@bryan-thompson/inspector-assessment 1.42.3 → 1.43.1
- package/README.md +9 -8
- package/cli/build/lib/assessment-runner/tools-with-hints.js +13 -0
- package/cli/package.json +1 -1
- package/client/dist/assets/{OAuthCallback-H5nh9rjO.js → OAuthCallback-ngu_aFUO.js} +1 -1
- package/client/dist/assets/{OAuthDebugCallback-Drqf42qG.js → OAuthDebugCallback-CsGYu8op.js} +1 -1
- package/client/dist/assets/{index-nFJkXyWc.js → index-97IA_LWd.js} +4 -4
- package/client/dist/index.html +1 -1
- package/client/lib/lib/assessment/configSchemas.d.ts +10 -0
- package/client/lib/lib/assessment/configSchemas.d.ts.map +1 -1
- package/client/lib/lib/assessment/configSchemas.js +1 -0
- package/client/lib/lib/assessment/configTypes.d.ts +1 -0
- package/client/lib/lib/assessment/configTypes.d.ts.map +1 -1
- package/client/lib/lib/assessment/configTypes.js +1 -0
- package/client/lib/lib/assessment/dependencyVulnerabilityTypes.d.ts +227 -0
- package/client/lib/lib/assessment/dependencyVulnerabilityTypes.d.ts.map +1 -0
- package/client/lib/lib/assessment/dependencyVulnerabilityTypes.js +9 -0
- package/client/lib/lib/assessment/extendedTypes.d.ts +1 -0
- package/client/lib/lib/assessment/extendedTypes.d.ts.map +1 -1
- package/client/lib/lib/assessment/extendedTypes.js +1 -0
- package/client/lib/lib/assessment/index.d.ts +1 -0
- package/client/lib/lib/assessment/index.d.ts.map +1 -1
- package/client/lib/lib/assessment/index.js +1 -0
- package/client/lib/lib/assessment/resultTypes.d.ts +13 -1
- package/client/lib/lib/assessment/resultTypes.d.ts.map +1 -1
- package/client/lib/lib/assessment/toolAnnotationTypes.d.ts +34 -0
- package/client/lib/lib/assessment/toolAnnotationTypes.d.ts.map +1 -1
- package/client/lib/services/assessment/helpers/RuntimeAnnotationVerifier.d.ts +28 -0
- package/client/lib/services/assessment/helpers/RuntimeAnnotationVerifier.d.ts.map +1 -0
- package/client/lib/services/assessment/helpers/RuntimeAnnotationVerifier.js +149 -0
- package/client/lib/services/assessment/helpers/StaticAnnotationScanner.d.ts +137 -0
- package/client/lib/services/assessment/helpers/StaticAnnotationScanner.d.ts.map +1 -0
- package/client/lib/services/assessment/helpers/StaticAnnotationScanner.js +345 -0
- package/client/lib/services/assessment/modules/DependencyVulnerabilityAssessor.d.ts +89 -0
- package/client/lib/services/assessment/modules/DependencyVulnerabilityAssessor.d.ts.map +1 -0
- package/client/lib/services/assessment/modules/DependencyVulnerabilityAssessor.js +527 -0
- package/client/lib/services/assessment/modules/DeveloperExperienceAssessor.d.ts +17 -6
- package/client/lib/services/assessment/modules/DeveloperExperienceAssessor.d.ts.map +1 -1
- package/client/lib/services/assessment/modules/DeveloperExperienceAssessor.js +86 -27
- package/client/lib/services/assessment/modules/ManifestValidationAssessor.d.ts +6 -0
- package/client/lib/services/assessment/modules/ManifestValidationAssessor.d.ts.map +1 -1
- package/client/lib/services/assessment/modules/ManifestValidationAssessor.js +38 -0
- package/client/lib/services/assessment/modules/ToolAnnotationAssessor.d.ts.map +1 -1
- package/client/lib/services/assessment/modules/ToolAnnotationAssessor.js +28 -1
- package/client/lib/services/assessment/modules/annotations/AlignmentChecker.d.ts +7 -1
- package/client/lib/services/assessment/modules/annotations/AlignmentChecker.d.ts.map +1 -1
- package/client/lib/services/assessment/modules/annotations/AlignmentChecker.js +27 -3
- package/client/lib/services/assessment/registry/AssessorDefinitions.d.ts.map +1 -1
- package/client/lib/services/assessment/registry/AssessorDefinitions.js +27 -1
- package/client/lib/services/assessment/registry/estimators.d.ts +4 -0
- package/client/lib/services/assessment/registry/estimators.d.ts.map +1 -1
- package/client/lib/services/assessment/registry/estimators.js +5 -0
- package/client/package.json +1 -1
- package/package.json +3 -1
- package/server/package.json +1 -1
package/README.md
CHANGED
|
@@ -93,7 +93,7 @@ For complete CLI documentation, see [CLI Assessment Guide](docs/CLI_ASSESSMENT_G
|
|
|
93
93
|
|
|
94
94
|
---
|
|
95
95
|
|
|
96
|
-
## Assessment Modules (
|
|
96
|
+
## Assessment Modules (19 Total: 16 Active + 3 Opt-In)
|
|
97
97
|
|
|
98
98
|
### Active Modules (16)
|
|
99
99
|
|
|
@@ -118,12 +118,13 @@ For complete CLI documentation, see [CLI Assessment Guide](docs/CLI_ASSESSMENT_G
|
|
|
118
118
|
|
|
119
119
|
> **v1.25.2+**: Protocol Compliance is a unified module combining MCP Spec Compliance and Protocol Conformance. See [CLI Guide](docs/CLI_ASSESSMENT_GUIDE.md) for details.
|
|
120
120
|
|
|
121
|
-
### Opt-In Modules (
|
|
121
|
+
### Opt-In Modules (3)
|
|
122
122
|
|
|
123
|
-
| Module
|
|
124
|
-
|
|
|
125
|
-
| **
|
|
126
|
-
| **
|
|
123
|
+
| Module | Purpose | Requirement |
|
|
124
|
+
| ---------------------------- | ------------------------------ | ------------------------------------------------------ |
|
|
125
|
+
| **Dependency Vulnerability** | npm/yarn/pnpm audit scanning | `--source` flag (requires shell execution) |
|
|
126
|
+
| **File Modularization** | Code organization quality | `--source` flag (source code analysis) |
|
|
127
|
+
| **MCP Conformance Testing** | Official conformance scenarios | HTTP/SSE transport + @modelcontextprotocol/conformance |
|
|
127
128
|
|
|
128
129
|
For detailed module documentation, see [Assessment Catalog](docs/ASSESSMENT_CATALOG.md).
|
|
129
130
|
|
|
@@ -208,10 +209,10 @@ mcp-assess-full --server my-server --output ./results.json
|
|
|
208
209
|
cat /tmp/inspector-full-assessment-my-server.json | jq '.overallStatus'
|
|
209
210
|
|
|
210
211
|
# List security vulnerabilities
|
|
211
|
-
cat /tmp/inspector-full-assessment-my-server.json | jq '.security.vulnerabilities'
|
|
212
|
+
cat /tmp/inspector-full-assessment-my-server.json | jq '.modules.security.vulnerabilities'
|
|
212
213
|
|
|
213
214
|
# Check broken tools
|
|
214
|
-
cat /tmp/inspector-full-assessment-my-server.json | jq '.functionality.brokenTools'
|
|
215
|
+
cat /tmp/inspector-full-assessment-my-server.json | jq '.modules.functionality.brokenTools'
|
|
215
216
|
|
|
216
217
|
# Get module scores
|
|
217
218
|
cat /tmp/inspector-full-assessment-my-server.json | jq '.moduleSummary'
|
|
@@ -85,6 +85,19 @@ export async function getToolsWithPreservedHints(client) {
|
|
|
85
85
|
}
|
|
86
86
|
// Start with SDK tool
|
|
87
87
|
const enrichedTool = { ...sdkTool };
|
|
88
|
+
// Issue #207: Preserve complete annotations object from raw response
|
|
89
|
+
// This ensures runtime-defined annotations are not lost when SDK strips them
|
|
90
|
+
if (rawTool.annotations && Object.keys(rawTool.annotations).length > 0) {
|
|
91
|
+
enrichedTool.annotations = {
|
|
92
|
+
...sdkTool.annotations, // Keep any SDK-preserved annotations
|
|
93
|
+
...rawTool.annotations, // Override with raw response annotations
|
|
94
|
+
};
|
|
95
|
+
// Debug logging when DEBUG_ANNOTATIONS env var is set
|
|
96
|
+
if (process.env.DEBUG_ANNOTATIONS) {
|
|
97
|
+
// eslint-disable-next-line no-console
|
|
98
|
+
console.log(`[DEBUG-HINTS] ${rawTool.name}: Preserved annotations object:`, JSON.stringify(enrichedTool.annotations));
|
|
99
|
+
}
|
|
100
|
+
}
|
|
88
101
|
// Preserve hint properties from raw response (priority order)
|
|
89
102
|
for (const hint of HINT_PROPERTIES) {
|
|
90
103
|
// Skip if SDK already has it via annotations
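Review bot: The new guard at lines 90–94 only checks that `rawTool.annotations` is truthy and has keys, so a non-object value in the server response (a string or an array) passes and is spread into `enrichedTool.annotations` as index keys, and raw values override whatever the SDK validated. Tighten it to a plain-object check, `const rawAnnotations = rawTool.annotations;` / `if (rawAnnotations && typeof rawAnnotations === "object" && !Array.isArray(rawAnnotations) && Object.keys(rawAnnotations).length > 0) {`, and add a comment such as `// Merged object is unvalidated server input; downstream assessors must not trust hint values or types` so consumers do not assume SDK-typed hints. The debug log at line 98 serialises that same server-supplied object, which is acceptable on a DEBUG_ANNOTATIONS-only path but worth stating in the comment. getToolsWithPreservedHints starts before this hunk and the HINT_PROPERTIES loop continues past it.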
|
package/cli/package.json
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-
|
|
1
|
+
import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-97IA_LWd.js";
|
|
2
2
|
const OAuthCallback = ({ onConnect }) => {
|
|
3
3
|
const { toast } = useToast();
|
|
4
4
|
const hasProcessedRef = reactExports.useRef(false);
|
package/client/dist/assets/{OAuthDebugCallback-Drqf42qG.js → OAuthDebugCallback-CsGYu8op.js}
RENAMED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-
|
|
1
|
+
import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-97IA_LWd.js";
|
|
2
2
|
const OAuthDebugCallback = ({ onConnect }) => {
|
|
3
3
|
reactExports.useEffect(() => {
|
|
4
4
|
let isProcessed = false;
|
|
@@ -16373,7 +16373,7 @@ object({
|
|
|
16373
16373
|
token_type_hint: string().optional()
|
|
16374
16374
|
}).strip();
|
|
16375
16375
|
const name = "@bryan-thompson/inspector-assessment-client";
|
|
16376
|
-
const version$1 = "1.
|
|
16376
|
+
const version$1 = "1.43.1";
|
|
16377
16377
|
const packageJson = {
|
|
16378
16378
|
name,
|
|
16379
16379
|
version: version$1
|
|
@@ -49456,7 +49456,7 @@ const useTheme = () => {
|
|
|
49456
49456
|
[theme, setThemeWithSideEffect]
|
|
49457
49457
|
);
|
|
49458
49458
|
};
|
|
49459
|
-
const version = "1.
|
|
49459
|
+
const version = "1.43.1";
|
|
49460
49460
|
var [createTooltipContext] = createContextScope("Tooltip", [
|
|
49461
49461
|
createPopperScope
|
|
49462
49462
|
]);
|
|
@@ -52799,13 +52799,13 @@ const App = () => {
|
|
|
52799
52799
|
};
|
|
52800
52800
|
if (window.location.pathname === "/oauth/callback") {
|
|
52801
52801
|
const OAuthCallback = React.lazy(
|
|
52802
|
-
() => __vitePreload(() => import("./OAuthCallback-
|
|
52802
|
+
() => __vitePreload(() => import("./OAuthCallback-ngu_aFUO.js"), true ? [] : void 0)
|
|
52803
52803
|
);
|
|
52804
52804
|
return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthCallback, { onConnect: onOAuthConnect }) });
|
|
52805
52805
|
}
|
|
52806
52806
|
if (window.location.pathname === "/oauth/callback/debug") {
|
|
52807
52807
|
const OAuthDebugCallback = React.lazy(
|
|
52808
|
-
() => __vitePreload(() => import("./OAuthDebugCallback-
|
|
52808
|
+
() => __vitePreload(() => import("./OAuthDebugCallback-CsGYu8op.js"), true ? [] : void 0)
|
|
52809
52809
|
);
|
|
52810
52810
|
return /* @__PURE__ */ jsxRuntimeExports.jsx(reactExports.Suspense, { fallback: /* @__PURE__ */ jsxRuntimeExports.jsx("div", { children: "Loading..." }), children: /* @__PURE__ */ jsxRuntimeExports.jsx(OAuthDebugCallback, { onConnect: onOAuthDebugConnect }) });
|
|
52811
52811
|
}
|
package/client/dist/index.html
CHANGED
|
@@ -5,7 +5,7 @@
|
|
|
5
5
|
<link rel="icon" type="image/svg+xml" href="/mcp.svg" />
|
|
6
6
|
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
|
|
7
7
|
<title>MCP Inspector</title>
|
|
8
|
-
<script type="module" crossorigin src="/assets/index-
|
|
8
|
+
<script type="module" crossorigin src="/assets/index-97IA_LWd.js"></script>
|
|
9
9
|
<link rel="stylesheet" crossorigin href="/assets/index-BoUA5OL1.css">
|
|
10
10
|
</head>
|
|
11
11
|
<body>
|
|
@@ -184,6 +184,7 @@ export declare const AssessmentCategoriesSchema: z.ZodObject<{
|
|
|
184
184
|
aupCompliance: z.ZodOptional<z.ZodBoolean>;
|
|
185
185
|
toolAnnotations: z.ZodOptional<z.ZodBoolean>;
|
|
186
186
|
prohibitedLibraries: z.ZodOptional<z.ZodBoolean>;
|
|
187
|
+
dependencyVulnerability: z.ZodOptional<z.ZodBoolean>;
|
|
187
188
|
manifestValidation: z.ZodOptional<z.ZodBoolean>;
|
|
188
189
|
portability: z.ZodOptional<z.ZodBoolean>;
|
|
189
190
|
externalAPIScanner: z.ZodOptional<z.ZodBoolean>;
|
|
@@ -216,6 +217,7 @@ export declare const AssessmentCategoriesSchema: z.ZodObject<{
|
|
|
216
217
|
protocolConformance?: boolean;
|
|
217
218
|
protocolCompliance?: boolean;
|
|
218
219
|
fileModularization?: boolean;
|
|
220
|
+
dependencyVulnerability?: boolean;
|
|
219
221
|
}, {
|
|
220
222
|
functionality?: boolean;
|
|
221
223
|
security?: boolean;
|
|
@@ -237,6 +239,7 @@ export declare const AssessmentCategoriesSchema: z.ZodObject<{
|
|
|
237
239
|
protocolConformance?: boolean;
|
|
238
240
|
protocolCompliance?: boolean;
|
|
239
241
|
fileModularization?: boolean;
|
|
242
|
+
dependencyVulnerability?: boolean;
|
|
240
243
|
}>;
|
|
241
244
|
/**
|
|
242
245
|
* Schema for documentation verbosity level.
|
|
@@ -396,6 +399,7 @@ export declare const AssessmentConfigurationSchema: z.ZodObject<{
|
|
|
396
399
|
aupCompliance: z.ZodOptional<z.ZodBoolean>;
|
|
397
400
|
toolAnnotations: z.ZodOptional<z.ZodBoolean>;
|
|
398
401
|
prohibitedLibraries: z.ZodOptional<z.ZodBoolean>;
|
|
402
|
+
dependencyVulnerability: z.ZodOptional<z.ZodBoolean>;
|
|
399
403
|
manifestValidation: z.ZodOptional<z.ZodBoolean>;
|
|
400
404
|
portability: z.ZodOptional<z.ZodBoolean>;
|
|
401
405
|
externalAPIScanner: z.ZodOptional<z.ZodBoolean>;
|
|
@@ -428,6 +432,7 @@ export declare const AssessmentConfigurationSchema: z.ZodObject<{
|
|
|
428
432
|
protocolConformance?: boolean;
|
|
429
433
|
protocolCompliance?: boolean;
|
|
430
434
|
fileModularization?: boolean;
|
|
435
|
+
dependencyVulnerability?: boolean;
|
|
431
436
|
}, {
|
|
432
437
|
functionality?: boolean;
|
|
433
438
|
security?: boolean;
|
|
@@ -449,6 +454,7 @@ export declare const AssessmentConfigurationSchema: z.ZodObject<{
|
|
|
449
454
|
protocolConformance?: boolean;
|
|
450
455
|
protocolCompliance?: boolean;
|
|
451
456
|
fileModularization?: boolean;
|
|
457
|
+
dependencyVulnerability?: boolean;
|
|
452
458
|
}>>;
|
|
453
459
|
}, "strip", z.ZodTypeAny, {
|
|
454
460
|
mcpProtocolVersion?: string;
|
|
@@ -473,6 +479,7 @@ export declare const AssessmentConfigurationSchema: z.ZodObject<{
|
|
|
473
479
|
protocolConformance?: boolean;
|
|
474
480
|
protocolCompliance?: boolean;
|
|
475
481
|
fileModularization?: boolean;
|
|
482
|
+
dependencyVulnerability?: boolean;
|
|
476
483
|
};
|
|
477
484
|
configVersion?: number;
|
|
478
485
|
testTimeout?: number;
|
|
@@ -539,6 +546,7 @@ export declare const AssessmentConfigurationSchema: z.ZodObject<{
|
|
|
539
546
|
protocolConformance?: boolean;
|
|
540
547
|
protocolCompliance?: boolean;
|
|
541
548
|
fileModularization?: boolean;
|
|
549
|
+
dependencyVulnerability?: boolean;
|
|
542
550
|
};
|
|
543
551
|
configVersion?: number;
|
|
544
552
|
testTimeout?: number;
|
|
@@ -636,6 +644,7 @@ export declare function safeParseAssessmentConfig(config: unknown): z.SafeParseR
|
|
|
636
644
|
protocolConformance?: boolean;
|
|
637
645
|
protocolCompliance?: boolean;
|
|
638
646
|
fileModularization?: boolean;
|
|
647
|
+
dependencyVulnerability?: boolean;
|
|
639
648
|
};
|
|
640
649
|
configVersion?: number;
|
|
641
650
|
testTimeout?: number;
|
|
@@ -702,6 +711,7 @@ export declare function safeParseAssessmentConfig(config: unknown): z.SafeParseR
|
|
|
702
711
|
protocolConformance?: boolean;
|
|
703
712
|
protocolCompliance?: boolean;
|
|
704
713
|
fileModularization?: boolean;
|
|
714
|
+
dependencyVulnerability?: boolean;
|
|
705
715
|
};
|
|
706
716
|
configVersion?: number;
|
|
707
717
|
testTimeout?: number;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"configSchemas.d.ts","sourceRoot":"","sources":["../../../src/lib/assessment/configSchemas.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAGrE,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;AAM9C;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;EAI9B,CAAC;AAMH;;GAEG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;EAIpC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;EAKnC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAgBhC,CAAC;AAMJ;;;GAGG;AACH,eAAO,MAAM,0BAA0B;;;;;;IAMrC,iDAAiD
|
|
1
|
+
{"version":3,"file":"configSchemas.d.ts","sourceRoot":"","sources":["../../../src/lib/assessment/configSchemas.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAGrE,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC;AAM9C;;GAEG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;EAI9B,CAAC;AAMH;;GAEG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;EAIpC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;EAKnC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAgBhC,CAAC;AAMJ;;;GAGG;AACH,eAAO,MAAM,0BAA0B;;;;;;IAMrC,iDAAiD;;;;;;;;;;;;;;;IAejD,iDAAiD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAGjD,CAAC;AAMH;;GAEG;AACH,eAAO,MAAM,4BAA4B,+CAIvC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,6BAA6B;;;;;;;;;;;;IAYxC,sDAAsD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAhDtD,iDAAiD;;;;;;;;;;;;;;;QAejD,iDAAiD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA8CjD,CAAC;AAMH;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE;;GAEG;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E;;GAEG;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAC9C,OAAO,0BAA0B,CAClC,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,6BAA6B,GAAG,CAAC,CAAC,KAAK,CACjD,OAAO,6BAA6B,CACrC,CAAC;AAMF;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,OAAO,GACd,6BAA6B,CAE/B;AAED;;;;;GAKG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAExD;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,EAAE,CAWlE;AAED;;;;;GAKG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,EAAE,CAWlE"}
|
|
@@ -79,6 +79,7 @@ export const AssessmentCategoriesSchema = z.object({
|
|
|
79
79
|
aupCompliance: z.boolean().optional(),
|
|
80
80
|
toolAnnotations: z.boolean().optional(),
|
|
81
81
|
prohibitedLibraries: z.boolean().optional(),
|
|
82
|
+
dependencyVulnerability: z.boolean().optional(),
|
|
82
83
|
manifestValidation: z.boolean().optional(),
|
|
83
84
|
portability: z.boolean().optional(),
|
|
84
85
|
externalAPIScanner: z.boolean().optional(),
|
|
@@ -86,6 +86,7 @@ export interface AssessmentConfiguration {
|
|
|
86
86
|
aupCompliance?: boolean;
|
|
87
87
|
toolAnnotations?: boolean;
|
|
88
88
|
prohibitedLibraries?: boolean;
|
|
89
|
+
dependencyVulnerability?: boolean;
|
|
89
90
|
manifestValidation?: boolean;
|
|
90
91
|
portability?: boolean;
|
|
91
92
|
externalAPIScanner?: boolean;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"configTypes.d.ts","sourceRoot":"","sources":["../../../src/lib/assessment/configTypes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,aAAa,EACb,QAAQ,EACR,sBAAsB,EACvB,MAAM,kCAAkC,CAAC;AAE1C,sDAAsD;AACtD,YAAY,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAC;AACxC,4CAA4C;AAC5C,OAAO,EAAE,sBAAsB,EAAE,CAAC;AAElC;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE;QACR,yBAAyB,EAAE,OAAO,CAAC;QACnC,mBAAmB,EAAE,OAAO,CAAC;QAC7B,mBAAmB,EAAE,OAAO,CAAC;QAC7B,oBAAoB,EAAE,OAAO,CAAC;KAC/B,CAAC;IACF,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;IAC3B,UAAU,CAAC,EAAE,mBAAmB,CAAC;CAClC;AAED;;;GAGG;AACH,MAAM,WAAW,uBAAuB;IACtC;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,6GAA6G;IAC7G,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,EAAE,OAAO,CAAC;IAEzB,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC,sBAAsB,CAAC,EAAE,SAAS,GAAG,UAAU,GAAG,SAAS,CAAC;IAI5D,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,4FAA4F;IAC5F,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAE5B,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAE9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,kDAAkD;IAClD,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,oBAAoB,CAAC,EAAE;QACrB,aAAa,EAAE,OAAO,CAAC;QACvB,QAAQ,EAAE,OAAO,CAAC;QAClB,aAAa,EAAE,OAAO,CAAC;QACvB,aAAa,EAAE,OAAO,CAAC;QACvB,SAAS,EAAE,OAAO,CAAC;QACnB,6EAA6E;QAC7E,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAE5B,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAE7B,aAAa,CAAC,EAAE,OAAO,CAAC;QACxB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,mBAAmB,CAAC,EAAE,OAAO,CAAC;QAC9B,kBAAkB,CAAC,EAAE
,OAAO,CAAC;QAC7B,WAAW,CAAC,EAAE,OAAO,CAAC;QACtB,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,QAAQ,CAAC,EAAE,OAAO,CAAC;QAEnB,SAAS,CAAC,EAAE,OAAO,CAAC;QACpB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,eAAe,CAAC,EAAE,OAAO,CAAC;QAE1B,6EAA6E;QAC7E,mBAAmB,CAAC,EAAE,OAAO,CAAC;QAE9B,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAE7B,WAAW,CAAC,EAAE,OAAO,CAAC;KACvB,CAAC;IACF;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAMD;;;GAGG;AACH,eAAO,MAAM,yBAAyB,EAAE,
|
|
1
|
+
{"version":3,"file":"configTypes.d.ts","sourceRoot":"","sources":["../../../src/lib/assessment/configTypes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EACL,aAAa,EACb,QAAQ,EACR,sBAAsB,EACvB,MAAM,kCAAkC,CAAC;AAE1C,sDAAsD;AACtD,YAAY,EAAE,aAAa,EAAE,QAAQ,EAAE,CAAC;AACxC,4CAA4C;AAC5C,OAAO,EAAE,sBAAsB,EAAE,CAAC;AAElC;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE;QACR,yBAAyB,EAAE,OAAO,CAAC;QACnC,mBAAmB,EAAE,OAAO,CAAC;QAC7B,mBAAmB,EAAE,OAAO,CAAC;QAC7B,oBAAoB,EAAE,OAAO,CAAC;KAC/B,CAAC;IACF,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;IAC3B,UAAU,CAAC,EAAE,mBAAmB,CAAC;CAClC;AAED;;;GAGG;AACH,MAAM,WAAW,uBAAuB;IACtC;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,6GAA6G;IAC7G,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,eAAe,EAAE,OAAO,CAAC;IAEzB,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC,sBAAsB,CAAC,EAAE,SAAS,GAAG,UAAU,GAAG,SAAS,CAAC;IAI5D,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAEhC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,4FAA4F;IAC5F,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAE5B,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAE3B,UAAU,CAAC,EAAE,gBAAgB,CAAC;IAE9B,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,kDAAkD;IAClD,OAAO,CAAC,EAAE,aAAa,CAAC;IACxB,oBAAoB,CAAC,EAAE;QACrB,aAAa,EAAE,OAAO,CAAC;QACvB,QAAQ,EAAE,OAAO,CAAC;QAClB,aAAa,EAAE,OAAO,CAAC;QACvB,aAAa,EAAE,OAAO,CAAC;QACvB,SAAS,EAAE,OAAO,CAAC;QACnB,6EAA6E;QAC7E,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAE5B,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAE7B,aAAa,CAAC,EAAE,OAAO,CAAC;QACxB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,mBAAmB,CAAC,EAAE,OAAO,CAAC;QAC9B,uBAAuB,CAAC,EAAE
,OAAO,CAAC;QAClC,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,WAAW,CAAC,EAAE,OAAO,CAAC;QACtB,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAC7B,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,QAAQ,CAAC,EAAE,OAAO,CAAC;QAEnB,SAAS,CAAC,EAAE,OAAO,CAAC;QACpB,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,eAAe,CAAC,EAAE,OAAO,CAAC;QAE1B,6EAA6E;QAC7E,mBAAmB,CAAC,EAAE,OAAO,CAAC;QAE9B,kBAAkB,CAAC,EAAE,OAAO,CAAC;QAE7B,WAAW,CAAC,EAAE,OAAO,CAAC;KACvB,CAAC;IACF;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAMD;;;GAGG;AACH,eAAO,MAAM,yBAAyB,EAAE,uBAwCvC,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,EAAE,uBAwClC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,qBAAqB,EAAE,uBAuCnC,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,iBAAiB,EAAE,uBAuC/B,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,4BAA4B,EAAE,uBAkD1C,CAAC"}
|
|
@@ -42,6 +42,7 @@ export const DEFAULT_ASSESSMENT_CONFIG = {
|
|
|
42
42
|
aupCompliance: false,
|
|
43
43
|
toolAnnotations: false,
|
|
44
44
|
prohibitedLibraries: false,
|
|
45
|
+
dependencyVulnerability: false, // Issue #193 - npm/yarn/pnpm audit (opt-in, requires shell)
|
|
45
46
|
manifestValidation: false,
|
|
46
47
|
portability: false,
|
|
47
48
|
externalAPIScanner: false,
|
|
@@ -0,0 +1,227 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Dependency Vulnerability Assessment Types
|
|
3
|
+
*
|
|
4
|
+
* Types for npm/yarn/pnpm dependency vulnerability detection via package manager audits.
|
|
5
|
+
* Implements Issue #193: Add npm/yarn dependency vulnerability detection module.
|
|
6
|
+
*
|
|
7
|
+
* @module assessment/dependencyVulnerabilityTypes
|
|
8
|
+
*/
|
|
9
|
+
import type { AssessmentStatus } from "./coreTypes.js";
|
|
10
|
+
/**
|
|
11
|
+
* Severity level for dependency vulnerabilities.
|
|
12
|
+
* Matches npm audit severity levels.
|
|
13
|
+
*/
|
|
14
|
+
export type VulnerabilitySeverity = "critical" | "high" | "moderate" | "low";
|
|
15
|
+
/**
|
|
16
|
+
* Package manager detected and used for audit.
|
|
17
|
+
*/
|
|
18
|
+
export type PackageManager = "npm" | "yarn" | "pnpm" | "unknown";
|
|
19
|
+
/**
|
|
20
|
+
* Lock file type mapping to package manager.
|
|
21
|
+
*/
|
|
22
|
+
export type LockFileType = "package-lock.json" | "yarn.lock" | "pnpm-lock.yaml" | "none";
|
|
23
|
+
/**
|
|
24
|
+
* Individual vulnerability finding from audit.
|
|
25
|
+
*/
|
|
26
|
+
export interface DependencyVulnerability {
|
|
27
|
+
/** Package name with vulnerability */
|
|
28
|
+
packageName: string;
|
|
29
|
+
/** Current installed version */
|
|
30
|
+
version: string;
|
|
31
|
+
/** Severity level */
|
|
32
|
+
severity: VulnerabilitySeverity;
|
|
33
|
+
/** Advisory title/description */
|
|
34
|
+
advisory: string;
|
|
35
|
+
/** CVE identifier if available */
|
|
36
|
+
cve?: string;
|
|
37
|
+
/** Fixed version if available */
|
|
38
|
+
fixedIn?: string;
|
|
39
|
+
/** Dependency path (direct or transitive) */
|
|
40
|
+
dependencyPath: string[];
|
|
41
|
+
/** Whether a fix is available */
|
|
42
|
+
fixAvailable: boolean;
|
|
43
|
+
/** Whether this is a direct or transitive dependency */
|
|
44
|
+
isDirect: boolean;
|
|
45
|
+
}
|
|
46
|
+
/**
|
|
47
|
+
* Summary counts by severity level.
|
|
48
|
+
*/
|
|
49
|
+
export interface VulnerabilityCounts {
|
|
50
|
+
critical: number;
|
|
51
|
+
high: number;
|
|
52
|
+
moderate: number;
|
|
53
|
+
low: number;
|
|
54
|
+
}
|
|
55
|
+
/**
|
|
56
|
+
* Audit execution metadata.
|
|
57
|
+
*/
|
|
58
|
+
export interface AuditExecutionInfo {
|
|
59
|
+
/** Package manager used */
|
|
60
|
+
packageManager: PackageManager;
|
|
61
|
+
/** Lock file detected */
|
|
62
|
+
lockFilePresent: boolean;
|
|
63
|
+
/** Lock file type (package-lock.json, yarn.lock, pnpm-lock.yaml) */
|
|
64
|
+
lockFileType: LockFileType;
|
|
65
|
+
/** Audit command executed */
|
|
66
|
+
auditCommand: string;
|
|
67
|
+
/** Execution time in ms */
|
|
68
|
+
executionTimeMs: number;
|
|
69
|
+
/** Whether audit completed successfully */
|
|
70
|
+
auditCompleted: boolean;
|
|
71
|
+
/** Error message if audit failed */
|
|
72
|
+
auditError?: string;
|
|
73
|
+
}
|
|
74
|
+
/**
|
|
75
|
+
* Main assessment result interface.
|
|
76
|
+
* Field name matches Issue #193 spec: dependencyVulnerability
|
|
77
|
+
*/
|
|
78
|
+
export interface DependencyVulnerabilityAssessment {
|
|
79
|
+
/** Whether a package manager was detected */
|
|
80
|
+
hasPackageManager: boolean;
|
|
81
|
+
/** Audit execution information */
|
|
82
|
+
auditInfo: AuditExecutionInfo;
|
|
83
|
+
/** Summary counts by severity */
|
|
84
|
+
vulnerabilities: VulnerabilityCounts;
|
|
85
|
+
/** Total number of advisories found */
|
|
86
|
+
totalAdvisories: number;
|
|
87
|
+
/** Individual vulnerability details */
|
|
88
|
+
findings: DependencyVulnerability[];
|
|
89
|
+
/** Computed score penalty (based on severity scoring) */
|
|
90
|
+
scorePenalty: number;
|
|
91
|
+
/** Assessment status */
|
|
92
|
+
status: AssessmentStatus;
|
|
93
|
+
/** Human-readable explanation */
|
|
94
|
+
explanation: string;
|
|
95
|
+
/** Actionable recommendations */
|
|
96
|
+
recommendations: string[];
|
|
97
|
+
/** Whether assessment was skipped */
|
|
98
|
+
skipped?: boolean;
|
|
99
|
+
/** Reason for skipping if applicable */
|
|
100
|
+
skipReason?: string;
|
|
101
|
+
/** Stage B enrichment data for Claude validation (future) */
|
|
102
|
+
enrichmentData?: DependencyVulnerabilityEnrichmentData;
|
|
103
|
+
}
|
|
104
|
+
/**
|
|
105
|
+
* Enrichment data for Stage B Claude validation.
|
|
106
|
+
* Can be used for more sophisticated analysis in future releases.
|
|
107
|
+
*/
|
|
108
|
+
export interface DependencyVulnerabilityEnrichmentData {
|
|
109
|
+
/** Top critical/high vulnerabilities for review */
|
|
110
|
+
topVulnerabilities: DependencyVulnerability[];
|
|
111
|
+
/** Summary metrics */
|
|
112
|
+
metrics: {
|
|
113
|
+
/** Total packages scanned */
|
|
114
|
+
totalPackages: number;
|
|
115
|
+
/** Number of packages with vulnerabilities */
|
|
116
|
+
vulnerablePackages: number;
|
|
117
|
+
/** Vulnerabilities in direct dependencies */
|
|
118
|
+
directDependencyVulns: number;
|
|
119
|
+
/** Vulnerabilities in transitive dependencies */
|
|
120
|
+
transitiveDependencyVulns: number;
|
|
121
|
+
};
|
|
122
|
+
}
|
|
123
|
+
/**
|
|
124
|
+
* npm vulnerability entry structure
|
|
125
|
+
*/
|
|
126
|
+
export interface NpmVulnerabilityEntry {
|
|
127
|
+
name: string;
|
|
128
|
+
severity: string;
|
|
129
|
+
via: Array<string | {
|
|
130
|
+
title?: string;
|
|
131
|
+
url?: string;
|
|
132
|
+
source?: number;
|
|
133
|
+
}>;
|
|
134
|
+
effects?: string[];
|
|
135
|
+
range?: string;
|
|
136
|
+
nodes?: string[];
|
|
137
|
+
fixAvailable?: boolean | {
|
|
138
|
+
name: string;
|
|
139
|
+
version: string;
|
|
140
|
+
isSemVerMajor: boolean;
|
|
141
|
+
};
|
|
142
|
+
}
|
|
143
|
+
/**
|
|
144
|
+
* npm audit --json output structure (npm v7+).
|
|
145
|
+
* Used internally for parsing.
|
|
146
|
+
*/
|
|
147
|
+
export interface NpmAuditOutput {
|
|
148
|
+
vulnerabilities?: Record<string, NpmVulnerabilityEntry>;
|
|
149
|
+
metadata?: {
|
|
150
|
+
vulnerabilities?: VulnerabilityCounts;
|
|
151
|
+
dependencies?: {
|
|
152
|
+
prod: number;
|
|
153
|
+
dev: number;
|
|
154
|
+
optional: number;
|
|
155
|
+
peer: number;
|
|
156
|
+
peerOptional: number;
|
|
157
|
+
total: number;
|
|
158
|
+
};
|
|
159
|
+
};
|
|
160
|
+
}
|
|
161
|
+
/**
|
|
162
|
+
* yarn audit --json output structure.
|
|
163
|
+
* Yarn emits newline-delimited JSON objects.
|
|
164
|
+
*/
|
|
165
|
+
export interface YarnAuditEntry {
|
|
166
|
+
type: "auditAdvisory" | "auditSummary";
|
|
167
|
+
data: {
|
|
168
|
+
resolution: {
|
|
169
|
+
id: number;
|
|
170
|
+
path: string;
|
|
171
|
+
dev: boolean;
|
|
172
|
+
optional: boolean;
|
|
173
|
+
bundled: boolean;
|
|
174
|
+
};
|
|
175
|
+
advisory: {
|
|
176
|
+
module_name: string;
|
|
177
|
+
severity: string;
|
|
178
|
+
title: string;
|
|
179
|
+
url?: string;
|
|
180
|
+
cves?: string[];
|
|
181
|
+
patched_versions?: string;
|
|
182
|
+
vulnerable_versions?: string;
|
|
183
|
+
};
|
|
184
|
+
} | {
|
|
185
|
+
vulnerabilities: {
|
|
186
|
+
info: number;
|
|
187
|
+
low: number;
|
|
188
|
+
moderate: number;
|
|
189
|
+
high: number;
|
|
190
|
+
critical: number;
|
|
191
|
+
};
|
|
192
|
+
dependencies: number;
|
|
193
|
+
devDependencies: number;
|
|
194
|
+
optionalDependencies: number;
|
|
195
|
+
totalDependencies: number;
|
|
196
|
+
};
|
|
197
|
+
}
|
|
198
|
+
/**
|
|
199
|
+
* pnpm advisory entry structure
|
|
200
|
+
*/
|
|
201
|
+
export interface PnpmAdvisoryEntry {
|
|
202
|
+
module_name: string;
|
|
203
|
+
severity: string;
|
|
204
|
+
title: string;
|
|
205
|
+
url?: string;
|
|
206
|
+
cves?: string[];
|
|
207
|
+
vulnerable_versions?: string;
|
|
208
|
+
patched_versions?: string;
|
|
209
|
+
findings?: Array<{
|
|
210
|
+
version: string;
|
|
211
|
+
paths: string[];
|
|
212
|
+
}>;
|
|
213
|
+
}
|
|
214
|
+
/**
|
|
215
|
+
* pnpm audit --json output structure.
|
|
216
|
+
* Similar to npm but with some differences.
|
|
217
|
+
*/
|
|
218
|
+
export interface PnpmAuditOutput {
|
|
219
|
+
advisories?: Record<string, PnpmAdvisoryEntry>;
|
|
220
|
+
metadata?: {
|
|
221
|
+
vulnerabilities?: VulnerabilityCounts;
|
|
222
|
+
dependencies?: number;
|
|
223
|
+
devDependencies?: number;
|
|
224
|
+
totalDependencies?: number;
|
|
225
|
+
};
|
|
226
|
+
}
|
|
227
|
+
//# sourceMappingURL=dependencyVulnerabilityTypes.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dependencyVulnerabilityTypes.d.ts","sourceRoot":"","sources":["../../../src/lib/assessment/dependencyVulnerabilityTypes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAMpD;;;GAGG;AACH,MAAM,MAAM,qBAAqB,GAAG,UAAU,GAAG,MAAM,GAAG,UAAU,GAAG,KAAK,CAAC;AAE7E;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,KAAK,GAAG,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;AAEjE;;GAEG;AACH,MAAM,MAAM,YAAY,GACpB,mBAAmB,GACnB,WAAW,GACX,gBAAgB,GAChB,MAAM,CAAC;AAMX;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC,sCAAsC;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,gCAAgC;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,qBAAqB;IACrB,QAAQ,EAAE,qBAAqB,CAAC;IAChC,iCAAiC;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,kCAAkC;IAClC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,iCAAiC;IACjC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,6CAA6C;IAC7C,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,iCAAiC;IACjC,YAAY,EAAE,OAAO,CAAC;IACtB,wDAAwD;IACxD,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;CACb;AAMD;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,2BAA2B;IAC3B,cAAc,EAAE,cAAc,CAAC;IAC/B,yBAAyB;IACzB,eAAe,EAAE,OAAO,CAAC;IACzB,oEAAoE;IACpE,YAAY,EAAE,YAAY,CAAC;IAC3B,6BAA6B;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB,2BAA2B;IAC3B,eAAe,EAAE,MAAM,CAAC;IACxB,2CAA2C;IAC3C,cAAc,EAAE,OAAO,CAAC;IACxB,oCAAoC;IACpC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAMD;;;GAGG;AACH,MAAM,WAAW,iCAAiC;IAChD,6CAA6C;IAC7C,iBAAiB,EAAE,OAAO,CAAC;IAC3B,kCAAkC;IAClC,SAAS,EAAE,kBAAkB,CAAC;IAC9B,iCAAiC;IACjC,eAAe,EAAE,mBAAmB,CAAC;IACrC,uCAAuC;IACvC,eAAe,EAAE,MAAM,CAAC;IACxB,uCAAuC;IACvC,QAAQ,EAAE,uBAAuB,EAAE,CAAC;IACpC,yDAAyD;IACzD,YAAY,EAAE,MAAM,CAAC;IACrB,wBAAwB;IACxB,MAAM,EAAE,gBAAgB,CAAC;IACzB,iCAAiC;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,iCAAiC;IACjC,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,qCAAqC;IACrC,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,wCAAwC;IACxC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6DAA6D;IAC7D,cAAc,CAAC,EAAE,qCAAqC,CAAC;CACxD;AAMD;;;GAGG;AACH,MAAM,WAAW,qCAAqC;IACpD,mDAAmD;IACnD,kBAAkB,EAAE,uBAAuB,EAAE,CAAC;IAC9C,sBAAsB;IACtB,OAAO,EAAE;QACP,6B
AA6B;QAC7B,aAAa,EAAE,MAAM,CAAC;QACtB,8CAA8C;QAC9C,kBAAkB,EAAE,MAAM,CAAC;QAC3B,6CAA6C;QAC7C,qBAAqB,EAAE,MAAM,CAAC;QAC9B,iDAAiD;QACjD,yBAAyB,EAAE,MAAM,CAAC;KACnC,CAAC;CACH;AAMD;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,KAAK,CAAC,MAAM,GAAG;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,GAAG,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACvE,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,YAAY,CAAC,EACT,OAAO,GACP;QACE,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,aAAa,EAAE,OAAO,CAAC;KACxB,CAAC;CACP;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAC;IACxD,QAAQ,CAAC,EAAE;QACT,eAAe,CAAC,EAAE,mBAAmB,CAAC;QACtC,YAAY,CAAC,EAAE;YACb,IAAI,EAAE,MAAM,CAAC;YACb,GAAG,EAAE,MAAM,CAAC;YACZ,QAAQ,EAAE,MAAM,CAAC;YACjB,IAAI,EAAE,MAAM,CAAC;YACb,YAAY,EAAE,MAAM,CAAC;YACrB,KAAK,EAAE,MAAM,CAAC;SACf,CAAC;KACH,CAAC;CACH;AAED;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,eAAe,GAAG,cAAc,CAAC;IACvC,IAAI,EACA;QACE,UAAU,EAAE;YACV,EAAE,EAAE,MAAM,CAAC;YACX,IAAI,EAAE,MAAM,CAAC;YACb,GAAG,EAAE,OAAO,CAAC;YACb,QAAQ,EAAE,OAAO,CAAC;YAClB,OAAO,EAAE,OAAO,CAAC;SAClB,CAAC;QACF,QAAQ,EAAE;YACR,WAAW,EAAE,MAAM,CAAC;YACpB,QAAQ,EAAE,MAAM,CAAC;YACjB,KAAK,EAAE,MAAM,CAAC;YACd,GAAG,CAAC,EAAE,MAAM,CAAC;YACb,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;YAChB,gBAAgB,CAAC,EAAE,MAAM,CAAC;YAC1B,mBAAmB,CAAC,EAAE,MAAM,CAAC;SAC9B,CAAC;KACH,GACD;QACE,eAAe,EAAE;YACf,IAAI,EAAE,MAAM,CAAC;YACb,GAAG,EAAE,MAAM,CAAC;YACZ,QAAQ,EAAE,MAAM,CAAC;YACjB,IAAI,EAAE,MAAM,CAAC;YACb,QAAQ,EAAE,MAAM,CAAC;SAClB,CAAC;QACF,YAAY,EAAE,MAAM,CAAC;QACrB,eAAe,EAAE,MAAM,CAAC;QACxB,oBAAoB,EAAE,MAAM,CAAC;QAC7B,iBAAiB,EAAE,MAAM,CAAC;KAC3B,CAAC;CACP;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,EAAE,KAAK,CAAC;QACf,OAAO,E
AAE,MAAM,CAAC;QAChB,KAAK,EAAE,MAAM,EAAE,CAAC;KACjB,CAAC,CAAC;CACJ;AAED;;;GAGG;AACH,MAAM,WAAW,eAAe;IAC9B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IAC/C,QAAQ,CAAC,EAAE;QACT,eAAe,CAAC,EAAE,mBAAmB,CAAC;QACtC,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,iBAAiB,CAAC,EAAE,MAAM,CAAC;KAC5B,CAAC;CACH"}
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Dependency Vulnerability Assessment Types
|
|
3
|
+
*
|
|
4
|
+
* Types for npm/yarn/pnpm dependency vulnerability detection via package manager audits.
|
|
5
|
+
* Implements Issue #193: Add npm/yarn dependency vulnerability detection module.
|
|
6
|
+
*
|
|
7
|
+
* @module assessment/dependencyVulnerabilityTypes
|
|
8
|
+
*/
|
|
9
|
+
export {};
|
|
@@ -25,4 +25,5 @@ export * from "./policyComplianceTypes.js";
|
|
|
25
25
|
export * from "./externalServicesTypes.js";
|
|
26
26
|
export * from "./temporalSecurityTypes.js";
|
|
27
27
|
export * from "./capabilityAssessmentTypes.js";
|
|
28
|
+
export * from "./dependencyVulnerabilityTypes.js";
|
|
28
29
|
//# sourceMappingURL=extendedTypes.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"extendedTypes.d.ts","sourceRoot":"","sources":["../../../src/lib/assessment/extendedTypes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAGH,cAAc,sBAAsB,CAAC;AACrC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,yBAAyB,CAAC;AACxC,cAAc,yBAAyB,CAAC;AACxC,cAAc,6BAA6B,CAAC"}
|
|
1
|
+
{"version":3,"file":"extendedTypes.d.ts","sourceRoot":"","sources":["../../../src/lib/assessment/extendedTypes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAGH,cAAc,sBAAsB,CAAC;AACrC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,yBAAyB,CAAC;AACxC,cAAc,yBAAyB,CAAC;AACxC,cAAc,6BAA6B,CAAC;AAC5C,cAAc,gCAAgC,CAAC"}
|
|
@@ -20,6 +20,7 @@ export * from "./configTypes.js";
|
|
|
20
20
|
export * from "./aupComplianceTypes.js";
|
|
21
21
|
export * from "./toolAnnotationTypes.js";
|
|
22
22
|
export * from "./policyComplianceTypes.js";
|
|
23
|
+
export * from "./dependencyVulnerabilityTypes.js";
|
|
23
24
|
export * from "./externalServicesTypes.js";
|
|
24
25
|
export * from "./temporalSecurityTypes.js";
|
|
25
26
|
export * from "./capabilityAssessmentTypes.js";
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/assessment/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAgCH,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAG9B,cAAc,sBAAsB,CAAC;AACrC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,yBAAyB,CAAC;AACxC,cAAc,yBAAyB,CAAC;AACxC,cAAc,6BAA6B,CAAC;AAC5C,cAAc,iBAAiB,CAAC;AAGhC,cAAc,eAAe,CAAC;AAG9B,cAAc,aAAa,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/assessment/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAgCH,cAAc,aAAa,CAAC;AAC5B,cAAc,eAAe,CAAC;AAG9B,cAAc,sBAAsB,CAAC;AACrC,cAAc,uBAAuB,CAAC;AACtC,cAAc,yBAAyB,CAAC;AACxC,cAAc,gCAAgC,CAAC;AAC/C,cAAc,yBAAyB,CAAC;AACxC,cAAc,yBAAyB,CAAC;AACxC,cAAc,6BAA6B,CAAC;AAC5C,cAAc,iBAAiB,CAAC;AAGhC,cAAc,eAAe,CAAC;AAG9B,cAAc,aAAa,CAAC"}
|
|
@@ -50,6 +50,7 @@ export * from "./configTypes.js";
|
|
|
50
50
|
export * from "./aupComplianceTypes.js";
|
|
51
51
|
export * from "./toolAnnotationTypes.js";
|
|
52
52
|
export * from "./policyComplianceTypes.js";
|
|
53
|
+
export * from "./dependencyVulnerabilityTypes.js";
|
|
53
54
|
export * from "./externalServicesTypes.js";
|
|
54
55
|
export * from "./temporalSecurityTypes.js";
|
|
55
56
|
export * from "./capabilityAssessmentTypes.js";
|
|
@@ -8,7 +8,7 @@
|
|
|
8
8
|
*/
|
|
9
9
|
import type { AssessmentStatus, SecurityRiskLevel, NamespaceDetectionResult } from "./coreTypes.js";
|
|
10
10
|
export type { NamespaceDetectionResult };
|
|
11
|
-
import type { AUPComplianceAssessment, ToolAnnotationAssessment, ProhibitedLibrariesAssessment, ManifestValidationAssessment, PortabilityAssessment, ExternalAPIScannerAssessment, AuthenticationAssessment, TemporalAssessment, ResourceAssessment, PromptAssessment, CrossCapabilitySecurityAssessment, ProtocolConformanceAssessment, FileModularizationAssessment, ConformanceAssessment, DeveloperExperienceAssessment } from "./extendedTypes.js";
|
|
11
|
+
import type { AUPComplianceAssessment, ToolAnnotationAssessment, ProhibitedLibrariesAssessment, ManifestValidationAssessment, PortabilityAssessment, ExternalAPIScannerAssessment, AuthenticationAssessment, TemporalAssessment, ResourceAssessment, PromptAssessment, CrossCapabilitySecurityAssessment, ProtocolConformanceAssessment, FileModularizationAssessment, ConformanceAssessment, DeveloperExperienceAssessment, DependencyVulnerabilityAssessment } from "./extendedTypes.js";
|
|
12
12
|
export interface TestInputMetadata {
|
|
13
13
|
toolCategory: string;
|
|
14
14
|
generationStrategy: string;
|
|
@@ -177,7 +177,17 @@ export interface DocumentationQualityChecks {
|
|
|
177
177
|
hasInstallation: boolean;
|
|
178
178
|
hasConfiguration: boolean;
|
|
179
179
|
hasExamples: boolean;
|
|
180
|
+
/**
|
|
181
|
+
* @deprecated Use hasLicenseFile for file-based check. Kept for backward compatibility.
|
|
182
|
+
* True if either license file exists OR declaration exists (legacy behavior)
|
|
183
|
+
*/
|
|
180
184
|
hasLicense: boolean;
|
|
185
|
+
/** Issue #208: True only if actual LICENSE file exists (LICENSE, LICENSE.md, etc.) */
|
|
186
|
+
hasLicenseFile: boolean;
|
|
187
|
+
/** Issue #208: True if license declared in package.json/manifest or README section (but no file) */
|
|
188
|
+
hasLicenseDeclaration: boolean;
|
|
189
|
+
/** Issue #208: Actual license file name if found */
|
|
190
|
+
licenseFile?: string;
|
|
181
191
|
licenseType?: string;
|
|
182
192
|
}
|
|
183
193
|
/**
|
|
@@ -803,6 +813,8 @@ export interface MCPDirectoryAssessment {
|
|
|
803
813
|
aupCompliance?: AUPComplianceAssessment;
|
|
804
814
|
toolAnnotations?: ToolAnnotationAssessment;
|
|
805
815
|
prohibitedLibraries?: ProhibitedLibrariesAssessment;
|
|
816
|
+
/** Dependency vulnerability audit results (npm/yarn/pnpm audit) - Issue #193 */
|
|
817
|
+
dependencyVulnerability?: DependencyVulnerabilityAssessment;
|
|
806
818
|
manifestValidation?: ManifestValidationAssessment;
|
|
807
819
|
portability?: PortabilityAssessment;
|
|
808
820
|
externalAPIScanner?: ExternalAPIScannerAssessment;
|
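Review bot: The doc on the new `hasLicenseDeclaration` field in the `@@ -177,7 +177,17 @@` hunk, `/** Issue #208: True if license declared in package.json/manifest or README section (but no file) */`, leaves the flag's value unspecified when both a declaration and a LICENSE file exist, so a consumer seeing `hasLicenseFile: true, hasLicenseDeclaration: false` cannot tell "file only" from "file plus declaration". The comment should state which semantics the checker actually computes, e.g. `/** Issue #208: True if a license is declared in package.json/manifest or a README section, regardless of whether a LICENSE file exists */` if the two flags are independent, or `/** Issue #208: True if a license is declared in package.json/manifest or a README section and no LICENSE file was found (mutually exclusive with hasLicenseFile) */` if they are exclusive; the deprecated `hasLicense` doc ("either license file exists OR declaration exists") should then read consistently with that choice. This `.d.ts` appears to be compiler output (sibling files in the diff carry `//# sourceMappingURL` trailers), so the wording fix presumably belongs in the hand-written source declaration it is emitted from rather than in this file.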