analyzer

package
v0.1.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 4, 2026 License: MIT Imports: 10 Imported by: 0

Documentation

Overview

Package analyzer provides the scanning engine that runs a set of checkers over a UnifiedTool and produces a RiskScore.

Package analyzer provides the scanning engine that runs a set of checkers over a UnifiedTool and produces a RiskScore.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Dependency 

type Dependency struct {
	Name      string `json:"name"`
	Version   string `json:"version"`
	Ecosystem string `json:"ecosystem"` // e.g. "npm", "Go", "PyPI"
}

Dependency describes a package that a tool depends on. Adapters should populate UnifiedTool.Metadata["dependencies"] with []Dependency when the source protocol exposes package information.

type DoSResilienceChecker 

type DoSResilienceChecker struct{}

DoSResilienceChecker detects tools that perform network or resource-heavy operations without any visible rate-limit or retry configuration, creating potential for denial-of-service or runaway resource consumption.

Rule ID: AS-011.

func NewDoSResilienceChecker 

func NewDoSResilienceChecker() *DoSResilienceChecker

NewDoSResilienceChecker returns a new DoSResilienceChecker.

func (*DoSResilienceChecker) Check 

func (c *DoSResilienceChecker) Check(tool model.UnifiedTool) ([]model.Issue, error)

Check raises a LOW finding when a tool holds a risky permission but declares no rate-limit metadata and has no rate-limit-related schema properties.

type Engine 

type Engine struct {
	// contains filtered or unexported fields
}

Engine is the public-facing scanner. It wraps the lower-level Scanner and exposes a context-free Scan method suitable for direct use in tests and CLI one-shot invocations.

func NewEngine 

func NewEngine() *Engine

NewEngine returns an Engine pre-wired with all default checkers:

  • AS-001 Tool Poisoning (PoisoningChecker)
  • AS-002 Permission Surface (PermissionChecker)
  • AS-003 Scope Mismatch (ScopeChecker)
  • AS-004 Supply Chain CVE (SupplyChainChecker)
  • AS-005 Privilege Escalation (PrivilegeEscalationChecker)
  • AS-010 Secret Handling (SecretHandlingChecker)
  • AS-011 DoS Resilience (DoSResilienceChecker)

func (*Engine) Scan 

func (e *Engine) Scan(tool model.UnifiedTool) ScanReport

Scan analyses tool and returns a ScanReport. It uses a background context. context.Background() never cancels, so the only error path is an internal checker failure — which the built-in checkers never trigger. In the unlikely event of a failure, a zero ScanReport is returned.

type MockVuln 

type MockVuln struct {
	ID        string
	Summary   string
	CVSSScore string // CVSS v3 base score string, e.g. "9.8". Empty = no severity.
}

MockVuln describes a fake vulnerability returned by the mock OSV client.

type PermissionChecker 

type PermissionChecker struct{}

PermissionChecker analyses the declared permissions of a tool.

func NewPermissionChecker 

func NewPermissionChecker() *PermissionChecker

NewPermissionChecker returns a new PermissionChecker.

func (*PermissionChecker) Check 

func (c *PermissionChecker) Check(tool model.UnifiedTool) ([]model.Issue, error)

Check produces issues for each risky permission and for over-broad input schemas.

type PoisoningChecker 

type PoisoningChecker struct{}

PoisoningChecker inspects a tool's description for prompt injection signals.

func NewPoisoningChecker 

func NewPoisoningChecker() *PoisoningChecker

NewPoisoningChecker returns a new PoisoningChecker.

func (*PoisoningChecker) Check 

func (c *PoisoningChecker) Check(tool model.UnifiedTool) ([]model.Issue, error)

Check runs all injection pattern rules against the tool description.

type PrivilegeEscalationChecker 

type PrivilegeEscalationChecker struct{}

PrivilegeEscalationChecker detects OAuth/token scopes that are broader than necessary, and description-level signals of privilege escalation at runtime.

Rule ID: AS-005.

func NewPrivilegeEscalationChecker 

func NewPrivilegeEscalationChecker() *PrivilegeEscalationChecker

NewPrivilegeEscalationChecker returns a new PrivilegeEscalationChecker.

func (*PrivilegeEscalationChecker) Check 

func (c *PrivilegeEscalationChecker) Check(tool model.UnifiedTool) ([]model.Issue, error)

Check inspects:

  1. tool.Metadata["oauth_scopes"] ([]string) for over-broad OAuth scopes.
  2. tool.Description for privilege-escalation language.

type ScanReport 

type ScanReport struct {
	ToolName  string
	RiskScore int
	Grade     model.Grade
	Findings  []model.Issue
}

ScanReport is the high-level result returned by Engine.Scan. It exposes the numeric RiskScore and the full slice of Findings so callers can filter by RuleID (e.g. "AS-001") without unpacking a model.RiskScore.

func (ScanReport) HasFinding 

func (r ScanReport) HasFinding(ruleID string) bool

HasFinding reports whether the report contains at least one finding with the given RuleID.

type Scanner 

type Scanner struct {
	// contains filtered or unexported fields
}

Scanner orchestrates all registered checkers and aggregates their output into a single RiskScore.

func NewScanner 

func NewScanner() *Scanner

NewScanner returns a Scanner wired with all default checkers. Supply chain (AS-004) uses the live OSV API; for tests inject a mock via NewScannerWithCheckers or use Engine.Scan which calls the real checker.

func (*Scanner) Scan 

func (s *Scanner) Scan(ctx context.Context, tool model.UnifiedTool) (model.RiskScore, error)

Scan runs all checkers against the tool and returns the aggregated RiskScore. It respects ctx cancellation.

type ScopeChecker 

type ScopeChecker struct{}

ScopeChecker detects mismatches between a tool's name semantics and its declared permissions.

func NewScopeChecker 

func NewScopeChecker() *ScopeChecker

NewScopeChecker returns a new ScopeChecker.

func (*ScopeChecker) Check 

func (c *ScopeChecker) Check(tool model.UnifiedTool) ([]model.Issue, error)

Check raises SCOPE_MISMATCH issues when a "read-only" named tool holds write-class permissions, or when a "write" named tool lacks write permissions.

type SecretHandlingChecker 

type SecretHandlingChecker struct{}

SecretHandlingChecker flags tools that accept credentials as input parameters (high leakage risk in agent traces) and descriptions that suggest secrets are logged or stored insecurely.

Rule ID: AS-010.

func NewSecretHandlingChecker 

func NewSecretHandlingChecker() *SecretHandlingChecker

NewSecretHandlingChecker returns a new SecretHandlingChecker.

func (*SecretHandlingChecker) Check 

func (c *SecretHandlingChecker) Check(tool model.UnifiedTool) ([]model.Issue, error)

Check scans input schema properties and the tool description for credential exposure patterns.

type SupplyChainChecker 

type SupplyChainChecker struct {
	// contains filtered or unexported fields
}

SupplyChainChecker queries the OSV API for known CVEs in a tool's declared dependencies. Dependencies are read from UnifiedTool.Metadata["dependencies"] which adapters populate when the source protocol exposes package info.

Rule ID: AS-004.

func NewSupplyChainChecker 

func NewSupplyChainChecker() *SupplyChainChecker

NewSupplyChainChecker returns a SupplyChainChecker using the live OSV API.

func NewSupplyChainCheckerWithMock 

func NewSupplyChainCheckerWithMock(vulns []MockVuln, queryErr error) *SupplyChainChecker

NewSupplyChainCheckerWithMock returns a SupplyChainChecker backed by an in-memory mock OSV client. Intended for unit tests only.

func (*SupplyChainChecker) Check 

func (c *SupplyChainChecker) Check(tool model.UnifiedTool) ([]model.Issue, error)

Check reads dependencies from tool.Metadata["dependencies"] and queries OSV for each one. Missing or empty metadata results in no findings.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.