npm - verimu - Versions diffs - 0.0.2 → 0.0.3 - Mend

verimu 0.0.2 → 0.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.mjs CHANGED Viewed

@@ -75,7 +75,8 @@ var PURL_TYPE_MAP = {
   cargo: "cargo",
   maven: "maven",
   pip: "pypi",
-  go: "golang"
+  go: "golang",
+  ruby: "gem"
 };
 function buildPurl(name, version, ecosystem) {
   const type = PURL_TYPE_MAP[ecosystem] || ecosystem;
@@ -110,7 +111,7 @@ var VerimuError = class extends Error {
 var NoLockfileError = class extends VerimuError {
   constructor(projectPath) {
     super(
-      `No supported lockfile found in ${projectPath}. Supported: package-lock.json (npm), packages.lock.json (NuGet), Cargo.lock (Rust)`,
+      `No supported lockfile found in ${projectPath}. Supported: package-lock.json (npm), packages.lock.json (NuGet), Cargo.lock (Rust), requirements.txt / Pipfile.lock (Python), pom.xml (Maven), go.sum (Go), Gemfile.lock (Ruby)`,
       "NO_LOCKFILE"
     );
     this.name = "NoLockfileError";
@@ -246,26 +247,670 @@ var NpmScanner = class {
 };
 // src/scanners/nuget/nuget-scanner.ts
+import { readFile as readFile2 } from "fs/promises";
+import { existsSync as existsSync2 } from "fs";
+import path2 from "path";
 var NugetScanner = class {
   ecosystem = "nuget";
   lockfileNames = ["packages.lock.json"];
-  async detect(_projectPath) {
-    return null;
+  async detect(projectPath) {
+    const lockfilePath = path2.join(projectPath, "packages.lock.json");
+    return existsSync2(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const lockfileRaw = await readFile2(lockfilePath, "utf-8");
+    let lockfile;
+    try {
+      lockfile = JSON.parse(lockfileRaw);
+    } catch {
+      throw new LockfileParseError(lockfilePath, "Invalid JSON");
+    }
+    if (!lockfile.dependencies) {
+      throw new LockfileParseError(lockfilePath, 'Missing "dependencies" field');
+    }
+    const dependencies = this.parseLockfile(lockfile);
+    return {
+      projectPath,
+      ecosystem: "nuget",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses packages.lock.json and extracts dependencies across all
+   * target frameworks. Deduplicates by package name (keeps highest version
+   * if the same package appears under multiple frameworks).
+   */
+  parseLockfile(lockfile) {
+    const depMap = /* @__PURE__ */ new Map();
+    for (const [_framework, packages] of Object.entries(lockfile.dependencies)) {
+      for (const [name, info] of Object.entries(packages)) {
+        if (!info.resolved) continue;
+        const isDirect = info.type === "Direct";
+        const existing = depMap.get(name);
+        if (!existing) {
+          depMap.set(name, {
+            name,
+            version: info.resolved,
+            direct: isDirect,
+            ecosystem: "nuget",
+            purl: this.buildPurl(name, info.resolved)
+          });
+        } else if (isDirect && !existing.direct) {
+          existing.direct = true;
+        }
+      }
+    }
+    return Array.from(depMap.values());
   }
-  async scan(_projectPath, _lockfilePath) {
-    throw new Error("NuGet scanner not yet implemented. Coming soon.");
+  /**
+   * Builds a purl for a NuGet package.
+   * NuGet purls are straightforward: pkg:nuget/Name@Version
+   */
+  buildPurl(name, version) {
+    return `pkg:nuget/${name}@${version}`;
   }
 };
 // src/scanners/cargo/cargo-scanner.ts
+import { readFile as readFile3 } from "fs/promises";
+import { existsSync as existsSync3 } from "fs";
+import path3 from "path";
 var CargoScanner = class {
   ecosystem = "cargo";
   lockfileNames = ["Cargo.lock"];
-  async detect(_projectPath) {
+  async detect(projectPath) {
+    const lockfilePath = path3.join(projectPath, "Cargo.lock");
+    return existsSync3(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const [lockfileRaw, cargoTomlRaw] = await Promise.all([
+      readFile3(lockfilePath, "utf-8"),
+      readFile3(path3.join(projectPath, "Cargo.toml"), "utf-8").catch(() => null)
+    ]);
+    const packages = this.parseLockfile(lockfileRaw, lockfilePath);
+    const directNames = cargoTomlRaw ? this.parseCargoToml(cargoTomlRaw) : /* @__PURE__ */ new Set();
+    const rootName = packages.length > 0 ? packages[0].name : null;
+    const dependencies = [];
+    for (const pkg of packages) {
+      if (pkg.name === rootName && pkg.source === void 0) continue;
+      dependencies.push({
+        name: pkg.name,
+        version: pkg.version,
+        direct: directNames.has(pkg.name),
+        ecosystem: "cargo",
+        purl: this.buildPurl(pkg.name, pkg.version)
+      });
+    }
+    return {
+      projectPath,
+      ecosystem: "cargo",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses Cargo.lock by splitting on [[package]] blocks.
+   * This is a lightweight parser that handles the regular structure
+   * of Cargo.lock without needing a full TOML parser.
+   */
+  parseLockfile(content, lockfilePath) {
+    const packages = [];
+    const blocks = content.split(/^\[\[package\]\]$/m);
+    for (const block of blocks) {
+      if (!block.trim()) continue;
+      const name = this.extractField(block, "name");
+      const version = this.extractField(block, "version");
+      const source = this.extractField(block, "source");
+      if (name && version) {
+        packages.push({ name, version, source: source || void 0 });
+      }
+    }
+    if (packages.length === 0 && content.includes("[[package]]")) {
+      throw new LockfileParseError(lockfilePath, "Failed to parse any packages from Cargo.lock");
+    }
+    return packages;
+  }
+  /**
+   * Extracts a string field value from a TOML block.
+   * Handles: `name = "value"` format.
+   */
+  extractField(block, fieldName) {
+    const regex = new RegExp(`^${fieldName}\\s*=\\s*"([^"]*)"`, "m");
+    const match = block.match(regex);
+    return match ? match[1] : null;
+  }
+  /**
+   * Parses Cargo.toml to extract direct dependency names.
+   * Looks for [dependencies] and [dev-dependencies] sections.
+   */
+  parseCargoToml(content) {
+    const directNames = /* @__PURE__ */ new Set();
+    let inDepsSection = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (line.startsWith("[")) {
+        inDepsSection = line === "[dependencies]" || line === "[dev-dependencies]" || line === "[build-dependencies]";
+        continue;
+      }
+      if (inDepsSection && line && !line.startsWith("#")) {
+        const match = line.match(/^([a-zA-Z0-9_-]+)\s*=/);
+        if (match) {
+          directNames.add(match[1]);
+        }
+      }
+    }
+    return directNames;
+  }
+  /**
+   * Builds a purl for a Cargo (crates.io) package.
+   */
+  buildPurl(name, version) {
+    return `pkg:cargo/${name}@${version}`;
+  }
+};
+// src/scanners/pip/pip-scanner.ts
+import { readFile as readFile4 } from "fs/promises";
+import { existsSync as existsSync4 } from "fs";
+import path4 from "path";
+var PipScanner = class {
+  ecosystem = "pip";
+  lockfileNames = ["requirements.txt", "Pipfile.lock"];
+  async detect(projectPath) {
+    for (const lockfile of this.lockfileNames) {
+      const fullPath = path4.join(projectPath, lockfile);
+      if (existsSync4(fullPath)) return fullPath;
+    }
     return null;
   }
-  async scan(_projectPath, _lockfilePath) {
-    throw new Error("Cargo scanner not yet implemented. Coming soon.");
+  async scan(projectPath, lockfilePath) {
+    const raw = await readFile4(lockfilePath, "utf-8");
+    const filename = path4.basename(lockfilePath);
+    let dependencies;
+    if (filename === "Pipfile.lock") {
+      dependencies = this.parsePipfileLock(raw, lockfilePath);
+    } else {
+      dependencies = this.parseRequirementsTxt(raw, lockfilePath);
+    }
+    return {
+      projectPath,
+      ecosystem: "pip",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses `requirements.txt` format.
+   *
+   * Supports:
+   *   - `package==1.2.3` (pinned)
+   *   - `package>=1.2.0` (minimum — uses the specified version)
+   *   - `package~=1.2.0` (compatible release)
+   *   - Comments (`#`) and blank lines are skipped
+   *   - `-r other-file.txt` (include directive) — skipped for now
+   *   - `--index-url` and other pip flags — skipped
+   */
+  parseRequirementsTxt(content, lockfilePath) {
+    const deps = [];
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (!line || line.startsWith("#") || line.startsWith("-") || line.startsWith("--")) {
+        continue;
+      }
+      const match = line.match(/^([a-zA-Z0-9_][a-zA-Z0-9._-]*)\s*(?:[~=!<>]=?)\s*(.+)$/);
+      if (match) {
+        const [, name, versionSpec] = match;
+        const version = this.extractVersion(versionSpec);
+        if (name && version) {
+          deps.push({
+            name: this.normalizePipName(name),
+            version,
+            direct: true,
+            // requirements.txt doesn't distinguish
+            ecosystem: "pip",
+            purl: this.buildPurl(name, version)
+          });
+        }
+      }
+    }
+    return deps;
+  }
+  /**
+   * Parses `Pipfile.lock` (JSON format from Pipenv).
+   *
+   * Structure:
+   * ```json
+   * {
+   *   "_meta": { ... },
+   *   "default": {
+   *     "requests": { "version": "==2.31.0", ... }
+   *   },
+   *   "develop": {
+   *     "pytest": { "version": "==7.4.0", ... }
+   *   }
+   * }
+   * ```
+   */
+  parsePipfileLock(content, lockfilePath) {
+    let lockfile;
+    try {
+      lockfile = JSON.parse(content);
+    } catch {
+      throw new LockfileParseError(lockfilePath, "Invalid JSON in Pipfile.lock");
+    }
+    const deps = [];
+    if (lockfile.default) {
+      for (const [name, info] of Object.entries(lockfile.default)) {
+        const version = info.version?.replace(/^==/, "") ?? "";
+        if (version) {
+          deps.push({
+            name: this.normalizePipName(name),
+            version,
+            direct: true,
+            ecosystem: "pip",
+            purl: this.buildPurl(name, version)
+          });
+        }
+      }
+    }
+    if (lockfile.develop) {
+      for (const [name, info] of Object.entries(lockfile.develop)) {
+        const version = info.version?.replace(/^==/, "") ?? "";
+        if (version) {
+          deps.push({
+            name: this.normalizePipName(name),
+            version,
+            direct: true,
+            ecosystem: "pip",
+            purl: this.buildPurl(name, version)
+          });
+        }
+      }
+    }
+    return deps;
+  }
+  /**
+   * Extracts the version number from a pip version specifier.
+   * "1.2.3" → "1.2.3"
+   * "1.2.3,<2.0" → "1.2.3"
+   */
+  extractVersion(spec) {
+    const cleaned = spec.split(",")[0].trim();
+    return cleaned;
+  }
+  /**
+   * Normalizes a pip package name per PEP 503.
+   * Converts to lowercase and replaces any run of [-_.] with a single hyphen.
+   */
+  normalizePipName(name) {
+    return name.toLowerCase().replace(/[-_.]+/g, "-");
+  }
+  /**
+   * Builds a purl for a PyPI package.
+   * Per purl spec, the type is "pypi" (not "pip").
+   */
+  buildPurl(name, version) {
+    return `pkg:pypi/${this.normalizePipName(name)}@${version}`;
+  }
+};
+// src/scanners/maven/maven-scanner.ts
+import { readFile as readFile5 } from "fs/promises";
+import { existsSync as existsSync5 } from "fs";
+import { execSync } from "child_process";
+import path5 from "path";
+var MavenScanner = class {
+  ecosystem = "maven";
+  lockfileNames = ["pom.xml"];
+  /** Allow injection for testing */
+  execSyncFn;
+  constructor(execSyncImpl) {
+    this.execSyncFn = execSyncImpl ?? execSync;
+  }
+  async detect(projectPath) {
+    const pomPath = path5.join(projectPath, "pom.xml");
+    return existsSync5(pomPath) ? pomPath : null;
+  }
+  async scan(projectPath, _lockfilePath) {
+    const depTreePath = path5.join(projectPath, "dependency-tree.txt");
+    if (existsSync5(depTreePath)) {
+      const content = await readFile5(depTreePath, "utf-8");
+      const dependencies = this.parseDependencyList(content, depTreePath);
+      return this.buildResult(projectPath, depTreePath, dependencies);
+    }
+    if (this.isMavenAvailable()) {
+      const output = this.runMavenDependencyList(projectPath);
+      const dependencies = this.parseDependencyList(output, "mvn dependency:list");
+      return this.buildResult(projectPath, path5.join(projectPath, "pom.xml"), dependencies);
+    }
+    throw new LockfileParseError(
+      path5.join(projectPath, "pom.xml"),
+      "Maven project detected (pom.xml found) but could not resolve dependencies. Either install Maven (`mvn` must be on $PATH) or pre-generate a dependency list:\n  mvn dependency:list -DoutputFile=dependency-tree.txt -DappendOutput=true"
+    );
+  }
+  /**
+   * Parses Maven `dependency:list` output.
+   *
+   * Each dependency line has the format:
+   *   groupId:artifactId:type:version:scope
+   *   groupId:artifactId:type:classifier:version:scope
+   *
+   * Lines are typically indented with leading whitespace.
+   */
+  parseDependencyList(content, source) {
+    const deps = [];
+    const depPattern = /^\s*([a-zA-Z0-9._-]+):([a-zA-Z0-9._-]+):([a-z]+):(?:([a-zA-Z0-9._-]+):)?([a-zA-Z0-9._-]+):([a-z]+)/;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (!line) continue;
+      const match = line.match(depPattern);
+      if (match) {
+        const groupId = match[1];
+        const artifactId = match[2];
+        const version = match[4] && match[5] ? match[5] : match[4] ?? match[5];
+        const scope = match[4] && match[5] ? match[6] : match[5] && match[6] ? match[6] : match[5];
+        const parts = line.split(":");
+        if (parts.length >= 5) {
+          const gId = parts[0].trim();
+          const aId = parts[1];
+          const ver = parts.length === 6 ? parts[4] : parts[3];
+          const scp = parts.length === 6 ? parts[5] : parts[4];
+          if (gId && aId && ver) {
+            const name = `${gId}:${aId}`;
+            deps.push({
+              name,
+              version: ver,
+              direct: scp === "compile" || scp === "runtime" || scp === "provided",
+              ecosystem: "maven",
+              purl: this.buildPurl(gId, aId, ver)
+            });
+          }
+        }
+      }
+    }
+    return deps;
+  }
+  /** Checks if `mvn` is available on PATH */
+  isMavenAvailable() {
+    try {
+      this.execSyncFn("mvn --version", { stdio: "pipe", timeout: 1e4 });
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Runs `mvn dependency:list` and returns the output.
+   */
+  runMavenDependencyList(projectPath) {
+    try {
+      const output = this.execSyncFn(
+        "mvn dependency:list -DoutputType=text -DincludeScope=compile",
+        {
+          cwd: projectPath,
+          stdio: "pipe",
+          timeout: 12e4,
+          // 2 minute timeout
+          encoding: "utf-8"
+        }
+      );
+      return output.toString();
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      throw new LockfileParseError(
+        path5.join(projectPath, "pom.xml"),
+        `Failed to run 'mvn dependency:list': ${message}`
+      );
+    }
+  }
+  /**
+   * Builds a purl for a Maven package.
+   * Format: pkg:maven/groupId/artifactId@version
+   */
+  buildPurl(groupId, artifactId, version) {
+    return `pkg:maven/${groupId}/${artifactId}@${version}`;
+  }
+  buildResult(projectPath, lockfilePath, dependencies) {
+    return {
+      projectPath,
+      ecosystem: "maven",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+};
+// src/scanners/go/go-scanner.ts
+import { readFile as readFile6 } from "fs/promises";
+import { existsSync as existsSync6 } from "fs";
+import path6 from "path";
+var GoScanner = class {
+  ecosystem = "go";
+  lockfileNames = ["go.sum"];
+  async detect(projectPath) {
+    const goSumPath = path6.join(projectPath, "go.sum");
+    return existsSync6(goSumPath) ? goSumPath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const [goSumRaw, goModRaw] = await Promise.all([
+      readFile6(lockfilePath, "utf-8"),
+      readFile6(path6.join(projectPath, "go.mod"), "utf-8").catch(() => null)
+    ]);
+    const { directNames, indirectNames } = goModRaw ? this.parseGoMod(goModRaw) : { directNames: /* @__PURE__ */ new Set(), indirectNames: /* @__PURE__ */ new Set() };
+    const dependencies = this.parseGoSum(goSumRaw, lockfilePath, directNames, indirectNames);
+    return {
+      projectPath,
+      ecosystem: "go",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses go.sum and extracts unique module dependencies.
+   *
+   * Each module may appear twice in go.sum (once for the source archive,
+   * once for go.mod). We deduplicate by module path + version, keeping
+   * only the `h1:` entry (not the `/go.mod` entry).
+   */
+  parseGoSum(content, lockfilePath, directNames, indirectNames) {
+    const depMap = /* @__PURE__ */ new Map();
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (!line) continue;
+      const parts = line.split(/\s+/);
+      if (parts.length < 3) continue;
+      const modulePath = parts[0];
+      let version = parts[1];
+      if (version.endsWith("/go.mod")) continue;
+      version = version.replace(/\+incompatible$/, "");
+      const key = `${modulePath}@${version}`;
+      if (depMap.has(key)) continue;
+      const isDirect = directNames.size > 0 || indirectNames.size > 0 ? directNames.has(modulePath) || (!indirectNames.has(modulePath) && !directNames.has(modulePath) ? false : directNames.has(modulePath)) : true;
+      depMap.set(key, {
+        name: modulePath,
+        version,
+        direct: isDirect,
+        ecosystem: "go",
+        purl: this.buildPurl(modulePath, version)
+      });
+    }
+    return Array.from(depMap.values());
+  }
+  /**
+   * Parses go.mod to extract direct and indirect dependency names.
+   *
+   * Handles both single-line and block `require` directives:
+   * ```
+   * require github.com/pkg/errors v0.9.1
+   *
+   * require (
+   *     github.com/gin-gonic/gin v1.9.1
+   *     golang.org/x/text v0.14.0 // indirect
+   * )
+   * ```
+   */
+  parseGoMod(content) {
+    const directNames = /* @__PURE__ */ new Set();
+    const indirectNames = /* @__PURE__ */ new Set();
+    let inRequireBlock = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (line.startsWith("require ") && !line.includes("(")) {
+        const match = line.match(/^require\s+(\S+)\s+\S+(.*)$/);
+        if (match) {
+          const modulePath = match[1];
+          const rest = match[2];
+          if (rest.includes("// indirect")) {
+            indirectNames.add(modulePath);
+          } else {
+            directNames.add(modulePath);
+          }
+        }
+        continue;
+      }
+      if (line === "require (" || line.startsWith("require (")) {
+        inRequireBlock = true;
+        continue;
+      }
+      if (inRequireBlock && line === ")") {
+        inRequireBlock = false;
+        continue;
+      }
+      if (inRequireBlock && line && !line.startsWith("//")) {
+        const match = line.match(/^(\S+)\s+\S+(.*)$/);
+        if (match) {
+          const modulePath = match[1];
+          const rest = match[2];
+          if (rest.includes("// indirect")) {
+            indirectNames.add(modulePath);
+          } else {
+            directNames.add(modulePath);
+          }
+        }
+      }
+    }
+    return { directNames, indirectNames };
+  }
+  /**
+   * Builds a purl for a Go module.
+   *
+   * Per purl spec, the type is "golang" and the module path
+   * uses `/` separators (no encoding needed for path segments).
+   *
+   * Example: `pkg:golang/github.com/gin-gonic/gin@v1.9.1`
+   */
+  buildPurl(modulePath, version) {
+    return `pkg:golang/${modulePath}@${version}`;
+  }
+};
+// src/scanners/ruby/ruby-scanner.ts
+import { readFile as readFile7 } from "fs/promises";
+import { existsSync as existsSync7 } from "fs";
+import path7 from "path";
+var RubyScanner = class {
+  ecosystem = "ruby";
+  lockfileNames = ["Gemfile.lock"];
+  async detect(projectPath) {
+    const lockfilePath = path7.join(projectPath, "Gemfile.lock");
+    return existsSync7(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const content = await readFile7(lockfilePath, "utf-8");
+    const specs = this.parseSpecs(content, lockfilePath);
+    const directNames = this.parseDependencies(content);
+    const dependencies = specs.map(({ name, version }) => ({
+      name,
+      version,
+      direct: directNames.has(name),
+      ecosystem: "ruby",
+      purl: `pkg:gem/${name}@${version}`
+    }));
+    return {
+      projectPath,
+      ecosystem: "ruby",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses the GEM > specs section to extract all resolved gems.
+   *
+   * Gems at the top level of the specs section (indented 4 spaces) are
+   * resolved packages. Their sub-dependencies (indented 6+ spaces) are
+   * constraints, not separate entries — those sub-deps appear as their
+   * own top-level spec entries elsewhere.
+   *
+   * Format: `    gem-name (1.2.3)`
+   */
+  parseSpecs(content, lockfilePath) {
+    const gems = [];
+    let inGemSection = false;
+    let inSpecs = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine;
+      if (line.length > 0 && line[0] !== " ") {
+        if (line.startsWith("GEM")) {
+          inGemSection = true;
+          inSpecs = false;
+          continue;
+        }
+        inGemSection = false;
+        inSpecs = false;
+        continue;
+      }
+      if (inGemSection && line.trimStart().startsWith("specs:")) {
+        inSpecs = true;
+        continue;
+      }
+      if (!inSpecs) continue;
+      const match = line.match(/^ {4}(\S+)\s+\(([^)]+)\)$/);
+      if (match) {
+        const [, name, version] = match;
+        gems.push({ name, version });
+      }
+    }
+    if (gems.length === 0) {
+      throw new LockfileParseError(
+        lockfilePath,
+        "No gems found in GEM specs section"
+      );
+    }
+    return gems;
+  }
+  /**
+   * Parses the DEPENDENCIES section to get direct dependency names.
+   *
+   * Format: `  gem-name (>= 1.0)` or `  gem-name`
+   * The version constraint is optional and we only need the name.
+   */
+  parseDependencies(content) {
+    const directNames = /* @__PURE__ */ new Set();
+    let inDependencies = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine;
+      if (line.length > 0 && line[0] !== " ") {
+        if (line.startsWith("DEPENDENCIES")) {
+          inDependencies = true;
+          continue;
+        }
+        if (inDependencies) break;
+        continue;
+      }
+      if (!inDependencies) continue;
+      const match = line.match(/^ {2}(\S+?)!?\s*(?:\(|$)/);
+      if (match) {
+        directNames.add(match[1]);
+      }
+    }
+    return directNames;
   }
 };
@@ -276,8 +921,11 @@ var ScannerRegistry = class {
     this.scanners = [
       new NpmScanner(),
       new NugetScanner(),
-      new CargoScanner()
-      // Add new scanners here as they're implemented
+      new CargoScanner(),
+      new PipScanner(),
+      new MavenScanner(),
+      new GoScanner(),
+      new RubyScanner()
     ];
   }
   /**
@@ -572,7 +1220,8 @@ var OsvSource = class {
       cargo: "crates.io",
       maven: "Maven",
       pip: "PyPI",
-      go: "Go"
+      go: "Go",
+      ruby: "RubyGems"
     };
     return map[ecosystem] ?? ecosystem;
   }
@@ -802,14 +1451,20 @@ function printReport(report) {
 }
 export {
   ApiKeyRequiredError,
+  CargoScanner,
   ConsoleReporter,
   CveAggregator,
   CveSourceError,
   CycloneDxGenerator,
+  GoScanner,
   LockfileParseError,
+  MavenScanner,
   NoLockfileError,
   NpmScanner,
+  NugetScanner,
   OsvSource,
+  PipScanner,
+  RubyScanner,
   ScannerRegistry,
   VerimuError,
   generateSbom,