npm - vite-plugin-vue-security - Versions diffs - 1.0.0 - Mend

vite-plugin-vue-security 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,87 @@
+# Vite Plugin Vue Security
+A Vite plugin that performs security scans on Vue.js projects during the build process. This plugin integrates the Vue Security Scanner directly into your Vite build pipeline, allowing you to detect security vulnerabilities in real-time during development and build.
+## Installation
+```bash
+npm install vite-plugin-vue-security --save-dev
+```
+## Usage
+### Basic Usage
+```javascript
+// vite.config.js
+import { defineConfig } from 'vite';
+import vue from '@vitejs/plugin-vue';
+import vueSecurityPlugin from 'vite-plugin-vue-security';
+export default defineConfig({
+  plugins: [
+    vueSecurityPlugin(), // Add security scanning
+    vue() // Vue plugin
+  ]
+});
+```
+### Advanced Configuration
+```javascript
+// vite.config.js
+import { defineConfig } from 'vite';
+import vue from '@vitejs/plugin-vue';
+import vueSecurityPlugin from 'vite-plugin-vue-security';
+export default defineConfig({
+  plugins: [
+    vueSecurityPlugin({
+      enabled: true,           // Enable/disable security scanning (default: true)
+      failOnError: false,      // Fail build on security issues (default: false)
+      reportLevel: 'warning',  // 'error', 'warning', or 'info' (default: 'warning')
+      outputFile: './security-report.json', // Optional output file for security report
+      exclude: [              // Patterns to exclude from scanning
+        'node_modules',
+        'dist',
+        'public'
+      ]
+    }),
+    vue()
+  ]
+});
+```
+## Configuration Options
+- `enabled`: Boolean to enable/disable the security scanning (default: true)
+- `failOnError`: Boolean to make the build fail when high severity vulnerabilities are detected (default: false)
+- `reportLevel`: Sets the level of reporting ('error', 'warning', or 'info'; default: 'warning')
+- `outputFile`: Optional path to write a JSON security report (default: null)
+- `exclude`: Array of patterns to exclude from scanning (default: [])
+## Features
+- **Real-time Security Scanning**: Scans Vue, JS, and TS files during the build process
+- **Multiple Vulnerability Types**: Detects XSS, dependency issues, misconfigurations, hardcoded secrets, and more
+- **Enterprise Plugin Support**: Compatible with the Vue Security Scanner plugin system
+- **Flexible Reporting**: Configurable reporting levels and output formats
+- **Build Integration**: Option to fail builds on security issues
+## Detected Vulnerabilities
+The plugin can detect various security issues including:
+- Cross-Site Scripting (XSS) vulnerabilities
+- Insecure dependencies
+- Hardcoded secrets and credentials
+- Misconfigurations
+- Potential code injection issues
+- DOM-based XSS patterns
+- Missing security headers
+- Sensitive data exposure in URLs
+- Weak random number generation
+## License
+MIT

package/index.js ADDED Viewed

@@ -0,0 +1,179 @@
+const fs = require('fs');
+const path = require('path');
+// Import the security scanner with plugin and ignore functionality
+const { SecurityScanner } = require('vue-security-scanner/src/scanner');
+const VulnerabilityDetector = require('vue-security-scanner/src/core/vulnerability-detector');
+const pluginManager = require('vue-security-scanner/src/plugin-system/plugin-manager');
+const IgnoreManager = require('vue-security-scanner/src/utils/ignore-manager');
+/**
+ * Vite Plugin for Vue Security Scanning
+ * Performs security scans on Vue.js projects during the build process
+ */
+function vueSecurityPlugin(options = {}) {
+  const config = {
+    // Default options
+    enabled: true,
+    failOnError: false, // Whether to fail the build on security issues
+    reportLevel: 'warning', // 'error', 'warning', or 'info'
+    outputFile: null, // Optional output file for security report
+    exclude: [], // Patterns to exclude from scanning
+    ...options
+  };
+  let detector;
+  return {
+    name: 'vue-security',
+    enforce: 'pre', // Run before other transforms
+    async buildStart() {
+      // Initialize the security scanner with configuration
+      const scannerConfig = {
+        rules: config.rules || {},
+        scan: {
+          ignoreDirs: config.ignoreDirs || [],
+          ignorePatterns: config.ignorePatterns || [],
+          maxSize: config.maxSize || 10,
+          maxDepth: config.maxDepth || 10
+        },
+        output: {
+          showProgress: false, // Disable progress in build process
+          format: 'json'
+        },
+        plugins: {
+          enabled: true,
+          directory: config.pluginsDir || path.join(__dirname, '../plugins'),
+          settings: config.pluginSettings || {}
+        }
+      };
+      // Initialize the security scanner
+      this.scanner = new SecurityScanner(scannerConfig);
+      // Load plugins if available
+      try {
+        await pluginManager.loadPluginsFromDirectory(scannerConfig.plugins.directory);
+      } catch (error) {
+        console.warn('Could not load security plugins:', error.message);
+      }
+      // Initialize ignore manager
+      this.ignoreManager = new IgnoreManager(process.cwd());
+    },
+    async transform(code, id) {
+      // Skip if disabled
+      if (!config.enabled) {
+        return null;
+      }
+      // Skip excluded files
+      if (config.exclude.some(pattern => id.includes(pattern))) {
+        return null;
+      }
+      // Only scan Vue files and JS/TS files
+      if (!id.endsWith('.vue') && !id.endsWith('.js') && !id.endsWith('.ts') && !id.endsWith('.jsx') && !id.endsWith('.tsx')) {
+        return null;
+      }
+      // Check if file should be ignored
+      if (this.ignoreManager && this.ignoreManager.shouldIgnoreFile(id)) {
+        return null;
+      }
+      try {
+        // Perform security scan using the new scanner
+        const result = await this.scanner.scanFile(id, code);
+        const vulnerabilities = result.vulnerabilities || [];
+        // Report vulnerabilities
+        if (vulnerabilities.length > 0) {
+          vulnerabilities.forEach(vuln => {
+            let message = `[VUE-SECURITY] ${vuln.type} - ${vuln.severity} SEVERITY\n`;
+            message += `File: ${vuln.file}\n`;
+            if (vuln.line !== 'N/A') {
+              message += `Line: ${vuln.line}\n`;
+            }
+            message += `Description: ${vuln.description}\n`;
+            message += `Recommendation: ${vuln.recommendation}\n`;
+            if (vuln.plugin) {
+              message += `Plugin: ${vuln.plugin}\n`;
+            }
+            // Log based on report level
+            if (config.reportLevel === 'error' ||
+                (config.reportLevel === 'warning' && vuln.severity !== 'Low')) {
+              this.error(message);
+            } else {
+              this.warn(message);
+            }
+          });
+          // Optionally write to output file
+          if (config.outputFile) {
+            await writeSecurityReport(config.outputFile, vulnerabilities);
+          }
+          // Fail build if configured to do so
+          if (config.failOnError) {
+            const highSeverityVulns = vulnerabilities.filter(v => v.severity === 'High' || v.severity === 'Critical');
+            if (highSeverityVulns.length > 0) {
+              this.error(`Build failed due to ${highSeverityVulns.length} high severity security vulnerabilities.`);
+            }
+          }
+        }
+      } catch (error) {
+        console.warn(`Security scan error for ${id}:`, error.message);
+      }
+      // Return the original code (we're only scanning, not modifying)
+      return {
+        code,
+        map: null // No source map transformation
+      };
+    },
+    // Hook to generate final report
+    async buildEnd(errors) {
+      if (errors && errors.length > 0) {
+        console.log(`Build completed with ${errors.length} errors.`);
+      }
+    }
+  };
+}
+/**
+ * Write security report to file
+ */
+async function writeSecurityReport(outputFile, vulnerabilities) {
+  try {
+    const report = {
+      timestamp: new Date().toISOString(),
+      totalVulnerabilities: vulnerabilities.length,
+      vulnerabilities: vulnerabilities.map(v => ({
+        type: v.type,
+        severity: v.severity,
+        file: v.file,
+        line: v.line,
+        description: v.description,
+        recommendation: v.recommendation,
+        plugin: v.plugin
+      }))
+    };
+    const dir = path.dirname(outputFile);
+    if (!fs.existsSync(dir)) {
+      fs.mkdirSync(dir, { recursive: true });
+    }
+    await fs.promises.writeFile(outputFile, JSON.stringify(report, null, 2));
+    console.log(`Security report written to ${outputFile}`);
+  } catch (error) {
+    console.error('Error writing security report:', error.message);
+  }
+}
+module.exports = vueSecurityPlugin;

package/package.json ADDED Viewed

@@ -0,0 +1,37 @@
+{
+  "name": "vite-plugin-vue-security",
+  "version": "1.0.0",
+  "description": "A Vite plugin that performs security scans on Vue.js projects during the build process",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [
+    "vite",
+    "plugin",
+    "vue",
+    "security",
+    "scanner",
+    "vulnerability",
+    "xss",
+    "owasp"
+  ],
+  "author": "Vue Security Team",
+  "license": "MIT",
+  "peerDependencies": {
+    "vite": "^4.0.0 || ^5.0.0",
+    "vue": "^3.0.0"
+  },
+  "dependencies": {
+    "cheerio": "^1.0.0-rc.12",
+    "vue-security-scanner": "^1.1.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/ereddate/vue-security-scanner.git"
+  },
+  "bugs": {
+    "url": "https://github.com/ereddate/vue-security-scanner/issues"
+  },
+  "homepage": "https://github.com/ereddate/vue-security-scanner#readme"
+}

package/vite.config.example.js ADDED Viewed

@@ -0,0 +1,28 @@
+// 示例：如何在Vite项目中使用Vue安全插件
+// vite.config.js
+import { defineConfig } from 'vite';
+import vue from '@vitejs/plugin-vue';
+import vueSecurityPlugin from 'vite-plugin-vue-security';
+export default defineConfig({
+  plugins: [
+    // 启用Vue安全扫描插件
+    vueSecurityPlugin({
+      enabled: true,           // 启用安全扫描
+      failOnError: false,      // 发现安全问题时不中断构建
+      reportLevel: 'warning',  // 报告级别：'error', 'warning', 或 'info'
+      outputFile: './security-report.json', // 安全报告输出文件
+      exclude: [              // 排除扫描的文件模式
+        'node_modules',
+        'dist',
+        'public'
+      ]
+    }),
+    // Vue插件
+    vue()
+  ],
+  // 其他Vite配置...
+});