@sentriflow/cli 0.1.7 → 0.1.9

package/dist/index.js

@@ -10334,6 +10334,350 @@ function validateRegex(pattern, flags, path, ctx) {
   }
 }
 
+// ../core/src/ip/extractor.ts
+function isValidIPv4(ip) {
+  if (!ip || typeof ip !== "string") return false;
+  const octets = ip.split(".");
+  if (octets.length !== 4) return false;
+  for (const octet of octets) {
+    if (!/^\d+$/.test(octet)) return false;
+    if (octet.length > 1 && octet.startsWith("0")) return false;
+    const num = parseInt(octet, 10);
+    if (isNaN(num) || num < 0 || num > 255) return false;
+  }
+  return true;
+}
+function isValidIPv6(ip) {
+  if (!ip || typeof ip !== "string") return false;
+  let addr = ip;
+  const zoneIndex = ip.indexOf("%");
+  if (zoneIndex !== -1) {
+    addr = ip.substring(0, zoneIndex);
+  }
+  if (!addr.includes(":")) return false;
+  if (addr.includes(":::")) return false;
+  const doubleColonCount = (addr.match(/::/g) || []).length;
+  if (doubleColonCount > 1) return false;
+  const parts = addr.split(":");
+  if (doubleColonCount === 1) {
+    const nonEmptyParts = parts.filter((p) => p !== "");
+    for (const part of nonEmptyParts) {
+      if (!/^[0-9a-fA-F]{1,4}$/.test(part)) return false;
+    }
+    if (nonEmptyParts.length > 7) return false;
+  } else {
+    if (parts.length !== 8) return false;
+    for (const part of parts) {
+      if (!/^[0-9a-fA-F]{1,4}$/.test(part)) return false;
+    }
+  }
+  return true;
+}
+function isValidSubnet(subnet) {
+  if (!subnet || typeof subnet !== "string") return false;
+  const slashIndex = subnet.lastIndexOf("/");
+  if (slashIndex === -1) return false;
+  const ip = subnet.substring(0, slashIndex);
+  const prefixStr = subnet.substring(slashIndex + 1);
+  if (!/^\d+$/.test(prefixStr)) return false;
+  const prefix = parseInt(prefixStr, 10);
+  if (isValidIPv4(ip)) {
+    return prefix >= 0 && prefix <= 32;
+  } else if (isValidIPv6(ip)) {
+    return prefix >= 0 && prefix <= 128;
+  }
+  return false;
+}
+function normalizeIPv4(ip) {
+  return ip.split(".").map((octet) => parseInt(octet, 10).toString()).join(".");
+}
+function normalizeIPv6(ip) {
+  let addr = ip;
+  const zoneIndex = ip.indexOf("%");
+  if (zoneIndex !== -1) {
+    addr = ip.substring(0, zoneIndex);
+  }
+  addr = addr.toLowerCase();
+  if (addr.includes("::")) {
+    const sides = addr.split("::");
+    const left = sides[0] ? sides[0].split(":").filter((p) => p !== "") : [];
+    const right = sides[1] ? sides[1].split(":").filter((p) => p !== "") : [];
+    const zerosNeeded = 8 - left.length - right.length;
+    const expanded = [];
+    for (const part of left) {
+      expanded.push(parseInt(part, 16).toString(16));
+    }
+    for (let i = 0; i < zerosNeeded; i++) {
+      expanded.push("0");
+    }
+    for (const part of right) {
+      expanded.push(parseInt(part, 16).toString(16));
+    }
+    return expanded.join(":");
+  }
+  const parts = addr.split(":");
+  const result = [];
+  for (const part of parts) {
+    if (part !== "") {
+      result.push(parseInt(part, 16).toString(16));
+    }
+  }
+  return result.join(":");
+}
+function ipv4ToNumber(ip) {
+  const octets = ip.split(".").map(Number);
+  const o0 = octets[0] ?? 0;
+  const o1 = octets[1] ?? 0;
+  const o2 = octets[2] ?? 0;
+  const o3 = octets[3] ?? 0;
+  return (o0 << 24 >>> 0) + (o1 << 16) + (o2 << 8) + o3;
+}
+function compareIPv4(a, b) {
+  const numA = ipv4ToNumber(a);
+  const numB = ipv4ToNumber(b);
+  return numA < numB ? -1 : numA > numB ? 1 : 0;
+}
+function expandIPv6(ip) {
+  let addr = ip;
+  const zoneIndex = ip.indexOf("%");
+  if (zoneIndex !== -1) {
+    addr = ip.substring(0, zoneIndex);
+  }
+  const parts = addr.split(":");
+  const result = [];
+  for (let i = 0; i < parts.length; i++) {
+    if (parts[i] === "" && i > 0 && i < parts.length - 1) {
+      const nonEmpty = parts.filter((p) => p !== "").length;
+      const zeros = 8 - nonEmpty;
+      for (let j = 0; j < zeros; j++) {
+        result.push("0");
+      }
+    } else if (parts[i] !== "") {
+      result.push(parts[i] ?? "0");
+    } else if (i === 0 && parts[1] === "") {
+      const nonEmpty = parts.filter((p) => p !== "").length;
+      const zeros = 8 - nonEmpty;
+      for (let j = 0; j < zeros; j++) {
+        result.push("0");
+      }
+    } else if (i === parts.length - 1 && parts[i - 1] === "") {
+    }
+  }
+  while (result.length < 8) {
+    result.push("0");
+  }
+  return result.slice(0, 8);
+}
+function ipv6ToBigInt(ip) {
+  const parts = expandIPv6(ip);
+  let result = 0n;
+  for (const part of parts) {
+    result = (result << 16n) + BigInt(parseInt(part, 16) || 0);
+  }
+  return result;
+}
+function compareIPv6(a, b) {
+  const bigA = ipv6ToBigInt(a);
+  const bigB = ipv6ToBigInt(b);
+  return bigA < bigB ? -1 : bigA > bigB ? 1 : 0;
+}
+function sortIPv4Addresses(ips) {
+  return [...ips].sort(compareIPv4);
+}
+function sortIPv6Addresses(ips) {
+  return [...ips].sort(compareIPv6);
+}
+function parseSubnet(subnet) {
+  const slashIndex = subnet.lastIndexOf("/");
+  return {
+    network: subnet.substring(0, slashIndex),
+    prefix: parseInt(subnet.substring(slashIndex + 1), 10)
+  };
+}
+function sortSubnets(subnets, type) {
+  const compare = type === "ipv4" ? compareIPv4 : compareIPv6;
+  return [...subnets].sort((a, b) => {
+    const subA = parseSubnet(a);
+    const subB = parseSubnet(b);
+    const netCompare = compare(subA.network, subB.network);
+    if (netCompare !== 0) return netCompare;
+    return subA.prefix - subB.prefix;
+  });
+}
+function isSubnetMask(ip) {
+  if (!ip.startsWith("255.")) return false;
+  const octets = ip.split(".").map(Number);
+  const num = ((octets[0] ?? 0) << 24) + ((octets[1] ?? 0) << 16) + ((octets[2] ?? 0) << 8) + (octets[3] ?? 0);
+  const inverted = ~num >>> 0;
+  return inverted === 0 || (inverted & inverted + 1) === 0;
+}
+function isWildcardMask(ip) {
+  if (!ip.startsWith("0.")) return false;
+  const octets = ip.split(".").map(Number);
+  const num = ((octets[0] ?? 0) << 24) + ((octets[1] ?? 0) << 16) + ((octets[2] ?? 0) << 8) + (octets[3] ?? 0);
+  return num === 0 || (num + 1 & num) === 0;
+}
+function maskToCidr(mask) {
+  if (!isSubnetMask(mask)) return -1;
+  const octets = mask.split(".").map(Number);
+  const num = ((octets[0] ?? 0) << 24) + ((octets[1] ?? 0) << 16) + ((octets[2] ?? 0) << 8) + (octets[3] ?? 0);
+  let prefix = 0;
+  let n = num >>> 0;
+  while (n & 2147483648) {
+    prefix++;
+    n = n << 1 >>> 0;
+  }
+  return prefix;
+}
+function wildcardToCidr(wildcard) {
+  if (!isWildcardMask(wildcard)) return -1;
+  const octets = wildcard.split(".").map(Number);
+  const num = ((octets[0] ?? 0) << 24) + ((octets[1] ?? 0) << 16) + ((octets[2] ?? 0) << 8) + (octets[3] ?? 0);
+  let prefix = 0;
+  let n = num >>> 0;
+  while (prefix < 32 && !(n & 2147483648)) {
+    prefix++;
+    n = n << 1 >>> 0;
+  }
+  return prefix;
+}
+var IPV4_PATTERN = /\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\b/g;
+var IPV4_CIDR_PATTERN = /\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\/(?:3[0-2]|[12]?[0-9])\b/g;
+var IPV4_WITH_MASK_PATTERN = /\b((?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\s+(255\.(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){2}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\b/g;
+var IPV4_WITH_MASK_KEYWORD_PATTERN = /\b((?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\s+mask\s+(255\.(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){2}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\b/gi;
+var IPV4_WITH_WILDCARD_PATTERN = /\b((?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\s+(0\.(?:(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){2}(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9]))\b/g;
+var IPV6_PATTERN = /(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|:(?::[0-9a-fA-F]{1,4}){1,7}|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?::[0-9a-fA-F]{1,4}){1,6}|(?:[0-9a-fA-F]{1,4}:){1,7}:|::/g;
+var IPV6_CIDR_PATTERN = /(?:(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|:(?::[0-9a-fA-F]{1,4}){1,7}|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?::[0-9a-fA-F]{1,4}){1,6}|(?:[0-9a-fA-F]{1,4}:){1,7}:|::)\/(?:12[0-8]|1[01][0-9]|[1-9]?[0-9])/g;
+function createEmptyIPSummary() {
+  return {
+    ipv4Addresses: [],
+    ipv6Addresses: [],
+    ipv4Subnets: [],
+    ipv6Subnets: [],
+    counts: {
+      ipv4: 0,
+      ipv6: 0,
+      ipv4Subnets: 0,
+      ipv6Subnets: 0,
+      total: 0
+    }
+  };
+}
+function extractIPSummary(content, options = {}) {
+  if (!content || typeof content !== "string") {
+    return createEmptyIPSummary();
+  }
+  const ipv4Set = /* @__PURE__ */ new Set();
+  const ipv6Set = /* @__PURE__ */ new Set();
+  const ipv4SubnetSet = /* @__PURE__ */ new Set();
+  const ipv6SubnetSet = /* @__PURE__ */ new Set();
+  const subnetNetworks = /* @__PURE__ */ new Set();
+  const ipsWithMasks = /* @__PURE__ */ new Set();
+  if (!options.skipSubnets) {
+    const ipv4CidrMatches = content.matchAll(IPV4_CIDR_PATTERN);
+    for (const match of ipv4CidrMatches) {
+      const subnet = match[0];
+      if (isValidSubnet(subnet)) {
+        const { network } = parseSubnet(subnet);
+        const normalizedNetwork = normalizeIPv4(network);
+        ipv4SubnetSet.add(`${normalizedNetwork}/${parseSubnet(subnet).prefix}`);
+        subnetNetworks.add(normalizedNetwork);
+      }
+    }
+    const ipMaskMatches = content.matchAll(IPV4_WITH_MASK_PATTERN);
+    for (const match of ipMaskMatches) {
+      const ip = match[1];
+      const mask = match[2];
+      if (ip && mask && isValidIPv4(ip) && isSubnetMask(mask)) {
+        const normalizedIP = normalizeIPv4(ip);
+        const prefix = maskToCidr(mask);
+        if (prefix >= 0) {
+          ipv4SubnetSet.add(`${normalizedIP}/${prefix}`);
+          ipsWithMasks.add(normalizedIP);
+        }
+      }
+    }
+    const ipMaskKeywordMatches = content.matchAll(IPV4_WITH_MASK_KEYWORD_PATTERN);
+    for (const match of ipMaskKeywordMatches) {
+      const ip = match[1];
+      const mask = match[2];
+      if (ip && mask && isValidIPv4(ip) && isSubnetMask(mask)) {
+        const normalizedIP = normalizeIPv4(ip);
+        const prefix = maskToCidr(mask);
+        if (prefix >= 0) {
+          ipv4SubnetSet.add(`${normalizedIP}/${prefix}`);
+          ipsWithMasks.add(normalizedIP);
+        }
+      }
+    }
+    const ipWildcardMatches = content.matchAll(IPV4_WITH_WILDCARD_PATTERN);
+    for (const match of ipWildcardMatches) {
+      const ip = match[1];
+      const wildcard = match[2];
+      if (ip && wildcard && isValidIPv4(ip) && isWildcardMask(wildcard)) {
+        const normalizedIP = normalizeIPv4(ip);
+        const prefix = wildcardToCidr(wildcard);
+        if (prefix >= 0) {
+          ipv4SubnetSet.add(`${normalizedIP}/${prefix}`);
+          ipsWithMasks.add(normalizedIP);
+        }
+      }
+    }
+  }
+  const ipv4Matches = content.matchAll(IPV4_PATTERN);
+  for (const match of ipv4Matches) {
+    const ip = match[0];
+    if (isValidIPv4(ip)) {
+      const normalized = normalizeIPv4(ip);
+      if (!subnetNetworks.has(normalized) && !ipsWithMasks.has(normalized) && !isSubnetMask(normalized) && !isWildcardMask(normalized)) {
+        ipv4Set.add(normalized);
+      }
+    }
+  }
+  if (!options.skipIPv6) {
+    if (!options.skipSubnets) {
+      const ipv6CidrMatches = content.matchAll(IPV6_CIDR_PATTERN);
+      for (const match of ipv6CidrMatches) {
+        const subnet = match[0];
+        if (isValidSubnet(subnet)) {
+          const { network, prefix } = parseSubnet(subnet);
+          const normalizedNetwork = normalizeIPv6(network);
+          ipv6SubnetSet.add(`${normalizedNetwork}/${prefix}`);
+          subnetNetworks.add(normalizedNetwork);
+        }
+      }
+    }
+    const ipv6Matches = content.matchAll(IPV6_PATTERN);
+    for (const match of ipv6Matches) {
+      const ip = match[0];
+      if (isValidIPv6(ip)) {
+        const normalized = normalizeIPv6(ip);
+        if (!subnetNetworks.has(normalized)) {
+          ipv6Set.add(normalized);
+        }
+      }
+    }
+  }
+  const ipv4Addresses = sortIPv4Addresses([...ipv4Set]);
+  const ipv6Addresses = sortIPv6Addresses([...ipv6Set]);
+  const ipv4Subnets = sortSubnets([...ipv4SubnetSet], "ipv4");
+  const ipv6Subnets = sortSubnets([...ipv6SubnetSet], "ipv6");
+  const counts = {
+    ipv4: ipv4Addresses.length,
+    ipv6: ipv6Addresses.length,
+    ipv4Subnets: ipv4Subnets.length,
+    ipv6Subnets: ipv6Subnets.length,
+    total: ipv4Addresses.length + ipv6Addresses.length + ipv4Subnets.length + ipv6Subnets.length
+  };
+  return {
+    ipv4Addresses,
+    ipv6Addresses,
+    ipv4Subnets,
+    ipv6Subnets,
+    counts
+  };
+}
+
 // index.ts
 import { readFile } from "fs/promises";
 import { statSync as statSync2 } from "fs";
@@ -10341,7 +10685,7 @@ import { resolve as resolve4, dirname as dirname2, basename } from "path";
 
 // src/sarif.ts
 import { relative } from "path";
-function generateSarif(results, filePath, rules, options = {}) {
+function generateSarif(results, filePath, rules, options = {}, ipSummary) {
   const fileUri = options.relativePaths ? relative(options.baseDir ?? process.cwd(), filePath) : filePath;
   const sarifResults = results.map((result) => {
     return {
@@ -10383,16 +10727,18 @@ function generateSarif(results, filePath, rules, options = {}) {
         kinds: ["superset"]
       }));
     }
-    if (secMeta?.cvssScore !== void 0 || secMeta?.cvssVector || secMeta?.tags) {
+    const hasCvss = secMeta?.cvssScore !== void 0 || secMeta?.cvssVector;
+    const hasTags = rule.metadata.tags && rule.metadata.tags.length > 0;
+    if (hasCvss || hasTags) {
       base.properties = {};
-      if (secMeta.cvssScore !== void 0) {
+      if (secMeta?.cvssScore !== void 0) {
         base.properties["security-severity"] = String(secMeta.cvssScore);
       }
-      if (secMeta.cvssVector) {
+      if (secMeta?.cvssVector) {
         base.properties["cvss-vector"] = secMeta.cvssVector;
       }
-      if (secMeta.tags && secMeta.tags.length > 0) {
-        base.properties.tags = secMeta.tags;
+      if (hasTags) {
+        base.properties.tags = rule.metadata.tags.map((t) => t.label);
       }
     }
     return base;
@@ -10408,7 +10754,7 @@ function generateSarif(results, filePath, rules, options = {}) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.1.7",
+            version: "0.1.9",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -10435,13 +10781,61 @@ function generateSarif(results, filePath, rules, options = {}) {
             }
           ]
         },
-        results: sarifResults
+        results: sarifResults,
+        // Include IP summary in properties if available
+        ...ipSummary && {
+          properties: {
+            ipSummary
+          }
+        }
       }
     ]
   };
   return JSON.stringify(report, null, 2);
 }
+function aggregateIPSummaries(summaries) {
+  if (summaries.length === 0) return void 0;
+  const ipv4Set = /* @__PURE__ */ new Set();
+  const ipv6Set = /* @__PURE__ */ new Set();
+  const ipv4SubnetSet = /* @__PURE__ */ new Set();
+  const ipv6SubnetSet = /* @__PURE__ */ new Set();
+  for (const summary of summaries) {
+    for (const ip of summary.ipv4Addresses) ipv4Set.add(ip);
+    for (const ip of summary.ipv6Addresses) ipv6Set.add(ip);
+    for (const subnet of summary.ipv4Subnets) ipv4SubnetSet.add(subnet);
+    for (const subnet of summary.ipv6Subnets) ipv6SubnetSet.add(subnet);
+  }
+  const ipv4Addresses = [...ipv4Set].sort((a, b) => {
+    const aParts = a.split(".").map(Number);
+    const bParts = b.split(".").map(Number);
+    for (let i = 0; i < 4; i++) {
+      if ((aParts[i] ?? 0) !== (bParts[i] ?? 0)) {
+        return (aParts[i] ?? 0) - (bParts[i] ?? 0);
+      }
+    }
+    return 0;
+  });
+  const ipv6Addresses = [...ipv6Set].sort();
+  const ipv4Subnets = [...ipv4SubnetSet].sort();
+  const ipv6Subnets = [...ipv6SubnetSet].sort();
+  return {
+    ipv4Addresses,
+    ipv6Addresses,
+    ipv4Subnets,
+    ipv6Subnets,
+    counts: {
+      ipv4: ipv4Addresses.length,
+      ipv6: ipv6Addresses.length,
+      ipv4Subnets: ipv4Subnets.length,
+      ipv6Subnets: ipv6Subnets.length,
+      total: ipv4Addresses.length + ipv6Addresses.length + ipv4Subnets.length + ipv6Subnets.length
+    }
+  };
+}
 function generateMultiFileSarif(fileResults, rules, options = {}) {
+  const aggregatedIpSummary = aggregateIPSummaries(
+    fileResults.map((fr) => fr.ipSummary).filter((s) => !!s)
+  );
   const allSarifResults = fileResults.flatMap(({ filePath, results }) => {
     const fileUri = options.relativePaths ? relative(options.baseDir ?? process.cwd(), filePath) : filePath;
     return results.map((result) => ({
@@ -10482,16 +10876,18 @@ function generateMultiFileSarif(fileResults, rules, options = {}) {
         kinds: ["superset"]
       }));
     }
-    if (secMeta?.cvssScore !== void 0 || secMeta?.cvssVector || secMeta?.tags) {
+    const hasCvss = secMeta?.cvssScore !== void 0 || secMeta?.cvssVector;
+    const hasTags = rule.metadata.tags && rule.metadata.tags.length > 0;
+    if (hasCvss || hasTags) {
       base.properties = {};
-      if (secMeta.cvssScore !== void 0) {
+      if (secMeta?.cvssScore !== void 0) {
         base.properties["security-severity"] = String(secMeta.cvssScore);
       }
-      if (secMeta.cvssVector) {
+      if (secMeta?.cvssVector) {
         base.properties["cvss-vector"] = secMeta.cvssVector;
       }
-      if (secMeta.tags && secMeta.tags.length > 0) {
-        base.properties.tags = secMeta.tags;
+      if (hasTags) {
+        base.properties.tags = rule.metadata.tags.map((t) => t.label);
       }
     }
     return base;
@@ -10514,7 +10910,7 @@ function generateMultiFileSarif(fileResults, rules, options = {}) {
         tool: {
           driver: {
             name: "Sentriflow",
-            version: "0.1.7",
+            version: "0.1.9",
             informationUri: "https://github.com/sentriflow/sentriflow",
             rules: sarifRules,
             // SEC-007: Include CWE taxonomy when rules reference it
@@ -10545,7 +10941,13 @@ function generateMultiFileSarif(fileResults, rules, options = {}) {
             }
           ]
         },
-        results: allSarifResults
+        results: allSarifResults,
+        // Include aggregated IP summary in properties if available
+        ...aggregatedIpSummary && {
+          properties: {
+            ipSummary: aggregatedIpSummary
+          }
+        }
       }
     ]
   };
@@ -13086,9 +13488,12 @@ var cisco_json_rules_default = {
         description: "Trunk ports should disable DTP (Dynamic Trunking Protocol)",
         remediation: "Add 'switchport nonegotiate' to disable DTP on trunk ports",
         security: {
-          cwe: ["CWE-319"],
-          tags: ["vlan-hopping", "network-security"]
-        }
+          cwe: ["CWE-319"]
+        },
+        tags: [
+          { type: "security", label: "vlan-hopping" },
+          { type: "security", label: "network-security" }
+        ]
       },
       check: {
         type: "and",
@@ -13129,9 +13534,12 @@ var cisco_json_rules_default = {
         description: "VTY lines should have access-class configured for SSH access control",
         remediation: "Add 'access-class <acl> in' to restrict VTY access",
         security: {
-          cwe: ["CWE-284"],
-          tags: ["access-control", "remote-access"]
-        }
+          cwe: ["CWE-284"]
+        },
+        tags: [
+          { type: "security", label: "access-control" },
+          { type: "security", label: "remote-access" }
+        ]
       },
       check: {
         type: "child_not_exists",
@@ -13213,9 +13621,12 @@ var juniper_json_rules_default = {
         description: "SSH should be configured for version 2 only",
         remediation: "Configure 'set system services ssh protocol-version v2'",
         security: {
-          cwe: ["CWE-327"],
-          tags: ["ssh", "encryption"]
-        }
+          cwe: ["CWE-327"]
+        },
+        tags: [
+          { type: "security", label: "ssh" },
+          { type: "security", label: "encryption" }
+        ]
       },
       check: {
         type: "and",
@@ -13246,9 +13657,12 @@ var juniper_json_rules_default = {
         description: "Telnet service should be disabled",
         remediation: "Remove 'set system services telnet' or add 'delete system services telnet'",
         security: {
-          cwe: ["CWE-319"],
-          tags: ["telnet", "cleartext"]
-        }
+          cwe: ["CWE-319"]
+        },
+        tags: [
+          { type: "security", label: "telnet" },
+          { type: "security", label: "cleartext" }
+        ]
       },
       check: {
         type: "helper",
@@ -14459,7 +14873,7 @@ function isStdinRequested(files) {
 
 // index.ts
 var program = new Command();
-program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.1.7").argument("[files...]", "Path(s) to configuration file(s) (supports multiple files)").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option("-p, --rule-pack <path>", "Rule pack file to load").option(
+program.name("sentriflow").description("SentriFlow Network Configuration Validator").version("0.1.9").argument("[files...]", "Path(s) to configuration file(s) (supports multiple files)").option("--ast", "Output the AST instead of rule results").option("-f, --format <format>", "Output format (json, sarif)", "json").option("-q, --quiet", "Only output failures (suppress passed results)").option("-c, --config <path>", "Path to config file (default: auto-detect)").option("--no-config", "Ignore config file").option("-r, --rules <path>", "Additional rules file to load (legacy)").option("-p, --rule-pack <path>", "Rule pack file to load").option(
   "--encrypted-pack <path...>",
   "SEC-012: Path(s) to encrypted rule pack(s) (.grpx), can specify multiple"
 ).option(
@@ -14752,10 +15166,12 @@ Parsing complete: ${allAsts.length} files`);
           const passed = results2.filter((r) => r.passed).length;
           totalFailures += failures;
           totalPassed += passed;
+          const fileIpSummary = extractIPSummary(content2);
           allFileResults.push({
             filePath: filePath2,
             results: results2,
-            vendor: { id: vendor2.id, name: vendor2.name }
+            vendor: { id: vendor2.id, name: vendor2.name },
+            ipSummary: fileIpSummary
           });
         } catch (err) {
           const errMsg = err instanceof Error ? err.message : "Unknown error";
@@ -14787,7 +15203,8 @@ Parsing complete: ${allAsts.length} files`);
           files: allFileResults.map((fr) => ({
             file: fr.filePath,
             vendor: fr.vendor,
-            results: fr.results
+            results: fr.results,
+            ipSummary: fr.ipSummary
           }))
         };
         console.log(JSON.stringify(output, null, 2));
@@ -14863,17 +15280,19 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
       if (options.quiet) {
         results2 = results2.filter((r) => !r.passed);
       }
+      const stdinIpSummary = extractIPSummary(content2);
       if (options.format === "sarif") {
         const sarifOptions = {
           relativePaths: options.relativePaths,
           baseDir: process.cwd()
         };
-        console.log(generateSarif(results2, "<stdin>", stdinRules, sarifOptions));
+        console.log(generateSarif(results2, "<stdin>", stdinRules, sarifOptions, stdinIpSummary));
       } else {
         const output = {
           file: "<stdin>",
           vendor: { id: vendor2.id, name: vendor2.name },
-          results: results2
+          results: results2,
+          ipSummary: stdinIpSummary
         };
         console.log(JSON.stringify(output, null, 2));
       }
@@ -14932,10 +15351,12 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
           const passed = results2.filter((r) => r.passed).length;
           totalFailures += failures;
           totalPassed += passed;
+          const fileIpSummary = extractIPSummary(content2);
           allFileResults.push({
             filePath: filePath2,
             results: results2,
-            vendor: { id: vendor2.id, name: vendor2.name }
+            vendor: { id: vendor2.id, name: vendor2.name },
+            ipSummary: fileIpSummary
           });
         } catch (err) {
           const errMsg = err instanceof Error ? err.message : "Unknown error";
@@ -14962,7 +15383,8 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
           files: allFileResults.map((fr) => ({
             file: fr.filePath,
             vendor: fr.vendor,
-            results: fr.results
+            results: fr.results,
+            ipSummary: fr.ipSummary
           }))
         };
         console.log(JSON.stringify(output, null, 2));
@@ -15047,13 +15469,14 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
     if (options.quiet) {
       results = results.filter((r) => !r.passed);
     }
+    const ipSummary = extractIPSummary(content);
     if (options.format === "sarif") {
       const sarifOptions = {
         relativePaths: options.relativePaths,
         baseDir: process.cwd()
       };
       console.log(
-        generateSarif(results, filePath, singleFileRules, sarifOptions)
+        generateSarif(results, filePath, singleFileRules, sarifOptions, ipSummary)
       );
     } else {
       const output = {
@@ -15061,7 +15484,8 @@ Scan complete: ${allFileResults.length} files, ${totalFailures} failures, ${tota
           id: vendor.id,
           name: vendor.name
         },
-        results
+        results,
+        ipSummary
       };
       console.log(JSON.stringify(output, null, 2));
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sentriflow/cli",
-  "version": "0.1.7",
+  "version": "0.1.9",
   "description": "SentriFlow CLI - Network configuration linter and validator",
   "license": "Apache-2.0",
   "main": "dist/index.js",