vite-plugin-vue-security 1.2.0 → 1.4.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 ereddate
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/index.js

@@ -1,13 +1,15 @@
 const fs = require('fs');
 const path = require('path');
 
-// Import the security scanner with rule-based architecture
-const { SecurityScanner } = require('vue-security-scanner/src/scanner');
+// Import the security scanner with rule-based architecture from npm package
+const { SecurityScanner } = require('vue-security-scanner');
 const IgnoreManager = require('vue-security-scanner/src/utils/ignore-manager');
+const AdvancedReportGenerator = require('vue-security-scanner/src/reporting/advanced-report-generator');
 
 /**
  * Vite Plugin for Vue Security Scanning
  * Performs security scans on Vue.js projects during the build process
+ * with advanced semantic analysis and enterprise-grade reporting
  */
 function vueSecurityPlugin(options = {}) {
   const config = {
@@ -17,11 +19,21 @@ function vueSecurityPlugin(options = {}) {
     reportLevel: 'warning', // 'error', 'warning', or 'info'
     outputFile: null, // Optional output file for security report
     exclude: [], // Patterns to exclude from scanning
+    
+    // NEW: Advanced features
+    enableSemanticAnalysis: true, // Enable AST-based semantic analysis
+    enableDependencyScanning: true, // Enable dependency vulnerability scanning
+    enableAdvancedReport: false, // Enable advanced reporting with trends and compliance
+    reportHistoryPath: '.vue-security-reports', // Path for report history
+    complianceStandards: ['OWASP', 'GDPR', 'HIPAA', 'PCI-DSS', 'SOX'], // Compliance standards to check
+    
     ...options
   };
 
   let scanner;
   let ignoreManager;
+  let advancedReportGenerator;
+  let allVulnerabilities = []; // Collect all vulnerabilities for final report
 
   return {
     name: 'vue-security',
@@ -40,6 +52,15 @@ function vueSecurityPlugin(options = {}) {
         output: {
           showProgress: false, // Disable progress in build process
           format: 'json'
+        },
+        performance: {
+          enableSemanticAnalysis: config.enableSemanticAnalysis,
+          enableNpmAudit: config.enableDependencyScanning,
+          enableVulnerabilityDB: config.enableDependencyScanning
+        },
+        compliance: {
+          enabled: config.enableAdvancedReport,
+          standards: config.complianceStandards
         }
       };
 
@@ -48,6 +69,14 @@ function vueSecurityPlugin(options = {}) {
       
       // Initialize ignore manager
       ignoreManager = new IgnoreManager(process.cwd());
+      
+      // Initialize advanced report generator if enabled
+      if (config.enableAdvancedReport) {
+        advancedReportGenerator = new AdvancedReportGenerator();
+      }
+      
+      // Clear previous vulnerabilities
+      allVulnerabilities = [];
     },
 
     async transform(code, id) {
@@ -76,6 +105,9 @@ function vueSecurityPlugin(options = {}) {
         const result = await scanner.scanFile(id, code);
         const vulnerabilities = result.vulnerabilities || [];
 
+        // Collect vulnerabilities for final report
+        allVulnerabilities.push(...vulnerabilities);
+
         // Report vulnerabilities
         if (vulnerabilities.length > 0) {
           vulnerabilities.forEach(vuln => {
@@ -89,6 +121,9 @@ function vueSecurityPlugin(options = {}) {
             if (vuln.ruleId) {
               message += `Rule: ${vuln.ruleId}\n`;
             }
+            if (vuln.confidence) {
+              message += `Confidence: ${vuln.confidence}\n`;
+            }
 
             // Log based on report level
             if (config.reportLevel === 'error' || 
@@ -99,11 +134,6 @@ function vueSecurityPlugin(options = {}) {
             }
           });
 
-          // Optionally write to output file
-          if (config.outputFile) {
-            await writeSecurityReport(config.outputFile, vulnerabilities);
-          }
-
           // Fail build if configured to do so
           if (config.failOnError) {
             const highSeverityVulns = vulnerabilities.filter(v => v.severity === 'High' || v.severity === 'Critical');
@@ -128,6 +158,70 @@ function vueSecurityPlugin(options = {}) {
       if (errors && errors.length > 0) {
         console.log(`Build completed with ${errors.length} errors.`);
       }
+
+      // Scan dependencies if enabled
+      if (config.enableDependencyScanning) {
+        try {
+          console.log('Scanning dependencies for vulnerabilities...');
+          const dependencyScanner = require('vue-security-scanner/src/analysis/dependency-scanner');
+          const depScanner = new dependencyScanner({
+            enableNpmAudit: true,
+            enableVulnerabilityDB: true
+          });
+          
+          const depVulns = await depScanner.scanDependencies(process.cwd());
+          allVulnerabilities.push(...depVulns);
+          
+          console.log(`Found ${depVulns.length} dependency vulnerabilities.`);
+        } catch (error) {
+          console.warn('Dependency scanning failed:', error.message);
+        }
+      }
+
+      // Generate report
+      if (allVulnerabilities.length > 0) {
+        const scanResult = {
+          summary: {
+            totalVulnerabilities: allVulnerabilities.length,
+            critical: allVulnerabilities.filter(v => v.severity === 'Critical').length,
+            high: allVulnerabilities.filter(v => v.severity === 'High').length,
+            medium: allVulnerabilities.filter(v => v.severity === 'Medium').length,
+            low: allVulnerabilities.filter(v => v.severity === 'Low').length
+          },
+          vulnerabilities: allVulnerabilities,
+          scanInfo: {
+            scannerVersion: '1.3.0',
+            scanDate: new Date().toISOString(),
+            projectPath: process.cwd()
+          }
+        };
+
+        // Generate advanced report if enabled
+        if (config.enableAdvancedReport && advancedReportGenerator) {
+          try {
+            const advancedReport = advancedReportGenerator.generateAdvancedReport(scanResult, {
+              includeTrends: true,
+              includeCompliance: true,
+              historyPath: config.reportHistoryPath
+            });
+            
+            if (config.outputFile) {
+              const reportPath = config.outputFile.endsWith('.html') 
+                ? config.outputFile 
+                : config.outputFile.replace('.json', '.html');
+              
+              await writeAdvancedReport(reportPath, advancedReport, 'html');
+            }
+          } catch (error) {
+            console.warn('Advanced report generation failed:', error.message);
+          }
+        }
+
+        // Write basic report
+        if (config.outputFile) {
+          await writeSecurityReport(config.outputFile, allVulnerabilities, scanResult);
+        }
+      }
     }
   };
 }
@@ -135,11 +229,12 @@ function vueSecurityPlugin(options = {}) {
 /**
  * Write security report to file
  */
-async function writeSecurityReport(outputFile, vulnerabilities) {
+async function writeSecurityReport(outputFile, vulnerabilities, scanResult) {
   try {
     const report = {
       timestamp: new Date().toISOString(),
       totalVulnerabilities: vulnerabilities.length,
+      summary: scanResult.summary,
       vulnerabilities: vulnerabilities.map(v => ({
         type: v.type,
         severity: v.severity,
@@ -147,7 +242,8 @@ async function writeSecurityReport(outputFile, vulnerabilities) {
         line: v.line,
         description: v.description,
         recommendation: v.recommendation,
-        ruleId: v.ruleId
+        ruleId: v.ruleId,
+        confidence: v.confidence
       }))
     };
 
@@ -163,4 +259,105 @@ async function writeSecurityReport(outputFile, vulnerabilities) {
   }
 }
 
+/**
+ * Write advanced report to file (HTML or JSON)
+ */
+async function writeAdvancedReport(outputFile, advancedReport, format = 'json') {
+  try {
+    const dir = path.dirname(outputFile);
+    if (!fs.existsSync(dir)) {
+      fs.mkdirSync(dir, { recursive: true });
+    }
+
+    if (format === 'html') {
+      const htmlReport = generateHTMLReport(advancedReport);
+      await fs.promises.writeFile(outputFile, htmlReport);
+      console.log(`Advanced HTML report written to ${outputFile}`);
+    } else {
+      await fs.promises.writeFile(outputFile, JSON.stringify(advancedReport, null, 2));
+      console.log(`Advanced JSON report written to ${outputFile}`);
+    }
+  } catch (error) {
+    console.error('Error writing advanced report:', error.message);
+  }
+}
+
+/**
+ * Generate HTML report from advanced report data
+ */
+function generateHTMLReport(report) {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Vue Security Scanner Report</title>
+    <style>
+        body { font-family: Arial, sans-serif; margin: 20px; background: #f5f5f5; }
+        .container { max-width: 1200px; margin: 0 auto; background: white; padding: 20px; border-radius: 8px; }
+        h1 { color: #333; }
+        .summary { display: grid; grid-template-columns: repeat(auto-fit, minmax(200px, 1fr)); gap: 15px; margin: 20px 0; }
+        .summary-card { padding: 15px; border-radius: 5px; color: white; }
+        .critical { background: #d32f2f; }
+        .high { background: #f57c00; }
+        .medium { background: #fbc02d; }
+        .low { background: #388e3c; }
+        .vulnerability { border: 1px solid #ddd; padding: 15px; margin: 10px 0; border-radius: 5px; }
+        .vulnerability.critical { border-left: 5px solid #d32f2f; }
+        .vulnerability.high { border-left: 5px solid #f57c00; }
+        .vulnerability.medium { border-left: 5px solid #fbc02d; }
+        .vulnerability.low { border-left: 5px solid #388e3c; }
+        .compliance { margin-top: 30px; padding: 15px; background: #e3f2fd; border-radius: 5px; }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <h1>🔒 Vue Security Scanner Report</h1>
+        <p><strong>Generated:</strong> ${report.metadata.generatedAt}</p>
+        <p><strong>Scanner Version:</strong> ${report.metadata.scannerVersion}</p>
+        
+        <div class="summary">
+            <div class="summary-card critical">
+                <h3>Critical</h3>
+                <p>${report.summary.critical || 0}</p>
+            </div>
+            <div class="summary-card high">
+                <h3>High</h3>
+                <p>${report.summary.high || 0}</p>
+            </div>
+            <div class="summary-card medium">
+                <h3>Medium</h3>
+                <p>${report.summary.medium || 0}</p>
+            </div>
+            <div class="summary-card low">
+                <h3>Low</h3>
+                <p>${report.summary.low || 0}</p>
+            </div>
+        </div>
+        
+        ${report.compliance ? `
+        <div class="compliance">
+            <h2>📋 Compliance Status</h2>
+            ${Object.entries(report.compliance).map(([standard, status]) => `
+                <p><strong>${standard}:</strong> ${status.status === 'compliant' ? '✅ Compliant' : '⚠️ Non-compliant'}</p>
+            `).join('')}
+        </div>
+        ` : ''}
+        
+        <h2>Vulnerabilities (${report.vulnerabilities.length})</h2>
+        ${report.vulnerabilities.map(vuln => `
+            <div class="vulnerability ${vuln.severity.toLowerCase()}">
+                <h3>${vuln.type} - ${vuln.severity}</h3>
+                <p><strong>File:</strong> ${vuln.file}</p>
+                <p><strong>Line:</strong> ${vuln.line}</p>
+                <p><strong>Description:</strong> ${vuln.description}</p>
+                <p><strong>Recommendation:</strong> ${vuln.recommendation}</p>
+                ${vuln.confidence ? `<p><strong>Confidence:</strong> ${vuln.confidence}</p>` : ''}
+            </div>
+        `).join('')}
+    </div>
+</body>
+</html>`;
+}
+
 module.exports = vueSecurityPlugin;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "vite-plugin-vue-security",
-  "version": "1.2.0",
-  "description": "A Vite plugin that performs security scans on Vue.js projects during the build process",
+  "version": "1.4.0",
+  "description": "A Vite plugin that performs security scans on Vue.js projects during the build process with advanced semantic analysis and enterprise-grade reporting",
   "main": "index.js",
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1"
@@ -14,9 +14,13 @@
     "scanner",
     "vulnerability",
     "xss",
-    "owasp"
+    "owasp",
+    "ast",
+    "semantic-analysis",
+    "dependency-scanning",
+    "compliance"
   ],
-  "author": "Vue Security Team",
+  "author": "ereddate",
   "license": "MIT",
   "peerDependencies": {
     "vite": "^4.0.0 || ^5.0.0",
@@ -24,7 +28,7 @@
   },
   "dependencies": {
     "cheerio": "^1.0.0-rc.12",
-    "vue-security-scanner": "^1.2.1"
+    "vue-security-scanner": "^1.4.0"
   },
   "repository": {
     "type": "git",

package/vite.config.example.js

@@ -1,28 +0,0 @@
-// 示例：如何在Vite项目中使用Vue安全插件
-// vite.config.js
-
-import { defineConfig } from 'vite';
-import vue from '@vitejs/plugin-vue';
-import vueSecurityPlugin from 'vite-plugin-vue-security';
-
-export default defineConfig({
-  plugins: [
-    // 启用Vue安全扫描插件
-    vueSecurityPlugin({
-      enabled: true,           // 启用安全扫描
-      failOnError: false,      // 发现安全问题时不中断构建
-      reportLevel: 'warning',  // 报告级别：'error', 'warning', 或 'info'
-      outputFile: './security-report.json', // 安全报告输出文件
-      exclude: [              // 排除扫描的文件模式
-        'node_modules',
-        'dist',
-        'public'
-      ]
-    }),
-    
-    // Vue插件
-    vue()
-  ],
-  
-  // 其他Vite配置...
-});