@etalon/core 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/dist/chunk-C6WLBWUY.js +230 -0
  2. package/dist/index.d.ts +557 -0
  3. package/dist/index.js +3051 -0
  4. package/dist/plugin-loader-TQ2IIQED.js +8 -0
  5. package/package.json +26 -0
package/dist/chunk-C6WLBWUY.js ADDED
@@ -0,0 +1,230 @@
1
+ // src/audit/plugin-loader.ts
2
+ import { readFileSync, readdirSync, existsSync } from "fs";
3
+ import { join, extname } from "path";
4
+ import { parse as parseYaml } from "yaml";
5
+
6
+ // src/audit/gdpr-articles.ts
7
+ var GDPR_BASE = "https://gdpr-info.eu/art-";
8
+ function art(article, title) {
9
+ const num = article.replace(/\(.*/, "");
10
+ return { article, title, url: `${GDPR_BASE}${num}-gdpr/` };
11
+ }
12
+ var GDPR_RULE_MAP = {
13
+ // ── Tracker detection ──────────────────────────────────
14
+ "tracker-dependency": [
15
+ art("6(1)(a)", "Lawfulness \u2014 Consent"),
16
+ art("7", "Conditions for Consent")
17
+ ],
18
+ "tracker-import": [
19
+ art("6(1)(a)", "Lawfulness \u2014 Consent"),
20
+ art("7", "Conditions for Consent")
21
+ ],
22
+ "tracker-api-call": [
23
+ art("6(1)(a)", "Lawfulness \u2014 Consent"),
24
+ art("5(1)(a)", "Lawfulness, Fairness, Transparency")
25
+ ],
26
+ "tracker-http-call": [
27
+ art("6(1)(a)", "Lawfulness \u2014 Consent"),
28
+ art("5(1)(a)", "Lawfulness, Fairness, Transparency")
29
+ ],
30
+ "tracker-env-var": [
31
+ art("6(1)(a)", "Lawfulness \u2014 Consent")
32
+ ],
33
+ "hardcoded-tracker": [
34
+ art("6(1)(a)", "Lawfulness \u2014 Consent"),
35
+ art("25", "Data Protection by Design and by Default")
36
+ ],
37
+ "inline-tracker": [
38
+ art("6(1)(a)", "Lawfulness \u2014 Consent"),
39
+ art("7", "Conditions for Consent")
40
+ ],
41
+ "tracker-middleware": [
42
+ art("6(1)(a)", "Lawfulness \u2014 Consent"),
43
+ art("25", "Data Protection by Design and by Default")
44
+ ],
45
+ "unconditional-tracker": [
46
+ art("6(1)(a)", "Lawfulness \u2014 Consent"),
47
+ art("7(1)", "Demonstrable Consent")
48
+ ],
49
+ "analytics-proxy": [
50
+ art("5(1)(a)", "Lawfulness, Fairness, Transparency"),
51
+ art("25", "Data Protection by Design and by Default")
52
+ ],
53
+ // ── Server-side & CNAME ────────────────────────────────
54
+ "server-side-tracking": [
55
+ art("5(1)(a)", "Lawfulness, Fairness, Transparency"),
56
+ art("25", "Data Protection by Design and by Default"),
57
+ art("6(1)(a)", "Lawfulness \u2014 Consent")
58
+ ],
59
+ "cname-cloaking": [
60
+ art("5(1)(a)", "Lawfulness, Fairness, Transparency"),
61
+ art("7(1)", "Demonstrable Consent"),
62
+ art("12", "Transparent Information and Communication"),
63
+ art("25", "Data Protection by Design and by Default")
64
+ ],
65
+ // ── PII & Data ─────────────────────────────────────────
66
+ "pii-column": [
67
+ art("5(1)(c)", "Data Minimisation"),
68
+ art("5(1)(e)", "Storage Limitation"),
69
+ art("32", "Security of Processing")
70
+ ],
71
+ "pii-field-type": [
72
+ art("5(1)(c)", "Data Minimisation"),
73
+ art("25", "Data Protection by Design and by Default")
74
+ ],
75
+ "storage-pii": [
76
+ art("5(1)(f)", "Integrity and Confidentiality"),
77
+ art("32", "Security of Processing")
78
+ ],
79
+ "logging-pii": [
80
+ art("5(1)(f)", "Integrity and Confidentiality"),
81
+ art("5(1)(e)", "Storage Limitation")
82
+ ],
83
+ "no-retention-policy": [
84
+ art("5(1)(e)", "Storage Limitation"),
85
+ art("13(2)(a)", "Right to Information \u2014 Retention Period")
86
+ ],
87
+ // ── Cookies ────────────────────────────────────────────
88
+ "cookie-no-consent": [
89
+ art("6(1)(a)", "Lawfulness \u2014 Consent"),
90
+ art("7", "Conditions for Consent")
91
+ ],
92
+ "cookie-insecure": [
93
+ art("5(1)(f)", "Integrity and Confidentiality"),
94
+ art("32", "Security of Processing")
95
+ ],
96
+ "cookie-samesite": [
97
+ art("5(1)(f)", "Integrity and Confidentiality"),
98
+ art("32", "Security of Processing")
99
+ ],
100
+ // ── Security / Config ──────────────────────────────────
101
+ "missing-csp": [
102
+ art("32", "Security of Processing")
103
+ ],
104
+ "csp-unsafe-inline": [
105
+ art("32", "Security of Processing")
106
+ ],
107
+ "csp-unsafe-eval": [
108
+ art("32", "Security of Processing")
109
+ ],
110
+ "cors-wildcard": [
111
+ art("32", "Security of Processing")
112
+ ],
113
+ "cors-credentials-wildcard": [
114
+ art("32", "Security of Processing"),
115
+ art("5(1)(f)", "Integrity and Confidentiality")
116
+ ],
117
+ "missing-security-headers": [
118
+ art("32", "Security of Processing")
119
+ ],
120
+ "no-ssl": [
121
+ art("32", "Security of Processing"),
122
+ art("5(1)(f)", "Integrity and Confidentiality")
123
+ ],
124
+ "debug-mode": [
125
+ art("32", "Security of Processing"),
126
+ art("5(1)(f)", "Integrity and Confidentiality")
127
+ ]
128
+ };
129
+ function enrichWithGdpr(findings) {
130
+ return findings.map((f) => {
131
+ const articles = GDPR_RULE_MAP[f.rule];
132
+ if (articles && articles.length > 0) {
133
+ return { ...f, gdprArticles: articles };
134
+ }
135
+ return f;
136
+ });
137
+ }
138
+
139
+ // src/audit/plugin-loader.ts
140
+ function loadCustomRules(directory) {
141
+ const rulesDir = join(directory, ".etalon", "rules");
142
+ if (!existsSync(rulesDir)) return [];
143
+ const rules = [];
144
+ const files = readdirSync(rulesDir).filter((f) => {
145
+ const ext = extname(f);
146
+ return ext === ".yaml" || ext === ".yml";
147
+ });
148
+ for (const file of files) {
149
+ try {
150
+ const content = readFileSync(join(rulesDir, file), "utf-8");
151
+ const parsed = parseYaml(content);
152
+ if (!parsed.name || !parsed.severity || !parsed.patterns) {
153
+ continue;
154
+ }
155
+ rules.push(parsed);
156
+ } catch {
157
+ }
158
+ }
159
+ return rules;
160
+ }
161
+ function scanWithCustomRules(files, directory, rules) {
162
+ if (rules.length === 0) return [];
163
+ const findings = [];
164
+ let findingId = 0;
165
+ for (const file of files) {
166
+ const fullPath = join(directory, file);
167
+ let content;
168
+ try {
169
+ content = readFileSync(fullPath, "utf-8");
170
+ } catch {
171
+ continue;
172
+ }
173
+ const lines = content.split("\n");
174
+ for (const rule of rules) {
175
+ for (const pattern of rule.patterns) {
176
+ if (pattern.languages && pattern.languages.length > 0) {
177
+ const ext = extname(file).substring(1);
178
+ const langMap = {
179
+ javascript: ["js", "jsx", "mjs", "cjs"],
180
+ typescript: ["ts", "tsx", "mts", "cts"],
181
+ python: ["py"],
182
+ rust: ["rs"],
183
+ go: ["go"],
184
+ java: ["java"],
185
+ ruby: ["rb"]
186
+ };
187
+ const matches = pattern.languages.some((lang) => {
188
+ const exts = langMap[lang] ?? [lang];
189
+ return exts.includes(ext);
190
+ });
191
+ if (!matches) continue;
192
+ }
193
+ const regex = new RegExp(pattern.regex, "g");
194
+ for (let i = 0; i < lines.length; i++) {
195
+ if (regex.test(lines[i])) {
196
+ const gdprArticles = rule.gdpr_articles?.map((art2) => {
197
+ const existing = Object.values(GDPR_RULE_MAP).flat().find((r) => r.article === art2);
198
+ return existing ?? {
199
+ article: art2,
200
+ title: `GDPR Article ${art2}`,
201
+ url: `https://gdpr-info.eu/art-${art2.replace(/\(.*/, "")}-gdpr/`
202
+ };
203
+ });
204
+ findings.push({
205
+ id: `custom-${findingId++}`,
206
+ category: "code",
207
+ severity: rule.severity,
208
+ title: rule.description,
209
+ message: pattern.message,
210
+ file,
211
+ line: i + 1,
212
+ rule: `custom/${rule.name}`,
213
+ fix: rule.fix,
214
+ gdprArticles
215
+ });
216
+ }
217
+ regex.lastIndex = 0;
218
+ }
219
+ }
220
+ }
221
+ }
222
+ return findings;
223
+ }
224
+
225
+ export {
226
+ GDPR_RULE_MAP,
227
+ enrichWithGdpr,
228
+ loadCustomRules,
229
+ scanWithCustomRules
230
+ };