agent-security-scanner-mcp 1.4.7 → 1.4.8

package/index.js

@@ -941,26 +941,19 @@ const LEGITIMATE_PACKAGES = {
   dart: new Set(),
   perl: new Set(),
   raku: new Set(),
-  npm: null,       // Uses Bloom Filter
-  pypi: null,      // Uses Bloom Filter
-  rubygems: null,  // Uses Bloom Filter
+  npm: new Set(),
+  pypi: new Set(),
+  rubygems: new Set(),
   crates: new Set()
 };
 
-// Bloom Filters for large ecosystems (npm, pypi, rubygems)
+// Bloom filters for large package lists (memory-efficient probabilistic lookup)
 const BLOOM_FILTERS = {
   npm: null,
   pypi: null,
   rubygems: null
 };
 
-// Package counts for bloom filter ecosystems (filter doesn't store count)
-const BLOOM_COUNTS = {
-  npm: 3329177,
-  pypi: 554762,
-  rubygems: 180693
-};
-
 // Package import patterns by ecosystem
 const IMPORT_PATTERNS = {
   dart: [
@@ -1000,24 +993,7 @@ const IMPORT_PATTERNS = {
 function loadPackageLists() {
   const packagesDir = join(__dirname, 'packages');
 
-  // Load Bloom Filter ecosystems (npm, pypi, rubygems)
-  for (const ecosystem of Object.keys(BLOOM_FILTERS)) {
-    try {
-      const bloomPath = join(packagesDir, `${ecosystem}-bloom.json`);
-      if (existsSync(bloomPath)) {
-        const bloomData = JSON.parse(readFileSync(bloomPath, 'utf-8'));
-        BLOOM_FILTERS[ecosystem] = BloomFilter.fromJSON(bloomData);
-        console.error(`Loaded ${ecosystem} Bloom Filter (${BLOOM_COUNTS[ecosystem].toLocaleString()} packages)`);
-      }
-    } catch (error) {
-      console.error(`Warning: Could not load ${ecosystem} Bloom Filter: ${error.message}`);
-    }
-  }
-
-  // Load other ecosystems using regular Set (smaller lists)
   for (const ecosystem of Object.keys(LEGITIMATE_PACKAGES)) {
-    if (BLOOM_FILTERS.hasOwnProperty(ecosystem)) continue; // Uses Bloom Filter
-
     const filePath = join(packagesDir, `${ecosystem}.txt`);
     try {
       if (existsSync(filePath)) {
@@ -1031,9 +1007,18 @@ function loadPackageLists() {
     }
   }
 
-  // Note about npm if not loaded
-  if (!BLOOM_FILTERS.npm) {
-    console.error(`npm: not included (use agent-security-scanner-mcp-full for npm support)`);
+  // Load bloom filters for large ecosystems (npm, pypi, rubygems)
+  for (const ecosystem of Object.keys(BLOOM_FILTERS)) {
+    const bloomPath = join(packagesDir, `${ecosystem}-bloom.json`);
+    try {
+      if (existsSync(bloomPath)) {
+        const bloomData = JSON.parse(readFileSync(bloomPath, 'utf-8'));
+        BLOOM_FILTERS[ecosystem] = BloomFilter.fromJSON(bloomData);
+        console.error(`Loaded ${ecosystem} bloom filter (${bloomData._size} bits)`);
+      }
+    } catch (error) {
+      console.error(`Warning: Could not load ${ecosystem} bloom filter: ${error.message}`);
+    }
   }
 }
 
@@ -1058,45 +1043,28 @@ function extractPackages(code, ecosystem) {
   return Array.from(packages);
 }
 
-// Check if a package exists in the package list
-function packageExists(packageName, ecosystem) {
-  // Bloom Filter ecosystems
-  if (BLOOM_FILTERS.hasOwnProperty(ecosystem)) {
-    return BLOOM_FILTERS[ecosystem] ? BLOOM_FILTERS[ecosystem].has(packageName) : false;
-  }
-  // Set-based ecosystems
+// Check if a package is hallucinated
+function isHallucinated(packageName, ecosystem) {
   const legitPackages = LEGITIMATE_PACKAGES[ecosystem];
-  return legitPackages ? legitPackages.has(packageName) : false;
-}
 
-// Get package count for an ecosystem
-function getPackageCount(ecosystem) {
-  // Bloom Filter ecosystems
-  if (BLOOM_FILTERS.hasOwnProperty(ecosystem)) {
-    return BLOOM_FILTERS[ecosystem] ? BLOOM_COUNTS[ecosystem] : 0;
+  // First check Set-based lookup (exact match)
+  if (legitPackages && legitPackages.size > 0) {
+    return { hallucinated: !legitPackages.has(packageName) };
   }
-  // Set-based ecosystems
-  const legitPackages = LEGITIMATE_PACKAGES[ecosystem];
-  return legitPackages ? legitPackages.size : 0;
-}
 
-// Check if ecosystem is loaded
-function isEcosystemLoaded(ecosystem) {
-  // Bloom Filter ecosystems
-  if (BLOOM_FILTERS.hasOwnProperty(ecosystem)) {
-    return BLOOM_FILTERS[ecosystem] !== null;
+  // Fall back to bloom filter for large ecosystems (npm, pypi, rubygems)
+  const bloomFilter = BLOOM_FILTERS[ecosystem];
+  if (bloomFilter) {
+    // Bloom filter: false = definitely not in set, true = probably in set
+    const mightExist = bloomFilter.has(packageName);
+    return {
+      hallucinated: !mightExist,
+      bloomFilter: true,
+      note: mightExist ? "Package likely exists (bloom filter match)" : "Package not found in bloom filter"
+    };
   }
-  // Set-based ecosystems
-  const legitPackages = LEGITIMATE_PACKAGES[ecosystem];
-  return legitPackages && legitPackages.size > 0;
-}
 
-// Check if a package is hallucinated
-function isHallucinated(packageName, ecosystem) {
-  if (!isEcosystemLoaded(ecosystem)) {
-    return { unknown: true, reason: `No package list loaded for ${ecosystem}` };
-  }
-  return { hallucinated: !packageExists(packageName, ecosystem) };
+  return { unknown: true, reason: `No package list loaded for ${ecosystem}` };
 }
 
 // Register check_package tool
@@ -1108,25 +1076,10 @@ server.tool(
     ecosystem: z.enum(["dart", "perl", "raku", "npm", "pypi", "rubygems", "crates"]).describe("The package ecosystem (dart=pub.dev, perl=CPAN, raku=raku.land, npm=npmjs, pypi=PyPI, rubygems=RubyGems, crates=crates.io)")
   },
   async ({ package_name, ecosystem }) => {
-    // Check if npm is requested but not available
-    if (ecosystem === 'npm' && !BLOOM_FILTERS.npm) {
-      return {
-        content: [{
-          type: "text",
-          text: JSON.stringify({
-            package: package_name,
-            ecosystem,
-            status: "unavailable",
-            reason: "npm hallucination detection not included in default package (saves 7.6 MB)",
-            suggestion: "Use 'agent-security-scanner-mcp-full' for npm support, or verify manually at npmjs.com"
-          }, null, 2)
-        }]
-      };
-    }
-
-    const totalPackages = getPackageCount(ecosystem);
+    const legitPackages = LEGITIMATE_PACKAGES[ecosystem];
+    const totalPackages = legitPackages?.size || 0;
 
-    if (!isEcosystemLoaded(ecosystem)) {
+    if (totalPackages === 0) {
       return {
         content: [{
           type: "text",
@@ -1134,14 +1087,14 @@ server.tool(
             package: package_name,
             ecosystem,
             status: "unknown",
-            reason: `No package list loaded for ${ecosystem}`,
-            suggestion: "Verify manually at the package registry"
+            reason: `No package list loaded for ${ecosystem}. Add packages/${ecosystem}.txt`,
+            suggestion: "Load package list or verify manually at the package registry"
           }, null, 2)
         }]
       };
     }
 
-    const exists = packageExists(package_name, ecosystem);
+    const exists = legitPackages.has(package_name);
 
     return {
       content: [{
@@ -1177,27 +1130,12 @@ server.tool(
       };
     }
 
-    // Check if npm is requested but not available
-    if (ecosystem === 'npm' && !BLOOM_FILTERS.npm) {
-      return {
-        content: [{
-          type: "text",
-          text: JSON.stringify({
-            file: file_path,
-            ecosystem,
-            status: "unavailable",
-            reason: "npm hallucination detection not included in default package (saves 7.6 MB)",
-            suggestion: "Use 'agent-security-scanner-mcp-full' for npm support, or verify manually at npmjs.com"
-          }, null, 2)
-        }]
-      };
-    }
-
     const code = readFileSync(file_path, 'utf-8');
     const packages = extractPackages(code, ecosystem);
-    const totalKnown = getPackageCount(ecosystem);
+    const legitPackages = LEGITIMATE_PACKAGES[ecosystem];
+    const totalKnown = legitPackages?.size || 0;
 
-    if (!isEcosystemLoaded(ecosystem)) {
+    if (totalKnown === 0) {
       return {
         content: [{
           type: "text",
@@ -1214,8 +1152,8 @@ server.tool(
 
     const results = packages.map(pkg => ({
       package: pkg,
-      legitimate: packageExists(pkg, ecosystem),
-      hallucinated: !packageExists(pkg, ecosystem)
+      legitimate: legitPackages.has(pkg),
+      hallucinated: !legitPackages.has(pkg)
     }));
 
     const hallucinated = results.filter(r => r.hallucinated);
@@ -1249,24 +1187,11 @@ server.tool(
   "List statistics about loaded package lists for hallucination detection",
   {},
   async () => {
-    const ecosystems = ['npm', 'pypi', 'rubygems', 'crates', 'dart', 'perl', 'raku'];
-    const stats = ecosystems.map(ecosystem => {
-      const loaded = isEcosystemLoaded(ecosystem);
-      let status = loaded ? "ready" : "not loaded";
-      let storage = BLOOM_FILTERS.hasOwnProperty(ecosystem) ? "bloom filter" : "hash set";
-
-      // npm is not included in default package
-      if (ecosystem === 'npm' && !loaded) {
-        status = "not included (use -full package)";
-      }
-
-      return {
-        ecosystem,
-        packages_loaded: loaded ? getPackageCount(ecosystem) : 0,
-        status,
-        storage
-      };
-    });
+    const stats = Object.entries(LEGITIMATE_PACKAGES).map(([ecosystem, packages]) => ({
+      ecosystem,
+      packages_loaded: packages.size,
+      status: packages.size > 0 ? "ready" : "not loaded"
+    }));
 
     return {
       content: [{

package/package.json

@@ -1,6 +1,7 @@
 {
   "name": "agent-security-scanner-mcp",
-  "version": "1.4.7",
+  "version": "1.4.8",
+  "mcpName": "io.github.sinewaveai/agent-security-scanner-mcp",
   "description": "MCP server for security scanning, AI agent prompt security & package hallucination detection. Works with Claude Desktop, Claude Code, OpenCode, Kilo Code. Detects SQL injection, XSS, secrets, prompt attacks, and AI-invented packages.",
   "main": "index.js",
   "type": "module",
@@ -66,7 +67,6 @@
     "index.js",
     "analyzer.py",
     "rules/**",
-    "packages/**",
-    "README.md"
+    "packages/**"
   ]
 }