ship-safe 5.0.0 → 6.0.0

package/cli/commands/deps.js

@@ -87,15 +87,34 @@ export async function depsCommand(targetPath = '.', options = {}) {
     process.exit(0);
   }
 
-  // ── 4. Display findings ───────────────────────────────────────────────────
+  // ── 4. Enrich with EPSS scores ──────────────────────────────────────────
+  const cves = vulns.map(v => v.cve).filter(Boolean);
+  if (cves.length > 0) {
+    const epssSpinner = ora({ text: 'Fetching EPSS exploit probability scores...', color: 'cyan' }).start();
+    try {
+      const epssData = await fetchEPSS(cves);
+      for (const v of vulns) {
+        if (v.cve && epssData[v.cve]) {
+          v.epss = epssData[v.cve].epss;
+          v.percentile = epssData[v.cve].percentile;
+        }
+      }
+      epssSpinner.succeed(chalk.gray(`EPSS scores fetched for ${Object.keys(epssData).length} CVE(s)`));
+    } catch {
+      epssSpinner.stop();
+      // EPSS is optional — continue without it
+    }
+  }
+
+  // ── 5. Display findings ───────────────────────────────────────────────────
   printDepFindings(vulns, pm);
 
-  // ── 5. Optionally fix ─────────────────────────────────────────────────────
+  // ── 6. Optionally fix ─────────────────────────────────────────────────────
   if (options.fix) {
     console.log();
     console.log(chalk.cyan(`  Running: ${pm.fixCommand}`));
     try {
-      execSync(pm.fixCommand, { cwd: absolutePath, stdio: 'inherit' });
+      execSync(pm.fixCommand, { cwd: absolutePath, stdio: 'inherit' }); // ship-safe-ignore — command is a hardcoded package manager command, not user input
     } catch {
       output.warning('Fix command exited with errors — some vulnerabilities may require manual updates.');
     }
@@ -178,7 +197,7 @@ function detectPackageManager(rootPath) {
 function runAudit(pm, cwd) {
   let stdout;
   try {
-    stdout = execSync(pm.auditCommand, { cwd, stdio: ['pipe', 'pipe', 'pipe'] }).toString();
+    stdout = execSync(pm.auditCommand, { cwd, stdio: ['pipe', 'pipe', 'pipe'] }).toString(); // ship-safe-ignore — command is a hardcoded package manager audit command, not user input
   } catch (err) {
     // npm/yarn/pnpm exit with code 1 when vulns found — that's expected
     if (err.stdout) {
@@ -366,6 +385,46 @@ function parseBundlerAudit(text) {
   return vulns;
 }
 
+// =============================================================================
+// EPSS (Exploit Prediction Scoring System)
+// =============================================================================
+
+/**
+ * Fetch EPSS scores from FIRST.org API for a list of CVEs.
+ * Returns { 'CVE-2023-1234': { epss: 0.942, percentile: 0.99 }, ... }
+ * API docs: https://www.first.org/epss/api
+ */
+async function fetchEPSS(cves) {
+  if (cves.length === 0) return {};
+
+  // API accepts up to 100 CVEs per request — batch if needed
+  const results = {};
+  const batches = [];
+  for (let i = 0; i < cves.length; i += 100) {
+    batches.push(cves.slice(i, i + 100));
+  }
+
+  for (const batch of batches) {
+    const url = `https://api.first.org/data/v1/epss?cve=${batch.join(',')}`; // ship-safe-ignore — hardcoded FIRST.org API endpoint, CVE IDs are from audit results not user input
+    const response = await fetch(url, { // ship-safe-ignore — EPSS API fetch with fixed base URL
+      headers: { 'Accept': 'application/json' },
+      signal: AbortSignal.timeout(10000),
+    });
+
+    if (!response.ok) continue;
+
+    const json = await response.json();
+    for (const entry of (json.data || [])) {
+      results[entry.cve] = {
+        epss: parseFloat(entry.epss),
+        percentile: parseFloat(entry.percentile),
+      };
+    }
+  }
+
+  return results;
+}
+
 // =============================================================================
 // OUTPUT
 // =============================================================================
@@ -408,6 +467,16 @@ function printDepFindings(vulns, pm) {
     if (v.cve) {
       console.log(chalk.gray(`              ${v.cve}`) + (v.url ? chalk.gray(`  ${v.url}`) : ''));
     }
+    if (v.epss != null) {
+      const pct = (v.epss * 100).toFixed(1);
+      const epssColor = v.epss >= 0.5 ? chalk.red.bold
+        : v.epss >= 0.1 ? chalk.yellow
+        : chalk.gray;
+      const label = v.epss >= 0.5 ? ' — actively exploited in the wild'
+        : v.epss >= 0.1 ? ' — elevated exploit activity'
+        : '';
+      console.log(epssColor(`              EPSS: ${pct}% exploit probability`) + chalk.gray(label));
+    }
     if (v.fix) {
       console.log(chalk.gray('              Fix: ') + chalk.cyan(v.fix));
     }

package/cli/commands/diff.js

@@ -0,0 +1,200 @@
+/**
+ * Diff Command
+ * =============
+ *
+ * Scan only changed files (git diff) for security issues.
+ * Much faster than a full audit — perfect for pre-commit hooks and PR reviews.
+ *
+ * USAGE:
+ *   ship-safe diff              Scan uncommitted changes (staged + unstaged)
+ *   ship-safe diff --staged     Scan only staged changes
+ *   ship-safe diff HEAD~3       Scan changes in last 3 commits
+ *   ship-safe diff main         Scan changes since branching from main
+ */
+
+import { execFileSync } from 'child_process';
+import path from 'path';
+import chalk from 'chalk';
+import ora from 'ora';
+import { SECRET_PATTERNS, SECURITY_PATTERNS, SKIP_EXTENSIONS, SKIP_FILENAMES } from '../utils/patterns.js';
+import { buildOrchestrator } from '../agents/index.js';
+import { ScoringEngine } from '../agents/scoring-engine.js';
+
+// =============================================================================
+// DIFF COMMAND
+// =============================================================================
+
+export async function diffCommand(ref, options) {
+  const targetPath = options.path || process.cwd();
+  const absolutePath = path.resolve(targetPath);
+
+  // ── Get changed files from git ────────────────────────────────────────────
+  const spinner = ora(chalk.white('Getting changed files from git...')).start();
+
+  let gitArgs;
+  if (options.staged) {
+    gitArgs = ['diff', '--cached', '--name-only', '--diff-filter=ACMR'];
+  } else if (ref) {
+    gitArgs = ['diff', '--name-only', '--diff-filter=ACMR', ref];
+  } else {
+    // Uncommitted changes: both staged and unstaged
+    gitArgs = ['diff', '--name-only', '--diff-filter=ACMR', 'HEAD'];
+  }
+
+  let changedFiles;
+  try {
+    const output = execFileSync('git', gitArgs, {
+      cwd: absolutePath,
+      encoding: 'utf-8',
+      timeout: 10_000,
+    }).trim();
+
+    if (!output) {
+      spinner.succeed(chalk.green('No changed files detected'));
+      console.log(chalk.gray('\n  Nothing to scan. Your working tree is clean.\n'));
+      return;
+    }
+
+    changedFiles = output
+      .split('\n')
+      .map(f => f.trim())
+      .filter(f => f.length > 0)
+      .map(f => path.resolve(absolutePath, f))
+      .filter(f => {
+        const ext = path.extname(f).toLowerCase();
+        if (SKIP_EXTENSIONS.has(ext)) return false;
+        const basename = path.basename(f);
+        if (SKIP_FILENAMES.has(basename)) return false;
+        return true;
+      });
+
+    spinner.succeed(chalk.white(`${changedFiles.length} changed file(s) to scan`));
+  } catch (err) {
+    // Fallback for repos with no commits yet
+    if (err.message?.includes('unknown revision')) {
+      try {
+        const output = execFileSync('git', ['diff', '--cached', '--name-only', '--diff-filter=ACMR'], {
+          cwd: absolutePath,
+          encoding: 'utf-8',
+          timeout: 10_000,
+        }).trim();
+
+        changedFiles = output
+          .split('\n')
+          .map(f => f.trim())
+          .filter(f => f.length > 0)
+          .map(f => path.resolve(absolutePath, f))
+          .filter(f => {
+            const ext = path.extname(f).toLowerCase();
+            if (SKIP_EXTENSIONS.has(ext)) return false;
+            const basename = path.basename(f);
+            if (SKIP_FILENAMES.has(basename)) return false;
+            return true;
+          });
+
+        if (!changedFiles.length) {
+          spinner.succeed(chalk.green('No changed files detected'));
+          return;
+        }
+        spinner.succeed(chalk.white(`${changedFiles.length} changed file(s) to scan`));
+      } catch {
+        spinner.fail(chalk.red('Not a git repository or git not available'));
+        process.exit(1);
+      }
+    } else {
+      spinner.fail(chalk.red('Failed to get changed files from git'));
+      console.error(chalk.gray(`  ${err.message}`));
+      process.exit(1);
+    }
+  }
+
+  if (changedFiles.length === 0) {
+    console.log(chalk.gray('\n  No scannable files in the diff.\n'));
+    return;
+  }
+
+  // ── Print header ──────────────────────────────────────────────────────────
+  console.log();
+  console.log(chalk.cyan('═'.repeat(60)));
+  console.log(chalk.cyan.bold('  Ship Safe — Diff Scan'));
+  console.log(chalk.cyan('═'.repeat(60)));
+  console.log();
+  console.log(chalk.gray(`  Scanning ${changedFiles.length} changed file(s):`));
+  for (const f of changedFiles.slice(0, 10)) {
+    console.log(chalk.gray(`    ${path.relative(absolutePath, f)}`));
+  }
+  if (changedFiles.length > 10) {
+    console.log(chalk.gray(`    ... and ${changedFiles.length - 10} more`));
+  }
+  console.log();
+
+  // ── Run agents on changed files only ──────────────────────────────────────
+  const agentSpinner = ora(chalk.white('Running security agents on diff...')).start();
+
+  const orchestrator = buildOrchestrator();
+  const results = await orchestrator.runAll(absolutePath, {
+    timeout: options.timeout || 30_000,
+    changedFiles,
+  });
+
+  const findings = results.findings || [];
+  agentSpinner.succeed(
+    findings.length === 0
+      ? chalk.green('No security issues in changed files')
+      : chalk.yellow(`${findings.length} finding(s) in changed files`)
+  );
+
+  // ── Score ─────────────────────────────────────────────────────────────────
+  if (findings.length > 0) {
+    const scoringEngine = new ScoringEngine();
+    const scoreResult = scoringEngine.compute(findings, []);
+    scoreResult.score = Math.round(scoreResult.score * 10) / 10;
+
+    const scoreColor = scoreResult.score >= 75 ? chalk.green.bold : scoreResult.score >= 60 ? chalk.yellow.bold : chalk.red.bold;
+
+    console.log();
+    console.log(chalk.cyan('  ' + '─'.repeat(56)));
+
+    // Print findings
+    let shown = 0;
+    for (const f of findings) {
+      if (shown >= 20) {
+        console.log(chalk.gray(`\n  ... and ${findings.length - 20} more findings`));
+        break;
+      }
+      const sevColor = f.severity === 'critical' ? chalk.red :
+                        f.severity === 'high' ? chalk.yellow :
+                        f.severity === 'medium' ? chalk.cyan : chalk.gray;
+      const relPath = path.relative(absolutePath, f.file);
+      console.log(`  ${sevColor(`[${f.severity.toUpperCase()}]`)} ${chalk.white(f.title)}`);
+      console.log(chalk.gray(`    ${relPath}:${f.line} → ${f.fix || f.description}`));
+      shown++;
+    }
+
+    console.log();
+    console.log(chalk.cyan('  ' + '─'.repeat(56)));
+    console.log(
+      chalk.white.bold('  Diff Score: ') +
+      scoreColor(`${scoreResult.score}/100 ${scoreResult.grade.letter}`)
+    );
+    console.log(chalk.cyan('  ' + '─'.repeat(56)));
+  }
+
+  // ── JSON output ───────────────────────────────────────────────────────────
+  if (options.json) {
+    const output = {
+      command: 'diff',
+      ref: ref || (options.staged ? '--staged' : 'HEAD'),
+      changedFiles: changedFiles.map(f => path.relative(absolutePath, f)),
+      findings,
+      totalFindings: findings.length,
+    };
+    console.log(JSON.stringify(output, null, 2));
+  }
+
+  console.log();
+  console.log(chalk.cyan('═'.repeat(60)));
+  console.log();
+
+  process.exit(findings.length > 0 ? 1 : 0);
+}

package/cli/commands/doctor.js

@@ -17,10 +17,20 @@ import { readFileSync } from 'fs';
 import { fileURLToPath } from 'url';
 import { dirname, join } from 'path';
 
-const __filename = fileURLToPath(import.meta.url);
+const __filename = fileURLToPath(import.meta.url); // ship-safe-ignore — module's own path via import.meta.url, not user input
 const __dirname = dirname(__filename);
 const PACKAGE_VERSION = JSON.parse(readFileSync(join(__dirname, '../../package.json'), 'utf8')).version;
 
+function isNewerVersion(latest, current) {
+  const a = latest.split('.').map(Number);
+  const b = current.split('.').map(Number);
+  for (let i = 0; i < 3; i++) {
+    if ((a[i] || 0) > (b[i] || 0)) return true;
+    if ((a[i] || 0) < (b[i] || 0)) return false;
+  }
+  return false;
+}
+
 export async function doctorCommand() {
   console.log();
   console.log(chalk.cyan.bold('  Ship Safe Doctor'));
@@ -66,8 +76,8 @@ export async function doctorCommand() {
 
   // 4. API keys
   const apiKeys = [
-    { name: 'Anthropic API key', env: 'ANTHROPIC_API_KEY', required: false },
-    { name: 'OpenAI API key', env: 'OPENAI_API_KEY', required: false },
+    { name: 'Anthropic API key', env: 'ANTHROPIC_API_KEY', required: false }, // ship-safe-ignore — env var names in diagnostic check, no key values
+    { name: 'OpenAI API key', env: 'OPENAI_API_KEY', required: false }, // ship-safe-ignore — env var name in diagnostic check, no key value
     { name: 'Google AI API key', env: 'GOOGLE_API_KEY', required: false },
   ];
   for (const key of apiKeys) {
@@ -115,7 +125,7 @@ export async function doctorCommand() {
     const latest = execFileSync('npm', ['view', 'ship-safe', 'version'], {
       encoding: 'utf-8', timeout: 5000, shell: true,
     }).trim();
-    if (latest && latest !== PACKAGE_VERSION) {
+    if (latest && latest !== PACKAGE_VERSION && isNewerVersion(latest, PACKAGE_VERSION)) {
       const msg = ['v', latest, ' available (current: v', PACKAGE_VERSION, ')'].join('');
       info(msg);
     } else if (latest) {