cryptoserve 0.1.3 → 0.2.0

package/lib/scanner-languages.mjs

@@ -0,0 +1,242 @@
+/**
+ * Multi-language crypto pattern detection.
+ *
+ * Detects crypto usage in Go, Python, Java/Kotlin, Rust, and C/C++ source files.
+ * Ported from backend/app/core/code_scanner.py LIBRARY_PATTERNS.
+ * Zero dependencies.
+ */
+
+import { extname } from 'node:path';
+
+// ---------------------------------------------------------------------------
+// Per-language regex patterns
+// ---------------------------------------------------------------------------
+
+export const LANGUAGE_PATTERNS = {
+  go: {
+    extensions: ['.go'],
+    patterns: [
+      { regex: /aes\.NewCipher/g, algorithm: 'aes', category: 'encryption' },
+      { regex: /des\.NewCipher/g, algorithm: 'des', category: 'encryption' },
+      { regex: /des\.NewTripleDESCipher/g, algorithm: '3des', category: 'encryption' },
+      { regex: /sha256\.New\(\)|sha256\.Sum256/g, algorithm: 'sha256', category: 'hashing' },
+      { regex: /sha512\.New\(\)|sha512\.Sum512/g, algorithm: 'sha512', category: 'hashing' },
+      { regex: /sha1\.New\(\)|sha1\.Sum/g, algorithm: 'sha1', category: 'hashing' },
+      { regex: /md5\.New\(\)|md5\.Sum/g, algorithm: 'md5', category: 'hashing' },
+      { regex: /rsa\.GenerateKey|rsa\.EncryptOAEP|rsa\.SignPKCS1v15|rsa\.EncryptPKCS1v15/g, algorithm: 'rsa', category: 'encryption' },
+      { regex: /ecdsa\.GenerateKey|ecdsa\.Sign|ecdsa\.Verify/g, algorithm: 'ecdsa', category: 'signing' },
+      { regex: /ed25519\.GenerateKey|ed25519\.Sign|ed25519\.Verify/g, algorithm: 'ed25519', category: 'signing' },
+      { regex: /chacha20poly1305\.New/g, algorithm: 'chacha20-poly1305', category: 'encryption' },
+      { regex: /argon2\.IDKey|argon2\.Key/g, algorithm: 'argon2id', category: 'kdf' },
+      { regex: /bcrypt\.GenerateFromPassword|bcrypt\.CompareHashAndPassword/g, algorithm: 'bcrypt', category: 'kdf' },
+      { regex: /scrypt\.Key/g, algorithm: 'scrypt', category: 'kdf' },
+      { regex: /pbkdf2\.Key/g, algorithm: 'pbkdf2', category: 'kdf' },
+      { regex: /curve25519\.X25519|ecdh\.P256\(\)|ecdh\.X25519\(\)/g, algorithm: 'x25519', category: 'key_exchange' },
+      { regex: /hmac\.New/g, algorithm: 'hmac', category: 'mac' },
+      { regex: /hkdf\.New|hkdf\.Expand/g, algorithm: 'hkdf', category: 'kdf' },
+      { regex: /tls\.Config\{|tls\.Listen|tls\.Dial/g, algorithm: 'tls', category: 'protocol' },
+      { regex: /circl\/.*kyber|circl\/.*dilithium/g, algorithm: 'kyber', category: 'key_exchange' },
+    ],
+    importPatterns: [
+      { regex: /["']crypto\/aes["']/g, library: 'crypto/aes' },
+      { regex: /["']crypto\/des["']/g, library: 'crypto/des' },
+      { regex: /["']crypto\/rsa["']/g, library: 'crypto/rsa' },
+      { regex: /["']crypto\/ecdsa["']/g, library: 'crypto/ecdsa' },
+      { regex: /["']crypto\/ed25519["']/g, library: 'crypto/ed25519' },
+      { regex: /["']crypto\/sha256["']/g, library: 'crypto/sha256' },
+      { regex: /["']crypto\/sha512["']/g, library: 'crypto/sha512' },
+      { regex: /["']crypto\/sha1["']/g, library: 'crypto/sha1' },
+      { regex: /["']crypto\/md5["']/g, library: 'crypto/md5' },
+      { regex: /["']crypto\/hmac["']/g, library: 'crypto/hmac' },
+      { regex: /["']crypto\/tls["']/g, library: 'crypto/tls' },
+      { regex: /["']crypto\/ecdh["']/g, library: 'crypto/ecdh' },
+      { regex: /["']golang\.org\/x\/crypto/g, library: 'golang.org/x/crypto' },
+      { regex: /["']github\.com\/cloudflare\/circl/g, library: 'circl' },
+    ],
+  },
+  python: {
+    extensions: ['.py'],
+    patterns: [
+      { regex: /hashlib\.sha256|hashlib\.new\s*\(\s*['"]sha256/g, algorithm: 'sha256', category: 'hashing' },
+      { regex: /hashlib\.sha384|hashlib\.new\s*\(\s*['"]sha384/g, algorithm: 'sha384', category: 'hashing' },
+      { regex: /hashlib\.sha512|hashlib\.new\s*\(\s*['"]sha512/g, algorithm: 'sha512', category: 'hashing' },
+      { regex: /hashlib\.md5|hashlib\.new\s*\(\s*['"]md5/g, algorithm: 'md5', category: 'hashing' },
+      { regex: /hashlib\.sha1|hashlib\.new\s*\(\s*['"]sha1/g, algorithm: 'sha1', category: 'hashing' },
+      { regex: /hashlib\.sha3_256|hashlib\.new\s*\(\s*['"]sha3_256/g, algorithm: 'sha3-256', category: 'hashing' },
+      { regex: /hashlib\.blake2b/g, algorithm: 'blake2b', category: 'hashing' },
+      { regex: /from\s+Crypto\.Cipher\s+import\s+AES|AES\.new/g, algorithm: 'aes', category: 'encryption' },
+      { regex: /from\s+Crypto\.Cipher\s+import\s+DES\b|DES\.new/g, algorithm: 'des', category: 'encryption' },
+      { regex: /from\s+Crypto\.Cipher\s+import\s+DES3|DES3\.new/g, algorithm: '3des', category: 'encryption' },
+      { regex: /RSA\.generate|PKCS1_OAEP|RSA\.import_key/g, algorithm: 'rsa', category: 'encryption' },
+      { regex: /from\s+cryptography.*import.*Fernet/g, algorithm: 'aes-128-cbc', category: 'encryption' },
+      { regex: /AESGCM|algorithms\.AES/g, algorithm: 'aes-gcm', category: 'encryption' },
+      { regex: /Ed25519PrivateKey|Ed25519PublicKey/g, algorithm: 'ed25519', category: 'signing' },
+      { regex: /X25519PrivateKey|X25519PublicKey/g, algorithm: 'x25519', category: 'key_exchange' },
+      { regex: /ECDSA|ec\.SECP256R1|ec\.SECP384R1/g, algorithm: 'ecdsa', category: 'signing' },
+      { regex: /bcrypt\.hashpw|bcrypt\.gensalt/g, algorithm: 'bcrypt', category: 'kdf' },
+      { regex: /argon2\.PasswordHasher|argon2\.hash_password/g, algorithm: 'argon2', category: 'kdf' },
+      { regex: /PBKDF2HMAC/g, algorithm: 'pbkdf2', category: 'kdf' },
+      { regex: /Scrypt/g, algorithm: 'scrypt', category: 'kdf' },
+      { regex: /ChaCha20Poly1305/g, algorithm: 'chacha20-poly1305', category: 'encryption' },
+      { regex: /from\s+hmac\s+import|hmac\.new/g, algorithm: 'hmac', category: 'mac' },
+    ],
+    importPatterns: [
+      { regex: /import\s+hashlib/g, library: 'hashlib' },
+      { regex: /from\s+Crypto\b/g, library: 'pycryptodome' },
+      { regex: /from\s+cryptography\b/g, library: 'cryptography' },
+      { regex: /import\s+bcrypt/g, library: 'bcrypt' },
+      { regex: /import\s+argon2/g, library: 'argon2-cffi' },
+      { regex: /from\s+nacl\b|import\s+nacl/g, library: 'pynacl' },
+      { regex: /import\s+jwt\b|from\s+jwt\b/g, library: 'pyjwt' },
+    ],
+  },
+  java: {
+    extensions: ['.java', '.kt', '.scala'],
+    patterns: [
+      { regex: /Cipher\.getInstance\s*\(\s*["']AES/g, algorithm: 'aes', category: 'encryption' },
+      { regex: /Cipher\.getInstance\s*\(\s*["']DES\b/g, algorithm: 'des', category: 'encryption' },
+      { regex: /Cipher\.getInstance\s*\(\s*["']DESede/g, algorithm: '3des', category: 'encryption' },
+      { regex: /Cipher\.getInstance\s*\(\s*["']RSA/g, algorithm: 'rsa', category: 'encryption' },
+      { regex: /Cipher\.getInstance\s*\(\s*["']ChaCha20/g, algorithm: 'chacha20-poly1305', category: 'encryption' },
+      { regex: /Cipher\.getInstance\s*\(\s*["']Blowfish/g, algorithm: 'blowfish', category: 'encryption' },
+      { regex: /Cipher\.getInstance\s*\(\s*["']RC4/g, algorithm: 'rc4', category: 'encryption' },
+      { regex: /MessageDigest\.getInstance\s*\(\s*["']SHA-256/g, algorithm: 'sha256', category: 'hashing' },
+      { regex: /MessageDigest\.getInstance\s*\(\s*["']SHA-384/g, algorithm: 'sha384', category: 'hashing' },
+      { regex: /MessageDigest\.getInstance\s*\(\s*["']SHA-512/g, algorithm: 'sha512', category: 'hashing' },
+      { regex: /MessageDigest\.getInstance\s*\(\s*["']SHA-1/g, algorithm: 'sha1', category: 'hashing' },
+      { regex: /MessageDigest\.getInstance\s*\(\s*["']MD5/g, algorithm: 'md5', category: 'hashing' },
+      { regex: /KeyPairGenerator\.getInstance\s*\(\s*["']RSA/g, algorithm: 'rsa', category: 'encryption' },
+      { regex: /KeyPairGenerator\.getInstance\s*\(\s*["']EC/g, algorithm: 'ecdsa', category: 'signing' },
+      { regex: /KeyPairGenerator\.getInstance\s*\(\s*["']DSA/g, algorithm: 'dsa', category: 'signing' },
+      { regex: /Signature\.getInstance\s*\(\s*["']SHA256withRSA/g, algorithm: 'rsa', category: 'signing' },
+      { regex: /Signature\.getInstance\s*\(\s*["']SHA256withECDSA/g, algorithm: 'ecdsa', category: 'signing' },
+      { regex: /SecretKeyFactory\.getInstance\s*\(\s*["']PBKDF2/g, algorithm: 'pbkdf2', category: 'kdf' },
+      { regex: /KeyAgreement\.getInstance\s*\(\s*["']ECDH/g, algorithm: 'ecdh', category: 'key_exchange' },
+      { regex: /KeyAgreement\.getInstance\s*\(\s*["']DH/g, algorithm: 'dh', category: 'key_exchange' },
+      { regex: /SSLContext\.getInstance\s*\(\s*["']TLS/g, algorithm: 'tls', category: 'protocol' },
+      { regex: /Mac\.getInstance\s*\(\s*["']HmacSHA/g, algorithm: 'hmac', category: 'mac' },
+    ],
+    importPatterns: [
+      { regex: /import\s+javax\.crypto/g, library: 'javax.crypto' },
+      { regex: /import\s+java\.security/g, library: 'java.security' },
+      { regex: /import\s+org\.bouncycastle/g, library: 'bouncycastle' },
+    ],
+  },
+  rust: {
+    extensions: ['.rs'],
+    patterns: [
+      { regex: /use\s+aes::|Aes256Gcm|Aes128Gcm|Aes256/g, algorithm: 'aes-gcm', category: 'encryption' },
+      { regex: /use\s+chacha20poly1305::|ChaCha20Poly1305/g, algorithm: 'chacha20-poly1305', category: 'encryption' },
+      { regex: /use\s+rsa::|RsaPrivateKey|RsaPublicKey/g, algorithm: 'rsa', category: 'encryption' },
+      { regex: /use\s+ed25519::|Ed25519/g, algorithm: 'ed25519', category: 'signing' },
+      { regex: /use\s+ed25519_dalek::/g, algorithm: 'ed25519', category: 'signing' },
+      { regex: /use\s+sha2::|Sha256::new|Sha512::new/g, algorithm: 'sha256', category: 'hashing' },
+      { regex: /use\s+sha1::|Sha1::new/g, algorithm: 'sha1', category: 'hashing' },
+      { regex: /use\s+md5::|Md5::new/g, algorithm: 'md5', category: 'hashing' },
+      { regex: /use\s+blake2::|Blake2b/g, algorithm: 'blake2b', category: 'hashing' },
+      { regex: /use\s+argon2::|Argon2/g, algorithm: 'argon2', category: 'kdf' },
+      { regex: /use\s+bcrypt::/g, algorithm: 'bcrypt', category: 'kdf' },
+      { regex: /use\s+scrypt::/g, algorithm: 'scrypt', category: 'kdf' },
+      { regex: /use\s+pbkdf2::/g, algorithm: 'pbkdf2', category: 'kdf' },
+      { regex: /use\s+x25519_dalek::|X25519/g, algorithm: 'x25519', category: 'key_exchange' },
+      { regex: /use\s+p256::|use\s+p384::/g, algorithm: 'ecdsa', category: 'signing' },
+      { regex: /use\s+ring::/g, algorithm: 'aes-gcm', category: 'encryption' },
+      { regex: /use\s+pqcrypto::|use\s+oqs::/g, algorithm: 'ml-kem', category: 'key_exchange' },
+      { regex: /use\s+hmac::|Hmac::new/g, algorithm: 'hmac', category: 'mac' },
+      { regex: /use\s+hkdf::/g, algorithm: 'hkdf', category: 'kdf' },
+    ],
+    importPatterns: [
+      { regex: /\[dependencies\][\s\S]*?(?:aes-gcm|aes)\s*=/g, library: 'aes-gcm' },
+      { regex: /\[dependencies\][\s\S]*?ring\s*=/g, library: 'ring' },
+      { regex: /\[dependencies\][\s\S]*?pqcrypto\s*=/g, library: 'pqcrypto' },
+    ],
+  },
+  c: {
+    extensions: ['.c', '.h', '.cpp', '.hpp', '.cc', '.cxx'],
+    patterns: [
+      { regex: /EVP_aes_256_gcm|EVP_aes_128_gcm|EVP_aes_256_cbc|AES_encrypt|AES_set_encrypt_key/g, algorithm: 'aes', category: 'encryption' },
+      { regex: /EVP_des_|DES_ecb_encrypt|DES_set_key/g, algorithm: 'des', category: 'encryption' },
+      { regex: /EVP_des_ede3|DES_ede3_cbc_encrypt/g, algorithm: '3des', category: 'encryption' },
+      { regex: /RSA_generate_key|EVP_PKEY_RSA|RSA_public_encrypt/g, algorithm: 'rsa', category: 'encryption' },
+      { regex: /EVP_sha256|SHA256_Init|SHA256_Update/g, algorithm: 'sha256', category: 'hashing' },
+      { regex: /EVP_sha1|SHA1_Init|SHA1_Update/g, algorithm: 'sha1', category: 'hashing' },
+      { regex: /EVP_md5|MD5_Init|MD5_Update/g, algorithm: 'md5', category: 'hashing' },
+      { regex: /EVP_sha512|SHA512_Init/g, algorithm: 'sha512', category: 'hashing' },
+      { regex: /EVP_sha3_256/g, algorithm: 'sha3-256', category: 'hashing' },
+      { regex: /EC_KEY_generate|ECDSA_sign|ECDSA_verify/g, algorithm: 'ecdsa', category: 'signing' },
+      { regex: /EVP_chacha20_poly1305/g, algorithm: 'chacha20-poly1305', category: 'encryption' },
+      { regex: /PKCS5_PBKDF2_HMAC/g, algorithm: 'pbkdf2', category: 'kdf' },
+      { regex: /EVP_PKEY_X25519/g, algorithm: 'x25519', category: 'key_exchange' },
+      { regex: /HMAC_Init|HMAC_Update|HMAC_CTX/g, algorithm: 'hmac', category: 'mac' },
+      { regex: /EVP_PKEY_EC|EC_GROUP_new/g, algorithm: 'ecdh', category: 'key_exchange' },
+      { regex: /EVP_bf_cbc|BF_encrypt/g, algorithm: 'blowfish', category: 'encryption' },
+      { regex: /EVP_rc4|RC4_set_key/g, algorithm: 'rc4', category: 'encryption' },
+      { regex: /SSL_CTX_new|TLS_method|SSLv23_method/g, algorithm: 'tls', category: 'protocol' },
+    ],
+    importPatterns: [
+      { regex: /#include\s*<openssl\/evp\.h>/g, library: 'openssl' },
+      { regex: /#include\s*<openssl\/aes\.h>/g, library: 'openssl' },
+      { regex: /#include\s*<openssl\/rsa\.h>/g, library: 'openssl' },
+      { regex: /#include\s*<openssl\/ssl\.h>/g, library: 'openssl' },
+      { regex: /#include\s*<sodium\.h>/g, library: 'libsodium' },
+      { regex: /#include\s*<oqs\/oqs\.h>/g, library: 'liboqs' },
+    ],
+  },
+};
+
+// ---------------------------------------------------------------------------
+// Extension → language mapping
+// ---------------------------------------------------------------------------
+
+const EXT_MAP = {};
+for (const [lang, def] of Object.entries(LANGUAGE_PATTERNS)) {
+  for (const ext of def.extensions) {
+    EXT_MAP[ext] = lang;
+  }
+}
+
+/**
+ * Detect programming language from file extension.
+ * Returns language key (go, python, java, rust, c) or null.
+ */
+export function detectLanguage(filePath) {
+  const ext = extname(filePath).toLowerCase();
+  return EXT_MAP[ext] || null;
+}
+
+/**
+ * Scan a source file for crypto patterns in the specified language.
+ * Returns { algorithms: [{ algorithm, category, line? }], imports: [{ library }] }.
+ */
+export function scanSourceFile(filePath, content, language) {
+  const langDef = LANGUAGE_PATTERNS[language];
+  if (!langDef) return { algorithms: [], imports: [] };
+
+  const algorithms = [];
+  const imports = [];
+  const seenAlgos = new Set();
+  const seenImports = new Set();
+
+  for (const { regex, algorithm, category } of langDef.patterns) {
+    regex.lastIndex = 0;
+    if (regex.test(content) && !seenAlgos.has(algorithm)) {
+      seenAlgos.add(algorithm);
+      algorithms.push({ algorithm, category });
+    }
+  }
+
+  for (const { regex, library } of langDef.importPatterns) {
+    regex.lastIndex = 0;
+    if (regex.test(content) && !seenImports.has(library)) {
+      seenImports.add(library);
+      imports.push({ library });
+    }
+  }
+
+  return { algorithms, imports };
+}
+
+/**
+ * All supported non-JS source extensions for the file walker.
+ */
+export const MULTI_LANG_EXTENSIONS = new Set(Object.values(LANGUAGE_PATTERNS).flatMap(l => l.extensions));

package/lib/scanner-manifests.mjs

@@ -0,0 +1,200 @@
+/**
+ * Multi-ecosystem manifest parser and crypto package detector.
+ *
+ * Parses go.mod, requirements.txt, pyproject.toml, Cargo.toml, pom.xml
+ * and identifies known crypto packages.
+ * Ported from backend/app/core/dependency_scanner.py.
+ * Zero dependencies.
+ */
+
+import { existsSync, readFileSync, readdirSync } from 'node:fs';
+import { join, basename } from 'node:path';
+import { CRYPTO_PACKAGES, lookupPackage } from './crypto-registry.mjs';
+
+// Re-export for backward compatibility
+export { CRYPTO_PACKAGES };
+
+// ---------------------------------------------------------------------------
+// Manifest parsers
+// ---------------------------------------------------------------------------
+
+/**
+ * Parse go.mod — extract module dependencies.
+ */
+export function parseGoMod(content) {
+  const deps = [];
+  // Match require block
+  const requireBlock = content.match(/require\s*\(([\s\S]*?)\)/);
+  const lines = requireBlock ? requireBlock[1].split('\n') : content.split('\n');
+
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('//') || trimmed === 'require') continue;
+    const match = trimmed.match(/^([a-zA-Z0-9.\/_-]+)\s+(v[\d.]+[a-zA-Z0-9._-]*)/);
+    if (match) {
+      deps.push({ name: match[1], version: match[2] });
+    }
+  }
+
+  // Also match single-line require directives
+  const singleReqs = content.matchAll(/^require\s+([a-zA-Z0-9.\/_-]+)\s+(v[\d.]+[a-zA-Z0-9._-]*)/gm);
+  for (const m of singleReqs) {
+    if (!deps.some(d => d.name === m[1])) {
+      deps.push({ name: m[1], version: m[2] });
+    }
+  }
+
+  return deps;
+}
+
+/**
+ * Parse requirements.txt — extract package==version lines.
+ */
+export function parseRequirementsTxt(content) {
+  const deps = [];
+  for (const line of content.split('\n')) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) continue;
+    const match = trimmed.match(/^([a-zA-Z0-9._-]+)(?:\[.*?\])?\s*(?:([<>=!~]+)\s*(.*))?$/);
+    if (match) {
+      deps.push({
+        name: match[1].toLowerCase(),
+        version: match[3] || null,
+      });
+    }
+  }
+  return deps;
+}
+
+/**
+ * Parse pyproject.toml — extract [project.dependencies] section.
+ */
+export function parsePyprojectToml(content) {
+  const deps = [];
+  // Match dependencies array
+  const depsMatch = content.match(/\[project\]\s*[\s\S]*?dependencies\s*=\s*\[([\s\S]*?)\]/);
+  if (depsMatch) {
+    const lines = depsMatch[1].split('\n');
+    for (const line of lines) {
+      const match = line.match(/["']([a-zA-Z0-9._-]+)(?:\[.*?\])?(?:([<>=!~]+)([\d.]+))?/);
+      if (match) {
+        deps.push({ name: match[1].toLowerCase(), version: match[3] || null });
+      }
+    }
+  }
+
+  // Also check [tool.poetry.dependencies]
+  const poetryMatch = content.match(/\[tool\.poetry\.dependencies\]([\s\S]*?)(?:\[|$)/);
+  if (poetryMatch) {
+    const lines = poetryMatch[1].split('\n');
+    for (const line of lines) {
+      const match = line.match(/^([a-zA-Z0-9._-]+)\s*=\s*(?:"([^"]+)"|{.*?version\s*=\s*"([^"]+)")/);
+      if (match && match[1] !== 'python') {
+        const name = match[1].toLowerCase();
+        if (!deps.some(d => d.name === name)) {
+          deps.push({ name, version: match[2] || match[3] || null });
+        }
+      }
+    }
+  }
+
+  return deps;
+}
+
+/**
+ * Parse Cargo.toml — extract [dependencies] section.
+ */
+export function parseCargoToml(content) {
+  const deps = [];
+  const depsMatch = content.match(/\[dependencies\]([\s\S]*?)(?:\[|$)/);
+  if (!depsMatch) return deps;
+
+  for (const line of depsMatch[1].split('\n')) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    // name = "version" or name = { version = "x.y.z" }
+    const simpleMatch = trimmed.match(/^([a-zA-Z0-9_-]+)\s*=\s*"([^"]+)"/);
+    if (simpleMatch) {
+      deps.push({ name: simpleMatch[1], version: simpleMatch[2] });
+      continue;
+    }
+    const complexMatch = trimmed.match(/^([a-zA-Z0-9_-]+)\s*=\s*\{.*?version\s*=\s*"([^"]+)"/);
+    if (complexMatch) {
+      deps.push({ name: complexMatch[1], version: complexMatch[2] });
+    }
+  }
+  return deps;
+}
+
+/**
+ * Parse pom.xml — extract <dependency> blocks.
+ */
+export function parsePomXml(content) {
+  const deps = [];
+  const depRegex = /<dependency>\s*<groupId>(.*?)<\/groupId>\s*<artifactId>(.*?)<\/artifactId>(?:\s*<version>(.*?)<\/version>)?/g;
+  let match;
+  while ((match = depRegex.exec(content)) !== null) {
+    deps.push({
+      name: `${match[1]}:${match[2]}`,
+      version: match[3] || null,
+      groupId: match[1],
+      artifactId: match[2],
+    });
+  }
+  return deps;
+}
+
+// ---------------------------------------------------------------------------
+// Manifest detection and scanning
+// ---------------------------------------------------------------------------
+
+const MANIFEST_FILES = [
+  { file: 'package.json', ecosystem: 'npm', parser: null }, // npm handled by main scanner
+  { file: 'go.mod', ecosystem: 'go', parser: parseGoMod },
+  { file: 'go.sum', ecosystem: 'go', parser: null },
+  { file: 'requirements.txt', ecosystem: 'pypi', parser: parseRequirementsTxt },
+  { file: 'pyproject.toml', ecosystem: 'pypi', parser: parsePyprojectToml },
+  { file: 'Cargo.toml', ecosystem: 'cargo', parser: parseCargoToml },
+  { file: 'pom.xml', ecosystem: 'maven', parser: parsePomXml },
+];
+
+/**
+ * Scan a project directory for manifests and identify crypto dependencies.
+ * Returns array of library entries compatible with scanner.mjs output.
+ */
+export function scanManifests(projectDir) {
+  const results = [];
+  const seen = new Set();
+
+  for (const { file, ecosystem, parser } of MANIFEST_FILES) {
+    if (!parser) continue; // npm handled by main scanner
+
+    const manifestPath = join(projectDir, file);
+    if (!existsSync(manifestPath)) continue;
+
+    let content;
+    try { content = readFileSync(manifestPath, 'utf-8'); }
+    catch { continue; }
+
+    const deps = parser(content);
+
+    for (const dep of deps) {
+      const pkg = lookupPackage(dep.name, ecosystem);
+      if (pkg && !seen.has(`${ecosystem}:${pkg.name}`)) {
+        seen.add(`${ecosystem}:${pkg.name}`);
+        results.push({
+          name: pkg.name,
+          version: dep.version || 'unknown',
+          algorithms: pkg.algorithms,
+          quantumRisk: pkg.quantumRisk,
+          category: pkg.category,
+          ecosystem,
+          source: file,
+          isDeprecated: pkg.isDeprecated || false,
+        });
+      }
+    }
+  }
+
+  return results;
+}

package/lib/scanner-tls.mjs

@@ -0,0 +1,173 @@
+/**
+ * TLS version scanner — detects deprecated TLS/SSL in config and source files.
+ *
+ * Scans nginx, Apache, Node.js, Go, Java configs and source files for
+ * deprecated TLS versions (SSLv2, SSLv3, TLSv1.0, TLSv1.1).
+ * Zero dependencies.
+ */
+
+import { readFileSync } from 'node:fs';
+import { extname, relative } from 'node:path';
+import { walkProject } from './walker.mjs';
+
+// ---------------------------------------------------------------------------
+// TLS version risk levels
+// ---------------------------------------------------------------------------
+
+const TLS_RISK = {
+  'SSLv2':   { risk: 'critical', recommendation: 'Remove immediately — completely broken' },
+  'SSLv3':   { risk: 'critical', recommendation: 'Remove immediately — POODLE attack' },
+  'TLSv1':   { risk: 'critical', recommendation: 'Remove — deprecated by RFC 8996' },
+  'TLSv1.0': { risk: 'critical', recommendation: 'Remove — deprecated by RFC 8996' },
+  'TLSv1.1': { risk: 'high', recommendation: 'Remove — deprecated by RFC 8996' },
+  'TLSv1.2': { risk: 'none', recommendation: 'Current standard, safe to use' },
+  'TLSv1.3': { risk: 'none', recommendation: 'Best available, recommended' },
+};
+
+// ---------------------------------------------------------------------------
+// Detection patterns by file type
+// ---------------------------------------------------------------------------
+
+const PATTERNS = [
+  // Nginx: ssl_protocols directive
+  {
+    filePatterns: ['nginx.conf', '*.nginx', '*.nginx.conf'],
+    extensions: ['.conf'],
+    regex: /ssl_protocols\s+([^;]+);/g,
+    extract: (match) => {
+      const protocols = match[1].split(/\s+/);
+      return protocols
+        .filter(p => p.match(/^(SSLv[23]|TLSv1(\.[0-3])?)$/))
+        .map(p => ({ protocol: p, context: 'nginx ssl_protocols' }));
+    },
+  },
+  // Apache: SSLProtocol directive
+  {
+    filePatterns: ['httpd.conf', 'apache2.conf', 'ssl.conf', '*.apache.conf'],
+    extensions: ['.conf'],
+    regex: /SSLProtocol\s+([^\n]+)/g,
+    extract: (match) => {
+      const parts = match[1].split(/\s+/);
+      return parts
+        .filter(p => p.match(/^[+-]?(SSLv[23]|TLSv1(\.[0-3])?)$/))
+        .filter(p => !p.startsWith('-'))
+        .map(p => ({ protocol: p.replace(/^\+/, ''), context: 'Apache SSLProtocol' }));
+    },
+  },
+  // Node.js: tls.createServer minVersion
+  {
+    extensions: ['.js', '.ts', '.mjs', '.cjs'],
+    regex: /minVersion:\s*['"]([^'"]+)['"]/g,
+    extract: (match) => {
+      const version = match[1];
+      return [{ protocol: version, context: 'Node.js TLS minVersion' }];
+    },
+  },
+  // Go: tls.Config MinVersion
+  {
+    extensions: ['.go'],
+    regex: /MinVersion:\s*tls\.(VersionSSL30|VersionTLS1[0-3])/g,
+    extract: (match) => {
+      const versionMap = {
+        'VersionSSL30': 'SSLv3',
+        'VersionTLS10': 'TLSv1.0',
+        'VersionTLS11': 'TLSv1.1',
+        'VersionTLS12': 'TLSv1.2',
+        'VersionTLS13': 'TLSv1.3',
+      };
+      const protocol = versionMap[match[1]] || match[1];
+      return [{ protocol, context: 'Go tls.Config MinVersion' }];
+    },
+  },
+  // Java: SSLContext.getInstance
+  {
+    extensions: ['.java', '.kt', '.scala'],
+    regex: /SSLContext\.getInstance\s*\(\s*["'](TLS(?:v1(?:\.[0-3])?)?|SSL(?:v[23])?)["']\s*\)/g,
+    extract: (match) => {
+      return [{ protocol: match[1], context: 'Java SSLContext' }];
+    },
+  },
+  // Docker / env: SSL_MIN_VERSION or similar
+  {
+    filePatterns: ['Dockerfile', 'docker-compose.yml', 'docker-compose.yaml', '.env'],
+    regex: /(?:SSL_MIN_VERSION|TLS_MIN_VERSION|MIN_TLS_VERSION)\s*[=:]\s*['"]?([^\s'"]+)/gi,
+    extract: (match) => {
+      return [{ protocol: match[1], context: 'Environment variable' }];
+    },
+  },
+  // Generic: TLS version strings in any config
+  {
+    extensions: ['.conf', '.cfg', '.ini', '.toml', '.yaml', '.yml', '.json', '.xml'],
+    regex: /\b(SSLv[23]|TLSv1\.0|TLSv1\.1)\b/g,
+    extract: (match) => {
+      return [{ protocol: match[1], context: 'Config file reference' }];
+    },
+  },
+];
+
+// ---------------------------------------------------------------------------
+// Scanner
+// ---------------------------------------------------------------------------
+
+/**
+ * Scan project for deprecated TLS/SSL versions.
+ *
+ * @param {string} projectDir - Root directory for relative path calculation
+ * @param {string[]|undefined} preFilteredFiles - Pre-walked file list (source+config).
+ *   If omitted, walks the directory internally for backward compat.
+ * @returns {Array<{file: string, line: number, protocol: string, risk: string, recommendation: string}>}
+ */
+export function scanTlsConfigs(projectDir, preFilteredFiles) {
+  const findings = [];
+  let files;
+  if (Array.isArray(preFilteredFiles)) {
+    files = preFilteredFiles;
+  } else {
+    const walked = walkProject(projectDir);
+    files = [...walked.sourceFiles, ...walked.configFiles];
+  }
+
+  for (const filePath of files) {
+    let content;
+    try { content = readFileSync(filePath, 'utf-8'); }
+    catch { continue; }
+
+    const ext = extname(filePath).toLowerCase();
+    const name = filePath.split('/').pop();
+    const relPath = relative(projectDir, filePath);
+
+    for (const pattern of PATTERNS) {
+      // Check if pattern applies to this file
+      const extMatch = pattern.extensions && pattern.extensions.includes(ext);
+      const nameMatch = pattern.filePatterns && pattern.filePatterns.some(p => {
+        if (p.startsWith('*')) return name.endsWith(p.slice(1));
+        return name === p;
+      });
+
+      if (!extMatch && !nameMatch) continue;
+
+      pattern.regex.lastIndex = 0;
+      let match;
+      while ((match = pattern.regex.exec(content)) !== null) {
+        const detected = pattern.extract(match);
+        for (const { protocol, context } of detected) {
+          const riskInfo = TLS_RISK[protocol];
+          if (riskInfo && riskInfo.risk !== 'none') {
+            // Find line number
+            const lineNum = content.substring(0, match.index).split('\n').length;
+            findings.push({
+              file: relPath,
+              line: lineNum,
+              protocol,
+              risk: riskInfo.risk,
+              recommendation: riskInfo.recommendation,
+              context,
+            });
+          }
+        }
+      }
+    }
+  }
+
+  return findings;
+}