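/**
 * @fileoverview API Security Analyzer - OpenAPI/REST API security analysis
 * @module @nahisaho/musubix-security/analyzers/api/api-security-analyzer
 * @trace DES-SEC3-API-001, REQ-SEC3-API-001
 *
 * NOTE(review): this declaration file was recovered from a collapsed listing in
 * which every generic type argument written as `<string, ...>` (and the
 * `Promise<...>` return types) had been stripped, leaving bare `Record;` and
 * `Promise;` that do not type-check. The arguments below are reconstructed from
 * the types declared in this file and the OpenAPI object model; confirm them
 * against the emitting source before relying on them.
 */
import type { Vulnerability, Severity } from '../../types/vulnerability.js';

/**
 * A single HTTP operation (path + method) extracted from an OpenAPI document.
 *
 * `security` is the requirement list attached to the operation. In OpenAPI an
 * operation-level list overrides the document-level default, and an empty
 * array explicitly declares "no authentication" for that operation.
 */
export interface APIEndpoint {
  path: string;
  method: 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE' | 'OPTIONS' | 'HEAD';
  operationId?: string;
  summary?: string;
  tags?: string[];
  parameters?: APIParameter[];
  requestBody?: APIRequestBody;
  /** Keyed by HTTP status code (or `default`), as in the OpenAPI responses object. */
  responses?: Record<string, APIResponse>;
  /** Security requirements for this operation; `[]` means no auth is required. */
  security?: SecurityRequirement[];
}

/**
 * A request parameter. `in` is the OpenAPI parameter location; `schema`
 * carries whatever constraints (type, pattern, bounds) the spec declares and
 * is what input-validation checks can inspect.
 */
export interface APIParameter {
  name: string;
  in: 'path' | 'query' | 'header' | 'cookie';
  required?: boolean;
  schema?: SchemaObject;
  description?: string;
}

/**
 * Request body description. `content` is keyed by media type
 * (e.g. `application/json`).
 */
export interface APIRequestBody {
  required?: boolean;
  // NOTE(review): value type reconstructed from the OpenAPI media-type object;
  // the original type argument was lost in extraction - confirm against source.
  content?: Record<string, { schema?: SchemaObject }>;
}

/**
 * Response description for one status code. `content` is keyed by media type.
 */
export interface APIResponse {
  description: string;
  // NOTE(review): value type reconstructed as for APIRequestBody.content - confirm.
  content?: Record<string, { schema?: SchemaObject }>;
}

/**
 * Schema object (simplified subset of JSON Schema as used by OpenAPI).
 * Only the constraint keywords the analyzer is expected to look at are
 * modelled; anything else in the source document is not represented here.
 */
export interface SchemaObject {
  type?: string;
  format?: string;
  pattern?: string;
  minimum?: number;
  maximum?: number;
  minLength?: number;
  maxLength?: number;
  // Kept as `any[]` for compatibility with existing consumers of this .d.ts;
  // the values are whatever the spec author wrote and should be treated as
  // untyped data, not trusted as a particular primitive.
  enum?: any[];
  properties?: Record<string, SchemaObject>;
  required?: string[];
  items?: SchemaObject;
}

/**
 * OpenAPI security requirement: maps a security-scheme name (a key of
 * `components.securitySchemes`) to the list of scopes required (empty for
 * non-OAuth schemes).
 */
export interface SecurityRequirement {
  [name: string]: string[];
}

/**
 * A finding produced by the analyzer.
 *
 * `endpoint`/`method` are absent for document-level findings (for example a
 * missing server or transport-security issue). `owasp` and `cwe` are reference
 * identifiers for the finding class, when the rule provides them.
 */
export interface APISecurityIssue {
  id: string;
  severity: Severity;
  category: APISecurityCategory;
  endpoint?: string;
  method?: string;
  title: string;
  description: string;
  recommendation: string;
  owasp?: string[];
  cwe?: string[];
}

/**
 * Classification of an API security finding.
 */
export type APISecurityCategory =
  | 'authentication'
  | 'authorization'
  | 'injection'
  | 'data-exposure'
  | 'rate-limiting'
  | 'cors'
  | 'transport-security'
  | 'input-validation'
  | 'error-handling'
  | 'logging'
  | 'deprecated-api'
  | 'misconfiguration';

/**
 * Result of analysing one OpenAPI document.
 *
 * `endpoints` is the number of operations examined; `score` is the aggregate
 * produced by the analyzer's `calculateScore` (its scale is not fixed by this
 * declaration - check the implementation before thresholding on it).
 */
export interface APISecurityResult {
  timestamp: Date;
  specVersion?: string;
  title?: string;
  endpoints: number;
  issues: APISecurityIssue[];
  coverage: SecurityCoverage;
  score: number;
  summary: APISecuritySummary;
}

/**
 * How many endpoints carry each kind of protection.
 *
 * `authCoverage` and `validationCoverage` are derived from the counts above;
 * whether they are ratios (0-1) or percentages is decided by the
 * implementation, not by this declaration.
 */
export interface SecurityCoverage {
  endpointsWithAuth: number;
  endpointsWithoutAuth: number;
  endpointsWithValidation: number;
  endpointsWithRateLimiting: number;
  totalEndpoints: number;
  authCoverage: number;
  validationCoverage: number;
}

/**
 * Roll-up of the issue list by severity and category, plus the
 * recommendations the analyzer chose to surface.
 */
export interface APISecuritySummary {
  criticalIssues: number;
  highIssues: number;
  mediumIssues: number;
  lowIssues: number;
  topCategories: Array<{ category: APISecurityCategory; count: number }>;
  recommendations: string[];
}

/**
 * Analyzer configuration.
 *
 * The `check*` flags enable or disable rule groups (see `shouldRunRule`).
 * `skipPaths` lists paths to exclude from analysis. `customRules` are executed
 * by the analyzer, so they should only be loaded from configuration the
 * operator controls.
 */
export interface APISecurityOptions {
  checkAuth?: boolean;
  checkInjection?: boolean;
  checkDataExposure?: boolean;
  checkRateLimiting?: boolean;
  checkCORS?: boolean;
  skipPaths?: string[];
  customRules?: APISecurityRule[];
}

/**
 * A user-supplied rule evaluated against each endpoint.
 *
 * `check` receives the endpoint and the whole spec and returns a boolean;
 * which polarity means "issue found" is defined by the implementation
 * (presumably `true` raises an issue built from `message`/`recommendation` -
 * confirm before writing rules).
 */
export interface APISecurityRule {
  id: string;
  name: string;
  severity: Severity;
  category: APISecurityCategory;
  check: (endpoint: APIEndpoint, spec: OpenAPISpec) => boolean;
  message: string;
  recommendation: string;
}

/**
 * OpenAPI document (simplified). Either `openapi` (3.x) or `swagger` (2.0)
 * carries the spec version. Document-level `security` is the default applied
 * to operations that do not declare their own.
 */
export interface OpenAPISpec {
  openapi?: string;
  swagger?: string;
  info?: {
    title?: string;
    version?: string;
  };
  servers?: Array<{
    url: string;
    description?: string;
  }>;
  /** Keyed by path template, e.g. `/users/{id}`. */
  paths?: Record<string, PathItem>;
  components?: {
    /** Keyed by scheme name, referenced from SecurityRequirement. */
    securitySchemes?: Record<string, SecurityScheme>;
    schemas?: Record<string, SchemaObject>;
  };
  security?: SecurityRequirement[];
}

/**
 * Path item: one optional operation per HTTP method plus path-level
 * parameters shared by all of them.
 */
interface PathItem {
  get?: OperationObject;
  post?: OperationObject;
  put?: OperationObject;
  patch?: OperationObject;
  delete?: OperationObject;
  options?: OperationObject;
  head?: OperationObject;
  parameters?: APIParameter[];
}

/**
 * Operation object as it appears in the document, before being flattened
 * into an APIEndpoint. `deprecated` feeds the 'deprecated-api' category.
 */
interface OperationObject {
  operationId?: string;
  summary?: string;
  description?: string;
  tags?: string[];
  parameters?: APIParameter[];
  requestBody?: APIRequestBody;
  responses?: Record<string, APIResponse>;
  security?: SecurityRequirement[];
  deprecated?: boolean;
}

/**
 * Security scheme definition. `name`/`in` apply to `apiKey`; `scheme` and
 * `bearerFormat` apply to `http`.
 */
interface SecurityScheme {
  type: 'apiKey' | 'http' | 'oauth2' | 'openIdConnect';
  description?: string;
  name?: string;
  in?: 'query' | 'header' | 'cookie';
  scheme?: string;
  bearerFormat?: string;
}

/**
 * API Security Analyzer
 * @trace DES-SEC3-API-001
 *
 * Runs the built-in rule set (filtered by APISecurityOptions) plus any
 * custom rules over every endpoint of an OpenAPI document and reports
 * findings, coverage metrics and an aggregate score.
 */
export declare class APISecurityAnalyzer {
  private options;
  private rules;
  constructor(options?: APISecurityOptions);
  /**
   * Analyze an OpenAPI specification.
   * @trace REQ-SEC3-API-001
   * @param spec - A parsed document, or its raw text. Text input is handled
   *   by the private `parseSimpleYaml`, which by its own description supports
   *   only basic specs; documents that use advanced YAML features may not be
   *   parsed faithfully, so prefer passing an already-parsed object.
   * @returns The analysis result.
   */
  analyze(spec: OpenAPISpec | string): Promise<APISecurityResult>;
  /**
   * Analyze a specification read from disk.
   * @param filePath - Path of the spec file; presumably read and then passed
   *   through the same parsing as `analyze` (not visible in this declaration).
   */
  analyzeFile(filePath: string): Promise<APISecurityResult>;
  /** Flatten `paths` into one APIEndpoint per (path, method). */
  private extractEndpoints;
  /** Decide, from the `check*` options, whether a rule is active. */
  private shouldRunRule;
  /** Compute SecurityCoverage over the extracted endpoints. */
  private calculateCoverage;
  /** Compute the aggregate score from the issue list. */
  private calculateScore;
  /** Build APISecuritySummary from the issue list. */
  private generateSummary;
  /** Minimal YAML parser for basic OpenAPI documents (see `analyze`). */
  private parseSimpleYaml;
  /**
   * Convert the analyzer's issues into the package-wide Vulnerability type so
   * API findings can be merged with results from the other analyzers.
   */
  toVulnerabilities(result: APISecurityResult): Vulnerability[];
}

/**
 * Create an APISecurityAnalyzer instance.
 * @param options - Analyzer configuration; all checks are optional flags.
 */
export declare function createAPISecurityAnalyzer(options?: APISecurityOptions): APISecurityAnalyzer;
export {};
//# sourceMappingURL=api-security-analyzer.d.ts.map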