Skip to content

feat(security): osv-scanner universal dependency audit + rules for JVM/.NET/Elixir/Swift/Scala/Dart#394

Merged
OBenner merged 4 commits into
developfrom
feat/security-osv-universal-audit
Jul 11, 2026
Merged

feat(security): osv-scanner universal dependency audit + rules for JVM/.NET/Elixir/Swift/Scala/Dart#394
OBenner merged 4 commits into
developfrom
feat/security-osv-universal-audit

Conversation

@OBenner

@OBenner OBenner commented Jul 5, 2026

Copy link
Copy Markdown
Owner

Summary

Second half of roadmap phase 2 (follows #390).

Rather than one bespoke audit runner per remaining ecosystem, this adds a single osv-scanner runner — Google's cross-ecosystem known-vulnerability scanner — covering Maven/Gradle, NuGet, Hex (Elixir), SwiftPM, pub (Dart), and Go modules in one pass.

  • Triggered by those ecosystems' manifests (pom.xml, gradle.lockfile, packages.lock.json, mix.lock, Package.resolved, pubspec.lock, go.mod)
  • npm/cargo/composer manifests deliberately excluded — dedicated runners from feat(security): real SAST and dependency audits for C/C++, Go, Rust, and PHP #390 already cover them, avoiding double-reporting
  • Same graceful-skip contract: missing binary → silent skip, timeout/parse failure → scan_errors

Also completes the language_rules.py tables: java, kotlin, csharp, elixir, swift, scala, dart now have scanner entries and dangerous-function rules (Runtime.exec, BinaryFormatter, Code.eval_string, String.to_atom, unsafeBitCast, …) with secure alternatives. Every language the stack detector recognizes now has scanner + rule coverage.

Testing

tests/test_security_scanner.py + tests/test_security.py: 189 passed (6 new). Ruff clean.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Expanded security scanning to cover more ecosystems and added OSV-based dependency checks where applicable.
    • Added broader language security coverage for several JVM-adjacent and other supported languages.
  • Bug Fixes

    • Security findings from dependency scans now feed into existing blocking logic consistently.
    • Improved handling when the OSV scanner is unavailable or returns output errors.
  • Tests

    • Added coverage for new language security rules and OSV scan detection/parsing behavior.

…M/.NET/Elixir/Swift/Scala/Dart

Completes the security-scanner half of roadmap phase 2:

- osv-scanner runner covering ecosystems without a dedicated audit
  tool: Maven/Gradle, NuGet, Hex, SwiftPM, pub, and Go modules.
  Triggered by their manifests; npm/cargo/composer manifests excluded
  to avoid double-reporting with existing dedicated runners.
- LANGUAGE_SECURITY_SCANNERS and LANGUAGE_SECURITY_RULES entries for
  java, kotlin, csharp, elixir, swift, scala, dart — every language
  the stack detector recognizes now has scanner and rule coverage.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Oleg Miagkov <mrobenner@gmail.com>
@cursor

cursor Bot commented Jul 5, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@coderabbitai

coderabbitai Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@OBenner, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 25 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: e267596e-2aed-4bb4-ba4e-72fb5f8e8ff7

📥 Commits

Reviewing files that changed from the base of the PR and between 3ef4e9e and b13c187.

📒 Files selected for processing (3)
  • apps/backend/analysis/security_scanner.py
  • tests/test_security.py
  • tests/test_security_scanner.py
📝 Walkthrough

Walkthrough

This PR adds OSV-scanner integration to SecurityScanner for dependency ecosystems lacking dedicated audit runners, introducing manifest detection, scanner execution, and JSON output parsing into vulnerabilities. Separately, it expands LANGUAGE_SECURITY_SCANNERS and LANGUAGE_SECURITY_RULES with entries for java, kotlin, csharp, elixir, swift, scala, and dart, plus corresponding tests.

Changes

OSV-scanner integration and language security rules

Layer / File(s) Summary
OSV manifest detection and audit wiring
apps/backend/analysis/security_scanner.py
Adds OSV_MANIFESTS tuple and _has_osv_manifests check, wired into _run_dependency_audits to conditionally trigger an OSV scan.
OSV-scanner execution and parsing
apps/backend/analysis/security_scanner.py
Implements _run_osv_scanner to run the external osv-scanner command with error handling, and _parse_osv_output to convert JSON results into SecurityVulnerability entries.
OSV-scanner tests
tests/test_security_scanner.py
Adds tests for manifest detection and mocked _run_osv_scanner execution covering successful parsing and FileNotFoundError handling.
Expanded language security scanners and rules
apps/backend/security/language_rules.py
Adds a shared JVM secure-random guidance string and extends scanner commands and rule definitions (dangerous functions, unsafe patterns, secure alternatives) for java, kotlin, csharp, elixir, swift, scala, and dart.
Language security rules tests
tests/test_security.py
Adds tests verifying scanner and rule completeness for the newly added languages.

Estimated code review effort: 2 (Simple) | ~15 minutes

Sequence Diagram(s)

sequenceDiagram
  participant SecurityScanner
  participant OsvScannerCLI
  participant ScanResult

  SecurityScanner->>SecurityScanner: _has_osv_manifests(project_dir)
  alt manifests found
    SecurityScanner->>OsvScannerCLI: run osv-scanner --json
    OsvScannerCLI-->>SecurityScanner: JSON output or error
    SecurityScanner->>SecurityScanner: _parse_osv_output(json)
    SecurityScanner->>ScanResult: append SecurityVulnerability entries
  end
Loading

Suggested labels: size/XL

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main changes: adding osv-scanner dependency audits and expanding language security rules for several languages.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/security-osv-universal-audit

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

OBenner and others added 2 commits July 5, 2026 20:58
- Extract _parse_osv_output to reduce cognitive complexity (S3776)
- Deduplicate JVM SecureRandom guidance string (S1192)
- Replace http:// literal with Uri.http pattern marker (S5332)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Oleg Miagkov <mrobenner@gmail.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Oleg Miagkov <mrobenner@gmail.com>
@cursor

cursor Bot commented Jul 6, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/backend/analysis/security_scanner.py`:
- Around line 664-680: The OSV manifest check in _has_osv_manifests() only looks
at root-level paths, so scan() can skip osv-scanner in monorepos with nested
manifests. Update _has_osv_manifests() in security_scanner.py to search
recursively from project_dir (for example using rglob for each entry in
OSV_MANIFESTS) so nested pom.xml, mix.lock, go.mod, etc. are detected and
trigger the existing osv-scanner -r . flow.
- Around line 711-731: The _parse_osv_output method is forcing every OSV finding
to severity high, which overstates the scan results. Update
SecurityScanner._parse_osv_output to read the severity from each vulnerability’s
OSV payload when available, and only default to high when that field is missing.
Keep the existing SecurityVulnerability creation flow, but ensure the severity
value comes from the vulnerability data instead of a hardcoded literal.

In `@tests/test_security.py`:
- Around line 1670-1686: Update test_jvm_dotnet_tail_languages_have_rules to
also assert unsafe_patterns for each language returned by get_security_rules,
since the new language entries in security.profile are expected to define them.
Extend the existing expectations in test_jvm_dotnet_tail_languages_have_rules
with a per-language unsafe pattern token and add an assertion that the token
appears in rules["unsafe_patterns"] alongside the existing dangerous_functions
and secure_alternatives checks.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3151517c-8ae0-4bfb-b43b-382f223b954e

📥 Commits

Reviewing files that changed from the base of the PR and between 9aac5ab and 3ef4e9e.

📒 Files selected for processing (4)
  • apps/backend/analysis/security_scanner.py
  • apps/backend/security/language_rules.py
  • tests/test_security.py
  • tests/test_security_scanner.py

Comment thread apps/backend/analysis/security_scanner.py Outdated
Comment thread apps/backend/analysis/security_scanner.py
Comment thread tests/test_security.py
- _has_osv_manifests searches recursively (single os.walk with vendor
  dir pruning) so nested monorepo manifests trigger the audit
- severity read from OSV database_specific payload (critical/high/
  moderate->medium/low), high only as fallback for unknown values
- rules test also asserts unsafe_patterns per language

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Oleg Miagkov <mrobenner@gmail.com>
@sonarqubecloud

Copy link
Copy Markdown

@OBenner OBenner merged commit 71a3bc7 into develop Jul 11, 2026
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant