vsec 0.0.1 - Docs.rs

// src/config/schema.rs

use serde::{Deserialize, Serialize};

/// Root configuration structure
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(default)]
pub struct Config {
    /// General settings
    pub general: GeneralConfig,

    /// Scoring configuration
    pub scoring: ScoringConfig,

    /// Name filter configuration
    pub name_filter: NameFilterConfig,

    /// Scope filter configuration
    pub scope_filter: ScopeFilterConfig,

    /// Consequence analysis configuration
    pub consequence: ConsequenceConfig,

    /// RHS analysis configuration
    pub rhs: RhsConfig,

    /// Output configuration
    pub output: OutputConfig,

    /// Custom rules
    #[serde(default)]
    pub rules: Vec<CustomRule>,
}

impl Default for Config {
    fn default() -> Self {
        Self {
            general: GeneralConfig::default(),
            scoring: ScoringConfig::default(),
            name_filter: NameFilterConfig::default(),
            scope_filter: ScopeFilterConfig::default(),
            consequence: ConsequenceConfig::default(),
            rhs: RhsConfig::default(),
            output: OutputConfig::default(),
            rules: Vec::new(),
        }
    }
}

#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(default)]
pub struct GeneralConfig {
    /// Files/directories to always ignore
    pub ignore_paths: Vec<String>,

    /// File extensions to scan
    pub extensions: Vec<String>,

    /// Maximum file size to scan (bytes)
    pub max_file_size: usize,

    /// Follow symlinks
    pub follow_symlinks: bool,
}

impl Default for GeneralConfig {
    fn default() -> Self {
        Self {
            ignore_paths: vec![
                "**/target/**".into(),
                "**/node_modules/**".into(),
                "**/.git/**".into(),
            ],
            extensions: vec!["rs".into()],
            max_file_size: 1_000_000,
            follow_symlinks: false,
        }
    }
}

/// Sensitivity presets instead of magic numbers
#[derive(Debug, Clone, Copy, Serialize, Deserialize, Default, PartialEq, Eq)]
#[serde(rename_all = "lowercase")]
pub enum SensitivityPreset {
    /// Report everything suspicious (many false positives)
    Paranoid,
    /// High sensitivity, some false positives acceptable
    High,
    /// Balanced detection (default)
    #[default]
    Balanced,
    /// Low sensitivity, prefer precision over recall
    Low,
    /// Only report obvious secrets
    Minimal,
}

impl SensitivityPreset {
    pub fn threshold(&self) -> i32 {
        match self {
            Self::Paranoid => 30,
            Self::High => 50,
            Self::Balanced => 70,
            Self::Low => 85,
            Self::Minimal => 95,
        }
    }

    pub fn base_comparison_score(&self) -> i32 {
        match self {
            Self::Paranoid => 60,
            Self::High => 55,
            Self::Balanced => 50,
            Self::Low => 45,
            Self::Minimal => 40,
        }
    }
}

impl std::str::FromStr for SensitivityPreset {
    type Err = String;

    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s.to_lowercase().as_str() {
            "paranoid" => Ok(Self::Paranoid),
            "high" => Ok(Self::High),
            "balanced" => Ok(Self::Balanced),
            "low" => Ok(Self::Low),
            "minimal" => Ok(Self::Minimal),
            _ => Err(format!("Unknown sensitivity preset: {}", s)),
        }
    }
}

#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(default)]
pub struct ScoringConfig {
    /// Sensitivity preset: paranoid, high, balanced, low, minimal
    pub sensitivity: SensitivityPreset,

    /// Override: manual threshold (takes precedence over preset)
    pub threshold_override: Option<i32>,

    /// Base score for comparison findings
    pub base_comparison_score: i32,

    /// Base score for definition findings
    pub base_definition_score: i32,

    /// Exact literal values to ignore (case-insensitive)
    pub ignore_values: Vec<String>,

    /// Value patterns to ignore (prefix match)
    pub ignore_value_prefixes: Vec<String>,

    /// Value patterns to ignore (suffix match)
    pub ignore_value_suffixes: Vec<String>,

    /// Value patterns to ignore (contains match)
    pub ignore_value_contains: Vec<String>,
}

impl Default for ScoringConfig {
    fn default() -> Self {
        Self {
            sensitivity: SensitivityPreset::default(),
            threshold_override: None,
            base_comparison_score: 50,
            base_definition_score: 30,
            ignore_values: Vec::new(),
            ignore_value_prefixes: Vec::new(),
            ignore_value_suffixes: Vec::new(),
            ignore_value_contains: Vec::new(),
        }
    }
}

impl ScoringConfig {
    /// Get the effective threshold (override or preset)
    pub fn effective_threshold(&self) -> i32 {
        self.threshold_override
            .unwrap_or_else(|| self.sensitivity.threshold())
    }

    /// Check if a value should be ignored based on config
    pub fn should_ignore_value(&self, value: &str) -> bool {
        let lower = value.to_lowercase();

        // Check exact matches
        if self.ignore_values.iter().any(|v| v.to_lowercase() == lower) {
            return true;
        }

        // Check prefix matches
        if self.ignore_value_prefixes.iter().any(|p| lower.starts_with(&p.to_lowercase())) {
            return true;
        }

        // Check suffix matches
        if self.ignore_value_suffixes.iter().any(|s| lower.ends_with(&s.to_lowercase())) {
            return true;
        }

        // Check contains matches
        if self.ignore_value_contains.iter().any(|c| lower.contains(&c.to_lowercase())) {
            return true;
        }

        false
    }
}

#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(default)]
pub struct NameFilterConfig {
    /// Additional benign terms
    pub additional_benign_terms: Vec<TermConfig>,

    /// Additional suspicious terms
    pub additional_suspicious_terms: Vec<TermConfig>,

    /// Exact names to ignore
    pub ignore_names: Vec<String>,

    /// Regex patterns to ignore
    pub ignore_patterns: Vec<String>,
}

impl Default for NameFilterConfig {
    fn default() -> Self {
        Self {
            additional_benign_terms: Vec::new(),
            additional_suspicious_terms: Vec::new(),
            ignore_names: Vec::new(),
            ignore_patterns: Vec::new(),
        }
    }
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TermConfig {
    /// The term to match
    pub term: String,

    /// Score modification
    pub score: i32,

    /// Match mode: contains, prefix, suffix, exact
    #[serde(default = "default_match_mode")]
    pub mode: String,
}

fn default_match_mode() -> String {
    "contains".into()
}

#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(default)]
pub struct ScopeFilterConfig {
    /// Ignore test functions
    pub ignore_tests: bool,

    /// Ignore example files
    pub ignore_examples: bool,

    /// Ignore benchmark files
    pub ignore_benchmarks: bool,

    /// Additional paths to ignore
    pub ignore_paths: Vec<String>,
}

impl Default for ScopeFilterConfig {
    fn default() -> Self {
        Self {
            ignore_tests: true,
            ignore_examples: true,
            ignore_benchmarks: true,
            ignore_paths: Vec::new(),
        }
    }
}

#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(default)]
pub struct ConsequenceConfig {
    /// Additional logging functions to ignore
    pub additional_logging_functions: Vec<String>,

    /// Additional auth functions to flag
    pub additional_auth_functions: Vec<String>,

    /// Additional auth fields to flag
    pub additional_auth_fields: Vec<String>,
}

impl Default for ConsequenceConfig {
    fn default() -> Self {
        Self {
            additional_logging_functions: Vec::new(),
            additional_auth_functions: Vec::new(),
            additional_auth_fields: Vec::new(),
        }
    }
}

#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(default)]
pub struct RhsConfig {
    /// Additional command-like variable names
    pub additional_command_names: Vec<String>,

    /// Additional auth-like variable names
    pub additional_auth_names: Vec<String>,
}

impl Default for RhsConfig {
    fn default() -> Self {
        Self {
            additional_command_names: Vec::new(),
            additional_auth_names: Vec::new(),
        }
    }
}

#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(default)]
pub struct OutputConfig {
    /// Default output format
    pub format: String,

    /// Include score breakdown in output
    pub show_scores: bool,

    /// Include remediation suggestions
    pub show_remediation: bool,

    /// Color output
    pub color: bool,
}

impl Default for OutputConfig {
    fn default() -> Self {
        Self {
            format: "text".into(),
            show_scores: false,
            show_remediation: true,
            color: true,
        }
    }
}

/// Custom rule definition
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CustomRule {
    /// Rule identifier
    pub id: String,

    /// Rule description
    pub description: String,

    /// Name pattern to match (regex)
    pub name_pattern: Option<String>,

    /// Value pattern to match (regex)
    pub value_pattern: Option<String>,

    /// Score modification
    pub score: i32,

    /// Severity override
    pub severity: Option<String>,
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_default_config() {
        let config = Config::default();
        assert_eq!(config.scoring.sensitivity, SensitivityPreset::Balanced);
        assert!(config.scope_filter.ignore_tests);
        assert!(config.general.ignore_paths.contains(&"**/target/**".to_string()));
    }

    #[test]
    fn test_sensitivity_preset_threshold() {
        assert_eq!(SensitivityPreset::Paranoid.threshold(), 30);
        assert_eq!(SensitivityPreset::Balanced.threshold(), 70);
        assert_eq!(SensitivityPreset::Minimal.threshold(), 95);
    }

    #[test]
    fn test_effective_threshold() {
        let mut config = ScoringConfig::default();
        assert_eq!(config.effective_threshold(), 70); // Balanced default

        config.threshold_override = Some(80);
        assert_eq!(config.effective_threshold(), 80); // Override
    }

    #[test]
    fn test_preset_from_str() {
        assert_eq!(
            "paranoid".parse::<SensitivityPreset>().unwrap(),
            SensitivityPreset::Paranoid
        );
        assert_eq!(
            "BALANCED".parse::<SensitivityPreset>().unwrap(),
            SensitivityPreset::Balanced
        );
        assert!("invalid".parse::<SensitivityPreset>().is_err());
    }

    #[test]
    fn test_config_serialization() {
        let config = Config::default();
        let toml_str = toml::to_string(&config).unwrap();
        assert!(toml_str.contains("[general]"));
        assert!(toml_str.contains("[scoring]"));

        // Roundtrip
        let parsed: Config = toml::from_str(&toml_str).unwrap();
        assert_eq!(parsed.scoring.sensitivity, config.scoring.sensitivity);
    }
}