@lateos/npm-scan 0.16.4 → 0.17.0

package/backend/detectors/cve-2026-48710-badhost/transitive.js

@@ -1,189 +1,189 @@
-import { transitiveDependencyFinding } from './findings.js';
-import { parseRequirementsTxt, parsePyprojectToml, parsePoetryLock, parsePipfile, parseSetupPy, parseSetupCfg } from './manifest.js';
-
-const TIER_1_PACKAGES = [
-  'fastapi',
-  'vllm',
-  'litellm',
-  'bentoml',
-  'text-generation-inference',
-  'ray-serve',
-  'ray[serve]',
-];
-
-const TIER_2_PACKAGES = [
-  'langserve',
-  'fastapi-mcp',
-  'mcp',
-  'starlette-admin',
-  'piccolo-api',
-  'fastapi-users',
-  'broadcaster',
-];
-
-function normalizePkgName(name) {
-  return name.replace(/["'\[\]]/g, '').trim().toLowerCase();
-}
-
-function findPackagesInManifests(allFiles) {
-  const packages = new Set();
-
-  for (const file of (allFiles || [])) {
-    const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
-    const path = file.path || '';
-
-    let deps = [];
-
-    if (path === 'requirements.txt' || path.match(/^requirements\/.*\.txt$/)) {
-      const lines = content.split('\n');
-      for (const line of lines) {
-        const trimmed = line.trim();
-        if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) continue;
-        const idx = trimmed.indexOf('#');
-        const spec = idx >= 0 ? trimmed.slice(0, idx).trim() : trimmed;
-        const eqIdx = spec.indexOf('==');
-        const geIdx = spec.indexOf('>=');
-        const name = eqIdx >= 0 ? spec.slice(0, eqIdx).trim() : (geIdx >= 0 ? spec.slice(0, geIdx).trim() : spec);
-        if (name && !name.includes('=') && !name.includes('<') && !name.includes('>')) {
-          deps.push(normalizePkgName(name));
-        }
-      }
-    } else if (path === 'pyproject.toml') {
-      try {
-        const obj = JSON.parse(content);
-        const allDeps = { ...(obj?.tool?.poetry?.dependencies || {}), ...(obj?.dependencies || {}), ...(obj?.['dev-dependencies'] || {}) };
-        for (const key of Object.keys(allDeps)) {
-          deps.push(normalizePkgName(key));
-        }
-      } catch {}
-    } else if (path === 'poetry.lock') {
-      const pattern = /name\s*=\s*["']([^"']+)["']/g;
-      let m;
-      while ((m = pattern.exec(content)) !== null) {
-        deps.push(normalizePkgName(m[1]));
-      }
-    } else if (path === 'Pipfile' || path === 'Pipfile.lock') {
-      try {
-        const obj = JSON.parse(content);
-        for (const key of Object.keys(obj?.packages || {})) {
-          deps.push(normalizePkgName(key));
-        }
-      } catch {}
-    }
-    for (const dep of deps) packages.add(dep);
-  }
-
-  return packages;
-}
-
-function hasStarlettePin(allFiles) {
-  for (const file of (allFiles || [])) {
-    const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
-    const path = file.path || '';
-
-    let result = null;
-    if (path === 'requirements.txt' || path.match(/^requirements\/.*\.txt$/)) {
-      result = parseRequirementsTxt(content);
-    } else if (path === 'pyproject.toml') {
-      result = parsePyprojectToml(content);
-    } else if (path === 'poetry.lock') {
-      result = parsePoetryLock(content);
-    } else if (path === 'Pipfile' || path === 'Pipfile.lock') {
-      result = parsePipfile(content);
-    } else if (path === 'setup.py') {
-      result = parseSetupPy(content);
-    } else if (path === 'setup.cfg') {
-      result = parseSetupCfg(content);
-    }
-
-    if (result) {
-      if (result.version === null && result.specifier === null) return false;
-      const parsed = parsePEP440(result.version);
-      const safe = parsePEP440('1.0.1');
-      if (parsed && compareVersions(parsed, safe) >= 0) return true;
-    }
-  }
-
-  return false;
-}
-
-function parsePEP440(versionStr) {
-  if (!versionStr) return null;
-  const clean = versionStr.trim().replace(/^v/, '');
-  const parts = clean.split('.');
-  return {
-    major: parseInt(parts[0], 10) || 0,
-    minor: parseInt(parts[1], 10) || 0,
-    patch: parseInt(parts[2], 10) || 0,
-  };
-}
-
-function compareVersions(a, b) {
-  if (!a) return 1;
-  if (!b) return -1;
-  if (a.major !== b.major) return a.major - b.major;
-  if (a.minor !== b.minor) return a.minor - b.minor;
-  return a.patch - b.patch;
-}
-
-export function scanTransitive(allFiles) {
-  const findings = [];
-
-  if (!allFiles || allFiles.length === 0) return findings;
-
-  const packages = findPackagesInManifests(allFiles);
-
-  if (hasStarlettePin(allFiles)) return findings;
-
-  const handled = new Set();
-
-  for (const pkg of packages) {
-    if (TIER_1_PACKAGES.includes(pkg)) {
-      handled.add(pkg);
-      if (pkg === 'fastapi') {
-        const version = findFastapiVersion(allFiles);
-        if (version) {
-          const parsed = parsePEP440(version);
-          const safeFastapi = parsePEP440('0.116.0');
-          if (parsed && compareVersions(parsed, safeFastapi) >= 0) continue;
-        }
-      }
-      findings.push(transitiveDependencyFinding(pkg, 1));
-      break;
-    }
-  }
-
-  if (findings.length === 0) {
-    for (const pkg of packages) {
-      if (handled.has(pkg)) continue;
-      if (TIER_2_PACKAGES.includes(pkg)) {
-        findings.push(transitiveDependencyFinding(pkg, 2));
-        break;
-      }
-    }
-  }
-
-  return findings;
-}
-
-function findFastapiVersion(allFiles) {
-  for (const file of (allFiles || [])) {
-    const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
-    const path = file.path || '';
-    if (path === 'requirements.txt' || path.match(/^requirements\/.*\.txt$/)) {
-      const lines = content.split('\n');
-      for (const line of lines) {
-        const trimmed = line.trim();
-        if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) continue;
-        if (trimmed.startsWith('fastapi')) {
-          const eqIdx = trimmed.indexOf('==');
-          if (eqIdx >= 0) return trimmed.slice(eqIdx + 2).trim();
-        }
-      }
-    }
-  }
-  return null;
-}
+import { transitiveDependencyFinding } from './findings.js';
+import { parseRequirementsTxt, parsePyprojectToml, parsePoetryLock, parsePipfile, parseSetupPy, parseSetupCfg } from './manifest.js';
+
+const TIER_1_PACKAGES = [
+  'fastapi',
+  'vllm',
+  'litellm',
+  'bentoml',
+  'text-generation-inference',
+  'ray-serve',
+  'ray[serve]',
+];
+
+const TIER_2_PACKAGES = [
+  'langserve',
+  'fastapi-mcp',
+  'mcp',
+  'starlette-admin',
+  'piccolo-api',
+  'fastapi-users',
+  'broadcaster',
+];
+
+function normalizePkgName(name) {
+  return name.replace(/["'\[\]]/g, '').trim().toLowerCase();
+}
+
+function findPackagesInManifests(allFiles) {
+  const packages = new Set();
+
+  for (const file of (allFiles || [])) {
+    const content = typeof file.content === 'string' ? file.content : '';
+    if (!content) continue;
+    const path = file.path || '';
+
+    let deps = [];
+
+    if (path === 'requirements.txt' || path.match(/^requirements\/.*\.txt$/)) {
+      const lines = content.split('\n');
+      for (const line of lines) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) continue;
+        const idx = trimmed.indexOf('#');
+        const spec = idx >= 0 ? trimmed.slice(0, idx).trim() : trimmed;
+        const eqIdx = spec.indexOf('==');
+        const geIdx = spec.indexOf('>=');
+        const name = eqIdx >= 0 ? spec.slice(0, eqIdx).trim() : (geIdx >= 0 ? spec.slice(0, geIdx).trim() : spec);
+        if (name && !name.includes('=') && !name.includes('<') && !name.includes('>')) {
+          deps.push(normalizePkgName(name));
+        }
+      }
+    } else if (path === 'pyproject.toml') {
+      try {
+        const obj = JSON.parse(content);
+        const allDeps = { ...(obj?.tool?.poetry?.dependencies || {}), ...(obj?.dependencies || {}), ...(obj?.['dev-dependencies'] || {}) };
+        for (const key of Object.keys(allDeps)) {
+          deps.push(normalizePkgName(key));
+        }
+      } catch {}
+    } else if (path === 'poetry.lock') {
+      const pattern = /name\s*=\s*["']([^"']+)["']/g;
+      let m;
+      while ((m = pattern.exec(content)) !== null) {
+        deps.push(normalizePkgName(m[1]));
+      }
+    } else if (path === 'Pipfile' || path === 'Pipfile.lock') {
+      try {
+        const obj = JSON.parse(content);
+        for (const key of Object.keys(obj?.packages || {})) {
+          deps.push(normalizePkgName(key));
+        }
+      } catch {}
+    }
+    for (const dep of deps) packages.add(dep);
+  }
+
+  return packages;
+}
+
+function hasStarlettePin(allFiles) {
+  for (const file of (allFiles || [])) {
+    const content = typeof file.content === 'string' ? file.content : '';
+    if (!content) continue;
+    const path = file.path || '';
+
+    let result = null;
+    if (path === 'requirements.txt' || path.match(/^requirements\/.*\.txt$/)) {
+      result = parseRequirementsTxt(content);
+    } else if (path === 'pyproject.toml') {
+      result = parsePyprojectToml(content);
+    } else if (path === 'poetry.lock') {
+      result = parsePoetryLock(content);
+    } else if (path === 'Pipfile' || path === 'Pipfile.lock') {
+      result = parsePipfile(content);
+    } else if (path === 'setup.py') {
+      result = parseSetupPy(content);
+    } else if (path === 'setup.cfg') {
+      result = parseSetupCfg(content);
+    }
+
+    if (result) {
+      if (result.version === null && result.specifier === null) return false;
+      const parsed = parsePEP440(result.version);
+      const safe = parsePEP440('1.0.1');
+      if (parsed && compareVersions(parsed, safe) >= 0) return true;
+    }
+  }
+
+  return false;
+}
+
+function parsePEP440(versionStr) {
+  if (!versionStr) return null;
+  const clean = versionStr.trim().replace(/^v/, '');
+  const parts = clean.split('.');
+  return {
+    major: parseInt(parts[0], 10) || 0,
+    minor: parseInt(parts[1], 10) || 0,
+    patch: parseInt(parts[2], 10) || 0,
+  };
+}
+
+function compareVersions(a, b) {
+  if (!a) return 1;
+  if (!b) return -1;
+  if (a.major !== b.major) return a.major - b.major;
+  if (a.minor !== b.minor) return a.minor - b.minor;
+  return a.patch - b.patch;
+}
+
+export function scanTransitive(allFiles) {
+  const findings = [];
+
+  if (!allFiles || allFiles.length === 0) return findings;
+
+  const packages = findPackagesInManifests(allFiles);
+
+  if (hasStarlettePin(allFiles)) return findings;
+
+  const handled = new Set();
+
+  for (const pkg of packages) {
+    if (TIER_1_PACKAGES.includes(pkg)) {
+      handled.add(pkg);
+      if (pkg === 'fastapi') {
+        const version = findFastapiVersion(allFiles);
+        if (version) {
+          const parsed = parsePEP440(version);
+          const safeFastapi = parsePEP440('0.116.0');
+          if (parsed && compareVersions(parsed, safeFastapi) >= 0) continue;
+        }
+      }
+      findings.push(transitiveDependencyFinding(pkg, 1));
+      break;
+    }
+  }
+
+  if (findings.length === 0) {
+    for (const pkg of packages) {
+      if (handled.has(pkg)) continue;
+      if (TIER_2_PACKAGES.includes(pkg)) {
+        findings.push(transitiveDependencyFinding(pkg, 2));
+        break;
+      }
+    }
+  }
+
+  return findings;
+}
+
+function findFastapiVersion(allFiles) {
+  for (const file of (allFiles || [])) {
+    const content = typeof file.content === 'string' ? file.content : '';
+    if (!content) continue;
+    const path = file.path || '';
+    if (path === 'requirements.txt' || path.match(/^requirements\/.*\.txt$/)) {
+      const lines = content.split('\n');
+      for (const line of lines) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) continue;
+        if (trimmed.startsWith('fastapi')) {
+          const eqIdx = trimmed.indexOf('==');
+          if (eqIdx >= 0) return trimmed.slice(eqIdx + 2).trim();
+        }
+      }
+    }
+  }
+  return null;
+}