cryptoserve 0.1.3 → 0.2.1

package/lib/scanner-binary.mjs

@@ -0,0 +1,151 @@
+/**
+ * Binary crypto signature scanner.
+ *
+ * Detects compiled crypto by searching for known byte patterns
+ * (S-boxes, round constants, initial hash values) in binary files.
+ * Ported from backend/app/core/binary_scanner.py.
+ * Zero dependencies — uses only node:fs and node:path.
+ */
+
+import { readFileSync, statSync, openSync, readSync, closeSync } from 'node:fs';
+import { join, extname, basename } from 'node:path';
+import { walkProject } from './walker.mjs';
+
+// ---------------------------------------------------------------------------
+// Binary signatures — byte patterns for compiled crypto
+// ---------------------------------------------------------------------------
+
+export const BINARY_SIGNATURES = [
+  {
+    name: 'AES S-box',
+    algorithm: 'aes',
+    severity: 'info',
+    bytes: Buffer.from([0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76]),
+  },
+  {
+    name: 'AES round constant',
+    algorithm: 'aes',
+    severity: 'info',
+    bytes: Buffer.from([0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]),
+  },
+  {
+    name: 'DES initial permutation',
+    algorithm: 'des',
+    severity: 'high',
+    bytes: Buffer.from([58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4]),
+  },
+  {
+    name: 'DES S-box 1',
+    algorithm: 'des',
+    severity: 'high',
+    bytes: Buffer.from([14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]),
+  },
+  {
+    name: 'SHA-256 initial values',
+    algorithm: 'sha256',
+    severity: 'info',
+    bytes: Buffer.from([0x6A, 0x09, 0xE6, 0x67, 0xBB, 0x67, 0xAE, 0x85, 0x3C, 0x6E, 0xF3, 0x72, 0xA5, 0x4F, 0xF5, 0x3A]),
+  },
+  {
+    name: 'SHA-1 initial values',
+    algorithm: 'sha1',
+    severity: 'high',
+    bytes: Buffer.from([0x67, 0x45, 0x23, 0x01, 0xEF, 0xCD, 0xAB, 0x89, 0x98, 0xBA, 0xDC, 0xFE, 0x10, 0x32, 0x54, 0x76]),
+  },
+  {
+    name: 'MD5 initial values',
+    algorithm: 'md5',
+    severity: 'critical',
+    bytes: Buffer.from([0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10]),
+  },
+  {
+    name: 'ChaCha20 sigma constant',
+    algorithm: 'chacha20',
+    severity: 'info',
+    bytes: Buffer.from('expand 32-byte k'),
+  },
+  {
+    name: 'Blowfish P-array',
+    algorithm: 'blowfish',
+    severity: 'high',
+    bytes: Buffer.from([0x24, 0x3F, 0x6A, 0x88, 0x85, 0xA3, 0x08, 0xD3, 0x13, 0x19, 0x8A, 0x2E, 0x03, 0x70, 0x73, 0x44]),
+  },
+  {
+    name: 'RSA public exponent 65537',
+    algorithm: 'rsa',
+    severity: 'info',
+    bytes: Buffer.from([0x01, 0x00, 0x01]),
+  },
+];
+
+const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
+
+// ---------------------------------------------------------------------------
+// Scanner functions
+// ---------------------------------------------------------------------------
+
+/**
+ * Scan a single binary file for crypto byte patterns.
+ * Returns array of matches: [{ name, algorithm, severity, offset }]
+ */
+export function scanBinary(filePath) {
+  let buf;
+  try {
+    const size = statSync(filePath).size;
+    if (size > MAX_FILE_SIZE) {
+      const fd = openSync(filePath, 'r');
+      buf = Buffer.alloc(MAX_FILE_SIZE);
+      readSync(fd, buf, 0, MAX_FILE_SIZE, 0);
+      closeSync(fd);
+    } else {
+      buf = readFileSync(filePath);
+    }
+  } catch {
+    return [];
+  }
+
+  const matches = [];
+  for (const sig of BINARY_SIGNATURES) {
+    const offset = buf.indexOf(sig.bytes);
+    if (offset !== -1) {
+      matches.push({
+        name: sig.name,
+        algorithm: sig.algorithm,
+        severity: sig.severity,
+        offset,
+      });
+    }
+  }
+  return matches;
+}
+
+/**
+ * Scan binary files for crypto byte signatures.
+ *
+ * @param {string} projectDir - Root directory for relative path calculation
+ * @param {string[]|undefined} preFilteredFiles - Pre-walked binary file list.
+ *   If omitted, walks the directory internally for backward compat.
+ * @returns {Array<{name: string, algorithm: string, severity: string, offset: number, file: string}>}
+ */
+export function scanBinaries(projectDir, preFilteredFiles) {
+  const results = [];
+  let files;
+  if (Array.isArray(preFilteredFiles)) {
+    files = preFilteredFiles;
+  } else {
+    const walked = walkProject(projectDir);
+    files = walked.binaryFiles;
+  }
+
+  for (const filePath of files) {
+    const matches = scanBinary(filePath);
+    for (const match of matches) {
+      results.push({
+        ...match,
+        file: filePath.replace(projectDir + '/', ''),
+      });
+    }
+  }
+
+  return results;
+}

package/lib/scanner-languages.mjs

@@ -0,0 +1,242 @@
+/**
+ * Multi-language crypto pattern detection.
+ *
+ * Detects crypto usage in Go, Python, Java/Kotlin, Rust, and C/C++ source files.
+ * Ported from backend/app/core/code_scanner.py LIBRARY_PATTERNS.
+ * Zero dependencies.
+ */
+
+import { extname } from 'node:path';
+
+// ---------------------------------------------------------------------------
+// Per-language regex patterns
+// ---------------------------------------------------------------------------
+
+export const LANGUAGE_PATTERNS = {
+  go: {
+    extensions: ['.go'],
+    patterns: [
+      { regex: /aes\.NewCipher/g, algorithm: 'aes', category: 'encryption' },
+      { regex: /des\.NewCipher/g, algorithm: 'des', category: 'encryption' },
+      { regex: /des\.NewTripleDESCipher/g, algorithm: '3des', category: 'encryption' },
+      { regex: /sha256\.New\(\)|sha256\.Sum256/g, algorithm: 'sha256', category: 'hashing' },
+      { regex: /sha512\.New\(\)|sha512\.Sum512/g, algorithm: 'sha512', category: 'hashing' },
+      { regex: /sha1\.New\(\)|sha1\.Sum/g, algorithm: 'sha1', category: 'hashing' },
+      { regex: /md5\.New\(\)|md5\.Sum/g, algorithm: 'md5', category: 'hashing' },
+      { regex: /rsa\.GenerateKey|rsa\.EncryptOAEP|rsa\.SignPKCS1v15|rsa\.EncryptPKCS1v15/g, algorithm: 'rsa', category: 'encryption' },
+      { regex: /ecdsa\.GenerateKey|ecdsa\.Sign|ecdsa\.Verify/g, algorithm: 'ecdsa', category: 'signing' },
+      { regex: /ed25519\.GenerateKey|ed25519\.Sign|ed25519\.Verify/g, algorithm: 'ed25519', category: 'signing' },
+      { regex: /chacha20poly1305\.New/g, algorithm: 'chacha20-poly1305', category: 'encryption' },
+      { regex: /argon2\.IDKey|argon2\.Key/g, algorithm: 'argon2id', category: 'kdf' },
+      { regex: /bcrypt\.GenerateFromPassword|bcrypt\.CompareHashAndPassword/g, algorithm: 'bcrypt', category: 'kdf' },
+      { regex: /scrypt\.Key/g, algorithm: 'scrypt', category: 'kdf' },
+      { regex: /pbkdf2\.Key/g, algorithm: 'pbkdf2', category: 'kdf' },
+      { regex: /curve25519\.X25519|ecdh\.P256\(\)|ecdh\.X25519\(\)/g, algorithm: 'x25519', category: 'key_exchange' },
+      { regex: /hmac\.New/g, algorithm: 'hmac', category: 'mac' },
+      { regex: /hkdf\.New|hkdf\.Expand/g, algorithm: 'hkdf', category: 'kdf' },
+      { regex: /tls\.Config\{|tls\.Listen|tls\.Dial/g, algorithm: 'tls', category: 'protocol' },
+      { regex: /circl\/.*kyber|circl\/.*dilithium/g, algorithm: 'kyber', category: 'key_exchange' },
+    ],
+    importPatterns: [
+      { regex: /["']crypto\/aes["']/g, library: 'crypto/aes' },
+      { regex: /["']crypto\/des["']/g, library: 'crypto/des' },
+      { regex: /["']crypto\/rsa["']/g, library: 'crypto/rsa' },
+      { regex: /["']crypto\/ecdsa["']/g, library: 'crypto/ecdsa' },
+      { regex: /["']crypto\/ed25519["']/g, library: 'crypto/ed25519' },
+      { regex: /["']crypto\/sha256["']/g, library: 'crypto/sha256' },
+      { regex: /["']crypto\/sha512["']/g, library: 'crypto/sha512' },
+      { regex: /["']crypto\/sha1["']/g, library: 'crypto/sha1' },
+      { regex: /["']crypto\/md5["']/g, library: 'crypto/md5' },
+      { regex: /["']crypto\/hmac["']/g, library: 'crypto/hmac' },
+      { regex: /["']crypto\/tls["']/g, library: 'crypto/tls' },
+      { regex: /["']crypto\/ecdh["']/g, library: 'crypto/ecdh' },
+      { regex: /["']golang\.org\/x\/crypto/g, library: 'golang.org/x/crypto' },
+      { regex: /["']github\.com\/cloudflare\/circl/g, library: 'circl' },
+    ],
+  },
+  python: {
+    extensions: ['.py'],
+    patterns: [
+      { regex: /hashlib\.sha256|hashlib\.new\s*\(\s*['"]sha256/g, algorithm: 'sha256', category: 'hashing' },
+      { regex: /hashlib\.sha384|hashlib\.new\s*\(\s*['"]sha384/g, algorithm: 'sha384', category: 'hashing' },
+      { regex: /hashlib\.sha512|hashlib\.new\s*\(\s*['"]sha512/g, algorithm: 'sha512', category: 'hashing' },
+      { regex: /hashlib\.md5|hashlib\.new\s*\(\s*['"]md5/g, algorithm: 'md5', category: 'hashing' },
+      { regex: /hashlib\.sha1|hashlib\.new\s*\(\s*['"]sha1/g, algorithm: 'sha1', category: 'hashing' },
+      { regex: /hashlib\.sha3_256|hashlib\.new\s*\(\s*['"]sha3_256/g, algorithm: 'sha3-256', category: 'hashing' },
+      { regex: /hashlib\.blake2b/g, algorithm: 'blake2b', category: 'hashing' },
+      { regex: /from\s+Crypto\.Cipher\s+import\s+AES|AES\.new/g, algorithm: 'aes', category: 'encryption' },
+      { regex: /from\s+Crypto\.Cipher\s+import\s+DES\b|DES\.new/g, algorithm: 'des', category: 'encryption' },
+      { regex: /from\s+Crypto\.Cipher\s+import\s+DES3|DES3\.new/g, algorithm: '3des', category: 'encryption' },
+      { regex: /RSA\.generate|PKCS1_OAEP|RSA\.import_key/g, algorithm: 'rsa', category: 'encryption' },
+      { regex: /from\s+cryptography.*import.*Fernet/g, algorithm: 'aes-128-cbc', category: 'encryption' },
+      { regex: /AESGCM|algorithms\.AES/g, algorithm: 'aes-gcm', category: 'encryption' },
+      { regex: /Ed25519PrivateKey|Ed25519PublicKey/g, algorithm: 'ed25519', category: 'signing' },
+      { regex: /X25519PrivateKey|X25519PublicKey/g, algorithm: 'x25519', category: 'key_exchange' },
+      { regex: /ECDSA|ec\.SECP256R1|ec\.SECP384R1/g, algorithm: 'ecdsa', category: 'signing' },
+      { regex: /bcrypt\.hashpw|bcrypt\.gensalt/g, algorithm: 'bcrypt', category: 'kdf' },
+      { regex: /argon2\.PasswordHasher|argon2\.hash_password/g, algorithm: 'argon2', category: 'kdf' },
+      { regex: /PBKDF2HMAC/g, algorithm: 'pbkdf2', category: 'kdf' },
+      { regex: /Scrypt/g, algorithm: 'scrypt', category: 'kdf' },
+      { regex: /ChaCha20Poly1305/g, algorithm: 'chacha20-poly1305', category: 'encryption' },
+      { regex: /from\s+hmac\s+import|hmac\.new/g, algorithm: 'hmac', category: 'mac' },
+    ],
+    importPatterns: [
+      { regex: /import\s+hashlib/g, library: 'hashlib' },
+      { regex: /from\s+Crypto\b/g, library: 'pycryptodome' },
+      { regex: /from\s+cryptography\b/g, library: 'cryptography' },
+      { regex: /import\s+bcrypt/g, library: 'bcrypt' },
+      { regex: /import\s+argon2/g, library: 'argon2-cffi' },
+      { regex: /from\s+nacl\b|import\s+nacl/g, library: 'pynacl' },
+      { regex: /import\s+jwt\b|from\s+jwt\b/g, library: 'pyjwt' },
+    ],
+  },
+  java: {
+    extensions: ['.java', '.kt', '.scala'],
+    patterns: [
+      { regex: /Cipher\.getInstance\s*\(\s*["']AES/g, algorithm: 'aes', category: 'encryption' },
+      { regex: /Cipher\.getInstance\s*\(\s*["']DES\b/g, algorithm: 'des', category: 'encryption' },
+      { regex: /Cipher\.getInstance\s*\(\s*["']DESede/g, algorithm: '3des', category: 'encryption' },
+      { regex: /Cipher\.getInstance\s*\(\s*["']RSA/g, algorithm: 'rsa', category: 'encryption' },
+      { regex: /Cipher\.getInstance\s*\(\s*["']ChaCha20/g, algorithm: 'chacha20-poly1305', category: 'encryption' },
+      { regex: /Cipher\.getInstance\s*\(\s*["']Blowfish/g, algorithm: 'blowfish', category: 'encryption' },
+      { regex: /Cipher\.getInstance\s*\(\s*["']RC4/g, algorithm: 'rc4', category: 'encryption' },
+      { regex: /MessageDigest\.getInstance\s*\(\s*["']SHA-256/g, algorithm: 'sha256', category: 'hashing' },
+      { regex: /MessageDigest\.getInstance\s*\(\s*["']SHA-384/g, algorithm: 'sha384', category: 'hashing' },
+      { regex: /MessageDigest\.getInstance\s*\(\s*["']SHA-512/g, algorithm: 'sha512', category: 'hashing' },
+      { regex: /MessageDigest\.getInstance\s*\(\s*["']SHA-1/g, algorithm: 'sha1', category: 'hashing' },
+      { regex: /MessageDigest\.getInstance\s*\(\s*["']MD5/g, algorithm: 'md5', category: 'hashing' },
+      { regex: /KeyPairGenerator\.getInstance\s*\(\s*["']RSA/g, algorithm: 'rsa', category: 'encryption' },
+      { regex: /KeyPairGenerator\.getInstance\s*\(\s*["']EC/g, algorithm: 'ecdsa', category: 'signing' },
+      { regex: /KeyPairGenerator\.getInstance\s*\(\s*["']DSA/g, algorithm: 'dsa', category: 'signing' },
+      { regex: /Signature\.getInstance\s*\(\s*["']SHA256withRSA/g, algorithm: 'rsa', category: 'signing' },
+      { regex: /Signature\.getInstance\s*\(\s*["']SHA256withECDSA/g, algorithm: 'ecdsa', category: 'signing' },
+      { regex: /SecretKeyFactory\.getInstance\s*\(\s*["']PBKDF2/g, algorithm: 'pbkdf2', category: 'kdf' },
+      { regex: /KeyAgreement\.getInstance\s*\(\s*["']ECDH/g, algorithm: 'ecdh', category: 'key_exchange' },
+      { regex: /KeyAgreement\.getInstance\s*\(\s*["']DH/g, algorithm: 'dh', category: 'key_exchange' },
+      { regex: /SSLContext\.getInstance\s*\(\s*["']TLS/g, algorithm: 'tls', category: 'protocol' },
+      { regex: /Mac\.getInstance\s*\(\s*["']HmacSHA/g, algorithm: 'hmac', category: 'mac' },
+    ],
+    importPatterns: [
+      { regex: /import\s+javax\.crypto/g, library: 'javax.crypto' },
+      { regex: /import\s+java\.security/g, library: 'java.security' },
+      { regex: /import\s+org\.bouncycastle/g, library: 'bouncycastle' },
+    ],
+  },
+  rust: {
+    extensions: ['.rs'],
+    patterns: [
+      { regex: /use\s+aes::|Aes256Gcm|Aes128Gcm|Aes256/g, algorithm: 'aes-gcm', category: 'encryption' },
+      { regex: /use\s+chacha20poly1305::|ChaCha20Poly1305/g, algorithm: 'chacha20-poly1305', category: 'encryption' },
+      { regex: /use\s+rsa::|RsaPrivateKey|RsaPublicKey/g, algorithm: 'rsa', category: 'encryption' },
+      { regex: /use\s+ed25519::|Ed25519/g, algorithm: 'ed25519', category: 'signing' },
+      { regex: /use\s+ed25519_dalek::/g, algorithm: 'ed25519', category: 'signing' },
+      { regex: /use\s+sha2::|Sha256::new|Sha512::new/g, algorithm: 'sha256', category: 'hashing' },
+      { regex: /use\s+sha1::|Sha1::new/g, algorithm: 'sha1', category: 'hashing' },
+      { regex: /use\s+md5::|Md5::new/g, algorithm: 'md5', category: 'hashing' },
+      { regex: /use\s+blake2::|Blake2b/g, algorithm: 'blake2b', category: 'hashing' },
+      { regex: /use\s+argon2::|Argon2/g, algorithm: 'argon2', category: 'kdf' },
+      { regex: /use\s+bcrypt::/g, algorithm: 'bcrypt', category: 'kdf' },
+      { regex: /use\s+scrypt::/g, algorithm: 'scrypt', category: 'kdf' },
+      { regex: /use\s+pbkdf2::/g, algorithm: 'pbkdf2', category: 'kdf' },
+      { regex: /use\s+x25519_dalek::|X25519/g, algorithm: 'x25519', category: 'key_exchange' },
+      { regex: /use\s+p256::|use\s+p384::/g, algorithm: 'ecdsa', category: 'signing' },
+      { regex: /use\s+ring::/g, algorithm: 'aes-gcm', category: 'encryption' },
+      { regex: /use\s+pqcrypto::|use\s+oqs::/g, algorithm: 'ml-kem', category: 'key_exchange' },
+      { regex: /use\s+hmac::|Hmac::new/g, algorithm: 'hmac', category: 'mac' },
+      { regex: /use\s+hkdf::/g, algorithm: 'hkdf', category: 'kdf' },
+    ],
+    importPatterns: [
+      { regex: /\[dependencies\][\s\S]*?(?:aes-gcm|aes)\s*=/g, library: 'aes-gcm' },
+      { regex: /\[dependencies\][\s\S]*?ring\s*=/g, library: 'ring' },
+      { regex: /\[dependencies\][\s\S]*?pqcrypto\s*=/g, library: 'pqcrypto' },
+    ],
+  },
+  c: {
+    extensions: ['.c', '.h', '.cpp', '.hpp', '.cc', '.cxx'],
+    patterns: [
+      { regex: /EVP_aes_256_gcm|EVP_aes_128_gcm|EVP_aes_256_cbc|AES_encrypt|AES_set_encrypt_key/g, algorithm: 'aes', category: 'encryption' },
+      { regex: /EVP_des_|DES_ecb_encrypt|DES_set_key/g, algorithm: 'des', category: 'encryption' },
+      { regex: /EVP_des_ede3|DES_ede3_cbc_encrypt/g, algorithm: '3des', category: 'encryption' },
+      { regex: /RSA_generate_key|EVP_PKEY_RSA|RSA_public_encrypt/g, algorithm: 'rsa', category: 'encryption' },
+      { regex: /EVP_sha256|SHA256_Init|SHA256_Update/g, algorithm: 'sha256', category: 'hashing' },
+      { regex: /EVP_sha1|SHA1_Init|SHA1_Update/g, algorithm: 'sha1', category: 'hashing' },
+      { regex: /EVP_md5|MD5_Init|MD5_Update/g, algorithm: 'md5', category: 'hashing' },
+      { regex: /EVP_sha512|SHA512_Init/g, algorithm: 'sha512', category: 'hashing' },
+      { regex: /EVP_sha3_256/g, algorithm: 'sha3-256', category: 'hashing' },
+      { regex: /EC_KEY_generate|ECDSA_sign|ECDSA_verify/g, algorithm: 'ecdsa', category: 'signing' },
+      { regex: /EVP_chacha20_poly1305/g, algorithm: 'chacha20-poly1305', category: 'encryption' },
+      { regex: /PKCS5_PBKDF2_HMAC/g, algorithm: 'pbkdf2', category: 'kdf' },
+      { regex: /EVP_PKEY_X25519/g, algorithm: 'x25519', category: 'key_exchange' },
+      { regex: /HMAC_Init|HMAC_Update|HMAC_CTX/g, algorithm: 'hmac', category: 'mac' },
+      { regex: /EVP_PKEY_EC|EC_GROUP_new/g, algorithm: 'ecdh', category: 'key_exchange' },
+      { regex: /EVP_bf_cbc|BF_encrypt/g, algorithm: 'blowfish', category: 'encryption' },
+      { regex: /EVP_rc4|RC4_set_key/g, algorithm: 'rc4', category: 'encryption' },
+      { regex: /SSL_CTX_new|TLS_method|SSLv23_method/g, algorithm: 'tls', category: 'protocol' },
+    ],
+    importPatterns: [
+      { regex: /#include\s*<openssl\/evp\.h>/g, library: 'openssl' },
+      { regex: /#include\s*<openssl\/aes\.h>/g, library: 'openssl' },
+      { regex: /#include\s*<openssl\/rsa\.h>/g, library: 'openssl' },
+      { regex: /#include\s*<openssl\/ssl\.h>/g, library: 'openssl' },
+      { regex: /#include\s*<sodium\.h>/g, library: 'libsodium' },
+      { regex: /#include\s*<oqs\/oqs\.h>/g, library: 'liboqs' },
+    ],
+  },
+};
+
+// ---------------------------------------------------------------------------
+// Extension → language mapping
+// ---------------------------------------------------------------------------
+
+const EXT_MAP = {};
+for (const [lang, def] of Object.entries(LANGUAGE_PATTERNS)) {
+  for (const ext of def.extensions) {
+    EXT_MAP[ext] = lang;
+  }
+}
+
+/**
+ * Detect programming language from file extension.
+ * Returns language key (go, python, java, rust, c) or null.
+ */
+export function detectLanguage(filePath) {
+  const ext = extname(filePath).toLowerCase();
+  return EXT_MAP[ext] || null;
+}
+
+/**
+ * Scan a source file for crypto patterns in the specified language.
+ * Returns { algorithms: [{ algorithm, category, line? }], imports: [{ library }] }.
+ */
+export function scanSourceFile(filePath, content, language) {
+  const langDef = LANGUAGE_PATTERNS[language];
+  if (!langDef) return { algorithms: [], imports: [] };
+
+  const algorithms = [];
+  const imports = [];
+  const seenAlgos = new Set();
+  const seenImports = new Set();
+
+  for (const { regex, algorithm, category } of langDef.patterns) {
+    regex.lastIndex = 0;
+    if (regex.test(content) && !seenAlgos.has(algorithm)) {
+      seenAlgos.add(algorithm);
+      algorithms.push({ algorithm, category });
+    }
+  }
+
+  for (const { regex, library } of langDef.importPatterns) {
+    regex.lastIndex = 0;
+    if (regex.test(content) && !seenImports.has(library)) {
+      seenImports.add(library);
+      imports.push({ library });
+    }
+  }
+
+  return { algorithms, imports };
+}
+
+/**
+ * All supported non-JS source extensions for the file walker.
+ */
+export const MULTI_LANG_EXTENSIONS = new Set(Object.values(LANGUAGE_PATTERNS).flatMap(l => l.extensions));

package/lib/scanner-manifests.mjs

@@ -0,0 +1,200 @@
+/**
+ * Multi-ecosystem manifest parser and crypto package detector.
+ *
+ * Parses go.mod, requirements.txt, pyproject.toml, Cargo.toml, pom.xml
+ * and identifies known crypto packages.
+ * Ported from backend/app/core/dependency_scanner.py.
+ * Zero dependencies.
+ */
+
+import { existsSync, readFileSync, readdirSync } from 'node:fs';
+import { join, basename } from 'node:path';
+import { CRYPTO_PACKAGES, lookupPackage } from './crypto-registry.mjs';
+
+// Re-export for backward compatibility
+export { CRYPTO_PACKAGES };
+
+// ---------------------------------------------------------------------------
+// Manifest parsers
+// ---------------------------------------------------------------------------
+
+/**
+ * Parse go.mod — extract module dependencies.
+ */
+export function parseGoMod(content) {
+  const deps = [];
+  // Match require block
+  const requireBlock = content.match(/require\s*\(([\s\S]*?)\)/);
+  const lines = requireBlock ? requireBlock[1].split('\n') : content.split('\n');
+
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('//') || trimmed === 'require') continue;
+    const match = trimmed.match(/^([a-zA-Z0-9.\/_-]+)\s+(v[\d.]+[a-zA-Z0-9._-]*)/);
+    if (match) {
+      deps.push({ name: match[1], version: match[2] });
+    }
+  }
+
+  // Also match single-line require directives
+  const singleReqs = content.matchAll(/^require\s+([a-zA-Z0-9.\/_-]+)\s+(v[\d.]+[a-zA-Z0-9._-]*)/gm);
+  for (const m of singleReqs) {
+    if (!deps.some(d => d.name === m[1])) {
+      deps.push({ name: m[1], version: m[2] });
+    }
+  }
+
+  return deps;
+}
+
+/**
+ * Parse requirements.txt — extract package==version lines.
+ */
+export function parseRequirementsTxt(content) {
+  const deps = [];
+  for (const line of content.split('\n')) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#') || trimmed.startsWith('-')) continue;
+    const match = trimmed.match(/^([a-zA-Z0-9._-]+)(?:\[.*?\])?\s*(?:([<>=!~]+)\s*(.*))?$/);
+    if (match) {
+      deps.push({
+        name: match[1].toLowerCase(),
+        version: match[3] || null,
+      });
+    }
+  }
+  return deps;
+}
+
+/**
+ * Parse pyproject.toml — extract [project.dependencies] section.
+ */
+export function parsePyprojectToml(content) {
+  const deps = [];
+  // Match dependencies array
+  const depsMatch = content.match(/\[project\]\s*[\s\S]*?dependencies\s*=\s*\[([\s\S]*?)\]/);
+  if (depsMatch) {
+    const lines = depsMatch[1].split('\n');
+    for (const line of lines) {
+      const match = line.match(/["']([a-zA-Z0-9._-]+)(?:\[.*?\])?(?:([<>=!~]+)([\d.]+))?/);
+      if (match) {
+        deps.push({ name: match[1].toLowerCase(), version: match[3] || null });
+      }
+    }
+  }
+
+  // Also check [tool.poetry.dependencies]
+  const poetryMatch = content.match(/\[tool\.poetry\.dependencies\]([\s\S]*?)(?:\[|$)/);
+  if (poetryMatch) {
+    const lines = poetryMatch[1].split('\n');
+    for (const line of lines) {
+      const match = line.match(/^([a-zA-Z0-9._-]+)\s*=\s*(?:"([^"]+)"|{.*?version\s*=\s*"([^"]+)")/);
+      if (match && match[1] !== 'python') {
+        const name = match[1].toLowerCase();
+        if (!deps.some(d => d.name === name)) {
+          deps.push({ name, version: match[2] || match[3] || null });
+        }
+      }
+    }
+  }
+
+  return deps;
+}
+
+/**
+ * Parse Cargo.toml — extract [dependencies] section.
+ */
+export function parseCargoToml(content) {
+  const deps = [];
+  const depsMatch = content.match(/\[dependencies\]([\s\S]*?)(?:\[|$)/);
+  if (!depsMatch) return deps;
+
+  for (const line of depsMatch[1].split('\n')) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    // name = "version" or name = { version = "x.y.z" }
+    const simpleMatch = trimmed.match(/^([a-zA-Z0-9_-]+)\s*=\s*"([^"]+)"/);
+    if (simpleMatch) {
+      deps.push({ name: simpleMatch[1], version: simpleMatch[2] });
+      continue;
+    }
+    const complexMatch = trimmed.match(/^([a-zA-Z0-9_-]+)\s*=\s*\{.*?version\s*=\s*"([^"]+)"/);
+    if (complexMatch) {
+      deps.push({ name: complexMatch[1], version: complexMatch[2] });
+    }
+  }
+  return deps;
+}
+
+/**
+ * Parse pom.xml — extract <dependency> blocks.
+ */
+export function parsePomXml(content) {
+  const deps = [];
+  const depRegex = /<dependency>\s*<groupId>(.*?)<\/groupId>\s*<artifactId>(.*?)<\/artifactId>(?:\s*<version>(.*?)<\/version>)?/g;
+  let match;
+  while ((match = depRegex.exec(content)) !== null) {
+    deps.push({
+      name: `${match[1]}:${match[2]}`,
+      version: match[3] || null,
+      groupId: match[1],
+      artifactId: match[2],
+    });
+  }
+  return deps;
+}
+
+// ---------------------------------------------------------------------------
+// Manifest detection and scanning
+// ---------------------------------------------------------------------------
+
+const MANIFEST_FILES = [
+  { file: 'package.json', ecosystem: 'npm', parser: null }, // npm handled by main scanner
+  { file: 'go.mod', ecosystem: 'go', parser: parseGoMod },
+  { file: 'go.sum', ecosystem: 'go', parser: null },
+  { file: 'requirements.txt', ecosystem: 'pypi', parser: parseRequirementsTxt },
+  { file: 'pyproject.toml', ecosystem: 'pypi', parser: parsePyprojectToml },
+  { file: 'Cargo.toml', ecosystem: 'cargo', parser: parseCargoToml },
+  { file: 'pom.xml', ecosystem: 'maven', parser: parsePomXml },
+];
+
+/**
+ * Scan a project directory for manifests and identify crypto dependencies.
+ * Returns array of library entries compatible with scanner.mjs output.
+ */
+export function scanManifests(projectDir) {
+  const results = [];
+  const seen = new Set();
+
+  for (const { file, ecosystem, parser } of MANIFEST_FILES) {
+    if (!parser) continue; // npm handled by main scanner
+
+    const manifestPath = join(projectDir, file);
+    if (!existsSync(manifestPath)) continue;
+
+    let content;
+    try { content = readFileSync(manifestPath, 'utf-8'); }
+    catch { continue; }
+
+    const deps = parser(content);
+
+    for (const dep of deps) {
+      const pkg = lookupPackage(dep.name, ecosystem);
+      if (pkg && !seen.has(`${ecosystem}:${pkg.name}`)) {
+        seen.add(`${ecosystem}:${pkg.name}`);
+        results.push({
+          name: pkg.name,
+          version: dep.version || 'unknown',
+          algorithms: pkg.algorithms,
+          quantumRisk: pkg.quantumRisk,
+          category: pkg.category,
+          ecosystem,
+          source: file,
+          isDeprecated: pkg.isDeprecated || false,
+        });
+      }
+    }
+  }
+
+  return results;
+}