cc-audit 3.2.14

Security auditor for Claude Code skills, hooks, and MCP servers
//! CVE database for known vulnerabilities in AI coding tools.
//!
//! This module provides functionality to load and query a database of known CVEs
//! affecting MCP servers, AI coding assistants, and related tools.

use crate::rules::{Category, Confidence, Finding, Location, Severity};
use serde::{Deserialize, Serialize};
use std::fs;
use std::path::Path;
use thiserror::Error;

/// Built-in CVE database JSON, embedded at compile time with `include_str!`.
///
/// It is parsed on demand by [`CveDatabase::builtin`] (and therefore by the
/// `Default` impl), so a malformed file only surfaces as a
/// [`CveDbError::ParseJson`] on first use, not at build time.
const BUILTIN_DATABASE: &str = include_str!("../data/cve-database.json");

/// Errors produced while loading a CVE database.
#[derive(Debug, Error)]
pub enum CveDbError {
    /// The database file could not be read from disk (see [`CveDatabase::from_file`]).
    #[error("Failed to read CVE database file: {0}")]
    ReadFile(#[from] std::io::Error),

    /// The contents were not valid JSON in the [`CveDatabaseFile`] layout.
    #[error("Failed to parse CVE database JSON: {0}")]
    ParseJson(#[from] serde_json::Error),

    /// A `version_affected` requirement could not be interpreted.
    /// NOTE(review): nothing in this file constructs this variant — an
    /// unrecognised requirement currently falls back to an exact-match compare
    /// in `CveDatabase::version_matches` rather than being reported.
    #[error("Failed to parse version requirement for {cve_id}: {version}")]
    InvalidVersion { cve_id: String, version: String },
}

/// One vendor/product/version range that a CVE entry declares as affected.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct AffectedProduct {
    /// Vendor name; matched ASCII case-insensitively by `CveDatabase::check_product`.
    pub vendor: String,
    /// Product name; matched ASCII case-insensitively by `CveDatabase::check_product`.
    pub product: String,
    /// Version requirement in the form accepted by `CveDatabase::version_matches`
    /// (`"< X.Y.Z"`, `"<= X.Y.Z"`, `"= X.Y.Z"`, `">= X.Y.Z"`, `"> X.Y.Z"`, or a bare version).
    pub version_affected: String,
    /// First version that contains the fix, if known; used to phrase the
    /// remediation text in `CveDatabase::create_findings`. Omitted from JSON when absent.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version_fixed: Option<String>,
}

/// A single CVE record as stored in the database file.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CveEntry {
    /// CVE identifier; copied verbatim into the `id` of any finding raised for it.
    pub id: String,
    /// Short title; becomes the finding `name`.
    pub title: String,
    /// Longer description; becomes the finding `message`.
    pub description: String,
    /// Severity label (`critical`/`high`/`medium`/`low`, case-insensitive).
    /// Anything else is treated as medium by `CveDatabase::parse_severity`.
    pub severity: String,
    /// Optional CVSS base score; omitted from JSON when absent.
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cvss_score: Option<f32>,
    /// Vendor/product/version ranges this CVE applies to.
    pub affected_products: Vec<AffectedProduct>,
    /// Related CWE identifiers; empty when the field is missing from JSON.
    #[serde(default)]
    pub cwe_ids: Vec<String>,
    /// Advisory / reference URLs; empty when the field is missing from JSON.
    #[serde(default)]
    pub references: Vec<String>,
    /// Publication date as recorded in the file (kept as an opaque string).
    pub published_at: String,
}

/// On-disk / embedded JSON layout of a CVE database.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CveDatabaseFile {
    /// Version string of the database itself (not of any product).
    pub version: String,
    /// Timestamp string of the last update, stored as written in the file.
    pub updated_at: String,
    /// All CVE records.
    pub entries: Vec<CveEntry>,
}

/// In-memory CVE database that can be queried by vendor/product/version.
///
/// Built from a [`CveDatabaseFile`] via [`CveDatabase::from_json`],
/// [`CveDatabase::from_file`] or [`CveDatabase::builtin`].
pub struct CveDatabase {
    /// All records, in the order they appeared in the source file.
    entries: Vec<CveEntry>,
    /// Database version string taken from the file's `version` field.
    version: String,
    /// Last-update timestamp taken from the file's `updated_at` field.
    updated_at: String,
}

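impl CveDatabase {
    /// Load the CVE database embedded at compile time.
    ///
    /// # Errors
    /// Returns [`CveDbError::ParseJson`] if the embedded JSON does not parse;
    /// since that payload is fixed at build time, this indicates a packaging defect.
    pub fn builtin() -> Result<Self, CveDbError> {
        Self::from_json(BUILTIN_DATABASE)
    }

    /// Load a CVE database from a JSON file on disk.
    ///
    /// # Errors
    /// Returns [`CveDbError::ReadFile`] if `path` cannot be read and
    /// [`CveDbError::ParseJson`] if its contents are not a valid [`CveDatabaseFile`].
    pub fn from_file(path: &Path) -> Result<Self, CveDbError> {
        let content = fs::read_to_string(path)?;
        Self::from_json(&content)
    }

    /// Load a CVE database from a JSON string in the [`CveDatabaseFile`] layout.
    ///
    /// # Errors
    /// Returns [`CveDbError::ParseJson`] if `json` does not deserialize.
    pub fn from_json(json: &str) -> Result<Self, CveDbError> {
        let file: CveDatabaseFile = serde_json::from_str(json)?;
        Ok(Self {
            entries: file.entries,
            version: file.version,
            updated_at: file.updated_at,
        })
    }

    /// Version string of the loaded database (the file's `version` field).
    pub fn version(&self) -> &str {
        &self.version
    }

    /// Last-update timestamp of the loaded database (the file's `updated_at` field).
    pub fn updated_at(&self) -> &str {
        &self.updated_at
    }

    /// All entries, in file order.
    pub fn entries(&self) -> &[CveEntry] {
        &self.entries
    }

    /// Number of entries in the database.
    pub fn len(&self) -> usize {
        self.entries.len()
    }

    /// Whether the database holds no entries.
    pub fn is_empty(&self) -> bool {
        self.entries.is_empty()
    }

    /// Return every entry that declares `vendor`/`product` (compared ASCII
    /// case-insensitively) as affected with a version requirement that
    /// `version` satisfies; see [`Self::version_matches`] for the comparison
    /// rules and their limitations.
    pub fn check_product(&self, vendor: &str, product: &str, version: &str) -> Vec<&CveEntry> {
        self.entries
            .iter()
            .filter(|entry| Self::matching_product(entry, vendor, product, version).is_some())
            .collect()
    }

    /// Find the first affected-product record of `entry` whose vendor and
    /// product match (ASCII case-insensitively) and whose `version_affected`
    /// requirement `version` satisfies.
    fn matching_product<'a>(
        entry: &'a CveEntry,
        vendor: &str,
        product: &str,
        version: &str,
    ) -> Option<&'a AffectedProduct> {
        entry.affected_products.iter().find(|p| {
            p.vendor.eq_ignore_ascii_case(vendor)
                && p.product.eq_ignore_ascii_case(product)
                && Self::version_matches(&p.version_affected, version)
        })
    }

    /// Check whether `version` satisfies a version requirement.
    ///
    /// Supported forms: `"< X.Y.Z"`, `"<= X.Y.Z"`, `"= X.Y.Z"`, `">= X.Y.Z"`,
    /// `"> X.Y.Z"`; a requirement without an operator means exact match.
    /// Whitespace around the operator and the requirement is ignored.
    ///
    /// Comparison is purely numeric (see [`Self::parse_version`]), so
    /// pre-release labels carry no ordering: `"1.5.0-rc1"` compares equal to
    /// `"1.5.0"` and is therefore *not* reported as affected by `"< 1.5.0"`,
    /// while a numeric label such as `"1.5.0-beta.1"` sorts *after* `"1.5.0"`.
    /// Database authors who need pre-release ranges must express them explicitly.
    fn version_matches(requirement: &str, version: &str) -> bool {
        let requirement = requirement.trim();

        // Two-character operators first so "<=" is not read as "<" with a
        // requirement of "= X.Y.Z".
        const OPERATORS: [&str; 5] = ["<=", ">=", "<", ">", "="];
        let (op, req_version) = OPERATORS
            .iter()
            .copied()
            .find_map(|candidate| {
                requirement
                    .strip_prefix(candidate)
                    .map(|rest| (candidate, rest.trim()))
            })
            .unwrap_or(("=", requirement)); // no operator: exact match

        let ordering =
            Self::compare_versions(&Self::parse_version(version), &Self::parse_version(req_version));

        match op {
            "<" => ordering < 0,
            "<=" => ordering <= 0,
            ">" => ordering > 0,
            ">=" => ordering >= 0,
            _ => ordering == 0,
        }
    }

    /// Parse a version string into numeric components.
    ///
    /// The string is split on `.`, `-` and `_`; from each segment only the
    /// leading decimal digits are kept, and segments with no leading digits
    /// (or digits that do not fit a `u32`) are dropped. A single leading
    /// tag-style `v`/`V` (e.g. `"v1.4.0"`) is ignored — without that, the first
    /// segment has no leading digits and the major version silently vanished,
    /// which made range checks on such inputs meaningless.
    ///
    /// Examples: `"1.5.0"` → `[1, 5, 0]`, `"1.5.0-beta.1"` → `[1, 5, 0, 1]`,
    /// `"1.5.0-rc1"` → `[1, 5, 0]`.
    fn parse_version(version: &str) -> Vec<u32> {
        let version = version.trim();
        let version = version
            .strip_prefix('v')
            .or_else(|| version.strip_prefix('V'))
            .unwrap_or(version);

        version
            .split(['.', '-', '_'])
            .filter_map(|segment| {
                let digits: String = segment.chars().take_while(|c| c.is_ascii_digit()).collect();
                digits.parse().ok()
            })
            .collect()
    }

    /// Compare two parsed versions component-wise.
    ///
    /// Missing trailing components are treated as `0`, so `[1, 5]` equals
    /// `[1, 5, 0]`. Returns `-1` if `a < b`, `0` if equal, `1` if `a > b`.
    fn compare_versions(a: &[u32], b: &[u32]) -> i32 {
        let component = |parts: &[u32], index: usize| parts.get(index).copied().unwrap_or(0);
        (0..a.len().max(b.len()))
            .map(|index| component(a, index).cmp(&component(b, index)))
            .find(|ordering| ordering.is_ne())
            // `Ordering` is repr(i8) with Less = -1, Equal = 0, Greater = 1.
            .map_or(0, |ordering| ordering as i32)
    }

    /// Build one [`Finding`] per CVE that affects `vendor`/`product` at `version`.
    ///
    /// Every finding is reported as [`Category::SupplyChain`] with
    /// [`Confidence::Certain`]; its severity comes from the entry's label via
    /// [`Self::parse_severity`]. The location is `file_path`:`line` with no column.
    /// The recommendation names the `version_fixed` of the affected-product record
    /// that actually matched `version`, or a generic "check for updates" text when
    /// none is recorded.
    pub fn create_findings(
        &self,
        vendor: &str,
        product: &str,
        version: &str,
        file_path: &str,
        line: usize,
    ) -> Vec<Finding> {
        self.check_product(vendor, product, version)
            .into_iter()
            .map(|cve| {
                // Use the product record whose range matched: an entry may list the
                // same vendor/product several times with different ranges and
                // different fixed versions, and the first vendor/product hit is not
                // necessarily the one that applies to `version`.
                let recommendation = match Self::matching_product(cve, vendor, product, version)
                    .and_then(|p| p.version_fixed.as_deref())
                {
                    Some(fixed) => format!("Update to version {} or later", fixed),
                    None => "Check for security updates from the vendor".to_string(),
                };

                Finding {
                    id: cve.id.clone(),
                    severity: Self::parse_severity(&cve.severity),
                    category: Category::SupplyChain,
                    confidence: Confidence::Certain,
                    name: cve.title.clone(),
                    location: Location {
                        file: file_path.to_string(),
                        line,
                        column: None,
                    },
                    code: format!("{}/{} v{}", vendor, product, version),
                    message: cve.description.clone(),
                    recommendation,
                    fix_hint: None,
                    cwe_ids: cve.cwe_ids.clone(),
                    rule_severity: None,
                    client: None,
                    context: None,
                }
            })
            .collect()
    }

    /// Map a severity label from the database to [`Severity`].
    ///
    /// Matching is case-insensitive and ignores surrounding whitespace. Any
    /// unrecognised label falls back to [`Severity::Medium`] rather than
    /// failing the load, so a typo in the data lowers rather than hides a finding.
    fn parse_severity(s: &str) -> Severity {
        match s.trim().to_lowercase().as_str() {
            "critical" => Severity::Critical,
            "high" => Severity::High,
            "medium" => Severity::Medium,
            "low" => Severity::Low,
            _ => Severity::Medium,
        }
    }
}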

impl Default for CveDatabase {
    /// Build the database from the compile-time embedded JSON.
    ///
    /// # Panics
    /// Panics if the embedded JSON fails to parse. The payload is fixed at
    /// build time, so this is a packaging defect rather than a runtime condition.
    fn default() -> Self {
        Self::builtin()
            .unwrap_or_else(|err| panic!("Built-in CVE database should be valid: {err:?}"))
    }
}

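#[cfg(test)]
mod tests {
    use super::*;

    /// Minimal constructed database for tests that must not depend on the
    /// contents of the embedded file. The CVE id is a placeholder, not a real one.
    const SAMPLE_DB: &str = r#"{
        "version": "1.0.0",
        "updated_at": "2025-01-01",
        "entries": [{
            "id": "CVE-0000-00000",
            "title": "Sample entry",
            "description": "Constructed entry for tests",
            "severity": "high",
            "affected_products": [{
                "vendor": "example",
                "product": "tool",
                "version_affected": "< 2.0.0",
                "version_fixed": "2.0.0"
            }],
            "published_at": "2025-01-01"
        }]
    }"#;

    #[test]
    fn test_load_builtin_database() {
        let db = CveDatabase::builtin().unwrap();
        assert!(!db.is_empty());
        // Version should be a valid semver string (e.g., "1.0.0", "1.0.1")
        assert!(db.version().starts_with("1."));
    }

    #[test]
    fn test_version_comparison_less_than() {
        assert!(CveDatabase::version_matches("< 1.5.0", "1.4.9"));
        assert!(CveDatabase::version_matches("< 1.5.0", "1.4.0"));
        assert!(CveDatabase::version_matches("< 1.5.0", "0.9.0"));
        assert!(!CveDatabase::version_matches("< 1.5.0", "1.5.0"));
        assert!(!CveDatabase::version_matches("< 1.5.0", "1.5.1"));
        assert!(!CveDatabase::version_matches("< 1.5.0", "2.0.0"));
    }

    #[test]
    fn test_version_comparison_less_than_or_equal() {
        assert!(CveDatabase::version_matches("<= 1.5.0", "1.4.9"));
        assert!(CveDatabase::version_matches("<= 1.5.0", "1.5.0"));
        assert!(!CveDatabase::version_matches("<= 1.5.0", "1.5.1"));
    }

    #[test]
    fn test_version_comparison_greater_than() {
        assert!(CveDatabase::version_matches("> 1.5.0", "1.5.1"));
        assert!(CveDatabase::version_matches("> 1.5.0", "2.0.0"));
        assert!(!CveDatabase::version_matches("> 1.5.0", "1.5.0"));
        assert!(!CveDatabase::version_matches("> 1.5.0", "1.4.9"));
    }

    #[test]
    fn test_version_comparison_equal() {
        assert!(CveDatabase::version_matches("= 1.5.0", "1.5.0"));
        assert!(!CveDatabase::version_matches("= 1.5.0", "1.5.1"));
        assert!(!CveDatabase::version_matches("= 1.5.0", "1.4.9"));
    }

    #[test]
    fn test_version_comparison_greater_than_or_equal() {
        assert!(CveDatabase::version_matches(">= 1.5.0", "1.5.0"));
        assert!(CveDatabase::version_matches(">= 1.5.0", "1.5.1"));
        assert!(CveDatabase::version_matches(">= 1.5.0", "2.0.0"));
        assert!(!CveDatabase::version_matches(">= 1.5.0", "1.4.9"));
        assert!(!CveDatabase::version_matches(">= 1.5.0", "1.4.0"));
    }

    #[test]
    fn test_version_comparison_exact_match_no_operator() {
        // A requirement without an operator is an exact match.
        assert!(CveDatabase::version_matches("1.5.0", "1.5.0"));
        assert!(!CveDatabase::version_matches("1.5.0", "1.5.1"));
        assert!(!CveDatabase::version_matches("1.5.0", "1.4.9"));
    }

    #[test]
    fn test_version_matches_without_spaces() {
        // Operator and version need not be separated by whitespace.
        assert!(CveDatabase::version_matches("<1.5.0", "1.4.9"));
        assert!(CveDatabase::version_matches("<=1.5.0", "1.5.0"));
        assert!(CveDatabase::version_matches(">=1.5.0", "1.5.0"));
        assert!(!CveDatabase::version_matches(">1.5.0", "1.5.0"));
    }

    #[test]
    fn test_parse_version_with_prerelease() {
        let parts = CveDatabase::parse_version("1.5.0-beta.1");
        assert_eq!(parts, vec![1, 5, 0, 1]);
    }

    #[test]
    fn test_compare_versions_pads_missing_components() {
        // Missing trailing components count as zero.
        assert_eq!(CveDatabase::compare_versions(&[1, 5], &[1, 5, 0]), 0);
        assert_eq!(CveDatabase::compare_versions(&[1, 5, 1], &[1, 5]), 1);
        assert_eq!(CveDatabase::compare_versions(&[], &[0, 1]), -1);
    }

    #[test]
    fn test_check_product_matches() {
        let db = CveDatabase::builtin().unwrap();
        let matches = db.check_product("anthropic", "claude-code-vscode", "1.4.0");
        assert!(!matches.is_empty());
        assert!(matches.iter().any(|e| e.id == "CVE-2025-52882"));
    }

    #[test]
    fn test_check_product_no_match_fixed_version() {
        let db = CveDatabase::builtin().unwrap();
        let matches = db.check_product("anthropic", "claude-code-vscode", "1.5.0");
        assert!(matches.is_empty());
    }

    #[test]
    fn test_check_product_case_insensitive() {
        let db = CveDatabase::builtin().unwrap();
        let matches = db.check_product("Anthropic", "Claude-Code-VSCode", "1.4.0");
        assert!(!matches.is_empty());
    }

    #[test]
    fn test_check_product_sample_db() {
        let db = CveDatabase::from_json(SAMPLE_DB).unwrap();
        assert_eq!(db.check_product("example", "tool", "1.9.9").len(), 1);
        // Fixed version itself is not affected.
        assert!(db.check_product("example", "tool", "2.0.0").is_empty());
        // Vendor and product must both match.
        assert!(db.check_product("other", "tool", "1.9.9").is_empty());
        assert!(db.check_product("example", "other", "1.9.9").is_empty());
    }

    #[test]
    fn test_create_findings() {
        let db = CveDatabase::builtin().unwrap();
        let findings = db.create_findings(
            "anthropic",
            "claude-code-vscode",
            "1.4.0",
            "package.json",
            10,
        );
        assert!(!findings.is_empty());

        let finding = &findings[0];
        assert_eq!(finding.id, "CVE-2025-52882");
        assert_eq!(finding.severity, Severity::Critical);
        assert_eq!(finding.category, Category::SupplyChain);
        assert!(finding.recommendation.contains("1.5.0"));
    }

    #[test]
    fn test_create_findings_sample_db() {
        let db = CveDatabase::from_json(SAMPLE_DB).unwrap();
        let findings = db.create_findings("example", "tool", "1.9.9", "mcp.json", 3);
        assert_eq!(findings.len(), 1);
        assert_eq!(findings[0].severity, Severity::High);
        assert!(findings[0].recommendation.contains("2.0.0"));
        assert!(db
            .create_findings("example", "tool", "2.0.0", "mcp.json", 3)
            .is_empty());
    }

    #[test]
    fn test_entry_count() {
        let db = CveDatabase::builtin().unwrap();
        // Database should have at least the initial 7 CVEs (may grow over time)
        assert!(db.len() >= 7);
    }

    #[test]
    fn test_updated_at() {
        let db = CveDatabase::builtin().unwrap();
        let updated = db.updated_at();
        // Should be a valid ISO 8601 date string (e.g., "2025-01-26T00:00:00Z")
        assert!(!updated.is_empty());
        // Validate year is reasonable (2024-2030). Use `get` so a short or
        // non-ASCII prefix yields 0 and a readable assertion failure rather
        // than a slice panic.
        let year: i32 = updated
            .get(..4)
            .and_then(|prefix| prefix.parse().ok())
            .unwrap_or(0);
        assert!(
            (2024..=2030).contains(&year),
            "Unexpected year in updated_at: {updated}"
        );
    }

    #[test]
    fn test_entries() {
        let db = CveDatabase::builtin().unwrap();
        let entries = db.entries();
        assert!(!entries.is_empty());
        // First entry should have a CVE ID
        assert!(entries[0].id.starts_with("CVE-"));
    }

    #[test]
    fn test_from_json_rejects_malformed() {
        let err = CveDatabase::from_json("{ not json").unwrap_err();
        assert!(matches!(err, CveDbError::ParseJson(_)));
    }

    #[test]
    fn test_from_json_missing_required_field() {
        // `entries` is mandatory; a file without it must be rejected, not
        // silently loaded as empty.
        let result = CveDatabase::from_json(r#"{"version": "1.0.0", "updated_at": "2025-01-01"}"#);
        assert!(result.is_err());
    }

    #[test]
    fn test_from_file() {
        use std::io::Write;
        use tempfile::NamedTempFile;

        // Create a temporary file with valid CVE database JSON
        let mut temp_file = NamedTempFile::new().unwrap();
        let json = r#"{
            "version": "1.0.0",
            "updated_at": "2025-01-01",
            "entries": []
        }"#;
        temp_file.write_all(json.as_bytes()).unwrap();

        let db = CveDatabase::from_file(temp_file.path()).unwrap();
        assert_eq!(db.version(), "1.0.0");
        assert!(db.is_empty());
    }

    #[test]
    fn test_from_file_invalid_path() {
        let result = CveDatabase::from_file(Path::new("/nonexistent/file.json"));
        assert!(result.is_err());
    }
}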