exploit-check.sh

#!/usr/bin/env bash

set -o errexit
set -o pipefail
set -o nounset

CSV_FILE="epss_scores-current.csv"
EPSS_URL="https://epss.cyentia.com/epss_scores-current.csv.gz"
EPSS_FILE="epss_scores-current.csv.gz"

KEV_URL="https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
KEV_FILE="known_exploited_vulnerabilities.json"

# ExploitDB CSV (index maintained in the ExploitDB repo)
EXPLOITDB_URL="https://gitlab.com/exploit-database/exploitdb/-/raw/main/files_exploits.csv"
EXPLOITDB_FILE="exploitdb_exploits.csv"

FULL_OUTPUT=0
PACKAGE_INFO=0

# ANSI colors
BOLD_PURPLE="\033[1;35m"
RESET="\033[0m"

# Severity colors
DARK_GREEN="\033[0;32m"
BOLD_DARK_GREEN="\033[1;32m"
YELLOW="\033[0;93m"
BOLD_YELLOW="\033[1;93m"
BOLD_ORANGE="\033[1;38;5;208m"
BOLD_RED="\033[1;31m"
# Extra colors
PINK="\033[1;35m"
BLUE="\033[1;34m"

# Helper: safe curl
curl_get() {
    local url="$1"
    local out="$2"
    if ! curl -sSL --fail -o "$out" "$url"; then
        return 1
    fi
}

update_epss() {
    echo -e "${BLUE}[*] Checking for updated EPSS data...${RESET}"
    if [ ! -f "$EPSS_FILE" ]; then
        echo "[+] No local EPSS file found. ❌ Downloading..."
        curl_get "$EPSS_URL" "$EPSS_FILE" || {
            echo "[!] Failed to download EPSS data"
            return 1
        }
    else
        echo -e "${BLUE}[*] File exists. Checking freshness...${RESET}"
        # -z option uses timestamp to download only if remote is newer
        if ! curl -sSL --fail -z "$EPSS_FILE" -o "$EPSS_FILE" "$EPSS_URL"; then
            echo "[!] Failed to update EPSS data"
            return 1
        fi
    fi

    echo -e "${BLUE}[*] Extracting CSV...${RESET}"
    if ! gunzip -c "$EPSS_FILE" > "$CSV_FILE"; then
        echo "[!] Extraction failed. Redownloading..."
        rm -f "$EPSS_FILE"
        curl_get "$EPSS_URL" "$EPSS_FILE" || {
            echo "[!] Failed to download EPSS data"
            return 1
        }
        gunzip -c "$EPSS_FILE" > "$CSV_FILE"
    fi
}

update_kev() {
    echo -e "${BLUE}[*] Updating KEV feed...${RESET}"
    curl_get "$KEV_URL" "$KEV_FILE" || {
        echo "[!] Failed to download KEV feed"
        return 1
    }
}

update_opa() {
    echo -e "${BLUE}[*] Updating OPA Gatakeeper...${RESET}"
    kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/release-3.13/deploy/gatekeeper.yaml || {
        echo "[!] Failed to install or Update OPA Gatakeeper"
        return 1
    }
}

# Helper: check for kubectl
require_kubectl() {
    if ! command -v kubectl >/dev/null 2>&1; then
        echo "[!] kubectl is not installed or not in PATH. Please install kubectl and try again."
        exit 2
    fi
}

# Enforce Gatekeeper ConstraintTemplate + Constraint (apply)
opa_enforce() {
    require_kubectl
    echo -e "${BLUE}[*] Applying Gatekeeper ConstraintTemplate...${RESET}"
    kubectl apply -f "https://raw.githubusercontent.com/ndouglas-cloudsmith/docker-testing/refs/heads/main/constrainttemplate.yaml" || {
        echo "[!] Failed to apply constrainttemplate.yaml"
        return 1
    }

    echo -e "${BLUE}[*] Applying Gatekeeper Constraint...${RESET}"
    kubectl apply -f "https://raw.githubusercontent.com/ndouglas-cloudsmith/docker-testing/refs/heads/main/constraint.yaml" || {
        echo "[!] Failed to apply constraint.yaml"
        return 1
    }

    echo -e "${BLUE}[+] OPA enforcement resources applied.${RESET}"
    return 0
}

# Disable (delete) Gatekeeper ConstraintTemplate + Constraint
opa_disable() {
    require_kubectl
    echo -e "${BLUE}[*] Deleting Gatekeeper Constraint...${RESET}"
    kubectl delete -f "https://raw.githubusercontent.com/ndouglas-cloudsmith/docker-testing/refs/heads/main/constraint.yaml" --ignore-not-found || {
        echo "[!] Failed to delete constraint.yaml (or returned non-zero)"
        # continue to attempt template removal
    }

    echo -e "${BLUE}[*] Deleting Gatekeeper ConstraintTemplate...${RESET}"
    kubectl delete -f "https://raw.githubusercontent.com/ndouglas-cloudsmith/docker-testing/refs/heads/main/constrainttemplate.yaml" --ignore-not-found || {
        echo "[!] Failed to delete constrainttemplate.yaml (or returned non-zero)"
        return 1
    }

    echo -e "${BLUE}[+] OPA enforcement resources removed (or were not present).${RESET}"
    return 0
}

update_exploitdb() {
    echo -e "${BLUE}[*] Downloading ExploitDB index (this is fairly large-ish)...${RESET}"
    if ! curl_get "$EXPLOITDB_URL" "$EXPLOITDB_FILE"; then
        echo "[!] Failed to download ExploitDB index"
        return 1
    fi
}

# Normalize, validate and return a comma-separated uppercase severity list.
# Usage: normalize_and_validate "low,High"
normalize_and_validate() {
    local input="$1"
    # drop spaces, uppercase
    input=$(echo "$input" | tr -d ' ' | tr '[:lower:]' '[:upper:]')

    # Allowed tokens
    local allowed="LOW MEDIUM HIGH CRITICAL"

    IFS=',' read -ra toks <<< "$input"
    local out=""
    for t in "${toks[@]}"; do
        if [ -z "$t" ]; then
            continue
        fi
        if ! echo "$allowed" | grep -w -q "$t"; then
            echo "[!] Invalid severity: $t. Allowed values: LOW,MEDIUM,HIGH,CRITICAL"
            exit 1
        fi
        # avoid duplicates keeping order
        if ! echo "$out" | grep -w -q "$t"; then
            if [ -z "$out" ]; then
                out="$t"
            else
                out="${out},$t"
            fi
        fi
    done

    if [ -z "$out" ]; then
        echo "[!] No valid severities provided"
        exit 1
    fi
    echo "$out"
}

# Helper: check for grype
require_grype() {
    if ! command -v grype >/dev/null 2>&1; then
        echo "[!] grype is not installed or not in PATH. Please install grype (https://github.com/anchore/grype) and try again."
        exit 2
    fi
}

# Input: comma-separated uppercase severities (e.g. "HIGH,CRITICAL")
# Output: single severity string suitable for grype's --fail-on: CRITICAL|HIGH|MEDIUM|LOW
pick_grype_fail_on() {
    local sev_list="$1"
    # ensure uppercase, remove spaces
    sev_list=$(echo "$sev_list" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    # priority: CRITICAL > HIGH > MEDIUM > LOW
    if echo "$sev_list" | grep -q "CRITICAL"; then
        echo "CRITICAL"
    elif echo "$sev_list" | grep -q "HIGH"; then
        echo "HIGH"
    elif echo "$sev_list" | grep -q "MEDIUM"; then
        echo "MEDIUM"
    else
        echo "LOW"
    fi
}

scan_image_grype() {
    local image_ref="$1"
    local severity_list="${2:-HIGH,CRITICAL}"

    # Normalize & validate severity using your existing function
    severity_list=$(normalize_and_validate "$severity_list") || exit 1

    # determine grype --fail-on severity (single token)
    local grype_fail_on
    grype_fail_on=$(pick_grype_fail_on "$severity_list")

    echo -e "${BLUE}[*] Scanning image with grype:${RESET} $image_ref (fail-on=$grype_fail_on)"

    require_grype

    grype "$image_ref" --fail-on "$grype_fail_on" --scope squashed
}

scan_image_trivy() {
    local image_ref="$1"
    local severity_list="${2:-HIGH,CRITICAL}" # default same as your kubernetes default

    # Normalize & validate severity via existing function
    severity_list=$(normalize_and_validate "$severity_list") || exit 1

    echo -e "${BLUE}[*] Scanning image with trivy:${RESET} $image_ref (severity=$severity_list)"

    trivy image --scanners vuln --severity "$severity_list" "$image_ref"
}

scan_namespace_polaris() {
    local namespace="$1"
    echo -e "${BLUE}[*] Running Polaris audit in namespace:${RESET} $namespace"
    if ! command -v polaris >/dev/null 2>&1; then
        echo "[!] polaris CLI not found. Please install Polaris: https://www.fairwinds.com/polaris"
        exit 1
    fi

    polaris audit --namespace="$namespace" --format=pretty
}

# Helper: check for trivy
require_trivy() {
    if ! command -v trivy >/dev/null 2>&1; then
        echo "[!] trivy is not installed or not in PATH. Please install trivy (https://github.com/aquasecurity/trivy) and try again."
        exit 2
    fi
}

# OSV: Fallback check against the OSSF malicious packages repo on GitHub.
# This can find records for malicious packages that have been removed
# and may no longer be returned by the OSV API's /query endpoint.
check_malicious_history_github() {
    local ecosystem="$1"
    local pkg_name="$2"

    if ! command -v jq >/dev/null 2>&1; then
        echo "[!] jq is required for the fallback check. Please install jq."
        return 1
    fi

    local lower_eco
    lower_eco=$(echo "$ecosystem" | tr '[:upper:]' '[:lower:]')

    echo
    echo -e "${BLUE}[*] Performing fallback check for historical malicious package records...${RESET}"

    local github_url="https://api.github.com/repos/ossf/malicious-packages/contents/osv/malicious/${lower_eco}/${pkg_name}"
    
    local resp_file
    resp_file=$(mktemp)
    local http_code
    # Ensure curl doesn't fail the script if it returns non-zero
    http_code=$(curl -sS -o "$resp_file" -w "%{http_code}" "$github_url" || true)

    if [ "$http_code" = "200" ]; then
        local gh_resp
        gh_resp=$(<"$resp_file")
        rm "$resp_file" # Clean up early
        if echo "$gh_resp" | jq -e '. | type == "array" and length > 0' >/dev/null 2>&1; then
            local mal_filename
            mal_filename=$(echo "$gh_resp" | jq -r '.[0].name // empty')

            if [[ "$mal_filename" == *.json ]]; then
                local mal_id
                mal_id="${mal_filename%.json}"
                echo -e "${BOLD_PURPLE}Found historical malicious package record:${RESET} ${BOLD_RED}$mal_id${RESET}"
                echo "[+] Querying details from OSV..."
                query_mal "$mal_id"
                return 0 # Success: record found and displayed
            else
                echo -e "${BOLD_PURPLE}Fallback Check:${RESET} Found a directory, but no valid malicious package JSON file."
            fi
        else
            echo -e "${BOLD_PURPLE}Fallback Check:${RESET} Directory found on GitHub, but it's empty or response is not an array."
        fi
    elif [ "$http_code" = "404" ]; then
        echo -e "${BOLD_PURPLE}Fallback Check:${RESET} No historical malicious package record found. ✅"
    elif [ "$http_code" = "403" ]; then
        echo -e "${BOLD_PURPLE}Fallback Check:${RESET} ${BOLD_YELLOW}GitHub API rate limit hit. Cannot perform fallback check. ❌${RESET}"
    else
        echo -e "${BOLD_PURPLE}Fallback Check:${RESET} ${BOLD_YELLOW}Failed to query GitHub API (HTTP status: ${http_code}). ❌${RESET}"
    fi
    
    # Ensure temp file is removed on all error paths
    if [ -f "$resp_file" ]; then
        rm "$resp_file"
    fi
    return 1 # Failure: no record found
}

# OSV: Query a malicious package ID (OSSF-MAL- or MAL-...)
query_mal() {
    local MAL_ID="$1"
    local resp
    echo -e "${BLUE}[*] Querying OSV for Malicious Package ID:${RESET} $MAL_ID ..."
    
    # Use curl_get logic directly here to ensure response is captured
    if resp=$(curl -sS "https://api.osv.dev/v1/vulns/$MAL_ID" || true); then
        if echo "$resp" | jq -e '.' >/dev/null 2>&1; then
            if echo "$resp" | jq -e 'has("error")' >/dev/null 2>&1; then
                echo -e "${BOLD_PURPLE}OSV/Malicious:${RESET} Not found or API error. ❌"
                return 1
            fi
            
            # --- Robustly extract data ---
            local summary
            summary=$(echo "$resp" | jq -r '.summary // empty') || true
            local details
            details=$(echo "$resp" | jq -r '.details // empty' | sed 's/\n/ /g' | sed 's/  */ /g') || true
            
            # 1. Try to extract from the top-level database_specific object (standard for new records)
            local malware_type
            malware_type=$(echo "$resp" | jq -r '.database_specific.malware_type // empty') || true
            local confidence
            confidence=$(echo "$resp" | jq -r '.database_specific.confidence // empty') || true

            # 2. If not found at the top level, search for the deeply nested structure (common in older MAL- records)
            if [ -z "$malware_type" ]; then
                malware_type=$(echo "$resp" | jq -r '.database_specific["malicious-packages-origins"][]?.malicious_package_version_info?.malicious_package_type // empty' | head -n1)
            fi
            if [ -z "$confidence" ]; then
                confidence=$(echo "$resp" | jq -r '.database_specific["malicious-packages-origins"][]?.malicious_package_version_info?.confidence // empty' | head -n1)
            fi
            
            # 3. If type is still missing, try to infer it from the details text
            if [ -z "$malware_type" ] || [ "$malware_type" = "null" ]; then
                local details_text
                # Lowercase for easier matching
                details_text=$(echo "$resp" | jq -r '.details // empty' | tr '[:upper:]' '[:lower:]')

                if [[ "$details_text" == *"communicates with a domain"* || "$details_text" == *"network traffic"* || "$details_text" == *"exfiltrates data"* ]]; then
                    malware_type="NETWORK_ACTIVITY"
                elif [[ "$details_text" == *"typosquat"* ]]; then
                    malware_type="TYPOSQUATTING"
                elif [[ "$details_text" == *"dependency confusion"* ]]; then
                    malware_type="DEPENDENCY_CONFUSION"
                elif [[ "$details_text" == *"downloads and executes"* || "$details_text" == *"remote code execution"* ]]; then
                    malware_type="EXECUTES_CODE"
                else
                    # If no specific pattern matches, set a default
                    malware_type="UNDEFINED" 
                fi
            fi
            
            # Sanitize and set fallback for display
            malware_type=$(echo "$malware_type" | tr '[:lower:]' '[:upper:]')
            malware_type=${malware_type:-N/A}
            local type_color="$RESET"
            case "$malware_type" in
                TYPOSQUATTING|DEPENDENCY_CONFUSION|BACKDOOR|INSTALLER_MALWARE|NETWORK_ACTIVITY) type_color="$BOLD_RED" ;;
                *) type_color="$YELLOW" ;;
            esac

            echo -e "${BOLD_PURPLE}MALICIOUS PACKAGE ID:${RESET} $MAL_ID"
            echo -e "${BOLD_PURPLE}Type:${RESET} ${type_color}$malware_type${RESET}"
            if [ -n "$summary" ]; then
                echo -e "${BOLD_PURPLE}Summary:${RESET} $summary"
            fi
            if [ -n "$details" ]; then
                echo -e "${BOLD_PURPLE}Details:${RESET} $details"
            fi

            # Affected packages
            echo
            echo -e "${PINK}Affected packages:${RESET}"
            # Capture the package name and ecosystem for the first affected package to check NPM/PyPI info
            local ECOSYSTEM
            ECOSYSTEM=$(echo "$resp" | jq -r '.affected[0].package.ecosystem // empty')
            local PKG_NAME
            PKG_NAME=$(echo "$resp" | jq -r '.affected[0].package.name // empty')

            echo "$resp" | jq -r '
                .affected[]? |
                "    - Ecosystem: \(.package.ecosystem // "N/A")",
                "      Package: \(.package.name // "N/A")",
                ""
            ' || true

            if [ "$(echo "$ECOSYSTEM" | tr '[:upper:]' '[:lower:]')" = "npm" ]; then
                npm_print_info "$PKG_NAME" || true
            elif [ "$(echo "$ECOSYSTEM" | tr '[:upper:]' '[:lower:]')" = "pypi" ]; then
                pypi_print_info "$PKG_NAME" || true 
            fi

            # References
            if echo "$resp" | jq -e '.references | length > 0' >/dev/null 2>&1; then
                echo -e "${PINK}References:${RESET}"
                echo "$resp" | jq -r '.references[] | "    - \(.type // "N/A"): \(.url // "N/A")"' || true
            fi

            return 0
        fi
    fi
    echo -e "${BOLD_PURPLE}OSV/Malicious:${RESET} Query failed or no JSON. ❌"
    return 1
}

# OSV: no download — use the API live when querying
query_osv() {
    local CVE_OR_ID="$1"
    local resp
    if resp=$(curl -sS "https://api.osv.dev/v1/vulns/$CVE_OR_ID" || true); then
        if echo "$resp" | jq -e '.' >/dev/null 2>&1; then
            if echo "$resp" | jq -e 'has("error")' >/dev/null 2>&1; then
                return 1
            fi
            echo -e "${BOLD_PURPLE}OSV:${RESET} Found — package ecosystem details (if any):"
            echo "$resp" | jq -r '
              .affected[]? |
              "  - Ecosystem: \(.package.ecosystem // "N/A")",
              "    Package: \(.package.name // "N/A")",
              "    Ranges: \((.ranges // []) | tostring)",
              "    Fixed: \((.versions // []) | tostring)",
              ""
            '


            local summary
            summary=$(echo "$resp" | jq -r '.summary // empty') || true
            if [ -n "$summary" ]; then
                echo -e "  Summary: $summary"
            fi
            return 0
        fi
    fi
    return 1
}

# Print PyPI package metadata nicely
pypi_print_info() {
    local pkg="$1"
    # require jq
    if ! command -v jq >/dev/null 2>&1; then
        echo "[!] jq is required to display PyPI package info. Install jq and retry."
        return 1
    fi

    local resp
    resp=$(curl -sS "https://pypi.org/pypi/${pkg}/json" || true)

    if [ -z "$resp" ]; then
        echo "[!] Failed to fetch PyPI metadata for: $pkg (network error)"
        return 1
    fi

    if echo "$resp" | jq -e '.message == "Not Found"' >/dev/null 2>&1; then
        echo
        echo -e "${BOLD_PURPLE}PyPI Package Info:${RESET}"
        echo -e "${BOLD_RED}Package does not exist${RESET}"
        echo
        return 0
    fi

    if ! echo "$resp" | jq -e '.' >/dev/null 2>&1; then
        echo "[!] PyPI response for ${pkg} was not valid JSON."
        return 1
    fi

    local name author home
    name=$(echo "$resp" | jq -r '.info.name // empty' | sed -e 's/^/ /')
    author=$(echo "$resp" | jq -r '.info.author // empty' | sed -e 's/^/ /')
    home=$(echo "$resp" | jq -r '.info.home_page // empty' | sed -e 's/^/ /')

    echo
    echo -e "${BOLD_PURPLE}PyPI Package Info:${RESET}"
    echo -e "${BOLD_PURPLE}Package Name: ${RESET}${name:-N/A}"
    echo -e "${BOLD_PURPLE}Package Author: ${RESET}${author:-N/A}"
    echo -e "${BOLD_PURPLE}Package Homepage: ${RESET}${home:-N/A}"
    echo

    echo -e "${BOLD_PURPLE}Supporting Links: ${RESET}"
    if echo "$resp" | jq -e '.info.project_urls != null and (.info.project_urls | length > 0)' >/dev/null 2>&1; then
        echo "$resp" | jq -r '.info.project_urls | to_entries | sort_by(.key)[] | "    \(.key): \(.value)"' || true
    else
        local homepage_url package_url project_url
        homepage_url=$(echo "$resp" | jq -r '.info.home_page // empty')
        package_url=$(echo "$resp" | jq -r '.info.package_url // empty')
        project_url=$(echo "$resp" | jq -r '.info.project_url // empty')
        [ -n "$homepage_url" ] && echo "    Home: $homepage_url"
        [ -n "$project_url" ] && echo "    Project: $project_url"
        [ -n "$package_url" ] && echo "    PyPI: $package_url"
        if [ -z "$homepage_url" ] && [ -z "$project_url" ] && [ -z "$package_url" ]; then
            echo "$resp" | jq -r '..|strings' | grep -E '\.com|\.io|\.org' | sed 's/[[:space:]]*$//' | sort -u | sed 's/^/  /' | head -n 20
        fi
    fi
    echo

    local signed
    signed=$(echo "$resp" | jq '[.releases[][]?.filename | select(endswith(".asc"))] | length')
    if [ "$signed" -gt 0 ]; then
        echo -e "signed: ${BOLD_DARK_GREEN}true${RESET}"
    else
        echo -e "signed: ${BOLD_RED}false${RESET}"
    fi
    echo

    return 0
}

# Print NPM package metadata nicely
npm_print_info() {
    local pkg="$1"
    if ! command -v jq >/dev/null 2>&1; then
        echo "[!] jq is required to display NPM package info. Install jq and retry."
        return 1
    fi

    local resp
    resp=$(curl -sS "https://registry.npmjs.org/${pkg}" || true)

    if [ -z "$resp" ]; then
        echo "[!] Failed to fetch NPM metadata for: $pkg (network error)"
        return 1
    fi

    if echo "$resp" | jq -e '.error == "Not found"' >/dev/null 2>&1; then
        echo
        echo -e "${BOLD_PURPLE}NPM Package Info:${RESET}"
        echo -e "${BOLD_RED}Package does not exist${RESET}"
        echo
        return 0
    fi

    if ! echo "$resp" | jq -e '.' >/dev/null 2>&1; then
        echo "[!] NPM response for ${pkg} was not valid JSON."
        return 1
    fi

    local latest_version
    latest_version=$(echo "$resp" | jq -r '."dist-tags".latest // empty')
    
    local latest_info
    if [ -n "$latest_version" ]; then
        latest_info=$(echo "$resp" | jq -c --arg v "$latest_version" '.versions[$v] // {}')
    else
        latest_info="{}"
    fi

    local name description author_name homepage license
    name=$(echo "$resp" | jq -r '.name // empty' | sed -e 's/^/ /')
    description=$(echo "$latest_info" | jq -r '.description // empty' | sed -e 's/^/ /')
    author_name=$(echo "$latest_info" | jq -r '(.author.name // .author // empty)' | sed -e 's/^/ /')
    homepage=$(echo "$latest_info" | jq -r '.homepage // empty' | sed -e 's/^/ /')
    license=$(echo "$latest_info" | jq -r '.license // empty' | sed -e 's/^/ /')

    echo
    echo -e "${BOLD_PURPLE}NPM Package Info:${RESET}"
    echo -e "${BOLD_PURPLE}Package Name: ${RESET}${name:-N/A}"
    echo -e "${BOLD_PURPLE}Latest Version: ${RESET}${latest_version:-N/A}"
    echo -e "${BOLD_PURPLE}Author/Publisher: ${RESET}${author_name:-N/A}"
    echo -e "${BOLD_PURPLE}License: ${RESET}${license:-N/A}"
    echo -e "${BOLD_PURPLE}Homepage: ${RESET}${homepage:-N/A}"
    echo -e "${BOLD_PURPLE}Description: ${RESET}${description:-N/A}"
    echo
    
    return 0
}

# Print Maven Central package metadata
maven_print_info() {
    local pkg="$1"
    if ! command -v jq >/dev/null 2>&1; then
        echo "[!] jq is required. Please install jq."
        return 1
    fi
    local url="https://search.maven.org/solrsearch/select?q=a%3A%22${pkg}%22&rows=1&wt=json"
    local resp
    resp=$(curl -sS "$url" || true)

    if [ -z "$resp" ]; then
        echo "[!] Failed to fetch Maven Central metadata for: $pkg (network error)"
        return 1
    fi

    local num_found
    num_found=$(echo "$resp" | jq -r '.response.numFound // 0')

    echo
    echo -e "${BOLD_PURPLE}Maven Central Package Info:${RESET}"

    if [ "$num_found" -eq 0 ]; then
        echo -e "${BOLD_RED}Package does not exist (by artifact ID '${pkg}')${RESET}"
    else
        echo "$resp" | jq -r '
            .response.docs[0] as $doc |
            "  Package ID: \($doc.id)\n" +
            "  Latest Version: \($doc.latestVersion)\n" +
            "  Repository ID: \($doc.repositoryId)"
        '
    fi
    echo
    return 0
}

# Print RubyGems package metadata
rubygems_print_info() {
    local pkg="$1"
    if ! command -v jq >/dev/null 2>&1; then
        echo "[!] jq is required. Please install jq."
        return 1
    fi
    local url="https://rubygems.org/api/v1/gems/${pkg}.json"
    local resp
    resp=$(curl -sS "$url" || true)

    echo
    echo -e "${BOLD_PURPLE}RubyGems Package Info:${RESET}"
    if ! echo "$resp" | jq -e '.' >/dev/null 2>&1; then
        echo -e "${BOLD_RED}Package does not exist${RESET}"
    else
        echo "$resp" | jq -r '
            "  Name: \(.name // "N/A")\n" +
            "  Latest Version: \(.version // "N/A")\n" +
            "  Info: \(.info // "N/A")\n" +
            "  Authors: \(.authors // "N/A")\n" +
            "  Homepage: \(.homepage_uri // "N/A")"
        '
    fi
    echo
    return 0
}

# Print Pub (Dart) package metadata
pub_print_info() {
    local pkg="$1"
    if ! command -v jq >/dev/null 2>&1; then
        echo "[!] jq is required. Please install jq."
        return 1
    fi
    local url="https://pub.dev/api/packages/${pkg}"
    local resp
    resp=$(curl -sS "$url" || true)

    echo
    echo -e "${BOLD_PURPLE}Pub (Dart) Package Info:${RESET}"
    if echo "$resp" | jq -e '.error' >/dev/null 2>&1; then
        echo -e "${BOLD_RED}Package does not exist${RESET}"
    else
        echo "$resp" | jq -r '
            "  Name: \(.name // "N/A")\n" +
            "  Latest Version: \(.latest.version // "N/A")\n" +
            "  Description: \(.latest.pubspec.description // "N/A")\n" +
            "  Homepage: \(.latest.pubspec.homepage // "N/A")"
        '
    fi
    echo
    return 0
}

# Print Debian package metadata
debian_print_info() {
    local pkg="$1"
    local http_code
    local url="https://sources.debian.org/api/src/${pkg}/"
    http_code=$(curl -sS -o /dev/null -w "%{http_code}" "$url" || true)

    echo
    echo -e "${BOLD_PURPLE}Debian Package Info:${RESET}"

    if [ "$http_code" = "404" ]; then
        echo -e "${BOLD_RED}Package does not exist in Debian sources${RESET}"
        echo
        return 0
    elif [ "$http_code" != "200" ]; then
        echo "[!] Failed to query Debian API for ${pkg} (HTTP status: ${http_code})"
        return 1
    fi
    
    local resp
    resp=$(curl -sS "$url" || true)
    echo "  Package: $(echo "$resp" | jq -r '.package // "N/A"')"
    echo "  Latest Version: $(echo "$resp" | jq -r '.versions[0].version // "N/A"')"
    echo
    return 0
}

# Check ConanCenter for package existence
conancenter_print_info() {
    local pkg="$1"
    local http_code
    local url="https://conan.io/center/recipes/${pkg}"
    http_code=$(curl -sS -o /dev/null -w "%{http_code}" "$url" || true)

    echo
    echo -e "${BOLD_PURPLE}Conan Center Package Info:${RESET}"

    if [ "$http_code" = "404" ]; then
        echo -e "${BOLD_RED}Package does not exist${RESET}"
    elif [[ "$http_code" =~ ^[23] ]]; then # 2xx or 3xx status
        echo "  Package: ${pkg}"
        echo "  Status: Found (HTTP ${http_code})"
        echo "  URL: ${url}"
    else
        echo -e "${BOLD_RED}Failed to query Conan Center (HTTP ${http_code})${RESET}"
    fi
    echo
    return 0
}

# Print Hex package metadata
hex_print_info() {
    local pkg="$1"
    if ! command -v jq >/dev/null 2>&1; then
        echo "[!] jq is required. Please install jq."
        return 1
    fi
    local url="https://hex.pm/api/packages/${pkg}"
    local http_code
    local resp_file
    resp_file=$(mktemp)
    
    http_code=$(curl -sS -o "$resp_file" -w "%{http_code}" "$url" || true)

    echo
    echo -e "${BOLD_PURPLE}Hex Package Info:${RESET}"

    if [ "$http_code" = "404" ]; then
        echo -e "${BOLD_RED}Package does not exist${RESET}"
    elif [ "$http_code" = "200" ]; then
        jq -r '
            "  Name: \(.name // "N/A")\n" +
            "  Latest Version: \(.releases[0].version // "N/A")\n" +
            "  Description: \(.meta.description // "N/A")\n" +
            "  Homepage: \((.meta.links | .Homepage) // "N/A")"
        ' "$resp_file"
    else
        echo -e "${BOLD_RED}Failed to query Hex API (HTTP ${http_code})${RESET}"
    fi
    
    rm "$resp_file"
    echo
    return 0
}

# Print Alpine Linux package metadata
alpine_print_info() {
    local pkg="$1"
    local eco_spec="$2"
    local branch
    
    if [[ "$eco_spec" == *":"* ]]; then
        branch="${eco_spec#*:}"
    else
        branch="edge"
    fi

    if ! command -v jq >/dev/null 2>&1; then
        echo "[!] jq is required. Please install jq."
        return 1
    fi
    local url="https://pkgs.alpinelinux.org/packages?name=${pkg}&branch=${branch}&_api=json"
    local resp
    resp=$(curl -sS "$url" || true)

    local result_count
    result_count=$(echo "$resp" | jq 'length')

    echo
    echo -e "${BOLD_PURPLE}Alpine Linux Package Info (Branch: ${branch}):${RESET}"
    
    if [ "$result_count" -eq 0 ]; then
        echo -e "${BOLD_RED}Package does not exist${RESET}"
    else
        echo "$resp" | jq -r '
            .[0] as $pkg |
            "  Name: \($pkg.package)\n" +
            "  Version: \($pkg.version)\n" +
            "  Repo: \($pkg.repo)\n" +
            "  Architecture: \($pkg.arch)"
        '
    fi
    echo
    return 0
}

query_exploitdb() {
    local CVE="$1"
    if [ ! -f "$EXPLOITDB_FILE" ]; then
        echo "[!] ExploitDB index missing. Run update first."
        return 2
    fi
    local matches
    matches=$(grep -i "$CVE" "$EXPLOITDB_FILE" || true)
    if [ -n "$matches" ]; then
        echo -e "${BOLD_PURPLE}ExploitDB:${RESET} Public exploit(s) / entries found:" 
        echo "$matches" | head -n 20 | awk -F',' '{
            id=$1; desc=$2;
            gsub(/^"|"$/, "", desc);
            print "  - ID:" id " | Link: https://www.exploit-db.com/exploits/" id " | Path: " desc
        }'
        if [ "$(echo "$matches" | wc -l)" -gt 20 ]; then
            echo "  ... (truncated)"
        fi
        return 0
    else
        echo -e "${BOLD_PURPLE}ExploitDB:${RESET} No public exploit entries found ❌"
        return 1
    fi
}

query_package() {
    local eco_spec="$1"
    local pkg_name="$2"
    local follow_cves="${3:-0}"

    if [ -z "$eco_spec" ] || [ -z "$pkg_name" ]; then
        echo "[!] query_package requires an ecosystem/source (or source:version) and a package name"
        return 2
    fi

    local ecosystem_token
    if [[ "$eco_spec" == *":"* ]]; then
        ecosystem_token="${eco_spec%%:*}"
    else
        ecosystem_token="$eco_spec"
    fi

    echo -e "${BLUE}[*]Querying OSV for package:${RESET} ecosystem/source=$eco_spec package=$pkg_name ..."

    local payload
    payload=$(cat <<EOF
{
  "package": {
    "ecosystem": "$(echo "$ecosystem_token" | tr '[:upper:]' '[:lower:]')",
    "name": "$pkg_name"
  }
}
EOF
)

    local resp
    resp=$(curl -sS -X POST -H "Content-Type: application/json" \
        -d "$payload" "https://api.osv.dev/v1/query" || true)

    if [ -z "$resp" ] || ! echo "$resp" | jq -e '.' >/dev/null 2>&1; then
        echo "[!] OSV query failed or returned invalid JSON."
        # Attempt fallback even if the primary query fails, as it might be a non-existent malicious pkg
        if check_malicious_history_github "$ecosystem_token" "$pkg_name"; then
            return 0 # Found and displayed by fallback
        fi
        return 1
    fi

    local vuln_count
    vuln_count=$(echo "$resp" | jq -r '.vulns | length // 0')
    if [ "$vuln_count" -eq 0 ]; then
        echo -e "${BOLD_PURPLE}OSV:${RESET} No active vulnerabilities found for $eco_spec/$pkg_name"
        # If no vulns found via API, try the fallback for historical malicious packages
        if check_malicious_history_github "$ecosystem_token" "$pkg_name"; then
            return 0 # Found and displayed by fallback, so we are done.
        fi
        # If fallback also finds nothing, continue to the normal "not found" output
    else
        echo -e "${BOLD_PURPLE}OSV:${RESET} Found $vuln_count vulnerability(ies) for $eco_spec/$pkg_name"
        echo "$resp" | jq -r '.vulns[] | "- ID: " + (.id // "N/A") + " | Summary: " + ((.summary // "") | gsub("\n"; " ")) + " | Aliases: " + ((.aliases // []) | join(", "))' || true
    fi

    local ids
    ids=$(echo "$resp" | jq -r '.vulns[]? | [(.id // "") ] + (.aliases // []) | .[]' | sort -u || true)

    if [ -n "$ids" ]; then
        echo
        echo -e "${BOLD_PURPLE}Mapped IDs:${RESET}"
        echo "$ids" | sed 's/^/  - /'
    else
        echo
        echo -e "${BOLD_PURPLE}Mapped IDs:${RESET} None found in OSV aliases for these records."
    fi

    if [ -f "$EXPLOITDB_FILE" ]; then
        echo
        echo -e "${BOLD_PURPLE}ExploitDB:${RESET} ${BLUE}Searching local index for package name / ecosystem / common name...${RESET}"
        local safe_pkg
        safe_pkg=$(printf '%s' "$pkg_name" | sed 's/[]\\$*.^|[]/\\&/g')
        grep -i -E "$safe_pkg" "$EXPLOITDB_FILE" | head -n 20 || true
    else
        echo "[!] ExploitDB index missing. Run update first to search ExploitDB locally."
    fi

    if [ "$follow_cves" -eq 1 ] && [ -n "$ids" ]; then
        echo
        echo -e "${BLUE}[*] Fetching detailed info for discovered CVEs (if any)...${RESET}"
        local old_package_info old_full_output
        old_package_info="$PACKAGE_INFO"
        old_full_output="$FULL_OUTPUT"
        PACKAGE_INFO=0
        FULL_OUTPUT=0
        while IFS= read -r id; do
            if [[ "$id" =~ ^CVE- ]]; then
                echo
                echo "=========================================="
                query_cve "$id" || true
            else
                echo -e "Note: ${PINK}Non-CVE identifier:${RESET} $id"
            fi
        done <<< "$ids"
        PACKAGE_INFO="$old_package_info"
        FULL_OUTPUT="$old_full_output"
    fi
}

query_ghsa() {
    local GHSA="$1"
    echo -e "${BLUE}[*] Querying OSV for GHSA:${RESET} $GHSA ..."
    local resp
    resp=$(curl -sS "https://api.osv.dev/v1/vulns/$GHSA" || true)
    if [ -z "$resp" ] || ! echo "$resp" | jq -e '.' >/dev/null 2>&1; then
        echo "[!] OSV query failed or returned no JSON for $GHSA"
        return 1
    fi
    if echo "$resp" | jq -e 'has("error")' >/dev/null 2>&1; then
        echo -e "${BOLD_PURPLE}OSV:${RESET} Not found for $GHSA"
        return 1
    fi

    echo -e "${BOLD_PURPLE}OSV:${RESET} Found advisory for $GHSA"
    local summary
    summary=$(echo "$resp" | jq -r '.summary // empty' || true)
    if [ -n "$summary" ]; then
        echo -e "${PINK}Summary:${RESET} $summary"
    fi

    echo
    echo -e "${PINK}Affected packages:${RESET}"
    echo "$resp" | jq -r '
      .affected[]? |
      "    - Ecosystem: \(.package.ecosystem // "N/A")",
      "      Package: \(.package.name // "N/A")",
      "      Ranges: \((.ranges // []) | tostring)",
      "      Fixed: \((.versions // []) | tostring)",
      ""
    ' || true

    local ids
    ids=$(echo "$resp" | jq -r '.aliases[]? // empty' | sort -u || true)
    if [ -n "$ids" ]; then
        echo
        echo -e "${PINK}Mapped identifiers:${RESET}" 
        echo "$ids" | sed 's/^/    - /'

        local cve_alias
        cve_alias=$(echo "$ids" | grep -E '^CVE-' | head -n1 || true)
        if [ -n "$cve_alias" ]; then
            echo
            echo "[*] GHSA maps to CVE: $cve_alias — running standard CVE query (EPSS/KEV/NVD/ExploitDB)"
            query_cve "$cve_alias"
            return 0
        else
            echo -e "${BLUE}[*]${RESET} No CVE alias present for this GHSA. ❌"
            return 0
        fi
    else
        echo -e "${BLUE}[*]${RESET} No aliases present for this GHSA. ❌"
        return 0
    fi
}

# Helper to print a single table row with color for the severity column
print_row() {
    local color="$1"
    local severity="$2"
    local cvss="$3"
    local epss="$4"
    local interp="$5"
    local action="$6"
    local ok="$7"

    printf "%b%-10s%b │ %-9s │ %-9s │ %-50s │ %-35s │ %-50s\n" \
        "$color" "$severity" "$RESET" "$cvss" "$epss" "$interp" "$action" "$ok"
}

print_table() {
    echo
    printf "${BOLD_PURPLE}%-10s │ %-9s │ %-9s │ %-50s │ %-35s │ %-50s${RESET}\n" \
        "CVE Severity" "CVSS" "EPSS" "Interpretation (short)" "Action" "When it’s OK to use"
    printf '─%.0s' {1..180}; echo

    print_row "$DARK_GREEN" "LOW         "     "0.1-3.9  "   "<10%" \
        "Low impact, unlikely to be exploited" \
        "Monitor only" \
        "Safe to use unless in regulated environments"

    print_row "$YELLOW"      "MEDIUM      " "4.0-6.9 "   "<10%" \
        "Moderate impact, low exploitability" \
        "Patch in next update cycle" \
        "OK to use if non-critical package"

    print_row "$BOLD_ORANGE" "HIGH        "   "≤6.9     "       "<5%" \
        "Mismatch severity & score: possible inflated label" \
        "Verify CVE detail; use with caution" \
        "OK if exploit is theoretical or not applicable in your setup"

    print_row "$BOLD_ORANGE" "HIGH        "   "7.0-8.9 "   ">30%" \
        "Serious issue with real-world exploit potential" \
        "Prioritise patching or mitigation" \
        "Use only if there’s no exposed vector in your deployment"

    print_row "$BOLD_RED"    "CRITICAL    " "9.0-10.0" ">50%" \
        "High-impact and high-likelihood of exploit" \
        "Patch immediately or block usage" \
        "Rarely OK to use — isolate or sandbox if unavoidable"

    print_row "$BOLD_RED"    "CRITICAL    " "9.0-10.0" "<50%" \
        "Dangerous in theory but unlikely to be exploited" \
        "Assess if attack vector applies" \
        "Use in internal-only or air-gapped environments"

    echo
}

query_cve() {
    local CVE="$1"

    if [ ! -f "$CSV_FILE" ]; then
        echo "[!] CSV file missing. Run update first."
        exit 1
    fi

    local RESULT
    RESULT=$(grep -m1 "^$CVE," "$CSV_FILE" || true)
    if [ -n "$RESULT" ]; then
        local cve epss_score percentile
        cve=$(echo "$RESULT" | awk -F',' '{gsub(/(^"|"$)/,"",$1); print $1}')
        epss_score=$(echo "$RESULT" | awk -F',' '{gsub(/(^"|"$)/,"",$2); print $2}')
        percentile=$(echo "$RESULT" | awk -F',' '{gsub(/(^"|"$)/,"",$3); print $3}')
        epss_score=${epss_score:-0}
        epss_score=$(echo "$epss_score" | tr -d '"' | tr -d ' ')

        local epss_percent
        epss_percent=$(awk -v s="$epss_score" 'BEGIN {if (s=="" || s=="NA") s=0; printf "%.2f", (s+0)*100 }')

        local epss_color epss_word
        if (( $(echo "$epss_percent <= 5" | bc -l) )); then
            epss_color="$BOLD_DARK_GREEN"
            epss_word="LOW"
        elif (( $(echo "$epss_percent > 5 && $epss_percent <= 20" | bc -l) )); then
            epss_color="$BOLD_YELLOW"
            epss_word="WARN"
        elif (( $(echo "$epss_percent > 20 && $epss_percent <= 80" | bc -l) )); then
            epss_color="$BOLD_ORANGE"
            epss_word="HIGH"
        else
            epss_color="$BOLD_RED"
            epss_word="CRITICAL"
        fi

        echo -e "${BOLD_PURPLE}CVE ID:${RESET} $cve"
        echo -e "${BOLD_PURPLE}EPSS Percentage:${RESET} ${epss_color}${epss_percent}% ($epss_word)${RESET}"
        echo -e "${BOLD_PURPLE}EPSS Score:${RESET} $epss_score"
        echo -e "${BOLD_PURPLE}EPSS Percentile:${RESET} $percentile"

        echo
        echo -e "${BOLD_PURPLE}EPSS Risk Legend:${RESET}"
        echo -e "  ${BOLD_DARK_GREEN}<5%     =  LOW${RESET}        (very low likelihood of exploitation)"
        echo -e "  ${BOLD_ORANGE}5–20%   =  WARN${RESET}       (acceptable level of exploitation risk)"
        echo -e "  ${BOLD_ORANGE}20–80%  =  HIGH${RESET}       (unacceptable level of exploitation risk)"   
        echo -e "  ${BOLD_RED}>80%    =  CRITICAL${RESET}   (critical risk of package being exploited)"
    else
        echo -e "${BOLD_PURPLE}CVE:${RESET} $CVE"
        echo -e "${BOLD_PURPLE}EPSS:${RESET} Not found"
    fi

    if [ -f "$KEV_FILE" ]; then
        local KEV_ENTRY
        KEV_ENTRY=$(jq -r --arg CVE "$CVE" '.vulnerabilities[] | select(.cveID==$CVE)' "$KEV_FILE" 2>/dev/null || true)
        if [ -z "$KEV_ENTRY" ]; then
            KEV_ENTRY=$(jq -r --arg CVE "$CVE" '.vulnerabilities[] | select(.cveID == $CVE or .cve == $CVE or .cveId == $CVE)' "$KEV_FILE" 2>/dev/null || true)
        fi

        if [ -n "$KEV_ENTRY" ]; then
            echo -e "${BOLD_PURPLE}KEV:${RESET} Known exploited ✅"
            if [ "$FULL_OUTPUT" -eq 1 ]; then
                echo "  Vendor: $(jq -r '.vendorProject' <<< "$KEV_ENTRY")"
                echo "  Product: $(jq -r '.product' <<< "$KEV_ENTRY")"
                echo "  Name: $(jq -r '.vulnerabilityName' <<< "$KEV_ENTRY")"
                echo "  Description: $(jq -r '.shortDescription' <<< "$KEV_ENTRY")"
                echo "  Date Added: $(jq -r '.dateAdded' <<< "$KEV_ENTRY")"
                echo "  Required Action: $(jq -r '.requiredAction' <<< "$KEV_ENTRY")"
                echo "  Due Date: $(jq -r '.dueDate' <<< "$KEV_ENTRY")"
                echo "  Known Ransomware Use: $(jq -r '.knownRansomwareCampaignUse' <<< "$KEV_ENTRY")"
                echo "  Notes: $(jq -r '.notes' <<< "$KEV_ENTRY")"
            fi
        else
            echo -e "${BOLD_PURPLE}KEV:${RESET} Not listed ❌"
        fi
    else
        echo "[!] KEV feed missing. Run update first."
    fi

    echo
    echo -e "${BLUE}[*] Fetching NVD data...${RESET}"
    curl -sSL "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=$CVE" \
| jq -r '
.vulnerabilities[].cve as $cve
| [
    "CVE: " + $cve.id,
    "Published: " + $cve.published,
    "Last Modified: " + $cve.lastModified,
    "Description: " + ($cve.descriptions[] | select(.lang=="en") | .value // "N/A"),
    "CVSS Score: " + ($cve.metrics.cvssMetricV31[0].cvssData.baseScore | tostring // "N/A"),
    "CVSS Severity: " + ($cve.metrics.cvssMetricV31[0].cvssData.baseSeverity // "N/A")
] | .[]' \
| while IFS= read -r line; do
    if [[ "$line" =~ CVSS\ Score:\ (null|N/A) ]]; then
        echo -e "${BOLD_PURPLE}CVSS Score:${RESET} ${BOLD_RED}No Score${RESET}"
    elif [[ "$line" =~ CVSS\ Score:\ ([0-9.]+) ]]; then
        local score="${BASH_REMATCH[1]}"
        local color
        if (( $(echo "$score >= 0.1 && $score <= 3.9" | bc -l) )); then
            color="$DARK_GREEN"
        elif (( $(echo "$score >= 4.0 && $score <= 6.9" | bc -l) )); then
            color="$YELLOW"
        elif (( $(echo "$score >= 7.0 && $score <= 8.9" | bc -l) )); then
            color="$BOLD_ORANGE"
        elif (( $(echo "$score >= 9.0 && $score <= 10.0" | bc -l) )); then
            color="$BOLD_RED"
        else
            color="$RESET"
        fi
        echo -e "${BOLD_PURPLE}CVSS Score:${RESET} ${color}$score${RESET}"
    elif [[ "$line" =~ CVSS\ Severity:\ (N|null|N/A) ]]; then
        echo -e "${BOLD_PURPLE}CVSS Severity:${RESET} ${BOLD_RED}No Score${RESET}"
    elif [[ "$line" =~ CVSS\ Severity:\ ([A-Z]+) ]]; then
        local severity="${BASH_REMATCH[1]}"
        local sev_color
        case "$severity" in
            LOW) sev_color="$DARK_GREEN" ;;
            MEDIUM) sev_color="$YELLOW" ;;
            HIGH) sev_color="$BOLD_ORANGE" ;;
            CRITICAL) sev_color="$BOLD_RED" ;;
            *) sev_color="$RESET" ;;
        esac
        echo -e "${BOLD_PURPLE}CVSS Severity:${RESET} ${sev_color}$severity${RESET}"
    elif [[ "$line" =~ ^(CVE|Published|Last\ Modified|Description): ]]; then
        local title="${BASH_REMATCH[1]}"
        local value="${line#*: }"
        echo -e "${BOLD_PURPLE}${title}:${RESET} $value"
    else
        echo "$line"
    fi
done

    echo
    echo -e "${BLUE}[*] Searching ExploitDB index for public exploit entries...${RESET}"
    query_exploitdb "$CVE" || true

    echo
    if [ "$PACKAGE_INFO" -eq 1 ]; then
        echo -e "${BLUE}[*]${RESET} Querying OSV.dev for package-level information..."
        if query_osv "$CVE"; then
            : # OSV printed info
        else
            echo -e "${BOLD_PURPLE}OSV:${RESET} Not present in OSV.dev or no package mapping found"
        fi
    fi
}

list_kevs() {
    if [ ! -f "$KEV_FILE" ]; then
        echo "[!] KEV feed missing. Run update first."
        exit 1
    fi
    if [ "$FULL_OUTPUT" -eq 1 ]; then
        jq -r '.vulnerabilities[] |
            "CVE: \(.cveID)\nVendor: \(.vendorProject)\nProduct: \(.product)\nName: \(.vulnerabilityName)\nDescription: \(.shortDescription)\nDate Added: \(.dateAdded)\nRequired Action: \(.requiredAction)\nDue Date: \(.dueDate)\n---"' \
            "$KEV_FILE"
    else
        jq -r '.vulnerabilities[] | .cveID' "$KEV_FILE"
    fi
}

usage() {
    echo -e "${BOLD_PURPLE}Usage:${RESET}"
    echo -e " ${BLUE}$0${RESET}  update                                                      # Download or update EPSS + KEV + ExploitDB datasets"
    echo -e " ${BLUE}$0${RESET}  query <CVE|GHSA|MAL-ID> [${BOLD_ORANGE}--full${RESET}] [${BOLD_ORANGE}--package-info${RESET}]           # Query an ID (e.g. CVE-2021-44228, GHSA-abcd-1234, or OSSF-MAL-2025-0001)"
    echo -e " ${BLUE}$0${RESET}  pkg <ecosystem> <package-name> [${BOLD_ORANGE}--follow-cves${RESET}]              # Query package from an upstream registry via OSV"
    echo -e " ${BLUE}$0${RESET}  scan image <image-ref> [${BOLD_ORANGE}--severity${RESET}] [${BOLD_ORANGE}--scanner${RESET}]             # Scan a single container image (optional scanners is Grype. Defaults to Trivy)"  
    echo -e " ${BLUE}$0${RESET}  kubernetes namespace <namespace> [${BOLD_ORANGE}--severity${RESET}] [${BOLD_ORANGE}--scanner${RESET}]   # List all in-use CVEs in a K8s namespace"
    echo -e " ${BLUE}$0${RESET}  images namespace <namespace> [${BOLD_ORANGE}--source${RESET}]                     # Scans for images currently in-use in a cluster. -A flag can be used for all namespaces"  
    echo -e " ${BLUE}$0${RESET}  polaris namespace <namespace>                               # Scans for misconfigurations of manifest/resources in a network namespace"  
    echo -e " ${BLUE}$0${RESET}  list [${BOLD_ORANGE}--full${RESET}]                                               # List all CVEs in the KEV catalog with details"
    echo -e " ${BLUE}$0${RESET}  opa <${BOLD_ORANGE}enforce${RESET}|disable>                                       # Apply or remove Gatekeeper ConstraintTemplate + Constraint"
    echo -e " ${BLUE}$0${RESET}  table                                                       # Print the interpretation/action table"
    echo -e " ${BLUE}$0${RESET}  ${BOLD_ORANGE}--help${RESET}                                                      # Show this help message"
    echo
    echo -e "${BOLD_PURPLE}Created by Nigel Douglas at Cloudsmith
${RESET}"
}

# --- Main Command Handler ---
case "${1:-}" in
    update)
        update_epss
        update_kev
        update_opa
        update_exploitdb
        ;;
    query)
        if [ -z "${2:-}" ]; then
            echo "[!] No ID specified."
            usage
            exit 1
        fi
        ID="$2"
        shift 2 || true
        while [ "$#" -gt 0 ]; do
            case "$1" in
                --full) FULL_OUTPUT=1 ;;
                --package-info) PACKAGE_INFO=1 ;;
                *) echo "[!] Unknown option: $1"; usage; exit 1 ;;
            esac
            shift || true
        done

        if [[ "$ID" =~ ^CVE- ]]; then
            query_cve "$ID"
        elif [[ "$ID" =~ ^GHSA- ]]; then
            query_ghsa "$ID"
        elif [[ "$ID" =~ ^(OSSF-)?MAL- ]]; then 
            query_mal "$ID"
        else
            if query_osv "$ID"; then
                echo -e "${BLUE}[*]${RESET} OSV returned data for $ID but no specific query was requested."
            else
                echo "[!] Unknown identifier or not found: $ID"
            fi
        fi
        ;;
    scan)
        if [ "${2:-}" = "image" ] && [ -n "${3:-}" ]; then
            IMG="$3"
            SEVERITIES="HIGH,CRITICAL"
            SCANNER="trivy"
            shift 3 || true
            while [ "$#" -gt 0 ]; do
                case "$1" in
                    --severity)
                        if [ -n "${2:-}" ]; then SEVERITY_INPUT="$2"; shift 2 || true;
                        else echo "[!] --severity requires an argument"; exit 1; fi ;;
                    --severity=*) SEVERITY_INPUT="${1#*=}"; shift || true ;;
                    --scanner)
                        if [ -n "${2:-}" ]; then SCANNER_INPUT="$2"; shift 2 || true;
                        else echo "[!] --scanner requires an argument"; exit 1; fi ;;
                    --scanner=*) SCANNER_INPUT="${1#*=}"; shift || true ;;
                    *) echo "[!] Unknown option: $1"; usage; exit 1 ;;
                esac
            done

            if [ -n "${SEVERITY_INPUT:-}" ]; then
                SEVERITIES=$(normalize_and_validate "$SEVERITY_INPUT")
            fi
            if [ -n "${SCANNER_INPUT:-}" ]; then
                SCANNER=$(echo "$SCANNER_INPUT" | tr '[:upper:]' '[:lower:]')
                case "$SCANNER" in
                    trivy|grype) ;;
                    *) echo "[!] Invalid scanner: $SCANNER. Allowed: trivy, grype"; exit 1 ;;
                esac
            fi

            if [ "$SCANNER" = "grype" ]; then
                scan_image_grype "$IMG" "$SEVERITIES"
            else
                scan_image_trivy "$IMG" "$SEVERITIES"
            fi
            exit $?
        else
            echo "[!] Usage: $0 scan image <image-ref> [--severity <...>] [--scanner <...>]"
            exit 1
        fi
        ;;
    pkg)
        if [ -z "${2:-}" ] || [ -z "${3:-}" ]; then
            echo "[!] pkg requires ecosystem and package name."
            usage
            exit 1
        fi
        PKG_ECOSYSTEM="$2"
        PKG_NAME="$3"
        shift 3 || true

        FOLLOW=0
        while [ "$#" -gt 0 ]; do
            case "$1" in
                --follow-cves) FOLLOW=1 ;;
                *) echo "[!] Unknown option: $1"; usage; exit 1 ;;
            esac
            shift || true
        done

        # FIX: Removed 'local' as it's not in a function scope.
        lower_eco=$(echo "$PKG_ECOSYSTEM" | tr '[:upper:]' '[:lower:]')

        if [ "$lower_eco" = "pypi" ]; then
            pypi_print_info "$PKG_NAME" || true
        elif [ "$lower_eco" = "npm" ]; then
            npm_print_info "$PKG_NAME" || true
        elif [ "$lower_eco" = "maven" ]; then
            maven_print_info "$PKG_NAME" || true
        elif [ "$lower_eco" = "rubygems" ]; then
            rubygems_print_info "$PKG_NAME" || true
        elif [ "$lower_eco" = "pub" ]; then
            pub_print_info "$PKG_NAME" || true
        elif [[ "$lower_eco" == debian* ]]; then
            debian_print_info "$PKG_NAME" || true
        elif [ "$lower_eco" = "conancenter" ]; then
            conancenter_print_info "$PKG_NAME" || true
        elif [ "$lower_eco" = "hex" ]; then
            hex_print_info "$PKG_NAME" || true
        elif [[ "$lower_eco" == alpine* ]]; then
            alpine_print_info "$PKG_NAME" "$PKG_ECOSYSTEM" || true
        fi

        query_package "$PKG_ECOSYSTEM" "$PKG_NAME" "$FOLLOW"
        ;;
    list)
        if [[ "${2:-}" == "--full" ]]; then
            FULL_OUTPUT=1
        fi
        list_kevs
        ;;
    table)
        print_table
        ;;
    opa)
        if [ "${2:-}" = "enforce" ]; then
            opa_enforce
        elif [ "${2:-}" = "disable" ]; then
            opa_disable
        else
            echo "[!] Usage: $0 opa <enforce|disable>"
            exit 1
        fi
        ;;  
    polaris)
        if [ "${2:-}" = "namespace" ] && [ -n "${3:-}" ]; then
            scan_namespace_polaris "$3"
        else
            echo "[!] Usage: $0 polaris namespace <namespace>"
            exit 1
        fi
        ;;  
    images)
        if [ "${2:-}" = "namespace" ] && [ -n "${3:-}" ]; then
            NAMESPACE="$3"
            FILTER=""
            FILTER_VALUE=""
            TAGS=""
            shift 3 || true

            while [ "$#" -gt 0 ]; do
                case "$1" in
                    --source)
                        if [ -n "${2:-}" ]; then FILTER="--source"; FILTER_VALUE="$2"; shift 2 || true;
                        else echo "[!] --source requires an argument"; exit 1; fi ;;
                    --source=*) FILTER="--source"; FILTER_VALUE="${1#*=}"; shift || true ;;
                    --tags)
                        if [ -n "${2:-}" ]; then TAGS="$2"; shift 2 || true;
                        else echo "[!] --tags requires an argument"; exit 1; fi ;;
                    --tags=*) TAGS="${1#*=}"; shift || true ;;
                    *) echo "[!] Unknown option: $1"; usage; exit 1 ;;
                esac
            done

            if [ "$NAMESPACE" = "-A" ]; then
                CMD="kubectl get pods -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,IMAGES:.spec.containers[*].image'"
            else
                CMD="kubectl get pods -n $NAMESPACE -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,IMAGES:.spec.containers[*].image'"
            fi

            echo -e "${BLUE}[*] Listing images in namespace:${RESET} $NAMESPACE"
            
            # This logic is complex and can be simplified, but preserving original for now
            # The gist is to apply filters if they exist
            # This could be refactored into a cleaner pipeline
            
            # Initial command output
            OUTPUT=$(eval "$CMD")
            
            # Filter by source if provided
            if [ -n "$FILTER_VALUE" ]; then
                OUTPUT=$(echo "$OUTPUT" | awk -v filter="$FILTER_VALUE" 'NR==1 {print; next} $0 ~ filter')
            fi
            
            # Filter by tags if provided
            if [ -n "$TAGS" ]; then
                TAG_REGEX=$(echo "$TAGS" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | tr ',' '|')
                OUTPUT=$(echo "$OUTPUT" | awk -v regex=":$TAG_REGEX" 'BEGIN{IGNORECASE=1} NR==1 {print; next} $0 ~ regex')
            fi
            
            echo "$OUTPUT"

        else
            echo "[!] Usage: $0 images namespace <namespace-name|-A> [--source <filter>] [--tags <tag1,tag2>]"
            exit 1
        fi
        ;;
    kubernetes)
        if [ "${2:-}" = "namespace" ] && [ -n "${3:-}" ]; then
            NAMESPACE="$3"
            SEVERITIES="HIGH,CRITICAL"
            SCANNER="trivy"
            shift 3 || true

            while [ "$#" -gt 0 ]; do
                case "$1" in
                    --severity)
                        if [ -n "${2:-}" ]; then SEVERITY_INPUT="$2"; shift 2 || true;
                        else echo "[!] --severity requires an argument"; exit 1; fi ;;
                    --severity=*) SEVERITY_INPUT="${1#*=}"; shift || true ;;
                    --scanner)
                        if [ -n "${2:-}" ]; then SCANNER_INPUT="$2"; shift 2 || true;
                        else echo "[!] --scanner requires an argument"; exit 1; fi ;;
                    --scanner=*) SCANNER_INPUT="${1#*=}"; shift || true ;;
                    *) echo "[!] Unknown option: $1"; usage; exit 1 ;;
                esac
            done

            if [ -n "${SEVERITY_INPUT:-}" ]; then
                SEVERITIES=$(normalize_and_validate "$SEVERITY_INPUT")
            fi
            if [ -n "${SCANNER_INPUT:-}" ]; then
                SCANNER=$(echo "$SCANNER_INPUT" | tr '[:upper:]' '[:lower:]')
                case "$SCANNER" in
                    trivy|grype) ;;
                    *) echo "[!] Invalid scanner: $SCANNER. Allowed: trivy, grype"; exit 1 ;;
                esac
            fi

            echo -e "${BLUE}[*] Retrieving images from namespace:${RESET} $NAMESPACE"
            IMAGES=$(kubectl get pods -n "$NAMESPACE" -o jsonpath='{.items[*].spec.containers[*].image}' | tr ' ' '\n' | sort -u)

            if [ -z "$IMAGES" ]; then
                echo "[!] No images found in namespace: $NAMESPACE"
                exit 1
            fi

            for img in $IMAGES; do
                echo
                echo "=== Scanning $img (severity=$SEVERITIES) ==="
                if [ "$SCANNER" = "grype" ]; then
                    scan_image_grype "$img" "$SEVERITIES"
                else
                    scan_image_trivy "$img" "$SEVERITIES"
                fi
            done
        else
            echo "[!] Usage: $0 kubernetes namespace <namespace-name> [--severity <...>] [--scanner <...>]"
            exit 1
        fi
        ;;
    --help|-h)
        usage
        ;;
    *)
        usage
        ;;
esac