Context
foxguard has curated manifest rules for PQ-vulnerable crypto dependencies across several lockfile formats. That is useful, but it is not a full SCA layer: there is no OSV-backed vulnerability matching, package URL normalization, vulnerability metadata, or transitive path reporting outside the curated PQ seed lists.
Proposed work
Add an optional dependency-vulnerability scan mode that can read supported lockfiles and match packages against OSV data while keeping the existing PQ crypto dependency rules as a separate lens.
Acceptance criteria
- Supported lockfiles produce normalized package identities (package URLs) wherever the ecosystem has a canonical form; packages that cannot be normalized are reported as such rather than silently dropped.
- Findings include vulnerability id, affected package, installed version, fixed version when known, severity when available, and source database.
- Offline/cache behavior is explicit and documented: a run without network access states whether it matched against cached OSV data and how old that data is, rather than silently reporting no findings.
- PQ manifest rules continue to work without network access.
- JSON/SARIF output includes dependency metadata in stable properties.
- Tests cover at least Cargo.lock, package-lock.json, pnpm-lock.yaml, requirements.txt, poetry.lock, and Pipfile.lock fixtures.
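The following is an added sketch of the pipeline the proposed work and acceptance criteria describe (lockfile parsing, package URL normalization, offline OSV-range matching, findings with id/package/installed/fixed/severity/source). It is example code written for this issue, not foxguard's own implementation, and it is in Python regardless of the project's language. The npm lockfile, requirements file and the OSV-schema records in `OSV_CACHE` are constructed fixtures with placeholder ids, not real advisories; `vkey` is a deliberately simple numeric version comparator, not full semver or PEP 440; Cargo.lock, pnpm-lock.yaml, poetry.lock and Pipfile.lock parsers are omitted.

```python
"""Added example: lockfile -> package URL -> offline OSV-style matching.
Not foxguard's code; all fixtures and vulnerability records are constructed."""
import json
import re
from urllib.parse import quote

# --- constructed fixtures (not real lockfiles or advisories) ---
PACKAGE_LOCK_JSON = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo"},
        "node_modules/acme-http": {"version": "1.2.3"},
        "node_modules/acme-http/node_modules/@acme/utils": {"version": "0.9.0"},
    },
})
REQUIREMENTS_TXT = "Acme_Parser==2.0.1\n# comment\nsafe-lib>=1.0  # range, not a pin: skipped\n"
# Offline cache: OSV-schema records that a real scanner would fetch and persist locally.
OSV_CACHE = [
    {"id": "EXAMPLE-NPM-0001",
     "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],
     "affected": [{"package": {"ecosystem": "npm", "name": "acme-http"},
                   "ranges": [{"type": "SEMVER",
                               "events": [{"introduced": "0"}, {"fixed": "1.3.0"}]}]}]},
    {"id": "EXAMPLE-NPM-0002",
     "affected": [{"package": {"ecosystem": "npm", "name": "@acme/utils"},
                   "ranges": [{"type": "SEMVER", "events": [{"introduced": "1.0.0"}]}]}]},
    {"id": "EXAMPLE-PYPI-0001",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "acme-parser"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "2.0.0"}, {"fixed": "2.0.2"}]}]}]},
]

def parse_package_lock(text):
    """Yield (ecosystem, name, version) from an npm lockfile v2/v3 'packages' map."""
    data = json.loads(text)
    for path, entry in data.get("packages", {}).items():
        if not path.startswith("node_modules/") or "version" not in entry:
            continue
        name = path.rsplit("node_modules/", 1)[1]  # nested deps: keep the innermost name
        yield "npm", name, entry["version"]

def parse_requirements(text):
    """Yield only '==' pins; a range has no single installed version to match."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][^\s;]*)$", line)
        if m:
            yield "PyPI", m.group(1), m.group(2)

def canonical_name(ecosystem, name):
    """Ecosystem-specific canonical spelling so lockfile and OSV names compare equal."""
    if ecosystem == "PyPI":
        return re.sub(r"[-_.]+", "-", name).lower()  # PEP 503 normalization
    return name  # npm and crates.io names are used as published

def purl(ecosystem, name, version):
    """Package URL: pkg:<type>/[namespace/]name@version, namespace percent-encoded."""
    ptype = {"npm": "npm", "PyPI": "pypi", "crates.io": "cargo"}[ecosystem]
    namespace, _, base = canonical_name(ecosystem, name).rpartition("/")
    path = f"{quote(namespace, safe='')}/{base}" if namespace else base
    return f"pkg:{ptype}/{path}@{version}"

def vkey(version):
    """Order key for dotted numeric versions; pre-release tags compare as 0.
    Assumption of this example: adequate for the fixtures, not semver/PEP 440."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", version))

def affected_by(vuln, ecosystem, name, version):
    """Return (affected, fixed_version). fixed_version is None when no fix is listed.
    OSV semantics: a version is affected when introduced <= v < fixed for a range."""
    v = vkey(version)
    for aff in vuln.get("affected", []):
        pkg = aff["package"]
        if pkg["ecosystem"] != ecosystem or \
                canonical_name(ecosystem, pkg["name"]) != canonical_name(ecosystem, name):
            continue
        for rng in aff.get("ranges", []):
            if rng["type"] not in ("SEMVER", "ECOSYSTEM"):
                continue  # GIT ranges need commit resolution; out of scope here
            lo = None
            for ev in rng["events"]:
                if "introduced" in ev:
                    lo = vkey(ev["introduced"])
                elif "fixed" in ev and lo is not None:
                    if lo <= v < vkey(ev["fixed"]):
                        return True, ev["fixed"]
                    lo = None
            if lo is not None and v >= lo:
                return True, None  # introduced with no fix event: still affected
    return False, None

def scan(packages, osv_cache):
    """One finding per (package, record) hit, shaped like the acceptance criteria ask."""
    findings = []
    for eco, name, ver in packages:
        for vuln in osv_cache:
            hit, fixed = affected_by(vuln, eco, name, ver)
            if hit:
                sev = (vuln.get("severity") or [{}])[0].get("score")
                findings.append({"id": vuln["id"], "package": purl(eco, name, ver),
                                 "installed": ver, "fixed": fixed, "severity": sev,
                                 "source": "OSV (local cache)"})
    return findings

def demo():
    packages = list(parse_package_lock(PACKAGE_LOCK_JSON)) + list(parse_requirements(REQUIREMENTS_TXT))
    return scan(packages, OSV_CACHE)

if __name__ == "__main__":
    for finding in demo():
        print(json.dumps(finding))
```

Two design points worth carrying into the real implementation: matching happens on canonical names (so `Acme_Parser` in requirements.txt meets `acme-parser` in the OSV record), and a range with an `introduced` event but no `fixed` event still counts as affected with `fixed` left empty, which is why the finding schema must allow a missing fixed version rather than defaulting it.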
References