security-use 0.1.1__py3-none-any.whl

security_use/fixers/dependency_fixer.py

@@ -0,0 +1,196 @@
+"""Dependency vulnerability fixer.
+
+Updates vulnerable dependencies to safe versions in requirements files.
+"""
+
+import re
+import json
+import urllib.request
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Optional
+
+
+@dataclass
+class FixResult:
+    """Result of applying a fix."""
+    success: bool
+    file_modified: str = ""
+    old_version: str = ""
+    new_version: str = ""
+    diff: str = ""
+    before: str = ""
+    after: str = ""
+    explanation: str = ""
+    error: Optional[str] = None
+
+
+class DependencyFixer:
+    """Fixer for dependency vulnerabilities."""
+
+    def fix(
+        self,
+        path: str,
+        package_name: str,
+        target_version: Optional[str] = None
+    ) -> FixResult:
+        """Fix a vulnerable dependency by updating its version.
+
+        Args:
+            path: Path to the project directory.
+            package_name: Name of the package to update.
+            target_version: Version to update to (if not specified, uses latest safe version).
+
+        Returns:
+            FixResult with the outcome.
+        """
+        path_obj = Path(path)
+
+        if not path_obj.exists():
+            return FixResult(
+                success=False,
+                error=f"Path does not exist: {path}"
+            )
+
+        # Find the requirements file containing the package
+        req_file = self._find_package_file(path_obj, package_name)
+        if not req_file:
+            return FixResult(
+                success=False,
+                error=f"Package '{package_name}' not found in any dependency file"
+            )
+
+        try:
+            original_content = req_file.read_text()
+            old_version = self._get_package_version(original_content, package_name)
+
+            if not old_version:
+                return FixResult(
+                    success=False,
+                    error=f"Could not find version for '{package_name}'"
+                )
+
+            # Determine target version
+            new_version = target_version or self._get_latest_version(package_name) or old_version
+
+            if old_version == new_version:
+                return FixResult(
+                    success=False,
+                    error=f"Package is already at version {new_version}"
+                )
+
+            # Update the file
+            new_content = self._update_package_version(
+                original_content, package_name, old_version, new_version
+            )
+
+            # Write the file
+            req_file.write_text(new_content)
+
+            # Generate diff
+            diff = self._generate_diff(original_content, new_content, package_name, old_version, new_version)
+
+            return FixResult(
+                success=True,
+                file_modified=str(req_file.relative_to(path_obj) if path_obj.is_dir() else req_file.name),
+                old_version=old_version,
+                new_version=new_version,
+                diff=diff,
+                explanation=f"Updated {package_name} from {old_version} to {new_version}",
+            )
+
+        except Exception as e:
+            return FixResult(
+                success=False,
+                error=str(e)
+            )
+
+    def _find_package_file(self, path: Path, package_name: str) -> Optional[Path]:
+        """Find the dependency file containing the package."""
+        patterns = ["requirements*.txt", "pyproject.toml", "Pipfile"]
+
+        for pattern in patterns:
+            for f in path.glob(pattern):
+                content = f.read_text()
+                if re.search(rf'\b{re.escape(package_name)}\b', content, re.IGNORECASE):
+                    return f
+
+        return None
+
+    def _get_package_version(self, content: str, package_name: str) -> Optional[str]:
+        """Extract the current version of a package from file content."""
+        # Try requirements.txt format
+        match = re.search(
+            rf'^{re.escape(package_name)}\s*[=<>~!]=?\s*([\d.]+)',
+            content,
+            re.MULTILINE | re.IGNORECASE
+        )
+        if match:
+            return match.group(1)
+
+        # Try pyproject.toml format
+        match = re.search(
+            rf'"{re.escape(package_name)}\s*[=<>~!]=?\s*([\d.]+)"',
+            content,
+            re.IGNORECASE
+        )
+        if match:
+            return match.group(1)
+
+        return None
+
+    def _update_package_version(
+        self,
+        content: str,
+        package_name: str,
+        old_version: str,
+        new_version: str
+    ) -> str:
+        """Update the package version in the file content."""
+        # Replace in requirements.txt format
+        pattern = rf'^({re.escape(package_name)}\s*[=<>~!]=?\s*){re.escape(old_version)}'
+        new_content = re.sub(pattern, rf'\g<1>{new_version}', content, flags=re.MULTILINE | re.IGNORECASE)
+
+        # If no change, try pyproject.toml format
+        if new_content == content:
+            pattern = rf'("{re.escape(package_name)}\s*[=<>~!>=]*){re.escape(old_version)}'
+            new_content = re.sub(pattern, rf'\g<1>{new_version}', content, flags=re.IGNORECASE)
+
+        return new_content
+
+    def _generate_diff(
+        self,
+        old_content: str,
+        new_content: str,
+        package_name: str,
+        old_version: str,
+        new_version: str
+    ) -> str:
+        """Generate a simple diff of the changes."""
+        old_lines = old_content.split("\n")
+        new_lines = new_content.split("\n")
+
+        diff_lines = []
+        for i, (old_line, new_line) in enumerate(zip(old_lines, new_lines)):
+            if old_line != new_line:
+                diff_lines.append(f"-{old_line}")
+                diff_lines.append(f"+{new_line}")
+
+        if not diff_lines:
+            diff_lines = [
+                f"-{package_name}=={old_version}",
+                f"+{package_name}=={new_version}",
+            ]
+
+        return "\n".join(diff_lines)
+
+    def _get_latest_version(self, package_name: str) -> Optional[str]:
+        """Get the latest version of a package from PyPI."""
+        try:
+            url = f"https://pypi.org/pypi/{package_name}/json"
+            request = urllib.request.Request(url, headers={"Accept": "application/json"})
+            with urllib.request.urlopen(request, timeout=10) as response:
+                data = json.loads(response.read().decode())
+                return data.get("info", {}).get("version")
+        except Exception:
+            return None

security_use/fixers/iac_fixer.py

@@ -0,0 +1,191 @@
+"""Infrastructure as Code fixer.
+
+Generates and optionally applies fixes for IaC security issues.
+"""
+
+import re
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Optional
+
+
+@dataclass
+class FixResult:
+    """Result of applying or suggesting a fix."""
+    success: bool
+    file_modified: str = ""
+    old_version: str = ""
+    new_version: str = ""
+    diff: str = ""
+    before: str = ""
+    after: str = ""
+    explanation: str = ""
+    error: Optional[str] = None
+
+
+# Fix mappings for known rules
+IAC_FIXES = {
+    "S3_PUBLIC_ACCESS": {
+        "pattern": r'acl\s*=\s*"public-read"',
+        "replacement": 'acl = "private"',
+        "explanation": "Changed S3 bucket ACL from public-read to private to prevent unauthorized public access.",
+    },
+    "S3_VERSIONING_DISABLED": {
+        "pattern": r'versioning\s*=\s*false',
+        "replacement": 'versioning = true',
+        "explanation": "Enabled S3 bucket versioning to allow recovery of accidentally deleted objects.",
+    },
+    "SG_OPEN_INGRESS": {
+        "pattern": r'cidr_blocks\s*=\s*\[\s*"0\.0\.0\.0/0"\s*\]',
+        "replacement": 'cidr_blocks = ["10.0.0.0/8"]',
+        "explanation": "Restricted security group ingress to private IP range. Update this to your specific IP range.",
+    },
+    "RDS_PUBLIC": {
+        "pattern": r'publicly_accessible\s*=\s*true',
+        "replacement": 'publicly_accessible = false',
+        "explanation": "Disabled public accessibility for RDS instance. Access via VPC or bastion host instead.",
+    },
+    "EBS_UNENCRYPTED": {
+        "pattern": r'encrypted\s*=\s*false',
+        "replacement": 'encrypted = true',
+        "explanation": "Enabled EBS volume encryption to protect data at rest.",
+    },
+    "IAM_WILDCARD_ACTION": {
+        "pattern": r'"Action"\s*:\s*"\*"',
+        "replacement": '"Action": ["s3:GetObject", "s3:PutObject"]',
+        "explanation": "Replaced wildcard action with specific actions. Update to your required actions.",
+    },
+    "CLOUDTRAIL_DISABLED": {
+        "pattern": r'enable_logging\s*=\s*false',
+        "replacement": 'enable_logging = true',
+        "explanation": "Enabled CloudTrail logging to maintain audit trail.",
+    },
+    "KMS_KEY_ROTATION": {
+        "pattern": r'enable_key_rotation\s*=\s*false',
+        "replacement": 'enable_key_rotation = true',
+        "explanation": "Enabled KMS key rotation for improved security compliance.",
+    },
+}
+
+
+class IaCFixer:
+    """Fixer for Infrastructure as Code security issues."""
+
+    def __init__(self):
+        self.fixes = IAC_FIXES
+
+    def fix(
+        self,
+        file_path: str,
+        rule_id: str,
+        line_number: Optional[int] = None,
+        auto_apply: bool = False
+    ) -> FixResult:
+        """Fix an IaC security issue.
+
+        Args:
+            file_path: Path to the IaC file.
+            rule_id: ID of the security rule that was violated.
+            line_number: Optional line number where the issue is located.
+            auto_apply: If True, apply the fix. If False, only suggest.
+
+        Returns:
+            FixResult with the fix details.
+        """
+        path_obj = Path(file_path)
+
+        if not path_obj.exists():
+            return FixResult(
+                success=False,
+                error=f"File does not exist: {file_path}"
+            )
+
+        if rule_id not in self.fixes:
+            return FixResult(
+                success=False,
+                error=f"No fix available for rule: {rule_id}"
+            )
+
+        fix_info = self.fixes[rule_id]
+
+        try:
+            content = path_obj.read_text()
+            lines = content.split("\n")
+
+            # Find the problematic section
+            pattern = re.compile(fix_info["pattern"], re.IGNORECASE | re.MULTILINE)
+            match = pattern.search(content)
+
+            if not match:
+                return FixResult(
+                    success=False,
+                    error=f"Could not find the issue pattern for rule {rule_id}"
+                )
+
+            # Get the before snippet
+            match_line = content[:match.start()].count("\n")
+            start_line = max(0, match_line - 2)
+            end_line = min(len(lines), match_line + 5)
+            before_snippet = "\n".join(lines[start_line:end_line])
+
+            # Apply the fix
+            new_content = pattern.sub(fix_info["replacement"], content, count=1)
+            new_lines = new_content.split("\n")
+
+            # Get the after snippet
+            after_snippet = "\n".join(new_lines[start_line:end_line])
+
+            # Generate diff
+            diff = self._generate_diff(content, new_content)
+
+            if auto_apply:
+                # Write the fixed content
+                path_obj.write_text(new_content)
+                return FixResult(
+                    success=True,
+                    file_modified=file_path,
+                    diff=diff,
+                    before=before_snippet,
+                    after=after_snippet,
+                    explanation=fix_info["explanation"],
+                )
+            else:
+                # Return suggested fix without applying
+                return FixResult(
+                    success=True,
+                    before=before_snippet,
+                    after=after_snippet,
+                    diff=diff,
+                    explanation=fix_info["explanation"],
+                )
+
+        except Exception as e:
+            return FixResult(
+                success=False,
+                error=str(e)
+            )
+
+    def _generate_diff(self, old_content: str, new_content: str) -> str:
+        """Generate a unified diff of the changes."""
+        old_lines = old_content.split("\n")
+        new_lines = new_content.split("\n")
+
+        diff_lines = []
+        for i, (old_line, new_line) in enumerate(zip(old_lines, new_lines)):
+            if old_line != new_line:
+                diff_lines.append(f"-{old_line}")
+                diff_lines.append(f"+{new_line}")
+
+        # Handle length differences
+        if len(old_lines) > len(new_lines):
+            for line in old_lines[len(new_lines):]:
+                diff_lines.append(f"-{line}")
+        elif len(new_lines) > len(old_lines):
+            for line in new_lines[len(old_lines):]:
+                diff_lines.append(f"+{line}")
+
+        return "\n".join(diff_lines) if diff_lines else "No changes"
+
+    def get_available_fixes(self) -> list[str]:
+        """Get list of rule IDs that have available fixes."""
+        return list(self.fixes.keys())

security_use/iac/__init__.py

@@ -0,0 +1,9 @@
+"""Infrastructure as Code parsers and scanners."""
+
+from security_use.iac.terraform import TerraformParser
+from security_use.iac.cloudformation import CloudFormationParser
+
+__all__ = [
+    "TerraformParser",
+    "CloudFormationParser",
+]

security_use/iac/base.py

@@ -0,0 +1,69 @@
+"""Base classes for IaC parsers."""
+
+from abc import ABC, abstractmethod
+from dataclasses import dataclass, field
+from typing import Any, Optional
+
+
+@dataclass
+class IaCResource:
+    """Represents a parsed IaC resource."""
+
+    resource_type: str
+    name: str
+    config: dict[str, Any]
+    file_path: str
+    line_number: int
+    end_line: Optional[int] = None
+    provider: str = "unknown"
+
+    def get_config(self, *keys: str, default: Any = None) -> Any:
+        """Get nested config value by key path.
+
+        Args:
+            *keys: Path of keys to traverse.
+            default: Default value if not found.
+
+        Returns:
+            Config value or default.
+        """
+        current = self.config
+        for key in keys:
+            if isinstance(current, dict) and key in current:
+                current = current[key]
+            else:
+                return default
+        return current
+
+
+@dataclass
+class ParseResult:
+    """Result of parsing an IaC file."""
+
+    resources: list[IaCResource] = field(default_factory=list)
+    variables: dict[str, Any] = field(default_factory=dict)
+    outputs: dict[str, Any] = field(default_factory=dict)
+    errors: list[str] = field(default_factory=list)
+
+
+class IaCParser(ABC):
+    """Abstract base class for IaC file parsers."""
+
+    @abstractmethod
+    def parse(self, content: str, file_path: str = "<string>") -> ParseResult:
+        """Parse IaC file content.
+
+        Args:
+            content: File content to parse.
+            file_path: Path to the file (for error reporting).
+
+        Returns:
+            ParseResult containing resources and any errors.
+        """
+        pass
+
+    @classmethod
+    @abstractmethod
+    def supported_extensions(cls) -> list[str]:
+        """Return list of supported file extensions."""
+        pass

security_use/iac/cloudformation.py

@@ -0,0 +1,207 @@
+"""CloudFormation template parser."""
+
+import json
+import re
+from typing import Any, Optional
+
+import yaml
+
+from security_use.iac.base import IaCParser, IaCResource, ParseResult
+
+
+# Custom YAML loader that handles CloudFormation intrinsic functions
+class CloudFormationLoader(yaml.SafeLoader):
+    """YAML loader that handles CloudFormation intrinsic function tags."""
+
+    pass
+
+
+def _construct_cfn_tag(loader: yaml.SafeLoader, tag_suffix: str, node: yaml.Node) -> dict:
+    """Construct a dict representing a CloudFormation intrinsic function."""
+    if isinstance(node, yaml.ScalarNode):
+        value = loader.construct_scalar(node)
+    elif isinstance(node, yaml.SequenceNode):
+        value = loader.construct_sequence(node)
+    elif isinstance(node, yaml.MappingNode):
+        value = loader.construct_mapping(node)
+    else:
+        value = None
+    return {f"Fn::{tag_suffix}": value}
+
+
+def _construct_ref(loader: yaml.SafeLoader, node: yaml.Node) -> dict:
+    """Construct a Ref intrinsic function."""
+    return {"Ref": loader.construct_scalar(node)}
+
+
+# Register CloudFormation intrinsic function tags
+CloudFormationLoader.add_constructor("!Ref", _construct_ref)
+CloudFormationLoader.add_constructor("!GetAtt", lambda l, n: _construct_cfn_tag(l, "GetAtt", n))
+CloudFormationLoader.add_constructor("!Sub", lambda l, n: _construct_cfn_tag(l, "Sub", n))
+CloudFormationLoader.add_constructor("!Join", lambda l, n: _construct_cfn_tag(l, "Join", n))
+CloudFormationLoader.add_constructor("!If", lambda l, n: _construct_cfn_tag(l, "If", n))
+CloudFormationLoader.add_constructor("!Equals", lambda l, n: _construct_cfn_tag(l, "Equals", n))
+CloudFormationLoader.add_constructor("!And", lambda l, n: _construct_cfn_tag(l, "And", n))
+CloudFormationLoader.add_constructor("!Or", lambda l, n: _construct_cfn_tag(l, "Or", n))
+CloudFormationLoader.add_constructor("!Not", lambda l, n: _construct_cfn_tag(l, "Not", n))
+CloudFormationLoader.add_constructor("!Condition", lambda l, n: _construct_cfn_tag(l, "Condition", n))
+CloudFormationLoader.add_constructor("!FindInMap", lambda l, n: _construct_cfn_tag(l, "FindInMap", n))
+CloudFormationLoader.add_constructor("!Base64", lambda l, n: _construct_cfn_tag(l, "Base64", n))
+CloudFormationLoader.add_constructor("!Cidr", lambda l, n: _construct_cfn_tag(l, "Cidr", n))
+CloudFormationLoader.add_constructor("!GetAZs", lambda l, n: _construct_cfn_tag(l, "GetAZs", n))
+CloudFormationLoader.add_constructor("!ImportValue", lambda l, n: _construct_cfn_tag(l, "ImportValue", n))
+CloudFormationLoader.add_constructor("!Select", lambda l, n: _construct_cfn_tag(l, "Select", n))
+CloudFormationLoader.add_constructor("!Split", lambda l, n: _construct_cfn_tag(l, "Split", n))
+CloudFormationLoader.add_constructor("!Transform", lambda l, n: _construct_cfn_tag(l, "Transform", n))
+
+
+class CloudFormationParser(IaCParser):
+    """Parser for AWS CloudFormation templates (YAML/JSON)."""
+
+    def parse(self, content: str, file_path: str = "<string>") -> ParseResult:
+        """Parse CloudFormation template.
+
+        Args:
+            content: Template content (YAML or JSON).
+            file_path: Path to the file.
+
+        Returns:
+            ParseResult with resources and any errors.
+        """
+        result = ParseResult()
+
+        # Determine format and parse
+        template = self._parse_template(content, file_path)
+        if template is None:
+            result.errors.append(f"Failed to parse {file_path}: Invalid YAML/JSON")
+            return result
+
+        # Validate it's a CloudFormation template
+        if not self._is_cloudformation(template):
+            result.errors.append(f"{file_path} is not a valid CloudFormation template")
+            return result
+
+        # Extract resources
+        resources = template.get("Resources", {})
+        for resource_name, resource_def in resources.items():
+            resource_type = resource_def.get("Type", "Unknown")
+            properties = resource_def.get("Properties", {})
+
+            line_number = self._find_resource_line(content, resource_name)
+
+            resource = IaCResource(
+                resource_type=resource_type,
+                name=resource_name,
+                config=properties,
+                file_path=file_path,
+                line_number=line_number,
+                provider="aws",
+            )
+            result.resources.append(resource)
+
+        # Extract parameters as variables
+        for param_name, param_def in template.get("Parameters", {}).items():
+            result.variables[param_name] = param_def
+
+        # Extract outputs
+        for output_name, output_def in template.get("Outputs", {}).items():
+            result.outputs[output_name] = output_def
+
+        return result
+
+    def _parse_template(self, content: str, file_path: str) -> Optional[dict[str, Any]]:
+        """Parse template content as YAML or JSON."""
+        # Try YAML first with CloudFormation-aware loader
+        try:
+            template = yaml.load(content, Loader=CloudFormationLoader)
+            if isinstance(template, dict):
+                return template
+        except yaml.YAMLError:
+            pass
+
+        # Try JSON explicitly
+        try:
+            template = json.loads(content)
+            if isinstance(template, dict):
+                return template
+        except json.JSONDecodeError:
+            pass
+
+        return None
+
+    def _is_cloudformation(self, template: dict[str, Any]) -> bool:
+        """Check if the template is a valid CloudFormation template."""
+        # Must have either Resources or AWSTemplateFormatVersion
+        if "Resources" in template:
+            return True
+        if "AWSTemplateFormatVersion" in template:
+            return True
+        return False
+
+    def _find_resource_line(self, content: str, resource_name: str) -> int:
+        """Find the line number where a resource is defined."""
+        lines = content.split("\n")
+        for i, line in enumerate(lines, start=1):
+            # Match YAML style: "ResourceName:" at start of line
+            if re.match(rf'^\s*{re.escape(resource_name)}\s*:', line):
+                return i
+            # Match JSON style: "ResourceName": {
+            if re.search(rf'"{re.escape(resource_name)}"\s*:\s*\{{', line):
+                return i
+        return 1
+
+    @classmethod
+    def supported_extensions(cls) -> list[str]:
+        """Return supported file extensions."""
+        return [".yaml", ".yml", ".json", ".template"]
+
+
+class SAMParser(CloudFormationParser):
+    """Parser for AWS SAM (Serverless Application Model) templates.
+
+    SAM is a superset of CloudFormation with additional resource types.
+    """
+
+    def _is_cloudformation(self, template: dict[str, Any]) -> bool:
+        """Check if the template is a valid SAM or CloudFormation template."""
+        # SAM templates have Transform: AWS::Serverless
+        if "Transform" in template:
+            transform = template["Transform"]
+            if isinstance(transform, str) and "AWS::Serverless" in transform:
+                return True
+            if isinstance(transform, list) and any(
+                "AWS::Serverless" in t for t in transform
+            ):
+                return True
+
+        # Fall back to CloudFormation check
+        return super()._is_cloudformation(template)
+
+
+class CDKOutputParser(IaCParser):
+    """Parser for AWS CDK synthesized CloudFormation templates."""
+
+    def parse(self, content: str, file_path: str = "<string>") -> ParseResult:
+        """Parse CDK output (CloudFormation JSON).
+
+        Args:
+            content: Synthesized CloudFormation template.
+            file_path: Path to the file.
+
+        Returns:
+            ParseResult with resources.
+        """
+        # CDK outputs CloudFormation JSON, so delegate to CloudFormation parser
+        cf_parser = CloudFormationParser()
+        result = cf_parser.parse(content, file_path)
+
+        # Mark resources as CDK-generated
+        for resource in result.resources:
+            resource.config["__cdk_generated"] = True
+
+        return result
+
+    @classmethod
+    def supported_extensions(cls) -> list[str]:
+        """Return supported file extensions."""
+        return [".template.json"]