Skip to content

Vulnerability Scanner V2.0 Development #133

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ChaohuiLi0321 wants to merge 45 commits into
base: master
Choose a base branch
from
Open

Vulnerability Scanner V2.0 Development #133

ChaohuiLi0321 wants to merge 45 commits into from

Conversation

@ChaohuiLi0321
Copy link
Collaborator

@ChaohuiLi0321 ChaohuiLi0321 commented Sep 7, 2025
edited
Loading

Integrate Vulnerability Scanner V2.0 (Automated) into NutriHelp

Summary

This PR integrates the new plugin‑based Vulnerability Scanner V2.0 under Vulnerability_Tool_V2 and exposes a set of API endpoints for starting, monitoring, and retrieving scan results (JSON / HTML).
Local developer onboarding is now automated: a postinstall bootstrap prepares (or gracefully skips) the Python scanner environment.
CI workflows were updated to align with local behavior, and the scheduled security assessment now also runs a full V2 scan.

Key Changes

Scanner Core (Vulnerability_Tool_V2)

  • Plugin architecture (JWT configuration, missing protection, general security)
  • Progress emission + structured JSON output
  • Reports directory for persisted HTML / JSON outputs

Node Integration (scanner.js)

New endpoints under /api/scanner:

  • GET /api/scanner/test – simple availability check
  • GET /api/scanner/health – scanner presence & version
  • GET /api/scanner/plugins – enumerate available/enabled plugins
  • POST /api/scanner/scan – start an asynchronous scan (returns scan_id)
  • GET /api/scanner/scan/:scanId/status – live status & progress (0–100%, message)
  • GET /api/scanner/scan/:scanId/result – final JSON results (with severity summary & findings)
  • GET /api/scanner/scan/:scanId/report?format=html|json – generate/download HTML (lazy) or retrieve JSON
  • GET /api/scanner/scan/:scanId/raw – raw diagnostic / salvage output for debugging
  • POST /api/scanner/quick-scan – synchronous, fast scan (salvages JSON even on non‑zero exit)

Features:

  • Real‑time progress parsing via stdout sentinel lines (PROGRESS|pct|message)
  • Resilient JSON recovery (handles noisy stderr, emojis, partial writes)
  • Unified success messaging even on non‑zero exit when output is parseable
  • HTML report fallback generation in Node if Python renderer not used
  • Filename-safe scan IDs with timestamp + optional tag (quick-scan)

Automation & Scripts

  • bootstrap.js (postinstall) – installs Node deps (if needed), creates placeholder .env (if missing), prepares scanner venv, soft env validation
  • prepareScanner.js – idempotent Python venv creation + dependency hash check
  • ensureScannerReady.js – lightweight readiness & auto-repair
  • Postinstall hook: runs bootstrap in soft mode; strict mode via npm run setup

CI Updates

  • vulnerability-scan.yml: now uses node scripts/prepareScanner.js (aligned with local behavior), runs JSON + HTML V2 scan
  • security-assessment.yml: adds full V2 scan (JSON & HTML artifacts) alongside existing assessment logic
  • Legacy workflow (security.yml) left unchanged intentionally (backward-compatible / incremental adoption)

Documentation

  • Simplified README.md install flow to just: 
    npm install
npm start
  • Removed obsolete manual venv setup doc (README_SETUP.md)
  • Added notes about automated scanner bootstrap & graceful Python absence

Resilience / Quality

  • Cross-platform Python detection (override > local project .venv > venv > python3 > python > py)
  • UTF‑8 enforced for scanner subprocess to prevent Windows code page breakage
  • Progress message stability (final “Scan completed successfully” not overwritten)
  • Dependency change detection via .deps_hash
  • Graceful degradation if Python missing (API still runs; scanner endpoints return meaningful errors)

Why

  • Reduce onboarding friction (no manual pip / venv steps)
  • Provide consistent security scanning locally and in CI
  • Enable operational & scheduled scanning (security posture visibility)
  • Harden scanner integration against partial failures / platform inconsistencies

How to Test (Current Flow)

Local:

git clone <repo-url>
cd Nutrihelp-api
npm install         # auto bootstrap (postinstall)
npm start

Then (examples):

curl http://localhost:80/api/scanner/test
curl http://localhost:80/api/scanner/plugins
curl -X POST http://localhost:80/api/scanner/scan -H \"Content-Type: application/json\" -d '{\"target_path\":\"./\"}'
# Use returned scan_id:
curl http://localhost:80/api/scanner/scan/<scan_id>/status
curl http://localhost:80/api/scanner/scan/<scan_id>/result
curl http://localhost:80/api/scanner/scan/<scan_id>/report?format=html
curl -X POST http://localhost:80/api/scanner/quick-scan -H \"Content-Type: application/json\" -d '{\"target_path\":\"./\"}'

CI (GitHub Actions):

  • Run “Manual Vulnerability & Test Scan” → verify artifacts: vulnerability_report.json / .html
  • Run “Monthly Security Assessment” → verify security-report-v2.json / .html in artifacts

Risk & Mitigations

Area Risk Mitigation
Python env variability Missing interpreter / mismatched versions Graceful skip + explicit warnings
Partial scanner output Non-zero exit / encoding issues Salvage parser + UTF-8 enforcement
Long-running scans Potential timeout in CI Separate manual workflow + incremental adoption
Env config drift Placeholder .env misuse Soft validation now; can extend to strict in full mode
Report persistence Path conflicts Segregated Vulnerability_Tool_V2/reports + fallback logic

Reviewer Focus

  • scanner.js (async flow, progress parsing, report generation fallback)
  • scanner_engine.py (progress emission, plugin loop)
  • prepareScanner.js / bootstrap.js
  • Updated workflows (vulnerability-scan.yml, security-assessment.yml)
  • Ensure no real secrets introduced; only placeholders present

Follow-Up Suggestions (Not part of this PR)

  • Add npm run doctor for single-shot environment diagnostics
  • Cache Python venv in CI (actions/cache) keyed by requirements hash
  • Incremental diff-based scan workflow using changed files set
  • Strict env schema validation (fail build when placeholders remain)
  • PR comment bot summarizing severity stats on scan completion

Request Reviewers: @madhavi2809

@ChaohuiLi0321
Install basic dependencies
3ea7bf5
@ChaohuiLi0321
Add temporary file ignore filter settings
60c0fd0
@ChaohuiLi0321
Create the plugin package initialization file plugins/base_plugin.py …
e137e6e 
…and implement the plugin base class system.
@ChaohuiLi0321
Create the core engine core/scanner_engine.py
1c9a181
@ChaohuiLi0321
Create a configuration management system config/scanner_config.yaml
9367023
@ChaohuiLi0321
Configuration Manager - handles loading and validation of YAML config…
714d083 
…uration files.
@ChaohuiLi0321
NutriHelp Security Scanner V2.0 - Main Entry Point: scanner_v2.py, Mo…
b3fe677 
…dular security scanner main program.
@ChaohuiLi0321
Phase 1 Quick verification script——Verify that the modular infrastruc…
f5fde8d 
…ture is built correctly.
@ChaohuiLi0321
Create a file named test_basic_functionality.py to test the basic fun…
fe7e9c9 
…ctionality of the security scanning tool named Vulnerability_Tool_V2.
@ChaohuiLi0321
Create a JWT missing protection plug-in plugins/jwt_security/jwt_miss…
7a16146 
…ing.py
@ChaohuiLi0321
Create a JWT configuration verification plug-in plugins/jwt_security/…
d0a8f7f 
…jwt_config.py
@ChaohuiLi0321
Generate HTML report, view HTML report
2b66c52
@ChaohuiLi0321
Temporarily add a Scanner to http://localhost/api-docs/
f637efd
@ChaohuiLi0321
Integrate Vulnerability_Scanner_V2.0 into Swagger UI, with the URL: h…
f0995aa 
…ttp://localhost:8001/scanner/docs. Run the following command: python -m uvicorn api.scanner_api:app --host 0.0.0.0 --port 8001 --reload
@ChaohuiLi0321
resolve conflicts and commit
19bad1e
@ChaohuiLi0321
Change Comment
1a7925e
@ChaohuiLi0321
Update comment
45c8264
@ChaohuiLi0321
Update - Ensure both command scanning and Swagger UI scanning are wor…
a49416e 
…king properly.
@ChaohuiLi0321
Update - Ensured that the report generated by command scan is consist…
37015cc 
…ent with the report generated by scanning in Swagger UI.
@ChaohuiLi0321
Use the command "python scanner_v2.py --target ../ --format html --ou…
ca3e920 
…tput security_report.html --verbose" to generate a debugged report
@ChaohuiLi0321
Use Swagger UI: http://localhost:8001/scanner/docs to test and genera…
6375f5b 
…te reports in the updated debug format (use the command "python -m uvicorn api.scanner_api:app --host 0.0.0.0 --port 8001 --reload" to start the SwaggerUI integration of NutriHelp Security Scanner V2.0)
@ChaohuiLi0321
Integrate Vulnerability_Scanner_V2.0 into the Swagger UI: http://loca…
702082a 
…lhost/api-docs, and test the GET and POST methods in the API interface separately.
@ChaohuiLi0321
Update security report
7c28bc8
@ChaohuiLi0321
Add standard password or related security testing mechanisms and inte…
ecfe6fe 
…grate them into the API interface scanning function in Swagger UI.
@ChaohuiLi0321
update comment
ac49ba6
@ChaohuiLi0321
include general_security in GET /api/scanner/plugins
3788ba0
@ChaohuiLi0321
chore: update .gitignore to ignore venv and pytest cache
3e9f647
@ChaohuiLi0321
Add general security rules and enhance testing framework
4b7fc1e 
- Introduced a comprehensive set of security rules in `rules_v1.yaml` to detect vulnerabilities such as SQL injection, XSS, hardcoded credentials, and insecure file handling across JavaScript, Python, and text files.
- Implemented tests for the new rules in `test_general_security_legacy_rules.py`, ensuring detection of hardcoded API keys and permissive CORS configurations.
- Enhanced the testing framework with new test cases for excluding paths in `test_exclude_paths.py` and verifying JSON output fields in `test_output_json_fields.py`.
- Added a script `rename_reports_security_to_vulnerability.py` for batch renaming legacy security report files to a new naming convention.
- Improved the debug rules toggle functionality and HTML report generation in `test_debug_rules_and_html.py`.
@ChaohuiLi0321
Add Python executable resolution and setup script for virtual environ…
97d3d1d 
…ment
@ChaohuiLi0321
Merge branch 'master' of https://github.com/Gopher-Industries/Nutrihe…
3b9bbd9 
…lp-api into Vulnerability_Scanner_V2.0_Development
@ChaohuiLi0321 ChaohuiLi0321 changed the title Add Vulnerability Scanner V2.0 integration and Swagger UI endpoint Vulnerability scanner v2.0 development Vulnerability Scanner V2.0 Development Sep 18, 2025
@ChaohuiLi0321
Add manual vulnerability scan workflow and update documentation
15b2719 
- Introduced a GitHub Actions workflow for manual vulnerability scanning and optional unit tests.
- Updated README to include instructions on running the new workflow and details about inputs and artifacts.
- Enhanced the vulnerability scanner to include sensible default global excludes to reduce noise during scans.
- Implemented a CI helper script to check for critical findings in the vulnerability report and fail the job if any are found.
ChaohuiLi0321 and others added 7 commits September 25, 2025 21:05
@ChaohuiLi0321
Merge remote-tracking branch 'upstream/master' into Vulnerability_Sca…
a5ba1ea 
…nner_V2.0_Development
@ChaohuiLi0321
Update package-lock.json due to “npm install”
a43df7c
@ChaohuiLi0321
Merge remote-tracking branch 'upstream/master' into Vulnerability_Sca…
e0e8dab 
…nner_V2.0_Development
@ChaohuiLi0321
feat: enhance scanner setup and validation process
c03ed8c 
- Added `hasInstallScript` to package-lock.json for npm install script support.
- Updated package.json with new scripts for scanner preparation and environment validation.
- Improved `scanner.js` to allow for explicit Python executable overrides and enhanced progress tracking.
- Introduced `bootstrap.js` for one-shot setup of Node and Python dependencies, including environment validation.
- Created `ensureScannerReady.js` to check and prepare the scanner environment if necessary.
- Implemented `prepareScanner.js` to manage the creation of the Python virtual environment and installation of dependencies.
@ChaohuiLi0321
Merge pull request #6 from Gopher-Industries/master
8ede8a0 
merge from upstream/master
@ChaohuiLi0321
refactor: remove Python setup and V2 scanner integration from securit…
690a065 
…y assessment workflow
@ChaohuiLi0321
refactor: remove unused API files and dependencies from the project
7450193
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@madhavi2809 madhavi2809 Awaiting requested review from madhavi2809

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ChaohuiLi0321