dependencyiq 2.0.0

package/src/scanners/ecosystemFixers.js

@@ -0,0 +1,371 @@
+/**
+ * Per-ecosystem dependency version bumpers/removers.
+ *
+ * Each ecosystem has a pure `transform*Content(content, packageName, ...)`
+ * function that takes a manifest's raw text and returns the patched text
+ * (or `touched: false` if the package wasn't found as a direct
+ * dependency). These are reused by two callers:
+ *  - the local fs-based functions below (used by `agent.js analyze --fix`
+ *    against a checked-out repo)
+ *  - `remoteFixer.js` (used by the cross-project emergency response in
+ *    `crossProjectFanOut.js`, which patches files via the GitLab API
+ *    without a local checkout)
+ *
+ * Local fixers intentionally do NOT regenerate lockfiles (npm install, go
+ * mod tidy, mvn versions:set, bundle lock) — that requires running the
+ * ecosystem's own toolchain, which the CI job does as a follow-up step
+ * (see .gitlab-ci.yml) before the commit is made.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+// --- Pure content transforms (no fs access) ---
+
+function transformNpmContent(content, packageName, fixedVersion) {
+  const pkg = JSON.parse(content);
+  let touched = false;
+
+  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
+    if (pkg[section]?.[packageName]) {
+      const prefix = /^[~^]/.test(pkg[section][packageName]) ? pkg[section][packageName][0] : '';
+      pkg[section][packageName] = `${prefix}${fixedVersion}`;
+      touched = true;
+    }
+  }
+
+  if (!touched) {
+    return { touched: false, warning: `${packageName} not a direct dependency in package.json (likely transitive — run "npm audit fix" instead)` };
+  }
+  return { touched: true, content: JSON.stringify(pkg, null, 2) + '\n', followUp: 'npm install' };
+}
+
+/**
+ * Force a SECURE version of a TRANSITIVE npm package via the `overrides`
+ * field — the real-world fix for the Axios/follow-redirects class of
+ * incident, where a vulnerable package is pulled in by a dependency you
+ * don't control. You can't bump a direct line that doesn't exist; npm's
+ * `overrides` (Yarn `resolutions`, pnpm `pnpm.overrides`) force the
+ * resolver to use a version satisfying the constraint regardless of what
+ * the parent declares. The constraint is `>=floor` so the resolver can
+ * still pick a parent-compatible version, just never one below the
+ * patched floor.
+ */
+function addNpmOverrideContent(content, packageName, floorVersion) {
+  const pkg = JSON.parse(content);
+  pkg.overrides = pkg.overrides || {};
+  const constraint = `>=${floorVersion}`;
+  if (pkg.overrides[packageName] === constraint) {
+    return { touched: false, warning: `package.json already overrides ${packageName} to ${constraint}` };
+  }
+  pkg.overrides[packageName] = constraint;
+  return {
+    touched: true,
+    action: 'override',
+    content: JSON.stringify(pkg, null, 2) + '\n',
+    followUp: 'npm install (regenerates package-lock.json with the override applied)',
+    warning: `Forced transitive dependency ${packageName} to ${constraint} via package.json "overrides" — verify the resolved tree with "npm ls ${packageName}" after install`,
+  };
+}
+
+function transformPythonContent(content, packageName, fixedVersion) {
+  const lineRegex = new RegExp(`^(${escapeRegex(packageName)})\\s*(==|>=|~=)\\s*([\\w.]+)`, 'im');
+  if (!lineRegex.test(content)) {
+    return { touched: false, warning: `${packageName} not found as a pinned line in requirements.txt — review manually` };
+  }
+  return {
+    touched: true,
+    content: content.replace(lineRegex, `$1==${fixedVersion}`),
+    followUp: 'pip install -r requirements.txt (or poetry lock / pip-compile)',
+  };
+}
+
+function transformGoContent(content, packageName, fixedVersion) {
+  const lineRegex = new RegExp(`(^|\\s)(${escapeRegex(packageName)}\\s+)v?[\\w.+-]+`, 'm');
+  if (!lineRegex.test(content)) {
+    return { touched: false, warning: `${packageName} not found as a direct require in go.mod — likely transitive; run "go get ${packageName}@${fixedVersion}" then "go mod tidy"` };
+  }
+  const normalizedVersion = fixedVersion.startsWith('v') ? fixedVersion : `v${fixedVersion}`;
+  return {
+    touched: true,
+    content: content.replace(lineRegex, `$1$2${normalizedVersion}`),
+    followUp: `go get ${packageName}@${normalizedVersion} && go mod tidy`,
+  };
+}
+
+function transformMavenContent(content, packageName, fixedVersion) {
+  const artifactId = packageName.includes(':') ? packageName.split(':')[1] : packageName;
+  const blockRegex = new RegExp(
+    `(<artifactId>${escapeRegex(artifactId)}</artifactId>[\\s\\S]{0,200}?<version>)([^<]+)(</version>)`,
+    'm'
+  );
+  if (!blockRegex.test(content)) {
+    return { touched: false, warning: `Could not locate a <version> tag near <artifactId>${artifactId}</artifactId> — likely managed via a parent POM or BOM; update there instead` };
+  }
+  return {
+    touched: true,
+    content: content.replace(blockRegex, `$1${fixedVersion}$3`),
+    followUp: 'mvn verify',
+    warning: 'Maven version bump is a best-effort text patch — verify the diff before merging',
+  };
+}
+
+// --- Pure content transforms: removal (used when Orbit confirms zero
+// importers anywhere in the project — see blastRadius.js).
+
+function removeNpmContent(content, packageName) {
+  const pkg = JSON.parse(content);
+  let touched = false;
+
+  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
+    if (pkg[section]?.[packageName]) {
+      delete pkg[section][packageName];
+      touched = true;
+    }
+  }
+
+  if (!touched) {
+    return { touched: false, warning: `${packageName} not a direct dependency in package.json — likely transitive, nothing to remove here` };
+  }
+  return { touched: true, action: 'remove', content: JSON.stringify(pkg, null, 2) + '\n', followUp: 'npm install' };
+}
+
+function removePythonContent(content, packageName) {
+  const lines = content.split('\n');
+  const lineRegex = new RegExp(`^${escapeRegex(packageName)}\\s*(==|>=|~=)`, 'i');
+  const filtered = lines.filter(line => !lineRegex.test(line.trim()));
+
+  if (filtered.length === lines.length) {
+    return { touched: false, warning: `${packageName} not found as a pinned line in requirements.txt — review manually` };
+  }
+  return { touched: true, action: 'remove', content: filtered.join('\n'), followUp: 'pip install -r requirements.txt (or poetry lock / pip-compile)' };
+}
+
+function removeGoContent(content, packageName) {
+  const lines = content.split('\n');
+  const lineRegex = new RegExp(`^\\s*${escapeRegex(packageName)}\\s+v?[\\w.+-]+`);
+  const filtered = lines.filter(line => !lineRegex.test(line));
+
+  if (filtered.length === lines.length) {
+    return { touched: false, warning: `${packageName} not found as a direct require in go.mod — likely transitive, nothing to remove here` };
+  }
+  return { touched: true, action: 'remove', content: filtered.join('\n'), followUp: 'go mod tidy' };
+}
+
+function removeMavenContent(content, packageName) {
+  const artifactId = packageName.includes(':') ? packageName.split(':')[1] : packageName;
+  const blockRegex = new RegExp(
+    `\\s*<dependency>(?:(?!</dependency>)[\\s\\S])*?<artifactId>${escapeRegex(artifactId)}</artifactId>[\\s\\S]*?</dependency>`,
+    'm'
+  );
+  if (!blockRegex.test(content)) {
+    return { touched: false, warning: `Could not locate a <dependency> block for <artifactId>${artifactId}</artifactId> — likely managed via a parent POM or BOM; remove it there instead` };
+  }
+  return {
+    touched: true,
+    action: 'remove',
+    content: content.replace(blockRegex, ''),
+    followUp: 'mvn verify',
+    warning: 'Maven dependency removal is a best-effort text patch — verify the diff before merging',
+  };
+}
+
+const CONTENT_TRANSFORMS = {
+  npm: transformNpmContent,
+  PyPI: transformPythonContent,
+  Go: transformGoContent,
+  Maven: transformMavenContent,
+};
+
+const CONTENT_REMOVERS = {
+  npm: removeNpmContent,
+  PyPI: removePythonContent,
+  Go: removeGoContent,
+  Maven: removeMavenContent,
+};
+
+const DEFAULT_MANIFEST = {
+  npm: 'package.json',
+  PyPI: 'requirements.txt',
+  Go: 'go.mod',
+  Maven: 'pom.xml',
+};
+
+/**
+ * Apply a content transform/removal for an ecosystem to an in-memory
+ * string — no fs access. Used directly by remoteFixer.js for cross-project
+ * fixes via the GitLab API.
+ * @returns {Object} { touched, content?, warning?, followUp?, action? }
+ */
+function applyFixToContent(ecosystem, content, packageName, fixedVersion, recommendation = 'upgrade') {
+  if (recommendation === 'remove') {
+    const remover = CONTENT_REMOVERS[ecosystem];
+    if (!remover) return { touched: false, warning: `No automated remover for ecosystem "${ecosystem}" yet` };
+    const result = remover(content, packageName);
+    return result.touched ? { ...result, action: 'remove' } : result;
+  }
+
+  if (!fixedVersion || fixedVersion === 'unknown') return { touched: false, warning: 'No fixed version reported by OSV for this advisory' };
+
+  // 'override' forces a secure version of a transitive npm dependency via
+  // the `overrides` field (the Axios/follow-redirects case) — only npm
+  // supports this mechanism here.
+  if (recommendation === 'override') {
+    if (ecosystem !== 'npm') return { touched: false, warning: `Transitive override fix is only supported for npm, not "${ecosystem}"` };
+    return addNpmOverrideContent(content, packageName, fixedVersion);
+  }
+
+  const transform = CONTENT_TRANSFORMS[ecosystem];
+  if (!transform) return { touched: false, warning: `No automated fixer for ecosystem "${ecosystem}" yet` };
+  return transform(content, packageName, fixedVersion);
+}
+
+// --- Local fs-based wrappers (used by `agent.js analyze --fix`) ---
+
+function applyContentResultToFile(repoPath, manifestRelPath, defaultName, result) {
+  if (!result.touched) return { applied: false, warning: result.warning };
+  const filePath = path.join(repoPath, manifestRelPath || defaultName);
+  fs.writeFileSync(filePath, result.content);
+  return {
+    applied: true,
+    action: result.action,
+    filePath: path.relative(repoPath, filePath),
+    followUp: result.followUp,
+    warning: result.warning || null,
+  };
+}
+
+function readManifest(repoPath, manifestRelPath, defaultName) {
+  const filePath = path.join(repoPath, manifestRelPath || defaultName);
+  if (!fs.existsSync(filePath)) return null;
+  return fs.readFileSync(filePath, 'utf-8');
+}
+
+function bumpNpm(repoPath, manifestRelPath, packageName, fixedVersion) {
+  const content = readManifest(repoPath, manifestRelPath, 'package.json');
+  if (content === null) return { applied: false, warning: 'package.json not found' };
+  return applyContentResultToFile(repoPath, manifestRelPath, 'package.json', transformNpmContent(content, packageName, fixedVersion));
+}
+
+function overrideNpm(repoPath, manifestRelPath, packageName, floorVersion) {
+  const content = readManifest(repoPath, manifestRelPath, 'package.json');
+  if (content === null) return { applied: false, warning: 'package.json not found' };
+  return applyContentResultToFile(repoPath, manifestRelPath, 'package.json', addNpmOverrideContent(content, packageName, floorVersion));
+}
+
+function bumpPython(repoPath, manifestRelPath, packageName, fixedVersion) {
+  const content = readManifest(repoPath, manifestRelPath, 'requirements.txt');
+  if (content === null) return { applied: false, warning: 'requirements.txt not found' };
+  return applyContentResultToFile(repoPath, manifestRelPath, 'requirements.txt', transformPythonContent(content, packageName, fixedVersion));
+}
+
+function bumpGo(repoPath, manifestRelPath, packageName, fixedVersion) {
+  const content = readManifest(repoPath, manifestRelPath, 'go.mod');
+  if (content === null) return { applied: false, warning: 'go.mod not found' };
+  return applyContentResultToFile(repoPath, manifestRelPath, 'go.mod', transformGoContent(content, packageName, fixedVersion));
+}
+
+function bumpMaven(repoPath, manifestRelPath, packageName, fixedVersion) {
+  const content = readManifest(repoPath, manifestRelPath, 'pom.xml');
+  if (content === null) return { applied: false, warning: 'pom.xml not found' };
+  return applyContentResultToFile(repoPath, manifestRelPath, 'pom.xml', transformMavenContent(content, packageName, fixedVersion));
+}
+
+function removeNpm(repoPath, manifestRelPath, packageName) {
+  const content = readManifest(repoPath, manifestRelPath, 'package.json');
+  if (content === null) return { applied: false, warning: 'package.json not found' };
+  return applyContentResultToFile(repoPath, manifestRelPath, 'package.json', removeNpmContent(content, packageName));
+}
+
+function removePython(repoPath, manifestRelPath, packageName) {
+  const content = readManifest(repoPath, manifestRelPath, 'requirements.txt');
+  if (content === null) return { applied: false, warning: 'requirements.txt not found' };
+  return applyContentResultToFile(repoPath, manifestRelPath, 'requirements.txt', removePythonContent(content, packageName));
+}
+
+function removeGo(repoPath, manifestRelPath, packageName) {
+  const content = readManifest(repoPath, manifestRelPath, 'go.mod');
+  if (content === null) return { applied: false, warning: 'go.mod not found' };
+  return applyContentResultToFile(repoPath, manifestRelPath, 'go.mod', removeGoContent(content, packageName));
+}
+
+function removeMaven(repoPath, manifestRelPath, packageName) {
+  const content = readManifest(repoPath, manifestRelPath, 'pom.xml');
+  if (content === null) return { applied: false, warning: 'pom.xml not found' };
+  return applyContentResultToFile(repoPath, manifestRelPath, 'pom.xml', removeMavenContent(content, packageName));
+}
+
+/**
+ * Apply the appropriate fixer for a vulnerability's ecosystem against a
+ * local checkout. If Orbit flagged the package as unused
+ * (vulnerability.recommendation === 'remove'), deletes the dependency
+ * instead of bumping its version.
+ * @param {string} repoPath - local checkout path
+ * @param {Object} vulnerability - normalized vulnerability (from osvScanner),
+ *   optionally carrying a `recommendation` field from riskCalculator
+ * @returns {Object} fix result
+ */
+function applyFix(repoPath, vulnerability) {
+  if (vulnerability.recommendation === 'remove') {
+    const removers = { npm: removeNpm, PyPI: removePython, Go: removeGo, Maven: removeMaven };
+    const remover = removers[vulnerability.ecosystem];
+    if (!remover) {
+      return { applied: false, warning: `No automated remover for ecosystem "${vulnerability.ecosystem}" yet — remove the dependency manually` };
+    }
+    return remover(repoPath, vulnerability.manifestFile, vulnerability.package);
+  }
+
+  if (!vulnerability.fixedVersion || vulnerability.fixedVersion === 'unknown') {
+    return { applied: false, warning: 'No fixed version reported by OSV for this advisory' };
+  }
+
+  // Transitive npm dependency: there's no direct line to bump, so force a
+  // secure version with an `overrides` entry instead of giving up. The
+  // floor is the original OSV fixed version (osvFloorVersion), preserved
+  // even when a smarter direct target was chosen for direct deps.
+  const chain = vulnerability.dependencyChain;
+  if (vulnerability.ecosystem === 'npm' && chain?.available && chain.isDirect === false) {
+    const floor = vulnerability.osvFloorVersion || vulnerability.fixedVersion;
+    return overrideNpm(repoPath, vulnerability.manifestFile, vulnerability.package, floor);
+  }
+
+  const fixers = { npm: bumpNpm, PyPI: bumpPython, Go: bumpGo, Maven: bumpMaven };
+  const fixer = fixers[vulnerability.ecosystem];
+  if (!fixer) {
+    return { applied: false, warning: `No automated fixer for ecosystem "${vulnerability.ecosystem}" yet — open the MR manually` };
+  }
+  const result = fixer(repoPath, vulnerability.manifestFile, vulnerability.package, vulnerability.fixedVersion);
+
+  // npm transitive fallback: if the direct bump found no line to change,
+  // the package is transitive. Rather than give up with no committable
+  // change (and therefore no MR), force a secure version through an
+  // `overrides` entry. This catches the case the dependency-chain path
+  // above missed because chain resolution was unavailable/ambiguous — so a
+  // transitive npm vuln still produces a real, automated remediation.
+  if (vulnerability.ecosystem === 'npm' && !result.applied) {
+    const floor = vulnerability.osvFloorVersion || vulnerability.fixedVersion;
+    const override = overrideNpm(repoPath, vulnerability.manifestFile, vulnerability.package, floor);
+    if (override.applied) return override;
+  }
+  return result;
+}
+
+module.exports = {
+  applyFix,
+  applyFixToContent,
+  bumpNpm,
+  bumpPython,
+  bumpGo,
+  bumpMaven,
+  overrideNpm,
+  addNpmOverrideContent,
+  removeNpm,
+  removePython,
+  removeGo,
+  removeMaven,
+  DEFAULT_MANIFEST,
+};

package/src/scanners/manifestParser.js

@@ -0,0 +1,99 @@
+/**
+ * Lists every direct dependency declared in a repo's manifests, regardless
+ * of whether OSV has flagged it as vulnerable. The vulnerability scanner
+ * (osvScanner.js) only reports packages with a known CVE; freshness
+ * policy enforcement ("never more than 2 minor versions behind") needs
+ * the full dependency list, vulnerable or not — that's the tech-debt
+ * prevention angle, not the security angle.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+function parseNpmManifest(repoPath, manifestFile) {
+  const filePath = path.join(repoPath, manifestFile);
+  if (!fs.existsSync(filePath)) return [];
+  const pkg = JSON.parse(fs.readFileSync(filePath, 'utf-8'));
+  const deps = [];
+  for (const section of ['dependencies', 'devDependencies']) {
+    for (const [name, versionRange] of Object.entries(pkg[section] || {})) {
+      const currentVersion = versionRange.replace(/^[~^]/, '');
+      deps.push({ ecosystem: 'npm', package: name, currentVersion, manifestFile });
+    }
+  }
+  return deps;
+}
+
+function parsePythonManifest(repoPath, manifestFile) {
+  const filePath = path.join(repoPath, manifestFile);
+  if (!fs.existsSync(filePath)) return [];
+  const lines = fs.readFileSync(filePath, 'utf-8').split('\n');
+  const deps = [];
+  for (const line of lines) {
+    const match = line.trim().match(/^([A-Za-z0-9_.-]+)\s*==\s*([\w.]+)/);
+    if (match) deps.push({ ecosystem: 'PyPI', package: match[1], currentVersion: match[2], manifestFile });
+  }
+  return deps;
+}
+
+function parseGoManifest(repoPath, manifestFile) {
+  const filePath = path.join(repoPath, manifestFile);
+  if (!fs.existsSync(filePath)) return [];
+  const lines = fs.readFileSync(filePath, 'utf-8').split('\n');
+  const deps = [];
+  for (const rawLine of lines) {
+    const trimmed = rawLine.trim();
+    // Strip a leading "require " (single-line form); lines inside a
+    // "require ( ... )" block are already bare "module vX.Y.Z".
+    const candidate = trimmed.replace(/^require\s+/, '');
+    const isOtherDirective = /^(module|go|require\s*\(|require\s*\)|^\)|replace|exclude|retract)\b/.test(candidate) || candidate === ')';
+    const match = candidate.match(/^([\w.\-/]+)\s+v?([\w.+-]+)/);
+    if (match && !isOtherDirective) {
+      deps.push({ ecosystem: 'Go', package: match[1], currentVersion: match[2], manifestFile });
+    }
+  }
+  return deps;
+}
+
+function parseMavenManifest(repoPath, manifestFile) {
+  const filePath = path.join(repoPath, manifestFile);
+  if (!fs.existsSync(filePath)) return [];
+  const content = fs.readFileSync(filePath, 'utf-8');
+  const blockRegex = /<dependency>([\s\S]*?)<\/dependency>/g;
+  const blocks = content.match(blockRegex) || [];
+  const deps = blocks
+    .map(block => ({
+      groupId: block.match(/<groupId>([^<]+)<\/groupId>/)?.[1],
+      artifactId: block.match(/<artifactId>([^<]+)<\/artifactId>/)?.[1],
+      version: block.match(/<version>([^<]+)<\/version>/)?.[1],
+    }))
+    .filter(({ groupId, artifactId, version }) => groupId && artifactId && version)
+    .map(({ groupId, artifactId, version }) => ({
+      ecosystem: 'Maven',
+      package: `${groupId}:${artifactId}`,
+      currentVersion: version,
+      manifestFile,
+    }));
+  return deps;
+}
+
+const PARSERS = [
+  { file: 'package.json', parser: parseNpmManifest },
+  { file: 'requirements.txt', parser: parsePythonManifest },
+  { file: 'go.mod', parser: parseGoManifest },
+  { file: 'pom.xml', parser: parseMavenManifest },
+];
+
+/**
+ * @param {string} repoPath
+ * @returns {Array} every direct dependency found, across all supported ecosystems
+ */
+function listDirectDependencies(repoPath) {
+  const deps = [];
+  for (const { file, parser } of PARSERS) {
+    deps.push(...parser(repoPath, file));
+  }
+  return deps;
+}
+
+module.exports = { listDirectDependencies, parseNpmManifest, parsePythonManifest, parseGoManifest, parseMavenManifest };