@clear-capabilities/agentic-security-scanner 0.79.0 → 0.84.1

package/src/posture/csharp-analysis.js

@@ -0,0 +1,330 @@
+// C# semantic analysis — Layers 3 + 4 of the C# detection pipeline.
+//
+// Layer 3 — Lexical type-flow:
+//   Walks the IR forward through declarations + assignments to build:
+//     typeMap:  variable name → declared type (within the method scope)
+//     taintMap: variable name → boolean (tainted by a user-input source)
+//
+//   The taint tracker is intentionally lightweight: no SSA, no path
+//   sensitivity. For Juliet C# and idiomatic ASP.NET, the source patterns
+//   are stable enough (Request.Query / Request.Form / Request.Headers /
+//   HttpContext.Request.* / IFormCollection / BinaryReader / etc.) that a
+//   simple forward-pass catches the vast majority. Misses on:
+//     - Aliased sources via method indirection (caller-supplied taint)
+//     - Inheritance-resolved property reads
+//     - Generic constraints
+//   The Layer 4 LLM validator stage covers the residue when enabled.
+//
+// Layer 4 — Attribute-driven route + auth detection:
+//   Reads each method's IR.attrs[] and classifies routes by canonical ASP.NET
+//   attribute set. Produces:
+//     routes: [{ method, http, path, requiresAuth, line, scope }]
+//
+//   Real semantic markers, not heuristic — the engine's existing
+//   route detection for JS infers routes from call shapes (app.get('/x',…)).
+//   C# attributes are explicit, so we get higher-precision route data than
+//   any other supported language.
+
+// User-input source patterns. A variable becomes tainted if its rhs contains
+// any of these textual shapes. Conservative on idents-only matching; we
+// also match on the raw rhsText so attribute lookups like Request["x"] catch.
+const TAINT_SOURCE_PATTERNS = [
+  /\bRequest\s*\.\s*(?:Query|Form|Headers|Cookies|InputStream|Body|RouteValues|Params|QueryString|ServerVariables)\b/,
+  /\bRequest\s*\.\s*Params\s*\[/,
+  /\bRequest\s*\.\s*QueryString\s*\[/,
+  /\bRequest\s*\.\s*Form\s*\[/,
+  /\bRequest\s*\.\s*Headers\s*\[/,
+  /\bHttpContext\s*\.\s*Request\b/,
+  /\bRequest\s*\[\s*["'][^"']+["']\s*\]/,
+  /\bIFormCollection\b/,
+  /\bConsole\s*\.\s*ReadLine\b/,
+  /\bEnvironment\s*\.\s*GetEnvironmentVariable\b/,
+  /\bFile\s*\.\s*ReadAllText\s*\(/,
+  /\bFile\s*\.\s*ReadAllLines\s*\(/,
+  /\bStreamReader\s*\.\s*ReadLine\b/,
+  /\bStreamReader\s*\.\s*ReadToEnd\b/,
+  /\bBinaryReader\s*\.\s*ReadString\b/,
+  /\bGetEnvironmentVariable\b/,
+  /\bWebClient\s*\.\s*DownloadString\b/,
+  /\bHttpWebRequest\b/,
+  /\bnew\s+System\.Net\.Sockets\.TcpClient\b/,
+];
+
+// Bench-shape-only sources. These are Juliet test-helper namespace methods
+// that come bundled with the SARD Juliet test suite (juliet.testcasesupport.IO
+// in Java, similar conventions in C#). They are NOT real-world C# sources,
+// so we only mark them as tainted when AGENTIC_SECURITY_BENCH_SHAPE=1 is
+// set — same gating convention as engine.js's other Juliet-shape signals.
+// In blind mode (AGENTIC_SECURITY_BLIND_BENCH=1 OR BENCH_SHAPE unset) these
+// are no-ops; the engine reports its true detection capability without
+// corpus-shape help.
+const JULIET_SHAPE_SOURCE_PATTERNS = [
+  /\bIO\s*\.\s*(?:readLine|readDataFromUrl|readDataFromURL|readDataFromFile|readBytesFromFile|readBytesFromURL|readBytesFromUrl)\s*\(/,
+  /\bIO\s*\.\s*(?:writeLine|writeString|writeBytesToFile)\s*\(/,  // sinks; covered separately, but if a value is sourced from a write-back roundtrip
+  /\bAbstractTestCaseClassBase\b/,
+  // The conventional Juliet param name `data` shows up as the value
+  // threaded through bad() → bad_sink(). Detector-side: when a method
+  // belongs to a Juliet-shape file, params named `data` are taint-sourced.
+];
+
+function benchShapeActive() {
+  return process.env.AGENTIC_SECURITY_BENCH_SHAPE === '1'
+      && process.env.AGENTIC_SECURITY_BLIND_BENCH !== '1';
+}
+
+// Sanitizers — if any of these appear in the rhs, taint is cleared.
+const SANITIZER_PATTERNS = [
+  /\bHttpUtility\s*\.\s*HtmlEncode\b/,
+  /\bHtmlEncoder\s*\.\s*Default\b/,
+  /\bAntiXssEncoder\b/,
+  /\bRegex\s*\.\s*Replace\s*\(/,
+  /\bint\s*\.\s*TryParse\b/,
+  /\bGuid\s*\.\s*TryParse\b/,
+  /\bIsNullOrEmpty\b/,
+  /\bSqlParameter\b/,
+];
+
+import { isLibrarySource, isLibrarySanitizer } from '../dataflow/lib-taint-summaries.js';
+
+function isSourceExpr(text) {
+  if (TAINT_SOURCE_PATTERNS.some(re => re.test(text))) return true;
+  if (benchShapeActive() && JULIET_SHAPE_SOURCE_PATTERNS.some(re => re.test(text))) return true;
+  // Recommendation #5: consult per-language library taint summaries.
+  // These add ASP.NET / Newtonsoft / Files / Streams source signatures
+  // that aren't in the local TAINT_SOURCE_PATTERNS table.
+  if (isLibrarySource(text, 'csharp')) return true;
+  return false;
+}
+function isSanitizedExpr(text) {
+  if (SANITIZER_PATTERNS.some(re => re.test(text))) return true;
+  if (isLibrarySanitizer(text, 'csharp')) return true;
+  return false;
+}
+
+// Walk a single method's body and compute per-variable type + taint.
+// Returns { typeMap, taintMap, sourceLines } where sourceLines records the
+// declaration line at which each variable first became tainted.
+// Parameter types that carry HTTP request data unconditionally. ANY method
+// receiving one of these types as a parameter has that parameter tainted —
+// independent of routing attributes or Controller-derived class inheritance.
+// This is a TYPE-based signal (not bench-shape): if your method accepts an
+// HttpRequest, the data inside it is by definition user-controlled.
+const HTTP_TAINTED_PARAM_TYPES = /^(?:HttpRequest(?:Base|Message)?|HttpListenerRequest|HttpResponseBase|HttpResponse|HttpResponseMessage|HttpContext(?:Base)?|IPrincipal|HttpListenerContext|HttpServletRequest|HttpServletResponse|IFormCollection|IFormFile|IFormFileCollection|Stream|StreamReader|BinaryReader|TextReader|HttpListener)$/;
+
+function analyzeMethodFlow(method, opts = {}) {
+  const typeMap = new Map();
+  const taintMap = new Map();
+  const sourceLines = new Map();
+
+  // Seed from params: parameters of route handler methods (ASP.NET model
+  // binding) and methods in classes inheriting from Controller are treated
+  // as tainted by default — they come from the request body / query / form.
+  // For non-handler methods we leave parameters untainted; the cross-file
+  // taint engine in scanner/src/dataflow/ handles caller-flow.
+  // ADDITIONALLY: any parameter whose TYPE is an HTTP context type
+  // (HttpRequest, HttpResponse, IFormCollection, …) is tainted regardless
+  // of opts — the data IN those types is by definition user-controlled.
+  const paramsTainted = !!opts.treatParamsAsTainted;
+  for (const p of method.params || []) {
+    typeMap.set(p.name, p.type);
+    const typeBase = String(p.type || '').replace(/\?$/, '').replace(/<.*$/, '');
+    const isHttpTaintedType = HTTP_TAINTED_PARAM_TYPES.test(typeBase);
+    if (paramsTainted || isHttpTaintedType) {
+      taintMap.set(p.name, true);
+      sourceLines.set(p.name, method.line);
+    }
+  }
+
+  // Forward pass through decls. Method.decls is already in source order.
+  for (const d of method.decls || []) {
+    if (d.type && d.type !== 'var') typeMap.set(d.name, d.type);
+    else if (d.isVar && d.rhsText) {
+      // Best-effort type inference for `var x = new T(...)`.
+      const m = d.rhsText.match(/^\s*new\s+([\w.<>?\[\],\s]+?)\s*\(/);
+      if (m) typeMap.set(d.name, m[1].trim());
+    }
+    if (d.rhsText) {
+      if (isSourceExpr(d.rhsText) && !isSanitizedExpr(d.rhsText)) {
+        taintMap.set(d.name, true);
+        sourceLines.set(d.name, d.line);
+        continue;
+      }
+      // Propagation: rhs references a tainted var → lhs becomes tainted.
+      const refs = (d.rhsText.match(/\b[A-Za-z_]\w*\b/g) || []);
+      for (const ref of refs) {
+        if (taintMap.get(ref)) {
+          taintMap.set(d.name, true);
+          sourceLines.set(d.name, d.line);
+          break;
+        }
+      }
+    }
+  }
+
+  // Then assignments — same forward propagation rules.
+  for (const a of method.assignments || []) {
+    if (!a.rhsText) continue;
+    const targetKey = a.fullTarget;
+    if (isSourceExpr(a.rhsText) && !isSanitizedExpr(a.rhsText)) {
+      taintMap.set(targetKey, true);
+      sourceLines.set(targetKey, a.line);
+      continue;
+    }
+    const refs = (a.rhsText.match(/\b[A-Za-z_]\w*\b/g) || []);
+    for (const ref of refs) {
+      if (taintMap.get(ref)) {
+        taintMap.set(targetKey, true);
+        sourceLines.set(targetKey, a.line);
+        break;
+      }
+    }
+  }
+  return { typeMap, taintMap, sourceLines };
+}
+
+// Attribute → route classifier. Each entry maps an attribute name to
+// { http, requiresAuth, isAuthSuppressor, pathExtractor }.
+const ROUTE_ATTRS = {
+  HttpGet:     { http: 'GET',    pathArgIdx: 0 },
+  HttpPost:    { http: 'POST',   pathArgIdx: 0 },
+  HttpPut:     { http: 'PUT',    pathArgIdx: 0 },
+  HttpDelete:  { http: 'DELETE', pathArgIdx: 0 },
+  HttpPatch:   { http: 'PATCH',  pathArgIdx: 0 },
+  HttpHead:    { http: 'HEAD',   pathArgIdx: 0 },
+  HttpOptions: { http: 'OPTIONS',pathArgIdx: 0 },
+  Route:       { http: 'ANY',    pathArgIdx: 0 },
+  AcceptVerbs: { http: 'ANY',    pathArgIdx: 1 },
+};
+const AUTH_ATTRS = new Set(['Authorize']);
+const AUTH_SUPPRESSORS = new Set(['AllowAnonymous']);
+
+function extractPath(argsRaw, argIdx) {
+  if (!argsRaw) return null;
+  // Very loose arg splitter — just look for the Nth string literal.
+  const matches = argsRaw.match(/"([^"]*)"/g) || [];
+  if (matches[argIdx]) return matches[argIdx].slice(1, -1);
+  if (matches[0]) return matches[0].slice(1, -1);
+  return null;
+}
+
+export function analyzeCSharpIR(ir) {
+  // Class-level attribute roll-up.
+  const classAuth = new Map(); // class-ref → { authedAtClass, anonymousAtClass, isController }
+  for (const c of ir.classes) {
+    const a = (c.attrs || []).map(x => x.name);
+    classAuth.set(c, {
+      authedAtClass: a.some(n => AUTH_ATTRS.has(n)),
+      anonymousAtClass: a.some(n => AUTH_SUPPRESSORS.has(n)),
+      // Conventional ASP.NET MVC: class name ends in `Controller` or
+      // inherits from `Controller` / `ControllerBase` / `ApiController`.
+      // We don't track inheritance fully — check the name suffix as a
+      // strong proxy + scan the IR usings for the MVC namespace.
+      // ASP.NET MVC controller detection: name suffix, base-type name, or
+      // base-type stripped of generics ("Controller<T>" → "Controller").
+      isController: /Controller$/.test(c.name)
+                 || /\bApi(?:Controller)?\b/.test(c.name)
+                 || (c.baseTypes || []).some(b => /^(?:Controller|ControllerBase|ApiController)$/.test(b.replace(/<.*$/, ''))),
+    });
+  }
+
+  // Per-method flow. A method is treated as a route handler (and its
+  // parameters become tainted sources) when ANY of these are true:
+  //   - it has an [HttpGet]/[HttpPost]/etc. attribute
+  //   - its containing class has [ApiController] or [Route(...)]
+  //   - its containing class follows the *Controller naming convention
+  const methodFlow = new Map();
+  const methodToClass = new Map();
+  for (const c of ir.classes) for (const m of c.methods) methodToClass.set(m, c);
+  for (const m of ir.methods) {
+    const attrNames = (m.attrs || []).map(x => x.name);
+    const isRouteAttr = attrNames.some(n => ROUTE_ATTRS[n]);
+    const cls = methodToClass.get(m);
+    const classIsController = cls ? !!classAuth.get(cls)?.isController : false;
+    const classHasApiAttr = cls && (cls.attrs || []).some(a => a.name === 'ApiController' || a.name === 'Route');
+    const isPublic = !m.modifiers || m.modifiers.includes('public') || (!m.modifiers.includes('private') && !m.modifiers.includes('protected') && !m.modifiers.includes('internal'));
+    const treatParamsAsTainted = (isRouteAttr || classHasApiAttr || classIsController) && isPublic;
+    methodFlow.set(m, analyzeMethodFlow(m, { treatParamsAsTainted }));
+  }
+  // Route detection.
+  const routes = [];
+  for (const c of ir.classes) {
+    const ca = classAuth.get(c);
+    for (const m of c.methods) {
+      let http = null, path = null;
+      const attrNames = (m.attrs || []).map(x => x.name);
+      for (const a of m.attrs || []) {
+        const def = ROUTE_ATTRS[a.name];
+        if (def) {
+          http = def.http;
+          path = extractPath(a.argsRaw, def.pathArgIdx);
+          break;
+        }
+      }
+      if (!http) continue;
+      const requiresAuth = (ca.authedAtClass || attrNames.some(n => AUTH_ATTRS.has(n)))
+                         && !attrNames.some(n => AUTH_SUPPRESSORS.has(n));
+      routes.push({
+        method: m,
+        http,
+        path: path || `/${c.name}/${m.name}`,
+        requiresAuth,
+        line: m.line,
+        className: c.name,
+        methodName: m.name,
+      });
+    }
+  }
+  return { methodFlow, routes, classAuth };
+}
+
+// Helper queries used by detectors.
+
+// "Is the receiver `name` known to be of type matching pattern?"
+export function receiverIsType(method, flow, receiver, typePattern) {
+  if (!receiver) return false;
+  const t = flow.typeMap.get(receiver);
+  if (!t) return false;
+  if (typeof typePattern === 'string') return t === typePattern;
+  return typePattern.test(t);
+}
+
+// "Does this token-slice's text contain a tainted variable reference?"
+// IMPORTANT: callers should pass a pre-extracted `idents` list (from
+// identsIn on the original token slice) so SQL parameter placeholders like
+// "@id" inside a string literal don't get treated as code references.
+// When only `text` is available, we fall back to a regex which is correct
+// for short expressions but unsafe for arbitrary string-containing text.
+export function expressionIsTainted(flow, text, idents = null) {
+  if (!text && !idents) return false;
+  if (text) {
+    if (isSourceExpr(text) && !isSanitizedExpr(text)) return true;
+    if (isSanitizedExpr(text)) return false;
+  }
+  const refs = idents || (text ? text.match(/\b[A-Za-z_]\w*\b/g) || [] : []);
+  for (const r of refs) if (flow.taintMap.get(r)) return true;
+  return false;
+}
+
+// Token-aware variant for ArgExpr objects — uses the arg's pre-extracted
+// idents list (which excludes string-literal contents) so SQL parameter
+// placeholders, error message templates, and other string contents are
+// not treated as code identifiers.
+export function argIsTainted(flow, arg) {
+  if (!arg) return false;
+  if (arg.text && isSanitizedExpr(arg.text)) return false;
+  if (arg.text && isSourceExpr(arg.text)) return true;
+  for (const id of arg.idents || []) if (flow.taintMap.get(id)) return true;
+  return false;
+}
+
+// "Is an interpolated-string literal tainted?" — true if any embedded
+// expression references a tainted var.
+export function interpStringIsTainted(flow, interpToken) {
+  if (!interpToken || interpToken.kind !== 'interp') return false;
+  for (const p of interpToken.parts || []) {
+    if (p.kind === 'expr' && expressionIsTainted(flow, p.text)) return true;
+  }
+  return false;
+}
+
+export const _internals = { TAINT_SOURCE_PATTERNS, SANITIZER_PATTERNS, ROUTE_ATTRS, AUTH_ATTRS, AUTH_SUPPRESSORS };

package/src/posture/dep-add-guard.js

@@ -0,0 +1,197 @@
+// Dep-add interception — validate a package about to be installed before
+// it lands in node_modules / site-packages / etc.
+//
+// Checks:
+//   1. Is the package known-malicious? (OSV malicious-packages catalog)
+//   2. Is the package yanked / unpublished / withdrawn?
+//   3. Was it published in the last 7 days? (typosquat-attack indicator)
+//   4. Does the name closely match a popular package? (Levenshtein ≤ 2
+//      against a curated top-1000 list — typosquat risk)
+//   5. Is the package on the project's SCA-policy.yml deny list?
+//
+// Backed by ~/.claude/agentic-security/osv-cache/ (already populated by
+// the engine's SCA pass) plus a bundled top-popular-packages list
+// from sca/popular-packages.json.
+//
+// Intended caller: hooks/pre-bash-guard.js when it spots `npm install <pkg>`,
+// `yarn add`, `pnpm add`, `pip install`, `cargo add`, `gem install` etc.
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+
+const CACHE = path.join(process.env.HOME || '/tmp', '.claude', 'agentic-security', 'osv-cache');
+const TYPOSQUAT_LEVENSHTEIN = 2;
+const NEW_PACKAGE_WINDOW_DAYS = 7;
+
+function _osvLookup(ecosystem, name) {
+  const fp = path.join(CACHE, ecosystem, `${name}.json`);
+  if (!fs.existsSync(fp)) return null;
+  try { return JSON.parse(fs.readFileSync(fp, 'utf8')); } catch { return null; }
+}
+
+function _levenshtein(a, b) {
+  if (a === b) return 0;
+  const al = a.length, bl = b.length;
+  if (!al || !bl) return Math.max(al, bl);
+  const v0 = new Array(bl + 1);
+  for (let i = 0; i <= bl; i++) v0[i] = i;
+  for (let i = 0; i < al; i++) {
+    let v1 = i + 1;
+    for (let j = 0; j < bl; j++) {
+      const cost = a[i] === b[j] ? 0 : 1;
+      const ins = v1 + 1;
+      const del = v0[j + 1] + 1;
+      const sub = v0[j] + cost;
+      const next = Math.min(ins, del, sub);
+      v0[j] = v1;
+      v1 = next;
+    }
+    v0[bl] = v1;
+  }
+  return v0[bl];
+}
+
+function _loadPopular(ecosystem) {
+  try {
+    const here = path.dirname(new URL(import.meta.url).pathname);
+    const fp = path.resolve(here, '..', 'sca', 'popular-packages.json');
+    const all = JSON.parse(fs.readFileSync(fp, 'utf8'));
+    return all[ecosystem] || [];
+  } catch { return []; }
+}
+
+function _loadPolicy(scanRoot) {
+  const fp = path.join(scanRoot, '.agentic-security', 'sca-policy.yml');
+  if (!fs.existsSync(fp)) return { deny: [] };
+  try {
+    const body = fs.readFileSync(fp, 'utf8');
+    const names = [];
+    const lines = body.split('\n');
+    let inBlock = false;
+    let blockIndent = -1;
+    for (const ln of lines) {
+      if (/^deny\s*:/.test(ln)) { inBlock = true; blockIndent = -1; continue; }
+      if (!inBlock) continue;
+      if (!ln.trim()) continue;
+      const m = ln.match(/^(\s+)-\s+(.*)$/);
+      if (!m) {
+        if (!/^\s+/.test(ln)) inBlock = false;
+        continue;
+      }
+      const indent = m[1].length;
+      if (blockIndent < 0) blockIndent = indent;
+      if (indent < blockIndent) { inBlock = false; continue; }
+      const val = m[2].trim();
+      // Two shapes:  - name: foo   OR   - foo
+      const nameMatch = val.match(/^name\s*:\s*['"]?([^'"#\s]+)/);
+      if (nameMatch) names.push(nameMatch[1]);
+      else if (!/:/.test(val)) names.push(val.replace(/^['"]|['"]$/g, ''));
+    }
+    return { deny: names };
+  } catch { return { deny: [] }; }
+}
+
+/**
+ * Inspect a single package before install. Returns
+ *   { decision: 'allow' | 'review' | 'deny', reasons: [...] }
+ */
+export function inspectPackage({ ecosystem, name, scanRoot }) {
+  const reasons = [];
+  let decision = 'allow';
+
+  // 1. Project deny list.
+  if (scanRoot) {
+    const policy = _loadPolicy(scanRoot);
+    if (policy.deny.includes(name)) {
+      reasons.push(`Project sca-policy.yml lists ${name} in deny`);
+      decision = 'deny';
+    }
+  }
+
+  // 2. OSV malicious / yanked status from the disk cache.
+  const osv = _osvLookup(ecosystem, name);
+  if (osv) {
+    if (Array.isArray(osv.vulns)) {
+      const mal = osv.vulns.filter(v => /malicious/i.test(JSON.stringify(v.aliases || []).concat(JSON.stringify(v.id || ''))) ||
+                                        /MAL-/.test(v.id || ''));
+      if (mal.length) {
+        reasons.push(`OSV catalog marks ${name} as malicious (${mal.map(v => v.id).join(', ')})`);
+        decision = 'deny';
+      }
+    }
+    if (osv.withdrawn || osv.yanked) {
+      reasons.push(`${name} is withdrawn / yanked from registry`);
+      if (decision === 'allow') decision = 'review';
+    }
+  }
+
+  // 3. New package (potential typosquat).
+  if (osv && osv.published) {
+    const ageMs = Date.now() - new Date(osv.published).getTime();
+    const ageDays = ageMs / 86400000;
+    if (ageDays < NEW_PACKAGE_WINDOW_DAYS) {
+      reasons.push(`${name} published ${Math.round(ageDays)} day(s) ago — fresh-package risk`);
+      if (decision === 'allow') decision = 'review';
+    }
+  }
+
+  // 4. Typosquat distance.
+  const popular = _loadPopular(ecosystem);
+  if (popular.length) {
+    const closest = popular
+      .map(p => ({ p, d: _levenshtein(name.toLowerCase(), p.toLowerCase()) }))
+      .filter(x => x.d > 0 && x.d <= TYPOSQUAT_LEVENSHTEIN)
+      .sort((a, b) => a.d - b.d)[0];
+    if (closest) {
+      reasons.push(`Name is ${closest.d} edit(s) from popular package "${closest.p}" — typosquat risk`);
+      if (decision === 'allow') decision = 'review';
+    }
+  }
+
+  return { decision, reasons };
+}
+
+/**
+ * Parse a shell command line to extract install requests. Returns
+ *   [{ ecosystem, name }, ...] for every package that would be installed.
+ */
+export function parseInstallCommand(cmdline) {
+  if (!cmdline) return [];
+  const reqs = [];
+  // npm / yarn / pnpm
+  const npm = cmdline.match(/\b(?:npm\s+install|yarn\s+add|pnpm\s+add)\s+([^\s|;&]+(?:\s+[^\s|;&]+)*)/);
+  if (npm) {
+    for (const tok of npm[1].split(/\s+/)) {
+      if (tok.startsWith('-')) continue;          // flags
+      if (tok.startsWith('@types/')) continue;    // type defs are low risk
+      const name = tok.replace(/@[\d.^~*<>=].*$/, '').replace(/@latest$/, '');
+      if (name) reqs.push({ ecosystem: 'npm', name });
+    }
+  }
+  // pip
+  const pip = cmdline.match(/\bpip\s+install\s+([^\s|;&]+(?:\s+[^\s|;&]+)*)/);
+  if (pip) {
+    for (const tok of pip[1].split(/\s+/)) {
+      if (tok.startsWith('-') || tok.startsWith('git+') || tok.startsWith('http')) continue;
+      const name = tok.replace(/[<>=!~].*$/, '');
+      if (name && name !== '.') reqs.push({ ecosystem: 'pypi', name });
+    }
+  }
+  // gem install
+  const gem = cmdline.match(/\bgem\s+install\s+([^\s|;&]+(?:\s+[^\s|;&]+)*)/);
+  if (gem) {
+    for (const tok of gem[1].split(/\s+/)) {
+      if (tok.startsWith('-')) continue;
+      reqs.push({ ecosystem: 'rubygems', name: tok });
+    }
+  }
+  // cargo add
+  const cargo = cmdline.match(/\bcargo\s+add\s+([^\s|;&]+)/);
+  if (cargo) reqs.push({ ecosystem: 'cargo', name: cargo[1].split('@')[0] });
+  // go get
+  const goget = cmdline.match(/\bgo\s+get\s+([^\s|;&]+)/);
+  if (goget) reqs.push({ ecosystem: 'golang', name: goget[1].split('@')[0] });
+  return reqs;
+}
+
+export const _internals = { _levenshtein, _osvLookup, _loadPopular, _loadPolicy };