moss-pqc 0.1.0__tar.gz

moss_pqc-0.1.0/.gitignore

@@ -0,0 +1,9 @@
+# Python / scanner mission artifacts
+scanner/.venv/
+**/__pycache__/
+*.egg-info/
+.semgrep/
+*.report.json
+.pytest_cache/
+build/
+dist/

moss_pqc-0.1.0/PKG-INFO

@@ -0,0 +1,11 @@
+Metadata-Version: 2.4
+Name: moss-pqc
+Version: 0.1.0
+Summary: Detect legacy / quantum-vulnerable cryptography in source code (Semgrep-powered).
+Requires-Python: >=3.10
+Requires-Dist: click
+Requires-Dist: semgrep
+Requires-Dist: sentry-sdk
+Requires-Dist: structlog
+Provides-Extra: dev
+Requires-Dist: pytest; extra == 'dev'

moss_pqc-0.1.0/moss_pqc/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.1.0"

moss_pqc-0.1.0/moss_pqc/cli.py

@@ -0,0 +1,128 @@
+from __future__ import annotations
+
+import sys
+
+import click
+import sentry_sdk
+import structlog
+
+from . import __version__
+from .engine import SUPPORTED_LANGUAGES, PQCScanner, ScanError
+from .fix_runner import run_fixes
+from .logging import setup_logging
+from .models import SEVERITY_RANK, ScanResult
+from .report import ReportGenerator
+from .sentry import init_sentry
+
+log = structlog.get_logger()
+
+
+@click.group()
+@click.version_option(version=__version__, prog_name="moss-pqc")
+def cli() -> None:
+    """MOSS PQC: detect legacy / quantum-vulnerable cryptography in source code."""
+    setup_logging()
+    init_sentry()
+
+
+@cli.command()
+@click.argument("target", type=click.Path(exists=True))
+@click.option("-o", "--output", type=click.Path(), default=None,
+              help="Write the report to a file instead of stdout.")
+@click.option("-f", "--format", "fmt",
+              type=click.Choice(["json", "sarif", "text", "gitlab"]), default="text",
+              show_default=True, help="Output format.")
+@click.option("-l", "--lang", default=None,
+              help="Comma-separated languages to scan (python,javascript,java).")
+@click.option("-s", "--severity", type=click.Choice(["critical", "high", "medium", "low"]),
+              default="low", show_default=True, help="Minimum severity to include.")
+@click.option("--fail-on", "fail_on",
+              type=click.Choice(["critical", "high", "medium", "low", "none"]),
+              default="none", show_default=True,
+              help="Exit with code 1 if any finding at or above this severity exists. "
+                   "Independent of --severity (which only filters the report).")
+def scan(target: str, output: str | None, fmt: str, lang: str | None,
+         severity: str, fail_on: str) -> None:
+    """Scan TARGET (a file or directory) for quantum-vulnerable cryptography."""
+    languages = None
+    if lang:
+        languages = [part.strip().lower() for part in lang.split(",") if part.strip()]
+        invalid = [language for language in languages if language not in SUPPORTED_LANGUAGES]
+        if invalid:
+            raise click.UsageError(
+                f"unsupported --lang value(s): {', '.join(invalid)}. "
+                f"Supported: {', '.join(SUPPORTED_LANGUAGES)}."
+            )
+
+    scanner = PQCScanner()
+    try:
+        result = scanner.scan(target, languages=languages)
+    except ScanError as exc:
+        sentry_sdk.capture_exception(exc)
+        click.echo(f"error: {exc}", err=True)
+        sys.exit(2)
+
+    filtered = _filter_by_severity(result, severity)
+
+    if fmt == "json":
+        rendered = ReportGenerator.to_json(filtered)
+    elif fmt == "sarif":
+        rendered = ReportGenerator.to_sarif(filtered)
+    elif fmt == "gitlab":
+        rendered = ReportGenerator.to_gitlab(filtered)
+    else:
+        rendered = ReportGenerator.to_summary(filtered)
+
+    if output:
+        with open(output, "w", encoding="utf-8") as fh:
+            fh.write(rendered + "\n")
+    else:
+        click.echo(rendered)
+
+    # --fail-on is independent of --severity: it inspects the full, unfiltered
+    # finding set so hidden (filtered-out) findings still affect the exit code.
+    if fail_on != "none":
+        threshold = SEVERITY_RANK[fail_on]
+        if any(SEVERITY_RANK.get(f.severity, 0) >= threshold for f in result.findings):
+            sys.exit(1)
+
+
+@cli.command()
+@click.argument("target", type=click.Path(exists=True, file_okay=False))
+@click.option("-l", "--lang", default=None,
+              help="Comma-separated languages to scan (python,javascript,java).")
+def fix(target: str, lang: str | None) -> None:
+    """Scan TARGET (a directory) and apply auto-fixable migrations in place."""
+    languages = None
+    if lang:
+        languages = [part.strip().lower() for part in lang.split(",") if part.strip()]
+        invalid = [language for language in languages if language not in SUPPORTED_LANGUAGES]
+        if invalid:
+            raise click.UsageError(
+                f"unsupported --lang value(s): {', '.join(invalid)}. "
+                f"Supported: {', '.join(SUPPORTED_LANGUAGES)}."
+            )
+
+    scanner = PQCScanner()
+    try:
+        result = scanner.scan(target, languages=languages)
+    except ScanError as exc:
+        sentry_sdk.capture_exception(exc)
+        click.echo(f"error: {exc}", err=True)
+        sys.exit(2)
+
+    summary = run_fixes(result.findings, target)
+    click.echo(
+        f"fixes: {summary.applied} applied, {summary.failed} failed "
+        f"across {len(summary.file_fixes)} file(s)."
+    )
+
+
+def _filter_by_severity(result: ScanResult, minimum: str) -> ScanResult:
+    threshold = SEVERITY_RANK[minimum]
+    kept = [f for f in result.findings if SEVERITY_RANK.get(f.severity, 0) >= threshold]
+    return ScanResult(target=result.target, findings=kept, scanned_at=result.scanned_at)
+
+
+if __name__ == "__main__":
+    cli()

moss_pqc-0.1.0/moss_pqc/engine.py

@@ -0,0 +1,205 @@
+from __future__ import annotations
+
+import json
+import os
+import shutil
+import subprocess
+import sys
+import time
+import traceback
+import uuid
+from datetime import datetime, timezone
+from importlib import resources
+from pathlib import Path
+
+import structlog
+
+from .models import Finding, MigrationInfo, ScanResult
+
+SUPPORTED_LANGUAGES = ("python", "javascript", "java")
+
+log = structlog.get_logger()
+
+
+class ScanError(Exception):
+    """Raised when semgrep fails to run (config/parse error or crash)."""
+
+
+class PQCScanner:
+    def __init__(self, rules_path: str | None = None):
+        self.rules_path = rules_path
+
+    def _resolve_rules_dir(self) -> Path:
+        if self.rules_path:
+            path = Path(self.rules_path)
+            if not path.exists():
+                raise ScanError(f"rules path does not exist: {self.rules_path}")
+            return path
+
+        try:
+            packaged = resources.files("moss_pqc") / "rules"
+            packaged_path = Path(str(packaged))
+            if packaged_path.is_dir() and any(packaged_path.iterdir()):
+                return packaged_path
+        except (ModuleNotFoundError, FileNotFoundError, NotADirectoryError):
+            pass
+
+        repo_rules = Path(__file__).resolve().parents[2] / "rules"
+        if repo_rules.is_dir():
+            return repo_rules
+
+        raise ScanError("could not resolve a rules directory (packaged or repo-relative)")
+
+    @staticmethod
+    def _resolve_semgrep() -> str:
+        candidate = Path(sys.executable).parent / "semgrep"
+        if candidate.exists():
+            return str(candidate)
+        found = shutil.which("semgrep")
+        if found:
+            return found
+        raise ScanError("semgrep executable not found")
+
+    def _config_args(self, rules_dir: Path, languages: list[str] | None) -> list[str] | None:
+        if not languages:
+            return ["--config", str(rules_dir)]
+        args: list[str] = []
+        for lang in languages:
+            sub = rules_dir / lang
+            if sub.is_dir():
+                args += ["--config", str(sub)]
+        return args or None
+
+    def count_rules(self, languages: list[str] | None = None) -> int:
+        """Count the semgrep rule files that would be loaded for ``languages``.
+
+        Observability helper only; does not affect scan behavior. Returns the
+        number of ``.yml`` / ``.yaml`` rule files under the resolved config
+        directories.
+        """
+        try:
+            rules_dir = self._resolve_rules_dir()
+        except ScanError:
+            return 0
+        config_args = self._config_args(rules_dir, languages)
+        if not config_args:
+            return 0
+        config_dirs = [Path(config_args[i + 1]) for i in range(0, len(config_args), 2)]
+        count = 0
+        for directory in config_dirs:
+            count += sum(1 for _ in directory.rglob("*.yml"))
+            count += sum(1 for _ in directory.rglob("*.yaml"))
+        return count
+
+    def scan(self, target: str, languages: list[str] | None = None) -> ScanResult:
+        start = time.perf_counter()
+        log.info("scan.start", target=target, languages=languages)
+        try:
+            abs_target = os.path.abspath(target)
+            if not os.path.exists(abs_target):
+                raise ScanError(f"target does not exist: {target}")
+
+            rules_dir = self._resolve_rules_dir()
+            config_args = self._config_args(rules_dir, languages)
+            scanned_at = datetime.now(timezone.utc)
+
+            log.info("scan.rules_loaded", rule_count=self.count_rules(languages))
+
+            if config_args is None:
+                result = ScanResult(target=target, findings=[], scanned_at=scanned_at)
+            else:
+                semgrep = self._resolve_semgrep()
+                cmd = [
+                    semgrep, *config_args, "--json", "--quiet",
+                    "--no-rewrite-rule-ids", abs_target,
+                ]
+                proc = subprocess.run(cmd, capture_output=True, text=True)
+                if proc.returncode > 1:
+                    raise ScanError(
+                        f"semgrep failed (exit {proc.returncode}): "
+                        f"{proc.stderr.strip() or proc.stdout.strip()}"
+                    )
+
+                try:
+                    payload = json.loads(proc.stdout)
+                except json.JSONDecodeError as exc:
+                    raise ScanError(f"could not parse semgrep output: {exc}") from exc
+
+                base = abs_target if os.path.isdir(abs_target) else os.path.dirname(abs_target)
+                findings = [self._to_finding(r, base) for r in payload.get("results", [])]
+                result = ScanResult(target=target, findings=findings, scanned_at=scanned_at)
+        except Exception as exc:
+            log.error(
+                "scan.error",
+                target=target,
+                error=str(exc),
+                error_type=type(exc).__name__,
+                traceback=traceback.format_exc(),
+            )
+            raise
+
+        duration_s = round(time.perf_counter() - start, 4)
+        log.info(
+            "scan.complete",
+            target=target,
+            findings_total=len(result.findings),
+            findings_by_severity=result.counts_by_severity(),
+            duration_s=duration_s,
+        )
+        return result
+
+    def _to_finding(self, result: dict, base: str) -> Finding:
+        check_id = result.get("check_id", "")
+        pattern_id = check_id.rsplit(".", 1)[-1] if check_id else check_id
+
+        path = result.get("path", "")
+        start = result.get("start", {})
+        end = result.get("end", {})
+        line = int(start.get("line", 0) or 0)
+        column = int(start.get("col", 0) or 0)
+        end_line = int(end.get("line", line) or line)
+
+        display_file = os.path.relpath(path, base) if path else path
+        snippet = self._read_snippet(path, line, end_line)
+
+        extra = result.get("extra", {})
+        metadata = extra.get("metadata", {})
+        message = extra.get("message") or result.get("message", "")
+
+        migration = MigrationInfo(
+            recommendation=metadata.get("migration_recommendation", ""),
+            code_before=metadata.get("code_before"),
+            code_after=metadata.get("code_after"),
+            moss_sdk_link=metadata.get("moss_sdk_link"),
+            auto_fixable=bool(metadata.get("auto_fixable", False)),
+        )
+
+        return Finding(
+            id=str(uuid.uuid4()),
+            file=display_file,
+            line=line,
+            column=column,
+            code_snippet=snippet,
+            pattern_id=pattern_id,
+            severity=metadata.get("severity", "low"),
+            category=metadata.get("category", ""),
+            algorithm=metadata.get("algorithm", ""),
+            message=message,
+            migration=migration,
+            library=metadata.get("library", ""),
+            cwe=metadata.get("cwe", ""),
+            owasp=metadata.get("owasp", ""),
+            quantum_vulnerable=bool(metadata.get("quantum_vulnerable", True)),
+        )
+
+    @staticmethod
+    def _read_snippet(path: str, start_line: int, end_line: int) -> str:
+        if not path or start_line < 1:
+            return ""
+        try:
+            with open(path, encoding="utf-8", errors="replace") as fh:
+                lines = fh.readlines()
+        except OSError:
+            return ""
+        snippet = "".join(lines[start_line - 1:end_line])
+        return snippet.strip("\n")

moss_pqc-0.1.0/moss_pqc/fix_runner.py

@@ -0,0 +1,97 @@
+"""Observability wrapper around the sealed fixer engine.
+
+This module orchestrates :mod:`moss_pqc.fixer` to apply fixes while emitting
+structured fix-lifecycle log events (``fix.attempted`` / ``fix.applied`` /
+``fix.failed``) and forwarding :class:`~moss_pqc.fixer.FixError` to Sentry. It
+does not change any fixer behavior; it only observes it.
+"""
+
+from __future__ import annotations
+
+import traceback
+from dataclasses import dataclass
+
+import sentry_sdk
+import structlog
+
+from .fixer import FileFix, FixError, apply_fixes_to_repo, generate_fix
+from .models import Finding
+
+log = structlog.get_logger()
+
+
+@dataclass
+class FixRunSummary:
+    """Outcome of a fix run across a set of findings."""
+
+    attempted: int
+    applied: int
+    failed: int
+    file_fixes: list[FileFix]
+
+
+def _lines_changed(unified_diff: str) -> int:
+    changed = 0
+    for line in unified_diff.splitlines():
+        if line.startswith(("+++", "---")):
+            continue
+        if line.startswith(("+", "-")):
+            changed += 1
+    return changed
+
+
+def run_fixes(findings: list[Finding], repo_path: str) -> FixRunSummary:
+    """Attempt to fix every finding, logging each lifecycle transition.
+
+    For each finding a ``fix.attempted`` event is emitted. A successfully
+    generated fix emits ``fix.applied``; a :class:`FixError` emits
+    ``fix.failed`` (with a stack trace) and is captured by Sentry. Findings that
+    can be fixed are then written to disk via the sealed
+    :func:`~moss_pqc.fixer.apply_fixes_to_repo`.
+    """
+    fixable: list[Finding] = []
+    failed = 0
+
+    for finding in findings:
+        log.info("fix.attempted", file=finding.file, pattern_id=finding.pattern_id)
+        try:
+            fix = generate_fix(finding, repo_path)
+        except FixError as exc:
+            failed += 1
+            log.error(
+                "fix.failed",
+                file=finding.file,
+                pattern_id=finding.pattern_id,
+                error=str(exc),
+                traceback=traceback.format_exc(),
+            )
+            sentry_sdk.capture_exception(exc)
+            continue
+
+        log.info(
+            "fix.applied",
+            file=finding.file,
+            pattern_id=finding.pattern_id,
+            lines_changed=_lines_changed(fix.unified_diff),
+        )
+        fixable.append(finding)
+
+    file_fixes: list[FileFix] = []
+    if fixable:
+        try:
+            file_fixes = apply_fixes_to_repo(fixable, repo_path)
+        except FixError as exc:
+            log.error(
+                "fix.failed",
+                error=str(exc),
+                traceback=traceback.format_exc(),
+            )
+            sentry_sdk.capture_exception(exc)
+            raise
+
+    return FixRunSummary(
+        attempted=len(findings),
+        applied=len(fixable),
+        failed=failed,
+        file_fixes=file_fixes,
+    )