFile, JSON.stringify(history, null, 2));
-    } catch {
-      // Don't fail if history save fails
-    }
-  }
-
-  /**
-   * Load score history for trend display.
-   */
-  loadHistory(rootPath) {
-    const historyFile = path.join(rootPath, '.ship-safe', 'history.json');
-    try {
-      if (fs.existsSync(historyFile)) {
-        return JSON.parse(fs.readFileSync(historyFile, 'utf-8'));
-      }
-    } catch { /* ignore */ }
-    return [];
-  }
-
-  /**
-   * Get trend summary comparing current to last scan.
-   */
-  getTrend(rootPath, currentScore) {
-    const history = this.loadHistory(rootPath);
-    if (history.length < 2) return null;
-
-    const previous = history[history.length - 2];
-    const diff = currentScore - previous.score;
-
-    return {
-      previousScore: previous.score,
-      currentScore,
-      diff,
-      direction: diff > 0 ? 'improved' : diff < 0 ? 'regressed' : 'unchanged',
-      previousDate: previous.timestamp,
-    };
-  }
-}
-
-export { GRADES, CATEGORIES };
-export default ScoringEngine;
+/**
+ * Enhanced Scoring Engine
+ * ========================
+ *
+ * Risk-based scoring with 8 categories, EPSS integration,
+ * KEV flagging, and historical trend tracking.
+ *
+ * Score = 100 - sum(category deductions)
+ * Each category has a weight and max deduction cap.
+ */
+
+import fs from 'fs';
+import path from 'path';
+
+// =============================================================================
+// SCORING CONFIGURATION
+// =============================================================================
+
+const CATEGORIES = {
+  secrets:       { weight: 15, label: 'Secrets',                deductions: { critical: 25, high: 15, medium: 5 } },
+  injection:     { weight: 15, label: 'Code Vulnerabilities',   deductions: { critical: 20, high: 10, medium: 3 } },
+  deps:          { weight: 15, label: 'Dependencies',           deductions: { critical: 20, high: 10, medium: 5, moderate: 5 } },
+  auth:          { weight: 15, label: 'Auth & Access Control',  deductions: { critical: 20, high: 10, medium: 3 } },
+  config:        { weight: 10, label: 'Configuration',          deductions: { critical: 15, high: 8,  medium: 3 } },
+  'supply-chain':{ weight: 10, label: 'Supply Chain',           deductions: { critical: 15, high: 8,  medium: 3 } },
+  api:           { weight: 10, label: 'API Security',           deductions: { critical: 15, high: 8,  medium: 3 } },
+  llm:           { weight: 10, label: 'AI/LLM Security',       deductions: { critical: 15, high: 8,  medium: 3 } },
+};
+
+// Fallback categories for findings that don't match a known category
+const FALLBACK_CATEGORY_MAP = {
+  'secret': 'secrets',
+  'vulnerability': 'injection',
+  'ssrf': 'injection',
+  'history': 'secrets',
+  'cicd': 'config',
+  'mobile': 'injection',
+  'recon': null, // skip recon findings
+};
+
+const GRADES = [
+  { min: 90, letter: 'A', label: 'Ship it!',                    color: 'green' },
+  { min: 75, letter: 'B', label: 'Minor issues to review',       color: 'cyan' },
+  { min: 60, letter: 'C', label: 'Fix before shipping',          color: 'yellow' },
+  { min: 40, letter: 'D', label: 'Significant security risks',   color: 'red' },
+  { min: 0,  letter: 'F', label: 'Not safe to ship',             color: 'red' },
+];
+
+// =============================================================================
+// SCORING ENGINE
+// =============================================================================
+
+export class ScoringEngine {
+  /**
+   * Compute the security score from agent findings + dependency vulnerabilities.
+   *
+   * @param {object[]} findings   — Array of finding objects from agents
+   * @param {object[]} depVulns   — Array of dependency CVE objects
+   * @returns {object}            — { score, grade, categories, breakdown }
+   */
+  compute(findings = [], depVulns = []) {
+    const categoryResults = {};
+
+    // Initialize all categories
+    for (const [key, config] of Object.entries(CATEGORIES)) {
+      categoryResults[key] = {
+        label: config.label,
+        weight: config.weight,
+        counts: { critical: 0, high: 0, medium: 0, low: 0 },
+        deduction: 0,
+        maxDeduction: config.weight, // Cap at category weight
+        findings: [],
+      };
+    }
+
+    // ── Classify findings into categories ─────────────────────────────────────
+    for (const finding of findings) {
+      const cat = this.resolveCategory(finding.category);
+      if (!cat || !categoryResults[cat]) continue;
+
+      const sev = finding.severity || 'medium';
+      categoryResults[cat].counts[sev] = (categoryResults[cat].counts[sev] || 0) + 1;
+      categoryResults[cat].findings.push(finding);
+    }
+
+    // ── Add dependency vulnerabilities ────────────────────────────────────────
+    for (const vuln of depVulns) {
+      const sev = vuln.severity || 'medium';
+      categoryResults.deps.counts[sev] = (categoryResults.deps.counts[sev] || 0) + 1;
+    }
+
+    // ── Compute deductions per category (confidence-weighted) ─────────────────
+    const CONFIDENCE_MULTIPLIER = { high: 1.0, medium: 0.6, low: 0.3 };
+
+    for (const [key, config] of Object.entries(CATEGORIES)) {
+      const result = categoryResults[key];
+      let deduction = 0;
+
+      // Count-based deductions for deps (no per-finding confidence)
+      for (const [sev, pts] of Object.entries(config.deductions)) {
+        if (key === 'deps') {
+          deduction += (result.counts[sev] || 0) * pts;
+        }
+      }
+
+      // Per-finding confidence-weighted deductions for agent findings
+      if (key !== 'deps') {
+        for (const finding of result.findings) {
+          const sev = finding.severity || 'medium';
+          const pts = config.deductions[sev] || 0;
+          const confidence = finding.confidence || 'high';
+          const multiplier = CONFIDENCE_MULTIPLIER[confidence] || 1.0;
+          deduction += pts * multiplier;
+        }
+      }
+
+      result.deduction = Math.min(deduction, result.maxDeduction);
+    }
+
+    // ── Compute total score ───────────────────────────────────────────────────
+    const totalDeduction = Object.values(categoryResults).reduce(
+      (sum, r) => sum + r.deduction, 0
+    );
+    const score = Math.max(0, 100 - totalDeduction);
+    const grade = GRADES.find(g => score >= g.min);
+
+    return {
+      score,
+      grade,
+      categories: categoryResults,
+      totalFindings: findings.length,
+      totalDepVulns: depVulns.length,
+    };
+  }
+
+  /**
+   * Map a finding category to a scoring category.
+   */
+  resolveCategory(findingCategory) {
+    if (CATEGORIES[findingCategory]) return findingCategory;
+    if (FALLBACK_CATEGORY_MAP[findingCategory] !== undefined) {
+      return FALLBACK_CATEGORY_MAP[findingCategory];
+    }
+    return 'injection'; // default fallback
+  }
+
+  /**
+   * Save score to history file for trend tracking.
+   */
+  saveToHistory(rootPath, scoreResult, suppressions = null) {
+    const historyDir = path.join(rootPath, '.ship-safe');
+    const historyFile = path.join(historyDir, 'history.json');
+
+    try {
+      if (!fs.existsSync(historyDir)) {
+        fs.mkdirSync(historyDir, { recursive: true });
+      }
+
+      let history = [];
+      if (fs.existsSync(historyFile)) {
+        try {
+          history = JSON.parse(fs.readFileSync(historyFile, 'utf-8'));
+        } catch { history = []; }
+      }
+
+      const entry = {
+        timestamp: new Date().toISOString(),
+        score: scoreResult.score,
+        grade: scoreResult.grade.letter,
+        totalFindings: scoreResult.totalFindings,
+        totalDepVulns: scoreResult.totalDepVulns,
+        categoryScores: Object.fromEntries(
+          Object.entries(scoreResult.categories).map(([k, v]) => [k, {
+            deduction: v.deduction,
+            counts: v.counts,
+          }])
+        ),
+      };
+      if (suppressions) entry.suppressions = suppressions;
+      history.push(entry);
+
+      // Keep last 100 entries
+      if (history.length > 100) history = history.slice(-100);
+
+      fs.writeFileSync(historyFile, JSON.stringify(history, null, 2));
+    } catch {
+      // Don't fail if history save fails
+    }
+  }
+
+  /**
+   * Load score history for trend display.
+   */
+  loadHistory(rootPath) {
+    const historyFile = path.join(rootPath, '.ship-safe', 'history.json');
+    try {
+      if (fs.existsSync(historyFile)) {
+        return JSON.parse(fs.readFileSync(historyFile, 'utf-8'));
+      }
+    } catch { /* ignore */ }
+    return [];
+  }
+
+  /**
+   * Get trend summary comparing current to last scan.
+   */
+  getTrend(rootPath, currentScore) {
+    const history = this.loadHistory(rootPath);
+    if (history.length < 2) return null;
+
+    const previous = history[history.length - 2];
+    const diff = currentScore - previous.score;
+
+    return {
+      previousScore: previous.score,
+      currentScore,
+      diff,
+      direction: diff > 0 ? 'improved' : diff < 0 ? 'regressed' : 'unchanged',
+      previousDate: previous.timestamp,
+    };
+  }
+}
+
+export { GRADES, CATEGORIES };
+export default ScoringEngine;

package/cli/agents/supabase-rls-agent.js

@@ -0,0 +1,148 @@
+/**
+ * SupabaseRLSAgent
+ * =================
+ *
+ * Detects missing or weak Row Level Security (RLS) in Supabase projects.
+ * Checks SQL migrations, client-side service_role key usage,
+ * unprotected storage operations, and anon-key data mutations.
+ */
+
+import fs from 'fs';
+import path from 'path';
+import { BaseAgent, createFinding } from './base-agent.js';
+
+// Patterns for client-side code
+const CLIENT_PATTERNS = [
+  {
+    rule: 'SUPABASE_SERVICE_KEY_CLIENT',
+    title: 'Supabase: Service Role Key in Client Code',
+    regex: /SUPABASE_SERVICE_ROLE_KEY|service_role_key|serviceRoleKey|supabaseAdmin/g,
+    severity: 'critical',
+    cwe: 'CWE-798',
+    owasp: 'A07:2021',
+    description: 'Service role key bypasses RLS entirely. Never expose it in client-side code.',
+    fix: 'Use the anon key on the client. Move service_role operations to a backend/edge function.',
+  },
+  {
+    rule: 'SUPABASE_RLS_DISABLED',
+    title: 'Supabase: RLS Bypass via .rpc() or Admin Client',
+    regex: /\.rpc\s*\(\s*['"][^'"]+['"]/g,
+    severity: 'high',
+    cwe: 'CWE-284',
+    owasp: 'A01:2021',
+    confidence: 'medium',
+    description: 'Supabase .rpc() calls execute database functions that may bypass RLS policies.',
+    fix: 'Ensure the underlying SQL function uses SECURITY DEFINER carefully, or set search_path.',
+  },
+  {
+    rule: 'SUPABASE_PUBLIC_ANON_INSERT',
+    title: 'Supabase: Unguarded Insert/Update/Delete',
+    regex: /supabase\s*\.from\s*\(\s*['"][^'"]+['"]\s*\)\s*\.(?:insert|update|delete|upsert)\s*\(/g,
+    severity: 'high',
+    cwe: 'CWE-284',
+    owasp: 'A01:2021',
+    confidence: 'medium',
+    description: 'Supabase data mutation without visible auth check. Ensure RLS policies protect this table.',
+    fix: 'Verify RLS is enabled on the table and policies restrict mutations to authenticated users.',
+  },
+  {
+    rule: 'SUPABASE_UNPROTECTED_STORAGE',
+    title: 'Supabase: Storage Operation Without Auth',
+    regex: /supabase\s*\.storage\s*\.from\s*\(\s*['"][^'"]+['"]\s*\)\s*\.(?:upload|remove|move|createSignedUrl|list)\s*\(/g,
+    severity: 'medium',
+    cwe: 'CWE-284',
+    owasp: 'A01:2021',
+    confidence: 'medium',
+    description: 'Supabase storage operation detected. Ensure storage policies restrict access.',
+    fix: 'Configure storage bucket policies to require authentication.',
+  },
+];
+
+// Client-side directories (findings here are more severe)
+const CLIENT_DIRS = /(?:^|[/\\])(?:src|pages|app|components|hooks|lib|utils)[/\\]/i;
+
+export class SupabaseRLSAgent extends BaseAgent {
+  constructor() {
+    super('SupabaseRLSAgent', 'Supabase Row Level Security audit', 'auth');
+  }
+
+  async analyze(context) {
+    const { rootPath, files } = context;
+    let findings = [];
+
+    // ── 1. Scan client-side code for Supabase security issues ─────────────────
+    const codeFiles = files.filter(f => {
+      const ext = path.extname(f).toLowerCase();
+      return ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.vue', '.svelte'].includes(ext);
+    });
+
+    for (const file of codeFiles) {
+      const fileFindings = this.scanFileWithPatterns(file, CLIENT_PATTERNS);
+      // Elevate severity for findings in client-side directories
+      const relPath = path.relative(rootPath, file).replace(/\\/g, '/');
+      if (CLIENT_DIRS.test(relPath)) {
+        for (const f of fileFindings) {
+          if (f.rule === 'SUPABASE_SERVICE_KEY_CLIENT') {
+            f.severity = 'critical';
+          }
+        }
+      }
+      findings = findings.concat(fileFindings);
+    }
+
+    // ── 2. Scan SQL migrations for missing RLS ────────────────────────────────
+    const sqlFiles = files.filter(f => path.extname(f).toLowerCase() === '.sql');
+    const tablesWithRLS = new Set();
+    const tablesWithoutRLS = [];
+
+    for (const file of sqlFiles) {
+      const content = this.readFile(file);
+      if (!content) continue;
+
+      // Find tables that have RLS enabled
+      const rlsMatches = content.matchAll(/ALTER\s+TABLE\s+(?:(?:public|auth|storage)\.)?["']?(\w+)["']?\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY/gi);
+      for (const m of rlsMatches) {
+        tablesWithRLS.add(m[1].toLowerCase());
+      }
+
+      // Find CREATE TABLE statements
+      const createMatches = content.matchAll(/CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:(?:public|auth|storage)\.)?["']?(\w+)["']?/gi);
+      for (const m of createMatches) {
+        const tableName = m[1].toLowerCase();
+        // Skip Supabase internal tables
+        if (['_prisma_migrations', 'schema_migrations', 'knex_migrations'].includes(tableName)) continue;
+
+        // Check if RLS is enabled in the same file
+        const rlsInFile = new RegExp(
+          `ALTER\\s+TABLE\\s+(?:(?:public|auth|storage)\\.)?["']?${tableName}["']?\\s+ENABLE\\s+ROW\\s+LEVEL\\s+SECURITY`,
+          'gi'
+        ).test(content);
+
+        if (!rlsInFile && !tablesWithRLS.has(tableName)) {
+          tablesWithoutRLS.push({ table: tableName, file });
+        }
+      }
+    }
+
+    // Report tables missing RLS
+    for (const { table, file } of tablesWithoutRLS) {
+      // Double-check across all SQL files
+      if (tablesWithRLS.has(table)) continue;
+      findings.push(createFinding({
+        file,
+        line: 0,
+        severity: 'critical',
+        category: 'auth',
+        rule: 'SUPABASE_NO_RLS_POLICY',
+        title: `Supabase: Table "${table}" Missing RLS`,
+        description: `Table "${table}" is created without enabling Row Level Security. Any user with the anon key can read/write all rows.`,
+        matched: `CREATE TABLE ${table}`,
+        fix: `Add: ALTER TABLE ${table} ENABLE ROW LEVEL SECURITY;\nThen create appropriate policies with CREATE POLICY.`,
+      }));
+    }
+
+    return findings;
+  }
+}
+
+export default SupabaseRLSAgent;