@conterra/vuln-scan 0.0.19 → 0.0.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -98,13 +98,13 @@ The following sample lists all available options with their default values:
98
98
 
99
99
  /* Defines if the process should fail or only log a warning or ignore vulnerabilities.
100
100
  If "fail" exit 1 is called.
101
- If "warn" the log statement "##vso[task.complete result=SucceededWithIssues;]NEW_VULNERABILITIES_DETECTED" is issued.
101
+ If "warn" the log statement "##vso[task.complete result=SucceededWithIssues;] is issued.
102
102
  If "ignore" nothing happens.
103
103
  */
104
104
  "onNewVulnerabilities": "fail",
105
105
  /* Defines if the process should fail or only log a warning or ignore no longer detected vulnerabilities.
106
106
  If "fail" exit 1 is called.
107
- If "warn" the log statement "##vso[task.complete result=SucceededWithIssues;]NO_LONGER_DETECTED_VULNERABILITIES" is issued.
107
+ If "warn" the log statement "##vso[task.complete result=SucceededWithIssues;] is issued.
108
108
  If "ignore" nothing happens.
109
109
  */
110
110
  "onNoLongerDetectedVulnerabilities": "ignore",
package/dist/vuln-scan.js CHANGED
@@ -8,7 +8,7 @@ GFS4: `),console.error(t)});E[M]||(Wt=global[M]||[],Ht(E,Wt),E.close=function(t)
8
8
  `,finalEOL:r=!0,replacer:n=null,spaces:i}={}){let o=r?e:"";return JSON.stringify(t,n,i).replace(/\n/g,e)+o}function $o(t){return Buffer.isBuffer(t)&&(t=t.toString("utf8")),t.replace(/^\uFEFF/,"")}nn.exports={stringify:_o,stripBom:$o}});var cn=y((tc,an)=>{var pe;try{pe=fe()}catch{pe=require("fs")}var Ae=N(),{stringify:on,stripBom:sn}=Ve();async function qo(t,e={}){typeof e=="string"&&(e={encoding:e});let r=e.fs||pe,n="throws"in e?e.throws:!0,i=await Ae.fromCallback(r.readFile)(t,e);i=sn(i);let o;try{o=JSON.parse(i,e?e.reviver:null)}catch(s){if(n)throw s.message=`${t}: ${s.message}`,s;return null}return o}var Uo=Ae.fromPromise(qo);function Bo(t,e={}){typeof e=="string"&&(e={encoding:e});let r=e.fs||pe,n="throws"in e?e.throws:!0;try{let i=r.readFileSync(t,e);return i=sn(i),JSON.parse(i,e.reviver)}catch(i){if(n)throw i.message=`${t}: ${i.message}`,i;return null}}async function Xo(t,e,r={}){let n=r.fs||pe,i=on(e,r);await Ae.fromCallback(n.writeFile)(t,i,r)}var Go=Ae.fromPromise(Xo);function Wo(t,e,r={}){let n=r.fs||pe,i=on(e,r);return n.writeFileSync(t,i,r)}var Jo={readFile:Uo,readFileSync:Bo,writeFile:Go,writeFileSync:Wo};an.exports=Jo});var un=y((rc,ln)=>{"use strict";var Me=cn();ln.exports={readJson:Me.readFile,readJsonSync:Me.readFileSync,writeJson:Me.writeFile,writeJsonSync:Me.writeFileSync}});var Re=y((nc,dn)=>{"use strict";var Ho=N().fromPromise,St=_(),fn=require("path"),mn=X(),Ko=te().pathExists;async function Yo(t,e,r="utf-8"){let n=fn.dirname(t);return await Ko(n)||await mn.mkdirs(n),St.writeFile(t,e,r)}function Qo(t,...e){let r=fn.dirname(t);St.existsSync(r)||mn.mkdirsSync(r),St.writeFileSync(t,...e)}dn.exports={outputFile:Ho(Yo),outputFileSync:Qo}});var yn=y((ic,pn)=>{"use strict";var{stringify:zo}=Ve(),{outputFile:Zo}=Re();async function es(t,e,r={}){let n=zo(e,r);await Zo(t,n,r)}pn.exports=es});var gn=y((oc,hn)=>{"use strict";var{stringify:ts}=Ve(),{outputFileSync:rs}=Re();function ns(t,e,r){let n=ts(e,r);rs(t,n,r)}hn.exports=ns});var vn=y((sc,Sn)=>{"use strict";var is=N().fromPromise,q=un();q.outputJson=is(yn());q.outputJsonSync=gn();q.outputJSON=q.outputJson;q.outputJSONSync=q.outputJsonSync;q.writeJSON=q.writeJson;q.writeJSONSync=q.writeJsonSync;q.readJSON=q.readJson;q.readJSONSync=q.readJsonSync;Sn.exports=q});var Pn=y((ac,Ln)=>{"use strict";var os=_(),wn=require("path"),{copy:ss}=Ie(),{remove:xn}=xe(),{mkdirp:as}=X(),{pathExists:cs}=te(),bn=ce();async function ls(t,e,r={}){let n=r.overwrite||r.clobber||!1,{srcStat:i,isChangingCase:o=!1}=await bn.checkPaths(t,e,"move",r);await bn.checkParentPaths(t,i,e,"move");let s=wn.dirname(e);return wn.parse(s).root!==s&&await as(s),us(t,e,n,o)}async function us(t,e,r,n){if(!n){if(r)await xn(e);else if(await cs(e))throw new Error("dest already exists.")}try{await os.rename(t,e)}catch(i){if(i.code!=="EXDEV")throw i;await fs(t,e,r)}}async function fs(t,e,r){return await ss(t,e,{overwrite:r,errorOnExist:!0,preserveTimestamps:!0}),xn(t)}Ln.exports=ls});var Nn=y((cc,On)=>{"use strict";var kn=fe(),wt=require("path"),ms=Ie().copySync,Dn=xe().removeSync,ds=X().mkdirpSync,En=ce();function ps(t,e,r){r=r||{};let n=r.overwrite||r.clobber||!1,{srcStat:i,isChangingCase:o=!1}=En.checkPathsSync(t,e,"move",r);return En.checkParentPathsSync(t,i,e,"move"),ys(e)||ds(wt.dirname(e)),hs(t,e,n,o)}function ys(t){let e=wt.dirname(t);return wt.parse(e).root===e}function hs(t,e,r,n){if(n)return vt(t,e,r);if(r)return Dn(e),vt(t,e,r);if(kn.existsSync(e))throw new Error("dest already exists.");return vt(t,e,r)}function vt(t,e,r){try{kn.renameSync(t,e)}catch(n){if(n.code!=="EXDEV")throw n;return gs(t,e,r)}}function gs(t,e,r){return ms(t,e,{overwrite:r,errorOnExist:!0,preserveTimestamps:!0}),Dn(t)}On.exports=ps});var jn=y((lc,Tn)=>{"use strict";var Ss=N().fromPromise;Tn.exports={move:Ss(Pn()),moveSync:Nn()}});var In=y((uc,Fn)=>{"use strict";Fn.exports={..._(),...Ie(),...Tr(),...rn(),...vn(),...X(),...jn(),...Re(),...te(),...xe()}});var Vn=y(Ce=>{"use strict";Object.defineProperty(Ce,"__esModule",{value:!0});Ce.EXTENSIONS_LANGUAGES=void 0;Ce.EXTENSIONS_LANGUAGES={1:"Groff",2:"Groff",3:"Groff",4:"Groff",5:"Groff",6:"Groff",7:"Groff",8:"Groff",9:"Groff",abap:"ABAP",asc:"Public Key",ash:"AGS Script",ampl:"AMPL",mod:"XML",g4:"ANTLR",apib:"API Blueprint",apl:"APL",dyalog:"APL",asp:"ASP",asax:"ASP",ascx:"ASP",ashx:"ASP",asmx:"ASP",aspx:"ASP",axd:"ASP",dats:"ATS",hats:"ATS",sats:"ATS",as:"ActionScript",adb:"Ada",ada:"Ada",ads:"Ada",agda:"Agda",als:"Alloy",apacheconf:"ApacheConf",vhost:"Nginx",cls:"Visual Basic",applescript:"AppleScript",scpt:"AppleScript",arc:"Arc",ino:"Arduino",asciidoc:"AsciiDoc",adoc:"AsciiDoc",aj:"AspectJ",asm:"Assembly",a51:"Assembly",inc:"SourcePawn",nasm:"Assembly",aug:"Augeas",ahk:"AutoHotkey",ahkl:"AutoHotkey",au3:"AutoIt",awk:"Awk",auk:"Awk",gawk:"Awk",mawk:"Awk",nawk:"Awk",bat:"Batchfile",cmd:"Batchfile",befunge:"Befunge",bison:"Bison",bb:"BlitzBasic",decls:"BlitzBasic",bmx:"BlitzMax",bsv:"Bluespec",boo:"Boo",b:"Limbo",bf:"HyPhy",brs:"Brightscript",bro:"Bro",c:"C",cats:"C",h:"Objective-C",idc:"C",w:"C",cs:"Smalltalk",cake:"CoffeeScript",cshtml:"C#",csx:"C#",cpp:"C++","c++":"C++",cc:"C++",cp:"Component Pascal",cxx:"C++","h++":"C++",hh:"Hack",hpp:"C++",hxx:"C++",inl:"C++",ipp:"C++",tcc:"C++",tpp:"C++","c-objdump":"C-ObjDump",chs:"C2hs Haskell",clp:"CLIPS",cmake:"CMake","cmake.in":"CMake",cob:"COBOL",cbl:"COBOL",ccp:"COBOL",cobol:"COBOL",cpy:"COBOL",css:"CSS",csv:"CSV",capnp:"Cap'n Proto",mss:"CartoCSS",ceylon:"Ceylon",chpl:"Chapel",ch:"xBase",ck:"ChucK",cirru:"Cirru",clw:"Clarion",icl:"Clean",dcl:"Clean",click:"Click",clj:"Clojure",boot:"Clojure",cl2:"Clojure",cljc:"Clojure",cljs:"Clojure","cljs.hl":"Clojure",cljscm:"Clojure",cljx:"Clojure",hic:"Clojure",coffee:"CoffeeScript",_coffee:"CoffeeScript",cjsx:"CoffeeScript",cson:"CoffeeScript",iced:"CoffeeScript",cfm:"ColdFusion",cfml:"ColdFusion",cfc:"ColdFusion CFC",lisp:"NewLisp",asd:"Common Lisp",cl:"OpenCL",l:"PicoLisp",lsp:"NewLisp",ny:"Common Lisp",podsl:"Common Lisp",sexp:"Common Lisp",cps:"Component Pascal",coq:"Coq",v:"Verilog",cppobjdump:"Cpp-ObjDump","c++-objdump":"Cpp-ObjDump","c++objdump":"Cpp-ObjDump","cpp-objdump":"Cpp-ObjDump","cxx-objdump":"Cpp-ObjDump",creole:"Creole",cr:"Crystal",feature:"Cucumber",cu:"Cuda",cuh:"Cuda",cy:"Cycript",pyx:"Cython",pxd:"Cython",pxi:"Cython",d:"Makefile",di:"D","d-objdump":"D-ObjDump",com:"DIGITAL Command Language",dm:"DM",zone:"DNS Zone",arpa:"DNS Zone",darcspatch:"Darcs Patch",dpatch:"Darcs Patch",dart:"Dart",diff:"Diff",patch:"Diff",dockerfile:"Dockerfile",djs:"Dogescript",dylan:"Dylan",dyl:"Dylan",intr:"Dylan",lid:"Dylan",E:"E",ecl:"ECLiPSe",eclxml:"ECL",sch:"KiCad",brd:"KiCad",epj:"Ecere Projects",e:"Eiffel",ex:"Elixir",exs:"Elixir",elm:"Elm",el:"Emacs Lisp",emacs:"Emacs Lisp","emacs.desktop":"Emacs Lisp",em:"EmberScript",emberscript:"EmberScript",erl:"Erlang",es:"JavaScript",escript:"Erlang",hrl:"Erlang",xrl:"Erlang",yrl:"Erlang",fs:"GLSL",fsi:"F#",fsx:"F#",fx:"HLSL",flux:"FLUX",f90:"FORTRAN",f:"Forth",f03:"FORTRAN",f08:"FORTRAN",f77:"FORTRAN",f95:"FORTRAN",for:"Forth",fpp:"FORTRAN",factor:"Factor",fy:"Fancy",fancypack:"Fancy",fan:"Fantom","eam.fs":"Formatted",fth:"Forth","4th":"Forth",forth:"Forth",fr:"Text",frt:"Forth",ftl:"FreeMarker",g:"GAP",gco:"G-code",gcode:"G-code",gms:"GAMS",gap:"GAP",gd:"GDScript",gi:"GAP",tst:"Scilab",s:"GAS",ms:"MAXScript",glsl:"GLSL",fp:"GLSL",frag:"JavaScript",frg:"GLSL",fsh:"GLSL",fshader:"GLSL",geo:"GLSL",geom:"GLSL",glslv:"GLSL",gshader:"GLSL",shader:"GLSL",vert:"GLSL",vrx:"GLSL",vsh:"GLSL",vshader:"GLSL",gml:"XML",kid:"Genshi",ebuild:"Gentoo Ebuild",eclass:"Gentoo Eclass",po:"Gettext Catalog",pot:"Gettext Catalog",glf:"Glyph",gp:"Gnuplot",gnu:"Gnuplot",gnuplot:"Gnuplot",plot:"Gnuplot",plt:"Gnuplot",go:"Go",golo:"Golo",gs:"JavaScript",gst:"Gosu",gsx:"Gosu",vark:"Gosu",grace:"Grace",gradle:"Gradle",gf:"Grammatical Framework",graphql:"GraphQL",dot:"Graphviz (DOT)",gv:"Graphviz (DOT)",man:"Groff","1in":"Groff","1m":"Groff","1x":"Groff","3in":"Groff","3m":"Groff","3qt":"Groff","3x":"Groff",me:"Groff",n:"Nemerle",rno:"Groff",roff:"Groff",groovy:"Groovy",grt:"Groovy",gtpl:"Groovy",gvy:"Groovy",gsp:"Groovy Server Pages",hcl:"HCL",tf:"HCL",hlsl:"HLSL",fxh:"HLSL",hlsli:"HLSL",html:"HTML",htm:"HTML","html.hl":"HTML",st:"Smalltalk",xht:"HTML",xhtml:"HTML",mustache:"HTML+Django",jinja:"HTML+Django",eex:"HTML+EEX",erb:"HTML+ERB","erb.deface":"HTML+ERB",phtml:"HTML+PHP",http:"HTTP",php:"PHP",haml:"Haml","haml.deface":"Haml",handlebars:"Handlebars",hbs:"Handlebars",hb:"Harbour",hs:"Haskell",hsc:"Haskell",hx:"Haxe",hxsl:"Haxe",hy:"Hy",pro:"QMake",dlm:"IDL",ipf:"IGOR Pro",ini:"INI",cfg:"INI",prefs:"INI",properties:"INI",irclog:"IRC log",weechatlog:"IRC log",idr:"Idris",lidr:"Idris",ni:"Inform 7",i7x:"Inform 7",iss:"Inno Setup",io:"Io",ik:"Ioke",thy:"Isabelle",ijs:"J",flex:"JFlex",jflex:"JFlex",json:"JSON",geojson:"JSON",lock:"JSON",topojson:"JSON",json5:"JSON5",jsonld:"JSONLD",jq:"JSONiq",jsx:"JSX",jade:"Jade",j:"Objective-J",java:"Java",jsp:"Java Server Pages",js:"JavaScript",_js:"JavaScript",bones:"JavaScript",es6:"JavaScript",jake:"JavaScript",jsb:"JavaScript",jscad:"JavaScript",jsfl:"JavaScript",jsm:"JavaScript",jss:"JavaScript",njs:"JavaScript",pac:"JavaScript",sjs:"JavaScript",ssjs:"JavaScript","sublime-build":"JavaScript","sublime-commands":"JavaScript","sublime-completions":"JavaScript","sublime-keymap":"JavaScript","sublime-macro":"JavaScript","sublime-menu":"JavaScript","sublime-mousemap":"JavaScript","sublime-project":"JavaScript","sublime-settings":"JavaScript","sublime-theme":"JavaScript","sublime-workspace":"JavaScript",sublime_metrics:"JavaScript",sublime_session:"JavaScript",xsjs:"JavaScript",xsjslib:"JavaScript",jl:"Julia",ipynb:"Jupyter Notebook",krl:"KRL",kicad_pcb:"KiCad",kit:"Kit",kt:"Kotlin",ktm:"Kotlin",kts:"Kotlin",lfe:"LFE",ll:"LLVM",lol:"LOLCODE",lsl:"LSL",lslp:"LSL",lvproj:"LabVIEW",lasso:"Lasso",las:"Lasso",lasso8:"Lasso",lasso9:"Lasso",ldml:"Lasso",latte:"Latte",lean:"Lean",hlean:"Lean",less:"Less",lex:"Lex",ly:"LilyPond",ily:"LilyPond",m:"Objective-C",ld:"Linker Script",lds:"Linker Script",liquid:"Liquid",lagda:"Literate Agda",litcoffee:"Literate CoffeeScript",lhs:"Literate Haskell",ls:"LoomScript",_ls:"LiveScript",xm:"Logos",x:"Logos",xi:"Logos",lgt:"Logtalk",logtalk:"Logtalk",lookml:"LookML",lua:"Lua",fcgi:"Shell",nse:"Lua",pd_lua:"Lua",rbxs:"Lua",wlua:"Lua",mumps:"M",m4:"M4Sugar",mcr:"MAXScript",mtml:"MTML",muf:"MUF",mak:"Makefile",mk:"Makefile",mkfile:"Makefile",mako:"Mako",mao:"Mako",md:"Markdown",markdown:"Markdown",mkd:"Markdown",mkdn:"Markdown",mkdown:"Markdown",ron:"Markdown",mask:"Mask",mathematica:"Mathematica",cdf:"Mathematica",ma:"Mathematica",mt:"Mathematica",nb:"Text",nbp:"Mathematica",wl:"Mathematica",wlt:"Mathematica",matlab:"Matlab",maxpat:"Max",maxhelp:"Max",maxproj:"Max",mxt:"Max",pat:"Max",mediawiki:"MediaWiki",wiki:"MediaWiki",moo:"Moocode",metal:"Metal",minid:"MiniD",druby:"Mirah",duby:"Mirah",mir:"Mirah",mirah:"Mirah",mo:"Modelica",mms:"Module Management System",mmk:"Module Management System",monkey:"Monkey",moon:"MoonScript",myt:"Myghty",ncl:"Text",nl:"NewLisp",nsi:"NSIS",nsh:"NSIS",axs:"NetLinx",axi:"NetLinx","axs.erb":"NetLinx+ERB","axi.erb":"NetLinx+ERB",nlogo:"NetLogo",nginxconf:"Nginx",nim:"Nimrod",nimrod:"Nimrod",ninja:"Ninja",nit:"Nit",nix:"Nix",nu:"Nu",numpy:"NumPy",numpyw:"NumPy",numsc:"NumPy",ml:"OCaml",eliom:"OCaml",eliomi:"OCaml",ml4:"OCaml",mli:"OCaml",mll:"OCaml",mly:"OCaml",objdump:"ObjDump",mm:"XML",sj:"Objective-J",omgrofl:"Omgrofl",opa:"Opa",opal:"Opal",opencl:"OpenCL",p:"OpenEdge ABL",scad:"OpenSCAD",org:"Org",ox:"Ox",oxh:"Ox",oxo:"Ox",oxygene:"Oxygene",oz:"Oz",pwn:"PAWN",aw:"PHP",ctp:"PHP",php3:"PHP",php4:"PHP",php5:"PHP",phps:"PHP",phpt:"PHP",pls:"PLSQL",pck:"PLSQL",pkb:"PLSQL",pks:"PLSQL",plb:"PLSQL",plsql:"PLSQL",sql:"SQLPL",pov:"POV-Ray SDL",pan:"Pan",psc:"Papyrus",parrot:"Parrot",pasm:"Parrot Assembly",pir:"Parrot Internal Representation",pas:"Pascal",dfm:"Pascal",dpr:"Pascal",lpr:"Pascal",pp:"Puppet",pl:"Prolog",al:"Perl",cgi:"Shell",perl:"Perl",ph:"Perl",plx:"Perl",pm:"Perl6",pod:"Pod",psgi:"Perl",t:"Turing","6pl":"Perl6","6pm":"Perl6",nqp:"Perl6",p6:"Perl6",p6l:"Perl6",p6m:"Perl6",pl6:"Perl6",pm6:"Perl6",pkl:"Pickle",pig:"PigLatin",pike:"Pike",pmod:"Pike",pogo:"PogoScript",pony:"Pony",ps:"PostScript",eps:"PostScript",ps1:"PowerShell",psd1:"PowerShell",psm1:"PowerShell",pde:"Processing",prolog:"Prolog",yap:"Prolog",spin:"Propeller Spin",proto:"Protocol Buffer",pub:"Public Key",pd:"Pure Data",pb:"PureBasic",pbi:"PureBasic",purs:"PureScript",py:"Python",bzl:"Python",gyp:"Python",lmi:"Python",pyde:"Python",pyp:"Python",pyt:"Python",pyw:"Python",rpy:"Ren'Py",tac:"Python",wsgi:"Python",xpy:"Python",pytb:"Python traceback",qml:"QML",qbs:"QML",pri:"QMake",r:"Rebol",rd:"R",rsx:"R",raml:"RAML",rdoc:"RDoc",rbbas:"REALbasic",rbfrm:"REALbasic",rbmnu:"REALbasic",rbres:"REALbasic",rbtbar:"REALbasic",rbuistate:"REALbasic",rhtml:"RHTML",rmd:"RMarkdown",rkt:"Racket",rktd:"Racket",rktl:"Racket",scrbl:"Racket",rl:"Ragel in Ruby Host",raw:"Raw token data",reb:"Rebol",r2:"Rebol",r3:"Rebol",rebol:"Rebol",red:"Red",reds:"Red",cw:"Redcode",rs:"Rust",rsh:"RenderScript",robot:"RobotFramework",rg:"Rouge",rb:"Ruby",builder:"Ruby",gemspec:"Ruby",god:"Ruby",irbrc:"Ruby",jbuilder:"Ruby",mspec:"Ruby",pluginspec:"XML",podspec:"Ruby",rabl:"Ruby",rake:"Ruby",rbuild:"Ruby",rbw:"Ruby",rbx:"Ruby",ru:"Ruby",ruby:"Ruby",thor:"Ruby",watchr:"Ruby","rs.in":"Rust",sas:"SAS",scss:"SCSS",smt2:"SMT",smt:"SMT",sparql:"SPARQL",rq:"SPARQL",sqf:"SQF",hqf:"SQF",cql:"SQL",ddl:"SQL",prc:"SQL",tab:"SQL",udf:"SQL",viw:"SQL",db2:"SQLPL",ston:"STON",svg:"SVG",sage:"Sage",sagews:"Sage",sls:"Scheme",sass:"Sass",scala:"Scala",sbt:"Scala",sc:"SuperCollider",scaml:"Scaml",scm:"Scheme",sld:"Scheme",sps:"Scheme",ss:"Scheme",sci:"Scilab",sce:"Scilab",self:"Self",sh:"Shell",bash:"Shell",bats:"Shell",command:"Shell",ksh:"Shell","sh.in":"Shell",tmux:"Shell",tool:"Shell",zsh:"Shell","sh-session":"ShellSession",shen:"Shen",sl:"Slash",slim:"Slim",smali:"Smali",tpl:"Smarty",sp:"SourcePawn",sma:"SourcePawn",nut:"Squirrel",stan:"Stan",ML:"Standard ML",fun:"Standard ML",sig:"Standard ML",sml:"Standard ML",do:"Stata",ado:"Stata",doh:"Stata",ihlp:"Stata",mata:"Stata",matah:"Stata",sthlp:"Stata",styl:"Stylus",scd:"SuperCollider",swift:"Swift",sv:"SystemVerilog",svh:"SystemVerilog",vh:"SystemVerilog",toml:"TOML",txl:"TXL",tcl:"Tcl",adp:"Tcl",tm:"Tcl",tcsh:"Tcsh",csh:"Tcsh",tex:"TeX",aux:"TeX",bbx:"TeX",bib:"TeX",cbx:"TeX",dtx:"TeX",ins:"TeX",lbx:"TeX",ltx:"TeX",mkii:"TeX",mkiv:"TeX",mkvi:"TeX",sty:"TeX",toc:"TeX",tea:"Tea",txt:"Text",no:"Text",textile:"Textile",thrift:"Thrift",tu:"Turing",ttl:"Turtle",twig:"Twig",ts:"XML",tsx:"XML",upc:"Unified Parallel C",anim:"Unity3D Asset",asset:"Unity3D Asset",mat:"Unity3D Asset",meta:"Unity3D Asset",prefab:"Unity3D Asset",unity:"Unity3D Asset",uno:"Uno",uc:"UnrealScript",ur:"UrWeb",urs:"UrWeb",vcl:"VCL",vhdl:"VHDL",vhd:"VHDL",vhf:"VHDL",vhi:"VHDL",vho:"VHDL",vhs:"VHDL",vht:"VHDL",vhw:"VHDL",vala:"Vala",vapi:"Vala",veo:"Verilog",vim:"VimL",vb:"Visual Basic",bas:"Visual Basic",frm:"Visual Basic",frx:"Visual Basic",vba:"Visual Basic",vbhtml:"Visual Basic",vbs:"Visual Basic",volt:"Volt",vue:"Vue",owl:"Web Ontology Language",webidl:"WebIDL",x10:"X10",xc:"XC",xml:"XML",ant:"XML",axml:"XML",ccxml:"XML",clixml:"XML",cproject:"XML",csl:"XML",csproj:"XML",ct:"XML",dita:"XML",ditamap:"XML",ditaval:"XML","dll.config":"XML",dotsettings:"XML",filters:"XML",fsproj:"XML",fxml:"XML",glade:"XML",grxml:"XML",iml:"XML",ivy:"XML",jelly:"XML",jsproj:"XML",kml:"XML",launch:"XML",mdpolicy:"XML",mxml:"XML",nproj:"XML",nuspec:"XML",odd:"XML",osm:"XML",plist:"XML",props:"XML",ps1xml:"XML",psc1:"XML",pt:"XML",rdf:"XML",rss:"XML",scxml:"XML",srdf:"XML",storyboard:"XML",stTheme:"XML","sublime-snippet":"XML",targets:"XML",tmCommand:"XML",tml:"XML",tmLanguage:"XML",tmPreferences:"XML",tmSnippet:"XML",tmTheme:"XML",ui:"XML",urdf:"XML",ux:"XML",vbproj:"XML",vcxproj:"XML",vssettings:"XML",vxml:"XML",wsdl:"XML",wsf:"XML",wxi:"XML",wxl:"XML",wxs:"XML",x3d:"XML",xacro:"XML",xaml:"XML",xib:"XML",xlf:"XML",xliff:"XML",xmi:"XML","xml.dist":"XML",xproj:"XML",xsd:"XML",xul:"XML",zcml:"XML","xsp-config":"XPages","xsp.metadata":"XPages",xpl:"XProc",xproc:"XProc",xquery:"XQuery",xq:"XQuery",xql:"XQuery",xqm:"XQuery",xqy:"XQuery",xs:"XS",xslt:"XSLT",xsl:"XSLT",xojo_code:"Xojo",xojo_menu:"Xojo",xojo_report:"Xojo",xojo_script:"Xojo",xojo_toolbar:"Xojo",xojo_window:"Xojo",xtend:"Xtend",yml:"YAML",reek:"YAML",rviz:"YAML","sublime-syntax":"YAML",syntax:"YAML",yaml:"YAML","yaml-tmlanguage":"YAML",yang:"YANG",y:"Yacc",yacc:"Yacc",yy:"Yacc",zep:"Zephir",zimpl:"Zimpl",zmpl:"Zimpl",zpl:"Zimpl",desktop:"desktop","desktop.in":"desktop",ec:"eC",eh:"eC",edn:"edn",fish:"fish",mu:"mupad",nc:"nesC",ooc:"ooc",rst:"reStructuredText",rest:"reStructuredText","rest.txt":"reStructuredText","rst.txt":"reStructuredText",wisp:"wisp",prg:"xBase",prw:"xBase"}});var Pe=y(bt=>{"use strict";Object.defineProperty(bt,"__esModule",{value:!0});bt.setOptionValues=vs;function vs(t,e){for(let r of Object.keys(e))t[r]!==void 0&&(e[r]=t[r]);return e}});var Mn=y(_e=>{"use strict";Object.defineProperty(_e,"__esModule",{value:!0});_e.SarifBuilder=void 0;var ws=require("path"),An=In(),bs=Vn(),xs=Pe(),xt=class{constructor(e={}){this.log={$schema:"http://json.schemastore.org/sarif-2.1.0.json",version:"2.1.0",runs:[]},(0,xs.setOptionValues)(e,this.log)}addRun(e){this.log.runs.push(e.run)}generateSarifFileSync(e){let r=this.buildSarifJsonString();An.writeFileSync(e,r,"utf8")}async generateSarifFile(e){let r=this.buildSarifJsonString();await An.writeFile(e,r,"utf8")}buildSarifOutput(){return this.log.runs=this.log.runs.map(e=>this.completeRunFields(e)),this.log}buildSarifJsonString(e={indent:!1}){this.buildSarifOutput();let r=e.indent?JSON.stringify(this.log,null,2):JSON.stringify(this.log);if(r.includes("SARIF_BUILDER_INVALID"))throw new Error("Your SARIF log is invalid, please solve SARIF_BUILDER_INVALID messages");return r}completeRunFields(e){var r,n,i,o;e.artifacts=e.artifacts||[];for(let l of e.results)for(let u of l.locations||[])if(!((n=(r=u?.physicalLocation)===null||r===void 0?void 0:r.artifactLocation)===null||n===void 0)&&n.uri&&e.artifacts.filter(a=>{var m;return((m=a?.location)===null||m===void 0?void 0:m.uri)===u.physicalLocation.artifactLocation.uri}).length===0){let a=ws.extname(u.physicalLocation.artifactLocation.uri).replace(".",""),m=bs.EXTENSIONS_LANGUAGES[a]||"unknown";e.artifacts.push({sourceLanguage:m,location:{uri:u.physicalLocation.artifactLocation.uri}})}let s=e.artifacts.map(l=>{var u;return(u=l?.location)===null||u===void 0?void 0:u.uri}),c=(((o=(i=e?.tool)===null||i===void 0?void 0:i.driver)===null||o===void 0?void 0:o.rules)||[]).map(l=>l.id);return e.results=e.results.map(l=>(c.indexOf(l.ruleId)>-1&&(l.ruleIndex=c.indexOf(l.ruleId)),l.locations&&(l.locations=l.locations.map(u=>{var a,m;let d=(m=(a=u?.physicalLocation)===null||a===void 0?void 0:a.artifactLocation)===null||m===void 0?void 0:m.uri;return d&&s.indexOf(d)>-1&&(u.physicalLocation.artifactLocation.index=s.indexOf(d)),u})),l)),e}};_e.SarifBuilder=xt});var Rn=y($e=>{"use strict";Object.defineProperty($e,"__esModule",{value:!0});$e.SarifResultBuilder=void 0;var Ls=Pe(),Lt=class{constructor(e={}){this.result={level:"error",message:{},ruleId:"SARIF_BUILDER_INVALID: Please send the rule Id ruleId property, or call setRuleId(ruleId)"},(0,Ls.setOptionValues)(e,this.result)}initSimple(e){if(this.setLevel(e.level),this.setMessageText(e.messageText),this.setRuleId(e.ruleId),e.fileUri&&this.setLocationArtifactUri({uri:e.fileUri}),e.startLine!==null&&e.startLine!==void 0){let r={startLine:e.startLine,startColumn:e.startColumn||1,endLine:e.endLine||e.startLine,endColumn:e.endColumn||1};if(e.startLine===0||e.startColumn===0||e.endLine===0||e.endColumn===0)throw new Error("Region limit can not be 0 (minimum line 1 or column 1) in "+JSON.stringify(e));this.setLocationRegion(r)}return this}setLevel(e){this.result.level=e}setMessageText(e){this.result.message.text=e}setRuleId(e){this.result.ruleId=e}setLocationRegion(e){this.manageInitPhysicalLocation(),this.result.locations[0].physicalLocation.region=e}setLocationArtifactUri(e){this.manageInitPhysicalLocation(),this.result.locations[0].physicalLocation.artifactLocation=e}manageInitLocation(){var e,r;!((r=(e=this.result)===null||e===void 0?void 0:e.locations)===null||r===void 0)&&r.length||(this.result.locations=[{}])}manageInitPhysicalLocation(){var e;this.manageInitLocation(),!(!((e=this.result)===null||e===void 0)&&e.locations[0].physicalLocation)&&(this.result.locations[0].physicalLocation={})}};$e.SarifResultBuilder=Lt});var Cn=y(qe=>{"use strict";Object.defineProperty(qe,"__esModule",{value:!0});qe.SarifRuleBuilder=void 0;var Ps=Pe(),Pt=class{constructor(e={}){this.rule={id:"SARIF_BUILDER_INVALID: Please send the rule identifier in id property, or call setRuleId(ruleId)",shortDescription:{text:"SARIF_BUILDER_INVALID: Please send the rule text in shortDescription.text property, or call setShortDescriptionText(text)"}},(0,Ps.setOptionValues)(e,this.rule)}initSimple(e){return this.setRuleId(e.ruleId),e.shortDescriptionText&&this.setShortDescriptionText(e.shortDescriptionText),e.fullDescriptionText&&this.setFullDescriptionText(e.fullDescriptionText),e.helpUri&&this.setHelpUri(e.helpUri),this}setRuleId(e){this.rule.id=e}setShortDescriptionText(e){this.rule.shortDescription.text=e}setFullDescriptionText(e){this.rule.fullDescription=this.rule.fullDescription||{text:""},this.rule.fullDescription.text=e}setHelpUri(e){this.rule.helpUri=e}};qe.SarifRuleBuilder=Pt});var _n=y(Ue=>{"use strict";Object.defineProperty(Ue,"__esModule",{value:!0});Ue.SarifRunBuilder=void 0;var Es=Pe(),Et=class{constructor(e={}){this.run={tool:{driver:{name:process.env.npm_package_name||"SARIF_BUILDER_INVALID: Please send the tool name in tool.driver.name property, or call setToolName(name)",rules:[]}},results:[]},(0,Es.setOptionValues)(e,this.run)}initSimple(e){return this.setToolDriverName(e.toolDriverName),this.setToolDriverVersion(e.toolDriverVersion),e.url&&this.setToolDriverUri(e.url),this}addRule(e){this.run.tool.driver.rules.push(e.rule)}addResult(e){this.run.results.push(e.result)}setToolDriverName(e){this.run.tool.driver.name=e}setToolDriverVersion(e){this.run.tool.driver.version=e}setToolDriverUri(e){this.run.tool.driver.informationUri=e}};Ue.SarifRunBuilder=Et});var $n=y(W=>{"use strict";Object.defineProperty(W,"__esModule",{value:!0});W.SarifResultBuilder=W.SarifRuleBuilder=W.SarifRunBuilder=W.SarifBuilder=void 0;var ks=Mn();Object.defineProperty(W,"SarifBuilder",{enumerable:!0,get:function(){return ks.SarifBuilder}});var Ds=Rn();Object.defineProperty(W,"SarifResultBuilder",{enumerable:!0,get:function(){return Ds.SarifResultBuilder}});var Os=Cn();Object.defineProperty(W,"SarifRuleBuilder",{enumerable:!0,get:function(){return Os.SarifRuleBuilder}});var Ns=_n();Object.defineProperty(W,"SarifRunBuilder",{enumerable:!0,get:function(){return Ns.SarifRunBuilder}})});var Un=y((Sc,qn)=>{"use strict";var Ts=/["'&<>]/;qn.exports=js;function js(t){var e=""+t,r=Ts.exec(e);if(!r)return e;var n,i="",o=0,s=0;for(o=r.index;o<e.length;o++){switch(e.charCodeAt(o)){case 34:n="&quot;";break;case 38:n="&amp;";break;case 39:n="&#39;";break;case 60:n="&lt;";break;case 62:n="&gt;";break;default:continue}s!==o&&(i+=e.substring(s,o)),s=o+1,i+=n}return s!==o?i+e.substring(s,o):i}});var ni=y((sl,sa)=>{sa.exports={name:"dotenv",version:"16.4.7",description:"Loads environment variables from .env file",main:"lib/main.js",types:"lib/main.d.ts",exports:{".":{types:"./lib/main.d.ts",require:"./lib/main.js",default:"./lib/main.js"},"./config":"./config.js","./config.js":"./config.js","./lib/env-options":"./lib/env-options.js","./lib/env-options.js":"./lib/env-options.js","./lib/cli-options":"./lib/cli-options.js","./lib/cli-options.js":"./lib/cli-options.js","./package.json":"./package.json"},scripts:{"dts-check":"tsc --project tests/types/tsconfig.json",lint:"standard",pretest:"npm run lint && npm run dts-check",test:"tap run --allow-empty-coverage --disable-coverage --timeout=60000","test:coverage":"tap run --show-full-coverage --timeout=60000 --coverage-report=lcov",prerelease:"npm test",release:"standard-version"},repository:{type:"git",url:"git://github.com/motdotla/dotenv.git"},funding:"https://dotenvx.com",keywords:["dotenv","env",".env","environment","variables","config","settings"],readmeFilename:"README.md",license:"BSD-2-Clause",devDependencies:{"@types/node":"^18.11.3",decache:"^4.6.2",sinon:"^14.0.1",standard:"^17.0.0","standard-version":"^9.5.0",tap:"^19.2.0",typescript:"^4.8.4"},engines:{node:">=12"},browser:{fs:!1}}});var ai=y((al,Q)=>{var Ft=require("fs"),It=require("path"),aa=require("os"),ca=require("crypto"),la=ni(),Vt=la.version,ua=/(?:^|^)\s*(?:export\s+)?([\w.-]+)(?:\s*=\s*?|:\s+?)(\s*'(?:\\'|[^'])*'|\s*"(?:\\"|[^"])*"|\s*`(?:\\`|[^`])*`|[^#\r\n]+)?\s*(?:#.*)?(?:$|$)/mg;function fa(t){let e={},r=t.toString();r=r.replace(/\r\n?/mg,`
9
9
  `);let n;for(;(n=ua.exec(r))!=null;){let i=n[1],o=n[2]||"";o=o.trim();let s=o[0];o=o.replace(/^(['"`])([\s\S]*)\1$/mg,"$2"),s==='"'&&(o=o.replace(/\\n/g,`
10
10
  `),o=o.replace(/\\r/g,"\r")),e[i]=o}return e}function ma(t){let e=si(t),r=D.configDotenv({path:e});if(!r.parsed){let s=new Error(`MISSING_DATA: Cannot parse ${e} for an unknown reason`);throw s.code="MISSING_DATA",s}let n=oi(t).split(","),i=n.length,o;for(let s=0;s<i;s++)try{let c=n[s].trim(),l=ya(r,c);o=D.decrypt(l.ciphertext,l.key);break}catch(c){if(s+1>=i)throw c}return D.parse(o)}function da(t){console.log(`[dotenv@${Vt}][INFO] ${t}`)}function pa(t){console.log(`[dotenv@${Vt}][WARN] ${t}`)}function Ze(t){console.log(`[dotenv@${Vt}][DEBUG] ${t}`)}function oi(t){return t&&t.DOTENV_KEY&&t.DOTENV_KEY.length>0?t.DOTENV_KEY:process.env.DOTENV_KEY&&process.env.DOTENV_KEY.length>0?process.env.DOTENV_KEY:""}function ya(t,e){let r;try{r=new URL(e)}catch(c){if(c.code==="ERR_INVALID_URL"){let l=new Error("INVALID_DOTENV_KEY: Wrong format. Must be in valid uri format like dotenv://:key_1234@dotenvx.com/vault/.env.vault?environment=development");throw l.code="INVALID_DOTENV_KEY",l}throw c}let n=r.password;if(!n){let c=new Error("INVALID_DOTENV_KEY: Missing key part");throw c.code="INVALID_DOTENV_KEY",c}let i=r.searchParams.get("environment");if(!i){let c=new Error("INVALID_DOTENV_KEY: Missing environment part");throw c.code="INVALID_DOTENV_KEY",c}let o=`DOTENV_VAULT_${i.toUpperCase()}`,s=t.parsed[o];if(!s){let c=new Error(`NOT_FOUND_DOTENV_ENVIRONMENT: Cannot locate environment ${o} in your .env.vault file.`);throw c.code="NOT_FOUND_DOTENV_ENVIRONMENT",c}return{ciphertext:s,key:n}}function si(t){let e=null;if(t&&t.path&&t.path.length>0)if(Array.isArray(t.path))for(let r of t.path)Ft.existsSync(r)&&(e=r.endsWith(".vault")?r:`${r}.vault`);else e=t.path.endsWith(".vault")?t.path:`${t.path}.vault`;else e=It.resolve(process.cwd(),".env.vault");return Ft.existsSync(e)?e:null}function ii(t){return t[0]==="~"?It.join(aa.homedir(),t.slice(1)):t}function ha(t){da("Loading env from encrypted .env.vault");let e=D._parseVault(t),r=process.env;return t&&t.processEnv!=null&&(r=t.processEnv),D.populate(r,e,t),{parsed:e}}function ga(t){let e=It.resolve(process.cwd(),".env"),r="utf8",n=!!(t&&t.debug);t&&t.encoding?r=t.encoding:n&&Ze("No encoding is specified. UTF-8 is used by default");let i=[e];if(t&&t.path)if(!Array.isArray(t.path))i=[ii(t.path)];else{i=[];for(let l of t.path)i.push(ii(l))}let o,s={};for(let l of i)try{let u=D.parse(Ft.readFileSync(l,{encoding:r}));D.populate(s,u,t)}catch(u){n&&Ze(`Failed to load ${l} ${u.message}`),o=u}let c=process.env;return t&&t.processEnv!=null&&(c=t.processEnv),D.populate(c,s,t),o?{parsed:s,error:o}:{parsed:s}}function Sa(t){if(oi(t).length===0)return D.configDotenv(t);let e=si(t);return e?D._configVault(t):(pa(`You set DOTENV_KEY but you are missing a .env.vault file at ${e}. Did you forget to build it?`),D.configDotenv(t))}function va(t,e){let r=Buffer.from(e.slice(-64),"hex"),n=Buffer.from(t,"base64"),i=n.subarray(0,12),o=n.subarray(-16);n=n.subarray(12,-16);try{let s=ca.createDecipheriv("aes-256-gcm",r,i);return s.setAuthTag(o),`${s.update(n)}${s.final()}`}catch(s){let c=s instanceof RangeError,l=s.message==="Invalid key length",u=s.message==="Unsupported state or unable to authenticate data";if(c||l){let a=new Error("INVALID_DOTENV_KEY: It must be 64 characters long (or more)");throw a.code="INVALID_DOTENV_KEY",a}else if(u){let a=new Error("DECRYPTION_FAILED: Please check your DOTENV_KEY");throw a.code="DECRYPTION_FAILED",a}else throw s}}function wa(t,e,r={}){let n=!!(r&&r.debug),i=!!(r&&r.override);if(typeof e!="object"){let o=new Error("OBJECT_REQUIRED: Please check the processEnv argument being passed to populate");throw o.code="OBJECT_REQUIRED",o}for(let o of Object.keys(e))Object.prototype.hasOwnProperty.call(t,o)?(i===!0&&(t[o]=e[o]),n&&Ze(i===!0?`"${o}" is already defined and WAS overwritten`:`"${o}" is already defined and was NOT overwritten`)):t[o]=e[o]}var D={configDotenv:ga,_configVault:ha,_parseVault:ma,config:Sa,decrypt:va,parse:fa,populate:wa};Q.exports.configDotenv=D.configDotenv;Q.exports._configVault=D._configVault;Q.exports._parseVault=D._parseVault;Q.exports.config=D.config;Q.exports.decrypt=D.decrypt;Q.exports.parse=D.parse;Q.exports.populate=D.populate;Q.exports=D});var ze=require("zx"),le=require("fs/promises");var J={UNKNOWN:0,LOW:1,MEDIUM:2,HIGH:3,CRITICAL:4};var ke=class{allById=new Map;getAllVulnIds(){return new Set(this.allById.keys())}getAllVulnerabilitiesSortedBySeverity(){let e=Array.from(this.allById.values());return e.sort((r,n)=>{let i=Ct(r.severity,n.severity);return i===0?r.id.localeCompare(n.id):-i}),e}addVulnerability(e,r){let n=e.id,i=this.allById;if(!i.has(n))i.set(n,e);else{let o=i.get(n);o.title=o.title||e.title,o.severity=hi(o.severity,e.severity),o.scannerSeverity[r]=e.severity,o.detectedBy=tt(o.detectedBy,r),o.components=tt(o.components,e.components[0]),o.refs=tt(o.refs,e.refs[0])}}enhanceWithVexData(e){let r=[];for(let n of this.allById.values()){let i=e.newestVulnerabilityStatement(n.id);if(!i){r.push({id:n.id,severity:n.severity});continue}n.vexStatement=i}return{unmatchedVulnerabilities:r}}};function hi(t,e){return Ct(t,e)>0?t:e}function Ct(t,e){return J[t]-J[e]}function tt(t,e){return e?Array.from(new Set([...t,e]).values()):t}var De=Ee(require("path"));var U=require("fs/promises"),rt=require("path");async function B(t){if(await se(t))return JSON.parse(await(0,U.readFile)(t,{encoding:"utf-8"}))}async function nt(t,e){await(0,U.writeFile)(t,JSON.stringify(e,null,4)+`
11
- `,{encoding:"utf-8"})}function H(t){return t&&t.replace(/\?.*$/,"")}async function se(t){try{return await(0,U.access)(t,U.constants.F_OK),!0}catch{return!1}}async function it(t){let e=(0,rt.resolve)(t),r=await(0,U.readdir)(e,{withFileTypes:!0});for(let n of r){let i=(0,rt.resolve)(n.parentPath,n.name);n.isDirectory()?await it(i):await(0,U.rm)(i)}await(0,U.rmdir)(e)}async function he(t,e){let r=e?.user&&e?.pw?{Authorization:`Basic ${Buffer.from(`${e.user}:${e.pw}`).toString("base64")}`}:{},n=await fetch(t,{headers:r});if(!n.ok){let i="";try{i=await n.text()}catch(o){i=`${o}`}throw new Error(`Failed to fetch: ${t}: ${n.status} - ${n.statusText}: ${i}`)}return n}var ot;async function st(t){if(ot)return ot;let e="https://repository.conterra.de/repository/maven-mirror-ct",r=Z(t.workingDir,"input/vex"),n=Z(t.workingDir,"output"),i=Z(t.workingDir,"cache"),o=["grype","trivy","ossindex"],s=Z(t.workingDir,"vuln-scan-conf.json"),c=await B(s);if(!c)throw new Error(`Missing project configuration file '${s}'`);let l=c.findNoLongerDetectedVulnerabilitiesOnlyForSnapshots??!1;return ot={projectConfigFileLocation:s,onNewVulnerabilities:c.onNewVulnerabilities??(c.failOnNewVulnerabilities?"fail":"warn"),onNoLongerDetectedVulnerabilities:c.onNoLongerDetectedVulnerabilities??"ignore",reportNoLongerDetectedVulnerabilities:c.reportNoLongerDetectedVulnerabilities??!0,createSubDirsForProject:c.createSubDirsForProject??!0,mavenRepo:c.mavenRepo??e,vexUrls:c.vexUrls??[],vexDir:Z(t.workingDir,c.vexDir)??r,outDir:Z(t.workingDir,c.outDir)??n,cacheDir:Z(t.workingDir,c.cacheDir)??i,scanners:c.scanners??o,projects:(c.projects??[]).map(u=>{let a=u;if(!a.name)throw new Error("Project name is missing on entry:"+JSON.stringify(a));if(!a.version)throw new Error("Project version is missing on entry:"+JSON.stringify(a));if(!a.purl)throw new Error("Project purl is missing on entry:"+JSON.stringify(a));return a.purlAliases||(a.purlAliases=[]),a.enabled==null&&(a.enabled=!0),a.silent==null&&(a.silent=!1),a.minimumSeverity||(a.minimumSeverity="UNKNOWN"),a.sbomFile?{...a,sbomFile:Z(t.workingDir,a.sbomFile)}:(a.detectNoLongerUsedVulnerabilities=l?a.purl.endsWith("-SNAPSHOT"):!0,u)})}}function Z(t,e){if(e)return De.default.isAbsolute(e)?e:(0,De.resolve)(t,e)}var ie=Ee($n());var Bn=Ee(Un());function Xn(t,e){let r=new ie.SarifRunBuilder().initSimple({toolDriverName:`${e.name} - ${e.version}`,toolDriverVersion:"0.0.1"}),n=new Date().toISOString().split("T")[0];r.run.tool.driver.fullDescription={text:`Security Scan from ${n}`},r.run.tool.driver.properties={"microsoft/qualityDomain":`Security Scan from ${n}`};for(let o of t){let s=Is(o.severity),c=o.id,l=Fs(o.refs),u=new ie.SarifRuleBuilder().initSimple({ruleId:c,shortDescriptionText:o.title,fullDescriptionText:o.description,helpUri:l}),a=o.vexStatement,m,d="new",f="";a?(m=[{kind:"external",status:"accepted"}],d="updated",f=`--- INVESTIGATED (${a.status}) --- `,a.status==="under_investigation"&&(m[0].status="underReview",f="--- UNDER INVESTIGATION --- ")):J[e.minimumSeverity]>J[o.severity]?(m=[{kind:"external",status:"accepted"}],d="updated",f=`--- BELOW MINIMUM SEVERITY '${e.minimumSeverity}' ---`):e.silent&&(m=[{kind:"external",status:"accepted"}],d="updated",f="--- PROJECT SILENT ---"),Object.assign(u.rule,{name:`${f}[${o.severity}] - ${o.title.replace(`[${c}]`,"")}`,messageStrings:{default:{text:o.description,markdown:Vs(o,l,f)}},properties:{severity:o.severity,scanners:o.scannerSeverity,links:o.refs,tags:["cve","vulnerability","security",`severity_${o.severity.toLowerCase()}`]}}),r.addRule(u);for(let p of o.components){let g=new ie.SarifResultBuilder().initSimple({ruleId:c,level:s,messageText:`${c} [${o.severity}] - ${p}`});g.result.message.id="default",g.result.locations=[{logicalLocations:[{fullyQualifiedName:p}]}],g.result.baselineState=d,g.result.suppressions=m,r.addResult(g)}}let i=new ie.SarifBuilder;return i.addRun(r),i.buildSarifOutput()}function Fs(t){for(let e of t)if(e.startsWith("https://nvd.nist.gov"))return e;return t[0]}function Is(t){switch(t){case"CRITICAL":return"error";case"HIGH":return"error";case"MEDIUM":return"warning";case"LOW":return"note";default:return"note"}}function Vs(t,e,r){let n=t.vexStatement,i=n?`
11
+ `,{encoding:"utf-8"})}function H(t){return t&&t.replace(/\?.*$/,"")}async function se(t){try{return await(0,U.access)(t,U.constants.F_OK),!0}catch{return!1}}async function it(t){let e=(0,rt.resolve)(t),r=await(0,U.readdir)(e,{withFileTypes:!0});for(let n of r){let i=(0,rt.resolve)(n.parentPath,n.name);n.isDirectory()?await it(i):await(0,U.rm)(i)}await(0,U.rmdir)(e)}async function he(t,e){let r=e?.user&&e?.pw?{Authorization:`Basic ${Buffer.from(`${e.user}:${e.pw}`).toString("base64")}`}:{},n=await fetch(t,{headers:r});if(!n.ok){let i="";try{i=await n.text()}catch(o){i=`${o}`}throw new Error(`Failed to fetch: ${t}: ${n.status} - ${n.statusText}: ${i}`)}return n}var ot;async function st(t){if(ot)return ot;let e="https://repository.conterra.de/repository/maven-mirror-ct",r=Z(t.workingDir,"input/vex"),n=Z(t.workingDir,"output"),i=Z(t.workingDir,"cache"),o=["grype","trivy","ossindex"],s=Z(t.workingDir,"vuln-scan-conf.json"),c=await B(s);if(!c)throw new Error(`Missing project configuration file '${s}'`);let l=c.findNoLongerDetectedVulnerabilitiesOnlyForSnapshots??!1;return ot={projectConfigFileLocation:s,onNewVulnerabilities:c.onNewVulnerabilities??(c.failOnNewVulnerabilities?"fail":"warn"),onNoLongerDetectedVulnerabilities:c.onNoLongerDetectedVulnerabilities??"ignore",reportNoLongerDetectedVulnerabilities:c.reportNoLongerDetectedVulnerabilities??!0,createSubDirsForProject:c.createSubDirsForProject??!0,mavenRepo:c.mavenRepo??e,vexUrls:c.vexUrls??[],vexDir:Z(t.workingDir,c.vexDir)??r,outDir:Z(t.workingDir,c.outDir)??n,cacheDir:Z(t.workingDir,c.cacheDir)??i,scanners:c.scanners??o,projects:(c.projects??[]).map(u=>{let a=u;if(!a.name)throw new Error("Project name is missing on entry:"+JSON.stringify(a));if(!a.version)throw new Error("Project version is missing on entry:"+JSON.stringify(a));if(!a.purl)throw new Error("Project purl is missing on entry:"+JSON.stringify(a));return a.purlAliases||(a.purlAliases=[]),a.enabled==null&&(a.enabled=!0),a.silent==null&&(a.silent=!1),a.minimumSeverity||(a.minimumSeverity="UNKNOWN"),a.sbomFile?{...a,sbomFile:Z(t.workingDir,a.sbomFile)}:(a.detectNoLongerUsedVulnerabilities=l?a.purl.endsWith("-SNAPSHOT"):!0,u)})}}function Z(t,e){if(e)return De.default.isAbsolute(e)?e:(0,De.resolve)(t,e)}var ie=Ee($n());var Bn=Ee(Un());function Xn(t,e){let r=new ie.SarifRunBuilder().initSimple({toolDriverName:`${e.name} - ${e.version}`,toolDriverVersion:"0.0.1"}),n=new Date().toISOString().split("T")[0];r.run.tool.driver.fullDescription={text:`Security Scan from ${n}`},r.run.tool.driver.properties={"microsoft/qualityDomain":`Security Scan from ${n}`};for(let o of t){let s=Is(o.severity),c=o.id,l=Fs(o.refs),u=new ie.SarifRuleBuilder().initSimple({ruleId:c,shortDescriptionText:o.title,fullDescriptionText:o.description,helpUri:l}),a=o.vexStatement,m,d="new",f="";a?(m=[{kind:"external",status:"accepted"}],d="updated",f=`--- INVESTIGATED (${a.status}) --- `,a.status==="under_investigation"&&(m[0].status="underReview",f="--- UNDER INVESTIGATION --- ")):J[e.minimumSeverity]>J[o.severity]?(m=[{kind:"external",status:"accepted"}],d="updated",f=`--- BELOW MINIMUM SEVERITY '${e.minimumSeverity}' ---`):e.silent&&(m=[{kind:"external",status:"accepted"}],d="updated",f="--- PROJECT SILENT ---"),Object.assign(u.rule,{name:`${f}[${o.severity}] - ${o.title.replace(`[${c}]`,"")}`,messageStrings:{default:{text:o.description,markdown:Vs(o,l,f)}},properties:{severity:o.severity,scanners:o.scannerSeverity,links:o.refs,tags:["cve","vulnerability","security",`severity_${o.severity.toLowerCase()}`]}}),r.addRule(u);for(let p of o.components){let g=new ie.SarifResultBuilder().initSimple({ruleId:c,level:s,messageText:`${c} [${o.severity}] - ${p}`});g.result.message.id="default",g.result.locations=[{logicalLocations:[{fullyQualifiedName:p}]}],g.result.baselineState=d,g.result.suppressions=m,r.addResult(g)}}let i=new ie.SarifBuilder;return i.addRun(r),i.buildSarifOutput()}function Fs(t){for(let e of t)if(e.startsWith("https://nvd.nist.gov"))return e;return t[0]}function Is(t){switch(t){case"CRITICAL":return"error";case"HIGH":return"error";case"MEDIUM":return"warning";case"LOW":return"warning";default:return"note"}}function Vs(t,e,r){let n=t.vexStatement,i=n?`
12
12
  ${r}
13
13
  ${n.justification??""}
14
14
  ${n.impact_statement??""}
@@ -25,7 +25,7 @@ ${(0,Bn.default)(t.description)}
25
25
  ${t.refs.map(o=>`* <${o}>`).join(`
26
26
  `)}
27
27
  `}var Xe=require("fs/promises");async function Gn(t,e,r){if("sbomFile"in t)return await(0,Xe.copyFile)(t.sbomFile,e),t.sbomFile=e,t;let n=await r.downloadArtifact(t.sbomMavenCoordinates);return await(0,Xe.writeFile)(e,n),{...t,sbomFile:e}}var Be=class{constructor(e,r){this.repo=e;this.authn=r}async downloadArtifact(e){let r=this.toArtifactInfo(e);if(this.isSnapshotVersion(r.version)&&!r.timestamp){let o=await this.fetchLatestSnapshotTimestamp(r);r={...r,timestamp:o}}let n=this.toArtifactUrl(r),i=await he(n,this.authn);return Buffer.from(await i.arrayBuffer())}async fetchLatestSnapshotTimestamp(e){let r=`${this.toArtifactBaseUrl(e)}/maven-metadata.xml`,i=await(await he(r,this.authn)).text();return As(i,e)}toArtifactUrl(e){let r=this.toArtifactBaseUrl(e),n=this.isSnapshotVersion(e.version)&&e.timestamp?e.version.replace(/SNAPSHOT$/,e.timestamp):e.version;return`${r}/${e.artifactId}-${n}-${e.classifier}.${e.extension}`}toArtifactBaseUrl(e){return`${this.repo}/${e.groupId.replace(/\./g,"/")}/${e.artifactId}/${e.version}`}isSnapshotVersion(e){return e.endsWith("-SNAPSHOT")}toArtifactInfo(e){let r=e.split(":");return{groupId:r[0],artifactId:r[1],version:r[2],classifier:r[3],extension:"json"}}};function As(t,e){if(e.classifier&&e.extension){let i=t.match(new RegExp(`<snapshotVersion>\\s*<classifier>${e.classifier}</classifier>\\s*<extension>${e.extension}</extension>\\s*<value>([^<]+)</value>\\s*<updated>[^<]+</updated>\\s*</snapshotVersion>`)),o=e.version.replace(/SNAPSHOT$/,"");if(i?.[1])return i[1].replace(o,"")}let r=t.match(/<timestamp>([^<]+)<\/timestamp>/),n=t.match(/<buildNumber>([^<]+)<\/buildNumber>/);if(!r||!n)throw new Error(`Failed to get timestamp and build number from ${t} for artifact '${e.artifactId}'`);return`${r[1]}-${n[1]}`}var Ge=require("fs/promises"),kt=require("path");var Dt=class{constructor(e){this.location=e}async read(){let e=await B(this.location);if(!e)throw new Error("Invalid VEX file");return e}async write(e){await nt(this.location,e)}async delete(){await(0,Ge.unlink)(this.location)}};async function We(t,e){for(let r of await(0,Ge.readdir)(t,{withFileTypes:!0}))r.name.endsWith(".json")?await e(new Dt((0,kt.resolve)(r.parentPath,r.name))):r.isDirectory()&&await We((0,kt.resolve)(r.parentPath,r.name),e)}function Nt(t){let e=t.vulnerability.name;return new Set([e,...t.vulnerability.aliases??[]])}var ye=class t{statements=[];filteredToProducts=[];static async fromUrl(e,r,n=new t){let o=await(await he(e,r)).json();return n.add(o),n}static async fromFiles(e,r=new t){return await We(e,async n=>{let i=await n.read();r.add(i)}),r}add(e){Rs(e);let r=e.timestamp;for(let n of e.statements){n.timestamp=n.timestamp??r;let i=Date.parse(n.timestamp),o=n.vulnerability.name,s=Nt(n),c=new Set(n.products?.map(u=>u["@id"]).filter(u=>!!u)??[]),l=new Ot(i,o,s,c,n);this.statements.push(l)}this.sortStatementsByTimestampNewestFirst()}filterByProduct(e){if(this.assertCorrectProductId(e),this.filteredToProducts.length)return this;let r=new t;return r.filteredToProducts=e.slice(0),r.statements=this.statements.filter(n=>n.matchesAtLeastOneProduct(e)),r}findNotMatchingVulnerabilities(e,r){let n=this.filterByProduct(r??this.filteredToProducts),i=new Set;for(let o of n.statements)i.add(o.vulnName);for(let o of e)i.delete(o);return Array.from(i)}newestVulnerabilityStatement(e,r){let n=this.filterByProduct(r??this.filteredToProducts);for(let i of n.statements)if(i.matchesVulnerability(e))return this.reduceToProductInformation(i,n.filteredToProducts[0])}toVexFileForProduct(e){let r=this.filterByProduct(e??this.filteredToProducts),n=r.statements.map(i=>this.reduceToProductInformation(i,r.filteredToProducts[0]));return this.toVexFile(n)}toVexFile(e){let r=e.filter(i=>i.status!=="under_investigation");if(r.length===0)return;this.sortVexStatementsByTimestampNewestFirst(r);let n=r[0].timestamp;return{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://openvex.dev/docs/public/vex-fc763e6eb63bfbcda20b7cbbddd4e9f8feaaa317fe8d8a6f51a5663a1180343e",author:"conterra",timestamp:n,last_updated:n,version:1,statements:r}}assertCorrectProductId(e){if(!e||e.length===0)throw new Error("Product ID must be provided");if(this.filteredToProducts.length&&!Ms(this.filteredToProducts,e))throw new Error("Cannot filter to a different product")}reduceToProductInformation(e,r){let n={timestamp:new Date(e.timestamp).toISOString(),...e.statement};if(!r)return n;let i=n.products?.filter(o=>o["@id"]===r);return i?.length||(i=[{"@id":r}]),{...n,products:i}}sortStatementsByTimestampNewestFirst(){this.statements.sort((e,r)=>r.timestamp-e.timestamp)}sortVexStatementsByTimestampNewestFirst(e){e.sort((r,n)=>Date.parse(n.timestamp)-Date.parse(r.timestamp))}};function Ms(t,e){return t.length===e.length&&t.every((r,n)=>r===e[n])}var Ot=class{constructor(e,r,n,i,o){this.timestamp=e;this.vulnName=r;this.vulnAliases=n;this.products=i;this.statement=o}matchesProduct(e){return this.products.has(e)}matchesAtLeastOneProduct(e){return e.some(this.matchesProduct.bind(this))}matchesVulnerability(e){return this.vulnAliases.has(e)}};function Rs(t){if(t?.["@context"]!=="https://openvex.dev/ns/v0.2.0")throw new Error("Invalid VEX file format")}var He=require("path"),Wn=require("fs/promises");var Je=class{constructor(e,r,n){this.project=e;this.outputDir=r;this.useSubDirForProject=n}async lookupOutputFileForWriting(e){let r=this.useSubDirForProject?`${this.project.name}-${this.project.version}`:"",n=`${this.project.name}-${this.project.version}-`,i=this.getFileSuffix(e),o=(0,He.resolve)(this.outputDir,r,`${n}${i}`),s=(0,He.dirname)(o);return await se(s)||await(0,Wn.mkdir)(s,{recursive:!0}),o}getFileSuffix(e){switch(e){case"grype-results":return"scan-grype-results.json";case"trivy-results":return"scan-trivy-results.json";case"ossindex-results":return"scan-ossindex-results.json";case"aggregate-results":return"scan-aggregate-results.json";case"aggregated-sarif-results":return"scan-aggregated-results.sarif.json";case"project-cyclonedx-sbom-file":return"sbom.cdx.json";case"project-openvex-file":return"openvex.vex.json";default:throw new Error(`Unknown output file key: ${e}`)}}};var Tt=require("zx");var Ke=require("path"),Jn="anchore/grype:latest";async function Hn(t){let e=await Tt.$`docker run --rm -v '${t}:/.cache' ${Jn} db update`;e.stdout&&console.log(` Grype DB Update: ${e.stdout}`),e.stderr&&console.log(` Grype DB Update error: ${e.stderr}`)}async function Kn(t,e,r,n,i){let o=(0,Ke.dirname)(e),s=(0,Ke.basename)(e),c=await Tt.$`docker run --rm -v '${t}:/.cache' -v '${o}:/tmp/output' -v '${r.sbomFile}:/tmp/input.json' -e GRYPE_DB_AUTO_UPDATE=false ${Jn} sbom:/tmp/input.json -o json --file '/tmp/output/${s}' --by-cve --quiet`;c.stdout&&i(` Scan log: ${c.stdout}`),c.stderr&&i(` Scan error: ${c.stderr}`),i(` Grype output file: ${e}`);let l=await B(e);Cs(n,l)}function Cs(t,e){if(e)for(let r of e.matches){let n=_s(r);t.addVulnerability(n,"grype")}}function _s(t){let e=t.vulnerability,r=e.id,n=H(t.artifact.purl),i=H(e.dataSource),o=$s(e.severity);return{id:r,severity:o,scannerSeverity:{grype:o},title:"",description:e.description,components:[n],detectedBy:["grype"],refs:[i]}}function $s(t){switch(t){case"Negligible":return"LOW";case"Low":return"LOW";case"Medium":return"MEDIUM";case"High":return"HIGH";case"Critical":return"CRITICAL";default:return"UNKNOWN"}}var Yn=require("fs/promises");async function Qn(t,e,r,n,i){let o={},s="";r.user&&r.token&&(o.Authorization=`Basic ${Buffer.from(`${r.user}:${r.token}`).toString("base64")}`,s="/authorized");let c=`https://ossindex.sonatype.org/api/v3${s}/component-report`,l=await qs(e.sbomFile),u=new Set(l.map(d=>d.purl.replace(/\?.*$/,"")));Js(u);let a=Array.from(u),m=[];for(let d=0;d<a.length;d+=128){let f=JSON.stringify({coordinates:a.slice(d,d+128)}),g=await(await fetch(c,{method:"POST",headers:{...o,"Content-Type":"application/vnd.ossindex.component-report-request.v1+json"},body:f})).json();Array.isArray(g)?m.push(...g.filter(S=>S.vulnerabilities.length>0)):i(` Sonatype OssIndex Error: ${g.code} - ${g.message}`)}await(0,Yn.writeFile)(t,JSON.stringify(m,null,2)),i(` Sonatype OssIndex output file: ${t}`),Xs(n,m)}async function qs(t){return(await B(t)).components.filter(r=>Us(r)&&!Bs(r))}function Us(t){return!!t.purl}function Bs(t){return t.group?t.group.startsWith("de.conterra")||t.group.startsWith("org.n52.security"):!1}function Xs(t,e){if(e)for(let r of e)for(let n of r.vulnerabilities){let i=Gs(n,r.coordinates);t.addVulnerability(i,"ossindex")}}function Gs(t,e){let r=t.cve||t.id,n=H(e),i=H(t.reference),o=Ws(t.cvssScore);return{id:r,severity:o,scannerSeverity:{ossindex:o},title:t.title,description:t.description,components:[n],detectedBy:["ossindex"],refs:i?[i]:[]}}function Ws(t){return t===0?"UNKNOWN":t<4?"LOW":t<7?"MEDIUM":t<9?"HIGH":"CRITICAL"}function Js(t){let e=Array.from(t);for(let r of e){let n=r.replace(/(@[^-]+)-.*$/g,"$1");t.add(n)}}var jt=require("zx");var Ye=require("path"),zn="aquasec/trivy:latest";async function Zn(t,e){let r=[];e&&(r.push("-e"),r.push(`GITHUB_TOKEN=${e}`));let n=[];n.push("--db-repository"),n.push("public.ecr.aws/aquasecurity/trivy-db,aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db");let i=await jt.$`docker run --rm -v '${t}:/.cache' ${r} ${zn} ${n} --cache-dir '/.cache' sbom --download-db-only --quiet`;!i.stdout&&!i.stderr&&console.log(" Trivy DB Update: finished"),i.stdout&&console.log(` Trivy DB Update: ${i.stdout}`),i.stderr&&console.log(` Trivy DB Update error: ${i.stderr}`)}async function ei(t,e,r,n,i){let o=(0,Ye.dirname)(e),s=(0,Ye.basename)(e),c=await jt.$`docker run --rm -v '${t}:/.cache' -v '${o}:/tmp/output' -v '${r.sbomFile}:/tmp/input.json' ${zn} sbom --cache-dir '/.cache' --format json --output '/tmp/output/${s}' --quiet --skip-db-update /tmp/input.json`;c.stdout&&i(` Scan log: ${c.stdout}`),c.stderr&&i(` Scan error: ${c.stderr}`),i(` Trivy output file: ${e}`);let l=await B(e);Hs(n,l)}function Hs(t,e){if(e){for(let r of e.Results)if(r.Vulnerabilities)for(let n of r.Vulnerabilities){let i=Ks(n);t.addVulnerability(i,"trivy")}}}function Ks(t){let e=t.VulnerabilityID,r=H(t.PkgIdentifier.PURL),n=H(t.PrimaryURL),i=Ys(t.Severity);return{id:e,severity:i,scannerSeverity:{trivy:i},title:t.Title,description:t.Description,components:[r],detectedBy:["trivy"],refs:[n]}}function Ys(t){switch(t){case"UNKNOWN":case"LOW":case"MEDIUM":case"HIGH":case"CRITICAL":return t;default:return"UNKNOWN"}}var Qe=class{constructor(e,r,n){this.scannerNames=e;this.cacheDir=r;this.options=n}async init(){let e=[];for(let r of this.scannerNames)switch(r){case"grype":e.push(Hn(this.cacheDir));break;case"trivy":e.push(Zn(this.cacheDir,this.options.trivyGithubToken));break;case"ossindex":continue}await Promise.all(e)}async scanProject(e,r,n,i){let o=[];for(let s of this.scannerNames)o.push(this.scanProjectBy(s,e,r,this.cacheDir,n,this.options.ossIndexApiUser,this.options.ossIndexApiToken,i));await Promise.all(o)}async scanProjectBy(e,r,n,i,o,s,c,l){switch(e){case"grype":return Kn(i,await n.lookupOutputFileForWriting("grype-results"),r,o,l);case"trivy":return ei(i,await n.lookupOutputFileForWriting("trivy-results"),r,o,l);case"ossindex":return Qn(await n.lookupOutputFileForWriting("ossindex-results"),r,{user:s,token:c},o,l)}}};async function ti(t,e,r){await We(t,async n=>{let i=await n.read(),o=!1,s=i.statements,c=[];for(let l of s){if(r&&!Nt(l).has(r)||!l.products)continue;let u=l.products.findIndex(a=>a["@id"]===e);u!==-1&&(l.products.splice(u,1),o=!0,l.products.length===0&&c.push(l))}if(o){for(let l of c){let u=s.indexOf(l);s.splice(u,1)}if(s.length===0){console.info(`Remove ${e} from ${n.location} and delete file.`),await n.delete();return}console.info(`Remove ${e} from ${n.location}`),await n.write(i)}})}ze.os.type().startsWith("Windows")&&(0,ze.usePowerShell)();async function ri(t){let e=await st(t),r=e.cacheDir;await se(r)||await(0,le.mkdir)(r);let n=e.outDir;await se(n)&&await it(n),await(0,le.mkdir)(n);let i=await ra(e,{user:t.vexUrlsUser,pw:t.vexUrlsPw}),o=new Be(e.mavenRepo,{user:t.mavenRepoUser,pw:t.mavenRepoPw}),s=na(e,t,r),c=Date.now();console.log("Initializing scanner engines ..."),await s.init(),console.log(`Scanner engines initialization took ${Date.now()-c}ms
28
- `);let l=ia(t),u=e.projects,a=new Map,m=Date.now();console.log("Scanning projects ...");let d=1,f=0,p=[];for(let S of u){if(!l(S))continue;f>=d&&(await Promise.race(p),--f);let x=new Je(S,n,e.createSubDirsForProject),j=[],F=oe=>{j.push(oe)};p.push(Qs(S,x,o,s,i,F,a,t,j)),++f}await Promise.all(p),console.log(`Scanning took ${Date.now()-m}ms`),t.autoRemoveUnusedStatements&&await oa(a,e.vexDir);let g=zs(a,e.reportNoLongerDetectedVulnerabilities);if(g.hasError)return 1;if(g.hasNewVuln){if(e.onNewVulnerabilities==="fail")return 1;e.onNewVulnerabilities==="warn"&&console.log("##vso[task.complete result=SucceededWithIssues;]NEW_VULNERABILITIES_DETECTED")}if(g.hasNoLongerDetectedVuln){if(e.onNoLongerDetectedVulnerabilities==="fail")return 1;e.onNoLongerDetectedVulnerabilities==="warn"&&console.log("##vso[task.complete result=SucceededWithIssues;]NO_LONGER_DETECTED_VULNERABILITIES")}return 0}async function Qs(t,e,r,n,i,o,s,c,l){try{let{unmatchedVulnerabilities:u,noLongerDetectedVulnerabilities:a}=await ea(t,e,r,n,i,o);s.set(t.purl,{project:t,newVulns:u,noLongerDetectedVulns:a})}catch(u){let a=u;s.set(t.purl,{project:t,error:a.message,newVulns:[],noLongerDetectedVulns:[]})}if(c.verbose)for(let u of l)console.log(u)}function zs(t,e){let r=!1,n=!1,i=!1;console.log(`
28
+ `);let l=ia(t),u=e.projects,a=new Map,m=Date.now();console.log("Scanning projects ...");let d=1,f=0,p=[];for(let S of u){if(!l(S))continue;f>=d&&(await Promise.race(p),--f);let x=new Je(S,n,e.createSubDirsForProject),j=[],F=oe=>{j.push(oe)};p.push(Qs(S,x,o,s,i,F,a,t,j)),++f}await Promise.all(p),console.log(`Scanning took ${Date.now()-m}ms`),t.autoRemoveUnusedStatements&&await oa(a,e.vexDir);let g=zs(a,e.reportNoLongerDetectedVulnerabilities);if(g.hasError)return 1;if(g.hasNewVuln){if(e.onNewVulnerabilities==="fail")return 1;e.onNewVulnerabilities==="warn"&&(console.log("##vso[task.logissue type=warning;]NEW_VULNERABILITIES_DETECTED"),console.log("##vso[task.complete result=SucceededWithIssues;]"))}if(g.hasNoLongerDetectedVuln){if(e.onNoLongerDetectedVulnerabilities==="fail")return 1;e.onNoLongerDetectedVulnerabilities==="warn"&&(console.log("##vso[task.logissue type=warning;]NO_LONGER_DETECTED_VULNERABILITIES"),console.log("##vso[task.complete result=SucceededWithIssues;]"))}return 0}async function Qs(t,e,r,n,i,o,s,c,l){try{let{unmatchedVulnerabilities:u,noLongerDetectedVulnerabilities:a}=await ea(t,e,r,n,i,o);s.set(t.purl,{project:t,newVulns:u,noLongerDetectedVulns:a})}catch(u){let a=u;s.set(t.purl,{project:t,error:a.message,newVulns:[],noLongerDetectedVulns:[]})}if(c.verbose)for(let u of l)console.log(u)}function zs(t,e){let r=!1,n=!1,i=!1;console.log(`
29
29
  Scan results:`);for(let o of t.values()){let s=Zs(o,e);r=r||s.hasError,n=n||s.hasNewVuln,i=i||s.hasNoLongerDetectedVuln}return!r&&!n&&!i&&console.log(" No issues found"),{hasError:r,hasNewVuln:n,hasNoLongerDetectedVuln:i}}function Zs(t,e){let r=t.project,n=r.purl,i=r.silent,o=J[r.minimumSeverity],s=!!t.error,c=i?[]:t.newVulns.filter(u=>o<=J[u.severity]),l=i||!e?[]:t.noLongerDetectedVulns;if(!s&&!c.length&&!l.length)return{hasError:s,hasNewVuln:!1,hasNoLongerDetectedVuln:!1};if(console.log(` ${r.name} - ${r.version} (${n}):`),t.error&&console.error(` Error: ${t.error}`),c.length){console.log(" New vulnerabilities:");for(let u of c)console.log(` [${u.severity}] ${u.id}`)}if(l.length){console.log(" Declared but no longer detected vulnerabilities:");for(let u of l)console.log(` ${u}`)}return{hasError:s,hasNewVuln:c.length>0,hasNoLongerDetectedVuln:l.length>0}}async function ea(t,e,r,n,i,o){let s=await Gn(t,await e.lookupOutputFileForWriting("project-cyclonedx-sbom-file"),r);o(`Analyzing project: ${s.name} - ${s.version} - ${s.sbomFile}`);let c=new ke;await n.scanProject(s,e,c,o);let l=i.filterByProduct([s.purl,...s.purlAliases]),{unmatchedVulnerabilities:u}=c.enhanceWithVexData(l),a=s.detectNoLongerUsedVulnerabilities?l.findNotMatchingVulnerabilities(c.getAllVulnIds()):[];return await ta(e,s,c,l,o),{unmatchedVulnerabilities:u,noLongerDetectedVulnerabilities:a}}async function ta(t,e,r,n,i){let o=r.getAllVulnerabilitiesSortedBySeverity(),s=await t.lookupOutputFileForWriting("aggregate-results");await(0,le.writeFile)(s,JSON.stringify(o,null,2)),i(` Vulnerabilities output file: ${s}`);let c=await t.lookupOutputFileForWriting("aggregated-sarif-results"),l=Xn(o,e);await(0,le.writeFile)(c,JSON.stringify(l,null,2)),i(` Vuln Sarif output file: ${c}`);let u=n.toVexFileForProduct();if(!u)return;let a=await t.lookupOutputFileForWriting("project-openvex-file");await(0,le.writeFile)(a,JSON.stringify(u,null,2)),i(` OpenVex file: ${a}`)}async function ra(t,e){let r=t.vexDir,n;await se(r)?n=await ye.fromFiles(r):n=new ye;for(let i of t.vexUrls)await ye.fromUrl(i,e,n);return n}function na(t,e,r){if(e.scannerEngine)return e.scannerEngine;if(t.scanners.length===0)throw new Error("No scanners configured");return new Qe(t.scanners,r,e)}function ia(t){let{reduceToProjectName:e,reduceToProjectVersion:r}=t;return n=>!(!n.enabled||e&&(n.name!==e||r&&n.version!==r))}async function oa(t,e){for(let r of t.values())if(!r.project.silent)for(let n of r.noLongerDetectedVulns)await ti(e,r.project.purl,n)}var ci=Ee(ai());(0,ci.config)();var z=process.env;(async()=>{let t=await ri({workingDir:process.cwd(),reduceToProjectName:process.argv[2],reduceToProjectVersion:process.argv[3],ossIndexApiUser:z.OSS_INDEX_API_USER,ossIndexApiToken:z.OSS_INDEX_API_TOKEN,mavenRepoUser:z.MAVEN_REPO_USER,mavenRepoPw:z.MAVEN_REPO_PW,trivyGithubToken:z.TRIVY_GITHUB_TOKEN,vexUrlsUser:z.VEX_URLS_USER,vexUrlsPw:z.VEX_URLS_PW,verbose:z.VERBOSE==="true",autoRemoveUnusedStatements:z.AUTO_REMOVE_UNUSED_STATEMENTS==="true"});process.exit(t)})();
30
30
  /*! Bundled license information:
31
31
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@conterra/vuln-scan",
3
- "version": "0.0.19",
3
+ "version": "0.0.20",
4
4
  "description": "con terra vulnerability scan process",
5
5
  "author": "con terra GmbH",
6
6
  "license": "Apache-2.0",