@clear-capabilities/agentic-security-scanner 0.74.0

package/dist/117.index.js

@@ -0,0 +1,207 @@
+export const id = 117;
+export const ids = [117];
+export const modules = {
+
+/***/ 3117:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   iI: () => (/* binding */ summarizeForBadge),
+/* harmony export */   renderBadge: () => (/* binding */ renderBadge)
+/* harmony export */ });
+/* unused harmony exports badgeFromScanRoot, renderSvg, _internal */
+/* harmony import */ var node_fs__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(3024);
+/* harmony import */ var node_path__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(6760);
+// Live SVG badge generator (v0.72).
+//
+// Every repo can drop a badge in its README pulling from the latest scan:
+//
+//   ![agentic-security](https://agentic-security.dev/badge?repo=<slug>)
+//
+// or self-hosted via the CLI subcommand emitting an inline <img> URL or
+// a static SVG. The badge format borrows from shields.io for visual
+// consistency. Reads from .agentic-security/last-scan.json or accepts a
+// scan object directly.
+//
+// Output formats:
+//   - 'svg'  — inline SVG string (default; the bytes you'd serve)
+//   - 'json' — { label, count, color, severity } for a frontend renderer
+//
+// Style variants:
+//   - 'flat'         — shields.io flat
+//   - 'for-the-badge' — caps + thicker
+//
+// Color is driven by the highest non-zero severity:
+//   critical → red
+//   high     → orange
+//   medium   → yellow
+//   low      → blue
+//   info     → lightgrey
+//   none     → brightgreen
+
+
+
+
+const COLORS = {
+  critical:    '#e05d44',  // red
+  high:        '#fe7d37',  // orange
+  medium:      '#dfb317',  // yellow
+  low:         '#007ec6',  // blue
+  info:        '#9f9f9f',  // grey
+  none:        '#4c1',     // brightgreen
+  label:       '#555',
+};
+
+const SEVERITIES = ['critical', 'high', 'medium', 'low', 'info'];
+
+function _readLastScan(scanRoot) {
+  if (!scanRoot) return null;
+  const fp = node_path__WEBPACK_IMPORTED_MODULE_1__.join(scanRoot, '.agentic-security', 'last-scan.json');
+  if (!node_fs__WEBPACK_IMPORTED_MODULE_0__.existsSync(fp)) return null;
+  try { return JSON.parse(node_fs__WEBPACK_IMPORTED_MODULE_0__.readFileSync(fp, 'utf8')); }
+  catch { return null; }
+}
+
+function _ageString(ts) {
+  if (!ts) return null;
+  const ageMs = Date.now() - new Date(ts).getTime();
+  if (isNaN(ageMs) || ageMs < 0) return null;
+  const min = Math.floor(ageMs / 60_000);
+  if (min < 60) return `${min}m ago`;
+  const hr = Math.floor(min / 60);
+  if (hr < 24) return `${hr}h ago`;
+  const day = Math.floor(hr / 24);
+  return `${day}d ago`;
+}
+
+/**
+ * Compute the badge value from a scan object.
+ *
+ * Returns:
+ *   {
+ *     label:    'agentic-security',
+ *     summary:  'critical 0 · high 2 · medium 5' | 'passing' | 'no scan',
+ *     color:    '#fe7d37',
+ *     highest:  'high' | 'none' | 'unknown',
+ *     ageStr:   '4h ago' | null,
+ *     counts:   { critical, high, medium, low, info },
+ *     total:    7,
+ *   }
+ */
+function summarizeForBadge(scan) {
+  if (!scan || !Array.isArray(scan.findings)) {
+    return {
+      label: 'agentic-security',
+      summary: 'no scan',
+      color: COLORS.info,
+      highest: 'unknown',
+      ageStr: null,
+      counts: { critical: 0, high: 0, medium: 0, low: 0, info: 0 },
+      total: 0,
+    };
+  }
+  const counts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+  for (const f of scan.findings) {
+    const s = f.severity || 'info';
+    if (counts[s] !== undefined) counts[s]++;
+  }
+  let highest = 'none';
+  for (const s of SEVERITIES) { if (counts[s] > 0) { highest = s; break; } }
+  const color = COLORS[highest] || COLORS.info;
+  const summary = highest === 'none'
+    ? 'passing'
+    : `crit ${counts.critical} · high ${counts.high} · med ${counts.medium}`;
+  const total = SEVERITIES.reduce((a, s) => a + counts[s], 0);
+  return {
+    label: 'agentic-security',
+    summary,
+    color,
+    highest,
+    ageStr: _ageString(scan.timestamp || scan.when || scan.lastScan),
+    counts,
+    total,
+  };
+}
+
+/**
+ * Compute the badge from .agentic-security/last-scan.json under `scanRoot`.
+ */
+function badgeFromScanRoot(scanRoot) {
+  return summarizeForBadge(_readLastScan(scanRoot));
+}
+
+function _xmlEscape(s) {
+  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+}
+
+function _textWidth(s) {
+  // Rough character width — works fine for the small badge label range.
+  return s.length * 7 + 10;
+}
+
+/**
+ * Render an inline SVG matching shields.io's flat style. Self-contained
+ * (no external font references) so the badge works in any README.
+ */
+function renderSvg(b, opts = {}) {
+  if (!b) b = summarizeForBadge(null);
+  const style = opts.style || 'flat';
+  const labelText = b.label;
+  const valueText = b.ageStr ? `${b.summary} · ${b.ageStr}` : b.summary;
+  const lblW = _textWidth(labelText);
+  const valW = _textWidth(valueText);
+  const totalW = lblW + valW;
+  const h = style === 'for-the-badge' ? 28 : 20;
+  const fontSize = style === 'for-the-badge' ? 12 : 11;
+  return `<svg xmlns="http://www.w3.org/2000/svg" width="${totalW}" height="${h}" role="img" aria-label="${_xmlEscape(labelText)}: ${_xmlEscape(valueText)}">
+  <title>${_xmlEscape(labelText)}: ${_xmlEscape(valueText)}</title>
+  <linearGradient id="s" x2="0" y2="100%">
+    <stop offset="0" stop-color="#bbb" stop-opacity=".1"/>
+    <stop offset="1" stop-opacity=".1"/>
+  </linearGradient>
+  <clipPath id="r"><rect width="${totalW}" height="${h}" rx="3" fill="#fff"/></clipPath>
+  <g clip-path="url(#r)">
+    <rect width="${lblW}" height="${h}" fill="${COLORS.label}"/>
+    <rect x="${lblW}" width="${valW}" height="${h}" fill="${b.color}"/>
+    <rect width="${totalW}" height="${h}" fill="url(#s)"/>
+  </g>
+  <g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" font-size="${fontSize}">
+    <text aria-hidden="true" x="${lblW / 2}" y="${h - 6}" fill="#010101" fill-opacity=".3">${_xmlEscape(labelText)}</text>
+    <text x="${lblW / 2}" y="${h - 7}">${_xmlEscape(labelText)}</text>
+    <text aria-hidden="true" x="${lblW + valW / 2}" y="${h - 6}" fill="#010101" fill-opacity=".3">${_xmlEscape(valueText)}</text>
+    <text x="${lblW + valW / 2}" y="${h - 7}">${_xmlEscape(valueText)}</text>
+  </g>
+</svg>`;
+}
+
+/**
+ * Public entry: produce the badge in the requested format.
+ *
+ *   format: 'svg' (default) | 'json'
+ *   style:  'flat' (default) | 'for-the-badge'
+ *   scanRoot: directory containing .agentic-security/last-scan.json
+ *   scan: pre-loaded scan object (skips disk read)
+ */
+function renderBadge({ format = 'svg', style = 'flat', scanRoot, scan } = {}) {
+  const summary = summarizeForBadge(scan || _readLastScan(scanRoot));
+  if (format === 'json') {
+    return JSON.stringify({
+      schemaVersion: 1,
+      label: summary.label,
+      message: summary.summary,
+      color: summary.color,
+      highest: summary.highest,
+      ageStr: summary.ageStr,
+      counts: summary.counts,
+      total: summary.total,
+    });
+  }
+  return renderSvg(summary, { style });
+}
+
+const _internal = { COLORS, _ageString, _readLastScan };
+
+
+/***/ })
+
+};

package/dist/178.index.js

@@ -0,0 +1,250 @@
+export const id = 178;
+export const ids = [178];
+export const modules = {
+
+/***/ 7178:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   runHistory: () => (/* binding */ runHistory),
+/* harmony export */   runWhatIf: () => (/* binding */ runWhatIf)
+/* harmony export */ });
+/* unused harmony export listHistoricalRefs */
+/* harmony import */ var node_child_process__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(1421);
+/* harmony import */ var node_fs__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(3024);
+/* harmony import */ var node_path__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(6760);
+/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(3291);
+// Time-travel + counterfactual scanning (v0.68).
+//
+// Two new modes that exploit the pure-input shape of runFullScan:
+//
+//   1. `runHistory` — walks N historical git refs, scans each, emits a
+//      per-ref timeline of finding counts + identifies findings introduced
+//      and resolved between each pair of consecutive refs.
+//
+//   2. `runWhatIf` — overlays virtual file contents onto the working tree,
+//      scans the modified state, returns delta vs. the baseline scan.
+//      Useful for "what if I delete this middleware" / "what if I add this
+//      new route" / "what if I downgrade this dependency."
+//
+// Both modes read source via `git show <ref>:<path>` and feed the byte
+// content into runFullScan's fileContents map directly. No `git checkout`
+// or worktree write — the user's working tree is never disturbed.
+
+
+
+
+
+
+const MAX_FILES_PER_SCAN = 5000;
+
+function _git(root, args) {
+  const r = (0,node_child_process__WEBPACK_IMPORTED_MODULE_0__.spawnSync)('git', args, { cwd: root, encoding: 'utf8', maxBuffer: 64 * 1024 * 1024 });
+  return { ok: r.status === 0, stdout: r.stdout || '', stderr: r.stderr || '' };
+}
+
+// Enumerate refs going back `since` from HEAD at `interval` steps.
+// `since`: a git-readable duration like '6.months', '30.days', '1.year'.
+// `interval`: same shape; used to step backward.
+function listHistoricalRefs(root, { since = '6.months', interval = '1.month' } = {}) {
+  // First, get the oldest reachable commit within `since`.
+  const log = _git(root, ['log', `--since=${since}`, '--format=%H %at %s']);
+  if (!log.ok) return [];
+  const rows = log.stdout.trim().split('\n').filter(Boolean).map(l => {
+    const [sha, ts, ...subject] = l.split(' ');
+    return { sha, timestamp: Number(ts), subject: subject.join(' ') };
+  });
+  if (rows.length === 0) return [];
+  // Step backward by `interval`-equivalent timestamps. Convert interval
+  // to seconds (rough: assume month=30d).
+  const ivSec = _approxSeconds(interval);
+  const picks = [];
+  let last = rows[0].timestamp + 1; // ensure HEAD itself is included
+  for (const row of rows) {
+    if (row.timestamp <= last - ivSec) {
+      picks.push(row);
+      last = row.timestamp;
+    }
+  }
+  // Always include HEAD as the first sample.
+  return [{ sha: 'HEAD', timestamp: rows[0].timestamp, subject: rows[0].subject }, ...picks];
+}
+
+function _approxSeconds(d) {
+  const m = String(d).match(/^(\d+(?:\.\d+)?)\.(seconds?|minutes?|hours?|days?|weeks?|months?|years?)$/);
+  if (!m) return 30 * 86400;
+  const v = Number(m[1]);
+  const u = m[2];
+  const mult = u.startsWith('second') ? 1
+    : u.startsWith('minute') ? 60
+    : u.startsWith('hour')   ? 3600
+    : u.startsWith('day')    ? 86400
+    : u.startsWith('week')   ? 7 * 86400
+    : u.startsWith('month')  ? 30 * 86400
+    : u.startsWith('year')   ? 365 * 86400
+    : 86400;
+  return v * mult;
+}
+
+// List all the source files at a given ref (relative paths). Filter to
+// files the scanner actually processes.
+function _listFilesAtRef(root, ref) {
+  const r = _git(root, ['ls-tree', '-r', '--name-only', ref]);
+  if (!r.ok) return [];
+  return r.stdout.trim().split('\n').filter(p => {
+    if (!p) return false;
+    if (p.includes('/node_modules/') || p.includes('/.venv/')) return false;
+    return /\.(?:js|jsx|ts|tsx|mjs|cjs|py|java|cs|kt|go|rb|php|sol|swift|rs|tf|yml|yaml|json|toml|md)$/i.test(p);
+  });
+}
+
+function _readFileAtRef(root, ref, file) {
+  const r = _git(root, ['show', `${ref}:${file}`]);
+  if (!r.ok) return null;
+  return r.stdout;
+}
+
+async function _scanAtRef(root, ref) {
+  const files = _listFilesAtRef(root, ref).slice(0, MAX_FILES_PER_SCAN);
+  const fileContents = {};
+  for (const f of files) {
+    const c = _readFileAtRef(root, ref, f);
+    if (c != null) fileContents[f] = c;
+  }
+  const scan = await (0,_engine_js__WEBPACK_IMPORTED_MODULE_3__/* .runFullScan */ .wW)({ fileContents, scanRoot: root }, () => {});
+  return {
+    ref,
+    fileCount: Object.keys(fileContents).length,
+    findings: (scan.findings || []).map(_compact),
+    logicVulns: (scan.logicVulns || []).length,
+    secrets: (scan.secrets || []).length,
+  };
+}
+
+function _compact(f) {
+  return {
+    stableId: f.stableId || f.id,
+    file: f.file,
+    line: f.line,
+    vuln: f.vuln,
+    severity: f.severity,
+    cwe: f.cwe,
+    family: f.family || null,
+  };
+}
+
+// Top-level: scan each historical ref + diff consecutive snapshots.
+//
+// Returns:
+//   {
+//     refs: [{ ref, when, fileCount, findings, secretsN, logicVulnsN }],
+//     timeline: [{ from, to, introduced: [...], resolved: [...] }],
+//   }
+async function runHistory(root, opts = {}) {
+  const refs = listHistoricalRefs(root, opts);
+  if (refs.length === 0) return { error: 'no-refs-in-window', refs: [], timeline: [] };
+  const snapshots = [];
+  for (const r of refs) {
+    try {
+      const s = await _scanAtRef(root, r.sha);
+      snapshots.push({ ...s, when: new Date(r.timestamp * 1000).toISOString(), subject: r.subject });
+    } catch (e) {
+      snapshots.push({ ref: r.sha, error: e.message, when: new Date(r.timestamp * 1000).toISOString() });
+    }
+  }
+  // Walk pairs from oldest → newest. snapshots[] is currently HEAD→old;
+  // reverse so timeline reads forward in time.
+  const ordered = [...snapshots].reverse();
+  const timeline = [];
+  for (let i = 1; i < ordered.length; i++) {
+    const a = ordered[i - 1];
+    const b = ordered[i];
+    const idsA = new Set((a.findings || []).map(f => f.stableId));
+    const idsB = new Set((b.findings || []).map(f => f.stableId));
+    const introduced = (b.findings || []).filter(f => !idsA.has(f.stableId));
+    const resolved   = (a.findings || []).filter(f => !idsB.has(f.stableId));
+    timeline.push({
+      from: a.ref, fromWhen: a.when, to: b.ref, toWhen: b.when,
+      introducedN: introduced.length,
+      resolvedN: resolved.length,
+      introduced: introduced.slice(0, 50),
+      resolved: resolved.slice(0, 50),
+    });
+  }
+  return { refs: snapshots, timeline };
+}
+
+// Counterfactual scan: apply a virtual overlay then scan.
+// overlays: [{ file, content }]
+// remove: [file] — files to virtually delete (skipped from scan input)
+async function runWhatIf(root, { overlays = [], remove = [] } = {}) {
+  // Collect baseline working-tree files.
+  const baseFiles = _walkWorkingTree(root).slice(0, MAX_FILES_PER_SCAN);
+  const fileContents = {};
+  const removeSet = new Set(remove);
+  for (const rel of baseFiles) {
+    if (removeSet.has(rel)) continue;
+    try { fileContents[rel] = node_fs__WEBPACK_IMPORTED_MODULE_1__.readFileSync(node_path__WEBPACK_IMPORTED_MODULE_2__.join(root, rel), 'utf8'); } catch {}
+  }
+  // Apply overlays — these replace or add files.
+  for (const o of overlays) {
+    if (o && typeof o.file === 'string' && typeof o.content === 'string') {
+      fileContents[o.file] = o.content;
+    }
+  }
+  // Baseline (without overlays) for delta computation.
+  const baseScan = await (0,_engine_js__WEBPACK_IMPORTED_MODULE_3__/* .runFullScan */ .wW)({ fileContents: _baselineFor(fileContents, overlays, remove, root), scanRoot: root }, () => {});
+  const whatIfScan = await (0,_engine_js__WEBPACK_IMPORTED_MODULE_3__/* .runFullScan */ .wW)({ fileContents, scanRoot: root }, () => {});
+  const baseIds = new Set((baseScan.findings || []).map(f => f.stableId || f.id));
+  const wIds = new Set((whatIfScan.findings || []).map(f => f.stableId || f.id));
+  const introduced = (whatIfScan.findings || []).filter(f => !baseIds.has(f.stableId || f.id)).map(_compact);
+  const removed    = (baseScan.findings || []).filter(f => !wIds.has(f.stableId || f.id)).map(_compact);
+  return {
+    baselineFindings: (baseScan.findings || []).length,
+    whatIfFindings: (whatIfScan.findings || []).length,
+    delta: whatIfScan.findings.length - baseScan.findings.length,
+    introduced,
+    removed,
+  };
+}
+
+function _baselineFor(fileContents, overlays, remove, root) {
+  // Reverse the overlay: restore original content (from disk) for any
+  // overlay'd file; re-add any virtually-removed file. Paths are resolved
+  // relative to the scan root, NOT the cwd.
+  const base = { ...fileContents };
+  for (const o of overlays) {
+    if (!o || typeof o.file !== 'string') continue;
+    try { base[o.file] = node_fs__WEBPACK_IMPORTED_MODULE_1__.readFileSync(node_path__WEBPACK_IMPORTED_MODULE_2__.join(root, o.file), 'utf8'); }
+    catch { delete base[o.file]; }
+  }
+  for (const rel of (remove || [])) {
+    try { base[rel] = node_fs__WEBPACK_IMPORTED_MODULE_1__.readFileSync(node_path__WEBPACK_IMPORTED_MODULE_2__.join(root, rel), 'utf8'); } catch {}
+  }
+  return base;
+}
+
+function _walkWorkingTree(root) {
+  const out = [];
+  const exclude = new Set(['node_modules', '.git', '.venv', 'dist', 'build', '__pycache__', 'target', '.next', '.nuxt']);
+  function walk(dir, rel = '') {
+    let entries;
+    try { entries = node_fs__WEBPACK_IMPORTED_MODULE_1__.readdirSync(dir, { withFileTypes: true }); } catch { return; }
+    for (const e of entries) {
+      if (exclude.has(e.name)) continue;
+      const full = node_path__WEBPACK_IMPORTED_MODULE_2__.join(dir, e.name);
+      const r = rel ? `${rel}/${e.name}` : e.name;
+      if (e.isDirectory()) walk(full, r);
+      else if (e.isFile() && /\.(?:js|jsx|ts|tsx|mjs|cjs|py|java|cs|kt|go|rb|php|sol|swift|rs|tf|yml|yaml|json|toml|md)$/i.test(e.name)) {
+        out.push(r);
+      }
+    }
+  }
+  walk(root);
+  return out;
+}
+
+
+/***/ })
+
+};