@oculum/scanner 1.0.12 → 1.0.13

package/dist/detect/config/osv-check.js

@@ -0,0 +1,309 @@
+"use strict";
+/**
+ * Layer 3: OSV/Security Advisory Integration
+ * Checks packages against OSV.dev for known vulnerabilities
+ *
+ * Features:
+ * - Queries OSV.dev API for known malicious/vulnerable packages
+ * - Caches advisories for efficiency
+ * - Supports npm and PyPI ecosystems
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.advisoryCache = void 0;
+exports.checkPackageAdvisories = checkPackageAdvisories;
+exports.queryOSV = queryOSV;
+exports.queryOSVBatch = queryOSVBatch;
+exports.mapOSVSeverity = mapOSVSeverity;
+exports.isMaliciousPackage = isMaliciousPackage;
+exports.getCacheKey = getCacheKey;
+const registry_clients_1 = require("../../shared/registry-clients");
+// ============================================================================
+// Configuration
+// ============================================================================
+// OSV API endpoint
+const OSV_API_URL = 'https://api.osv.dev/v1/query';
+const OSV_BATCH_URL = 'https://api.osv.dev/v1/querybatch';
+// Cache TTL (24 hours)
+const CACHE_TTL_MS = 24 * 60 * 60 * 1000;
+// Maximum packages to check per scan (cost/time control)
+const MAX_PACKAGES_TO_CHECK = 100;
+// ============================================================================
+// Advisory Cache
+// ============================================================================
+const advisoryCache = new Map();
+exports.advisoryCache = advisoryCache;
+/**
+ * Get cache key for a package
+ */
+function getCacheKey(name, ecosystem) {
+    return `${ecosystem}:${name.toLowerCase()}`;
+}
+/**
+ * Check if cached advisory is still valid
+ */
+function isCacheValid(cached) {
+    return Date.now() - cached.timestamp < CACHE_TTL_MS;
+}
+/**
+ * Get cached advisories for a package
+ */
+function getCachedAdvisories(name, ecosystem) {
+    const key = getCacheKey(name, ecosystem);
+    const cached = advisoryCache.get(key);
+    if (cached && isCacheValid(cached)) {
+        return cached.advisories;
+    }
+    return null;
+}
+/**
+ * Cache advisories for a package
+ */
+function cacheAdvisories(name, ecosystem, advisories) {
+    const key = getCacheKey(name, ecosystem);
+    advisoryCache.set(key, {
+        timestamp: Date.now(),
+        advisories,
+    });
+}
+// ============================================================================
+// OSV API Client
+// ============================================================================
+/**
+ * Query OSV.dev for vulnerabilities affecting a single package
+ */
+async function queryOSV(packageName, ecosystem, version) {
+    // Check cache first
+    const cached = getCachedAdvisories(packageName, ecosystem);
+    if (cached !== null) {
+        return cached;
+    }
+    try {
+        const query = {
+            package: {
+                name: packageName,
+                ecosystem,
+            },
+        };
+        if (version) {
+            query.version = version;
+        }
+        const response = await fetch(OSV_API_URL, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify(query),
+        });
+        if (!response.ok) {
+            // Don't throw - gracefully degrade
+            cacheAdvisories(packageName, ecosystem, []);
+            return [];
+        }
+        const data = (await response.json());
+        const advisories = data.vulns || [];
+        // Cache the result
+        cacheAdvisories(packageName, ecosystem, advisories);
+        return advisories;
+    }
+    catch {
+        // Network error - gracefully degrade
+        return [];
+    }
+}
+/**
+ * Query OSV.dev for multiple packages in batch
+ */
+async function queryOSVBatch(packages) {
+    const results = new Map();
+    // Split into cached and uncached
+    const uncached = [];
+    for (let i = 0; i < packages.length; i++) {
+        const pkg = packages[i];
+        const cached = getCachedAdvisories(pkg.name, pkg.ecosystem);
+        if (cached !== null) {
+            results.set(getCacheKey(pkg.name, pkg.ecosystem), cached);
+        }
+        else {
+            uncached.push({ ...pkg, index: i });
+        }
+    }
+    if (uncached.length === 0) {
+        return results;
+    }
+    try {
+        const queries = uncached.map(pkg => ({
+            package: {
+                name: pkg.name,
+                ecosystem: pkg.ecosystem,
+            },
+            version: pkg.version,
+        }));
+        const response = await fetch(OSV_BATCH_URL, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({ queries }),
+        });
+        if (!response.ok) {
+            // Gracefully degrade - return empty for all uncached
+            for (const pkg of uncached) {
+                cacheAdvisories(pkg.name, pkg.ecosystem, []);
+                results.set(getCacheKey(pkg.name, pkg.ecosystem), []);
+            }
+            return results;
+        }
+        const data = (await response.json());
+        // Process batch results
+        for (let i = 0; i < uncached.length; i++) {
+            const pkg = uncached[i];
+            const advisories = data.results[i]?.vulns || [];
+            cacheAdvisories(pkg.name, pkg.ecosystem, advisories);
+            results.set(getCacheKey(pkg.name, pkg.ecosystem), advisories);
+        }
+        return results;
+    }
+    catch {
+        // Network error - gracefully degrade
+        for (const pkg of uncached) {
+            results.set(getCacheKey(pkg.name, pkg.ecosystem), []);
+        }
+        return results;
+    }
+}
+// ============================================================================
+// Severity Mapping
+// ============================================================================
+/**
+ * Determine severity from OSV vulnerability
+ */
+function mapOSVSeverity(vuln) {
+    // Check for malicious package (critical)
+    if (vuln.database_specific?.malicious) {
+        return 'critical';
+    }
+    // Check CVSS score
+    const cvss = vuln.severity?.find(s => s.type === 'CVSS_V3');
+    if (cvss) {
+        const score = parseFloat(cvss.score);
+        if (score >= 9.0)
+            return 'critical';
+        if (score >= 7.0)
+            return 'high';
+        if (score >= 4.0)
+            return 'medium';
+        return 'low';
+    }
+    // Check database_specific severity
+    const dbSeverity = vuln.database_specific?.severity?.toLowerCase();
+    if (dbSeverity) {
+        if (dbSeverity === 'critical')
+            return 'critical';
+        if (dbSeverity === 'high')
+            return 'high';
+        if (dbSeverity === 'moderate' || dbSeverity === 'medium')
+            return 'medium';
+        if (dbSeverity === 'low')
+            return 'low';
+    }
+    // Default to high for unknown severity (conservative)
+    return 'high';
+}
+/**
+ * Check if vulnerability is for a malicious package
+ */
+function isMaliciousPackage(vuln) {
+    return vuln.database_specific?.malicious === true ||
+        vuln.id.startsWith('MAL-') ||
+        (vuln.summary?.toLowerCase().includes('malicious') ?? false);
+}
+// ============================================================================
+// Main Check Function
+// ============================================================================
+/**
+ * Check packages in a file for known vulnerabilities via OSV.dev
+ */
+async function checkPackageAdvisories(content, filePath) {
+    const vulnerabilities = [];
+    // Determine file type
+    const fileType = (0, registry_clients_1.getPackageFileType)(filePath);
+    if (!fileType) {
+        return vulnerabilities;
+    }
+    // Extract dependencies based on file type
+    let dependencies = [];
+    if (fileType === 'npm' && filePath.endsWith('package.json')) {
+        dependencies = (0, registry_clients_1.extractNpmDependencies)(content);
+    }
+    else if (fileType === 'python') {
+        dependencies = (0, registry_clients_1.extractPythonRequirements)(content);
+    }
+    if (dependencies.length === 0) {
+        return vulnerabilities;
+    }
+    const lines = content.split('\n');
+    const ecosystem = fileType === 'npm' ? 'npm' : 'PyPI';
+    // Limit packages to check
+    const limitedDeps = dependencies.slice(0, MAX_PACKAGES_TO_CHECK);
+    // Query OSV in batch for efficiency
+    const packagesToQuery = limitedDeps.map(dep => ({
+        name: dep.name,
+        ecosystem: ecosystem,
+        version: dep.version,
+    }));
+    const advisoriesMap = await queryOSVBatch(packagesToQuery);
+    // Process results
+    for (const dep of limitedDeps) {
+        const key = getCacheKey(dep.name, ecosystem);
+        const advisories = advisoriesMap.get(key) || [];
+        if (advisories.length === 0)
+            continue;
+        // Find the most severe vulnerability
+        let mostSevere = null;
+        let highestSeverity = 'info';
+        const severityOrder = ['info', 'low', 'medium', 'high', 'critical'];
+        for (const adv of advisories) {
+            const sev = mapOSVSeverity(adv);
+            if (severityOrder.indexOf(sev) > severityOrder.indexOf(highestSeverity)) {
+                highestSeverity = sev;
+                mostSevere = adv;
+            }
+        }
+        if (!mostSevere)
+            continue;
+        // Determine category based on malicious vs vulnerable
+        const isMalicious = advisories.some(a => isMaliciousPackage(a));
+        const category = isMalicious ? 'ai_package_malicious' : 'suspicious_package';
+        // Build description
+        const advIds = advisories.map(a => a.id).slice(0, 3).join(', ');
+        const moreCount = advisories.length > 3 ? ` +${advisories.length - 3} more` : '';
+        const description = isMalicious
+            ? `Package "${dep.name}" is flagged as MALICIOUS in OSV.dev (${advIds}${moreCount}). This package may contain malware or data exfiltration code.`
+            : `Package "${dep.name}" has ${advisories.length} known security advisories (${advIds}${moreCount}). ${mostSevere.summary || 'Review before use.'}`;
+        // Build suggested fix
+        const suggestedFix = isMalicious
+            ? `Remove "${dep.name}" immediately. Do not use this package.`
+            : `Update "${dep.name}" to a patched version or find an alternative. Check: https://osv.dev/list?ecosystem=${ecosystem}&q=${encodeURIComponent(dep.name)}`;
+        vulnerabilities.push({
+            id: `osv-${filePath}-${dep.name}`,
+            filePath,
+            lineNumber: dep.line,
+            lineContent: lines[dep.line - 1]?.trim() || dep.name,
+            severity: highestSeverity,
+            category,
+            title: isMalicious
+                ? `Malicious package: ${dep.name}`
+                : `Vulnerable package: ${dep.name} (${advisories.length} advisories)`,
+            description,
+            suggestedFix,
+            confidence: 'high',
+            layer: 3,
+            source: 'config',
+            requiresAIValidation: false, // OSV data is authoritative
+        });
+        // Rate limit between individual package queries if not using batch
+        await (0, registry_clients_1.rateLimitDelay)();
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=osv-check.js.map

package/dist/detect/config/osv-check.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"osv-check.js","sourceRoot":"","sources":["../../../src/detect/config/osv-check.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AA6SH,wDAqGC;AAIC,4BAAQ;AACR,sCAAa;AACb,wCAAc;AACd,gDAAkB;AAClB,kCAAW;AAvZb,oEAMsC;AAEtC,+EAA+E;AAC/E,gBAAgB;AAChB,+EAA+E;AAE/E,mBAAmB;AACnB,MAAM,WAAW,GAAG,8BAA8B,CAAA;AAClD,MAAM,aAAa,GAAG,mCAAmC,CAAA;AAEzD,uBAAuB;AACvB,MAAM,YAAY,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;AAExC,yDAAyD;AACzD,MAAM,qBAAqB,GAAG,GAAG,CAAA;AAuDjC,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E,MAAM,aAAa,GAAG,IAAI,GAAG,EAA0B,CAAA;AAyUrD,sCAAa;AAvUf;;GAEG;AACH,SAAS,WAAW,CAAC,IAAY,EAAE,SAAiB;IAClD,OAAO,GAAG,SAAS,IAAI,IAAI,CAAC,WAAW,EAAE,EAAE,CAAA;AAC7C,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,MAAsB;IAC1C,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,YAAY,CAAA;AACrD,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,IAAY,EAAE,SAAiB;IAC1D,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,EAAE,SAAS,CAAC,CAAA;IACxC,MAAM,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IACrC,IAAI,MAAM,IAAI,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC;QACnC,OAAO,MAAM,CAAC,UAAU,CAAA;IAC1B,CAAC;IACD,OAAO,IAAI,CAAA;AACb,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAY,EAAE,SAAiB,EAAE,UAA8B;IACtF,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,EAAE,SAAS,CAAC,CAAA;IACxC,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE;QACrB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;QACrB,UAAU;KACX,CAAC,CAAA;AACJ,CAAC;AAED,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E;;GAEG;AACH,KAAK,UAAU,QAAQ,CACrB,WAAmB,EACnB,SAAyB,EACzB,OAAgB;IAEhB,oBAAoB;IACpB,MAAM,MAAM,GAAG,mBAAmB,CAAC,WAAW,EAAE,SAAS,CAAC,CAAA;IAC1D,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,OAAO,MAAM,CAAA;IACf,CAAC;IAED,IAAI,CAAC;QACH,MAAM,KAAK,GAAa;YACtB,OAAO,EAAE;gBACP,IAAI,EAAE,WAAW;gBACjB,SAAS;aACV;SACF,CAAA;QAED,IAAI,OAAO,EAAE,CAAC;YACZ,KAAK,CAAC,OAAO,GAAG,OAAO,CAAA;QACzB,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,EAAE;YACxC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;SAC5B,CAAC,CAAA;QAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,mCAAmC;YACnC,eAAe,CAAC,WAAW,EAAE,SAAS,EAAE,EAAE,CAAC,CAAA;YAC3C,OAAO,EAAE,CAAA;QACX,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAgB,CAAA;QACnD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,IAAI,EAAE,CAAA;QAEnC,mBAAmB;QACnB,eAAe,CAAC,WAAW,EAAE,SAAS,EAAE,UAAU,CAAC,CAAA;QAEnD,OAAO,UAAU,CAAA;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,qCAAqC;QACrC,OAAO,EAAE,CAAA;IACX,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,aAAa,CAC1B,QAA8E;IAE9E,MAAM,OAAO,GAAG,IAAI,GAAG,EAA8B,CAAA;IAErD,iCAAiC;IACjC,MAAM,QAAQ,GAAwF,EAAE,CAAA;IAExG,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,MAAM,GAAG,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAA;QACvB,MAAM,MAAM,GAAG,mBAAmB,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,SAAS,CAAC,CAAA;QAC3D,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC,CAAA;QAC3D,CAAC;aAAM,CAAC;YACN,QAAQ,CAAC,IAAI,CAAC,EAAE,GAAG,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,CAAA;QACrC,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACnC,OAAO,EAAE;gBACP,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,SAAS,EAAE,GAAG,CAAC,SAAS;aACzB;YACD,OAAO,EAAE,GAAG,CAAC,OAAO;SACrB,CAAC,CAAC,CAAA;QAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;aACnC;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,CAAC;SAClC,CAAC,CAAA;QAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,qDAAqD;YACrD,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;gBAC3B,eAAe,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAA;gBAC5C,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,SAAS,CAAC,EAAE,EAAE,CAAC,CAAA;YACvD,CAAC;YACD,OAAO,OAAO,CAAA;QAChB,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAqB,CAAA;QAExD,wBAAwB;QACxB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACzC,MAAM,GAAG,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAA;YACvB,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,KAAK,IAAI,EAAE,CAAA;YAC/C,eAAe,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,SAAS,EAAE,UAAU,CAAC,CAAA;YACpD,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,SAAS,CAAC,EAAE,UAAU,CAAC,CAAA;QAC/D,CAAC;QAED,OAAO,OAAO,CAAA;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,qCAAqC;QACrC,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;YAC3B,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,SAAS,CAAC,EAAE,EAAE,CAAC,CAAA;QACvD,CAAC;QACD,OAAO,OAAO,CAAA;IAChB,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E;;GAEG;AACH,SAAS,cAAc,CAAC,IAAsB;IAC5C,yCAAyC;IACzC,IAAI,IAAI,CAAC,iBAAiB,EAAE,SAAS,EAAE,CAAC;QACtC,OAAO,UAAU,CAAA;IACnB,CAAC;IAED,mBAAmB;IACnB,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,CAAA;IAC3D,IAAI,IAAI,EAAE,CAAC;QACT,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QACpC,IAAI,KAAK,IAAI,GAAG;YAAE,OAAO,UAAU,CAAA;QACnC,IAAI,KAAK,IAAI,GAAG;YAAE,OAAO,MAAM,CAAA;QAC/B,IAAI,KAAK,IAAI,GAAG;YAAE,OAAO,QAAQ,CAAA;QACjC,OAAO,KAAK,CAAA;IACd,CAAC;IAED,mCAAmC;IACnC,MAAM,UAAU,GAAG,IAAI,CAAC,iBAAiB,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAA;IAClE,IAAI,UAAU,EAAE,CAAC;QACf,IAAI,UAAU,KAAK,UAAU;YAAE,OAAO,UAAU,CAAA;QAChD,IAAI,UAAU,KAAK,MAAM;YAAE,OAAO,MAAM,CAAA;QACxC,IAAI,UAAU,KAAK,UAAU,IAAI,UAAU,KAAK,QAAQ;YAAE,OAAO,QAAQ,CAAA;QACzE,IAAI,UAAU,KAAK,KAAK;YAAE,OAAO,KAAK,CAAA;IACxC,CAAC;IAED,sDAAsD;IACtD,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,IAAsB;IAChD,OAAO,IAAI,CAAC,iBAAiB,EAAE,SAAS,KAAK,IAAI;QAC/C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC;QAC1B,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,KAAK,CAAC,CAAA;AAChE,CAAC;AAED,+EAA+E;AAC/E,sBAAsB;AACtB,+EAA+E;AAE/E;;GAEG;AACI,KAAK,UAAU,sBAAsB,CAC1C,OAAe,EACf,QAAgB;IAEhB,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,sBAAsB;IACtB,MAAM,QAAQ,GAAG,IAAA,qCAAkB,EAAC,QAAQ,CAAC,CAAA;IAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,0CAA0C;IAC1C,IAAI,YAAY,GAA0B,EAAE,CAAA;IAE5C,IAAI,QAAQ,KAAK,KAAK,IAAI,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QAC5D,YAAY,GAAG,IAAA,yCAAsB,EAAC,OAAO,CAAC,CAAA;IAChD,CAAC;SAAM,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,YAAY,GAAG,IAAA,4CAAyB,EAAC,OAAO,CAAC,CAAA;IACnD,CAAC;IAED,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IACjC,MAAM,SAAS,GAAG,QAAQ,KAAK,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAA;IAErD,0BAA0B;IAC1B,MAAM,WAAW,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,qBAAqB,CAAC,CAAA;IAEhE,oCAAoC;IACpC,MAAM,eAAe,GAAG,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC9C,IAAI,EAAE,GAAG,CAAC,IAAI;QACd,SAAS,EAAE,SAA2B;QACtC,OAAO,EAAE,GAAG,CAAC,OAAO;KACrB,CAAC,CAAC,CAAA;IAEH,MAAM,aAAa,GAAG,MAAM,aAAa,CAAC,eAAe,CAAC,CAAA;IAE1D,kBAAkB;IAClB,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,CAAC,CAAA;QAC5C,MAAM,UAAU,GAAG,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAA;QAE/C,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;YAAE,SAAQ;QAErC,qCAAqC;QACrC,IAAI,UAAU,GAA4B,IAAI,CAAA;QAC9C,IAAI,eAAe,GAA0B,MAAM,CAAA;QACnD,MAAM,aAAa,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAA;QAEnE,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;YAC7B,MAAM,GAAG,GAAG,cAAc,CAAC,GAAG,CAAC,CAAA;YAC/B,IAAI,aAAa,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,aAAa,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;gBACxE,eAAe,GAAG,GAAG,CAAA;gBACrB,UAAU,GAAG,GAAG,CAAA;YAClB,CAAC;QACH,CAAC;QAED,IAAI,CAAC,UAAU;YAAE,SAAQ;QAEzB,sDAAsD;QACtD,MAAM,WAAW,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,CAAA;QAC/D,MAAM,QAAQ,GAAG,WAAW,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,oBAAoB,CAAA;QAE5E,oBAAoB;QACpB,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC/D,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,UAAU,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAA;QAChF,MAAM,WAAW,GAAG,WAAW;YAC7B,CAAC,CAAC,YAAY,GAAG,CAAC,IAAI,yCAAyC,MAAM,GAAG,SAAS,gEAAgE;YACjJ,CAAC,CAAC,YAAY,GAAG,CAAC,IAAI,SAAS,UAAU,CAAC,MAAM,+BAA+B,MAAM,GAAG,SAAS,MAAM,UAAU,CAAC,OAAO,IAAI,oBAAoB,EAAE,CAAA;QAErJ,sBAAsB;QACtB,MAAM,YAAY,GAAG,WAAW;YAC9B,CAAC,CAAC,WAAW,GAAG,CAAC,IAAI,yCAAyC;YAC9D,CAAC,CAAC,WAAW,GAAG,CAAC,IAAI,wFAAwF,SAAS,MAAM,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAA;QAE5J,eAAe,CAAC,IAAI,CAAC;YACnB,EAAE,EAAE,OAAO,QAAQ,IAAI,GAAG,CAAC,IAAI,EAAE;YACjC,QAAQ;YACR,UAAU,EAAE,GAAG,CAAC,IAAI;YACpB,WAAW,EAAE,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,GAAG,CAAC,IAAI;YACpD,QAAQ,EAAE,eAAe;YACzB,QAAQ;YACR,KAAK,EAAE,WAAW;gBAChB,CAAC,CAAC,sBAAsB,GAAG,CAAC,IAAI,EAAE;gBAClC,CAAC,CAAC,uBAAuB,GAAG,CAAC,IAAI,KAAK,UAAU,CAAC,MAAM,cAAc;YACvE,WAAW;YACX,YAAY;YACZ,UAAU,EAAE,MAAM;YAClB,KAAK,EAAE,CAAC;YACN,MAAM,EAAE,QAAiB;YAC3B,oBAAoB,EAAE,KAAK,EAAE,4BAA4B;SAC1D,CAAC,CAAA;QAEF,mEAAmE;QACnE,MAAM,IAAA,iCAAc,GAAE,CAAA;IACxB,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/detect/config/package-check.d.ts

@@ -0,0 +1,63 @@
+/**
+ * Layer 3: Package Hallucination Check (Story C - Hallucination Firewall)
+ *
+ * Verifies if imported packages actually exist and assesses their risk
+ * Prevents typosquatting, dependency confusion, and AI-hallucinated packages
+ *
+ * Features:
+ * - Registry metadata fetching (npm, PyPI)
+ * - Risk score calculation based on multiple factors
+ * - Typosquatting detection via Levenshtein distance
+ * - Package age and popularity analysis
+ */
+import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types';
+import { type NPMPackageMetadata, type PyPIPackageMetadata, type ExtractedDependency } from '../../shared/registry-clients';
+declare const POPULAR_NPM_PACKAGES: Set<string>;
+declare const POPULAR_PYTHON_PACKAGES: Set<string>;
+declare const LEGITIMATE_PACKAGES: Set<string>;
+interface RiskFactor {
+    name: string;
+    score: number;
+    description: string;
+}
+interface DependencyRiskScore {
+    package: string;
+    ecosystem: 'npm' | 'python';
+    totalScore: number;
+    factors: RiskFactor[];
+    recommendation: 'allow' | 'review' | 'block';
+    severity: VulnerabilitySeverity;
+}
+/**
+ * Calculate Levenshtein distance between two strings
+ */
+declare function levenshteinDistance(a: string, b: string): number;
+/**
+ * Check if package name is similar to a popular package (potential typosquat)
+ */
+declare function checkTyposquatting(packageName: string, ecosystem: 'npm' | 'python'): {
+    isSimilar: boolean;
+    similarTo?: string;
+    distance?: number;
+};
+/**
+ * Check for suspicious naming patterns
+ */
+declare function hasSuspiciousNamingPattern(packageName: string): {
+    suspicious: boolean;
+    pattern?: string;
+};
+/**
+ * Compute risk score for an npm package
+ */
+declare function computeNPMRiskScore(dep: ExtractedDependency, metadata: NPMPackageMetadata | null): Promise<DependencyRiskScore>;
+/**
+ * Compute risk score for a Python package
+ */
+declare function computePyPIRiskScore(dep: ExtractedDependency, metadata: PyPIPackageMetadata | null): Promise<DependencyRiskScore>;
+/**
+ * Check packages in a file for hallucination and risk indicators
+ */
+export declare function checkPackages(content: string, filePath: string): Promise<Vulnerability[]>;
+export { levenshteinDistance, checkTyposquatting, hasSuspiciousNamingPattern, computeNPMRiskScore, computePyPIRiskScore, POPULAR_NPM_PACKAGES, POPULAR_PYTHON_PACKAGES, LEGITIMATE_PACKAGES, };
+//# sourceMappingURL=package-check.d.ts.map

package/dist/detect/config/package-check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"package-check.d.ts","sourceRoot":"","sources":["../../../src/detect/config/package-check.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAA;AAC9E,OAAO,EAQL,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EACxB,KAAK,mBAAmB,EACzB,MAAM,+BAA+B,CAAA;AAatC,QAAA,MAAM,oBAAoB,aAkBxB,CAAA;AAEF,QAAA,MAAM,uBAAuB,aAM3B,CAAA;AAMF,QAAA,MAAM,mBAAmB,aAevB,CAAA;AAMF,UAAU,UAAU;IAClB,IAAI,EAAE,MAAM,CAAA;IACZ,KAAK,EAAE,MAAM,CAAA;IACb,WAAW,EAAE,MAAM,CAAA;CACpB;AAED,UAAU,mBAAmB;IAC3B,OAAO,EAAE,MAAM,CAAA;IACf,SAAS,EAAE,KAAK,GAAG,QAAQ,CAAA;IAC3B,UAAU,EAAE,MAAM,CAAA;IAClB,OAAO,EAAE,UAAU,EAAE,CAAA;IACrB,cAAc,EAAE,OAAO,GAAG,QAAQ,GAAG,OAAO,CAAA;IAC5C,QAAQ,EAAE,qBAAqB,CAAA;CAChC;AAMD;;GAEG;AACH,iBAAS,mBAAmB,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAyBzD;AAED;;GAEG;AACH,iBAAS,kBAAkB,CACzB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,KAAK,GAAG,QAAQ,GAC1B;IAAE,SAAS,EAAE,OAAO,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,CAoB/D;AAED;;GAEG;AACH,iBAAS,0BAA0B,CAAC,WAAW,EAAE,MAAM,GAAG;IAAE,UAAU,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,CAiBlG;AAMD;;GAEG;AACH,iBAAe,mBAAmB,CAChC,GAAG,EAAE,mBAAmB,EACxB,QAAQ,EAAE,kBAAkB,GAAG,IAAI,GAClC,OAAO,CAAC,mBAAmB,CAAC,CAwJ9B;AAED;;GAEG;AACH,iBAAe,oBAAoB,CACjC,GAAG,EAAE,mBAAmB,EACxB,QAAQ,EAAE,mBAAmB,GAAG,IAAI,GACnC,OAAO,CAAC,mBAAmB,CAAC,CAiG9B;AAiDD;;GAEG;AACH,wBAAsB,aAAa,CACjC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,aAAa,EAAE,CAAC,CAgF1B;AAGD,OAAO,EACL,mBAAmB,EACnB,kBAAkB,EAClB,0BAA0B,EAC1B,mBAAmB,EACnB,oBAAoB,EACpB,oBAAoB,EACpB,uBAAuB,EACvB,mBAAmB,GACpB,CAAA"}