devvami 1.4.0 → 1.4.2

package/src/commands/vuln/search.js

@@ -0,0 +1,128 @@
+import { Command, Args, Flags } from '@oclif/core'
+import ora from 'ora'
+import chalk from 'chalk'
+import { searchCves, getCveDetail } from '../../services/nvd.js'
+import { formatCveSearchTable, colorSeverity, formatScore, formatDate, truncate } from '../../formatters/vuln.js'
+import { startInteractiveTable } from '../../utils/tui/navigable-table.js'
+import { ValidationError } from '../../utils/errors.js'
+
+// Minimum terminal rows required to show the interactive TUI
+const MIN_TTY_ROWS = 6
+
+// Column widths for the navigable table
+const COL_WIDTHS = {
+  id: 20,
+  severity: 10,
+  score: 5,
+  published: 10,
+  reference: 30,
+}
+
+export default class VulnSearch extends Command {
+  static description = 'Search for recent CVEs by keyword (omit keyword to see all recent CVEs)'
+
+  static examples = [
+    '<%= config.bin %> vuln search openssl',
+    '<%= config.bin %> vuln search openssl --days 30',
+    '<%= config.bin %> vuln search log4j --severity critical',
+    '<%= config.bin %> vuln search nginx --limit 10 --json',
+    '<%= config.bin %> vuln search',
+    '<%= config.bin %> vuln search --days 7 --severity high',
+  ]
+
+  static enableJsonFlag = true
+
+  static args = {
+    keyword: Args.string({ description: 'Product, library, or keyword to search for (optional — omit to see all recent CVEs)', required: false }),
+  }
+
+  static flags = {
+    days: Flags.integer({
+      char: 'd',
+      description: 'Time window in days (search CVEs published within last N days)',
+      default: 14,
+    }),
+    severity: Flags.string({
+      char: 's',
+      description: 'Minimum severity filter',
+      options: ['low', 'medium', 'high', 'critical'],
+    }),
+    limit: Flags.integer({
+      char: 'l',
+      description: 'Maximum number of results to display',
+      default: 20,
+    }),
+  }
+
+  async run() {
+    const { args, flags } = await this.parse(VulnSearch)
+    const isJson = flags.json
+
+    const { keyword } = args
+    const { days, severity, limit } = flags
+
+    if (days < 1 || days > 120) {
+      throw new ValidationError(
+        `--days must be between 1 and 120, got ${days}`,
+        'The NVD API supports a maximum 120-day date range per request.',
+      )
+    }
+
+    if (limit < 1 || limit > 2000) {
+      throw new ValidationError(
+        `--limit must be between 1 and 2000, got ${limit}`,
+        'The NVD API returns at most 2000 results per page.',
+      )
+    }
+
+    const spinner = isJson ? null : ora(keyword ? `Searching NVD for "${keyword}"...` : `Fetching recent CVEs (last ${days} days)...`).start()
+
+    try {
+      const { results, totalResults } = await searchCves({ keyword, days, severity, limit })
+      spinner?.stop()
+
+      const result = { keyword: keyword ?? null, days, severity: severity ?? null, totalResults, results }
+
+      if (isJson) return result
+
+      this.log(formatCveSearchTable(results, keyword, days, totalResults))
+
+      // Interactive navigable table — only in a real TTY with enough rows, skipped in CI / --json / piped output
+      const ttyRows = process.stdout.rows ?? 0
+      if (process.stdout.isTTY && results.length > 0 && ttyRows >= MIN_TTY_ROWS) {
+        const heading = keyword
+          ? `CVE Search: "${keyword}" (last ${days} days)`
+          : `CVE Search: all recent (last ${days} days)`
+
+        const termCols = process.stdout.columns || 80
+        const descWidth = Math.max(20, Math.min(60, termCols - 84))
+
+        const rows = results.map((r) => ({
+          id: r.id,
+          severity: r.severity,
+          score: formatScore(r.score),
+          published: formatDate(r.publishedDate),
+          description: truncate(r.description, descWidth),
+          reference: r.firstReference ? truncate(r.firstReference, COL_WIDTHS.reference) : '—',
+        }))
+
+        /** @type {import('../../utils/tui/navigable-table.js').TableColumnDef[]} */
+        const columns = [
+          { header: 'CVE ID',      key: 'id',          width: COL_WIDTHS.id,        colorize: (v) => chalk.cyan(v) },
+          { header: 'Severity',    key: 'severity',     width: COL_WIDTHS.severity,  colorize: (v) => colorSeverity(v) },
+          { header: 'Score',       key: 'score',        width: COL_WIDTHS.score },
+          { header: 'Published',   key: 'published',    width: COL_WIDTHS.published },
+          { header: 'Description', key: 'description',  width: descWidth },
+          { header: 'Reference',   key: 'reference',    width: COL_WIDTHS.reference },
+        ]
+
+        await startInteractiveTable(rows, columns, heading, totalResults, getCveDetail)
+      }
+
+      return result
+    } catch (err) {
+      spinner?.stop()
+      throw err
+    }
+  }
+}

package/src/formatters/vuln.js

@@ -0,0 +1,317 @@
+import chalk from 'chalk'
+import { renderTable } from './table.js'
+import { NVD_ATTRIBUTION } from '../services/nvd.js'
+
+/** @import { CveSearchResult, CveDetail, VulnerabilityFinding, ScanResult } from '../types.js' */
+
+/**
+ * Colorize a severity string for terminal output.
+ * @param {string} severity
+ * @returns {string}
+ */
+export function colorSeverity(severity) {
+  switch (severity) {
+    case 'Critical': return chalk.red.bold(severity)
+    case 'High':     return chalk.red(severity)
+    case 'Medium':   return chalk.yellow(severity)
+    case 'Low':      return chalk.blue(severity)
+    default:         return chalk.gray(severity)
+  }
+}
+
+/**
+ * Format a CVE score as a fixed-precision string or "N/A".
+ * @param {number|null} score
+ * @returns {string}
+ */
+export function formatScore(score) {
+  if (score === null || score === undefined) return 'N/A'
+  return score.toFixed(1)
+}
+
+/**
+ * Format an ISO-8601 date string as YYYY-MM-DD.
+ * @param {string} iso
+ * @returns {string}
+ */
+export function formatDate(iso) {
+  if (!iso) return ''
+  return iso.slice(0, 10)
+}
+
+/**
+ * Truncate a string to max length, appending … if needed.
+ * @param {string} str
+ * @param {number} max
+ * @returns {string}
+ */
+export function truncate(str, max) {
+  if (!str) return ''
+  if (str.length <= max) return str
+  return str.slice(0, max - 1) + '…'
+}
+
+/**
+ * Format a list of CVE search results as a terminal table string.
+ * @param {CveSearchResult[]} results
+ * @param {string|null|undefined} keyword
+ * @param {number} days
+ * @param {number} totalResults
+ * @returns {string}
+ */
+export function formatCveSearchTable(results, keyword, days, totalResults) {
+  const lines = []
+  const heading = keyword
+    ? `CVE Search: "${keyword}" (last ${days} days)`
+    : `CVE Search: all recent (last ${days} days)`
+  lines.push(chalk.bold(`${heading}\n`))
+
+  if (results.length === 0) {
+    lines.push(keyword ? '  No CVEs found for this search.' : '  No CVEs published in this time window.')
+    lines.push('')
+    lines.push(chalk.dim(NVD_ATTRIBUTION))
+    return lines.join('\n')
+  }
+
+  const rows = results.map((r) => ({
+    id: r.id,
+    severity: r.severity,
+    score: formatScore(r.score),
+    published: formatDate(r.publishedDate),
+    description: truncate(r.description, 90),
+    reference: r.firstReference ? truncate(r.firstReference, 45) : '—',
+  }))
+
+  const table = renderTable(rows, [
+    { header: 'CVE ID',      key: 'id',          colorize: (v) => chalk.cyan(v) },
+    { header: 'Severity',    key: 'severity',     colorize: (v) => colorSeverity(v) },
+    { header: 'Score',       key: 'score',        width: 5 },
+    { header: 'Published',   key: 'published',    width: 10 },
+    { header: 'Description', key: 'description',  width: 90 },
+    { header: 'Reference',   key: 'reference',    width: 45 },
+  ])
+
+  // Indent table by 2 spaces
+  lines.push(table.split('\n').map((l) => `  ${l}`).join('\n'))
+  lines.push('')
+  lines.push(`Showing ${results.length} of ${totalResults} results.`)
+  lines.push(chalk.dim(NVD_ATTRIBUTION))
+  return lines.join('\n')
+}
+
+/**
+ * Format a full CVE detail record for terminal output.
+ * @param {CveDetail} cve
+ * @returns {string}
+ */
+export function formatCveDetail(cve) {
+  const lines = []
+
+  const scoreStr = cve.score !== null ? ` (${formatScore(cve.score)})` : ''
+  lines.push(chalk.bold.cyan(`${cve.id}`) + chalk.bold(` — `) + colorSeverity(cve.severity) + chalk.bold(scoreStr))
+  lines.push('')
+
+  // Description
+  lines.push(chalk.bold('  Description'))
+  // Word-wrap at ~80 chars, indented 2 spaces
+  lines.push(wordWrap(cve.description, 78, '  '))
+  lines.push('')
+
+  // Details
+  lines.push(chalk.bold('  Details'))
+  lines.push(`  Status:        ${cve.status}`)
+  lines.push(`  Published:     ${formatDate(cve.publishedDate)}`)
+  lines.push(`  Last Modified: ${formatDate(cve.lastModified)}`)
+  if (cve.cvssVector) lines.push(`  CVSS Vector:   ${cve.cvssVector}`)
+  if (cve.weaknesses.length > 0) {
+    const cweIds = [...new Set(cve.weaknesses.map((w) => w.id))].join(', ')
+    lines.push(`  Weaknesses:    ${cweIds}`)
+  }
+  lines.push('')
+
+  // Affected products
+  if (cve.affectedProducts.length > 0) {
+    lines.push(chalk.bold('  Affected Products'))
+    lines.push('  ' + chalk.dim('─'.repeat(40)))
+    for (const p of cve.affectedProducts) {
+      lines.push(`  ${p.vendor} / ${p.product} / ${p.versions}`)
+    }
+    lines.push('')
+  }
+
+  // References
+  if (cve.references.length > 0) {
+    lines.push(chalk.bold('  References'))
+    cve.references.slice(0, 5).forEach((ref, i) => {
+      const tagStr = ref.tags.length > 0 ? ` (${ref.tags.join(', ')})` : ''
+      lines.push(`  [${i + 1}] ${ref.url}${tagStr}`)
+    })
+    lines.push('')
+    lines.push(chalk.dim('  Tip: Use --open to open the first reference in your browser.'))
+    lines.push('')
+  }
+
+  lines.push(chalk.dim(NVD_ATTRIBUTION))
+  return lines.join('\n')
+}
+
+/**
+ * Format a full CVE detail record as an array of plain-text lines (no chalk/ANSI).
+ * Used by the modal overlay in the navigable table TUI.
+ * @param {CveDetail} cve
+ * @returns {string[]}
+ */
+export function formatCveDetailPlain(cve) {
+  const lines = []
+
+  const scoreStr = cve.score !== null ? ` (${formatScore(cve.score)})` : ''
+  lines.push(`${cve.id} — ${cve.severity}${scoreStr}`)
+  lines.push('')
+
+  lines.push('  Description')
+  const wrappedDesc = wordWrap(cve.description, 78, '  ')
+  for (const l of wrappedDesc.split('\n')) lines.push(l)
+  lines.push('')
+
+  lines.push('  Details')
+  lines.push(`  Status:        ${cve.status}`)
+  lines.push(`  Published:     ${formatDate(cve.publishedDate)}`)
+  lines.push(`  Last Modified: ${formatDate(cve.lastModified)}`)
+  if (cve.cvssVector) lines.push(`  CVSS Vector:   ${cve.cvssVector}`)
+  if (cve.weaknesses.length > 0) {
+    const cweIds = [...new Set(cve.weaknesses.map((w) => w.id))].join(', ')
+    lines.push(`  Weaknesses:    ${cweIds}`)
+  }
+  lines.push('')
+
+  if (cve.affectedProducts.length > 0) {
+    lines.push('  Affected Products')
+    lines.push('  ' + '─'.repeat(40))
+    for (const p of cve.affectedProducts) {
+      lines.push(`  ${p.vendor} / ${p.product} / ${p.versions}`)
+    }
+    lines.push('')
+  }
+
+  if (cve.references.length > 0) {
+    lines.push('  References')
+    cve.references.slice(0, 5).forEach((ref, i) => {
+      const tagStr = ref.tags.length > 0 ? ` (${ref.tags.join(', ')})` : ''
+      lines.push(`  [${i + 1}] ${ref.url}${tagStr}`)
+    })
+    lines.push('')
+    lines.push('  Tip: Press o to open the first reference in your browser.')
+    lines.push('')
+  }
+
+  lines.push(NVD_ATTRIBUTION)
+  return lines
+}
+
+/**
+ * Word-wrap a string to a max line length with an indent prefix.
+ * @param {string} text
+ * @param {number} maxLen
+ * @param {string} indent
+ * @returns {string}
+ */
+function wordWrap(text, maxLen, indent) {
+  if (!text) return ''
+  const words = text.split(' ')
+  const wrappedLines = []
+  let current = indent
+
+  for (const word of words) {
+    if (current.length + word.length + 1 > maxLen && current.trim().length > 0) {
+      wrappedLines.push(current.trimEnd())
+      current = indent + word + ' '
+    } else {
+      current += word + ' '
+    }
+  }
+  if (current.trim()) wrappedLines.push(current.trimEnd())
+  return wrappedLines.join('\n')
+}
+
+/**
+ * Format a list of VulnerabilityFindings as a terminal table string.
+ * @param {VulnerabilityFinding[]} findings
+ * @returns {string}
+ */
+export function formatFindingsTable(findings) {
+  if (findings.length === 0) return ''
+
+  const rows = findings.map((f) => ({
+    pkg: f.package,
+    version: f.installedVersion,
+    severity: f.severity,
+    cve: f.cveId ?? '—',
+    title: truncate(f.title ?? '—', 40),
+  }))
+
+  const table = renderTable(rows, [
+    { header: 'Package',  key: 'pkg',      width: 20 },
+    { header: 'Version',  key: 'version',  width: 12 },
+    { header: 'Severity', key: 'severity', colorize: (v) => colorSeverity(v) },
+    { header: 'CVE',      key: 'cve',      colorize: (v) => (v !== '—' ? chalk.cyan(v) : chalk.gray(v)) },
+    { header: 'Title',    key: 'title',    width: 40 },
+  ])
+
+  return table.split('\n').map((l) => `  ${l}`).join('\n')
+}
+
+/**
+ * Format a ScanResult summary block for terminal output.
+ * @param {import('../types.js').ScanSummary} summary
+ * @returns {string}
+ */
+export function formatScanSummary(summary) {
+  const lines = []
+  lines.push('  ' + chalk.dim('─'.repeat(21)))
+  lines.push(`  Critical:  ${summary.critical}`)
+  lines.push(`  High:      ${summary.high}`)
+  lines.push(`  Medium:    ${summary.medium}`)
+  lines.push(`  Low:       ${summary.low}`)
+  lines.push(`  Total:     ${summary.total}`)
+  return lines.join('\n')
+}
+
+/**
+ * Generate a Markdown vulnerability report.
+ * @param {ScanResult} result
+ * @returns {string}
+ */
+export function formatMarkdownReport(result) {
+  const lines = []
+  lines.push('# Vulnerability Report')
+  lines.push('')
+  lines.push(`**Project**: ${result.projectPath}  `)
+  lines.push(`**Date**: ${result.scanDate}  `)
+  lines.push(`**Ecosystems scanned**: ${result.ecosystems.map((e) => e.name).join(', ')}`)
+  lines.push('')
+  lines.push('## Summary')
+  lines.push('')
+  lines.push('| Severity | Count |')
+  lines.push('|----------|-------|')
+  lines.push(`| Critical | ${result.summary.critical} |`)
+  lines.push(`| High     | ${result.summary.high} |`)
+  lines.push(`| Medium   | ${result.summary.medium} |`)
+  lines.push(`| Low      | ${result.summary.low} |`)
+  lines.push(`| **Total** | **${result.summary.total}** |`)
+  lines.push('')
+
+  if (result.findings.length > 0) {
+    lines.push('## Findings')
+    lines.push('')
+    lines.push('| Package | Version | Severity | CVE | Title |')
+    lines.push('|---------|---------|----------|-----|-------|')
+    for (const f of result.findings) {
+      lines.push(`| ${f.package} | ${f.installedVersion} | ${f.severity} | ${f.cveId ?? '—'} | ${f.title ?? '—'} |`)
+    }
+    lines.push('')
+  }
+
+  lines.push('---')
+  lines.push(`*${NVD_ATTRIBUTION}*`)
+  return lines.join('\n')
+}

package/src/help.js

@@ -87,6 +87,14 @@ const CATEGORIES = [
       { id: 'security:setup', hint: '[--json]' },
     ],
   },
+  {
+    title: 'CVE & Vulnerabilità',
+    cmds: [
+      { id: 'vuln:search', hint: '[KEYWORD] [--days] [--severity] [--limit]' },
+      { id: 'vuln:detail', hint: '<CVE-ID> [--open]' },
+      { id: 'vuln:scan',   hint: '[--severity] [--no-fail] [--report]' },
+    ],
+  },
   {
     title: 'Dotfiles & Cifratura',
     cmds: [
@@ -209,6 +217,13 @@ export default class CustomHelp extends Help {
       { cmd: 'dvmi dotfiles status --json',                           note: 'Stato dotfile gestiti (JSON)' },
       { cmd: 'dvmi dotfiles sync --push',                             note: 'Push dotfile al repository remoto' },
       { cmd: 'dvmi welcome',                                          note: 'Dashboard missione dvmi con intro animata' },
+      { cmd: 'dvmi vuln search openssl',                              note: 'Cerca CVE recenti per keyword' },
+      { cmd: 'dvmi vuln search log4j --days 30 --severity critical',  note: 'CVE critiche Log4j negli ultimi 30 giorni' },
+      { cmd: 'dvmi vuln detail CVE-2021-44228',                       note: 'Dettaglio completo di una CVE' },
+      { cmd: 'dvmi vuln detail CVE-2021-44228 --open',                note: 'Apri la prima referenza nel browser' },
+      { cmd: 'dvmi vuln scan',                                        note: 'Scansiona dipendenze del progetto corrente' },
+      { cmd: 'dvmi vuln scan --severity high --no-fail',              note: 'Scansione senza bloccare CI (solo high+)' },
+      { cmd: 'dvmi vuln scan --report ./vuln-report.md',              note: 'Esporta report Markdown delle vulnerabilità' },
     ]
 
     const lines = []

package/src/services/audit-detector.js

@@ -0,0 +1,120 @@
+import { existsSync } from 'node:fs'
+import { resolve, join } from 'node:path'
+
+/** @import { PackageEcosystem } from '../types.js' */
+
+/**
+ * Lock file detection entries in priority order.
+ * For Node.js: pnpm > npm > yarn (only highest priority used).
+ */
+const LOCK_FILE_MAP = [
+  {
+    lockFile: 'pnpm-lock.yaml',
+    name: 'pnpm',
+    auditCommand: 'pnpm audit --json',
+    builtIn: true,
+    nodeGroup: true,
+  },
+  {
+    lockFile: 'package-lock.json',
+    name: 'npm',
+    auditCommand: 'npm audit --json',
+    builtIn: true,
+    nodeGroup: true,
+  },
+  {
+    lockFile: 'yarn.lock',
+    name: 'yarn',
+    auditCommand: 'yarn audit --json',
+    builtIn: true,
+    nodeGroup: true,
+  },
+  {
+    lockFile: 'Pipfile.lock',
+    name: 'pip',
+    auditCommand: 'pip-audit -f json',
+    builtIn: false,
+    nodeGroup: false,
+  },
+  {
+    lockFile: 'poetry.lock',
+    name: 'pip',
+    auditCommand: 'pip-audit -f json',
+    builtIn: false,
+    nodeGroup: false,
+  },
+  {
+    lockFile: 'requirements.txt',
+    name: 'pip',
+    auditCommand: 'pip-audit -r requirements.txt -f json',
+    builtIn: false,
+    nodeGroup: false,
+  },
+  {
+    lockFile: 'Cargo.lock',
+    name: 'cargo',
+    auditCommand: 'cargo audit --json',
+    builtIn: false,
+    nodeGroup: false,
+  },
+  {
+    lockFile: 'Gemfile.lock',
+    name: 'bundler',
+    auditCommand: 'bundle-audit check --format json',
+    builtIn: false,
+    nodeGroup: false,
+  },
+  {
+    lockFile: 'composer.lock',
+    name: 'composer',
+    auditCommand: 'composer audit --format json',
+    builtIn: true,
+    nodeGroup: false,
+  },
+]
+
+/**
+ * Detect package manager ecosystems present in a directory by scanning for lock files.
+ * Node.js lock files are de-duplicated: only the highest-priority one is returned.
+ *
+ * @param {string} [dir] - Directory to scan (defaults to process.cwd())
+ * @returns {PackageEcosystem[]}
+ */
+export function detectEcosystems(dir = process.cwd()) {
+  const ecosystems = []
+  let nodeDetected = false
+
+  for (const entry of LOCK_FILE_MAP) {
+    // Skip lower-priority Node.js lock files if one already detected
+    if (entry.nodeGroup && nodeDetected) continue
+
+    const lockFilePath = resolve(join(dir, entry.lockFile))
+    if (existsSync(lockFilePath)) {
+      ecosystems.push({
+        name: entry.name,
+        lockFile: entry.lockFile,
+        lockFilePath,
+        auditCommand: entry.auditCommand,
+        builtIn: entry.builtIn,
+      })
+      if (entry.nodeGroup) nodeDetected = true
+    }
+  }
+
+  return ecosystems
+}
+
+/**
+ * Return the human-readable list of supported ecosystems for display in the "no package manager"
+ * error message.
+ * @returns {string}
+ */
+export function supportedEcosystemsMessage() {
+  return [
+    '  • Node.js (npm, pnpm, yarn) — requires lock file',
+    '  • Python (pip-audit) — requires Pipfile.lock, poetry.lock, or requirements.txt',
+    '  • Rust (cargo-audit) — requires Cargo.lock',
+    '  • Ruby (bundler-audit) — requires Gemfile.lock',
+    '  • PHP (composer) — requires composer.lock',
+  ].join('\n')
+}