verimu 0.0.1

package/dist/index.mjs

@@ -0,0 +1,820 @@
+// src/generate-sbom.ts
+import { randomUUID } from "crypto";
+function generateSbom(input) {
+  const {
+    projectName,
+    projectVersion = "0.0.0",
+    dependencies
+  } = input;
+  const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+  const resolvedDeps = dependencies.map((dep) => ({
+    ...dep,
+    direct: dep.direct ?? true,
+    purl: dep.purl ?? buildPurl(dep.name, dep.version, dep.ecosystem)
+  }));
+  const rootPurl = buildPurl(projectName, projectVersion, "npm");
+  const sbom = {
+    $schema: "http://cyclonedx.org/schema/bom-1.7.schema.json",
+    bomFormat: "CycloneDX",
+    specVersion: "1.7",
+    serialNumber: `urn:uuid:${randomUUID()}`,
+    version: 1,
+    metadata: {
+      timestamp,
+      tools: {
+        components: [
+          {
+            type: "application",
+            name: "verimu",
+            version: "0.0.1",
+            description: "Verimu CRA Compliance Scanner",
+            supplier: { name: "Verimu" },
+            externalReferences: [
+              { type: "website", url: "https://verimu.eu" }
+            ]
+          }
+        ]
+      },
+      supplier: { name: projectName },
+      component: {
+        type: "application",
+        name: projectName,
+        version: projectVersion,
+        "bom-ref": rootPurl,
+        supplier: { name: projectName }
+      }
+    },
+    components: resolvedDeps.map((dep) => ({
+      type: "library",
+      name: dep.name,
+      version: dep.version,
+      purl: dep.purl,
+      "bom-ref": dep.purl,
+      scope: dep.direct ? "required" : "optional",
+      supplier: { name: deriveSupplierName(dep.name) }
+    })),
+    dependencies: [
+      {
+        ref: rootPurl,
+        dependsOn: resolvedDeps.map((d) => d.purl)
+      }
+    ]
+  };
+  const content = JSON.stringify(sbom, null, 2);
+  return {
+    sbom,
+    content,
+    componentCount: resolvedDeps.length,
+    specVersion: "1.7",
+    generatedAt: timestamp
+  };
+}
+var PURL_TYPE_MAP = {
+  npm: "npm",
+  nuget: "nuget",
+  cargo: "cargo",
+  maven: "maven",
+  pip: "pypi",
+  go: "golang"
+};
+function buildPurl(name, version, ecosystem) {
+  const type = PURL_TYPE_MAP[ecosystem] || ecosystem;
+  if (ecosystem === "npm" && name.startsWith("@")) {
+    return `pkg:${type}/%40${name.slice(1)}@${version}`;
+  }
+  return `pkg:${type}/${name}@${version}`;
+}
+function deriveSupplierName(packageName) {
+  if (packageName.startsWith("@")) {
+    return packageName.split("/")[0];
+  }
+  return packageName;
+}
+
+// src/scan.ts
+import { writeFile } from "fs/promises";
+
+// src/scanners/npm/npm-scanner.ts
+import { readFile } from "fs/promises";
+import { existsSync } from "fs";
+import path from "path";
+
+// src/core/errors.ts
+var VerimuError = class extends Error {
+  constructor(message, code) {
+    super(message);
+    this.code = code;
+    this.name = "VerimuError";
+  }
+};
+var NoLockfileError = class extends VerimuError {
+  constructor(projectPath) {
+    super(
+      `No supported lockfile found in ${projectPath}. Supported: package-lock.json (npm), packages.lock.json (NuGet), Cargo.lock (Rust)`,
+      "NO_LOCKFILE"
+    );
+    this.name = "NoLockfileError";
+  }
+};
+var LockfileParseError = class extends VerimuError {
+  constructor(lockfilePath, reason) {
+    super(`Failed to parse ${lockfilePath}: ${reason}`, "LOCKFILE_PARSE_ERROR");
+    this.name = "LockfileParseError";
+  }
+};
+var CveSourceError = class extends VerimuError {
+  constructor(source, reason) {
+    super(`CVE source "${source}" failed: ${reason}`, "CVE_SOURCE_ERROR");
+    this.name = "CveSourceError";
+  }
+};
+var ApiKeyRequiredError = class extends VerimuError {
+  constructor(feature) {
+    super(
+      `API key required for "${feature}". Get one at https://verimu.com/dashboard`,
+      "API_KEY_REQUIRED"
+    );
+    this.name = "ApiKeyRequiredError";
+  }
+};
+
+// src/scanners/npm/npm-scanner.ts
+var NpmScanner = class {
+  ecosystem = "npm";
+  lockfileNames = ["package-lock.json"];
+  async detect(projectPath) {
+    const lockfilePath = path.join(projectPath, "package-lock.json");
+    return existsSync(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const [lockfileRaw, packageJsonRaw] = await Promise.all([
+      readFile(lockfilePath, "utf-8"),
+      readFile(path.join(projectPath, "package.json"), "utf-8").catch(() => null)
+    ]);
+    let lockfile;
+    try {
+      lockfile = JSON.parse(lockfileRaw);
+    } catch {
+      throw new LockfileParseError(lockfilePath, "Invalid JSON");
+    }
+    const directNames = /* @__PURE__ */ new Set();
+    if (packageJsonRaw) {
+      try {
+        const pkg = JSON.parse(packageJsonRaw);
+        for (const name of Object.keys(pkg.dependencies ?? {})) {
+          directNames.add(name);
+        }
+        for (const name of Object.keys(pkg.devDependencies ?? {})) {
+          directNames.add(name);
+        }
+      } catch {
+      }
+    }
+    const dependencies = this.parseLockfile(lockfile, directNames);
+    return {
+      projectPath,
+      ecosystem: "npm",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses package-lock.json and extracts dependencies.
+   * Supports lockfile v2 and v3 (uses the `packages` field).
+   * Falls back to `dependencies` field for lockfile v1.
+   */
+  parseLockfile(lockfile, directNames) {
+    const deps = [];
+    if (lockfile.packages) {
+      for (const [pkgPath, pkgInfo] of Object.entries(lockfile.packages)) {
+        if (pkgPath === "") continue;
+        const name = this.extractPackageName(pkgPath);
+        if (!name || !pkgInfo.version) continue;
+        if (pkgInfo.link) continue;
+        deps.push({
+          name,
+          version: pkgInfo.version,
+          direct: directNames.has(name),
+          ecosystem: "npm",
+          purl: this.buildPurl(name, pkgInfo.version)
+        });
+      }
+    } else if (lockfile.dependencies) {
+      this.parseDependenciesV1(lockfile.dependencies, directNames, deps);
+    }
+    return deps;
+  }
+  /**
+   * Builds a purl (Package URL) for an npm package.
+   *
+   * Per the purl spec (https://github.com/package-url/purl-spec/blob/main/types-doc/npm-definition.md):
+   * "The npm scope @ sign prefix is always percent encoded."
+   *
+   * So @types/node@20.11.5 → pkg:npm/%40types/node@20.11.5
+   * And express@4.18.2 → pkg:npm/express@4.18.2
+   */
+  buildPurl(name, version) {
+    if (name.startsWith("@")) {
+      return `pkg:npm/%40${name.slice(1)}@${version}`;
+    }
+    return `pkg:npm/${name}@${version}`;
+  }
+  /** Extracts the package name from a node_modules path */
+  extractPackageName(pkgPath) {
+    const parts = pkgPath.split("node_modules/");
+    const last = parts[parts.length - 1];
+    return last || null;
+  }
+  /** Recursively parses lockfile v1 `dependencies` tree */
+  parseDependenciesV1(depsObj, directNames, result) {
+    for (const [name, info] of Object.entries(depsObj)) {
+      if (info.version) {
+        result.push({
+          name,
+          version: info.version,
+          direct: directNames.has(name),
+          ecosystem: "npm",
+          purl: this.buildPurl(name, info.version)
+        });
+      }
+      if (info.dependencies) {
+        this.parseDependenciesV1(info.dependencies, directNames, result);
+      }
+    }
+  }
+};
+
+// src/scanners/nuget/nuget-scanner.ts
+var NugetScanner = class {
+  ecosystem = "nuget";
+  lockfileNames = ["packages.lock.json"];
+  async detect(_projectPath) {
+    return null;
+  }
+  async scan(_projectPath, _lockfilePath) {
+    throw new Error("NuGet scanner not yet implemented. Coming soon.");
+  }
+};
+
+// src/scanners/cargo/cargo-scanner.ts
+var CargoScanner = class {
+  ecosystem = "cargo";
+  lockfileNames = ["Cargo.lock"];
+  async detect(_projectPath) {
+    return null;
+  }
+  async scan(_projectPath, _lockfilePath) {
+    throw new Error("Cargo scanner not yet implemented. Coming soon.");
+  }
+};
+
+// src/scanners/registry.ts
+var ScannerRegistry = class {
+  scanners;
+  constructor() {
+    this.scanners = [
+      new NpmScanner(),
+      new NugetScanner(),
+      new CargoScanner()
+      // Add new scanners here as they're implemented
+    ];
+  }
+  /**
+   * Auto-detects the project's ecosystem and scans dependencies.
+   * Tries each registered scanner in order until one matches.
+   */
+  async detectAndScan(projectPath) {
+    for (const scanner of this.scanners) {
+      const lockfilePath = await scanner.detect(projectPath);
+      if (lockfilePath) {
+        return scanner.scan(projectPath, lockfilePath);
+      }
+    }
+    throw new NoLockfileError(projectPath);
+  }
+  /** Returns a specific scanner by ecosystem name */
+  getScanner(ecosystem) {
+    return this.scanners.find((s) => s.ecosystem === ecosystem);
+  }
+  /** Lists all registered ecosystems */
+  listEcosystems() {
+    return this.scanners.map((s) => s.ecosystem);
+  }
+};
+
+// src/sbom/cyclonedx.ts
+import { randomUUID as randomUUID2 } from "crypto";
+var CycloneDxGenerator = class {
+  format = "cyclonedx-json";
+  generate(scanResult, toolVersion = "0.1.0") {
+    const bom = this.buildBom(scanResult, toolVersion);
+    const content = JSON.stringify(bom, null, 2);
+    return {
+      format: "cyclonedx-json",
+      specVersion: "1.7",
+      content,
+      componentCount: scanResult.dependencies.length,
+      generatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  buildBom(scanResult, toolVersion) {
+    const projectName = this.extractProjectName(scanResult.projectPath);
+    return {
+      $schema: "http://cyclonedx.org/schema/bom-1.7.schema.json",
+      bomFormat: "CycloneDX",
+      specVersion: "1.7",
+      serialNumber: `urn:uuid:${randomUUID2()}`,
+      version: 1,
+      metadata: {
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        tools: {
+          components: [
+            {
+              type: "application",
+              name: "verimu",
+              version: toolVersion,
+              description: "Verimu CRA Compliance Scanner",
+              supplier: { name: "Verimu" },
+              externalReferences: [
+                {
+                  type: "website",
+                  url: "https://verimu.com"
+                }
+              ]
+            }
+          ]
+        },
+        // NTIA: metadata.supplier — the org supplying the root software
+        supplier: {
+          name: projectName
+        },
+        component: {
+          type: "application",
+          name: projectName,
+          "bom-ref": "root-component",
+          supplier: { name: projectName }
+        }
+      },
+      components: scanResult.dependencies.map((dep) => this.toComponent(dep)),
+      dependencies: this.buildDependencyGraph(scanResult)
+    };
+  }
+  /** Converts a Verimu Dependency to a CycloneDX component */
+  toComponent(dep) {
+    return {
+      type: "library",
+      name: dep.name,
+      version: dep.version,
+      purl: dep.purl,
+      "bom-ref": dep.purl,
+      scope: dep.direct ? "required" : "optional",
+      // NTIA: component.supplier — derived from npm scope or package name
+      supplier: {
+        name: this.deriveSupplierName(dep.name)
+      }
+    };
+  }
+  /**
+   * Derives a supplier name from a package name.
+   *
+   * For scoped packages like "@vue/reactivity" → "@vue"
+   * For unscoped packages like "express" → "express"
+   *
+   * This is the same heuristic used by Syft, Trivy, and other SBOM tools
+   * when registry metadata (author/publisher) isn't available from the lockfile.
+   */
+  deriveSupplierName(packageName) {
+    if (packageName.startsWith("@")) {
+      const scope = packageName.split("/")[0];
+      return scope;
+    }
+    return packageName;
+  }
+  /**
+   * Builds the dependency graph section of the SBOM.
+   *
+   * The root component depends on all dependencies (direct + transitive).
+   * This ensures a single root node in the graph, which NTIA validators expect.
+   *
+   * We include ALL deps under root (not just direct) because from a flat lockfile
+   * we can't reliably reconstruct which transitive dep belongs to which direct dep.
+   * This is still valid per the CycloneDX spec — it represents a complete but flat
+   * dependency relationship.
+   */
+  buildDependencyGraph(scanResult) {
+    const allDepPurls = scanResult.dependencies.map((d) => d.purl);
+    return [
+      {
+        ref: "root-component",
+        dependsOn: allDepPurls
+      }
+    ];
+  }
+  /** Extracts project name from path */
+  extractProjectName(projectPath) {
+    const parts = projectPath.replace(/\\/g, "/").split("/");
+    return parts[parts.length - 1] || "unknown-project";
+  }
+};
+
+// src/cve/osv.ts
+var OSV_API_BASE = "https://api.osv.dev/v1";
+var BATCH_SIZE = 1e3;
+var OsvSource = class {
+  sourceId = "osv";
+  name = "OSV.dev (Google Open Source Vulnerabilities)";
+  fetchFn;
+  constructor(fetchImpl) {
+    this.fetchFn = fetchImpl ?? globalThis.fetch;
+  }
+  async checkDependencies(dependencies) {
+    if (dependencies.length === 0) return [];
+    const allVulns = [];
+    for (let i = 0; i < dependencies.length; i += BATCH_SIZE) {
+      const batch = dependencies.slice(i, i + BATCH_SIZE);
+      const batchVulns = await this.queryBatch(batch);
+      allVulns.push(...batchVulns);
+    }
+    return allVulns;
+  }
+  /** Uses OSV's /querybatch endpoint for efficient bulk lookups */
+  async queryBatch(dependencies) {
+    const queries = dependencies.map((dep) => ({
+      version: dep.version,
+      package: {
+        name: dep.name,
+        ecosystem: this.mapEcosystem(dep.ecosystem)
+      }
+    }));
+    const response = await this.fetchFn(`${OSV_API_BASE}/querybatch`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ queries })
+    });
+    if (!response.ok) {
+      throw new Error(`OSV API error: ${response.status} ${response.statusText}`);
+    }
+    const data = await response.json();
+    const vulnerabilities = [];
+    for (let i = 0; i < data.results.length; i++) {
+      const result = data.results[i];
+      const dep = dependencies[i];
+      if (result.vulns && result.vulns.length > 0) {
+        for (const vuln of result.vulns) {
+          vulnerabilities.push(this.mapVulnerability(vuln, dep));
+        }
+      }
+    }
+    return vulnerabilities;
+  }
+  /** Maps an OSV vulnerability record to our Vulnerability type */
+  mapVulnerability(osvVuln, dep) {
+    const cveId = this.extractCveId(osvVuln);
+    const severity = this.extractSeverity(osvVuln);
+    return {
+      id: cveId || osvVuln.id,
+      aliases: Array.from(/* @__PURE__ */ new Set([osvVuln.id, ...osvVuln.aliases ?? []])),
+      summary: osvVuln.summary ?? osvVuln.details?.slice(0, 200) ?? "No description available",
+      severity: severity.level,
+      cvssScore: severity.score,
+      packageName: dep.name,
+      ecosystem: dep.ecosystem,
+      affectedVersionRange: this.extractAffectedRange(osvVuln, dep.name),
+      fixedVersion: this.extractFixedVersion(osvVuln, dep.name),
+      exploitedInWild: false,
+      // OSV doesn't track this — CISA KEV does
+      source: "osv",
+      referenceUrl: `https://osv.dev/vulnerability/${osvVuln.id}`,
+      publishedAt: osvVuln.published
+    };
+  }
+  /** Extracts CVE ID from aliases (prefers CVE-xxxx over GHSA-xxxx) */
+  extractCveId(vuln) {
+    if (vuln.id.startsWith("CVE-")) return vuln.id;
+    if (vuln.aliases) {
+      const cve = vuln.aliases.find((a) => a.startsWith("CVE-"));
+      if (cve) return cve;
+    }
+    return null;
+  }
+  /** Extracts severity from CVSS scores in the OSV record */
+  extractSeverity(vuln) {
+    if (vuln.severity && vuln.severity.length > 0) {
+      for (const sev of vuln.severity) {
+        if (sev.type === "CVSS_V3") {
+          const score = this.parseCvssScore(sev.score);
+          if (score !== null) {
+            return { level: this.scoreToSeverity(score), score };
+          }
+        }
+      }
+    }
+    if (vuln.database_specific?.severity) {
+      const s = vuln.database_specific.severity.toUpperCase();
+      if (["CRITICAL", "HIGH", "MEDIUM", "LOW"].includes(s)) {
+        return { level: s };
+      }
+    }
+    return { level: "UNKNOWN" };
+  }
+  /** Parses CVSS v3 vector string to extract the base score */
+  parseCvssScore(vectorOrScore) {
+    const num = parseFloat(vectorOrScore);
+    if (!isNaN(num) && num >= 0 && num <= 10) return num;
+    return null;
+  }
+  /** Converts a CVSS score (0-10) to a severity level */
+  scoreToSeverity(score) {
+    if (score >= 9) return "CRITICAL";
+    if (score >= 7) return "HIGH";
+    if (score >= 4) return "MEDIUM";
+    if (score > 0) return "LOW";
+    return "UNKNOWN";
+  }
+  /** Extracts affected version range for a specific package */
+  extractAffectedRange(vuln, packageName) {
+    if (!vuln.affected) return void 0;
+    for (const affected of vuln.affected) {
+      if (affected.package?.name === packageName && affected.ranges) {
+        for (const range of affected.ranges) {
+          if (range.events) {
+            const introduced = range.events.find((e) => e.introduced)?.introduced;
+            const fixed = range.events.find((e) => e.fixed)?.fixed;
+            if (introduced && fixed) return `>=${introduced}, <${fixed}`;
+            if (introduced) return `>=${introduced}`;
+          }
+        }
+      }
+    }
+    return void 0;
+  }
+  /** Extracts the fixed version for a specific package */
+  extractFixedVersion(vuln, packageName) {
+    if (!vuln.affected) return void 0;
+    for (const affected of vuln.affected) {
+      if (affected.package?.name === packageName && affected.ranges) {
+        for (const range of affected.ranges) {
+          if (range.events) {
+            const fixed = range.events.find((e) => e.fixed)?.fixed;
+            if (fixed) return fixed;
+          }
+        }
+      }
+    }
+    return void 0;
+  }
+  /** Maps our ecosystem names to OSV ecosystem names */
+  mapEcosystem(ecosystem) {
+    const map = {
+      npm: "npm",
+      nuget: "NuGet",
+      cargo: "crates.io",
+      maven: "Maven",
+      pip: "PyPI",
+      go: "Go"
+    };
+    return map[ecosystem] ?? ecosystem;
+  }
+};
+
+// src/cve/aggregator.ts
+var CveAggregator = class {
+  sources;
+  constructor(sources) {
+    this.sources = sources ?? [
+      new OsvSource()
+      // Future: new NvdSource(), new EuvdSource(), new CisaKevSource()
+    ];
+  }
+  /**
+   * Checks dependencies against all registered CVE sources.
+   * Runs sources in parallel and merges/deduplicates results.
+   */
+  async check(dependencies) {
+    const startTime = Date.now();
+    const sourcesQueried = [];
+    const sourceErrors = [];
+    const allVulns = [];
+    const results = await Promise.allSettled(
+      this.sources.map(async (source) => {
+        const vulns = await source.checkDependencies(dependencies);
+        return { sourceId: source.sourceId, vulns };
+      })
+    );
+    for (const result of results) {
+      if (result.status === "fulfilled") {
+        sourcesQueried.push(result.value.sourceId);
+        allVulns.push(...result.value.vulns);
+      } else {
+        const sourceIndex = results.indexOf(result);
+        const sourceId = this.sources[sourceIndex].sourceId;
+        sourceErrors.push({
+          source: sourceId,
+          error: result.reason instanceof Error ? result.reason.message : String(result.reason)
+        });
+      }
+    }
+    const deduplicated = this.deduplicateVulnerabilities(allVulns);
+    return {
+      vulnerabilities: deduplicated,
+      sourcesQueried,
+      sourceErrors,
+      checkDurationMs: Date.now() - startTime
+    };
+  }
+  /**
+   * Deduplicates vulnerabilities by ID.
+   * When the same CVE appears from multiple sources,
+   * keeps the one with more complete data (has CVSS score, has fix version, etc.)
+   */
+  deduplicateVulnerabilities(vulns) {
+    const byKey = /* @__PURE__ */ new Map();
+    for (const vuln of vulns) {
+      const key = `${vuln.id}::${vuln.packageName}`;
+      const existing = byKey.get(key);
+      if (!existing) {
+        byKey.set(key, vuln);
+      } else {
+        byKey.set(key, this.pickBetterEntry(existing, vuln));
+      }
+    }
+    return Array.from(byKey.values());
+  }
+  /** Picks the vulnerability entry with more complete data */
+  pickBetterEntry(a, b) {
+    let scoreA = 0;
+    let scoreB = 0;
+    if (a.cvssScore !== void 0) scoreA++;
+    if (b.cvssScore !== void 0) scoreB++;
+    if (a.fixedVersion) scoreA++;
+    if (b.fixedVersion) scoreB++;
+    if (a.affectedVersionRange) scoreA++;
+    if (b.affectedVersionRange) scoreB++;
+    if (a.severity !== "UNKNOWN") scoreA++;
+    if (b.severity !== "UNKNOWN") scoreB++;
+    const strip = (obj) => Object.fromEntries(Object.entries(obj).filter(([, v]) => v !== void 0 && v !== null));
+    const winner = scoreB > scoreA ? { ...strip(a), ...strip(b) } : { ...strip(b), ...strip(a) };
+    const allAliases = /* @__PURE__ */ new Set([...a.aliases, ...b.aliases]);
+    winner.aliases = Array.from(allAliases);
+    winner.exploitedInWild = a.exploitedInWild || b.exploitedInWild;
+    return winner;
+  }
+};
+
+// src/reporters/console.ts
+var ConsoleReporter = class {
+  name = "console";
+  report(result) {
+    const lines = [];
+    lines.push("");
+    lines.push("\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510");
+    lines.push("\u2502          VERIMU CRA COMPLIANCE SCAN         \u2502");
+    lines.push("\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518");
+    lines.push("");
+    lines.push(`  Project:      ${result.project.path}`);
+    lines.push(`  Ecosystem:    ${result.project.ecosystem}`);
+    lines.push(`  Dependencies: ${result.project.dependencyCount}`);
+    lines.push(`  Scanned at:   ${result.generatedAt}`);
+    lines.push("");
+    lines.push(`  \u2713 SBOM generated (${result.sbom.format}, ${result.sbom.specVersion})`);
+    lines.push(`    Components: ${result.sbom.componentCount}`);
+    lines.push("");
+    const vulns = result.cveCheck.vulnerabilities;
+    if (vulns.length === 0) {
+      lines.push("  \u2713 No known vulnerabilities found");
+    } else {
+      lines.push(`  \u26A0 ${vulns.length} vulnerabilit${vulns.length === 1 ? "y" : "ies"} found:`);
+      lines.push("");
+      const sorted = [...vulns].sort((a, b) => severityOrder(a.severity) - severityOrder(b.severity));
+      for (const vuln of sorted) {
+        const badge = severityBadge(vuln.severity);
+        const fix = vuln.fixedVersion ? ` \u2192 fix: ${vuln.fixedVersion}` : "";
+        lines.push(`    ${badge}  ${vuln.id}`);
+        lines.push(`           ${vuln.packageName}@${vuln.affectedVersionRange ?? "?"}${fix}`);
+        lines.push(`           ${vuln.summary.slice(0, 100)}`);
+        if (vuln.exploitedInWild) {
+          lines.push(`           \u{1F534} ACTIVELY EXPLOITED \u2014 24h CRA reporting required`);
+        }
+        lines.push("");
+      }
+    }
+    const sources = result.cveCheck.sourcesQueried.join(", ");
+    lines.push(`  Sources queried: ${sources} (${result.cveCheck.checkDurationMs}ms)`);
+    if (result.cveCheck.sourceErrors.length > 0) {
+      for (const err of result.cveCheck.sourceErrors) {
+        lines.push(`  \u26A0 ${err.source}: ${err.error}`);
+      }
+    }
+    lines.push("");
+    lines.push("  \u2500\u2500\u2500 Summary \u2500\u2500\u2500");
+    lines.push(`  Total: ${result.summary.totalVulnerabilities}  |  Critical: ${result.summary.critical}  |  High: ${result.summary.high}  |  Medium: ${result.summary.medium}  |  Low: ${result.summary.low}`);
+    if (result.summary.exploitedInWild > 0) {
+      lines.push(`  \u{1F534} ${result.summary.exploitedInWild} actively exploited \u2014 immediate action required`);
+    }
+    lines.push("");
+    return lines.join("\n");
+  }
+};
+function severityOrder(s) {
+  const order = {
+    CRITICAL: 0,
+    HIGH: 1,
+    MEDIUM: 2,
+    LOW: 3,
+    UNKNOWN: 4
+  };
+  return order[s] ?? 5;
+}
+function severityBadge(s) {
+  const badges = {
+    CRITICAL: "[CRIT]",
+    HIGH: "[HIGH]",
+    MEDIUM: "[MED] ",
+    LOW: "[LOW] ",
+    UNKNOWN: "[???] "
+  };
+  return badges[s] ?? "[???] ";
+}
+
+// src/scan.ts
+async function scan(config) {
+  const {
+    projectPath,
+    sbomOutput = "./sbom.cdx.json",
+    skipCveCheck = false
+  } = config;
+  const registry = new ScannerRegistry();
+  const scanResult = await registry.detectAndScan(projectPath);
+  const sbomGenerator = new CycloneDxGenerator();
+  const sbom = sbomGenerator.generate(scanResult);
+  await writeFile(sbomOutput, sbom.content, "utf-8");
+  let cveCheck;
+  if (skipCveCheck) {
+    cveCheck = {
+      vulnerabilities: [],
+      sourcesQueried: [],
+      sourceErrors: [],
+      checkDurationMs: 0
+    };
+  } else {
+    const aggregator = new CveAggregator();
+    cveCheck = await aggregator.check(scanResult.dependencies);
+  }
+  const summary = {
+    totalDependencies: scanResult.dependencies.length,
+    totalVulnerabilities: cveCheck.vulnerabilities.length,
+    critical: cveCheck.vulnerabilities.filter((v) => v.severity === "CRITICAL").length,
+    high: cveCheck.vulnerabilities.filter((v) => v.severity === "HIGH").length,
+    medium: cveCheck.vulnerabilities.filter((v) => v.severity === "MEDIUM").length,
+    low: cveCheck.vulnerabilities.filter((v) => v.severity === "LOW").length,
+    exploitedInWild: cveCheck.vulnerabilities.filter((v) => v.exploitedInWild).length
+  };
+  const report = {
+    project: {
+      path: projectPath,
+      ecosystem: scanResult.ecosystem,
+      dependencyCount: scanResult.dependencies.length
+    },
+    sbom,
+    cveCheck,
+    summary,
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  return report;
+}
+function shouldFailCi(report, threshold) {
+  const severityOrder2 = {
+    CRITICAL: 0,
+    HIGH: 1,
+    MEDIUM: 2,
+    LOW: 3,
+    UNKNOWN: 4
+  };
+  const thresholdLevel = severityOrder2[threshold] ?? 4;
+  return report.cveCheck.vulnerabilities.some(
+    (v) => severityOrder2[v.severity] <= thresholdLevel
+  );
+}
+function printReport(report) {
+  const reporter = new ConsoleReporter();
+  console.log(reporter.report(report));
+}
+export {
+  ApiKeyRequiredError,
+  ConsoleReporter,
+  CveAggregator,
+  CveSourceError,
+  CycloneDxGenerator,
+  LockfileParseError,
+  NoLockfileError,
+  NpmScanner,
+  OsvSource,
+  ScannerRegistry,
+  VerimuError,
+  generateSbom,
+  printReport,
+  scan,
+  shouldFailCi
+};
+//# sourceMappingURL=index.mjs.map