deps: remove fanal framework, call Trivy parsers directly (#2476)

* test: add golden tests for AnalyzeLibrary

Add golden tests that snapshot the output of AnalyzeLibrary() for all 35
lockfile fixtures in integration/data/lockfile/. This establishes a
regression baseline before refactoring the Trivy fanal integration.

- Covers all supported languages: npm, yarn, pnpm, bun, pip, pipenv,
  poetry, uv, bundler, cargo, composer, go mod/sum/binary, pom.xml,
  gradle, JAR/WAR, NuGet, conan, pubspec, mix, cocoapods, swift
- Results are sorted by name+version for deterministic comparison
- Run with -update flag to regenerate: go test ./scanner/... -args -update

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* refactor: extract file-to-parser dispatch function

Extract detectParserType() that maps file paths to parser types,
replicating the logic of each Trivy fanal analyzer's Required() method.

This is a preparatory step for removing the fanal framework dependency.
No changes to existing behavior — the function is not yet called from
production code.

Covers all edge cases:
- node_modules/ and .yarn/ exclusions for npm/yarn/pnpm
- Case-insensitive matching for .NET packages.props and JAR extensions
- Suffix matching for gradle.lockfile and .deps.json
- Executable filemode detection for Go/Rust binaries

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* deps: remove fanal framework, call Trivy parsers directly

Replace the Trivy fanal analyzer framework with direct calls to
dependency parsers, eliminating the IaC/misconf package tree that was
pulled in transitively.

Changes:
- Rewrite AnalyzeLibrary() to use detectParserType() + direct parser calls
- Remove all fanal blank imports (25+ analyzer registrations)
- Remove fanal analyzer framework usage (NewAnalyzerGroup, AnalyzeFile, etc.)
- Simplify JAR parser to standalone function, removing fanal PostAnalyzer
- Remove DummyFileInfo (no longer needed)

Scanner-only binary: 191 MB -> 46 MB (-76%)
Trivy deps: 352 -> 144 (-59%)
misconf packages: 1 -> 0

All golden tests pass. Both scanner-only and full builds verified.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* style: fix goimports formatting and go mod tidy

- Fix goimports formatting in scanner/base.go, dispatch.go, dispatch_test.go
- golang.org/x/sync moved from direct to indirect (errgroup no longer used)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* test: address Copilot review on golden tests

- Skip test when integration/ submodule is not checked out (t.Skip with
  instructions to init submodule)
- Use filepath.ToSlash for cross-platform golden file naming

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* test: copy text fixtures to testdata for CI compatibility

Copy lockfile fixtures from integration submodule to scanner/testdata/fixtures/
so golden tests run in CI without requiring submodule checkout.

Binary fixtures (JAR, WAR, Go/Rust binaries) remain in the integration
submodule and are skipped when not available.

CI coverage: 29/34 tests run (5 binary fixtures skipped)
Local coverage: 34/34 tests run (with submodule initialized)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* test: force-add requirements.txt ignored by *.txt gitignore

The repo-level .gitignore has *.txt which prevented requirements.txt
from being committed. Use git add -f to override.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address Copilot review on PR #2476

- Return parse errors from AnalyzeLibrary instead of silently swallowing
  them. Caller (scanLibraries) logs warning and continues to next file.
- Use io.SeekEnd/io.SeekStart instead of magic numbers in JAR parser.
- Golden test treats parse errors as empty result (matches production
  behavior where scanLibraries warns and continues).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address Copilot review round 2 on PR #2476

- Remove unused parserRustBinary constant (dispatch returns parserGoBinary
  for all executables, language determined at parse time)
- Make suffix-based dispatch case-insensitive (.deps.json, gradle.lockfile)
  for cross-platform compatibility
- Aggregate parse errors into l.warns so they surface in scan results
- Remove unused fanal blank imports from golden test file

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address Copilot review round 3

  - Collect parse errors in l.errs (ScanResult.Errors) with comments
  - Rename parserGoBinary to parserExecutable (value "executable")
  - Add expectParseError to golden test entries

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* test: add diff-lockfile for A/B regression testing

  Add scripts/compare-lockfile.go and scripts/lockfile-fixtures.json for
  comparing AnalyzeLibrary output between Git refs using real-world
  lockfiles from popular OSS projects.

  17 fixtures: npm, yarn, pnpm, pip, pipenv, poetry, bundler, cargo,
  composer, go.mod, pom.xml, mix, swift, JAR (x2), Go binary, Rust binary

  Supports tar.gz extraction for binary fixtures and custom filemodes.

  Add diff-lockfile target to GNUmakefile:
    make diff-lockfile              # compare against master
    make diff-lockfile BASE=commit  # compare against specific ref

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: gitignore compare-lockfile binary

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs: add scripts/README.md for diff-lockfile usage

  Document when and how to run the lockfile regression test.
  Also gitignore the compare-lockfile binary.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address Copilot review round 4 on PR #2476

  scanner/base.go:
  - Add Rust binary error types (ErrUnrecognizedExe, ErrNonRustBinary)
    to parseBinary suppression list
  - Wrap parse errors with file path context in l.errs

  scripts/compare-lockfile.go:
  - Fix file header (compare-analyze.go -> compare-lockfile.go)
  - Add HTTP client timeout (5 min)
  - Remove dead code in base runner safe variable

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: update fixtures to non-zero libs and fix docs

  Fixtures:
  - pip: home-assistant/core (43 libs, was django 0 libs)
  - pom: apache/spark (2 libs, was apache/maven 0 libs)
  - rustbinary: cargo-bins/cargo-binstall (399 libs, built with
    cargo-auditable, was sharkdp/fd 0 libs)
  - Fix .tgz archive extraction

  scanner/base.go:
  - Add Rust binary error types to parseBinary suppression
  - Wrap parse errors with file path context

  scripts/compare-lockfile.go:
  - Fix file header, add HTTP timeout, remove dead code, support .tgz

  Update scripts/README.md and PR description to match current fixtures.

  Result: 17/17 IDENTICAL across 7,194 libraries, all non-zero.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: surface all filesystem errors in compare-lockfile

  - Check copyFile return when copying fixtures to worktree
  - Check MkdirAll and WriteFile for base_runner.go setup
  - Fix MkdirAll error in copyFile itself

  All errors now logged and cause runOnBase to return nil, which
  triggers the skipped > 0 exit condition in main.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add complete sort tie-breakers and harden error handling

Add Dev field to sort comparators for deterministic ordering across
all normalize functions (main script, runner, golden test). Fix
os.MkdirAll error handling in main() and runner. Replace custom
replaceAll/indexOf with strings.ReplaceAll. Handle diff command errors.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: sort imports per gofmt and sanitize worktree path

- Reorder imports in base.go and compare-lockfile.go to match gofmt
  conventions (stdlib alphabetical, then third-party groups)
- Sanitize baseRef in worktree directory name to handle branch names
  containing slashes (e.g. feature/foo → feature_foo)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use MkdirTemp for worktree and handle result-counting errors

- Replace os.RemoveAll with os.MkdirTemp for worktree directory
  creation to avoid path traversal risks from unsanitized baseRef
- Handle errors from os.ReadDir, os.ReadFile, and json.Unmarshal
  in result-counting block so failures are diagnosable

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: check os.Remove and worktree cleanup errors

  Handle errors from os.Remove (temp dir removal before git worktree add)
  and git worktree remove (deferred cleanup) to avoid silent failures.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: use abspath instead of trivypath in error messages

  Error messages in ScanResult.Errors are user-facing. Use the original
  filesystem path (abspath) so users can locate the failing lockfile,
  not the Trivy-internal cleaned path (trivypath).

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs: use workdir-relative path in README instead of hardcoded /tmp

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address remaining code quality issues

  - Use io.SeekStart instead of magic number 0 in parseExecutableBinary
  - Ensure parent directory exists in newLogger before creating log file
  - Sanitize path separators and ".." in safeFilename (main and runner)
  - Use http.StatusOK instead of magic number 200
  - Use os.TempDir() for default workdir instead of hardcoded /tmp
  - Return error from logger.close() instead of discarding it
  - Include HTTP status text in fetch error messages
  - Update README to use $TMPDIR instead of /tmp/diet-compare

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: fix result map key and add diff fallback

  - Fix TrimSuffix to trim ".result.json" instead of ".json" so the
    result map keys match safeFilename() output
  - Use exec.LookPath to detect diff availability and fall back to
    printing file paths when diff is not installed

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: comprehensive code quality sweep

  - Handle deferred log.close() error instead of discarding
  - Fix io.Copy + defer Close pattern to not lose write errors
    in fetchFixture and extractFromTarGz
  - Add os.Args bounds check in generated runner
  - Hoist strings.NewReplacer to package var (pathSanitizer)
    and outside loop in runner
  - Distinguish parse error from OK in log output (main + runner)
  - Fix result map key to trim ".result.json" not ".json"
  - Add diff command fallback when diff is not installed

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add ComposerVendor dispatch and complete test coverage

  Add installed.json (ComposerInstalledJson) to detectParserType as
  parserComposerVendor, preventing regression from fanal removal.
  Verified all FindLockFiles entries are covered by detectParserType.

  - dispatch.go/base.go: add parserComposerVendor using same Composer
    parser with ComposerVendor type
  - dispatch_test.go: add installed.json test cases
  - Golden test: add installed.json fixture and golden file

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add ComposerVendor dispatch, fix lint, use request context

  - Add installed.json (ComposerInstalledJson) to detectParserType as
    parserComposerVendor, preventing regression from fanal removal
  - Fix goimports alignment in dispatch.go const block
  - Use http.NewRequestWithContext in fetchFixture for cancellation support
  - Add golden test fixture and dispatch test cases for installed.json

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: make diff-lockfile fetch optional via FETCH variable

  Default FETCH=1 (download fixtures). Use FETCH=0 to re-run comparison
  with cached fixtures, avoiding repeated network downloads during
  development iterations.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs: fix README wording to match actual script behavior

  The script generates a runner and executes it via go run, not a
  separate build step.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: detect .exe and exclude non-regular files in isExecutable

  Mimic Trivy's utils.IsExecutable: check .exe extension for Windows,
  exclude directories/symlinks, then check Unix execute bits.
  Fixes Windows .exe binaries not being scanned.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address review feedback (rename, typo, comments, unused arg)

  - Rename diff-lockfile to compare-lockfile in GNUmakefile and README
  - Fix typo: Text -> Test in analyze_golden_test.go
  - Add comment explaining why lockfileParser is defined locally
  - Remove unused fixtures parameter from runOnBase

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs: add security rationale for not using submodules in CI

  Explain the concrete attack scenario (fork PR rewriting .gitmodules)
  to document why binary fixture tests are local-only.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* test: expand diff-lockfile to 129 fixtures, remove unused jar method

  - Expand lockfile-fixtures.json from 17 to 129 entries (10 per ecosystem)
  - Replace all 0-libs fixtures with projects that have actual dependencies
  - pipenv reduced to 5 fixtures (Pipfile.lock is extremely rare in OSS)
  - Add pom.xml online mode golden file for TestAnalyzeLibrary_PomOnline
  - Remove unused properties.string() method in jar parser (Trivy fork code)

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: add /compare-lockfile binary to .gitignore

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* style: fix goimports alignment in dispatch_test.go

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: check IsRegular before .exe in isExecutable

  Move non-regular file check before .exe extension check so that
  directories/symlinks ending in .exe are excluded. Allow mode==0
  for Windows compatibility (stat returns 0 permission bits).

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* docs: update fixture count in scripts/README.md (17 → 129)

* test: compare lib count instead of byte length in pom online test

* fix: unmarshal golden JSON as slice in PomOnline test

* fix: address MaineK00n review feedback

- Rename golden files: .golden.json → .json (redundant under testdata/golden/)
- Use cmp.Or for sort comparators in normalizeResult
- Switch on langType in parseBinary to isolate sentinel errors per language
- Wrap parseExecutableBinary errors with language name, symmetrize structure
- Simplify dispatch.go: inline filepath.Base in switch, use slices.Contains
- Extract base-runner.go from compare-lockfile.go via //go:embed

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: kotakanbe

.gitignore

@@ -23,3 +23,5 @@ vuls
 /trivy-to-vuls
 snmp2cpe
 !snmp2cpe/
+/scripts/compare-lockfile
+/compare-lockfile

GNUmakefile

@@ -10,7 +10,8 @@
 	pretest \
 	test \
 	cov \
-	clean
+	clean \
+	compare-lockfile
 
 SRCS = $(shell git ls-files '*.go')
 PKGS = $(shell go list ./...)
@@ -241,6 +242,17 @@ define sed-d
 	find ${ONE_SEC_AFTER_JSON_DIR} -type f -exec sed -i -e '/scannedRevision/d' {} \;
 endef
 
+# Compare AnalyzeLibrary output between current branch and BASE ref.
+# Fetches real-world lockfiles from popular OSS projects and compares results.
+# Usage:
+#   make compare-lockfile              # fetch fixtures and compare against master
+#   make compare-lockfile BASE=commit  # compare against specific ref
+#   make compare-lockfile FETCH=0      # re-run with cached fixtures (skip download)
+BASE ?= master
+FETCH ?= 1
+compare-lockfile:
+	$(GO) run scripts/compare-lockfile.go $(if $(filter 1,$(FETCH)),-fetch) -base $(BASE)
+
 define count-cve
 	for jsonfile in ${NOW_JSON_DIR}/*.json ;  do \
 		echo $$jsonfile; cat $$jsonfile | jq ".scannedCves | length" ; \

go.mod

@@ -59,7 +59,6 @@ require (
 	github.com/vulsio/gost v0.7.2
 	go.etcd.io/bbolt v1.4.3
 	golang.org/x/oauth2 v0.35.0
-	golang.org/x/sync v0.20.0
 	golang.org/x/term v0.40.0
 	golang.org/x/text v0.34.0
 	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da
@@ -347,6 +346,7 @@ require (
 	golang.org/x/exp v0.0.0-20251219203646-944ab1f22d93 // indirect
 	golang.org/x/mod v0.33.0 // indirect
 	golang.org/x/net v0.51.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
 	golang.org/x/sys v0.41.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
 	golang.org/x/tools v0.42.0 // indirect

scanner/analyze_golden_test.go

@@ -0,0 +1,317 @@
+package scanner
+
+import (
+	"cmp"
+	"context"
+	"encoding/json"
+	"flag"
+	"os"
+	"path/filepath"
+	"slices"
+	"strings"
+	"testing"
+
+	"github.com/future-architect/vuls/models"
+)
+
+var update = flag.Bool("update", false, "update golden files")
+
+// lockfileEntry defines a test fixture for AnalyzeLibrary golden testing.
+type lockfileEntry struct {
+	// path is the relative path from the fixtures directory.
+	path string
+	// filemode to pass to AnalyzeLibrary (0755 for executables, 0644 otherwise).
+	filemode os.FileMode
+	// binary indicates the fixture is a binary file only available in the
+	// integration submodule (not copied to testdata/fixtures/).
+	binary bool
+	// expectParseError indicates this fixture is known to produce a parse error
+	// (e.g. unsupported lockfile version). The test treats errors as empty result.
+	expectParseError bool
+}
+
+var lockfiles = []lockfileEntry{
+	// Node.js
+	{"npm-v1/package-lock.json", 0644, false, false},
+	{"npm-v2/package-lock.json", 0644, false, false},
+	{"npm-v3/package-lock.json", 0644, false, false},
+	{"yarn.lock", 0644, false, false},
+	{"pnpm/pnpm-lock.yaml", 0644, false, true}, // pnpm v8: known parse error
+	{"pnpm-v9/pnpm-lock.yaml", 0644, false, false},
+	{"bun.lock", 0644, false, false},
+
+	// Python
+	{"requirements.txt", 0644, false, false},
+	{"Pipfile.lock", 0644, false, false},
+	{"poetry-v1/poetry.lock", 0644, false, false},
+	{"poetry-v2/poetry.lock", 0644, false, false},
+	{"uv.lock", 0644, false, false},
+
+	// Ruby
+	{"Gemfile.lock", 0644, false, false},
+
+	// Rust
+	{"Cargo.lock", 0644, false, false},
+	{"hello-rust", 0755, true, false},
+
+	// PHP
+	{"composer.lock", 0644, false, false},
+	{"installed.json", 0644, false, false},
+
+	// Go
+	{"go.mod", 0644, false, false},
+	{"go.sum", 0644, false, false},
+	{"gobinary", 0755, true, false},
+
+	// Java
+	{"pom.xml", 0644, false, false},
+	{"gradle.lockfile", 0644, false, false},
+	{"log4j-core-2.13.0.jar", 0644, true, false},
+	{"wrong-name-log4j-core.jar", 0644, true, false},
+	{"juddiv3-war-3.3.5.war", 0644, true, false},
+
+	// .NET
+	{"packages.lock.json", 0644, false, false},
+	{"packages.config", 0644, false, false},
+	{"datacollector.deps.json", 0644, false, false},
+	{"Directory.Packages.props", 0644, false, false},
+
+	// C/C++
+	{"conan-v1/conan.lock", 0644, false, false},
+	{"conan-v2/conan.lock", 0644, false, false},
+
+	// Dart
+	{"pubspec.lock", 0644, false, false},
+
+	// Elixir
+	{"mix.lock", 0644, false, false},
+
+	// Swift
+	{"Podfile.lock", 0644, false, false},
+	{"Package.resolved", 0644, false, false},
+}
+
+// goldenFileName converts a lockfile path to a golden file name.
+// e.g. "npm-v3/package-lock.json" -> "npm-v3_package-lock.json"
+// Uses filepath.ToSlash to normalize path separators across platforms.
+func goldenFileName(lockfilePath string) string {
+	return strings.ReplaceAll(filepath.ToSlash(lockfilePath), "/", "_") + ".json"
+}
+
+func TestAnalyzeLibrary_Golden(t *testing.T) {
+	fixturesDir := filepath.Join("testdata", "fixtures")
+	integrationDir := filepath.Join("..", "integration", "data", "lockfile")
+	goldenDir := filepath.Join("testdata", "golden")
+
+	for _, lf := range lockfiles {
+		t.Run(lf.path, func(t *testing.T) {
+			// Test fixtures are in testdata/fixtures/ (committed to repo).
+			// Binary fixtures (JAR, WAR, Go/Rust binaries) are only in the
+			// integration submodule — skip if not available.
+			// NOTE: We intentionally do NOT add submodules: true to CI checkout.
+			// Attack scenario: an attacker forks this repo, edits .gitmodules to
+			// replace the integration submodule URL with their own repo containing
+			// a malicious go.mod or _test.go, then opens a PR. If CI checks out
+			// submodules, `go test` executes attacker-controlled code with access
+			// to the CI environment (secrets, GITHUB_TOKEN, network).
+			// Binary fixture tests therefore run locally only.
+			srcPath := filepath.Join(fixturesDir, lf.path)
+			if lf.binary {
+				srcPath = filepath.Join(integrationDir, lf.path)
+			}
+			contents, err := os.ReadFile(srcPath)
+			if err != nil {
+				if lf.binary {
+					t.Skipf("Binary fixture not found: %s (requires: git submodule update --init)", srcPath)
+				}
+				t.Fatalf("Failed to read %s: %v", srcPath, err)
+			}
+
+			got, err := AnalyzeLibrary(context.Background(), lf.path, contents, lf.filemode, true)
+			if err != nil {
+				if lf.expectParseError {
+					// Verify the error is actually a parse error (contains "parse error" or the parser type)
+					errMsg := err.Error()
+					if !strings.Contains(errMsg, "parse error") && !strings.Contains(errMsg, "Failed to parse") {
+						t.Fatalf("AnalyzeLibrary(%s) expected parse error but got: %v", lf.path, err)
+					}
+					t.Logf("AnalyzeLibrary(%s) returned expected parse error: %v", lf.path, err)
+					got = nil
+				} else {
+					t.Fatalf("AnalyzeLibrary(%s) unexpected error: %v", lf.path, err)
+				}
+			}
+
+			gotJSON, err := json.MarshalIndent(normalizeResult(got), "", "  ")
+			if err != nil {
+				t.Fatalf("Failed to marshal result: %v", err)
+			}
+
+			goldenPath := filepath.Join(goldenDir, goldenFileName(lf.path))
+
+			if *update {
+				if err := os.MkdirAll(goldenDir, 0755); err != nil {
+					t.Fatalf("Failed to create golden dir: %v", err)
+				}
+				if err := os.WriteFile(goldenPath, gotJSON, 0644); err != nil {
+					t.Fatalf("Failed to write golden file: %v", err)
+				}
+				t.Logf("Updated golden file: %s", goldenPath)
+				return
+			}
+
+			wantJSON, err := os.ReadFile(goldenPath)
+			if err != nil {
+				t.Fatalf("Golden file not found: %s (run with -update to generate)", goldenPath)
+			}
+
+			if string(gotJSON) != string(wantJSON) {
+				t.Errorf("AnalyzeLibrary(%s) output differs from golden file.\nGot:\n%s\nWant:\n%s",
+					lf.path, string(gotJSON), string(wantJSON))
+			}
+		})
+	}
+}
+
+// TestAnalyzeLibrary_PomOnline verifies that pom.xml parsing in online mode
+// (resolving transitive dependencies from Maven Central) works correctly.
+// Skipped with -short since it requires network access.
+func TestAnalyzeLibrary_PomOnline(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping online pom.xml test (requires network access)")
+	}
+
+	fixturesDir := filepath.Join("testdata", "fixtures")
+	goldenDir := filepath.Join("testdata", "golden")
+
+	contents, err := os.ReadFile(filepath.Join(fixturesDir, "pom.xml"))
+	if err != nil {
+		t.Fatalf("Failed to read pom.xml: %v", err)
+	}
+
+	got, err := AnalyzeLibrary(context.Background(), "pom.xml", contents, 0644, false)
+	if err != nil {
+		t.Fatalf("AnalyzeLibrary(pom.xml, online) unexpected error: %v", err)
+	}
+
+	gotJSON, err := json.MarshalIndent(normalizeResult(got), "", "  ")
+	if err != nil {
+		t.Fatalf("Failed to marshal result: %v", err)
+	}
+
+	goldenPath := filepath.Join(goldenDir, "pom.xml.online.json")
+
+	if *update {
+		if err := os.MkdirAll(goldenDir, 0755); err != nil {
+			t.Fatalf("Failed to create golden dir: %v", err)
+		}
+		if err := os.WriteFile(goldenPath, gotJSON, 0644); err != nil {
+			t.Fatalf("Failed to write golden file: %v", err)
+		}
+		t.Logf("Updated golden file: %s", goldenPath)
+		return
+	}
+
+	wantJSON, err := os.ReadFile(goldenPath)
+	if err != nil {
+		t.Fatalf("Golden file not found: %s (run with -update to generate)", goldenPath)
+	}
+
+	if string(gotJSON) != string(wantJSON) {
+		t.Errorf("AnalyzeLibrary(pom.xml, online) output differs from golden file.\nGot:\n%s\nWant:\n%s",
+			string(gotJSON), string(wantJSON))
+	}
+
+	// Online mode should resolve transitive dependencies, producing more results than offline.
+	offlineGoldenPath := filepath.Join(goldenDir, "pom.xml.json")
+	offlineJSON, err := os.ReadFile(offlineGoldenPath)
+	if err != nil {
+		t.Logf("Offline golden file not found, skipping comparison: %s", offlineGoldenPath)
+		return
+	}
+
+	var onlineRes []goldenLibraryScanner
+	if err := json.Unmarshal(gotJSON, &onlineRes); err != nil {
+		t.Fatalf("Failed to unmarshal online JSON result: %v", err)
+	}
+	var offlineRes []goldenLibraryScanner
+	if err := json.Unmarshal(offlineJSON, &offlineRes); err != nil {
+		t.Fatalf("Failed to unmarshal offline golden JSON: %v", err)
+	}
+	var onlineLibs, offlineLibs int
+	for _, s := range onlineRes {
+		onlineLibs += len(s.Libs)
+	}
+	for _, s := range offlineRes {
+		offlineLibs += len(s.Libs)
+	}
+	if onlineLibs <= offlineLibs {
+		t.Errorf("Online mode should resolve more dependencies than offline mode.\nOnline libs: %d\nOffline libs: %d",
+			onlineLibs, offlineLibs)
+	}
+}
+
+// normalizeResult produces a stable, comparable representation of the scan result.
+// It sorts libraries by name+version to avoid ordering-dependent diffs.
+type goldenLibraryScanner struct {
+	Type         string          `json:"type"`
+	LockfilePath string          `json:"lockfilePath"`
+	Libs         []goldenLibrary `json:"libs"`
+}
+
+type goldenLibrary struct {
+	Name     string `json:"name"`
+	Version  string `json:"version"`
+	PURL     string `json:"purl,omitempty"`
+	FilePath string `json:"filePath,omitempty"`
+	Digest   string `json:"digest,omitempty"`
+	Dev      bool   `json:"dev,omitempty"`
+}
+
+func normalizeResult(scanners []models.LibraryScanner) []goldenLibraryScanner {
+	result := make([]goldenLibraryScanner, 0, len(scanners))
+	for _, s := range scanners {
+		gs := goldenLibraryScanner{
+			Type:         string(s.Type),
+			LockfilePath: s.LockfilePath,
+			Libs:         make([]goldenLibrary, 0, len(s.Libs)),
+		}
+		for _, lib := range s.Libs {
+			gs.Libs = append(gs.Libs, goldenLibrary{
+				Name:     lib.Name,
+				Version:  lib.Version,
+				PURL:     lib.PURL,
+				FilePath: lib.FilePath,
+				Digest:   lib.Digest,
+				Dev:      lib.Dev,
+			})
+		}
+		slices.SortFunc(gs.Libs, func(a, b goldenLibrary) int {
+			return cmp.Or(
+				cmp.Compare(a.Name, b.Name),
+				cmp.Compare(a.Version, b.Version),
+				cmp.Compare(a.PURL, b.PURL),
+				cmp.Compare(a.FilePath, b.FilePath),
+				cmp.Compare(a.Digest, b.Digest),
+				func() int {
+					switch {
+					case !a.Dev && b.Dev:
+						return -1
+					case a.Dev && !b.Dev:
+						return +1
+					default:
+						return 0
+					}
+				}(),
+			)
+		})
+		result = append(result, gs)
+	}
+	slices.SortFunc(result, func(a, b goldenLibraryScanner) int {
+		return cmp.Or(
+			cmp.Compare(a.Type, b.Type),
+			cmp.Compare(a.LockfilePath, b.LockfilePath),
+		)
+	})
+	return result
+}