@clear-capabilities/agentic-security-scanner 0.77.0 → 0.78.0

package/bin/.agentic-security/last-scan.json.sig

@@ -0,0 +1 @@
+1a7a7e91a1b09ea956d4e722c3d9df15e8c662dba64e487bdc6f8ba875fd48b9

package/bin/.agentic-security/scan-history.json

@@ -0,0 +1,115 @@
+[
+  {
+    "timestamp": "2026-05-26T04:00:10.464Z",
+    "label": "scan",
+    "total": 4,
+    "critical": 0,
+    "high": 0,
+    "medium": 4,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1108"
+    ]
+  },
+  {
+    "timestamp": "2026-05-26T04:00:56.905Z",
+    "label": "scan",
+    "total": 4,
+    "critical": 0,
+    "high": 0,
+    "medium": 4,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1108"
+    ]
+  },
+  {
+    "timestamp": "2026-05-26T04:02:41.681Z",
+    "label": "scan",
+    "total": 4,
+    "critical": 0,
+    "high": 0,
+    "medium": 4,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1108"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T01:03:34.318Z",
+    "label": "scan",
+    "total": 4,
+    "critical": 0,
+    "high": 0,
+    "medium": 4,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1109"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T01:05:45.968Z",
+    "label": "scan",
+    "total": 4,
+    "critical": 0,
+    "high": 0,
+    "medium": 4,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1114"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T11:21:25.101Z",
+    "label": "scan",
+    "total": 4,
+    "critical": 0,
+    "high": 0,
+    "medium": 4,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1116"
+    ]
+  },
+  {
+    "timestamp": "2026-05-27T11:23:11.242Z",
+    "label": "scan",
+    "total": 5,
+    "critical": 0,
+    "high": 0,
+    "medium": 5,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "toctou-fs:agentic-security-audit.js:55",
+      "toctou-fs:agentic-security-consistency.js:44",
+      "toctou-fs:agentic-security-consistency.js:66",
+      "toctou-fs:agentic-security.js:1136",
+      "toctou-fs:agentic-security.js:362"
+    ]
+  }
+]

package/bin/.agentic-security/streak.json

@@ -0,0 +1,20 @@
+{
+  "firstScanDate": "2026-05-26T04:00:10.482Z",
+  "lastScanDate": "2026-05-27T11:23:11.268Z",
+  "totalScans": 7,
+  "daysCleanCritical": 2,
+  "lastCleanDate": "2026-05-27",
+  "lastCriticalDate": null,
+  "hasEverHadCritical": false,
+  "bestDaysCleanCritical": 2,
+  "totalFindingsAtFirstScan": 11,
+  "totalFindingsAtLastScan": 13,
+  "totalFixesInferred": 0,
+  "lastGrade": "A-",
+  "bestGrade": "A-",
+  "launchCheckPassedAt": null,
+  "achievements": [
+    "first-scan"
+  ],
+  "previousGrade": "A-"
+}

package/bin/agentic-security.js

@@ -4,6 +4,9 @@
 import * as fs from 'node:fs';
 import * as fsp from 'node:fs/promises';
 import * as path from 'node:path';
+import { createRequire } from 'node:module';
+const __require = createRequire(import.meta.url);
+const PKG_VERSION = __require('../package.json').version;
 import { signLastScan as _signLastScan, verifyLastScan as _verifyLastScanShared } from '../src/posture/integrity.js';
 import { runScan } from '../src/runScan.js';
 import { toJSON, toMarkdown, toSARIF, toSTIX, toCSV, toJUnit, toCLI, toCLIByProfile, toShipVerdict, toProTable, toHTML, toSummary, exitCodeFor, normalizeFindings } from '../src/report/index.js';
@@ -103,6 +106,9 @@ Options:
   --no-network                 Skip OSV/registry queries (offline mode)
   --pr [ref]                   Diff-aware: scan only files changed since ref (auto-detects PR base)
   --deterministic              Reproducible scan: stable sort, no-network, lockfile-checked
+  --incremental                Reuse taint summaries from prior scans (speeds up deep mode in CI)
+  --set-baseline               Save current findings as baseline (suppresses pre-existing issues)
+  --since-baseline             Only show findings NOT in the saved baseline
   --no-epss                    Skip EPSS exploit-prediction enrichment (default: enabled)
   --no-blast-radius            Skip blast-radius / cost framing (default: enabled)
   --verbose                    Include fix bodies + taxonomy in CLI output
@@ -137,7 +143,7 @@ function printBanner(args) {
     BOLD:  '\x1b[1m',
     RESET: '\x1b[0m',
   } : { FROG:'', DEEP:'', CREAM:'', DIM:'', BOLD:'', RESET:'' };
-  const v = '0.75.1';
+  const v = PKG_VERSION;
   const compact = !args.flags.full;
   if (compact) {
     const lines = [
@@ -314,6 +320,11 @@ async function cmdScan(args) {
     }
   }
 
+  // --incremental : reuse taint summaries from prior scans for faster deep mode.
+  if (args.flags['incremental'] || process.env.AGENTIC_SECURITY_INCREMENTAL === '1') {
+    process.env.AGENTIC_SECURITY_INCREMENTAL = '1';
+  }
+
   // --pr [ref] : friendlier alias for --changed-since that auto-detects the PR
   // base ref (GitHub/GitLab/Buildkite/Bitbucket env vars) when no value is given.
   let changedSince = args.flags['changed-since'] || null;
@@ -338,6 +349,26 @@ async function cmdScan(args) {
     if (only === 'secrets') { scan.findings = []; scan.supplyChain = []; }
   }
 
+  // --set-baseline: save current findings as baseline for future --since-baseline filtering
+  const baselinePath = path.join(target || '.', '.agentic-security', 'baseline.json');
+  if (args.flags['set-baseline']) {
+    const { normalizeFindings } = await import('../src/report/index.js');
+    const baselineIds = new Set(normalizeFindings(scan).map(f => f.stableId || f.id));
+    fs.mkdirSync(path.dirname(baselinePath), { recursive: true });
+    fs.writeFileSync(baselinePath, JSON.stringify({ ids: [...baselineIds], createdAt: new Date().toISOString(), count: baselineIds.size }, null, 2));
+    process.stderr.write(`[baseline] saved ${baselineIds.size} findings as baseline\n`);
+  }
+  // --since-baseline: filter out findings that existed in the saved baseline
+  if (args.flags['since-baseline'] && fs.existsSync(baselinePath)) {
+    try {
+      const baseline = JSON.parse(fs.readFileSync(baselinePath, 'utf8'));
+      const baselineSet = new Set(baseline.ids || []);
+      const before = scan.findings.length;
+      scan.findings = (scan.findings || []).filter(f => !baselineSet.has(f.stableId || f.id));
+      process.stderr.write(`[baseline] filtered ${before - scan.findings.length} baseline findings, ${scan.findings.length} new\n`);
+    } catch { /* baseline file unreadable, skip */ }
+  }
+
   // 0.9.0 Feat-18: --scorecard flag enables OSSF Scorecard enrichment
   if (args.flags['scorecard']) process.env.AGENTIC_SECURITY_SCORECARD = '1';
 
@@ -1665,7 +1696,7 @@ async function main() {
         }
         process.exit(0);
       }
-      case 'version':  console.log('agentic-security 0.75.1  ·  created by ClearCapabilities.Com'); process.exit(0);
+      case 'version':  console.log(`agentic-security ${PKG_VERSION}  ·  created by ClearCapabilities.Com`); process.exit(0);
       case 'banner':   { printBanner(args); process.exit(0); }
       case 'harness':  process.exit(await cmdHarness(args));
       case 'scan-baseline': process.exit(await cmdScanBaseline(args));

package/dist/178.index.js

@@ -13,7 +13,7 @@ export const modules = {
 /* harmony import */ var node_child_process__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(1421);
 /* harmony import */ var node_fs__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(3024);
 /* harmony import */ var node_path__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(6760);
-/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(3291);
+/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(8636);
 // Time-travel + counterfactual scanning (v0.68).
 //
 // Two new modes that exploit the pure-input shape of runFullScan:

package/dist/384.index.js

@@ -8,7 +8,7 @@ export const modules = {
 /* harmony export */ __webpack_require__.d(__webpack_exports__, {
 /* harmony export */   scanCredentials: () => (/* reexport safe */ _engine_js__WEBPACK_IMPORTED_MODULE_0__.Sv)
 /* harmony export */ });
-/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(3291);
+/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(8636);
 // Secrets submodule view of the engine — credential + entropy + TODO scanning.
 
 

package/dist/637.index.js

@@ -10,7 +10,7 @@ export const modules = {
 /* harmony export */   renderPrDeltaText: () => (/* binding */ renderPrDeltaText)
 /* harmony export */ });
 /* harmony import */ var node_child_process__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(1421);
-/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(3291);
+/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(8636);
 // Shadowscan / security-DELTA on PR (v0.72).
 //
 // Most SAST PR-comment integrations show absolute counts — "12 findings

package/dist/718.index.js

@@ -0,0 +1,106 @@
+export const id = 718;
+export const ids = [718];
+export const modules = {
+
+/***/ 8718:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   detectVendoredLibraries: () => (/* binding */ detectVendoredLibraries)
+/* harmony export */ });
+// Vendored / copied library detection via version-string fingerprinting.
+//
+// Detects library code copied into src/ that bypasses SCA. Uses version
+// string patterns (_.VERSION, jQuery.fn.jquery, etc.) and characteristic
+// function signatures to identify vendored libraries.
+
+const VERSION_FINGERPRINTS = [
+  { pkg: 'lodash', ecosystem: 'npm', patterns: [
+    { re: /\b(?:lodash|_)\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+    { re: /\b__lodash_hash_undefined__\b/, version: null },
+  ]},
+  { pkg: 'jquery', ecosystem: 'npm', patterns: [
+    { re: /jQuery\.fn\.jquery\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+    { re: /\bjQuery\.fn\.init\b/, version: null },
+  ]},
+  { pkg: 'underscore', ecosystem: 'npm', patterns: [
+    { re: /\b_\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'moment', ecosystem: 'npm', patterns: [
+    { re: /\bmoment\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+    { re: /\bmoment\.(?:utc|parseZone|duration|locale)\b/, version: null },
+  ]},
+  { pkg: 'handlebars', ecosystem: 'npm', patterns: [
+    { re: /\bHandlebars\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'backbone', ecosystem: 'npm', patterns: [
+    { re: /\bBackbone\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'angular', ecosystem: 'npm', patterns: [
+    { re: /\bangular\.version\s*=\s*\{[^}]*full\s*:\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'vue', ecosystem: 'npm', patterns: [
+    { re: /\bVue\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'react', ecosystem: 'npm', patterns: [
+    { re: /\bReactVersion\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'dompurify', ecosystem: 'npm', patterns: [
+    { re: /\bDOMPurify\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'marked', ecosystem: 'npm', patterns: [
+    { re: /\bmarked\.(?:defaults|setOptions|use|parse)\b[\s\S]{0,200}version\s*[:=]\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'axios', ecosystem: 'npm', patterns: [
+    { re: /\baxios\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'socket.io-client', ecosystem: 'npm', patterns: [
+    { re: /\bio\.protocol\s*=\s*(\d+)/, version: null },
+  ]},
+  { pkg: 'highlight.js', ecosystem: 'npm', patterns: [
+    { re: /\bhljs\.versionString\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'chart.js', ecosystem: 'npm', patterns: [
+    { re: /\bChart\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+];
+
+const SKIP_DIRS = /(?:^|[/\\])(?:node_modules|vendor|dist|build|\.next|__pycache__|\.git)[/\\]/;
+
+function detectVendoredLibraries(fileContents) {
+  if (!fileContents || typeof fileContents !== 'object') return [];
+  const detected = [];
+  const seen = new Set();
+
+  for (const [fp, content] of Object.entries(fileContents)) {
+    if (!content || typeof content !== 'string') continue;
+    if (SKIP_DIRS.test(fp)) continue;
+    if (content.length < 500) continue;
+
+    for (const lib of VERSION_FINGERPRINTS) {
+      for (const pat of lib.patterns) {
+        const m = content.match(pat.re);
+        if (!m) continue;
+        const version = pat.versionGroup ? m[pat.versionGroup] : null;
+        const key = `${lib.pkg}:${fp}`;
+        if (seen.has(key)) continue;
+        seen.add(key);
+        detected.push({
+          name: lib.pkg,
+          version: version || 'unknown',
+          ecosystem: lib.ecosystem,
+          file: fp,
+          scope: 'vendored',
+          isVendored: true,
+        });
+        break;
+      }
+    }
+  }
+  return detected;
+}
+
+
+/***/ })
+
+};

package/dist/824.index.js

@@ -0,0 +1,126 @@
+export const id = 824;
+export const ids = [824];
+export const modules = {
+
+/***/ 9824:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   extractVulnFunctionsViaLLM: () => (/* binding */ extractVulnFunctionsViaLLM)
+/* harmony export */ });
+/* unused harmony export isLlmScaEnabled */
+/* harmony import */ var node_crypto__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(7598);
+/* harmony import */ var node_fs__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(3024);
+/* harmony import */ var node_path__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(6760);
+// LLM-assisted vulnerable function extraction for SCA findings.
+//
+// For CVEs without OSV ecosystem_specific data or GHSA fix commits,
+// uses an LLM to extract vulnerable function names from the CVE description.
+//
+// Gated behind AGENTIC_SECURITY_LLM_SCA=1 (opt-in).
+// Uses the same LLM endpoint config as the SAST validator.
+
+
+
+
+
+const CACHE_DIR = process.env.XDG_CONFIG_HOME
+  ? node_path__WEBPACK_IMPORTED_MODULE_2__.join(process.env.XDG_CONFIG_HOME, 'agentic-security', 'llm-sca-cache')
+  : node_path__WEBPACK_IMPORTED_MODULE_2__.join(process.env.HOME || '/tmp', '.config', 'agentic-security', 'llm-sca-cache');
+
+function _cacheKey(osvId) {
+  return node_crypto__WEBPACK_IMPORTED_MODULE_0__.createHash('sha256').update(`sca-fn:${osvId}`).digest('hex').slice(0, 16);
+}
+
+function _readCache(osvId) {
+  try {
+    const fp = node_path__WEBPACK_IMPORTED_MODULE_2__.join(CACHE_DIR, _cacheKey(osvId) + '.json');
+    return JSON.parse(node_fs__WEBPACK_IMPORTED_MODULE_1__.readFileSync(fp, 'utf8'));
+  } catch { return null; }
+}
+
+function _writeCache(osvId, data) {
+  try {
+    node_fs__WEBPACK_IMPORTED_MODULE_1__.mkdirSync(CACHE_DIR, { recursive: true });
+    node_fs__WEBPACK_IMPORTED_MODULE_1__.writeFileSync(node_path__WEBPACK_IMPORTED_MODULE_2__.join(CACHE_DIR, _cacheKey(osvId) + '.json'), JSON.stringify(data));
+  } catch { /* cache write failure is non-fatal */ }
+}
+
+function isLlmScaEnabled() {
+  return process.env.AGENTIC_SECURITY_LLM_SCA === '1';
+}
+
+function _endpointConfig() {
+  const endpoint = process.env.AGENTIC_SECURITY_LLM_ENDPOINT;
+  const apiKey = process.env.AGENTIC_SECURITY_LLM_API_KEY;
+  const model = process.env.AGENTIC_SECURITY_LLM_MODEL || 'unknown';
+  return endpoint ? { endpoint, apiKey, model } : null;
+}
+
+async function _askLlm(prompt, config) {
+  const headers = { 'Content-Type': 'application/json' };
+  if (config.apiKey) headers['Authorization'] = `Bearer ${config.apiKey}`;
+  const resp = await fetch(config.endpoint, {
+    method: 'POST',
+    headers,
+    body: JSON.stringify({ prompt, model: config.model }),
+    signal: AbortSignal.timeout(15000),
+  });
+  if (!resp.ok) return null;
+  const text = await resp.text();
+  const jsonMatch = text.match(/\{[^{}]*"functions"\s*:\s*\[[^\]]*\][^{}]*\}/);
+  if (!jsonMatch) return null;
+  try { return JSON.parse(jsonMatch[0]); } catch { return null; }
+}
+
+async function extractVulnFunctionsViaLLM(supplyChain, opts = {}) {
+  if (!isLlmScaEnabled()) return [];
+  const config = _endpointConfig();
+  if (!config) return [];
+
+  const enriched = [];
+  const candidates = (supplyChain || []).filter(sc =>
+    sc.type === 'vulnerable_dep' &&
+    (!sc.osvVulnFunctions || !sc.osvVulnFunctions.length) &&
+    sc.noKnownCallSite &&
+    sc.description
+  );
+
+  const BATCH_LIMIT = 20;
+  for (const sc of candidates.slice(0, BATCH_LIMIT)) {
+    const cached = _readCache(sc.osvId);
+    if (cached) {
+      if (cached.functions && cached.functions.length) {
+        sc.osvVulnFunctions = cached.functions;
+        sc._llmFunctionExtracted = true;
+        enriched.push(sc);
+      }
+      continue;
+    }
+
+    const prompt = `Given security advisory ${sc.osvId || ''} (${sc.cveAliases?.[0] || ''}) affecting npm package "${sc.name}" version ${sc.version}:\n\nDescription: ${sc.description.slice(0, 500)}\n\nWhat specific exported function(s) in this package are vulnerable? Return ONLY a JSON object: { "functions": ["functionName1", "functionName2"] }\n\nIf you cannot determine the specific functions, return: { "functions": [] }`;
+
+    try {
+      const result = await _askLlm(prompt, config);
+      if (result && Array.isArray(result.functions)) {
+        const fns = result.functions.filter(f => typeof f === 'string' && f.length > 0 && f.length < 100);
+        _writeCache(sc.osvId, { functions: fns, model: config.model, extractedAt: new Date().toISOString() });
+        if (fns.length) {
+          sc.osvVulnFunctions = fns;
+          sc._llmFunctionExtracted = true;
+          enriched.push(sc);
+        }
+      } else {
+        _writeCache(sc.osvId, { functions: [], model: config.model, extractedAt: new Date().toISOString() });
+      }
+    } catch {
+      // LLM call failure — skip, don't cache (may be transient)
+    }
+  }
+  return enriched;
+}
+
+
+/***/ })
+
+};

package/dist/838.index.js

@@ -14,7 +14,7 @@ __webpack_require__.r(__webpack_exports__);
 /* harmony import */ var node_child_process__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(1421);
 /* harmony import */ var node_fs__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(3024);
 /* harmony import */ var node_path__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(6760);
-/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(3291);
+/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(8636);
 // Closed-loop /fix verification (Sentinel-parity FR-L4-4, FR-L4-5).
 //
 // Given a candidate patch (the new file content + the finding stableId being