empathy-framework 4.6.6__py3-none-any.whl → 4.7.1__py3-none-any.whl

empathy_software_plugin/wizards/security/vulnerability_scanner.py

@@ -1,604 +0,0 @@
-"""Vulnerability Scanner for Security Analysis Wizard
-
-Comprehensive vulnerability detection including:
-- Dependency vulnerabilities (CVE matching)
-- Secret detection (API keys, passwords, tokens)
-- Configuration security issues
-- OWASP Top 10 patterns
-- Code security anti-patterns
-
-Copyright 2025 Smart-AI-Memory
-Licensed under Fair Source License 0.9
-"""
-
-import json
-import re
-import subprocess
-from dataclasses import dataclass
-from enum import Enum
-from pathlib import Path
-
-
-class VulnerabilityType(Enum):
-    """Types of security vulnerabilities"""
-
-    SQL_INJECTION = "sql_injection"
-    XSS = "xss"
-    COMMAND_INJECTION = "command_injection"
-    PATH_TRAVERSAL = "path_traversal"
-    HARDCODED_SECRET = "hardcoded_secret"
-    WEAK_CRYPTO = "weak_crypto"
-    INSECURE_DESERIALIZATION = "insecure_deserialization"
-    XXE = "xxe"  # XML External Entity
-    CSRF = "csrf"
-    SSRF = "ssrf"  # Server-Side Request Forgery
-    DEPENDENCY_VULN = "dependency_vulnerability"
-    INSECURE_CONFIG = "insecure_configuration"
-
-
-class Severity(Enum):
-    """CVSS-based severity levels"""
-
-    CRITICAL = "critical"  # CVSS 9.0-10.0
-    HIGH = "high"  # CVSS 7.0-8.9
-    MEDIUM = "medium"  # CVSS 4.0-6.9
-    LOW = "low"  # CVSS 0.1-3.9
-    INFO = "info"  # Informational
-
-
-@dataclass
-class Vulnerability:
-    """Represents a detected security vulnerability"""
-
-    vuln_type: VulnerabilityType
-    severity: Severity
-    file_path: str
-    line_number: int
-    description: str
-    evidence: str  # Code snippet or pattern matched
-    cwe_id: str | None = None  # Common Weakness Enumeration
-    cve_id: str | None = None  # Common Vulnerabilities and Exposures
-    cvss_score: float | None = None
-    remediation: str | None = None
-    references: list[str] | None = None
-
-    def __post_init__(self):
-        if self.references is None:
-            self.references = []
-
-
-@dataclass
-class DependencyVulnerability:
-    """Vulnerability in a dependency package"""
-
-    package_name: str
-    installed_version: str
-    vulnerable_versions: str
-    fixed_version: str | None
-    cve_id: str
-    cvss_score: float
-    severity: Severity
-    description: str
-    references: list[str]
-
-
-@dataclass
-class VulnerabilityScanReport:
-    """Complete vulnerability scan report"""
-
-    total_issues: int
-    critical_count: int
-    high_count: int
-    medium_count: int
-    low_count: int
-    info_count: int
-    vulnerabilities: list[Vulnerability]
-    dependency_vulnerabilities: list[DependencyVulnerability]
-    files_scanned: int
-    scan_duration: float  # seconds
-
-
-class VulnerabilityScanner:
-    """Comprehensive vulnerability scanner for Python projects.
-
-    Detects:
-    - OWASP Top 10 vulnerabilities
-    - Hardcoded secrets
-    - Insecure dependencies
-    - Configuration issues
-    - Common security anti-patterns
-    """
-
-    def __init__(self):
-        self._init_secret_patterns()
-        self._init_injection_patterns()
-        self._init_crypto_patterns()
-
-    def _init_secret_patterns(self):
-        """Initialize patterns for secret detection"""
-        self.secret_patterns = {
-            "AWS Access Key": re.compile(r"AKIA[0-9A-Z]{16}"),
-            "AWS Secret Key": re.compile(
-                r'aws_secret_access_key\s*=\s*["\']([^"\']+)["\']',
-                re.IGNORECASE,
-            ),
-            "API Key": re.compile(
-                r'api[_-]?key\s*[=:]\s*["\']([a-zA-Z0-9_\-]{20,})["\']',
-                re.IGNORECASE,
-            ),
-            "Private Key": re.compile(r"-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----"),
-            "GitHub Token": re.compile(r"ghp_[a-zA-Z0-9]{36}"),
-            "Generic Secret": re.compile(
-                r'(secret|password|passwd|pwd)\s*[=:]\s*["\']([^"\']{8,})["\']',
-                re.IGNORECASE,
-            ),
-            "JWT Token": re.compile(r"eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*"),
-            "Database URL": re.compile(r"(mysql|postgresql|mongodb)://[^:]+:[^@]+@", re.IGNORECASE),
-            "Slack Token": re.compile(r"xox[baprs]-[0-9a-zA-Z]{10,48}"),
-            "Stripe Key": re.compile(r"sk_live_[0-9a-zA-Z]{24}"),
-        }
-
-    def _init_injection_patterns(self):
-        """Initialize patterns for injection vulnerabilities"""
-        self.injection_patterns = {
-            VulnerabilityType.SQL_INJECTION: [
-                (re.compile(r'execute\(["\'].*%s.*["\']'), "String formatting in SQL"),
-                (re.compile(r'execute\(["\'].*\+.*["\']'), "String concatenation in SQL"),
-                (re.compile(r'execute\(f["\'].*\{.*\}.*["\']'), "f-string in SQL"),
-                (re.compile(r"raw_sql\s*=.*\+"), "SQL string concatenation"),
-            ],
-            VulnerabilityType.COMMAND_INJECTION: [
-                (re.compile(r"os\.system\(.*\+"), "os.system with concatenation"),
-                (
-                    re.compile(r"subprocess\.(call|run|Popen)\(.*shell\s*=\s*True"),
-                    "subprocess with shell=True",
-                ),
-                (re.compile(r"eval\("), "Use of eval()"),
-                (re.compile(r"exec\("), "Use of exec()"),
-            ],
-            VulnerabilityType.PATH_TRAVERSAL: [
-                (re.compile(r'open\(["\'].*\+'), "Path concatenation in file open"),
-                (re.compile(r"open\(.*\.format\("), "String formatting in file path"),
-                (re.compile(r"Path\(.*\+"), "Path concatenation"),
-            ],
-            VulnerabilityType.XSS: [
-                (re.compile(r"\.innerHTML\s*="), "Direct innerHTML assignment"),
-                (re.compile(r"document\.write\("), "document.write usage"),
-                (re.compile(r"render_template_string\(.*\+"), "Unsafe template rendering"),
-            ],
-        }
-
-    def _init_crypto_patterns(self):
-        """Initialize patterns for cryptographic issues"""
-        self.crypto_patterns = {
-            "Weak Hash (MD5)": re.compile(r"hashlib\.md5\("),
-            "Weak Hash (SHA1)": re.compile(r"hashlib\.sha1\("),
-            "Weak Cipher (DES)": re.compile(r"Crypto\.Cipher\.(DES|DES3)"),
-            "Weak Cipher (RC4)": re.compile(r"Crypto\.Cipher\.ARC4"),
-            "Hardcoded IV": re.compile(r'iv\s*=\s*b?["\'][^"\']+["\']'),
-            "Random without seed": re.compile(r"random\.random\(\)"),
-        }
-
-    def scan_file(self, file_path: Path) -> list[Vulnerability]:
-        """Scan a single file for vulnerabilities
-
-        Args:
-            file_path: Path to file to scan
-
-        Returns:
-            List of Vulnerability objects found
-
-        Raises:
-            FileNotFoundError: If file doesn't exist
-
-        """
-        if not file_path.exists():
-            raise FileNotFoundError(f"File not found: {file_path}")
-
-        vulnerabilities = []
-
-        with open(file_path, encoding="utf-8", errors="ignore") as f:
-            content = f.read()
-            lines = content.split("\n")
-
-        # Scan for secrets
-        vulnerabilities.extend(self._scan_for_secrets(file_path, content, lines))
-
-        # Scan for injection vulnerabilities
-        vulnerabilities.extend(self._scan_for_injections(file_path, content, lines))
-
-        # Scan for crypto issues
-        vulnerabilities.extend(self._scan_for_crypto_issues(file_path, content, lines))
-
-        # Scan for insecure deserialization
-        vulnerabilities.extend(self._scan_for_deserialization(file_path, content, lines))
-
-        # Scan for CSRF issues (web frameworks)
-        vulnerabilities.extend(self._scan_for_csrf(file_path, content, lines))
-
-        return vulnerabilities
-
-    def _scan_for_secrets(
-        self,
-        file_path: Path,
-        content: str,
-        lines: list[str],
-    ) -> list[Vulnerability]:
-        """Scan for hardcoded secrets"""
-        vulnerabilities: list[Vulnerability] = []
-
-        # Skip certain file types
-        if file_path.suffix in [".md", ".txt", ".json", ".xml"]:
-            return vulnerabilities
-
-        for secret_type, pattern in self.secret_patterns.items():
-            for match in pattern.finditer(content):
-                # Find line number
-                line_num = content[: match.start()].count("\n") + 1
-
-                # Extract evidence (mask the actual secret)
-                evidence = lines[line_num - 1] if line_num <= len(lines) else ""
-                masked_evidence = self._mask_secret(evidence)
-
-                # Determine severity
-                if "private key" in secret_type.lower():
-                    severity = Severity.CRITICAL
-                elif "password" in secret_type.lower():
-                    severity = Severity.HIGH
-                else:
-                    severity = Severity.MEDIUM
-
-                vuln = Vulnerability(
-                    vuln_type=VulnerabilityType.HARDCODED_SECRET,
-                    severity=severity,
-                    file_path=str(file_path),
-                    line_number=line_num,
-                    description=f"Hardcoded {secret_type} detected",
-                    evidence=masked_evidence,
-                    cwe_id="CWE-798",  # Use of Hard-coded Credentials
-                    remediation="Use environment variables or secure secret management (e.g., AWS Secrets Manager, HashiCorp Vault)",
-                    references=["https://cwe.mitre.org/data/definitions/798.html"],
-                )
-                vulnerabilities.append(vuln)
-
-        return vulnerabilities
-
-    def _scan_for_injections(
-        self,
-        file_path: Path,
-        content: str,
-        lines: list[str],
-    ) -> list[Vulnerability]:
-        """Scan for injection vulnerabilities"""
-        vulnerabilities = []
-
-        for vuln_type, patterns in self.injection_patterns.items():
-            for pattern, description in patterns:
-                for match in pattern.finditer(content):
-                    line_num = content[: match.start()].count("\n") + 1
-                    evidence = lines[line_num - 1] if line_num <= len(lines) else ""
-
-                    # Determine severity and CWE
-                    if vuln_type == VulnerabilityType.SQL_INJECTION:
-                        severity = Severity.CRITICAL
-                        cwe_id = "CWE-89"
-                        remediation = "Use parameterized queries or an ORM with automatic escaping"
-                    elif vuln_type == VulnerabilityType.COMMAND_INJECTION:
-                        severity = Severity.CRITICAL
-                        cwe_id = "CWE-78"
-                        remediation = "Avoid shell=True, use list arguments, validate input"
-                    elif vuln_type == VulnerabilityType.XSS:
-                        severity = Severity.HIGH
-                        cwe_id = "CWE-79"
-                        remediation = (
-                            "Use proper output encoding, template engines with auto-escaping"
-                        )
-                    else:
-                        severity = Severity.HIGH
-                        cwe_id = "CWE-20"
-                        remediation = "Validate and sanitize all user input"
-
-                    vuln = Vulnerability(
-                        vuln_type=vuln_type,
-                        severity=severity,
-                        file_path=str(file_path),
-                        line_number=line_num,
-                        description=description,
-                        evidence=evidence.strip(),
-                        cwe_id=cwe_id,
-                        remediation=remediation,
-                        references=[
-                            f"https://cwe.mitre.org/data/definitions/{cwe_id.split('-')[1]}.html",
-                        ],
-                    )
-                    vulnerabilities.append(vuln)
-
-        return vulnerabilities
-
-    def _scan_for_crypto_issues(
-        self,
-        file_path: Path,
-        content: str,
-        lines: list[str],
-    ) -> list[Vulnerability]:
-        """Scan for cryptographic issues"""
-        vulnerabilities = []
-
-        for issue_type, pattern in self.crypto_patterns.items():
-            for match in pattern.finditer(content):
-                line_num = content[: match.start()].count("\n") + 1
-                evidence = lines[line_num - 1] if line_num <= len(lines) else ""
-
-                vuln = Vulnerability(
-                    vuln_type=VulnerabilityType.WEAK_CRYPTO,
-                    severity=Severity.MEDIUM,
-                    file_path=str(file_path),
-                    line_number=line_num,
-                    description=f"Weak cryptography: {issue_type}",
-                    evidence=evidence.strip(),
-                    cwe_id="CWE-327",  # Use of Broken or Risky Cryptographic Algorithm
-                    remediation="Use SHA-256 or better for hashing, AES for encryption",
-                    references=["https://cwe.mitre.org/data/definitions/327.html"],
-                )
-                vulnerabilities.append(vuln)
-
-        return vulnerabilities
-
-    def _scan_for_deserialization(
-        self,
-        file_path: Path,
-        content: str,
-        lines: list[str],
-    ) -> list[Vulnerability]:
-        """Scan for insecure deserialization"""
-        vulnerabilities = []
-
-        # Patterns for unsafe deserialization
-        patterns = [
-            (
-                re.compile(r"pickle\.loads?\("),
-                "Use of pickle.load() - vulnerable to code execution",
-            ),
-            (
-                re.compile(r"yaml\.load\((?!.*Loader=yaml\.SafeLoader)"),
-                "Use of yaml.load() without SafeLoader",
-            ),
-            (re.compile(r"eval\("), "Use of eval() - code execution risk"),
-        ]
-
-        for pattern, description in patterns:
-            for match in pattern.finditer(content):
-                line_num = content[: match.start()].count("\n") + 1
-                evidence = lines[line_num - 1] if line_num <= len(lines) else ""
-
-                vuln = Vulnerability(
-                    vuln_type=VulnerabilityType.INSECURE_DESERIALIZATION,
-                    severity=Severity.HIGH,
-                    file_path=str(file_path),
-                    line_number=line_num,
-                    description=description,
-                    evidence=evidence.strip(),
-                    cwe_id="CWE-502",  # Deserialization of Untrusted Data
-                    remediation="Use safe deserialization methods (json.loads, yaml.safe_load)",
-                    references=["https://cwe.mitre.org/data/definitions/502.html"],
-                )
-                vulnerabilities.append(vuln)
-
-        return vulnerabilities
-
-    def _scan_for_csrf(
-        self,
-        file_path: Path,
-        content: str,
-        lines: list[str],
-    ) -> list[Vulnerability]:
-        """Scan for CSRF vulnerabilities in web frameworks"""
-        vulnerabilities = []
-
-        # Django/Flask CSRF patterns
-        patterns = [
-            (
-                re.compile(r'@app\.route\(.*methods\s*=\s*\[.*["\']POST["\'].*\]'),
-                "POST route without CSRF protection",
-            ),
-        ]
-
-        for pattern, _description in patterns:
-            for match in pattern.finditer(content):
-                # Check if CSRF protection is present nearby
-                line_num = content[: match.start()].count("\n") + 1
-
-                # Look for CSRF decorators/middleware in surrounding lines
-                surrounding_lines = lines[max(0, line_num - 5) : min(len(lines), line_num + 3)]
-                has_csrf_protection = any(
-                    "csrf" in line.lower() or "@login_required" in line
-                    for line in surrounding_lines
-                )
-
-                if not has_csrf_protection:
-                    evidence = lines[line_num - 1] if line_num <= len(lines) else ""
-
-                    vuln = Vulnerability(
-                        vuln_type=VulnerabilityType.CSRF,
-                        severity=Severity.MEDIUM,
-                        file_path=str(file_path),
-                        line_number=line_num,
-                        description="POST endpoint without CSRF protection",
-                        evidence=evidence.strip(),
-                        cwe_id="CWE-352",  # Cross-Site Request Forgery
-                        remediation="Add CSRF protection (e.g., Flask-WTF, Django CSRF middleware)",
-                        references=["https://cwe.mitre.org/data/definitions/352.html"],
-                    )
-                    vulnerabilities.append(vuln)
-
-        return vulnerabilities
-
-    def _mask_secret(self, text: str) -> str:
-        """Mask secrets in evidence"""
-        # Mask anything that looks like a secret
-        masked = re.sub(r'["\'][a-zA-Z0-9_\-/+=]{16,}["\']', '"***REDACTED***"', text)
-        return masked
-
-    def scan_dependencies(
-        self,
-        requirements_file: Path | None = None,
-    ) -> list[DependencyVulnerability]:
-        """Scan dependencies for known vulnerabilities using pip-audit
-
-        Args:
-            requirements_file: Path to requirements.txt (optional)
-
-        Returns:
-            List of DependencyVulnerability objects
-
-        Note: Requires 'pip-audit' to be installed
-
-        """
-        try:
-            # Try to run pip-audit
-            cmd = ["pip-audit", "--format", "json"]
-            if requirements_file:
-                cmd.extend(["-r", str(requirements_file)])
-
-            result = subprocess.run(cmd, check=False, capture_output=True, text=True, timeout=60)
-
-            if result.returncode != 0:
-                # pip-audit not installed or failed
-                return []
-
-            # Parse JSON output
-            data = json.loads(result.stdout)
-            return self._parse_pip_audit_output(data)
-
-        except (subprocess.TimeoutExpired, FileNotFoundError, json.JSONDecodeError):
-            # pip-audit not available or failed
-            return []
-
-    def _parse_pip_audit_output(self, data: dict) -> list[DependencyVulnerability]:
-        """Parse pip-audit JSON output"""
-        vulnerabilities = []
-
-        for package_data in data.get("dependencies", []):
-            package_name = package_data.get("name", "")
-            version = package_data.get("version", "")
-
-            for vuln in package_data.get("vulns", []):
-                cve_id = vuln.get("id", "")
-                description = vuln.get("description", "")
-                fixed_version = (
-                    vuln.get("fix_versions", [""])[0] if vuln.get("fix_versions") else None
-                )
-
-                # Parse CVSS score
-                cvss_score = 0.0
-                if "aliases" in vuln:
-                    for alias in vuln["aliases"]:
-                        if "cvss" in alias:
-                            try:
-                                cvss_score = float(alias["cvss"])
-                            except (ValueError, TypeError):
-                                pass
-
-                # Determine severity from CVSS
-                if cvss_score >= 9.0:
-                    severity = Severity.CRITICAL
-                elif cvss_score >= 7.0:
-                    severity = Severity.HIGH
-                elif cvss_score >= 4.0:
-                    severity = Severity.MEDIUM
-                else:
-                    severity = Severity.LOW
-
-                dep_vuln = DependencyVulnerability(
-                    package_name=package_name,
-                    installed_version=version,
-                    vulnerable_versions=f"<{fixed_version}" if fixed_version else "current",
-                    fixed_version=fixed_version,
-                    cve_id=cve_id,
-                    cvss_score=cvss_score,
-                    severity=severity,
-                    description=description,
-                    references=[f"https://nvd.nist.gov/vuln/detail/{cve_id}"],
-                )
-                vulnerabilities.append(dep_vuln)
-
-        return vulnerabilities
-
-    def generate_report(
-        self,
-        vulnerabilities: list[Vulnerability],
-        dependency_vulns: list[DependencyVulnerability],
-        files_scanned: int,
-        scan_duration: float,
-    ) -> VulnerabilityScanReport:
-        """Generate comprehensive scan report"""
-        # Count by severity
-        critical_count = sum(1 for v in vulnerabilities if v.severity == Severity.CRITICAL)
-        high_count = sum(1 for v in vulnerabilities if v.severity == Severity.HIGH)
-        medium_count = sum(1 for v in vulnerabilities if v.severity == Severity.MEDIUM)
-        low_count = sum(1 for v in vulnerabilities if v.severity == Severity.LOW)
-        info_count = sum(1 for v in vulnerabilities if v.severity == Severity.INFO)
-
-        # Add dependency vulnerabilities to counts
-        critical_count += sum(1 for v in dependency_vulns if v.severity == Severity.CRITICAL)
-        high_count += sum(1 for v in dependency_vulns if v.severity == Severity.HIGH)
-        medium_count += sum(1 for v in dependency_vulns if v.severity == Severity.MEDIUM)
-        low_count += sum(1 for v in dependency_vulns if v.severity == Severity.LOW)
-
-        return VulnerabilityScanReport(
-            total_issues=len(vulnerabilities) + len(dependency_vulns),
-            critical_count=critical_count,
-            high_count=high_count,
-            medium_count=medium_count,
-            low_count=low_count,
-            info_count=info_count,
-            vulnerabilities=vulnerabilities,
-            dependency_vulnerabilities=dependency_vulns,
-            files_scanned=files_scanned,
-            scan_duration=scan_duration,
-        )
-
-    def generate_summary(self, report: VulnerabilityScanReport) -> str:
-        """Generate human-readable summary"""
-        summary = []
-        summary.append("=" * 70)
-        summary.append("SECURITY VULNERABILITY SCAN REPORT")
-        summary.append("=" * 70)
-        summary.append(f"Files Scanned: {report.files_scanned}")
-        summary.append(f"Scan Duration: {report.scan_duration:.2f}s")
-        summary.append(f"Total Issues Found: {report.total_issues}")
-        summary.append("")
-        summary.append("Severity Breakdown:")
-        summary.append(f"  🔴 CRITICAL: {report.critical_count}")
-        summary.append(f"  🟠 HIGH:     {report.high_count}")
-        summary.append(f"  🟡 MEDIUM:   {report.medium_count}")
-        summary.append(f"  🔵 LOW:      {report.low_count}")
-        summary.append(f"  ⚪ INFO:     {report.info_count}")
-        summary.append("")
-
-        if report.critical_count > 0 or report.high_count > 0:
-            summary.append("⚠️  CRITICAL & HIGH SEVERITY ISSUES:")
-            critical_high = [
-                v
-                for v in report.vulnerabilities
-                if v.severity in [Severity.CRITICAL, Severity.HIGH]
-            ]
-            for vuln in critical_high[:5]:
-                summary.append(f"\n  {vuln.severity.value.upper()}: {vuln.description}")
-                summary.append(f"    File: {vuln.file_path}:{vuln.line_number}")
-                summary.append(f"    Type: {vuln.vuln_type.value}")
-                if vuln.cwe_id:
-                    summary.append(f"    CWE: {vuln.cwe_id}")
-
-        if report.dependency_vulnerabilities:
-            summary.append("\n📦 DEPENDENCY VULNERABILITIES:")
-            for dep_vuln in report.dependency_vulnerabilities[:5]:
-                summary.append(f"\n  {dep_vuln.package_name} {dep_vuln.installed_version}")
-                summary.append(f"    {dep_vuln.cve_id} - {dep_vuln.severity.value.upper()}")
-                summary.append(f"    CVSS: {dep_vuln.cvss_score}")
-                if dep_vuln.fixed_version:
-                    summary.append(f"    Fix: Upgrade to {dep_vuln.fixed_version}")
-
-        summary.append("\n" + "=" * 70)
-
-        return "\n".join(summary)