@clear-capabilities/agentic-security-scanner 0.78.0 → 0.80.0

package/dist/333.index.js

@@ -0,0 +1,283 @@
+export const id = 333;
+export const ids = [333];
+export const modules = {
+
+/***/ 5333:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+__webpack_require__.r(__webpack_exports__);
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   applyScaUpgrade: () => (/* binding */ applyScaUpgrade),
+/* harmony export */   planScaUpgrade: () => (/* binding */ planScaUpgrade)
+/* harmony export */ });
+/* harmony import */ var node_fs__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(3024);
+/* harmony import */ var node_fs_promises__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(1455);
+/* harmony import */ var node_path__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(6760);
+/* harmony import */ var node_crypto__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(7598);
+/* harmony import */ var node_child_process__WEBPACK_IMPORTED_MODULE_4__ = __webpack_require__(1421);
+/* harmony import */ var node_util__WEBPACK_IMPORTED_MODULE_5__ = __webpack_require__(7975);
+/* harmony import */ var _state_dir_js__WEBPACK_IMPORTED_MODULE_6__ = __webpack_require__(1174);
+// SCA upgrade engine: dry-run plan + worktree-isolated apply.
+//
+// Phase 3 / Item 5 of the SCA improvement plan. The MCP `apply_fix` path
+// refuses to write manifest files (package.json, *-lock.*, poetry.lock,
+// Cargo.lock, etc.) for safety. SCA findings need a separate path that:
+//   1. Generates an upgrade *plan* via the ecosystem's native dry-run
+//      command (npm install --dry-run, pip install --dry-run, etc.).
+//   2. Applies the upgrade via the package manager itself, with a backup
+//      + test-gate so a peer-dep break or test regression rolls back.
+//
+// Caller pattern: plan first (read-only), inspect the breaking-change
+// flag / peer warnings, then apply with confirm:true.
+
+
+
+
+
+
+
+
+
+const execFileAsync = (0,node_util__WEBPACK_IMPORTED_MODULE_5__.promisify)(node_child_process__WEBPACK_IMPORTED_MODULE_4__.execFile);
+
+// Per-ecosystem command/manifest map. Add ecosystems by extending this
+// table — every other place in the module reads it.
+const ECOSYSTEM = {
+  npm: {
+    manifests: ['package.json', 'package-lock.json'],
+    altManifests: [['yarn.lock'], ['pnpm-lock.yaml']],
+    dryRun: (pkg, ver) => ({ cmd: 'npm', args: ['install', `${pkg}@${ver}`, '--dry-run', '--json'] }),
+    apply:  (pkg, ver) => ({ cmd: 'npm', args: ['install', `${pkg}@${ver}`, '--save'] }),
+    parseDryRun(stdout) {
+      try {
+        const j = JSON.parse(stdout);
+        const peerDeps = Array.isArray(j.warnings) ? j.warnings.filter(w => /peer dep/i.test(w)) : [];
+        const transitiveImpact = (j.added || []).length + (j.updated || []).length + (j.removed || []).length;
+        return { peerDeps, transitiveImpact, rawSummary: { added: (j.added || []).length, updated: (j.updated || []).length, removed: (j.removed || []).length } };
+      } catch { return { peerDeps: [], transitiveImpact: 0, rawSummary: null }; }
+    },
+  },
+  pypi: {
+    manifests: ['requirements.txt', 'pyproject.toml'],
+    altManifests: [['poetry.lock'], ['Pipfile.lock']],
+    dryRun: (pkg, ver) => ({ cmd: 'pip', args: ['install', '--dry-run', `${pkg}==${ver}`] }),
+    apply:  (pkg, ver) => ({ cmd: 'pip', args: ['install', '--upgrade', `${pkg}==${ver}`] }),
+    parseDryRun() {
+      // pip --dry-run output is human-readable; we don't parse it for v1.
+      return { peerDeps: [], transitiveImpact: 0, rawSummary: null };
+    },
+  },
+  cargo: {
+    manifests: ['Cargo.toml', 'Cargo.lock'],
+    altManifests: [],
+    dryRun: (pkg, _ver) => ({ cmd: 'cargo', args: ['update', '--package', pkg, '--dry-run'] }),
+    apply:  (pkg, _ver) => ({ cmd: 'cargo', args: ['update', '--package', pkg] }),
+    parseDryRun() { return { peerDeps: [], transitiveImpact: 0, rawSummary: null }; },
+  },
+  golang: {
+    manifests: ['go.mod', 'go.sum'],
+    altManifests: [],
+    dryRun: (_pkg, _ver) => null,   // `go get` has no dry-run flag; we skip dry-run in v1.
+    apply:  (pkg, ver) => ({ cmd: 'go', args: ['get', `${pkg}@v${ver}`] }),
+    parseDryRun() { return { peerDeps: [], transitiveImpact: 0, rawSummary: null }; },
+  },
+  // Other ecosystems (rubygems, packagist, pub, maven) return a structured
+  // "manual" plan in v1 — no native dry-run + the install side-effects
+  // (gem build artifacts, composer cache) are easier for the user to
+  // confirm interactively.
+};
+
+function _majorVersion(v) {
+  const m = String(v || '').match(/^(\d+)/);
+  return m ? parseInt(m[1], 10) : null;
+}
+
+function _detectTestCommand(scanRoot) {
+  try {
+    const pkg = node_path__WEBPACK_IMPORTED_MODULE_2__.join(scanRoot, 'package.json');
+    if (node_fs__WEBPACK_IMPORTED_MODULE_0__.existsSync(pkg)) {
+      const j = JSON.parse(node_fs__WEBPACK_IMPORTED_MODULE_0__.readFileSync(pkg, 'utf8'));
+      if (j.scripts?.test && !/no test specified/i.test(j.scripts.test)) {
+        return { cmd: 'npm', args: ['test'] };
+      }
+    }
+  } catch {}
+  if (node_fs__WEBPACK_IMPORTED_MODULE_0__.existsSync(node_path__WEBPACK_IMPORTED_MODULE_2__.join(scanRoot, 'Cargo.toml'))) return { cmd: 'cargo', args: ['test'] };
+  if (node_fs__WEBPACK_IMPORTED_MODULE_0__.existsSync(node_path__WEBPACK_IMPORTED_MODULE_2__.join(scanRoot, 'go.mod'))) return { cmd: 'go', args: ['test', './...'] };
+  if (node_fs__WEBPACK_IMPORTED_MODULE_0__.existsSync(node_path__WEBPACK_IMPORTED_MODULE_2__.join(scanRoot, 'pyproject.toml'))) return { cmd: 'pytest', args: [] };
+  return null;
+}
+
+// Produce a structured upgrade plan WITHOUT modifying anything on disk.
+// Safe to call repeatedly; runs the ecosystem's --dry-run command.
+async function planScaUpgrade({ scanRoot, finding }) {
+  if (!finding || finding.type !== 'vulnerable_dep') {
+    return { ok: false, reason: 'not a vulnerable_dep finding' };
+  }
+  const eco = ECOSYSTEM[finding.ecosystem];
+  if (!eco) {
+    return {
+      ok: true,
+      mode: 'manual',
+      reason: `ecosystem '${finding.ecosystem}' has no automated upgrade in v1`,
+      package: finding.name, currentVersion: finding.version,
+      targetVersion: (finding.fixedVersions && finding.fixedVersions[0]) || null,
+      command: null,
+    };
+  }
+  const target = (finding.fixedVersions && finding.fixedVersions[0]) || null;
+  if (!target) {
+    return { ok: false, reason: 'no fixed version in OSV record' };
+  }
+  const isBreaking = (_majorVersion(target) ?? 0) > (_majorVersion(finding.version) ?? 0);
+  const apply = eco.apply(finding.name, target);
+  const dryRunSpec = eco.dryRun(finding.name, target);
+  let peerDeps = [], transitiveImpact = 0, rawSummary = null, dryRunOk = null;
+  if (dryRunSpec) {
+    try {
+      const r = await execFileAsync(dryRunSpec.cmd, dryRunSpec.args, {
+        cwd: scanRoot, timeout: 60_000, maxBuffer: 8 * 1024 * 1024,
+      });
+      const parsed = eco.parseDryRun(r.stdout);
+      peerDeps = parsed.peerDeps;
+      transitiveImpact = parsed.transitiveImpact;
+      rawSummary = parsed.rawSummary;
+      dryRunOk = true;
+    } catch (e) {
+      // Dry-run failed (e.g. peer-dep resolution conflict). Surface the
+      // error structurally so the caller can decide whether to proceed.
+      dryRunOk = false;
+      const stderr = (e && e.stderr) || (e && e.message) || '';
+      peerDeps = /peer dep/i.test(stderr) ? [String(stderr).slice(0, 500)] : [];
+    }
+  }
+  return {
+    ok: true,
+    mode: 'auto',
+    ecosystem: finding.ecosystem,
+    package: finding.name,
+    currentVersion: finding.version,
+    targetVersion: target,
+    isBreaking,
+    command: `${apply.cmd} ${apply.args.join(' ')}`,
+    manifestFiles: eco.manifests,
+    dryRun: { ok: dryRunOk, command: dryRunSpec ? `${dryRunSpec.cmd} ${dryRunSpec.args.join(' ')}` : null, peerDeps, transitiveImpact, rawSummary },
+    testCommand: (() => { const t = _detectTestCommand(scanRoot); return t ? `${t.cmd} ${t.args.join(' ')}` : null; })(),
+  };
+}
+
+// Apply the upgrade. Backs up affected manifests, runs the install, runs
+// the project's test command if detected, and ROLLS BACK on failure.
+// Audit-logged via the MCP audit layer at the call site.
+async function applyScaUpgrade({ scanRoot, finding, runTests = true }) {
+  const plan = await planScaUpgrade({ scanRoot, finding });
+  if (!plan.ok) return { applied: false, reason: plan.reason };
+  if (plan.mode === 'manual') {
+    return { applied: false, reason: plan.reason, plan };
+  }
+  const eco = ECOSYSTEM[finding.ecosystem];
+  const target = plan.targetVersion;
+
+  // Backup pass — record original contents of every relevant manifest so
+  // we can restore on test failure. node_modules / vendor dirs are NOT
+  // backed up (too big); they'll be rebuilt by re-running the install on
+  // restore.
+  const stateDir = (0,_state_dir_js__WEBPACK_IMPORTED_MODULE_6__/* .statePath */ .BQ)(scanRoot, 'sca-upgrade-history');
+  node_fs__WEBPACK_IMPORTED_MODULE_0__.mkdirSync(stateDir, { recursive: true });
+  const upgradeId = node_crypto__WEBPACK_IMPORTED_MODULE_3__.randomBytes(8).toString('hex');
+  const backups = {};
+  for (const mf of eco.manifests) {
+    const abs = node_path__WEBPACK_IMPORTED_MODULE_2__.join(scanRoot, mf);
+    if (!node_fs__WEBPACK_IMPORTED_MODULE_0__.existsSync(abs)) continue;
+    const content = await node_fs_promises__WEBPACK_IMPORTED_MODULE_1__.readFile(abs, 'utf8');
+    const backupPath = node_path__WEBPACK_IMPORTED_MODULE_2__.join(stateDir, `${upgradeId}-${mf.replace(/[\/\\]/g, '_')}.bak`);
+    await node_fs_promises__WEBPACK_IMPORTED_MODULE_1__.writeFile(backupPath, content);
+    backups[mf] = { abs, backupPath };
+  }
+  if (!Object.keys(backups).length) {
+    return { applied: false, reason: `no ${finding.ecosystem} manifest files found in scan root` };
+  }
+
+  // Run the install.
+  const apply = eco.apply(finding.name, target);
+  let installOutput = '';
+  try {
+    const r = await execFileAsync(apply.cmd, apply.args, {
+      cwd: scanRoot, timeout: 300_000, maxBuffer: 16 * 1024 * 1024,
+    });
+    installOutput = (r.stdout || '') + (r.stderr || '');
+  } catch (e) {
+    // Install failed; restore backups (manifests may have been touched).
+    for (const { abs, backupPath } of Object.values(backups)) {
+      try { await node_fs_promises__WEBPACK_IMPORTED_MODULE_1__.copyFile(backupPath, abs); } catch {}
+    }
+    return {
+      applied: false,
+      reason: `install failed: ${(e && e.message) || e}`.slice(0, 600),
+      installOutput: ((e && e.stdout) || '').slice(0, 1500),
+      restored: true,
+      upgradeId,
+    };
+  }
+
+  // Optionally run the project's test command. On failure, restore.
+  let testResult = null;
+  if (runTests) {
+    const test = _detectTestCommand(scanRoot);
+    if (test) {
+      try {
+        const r = await execFileAsync(test.cmd, test.args, {
+          cwd: scanRoot, timeout: 600_000, maxBuffer: 16 * 1024 * 1024,
+        });
+        testResult = { ok: true, command: `${test.cmd} ${test.args.join(' ')}`, output: ((r.stdout || '') + (r.stderr || '')).slice(0, 2000) };
+      } catch (e) {
+        // Tests failed — restore manifests so the working tree is clean.
+        for (const { abs, backupPath } of Object.values(backups)) {
+          try { await node_fs_promises__WEBPACK_IMPORTED_MODULE_1__.copyFile(backupPath, abs); } catch {}
+        }
+        return {
+          applied: false,
+          reason: `tests failed after upgrade: ${(e && e.message) || e}`.slice(0, 300),
+          testOutput: ((e && e.stdout) || '').slice(0, 2000),
+          restored: true,
+          upgradeId,
+        };
+      }
+    }
+  }
+
+  // Success path — write a log entry so the user can audit / undo.
+  const logEntry = {
+    id: upgradeId,
+    timestamp: new Date().toISOString(),
+    ecosystem: finding.ecosystem,
+    package: finding.name,
+    from: finding.version,
+    to: target,
+    backups: Object.fromEntries(Object.entries(backups).map(([k, v]) => [k, v.backupPath])),
+    testResult,
+    isBreaking: plan.isBreaking,
+    finding: { id: finding.id, osvId: finding.osvId, cveAliases: finding.cveAliases },
+  };
+  const logFp = node_path__WEBPACK_IMPORTED_MODULE_2__.join(stateDir, 'log.json');
+  let log = [];
+  try { log = JSON.parse(node_fs__WEBPACK_IMPORTED_MODULE_0__.readFileSync(logFp, 'utf8')); } catch {}
+  log.push(logEntry);
+  node_fs__WEBPACK_IMPORTED_MODULE_0__.writeFileSync(logFp, JSON.stringify(log, null, 2));
+
+  return {
+    applied: true,
+    upgradeId,
+    package: finding.name,
+    from: finding.version,
+    to: target,
+    isBreaking: plan.isBreaking,
+    testResult,
+    installOutput: installOutput.slice(0, 1500),
+  };
+}
+
+
+/***/ })
+
+};

package/dist/384.index.js

@@ -8,7 +8,7 @@ export const modules = {
 /* harmony export */ __webpack_require__.d(__webpack_exports__, {
 /* harmony export */   scanCredentials: () => (/* reexport safe */ _engine_js__WEBPACK_IMPORTED_MODULE_0__.Sv)
 /* harmony export */ });
-/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(8636);
+/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(9072);
 // Secrets submodule view of the engine — credential + entropy + TODO scanning.
 
 

package/dist/476.index.js

@@ -11,6 +11,7 @@ export const modules = {
 /* unused harmony export _internals */
 /* harmony import */ var node_fs__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(3024);
 /* harmony import */ var node_path__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(6760);
+/* harmony import */ var _state_dir_js__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(1174);
 // Auto-rule synthesis from repeated FPs (FR-LEARN-6).
 //
 // Reads `.agentic-security/triage-feedback.json` (populated by the /triage
@@ -27,13 +28,11 @@ export const modules = {
 
 
 
-const TRIAGE_PATH = node_path__WEBPACK_IMPORTED_MODULE_1__.join('.agentic-security', 'triage-feedback.json');
-const PROPOSED_DIR = node_path__WEBPACK_IMPORTED_MODULE_1__.join('.agentic-security', 'rules-proposed');
 
 const DEFAULT_FP_THRESHOLD = 5;
 
 function _readTriage(scanRoot) {
-  const fp = node_path__WEBPACK_IMPORTED_MODULE_1__.join(scanRoot || process.cwd(), TRIAGE_PATH);
+  const fp = (0,_state_dir_js__WEBPACK_IMPORTED_MODULE_2__/* .statePath */ .BQ)(scanRoot, 'triage-feedback.json');
   if (!node_fs__WEBPACK_IMPORTED_MODULE_0__.existsSync(fp)) return null;
   try { return JSON.parse(node_fs__WEBPACK_IMPORTED_MODULE_0__.readFileSync(fp, 'utf8')); } catch { return null; }
 }
@@ -100,7 +99,8 @@ function synthesizeRules(scanRoot, opts = {}) {
     groups.get(k).push(e);
   }
   const proposals = [];
-  const dir = node_path__WEBPACK_IMPORTED_MODULE_1__.join(scanRoot || process.cwd(), PROPOSED_DIR);
+  const dir = (0,_state_dir_js__WEBPACK_IMPORTED_MODULE_2__/* .statePath */ .BQ)(scanRoot, 'rules-proposed');
+  if (!opts.dryRun && !(0,_state_dir_js__WEBPACK_IMPORTED_MODULE_2__.isSafeStateDir)(node_path__WEBPACK_IMPORTED_MODULE_1__.dirname(dir))) return [];
   for (const [, group] of groups) {
     if (group.length < threshold) continue;
     const summary = _summarizeGroup(group);
@@ -118,7 +118,7 @@ function synthesizeRules(scanRoot, opts = {}) {
   return proposals;
 }
 
-const _internals = { DEFAULT_FP_THRESHOLD, TRIAGE_PATH, PROPOSED_DIR };
+const _internals = { DEFAULT_FP_THRESHOLD };
 
 
 /***/ })

package/dist/637.index.js

@@ -10,7 +10,7 @@ export const modules = {
 /* harmony export */   renderPrDeltaText: () => (/* binding */ renderPrDeltaText)
 /* harmony export */ });
 /* harmony import */ var node_child_process__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(1421);
-/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(8636);
+/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(9072);
 // Shadowscan / security-DELTA on PR (v0.72).
 //
 // Most SAST PR-comment integrations show absolute counts — "12 findings

package/dist/700.index.js

@@ -0,0 +1,138 @@
+export const id = 700;
+export const ids = [700];
+export const modules = {
+
+/***/ 1700:
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+/* harmony export */ __webpack_require__.d(__webpack_exports__, {
+/* harmony export */   validateOsvFunctionsExist: () => (/* binding */ validateOsvFunctionsExist)
+/* harmony export */ });
+/* unused harmony export extractPythonPackageFunctions */
+/* harmony import */ var node_fs__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(3024);
+/* harmony import */ var node_path__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(6760);
+/* harmony import */ var node_child_process__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(1421);
+/* harmony import */ var _ir_parser_py_cst_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(682);
+// Python package function extraction via the CST parser.
+//
+// Locates an installed Python package in site-packages or .venv,
+// parses its source files via the Python CST parser, and returns
+// a map of exported function names. Used by markUsedVulnFunctions
+// to validate that OSV-named vulnerable functions actually exist
+// in the installed version.
+
+
+
+
+
+
+const VENV_DIRS = ['.venv', 'venv', '.env', 'env'];
+
+function _findSitePackages(scanRoot) {
+  for (const vdir of VENV_DIRS) {
+    const base = node_path__WEBPACK_IMPORTED_MODULE_1__.join(scanRoot || '.', vdir);
+    if (!node_fs__WEBPACK_IMPORTED_MODULE_0__.existsSync(base)) continue;
+    const lib = node_path__WEBPACK_IMPORTED_MODULE_1__.join(base, 'lib');
+    if (!node_fs__WEBPACK_IMPORTED_MODULE_0__.existsSync(lib)) continue;
+    const pydirs = node_fs__WEBPACK_IMPORTED_MODULE_0__.readdirSync(lib).filter(d => d.startsWith('python'));
+    for (const pydir of pydirs) {
+      const sp = node_path__WEBPACK_IMPORTED_MODULE_1__.join(lib, pydir, 'site-packages');
+      if (node_fs__WEBPACK_IMPORTED_MODULE_0__.existsSync(sp)) return sp;
+    }
+  }
+  // Fallback: ask python3 directly
+  try {
+    const out = (0,node_child_process__WEBPACK_IMPORTED_MODULE_2__.execFileSync)('python3', ['-c', 'import site; print(site.getsitepackages()[0])'], {
+      encoding: 'utf8', timeout: 5000,
+    }).trim();
+    if (out && node_fs__WEBPACK_IMPORTED_MODULE_0__.existsSync(out)) return out;
+  } catch { /* no python3 or no site-packages */ }
+  return null;
+}
+
+function _findPackageDir(sitePackages, packageName) {
+  if (!sitePackages) return null;
+  const normalized = packageName.replace(/-/g, '_').toLowerCase();
+  const candidates = [
+    normalized,
+    packageName.toLowerCase(),
+    packageName,
+  ];
+  for (const name of candidates) {
+    const dir = node_path__WEBPACK_IMPORTED_MODULE_1__.join(sitePackages, name);
+    if (node_fs__WEBPACK_IMPORTED_MODULE_0__.existsSync(dir) && node_fs__WEBPACK_IMPORTED_MODULE_0__.statSync(dir).isDirectory()) return dir;
+  }
+  return null;
+}
+
+function _readPyFilesFromDir(dir, maxFiles = 50) {
+  const entries = [];
+  try {
+    const files = node_fs__WEBPACK_IMPORTED_MODULE_0__.readdirSync(dir, { recursive: true })
+      .filter(f => f.endsWith('.py'))
+      .slice(0, maxFiles);
+    for (const f of files) {
+      const fp = node_path__WEBPACK_IMPORTED_MODULE_1__.join(dir, f);
+      try {
+        const content = node_fs__WEBPACK_IMPORTED_MODULE_0__.readFileSync(fp, 'utf8');
+        if (content.length < 1_000_000) {
+          entries.push({ file: f, content });
+        }
+      } catch { /* skip unreadable files */ }
+    }
+  } catch { /* dir not readable */ }
+  return entries;
+}
+
+function extractPythonPackageFunctions(packageName, scanRoot) {
+  const cap = (0,_ir_parser_py_cst_js__WEBPACK_IMPORTED_MODULE_3__/* .probePythonAvailable */ .w4)();
+  if (!cap.ok) return null;
+
+  const sitePackages = _findSitePackages(scanRoot);
+  const pkgDir = _findPackageDir(sitePackages, packageName);
+  if (!pkgDir) return null;
+
+  const pyFiles = _readPyFilesFromDir(pkgDir);
+  if (!pyFiles.length) return null;
+
+  const batch = (0,_ir_parser_py_cst_js__WEBPACK_IMPORTED_MODULE_3__/* .parsePythonFilesBatch */ .H2)(pyFiles);
+  if (!batch || !Array.isArray(batch)) return null;
+
+  const functionMap = new Map();
+  for (const fileIR of batch) {
+    if (!fileIR || !fileIR.functions) continue;
+    for (const fn of fileIR.functions) {
+      if (fn.name && !fn.name.startsWith('_')) {
+        functionMap.set(fn.name, {
+          file: fileIR.file,
+          line: fn.line,
+          qid: fn.qid,
+          params: fn.params,
+        });
+      }
+    }
+  }
+  return functionMap;
+}
+
+function validateOsvFunctionsExist(packageName, osvFunctions, scanRoot) {
+  if (!osvFunctions || !osvFunctions.length) return { validated: [], missing: [] };
+  const fnMap = extractPythonPackageFunctions(packageName, scanRoot);
+  if (!fnMap) return { validated: osvFunctions, missing: [] };
+  const validated = [];
+  const missing = [];
+  for (const fn of osvFunctions) {
+    const shortFn = fn.includes('.') ? fn.split('.').pop() : fn;
+    if (fnMap.has(shortFn) || fnMap.has(fn)) {
+      validated.push(shortFn);
+    } else {
+      missing.push(fn);
+    }
+  }
+  return { validated, missing };
+}
+
+
+/***/ })
+
+};

package/dist/718.index.js

@@ -97,6 +97,59 @@ function detectVendoredLibraries(fileContents) {
       }
     }
   }
+  // Pass 2: Function-body structural matching for minified/forked copies
+  const FUNCTION_BODY_SIGS = [
+    { pkg: 'lodash', ecosystem: 'npm', fn: 'merge', paramMin: 1,
+      bodyContains: ['assignValue', 'baseFor', 'isObject', 'baseMerge'] },
+    { pkg: 'lodash', ecosystem: 'npm', fn: 'template', paramMin: 1,
+      bodyContains: ['sourceURL', 'interpolate', 'evaluate', 'escape'] },
+    { pkg: 'lodash', ecosystem: 'npm', fn: 'defaultsDeep', paramMin: 1,
+      bodyContains: ['baseMerge', 'isMergeableObject', 'customDefaultsMerge'] },
+    { pkg: 'jquery', ecosystem: 'npm', fn: 'ajax', paramMin: 1,
+      bodyContains: ['XMLHttpRequest', 'ajaxSettings', 'crossDomain', 'responseFields'] },
+    { pkg: 'handlebars', ecosystem: 'npm', fn: 'compile', paramMin: 1,
+      bodyContains: ['templateSpec', 'container', 'invokePartial', 'blockParams'] },
+    { pkg: 'marked', ecosystem: 'npm', fn: 'parse', paramMin: 1,
+      bodyContains: ['Lexer', 'Parser', 'blockTokens', 'walkTokens'] },
+    { pkg: 'ejs', ecosystem: 'npm', fn: 'render', paramMin: 1,
+      bodyContains: ['includeFile', 'resolveInclude', 'rethrow', 'escapeFn'] },
+    { pkg: 'moment', ecosystem: 'npm', fn: 'format', paramMin: 0,
+      bodyContains: ['formatMoment', 'expandFormat', 'makeFormatFunction', 'localFormattingTokens'] },
+    { pkg: 'underscore', ecosystem: 'npm', fn: 'template', paramMin: 1,
+      bodyContains: ['interpolate', 'evaluate', 'escape', 'templateSettings'] },
+    { pkg: 'minimist', ecosystem: 'npm', fn: 'parse', paramMin: 1,
+      bodyContains: ['boolean', 'alias', 'default', 'stopEarly', 'unknown'] },
+  ];
+
+  for (const [fp, content] of Object.entries(fileContents)) {
+    if (!content || typeof content !== 'string') continue;
+    if (SKIP_DIRS.test(fp)) continue;
+    if (!/\.(?:js|mjs|cjs)$/i.test(fp)) continue;
+    if (content.length < 200 || content.length > 500_000) continue;
+
+    for (const sig of FUNCTION_BODY_SIGS) {
+      const key = `${sig.pkg}:${fp}`;
+      if (seen.has(key)) continue;
+      const fnRe = new RegExp(`(?:function\\s+${sig.fn}|(?:const|let|var)\\s+${sig.fn}\\s*=|${sig.fn}\\s*[:=]\\s*function)\\s*\\(`, 'g');
+      const m = fnRe.exec(content);
+      if (!m) continue;
+      const bodyWindow = content.slice(m.index, m.index + 2000);
+      const matchCount = sig.bodyContains.filter(kw => bodyWindow.includes(kw)).length;
+      if (matchCount < Math.ceil(sig.bodyContains.length * 0.6)) continue;
+      seen.add(key);
+      detected.push({
+        name: sig.pkg,
+        version: 'unknown',
+        ecosystem: sig.ecosystem,
+        file: fp,
+        scope: 'vendored',
+        isVendored: true,
+        _detectionMethod: 'function-body-signature',
+        _matchedKeywords: matchCount,
+      });
+    }
+  }
+
   return detected;
 }
 

package/dist/838.index.js

@@ -14,7 +14,7 @@ __webpack_require__.r(__webpack_exports__);
 /* harmony import */ var node_child_process__WEBPACK_IMPORTED_MODULE_0__ = __webpack_require__(1421);
 /* harmony import */ var node_fs__WEBPACK_IMPORTED_MODULE_1__ = __webpack_require__(3024);
 /* harmony import */ var node_path__WEBPACK_IMPORTED_MODULE_2__ = __webpack_require__(6760);
-/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(8636);
+/* harmony import */ var _engine_js__WEBPACK_IMPORTED_MODULE_3__ = __webpack_require__(9072);
 // Closed-loop /fix verification (Sentinel-parity FR-L4-4, FR-L4-5).
 //
 // Given a candidate patch (the new file content + the finding stableId being