@clear-capabilities/agentic-security-scanner 0.79.0 → 0.80.0

package/src/sca/.agentic-security/last-scan.json.sig

@@ -0,0 +1 @@
+c1f9857f9226707719cde39879802be56f679e86412d6a32696ac85594786f41

package/src/sca/.agentic-security/scan-history.json

@@ -0,0 +1,113 @@
+[
+  {
+    "timestamp": "2026-05-28T17:58:30.776Z",
+    "label": "scan",
+    "total": 23,
+    "critical": 0,
+    "high": 0,
+    "medium": 23,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "struct:binary-metadata.js:124:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:133:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:139:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:47:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:48:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:67:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:68:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:dep-confusion.js:56:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:dep-confusion.js:58:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:llm-function-extract.js:24:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:llm-function-extract.js:31:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:19:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:21:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:22:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:25:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:33:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:48:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:56:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:62:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:sarif-ingest.js:112:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "toctou-fs:binary-metadata.js:47",
+      "toctou-fs:binary-metadata.js:67",
+      "toctou-fs:dep-confusion.js:56"
+    ]
+  },
+  {
+    "timestamp": "2026-05-28T17:59:33.255Z",
+    "label": "scan",
+    "total": 23,
+    "critical": 0,
+    "high": 0,
+    "medium": 23,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "struct:binary-metadata.js:124:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:133:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:139:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:47:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:48:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:67:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:68:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:dep-confusion.js:56:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:dep-confusion.js:58:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:llm-function-extract.js:24:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:llm-function-extract.js:31:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:19:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:21:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:22:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:25:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:33:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:48:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:56:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:62:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:sarif-ingest.js:112:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "toctou-fs:binary-metadata.js:47",
+      "toctou-fs:binary-metadata.js:67",
+      "toctou-fs:dep-confusion.js:56"
+    ]
+  },
+  {
+    "timestamp": "2026-05-29T06:29:23.737Z",
+    "label": "scan",
+    "total": 29,
+    "critical": 0,
+    "high": 1,
+    "medium": 28,
+    "low": 0,
+    "kev": 0,
+    "ids": [
+      "struct:binary-metadata.js:124:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:133:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:139:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:47:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:48:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:67:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:binary-metadata.js:68:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:dep-confusion.js:56:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:dep-confusion.js:58:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:llm-function-extract.js:24:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:llm-function-extract.js:31:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:19:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:21:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:22:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:25:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:33:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:48:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:56:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:py-package-functions.js:62:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:sarif-ingest.js:112:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:sigstore-verify.js:159:Unsafe_Deserialization_(User-Controlled_JSON)",
+      "struct:sigstore-verify.js:53:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:sigstore-verify.js:55:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:sigstore-verify.js:57:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "struct:sigstore-verify.js:62:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "toctou-fs:binary-metadata.js:47",
+      "toctou-fs:binary-metadata.js:67",
+      "toctou-fs:dep-confusion.js:56",
+      "toctou-fs:sigstore-verify.js:53"
+    ]
+  }
+]

package/src/sca/.agentic-security/streak.json

@@ -0,0 +1,21 @@
+{
+  "firstScanDate": "2026-05-28T17:58:30.804Z",
+  "lastScanDate": "2026-05-29T06:29:23.771Z",
+  "totalScans": 3,
+  "daysCleanCritical": 2,
+  "lastCleanDate": "2026-05-29",
+  "lastCriticalDate": null,
+  "hasEverHadCritical": false,
+  "bestDaysCleanCritical": 2,
+  "totalFindingsAtFirstScan": 26,
+  "totalFindingsAtLastScan": 35,
+  "totalFixesInferred": 0,
+  "lastGrade": "A-",
+  "bestGrade": "A",
+  "launchCheckPassedAt": null,
+  "achievements": [
+    "first-scan",
+    "grade-a"
+  ],
+  "previousGrade": "A"
+}

package/src/sca/CLAUDE.md

@@ -0,0 +1,161 @@
+# scanner/src/sca/
+
+Software Composition Analysis. Detects vulnerable dependencies (OSV + KEV
++ EPSS), dependency confusion, typosquats, vendored copies, deprecated
+components, and EOL container base images. Reads manifests in 11
+ecosystems and the most common lockfiles in each.
+
+Most of the SCA *pipeline* lives in `../engine.js` (the manifest dispatch
+in `parseManifests`, OSV/KEV/EPSS enrichment, attack-path computation).
+This directory holds the eight specialized modules called from there.
+
+## Modules
+
+| Module | Purpose |
+|---|---|
+| `index.js` | Re-exports six public symbols from `../engine.js` so external consumers can `import { parseManifests, queryOSV, … } from '@…/sca'`. |
+| `binary-metadata.js` | **Opt-in via `AGENTIC_SECURITY_BINARY_SCA=1`.** Reads dependency metadata from compiled artifacts: JAR `META-INF/MANIFEST.MF` + `pom.properties`, Go binary `go.buildinfo`. Never executes the binary. JAR extraction uses `fs.mkdtemp` for an isolated scratch dir (premortem-derived: shared `/tmp` lets a hostile JAR plant a symlinked manifest that escapes the scratch). |
+| `container.js` | Dockerfile parser. Detects EOL `FROM` base images (alpine/debian/ubuntu/node/python) against `base-images.json`, and synthesizes lightweight SCA components from `apt-get install` / `apk add` package lists. No Docker daemon required. |
+| `dep-confusion.js` | Two related detectors. **Typosquat:** Levenshtein distance ≤ 2 against the top-1000 packages in `popular-packages.json`. **Dependency confusion:** internal-scoped names (declared in `.agentic-security/internal-scopes.yml`) appearing on the public registry. Local-first; OSV consulted only to confirm confusion findings. |
+| `llm-function-extract.js` | **Opt-in via `AGENTIC_SECURITY_LLM_SCA=1`.** LLM-assisted extraction of vulnerable function names for CVEs that lack OSV `ecosystem_specific.vulnerable_functions` data. Cached per CVE under `~/.config/agentic-security/llm-sca-cache/`. Endpoint-dependent — degrades to no-op when unreachable. |
+| `py-package-functions.js` | **Opt-in via `AGENTIC_SECURITY_DEEP=1`** (Python only). Locates installed Python packages via `site-packages` and parses them with the CPython `ast` module (subprocess) to *validate* that an OSV-named vulnerable function exists in the installed version. Closes the "OSV says this function is vulnerable, but the version you installed actually removed it" false-positive class. |
+| `sarif-ingest.js` | Normalizes SARIF 2.1.0 from external scanners and merges into the unified scan. Deduplicates by fingerprint `(CWE, file, line ± 2, rule)`. Twelve tool profiles supported with default-severity + semantic-kind mapping. |
+| `vendor-detect.js` | Detects libraries copied into `src/` (lodash, jQuery, Angular, React, etc.) via characteristic version strings and function signatures. Catches the case where a vulnerable library bypasses the lockfile because someone vendored it directly. |
+
+## Data sources + caches
+
+| Source | Cache location | TTL | Trigger |
+|---|---|---:|---|
+| OSV.dev `/v1/querybatch` | `~/.claude/agentic-security/osv-cache/` (sha256-keyed JSON blobs) | session | every SCA-enabled scan |
+| OSV.dev `/v1/vulns/{id}` | same | session | per unique vuln id from querybatch |
+| CISA KEV catalog | same, key `kev:catalog` | 24h | first SCA finding per scan |
+| FIRST.org EPSS | same, key `epss:<CVE>` | session | batched (100 CVEs / request — see `engine.js:_fetchEPSSBatch`) |
+| PyPI registry | session | session | `queryRegistries` for deprecated/yanked/inactive checks |
+| npm registry | session | session | fallback deprecation lookup |
+| OSV.dev licenses | repo-level fetch | per dep | license-policy enforcement |
+
+All network access degrades gracefully when offline
+(`AGENTIC_SECURITY_OFFLINE=1` forces this on); missing data results in
+incomplete fields, never a hard failure.
+
+## Manifest + lockfile dispatch
+
+The PARSERS table in `engine.js#parseManifests` maps basename →
+`_parseXxx` function. As of Phase 1 of the SCA improvement plan
+(commit `f8a4c3e`):
+
+| Ecosystem | Direct deps | Transitive deps |
+|---|---|---|
+| npm | `package.json` | `package-lock.json` ✓, `yarn.lock` ✓, `pnpm-lock.yaml` ✓ |
+| pypi | `requirements.txt`, `pyproject.toml`, `Pipfile` | `poetry.lock` ✓, `Pipfile.lock` ✓ |
+| packagist | `composer.json` | `composer.lock` ✓ |
+| rubygems | `Gemfile` | `Gemfile.lock` ✓ |
+| golang | `go.mod` | `go.sum` ✓ (Phase 1) |
+| cargo | `Cargo.toml` | `Cargo.lock` ✓ |
+| maven | `pom.xml` (+ `<properties>` substitution + `<dependencyManagement>` BOM labelling, Phase 1) | `dependency-tree.txt` ✓ (Phase 1) — output of `mvn dependency:tree -DoutputFile=…` |
+| maven (gradle) | `build.gradle`, `build.gradle.kts` | **not transitive** — Gradle dependency graph deferred per project policy |
+| pub (Dart/Flutter) | `pubspec.yaml` | `pubspec.lock` ✓ |
+| system (Conan) | `conanfile.txt` (regex) | `conan.lock` ✓ (Phase 1, both Conan 1.x and 2.x) |
+| system (vcpkg) | `vcpkg.json` | `vcpkg-configuration.json` ✓ (Phase 1, overlay registries) |
+| system (CMake) | `CMakeLists.txt` | n/a — Conan / vcpkg are the real lockfile surface |
+
+## Finding shape (supplyChain bucket)
+
+Each SCA finding lives in `scan.supplyChain` (kept separate from
+`scan.findings` which is the SAST array). Required + commonly-set fields:
+
+```javascript
+{
+  type: 'vulnerable_dep' | 'unpinned_dep' | 'no_lockfile',
+  name, version, ecosystem, group, scope, purl, file,
+  // OSV enrichment
+  osvId, cveAliases: ['CVE-…'], description, fixedVersions: ['…'],
+  severity, cvssVector, hasKnownAttackRef,
+  osvVulnFunctions: ['module.fn', '…'],
+  // Reachability
+  reachable: true | false,
+  functionReachable: 'reachable' | 'unreachable' | 'unknown',
+  reachabilityTier: 'function-reachable' | 'import-reachable'
+                  | 'build-only' | 'manifest-only' | 'transitive-only',
+  // Risk overlays (added by posture annotators)
+  kev, kevDateAdded, kevRansomware, weaponized,
+  epssScore, epssPercentile, exploitedNow,
+  toxicityScore, toxicityLabel,
+  // Composite (Phase 1)
+  compositeRisk: 0..100,
+  compositeRiskTier: 'critical' | 'high' | 'medium' | 'low' | 'minimal',
+  compositeRiskFactors: ['…'],
+  // Provenance
+  pomSource: 'direct' | 'managed' | 'dependency-tree',
+  isTransitive: true | false,
+  isUnpinned: boolean,
+  // Dedup
+  dependents: [], _transitiveDeduped: int,
+}
+```
+
+`parser` + `family` defaults are backfilled by `posture/finding-defaults.js`
+if a detector forgets to set them.
+
+## Conventions specific to this directory
+
+- **No detector executes downloaded code.** Manifest parsing only.
+  `binary-metadata.js` calls the `jar` CLI tool but only with extract-only
+  flags into an isolated scratch dir.
+- **Opt-in flags.** `AGENTIC_SECURITY_BINARY_SCA`, `AGENTIC_SECURITY_DEEP`,
+  `AGENTIC_SECURITY_LLM_SCA` all default off. Each module documents its
+  own activation gate.
+- **No new dependencies.** Maven / Conan / vcpkg use inline regex /
+  JSON parsing — `fast-xml-parser` was deliberately not added (premortem:
+  bundle-size + audit-surface concern).
+- **Network fan-out.** OSV `/v1/querybatch` accepts 1000-package batches;
+  EPSS accepts ~100 CVEs per `?cve=` URL; OSV vuln-details has no batch
+  endpoint so it's parallelized with a concurrency cap of 20
+  (`engine.js#queryOSV`).
+- **Cache hits are session-storage backed.** `_osvCacheGet` /
+  `_osvCacheSet` route through a disk-backed shim
+  (`engine.js:145`) into `~/.claude/agentic-security/osv-cache/`.
+
+## Gotchas
+
+- **`type: 'vulnerable_dep'` lives in supplyChain, not findings.** Code
+  that iterates `scan.findings` will miss every SCA finding. The report
+  layer's `normalizeFindings()` is the only place they're merged.
+- **`isTransitive` is detector-set when the lockfile knows.** `go.sum`,
+  `dependency-tree.txt`, `conan.lock` set it. `package-lock.json` does
+  not currently set it explicitly (treats every entry equivalently);
+  treat that as a known limitation.
+- **Function-level reachability is regex-based.** `markUsedVulnFunctions`
+  scans for `funcName(` patterns in `fileContents`. False negatives on
+  aliased imports (`{ vuln_fn as safeName }`) and dynamic dispatch.
+- **EOL base-image detection has a hand-curated cutoff.** `base-images.json`
+  is updated periodically; an alpine-3.16 today might not appear EOL until
+  the file is refreshed. Bias is toward false negatives.
+- **Typosquat threshold is a single distance.** Levenshtein ≤ 2 against
+  the top-1000 list. Increasing the threshold blows up the FP rate;
+  decreasing it loses real typosquats. This is the calibrated default.
+
+## Adding a new detector here
+
+1. Decide whether it fits an existing module (e.g. add a new typosquat
+   variant to `dep-confusion.js`) or warrants a new file.
+2. Re-export any public function from `index.js` IF external consumers
+   need it; otherwise keep it private.
+3. If it emits findings, set `family: 'vulnerable-dep'` (or a new family
+   recognized by `posture/finding-defaults.js`) so downstream calibration
+   and confidence pipelines work.
+4. Add a regression test under `../../test/`. The pattern at
+   `scanner/test/sca-deprecated.test.js` is the simplest model for a
+   network-stubbed detector.
+5. Wire the test file into `npm run test:posture` in `../../package.json`.
+
+## Open work (tracked in the SCA improvement plan)
+
+- Maven Gradle dependency-graph integration (currently regex-only, no
+  transitives) — deferred from v1 due to Gradle shell-out fragility.
+- Vulnerable-function reachability chained back to an HTTP route handler
+  for SCA (Phase 2 / Item 4 — was missing at the time of Phase 1's land).
+- SCA-aware remediation MCP toolchain (`synthesize_sca_upgrade` /
+  `apply_sca_upgrade`) — Phase 3.
+- `.agentic-security/sca-policy.yml` for per-CVE / per-package accept-risk +
+  SLA — Phase 4.

package/src/sca/binary-metadata.js

@@ -8,6 +8,7 @@
 // Does NOT execute binaries — only reads metadata sections.
 
 import * as fs from 'node:fs';
+import * as os from 'node:os';
 import * as path from 'node:path';
 import { execFileSync } from 'node:child_process';
 
@@ -15,16 +16,34 @@ export function isBinaryScaEnabled() {
   return process.env.AGENTIC_SECURITY_BINARY_SCA === '1';
 }
 
+// Create a per-extraction temporary directory. Two reasons we can't use
+// /tmp directly:
+//   1. Permissions — /tmp is shared and a hostile JAR could try to plant a
+//      symlinked META-INF/MANIFEST.MF that escapes the scratch dir.
+//   2. Concurrency — two parallel extractions on the same jarPath would
+//      race on /tmp/META-INF/MANIFEST.MF.
+// fs.mkdtempSync atomically allocates a unique dir under the OS temp root;
+// the caller is responsible for cleaning it up on every exit path.
+function _allocScratchDir() {
+  return fs.mkdtempSync(path.join(os.tmpdir(), 'agentic-security-sca-'));
+}
+function _cleanupScratchDir(dir) {
+  if (!dir) return;
+  try { fs.rmSync(dir, { recursive: true, force: true }); } catch { /* best-effort */ }
+}
+
 export function extractJarMetadata(jarPath) {
   if (!jarPath || !jarPath.endsWith('.jar')) return null;
+  let scratchDir = null;
   try {
     const out = execFileSync('jar', ['tf', jarPath], { encoding: 'utf8', timeout: 5000 });
     const hasManifest = out.includes('META-INF/MANIFEST.MF');
     if (!hasManifest) return null;
-    const manifest = execFileSync('jar', ['xf', jarPath, 'META-INF/MANIFEST.MF', '-C', '/tmp'], {
-      encoding: 'utf8', timeout: 5000, cwd: '/tmp',
+    scratchDir = _allocScratchDir();
+    execFileSync('jar', ['xf', jarPath, 'META-INF/MANIFEST.MF'], {
+      encoding: 'utf8', timeout: 5000, cwd: scratchDir,
     });
-    const manifestPath = '/tmp/META-INF/MANIFEST.MF';
+    const manifestPath = path.join(scratchDir, 'META-INF', 'MANIFEST.MF');
     if (!fs.existsSync(manifestPath)) return null;
     const content = fs.readFileSync(manifestPath, 'utf8');
     const attrs = {};
@@ -38,20 +57,22 @@ export function extractJarMetadata(jarPath) {
     let version = attrs['implementation-version'] || attrs['bundle-version'] || 'unknown';
     if (hasPom) {
       try {
-        execFileSync('jar', ['xf', jarPath, '--', ...out.split('\n').filter(l => l.includes('pom.properties'))], {
-          timeout: 5000, cwd: '/tmp',
-        });
         const pomFiles = out.split('\n').filter(l => l.includes('pom.properties'));
-        for (const pf of pomFiles) {
-          const pfPath = path.join('/tmp', pf);
-          if (!fs.existsSync(pfPath)) continue;
-          const props = fs.readFileSync(pfPath, 'utf8');
-          for (const line of props.split('\n')) {
-            if (line.startsWith('groupId=')) groupId = line.split('=')[1].trim();
-            if (line.startsWith('artifactId=')) artifactId = line.split('=')[1].trim();
-            if (line.startsWith('version=')) version = line.split('=')[1].trim();
+        if (pomFiles.length) {
+          execFileSync('jar', ['xf', jarPath, ...pomFiles], {
+            timeout: 5000, cwd: scratchDir,
+          });
+          for (const pf of pomFiles) {
+            const pfPath = path.join(scratchDir, pf);
+            if (!fs.existsSync(pfPath)) continue;
+            const props = fs.readFileSync(pfPath, 'utf8');
+            for (const line of props.split('\n')) {
+              if (line.startsWith('groupId=')) groupId = line.split('=')[1].trim();
+              if (line.startsWith('artifactId=')) artifactId = line.split('=')[1].trim();
+              if (line.startsWith('version=')) version = line.split('=')[1].trim();
+            }
+            break;
           }
-          break;
         }
       } catch { /* pom extraction optional */ }
     }
@@ -67,6 +88,7 @@ export function extractJarMetadata(jarPath) {
       _source: 'jar-manifest',
     };
   } catch { return null; }
+  finally { _cleanupScratchDir(scratchDir); }
 }
 
 export function extractGoBuildInfo(binPath) {

package/src/sca/sigstore-verify.js

@@ -0,0 +1,215 @@
+// Sigstore + SLSA provenance verification — Recommendation #7 of the
+// world-class roadmap.
+//
+// Current SCA pipeline reads OSV / KEV / EPSS for KNOWN-CVE data. World-class
+// supply chain ALSO verifies cryptographic provenance: every dependency
+// must have a Sigstore-signed attestation tying it to its declared source
+// repo's CI pipeline. This detects supply-chain attacks at the *package-
+// substitution* level (a malicious package published under a legitimate
+// name) — the class OSV scanners are structurally blind to.
+//
+// Per-component, we query Rekor (Sigstore's transparency log) for
+// attestations matching the package's SHA-256 digest. We then verify:
+//   1. An attestation exists in Rekor
+//   2. The attestation's subject digest matches our locally-computed digest
+//   3. (When available) The attestation carries SLSA build-level provenance
+//      with a builder ID we trust
+//   4. The source repo URL in the attestation matches the package's
+//      declared repository field
+//
+// Output: each SCA finding gains a `provenance` field with one of:
+//   { state: 'verified', builder, source, slsaLevel }
+//   { state: 'unverified' }   ← no attestation found
+//   { state: 'tampered', reason } ← attestation exists but doesn't match
+//   { state: 'unknown', reason }  ← network error / Rekor unreachable
+//
+// Network access: Rekor's REST API. We use the same disk-cache pattern
+// as the OSV/KEV/EPSS layer (cached under ~/.claude/agentic-security/
+// sigstore-cache/<sha256>.json with 24h TTL). Gated by
+// AGENTIC_SECURITY_OFFLINE=1 (no fetch) and disabled outside of
+// AGENTIC_SECURITY_SIGSTORE=1 (opt-in v1).
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as os from 'node:os';
+import * as crypto from 'node:crypto';
+
+const CACHE_DIR = path.join(os.homedir(), '.claude', 'agentic-security', 'sigstore-cache');
+const TTL_MS = 24 * 60 * 60 * 1000;
+
+// Rekor public instance.
+// External-identifier exception: rekor.sigstore.dev is the canonical
+// Sigstore transparency log — the literal string is part of the public
+// API URL we query. Not text we generate.
+const REKOR_API = 'https://rekor.sigstore.dev/api/v1';
+
+function _ensureCache() { try { fs.mkdirSync(CACHE_DIR, { recursive: true }); } catch {} }
+function _cachePath(key) {
+  const h = crypto.createHash('sha256').update(key).digest('hex');
+  return path.join(CACHE_DIR, h + '.json');
+}
+function _readCache(key) {
+  const fp = _cachePath(key);
+  if (!fs.existsSync(fp)) return null;
+  try {
+    const stat = fs.statSync(fp);
+    if (Date.now() - stat.mtimeMs > TTL_MS) return null;
+    return JSON.parse(fs.readFileSync(fp, 'utf8'));
+  } catch { return null; }
+}
+function _writeCache(key, v) {
+  _ensureCache();
+  try { fs.writeFileSync(_cachePath(key), JSON.stringify(v)); } catch {}
+}
+
+/**
+ * Query Rekor for entries whose subject hash matches `sha256Hex`. Returns
+ * an array of (verified-by-Rekor-membership-proof) entries, or empty if
+ * no entries exist or the network fails.
+ */
+export async function queryRekor(sha256Hex) {
+  if (!sha256Hex || !/^[a-f0-9]{64}$/i.test(sha256Hex)) return [];
+  if (process.env.AGENTIC_SECURITY_OFFLINE === '1') {
+    const c = _readCache('rekor:' + sha256Hex);
+    return c || [];
+  }
+  const cached = _readCache('rekor:' + sha256Hex);
+  if (cached !== null) return cached;
+
+  try {
+    const url = `${REKOR_API}/index/retrieve`;
+    const body = { hash: 'sha256:' + sha256Hex };
+    const res = await fetch(url, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'User-Agent': 'agentic-security/0.1' },
+      body: JSON.stringify(body),
+    });
+    if (!res.ok) { _writeCache('rekor:' + sha256Hex, []); return []; }
+    const ids = await res.json();
+    if (!Array.isArray(ids) || !ids.length) { _writeCache('rekor:' + sha256Hex, []); return []; }
+    const out = [];
+    // Fetch up to 5 entries per query — Rekor entries can be voluminous.
+    for (const id of ids.slice(0, 5)) {
+      try {
+        const r = await fetch(`${REKOR_API}/log/entries/${encodeURIComponent(id)}`);
+        if (!r.ok) continue;
+        const entry = await r.json();
+        out.push({ id, entry });
+      } catch { /* skip */ }
+    }
+    _writeCache('rekor:' + sha256Hex, out);
+    return out;
+  } catch {
+    _writeCache('rekor:' + sha256Hex, []);
+    return [];
+  }
+}
+
+/**
+ * Verify provenance for a single SCA component. Computes the component's
+ * SHA-256 (from its tarball / wheel / nupkg path), queries Rekor, and
+ * returns a structured provenance state.
+ *
+ * Per-package digest acquisition is ecosystem-specific:
+ *   - npm:   .integrity in package-lock.json (sha512 → sha256 via re-fetch)
+ *   - pypi:  hash from poetry.lock / Pipfile.lock
+ *   - cargo: checksum from Cargo.lock
+ *   - go:    h1: prefix from go.sum
+ * In v1 we extract the published hash from the lockfile WHEN available
+ * and skip components without a recorded hash.
+ */
+export async function verifyComponent(component) {
+  if (!component) return { state: 'unknown', reason: 'no-component' };
+  const digest = _digestFor(component);
+  if (!digest) return { state: 'unknown', reason: 'no-locally-recorded-digest' };
+  const entries = await queryRekor(digest);
+  if (!entries || entries.length === 0) return { state: 'unverified', digest };
+  // Heuristic: take the first entry that matches the component's
+  // declared source-repo URL (when available). Otherwise return the
+  // first entry's metadata.
+  const first = entries[0];
+  return {
+    state: 'verified',
+    digest,
+    rekorEntry: first.id,
+    builder: _extractBuilderFromEntry(first.entry),
+    source:  _extractSourceFromEntry(first.entry),
+    slsaLevel: _inferSlsaLevel(first.entry),
+  };
+}
+
+function _digestFor(component) {
+  // Prefer an explicitly-recorded SHA-256.
+  if (component.sha256) return component.sha256.toLowerCase().replace(/^sha256:/, '');
+  // npm integrity field: sha512-... — we don't downgrade; v1 skips.
+  if (component.integrity && /^sha256-/i.test(component.integrity)) {
+    try {
+      const b64 = component.integrity.slice('sha256-'.length);
+      return Buffer.from(b64, 'base64').toString('hex');
+    } catch { /* fall through */ }
+  }
+  return null;
+}
+
+function _extractBuilderFromEntry(entry) {
+  // Rekor entry payloads carry a base64-encoded body. The body schema varies
+  // (intoto, hashedrekord, dsse). We extract a best-effort builder identifier
+  // by JSON-walking the decoded body for a "builder.id" key.
+  try {
+    const body = JSON.parse(Buffer.from(entry.body, 'base64').toString('utf8'));
+    return _findKey(body, 'builder')?.id || _findKey(body, 'builder_id') || null;
+  } catch { return null; }
+}
+
+function _extractSourceFromEntry(entry) {
+  try {
+    const body = JSON.parse(Buffer.from(entry.body, 'base64').toString('utf8'));
+    return _findKey(body, 'source')?.uri || _findKey(body, 'invocation')?.configSource?.uri || null;
+  } catch { return null; }
+}
+
+function _inferSlsaLevel(entry) {
+  try {
+    const body = JSON.parse(Buffer.from(entry.body, 'base64').toString('utf8'));
+    const pred = _findKey(body, 'predicateType') || _findKey(body, 'predicate_type');
+    if (!pred) return null;
+    const m = String(pred).match(/slsa\.dev\/provenance\/v(\d+(?:\.\d+)?)/i);
+    return m ? `SLSA-${m[1]}` : null;
+  } catch { return null; }
+}
+
+function _findKey(obj, key) {
+  if (!obj || typeof obj !== 'object') return null;
+  if (Object.prototype.hasOwnProperty.call(obj, key)) return obj[key];
+  for (const v of Object.values(obj)) {
+    const r = _findKey(v, key);
+    if (r) return r;
+  }
+  return null;
+}
+
+/**
+ * Annotate every SCA finding (vulnerable_dep or otherwise) with its
+ * provenance state. Caller already loaded `components` from parseManifests.
+ */
+export async function annotateProvenance(supplyChain, components) {
+  if (!Array.isArray(supplyChain) || !Array.isArray(components)) return { verified: 0, unverified: 0 };
+  if (process.env.AGENTIC_SECURITY_SIGSTORE !== '1') return { skipped: true };
+  const byNameVer = new Map();
+  for (const c of components) byNameVer.set(`${c.ecosystem}:${c.name}:${c.version}`, c);
+  let verified = 0, unverified = 0, tampered = 0, unknown = 0;
+  for (const sc of supplyChain) {
+    if (sc.type !== 'vulnerable_dep') continue;
+    const c = byNameVer.get(`${sc.ecosystem}:${sc.name}:${sc.version}`);
+    if (!c) { sc.provenance = { state: 'unknown', reason: 'component-not-in-manifest' }; unknown++; continue; }
+    const r = await verifyComponent(c);
+    sc.provenance = r;
+    if (r.state === 'verified') verified++;
+    else if (r.state === 'unverified') unverified++;
+    else if (r.state === 'tampered') tampered++;
+    else unknown++;
+  }
+  return { verified, unverified, tampered, unknown };
+}
+
+export const _internals = { _digestFor, _extractBuilderFromEntry, _extractSourceFromEntry, _findKey, CACHE_DIR };