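"use strict";
/**
 * Main security analyzer that orchestrates all security vulnerability detectors
 * and folds their findings into one aggregated result.
 */
Object.defineProperty(exports, "__esModule", { value: true });
exports.SecurityAnalyzer = void 0;
const VulnerabilityAggregator_1 = require("./utils/VulnerabilityAggregator");
// Detector modules. The severity each detector is run under is documented in
// the list built by `createDetectors()` below, which is the authoritative order.
const HardcodedSecretDetector_1 = require("./detectors/HardcodedSecretDetector");
const DangerousEvalDetector_1 = require("./detectors/DangerousEvalDetector");
const UnsafeHTMLDetector_1 = require("./detectors/UnsafeHTMLDetector");
const ConsoleLoggingDetector_1 = require("./detectors/ConsoleLoggingDetector");
const SqlInjectionDetector_1 = require("./detectors/SqlInjectionDetector");
const InsecureRandomDetector_1 = require("./detectors/InsecureRandomDetector");
const MixedContentDetector_1 = require("./detectors/MixedContentDetector");
const EnvironmentExposureDetector_1 = require("./detectors/EnvironmentExposureDetector");
const DebugCodeDetector_1 = require("./detectors/DebugCodeDetector");
const SecurityHeaderDetector_1 = require("./detectors/SecurityHeaderDetector");
const InsecureCookieDetector_1 = require("./detectors/InsecureCookieDetector");
const ClientStorageDetector_1 = require("./detectors/ClientStorageDetector");
const UnvalidatedRedirectDetector_1 = require("./detectors/UnvalidatedRedirectDetector");
const RedosPatternDetector_1 = require("./detectors/RedosPatternDetector");
const ServerOnlyImportsDetector_1 = require("./detectors/ServerOnlyImportsDetector");
const ReactAntiPatternDetector_1 = require("./detectors/ReactAntiPatternDetector");
/** Vulnerability types that the configuration-security summary is derived from. */
const CONFIG_VULN_TYPES = new Set(["missing-security-headers", "environment-exposure"]);
/** Vulnerability types that the dependency-security summary is derived from. */
const DEPENDENCY_VULN_TYPES = new Set(["insecure-random", "dangerous-eval"]);
/**
 * Normalize a reported file path to forward slashes so the "/api/" route check
 * behaves the same for Windows-style paths as for POSIX ones.
 * A missing or non-string path yields "" (and therefore never matches).
 */
function toPosixPath(filePath) {
    return typeof filePath === "string" ? filePath.replace(/\\/g, "/") : "";
}
/**
 * True when a vulnerability was reported in an API route file.
 * "/pages/api/" paths are covered by the "/api/" test, so one check suffices.
 */
function isApiRouteVulnerability(vuln) {
    return toPosixPath(vuln.filePath).includes("/api/");
}
/** Return `value` when it is an array, otherwise an empty array. */
function asArray(value) {
    return Array.isArray(value) ? value : [];
}
class SecurityAnalyzer {
    /**
     * Run every registered detector against a scan result and aggregate the findings.
     *
     * @param scanResult project scan handed to each detector (its `apiRoutes` and
     *                   `packageInfo` arrays are also used for the project summary)
     * @param context    detector context, passed through to each detector unchanged
     * @returns the result of `VulnerabilityAggregator.aggregateResults`, with
     *          `projectAnalysis` enriched by `enhanceProjectAnalysis`
     */
    async analyze(scanResult, context) {
        const allVulnerabilities = [];
        for (const detector of this.createDetectors()) {
            try {
                const vulnerabilities = await detector.detect(scanResult, context);
                allVulnerabilities.push(...vulnerabilities);
            }
            catch (error) {
                // Best effort by design: one failing detector must not hide the
                // findings of the others, so log and move on.
                console.error(`Error running detector ${detector.constructor.name}:`, error);
            }
        }
        const result = VulnerabilityAggregator_1.VulnerabilityAggregator.aggregateResults(allVulnerabilities);
        this.enhanceProjectAnalysis(result, scanResult);
        return result;
    }
    /**
     * Instantiate the detector set, grouped by the severity of what each one reports.
     * A fresh set is built per call, so any per-run detector state starts clean.
     */
    createDetectors() {
        return [
            // Critical Severity
            new HardcodedSecretDetector_1.HardcodedSecretDetector(),
            new DangerousEvalDetector_1.DangerousEvalDetector(),
            new UnsafeHTMLDetector_1.UnsafeHTMLDetector(),
            new ConsoleLoggingDetector_1.ConsoleLoggingDetector(),
            new ReactAntiPatternDetector_1.ReactAntiPatternDetector(),
            new SqlInjectionDetector_1.SqlInjectionDetector(),
            // High Severity
            new InsecureRandomDetector_1.InsecureRandomDetector(),
            new MixedContentDetector_1.MixedContentDetector(),
            new EnvironmentExposureDetector_1.EnvironmentExposureDetector(),
            new DebugCodeDetector_1.DebugCodeDetector(),
            new RedosPatternDetector_1.RedosPatternDetector(),
            new ServerOnlyImportsDetector_1.ServerOnlyImportsDetector(),
            // Medium Severity
            new SecurityHeaderDetector_1.SecurityHeaderDetector(),
            new InsecureCookieDetector_1.InsecureCookieDetector(),
            new ClientStorageDetector_1.ClientStorageDetector(),
            new UnvalidatedRedirectDetector_1.UnvalidatedRedirectDetector(),
        ];
    }
    /**
     * Enrich `result.projectAnalysis` with project-level summaries derived from the scan.
     *
     * Compared with the earlier version:
     *  - `vulnerableRoutes` counts distinct API route files, not raw findings, so it
     *    can no longer exceed `totalRoutes` when one route has several findings;
     *  - the "/api/" check runs on a forward-slash-normalized path so Windows paths match;
     *  - a missing `apiRoutes` / `packageInfo` / `vulnerabilities` array counts as empty
     *    instead of throwing.
     *
     * @param result     aggregated result whose `projectAnalysis` object is mutated in place
     * @param scanResult project scan providing `apiRoutes` and `packageInfo`
     */
    enhanceProjectAnalysis(result, scanResult) {
        const apiRoutes = asArray(scanResult.apiRoutes);
        const packageInfo = asArray(scanResult.packageInfo);
        const vulnerabilities = asArray(result.vulnerabilities);
        // API route security: one route file may carry several findings, so dedupe by path.
        const vulnerableRouteFiles = new Set(vulnerabilities
            .filter(isApiRouteVulnerability)
            .map((v) => toPosixPath(v.filePath)));
        result.projectAnalysis.apiRouteSecurity = {
            totalRoutes: apiRoutes.length,
            vulnerableRoutes: vulnerableRouteFiles.size,
            authenticatedRoutes: apiRoutes.filter((route) => route.authenticationRequired).length,
            validatedRoutes: apiRoutes.filter((route) => route.validationPresent).length,
        };
        // Configuration security
        const configVulns = vulnerabilities.filter((v) => CONFIG_VULN_TYPES.has(v.type));
        result.projectAnalysis.configurationSecurity = {
            securityHeadersConfigured: !configVulns.some((v) => v.type === "missing-security-headers"),
            envVarsSecure: !configVulns.some((v) => v.type === "environment-exposure"),
            missingConfigurations: configVulns.map((v) => v.description),
        };
        // Dependency security
        result.projectAnalysis.dependencySecurity = {
            totalDependencies: packageInfo.length,
            // NOTE(review): "insecure-random" / "dangerous-eval" are code-level findings,
            // not package findings; kept as the count for compatibility, but it is a proxy.
            vulnerableDependencies: vulnerabilities.filter((v) => DEPENDENCY_VULN_TYPES.has(v.type)).length,
            // No registry lookup happens here, so this stays 0 until one is added.
            outdatedDependencies: 0,
        };
    }
}
exports.SecurityAnalyzer = SecurityAnalyzer;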