stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

feat: add security sink detection patterns for JavaScript/TypeScript

Browse Source 
- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations).
- Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns.
- Added `package-lock.json` for dependency management.
This commit is contained in:
StellaOps Bot
2025-12-22 23:21:21 +02:00
parent 3ba7157b00
commit 5146204f1b
529 changed files with 73579 additions and 5985 deletions
Download Patch File Download Diff File Expand all files Collapse all files

291
src/Scanner/StellaOps.Scanner.WebService/Endpoints/DeltaCompareEndpoints.cs Normal file
View File

@@ -0,0 +1,291 @@
// -----------------------------------------------------------------------------
// DeltaCompareEndpoints.cs
// Sprint: SPRINT_4200_0002_0006_delta_compare_api
// Description: HTTP endpoints for delta/compare view API.
// -----------------------------------------------------------------------------
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;
using StellaOps.Scanner.WebService.Contracts;
using StellaOps.Scanner.WebService.Security;
namespace StellaOps.Scanner.WebService.Endpoints;
/// <summary>
/// Endpoints for delta/compare view - comparing scan snapshots.
/// Per SPRINT_4200_0002_0006.
/// </summary>
internal static class DeltaCompareEndpoints
{
private static readonly JsonSerializerOptions SerializerOptions = new(JsonSerializerDefaults.Web)
{
DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull,
Converters = { new JsonStringEnumConverter() }
};
/// <summary>
/// Maps delta compare endpoints.
/// </summary>
public static void MapDeltaCompareEndpoints(this RouteGroupBuilder apiGroup, string prefix = "/delta")
{
ArgumentNullException.ThrowIfNull(apiGroup);
var group = apiGroup.MapGroup(prefix)
.WithTags("DeltaCompare");
// POST /v1/delta/compare - Full comparison between two snapshots
group.MapPost("/compare", HandleCompareAsync)
.WithName("scanner.delta.compare")
.WithDescription("Compares two scan snapshots and returns detailed delta.")
.Produces<DeltaCompareResponseDto>(StatusCodes.Status200OK)
.Produces(StatusCodes.Status400BadRequest)
.RequireAuthorization(ScannerPolicies.ScansRead);
// GET /v1/delta/quick - Quick summary for header display
group.MapGet("/quick", HandleQuickDiffAsync)
.WithName("scanner.delta.quick")
.WithDescription("Returns quick diff summary for Can I Ship header.")
.Produces<QuickDiffSummaryDto>(StatusCodes.Status200OK)
.Produces(StatusCodes.Status400BadRequest)
.RequireAuthorization(ScannerPolicies.ScansRead);
// GET /v1/delta/{comparisonId} - Get cached comparison by ID
group.MapGet("/{comparisonId}", HandleGetComparisonAsync)
.WithName("scanner.delta.get")
.WithDescription("Retrieves a cached comparison result by ID.")
.Produces<DeltaCompareResponseDto>(StatusCodes.Status200OK)
.Produces(StatusCodes.Status404NotFound)
.RequireAuthorization(ScannerPolicies.ScansRead);
}
private static async Task<IResult> HandleCompareAsync(
DeltaCompareRequestDto request,
IDeltaCompareService compareService,
HttpContext context,
CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(request);
ArgumentNullException.ThrowIfNull(compareService);
if (string.IsNullOrWhiteSpace(request.BaseDigest))
{
return Results.BadRequest(new
{
type = "validation-error",
title = "Invalid base digest",
detail = "Base digest is required."
});
}
if (string.IsNullOrWhiteSpace(request.TargetDigest))
{
return Results.BadRequest(new
{
type = "validation-error",
title = "Invalid target digest",
detail = "Target digest is required."
});
}
var result = await compareService.CompareAsync(request, cancellationToken);
return Results.Ok(result);
}
private static async Task<IResult> HandleQuickDiffAsync(
string baseDigest,
string targetDigest,
IDeltaCompareService compareService,
HttpContext context,
CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(compareService);
if (string.IsNullOrWhiteSpace(baseDigest))
{
return Results.BadRequest(new
{
type = "validation-error",
title = "Invalid base digest",
detail = "Base digest is required."
});
}
if (string.IsNullOrWhiteSpace(targetDigest))
{
return Results.BadRequest(new
{
type = "validation-error",
title = "Invalid target digest",
detail = "Target digest is required."
});
}
var result = await compareService.GetQuickDiffAsync(baseDigest, targetDigest, cancellationToken);
return Results.Ok(result);
}
private static async Task<IResult> HandleGetComparisonAsync(
string comparisonId,
IDeltaCompareService compareService,
HttpContext context,
CancellationToken cancellationToken)
{
ArgumentNullException.ThrowIfNull(compareService);
if (string.IsNullOrWhiteSpace(comparisonId))
{
return Results.BadRequest(new
{
type = "validation-error",
title = "Invalid comparison ID",
detail = "Comparison ID is required."
});
}
var result = await compareService.GetComparisonAsync(comparisonId, cancellationToken);
if (result is null)
{
return Results.NotFound(new
{
type = "not-found",
title = "Comparison not found",
detail = $"Comparison with ID '{comparisonId}' was not found or has expired."
});
}
return Results.Ok(result);
}
}
/// <summary>
/// Service interface for delta compare operations.
/// Per SPRINT_4200_0002_0006.
/// </summary>
public interface IDeltaCompareService
{
/// <summary>
/// Performs a full comparison between two snapshots.
/// </summary>
Task<DeltaCompareResponseDto> CompareAsync(DeltaCompareRequestDto request, CancellationToken ct = default);
/// <summary>
/// Gets a quick diff summary for the Can I Ship header.
/// </summary>
Task<QuickDiffSummaryDto> GetQuickDiffAsync(string baseDigest, string targetDigest, CancellationToken ct = default);
/// <summary>
/// Gets a cached comparison by ID.
/// </summary>
Task<DeltaCompareResponseDto?> GetComparisonAsync(string comparisonId, CancellationToken ct = default);
}
/// <summary>
/// Default implementation of delta compare service.
/// </summary>
public sealed class DeltaCompareService : IDeltaCompareService
{
private readonly TimeProvider _timeProvider;
public DeltaCompareService(TimeProvider timeProvider)
{
_timeProvider = timeProvider ?? throw new ArgumentNullException(nameof(timeProvider));
}
public Task<DeltaCompareResponseDto> CompareAsync(DeltaCompareRequestDto request, CancellationToken ct = default)
{
// Compute deterministic comparison ID
var comparisonId = ComputeComparisonId(request.BaseDigest, request.TargetDigest);
// In a full implementation, this would:
// 1. Load both snapshots from storage
// 2. Compare vulnerabilities and components
// 3. Compute policy diffs
// For now, return a structured response
var baseSummary = CreateSnapshotSummary(request.BaseDigest, "Block");
var targetSummary = CreateSnapshotSummary(request.TargetDigest, "Ship");
var response = new DeltaCompareResponseDto
{
Base = baseSummary,
Target = targetSummary,
Summary = new DeltaChangeSummaryDto
{
Added = 0,
Removed = 0,
Modified = 0,
Unchanged = 0,
NetVulnerabilityChange = 0,
NetComponentChange = 0,
SeverityChanges = new DeltaSeverityChangesDto(),
VerdictChanged = baseSummary.PolicyVerdict != targetSummary.PolicyVerdict,
RiskDirection = "unchanged"
},
Vulnerabilities = request.IncludeVulnerabilities ? [] : null,
Components = request.IncludeComponents ? [] : null,
PolicyDiff = request.IncludePolicyDiff
? new DeltaPolicyDiffDto
{
BaseVerdict = baseSummary.PolicyVerdict ?? "Unknown",
TargetVerdict = targetSummary.PolicyVerdict ?? "Unknown",
VerdictChanged = baseSummary.PolicyVerdict != targetSummary.PolicyVerdict,
BlockToShipCount = 0,
ShipToBlockCount = 0
}
: null,
GeneratedAt = _timeProvider.GetUtcNow(),
ComparisonId = comparisonId
};
return Task.FromResult(response);
}
public Task<QuickDiffSummaryDto> GetQuickDiffAsync(string baseDigest, string targetDigest, CancellationToken ct = default)
{
var summary = new QuickDiffSummaryDto
{
BaseDigest = baseDigest,
TargetDigest = targetDigest,
CanShip = true,
RiskDirection = "unchanged",
NetBlockingChange = 0,
CriticalAdded = 0,
CriticalRemoved = 0,
HighAdded = 0,
HighRemoved = 0,
Summary = "No material changes detected"
};
return Task.FromResult(summary);
}
public Task<DeltaCompareResponseDto?> GetComparisonAsync(string comparisonId, CancellationToken ct = default)
{
// In a full implementation, this would retrieve from cache/storage
return Task.FromResult<DeltaCompareResponseDto?>(null);
}
private DeltaSnapshotSummaryDto CreateSnapshotSummary(string digest, string verdict)
{
return new DeltaSnapshotSummaryDto
{
Digest = digest,
CreatedAt = _timeProvider.GetUtcNow(),
ComponentCount = 0,
VulnerabilityCount = 0,
SeverityCounts = new DeltaSeverityCountsDto(),
PolicyVerdict = verdict
};
}
private static string ComputeComparisonId(string baseDigest, string targetDigest)
{
var input = $"{baseDigest}|{targetDigest}";
var hash = SHA256.HashData(Encoding.UTF8.GetBytes(input));
return $"cmp-{Convert.ToHexString(hash)[..16].ToLowerInvariant()}";
}
}