security-use 0.1.1__py3-none-any.whl → 0.2.9__py3-none-any.whl

security_use/iac/rules/registry.py

@@ -94,6 +94,7 @@ def get_registry() -> RuleRegistry:
 
 def _register_default_rules(registry: RuleRegistry) -> None:
     """Register all default rules."""
+    # AWS Rules
     from security_use.iac.rules.aws import (
         S3BucketEncryptionRule,
         S3BucketPublicAccessRule,
@@ -113,3 +114,58 @@ def _register_default_rules(registry: RuleRegistry) -> None:
     registry.register_class(EBSEncryptionRule)
     registry.register_class(CloudTrailEnabledRule)
     registry.register_class(VPCFlowLogsRule)
+
+    # Azure Rules
+    from security_use.iac.rules.azure import (
+        AzureStoragePublicAccessRule,
+        AzureStorageEncryptionRule,
+        AzureNSGOpenIngressRule,
+        AzureSQLEncryptionRule,
+        AzureKeyVaultSoftDeleteRule,
+        AzureActivityLogRetentionRule,
+    )
+
+    registry.register_class(AzureStoragePublicAccessRule)
+    registry.register_class(AzureStorageEncryptionRule)
+    registry.register_class(AzureNSGOpenIngressRule)
+    registry.register_class(AzureSQLEncryptionRule)
+    registry.register_class(AzureKeyVaultSoftDeleteRule)
+    registry.register_class(AzureActivityLogRetentionRule)
+
+    # GCP Rules
+    from security_use.iac.rules.gcp import (
+        GCSBucketPublicAccessRule,
+        GCSBucketEncryptionRule,
+        GCPFirewallOpenIngressRule,
+        GCPCloudSQLEncryptionRule,
+        GCPKMSKeyRotationRule,
+        GCPServiceAccountKeyRule,
+        GCPAuditLoggingRule,
+    )
+
+    registry.register_class(GCSBucketPublicAccessRule)
+    registry.register_class(GCSBucketEncryptionRule)
+    registry.register_class(GCPFirewallOpenIngressRule)
+    registry.register_class(GCPCloudSQLEncryptionRule)
+    registry.register_class(GCPKMSKeyRotationRule)
+    registry.register_class(GCPServiceAccountKeyRule)
+    registry.register_class(GCPAuditLoggingRule)
+
+    # Kubernetes Rules
+    from security_use.iac.rules.kubernetes import (
+        K8sRunAsRootRule,
+        K8sPrivilegedContainerRule,
+        K8sResourceLimitsRule,
+        K8sHostNetworkRule,
+        K8sSecretsEnvVarsRule,
+        K8sReadOnlyRootFilesystemRule,
+        K8sNetworkPolicyRule,
+    )
+
+    registry.register_class(K8sRunAsRootRule)
+    registry.register_class(K8sPrivilegedContainerRule)
+    registry.register_class(K8sResourceLimitsRule)
+    registry.register_class(K8sHostNetworkRule)
+    registry.register_class(K8sSecretsEnvVarsRule)
+    registry.register_class(K8sReadOnlyRootFilesystemRule)
+    registry.register_class(K8sNetworkPolicyRule)

security_use/parsers/__init__.py

@@ -5,6 +5,13 @@ from security_use.parsers.requirements import RequirementsParser
 from security_use.parsers.pyproject import PyProjectParser
 from security_use.parsers.pipfile import PipfileParser
 from security_use.parsers.poetry_lock import PoetryLockParser
+from security_use.parsers.maven import MavenParser
+from security_use.parsers.npm import NpmParser, NpmLockParser
+from security_use.parsers.gradle import GradleParser
+from security_use.parsers.yarn import YarnLockParser, PnpmLockParser
+from security_use.parsers.dotnet import CsprojParser, PackagesConfigParser
+from security_use.parsers.conda import CondaEnvironmentParser
+from security_use.parsers.composer import ComposerParser, ComposerLockParser
 
 __all__ = [
     "Dependency",
@@ -13,4 +20,15 @@ __all__ = [
     "PyProjectParser",
     "PipfileParser",
     "PoetryLockParser",
+    "MavenParser",
+    "NpmParser",
+    "NpmLockParser",
+    "GradleParser",
+    "YarnLockParser",
+    "PnpmLockParser",
+    "CsprojParser",
+    "PackagesConfigParser",
+    "CondaEnvironmentParser",
+    "ComposerParser",
+    "ComposerLockParser",
 ]

security_use/parsers/base.py

@@ -14,6 +14,8 @@ class Dependency:
     version_spec: Optional[str] = None
     line_number: Optional[int] = None
     extras: list[str] | None = None
+    source: Optional[str] = None
+    ecosystem: str = "PyPI"
 
     @property
     def normalized_name(self) -> str:

security_use/parsers/composer.py

@@ -0,0 +1,101 @@
+"""Parser for PHP Composer files (composer.json, composer.lock)."""
+
+import json
+from typing import Optional
+
+from security_use.parsers.base import Dependency, DependencyParser
+
+
+class ComposerParser(DependencyParser):
+    """Parser for composer.json files."""
+
+    def parse(self, content: str) -> list[Dependency]:
+        """Parse composer.json content."""
+        dependencies = []
+
+        try:
+            data = json.loads(content)
+        except json.JSONDecodeError:
+            return dependencies
+
+        # Parse require and require-dev sections
+        for section in ["require", "require-dev"]:
+            deps = data.get(section, {})
+            if isinstance(deps, dict):
+                for name, version_spec in deps.items():
+                    # Skip PHP and extensions
+                    if name == "php" or name.startswith("ext-"):
+                        continue
+
+                    # Extract version from spec
+                    version = self._extract_version(version_spec)
+
+                    dependencies.append(
+                        Dependency(
+                            name=name,
+                            version=version,
+                            version_spec=version_spec,
+                            ecosystem="Packagist",
+                        )
+                    )
+
+        return dependencies
+
+    def _extract_version(self, spec: str) -> Optional[str]:
+        """Extract a concrete version from a version specification."""
+        # Handle various Composer version formats
+        # ^1.0, ~1.0, >=1.0, 1.0.*, 1.0.0, etc.
+        import re
+
+        # Try to find a version number
+        match = re.search(r"(\d+\.\d+(?:\.\d+)?)", spec)
+        if match:
+            return match.group(1)
+        return None
+
+    @classmethod
+    def supported_filenames(cls) -> list[str]:
+        """Return supported filenames."""
+        return ["composer.json"]
+
+
+class ComposerLockParser(DependencyParser):
+    """Parser for composer.lock files."""
+
+    def parse(self, content: str) -> list[Dependency]:
+        """Parse composer.lock content."""
+        dependencies = []
+
+        try:
+            data = json.loads(content)
+        except json.JSONDecodeError:
+            return dependencies
+
+        # Parse packages and packages-dev sections
+        for section in ["packages", "packages-dev"]:
+            packages = data.get(section, [])
+            if isinstance(packages, list):
+                for pkg in packages:
+                    name = pkg.get("name")
+                    version = pkg.get("version")
+
+                    if name:
+                        # Remove 'v' prefix if present
+                        if version and version.startswith("v"):
+                            version = version[1:]
+
+                        dependencies.append(
+                            Dependency(
+                                name=name,
+                                version=version,
+                                version_spec=f"={version}" if version else None,
+                                ecosystem="Packagist",
+                            )
+                        )
+
+        return dependencies
+
+    @classmethod
+    def supported_filenames(cls) -> list[str]:
+        """Return supported filenames."""
+        return ["composer.lock"]

security_use/parsers/conda.py

@@ -0,0 +1,97 @@
+"""Parser for Conda environment files (environment.yml)."""
+
+import re
+from typing import Optional
+
+from security_use.parsers.base import Dependency, DependencyParser
+
+
+class CondaEnvironmentParser(DependencyParser):
+    """Parser for Conda environment.yml files."""
+
+    # Regex for conda dependency format: package=version or package==version
+    DEP_RE = re.compile(r"^\s*-\s*(?P<name>[a-zA-Z0-9_-]+)(?:[=<>]+(?P<version>[^\s#]+))?")
+
+    def parse(self, content: str) -> list[Dependency]:
+        """Parse environment.yml content."""
+        dependencies = []
+        in_dependencies = False
+        in_pip = False
+
+        for line_num, line in enumerate(content.splitlines(), start=1):
+            stripped = line.strip()
+
+            # Track which section we're in
+            if stripped == "dependencies:":
+                in_dependencies = True
+                continue
+
+            if stripped.startswith("- pip:"):
+                in_pip = True
+                continue
+
+            # Exit dependencies section
+            if stripped and not stripped.startswith("-") and ":" in stripped:
+                in_dependencies = False
+                in_pip = False
+                continue
+
+            if not in_dependencies:
+                continue
+
+            # Parse pip dependencies (these are PyPI packages)
+            if in_pip:
+                dep = self._parse_pip_dep(line, line_num)
+                if dep:
+                    dependencies.append(dep)
+                continue
+
+            # Parse conda dependencies
+            match = self.DEP_RE.match(line)
+            if match:
+                name = match.group("name")
+                version = match.group("version")
+
+                # Skip python itself and other non-package entries
+                if name.lower() in ("python", "pip"):
+                    continue
+
+                dependencies.append(
+                    Dependency(
+                        name=name,
+                        version=version,
+                        version_spec=f"={version}" if version else None,
+                        line_number=line_num,
+                        ecosystem="conda",
+                    )
+                )
+
+        return dependencies
+
+    def _parse_pip_dep(self, line: str, line_num: int) -> Optional[Dependency]:
+        """Parse a pip dependency line from conda environment file."""
+        # Format: - package==version or - package>=version
+        match = re.match(r"^\s*-\s*(?P<name>[a-zA-Z0-9_-]+)(?P<spec>[=<>!]+(?P<version>[^\s#]+))?", line)
+        if match:
+            name = match.group("name")
+            version = match.group("version")
+            spec = match.group("spec")
+
+            return Dependency(
+                name=name,
+                version=version,
+                version_spec=spec,
+                line_number=line_num,
+                ecosystem="PyPI",
+            )
+        return None
+
+    @classmethod
+    def supported_filenames(cls) -> list[str]:
+        """Return supported filenames."""
+        return [
+            "environment.yml",
+            "environment.yaml",
+            "conda-environment.yml",
+            "conda-environment.yaml",
+        ]

security_use/parsers/dotnet.py

@@ -0,0 +1,89 @@
+"""Parser for .NET project files (*.csproj, packages.config)."""
+
+import re
+import xml.etree.ElementTree as ET
+from typing import Optional
+
+from security_use.parsers.base import Dependency, DependencyParser
+
+
+class CsprojParser(DependencyParser):
+    """Parser for .NET .csproj and .fsproj files."""
+
+    def parse(self, content: str) -> list[Dependency]:
+        """Parse .csproj/.fsproj content."""
+        dependencies = []
+
+        try:
+            root = ET.fromstring(content)
+        except ET.ParseError:
+            return dependencies
+
+        # Find PackageReference elements
+        for item_group in root.iter():
+            if item_group.tag == "PackageReference":
+                name = item_group.get("Include")
+                version = item_group.get("Version")
+
+                if name:
+                    # Version might be in a child element
+                    if not version:
+                        version_elem = item_group.find("Version")
+                        if version_elem is not None:
+                            version = version_elem.text
+
+                    dependencies.append(
+                        Dependency(
+                            name=name,
+                            version=version,
+                            version_spec=f"={version}" if version else None,
+                            ecosystem="NuGet",
+                        )
+                    )
+
+        return dependencies
+
+    @classmethod
+    def supported_filenames(cls) -> list[str]:
+        """Return supported filenames."""
+        return [
+            "*.csproj",
+            "*.fsproj",
+            "*.vbproj",
+            "Directory.Packages.props",
+        ]
+
+
+class PackagesConfigParser(DependencyParser):
+    """Parser for NuGet packages.config files."""
+
+    def parse(self, content: str) -> list[Dependency]:
+        """Parse packages.config content."""
+        dependencies = []
+
+        try:
+            root = ET.fromstring(content)
+        except ET.ParseError:
+            return dependencies
+
+        # Find package elements
+        for package in root.iter("package"):
+            name = package.get("id")
+            version = package.get("version")
+
+            if name:
+                dependencies.append(
+                    Dependency(
+                        name=name,
+                        version=version,
+                        version_spec=f"={version}" if version else None,
+                        ecosystem="NuGet",
+                    )
+                )
+
+        return dependencies
+
+    @classmethod
+    def supported_filenames(cls) -> list[str]:
+        """Return supported filenames."""
+        return ["packages.config"]

security_use/parsers/gradle.py

@@ -0,0 +1,90 @@
+"""Parser for Gradle build files (build.gradle, build.gradle.kts)."""
+
+import re
+from typing import Optional
+
+from security_use.parsers.base import Dependency, DependencyParser
+
+
+class GradleParser(DependencyParser):
+    """Parser for Gradle build files."""
+
+    # Regex patterns for Gradle dependencies
+    # Groovy: implementation 'group:artifact:version'
+    GROOVY_DEP_RE = re.compile(
+        r"(?:implementation|api|compile|runtimeOnly|testImplementation|testCompile|compileOnly)"
+        r"\s*['\"](?P<group>[^:]+):(?P<artifact>[^:]+):(?P<version>[^'\"]+)['\"]"
+    )
+    # Groovy: implementation group: 'group', name: 'artifact', version: 'version'
+    GROOVY_MAP_RE = re.compile(
+        r"(?:implementation|api|compile|runtimeOnly|testImplementation|testCompile|compileOnly)"
+        r"\s+group:\s*['\"](?P<group>[^'\"]+)['\"],\s*"
+        r"name:\s*['\"](?P<artifact>[^'\"]+)['\"],\s*"
+        r"version:\s*['\"](?P<version>[^'\"]+)['\"]"
+    )
+    # Kotlin DSL: implementation("group:artifact:version")
+    KOTLIN_DEP_RE = re.compile(
+        r"(?:implementation|api|compile|runtimeOnly|testImplementation|testCompile|compileOnly)"
+        r"\s*\(\s*['\"](?P<group>[^:]+):(?P<artifact>[^:]+):(?P<version>[^'\"]+)['\"]\s*\)"
+    )
+
+    def parse(self, content: str) -> list[Dependency]:
+        """Parse Gradle build file content."""
+        dependencies = []
+
+        for line_num, line in enumerate(content.splitlines(), start=1):
+            dep = self._parse_line(line, line_num)
+            if dep:
+                dependencies.append(dep)
+
+        return dependencies
+
+    def _parse_line(self, line: str, line_number: int) -> Optional[Dependency]:
+        """Parse a single line from build.gradle."""
+        line = line.strip()
+
+        # Skip comments
+        if line.startswith("//") or line.startswith("/*") or line.startswith("*"):
+            return None
+
+        # Try Groovy string format
+        match = self.GROOVY_DEP_RE.search(line)
+        if match:
+            return self._create_dependency(match, line_number)
+
+        # Try Groovy map format
+        match = self.GROOVY_MAP_RE.search(line)
+        if match:
+            return self._create_dependency(match, line_number)
+
+        # Try Kotlin DSL format
+        match = self.KOTLIN_DEP_RE.search(line)
+        if match:
+            return self._create_dependency(match, line_number)
+
+        return None
+
+    def _create_dependency(self, match: re.Match, line_number: int) -> Dependency:
+        """Create a Dependency from a regex match."""
+        group = match.group("group")
+        artifact = match.group("artifact")
+        version = match.group("version")
+
+        # For Maven/Gradle, the package name is typically group:artifact
+        name = f"{group}:{artifact}"
+
+        return Dependency(
+            name=name,
+            version=version,
+            version_spec=f"={version}",
+            line_number=line_number,
+            ecosystem="Maven",  # Gradle uses Maven Central
+        )
+
+    @classmethod
+    def supported_filenames(cls) -> list[str]:
+        """Return supported filenames."""
+        return [
+            "build.gradle",
+            "build.gradle.kts",
+        ]

security_use/parsers/maven.py

@@ -0,0 +1,108 @@
+"""Maven pom.xml parser."""
+
+import re
+import xml.etree.ElementTree as ET
+from typing import Optional
+
+from security_use.parsers.base import Dependency, DependencyParser
+
+
+class MavenParser(DependencyParser):
+    """Parser for Maven pom.xml files."""
+
+    # Maven namespace
+    MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"
+
+    def parse(self, content: str) -> list[Dependency]:
+        """Parse Maven pom.xml content.
+
+        Args:
+            content: The pom.xml file content.
+
+        Returns:
+            List of dependencies found.
+        """
+        dependencies = []
+
+        try:
+            # Remove namespace for easier parsing
+            content_clean = re.sub(r'\sxmlns="[^"]+"', '', content, count=1)
+            root = ET.fromstring(content_clean)
+        except ET.ParseError:
+            return dependencies
+
+        # Extract properties for variable substitution
+        properties = self._extract_properties(root)
+
+        # Find all dependency elements
+        for dep_elem in root.iter("dependency"):
+            group_id = self._get_text(dep_elem, "groupId")
+            artifact_id = self._get_text(dep_elem, "artifactId")
+            version = self._get_text(dep_elem, "version")
+
+            if not group_id or not artifact_id:
+                continue
+
+            # Resolve property references like ${project.version}
+            if version:
+                version = self._resolve_properties(version, properties)
+
+            # Skip if version still has unresolved properties
+            if version and "${" in version:
+                continue
+
+            # Create Maven coordinate as package name
+            package_name = f"{group_id}:{artifact_id}"
+
+            dependencies.append(
+                Dependency(
+                    name=package_name,
+                    version=version,
+                    extras=None,
+                    source="pom.xml",
+                    ecosystem="Maven",
+                )
+            )
+
+        return dependencies
+
+    def _extract_properties(self, root: ET.Element) -> dict[str, str]:
+        """Extract properties from pom.xml for variable substitution."""
+        properties = {}
+
+        # Get project version
+        version_elem = root.find("version")
+        if version_elem is not None and version_elem.text:
+            properties["project.version"] = version_elem.text
+
+        # Get properties section
+        props_elem = root.find("properties")
+        if props_elem is not None:
+            for prop in props_elem:
+                tag = prop.tag.replace(self.MAVEN_NS, "")
+                if prop.text:
+                    properties[tag] = prop.text
+
+        return properties
+
+    def _resolve_properties(self, value: str, properties: dict[str, str]) -> str:
+        """Resolve ${property} references in a value."""
+        pattern = r"\$\{([^}]+)\}"
+
+        def replace(match: re.Match) -> str:
+            prop_name = match.group(1)
+            return properties.get(prop_name, match.group(0))
+
+        return re.sub(pattern, replace, value)
+
+    def _get_text(self, elem: ET.Element, tag: str) -> Optional[str]:
+        """Get text content of a child element."""
+        child = elem.find(tag)
+        if child is not None and child.text:
+            return child.text.strip()
+        return None
+
+    @classmethod
+    def supported_filenames(cls) -> list[str]:
+        """Return supported filenames."""
+        return ["pom.xml"]