@lateos/npm-scan 0.18.2 → 1.0.0

package/backend/report.js

@@ -1,255 +1,255 @@
-export function generateHTML(scans) {
-  const rows = scans.map(s => {
-    const findings = s.findings || [];
-    const sevMap = { critical: 5, high: 4, medium: 3, low: 2, info: 1 };
-    const worst = findings.reduce((m, f) => Math.max(m, sevMap[f.severity] || 0), 0);
-    const worstLabel = ['', 'info', 'low', 'medium', 'high', 'critical'][worst] || 'clean';
-    const color = { critical: '#d73a49', high: '#cb2431', medium: '#f66a0a', low: '#dbab09', clean: '#28a745' }[worstLabel] || '#28a745';
-    const findingRows = findings.map(f =>
-      `<tr><td>${f.atk_id || f.id}</td><td style="color:${color}">${f.severity}</td><td>${f.description || f.title || ''}</td><td>${(f.evidence || '').slice(0, 80)}</td></tr>`
-    ).join('');
-    return { name: s.package_name, worstLabel, color, count: findings.length, findingRows };
-  });
-
-  const criticalCount = scans.filter(s => s.findings?.some(f => f.severity === 'critical')).length;
-  const highCount = scans.filter(s => s.findings?.some(f => f.severity === 'high')).length;
-  const mediumCount = scans.filter(s => s.findings?.some(f => f.severity === 'medium')).length;
-  const lowCount = scans.filter(s => s.findings?.some(f => f.severity === 'low')).length;
-  const cleanCount = scans.filter(s => !s.findings?.length).length;
-
-  const nistMap = generateNistTable(scans);
-
-  return `<!DOCTYPE html>
-<html lang="en">
-<head>
-<meta charset="UTF-8">
-<meta name="viewport" content="width=device-width, initial-scale=1.0">
-<title>npm-scan Report</title>
-<style>
-body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; max-width: 960px; margin: 0 auto; padding: 20px; background: #0d1117; color: #c9d1d9; }
-h1 { color: #58a6ff; border-bottom: 1px solid #30363d; padding-bottom: 10px; }
-h2 { color: #8b949e; margin-top: 28px; }
-table { width: 100%; border-collapse: collapse; margin: 12px 0; }
-th, td { padding: 8px 12px; text-align: left; border-bottom: 1px solid #30363d; }
-th { background: #161b22; font-weight: 600; }
-.summary { display: flex; gap: 16px; margin: 16px 0; flex-wrap: wrap; }
-.badge { padding: 4px 12px; border-radius: 12px; font-size: 13px; font-weight: 600; }
-.critical { background: #d73a49; color: #fff; }
-.high { background: #cb2431; color: #fff; }
-.medium { background: #f66a0a; color: #fff; }
-.low { background: #dbab09; color: #000; }
-.clean { background: #28a745; color: #fff; }
-.meta { color: #8b949e; font-size: 13px; margin-top: 30px; }
-.nist-pass { background: #1b3a1b; color: #7ee787; }
-.nist-fail { background: #3a1b1b; color: #ff7b72; }
-</style>
-</head>
-<body>
-<h1>npm-scan Report</h1>
-<p>Generated ${new Date().toISOString()}. ${scans.length} packages scanned.</p>
-
-<div class="summary">
-<div class="badge critical">critical: ${criticalCount}</div>
-<div class="badge high">high: ${highCount}</div>
-<div class="badge medium">medium: ${mediumCount}</div>
-<div class="badge low">low: ${lowCount}</div>
-<div class="badge clean">clean: ${cleanCount}</div>
-</div>
-
-<h2>Findings</h2>
-<table>
-<thead><tr><th>ATK</th><th>Severity</th><th>Title</th><th>Evidence</th></tr></thead>
-<tbody>${rows.map(r => `<tr><td colspan="4" style="background:#161b22;font-weight:600">${r.name} <span class="badge ${r.worstLabel}">${r.count ? r.worstLabel : 'clean'}</span></td></tr>${r.findingRows}`).join('')}</tbody>
-</table>
-
-<h2>NIST SP 800-161 Compliance Summary</h2>
-${nistMap}
-
-<p class="meta">npm-scan v${process.env.npm_package_version || '0.3.2'} | Apache-2.0 + Commons Clause | NIST SP 800-161 mapped</p>
-</body>
-</html>`;
-}
-
-function getAtkFindings(scans) {
-  const map = {};
-  for (const s of scans) {
-    for (const f of (s.findings || [])) {
-      const key = f.atk_id || f.id;
-      if (!map[key]) map[key] = [];
-      map[key].push(f);
-    }
-  }
-  return map;
-}
-
-const NIST_SR_MAP = {
-  'ATK-001': { control: 'SR-3.1', title: 'Malicious code detection' },
-  'ATK-002': { control: 'SR-4.2', title: 'Code obfuscation analysis' },
-  'ATK-003': { control: 'SR-5.3', title: 'Credential protection' },
-  'ATK-004': { control: 'SR-6.4', title: 'Persistence monitoring' },
-  'ATK-005': { control: 'SR-7.5', title: 'Data exfiltration prevention' },
-  'ATK-006': { control: 'SR-2.2', title: 'Dependency validation' },
-  'ATK-007': { control: 'SR-2.1', title: 'Typosquatting prevention' },
-  'ATK-008': { control: 'SR-8.1', title: 'Integrity verification' },
-  'ATK-009': { control: 'SR-9.2', title: 'Conditional behavior analysis' },
-  'ATK-010': { control: 'SR-10.3', title: 'Anti-evasion detection' },
-  'ATK-011': { control: 'SR-11.4', title: 'Supply chain propagation monitoring' },
-};
-
-export function generateText(scans) {
-  const lines = [];
-  lines.push('npm-scan Report');
-  lines.push('================');
-  lines.push(`Generated: ${new Date().toISOString()}`);
-  lines.push(`Packages scanned: ${scans.length}`);
-  lines.push('');
-
-  let totalFindings = 0;
-  const sevMap = { critical: 5, high: 4, medium: 3, low: 2, info: 1 };
-
-  const sevCounts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
-  const sevLabel = ['', 'info', 'low', 'medium', 'high', 'critical'];
-
-  for (const s of scans) {
-    const findings = s.findings || [];
-    totalFindings += findings.length;
-
-    const worst = findings.reduce((m, f) => Math.max(m, sevMap[f.severity] || 0), 0);
-    const worstLabel = sevLabel[worst] || 'clean';
-
-    lines.push(`${s.package_name}@${s.version || 'unknown'} \u2500\u2500 ${findings.length} findings (worst: ${worstLabel})`);
-
-    for (const f of findings) {
-      const desc = (f.description || f.title || '').slice(0, 80);
-      sevCounts[f.severity] = (sevCounts[f.severity] || 0) + 1;
-      lines.push(`  ${f.atk_id || f.id}  ${f.severity.padEnd(8)} ${desc}`);
-    }
-
-    if (!findings.length) {
-      lines.push(`  (clean \u2014 no findings)`);
-    }
-    lines.push('');
-  }
-
-  lines.push('--- Severity Summary ---');
-  for (const sev of ['critical', 'high', 'medium', 'low']) {
-    lines.push(`  ${sev}: ${sevCounts[sev] || 0}`);
-  }
-  lines.push(`  total: ${totalFindings} findings across ${scans.length} packages`);
-  lines.push('');
-
-  return lines.join('\n');
-}
-
-function generateNistTable(scans) {
-  const atkMap = getAtkFindings(scans);
-  let rows = '';
-  for (const [atkId, { control, title }] of Object.entries(NIST_SR_MAP)) {
-    const findings = atkMap[atkId] || [];
-    const status = findings.length > 0 ? 'fail' : 'pass';
-    const label = findings.length > 0 ? `${findings.length} findings` : 'No findings';
-    const colorClass = status === 'pass' ? 'nist-pass' : 'nist-fail';
-    rows += `<tr><td>${control}</td><td>${title}</td><td class="${colorClass}">${label}</td><td>${atkId}</td></tr>`;
-  }
-  return `<table>
-<thead><tr><th>NIST Control</th><th>Control Title</th><th>Status</th><th>ATK ID</th></tr></thead>
-<tbody>${rows}</tbody>
-</table>`;
-}
-
-export function generateSARIF(scan, format = 'json') {
-  const findings = scan.findings || [];
-  const runs = [{
-    tool: {
-      driver: {
-        name: 'npm-scan',
-        version: '0.9.7',
-        informationUri: 'https://github.com/lateos-ai/npm-scan',
-        rules: Array.from(new Set(findings.map(f => f.id))).map(id => ({
-          id,
-          name: `ATK-${id.replace('ATK-', '')}`,
-          shortDescription: { text: findings.find(f => f.id === id)?.title || id },
-          fullDescription: { text: findings.find(f => f.id === id)?.description || '' },
-          defaultConfiguration: { enabled: true }
-        }))
-      }
-    },
-    results: findings.map(f => {
-      const severityMap = { critical: 'error', high: 'error', medium: 'warning', low: 'note' };
-      return {
-        ruleId: f.id,
-        level: severityMap[f.severity] || 'note',
-        message: { text: f.description || f.title },
-        locations: [{
-          physicalLocation: {
-            artifactLocation: { uri: f.evidence || 'unknown' },
-            region: { startLine: 1, startColumn: 1 }
-          }
-        }]
-      };
-    })
-  }];
-
-  const sarif = {
-    version: '2.1.0',
-    schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
-    runs
-  };
-
-  return format === 'pretty' ? JSON.stringify(sarif, null, 2) : JSON.stringify(sarif);
-}
-
-export function generateCSV(scans) {
-  const headers = 'id,severity,title,description,evidence,package_name,version\n';
-  const rows = (scans || []).flatMap(s => 
-    (s.findings || []).map(f => [
-      f.id,
-      f.severity || '',
-      (f.title || '').replace(/,/g, ';'),
-      (f.description || '').replace(/,/g, ';'),
-      (f.evidence || '').replace(/,/g, ';'),
-      s.package_name || '',
-      s.version || ''
-    ].join(','))
-  ).join('\n');
-  return headers + rows;
-}
-
-export function calculateRiskScore(findings, totalPackages = 1) {
-  const weights = { low: 1, medium: 3, high: 7, critical: 10 };
-  const rawScore = findings.reduce((sum, f) => sum + (weights[f.severity] || 0), 0) / totalPackages;
-  return Math.min(rawScore, 10).toFixed(1);
-}
-
-const STIG_MAP = {
-  'SRG-APP-000141': { title: 'Application Malware Detection', atk: 'ATK-001', desc: 'Lifecycle script detection' },
-  'SRG-APP-000142': { title: 'Application Code Obfuscation', atk: 'ATK-002', desc: 'Obfuscated payload detection' },
-  'SRG-APP-000143': { title: 'Credential Harvesting', atk: 'ATK-003', desc: 'Credential exfiltration detection' },
-  'SRG-APP-000144': { title: 'Persistence Mechanisms', atk: 'ATK-004', desc: 'Malicious persistence detection' },
-  'SRG-APP-000145': { title: 'Data Exfiltration', atk: 'ATK-005', desc: 'Network exfiltration detection' },
-  'SRG-APP-000146': { title: 'Dependency Confusion', atk: 'ATK-006', desc: 'Internal package detection' },
-  'SRG-APP-000147': { title: 'Typosquatting', atk: 'ATK-007', desc: 'Malicious package name detection' },
-  'SRG-APP-000148': { title: 'Tarball Tampering', atk: 'ATK-008', desc: 'Modified package detection' },
-  'SRG-APP-000149': { title: 'Dormant Triggers', atk: 'ATK-009', desc: 'Conditional execution detection' },
-  'SRG-APP-000150': { title: 'Sandbox Evasion', atk: 'ATK-010', desc: 'Environment detection evasion' },
-  'SRG-APP-000151': { title: 'Transitive Propagation', atk: 'ATK-011', desc: 'Dependency chain attacks' }
-};
-
-export function generateSTIG(scans) {
-  const rows = [];
-  for (const [stigId, info] of Object.entries(STIG_MAP)) {
-    const findings = scans.flatMap(s => (s.findings || []).filter(f => f.id === info.atk));
-    const status = findings.length > 0 ? 'NOT APPLICABLE' : 'COMPLETE';
-    const findingsList = findings.map(f => `${f.severity.toUpperCase()}: ${f.title}`).join('; ') || 'None';
-    rows.push(`| ${stigId} | ${info.title} | ${status} | ${findingsList} |`);
-  }
-  return `# STIG Compliance Report
-Generated: ${new Date().toISOString()}
-
-| STIG ID | Control Title | Status | Findings |
-|---------|--------------|--------|----------|
-${rows.join('\n')}
-
----
-*This report maps application security controls to DISA STIG requirements.*`;
+export function generateHTML(scans) {
+  const rows = scans.map(s => {
+    const findings = s.findings || [];
+    const sevMap = { critical: 5, high: 4, medium: 3, low: 2, info: 1 };
+    const worst = findings.reduce((m, f) => Math.max(m, sevMap[f.severity] || 0), 0);
+    const worstLabel = ['', 'info', 'low', 'medium', 'high', 'critical'][worst] || 'clean';
+    const color = { critical: '#d73a49', high: '#cb2431', medium: '#f66a0a', low: '#dbab09', clean: '#28a745' }[worstLabel] || '#28a745';
+    const findingRows = findings.map(f =>
+      `<tr><td>${f.atk_id || f.id}</td><td style="color:${color}">${f.severity}</td><td>${f.description || f.title || ''}</td><td>${(f.evidence || '').slice(0, 80)}</td></tr>`
+    ).join('');
+    return { name: s.package_name, worstLabel, color, count: findings.length, findingRows };
+  });
+
+  const criticalCount = scans.filter(s => s.findings?.some(f => f.severity === 'critical')).length;
+  const highCount = scans.filter(s => s.findings?.some(f => f.severity === 'high')).length;
+  const mediumCount = scans.filter(s => s.findings?.some(f => f.severity === 'medium')).length;
+  const lowCount = scans.filter(s => s.findings?.some(f => f.severity === 'low')).length;
+  const cleanCount = scans.filter(s => !s.findings?.length).length;
+
+  const nistMap = generateNistTable(scans);
+
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>npm-scan Report</title>
+<style>
+body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; max-width: 960px; margin: 0 auto; padding: 20px; background: #0d1117; color: #c9d1d9; }
+h1 { color: #58a6ff; border-bottom: 1px solid #30363d; padding-bottom: 10px; }
+h2 { color: #8b949e; margin-top: 28px; }
+table { width: 100%; border-collapse: collapse; margin: 12px 0; }
+th, td { padding: 8px 12px; text-align: left; border-bottom: 1px solid #30363d; }
+th { background: #161b22; font-weight: 600; }
+.summary { display: flex; gap: 16px; margin: 16px 0; flex-wrap: wrap; }
+.badge { padding: 4px 12px; border-radius: 12px; font-size: 13px; font-weight: 600; }
+.critical { background: #d73a49; color: #fff; }
+.high { background: #cb2431; color: #fff; }
+.medium { background: #f66a0a; color: #fff; }
+.low { background: #dbab09; color: #000; }
+.clean { background: #28a745; color: #fff; }
+.meta { color: #8b949e; font-size: 13px; margin-top: 30px; }
+.nist-pass { background: #1b3a1b; color: #7ee787; }
+.nist-fail { background: #3a1b1b; color: #ff7b72; }
+</style>
+</head>
+<body>
+<h1>npm-scan Report</h1>
+<p>Generated ${new Date().toISOString()}. ${scans.length} packages scanned.</p>
+
+<div class="summary">
+<div class="badge critical">critical: ${criticalCount}</div>
+<div class="badge high">high: ${highCount}</div>
+<div class="badge medium">medium: ${mediumCount}</div>
+<div class="badge low">low: ${lowCount}</div>
+<div class="badge clean">clean: ${cleanCount}</div>
+</div>
+
+<h2>Findings</h2>
+<table>
+<thead><tr><th>ATK</th><th>Severity</th><th>Title</th><th>Evidence</th></tr></thead>
+<tbody>${rows.map(r => `<tr><td colspan="4" style="background:#161b22;font-weight:600">${r.name} <span class="badge ${r.worstLabel}">${r.count ? r.worstLabel : 'clean'}</span></td></tr>${r.findingRows}`).join('')}</tbody>
+</table>
+
+<h2>NIST SP 800-161 Compliance Summary</h2>
+${nistMap}
+
+<p class="meta">npm-scan v${process.env.npm_package_version || '0.3.2'} | Apache-2.0 + Commons Clause | NIST SP 800-161 mapped</p>
+</body>
+</html>`;
+}
+
+function getAtkFindings(scans) {
+  const map = {};
+  for (const s of scans) {
+    for (const f of (s.findings || [])) {
+      const key = f.atk_id || f.id;
+      if (!map[key]) map[key] = [];
+      map[key].push(f);
+    }
+  }
+  return map;
+}
+
+const NIST_SR_MAP = {
+  'ATK-001': { control: 'SR-3.1', title: 'Malicious code detection' },
+  'ATK-002': { control: 'SR-4.2', title: 'Code obfuscation analysis' },
+  'ATK-003': { control: 'SR-5.3', title: 'Credential protection' },
+  'ATK-004': { control: 'SR-6.4', title: 'Persistence monitoring' },
+  'ATK-005': { control: 'SR-7.5', title: 'Data exfiltration prevention' },
+  'ATK-006': { control: 'SR-2.2', title: 'Dependency validation' },
+  'ATK-007': { control: 'SR-2.1', title: 'Typosquatting prevention' },
+  'ATK-008': { control: 'SR-8.1', title: 'Integrity verification' },
+  'ATK-009': { control: 'SR-9.2', title: 'Conditional behavior analysis' },
+  'ATK-010': { control: 'SR-10.3', title: 'Anti-evasion detection' },
+  'ATK-011': { control: 'SR-11.4', title: 'Supply chain propagation monitoring' },
+};
+
+export function generateText(scans) {
+  const lines = [];
+  lines.push('npm-scan Report');
+  lines.push('================');
+  lines.push(`Generated: ${new Date().toISOString()}`);
+  lines.push(`Packages scanned: ${scans.length}`);
+  lines.push('');
+
+  let totalFindings = 0;
+  const sevMap = { critical: 5, high: 4, medium: 3, low: 2, info: 1 };
+
+  const sevCounts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+  const sevLabel = ['', 'info', 'low', 'medium', 'high', 'critical'];
+
+  for (const s of scans) {
+    const findings = s.findings || [];
+    totalFindings += findings.length;
+
+    const worst = findings.reduce((m, f) => Math.max(m, sevMap[f.severity] || 0), 0);
+    const worstLabel = sevLabel[worst] || 'clean';
+
+    lines.push(`${s.package_name}@${s.version || 'unknown'} \u2500\u2500 ${findings.length} findings (worst: ${worstLabel})`);
+
+    for (const f of findings) {
+      const desc = (f.description || f.title || '').slice(0, 80);
+      sevCounts[f.severity] = (sevCounts[f.severity] || 0) + 1;
+      lines.push(`  ${f.atk_id || f.id}  ${f.severity.padEnd(8)} ${desc}`);
+    }
+
+    if (!findings.length) {
+      lines.push(`  (clean \u2014 no findings)`);
+    }
+    lines.push('');
+  }
+
+  lines.push('--- Severity Summary ---');
+  for (const sev of ['critical', 'high', 'medium', 'low']) {
+    lines.push(`  ${sev}: ${sevCounts[sev] || 0}`);
+  }
+  lines.push(`  total: ${totalFindings} findings across ${scans.length} packages`);
+  lines.push('');
+
+  return lines.join('\n');
+}
+
+function generateNistTable(scans) {
+  const atkMap = getAtkFindings(scans);
+  let rows = '';
+  for (const [atkId, { control, title }] of Object.entries(NIST_SR_MAP)) {
+    const findings = atkMap[atkId] || [];
+    const status = findings.length > 0 ? 'fail' : 'pass';
+    const label = findings.length > 0 ? `${findings.length} findings` : 'No findings';
+    const colorClass = status === 'pass' ? 'nist-pass' : 'nist-fail';
+    rows += `<tr><td>${control}</td><td>${title}</td><td class="${colorClass}">${label}</td><td>${atkId}</td></tr>`;
+  }
+  return `<table>
+<thead><tr><th>NIST Control</th><th>Control Title</th><th>Status</th><th>ATK ID</th></tr></thead>
+<tbody>${rows}</tbody>
+</table>`;
+}
+
+export function generateSARIF(scan, format = 'json') {
+  const findings = scan.findings || [];
+  const runs = [{
+    tool: {
+      driver: {
+        name: 'npm-scan',
+        version: '0.9.7',
+        informationUri: 'https://github.com/lateos-ai/npm-scan',
+        rules: Array.from(new Set(findings.map(f => f.id))).map(id => ({
+          id,
+          name: `ATK-${id.replace('ATK-', '')}`,
+          shortDescription: { text: findings.find(f => f.id === id)?.title || id },
+          fullDescription: { text: findings.find(f => f.id === id)?.description || '' },
+          defaultConfiguration: { enabled: true }
+        }))
+      }
+    },
+    results: findings.map(f => {
+      const severityMap = { critical: 'error', high: 'error', medium: 'warning', low: 'note' };
+      return {
+        ruleId: f.id,
+        level: severityMap[f.severity] || 'note',
+        message: { text: f.description || f.title },
+        locations: [{
+          physicalLocation: {
+            artifactLocation: { uri: f.evidence || 'unknown' },
+            region: { startLine: 1, startColumn: 1 }
+          }
+        }]
+      };
+    })
+  }];
+
+  const sarif = {
+    version: '2.1.0',
+    schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+    runs
+  };
+
+  return format === 'pretty' ? JSON.stringify(sarif, null, 2) : JSON.stringify(sarif);
+}
+
+export function generateCSV(scans) {
+  const headers = 'id,severity,title,description,evidence,package_name,version\n';
+  const rows = (scans || []).flatMap(s => 
+    (s.findings || []).map(f => [
+      f.id,
+      f.severity || '',
+      (f.title || '').replace(/,/g, ';'),
+      (f.description || '').replace(/,/g, ';'),
+      (f.evidence || '').replace(/,/g, ';'),
+      s.package_name || '',
+      s.version || ''
+    ].join(','))
+  ).join('\n');
+  return headers + rows;
+}
+
+export function calculateRiskScore(findings, totalPackages = 1) {
+  const weights = { low: 1, medium: 3, high: 7, critical: 10 };
+  const rawScore = findings.reduce((sum, f) => sum + (weights[f.severity] || 0), 0) / totalPackages;
+  return Math.min(rawScore, 10).toFixed(1);
+}
+
+const STIG_MAP = {
+  'SRG-APP-000141': { title: 'Application Malware Detection', atk: 'ATK-001', desc: 'Lifecycle script detection' },
+  'SRG-APP-000142': { title: 'Application Code Obfuscation', atk: 'ATK-002', desc: 'Obfuscated payload detection' },
+  'SRG-APP-000143': { title: 'Credential Harvesting', atk: 'ATK-003', desc: 'Credential exfiltration detection' },
+  'SRG-APP-000144': { title: 'Persistence Mechanisms', atk: 'ATK-004', desc: 'Malicious persistence detection' },
+  'SRG-APP-000145': { title: 'Data Exfiltration', atk: 'ATK-005', desc: 'Network exfiltration detection' },
+  'SRG-APP-000146': { title: 'Dependency Confusion', atk: 'ATK-006', desc: 'Internal package detection' },
+  'SRG-APP-000147': { title: 'Typosquatting', atk: 'ATK-007', desc: 'Malicious package name detection' },
+  'SRG-APP-000148': { title: 'Tarball Tampering', atk: 'ATK-008', desc: 'Modified package detection' },
+  'SRG-APP-000149': { title: 'Dormant Triggers', atk: 'ATK-009', desc: 'Conditional execution detection' },
+  'SRG-APP-000150': { title: 'Sandbox Evasion', atk: 'ATK-010', desc: 'Environment detection evasion' },
+  'SRG-APP-000151': { title: 'Transitive Propagation', atk: 'ATK-011', desc: 'Dependency chain attacks' }
+};
+
+export function generateSTIG(scans) {
+  const rows = [];
+  for (const [stigId, info] of Object.entries(STIG_MAP)) {
+    const findings = scans.flatMap(s => (s.findings || []).filter(f => f.id === info.atk));
+    const status = findings.length > 0 ? 'NOT APPLICABLE' : 'COMPLETE';
+    const findingsList = findings.map(f => `${f.severity.toUpperCase()}: ${f.title}`).join('; ') || 'None';
+    rows.push(`| ${stigId} | ${info.title} | ${status} | ${findingsList} |`);
+  }
+  return `# STIG Compliance Report
+Generated: ${new Date().toISOString()}
+
+| STIG ID | Control Title | Status | Findings |
+|---------|--------------|--------|----------|
+${rows.join('\n')}
+
+---
+*This report maps application security controls to DISA STIG requirements.*`;
 }

package/backend/sbom.js

@@ -1,67 +1,67 @@
-export function generateSBOM(pkgJson, findings, format = 'json') {
-  if (format === 'spdx') return generateSPDX(pkgJson, findings);
-  return generateCycloneDX(pkgJson, findings);
-}
-
-function generateCycloneDX(pkgJson, findings) {
-  const bom = {
-    bomFormat: 'CycloneDX',
-    specVersion: '1.5',
-    version: 1,
-    metadata: {
-      component: {
-        type: 'library',
-        name: pkgJson.name || 'unknown',
-        version: pkgJson.version || 'unknown',
-        purl: `pkg:npm/${pkgJson.name || 'unknown'}@${pkgJson.version || 'unknown'}`
-      },
-      tools: [{ name: 'npm-scan', version: process.env.npm_package_version || '0.3.2' }]
-    },
-    vulnerabilities: findings.map(f => {
-      const atkId = f.atk_id || f.id;
-      return {
-      id: atkId,
-      source: { name: 'npm-scan' },
-      ratings: [{ severity: f.severity }],
-      description: f.description || f.title || '',
-      recommendation: f.mitigation || 'Review evidence'
-      };
-    })
-  };
-  return JSON.stringify(bom, null, 2);
-}
-
-function generateSPDX(pkgJson, findings) {
-  const pkgName = pkgJson.name || 'unknown';
-  const pkgVer = pkgJson.version || 'unknown';
-  const spdx = {
-    spdxVersion: 'SPDX-2.3',
-    dataLicense: 'CC0-1.0',
-    SPDXID: 'SPDXRef-DOCUMENT',
-    name: `${pkgName}@${pkgVer} npm-scan SBOM`,
-    documentNamespace: `https://npm-scan.io/spdx/${pkgName}-${pkgVer}`,
-    creationInfo: {
-      creators: ['Tool: npm-scan'],
-      created: new Date().toISOString()
-    },
-    packages: [{
-      SPDXID: 'SPDXRef-Package',
-      name: pkgName,
-      versionInfo: pkgVer,
-      packageFileName: `pkg:npm/${pkgName}@${pkgVer}`,
-      primaryPackagePurpose: 'LIBRARY',
-      externalRefs: [{
-        referenceCategory: 'PACKAGE-MANAGER',
-        referenceType: 'purl',
-        referenceLocator: `pkg:npm/${pkgName}@${pkgVer}`
-      }]
-    }],
-    annotations: findings.map(f => ({
-      annotationDate: new Date().toISOString(),
-      annotationType: 'OTHER',
-      annotator: 'Tool: npm-scan',
-      comment: `[${f.atk_id || f.id}] ${f.severity.toUpperCase()}: ${f.description || f.title || ''}`
-    }))
-  };
-  return JSON.stringify(spdx, null, 2);
+export function generateSBOM(pkgJson, findings, format = 'json') {
+  if (format === 'spdx') return generateSPDX(pkgJson, findings);
+  return generateCycloneDX(pkgJson, findings);
+}
+
+function generateCycloneDX(pkgJson, findings) {
+  const bom = {
+    bomFormat: 'CycloneDX',
+    specVersion: '1.5',
+    version: 1,
+    metadata: {
+      component: {
+        type: 'library',
+        name: pkgJson.name || 'unknown',
+        version: pkgJson.version || 'unknown',
+        purl: `pkg:npm/${pkgJson.name || 'unknown'}@${pkgJson.version || 'unknown'}`
+      },
+      tools: [{ name: 'npm-scan', version: process.env.npm_package_version || '0.3.2' }]
+    },
+    vulnerabilities: findings.map(f => {
+      const atkId = f.atk_id || f.id;
+      return {
+      id: atkId,
+      source: { name: 'npm-scan' },
+      ratings: [{ severity: f.severity }],
+      description: f.description || f.title || '',
+      recommendation: f.mitigation || 'Review evidence'
+      };
+    })
+  };
+  return JSON.stringify(bom, null, 2);
+}
+
+function generateSPDX(pkgJson, findings) {
+  const pkgName = pkgJson.name || 'unknown';
+  const pkgVer = pkgJson.version || 'unknown';
+  const spdx = {
+    spdxVersion: 'SPDX-2.3',
+    dataLicense: 'CC0-1.0',
+    SPDXID: 'SPDXRef-DOCUMENT',
+    name: `${pkgName}@${pkgVer} npm-scan SBOM`,
+    documentNamespace: `https://npm-scan.io/spdx/${pkgName}-${pkgVer}`,
+    creationInfo: {
+      creators: ['Tool: npm-scan'],
+      created: new Date().toISOString()
+    },
+    packages: [{
+      SPDXID: 'SPDXRef-Package',
+      name: pkgName,
+      versionInfo: pkgVer,
+      packageFileName: `pkg:npm/${pkgName}@${pkgVer}`,
+      primaryPackagePurpose: 'LIBRARY',
+      externalRefs: [{
+        referenceCategory: 'PACKAGE-MANAGER',
+        referenceType: 'purl',
+        referenceLocator: `pkg:npm/${pkgName}@${pkgVer}`
+      }]
+    }],
+    annotations: findings.map(f => ({
+      annotationDate: new Date().toISOString(),
+      annotationType: 'OTHER',
+      annotator: 'Tool: npm-scan',
+      comment: `[${f.atk_id || f.id}] ${f.severity.toUpperCase()}: ${f.description || f.title || ''}`
+    }))
+  };
+  return JSON.stringify(spdx, null, 2);
 }