verimu 0.0.13 → 0.0.15
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +34 -2
- package/dist/cli.js +14890 -11
- package/dist/cli.js.map +1 -1
- package/dist/index.cjs +14859 -21
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +158 -1
- package/dist/index.d.ts +158 -1
- package/dist/index.mjs +14865 -5
- package/dist/index.mjs.map +1 -1
- package/package.json +5 -2
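Review bot: the three dist bundles (`cli.js`, `index.cjs`, `index.mjs`) each grow by roughly 14.9k lines while `package.json` changes by only +5 -2, so nearly all of this release is newly bundled code that the README hunks below do not show. Please confirm that the bundled additions correspond to the dependency changes declared in `package.json` (the parser libraries named in the README's Analyzer Matrix) and that nothing else was vendored in, since the dist code is what actually executes when the CLI runs inside CI.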
package/README.md
CHANGED
|
@@ -1,10 +1,16 @@
|
|
|
1
1
|
# verimu
|
|
2
2
|
|
|
3
|
-
The
|
|
3
|
+
The infrastructure layer that makes CRA compliance easier to manage in engineering workflows.
|
|
4
|
+
`verimu` helps teams automate SBOM generation, dependency intelligence, and vulnerability visibility across CI/CD pipelines.
|
|
4
5
|
|
|
5
6
|
## Documentation and Website
|
|
6
7
|
|
|
7
|
-
[https://verimu.com](https://verimu.com)
|
|
8
|
+
- Website + documentation: [https://verimu.com](https://verimu.com)
|
|
9
|
+
- npm package: [https://www.npmjs.com/package/verimu](https://www.npmjs.com/package/verimu)
|
|
10
|
+
|
|
11
|
+
## App Platform
|
|
12
|
+
|
|
13
|
+
- [https://app.verimu.com](https://app.verimu.com)
|
|
8
14
|
|
|
9
15
|
## Supported CI / CD Platforms
|
|
10
16
|
|
|
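Review bot: the new `## App Platform` section (new lines 11-13) is a bare link with no sentence saying what the app is or how it relates to the CLI, e.g. whether the CLI sends SBOMs or scan results to it. A one-line description would let readers decide up front whether any CI data leaves their environment.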
@@ -28,6 +34,32 @@ Example CI configs are provided in the `ci-examples/` directory.
|
|
|
28
34
|
- [x] Ruby (Gemfile.lock)
|
|
29
35
|
- [x] Composer (composer.lock)
|
|
30
36
|
|
|
37
|
+
## Usage Context Analysis (Vulnerable Package Evidence)
|
|
38
|
+
|
|
39
|
+
When CVEs are found, `verimu` now runs a usage-context stage that scans source code and records where vulnerable packages appear (imports/requires and nearby call sites).
|
|
40
|
+
This stage is fail-open (non-fatal), and writes a machine-friendly artifact beside the SBOM:
|
|
41
|
+
|
|
42
|
+
- `*.usage-context.json`
|
|
43
|
+
|
|
44
|
+
You can configure snippet context size with:
|
|
45
|
+
|
|
46
|
+
- `--context-lines <n>` (default `4`, clamped to `0..20`)
|
|
47
|
+
- Programmatic API: `numContextLines?: number` in `scan()` config
|
|
48
|
+
|
|
49
|
+
### Analyzer Matrix
|
|
50
|
+
|
|
51
|
+
| Ecosystem in Verimu | Primary parser choice | Tree-sitter fallback | v1 evidence target |
|
|
52
|
+
|---|---|---|---|
|
|
53
|
+
| npm / yarn / pnpm | `@babel/parser` + `@babel/traverse` | `tree-sitter-javascript` + `tree-sitter-typescript` | imports/requires + nearby calls |
|
|
54
|
+
| deno | `@babel/parser` (JS/TS/TSX + specifier handling) | same JS/TS tree-sitter fallback | import and call evidence |
|
|
55
|
+
| pip / poetry / uv | Python stdlib `ast` (`python3`) | `tree-sitter-python` | import/from-import + call evidence |
|
|
56
|
+
| maven | `java-parser` | `tree-sitter-java` | import + method invocation evidence |
|
|
57
|
+
| nuget | Roslyn helper (`dotnet` + `Microsoft.CodeAnalysis.CSharp`) | `tree-sitter-c-sharp` | `using` + invocation evidence |
|
|
58
|
+
| cargo | Rust helper using `syn` | `tree-sitter-rust` | `use` + function/method call evidence |
|
|
59
|
+
| go | `go/parser` + `go/ast` | `tree-sitter-go` | import + selector/call evidence |
|
|
60
|
+
| ruby | stdlib `Ripper` (`ruby`) | `tree-sitter-ruby` | require/include + call evidence |
|
|
61
|
+
| composer (PHP) | `php-parser` | `tree-sitter-php` | `use`/`require` + call evidence |
|
|
62
|
+
|
|
31
63
|
## Development
|
|
32
64
|
|
|
33
65
|
To run the tests, use:
|
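Review bot: new line 40 says the usage-context stage is fail-open (non-fatal) but the section does not say how a failed or skipped analysis is surfaced; suggest documenting whether the `*.usage-context.json` artifact is still written in that case and whether a status field distinguishes "no usage found" from "analysis did not run", otherwise consumers will read an empty artifact as a clean result. The same artifact carries source-code excerpts (up to 20 lines of context around each import or call site, per `--context-lines`), which is worth calling out explicitly since teams that archive or upload SBOM artifacts may not expect source snippets beside them. The Analyzer Matrix names external toolchains for the primary parsers (`python3`, `dotnet`, `ruby`, a Rust helper using `syn`); the text should state what happens when they are missing and what triggers the tree-sitter fallback, since the "machine-friendly" output will differ by environment.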