devvami 1.4.0 → 1.4.1

package/oclif.manifest.json

@@ -1932,7 +1932,193 @@
         "tasks",
         "today.js"
       ]
+    },
+    "vuln:detail": {
+      "aliases": [],
+      "args": {
+        "cveId": {
+          "description": "CVE identifier (e.g. CVE-2021-44228)",
+          "name": "cveId",
+          "required": true
+        }
+      },
+      "description": "View full details for a specific CVE",
+      "examples": [
+        "<%= config.bin %> vuln detail CVE-2021-44228",
+        "<%= config.bin %> vuln detail CVE-2021-44228 --open",
+        "<%= config.bin %> vuln detail CVE-2021-44228 --json"
+      ],
+      "flags": {
+        "json": {
+          "description": "Format output as json.",
+          "helpGroup": "GLOBAL",
+          "name": "json",
+          "allowNo": false,
+          "type": "boolean"
+        },
+        "open": {
+          "char": "o",
+          "description": "Open the first reference URL in the default browser",
+          "name": "open",
+          "allowNo": false,
+          "type": "boolean"
+        }
+      },
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "vuln:detail",
+      "pluginAlias": "devvami",
+      "pluginName": "devvami",
+      "pluginType": "core",
+      "strict": true,
+      "enableJsonFlag": true,
+      "isESM": true,
+      "relativePath": [
+        "src",
+        "commands",
+        "vuln",
+        "detail.js"
+      ]
+    },
+    "vuln:scan": {
+      "aliases": [],
+      "args": {},
+      "description": "Scan the current directory for known vulnerabilities in dependencies",
+      "examples": [
+        "<%= config.bin %> vuln scan",
+        "<%= config.bin %> vuln scan --severity high",
+        "<%= config.bin %> vuln scan --no-fail",
+        "<%= config.bin %> vuln scan --report vuln-report.md",
+        "<%= config.bin %> vuln scan --json"
+      ],
+      "flags": {
+        "json": {
+          "description": "Format output as json.",
+          "helpGroup": "GLOBAL",
+          "name": "json",
+          "allowNo": false,
+          "type": "boolean"
+        },
+        "severity": {
+          "char": "s",
+          "description": "Minimum severity filter",
+          "name": "severity",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "options": [
+            "low",
+            "medium",
+            "high",
+            "critical"
+          ],
+          "type": "option"
+        },
+        "no-fail": {
+          "description": "Exit with code 0 even when vulnerabilities are found",
+          "name": "no-fail",
+          "allowNo": false,
+          "type": "boolean"
+        },
+        "report": {
+          "char": "r",
+          "description": "Export vulnerability report to file path (Markdown format)",
+          "name": "report",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        }
+      },
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "vuln:scan",
+      "pluginAlias": "devvami",
+      "pluginName": "devvami",
+      "pluginType": "core",
+      "strict": true,
+      "enableJsonFlag": true,
+      "isESM": true,
+      "relativePath": [
+        "src",
+        "commands",
+        "vuln",
+        "scan.js"
+      ]
+    },
+    "vuln:search": {
+      "aliases": [],
+      "args": {
+        "keyword": {
+          "description": "Product, library, or keyword to search for (optional — omit to see all recent CVEs)",
+          "name": "keyword",
+          "required": false
+        }
+      },
+      "description": "Search for recent CVEs by keyword (omit keyword to see all recent CVEs)",
+      "examples": [
+        "<%= config.bin %> vuln search openssl",
+        "<%= config.bin %> vuln search openssl --days 30",
+        "<%= config.bin %> vuln search log4j --severity critical",
+        "<%= config.bin %> vuln search nginx --limit 10 --json",
+        "<%= config.bin %> vuln search",
+        "<%= config.bin %> vuln search --days 7 --severity high"
+      ],
+      "flags": {
+        "json": {
+          "description": "Format output as json.",
+          "helpGroup": "GLOBAL",
+          "name": "json",
+          "allowNo": false,
+          "type": "boolean"
+        },
+        "days": {
+          "char": "d",
+          "description": "Time window in days (search CVEs published within last N days)",
+          "name": "days",
+          "default": 14,
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        },
+        "severity": {
+          "char": "s",
+          "description": "Minimum severity filter",
+          "name": "severity",
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "options": [
+            "low",
+            "medium",
+            "high",
+            "critical"
+          ],
+          "type": "option"
+        },
+        "limit": {
+          "char": "l",
+          "description": "Maximum number of results to display",
+          "name": "limit",
+          "default": 20,
+          "hasDynamicHelp": false,
+          "multiple": false,
+          "type": "option"
+        }
+      },
+      "hasDynamicHelp": false,
+      "hiddenAliases": [],
+      "id": "vuln:search",
+      "pluginAlias": "devvami",
+      "pluginName": "devvami",
+      "pluginType": "core",
+      "strict": true,
+      "enableJsonFlag": true,
+      "isESM": true,
+      "relativePath": [
+        "src",
+        "commands",
+        "vuln",
+        "search.js"
+      ]
     }
   },
-  "version": "1.4.0"
+  "version": "1.4.1"
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "devvami",
   "description": "DevEx CLI for developers and teams — manage repos, PRs, pipelines, tasks, and costs from the terminal",
-  "version": "1.4.0",
+  "version": "1.4.1",
   "author": "",
   "type": "module",
   "bin": {

package/src/commands/vuln/detail.js

@@ -0,0 +1,65 @@
+import { Command, Args, Flags } from '@oclif/core'
+import ora from 'ora'
+import { getCveDetail } from '../../services/nvd.js'
+import { formatCveDetail } from '../../formatters/vuln.js'
+import { openBrowser } from '../../utils/open-browser.js'
+import { ValidationError } from '../../utils/errors.js'
+
+export default class VulnDetail extends Command {
+  static description = 'View full details for a specific CVE'
+
+  static examples = [
+    '<%= config.bin %> vuln detail CVE-2021-44228',
+    '<%= config.bin %> vuln detail CVE-2021-44228 --open',
+    '<%= config.bin %> vuln detail CVE-2021-44228 --json',
+  ]
+
+  static enableJsonFlag = true
+
+  static args = {
+    cveId: Args.string({ description: 'CVE identifier (e.g. CVE-2021-44228)', required: true }),
+  }
+
+  static flags = {
+    open: Flags.boolean({
+      char: 'o',
+      description: 'Open the first reference URL in the default browser',
+      default: false,
+    }),
+  }
+
+  async run() {
+    const { args, flags } = await this.parse(VulnDetail)
+    const isJson = flags.json
+    const { cveId } = args
+
+    if (!cveId || !/^CVE-\d{4}-\d{4,}$/i.test(cveId)) {
+      throw new ValidationError(
+        `Invalid CVE ID: ${cveId}`,
+        'CVE IDs must match the format CVE-YYYY-NNNNN (e.g. CVE-2021-44228)',
+      )
+    }
+
+    const spinner = isJson ? null : ora(`Fetching ${cveId.toUpperCase()}...`).start()
+
+    try {
+      const detail = await getCveDetail(cveId)
+      spinner?.stop()
+
+      if (isJson) return detail
+
+      this.log(formatCveDetail(detail))
+
+      if (flags.open && detail.references.length > 0) {
+        const firstUrl = detail.references[0].url
+        this.log(`\nOpening ${firstUrl} ...`)
+        await openBrowser(firstUrl)
+      }
+
+      return detail
+    } catch (err) {
+      spinner?.stop()
+      throw err
+    }
+  }
+}

package/src/commands/vuln/scan.js

@@ -0,0 +1,155 @@
+import { Command, Flags } from '@oclif/core'
+import { writeFile } from 'node:fs/promises'
+import ora from 'ora'
+import chalk from 'chalk'
+import { detectEcosystems, supportedEcosystemsMessage } from '../../services/audit-detector.js'
+import { runAudit, summarizeFindings, filterBySeverity } from '../../services/audit-runner.js'
+import { formatFindingsTable, formatScanSummary, formatMarkdownReport } from '../../formatters/vuln.js'
+
+export default class VulnScan extends Command {
+  static description = 'Scan the current directory for known vulnerabilities in dependencies'
+
+  static examples = [
+    '<%= config.bin %> vuln scan',
+    '<%= config.bin %> vuln scan --severity high',
+    '<%= config.bin %> vuln scan --no-fail',
+    '<%= config.bin %> vuln scan --report vuln-report.md',
+    '<%= config.bin %> vuln scan --json',
+  ]
+
+  static enableJsonFlag = true
+
+  static flags = {
+    severity: Flags.string({
+      char: 's',
+      description: 'Minimum severity filter',
+      options: ['low', 'medium', 'high', 'critical'],
+    }),
+    'no-fail': Flags.boolean({
+      description: 'Exit with code 0 even when vulnerabilities are found',
+      default: false,
+    }),
+    report: Flags.string({
+      char: 'r',
+      description: 'Export vulnerability report to file path (Markdown format)',
+    }),
+  }
+
+  async run() {
+    const { flags } = await this.parse(VulnScan)
+    const isJson = flags.json
+    const { severity, 'no-fail': noFail, report } = flags
+
+    const projectPath = process.env.DVMI_SCAN_DIR ?? process.cwd()
+    const scanDate = new Date().toISOString()
+
+    // Detect ecosystems
+    const ecosystems = detectEcosystems(projectPath)
+
+    if (ecosystems.length === 0) {
+      if (isJson) {
+        return {
+          projectPath,
+          scanDate,
+          ecosystems: [],
+          findings: [],
+          summary: { critical: 0, high: 0, medium: 0, low: 0, unknown: 0, total: 0 },
+          errors: [{ ecosystem: 'none', message: 'No supported package manager detected.' }],
+        }
+      }
+
+      this.log(chalk.red('  ✘ No supported package manager detected.'))
+      this.log('')
+      this.log('  Supported ecosystems:')
+      this.log(supportedEcosystemsMessage())
+      this.log('')
+      this.log('  Tip: Make sure you have a lock file in the current directory.')
+      this.exit(2)
+      return
+    }
+
+    // Display detected ecosystems
+    if (!isJson) {
+      this.log(chalk.bold('Vulnerability Scan'))
+      this.log('')
+      this.log('  Detected ecosystems:')
+      for (const eco of ecosystems) {
+        this.log(`  ${chalk.green('●')} ${eco.name} (${eco.lockFile})`)
+      }
+      this.log('')
+    }
+
+    // Run audits
+    const allFindings = []
+    const errors = []
+
+    for (const eco of ecosystems) {
+      const spinner = isJson ? null : ora(`  Scanning ${eco.name} dependencies...`).start()
+
+      const { findings, error } = await runAudit(eco)
+
+      if (error) {
+        spinner?.fail(`  Scanning ${eco.name} dependencies... failed`)
+        errors.push({ ecosystem: eco.name, message: error })
+      } else {
+        spinner?.succeed(`  Scanning ${eco.name} dependencies... done`)
+        allFindings.push(...findings)
+      }
+    }
+
+    // Apply severity filter
+    const filteredFindings = filterBySeverity(allFindings, severity)
+
+    // Build summary
+    const summary = summarizeFindings(filteredFindings)
+
+    const result = {
+      projectPath,
+      scanDate,
+      ecosystems,
+      findings: filteredFindings,
+      summary,
+      errors,
+    }
+
+    // Write report if requested
+    if (report) {
+      const markdown = formatMarkdownReport(result)
+      await writeFile(report, markdown, 'utf8')
+      if (!isJson) this.log(`\n  Report saved to: ${report}`)
+    }
+
+    if (isJson) return result
+
+    this.log('')
+
+    if (filteredFindings.length === 0 && errors.length === 0) {
+      this.log(chalk.green('  ✔ No known vulnerabilities found.'))
+      return result
+    }
+
+    if (filteredFindings.length > 0) {
+      this.log(chalk.bold(`  Findings (${filteredFindings.length} ${filteredFindings.length === 1 ? 'vulnerability' : 'vulnerabilities'})`))
+      this.log('')
+      this.log(formatFindingsTable(filteredFindings))
+      this.log('')
+      this.log(chalk.bold('  Summary'))
+      this.log(formatScanSummary(summary))
+      this.log('')
+      this.log(chalk.yellow(`  ⚠ ${filteredFindings.length} ${filteredFindings.length === 1 ? 'vulnerability' : 'vulnerabilities'} found. Run \`dvmi vuln detail <CVE-ID>\` for details.`))
+    }
+
+    if (errors.length > 0) {
+      this.log('')
+      for (const err of errors) {
+        this.log(chalk.red(`  ✘ ${err.ecosystem}: ${err.message}`))
+      }
+    }
+
+    if (filteredFindings.length > 0 && !noFail) {
+      this.exit(1)
+    }
+
+    return result
+  }
+}

package/src/commands/vuln/search.js

@@ -0,0 +1,128 @@
+import { Command, Args, Flags } from '@oclif/core'
+import ora from 'ora'
+import chalk from 'chalk'
+import { searchCves, getCveDetail } from '../../services/nvd.js'
+import { formatCveSearchTable, colorSeverity, formatScore, formatDate, truncate } from '../../formatters/vuln.js'
+import { startInteractiveTable } from '../../utils/tui/navigable-table.js'
+import { ValidationError } from '../../utils/errors.js'
+
+// Minimum terminal rows required to show the interactive TUI
+const MIN_TTY_ROWS = 6
+
+// Column widths for the navigable table
+const COL_WIDTHS = {
+  id: 20,
+  severity: 10,
+  score: 5,
+  published: 10,
+  reference: 30,
+}
+
+export default class VulnSearch extends Command {
+  static description = 'Search for recent CVEs by keyword (omit keyword to see all recent CVEs)'
+
+  static examples = [
+    '<%= config.bin %> vuln search openssl',
+    '<%= config.bin %> vuln search openssl --days 30',
+    '<%= config.bin %> vuln search log4j --severity critical',
+    '<%= config.bin %> vuln search nginx --limit 10 --json',
+    '<%= config.bin %> vuln search',
+    '<%= config.bin %> vuln search --days 7 --severity high',
+  ]
+
+  static enableJsonFlag = true
+
+  static args = {
+    keyword: Args.string({ description: 'Product, library, or keyword to search for (optional — omit to see all recent CVEs)', required: false }),
+  }
+
+  static flags = {
+    days: Flags.integer({
+      char: 'd',
+      description: 'Time window in days (search CVEs published within last N days)',
+      default: 14,
+    }),
+    severity: Flags.string({
+      char: 's',
+      description: 'Minimum severity filter',
+      options: ['low', 'medium', 'high', 'critical'],
+    }),
+    limit: Flags.integer({
+      char: 'l',
+      description: 'Maximum number of results to display',
+      default: 20,
+    }),
+  }
+
+  async run() {
+    const { args, flags } = await this.parse(VulnSearch)
+    const isJson = flags.json
+
+    const { keyword } = args
+    const { days, severity, limit } = flags
+
+    if (days < 1 || days > 120) {
+      throw new ValidationError(
+        `--days must be between 1 and 120, got ${days}`,
+        'The NVD API supports a maximum 120-day date range per request.',
+      )
+    }
+
+    if (limit < 1 || limit > 2000) {
+      throw new ValidationError(
+        `--limit must be between 1 and 2000, got ${limit}`,
+        'The NVD API returns at most 2000 results per page.',
+      )
+    }
+
+    const spinner = isJson ? null : ora(keyword ? `Searching NVD for "${keyword}"...` : `Fetching recent CVEs (last ${days} days)...`).start()
+
+    try {
+      const { results, totalResults } = await searchCves({ keyword, days, severity, limit })
+      spinner?.stop()
+
+      const result = { keyword: keyword ?? null, days, severity: severity ?? null, totalResults, results }
+
+      if (isJson) return result
+
+      this.log(formatCveSearchTable(results, keyword, days, totalResults))
+
+      // Interactive navigable table — only in a real TTY with enough rows, skipped in CI / --json / piped output
+      const ttyRows = process.stdout.rows ?? 0
+      if (process.stdout.isTTY && results.length > 0 && ttyRows >= MIN_TTY_ROWS) {
+        const heading = keyword
+          ? `CVE Search: "${keyword}" (last ${days} days)`
+          : `CVE Search: all recent (last ${days} days)`
+
+        const termCols = process.stdout.columns || 80
+        const descWidth = Math.max(20, Math.min(60, termCols - 84))
+
+        const rows = results.map((r) => ({
+          id: r.id,
+          severity: r.severity,
+          score: formatScore(r.score),
+          published: formatDate(r.publishedDate),
+          description: truncate(r.description, descWidth),
+          reference: r.firstReference ? truncate(r.firstReference, COL_WIDTHS.reference) : '—',
+        }))
+
+        /** @type {import('../../utils/tui/navigable-table.js').TableColumnDef[]} */
+        const columns = [
+          { header: 'CVE ID',      key: 'id',          width: COL_WIDTHS.id,        colorize: (v) => chalk.cyan(v) },
+          { header: 'Severity',    key: 'severity',     width: COL_WIDTHS.severity,  colorize: (v) => colorSeverity(v) },
+          { header: 'Score',       key: 'score',        width: COL_WIDTHS.score },
+          { header: 'Published',   key: 'published',    width: COL_WIDTHS.published },
+          { header: 'Description', key: 'description',  width: descWidth },
+          { header: 'Reference',   key: 'reference',    width: COL_WIDTHS.reference },
+        ]
+
+        await startInteractiveTable(rows, columns, heading, totalResults, getCveDetail)
+      }
+
+      return result
+    } catch (err) {
+      spinner?.stop()
+      throw err
+    }
+  }
+}