UNPKG

agentsqripts

Version:

Comprehensive static code analysis toolkit for identifying technical debt, security vulnerabilities, performance issues, and code quality problems

github.com/Bijikyu/agentsqripts

Bijikyu/agentsqripts

109 lines (102 loc) • 5.64 kB

JavaScript

/** * @file Security fix action provider * @description Generates actionable fix recommendations for security vulnerabilities * This module serves as a knowledge base of security fixes, providing structured remediation * guidance that prioritizes fixes by risk level and implementation complexity. The design * separates vulnerability identification from fix recommendation to enable flexible * remediation strategies across different development contexts. */ // Comprehensive fix action database mapping vulnerability types to remediation strategies // Rationale: Centralizes security expertise in data structure for consistency and maintainability // Each fix includes priority (business impact), effort (implementation cost), and specific actions const SECURITY_FIXES = { 'sql-injection': { priority: 'critical', // SQL injection can lead to complete database compromise effort: 'medium', // Requires code changes but patterns are well-established actions: [ 'Use parameterized queries or prepared statements', // Primary defense - prevents SQL parsing of user input 'Implement input validation and sanitization', // Secondary defense - validates data types and ranges 'Use ORM with built-in SQL injection protection' // Framework-level protection for long-term security ] }, 'xss': { priority: 'high', // XSS enables session hijacking and malicious script execution effort: 'low', // Often fixable with framework features or simple encoding actions: [ 'Sanitize user input before rendering', // Removes or encodes dangerous HTML/JS content 'Use Content Security Policy (CSP)', // Browser-level protection against script injection 'Implement proper output encoding' // Context-aware encoding for HTML, JS, URL contexts ] }, 'hardcoded-secrets': { priority: 'critical', // Exposed secrets enable unauthorized system access effort: 'low', // Simple configuration change with environment variables actions: [ 'Move secrets to environment variables', // Immediate fix - externalize sensitive data 'Use secure secret management service', // Enterprise solution for secret rotation and access control 'Remove secrets from version control history' // Clean up historical exposure using git filter-branch ] } }; /** * Retrieve fix actions for a specific vulnerability type * @param {string} vulnerabilityType - The type of security vulnerability detected * @returns {Object} Fix recommendation object with priority, effort, and action steps * * Rationale: Provides fallback for unknown vulnerability types to ensure the system * remains functional even when encountering new or custom vulnerability patterns. * Default recommendation encourages manual security review as a safe fallback. */ function getFixActions(vulnerabilityType) { return SECURITY_FIXES[vulnerabilityType] || { priority: 'medium', // Conservative priority for unknown vulnerabilities effort: 'medium', // Assume moderate complexity for unknown fixes actions: ['Review code for security best practices'] // Generic but actionable guidance }; } /** * Generate comprehensive fix recommendation with context and impact assessment * @param {Object} vulnerability - Vulnerability object containing type, location, and context * @param {string} vulnerability.type - Classification of the security issue * @param {Array<string>} vulnerability.files - Files affected by this vulnerability * @returns {Object} Structured recommendation with priority, effort, actions, and impact metrics * * Rationale: Enriches basic fix actions with contextual information needed for project * planning and risk assessment. Includes affected files for targeted remediation and * risk reduction metrics for prioritizing fixes across multiple vulnerabilities. */ function generateFixRecommendation(vulnerability) { const fixes = getFixActions(vulnerability.type); return { vulnerability: vulnerability.type, priority: fixes.priority, // Business impact level for prioritization estimatedEffort: fixes.effort, // Implementation complexity for resource planning actions: fixes.actions, // Step-by-step remediation guidance affectedFiles: vulnerability.files || [], // Files requiring changes for targeted fixes riskReduction: calculateRiskReduction(vulnerability.type) // Quantified security improvement }; } /** * Calculate percentage risk reduction achieved by fixing a vulnerability type * @param {string} type - Vulnerability classification * @returns {number} Percentage (0-100) representing risk reduction from fixing this vulnerability * * Rationale: Provides quantitative metrics for security investment decisions and helps * prioritize fixes based on security impact rather than just business priority. Higher * values indicate vulnerabilities that significantly improve overall security posture. */ function calculateRiskReduction(type) { const riskImpact = { 'sql-injection': 90, // High impact - prevents complete database compromise 'xss': 75, // Significant impact - prevents client-side attacks and session hijacking 'hardcoded-secrets': 85, // High impact - eliminates unauthorized access vectors 'path-traversal': 80, // High impact - prevents file system access beyond intended boundaries 'command-injection': 95 // Critical impact - prevents arbitrary system command execution }; return riskImpact[type] || 50; // Conservative 50% for unknown vulnerability types } module.exports = { getFixActions, generateFixRecommendation, calculateRiskReduction };