@nahisaho/musubix-security 2.0.1 → 2.1.1

package/dist/cve/dependency-parser.js

@@ -0,0 +1,338 @@
+/**
+ * @fileoverview Package JSON Parser for dependency extraction
+ * @module @nahisaho/musubix-security/cve/dependency-parser
+ *
+ * Parses package.json and package-lock.json to extract dependency
+ * information for vulnerability scanning.
+ *
+ * @requirement REQ-CVE-002 - Dependency extraction from package files
+ * @design DES-EPIC2-005 - Dependency Parser component
+ */
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+/**
+ * Dependency Parser for npm projects
+ *
+ * @example
+ * ```typescript
+ * const parser = new DependencyParser();
+ *
+ * // Parse from directory
+ * const result = await parser.parseDirectory('./my-project');
+ *
+ * // Parse from package.json content
+ * const deps = parser.parsePackageJson(packageJsonContent);
+ *
+ * // Get all dependencies as flat list
+ * console.log(result.dependencies);
+ * ```
+ */
+export class DependencyParser {
+    options;
+    constructor(options = {}) {
+        this.options = {
+            includeDevDependencies: options.includeDevDependencies ?? true,
+            includePeerDependencies: options.includePeerDependencies ?? false,
+            includeOptionalDependencies: options.includeOptionalDependencies ?? true,
+            maxDepth: options.maxDepth ?? Infinity,
+        };
+    }
+    /**
+     * Parse dependencies from a project directory
+     * @param dirPath - Path to project directory
+     * @returns Parsed dependencies
+     */
+    async parseDirectory(dirPath) {
+        const warnings = [];
+        // Read package.json
+        const packageJsonPath = path.join(dirPath, 'package.json');
+        if (!fs.existsSync(packageJsonPath)) {
+            throw new Error(`package.json not found at ${packageJsonPath}`);
+        }
+        const packageJsonContent = await fs.promises.readFile(packageJsonPath, 'utf-8');
+        const packageJson = JSON.parse(packageJsonContent);
+        // Try to read package-lock.json
+        let packageLock = null;
+        const packageLockPath = path.join(dirPath, 'package-lock.json');
+        if (fs.existsSync(packageLockPath)) {
+            try {
+                const lockContent = await fs.promises.readFile(packageLockPath, 'utf-8');
+                packageLock = JSON.parse(lockContent);
+            }
+            catch (error) {
+                warnings.push(`Failed to parse package-lock.json: ${error}`);
+            }
+        }
+        else {
+            warnings.push('package-lock.json not found, using version specifiers only');
+        }
+        return this.parsePackageJsonWithLock(packageJson, packageLock, warnings);
+    }
+    /**
+     * Parse package.json content directly
+     * @param content - package.json content as string
+     * @returns Direct dependencies (no transitive without lock file)
+     */
+    parsePackageJson(content) {
+        const packageJson = JSON.parse(content);
+        const dependencies = [];
+        this.extractDependencies(packageJson.dependencies, 'dependencies', true, dependencies);
+        if (this.options.includeDevDependencies) {
+            this.extractDependencies(packageJson.devDependencies, 'devDependencies', true, dependencies);
+        }
+        if (this.options.includePeerDependencies) {
+            this.extractDependencies(packageJson.peerDependencies, 'peerDependencies', true, dependencies);
+        }
+        if (this.options.includeOptionalDependencies) {
+            this.extractDependencies(packageJson.optionalDependencies, 'optionalDependencies', true, dependencies);
+        }
+        return dependencies;
+    }
+    /**
+     * Parse package-lock.json content directly
+     * @param content - package-lock.json content as string
+     * @returns All dependencies including transitive
+     */
+    parsePackageLock(content) {
+        const lockFile = JSON.parse(content);
+        return this.extractFromLockFile(lockFile);
+    }
+    /**
+     * Parse with both package.json and lock file
+     */
+    parsePackageJsonWithLock(packageJson, packageLock, warnings) {
+        const dependencies = [];
+        const directNames = new Set();
+        // Extract direct dependencies from package.json
+        const directDeps = this.parsePackageJson(JSON.stringify(packageJson));
+        for (const dep of directDeps) {
+            directNames.add(dep.name);
+        }
+        if (packageLock) {
+            // Use lock file for all dependencies
+            const allDeps = this.extractFromLockFile(packageLock);
+            // Mark direct dependencies
+            for (const dep of allDeps) {
+                dep.isDirect = directNames.has(dep.name);
+                // Find matching direct dep to get the type
+                if (dep.isDirect) {
+                    const direct = directDeps.find(d => d.name === dep.name);
+                    if (direct) {
+                        dep.type = direct.type;
+                        dep.versionSpecifier = direct.versionSpecifier;
+                    }
+                }
+                dependencies.push(dep);
+            }
+        }
+        else {
+            // Without lock file, we only have direct dependencies
+            dependencies.push(...directDeps);
+        }
+        const directCount = dependencies.filter(d => d.isDirect).length;
+        const transitiveCount = dependencies.length - directCount;
+        return {
+            projectName: packageJson.name,
+            projectVersion: packageJson.version,
+            dependencies,
+            directCount,
+            transitiveCount,
+            warnings,
+        };
+    }
+    /**
+     * Extract dependencies from lock file
+     */
+    extractFromLockFile(lockFile) {
+        const dependencies = [];
+        const seen = new Set();
+        // Handle v2/v3 format (packages)
+        if (lockFile.packages) {
+            for (const [key, entry] of Object.entries(lockFile.packages)) {
+                // Skip root package
+                if (key === '')
+                    continue;
+                // Extract package name from path (node_modules/pkg or node_modules/@scope/pkg)
+                const name = this.extractPackageNameFromPath(key);
+                if (!name || seen.has(name))
+                    continue;
+                const type = this.determineDependencyType(entry);
+                if (!this.shouldIncludeType(type))
+                    continue;
+                seen.add(name);
+                dependencies.push({
+                    name,
+                    versionSpecifier: entry.version ?? '*',
+                    resolvedVersion: entry.version,
+                    type,
+                    isDirect: false, // Will be updated later
+                    integrity: entry.integrity,
+                    resolved: entry.resolved,
+                    dependencies: entry.dependencies ? Object.keys(entry.dependencies) : undefined,
+                });
+            }
+        }
+        // Handle v1 format (dependencies)
+        if (lockFile.dependencies && dependencies.length === 0) {
+            this.extractFromLegacyLock(lockFile.dependencies, dependencies, seen, 0);
+        }
+        return dependencies;
+    }
+    /**
+     * Extract from v1 lock format (recursive)
+     */
+    extractFromLegacyLock(deps, result, seen, depth) {
+        if (depth > this.options.maxDepth)
+            return;
+        for (const [name, entry] of Object.entries(deps)) {
+            if (seen.has(name))
+                continue;
+            const type = entry.dev
+                ? 'devDependencies'
+                : entry.optional
+                    ? 'optionalDependencies'
+                    : 'dependencies';
+            if (!this.shouldIncludeType(type))
+                continue;
+            seen.add(name);
+            result.push({
+                name,
+                versionSpecifier: entry.version,
+                resolvedVersion: entry.version,
+                type,
+                isDirect: depth === 0,
+                integrity: entry.integrity,
+                resolved: entry.resolved,
+                dependencies: entry.requires ? Object.keys(entry.requires) : undefined,
+            });
+            // Recurse into nested dependencies
+            if (entry.dependencies) {
+                this.extractFromLegacyLock(entry.dependencies, result, seen, depth + 1);
+            }
+        }
+    }
+    /**
+     * Extract dependencies from package.json section
+     */
+    extractDependencies(deps, type, isDirect, result) {
+        if (!deps)
+            return;
+        for (const [name, version] of Object.entries(deps)) {
+            result.push({
+                name,
+                versionSpecifier: version,
+                type,
+                isDirect,
+            });
+        }
+    }
+    /**
+     * Determine dependency type from lock entry
+     */
+    determineDependencyType(entry) {
+        if (entry.dev)
+            return 'devDependencies';
+        if (entry.optional)
+            return 'optionalDependencies';
+        if (entry.peer)
+            return 'peerDependencies';
+        return 'dependencies';
+    }
+    /**
+     * Check if dependency type should be included
+     */
+    shouldIncludeType(type) {
+        switch (type) {
+            case 'dependencies':
+                return true;
+            case 'devDependencies':
+                return this.options.includeDevDependencies;
+            case 'peerDependencies':
+                return this.options.includePeerDependencies;
+            case 'optionalDependencies':
+                return this.options.includeOptionalDependencies;
+            default:
+                return true;
+        }
+    }
+    /**
+     * Extract package name from node_modules path
+     */
+    extractPackageNameFromPath(modulePath) {
+        // Handle paths like:
+        // node_modules/lodash
+        // node_modules/@scope/package
+        // node_modules/a/node_modules/b
+        const match = modulePath.match(/node_modules\/(@[^/]+\/[^/]+|[^/]+)$/);
+        return match ? match[1] : null;
+    }
+}
+/**
+ * Resolve version specifier to concrete version
+ * Handles npm version ranges
+ */
+export function resolveVersionSpecifier(specifier) {
+    // Exact version
+    if (/^\d+\.\d+\.\d+/.test(specifier)) {
+        return { type: 'exact', version: specifier };
+    }
+    // URL or git
+    if (specifier.startsWith('http') || specifier.startsWith('git') || specifier.includes('github:')) {
+        if (specifier.startsWith('git') || specifier.includes('github:')) {
+            return { type: 'git' };
+        }
+        return { type: 'url' };
+    }
+    // Tag (latest, next, etc.)
+    if (/^[a-z]+$/i.test(specifier)) {
+        return { type: 'tag' };
+    }
+    // Range patterns
+    const rangeMatch = specifier.match(/^(?:>=?|<=?|~|\^)?(\d+(?:\.\d+(?:\.\d+)?)?)/);
+    if (rangeMatch) {
+        return {
+            type: 'range',
+            minVersion: rangeMatch[1],
+        };
+    }
+    return { type: 'range' };
+}
+/**
+ * Filter dependencies for security scanning
+ * Removes dev dependencies if not needed, etc.
+ */
+export function filterDependenciesForScanning(dependencies, options = {}) {
+    // Set defaults - by default include everything
+    const includeDevDeps = options.includeDevDependencies ?? true;
+    const includeTransitive = options.includeTransitive ?? true;
+    const directOnly = options.directOnly ?? false;
+    return dependencies.filter((dep) => {
+        // directOnly takes precedence
+        if (directOnly && !dep.isDirect) {
+            return false;
+        }
+        // If not including transitive and this is transitive
+        if (!includeTransitive && !dep.isDirect) {
+            return false;
+        }
+        // If not including dev deps and this is a dev dep
+        if (!includeDevDeps && dep.type === 'devDependencies') {
+            return false;
+        }
+        return true;
+    });
+}
+/**
+ * Get unique packages (deduplicate by name)
+ */
+export function getUniquePackages(dependencies) {
+    const seen = new Map();
+    for (const dep of dependencies) {
+        const existing = seen.get(dep.name);
+        if (!existing || dep.isDirect) {
+            seen.set(dep.name, dep);
+        }
+    }
+    return Array.from(seen.values());
+}
+//# sourceMappingURL=dependency-parser.js.map

package/dist/cve/dependency-parser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependency-parser.js","sourceRoot":"","sources":["../../src/cve/dependency-parser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAqHlC;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,OAAO,gBAAgB;IACV,OAAO,CAAoC;IAE5D,YAAY,UAAmC,EAAE;QAC/C,IAAI,CAAC,OAAO,GAAG;YACb,sBAAsB,EAAE,OAAO,CAAC,sBAAsB,IAAI,IAAI;YAC9D,uBAAuB,EAAE,OAAO,CAAC,uBAAuB,IAAI,KAAK;YACjE,2BAA2B,EAAE,OAAO,CAAC,2BAA2B,IAAI,IAAI;YACxE,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,QAAQ;SACvC,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,cAAc,CAAC,OAAe;QAClC,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,oBAAoB;QACpB,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;QAC3D,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,6BAA6B,eAAe,EAAE,CAAC,CAAC;QAClE,CAAC;QAED,MAAM,kBAAkB,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;QAChF,MAAM,WAAW,GAAgB,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAEhE,gCAAgC;QAChC,IAAI,WAAW,GAA2B,IAAI,CAAC;QAC/C,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;QAEhE,IAAI,EAAE,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;YACnC,IAAI,CAAC;gBACH,MAAM,WAAW,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;gBACzE,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;YACxC,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,QAAQ,CAAC,IAAI,CAAC,sCAAsC,KAAK,EAAE,CAAC,CAAC;YAC/D,CAAC;QACH,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;QAC9E,CAAC;QAED,OAAO,IAAI,CAAC,wBAAwB,CAAC,WAAW,EAAE,WAAW,EAAE,QAAQ,CAAC,CAAC;IAC3E,CAAC;IAED;;;;OAIG;IACH,gBAAgB,CAAC,OAAe;QAC9B,MAAM,WAAW,GAAgB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACrD,MAAM,YAAY,GAAuB,EAAE,CAAC;QAE5C,IAAI,CAAC,mBAAmB,CACtB,WAAW,CAAC,YAAY,EACxB,cAAc,EACd,IAAI,EACJ,YAAY,CACb,CAAC;QAEF,IAAI,IAAI,CAAC,OAAO,CAAC,sBAAsB,EAAE,CAAC;YACxC,IAAI,CAAC,mBAAmB,CACtB,WAAW,CAAC,eAAe,EAC3B,iBAAiB,EACjB,IAAI,EACJ,YAAY,CACb,CAAC;QACJ,CAAC;QAED,IAAI,IAAI,CAAC,OAAO,CAAC,uBAAuB,EAAE,CAAC;YACzC,IAAI,CAAC,mBAAmB,CACtB,WAAW,CAAC,gBAAgB,EAC5B,kBAAkB,EAClB,IAAI,EACJ,YAAY,CACb,CAAC;QACJ,CAAC;QAED,IAAI,IAAI,CAAC,OAAO,CAAC,2BAA2B,EAAE,CAAC;YAC7C,IAAI,CAAC,mBAAmB,CACtB,WAAW,CAAC,oBAAoB,EAChC,sBAAsB,EACtB,IAAI,EACJ,YAAY,CACb,CAAC;QACJ,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;IAED;;;;OAIG;IACH,gBAAgB,CAAC,OAAe;QAC9B,MAAM,QAAQ,GAAoB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACtD,OAAO,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IAC5C,CAAC;IAED;;OAEG;IACK,wBAAwB,CAC9B,WAAwB,EACxB,WAAmC,EACnC,QAAkB;QAElB,MAAM,YAAY,GAAuB,EAAE,CAAC;QAC5C,MAAM,WAAW,GAAG,IAAI,GAAG,EAAU,CAAC;QAEtC,gDAAgD;QAChD,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC;QACtE,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;YAC7B,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC5B,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YAChB,qCAAqC;YACrC,MAAM,OAAO,GAAG,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC,CAAC;YAEtD,2BAA2B;YAC3B,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;gBAC1B,GAAG,CAAC,QAAQ,GAAG,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBAEzC,2CAA2C;gBAC3C,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;oBACjB,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,CAAC,CAAC;oBACzD,IAAI,MAAM,EAAE,CAAC;wBACX,GAAG,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;wBACvB,GAAG,CAAC,gBAAgB,GAAG,MAAM,CAAC,gBAAgB,CAAC;oBACjD,CAAC;gBACH,CAAC;gBAED,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;aAAM,CAAC;YACN,sDAAsD;YACtD,YAAY,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,CAAC;QACnC,CAAC;QAED,MAAM,WAAW,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC;QAChE,MAAM,eAAe,GAAG,YAAY,CAAC,MAAM,GAAG,WAAW,CAAC;QAE1D,OAAO;YACL,WAAW,EAAE,WAAW,CAAC,IAAI;YAC7B,cAAc,EAAE,WAAW,CAAC,OAAO;YACnC,YAAY;YACZ,WAAW;YACX,eAAe;YACf,QAAQ;SACT,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,mBAAmB,CAAC,QAAyB;QACnD,MAAM,YAAY,GAAuB,EAAE,CAAC;QAC5C,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAE/B,iCAAiC;QACjC,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACtB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC7D,oBAAoB;gBACpB,IAAI,GAAG,KAAK,EAAE;oBAAE,SAAS;gBAEzB,+EAA+E;gBAC/E,MAAM,IAAI,GAAG,IAAI,CAAC,0BAA0B,CAAC,GAAG,CAAC,CAAC;gBAClD,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAEtC,MAAM,IAAI,GAAG,IAAI,CAAC,uBAAuB,CAAC,KAAK,CAAC,CAAC;gBACjD,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAE5C,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBACf,YAAY,CAAC,IAAI,CAAC;oBAChB,IAAI;oBACJ,gBAAgB,EAAE,KAAK,CAAC,OAAO,IAAI,GAAG;oBACtC,eAAe,EAAE,KAAK,CAAC,OAAO;oBAC9B,IAAI;oBACJ,QAAQ,EAAE,KAAK,EAAE,wBAAwB;oBACzC,SAAS,EAAE,KAAK,CAAC,SAAS;oBAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,YAAY,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS;iBAC/E,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,kCAAkC;QAClC,IAAI,QAAQ,CAAC,YAAY,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvD,IAAI,CAAC,qBAAqB,CAAC,QAAQ,CAAC,YAAY,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAC3E,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;IAED;;OAEG;IACK,qBAAqB,CAC3B,IAAqC,EACrC,MAA0B,EAC1B,IAAiB,EACjB,KAAa;QAEb,IAAI,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ;YAAE,OAAO;QAE1C,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACjD,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,SAAS;YAE7B,MAAM,IAAI,GAAmB,KAAK,CAAC,GAAG;gBACpC,CAAC,CAAC,iBAAiB;gBACnB,CAAC,CAAC,KAAK,CAAC,QAAQ;oBAChB,CAAC,CAAC,sBAAsB;oBACxB,CAAC,CAAC,cAAc,CAAC;YAEnB,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC;gBAAE,SAAS;YAE5C,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACf,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI;gBACJ,gBAAgB,EAAE,KAAK,CAAC,OAAO;gBAC/B,eAAe,EAAE,KAAK,CAAC,OAAO;gBAC9B,IAAI;gBACJ,QAAQ,EAAE,KAAK,KAAK,CAAC;gBACrB,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,YAAY,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,SAAS;aACvE,CAAC,CAAC;YAEH,mCAAmC;YACnC,IAAI,KAAK,CAAC,YAAY,EAAE,CAAC;gBACvB,IAAI,CAAC,qBAAqB,CAAC,KAAK,CAAC,YAAY,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;YAC1E,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACK,mBAAmB,CACzB,IAAwC,EACxC,IAAoB,EACpB,QAAiB,EACjB,MAA0B;QAE1B,IAAI,CAAC,IAAI;YAAE,OAAO;QAElB,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACnD,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI;gBACJ,gBAAgB,EAAE,OAAO;gBACzB,IAAI;gBACJ,QAAQ;aACT,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;OAEG;IACK,uBAAuB,CAAC,KAAuB;QACrD,IAAI,KAAK,CAAC,GAAG;YAAE,OAAO,iBAAiB,CAAC;QACxC,IAAI,KAAK,CAAC,QAAQ;YAAE,OAAO,sBAAsB,CAAC;QAClD,IAAI,KAAK,CAAC,IAAI;YAAE,OAAO,kBAAkB,CAAC;QAC1C,OAAO,cAAc,CAAC;IACxB,CAAC;IAED;;OAEG;IACK,iBAAiB,CAAC,IAAoB;QAC5C,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,cAAc;gBACjB,OAAO,IAAI,CAAC;YACd,KAAK,iBAAiB;gBACpB,OAAO,IAAI,CAAC,OAAO,CAAC,sBAAsB,CAAC;YAC7C,KAAK,kBAAkB;gBACrB,OAAO,IAAI,CAAC,OAAO,CAAC,uBAAuB,CAAC;YAC9C,KAAK,sBAAsB;gBACzB,OAAO,IAAI,CAAC,OAAO,CAAC,2BAA2B,CAAC;YAClD;gBACE,OAAO,IAAI,CAAC;QAChB,CAAC;IACH,CAAC;IAED;;OAEG;IACK,0BAA0B,CAAC,UAAkB;QACnD,qBAAqB;QACrB,sBAAsB;QACtB,8BAA8B;QAC9B,gCAAgC;QAChC,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;QACvE,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACjC,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,SAAiB;IAMvD,gBAAgB;IAChB,IAAI,gBAAgB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QACrC,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;IAC/C,CAAC;IAED,aAAa;IACb,IAAI,SAAS,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACjG,IAAI,SAAS,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACjE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;QACzB,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IACzB,CAAC;IAED,2BAA2B;IAC3B,IAAI,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAChC,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IACzB,CAAC;IAED,iBAAiB;IACjB,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,CAChC,6CAA6C,CAC9C,CAAC;IACF,IAAI,UAAU,EAAE,CAAC;QACf,OAAO;YACL,IAAI,EAAE,OAAO;YACb,UAAU,EAAE,UAAU,CAAC,CAAC,CAAC;SAC1B,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;AAC3B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,6BAA6B,CAC3C,YAAgC,EAChC,UAII,EAAE;IAEN,+CAA+C;IAC/C,MAAM,cAAc,GAAG,OAAO,CAAC,sBAAsB,IAAI,IAAI,CAAC;IAC9D,MAAM,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,IAAI,IAAI,CAAC;IAC5D,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,KAAK,CAAC;IAE/C,OAAO,YAAY,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE;QACjC,8BAA8B;QAC9B,IAAI,UAAU,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;YAChC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,qDAAqD;QACrD,IAAI,CAAC,iBAAiB,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;YACxC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,kDAAkD;QAClD,IAAI,CAAC,cAAc,IAAI,GAAG,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;YACtD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,YAAgC;IAEhC,MAAM,IAAI,GAAG,IAAI,GAAG,EAA4B,CAAC;IAEjD,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACpC,IAAI,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;YAC9B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;AACnC,CAAC"}

package/dist/cve/index.d.ts

@@ -0,0 +1,20 @@
+/**
+ * @fileoverview CVE module exports
+ * @module @nahisaho/musubix-security/cve
+ * @trace REQ-CVE-001
+ */
+export { NVDClient, NVDAPIError, } from './nvd-client.js';
+export type { NVDClientOptions, CVESearchResult, } from './nvd-client.js';
+export { RateLimiter, RateLimiterPool, withRateLimit, } from './rate-limiter.js';
+export type { RateLimiterOptions, RateLimitStatus, } from './rate-limiter.js';
+export { CPEMatcher, createCPESearchQuery, extractPackageFromCPE, } from './cpe-matcher.js';
+export type { CPEComponents, VersionRange, CPEMatch, VulnerabilityMatch, } from './cpe-matcher.js';
+export { DependencyParser, resolveVersionSpecifier, filterDependenciesForScanning, getUniquePackages, } from './dependency-parser.js';
+export type { DependencyType, ParsedDependency, PackageJson, PackageLockJson, PackageLockEntry, LegacyLockEntry, DependencyParserOptions, ParseResult, } from './dependency-parser.js';
+export { VulnerabilityScanner, scanProjectForVulnerabilities, } from './vulnerability-scanner.js';
+export type { VulnerabilityScannerOptions, ScanProgress, DetectedVulnerability, ScanResult, } from './vulnerability-scanner.js';
+export { CVECache, createMemoryCache, getDefaultCache, closeDefaultCache, } from './cve-cache.js';
+export type { CVECacheOptions, CacheEntry, CacheStats, } from './cve-cache.js';
+export { ReportGenerator, generateReport, generateReportToFile, getFormatFromExtension, } from './report-generator.js';
+export type { ReportFormat, ReportOptions, SARIFReport, } from './report-generator.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/cve/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/cve/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,SAAS,EACT,WAAW,GACZ,MAAM,iBAAiB,CAAC;AAEzB,YAAY,EACV,gBAAgB,EAChB,eAAe,GAChB,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EACL,WAAW,EACX,eAAe,EACf,aAAa,GACd,MAAM,mBAAmB,CAAC;AAE3B,YAAY,EACV,kBAAkB,EAClB,eAAe,GAChB,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EACL,UAAU,EACV,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,kBAAkB,CAAC;AAE1B,YAAY,EACV,aAAa,EACb,YAAY,EACZ,QAAQ,EACR,kBAAkB,GACnB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,gBAAgB,EAChB,uBAAuB,EACvB,6BAA6B,EAC7B,iBAAiB,GAClB,MAAM,wBAAwB,CAAC;AAEhC,YAAY,EACV,cAAc,EACd,gBAAgB,EAChB,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,uBAAuB,EACvB,WAAW,GACZ,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,oBAAoB,EACpB,6BAA6B,GAC9B,MAAM,4BAA4B,CAAC;AAEpC,YAAY,EACV,2BAA2B,EAC3B,YAAY,EACZ,qBAAqB,EACrB,UAAU,GACX,MAAM,4BAA4B,CAAC;AAEpC,OAAO,EACL,QAAQ,EACR,iBAAiB,EACjB,eAAe,EACf,iBAAiB,GAClB,MAAM,gBAAgB,CAAC;AAExB,YAAY,EACV,eAAe,EACf,UAAU,EACV,UAAU,GACX,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,eAAe,EACf,cAAc,EACd,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC;AAE/B,YAAY,EACV,YAAY,EACZ,aAAa,EACb,WAAW,GACZ,MAAM,uBAAuB,CAAC"}

package/dist/cve/index.js

@@ -0,0 +1,13 @@
+/**
+ * @fileoverview CVE module exports
+ * @module @nahisaho/musubix-security/cve
+ * @trace REQ-CVE-001
+ */
+export { NVDClient, NVDAPIError, } from './nvd-client.js';
+export { RateLimiter, RateLimiterPool, withRateLimit, } from './rate-limiter.js';
+export { CPEMatcher, createCPESearchQuery, extractPackageFromCPE, } from './cpe-matcher.js';
+export { DependencyParser, resolveVersionSpecifier, filterDependenciesForScanning, getUniquePackages, } from './dependency-parser.js';
+export { VulnerabilityScanner, scanProjectForVulnerabilities, } from './vulnerability-scanner.js';
+export { CVECache, createMemoryCache, getDefaultCache, closeDefaultCache, } from './cve-cache.js';
+export { ReportGenerator, generateReport, generateReportToFile, getFormatFromExtension, } from './report-generator.js';
+//# sourceMappingURL=index.js.map

package/dist/cve/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cve/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,SAAS,EACT,WAAW,GACZ,MAAM,iBAAiB,CAAC;AAOzB,OAAO,EACL,WAAW,EACX,eAAe,EACf,aAAa,GACd,MAAM,mBAAmB,CAAC;AAO3B,OAAO,EACL,UAAU,EACV,oBAAoB,EACpB,qBAAqB,GACtB,MAAM,kBAAkB,CAAC;AAS1B,OAAO,EACL,gBAAgB,EAChB,uBAAuB,EACvB,6BAA6B,EAC7B,iBAAiB,GAClB,MAAM,wBAAwB,CAAC;AAahC,OAAO,EACL,oBAAoB,EACpB,6BAA6B,GAC9B,MAAM,4BAA4B,CAAC;AASpC,OAAO,EACL,QAAQ,EACR,iBAAiB,EACjB,eAAe,EACf,iBAAiB,GAClB,MAAM,gBAAgB,CAAC;AAQxB,OAAO,EACL,eAAe,EACf,cAAc,EACd,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,uBAAuB,CAAC"}

package/dist/cve/nvd-client.d.ts

@@ -0,0 +1,137 @@
+/**
+ * @fileoverview NVD (National Vulnerability Database) API 2.0 Client
+ * @module @nahisaho/musubix-security/cve/nvd-client
+ * @trace REQ-CVE-001, DES-CVE-001
+ */
+import type { CVE, CVESearchQuery } from '../types/cve.js';
+/**
+ * NVD API client options
+ */
+export interface NVDClientOptions {
+    /** NVD API key (optional, increases rate limit from 5 to 50 req/30s) */
+    apiKey?: string;
+    /** Base URL for NVD API */
+    baseUrl?: string;
+    /** Request timeout in milliseconds (default: 30000) */
+    timeout?: number;
+    /** Maximum retry attempts (default: 3) */
+    maxRetries?: number;
+    /** Initial retry delay in milliseconds (default: 1000) */
+    retryDelay?: number;
+}
+/**
+ * CVE search result with pagination
+ */
+export interface CVESearchResult {
+    /** Total number of results */
+    totalResults: number;
+    /** Results per page */
+    resultsPerPage: number;
+    /** Start index */
+    startIndex: number;
+    /** CVE entries */
+    cves: CVE[];
+    /** Response timestamp */
+    timestamp: Date;
+}
+/**
+ * NVD API error
+ */
+export declare class NVDAPIError extends Error {
+    readonly statusCode?: number | undefined;
+    readonly retryable: boolean;
+    constructor(message: string, statusCode?: number | undefined, retryable?: boolean);
+}
+/**
+ * NVD API 2.0 Client
+ * @see https://nvd.nist.gov/developers/vulnerabilities
+ * @trace REQ-CVE-001, DES-CVE-001
+ */
+export declare class NVDClient {
+    private readonly baseUrl;
+    private readonly apiKey?;
+    private readonly timeout;
+    private readonly maxRetries;
+    private readonly retryDelay;
+    constructor(options?: NVDClientOptions);
+    /**
+     * Check if API key is configured
+     */
+    hasApiKey(): boolean;
+    /**
+     * Get a single CVE by ID
+     * @param cveId CVE identifier (e.g., "CVE-2021-44228")
+     */
+    getCVE(cveId: string): Promise<CVE | null>;
+    /**
+     * Search CVEs by keyword
+     * @param keyword Search keyword
+     * @param options Additional search options
+     */
+    searchByKeyword(keyword: string, options?: CVESearchQuery): Promise<CVESearchResult>;
+    /**
+     * Search CVEs by CPE (Common Platform Enumeration)
+     * @param cpe CPE 2.3 URI
+     * @param options Additional search options
+     */
+    searchByCPE(cpe: string, options?: CVESearchQuery): Promise<CVESearchResult>;
+    /**
+     * Search CVEs by CWE ID
+     * @param cweId CWE identifier (e.g., "CWE-79")
+     * @param options Additional search options
+     */
+    searchByCWE(cweId: string, options?: CVESearchQuery): Promise<CVESearchResult>;
+    /**
+     * Search CVEs by date range
+     * @param startDate Start date
+     * @param endDate End date
+     * @param options Additional search options
+     */
+    searchByDateRange(startDate: Date, endDate: Date, options?: CVESearchQuery): Promise<CVESearchResult>;
+    /**
+     * Search CVEs by CVSS score range
+     * @param minScore Minimum CVSS score
+     * @param maxScore Maximum CVSS score
+     * @param options Additional search options
+     */
+    searchByCVSSRange(minScore: number, maxScore: number, options?: CVESearchQuery): Promise<CVESearchResult>;
+    /**
+     * Get recently modified CVEs
+     * @param daysBack Number of days to look back (default: 7)
+     * @param options Additional search options
+     */
+    getRecentlyModified(daysBack?: number, options?: CVESearchQuery): Promise<CVESearchResult>;
+    /**
+     * Apply search options to URL
+     */
+    private applySearchOptions;
+    /**
+     * Execute search and return results
+     */
+    private executeSearch;
+    /**
+     * Make HTTP request with retry logic
+     */
+    private makeRequest;
+    /**
+     * Transform NVD API response to CVE type
+     */
+    private transformVulnerability;
+    /**
+     * Normalize CVE ID format
+     */
+    private normalizeCVEId;
+    /**
+     * Format date for NVD API
+     */
+    private formatDate;
+    /**
+     * Get CVSS severity string from score
+     */
+    private getSeverityFromScore;
+    /**
+     * Sleep for specified milliseconds
+     */
+    private sleep;
+}
+//# sourceMappingURL=nvd-client.d.ts.map

package/dist/cve/nvd-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"nvd-client.d.ts","sourceRoot":"","sources":["../../src/cve/nvd-client.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EACV,GAAG,EACH,cAAc,EAQf,MAAM,iBAAiB,CAAC;AAEzB;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,wEAAwE;IACxE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,2BAA2B;IAC3B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,uDAAuD;IACvD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,0CAA0C;IAC1C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,0DAA0D;IAC1D,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,8BAA8B;IAC9B,YAAY,EAAE,MAAM,CAAC;IACrB,uBAAuB;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,kBAAkB;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,kBAAkB;IAClB,IAAI,EAAE,GAAG,EAAE,CAAC;IACZ,yBAAyB;IACzB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED;;GAEG;AACH,qBAAa,WAAY,SAAQ,KAAK;aAGlB,UAAU,CAAC,EAAE,MAAM;aACnB,SAAS,EAAE,OAAO;gBAFlC,OAAO,EAAE,MAAM,EACC,UAAU,CAAC,EAAE,MAAM,YAAA,EACnB,SAAS,GAAE,OAAe;CAK7C;AAED;;;;GAIG;AACH,qBAAa,SAAS;IACpB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;gBAExB,OAAO,GAAE,gBAAqB;IAQ1C;;OAEG;IACH,SAAS,IAAI,OAAO;IAIpB;;;OAGG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC;IAchD;;;;OAIG;IACG,eAAe,CACnB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,eAAe,CAAC;IAQ3B;;;;OAIG;IACG,WAAW,CACf,GAAG,EAAE,MAAM,EACX,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,eAAe,CAAC;IAQ3B;;;;OAIG;IACG,WAAW,CACf,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,eAAe,CAAC;IAU3B;;;;;OAKG;IACG,iBAAiB,CACrB,SAAS,EAAE,IAAI,EACf,OAAO,EAAE,IAAI,EACb,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,eAAe,CAAC;IAS3B;;;;;OAKG;IACG,iBAAiB,CACrB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,eAAe,CAAC;IAgB3B;;;;OAIG;IACG,mBAAmB,CACvB,QAAQ,GAAE,MAAU,EACpB,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,eAAe,CAAC;IAa3B;;OAEG;IACH,OAAO,CAAC,kBAAkB;IAgC1B;;OAEG;YACW,aAAa;IAY3B;;OAEG;YACW,WAAW;IAuDzB;;OAEG;IACH,OAAO,CAAC,sBAAsB;IA8E9B;;OAEG;IACH,OAAO,CAAC,cAAc;IAQtB;;OAEG;IACH,OAAO,CAAC,UAAU;IAIlB;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAQ5B;;OAEG;IACH,OAAO,CAAC,KAAK;CAGd"}