circle-ir 3.1.1 → 3.3.0

package/dist/analysis/advisory-db.js

@@ -1,104 +0,0 @@
-/**
- * RustSec Advisory Database Integration
- *
- * Provides vulnerability data from the RustSec advisory database.
- * Advisory data is bundled at build time for offline/deterministic usage.
- */
-/**
- * Bundled advisory database (loaded lazily)
- */
-let bundledDb = null;
-/**
- * Load the bundled advisory database
- */
-export function loadBundledAdvisories() {
-    if (bundledDb) {
-        return bundledDb;
-    }
-    // Try to load bundled advisories
-    try {
-        // eslint-disable-next-line @typescript-eslint/no-require-imports
-        const json = require('../../advisory-db.json');
-        bundledDb = parseAdvisoryJson(json);
-        return bundledDb;
-    }
-    catch {
-        // Return empty database if bundled data not available
-        return {
-            advisories: new Map(),
-            lastUpdated: new Date().toISOString(),
-            source: 'bundled',
-            version: '1.0',
-            stats: { totalAdvisories: 0, uniqueCrates: 0 },
-        };
-    }
-}
-/**
- * Parse advisory JSON into database structure
- */
-export function parseAdvisoryJson(json) {
-    const advisories = new Map();
-    for (const advisory of json.advisories) {
-        const existing = advisories.get(advisory.package) || [];
-        existing.push(advisory);
-        advisories.set(advisory.package, existing);
-    }
-    return {
-        advisories,
-        lastUpdated: json.lastUpdated,
-        source: 'bundled',
-        version: json.version,
-        stats: {
-            totalAdvisories: json.advisories.length,
-            uniqueCrates: advisories.size,
-        },
-    };
-}
-/**
- * Map RustSec categories to severity levels
- */
-export function categoryToSeverity(categories) {
-    const categorySet = new Set(categories);
-    // Critical: code execution, privilege escalation
-    if (categorySet.has('code-execution') ||
-        categorySet.has('privilege-escalation')) {
-        return 'critical';
-    }
-    // High: memory safety, denial of service
-    if (categorySet.has('memory-safety') || categorySet.has('denial-of-service')) {
-        return 'high';
-    }
-    // Medium: crypto issues, information disclosure
-    if (categorySet.has('crypto-failure') ||
-        categorySet.has('information-disclosure')) {
-        return 'medium';
-    }
-    // Default to medium for unknown categories
-    return 'medium';
-}
-/**
- * Get advisories for a specific crate
- */
-export function getAdvisoriesForCrate(db, crateName) {
-    return db.advisories.get(crateName) || [];
-}
-/**
- * Search advisories by CVE ID
- */
-export function findAdvisoryByCve(db, cveId) {
-    for (const advisories of db.advisories.values()) {
-        for (const advisory of advisories) {
-            if (advisory.aliases.includes(cveId)) {
-                return advisory;
-            }
-        }
-    }
-    return undefined;
-}
-/**
- * Get all unique crate names with advisories
- */
-export function getVulnerableCrates(db) {
-    return Array.from(db.advisories.keys());
-}
-//# sourceMappingURL=advisory-db.js.map

package/dist/analysis/advisory-db.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"advisory-db.js","sourceRoot":"","sources":["../../src/analysis/advisory-db.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAyDH;;GAEG;AACH,IAAI,SAAS,GAA4B,IAAI,CAAC;AAE9C;;GAEG;AACH,MAAM,UAAU,qBAAqB;IACnC,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,iCAAiC;IACjC,IAAI,CAAC;QACH,iEAAiE;QACjE,MAAM,IAAI,GAAG,OAAO,CAAC,wBAAwB,CAAC,CAAC;QAC/C,SAAS,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;QACpC,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,sDAAsD;QACtD,OAAO;YACL,UAAU,EAAE,IAAI,GAAG,EAAE;YACrB,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACrC,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,EAAE,eAAe,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE;SAC/C,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,IAIjC;IACC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAmC,CAAC;IAE9D,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;QACvC,MAAM,QAAQ,GAAG,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACxD,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACxB,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC7C,CAAC;IAED,OAAO;QACL,UAAU;QACV,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,MAAM,EAAE,SAAS;QACjB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,KAAK,EAAE;YACL,eAAe,EAAE,IAAI,CAAC,UAAU,CAAC,MAAM;YACvC,YAAY,EAAE,UAAU,CAAC,IAAI;SAC9B;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,UAAoB;IACrD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IAExC,iDAAiD;IACjD,IACE,WAAW,CAAC,GAAG,CAAC,gBAAgB,CAAC;QACjC,WAAW,CAAC,GAAG,CAAC,sBAAsB,CAAC,EACvC,CAAC;QACD,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,yCAAyC;IACzC,IAAI,WAAW,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,WAAW,CAAC,GAAG,CAAC,mBAAmB,CAAC,EAAE,CAAC;QAC7E,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,gDAAgD;IAChD,IACE,WAAW,CAAC,GAAG,CAAC,gBAAgB,CAAC;QACjC,WAAW,CAAC,GAAG,CAAC,wBAAwB,CAAC,EACzC,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,2CAA2C;IAC3C,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,EAAoB,EACpB,SAAiB;IAEjB,OAAO,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,EAAoB,EACpB,KAAa;IAEb,KAAK,MAAM,UAAU,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,EAAE,EAAE,CAAC;QAChD,KAAK,MAAM,QAAQ,IAAI,UAAU,EAAE,CAAC;YAClC,IAAI,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBACrC,OAAO,QAAQ,CAAC;YAClB,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,EAAoB;IACtD,OAAO,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;AAC1C,CAAC"}

package/dist/analysis/cargo-parser.d.ts

@@ -1,42 +0,0 @@
-/**
- * Cargo.lock parser for extracting crate dependencies and versions
- */
-export interface CargoLockDependency {
-    name: string;
-    version: string;
-    source?: string;
-    checksum?: string;
-}
-export interface CargoLock {
-    version: number;
-    dependencies: CargoLockDependency[];
-}
-/**
- * Parse Cargo.lock TOML file content
- */
-export declare function parseCargoLock(content: string): CargoLock;
-/**
- * Parse Cargo.toml to extract direct dependencies
- */
-export interface CargoTomlDependency {
-    name: string;
-    version?: string;
-    path?: string;
-    git?: string;
-    features?: string[];
-}
-export interface CargoToml {
-    name?: string;
-    version?: string;
-    dependencies: CargoTomlDependency[];
-    devDependencies: CargoTomlDependency[];
-}
-/**
- * Parse Cargo.toml file content
- */
-export declare function parseCargoToml(content: string): CargoToml;
-/**
- * Filter dependencies to only include registry-sourced crates
- * (excludes path and git dependencies which can't be vulnerability-checked)
- */
-export declare function filterRegistryDeps(deps: CargoLockDependency[]): CargoLockDependency[];

package/dist/analysis/cargo-parser.js

@@ -1,102 +0,0 @@
-/**
- * Cargo.lock parser for extracting crate dependencies and versions
- */
-/**
- * Parse Cargo.lock TOML file content
- */
-export function parseCargoLock(content) {
-    const dependencies = [];
-    // Extract version from the file
-    const versionMatch = content.match(/^version\s*=\s*(\d+)/m);
-    const version = versionMatch ? parseInt(versionMatch[1], 10) : 3;
-    // Parse [[package]] sections
-    // Format:
-    // [[package]]
-    // name = "crate-name"
-    // version = "1.0.0"
-    // source = "registry+..."
-    // checksum = "abc123..."
-    const packagePattern = /\[\[package\]\]\s*\n((?:(?!^\[\[|\[package\]).*\n?)*)/gm;
-    let match;
-    while ((match = packagePattern.exec(content)) !== null) {
-        const block = match[1];
-        const nameMatch = block.match(/^name\s*=\s*"([^"]+)"/m);
-        const versionMatch = block.match(/^version\s*=\s*"([^"]+)"/m);
-        const sourceMatch = block.match(/^source\s*=\s*"([^"]+)"/m);
-        const checksumMatch = block.match(/^checksum\s*=\s*"([^"]+)"/m);
-        if (nameMatch && versionMatch) {
-            dependencies.push({
-                name: nameMatch[1],
-                version: versionMatch[1],
-                source: sourceMatch?.[1],
-                checksum: checksumMatch?.[1],
-            });
-        }
-    }
-    return { version, dependencies };
-}
-/**
- * Parse Cargo.toml file content
- */
-export function parseCargoToml(content) {
-    const dependencies = [];
-    const devDependencies = [];
-    // Extract package name and version
-    const nameMatch = content.match(/^\[package\][^[]*name\s*=\s*"([^"]+)"/ms);
-    const versionMatch = content.match(/^\[package\][^[]*version\s*=\s*"([^"]+)"/ms);
-    // Parse [dependencies] section
-    const depsMatch = content.match(/\[dependencies\]\s*\n((?:(?!\[(?!dependencies\.))[^\n]*\n?)*)/m);
-    if (depsMatch) {
-        parseDependencySection(depsMatch[1], dependencies);
-    }
-    // Parse [dev-dependencies] section
-    const devDepsMatch = content.match(/\[dev-dependencies\]\s*\n((?:(?!\[(?!dev-dependencies\.))[^\n]*\n?)*)/m);
-    if (devDepsMatch) {
-        parseDependencySection(devDepsMatch[1], devDependencies);
-    }
-    return {
-        name: nameMatch?.[1],
-        version: versionMatch?.[1],
-        dependencies,
-        devDependencies,
-    };
-}
-function parseDependencySection(section, deps) {
-    // Simple dependency: crate = "1.0"
-    const simplePattern = /^(\w[\w-]*)\s*=\s*"([^"]+)"/gm;
-    let match;
-    while ((match = simplePattern.exec(section)) !== null) {
-        deps.push({
-            name: match[1],
-            version: match[2],
-        });
-    }
-    // Complex dependency: crate = { version = "1.0", features = [...] }
-    const complexPattern = /^(\w[\w-]*)\s*=\s*\{([^}]+)\}/gm;
-    while ((match = complexPattern.exec(section)) !== null) {
-        const name = match[1];
-        const attrs = match[2];
-        const versionMatch = attrs.match(/version\s*=\s*"([^"]+)"/);
-        const pathMatch = attrs.match(/path\s*=\s*"([^"]+)"/);
-        const gitMatch = attrs.match(/git\s*=\s*"([^"]+)"/);
-        deps.push({
-            name,
-            version: versionMatch?.[1],
-            path: pathMatch?.[1],
-            git: gitMatch?.[1],
-        });
-    }
-}
-/**
- * Filter dependencies to only include registry-sourced crates
- * (excludes path and git dependencies which can't be vulnerability-checked)
- */
-export function filterRegistryDeps(deps) {
-    return deps.filter((dep) => {
-        // Include if no source (defaults to registry) or explicitly from registry
-        if (!dep.source)
-            return true;
-        return dep.source.startsWith('registry+');
-    });
-}
-//# sourceMappingURL=cargo-parser.js.map

package/dist/analysis/cargo-parser.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"cargo-parser.js","sourceRoot":"","sources":["../../src/analysis/cargo-parser.ts"],"names":[],"mappings":"AAAA;;GAEG;AAcH;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,MAAM,YAAY,GAA0B,EAAE,CAAC;IAE/C,gCAAgC;IAChC,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC5D,MAAM,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAEjE,6BAA6B;IAC7B,UAAU;IACV,cAAc;IACd,sBAAsB;IACtB,oBAAoB;IACpB,0BAA0B;IAC1B,yBAAyB;IAEzB,MAAM,cAAc,GAClB,yDAAyD,CAAC;IAC5D,IAAI,KAAK,CAAC;IAEV,OAAO,CAAC,KAAK,GAAG,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACvD,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEvB,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;QACxD,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC9D,MAAM,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC;QAC5D,MAAM,aAAa,GAAG,KAAK,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAEhE,IAAI,SAAS,IAAI,YAAY,EAAE,CAAC;YAC9B,YAAY,CAAC,IAAI,CAAC;gBAChB,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC;gBAClB,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC;gBACxB,MAAM,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC;gBACxB,QAAQ,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC;aAC7B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,YAAY,EAAE,CAAC;AACnC,CAAC;AAoBD;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,OAAe;IAC5C,MAAM,YAAY,GAA0B,EAAE,CAAC;IAC/C,MAAM,eAAe,GAA0B,EAAE,CAAC;IAElD,mCAAmC;IACnC,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC3E,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAChC,4CAA4C,CAC7C,CAAC;IAEF,+BAA+B;IAC/B,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAC7B,gEAAgE,CACjE,CAAC;IACF,IAAI,SAAS,EAAE,CAAC;QACd,sBAAsB,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IACrD,CAAC;IAED,mCAAmC;IACnC,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAChC,wEAAwE,CACzE,CAAC;IACF,IAAI,YAAY,EAAE,CAAC;QACjB,sBAAsB,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,eAAe,CAAC,CAAC;IAC3D,CAAC;IAED,OAAO;QACL,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;QACpB,OAAO,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC;QAC1B,YAAY;QACZ,eAAe;KAChB,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAC7B,OAAe,EACf,IAA2B;IAE3B,mCAAmC;IACnC,MAAM,aAAa,GAAG,+BAA+B,CAAC;IACtD,IAAI,KAAK,CAAC;IAEV,OAAO,CAAC,KAAK,GAAG,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACtD,IAAI,CAAC,IAAI,CAAC;YACR,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;YACd,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;SAClB,CAAC,CAAC;IACL,CAAC;IAED,oEAAoE;IACpE,MAAM,cAAc,GAClB,iCAAiC,CAAC;IAEpC,OAAO,CAAC,KAAK,GAAG,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACvD,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEvB,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;QAC5D,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC;QACtD,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAEpD,IAAI,CAAC,IAAI,CAAC;YACR,IAAI;YACJ,OAAO,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC;YAC1B,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC;YACpB,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;SACnB,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAChC,IAA2B;IAE3B,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE;QACzB,0EAA0E;QAC1E,IAAI,CAAC,GAAG,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAC7B,OAAO,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/analysis/dependency-scanner.d.ts

@@ -1,79 +0,0 @@
-/**
- * Dependency vulnerability scanner for Rust projects
- *
- * Scans Cargo.lock files for known vulnerable crate versions
- * using the RustSec Advisory Database.
- */
-import type { Severity } from '../types/index.js';
-import type { AdvisoryVulnerability, AdvisoryDatabase } from './advisory-db.js';
-/**
- * A finding for a vulnerable dependency
- */
-export interface DependencyFinding {
-    type: 'vulnerable_dependency';
-    /** Crate name */
-    crate: string;
-    /** Installed version */
-    version: string;
-    /** Matching advisories */
-    vulnerabilities: AdvisoryVulnerability[];
-    /** Source file (Cargo.lock) */
-    source: string;
-    /** Location information */
-    location: {
-        file: string;
-        line?: number;
-    };
-    /** Severity level */
-    severity: Severity;
-    /** CWE IDs from advisories */
-    cwes: string[];
-    /** CVE IDs from advisories */
-    cves: string[];
-}
-/**
- * Options for dependency scanning
- */
-export interface ScanOptions {
-    /** Path to Cargo.lock file */
-    cargoLockPath?: string;
-    /** Cargo.lock content (if already loaded) */
-    cargoLockContent?: string;
-    /** Custom advisory database (defaults to bundled) */
-    advisoryDb?: AdvisoryDatabase;
-    /** Include dev dependencies */
-    includeDevDeps?: boolean;
-}
-/**
- * Scan result
- */
-export interface ScanResult {
-    /** List of vulnerable dependencies */
-    findings: DependencyFinding[];
-    /** Total dependencies scanned */
-    totalDependencies: number;
-    /** Number of vulnerable dependencies */
-    vulnerableCount: number;
-    /** Advisory database info */
-    advisoryDbInfo: {
-        source: string;
-        lastUpdated: string;
-        totalAdvisories: number;
-    };
-}
-/**
- * Check if a specific crate version is vulnerable
- */
-export declare function checkCrateVulnerability(crateName: string, version: string, db: AdvisoryDatabase): AdvisoryVulnerability[];
-/**
- * Scan Cargo.lock content for vulnerable dependencies
- */
-export declare function scanCargoLock(content: string, options?: ScanOptions): ScanResult;
-/**
- * Format a dependency finding as a human-readable string
- */
-export declare function formatFinding(finding: DependencyFinding): string;
-/**
- * Format scan result as a human-readable report
- */
-export declare function formatScanReport(result: ScanResult): string;

package/dist/analysis/dependency-scanner.js

@@ -1,122 +0,0 @@
-/**
- * Dependency vulnerability scanner for Rust projects
- *
- * Scans Cargo.lock files for known vulnerable crate versions
- * using the RustSec Advisory Database.
- */
-import { loadBundledAdvisories, getAdvisoriesForCrate, categoryToSeverity, } from './advisory-db.js';
-import { parseCargoLock, filterRegistryDeps } from './cargo-parser.js';
-import { isVersionVulnerable } from './semver.js';
-/**
- * Check if a specific crate version is vulnerable
- */
-export function checkCrateVulnerability(crateName, version, db) {
-    const advisories = getAdvisoriesForCrate(db, crateName);
-    return advisories.filter((advisory) => {
-        return isVersionVulnerable(version, advisory.versions.patched, advisory.versions.unaffected);
-    });
-}
-/**
- * Scan Cargo.lock content for vulnerable dependencies
- */
-export function scanCargoLock(content, options = {}) {
-    const db = options.advisoryDb || loadBundledAdvisories();
-    const cargoLock = parseCargoLock(content);
-    const deps = filterRegistryDeps(cargoLock.dependencies);
-    const findings = [];
-    for (const dep of deps) {
-        const vulnerableAdvisories = checkCrateVulnerability(dep.name, dep.version, db);
-        if (vulnerableAdvisories.length > 0) {
-            // Extract CWEs and CVEs from advisories
-            const cwes = [];
-            const cves = [];
-            for (const advisory of vulnerableAdvisories) {
-                for (const alias of advisory.aliases) {
-                    if (alias.startsWith('CVE-')) {
-                        cves.push(alias);
-                    }
-                    else if (alias.startsWith('CWE-')) {
-                        cwes.push(alias);
-                    }
-                }
-            }
-            // Calculate severity from all advisories
-            const allCategories = vulnerableAdvisories.flatMap((a) => a.categories);
-            const severity = categoryToSeverity(allCategories);
-            findings.push({
-                type: 'vulnerable_dependency',
-                crate: dep.name,
-                version: dep.version,
-                vulnerabilities: vulnerableAdvisories,
-                source: 'Cargo.lock',
-                location: {
-                    file: options.cargoLockPath || 'Cargo.lock',
-                },
-                severity,
-                cwes: [...new Set(cwes)],
-                cves: [...new Set(cves)],
-            });
-        }
-    }
-    // Sort findings by severity
-    const severityOrder = {
-        critical: 0,
-        high: 1,
-        medium: 2,
-        low: 3,
-    };
-    findings.sort((a, b) => severityOrder[a.severity] - severityOrder[b.severity]);
-    return {
-        findings,
-        totalDependencies: deps.length,
-        vulnerableCount: findings.length,
-        advisoryDbInfo: {
-            source: db.source,
-            lastUpdated: db.lastUpdated,
-            totalAdvisories: db.stats?.totalAdvisories || 0,
-        },
-    };
-}
-/**
- * Format a dependency finding as a human-readable string
- */
-export function formatFinding(finding) {
-    const lines = [];
-    lines.push(`${finding.crate}@${finding.version} [${finding.severity.toUpperCase()}]`);
-    for (const vuln of finding.vulnerabilities) {
-        lines.push(`  ${vuln.id}: ${vuln.title || vuln.description.slice(0, 80)}`);
-        if (vuln.aliases.length > 0) {
-            lines.push(`    Aliases: ${vuln.aliases.join(', ')}`);
-        }
-        if (vuln.versions.patched && vuln.versions.patched.length > 0) {
-            lines.push(`    Patched: ${vuln.versions.patched.join(', ')}`);
-        }
-        lines.push(`    URL: ${vuln.url}`);
-    }
-    return lines.join('\n');
-}
-/**
- * Format scan result as a human-readable report
- */
-export function formatScanReport(result) {
-    const lines = [];
-    lines.push('=== RUST DEPENDENCY VULNERABILITY SCAN ===');
-    lines.push('');
-    lines.push(`Dependencies scanned: ${result.totalDependencies}`);
-    lines.push(`Vulnerable packages: ${result.vulnerableCount}`);
-    lines.push(`Advisory DB: ${result.advisoryDbInfo.source} (${result.advisoryDbInfo.lastUpdated})`);
-    lines.push('');
-    if (result.findings.length === 0) {
-        lines.push('No known vulnerabilities found.');
-    }
-    else {
-        lines.push('VULNERABLE DEPENDENCIES:');
-        lines.push('');
-        for (const finding of result.findings) {
-            lines.push(formatFinding(finding));
-            lines.push('');
-        }
-    }
-    return lines.join('\n');
-}
-//# sourceMappingURL=dependency-scanner.js.map

package/dist/analysis/dependency-scanner.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"dependency-scanner.js","sourceRoot":"","sources":["../../src/analysis/dependency-scanner.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EACL,qBAAqB,EACrB,qBAAqB,EACrB,kBAAkB,GACnB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAA4B,MAAM,mBAAmB,CAAC;AACjG,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AA4DlD;;GAEG;AACH,MAAM,UAAU,uBAAuB,CACrC,SAAiB,EACjB,OAAe,EACf,EAAoB;IAEpB,MAAM,UAAU,GAAG,qBAAqB,CAAC,EAAE,EAAE,SAAS,CAAC,CAAC;IAExD,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC,QAAQ,EAAE,EAAE;QACpC,OAAO,mBAAmB,CACxB,OAAO,EACP,QAAQ,CAAC,QAAQ,CAAC,OAAO,EACzB,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAC7B,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAC3B,OAAe,EACf,UAAuB,EAAE;IAEzB,MAAM,EAAE,GAAG,OAAO,CAAC,UAAU,IAAI,qBAAqB,EAAE,CAAC;IACzD,MAAM,SAAS,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,kBAAkB,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;IAExD,MAAM,QAAQ,GAAwB,EAAE,CAAC;IAEzC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,oBAAoB,GAAG,uBAAuB,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAEhF,IAAI,oBAAoB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpC,wCAAwC;YACxC,MAAM,IAAI,GAAa,EAAE,CAAC;YAC1B,MAAM,IAAI,GAAa,EAAE,CAAC;YAE1B,KAAK,MAAM,QAAQ,IAAI,oBAAoB,EAAE,CAAC;gBAC5C,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;oBACrC,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;wBAC7B,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;oBACnB,CAAC;yBAAM,IAAI,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;wBACpC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;oBACnB,CAAC;gBACH,CAAC;YACH,CAAC;YAED,yCAAyC;YACzC,MAAM,aAAa,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;YACxE,MAAM,QAAQ,GAAG,kBAAkB,CAAC,aAAa,CAAC,CAAC;YAEnD,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,uBAAuB;gBAC7B,KAAK,EAAE,GAAG,CAAC,IAAI;gBACf,OAAO,EAAE,GAAG,CAAC,OAAO;gBACpB,eAAe,EAAE,oBAAoB;gBACrC,MAAM,EAAE,YAAY;gBACpB,QAAQ,EAAE;oBACR,IAAI,EAAE,OAAO,CAAC,aAAa,IAAI,YAAY;iBAC5C;gBACD,QAAQ;gBACR,IAAI,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC;gBACxB,IAAI,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC;aACzB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,4BAA4B;IAC5B,MAAM,aAAa,GAA6B;QAC9C,QAAQ,EAAE,CAAC;QACX,IAAI,EAAE,CAAC;QACP,MAAM,EAAE,CAAC;QACT,GAAG,EAAE,CAAC;KACP,CAAC;IAEF,QAAQ,CAAC,IAAI,CACX,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAChE,CAAC;IAEF,OAAO;QACL,QAAQ;QACR,iBAAiB,EAAE,IAAI,CAAC,MAAM;QAC9B,eAAe,EAAE,QAAQ,CAAC,MAAM;QAChC,cAAc,EAAE;YACd,MAAM,EAAE,EAAE,CAAC,MAAM;YACjB,WAAW,EAAE,EAAE,CAAC,WAAW;YAC3B,eAAe,EAAE,EAAE,CAAC,KAAK,EAAE,eAAe,IAAI,CAAC;SAChD;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,OAA0B;IACtD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;IAEtF,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;QAC3C,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC,EAAE,KAAK,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;QAC3E,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5B,KAAK,CAAC,IAAI,CAAC,gBAAgB,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACxD,CAAC;QACD,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC9D,KAAK,CAAC,IAAI,CAAC,gBAAgB,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjE,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IACrC,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAkB;IACjD,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;IACzD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,yBAAyB,MAAM,CAAC,iBAAiB,EAAE,CAAC,CAAC;IAChE,KAAK,CAAC,IAAI,CAAC,wBAAwB,MAAM,CAAC,eAAe,EAAE,CAAC,CAAC;IAC7D,KAAK,CAAC,IAAI,CAAC,gBAAgB,MAAM,CAAC,cAAc,CAAC,MAAM,KAAK,MAAM,CAAC,cAAc,CAAC,WAAW,GAAG,CAAC,CAAC;IAClG,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;IAChD,CAAC;SAAM,CAAC;QACN,KAAK,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QACvC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEf,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACtC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC;YACnC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}