npm - @comate/zulu - Versions diffs - 1.3.5 → 1.3.6 - Mend

@comate/zulu 1.3.5 → 1.3.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (47) hide show

package/comate-engine/assets/skills/code-security/scripts/parse_scan_result.py DELETED Viewed

@@ -1,301 +0,0 @@
-#!/usr/bin/env python3
-"""
-扫描结果解析与展示工具 - 解析 scan_result.json 文件，输出标准化漏洞报告。
-用法:
-    python3 parse_scan_result.py --scan-result <扫描结果文件路径> [--output-dir <输出目录>]
-输出:
-    1. 标准输出打印 Markdown 格式漏洞报告（供直接展示给用户）
-    2. 在输出目录生成 parsed_result.json，包含结构化漏洞数据（供后续修复脚本使用）
-parsed_result.json 格式:
-    {
-        "total": 10,
-        "common_count": 7,
-        "sensitive_count": 3,
-        "bundle_hash": "xxx",
-        "common_vuls": [ ... ],
-        "sensitive_vuls": [ ... ]
-    }
-每个漏洞条目包含:
-    {
-        "ruleID": "codescan_java_mybatis-java_sqli",
-        "name": "Sql 注入漏洞",
-        "description": "...",
-        "suggestion": "...",
-        "level": "ERROR",
-        "level_cn": "严重",
-        "file": "src/main/java/...",
-        "startLine": 12,
-        "endLine": 12,
-        "hash": "abc123...",
-        "is_sensitive": false,
-        "codeFlows": [ {"file": "...", "line": 63, "message": "..."}, ... ]
-    }
-"""
-import argparse
-from collections import OrderedDict
-import json
-import os
-import sys
-LEVEL_MAP = {
-    "ERROR": "严重",
-    "WARNING": "高危",
-    "NOTE": "中危",
-    "NONE": "低危",
-}
-# 等级排序优先级（越小越严重）
-LEVEL_PRIORITY = {
-    "ERROR": 0,
-    "WARNING": 1,
-    "NOTE": 2,
-    "NONE": 3,
-}
-def parse_scan_result(scan_result):
-    # type: (dict) -> dict
-    """解析扫描结果，返回结构化漏洞数据。"""
-    data = scan_result.get("data", {})
-    runs = data.get("sarif", {}).get("runs", []) or data.get("runs", [])
-    # 提取 bundleHash（由 scan_vulnerability.py 写入顶层）
-    bundle_hash = scan_result.get("bundleHash", "")
-    # 建立 ruleID -> rule 映射
-    rule_map = {}
-    for run in runs:
-        tool = run.get("tool", {})
-        # 兼容 rules 在 tool 或 tool.driver 下
-        rules = tool.get("rules", []) or tool.get("driver", {}).get("rules", [])
-        for rule in rules:
-            rule_id = rule.get("id", "")
-            if rule_id:
-                rule_map[rule_id] = rule
-    # 解析漏洞结果
-    common_vuls = []
-    sensitive_vuls = []
-    for run in runs:
-        results = run.get("results", []) or run.get("result", [])
-        for result in results:
-            rule_id = result.get("ruleID", "") or result.get("ruleId", "")
-            rule = rule_map.get(rule_id, {})
-            # 基础信息
-            name = rule.get("name", rule_id)
-            description = rule.get("description", "") or result.get("message", {}).get("text", "")
-            suggestion = rule.get("suggestion", "")
-            level_config = rule.get("defaultConfiguration", {})
-            level = level_config.get("level", "NONE") if level_config else "NONE"
-            level_cn = LEVEL_MAP.get(level, "低危")
-            vul_hash = result.get("properties", {}).get("hash", "")
-            # 位置信息
-            locations = result.get("locations", [])
-            file_uri = ""
-            start_line = 0
-            end_line = 0
-            if locations:
-                phys = locations[0].get("physicalLocation", {})
-                artifact = phys.get("artifactLocation", {})
-                file_uri = artifact.get("uri", "")
-                region = artifact.get("region", {})
-                start_line = region.get("startLine", 0)
-                end_line = region.get("endLine", start_line)
-            # 数据流信息
-            code_flows_raw = result.get("codeFlows", [])
-            code_flows = []
-            if code_flows_raw:
-                thread_flows = code_flows_raw[0].get("threadFlows", [])
-                if thread_flows:
-                    for loc_wrapper in thread_flows[0].get("locations", []):
-                        loc = loc_wrapper.get("location", {})
-                        loc_phys = loc.get("physicalLocation", {})
-                        loc_file = loc_phys.get("artifactLocation", {}).get("uri", "")
-                        loc_region = loc_phys.get("region", {})
-                        loc_line = loc_region.get("startLine", 0)
-                        loc_msg = loc.get("message", {}).get("text", "")
-                        code_flows.append({
-                            "file": loc_file,
-                            "line": loc_line,
-                            "message": loc_msg,
-                        })
-            is_sensitive = "sensitive" in rule_id.lower()
-            vul_entry = {
-                "ruleID": rule_id,
-                "name": name,
-                "description": description,
-                "suggestion": suggestion,
-                "level": level,
-                "level_cn": level_cn,
-                "file": file_uri,
-                "startLine": start_line,
-                "endLine": end_line,
-                "hash": vul_hash,
-                "is_sensitive": is_sensitive,
-                "codeFlows": code_flows,
-            }
-            if is_sensitive:
-                sensitive_vuls.append(vul_entry)
-            else:
-                common_vuls.append(vul_entry)
-    # 按严重程度排序
-    def sort_key(v):
-        return (LEVEL_PRIORITY.get(v["level"], 99), v["file"], v["startLine"])
-    common_vuls.sort(key=sort_key)
-    sensitive_vuls.sort(key=sort_key)
-    return {
-        "total": len(common_vuls) + len(sensitive_vuls),
-        "common_count": len(common_vuls),
-        "sensitive_count": len(sensitive_vuls),
-        "bundle_hash": bundle_hash,
-        "common_vuls": common_vuls,
-        "sensitive_vuls": sensitive_vuls,
-    }
-def _file_basename(file_path):
-    # type: (str) -> str
-    return os.path.basename(file_path) if file_path else ""
-def format_vul_report(vuls, title="漏洞报告"):
-    # type: (list, str) -> str
-    """将漏洞列表按类型分组格式化为 Markdown 报告。
-    同一 ruleID 的漏洞归为一组，描述/等级/修复建议只展示一次，
-    漏洞位置列表化展示，数据流用 <details> 折叠。
-    """
-    if not vuls:
-        return ""
-    # 按 ruleID 分组，保持原有排序
-    groups = OrderedDict()  # type: OrderedDict[str, list]
-    for vul in vuls:
-        rule_id = vul["ruleID"]
-        if rule_id not in groups:
-            groups[rule_id] = []
-        groups[rule_id].append(vul)
-    lines = ["**{}**\n".format(title)]
-    for group_idx, (rule_id, group_vuls) in enumerate(groups.items(), 1):
-        rep = group_vuls[0]  # 取第一个作为代表获取公共信息
-        count = len(group_vuls)
-        count_suffix = "（{} 处）".format(count) if count > 1 else ""
-        lines.append("{}. **{}**{}".format(group_idx, rep["name"], count_suffix))
-        if rep["description"]:
-            lines.append("- **漏洞描述**：{}".format(rep["description"]))
-        lines.append("- **漏洞等级**：{}".format(rep["level_cn"]))
-        if rep["suggestion"]:
-            lines.append("- **修复建议**：{}".format(rep["suggestion"]))
-        # 漏洞位置列表
-        lines.append("- **漏洞位置**：")
-        for vul in group_vuls:
-            fname = _file_basename(vul["file"])
-            loc_label = "{}:{}".format(fname, vul["startLine"]) if fname else "未知位置"
-            loc_link = "[{}]({}#L{})".format(loc_label, vul["file"], vul["startLine"]) if vul["file"] else loc_label
-            lines.append("    - {}".format(loc_link))
-            # 数据流折叠展示
-            if vul["codeFlows"]:
-                lines.append("      <details><summary>数据流</summary>\n")
-                for hop_idx, hop in enumerate(vul["codeFlows"], 1):
-                    hop_fname = _file_basename(hop["file"])
-                    hop_label = "{}:{}".format(hop_fname, hop["line"]) if hop_fname else "未知"
-                    hop_link = "[{}]({}#L{})".format(hop_label, hop["file"], hop["line"]) if hop["file"] else hop_label
-                    hop_msg = hop.get("message", "")
-                    if hop_msg:
-                        lines.append("      {}. {} — {}".format(hop_idx, hop_link, hop_msg))
-                    else:
-                        lines.append("      {}. {}".format(hop_idx, hop_link))
-                lines.append("\n      </details>")
-        lines.append("")
-    return "\n".join(lines)
-def format_full_report(parsed):
-    # type: (dict) -> str
-    """生成完整的展示报告（包含两类漏洞）。"""
-    parts = []
-    if parsed["common_count"] > 0 and parsed["sensitive_count"] > 0:
-        parts.append("扫描发现 **{}** 个普通漏洞和 **{}** 个硬编码漏洞。\n".format(
-            parsed["common_count"], parsed["sensitive_count"]))
-    elif parsed["common_count"] > 0:
-        parts.append("扫描发现 **{}** 个普通漏洞。\n".format(parsed["common_count"]))
-    elif parsed["sensitive_count"] > 0:
-        parts.append("扫描发现 **{}** 个硬编码漏洞。\n".format(parsed["sensitive_count"]))
-    else:
-        parts.append("扫描完成，未发现漏洞。\n")
-        return "\n".join(parts)
-    if parsed["common_vuls"]:
-        parts.append(format_vul_report(parsed["common_vuls"], "普通漏洞报告"))
-    if parsed["sensitive_vuls"]:
-        parts.append(format_vul_report(parsed["sensitive_vuls"], "硬编码漏洞报告"))
-    return "\n".join(parts)
-def main():
-    """
-    主函数入口，解析命令行参数并处理扫描结果
-    Args:
-        无（通过命令行参数 --scan-result 和 --output-dir 传入）
-    Returns:
-        无（结果直接输出到标准输出和文件）
-    """
-    parser = argparse.ArgumentParser(description="扫描结果解析与展示工具")
-    parser.add_argument("--scan-result", required=True, help="扫描结果文件路径 (scan_result.json)")
-    parser.add_argument("--output-dir", default=None, help="结构化结果输出目录，默认与输入文件同目录")
-    args = parser.parse_args()
-    # 读取扫描结果
-    try:
-        with open(args.scan_result, "r", encoding="utf-8") as f:
-            scan_result = json.load(f)
-    except Exception as e:
-        print("错误: 读取扫描结果失败 {}: {}".format(args.scan_result, e), file=sys.stderr)
-        sys.exit(1)
-    # 解析
-    parsed = parse_scan_result(scan_result)
-    # 输出 Markdown 报告到标准输出
-    report = format_full_report(parsed)
-    print(report)
-    # 保存结构化 JSON
-    # 默认输出到输入文件同目录，自然跟随项目隔离
-    output_dir = args.output_dir or os.path.dirname(os.path.abspath(args.scan_result))
-    os.makedirs(output_dir, exist_ok=True)
-    output_file = os.path.join(output_dir, "parsed_result.json")
-    with open(output_file, "w", encoding="utf-8") as f:
-        json.dump(parsed, f, ensure_ascii=False, indent=2)
-    print(output_file, file=sys.stderr)
-if __name__ == "__main__":
-    main()

package/comate-engine/assets/skills/code-security/scripts/repair_vulnerability.py DELETED Viewed

@@ -1,261 +0,0 @@
-#!/usr/bin/env python3
-"""
-漏洞修复工具 - 根据扫描结果修复指定文件的漏洞。
-用法:
-    python3 repair_vulnerability.py --root-path <项目目录> --username <用户名> --parsed-result <parsed_result.json路径>
-    python3 repair_vulnerability.py --root-path <项目目录> --username <用户名> --vulnerability-info '<漏洞信息JSON>'
-支持两种输入方式（二选一）:
-    --parsed-result: 直接传入 parsed_result.json 路径，脚本自动提取普通漏洞并构建修复信息
-    --vulnerability-info: 传入漏洞信息 JSON 字符串
-流程:
-    1. 解析漏洞信息，计算待修复文件的哈希
-    2. 调用修复接口
-    3. 如有缺失文件则上传后重试
-    4. 返回包含 diff_content 的修复结果
-"""
-import argparse
-import base64
-import hashlib
-import json
-import logging
-import os
-import sys
-import time
-import uuid
-from typing import Dict, List, Tuple
-import http_client  # noqa: F401 (triggers shared logging config)
-HOST = "https://comate-sec.baidu-int.com"
-USERNAME = ""
-USER_ID = ""
-logger = logging.getLogger("repair")
-def build_headers():
-    # type: () -> Dict[str, str]
-    return {
-        "Comate-Username": USERNAME,
-        "Comate-User-Id": USER_ID,
-        "SAST-Request-ID": str(uuid.uuid4()),
-    }
-def calc_sha256(file_path):
-    # type: (str) -> str
-    sha256_hash = hashlib.sha256()
-    with open(file_path, "rb") as f:
-        for chunk in iter(lambda: f.read(4096), b""):
-            sha256_hash.update(chunk)
-    return sha256_hash.hexdigest()
-def read_file_content(file_path):
-    # type: (str) -> str
-    """读取文件内容，二进制文件用 base64 编码。"""
-    try:
-        with open(file_path, "r", encoding="utf-8") as f:
-            return f.read()
-    except UnicodeDecodeError:
-        with open(file_path, "rb") as f:
-            return base64.b64encode(f.read()).decode("ascii")
-def diff_file_content(file_path, new_content):
-    # type: (str, str) -> str
-    """比较原文件与修复后内容，返回 {from_content, to_content} JSON。"""
-    with open(file_path, "r", encoding="utf-8") as f:
-        old_content = f.read()
-    old_lines = old_content.split("\n")
-    new_lines = new_content.split("\n")
-    from_parts = []  # type: List[str]
-    to_parts = []  # type: List[str]
-    oi, ni = 0, 0
-    while oi < len(old_lines) and ni < len(new_lines):
-        if old_lines[oi] == new_lines[ni]:
-            oi += 1
-            ni += 1
-        else:
-            from_parts.append(old_lines[oi] + "\n")
-            to_parts.append(new_lines[ni] + "\n")
-            oi += 1
-            ni += 1
-    while oi < len(old_lines):
-        from_parts.append(old_lines[oi] + "\n")
-        oi += 1
-    while ni < len(new_lines):
-        to_parts.append(new_lines[ni] + "\n")
-        ni += 1
-    return json.dumps(
-        {"from_content": "".join(from_parts), "to_content": "".join(to_parts)},
-        ensure_ascii=False,
-        indent=2,
-    )
-def upload_files_for_repair(root_path, missing_files):
-    # type: (str, List[str]) -> None
-    """上传修复过程中缺失的文件。"""
-    payload = {"files": {}}
-    for name in missing_files:
-        file_path = os.path.join(root_path, name)
-        try:
-            content = read_file_content(file_path)
-            file_hash = calc_sha256(file_path)
-            payload["files"][name] = {"hash": file_hash, "content": content}
-        except Exception as e:
-            print("警告: 读取文件失败 {}: {}".format(file_path, e), file=sys.stderr)
-    http_client.put("{}/api/v1/upload".format(HOST), headers=build_headers(), json_body=payload)
-def repair_vulnerability(root_path, vulnerability_info):
-    # type: (str, Dict) -> Dict
-    """执行漏洞修复，返回包含 diff 的修复结果。"""
-    # 计算待修复文件的哈希
-    for file_info in vulnerability_info.get("files", []):
-        file_path = os.path.join(root_path, file_info["name"])
-        if os.path.isfile(file_path):
-            file_info["hash"] = calc_sha256(file_path)
-    repair_type = vulnerability_info.get("type", 2)
-    file_count = len(vulnerability_info.get("files", []))
-    logger.info("repair start: type=%d, files=%d", repair_type, file_count)
-    api_url = "{}/api/v2/repair_file".format(HOST)
-    print("开始修复...", file=sys.stderr)
-    while True:
-        result = http_client.post(
-            api_url,
-            headers=build_headers(),
-            json_body=vulnerability_info,
-        )
-        # 如有缺失文件，先上传
-        missing = result.get("data", {}).get("missingFiles", [])
-        if missing:
-            print("上传缺失文件: {} 个".format(len(missing)), file=sys.stderr)
-            upload_files_for_repair(root_path, missing)
-            time.sleep(3)
-            continue
-        # status != 0 表示完成
-        if result.get("status") != 0:
-            # 生成 diff
-            files_data = result.get("data", {}).get("files", [])
-            for file_data in files_data:
-                repaired_content = file_data.get("repairedContent", "")
-                if repaired_content:
-                    file_path = os.path.join(root_path, file_data["name"])
-                    if os.path.isfile(file_path):
-                        diff_json = diff_file_content(file_path, repaired_content)
-                        file_data["diff_content"] = diff_json
-                    # 置空防止泄露完整源码
-                    file_data["repairedContent"] = ""
-            return result
-        print("修复中，等待结果...", file=sys.stderr)
-        time.sleep(3)
-def build_vulnerability_info(parsed):
-    # type: (dict) -> dict
-    """从 parsed_result.json 构建修复接口所需的 vulnerability-info。"""
-    bundle_hash = parsed.get("bundle_hash", "")
-    common_vuls = parsed.get("common_vuls", [])
-    file_map = {}  # type: dict
-    for vul in common_vuls:
-        fname = vul.get("file", "")
-        if not fname:
-            continue
-        if fname not in file_map:
-            file_map[fname] = {"name": fname, "vulList": []}
-        file_map[fname]["vulList"].append({
-            "ruleID": vul.get("ruleID", ""),
-            "line": vul.get("startLine", 0),
-            "hash": vul.get("hash", ""),
-        })
-    return {
-        "files": list(file_map.values()),
-        "type": 2,
-        "extra": {
-            "bundleHash": bundle_hash,
-        },
-    }
-def main():
-    global USERNAME, USER_ID
-    parser = argparse.ArgumentParser(description="代码安全漏洞修复工具")
-    parser.add_argument("--root-path", required=True, help="项目根目录")
-    parser.add_argument("--username", required=True, help="Comate 用户名")
-    parser.add_argument("--vulnerability-info", default=None, help="漏洞信息 JSON 字符串")
-    parser.add_argument("--parsed-result", default=None,
-                        help="解析结果文件路径 (parsed_result.json)，与 --vulnerability-info 二选一")
-    parser.add_argument("--output-dir", default=None, help="结果输出目录，默认为 skill 临时目录")
-    args = parser.parse_args()
-    if not args.vulnerability_info and not args.parsed_result:
-        print("错误: 必须提供 --vulnerability-info 或 --parsed-result 之一", file=sys.stderr)
-        sys.exit(1)
-    USERNAME = args.username
-    USER_ID = hashlib.md5(USERNAME.encode("utf-8")).hexdigest()[:12]
-    logger.info("repair_vulnerability start: username=%s, root_path=%s", USERNAME, args.root_path)
-    root_path = os.path.realpath(args.root_path)
-    if not os.path.isdir(root_path):
-        print("错误: 目录不存在 {}".format(root_path), file=sys.stderr)
-        sys.exit(1)
-    # 默认输出到 skill 临时目录，按项目路径隔离子目录避免并发冲突
-    skill_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
-    project_name = os.path.basename(root_path)
-    path_hash = hashlib.md5(root_path.encode("utf-8")).hexdigest()[:8]
-    default_output = os.path.join(skill_dir, ".tmp", "{}_{}".format(project_name, path_hash))
-    output_dir = os.path.realpath(args.output_dir) if args.output_dir else default_output
-    os.makedirs(output_dir, exist_ok=True)
-    if args.parsed_result:
-        try:
-            with open(args.parsed_result, "r", encoding="utf-8") as f:
-                parsed = json.load(f)
-        except Exception as e:
-            print("错误: 读取解析结果失败 {}: {}".format(args.parsed_result, e), file=sys.stderr)
-            sys.exit(1)
-        if not parsed.get("common_vuls"):
-            print("无普通漏洞需要修复", file=sys.stderr)
-            sys.exit(0)
-        vulnerability_info = build_vulnerability_info(parsed)
-    else:
-        try:
-            vulnerability_info = json.loads(args.vulnerability_info)
-        except json.JSONDecodeError as e:
-            print("错误: 漏洞信息 JSON 解析失败: {}".format(e), file=sys.stderr)
-            sys.exit(1)
-    result = repair_vulnerability(root_path, vulnerability_info)
-    output_file = os.path.join(output_dir, "repair_result.json")
-    with open(output_file, "w", encoding="utf-8") as f:
-        json.dump(result, f, ensure_ascii=False, indent=2)
-    print(output_file)
-if __name__ == "__main__":
-    main()