feat: add security sink detection patterns for JavaScript/TypeScript

- Introduced `sink-detect.js` with various security sink detection patterns categorized by type (e.g., command injection, SQL injection, file operations).
- Implemented functions to build a lookup map for fast sink detection and to match sink calls against known patterns.
- Added `package-lock.json` for dependency management.

src/Scanner/__Libraries/StellaOps.Scanner.Evidence/Models/EvidenceBundle.cs

@@ -33,6 +33,12 @@ public sealed record EvidenceBundle
     /// EPSS evidence.
     /// </summary>
     public EpssEvidence? Epss { get; init; }
+
+    /// <summary>
+    /// Version comparison evidence for backport explainability.
+    /// Shows which comparator was used and why a package is considered fixed/vulnerable.
+    /// </summary>
+    public VersionComparisonEvidence? VersionComparison { get; init; }
 }
 
 /// <summary>

src/Scanner/__Libraries/StellaOps.Scanner.Evidence/Models/VersionComparisonEvidence.cs

@@ -0,0 +1,79 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+// Sprint: SPRINT_4000_0002_0001
+// Task: T1 - Extend Findings API Response with version comparison metadata
+
+using System.Collections.Immutable;
+using System.Text.Json.Serialization;
+
+namespace StellaOps.Scanner.Evidence.Models;
+
+/// <summary>
+/// Evidence of version comparison used to determine vulnerability status.
+/// Provides explainability for backport detection logic.
+/// </summary>
+public sealed record VersionComparisonEvidence
+{
+    /// <summary>
+    /// Comparator algorithm used (rpm-evr, dpkg, apk, semver).
+    /// </summary>
+    [JsonPropertyName("comparator")]
+    public required string Comparator { get; init; }
+
+    /// <summary>
+    /// Installed version in native format.
+    /// </summary>
+    [JsonPropertyName("installedVersion")]
+    public required string InstalledVersion { get; init; }
+
+    /// <summary>
+    /// Fixed version threshold from advisory.
+    /// </summary>
+    [JsonPropertyName("fixedVersion")]
+    public required string FixedVersion { get; init; }
+
+    /// <summary>
+    /// Whether the installed version is >= fixed.
+    /// </summary>
+    [JsonPropertyName("isFixed")]
+    public required bool IsFixed { get; init; }
+
+    /// <summary>
+    /// Human-readable proof lines showing comparison steps.
+    /// </summary>
+    [JsonPropertyName("proofLines")]
+    public ImmutableArray<string> ProofLines { get; init; } = [];
+
+    /// <summary>
+    /// Advisory source (DSA-1234, RHSA-2025:1234, USN-1234-1).
+    /// </summary>
+    [JsonPropertyName("advisorySource")]
+    public string? AdvisorySource { get; init; }
+
+    /// <summary>
+    /// Creates VersionComparisonEvidence from a version comparison result.
+    /// </summary>
+    /// <param name="comparator">The comparator type identifier.</param>
+    /// <param name="installedVersion">The installed version string.</param>
+    /// <param name="fixedVersion">The fixed version threshold.</param>
+    /// <param name="comparisonResult">The comparison result (negative if installed < fixed).</param>
+    /// <param name="proofLines">Human-readable comparison steps.</param>
+    /// <param name="advisorySource">Optional advisory identifier.</param>
+    public static VersionComparisonEvidence Create(
+        string comparator,
+        string installedVersion,
+        string fixedVersion,
+        int comparisonResult,
+        ImmutableArray<string> proofLines,
+        string? advisorySource = null)
+    {
+        return new VersionComparisonEvidence
+        {
+            Comparator = comparator,
+            InstalledVersion = installedVersion,
+            FixedVersion = fixedVersion,
+            IsFixed = comparisonResult >= 0, // installed >= fixed means fixed
+            ProofLines = proofLines,
+            AdvisorySource = advisorySource
+        };
+    }
+}