icdev 0.0.3__py3-none-any.whl

tools/maintenance/vulnerability_checker.py

@@ -0,0 +1,978 @@
+#!/usr/bin/env python3
+# CUI // SP-CTI
+"""Vulnerability Checker — checks dependencies against advisory databases and enforces SLAs.
+
+For each dependency in the inventory:
+- Run language-native audit tools (pip-audit, npm audit, cargo-audit, govulncheck, etc.)
+- Map severity to SLA category with deadline enforcement
+- Store findings in dependency_vulnerabilities table
+- Flag overdue SLAs
+
+CLI: python tools/maintenance/vulnerability_checker.py --project-id <id> [--json]
+"""
+# CUI // SP-CTI
+
+import argparse
+import json
+import sqlite3
+import subprocess
+import sys
+from datetime import datetime, timedelta, timezone
+from pathlib import Path
+from typing import Dict, List, Optional, Tuple
+from tools.db.storage import get_connection
+
+BASE_DIR = Path(__file__).resolve().parent.parent.parent
+CONFIG_PATH = BASE_DIR / "args" / "maintenance_config.yaml"
+
+# Default SLA thresholds (overridden by maintenance_config.yaml)
+DEFAULT_SLA = {
+    "critical": 48,    # hours
+    "high": 168,       # 7 days
+    "medium": 720,     # 30 days
+    "low": 2160,       # 90 days
+}
+
+
+# ── Helpers (standard SPARKPILOT pattern) ─────────────────────────────
+
+
+def _get_project(conn: sqlite3.Connection, project_id: str) -> Optional[Dict]:
+    """Load project from projects table."""
+    row = conn.execute(
+        "SELECT * FROM projects WHERE id = ?", (project_id,)
+    ).fetchone()
+    if row is None:
+        return None
+    return dict(row)
+
+
+def _log_audit_event(
+    conn: sqlite3.Connection,
+    project_id: str,
+    action: str,
+    details: Optional[Dict] = None,
+) -> None:
+    """Append an immutable audit trail entry. event_type='vulnerability_checked'."""
+    conn.execute(
+        """INSERT INTO audit_trail
+           (project_id, event_type, actor, action, details, classification)
+           VALUES (?, ?, ?, ?, ?, ?)""",
+        (
+            project_id,
+            "vulnerability_checked",
+            "maintenance/vulnerability_checker",
+            action,
+            json.dumps(details) if details else None,
+            "CUI",
+        ),
+    )
+    conn.commit()
+
+
+def _load_maintenance_config() -> Dict:
+    """Load args/maintenance_config.yaml using stdlib YAML-subset parser.
+
+    Returns a dict with at least an 'sla' key. Falls back to DEFAULT_SLA
+    values if the config file is missing or unparseable.
+    """
+    config = {"sla": {
+        "critical_hours": DEFAULT_SLA["critical"],
+        "high_hours": DEFAULT_SLA["high"],
+        "medium_hours": DEFAULT_SLA["medium"],
+        "low_hours": DEFAULT_SLA["low"],
+    }}
+    if not CONFIG_PATH.exists():
+        return config
+
+    try:
+        text = CONFIG_PATH.read_text(encoding="utf-8")
+        # Minimal YAML parser — handles top-level keys with simple nested scalars.
+        current_section = None
+        for line in text.splitlines():
+            stripped = line.strip()
+            if not stripped or stripped.startswith("#"):
+                continue
+            # Detect section header (no leading whitespace, ends with ':')
+            if not line[0].isspace() and stripped.endswith(":"):
+                current_section = stripped[:-1].strip()
+                if current_section not in config:
+                    config[current_section] = {}
+                continue
+            # Key-value inside a section
+            if current_section is not None and ":" in stripped:
+                parts = stripped.split(":", 1)
+                key = parts[0].strip()
+                raw_val = parts[1].strip().strip('"').strip("'")
+                # Strip inline comments
+                if "  #" in raw_val:
+                    raw_val = raw_val.split("  #")[0].strip()
+                elif " #" in raw_val:
+                    raw_val = raw_val.split(" #")[0].strip().strip('"').strip("'")
+                # Coerce types
+                if raw_val.lower() in ("true",):
+                    config[current_section][key] = True
+                elif raw_val.lower() in ("false",):
+                    config[current_section][key] = False
+                else:
+                    try:
+                        config[current_section][key] = int(raw_val)
+                    except ValueError:
+                        try:
+                            config[current_section][key] = float(raw_val)
+                        except ValueError:
+                            config[current_section][key] = raw_val
+    except Exception:
+        pass
+
+    return config
+
+
+# ── SLA Mapping ──────────────────────────────────────────────────
+
+
+def _map_severity_to_sla(
+    severity: str,
+    config: Optional[Dict] = None,
+) -> Tuple[str, int]:
+    """Map vulnerability severity to SLA category and deadline hours.
+
+    Returns:
+        (sla_category: str, sla_hours: int)
+    """
+    sla = config.get("sla", {}) if config else {}
+    severity_lower = severity.lower()
+    if severity_lower in ("critical",):
+        return "critical", sla.get("critical_hours", DEFAULT_SLA["critical"])
+    elif severity_lower in ("high",):
+        return "high", sla.get("high_hours", DEFAULT_SLA["high"])
+    elif severity_lower in ("medium", "moderate"):
+        return "medium", sla.get("medium_hours", DEFAULT_SLA["medium"])
+    else:
+        return "low", sla.get("low_hours", DEFAULT_SLA["low"])
+
+
+def _calculate_sla_deadline(discovery_date: datetime, sla_hours: int) -> datetime:
+    """Calculate SLA deadline from discovery date + SLA hours."""
+    return discovery_date + timedelta(hours=sla_hours)
+
+
+def _normalize_severity(raw: str) -> str:
+    """Normalize a severity string to one of: critical/high/medium/low/unknown."""
+    val = raw.strip().lower()
+    if val in ("critical",):
+        return "critical"
+    elif val in ("high",):
+        return "high"
+    elif val in ("medium", "moderate"):
+        return "medium"
+    elif val in ("low", "info", "informational"):
+        return "low"
+    else:
+        return "unknown"
+
+
+# ── Language-Specific Vulnerability Checkers ─────────────────────
+
+
+def _check_python_vulns(project_dir: str) -> List[Dict]:
+    """Run pip-audit --format=json via subprocess, parse output.
+
+    Returns list of finding dicts with standardized keys.
+    """
+    root = Path(project_dir)
+    findings = []
+
+    # Verify a Python project is present
+    has_python = any(
+        (root / f).exists()
+        for f in ("requirements.txt", "pyproject.toml", "setup.py", "setup.cfg")
+    )
+    if not has_python:
+        return findings
+
+    # Build command
+    cmd = [sys.executable, "-m", "pip_audit", "--format=json"]
+    req_file = root / "requirements.txt"
+    if req_file.exists():
+        cmd.extend(["--requirement", str(req_file)])
+
+    try:
+        proc = subprocess.run(
+            cmd, capture_output=True, text=True, timeout=300, cwd=str(root),
+        )
+    except FileNotFoundError:
+        print("  [WARN] pip-audit not installed; skipping Python vulnerability check")
+        return findings
+    except subprocess.TimeoutExpired:
+        print("  [WARN] pip-audit timed out after 300s")
+        return findings
+
+    if not proc.stdout:
+        return findings
+
+    try:
+        data = json.loads(proc.stdout)
+    except json.JSONDecodeError:
+        return findings
+
+    deps = data if isinstance(data, list) else data.get("dependencies", [])
+    for dep in deps:
+        for vuln in dep.get("vulns", []):
+            aliases = vuln.get("aliases", [])
+            cve_id = ""
+            for a in aliases:
+                if a.startswith("CVE-"):
+                    cve_id = a
+                    break
+            if not cve_id:
+                cve_id = vuln.get("id", "")
+
+            findings.append({
+                "package_name": dep.get("name", ""),
+                "version": dep.get("version", ""),
+                "cve_id": cve_id,
+                "advisory_id": vuln.get("id", ""),
+                "severity": _normalize_severity(vuln.get("severity", "unknown")),
+                "cvss_score": None,
+                "title": vuln.get("description", vuln.get("id", "")),
+                "description": vuln.get("description", ""),
+                "affected_versions": dep.get("version", ""),
+                "fix_version": ", ".join(vuln.get("fix_versions", [])),
+                "fix_available": len(vuln.get("fix_versions", [])) > 0,
+                "source": "pip-audit",
+            })
+
+    return findings
+
+
+def _check_javascript_vulns(project_dir: str) -> List[Dict]:
+    """Run npm audit --json via subprocess, parse output.
+
+    Returns list of finding dicts with standardized keys.
+    """
+    root = Path(project_dir)
+    findings = []
+
+    if not (root / "package.json").exists():
+        return findings
+
+    try:
+        proc = subprocess.run(
+            ["npm", "audit", "--json"],
+            capture_output=True, text=True, timeout=300, cwd=str(root),
+        )
+    except FileNotFoundError:
+        print("  [WARN] npm not installed; skipping JavaScript vulnerability check")
+        return findings
+    except subprocess.TimeoutExpired:
+        print("  [WARN] npm audit timed out after 300s")
+        return findings
+
+    if not proc.stdout:
+        return findings
+
+    try:
+        data = json.loads(proc.stdout)
+    except json.JSONDecodeError:
+        return findings
+
+    # npm audit v2 format
+    vulns = data.get("vulnerabilities", {})
+    for pkg_name, vuln_data in vulns.items():
+        severity = _normalize_severity(vuln_data.get("severity", "unknown"))
+        via_list = vuln_data.get("via", [])
+        for v in via_list:
+            if isinstance(v, dict):
+                cve_id = ""
+                v.get("cwe", [])
+                url = v.get("url", "")
+                # Try to extract CVE from url or use advisory source
+                if "CVE-" in url:
+                    cve_id = url.split("CVE-")[-1]
+                    cve_id = "CVE-" + cve_id.split("/")[0].split("?")[0]
+                findings.append({
+                    "package_name": pkg_name,
+                    "version": vuln_data.get("range", ""),
+                    "cve_id": cve_id,
+                    "advisory_id": str(v.get("source", "")),
+                    "severity": _normalize_severity(v.get("severity", severity)),
+                    "cvss_score": v.get("cvss", {}).get("score") if isinstance(v.get("cvss"), dict) else None,
+                    "title": v.get("title", ""),
+                    "description": v.get("title", ""),
+                    "affected_versions": v.get("range", ""),
+                    "fix_version": "",
+                    "fix_available": bool(vuln_data.get("fixAvailable", False)),
+                    "source": "npm-audit",
+                })
+            elif isinstance(v, str):
+                # Transitive dependency reference — skip to avoid duplicates
+                pass
+
+    # npm audit v1 fallback
+    if not findings and "advisories" in data:
+        for adv_id, adv in data["advisories"].items():
+            findings.append({
+                "package_name": adv.get("module_name", ""),
+                "version": adv.get("vulnerable_versions", ""),
+                "cve_id": "",
+                "advisory_id": str(adv_id),
+                "severity": _normalize_severity(adv.get("severity", "unknown")),
+                "cvss_score": None,
+                "title": adv.get("title", ""),
+                "description": adv.get("overview", ""),
+                "affected_versions": adv.get("vulnerable_versions", ""),
+                "fix_version": adv.get("patched_versions", ""),
+                "fix_available": bool(adv.get("patched_versions")),
+                "source": "npm-audit",
+            })
+
+    return findings
+
+
+def _check_java_vulns(project_dir: str) -> List[Dict]:
+    """Run mvn dependency-check or look for existing OWASP report.
+
+    Returns list of finding dicts with standardized keys.
+    """
+    root = Path(project_dir)
+    findings = []
+
+    has_java = any(
+        (root / f).exists() for f in ("pom.xml", "build.gradle", "build.gradle.kts")
+    )
+    if not has_java:
+        return findings
+
+    # Check for existing OWASP dependency-check report
+    report_path = root / "target" / "dependency-check-report.json"
+    if not report_path.exists():
+        # Try running mvn dependency-check
+        try:
+            subprocess.run(
+                [
+                    "mvn", "org.owasp:dependency-check-maven:check",
+                    "-Dformat=JSON", "-DfailOnError=false", "-q",
+                ],
+                capture_output=True, text=True, timeout=300, cwd=str(root),
+            )
+        except FileNotFoundError:
+            print("  [WARN] mvn not installed; skipping Java vulnerability check")
+            return findings
+        except subprocess.TimeoutExpired:
+            print("  [WARN] mvn dependency-check timed out after 300s")
+            return findings
+
+    # Parse report if it exists now
+    if report_path.exists():
+        try:
+            data = json.loads(report_path.read_text(encoding="utf-8"))
+        except (json.JSONDecodeError, OSError):
+            return findings
+
+        for dep in data.get("dependencies", []):
+            for vuln in dep.get("vulnerabilities", []):
+                cvss_v3 = vuln.get("cvssv3", {})
+                cvss_v2 = vuln.get("cvssv2", {})
+                score = cvss_v3.get("baseScore") or cvss_v2.get("score")
+                raw_sev = cvss_v3.get("baseSeverity", vuln.get("severity", "unknown"))
+
+                findings.append({
+                    "package_name": dep.get("fileName", ""),
+                    "version": dep.get("version", ""),
+                    "cve_id": vuln.get("name", ""),
+                    "advisory_id": vuln.get("name", ""),
+                    "severity": _normalize_severity(raw_sev),
+                    "cvss_score": score,
+                    "title": vuln.get("description", "")[:200],
+                    "description": vuln.get("description", ""),
+                    "affected_versions": "",
+                    "fix_version": "",
+                    "fix_available": False,
+                    "source": "owasp-dependency-check",
+                })
+
+    return findings
+
+
+def _check_go_vulns(project_dir: str) -> List[Dict]:
+    """Run govulncheck -json ./... via subprocess.
+
+    Returns list of finding dicts with standardized keys.
+    """
+    root = Path(project_dir)
+    findings = []
+
+    if not (root / "go.mod").exists():
+        return findings
+
+    try:
+        proc = subprocess.run(
+            ["govulncheck", "-json", "./..."],
+            capture_output=True, text=True, timeout=300, cwd=str(root),
+        )
+    except FileNotFoundError:
+        print("  [WARN] govulncheck not installed; skipping Go vulnerability check")
+        return findings
+    except subprocess.TimeoutExpired:
+        print("  [WARN] govulncheck timed out after 300s")
+        return findings
+
+    if not proc.stdout:
+        return findings
+
+    # govulncheck outputs newline-delimited JSON objects
+    for line in proc.stdout.strip().splitlines():
+        line = line.strip()
+        if not line:
+            continue
+        try:
+            obj = json.loads(line)
+        except json.JSONDecodeError:
+            continue
+
+        # Handle govulncheck output structure
+        vuln = obj.get("finding") or obj.get("osv")
+        if vuln is None:
+            # Try top-level vuln format
+            if "id" in obj and obj["id"].startswith("GO-"):
+                vuln = obj
+            else:
+                continue
+
+        osv_entry = obj.get("osv", vuln)
+        vuln_id = osv_entry.get("id", "")
+        aliases = osv_entry.get("aliases", [])
+        cve_id = ""
+        for a in aliases:
+            if a.startswith("CVE-"):
+                cve_id = a
+                break
+
+        # Extract affected module
+        affected = osv_entry.get("affected", [{}])
+        pkg_name = ""
+        if affected:
+            pkg_info = affected[0].get("package", {})
+            pkg_name = pkg_info.get("name", "")
+
+        # Severity from database_specific or default
+        db_specific = osv_entry.get("database_specific", {})
+        raw_sev = db_specific.get("severity", "unknown")
+
+        findings.append({
+            "package_name": pkg_name,
+            "version": "",
+            "cve_id": cve_id or vuln_id,
+            "advisory_id": vuln_id,
+            "severity": _normalize_severity(raw_sev),
+            "cvss_score": None,
+            "title": osv_entry.get("summary", vuln_id),
+            "description": osv_entry.get("details", ""),
+            "affected_versions": "",
+            "fix_version": "",
+            "fix_available": False,
+            "source": "govulncheck",
+        })
+
+    return findings
+
+
+def _check_rust_vulns(project_dir: str) -> List[Dict]:
+    """Run cargo audit --json via subprocess.
+
+    Returns list of finding dicts with standardized keys.
+    """
+    root = Path(project_dir)
+    findings = []
+
+    if not (root / "Cargo.toml").exists():
+        return findings
+
+    try:
+        proc = subprocess.run(
+            ["cargo", "audit", "--json"],
+            capture_output=True, text=True, timeout=300, cwd=str(root),
+        )
+    except FileNotFoundError:
+        print("  [WARN] cargo-audit not installed; skipping Rust vulnerability check")
+        return findings
+    except subprocess.TimeoutExpired:
+        print("  [WARN] cargo audit timed out after 300s")
+        return findings
+
+    if not proc.stdout:
+        return findings
+
+    try:
+        data = json.loads(proc.stdout)
+    except json.JSONDecodeError:
+        return findings
+
+    for vuln_entry in data.get("vulnerabilities", {}).get("list", []):
+        advisory = vuln_entry.get("advisory", {})
+        pkg = vuln_entry.get("package", {})
+        cvss = advisory.get("cvss")
+
+        # Derive severity from CVSS score
+        raw_sev = "unknown"
+        cvss_score = None
+        if cvss:
+            try:
+                cvss_score = float(cvss) if isinstance(cvss, (int, float, str)) else None
+            except (ValueError, TypeError):
+                cvss_score = None
+            if cvss_score is not None:
+                if cvss_score >= 9.0:
+                    raw_sev = "critical"
+                elif cvss_score >= 7.0:
+                    raw_sev = "high"
+                elif cvss_score >= 4.0:
+                    raw_sev = "medium"
+                else:
+                    raw_sev = "low"
+
+        versions = vuln_entry.get("versions", {})
+        patched = versions.get("patched", [])
+
+        findings.append({
+            "package_name": pkg.get("name", ""),
+            "version": pkg.get("version", ""),
+            "cve_id": advisory.get("id", ""),
+            "advisory_id": advisory.get("id", ""),
+            "severity": _normalize_severity(raw_sev),
+            "cvss_score": cvss_score,
+            "title": advisory.get("title", ""),
+            "description": advisory.get("description", ""),
+            "affected_versions": "",
+            "fix_version": ", ".join(patched) if patched else "",
+            "fix_available": len(patched) > 0,
+            "source": "cargo-audit",
+        })
+
+    return findings
+
+
+def _check_csharp_vulns(project_dir: str) -> List[Dict]:
+    """Run dotnet list package --vulnerable --format json via subprocess.
+
+    Returns list of finding dicts with standardized keys.
+    """
+    root = Path(project_dir)
+    findings = []
+
+    has_csharp = any(
+        list(root.glob(p))[:1]
+        for p in ("*.csproj", "*.sln", "**/*.csproj")
+    )
+    if not has_csharp:
+        return findings
+
+    try:
+        proc = subprocess.run(
+            ["dotnet", "list", "package", "--vulnerable", "--format", "json"],
+            capture_output=True, text=True, timeout=300, cwd=str(root),
+        )
+    except FileNotFoundError:
+        print("  [WARN] dotnet not installed; skipping C# vulnerability check")
+        return findings
+    except subprocess.TimeoutExpired:
+        print("  [WARN] dotnet list package timed out after 300s")
+        return findings
+
+    if not proc.stdout:
+        return findings
+
+    try:
+        data = json.loads(proc.stdout)
+    except json.JSONDecodeError:
+        return findings
+
+    # Parse dotnet vulnerable package output
+    for project_entry in data.get("projects", []):
+        for framework in project_entry.get("frameworks", []):
+            for pkg in framework.get("topLevelPackages", []):
+                for vuln in pkg.get("vulnerabilities", []):
+                    raw_sev = vuln.get("severity", "unknown")
+                    findings.append({
+                        "package_name": pkg.get("id", ""),
+                        "version": pkg.get("resolvedVersion", ""),
+                        "cve_id": vuln.get("advisoryurl", ""),
+                        "advisory_id": vuln.get("advisoryurl", ""),
+                        "severity": _normalize_severity(raw_sev),
+                        "cvss_score": None,
+                        "title": f"Vulnerable package: {pkg.get('id', '')}",
+                        "description": "",
+                        "affected_versions": pkg.get("resolvedVersion", ""),
+                        "fix_version": "",
+                        "fix_available": False,
+                        "source": "dotnet-audit",
+                    })
+
+    return findings
+
+
+# ── SLA Compliance Check ─────────────────────────────────────────
+
+
+def _check_sla_compliance(conn: sqlite3.Connection, project_id: str) -> Dict:
+    """Check all open vulnerabilities for SLA deadline compliance.
+
+    Returns dict with:
+    - total_open: count of open vulns
+    - overdue_critical: count with sla_category='critical' past deadline
+    - overdue_high: count with sla_category='high' past deadline
+    - overdue_medium: count
+    - overdue_low: count
+    - sla_compliant_pct: percentage within SLA
+    """
+    now = datetime.now(timezone.utc).isoformat()
+
+    # Count total open vulnerabilities
+    total_row = conn.execute(
+        "SELECT COUNT(*) as cnt FROM dependency_vulnerabilities WHERE project_id = ? AND status = 'open'",
+        (project_id,),
+    ).fetchone()
+    total_open = total_row["cnt"] if total_row else 0
+
+    # Count overdue by SLA category
+    rows = conn.execute(
+        """SELECT sla_category, COUNT(*) as cnt
+           FROM dependency_vulnerabilities
+           WHERE project_id = ? AND status = 'open' AND sla_deadline < ?
+           GROUP BY sla_category""",
+        (project_id, now),
+    ).fetchall()
+
+    overdue = {"critical": 0, "high": 0, "medium": 0, "low": 0}
+    total_overdue = 0
+    for row in rows:
+        cat = row["sla_category"]
+        cnt = row["cnt"]
+        if cat in overdue:
+            overdue[cat] = cnt
+        total_overdue += cnt
+
+    sla_compliant_pct = 100.0
+    if total_open > 0:
+        sla_compliant_pct = round(((total_open - total_overdue) / total_open) * 100.0, 1)
+
+    return {
+        "total_open": total_open,
+        "total_overdue": total_overdue,
+        "overdue_critical": overdue["critical"],
+        "overdue_high": overdue["high"],
+        "overdue_medium": overdue["medium"],
+        "overdue_low": overdue["low"],
+        "sla_compliant_pct": sla_compliant_pct,
+    }
+
+
+# ── Main Function ────────────────────────────────────────────────
+
+
+def check_vulnerabilities(
+    project_id: str,
+    project_dir: Optional[str] = None,
+    db_path: Optional[str] = None,
+) -> Dict:
+    """Check all project dependencies for known vulnerabilities.
+
+    Steps:
+    1. Connect to DB, load project
+    2. Resolve project directory
+    3. Get inventory from dependency_inventory table
+    4. Detect languages from inventory
+    5. Run language-specific vulnerability checkers
+    6. For each finding:
+       a. Map severity to SLA category
+       b. Calculate SLA deadline
+       c. Check if already in DB (by cve_id + dependency)
+       d. INSERT OR REPLACE into dependency_vulnerabilities
+       e. Link to dependency_inventory via dependency_id lookup
+    7. Check for overdue SLAs (sla_deadline < now AND status = 'open')
+    8. Log audit event
+    9. Return summary
+
+    Returns:
+        dict with: project_id, total_checked, vulnerable_count,
+                    by_severity (critical/high/medium/low counts),
+                    overdue_sla_count, findings (list), check_date
+    """
+    conn = get_connection(db_path=db_path)
+    now = datetime.now(timezone.utc)
+    check_date = now.isoformat() + "Z"
+    config = _load_maintenance_config()
+
+    # 1. Load project
+    project = _get_project(conn, project_id)
+    if project is None:
+        conn.close()
+        return {
+            "error": f"Project '{project_id}' not found in database",
+            "project_id": project_id,
+            "check_date": check_date,
+        }
+
+    # 2. Resolve project directory
+    resolved_dir = project_dir or project.get("directory_path", "")
+    if not resolved_dir or not Path(resolved_dir).is_dir():
+        conn.close()
+        return {
+            "error": f"Project directory not found: {resolved_dir}",
+            "project_id": project_id,
+            "check_date": check_date,
+        }
+
+    # 3. Get inventory from dependency_inventory table
+    inventory_rows = conn.execute(
+        "SELECT * FROM dependency_inventory WHERE project_id = ?",
+        (project_id,),
+    ).fetchall()
+    inventory = [dict(r) for r in inventory_rows]
+
+    # 4. Detect languages from inventory (and filesystem as fallback)
+    languages = set()
+    for item in inventory:
+        languages.add(item.get("language", "").lower())
+
+    # Filesystem-based detection as supplement
+    root = Path(resolved_dir)
+    if (root / "requirements.txt").exists() or (root / "pyproject.toml").exists() or (root / "setup.py").exists():
+        languages.add("python")
+    if (root / "package.json").exists():
+        languages.add("javascript")
+    if (root / "pom.xml").exists() or (root / "build.gradle").exists():
+        languages.add("java")
+    if (root / "go.mod").exists():
+        languages.add("go")
+    if (root / "Cargo.toml").exists():
+        languages.add("rust")
+    if list(root.glob("*.csproj"))[:1] or list(root.glob("*.sln"))[:1]:
+        languages.add("csharp")
+
+    languages.discard("")
+
+    # 5. Run language-specific vulnerability checkers
+    all_findings: List[Dict] = []
+    checkers = {
+        "python": _check_python_vulns,
+        "javascript": _check_javascript_vulns,
+        "java": _check_java_vulns,
+        "go": _check_go_vulns,
+        "rust": _check_rust_vulns,
+        "csharp": _check_csharp_vulns,
+    }
+
+    for lang in sorted(languages):
+        checker = checkers.get(lang)
+        if checker is None:
+            continue
+        print(f"  Checking {lang} vulnerabilities...")
+        lang_findings = checker(resolved_dir)
+        all_findings.extend(lang_findings)
+
+    # 6. Store findings in dependency_vulnerabilities
+    by_severity = {"critical": 0, "high": 0, "medium": 0, "low": 0, "unknown": 0}
+
+    for finding in all_findings:
+        sev = finding.get("severity", "unknown")
+        if sev in by_severity:
+            by_severity[sev] += 1
+        else:
+            by_severity["unknown"] += 1
+
+        # 6a. Map severity to SLA
+        sla_category, sla_hours = _map_severity_to_sla(sev, config)
+
+        # 6b. Calculate SLA deadline
+        sla_deadline = _calculate_sla_deadline(now, sla_hours)
+        sla_deadline_str = sla_deadline.isoformat()
+
+        # 6e. Link to dependency_inventory via dependency_id lookup
+        dep_id = None
+        pkg_name = finding.get("package_name", "")
+        if pkg_name:
+            dep_row = conn.execute(
+                """SELECT id FROM dependency_inventory
+                   WHERE project_id = ? AND package_name = ?
+                   LIMIT 1""",
+                (project_id, pkg_name),
+            ).fetchone()
+            if dep_row:
+                dep_id = dep_row["id"]
+
+        # 6c/6d. Check if already in DB; INSERT OR REPLACE
+        cve_id = finding.get("cve_id", "") or finding.get("advisory_id", "")
+        if not cve_id:
+            cve_id = f"{finding.get('source', 'unknown')}:{pkg_name}:{finding.get('title', '')[:50]}"
+
+        existing = conn.execute(
+            """SELECT id, status, sla_deadline FROM dependency_vulnerabilities
+               WHERE project_id = ? AND cve_id = ? AND dependency_id IS ?
+               LIMIT 1""",
+            (project_id, cve_id, dep_id),
+        ).fetchone()
+
+        if existing:
+            # Update existing entry but preserve status and original SLA deadline
+            conn.execute(
+                """UPDATE dependency_vulnerabilities
+                   SET severity = ?, cvss_score = ?, title = ?, description = ?,
+                       affected_versions = ?, fix_version = ?, fix_available = ?,
+                       source = ?, updated_at = ?
+                   WHERE id = ?""",
+                (
+                    sev,
+                    finding.get("cvss_score"),
+                    finding.get("title", "")[:500],
+                    finding.get("description", "")[:2000],
+                    finding.get("affected_versions", ""),
+                    finding.get("fix_version", ""),
+                    1 if finding.get("fix_available") else 0,
+                    finding.get("source", ""),
+                    now.isoformat(),
+                    existing["id"],
+                ),
+            )
+        else:
+            # Insert new vulnerability
+            conn.execute(
+                """INSERT INTO dependency_vulnerabilities
+                   (project_id, dependency_id, cve_id, advisory_id, severity,
+                    cvss_score, title, description, affected_versions,
+                    fix_version, fix_available, sla_category, sla_deadline,
+                    status, source, created_at, updated_at)
+                   VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)""",
+                (
+                    project_id,
+                    dep_id,
+                    cve_id,
+                    finding.get("advisory_id", ""),
+                    sev,
+                    finding.get("cvss_score"),
+                    finding.get("title", "")[:500],
+                    finding.get("description", "")[:2000],
+                    finding.get("affected_versions", ""),
+                    finding.get("fix_version", ""),
+                    1 if finding.get("fix_available") else 0,
+                    sla_category,
+                    sla_deadline_str,
+                    "open",
+                    finding.get("source", ""),
+                    now.isoformat(),
+                    now.isoformat(),
+                ),
+            )
+
+    conn.commit()
+
+    # 7. Check for overdue SLAs
+    sla_compliance = _check_sla_compliance(conn, project_id)
+
+    # 8. Log audit event
+    audit_details = {
+        "languages_checked": sorted(languages),
+        "total_findings": len(all_findings),
+        "by_severity": by_severity,
+        "sla_compliance": sla_compliance,
+    }
+    _log_audit_event(
+        conn,
+        project_id,
+        f"Vulnerability check completed: {len(all_findings)} findings across {len(languages)} languages",
+        audit_details,
+    )
+
+    conn.close()
+
+    # 9. Return summary
+    return {
+        "project_id": project_id,
+        "project_dir": resolved_dir,
+        "total_checked": len(inventory),
+        "languages_checked": sorted(languages),
+        "vulnerable_count": len(all_findings),
+        "by_severity": by_severity,
+        "overdue_sla_count": sla_compliance.get("total_overdue", 0),
+        "sla_compliance": sla_compliance,
+        "findings": all_findings,
+        "check_date": check_date,
+    }
+
+
+# ── CLI ──────────────────────────────────────────────────────────
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Check dependencies for known vulnerabilities",
+    )
+    parser.add_argument("--project-id", required=True, help="Project ID to check")
+    parser.add_argument("--project-dir", help="Override project directory")
+    parser.add_argument("--db-path", help="Override database path")
+    parser.add_argument("--json", action="store_true", help="Output as JSON")
+    args = parser.parse_args()
+
+    print("SPARKPILOT Vulnerability Checker")
+    print("=" * 50)
+
+    result = check_vulnerabilities(
+        project_id=args.project_id,
+        project_dir=args.project_dir,
+        db_path=args.db_path,
+    )
+
+    if "error" in result:
+        print(f"\nERROR: {result['error']}")
+        sys.exit(1)
+
+    if args.json:
+        print(json.dumps(result, indent=2, default=str))
+    else:
+        print(f"\nProject: {result['project_id']}")
+        print(f"Directory: {result['project_dir']}")
+        print(f"Languages: {', '.join(result['languages_checked'])}")
+        print(f"Dependencies inventoried: {result['total_checked']}")
+        print(f"Check date: {result['check_date']}")
+        print()
+
+        sev = result["by_severity"]
+        print(f"Vulnerabilities found: {result['vulnerable_count']}")
+        print(f"  Critical: {sev.get('critical', 0)}")
+        print(f"  High:     {sev.get('high', 0)}")
+        print(f"  Medium:   {sev.get('medium', 0)}")
+        print(f"  Low:      {sev.get('low', 0)}")
+        print(f"  Unknown:  {sev.get('unknown', 0)}")
+        print()
+
+        sla = result["sla_compliance"]
+        print("SLA Compliance:")
+        print(f"  Total open:       {sla['total_open']}")
+        print(f"  Overdue total:    {sla['total_overdue']}")
+        print(f"  Overdue critical: {sla['overdue_critical']}")
+        print(f"  Overdue high:     {sla['overdue_high']}")
+        print(f"  Overdue medium:   {sla['overdue_medium']}")
+        print(f"  Overdue low:      {sla['overdue_low']}")
+        print(f"  Compliant:        {sla['sla_compliant_pct']}%")
+        print()
+
+        # Show top findings
+        for i, f in enumerate(result["findings"][:15], 1):
+            sev_tag = f.get("severity", "?").upper()
+            pkg = f.get("package_name", "?")
+            cve = f.get("cve_id", "")
+            title = f.get("title", "")[:60]
+            fix = " [fix available]" if f.get("fix_available") else ""
+            print(f"  {i:>3}. [{sev_tag}] {pkg} — {cve or title}{fix}")
+
+        remaining = len(result["findings"]) - 15
+        if remaining > 0:
+            print(f"       ... and {remaining} more")
+
+    print()
+    print("CUI // SP-CTI")
+
+
+if __name__ == "__main__":
+    main()