@nahisaho/musubix-security 1.8.0 → 1.8.5

package/dist/analyzers/sca/dependency-scanner.d.ts

@@ -0,0 +1,275 @@
+/**
+ * @fileoverview Dependency Scanner - SCA and SBOM generation
+ * @module @nahisaho/musubix-security/analyzers/sca/dependency-scanner
+ * @trace DES-SEC3-SCA-001, REQ-SEC3-SCA-001
+ */
+import type { Vulnerability, Severity } from '../../types/vulnerability.js';
+/**
+ * Dependency information
+ */
+export interface DependencyInfo {
+    name: string;
+    version: string;
+    type: 'production' | 'development' | 'peer' | 'optional';
+    license: string;
+    repository?: string;
+    description?: string;
+    dependencies?: string[];
+    devDependencies?: string[];
+}
+/**
+ * Dependency vulnerability
+ */
+export interface DependencyVulnerability {
+    id: string;
+    package: string;
+    severity: Severity;
+    vulnerableVersions: string;
+    patchedVersions?: string;
+    title: string;
+    description: string;
+    cve?: string;
+    cwe?: string[];
+    references: string[];
+    recommendation: string;
+}
+/**
+ * License risk information
+ */
+export interface LicenseRisk {
+    package: string;
+    version: string;
+    license: string;
+    riskLevel: 'low' | 'medium' | 'high' | 'critical';
+    reason: string;
+    recommendation?: string;
+}
+/**
+ * SBOM entry (CycloneDX format)
+ */
+export interface SBOMComponent {
+    type: 'library' | 'application' | 'framework' | 'file' | 'container';
+    name: string;
+    version: string;
+    purl?: string;
+    licenses?: Array<{
+        id: string;
+        name: string;
+    }>;
+    hashes?: Array<{
+        alg: string;
+        content: string;
+    }>;
+    externalReferences?: Array<{
+        type: string;
+        url: string;
+    }>;
+}
+/**
+ * SBOM document
+ */
+export interface SBOMDocument {
+    bomFormat: 'CycloneDX';
+    specVersion: string;
+    serialNumber: string;
+    version: number;
+    metadata: {
+        timestamp: string;
+        tools: Array<{
+            vendor: string;
+            name: string;
+            version: string;
+        }>;
+        component?: {
+            type: string;
+            name: string;
+            version: string;
+        };
+    };
+    components: SBOMComponent[];
+    dependencies?: Array<{
+        ref: string;
+        dependsOn: string[];
+    }>;
+}
+/**
+ * Dependency scan result
+ */
+export interface DependencyScanResult {
+    timestamp: Date;
+    projectPath: string;
+    packageManager: 'npm' | 'yarn' | 'pnpm' | 'unknown';
+    totalDependencies: number;
+    directDependencies: number;
+    devDependencies: number;
+    vulnerabilities: DependencyVulnerability[];
+    licenseRisks: LicenseRisk[];
+    outdatedPackages: OutdatedPackage[];
+    sbom: SBOMDocument;
+    summary: DependencySummary;
+}
+/**
+ * Outdated package info
+ */
+export interface OutdatedPackage {
+    name: string;
+    currentVersion: string;
+    latestVersion: string;
+    type: 'major' | 'minor' | 'patch';
+    breaking: boolean;
+}
+/**
+ * Dependency scan summary
+ */
+export interface DependencySummary {
+    vulnerabilityCount: {
+        critical: number;
+        high: number;
+        medium: number;
+        low: number;
+    };
+    licenseRiskCount: {
+        high: number;
+        medium: number;
+        low: number;
+    };
+    outdatedCount: number;
+    healthScore: number;
+}
+/**
+ * Dependency scanner options
+ */
+export interface DependencyScannerOptions {
+    checkVulnerabilities?: boolean;
+    checkLicenses?: boolean;
+    checkOutdated?: boolean;
+    generateSBOM?: boolean;
+    includeDev?: boolean;
+    depth?: number;
+    ignoredPackages?: string[];
+    allowedLicenses?: string[];
+    blockedLicenses?: string[];
+}
+/**
+ * Dependency Scanner
+ * @trace DES-SEC3-SCA-001
+ */
+export declare class DependencyScanner {
+    private options;
+    constructor(options?: DependencyScannerOptions);
+    /**
+     * Scan project dependencies
+     * @trace REQ-SEC3-SCA-001
+     */
+    scan(projectPath: string): Promise<DependencyScanResult>;
+    /**
+     * Alias for scan() - for API compatibility
+     */
+    scanDependencies(projectPath: string): Promise<{
+        packageManager: DependencyScanResult['packageManager'];
+        dependencies: Array<{
+            name: string;
+            version: string;
+            isDev: boolean;
+        }>;
+        vulnerabilities: Array<{
+            name: string;
+            severity: string;
+            advisory: string;
+        }>;
+        outdatedPackages: Array<{
+            name: string;
+            current: string;
+            latest: string;
+            updateType: string;
+        }>;
+        licenseRisks: Array<{
+            package: string;
+            license: string;
+            risk: string;
+        }>;
+        summary: {
+            totalDependencies: number;
+            vulnerableCount: number;
+            outdatedCount: number;
+            healthScore: number;
+        };
+    }>;
+    /**
+     * Public accessor for parsing dependencies
+     */
+    private parseDependenciesPublic;
+    /**
+     * Generate SBOM from scan result (public)
+     */
+    generateSBOM(scanResult: DependencyScanResult | string, deps?: DependencyInfo[]): SBOMDocument;
+    /**
+     * Internal SBOM generation
+     */
+    private generateSBOMInternal;
+    /**
+     * Detect package manager
+     */
+    private detectPackageManager;
+    /**
+     * Parse dependencies from package.json
+     */
+    private parseDependencies;
+    /**
+     * Get license for a package
+     */
+    private getLicense;
+    /**
+     * Check for vulnerabilities using npm audit
+     */
+    private checkVulnerabilities;
+    /**
+     * Map npm severity to our severity type
+     */
+    private mapNpmSeverity;
+    /**
+     * Check license risks
+     */
+    private checkLicenses;
+    /**
+     * Normalize license identifier
+     */
+    private normalizeLicense;
+    /**
+     * Check for outdated packages
+     */
+    private checkOutdated;
+    /**
+     * Determine update type
+     */
+    private determineUpdateType;
+    /**
+     * Generate SBOM document
+     */
+    private generateSBOMPrivate;
+    /**
+     * Build dependency graph for SBOM
+     */
+    private buildDependencyGraph;
+    /**
+     * Create empty SBOM
+     */
+    private createEmptySBOM;
+    /**
+     * Generate UUID v4
+     */
+    private generateUUID;
+    /**
+     * Generate scan summary
+     */
+    private generateSummary;
+    /**
+     * Convert scan result to vulnerabilities
+     */
+    toVulnerabilities(result: DependencyScanResult): Vulnerability[];
+}
+/**
+ * Create dependency scanner instance
+ */
+export declare function createDependencyScanner(options?: DependencyScannerOptions): DependencyScanner;
+//# sourceMappingURL=dependency-scanner.d.ts.map

package/dist/analyzers/sca/dependency-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependency-scanner.d.ts","sourceRoot":"","sources":["../../../src/analyzers/sca/dependency-scanner.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,KAAK,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,8BAA8B,CAAC;AAE5E;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,YAAY,GAAG,aAAa,GAAG,MAAM,GAAG,UAAU,CAAC;IACzD,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,QAAQ,CAAC;IACnB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IACf,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IAClD,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,SAAS,GAAG,aAAa,GAAG,WAAW,GAAG,MAAM,GAAG,WAAW,CAAC;IACrE,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC/C,MAAM,CAAC,EAAE,KAAK,CAAC;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACjD,kBAAkB,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAC3D;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,WAAW,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE;QACR,SAAS,EAAE,MAAM,CAAC;QAClB,KAAK,EAAE,KAAK,CAAC;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QAChE,SAAS,CAAC,EAAE;YACV,IAAI,EAAE,MAAM,CAAC;YACb,IAAI,EAAE,MAAM,CAAC;YACb,OAAO,EAAE,MAAM,CAAC;SACjB,CAAC;KACH,CAAC;IACF,UAAU,EAAE,aAAa,EAAE,CAAC;IAC5B,YAAY,CAAC,EAAE,KAAK,CAAC;QACnB,GAAG,EAAE,MAAM,CAAC;QACZ,SAAS,EAAE,MAAM,EAAE,CAAC;KACrB,CAAC,CAAC;CACJ;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,IAAI,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,KAAK,GAAG,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;IACpD,iBAAiB,EAAE,MAAM,CAAC;IAC1B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,eAAe,EAAE,MAAM,CAAC;IACxB,eAAe,EAAE,uBAAuB,EAAE,CAAC;IAC3C,YAAY,EAAE,WAAW,EAAE,CAAC;IAC5B,gBAAgB,EAAE,eAAe,EAAE,CAAC;IACpC,IAAI,EAAE,YAAY,CAAC;IACnB,OAAO,EAAE,iBAAiB,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,IAAI,EAAE,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;IAClC,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,kBAAkB,EAAE;QAClB,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,CAAC;KACb,CAAC;IACF,gBAAgB,EAAE;QAChB,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,CAAC;KACb,CAAC;IACF,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAkCD;;;GAGG;AACH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,OAAO,CAAqC;gBAExC,OAAO,GAAE,wBAA6B;IAclD;;;OAGG;IACG,IAAI,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAiD9D;;OAEG;IACG,gBAAgB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC;QACnD,cAAc,EAAE,oBAAoB,CAAC,gBAAgB,CAAC,CAAC;QACvD,YAAY,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,OAAO,CAAA;SAAE,CAAC,CAAC;QACvE,eAAe,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,QAAQ,EAAE,MAAM,CAAC;YAAC,QAAQ,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QAC7E,gBAAgB,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAC;YAAC,MAAM,EAAE,MAAM,CAAC;YAAC,UAAU,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QAC/F,YAAY,EAAE,KAAK,CAAC;YAAE,OAAO,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QACxE,OAAO,EAAE;YACP,iBAAiB,EAAE,MAAM,CAAC;YAC1B,eAAe,EAAE,MAAM,CAAC;YACxB,aAAa,EAAE,MAAM,CAAC;YACtB,WAAW,EAAE,MAAM,CAAC;SACrB,CAAC;KACH,CAAC;IAyCF;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAI/B;;OAEG;IACH,YAAY,CAAC,UAAU,EAAE,oBAAoB,GAAG,MAAM,EAAE,IAAI,CAAC,EAAE,cAAc,EAAE,GAAG,YAAY;IAS9F;;OAEG;IACH,OAAO,CAAC,oBAAoB;IA4C5B;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAQ5B;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAmDzB;;OAEG;IACH,OAAO,CAAC,UAAU;IAelB;;OAEG;YACW,oBAAoB;IA6ElC;;OAEG;IACH,OAAO,CAAC,cAAc;IAWtB;;OAEG;IACH,OAAO,CAAC,aAAa;IAoDrB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAgBxB;;OAEG;YACW,aAAa;IAyC3B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAiB3B;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAwC3B;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAgC5B;;OAEG;IACH,OAAO,CAAC,eAAe;IAIvB;;OAEG;IACH,OAAO,CAAC,YAAY;IAQpB;;OAEG;IACH,OAAO,CAAC,eAAe;IAuCvB;;OAEG;IACH,iBAAiB,CAAC,MAAM,EAAE,oBAAoB,GAAG,aAAa,EAAE;CAsBjE;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,CAAC,EAAE,wBAAwB,GAAG,iBAAiB,CAE7F"}