@clear-capabilities/agentic-security-scanner 0.78.0 → 0.80.0

package/src/sca/.agentic-security/last-scan.json.sig

@@ -1 +1 @@
-d2a426290abf051e739d3f60eefd2f5c61a9328cd2698d7020170b483a6ce836
+c1f9857f9226707719cde39879802be56f679e86412d6a32696ac85594786f41

package/src/sca/.agentic-security/scan-history.json

@@ -1,36 +1,113 @@
 [
   {
-    "timestamp": "2026-05-27T13:24:07.357Z",
+    "timestamp": "2026-05-28T17:58:30.776Z",
     "label": "scan",
-    "total": 4,
+    "total": 23,
     "critical": 0,
     "high": 0,
-    "medium": 4,
+    "medium": 23,
     "low": 0,
     "kev": 0,
     "ids": [
+      "struct:binary-metadata.js:124:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:133:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:139:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:47:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:48:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:67:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:68:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "struct:dep-confusion.js:56:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "struct:dep-confusion.js:58:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:llm-function-extract.js:24:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:llm-function-extract.js:31:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:19:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:21:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:22:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:25:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:33:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:48:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:56:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:62:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "struct:sarif-ingest.js:112:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "toctou-fs:binary-metadata.js:47",
+      "toctou-fs:binary-metadata.js:67",
       "toctou-fs:dep-confusion.js:56"
     ]
   },
   {
-    "timestamp": "2026-05-27T13:30:13.994Z",
+    "timestamp": "2026-05-28T17:59:33.255Z",
     "label": "scan",
-    "total": 6,
+    "total": 23,
     "critical": 0,
     "high": 0,
-    "medium": 6,
+    "medium": 23,
     "low": 0,
     "kev": 0,
     "ids": [
+      "struct:binary-metadata.js:124:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:133:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:139:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:47:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:48:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:67:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:68:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "struct:dep-confusion.js:56:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "struct:dep-confusion.js:58:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "struct:llm-function-extract.js:24:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "struct:llm-function-extract.js:31:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:19:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:21:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:22:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:25:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:33:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:48:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:56:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:62:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "struct:sarif-ingest.js:112:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "toctou-fs:binary-metadata.js:47",
+      "toctou-fs:binary-metadata.js:67",
       "toctou-fs:dep-confusion.js:56"
     ]
+  },
+  {
+    "timestamp": "2026-05-29T06:29:23.737Z",
+    "label": "scan",
+    "total": 29,
+    "critical": 0,
+    "high": 1,
+    "medium": 28,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "struct:binary-metadata.js:124:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:133:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:139:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:47:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:48:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:67:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:68:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:dep-confusion.js:56:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:dep-confusion.js:58:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:llm-function-extract.js:24:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:llm-function-extract.js:31:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:19:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:21:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:22:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:25:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:33:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:48:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:56:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:62:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:sarif-ingest.js:112:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:sigstore-verify.js:159:Unsafe_Deserialization_(User-Controlled_JSON)",
+      "struct:sigstore-verify.js:53:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:sigstore-verify.js:55:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:sigstore-verify.js:57:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:sigstore-verify.js:62:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "toctou-fs:binary-metadata.js:47",
+      "toctou-fs:binary-metadata.js:67",
+      "toctou-fs:dep-confusion.js:56",
+      "toctou-fs:sigstore-verify.js:53"
+    ]
   }
 ]

package/src/sca/.agentic-security/streak.json

@@ -1,16 +1,16 @@
 {
-  "firstScanDate": "2026-05-27T13:24:07.375Z",
-  "lastScanDate": "2026-05-27T13:30:14.013Z",
-  "totalScans": 2,
-  "daysCleanCritical": 1,
-  "lastCleanDate": "2026-05-27",
+  "firstScanDate": "2026-05-28T17:58:30.804Z",
+  "lastScanDate": "2026-05-29T06:29:23.771Z",
+  "totalScans": 3,
+  "daysCleanCritical": 2,
+  "lastCleanDate": "2026-05-29",
   "lastCriticalDate": null,
   "hasEverHadCritical": false,
-  "bestDaysCleanCritical": 1,
-  "totalFindingsAtFirstScan": 5,
-  "totalFindingsAtLastScan": 7,
+  "bestDaysCleanCritical": 2,
+  "totalFindingsAtFirstScan": 26,
+  "totalFindingsAtLastScan": 35,
   "totalFixesInferred": 0,
-  "lastGrade": "A",
+  "lastGrade": "A-",
   "bestGrade": "A",
   "launchCheckPassedAt": null,
   "achievements": [

package/src/sca/CLAUDE.md

@@ -0,0 +1,161 @@
+# scanner/src/sca/
+
+Software Composition Analysis. Detects vulnerable dependencies (OSV + KEV
++ EPSS), dependency confusion, typosquats, vendored copies, deprecated
+components, and EOL container base images. Reads manifests in 11
+ecosystems and the most common lockfiles in each.
+
+Most of the SCA *pipeline* lives in `../engine.js` (the manifest dispatch
+in `parseManifests`, OSV/KEV/EPSS enrichment, attack-path computation).
+This directory holds the eight specialized modules called from there.
+
+## Modules
+
+| Module | Purpose |
+|---|---|
+| `index.js` | Re-exports six public symbols from `../engine.js` so external consumers can `import { parseManifests, queryOSV, … } from '@…/sca'`. |
+| `binary-metadata.js` | **Opt-in via `AGENTIC_SECURITY_BINARY_SCA=1`.** Reads dependency metadata from compiled artifacts: JAR `META-INF/MANIFEST.MF` + `pom.properties`, Go binary `go.buildinfo`. Never executes the binary. JAR extraction uses `fs.mkdtemp` for an isolated scratch dir (premortem-derived: shared `/tmp` lets a hostile JAR plant a symlinked manifest that escapes the scratch). |
+| `container.js` | Dockerfile parser. Detects EOL `FROM` base images (alpine/debian/ubuntu/node/python) against `base-images.json`, and synthesizes lightweight SCA components from `apt-get install` / `apk add` package lists. No Docker daemon required. |
+| `dep-confusion.js` | Two related detectors. **Typosquat:** Levenshtein distance ≤ 2 against the top-1000 packages in `popular-packages.json`. **Dependency confusion:** internal-scoped names (declared in `.agentic-security/internal-scopes.yml`) appearing on the public registry. Local-first; OSV consulted only to confirm confusion findings. |
+| `llm-function-extract.js` | **Opt-in via `AGENTIC_SECURITY_LLM_SCA=1`.** LLM-assisted extraction of vulnerable function names for CVEs that lack OSV `ecosystem_specific.vulnerable_functions` data. Cached per CVE under `~/.config/agentic-security/llm-sca-cache/`. Endpoint-dependent — degrades to no-op when unreachable. |
+| `py-package-functions.js` | **Opt-in via `AGENTIC_SECURITY_DEEP=1`** (Python only). Locates installed Python packages via `site-packages` and parses them with the CPython `ast` module (subprocess) to *validate* that an OSV-named vulnerable function exists in the installed version. Closes the "OSV says this function is vulnerable, but the version you installed actually removed it" false-positive class. |
+| `sarif-ingest.js` | Normalizes SARIF 2.1.0 from external scanners and merges into the unified scan. Deduplicates by fingerprint `(CWE, file, line ± 2, rule)`. Twelve tool profiles supported with default-severity + semantic-kind mapping. |
+| `vendor-detect.js` | Detects libraries copied into `src/` (lodash, jQuery, Angular, React, etc.) via characteristic version strings and function signatures. Catches the case where a vulnerable library bypasses the lockfile because someone vendored it directly. |
+
+## Data sources + caches
+
+| Source | Cache location | TTL | Trigger |
+|---|---|---:|---|
+| OSV.dev `/v1/querybatch` | `~/.claude/agentic-security/osv-cache/` (sha256-keyed JSON blobs) | session | every SCA-enabled scan |
+| OSV.dev `/v1/vulns/{id}` | same | session | per unique vuln id from querybatch |
+| CISA KEV catalog | same, key `kev:catalog` | 24h | first SCA finding per scan |
+| FIRST.org EPSS | same, key `epss:<CVE>` | session | batched (100 CVEs / request — see `engine.js:_fetchEPSSBatch`) |
+| PyPI registry | session | session | `queryRegistries` for deprecated/yanked/inactive checks |
+| npm registry | session | session | fallback deprecation lookup |
+| OSV.dev licenses | repo-level fetch | per dep | license-policy enforcement |
+
+All network access degrades gracefully when offline
+(`AGENTIC_SECURITY_OFFLINE=1` forces this on); missing data results in
+incomplete fields, never a hard failure.
+
+## Manifest + lockfile dispatch
+
+The PARSERS table in `engine.js#parseManifests` maps basename →
+`_parseXxx` function. As of Phase 1 of the SCA improvement plan
+(commit `f8a4c3e`):
+
+| Ecosystem | Direct deps | Transitive deps |
+|---|---|---|
+| npm | `package.json` | `package-lock.json` ✓, `yarn.lock` ✓, `pnpm-lock.yaml` ✓ |
+| pypi | `requirements.txt`, `pyproject.toml`, `Pipfile` | `poetry.lock` ✓, `Pipfile.lock` ✓ |
+| packagist | `composer.json` | `composer.lock` ✓ |
+| rubygems | `Gemfile` | `Gemfile.lock` ✓ |
+| golang | `go.mod` | `go.sum` ✓ (Phase 1) |
+| cargo | `Cargo.toml` | `Cargo.lock` ✓ |
+| maven | `pom.xml` (+ `<properties>` substitution + `<dependencyManagement>` BOM labelling, Phase 1) | `dependency-tree.txt` ✓ (Phase 1) — output of `mvn dependency:tree -DoutputFile=…` |
+| maven (gradle) | `build.gradle`, `build.gradle.kts` | **not transitive** — Gradle dependency graph deferred per project policy |
+| pub (Dart/Flutter) | `pubspec.yaml` | `pubspec.lock` ✓ |
+| system (Conan) | `conanfile.txt` (regex) | `conan.lock` ✓ (Phase 1, both Conan 1.x and 2.x) |
+| system (vcpkg) | `vcpkg.json` | `vcpkg-configuration.json` ✓ (Phase 1, overlay registries) |
+| system (CMake) | `CMakeLists.txt` | n/a — Conan / vcpkg are the real lockfile surface |
+
+## Finding shape (supplyChain bucket)
+
+Each SCA finding lives in `scan.supplyChain` (kept separate from
+`scan.findings` which is the SAST array). Required + commonly-set fields:
+
+```javascript
+{
+  type: 'vulnerable_dep' | 'unpinned_dep' | 'no_lockfile',
+  name, version, ecosystem, group, scope, purl, file,
+  // OSV enrichment
+  osvId, cveAliases: ['CVE-…'], description, fixedVersions: ['…'],
+  severity, cvssVector, hasKnownAttackRef,
+  osvVulnFunctions: ['module.fn', '…'],
+  // Reachability
+  reachable: true | false,
+  functionReachable: 'reachable' | 'unreachable' | 'unknown',
+  reachabilityTier: 'function-reachable' | 'import-reachable'
+                  | 'build-only' | 'manifest-only' | 'transitive-only',
+  // Risk overlays (added by posture annotators)
+  kev, kevDateAdded, kevRansomware, weaponized,
+  epssScore, epssPercentile, exploitedNow,
+  toxicityScore, toxicityLabel,
+  // Composite (Phase 1)
+  compositeRisk: 0..100,
+  compositeRiskTier: 'critical' | 'high' | 'medium' | 'low' | 'minimal',
+  compositeRiskFactors: ['…'],
+  // Provenance
+  pomSource: 'direct' | 'managed' | 'dependency-tree',
+  isTransitive: true | false,
+  isUnpinned: boolean,
+  // Dedup
+  dependents: [], _transitiveDeduped: int,
+}
+```
+
+`parser` + `family` defaults are backfilled by `posture/finding-defaults.js`
+if a detector forgets to set them.
+
+## Conventions specific to this directory
+
+- **No detector executes downloaded code.** Manifest parsing only.
+  `binary-metadata.js` calls the `jar` CLI tool but only with extract-only
+  flags into an isolated scratch dir.
+- **Opt-in flags.** `AGENTIC_SECURITY_BINARY_SCA`, `AGENTIC_SECURITY_DEEP`,
+  `AGENTIC_SECURITY_LLM_SCA` all default off. Each module documents its
+  own activation gate.
+- **No new dependencies.** Maven / Conan / vcpkg use inline regex /
+  JSON parsing — `fast-xml-parser` was deliberately not added (premortem:
+  bundle-size + audit-surface concern).
+- **Network fan-out.** OSV `/v1/querybatch` accepts 1000-package batches;
+  EPSS accepts ~100 CVEs per `?cve=` URL; OSV vuln-details has no batch
+  endpoint so it's parallelized with a concurrency cap of 20
+  (`engine.js#queryOSV`).
+- **Cache hits are session-storage backed.** `_osvCacheGet` /
+  `_osvCacheSet` route through a disk-backed shim
+  (`engine.js:145`) into `~/.claude/agentic-security/osv-cache/`.
+
+## Gotchas
+
+- **`type: 'vulnerable_dep'` lives in supplyChain, not findings.** Code
+  that iterates `scan.findings` will miss every SCA finding. The report
+  layer's `normalizeFindings()` is the only place they're merged.
+- **`isTransitive` is detector-set when the lockfile knows.** `go.sum`,
+  `dependency-tree.txt`, `conan.lock` set it. `package-lock.json` does
+  not currently set it explicitly (treats every entry equivalently);
+  treat that as a known limitation.
+- **Function-level reachability is regex-based.** `markUsedVulnFunctions`
+  scans for `funcName(` patterns in `fileContents`. False negatives on
+  aliased imports (`{ vuln_fn as safeName }`) and dynamic dispatch.
+- **EOL base-image detection has a hand-curated cutoff.** `base-images.json`
+  is updated periodically; an alpine-3.16 today might not appear EOL until
+  the file is refreshed. Bias is toward false negatives.
+- **Typosquat threshold is a single distance.** Levenshtein ≤ 2 against
+  the top-1000 list. Increasing the threshold blows up the FP rate;
+  decreasing it loses real typosquats. This is the calibrated default.
+
+## Adding a new detector here
+
+1. Decide whether it fits an existing module (e.g. add a new typosquat
+   variant to `dep-confusion.js`) or warrants a new file.
+2. Re-export any public function from `index.js` IF external consumers
+   need it; otherwise keep it private.
+3. If it emits findings, set `family: 'vulnerable-dep'` (or a new family
+   recognized by `posture/finding-defaults.js`) so downstream calibration
+   and confidence pipelines work.
+4. Add a regression test under `../../test/`. The pattern at
+   `scanner/test/sca-deprecated.test.js` is the simplest model for a
+   network-stubbed detector.
+5. Wire the test file into `npm run test:posture` in `../../package.json`.
+
+## Open work (tracked in the SCA improvement plan)
+
+- Maven Gradle dependency-graph integration (currently regex-only, no
+  transitives) — deferred from v1 due to Gradle shell-out fragility.
+- Vulnerable-function reachability chained back to an HTTP route handler
+  for SCA (Phase 2 / Item 4 — was missing at the time of Phase 1's land).
+- SCA-aware remediation MCP toolchain (`synthesize_sca_upgrade` /
+  `apply_sca_upgrade`) — Phase 3.
+- `.agentic-security/sca-policy.yml` for per-CVE / per-package accept-risk +
+  SLA — Phase 4.

package/src/sca/binary-metadata.js

@@ -0,0 +1,146 @@
+// Binary artifact SCA metadata extraction.
+//
+// Reads dependency information from compiled artifacts:
+//   - Java JAR files: META-INF/MANIFEST.MF for version + classpath
+//   - Go binaries: embedded go.buildinfo for dependency tree
+//
+// Gated behind AGENTIC_SECURITY_BINARY_SCA=1 (opt-in).
+// Does NOT execute binaries — only reads metadata sections.
+
+import * as fs from 'node:fs';
+import * as os from 'node:os';
+import * as path from 'node:path';
+import { execFileSync } from 'node:child_process';
+
+export function isBinaryScaEnabled() {
+  return process.env.AGENTIC_SECURITY_BINARY_SCA === '1';
+}
+
+// Create a per-extraction temporary directory. Two reasons we can't use
+// /tmp directly:
+//   1. Permissions — /tmp is shared and a hostile JAR could try to plant a
+//      symlinked META-INF/MANIFEST.MF that escapes the scratch dir.
+//   2. Concurrency — two parallel extractions on the same jarPath would
+//      race on /tmp/META-INF/MANIFEST.MF.
+// fs.mkdtempSync atomically allocates a unique dir under the OS temp root;
+// the caller is responsible for cleaning it up on every exit path.
+function _allocScratchDir() {
+  return fs.mkdtempSync(path.join(os.tmpdir(), 'agentic-security-sca-'));
+}
+function _cleanupScratchDir(dir) {
+  if (!dir) return;
+  try { fs.rmSync(dir, { recursive: true, force: true }); } catch { /* best-effort */ }
+}
+
+export function extractJarMetadata(jarPath) {
+  if (!jarPath || !jarPath.endsWith('.jar')) return null;
+  let scratchDir = null;
+  try {
+    const out = execFileSync('jar', ['tf', jarPath], { encoding: 'utf8', timeout: 5000 });
+    const hasManifest = out.includes('META-INF/MANIFEST.MF');
+    if (!hasManifest) return null;
+    scratchDir = _allocScratchDir();
+    execFileSync('jar', ['xf', jarPath, 'META-INF/MANIFEST.MF'], {
+      encoding: 'utf8', timeout: 5000, cwd: scratchDir,
+    });
+    const manifestPath = path.join(scratchDir, 'META-INF', 'MANIFEST.MF');
+    if (!fs.existsSync(manifestPath)) return null;
+    const content = fs.readFileSync(manifestPath, 'utf8');
+    const attrs = {};
+    for (const line of content.split('\n')) {
+      const m = line.match(/^([A-Za-z-]+):\s*(.+)$/);
+      if (m) attrs[m[1].toLowerCase()] = m[2].trim();
+    }
+    const hasPom = out.includes('pom.properties');
+    let groupId = attrs['implementation-vendor-id'] || '';
+    let artifactId = attrs['implementation-title'] || path.basename(jarPath, '.jar');
+    let version = attrs['implementation-version'] || attrs['bundle-version'] || 'unknown';
+    if (hasPom) {
+      try {
+        const pomFiles = out.split('\n').filter(l => l.includes('pom.properties'));
+        if (pomFiles.length) {
+          execFileSync('jar', ['xf', jarPath, ...pomFiles], {
+            timeout: 5000, cwd: scratchDir,
+          });
+          for (const pf of pomFiles) {
+            const pfPath = path.join(scratchDir, pf);
+            if (!fs.existsSync(pfPath)) continue;
+            const props = fs.readFileSync(pfPath, 'utf8');
+            for (const line of props.split('\n')) {
+              if (line.startsWith('groupId=')) groupId = line.split('=')[1].trim();
+              if (line.startsWith('artifactId=')) artifactId = line.split('=')[1].trim();
+              if (line.startsWith('version=')) version = line.split('=')[1].trim();
+            }
+            break;
+          }
+        }
+      } catch { /* pom extraction optional */ }
+    }
+    return {
+      name: artifactId,
+      version,
+      group: groupId,
+      ecosystem: 'maven',
+      filePath: jarPath,
+      scope: 'required',
+      purl: `pkg:maven/${groupId}/${artifactId}@${version}`,
+      isUnpinned: false,
+      _source: 'jar-manifest',
+    };
+  } catch { return null; }
+  finally { _cleanupScratchDir(scratchDir); }
+}
+
+export function extractGoBuildInfo(binPath) {
+  if (!binPath) return [];
+  try {
+    const out = execFileSync('go', ['version', '-m', binPath], { encoding: 'utf8', timeout: 5000 });
+    const deps = [];
+    for (const line of out.split('\n')) {
+      const m = line.match(/^\s*dep\s+([\w./-]+)\s+(v[\d.]+(?:-[\w.]+)?)/);
+      if (m) {
+        deps.push({
+          name: m[1],
+          version: m[2].replace(/^v/, ''),
+          group: '',
+          ecosystem: 'golang',
+          filePath: binPath,
+          scope: 'required',
+          purl: `pkg:golang/${m[1]}@${m[2]}`,
+          isUnpinned: false,
+          _source: 'go-buildinfo',
+        });
+      }
+    }
+    return deps;
+  } catch { return []; }
+}
+
+export function scanBinaryArtifacts(fileContents, scanRoot) {
+  if (!isBinaryScaEnabled()) return [];
+  const components = [];
+  const root = scanRoot || '.';
+  try {
+    const jarFiles = fs.readdirSync(root, { recursive: true })
+      .filter(f => f.endsWith('.jar') && !f.includes('node_modules'))
+      .slice(0, 20);
+    for (const jar of jarFiles) {
+      const meta = extractJarMetadata(path.join(root, jar));
+      if (meta) components.push(meta);
+    }
+  } catch { /* jar scan optional */ }
+  try {
+    const goBins = fs.readdirSync(root, { recursive: true })
+      .filter(f => !f.includes('.') && !f.includes('node_modules') && !f.includes('/'))
+      .slice(0, 10);
+    for (const bin of goBins) {
+      const fp = path.join(root, bin);
+      try {
+        if (fs.statSync(fp).isFile() && (fs.statSync(fp).mode & 0o111)) {
+          components.push(...extractGoBuildInfo(fp));
+        }
+      } catch { /* skip non-executable */ }
+    }
+  } catch { /* go binary scan optional */ }
+  return components;
+}

package/src/sca/py-package-functions.js

@@ -0,0 +1,118 @@
+// Python package function extraction via the CST parser.
+//
+// Locates an installed Python package in site-packages or .venv,
+// parses its source files via the Python CST parser, and returns
+// a map of exported function names. Used by markUsedVulnFunctions
+// to validate that OSV-named vulnerable functions actually exist
+// in the installed version.
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { execFileSync } from 'node:child_process';
+import { parsePythonFilesBatch, probePythonAvailable } from '../ir/parser-py-cst.js';
+
+const VENV_DIRS = ['.venv', 'venv', '.env', 'env'];
+
+function _findSitePackages(scanRoot) {
+  for (const vdir of VENV_DIRS) {
+    const base = path.join(scanRoot || '.', vdir);
+    if (!fs.existsSync(base)) continue;
+    const lib = path.join(base, 'lib');
+    if (!fs.existsSync(lib)) continue;
+    const pydirs = fs.readdirSync(lib).filter(d => d.startsWith('python'));
+    for (const pydir of pydirs) {
+      const sp = path.join(lib, pydir, 'site-packages');
+      if (fs.existsSync(sp)) return sp;
+    }
+  }
+  // Fallback: ask python3 directly
+  try {
+    const out = execFileSync('python3', ['-c', 'import site; print(site.getsitepackages()[0])'], {
+      encoding: 'utf8', timeout: 5000,
+    }).trim();
+    if (out && fs.existsSync(out)) return out;
+  } catch { /* no python3 or no site-packages */ }
+  return null;
+}
+
+function _findPackageDir(sitePackages, packageName) {
+  if (!sitePackages) return null;
+  const normalized = packageName.replace(/-/g, '_').toLowerCase();
+  const candidates = [
+    normalized,
+    packageName.toLowerCase(),
+    packageName,
+  ];
+  for (const name of candidates) {
+    const dir = path.join(sitePackages, name);
+    if (fs.existsSync(dir) && fs.statSync(dir).isDirectory()) return dir;
+  }
+  return null;
+}
+
+function _readPyFilesFromDir(dir, maxFiles = 50) {
+  const entries = [];
+  try {
+    const files = fs.readdirSync(dir, { recursive: true })
+      .filter(f => f.endsWith('.py'))
+      .slice(0, maxFiles);
+    for (const f of files) {
+      const fp = path.join(dir, f);
+      try {
+        const content = fs.readFileSync(fp, 'utf8');
+        if (content.length < 1_000_000) {
+          entries.push({ file: f, content });
+        }
+      } catch { /* skip unreadable files */ }
+    }
+  } catch { /* dir not readable */ }
+  return entries;
+}
+
+export function extractPythonPackageFunctions(packageName, scanRoot) {
+  const cap = probePythonAvailable();
+  if (!cap.ok) return null;
+
+  const sitePackages = _findSitePackages(scanRoot);
+  const pkgDir = _findPackageDir(sitePackages, packageName);
+  if (!pkgDir) return null;
+
+  const pyFiles = _readPyFilesFromDir(pkgDir);
+  if (!pyFiles.length) return null;
+
+  const batch = parsePythonFilesBatch(pyFiles);
+  if (!batch || !Array.isArray(batch)) return null;
+
+  const functionMap = new Map();
+  for (const fileIR of batch) {
+    if (!fileIR || !fileIR.functions) continue;
+    for (const fn of fileIR.functions) {
+      if (fn.name && !fn.name.startsWith('_')) {
+        functionMap.set(fn.name, {
+          file: fileIR.file,
+          line: fn.line,
+          qid: fn.qid,
+          params: fn.params,
+        });
+      }
+    }
+  }
+  return functionMap;
+}
+
+export function validateOsvFunctionsExist(packageName, osvFunctions, scanRoot) {
+  if (!osvFunctions || !osvFunctions.length) return { validated: [], missing: [] };
+  const fnMap = extractPythonPackageFunctions(packageName, scanRoot);
+  if (!fnMap) return { validated: osvFunctions, missing: [] };
+  const validated = [];
+  const missing = [];
+  for (const fn of osvFunctions) {
+    const shortFn = fn.includes('.') ? fn.split('.').pop() : fn;
+    if (fnMap.has(shortFn) || fnMap.has(fn)) {
+      validated.push(shortFn);
+    } else {
+      missing.push(fn);
+    }
+  }
+  return { validated, missing };
+}