
/**
* CVE Remediation Tracking
*
* This file documents all security vulnerabilities addressed in the V3 security module
* and provides programmatic tracking of remediation status.
*
* @module v3/security/CVE-REMEDIATION
*/
/**
 * Complete list of addressed CVEs and security issues.
 *
 * Each entry records what was found, where it was fixed and how the fix is
 * tested.  The `remediationStatus` / `testStatus` fields are hand-maintained,
 * self-reported strings: nothing in this module runs the referenced tests, so
 * `validateRemediation()` below only checks what these strings claim.
 *
 * The `id` values ('CVE-1', 'HIGH-1', ...) are internal tracking labels; they
 * are not MITRE-assigned CVE identifiers (those use the CVE-YYYY-NNNN form).
 */
export const CVE_REGISTRY = [
  {
    id: 'CVE-1',
    title: 'Dependency Vulnerabilities',
    severity: 'high',
    description: 'Vulnerable versions of @anthropic-ai/claude-code and @modelcontextprotocol/sdk',
    affectedFiles: [
      'package.json',
    ],
    remediationFile: 'package.json (dependency updates)',
    remediationStatus: 'fixed',
    // Not a file path: for this entry the verification step is the audit command itself.
    testFile: 'npm audit',
    testStatus: 'passing',
    // NOTE(review): these dates are a year later than every other entry's
    // (2026 vs 2025) -- confirm which is correct.
    timeline: {
      identified: '2026-01-03',
      remediated: '2026-01-05',
      verified: '2026-01-05',
    },
  },
  {
    id: 'CVE-2',
    title: 'Weak Password Hashing',
    severity: 'critical',
    description: 'SHA-256 with hardcoded salt used for password hashing instead of bcrypt',
    affectedFiles: [
      // Path with a line range, as recorded at the time of the finding.
      'v2/src/api/auth-service.ts:580-588',
    ],
    remediationFile: 'v3/security/password-hasher.ts',
    remediationStatus: 'fixed',
    testFile: 'v3/__tests__/security/password-hasher.test.ts',
    testStatus: 'passing',
    timeline: {
      identified: '2025-01-01',
      remediated: '2025-01-04',
      verified: '2025-01-04',
    },
  },
  {
    id: 'CVE-3',
    title: 'Hardcoded Default Credentials',
    severity: 'critical',
    description: 'Default admin/service credentials hardcoded in auth service initialization',
    affectedFiles: [
      'v2/src/api/auth-service.ts:602-643',
    ],
    remediationFile: 'v3/security/credential-generator.ts',
    remediationStatus: 'fixed',
    testFile: 'v3/__tests__/security/credential-generator.test.ts',
    testStatus: 'passing',
    timeline: {
      identified: '2025-01-01',
      remediated: '2025-01-04',
      verified: '2025-01-04',
    },
  },
  {
    id: 'HIGH-1',
    title: 'Command Injection via Shell Execution',
    severity: 'high',
    description: 'spawn() and exec() calls with shell:true enable command injection',
    affectedFiles: [
      // Descriptive, not a concrete path: the affected call sites are not enumerated here.
      'Multiple spawn() locations across codebase',
    ],
    remediationFile: 'v3/security/safe-executor.ts',
    remediationStatus: 'fixed',
    testFile: 'v3/__tests__/security/safe-executor.test.ts',
    testStatus: 'passing',
    timeline: {
      identified: '2025-01-01',
      remediated: '2025-01-04',
      verified: '2025-01-04',
    },
  },
  {
    id: 'HIGH-2',
    title: 'Path Traversal Vulnerability',
    severity: 'high',
    description: 'Unvalidated file paths allow directory traversal attacks',
    affectedFiles: [
      // Descriptive, not a concrete path; which modules were audited is not recorded here.
      'All file operation modules',
    ],
    remediationFile: 'v3/security/path-validator.ts',
    remediationStatus: 'fixed',
    testFile: 'v3/__tests__/security/path-validator.test.ts',
    testStatus: 'passing',
    timeline: {
      identified: '2025-01-01',
      remediated: '2025-01-04',
      verified: '2025-01-04',
    },
  },
];
/**
 * Security patterns implemented.
 *
 * Descriptive metadata about the controls in the remediation files listed in
 * CVE_REGISTRY.  Nothing in this module reads these values to configure any
 * behaviour; they are only rendered into the Markdown table produced by
 * `getRemediationReport()`.  Whether the implementation modules themselves
 * consume them is not visible from this file -- treat these values as
 * documentation that has to be kept in sync with the code by hand.
 */
export const SECURITY_PATTERNS = {
  passwordHashing: {
    algorithm: 'bcrypt',
    // Presumably the bcrypt cost parameter (work factor 2^rounds) -- assumes
    // the hasher passes it straight through; confirm in v3/security/password-hasher.ts.
    rounds: 12,
    rationale: 'Industry standard adaptive hashing with automatic salt generation',
  },
  credentialGeneration: {
    method: 'crypto.randomBytes',
    // Units (raw bytes vs. encoded characters) are not established here.
    minPasswordLength: 32,
    minSecretLength: 64,
    rationale: 'Cryptographically secure random generation with sufficient entropy',
  },
  commandExecution: {
    method: 'execFile',
    shell: false,
    allowlist: true,
    rationale: 'No shell interpretation, command allowlist prevents injection',
  },
  pathValidation: {
    method: 'path.resolve + prefix check',
    symlinks: 'resolved',
    // NOTE(review): the trailing `null` has no stated meaning (a NUL-byte
    // placeholder?) -- confirm against v3/security/path-validator.ts.  When this
    // array is interpolated into the report, Array#toString renders `null` as
    // an empty string, so it silently disappears from the output.
    blockedPatterns: ['..', '%2e', null],
    // NOTE(review): "all" is a strong claim that only the validator's tests can
    // back; this file does not enforce anything.
    rationale: 'Canonicalization prevents all traversal variations',
  },
  inputValidation: {
    library: 'zod',
    sanitization: true,
    rationale: 'Type-safe validation with runtime checks',
  },
};
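/**
 * Summary of security improvements.
 *
 * The counts are derived from CVE_REGISTRY so this object cannot drift from
 * the entries it summarises (previously the same numbers were maintained by
 * hand in two places).  `testCoverage` and the two file lists remain
 * descriptive metadata: nothing in this module measures coverage or checks
 * that the listed files exist.
 */
export const SECURITY_SUMMARY = {
  cveCount: CVE_REGISTRY.length,
  fixedCount: CVE_REGISTRY.filter((cve) => cve.remediationStatus === 'fixed').length,
  // Anything not marked 'fixed' counts as pending, matching validateRemediation().
  pendingCount: CVE_REGISTRY.filter((cve) => cve.remediationStatus !== 'fixed').length,
  criticalFixed: CVE_REGISTRY.filter(
    (cve) => cve.severity === 'critical' && cve.remediationStatus === 'fixed',
  ).length,
  highFixed: CVE_REGISTRY.filter(
    (cve) => cve.severity === 'high' && cve.remediationStatus === 'fixed',
  ).length,
  testCoverage: '>95%',
  documentsCreated: [
    'v3/security/password-hasher.ts',
    'v3/security/credential-generator.ts',
    'v3/security/safe-executor.ts',
    'v3/security/path-validator.ts',
    'v3/security/input-validator.ts',
    'v3/security/token-generator.ts',
    'v3/security/index.ts',
    'v3/security/CVE-REMEDIATION.ts',
  ],
  testsCreated: [
    'v3/__tests__/security/password-hasher.test.ts',
    'v3/__tests__/security/credential-generator.test.ts',
    'v3/__tests__/security/safe-executor.test.ts',
    'v3/__tests__/security/path-validator.test.ts',
    'v3/__tests__/security/input-validator.test.ts',
    'v3/__tests__/security/token-generator.test.ts',
  ],
};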
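/**
 * Validates that every registry entry reports a completed remediation and
 * passing tests.
 *
 * This checks the status strings recorded in the registry -- i.e. the
 * registry's own claims.  It does not run the referenced tests or inspect the
 * remediation files, so a stale 'fixed' / 'passing' string is not detected.
 *
 * @param {Array<{id: string, remediationStatus: string, testStatus: string}>} [registry=CVE_REGISTRY]
 *   Entries to check; defaults to the module registry.  Accepting the registry
 *   as a parameter keeps the check usable against other data (and testable).
 * @returns {{ allFixed: boolean, issues: string[] }} `allFixed` is true only
 *   when `issues` is empty; each issue names the entry and its offending status.
 */
export function validateRemediation(registry = CVE_REGISTRY) {
  const issues = registry.flatMap((cve) => {
    const found = [];
    if (cve.remediationStatus !== 'fixed') {
      found.push(`${cve.id}: Remediation not complete (${cve.remediationStatus})`);
    }
    if (cve.testStatus !== 'passing') {
      found.push(`${cve.id}: Tests not passing (${cve.testStatus})`);
    }
    return found;
  });
  return {
    allFixed: issues.length === 0,
    issues,
  };
}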
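/**
 * Builds the remediation report as a Markdown document.
 *
 * The "Summary" section is taken from `summary` while the "Detailed Status"
 * section is generated from `registry`; if the two disagree the report shows
 * the disagreement rather than reconciling it.
 *
 * @param {object} [options]
 * @param {Array<object>} [options.registry=CVE_REGISTRY] Entries listed in the
 *   detailed section (id, title, severity, remediationStatus, testStatus,
 *   remediationFile are read).
 * @param {object} [options.summary=SECURITY_SUMMARY] Source of the counts and
 *   `testCoverage` shown in the summary section.
 * @param {object} [options.patterns=SECURITY_PATTERNS] Pattern name -> config
 *   map; every key except `rationale` is listed as implementation detail.
 * @returns {string} Markdown text, lines joined with '\n', no trailing newline.
 */
export function getRemediationReport({
  registry = CVE_REGISTRY,
  summary = SECURITY_SUMMARY,
  patterns = SECURITY_PATTERNS,
} = {}) {
  // Array values are rendered as JSON so that entries such as `null` stay
  // visible (Array#toString would turn null into an empty string), and a
  // literal '|' is escaped so a value cannot break the Markdown table row.
  const cell = (value) => {
    const text = Array.isArray(value) ? JSON.stringify(value) : String(value);
    return text.replaceAll('|', '\\|');
  };

  const header = [
    '# V3 Security Remediation Report',
    '',
    '## Summary',
    `- Total CVEs/Issues: ${summary.cveCount}`,
    `- Fixed: ${summary.fixedCount}`,
    `- Pending: ${summary.pendingCount}`,
    `- Test Coverage: ${summary.testCoverage}`,
    '',
    '## Detailed Status',
    '',
  ];

  const details = registry.flatMap((cve) => [
    `### ${cve.id}: ${cve.title}`,
    `- Severity: ${cve.severity.toUpperCase()}`,
    `- Status: ${cve.remediationStatus}`,
    `- Test Status: ${cve.testStatus}`,
    `- Remediation: \`${cve.remediationFile}\``,
    '',
  ]);

  const table = [
    '## Security Patterns Implemented',
    '',
    '| Pattern | Implementation | Rationale |',
    '|---------|---------------|-----------|',
    ...Object.entries(patterns).map(([pattern, config]) => {
      const impl = Object.entries(config)
        .filter(([key]) => key !== 'rationale')
        .map(([key, value]) => `${key}: ${cell(value)}`)
        .join(', ');
      return `| ${pattern} | ${impl} | ${cell(config.rationale)} |`;
    }),
  ];

  return [...header, ...details, ...table].join('\n');
}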
//# sourceMappingURL=CVE-REMEDIATION.js.map