feat(pq): dependency-level PQ scanning (closes #221)

Cargo.toml

@@ -37,6 +37,7 @@ globset = "0.4"
 tempfile = "3"
 ratatui = "0.30"
 crossterm = "0.28"
+toml = "0.8"
 
 [[bin]]
 name = "foxguard-mcp"

src/app.rs

@@ -493,9 +493,23 @@ fn validate_rules_path(rules: Option<&str>) -> Result<(), String> {
 
 /// Returns `true` if the rule ID belongs to the PQ audit rule set.
 fn is_pq_rule_id(id: &str) -> bool {
-    id.contains("pq-vulnerable")
-        || id.contains("hardcoded-crypto-algorithm")
-        || (id.starts_with("config/") && id.contains("tls"))
+    matches!(
+        id,
+        "py/pq-vulnerable-crypto"
+            | "js/pq-vulnerable-crypto"
+            | "go/pq-vulnerable-crypto"
+            | "java/pq-vulnerable-crypto"
+            | "rs/pq-vulnerable-crypto"
+            | "config/nginx-pq-vulnerable-tls"
+            | "config/apache-pq-vulnerable-tls"
+            | "config/haproxy-pq-vulnerable-tls"
+            | "config/dockerfile-insecure-tls-env"
+            | "manifest/cargo-pq-vulnerable-dep"
+            | "manifest/pip-pq-vulnerable-dep"
+            | "py/hardcoded-crypto-algorithm"
+            | "js/hardcoded-crypto-algorithm"
+            | "java/hardcoded-crypto-algorithm"
+    )
 }
 
 fn collect_changed_targets(path: &str, changed: bool) -> Result<Option<Vec<PathBuf>>, String> {

src/baseline.rs

@@ -176,6 +176,7 @@ mod tests {
             tags: vec![],
             crypto_algorithm: None,
             cnsa2_deadline: None,
+            dep_name: None,
         }
     }
 

src/bin/gen_rules_ts.rs

@@ -29,6 +29,7 @@ const LANGUAGE_ORDER: &[Language] = &[
     Language::ApacheConf,
     Language::HAProxyConf,
     Language::Dockerfile,
+    Language::Manifest,
 ];
 
 fn language_slug(language: Language) -> &'static str {
@@ -47,6 +48,7 @@ fn language_slug(language: Language) -> &'static str {
         Language::ApacheConf => "apacheconf",
         Language::HAProxyConf => "haproxyconf",
         Language::Dockerfile => "dockerfile",
+        Language::Manifest => "manifest",
     }
 }
 
@@ -66,6 +68,7 @@ fn language_display_name(language: Language) -> &'static str {
         Language::ApacheConf => "Apache",
         Language::HAProxyConf => "HAProxy",
         Language::Dockerfile => "Dockerfile",
+        Language::Manifest => "Manifest",
     }
 }
 
@@ -85,6 +88,7 @@ fn language_array_name(language: Language) -> &'static str {
         Language::ApacheConf => "apacheconfRules",
         Language::HAProxyConf => "haproxyconfRules",
         Language::Dockerfile => "dockerfileRules",
+        Language::Manifest => "manifestRules",
     }
 }
 

src/compliance.rs

@@ -262,6 +262,7 @@ mod tests {
             tags: vec![],
             crypto_algorithm: None,
             cnsa2_deadline: deadline.map(String::from),
+            dep_name: None,
         }
     }
 

src/config.rs

@@ -1238,6 +1238,7 @@ mod tests {
             tags: vec![],
             crypto_algorithm: None,
             cnsa2_deadline: None,
+            dep_name: None,
         };
 
         let (config_path, added) =
@@ -1303,6 +1304,7 @@ mod tests {
             tags: vec![],
             crypto_algorithm: None,
             cnsa2_deadline: None,
+            dep_name: None,
         }
     }
 

src/diff.rs

@@ -289,6 +289,7 @@ mod tests {
             tags: vec![],
             crypto_algorithm: None,
             cnsa2_deadline: None,
+            dep_name: None,
         }
     }
 

src/engine/parser.rs

@@ -18,7 +18,8 @@ pub fn parse_file(source: &str, language: Language) -> Option<tree_sitter::Tree>
         Language::NginxConf
         | Language::ApacheConf
         | Language::HAProxyConf
-        | Language::Dockerfile => tree_sitter_bash::LANGUAGE.into(),
+        | Language::Dockerfile
+        | Language::Manifest => tree_sitter_bash::LANGUAGE.into(),
     };
 
     parser.set_language(&ts_language).ok()?;

src/engine/scanner.rs

@@ -116,6 +116,7 @@ fn detect_config_language(path: &Path) -> Option<Language> {
         "nginx.conf" => return Some(Language::NginxConf),
         "httpd.conf" | "apache2.conf" => return Some(Language::ApacheConf),
         "haproxy.cfg" => return Some(Language::HAProxyConf),
+        "Cargo.lock" | "requirements.txt" => return Some(Language::Manifest),
         _ => {}
     }
 
@@ -492,7 +493,8 @@ fn comment_markers(language: Language) -> &'static [&'static str] {
         Language::NginxConf
         | Language::ApacheConf
         | Language::HAProxyConf
-        | Language::Dockerfile => &["#"],
+        | Language::Dockerfile
+        | Language::Manifest => &["#"],
     }
 }
 

src/lib.rs

@@ -51,6 +51,7 @@ pub enum Language {
     ApacheConf,
     HAProxyConf,
     Dockerfile,
+    Manifest,
 }
 
 impl std::fmt::Display for Language {
@@ -70,6 +71,7 @@ impl std::fmt::Display for Language {
             Language::ApacheConf => write!(f, "apacheconf"),
             Language::HAProxyConf => write!(f, "haproxyconf"),
             Language::Dockerfile => write!(f, "dockerfile"),
+            Language::Manifest => write!(f, "manifest"),
         }
     }
 }
@@ -129,4 +131,8 @@ pub struct Finding {
     /// compliance module after scanning. `None` for non-crypto findings.
     #[serde(skip_serializing_if = "Option::is_none")]
     pub cnsa2_deadline: Option<String>,
+    /// Dependency name for manifest-level findings (e.g. "rustls", "paramiko").
+    /// `None` for source-level rules.
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub dep_name: Option<String>,
 }

src/report/cbom.rs

@@ -334,6 +334,7 @@ mod tests {
             tags: vec!["PQ".to_string()],
             crypto_algorithm: Some(algo.to_string()),
             cnsa2_deadline: None,
+            dep_name: None,
         }
     }
 
@@ -382,6 +383,7 @@ mod tests {
             tags: vec![],
             crypto_algorithm: None,
             cnsa2_deadline: None,
+            dep_name: None,
         }];
 
         let groups: BTreeMap<String, Vec<&Finding>> = findings

src/report/github_pr.rs

@@ -186,6 +186,7 @@ mod tests {
             tags: vec![],
             crypto_algorithm: None,
             cnsa2_deadline: None,
+            dep_name: None,
         }
     }
 

src/rules/common.rs

@@ -233,6 +233,7 @@ pub fn make_finding(
         tags: vec![],
         crypto_algorithm: None,
         cnsa2_deadline: None,
+        dep_name: None,
     }
 }
 
@@ -281,6 +282,7 @@ pub fn make_finding_from_offsets(
         tags: vec![],
         crypto_algorithm: None,
         cnsa2_deadline: None,
+        dep_name: None,
     }
 }
 

src/rules/go.rs

@@ -876,6 +876,7 @@ fn map_go_taint_findings(
             tags: vec![],
             crypto_algorithm: None,
             cnsa2_deadline: None,
+            dep_name: None,
         })
         .collect()
 }
@@ -1602,6 +1603,7 @@ pub fn run_go_taint_batched(
                 tags: vec![],
                 crypto_algorithm: None,
                 cnsa2_deadline: None,
+                dep_name: None,
             })
         })
         .collect()

src/rules/javascript.rs

@@ -1924,6 +1924,7 @@ fn map_js_taint_findings(
             tags: vec![],
             crypto_algorithm: None,
             cnsa2_deadline: None,
+            dep_name: None,
         })
         .collect()
 }
@@ -2931,6 +2932,7 @@ pub fn run_js_taint_batched(
                 tags: vec![],
                 crypto_algorithm: None,
                 cnsa2_deadline: None,
+                dep_name: None,
             })
         })
         .collect()

src/rules/kotlin.rs

@@ -1138,6 +1138,7 @@ fn run_kt_taint(
                     tags: vec![],
                     crypto_algorithm: None,
                     cnsa2_deadline: None,
+                    dep_name: None,
                 });
             }
         }