feat: add security sink detection patterns for JavaScript/TypeScript
- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations). - Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns. - Added `package-lock.json` for dependency management.
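--- /dev/null
+++ b/src/Policy/StellaOps.Policy.Engine/Gates/DriftGateOptions.cs
@@ -0,0 +1,151 @@
+// -----------------------------------------------------------------------------
+// DriftGateOptions.cs
+// Sprint: SPRINT_3600_0005_0001_policy_ci_gate_integration
+// Description: Configuration options for drift gate evaluation.
+// -----------------------------------------------------------------------------
+
+using System.Collections.Immutable;
+using System.ComponentModel.DataAnnotations;
+
+namespace StellaOps.Policy.Engine.Gates;
+
+/// <summary>
+/// Configuration options for drift gate evaluation.
+/// </summary>
+public sealed class DriftGateOptions
+{
+/// <summary>
+/// Configuration section name.
+/// </summary>
+public const string SectionName = "SmartDiff:Gates";
+
+/// <summary>
+/// Whether drift gates are enabled.
+/// </summary>
+public bool Enabled { get; set; } = true;
+
+/// <summary>
+/// Custom gate definitions.
+/// </summary>
+public List<DriftGateDefinition> Gates { get; set; } = [];
+
+/// <summary>
+/// Default action when no gate matches.
+/// </summary>
+public DriftGateAction DefaultAction { get; set; } = DriftGateAction.Warn;
+
+/// <summary>
+/// Whether to block on KEV reachable by default.
+/// </summary>
+public bool BlockOnKev { get; set; } = true;
+
+/// <summary>
+/// Whether to block when affected vulnerabilities become reachable.
+/// </summary>
+public bool BlockOnAffectedReachable { get; set; } = true;
+
+/// <summary>
+/// Whether to auto-emit VEX candidates for unreachable sinks.
+/// </summary>
+public bool AutoEmitVexForUnreachable { get; set; } = true;
+
+/// <summary>
+/// Minimum CVSS score to trigger block action.
+/// </summary>
+public double? CvssBlockThreshold { get; set; } = 9.0;
+
+/// <summary>
+/// Minimum EPSS score to trigger block action.
+/// </summary>
+public double? EpssBlockThreshold { get; set; } = 0.5;
+}
+
+/// <summary>
+/// A custom gate definition from policy configuration.
+/// </summary>
+public sealed class DriftGateDefinition
+{
+/// <summary>
+/// Gate identifier.
+/// </summary>
+[Required]
+public string Id { get; set; } = string.Empty;
+
+/// <summary>
+/// Condition expression (e.g., "delta_reachable > 0 AND is_kev = true").
+/// </summary>
+[Required]
+public string Condition { get; set; } = string.Empty;
+
+/// <summary>
+/// Action to take when condition matches.
+/// </summary>
+public DriftGateAction Action { get; set; } = DriftGateAction.Warn;
+
+/// <summary>
+/// Message to display when gate triggers.
+/// </summary>
+public string Message { get; set; } = string.Empty;
+
+/// <summary>
+/// Severity level.
+/// </summary>
+public DriftGateSeverity Severity { get; set; } = DriftGateSeverity.Medium;
+
+/// <summary>
+/// Whether to auto-mitigate (emit VEX) when condition matches.
+/// </summary>
+public bool AutoMitigate { get; set; }
+}
+
+/// <summary>
+/// Actions that can be taken by drift gates.
+/// </summary>
+public enum DriftGateAction
+{
+/// <summary>
+/// Allow the drift to proceed.
+/// </summary>
+Allow,
+
+/// <summary>
+/// Allow with a warning.
+/// </summary>
+Warn,
+
+/// <summary>
+/// Block the drift.
+/// </summary>
+Block
+}
+
+/// <summary>
+/// Severity levels for drift gates.
+/// </summary>
+public enum DriftGateSeverity
+{
+/// <summary>
+/// Informational.
+/// </summary>
+Info,
+
+/// <summary>
+/// Low severity.
+/// </summary>
+Low,
+
+/// <summary>
+/// Medium severity.
+/// </summary>
+Medium,
+
+/// <summary>
+/// High severity.
+/// </summary>
+High,
+
+/// <summary>
+/// Critical severity.
+/// </summary>
+Critical
+}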
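Review bot: `CvssBlockThreshold` and `EpssBlockThreshold` accept any double, so a misconfigured value outside the score range (a CVSS threshold above 10 or an EPSS threshold above 1) can never be reached and silently turns the block path into a no-op; since `System.ComponentModel.DataAnnotations` is already imported, constrain them with `[Range(0.0, 10.0)]` on `CvssBlockThreshold` and `[Range(0.0, 1.0)]` on `EpssBlockThreshold`. The `[Required]` attributes on `Id` and `Condition` only take effect if the options binding site enables data-annotation validation, which is not visible in this commit — worth confirming, and note that `[Required]` on a `string` initialised to `string.Empty` still rejects empty values only when validation actually runs. `Condition` is a free-form expression string from configuration; the `<summary>` should name the grammar and evaluator that consumes it (and that it is parsed, not executed), because a reader cannot tell from this file what inputs are accepted. `using System.Collections.Immutable;` is not used anywhere in the file and can be dropped.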