dependencyiq 2.0.0

package/src/remoteFixer.js

@@ -0,0 +1,129 @@
+/**
+ * Remote (API-only) dependency fixer.
+ *
+ * Patches a manifest file in another project entirely through the
+ * GitLab REST API — no `git clone`, no local checkout. This is what lets
+ * crossProjectFanOut.js open real fixes across dozens of repositories in
+ * one run instead of cloning each one.
+ *
+ * Needs a real GITLAB_TOKEN (not just the automatic CI_JOB_TOKEN) for
+ * this to actually work in practice: CI_JOB_TOKEN's default scope is
+ * restricted to the project running the job, not other projects in the
+ * group, unless explicitly allowlisted on the target project's CI/CD
+ * job token settings. getAuthHeaders() still falls back to it for
+ * consistency, but cross-project emergency response realistically
+ * requires GITLAB_TOKEN to be set.
+ */
+
+const axios = require('axios');
+const { applyFixToContent, DEFAULT_MANIFEST } = require('./scanners/ecosystemFixers');
+const { getAuthHeaders } = require('./gitlabAuth');
+
+const GITLAB_API = process.env.GITLAB_API_URL
+  || (process.env.GITLAB_BASE_URL ? `${process.env.GITLAB_BASE_URL}/api/v4` : 'https://gitlab.com/api/v4');
+
+function apiConfig() {
+  return { headers: { ...getAuthHeaders(), 'Content-Type': 'application/json' } };
+}
+
+/**
+ * GET the raw content of a file in a project's default branch via the
+ * Repository Files API. Returns null (not an empty string) if the file
+ * doesn't exist there, so callers can distinguish "no such manifest" from
+ * "empty manifest".
+ */
+async function getRemoteFileContent(projectId, filePath, ref = 'main') {
+  try {
+    const response = await axios.get(
+      `${GITLAB_API}/projects/${encodeURIComponent(projectId)}/repository/files/${encodeURIComponent(filePath)}/raw`,
+      { params: { ref }, headers: apiConfig().headers, timeout: 10000, responseType: 'text' }
+    );
+    return response.data;
+  } catch (error) {
+    if (error.response?.status === 404) return null;
+    throw error;
+  }
+}
+
+/**
+ * Find the right manifest file for an ecosystem in a remote project. Tries
+ * the default manifest name for that ecosystem; doesn't guess at
+ * non-default layouts (monorepos with manifests in subdirectories need
+ * the caller to pass manifestPath explicitly, e.g. from an Orbit File
+ * node's path).
+ */
+async function findRemoteManifest(projectId, ecosystem, manifestPath, ref = 'main') {
+  const candidate = manifestPath || DEFAULT_MANIFEST[ecosystem];
+  if (!candidate) return { found: false, reason: `No default manifest path known for ecosystem "${ecosystem}"` };
+
+  const content = await getRemoteFileContent(projectId, candidate, ref);
+  if (content === null) return { found: false, reason: `${candidate} not found on ${ref}` };
+  return { found: true, path: candidate, content };
+}
+
+/**
+ * Patch a manifest in a remote project and commit the change directly to
+ * a new branch — no local checkout. Does NOT open the merge request
+ * itself; that's a separate step (crossProjectFanOut.js calls
+ * prGenerator's remote MR helper after this succeeds) so a dry run can
+ * inspect the diff before anything is opened.
+ *
+ * @returns {Object} { applied, branch, filePath, action, followUp, warning }
+ */
+async function applyRemoteFix(projectId, vulnerability, branchName) {
+  const manifest = await findRemoteManifest(projectId, vulnerability.ecosystem, vulnerability.manifestFile);
+  if (!manifest.found) {
+    return { applied: false, warning: manifest.reason };
+  }
+
+  const result = applyFixToContent(
+    vulnerability.ecosystem,
+    manifest.content,
+    vulnerability.package,
+    vulnerability.fixedVersion,
+    vulnerability.recommendation
+  );
+
+  if (!result.touched) {
+    return { applied: false, warning: result.warning };
+  }
+
+  try {
+    await axios.post(
+      `${GITLAB_API}/projects/${encodeURIComponent(projectId)}/repository/branches`,
+      { branch: branchName, ref: 'main' },
+      apiConfig()
+    );
+  } catch (error) {
+    if (error.response?.status !== 400) throw error; // 400 = branch already exists, continue
+  }
+
+  const commitMessage = result.action === 'remove'
+    ? `chore: remove unused dependency ${vulnerability.package} (${vulnerability.id}, Orbit found zero importers)`
+    : `security: upgrade ${vulnerability.package} to ${vulnerability.fixedVersion} (${vulnerability.id})`;
+
+  await axios.post(
+    `${GITLAB_API}/projects/${encodeURIComponent(projectId)}/repository/commits`,
+    {
+      branch: branchName,
+      commit_message: commitMessage,
+      actions: [{ action: 'update', file_path: manifest.path, content: result.content }],
+    },
+    apiConfig()
+  );
+
+  return {
+    applied: true,
+    branch: branchName,
+    filePath: manifest.path,
+    action: result.action || 'upgrade',
+    followUp: result.followUp,
+    warning: result.warning || null,
+  };
+}
+
+module.exports = {
+  getRemoteFileContent,
+  findRemoteManifest,
+  applyRemoteFix,
+};

package/src/riskCalculator.js

@@ -0,0 +1,143 @@
+/**
+ * Risk Scoring Calculator
+ * Calculates remediation risk based on CVSS, exposure, and effort
+ */
+
+/**
+ * Calculate risk score for a vulnerability
+ * @param {Object} vulnerability - Vulnerability object
+ * @param {Object} usageAnalysis - Usage analysis from Orbit
+ * @returns {Object} Risk score and breakdown
+ */
+// Weights are the single source of truth for the score: the README,
+// the dashboard "Decision trail", and this calculation all reference
+// these exact numbers. The score is a plain weighted sum minus a
+// test-coverage discount — no hidden multipliers — so the displayed
+// breakdown always adds up to the final score. That additivity is the
+// whole point: a "show your work" tool whose components didn't sum to
+// its own answer would be self-refuting.
+const WEIGHTS = { cvss: 0.45, exposure: 0.35, usage: 0.10, testCoverageDiscount: 0.10 };
+
+function clamp01(n) {
+  return Math.min(Math.max(n, 0), 1);
+}
+
+function calculateRiskScore(vulnerability, usageAnalysis = {}) {
+  const defaults = {
+    affectedFilesCount: 0,
+    usageCount: 0,
+    isInPublicAPI: false,
+    isInBusinessLogic: false,
+    testCoverage: 0.5,
+  };
+
+  const analysis = { ...defaults, ...usageAnalysis };
+  const recommendation = analysis.recommendation || 'upgrade';
+  const exposureDataSource = analysis.exposureDataSource || 'unavailable';
+
+  const cvss_norm = clamp01((vulnerability.cvss ?? 0) / 10);
+
+  // Exposure: 0 means 0. A package imported by no files, in no public API,
+  // in no business logic, scores zero exposure — not a baseline floor.
+  // And when Orbit is UNAVAILABLE we have no exposure data at all, so it
+  // contributes nothing (the score becomes purely CVSS-driven). This is
+  // exactly what the dashboard footer claims happens — now it's true,
+  // rather than the old behaviour of fabricating ~34% exposure from
+  // default multipliers and mislabelling it as real.
+  const filesWeight = Math.min(analysis.affectedFilesCount / 10, 1.0);
+  const exposure_norm = exposureDataSource === 'orbit'
+    ? clamp01(filesWeight * 0.5 + (analysis.isInPublicAPI ? 0.35 : 0) + (analysis.isInBusinessLogic ? 0.15 : 0))
+    : 0;
+
+  // Usage: log-scaled count of importing files, 0 importers → 0.
+  const usage_norm = analysis.usageCount > 0
+    ? Math.min(Math.log(1 + analysis.usageCount) / Math.log(1 + 100), 1.0)
+    : 0;
+
+  // Exact point contributions (out of 100). These SUM to the raw score,
+  // so the calculator — not the view — owns the arithmetic; the
+  // dashboard just displays these numbers.
+  const contributions = {
+    cvss: cvss_norm * WEIGHTS.cvss * 100,
+    exposure: exposure_norm * WEIGHTS.exposure * 100,
+    usage: usage_norm * WEIGHTS.usage * 100,
+    testCoverageDiscount: analysis.testCoverage * WEIGHTS.testCoverageDiscount * 100,
+  };
+
+  const rawScore = contributions.cvss + contributions.exposure + contributions.usage - contributions.testCoverageDiscount;
+  const score = Math.round(Math.min(Math.max(rawScore, 0), 100));
+
+  return {
+    score,
+    severity: Math.round(cvss_norm * 100),
+    exposure: Math.round(exposure_norm * 100),
+    usage: Math.round(usage_norm * 100),
+    isInPublicAPI: analysis.isInPublicAPI,
+    // UNUSED overrides the score-based bucket: Orbit confirmed nothing in
+    // the project imports this package, so "delete it" outranks any
+    // CVSS-driven urgency — there's no upgrade to prioritize.
+    priority: recommendation === 'remove' ? 'UNUSED'
+      : score >= 80 ? 'URGENT' : score >= 50 ? 'HIGH' : score >= 20 ? 'MEDIUM' : 'LOW',
+    recommendation,
+    // 'orbit' = real blast-radius data from GitLab Orbit; 'unavailable' = Orbit
+    // unreachable/disabled, exposure contributes 0 rather than being guessed.
+    exposureDataSource,
+    breakdown: {
+      cvss: cvss_norm,
+      exposure: exposure_norm,
+      usage: usage_norm,
+      testCoverage: analysis.testCoverage,
+      // Exact weighted point contributions — what the decision trail shows.
+      contributions,
+      weights: WEIGHTS,
+    },
+  };
+}
+
+/**
+ * Sort vulnerabilities by risk score
+ * @param {Array} vulnerabilities - Vulnerabilities with risk scores
+ * @returns {Array} Sorted vulnerabilities (highest risk first)
+ */
+function sortByRisk(vulnerabilities) {
+  // Plain score sort: UNUSED items naturally score low (zero exposure) and
+  // sink to the bottom of the *risk* ranking — correct, since they're not
+  // risky, they're free cleanup. Surface them as a separate "cleanup
+  // opportunities" list (see strategyGenerator) rather than reordering
+  // real risk by priority label.
+  return vulnerabilities.sort((a, b) => (b.riskScore?.score || 0) - (a.riskScore?.score || 0));
+}
+
+/**
+ * Vulnerabilities where Orbit confirmed zero importers — candidates for
+ * removal rather than upgrade.
+ * @param {Array} vulnerabilities - vulnerabilities with risk scores
+ * @returns {Array} subset flagged UNUSED
+ */
+function findUnusedDependencies(vulnerabilities) {
+  return vulnerabilities.filter(v => v.riskScore?.priority === 'UNUSED');
+}
+
+/**
+ * Filter vulnerabilities by priority
+ * @param {Array} vulnerabilities - Vulnerabilities with risk scores
+ * @param {string} priority - 'URGENT', 'HIGH', 'MEDIUM', 'LOW'
+ * @returns {Array} Filtered vulnerabilities
+ */
+function filterByPriority(vulnerabilities, priority) {
+  const priorityMap = { URGENT: 80, HIGH: 50, MEDIUM: 20, LOW: 0 };
+  const minScore = priorityMap[priority] || 0;
+  const maxScore = priorityMap[Object.keys(priorityMap)[Object.values(priorityMap).indexOf(minScore) - 1]] || 100;
+  
+  return vulnerabilities.filter(v => {
+    const score = v.riskScore?.score || 0;
+    return score >= minScore && score < maxScore;
+  });
+}
+
+module.exports = {
+  calculateRiskScore,
+  sortByRisk,
+  filterByPriority,
+  findUnusedDependencies
+};

package/src/scanners/cvss.js

@@ -0,0 +1,78 @@
+/**
+ * CVSS base-score computation from a vector string.
+ *
+ * OSV advisories very often carry a CVSS *vector*
+ * (e.g. "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H") rather than a
+ * bare numeric score. The vector encodes the exact base score via a
+ * published, deterministic formula — so computing it is real data, not
+ * a guess. The previous behaviour threw the vector away and fell back to
+ * a severity-bucket midpoint (HIGH → 7.5), which loses precision and can
+ * mis-rank findings (a 9.8 and a 7.1 both collapse to "HIGH/7.5").
+ *
+ * Implements the CVSS v3.0/v3.1 base-score spec
+ * (https://www.first.org/cvss/v3.1/specification-document). v4.0 vectors
+ * are detected but not scored here (the v4 formula is substantially
+ * different); callers fall back to the severity bucket for those, which
+ * is flagged honestly rather than approximated wrongly.
+ */
+
+const METRIC_VALUES = {
+  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
+  AC: { L: 0.77, H: 0.44 },
+  // Privileges Required is scope-dependent; both variants kept.
+  PR: { N: 0.85, L: 0.62, H: 0.27 },
+  PR_changed: { N: 0.85, L: 0.68, H: 0.5 },
+  UI: { N: 0.85, R: 0.62 },
+  C: { H: 0.56, L: 0.22, N: 0 },
+  I: { H: 0.56, L: 0.22, N: 0 },
+  A: { H: 0.56, L: 0.22, N: 0 },
+};
+
+function parseVector(vector) {
+  const parts = {};
+  for (const segment of vector.split('/')) {
+    const [key, value] = segment.split(':');
+    if (key && value) parts[key] = value;
+  }
+  return parts;
+}
+
+function roundUp1(n) {
+  // CVSS spec's "Roundup": round to 1 decimal, always up at the boundary.
+  return Math.ceil(n * 10) / 10;
+}
+
+/**
+ * @param {string} vector - a CVSS:3.0 or CVSS:3.1 vector string
+ * @returns {number|null} base score 0.0-10.0, or null if not a v3 vector
+ *   or missing required metrics (caller should fall back, not guess).
+ */
+function cvss3BaseScore(vector) {
+  if (!/^CVSS:3\.[01]\//.test(vector)) return null;
+  const m = parseVector(vector);
+
+  const scopeChanged = m.S === 'C';
+  const av = METRIC_VALUES.AV[m.AV];
+  const ac = METRIC_VALUES.AC[m.AC];
+  const pr = (scopeChanged ? METRIC_VALUES.PR_changed : METRIC_VALUES.PR)[m.PR];
+  const ui = METRIC_VALUES.UI[m.UI];
+  const c = METRIC_VALUES.C[m.C];
+  const i = METRIC_VALUES.I[m.I];
+  const a = METRIC_VALUES.A[m.A];
+
+  if ([av, ac, pr, ui, c, i, a].some(x => x === undefined)) return null;
+
+  const iss = 1 - (1 - c) * (1 - i) * (1 - a);
+  const impact = scopeChanged
+    ? 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
+    : 6.42 * iss;
+  const exploitability = 8.22 * av * ac * pr * ui;
+
+  if (impact <= 0) return 0;
+  const base = scopeChanged
+    ? Math.min(1.08 * (impact + exploitability), 10)
+    : Math.min(impact + exploitability, 10);
+  return roundUp1(base);
+}
+
+module.exports = { cvss3BaseScore };

package/src/scanners/dependencyTreeBuilder.js

@@ -0,0 +1,227 @@
+/**
+ * Dependency tree resolution: is a vulnerable package a direct
+ * dependency, or pulled in transitively — and if transitive, through
+ * which chain ("axios → follow-redirects")?
+ *
+ * Two ecosystems get a real BFS, because both have a lockfile that
+ * records each resolved package's own direct dependency list:
+ *  - npm: package-lock.json (lockfileVersion 2/3) has a flat `packages`
+ *    map keyed by path ("node_modules/<name>").
+ *  - PyPI (Poetry projects): poetry.lock has a `[[package]]` per
+ *    resolved dependency with a `[package.dependencies]` table; the
+ *    *direct* dependency set itself lives in pyproject.toml's
+ *    `[tool.poetry.dependencies]` (poetry.lock doesn't mark which
+ *    packages are direct vs transitive — pyproject.toml does).
+ *
+ * Other ecosystems (Go, Maven, plain pip requirements.txt with no
+ * Poetry lockfile) don't get a fabricated chain here — they report
+ * `chain: null` ("unknown") rather than guessing, since reconstructing
+ * their dependency graphs needs ecosystem-specific tooling (go mod
+ * graph, mvn dependency:tree) this project doesn't shell out to.
+ *
+ * Simplification worth stating plainly: the npm path looks up a child
+ * package by its hoisted top-level path (`node_modules/<name>`), not by
+ * resolving nested/duplicated versions (`node_modules/<parent>/node_modules/<name>`).
+ * npm hoists by default, so this resolves correctly for the vast
+ * majority of real lockfiles; a version conflict that forces nesting
+ * could occasionally make a true chain look like "unknown" instead of
+ * wrong — never the reverse, since we only report a chain we actually
+ * found, never a guessed one.
+ */
+
+const fs = require('fs');
+const path = require('path');
+const toml = require('toml');
+
+const MAX_BFS_DEPTH = 12;
+
+function loadNpmLockfile(repoPath) {
+  const lockPath = path.join(repoPath, 'package-lock.json');
+  if (!fs.existsSync(lockPath)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(lockPath, 'utf-8'));
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * @param {Object} lockfile - parsed package-lock.json
+ * @returns {Object|null} { directDeps: string[], lookup: Map<name, depNames[]> }
+ */
+function buildNpmGraph(lockfile) {
+  if (!lockfile?.packages) return null;
+  const root = lockfile.packages[''];
+  if (!root) return null;
+
+  const directDeps = [
+    ...Object.keys(root.dependencies || {}),
+    ...Object.keys(root.devDependencies || {}),
+  ];
+
+  const lookup = new Map();
+  for (const [pkgPath, entry] of Object.entries(lockfile.packages)) {
+    const name = pkgPath.startsWith('node_modules/') ? pkgPath.slice('node_modules/'.length) : pkgPath;
+    // Only index top-level (hoisted) entries — see module docstring.
+    const isTopLevelPackage = pkgPath !== '' && !name.includes('node_modules/');
+    if (isTopLevelPackage) {
+      lookup.set(name, Object.keys(entry.dependencies || {}));
+    }
+  }
+
+  return { directDeps, lookup };
+}
+
+/**
+ * BFS from every direct dependency to find the shortest chain to
+ * targetPackage. Returns the chain array (direct dep first, target
+ * last) or null if not found within MAX_BFS_DEPTH.
+ */
+function findShortestChain(graph, targetPackage) {
+  for (const start of graph.directDeps) {
+    if (start === targetPackage) return [start];
+  }
+
+  const queue = graph.directDeps.map(start => [start]);
+  const visited = new Set(graph.directDeps);
+
+  while (queue.length > 0) {
+    const chain = queue.shift();
+    const withinDepth = chain.length <= MAX_BFS_DEPTH;
+    const current = chain[chain.length - 1];
+    const children = withinDepth ? (graph.lookup.get(current) || []) : [];
+    for (const child of children) {
+      if (child === targetPackage) return [...chain, child];
+      if (!visited.has(child)) {
+        visited.add(child);
+        queue.push([...chain, child]);
+      }
+    }
+  }
+  return null;
+}
+
+// PEP 503 normalization: PyPI treats "Foo_Bar", "foo.bar", and "foo-bar"
+// as the same project. poetry.lock and pyproject.toml aren't always
+// written with consistent casing/separators, so every name is normalized
+// before it's used as a graph key or compared.
+function normalizePyPiName(name) {
+  return String(name).toLowerCase().replace(/[-_.]+/g, '-');
+}
+
+function loadToml(filePath) {
+  if (!fs.existsSync(filePath)) return null;
+  try {
+    return toml.parse(fs.readFileSync(filePath, 'utf-8'));
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * @returns {string[]|null} normalized direct dependency names declared in
+ *   pyproject.toml's [tool.poetry.dependencies] (+ dependency groups),
+ *   or null if pyproject.toml is missing/malformed/not a Poetry project
+ */
+function loadPoetryDirectDeps(repoPath) {
+  const parsed = loadToml(path.join(repoPath, 'pyproject.toml'));
+  const poetry = parsed?.tool?.poetry;
+  if (!poetry) return null;
+
+  const names = new Set();
+  for (const name of Object.keys(poetry.dependencies || {})) {
+    if (name.toLowerCase() !== 'python') names.add(normalizePyPiName(name));
+  }
+  for (const group of Object.values(poetry.group || {})) {
+    for (const name of Object.keys(group?.dependencies || {})) {
+      names.add(normalizePyPiName(name));
+    }
+  }
+  return [...names];
+}
+
+/**
+ * @returns {Object|null} { directDeps, lookup } in the same shape
+ *   findShortestChain() already consumes for npm, built from poetry.lock
+ */
+function buildPoetryGraph(repoPath) {
+  const lockfile = loadToml(path.join(repoPath, 'poetry.lock'));
+  const directDeps = loadPoetryDirectDeps(repoPath);
+  if (!lockfile?.package || !directDeps) return null;
+
+  const lookup = new Map();
+  for (const pkg of lockfile.package) {
+    if (pkg?.name) {
+      const deps = Object.keys(pkg.dependencies || {}).map(normalizePyPiName);
+      lookup.set(normalizePyPiName(pkg.name), deps);
+    }
+  }
+
+  return { directDeps, lookup };
+}
+
+/**
+ * @param {string} repoPath
+ * @param {string} ecosystem
+ * @param {string} packageName
+ * @returns {Object} { available, isDirect, chain } — chain is null when
+ *   not determinable (unsupported ecosystem, no lockfile, or not found
+ *   within the BFS depth limit)
+ */
+function resolveDependencyChain(repoPath, ecosystem, packageName) {
+  if (ecosystem === 'npm') {
+    const lockfile = loadNpmLockfile(repoPath);
+    if (!lockfile) {
+      return { available: false, isDirect: null, chain: null, reason: 'package-lock.json not found or unreadable' };
+    }
+    const graph = buildNpmGraph(lockfile);
+    if (!graph) {
+      return { available: false, isDirect: null, chain: null, reason: 'Unsupported or malformed lockfile format' };
+    }
+    if (graph.directDeps.includes(packageName)) {
+      return { available: true, isDirect: true, chain: [packageName] };
+    }
+    return { available: true, isDirect: false, chain: findShortestChain(graph, packageName) };
+  }
+
+  if (ecosystem === 'PyPI') {
+    const graph = buildPoetryGraph(repoPath);
+    if (!graph) {
+      return { available: false, isDirect: null, chain: null, reason: 'poetry.lock + pyproject.toml not found, unreadable, or not a Poetry project — plain requirements.txt has no recorded dependency graph' };
+    }
+    const target = normalizePyPiName(packageName);
+    if (graph.directDeps.includes(target)) {
+      return { available: true, isDirect: true, chain: [packageName] };
+    }
+    const chain = findShortestChain(graph, target);
+    return { available: true, isDirect: false, chain };
+  }
+
+  return { available: false, isDirect: null, chain: null, reason: `Chain resolution only implemented for npm and Poetry-based PyPI projects, not ${ecosystem}` };
+}
+
+/**
+ * Look up one package's lockfile entry (installed version + the URL it
+ * actually resolved from) — the `resolved` field npm writes per package
+ * in lockfileVersion 2/3. Used by the Supply-Chain Trust signals to tell
+ * "resolved from the public registry" apart from "resolved from a
+ * private registry" (the dependency-confusion check).
+ * @returns {Object|null} { version, resolved } or null if not found/no lockfile
+ */
+function getLockfileEntry(repoPath, packageName) {
+  const lockfile = loadNpmLockfile(repoPath);
+  if (!lockfile?.packages) return null;
+  const entry = lockfile.packages[`node_modules/${packageName}`];
+  if (!entry) return null;
+  return { version: entry.version || null, resolved: entry.resolved || null };
+}
+
+module.exports = {
+  resolveDependencyChain,
+  buildNpmGraph,
+  findShortestChain,
+  getLockfileEntry,
+  normalizePyPiName,
+  loadPoetryDirectDeps,
+  buildPoetryGraph,
+};