core/cli
8
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions 1
cli/cmd/security/cmd_deps.go
Charon c340303314 refactor: flatten commands, extract php/ci to own repos (#2) 
## Summary
- Extract PHP/Laravel commands to `core/php` repo (42 files, standalone module)
- Extract CI/release + SDK commands to `core/ci` repo (10 files)
- Remove `internal/variants/` build tag system entirely
- Move all 30 remaining command packages from `internal/cmd/` to top-level `cmd/`
- Rewrite `main.go` with direct imports — no more variant selection
- PHP and CI are now optional via commented import lines in main.go

Co-authored-by: Claude <developers@lethean.io>
Reviewed-on: #2
Co-authored-by: Charon <charon@lthn.ai>
Co-committed-by: Charon <charon@lthn.ai>
2026-02-16 14:45:06 +00:00

210 lines
5.5 KiB
Go
Raw Blame History

package security
import (
"encoding/json"
"fmt"
"forge.lthn.ai/core/go/pkg/cli"
"forge.lthn.ai/core/go/pkg/i18n"
)
func addDepsCommand(parent *cli.Command) {
cmd := &cli.Command{
Use: "deps",
Short: i18n.T("cmd.security.deps.short"),
Long: i18n.T("cmd.security.deps.long"),
RunE: func(c *cli.Command, args []string) error {
return runDeps()
},
}
cmd.Flags().StringVar(&securityRegistryPath, "registry", "", i18n.T("common.flag.registry"))
cmd.Flags().StringVar(&securityRepo, "repo", "", i18n.T("cmd.security.flag.repo"))
cmd.Flags().StringVar(&securitySeverity, "severity", "", i18n.T("cmd.security.flag.severity"))
cmd.Flags().BoolVar(&securityJSON, "json", false, i18n.T("common.flag.json"))
cmd.Flags().StringVar(&securityTarget, "target", "", i18n.T("cmd.security.flag.target"))
parent.AddCommand(cmd)
}
// DepAlert represents a dependency vulnerability for output.
type DepAlert struct {
Repo string `json:"repo"`
Severity string `json:"severity"`
CVE string `json:"cve"`
Package string `json:"package"`
Ecosystem string `json:"ecosystem"`
Vulnerable string `json:"vulnerable_range"`
PatchedVersion string `json:"patched_version,omitempty"`
Manifest string `json:"manifest"`
Summary string `json:"summary"`
}
func runDeps() error {
if err := checkGH(); err != nil {
return err
}
// External target mode: bypass registry entirely
if securityTarget != "" {
return runDepsForTarget(securityTarget)
}
reg, err := loadRegistry(securityRegistryPath)
if err != nil {
return err
}
repoList := getReposToCheck(reg, securityRepo)
if len(repoList) == 0 {
return cli.Err("repo not found: %s", securityRepo)
}
var allAlerts []DepAlert
summary := &AlertSummary{}
for _, repo := range repoList {
repoFullName := fmt.Sprintf("%s/%s", reg.Org, repo.Name)
alerts, err := fetchDependabotAlerts(repoFullName)
if err != nil {
cli.Print("%s %s: %v\n", cli.WarningStyle.Render(">>"), repoFullName, err)
continue
}
for _, alert := range alerts {
if alert.State != "open" {
continue
}
severity := alert.Advisory.Severity
if !filterBySeverity(severity, securitySeverity) {
continue
}
summary.Add(severity)
depAlert := DepAlert{
Repo: repo.Name,
Severity: severity,
CVE: alert.Advisory.CVEID,
Package: alert.Dependency.Package.Name,
Ecosystem: alert.Dependency.Package.Ecosystem,
Vulnerable: alert.SecurityVulnerability.VulnerableVersionRange,
PatchedVersion: alert.SecurityVulnerability.FirstPatchedVersion.Identifier,
Manifest: alert.Dependency.ManifestPath,
Summary: alert.Advisory.Summary,
}
allAlerts = append(allAlerts, depAlert)
}
}
if securityJSON {
output, err := json.MarshalIndent(allAlerts, "", " ")
if err != nil {
return cli.Wrap(err, "marshal JSON output")
}
cli.Text(string(output))
return nil
}
// Print summary
cli.Blank()
cli.Print("%s %s\n", cli.DimStyle.Render("Dependabot:"), summary.String())
cli.Blank()
if len(allAlerts) == 0 {
return nil
}
// Print table
for _, alert := range allAlerts {
sevStyle := severityStyle(alert.Severity)
// Format upgrade suggestion
upgrade := alert.Vulnerable
if alert.PatchedVersion != "" {
upgrade = fmt.Sprintf("%s -> %s", alert.Vulnerable, cli.SuccessStyle.Render(alert.PatchedVersion))
}
cli.Print("%-16s %s %-16s %-30s %s\n",
cli.ValueStyle.Render(alert.Repo),
sevStyle.Render(fmt.Sprintf("%-8s", alert.Severity)),
alert.CVE,
alert.Package,
upgrade,
)
}
cli.Blank()
return nil
}
// runDepsForTarget runs dependency checks against an external repo target.
func runDepsForTarget(target string) error {
repo, fullName := buildTargetRepo(target)
if repo == nil {
return cli.Err("invalid target format: use owner/repo (e.g. wailsapp/wails)")
}
var allAlerts []DepAlert
summary := &AlertSummary{}
alerts, err := fetchDependabotAlerts(fullName)
if err != nil {
return cli.Wrap(err, "fetch dependabot alerts for "+fullName)
}
for _, alert := range alerts {
if alert.State != "open" {
continue
}
severity := alert.Advisory.Severity
if !filterBySeverity(severity, securitySeverity) {
continue
}
summary.Add(severity)
allAlerts = append(allAlerts, DepAlert{
Repo: repo.Name,
Severity: severity,
CVE: alert.Advisory.CVEID,
Package: alert.Dependency.Package.Name,
Ecosystem: alert.Dependency.Package.Ecosystem,
Vulnerable: alert.SecurityVulnerability.VulnerableVersionRange,
PatchedVersion: alert.SecurityVulnerability.FirstPatchedVersion.Identifier,
Manifest: alert.Dependency.ManifestPath,
Summary: alert.Advisory.Summary,
})
}
if securityJSON {
output, err := json.MarshalIndent(allAlerts, "", " ")
if err != nil {
return cli.Wrap(err, "marshal JSON output")
}
cli.Text(string(output))
return nil
}
cli.Blank()
cli.Print("%s %s\n", cli.DimStyle.Render("Dependabot ("+fullName+"):"), summary.String())
cli.Blank()
for _, alert := range allAlerts {
sevStyle := severityStyle(alert.Severity)
upgrade := alert.Vulnerable
if alert.PatchedVersion != "" {
upgrade = fmt.Sprintf("%s -> %s", alert.Vulnerable, cli.SuccessStyle.Render(alert.PatchedVersion))
}
cli.Print("%-16s %s %-16s %-30s %s\n",
cli.ValueStyle.Render(alert.Repo),
sevStyle.Render(fmt.Sprintf("%-8s", alert.Severity)),
alert.CVE,
alert.Package,
upgrade,
)
}
cli.Blank()
return nil
}
Reference in a new issue View git blame Copy permalink