✨ feat(libraryscan): migrate to McpScanResult dedicated data model #12
Merged
marcwieserdev merged 10 commits into main, Mar 24, 2026
Conversation
… model

Update library scan to consume the new MCP-optimized API response format (version 1) which uses a library-centric structure with a deduplicated vulnerabilities map, replacing the old VULNERABILITY_DETECTION enricher format.

- VulnerabilityFinding: replace CVEAliases with CVE, add CWEs, DatadogScore, Reachability, Ecosystem, Relation, FixType, HasRemediation, ExploitPoC; change ExploitAvailable from bool to *bool to handle null API values
- parser.go: new mcpScanResult struct types; parseResponse now iterates libraries map and enriches each finding from the vulnerabilities map
- formatLibraryScanResult (MCP + CLI): display new fields (CVE, Ecosystem, Relation, DatadogScore, Reachability, CWEs, ExploitPoC)
- Tests updated throughout for new format and struct fields

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

…nown versions

Per the McpScanResult versioning contract: if the response version is higher than the supported version (1), structured parsing must be rejected to avoid misreading unknown fields. Instead, return the raw JSON so agents can still inspect the payload directly.

- parser.go: check version before parsing; set ScanResult.UnsupportedVersion and skip structured parsing when version > supportedVersion
- types.go: add UnsupportedVersion field to ScanResult
- formatting.go: when UnsupportedVersion is set, show a warning and render the raw JSON response for agents to read
- Tests added for both the parser and formatter degradation paths

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

…metadata

Previously only a subset of the McpScanResult schema was decoded. Both the vulnerability definition and library result contain additional fields that were silently dropped.

Vulnerability definition — added fields: cvssVector, epssScore, epssPercentile, exploitSources, exploitUrls, cisaAdded
Library result — added fields: licenseId, latestVersion, eolDate, rootParent

All new fields are propagated through VulnerabilityFinding and rendered in the MCP formatter: CVSS vector, EPSS score/percentile, exploit sources, CISA KEV date, license, latest available version, and root dependency PURL.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

The CLI formatter (scan.go) was not updated alongside the MCP formatter when the full vulnerability and library metadata fields were added. Added the missing fields: licenseId, latestVersion, rootParent, cvssVector, epssScore/percentile, cwes, exploitSources, exploitPoC, and cisaAdded.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

When exploit URLs are present, list them beneath the exploit warning line in both the MCP and CLI formatters.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

…supported

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
(Collaborator, Author)
@codex review (Seems like we still don't have access here :sadcat:)
- Drop RawResponse from successful parse results; only store it for the unsupported-version fallback path where agents actually need to read it
- Remove redundant ID field from mcpVulnerabilityDef (GHSAID already set from vulnRef.AdvisoryID)
- Simplify EPSS formatting in CLI to avoid mixed Printf/Println pattern

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

The id field was dropped from mcpVulnerabilityDef but remained in the test JSON bodies where it was silently ignored by the decoder.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
jbcibois-ddhq approved these changes on Mar 19, 2026
…output

- Add Risks field to LibraryInfo, parsed from API response
- Display risks in MCP table column and per-library section header
- Display risks in CLI library header line
- Add Root Parent column to libraries table in MCP output
- Fix vulnerability pluralisation (vulnerabilitys → vulnerabilities)
- Remove next steps sections from all formatters (scan, SBOM, library)

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
jbcibois-ddhq approved these changes on Mar 23, 2026
🚀 Motivation
The library scan tool was forwarding the raw pipeline JSON response directly to agents. This response format is costly to parse and makes it hard for agents to correlate objects — for example, vulnerability hashes were stored in metadata maps rather than being embedded in the vulnerability objects they describe. A dedicated, library-centric data model is needed to make vulnerability metadata directly accessible to AI agents.
📚 Documentation
📝 Summary
Migrated the library scan parser and types from the old enricher-based pipeline response (`VULNERABILITY_DETECTION`/`SCORE_ENRICHER`/`REMEDIATION_ENRICHER` keys) to the new `McpScanResult` schema (version 1), which is library-centric with a deduplicated vulnerability definitions map.

Key changes:

- `VulnerabilityFinding` — replaced `CVEAliases []string` with `CVE string`; removed free-form `Remediation` text; added `CWEs`, `CVSSVector`, `EPSSScore`, `EPSSPercentile`, `ExploitSources`, `ExploitURLs`, `CISAAdded`, `DatadogScore`, `Reachability`, `Ecosystem`, `LicenseID`, `LatestVersion`, `EolDate`, `RootParent`, `FixType`, `HasRemediation`; changed `ExploitAvailable` from `bool` to `*bool` to correctly represent nullable API values
- `parseResponse` — iterates the `libraries` map and enriches each finding from the deduplicated `vulnerabilities` map, extracting closest/latest fix versions from structured remediation entries
- `version` field is higher than the supported version (1), structured parsing is skipped entirely and the raw JSON is returned so agents can still inspect the payload

🧪 Testing
🚧 Staging validation
🆘 Recovery
Notes for on-call - select only one:
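As an added illustration of the parsing contract this PR describes (version gate first, then the libraries-to-vulnerabilities join with a nullable exploit flag), here is a Go example that is not the PR's own parser.go. The payload shape, the field names `advisoryId` and `exploitAvailable`, and the sample JSON are assumptions constructed for it.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const supportedVersion = 1 // highest McpScanResult schema version this parser understands

// Assumed minimal subset of the version-1 payload (constructed for this example, not the project's schema).
type mcpScanResult struct {
	Version   int `json:"version"`
	Libraries map[string]struct { // each library lists references into the shared vulnerabilities map
		VulnRefs []struct{ AdvisoryID string `json:"advisoryId"` } `json:"vulnerabilities"`
	} `json:"libraries"`
	Vulnerabilities map[string]struct {
		CVE              string `json:"cve"`
		ExploitAvailable *bool  `json:"exploitAvailable"` // pointer keeps JSON null distinct from false
	} `json:"vulnerabilities"`
}
type Finding struct{ Library, Advisory, CVE string; ExploitAvailable *bool } // one (library, advisory) pair
type ScanResult struct{ UnsupportedVersion bool; RawResponse []byte; Findings []Finding } // RawResponse: fallback path only

// Constructed sample: two libraries share advisory 1 (deduplicated); advisory 1 has a null exploit flag.
const sampleBody = `{"version":1,"libraries":{"pkg:npm/example-a@1.0.0":{"vulnerabilities":[{"advisoryId":"GHSA-placeholder-1"}]},"pkg:npm/example-b@2.0.0":{"vulnerabilities":[{"advisoryId":"GHSA-placeholder-1"},{"advisoryId":"GHSA-placeholder-2"}]}},"vulnerabilities":{"GHSA-placeholder-1":{"cve":"CVE-0000-0001","exploitAvailable":null},"GHSA-placeholder-2":{"cve":"CVE-0000-0002","exploitAvailable":true}}}`

func parseResponse(body []byte) (ScanResult, error) {
	var probe struct{ Version int `json:"version"` } // read only the version before trusting the shape
	if err := json.Unmarshal(body, &probe); err != nil {
		return ScanResult{}, err
	}
	if probe.Version > supportedVersion { // newer schema: skip structured parsing, pass raw JSON through
		return ScanResult{UnsupportedVersion: true, RawResponse: body}, nil
	}
	var r mcpScanResult
	if err := json.Unmarshal(body, &r); err != nil {
		return ScanResult{}, err
	}
	var res ScanResult
	for lib, entry := range r.Libraries {
		for _, ref := range entry.VulnRefs {
			def, ok := r.Vulnerabilities[ref.AdvisoryID]
			if !ok { // dangling reference: the deduplicated map is inconsistent, fail rather than guess
				return ScanResult{}, fmt.Errorf("library %s references unknown advisory %s", lib, ref.AdvisoryID)
			}
			res.Findings = append(res.Findings, Finding{lib, ref.AdvisoryID, def.CVE, def.ExploitAvailable})
		}
	}
	return res, nil // map iteration order is random; callers sort before rendering
}
```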