npm - agentic-qe - Versions diffs - 3.3.3 → 3.3.4 - Mend

agentic-qe 3.3.3 → 3.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (522) hide show

package/v3/dist/domains/security-compliance/services/scanners/dast-scanner.d.ts ADDED Viewed

@@ -0,0 +1,62 @@
+/**
+ * Agentic QE v3 - DAST (Dynamic Application Security Testing) Scanner
+ * Performs dynamic analysis of running applications to detect security vulnerabilities
+ */
+import { Result } from '../../../../shared/types/index.js';
+import type { SecurityScannerConfig, DASTResult, DASTOptions, AuthCredentials, MemoryBackend, ScanStatus } from './scanner-types.js';
+/**
+ * DAST Scanner - Dynamic Application Security Testing
+ * Scans running applications for security vulnerabilities
+ *
+ * **Capabilities:**
+ * - Security header analysis (HSTS, CSP, X-Frame-Options, etc.)
+ * - Cookie security (Secure, HttpOnly, SameSite flags)
+ * - CORS misconfiguration detection
+ * - Sensitive file exposure (/.git, /.env, etc.)
+ * - Link crawling with same-origin scope
+ * - XSS reflection testing (GET parameters)
+ * - SQL injection error-based detection (GET parameters)
+ * - Form security analysis (CSRF tokens, autocomplete, action URLs)
+ *
+ * **Limitations:**
+ * - Injection testing: GET parameters only (POST form submission not implemented)
+ * - Crawling: Same-origin only, max 10 links per page, single depth
+ * - Auth flows: Header-based only, no login form automation
+ * - No JavaScript execution (static response analysis only)
+ * - No session management testing beyond cookie attributes
+ */
+export declare class DASTScanner {
+    private readonly config;
+    private readonly memory;
+    private readonly activeScans;
+    constructor(config: SecurityScannerConfig, memory: MemoryBackend, activeScans?: Map<string, ScanStatus>);
+    /**
+     * Scan running application using dynamic analysis
+     */
+    scanUrl(targetUrl: string, options?: DASTOptions): Promise<Result<DASTResult>>;
+    /**
+     * Scan authenticated endpoints
+     */
+    scanAuthenticated(targetUrl: string, credentials: AuthCredentials, options?: DASTOptions): Promise<Result<DASTResult>>;
+    /**
+     * Get scan status
+     */
+    getScanStatus(scanId: string): Promise<ScanStatus>;
+    /**
+     * Perform dynamic (DAST) scanning on a target URL
+     */
+    private performDynamicScan;
+    /**
+     * Perform authenticated dynamic scanning
+     */
+    private performAuthenticatedScan;
+    private createInvalidUrlVuln;
+    private createInsecureProtocolVuln;
+    private createAuthFailedVuln;
+    private createTokenInUrlVuln;
+    /**
+     * Test URL parameters for injection vulnerabilities
+     */
+    private testInjectionVulnerabilities;
+}
+//# sourceMappingURL=dast-scanner.d.ts.map

package/v3/dist/domains/security-compliance/services/scanners/dast-scanner.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"dast-scanner.d.ts","sourceRoot":"","sources":["../../../../../src/domains/security-compliance/services/scanners/dast-scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,MAAM,EAAW,MAAM,mCAAmC,CAAC;AACpE,OAAO,KAAK,EACV,qBAAqB,EAErB,UAAU,EACV,WAAW,EACX,eAAe,EACf,aAAa,EACb,UAAU,EACX,MAAM,oBAAoB,CAAC;AAwB5B;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAwB;IAC/C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgB;IACvC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAA0B;gBAGpD,MAAM,EAAE,qBAAqB,EAC7B,MAAM,EAAE,aAAa,EACrB,WAAW,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC;IAWvC;;OAEG;IACG,OAAO,CACX,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,WAAW,GACpB,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IA2C9B;;OAEG;IACG,iBAAiB,CACrB,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,eAAe,EAC5B,OAAO,CAAC,EAAE,WAAW,GACpB,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAqD9B;;OAEG;IACG,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAQxD;;OAEG;YACW,kBAAkB;IAuFhC;;OAEG;YACW,wBAAwB;IA8EtC,OAAO,CAAC,oBAAoB;IAa5B,OAAO,CAAC,0BAA0B;IAalC,OAAO,CAAC,oBAAoB;IAa5B,OAAO,CAAC,oBAAoB;IAiB5B;;OAEG;YACW,4BAA4B;CAyB3C"}

package/v3/dist/domains/security-compliance/services/scanners/dast-scanner.js ADDED Viewed

@@ -0,0 +1,329 @@
+/**
+ * Agentic QE v3 - DAST (Dynamic Application Security Testing) Scanner
+ * Performs dynamic analysis of running applications to detect security vulnerabilities
+ */
+import { v4 as uuidv4 } from 'uuid';
+import { ok, err } from '../../../../shared/types/index.js';
+import { analyzeSecurityHeaders, analyzeCookieSecurity, analyzeServerHeaders, scanSensitiveFiles, analyzeCORS, extractAndCrawlLinks, testXSS, testSQLi, analyzeFormsForSecurityIssues, testAuthorizationBypass, testIDOR, validateCredentials, buildAuthHeaders, handleFetchError, calculateSummary, storeScanResults, } from './dast-helpers.js';
+// ============================================================================
+// DAST Scanner Service
+// ============================================================================
+/**
+ * DAST Scanner - Dynamic Application Security Testing
+ * Scans running applications for security vulnerabilities
+ *
+ * **Capabilities:**
+ * - Security header analysis (HSTS, CSP, X-Frame-Options, etc.)
+ * - Cookie security (Secure, HttpOnly, SameSite flags)
+ * - CORS misconfiguration detection
+ * - Sensitive file exposure (/.git, /.env, etc.)
+ * - Link crawling with same-origin scope
+ * - XSS reflection testing (GET parameters)
+ * - SQL injection error-based detection (GET parameters)
+ * - Form security analysis (CSRF tokens, autocomplete, action URLs)
+ *
+ * **Limitations:**
+ * - Injection testing: GET parameters only (POST form submission not implemented)
+ * - Crawling: Same-origin only, max 10 links per page, single depth
+ * - Auth flows: Header-based only, no login form automation
+ * - No JavaScript execution (static response analysis only)
+ * - No session management testing beyond cookie attributes
+ */
+export class DASTScanner {
+    config;
+    memory;
+    activeScans;
+    constructor(config, memory, activeScans) {
+        this.config = config;
+        this.memory = memory;
+        this.activeScans = activeScans || new Map();
+    }
+    // ==========================================================================
+    // Public Methods
+    // ==========================================================================
+    /**
+     * Scan running application using dynamic analysis
+     */
+    async scanUrl(targetUrl, options) {
+        const scanId = uuidv4();
+        try {
+            this.activeScans.set(scanId, 'running');
+            const startTime = Date.now();
+            const mergedOptions = {
+                maxDepth: options?.maxDepth ?? this.config.dastMaxDepth,
+                activeScanning: options?.activeScanning ?? this.config.dastActiveScanning,
+                timeout: options?.timeout ?? this.config.timeout,
+                excludePatterns: options?.excludePatterns ?? [],
+            };
+            // Perform dynamic analysis
+            const result = await this.performDynamicScan(targetUrl, mergedOptions);
+            const scanDurationMs = Date.now() - startTime;
+            const summary = calculateSummary(result.vulnerabilities, 1, scanDurationMs);
+            // Store results
+            await storeScanResults(this.memory, scanId, 'dast', result.vulnerabilities, summary);
+            this.activeScans.set(scanId, 'completed');
+            return ok({
+                scanId,
+                targetUrl,
+                vulnerabilities: result.vulnerabilities,
+                summary,
+                crawledUrls: result.crawledUrls,
+            });
+        }
+        catch (error) {
+            this.activeScans.set(scanId, 'failed');
+            return err(error instanceof Error ? error : new Error(String(error)));
+        }
+    }
+    /**
+     * Scan authenticated endpoints
+     */
+    async scanAuthenticated(targetUrl, credentials, options) {
+        const scanId = uuidv4();
+        try {
+            this.activeScans.set(scanId, 'running');
+            const startTime = Date.now();
+            // Validate credentials
+            const credValidation = validateCredentials(credentials);
+            if (!credValidation.valid) {
+                return err(new Error(credValidation.reason));
+            }
+            const mergedOptions = {
+                maxDepth: options?.maxDepth ?? this.config.dastMaxDepth,
+                activeScanning: options?.activeScanning ?? this.config.dastActiveScanning,
+                timeout: options?.timeout ?? this.config.timeout,
+                excludePatterns: options?.excludePatterns ?? [],
+            };
+            // Perform authenticated dynamic analysis
+            const result = await this.performAuthenticatedScan(targetUrl, credentials, mergedOptions);
+            const scanDurationMs = Date.now() - startTime;
+            const summary = calculateSummary(result.vulnerabilities, 1, scanDurationMs);
+            // Store results (without credentials)
+            await storeScanResults(this.memory, scanId, 'dast-auth', result.vulnerabilities, summary);
+            this.activeScans.set(scanId, 'completed');
+            return ok({
+                scanId,
+                targetUrl,
+                vulnerabilities: result.vulnerabilities,
+                summary,
+                crawledUrls: result.crawledUrls,
+            });
+        }
+        catch (error) {
+            this.activeScans.set(scanId, 'failed');
+            return err(error instanceof Error ? error : new Error(String(error)));
+        }
+    }
+    /**
+     * Get scan status
+     */
+    async getScanStatus(scanId) {
+        return this.activeScans.get(scanId) ?? 'pending';
+    }
+    // ==========================================================================
+    // Private Methods - Dynamic Scanning
+    // ==========================================================================
+    /**
+     * Perform dynamic (DAST) scanning on a target URL
+     */
+    async performDynamicScan(targetUrl, options) {
+        const vulnerabilities = [];
+        let crawledUrls = 0;
+        try {
+            // Validate and parse URL
+            let parsedUrl;
+            try {
+                parsedUrl = new URL(targetUrl);
+            }
+            catch {
+                vulnerabilities.push(this.createInvalidUrlVuln(targetUrl));
+                return { vulnerabilities, crawledUrls: 0 };
+            }
+            const timeout = options.timeout ?? this.config.timeout;
+            const maxDepth = options.maxDepth ?? this.config.dastMaxDepth;
+            // Perform main page scan
+            const controller = new AbortController();
+            const timeoutId = setTimeout(() => controller.abort(), Math.min(timeout, 30000));
+            try {
+                const response = await fetch(targetUrl, {
+                    method: 'GET',
+                    headers: {
+                        'User-Agent': 'AgenticQE-DAST-Scanner/3.0',
+                        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+                    },
+                    signal: controller.signal,
+                    redirect: 'follow',
+                });
+                clearTimeout(timeoutId);
+                crawledUrls++;
+                // Security header analysis
+                analyzeSecurityHeaders(response.headers, targetUrl, vulnerabilities);
+                // Check for insecure protocol
+                if (parsedUrl.protocol === 'http:') {
+                    vulnerabilities.push(this.createInsecureProtocolVuln(targetUrl));
+                }
+                // Check for cookie security
+                analyzeCookieSecurity(response.headers, targetUrl, vulnerabilities);
+                // Check for server version disclosure
+                analyzeServerHeaders(response.headers, targetUrl, vulnerabilities);
+                // Active scanning features
+                if (options.activeScanning ?? this.config.dastActiveScanning) {
+                    crawledUrls = await scanSensitiveFiles(parsedUrl, crawledUrls, maxDepth, vulnerabilities);
+                    await analyzeCORS(targetUrl, vulnerabilities);
+                    // Enhanced DAST: Link crawling, injection testing, form analysis
+                    const responseText = await response.clone().text();
+                    crawledUrls = await extractAndCrawlLinks(responseText, parsedUrl, crawledUrls, maxDepth, vulnerabilities);
+                    if (parsedUrl.search) {
+                        await this.testInjectionVulnerabilities(targetUrl, parsedUrl, vulnerabilities);
+                    }
+                    analyzeFormsForSecurityIssues(responseText, targetUrl, vulnerabilities);
+                }
+            }
+            catch (fetchError) {
+                clearTimeout(timeoutId);
+                handleFetchError(fetchError, targetUrl, vulnerabilities);
+            }
+        }
+        catch (error) {
+            console.error('DAST scan error:', error);
+        }
+        return { vulnerabilities, crawledUrls };
+    }
+    /**
+     * Perform authenticated dynamic scanning
+     */
+    async performAuthenticatedScan(targetUrl, credentials, options) {
+        const vulnerabilities = [];
+        let crawledUrls = 0;
+        try {
+            const authHeaders = buildAuthHeaders(credentials);
+            let parsedUrl;
+            try {
+                parsedUrl = new URL(targetUrl);
+            }
+            catch {
+                vulnerabilities.push(this.createInvalidUrlVuln(targetUrl));
+                return { vulnerabilities, crawledUrls: 0 };
+            }
+            const timeout = options.timeout ?? this.config.timeout;
+            const maxDepth = options.maxDepth ?? this.config.dastMaxDepth;
+            const controller = new AbortController();
+            const timeoutId = setTimeout(() => controller.abort(), Math.min(timeout, 30000));
+            try {
+                const response = await fetch(targetUrl, {
+                    method: 'GET',
+                    headers: {
+                        'User-Agent': 'AgenticQE-DAST-Scanner/3.0',
+                        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+                        ...authHeaders,
+                    },
+                    signal: controller.signal,
+                    redirect: 'follow',
+                });
+                clearTimeout(timeoutId);
+                crawledUrls++;
+                // Check if authentication was successful
+                if (response.status === 401 || response.status === 403) {
+                    vulnerabilities.push(this.createAuthFailedVuln(targetUrl, response.status));
+                }
+                // Standard security header checks
+                analyzeSecurityHeaders(response.headers, targetUrl, vulnerabilities, true);
+                // Check for session token in URL
+                if (parsedUrl.search.includes('token=') || parsedUrl.search.includes('session=') || parsedUrl.search.includes('auth=')) {
+                    vulnerabilities.push(this.createTokenInUrlVuln(targetUrl, parsedUrl.search));
+                }
+                // Active scanning for authenticated endpoints
+                if (options.activeScanning ?? this.config.dastActiveScanning) {
+                    crawledUrls = await testAuthorizationBypass(parsedUrl, authHeaders, crawledUrls, maxDepth, vulnerabilities);
+                    crawledUrls = await testIDOR(parsedUrl, authHeaders, crawledUrls, maxDepth, vulnerabilities);
+                }
+                // Enhanced cookie security for authenticated sessions
+                analyzeCookieSecurity(response.headers, targetUrl, vulnerabilities, true);
+            }
+            catch (fetchError) {
+                clearTimeout(timeoutId);
+                handleFetchError(fetchError, targetUrl, vulnerabilities);
+            }
+        }
+        catch (error) {
+            console.error('Authenticated DAST scan error:', error);
+        }
+        return { vulnerabilities, crawledUrls };
+    }
+    // ==========================================================================
+    // Private Methods - Vulnerability Factories
+    // ==========================================================================
+    createInvalidUrlVuln(targetUrl) {
+        return {
+            id: uuidv4(),
+            title: 'Invalid Target URL',
+            description: 'The provided target URL is not valid',
+            severity: 'informational',
+            category: 'security-misconfiguration',
+            location: { file: targetUrl },
+            remediation: { description: 'Provide a valid URL', estimatedEffort: 'trivial', automatable: false },
+            references: [],
+        };
+    }
+    createInsecureProtocolVuln(targetUrl) {
+        return {
+            id: uuidv4(),
+            title: 'Insecure HTTP Protocol',
+            description: 'Application is accessible over unencrypted HTTP',
+            severity: 'high',
+            category: 'sensitive-data',
+            location: { file: targetUrl },
+            remediation: { description: 'Redirect all HTTP traffic to HTTPS', estimatedEffort: 'moderate', automatable: false },
+            references: ['https://owasp.org/www-project-web-security-testing-guide/'],
+        };
+    }
+    createAuthFailedVuln(targetUrl, status) {
+        return {
+            id: uuidv4(),
+            title: 'Authentication Failed',
+            description: `Authentication returned ${status} status`,
+            severity: 'informational',
+            category: 'broken-auth',
+            location: { file: targetUrl },
+            remediation: { description: 'Verify credentials are correct', estimatedEffort: 'trivial', automatable: false },
+            references: [],
+        };
+    }
+    createTokenInUrlVuln(targetUrl, search) {
+        return {
+            id: uuidv4(),
+            title: 'Session Token in URL',
+            description: 'Authentication token appears in URL query string',
+            severity: 'high',
+            category: 'sensitive-data',
+            location: { file: targetUrl, snippet: search.substring(0, 50) },
+            remediation: { description: 'Send tokens in headers or request body, not URL', estimatedEffort: 'moderate', automatable: false },
+            references: ['https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url'],
+        };
+    }
+    // ==========================================================================
+    // Private Methods - Injection Testing
+    // ==========================================================================
+    /**
+     * Test URL parameters for injection vulnerabilities
+     */
+    async testInjectionVulnerabilities(targetUrl, parsedUrl, vulnerabilities) {
+        const params = new URLSearchParams(parsedUrl.search);
+        const paramNames = Array.from(params.keys());
+        const xssPayloads = [
+            { payload: '<script>alert(1)</script>', name: 'Basic XSS' },
+            { payload: '"><img src=x onerror=alert(1)>', name: 'Attribute Injection' },
+            { payload: "'-alert(1)-'", name: 'JavaScript Injection' },
+        ];
+        const sqliPayloads = [
+            { payload: "' OR '1'='1", name: 'SQL OR Injection' },
+            { payload: "1; DROP TABLE test--", name: 'SQL Statement Injection' },
+            { payload: "1' AND '1'='1", name: 'SQL AND Injection' },
+        ];
+        for (const paramName of paramNames.slice(0, 3)) {
+            await testXSS(targetUrl, parsedUrl, paramName, xssPayloads, vulnerabilities);
+            await testSQLi(targetUrl, parsedUrl, paramName, sqliPayloads, vulnerabilities);
+        }
+    }
+}
+//# sourceMappingURL=dast-scanner.js.map

package/v3/dist/domains/security-compliance/services/scanners/dast-scanner.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"dast-scanner.js","sourceRoot":"","sources":["../../../../../src/domains/security-compliance/services/scanners/dast-scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAC;AACpC,OAAO,EAAU,EAAE,EAAE,GAAG,EAAE,MAAM,mCAAmC,CAAC;AAUpE,OAAO,EACL,sBAAsB,EACtB,qBAAqB,EACrB,oBAAoB,EACpB,kBAAkB,EAClB,WAAW,EACX,oBAAoB,EACpB,OAAO,EACP,QAAQ,EACR,6BAA6B,EAC7B,uBAAuB,EACvB,QAAQ,EACR,mBAAmB,EACnB,gBAAgB,EAChB,gBAAgB,EAChB,gBAAgB,EAChB,gBAAgB,GACjB,MAAM,mBAAmB,CAAC;AAE3B,+EAA+E;AAC/E,uBAAuB;AACvB,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,OAAO,WAAW;IACL,MAAM,CAAwB;IAC9B,MAAM,CAAgB;IACtB,WAAW,CAA0B;IAEtD,YACE,MAA6B,EAC7B,MAAqB,EACrB,WAAqC;QAErC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,WAAW,GAAG,WAAW,IAAI,IAAI,GAAG,EAAE,CAAC;IAC9C,CAAC;IAED,6EAA6E;IAC7E,iBAAiB;IACjB,6EAA6E;IAE7E;;OAEG;IACH,KAAK,CAAC,OAAO,CACX,SAAiB,EACjB,OAAqB;QAErB,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;QAExB,IAAI,CAAC;YACH,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YACxC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAE7B,MAAM,aAAa,GAAgB;gBACjC,QAAQ,EAAE,OAAO,EAAE,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY;gBACvD,cAAc,EAAE,OAAO,EAAE,cAAc,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB;gBACzE,OAAO,EAAE,OAAO,EAAE,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO;gBAChD,eAAe,EAAE,OAAO,EAAE,eAAe,IAAI,EAAE;aAChD,CAAC;YAEF,2BAA2B;YAC3B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,kBAAkB,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;YAEvE,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAE9C,MAAM,OAAO,GAAG,gBAAgB,CAC9B,MAAM,CAAC,eAAe,EACtB,CAAC,EACD,cAAc,CACf,CAAC;YAEF,gBAAgB;YAChB,MAAM,gBAAgB,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;YAErF,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;YAE1C,OAAO,EAAE,CAAC;gBACR,MAAM;gBACN,SAAS;gBACT,eAAe,EAAE,MAAM,CAAC,eAAe;gBACvC,OAAO;gBACP,WAAW,EAAE,MAAM,CAAC,WAAW;aAChC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YACvC,OAAO,GAAG,CAAC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,iBAAiB,CACrB,SAAiB,EACjB,WAA4B,EAC5B,OAAqB;QAErB,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;QAExB,IAAI,CAAC;YACH,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YACxC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAE7B,uBAAuB;YACvB,MAAM,cAAc,GAAG,mBAAmB,CAAC,WAAW,CAAC,CAAC;YACxD,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;gBAC1B,OAAO,GAAG,CAAC,IAAI,KAAK,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC;YAC/C,CAAC;YAED,MAAM,aAAa,GAAgB;gBACjC,QAAQ,EAAE,OAAO,EAAE,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY;gBACvD,cAAc,EAAE,OAAO,EAAE,cAAc,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB;gBACzE,OAAO,EAAE,OAAO,EAAE,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO;gBAChD,eAAe,EAAE,OAAO,EAAE,eAAe,IAAI,EAAE;aAChD,CAAC;YAEF,yCAAyC;YACzC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,wBAAwB,CAChD,SAAS,EACT,WAAW,EACX,aAAa,CACd,CAAC;YAEF,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAE9C,MAAM,OAAO,GAAG,gBAAgB,CAC9B,MAAM,CAAC,eAAe,EACtB,CAAC,EACD,cAAc,CACf,CAAC;YAEF,sCAAsC;YACtC,MAAM,gBAAgB,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;YAE1F,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;YAE1C,OAAO,EAAE,CAAC;gBACR,MAAM;gBACN,SAAS;gBACT,eAAe,EAAE,MAAM,CAAC,eAAe;gBACvC,OAAO;gBACP,WAAW,EAAE,MAAM,CAAC,WAAW;aAChC,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YACvC,OAAO,GAAG,CAAC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,MAAc;QAChC,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC;IACnD,CAAC;IAED,6EAA6E;IAC7E,qCAAqC;IACrC,6EAA6E;IAE7E;;OAEG;IACK,KAAK,CAAC,kBAAkB,CAC9B,SAAiB,EACjB,OAAoB;QAEpB,MAAM,eAAe,GAAoB,EAAE,CAAC;QAC5C,IAAI,WAAW,GAAG,CAAC,CAAC;QAEpB,IAAI,CAAC;YACH,yBAAyB;YACzB,IAAI,SAAc,CAAC;YACnB,IAAI,CAAC;gBACH,SAAS,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;YACjC,CAAC;YAAC,MAAM,CAAC;gBACP,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,SAAS,CAAC,CAAC,CAAC;gBAC3D,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC;YAC7C,CAAC;YAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC;YACvD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;YAE9D,yBAAyB;YACzB,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;YAEjF,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE;oBACtC,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE;wBACP,YAAY,EAAE,4BAA4B;wBAC1C,QAAQ,EAAE,iEAAiE;qBAC5E;oBACD,MAAM,EAAE,UAAU,CAAC,MAAM;oBACzB,QAAQ,EAAE,QAAQ;iBACnB,CAAC,CAAC;gBAEH,YAAY,CAAC,SAAS,CAAC,CAAC;gBACxB,WAAW,EAAE,CAAC;gBAEd,2BAA2B;gBAC3B,sBAAsB,CAAC,QAAQ,CAAC,OAAO,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;gBAErE,8BAA8B;gBAC9B,IAAI,SAAS,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;oBACnC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,0BAA0B,CAAC,SAAS,CAAC,CAAC,CAAC;gBACnE,CAAC;gBAED,4BAA4B;gBAC5B,qBAAqB,CAAC,QAAQ,CAAC,OAAO,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;gBAEpE,sCAAsC;gBACtC,oBAAoB,CAAC,QAAQ,CAAC,OAAO,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;gBAEnE,2BAA2B;gBAC3B,IAAI,OAAO,CAAC,cAAc,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;oBAC7D,WAAW,GAAG,MAAM,kBAAkB,CAAC,SAAS,EAAE,WAAW,EAAE,QAAQ,EAAE,eAAe,CAAC,CAAC;oBAC1F,MAAM,WAAW,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;oBAE9C,iEAAiE;oBACjE,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,CAAC;oBAEnD,WAAW,GAAG,MAAM,oBAAoB,CACtC,YAAY,EACZ,SAAS,EACT,WAAW,EACX,QAAQ,EACR,eAAe,CAChB,CAAC;oBAEF,IAAI,SAAS,CAAC,MAAM,EAAE,CAAC;wBACrB,MAAM,IAAI,CAAC,4BAA4B,CAAC,SAAS,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;oBACjF,CAAC;oBAED,6BAA6B,CAAC,YAAY,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;gBAC1E,CAAC;YAEH,CAAC;YAAC,OAAO,UAAU,EAAE,CAAC;gBACpB,YAAY,CAAC,SAAS,CAAC,CAAC;gBACxB,gBAAgB,CAAC,UAAU,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;YAC3D,CAAC;QAEH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,kBAAkB,EAAE,KAAK,CAAC,CAAC;QAC3C,CAAC;QAED,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,CAAC;IAC1C,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,wBAAwB,CACpC,SAAiB,EACjB,WAA4B,EAC5B,OAAoB;QAEpB,MAAM,eAAe,GAAoB,EAAE,CAAC;QAC5C,IAAI,WAAW,GAAG,CAAC,CAAC;QAEpB,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;YAElD,IAAI,SAAc,CAAC;YACnB,IAAI,CAAC;gBACH,SAAS,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;YACjC,CAAC;YAAC,MAAM,CAAC;gBACP,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,SAAS,CAAC,CAAC,CAAC;gBAC3D,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC;YAC7C,CAAC;YAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC;YACvD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;YAE9D,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;YAEjF,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE;oBACtC,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE;wBACP,YAAY,EAAE,4BAA4B;wBAC1C,QAAQ,EAAE,iEAAiE;wBAC3E,GAAG,WAAW;qBACf;oBACD,MAAM,EAAE,UAAU,CAAC,MAAM;oBACzB,QAAQ,EAAE,QAAQ;iBACnB,CAAC,CAAC;gBAEH,YAAY,CAAC,SAAS,CAAC,CAAC;gBACxB,WAAW,EAAE,CAAC;gBAEd,yCAAyC;gBACzC,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBACvD,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;gBAC9E,CAAC;gBAED,kCAAkC;gBAClC,sBAAsB,CAAC,QAAQ,CAAC,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,IAAI,CAAC,CAAC;gBAE3E,iCAAiC;gBACjC,IAAI,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;oBACvH,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,SAAS,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;gBAC/E,CAAC;gBAED,8CAA8C;gBAC9C,IAAI,OAAO,CAAC,cAAc,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;oBAC7D,WAAW,GAAG,MAAM,uBAAuB,CAAC,SAAS,EAAE,WAAW,EAAE,WAAW,EAAE,QAAQ,EAAE,eAAe,CAAC,CAAC;oBAC5G,WAAW,GAAG,MAAM,QAAQ,CAAC,SAAS,EAAE,WAAW,EAAE,WAAW,EAAE,QAAQ,EAAE,eAAe,CAAC,CAAC;gBAC/F,CAAC;gBAED,sDAAsD;gBACtD,qBAAqB,CAAC,QAAQ,CAAC,OAAO,EAAE,SAAS,EAAE,eAAe,EAAE,IAAI,CAAC,CAAC;YAE5E,CAAC;YAAC,OAAO,UAAU,EAAE,CAAC;gBACpB,YAAY,CAAC,SAAS,CAAC,CAAC;gBACxB,gBAAgB,CAAC,UAAU,EAAE,SAAS,EAAE,eAAe,CAAC,CAAC;YAC3D,CAAC;QAEH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,KAAK,CAAC,CAAC;QACzD,CAAC;QAED,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,CAAC;IAC1C,CAAC;IAED,6EAA6E;IAC7E,4CAA4C;IAC5C,6EAA6E;IAErE,oBAAoB,CAAC,SAAiB;QAC5C,OAAO;YACL,EAAE,EAAE,MAAM,EAAE;YACZ,KAAK,EAAE,oBAAoB;YAC3B,WAAW,EAAE,sCAAsC;YACnD,QAAQ,EAAE,eAAe;YACzB,QAAQ,EAAE,2BAA2B;YACrC,QAAQ,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;YAC7B,WAAW,EAAE,EAAE,WAAW,EAAE,qBAAqB,EAAE,eAAe,EAAE,SAAS,EAAE,WAAW,EAAE,KAAK,EAAE;YACnG,UAAU,EAAE,EAAE;SACf,CAAC;IACJ,CAAC;IAEO,0BAA0B,CAAC,SAAiB;QAClD,OAAO;YACL,EAAE,EAAE,MAAM,EAAE;YACZ,KAAK,EAAE,wBAAwB;YAC/B,WAAW,EAAE,iDAAiD;YAC9D,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,gBAAgB;YAC1B,QAAQ,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;YAC7B,WAAW,EAAE,EAAE,WAAW,EAAE,oCAAoC,EAAE,eAAe,EAAE,UAAU,EAAE,WAAW,EAAE,KAAK,EAAE;YACnH,UAAU,EAAE,CAAC,2DAA2D,CAAC;SAC1E,CAAC;IACJ,CAAC;IAEO,oBAAoB,CAAC,SAAiB,EAAE,MAAc;QAC5D,OAAO;YACL,EAAE,EAAE,MAAM,EAAE;YACZ,KAAK,EAAE,uBAAuB;YAC9B,WAAW,EAAE,2BAA2B,MAAM,SAAS;YACvD,QAAQ,EAAE,eAAe;YACzB,QAAQ,EAAE,aAAa;YACvB,QAAQ,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;YAC7B,WAAW,EAAE,EAAE,WAAW,EAAE,gCAAgC,EAAE,eAAe,EAAE,SAAS,EAAE,WAAW,EAAE,KAAK,EAAE;YAC9G,UAAU,EAAE,EAAE;SACf,CAAC;IACJ,CAAC;IAEO,oBAAoB,CAAC,SAAiB,EAAE,MAAc;QAC5D,OAAO;YACL,EAAE,EAAE,MAAM,EAAE;YACZ,KAAK,EAAE,sBAAsB;YAC7B,WAAW,EAAE,kDAAkD;YAC/D,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,gBAAgB;YAC1B,QAAQ,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;YAC/D,WAAW,EAAE,EAAE,WAAW,EAAE,iDAAiD,EAAE,eAAe,EAAE,UAAU,EAAE,WAAW,EAAE,KAAK,EAAE;YAChI,UAAU,EAAE,CAAC,mGAAmG,CAAC;SAClH,CAAC;IACJ,CAAC;IAED,6EAA6E;IAC7E,sCAAsC;IACtC,6EAA6E;IAE7E;;OAEG;IACK,KAAK,CAAC,4BAA4B,CACxC,SAAiB,EACjB,SAAc,EACd,eAAgC;QAEhC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACrD,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QAE7C,MAAM,WAAW,GAAG;YAClB,EAAE,OAAO,EAAE,2BAA2B,EAAE,IAAI,EAAE,WAAW,EAAE;YAC3D,EAAE,OAAO,EAAE,gCAAgC,EAAE,IAAI,EAAE,qBAAqB,EAAE;YAC1E,EAAE,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,sBAAsB,EAAE;SAC1D,CAAC;QAEF,MAAM,YAAY,GAAG;YACnB,EAAE,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,kBAAkB,EAAE;YACpD,EAAE,OAAO,EAAE,sBAAsB,EAAE,IAAI,EAAE,yBAAyB,EAAE;YACpE,EAAE,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,mBAAmB,EAAE;SACxD,CAAC;QAEF,KAAK,MAAM,SAAS,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;YAC/C,MAAM,OAAO,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;YAC7E,MAAM,QAAQ,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,eAAe,CAAC,CAAC;QACjF,CAAC;IACH,CAAC;CACF"}

package/v3/dist/domains/security-compliance/services/scanners/dependency-scanner.d.ts ADDED Viewed

@@ -0,0 +1,46 @@
+/**
+ * Agentic QE v3 - Dependency Scanner
+ * Scans npm dependencies for known vulnerabilities using OSV API
+ */
+import { Result } from '../../../../shared/types/index.js';
+import type { SecurityScannerConfig, DependencyScanResult, MemoryBackend, ScanStatus } from './scanner-types.js';
+/**
+ * Dependency Scanner - OSV-based Vulnerability Detection
+ * Scans npm dependencies for known vulnerabilities using the OSV API
+ */
+export declare class DependencyScanner {
+    private readonly config;
+    private readonly memory;
+    private readonly osvClient;
+    private readonly activeScans;
+    constructor(config: SecurityScannerConfig, memory: MemoryBackend, activeScans?: Map<string, ScanStatus>);
+    /**
+     * Scan npm dependencies for known vulnerabilities using OSV API
+     */
+    scanDependencies(dependencies: Record<string, string>): Promise<Result<DependencyScanResult>>;
+    /**
+     * Scan a package.json file for dependency vulnerabilities
+     */
+    scanPackageJson(packageJsonPath: string): Promise<Result<DependencyScanResult>>;
+    /**
+     * Get scan status
+     */
+    getScanStatus(scanId: string): Promise<ScanStatus>;
+    /**
+     * Convert OSV vulnerabilities to our internal format
+     */
+    private convertOSVVulnerabilities;
+    /**
+     * Map OSV severity to our severity type
+     */
+    private mapOSVSeverity;
+    /**
+     * Calculate scan summary
+     */
+    private calculateSummary;
+    /**
+     * Store scan results
+     */
+    private storeScanResults;
+}
+//# sourceMappingURL=dependency-scanner.d.ts.map

package/v3/dist/domains/security-compliance/services/scanners/dependency-scanner.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"dependency-scanner.d.ts","sourceRoot":"","sources":["../../../../../src/domains/security-compliance/services/scanners/dependency-scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,MAAM,EAAW,MAAM,mCAAmC,CAAC;AAEpE,OAAO,KAAK,EACV,qBAAqB,EACrB,oBAAoB,EAMpB,aAAa,EAEb,UAAU,EACX,MAAM,oBAAoB,CAAC;AAM5B;;;GAGG;AACH,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAwB;IAC/C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgB;IACvC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAY;IACtC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAA0B;gBAGpD,MAAM,EAAE,qBAAqB,EAC7B,MAAM,EAAE,aAAa,EACrB,WAAW,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC;IAYvC;;OAEG;IACG,gBAAgB,CACpB,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GACnC,OAAO,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;IAiDxC;;OAEG;IACG,eAAe,CAAC,eAAe,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;IA2BrF;;OAEG;IACG,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAQxD;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAoCjC;;OAEG;IACH,OAAO,CAAC,cAAc;IAatB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAsBxB;;OAEG;YACW,gBAAgB;CAkB/B"}

package/v3/dist/domains/security-compliance/services/scanners/dependency-scanner.js ADDED Viewed

@@ -0,0 +1,180 @@
+/**
+ * Agentic QE v3 - Dependency Scanner
+ * Scans npm dependencies for known vulnerabilities using OSV API
+ */
+import { v4 as uuidv4 } from 'uuid';
+import { ok, err } from '../../../../shared/types/index.js';
+import { OSVClient } from '../../../../shared/security/index.js';
+// ============================================================================
+// Dependency Scanner Service
+// ============================================================================
+/**
+ * Dependency Scanner - OSV-based Vulnerability Detection
+ * Scans npm dependencies for known vulnerabilities using the OSV API
+ */
+export class DependencyScanner {
+    config;
+    memory;
+    osvClient;
+    activeScans;
+    constructor(config, memory, activeScans) {
+        this.config = config;
+        this.memory = memory;
+        this.osvClient = new OSVClient({ enableCache: true });
+        this.activeScans = activeScans || new Map();
+    }
+    // ==========================================================================
+    // Public Methods
+    // ==========================================================================
+    /**
+     * Scan npm dependencies for known vulnerabilities using OSV API
+     */
+    async scanDependencies(dependencies) {
+        const scanId = uuidv4();
+        const startTime = Date.now();
+        try {
+            if (Object.keys(dependencies).length === 0) {
+                return err(new Error('No dependencies provided for scanning'));
+            }
+            this.activeScans.set(scanId, 'running');
+            // Query OSV for vulnerabilities
+            const osvVulns = await this.osvClient.scanNpmDependencies(dependencies);
+            // Convert OSV vulnerabilities to our format
+            const vulnerabilities = this.convertOSVVulnerabilities(osvVulns);
+            const scanDurationMs = Date.now() - startTime;
+            // Calculate unique vulnerable packages
+            const vulnerablePackageNames = new Set(osvVulns.map((v) => v.affectedPackage));
+            // Calculate summary
+            const summary = this.calculateSummary(vulnerabilities, Object.keys(dependencies).length, scanDurationMs);
+            // Store scan results
+            await this.storeScanResults(scanId, 'dependency', vulnerabilities, summary);
+            this.activeScans.set(scanId, 'completed');
+            return ok({
+                scanId,
+                vulnerabilities,
+                packagesScanned: Object.keys(dependencies).length,
+                vulnerablePackages: vulnerablePackageNames.size,
+                summary,
+                scanDurationMs,
+            });
+        }
+        catch (error) {
+            this.activeScans.set(scanId, 'failed');
+            return err(error instanceof Error ? error : new Error(String(error)));
+        }
+    }
+    /**
+     * Scan a package.json file for dependency vulnerabilities
+     */
+    async scanPackageJson(packageJsonPath) {
+        try {
+            const fs = await import('fs/promises');
+            const content = await fs.readFile(packageJsonPath, 'utf-8');
+            const packageJson = JSON.parse(content);
+            // Combine all dependency types
+            const allDependencies = {
+                ...(packageJson.dependencies || {}),
+                ...(packageJson.devDependencies || {}),
+                ...(packageJson.peerDependencies || {}),
+                ...(packageJson.optionalDependencies || {}),
+            };
+            if (Object.keys(allDependencies).length === 0) {
+                return err(new Error('No dependencies found in package.json'));
+            }
+            return this.scanDependencies(allDependencies);
+        }
+        catch (error) {
+            if (error instanceof SyntaxError) {
+                return err(new Error(`Invalid JSON in package.json: ${error.message}`));
+            }
+            return err(error instanceof Error ? error : new Error(String(error)));
+        }
+    }
+    /**
+     * Get scan status
+     */
+    async getScanStatus(scanId) {
+        return this.activeScans.get(scanId) ?? 'pending';
+    }
+    // ==========================================================================
+    // Private Methods
+    // ==========================================================================
+    /**
+     * Convert OSV vulnerabilities to our internal format
+     */
+    convertOSVVulnerabilities(osvVulns) {
+        return osvVulns.map((osv) => {
+            const location = {
+                file: 'package.json',
+                line: 1,
+                column: 1,
+                snippet: `"${osv.affectedPackage}": "..."`,
+            };
+            const remediation = {
+                description: osv.fixedVersions.length > 0
+                    ? `Update to version ${osv.fixedVersions[0]} or later`
+                    : 'No fixed version available; consider alternative packages',
+                fixExample: osv.fixedVersions.length > 0
+                    ? `npm install ${osv.affectedPackage}@${osv.fixedVersions[0]}`
+                    : undefined,
+                estimatedEffort: 'minor',
+                automatable: true,
+            };
+            return {
+                id: uuidv4(),
+                cveId: osv.cveIds[0],
+                title: `${osv.affectedPackage}: ${osv.summary.substring(0, 80)}`,
+                description: osv.details || osv.summary,
+                severity: this.mapOSVSeverity(osv.severity),
+                category: 'vulnerable-components',
+                location,
+                remediation,
+                references: osv.references.slice(0, 5),
+            };
+        });
+    }
+    /**
+     * Map OSV severity to our severity type
+     */
+    mapOSVSeverity(osvSeverity) {
+        const mapping = {
+            critical: 'critical',
+            high: 'high',
+            medium: 'medium',
+            low: 'low',
+            unknown: 'medium',
+        };
+        return mapping[osvSeverity];
+    }
+    /**
+     * Calculate scan summary
+     */
+    calculateSummary(vulnerabilities, totalFiles, scanDurationMs) {
+        const summary = {
+            critical: 0,
+            high: 0,
+            medium: 0,
+            low: 0,
+            informational: 0,
+            totalFiles,
+            scanDurationMs,
+        };
+        for (const vuln of vulnerabilities) {
+            summary[vuln.severity]++;
+        }
+        return summary;
+    }
+    /**
+     * Store scan results
+     */
+    async storeScanResults(scanId, scanType, vulnerabilities, summary) {
+        await this.memory.set(`security:scan:${scanId}`, {
+            scanId,
+            scanType,
+            vulnerabilities,
+            summary,
+            timestamp: new Date().toISOString(),
+        }, { namespace: 'security-compliance', ttl: 86400 * 7 });
+    }
+}
+//# sourceMappingURL=dependency-scanner.js.map

package/v3/dist/domains/security-compliance/services/scanners/dependency-scanner.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"dependency-scanner.js","sourceRoot":"","sources":["../../../../../src/domains/security-compliance/services/scanners/dependency-scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAC;AACpC,OAAO,EAAU,EAAE,EAAE,GAAG,EAAE,MAAM,mCAAmC,CAAC;AACpE,OAAO,EAAE,SAAS,EAAuB,MAAM,sCAAsC,CAAC;AActF,+EAA+E;AAC/E,6BAA6B;AAC7B,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,OAAO,iBAAiB;IACX,MAAM,CAAwB;IAC9B,MAAM,CAAgB;IACtB,SAAS,CAAY;IACrB,WAAW,CAA0B;IAEtD,YACE,MAA6B,EAC7B,MAAqB,EACrB,WAAqC;QAErC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,SAAS,GAAG,IAAI,SAAS,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;QACtD,IAAI,CAAC,WAAW,GAAG,WAAW,IAAI,IAAI,GAAG,EAAE,CAAC;IAC9C,CAAC;IAED,6EAA6E;IAC7E,iBAAiB;IACjB,6EAA6E;IAE7E;;OAEG;IACH,KAAK,CAAC,gBAAgB,CACpB,YAAoC;QAEpC,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;QACxB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,IAAI,CAAC;YACH,IAAI,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC3C,OAAO,GAAG,CAAC,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC,CAAC;YACjE,CAAC;YAED,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YAExC,gCAAgC;YAChC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,mBAAmB,CAAC,YAAY,CAAC,CAAC;YAExE,4CAA4C;YAC5C,MAAM,eAAe,GAAG,IAAI,CAAC,yBAAyB,CAAC,QAAQ,CAAC,CAAC;YAEjE,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAE9C,uCAAuC;YACvC,MAAM,sBAAsB,GAAG,IAAI,GAAG,CACpC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe,CAAC,CACvC,CAAC;YAEF,oBAAoB;YACpB,MAAM,OAAO,GAAG,IAAI,CAAC,gBAAgB,CACnC,eAAe,EACf,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,MAAM,EAChC,cAAc,CACf,CAAC;YAEF,qBAAqB;YACrB,MAAM,IAAI,CAAC,gBAAgB,CAAC,MAAM,EAAE,YAAY,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC;YAC5E,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;YAE1C,OAAO,EAAE,CAAC;gBACR,MAAM;gBACN,eAAe;gBACf,eAAe,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,MAAM;gBACjD,kBAAkB,EAAE,sBAAsB,CAAC,IAAI;gBAC/C,OAAO;gBACP,cAAc;aACf,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;YACvC,OAAO,GAAG,CAAC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,eAAe,CAAC,eAAuB;QAC3C,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;YACvC,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;YAC5D,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YAExC,+BAA+B;YAC/B,MAAM,eAAe,GAA2B;gBAC9C,GAAG,CAAC,WAAW,CAAC,YAAY,IAAI,EAAE,CAAC;gBACnC,GAAG,CAAC,WAAW,CAAC,eAAe,IAAI,EAAE,CAAC;gBACtC,GAAG,CAAC,WAAW,CAAC,gBAAgB,IAAI,EAAE,CAAC;gBACvC,GAAG,CAAC,WAAW,CAAC,oBAAoB,IAAI,EAAE,CAAC;aAC5C,CAAC;YAEF,IAAI,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC9C,OAAO,GAAG,CAAC,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC,CAAC;YACjE,CAAC;YAED,OAAO,IAAI,CAAC,gBAAgB,CAAC,eAAe,CAAC,CAAC;QAChD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;gBACjC,OAAO,GAAG,CAAC,IAAI,KAAK,CAAC,iCAAiC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YAC1E,CAAC;YACD,OAAO,GAAG,CAAC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,aAAa,CAAC,MAAc;QAChC,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC;IACnD,CAAC;IAED,6EAA6E;IAC7E,kBAAkB;IAClB,6EAA6E;IAE7E;;OAEG;IACK,yBAAyB,CAC/B,QAA+B;QAE/B,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;YAC1B,MAAM,QAAQ,GAA0B;gBACtC,IAAI,EAAE,cAAc;gBACpB,IAAI,EAAE,CAAC;gBACP,MAAM,EAAE,CAAC;gBACT,OAAO,EAAE,IAAI,GAAG,CAAC,eAAe,UAAU;aAC3C,CAAC;YAEF,MAAM,WAAW,GAAsB;gBACrC,WAAW,EAAE,GAAG,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC;oBACvC,CAAC,CAAC,qBAAqB,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,WAAW;oBACtD,CAAC,CAAC,2DAA2D;gBAC/D,UAAU,EAAE,GAAG,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC;oBACtC,CAAC,CAAC,eAAe,GAAG,CAAC,eAAe,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE;oBAC9D,CAAC,CAAC,SAAS;gBACb,eAAe,EAAE,OAAO;gBACxB,WAAW,EAAE,IAAI;aAClB,CAAC;YAEF,OAAO;gBACL,EAAE,EAAE,MAAM,EAAE;gBACZ,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;gBACpB,KAAK,EAAE,GAAG,GAAG,CAAC,eAAe,KAAK,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;gBAChE,WAAW,EAAE,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,OAAO;gBACvC,QAAQ,EAAE,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC;gBAC3C,QAAQ,EAAE,uBAAuB;gBACjC,QAAQ;gBACR,WAAW;gBACX,UAAU,EAAE,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;aACvC,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,cAAc,CACpB,WAA4C;QAE5C,MAAM,OAAO,GAAmE;YAC9E,QAAQ,EAAE,UAAU;YACpB,IAAI,EAAE,MAAM;YACZ,MAAM,EAAE,QAAQ;YAChB,GAAG,EAAE,KAAK;YACV,OAAO,EAAE,QAAQ;SAClB,CAAC;QACF,OAAO,OAAO,CAAC,WAAW,CAAC,CAAC;IAC9B,CAAC;IAED;;OAEG;IACK,gBAAgB,CACtB,eAAgC,EAChC,UAAkB,EAClB,cAAsB;QAEtB,MAAM,OAAO,GAAuB;YAClC,QAAQ,EAAE,CAAC;YACX,IAAI,EAAE,CAAC;YACP,MAAM,EAAE,CAAC;YACT,GAAG,EAAE,CAAC;YACN,aAAa,EAAE,CAAC;YAChB,UAAU;YACV,cAAc;SACf,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,CAAC;YACnC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3B,CAAC;QAED,OAAO,OAAsB,CAAC;IAChC,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,gBAAgB,CAC5B,MAAc,EACd,QAAgB,EAChB,eAAgC,EAChC,OAAoB;QAEpB,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CACnB,iBAAiB,MAAM,EAAE,EACzB;YACE,MAAM;YACN,QAAQ;YACR,eAAe;YACf,OAAO;YACP,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,EACD,EAAE,SAAS,EAAE,qBAAqB,EAAE,GAAG,EAAE,KAAK,GAAG,CAAC,EAAE,CACrD,CAAC;IACJ,CAAC;CACF"}