Vulnerability Scanner V2.0 Development

.github/workflows/security-assessment.yml

@@ -37,6 +37,7 @@ jobs:
     - name: Install dependencies
       run: npm ci
 
+
     - name: Start server in background
       run: |
         npm start &
@@ -84,7 +85,7 @@ jobs:
       run: |
         echo "Starting security assessment..."
 
-        # Run the assessment
+        # Run the assessment (original behavior without full V2 scan integration)
         node security/runAssessment.js
 
         # Find the latest generated JSON report

.github/workflows/vulnerability-scan.yml

@@ -0,0 +1,102 @@
+name: Manual Vulnerability & Test Scan
+
+on:
+  workflow_dispatch:
+    inputs:
+      run_tests:
+        description: 'Set to true to run unit tests (may require DB). Default: false'
+        required: false
+        default: 'false'
+      fail_on_critical:
+        description: 'If true, the job will fail when the vulnerability_report.json contains CRITICAL issues. Default: false'
+        required: false
+        default: 'false'
+
+env:
+  NODE_VERSION: '20'
+
+jobs:
+  vulnerability-scan:
+    name: Run vulnerability scans and tests (manual)
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'npm'
+          cache-dependency-path: package-lock.json
+
+      - name: Install npm dependencies
+        run: npm ci
+      - name: Setup Python 3
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.11'
+
+      - name: Prepare Scanner Environment (V2)
+        run: |
+          node scripts/prepareScanner.js
+          if [ ! -d Vulnerability_Tool_V2/venv ]; then
+            echo "Scanner venv not created (Python missing or script skipped). Using system python.";
+          fi
+
+      - name: Run unit tests (mocha)
+        if: ${{ github.event.inputs.run_tests == 'true' }}
+        run: |
+          echo "run_tests was set to true — running unit tests"
+          if npm run | grep -q "test:unit"; then
+            npm run test:unit
+          elif npm run | grep -q "test:rce"; then
+            npm run test:rce || true
+          else
+            echo "No test script found (test:unit/test:rce). Skipping tests.";
+          fi
+
+      - name: Run npm audit and save JSON
+        run: |
+          npm audit --json > npm_audit.json || true
+
+      - name: Run Vulnerability_Tool_V2 - JSON output
+        run: |
+          PYEXEC="python3"
+          if [ -f Vulnerability_Tool_V2/venv/bin/python ]; then PYEXEC="Vulnerability_Tool_V2/venv/bin/python"; fi
+          if [ -f Vulnerability_Tool_V2/scanner_v2.py ]; then
+            $PYEXEC Vulnerability_Tool_V2/scanner_v2.py --target . --format json --output vulnerability_report.json || true
+          else
+            echo "Vulnerability_Tool_V2/scanner_v2.py not found" > vulnerability_report.json
+          fi
+
+      - name: Run Vulnerability_Tool_V2 - HTML output
+        run: |
+          PYEXEC="python3"
+            if [ -f Vulnerability_Tool_V2/venv/bin/python ]; then PYEXEC="Vulnerability_Tool_V2/venv/bin/python"; fi
+          if [ -f Vulnerability_Tool_V2/scanner_v2.py ]; then
+            $PYEXEC Vulnerability_Tool_V2/scanner_v2.py --target . --format html --output vulnerability_report.html || true
+          else
+            echo "Vulnerability_Tool_V2/scanner_v2.py not found" > vulnerability_report.html
+          fi
+
+      - name: Collect generated reports
+        run: |
+          ls -la || true
+          echo "Collected artifacts:"; ls -la *.html *.txt npm_audit.json || true
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: vulnerability-scan-reports
+          path: |
+            vulnerability_report.json
+            vulnerability_report.html
+            vulnerability_tool_report.txt
+            npm_audit.json
+
+      - name: Fail on critical findings (optional)
+        if: ${{ github.event.inputs.fail_on_critical == 'true' }}
+        run: |
+          echo "Checking vulnerability_report.json for CRITICAL findings..."
+          python3 scripts/ci_check_vuln.py

.gitignore

@@ -149,4 +149,33 @@ __pycache__/
 
 # Ignore generated security assessment reports
 /security/reports/
-```
+```
+
+# Python virtual environments
+venv/
+.env/
+__pycache__/
+*.pyc
+
+# Local virtualenv created during testing
+.venv/
+
+# pytest cache
+.pytest_cache/
+
+# pipenv
+Pipfile.lock
+
+# macOS system files
+.DS_Store
+
+# VS Code settings
+.vscode/
+
+# Logs and temp files
+*.log
+*.tmp
+
+# Vulnerability Scanner V2 reports - generated artifacts
+Vulnerability_Tool_V2/reports/
+Vulnerability_Tool_V2/reports/*

README.md

@@ -11,15 +11,18 @@ git clone https://github.com/Gopher-Industries/Nutrihelp-api
 ```bash
 cd Nutrihelp-api
 ```
-4. Install the required dependencies (including python dependencies):
+4. Install dependencies (runs automated bootstrap via npm postinstall):
 ```bash
 npm install
-pip install -r requirements.txt
-npm install node-fetch
-npm install --save-dev jest supertest
 ```
-5. Contact a project maintainer to get the `.env` file that contains the necessary environment variables and place it in the root of the project directory.
-6. Start the server:
+  What happens automatically:
+  - Node dependencies installed
+  - Environment bootstrap runs (`scripts/bootstrap.js --mode=postinstall`)
+  - If no `.env` exists a minimal placeholder is generated (internal team must replace with real values)
+  - Vulnerability scanner virtual environment prepared if Python 3 is available
+  - Environment validation runs (warnings only in postinstall mode)
+
+3. Start the server:
 ```bash
 npm start
 ```
@@ -57,3 +60,31 @@ npx jest .\test\healthNews.test.js
 
 /\ Please refer to the "PatchNotes_VersionControl" file for  /\
 /\ recent updates and changes made through each version.     /\
+
+
+## CI: Manual Vulnerability & Test Scan (V2 Aligned)
+
+This repository includes a manual GitHub Actions workflow that runs the Vulnerability Scanner (V2) and optional tests.
+
+How to run
+- Open the repository on GitHub and go to the Actions tab.
+- Select the workflow named `Manual Vulnerability & Test Scan`.
+- Click the `Run workflow` button.
+
+Inputs
+- `run_tests` (default: `false`) — set to `true` to run unit tests (`npm run test:unit`). Tests may require a database or other services; use with caution.
+- `fail_on_critical` (default: `false`) — set to `true` to make the job fail when the scanner JSON report contains one or more `CRITICAL` findings.
+
+Artifacts
+- `vulnerability-scan-reports` (artifact bundle) — contains:
+  - `vulnerability_report.json` — machine-readable scan results
+  - `vulnerability_report.html` — human-friendly HTML report (if HTML rendering succeeds)
+  - `vulnerability_tool_report.txt` — legacy/auxiliary scanner output (if generated)
+  - `npm_audit.json` — result of `npm audit --json`
+
+Notes and recommendations
+- The scanner excludes internal tool directories and common noisy paths (for example `Vulnerability_Tool_V2`, legacy `Vulnerability_Tool`, `node_modules`, test caches).
+- If you enable `run_tests`, ensure the required environment (DB, credentials) is available to avoid noisy failures.
+- Use `fail_on_critical=true` for gating releases or running stricter checks in CI; keep it `false` for quick, informational scans.
+
+

VULN_CI_MIGRATION_TASK.md

@@ -0,0 +1,82 @@
+# Vulnerability Scanner CI Migration Task (V1.4 -> V2.0)
+
+This document is a handover for the next developer to migrate `.github/workflows/security.yml` from invoking
+`Vulnerability_Tool/Vulnerability_Scanner_V1.4.py` to using `Vulnerability_Tool_V2/scanner_v2.py`.
+
+Goal
+- Run the V2.0 scanner in GitHub Actions to produce human-readable HTML (recommended) and/or JSON reports and
+  upload them as artifacts.
+- Keep reproducibility by preferring the repository-provided venv setup (`setup_venv.sh`) and consider caching to
+  reduce CI time.
+
+Acceptance criteria
+1. Actions produces a report file (HTML or JSON) under `Vulnerability_Tool_V2/reports/` and uploads it as an artifact.
+   Suggested filename: `security_report_${{ github.sha }}.html`.
+2. Decide and document whether CRITICAL findings should fail the CI job (i.e. block PRs) and reflect that decision in
+   the workflow (comments or parameters).
+3. Document performance / caching recommendations (for example, use `actions/cache` to cache pip wheels or pip cache
+   directories).
+
+Key information
+- V2 CLI entry: `Vulnerability_Tool_V2/scanner_v2.py`. Required argument: `--target` (target directory). Optional flags:
+  `--format` (json|html|summary), `--output` (write output file), and `--verbose`.
+- Recommended: use the repo script to create a virtual environment: `Vulnerability_Tool_V2/setup_venv.sh` which will
+  create `Vulnerability_Tool_V2/venv` and install dependencies from `requirements.txt`.
+
+Recommended implementation (preferred: use repository venv)
+
+Replace the existing step that used to run V1 against each changed file with the snippet below. Adjust to your job
+context and branching strategy as needed.
+
+```yaml
+# ...existing job steps...
+- name: Set up Python venv for scanner
+  run: |
+    cd Vulnerability_Tool_V2
+    chmod +x ./setup_venv.sh || true
+    ./setup_venv.sh
+
+- name: Run Vulnerability_Tool_V2 scanner
+  run: |
+    SCAN_OUTPUT=Vulnerability_Tool_V2/reports/security_report_${{ github.sha }}.html
+    Vulnerability_Tool_V2/venv/bin/python Vulnerability_Tool_V2/scanner_v2.py --target . --format html --output "$SCAN_OUTPUT" --verbose
+    ls -la Vulnerability_Tool_V2/reports || true
+
+- name: Upload scanner report
+  uses: actions/upload-artifact@v4
+  with:
+    name: security-scan-report
+    path: Vulnerability_Tool_V2/reports/security_report_${{ github.sha }}.html
+```
+
+Minimal alternative (do not create venv; use system Python)
+
+```yaml
+- name: Install scanner deps (system python)
+  run: |
+    python3 -m pip install --upgrade pip
+    pip install -r Vulnerability_Tool_V2/requirements.txt
+
+- name: Run scanner (system python)
+  run: |
+    python3 Vulnerability_Tool_V2/scanner_v2.py --target . --format html --output Vulnerability_Tool_V2/reports/security_report_${{ github.sha }}.html
+```
+
+Notes and optimizations
+- Caching: use `actions/cache` to speed up dependency installation (cache pip wheel files or pip cache directories).
+- Exit code behavior: V2 will return a non-zero exit code if CRITICAL issues are found (the CLI returns 1 on
+  critical findings). If you want PRs to be blocked on criticals, keep this behavior. Otherwise, use
+  `continue-on-error: true` for the scanner step or capture the exit code and treat it as a warning while still
+  uploading the report.
+- Scan scope: V1 was scanning changed files one-by-one. V2 is intended to scan directories. If you want to scan only
+  changed files, you can copy changed files to a temporary directory in the job and use `--target` to point to that
+  temporary directory, or adapt scanner configuration to accept a file-list.
+
+Additional resources
+- Scanner entrypoint: `Vulnerability_Tool_V2/scanner_v2.py`
+- Requirements: `Vulnerability_Tool_V2/requirements.txt`
+- venv setup script: `Vulnerability_Tool_V2/setup_venv.sh`
+
+Handover
+Assign this task to the person responsible for CI and link this document in the issue/PR. Include the acceptance
+criteria in the PR description when implementing the change.

Vulnerability_Tool_V2/.gitignore

@@ -0,0 +1,4 @@
+# Ignore generated reports from the scanner
+reports/
+# Keep temp json files used during rendering
+tmp_*.json