agent-security-scanner-mcp 1.4.3 → 1.4.5

package/README.md

@@ -2,16 +2,14 @@
 
 A powerful MCP (Model Context Protocol) server for real-time security vulnerability scanning. Integrates with Claude Desktop, Claude Code, OpenCode.ai, Kilo Code, and any MCP-compatible client to automatically detect and fix security issues as you code.
 
-**275+ Semgrep-aligned security rules | 105 auto-fix templates | 4.3M+ packages indexed | AI Agent prompt security**
+**275+ Semgrep-aligned security rules | 105 auto-fix templates | 1M+ packages indexed | AI Agent prompt security**
 
-## What's New in v1.4.3
+## What's New in v1.4.5
 
-- **72% smaller package size** - Bloom Filter for npm reduces package from 84MB to 23MB
-- **4.3M+ packages indexed** - Massively expanded hallucination detection database
-- **7 ecosystems supported** - npm, PyPI, RubyGems, crates.io, pub.dev, CPAN, raku.land
-- **Python & JavaScript support** - Now detects hallucinated npm and PyPI packages
-- **Ruby & Rust support** - Coverage for RubyGems and crates.io
-- **garak-llm datasets** - Using official package snapshots from Hugging Face
+- **92% smaller package** - Only 2.7 MB (down from 84 MB)
+- **6 ecosystems included** - PyPI, RubyGems, crates.io, pub.dev, CPAN, raku.land
+- **npm available separately** - Use `agent-security-scanner-mcp-full` for npm support (adds 7.6 MB)
+- **Bloom Filters** - Efficient storage for large package lists
 
 ## What's New in v1.3.0
 
@@ -40,10 +38,22 @@ A powerful MCP (Model Context Protocol) server for real-time security vulnerabil
 
 ## Installation
 
+### Default Package (Lightweight - 2.7 MB)
+
 ```bash
 npm install -g agent-security-scanner-mcp
 ```
 
+Includes hallucination detection for: **PyPI, RubyGems, crates.io, pub.dev, CPAN, raku.land** (1M+ packages)
+
+### Full Package (With npm - 8.7 MB)
+
+If you need **npm/JavaScript hallucination detection** (3.3M packages):
+
+```bash
+npm install -g agent-security-scanner-mcp-full
+```
+
 Or run directly with npx:
 
 ```bash

package/index.js

@@ -941,14 +941,25 @@ const LEGITIMATE_PACKAGES = {
   dart: new Set(),
   perl: new Set(),
   raku: new Set(),
-  npm: null,  // Uses Bloom Filter instead of Set
-  pypi: new Set(),
-  rubygems: new Set(),
+  npm: null,       // Uses Bloom Filter
+  pypi: null,      // Uses Bloom Filter
+  rubygems: null,  // Uses Bloom Filter
   crates: new Set()
 };
 
-// Bloom Filter for npm (handles 3.3M+ packages efficiently)
-let npmBloomFilter = null;
+// Bloom Filters for large ecosystems (npm, pypi, rubygems)
+const BLOOM_FILTERS = {
+  npm: null,
+  pypi: null,
+  rubygems: null
+};
+
+// Package counts for bloom filter ecosystems (filter doesn't store count)
+const BLOOM_COUNTS = {
+  npm: 3329177,
+  pypi: 554762,
+  rubygems: 180693
+};
 
 // Package import patterns by ecosystem
 const IMPORT_PATTERNS = {
@@ -989,21 +1000,23 @@ const IMPORT_PATTERNS = {
 function loadPackageLists() {
   const packagesDir = join(__dirname, 'packages');
 
-  // Load npm packages using Bloom Filter (88% smaller than txt file)
-  try {
-    const npmBloomPath = join(packagesDir, 'npm-bloom.json');
-    if (existsSync(npmBloomPath)) {
-      const bloomData = JSON.parse(readFileSync(npmBloomPath, 'utf-8'));
-      npmBloomFilter = BloomFilter.fromJSON(bloomData);
-      console.error(`Loaded npm Bloom Filter (3.3M+ packages, 0.1% false positive rate)`);
+  // Load Bloom Filter ecosystems (npm, pypi, rubygems)
+  for (const ecosystem of Object.keys(BLOOM_FILTERS)) {
+    try {
+      const bloomPath = join(packagesDir, `${ecosystem}-bloom.json`);
+      if (existsSync(bloomPath)) {
+        const bloomData = JSON.parse(readFileSync(bloomPath, 'utf-8'));
+        BLOOM_FILTERS[ecosystem] = BloomFilter.fromJSON(bloomData);
+        console.error(`Loaded ${ecosystem} Bloom Filter (${BLOOM_COUNTS[ecosystem].toLocaleString()} packages)`);
+      }
+    } catch (error) {
+      console.error(`Warning: Could not load ${ecosystem} Bloom Filter: ${error.message}`);
     }
-  } catch (error) {
-    console.error(`Warning: Could not load npm Bloom Filter: ${error.message}`);
   }
 
-  // Load other ecosystems using regular Set
+  // Load other ecosystems using regular Set (smaller lists)
   for (const ecosystem of Object.keys(LEGITIMATE_PACKAGES)) {
-    if (ecosystem === 'npm') continue; // npm uses Bloom Filter
+    if (BLOOM_FILTERS.hasOwnProperty(ecosystem)) continue; // Uses Bloom Filter
 
     const filePath = join(packagesDir, `${ecosystem}.txt`);
     try {
@@ -1017,6 +1030,11 @@ function loadPackageLists() {
       console.error(`Warning: Could not load ${ecosystem} packages: ${error.message}`);
     }
   }
+
+  // Note about npm if not loaded
+  if (!BLOOM_FILTERS.npm) {
+    console.error(`npm: not included (use agent-security-scanner-mcp-full for npm support)`);
+  }
 }
 
 // Extract package names from code
@@ -1042,27 +1060,33 @@ function extractPackages(code, ecosystem) {
 
 // Check if a package exists in the package list
 function packageExists(packageName, ecosystem) {
-  if (ecosystem === 'npm') {
-    return npmBloomFilter ? npmBloomFilter.has(packageName) : false;
+  // Bloom Filter ecosystems
+  if (BLOOM_FILTERS.hasOwnProperty(ecosystem)) {
+    return BLOOM_FILTERS[ecosystem] ? BLOOM_FILTERS[ecosystem].has(packageName) : false;
   }
+  // Set-based ecosystems
   const legitPackages = LEGITIMATE_PACKAGES[ecosystem];
   return legitPackages ? legitPackages.has(packageName) : false;
 }
 
 // Get package count for an ecosystem
 function getPackageCount(ecosystem) {
-  if (ecosystem === 'npm') {
-    return npmBloomFilter ? 3329177 : 0; // Bloom filter doesn't store count
+  // Bloom Filter ecosystems
+  if (BLOOM_FILTERS.hasOwnProperty(ecosystem)) {
+    return BLOOM_FILTERS[ecosystem] ? BLOOM_COUNTS[ecosystem] : 0;
   }
+  // Set-based ecosystems
   const legitPackages = LEGITIMATE_PACKAGES[ecosystem];
   return legitPackages ? legitPackages.size : 0;
 }
 
 // Check if ecosystem is loaded
 function isEcosystemLoaded(ecosystem) {
-  if (ecosystem === 'npm') {
-    return npmBloomFilter !== null;
+  // Bloom Filter ecosystems
+  if (BLOOM_FILTERS.hasOwnProperty(ecosystem)) {
+    return BLOOM_FILTERS[ecosystem] !== null;
   }
+  // Set-based ecosystems
   const legitPackages = LEGITIMATE_PACKAGES[ecosystem];
   return legitPackages && legitPackages.size > 0;
 }
@@ -1084,6 +1108,22 @@ server.tool(
     ecosystem: z.enum(["dart", "perl", "raku", "npm", "pypi", "rubygems", "crates"]).describe("The package ecosystem (dart=pub.dev, perl=CPAN, raku=raku.land, npm=npmjs, pypi=PyPI, rubygems=RubyGems, crates=crates.io)")
   },
   async ({ package_name, ecosystem }) => {
+    // Check if npm is requested but not available
+    if (ecosystem === 'npm' && !BLOOM_FILTERS.npm) {
+      return {
+        content: [{
+          type: "text",
+          text: JSON.stringify({
+            package: package_name,
+            ecosystem,
+            status: "unavailable",
+            reason: "npm hallucination detection not included in default package (saves 7.6 MB)",
+            suggestion: "Use 'agent-security-scanner-mcp-full' for npm support, or verify manually at npmjs.com"
+          }, null, 2)
+        }]
+      };
+    }
+
     const totalPackages = getPackageCount(ecosystem);
 
     if (!isEcosystemLoaded(ecosystem)) {
@@ -1094,8 +1134,8 @@ server.tool(
             package: package_name,
             ecosystem,
             status: "unknown",
-            reason: `No package list loaded for ${ecosystem}. Add packages/${ecosystem}.txt`,
-            suggestion: "Load package list or verify manually at the package registry"
+            reason: `No package list loaded for ${ecosystem}`,
+            suggestion: "Verify manually at the package registry"
           }, null, 2)
         }]
       };
@@ -1137,6 +1177,22 @@ server.tool(
       };
     }
 
+    // Check if npm is requested but not available
+    if (ecosystem === 'npm' && !BLOOM_FILTERS.npm) {
+      return {
+        content: [{
+          type: "text",
+          text: JSON.stringify({
+            file: file_path,
+            ecosystem,
+            status: "unavailable",
+            reason: "npm hallucination detection not included in default package (saves 7.6 MB)",
+            suggestion: "Use 'agent-security-scanner-mcp-full' for npm support, or verify manually at npmjs.com"
+          }, null, 2)
+        }]
+      };
+    }
+
     const code = readFileSync(file_path, 'utf-8');
     const packages = extractPackages(code, ecosystem);
     const totalKnown = getPackageCount(ecosystem);
@@ -1194,12 +1250,23 @@ server.tool(
   {},
   async () => {
     const ecosystems = ['npm', 'pypi', 'rubygems', 'crates', 'dart', 'perl', 'raku'];
-    const stats = ecosystems.map(ecosystem => ({
-      ecosystem,
-      packages_loaded: getPackageCount(ecosystem),
-      status: isEcosystemLoaded(ecosystem) ? "ready" : "not loaded",
-      storage: ecosystem === 'npm' ? "bloom filter" : "hash set"
-    }));
+    const stats = ecosystems.map(ecosystem => {
+      const loaded = isEcosystemLoaded(ecosystem);
+      let status = loaded ? "ready" : "not loaded";
+      let storage = BLOOM_FILTERS.hasOwnProperty(ecosystem) ? "bloom filter" : "hash set";
+
+      // npm is not included in default package
+      if (ecosystem === 'npm' && !loaded) {
+        status = "not included (use -full package)";
+      }
+
+      return {
+        ecosystem,
+        packages_loaded: loaded ? getPackageCount(ecosystem) : 0,
+        status,
+        storage
+      };
+    });
 
     return {
       content: [{

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-security-scanner-mcp",
-  "version": "1.4.3",
+  "version": "1.4.5",
   "description": "MCP server for security scanning, AI agent prompt security & package hallucination detection. Works with Claude Desktop, Claude Code, OpenCode, Kilo Code. Detects SQL injection, XSS, secrets, prompt attacks, and AI-invented packages.",
   "main": "index.js",
   "type": "module",