ship-safe 4.2.0 → 5.0.0

package/cli/agents/rag-security-agent.js

@@ -0,0 +1,204 @@
+/**
+ * RAG Security Agent
+ * ====================
+ *
+ * Detects security vulnerabilities in Retrieval-Augmented Generation
+ * (RAG) implementations. RAG poisoning attacks are a proven threat
+ * vector — attackers corrupt knowledge bases to manipulate LLM outputs.
+ *
+ * Checks: unvalidated document ingestion, missing chunk isolation,
+ * embedding exposure, metadata leakage, no retrieval filtering,
+ * excessive context stuffing.
+ *
+ * Maps to: OWASP LLM08 (Vector & Embedding Weaknesses),
+ *          OWASP Agentic AI ASI04 (Memory Poisoning)
+ */
+
+import path from 'path';
+import { BaseAgent } from './base-agent.js';
+
+// =============================================================================
+// RAG SECURITY PATTERNS
+// =============================================================================
+
+const PATTERNS = [
+  // ── Document Ingestion ───────────────────────────────────────────────────
+  {
+    rule: 'RAG_UNSANITIZED_INGESTION',
+    title: 'RAG: Documents Ingested Without Sanitization',
+    regex: /(?:addDocuments|add_documents|upsert|insert|index\.add|from_documents)\s*\(\s*(?:documents|docs|chunks|texts|pages|uploads|files|userDocs|userFiles)/g,
+    severity: 'high',
+    cwe: 'CWE-20',
+    owasp: 'A03:2021',
+    description: 'Documents added to vector store without sanitization. Attackers can embed malicious instructions in documents that get retrieved and injected into LLM context.',
+    fix: 'Sanitize document content before ingestion: strip HTML/script tags, detect prompt injection patterns, validate content type.',
+  },
+  {
+    rule: 'RAG_USER_UPLOAD_TO_VECTORDB',
+    title: 'RAG: User Upload Directly to Vector Store',
+    regex: /(?:upload|multer|formidable|busboy|req\.file|req\.files)[\s\S]{0,500}(?:addDocuments|add_documents|upsert|vectorStore|index\.add|embed|from_documents)/g,
+    severity: 'critical',
+    cwe: 'CWE-434',
+    owasp: 'A03:2021',
+    description: 'User file uploads are fed directly into a vector database without review. This enables RAG poisoning — attackers upload documents containing hidden instructions.',
+    fix: 'Add a review/approval pipeline between user uploads and vector store ingestion. Scan uploads for prompt injection patterns.',
+  },
+  {
+    rule: 'RAG_NO_CONTENT_FILTER',
+    title: 'RAG: No Content Filtering on Ingestion',
+    regex: /(?:TextLoader|PDFLoader|CSVLoader|DirectoryLoader|WebBaseLoader|UnstructuredLoader|load_and_split|loadDocuments)\s*\((?![\s\S]{0,300}(?:filter|sanitize|clean|validate|strip|remove|moderate))/g,
+    severity: 'medium',
+    cwe: 'CWE-20',
+    owasp: 'A03:2021',
+    confidence: 'medium',
+    description: 'Document loaders used without content filtering. Loaded content goes directly to embedding/vector store.',
+    fix: 'Add content filtering after loading documents: remove scripts, detect injection patterns, validate format.',
+  },
+
+  // ── Chunk Isolation ──────────────────────────────────────────────────────
+  {
+    rule: 'RAG_NO_TENANT_ISOLATION',
+    title: 'RAG: Vector Store Without Tenant Isolation',
+    regex: /(?:vectorStore|pinecone|chroma|weaviate|qdrant|milvus|pgvector)[\s\S]{0,300}(?:add|upsert|insert|index)(?![\s\S]{0,200}(?:namespace|tenant|partition|collection|filter|user_id|org_id|metadata.*(?:user|tenant|org)))/g,
+    severity: 'high',
+    cwe: 'CWE-284',
+    owasp: 'A01:2021',
+    confidence: 'medium',
+    description: 'Documents stored in vector database without tenant/user isolation. Users can retrieve other users\' private documents.',
+    fix: 'Use namespaces, collections, or metadata filters to isolate documents by tenant/user.',
+  },
+  {
+    rule: 'RAG_SYSTEM_DOCS_WITH_USER_DOCS',
+    title: 'RAG: System Documents Mixed With User Documents',
+    regex: /(?:addDocuments|add_documents|upsert)[\s\S]{0,200}(?:system|internal|private|admin)[\s\S]{0,200}(?:user|public|external|upload)/g,
+    severity: 'medium',
+    cwe: 'CWE-668',
+    owasp: 'A01:2021',
+    confidence: 'low',
+    description: 'System/internal documents mixed with user documents in the same collection. User queries could retrieve sensitive internal docs.',
+    fix: 'Separate system documents from user documents in different collections or namespaces.',
+  },
+
+  // ── Retrieval & Query Safety ─────────────────────────────────────────────
+  {
+    rule: 'RAG_NO_RETRIEVAL_FILTER',
+    title: 'RAG: Retrieved Chunks Used Without Filtering',
+    regex: /(?:similarity_search|similaritySearch|query|retrieve|get_relevant|asRetriever)[\s\S]{0,300}(?:page_content|pageContent|text|content|document)[\s\S]{0,200}(?:prompt|messages|content|system|user)/g,
+    severity: 'high',
+    cwe: 'CWE-74',
+    owasp: 'A03:2021',
+    confidence: 'medium',
+    description: 'Retrieved document chunks injected into LLM prompt without filtering. Poisoned documents can override system instructions.',
+    fix: 'Filter retrieved chunks: remove instruction-like content, apply relevance score thresholds, limit number of chunks.',
+  },
+  {
+    rule: 'RAG_NO_RELEVANCE_THRESHOLD',
+    title: 'RAG: No Relevance Score Threshold on Retrieval',
+    regex: /(?:similarity_search|similaritySearch|asRetriever)\s*\(\s*(?:query|question|input)(?![\s\S]{0,200}(?:score_threshold|scoreThreshold|threshold|minScore|min_score|filter))/g,
+    severity: 'medium',
+    cwe: 'CWE-20',
+    owasp: 'A03:2021',
+    confidence: 'low',
+    description: 'Vector similarity search without relevance threshold. Low-relevance chunks may contain poisoned content designed to be retrieved for many queries.',
+    fix: 'Set a minimum relevance score threshold to filter out low-quality matches.',
+  },
+  {
+    rule: 'RAG_EXCESSIVE_CONTEXT',
+    title: 'RAG: Excessive Retrieved Context',
+    regex: /(?:k\s*[:=]\s*(?:[5-9]\d|\d{3,})|top_k\s*[:=]\s*(?:[5-9]\d|\d{3,})|search_kwargs.*k.*(?:[5-9]\d|\d{3,}))/g,
+    severity: 'medium',
+    cwe: 'CWE-400',
+    owasp: 'A04:2021',
+    confidence: 'low',
+    description: 'Retrieving a very large number of chunks (50+). Increases the attack surface for prompt injection via poisoned documents.',
+    fix: 'Limit retrieved chunks to the minimum needed (typically 3-10). More chunks = more injection surface.',
+  },
+
+  // ── Embedding & Data Exposure ────────────────────────────────────────────
+  {
+    rule: 'RAG_EMBEDDING_API_EXPOSED',
+    title: 'RAG: Embedding Endpoint Exposed Without Auth',
+    regex: /(?:app\.|router\.|api\.)(?:get|post)\s*\(\s*['"].*(?:embed|embedding|vectorize|encode)['"](?![\s\S]{0,300}(?:auth|middleware|protect|guard|jwt|bearer|session))/g,
+    severity: 'high',
+    cwe: 'CWE-306',
+    owasp: 'A07:2021',
+    confidence: 'medium',
+    description: 'Embedding API endpoint exposed without authentication. Attackers can enumerate embeddings or generate vectors for injection attacks.',
+    fix: 'Add authentication middleware to embedding endpoints.',
+  },
+  {
+    rule: 'RAG_METADATA_IN_RESPONSE',
+    title: 'RAG: Internal Metadata Exposed in Response',
+    regex: /(?:metadata|source|file_path|filePath|url|author|timestamp)[\s\S]{0,100}(?:res\.json|res\.send|response\.json|return\s*\{|jsonify)/g,
+    severity: 'medium',
+    cwe: 'CWE-200',
+    owasp: 'A01:2021',
+    confidence: 'low',
+    description: 'Internal document metadata (file paths, sources, authors) returned in API responses. Leaks information about the knowledge base structure.',
+    fix: 'Strip internal metadata before returning responses. Only expose necessary fields to the client.',
+  },
+  {
+    rule: 'RAG_EMBEDDING_IN_RESPONSE',
+    title: 'RAG: Raw Embeddings Returned to Client',
+    regex: /(?:embedding|vector|dense_vector)[\s\S]{0,100}(?:res\.json|res\.send|response|return|output)/g,
+    severity: 'medium',
+    cwe: 'CWE-200',
+    owasp: 'A01:2021',
+    confidence: 'low',
+    description: 'Raw embedding vectors returned in API responses. Research shows embeddings can be inverted to recover original text, leaking private data.',
+    fix: 'Never return raw embedding vectors in API responses. Embeddings should remain server-side only.',
+  },
+
+  // ── Model & Pipeline Safety ──────────────────────────────────────────────
+  {
+    rule: 'RAG_PICKLE_EMBEDDING_MODEL',
+    title: 'RAG: Embedding Model Loaded via Pickle',
+    regex: /(?:torch\.load|pickle\.load|joblib\.load)\s*\(\s*(?!.*safetensors)(?!.*weights_only\s*=\s*True)/g,
+    severity: 'critical',
+    cwe: 'CWE-502',
+    owasp: 'A08:2021',
+    description: 'ML model loaded from pickle format. Pickle files can contain arbitrary code that executes on load.',
+    fix: 'Use safetensors format for model loading. If using torch.load(), set weights_only=True.',
+  },
+  {
+    rule: 'RAG_TRUST_REMOTE_CODE',
+    title: 'RAG: Model Loaded With trust_remote_code=True',
+    regex: /trust_remote_code\s*=\s*True/g,
+    severity: 'high',
+    cwe: 'CWE-94',
+    owasp: 'A08:2021',
+    description: 'Embedding or LLM model loaded with trust_remote_code=True. Allows execution of arbitrary code from the model repository.',
+    fix: 'Set trust_remote_code=False. Audit model code before enabling remote code execution.',
+  },
+];
+
+// =============================================================================
+// RAG SECURITY AGENT
+// =============================================================================
+
+export class RAGSecurityAgent extends BaseAgent {
+  constructor() {
+    super(
+      'RAGSecurityAgent',
+      'Detect RAG security vulnerabilities — poisoning, embedding exposure, tenant isolation gaps',
+      'llm'
+    );
+  }
+
+  async analyze(context) {
+    const { files } = context;
+
+    const codeFiles = files.filter(f => {
+      const ext = path.extname(f).toLowerCase();
+      return ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs', '.py', '.rb', '.go', '.java'].includes(ext);
+    });
+
+    let findings = [];
+    for (const file of codeFiles) {
+      findings = findings.concat(this.scanFileWithPatterns(file, PATTERNS));
+    }
+    return findings;
+  }
+}
+
+export default RAGSecurityAgent;

package/cli/agents/sbom-generator.js

@@ -108,7 +108,11 @@ export class SBOMGenerator {
       } catch { /* skip */ }
     }
 
-    // ── Build CycloneDX BOM ───────────────────────────────────────────────────
+    // ── Detect licenses from lock files ─────────────────────────────────────
+    const licenses = this._detectLicenses(rootPath);
+
+    // ── Build CycloneDX BOM (CRA-enhanced) ──────────────────────────────────
+    const projectMeta = this.getProjectMetadata(rootPath);
     const bom = {
       bomFormat: 'CycloneDX',
       specVersion: '1.5',
@@ -119,23 +123,57 @@ export class SBOMGenerator {
         tools: [{
           vendor: 'ship-safe',
           name: 'ship-safe',
-          version: '4.0.0',
+          version: '5.0.0',
         }],
-        component: this.getProjectMetadata(rootPath),
+        component: projectMeta,
+        // EU CRA: supplier identification
+        supplier: this._getSupplier(rootPath),
+        // EU CRA: lifecycle phase
+        lifecycles: [{ phase: 'build' }],
       },
-      components: components.map((c, i) => ({
-        'bom-ref': `component-${i}`,
-        type: c.type,
-        name: c.name,
-        version: c.version,
-        purl: c.purl,
-        scope: c.scope,
-      })),
+      components: components.map((c, i) => {
+        const comp = {
+          'bom-ref': `component-${i}`,
+          type: c.type,
+          name: c.name,
+          version: c.version,
+          purl: c.purl,
+          scope: c.scope,
+        };
+        // EU CRA: attach license if known
+        const lic = licenses[c.name];
+        if (lic) {
+          comp.licenses = [{ license: { id: lic } }];
+        }
+        return comp;
+      }),
+      // EU CRA: vulnerability disclosure info
+      vulnerabilities: [],
     };
 
     return bom;
   }
 
+  /**
+   * Attach known vulnerabilities to the SBOM (CRA requirement).
+   */
+  attachVulnerabilities(bom, depVulns = []) {
+    bom.vulnerabilities = depVulns.map((v, i) => ({
+      'bom-ref': `vuln-${i}`,
+      id: v.id || v.package || `VULN-${i}`,
+      source: { name: 'ship-safe' },
+      ratings: [{
+        severity: v.severity || 'unknown',
+        method: 'other',
+      }],
+      description: v.description || '',
+      affects: [{
+        ref: v.package || 'unknown',
+      }],
+    }));
+    return bom;
+  }
+
   /**
    * Generate SBOM and write to file.
    */
@@ -165,6 +203,57 @@ export class SBOMGenerator {
     };
   }
 
+  /**
+   * EU CRA: Extract supplier info from package.json.
+   */
+  _getSupplier(rootPath) {
+    const pkgPath = path.join(rootPath, 'package.json');
+    try {
+      if (fs.existsSync(pkgPath)) {
+        const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+        const author = typeof pkg.author === 'string' ? pkg.author
+          : pkg.author?.name || pkg.author?.email || null;
+        if (author) {
+          return { name: author, url: [pkg.homepage || pkg.repository?.url || ''].filter(Boolean) };
+        }
+      }
+    } catch { /* skip */ }
+    return { name: 'Unknown' };
+  }
+
+  /**
+   * Detect licenses from node_modules (best-effort).
+   * Returns { packageName: 'MIT' | 'ISC' | ... }
+   */
+  _detectLicenses(rootPath) {
+    const licenses = {};
+    const nodeModules = path.join(rootPath, 'node_modules');
+    const pkgPath = path.join(rootPath, 'package.json');
+
+    if (!fs.existsSync(pkgPath)) return licenses;
+
+    try {
+      const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+
+      for (const name of Object.keys(allDeps)) {
+        const depPkgPath = path.join(nodeModules, name, 'package.json');
+        try {
+          if (fs.existsSync(depPkgPath)) {
+            const depPkg = JSON.parse(fs.readFileSync(depPkgPath, 'utf-8'));
+            if (depPkg.license) {
+              licenses[name] = typeof depPkg.license === 'string'
+                ? depPkg.license
+                : depPkg.license.type || 'UNKNOWN';
+            }
+          }
+        } catch { /* skip */ }
+      }
+    } catch { /* skip */ }
+
+    return licenses;
+  }
+
   uuid() {
     return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, c => {
       const r = Math.random() * 16 | 0;

package/cli/agents/scoring-engine.js

@@ -35,6 +35,10 @@ const FALLBACK_CATEGORY_MAP = {
   'history': 'secrets',
   'cicd': 'config',
   'mobile': 'injection',
+  'privacy': 'config',
+  'mcp': 'llm',
+  'agentic': 'llm',
+  'rag': 'llm',
   'recon': null, // skip recon findings
 };
 

package/cli/agents/supabase-rls-agent.js

@@ -0,0 +1,154 @@
+/**
+ * SupabaseRLSAgent
+ * =================
+ *
+ * Detects missing or weak Row Level Security (RLS) in Supabase projects.
+ * Checks SQL migrations, client-side service_role key usage,
+ * unprotected storage operations, and anon-key data mutations.
+ */
+
+import fs from 'fs';
+import path from 'path';
+import { BaseAgent, createFinding } from './base-agent.js';
+
+// Patterns for client-side code
+const CLIENT_PATTERNS = [
+  {
+    rule: 'SUPABASE_SERVICE_KEY_CLIENT',
+    title: 'Supabase: Service Role Key in Client Code',
+    regex: /SUPABASE_SERVICE_ROLE_KEY|service_role_key|serviceRoleKey|supabaseAdmin/g,
+    severity: 'critical',
+    cwe: 'CWE-798',
+    owasp: 'A07:2021',
+    description: 'Service role key bypasses RLS entirely. Never expose it in client-side code.',
+    fix: 'Use the anon key on the client. Move service_role operations to a backend/edge function.',
+  },
+  {
+    rule: 'SUPABASE_RLS_DISABLED',
+    title: 'Supabase: RLS Bypass via .rpc() or Admin Client',
+    regex: /\.rpc\s*\(\s*['"][^'"]+['"]/g,
+    severity: 'high',
+    cwe: 'CWE-284',
+    owasp: 'A01:2021',
+    confidence: 'medium',
+    description: 'Supabase .rpc() calls execute database functions that may bypass RLS policies.',
+    fix: 'Ensure the underlying SQL function uses SECURITY DEFINER carefully, or set search_path.',
+  },
+  {
+    rule: 'SUPABASE_PUBLIC_ANON_INSERT',
+    title: 'Supabase: Unguarded Insert/Update/Delete',
+    regex: /supabase\s*\.from\s*\(\s*['"][^'"]+['"]\s*\)\s*\.(?:insert|update|delete|upsert)\s*\(/g,
+    severity: 'high',
+    cwe: 'CWE-284',
+    owasp: 'A01:2021',
+    confidence: 'medium',
+    description: 'Supabase data mutation without visible auth check. Ensure RLS policies protect this table.',
+    fix: 'Verify RLS is enabled on the table and policies restrict mutations to authenticated users.',
+  },
+  {
+    rule: 'SUPABASE_UNPROTECTED_STORAGE',
+    title: 'Supabase: Storage Operation Without Auth',
+    regex: /supabase\s*\.storage\s*\.from\s*\(\s*['"][^'"]+['"]\s*\)\s*\.(?:upload|remove|move|createSignedUrl|list)\s*\(/g,
+    severity: 'medium',
+    cwe: 'CWE-284',
+    owasp: 'A01:2021',
+    confidence: 'medium',
+    description: 'Supabase storage operation detected. Ensure storage policies restrict access.',
+    fix: 'Configure storage bucket policies to require authentication.',
+  },
+];
+
+// Client-side directories (findings here are more severe)
+const CLIENT_DIRS = /(?:^|[/\\])(?:src|pages|app|components|hooks|lib|utils)[/\\]/i;
+
+export class SupabaseRLSAgent extends BaseAgent {
+  constructor() {
+    super('SupabaseRLSAgent', 'Supabase Row Level Security audit', 'auth');
+  }
+
+  shouldRun(recon) {
+    return recon?.databases?.includes('supabase') ||
+           recon?.authPatterns?.includes('supabase-auth') ||
+           false;
+  }
+
+  async analyze(context) {
+    const { rootPath, files } = context;
+    let findings = [];
+
+    // ── 1. Scan client-side code for Supabase security issues ─────────────────
+    const codeFiles = files.filter(f => {
+      const ext = path.extname(f).toLowerCase();
+      return ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.vue', '.svelte'].includes(ext);
+    });
+
+    for (const file of codeFiles) {
+      const fileFindings = this.scanFileWithPatterns(file, CLIENT_PATTERNS);
+      // Elevate severity for findings in client-side directories
+      const relPath = path.relative(rootPath, file).replace(/\\/g, '/');
+      if (CLIENT_DIRS.test(relPath)) {
+        for (const f of fileFindings) {
+          if (f.rule === 'SUPABASE_SERVICE_KEY_CLIENT') {
+            f.severity = 'critical';
+          }
+        }
+      }
+      findings = findings.concat(fileFindings);
+    }
+
+    // ── 2. Scan SQL migrations for missing RLS ────────────────────────────────
+    const sqlFiles = files.filter(f => path.extname(f).toLowerCase() === '.sql');
+    const tablesWithRLS = new Set();
+    const tablesWithoutRLS = [];
+
+    for (const file of sqlFiles) {
+      const content = this.readFile(file);
+      if (!content) continue;
+
+      // Find tables that have RLS enabled
+      const rlsMatches = content.matchAll(/ALTER\s+TABLE\s+(?:(?:public|auth|storage)\.)?["']?(\w+)["']?\s+ENABLE\s+ROW\s+LEVEL\s+SECURITY/gi);
+      for (const m of rlsMatches) {
+        tablesWithRLS.add(m[1].toLowerCase());
+      }
+
+      // Find CREATE TABLE statements
+      const createMatches = content.matchAll(/CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(?:(?:public|auth|storage)\.)?["']?(\w+)["']?/gi);
+      for (const m of createMatches) {
+        const tableName = m[1].toLowerCase();
+        // Skip Supabase internal tables
+        if (['_prisma_migrations', 'schema_migrations', 'knex_migrations'].includes(tableName)) continue;
+
+        // Check if RLS is enabled in the same file
+        const rlsInFile = new RegExp(
+          `ALTER\\s+TABLE\\s+(?:(?:public|auth|storage)\\.)?["']?${tableName}["']?\\s+ENABLE\\s+ROW\\s+LEVEL\\s+SECURITY`,
+          'gi'
+        ).test(content);
+
+        if (!rlsInFile && !tablesWithRLS.has(tableName)) {
+          tablesWithoutRLS.push({ table: tableName, file });
+        }
+      }
+    }
+
+    // Report tables missing RLS
+    for (const { table, file } of tablesWithoutRLS) {
+      // Double-check across all SQL files
+      if (tablesWithRLS.has(table)) continue;
+      findings.push(createFinding({
+        file,
+        line: 0,
+        severity: 'critical',
+        category: 'auth',
+        rule: 'SUPABASE_NO_RLS_POLICY',
+        title: `Supabase: Table "${table}" Missing RLS`,
+        description: `Table "${table}" is created without enabling Row Level Security. Any user with the anon key can read/write all rows.`,
+        matched: `CREATE TABLE ${table}`,
+        fix: `Add: ALTER TABLE ${table} ENABLE ROW LEVEL SECURITY;\nThen create appropriate policies with CREATE POLICY.`,
+      }));
+    }
+
+    return findings;
+  }
+}
+
+export default SupabaseRLSAgent;