feat: add security sink detection patterns for JavaScript/TypeScript

- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations). - Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns. - Added `package-lock.json` for dependency management.
2025-12-22 23:21:21 +02:00
parent 3ba7157b00
commit 5146204f1b
529 changed files with 73579 additions and 5985 deletions
--- a/src/Aoc/StellaOps.Aoc.Cli/Commands/VerifyCommand.cs
+++ b/src/Aoc/StellaOps.Aoc.Cli/Commands/VerifyCommand.cs
@@ -17,13 +17,12 @@ public static class VerifyCommand
            IsRequired = true
        };

-        var mongoOption = new Option<string?>(
-            aliases: ["--mongo", "-m"],
-            description: "MongoDB connection string (legacy support)");
-
-        var postgresOption = new Option<string?>(
+        var postgresOption = new Option<string>(
            aliases: ["--postgres", "-p"],
-            description: "PostgreSQL connection string");
+            description: "PostgreSQL connection string")
+        {
+            IsRequired = true
+        };

        var outputOption = new Option<string?>(
            aliases: ["--output", "-o"],
@@ -50,7 +49,6 @@ public static class VerifyCommand
        var command = new Command("verify", "Verify AOC compliance for documents since a given point")
        {
            sinceOption,
-            mongoOption,
            postgresOption,
            outputOption,
            ndjsonOption,
@@ -62,8 +60,7 @@ public static class VerifyCommand
        command.SetHandler(async (context) =>
        {
            var since = context.ParseResult.GetValueForOption(sinceOption)!;
-            var mongo = context.ParseResult.GetValueForOption(mongoOption);
-            var postgres = context.ParseResult.GetValueForOption(postgresOption);
+            var postgres = context.ParseResult.GetValueForOption(postgresOption)!;
            var output = context.ParseResult.GetValueForOption(outputOption);
            var ndjson = context.ParseResult.GetValueForOption(ndjsonOption);
            var tenant = context.ParseResult.GetValueForOption(tenantOption);
@@ -73,7 +70,6 @@ public static class VerifyCommand
            var options = new VerifyOptions
            {
                Since = since,
-                MongoConnectionString = mongo,
                PostgresConnectionString = postgres,
                OutputPath = output,
                NdjsonPath = ndjson,
@@ -99,13 +95,6 @@ public static class VerifyCommand
            Console.WriteLine($"  Dry run: {options.DryRun}");
        }

-        // Validate connection string is provided
-        if (string.IsNullOrEmpty(options.MongoConnectionString) && string.IsNullOrEmpty(options.PostgresConnectionString))
-        {
-            Console.Error.WriteLine("Error: Either --mongo or --postgres connection string is required");
-            return 1;
-        }
-
        if (options.DryRun)
        {
            Console.WriteLine("Dry run mode - configuration validated successfully");
--- a/src/Aoc/StellaOps.Aoc.Cli/Models/VerifyOptions.cs
+++ b/src/Aoc/StellaOps.Aoc.Cli/Models/VerifyOptions.cs
@@ -3,8 +3,7 @@ namespace StellaOps.Aoc.Cli.Models;
 public sealed class VerifyOptions
 {
    public required string Since { get; init; }
-    public string? MongoConnectionString { get; init; }
-    public string? PostgresConnectionString { get; init; }
+    public required string PostgresConnectionString { get; init; }
    public string? OutputPath { get; init; }
    public string? NdjsonPath { get; init; }
    public string? Tenant { get; init; }
--- a/src/Aoc/StellaOps.Aoc.Cli/Services/AocVerificationService.cs
+++ b/src/Aoc/StellaOps.Aoc.Cli/Services/AocVerificationService.cs
@@ -22,17 +22,8 @@ public sealed class AocVerificationService
        // Parse the since parameter
        var sinceTimestamp = ParseSinceParameter(options.Since);

-        // Route to appropriate database verification
-        if (!string.IsNullOrEmpty(options.PostgresConnectionString))
-        {
-            await VerifyPostgresAsync(options.PostgresConnectionString, sinceTimestamp, options.Tenant, result, cancellationToken);
-        }
-        else if (!string.IsNullOrEmpty(options.MongoConnectionString))
-        {
-            // MongoDB support - for legacy verification
-            // Note: The codebase is transitioning to PostgreSQL
-            await VerifyMongoAsync(options.MongoConnectionString, sinceTimestamp, options.Tenant, result, cancellationToken);
-        }
+        // Verify using PostgreSQL
+        await VerifyPostgresAsync(options.PostgresConnectionString, sinceTimestamp, options.Tenant, result, cancellationToken);

        stopwatch.Stop();
        result.DurationMs = stopwatch.ElapsedMilliseconds;
@@ -238,19 +229,4 @@ public sealed class AocVerificationService
        }
    }

-    private Task VerifyMongoAsync(
-        string connectionString,
-        DateTimeOffset since,
-        string? tenant,
-        VerificationResult result,
-        CancellationToken cancellationToken)
-    {
-        // MongoDB support is deprecated - log warning and return empty result
-        Console.WriteLine("Warning: MongoDB verification is deprecated. The codebase is transitioning to PostgreSQL.");
-        Console.WriteLine("         Use --postgres instead of --mongo for production verification.");
-
-        // For backwards compatibility during transition, we don't fail
-        // but we also don't perform actual MongoDB queries
-        return Task.CompletedTask;
-    }
 }
--- a/src/Aoc/__Tests/StellaOps.Aoc.Cli.Tests/AocVerificationServiceTests.cs
+++ b/src/Aoc/__Tests/StellaOps.Aoc.Cli.Tests/AocVerificationServiceTests.cs
@@ -117,25 +117,16 @@ public sealed class AocVerificationServiceTests
    }

    [Fact]
-    public void VerifyOptions_MongoAndPostgres_AreMutuallyExclusive()
+    public void VerifyOptions_PostgresConnectionString_IsRequired()
    {
-        var optionsMongo = new VerifyOptions
-        {
-            Since = "HEAD~1",
-            MongoConnectionString = "mongodb://localhost:27017"
-        };
-
-        var optionsPostgres = new VerifyOptions
+        var options = new VerifyOptions
        {
            Since = "HEAD~1",
            PostgresConnectionString = "Host=localhost;Database=test"
        };

-        Assert.NotNull(optionsMongo.MongoConnectionString);
-        Assert.Null(optionsMongo.PostgresConnectionString);
-
-        Assert.Null(optionsPostgres.MongoConnectionString);
-        Assert.NotNull(optionsPostgres.PostgresConnectionString);
+        Assert.NotNull(options.PostgresConnectionString);
+        Assert.Equal("Host=localhost;Database=test", options.PostgresConnectionString);
    }

    [Fact]
@@ -143,7 +134,8 @@ public sealed class AocVerificationServiceTests
    {
        var options = new VerifyOptions
        {
-            Since = "2025-01-01"
+            Since = "2025-01-01",
+            PostgresConnectionString = "Host=localhost;Database=test"
        };

        Assert.False(options.DryRun);
@@ -154,7 +146,8 @@ public sealed class AocVerificationServiceTests
    {
        var options = new VerifyOptions
        {
-            Since = "2025-01-01"
+            Since = "2025-01-01",
+            PostgresConnectionString = "Host=localhost;Database=test"
        };

        Assert.False(options.Verbose);