verimu 0.0.5 → 0.0.6

package/README.md

@@ -11,7 +11,7 @@ The NPM package for `verimu`, a tool for producing CRA-compliant SBOMs via CI /
 The core scanning pipeline is CI-agnostic — it works in any environment with Node.js 20+.
 Example CI configs are provided in the `ci-examples/` directory.
 
-- [x] GitHub Actions (`.github/workflows/test.yml`)
+- [x] GitHub Actions (`.github/workflows/release.yml`)
 - [x] GitLab CI (`ci-examples/gitlab-ci.yml`)
 - [x] Bitbucket Pipelines (`ci-examples/bitbucket-pipelines.yml`)
 
@@ -33,6 +33,42 @@ To run the tests, use:
 npm test
 ```
 
+## Releasing to npm (Tag Pipelines)
+
+`verimu` can publish from GitHub Actions, GitLab CI, and Bitbucket Pipelines when a semver tag is pushed.
+Each pipeline validates:
+
+- tag is semver (`v1.2.3` or `1.2.3`)
+- tag version matches `package.json` version
+- tagged commit exists on `main`
+
+### Publish credentials
+
+- GitHub Actions (`.github/workflows/release.yml`): uses npm Trusted Publishing (OIDC), so no `NPM_TOKEN` secret is required.
+- GitLab and Bitbucket pipelines in this repo still use `NPM_TOKEN` (`.gitlab-ci.yml`, `bitbucket-pipelines.yml`).
+
+### Recommended release flow
+
+1. Bump version on `main` with npm (this updates `package.json` and `package-lock.json`, then creates a git tag):
+
+```bash
+npm version patch
+```
+
+2. Push commit and tag:
+
+```bash
+git push origin main --follow-tags
+```
+
+3. Your CI provider runs the publish job on that tag and releases to npm.
+
+### Why this avoids version conflicts
+
+The source of truth remains the version committed on `main`.
+The tag is only a release trigger for that exact versioned commit.
+You should not tag arbitrary commits with a new version string that is not already committed in `package.json`.
+
 ## Maven Scanner Notes
 
 The Maven scanner needs resolved dependencies. Since Maven has no lockfile, it uses two strategies:
@@ -42,4 +78,6 @@ The Maven scanner needs resolved dependencies. Since Maven has no lockfile, it u
 
 ## Three CI / CD Pipelines as Self Check on the `verimu` package itself
 
-There is a `bitbucket-pipelines.yml` and `.gitlab-ci.yml` in the root of the project, as well as a `.github/workflows/test.yml` file, all of which would run `verimu` against itself in each of the 3 frameworks we support (GitHub Actions, GitLab CI, Bitbucket Pipelines). The tests should pass in all 3 environments, confirming that `verimu` can successfully scan its own dependencies and produce a report.
+There is a `bitbucket-pipelines.yml` and `.gitlab-ci.yml` in the root of the project, as well as a `.github/workflows/release.yml` file, all of which would run `verimu` against itself in each of the 3 frameworks we support (GitHub Actions, GitLab CI, Bitbucket Pipelines). The tests should pass in all 3 environments, confirming that `verimu` can successfully scan its own dependencies and produce a report.
+
+The same three provider configs now also include tag-based npm release automation, so this repo is a working cross-provider reference for both scanning and publishing.

package/dist/cli.mjs

@@ -316,7 +316,7 @@ import { existsSync as existsSync4 } from "fs";
 import path4 from "path";
 var PipScanner = class {
   ecosystem = "pip";
-  lockfileNames = ["requirements.txt", "Pipfile.lock"];
+  lockfileNames = ["Pipfile.lock", "requirements.txt"];
   async detect(projectPath) {
     for (const lockfile of this.lockfileNames) {
       const fullPath = path4.join(projectPath, lockfile);
@@ -331,7 +331,7 @@ var PipScanner = class {
     if (filename === "Pipfile.lock") {
       dependencies = this.parsePipfileLock(raw, lockfilePath);
     } else {
-      dependencies = this.parseRequirementsTxt(raw, lockfilePath);
+      dependencies = await this.parseRequirementsTxt(raw, lockfilePath);
     }
     return {
       projectPath,
@@ -345,24 +345,43 @@ var PipScanner = class {
    * Parses `requirements.txt` format.
    *
    * Supports:
-   *   - `package==1.2.3` (pinned)
-   *   - `package>=1.2.0` (minimum — uses the specified version)
-   *   - `package~=1.2.0` (compatible release)
+   *   - `package==1.2.3` (pinned) — REQUIRED
    *   - Comments (`#`) and blank lines are skipped
-   *   - `-r other-file.txt` (include directive) — skipped for now
+   *   - `-r other-file.txt` (include directive) — recursively parsed
    *   - `--index-url` and other pip flags — skipped
+   *
+   * Throws if any dependency is not strictly pinned with ==.
+   * Use `pip freeze` to generate a properly pinned requirements.txt.
    */
-  parseRequirementsTxt(content, lockfilePath) {
+  async parseRequirementsTxt(content, lockfilePath, visited = /* @__PURE__ */ new Set()) {
     const deps = [];
+    const currentDir = path4.dirname(lockfilePath);
+    const normalizedPath = path4.resolve(lockfilePath);
+    if (visited.has(normalizedPath)) {
+      return deps;
+    }
+    visited.add(normalizedPath);
     for (const rawLine of content.split("\n")) {
       const line = rawLine.trim();
-      if (!line || line.startsWith("#") || line.startsWith("-") || line.startsWith("--")) {
+      if (!line || line.startsWith("#")) {
         continue;
       }
-      const match = line.match(/^([a-zA-Z0-9_][a-zA-Z0-9._-]*)\s*(?:[~=!<>]=?)\s*(.+)$/);
-      if (match) {
-        const [, name, versionSpec] = match;
-        const version = this.extractVersion(versionSpec);
+      const includeMatch = line.match(/^-r\s+(.+)$/) || line.match(/^--requirement\s+(.+)$/);
+      if (includeMatch) {
+        const includePath = path4.resolve(currentDir, includeMatch[1].trim());
+        if (existsSync4(includePath)) {
+          const includeContent = await readFile4(includePath, "utf-8");
+          const includedDeps = await this.parseRequirementsTxt(includeContent, includePath, visited);
+          deps.push(...includedDeps);
+        }
+        continue;
+      }
+      if (line.startsWith("-") || line.startsWith("--")) {
+        continue;
+      }
+      const pinnedMatch = line.match(/^([a-zA-Z0-9_][a-zA-Z0-9._-]*)\s*==\s*([^,\s]+)$/);
+      if (pinnedMatch) {
+        const [, name, version] = pinnedMatch;
         if (name && version) {
           deps.push({
             name: this.normalizePipName(name),
@@ -373,6 +392,14 @@ var PipScanner = class {
             purl: this.buildPurl(name, version)
           });
         }
+        continue;
+      }
+      const depMatch = line.match(/^([a-zA-Z0-9_][a-zA-Z0-9._-]*)\s*([~=!<>].*)$/);
+      if (depMatch) {
+        throw new LockfileParseError(
+          lockfilePath,
+          `Non-pinned dependency detected: "${line}". Use pip freeze or Pipfile.lock.`
+        );
       }
     }
     return deps;
@@ -431,15 +458,6 @@ var PipScanner = class {
     }
     return deps;
   }
-  /**
-   * Extracts the version number from a pip version specifier.
-   * "1.2.3" → "1.2.3"
-   * "1.2.3,<2.0" → "1.2.3"
-   */
-  extractVersion(spec) {
-    const cleaned = spec.split(",")[0].trim();
-    return cleaned;
-  }
   /**
    * Normalizes a pip package name per PEP 503.
    * Converts to lowercase and replaces any run of [-_.] with a single hyphen.
@@ -474,61 +492,88 @@ var MavenScanner = class {
     return existsSync5(pomPath) ? pomPath : null;
   }
   async scan(projectPath, _lockfilePath) {
+    const pomPath = path5.join(projectPath, "pom.xml");
+    const pomContent = await readFile5(pomPath, "utf-8").catch(() => null);
+    const directDeps = pomContent ? this.parsePomDependencies(pomContent) : /* @__PURE__ */ new Set();
     const depTreePath = path5.join(projectPath, "dependency-tree.txt");
     if (existsSync5(depTreePath)) {
       const content = await readFile5(depTreePath, "utf-8");
-      const dependencies = this.parseDependencyList(content, depTreePath);
+      const dependencies = this.parseDependencyList(content, directDeps);
       return this.buildResult(projectPath, depTreePath, dependencies);
     }
     if (this.isMavenAvailable()) {
       const output = this.runMavenDependencyList(projectPath);
-      const dependencies = this.parseDependencyList(output, "mvn dependency:list");
-      return this.buildResult(projectPath, path5.join(projectPath, "pom.xml"), dependencies);
+      const dependencies = this.parseDependencyList(output, directDeps);
+      return this.buildResult(projectPath, pomPath, dependencies);
     }
     throw new LockfileParseError(
-      path5.join(projectPath, "pom.xml"),
+      pomPath,
       "Maven project detected (pom.xml found) but could not resolve dependencies. Either install Maven (`mvn` must be on $PATH) or pre-generate a dependency list:\n  mvn dependency:list -DoutputFile=dependency-tree.txt -DappendOutput=true"
     );
   }
+  /**
+   * Parses pom.xml to extract direct dependency coordinates (groupId:artifactId).
+   * This is a simple regex-based parser that handles standard dependency declarations.
+   */
+  parsePomDependencies(pomContent) {
+    const directDeps = /* @__PURE__ */ new Set();
+    const depBlockRegex = /<dependency>\s*([\s\S]*?)<\/dependency>/g;
+    const groupIdRegex = /<groupId>\s*([^<]+)\s*<\/groupId>/;
+    const artifactIdRegex = /<artifactId>\s*([^<]+)\s*<\/artifactId>/;
+    let match;
+    while ((match = depBlockRegex.exec(pomContent)) !== null) {
+      const block = match[1];
+      const groupMatch = block.match(groupIdRegex);
+      const artifactMatch = block.match(artifactIdRegex);
+      if (groupMatch && artifactMatch) {
+        const groupId = groupMatch[1].trim();
+        const artifactId = artifactMatch[1].trim();
+        directDeps.add(`${groupId}:${artifactId}`);
+      }
+    }
+    return directDeps;
+  }
   /**
    * Parses Maven `dependency:list` output.
    *
    * Each dependency line has the format:
-   *   groupId:artifactId:type:version:scope
-   *   groupId:artifactId:type:classifier:version:scope
+   *   groupId:artifactId:type:version:scope (5 parts)
+   *   groupId:artifactId:type:classifier:version:scope (6 parts)
    *
    * Lines are typically indented with leading whitespace.
    */
-  parseDependencyList(content, source) {
+  parseDependencyList(content, directDeps) {
     const deps = [];
-    const depPattern = /^\s*([a-zA-Z0-9._-]+):([a-zA-Z0-9._-]+):([a-z]+):(?:([a-zA-Z0-9._-]+):)?([a-zA-Z0-9._-]+):([a-z]+)/;
+    const seen = /* @__PURE__ */ new Set();
     for (const rawLine of content.split("\n")) {
       const line = rawLine.trim();
       if (!line) continue;
-      const match = line.match(depPattern);
-      if (match) {
-        const groupId = match[1];
-        const artifactId = match[2];
-        const version = match[4] && match[5] ? match[5] : match[4] ?? match[5];
-        const scope = match[4] && match[5] ? match[6] : match[5] && match[6] ? match[6] : match[5];
-        const parts = line.split(":");
-        if (parts.length >= 5) {
-          const gId = parts[0].trim();
-          const aId = parts[1];
-          const ver = parts.length === 6 ? parts[4] : parts[3];
-          const scp = parts.length === 6 ? parts[5] : parts[4];
-          if (gId && aId && ver) {
-            const name = `${gId}:${aId}`;
-            deps.push({
-              name,
-              version: ver,
-              direct: scp === "compile" || scp === "runtime" || scp === "provided",
-              ecosystem: "maven",
-              purl: this.buildPurl(gId, aId, ver)
-            });
-          }
-        }
+      const parts = line.split(":");
+      if (parts.length < 5) continue;
+      const groupId = parts[0];
+      const artifactId = parts[1];
+      let version;
+      let scope;
+      if (parts.length >= 6) {
+        version = parts[4];
+        scope = parts[5];
+      } else {
+        version = parts[3];
+        scope = parts[4];
       }
+      if (!groupId || !artifactId || !version) continue;
+      if (scope === "test") continue;
+      const name = `${groupId}:${artifactId}`;
+      if (seen.has(name)) continue;
+      seen.add(name);
+      const isDirect = directDeps.has(name);
+      deps.push({
+        name,
+        version,
+        direct: isDirect,
+        ecosystem: "maven",
+        purl: this.buildPurl(groupId, artifactId, version)
+      });
     }
     return deps;
   }
@@ -1054,7 +1099,10 @@ var OsvSource = class {
     }
     return allVulns;
   }
-  /** Uses OSV's /querybatch endpoint for efficient bulk lookups */
+  /**
+   * Uses OSV's /querybatch endpoint to get vulnerability IDs,
+   * then fetches full details for each unique vulnerability.
+   */
   async queryBatch(dependencies) {
     const queries = dependencies.map((dep) => ({
       version: dep.version,
@@ -1072,18 +1120,65 @@ var OsvSource = class {
       throw new Error(`OSV API error: ${response.status} ${response.statusText}`);
     }
     const data = await response.json();
-    const vulnerabilities = [];
+    const vulnIdToDeps = /* @__PURE__ */ new Map();
     for (let i = 0; i < data.results.length; i++) {
       const result = data.results[i];
       const dep = dependencies[i];
       if (result.vulns && result.vulns.length > 0) {
         for (const vuln of result.vulns) {
-          vulnerabilities.push(this.mapVulnerability(vuln, dep));
+          const existing = vulnIdToDeps.get(vuln.id);
+          if (existing) {
+            existing.push(dep);
+          } else {
+            vulnIdToDeps.set(vuln.id, [dep]);
+          }
         }
       }
     }
+    if (vulnIdToDeps.size === 0) {
+      return [];
+    }
+    const vulnIds = Array.from(vulnIdToDeps.keys());
+    const fullVulns = await this.fetchVulnerabilityDetails(vulnIds);
+    const vulnerabilities = [];
+    for (const osvVuln of fullVulns) {
+      const affectedDeps = vulnIdToDeps.get(osvVuln.id) ?? [];
+      for (const dep of affectedDeps) {
+        vulnerabilities.push(this.mapVulnerability(osvVuln, dep));
+      }
+    }
     return vulnerabilities;
   }
+  /**
+   * Fetches full vulnerability details from /v1/vulns/{id} for each ID.
+   * Makes parallel requests for efficiency.
+   */
+  async fetchVulnerabilityDetails(vulnIds) {
+    const results = [];
+    const CONCURRENCY = 10;
+    for (let i = 0; i < vulnIds.length; i += CONCURRENCY) {
+      const batch = vulnIds.slice(i, i + CONCURRENCY);
+      const promises = batch.map(async (id) => {
+        try {
+          const response = await this.fetchFn(`${OSV_API_BASE}/vulns/${encodeURIComponent(id)}`, {
+            method: "GET",
+            headers: { "Content-Type": "application/json" }
+          });
+          if (!response.ok) {
+            console.warn(`Failed to fetch vulnerability ${id}: ${response.status}`);
+            return null;
+          }
+          return await response.json();
+        } catch (err) {
+          console.warn(`Error fetching vulnerability ${id}:`, err);
+          return null;
+        }
+      });
+      const batchResults = await Promise.all(promises);
+      results.push(...batchResults.filter((v) => v !== null));
+    }
+    return results;
+  }
   /** Maps an OSV vulnerability record to our Vulnerability type */
   mapVulnerability(osvVuln, dep) {
     const cveId = this.extractCveId(osvVuln);
@@ -1134,12 +1229,75 @@ var OsvSource = class {
     }
     return { level: "UNKNOWN" };
   }
-  /** Parses CVSS v3 vector string to extract the base score */
+  /** Parses CVSS v3 vector string to extract/calculate the base score */
   parseCvssScore(vectorOrScore) {
     const num = parseFloat(vectorOrScore);
     if (!isNaN(num) && num >= 0 && num <= 10) return num;
+    if (vectorOrScore.startsWith("CVSS:3")) {
+      return this.calculateCvss3Score(vectorOrScore);
+    }
     return null;
   }
+  /** Calculate CVSS v3.x base score from vector string */
+  calculateCvss3Score(vector) {
+    const metricValues = {
+      AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
+      // Attack Vector
+      AC: { L: 0.77, H: 0.44 },
+      // Attack Complexity
+      PR: {
+        // Privileges Required (varies by Scope)
+        N_U: 0.85,
+        L_U: 0.62,
+        H_U: 0.27,
+        N_C: 0.85,
+        L_C: 0.68,
+        H_C: 0.5
+      },
+      UI: { N: 0.85, R: 0.62 },
+      // User Interaction
+      C: { H: 0.56, L: 0.22, N: 0 },
+      // Confidentiality Impact
+      I: { H: 0.56, L: 0.22, N: 0 },
+      // Integrity Impact
+      A: { H: 0.56, L: 0.22, N: 0 }
+      // Availability Impact
+    };
+    const parts = vector.split("/");
+    const metrics = {};
+    for (const part of parts) {
+      const [key, value] = part.split(":");
+      if (key && value) metrics[key] = value;
+    }
+    const av = metricValues.AV[metrics.AV];
+    const ac = metricValues.AC[metrics.AC];
+    const ui = metricValues.UI[metrics.UI];
+    const scope = metrics.S;
+    const c = metricValues.C[metrics.C];
+    const i = metricValues.I[metrics.I];
+    const a = metricValues.A[metrics.A];
+    const prKey = `${metrics.PR}_${scope}`;
+    const pr = metricValues.PR[prKey];
+    if ([av, ac, pr, ui, c, i, a].some((v) => v === void 0)) {
+      return null;
+    }
+    const iss = 1 - (1 - c) * (1 - i) * (1 - a);
+    let impact;
+    if (scope === "U") {
+      impact = 6.42 * iss;
+    } else {
+      impact = 7.52 * (iss - 0.029) - 3.25 * Math.pow(iss - 0.02, 15);
+    }
+    const exploitability = 8.22 * av * ac * pr * ui;
+    if (impact <= 0) return 0;
+    let baseScore;
+    if (scope === "U") {
+      baseScore = Math.min(impact + exploitability, 10);
+    } else {
+      baseScore = Math.min(1.08 * (impact + exploitability), 10);
+    }
+    return Math.ceil(baseScore * 10) / 10;
+  }
   /** Converts a CVSS score (0-10) to a severity level */
   scoreToSeverity(score) {
     if (score >= 9) return "CRITICAL";