devguard-core 0.1.2__tar.gz

devguard_core-0.1.2/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 DevGuard Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

devguard_core-0.1.2/PKG-INFO

@@ -0,0 +1,39 @@
+Metadata-Version: 2.4
+Name: devguard-core
+Version: 0.1.2
+Summary: Core analysis engine for DevGuard modules
+Author: DevGuard Contributors
+License-Expression: MIT
+Project-URL: Homepage, https://github.com/upendra-manike/developer-problem-solvers
+Project-URL: Repository, https://github.com/upendra-manike/developer-problem-solvers
+Project-URL: Issues, https://github.com/upendra-manike/developer-problem-solvers/issues
+Keywords: static-analysis,security,reliability,ai-code
+Classifier: Programming Language :: Python :: 3
+Classifier: Operating System :: OS Independent
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == "dev"
+Requires-Dist: ruff>=0.8.0; extra == "dev"
+Requires-Dist: build>=1.2.0; extra == "dev"
+Dynamic: license-file
+
+# devguard-core
+
+Shared scanning engine and rule framework for DevGuard modules.
+
+## Features
+
+- Rule metadata model (`id`, `severity`, `match_type`, `description`, `fix`)
+- File walker with language detection
+- Built-in checks for common AI-code risks
+- AST-backed Python checks for SQL injection, unsafe deserialization, and hardcoded secrets
+- JSON and SARIF output
+- Baseline input/output for incremental CI rollout
+
+## Quick Run
+
+```bash
+PYTHONPATH=src python -m devguard_core.cli scan ../../examples/sample_insecure.py --format json
+```

devguard_core-0.1.2/README.md

@@ -0,0 +1,18 @@
+# devguard-core
+
+Shared scanning engine and rule framework for DevGuard modules.
+
+## Features
+
+- Rule metadata model (`id`, `severity`, `match_type`, `description`, `fix`)
+- File walker with language detection
+- Built-in checks for common AI-code risks
+- AST-backed Python checks for SQL injection, unsafe deserialization, and hardcoded secrets
+- JSON and SARIF output
+- Baseline input/output for incremental CI rollout
+
+## Quick Run
+
+```bash
+PYTHONPATH=src python -m devguard_core.cli scan ../../examples/sample_insecure.py --format json
+```

devguard_core-0.1.2/pyproject.toml

@@ -0,0 +1,43 @@
+[build-system]
+requires = ["setuptools>=68", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "devguard-core"
+version = "0.1.2"
+description = "Core analysis engine for DevGuard modules"
+readme = "README.md"
+requires-python = ">=3.10"
+authors = [{ name = "DevGuard Contributors" }]
+license = "MIT"
+license-files = ["LICENSE"]
+keywords = ["static-analysis", "security", "reliability", "ai-code"]
+classifiers = [
+  "Programming Language :: Python :: 3",
+  "Operating System :: OS Independent"
+]
+
+[project.urls]
+Homepage = "https://github.com/upendra-manike/developer-problem-solvers"
+Repository = "https://github.com/upendra-manike/developer-problem-solvers"
+Issues = "https://github.com/upendra-manike/developer-problem-solvers/issues"
+
+[project.optional-dependencies]
+dev = ["pytest>=8.0", "ruff>=0.8.0", "build>=1.2.0"]
+
+[project.scripts]
+devguard-core = "devguard_core.cli:main"
+
+[tool.setuptools]
+package-dir = {"" = "src"}
+
+[tool.setuptools.packages.find]
+where = ["src"]
+
+[tool.pytest.ini_options]
+addopts = "-q"
+testpaths = ["tests"]
+
+[tool.ruff]
+line-length = 100
+target-version = "py310"

devguard_core-0.1.2/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

devguard_core-0.1.2/src/devguard_core/__init__.py

@@ -0,0 +1,7 @@
+"""DevGuard core package."""
+
+from .config import ScanOptions
+from .models import Finding, Rule, ScanResult
+from .scanner import scan_path
+
+__all__ = ["Rule", "Finding", "ScanResult", "ScanOptions", "scan_path"]

devguard_core-0.1.2/src/devguard_core/ast_checks.py

@@ -0,0 +1,150 @@
+from __future__ import annotations
+
+import ast
+from pathlib import Path
+
+from .models import Finding
+from .rules import BUILTIN_RULES
+
+SQL_PREFIXES = ("SELECT", "INSERT", "UPDATE", "DELETE")
+SECRET_NAMES = {"api_key", "apikey", "secret", "token", "password", "access_token"}
+UNSAFE_DESER_CALLS = {"pickle.loads", "yaml.load", "jsonpickle.decode"}
+
+
+def run_python_ast_checks(file_path: Path, text: str) -> tuple[list[Finding], bool]:
+    try:
+        tree = ast.parse(text)
+    except SyntaxError:
+        return [], False
+
+    findings: list[Finding] = []
+    tainted_sql_vars: set[str] = set()
+
+    for node in ast.walk(tree):
+        finding = _detect_sql_injection(node, file_path, tainted_sql_vars)
+        if finding is not None:
+            findings.append(finding)
+
+        finding = _detect_unsafe_deser(node, file_path)
+        if finding is not None:
+            findings.append(finding)
+
+        finding = _detect_hardcoded_secrets(node, file_path)
+        if finding is not None:
+            findings.append(finding)
+
+    return findings, True
+
+
+def _detect_sql_injection(node: ast.AST, file_path: Path, tainted_sql_vars: set[str]) -> Finding | None:
+    if isinstance(node, ast.Assign) and len(node.targets) == 1 and isinstance(node.targets[0], ast.Name):
+        target_name = node.targets[0].id
+        if _is_sql_concat(node.value):
+            tainted_sql_vars.add(target_name)
+
+    if not isinstance(node, ast.Call):
+        return None
+
+    call_name = _dotted_name(node.func)
+    if call_name not in {"execute", "query", "cursor.execute", "cursor.query"}:
+        return None
+    if not node.args:
+        return None
+
+    first_arg = node.args[0]
+    line = getattr(node, "lineno", 1)
+
+    if isinstance(first_arg, ast.Name) and first_arg.id in tainted_sql_vars:
+        return _make_finding(
+            "DG001",
+            file_path,
+            line,
+            "Potential SQL injection pattern found in query execution.",
+            0.9,
+        )
+
+    if _is_sql_concat(first_arg):
+        return _make_finding(
+            "DG001",
+            file_path,
+            line,
+            "Potential SQL injection pattern found in query construction.",
+            0.91,
+        )
+
+    return None
+
+
+def _detect_unsafe_deser(node: ast.AST, file_path: Path) -> Finding | None:
+    if not isinstance(node, ast.Call):
+        return None
+
+    call_name = _dotted_name(node.func)
+    if call_name in UNSAFE_DESER_CALLS:
+        return _make_finding(
+            "DG002",
+            file_path,
+            getattr(node, "lineno", 1),
+            "Potential unsafe deserialization call detected.",
+            0.92,
+        )
+
+    return None
+
+
+def _detect_hardcoded_secrets(node: ast.AST, file_path: Path) -> Finding | None:
+    if not isinstance(node, ast.Assign):
+        return None
+    if len(node.targets) != 1 or not isinstance(node.targets[0], ast.Name):
+        return None
+
+    var_name = node.targets[0].id.lower()
+    if var_name not in SECRET_NAMES:
+        return None
+
+    value = node.value
+    if isinstance(value, ast.Constant) and isinstance(value.value, str) and len(value.value) >= 8:
+        return _make_finding(
+            "DG003",
+            file_path,
+            getattr(node, "lineno", 1),
+            "Potential hardcoded secret detected.",
+            0.94,
+        )
+
+    return None
+
+
+def _is_sql_concat(node: ast.AST) -> bool:
+    if not isinstance(node, ast.BinOp) or not isinstance(node.op, ast.Add):
+        return False
+
+    left = node.left
+    if not isinstance(left, ast.Constant) or not isinstance(left.value, str):
+        return False
+
+    prefix = left.value.strip().upper()
+    return prefix.startswith(SQL_PREFIXES)
+
+
+def _dotted_name(node: ast.AST) -> str:
+    if isinstance(node, ast.Name):
+        return node.id
+    if isinstance(node, ast.Attribute):
+        left = _dotted_name(node.value)
+        return f"{left}.{node.attr}" if left else node.attr
+    return ""
+
+
+def _make_finding(rule_id: str, file_path: Path, line: int, message: str, confidence: float) -> Finding:
+    rule = BUILTIN_RULES[rule_id]
+    return Finding(
+        rule_id=rule.id,
+        severity=rule.severity,
+        file_path=str(file_path),
+        line=line,
+        message=message,
+        recommendation=rule.fix,
+        language="python",
+        confidence=confidence,
+    )

devguard_core-0.1.2/src/devguard_core/checks.py

@@ -0,0 +1,237 @@
+from __future__ import annotations
+
+import re
+from pathlib import Path
+
+from .ast_checks import run_python_ast_checks
+from .models import Finding
+from .rules import BUILTIN_RULES
+
+SQL_INJECTION_PATTERN = re.compile(r"(?:execute|query)\s*\([^\n]*[\"'][^\"']*[\"']\s*\+", re.IGNORECASE)
+SQL_ASSIGN_CONCAT_PATTERN = re.compile(
+    r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*[\"']\s*(SELECT|INSERT|UPDATE|DELETE)\b[^\"']*[\"']\s*\+",
+    re.IGNORECASE,
+)
+EXECUTE_VAR_PATTERN = re.compile(r"(?:execute|query)\s*\(\s*([A-Za-z_][A-Za-z0-9_]*)\s*\)", re.IGNORECASE)
+UNSAFE_DESER_PATTERN = re.compile(
+    r"pickle\.loads\(|yaml\.load\(|ObjectInputStream\(|BinaryFormatter|jsonpickle\.decode\(",
+    re.IGNORECASE,
+)
+HARDCODED_SECRET_PATTERN = re.compile(
+    r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*[\"'][A-Za-z0-9_\-\./+=]{8,}[\"']"
+)
+LOOP_HEADER_PATTERN = re.compile(r"^\s*(for|while)\b")
+EXPENSIVE_IN_LOOP_PATTERN = re.compile(r"(re\.compile\(|new\s+Regex\(|json\.loads\(|datetime\.strptime\()")
+ASYNC_DEF_PATTERN = re.compile(r"^\s*async\s+def\b")
+NETWORK_CALL_PATTERN = re.compile(r"\b(requests\.|httpx\.|aiohttp\.|fetch\(|axios\.)")
+TRY_PATTERN = re.compile(r"^\s*try\s*:")
+IGNORE_INLINE_PATTERN = re.compile(r"devguard-ignore\s*:\s*(.+)", re.IGNORECASE)
+IGNORE_NEXT_LINE_PATTERN = re.compile(r"devguard-ignore-next-line\s*:\s*(.+)", re.IGNORECASE)
+
+
+SUPPORTED_EXTENSIONS = {
+    ".py": "python",
+    ".js": "javascript",
+    ".ts": "typescript",
+    ".java": "java",
+    ".go": "go",
+    ".rs": "rust",
+}
+
+
+def detect_language(path: Path) -> str:
+    return SUPPORTED_EXTENSIONS.get(path.suffix.lower(), "unknown")
+
+
+def _make_finding(
+    rule_id: str,
+    file_path: Path,
+    line: int,
+    language: str,
+    message: str,
+    confidence: float,
+) -> Finding:
+    rule = BUILTIN_RULES[rule_id]
+    return Finding(
+        rule_id=rule.id,
+        severity=rule.severity,
+        file_path=str(file_path),
+        line=line,
+        message=message,
+        recommendation=rule.fix,
+        language=language,
+        confidence=confidence,
+    )
+
+
+def run_builtin_checks(file_path: Path, text: str) -> list[Finding]:
+    language = detect_language(file_path)
+    findings: list[Finding] = []
+    lines = text.splitlines()
+    ast_parsed = False
+    if language == "python":
+        ast_findings, ast_parsed = run_python_ast_checks(file_path, text)
+        findings.extend(ast_findings)
+
+    tainted_sql_vars: set[str] = set()
+    for idx, line in enumerate(lines, start=1):
+        if language == "python" and ast_parsed:
+            continue
+
+        assign_match = SQL_ASSIGN_CONCAT_PATTERN.search(line)
+        if assign_match:
+            tainted_sql_vars.add(assign_match.group(1))
+
+        if SQL_INJECTION_PATTERN.search(line):
+            findings.append(
+                _make_finding(
+                    "DG001",
+                    file_path,
+                    idx,
+                    language,
+                    "Potential SQL injection pattern found in query construction.",
+                    0.88,
+                )
+            )
+
+        exec_match = EXECUTE_VAR_PATTERN.search(line)
+        if exec_match and exec_match.group(1) in tainted_sql_vars:
+            findings.append(
+                _make_finding(
+                    "DG001",
+                    file_path,
+                    idx,
+                    language,
+                    "Potential SQL injection pattern found in query execution.",
+                    0.84,
+                )
+            )
+
+        if UNSAFE_DESER_PATTERN.search(line):
+            findings.append(
+                _make_finding(
+                    "DG002",
+                    file_path,
+                    idx,
+                    language,
+                    "Potential unsafe deserialization call detected.",
+                    0.87,
+                )
+            )
+
+        if HARDCODED_SECRET_PATTERN.search(line):
+            findings.append(
+                _make_finding(
+                    "DG003",
+                    file_path,
+                    idx,
+                    language,
+                    "Potential hardcoded secret detected.",
+                    0.91,
+                )
+            )
+
+    findings.extend(_detect_expensive_allocations_in_loops(file_path, language, lines))
+    findings.extend(_detect_network_calls_without_local_try(file_path, language, lines))
+    deduped = _dedupe_findings(findings)
+    return _apply_suppressions(deduped, lines)
+
+
+def _dedupe_findings(findings: list[Finding]) -> list[Finding]:
+    deduped: list[Finding] = []
+    seen: set[tuple[str, str, int, str]] = set()
+    for finding in findings:
+        key = (finding.rule_id, finding.file_path, finding.line, finding.message)
+        if key in seen:
+            continue
+        seen.add(key)
+        deduped.append(finding)
+    return deduped
+
+
+def _detect_expensive_allocations_in_loops(file_path: Path, language: str, lines: list[str]) -> list[Finding]:
+    findings: list[Finding] = []
+    for idx, line in enumerate(lines, start=1):
+        if LOOP_HEADER_PATTERN.search(line):
+            end = min(len(lines), idx + 6)
+            for look_ahead in range(idx, end):
+                if EXPENSIVE_IN_LOOP_PATTERN.search(lines[look_ahead - 1]):
+                    findings.append(
+                        _make_finding(
+                            "DG004",
+                            file_path,
+                            look_ahead,
+                            language,
+                            "Potential repeated expensive allocation inside loop.",
+                            0.72,
+                        )
+                    )
+                    break
+    return findings
+
+
+def _detect_network_calls_without_local_try(file_path: Path, language: str, lines: list[str]) -> list[Finding]:
+    findings: list[Finding] = []
+    for idx, line in enumerate(lines, start=1):
+        if ASYNC_DEF_PATTERN.search(line):
+            block_end = min(len(lines), idx + 20)
+            block = lines[idx - 1:block_end]
+            has_try = any(TRY_PATTERN.search(item) for item in block)
+            for local_idx, block_line in enumerate(block, start=idx):
+                if NETWORK_CALL_PATTERN.search(block_line) and not has_try:
+                    findings.append(
+                        _make_finding(
+                            "DG005",
+                            file_path,
+                            local_idx,
+                            language,
+                            "Async/network call found without local try/except handling.",
+                            0.68,
+                        )
+                    )
+                    break
+    return findings
+
+
+def _apply_suppressions(findings: list[Finding], lines: list[str]) -> list[Finding]:
+    line_suppressions, file_suppressions = _collect_suppressions(lines)
+    filtered: list[Finding] = []
+    for finding in findings:
+        if "all" in file_suppressions or finding.rule_id in file_suppressions:
+            continue
+        suppressed = line_suppressions.get(finding.line, set())
+        if "all" in suppressed or finding.rule_id in suppressed:
+            continue
+        filtered.append(finding)
+    return filtered
+
+
+def _collect_suppressions(lines: list[str]) -> tuple[dict[int, set[str]], set[str]]:
+    line_suppressions: dict[int, set[str]] = {}
+    file_suppressions: set[str] = set()
+
+    for idx, line in enumerate(lines, start=1):
+        next_match = IGNORE_NEXT_LINE_PATTERN.search(line)
+        if next_match:
+            rules = _parse_rule_list(next_match.group(1))
+            line_suppressions.setdefault(idx + 1, set()).update(rules)
+
+        inline_match = IGNORE_INLINE_PATTERN.search(line)
+        if inline_match:
+            rules = _parse_rule_list(inline_match.group(1))
+            line_suppressions.setdefault(idx, set()).update(rules)
+            if "file" in rules:
+                file_suppressions.update({"all"})
+
+    return line_suppressions, file_suppressions
+
+
+def _parse_rule_list(raw: str) -> set[str]:
+    # Accept comma or whitespace delimited rule IDs.
+    items = [token.strip().upper() for token in re.split(r"[,\s]+", raw.strip()) if token.strip()]
+    normalized = set(items)
+    if "ALL" in normalized:
+        return {"all"}
+    if "FILE" in normalized:
+        return {"file"}
+    return normalized