dependencyiq 2.0.0

package/src/blastRadius.js

@@ -0,0 +1,134 @@
+/**
+ * Blast-radius analysis: "if this package is vulnerable, how exposed is
+ * this project really?" Backed by GitLab Orbit when it's reachable and
+ * enabled on the group; otherwise falls back to a clearly-flagged
+ * heuristic so risk scores never silently pretend to be more confident
+ * than they are.
+ */
+
+const orbitClient = require('./orbitClient');
+
+// Built-in heuristic defaults, used when AGENTS.md doesn't specify
+// public_api_paths / test_paths. A project with a non-standard layout
+// can override these via AGENTS.md (see configLoader.js) so the
+// classification matches its actual structure rather than these guesses.
+const PUBLIC_PATH_HINTS = ['/api/', '/routes/', '/controllers/', '/endpoints/', 'handler'];
+const TEST_PATH_HINTS = ['/test/', '/tests/', '/spec/', '.test.', '.spec.', '__tests__'];
+
+/**
+ * Turn an AGENTS.md glob like "src/api/**" or "**\/*.test.js" into a
+ * loose substring matcher. Not a full glob engine — these hints only
+ * need to answer "does this path look public-API / test" well enough to
+ * weight exposure, and over-engineering a globber would add risk for no
+ * real gain. Strips all "*" wildcards and surrounding slashes, leaving
+ * the literal segment to substring-match: "src/api/**" -> "src/api",
+ * "**\/*.test.js" -> ".test.js".
+ */
+function globToHint(glob) {
+  return glob.replace(/\*/g, '').replace(/^\/+|\/+$/g, '');
+}
+
+function hintsFor(configured, defaults) {
+  if (Array.isArray(configured) && configured.length > 0) {
+    return configured.map(globToHint).filter(Boolean);
+  }
+  return defaults;
+}
+
+let orbitReachable = null; // cached per-process: null = unknown, true/false once checked
+
+async function isOrbitReachable() {
+  if (orbitReachable !== null) return orbitReachable;
+  if (!process.env.GITLAB_TOKEN) {
+    orbitReachable = false;
+    return false;
+  }
+  try {
+    const status = await orbitClient.getStatus();
+    orbitReachable = status?.status === 'healthy';
+  } catch {
+    orbitReachable = false;
+  }
+  return orbitReachable;
+}
+
+/**
+ * Classify one file's path as public-api / test / internal — used to
+ * group the per-file evidence list (dashboardGenerator.js's decision
+ * trail) instead of just reporting an aggregate "is *something* in the
+ * public API" boolean. Honours AGENTS.md's public_api_paths/test_paths
+ * when provided; otherwise uses the built-in heuristic defaults.
+ */
+function categorizeFile(filePath, hints = {}) {
+  const lower = filePath?.toLowerCase() || '';
+  const testHints = hintsFor(hints.test_paths, TEST_PATH_HINTS);
+  const publicHints = hintsFor(hints.public_api_paths, PUBLIC_PATH_HINTS);
+  if (testHints.some(hint => lower.includes(hint.toLowerCase()))) return 'test';
+  if (publicHints.some(hint => lower.includes(hint.toLowerCase()))) return 'public-api';
+  return 'internal';
+}
+
+function classifyFiles(files, hints = {}) {
+  const categorized = files.map(f => categorizeFile(f.path, hints));
+  return {
+    isInPublicAPI: categorized.includes('public-api'),
+    isInTests: categorized.includes('test'),
+  };
+}
+
+/**
+ * Analyze exposure for a single vulnerable package.
+ * @param {string} projectId - GitLab project ID
+ * @param {string} packageName - package/import name
+ * @param {Object} hints - { public_api_paths, test_paths } from AGENTS.md
+ *   (configLoader); empty/omitted uses the built-in heuristic defaults.
+ * @returns {Promise<Object>} exposure analysis with a `source` field
+ *   ('orbit' | 'unavailable') so callers know how much to trust it.
+ */
+async function analyzeExposure(projectId, packageName, hints = {}) {
+  if (projectId && await isOrbitReachable()) {
+    try {
+      const files = await orbitClient.findPackageImporters(projectId, packageName);
+      const { isInPublicAPI, isInTests } = classifyFiles(files, hints);
+      const categorizedFiles = files.map(f => ({ ...f, category: categorizeFile(f.path, hints) }));
+      return {
+        source: 'orbit',
+        affectedFiles: categorizedFiles,
+        affectedFilesCount: files.length,
+        isInPublicAPI,
+        isInTests,
+        languages: [...new Set(files.map(f => f.language).filter(Boolean))],
+        // Orbit actually checked (this isn't the unavailable-fallback path)
+        // and found zero importers anywhere in the project: the dependency
+        // is most likely dead weight, so the right fix is removing it, not
+        // patching a CVE nothing uses. OSV-Scanner can't know this (it only
+        // reads manifests) and GitLab's Security Analyst Agent can't either
+        // (it only acts on already-detected vulnerabilities, never raw
+        // import graphs).
+        recommendation: files.length === 0 ? 'remove' : 'upgrade',
+      };
+    } catch (error) {
+      console.warn(`   ⚠️  Orbit query failed for ${packageName}: ${error.message}`);
+    }
+  }
+
+  return {
+    source: 'unavailable',
+    affectedFiles: [],
+    affectedFilesCount: 0,
+    isInPublicAPI: false,
+    isInTests: false,
+    languages: [],
+    // Deliberately NOT 'remove' — zero files here means "we don't know",
+    // not "Orbit confirmed zero importers". Only a real Orbit answer can
+    // justify recommending deletion.
+    recommendation: 'upgrade',
+    warning: 'GitLab Orbit is not reachable/enabled for this project — exposure defaulted to unknown rather than guessed. Enable Orbit on the group to get real blast-radius scoring.',
+  };
+}
+
+module.exports = {
+  analyzeExposure,
+  isOrbitReachable,
+  categorizeFile,
+};

package/src/configLoader.js

@@ -0,0 +1,61 @@
+/**
+ * AGENTS.md config loader.
+ *
+ * AGENTS.md has documented a YAML config block (risk_thresholds,
+ * excluded_packages, freshness_policy, ...) since early in this project,
+ * but until now nothing actually read it — it was documentation, not
+ * config. This parses the first ```yaml fenced block in AGENTS.md and
+ * merges it over sane defaults, so the file finally does what its
+ * comments always claimed.
+ */
+
+const fs = require('fs');
+const path = require('path');
+const yaml = require('js-yaml');
+
+const DEFAULTS = {
+  risk_thresholds: { urgent: 80, high: 50, medium: 20, low: 0 },
+  excluded_packages: [],
+  freshness_policy: {
+    max_minor_versions_behind: null, // null = not enforced
+    max_days_behind: null,
+    stability_window_days: 14,
+  },
+  // Glob-ish path hints used to classify where a vulnerable package is
+  // imported (public-API vs internal vs test). Empty here so the
+  // classifier uses its built-in heuristic defaults; a project can
+  // override these in AGENTS.md to match its own layout.
+  public_api_paths: [],
+  test_paths: [],
+};
+
+/**
+ * @param {string} repoPath - directory containing AGENTS.md
+ * @returns {Object} merged config (defaults + whatever AGENTS.md overrides)
+ */
+function loadAgentsConfig(repoPath) {
+  const filePath = path.join(repoPath, 'AGENTS.md');
+  if (!fs.existsSync(filePath)) return { ...DEFAULTS, source: 'defaults (no AGENTS.md found)' };
+
+  const text = fs.readFileSync(filePath, 'utf-8');
+  const match = text.match(/```ya?ml\r?\n([\s\S]*?)```/);
+  if (!match) return { ...DEFAULTS, source: 'defaults (AGENTS.md found, no yaml block)' };
+
+  let parsed;
+  try {
+    parsed = yaml.load(match[1]);
+  } catch (error) {
+    return { ...DEFAULTS, source: `defaults (AGENTS.md yaml block failed to parse: ${error.message})` };
+  }
+
+  return {
+    risk_thresholds: { ...DEFAULTS.risk_thresholds, ...(parsed?.risk_thresholds || {}) },
+    excluded_packages: parsed?.excluded_packages || DEFAULTS.excluded_packages,
+    freshness_policy: { ...DEFAULTS.freshness_policy, ...(parsed?.freshness_policy || {}) },
+    public_api_paths: parsed?.public_api_paths || DEFAULTS.public_api_paths,
+    test_paths: parsed?.test_paths || DEFAULTS.test_paths,
+    source: 'AGENTS.md',
+  };
+}
+
+module.exports = { loadAgentsConfig, DEFAULTS };

package/src/crossProjectFanOut.js

@@ -0,0 +1,180 @@
+/**
+ * Emergency Supply Chain Response: org-wide fan-out for a compromised
+ * package (the Log4j/xz-utils/event-stream scenario).
+ *
+ * Most blast-radius tools in this space are scoped to one repo/MR. This
+ * is scoped to a GitLab group: it asks Orbit Remote's SDLC-wide graph
+ * "which projects in this group import this package at all," then for
+ * each one classifies whether it's a direct dependency (safe to
+ * auto-fix) or only reached transitively (imported in code, but not a
+ * direct manifest entry — flagged for manual review, since editing a
+ * transitive entry wouldn't actually pin anything).
+ *
+ * Honesty note: this only covers projects where Orbit's import graph
+ * shows actual usage. Projects that merely *declare* the package in a
+ * manifest without ever importing it in code aren't surfaced here — that
+ * would require scanning every group project's lockfile/manifest
+ * directly (Orbit's schema doesn't expose a dependency-manifest node as
+ * of this writing), which is out of scope for this pass.
+ */
+
+const orbitClient = require('./orbitClient');
+const { applyFixToContent } = require('./scanners/ecosystemFixers');
+const { findRemoteManifest, applyRemoteFix } = require('./remoteFixer');
+const { openMergeRequestForBranch, createTrackingIssue } = require('./prGenerator');
+
+/**
+ * Classify one affected project's exposure tier by attempting a dry-run
+ * fix against its manifest (without committing anything).
+ * @returns {Promise<Object>} { tier: 'direct'|'transitive'|'unknown', manifestPath, dryRunResult }
+ */
+async function classifyProjectExposure(project, vulnerability) {
+  const manifest = await findRemoteManifest(project.projectId, vulnerability.ecosystem, vulnerability.manifestFile);
+  if (!manifest.found) {
+    return { tier: 'unknown', reason: manifest.reason };
+  }
+
+  const dryRun = applyFixToContent(
+    vulnerability.ecosystem,
+    manifest.content,
+    vulnerability.package,
+    vulnerability.fixedVersion,
+    vulnerability.recommendation
+  );
+
+  return {
+    tier: dryRun.touched ? 'direct' : 'transitive',
+    manifestPath: manifest.path,
+    reason: dryRun.touched ? null : dryRun.warning,
+  };
+}
+
+/**
+ * Run the full emergency response for a compromised package across a group.
+ * @param {string} groupId - GitLab top-level group ID
+ * @param {Object} vulnerability - normalized vulnerability (package, ecosystem, fixedVersion, id, recommendation, ...)
+ * @param {Object} options - { dryRun: boolean, fixDirect: boolean }
+ * @returns {Promise<Object>} rollup report
+ */
+async function runEmergencyResponse(groupId, vulnerability, options = {}) {
+  const { dryRun = true, fixDirect = false } = options;
+
+  console.log(`\n🚨 EMERGENCY SUPPLY CHAIN RESPONSE: ${vulnerability.package} (${vulnerability.id})`);
+  console.log(`   Querying GitLab Orbit for every project in group ${groupId} that imports it...`);
+
+  const affectedProjects = await orbitClient.findProjectsImportingPackage(groupId, vulnerability.package);
+  console.log(`   Found ${affectedProjects.length} project(s) with confirmed usage.`);
+
+  const results = [];
+  for (const project of affectedProjects) {
+    const exposure = await classifyProjectExposure(project, vulnerability);
+    const entry = {
+      projectId: project.projectId,
+      projectPath: project.projectPath,
+      filesImporting: project.files.length,
+      tier: exposure.tier,
+      reason: exposure.reason,
+      issue: null,
+      mergeRequest: null,
+    };
+
+    const description = `# Supply Chain Alert: ${vulnerability.package}
+
+\`${vulnerability.package}\` (${vulnerability.ecosystem}) — **${vulnerability.vulnerability || 'compromised/vulnerable package'}** (${vulnerability.id}) — was found imported in **${project.files.length} file(s)** in this project by a GitLab Orbit group-wide scan.
+
+- **Exposure tier**: ${exposure.tier === 'direct' ? 'Direct dependency — can be auto-fixed' : exposure.tier === 'transitive' ? 'Imported in code, but not a direct manifest entry (transitive) — needs manual root-cause fix' : `Could not classify: ${exposure.reason}`}
+- **Affected files**: ${project.files.slice(0, 5).map(f => f.path).join(', ')}${project.files.length > 5 ? `, +${project.files.length - 5} more` : ''}
+
+This issue was opened automatically as part of a group-wide emergency response. ${fixDirect && exposure.tier === 'direct' ? 'A merge request with the fix is linked below.' : 'No automated fix was applied' + (exposure.tier === 'transitive' ? ' — this is a transitive dependency, editing this manifest directly would not pin anything.' : '.')}
+`;
+
+    if (!dryRun) {
+      try {
+        const issue = await createTrackingIssue(
+          project.projectId,
+          `Supply chain alert: ${vulnerability.package} (${vulnerability.id})`,
+          description
+        );
+        entry.issue = issue;
+      } catch (error) {
+        entry.issueError = error.message;
+      }
+
+      if (fixDirect && exposure.tier === 'direct') {
+        try {
+          const branchName = `security/emergency-${vulnerability.package.replace(/[^a-zA-Z0-9]+/g, '-')}-${Date.now()}`;
+          const fixResult = await applyRemoteFix(project.projectId, vulnerability, branchName);
+          if (fixResult.applied) {
+            entry.mergeRequest = await openMergeRequestForBranch(project.projectId, vulnerability, fixResult, description);
+          } else {
+            entry.fixWarning = fixResult.warning;
+          }
+        } catch (error) {
+          entry.fixError = error.message;
+        }
+      }
+    }
+
+    results.push(entry);
+  }
+
+  return buildRollup(vulnerability, results, { dryRun, fixDirect });
+}
+
+function buildRollup(vulnerability, results, options) {
+  const direct = results.filter(r => r.tier === 'direct');
+  const transitive = results.filter(r => r.tier === 'transitive');
+  const unknown = results.filter(r => r.tier === 'unknown');
+  const fixed = results.filter(r => r.mergeRequest?.success);
+
+  return {
+    package: vulnerability.package,
+    vulnerabilityId: vulnerability.id,
+    dryRun: options.dryRun,
+    totalAffectedProjects: results.length,
+    byTier: { direct: direct.length, transitive: transitive.length, unknown: unknown.length },
+    remediationProgress: results.length > 0 ? Math.round((fixed.length / direct.length || 0) * 100) : 0,
+    results,
+  };
+}
+
+/**
+ * Render the rollup as a markdown dashboard summary — the honest
+ * substitute for a live UI dashboard, postable as one tracking issue.
+ */
+function formatRollup(rollup) {
+  const lines = [
+    `# Emergency Supply Chain Response: ${rollup.package} (${rollup.vulnerabilityId})`,
+    '',
+    rollup.dryRun ? '**DRY RUN — no issues or merge requests were created.**' : '',
+    '',
+    `**Repositories impacted**: ${rollup.totalAffectedProjects}`,
+    '',
+    `- 🔴 Direct dependency (auto-fixable): ${rollup.byTier.direct}`,
+    `- 🟡 Transitive only (needs manual root-cause fix): ${rollup.byTier.transitive}`,
+    `- ⚪ Could not classify: ${rollup.byTier.unknown}`,
+    '',
+    `**Remediation progress**: ${rollup.remediationProgress}% of direct-dependency projects have an MR open`,
+    '',
+    '## Per-project detail',
+    '',
+  ];
+
+  for (const r of rollup.results) {
+    lines.push(`### ${r.projectPath || r.projectId}`);
+    lines.push(`- Tier: ${r.tier}${r.reason ? ` (${r.reason})` : ''}`);
+    lines.push(`- Files importing: ${r.filesImporting}`);
+    if (r.issue) lines.push(`- Issue: ${r.issue.url}`);
+    if (r.mergeRequest?.success) lines.push(`- Merge request: ${r.mergeRequest.url}`);
+    if (r.fixWarning) lines.push(`- Fix not applied: ${r.fixWarning}`);
+    lines.push('');
+  }
+
+  return lines.join('\n');
+}
+
+module.exports = {
+  runEmergencyResponse,
+  classifyProjectExposure,
+  formatRollup,
+};