verimu 0.0.2 → 0.0.4

package/dist/index.mjs

@@ -75,7 +75,8 @@ var PURL_TYPE_MAP = {
   cargo: "cargo",
   maven: "maven",
   pip: "pypi",
-  go: "golang"
+  go: "golang",
+  ruby: "gem"
 };
 function buildPurl(name, version, ecosystem) {
   const type = PURL_TYPE_MAP[ecosystem] || ecosystem;
@@ -93,6 +94,7 @@ function deriveSupplierName(packageName) {
 
 // src/scan.ts
 import { writeFile } from "fs/promises";
+import { basename } from "path";
 
 // src/scanners/npm/npm-scanner.ts
 import { readFile } from "fs/promises";
@@ -110,7 +112,7 @@ var VerimuError = class extends Error {
 var NoLockfileError = class extends VerimuError {
   constructor(projectPath) {
     super(
-      `No supported lockfile found in ${projectPath}. Supported: package-lock.json (npm), packages.lock.json (NuGet), Cargo.lock (Rust)`,
+      `No supported lockfile found in ${projectPath}. Supported: package-lock.json (npm), packages.lock.json (NuGet), Cargo.lock (Rust), requirements.txt / Pipfile.lock (Python), pom.xml (Maven), go.sum (Go), Gemfile.lock (Ruby)`,
       "NO_LOCKFILE"
     );
     this.name = "NoLockfileError";
@@ -246,26 +248,670 @@ var NpmScanner = class {
 };
 
 // src/scanners/nuget/nuget-scanner.ts
+import { readFile as readFile2 } from "fs/promises";
+import { existsSync as existsSync2 } from "fs";
+import path2 from "path";
 var NugetScanner = class {
   ecosystem = "nuget";
   lockfileNames = ["packages.lock.json"];
-  async detect(_projectPath) {
-    return null;
+  async detect(projectPath) {
+    const lockfilePath = path2.join(projectPath, "packages.lock.json");
+    return existsSync2(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const lockfileRaw = await readFile2(lockfilePath, "utf-8");
+    let lockfile;
+    try {
+      lockfile = JSON.parse(lockfileRaw);
+    } catch {
+      throw new LockfileParseError(lockfilePath, "Invalid JSON");
+    }
+    if (!lockfile.dependencies) {
+      throw new LockfileParseError(lockfilePath, 'Missing "dependencies" field');
+    }
+    const dependencies = this.parseLockfile(lockfile);
+    return {
+      projectPath,
+      ecosystem: "nuget",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses packages.lock.json and extracts dependencies across all
+   * target frameworks. Deduplicates by package name (keeps highest version
+   * if the same package appears under multiple frameworks).
+   */
+  parseLockfile(lockfile) {
+    const depMap = /* @__PURE__ */ new Map();
+    for (const [_framework, packages] of Object.entries(lockfile.dependencies)) {
+      for (const [name, info] of Object.entries(packages)) {
+        if (!info.resolved) continue;
+        const isDirect = info.type === "Direct";
+        const existing = depMap.get(name);
+        if (!existing) {
+          depMap.set(name, {
+            name,
+            version: info.resolved,
+            direct: isDirect,
+            ecosystem: "nuget",
+            purl: this.buildPurl(name, info.resolved)
+          });
+        } else if (isDirect && !existing.direct) {
+          existing.direct = true;
+        }
+      }
+    }
+    return Array.from(depMap.values());
   }
-  async scan(_projectPath, _lockfilePath) {
-    throw new Error("NuGet scanner not yet implemented. Coming soon.");
+  /**
+   * Builds a purl for a NuGet package.
+   * NuGet purls are straightforward: pkg:nuget/Name@Version
+   */
+  buildPurl(name, version) {
+    return `pkg:nuget/${name}@${version}`;
   }
 };
 
 // src/scanners/cargo/cargo-scanner.ts
+import { readFile as readFile3 } from "fs/promises";
+import { existsSync as existsSync3 } from "fs";
+import path3 from "path";
 var CargoScanner = class {
   ecosystem = "cargo";
   lockfileNames = ["Cargo.lock"];
-  async detect(_projectPath) {
+  async detect(projectPath) {
+    const lockfilePath = path3.join(projectPath, "Cargo.lock");
+    return existsSync3(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const [lockfileRaw, cargoTomlRaw] = await Promise.all([
+      readFile3(lockfilePath, "utf-8"),
+      readFile3(path3.join(projectPath, "Cargo.toml"), "utf-8").catch(() => null)
+    ]);
+    const packages = this.parseLockfile(lockfileRaw, lockfilePath);
+    const directNames = cargoTomlRaw ? this.parseCargoToml(cargoTomlRaw) : /* @__PURE__ */ new Set();
+    const rootName = packages.length > 0 ? packages[0].name : null;
+    const dependencies = [];
+    for (const pkg of packages) {
+      if (pkg.name === rootName && pkg.source === void 0) continue;
+      dependencies.push({
+        name: pkg.name,
+        version: pkg.version,
+        direct: directNames.has(pkg.name),
+        ecosystem: "cargo",
+        purl: this.buildPurl(pkg.name, pkg.version)
+      });
+    }
+    return {
+      projectPath,
+      ecosystem: "cargo",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses Cargo.lock by splitting on [[package]] blocks.
+   * This is a lightweight parser that handles the regular structure
+   * of Cargo.lock without needing a full TOML parser.
+   */
+  parseLockfile(content, lockfilePath) {
+    const packages = [];
+    const blocks = content.split(/^\[\[package\]\]$/m);
+    for (const block of blocks) {
+      if (!block.trim()) continue;
+      const name = this.extractField(block, "name");
+      const version = this.extractField(block, "version");
+      const source = this.extractField(block, "source");
+      if (name && version) {
+        packages.push({ name, version, source: source || void 0 });
+      }
+    }
+    if (packages.length === 0 && content.includes("[[package]]")) {
+      throw new LockfileParseError(lockfilePath, "Failed to parse any packages from Cargo.lock");
+    }
+    return packages;
+  }
+  /**
+   * Extracts a string field value from a TOML block.
+   * Handles: `name = "value"` format.
+   */
+  extractField(block, fieldName) {
+    const regex = new RegExp(`^${fieldName}\\s*=\\s*"([^"]*)"`, "m");
+    const match = block.match(regex);
+    return match ? match[1] : null;
+  }
+  /**
+   * Parses Cargo.toml to extract direct dependency names.
+   * Looks for [dependencies] and [dev-dependencies] sections.
+   */
+  parseCargoToml(content) {
+    const directNames = /* @__PURE__ */ new Set();
+    let inDepsSection = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (line.startsWith("[")) {
+        inDepsSection = line === "[dependencies]" || line === "[dev-dependencies]" || line === "[build-dependencies]";
+        continue;
+      }
+      if (inDepsSection && line && !line.startsWith("#")) {
+        const match = line.match(/^([a-zA-Z0-9_-]+)\s*=/);
+        if (match) {
+          directNames.add(match[1]);
+        }
+      }
+    }
+    return directNames;
+  }
+  /**
+   * Builds a purl for a Cargo (crates.io) package.
+   */
+  buildPurl(name, version) {
+    return `pkg:cargo/${name}@${version}`;
+  }
+};
+
+// src/scanners/pip/pip-scanner.ts
+import { readFile as readFile4 } from "fs/promises";
+import { existsSync as existsSync4 } from "fs";
+import path4 from "path";
+var PipScanner = class {
+  ecosystem = "pip";
+  lockfileNames = ["requirements.txt", "Pipfile.lock"];
+  async detect(projectPath) {
+    for (const lockfile of this.lockfileNames) {
+      const fullPath = path4.join(projectPath, lockfile);
+      if (existsSync4(fullPath)) return fullPath;
+    }
     return null;
   }
-  async scan(_projectPath, _lockfilePath) {
-    throw new Error("Cargo scanner not yet implemented. Coming soon.");
+  async scan(projectPath, lockfilePath) {
+    const raw = await readFile4(lockfilePath, "utf-8");
+    const filename = path4.basename(lockfilePath);
+    let dependencies;
+    if (filename === "Pipfile.lock") {
+      dependencies = this.parsePipfileLock(raw, lockfilePath);
+    } else {
+      dependencies = this.parseRequirementsTxt(raw, lockfilePath);
+    }
+    return {
+      projectPath,
+      ecosystem: "pip",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses `requirements.txt` format.
+   *
+   * Supports:
+   *   - `package==1.2.3` (pinned)
+   *   - `package>=1.2.0` (minimum — uses the specified version)
+   *   - `package~=1.2.0` (compatible release)
+   *   - Comments (`#`) and blank lines are skipped
+   *   - `-r other-file.txt` (include directive) — skipped for now
+   *   - `--index-url` and other pip flags — skipped
+   */
+  parseRequirementsTxt(content, lockfilePath) {
+    const deps = [];
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (!line || line.startsWith("#") || line.startsWith("-") || line.startsWith("--")) {
+        continue;
+      }
+      const match = line.match(/^([a-zA-Z0-9_][a-zA-Z0-9._-]*)\s*(?:[~=!<>]=?)\s*(.+)$/);
+      if (match) {
+        const [, name, versionSpec] = match;
+        const version = this.extractVersion(versionSpec);
+        if (name && version) {
+          deps.push({
+            name: this.normalizePipName(name),
+            version,
+            direct: true,
+            // requirements.txt doesn't distinguish
+            ecosystem: "pip",
+            purl: this.buildPurl(name, version)
+          });
+        }
+      }
+    }
+    return deps;
+  }
+  /**
+   * Parses `Pipfile.lock` (JSON format from Pipenv).
+   *
+   * Structure:
+   * ```json
+   * {
+   *   "_meta": { ... },
+   *   "default": {
+   *     "requests": { "version": "==2.31.0", ... }
+   *   },
+   *   "develop": {
+   *     "pytest": { "version": "==7.4.0", ... }
+   *   }
+   * }
+   * ```
+   */
+  parsePipfileLock(content, lockfilePath) {
+    let lockfile;
+    try {
+      lockfile = JSON.parse(content);
+    } catch {
+      throw new LockfileParseError(lockfilePath, "Invalid JSON in Pipfile.lock");
+    }
+    const deps = [];
+    if (lockfile.default) {
+      for (const [name, info] of Object.entries(lockfile.default)) {
+        const version = info.version?.replace(/^==/, "") ?? "";
+        if (version) {
+          deps.push({
+            name: this.normalizePipName(name),
+            version,
+            direct: true,
+            ecosystem: "pip",
+            purl: this.buildPurl(name, version)
+          });
+        }
+      }
+    }
+    if (lockfile.develop) {
+      for (const [name, info] of Object.entries(lockfile.develop)) {
+        const version = info.version?.replace(/^==/, "") ?? "";
+        if (version) {
+          deps.push({
+            name: this.normalizePipName(name),
+            version,
+            direct: true,
+            ecosystem: "pip",
+            purl: this.buildPurl(name, version)
+          });
+        }
+      }
+    }
+    return deps;
+  }
+  /**
+   * Extracts the version number from a pip version specifier.
+   * "1.2.3" → "1.2.3"
+   * "1.2.3,<2.0" → "1.2.3"
+   */
+  extractVersion(spec) {
+    const cleaned = spec.split(",")[0].trim();
+    return cleaned;
+  }
+  /**
+   * Normalizes a pip package name per PEP 503.
+   * Converts to lowercase and replaces any run of [-_.] with a single hyphen.
+   */
+  normalizePipName(name) {
+    return name.toLowerCase().replace(/[-_.]+/g, "-");
+  }
+  /**
+   * Builds a purl for a PyPI package.
+   * Per purl spec, the type is "pypi" (not "pip").
+   */
+  buildPurl(name, version) {
+    return `pkg:pypi/${this.normalizePipName(name)}@${version}`;
+  }
+};
+
+// src/scanners/maven/maven-scanner.ts
+import { readFile as readFile5 } from "fs/promises";
+import { existsSync as existsSync5 } from "fs";
+import { execSync } from "child_process";
+import path5 from "path";
+var MavenScanner = class {
+  ecosystem = "maven";
+  lockfileNames = ["pom.xml"];
+  /** Allow injection for testing */
+  execSyncFn;
+  constructor(execSyncImpl) {
+    this.execSyncFn = execSyncImpl ?? execSync;
+  }
+  async detect(projectPath) {
+    const pomPath = path5.join(projectPath, "pom.xml");
+    return existsSync5(pomPath) ? pomPath : null;
+  }
+  async scan(projectPath, _lockfilePath) {
+    const depTreePath = path5.join(projectPath, "dependency-tree.txt");
+    if (existsSync5(depTreePath)) {
+      const content = await readFile5(depTreePath, "utf-8");
+      const dependencies = this.parseDependencyList(content, depTreePath);
+      return this.buildResult(projectPath, depTreePath, dependencies);
+    }
+    if (this.isMavenAvailable()) {
+      const output = this.runMavenDependencyList(projectPath);
+      const dependencies = this.parseDependencyList(output, "mvn dependency:list");
+      return this.buildResult(projectPath, path5.join(projectPath, "pom.xml"), dependencies);
+    }
+    throw new LockfileParseError(
+      path5.join(projectPath, "pom.xml"),
+      "Maven project detected (pom.xml found) but could not resolve dependencies. Either install Maven (`mvn` must be on $PATH) or pre-generate a dependency list:\n  mvn dependency:list -DoutputFile=dependency-tree.txt -DappendOutput=true"
+    );
+  }
+  /**
+   * Parses Maven `dependency:list` output.
+   *
+   * Each dependency line has the format:
+   *   groupId:artifactId:type:version:scope
+   *   groupId:artifactId:type:classifier:version:scope
+   *
+   * Lines are typically indented with leading whitespace.
+   */
+  parseDependencyList(content, source) {
+    const deps = [];
+    const depPattern = /^\s*([a-zA-Z0-9._-]+):([a-zA-Z0-9._-]+):([a-z]+):(?:([a-zA-Z0-9._-]+):)?([a-zA-Z0-9._-]+):([a-z]+)/;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (!line) continue;
+      const match = line.match(depPattern);
+      if (match) {
+        const groupId = match[1];
+        const artifactId = match[2];
+        const version = match[4] && match[5] ? match[5] : match[4] ?? match[5];
+        const scope = match[4] && match[5] ? match[6] : match[5] && match[6] ? match[6] : match[5];
+        const parts = line.split(":");
+        if (parts.length >= 5) {
+          const gId = parts[0].trim();
+          const aId = parts[1];
+          const ver = parts.length === 6 ? parts[4] : parts[3];
+          const scp = parts.length === 6 ? parts[5] : parts[4];
+          if (gId && aId && ver) {
+            const name = `${gId}:${aId}`;
+            deps.push({
+              name,
+              version: ver,
+              direct: scp === "compile" || scp === "runtime" || scp === "provided",
+              ecosystem: "maven",
+              purl: this.buildPurl(gId, aId, ver)
+            });
+          }
+        }
+      }
+    }
+    return deps;
+  }
+  /** Checks if `mvn` is available on PATH */
+  isMavenAvailable() {
+    try {
+      this.execSyncFn("mvn --version", { stdio: "pipe", timeout: 1e4 });
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Runs `mvn dependency:list` and returns the output.
+   */
+  runMavenDependencyList(projectPath) {
+    try {
+      const output = this.execSyncFn(
+        "mvn dependency:list -DoutputType=text -DincludeScope=compile",
+        {
+          cwd: projectPath,
+          stdio: "pipe",
+          timeout: 12e4,
+          // 2 minute timeout
+          encoding: "utf-8"
+        }
+      );
+      return output.toString();
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      throw new LockfileParseError(
+        path5.join(projectPath, "pom.xml"),
+        `Failed to run 'mvn dependency:list': ${message}`
+      );
+    }
+  }
+  /**
+   * Builds a purl for a Maven package.
+   * Format: pkg:maven/groupId/artifactId@version
+   */
+  buildPurl(groupId, artifactId, version) {
+    return `pkg:maven/${groupId}/${artifactId}@${version}`;
+  }
+  buildResult(projectPath, lockfilePath, dependencies) {
+    return {
+      projectPath,
+      ecosystem: "maven",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+};
+
+// src/scanners/go/go-scanner.ts
+import { readFile as readFile6 } from "fs/promises";
+import { existsSync as existsSync6 } from "fs";
+import path6 from "path";
+var GoScanner = class {
+  ecosystem = "go";
+  lockfileNames = ["go.sum"];
+  async detect(projectPath) {
+    const goSumPath = path6.join(projectPath, "go.sum");
+    return existsSync6(goSumPath) ? goSumPath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const [goSumRaw, goModRaw] = await Promise.all([
+      readFile6(lockfilePath, "utf-8"),
+      readFile6(path6.join(projectPath, "go.mod"), "utf-8").catch(() => null)
+    ]);
+    const { directNames, indirectNames } = goModRaw ? this.parseGoMod(goModRaw) : { directNames: /* @__PURE__ */ new Set(), indirectNames: /* @__PURE__ */ new Set() };
+    const dependencies = this.parseGoSum(goSumRaw, lockfilePath, directNames, indirectNames);
+    return {
+      projectPath,
+      ecosystem: "go",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses go.sum and extracts unique module dependencies.
+   *
+   * Each module may appear twice in go.sum (once for the source archive,
+   * once for go.mod). We deduplicate by module path + version, keeping
+   * only the `h1:` entry (not the `/go.mod` entry).
+   */
+  parseGoSum(content, lockfilePath, directNames, indirectNames) {
+    const depMap = /* @__PURE__ */ new Map();
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (!line) continue;
+      const parts = line.split(/\s+/);
+      if (parts.length < 3) continue;
+      const modulePath = parts[0];
+      let version = parts[1];
+      if (version.endsWith("/go.mod")) continue;
+      version = version.replace(/\+incompatible$/, "");
+      const key = `${modulePath}@${version}`;
+      if (depMap.has(key)) continue;
+      const isDirect = directNames.size > 0 || indirectNames.size > 0 ? directNames.has(modulePath) || (!indirectNames.has(modulePath) && !directNames.has(modulePath) ? false : directNames.has(modulePath)) : true;
+      depMap.set(key, {
+        name: modulePath,
+        version,
+        direct: isDirect,
+        ecosystem: "go",
+        purl: this.buildPurl(modulePath, version)
+      });
+    }
+    return Array.from(depMap.values());
+  }
+  /**
+   * Parses go.mod to extract direct and indirect dependency names.
+   *
+   * Handles both single-line and block `require` directives:
+   * ```
+   * require github.com/pkg/errors v0.9.1
+   *
+   * require (
+   *     github.com/gin-gonic/gin v1.9.1
+   *     golang.org/x/text v0.14.0 // indirect
+   * )
+   * ```
+   */
+  parseGoMod(content) {
+    const directNames = /* @__PURE__ */ new Set();
+    const indirectNames = /* @__PURE__ */ new Set();
+    let inRequireBlock = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine.trim();
+      if (line.startsWith("require ") && !line.includes("(")) {
+        const match = line.match(/^require\s+(\S+)\s+\S+(.*)$/);
+        if (match) {
+          const modulePath = match[1];
+          const rest = match[2];
+          if (rest.includes("// indirect")) {
+            indirectNames.add(modulePath);
+          } else {
+            directNames.add(modulePath);
+          }
+        }
+        continue;
+      }
+      if (line === "require (" || line.startsWith("require (")) {
+        inRequireBlock = true;
+        continue;
+      }
+      if (inRequireBlock && line === ")") {
+        inRequireBlock = false;
+        continue;
+      }
+      if (inRequireBlock && line && !line.startsWith("//")) {
+        const match = line.match(/^(\S+)\s+\S+(.*)$/);
+        if (match) {
+          const modulePath = match[1];
+          const rest = match[2];
+          if (rest.includes("// indirect")) {
+            indirectNames.add(modulePath);
+          } else {
+            directNames.add(modulePath);
+          }
+        }
+      }
+    }
+    return { directNames, indirectNames };
+  }
+  /**
+   * Builds a purl for a Go module.
+   *
+   * Per purl spec, the type is "golang" and the module path
+   * uses `/` separators (no encoding needed for path segments).
+   *
+   * Example: `pkg:golang/github.com/gin-gonic/gin@v1.9.1`
+   */
+  buildPurl(modulePath, version) {
+    return `pkg:golang/${modulePath}@${version}`;
+  }
+};
+
+// src/scanners/ruby/ruby-scanner.ts
+import { readFile as readFile7 } from "fs/promises";
+import { existsSync as existsSync7 } from "fs";
+import path7 from "path";
+var RubyScanner = class {
+  ecosystem = "ruby";
+  lockfileNames = ["Gemfile.lock"];
+  async detect(projectPath) {
+    const lockfilePath = path7.join(projectPath, "Gemfile.lock");
+    return existsSync7(lockfilePath) ? lockfilePath : null;
+  }
+  async scan(projectPath, lockfilePath) {
+    const content = await readFile7(lockfilePath, "utf-8");
+    const specs = this.parseSpecs(content, lockfilePath);
+    const directNames = this.parseDependencies(content);
+    const dependencies = specs.map(({ name, version }) => ({
+      name,
+      version,
+      direct: directNames.has(name),
+      ecosystem: "ruby",
+      purl: `pkg:gem/${name}@${version}`
+    }));
+    return {
+      projectPath,
+      ecosystem: "ruby",
+      dependencies,
+      lockfilePath,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  /**
+   * Parses the GEM > specs section to extract all resolved gems.
+   *
+   * Gems at the top level of the specs section (indented 4 spaces) are
+   * resolved packages. Their sub-dependencies (indented 6+ spaces) are
+   * constraints, not separate entries — those sub-deps appear as their
+   * own top-level spec entries elsewhere.
+   *
+   * Format: `    gem-name (1.2.3)`
+   */
+  parseSpecs(content, lockfilePath) {
+    const gems = [];
+    let inGemSection = false;
+    let inSpecs = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine;
+      if (line.length > 0 && line[0] !== " ") {
+        if (line.startsWith("GEM")) {
+          inGemSection = true;
+          inSpecs = false;
+          continue;
+        }
+        inGemSection = false;
+        inSpecs = false;
+        continue;
+      }
+      if (inGemSection && line.trimStart().startsWith("specs:")) {
+        inSpecs = true;
+        continue;
+      }
+      if (!inSpecs) continue;
+      const match = line.match(/^ {4}(\S+)\s+\(([^)]+)\)$/);
+      if (match) {
+        const [, name, version] = match;
+        gems.push({ name, version });
+      }
+    }
+    if (gems.length === 0) {
+      throw new LockfileParseError(
+        lockfilePath,
+        "No gems found in GEM specs section"
+      );
+    }
+    return gems;
+  }
+  /**
+   * Parses the DEPENDENCIES section to get direct dependency names.
+   *
+   * Format: `  gem-name (>= 1.0)` or `  gem-name`
+   * The version constraint is optional and we only need the name.
+   */
+  parseDependencies(content) {
+    const directNames = /* @__PURE__ */ new Set();
+    let inDependencies = false;
+    for (const rawLine of content.split("\n")) {
+      const line = rawLine;
+      if (line.length > 0 && line[0] !== " ") {
+        if (line.startsWith("DEPENDENCIES")) {
+          inDependencies = true;
+          continue;
+        }
+        if (inDependencies) break;
+        continue;
+      }
+      if (!inDependencies) continue;
+      const match = line.match(/^ {2}(\S+?)!?\s*(?:\(|$)/);
+      if (match) {
+        directNames.add(match[1]);
+      }
+    }
+    return directNames;
   }
 };
 
@@ -276,8 +922,11 @@ var ScannerRegistry = class {
     this.scanners = [
       new NpmScanner(),
       new NugetScanner(),
-      new CargoScanner()
-      // Add new scanners here as they're implemented
+      new CargoScanner(),
+      new PipScanner(),
+      new MavenScanner(),
+      new GoScanner(),
+      new RubyScanner()
     ];
   }
   /**
@@ -572,7 +1221,8 @@ var OsvSource = class {
       cargo: "crates.io",
       maven: "Maven",
       pip: "PyPI",
-      go: "Go"
+      go: "Go",
+      ruby: "RubyGems"
     };
     return map[ecosystem] ?? ecosystem;
   }
@@ -737,6 +1387,76 @@ function severityBadge(s) {
   return badges[s] ?? "[???] ";
 }
 
+// src/api/client.ts
+var DEFAULT_API_BASE = "https://api.verimu.com";
+var VerimuApiClient = class {
+  baseUrl;
+  apiKey;
+  constructor(apiKey, baseUrl) {
+    this.apiKey = apiKey;
+    this.baseUrl = (baseUrl ?? DEFAULT_API_BASE).replace(/\/+$/, "");
+  }
+  /**
+   * Upsert a project — finds by name or creates it.
+   * Used so `npx verimu` auto-registers projects without manual dashboard setup.
+   */
+  async upsertProject(opts) {
+    const res = await fetch(`${this.baseUrl}/api/projects/upsert`, {
+      method: "POST",
+      headers: this.headers(),
+      body: JSON.stringify({
+        name: opts.name,
+        ecosystem: this.mapEcosystem(opts.ecosystem),
+        repository_url: opts.repositoryUrl ?? null,
+        platform: opts.platform ?? null
+      })
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`Verimu API: upsert project failed (${res.status}): ${body}`);
+    }
+    return res.json();
+  }
+  /**
+   * Upload a CycloneDX SBOM to a project and trigger CVE scanning.
+   */
+  async uploadSbom(projectId, sbomContent) {
+    const sbomJson = JSON.parse(sbomContent);
+    const res = await fetch(`${this.baseUrl}/api/projects/${projectId}/scan`, {
+      method: "POST",
+      headers: this.headers(),
+      body: JSON.stringify(sbomJson)
+    });
+    if (!res.ok) {
+      const body = await res.text();
+      throw new Error(`Verimu API: upload SBOM failed (${res.status}): ${body}`);
+    }
+    return res.json();
+  }
+  headers() {
+    return {
+      "Content-Type": "application/json",
+      "X-API-Key": this.apiKey
+    };
+  }
+  /**
+   * Maps internal ecosystem names to what the backend expects.
+   * Currently 1:1, but keeps the mapping explicit.
+   */
+  mapEcosystem(eco) {
+    const map = {
+      npm: "npm",
+      pip: "pip",
+      maven: "maven",
+      nuget: "nuget",
+      go: "gomod",
+      cargo: "cargo",
+      ruby: "bundler"
+    };
+    return map[eco] ?? eco;
+  }
+};
+
 // src/scan.ts
 async function scan(config) {
   const {
@@ -781,8 +1501,35 @@ async function scan(config) {
     summary,
     generatedAt: (/* @__PURE__ */ new Date()).toISOString()
   };
+  if (config.apiKey) {
+    try {
+      const uploadResult = await uploadToVerimu(report, config);
+      report.upload = uploadResult;
+    } catch {
+    }
+  }
   return report;
 }
+async function uploadToVerimu(report, config) {
+  if (!config.apiKey) {
+    throw new Error("API key required for upload");
+  }
+  const client = new VerimuApiClient(config.apiKey, config.apiBaseUrl);
+  const projectName = basename(config.projectPath);
+  const upsertRes = await client.upsertProject({
+    name: projectName,
+    ecosystem: report.project.ecosystem
+  });
+  const projectId = upsertRes.project.id;
+  const scanRes = await client.uploadSbom(projectId, report.sbom.content);
+  return {
+    projectId,
+    projectCreated: upsertRes.created,
+    totalDependencies: scanRes.summary.total_dependencies,
+    vulnerableDependencies: scanRes.summary.vulnerable_dependencies,
+    dashboardUrl: `https://app.verimu.com/dashboard/projects/${projectId}`
+  };
+}
 function shouldFailCi(report, threshold) {
   const severityOrder2 = {
     CRITICAL: 0,
@@ -802,19 +1549,27 @@ function printReport(report) {
 }
 export {
   ApiKeyRequiredError,
+  CargoScanner,
   ConsoleReporter,
   CveAggregator,
   CveSourceError,
   CycloneDxGenerator,
+  GoScanner,
   LockfileParseError,
+  MavenScanner,
   NoLockfileError,
   NpmScanner,
+  NugetScanner,
   OsvSource,
+  PipScanner,
+  RubyScanner,
   ScannerRegistry,
+  VerimuApiClient,
   VerimuError,
   generateSbom,
   printReport,
   scan,
-  shouldFailCi
+  shouldFailCi,
+  uploadToVerimu
 };
 //# sourceMappingURL=index.mjs.map