@clear-capabilities/agentic-security-scanner 0.77.0 → 0.79.0

package/dist/718.index.js

@@ -0,0 +1,159 @@
+export const id = 718;
+export const ids = [718];
+export const modules = {
+
+/***/ 8718:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   detectVendoredLibraries: () => (/* binding */ detectVendoredLibraries)
+/* harmony export */ });
+// Vendored / copied library detection via version-string fingerprinting.
+//
+// Detects library code copied into src/ that bypasses SCA. Uses version
+// string patterns (_.VERSION, jQuery.fn.jquery, etc.) and characteristic
+// function signatures to identify vendored libraries.
+
+const VERSION_FINGERPRINTS = [
+  { pkg: 'lodash', ecosystem: 'npm', patterns: [
+    { re: /\b(?:lodash|_)\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+    { re: /\b__lodash_hash_undefined__\b/, version: null },
+  ]},
+  { pkg: 'jquery', ecosystem: 'npm', patterns: [
+    { re: /jQuery\.fn\.jquery\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+    { re: /\bjQuery\.fn\.init\b/, version: null },
+  ]},
+  { pkg: 'underscore', ecosystem: 'npm', patterns: [
+    { re: /\b_\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'moment', ecosystem: 'npm', patterns: [
+    { re: /\bmoment\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+    { re: /\bmoment\.(?:utc|parseZone|duration|locale)\b/, version: null },
+  ]},
+  { pkg: 'handlebars', ecosystem: 'npm', patterns: [
+    { re: /\bHandlebars\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'backbone', ecosystem: 'npm', patterns: [
+    { re: /\bBackbone\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'angular', ecosystem: 'npm', patterns: [
+    { re: /\bangular\.version\s*=\s*\{[^}]*full\s*:\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'vue', ecosystem: 'npm', patterns: [
+    { re: /\bVue\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'react', ecosystem: 'npm', patterns: [
+    { re: /\bReactVersion\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'dompurify', ecosystem: 'npm', patterns: [
+    { re: /\bDOMPurify\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'marked', ecosystem: 'npm', patterns: [
+    { re: /\bmarked\.(?:defaults|setOptions|use|parse)\b[\s\S]{0,200}version\s*[:=]\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'axios', ecosystem: 'npm', patterns: [
+    { re: /\baxios\.VERSION\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'socket.io-client', ecosystem: 'npm', patterns: [
+    { re: /\bio\.protocol\s*=\s*(\d+)/, version: null },
+  ]},
+  { pkg: 'highlight.js', ecosystem: 'npm', patterns: [
+    { re: /\bhljs\.versionString\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+  { pkg: 'chart.js', ecosystem: 'npm', patterns: [
+    { re: /\bChart\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/, versionGroup: 1 },
+  ]},
+];
+
+const SKIP_DIRS = /(?:^|[/\\])(?:node_modules|vendor|dist|build|\.next|__pycache__|\.git)[/\\]/;
+
+function detectVendoredLibraries(fileContents) {
+  if (!fileContents || typeof fileContents !== 'object') return [];
+  const detected = [];
+  const seen = new Set();
+
+  for (const [fp, content] of Object.entries(fileContents)) {
+    if (!content || typeof content !== 'string') continue;
+    if (SKIP_DIRS.test(fp)) continue;
+    if (content.length < 500) continue;
+
+    for (const lib of VERSION_FINGERPRINTS) {
+      for (const pat of lib.patterns) {
+        const m = content.match(pat.re);
+        if (!m) continue;
+        const version = pat.versionGroup ? m[pat.versionGroup] : null;
+        const key = `${lib.pkg}:${fp}`;
+        if (seen.has(key)) continue;
+        seen.add(key);
+        detected.push({
+          name: lib.pkg,
+          version: version || 'unknown',
+          ecosystem: lib.ecosystem,
+          file: fp,
+          scope: 'vendored',
+          isVendored: true,
+        });
+        break;
+      }
+    }
+  }
+  // Pass 2: Function-body structural matching for minified/forked copies
+  const FUNCTION_BODY_SIGS = [
+    { pkg: 'lodash', ecosystem: 'npm', fn: 'merge', paramMin: 1,
+      bodyContains: ['assignValue', 'baseFor', 'isObject', 'baseMerge'] },
+    { pkg: 'lodash', ecosystem: 'npm', fn: 'template', paramMin: 1,
+      bodyContains: ['sourceURL', 'interpolate', 'evaluate', 'escape'] },
+    { pkg: 'lodash', ecosystem: 'npm', fn: 'defaultsDeep', paramMin: 1,
+      bodyContains: ['baseMerge', 'isMergeableObject', 'customDefaultsMerge'] },
+    { pkg: 'jquery', ecosystem: 'npm', fn: 'ajax', paramMin: 1,
+      bodyContains: ['XMLHttpRequest', 'ajaxSettings', 'crossDomain', 'responseFields'] },
+    { pkg: 'handlebars', ecosystem: 'npm', fn: 'compile', paramMin: 1,
+      bodyContains: ['templateSpec', 'container', 'invokePartial', 'blockParams'] },
+    { pkg: 'marked', ecosystem: 'npm', fn: 'parse', paramMin: 1,
+      bodyContains: ['Lexer', 'Parser', 'blockTokens', 'walkTokens'] },
+    { pkg: 'ejs', ecosystem: 'npm', fn: 'render', paramMin: 1,
+      bodyContains: ['includeFile', 'resolveInclude', 'rethrow', 'escapeFn'] },
+    { pkg: 'moment', ecosystem: 'npm', fn: 'format', paramMin: 0,
+      bodyContains: ['formatMoment', 'expandFormat', 'makeFormatFunction', 'localFormattingTokens'] },
+    { pkg: 'underscore', ecosystem: 'npm', fn: 'template', paramMin: 1,
+      bodyContains: ['interpolate', 'evaluate', 'escape', 'templateSettings'] },
+    { pkg: 'minimist', ecosystem: 'npm', fn: 'parse', paramMin: 1,
+      bodyContains: ['boolean', 'alias', 'default', 'stopEarly', 'unknown'] },
+  ];
+
+  for (const [fp, content] of Object.entries(fileContents)) {
+    if (!content || typeof content !== 'string') continue;
+    if (SKIP_DIRS.test(fp)) continue;
+    if (!/\.(?:js|mjs|cjs)$/i.test(fp)) continue;
+    if (content.length < 200 || content.length > 500_000) continue;
+
+    for (const sig of FUNCTION_BODY_SIGS) {
+      const key = `${sig.pkg}:${fp}`;
+      if (seen.has(key)) continue;
+      const fnRe = new RegExp(`(?:function\\s+${sig.fn}|(?:const|let|var)\\s+${sig.fn}\\s*=|${sig.fn}\\s*[:=]\\s*function)\\s*\\(`, 'g');
+      const m = fnRe.exec(content);
+      if (!m) continue;
+      const bodyWindow = content.slice(m.index, m.index + 2000);
+      const matchCount = sig.bodyContains.filter(kw => bodyWindow.includes(kw)).length;
+      if (matchCount < Math.ceil(sig.bodyContains.length * 0.6)) continue;
+      seen.add(key);
+      detected.push({
+        name: sig.pkg,
+        version: 'unknown',
+        ecosystem: sig.ecosystem,
+        file: fp,
+        scope: 'vendored',
+        isVendored: true,
+        _detectionMethod: 'function-body-signature',
+        _matchedKeywords: matchCount,
+      });
+    }
+  }
+
+  return detected;
+}
+
+
+/***/ })
+
+};

package/dist/824.index.js

@@ -0,0 +1,126 @@
+export const id = 824;
+export const ids = [824];
+export const modules = {
+
+/***/ 9824:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   extractVulnFunctionsViaLLM: () => (/* binding */ extractVulnFunctionsViaLLM)
+/* harmony export */ });
+/* unused harmony export isLlmScaEnabled */
+/* harmony import */ var node_crypto__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(7598);
+/* harmony import */ var node_fs__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(3024);
+/* harmony import */ var node_path__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(6760);
+// LLM-assisted vulnerable function extraction for SCA findings.
+//
+// For CVEs without OSV ecosystem_specific data or GHSA fix commits,
+// uses an LLM to extract vulnerable function names from the CVE description.
+//
+// Gated behind AGENTIC_SECURITY_LLM_SCA=1 (opt-in).
+// Uses the same LLM endpoint config as the SAST validator.
+
+
+
+
+
+const CACHE_DIR = process.env.XDG_CONFIG_HOME
+  ? node_path__WEBPACK_IMPORTED_MODULE_2__.join(process.env.XDG_CONFIG_HOME, 'agentic-security', 'llm-sca-cache')
+  : node_path__WEBPACK_IMPORTED_MODULE_2__.join(process.env.HOME || '/tmp', '.config', 'agentic-security', 'llm-sca-cache');
+
+function _cacheKey(osvId) {
+  return node_crypto__WEBPACK_IMPORTED_MODULE_0__.createHash('sha256').update(`sca-fn:${osvId}`).digest('hex').slice(0, 16);
+}
+
+function _readCache(osvId) {
+  try {
+    const fp = node_path__WEBPACK_IMPORTED_MODULE_2__.join(CACHE_DIR, _cacheKey(osvId) + '.json');
+    return JSON.parse(node_fs__WEBPACK_IMPORTED_MODULE_1__.readFileSync(fp, 'utf8'));
+  } catch { return null; }
+}
+
+function _writeCache(osvId, data) {
+  try {
+    node_fs__WEBPACK_IMPORTED_MODULE_1__.mkdirSync(CACHE_DIR, { recursive: true });
+    node_fs__WEBPACK_IMPORTED_MODULE_1__.writeFileSync(node_path__WEBPACK_IMPORTED_MODULE_2__.join(CACHE_DIR, _cacheKey(osvId) + '.json'), JSON.stringify(data));
+  } catch { /* cache write failure is non-fatal */ }
+}
+
+function isLlmScaEnabled() {
+  return process.env.AGENTIC_SECURITY_LLM_SCA === '1';
+}
+
+function _endpointConfig() {
+  const endpoint = process.env.AGENTIC_SECURITY_LLM_ENDPOINT;
+  const apiKey = process.env.AGENTIC_SECURITY_LLM_API_KEY;
+  const model = process.env.AGENTIC_SECURITY_LLM_MODEL || 'unknown';
+  return endpoint ? { endpoint, apiKey, model } : null;
+}
+
+async function _askLlm(prompt, config) {
+  const headers = { 'Content-Type': 'application/json' };
+  if (config.apiKey) headers['Authorization'] = `Bearer ${config.apiKey}`;
+  const resp = await fetch(config.endpoint, {
+    method: 'POST',
+    headers,
+    body: JSON.stringify({ prompt, model: config.model }),
+    signal: AbortSignal.timeout(15000),
+  });
+  if (!resp.ok) return null;
+  const text = await resp.text();
+  const jsonMatch = text.match(/\{[^{}]*"functions"\s*:\s*\[[^\]]*\][^{}]*\}/);
+  if (!jsonMatch) return null;
+  try { return JSON.parse(jsonMatch[0]); } catch { return null; }
+}
+
+async function extractVulnFunctionsViaLLM(supplyChain, opts = {}) {
+  if (!isLlmScaEnabled()) return [];
+  const config = _endpointConfig();
+  if (!config) return [];
+
+  const enriched = [];
+  const candidates = (supplyChain || []).filter(sc =>
+    sc.type === 'vulnerable_dep' &&
+    (!sc.osvVulnFunctions || !sc.osvVulnFunctions.length) &&
+    sc.noKnownCallSite &&
+    sc.description
+  );
+
+  const BATCH_LIMIT = 20;
+  for (const sc of candidates.slice(0, BATCH_LIMIT)) {
+    const cached = _readCache(sc.osvId);
+    if (cached) {
+      if (cached.functions && cached.functions.length) {
+        sc.osvVulnFunctions = cached.functions;
+        sc._llmFunctionExtracted = true;
+        enriched.push(sc);
+      }
+      continue;
+    }
+
+    const prompt = `Given security advisory ${sc.osvId || ''} (${sc.cveAliases?.[0] || ''}) affecting npm package "${sc.name}" version ${sc.version}:\n\nDescription: ${sc.description.slice(0, 500)}\n\nWhat specific exported function(s) in this package are vulnerable? Return ONLY a JSON object: { "functions": ["functionName1", "functionName2"] }\n\nIf you cannot determine the specific functions, return: { "functions": [] }`;
+
+    try {
+      const result = await _askLlm(prompt, config);
+      if (result && Array.isArray(result.functions)) {
+        const fns = result.functions.filter(f => typeof f === 'string' && f.length > 0 && f.length < 100);
+        _writeCache(sc.osvId, { functions: fns, model: config.model, extractedAt: new Date().toISOString() });
+        if (fns.length) {
+          sc.osvVulnFunctions = fns;
+          sc._llmFunctionExtracted = true;
+          enriched.push(sc);
+        }
+      } else {
+        _writeCache(sc.osvId, { functions: [], model: config.model, extractedAt: new Date().toISOString() });
+      }
+    } catch {
+      // LLM call failure — skip, don't cache (may be transient)
+    }
+  }
+  return enriched;
+}
+
+
+/***/ })
+
+};

package/dist/838.index.js

@@ -14,7 +14,7 @@ __webpack_require__.r(__webpack_exports__);
 /* harmony import */ var node_child_process__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(1421);
 /* harmony import */ var node_fs__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(3024);
 /* harmony import */ var node_path__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(6760);
-/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(3291);
+/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(6048);
 // Closed-loop /fix verification (Sentinel-parity FR-L4-4, FR-L4-5).
 //
 // Given a candidate patch (the new file content + the finding stableId being

package/dist/985.index.js

@@ -1465,6 +1465,11 @@ async function _postRemote(url, entry) {
 function auditCall({ sessionRoot, tool, args, outcome, reason }) {
   if (!sessionRoot) return;
   try {
+    // Safety: only write audit log if sessionRoot looks like a project root
+    const MARKERS = ['.git', 'package.json', 'pyproject.toml', 'go.mod', 'Cargo.toml', 'pom.xml', 'composer.json', 'Gemfile'];
+    let hasMarker = false;
+    for (const m of MARKERS) { try { if (external_node_fs_.existsSync(external_node_path_.join(sessionRoot, m))) { hasMarker = true; break; } } catch {} }
+    if (!hasMarker) return;
     const dir = external_node_path_.join(sessionRoot, '.agentic-security');
     external_node_fs_.mkdirSync(dir, { recursive: true });
     const logFile = external_node_path_.join(dir, 'mcp-audit.log');