Add vulnerability management commands

.gitattributes

@@ -0,0 +1,28 @@
+# git-pkgs textconv for lockfiles
+Brewfile.lock.json diff=pkgs
+Cargo.lock diff=pkgs
+Cartfile.resolved diff=pkgs
+Gemfile.lock diff=pkgs
+Gopkg.lock diff=pkgs
+Package.resolved diff=pkgs
+Pipfile.lock diff=pkgs
+Podfile.lock diff=pkgs
+Project.lock.json diff=pkgs
+bun.lock diff=pkgs
+composer.lock diff=pkgs
+gems.locked diff=pkgs
+glide.lock diff=pkgs
+go.mod diff=pkgs
+mix.lock diff=pkgs
+npm-shrinkwrap.json diff=pkgs
+package-lock.json diff=pkgs
+packages.lock.json diff=pkgs
+paket.lock diff=pkgs
+pnpm-lock.yaml diff=pkgs
+poetry.lock diff=pkgs
+project.assets.json diff=pkgs
+pubspec.lock diff=pkgs
+pylock.toml diff=pkgs
+shard.lock diff=pkgs
+uv.lock diff=pkgs
+yarn.lock diff=pkgs

.ruby-version

@@ -1 +1 @@
-4.0.0
+4.0.0

Gemfile

@@ -7,11 +7,14 @@ gemspec
 group :development do
   # gem "ecosystems-bibliothecary", git: "https://github.com/ecosyste-ms/bibliothecary.git", require: "bibliothecary"
   # gem "ecosystems-bibliothecary", path: "../ecosystems/bibliothecary", require: "bibliothecary"
+  gem "sarif-ruby", git: "https://github.com/andrew/sarif.git", require: "sarif"
   gem "ostruct"
 
   gem "irb"
   gem "rake"
   gem "minitest"
   gem "benchmark"
   gem "simplecov"
-end
+  gem "webmock"
+  gem "json_schemer"
+end

Gemfile.lock

@@ -1,17 +1,31 @@
+GIT
+  remote: https://github.com/andrew/sarif.git
+  revision: 48857dc7c3ffcadd2b48b57c96ded48848b5ab25
+  specs:
+    sarif-ruby (0.1.0)
+
 PATH
   remote: .
   specs:
     git-pkgs (0.6.2)
       ecosystems-bibliothecary (~> 15.2)
+      purl (~> 1.7)
       rugged (~> 1.0)
+      sarif-ruby
       sequel (>= 5.0)
       sqlite3 (>= 2.0)
+      vers (~> 1.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
+    addressable (2.8.8)
+      public_suffix (>= 2.0.2, < 8.0)
     benchmark (0.5.0)
     bigdecimal (4.0.1)
+    crack (1.0.1)
+      bigdecimal
+      rexml
     csv (3.3.5)
     date (3.5.1)
     docile (1.4.1)
@@ -23,12 +37,19 @@ GEM
       racc
       tomlrb (~> 2.0)
     erb (6.0.1)
+    hana (1.3.7)
+    hashdiff (1.2.1)
     io-console (0.8.2)
     irb (1.16.0)
       pp (>= 0.6.0)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
     json (2.18.0)
+    json_schemer (2.5.0)
+      bigdecimal
+      hana (~> 1.3)
+      regexp_parser (~> 2.0)
+      simpleidn (~> 0.2)
     minitest (6.0.1)
       prism (~> 1.5)
     ostruct (0.6.3)
@@ -41,14 +62,19 @@ GEM
     psych (5.3.1)
       date
       stringio
+    public_suffix (7.0.2)
+    purl (1.7.0)
+      addressable (~> 2.8)
     racc (1.8.1)
     rake (13.3.1)
     rdoc (7.0.3)
       erb
       psych (>= 4.0.0)
       tsort
+    regexp_parser (2.11.3)
     reline (0.6.3)
       io-console (~> 0.5)
+    rexml (3.4.4)
     rugged (1.9.0)
     sequel (5.100.0)
       bigdecimal
@@ -58,6 +84,7 @@ GEM
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.13.2)
     simplecov_json_formatter (0.1.4)
+    simpleidn (0.2.3)
     sqlite3 (2.9.0-aarch64-linux-gnu)
     sqlite3 (2.9.0-aarch64-linux-musl)
     sqlite3 (2.9.0-arm-linux-gnu)
@@ -71,6 +98,11 @@ GEM
     stringio (3.2.0)
     tomlrb (2.0.4)
     tsort (0.2.0)
+    vers (1.0.2)
+    webmock (3.26.1)
+      addressable (>= 2.8.0)
+      crack (>= 0.3.2)
+      hashdiff (>= 0.4.0, < 2.0.0)
 
 PLATFORMS
   aarch64-linux-gnu
@@ -88,39 +120,53 @@ DEPENDENCIES
   benchmark
   git-pkgs!
   irb
+  json_schemer
   minitest
   ostruct
   rake
+  sarif-ruby!
   simplecov
+  webmock
 
 CHECKSUMS
+  addressable (2.8.8) sha256=7c13b8f9536cf6364c03b9d417c19986019e28f7c00ac8132da4eb0fe393b057
   benchmark (0.5.0) sha256=465df122341aedcb81a2a24b4d3bd19b6c67c1530713fd533f3ff034e419236c
   bigdecimal (4.0.1) sha256=8b07d3d065a9f921c80ceaea7c9d4ae596697295b584c296fe599dd0ad01c4a7
+  crack (1.0.1) sha256=ff4a10390cd31d66440b7524eb1841874db86201d5b70032028553130b6d4c7e
   csv (3.3.5) sha256=6e5134ac3383ef728b7f02725d9872934f523cb40b961479f69cf3afa6c8e73f
   date (3.5.1) sha256=750d06384d7b9c15d562c76291407d89e368dda4d4fff957eb94962d325a0dc0
   docile (1.4.1) sha256=96159be799bfa73cdb721b840e9802126e4e03dfc26863db73647204c727f21e
   ecosystems-bibliothecary (15.2.0) sha256=bef81a0175f8bdf1d61938d5d5d32e226ec4ff44a54d5d5d34faea663ed67a24
   erb (6.0.1) sha256=28ecdd99c5472aebd5674d6061e3c6b0a45c049578b071e5a52c2a7f13c197e5
   git-pkgs (0.6.2)
+  hana (1.3.7) sha256=5425db42d651fea08859811c29d20446f16af196308162894db208cac5ce9b0d
+  hashdiff (1.2.1) sha256=9c079dbc513dfc8833ab59c0c2d8f230fa28499cc5efb4b8dd276cf931457cd1
   io-console (0.8.2) sha256=d6e3ae7a7cc7574f4b8893b4fca2162e57a825b223a177b7afa236c5ef9814cc
   irb (1.16.0) sha256=2abe56c9ac947cdcb2f150572904ba798c1e93c890c256f8429981a7675b0806
   json (2.18.0) sha256=b10506aee4183f5cf49e0efc48073d7b75843ce3782c68dbeb763351c08fd505
+  json_schemer (2.5.0) sha256=2f01fb4cce721a4e08dd068fc2030cffd0702a7f333f1ea2be6e8991f00ae396
   minitest (6.0.1) sha256=7854c74f48e2e975969062833adc4013f249a4b212f5e7b9d5c040bf838d54bb
   ostruct (0.6.3) sha256=95a2ed4a4bd1d190784e666b47b2d3f078e4a9efda2fccf18f84ddc6538ed912
   ox (2.14.23) sha256=4a9aedb4d6c78c5ebac1d7287dc7cc6808e14a8831d7adb727438f6a1b461b66
   pp (0.6.3) sha256=2951d514450b93ccfeb1df7d021cae0da16e0a7f95ee1e2273719669d0ab9df6
   prettyprint (0.2.0) sha256=2bc9e15581a94742064a3cc8b0fb9d45aae3d03a1baa6ef80922627a0766f193
   prism (1.7.0) sha256=10062f734bf7985c8424c44fac382ac04a58124ea3d220ec3ba9fe4f2da65103
   psych (5.3.1) sha256=eb7a57cef10c9d70173ff74e739d843ac3b2c019a003de48447b2963d81b1974
+  public_suffix (7.0.2) sha256=9114090c8e4e7135c1fd0e7acfea33afaab38101884320c65aaa0ffb8e26a857
+  purl (1.7.0) sha256=e25a6b951975e94104a17d8d40e8529fa882a5a63717c68af2390e9b8d0ac3f2
   racc (1.8.1) sha256=4a7f6929691dbec8b5209a0b373bc2614882b55fc5d2e447a21aaa691303d62f
   rake (13.3.1) sha256=8c9e89d09f66a26a01264e7e3480ec0607f0c497a861ef16063604b1b08eb19c
   rdoc (7.0.3) sha256=dfe3d0981d19b7bba71d9dbaeb57c9f4e3a7a4103162148a559c4fc687ea81f9
+  regexp_parser (2.11.3) sha256=ca13f381a173b7a93450e53459075c9b76a10433caadcb2f1180f2c741fc55a4
   reline (0.6.3) sha256=1198b04973565b36ec0f11542ab3f5cfeeec34823f4e54cebde90968092b1835
+  rexml (3.4.4) sha256=19e0a2c3425dfbf2d4fc1189747bdb2f849b6c5e74180401b15734bc97b5d142
   rugged (1.9.0) sha256=7faaa912c5888d6e348d20fa31209b6409f1574346b1b80e309dbc7e8d63efac
+  sarif-ruby (0.1.0)
   sequel (5.100.0) sha256=cb0329b62287a01db68eead46759c14497a3fae01b174e2c41da108a9e9b4a12
   simplecov (0.22.0) sha256=fe2622c7834ff23b98066bb0a854284b2729a569ac659f82621fc22ef36213a5
   simplecov-html (0.13.2) sha256=bd0b8e54e7c2d7685927e8d6286466359b6f16b18cb0df47b508e8d73c777246
   simplecov_json_formatter (0.1.4) sha256=529418fbe8de1713ac2b2d612aa3daa56d316975d307244399fa4838c601b428
+  simpleidn (0.2.3) sha256=08ce96f03fa1605286be22651ba0fc9c0b2d6272c9b27a260bc88be05b0d2c29
   sqlite3 (2.9.0-aarch64-linux-gnu) sha256=cfe1e0216f46d7483839719bf827129151e6c680317b99d7b8fc1597a3e13473
   sqlite3 (2.9.0-aarch64-linux-musl) sha256=56a35cb2d70779afc2ac191baf2c2148242285ecfed72f9b021218c5c4917913
   sqlite3 (2.9.0-arm-linux-gnu) sha256=a19a21504b0d7c8c825fbbf37b358ae316b6bd0d0134c619874060b2eef05435
@@ -134,6 +180,8 @@ CHECKSUMS
   stringio (3.2.0) sha256=c37cb2e58b4ffbd33fe5cd948c05934af997b36e0b6ca6fdf43afa234cf222e1
   tomlrb (2.0.4) sha256=262f77947ac3ac9b3366a0a5940ecd238300c553e2e14f22009e2afcd2181b99
   tsort (0.2.0) sha256=9650a793f6859a43b6641671278f79cfead60ac714148aabe4e3f0060480089f
+  vers (1.0.2) sha256=0ea9a63acbe1f197268c7da93f0708a4fc99bd88d86aa49dccf5b1b8d4c68de5
+  webmock (3.26.1) sha256=4f696fb57c90a827c20aadb2d4f9058bbff10f7f043bd0d4c3f58791143b1cd7
 
 BUNDLED WITH
   4.0.3

README.md

@@ -259,6 +259,18 @@ git pkgs outdated               # alias for stale
 
 Shows dependencies sorted by how long since they were last changed in your repo. Useful for finding packages that may have been forgotten or need review.
 
+### Vulnerability scanning
+
+```bash
+git pkgs vulns                  # scan current dependencies for known CVEs
+git pkgs vulns -s high          # only critical and high severity
+git pkgs vulns blame            # who introduced each vulnerability
+git pkgs vulns praise           # who fixed vulnerabilities
+git pkgs vulns exposure --all-time --summary  # remediation metrics
+```
+
+Uses the [OSV database](https://osv.dev) to check your dependencies against known security advisories. Because git-pkgs tracks the full history, it can show who introduced and fixed each vulnerability. See [docs/vulns.md](docs/vulns.md) for full documentation.
+
 ### Diff between commits
 
 ```bash

docs/README.md

@@ -4,6 +4,7 @@ Technical documentation for git-pkgs maintainers and contributors.
 
 - [internals.md](internals.md) - Architecture overview, how commands work, key algorithms
 - [schema.md](schema.md) - Database tables and relationships
+- [vulns.md](vulns.md) - Vulnerability scanning commands and OSV integration
 - [benchmarking.md](benchmarking.md) - Performance profiling tools
 
 For user-facing documentation, see the main [README](../README.md).