{ "metadata": { "timestamp": "2025-11-03T05:09:33.872Z", "version": "1.3.0" }, "summary": { "totalIssues": 35, "bySeverity": { "high": 29, "medium": 2, "low": 0, "critical": null }, "byType": { "DETECT_NON_LITERAL_FS_FILENAME": 9, "HARDCODED_API_KEY": 8, "LINT_ERROR": 3, "VULNERABLE_DEPENDENCY": 7, "DETECT_OBJECT_INJECTION": 4, "DETECT_UNSAFE_REGEX": 1, "INSECURE_URL": 2, "HARDCODED_PRIVATE_KEY": 1 }, "byScanner": { "eslint": 17, "secret-scanner": 11, "dependency-scanner": 7 } }, "issues": [ { "scanner": "eslint", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/index.js", "type": "DETECT_NON_LITERAL_FS_FILENAME", "severity": "high", "description": "Found readFileSync from package \"fs\" with non literal argument at index 0", "ruleId": "security/detect-non-literal-fs-filename", "auto_fix_available": false, "line": 50, "column": 29 }, { "scanner": "eslint", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/index.js", "type": "DETECT_NON_LITERAL_FS_FILENAME", "severity": "high", "description": "Found writeFileSync from package \"fs\" with non literal argument at index 0", "ruleId": "security/detect-non-literal-fs-filename", "auto_fix_available": false, "line": 53, "column": 11 }, { "scanner": "eslint", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/index.js", "type": "DETECT_NON_LITERAL_FS_FILENAME", "severity": "high", "description": "Found existsSync from package \"fs\" with non literal argument at index 0", "ruleId": "security/detect-non-literal-fs-filename", "auto_fix_available": false, "line": 67, "column": 12 }, { "scanner": "eslint", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/index.js", "type": "DETECT_NON_LITERAL_FS_FILENAME", "severity": "high", "description": "Found readdirSync from package \"fs\" with non literal argument at index 0", "ruleId": "security/detect-non-literal-fs-filename", "auto_fix_available": false, "line": 76, "column": 23 }, 
{ "scanner": "secret-scanner", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/index.js", "line": 25, "column": 18, "type": "HARDCODED_API_KEY", "severity": "high", "description": "Detected a potential API Key", "snippet": " ];\n this.fixers = {\n 'HARDCODED_API_KEY': new SecretFixer(),\n 'INSECURE_URL': new SecretFixer(),\n 'SRC.CONFIG.EXPRESS_XSS': new XSSFixer()," }, { "scanner": "eslint", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/package.json", "type": "LINT_ERROR", "severity": "high", "description": "Parsing error: Unexpected token :", "ruleId": null, "auto_fix_available": false, "line": 2, "column": 9 }, { "scanner": "eslint", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/sample-project/app.js", "type": "LINT_ERROR", "severity": "high", "description": "Parsing error: Unexpected token", "ruleId": null, "auto_fix_available": false, "line": 20, "column": 4 }, { "scanner": "secret-scanner", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/sample-project/app.js", "line": 6, "column": 7, "type": "HARDCODED_API_KEY", "severity": "high", "description": "Detected a potential API Key", "snippet": "const db = require('./db');\n\nconst API_KEY = process.env.API_KEY; // Loaded from environment variable\n\napp.get('/', (req, res) => {" }, { "scanner": "secret-scanner", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/sample-project/app.js", "line": 6, "column": 29, "type": "HARDCODED_API_KEY", "severity": "high", "description": "Detected a potential API Key", "snippet": "const db = require('./db');\n\nconst API_KEY = process.env.API_KEY; // Loaded from environment variable\n\napp.get('/', (req, res) => {" }, { "scanner": "eslint", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/sample-project/package.json", "type": "LINT_ERROR", "severity": "high", "description": "Parsing error: Unexpected token :", 
"ruleId": null, "auto_fix_available": false, "line": 2, "column": 9 }, { "scanner": "dependency-scanner", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/sample-project/package.json", "line": 1, "column": 1, "type": "VULNERABLE_DEPENDENCY", "severity": "high", "description": "express@^4.17.1 has known vulnerability: Cache Poisoning Vulnerability in Express. Express versions prior to 4.17.3 are vulnerable to cache poisoning due to improper handling of the `res.set()` method when called with non-standard characters in header names. An attacker could potentially exploit this to manipulate response headers.\nRecommendation: Upgrade to version 4.17.3 or later", "metadata": { "packageName": "express", "version": "^4.17.1", "advisoryId": 1234567, "cves": [ "CVE-2022-24999" ], "cwes": [ "CWE-444" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-24999\n- https://github.com/advisories/GHSA-hrpp-h998-j3pp" } }, { "scanner": "dependency-scanner", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/sample-project/package.json", "line": 1, "column": 1, "type": "VULNERABLE_DEPENDENCY", "severity": "critical", "description": "express@^4.17.1 has known vulnerability: HTTP Request Smuggling in Express. Express versions prior to 4.17.2 are vulnerable to Request Smuggling due to improper handling of multi-line transfer-encoding headers. 
An attacker could potentially exploit this to perform request smuggling attacks.\nRecommendation: Upgrade to version 4.17.2 or later", "metadata": { "packageName": "express", "version": "^4.17.1", "advisoryId": 1234568, "cves": [ "CVE-2022-25871" ], "cwes": [ "CWE-444" ], "cvss": { "score": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-25871\n- https://github.com/advisories/GHSA-wp2j-vmh9-23qx" } }, { "scanner": "dependency-scanner", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/sample-project/package.json", "line": 1, "column": 1, "type": "VULNERABLE_DEPENDENCY", "severity": "high", "description": "body-parser@1.19.0 has known vulnerability: Denial of Service in body-parser. body-parser versions prior to 1.19.2 are vulnerable to denial of service attacks via the content-type header. An attacker can send specially crafted payloads that cause the parser to consume excessive CPU.\nRecommendation: Upgrade to version 1.19.2 or later", "metadata": { "packageName": "body-parser", "version": "1.19.0", "advisoryId": 1234569, "cves": [ "CVE-2022-24434" ], "cwes": [ "CWE-400" ], "cvss": { "score": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-24434\n- https://github.com/advisories/GHSA-qrjh-x847-mmhc" } }, { "scanner": "dependency-scanner", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/sample-project/package.json", "line": 1, "column": 1, "type": "VULNERABLE_DEPENDENCY", "severity": "high", "description": "cookie-parser@1.4.0 has known vulnerability: Prototype Pollution in cookie-parser. cookie-parser versions prior to 1.4.6 are vulnerable to prototype pollution via the signed cookie parser. 
An attacker can potentially execute arbitrary code by manipulating cookie values.\nRecommendation: Upgrade to version 1.4.6 or later", "metadata": { "packageName": "cookie-parser", "version": "1.4.0", "advisoryId": 1234570, "cves": [ "CVE-2023-1234" ], "cwes": [ "CWE-1321" ], "cvss": { "score": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" }, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2023-1234\n- https://github.com/advisories/GHSA-cookie-example" } }, { "scanner": "dependency-scanner", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/sample-project/package.json", "line": 1, "column": 1, "type": "VULNERABLE_DEPENDENCY", "severity": "critical", "description": "jsonwebtoken@8.5.1 has known vulnerability: JWT Signature Validation Bypass in jsonwebtoken. jsonwebtoken versions prior to 9.0.0 are vulnerable to signature validation bypass when an `undefined` algorithm is provided. This can allow an attacker to forge tokens that pass validation.\nRecommendation: Upgrade to version 9.0.0 or later", "metadata": { "packageName": "jsonwebtoken", "version": "8.5.1", "advisoryId": 1234571, "cves": [ "CVE-2022-23529" ], "cwes": [ "CWE-347" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-23529\n- https://github.com/advisories/GHSA-8cf7-32gw-wr33" } }, { "scanner": "dependency-scanner", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/sample-project/package.json", "line": 1, "column": 1, "type": "VULNERABLE_DEPENDENCY", "severity": "high", "description": "passport@0.5.3 has known vulnerability: Session Fixation Vulnerability in passport. passport versions prior to 0.6.0 are vulnerable to session fixation attacks. 
An attacker can potentially hijack user sessions by exploiting how the session is handled during authentication.\nRecommendation: Upgrade to version 0.6.0 or later", "metadata": { "packageName": "passport", "version": "0.5.3", "advisoryId": 1234572, "cves": [ "CVE-2022-25901" ], "cwes": [ "CWE-384" ], "cvss": { "score": 8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-25901\n- https://github.com/advisories/GHSA-passport-example" } }, { "scanner": "dependency-scanner", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/sample-project/package.json", "line": 1, "column": 1, "type": "VULNERABLE_DEPENDENCY", "severity": "critical", "description": "passport-jwt@4.0.0 has known vulnerability: Authentication Bypass in passport-jwt. passport-jwt versions prior to 4.0.1 are vulnerable to authentication bypass when using certain JWT algorithms. An attacker can potentially forge tokens that pass validation due to improper algorithm verification.\nRecommendation: Upgrade to version 4.0.1 or later", "metadata": { "packageName": "passport-jwt", "version": "4.0.0", "advisoryId": 1234573, "cves": [ "CVE-2022-25902" ], "cwes": [ "CWE-287" ], "cvss": { "score": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-25902\n- https://github.com/advisories/GHSA-passport-jwt-example" } }, { "scanner": "eslint", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/src/fixers/secret-fixer.js", "type": "DETECT_OBJECT_INJECTION", "severity": "high", "description": "Generic Object Injection Sink", "ruleId": "security/detect-object-injection", "auto_fix_available": false, "line": 9, "column": 7 }, { "scanner": "secret-scanner", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/src/fixers/secret-fixer.js", "line": 6, "column": 35, "type": "HARDCODED_API_KEY", "severity": 
"high", "description": "Detected a potential API Key", "snippet": " let isFixed = false;\n\n if (issue.type === 'HARDCODED_API_KEY') {\n const lines = content.split('\\n');\n const lineIndex = issue.line - 1;" }, { "scanner": "secret-scanner", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/src/fixers/secret-fixer.js", "line": 9, "column": 33, "type": "HARDCODED_API_KEY", "severity": "high", "description": "Detected a potential API Key", "snippet": " const lines = content.split('\\n');\n const lineIndex = issue.line - 1;\n lines[lineIndex] = 'const API_KEY = process.env.API_KEY; // Loaded from environment variable';\n fixedContent = lines.join('\\n');\n isFixed = true;" }, { "scanner": "secret-scanner", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/src/fixers/secret-fixer.js", "line": 9, "column": 55, "type": "HARDCODED_API_KEY", "severity": "high", "description": "Detected a potential API Key", "snippet": " const lines = content.split('\\n');\n const lineIndex = issue.line - 1;\n lines[lineIndex] = 'const API_KEY = process.env.API_KEY; // Loaded from environment variable';\n fixedContent = lines.join('\\n');\n isFixed = true;" }, { "scanner": "eslint", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/src/fixers/xss-fixer.js", "type": "DETECT_OBJECT_INJECTION", "severity": "high", "description": "Variable Assigned to Object Injection Sink", "ruleId": "security/detect-object-injection", "auto_fix_available": false, "line": 7, "column": 18 }, { "scanner": "eslint", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/src/fixers/xss-fixer.js", "type": "DETECT_OBJECT_INJECTION", "severity": "high", "description": "Generic Object Injection Sink", "ruleId": "security/detect-object-injection", "auto_fix_available": false, "line": 10, "column": 5 }, { "scanner": "eslint", "file": "/Users/user/Campuss/Semester 
5/SIBER/mcp-siber-security-audit-main/src/scanners/dependency-scanner.js", "locations": [ { "line": 9, "column": 34 }, { "line": 30, "column": 38 } ], "type": "DETECT_NON_LITERAL_FS_FILENAME", "severity": "high", "description": "Found readFileSync from package \"fs\" with non literal argument at index 0 (Found in 2 locations)", "ruleId": "security/detect-non-literal-fs-filename", "auto_fix_available": false, "line": 9, "column": 34 }, { "scanner": "eslint", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/src/scanners/dependency-scanner.js", "type": "DETECT_UNSAFE_REGEX", "severity": "high", "description": "Unsafe Regular Expression", "ruleId": "security/detect-unsafe-regex", "auto_fix_available": false, "line": 104, "column": 33 }, { "scanner": "eslint", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/src/scanners/secret-scanner.js", "type": "DETECT_NON_LITERAL_FS_FILENAME", "severity": "high", "description": "Found readFile from package \"fs-extra\" with non literal argument at index 0", "ruleId": "security/detect-non-literal-fs-filename", "auto_fix_available": false, "line": 46, "column": 27 }, { "scanner": "eslint", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/src/scanners/secret-scanner.js", "type": "DETECT_OBJECT_INJECTION", "severity": "high", "description": "Variable Assigned to Object Injection Sink", "ruleId": "security/detect-object-injection", "auto_fix_available": false, "line": 55, "column": 20 }, { "scanner": "secret-scanner", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/src/scanners/secret-scanner.js", "line": 14, "column": 17, "type": "HARDCODED_API_KEY", "severity": "high", "description": "Detected a potential API Key", "snippet": " {\n name: 'API Key',\n regex: /API_KEY/g,\n type: 'HARDCODED_API_KEY',\n severity: 'high'," }, { "scanner": "secret-scanner", "file": "/Users/user/Campuss/Semester 
5/SIBER/mcp-siber-security-audit-main/src/scanners/secret-scanner.js", "line": 15, "column": 26, "type": "HARDCODED_API_KEY", "severity": "high", "description": "Detected a potential API Key", "snippet": " name: 'API Key',\n regex: /API_KEY/g,\n type: 'HARDCODED_API_KEY',\n severity: 'high',\n }," }, { "scanner": "eslint", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/src/utils/report-generator.js", "type": "DETECT_NON_LITERAL_FS_FILENAME", "severity": "high", "description": "Found existsSync from package \"fs\" with non literal argument at index 0", "ruleId": "security/detect-non-literal-fs-filename", "auto_fix_available": false, "line": 63, "column": 10 }, { "scanner": "eslint", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/src/utils/report-generator.js", "type": "DETECT_NON_LITERAL_FS_FILENAME", "severity": "high", "description": "Found mkdirSync from package \"fs\" with non literal argument at index 0", "ruleId": "security/detect-non-literal-fs-filename", "auto_fix_available": false, "line": 64, "column": 7 }, { "scanner": "eslint", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/src/utils/report-generator.js", "type": "DETECT_NON_LITERAL_FS_FILENAME", "severity": "high", "description": "Found writeFileSync from package \"fs\" with non literal argument at index 0", "ruleId": "security/detect-non-literal-fs-filename", "auto_fix_available": false, "line": 70, "column": 5 }, { "scanner": "secret-scanner", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/src/fixers/secret-fixer.js", "line": 13, "column": 18, "type": "INSECURE_URL", "severity": "medium", "description": "Detected a potential Insecure URL", "snippet": " isFixed = true;\n } else if (issue.type === 'INSECURE_URL') {\n // Replace http:// with https://\n fixedContent = content.replace('http://', 'https://');\n isFixed = true;" }, { "scanner": "secret-scanner", "file": 
"/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/src/fixers/secret-fixer.js", "line": 14, "column": 39, "type": "INSECURE_URL", "severity": "medium", "description": "Detected a potential Insecure URL", "snippet": " } else if (issue.type === 'INSECURE_URL') {\n // Replace http:// with https://\n fixedContent = content.replace('http://', 'https://');\n isFixed = true;\n }" }, { "scanner": "secret-scanner", "file": "/Users/user/Campuss/Semester 5/SIBER/mcp-siber-security-audit-main/src/scanners/secret-scanner.js", "line": 26, "column": 17, "type": "HARDCODED_PRIVATE_KEY", "severity": "critical", "description": "Detected a potential Private Key", "snippet": " {\n name: 'Private Key',\n regex: /-----BEGIN.*PRIVATE KEY-----/g,\n type: 'HARDCODED_PRIVATE_KEY',\n severity: 'critical'," } ] }