@clear-capabilities/agentic-security-scanner 0.74.0

package/dist/637.index.js

@@ -0,0 +1,216 @@
+export const id = 637;
+export const ids = [637];
+export const modules = {
+
+/***/ 5637:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   computePrDelta: () => (/* binding */ computePrDelta),
+/* harmony export */   renderPrDeltaText: () => (/* binding */ renderPrDeltaText)
+/* harmony export */ });
+/* harmony import */ var node_child_process__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(1421);
+/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(3291);
+// Shadowscan / security-DELTA on PR (v0.72).
+//
+// Most SAST PR-comment integrations show absolute counts — "12 findings
+// detected in changed files." Engineers can't act on that: 11 of those
+// 12 already existed before they touched the file. They want a DELTA:
+// what did THIS PR introduce, what did it remove, what changed.
+//
+// This module diffs two scans (PR branch vs base) by stableId and emits
+// both a JSON delta and a human-readable summary suitable for embedding
+// in a PR comment. Reuses the existing `history-scan.js` machinery for
+// the at-ref scans.
+//
+// Algorithm:
+//   1. Scan the base ref (in-memory via runFullScan, no checkout)
+//   2. Scan the head ref (same way)
+//   3. Key findings by stableId
+//   4. Emit:
+//        - introduced: findings in head not in base
+//        - resolved:   findings in base not in head
+//        - persistent: findings in both (changed severity/cwe → 'shifted')
+//   5. Severity-summary counts each side
+//
+// Output shape stays stable so downstream renderers (advisor-tone PR
+// comment) can transform without re-walking IR.
+
+
+
+
+const FILE_EXT_RE = /\.(?:js|jsx|ts|tsx|mjs|cjs|py|java|cs|kt|go|rb|php|sol|swift|rs|tf|yml|yaml|json|toml|md)$/i;
+const SEVERITIES = ['critical', 'high', 'medium', 'low', 'info'];
+
+function _git(root, args) {
+  const r = (0,node_child_process__WEBPACK_IMPORTED_MODULE_0__.spawnSync)('git', args, { cwd: root, encoding: 'utf8', maxBuffer: 64 * 1024 * 1024 });
+  return { ok: r.status === 0, stdout: r.stdout || '', stderr: r.stderr || '' };
+}
+
+function _readFileAtRef(root, ref, file) {
+  const r = _git(root, ['show', `${ref}:${file}`]);
+  return r.ok ? r.stdout : null;
+}
+
+function _listFilesAtRef(root, ref) {
+  const r = _git(root, ['ls-tree', '-r', '--name-only', ref]);
+  if (!r.ok) return [];
+  return r.stdout.trim().split('\n').filter(p => {
+    if (!p) return false;
+    if (p.includes('/node_modules/') || p.includes('/.venv/')) return false;
+    return FILE_EXT_RE.test(p);
+  });
+}
+
+async function _scanAtRef(root, ref) {
+  const files = _listFilesAtRef(root, ref);
+  const fileContents = {};
+  for (const f of files) {
+    const c = _readFileAtRef(root, ref, f);
+    if (c != null) fileContents[f] = c;
+  }
+  return (0,_engine_js__WEBPACK_IMPORTED_MODULE_1__/* .runFullScan */ .wW)({ fileContents, scanRoot: root }, () => {});
+}
+
+function _summary(findings) {
+  const out = { total: 0 };
+  for (const s of SEVERITIES) out[s] = 0;
+  for (const f of (findings || [])) {
+    const s = f.severity || 'info';
+    if (out[s] !== undefined) out[s]++;
+    out.total++;
+  }
+  return out;
+}
+
+function _changedFiles(root, baseRef, headRef) {
+  const r = _git(root, ['diff', '--name-only', `${baseRef}...${headRef}`]);
+  if (!r.ok) return new Set();
+  return new Set(r.stdout.trim().split('\n').filter(Boolean));
+}
+
+/**
+ * Top-level entry: compute the delta between two refs.
+ *
+ *   root:     scan root (a git repo)
+ *   baseRef:  the ref to compare against (e.g. main, origin/main)
+ *   headRef:  the ref to score (e.g. HEAD, the PR branch). Defaults HEAD.
+ *
+ * Returns:
+ *   {
+ *     baseRef, headRef,
+ *     changedFiles: [...],          // git diff --name-only base...head
+ *     base:        { findings, summary, secrets, supplyChain, logicVulns },
+ *     head:        { findings, summary, secrets, supplyChain, logicVulns },
+ *     introduced:  Finding[],       // new in head only
+ *     resolved:    Finding[],       // removed from base
+ *     persistent:  Finding[],       // same stableId in both (no semantic change)
+ *     shifted:     Finding[],       // same stableId, severity OR cwe changed
+ *     summary:     { introduced: SeveritySummary, resolved, persistent, net },
+ *   }
+ *
+ * `net` is per-severity (head − base). A negative critical count means
+ * the PR resolved a critical finding overall.
+ */
+async function computePrDelta(root, { baseRef, headRef = 'HEAD' } = {}) {
+  if (!baseRef) throw new Error('computePrDelta: baseRef is required');
+  const changedFiles = [..._changedFiles(root, baseRef, headRef)];
+  const baseScan = await _scanAtRef(root, baseRef);
+  const headScan = await _scanAtRef(root, headRef);
+  const baseById = new Map();
+  const headById = new Map();
+  for (const f of (baseScan.findings || [])) {
+    const k = f.stableId || f.id;
+    if (k) baseById.set(k, f);
+  }
+  for (const f of (headScan.findings || [])) {
+    const k = f.stableId || f.id;
+    if (k) headById.set(k, f);
+  }
+  const introduced = [];
+  const resolved = [];
+  const persistent = [];
+  const shifted = [];
+  for (const [k, f] of headById) {
+    if (!baseById.has(k)) introduced.push(f);
+    else {
+      const base = baseById.get(k);
+      if (base.severity !== f.severity || base.cwe !== f.cwe) {
+        shifted.push({ from: base, to: f });
+      } else {
+        persistent.push(f);
+      }
+    }
+  }
+  for (const [k, f] of baseById) {
+    if (!headById.has(k)) resolved.push(f);
+  }
+  // Net severity (head − base).
+  const net = {};
+  const baseSummary = _summary(baseScan.findings || []);
+  const headSummary = _summary(headScan.findings || []);
+  for (const s of [...SEVERITIES, 'total']) net[s] = (headSummary[s] || 0) - (baseSummary[s] || 0);
+  return {
+    baseRef, headRef,
+    changedFiles,
+    base: {
+      findings: baseScan.findings || [],
+      summary: baseSummary,
+      secrets: baseScan.secrets || [],
+      supplyChain: baseScan.supplyChain || [],
+      logicVulns: baseScan.logicVulns || [],
+    },
+    head: {
+      findings: headScan.findings || [],
+      summary: headSummary,
+      secrets: headScan.secrets || [],
+      supplyChain: headScan.supplyChain || [],
+      logicVulns: headScan.logicVulns || [],
+    },
+    introduced,
+    resolved,
+    persistent,
+    shifted,
+    summary: {
+      introduced: _summary(introduced),
+      resolved: _summary(resolved),
+      persistent: _summary(persistent),
+      net,
+    },
+  };
+}
+
+/**
+ * Lightweight text summary used as a CLI fallback when --json isn't set.
+ */
+function renderPrDeltaText(delta) {
+  const i = delta.summary.introduced;
+  const r = delta.summary.resolved;
+  const lines = [];
+  lines.push(`Delta: ${delta.baseRef} → ${delta.headRef}`);
+  lines.push(`Changed files: ${delta.changedFiles.length}`);
+  lines.push('');
+  if (delta.introduced.length === 0 && delta.resolved.length === 0 && delta.shifted.length === 0) {
+    lines.push('No security delta. Safe to merge.');
+    return lines.join('\n');
+  }
+  lines.push(`Introduced: ${delta.introduced.length}  ` +
+    `(crit ${i.critical} · high ${i.high} · med ${i.medium} · low ${i.low})`);
+  lines.push(`Resolved:   ${delta.resolved.length}  ` +
+    `(crit ${r.critical} · high ${r.high} · med ${r.medium} · low ${r.low})`);
+  if (delta.shifted.length) lines.push(`Shifted:    ${delta.shifted.length}`);
+  if (delta.introduced.length) {
+    lines.push('');
+    lines.push('Newly introduced:');
+    for (const f of delta.introduced.slice(0, 20)) {
+      lines.push(`  + ${f.severity.padEnd(8)} ${f.cwe || ''} ${f.vuln} (${f.file}:${f.line})`);
+    }
+    if (delta.introduced.length > 20) lines.push(`  … ${delta.introduced.length - 20} more`);
+  }
+  return lines.join('\n');
+}
+
+
+/***/ })
+
+};

package/dist/660.index.js

@@ -0,0 +1,131 @@
+export const id = 660;
+export const ids = [660];
+export const modules = {
+
+/***/ 1660:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   diffScans: () => (/* binding */ diffScans),
+/* harmony export */   renderDiff: () => (/* binding */ renderDiff)
+/* harmony export */ });
+/* unused harmony export summarizeDiff */
+// Scan-result baseline comparison.
+//
+// Distinct from agentic-security-diff (which runs two SCANNER VERSIONS
+// against the same code). This module diffs TWO SCAN RESULTS, regardless
+// of scanner version — i.e., it compares findings between yesterday's
+// scan and today's scan to surface what was introduced / what was fixed.
+//
+// Keys per-finding on `stableId` when present (refactor-stable), else on
+// `(file, line, family)`. Output:
+//   {
+//     added:    [...],   // present in current, absent in previous
+//     removed:  [...],   // present in previous, absent in current
+//     changed:  [...],   // same key, different severity / verdict
+//     unchanged: <count>
+//   }
+
+function _keyOf(f) {
+  if (!f || typeof f !== 'object') return '';
+  if (f.stableId) return `sid:${f.stableId}`;
+  return `pos:${f.file || '?'}:${f.line || 0}:${f.family || f.vuln || '?'}`;
+}
+
+function _indexBy(findings, keyFn) {
+  const m = new Map();
+  if (!Array.isArray(findings)) return m;
+  for (const f of findings) {
+    const k = keyFn(f);
+    if (!k) continue;
+    if (!m.has(k)) m.set(k, f);
+  }
+  return m;
+}
+
+function diffScans(previous, current) {
+  const prevFindings = (previous && Array.isArray(previous.findings)) ? previous.findings : [];
+  const currFindings = (current && Array.isArray(current.findings)) ? current.findings : [];
+  const prevIdx = _indexBy(prevFindings, _keyOf);
+  const currIdx = _indexBy(currFindings, _keyOf);
+
+  const added = [], removed = [], changed = [];
+  let unchanged = 0;
+  for (const [k, c] of currIdx) {
+    const p = prevIdx.get(k);
+    if (!p) { added.push(c); continue; }
+    const sevChanged = p.severity !== c.severity;
+    const verdictChanged = p.mitigationVerdict !== c.mitigationVerdict;
+    const validatorChanged = p.validator_verdict !== c.validator_verdict;
+    if (sevChanged || verdictChanged || validatorChanged) {
+      changed.push({ before: p, after: c, fields: {
+        severity: sevChanged ? [p.severity, c.severity] : null,
+        mitigationVerdict: verdictChanged ? [p.mitigationVerdict, c.mitigationVerdict] : null,
+        validator_verdict: validatorChanged ? [p.validator_verdict, c.validator_verdict] : null,
+      }});
+    } else {
+      unchanged++;
+    }
+  }
+  for (const [k, p] of prevIdx) {
+    if (!currIdx.has(k)) removed.push(p);
+  }
+  return { added, removed, changed, unchanged };
+}
+
+function summarizeDiff(diff) {
+  const bySev = { critical: { added: 0, removed: 0 }, high: { added: 0, removed: 0 }, medium: { added: 0, removed: 0 }, low: { added: 0, removed: 0 } };
+  for (const f of diff.added)   if (bySev[f.severity]) bySev[f.severity].added++;
+  for (const f of diff.removed) if (bySev[f.severity]) bySev[f.severity].removed++;
+  return {
+    addedCount: diff.added.length,
+    removedCount: diff.removed.length,
+    changedCount: diff.changed.length,
+    unchangedCount: diff.unchanged,
+    bySeverity: bySev,
+  };
+}
+
+function renderDiff(diff, opts = {}) {
+  const color = opts.color !== false;
+  const C = color ? { RED: '\x1b[31m', GREEN: '\x1b[32m', YELLOW: '\x1b[33m', DIM: '\x1b[2m', BOLD: '\x1b[1m', RESET: '\x1b[0m' } : { RED:'', GREEN:'', YELLOW:'', DIM:'', BOLD:'', RESET:'' };
+  const sum = summarizeDiff(diff);
+  const out = [];
+  out.push('');
+  out.push(`${C.BOLD}Scan-result diff${C.RESET}`);
+  out.push(`  ${C.RED}+${sum.addedCount} added${C.RESET}   ${C.GREEN}-${sum.removedCount} removed${C.RESET}   ${C.YELLOW}~${sum.changedCount} changed${C.RESET}   ${C.DIM}${sum.unchangedCount} unchanged${C.RESET}`);
+  out.push('');
+  if (diff.added.length) {
+    out.push(`${C.RED}${C.BOLD}Added (${diff.added.length})${C.RESET}`);
+    for (const f of diff.added.slice(0, 25)) {
+      out.push(`  ${C.RED}+${C.RESET} [${(f.severity || '').toUpperCase()}] ${(f.vuln || '').slice(0, 60)}  ${C.DIM}${f.file || '?'}:${f.line || 0}${C.RESET}`);
+    }
+    if (diff.added.length > 25) out.push(`  ${C.DIM}... and ${diff.added.length - 25} more${C.RESET}`);
+    out.push('');
+  }
+  if (diff.removed.length) {
+    out.push(`${C.GREEN}${C.BOLD}Removed (${diff.removed.length})${C.RESET}`);
+    for (const f of diff.removed.slice(0, 25)) {
+      out.push(`  ${C.GREEN}-${C.RESET} [${(f.severity || '').toUpperCase()}] ${(f.vuln || '').slice(0, 60)}  ${C.DIM}${f.file || '?'}:${f.line || 0}${C.RESET}`);
+    }
+    if (diff.removed.length > 25) out.push(`  ${C.DIM}... and ${diff.removed.length - 25} more${C.RESET}`);
+    out.push('');
+  }
+  if (diff.changed.length) {
+    out.push(`${C.YELLOW}${C.BOLD}Changed (${diff.changed.length})${C.RESET}`);
+    for (const c of diff.changed.slice(0, 15)) {
+      const sevDelta = c.fields.severity ? `${c.fields.severity[0]} → ${c.fields.severity[1]}` : '';
+      const verdictDelta = c.fields.mitigationVerdict ? `verdict ${c.fields.mitigationVerdict[0]} → ${c.fields.mitigationVerdict[1]}` : '';
+      const validatorDelta = c.fields.validator_verdict ? `validator ${c.fields.validator_verdict[0]} → ${c.fields.validator_verdict[1]}` : '';
+      const delta = [sevDelta, verdictDelta, validatorDelta].filter(Boolean).join('; ');
+      out.push(`  ${C.YELLOW}~${C.RESET} ${(c.after.vuln || '').slice(0, 50)}  ${C.DIM}${c.after.file || '?'}:${c.after.line || 0}${C.RESET}   ${delta}`);
+    }
+    out.push('');
+  }
+  return out.join('\n');
+}
+
+
+/***/ })
+
+};