npm - @lateos/npm-scan - Versions diffs - 0.17.1 → 0.18.1 - Mend

@lateos/npm-scan 0.17.1 → 0.18.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (89) hide show

package/.dockerignore +20 -20
package/.husky/pre-commit +1 -1
package/CHANGELOG.md +199 -199
package/LICENSING.md +19 -19
package/README.de.md +708 -708
package/README.fr.md +707 -707
package/README.ja.md +704 -704
package/README.md +826 -826
package/README.zh.md +708 -708
package/SECURITY.md +72 -72
package/backend/cra.js +68 -68
package/backend/db/schema.sql +32 -32
package/backend/db.js +88 -88
package/backend/detectors/atk-001-lifecycle.js +17 -17
package/backend/detectors/atk-002-obfusc.js +261 -261
package/backend/detectors/atk-003-creds.js +13 -13
package/backend/detectors/atk-004-persist.js +13 -13
package/backend/detectors/atk-005-exfil.js +13 -13
package/backend/detectors/atk-006-depconf.js +14 -14
package/backend/detectors/atk-007-typosquat.js +34 -34
package/backend/detectors/atk-008-tarball-tamper.js +91 -91
package/backend/detectors/atk-009-dormant-trigger.js +62 -62
package/backend/detectors/atk-010-sandbox-evasion.js +50 -50
package/backend/detectors/atk-011-transitive-prop.js +76 -76
package/backend/detectors/cve-2026-48710-badhost/codePattern.js +99 -99
package/backend/detectors/cve-2026-48710-badhost/findings.js +105 -105
package/backend/detectors/cve-2026-48710-badhost/index.js +15 -15
package/backend/detectors/cve-2026-48710-badhost/manifest.js +305 -305
package/backend/detectors/cve-2026-48710-badhost/transitive.js +189 -189
package/backend/detectors/hf-impersonation/index.js +396 -396
package/backend/detectors/hf-impersonation/jaro-winkler.js +44 -44
package/backend/detectors/hf-impersonation/known-orgs.js +5 -5
package/backend/detectors/hf-impersonation/simhash.js +46 -46
package/backend/detectors/index.js +75 -75
package/backend/detectors/megalodon/d1-workflow-scan.js +147 -147
package/backend/detectors/megalodon/d2-credential-harvest.js +61 -61
package/backend/detectors/megalodon/d3-publish-velocity.js +67 -67
package/backend/detectors/megalodon/d4-publisher-drift.js +124 -124
package/backend/detectors/megalodon/d5-bot-commit-identity.js +3 -3
package/backend/detectors/megalodon/d6-date-anachronism.js +3 -3
package/backend/detectors/megalodon/index.js +80 -80
package/backend/detectors/megalodon/types.js +9 -9
package/backend/detectors/mini-shai-hulud/d1-burst-publish.js +42 -42
package/backend/detectors/mini-shai-hulud/d2-sibling-compromise.js +116 -116
package/backend/detectors/mini-shai-hulud/d3-slsa-mismatch.js +72 -72
package/backend/detectors/mini-shai-hulud/d4-maintainer-anomaly.js +45 -45
package/backend/detectors/mini-shai-hulud/d5-ioc-check.js +95 -95
package/backend/detectors/mini-shai-hulud/d6-token-exfil.js +38 -38
package/backend/detectors/mini-shai-hulud/index.js +118 -118
package/backend/detectors/mini-shai-hulud/iocs.json +79 -79
package/backend/fetch.js +175 -175
package/backend/index.js +4 -4
package/backend/license.js +89 -89
package/backend/lockfile.js +379 -379
package/backend/pdf.js +245 -245
package/backend/policy.js +193 -193
package/backend/report.js +254 -254
package/backend/sbom.js +66 -66
package/backend/siem/cef.js +32 -32
package/backend/siem/ecs.js +40 -40
package/backend/siem/index.js +18 -18
package/backend/siem/qradar.js +56 -56
package/backend/siem/sentinel.js +27 -27
package/backend/vsix-scan/detectors/activation-event-risk.js +116 -116
package/backend/vsix-scan/detectors/burst-publish.js +52 -52
package/backend/vsix-scan/detectors/exfil-pattern.js +88 -88
package/backend/vsix-scan/detectors/known-ioc.js +105 -105
package/backend/vsix-scan/detectors/orphan-commit-fetch.js +69 -69
package/backend/vsix-scan/detectors/publisher-anomaly.js +70 -70
package/backend/vsix-scan/index.js +183 -183
package/backend/vsix-scan/marketplace-client.js +145 -145
package/backend/vsix-scan/vsix-iocs.json +31 -31
package/cli/cli.js +458 -458
package/deploy/helm/npm-scan/Chart.yaml +21 -21
package/deploy/helm/npm-scan/templates/_helpers.tpl +8 -8
package/deploy/helm/npm-scan/templates/api.yaml +93 -93
package/deploy/helm/npm-scan/templates/ingress.yaml +27 -27
package/deploy/helm/npm-scan/templates/postgresql.yaml +66 -66
package/deploy/helm/npm-scan/templates/secrets.yaml +18 -18
package/deploy/helm/npm-scan/templates/worker.yaml +31 -31
package/deploy/helm/npm-scan/values.byoc.yaml +74 -74
package/deploy/helm/npm-scan/values.yaml +102 -102
package/package.json +57 -57
package/scripts/download-corpus.js +30 -30
package/scripts/gen-mal-corpus.js +34 -34
package/test/fixtures/lockfiles/npm-lock.json +68 -68
package/test/fixtures/lockfiles/pnpm-lock.yaml +117 -117
package/test/fixtures/lockfiles/yarn.lock +103 -103
package/test/fixtures/mock-data.js +69 -69

package/backend/detectors/cve-2026-48710-badhost/manifest.js CHANGED Viewed

@@ -1,305 +1,305 @@
-import { directDependencyFinding, directDependencyUnpinnedFinding } from './findings.js';
-function parseReqTxtLine(line) {
-  const trimmed = line.trim();
-  if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) return null;
-  const idx = trimmed.indexOf('#');
-  const spec = idx >= 0 ? trimmed.slice(0, idx).trim() : trimmed;
-  if (!spec || !spec.startsWith('starlette')) return null;
-  const eqIdx = spec.indexOf('==');
-  const geIdx = spec.indexOf('>=');
-  const tildeIdx = spec.indexOf('~=');
-  const ltIdx = spec.indexOf('<');
-  if (eqIdx >= 0) {
-    const ver = spec.slice(eqIdx + 2).trim();
-    return { name: 'starlette', version: ver, specifier: `==${ver}` };
-  }
-  if (geIdx >= 0) {
-    const rest = spec.slice(geIdx + 2).trim();
-    const parts = rest.split(',');
-    const lower = parts[0]?.trim();
-    const upper = parts[1]?.trim();
-    let specStr = `>=${lower}`;
-    if (upper && upper.startsWith('<')) specStr += `,${upper}`;
-    return { name: 'starlette', version: lower, specifier: specStr };
-  }
-  if (tildeIdx >= 0) {
-    const ver = spec.slice(tildeIdx + 2).trim();
-    return { name: 'starlette', version: ver, specifier: `~=${ver}` };
-  }
-  if (ltIdx >= 0) {
-    const ver = spec.slice(ltIdx + 1).trim();
-    const name = 'starlette';
-    return { name, version: ver, specifier: `<${ver}` };
-  }
-  const rest = spec.slice('starlette'.length).trim();
-  if (!rest) return { name: 'starlette', version: null, specifier: null };
-  if (!rest.includes('=') && !rest.includes('<') && !rest.includes('>') && !rest.includes('~') && !rest.includes('!')) {
-    return { name: 'starlette', version: rest, specifier: rest };
-  }
-  return null;
-}
-export function parseRequirementsTxt(content) {
-  const lines = content.split('\n');
-  for (const line of lines) {
-    const result = parseReqTxtLine(line);
-    if (result) return result;
-  }
-  return null;
-}
-function parsePEP440(versionStr) {
-  if (!versionStr) return null;
-  const clean = versionStr.trim().replace(/^v/, '');
-  const parts = clean.split('.');
-  return {
-    major: parseInt(parts[0], 10) || 0,
-    minor: parseInt(parts[1], 10) || 0,
-    patch: parseInt(parts[2], 10) || 0,
-  };
-}
-function compareVersions(a, b) {
-  if (!a) return 1;
-  if (!b) return -1;
-  if (a.major !== b.major) return a.major - b.major;
-  if (a.minor !== b.minor) return a.minor - b.minor;
-  return a.patch - b.patch;
-}
-const STARLETTE_SAFE = parsePEP440('1.0.1');
-function isVulnerable(version) {
-  if (!version) return true;
-  const parsed = parsePEP440(version);
-  if (!parsed) return true;
-  return compareVersions(parsed, STARLETTE_SAFE) < 0;
-}
-function findStarletteInTOML(obj) {
-  if (!obj || typeof obj !== 'object') return null;
-  const sectionPaths = ['dependencies', 'project.dependencies', 'tool.poetry.dependencies'];
-  for (const path of sectionPaths) {
-    const parts = path.split('.');
-    let ptr = obj;
-    let found = true;
-    for (const p of parts) {
-      if (!ptr || typeof ptr !== 'object') { found = false; break; }
-      ptr = ptr[p];
-    }
-    if (!found || !ptr || typeof ptr !== 'object') continue;
-    for (const [key, val] of Object.entries(ptr)) {
-      if (key === 'starlette' || key === '"starlette"') {
-        const version = typeof val === 'string' ? val : (val?.version || null);
-        const specifier = typeof val === 'string' ? val : null;
-        return { name: 'starlette', version, specifier };
-      }
-    }
-  }
-  return null;
-}
-function parseTomlSimple(content) {
-  const result = {};
-  let currentSection = result;
-  for (const line of content.split('\n')) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith('#')) continue;
-    const sectionMatch = trimmed.match(/^\[([^\]]+)\]$/);
-    if (sectionMatch) {
-      const parts = sectionMatch[1].split('.');
-      let ptr = result;
-      for (const p of parts) {
-        const key = p.replace(/^"(.*)"$/, '$1').trim();
-        if (!ptr[key]) ptr[key] = {};
-        ptr = ptr[key];
-      }
-      currentSection = ptr;
-      continue;
-    }
-    const kvMatch = trimmed.match(/^([^=]+)=\s*(.+)$/);
-    if (!kvMatch) continue;
-    const key = kvMatch[1].trim().replace(/^"(.*)"$/, '$1');
-    let val = kvMatch[2].trim();
-    if (val.startsWith('"') && val.endsWith('"')) {
-      val = val.slice(1, -1);
-    } else if (val.startsWith("'") && val.endsWith("'")) {
-      val = val.slice(1, -1);
-    } else if (val.startsWith('^') || val.startsWith('~') || val.startsWith('>') || val.startsWith('<') || val.startsWith('=') || val.startsWith('!')) {
-      val = val.replace(/"/g, '');
-    }
-    currentSection[key] = val;
-  }
-  return result;
-}
-export function parsePyprojectToml(content) {
-  let obj;
-  try {
-    obj = JSON.parse(content);
-  } catch {
-    obj = parseTomlSimple(content);
-  }
-  return findStarletteInTOML(obj);
-}
-function parsePoetryLockEntry(content) {
-  const lines = content.split('\n');
-  let inStarlette = false;
-  let version = null;
-  for (const line of lines) {
-    const trimmed = line.trim();
-    if (trimmed.startsWith('[[package]]')) {
-      inStarlette = false;
-    }
-    if (trimmed.startsWith('name = "starlette"') || trimmed.startsWith("name = 'starlette'")) {
-      inStarlette = true;
-    }
-    if (inStarlette && trimmed.startsWith('version = ')) {
-      const match = trimmed.match(/version\s*=\s*["'](.+?)["']/);
-      if (match) version = match[1];
-    }
-    if (inStarlette && trimmed.startsWith('[[package]]') && trimmed !== '[[package]]') {
-      break;
-    }
-  }
-  if (version) {
-    return { name: 'starlette', version, specifier: `==${version}` };
-  }
-  return null;
-}
-export function parsePoetryLock(content) {
-  return parsePoetryLockEntry(content);
-}
-function parsePipfileEntry(content) {
-  try {
-    const obj = JSON.parse(content);
-    const packages = obj?.packages || {};
-    for (const [key, val] of Object.entries(packages)) {
-      if (key === 'starlette' || key === '"starlette"') {
-        const version = typeof val === 'string' ? val : null;
-        return { name: 'starlette', version, specifier: version || null };
-      }
-    }
-    return null;
-  } catch {
-    return null;
-  }
-}
-export function parsePipfile(content) {
-  return parsePipfileEntry(content);
-}
-function parseSetupPyContent(content) {
-  const match = content.match(/install_requires\s*=\s*\[([^\]]+)\]/s);
-  if (!match) return null;
-  const block = match[1];
-  const lines = block.split(',').map(l => l.trim().replace(/["']/g, ''));
-  for (const line of lines) {
-    const clean = line.trim();
-    if (!clean) continue;
-    if (clean.startsWith('starlette')) {
-      const eqIdx = clean.indexOf('==');
-      const geIdx = clean.indexOf('>=');
-      const tildeIdx = clean.indexOf('~=');
-      const ltIdx = clean.indexOf('<');
-      let version = null;
-      let specifier = null;
-      if (eqIdx >= 0) { version = clean.slice(eqIdx + 2).trim(); specifier = `==${version}`; }
-      else if (geIdx >= 0) { version = clean.slice(geIdx + 2).split(',')[0].trim(); specifier = `>=${version}`; }
-      else if (tildeIdx >= 0) { version = clean.slice(tildeIdx + 2).trim(); specifier = `~=${version}`; }
-      else if (ltIdx >= 0) { version = clean.slice(ltIdx + 1).trim(); specifier = `<${version}`; }
-      else if (clean === 'starlette') { return { name: 'starlette', version: null, specifier: null }; }
-      return { name: 'starlette', version, specifier };
-    }
-  }
-  return null;
-}
-export function parseSetupPy(content) {
-  return parseSetupPyContent(content);
-}
-function parseSetupCfgContent(content) {
-  const lines = content.split('\n');
-  let inInstallRequires = false;
-  for (const line of lines) {
-    const trimmed = line.trim();
-    if (trimmed.startsWith('install_requires')) {
-      inInstallRequires = true;
-      continue;
-    }
-    if (inInstallRequires) {
-      if (trimmed.startsWith('[')) break;
-      if (trimmed.startsWith('starlette')) {
-        const eqIdx = trimmed.indexOf('==');
-        const geIdx = trimmed.indexOf('>=');
-        const tildeIdx = trimmed.indexOf('~=');
-        const ltIdx = trimmed.indexOf('<');
-        let version = null;
-        let specifier = null;
-        if (eqIdx >= 0) { version = trimmed.slice(eqIdx + 2).trim(); specifier = `==${version}`; }
-        else if (geIdx >= 0) { version = trimmed.slice(geIdx + 2).split(',')[0].trim(); specifier = `>=${version}`; }
-        else if (tildeIdx >= 0) { version = trimmed.slice(tildeIdx + 2).trim(); specifier = `~=${version}`; }
-        else if (ltIdx >= 0) { version = trimmed.slice(ltIdx + 1).trim(); specifier = `<${version}`; }
-        else if (trimmed === 'starlette') { return { name: 'starlette', version: null, specifier: null }; }
-        if (trimmed.startsWith('starlette')) {
-          return { name: 'starlette', version, specifier };
-        }
-      }
-    }
-  }
-  return null;
-}
-export function parseSetupCfg(content) {
-  return parseSetupCfgContent(content);
-}
-export function scanFiles(allFiles) {
-  const findings = [];
-  for (const file of (allFiles || [])) {
-    const content = typeof file.content === 'string' ? file.content : '';
-    if (!content) continue;
-    const path = file.path || '';
-    let result = null;
-    if (path === 'requirements.txt' || path.match(/^requirements\/.*\.txt$/)) {
-      result = parseRequirementsTxt(content);
-    } else if (path === 'pyproject.toml') {
-      result = parsePyprojectToml(content);
-    } else if (path === 'poetry.lock') {
-      result = parsePoetryLock(content);
-    } else if (path === 'Pipfile' || path === 'Pipfile.lock') {
-      result = parsePipfile(content);
-    } else if (path === 'setup.py') {
-      result = parseSetupPy(content);
-    } else if (path === 'setup.cfg') {
-      result = parseSetupCfg(content);
-    }
-    if (!result) continue;
-    if (result.version === null && result.specifier === null) {
-      findings.push(directDependencyUnpinnedFinding());
-    } else if (isVulnerable(result.version)) {
-      findings.push(directDependencyFinding(result.version, result.specifier || 'unknown'));
-    }
-  }
-  return findings;
-}
+import { directDependencyFinding, directDependencyUnpinnedFinding } from './findings.js';
+function parseReqTxtLine(line) {
+  const trimmed = line.trim();
+  if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) return null;
+  const idx = trimmed.indexOf('#');
+  const spec = idx >= 0 ? trimmed.slice(0, idx).trim() : trimmed;
+  if (!spec || !spec.startsWith('starlette')) return null;
+  const eqIdx = spec.indexOf('==');
+  const geIdx = spec.indexOf('>=');
+  const tildeIdx = spec.indexOf('~=');
+  const ltIdx = spec.indexOf('<');
+  if (eqIdx >= 0) {
+    const ver = spec.slice(eqIdx + 2).trim();
+    return { name: 'starlette', version: ver, specifier: `==${ver}` };
+  }
+  if (geIdx >= 0) {
+    const rest = spec.slice(geIdx + 2).trim();
+    const parts = rest.split(',');
+    const lower = parts[0]?.trim();
+    const upper = parts[1]?.trim();
+    let specStr = `>=${lower}`;
+    if (upper && upper.startsWith('<')) specStr += `,${upper}`;
+    return { name: 'starlette', version: lower, specifier: specStr };
+  }
+  if (tildeIdx >= 0) {
+    const ver = spec.slice(tildeIdx + 2).trim();
+    return { name: 'starlette', version: ver, specifier: `~=${ver}` };
+  }
+  if (ltIdx >= 0) {
+    const ver = spec.slice(ltIdx + 1).trim();
+    const name = 'starlette';
+    return { name, version: ver, specifier: `<${ver}` };
+  }
+  const rest = spec.slice('starlette'.length).trim();
+  if (!rest) return { name: 'starlette', version: null, specifier: null };
+  if (!rest.includes('=') && !rest.includes('<') && !rest.includes('>') && !rest.includes('~') && !rest.includes('!')) {
+    return { name: 'starlette', version: rest, specifier: rest };
+  }
+  return null;
+}
+export function parseRequirementsTxt(content) {
+  const lines = content.split('\n');
+  for (const line of lines) {
+    const result = parseReqTxtLine(line);
+    if (result) return result;
+  }
+  return null;
+}
+function parsePEP440(versionStr) {
+  if (!versionStr) return null;
+  const clean = versionStr.trim().replace(/^v/, '');
+  const parts = clean.split('.');
+  return {
+    major: parseInt(parts[0], 10) || 0,
+    minor: parseInt(parts[1], 10) || 0,
+    patch: parseInt(parts[2], 10) || 0,
+  };
+}
+function compareVersions(a, b) {
+  if (!a) return 1;
+  if (!b) return -1;
+  if (a.major !== b.major) return a.major - b.major;
+  if (a.minor !== b.minor) return a.minor - b.minor;
+  return a.patch - b.patch;
+}
+const STARLETTE_SAFE = parsePEP440('1.0.1');
+function isVulnerable(version) {
+  if (!version) return true;
+  const parsed = parsePEP440(version);
+  if (!parsed) return true;
+  return compareVersions(parsed, STARLETTE_SAFE) < 0;
+}
+function findStarletteInTOML(obj) {
+  if (!obj || typeof obj !== 'object') return null;
+  const sectionPaths = ['dependencies', 'project.dependencies', 'tool.poetry.dependencies'];
+  for (const path of sectionPaths) {
+    const parts = path.split('.');
+    let ptr = obj;
+    let found = true;
+    for (const p of parts) {
+      if (!ptr || typeof ptr !== 'object') { found = false; break; }
+      ptr = ptr[p];
+    }
+    if (!found || !ptr || typeof ptr !== 'object') continue;
+    for (const [key, val] of Object.entries(ptr)) {
+      if (key === 'starlette' || key === '"starlette"') {
+        const version = typeof val === 'string' ? val : (val?.version || null);
+        const specifier = typeof val === 'string' ? val : null;
+        return { name: 'starlette', version, specifier };
+      }
+    }
+  }
+  return null;
+}
+function parseTomlSimple(content) {
+  const result = {};
+  let currentSection = result;
+  for (const line of content.split('\n')) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    const sectionMatch = trimmed.match(/^\[([^\]]+)\]$/);
+    if (sectionMatch) {
+      const parts = sectionMatch[1].split('.');
+      let ptr = result;
+      for (const p of parts) {
+        const key = p.replace(/^"(.*)"$/, '$1').trim();
+        if (!ptr[key]) ptr[key] = {};
+        ptr = ptr[key];
+      }
+      currentSection = ptr;
+      continue;
+    }
+    const kvMatch = trimmed.match(/^([^=]+)=\s*(.+)$/);
+    if (!kvMatch) continue;
+    const key = kvMatch[1].trim().replace(/^"(.*)"$/, '$1');
+    let val = kvMatch[2].trim();
+    if (val.startsWith('"') && val.endsWith('"')) {
+      val = val.slice(1, -1);
+    } else if (val.startsWith("'") && val.endsWith("'")) {
+      val = val.slice(1, -1);
+    } else if (val.startsWith('^') || val.startsWith('~') || val.startsWith('>') || val.startsWith('<') || val.startsWith('=') || val.startsWith('!')) {
+      val = val.replace(/"/g, '');
+    }
+    currentSection[key] = val;
+  }
+  return result;
+}
+export function parsePyprojectToml(content) {
+  let obj;
+  try {
+    obj = JSON.parse(content);
+  } catch {
+    obj = parseTomlSimple(content);
+  }
+  return findStarletteInTOML(obj);
+}
+function parsePoetryLockEntry(content) {
+  const lines = content.split('\n');
+  let inStarlette = false;
+  let version = null;
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (trimmed.startsWith('[[package]]')) {
+      inStarlette = false;
+    }
+    if (trimmed.startsWith('name = "starlette"') || trimmed.startsWith("name = 'starlette'")) {
+      inStarlette = true;
+    }
+    if (inStarlette && trimmed.startsWith('version = ')) {
+      const match = trimmed.match(/version\s*=\s*["'](.+?)["']/);
+      if (match) version = match[1];
+    }
+    if (inStarlette && trimmed.startsWith('[[package]]') && trimmed !== '[[package]]') {
+      break;
+    }
+  }
+  if (version) {
+    return { name: 'starlette', version, specifier: `==${version}` };
+  }
+  return null;
+}
+export function parsePoetryLock(content) {
+  return parsePoetryLockEntry(content);
+}
+function parsePipfileEntry(content) {
+  try {
+    const obj = JSON.parse(content);
+    const packages = obj?.packages || {};
+    for (const [key, val] of Object.entries(packages)) {
+      if (key === 'starlette' || key === '"starlette"') {
+        const version = typeof val === 'string' ? val : null;
+        return { name: 'starlette', version, specifier: version || null };
+      }
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+export function parsePipfile(content) {
+  return parsePipfileEntry(content);
+}
+function parseSetupPyContent(content) {
+  const match = content.match(/install_requires\s*=\s*\[([^\]]+)\]/s);
+  if (!match) return null;
+  const block = match[1];
+  const lines = block.split(',').map(l => l.trim().replace(/["']/g, ''));
+  for (const line of lines) {
+    const clean = line.trim();
+    if (!clean) continue;
+    if (clean.startsWith('starlette')) {
+      const eqIdx = clean.indexOf('==');
+      const geIdx = clean.indexOf('>=');
+      const tildeIdx = clean.indexOf('~=');
+      const ltIdx = clean.indexOf('<');
+      let version = null;
+      let specifier = null;
+      if (eqIdx >= 0) { version = clean.slice(eqIdx + 2).trim(); specifier = `==${version}`; }
+      else if (geIdx >= 0) { version = clean.slice(geIdx + 2).split(',')[0].trim(); specifier = `>=${version}`; }
+      else if (tildeIdx >= 0) { version = clean.slice(tildeIdx + 2).trim(); specifier = `~=${version}`; }
+      else if (ltIdx >= 0) { version = clean.slice(ltIdx + 1).trim(); specifier = `<${version}`; }
+      else if (clean === 'starlette') { return { name: 'starlette', version: null, specifier: null }; }
+      return { name: 'starlette', version, specifier };
+    }
+  }
+  return null;
+}
+export function parseSetupPy(content) {
+  return parseSetupPyContent(content);
+}
+function parseSetupCfgContent(content) {
+  const lines = content.split('\n');
+  let inInstallRequires = false;
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (trimmed.startsWith('install_requires')) {
+      inInstallRequires = true;
+      continue;
+    }
+    if (inInstallRequires) {
+      if (trimmed.startsWith('[')) break;
+      if (trimmed.startsWith('starlette')) {
+        const eqIdx = trimmed.indexOf('==');
+        const geIdx = trimmed.indexOf('>=');
+        const tildeIdx = trimmed.indexOf('~=');
+        const ltIdx = trimmed.indexOf('<');
+        let version = null;
+        let specifier = null;
+        if (eqIdx >= 0) { version = trimmed.slice(eqIdx + 2).trim(); specifier = `==${version}`; }
+        else if (geIdx >= 0) { version = trimmed.slice(geIdx + 2).split(',')[0].trim(); specifier = `>=${version}`; }
+        else if (tildeIdx >= 0) { version = trimmed.slice(tildeIdx + 2).trim(); specifier = `~=${version}`; }
+        else if (ltIdx >= 0) { version = trimmed.slice(ltIdx + 1).trim(); specifier = `<${version}`; }
+        else if (trimmed === 'starlette') { return { name: 'starlette', version: null, specifier: null }; }
+        if (trimmed.startsWith('starlette')) {
+          return { name: 'starlette', version, specifier };
+        }
+      }
+    }
+  }
+  return null;
+}
+export function parseSetupCfg(content) {
+  return parseSetupCfgContent(content);
+}
+export function scanFiles(allFiles) {
+  const findings = [];
+  for (const file of (allFiles || [])) {
+    const content = typeof file.content === 'string' ? file.content : '';
+    if (!content) continue;
+    const path = file.path || '';
+    let result = null;
+    if (path === 'requirements.txt' || path.match(/^requirements\/.*\.txt$/)) {
+      result = parseRequirementsTxt(content);
+    } else if (path === 'pyproject.toml') {
+      result = parsePyprojectToml(content);
+    } else if (path === 'poetry.lock') {
+      result = parsePoetryLock(content);
+    } else if (path === 'Pipfile' || path === 'Pipfile.lock') {
+      result = parsePipfile(content);
+    } else if (path === 'setup.py') {
+      result = parseSetupPy(content);
+    } else if (path === 'setup.cfg') {
+      result = parseSetupCfg(content);
+    }
+    if (!result) continue;
+    if (result.version === null && result.specifier === null) {
+      findings.push(directDependencyUnpinnedFinding());
+    } else if (isVulnerable(result.version)) {
+      findings.push(directDependencyFinding(result.version, result.specifier || 'unknown'));
+    }
+  }
+  return findings;
+}