agent-security-scanner-mcp 4.1.0 → 4.2.0

package/src/tools/sbom-diff.js

@@ -0,0 +1,199 @@
+import { z } from 'zod';
+import { existsSync, readFileSync, writeFileSync, mkdirSync, renameSync, unlinkSync } from 'fs';
+import { join } from 'path';
+import { discoverDependencies } from '../lib/lockfile-parsers.js';
+import { serialize } from '../lib/cyclonedx.js';
+import { ecosystemFromPurlType } from '../lib/purl.js';
+
+export const sbomDiffSchema = {
+  directory_path: z.string().describe('Path to project root directory'),
+  baseline_path: z.string().optional().describe('Path to baseline SBOM file (default: .scanner/sbom-baseline.json)'),
+  save_baseline: z.boolean().optional().describe('Save current SBOM as the new baseline'),
+  verbosity: z.enum(['minimal', 'compact', 'full']).optional().describe('Response detail level (default: compact)'),
+};
+
+export async function sbomDiff({ directory_path, baseline_path, save_baseline, verbosity }) {
+  if (!existsSync(directory_path)) {
+    return error(`Directory not found: ${directory_path}`);
+  }
+
+  // Generate current SBOM
+  const componentList = discoverDependencies(directory_path);
+  const currentBom = serialize(componentList);
+
+  // Resolve baseline path
+  const resolvedBaseline = baseline_path || join(directory_path, '.scanner', 'sbom-baseline.json');
+
+  // Check if baseline exists BEFORE potentially overwriting it
+  const baselineExists = existsSync(resolvedBaseline);
+
+  // If no baseline exists and save_baseline requested: save and return immediately
+  if (!baselineExists && save_baseline) {
+    atomicWrite(resolvedBaseline, JSON.stringify(currentBom, null, 2));
+    return {
+      content: [{
+        type: 'text',
+        text: JSON.stringify({
+          message: `Baseline saved to ${resolvedBaseline}. Run again to compare.`,
+          baseline_saved: resolvedBaseline,
+          current: {
+            total_components: componentList.metadata.total,
+            ecosystems: componentList.metadata.ecosystems,
+          },
+        }, null, 2),
+      }],
+    };
+  }
+
+  // If no baseline exists and save_baseline not requested: tell user
+  if (!baselineExists) {
+    return {
+      content: [{
+        type: 'text',
+        text: JSON.stringify({
+          message: `No baseline found at ${resolvedBaseline}. Run with save_baseline=true to create one.`,
+          current: {
+            total_components: componentList.metadata.total,
+            ecosystems: componentList.metadata.ecosystems,
+          },
+        }, null, 2),
+      }],
+    };
+  }
+
+  let baselineBom;
+  try {
+    baselineBom = JSON.parse(readFileSync(resolvedBaseline, 'utf-8'));
+  } catch {
+    return error(`Failed to parse baseline: ${resolvedBaseline}`);
+  }
+
+  // Build component maps by name+ecosystem (PURL without version for matching)
+  const currentMap = buildComponentMap(currentBom.components || []);
+  const baselineMap = buildComponentMap(baselineBom.components || []);
+
+  const added = [];
+  const removed = [];
+  const versionChanged = [];
+  const unchanged = [];
+
+  // Find added and version-changed
+  for (const [key, comp] of currentMap) {
+    const baseComp = baselineMap.get(key);
+    if (!baseComp) {
+      added.push(comp);
+    } else if (baseComp.version !== comp.version) {
+      versionChanged.push({
+        name: comp.name,
+        ecosystem: extractEcosystem(comp),
+        old_version: baseComp.version,
+        new_version: comp.version,
+      });
+    } else {
+      unchanged.push(comp);
+    }
+  }
+
+  // Find removed
+  for (const [key, comp] of baselineMap) {
+    if (!currentMap.has(key)) {
+      removed.push(comp);
+    }
+  }
+
+  // If save_baseline requested and baseline already existed: compare first, then overwrite
+  if (save_baseline) {
+    atomicWrite(resolvedBaseline, JSON.stringify(currentBom, null, 2));
+  }
+
+  const level = verbosity || 'compact';
+  let response;
+  switch (level) {
+    case 'minimal':
+      response = {
+        added: added.length,
+        removed: removed.length,
+        version_changed: versionChanged.length,
+        unchanged: unchanged.length,
+        ...(save_baseline && { baseline_saved: resolvedBaseline }),
+      };
+      break;
+    case 'full':
+      response = {
+        added_packages: added.map(formatComponent),
+        removed_packages: removed.map(formatComponent),
+        version_changed: versionChanged,
+        unchanged_count: unchanged.length,
+        current_total: currentMap.size,
+        baseline_total: baselineMap.size,
+        baseline_timestamp: baselineBom.metadata?.timestamp || 'unknown',
+        ...(save_baseline && { baseline_saved: resolvedBaseline }),
+      };
+      break;
+    case 'compact':
+    default:
+      response = {
+        summary: `+${added.length} added, -${removed.length} removed, ~${versionChanged.length} changed, ${unchanged.length} unchanged`,
+        added_packages: added.map(c => ({ name: c.name, version: c.version })),
+        removed_packages: removed.map(c => ({ name: c.name, version: c.version })),
+        version_changed: versionChanged,
+        ...(save_baseline && { baseline_saved: resolvedBaseline }),
+      };
+      break;
+  }
+
+  return {
+    content: [{ type: 'text', text: JSON.stringify(response, null, 2) }],
+  };
+}
+
+function buildComponentMap(components) {
+  const map = new Map();
+  for (const comp of components) {
+    // Key by name + ecosystem (from purl type or properties)
+    const eco = extractEcosystem(comp);
+    const key = `${eco}:${comp.name}`;
+    map.set(key, comp);
+  }
+  return map;
+}
+
+function extractEcosystem(component) {
+  if (component.properties) {
+    const eco = component.properties.find(p => p.name === 'cdx:ecosystem');
+    if (eco) return eco.value;
+  }
+  if (component.purl) {
+    const match = component.purl.match(/^pkg:([^/]+)/);
+    if (match) return ecosystemFromPurlType(match[1]);
+  }
+  return 'unknown';
+}
+
+function formatComponent(comp) {
+  return {
+    name: comp.name,
+    version: comp.version,
+    purl: comp.purl || '',
+  };
+}
+
+// Atomic write: temp file + rename (pattern from scan-skill.js:785)
+function atomicWrite(filePath, data) {
+  const dir = filePath.substring(0, filePath.lastIndexOf('/'));
+  if (dir && !existsSync(dir)) {
+    mkdirSync(dir, { recursive: true, mode: 0o700 });
+  }
+  const tmpFile = `${filePath}.tmp.${process.pid}.${Date.now().toString(36)}${Math.random().toString(36).slice(2, 6)}`;
+  writeFileSync(tmpFile, data, { encoding: 'utf-8', mode: 0o600 });
+  try {
+    renameSync(tmpFile, filePath);
+  } catch (renameErr) {
+    try { unlinkSync(tmpFile); } catch { /* best effort cleanup */ }
+    throw renameErr;
+  }
+}
+
+function error(msg) {
+  return { content: [{ type: 'text', text: JSON.stringify({ error: msg }) }] };
+}

package/src/tools/sbom-generate.js

@@ -0,0 +1,116 @@
+import { z } from 'zod';
+import { existsSync, writeFileSync, mkdirSync, readFileSync } from 'fs';
+import { join } from 'path';
+import { discoverDependencies } from '../lib/lockfile-parsers.js';
+import { serialize } from '../lib/cyclonedx.js';
+
+// Read tool version from package.json
+let toolVersion = '0.0.0';
+try {
+  const pkg = JSON.parse(readFileSync(new URL('../../package.json', import.meta.url), 'utf-8'));
+  toolVersion = pkg.version || '0.0.0';
+} catch { /* fallback */ }
+
+export const sbomGenerateSchema = {
+  directory_path: z.string().describe('Path to project root directory'),
+  include_dev: z.boolean().optional().describe('Include dev dependencies (default: true)'),
+  output_path: z.string().optional().describe('Path to write SBOM file. Absent = no write, present = write to that path.'),
+  verbosity: z.enum(['minimal', 'compact', 'full']).optional().describe('Response detail level (default: compact)'),
+};
+
+export async function sbomGenerate({ directory_path, include_dev, output_path, verbosity }) {
+  if (!existsSync(directory_path)) {
+    return {
+      content: [{ type: 'text', text: JSON.stringify({ error: `Directory not found: ${directory_path}` }) }],
+    };
+  }
+
+  const includeDev = include_dev !== false; // default true
+  const level = verbosity || 'compact';
+
+  // Discover dependencies
+  const componentList = discoverDependencies(directory_path, { includeDev });
+
+  // Serialize to CycloneDX
+  const bom = serialize(componentList, [], { toolVersion });
+
+  // Optionally write to file
+  let savedPath = null;
+  if (output_path) {
+    const dir = join(directory_path, '.scanner');
+    const resolvedPath = output_path.includes('/') || output_path.includes('\\')
+      ? output_path
+      : join(dir, output_path);
+
+    const parentDir = resolvedPath.substring(0, resolvedPath.lastIndexOf('/'));
+    if (parentDir && !existsSync(parentDir)) {
+      mkdirSync(parentDir, { recursive: true, mode: 0o700 });
+    }
+    writeFileSync(resolvedPath, JSON.stringify(bom, null, 2), { mode: 0o600 });
+    savedPath = resolvedPath;
+  }
+
+  // Format response based on verbosity
+  let response;
+  switch (level) {
+    case 'minimal':
+      response = formatMinimal(componentList, savedPath);
+      break;
+    case 'full':
+      response = formatFull(bom, componentList, savedPath);
+      break;
+    case 'compact':
+    default:
+      response = formatCompact(componentList, savedPath);
+      break;
+  }
+
+  return {
+    content: [{ type: 'text', text: JSON.stringify(response, null, 2) }],
+  };
+}
+
+function formatMinimal(componentList, savedPath) {
+  const { metadata } = componentList;
+  return {
+    total_components: metadata.total,
+    direct: metadata.direct,
+    dev: metadata.dev,
+    ecosystems: metadata.ecosystems,
+    ...(savedPath && { saved_to: savedPath }),
+  };
+}
+
+function formatCompact(componentList, savedPath) {
+  const { components, metadata } = componentList;
+
+  const byEcosystem = {};
+  for (const c of components) {
+    if (!byEcosystem[c.ecosystem]) byEcosystem[c.ecosystem] = [];
+    byEcosystem[c.ecosystem].push({ name: c.name, version: c.version, isDev: c.isDev });
+  }
+
+  return {
+    project: metadata.name,
+    version: metadata.version,
+    total_components: metadata.total,
+    direct: metadata.direct,
+    dev: metadata.dev,
+    ecosystems: metadata.ecosystems,
+    components: byEcosystem,
+    ...(savedPath && { saved_to: savedPath }),
+  };
+}
+
+function formatFull(bom, componentList, savedPath) {
+  return {
+    project: componentList.metadata.name,
+    version: componentList.metadata.version,
+    total_components: componentList.metadata.total,
+    direct: componentList.metadata.direct,
+    dev: componentList.metadata.dev,
+    ecosystems: componentList.metadata.ecosystems,
+    bom,
+    ...(savedPath && { saved_to: savedPath }),
+  };
+}

package/src/tools/sbom-hallucinations.js

@@ -0,0 +1,117 @@
+import { z } from 'zod';
+import { existsSync, readFileSync } from 'fs';
+import { discoverDependencies } from '../lib/lockfile-parsers.js';
+import { componentFromBomComponent } from '../lib/sbom-component.js';
+import { isHallucinated } from './check-package.js';
+
+// Ecosystems supported by the hallucination checker (bloom filters + text sets)
+const SUPPORTED_ECOSYSTEMS = new Set(['npm', 'pypi', 'rubygems', 'dart', 'perl', 'raku', 'crates']);
+
+export const sbomHallucinationsSchema = {
+  directory_path: z.string().optional().describe('Path to project root (generates fresh SBOM)'),
+  sbom_path: z.string().optional().describe('Path to existing SBOM file'),
+  verbosity: z.enum(['minimal', 'compact', 'full']).optional().describe('Response detail level (default: compact)'),
+};
+
+export async function sbomCheckHallucinations({ directory_path, sbom_path, verbosity }) {
+  // Enforce exactly one of directory_path or sbom_path
+  if (directory_path && sbom_path) {
+    return error('Provide either directory_path or sbom_path, not both.');
+  }
+  if (!directory_path && !sbom_path) {
+    return error('Provide either directory_path or sbom_path.');
+  }
+
+  // Load or generate components
+  let components;
+  if (sbom_path) {
+    if (!existsSync(sbom_path)) return error(`SBOM file not found: ${sbom_path}`);
+    let bom;
+    try {
+      bom = JSON.parse(readFileSync(sbom_path, 'utf-8'));
+    } catch {
+      return error(`Failed to parse SBOM: ${sbom_path}`);
+    }
+    components = (bom.components || []).map(componentFromBomComponent);
+  } else {
+    if (!existsSync(directory_path)) return error(`Directory not found: ${directory_path}`);
+    const componentList = discoverDependencies(directory_path);
+    components = componentList.components;
+  }
+
+  const hallucinated = [];
+  const unsupported = [];
+  const legitimate = [];
+
+  for (const component of components) {
+    const eco = component.ecosystem;
+
+    // Check if ecosystem is supported
+    if (!SUPPORTED_ECOSYSTEMS.has(eco)) {
+      unsupported.push({
+        name: component.name,
+        version: component.version,
+        ecosystem: eco,
+        status: 'unsupported_ecosystem',
+        message: `Registry verification not available for ${eco} ecosystem.`,
+      });
+      continue;
+    }
+
+    const result = isHallucinated(component.name, eco);
+    if (result && result.hallucinated) {
+      hallucinated.push({
+        name: component.name,
+        version: component.version,
+        ecosystem: eco,
+        confidence: result.confidence || 'medium',
+        similar_packages: result.similar_packages || [],
+      });
+    } else {
+      legitimate.push({ name: component.name, ecosystem: eco });
+    }
+  }
+
+  const level = verbosity || 'compact';
+  let response;
+  switch (level) {
+    case 'minimal':
+      response = {
+        total_checked: components.length,
+        legitimate_count: legitimate.length,
+        hallucinated_count: hallucinated.length,
+        unsupported_count: unsupported.length,
+      };
+      break;
+    case 'full':
+      response = {
+        total_checked: components.length,
+        legitimate_count: legitimate.length,
+        hallucinated_count: hallucinated.length,
+        unsupported_count: unsupported.length,
+        hallucinated_packages: hallucinated,
+        unsupported_packages: unsupported,
+        legitimate_packages: legitimate,
+      };
+      break;
+    case 'compact':
+    default:
+      response = {
+        total_checked: components.length,
+        legitimate_count: legitimate.length,
+        hallucinated_count: hallucinated.length,
+        unsupported_count: unsupported.length,
+        hallucinated_packages: hallucinated,
+        unsupported_packages: unsupported,
+      };
+      break;
+  }
+
+  return {
+    content: [{ type: 'text', text: JSON.stringify(response, null, 2) }],
+  };
+}
+
+function error(msg) {
+  return { content: [{ type: 'text', text: JSON.stringify({ error: msg }) }] };
+}