Merge branch 'main' into readme-gitlab-fix

cmd/server/mcp.go

@@ -114,22 +114,7 @@ func startMcpServer() error {
 }
 
 func doRegisterDefaultTools(mcpSrv server.McpServer, driver mcp.Driver) error {
-	err := mcpSrv.RegisterTool(tools.NewPackageInsightsTool(driver))
-	if err != nil {
-		return fmt.Errorf("failed to register package insights tool: %w", err)
-	}
-
-	err = mcpSrv.RegisterTool(tools.NewPackageRegistryTool(driver))
-	if err != nil {
-		return fmt.Errorf("failed to register package registry tool: %w", err)
-	}
-
-	err = mcpSrv.RegisterTool(tools.NewPackageMalwareTool(driver))
-	if err != nil {
-		return fmt.Errorf("failed to register package malware tool: %w", err)
-	}
-
-	return nil
+	return tools.RegisterAll(mcpSrv, driver)
 }
 
 func doRegisterVetSQLQueryTool(mcpSrv server.McpServer) error {

go.mod

@@ -3,8 +3,8 @@ module github.com/safedep/vet
 go 1.24.3
 
 require (
-	buf.build/gen/go/safedep/api/grpc/go v1.5.1-20250610075857-7cfdb61a0bfa.2
-	buf.build/gen/go/safedep/api/protocolbuffers/go v1.36.6-20250705071048-7ad8e6be7c05.1
+	buf.build/gen/go/safedep/api/grpc/go v1.5.1-20250819072717-b69aa2c62a0d.2
+	buf.build/gen/go/safedep/api/protocolbuffers/go v1.36.8-20250819072717-b69aa2c62a0d.1
 	entgo.io/ent v0.14.4
 	github.com/AlecAivazis/survey/v2 v2.3.7
 	github.com/BurntSushi/toml v1.5.0
@@ -60,7 +60,7 @@ require (
 	golang.org/x/oauth2 v0.30.0
 	google.golang.org/genai v1.14.0
 	google.golang.org/grpc v1.72.2
-	google.golang.org/protobuf v1.36.6
+	google.golang.org/protobuf v1.36.8
 	gopkg.in/yaml.v2 v2.4.0
 )
 
@@ -68,7 +68,7 @@ require (
 	4d63.com/gocheckcompilerdirectives v1.3.0 // indirect
 	4d63.com/gochecknoglobals v0.2.2 // indirect
 	ariga.io/atlas v0.34.0 // indirect
-	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250425153114-8976f5be98c1.1 // indirect
+	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.8-20240508200655-46a4cf4ba109.1 // indirect
 	cel.dev/expr v0.24.0 // indirect
 	cloud.google.com/go v0.121.2 // indirect
 	cloud.google.com/go/auth v0.16.1 // indirect

go.sum

@@ -6,10 +6,16 @@ ariga.io/atlas v0.34.0 h1:4hdy+2x+xNs6Lx2anuJ/4Q7lCaqddbEj5CtRDVOBu0M=
 ariga.io/atlas v0.34.0/go.mod h1:WJesu2UCpGQvgUh3oVP94EiRT61nNy1W/VN5g+vqP1I=
 buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250425153114-8976f5be98c1.1 h1:YhMSc48s25kr7kv31Z8vf7sPUIq5YJva9z1mn/hAt0M=
 buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.6-20250425153114-8976f5be98c1.1/go.mod h1:avRlCjnFzl98VPaeCtJ24RrV/wwHFzB8sWXhj26+n/U=
+buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.8-20240508200655-46a4cf4ba109.1 h1:7JbSS7TE2PJR4d/qRtynipwLl/CBFoTB69pX7xlhcJM=
+buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.36.8-20240508200655-46a4cf4ba109.1/go.mod h1:8EQ5GzyGJQ5tEIwMSxCl8RKJYsjCpAwkdcENoioXT6g=
 buf.build/gen/go/safedep/api/grpc/go v1.5.1-20250610075857-7cfdb61a0bfa.2 h1:ENbt9SmU2gh4YhjcFqzceJRlg80hsD28M+Oon9l752A=
 buf.build/gen/go/safedep/api/grpc/go v1.5.1-20250610075857-7cfdb61a0bfa.2/go.mod h1:WDOWZglnweQ4njVEJpLYYpLMx9fD+e94KbKdt8oJrxY=
+buf.build/gen/go/safedep/api/grpc/go v1.5.1-20250819072717-b69aa2c62a0d.2 h1:A4enKVmVf69uVSG88POR59z5YE6dhATNLpL8+DmZtsg=
+buf.build/gen/go/safedep/api/grpc/go v1.5.1-20250819072717-b69aa2c62a0d.2/go.mod h1:Raps9oq+lWS0tdif5yUy8MS6UGc2pr6NMSrv3Jz4avM=
 buf.build/gen/go/safedep/api/protocolbuffers/go v1.36.6-20250705071048-7ad8e6be7c05.1 h1:4sM5O5dx0yUucJ1trjZ8Cm9IGX2loEc4cUyh3Xy+5eU=
 buf.build/gen/go/safedep/api/protocolbuffers/go v1.36.6-20250705071048-7ad8e6be7c05.1/go.mod h1:uR95GqsnNCRn6cTyRBte6uMJMm0rEBRxTGpakKCNL9I=
+buf.build/gen/go/safedep/api/protocolbuffers/go v1.36.8-20250819072717-b69aa2c62a0d.1 h1:fRdyfm5aiolcZmJuWPzbbI4cSYJlssvBZXi/BQUfMWc=
+buf.build/gen/go/safedep/api/protocolbuffers/go v1.36.8-20250819072717-b69aa2c62a0d.1/go.mod h1:Q5oZou54kSUyZHl4RSPY93qr3b1ssj3ZvdBAhRAdlJA=
 cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
 cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
@@ -2058,6 +2064,8 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
 google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

mcp/driver.go

@@ -167,14 +167,27 @@ func (d *defaultDriver) GetPackageVersionMalwareReport(ctx context.Context, pv *
 }
 
 func (d *defaultDriver) GetPackageVersionVulnerabilities(ctx context.Context, pv *packagev1.PackageVersion) ([]*vulnerabilityv1.Vulnerability, error) {
-	insight, err := d.getPackageVersionInsight(ctx, pv)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get package version insight: %w", err)
+	if pv == nil {
+		return nil, ErrInvalidParameters
 	}
 
-	return insight.GetVulnerabilities(), nil
+	res, err := d.insightsClient.GetPackageVersionVulnerabilities(ctx, &insightsv2.GetPackageVersionVulnerabilitiesRequest{
+		PackageVersion: pv,
+	})
+	if err != nil {
+		// Handle the case where the package version is not found. This is required otherwise
+		// LLMs hallucinates
+		if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound {
+			return nil, ErrPackageVersionInsightNotFound
+		}
+
+		return nil, fmt.Errorf("failed to get package version vulnerabilities: %w", err)
+	}
+
+	return res.GetVulnerabilities(), nil
 }
 
+
 func (d *defaultDriver) GetPackageVersionPopularity(ctx context.Context, pv *packagev1.PackageVersion) ([]*packagev1.ProjectInsight, error) {
 	insight, err := d.getPackageVersionInsight(ctx, pv)
 	if err != nil {

mcp/driver_test.go

@@ -31,6 +31,11 @@ func (m *mockInsightServiceClient) GetPackageVersionInsight(ctx context.Context,
 	return args.Get(0).(*insightsv2.GetPackageVersionInsightResponse), args.Error(1)
 }
 
+func (m *mockInsightServiceClient) GetPackageVersionVulnerabilities(ctx context.Context, req *insightsv2.GetPackageVersionVulnerabilitiesRequest, opts ...grpc.CallOption) (*insightsv2.GetPackageVersionVulnerabilitiesResponse, error) {
+	args := m.Called(ctx, req, opts)
+	return args.Get(0).(*insightsv2.GetPackageVersionVulnerabilitiesResponse), args.Error(1)
+}
+
 type mockMalwareAnalysisServiceClient struct {
 	mock.Mock
 }
@@ -60,6 +65,11 @@ func (m *mockMalwareAnalysisServiceClient) ListPackageAnalysisRecords(ctx contex
 	return args.Get(0).(*malysisv1.ListPackageAnalysisRecordsResponse), args.Error(1)
 }
 
+func (m *mockMalwareAnalysisServiceClient) InternalAgenticAnalyzePackage(ctx context.Context, req *malysisv1.InternalAgenticAnalyzePackageRequest, opts ...grpc.CallOption) (*malysisv1.InternalAgenticAnalyzePackageResponse, error) {
+	args := m.Called(ctx, req, opts)
+	return args.Get(0).(*malysisv1.InternalAgenticAnalyzePackageResponse), args.Error(1)
+}
+
 // Test helper functions
 func createTestPackageVersion() *packagev1.PackageVersion {
 	return &packagev1.PackageVersion{
@@ -198,20 +208,18 @@ func TestDefaultDriver_GetPackageVersionVulnerabilities(t *testing.T) {
 			name:           "successful vulnerabilities retrieval",
 			packageVersion: createTestPackageVersion(),
 			setupMock: func(m *mockInsightServiceClient) {
-				response := &insightsv2.GetPackageVersionInsightResponse{
-					Insight: &packagev1.PackageVersionInsight{
-						Vulnerabilities: []*vulnerabilityv1.Vulnerability{
-							{
-								Id: &vulnerabilityv1.VulnerabilityIdentifier{
-									Value: "CVE-2021-1234",
-								},
-								Summary: "Test vulnerability",
+				response := &insightsv2.GetPackageVersionVulnerabilitiesResponse{
+					Vulnerabilities: []*vulnerabilityv1.Vulnerability{
+						{
+							Id: &vulnerabilityv1.VulnerabilityIdentifier{
+								Value: "CVE-2021-1234",
 							},
+							Summary: "Test vulnerability",
 						},
 					},
 				}
-				m.On("GetPackageVersionInsight", mock.Anything,
-					mock.AnythingOfType("*insightsv2.GetPackageVersionInsightRequest"), mock.Anything).Return(response, nil)
+				m.On("GetPackageVersionVulnerabilities", mock.Anything,
+					mock.AnythingOfType("*insightsv2.GetPackageVersionVulnerabilitiesRequest"), mock.Anything).Return(response, nil)
 			},
 			expectedError: nil,
 			expectVulns:   true,
@@ -220,9 +228,9 @@ func TestDefaultDriver_GetPackageVersionVulnerabilities(t *testing.T) {
 			name:           "package version not found",
 			packageVersion: createTestPackageVersion(),
 			setupMock: func(m *mockInsightServiceClient) {
-				m.On("GetPackageVersionInsight", mock.Anything,
-					mock.AnythingOfType("*insightsv2.GetPackageVersionInsightRequest"), mock.Anything).
-					Return((*insightsv2.GetPackageVersionInsightResponse)(nil), status.Error(codes.NotFound, "not found"))
+				m.On("GetPackageVersionVulnerabilities", mock.Anything,
+					mock.AnythingOfType("*insightsv2.GetPackageVersionVulnerabilitiesRequest"), mock.Anything).
+					Return((*insightsv2.GetPackageVersionVulnerabilitiesResponse)(nil), status.Error(codes.NotFound, "not found"))
 			},
 			expectedError: ErrPackageVersionInsightNotFound,
 			expectVulns:   false,
@@ -231,11 +239,11 @@ func TestDefaultDriver_GetPackageVersionVulnerabilities(t *testing.T) {
 			name:           "grpc error",
 			packageVersion: createTestPackageVersion(),
 			setupMock: func(m *mockInsightServiceClient) {
-				m.On("GetPackageVersionInsight", mock.Anything,
-					mock.AnythingOfType("*insightsv2.GetPackageVersionInsightRequest"), mock.Anything).
-					Return((*insightsv2.GetPackageVersionInsightResponse)(nil), status.Error(codes.Internal, "internal error"))
+				m.On("GetPackageVersionVulnerabilities", mock.Anything,
+					mock.AnythingOfType("*insightsv2.GetPackageVersionVulnerabilitiesRequest"), mock.Anything).
+					Return((*insightsv2.GetPackageVersionVulnerabilitiesResponse)(nil), status.Error(codes.Internal, "internal error"))
 			},
-			expectedError: errors.New("failed to get package version insight"),
+			expectedError: errors.New("failed to get package version vulnerabilities"),
 			expectVulns:   false,
 		},
 	}
@@ -270,6 +278,8 @@ func TestDefaultDriver_GetPackageVersionVulnerabilities(t *testing.T) {
 	}
 }
 
+
+
 func TestDefaultDriver_GetPackageVersionPopularity(t *testing.T) {
 	tests := []struct {
 		name           string

mcp/tools/mock_driver.go

@@ -46,6 +46,7 @@ func (m *MockDriver) GetPackageVersionVulnerabilities(ctx context.Context, pv *p
 	return args.Get(0).([]*vulnerabilityv1.Vulnerability), args.Error(1)
 }
 
+
 func (m *MockDriver) GetPackageVersionPopularity(ctx context.Context, pv *packagev1.PackageVersion) ([]*packagev1.ProjectInsight, error) {
 	args := m.Called(ctx, pv)
 	if args.Get(0) == nil {

mcp/tools/tools_test.go

@@ -107,4 +107,5 @@ func TestRegisterAll_RegistryToolRegistrationFails(t *testing.T) {
 
 	// Verify expectations were met
 	mockServer.AssertExpectations(t)
-}
+}
+

pkg/scanner/enrich_malware_query_test.go

@@ -64,6 +64,15 @@ func (m *mockMalwareAnalysisServiceClient) ListPackageAnalysisRecords(
 	return args.Get(0).(*malysisv1.ListPackageAnalysisRecordsResponse), args.Error(1)
 }
 
+func (m *mockMalwareAnalysisServiceClient) InternalAgenticAnalyzePackage(
+	ctx context.Context,
+	in *malysisv1.InternalAgenticAnalyzePackageRequest,
+	opts ...grpc.CallOption,
+) (*malysisv1.InternalAgenticAnalyzePackageResponse, error) {
+	args := m.Called(ctx, in, opts)
+	return args.Get(0).(*malysisv1.InternalAgenticAnalyzePackageResponse), args.Error(1)
+}
+
 func TestMalysisMalwareAnalysisQueryEnricherEnrich(t *testing.T) {
 	testCases := []struct {
 		name          string