npm - wize-dev-kit - Versions diffs - 0.5.0 → 0.6.0 - Mend

wize-dev-kit 0.5.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (35) hide show

package/src/security-overlay/skills/wize-sec-recon/scripts/run-osv.js ADDED Viewed

@@ -0,0 +1,227 @@
+'use strict';
+// run-osv.js — SAST dependencies via osv-scanner (primary) or grype (fallback).
+// Auto-detects common manifest files in the project root and emits findings
+// into sast.md (composing with secrets from run-gitleaks.js).
+const path = require('node:path');
+const fs = require('node:fs');
+const { execFileSync } = require('node:child_process');
+const { filterArgs } = require('../../../_shared/allowlist.js');
+const { writePartial, loadPartial } = require('../../../_shared/partial.js');
+const MANIFEST_FILES = [
+  'package.json', 'package-lock.json', 'yarn.lock', 'pnpm-lock.yaml',
+  'requirements.txt', 'Pipfile', 'Pipfile.lock', 'pyproject.toml', 'poetry.lock',
+  'go.mod', 'go.sum',
+  'Cargo.toml', 'Cargo.lock',
+  'composer.json', 'composer.lock',
+  'Gemfile', 'Gemfile.lock'
+];
+function detectManifests(root) {
+  const found = [];
+  for (const m of MANIFEST_FILES) {
+    if (fs.existsSync(path.join(root, m))) found.push(m);
+  }
+  return found;
+}
+function parseOsvReport(report) {
+  // osv-scanner JSON shape (simplified): { results: [{ packages: [{ package: {name, version}, vulnerabilities: [{id, severity, cvss: {score}}] }] }] }
+  const out = [];
+  const results = report && report.results ? report.results : [];
+  // Map a CVSS base score to a coarse severity label.
+  const sevFromScore = s => {
+    const n = parseFloat(s);
+    if (isNaN(n)) return null;
+    if (n === 0) return 'None';
+    if (n < 4) return 'Low';
+    if (n < 7) return 'Medium';
+    if (n < 9) return 'High';
+    return 'Critical';
+  };
+  for (const r of results) {
+    for (const p of (r.packages || [])) {
+      const name = p.package && p.package.name;
+      const version = p.package && p.package.version;
+      // osv-scanner v2 groups vulnerabilities and exposes a max_severity
+      // (CVSS) + aliases (CVE ids) per group. Prefer that; fall back to
+      // the raw vulnerabilities array for older shapes.
+      const groups = Array.isArray(p.groups) ? p.groups : [];
+      if (groups.length) {
+        for (const g of groups) {
+          const ids = g.aliases && g.aliases.length ? g.aliases : g.ids || [];
+          const cve = ids.find(x => /^CVE-/.test(x)) || ids[0] || '?';
+          const cvss = g.max_severity ? parseFloat(g.max_severity) : null;
+          out.push({ package: name, version, cve, severity: sevFromScore(g.max_severity) || 'UNKNOWN', cvss });
+        }
+      } else {
+        for (const v of (p.vulnerabilities || [])) {
+          const cve = v.id || '?';
+          const cvss = v.cvss && (typeof v.cvss === 'number' ? v.cvss : v.cvss.score);
+          out.push({ package: name, version, cve, severity: sevFromScore(cvss) || 'UNKNOWN', cvss });
+        }
+      }
+    }
+  }
+  return out;
+}
+function parseGrypeReport(report) {
+  // grype JSON shape: { matches: [{ artifact: {name, version}, vulnerability: {id, severity, cvss:[{metrics:{baseScore}}]} }] }
+  const out = [];
+  for (const m of (report && report.matches ? report.matches : [])) {
+    const name = m.artifact && m.artifact.name;
+    const version = m.artifact && m.artifact.version;
+    const v = m.vulnerability || {};
+    const cve = v.id || '?';
+    const severity = v.severity || 'UNKNOWN';
+    let cvss = null;
+    if (Array.isArray(v.cvss) && v.cvss[0] && v.cvss[0].metrics) {
+      cvss = v.cvss[0].metrics.baseScore;
+    } else if (typeof v.cvss === 'number') {
+      cvss = v.cvss;
+    }
+    out.push({ package: name, version, cve, severity, cvss });
+  }
+  return out;
+}
+function renderDepsSection(findings) {
+  if (!findings.length) return '_(nenhuma dep vulnerável encontrada)_';
+  return findings.map(f => {
+    const cvss = f.cvss != null ? ` cvss=${f.cvss}` : '';
+    return `- **${f.package}@${f.version || '?'}** \`${f.cve}\` severity=${f.severity}${cvss}`;
+  }).join('\n');
+}
+// runOsv({ securityDir, scope, active, execFn?, detectFn?, manifestRoot?, reportFilename? })
+async function runOsv(opts = {}) {
+  const sec = opts.securityDir;
+  const scope = opts.scope;
+  const active = opts.active === true;
+  // The project to scan is the parent of `.wize/security/`. Scripts run with
+  // cwd = the kit, so default to the target repo, not process.cwd().
+  const manifestRoot = opts.manifestRoot
+    || (sec ? path.resolve(sec, '..', '..') : process.cwd());
+  const osvReportName = 'osv-report.json';
+  const grypeReportName = 'grype-report.json';
+  const execFn = opts.execFn || ((bin, args) => {
+    return execFileSync(bin, args, { encoding: 'utf8', timeout: 5 * 60 * 1000 });
+  });
+  const detectFn = opts.detectFn || require('../../../_shared/detect.js').detectTools;
+  const tools = detectFn(['osv-scanner', 'grype'], { cacheDir: sec });
+  const osvPresent = !!(tools['osv-scanner'] && tools['osv-scanner'].present);
+  const grypePresent = !!(tools.grype && tools.grype.present);
+  // No tools at all -> degraded.
+  if (!osvPresent && !grypePresent) {
+    mergeSast(sec, scope, active, tools, {
+      degraded: '- deps: osv-scanner e grype ausentes — instale um dos dois e re-rode.'
+    });
+    return { ok: true, partialStatus: 'incomplete', tool: null, findings: [] };
+  }
+  // Manifest detection: warn if the project root has no known manifest.
+  const manifests = detectManifests(manifestRoot);
+  if (manifests.length === 0) {
+    mergeSast(sec, scope, active, tools, {
+      degraded: `- deps: nenhum manifesto encontrado em ${manifestRoot} (procurando package.json, requirements.txt, go.mod, Cargo.toml, pyproject.toml, composer.json, Gemfile).`
+    });
+    return { ok: true, partialStatus: 'incomplete', tool: null, findings: [] };
+  }
+  // Pick tool. Prefer osv-scanner; fallback to grype.
+  let findings = [];
+  let tool = null;
+  if (osvPresent) {
+    tool = 'osv-scanner';
+    const reportPath = path.join(sec, osvReportName);
+    // osv-scanner v2 needs explicit lockfiles (`-L <path>`); recursive
+    // directory scan misses composer.lock/package-lock.json. We pass each
+    // detected lockfile we found. Non-zero exit = vulns found (success).
+    const LOCKFILES = ['composer.lock', 'package-lock.json', 'yarn.lock', 'pnpm-lock.yaml',
+      'requirements.txt', 'Pipfile.lock', 'poetry.lock', 'go.sum', 'Cargo.lock', 'Gemfile.lock'];
+    const lockArgs = [];
+    for (const lf of LOCKFILES) {
+      if (fs.existsSync(path.join(manifestRoot, lf))) {
+        lockArgs.push('-L', path.join(manifestRoot, lf));
+      }
+    }
+    const args = lockArgs.length
+      ? filterArgs('osv-scanner', ['scan', 'source', ...lockArgs, '--format', 'json', '--output-file', reportPath])
+      : filterArgs('osv-scanner', ['scan', 'source', '-r', '--format', 'json', '--output-file', reportPath, manifestRoot]);
+    try {
+      execFn('osv-scanner', args, { timeout: 5 * 60 * 1000 });
+    } catch (_) { /* vulns found -> non-zero exit; report still written */ }
+    if (fs.existsSync(reportPath)) {
+      try { findings = parseOsvReport(JSON.parse(fs.readFileSync(reportPath, 'utf8'))); }
+      catch (_) { findings = []; }
+    }
+  } else if (grypePresent) {
+    tool = 'grype';
+    const reportPath = path.join(sec, grypeReportName);
+    const args = filterArgs('grype', ['dir:' + manifestRoot, '-o', 'json']);
+    execFn('grype', args, { timeout: 5 * 60 * 1000 });
+    if (fs.existsSync(reportPath)) {
+      try { findings = parseGrypeReport(JSON.parse(fs.readFileSync(reportPath, 'utf8'))); }
+      catch (_) { findings = []; }
+    }
+  }
+  mergeSast(sec, scope, active, tools, {
+    deps: renderDepsSection(findings)
+  });
+  return { ok: true, partialStatus: 'complete', tool, findings };
+}
+function mergeSast(sec, scope, active, tools, update) {
+  const existing = loadPartial({ securityDir: sec, phase: 'sast' });
+  const sections = {};
+  let mergedTools = Object.assign({}, tools);
+  if (existing) {
+    if (existing.body) {
+      const re = /## ([a-z_]+)\n\n([\s\S]*?)(?=\n## |$)/g;
+      let m;
+      while ((m = re.exec(existing.body)) !== null) {
+        sections[m[1]] = m[2].trim();
+      }
+    }
+    if (existing.frontmatter && existing.frontmatter.tools) {
+      mergedTools = Object.assign({}, existing.frontmatter.tools, tools);
+    }
+  }
+  if (update.degraded) {
+    sections.degraded_checks = sections.degraded_checks
+      ? sections.degraded_checks + '\n' + update.degraded
+      : update.degraded;
+  }
+  if (update.deps !== undefined) sections.deps = update.deps;
+  const status = sections.degraded_checks ? 'incomplete' : 'complete';
+  writePartial({
+    securityDir: sec,
+    phase: 'sast',
+    mode: active ? 'active' : 'passive',
+    scope,
+    status,
+    tools: mergedTools,
+    sections
+  });
+}
+module.exports = { runOsv, parseOsvReport, parseGrypeReport, detectManifests, MANIFEST_FILES };
+if (require.main === module) {
+  require('../../../_shared/cli-runner.js').runFromArgv({
+    fn: ({ securityDir, scopePath, active, manifestRoot, reportFilename } = {}) => {
+      const { loadScope } = require('../../../_shared/scope-gate.js');
+      const scope = loadScope(scopePath);
+      return runOsv({ securityDir, scope, active, manifestRoot, reportFilename });
+    },
+    argMap: { 'securityDir': 'securityDir', 'scope': 'scopePath', 'active': 'active', 'manifestRoot': 'manifestRoot', 'reportFilename': 'reportFilename' }
+  });
+}

package/src/security-overlay/skills/wize-sec-recon/scripts/run-recon.js ADDED Viewed

@@ -0,0 +1,162 @@
+'use strict';
+// run-recon.js — the nmap portion of the wize-sec-recon skill.
+// SAST (gitleaks, osv/grype) is implemented in E05 and lives in
+// scripts/run-sast.js (sibling). The orchestrator (wize-sec-pentest) and
+// any caller can invoke either script directly; this file only handles
+// recon.
+const path = require('node:path');
+const { execFileSync } = require('node:child_process');
+const { assertTargetInScope, ScopeError } = require('../../../_shared/scope-gate.js');
+const { filterArgs } = require('../../../_shared/allowlist.js');
+const { writePartial } = require('../../../_shared/partial.js');
+// Default argument list for nmap. filterArgs() will drop anything not in
+// the tool-allowlist, so this list is intentionally explicit and minimal.
+function defaultArgs(active) {
+  const args = ['-Pn', '-T4'];
+  if (active) args.push('-sV');
+  else args.push('-sn'); // passive: ping scan only — no port scan, no service detection.
+  return args;
+}
+// Parse a greppable nmap stdout into a markdown list. We only care about
+// lines that look like `PORT/PROTO  SERVICE  VERSION`. Ports whose service
+// nmap could not fingerprint (`?`, unknown, tcpwrapped, or empty version)
+// are flagged for manual investigation — an unidentified open port is a
+// medium-priority unknown, not just inventory.
+function parseNmapGreppable(stdout) {
+  const lines = String(stdout || '').split('\n');
+  const out = [];
+  for (const line of lines) {
+    const m = line.match(/^(\d+\/[a-z]+)\s+(\S+)\s+(.*)$/);
+    if (!m) continue;
+    const port = m[1];
+    const service = m[2];
+    const version = m[3].trim();
+    const unidentified = /\?$/.test(service) || /^(unknown|tcpwrapped)$/i.test(service) || version === '';
+    if (unidentified) {
+      out.push(`- **${port}** \`${service}\` — ⚠️ serviço não identificado. **Investigar:** \`lsof -i :${port.split('/')[0]}\` · \`docker ps\` · \`ss -tulpn | grep ${port.split('/')[0]}\``);
+    } else {
+      out.push(`- **${port}** \`${service}\` — ${version}`);
+    }
+  }
+  return out.join('\n');
+}
+// runRecon({ securityDir, scope, target, active, execFn?, detectFn? }) ->
+//   { ok, partialStatus, mode }
+// dependencies are injectable for tests.
+async function runRecon(opts = {}) {
+  const sec = opts.securityDir;
+  const scope = opts.scope;
+  const target = opts.target;
+  const active = opts.active === true;
+  const execFn = opts.execFn || ((bin, args, opt) => {
+    return execFileSync(bin, args, { encoding: 'utf8', timeout: 60_000 });
+  });
+  const detectFn = opts.detectFn || require('../../../_shared/detect.js').detectTools;
+  // Gate — propagates ScopeError if scope is invalid.
+  const tools = detectFn(['nmap'], { cacheDir: sec });
+  const nmapTool = tools.nmap || { present: false };
+  // 1. nmap missing -> degraded partial, exit 0.
+  if (!nmapTool.present) {
+    writePartial({
+      securityDir: sec,
+      phase: 'recon',
+      mode: active ? 'active' : 'passive',
+      scope,
+      status: 'incomplete',
+      tools,
+      sections: {
+        degraded_checks: 'nmap ausente — instale nmap e re-rode a fase para resultados completos.'
+      }
+    });
+    return { ok: true, partialStatus: 'incomplete', mode: active ? 'active' : 'passive' };
+  }
+  // 2. target out of scope -> degraded partial, ok=false (gate refused).
+  const inScope = assertTargetInScope(scope, { host: target }, { refusalsDir: sec });
+  if (!inScope) {
+    writePartial({
+      securityDir: sec,
+      phase: 'recon',
+      mode: active ? 'active' : 'passive',
+      scope,
+      status: 'incomplete',
+      tools,
+      sections: {
+        degraded_checks: `target ${target} recusado pelo gate (host not in allowlist) — ver .wize/security/.refusals.log`
+      }
+    });
+    return { ok: false, partialStatus: 'incomplete', mode: active ? 'active' : 'passive' };
+  }
+  // 3. happy path: filterArgs + execFile.
+  const args = filterArgs('nmap', [...defaultArgs(active), target]);
+  const out = execFn('nmap', args, { timeout: 60_000 });
+  const portsText = parseNmapGreppable(out && out.stdout ? out.stdout : out);
+  const body = portsText || '_(nmap returned no parseable ports)_';
+  writePartial({
+    securityDir: sec,
+    phase: 'recon',
+    mode: active ? 'active' : 'passive',
+    scope,
+    status: 'complete',
+    tools,
+    sections: { open_ports: body }
+  });
+  return { ok: true, partialStatus: 'complete', mode: active ? 'active' : 'passive' };
+}
+// --- CLI entrypoint ------------------------------------------------------
+function parseArgv(argv) {
+  const out = { active: false, securityDir: null, scopePath: null, target: null };
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a === '--active') out.active = true;
+    else if (a === '--target' && argv[i + 1]) { out.target = argv[i + 1]; i++; }
+    else if (a.startsWith('--target=')) out.target = a.slice('--target='.length);
+    else if (a === '--scope' && argv[i + 1]) { out.scopePath = argv[i + 1]; i++; }
+    else if (a.startsWith('--scope=')) out.scopePath = a.slice('--scope='.length);
+    else if (a === '--securityDir' && argv[i + 1]) { out.securityDir = argv[i + 1]; i++; }
+    else if (a.startsWith('--securityDir=')) out.securityDir = a.slice('--securityDir='.length);
+  }
+  if (!out.securityDir) out.securityDir = path.join(process.cwd(), '.wize', 'security');
+  if (!out.scopePath) out.scopePath = path.join(process.cwd(), '.wize', 'security', 'scope.md');
+  if (!out.target) {
+    // Default to scope.md dast_target.url host if available.
+    out.target = 'localhost';
+  }
+  return out;
+}
+async function main() {
+  const args = parseArgv(process.argv.slice(2));
+  const { loadScope } = require('../../../_shared/scope-gate.js');
+  const scope = loadScope(args.scopePath);
+  const r = await runRecon({
+    securityDir: args.securityDir,
+    scope,
+    target: args.target,
+    active: args.active
+  });
+  console.log(`recon: partial_status=${r.partialStatus} mode=${r.mode}`);
+  process.exit(r.ok ? 0 : 1);
+}
+if (require.main === module) {
+  main().catch(err => {
+    console.error('✖ wize-sec-recon:', err && err.message ? err.message : err);
+    process.exit(2);
+  });
+}
+module.exports = { runRecon, defaultArgs, parseNmapGreppable };

package/src/security-overlay/skills/wize-sec-recon/skill.md ADDED Viewed

@@ -0,0 +1,35 @@
+---
+code: wize-sec-recon
+name: wize-sec-recon
+overlay: security
+module: security-overlay
+owner: red-teamer
+status: ready
+---
+# wize-sec-recon — Recon (nmap)
+Runs nmap against the targets in the `scope.md` allowlist and writes `recon.md`. **Default passive** (ping scan only); `--active` enables `-sV` service detection.
+## Usage
+```bash
+/wize-sec-recon
+/wize-sec-recon --active
+/wize-sec-recon --target=staging.example.internal
+```
+## Behavior
+- Loads `.wize/security/scope.md` first; aborts loudly on invalid scope (HASH_MISMATCH / MISSING_FIELDS).
+- Detects nmap via `command -v`. If absent, writes a `partial_status: incomplete` recon.md with a `degraded_checks` section and exits 0 — the pipeline continues.
+- Calls `assertTargetInScope` for the target. Out-of-scope targets produce an `incomplete` partial and a refusal entry in `.refusals.log`; nmap is **not** invoked.
+- Active vs passive flag set is recorded in the partial's `mode:` frontmatter.
+- The SAST portion of recon (gitleaks, osv/grype) is implemented in a sibling script `scripts/run-sast.js` and is invoked separately or by the orchestrator — see E05.
+## Output
+- `.wize/security/recon.md` — partial with `## open_ports` (or `## degraded_checks` on missing tool / out-of-scope target).
+- `.wize/security/.refusals.log` — appended on out-of-scope targets.
+Exits 0 on success or graceful degradation; 1 when the gate refused the target; 2 on scope error.