verimu 0.0.13 → 0.0.15
- package/README.md +34 -2
- package/dist/cli.js +14890 -11
- package/dist/cli.js.map +1 -1
- package/dist/index.cjs +14859 -21
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +158 -1
- package/dist/index.d.ts +158 -1
- package/dist/index.mjs +14865 -5
- package/dist/index.mjs.map +1 -1
- package/package.json +5 -2
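--- a/package/dist/index.d.cts
+++ b/package/dist/index.d.cts
@@ -108,6 +108,108 @@ interface CveCheckResult {
 /** Total time taken for all checks (ms) */
 checkDurationMs: number;
 }
+/** How confidently a vulnerable package is used in source code */
+type UsageContextStatus = 'direct_evidence' | 'indirect_no_evidence' | 'unsupported' | 'analysis_error';
+/** Match categories for usage snippets */
+type UsageSnippetMatchKind = 'import' | 'require' | 'dynamic_import' | 'export_from' | 'call';
+/** A code snippet where a vulnerable package appears to be used */
+interface UsageSnippet {
+/** Project-relative path to the file */
+filePath: string;
+/** 1-based start line of the snippet in source file */
+startLine: number;
+/** 1-based end line of the snippet in source file */
+endLine: number;
+/** Snippet text including context lines */
+code: string;
+/** Kind of syntax match */
+matchKind: UsageSnippetMatchKind;
+/** Called symbol if this snippet is a call-site match */
+calledSymbol?: string;
+/** Confidence score in [0, 1] */
+confidence: number;
+}
+/** Usage-context outcome for one vulnerability */
+interface UsageContextVulnerabilityFinding {
+/** Vulnerability identifier (CVE/GHSA/etc.) */
+vulnerabilityId: string;
+/** Package name that is vulnerable */
+packageName: string;
+/** Ecosystem the package belongs to */
+ecosystem: Ecosystem;
+/** Whether dependency scanner marked it as direct, if known */
+directDependency: boolean | null;
+/** Resolution status for this package usage */
+status: UsageContextStatus;
+/** Matched snippets for this vulnerable package */
+snippets: UsageSnippet[];
+/** Number of snippets in this finding */
+evidenceCount: number;
+/** Optional explanatory note */
+notes?: string;
+}
+/** LLM-friendly usage context payload for one vulnerability */
+interface UsageContextLlmPayload {
+vulnerability: {
+id: string;
+aliases: string[];
+severity: Severity;
+summary: string;
+affectedVersionRange?: string;
+fixedVersion?: string;
+referenceUrl?: string;
+};
+package: {
+name: string;
+ecosystem: Ecosystem;
+directDependency: boolean | null;
+};
+status: UsageContextStatus;
+evidenceCount: number;
+snippets: UsageSnippet[];
+notes?: string;
+}
+/** Analyzer-level status summary for one ecosystem */
+interface UsageContextEcosystemStatus {
+ecosystem: Ecosystem;
+analyzer: string;
+status: 'analyzed' | 'unsupported' | 'error';
+vulnerablePackages: number;
+snippetsFound: number;
+note?: string;
+}
+/** Non-fatal usage-context analysis error */
+interface UsageContextError {
+analyzer: string;
+ecosystem?: Ecosystem;
+packageName?: string;
+error: string;
+}
+/** Complete usage-context output for a scan */
+interface UsageContextResult {
+/** Whether usage analysis was executed */
+triggered: boolean;
+/** Scan duration in milliseconds */
+durationMs: number;
+/** Effective context lines setting (±N around each match) */
+numContextLines: number;
+/** Package-level snippet cap */
+maxSnippetsPerPackage: number;
+/** Global snippet cap */
+maxSnippetsTotal: number;
+/** Total snippets emitted */
+totalSnippets: number;
+/** Artifact path if written to disk */
+artifactPath?: string;
+/** Per-vulnerability findings */
+packageFindings: UsageContextVulnerabilityFinding[];
+/** Ecosystem-level analyzer status */
+ecosystemStatus: UsageContextEcosystemStatus[];
+/** Non-fatal analysis errors */
+errors: UsageContextError[];
+/** LLM-ready payload entries */
+llmPayload: UsageContextLlmPayload[];
+}
 /** Complete output of a Verimu scan */
 interface VerimuReport {
 /** Project info */
@@ -122,6 +224,8 @@ interface VerimuReport {
 artifacts?: SbomArtifacts;
 /** CVE check results */
 cveCheck: CveCheckResult;
+/** Optional usage-context analysis for vulnerable packages */
+usageContext?: UsageContextResult;
 /** Overall summary */
 summary: {
 totalDependencies: number;
@@ -155,6 +259,8 @@ interface VerimuConfig {
 apiBaseUrl?: string;
 /** Skip CVE checking (just generate SBOM) */
 skipCveCheck?: boolean;
+/** Optional context lines around usage snippets (default: 4, clamped to 0..20) */
+numContextLines?: number;
 }
 /** Input for the pure `generateSbom()` function */
 interface GenerateSbomInput {
@@ -315,6 +421,7 @@ interface SbomUploadBundle {
 cyclonedx: Record<string, unknown>;
 spdx?: Record<string, unknown>;
 swid?: string;
+usage_context?: Omit<UsageContextResult, 'artifactPath'>;
 }
 declare class VerimuApiClient {
 private readonly baseUrl;
@@ -1321,4 +1428,54 @@ declare class ConsoleReporter implements Reporter {
 report(result: VerimuReport): string;
 }
 
-
+interface VulnerablePackageInput {
+packageName: string;
+ecosystem: Ecosystem;
+directDependency: boolean | null;
+vulnerabilities: Vulnerability[];
+}
+interface PackageAnalysisResult {
+packageName: string;
+ecosystem: Ecosystem;
+status: UsageContextStatus;
+snippets: UsageSnippet[];
+notes?: string;
+}
+interface AnalyzerRunContext {
+projectPath: string;
+ecosystem: Ecosystem;
+packages: VulnerablePackageInput[];
+numContextLines: number;
+maxSnippetsPerPackage: number;
+maxSnippetsTotal: number;
+}
+interface AnalyzerRunResult {
+packages: PackageAnalysisResult[];
+errors: UsageContextError[];
+snippetsProduced: number;
+}
+interface UsageContextAnalyzer {
+readonly name: string;
+supports(ecosystem: Ecosystem): boolean;
+analyze(context: AnalyzerRunContext): Promise<AnalyzerRunResult>;
+}
+
+interface UsageContextEngineInput {
+projectPath: string;
+dependencies: Dependency[];
+vulnerabilities: Vulnerability[];
+numContextLines?: number;
+maxSnippetsPerPackage?: number;
+maxSnippetsTotal?: number;
+}
+declare class UsageContextEngine {
+private readonly analyzers;
+constructor(analyzers?: UsageContextAnalyzer[]);
+analyze(input: UsageContextEngineInput): Promise<UsageContextResult>;
+private addFindingsForPackage;
+private buildVulnerablePackages;
+private pickAnalyzer;
+private normalizePositiveInt;
+}
+
+export { ApiKeyRequiredError, CargoScanner, type CiProvider, ComposerScanner, ConsoleReporter, CveAggregator, type CveCheckResult, CveSourceError, CycloneDxGenerator, DenoScanner, type Dependency, type Ecosystem, type GenerateSbomInput, type GenerateSbomResult, type GenerateSpdxSbomResult, type GenerateSwidTagResult, GoScanner, LockfileParseError, MavenScanner, NoLockfileError, NpmScanner, NugetScanner, OsvSource, PipScanner, PnpmScanner, RubyScanner, type Sbom, type SbomArtifacts, type SbomDependency, type SbomFormat, type ScanResult, ScannerRegistry, type Severity, SpdxJsonGenerator, SwidTagGenerator, type UploadResult, type UsageContextEcosystemStatus, UsageContextEngine, type UsageContextError, type UsageContextLlmPayload, type UsageContextResult, type UsageContextStatus, type UsageContextVulnerabilityFinding, type UsageSnippet, type UsageSnippetMatchKind, VerimuApiClient, type VerimuConfig, VerimuError, type VerimuReport, type Vulnerability, type VulnerabilitySource, YarnScanner, generateSbom, generateSbomArtifacts, generateSpdxSbom, generateSwidTag, printReport, scan, shouldFailCi, uploadToVerimu };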
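Review bot: The new `usage_context?: Omit<UsageContextResult, 'artifactPath'>` member of `SbomUploadBundle` (hunk at old line 315) has no doc comment, and it is the one place in this declaration file where raw source text leaves the project: `UsageContextResult.packageFindings[].snippets[]` and `llmPayload[].snippets[]` carry `UsageSnippet.code` (the match plus up to 20 context lines per `VerimuConfig.numContextLines`) together with project-relative `filePath`s, while `Omit` only strips the local `artifactPath`. Consumers reading `VerimuConfig` see `numContextLines` but no documented way to keep snippets out of the upload, so the type surface should at least say what is transmitted; I would add `/** Usage-context findings sent with the SBOM; includes raw source excerpts (UsageSnippet.code) and project-relative file paths */` above `usage_context`. Whether an opt-out exists in the implementation cannot be told from these declarations, so the comment should be checked against the upload code. The same hunk appears in `package/dist/index.d.ts` below, and since both files are build output the comment belongs on the source declaration they are generated from.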
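--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -108,6 +108,108 @@ interface CveCheckResult {
 /** Total time taken for all checks (ms) */
 checkDurationMs: number;
 }
+/** How confidently a vulnerable package is used in source code */
+type UsageContextStatus = 'direct_evidence' | 'indirect_no_evidence' | 'unsupported' | 'analysis_error';
+/** Match categories for usage snippets */
+type UsageSnippetMatchKind = 'import' | 'require' | 'dynamic_import' | 'export_from' | 'call';
+/** A code snippet where a vulnerable package appears to be used */
+interface UsageSnippet {
+/** Project-relative path to the file */
+filePath: string;
+/** 1-based start line of the snippet in source file */
+startLine: number;
+/** 1-based end line of the snippet in source file */
+endLine: number;
+/** Snippet text including context lines */
+code: string;
+/** Kind of syntax match */
+matchKind: UsageSnippetMatchKind;
+/** Called symbol if this snippet is a call-site match */
+calledSymbol?: string;
+/** Confidence score in [0, 1] */
+confidence: number;
+}
+/** Usage-context outcome for one vulnerability */
+interface UsageContextVulnerabilityFinding {
+/** Vulnerability identifier (CVE/GHSA/etc.) */
+vulnerabilityId: string;
+/** Package name that is vulnerable */
+packageName: string;
+/** Ecosystem the package belongs to */
+ecosystem: Ecosystem;
+/** Whether dependency scanner marked it as direct, if known */
+directDependency: boolean | null;
+/** Resolution status for this package usage */
+status: UsageContextStatus;
+/** Matched snippets for this vulnerable package */
+snippets: UsageSnippet[];
+/** Number of snippets in this finding */
+evidenceCount: number;
+/** Optional explanatory note */
+notes?: string;
+}
+/** LLM-friendly usage context payload for one vulnerability */
+interface UsageContextLlmPayload {
+vulnerability: {
+id: string;
+aliases: string[];
+severity: Severity;
+summary: string;
+affectedVersionRange?: string;
+fixedVersion?: string;
+referenceUrl?: string;
+};
+package: {
+name: string;
+ecosystem: Ecosystem;
+directDependency: boolean | null;
+};
+status: UsageContextStatus;
+evidenceCount: number;
+snippets: UsageSnippet[];
+notes?: string;
+}
+/** Analyzer-level status summary for one ecosystem */
+interface UsageContextEcosystemStatus {
+ecosystem: Ecosystem;
+analyzer: string;
+status: 'analyzed' | 'unsupported' | 'error';
+vulnerablePackages: number;
+snippetsFound: number;
+note?: string;
+}
+/** Non-fatal usage-context analysis error */
+interface UsageContextError {
+analyzer: string;
+ecosystem?: Ecosystem;
+packageName?: string;
+error: string;
+}
+/** Complete usage-context output for a scan */
+interface UsageContextResult {
+/** Whether usage analysis was executed */
+triggered: boolean;
+/** Scan duration in milliseconds */
+durationMs: number;
+/** Effective context lines setting (±N around each match) */
+numContextLines: number;
+/** Package-level snippet cap */
+maxSnippetsPerPackage: number;
+/** Global snippet cap */
+maxSnippetsTotal: number;
+/** Total snippets emitted */
+totalSnippets: number;
+/** Artifact path if written to disk */
+artifactPath?: string;
+/** Per-vulnerability findings */
+packageFindings: UsageContextVulnerabilityFinding[];
+/** Ecosystem-level analyzer status */
+ecosystemStatus: UsageContextEcosystemStatus[];
+/** Non-fatal analysis errors */
+errors: UsageContextError[];
+/** LLM-ready payload entries */
+llmPayload: UsageContextLlmPayload[];
+}
 /** Complete output of a Verimu scan */
 interface VerimuReport {
 /** Project info */
@@ -122,6 +224,8 @@ interface VerimuReport {
 artifacts?: SbomArtifacts;
 /** CVE check results */
 cveCheck: CveCheckResult;
+/** Optional usage-context analysis for vulnerable packages */
+usageContext?: UsageContextResult;
 /** Overall summary */
 summary: {
 totalDependencies: number;
@@ -155,6 +259,8 @@ interface VerimuConfig {
 apiBaseUrl?: string;
 /** Skip CVE checking (just generate SBOM) */
 skipCveCheck?: boolean;
+/** Optional context lines around usage snippets (default: 4, clamped to 0..20) */
+numContextLines?: number;
 }
 /** Input for the pure `generateSbom()` function */
 interface GenerateSbomInput {
@@ -315,6 +421,7 @@ interface SbomUploadBundle {
 cyclonedx: Record<string, unknown>;
 spdx?: Record<string, unknown>;
 swid?: string;
+usage_context?: Omit<UsageContextResult, 'artifactPath'>;
 }
 declare class VerimuApiClient {
 private readonly baseUrl;
@@ -1321,4 +1428,54 @@ declare class ConsoleReporter implements Reporter {
 report(result: VerimuReport): string;
 }
 
-
+interface VulnerablePackageInput {
+packageName: string;
+ecosystem: Ecosystem;
+directDependency: boolean | null;
+vulnerabilities: Vulnerability[];
+}
+interface PackageAnalysisResult {
+packageName: string;
+ecosystem: Ecosystem;
+status: UsageContextStatus;
+snippets: UsageSnippet[];
+notes?: string;
+}
+interface AnalyzerRunContext {
+projectPath: string;
+ecosystem: Ecosystem;
+packages: VulnerablePackageInput[];
+numContextLines: number;
+maxSnippetsPerPackage: number;
+maxSnippetsTotal: number;
+}
+interface AnalyzerRunResult {
+packages: PackageAnalysisResult[];
+errors: UsageContextError[];
+snippetsProduced: number;
+}
+interface UsageContextAnalyzer {
+readonly name: string;
+supports(ecosystem: Ecosystem): boolean;
+analyze(context: AnalyzerRunContext): Promise<AnalyzerRunResult>;
+}
+
+interface UsageContextEngineInput {
+projectPath: string;
+dependencies: Dependency[];
+vulnerabilities: Vulnerability[];
+numContextLines?: number;
+maxSnippetsPerPackage?: number;
+maxSnippetsTotal?: number;
+}
+declare class UsageContextEngine {
+private readonly analyzers;
+constructor(analyzers?: UsageContextAnalyzer[]);
+analyze(input: UsageContextEngineInput): Promise<UsageContextResult>;
+private addFindingsForPackage;
+private buildVulnerablePackages;
+private pickAnalyzer;
+private normalizePositiveInt;
+}
+
+export { ApiKeyRequiredError, CargoScanner, type CiProvider, ComposerScanner, ConsoleReporter, CveAggregator, type CveCheckResult, CveSourceError, CycloneDxGenerator, DenoScanner, type Dependency, type Ecosystem, type GenerateSbomInput, type GenerateSbomResult, type GenerateSpdxSbomResult, type GenerateSwidTagResult, GoScanner, LockfileParseError, MavenScanner, NoLockfileError, NpmScanner, NugetScanner, OsvSource, PipScanner, PnpmScanner, RubyScanner, type Sbom, type SbomArtifacts, type SbomDependency, type SbomFormat, type ScanResult, ScannerRegistry, type Severity, SpdxJsonGenerator, SwidTagGenerator, type UploadResult, type UsageContextEcosystemStatus, UsageContextEngine, type UsageContextError, type UsageContextLlmPayload, type UsageContextResult, type UsageContextStatus, type UsageContextVulnerabilityFinding, type UsageSnippet, type UsageSnippetMatchKind, VerimuApiClient, type VerimuConfig, VerimuError, type VerimuReport, type Vulnerability, type VulnerabilitySource, YarnScanner, generateSbom, generateSbomArtifacts, generateSpdxSbom, generateSwidTag, printReport, scan, shouldFailCi, uploadToVerimu };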