xploitscan 1.0.4 → 1.0.8

package/dist/index.js

@@ -335,15 +335,20 @@ var hardcodedSecrets = {
       // Database URLs with credentials
       /(?:postgres|mysql|mongodb(?:\+srv)?):\/\/[^:]+:[^@]+@[^/\s"'`]+/gi
     ];
+    const fixMessages = [
+      "Move this API key to an environment variable. If this key has been committed, rotate it immediately \u2014 it may have already been scraped by bots.",
+      "AWS access key detected \u2014 may grant full account access (EC2, S3, IAM, billing). Rotate immediately in AWS Console \u2192 IAM \u2192 Security Credentials. Use IAM roles or environment variables instead.",
+      "Stripe key detected. sk_live_ keys can process real charges, issue refunds, and access customer payment data. sk_test_ keys are lower risk but should still not be committed. Rotate in Stripe Dashboard \u2192 Developers \u2192 API Keys.",
+      "Supabase key detected. Service role keys bypass Row Level Security and grant full database read/write access. Move to a server-side environment variable immediately.",
+      "OpenAI API key detected \u2014 grants full API access and can incur charges. Rotate at platform.openai.com \u2192 API Keys.",
+      "Hardcoded token or password detected. Move to an environment variable and rotate the credential if it has been committed to version control.",
+      "Private key found in source code. If this has been committed to version control, consider the key compromised \u2014 generate a new key pair and revoke the old one.",
+      "Database credentials in connection string. An attacker with this URL has full database access. Move to an environment variable, restrict network access, and rotate the password."
+    ];
     const matches = [];
-    for (const pattern of patterns) {
-      const rawMatches = findMatches(
-        content,
-        pattern,
-        hardcodedSecrets,
-        filePath,
-        () => "Move this secret to an environment variable and add it to .env (not committed to git). Use .env.example to document the required variables."
-      );
+    for (let pi = 0; pi < patterns.length; pi++) {
+      const pattern = patterns[pi];
+      const rawMatches = findMatches(content, pattern, hardcodedSecrets, filePath, () => fixMessages[pi]);
       for (const rm3 of rawMatches) {
         const lineText = content.split("\n")[rm3.line - 1] || "";
         const trimmed = lineText.trimStart();
@@ -1144,51 +1149,52 @@ function detectFramework(files) {
   if (frameworks.size === 0) frameworks.add("unknown");
   return [...frameworks];
 }
-function calculateGrade(findings, totalFiles) {
+function calculateGrade(findings, _totalFiles) {
   if (findings.length === 0) {
-    return { grade: "A+", score: 100, summary: "No security issues detected. Excellent!" };
+    return { grade: "A+", score: 100, summary: "No security issues detected. Excellent." };
   }
-  let deductions = 0;
+  let critical = 0, high = 0, medium = 0, low = 0;
   for (const f of findings) {
-    switch (f.severity) {
-      case "critical":
-        deductions += 15;
-        break;
-      case "high":
-        deductions += 8;
-        break;
-      case "medium":
-        deductions += 4;
-        break;
-      case "low":
-        deductions += 1;
-        break;
-    }
-  }
-  const sizeBuffer = Math.min(Math.log2(Math.max(totalFiles, 1)) * 2, 15);
-  const score = Math.max(0, Math.min(100, 100 - deductions + sizeBuffer));
+    if (f.severity === "critical") critical++;
+    else if (f.severity === "high") high++;
+    else if (f.severity === "medium") medium++;
+    else if (f.severity === "low") low++;
+  }
+  const deductions = critical * 15 + high * 7 + medium * 3 + low * 1;
+  const rawScore = Math.max(0, 100 - deductions);
   let grade;
+  if (rawScore >= 97) grade = "A+";
+  else if (rawScore >= 90) grade = "A";
+  else if (rawScore >= 80) grade = "B";
+  else if (rawScore >= 70) grade = "C";
+  else if (rawScore >= 60) grade = "D";
+  else grade = "F";
+  const capGrade = (cap) => {
+    const order = ["A+", "A", "B", "C", "D", "F"];
+    return order.indexOf(grade) < order.indexOf(cap) ? cap : grade;
+  };
+  if (critical >= 1) grade = capGrade("D");
+  else if (high >= 3) grade = capGrade("D");
+  else if (high >= 1) grade = capGrade("B");
+  else if (medium >= 5) grade = capGrade("B");
+  else if (medium >= 1) grade = capGrade("A");
   let summary;
-  if (score >= 95) {
-    grade = "A+";
-    summary = "Excellent security posture with minimal issues.";
-  } else if (score >= 85) {
-    grade = "A";
-    summary = "Strong security with a few minor concerns.";
-  } else if (score >= 70) {
-    grade = "B";
-    summary = "Good security but some issues need attention.";
-  } else if (score >= 55) {
-    grade = "C";
-    summary = "Fair security \u2014 several vulnerabilities should be fixed.";
-  } else if (score >= 35) {
-    grade = "D";
-    summary = "Poor security \u2014 critical issues require immediate attention.";
+  if (critical > 0) {
+    summary = `${critical} critical ${critical === 1 ? "vulnerability" : "vulnerabilities"} require immediate attention.`;
+  } else if (high >= 3) {
+    summary = `${high} high-severity issues require urgent attention.`;
+  } else if (high > 0) {
+    summary = `${high} high-severity ${high === 1 ? "issue needs" : "issues need"} attention.`;
+  } else if (medium >= 5) {
+    summary = `${medium} medium-severity issues to address.`;
+  } else if (medium > 0) {
+    summary = `Clean of critical and high issues. ${medium} medium-severity ${medium === 1 ? "issue" : "issues"} to review.`;
+  } else if (low > 0) {
+    summary = `Clean of critical, high, and medium issues. ${low} low-severity best-practice ${low === 1 ? "note" : "notes"}.`;
   } else {
-    grade = "F";
-    summary = "Failing \u2014 serious vulnerabilities present. Fix critical issues immediately.";
+    summary = "No security issues detected.";
   }
-  return { grade, score: Math.round(score), summary };
+  return { grade, score: rawScore, summary };
 }
 var complianceMap = {
   VC001: { owasp: "A07:2021", cwe: "CWE-798" },
@@ -1321,7 +1327,29 @@ var complianceMap = {
   VC128: { owasp: "A05:2021", cwe: "CWE-444" },
   VC129: { owasp: "A02:2021", cwe: "CWE-311" },
   VC130: { owasp: "A07:2021", cwe: "CWE-307" },
-  VC131: { owasp: "A06:2021", cwe: "CWE-1104" }
+  VC131: { owasp: "A06:2021", cwe: "CWE-1104" },
+  // VC132–VC145: Service-specific API key detection
+  VC132: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC133: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC134: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC135: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC136: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC137: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC138: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC139: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC140: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC141: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC142: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC143: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC144: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC145: { owasp: "A07:2021", cwe: "CWE-798" },
+  // VC146–VC151: Secret exposure path analysis
+  VC146: { owasp: "A07:2021", cwe: "CWE-598" },
+  VC147: { owasp: "A09:2021", cwe: "CWE-532" },
+  VC148: { owasp: "A09:2021", cwe: "CWE-209" },
+  VC149: { owasp: "A07:2021", cwe: "CWE-798" },
+  VC150: { owasp: "A07:2021", cwe: "CWE-615" },
+  VC151: { owasp: "A07:2021", cwe: "CWE-214" }
 };
 var consoleLogProduction = {
   id: "VC097",
@@ -1925,6 +1953,85 @@ function buildASTContext(content, filePath) {
   };
 }
 
+// src/scanners/osv.ts
+var OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch";
+var OSV_VULN_URL = "https://api.osv.dev/v1/vulns";
+var NETWORK_TIMEOUT_MS = 5e3;
+async function fetchWithTimeout(url, init, timeoutMs) {
+  const controller = new AbortController();
+  const id = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    return await fetch(url, { ...init, signal: controller.signal });
+  } finally {
+    clearTimeout(id);
+  }
+}
+async function queryOsvBatch(queries) {
+  if (queries.length === 0) return [];
+  try {
+    const batchRes = await fetchWithTimeout(
+      OSV_BATCH_URL,
+      {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ queries })
+      },
+      NETWORK_TIMEOUT_MS
+    );
+    if (!batchRes.ok) return [];
+    const batch = await batchRes.json();
+    if (!Array.isArray(batch.results)) return [];
+    const uniqueVulnIds = /* @__PURE__ */ new Set();
+    for (const result of batch.results) {
+      for (const v of result.vulns ?? []) uniqueVulnIds.add(v.id);
+    }
+    const vulnDetails = /* @__PURE__ */ new Map();
+    for (const vulnId of uniqueVulnIds) {
+      try {
+        const detailRes = await fetchWithTimeout(
+          `${OSV_VULN_URL}/${encodeURIComponent(vulnId)}`,
+          { method: "GET" },
+          NETWORK_TIMEOUT_MS
+        );
+        if (!detailRes.ok) continue;
+        const detail = await detailRes.json();
+        vulnDetails.set(vulnId, detail);
+      } catch {
+      }
+    }
+    const matches = [];
+    batch.results.forEach((result, i) => {
+      const ids = (result.vulns ?? []).map((v) => v.id);
+      if (ids.length === 0) return;
+      const q = queries[i];
+      matches.push({
+        ecosystem: q.package.ecosystem,
+        name: q.package.name,
+        version: q.version,
+        vulns: ids.map((id) => vulnDetails.get(id) ?? { id })
+      });
+    });
+    return matches;
+  } catch {
+    return [];
+  }
+}
+function osvSeverity(vuln) {
+  const vectors = vuln.severity ?? [];
+  for (const v of vectors) {
+    const match = v.score.match(/\b(\d+(?:\.\d+)?)\b/);
+    if (!match) continue;
+    const score = parseFloat(match[1]);
+    if (Number.isFinite(score)) {
+      if (score >= 9) return "critical";
+      if (score >= 7) return "high";
+      if (score >= 4) return "medium";
+      return "low";
+    }
+  }
+  return "medium";
+}
+
 // src/scanners/dependency-scanner.ts
 var KNOWN_VULN_NPM = {
   "lodash": [{
@@ -2225,6 +2332,94 @@ function scanDependencies(files) {
   }
   return findings;
 }
+async function scanDependenciesOsv(files, alreadyFoundByRule) {
+  const lookups = [];
+  for (const { path: filePath, content } of files) {
+    if (filePath.endsWith("package.json") && !filePath.includes("node_modules")) {
+      try {
+        const pkg = JSON.parse(content);
+        const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+        for (const [name, rawVersion] of Object.entries(allDeps)) {
+          const version = String(rawVersion).replace(/^[\^~>=<]*/g, "").trim();
+          if (!version || version === "*" || version === "latest") continue;
+          const line = content.split("\n").findIndex((l) => l.includes(`"${name}"`)) + 1;
+          lookups.push({ ecosystem: "npm", name, version, file: filePath, line: line || 1, content });
+        }
+      } catch {
+      }
+    }
+    if (filePath.match(/requirements.*\.txt$/i)) {
+      const lines = content.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        const m = lines[i].trim().match(/^([a-zA-Z0-9_-]+)==([\d.]+)/);
+        if (!m) continue;
+        lookups.push({
+          ecosystem: "PyPI",
+          name: m[1].toLowerCase(),
+          version: m[2],
+          file: filePath,
+          line: i + 1,
+          content
+        });
+      }
+    }
+    if (filePath.endsWith("Gemfile.lock")) {
+      const lines = content.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        const m = lines[i].match(/^\s{4}([a-z0-9_-]+)\s+\(([\d.]+)\)/);
+        if (!m) continue;
+        lookups.push({
+          ecosystem: "RubyGems",
+          name: m[1],
+          version: m[2],
+          file: filePath,
+          line: i + 1,
+          content
+        });
+      }
+    }
+  }
+  if (lookups.length === 0) return [];
+  const CHUNK = 500;
+  const findings = [];
+  for (let start = 0; start < lookups.length; start += CHUNK) {
+    const chunk = lookups.slice(start, start + CHUNK);
+    const matches = await queryOsvBatch(
+      chunk.map((l) => ({ package: { name: l.name, ecosystem: l.ecosystem }, version: l.version }))
+    );
+    const matchByKey = /* @__PURE__ */ new Map();
+    for (const m of matches) matchByKey.set(`${m.ecosystem}:${m.name}:${m.version}`, m);
+    for (const lookup of chunk) {
+      const key = `${lookup.ecosystem}:${lookup.name}:${lookup.version}`;
+      const match = matchByKey.get(key);
+      if (!match) continue;
+      for (const vuln of match.vulns) {
+        const dedupeKey = `${lookup.name}:${vuln.id}`;
+        if (alreadyFoundByRule.has(dedupeKey)) continue;
+        alreadyFoundByRule.add(dedupeKey);
+        const severity = osvSeverity(vuln);
+        const title = vuln.summary || `${lookup.name} vulnerability ${vuln.id}`;
+        const description = vuln.details || vuln.summary || `${lookup.name}@${lookup.version} is affected by ${vuln.id}. See https://osv.dev/vulnerability/${vuln.id} for details.`;
+        findings.push({
+          id: `${vuln.id}-${lookup.file}:${lookup.line}`,
+          rule: vuln.id,
+          severity,
+          title,
+          description: description.slice(0, 500),
+          file: lookup.file,
+          line: lookup.line,
+          snippet: getSnippet2(lookup.content, lookup.line),
+          fix: `Upgrade ${lookup.name} to a version that resolves ${vuln.id}. See https://osv.dev/vulnerability/${vuln.id}`,
+          category: "Dependencies",
+          source: "custom",
+          owasp: "A06:2021",
+          cwe: "CWE-1395"
+        });
+      }
+    }
+  }
+  return findings;
+}
 
 // src/scanners/entropy-scanner.ts
 function shannonEntropy(str) {
@@ -3136,6 +3331,24 @@ async function scanCommand(directory, options) {
     f.confidence = "high";
   }
   allFindings.push(...depFindings);
+  const dedupeKeys = /* @__PURE__ */ new Set();
+  for (const f of depFindings) {
+    const match = f.title.match(/^(\S+)/);
+    if (match) dedupeKeys.add(`${match[1].toLowerCase()}:${f.rule}`);
+  }
+  spinner.text = "Checking dependencies against OSV.dev...";
+  try {
+    const osvFindings = await scanDependenciesOsv(fileContentsForAnalysis, dedupeKeys);
+    for (const f of osvFindings) {
+      f.confidence = "high";
+    }
+    allFindings.push(...osvFindings);
+    if (verbose && osvFindings.length > 0) {
+      spinner.info(`OSV.dev found ${osvFindings.length} additional vulnerable dependencies`);
+    }
+  } catch (err) {
+    if (verbose) spinner.info(`OSV.dev lookup skipped: ${err instanceof Error ? err.message : "unknown error"}`);
+  }
   if (verbose && depFindings.length > 0) {
     spinner.info(`Dependency scanner found ${depFindings.length} issues`);
   }
@@ -3588,11 +3801,54 @@ async function uninstallHookCommand() {
   }
 }
 
+// src/commands/cursor.ts
+import chalk5 from "chalk";
+import { mkdirSync, existsSync as existsSync5, writeFileSync as writeFileSync2, readFileSync as readFileSync4 } from "fs";
+import { join as join7, dirname } from "path";
+import { fileURLToPath } from "url";
+async function cursorInstallCommand(opts = {}) {
+  const cwd = process.cwd();
+  const here = dirname(fileURLToPath(import.meta.url));
+  const candidates = [
+    join7(here, "templates"),
+    join7(here, "..", "templates"),
+    join7(here, "..", "src", "templates")
+  ];
+  const templatesDir = candidates.find((p) => existsSync5(join7(p, "cursor-security.mdc")));
+  if (!templatesDir) {
+    console.error(chalk5.red("Could not locate XploitScan rule templates. Try reinstalling: npm i -g xploitscan@latest"));
+    process.exit(1);
+  }
+  const mdcSrc = readFileSync4(join7(templatesDir, "cursor-security.mdc"), "utf-8");
+  const legacySrc = readFileSync4(join7(templatesDir, "cursorrules-legacy.txt"), "utf-8");
+  if (!opts.legacyOnly) {
+    const mdcDir = join7(cwd, ".cursor", "rules");
+    const mdcPath = join7(mdcDir, "xploitscan-security.mdc");
+    if (existsSync5(mdcPath) && !opts.force) {
+      console.log(chalk5.yellow(`Skipping ${mdcPath} (already exists, use --force to overwrite)`));
+    } else {
+      mkdirSync(mdcDir, { recursive: true });
+      writeFileSync2(mdcPath, mdcSrc);
+      console.log(chalk5.green(`Installed ${mdcPath}`));
+    }
+  }
+  const legacyPath = join7(cwd, ".cursorrules");
+  if (existsSync5(legacyPath) && !opts.force) {
+    console.log(chalk5.yellow(`Skipping ${legacyPath} (already exists, use --force to overwrite)`));
+  } else {
+    writeFileSync2(legacyPath, legacySrc);
+    console.log(chalk5.green(`Installed ${legacyPath}`));
+  }
+  console.log("");
+  console.log(chalk5.cyan("Cursor will pick up these rules automatically the next time you open the project."));
+  console.log(chalk5.gray("Run a scan any time to catch what slipped through:  npx xploitscan scan ."));
+}
+
 // src/index.ts
 var program = new Command();
 program.name("xploitscan").description(
   "AI security scanner for vibe-coded apps. Find vulnerabilities before attackers do."
-).version("1.0.4");
+).version("1.0.8");
 program.command("scan").description("Scan a directory for security vulnerabilities").argument("[directory]", "Directory to scan", ".").option("--no-ai", "Skip AI-powered analysis").option("-f, --format <format>", "Output format: terminal, json, sarif", "terminal").option("-v, --verbose", "Show detailed output", false).option("--diff [base]", "Scan only files changed vs base branch (default: main)").option("-w, --watch", "Watch for file changes and re-scan automatically", false).action(async (directory, opts) => {
   await scanCommand(directory, {
     directory,
@@ -3612,26 +3868,30 @@ hook.command("install").description("Install a git pre-commit hook that runs Xpl
   await installHookCommand({ force: opts.force });
 });
 hook.command("uninstall").description("Remove the XploitScan pre-commit hook").action(uninstallHookCommand);
+var cursor = program.command("cursor").description("Manage XploitScan integration with Cursor IDE");
+cursor.command("install").description("Drop XploitScan security rules into .cursor/rules and .cursorrules so Cursor enforces them at write-time").option("-f, --force", "Overwrite existing rule files", false).option("--legacy-only", "Only install the legacy .cursorrules file (skip .cursor/rules/*.mdc)", false).action(async (opts) => {
+  await cursorInstallCommand({ force: opts.force, legacyOnly: opts.legacyOnly });
+});
 program.command("upgrade").description("Upgrade to XploitScan Pro for unlimited scans").action(async () => {
   const { getStoredToken: getStoredToken2, getCheckoutUrl } = await import("./api-HTHCG6QE.js");
-  const chalk5 = (await import("chalk")).default;
+  const chalk6 = (await import("chalk")).default;
   const token = getStoredToken2();
   if (!token) {
-    console.log(chalk5.yellow("Please log in first: xploitscan auth login"));
+    console.log(chalk6.yellow("Please log in first: xploitscan auth login"));
     return;
   }
-  console.log(chalk5.cyan("Creating checkout session..."));
+  console.log(chalk6.cyan("Creating checkout session..."));
   const url = await getCheckoutUrl();
   if (url) {
-    console.log(chalk5.green(`
+    console.log(chalk6.green(`
 Open this URL to upgrade:`));
-    console.log(chalk5.bold.underline(url));
+    console.log(chalk6.bold.underline(url));
     const { execFile: execFile4 } = await import("child_process");
     const openCmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
     execFile4(openCmd, [url], () => {
     });
   } else {
-    console.log(chalk5.red("Failed to create checkout session. Please try again."));
+    console.log(chalk6.red("Failed to create checkout session. Please try again."));
   }
 });
 program.parse();