@clear-capabilities/agentic-security-scanner 0.77.0 → 0.79.0

package/src/sast/weak-password-hash.js

@@ -0,0 +1,77 @@
+// Weak password hashing detector.
+//
+// Context-gated: only fires when the hash input variable is named
+// password/secret/credential or the enclosing function is password-related.
+// Detects MD5/SHA1 without salt for password storage.
+
+const PASSWORD_CONTEXT = /\b(password|passwd|pwd|secret|credential|passphrase|pass_hash|user_pass)\b/i;
+const PASSWORD_FUNC = /\b(hashPassword|encryptPassword|checkPassword|verifyPassword|createHash|setPassword|validatePassword|hash_password|check_password)\b/i;
+
+function _line(raw, idx) { return raw.slice(0, idx).split('\n').length; }
+
+const PATTERNS = {
+  js: {
+    ext: /\.(?:js|jsx|ts|tsx|mjs|cjs)$/i,
+    rules: [
+      { re: /\bcreateHash\s*\(\s*['"](?:md5|sha1|sha-1|md4)['"]\s*\)[\s\S]{0,60}\.update\s*\(\s*(\w+)/g, label: 'createHash with weak algorithm' },
+      { re: /\bmd5\s*\(\s*(\w+)/g, label: 'md5() function call' },
+      { re: /\bsha1\s*\(\s*(\w+)/g, label: 'sha1() function call' },
+    ],
+  },
+  py: {
+    ext: /\.py$/i,
+    rules: [
+      { re: /\bhashlib\.(?:md5|sha1)\s*\(\s*(\w+)/g, label: 'hashlib.md5/sha1' },
+      { re: /\bhashlib\.new\s*\(\s*['"](?:md5|sha1)['"]\s*\)[\s\S]{0,40}\.update\s*\(\s*(\w+)/g, label: 'hashlib.new with weak algorithm' },
+    ],
+  },
+  go: {
+    ext: /\.go$/i,
+    rules: [
+      { re: /\bmd5\.(?:Sum|New)\s*\(\s*(?:\[\]byte\s*\(\s*)?(\w+)/g, label: 'md5.Sum/New' },
+      { re: /\bsha1\.(?:Sum|New)\s*\(\s*(?:\[\]byte\s*\(\s*)?(\w+)/g, label: 'sha1.Sum/New' },
+    ],
+  },
+};
+
+export function scanWeakPasswordHash(fp, raw) {
+  if (!fp || !raw || typeof raw !== 'string') return [];
+  if (raw.length > 500_000) return [];
+
+  const findings = [];
+  let lang = null;
+  for (const v of Object.values(PATTERNS)) {
+    if (v.ext.test(fp)) { lang = v; break; }
+  }
+  if (!lang) return [];
+
+  for (const { re, label } of lang.rules) {
+    re.lastIndex = 0;
+    for (const m of raw.matchAll(re)) {
+      const inputVar = m[1] || '';
+      const line = _line(raw, m.index);
+      // Check context: password-named variable or password-related function
+      const funcStart = raw.lastIndexOf('\n', Math.max(0, m.index - 500));
+      const context = raw.slice(funcStart, m.index + m[0].length + 100);
+      if (!PASSWORD_CONTEXT.test(inputVar) && !PASSWORD_CONTEXT.test(context) && !PASSWORD_FUNC.test(context)) continue;
+      // Check for salt within 10 lines before
+      const before = raw.slice(Math.max(0, m.index - 400), m.index);
+      const hasSalt = /\b(salt|randomBytes|urandom|os\.urandom|crypto\.randomBytes|bcrypt|argon2|scrypt|pbkdf2)\b/i.test(before);
+      if (hasSalt) continue;
+
+      findings.push({
+        id: `weak-pw-hash:${fp}:${line}`,
+        file: fp, line,
+        vuln: `Weak Password Hashing — ${label} for password without salt`,
+        severity: 'critical',
+        family: 'weak-password-hash',
+        cwe: 'CWE-916',
+        parser: 'WEAK-PW-HASH',
+        confidence: 0.80,
+        description: `${label} used on a password-context variable without salt. MD5/SHA1 are fast hashes trivially reversed via rainbow tables. Unsalted hashes are cracked in seconds.`,
+        remediation: 'Use bcrypt (cost ≥ 12), argon2id, or scrypt. Never use MD5/SHA1/SHA256 for password storage.',
+      });
+    }
+  }
+  return findings;
+}

package/src/sast/weak-randomness.js

@@ -0,0 +1,100 @@
+// Cross-language insecure randomness detector.
+//
+// Flags usage of non-cryptographic PRNGs when the result is assigned to a
+// security-sensitive variable (token, session, nonce, key, secret, etc.).
+//
+// Coverage:
+//   JS/TS: Math.random()
+//   Python: random.random(), random.randint(), random.choice(), random.uniform()
+//   Go: rand.Intn(), rand.Int(), rand.Float64(), rand.Int31(), rand.Int63()
+//   Ruby: rand(), Random.rand, Random.new.rand
+//   PHP: rand(), mt_rand(), array_rand(), shuffle()
+
+const SECURITY_CONTEXT = /\b(token|session|nonce|key|secret|password|otp|csrf|salt|code|pin|auth|reset|verify|captcha|challenge|ticket)\b/i;
+
+function _line(raw, idx) {
+  return raw.slice(0, idx).split('\n').length;
+}
+
+const LANG_PATTERNS = {
+  js: {
+    ext: /\.(?:js|jsx|ts|tsx|mjs|cjs)$/i,
+    patterns: [
+      { re: /\bMath\.random\s*\(\s*\)/g, label: 'Math.random()' },
+    ],
+  },
+  py: {
+    ext: /\.py$/i,
+    patterns: [
+      { re: /\brandom\.(?:random|randint|choice|uniform|randrange|sample|getrandbits)\s*\(/g, label: 'random module (non-crypto)' },
+    ],
+  },
+  go: {
+    ext: /\.go$/i,
+    patterns: [
+      { re: /\brand\.(?:Intn|Int|Float64|Float32|Int31|Int63|Int31n|Int63n|Uint32|Uint64)\s*\(/g, label: 'math/rand (non-crypto)' },
+    ],
+  },
+  rb: {
+    ext: /\.rb$/i,
+    patterns: [
+      { re: /\b(?:rand\s*\(|Random\.(?:rand|new\.rand)\s*\()/g, label: 'Kernel.rand / Random.rand' },
+    ],
+  },
+  php: {
+    ext: /\.(?:php|phtml)$/i,
+    patterns: [
+      { re: /\b(?:rand|mt_rand|array_rand)\s*\(/g, label: 'rand() / mt_rand()' },
+    ],
+  },
+};
+
+export function scanWeakRandomness(fp, raw) {
+  if (!fp || !raw || typeof raw !== 'string') return [];
+  if (raw.length > 500_000) return [];
+
+  const findings = [];
+  let lang = null;
+  for (const [k, v] of Object.entries(LANG_PATTERNS)) {
+    if (v.ext.test(fp)) { lang = v; break; }
+  }
+  if (!lang) return [];
+
+  for (const { re, label } of lang.patterns) {
+    re.lastIndex = 0;
+    for (const m of raw.matchAll(re)) {
+      const line = _line(raw, m.index);
+      const lineStart = raw.lastIndexOf('\n', m.index) + 1;
+      const lineEnd = raw.indexOf('\n', m.index);
+      const lineText = raw.slice(lineStart, lineEnd > 0 ? lineEnd : raw.length);
+      if (!SECURITY_CONTEXT.test(lineText)) {
+        const prevLineStart = raw.lastIndexOf('\n', lineStart - 2) + 1;
+        const prevLine = raw.slice(prevLineStart, lineStart - 1);
+        if (!SECURITY_CONTEXT.test(prevLine)) continue;
+      }
+      findings.push({
+        id: `weak-rng:${fp}:${line}`,
+        file: fp,
+        line,
+        vuln: `Insecure Randomness — ${label} used for security-sensitive value`,
+        severity: 'high',
+        family: 'weak-rng',
+        cwe: 'CWE-330',
+        parser: 'WEAK-RNG',
+        confidence: 0.80,
+        description: `${label} is not cryptographically secure. An attacker can predict the output and forge tokens, bypass OTP, or guess session identifiers.`,
+        remediation: _remediation(fp),
+        snippet: lineText.trim().slice(0, 80),
+      });
+    }
+  }
+  return findings;
+}
+
+function _remediation(fp) {
+  if (/\.py$/i.test(fp)) return 'Use secrets.token_hex(32), secrets.token_urlsafe(32), or secrets.randbelow(n).';
+  if (/\.go$/i.test(fp)) return 'Use crypto/rand: n, _ := rand.Int(rand.Reader, big.NewInt(999999)).';
+  if (/\.rb$/i.test(fp)) return 'Use SecureRandom.hex(32) or SecureRandom.uuid.';
+  if (/\.(?:php|phtml)$/i.test(fp)) return 'Use random_bytes(32) or random_int(0, $max).';
+  return 'Use crypto.randomBytes(32).toString("hex") or crypto.getRandomValues().';
+}

package/src/sca/binary-metadata.js

@@ -0,0 +1,124 @@
+// Binary artifact SCA metadata extraction.
+//
+// Reads dependency information from compiled artifacts:
+//   - Java JAR files: META-INF/MANIFEST.MF for version + classpath
+//   - Go binaries: embedded go.buildinfo for dependency tree
+//
+// Gated behind AGENTIC_SECURITY_BINARY_SCA=1 (opt-in).
+// Does NOT execute binaries — only reads metadata sections.
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { execFileSync } from 'node:child_process';
+
+export function isBinaryScaEnabled() {
+  return process.env.AGENTIC_SECURITY_BINARY_SCA === '1';
+}
+
+export function extractJarMetadata(jarPath) {
+  if (!jarPath || !jarPath.endsWith('.jar')) return null;
+  try {
+    const out = execFileSync('jar', ['tf', jarPath], { encoding: 'utf8', timeout: 5000 });
+    const hasManifest = out.includes('META-INF/MANIFEST.MF');
+    if (!hasManifest) return null;
+    const manifest = execFileSync('jar', ['xf', jarPath, 'META-INF/MANIFEST.MF', '-C', '/tmp'], {
+      encoding: 'utf8', timeout: 5000, cwd: '/tmp',
+    });
+    const manifestPath = '/tmp/META-INF/MANIFEST.MF';
+    if (!fs.existsSync(manifestPath)) return null;
+    const content = fs.readFileSync(manifestPath, 'utf8');
+    const attrs = {};
+    for (const line of content.split('\n')) {
+      const m = line.match(/^([A-Za-z-]+):\s*(.+)$/);
+      if (m) attrs[m[1].toLowerCase()] = m[2].trim();
+    }
+    const hasPom = out.includes('pom.properties');
+    let groupId = attrs['implementation-vendor-id'] || '';
+    let artifactId = attrs['implementation-title'] || path.basename(jarPath, '.jar');
+    let version = attrs['implementation-version'] || attrs['bundle-version'] || 'unknown';
+    if (hasPom) {
+      try {
+        execFileSync('jar', ['xf', jarPath, '--', ...out.split('\n').filter(l => l.includes('pom.properties'))], {
+          timeout: 5000, cwd: '/tmp',
+        });
+        const pomFiles = out.split('\n').filter(l => l.includes('pom.properties'));
+        for (const pf of pomFiles) {
+          const pfPath = path.join('/tmp', pf);
+          if (!fs.existsSync(pfPath)) continue;
+          const props = fs.readFileSync(pfPath, 'utf8');
+          for (const line of props.split('\n')) {
+            if (line.startsWith('groupId=')) groupId = line.split('=')[1].trim();
+            if (line.startsWith('artifactId=')) artifactId = line.split('=')[1].trim();
+            if (line.startsWith('version=')) version = line.split('=')[1].trim();
+          }
+          break;
+        }
+      } catch { /* pom extraction optional */ }
+    }
+    return {
+      name: artifactId,
+      version,
+      group: groupId,
+      ecosystem: 'maven',
+      filePath: jarPath,
+      scope: 'required',
+      purl: `pkg:maven/${groupId}/${artifactId}@${version}`,
+      isUnpinned: false,
+      _source: 'jar-manifest',
+    };
+  } catch { return null; }
+}
+
+export function extractGoBuildInfo(binPath) {
+  if (!binPath) return [];
+  try {
+    const out = execFileSync('go', ['version', '-m', binPath], { encoding: 'utf8', timeout: 5000 });
+    const deps = [];
+    for (const line of out.split('\n')) {
+      const m = line.match(/^\s*dep\s+([\w./-]+)\s+(v[\d.]+(?:-[\w.]+)?)/);
+      if (m) {
+        deps.push({
+          name: m[1],
+          version: m[2].replace(/^v/, ''),
+          group: '',
+          ecosystem: 'golang',
+          filePath: binPath,
+          scope: 'required',
+          purl: `pkg:golang/${m[1]}@${m[2]}`,
+          isUnpinned: false,
+          _source: 'go-buildinfo',
+        });
+      }
+    }
+    return deps;
+  } catch { return []; }
+}
+
+export function scanBinaryArtifacts(fileContents, scanRoot) {
+  if (!isBinaryScaEnabled()) return [];
+  const components = [];
+  const root = scanRoot || '.';
+  try {
+    const jarFiles = fs.readdirSync(root, { recursive: true })
+      .filter(f => f.endsWith('.jar') && !f.includes('node_modules'))
+      .slice(0, 20);
+    for (const jar of jarFiles) {
+      const meta = extractJarMetadata(path.join(root, jar));
+      if (meta) components.push(meta);
+    }
+  } catch { /* jar scan optional */ }
+  try {
+    const goBins = fs.readdirSync(root, { recursive: true })
+      .filter(f => !f.includes('.') && !f.includes('node_modules') && !f.includes('/'))
+      .slice(0, 10);
+    for (const bin of goBins) {
+      const fp = path.join(root, bin);
+      try {
+        if (fs.statSync(fp).isFile() && (fs.statSync(fp).mode & 0o111)) {
+          components.push(...extractGoBuildInfo(fp));
+        }
+      } catch { /* skip non-executable */ }
+    }
+  } catch { /* go binary scan optional */ }
+  return components;
+}

package/src/sca/llm-function-extract.js

@@ -0,0 +1,107 @@
+// LLM-assisted vulnerable function extraction for SCA findings.
+//
+// For CVEs without OSV ecosystem_specific data or GHSA fix commits,
+// uses an LLM to extract vulnerable function names from the CVE description.
+//
+// Gated behind AGENTIC_SECURITY_LLM_SCA=1 (opt-in).
+// Uses the same LLM endpoint config as the SAST validator.
+
+import * as crypto from 'node:crypto';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+
+const CACHE_DIR = process.env.XDG_CONFIG_HOME
+  ? path.join(process.env.XDG_CONFIG_HOME, 'agentic-security', 'llm-sca-cache')
+  : path.join(process.env.HOME || '/tmp', '.config', 'agentic-security', 'llm-sca-cache');
+
+function _cacheKey(osvId) {
+  return crypto.createHash('sha256').update(`sca-fn:${osvId}`).digest('hex').slice(0, 16);
+}
+
+function _readCache(osvId) {
+  try {
+    const fp = path.join(CACHE_DIR, _cacheKey(osvId) + '.json');
+    return JSON.parse(fs.readFileSync(fp, 'utf8'));
+  } catch { return null; }
+}
+
+function _writeCache(osvId, data) {
+  try {
+    fs.mkdirSync(CACHE_DIR, { recursive: true });
+    fs.writeFileSync(path.join(CACHE_DIR, _cacheKey(osvId) + '.json'), JSON.stringify(data));
+  } catch { /* cache write failure is non-fatal */ }
+}
+
+export function isLlmScaEnabled() {
+  return process.env.AGENTIC_SECURITY_LLM_SCA === '1';
+}
+
+function _endpointConfig() {
+  const endpoint = process.env.AGENTIC_SECURITY_LLM_ENDPOINT;
+  const apiKey = process.env.AGENTIC_SECURITY_LLM_API_KEY;
+  const model = process.env.AGENTIC_SECURITY_LLM_MODEL || 'unknown';
+  return endpoint ? { endpoint, apiKey, model } : null;
+}
+
+async function _askLlm(prompt, config) {
+  const headers = { 'Content-Type': 'application/json' };
+  if (config.apiKey) headers['Authorization'] = `Bearer ${config.apiKey}`;
+  const resp = await fetch(config.endpoint, {
+    method: 'POST',
+    headers,
+    body: JSON.stringify({ prompt, model: config.model }),
+    signal: AbortSignal.timeout(15000),
+  });
+  if (!resp.ok) return null;
+  const text = await resp.text();
+  const jsonMatch = text.match(/\{[^{}]*"functions"\s*:\s*\[[^\]]*\][^{}]*\}/);
+  if (!jsonMatch) return null;
+  try { return JSON.parse(jsonMatch[0]); } catch { return null; }
+}
+
+export async function extractVulnFunctionsViaLLM(supplyChain, opts = {}) {
+  if (!isLlmScaEnabled()) return [];
+  const config = _endpointConfig();
+  if (!config) return [];
+
+  const enriched = [];
+  const candidates = (supplyChain || []).filter(sc =>
+    sc.type === 'vulnerable_dep' &&
+    (!sc.osvVulnFunctions || !sc.osvVulnFunctions.length) &&
+    sc.noKnownCallSite &&
+    sc.description
+  );
+
+  const BATCH_LIMIT = 20;
+  for (const sc of candidates.slice(0, BATCH_LIMIT)) {
+    const cached = _readCache(sc.osvId);
+    if (cached) {
+      if (cached.functions && cached.functions.length) {
+        sc.osvVulnFunctions = cached.functions;
+        sc._llmFunctionExtracted = true;
+        enriched.push(sc);
+      }
+      continue;
+    }
+
+    const prompt = `Given security advisory ${sc.osvId || ''} (${sc.cveAliases?.[0] || ''}) affecting npm package "${sc.name}" version ${sc.version}:\n\nDescription: ${sc.description.slice(0, 500)}\n\nWhat specific exported function(s) in this package are vulnerable? Return ONLY a JSON object: { "functions": ["functionName1", "functionName2"] }\n\nIf you cannot determine the specific functions, return: { "functions": [] }`;
+
+    try {
+      const result = await _askLlm(prompt, config);
+      if (result && Array.isArray(result.functions)) {
+        const fns = result.functions.filter(f => typeof f === 'string' && f.length > 0 && f.length < 100);
+        _writeCache(sc.osvId, { functions: fns, model: config.model, extractedAt: new Date().toISOString() });
+        if (fns.length) {
+          sc.osvVulnFunctions = fns;
+          sc._llmFunctionExtracted = true;
+          enriched.push(sc);
+        }
+      } else {
+        _writeCache(sc.osvId, { functions: [], model: config.model, extractedAt: new Date().toISOString() });
+      }
+    } catch {
+      // LLM call failure — skip, don't cache (may be transient)
+    }
+  }
+  return enriched;
+}

package/src/sca/py-package-functions.js

@@ -0,0 +1,118 @@
+// Python package function extraction via the CST parser.
+//
+// Locates an installed Python package in site-packages or .venv,
+// parses its source files via the Python CST parser, and returns
+// a map of exported function names. Used by markUsedVulnFunctions
+// to validate that OSV-named vulnerable functions actually exist
+// in the installed version.
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { execFileSync } from 'node:child_process';
+import { parsePythonFilesBatch, probePythonAvailable } from '../ir/parser-py-cst.js';
+
+const VENV_DIRS = ['.venv', 'venv', '.env', 'env'];
+
+function _findSitePackages(scanRoot) {
+  for (const vdir of VENV_DIRS) {
+    const base = path.join(scanRoot || '.', vdir);
+    if (!fs.existsSync(base)) continue;
+    const lib = path.join(base, 'lib');
+    if (!fs.existsSync(lib)) continue;
+    const pydirs = fs.readdirSync(lib).filter(d => d.startsWith('python'));
+    for (const pydir of pydirs) {
+      const sp = path.join(lib, pydir, 'site-packages');
+      if (fs.existsSync(sp)) return sp;
+    }
+  }
+  // Fallback: ask python3 directly
+  try {
+    const out = execFileSync('python3', ['-c', 'import site; print(site.getsitepackages()[0])'], {
+      encoding: 'utf8', timeout: 5000,
+    }).trim();
+    if (out && fs.existsSync(out)) return out;
+  } catch { /* no python3 or no site-packages */ }
+  return null;
+}
+
+function _findPackageDir(sitePackages, packageName) {
+  if (!sitePackages) return null;
+  const normalized = packageName.replace(/-/g, '_').toLowerCase();
+  const candidates = [
+    normalized,
+    packageName.toLowerCase(),
+    packageName,
+  ];
+  for (const name of candidates) {
+    const dir = path.join(sitePackages, name);
+    if (fs.existsSync(dir) && fs.statSync(dir).isDirectory()) return dir;
+  }
+  return null;
+}
+
+function _readPyFilesFromDir(dir, maxFiles = 50) {
+  const entries = [];
+  try {
+    const files = fs.readdirSync(dir, { recursive: true })
+      .filter(f => f.endsWith('.py'))
+      .slice(0, maxFiles);
+    for (const f of files) {
+      const fp = path.join(dir, f);
+      try {
+        const content = fs.readFileSync(fp, 'utf8');
+        if (content.length < 1_000_000) {
+          entries.push({ file: f, content });
+        }
+      } catch { /* skip unreadable files */ }
+    }
+  } catch { /* dir not readable */ }
+  return entries;
+}
+
+export function extractPythonPackageFunctions(packageName, scanRoot) {
+  const cap = probePythonAvailable();
+  if (!cap.ok) return null;
+
+  const sitePackages = _findSitePackages(scanRoot);
+  const pkgDir = _findPackageDir(sitePackages, packageName);
+  if (!pkgDir) return null;
+
+  const pyFiles = _readPyFilesFromDir(pkgDir);
+  if (!pyFiles.length) return null;
+
+  const batch = parsePythonFilesBatch(pyFiles);
+  if (!batch || !Array.isArray(batch)) return null;
+
+  const functionMap = new Map();
+  for (const fileIR of batch) {
+    if (!fileIR || !fileIR.functions) continue;
+    for (const fn of fileIR.functions) {
+      if (fn.name && !fn.name.startsWith('_')) {
+        functionMap.set(fn.name, {
+          file: fileIR.file,
+          line: fn.line,
+          qid: fn.qid,
+          params: fn.params,
+        });
+      }
+    }
+  }
+  return functionMap;
+}
+
+export function validateOsvFunctionsExist(packageName, osvFunctions, scanRoot) {
+  if (!osvFunctions || !osvFunctions.length) return { validated: [], missing: [] };
+  const fnMap = extractPythonPackageFunctions(packageName, scanRoot);
+  if (!fnMap) return { validated: osvFunctions, missing: [] };
+  const validated = [];
+  const missing = [];
+  for (const fn of osvFunctions) {
+    const shortFn = fn.includes('.') ? fn.split('.').pop() : fn;
+    if (fnMap.has(shortFn) || fnMap.has(fn)) {
+      validated.push(shortFn);
+    } else {
+      missing.push(fn);
+    }
+  }
+  return { validated, missing };
+}

package/src/sca/vendor-detect.js

@@ -0,0 +1,144 @@
+// Vendored / copied library detection via version-string fingerprinting.
+//
+// Detects library code copied into src/ that bypasses SCA. Uses version
+// string patterns (_.VERSION, jQuery.fn.jquery, etc.) and characteristic
+// function signatures to identify vendored libraries.
+
+const VERSION_FINGERPRINTS = [
+  { pkg: 'lodash', ecosystem: 'npm', patterns: [
+    { re: /\b(?:lodash|_)\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+    { re: /\b__lodash_hash_undefined__\b/, version: null },
+  ]},
+  { pkg: 'jquery', ecosystem: 'npm', patterns: [
+    { re: /jQuery\.fn\.jquery\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+    { re: /\bjQuery\.fn\.init\b/, version: null },
+  ]},
+  { pkg: 'underscore', ecosystem: 'npm', patterns: [
+    { re: /\b_\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'moment', ecosystem: 'npm', patterns: [
+    { re: /\bmoment\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+    { re: /\bmoment\.(?:utc|parseZone|duration|locale)\b/, version: null },
+  ]},
+  { pkg: 'handlebars', ecosystem: 'npm', patterns: [
+    { re: /\bHandlebars\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'backbone', ecosystem: 'npm', patterns: [
+    { re: /\bBackbone\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'angular', ecosystem: 'npm', patterns: [
+    { re: /\bangular\.version\s*=\s*\{[^}]*full\s*:\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'vue', ecosystem: 'npm', patterns: [
+    { re: /\bVue\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'react', ecosystem: 'npm', patterns: [
+    { re: /\bReactVersion\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'dompurify', ecosystem: 'npm', patterns: [
+    { re: /\bDOMPurify\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'marked', ecosystem: 'npm', patterns: [
+    { re: /\bmarked\.(?:defaults|setOptions|use|parse)\b[\s\S]{0,200}version\s*[:=]\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'axios', ecosystem: 'npm', patterns: [
+    { re: /\baxios\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'socket.io-client', ecosystem: 'npm', patterns: [
+    { re: /\bio\.protocol\s*=\s*(\d+)/, version: null },
+  ]},
+  { pkg: 'highlight.js', ecosystem: 'npm', patterns: [
+    { re: /\bhljs\.versionString\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'chart.js', ecosystem: 'npm', patterns: [
+    { re: /\bChart\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+];
+
+const SKIP_DIRS = /(?:^|[/\\])(?:node_modules|vendor|dist|build|\.next|__pycache__|\.git)[/\\]/;
+
+export function detectVendoredLibraries(fileContents) {
+  if (!fileContents || typeof fileContents !== 'object') return [];
+  const detected = [];
+  const seen = new Set();
+
+  for (const [fp, content] of Object.entries(fileContents)) {
+    if (!content || typeof content !== 'string') continue;
+    if (SKIP_DIRS.test(fp)) continue;
+    if (content.length < 500) continue;
+
+    for (const lib of VERSION_FINGERPRINTS) {
+      for (const pat of lib.patterns) {
+        const m = content.match(pat.re);
+        if (!m) continue;
+        const version = pat.versionGroup ? m[pat.versionGroup] : null;
+        const key = `${lib.pkg}:${fp}`;
+        if (seen.has(key)) continue;
+        seen.add(key);
+        detected.push({
+          name: lib.pkg,
+          version: version || 'unknown',
+          ecosystem: lib.ecosystem,
+          file: fp,
+          scope: 'vendored',
+          isVendored: true,
+        });
+        break;
+      }
+    }
+  }
+  // Pass 2: Function-body structural matching for minified/forked copies
+  const FUNCTION_BODY_SIGS = [
+    { pkg: 'lodash', ecosystem: 'npm', fn: 'merge', paramMin: 1,
+      bodyContains: ['assignValue', 'baseFor', 'isObject', 'baseMerge'] },
+    { pkg: 'lodash', ecosystem: 'npm', fn: 'template', paramMin: 1,
+      bodyContains: ['sourceURL', 'interpolate', 'evaluate', 'escape'] },
+    { pkg: 'lodash', ecosystem: 'npm', fn: 'defaultsDeep', paramMin: 1,
+      bodyContains: ['baseMerge', 'isMergeableObject', 'customDefaultsMerge'] },
+    { pkg: 'jquery', ecosystem: 'npm', fn: 'ajax', paramMin: 1,
+      bodyContains: ['XMLHttpRequest', 'ajaxSettings', 'crossDomain', 'responseFields'] },
+    { pkg: 'handlebars', ecosystem: 'npm', fn: 'compile', paramMin: 1,
+      bodyContains: ['templateSpec', 'container', 'invokePartial', 'blockParams'] },
+    { pkg: 'marked', ecosystem: 'npm', fn: 'parse', paramMin: 1,
+      bodyContains: ['Lexer', 'Parser', 'blockTokens', 'walkTokens'] },
+    { pkg: 'ejs', ecosystem: 'npm', fn: 'render', paramMin: 1,
+      bodyContains: ['includeFile', 'resolveInclude', 'rethrow', 'escapeFn'] },
+    { pkg: 'moment', ecosystem: 'npm', fn: 'format', paramMin: 0,
+      bodyContains: ['formatMoment', 'expandFormat', 'makeFormatFunction', 'localFormattingTokens'] },
+    { pkg: 'underscore', ecosystem: 'npm', fn: 'template', paramMin: 1,
+      bodyContains: ['interpolate', 'evaluate', 'escape', 'templateSettings'] },
+    { pkg: 'minimist', ecosystem: 'npm', fn: 'parse', paramMin: 1,
+      bodyContains: ['boolean', 'alias', 'default', 'stopEarly', 'unknown'] },
+  ];
+
+  for (const [fp, content] of Object.entries(fileContents)) {
+    if (!content || typeof content !== 'string') continue;
+    if (SKIP_DIRS.test(fp)) continue;
+    if (!/\.(?:js|mjs|cjs)$/i.test(fp)) continue;
+    if (content.length < 200 || content.length > 500_000) continue;
+
+    for (const sig of FUNCTION_BODY_SIGS) {
+      const key = `${sig.pkg}:${fp}`;
+      if (seen.has(key)) continue;
+      const fnRe = new RegExp(`(?:function\\s+${sig.fn}|(?:const|let|var)\\s+${sig.fn}\\s*=|${sig.fn}\\s*[:=]\\s*function)\\s*\\(`, 'g');
+      const m = fnRe.exec(content);
+      if (!m) continue;
+      const bodyWindow = content.slice(m.index, m.index + 2000);
+      const matchCount = sig.bodyContains.filter(kw => bodyWindow.includes(kw)).length;
+      if (matchCount < Math.ceil(sig.bodyContains.length * 0.6)) continue;
+      seen.add(key);
+      detected.push({
+        name: sig.pkg,
+        version: 'unknown',
+        ecosystem: sig.ecosystem,
+        file: fp,
+        scope: 'vendored',
+        isVendored: true,
+        _detectionMethod: 'function-body-signature',
+        _matchedKeywords: matchCount,
+      });
+    }
+  }
+
+  return detected;
+}