xploitscan 1.0.3 → 1.0.7

package/dist/index.js

@@ -1925,6 +1925,85 @@ function buildASTContext(content, filePath) {
   };
 }
 
+// src/scanners/osv.ts
+var OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch";
+var OSV_VULN_URL = "https://api.osv.dev/v1/vulns";
+var NETWORK_TIMEOUT_MS = 5e3;
+async function fetchWithTimeout(url, init, timeoutMs) {
+  const controller = new AbortController();
+  const id = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    return await fetch(url, { ...init, signal: controller.signal });
+  } finally {
+    clearTimeout(id);
+  }
+}
+async function queryOsvBatch(queries) {
+  if (queries.length === 0) return [];
+  try {
+    const batchRes = await fetchWithTimeout(
+      OSV_BATCH_URL,
+      {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ queries })
+      },
+      NETWORK_TIMEOUT_MS
+    );
+    if (!batchRes.ok) return [];
+    const batch = await batchRes.json();
+    if (!Array.isArray(batch.results)) return [];
+    const uniqueVulnIds = /* @__PURE__ */ new Set();
+    for (const result of batch.results) {
+      for (const v of result.vulns ?? []) uniqueVulnIds.add(v.id);
+    }
+    const vulnDetails = /* @__PURE__ */ new Map();
+    for (const vulnId of uniqueVulnIds) {
+      try {
+        const detailRes = await fetchWithTimeout(
+          `${OSV_VULN_URL}/${encodeURIComponent(vulnId)}`,
+          { method: "GET" },
+          NETWORK_TIMEOUT_MS
+        );
+        if (!detailRes.ok) continue;
+        const detail = await detailRes.json();
+        vulnDetails.set(vulnId, detail);
+      } catch {
+      }
+    }
+    const matches = [];
+    batch.results.forEach((result, i) => {
+      const ids = (result.vulns ?? []).map((v) => v.id);
+      if (ids.length === 0) return;
+      const q = queries[i];
+      matches.push({
+        ecosystem: q.package.ecosystem,
+        name: q.package.name,
+        version: q.version,
+        vulns: ids.map((id) => vulnDetails.get(id) ?? { id })
+      });
+    });
+    return matches;
+  } catch {
+    return [];
+  }
+}
+function osvSeverity(vuln) {
+  const vectors = vuln.severity ?? [];
+  for (const v of vectors) {
+    const match = v.score.match(/\b(\d+(?:\.\d+)?)\b/);
+    if (!match) continue;
+    const score = parseFloat(match[1]);
+    if (Number.isFinite(score)) {
+      if (score >= 9) return "critical";
+      if (score >= 7) return "high";
+      if (score >= 4) return "medium";
+      return "low";
+    }
+  }
+  return "medium";
+}
+
 // src/scanners/dependency-scanner.ts
 var KNOWN_VULN_NPM = {
   "lodash": [{
@@ -2225,6 +2304,94 @@ function scanDependencies(files) {
   }
   return findings;
 }
+async function scanDependenciesOsv(files, alreadyFoundByRule) {
+  const lookups = [];
+  for (const { path: filePath, content } of files) {
+    if (filePath.endsWith("package.json") && !filePath.includes("node_modules")) {
+      try {
+        const pkg = JSON.parse(content);
+        const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+        for (const [name, rawVersion] of Object.entries(allDeps)) {
+          const version = String(rawVersion).replace(/^[\^~>=<]*/g, "").trim();
+          if (!version || version === "*" || version === "latest") continue;
+          const line = content.split("\n").findIndex((l) => l.includes(`"${name}"`)) + 1;
+          lookups.push({ ecosystem: "npm", name, version, file: filePath, line: line || 1, content });
+        }
+      } catch {
+      }
+    }
+    if (filePath.match(/requirements.*\.txt$/i)) {
+      const lines = content.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        const m = lines[i].trim().match(/^([a-zA-Z0-9_-]+)==([\d.]+)/);
+        if (!m) continue;
+        lookups.push({
+          ecosystem: "PyPI",
+          name: m[1].toLowerCase(),
+          version: m[2],
+          file: filePath,
+          line: i + 1,
+          content
+        });
+      }
+    }
+    if (filePath.endsWith("Gemfile.lock")) {
+      const lines = content.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        const m = lines[i].match(/^\s{4}([a-z0-9_-]+)\s+\(([\d.]+)\)/);
+        if (!m) continue;
+        lookups.push({
+          ecosystem: "RubyGems",
+          name: m[1],
+          version: m[2],
+          file: filePath,
+          line: i + 1,
+          content
+        });
+      }
+    }
+  }
+  if (lookups.length === 0) return [];
+  const CHUNK = 500;
+  const findings = [];
+  for (let start = 0; start < lookups.length; start += CHUNK) {
+    const chunk = lookups.slice(start, start + CHUNK);
+    const matches = await queryOsvBatch(
+      chunk.map((l) => ({ package: { name: l.name, ecosystem: l.ecosystem }, version: l.version }))
+    );
+    const matchByKey = /* @__PURE__ */ new Map();
+    for (const m of matches) matchByKey.set(`${m.ecosystem}:${m.name}:${m.version}`, m);
+    for (const lookup of chunk) {
+      const key = `${lookup.ecosystem}:${lookup.name}:${lookup.version}`;
+      const match = matchByKey.get(key);
+      if (!match) continue;
+      for (const vuln of match.vulns) {
+        const dedupeKey = `${lookup.name}:${vuln.id}`;
+        if (alreadyFoundByRule.has(dedupeKey)) continue;
+        alreadyFoundByRule.add(dedupeKey);
+        const severity = osvSeverity(vuln);
+        const title = vuln.summary || `${lookup.name} vulnerability ${vuln.id}`;
+        const description = vuln.details || vuln.summary || `${lookup.name}@${lookup.version} is affected by ${vuln.id}. See https://osv.dev/vulnerability/${vuln.id} for details.`;
+        findings.push({
+          id: `${vuln.id}-${lookup.file}:${lookup.line}`,
+          rule: vuln.id,
+          severity,
+          title,
+          description: description.slice(0, 500),
+          file: lookup.file,
+          line: lookup.line,
+          snippet: getSnippet2(lookup.content, lookup.line),
+          fix: `Upgrade ${lookup.name} to a version that resolves ${vuln.id}. See https://osv.dev/vulnerability/${vuln.id}`,
+          category: "Dependencies",
+          source: "custom",
+          owasp: "A06:2021",
+          cwe: "CWE-1395"
+        });
+      }
+    }
+  }
+  return findings;
+}
 
 // src/scanners/entropy-scanner.ts
 function shannonEntropy(str) {
@@ -3003,13 +3170,13 @@ function renderSarifReport(result) {
           }
         },
         results: result.findings.map((f) => {
-          const entry = {
+          const messageText = f.fix ? `${f.title}: ${f.description}
+Suggested fix: ${f.fix}` : `${f.title}: ${f.description}`;
+          return {
             ruleId: f.rule,
             ruleIndex: ruleIndex.get(f.rule) ?? 0,
             level: SEVERITY_TO_SARIF[f.severity],
-            message: {
-              text: `${f.title}: ${f.description}`
-            },
+            message: { text: messageText },
             locations: [
               {
                 physicalLocation: {
@@ -3022,10 +3189,6 @@ function renderSarifReport(result) {
               }
             ]
           };
-          if (f.fix) {
-            entry.fixes = [{ description: { text: f.fix } }];
-          }
-          return entry;
         })
       }
     ]
@@ -3140,6 +3303,24 @@ async function scanCommand(directory, options) {
     f.confidence = "high";
   }
   allFindings.push(...depFindings);
+  const dedupeKeys = /* @__PURE__ */ new Set();
+  for (const f of depFindings) {
+    const match = f.title.match(/^(\S+)/);
+    if (match) dedupeKeys.add(`${match[1].toLowerCase()}:${f.rule}`);
+  }
+  spinner.text = "Checking dependencies against OSV.dev...";
+  try {
+    const osvFindings = await scanDependenciesOsv(fileContentsForAnalysis, dedupeKeys);
+    for (const f of osvFindings) {
+      f.confidence = "high";
+    }
+    allFindings.push(...osvFindings);
+    if (verbose && osvFindings.length > 0) {
+      spinner.info(`OSV.dev found ${osvFindings.length} additional vulnerable dependencies`);
+    }
+  } catch (err) {
+    if (verbose) spinner.info(`OSV.dev lookup skipped: ${err instanceof Error ? err.message : "unknown error"}`);
+  }
   if (verbose && depFindings.length > 0) {
     spinner.info(`Dependency scanner found ${depFindings.length} issues`);
   }
@@ -3592,11 +3773,54 @@ async function uninstallHookCommand() {
   }
 }
 
+// src/commands/cursor.ts
+import chalk5 from "chalk";
+import { mkdirSync, existsSync as existsSync5, writeFileSync as writeFileSync2, readFileSync as readFileSync4 } from "fs";
+import { join as join7, dirname } from "path";
+import { fileURLToPath } from "url";
+async function cursorInstallCommand(opts = {}) {
+  const cwd = process.cwd();
+  const here = dirname(fileURLToPath(import.meta.url));
+  const candidates = [
+    join7(here, "templates"),
+    join7(here, "..", "templates"),
+    join7(here, "..", "src", "templates")
+  ];
+  const templatesDir = candidates.find((p) => existsSync5(join7(p, "cursor-security.mdc")));
+  if (!templatesDir) {
+    console.error(chalk5.red("Could not locate XploitScan rule templates. Try reinstalling: npm i -g xploitscan@latest"));
+    process.exit(1);
+  }
+  const mdcSrc = readFileSync4(join7(templatesDir, "cursor-security.mdc"), "utf-8");
+  const legacySrc = readFileSync4(join7(templatesDir, "cursorrules-legacy.txt"), "utf-8");
+  if (!opts.legacyOnly) {
+    const mdcDir = join7(cwd, ".cursor", "rules");
+    const mdcPath = join7(mdcDir, "xploitscan-security.mdc");
+    if (existsSync5(mdcPath) && !opts.force) {
+      console.log(chalk5.yellow(`Skipping ${mdcPath} (already exists, use --force to overwrite)`));
+    } else {
+      mkdirSync(mdcDir, { recursive: true });
+      writeFileSync2(mdcPath, mdcSrc);
+      console.log(chalk5.green(`Installed ${mdcPath}`));
+    }
+  }
+  const legacyPath = join7(cwd, ".cursorrules");
+  if (existsSync5(legacyPath) && !opts.force) {
+    console.log(chalk5.yellow(`Skipping ${legacyPath} (already exists, use --force to overwrite)`));
+  } else {
+    writeFileSync2(legacyPath, legacySrc);
+    console.log(chalk5.green(`Installed ${legacyPath}`));
+  }
+  console.log("");
+  console.log(chalk5.cyan("Cursor will pick up these rules automatically the next time you open the project."));
+  console.log(chalk5.gray("Run a scan any time to catch what slipped through:  npx xploitscan scan ."));
+}
+
 // src/index.ts
 var program = new Command();
 program.name("xploitscan").description(
   "AI security scanner for vibe-coded apps. Find vulnerabilities before attackers do."
-).version("1.0.3");
+).version("1.0.7");
 program.command("scan").description("Scan a directory for security vulnerabilities").argument("[directory]", "Directory to scan", ".").option("--no-ai", "Skip AI-powered analysis").option("-f, --format <format>", "Output format: terminal, json, sarif", "terminal").option("-v, --verbose", "Show detailed output", false).option("--diff [base]", "Scan only files changed vs base branch (default: main)").option("-w, --watch", "Watch for file changes and re-scan automatically", false).action(async (directory, opts) => {
   await scanCommand(directory, {
     directory,
@@ -3616,26 +3840,30 @@ hook.command("install").description("Install a git pre-commit hook that runs Xpl
   await installHookCommand({ force: opts.force });
 });
 hook.command("uninstall").description("Remove the XploitScan pre-commit hook").action(uninstallHookCommand);
+var cursor = program.command("cursor").description("Manage XploitScan integration with Cursor IDE");
+cursor.command("install").description("Drop XploitScan security rules into .cursor/rules and .cursorrules so Cursor enforces them at write-time").option("-f, --force", "Overwrite existing rule files", false).option("--legacy-only", "Only install the legacy .cursorrules file (skip .cursor/rules/*.mdc)", false).action(async (opts) => {
+  await cursorInstallCommand({ force: opts.force, legacyOnly: opts.legacyOnly });
+});
 program.command("upgrade").description("Upgrade to XploitScan Pro for unlimited scans").action(async () => {
   const { getStoredToken: getStoredToken2, getCheckoutUrl } = await import("./api-HTHCG6QE.js");
-  const chalk5 = (await import("chalk")).default;
+  const chalk6 = (await import("chalk")).default;
   const token = getStoredToken2();
   if (!token) {
-    console.log(chalk5.yellow("Please log in first: xploitscan auth login"));
+    console.log(chalk6.yellow("Please log in first: xploitscan auth login"));
     return;
   }
-  console.log(chalk5.cyan("Creating checkout session..."));
+  console.log(chalk6.cyan("Creating checkout session..."));
   const url = await getCheckoutUrl();
   if (url) {
-    console.log(chalk5.green(`
+    console.log(chalk6.green(`
 Open this URL to upgrade:`));
-    console.log(chalk5.bold.underline(url));
+    console.log(chalk6.bold.underline(url));
     const { execFile: execFile4 } = await import("child_process");
     const openCmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
     execFile4(openCmd, [url], () => {
     });
   } else {
-    console.log(chalk5.red("Failed to create checkout session. Please try again."));
+    console.log(chalk6.red("Failed to create checkout session. Please try again."));
   }
 });
 program.parse();