guardvibe 3.3.0 → 3.4.0

package/CHANGELOG.md

@@ -5,6 +5,17 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.4.0] - 2026-06-07
+
+### Added — dependency reachability: is the vulnerable package actually imported? (438 rules / 37 tools)
+- **The dependency scan now annotates each vulnerable package with reachability** — whether it is actually imported/required anywhere in your source. A flagged dependency you never import is far lower priority than one your code calls into; this turns the daily-CVE freshness signal into a *prioritized*, actionable one.
+- **Annotate, never suppress:** findings are labeled `reachable: true/false` (and `[imported in source]` / `[not directly imported — likely unreachable]` in the audit), but nothing is dropped — a package can still be reached transitively or via dynamic/framework loading, so there are no new false negatives.
+- New module `src/tools/reachability.ts`: `packageRoot` (specifier → installable name, scoped-package aware), `extractImportedPackages` (import/require/dynamic-import/re-export forms), `collectImportedPackages` (source-tree walk, node_modules excluded), `analyzeReachability`. Import-level (package granularity).
+- Surfaced in `scan_dependencies` (per-package `reachable` + `reachabilityStatus`, summary `reachableVulnerable`) and the `audit` dependency section (`N of M directly imported in source`).
+- No rule or tool changes (438 / 37).
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
 ## [3.3.0] - 2026-06-07
 
 ### Added — diff-aware scanning: block what you just wrote, not the backlog (438 rules / 37 tools)

package/README.md

@@ -219,7 +219,7 @@ Malicious postinstall scripts, unpinned GitHub Actions, CI `npm` provenance / `-
 | `check_project` | Scan multiple files with security scoring (A-F) |
 | `scan_directory` | Scan a project directory from disk |
 | `scan_staged` | Pre-commit scan of git-staged files |
-| `scan_dependencies` | Check all dependencies for known CVEs (OSV) |
+| `scan_dependencies` | Check all dependencies for known CVEs (OSV) — annotates each vulnerable package with **reachability** (is it actually imported in your source?) |
 | `scan_secrets` | Detect leaked secrets, API keys, tokens |
 | `check_dependencies` | Check individual packages against OSV |
 | `check_package_health` | Typosquat detection, maintenance status, adoption metrics |

package/build/tools/full-audit.js

@@ -248,7 +248,7 @@ export async function runFullAudit(path, options) {
         }
         if (existsSync(manifestPath)) {
             try {
-                const depsJson = await scanDependencies(manifestPath, "json");
+                const depsJson = await scanDependencies(manifestPath, "json", { root: projectRoot });
                 const parsed = safeJsonParse(depsJson);
                 if (!parsed) {
                     // scanDependencies returned a markdown error (OSV API unreachable, parse failed, etc).
@@ -259,9 +259,15 @@ export async function runFullAudit(path, options) {
                 }
                 if (parsed) {
                     const vulnPackages = parsed.summary?.vulnerable ?? 0;
+                    const reachableVulnerable = parsed.summary?.reachableVulnerable;
                     const depFindings = [];
                     let depCritical = 0, depHigh = 0, depMedium = 0;
                     for (const pkg of parsed.packages ?? []) {
+                        const pkgRec = pkg;
+                        const reachable = pkgRec.reachable;
+                        const reachNote = reachable === false
+                            ? " [not directly imported — likely unreachable]"
+                            : reachable === true ? " [imported in source]" : "";
                         for (const v of pkg.vulnerabilities ?? []) {
                             const vuln2 = v;
                             const sev = (vuln2.severity ?? "high");
@@ -276,17 +282,20 @@ export async function runFullAudit(path, options) {
                                 severity: sev,
                                 file: "package.json",
                                 line: 0,
-                                name: `${pkg.name ?? "unknown"}: ${(vuln2.id ?? "CVE")}`,
-                                description: (vuln2.summary ?? vuln2.details ?? ""),
-                                fix: `Run: npm update ${pkg.name ?? ""}`,
+                                name: `${pkgRec.name ?? "unknown"}: ${(vuln2.id ?? "CVE")}`,
+                                description: `${(vuln2.summary ?? vuln2.details ?? "")}${reachNote}`,
+                                fix: `Run: npm update ${pkgRec.name ?? ""}`,
                             });
                             allFindings.push({ ruleId: `DEP:${vuln2.id ?? "CVE"}`, severity: sev, file: "package.json", line: 0 });
                         }
                     }
                     const counts = { findings: depFindings.length, critical: depCritical, high: depHigh, medium: depMedium };
+                    const reachText = typeof reachableVulnerable === "number" && vulnPackages > 0
+                        ? ` (${reachableVulnerable} of ${vulnPackages} directly imported in source)`
+                        : "";
                     const detailText = depFindings.length === 0
                         ? "No known CVEs"
-                        : `${depFindings.length} CVE(s) across ${vulnPackages} vulnerable package(s)`;
+                        : `${depFindings.length} CVE(s) across ${vulnPackages} vulnerable package(s)${reachText}`;
                     sections.push({ name: "dependencies", status: "ok", ...counts, details: detailText, sectionFindings: depFindings });
                 }
             }

package/build/tools/reachability.d.ts

@@ -0,0 +1,19 @@
+/** The installable package name behind a module specifier, or null if not a bare package. */
+export declare function packageRoot(specifier: string): string | null;
+/** All bare package roots imported/required/re-exported in a file's source. */
+export declare function extractImportedPackages(code: string): Set<string>;
+/** Walk a source tree and collect every imported package root (node_modules excluded). */
+export declare function collectImportedPackages(root: string, opts?: {
+    maxFiles?: number;
+}): Set<string>;
+export type ReachabilityStatus = "imported" | "not_imported";
+export interface ReachabilityResult {
+    reachable: boolean;
+    status: ReachabilityStatus;
+}
+/**
+ * Annotate each package name with whether it is imported anywhere under `root`.
+ * Pass `importedOverride` (a precomputed set) to avoid a filesystem walk (used in tests
+ * and to share one walk across many packages).
+ */
+export declare function analyzeReachability(packageNames: string[], root: string, importedOverride?: Set<string>): Map<string, ReachabilityResult>;

package/build/tools/reachability.js

@@ -0,0 +1,122 @@
+// guardvibe-ignore — defines import-detection regexes; the `require(...)`/`import(...)`
+// string literals here are detector patterns, not vulnerable code.
+/**
+ * Dependency reachability — is a vulnerable package actually used by YOUR code?
+ *
+ * A vulnerable version in package.json is only exploitable from your app if the
+ * package is actually imported/required somewhere in source. Flagging every
+ * advisory regardless drowns the real ones in transitive noise. Reachability
+ * answers "do you import this?" so a flagged-but-unimported dependency can be
+ * deprioritized.
+ *
+ * IMPORTANT — annotate, never suppress: a package can still be reached
+ * transitively or via dynamic/framework loading, so we LABEL findings
+ * (reachable: true/false) and never drop them. This keeps the freshness moat
+ * honest (no false negatives) while cutting the noise.
+ *
+ * This is import-level (package granularity), not call-graph/function level.
+ */
+import { readdirSync, statSync, readFileSync } from "fs";
+import { join, extname } from "path";
+const CODE_EXT = new Set([".js", ".jsx", ".mjs", ".cjs", ".ts", ".tsx", ".mts", ".cts"]);
+const SKIP_DIR = new Set([
+    "node_modules", ".git", ".next", "dist", "build", "out", "coverage",
+    ".turbo", "vendor", ".vercel", ".cache", ".svelte-kit",
+]);
+/** The installable package name behind a module specifier, or null if not a bare package. */
+export function packageRoot(specifier) {
+    if (!specifier)
+        return null;
+    if (specifier.startsWith(".") || specifier.startsWith("/"))
+        return null; // relative / absolute
+    if (specifier.startsWith("node:"))
+        return null; // node builtin
+    const parts = specifier.split("/");
+    if (specifier.startsWith("@")) {
+        if (parts.length < 2 || !parts[1])
+            return null; // incomplete scoped specifier
+        return `${parts[0]}/${parts[1]}`;
+    }
+    return parts[0];
+}
+const IMPORT_FROM = /(?:import|export)\b[^'"]*?\bfrom\s+['"]([^'"]+)['"]/g;
+const BARE_IMPORT = /\bimport\s+['"]([^'"]+)['"]/g;
+const REQUIRE_CALL = /\brequire\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
+const DYNAMIC_IMPORT = /\bimport\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
+/** All bare package roots imported/required/re-exported in a file's source. */
+export function extractImportedPackages(code) {
+    const out = new Set();
+    const add = (spec) => {
+        const root = packageRoot(spec);
+        if (root)
+            out.add(root);
+    };
+    for (const re of [IMPORT_FROM, BARE_IMPORT, REQUIRE_CALL, DYNAMIC_IMPORT]) {
+        re.lastIndex = 0;
+        for (const m of code.matchAll(re))
+            add(m[1]);
+    }
+    return out;
+}
+/** Walk a source tree and collect every imported package root (node_modules excluded). */
+export function collectImportedPackages(root, opts = {}) {
+    const found = new Set();
+    const maxFiles = opts.maxFiles ?? 20_000;
+    let count = 0;
+    const walk = (dir) => {
+        if (count >= maxFiles)
+            return;
+        let entries;
+        try {
+            entries = readdirSync(dir);
+        }
+        catch {
+            return;
+        }
+        for (const e of entries) {
+            if (count >= maxFiles)
+                return;
+            if (SKIP_DIR.has(e))
+                continue;
+            const p = join(dir, e);
+            let st;
+            try {
+                st = statSync(p);
+            }
+            catch {
+                continue;
+            }
+            if (st.isDirectory()) {
+                walk(p);
+            }
+            else if (CODE_EXT.has(extname(e).toLowerCase()) && st.size < 1_000_000) {
+                count++;
+                let code;
+                try {
+                    code = readFileSync(p, "utf-8");
+                }
+                catch {
+                    continue;
+                }
+                for (const pkg of extractImportedPackages(code))
+                    found.add(pkg);
+            }
+        }
+    };
+    walk(root);
+    return found;
+}
+/**
+ * Annotate each package name with whether it is imported anywhere under `root`.
+ * Pass `importedOverride` (a precomputed set) to avoid a filesystem walk (used in tests
+ * and to share one walk across many packages).
+ */
+export function analyzeReachability(packageNames, root, importedOverride) {
+    const imported = importedOverride ?? collectImportedPackages(root);
+    const out = new Map();
+    for (const name of packageNames) {
+        const reachable = imported.has(name);
+        out.set(name, { reachable, status: reachable ? "imported" : "not_imported" });
+    }
+    return out;
+}

package/build/tools/scan-dependencies.d.ts

@@ -1 +1,7 @@
-export declare function scanDependencies(manifestPath: string, format?: "markdown" | "json"): Promise<string>;
+export interface ScanDependenciesOptions {
+    /** Source root to scan for imports (defaults to the manifest's directory). */
+    root?: string;
+    /** Annotate each vulnerable package with whether it is imported in source. Default true. */
+    reachability?: boolean;
+}
+export declare function scanDependencies(manifestPath: string, format?: "markdown" | "json", opts?: ScanDependenciesOptions): Promise<string>;

package/build/tools/scan-dependencies.js

@@ -1,8 +1,9 @@
 import { readFileSync } from "fs";
-import { basename } from "path";
+import { basename, dirname } from "path";
 import { parseManifest } from "../utils/manifest-parser.js";
 import { queryOsvBatch, formatVulnerability, normalizeSeverity } from "../utils/osv-client.js";
-export async function scanDependencies(manifestPath, format = "markdown") {
+import { analyzeReachability } from "./reachability.js";
+export async function scanDependencies(manifestPath, format = "markdown", opts = {}) {
     let content;
     try {
         content = readFileSync(manifestPath, "utf-8");
@@ -42,6 +43,20 @@ export async function scanDependencies(manifestPath, format = "markdown") {
     }
     let totalVulns = 0;
     const criticalPackages = [];
+    // --- Reachability: is each vulnerable package actually imported in YOUR source? ---
+    // Annotate only (never suppress) — a package may still be reached transitively.
+    const vulnerableNames = packages
+        .filter(p => (vulnResults.get(`${p.name}@${p.version}`) || []).length > 0)
+        .map(p => p.name);
+    let reach = null;
+    if (opts.reachability !== false && vulnerableNames.length > 0) {
+        try {
+            reach = analyzeReachability(vulnerableNames, opts.root ?? dirname(manifestPath));
+        }
+        catch {
+            reach = null;
+        }
+    }
     // Build per-package vulnerability data
     const pkgResults = [];
     for (const pkg of packages) {
@@ -51,8 +66,11 @@ export async function scanDependencies(manifestPath, format = "markdown") {
             continue;
         totalVulns += vulns.length;
         criticalPackages.push(key);
+        const r = reach?.get(pkg.name);
         pkgResults.push({
             name: pkg.name, version: pkg.version, ecosystem: pkg.ecosystem,
+            reachable: r?.reachable,
+            reachabilityStatus: r?.status,
             vulnerabilities: vulns.map(v => ({
                 id: v.id, severity: normalizeSeverity(v), summary: v.summary,
                 fixedIn: (v.affected ?? []).flatMap((a) => (a.ranges ?? []).flatMap((r) => r.events.filter((e) => e.fixed).map((e) => e.fixed))).join(", ") || undefined,
@@ -60,6 +78,11 @@ export async function scanDependencies(manifestPath, format = "markdown") {
             })),
         });
         lines.push(`## ${key} (${pkg.ecosystem}) — ${vulns.length} vulnerabilities`, ``);
+        if (r) {
+            lines.push(r.reachable
+                ? `_Reachability: imported in your source._`
+                : `_Reachability: not directly imported — likely unreachable (may still be used transitively)._`, ``);
+        }
         for (const vuln of vulns) {
             lines.push(formatVulnerability(vuln), ``);
         }
@@ -78,6 +101,7 @@ export async function scanDependencies(manifestPath, format = "markdown") {
                 vulnerable: criticalPackages.length,
                 vulnerablePackages: criticalPackages.length,
                 totalAdvisories: totalVulns,
+                ...(reach ? { reachableVulnerable: [...reach.values()].filter(x => x.reachable).length } : {}),
                 ...sevCounts,
             },
             packages: pkgResults,
@@ -91,6 +115,10 @@ export async function scanDependencies(manifestPath, format = "markdown") {
         lines.push(`**${totalVulns} vulnerabilities** found in ${criticalPackages.length} packages:`, ``);
         for (const pkg of criticalPackages)
             lines.push(`- ${pkg}`);
+        if (reach) {
+            const reachableCount = [...reach.values()].filter(x => x.reachable).length;
+            lines.push(``, `**Reachability:** ${reachableCount} of ${reach.size} vulnerable package(s) are directly imported in your source — prioritize those.`);
+        }
         lines.push(``, `**Action:** Update affected packages to their fixed versions.`);
     }
     return lines.join("\n");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.3.0",
+  "version": "3.4.0",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 438 rules, 37 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 67 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",