feat: add security sink detection patterns for JavaScript/TypeScript

- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations). - Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns. - Added `package-lock.json` for dependency management.
2025-12-22 23:21:21 +02:00
parent 3ba7157b00
commit 5146204f1b
529 changed files with 73579 additions and 5985 deletions
--- a/src/Cli/StellaOps.Cli/Services/VerdictAttestationVerifier.cs
+++ b/src/Cli/StellaOps.Cli/Services/VerdictAttestationVerifier.cs
@@ -0,0 +1,486 @@
+// -----------------------------------------------------------------------------
+// VerdictAttestationVerifier.cs
+// Sprint: SPRINT_4300_0001_0001_oci_verdict_attestation_push
+// Task: VERDICT-022 - DSSE envelope signature verification added.
+// Description: Service for verifying verdict attestations via OCI referrers API.
+// -----------------------------------------------------------------------------
+
+using System.IO.Compression;
+using System.Text;
+using System.Text.Json;
+using Microsoft.Extensions.Logging;
+using StellaOps.Cli.Commands;
+using StellaOps.Cli.Services.Models;
+using StellaOps.Scanner.Storage.Oci;
+
+namespace StellaOps.Cli.Services;
+
+/// <summary>
+/// Service for verifying verdict attestations attached to container images.
+/// Uses the OCI referrers API to discover and fetch verdict artifacts.
+/// </summary>
+public sealed class VerdictAttestationVerifier : IVerdictAttestationVerifier
+{
+    private readonly IOciRegistryClient _registryClient;
+    private readonly ITrustPolicyLoader _trustPolicyLoader;
+    private readonly IDsseSignatureVerifier _dsseVerifier;
+    private readonly ILogger<VerdictAttestationVerifier> _logger;
+
+    private static readonly JsonSerializerOptions JsonOptions = new(JsonSerializerDefaults.Web);
+
+    public VerdictAttestationVerifier(
+        IOciRegistryClient registryClient,
+        ITrustPolicyLoader trustPolicyLoader,
+        IDsseSignatureVerifier dsseVerifier,
+        ILogger<VerdictAttestationVerifier> logger)
+    {
+        _registryClient = registryClient ?? throw new ArgumentNullException(nameof(registryClient));
+        _trustPolicyLoader = trustPolicyLoader ?? throw new ArgumentNullException(nameof(trustPolicyLoader));
+        _dsseVerifier = dsseVerifier ?? throw new ArgumentNullException(nameof(dsseVerifier));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    public async Task<VerdictVerificationResult> VerifyAsync(
+        VerdictVerificationRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        var parsed = OciImageReferenceParser.Parse(request.Reference);
+        var imageDigest = await ResolveImageDigestAsync(parsed, cancellationToken).ConfigureAwait(false);
+
+        if (string.IsNullOrWhiteSpace(imageDigest))
+        {
+            return CreateFailedResult(request.Reference, "unknown", "Failed to resolve image digest");
+        }
+
+        _logger.LogDebug("Fetching verdict referrers for {Reference} ({Digest})", request.Reference, imageDigest);
+
+        // Fetch referrers with verdict artifact type
+        var referrers = await _registryClient.GetReferrersAsync(
+            parsed.Registry,
+            parsed.Repository,
+            imageDigest,
+            OciMediaTypes.VerdictAttestation,
+            cancellationToken).ConfigureAwait(false);
+
+        if (referrers.Count == 0)
+        {
+            _logger.LogWarning("No verdict attestations found for {Reference}", request.Reference);
+            return new VerdictVerificationResult
+            {
+                ImageReference = request.Reference,
+                ImageDigest = imageDigest,
+                VerdictFound = false,
+                IsValid = false,
+                Errors = new[] { "No verdict attestation found for image" }
+            };
+        }
+
+        // Get the most recent verdict (first in the list)
+        var verdictReferrer = referrers[0];
+        _logger.LogDebug("Found verdict attestation: {Digest}", verdictReferrer.Digest);
+
+        // Extract verdict metadata from annotations
+        var annotations = verdictReferrer.Annotations ?? new Dictionary<string, string>();
+        var actualSbomDigest = annotations.GetValueOrDefault(OciAnnotations.StellaSbomDigest);
+        var actualFeedsDigest = annotations.GetValueOrDefault(OciAnnotations.StellaFeedsDigest);
+        var actualPolicyDigest = annotations.GetValueOrDefault(OciAnnotations.StellaPolicyDigest);
+        var actualDecision = annotations.GetValueOrDefault(OciAnnotations.StellaVerdictDecision);
+
+        // Compare against expected values
+        var sbomMatches = CompareDigests(request.ExpectedSbomDigest, actualSbomDigest);
+        var feedsMatches = CompareDigests(request.ExpectedFeedsDigest, actualFeedsDigest);
+        var policyMatches = CompareDigests(request.ExpectedPolicyDigest, actualPolicyDigest);
+        var decisionMatches = CompareDecision(request.ExpectedDecision, actualDecision);
+
+        var errors = new List<string>();
+        var isValid = true;
+
+        // Check for mismatches
+        if (sbomMatches == false)
+        {
+            errors.Add($"SBOM digest mismatch: expected {request.ExpectedSbomDigest}, actual {actualSbomDigest}");
+            isValid = false;
+        }
+
+        if (feedsMatches == false)
+        {
+            errors.Add($"Feeds digest mismatch: expected {request.ExpectedFeedsDigest}, actual {actualFeedsDigest}");
+            isValid = false;
+        }
+
+        if (policyMatches == false)
+        {
+            errors.Add($"Policy digest mismatch: expected {request.ExpectedPolicyDigest}, actual {actualPolicyDigest}");
+            isValid = false;
+        }
+
+        if (decisionMatches == false)
+        {
+            errors.Add($"Decision mismatch: expected {request.ExpectedDecision}, actual {actualDecision}");
+            isValid = false;
+        }
+
+        // In strict mode, all expected values must be provided and match
+        if (request.Strict)
+        {
+            if (sbomMatches == null && !string.IsNullOrWhiteSpace(request.ExpectedSbomDigest))
+            {
+                errors.Add("Strict mode: SBOM digest not present in verdict");
+                isValid = false;
+            }
+
+            if (feedsMatches == null && !string.IsNullOrWhiteSpace(request.ExpectedFeedsDigest))
+            {
+                errors.Add("Strict mode: Feeds digest not present in verdict");
+                isValid = false;
+            }
+
+            if (policyMatches == null && !string.IsNullOrWhiteSpace(request.ExpectedPolicyDigest))
+            {
+                errors.Add("Strict mode: Policy digest not present in verdict");
+                isValid = false;
+            }
+        }
+
+        // VERDICT-022: Verify DSSE envelope signature if trust policy is provided
+        bool? signatureValid = null;
+        string? signerIdentity = null;
+
+        if (!string.IsNullOrWhiteSpace(request.TrustPolicyPath))
+        {
+            try
+            {
+                var signatureResult = await VerifyDsseSignatureAsync(
+                    parsed,
+                    verdictReferrer.Digest,
+                    request.TrustPolicyPath,
+                    cancellationToken).ConfigureAwait(false);
+
+                signatureValid = signatureResult.IsValid;
+                signerIdentity = signatureResult.SignerIdentity;
+
+                if (!signatureResult.IsValid)
+                {
+                    errors.Add($"Signature verification failed: {signatureResult.Error}");
+                    isValid = false;
+                }
+            }
+            catch (Exception ex)
+            {
+                _logger.LogWarning(ex, "Failed to verify DSSE signature for verdict");
+                errors.Add($"Signature verification error: {ex.Message}");
+                signatureValid = false;
+                isValid = false;
+            }
+        }
+
+        return new VerdictVerificationResult
+        {
+            ImageReference = request.Reference,
+            ImageDigest = imageDigest,
+            VerdictFound = true,
+            IsValid = isValid,
+            VerdictDigest = verdictReferrer.Digest,
+            Decision = actualDecision,
+            ExpectedSbomDigest = request.ExpectedSbomDigest,
+            ActualSbomDigest = actualSbomDigest,
+            SbomDigestMatches = sbomMatches,
+            ExpectedFeedsDigest = request.ExpectedFeedsDigest,
+            ActualFeedsDigest = actualFeedsDigest,
+            FeedsDigestMatches = feedsMatches,
+            ExpectedPolicyDigest = request.ExpectedPolicyDigest,
+            ActualPolicyDigest = actualPolicyDigest,
+            PolicyDigestMatches = policyMatches,
+            ExpectedDecision = request.ExpectedDecision,
+            DecisionMatches = decisionMatches,
+            SignatureValid = signatureValid,
+            SignerIdentity = signerIdentity,
+            Errors = errors
+        };
+    }
+
+    public async Task<IReadOnlyList<VerdictSummary>> ListAsync(
+        string reference,
+        CancellationToken cancellationToken = default)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(reference);
+
+        var parsed = OciImageReferenceParser.Parse(reference);
+        var imageDigest = await ResolveImageDigestAsync(parsed, cancellationToken).ConfigureAwait(false);
+
+        if (string.IsNullOrWhiteSpace(imageDigest))
+        {
+            return Array.Empty<VerdictSummary>();
+        }
+
+        var referrers = await _registryClient.GetReferrersAsync(
+            parsed.Registry,
+            parsed.Repository,
+            imageDigest,
+            OciMediaTypes.VerdictAttestation,
+            cancellationToken).ConfigureAwait(false);
+
+        var summaries = new List<VerdictSummary>();
+        foreach (var referrer in referrers)
+        {
+            var annotations = referrer.Annotations ?? new Dictionary<string, string>();
+            var timestampStr = annotations.GetValueOrDefault(OciAnnotations.StellaVerdictTimestamp);
+            DateTimeOffset? createdAt = null;
+            if (!string.IsNullOrWhiteSpace(timestampStr) && DateTimeOffset.TryParse(timestampStr, out var ts))
+            {
+                createdAt = ts;
+            }
+
+            summaries.Add(new VerdictSummary
+            {
+                Digest = referrer.Digest,
+                Decision = annotations.GetValueOrDefault(OciAnnotations.StellaVerdictDecision),
+                CreatedAt = createdAt,
+                SbomDigest = annotations.GetValueOrDefault(OciAnnotations.StellaSbomDigest),
+                FeedsDigest = annotations.GetValueOrDefault(OciAnnotations.StellaFeedsDigest),
+                PolicyDigest = annotations.GetValueOrDefault(OciAnnotations.StellaPolicyDigest),
+                GraphRevisionId = annotations.GetValueOrDefault(OciAnnotations.StellaGraphRevisionId)
+            });
+        }
+
+        return summaries;
+    }
+
+    private async Task<string?> ResolveImageDigestAsync(
+        OciImageReference parsed,
+        CancellationToken cancellationToken)
+    {
+        // If already a digest, return it
+        if (!string.IsNullOrWhiteSpace(parsed.Digest))
+        {
+            return parsed.Digest;
+        }
+
+        // Otherwise, resolve tag to digest
+        if (!string.IsNullOrWhiteSpace(parsed.Tag))
+        {
+            try
+            {
+                return await _registryClient.ResolveTagAsync(
+                    parsed.Registry,
+                    parsed.Repository,
+                    parsed.Tag,
+                    cancellationToken).ConfigureAwait(false);
+            }
+            catch (Exception ex)
+            {
+                _logger.LogWarning(ex, "Failed to resolve tag {Tag} to digest", parsed.Tag);
+            }
+        }
+
+        return null;
+    }
+
+    private static bool? CompareDigests(string? expected, string? actual)
+    {
+        if (string.IsNullOrWhiteSpace(expected))
+        {
+            return null; // No expected value, skip comparison
+        }
+
+        if (string.IsNullOrWhiteSpace(actual))
+        {
+            return null; // No actual value to compare
+        }
+
+        return string.Equals(expected, actual, StringComparison.OrdinalIgnoreCase);
+    }
+
+    private static bool? CompareDecision(string? expected, string? actual)
+    {
+        if (string.IsNullOrWhiteSpace(expected))
+        {
+            return null; // No expected value, skip comparison
+        }
+
+        if (string.IsNullOrWhiteSpace(actual))
+        {
+            return null; // No actual value to compare
+        }
+
+        return string.Equals(expected, actual, StringComparison.OrdinalIgnoreCase);
+    }
+
+    private static VerdictVerificationResult CreateFailedResult(string reference, string digest, string error)
+    {
+        return new VerdictVerificationResult
+        {
+            ImageReference = reference,
+            ImageDigest = digest,
+            VerdictFound = false,
+            IsValid = false,
+            Errors = new[] { error }
+        };
+    }
+
+    /// <summary>
+    /// Verify the DSSE signature of a verdict attestation.
+    /// Sprint: SPRINT_4300_0001_0001, Task: VERDICT-022
+    /// </summary>
+    private async Task<DsseVerificationResult> VerifyDsseSignatureAsync(
+        OciImageReference parsed,
+        string verdictDigest,
+        string trustPolicyPath,
+        CancellationToken cancellationToken)
+    {
+        // Load trust policy
+        var trustPolicy = await _trustPolicyLoader.LoadAsync(trustPolicyPath, cancellationToken).ConfigureAwait(false);
+        if (trustPolicy.Keys.Count == 0)
+        {
+            return new DsseVerificationResult
+            {
+                IsValid = false,
+                Error = "Trust policy contains no keys"
+            };
+        }
+
+        // Fetch the verdict manifest to get the DSSE layer
+        var manifest = await _registryClient.GetManifestAsync(parsed, verdictDigest, cancellationToken).ConfigureAwait(false);
+        var dsseLayer = SelectDsseLayer(manifest);
+        if (dsseLayer is null)
+        {
+            return new DsseVerificationResult
+            {
+                IsValid = false,
+                Error = "No DSSE layer found in verdict manifest"
+            };
+        }
+
+        // Fetch the DSSE envelope blob
+        var blob = await _registryClient.GetBlobAsync(parsed, dsseLayer.Digest, cancellationToken).ConfigureAwait(false);
+        var payload = await DecodeLayerAsync(dsseLayer, blob, cancellationToken).ConfigureAwait(false);
+
+        // Parse the DSSE envelope
+        var envelope = ParseDsseEnvelope(payload);
+        if (envelope is null)
+        {
+            return new DsseVerificationResult
+            {
+                IsValid = false,
+                Error = "Failed to parse DSSE envelope"
+            };
+        }
+
+        // Extract signatures
+        var signatures = envelope.Signatures
+            .Where(sig => !string.IsNullOrWhiteSpace(sig.KeyId) && !string.IsNullOrWhiteSpace(sig.Signature))
+            .Select(sig => new DsseSignatureInput
+            {
+                KeyId = sig.KeyId!,
+                SignatureBase64 = sig.Signature!
+            })
+            .ToList();
+
+        if (signatures.Count == 0)
+        {
+            return new DsseVerificationResult
+            {
+                IsValid = false,
+                Error = "DSSE envelope contains no signatures"
+            };
+        }
+
+        // Verify signatures
+        var verification = _dsseVerifier.Verify(
+            envelope.PayloadType,
+            envelope.Payload,
+            signatures,
+            trustPolicy);
+
+        return new DsseVerificationResult
+        {
+            IsValid = verification.IsValid,
+            SignerIdentity = verification.KeyId,
+            Error = verification.Error
+        };
+    }
+
+    private static OciDescriptor? SelectDsseLayer(OciManifest manifest)
+    {
+        if (manifest.Layers.Count == 0)
+        {
+            return null;
+        }
+
+        // Look for DSSE/in-toto layer by media type
+        var dsse = manifest.Layers.FirstOrDefault(layer =>
+            layer.MediaType is not null &&
+            (layer.MediaType.Contains("dsse", StringComparison.OrdinalIgnoreCase) ||
+             layer.MediaType.Contains("in-toto", StringComparison.OrdinalIgnoreCase) ||
+             layer.MediaType.Contains("intoto", StringComparison.OrdinalIgnoreCase)));
+
+        return dsse ?? manifest.Layers[0];
+    }
+
+    private static async Task<byte[]> DecodeLayerAsync(OciDescriptor layer, byte[] content, CancellationToken ct)
+    {
+        if (layer.MediaType is null || !layer.MediaType.Contains("gzip", StringComparison.OrdinalIgnoreCase))
+        {
+            return content;
+        }
+
+        await using var input = new MemoryStream(content);
+        await using var gzip = new GZipStream(input, CompressionMode.Decompress);
+        await using var output = new MemoryStream();
+        await gzip.CopyToAsync(output, ct).ConfigureAwait(false);
+        return output.ToArray();
+    }
+
+    private static DsseEnvelopeWire? ParseDsseEnvelope(byte[] payload)
+    {
+        try
+        {
+            var json = Encoding.UTF8.GetString(payload);
+            var envelope = JsonSerializer.Deserialize<DsseEnvelopeWire>(json, JsonOptions);
+            if (envelope is null ||
+                string.IsNullOrWhiteSpace(envelope.PayloadType) ||
+                string.IsNullOrWhiteSpace(envelope.Payload))
+            {
+                return null;
+            }
+
+            envelope.Signatures ??= new List<DsseSignatureWire>();
+            return envelope;
+        }
+        catch
+        {
+            return null;
+        }
+    }
+
+    /// <summary>
+    /// Result of DSSE signature verification.
+    /// </summary>
+    private sealed record DsseVerificationResult
+    {
+        public required bool IsValid { get; init; }
+        public string? SignerIdentity { get; init; }
+        public string? Error { get; init; }
+    }
+
+    /// <summary>
+    /// Wire format for DSSE envelope.
+    /// </summary>
+    private sealed record DsseEnvelopeWire
+    {
+        public string PayloadType { get; init; } = string.Empty;
+        public string Payload { get; init; } = string.Empty;
+        public List<DsseSignatureWire> Signatures { get; set; } = new();
+    }
+
+    /// <summary>
+    /// Wire format for DSSE signature.
+    /// </summary>
+    private sealed record DsseSignatureWire
+    {
+        public string? KeyId { get; init; }
+        public string? Signature { get; init; }
+    }
+}