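/**
 * @fileoverview Dependency Scanner - SCA and SBOM generation
 * @module @nahisaho/musubix-security/analyzers/sca/dependency-scanner
 * @trace DES-SEC3-SCA-001, REQ-SEC3-SCA-001
 *
 * Type declarations only (`.d.ts`): nothing here carries runtime behaviour.
 * The one repair relative to the shipped declaration is `scan()`, whose
 * return type had lost its type argument (`Promise;` is not valid TypeScript);
 * it is restored to `Promise<DependencyScanResult>`, the result type every
 * other public member of the class consumes.
 */
import type { Vulnerability, Severity } from '../../types/vulnerability.js';

/**
 * One dependency as parsed from the project manifest.
 */
export interface DependencyInfo {
  name: string;
  version: string;
  /** Manifest section the package was declared in. */
  type: 'production' | 'development' | 'peer' | 'optional';
  /** License identifier as resolved by the scanner (see `getLicense` / `normalizeLicense`). */
  license: string;
  repository?: string;
  description?: string;
  /** Package names this dependency itself depends on — presumably what `buildDependencyGraph` walks; confirm. */
  dependencies?: string[];
  devDependencies?: string[];
}

/**
 * A known vulnerability affecting one dependency.
 */
export interface DependencyVulnerability {
  /** Advisory identifier (source-specific; not necessarily a CVE — see `cve`). */
  id: string;
  /** Affected package name. */
  package: string;
  /** Normalised severity; `mapNpmSeverity` on the class performs the mapping from audit output. */
  severity: Severity;
  /** Affected version range — presumably a semver range string; confirm against the audit source. */
  vulnerableVersions: string;
  /** Versions that contain a fix, when the advisory names one. */
  patchedVersions?: string;
  title: string;
  description: string;
  cve?: string;
  cwe?: string[];
  references: string[];
  recommendation: string;
}

/**
 * License risk assessment for one package.
 */
export interface LicenseRisk {
  package: string;
  version: string;
  license: string;
  /**
   * NOTE(review): `critical` has no bucket in `DependencySummary.licenseRiskCount`
   * (which only has high/medium/low) — confirm how `generateSummary` counts it.
   */
  riskLevel: 'low' | 'medium' | 'high' | 'critical';
  reason: string;
  recommendation?: string;
}

/**
 * SBOM entry (CycloneDX component).
 */
export interface SBOMComponent {
  type: 'library' | 'application' | 'framework' | 'file' | 'container';
  name: string;
  version: string;
  /** Package URL, when one could be derived. */
  purl?: string;
  licenses?: Array<{
    id: string;
    name: string;
  }>;
  /** Integrity hashes; `alg` presumably uses CycloneDX algorithm names — confirm against the generator. */
  hashes?: Array<{
    alg: string;
    content: string;
  }>;
  externalReferences?: Array<{
    type: string;
    url: string;
  }>;
}

/**
 * SBOM document (CycloneDX).
 */
export interface SBOMDocument {
  bomFormat: 'CycloneDX';
  specVersion: string;
  /** Document identity; the class exposes a `generateUUID` helper, presumably used here — confirm format. */
  serialNumber: string;
  version: number;
  metadata: {
    timestamp: string;
    tools: Array<{
      vendor: string;
      name: string;
      version: string;
    }>;
    component?: {
      type: string;
      name: string;
      version: string;
    };
  };
  components: SBOMComponent[];
  /** Dependency graph edges, keyed by component ref. */
  dependencies?: Array<{
    ref: string;
    dependsOn: string[];
  }>;
}

/**
 * Result of one dependency scan.
 */
export interface DependencyScanResult {
  timestamp: Date;
  projectPath: string;
  packageManager: 'npm' | 'yarn' | 'pnpm' | 'unknown';
  totalDependencies: number;
  directDependencies: number;
  devDependencies: number;
  vulnerabilities: DependencyVulnerability[];
  licenseRisks: LicenseRisk[];
  outdatedPackages: OutdatedPackage[];
  sbom: SBOMDocument;
  summary: DependencySummary;
}

/**
 * Outdated package info.
 */
export interface OutdatedPackage {
  name: string;
  currentVersion: string;
  latestVersion: string;
  /** Semver component that changed (see `determineUpdateType`). */
  type: 'major' | 'minor' | 'patch';
  breaking: boolean;
}

/**
 * Dependency scan summary.
 */
export interface DependencySummary {
  vulnerabilityCount: {
    critical: number;
    high: number;
    medium: number;
    low: number;
  };
  licenseRiskCount: {
    high: number;
    medium: number;
    low: number;
  };
  outdatedCount: number;
  /** Aggregate score; the scale and weighting are not visible in this declaration — confirm in `generateSummary`. */
  healthScore: number;
}

/**
 * Dependency scanner options. All checks are optional toggles; defaults are
 * applied by the implementation and are not visible here.
 */
export interface DependencyScannerOptions {
  checkVulnerabilities?: boolean;
  checkLicenses?: boolean;
  checkOutdated?: boolean;
  generateSBOM?: boolean;
  includeDev?: boolean;
  /** Presumably transitive resolution depth — confirm. */
  depth?: number;
  /** Package names excluded from reporting. */
  ignoredPackages?: string[];
  /** License identifiers treated as acceptable / forbidden — presumably compared after `normalizeLicense`; confirm. */
  allowedLicenses?: string[];
  blockedLicenses?: string[];
}

/**
 * Dependency Scanner
 * @trace DES-SEC3-SCA-001
 */
export declare class DependencyScanner {
  private options;
  constructor(options?: DependencyScannerOptions);
  /**
   * Scan project dependencies.
   *
   * NOTE(review): `checkVulnerabilities` is documented below as using `npm audit`,
   * so this call presumably executes the package manager inside `projectPath`;
   * confirm that callers only hand it directories they intend to scan.
   *
   * @param projectPath Root of the project to scan.
   * @returns The full scan result (the type argument restored from the original
   *   declaration, which had lost it).
   * @trace REQ-SEC3-SCA-001
   */
  scan(projectPath: string): Promise<DependencyScanResult>;
  /**
   * Alias for scan() - for API compatibility. Returns a flattened projection
   * of {@link DependencyScanResult} with string-typed severities and risks.
   */
  scanDependencies(projectPath: string): Promise<{
    packageManager: DependencyScanResult['packageManager'];
    dependencies: Array<{
      name: string;
      version: string;
      isDev: boolean;
    }>;
    vulnerabilities: Array<{
      name: string;
      severity: string;
      advisory: string;
    }>;
    outdatedPackages: Array<{
      name: string;
      current: string;
      latest: string;
      updateType: string;
    }>;
    licenseRisks: Array<{
      package: string;
      license: string;
      risk: string;
    }>;
    summary: {
      totalDependencies: number;
      vulnerableCount: number;
      outdatedCount: number;
      healthScore: number;
    };
  }>;
  /**
   * Public accessor for parsing dependencies
   */
  private parseDependenciesPublic;
  /**
   * Generate SBOM from scan result (public).
   *
   * @param scanResult A completed scan result, or a string — presumably a
   *   project path to scan first; confirm in the implementation.
   * @param deps Optional pre-parsed dependency list.
   */
  generateSBOM(scanResult: DependencyScanResult | string, deps?: DependencyInfo[]): SBOMDocument;
  /**
   * Internal SBOM generation
   */
  private generateSBOMInternal;
  /**
   * Detect package manager
   */
  private detectPackageManager;
  /**
   * Parse dependencies from package.json
   */
  private parseDependencies;
  /**
   * Get license for a package
   */
  private getLicense;
  /**
   * Check for vulnerabilities using npm audit
   */
  private checkVulnerabilities;
  /**
   * Map npm severity to our severity type
   */
  private mapNpmSeverity;
  /**
   * Check license risks
   */
  private checkLicenses;
  /**
   * Normalize license identifier
   */
  private normalizeLicense;
  /**
   * Check for outdated packages
   */
  private checkOutdated;
  /**
   * Determine update type
   */
  private determineUpdateType;
  /**
   * Generate SBOM document
   */
  private generateSBOMPrivate;
  /**
   * Build dependency graph for SBOM
   */
  private buildDependencyGraph;
  /**
   * Create empty SBOM
   */
  private createEmptySBOM;
  /**
   * Generate UUID v4
   */
  private generateUUID;
  /**
   * Generate scan summary
   */
  private generateSummary;
  /**
   * Convert scan result to vulnerabilities
   */
  toVulnerabilities(result: DependencyScanResult): Vulnerability[];
}

/**
 * Create dependency scanner instance
 */
export declare function createDependencyScanner(options?: DependencyScannerOptions): DependencyScanner;
//# sourceMappingURL=dependency-scanner.d.ts.map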