@aldegad/safedeps 2.1.1 → 2.4.0

package/lib/ledger/ledger.sh

@@ -183,16 +183,23 @@ safedeps_ledger_check() {
 
 safedeps_ledger_atomic_write() {
   local target_path="$1"
-  local temp_path="${target_path}.$$"
+  local target_dir
+  local target_base
+  local temp_path
 
   safedeps_ledger_init
+  target_dir=$(dirname "${target_path}")
+  target_base=$(basename "${target_path}")
+  mkdir -p "${target_dir}" || return 1
+  temp_path=$(mktemp "${target_dir}/.${target_base}.XXXXXX") || return 1
+
   cat > "${temp_path}"
   chmod 600 "${temp_path}" 2>/dev/null || true
   safedeps_ledger_validate_json "${temp_path}" || {
     rm -f "${temp_path}"
     return 1
   }
-  mv "${temp_path}" "${target_path}"
+  mv -f "${temp_path}" "${target_path}"
 }
 
 safedeps_ledger_write_approved_spec() {
@@ -203,11 +210,13 @@ safedeps_ledger_write_approved_spec() {
   local approved_by="${5:-local}"
   local evidence_file="${6:-}"
   local ttl_days="${7:-${SAFEDEPS_LEDGER_DEFAULT_TTL_DAYS}}"
+  local transitive_specs_file="${8:-}"
   local approved_at
   local expires_at
   local hash
   local target_path
   local evidence_arg=()
+  local transitive_arg=()
 
   safedeps_ledger_require_jq || return 1
   safedeps_ledger_init
@@ -227,6 +236,20 @@ safedeps_ledger_write_approved_spec() {
     evidence_arg=(--argjson evidence '{}')
   fi
 
+  if [[ -n "${transitive_specs_file}" ]]; then
+    [[ -f "${transitive_specs_file}" ]] || {
+      printf 'safedeps ledger: transitive specs file not found: %s\n' "${transitive_specs_file}" >&2
+      return 1
+    }
+    jq -e 'type == "array"' "${transitive_specs_file}" >/dev/null || {
+      printf 'safedeps ledger: transitive specs file must be a JSON array: %s\n' "${transitive_specs_file}" >&2
+      return 1
+    }
+    transitive_arg=(--slurpfile transitive_specs "${transitive_specs_file}")
+  else
+    transitive_arg=(--argjson transitive_specs '[]')
+  fi
+
   if [[ -n "${evidence_file}" ]]; then
     jq -cn \
       --arg hash "${hash}" \
@@ -238,6 +261,7 @@ safedeps_ledger_write_approved_spec() {
       --arg expires_at "${expires_at}" \
       --arg approved_by "${approved_by}" \
       "${evidence_arg[@]}" \
+      "${transitive_arg[@]}" \
       '{
         hash: $hash,
         ecosystem: $ecosystem,
@@ -248,7 +272,11 @@ safedeps_ledger_write_approved_spec() {
         expires_at: $expires_at,
         approved_by: $approved_by,
         evidence: ($evidence[0] // {}),
-        transitive_specs: []
+        transitive_specs: (($transitive_specs[0] // $transitive_specs) | map({
+          ecosystem: (.ecosystem // $ecosystem),
+          package: .package,
+          version: (.version | tostring)
+        }) | unique_by(.ecosystem + "\u0000" + .package + "\u0000" + .version))
       }' | safedeps_ledger_atomic_write "${target_path}"
   else
     jq -cn \
@@ -261,6 +289,7 @@ safedeps_ledger_write_approved_spec() {
       --arg expires_at "${expires_at}" \
       --arg approved_by "${approved_by}" \
       "${evidence_arg[@]}" \
+      "${transitive_arg[@]}" \
       '{
         hash: $hash,
         ecosystem: $ecosystem,
@@ -271,39 +300,84 @@ safedeps_ledger_write_approved_spec() {
         expires_at: $expires_at,
         approved_by: $approved_by,
         evidence: $evidence,
-        transitive_specs: []
+        transitive_specs: (($transitive_specs[0] // $transitive_specs) | map({
+          ecosystem: (.ecosystem // $ecosystem),
+          package: .package,
+          version: (.version | tostring)
+        }) | unique_by(.ecosystem + "\u0000" + .package + "\u0000" + .version))
       }' | safedeps_ledger_atomic_write "${target_path}"
   fi
 
   cat "${target_path}"
 }
 
+safedeps_ledger_effect_check() {
+  local ecosystem="$1"
+  local package_name="$2"
+  local version="$3"
+  local ledger_file
+  local now_iso
+
+  safedeps_ledger_require_jq || return 1
+  safedeps_ledger_init
+  now_iso=$(safedeps_ledger_now_iso)
+
+  while IFS= read -r -d '' ledger_file; do
+    safedeps_ledger_validate_json "${ledger_file}" || continue
+    safedeps_ledger_is_expired_file "${ledger_file}" && continue
+    if jq -e \
+      --arg ecosystem "${ecosystem}" \
+      --arg package "${package_name}" \
+      --arg version "${version}" \
+      '
+      (.revoked_at // "") == ""
+      and (
+        (.ecosystem == $ecosystem and .package == $package and .version == $version)
+        or (((.transitive_specs // []) | map(select(
+          (.ecosystem // $ecosystem) == $ecosystem
+          and .package == $package
+          and (.version | tostring) == $version
+        )) | length) > 0)
+      )
+    ' \
+      "${ledger_file}" >/dev/null; then
+      jq -cn \
+        --arg owner_hash "$(jq -r '.hash' "${ledger_file}")" \
+        --arg owner_package "$(jq -r '.package' "${ledger_file}")" \
+        --arg owner_version "$(jq -r '.version' "${ledger_file}")" \
+        --arg checked_at "${now_iso}" \
+        '{approved:true, reason:"hit", owner_hash:$owner_hash, owner_package:$owner_package, owner_version:$owner_version, checked_at:$checked_at}'
+      return 0
+    fi
+  done < <(find "${SAFEDEPS_LEDGER_DIR}" -maxdepth 1 -name '*.json' -type f -print0 2>/dev/null)
+
+  jq -cn \
+    --arg ecosystem "${ecosystem}" \
+    --arg package "${package_name}" \
+    --arg version "${version}" \
+    --arg checked_at "${now_iso}" \
+    '{approved:false, reason:"miss", ecosystem:$ecosystem, package:$package, version:$version, checked_at:$checked_at}'
+  return 1
+}
+
 safedeps_ledger_revoke() {
   local ecosystem="$1"
   local package_name="$2"
   local version="$3"
   local reason="${4:-revoked}"
   local ledger_file
-  local temp_path
   local revoked_at
 
   ledger_file=$(safedeps_ledger_path "${ecosystem}" "${package_name}" "${version}")
   [[ -f "${ledger_file}" ]] || return 1
   safedeps_ledger_validate_json "${ledger_file}" || return 1
 
-  temp_path="${ledger_file}.$$"
   revoked_at=$(safedeps_ledger_now_iso)
   jq \
     --arg revoked_at "${revoked_at}" \
     --arg reason "${reason}" \
     '. + {revoked_at: $revoked_at, revoked_reason: $reason, expires_at: $revoked_at}' \
-    "${ledger_file}" > "${temp_path}"
-  chmod 600 "${temp_path}" 2>/dev/null || true
-  safedeps_ledger_validate_json "${temp_path}" || {
-    rm -f "${temp_path}"
-    return 1
-  }
-  mv "${temp_path}" "${ledger_file}"
+    "${ledger_file}" | safedeps_ledger_atomic_write "${ledger_file}"
   cat "${ledger_file}"
 }
 
@@ -325,12 +399,16 @@ if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
       safedeps_ledger_check "$@"
       ;;
     approve)
-      if [[ "$#" -lt 3 || "$#" -gt 7 ]]; then
-        printf 'usage: %s approve <ecosystem> <package> <version> [version_range] [approved_by] [evidence_file] [ttl_days]\n' "$0" >&2
+      if [[ "$#" -lt 3 || "$#" -gt 8 ]]; then
+        printf 'usage: %s approve <ecosystem> <package> <version> [version_range] [approved_by] [evidence_file] [ttl_days] [transitive_specs_file]\n' "$0" >&2
         exit 2
       fi
       safedeps_ledger_write_approved_spec "$@"
       ;;
+    effect-check)
+      [[ "$#" -eq 3 ]] || { printf 'usage: %s effect-check <ecosystem> <package> <version>\n' "$0" >&2; exit 2; }
+      safedeps_ledger_effect_check "$@"
+      ;;
     revoke)
       if [[ "$#" -lt 3 || "$#" -gt 4 ]]; then
         printf 'usage: %s revoke <ecosystem> <package> <version> [reason]\n' "$0" >&2
@@ -339,7 +417,7 @@ if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
       safedeps_ledger_revoke "$@"
       ;;
     *)
-      printf 'usage: %s {hash|path|check|approve|revoke} ...\n' "$0" >&2
+      printf 'usage: %s {hash|path|check|effect-check|approve|revoke} ...\n' "$0" >&2
       exit 2
       ;;
   esac

package/lib/npm/closure.sh

@@ -0,0 +1,115 @@
+#!/usr/bin/env bash
+# npm dependency closure helpers for safedeps.
+
+set -euo pipefail
+
+safedeps_npm_require_jq() {
+  if ! command -v jq >/dev/null 2>&1; then
+    printf 'safedeps npm closure: jq is required\n' >&2
+    return 1
+  fi
+}
+
+safedeps_npm_lock_closure() {
+  local lockfile="$1"
+  local direct_package="${2:-}"
+
+  safedeps_npm_require_jq || return 1
+  [[ -f "${lockfile}" ]] || {
+    printf 'safedeps npm closure: lockfile not found: %s\n' "${lockfile}" >&2
+    return 1
+  }
+
+  jq -c --arg direct_package "${direct_package}" '
+    def package_name_from_path($path):
+      ($path | split("node_modules/") | last) as $tail
+      | if ($tail | startswith("@")) then
+          ($tail | split("/") | .[0:2] | join("/"))
+        else
+          ($tail | split("/") | .[0])
+        end;
+
+    if ((.packages // null) | type) == "object" then
+      [
+        .packages
+        | to_entries[]
+        | select(.key != "")
+        | select((.value.version // "") != "")
+        | {
+            ecosystem: "npm",
+            package: (.value.name // package_name_from_path(.key)),
+            version: (.value.version | tostring)
+          }
+        | select(.package != "" and .version != "")
+        | . + {direct: (.package == $direct_package)}
+      ]
+      | unique_by(.ecosystem + "\u0000" + .package + "\u0000" + .version)
+      | sort_by(.package, .version)
+    else
+      []
+    end
+  ' "${lockfile}"
+}
+
+safedeps_npm_fixture_closure() {
+  local package_name="$1"
+  local version="$2"
+  local fixture_file="${SAFEDEPS_NPM_CLOSURE_FIXTURE_JSON:-}"
+  local key="${package_name}@${version}"
+
+  [[ -n "${fixture_file}" && -f "${fixture_file}" ]] || return 1
+  jq -e -c --arg key "${key}" --arg package "${package_name}" '
+    if type == "object" and (.[$key] | type) == "array" then
+      .[$key]
+    elif type == "array" then
+      .
+    else
+      empty
+    end
+    | map(. + {ecosystem: (.ecosystem // "npm"), direct: ((.direct // false) or (.package == $package))})
+    | unique_by(.ecosystem + "\u0000" + .package + "\u0000" + (.version | tostring))
+    | sort_by(.package, .version)
+  ' "${fixture_file}"
+}
+
+safedeps_npm_resolve_spec_closure() {
+  local package_name="$1"
+  local version="$2"
+  local tmp_dir
+  local lockfile
+
+  safedeps_npm_require_jq || return 1
+
+  if safedeps_npm_fixture_closure "${package_name}" "${version}"; then
+    return 0
+  fi
+
+  if ! command -v npm >/dev/null 2>&1; then
+    printf 'safedeps npm closure: npm CLI is required\n' >&2
+    return 1
+  fi
+
+  tmp_dir=$(mktemp -d "${TMPDIR:-/tmp}/safedeps-npm-closure.XXXXXX") || return 1
+
+  printf '{"name":"safedeps-closure-probe","version":"0.0.0","private":true}\n' > "${tmp_dir}/package.json"
+  if ! (
+    cd "${tmp_dir}" &&
+      npm install "${package_name}@${version}" \
+        --package-lock-only \
+        --ignore-scripts \
+        --audit=false \
+        --fund=false \
+        --save-exact \
+        >/dev/null
+  ); then
+    printf 'safedeps npm closure: npm lockfile resolution failed for %s@%s\n' "${package_name}" "${version}" >&2
+    rm -rf "${tmp_dir}"
+    return 1
+  fi
+
+  lockfile="${tmp_dir}/package-lock.json"
+  safedeps_npm_lock_closure "${lockfile}" "${package_name}"
+  local status=$?
+  rm -rf "${tmp_dir}"
+  return "${status}"
+}

package/lib/providers/providers.sh

@@ -10,6 +10,7 @@ SAFEDEPS_ADVISORY_LOG="${SAFEDEPS_ADVISORY_LOG:-${SAFEDEPS_HOME}/advisory.log}"
 SAFEDEPS_PROVIDER_CACHE_TTL_SECONDS="${SAFEDEPS_PROVIDER_CACHE_TTL_SECONDS:-86400}"
 
 SAFEDEPS_OSV_API_URL="${SAFEDEPS_OSV_API_URL:-https://api.osv.dev/v1/query}"
+SAFEDEPS_OSV_BATCH_API_URL="${SAFEDEPS_OSV_BATCH_API_URL:-https://api.osv.dev/v1/querybatch}"
 SAFEDEPS_KEV_CATALOG_URL="${SAFEDEPS_KEV_CATALOG_URL:-https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json}"
 SAFEDEPS_GHSA_API_URL="${SAFEDEPS_GHSA_API_URL:-https://api.github.com/advisories}"
 
@@ -51,6 +52,27 @@ safedeps_provider_mktemp_dir() {
   mktemp -d "${tmp_root%/}/safedeps-providers.XXXXXX"
 }
 
+safedeps_cache_response_temp() {
+  local target_path="$1"
+  local target_dir
+  local target_base
+
+  target_dir=$(dirname "${target_path}")
+  target_base=$(basename "${target_path}")
+  mkdir -p "${target_dir}" || return 1
+  mktemp "${target_dir}/.${target_base}.XXXXXX"
+}
+
+safedeps_url_host() {
+  local url="$1"
+  local host
+
+  host="${url#*://}"
+  host="${host%%/*}"
+  host="${host%%:*}"
+  printf '%s' "${host}"
+}
+
 safedeps_now_iso() {
   date -u +"%Y-%m-%dT%H:%M:%SZ"
 }
@@ -71,7 +93,10 @@ safedeps_hash_text() {
 safedeps_file_mtime() {
   local path="$1"
 
-  stat -f %m "${path}" 2>/dev/null || stat -c %Y "${path}" 2>/dev/null
+  # GNU coreutils (Linux) uses `-c %Y`; BSD/macOS uses `-f %m`. GNU must run
+  # first: on Linux `stat -f` means --file-system and prints filesystem info to
+  # stdout, which would pollute the mtime and break the arithmetic downstream.
+  stat -c %Y "${path}" 2>/dev/null || stat -f %m "${path}" 2>/dev/null
 }
 
 safedeps_cache_is_fresh() {
@@ -167,7 +192,7 @@ safedeps_osv_query() {
     --arg version "${version}" \
     '{version: $version, package: {name: $package, ecosystem: $ecosystem}}')
 
-  response_file="${cache_path}.$$"
+  response_file=$(safedeps_cache_response_temp "${cache_path}") || return 1
   http_status=$(curl -fsS \
     --max-time 15 \
     -H 'Content-Type: application/json' \
@@ -177,7 +202,7 @@ safedeps_osv_query() {
     "${SAFEDEPS_OSV_API_URL}" 2>/dev/null || true)
 
   if [[ "${http_status}" == "200" ]] && jq -e 'type == "object"' "${response_file}" >/dev/null 2>&1; then
-    mv "${response_file}" "${cache_path}"
+    mv -f "${response_file}" "${cache_path}"
     safedeps_provider_log "INFO" "OSV live query ok ecosystem=${osv_ecosystem} package=${package_name} version=${version}"
     cat "${cache_path}"
     return 0
@@ -192,6 +217,134 @@ safedeps_osv_query() {
   return 1
 }
 
+safedeps_osv_query_batch() {
+  local ecosystem="$1"
+  local closure_file="$2"
+  local osv_ecosystem
+  local temp_dir
+  local all_items_file
+  local miss_items_file
+  local payload_file
+  local response_file
+  local results_file
+  local http_status
+  local index=0
+  local package_name
+  local version
+  local direct
+
+  safedeps_require_json_tools || return 1
+  safedeps_providers_init
+  [[ -f "${closure_file}" ]] || return 1
+
+  osv_ecosystem=$(safedeps_osv_ecosystem "${ecosystem}")
+  temp_dir=$(safedeps_provider_mktemp_dir) || return 1
+  all_items_file="${temp_dir}/items.jsonl"
+  miss_items_file="${temp_dir}/misses.jsonl"
+  payload_file="${temp_dir}/payload.json"
+  response_file="${temp_dir}/response.json"
+  results_file="${temp_dir}/results.json"
+  : > "${all_items_file}"
+  : > "${miss_items_file}"
+
+  while IFS=$'\t' read -r package_name version direct; do
+    [[ -n "${package_name}" && -n "${version}" ]] || continue
+    local cache_key
+    local cache_path
+    cache_key=$(safedeps_cache_key "osv" "${osv_ecosystem}" "${package_name}" "${version}")
+    cache_path="${SAFEDEPS_CACHE_DIR}/osv/${cache_key}.json"
+
+    if safedeps_cache_is_fresh "${cache_path}"; then
+      safedeps_provider_log "INFO" "OSV batch cache hit ecosystem=${osv_ecosystem} package=${package_name} version=${version}"
+      jq -cn \
+        --argjson index "${index}" \
+        --arg ecosystem "${ecosystem}" \
+        --arg package "${package_name}" \
+        --arg version "${version}" \
+        --argjson direct "${direct}" \
+        --slurpfile osv "${cache_path}" \
+        '{index:$index, ecosystem:$ecosystem, package:$package, version:$version, direct:$direct, osv:($osv[0] // {vulns:[]})}' >> "${all_items_file}"
+    else
+      jq -cn \
+        --argjson index "${index}" \
+        --arg ecosystem "${ecosystem}" \
+        --arg package "${package_name}" \
+        --arg version "${version}" \
+        --argjson direct "${direct}" \
+        --arg cache_path "${cache_path}" \
+        '{index:$index, ecosystem:$ecosystem, package:$package, version:$version, direct:$direct, cache_path:$cache_path}' >> "${miss_items_file}"
+    fi
+    index=$((index + 1))
+  done < <(jq -r '.[] | [.package, (.version | tostring), ((.direct // false) | tostring)] | @tsv' "${closure_file}")
+
+  if [[ -s "${miss_items_file}" ]]; then
+    safedeps_require_http_client || {
+      safedeps_provider_log "ERROR" "OSV batch unavailable; cache miss ecosystem=${osv_ecosystem}"
+      rm -rf "${temp_dir}"
+      return 1
+    }
+
+    jq -cn --arg ecosystem "${osv_ecosystem}" --slurpfile misses "${miss_items_file}" '
+      {
+        queries: [
+          $misses[]
+          | {version: .version, package: {name: .package, ecosystem: $ecosystem}}
+        ]
+      }
+    ' > "${payload_file}"
+
+    http_status=$(curl -fsS \
+      --max-time 20 \
+      -H 'Content-Type: application/json' \
+      -o "${response_file}" \
+      -w '%{http_code}' \
+      -d @"${payload_file}" \
+      "${SAFEDEPS_OSV_BATCH_API_URL}" 2>/dev/null || true)
+
+    if [[ "${http_status}" != "200" ]] || ! jq -e '.results | type == "array"' "${response_file}" >/dev/null 2>&1; then
+      safedeps_provider_log "ERROR" "OSV batch query failed status=${http_status:-none}"
+      rm -rf "${temp_dir}"
+      return 1
+    fi
+
+    local miss_count
+    local result_count
+    miss_count=$(jq -s 'length' "${miss_items_file}")
+    result_count=$(jq '.results | length' "${response_file}")
+    if [[ "${miss_count}" != "${result_count}" ]]; then
+      safedeps_provider_log "ERROR" "OSV batch result count mismatch misses=${miss_count} results=${result_count}"
+      rm -rf "${temp_dir}"
+      return 1
+    fi
+
+    local miss_i=0
+    while IFS= read -r miss_item; do
+      local cache_path
+      local response_item_file
+      cache_path=$(jq -r '.cache_path' <<< "${miss_item}")
+      response_item_file=$(safedeps_cache_response_temp "${cache_path}") || {
+        rm -rf "${temp_dir}"
+        return 1
+      }
+      jq -c --argjson i "${miss_i}" '.results[$i] // {vulns: []}' "${response_file}" > "${response_item_file}"
+      if ! jq -e 'type == "object"' "${response_item_file}" >/dev/null 2>&1; then
+        rm -f "${response_item_file}"
+        rm -rf "${temp_dir}"
+        return 1
+      fi
+      mv -f "${response_item_file}" "${cache_path}"
+      safedeps_provider_log "INFO" "OSV batch live query ok ecosystem=${osv_ecosystem} package=$(jq -r '.package' <<< "${miss_item}") version=$(jq -r '.version' <<< "${miss_item}")"
+      jq -cn --argjson miss "${miss_item}" --slurpfile osv "${cache_path}" \
+        '$miss | del(.cache_path) | . + {osv: ($osv[0] // {vulns: []})}' >> "${all_items_file}"
+      miss_i=$((miss_i + 1))
+    done < "${miss_items_file}"
+  fi
+
+  jq -s 'sort_by(.index)' "${all_items_file}" > "${results_file}"
+  cat "${results_file}"
+  rm -rf "${temp_dir}"
+}
+
 safedeps_extract_cves_from_osv() {
   local osv_json="$1"
 
@@ -230,11 +383,11 @@ safedeps_kev_refresh_catalog() {
     return 1
   fi
 
-  response_path="${cache_path}.$$"
+  response_path=$(safedeps_cache_response_temp "${cache_path}") || return 1
   http_status=$(curl -fsS --max-time 15 -o "${response_path}" -w '%{http_code}' "${SAFEDEPS_KEV_CATALOG_URL}" 2>/dev/null || true)
 
   if [[ "${http_status}" == "200" ]] && jq -e '.vulnerabilities | type == "array"' "${response_path}" >/dev/null 2>&1; then
-    mv "${response_path}" "${cache_path}"
+    mv -f "${response_path}" "${cache_path}"
     safedeps_provider_log "INFO" "CISA KEV catalog refresh ok"
     printf '%s' "${cache_path}"
     return 0
@@ -301,6 +454,8 @@ safedeps_ghsa_query() {
   local cache_path
   local response_file
   local http_status
+  local ghsa_host
+  local curl_args
 
   safedeps_require_json_tools || return 1
   safedeps_providers_init
@@ -324,29 +479,29 @@ safedeps_ghsa_query() {
 
   encoded_ecosystem=$(safedeps_json_uri_escape "${ghsa_ecosystem}")
   encoded_package=$(safedeps_json_uri_escape "${package_name}")
-  response_file="${cache_path}.$$"
-
-  if [[ -n "${GITHUB_TOKEN:-}" ]]; then
-    http_status=$(curl -fsS \
-      --max-time 15 \
-      -H 'Accept: application/vnd.github+json' \
-      -H 'X-GitHub-Api-Version: 2022-11-28' \
-      -H "Authorization: Bearer ${GITHUB_TOKEN}" \
-      -o "${response_file}" \
-      -w '%{http_code}' \
-      "${SAFEDEPS_GHSA_API_URL}?ecosystem=${encoded_ecosystem}&affects=${encoded_package}&per_page=100" 2>/dev/null || true)
-  else
-    http_status=$(curl -fsS \
-      --max-time 15 \
-      -H 'Accept: application/vnd.github+json' \
-      -H 'X-GitHub-Api-Version: 2022-11-28' \
-      -o "${response_file}" \
-      -w '%{http_code}' \
-      "${SAFEDEPS_GHSA_API_URL}?ecosystem=${encoded_ecosystem}&affects=${encoded_package}&per_page=100" 2>/dev/null || true)
+  response_file=$(safedeps_cache_response_temp "${cache_path}") || return 1
+  ghsa_host=$(safedeps_url_host "${SAFEDEPS_GHSA_API_URL}")
+
+  curl_args=(
+    -fsS
+    --max-time 15
+    -H 'Accept: application/vnd.github+json'
+    -H 'X-GitHub-Api-Version: 2022-11-28'
+    -o "${response_file}"
+    -w '%{http_code}'
+  )
+
+  if [[ -n "${GITHUB_TOKEN:-}" && "${ghsa_host}" == "api.github.com" ]]; then
+    curl_args+=(-H "Authorization: Bearer ${GITHUB_TOKEN}")
+  elif [[ -n "${GITHUB_TOKEN:-}" ]]; then
+    safedeps_provider_log "WARN" "GHSA token withheld for non-GitHub host host=${ghsa_host}"
   fi
 
+  http_status=$(curl "${curl_args[@]}" \
+    "${SAFEDEPS_GHSA_API_URL}?ecosystem=${encoded_ecosystem}&affects=${encoded_package}&per_page=100" 2>/dev/null || true)
+
   if [[ "${http_status}" == "200" ]] && jq -e 'type == "array"' "${response_file}" >/dev/null 2>&1; then
-    mv "${response_file}" "${cache_path}"
+    mv -f "${response_file}" "${cache_path}"
     safedeps_provider_log "INFO" "GHSA live query ok ecosystem=${ghsa_ecosystem} package=${package_name}"
     jq -cn --arg queried_at "${queried_at}" --slurpfile advisories "${cache_path}" \
       '{queried_at: $queried_at, status: "live", advisories: $advisories[0]}'
@@ -459,6 +614,66 @@ safedeps_providers_query() {
   rm -rf "${temp_dir}"
 }
 
+safedeps_providers_query_batch() {
+  local ecosystem="$1"
+  local closure_file="$2"
+  local queried_at
+  local temp_dir
+  local osv_batch_file
+  local results_file
+
+  safedeps_require_json_tools || return 1
+  queried_at=$(safedeps_now_iso)
+  temp_dir=$(safedeps_provider_mktemp_dir) || return 1
+  osv_batch_file="${temp_dir}/osv-batch.json"
+  results_file="${temp_dir}/results.jsonl"
+  : > "${results_file}"
+
+  if ! safedeps_osv_query_batch "${ecosystem}" "${closure_file}" > "${osv_batch_file}"; then
+    rm -rf "${temp_dir}"
+    return 1
+  fi
+
+  while IFS= read -r item; do
+    local osv_file
+    local kev_json
+    local status
+    osv_file="${temp_dir}/osv-item.json"
+    jq -c '.osv' <<< "${item}" > "${osv_file}"
+    kev_json=$(safedeps_kev_overlay "${osv_file}" "${queried_at}")
+    status=$(jq -r --argjson kev "${kev_json}" '
+      if $kev.exploited then "hard_block"
+      elif ((.osv.vulns // []) | length) > 0 then "vulnerable"
+      else "clean"
+      end
+    ' <<< "${item}")
+    jq -cn \
+      --argjson item "${item}" \
+      --arg queried_at "${queried_at}" \
+      --arg status "${status}" \
+      --argjson kev "${kev_json}" \
+      '{
+        index: $item.index,
+        ecosystem: $item.ecosystem,
+        package: $item.package,
+        version: $item.version,
+        direct: ($item.direct // false),
+        queried_at: $queried_at,
+        status: $status,
+        vulnerabilities: ($item.osv.vulns // []),
+        kev: $kev,
+        provider_status: {
+          osv: {status: "ok", canonical: true, batch: true},
+          kev: {status: ($kev.status // "ok"), overlay: true},
+          ghsa: {status: "skipped", enrichment: true, reason: "closure batch omits GHSA enrichment"}
+        }
+      }' >> "${results_file}"
+  done < <(jq -c '.[]' "${osv_batch_file}")
+
+  jq -s 'sort_by(.index)' "${results_file}"
+  rm -rf "${temp_dir}"
+}
+
 if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
   command_name="${1:-}"
   shift || true
@@ -471,8 +686,15 @@ if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
       fi
       safedeps_providers_query "$@"
       ;;
+    query-batch)
+      if [[ "$#" -ne 2 ]]; then
+        printf 'usage: %s query-batch <ecosystem> <closure-json-file>\n' "$0" >&2
+        exit 2
+      fi
+      safedeps_providers_query_batch "$@"
+      ;;
     *)
-      printf 'usage: %s query <ecosystem> <package> <version>\n' "$0" >&2
+      printf 'usage: %s {query|query-batch} ...\n' "$0" >&2
       exit 2
       ;;
   esac