@vibecheckai/cli 2.8.2 → 3.0.0

package/dist/commands/scan-vulnerabilities-osv.js

@@ -1,722 +0,0 @@
-"use strict";
-/**
- * scan:vulnerabilities command (OSV Integration)
- *
- * Enterprise-grade vulnerability detection using real-time OSV API
- *
- * Features:
- * - Real-time OSV API queries with 24h caching
- * - Lockfile parsing (package-lock.json, pnpm-lock.yaml, yarn.lock)
- * - Multi-ecosystem support (npm, PyPI, RubyGems, Go)
- * - CVSS scoring and vectors with optional NVD enrichment
- * - Remediation path analysis
- * - SARIF v2.1.0 output for GitHub code scanning
- * - Direct vs transitive vulnerability grouping
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.scanVulnerabilitiesOSV = scanVulnerabilitiesOSV;
-exports.toSarifVulnerabilitiesOSV = toSarifVulnerabilitiesOSV;
-exports.outputOSVVulnResults = outputOSVVulnResults;
-exports.registerScanVulnerabilitiesOSVCommand = registerScanVulnerabilitiesOSVCommand;
-const path_1 = require("path");
-const fs_1 = require("fs");
-const exit_codes_1 = require("../runtime/exit-codes");
-const security_1 = require('../bundles/vibecheck-security');
-const evidence_1 = require("./evidence");
-const c = {
-    bold: (s) => `\x1b[1m${s}\x1b[0m`,
-    dim: (s) => `\x1b[2m${s}\x1b[0m`,
-    critical: (s) => `\x1b[35m${s}\x1b[0m`,
-    high: (s) => `\x1b[31m${s}\x1b[0m`,
-    medium: (s) => `\x1b[33m${s}\x1b[0m`,
-    low: (s) => `\x1b[36m${s}\x1b[0m`,
-    success: (s) => `\x1b[32m${s}\x1b[0m`,
-    info: (s) => `\x1b[34m${s}\x1b[0m`,
-};
-/**
- * Detect ecosystems from project files
- */
-function detectEcosystems(projectPath) {
-    const ecosystems = [];
-    if ((0, fs_1.existsSync)((0, path_1.join)(projectPath, 'package.json')) ||
-        (0, fs_1.existsSync)((0, path_1.join)(projectPath, 'package-lock.json')) ||
-        (0, fs_1.existsSync)((0, path_1.join)(projectPath, 'pnpm-lock.yaml')) ||
-        (0, fs_1.existsSync)((0, path_1.join)(projectPath, 'yarn.lock'))) {
-        ecosystems.push('npm');
-    }
-    if ((0, fs_1.existsSync)((0, path_1.join)(projectPath, 'requirements.txt')) ||
-        (0, fs_1.existsSync)((0, path_1.join)(projectPath, 'Pipfile')) ||
-        (0, fs_1.existsSync)((0, path_1.join)(projectPath, 'poetry.lock')) ||
-        (0, fs_1.existsSync)((0, path_1.join)(projectPath, 'pyproject.toml'))) {
-        ecosystems.push('PyPI');
-    }
-    if ((0, fs_1.existsSync)((0, path_1.join)(projectPath, 'Gemfile')) ||
-        (0, fs_1.existsSync)((0, path_1.join)(projectPath, 'Gemfile.lock'))) {
-        ecosystems.push('RubyGems');
-    }
-    if ((0, fs_1.existsSync)((0, path_1.join)(projectPath, 'go.mod')) ||
-        (0, fs_1.existsSync)((0, path_1.join)(projectPath, 'go.sum'))) {
-        ecosystems.push('Go');
-    }
-    return ecosystems;
-}
-/**
- * Find line number of a dependency in package.json
- */
-function findPackageJsonLine(content, packageName) {
-    const lines = content.split('\n');
-    for (let i = 0; i < lines.length; i++) {
-        if (lines[i].includes(`"${packageName}"`)) {
-            return i + 1;
-        }
-    }
-    return undefined;
-}
-/**
- * Parse npm dependencies from package.json and lockfiles
- */
-function parseNpmDependencies(projectPath) {
-    const packages = [];
-    const lockfiles = [];
-    const packageJsonPath = (0, path_1.join)(projectPath, 'package.json');
-    if (!(0, fs_1.existsSync)(packageJsonPath))
-        return { packages, lockfiles };
-    let packageJsonContent = '';
-    try {
-        packageJsonContent = (0, fs_1.readFileSync)(packageJsonPath, 'utf-8');
-        const packageJson = JSON.parse(packageJsonContent);
-        const deps = packageJson.dependencies || {};
-        const devDeps = packageJson.devDependencies || {};
-        for (const [name, version] of Object.entries(deps)) {
-            const cleanVersion = String(version).replace(/^[\^~>=<]+/, '');
-            const line = findPackageJsonLine(packageJsonContent, name);
-            packages.push({
-                name,
-                version: cleanVersion,
-                ecosystem: 'npm',
-                isDirect: true,
-                location: { file: 'package.json', line }
-            });
-        }
-        for (const [name, version] of Object.entries(devDeps)) {
-            const cleanVersion = String(version).replace(/^[\^~>=<]+/, '');
-            const line = findPackageJsonLine(packageJsonContent, name);
-            packages.push({
-                name,
-                version: cleanVersion,
-                ecosystem: 'npm',
-                isDirect: true,
-                location: { file: 'package.json', line }
-            });
-        }
-    }
-    catch {
-        return { packages, lockfiles };
-    }
-    // Parse package-lock.json
-    const npmLockPath = (0, path_1.join)(projectPath, 'package-lock.json');
-    if ((0, fs_1.existsSync)(npmLockPath)) {
-        lockfiles.push('package-lock.json');
-        try {
-            const lockData = JSON.parse((0, fs_1.readFileSync)(npmLockPath, 'utf-8'));
-            const lockPackages = lockData.packages || {};
-            for (const [pkgPath, pkgInfo] of Object.entries(lockPackages)) {
-                if (typeof pkgInfo === 'object' && pkgInfo !== null) {
-                    const info = pkgInfo;
-                    const name = info.name || pkgPath.replace(/^node_modules\//, '');
-                    const version = info.version;
-                    if (name && version && !packages.find(p => p.name === name && p.version === version)) {
-                        packages.push({
-                            name,
-                            version,
-                            ecosystem: 'npm',
-                            isDirect: false,
-                            location: { file: 'package-lock.json' }
-                        });
-                    }
-                }
-            }
-        }
-        catch {
-            // Lockfile parsing failed
-        }
-    }
-    // Parse pnpm-lock.yaml
-    const pnpmLockPath = (0, path_1.join)(projectPath, 'pnpm-lock.yaml');
-    if ((0, fs_1.existsSync)(pnpmLockPath)) {
-        lockfiles.push('pnpm-lock.yaml');
-        try {
-            const content = (0, fs_1.readFileSync)(pnpmLockPath, 'utf-8');
-            // Simple YAML parsing for pnpm lockfile
-            const lines = content.split('\n');
-            let inPackages = false;
-            for (const line of lines) {
-                if (line.startsWith('packages:')) {
-                    inPackages = true;
-                    continue;
-                }
-                if (inPackages && line.match(/^\s{2}'?\/([^@]+)@([^':]+)/)) {
-                    const match = line.match(/^\s{2}'?\/([^@]+)@([^':]+)/);
-                    if (match) {
-                        const name = match[1];
-                        const version = match[2].replace(/['"]/g, '');
-                        if (!packages.find(p => p.name === name && p.version === version)) {
-                            packages.push({
-                                name,
-                                version,
-                                ecosystem: 'npm',
-                                isDirect: false,
-                                location: { file: 'pnpm-lock.yaml' }
-                            });
-                        }
-                    }
-                }
-            }
-        }
-        catch {
-            // Lockfile parsing failed
-        }
-    }
-    // Parse yarn.lock
-    const yarnLockPath = (0, path_1.join)(projectPath, 'yarn.lock');
-    if ((0, fs_1.existsSync)(yarnLockPath)) {
-        lockfiles.push('yarn.lock');
-        try {
-            const content = (0, fs_1.readFileSync)(yarnLockPath, 'utf-8');
-            const lines = content.split('\n');
-            let currentPackage = '';
-            for (const line of lines) {
-                // Match package header: "package@version:" or package@version:
-                const headerMatch = line.match(/^"?([^@]+)@[^"]+:?\s*$/);
-                if (headerMatch) {
-                    currentPackage = headerMatch[1];
-                    continue;
-                }
-                // Match version line
-                if (currentPackage && line.match(/^\s+version\s+"?([^"]+)"?/)) {
-                    const versionMatch = line.match(/^\s+version\s+"?([^"]+)"?/);
-                    if (versionMatch) {
-                        const version = versionMatch[1];
-                        if (!packages.find(p => p.name === currentPackage && p.version === version)) {
-                            packages.push({
-                                name: currentPackage,
-                                version,
-                                ecosystem: 'npm',
-                                isDirect: false,
-                                location: { file: 'yarn.lock' }
-                            });
-                        }
-                    }
-                    currentPackage = '';
-                }
-            }
-        }
-        catch {
-            // Lockfile parsing failed
-        }
-    }
-    return { packages, lockfiles };
-}
-/**
- * Parse Python dependencies
- */
-function parsePythonDependencies(projectPath) {
-    const packages = [];
-    const lockfiles = [];
-    const requirementsPath = (0, path_1.join)(projectPath, 'requirements.txt');
-    if ((0, fs_1.existsSync)(requirementsPath)) {
-        lockfiles.push('requirements.txt');
-        try {
-            const content = (0, fs_1.readFileSync)(requirementsPath, 'utf-8');
-            const lines = content.split('\n');
-            for (let i = 0; i < lines.length; i++) {
-                const line = lines[i].trim();
-                if (!line || line.startsWith('#'))
-                    continue;
-                const match = line.match(/^([a-zA-Z0-9_-]+)(?:==|>=|<=|~=|>|<)?([\d.]+)?/);
-                if (match) {
-                    const name = match[1];
-                    const version = match[2] || 'latest';
-                    packages.push({
-                        name,
-                        version,
-                        ecosystem: 'PyPI',
-                        isDirect: true,
-                        location: { file: 'requirements.txt', line: i + 1 }
-                    });
-                }
-            }
-        }
-        catch {
-            // Requirements parsing failed
-        }
-    }
-    // Parse Pipfile.lock
-    const pipfileLockPath = (0, path_1.join)(projectPath, 'Pipfile.lock');
-    if ((0, fs_1.existsSync)(pipfileLockPath)) {
-        lockfiles.push('Pipfile.lock');
-        try {
-            const lockData = JSON.parse((0, fs_1.readFileSync)(pipfileLockPath, 'utf-8'));
-            const sections = ['default', 'develop'];
-            for (const section of sections) {
-                const deps = lockData[section] || {};
-                for (const [name, info] of Object.entries(deps)) {
-                    if (typeof info === 'object' && info !== null) {
-                        const pkgInfo = info;
-                        const version = pkgInfo.version?.replace(/^==/, '') || 'latest';
-                        if (!packages.find(p => p.name === name)) {
-                            packages.push({
-                                name,
-                                version,
-                                ecosystem: 'PyPI',
-                                isDirect: section === 'default',
-                                location: { file: 'Pipfile.lock' }
-                            });
-                        }
-                    }
-                }
-            }
-        }
-        catch {
-            // Pipfile.lock parsing failed
-        }
-    }
-    return { packages, lockfiles };
-}
-/**
- * Parse Ruby dependencies
- */
-function parseRubyDependencies(projectPath) {
-    const packages = [];
-    const lockfiles = [];
-    // Parse Gemfile.lock for exact versions
-    const gemfileLockPath = (0, path_1.join)(projectPath, 'Gemfile.lock');
-    if ((0, fs_1.existsSync)(gemfileLockPath)) {
-        lockfiles.push('Gemfile.lock');
-        try {
-            const content = (0, fs_1.readFileSync)(gemfileLockPath, 'utf-8');
-            const lines = content.split('\n');
-            let inSpecs = false;
-            for (const line of lines) {
-                if (line.trim() === 'specs:') {
-                    inSpecs = true;
-                    continue;
-                }
-                if (inSpecs && line.match(/^\s{4}(\S+)\s+\(([^)]+)\)/)) {
-                    const match = line.match(/^\s{4}(\S+)\s+\(([^)]+)\)/);
-                    if (match) {
-                        packages.push({
-                            name: match[1],
-                            version: match[2],
-                            ecosystem: 'RubyGems',
-                            isDirect: true,
-                            location: { file: 'Gemfile.lock' }
-                        });
-                    }
-                }
-                if (inSpecs && !line.startsWith('    ') && line.trim() !== '') {
-                    inSpecs = false;
-                }
-            }
-        }
-        catch {
-            // Gemfile.lock parsing failed
-        }
-    }
-    return { packages, lockfiles };
-}
-/**
- * Parse Go dependencies
- */
-function parseGoDependencies(projectPath) {
-    const packages = [];
-    const lockfiles = [];
-    // Parse go.sum for exact versions
-    const goSumPath = (0, path_1.join)(projectPath, 'go.sum');
-    if ((0, fs_1.existsSync)(goSumPath)) {
-        lockfiles.push('go.sum');
-        try {
-            const content = (0, fs_1.readFileSync)(goSumPath, 'utf-8');
-            const lines = content.split('\n');
-            const seen = new Set();
-            for (const line of lines) {
-                const match = line.match(/^(\S+)\s+v?([^\s/]+)/);
-                if (match) {
-                    const name = match[1];
-                    const version = match[2].replace('/go.mod', '');
-                    const key = `${name}@${version}`;
-                    if (!seen.has(key)) {
-                        seen.add(key);
-                        packages.push({
-                            name,
-                            version,
-                            ecosystem: 'Go',
-                            isDirect: true,
-                            location: { file: 'go.sum' }
-                        });
-                    }
-                }
-            }
-        }
-        catch {
-            // go.sum parsing failed
-        }
-    }
-    return { packages, lockfiles };
-}
-/**
- * Scan vulnerabilities with OSV integration
- */
-async function scanVulnerabilitiesOSV(projectPath, options) {
-    const startTime = Date.now();
-    const ecosystems = options.ecosystem
-        ? [options.ecosystem]
-        : detectEcosystems(projectPath);
-    if (ecosystems.length === 0) {
-        return {
-            projectPath,
-            scanType: 'vulnerabilities',
-            ecosystem: 'npm',
-            packagesScanned: 0,
-            findings: [],
-            summary: { critical: 0, high: 0, medium: 0, low: 0 },
-            directVulnerabilities: 0,
-            transitiveVulnerabilities: 0,
-            cacheHitRate: 0,
-            scanDuration: Date.now() - startTime,
-            nvdEnriched: false,
-            lockfilesParsed: [],
-        };
-    }
-    // Parse dependencies from all detected ecosystems
-    let allPackages = [];
-    let allLockfiles = [];
-    for (const ecosystem of ecosystems) {
-        let result;
-        switch (ecosystem) {
-            case 'npm':
-                result = parseNpmDependencies(projectPath);
-                break;
-            case 'PyPI':
-                result = parsePythonDependencies(projectPath);
-                break;
-            case 'RubyGems':
-                result = parseRubyDependencies(projectPath);
-                break;
-            case 'Go':
-                result = parseGoDependencies(projectPath);
-                break;
-            default:
-                result = { packages: [], lockfiles: [] };
-        }
-        allPackages.push(...result.packages);
-        allLockfiles.push(...result.lockfiles);
-    }
-    // Deduplicate packages
-    const seen = new Set();
-    allPackages = allPackages.filter(pkg => {
-        const key = `${pkg.ecosystem}:${pkg.name}:${pkg.version}`;
-        if (seen.has(key))
-            return false;
-        seen.add(key);
-        return true;
-    });
-    // Configure and query OSV
-    const dbOptions = {
-        noCache: options.noCache,
-        nvdEnrichment: options.nvd,
-        cacheDir: (0, path_1.join)(projectPath, '.vibecheck', 'cache'),
-    };
-    const db = new security_1.VulnerabilityDatabase(dbOptions);
-    const results = await db.checkPackages(allPackages);
-    // Attach location info to results
-    const resultsWithLocation = results.map((result, idx) => ({
-        ...result,
-        location: allPackages[idx]?.location,
-    }));
-    // Calculate summary
-    const summary = {
-        critical: 0,
-        high: 0,
-        medium: 0,
-        low: 0,
-    };
-    let directVulnerabilities = 0;
-    let transitiveVulnerabilities = 0;
-    for (const result of resultsWithLocation) {
-        if (result.isVulnerable) {
-            for (const vuln of result.vulnerabilities) {
-                summary[vuln.severity]++;
-            }
-            if (result.isDirect) {
-                directVulnerabilities += result.vulnerabilities.length;
-            }
-            else {
-                transitiveVulnerabilities += result.vulnerabilities.length;
-            }
-        }
-    }
-    const cacheStats = db.getCacheStats();
-    // Warn if we had query failures (OSV unreachable)
-    const queryFailures = cacheStats.queryFailures ?? 0;
-    if (queryFailures > 0) {
-        console.error(`\n  ⚠️  WARNING: ${queryFailures} OSV queries failed. Results may be incomplete.`);
-        console.error(`     Some vulnerabilities may not have been detected due to network issues.\n`);
-    }
-    return {
-        projectPath,
-        scanType: 'vulnerabilities',
-        ecosystem: ecosystems[0],
-        packagesScanned: allPackages.length,
-        findings: resultsWithLocation.filter(r => r.isVulnerable),
-        summary,
-        directVulnerabilities,
-        transitiveVulnerabilities,
-        cacheHitRate: cacheStats.hitRate,
-        scanDuration: Date.now() - startTime,
-        nvdEnriched: options.nvd || false,
-        lockfilesParsed: [...new Set(allLockfiles)],
-    };
-}
-/**
- * Generate SARIF v2.1.0 output
- */
-function toSarifVulnerabilitiesOSV(results) {
-    const version = '1.0.0';
-    const ruleMap = new Map();
-    // Build rules from unique vulnerability IDs
-    for (const finding of results.findings) {
-        for (const vuln of finding.vulnerabilities) {
-            if (!ruleMap.has(vuln.id)) {
-                const cveId = vuln.aliases?.find(a => a.startsWith('CVE-'));
-                ruleMap.set(vuln.id, {
-                    id: vuln.id,
-                    name: vuln.title.substring(0, 100),
-                    shortDescription: { text: vuln.title },
-                    fullDescription: { text: vuln.description || vuln.title },
-                    helpUri: vuln.references?.[0] || `https://osv.dev/vulnerability/${vuln.id}`,
-                    help: {
-                        text: `Vulnerability ${vuln.id} affects this package.\n\n` +
-                            `Severity: ${vuln.severity.toUpperCase()}\n` +
-                            (vuln.cvssScore ? `CVSS Score: ${vuln.cvssScore}\n` : '') +
-                            (cveId ? `CVE: ${cveId}\n` : '') +
-                            `\nReferences:\n${vuln.references?.map(r => `- ${r}`).join('\n') || 'None'}`,
-                        markdown: `## ${vuln.title}\n\n` +
-                            `**Severity:** ${vuln.severity.toUpperCase()}\n\n` +
-                            (vuln.cvssScore ? `**CVSS Score:** ${vuln.cvssScore}\n\n` : '') +
-                            (vuln.cvssVector ? `**CVSS Vector:** \`${vuln.cvssVector}\`\n\n` : '') +
-                            (cveId ? `**CVE:** [${cveId}](https://nvd.nist.gov/vuln/detail/${cveId})\n\n` : '') +
-                            `### References\n${vuln.references?.map(r => `- [${r}](${r})`).join('\n') || 'None'}`,
-                    },
-                    defaultConfiguration: {
-                        level: vuln.severity === 'critical' || vuln.severity === 'high' ? 'error' :
-                            vuln.severity === 'medium' ? 'warning' : 'note',
-                    },
-                    properties: {
-                        'security-severity': vuln.cvssScore?.toString() ||
-                            (vuln.severity === 'critical' ? '9.0' :
-                                vuln.severity === 'high' ? '7.0' :
-                                    vuln.severity === 'medium' ? '4.0' : '2.0'),
-                        tags: ['security', 'vulnerability', 'dependency', vuln.source],
-                        precision: 'high',
-                    },
-                });
-            }
-        }
-    }
-    const sarifResults = [];
-    for (const finding of results.findings) {
-        for (const vuln of finding.vulnerabilities) {
-            const location = finding.location || { file: 'package.json', line: 1 };
-            const remediationText = finding.remediationPath
-                ? `${finding.remediationPath.description}${finding.remediationPath.breakingChange ? ' (Breaking change)' : ''}`
-                : `Upgrade to ${finding.recommendedVersion || 'latest'}`;
-            sarifResults.push({
-                ruleId: vuln.id,
-                ruleIndex: Array.from(ruleMap.keys()).indexOf(vuln.id),
-                level: vuln.severity === 'critical' || vuln.severity === 'high' ? 'error' :
-                    vuln.severity === 'medium' ? 'warning' : 'note',
-                message: {
-                    text: `${vuln.title} in ${finding.package}@${finding.version}. ${remediationText}`,
-                },
-                locations: [{
-                        physicalLocation: {
-                            artifactLocation: {
-                                uri: location.file,
-                                uriBaseId: '%SRCROOT%',
-                            },
-                            region: {
-                                startLine: location.line || 1,
-                                startColumn: 1,
-                            },
-                        },
-                    }],
-                fingerprints: {
-                    'vibecheck/v1': `${vuln.id}:${finding.package}:${finding.version}`,
-                },
-                partialFingerprints: {
-                    'primaryLocationLineHash': `${finding.package}:${finding.version}:${vuln.id}`,
-                },
-                properties: {
-                    package: finding.package,
-                    version: finding.version,
-                    ecosystem: results.ecosystem,
-                    isDirect: finding.isDirect,
-                    severity: vuln.severity,
-                    cvssScore: vuln.cvssScore,
-                    cvssVector: vuln.cvssVector,
-                    cwe: vuln.cwe,
-                    aliases: vuln.aliases,
-                    source: vuln.source,
-                    affectedVersions: vuln.affectedVersions,
-                    patchedVersions: vuln.patchedVersions,
-                    references: vuln.references,
-                    remediationPath: finding.remediationPath,
-                    recommendedVersion: finding.recommendedVersion,
-                },
-            });
-        }
-    }
-    return {
-        $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
-        version: '2.1.0',
-        runs: [{
-                tool: {
-                    driver: {
-                        name: 'vibecheck-cli-tool',
-                        version,
-                        informationUri: 'https://vibecheckai.dev',
-                        rules: Array.from(ruleMap.values()),
-                    },
-                },
-                results: sarifResults,
-                invocations: [{
-                        executionSuccessful: true,
-                        commandLine: `vibecheck scan:vulnerabilities --path ${results.projectPath}`,
-                        startTimeUtc: new Date().toISOString(),
-                        workingDirectory: { uri: results.projectPath.replace(/\\/g, '/') },
-                    }],
-            }],
-    };
-}
-/**
- * Output OSV vulnerability results
- */
-function outputOSVVulnResults(results, options) {
-    if (options.format === 'json') {
-        console.log(JSON.stringify(results, null, 2));
-        return;
-    }
-    if (options.format === 'sarif') {
-        const sarif = toSarifVulnerabilitiesOSV(results);
-        console.log(JSON.stringify(sarif, null, 2));
-        return;
-    }
-    console.log(`\n  ${c.info('Ecosystem:')} ${results.ecosystem}`);
-    console.log(`  ${c.info('Packages scanned:')} ${results.packagesScanned}`);
-    console.log(`  ${c.info('Lockfiles parsed:')} ${results.lockfilesParsed.join(', ') || 'none'}`);
-    console.log(`  ${c.info('Cache hit rate:')} ${(results.cacheHitRate * 100).toFixed(1)}%`);
-    console.log(`  ${c.info('NVD enrichment:')} ${results.nvdEnriched ? 'enabled' : 'disabled'}`);
-    console.log(`  ${c.info('Scan duration:')} ${(results.scanDuration / 1000).toFixed(2)}s\n`);
-    const { summary } = results;
-    const total = summary.critical + summary.high + summary.medium + summary.low;
-    if (total === 0) {
-        console.log(`  ${c.success('✓')} ${c.bold('No vulnerabilities found!')}\n`);
-        return;
-    }
-    console.log(`  ${c.critical('CRITICAL')}  ${summary.critical}`);
-    console.log(`  ${c.high('HIGH')}      ${summary.high}`);
-    console.log(`  ${c.medium('MEDIUM')}    ${summary.medium}`);
-    console.log(`  ${c.low('LOW')}       ${summary.low}\n`);
-    console.log(`  ${c.info('Direct:')} ${results.directVulnerabilities} | ${c.info('Transitive:')} ${results.transitiveVulnerabilities}\n`);
-    // Group by direct vs transitive
-    const directFindings = results.findings.filter(f => f.isDirect);
-    const transitiveFindings = results.findings.filter(f => !f.isDirect);
-    if (directFindings.length > 0) {
-        console.log(`${c.bold('  DIRECT DEPENDENCIES:')}\n`);
-        outputFindingsList(directFindings);
-    }
-    if (transitiveFindings.length > 0) {
-        console.log(`\n${c.bold('  TRANSITIVE DEPENDENCIES:')}\n`);
-        outputFindingsList(transitiveFindings);
-    }
-}
-function outputFindingsList(findings) {
-    for (const finding of findings) {
-        for (const vuln of finding.vulnerabilities) {
-            const severityLabel = vuln.severity === 'critical' ? c.critical('CRITICAL') :
-                vuln.severity === 'high' ? c.high('HIGH') :
-                    vuln.severity === 'medium' ? c.medium('MEDIUM') :
-                        c.low('LOW');
-            console.log(`  ${severityLabel} ${finding.package}@${finding.version}`);
-            console.log(`  ${c.dim('├─')} ${c.info('ID:')} ${vuln.id}`);
-            console.log(`  ${c.dim('├─')} ${c.info('Summary:')} ${vuln.title}`);
-            if (vuln.cvssScore != null && typeof vuln.cvssScore === 'number') {
-                console.log(`  ${c.dim('├─')} ${c.info('CVSS:')} ${vuln.cvssScore.toFixed(1)}${vuln.cvssVector ? ` (${vuln.cvssVector.substring(0, 30)}...)` : ''}`);
-            }
-            if (finding.remediationPath) {
-                const remed = finding.remediationPath;
-                const breakingLabel = remed.breakingChange ? c.medium(' [BREAKING]') : c.success(' [NON-BREAKING]');
-                console.log(`  ${c.dim('└─')} ${c.info('Fix:')} ${remed.description}${breakingLabel}\n`);
-            }
-            else {
-                console.log(`  ${c.dim('└─')} ${c.info('Fix:')} Upgrade to ${finding.recommendedVersion || 'latest'}\n`);
-            }
-        }
-    }
-}
-/**
- * Register scan:vulnerabilities command with OSV integration
- */
-function registerScanVulnerabilitiesOSVCommand(program, requireAuth, printLogo) {
-    program
-        .command('scan:vulnerabilities')
-        .description('Scan dependencies for known vulnerabilities using OSV')
-        .option('-p, --path <path>', 'Project path to scan', '.')
-        .option('-f, --format <format>', 'Output format: table, json, sarif', 'table')
-        .option('-o, --output <file>', 'Output file path')
-        .option('--no-cache', 'Bypass cache and fetch fresh data from OSV')
-        .option('--nvd', 'Enable NVD enrichment for CVSS scores (slower)')
-        .option('--fail-on-critical', 'Exit with error if critical vulnerabilities found', false)
-        .option('--fail-on-high', 'Exit with error if high+ vulnerabilities found', false)
-        .option('--evidence', 'Generate signed evidence pack', false)
-        .option('--ecosystem <ecosystem>', 'Filter by ecosystem: npm, PyPI, RubyGems, Go')
-        .action(async (opts) => {
-        requireAuth();
-        printLogo();
-        console.log(`\n${c.bold('🛡️  VULNERABILITY SCAN (OSV Integration)')}\n`);
-        const projectPath = (0, path_1.resolve)(opts.path);
-        if (opts.noCache) {
-            console.log(`  ${c.dim('Cache:')} disabled (--no-cache)\n`);
-        }
-        if (opts.nvd) {
-            console.log(`  ${c.dim('NVD enrichment:')} enabled\n`);
-        }
-        const results = await scanVulnerabilitiesOSV(projectPath, {
-            noCache: opts.noCache,
-            nvd: opts.nvd,
-            ecosystem: opts.ecosystem,
-        });
-        console.log(`${c.success('✓')} Vulnerability scan complete`);
-        outputOSVVulnResults(results, opts);
-        // Write output file if specified
-        if (opts.output) {
-            const { writeFileSync } = require('fs');
-            const output = opts.format === 'sarif'
-                ? toSarifVulnerabilitiesOSV(results)
-                : results;
-            writeFileSync(opts.output, JSON.stringify(output, null, 2));
-            console.log(`\n  ${c.success('✓')} Report written to ${opts.output}`);
-        }
-        if (opts.evidence) {
-            await (0, evidence_1.generateEvidence)('vulnerabilities', results, projectPath);
-        }
-        if (opts.failOnCritical && results.summary.critical > 0) {
-            (0, exit_codes_1.exitWith)(exit_codes_1.ExitCode.POLICY_FAIL, `${results.summary.critical} critical vulnerabilities found`);
-        }
-        if (opts.failOnHigh && (results.summary.critical + results.summary.high) > 0) {
-            (0, exit_codes_1.exitWith)(exit_codes_1.ExitCode.POLICY_FAIL, `${results.summary.critical + results.summary.high} high+ vulnerabilities found`);
-        }
-    });
-}
-//# sourceMappingURL=scan-vulnerabilities-osv.js.map