feat: add security sink detection patterns for JavaScript/TypeScript

- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations). - Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns. - Added `package-lock.json` for dependency management.
2025-12-22 23:21:21 +02:00
parent 3ba7157b00
commit 5146204f1b
529 changed files with 73579 additions and 5985 deletions
--- a/src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Output/SarifModels.cs
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Output/SarifModels.cs
@@ -20,7 +20,8 @@ public sealed record SarifRun(
    [property: JsonPropertyName("results")] ImmutableArray<SarifResult> Results,
    [property: JsonPropertyName("invocations")] ImmutableArray<SarifInvocation>? Invocations = null,
    [property: JsonPropertyName("artifacts")] ImmutableArray<SarifArtifact>? Artifacts = null,
-    [property: JsonPropertyName("versionControlProvenance")] ImmutableArray<SarifVersionControlDetails>? VersionControlProvenance = null);
+    [property: JsonPropertyName("versionControlProvenance")] ImmutableArray<SarifVersionControlDetails>? VersionControlProvenance = null,
+    [property: JsonPropertyName("properties")] ImmutableSortedDictionary<string, object>? Properties = null);

 /// <summary>
 /// Tool information for the SARIF run.
--- a/src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Output/SarifOutputGenerator.cs
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.SmartDiff/Output/SarifOutputGenerator.cs
@@ -47,7 +47,19 @@ public sealed record SmartDiffSarifInput(
    IReadOnlyList<VexCandidate> VexCandidates,
    IReadOnlyList<ReachabilityChange> ReachabilityChanges,
    VcsInfo? VcsInfo = null,
-    string? DeltaVerdictReference = null);
+    string? DeltaVerdictReference = null,
+    AttestationReference? Attestation = null);
+
+/// <summary>
+/// Attestation reference for SARIF provenance linkage.
+/// Sprint: SPRINT_4400_0001_0001 - Signed Delta Verdict Attestation
+/// </summary>
+public sealed record AttestationReference(
+    string Digest,
+    string PredicateType,
+    string? OciReference = null,
+    string? RekorLogId = null,
+    string? SignatureKeyId = null);

 /// <summary>
 /// VCS information for SARIF provenance.
@@ -142,12 +154,15 @@ public sealed class SarifOutputGenerator
        var artifacts = CreateArtifacts(input);
        var vcsProvenance = CreateVcsProvenance(input);

+        var runProperties = CreateRunProperties(input);
+
        var run = new SarifRun(
            Tool: tool,
            Results: results,
            Invocations: [invocation],
            Artifacts: artifacts.Length > 0 ? artifacts : null,
-            VersionControlProvenance: vcsProvenance);
+            VersionControlProvenance: vcsProvenance,
+            Properties: runProperties);

        return new SarifLog(
            Version: SarifVersion,
@@ -399,4 +414,70 @@ public sealed class SarifOutputGenerator
            RevisionId: input.VcsInfo.RevisionId,
            Branch: input.VcsInfo.Branch)];
    }
+
+    /// <summary>
+    /// Create run-level properties including attestation references.
+    /// Sprint: SPRINT_4400_0001_0001 - Signed Delta Verdict Attestation
+    /// </summary>
+    private static ImmutableSortedDictionary<string, object>? CreateRunProperties(SmartDiffSarifInput input)
+    {
+        var hasAttestation = input.Attestation is not null;
+        var hasDeltaRef = !string.IsNullOrWhiteSpace(input.DeltaVerdictReference);
+        var hasBaseDigest = !string.IsNullOrWhiteSpace(input.BaseDigest);
+        var hasTargetDigest = !string.IsNullOrWhiteSpace(input.TargetDigest);
+
+        if (!hasAttestation && !hasDeltaRef && !hasBaseDigest && !hasTargetDigest)
+        {
+            return null;
+        }
+
+        var props = new SortedDictionary<string, object>(StringComparer.Ordinal);
+
+        // Add digest references for diff tracking
+        if (hasBaseDigest)
+        {
+            props["stellaops.diff.base.digest"] = input.BaseDigest!;
+        }
+
+        if (hasTargetDigest)
+        {
+            props["stellaops.diff.target.digest"] = input.TargetDigest!;
+        }
+
+        // Add legacy delta verdict reference for backwards compatibility
+        if (hasDeltaRef)
+        {
+            props["stellaops.deltaVerdictRef"] = input.DeltaVerdictReference!;
+        }
+
+        // Add full attestation reference per SPRINT_4400_0001_0001
+        if (hasAttestation)
+        {
+            var attestation = input.Attestation!;
+            var attestationObj = new SortedDictionary<string, object>(StringComparer.Ordinal)
+            {
+                ["digest"] = attestation.Digest,
+                ["predicateType"] = attestation.PredicateType
+            };
+
+            if (!string.IsNullOrWhiteSpace(attestation.OciReference))
+            {
+                attestationObj["ociReference"] = attestation.OciReference!;
+            }
+
+            if (!string.IsNullOrWhiteSpace(attestation.RekorLogId))
+            {
+                attestationObj["rekorLogId"] = attestation.RekorLogId!;
+            }
+
+            if (!string.IsNullOrWhiteSpace(attestation.SignatureKeyId))
+            {
+                attestationObj["signatureKeyId"] = attestation.SignatureKeyId!;
+            }
+
+            props["stellaops.attestation"] = attestationObj;
+        }
+
+        return ImmutableSortedDictionary.CreateRange(StringComparer.Ordinal, props);
+    }
 }