{
  "id": "dependency_vulnerability_scanner",
  "label": "Dependency & Vulnerability Scanner Canonical",
  "phase": "phase-08",
  "category": "security_governance",
  "status": "ACTIVE_DH_MIRROR",
  "purpose": "Define how DEVON-DEV checks packages, libraries, images and base systems for known vulnerability exposure before install, build, deploy, release promotion or operational reuse.",
  "function": "Prevent functional improvement from smuggling security debt into the platform by scanning npm, pip, composer, Docker images, container base packages, CVEs, obsolete versions, problematic licenses and untrusted package origins before FSM allows promotion.",
  "scanner_contract": {
    "requires_dependency_inventory": true,
    "requires_package_name": true,
    "requires_package_manager": true,
    "requires_version": true,
    "requires_source_origin": true,
    "requires_trusted_origin_state": true,
    "requires_scan_target_type": true,
    "requires_scan_timestamp": true,
    "requires_vulnerability_id": true,
    "requires_severity": true,
    "requires_fix_available_state": true,
    "requires_obsolete_version_state": true,
    "requires_license_signal": true,
    "requires_fsm_gate_result": true,
    "requires_human_approval_for_critical_override": true,
    "blocks_critical_vulnerability_without_approval": true,
    "blocks_unknown_origin_dependency": true,
    "blocks_unscanned_image_promotion": true,
    "blocks_unscanned_installation": true,
    "decision_authority": "NONE_FSM_DECIDES"
  },
  "scan_targets": [
    "npm_packages",
    "pip_packages",
    "composer_dependencies",
    "docker_images",
    "container_base_os_packages",
    "known_cves",
    "obsolete_versions",
    "problematic_license_signal",
    "untrusted_origin_package"
  ],
  "candidate_scanners_not_final_selection": [
    "Trivy",
    "Grype",
    "npm audit",
    "pip-audit",
    "composer audit",
    "safety",
    "OS package scanners",
    "image scanners"
  ],
  "technology_requirements": [
    {
      "technology": "Dependency Inventory Registry",
      "required_for": "Register package manager, package name, version, source origin, project scope, environment scope and scan target type before vulnerability checks can be trusted.",
      "required_by_phase": "phase-08",
      "required_by_category": "dependency_vulnerability_scanner",
      "required_by_buckets": [
        "Prerequisites",
        "Installation",
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until dependency inventory schema and package source records exist",
      "validation_command": "MISSING until dependency inventory can prove package_name, package_manager, version, source_origin, project_id and scan_target_type",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/dependency_vulnerability_scanner_canonical.json",
      "status_source": "Documentation Hub + future Dependency Inventory Registry + Artifact Registry + Execution Ledger Store",
      "blocking_if_missing": true,
      "failure_impact": "Without Dependency Inventory Registry, DEVON-DEV cannot know what it must scan, which project owns the dependency, where it came from or which promotion gate should evaluate it."
    },
    {
      "technology": "Scanner Adapter Registry",
      "required_for": "Select and route scanner execution without hardcoding a final scanner before material decision; supports package, image, OS package and language-specific scan adapters.",
      "required_by_phase": "phase-08",
      "required_by_category": "dependency_vulnerability_scanner",
      "required_by_buckets": [
        "Installation",
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until scanner adapter policy and supported target mapping exist",
      "validation_command": "MISSING until adapter registry can prove target_type, selected_adapter, scanner_version, command, output_format and scan result",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/dependency_vulnerability_scanner_canonical.json",
      "status_source": "Documentation Hub + future devon-vulnerability-scanner + Tool Registry + Execution Logs",
      "blocking_if_missing": true,
      "failure_impact": "Without Scanner Adapter Registry, scanner choice becomes ad hoc terminal behavior and DEVON-DEV cannot consistently evaluate npm, pip, composer, Docker image or OS package risk."
    },
    {
      "technology": "CVE / Advisory Matcher",
      "required_for": "Match dependency and image scan results against known CVEs, advisory severity, affected versions, fixed versions and exploit-relevant metadata.",
      "required_by_phase": "phase-08",
      "required_by_category": "dependency_vulnerability_scanner",
      "required_by_buckets": [
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until advisory source policy and vulnerability match records exist",
      "validation_command": "MISSING until vulnerability match can prove package, version, cve_or_advisory_id, severity, affected_range, fix_available and evidence_source",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/dependency_vulnerability_scanner_canonical.json",
      "status_source": "Documentation Hub + future Vulnerability Advisory Cache + Security Monitoring + Execution Ledger Store",
      "blocking_if_missing": true,
      "failure_impact": "Without CVE / Advisory Matcher, DEVON-DEV may run scanners but fail to convert package findings into enforceable risk decisions."
    },
    {
      "technology": "Image Vulnerability Scan",
      "required_for": "Scan Docker images and container base systems before image promotion, deployment gate review or production runtime acceptance.",
      "required_by_phase": "phase-08",
      "required_by_category": "dependency_vulnerability_scanner",
      "required_by_buckets": [
        "Installation",
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until image scan target and container image registry linkage exist",
      "validation_command": "MISSING until image scan can prove image_name, tag, digest, base_os, vulnerable_packages, severity, fix_available and promotion gate result",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/dependency_vulnerability_scanner_canonical.json",
      "status_source": "Documentation Hub + future Image Scanner + Container Image Registry & Build Pipeline + Production Deployment Gate",
      "blocking_if_missing": true,
      "failure_impact": "Without Image Vulnerability Scan, DEVON-DEV can promote a clean application build inside a compromised or obsolete container base."
    },
    {
      "technology": "Vulnerability Promotion Gate",
      "required_for": "Block install, build, deploy or promotion when critical vulnerabilities, unknown origin packages, unscanned images or unresolved high-risk findings are present.",
      "required_by_phase": "phase-08",
      "required_by_category": "dependency_vulnerability_scanner",
      "required_by_buckets": [
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until FSM gate integration and approval override path exist",
      "validation_command": "MISSING until promotion gate can prove scan_result, severity, block_reason, fsm_decision, approval_required and audit_record_id",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/dependency_vulnerability_scanner_canonical.json",
      "status_source": "Documentation Hub + future FSM Decision Core + Human Approval Service + Audit Trail Store",
      "blocking_if_missing": true,
      "failure_impact": "Without Vulnerability Promotion Gate, DEVON-DEV can detect critical vulnerabilities and still proceed because findings are not connected to execution blocking."
    }
  ],
  "depends_on": [
    "sec",
    "rbac_permissions",
    "secrets_management",
    "multi_project_isolation",
    "data_governance",
    "compliance_legal_guardrails",
    "license_third_party_governance",
    "container_image_registry_build_pipeline",
    "model_artifact_registry",
    "artifact_registry",
    "execution_ledger",
    "execution_logs",
    "audit_trail",
    "fsm_absolute_decision",
    "decision_rule_registry",
    "architecture_source_registry"
  ],
  "used_by": [
    "license_third_party_governance",
    "host_security",
    "app_security",
    "module_security",
    "runtime_security",
    "delivery_security",
    "security_monitoring",
    "production_deployment_gate",
    "container_image_registry_build_pipeline",
    "test_validation_runner",
    "future_execution_monitoring_panel"
  ]
}
