feat(security): osv-scanner universal dependency audit + rules for JVM/.NET/Elixir/Swift/Scala/Dart#394
Conversation
…M/.NET/Elixir/Swift/Scala/Dart Completes the security-scanner half of roadmap phase 2: - osv-scanner runner covering ecosystems without a dedicated audit tool: Maven/Gradle, NuGet, Hex, SwiftPM, pub, and Go modules. Triggered by their manifests; npm/cargo/composer manifests excluded to avoid double-reporting with existing dedicated runners. - LANGUAGE_SECURITY_SCANNERS and LANGUAGE_SECURITY_RULES entries for java, kotlin, csharp, elixir, swift, scala, dart — every language the stack detector recognizes now has scanner and rule coverage. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Signed-off-by: Oleg Miagkov <mrobenner@gmail.com>
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
|
Warning Review limit reached
Next review available in: 25 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (3)
📝 WalkthroughWalkthroughThis PR adds OSV-scanner integration to SecurityScanner for dependency ecosystems lacking dedicated audit runners, introducing manifest detection, scanner execution, and JSON output parsing into vulnerabilities. Separately, it expands LANGUAGE_SECURITY_SCANNERS and LANGUAGE_SECURITY_RULES with entries for java, kotlin, csharp, elixir, swift, scala, and dart, plus corresponding tests. ChangesOSV-scanner integration and language security rules
Estimated code review effort: 2 (Simple) | ~15 minutes Sequence Diagram(s)sequenceDiagram
participant SecurityScanner
participant OsvScannerCLI
participant ScanResult
SecurityScanner->>SecurityScanner: _has_osv_manifests(project_dir)
alt manifests found
SecurityScanner->>OsvScannerCLI: run osv-scanner --json
OsvScannerCLI-->>SecurityScanner: JSON output or error
SecurityScanner->>SecurityScanner: _parse_osv_output(json)
SecurityScanner->>ScanResult: append SecurityVulnerability entries
end
Suggested labels: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
- Extract _parse_osv_output to reduce cognitive complexity (S3776) - Deduplicate JVM SecureRandom guidance string (S1192) - Replace http:// literal with Uri.http pattern marker (S5332) Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Signed-off-by: Oleg Miagkov <mrobenner@gmail.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Signed-off-by: Oleg Miagkov <mrobenner@gmail.com>
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@apps/backend/analysis/security_scanner.py`:
- Around line 664-680: The OSV manifest check in _has_osv_manifests() only looks
at root-level paths, so scan() can skip osv-scanner in monorepos with nested
manifests. Update _has_osv_manifests() in security_scanner.py to search
recursively from project_dir (for example using rglob for each entry in
OSV_MANIFESTS) so nested pom.xml, mix.lock, go.mod, etc. are detected and
trigger the existing osv-scanner -r . flow.
- Around line 711-731: The _parse_osv_output method is forcing every OSV finding
to severity high, which overstates the scan results. Update
SecurityScanner._parse_osv_output to read the severity from each vulnerability’s
OSV payload when available, and only default to high when that field is missing.
Keep the existing SecurityVulnerability creation flow, but ensure the severity
value comes from the vulnerability data instead of a hardcoded literal.
In `@tests/test_security.py`:
- Around line 1670-1686: Update test_jvm_dotnet_tail_languages_have_rules to
also assert unsafe_patterns for each language returned by get_security_rules,
since the new language entries in security.profile are expected to define them.
Extend the existing expectations in test_jvm_dotnet_tail_languages_have_rules
with a per-language unsafe pattern token and add an assertion that the token
appears in rules["unsafe_patterns"] alongside the existing dangerous_functions
and secure_alternatives checks.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: 3151517c-8ae0-4bfb-b43b-382f223b954e
📒 Files selected for processing (4)
apps/backend/analysis/security_scanner.pyapps/backend/security/language_rules.pytests/test_security.pytests/test_security_scanner.py
- _has_osv_manifests searches recursively (single os.walk with vendor dir pruning) so nested monorepo manifests trigger the audit - severity read from OSV database_specific payload (critical/high/ moderate->medium/low), high only as fallback for unknown values - rules test also asserts unsafe_patterns per language Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Signed-off-by: Oleg Miagkov <mrobenner@gmail.com>
|



Summary
Second half of roadmap phase 2 (follows #390).
Rather than one bespoke audit runner per remaining ecosystem, this adds a single
osv-scannerrunner — Google's cross-ecosystem known-vulnerability scanner — covering Maven/Gradle, NuGet, Hex (Elixir), SwiftPM, pub (Dart), and Go modules in one pass.pom.xml,gradle.lockfile,packages.lock.json,mix.lock,Package.resolved,pubspec.lock,go.mod)scan_errorsAlso completes the
language_rules.pytables:java,kotlin,csharp,elixir,swift,scala,dartnow have scanner entries and dangerous-function rules (Runtime.exec,BinaryFormatter,Code.eval_string,String.to_atom,unsafeBitCast, …) with secure alternatives. Every language the stack detector recognizes now has scanner + rule coverage.Testing
tests/test_security_scanner.py+tests/test_security.py: 189 passed (6 new). Ruff clean.🤖 Generated with Claude Code
Summary by CodeRabbit
New Features
Bug Fixes
Tests