api-tests-coverage 1.0.13 → 1.0.15

package/dist/src/pipeline/stages/sca/dependencyDetector.js

@@ -0,0 +1,416 @@
+"use strict";
+/**
+ * Dependency detector — parses manifest files to extract dependency names and versions.
+ *
+ * Supports:
+ * - package.json (JavaScript/TypeScript)
+ * - pom.xml (Java/Kotlin Maven)
+ * - build.gradle / build.gradle.kts (Java/Kotlin Gradle)
+ * - requirements.txt (Python)
+ * - pyproject.toml (Python)
+ * - Pipfile (Python)
+ * - Gemfile (Ruby)
+ * - go.mod (Go)
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MANIFEST_FILES = void 0;
+exports.detectDependencies = detectDependencies;
+exports.parseManifest = parseManifest;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+/** Manifest file names this detector handles. */
+exports.MANIFEST_FILES = [
+    'package.json',
+    'pom.xml',
+    'build.gradle',
+    'build.gradle.kts',
+    'requirements.txt',
+    'pyproject.toml',
+    'Pipfile',
+    'Gemfile',
+    'go.mod',
+];
+/**
+ * Scan a project root for manifest files and parse all dependencies.
+ */
+function detectDependencies(projectRoot) {
+    const dependencies = [];
+    const manifestFiles = [];
+    for (const manifest of exports.MANIFEST_FILES) {
+        const fullPath = path.join(projectRoot, manifest);
+        if (!fs.existsSync(fullPath))
+            continue;
+        manifestFiles.push(manifest);
+        let content;
+        try {
+            content = fs.readFileSync(fullPath, 'utf-8');
+        }
+        catch {
+            continue;
+        }
+        const parsed = parseManifest(manifest, content, manifest);
+        dependencies.push(...parsed);
+    }
+    return { dependencies, manifestFiles };
+}
+/**
+ * Parse a single manifest file and return dependency entries.
+ */
+function parseManifest(fileName, content, sourceFile) {
+    const base = path.basename(fileName);
+    switch (base) {
+        case 'package.json':
+            return parsePackageJson(content, sourceFile);
+        case 'pom.xml':
+            return parsePomXml(content, sourceFile);
+        case 'build.gradle':
+        case 'build.gradle.kts':
+            return parseBuildGradle(content, sourceFile);
+        case 'requirements.txt':
+            return parseRequirementsTxt(content, sourceFile);
+        case 'pyproject.toml':
+            return parsePyprojectToml(content, sourceFile);
+        case 'Pipfile':
+            return parsePipfile(content, sourceFile);
+        case 'Gemfile':
+            return parseGemfile(content, sourceFile);
+        case 'go.mod':
+            return parseGoMod(content, sourceFile);
+        default:
+            return [];
+    }
+}
+// ─── package.json ───────────────────────────────────────────────────────────
+function parsePackageJson(content, sourceFile) {
+    const deps = [];
+    let pkg;
+    try {
+        pkg = JSON.parse(content);
+    }
+    catch {
+        return deps;
+    }
+    const sections = [
+        { key: 'dependencies', scope: 'production' },
+        { key: 'devDependencies', scope: 'development' },
+        { key: 'peerDependencies', scope: 'production' },
+        { key: 'optionalDependencies', scope: 'production' },
+    ];
+    for (const { key, scope } of sections) {
+        const section = pkg[key];
+        if (!section || typeof section !== 'object')
+            continue;
+        for (const [name, version] of Object.entries(section)) {
+            if (typeof version === 'string') {
+                deps.push({ name, version, scope, sourceFile });
+            }
+        }
+    }
+    return deps;
+}
+// ─── pom.xml ────────────────────────────────────────────────────────────────
+function parsePomXml(content, sourceFile) {
+    var _a;
+    const deps = [];
+    // Extract dependencies using regex (avoids XML parser dependency)
+    const depBlockRegex = /<dependency>([\s\S]*?)<\/dependency>/g;
+    let match;
+    while ((match = depBlockRegex.exec(content)) !== null) {
+        const block = match[1];
+        const groupId = extractXmlTag(block, 'groupId');
+        const artifactId = extractXmlTag(block, 'artifactId');
+        const version = (_a = extractXmlTag(block, 'version')) !== null && _a !== void 0 ? _a : 'managed';
+        const scopeTag = extractXmlTag(block, 'scope');
+        if (!artifactId)
+            continue;
+        const name = groupId ? `${groupId}:${artifactId}` : artifactId;
+        const scope = mapMavenScope(scopeTag);
+        deps.push({ name, version, scope, sourceFile });
+    }
+    return deps;
+}
+function extractXmlTag(xml, tag) {
+    const regex = new RegExp(`<${tag}>\\s*([^<]+?)\\s*</${tag}>`);
+    const match = regex.exec(xml);
+    return match === null || match === void 0 ? void 0 : match[1];
+}
+function mapMavenScope(scope) {
+    switch (scope) {
+        case 'test':
+            return 'test';
+        case 'provided':
+        case 'compile':
+        case 'runtime':
+            return 'production';
+        case 'system':
+        case 'import':
+            return 'build';
+        default:
+            return 'production'; // Maven default is compile
+    }
+}
+// ─── build.gradle / build.gradle.kts ────────────────────────────────────────
+function parseBuildGradle(content, sourceFile) {
+    var _a, _b;
+    const deps = [];
+    // Match patterns like:
+    //   implementation 'group:artifact:version'
+    //   implementation "group:artifact:version"
+    //   testImplementation("group:artifact:version")
+    //   api "group:artifact:version"
+    const depRegex = /(?:implementation|testImplementation|testRuntimeOnly|runtimeOnly|compileOnly|api|annotationProcessor|kapt)\s*[\(]?\s*['"]([\w./-]+):([\w./-]+)(?::([\w.+\-]+))?['"]\s*[\)]?/g;
+    let match;
+    while ((match = depRegex.exec(content)) !== null) {
+        const group = match[1];
+        const artifact = match[2];
+        const version = (_a = match[3]) !== null && _a !== void 0 ? _a : 'unspecified';
+        const line = content.substring(0, match.index).split('\n').length - 1;
+        const configLine = (_b = content.split('\n')[line]) !== null && _b !== void 0 ? _b : '';
+        const name = `${group}:${artifact}`;
+        const scope = mapGradleScope(configLine);
+        deps.push({ name, version, scope, sourceFile });
+    }
+    return deps;
+}
+function mapGradleScope(line) {
+    const trimmed = line.trim();
+    if (trimmed.startsWith('testImplementation') || trimmed.startsWith('testRuntimeOnly')) {
+        return 'test';
+    }
+    if (trimmed.startsWith('annotationProcessor') || trimmed.startsWith('kapt')) {
+        return 'build';
+    }
+    return 'production';
+}
+// ─── requirements.txt ───────────────────────────────────────────────────────
+function parseRequirementsTxt(content, sourceFile) {
+    var _a;
+    const deps = [];
+    for (const rawLine of content.split('\n')) {
+        const line = rawLine.trim();
+        // Skip comments, empty lines, -r/-e/--flags
+        if (!line || line.startsWith('#') || line.startsWith('-'))
+            continue;
+        // Handle extras: package[extra1,extra2]
+        // Match: package==version, package>=version, package~=version, package (no version)
+        const match = /^([a-zA-Z0-9_][a-zA-Z0-9_.+-]*)(?:\[[^\]]*\])?\s*(?:([=><~!]+)\s*(.+))?$/.exec(line);
+        if (!match)
+            continue;
+        const name = match[1];
+        const version = (_a = match[3]) !== null && _a !== void 0 ? _a : 'unspecified';
+        deps.push({ name, version, scope: 'unknown', sourceFile });
+    }
+    return deps;
+}
+// ─── pyproject.toml ─────────────────────────────────────────────────────────
+function parsePyprojectToml(content, sourceFile) {
+    const deps = [];
+    // Extract [project.dependencies] section
+    const projectDepsMatch = /\[project\]\s[\s\S]*?dependencies\s*=\s*\[([\s\S]*?)\]/m.exec(content);
+    if (projectDepsMatch) {
+        parsePyprojectDependencyArray(projectDepsMatch[1], 'production', sourceFile, deps);
+    }
+    // Extract [project.optional-dependencies] sections
+    const optionalMatch = /\[project\.optional-dependencies\]\s*([\s\S]*?)(?=\n\[|\n$|$)/m.exec(content);
+    if (optionalMatch) {
+        const block = optionalMatch[1];
+        const sectionRegex = /(\w+)\s*=\s*\[([\s\S]*?)\]/g;
+        let sMatch;
+        while ((sMatch = sectionRegex.exec(block)) !== null) {
+            const sectionName = sMatch[1].toLowerCase();
+            const scope = sectionName === 'dev' || sectionName === 'test' || sectionName === 'testing'
+                ? 'development'
+                : 'production';
+            parsePyprojectDependencyArray(sMatch[2], scope, sourceFile, deps);
+        }
+    }
+    // Also try [tool.poetry.dependencies] for Poetry projects
+    const poetryDepsMatch = /\[tool\.poetry\.dependencies\]\s*([\s\S]*?)(?=\n\[|\n$|$)/m.exec(content);
+    if (poetryDepsMatch) {
+        parseTomlDependencyBlock(poetryDepsMatch[1], 'production', sourceFile, deps);
+    }
+    const poetryDevMatch = /\[tool\.poetry\.(?:dev-dependencies|group\.dev\.dependencies)\]\s*([\s\S]*?)(?=\n\[|\n$|$)/m.exec(content);
+    if (poetryDevMatch) {
+        parseTomlDependencyBlock(poetryDevMatch[1], 'development', sourceFile, deps);
+    }
+    return deps;
+}
+function parsePyprojectDependencyArray(block, scope, sourceFile, deps) {
+    var _a;
+    // Lines look like: "requests>=2.20", "fastapi~=0.100"
+    const lineRegex = /["']([a-zA-Z0-9_][a-zA-Z0-9_.+-]*)(?:\[[^\]]*\])?\s*(?:([=><~!]+)\s*([^"']+))?["']/g;
+    let match;
+    while ((match = lineRegex.exec(block)) !== null) {
+        deps.push({
+            name: match[1],
+            version: (_a = match[3]) !== null && _a !== void 0 ? _a : 'unspecified',
+            scope,
+            sourceFile,
+        });
+    }
+}
+function parseTomlDependencyBlock(block, scope, sourceFile, deps) {
+    // Lines look like: flask = "^2.0" or requests = {version = ">=2.20", optional = true}
+    for (const line of block.split('\n')) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('['))
+            continue;
+        const kvMatch = /^([a-zA-Z0-9_][a-zA-Z0-9_.-]*)\s*=\s*(.+)$/.exec(trimmed);
+        if (!kvMatch)
+            continue;
+        const name = kvMatch[1];
+        if (name.toLowerCase() === 'python')
+            continue; // Skip python version spec
+        const valueStr = kvMatch[2].trim();
+        let version = 'unspecified';
+        if (valueStr.startsWith('"') || valueStr.startsWith("'")) {
+            // Simple version string
+            version = valueStr.replace(/["']/g, '');
+        }
+        else if (valueStr.startsWith('{')) {
+            // Table form: {version = ">=2.0", ...}
+            const versionMatch = /version\s*=\s*["']([^"']+)["']/.exec(valueStr);
+            if (versionMatch)
+                version = versionMatch[1];
+        }
+        deps.push({ name, version, scope, sourceFile });
+    }
+}
+// ─── Pipfile ─────────────────────────────────────────────────────────────────
+function parsePipfile(content, sourceFile) {
+    const deps = [];
+    // Parse [packages] and [dev-packages] sections
+    const sections = [
+        { regex: /\[packages\]\s*([\s\S]*?)(?=\n\[|\n$|$)/m, scope: 'production' },
+        { regex: /\[dev-packages\]\s*([\s\S]*?)(?=\n\[|\n$|$)/m, scope: 'development' },
+    ];
+    for (const { regex, scope } of sections) {
+        const match = regex.exec(content);
+        if (!match)
+            continue;
+        for (const line of match[1].split('\n')) {
+            const trimmed = line.trim();
+            if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('['))
+                continue;
+            const kvMatch = /^([a-zA-Z0-9_][a-zA-Z0-9_.-]*)\s*=\s*(.+)$/.exec(trimmed);
+            if (!kvMatch)
+                continue;
+            const name = kvMatch[1];
+            const valueStr = kvMatch[2].trim();
+            let version = '*';
+            if (valueStr.startsWith('"') || valueStr.startsWith("'")) {
+                version = valueStr.replace(/["']/g, '');
+            }
+            else if (valueStr.startsWith('{')) {
+                const versionMatch = /version\s*=\s*["']([^"']+)["']/.exec(valueStr);
+                if (versionMatch)
+                    version = versionMatch[1];
+            }
+            deps.push({ name, version, scope, sourceFile });
+        }
+    }
+    return deps;
+}
+// ─── Gemfile ────────────────────────────────────────────────────────────────
+function parseGemfile(content, sourceFile) {
+    var _a;
+    const deps = [];
+    let currentGroup = 'production';
+    for (const rawLine of content.split('\n')) {
+        const line = rawLine.trim();
+        if (!line || line.startsWith('#'))
+            continue;
+        // Track group blocks: group :development do ... end
+        const groupMatch = /^group\s+:(\w+)/.exec(line);
+        if (groupMatch) {
+            const group = groupMatch[1];
+            currentGroup =
+                group === 'development' || group === 'test' ? 'development' : 'production';
+            continue;
+        }
+        if (line === 'end') {
+            currentGroup = 'production';
+            continue;
+        }
+        // Match: gem 'name', '~> version'
+        const gemMatch = /^gem\s+['"]([a-zA-Z0-9_.-]+)['"](?:\s*,\s*['"]([^'"]+)['"])?/.exec(line);
+        if (!gemMatch)
+            continue;
+        deps.push({
+            name: gemMatch[1],
+            version: (_a = gemMatch[2]) !== null && _a !== void 0 ? _a : '*',
+            scope: currentGroup,
+            sourceFile,
+        });
+    }
+    return deps;
+}
+// ─── go.mod ─────────────────────────────────────────────────────────────────
+function parseGoMod(content, sourceFile) {
+    const deps = [];
+    // Match require block: require ( ... )
+    const requireBlockRegex = /require\s*\(([\s\S]*?)\)/g;
+    let blockMatch;
+    while ((blockMatch = requireBlockRegex.exec(content)) !== null) {
+        const block = blockMatch[1];
+        for (const line of block.split('\n')) {
+            const trimmed = line.trim();
+            if (!trimmed || trimmed.startsWith('//'))
+                continue;
+            const parts = trimmed.split(/\s+/);
+            if (parts.length >= 2) {
+                deps.push({
+                    name: parts[0],
+                    version: parts[1],
+                    scope: 'production',
+                    sourceFile,
+                });
+            }
+        }
+    }
+    // Match single-line require: require module/path v1.2.3
+    const singleRegex = /^require\s+(\S+)\s+(\S+)/gm;
+    let singleMatch;
+    while ((singleMatch = singleRegex.exec(content)) !== null) {
+        deps.push({
+            name: singleMatch[1],
+            version: singleMatch[2],
+            scope: 'production',
+            sourceFile,
+        });
+    }
+    return deps;
+}

package/dist/src/pipeline/stages/sca/scaStage.d.ts

@@ -0,0 +1,21 @@
+/**
+ * SCA (Software Composition Analysis) stage — Stage 1 of the coverage pipeline.
+ *
+ * Wraps the existing discovery engine and adds:
+ * - Manifest file parsing for dependency extraction
+ * - Dependency classification into categories
+ * - CI platform detection
+ * - Graph population with `dependency` nodes and `depends-on` edges
+ *
+ * This stage runs first so that downstream stages (AST, TIA) can use the
+ * ScaOutput to select correct analysis heuristics (e.g. which HTTP client
+ * patterns to detect, which assertion libraries to recognize).
+ */
+import type { PipelineStage, PipelineContext } from '../../stageInterface';
+import type { ScaOutput } from './types';
+export declare class ScaStage implements PipelineStage<ScaOutput> {
+    readonly name: "sca";
+    readonly optional = false;
+    execute(context: PipelineContext): Promise<ScaOutput>;
+}
+//# sourceMappingURL=scaStage.d.ts.map

package/dist/src/pipeline/stages/sca/scaStage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scaStage.d.ts","sourceRoot":"","sources":["../../../../../src/pipeline/stages/sca/scaStage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAE3E,OAAO,KAAK,EAAE,SAAS,EAAoB,MAAM,SAAS,CAAC;AAM3D,qBAAa,QAAS,YAAW,aAAa,CAAC,SAAS,CAAC;IACvD,QAAQ,CAAC,IAAI,EAAG,KAAK,CAAU;IAC/B,QAAQ,CAAC,QAAQ,SAAS;IAEpB,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,SAAS,CAAC;CAgL5D"}

package/dist/src/pipeline/stages/sca/scaStage.js

@@ -0,0 +1,208 @@
+"use strict";
+/**
+ * SCA (Software Composition Analysis) stage — Stage 1 of the coverage pipeline.
+ *
+ * Wraps the existing discovery engine and adds:
+ * - Manifest file parsing for dependency extraction
+ * - Dependency classification into categories
+ * - CI platform detection
+ * - Graph population with `dependency` nodes and `depends-on` edges
+ *
+ * This stage runs first so that downstream stages (AST, TIA) can use the
+ * ScaOutput to select correct analysis heuristics (e.g. which HTTP client
+ * patterns to detect, which assertion libraries to recognize).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ScaStage = void 0;
+const dependencyDetector_1 = require("./dependencyDetector");
+const dependencyClassification_1 = require("./dependencyClassification");
+const ciDetector_1 = require("./ciDetector");
+const projectDiscovery_1 = require("../../../discovery/projectDiscovery");
+class ScaStage {
+    constructor() {
+        this.name = 'sca';
+        this.optional = false;
+    }
+    async execute(context) {
+        const startTime = Date.now();
+        const filesScanned = [];
+        const filesSkipped = [];
+        // 1. Run the existing discovery engine
+        const artifacts = (0, projectDiscovery_1.discoverProject)({ rootDir: context.projectRoot });
+        // 2. Parse manifest files for dependencies
+        const depResult = (0, dependencyDetector_1.detectDependencies)(context.projectRoot);
+        filesScanned.push(...depResult.manifestFiles);
+        // 3. Classify dependencies by category
+        const httpClients = [];
+        const testFrameworks = [];
+        const assertionLibraries = [];
+        const mockingLibraries = [];
+        const securityLibraries = [];
+        const performanceTools = [];
+        const e2eFrameworks = [];
+        const frameworksDeps = [];
+        const dependencyVersions = {};
+        for (const dep of depResult.dependencies) {
+            // Store version (use short name for display, e.g. artifactId for Maven)
+            const shortName = getShortDependencyName(dep);
+            dependencyVersions[shortName] = dep.version;
+            // Classify
+            const category = (0, dependencyClassification_1.classifyDependency)(shortName);
+            switch (category) {
+                case 'httpClient':
+                    addUnique(httpClients, shortName);
+                    break;
+                case 'testFramework':
+                    addUnique(testFrameworks, shortName);
+                    break;
+                case 'assertionLibrary':
+                    addUnique(assertionLibraries, shortName);
+                    break;
+                case 'mockingLibrary':
+                    addUnique(mockingLibraries, shortName);
+                    break;
+                case 'securityLibrary':
+                    addUnique(securityLibraries, shortName);
+                    break;
+                case 'performanceTool':
+                    addUnique(performanceTools, shortName);
+                    break;
+                case 'e2eFramework':
+                    addUnique(e2eFrameworks, shortName);
+                    break;
+                case 'framework':
+                    addUnique(frameworksDeps, shortName);
+                    break;
+            }
+        }
+        // 4. Merge discovery-detected languages and frameworks with dependency-detected ones
+        // DetectedLanguage and DetectedFramework are string literal unions, not objects
+        const languages = artifacts.languages;
+        const frameworks = mergeStrings(artifacts.frameworks, frameworksDeps);
+        // Also enrich test frameworks from discovery's framework detection
+        for (const f of artifacts.frameworks) {
+            const name = f.toLowerCase();
+            if (['jest', 'mocha', 'pytest', 'unittest', 'junit', 'testng', 'rspec', 'minitest'].includes(name)) {
+                addUnique(testFrameworks, name);
+            }
+            if (['cypress', 'playwright', 'cucumber', 'selenium'].includes(name)) {
+                addUnique(e2eFrameworks, name);
+            }
+        }
+        // 5. Detect CI platform
+        const ciPlatform = (0, ciDetector_1.detectCiPlatform)(context.projectRoot);
+        // 6. Populate the graph with dependency nodes
+        for (const dep of depResult.dependencies) {
+            const shortName = getShortDependencyName(dep);
+            const nodeId = `dep:${shortName}`;
+            // Skip if already added (avoid duplicates from different manifest files)
+            if (context.graph.hasNode(nodeId))
+                continue;
+            const node = {
+                id: nodeId,
+                type: 'dependency',
+                label: shortName,
+                sourceStage: 'sca',
+                metadata: {
+                    version: dep.version,
+                    scope: dep.scope,
+                    category: (0, dependencyClassification_1.classifyDependency)(shortName),
+                    sourceFile: dep.sourceFile,
+                    fullName: dep.name,
+                },
+            };
+            context.graph.addNode(node);
+        }
+        // Add file-level nodes for each manifest
+        for (const manifest of depResult.manifestFiles) {
+            const fileNodeId = `file:${manifest}`;
+            if (!context.graph.hasNode(fileNodeId)) {
+                const fileNode = {
+                    id: fileNodeId,
+                    type: 'file',
+                    label: manifest,
+                    sourceStage: 'sca',
+                    filePath: manifest,
+                    metadata: { fileType: 'manifest' },
+                };
+                context.graph.addNode(fileNode);
+            }
+            // Add depends-on edges from manifest to each dependency declared in it
+            for (const dep of depResult.dependencies) {
+                if (dep.sourceFile !== manifest)
+                    continue;
+                const shortName = getShortDependencyName(dep);
+                const depNodeId = `dep:${shortName}`;
+                const edgeId = `${fileNodeId}->depends-on->${depNodeId}`;
+                if (!context.graph.hasEdge(edgeId)) {
+                    const edge = {
+                        id: edgeId,
+                        type: 'depends-on',
+                        sourceNodeId: fileNodeId,
+                        targetNodeId: depNodeId,
+                        sourceStage: 'sca',
+                        metadata: { scope: dep.scope },
+                    };
+                    context.graph.addEdge(edge);
+                }
+            }
+        }
+        // 7. Record diagnostics
+        const diagnostics = {
+            stageName: 'sca',
+            filesScanned,
+            filesSkipped,
+            durationMs: Date.now() - startTime,
+            metadata: {
+                totalDependencies: depResult.dependencies.length,
+                manifestFiles: depResult.manifestFiles,
+                ciPlatform,
+                discoveredLanguages: languages,
+                discoveredFrameworks: frameworks,
+            },
+        };
+        context.diagnostics.set('sca', diagnostics);
+        // 8. Build and return output
+        const output = {
+            languages,
+            frameworks,
+            httpClients,
+            testFrameworks,
+            assertionLibraries,
+            securityLibraries,
+            performanceTools,
+            mockingLibraries,
+            e2eFrameworks,
+            dependencyVersions,
+            ciPlatform,
+        };
+        context.stageOutputs.set('sca', output);
+        return output;
+    }
+}
+exports.ScaStage = ScaStage;
+/**
+ * Extract a short dependency name for classification and display.
+ * For Maven-style names (group:artifact), returns just the artifact.
+ * For npm scoped packages (@scope/name), returns the full scoped name.
+ */
+function getShortDependencyName(dep) {
+    const name = dep.name;
+    // Maven: "org.mockito:mockito-core" → "mockito-core"
+    if (name.includes(':')) {
+        const parts = name.split(':');
+        return parts[parts.length - 1];
+    }
+    return name;
+}
+function addUnique(arr, item) {
+    if (!arr.includes(item)) {
+        arr.push(item);
+    }
+}
+function mergeStrings(a, b) {
+    const set = new Set(a);
+    for (const item of b)
+        set.add(item);
+    return Array.from(set);
+}