dependencyiq 2.0.0

package/src/scanners/osvScanner.js

@@ -0,0 +1,228 @@
+/**
+ * Multi-language vulnerability scanner backed by OSV-Scanner.
+ * OSV-Scanner reads native manifests/lockfiles for each ecosystem
+ * (package.json/package-lock.json, requirements.txt/poetry.lock,
+ * go.mod/go.sum, pom.xml/gradle.lockfile, Gemfile.lock, Cargo.lock, ...)
+ * and queries the OSV.dev vulnerability database, so one scan call
+ * covers npm, PyPI, Go, Maven, RubyGems, crates.io, etc.
+ *
+ * Install: https://github.com/google/osv-scanner (binary `osv-scanner`)
+ */
+
+const { execFileSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const { cvss3BaseScore } = require('./cvss');
+
+const OSV_BINARY = process.env.OSV_SCANNER_PATH || 'osv-scanner';
+
+// Last-resort fallback only: when an advisory carries neither a numeric
+// score nor a parseable CVSS vector, a coarse severity-bucket midpoint
+// keeps risk scoring functional. Preferred order (most → least precise):
+// numeric score → computed from CVSS vector → this bucket.
+const SEVERITY_TO_CVSS = {
+  CRITICAL: 9.5,
+  HIGH: 7.5,
+  MODERATE: 5.0,
+  MEDIUM: 5.0,
+  LOW: 2.5,
+};
+
+function isOsvScannerInstalled() {
+  try {
+    execFileSync(OSV_BINARY, ['--version'], { stdio: 'ignore' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Run osv-scanner recursively over a repository and normalize results.
+ * @param {string} repoPath - Path to repository
+ * @returns {Promise<Array>} Normalized vulnerability objects
+ */
+async function detectVulnerabilities(repoPath) {
+  if (!isOsvScannerInstalled()) {
+    console.warn(
+      `   ⚠️  ${OSV_BINARY} not found on PATH. Install it from ` +
+      'https://github.com/google/osv-scanner/releases, or set OSV_SCANNER_PATH. ' +
+      'Returning no results instead of guessing.'
+    );
+    return [];
+  }
+
+  console.log('🔍 Scanning for vulnerabilities (OSV-Scanner, multi-language)...');
+
+  let raw;
+  try {
+    // v1.x OSV-Scanner CLI syntax (the pinned OSV_SCANNER_VERSION in
+    // .gitlab-ci.yml): no "scan source" subcommand — that's v2.x syntax,
+    // and passing it here made v1.9.2 treat "source" itself as a literal
+    // path to scan ("Failed to walk source: lstat source: no such file
+    // or directory") rather than recognizing it as a mode keyword.
+    raw = execFileSync(
+      OSV_BINARY,
+      ['--format', 'json', '--recursive', repoPath],
+      { encoding: 'utf-8', maxBuffer: 1024 * 1024 * 50 }
+    );
+  } catch (error) {
+    // osv-scanner exits non-zero when vulnerabilities are found; the JSON is
+    // still on stdout in that case.
+    raw = error.stdout || '';
+    if (!raw) {
+      // A real scan failure (e.g. osv-scanner itself errored with no JSON
+      // at all) is NOT the same thing as "scanned cleanly, zero findings"
+      // — throw rather than returning [], so callers can't accidentally
+      // report a failed scan as "no vulnerabilities found".
+      throw new Error(`osv-scanner failed to run: ${error.message}`);
+    }
+  }
+
+  let report;
+  try {
+    report = JSON.parse(raw);
+  } catch (firstError) {
+    // Some osv-scanner versions print a status/warning line to stdout
+    // before the JSON despite --format json (e.g. a "Scanning dir ..."
+    // line, or a git-ignore-parsing warning in a shallow CI checkout).
+    // Tolerate that by parsing from the first '{' instead of assuming
+    // the whole stream is pure JSON — only throw if that also fails,
+    // since a genuine scan failure still must not be reported as clean.
+    const firstBrace = raw.indexOf('{');
+    if (firstBrace === -1) {
+      throw new Error(`osv-scanner produced unparseable output (scan likely failed, not clean): ${firstError.message}\nRaw output: ${raw.slice(0, 500)}`);
+    }
+    try {
+      report = JSON.parse(raw.slice(firstBrace));
+    } catch (secondError) {
+      throw new Error(`osv-scanner produced unparseable output even after stripping leading text (scan likely failed, not clean): ${secondError.message}\nRaw output: ${raw.slice(0, 500)}`);
+    }
+  }
+
+  const vulnerabilities = normalizeOsvReport(report, repoPath);
+  console.log(`   ✓ Found ${vulnerabilities.length} vulnerabilities across ${countEcosystems(vulnerabilities)} ecosystem(s)`);
+  return vulnerabilities;
+}
+
+function countEcosystems(vulnerabilities) {
+  return new Set(vulnerabilities.map(v => v.ecosystem)).size;
+}
+
+/**
+ * Flatten osv-scanner's `results[].packages[].vulnerabilities[]` tree into
+ * one row per (package, vulnerability) pair, matching the shape the rest of
+ * the agent (riskCalculator, prGenerator) already expects.
+ */
+function normalizeOsvReport(report, repoPath) {
+  const vulnerabilities = [];
+  const results = report.results || [];
+
+  for (const result of results) {
+    const manifestPath = result.source?.path || '';
+    const ecosystemHint = detectEcosystemFromManifest(manifestPath);
+
+    for (const pkg of result.packages || []) {
+      const pkgInfo = pkg.package || {};
+      const fixedVersion = findFixedVersion(pkg);
+
+      for (const vuln of pkg.vulnerabilities || []) {
+        const cvss = extractCvssScore(vuln);
+        vulnerabilities.push({
+          id: vuln.id || 'unknown',
+          package: pkgInfo.name || 'unknown',
+          ecosystem: pkgInfo.ecosystem || ecosystemHint,
+          currentVersion: pkgInfo.version || 'unknown',
+          vulnerability: vuln.summary || vuln.details?.slice(0, 200) || 'Unknown vulnerability',
+          severity: severityLabel(cvss),
+          cvss,
+          fixedVersion: fixedVersion || 'unknown',
+          manifestFile: path.relative(repoPath, manifestPath) || manifestPath,
+          references: (vuln.references || []).map(r => r.url).filter(Boolean),
+          cveLink: (vuln.aliases || []).find(a => a.startsWith('CVE-')) || vuln.id,
+        });
+      }
+    }
+  }
+
+  return vulnerabilities;
+}
+
+function detectEcosystemFromManifest(manifestPath = '') {
+  const base = path.basename(manifestPath).toLowerCase();
+  if (base.includes('package-lock') || base.includes('yarn.lock') || base === 'package.json') return 'npm';
+  if (base.includes('requirements') || base.includes('poetry.lock') || base === 'pyproject.toml') return 'PyPI';
+  if (base === 'go.sum' || base === 'go.mod') return 'Go';
+  if (base.includes('pom.xml') || base.includes('gradle')) return 'Maven';
+  if (base === 'gemfile.lock') return 'RubyGems';
+  if (base === 'cargo.lock') return 'crates.io';
+  if (base.includes('composer')) return 'Packagist';
+  return 'unknown';
+}
+
+function findFixedVersion(pkg) {
+  for (const vuln of pkg.vulnerabilities || []) {
+    for (const affected of vuln.affected || []) {
+      for (const range of affected.ranges || []) {
+        const fixedEvent = (range.events || []).find(e => e.fixed);
+        if (fixedEvent) return fixedEvent.fixed;
+      }
+    }
+  }
+  return null;
+}
+
+function extractCvssScore(vuln) {
+  const severities = vuln.severity || [];
+  // 1. A plain numeric score, if OSV gave one directly.
+  for (const sev of severities) {
+    const numeric = parseFloat(sev.score);
+    if (!Number.isNaN(numeric)) return numeric;
+  }
+  // 2. Compute the real base score from a CVSS v3 vector string — exact,
+  // not a guess. (sev.score holds the vector when it isn't numeric.)
+  for (const sev of severities) {
+    const computed = typeof sev.score === 'string' ? cvss3BaseScore(sev.score) : null;
+    if (computed !== null) return computed;
+  }
+  // 3. Last resort: coarse severity-bucket midpoint.
+  const dbSeverity = (vuln.database_specific?.severity || '').toUpperCase();
+  return SEVERITY_TO_CVSS[dbSeverity] ?? 5.0;
+}
+
+function severityLabel(cvss) {
+  if (cvss >= 9) return 'critical';
+  if (cvss >= 7) return 'high';
+  if (cvss >= 4) return 'medium';
+  return 'low';
+}
+
+/**
+ * Detect which ecosystem manifest files are present in a repo, so the
+ * agent can report "this is a Go + npm monorepo" instead of assuming npm.
+ */
+function detectEcosystems(repoPath) {
+  const checks = [
+    { file: 'package.json', ecosystem: 'npm' },
+    { file: 'requirements.txt', ecosystem: 'PyPI' },
+    { file: 'pyproject.toml', ecosystem: 'PyPI' },
+    { file: 'go.mod', ecosystem: 'Go' },
+    { file: 'pom.xml', ecosystem: 'Maven' },
+    { file: 'build.gradle', ecosystem: 'Maven' },
+    { file: 'Gemfile', ecosystem: 'RubyGems' },
+    { file: 'Cargo.toml', ecosystem: 'crates.io' },
+    { file: 'composer.json', ecosystem: 'Packagist' },
+  ];
+
+  return checks
+    .filter(c => fs.existsSync(path.join(repoPath, c.file)))
+    .map(c => c.ecosystem)
+    .filter((v, i, arr) => arr.indexOf(v) === i);
+}
+
+module.exports = {
+  detectVulnerabilities,
+  detectEcosystems,
+  isOsvScannerInstalled,
+  normalizeOsvReport,
+};