2026-02-01 06:04:21 +00:00
|
|
|
package security
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"encoding/json"
|
|
|
|
|
"fmt"
|
|
|
|
|
|
|
|
|
|
"github.com/host-uk/core/pkg/cli"
|
|
|
|
|
"github.com/host-uk/core/pkg/i18n"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func addDepsCommand(parent *cli.Command) {
|
|
|
|
|
cmd := &cli.Command{
|
|
|
|
|
Use: "deps",
|
|
|
|
|
Short: i18n.T("cmd.security.deps.short"),
|
|
|
|
|
Long: i18n.T("cmd.security.deps.long"),
|
|
|
|
|
RunE: func(c *cli.Command, args []string) error {
|
|
|
|
|
return runDeps()
|
|
|
|
|
},
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cmd.Flags().StringVar(&securityRegistryPath, "registry", "", i18n.T("common.flag.registry"))
|
|
|
|
|
cmd.Flags().StringVar(&securityRepo, "repo", "", i18n.T("cmd.security.flag.repo"))
|
|
|
|
|
cmd.Flags().StringVar(&securitySeverity, "severity", "", i18n.T("cmd.security.flag.severity"))
|
|
|
|
|
cmd.Flags().BoolVar(&securityJSON, "json", false, i18n.T("common.flag.json"))
|
|
|
|
|
|
|
|
|
|
parent.AddCommand(cmd)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// DepAlert represents a dependency vulnerability for output.
|
|
|
|
|
type DepAlert struct {
|
feat: git command, build improvements, and go fmt git-aware (#74)
* feat(go): make go fmt git-aware by default
- By default, only check changed Go files (modified, staged, untracked)
- Add --all flag to check all files (previous behaviour)
- Reduces noise when running fmt on large codebases
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(build): minimal output by default, add missing i18n
- Default output now shows single line: "Success Built N artifacts (dir)"
- Add --verbose/-v flag to show full detailed output
- Add all missing i18n translations for build commands
- Errors still show failure reason in minimal mode
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: add root-level `core git` command
- Create pkg/gitcmd with git workflow commands as root menu
- Export command builders from pkg/dev (AddCommitCommand, etc.)
- Commands available under both `core git` and `core dev` for compatibility
- Git commands: health, commit, push, pull, work, sync, apply
- GitHub orchestration stays in dev: issues, reviews, ci, impact
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(qa): add docblock coverage checking
Implement docblock/docstring coverage analysis for Go code:
- New `core qa docblock` command to check coverage
- Shows compact file:line list when under threshold
- Integrate with `core go qa` as a default check
- Add --docblock-threshold flag (default 80%)
The checker uses Go AST parsing to find exported symbols
(functions, types, consts, vars) without documentation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback
- Fix doc comment: "status" → "health" in gitcmd package
- Implement --check flag for `core go fmt` (exits non-zero if files need formatting)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* docs: add docstrings for 100% coverage
Add documentation comments to all exported symbols:
- pkg/build: ProjectType constants
- pkg/cli: LogLevel, RenderStyle, TableStyle
- pkg/framework: ServiceFor, MustServiceFor, Core.Core
- pkg/git: GitError.Error, GitError.Unwrap
- pkg/i18n: Handler Match/Handle methods
- pkg/log: Level constants
- pkg/mcp: Tool input/output types
- pkg/php: Service constants, QA types, service methods
- pkg/process: ServiceError.Error
- pkg/repos: RepoType constants
- pkg/setup: ChangeType, ChangeCategory constants
- pkg/workspace: AddWorkspaceCommands
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* chore: standardize line endings to LF
Add .gitattributes to enforce LF line endings for all text files.
Normalize all existing files to use Unix-style line endings.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback
- cmd_format.go: validate --check/--fix mutual exclusivity, capture stderr
- cmd_docblock.go: return error instead of os.Exit(1) for proper error handling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback (round 2)
- linuxkit.go: propagate state update errors, handle cmd.Wait() errors in waitForExit
- mcp.go: guard against empty old_string in editDiff to prevent runaway edits
- cmd_docblock.go: log parse errors instead of silently skipping
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 10:48:44 +00:00
|
|
|
Repo string `json:"repo"`
|
|
|
|
|
Severity string `json:"severity"`
|
|
|
|
|
CVE string `json:"cve"`
|
|
|
|
|
Package string `json:"package"`
|
|
|
|
|
Ecosystem string `json:"ecosystem"`
|
|
|
|
|
Vulnerable string `json:"vulnerable_range"`
|
2026-02-01 06:04:21 +00:00
|
|
|
PatchedVersion string `json:"patched_version,omitempty"`
|
feat: git command, build improvements, and go fmt git-aware (#74)
* feat(go): make go fmt git-aware by default
- By default, only check changed Go files (modified, staged, untracked)
- Add --all flag to check all files (previous behaviour)
- Reduces noise when running fmt on large codebases
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(build): minimal output by default, add missing i18n
- Default output now shows single line: "Success Built N artifacts (dir)"
- Add --verbose/-v flag to show full detailed output
- Add all missing i18n translations for build commands
- Errors still show failure reason in minimal mode
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat: add root-level `core git` command
- Create pkg/gitcmd with git workflow commands as root menu
- Export command builders from pkg/dev (AddCommitCommand, etc.)
- Commands available under both `core git` and `core dev` for compatibility
- Git commands: health, commit, push, pull, work, sync, apply
- GitHub orchestration stays in dev: issues, reviews, ci, impact
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(qa): add docblock coverage checking
Implement docblock/docstring coverage analysis for Go code:
- New `core qa docblock` command to check coverage
- Shows compact file:line list when under threshold
- Integrate with `core go qa` as a default check
- Add --docblock-threshold flag (default 80%)
The checker uses Go AST parsing to find exported symbols
(functions, types, consts, vars) without documentation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback
- Fix doc comment: "status" → "health" in gitcmd package
- Implement --check flag for `core go fmt` (exits non-zero if files need formatting)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* docs: add docstrings for 100% coverage
Add documentation comments to all exported symbols:
- pkg/build: ProjectType constants
- pkg/cli: LogLevel, RenderStyle, TableStyle
- pkg/framework: ServiceFor, MustServiceFor, Core.Core
- pkg/git: GitError.Error, GitError.Unwrap
- pkg/i18n: Handler Match/Handle methods
- pkg/log: Level constants
- pkg/mcp: Tool input/output types
- pkg/php: Service constants, QA types, service methods
- pkg/process: ServiceError.Error
- pkg/repos: RepoType constants
- pkg/setup: ChangeType, ChangeCategory constants
- pkg/workspace: AddWorkspaceCommands
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* chore: standardize line endings to LF
Add .gitattributes to enforce LF line endings for all text files.
Normalize all existing files to use Unix-style line endings.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback
- cmd_format.go: validate --check/--fix mutual exclusivity, capture stderr
- cmd_docblock.go: return error instead of os.Exit(1) for proper error handling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: address CodeRabbit review feedback (round 2)
- linuxkit.go: propagate state update errors, handle cmd.Wait() errors in waitForExit
- mcp.go: guard against empty old_string in editDiff to prevent runaway edits
- cmd_docblock.go: log parse errors instead of silently skipping
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 10:48:44 +00:00
|
|
|
Manifest string `json:"manifest"`
|
|
|
|
|
Summary string `json:"summary"`
|
2026-02-01 06:04:21 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func runDeps() error {
|
|
|
|
|
if err := checkGH(); err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
reg, err := loadRegistry(securityRegistryPath)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
repoList := getReposToCheck(reg, securityRepo)
|
|
|
|
|
if len(repoList) == 0 {
|
|
|
|
|
return cli.Err("repo not found: %s", securityRepo)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var allAlerts []DepAlert
|
|
|
|
|
summary := &AlertSummary{}
|
|
|
|
|
|
|
|
|
|
for _, repo := range repoList {
|
|
|
|
|
repoFullName := fmt.Sprintf("%s/%s", reg.Org, repo.Name)
|
|
|
|
|
|
|
|
|
|
alerts, err := fetchDependabotAlerts(repoFullName)
|
|
|
|
|
if err != nil {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for _, alert := range alerts {
|
|
|
|
|
if alert.State != "open" {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
severity := alert.Advisory.Severity
|
|
|
|
|
if !filterBySeverity(severity, securitySeverity) {
|
|
|
|
|
continue
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
summary.Add(severity)
|
|
|
|
|
|
|
|
|
|
depAlert := DepAlert{
|
|
|
|
|
Repo: repo.Name,
|
|
|
|
|
Severity: severity,
|
|
|
|
|
CVE: alert.Advisory.CVEID,
|
|
|
|
|
Package: alert.Dependency.Package.Name,
|
|
|
|
|
Ecosystem: alert.Dependency.Package.Ecosystem,
|
|
|
|
|
Vulnerable: alert.SecurityVulnerability.VulnerableVersionRange,
|
|
|
|
|
PatchedVersion: alert.SecurityVulnerability.FirstPatchedVersion.Identifier,
|
|
|
|
|
Manifest: alert.Dependency.ManifestPath,
|
|
|
|
|
Summary: alert.Advisory.Summary,
|
|
|
|
|
}
|
|
|
|
|
allAlerts = append(allAlerts, depAlert)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if securityJSON {
|
|
|
|
|
output, err := json.MarshalIndent(allAlerts, "", " ")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return cli.Wrap(err, "marshal JSON output")
|
|
|
|
|
}
|
|
|
|
|
cli.Text(string(output))
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Print summary
|
|
|
|
|
cli.Blank()
|
|
|
|
|
cli.Print("%s %s\n", cli.DimStyle.Render("Dependabot:"), summary.String())
|
|
|
|
|
cli.Blank()
|
|
|
|
|
|
|
|
|
|
if len(allAlerts) == 0 {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Print table
|
|
|
|
|
for _, alert := range allAlerts {
|
|
|
|
|
sevStyle := severityStyle(alert.Severity)
|
|
|
|
|
|
|
|
|
|
// Format upgrade suggestion
|
|
|
|
|
upgrade := alert.Vulnerable
|
|
|
|
|
if alert.PatchedVersion != "" {
|
|
|
|
|
upgrade = fmt.Sprintf("%s -> %s", alert.Vulnerable, cli.SuccessStyle.Render(alert.PatchedVersion))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cli.Print("%-16s %s %-16s %-30s %s\n",
|
|
|
|
|
cli.ValueStyle.Render(alert.Repo),
|
|
|
|
|
sevStyle.Render(fmt.Sprintf("%-8s", alert.Severity)),
|
|
|
|
|
alert.CVE,
|
|
|
|
|
alert.Package,
|
|
|
|
|
upgrade,
|
|
|
|
|
)
|
|
|
|
|
}
|
|
|
|
|
cli.Blank()
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|