@feiyoug/skill-lab 0.0.0 → 0.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +73 -0
- package/esm/analyzer/astgrep/client.d.ts +20 -8
- package/esm/analyzer/astgrep/client.d.ts.map +1 -1
- package/esm/analyzer/astgrep/client.js +58 -31
- package/esm/analyzer/config/default.d.ts +8 -0
- package/esm/analyzer/config/default.d.ts.map +1 -0
- package/esm/analyzer/config/default.js +91 -0
- package/esm/analyzer/config/helpers.d.ts +8 -0
- package/esm/analyzer/config/helpers.d.ts.map +1 -0
- package/esm/analyzer/config/helpers.js +72 -0
- package/esm/analyzer/config/mod.d.ts +4 -0
- package/esm/analyzer/config/mod.d.ts.map +1 -0
- package/esm/analyzer/config/mod.js +3 -0
- package/esm/analyzer/config/types.d.ts +58 -0
- package/esm/analyzer/config/types.d.ts.map +1 -0
- package/esm/analyzer/{config.js → config/types.js} +0 -28
- package/esm/analyzer/logging.d.ts +3 -0
- package/esm/analyzer/logging.d.ts.map +1 -0
- package/esm/analyzer/logging.js +6 -0
- package/esm/analyzer/mod.d.ts +12 -5
- package/esm/analyzer/mod.d.ts.map +1 -1
- package/esm/analyzer/mod.js +25 -12
- package/esm/analyzer/result.d.ts +35 -0
- package/esm/analyzer/result.d.ts.map +1 -0
- package/esm/analyzer/result.js +311 -0
- package/esm/analyzer/rules/bash/commands/mod.d.ts +1 -0
- package/esm/analyzer/rules/bash/commands/mod.d.ts.map +1 -1
- package/esm/analyzer/rules/bash/commands/mod.js +3 -0
- package/esm/analyzer/rules/bash/commands/pip.d.ts +3 -0
- package/esm/analyzer/rules/bash/commands/pip.d.ts.map +1 -0
- package/esm/analyzer/rules/bash/commands/pip.js +14 -0
- package/esm/analyzer/rules/bash/extractFileRefs.d.ts +1 -1
- package/esm/analyzer/rules/bash/extractFileRefs.d.ts.map +1 -1
- package/esm/analyzer/rules/bash/extractFileRefs.js +2 -2
- package/esm/analyzer/rules/bash/inline-command-classifier.d.ts +1 -1
- package/esm/analyzer/rules/bash/inline-command-classifier.d.ts.map +1 -1
- package/esm/analyzer/rules/bash/inline-command-classifier.js +4 -4
- package/esm/analyzer/rules/javascript/extractFileRefs.d.ts +3 -4
- package/esm/analyzer/rules/javascript/extractFileRefs.d.ts.map +1 -1
- package/esm/analyzer/rules/javascript/extractFileRefs.js +3 -4
- package/esm/analyzer/rules/markdown/extractCodeBlocks.d.ts.map +1 -1
- package/esm/analyzer/rules/markdown/extractCodeBlocks.js +6 -3
- package/esm/analyzer/rules/markdown/extractFileRefs.d.ts.map +1 -1
- package/esm/analyzer/rules/markdown/extractFileRefs.js +2 -0
- package/esm/analyzer/rules/python/extractFileRefs.d.ts +1 -1
- package/esm/analyzer/rules/python/extractFileRefs.d.ts.map +1 -1
- package/esm/analyzer/rules/python/extractFileRefs.js +2 -2
- package/esm/analyzer/steps/001-discovery/discover-files.d.ts +4 -0
- package/esm/analyzer/steps/001-discovery/discover-files.d.ts.map +1 -1
- package/esm/analyzer/steps/001-discovery/discover-files.js +18 -2
- package/esm/analyzer/steps/001-discovery/mod.d.ts.map +1 -1
- package/esm/analyzer/steps/001-discovery/mod.js +39 -9
- package/esm/analyzer/steps/002-permissions/mod.d.ts.map +1 -1
- package/esm/analyzer/steps/002-permissions/mod.js +156 -73
- package/esm/analyzer/steps/002-permissions/scan-file.d.ts +1 -1
- package/esm/analyzer/steps/002-permissions/scan-file.d.ts.map +1 -1
- package/esm/analyzer/steps/002-permissions/scan-file.js +40 -5
- package/esm/analyzer/steps/002-permissions/seed-frontmatter.js +2 -2
- package/esm/analyzer/steps/003-risks/dep-risks.d.ts +3 -0
- package/esm/analyzer/steps/003-risks/dep-risks.d.ts.map +1 -0
- package/esm/analyzer/steps/003-risks/dep-risks.js +74 -0
- package/esm/analyzer/steps/003-risks/helpers.d.ts +1 -0
- package/esm/analyzer/steps/003-risks/helpers.d.ts.map +1 -1
- package/esm/analyzer/steps/003-risks/helpers.js +1 -0
- package/esm/analyzer/steps/003-risks/mod.d.ts +3 -2
- package/esm/analyzer/steps/003-risks/mod.d.ts.map +1 -1
- package/esm/analyzer/steps/003-risks/mod.js +41 -4
- package/esm/analyzer/steps/003-risks/policy.d.ts +7 -0
- package/esm/analyzer/steps/003-risks/policy.d.ts.map +1 -0
- package/esm/analyzer/steps/003-risks/policy.js +23 -0
- package/esm/analyzer/steps/003-risks/rule-mapped.d.ts +2 -2
- package/esm/analyzer/steps/003-risks/rule-mapped.d.ts.map +1 -1
- package/esm/analyzer/steps/003-risks/rule-mapped.js +83 -2
- package/esm/analyzer/steps/003-risks/scoring.d.ts +9 -1
- package/esm/analyzer/steps/003-risks/scoring.d.ts.map +1 -1
- package/esm/analyzer/steps/003-risks/scoring.js +55 -42
- package/esm/analyzer/treesitter/client.d.ts +31 -0
- package/esm/analyzer/treesitter/client.d.ts.map +1 -0
- package/esm/analyzer/{treesiter → treesitter}/client.js +43 -39
- package/esm/analyzer/treesitter/registry.d.ts +73 -0
- package/esm/analyzer/treesitter/registry.d.ts.map +1 -0
- package/esm/analyzer/treesitter/registry.js +165 -0
- package/esm/analyzer/types.d.ts +14 -28
- package/esm/analyzer/types.d.ts.map +1 -1
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/deps.d.ts +3 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/deps.d.ts.map +1 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/deps.js +3 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/mod.d.ts +93 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/mod.d.ts.map +1 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/mod.js +297 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/multi.d.ts +84 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/multi.d.ts.map +1 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/multi.js +268 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/time.d.ts +18 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/time.d.ts.map +1 -0
- package/esm/deps/jsr.io/@deno-library/progress/1.5.1/time.js +45 -0
- package/esm/deps/jsr.io/@std/fmt/1.0.3/colors.d.ts +700 -0
- package/esm/deps/jsr.io/@std/fmt/1.0.3/colors.d.ts.map +1 -0
- package/esm/deps/jsr.io/@std/fmt/1.0.3/colors.js +903 -0
- package/esm/deps/jsr.io/@std/io/0.225.0/types.d.ts +146 -0
- package/esm/deps/jsr.io/@std/io/0.225.0/types.d.ts.map +1 -0
- package/esm/deps/jsr.io/@std/io/0.225.0/types.js +15 -0
- package/esm/deps/jsr.io/@std/io/0.225.0/write_all.d.ts +51 -0
- package/esm/deps/jsr.io/@std/io/0.225.0/write_all.d.ts.map +1 -0
- package/esm/deps/jsr.io/@std/io/0.225.0/write_all.js +61 -0
- package/esm/shared/deep_merge.d.ts +12 -0
- package/esm/shared/deep_merge.d.ts.map +1 -0
- package/esm/shared/deep_merge.js +49 -0
- package/esm/shared/mod.d.ts +1 -0
- package/esm/shared/mod.d.ts.map +1 -1
- package/esm/shared/mod.js +1 -0
- package/esm/shared/types/filetypes.d.ts +2 -2
- package/esm/shared/types/filetypes.d.ts.map +1 -1
- package/esm/shared/types/permissions.d.ts +1 -1
- package/esm/shared/types/permissions.d.ts.map +1 -1
- package/esm/shared/types/risks.d.ts +4 -1
- package/esm/shared/types/risks.d.ts.map +1 -1
- package/esm/skillreader/types.d.ts +2 -2
- package/esm/skillreader/types.d.ts.map +1 -1
- package/esm/skillreader/types.js +2 -2
- package/package.json +1 -1
- package/script/analyzer/astgrep/client.d.ts +20 -8
- package/script/analyzer/astgrep/client.d.ts.map +1 -1
- package/script/analyzer/astgrep/client.js +58 -64
- package/script/analyzer/config/default.d.ts +8 -0
- package/script/analyzer/config/default.d.ts.map +1 -0
- package/script/analyzer/config/default.js +94 -0
- package/script/analyzer/config/helpers.d.ts +8 -0
- package/script/analyzer/config/helpers.d.ts.map +1 -0
- package/script/analyzer/config/helpers.js +76 -0
- package/script/analyzer/config/mod.d.ts +4 -0
- package/script/analyzer/config/mod.d.ts.map +1 -0
- package/script/analyzer/config/mod.js +21 -0
- package/script/analyzer/config/types.d.ts +58 -0
- package/script/analyzer/config/types.d.ts.map +1 -0
- package/script/analyzer/{config.js → config/types.js} +1 -29
- package/script/analyzer/logging.d.ts +3 -0
- package/script/analyzer/logging.d.ts.map +1 -0
- package/script/analyzer/logging.js +9 -0
- package/script/analyzer/mod.d.ts +12 -5
- package/script/analyzer/mod.d.ts.map +1 -1
- package/script/analyzer/mod.js +35 -20
- package/script/analyzer/result.d.ts +35 -0
- package/script/analyzer/result.d.ts.map +1 -0
- package/script/analyzer/result.js +315 -0
- package/script/analyzer/rules/bash/commands/mod.d.ts +1 -0
- package/script/analyzer/rules/bash/commands/mod.d.ts.map +1 -1
- package/script/analyzer/rules/bash/commands/mod.js +3 -0
- package/script/analyzer/rules/bash/commands/pip.d.ts +3 -0
- package/script/analyzer/rules/bash/commands/pip.d.ts.map +1 -0
- package/script/analyzer/rules/bash/commands/pip.js +17 -0
- package/script/analyzer/rules/bash/extractFileRefs.d.ts +1 -1
- package/script/analyzer/rules/bash/extractFileRefs.d.ts.map +1 -1
- package/script/analyzer/rules/bash/extractFileRefs.js +2 -2
- package/script/analyzer/rules/bash/inline-command-classifier.d.ts +1 -1
- package/script/analyzer/rules/bash/inline-command-classifier.d.ts.map +1 -1
- package/script/analyzer/rules/bash/inline-command-classifier.js +4 -4
- package/script/analyzer/rules/javascript/extractFileRefs.d.ts +3 -4
- package/script/analyzer/rules/javascript/extractFileRefs.d.ts.map +1 -1
- package/script/analyzer/rules/javascript/extractFileRefs.js +3 -4
- package/script/analyzer/rules/markdown/extractCodeBlocks.d.ts.map +1 -1
- package/script/analyzer/rules/markdown/extractCodeBlocks.js +6 -3
- package/script/analyzer/rules/markdown/extractFileRefs.d.ts.map +1 -1
- package/script/analyzer/rules/markdown/extractFileRefs.js +2 -0
- package/script/analyzer/rules/python/extractFileRefs.d.ts +1 -1
- package/script/analyzer/rules/python/extractFileRefs.d.ts.map +1 -1
- package/script/analyzer/rules/python/extractFileRefs.js +2 -2
- package/script/analyzer/steps/001-discovery/discover-files.d.ts +4 -0
- package/script/analyzer/steps/001-discovery/discover-files.d.ts.map +1 -1
- package/script/analyzer/steps/001-discovery/discover-files.js +18 -2
- package/script/analyzer/steps/001-discovery/mod.d.ts.map +1 -1
- package/script/analyzer/steps/001-discovery/mod.js +77 -11
- package/script/analyzer/steps/002-permissions/mod.d.ts.map +1 -1
- package/script/analyzer/steps/002-permissions/mod.js +194 -75
- package/script/analyzer/steps/002-permissions/scan-file.d.ts +1 -1
- package/script/analyzer/steps/002-permissions/scan-file.d.ts.map +1 -1
- package/script/analyzer/steps/002-permissions/scan-file.js +40 -5
- package/script/analyzer/steps/002-permissions/seed-frontmatter.js +3 -3
- package/script/analyzer/steps/003-risks/dep-risks.d.ts +3 -0
- package/script/analyzer/steps/003-risks/dep-risks.d.ts.map +1 -0
- package/script/analyzer/steps/003-risks/dep-risks.js +77 -0
- package/script/analyzer/steps/003-risks/helpers.d.ts +1 -0
- package/script/analyzer/steps/003-risks/helpers.d.ts.map +1 -1
- package/script/analyzer/steps/003-risks/helpers.js +1 -0
- package/script/analyzer/steps/003-risks/mod.d.ts +3 -2
- package/script/analyzer/steps/003-risks/mod.d.ts.map +1 -1
- package/script/analyzer/steps/003-risks/mod.js +77 -4
- package/script/analyzer/steps/003-risks/policy.d.ts +7 -0
- package/script/analyzer/steps/003-risks/policy.d.ts.map +1 -0
- package/script/analyzer/steps/003-risks/policy.js +29 -0
- package/script/analyzer/steps/003-risks/rule-mapped.d.ts +2 -2
- package/script/analyzer/steps/003-risks/rule-mapped.d.ts.map +1 -1
- package/script/analyzer/steps/003-risks/rule-mapped.js +83 -2
- package/script/analyzer/steps/003-risks/scoring.d.ts +9 -1
- package/script/analyzer/steps/003-risks/scoring.d.ts.map +1 -1
- package/script/analyzer/steps/003-risks/scoring.js +55 -42
- package/script/analyzer/treesitter/client.d.ts +31 -0
- package/script/analyzer/treesitter/client.d.ts.map +1 -0
- package/script/analyzer/treesitter/client.js +136 -0
- package/script/analyzer/treesitter/registry.d.ts +73 -0
- package/script/analyzer/treesitter/registry.d.ts.map +1 -0
- package/script/analyzer/treesitter/registry.js +206 -0
- package/script/analyzer/types.d.ts +14 -28
- package/script/analyzer/types.d.ts.map +1 -1
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/deps.d.ts +3 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/deps.d.ts.map +1 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/deps.js +10 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/mod.d.ts +93 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/mod.d.ts.map +1 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/mod.js +334 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/multi.d.ts +84 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/multi.d.ts.map +1 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/multi.js +305 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/time.d.ts +18 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/time.d.ts.map +1 -0
- package/script/deps/jsr.io/@deno-library/progress/1.5.1/time.js +48 -0
- package/script/deps/jsr.io/@std/fmt/1.0.3/colors.d.ts +700 -0
- package/script/deps/jsr.io/@std/fmt/1.0.3/colors.d.ts.map +1 -0
- package/script/deps/jsr.io/@std/fmt/1.0.3/colors.js +986 -0
- package/script/deps/jsr.io/@std/io/0.225.0/types.d.ts +146 -0
- package/script/deps/jsr.io/@std/io/0.225.0/types.d.ts.map +1 -0
- package/script/deps/jsr.io/@std/io/0.225.0/types.js +18 -0
- package/script/deps/jsr.io/@std/io/0.225.0/write_all.d.ts +51 -0
- package/script/deps/jsr.io/@std/io/0.225.0/write_all.d.ts.map +1 -0
- package/script/deps/jsr.io/@std/io/0.225.0/write_all.js +65 -0
- package/script/shared/deep_merge.d.ts +12 -0
- package/script/shared/deep_merge.d.ts.map +1 -0
- package/script/shared/deep_merge.js +53 -0
- package/script/shared/mod.d.ts +1 -0
- package/script/shared/mod.d.ts.map +1 -1
- package/script/shared/mod.js +1 -0
- package/script/shared/types/filetypes.d.ts +2 -2
- package/script/shared/types/filetypes.d.ts.map +1 -1
- package/script/shared/types/permissions.d.ts +1 -1
- package/script/shared/types/permissions.d.ts.map +1 -1
- package/script/shared/types/risks.d.ts +4 -1
- package/script/shared/types/risks.d.ts.map +1 -1
- package/script/skillreader/types.d.ts +2 -2
- package/script/skillreader/types.d.ts.map +1 -1
- package/script/skillreader/types.js +2 -2
- package/src/_dnt.polyfills.ts +27 -0
- package/src/_dnt.shims.ts +64 -0
- package/src/analyzer/astgrep/client.ts +184 -0
- package/src/analyzer/astgrep/mod.ts +2 -0
- package/src/analyzer/config/default.ts +98 -0
- package/src/analyzer/config/helpers.ts +107 -0
- package/src/analyzer/config/mod.ts +3 -0
- package/src/analyzer/config/types.ts +103 -0
- package/src/analyzer/logging.ts +8 -0
- package/src/analyzer/mod.ts +118 -0
- package/src/analyzer/result.ts +393 -0
- package/src/analyzer/rules/bash/astTypes.ts +5 -0
- package/src/analyzer/rules/bash/commands/bd.ts +23 -0
- package/src/analyzer/rules/bash/commands/cron.ts +21 -0
- package/src/analyzer/rules/bash/commands/docker.ts +37 -0
- package/src/analyzer/rules/bash/commands/eval.ts +52 -0
- package/src/analyzer/rules/bash/commands/generic.ts +16 -0
- package/src/analyzer/rules/bash/commands/gh.ts +21 -0
- package/src/analyzer/rules/bash/commands/git.ts +28 -0
- package/src/analyzer/rules/bash/commands/mod.ts +38 -0
- package/src/analyzer/rules/bash/commands/node.ts +64 -0
- package/src/analyzer/rules/bash/commands/openspec.ts +16 -0
- package/src/analyzer/rules/bash/commands/pip.ts +16 -0
- package/src/analyzer/rules/bash/commands/sudo.ts +21 -0
- package/src/analyzer/rules/bash/destructive.ts +28 -0
- package/src/analyzer/rules/bash/extractFileRefs.ts +101 -0
- package/src/analyzer/rules/bash/filesystem.ts +50 -0
- package/src/analyzer/rules/bash/injection.ts +21 -0
- package/src/analyzer/rules/bash/inline-command-classifier.ts +94 -0
- package/src/analyzer/rules/bash/mod.ts +23 -0
- package/src/analyzer/rules/bash/network.ts +64 -0
- package/src/analyzer/rules/bash/secret-detection.ts +43 -0
- package/src/analyzer/rules/javascript/astTypes.ts +8 -0
- package/src/analyzer/rules/javascript/extractFileRefs.ts +131 -0
- package/src/analyzer/rules/javascript/filesystem.ts +28 -0
- package/src/analyzer/rules/javascript/injection.ts +21 -0
- package/src/analyzer/rules/javascript/mod.ts +26 -0
- package/src/analyzer/rules/javascript/network.ts +27 -0
- package/src/analyzer/rules/javascript/secret-detection.ts +68 -0
- package/src/analyzer/rules/javascript/subprocess.ts +16 -0
- package/src/analyzer/rules/markdown/astTypes.ts +35 -0
- package/src/analyzer/rules/markdown/extractCodeBlocks.ts +101 -0
- package/src/analyzer/rules/markdown/extractFileRefs.ts +179 -0
- package/src/analyzer/rules/markdown/mod.ts +12 -0
- package/src/analyzer/rules/mod.ts +77 -0
- package/src/analyzer/rules/python/astTypes.ts +9 -0
- package/src/analyzer/rules/python/extractFileRefs.ts +92 -0
- package/src/analyzer/rules/python/mod.ts +15 -0
- package/src/analyzer/rules/python/network.ts +26 -0
- package/src/analyzer/rules/python/secret-detection.ts +30 -0
- package/src/analyzer/rules/shared/file-refs.ts +38 -0
- package/src/analyzer/rules/shared/network-evaluators.ts +107 -0
- package/src/analyzer/rules/shared/prompt-injection.ts +48 -0
- package/src/analyzer/rules/shared/secret-evaluators.ts +13 -0
- package/src/analyzer/rules/text/mod.ts +12 -0
- package/src/analyzer/rules/typescript/mod.ts +7 -0
- package/src/analyzer/steps/001-discovery/discover-files.ts +211 -0
- package/src/analyzer/steps/001-discovery/filter-files.ts +72 -0
- package/src/analyzer/steps/001-discovery/mod.ts +103 -0
- package/src/analyzer/steps/002-permissions/mod.ts +329 -0
- package/src/analyzer/steps/002-permissions/scan-file.ts +258 -0
- package/src/analyzer/steps/002-permissions/seed-frontmatter.ts +66 -0
- package/src/analyzer/steps/002-permissions/synthesize.ts +42 -0
- package/src/analyzer/steps/003-risks/dep-risks.ts +89 -0
- package/src/analyzer/steps/003-risks/helpers.ts +41 -0
- package/src/analyzer/steps/003-risks/mod.ts +86 -0
- package/src/analyzer/steps/003-risks/policy.ts +38 -0
- package/src/analyzer/steps/003-risks/rule-mapped.ts +206 -0
- package/src/analyzer/steps/003-risks/scoring.ts +117 -0
- package/src/analyzer/steps/mod.ts +3 -0
- package/src/analyzer/treesitter/client.ts +120 -0
- package/src/analyzer/treesitter/registry.ts +198 -0
- package/src/analyzer/types.ts +78 -0
- package/src/analyzer/utils/code-block-path.ts +33 -0
- package/src/analyzer/utils/id-generator.ts +59 -0
- package/src/analyzer/utils/secret-validator.ts +29 -0
- package/src/analyzer/utils/url-parser.ts +25 -0
- package/src/deps/jsr.io/@deno-library/progress/1.5.1/deps.ts +3 -0
- package/src/deps/jsr.io/@deno-library/progress/1.5.1/mod.ts +265 -0
- package/src/deps/jsr.io/@deno-library/progress/1.5.1/multi.ts +250 -0
- package/src/deps/jsr.io/@deno-library/progress/1.5.1/time.ts +69 -0
- package/src/deps/jsr.io/@std/fmt/1.0.3/colors.ts +1004 -0
- package/src/deps/jsr.io/@std/internal/1.0.12/_os.ts +15 -0
- package/src/deps/jsr.io/@std/internal/1.0.12/os.ts +7 -0
- package/src/deps/jsr.io/@std/io/0.225.0/types.ts +157 -0
- package/src/deps/jsr.io/@std/io/0.225.0/write_all.ts +65 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/assert_path.ts +10 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/basename.ts +53 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/common.ts +26 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/constants.ts +49 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/dirname.ts +9 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/format.ts +25 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/from_file_url.ts +12 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/glob_to_reg_exp.ts +295 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/normalize.ts +9 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/normalize_string.ts +74 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/relative.ts +10 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/strip_trailing_separators.ts +25 -0
- package/src/deps/jsr.io/@std/path/1.1.4/_common/to_file_url.ts +17 -0
- package/src/deps/jsr.io/@std/path/1.1.4/basename.ts +37 -0
- package/src/deps/jsr.io/@std/path/1.1.4/common.ts +35 -0
- package/src/deps/jsr.io/@std/path/1.1.4/constants.ts +18 -0
- package/src/deps/jsr.io/@std/path/1.1.4/dirname.ts +30 -0
- package/src/deps/jsr.io/@std/path/1.1.4/extname.ts +29 -0
- package/src/deps/jsr.io/@std/path/1.1.4/format.ts +30 -0
- package/src/deps/jsr.io/@std/path/1.1.4/from_file_url.ts +30 -0
- package/src/deps/jsr.io/@std/path/1.1.4/glob_to_regexp.ts +94 -0
- package/src/deps/jsr.io/@std/path/1.1.4/is_absolute.ts +30 -0
- package/src/deps/jsr.io/@std/path/1.1.4/is_glob.ts +49 -0
- package/src/deps/jsr.io/@std/path/1.1.4/join.ts +31 -0
- package/src/deps/jsr.io/@std/path/1.1.4/join_globs.ts +42 -0
- package/src/deps/jsr.io/@std/path/1.1.4/mod.ts +217 -0
- package/src/deps/jsr.io/@std/path/1.1.4/normalize.ts +33 -0
- package/src/deps/jsr.io/@std/path/1.1.4/normalize_glob.ts +45 -0
- package/src/deps/jsr.io/@std/path/1.1.4/parse.ts +44 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/_util.ts +10 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/basename.ts +62 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/constants.ts +15 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/dirname.ts +72 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/extname.ts +96 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/format.ts +31 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/from_file_url.ts +25 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/glob_to_regexp.ts +94 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/is_absolute.ts +25 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/join.ts +46 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/join_globs.ts +45 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/normalize.ts +63 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/normalize_glob.ts +43 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/parse.ts +121 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/relative.ts +103 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/resolve.ts +71 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/to_file_url.ts +32 -0
- package/src/deps/jsr.io/@std/path/1.1.4/posix/to_namespaced_path.ts +21 -0
- package/src/deps/jsr.io/@std/path/1.1.4/relative.ts +32 -0
- package/src/deps/jsr.io/@std/path/1.1.4/resolve.ts +32 -0
- package/src/deps/jsr.io/@std/path/1.1.4/to_file_url.ts +30 -0
- package/src/deps/jsr.io/@std/path/1.1.4/to_namespaced_path.ts +31 -0
- package/src/deps/jsr.io/@std/path/1.1.4/types.ts +40 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/_util.ts +28 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/basename.ts +54 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/constants.ts +15 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/dirname.ts +118 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/extname.ts +90 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/format.ts +31 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/from_file_url.ts +34 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/glob_to_regexp.ts +92 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/is_absolute.ts +40 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/join.ts +78 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/join_globs.ts +46 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/normalize.ts +136 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/normalize_glob.ts +43 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/parse.ts +184 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/relative.ts +128 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/resolve.ts +178 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/to_file_url.ts +38 -0
- package/src/deps/jsr.io/@std/path/1.1.4/windows/to_namespaced_path.ts +60 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_chars.ts +55 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_dumper_state.ts +841 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_loader_state.ts +1780 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_schema.ts +183 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/binary.ts +127 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/bool.ts +37 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/float.ts +112 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/int.ts +174 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/map.ts +17 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/merge.ts +13 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/nil.ts +27 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/omap.ts +30 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/pairs.ts +22 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/regexp.ts +33 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/seq.ts +13 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/set.ts +17 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/str.ts +12 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/timestamp.ts +101 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type/undefined.ts +23 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_type.ts +49 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/_utils.ts +16 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/mod.ts +54 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/parse.ts +128 -0
- package/src/deps/jsr.io/@std/yaml/1.0.11/stringify.ts +118 -0
- package/src/shared/deep_merge.ts +73 -0
- package/src/shared/mod.ts +2 -0
- package/src/shared/types/filetypes.ts +101 -0
- package/src/shared/types/findings.ts +7 -0
- package/src/shared/types/mod.ts +6 -0
- package/src/shared/types/permissions.ts +17 -0
- package/src/shared/types/references.ts +62 -0
- package/src/shared/types/risks.ts +72 -0
- package/src/shared/types/syntaxNode.ts +7 -0
- package/src/skillreader/cloudStorage/mod.ts +170 -0
- package/src/skillreader/factory.ts +71 -0
- package/src/skillreader/fs/git.ts +153 -0
- package/src/skillreader/fs/mod.ts +84 -0
- package/src/skillreader/github/base.ts +162 -0
- package/src/skillreader/github/githubApi.ts +40 -0
- package/src/skillreader/github/githubRaw.ts +24 -0
- package/src/skillreader/github/mod.ts +45 -0
- package/src/skillreader/github/utils.ts +40 -0
- package/src/skillreader/manifest.ts +67 -0
- package/src/skillreader/mod.ts +26 -0
- package/src/skillreader/types.ts +150 -0
- package/src/skillreader/utils/frontmatter-parser.ts +72 -0
- package/src/skillreader/utils/http-range.ts +38 -0
- package/src/skillreader/utils/mod.ts +12 -0
- package/esm/analyzer/astgrep/registry.d.ts +0 -18
- package/esm/analyzer/astgrep/registry.d.ts.map +0 -1
- package/esm/analyzer/astgrep/registry.js +0 -71
- package/esm/analyzer/config.d.ts +0 -27
- package/esm/analyzer/config.d.ts.map +0 -1
- package/esm/analyzer/steps/003-risks/output.d.ts +0 -3
- package/esm/analyzer/steps/003-risks/output.d.ts.map +0 -1
- package/esm/analyzer/steps/003-risks/output.js +0 -16
- package/esm/analyzer/treesiter/client.d.ts +0 -26
- package/esm/analyzer/treesiter/client.d.ts.map +0 -1
- package/script/analyzer/astgrep/registry.d.ts +0 -18
- package/script/analyzer/astgrep/registry.d.ts.map +0 -1
- package/script/analyzer/astgrep/registry.js +0 -109
- package/script/analyzer/config.d.ts +0 -27
- package/script/analyzer/config.d.ts.map +0 -1
- package/script/analyzer/steps/003-risks/output.d.ts +0 -3
- package/script/analyzer/steps/003-risks/output.d.ts.map +0 -1
- package/script/analyzer/steps/003-risks/output.js +0 -19
- package/script/analyzer/treesiter/client.d.ts +0 -26
- package/script/analyzer/treesiter/client.d.ts.map +0 -1
- package/script/analyzer/treesiter/client.js +0 -165
|
@@ -0,0 +1,393 @@
|
|
|
1
|
+
import type { Permission, Risk } from "../shared/mod.js";
|
|
2
|
+
import { scoreState } from "./steps/003-risks/scoring.js";
|
|
3
|
+
import { DEFAULT_ANALYZER_CONFIG } from "./config/mod.js";
|
|
4
|
+
import type { AnalyzerConfig } from "./config/mod.js";
|
|
5
|
+
import type { AnalyzerState, ScanConfig } from "./types.js";
|
|
6
|
+
|
|
7
|
+
const INDENT = " ";
|
|
8
|
+
const SUB_INDENT = " ";
|
|
9
|
+
|
|
10
|
+
// ---------------------------------------------------------------------------
|
|
11
|
+
// SARIF types (minimal — only what we emit)
|
|
12
|
+
// ---------------------------------------------------------------------------
|
|
13
|
+
|
|
14
|
+
type SarifArtifactLocation = {
|
|
15
|
+
uri: string;
|
|
16
|
+
uriBaseId?: string;
|
|
17
|
+
};
|
|
18
|
+
|
|
19
|
+
type SarifRegion = {
|
|
20
|
+
startLine: number;
|
|
21
|
+
endLine?: number;
|
|
22
|
+
};
|
|
23
|
+
|
|
24
|
+
type SarifLocation = {
|
|
25
|
+
physicalLocation: {
|
|
26
|
+
artifactLocation: SarifArtifactLocation;
|
|
27
|
+
region: SarifRegion;
|
|
28
|
+
};
|
|
29
|
+
};
|
|
30
|
+
|
|
31
|
+
type SarifResult = {
|
|
32
|
+
ruleId: string;
|
|
33
|
+
level: "error" | "warning" | "note";
|
|
34
|
+
message: { text: string };
|
|
35
|
+
locations: SarifLocation[];
|
|
36
|
+
fingerprints?: Record<string, string>;
|
|
37
|
+
};
|
|
38
|
+
|
|
39
|
+
type SarifRule = {
|
|
40
|
+
id: string;
|
|
41
|
+
shortDescription: { text: string };
|
|
42
|
+
help: { text: string };
|
|
43
|
+
properties?: { tags: string[] };
|
|
44
|
+
};
|
|
45
|
+
|
|
46
|
+
type SarifLog = {
|
|
47
|
+
$schema: string;
|
|
48
|
+
version: "2.1.0";
|
|
49
|
+
runs: Array<{
|
|
50
|
+
tool: {
|
|
51
|
+
driver: {
|
|
52
|
+
name: string;
|
|
53
|
+
version: string;
|
|
54
|
+
informationUri: string;
|
|
55
|
+
rules: SarifRule[];
|
|
56
|
+
};
|
|
57
|
+
};
|
|
58
|
+
results: SarifResult[];
|
|
59
|
+
artifacts: Array<{ location: SarifArtifactLocation }>;
|
|
60
|
+
}>;
|
|
61
|
+
};
|
|
62
|
+
|
|
63
|
+
// ---------------------------------------------------------------------------
|
|
64
|
+
// SkillAnalyzerResult class
|
|
65
|
+
// ---------------------------------------------------------------------------
|
|
66
|
+
|
|
67
|
+
export class SkillAnalyzerResult {
|
|
68
|
+
readonly analyzedAt: string;
|
|
69
|
+
|
|
70
|
+
private _score: number | undefined;
|
|
71
|
+
private _riskLevel: "safe" | "caution" | "attention" | "risky" | "avoid" | undefined;
|
|
72
|
+
private _summary: string | undefined;
|
|
73
|
+
|
|
74
|
+
constructor(
|
|
75
|
+
private readonly state: AnalyzerState,
|
|
76
|
+
private readonly config: AnalyzerConfig = DEFAULT_ANALYZER_CONFIG,
|
|
77
|
+
) {
|
|
78
|
+
this.analyzedAt = new Date().toISOString();
|
|
79
|
+
}
|
|
80
|
+
|
|
81
|
+
get skillId(): string {
|
|
82
|
+
return this.state.skillId;
|
|
83
|
+
}
|
|
84
|
+
|
|
85
|
+
get skillVersionId(): string {
|
|
86
|
+
return this.state.skillVersionId;
|
|
87
|
+
}
|
|
88
|
+
|
|
89
|
+
get permissions(): Permission[] {
|
|
90
|
+
return this.state.permissions;
|
|
91
|
+
}
|
|
92
|
+
|
|
93
|
+
get risks(): Risk[] {
|
|
94
|
+
return this.state.risks;
|
|
95
|
+
}
|
|
96
|
+
|
|
97
|
+
get warnings(): string[] {
|
|
98
|
+
return this.state.warnings;
|
|
99
|
+
}
|
|
100
|
+
|
|
101
|
+
get metadata(): {
|
|
102
|
+
scannedFiles: Set<string>;
|
|
103
|
+
skippedFiles: Array<{ path: string; reason: string }>;
|
|
104
|
+
rulesUsed: string[];
|
|
105
|
+
frontmatterRangeEnd?: number;
|
|
106
|
+
config: ScanConfig;
|
|
107
|
+
} {
|
|
108
|
+
return this.state.metadata;
|
|
109
|
+
}
|
|
110
|
+
|
|
111
|
+
get score(): number {
|
|
112
|
+
return this._ensureScored().score;
|
|
113
|
+
}
|
|
114
|
+
|
|
115
|
+
get riskLevel(): "safe" | "caution" | "attention" | "risky" | "avoid" {
|
|
116
|
+
return this._ensureScored().riskLevel;
|
|
117
|
+
}
|
|
118
|
+
|
|
119
|
+
get summary(): string {
|
|
120
|
+
return this._ensureScored().summary;
|
|
121
|
+
}
|
|
122
|
+
|
|
123
|
+
private _ensureScored() {
|
|
124
|
+
if (this._score === undefined) {
|
|
125
|
+
const scored = scoreState(this.state, this.config);
|
|
126
|
+
this._score = scored.score;
|
|
127
|
+
this._riskLevel = scored.riskLevel;
|
|
128
|
+
this._summary = scored.summary;
|
|
129
|
+
}
|
|
130
|
+
return {
|
|
131
|
+
score: this._score!,
|
|
132
|
+
riskLevel: this._riskLevel!,
|
|
133
|
+
summary: this._summary!,
|
|
134
|
+
};
|
|
135
|
+
}
|
|
136
|
+
|
|
137
|
+
// -----------------------------------------------------------------------
|
|
138
|
+
// toString() — human-readable terminal output
|
|
139
|
+
// -----------------------------------------------------------------------
|
|
140
|
+
|
|
141
|
+
toString(): string {
|
|
142
|
+
const lines: string[] = [];
|
|
143
|
+
const hr = "=".repeat(60);
|
|
144
|
+
|
|
145
|
+
lines.push(hr);
|
|
146
|
+
lines.push("Analysis Results");
|
|
147
|
+
lines.push(hr);
|
|
148
|
+
lines.push(`${INDENT}Skill: ${this.skillId}@${this.skillVersionId}`);
|
|
149
|
+
|
|
150
|
+
// lines.push("");
|
|
151
|
+
// lines.push(`${INDENT}Permissions (${this.permissions.length})`);
|
|
152
|
+
// if (this.permissions.length === 0) {
|
|
153
|
+
// lines.push(`${SUB_INDENT}- none`);
|
|
154
|
+
// } else {
|
|
155
|
+
// for (const p of this.permissions) {
|
|
156
|
+
// lines.push(`${SUB_INDENT}- ${p.tool}.${p.permission} [${p.scope}]`);
|
|
157
|
+
// if (p.args && p.args.length > 0) {
|
|
158
|
+
// lines.push(`${SUB_INDENT}${INDENT}args: ${p.args.join(", ")}`);
|
|
159
|
+
// }
|
|
160
|
+
// lines.push(`${SUB_INDENT}${INDENT}source: ${p.source}`);
|
|
161
|
+
// if (p.references.length > 0) {
|
|
162
|
+
// lines.push(
|
|
163
|
+
// `${SUB_INDENT}${INDENT}ref: ${_formatRef(p.references[0])}`,
|
|
164
|
+
// );
|
|
165
|
+
// }
|
|
166
|
+
// }
|
|
167
|
+
// }
|
|
168
|
+
|
|
169
|
+
lines.push("");
|
|
170
|
+
lines.push(`${INDENT}Risks (${this.risks.length})`);
|
|
171
|
+
if (this.risks.length === 0) {
|
|
172
|
+
lines.push(`${SUB_INDENT}- none`);
|
|
173
|
+
} else {
|
|
174
|
+
const SEVERITY_ORDER: Record<string, number> = { critical: 0, warning: 1, info: 2 };
|
|
175
|
+
|
|
176
|
+
const groups = new Map<string, Risk[]>();
|
|
177
|
+
for (const r of this.risks) {
|
|
178
|
+
const key = r.groupKey ?? `${r.type}:${r.reference.file}:${r.reference.line}`;
|
|
179
|
+
const bucket = groups.get(key) ?? [];
|
|
180
|
+
bucket.push(r);
|
|
181
|
+
groups.set(key, bucket);
|
|
182
|
+
}
|
|
183
|
+
|
|
184
|
+
const sortedGroups = Array.from(groups.entries())
|
|
185
|
+
.map(([groupKey, risks]) => ({
|
|
186
|
+
groupKey,
|
|
187
|
+
risks,
|
|
188
|
+
sortKey: Math.min(...risks.map((r) => SEVERITY_ORDER[r.severity] ?? 99)),
|
|
189
|
+
}))
|
|
190
|
+
.sort((a, b) => a.sortKey - b.sortKey);
|
|
191
|
+
|
|
192
|
+
for (const group of sortedGroups) {
|
|
193
|
+
if (group.risks.length === 1) {
|
|
194
|
+
const r = group.risks[0];
|
|
195
|
+
lines.push(`${SUB_INDENT}- ${r.severity} ${r.type}`);
|
|
196
|
+
lines.push(`${SUB_INDENT}${INDENT}message: ${r.message}`);
|
|
197
|
+
lines.push(`${SUB_INDENT}${INDENT}ref: ${_formatRef(r.reference)}`);
|
|
198
|
+
if (r.permissions.length > 0) {
|
|
199
|
+
lines.push(
|
|
200
|
+
`${SUB_INDENT}${INDENT}permissions: ${r.permissions.join(", ")}`,
|
|
201
|
+
);
|
|
202
|
+
}
|
|
203
|
+
continue;
|
|
204
|
+
}
|
|
205
|
+
|
|
206
|
+
const topRisk = group.risks.reduce((best, r) =>
|
|
207
|
+
(SEVERITY_ORDER[r.severity] ?? 99) < (SEVERITY_ORDER[best.severity] ?? 99)
|
|
208
|
+
? r
|
|
209
|
+
: best
|
|
210
|
+
);
|
|
211
|
+
lines.push(`${SUB_INDENT}[${group.groupKey}] (${topRisk.severity})`);
|
|
212
|
+
for (const r of group.risks) {
|
|
213
|
+
lines.push(`${SUB_INDENT}${INDENT}- ${r.message}`);
|
|
214
|
+
lines.push(`${SUB_INDENT}${INDENT} ref: ${_formatRef(r.reference)}`);
|
|
215
|
+
}
|
|
216
|
+
}
|
|
217
|
+
}
|
|
218
|
+
|
|
219
|
+
lines.push("");
|
|
220
|
+
lines.push(`${INDENT}Warnings (${this.warnings.length})`);
|
|
221
|
+
if (this.warnings.length === 0) {
|
|
222
|
+
lines.push(`${SUB_INDENT}- none`);
|
|
223
|
+
} else {
|
|
224
|
+
for (const w of this.warnings) {
|
|
225
|
+
lines.push(`${SUB_INDENT}- ${w}`);
|
|
226
|
+
}
|
|
227
|
+
}
|
|
228
|
+
|
|
229
|
+
lines.push("");
|
|
230
|
+
lines.push(`${INDENT}Risk Level: ${this.riskLevel}`);
|
|
231
|
+
lines.push(`${INDENT}Score: ${this.score}`);
|
|
232
|
+
lines.push(`${INDENT}Summary: ${this.summary}`);
|
|
233
|
+
|
|
234
|
+
return lines.join("\n");
|
|
235
|
+
}
|
|
236
|
+
|
|
237
|
+
// -----------------------------------------------------------------------
|
|
238
|
+
// toJson() — plain JSON matching legacy AnalyzerResult shape
|
|
239
|
+
// -----------------------------------------------------------------------
|
|
240
|
+
|
|
241
|
+
toJson(): string {
|
|
242
|
+
return JSON.stringify(
|
|
243
|
+
{
|
|
244
|
+
analyzedAt: this.analyzedAt,
|
|
245
|
+
skillId: this.skillId,
|
|
246
|
+
skillVersionId: this.skillVersionId,
|
|
247
|
+
permissions: this.permissions,
|
|
248
|
+
risks: this.risks,
|
|
249
|
+
score: this.score,
|
|
250
|
+
riskLevel: this.riskLevel,
|
|
251
|
+
summary: this.summary,
|
|
252
|
+
warnings: this.warnings,
|
|
253
|
+
metadata: {
|
|
254
|
+
...this.metadata,
|
|
255
|
+
scannedFiles: [...this.metadata.scannedFiles],
|
|
256
|
+
},
|
|
257
|
+
},
|
|
258
|
+
null,
|
|
259
|
+
2,
|
|
260
|
+
);
|
|
261
|
+
}
|
|
262
|
+
|
|
263
|
+
// -----------------------------------------------------------------------
|
|
264
|
+
// toSarif() — SARIF 2.1.0 for GitHub Code Scanning
|
|
265
|
+
// -----------------------------------------------------------------------
|
|
266
|
+
|
|
267
|
+
async toSarif(toolVersion: string): Promise<string> {
|
|
268
|
+
// --- rules ---
|
|
269
|
+
const rules: SarifRule[] = [];
|
|
270
|
+
const seenRiskTypes = new Set<string>();
|
|
271
|
+
|
|
272
|
+
for (const r of this.risks) {
|
|
273
|
+
if (!seenRiskTypes.has(r.type)) {
|
|
274
|
+
seenRiskTypes.add(r.type);
|
|
275
|
+
rules.push({
|
|
276
|
+
id: r.type,
|
|
277
|
+
shortDescription: { text: r.type },
|
|
278
|
+
help: { text: r.message },
|
|
279
|
+
properties: { tags: ["security"] },
|
|
280
|
+
});
|
|
281
|
+
}
|
|
282
|
+
}
|
|
283
|
+
|
|
284
|
+
if (this.warnings.length > 0) {
|
|
285
|
+
rules.push({
|
|
286
|
+
id: "slab/warning",
|
|
287
|
+
shortDescription: { text: "Analysis warning" },
|
|
288
|
+
help: { text: "Warnings produced during skill analysis." },
|
|
289
|
+
properties: { tags: ["maintainability"] },
|
|
290
|
+
});
|
|
291
|
+
}
|
|
292
|
+
|
|
293
|
+
for (const p of this.permissions) {
|
|
294
|
+
rules.push({
|
|
295
|
+
id: p.id,
|
|
296
|
+
shortDescription: { text: `${p.tool}.${p.permission} [${p.scope}]` },
|
|
297
|
+
help: {
|
|
298
|
+
text: p.comment ??
|
|
299
|
+
`Permission detected: ${p.tool} ${p.permission} (${p.scope})`,
|
|
300
|
+
},
|
|
301
|
+
properties: { tags: ["permissions"] },
|
|
302
|
+
});
|
|
303
|
+
}
|
|
304
|
+
|
|
305
|
+
// --- results ---
|
|
306
|
+
const results: SarifResult[] = [];
|
|
307
|
+
|
|
308
|
+
for (const r of this.risks) {
|
|
309
|
+
const fp = await _fingerprint(`${r.type}:${r.reference.file}:${r.reference.line}`);
|
|
310
|
+
results.push({
|
|
311
|
+
ruleId: r.type,
|
|
312
|
+
level: _sarifLevel(r.severity),
|
|
313
|
+
message: { text: r.message },
|
|
314
|
+
locations: [
|
|
315
|
+
_sarifLocation(r.reference.file, r.reference.line, r.reference.lineEnd),
|
|
316
|
+
],
|
|
317
|
+
fingerprints: { "slab/v1": fp },
|
|
318
|
+
});
|
|
319
|
+
}
|
|
320
|
+
|
|
321
|
+
for (const w of this.warnings) {
|
|
322
|
+
results.push({
|
|
323
|
+
ruleId: "slab/warning",
|
|
324
|
+
level: "note",
|
|
325
|
+
message: { text: w },
|
|
326
|
+
locations: [_sarifLocation("SKILL.md", 1)],
|
|
327
|
+
});
|
|
328
|
+
}
|
|
329
|
+
|
|
330
|
+
// --- artifacts ---
|
|
331
|
+
const artifacts = [...this.metadata.scannedFiles].map((f) => ({
|
|
332
|
+
location: { uri: f, uriBaseId: "%SRCROOT%" },
|
|
333
|
+
}));
|
|
334
|
+
|
|
335
|
+
const log: SarifLog = {
|
|
336
|
+
$schema: "https://json.schemastore.org/sarif-2.1.0.json",
|
|
337
|
+
version: "2.1.0",
|
|
338
|
+
runs: [
|
|
339
|
+
{
|
|
340
|
+
tool: {
|
|
341
|
+
driver: {
|
|
342
|
+
name: "slab",
|
|
343
|
+
version: toolVersion,
|
|
344
|
+
informationUri: "https://github.com/FeiyouG/skill-lab",
|
|
345
|
+
rules,
|
|
346
|
+
},
|
|
347
|
+
},
|
|
348
|
+
results,
|
|
349
|
+
artifacts,
|
|
350
|
+
},
|
|
351
|
+
],
|
|
352
|
+
};
|
|
353
|
+
|
|
354
|
+
return JSON.stringify(log, null, 2);
|
|
355
|
+
}
|
|
356
|
+
}
|
|
357
|
+
|
|
358
|
+
// ---------------------------------------------------------------------------
|
|
359
|
+
// Helpers
|
|
360
|
+
// ---------------------------------------------------------------------------
|
|
361
|
+
|
|
362
|
+
function _formatRef(ref: { file: string; line: number; lineEnd?: number; type: string }): string {
|
|
363
|
+
if (ref.lineEnd !== undefined && ref.lineEnd !== ref.line) {
|
|
364
|
+
return `${ref.file}:${ref.line}-${ref.lineEnd} (${ref.type})`;
|
|
365
|
+
}
|
|
366
|
+
return `${ref.file}:${ref.line} (${ref.type})`;
|
|
367
|
+
}
|
|
368
|
+
|
|
369
|
+
function _sarifLevel(severity: string): "error" | "warning" | "note" {
|
|
370
|
+
if (severity === "critical") return "error";
|
|
371
|
+
if (severity === "warning") return "warning";
|
|
372
|
+
return "note";
|
|
373
|
+
}
|
|
374
|
+
|
|
375
|
+
function _sarifLocation(file: string, startLine: number, endLine?: number): SarifLocation {
|
|
376
|
+
const region: SarifRegion = { startLine };
|
|
377
|
+
if (endLine !== undefined && endLine !== startLine) {
|
|
378
|
+
region.endLine = endLine;
|
|
379
|
+
}
|
|
380
|
+
return {
|
|
381
|
+
physicalLocation: {
|
|
382
|
+
artifactLocation: { uri: file, uriBaseId: "%SRCROOT%" },
|
|
383
|
+
region,
|
|
384
|
+
},
|
|
385
|
+
};
|
|
386
|
+
}
|
|
387
|
+
|
|
388
|
+
async function _fingerprint(input: string): Promise<string> {
|
|
389
|
+
const encoded = new TextEncoder().encode(input);
|
|
390
|
+
const hashBuffer = await crypto.subtle.digest("SHA-256", encoded);
|
|
391
|
+
const hashArray = Array.from(new Uint8Array(hashBuffer));
|
|
392
|
+
return hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
|
|
393
|
+
}
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
import type { AstGrepRule } from "../../../astgrep/client.js";
|
|
2
|
+
|
|
3
|
+
export const BD_RULES: AstGrepRule[] = [
|
|
4
|
+
{
|
|
5
|
+
id: "shell-bd",
|
|
6
|
+
description: "Detects bd task commands",
|
|
7
|
+
grammar: "bash",
|
|
8
|
+
patterns: [
|
|
9
|
+
"bd ready",
|
|
10
|
+
"bd show $ID",
|
|
11
|
+
"bd update $ID $$$ARGS",
|
|
12
|
+
"bd close $ID",
|
|
13
|
+
"bd sync",
|
|
14
|
+
"bd create $$$ARGS",
|
|
15
|
+
],
|
|
16
|
+
permission: {
|
|
17
|
+
tool: "bd",
|
|
18
|
+
scope: "sys",
|
|
19
|
+
permission: "shell",
|
|
20
|
+
metadata: { id: "ID" },
|
|
21
|
+
},
|
|
22
|
+
},
|
|
23
|
+
];
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
import type { AstGrepRule } from "../../../astgrep/client.js";
|
|
2
|
+
|
|
3
|
+
export const CRON_RULES: AstGrepRule[] = [
|
|
4
|
+
{
|
|
5
|
+
id: "shell-cron",
|
|
6
|
+
description: "Detects cron persistence",
|
|
7
|
+
grammar: "bash",
|
|
8
|
+
patterns: ["crontab $FILE", "echo $ENTRY | crontab -"],
|
|
9
|
+
permission: {
|
|
10
|
+
tool: "crontab",
|
|
11
|
+
scope: "sys",
|
|
12
|
+
permission: "shell",
|
|
13
|
+
metadata: { file: "FILE" },
|
|
14
|
+
mappedRisks: [{
|
|
15
|
+
code: "PERSISTENCE:persistence",
|
|
16
|
+
severity: "warning",
|
|
17
|
+
message: "Persistence mechanism detected",
|
|
18
|
+
}],
|
|
19
|
+
},
|
|
20
|
+
},
|
|
21
|
+
];
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
import type { AstGrepRule } from "../../../astgrep/client.js";
|
|
2
|
+
|
|
3
|
+
export const DOCKER_RULES: AstGrepRule[] = [
|
|
4
|
+
{
|
|
5
|
+
id: "shell-docker",
|
|
6
|
+
description: "Detects docker commands",
|
|
7
|
+
grammar: "bash",
|
|
8
|
+
patterns: [
|
|
9
|
+
"docker run $$$ARGS",
|
|
10
|
+
"docker exec $$$ARGS",
|
|
11
|
+
"docker build $$$ARGS",
|
|
12
|
+
"docker pull $$$ARGS",
|
|
13
|
+
"docker push $$$ARGS",
|
|
14
|
+
],
|
|
15
|
+
permission: {
|
|
16
|
+
tool: "docker",
|
|
17
|
+
scope: "sys",
|
|
18
|
+
permission: "shell",
|
|
19
|
+
},
|
|
20
|
+
},
|
|
21
|
+
{
|
|
22
|
+
id: "shell-docker-compose",
|
|
23
|
+
description: "Detects docker compose commands",
|
|
24
|
+
grammar: "bash",
|
|
25
|
+
patterns: [
|
|
26
|
+
"docker-compose up $$$ARGS",
|
|
27
|
+
"docker-compose down $$$ARGS",
|
|
28
|
+
"docker compose up $$$ARGS",
|
|
29
|
+
"docker compose down $$$ARGS",
|
|
30
|
+
],
|
|
31
|
+
permission: {
|
|
32
|
+
tool: "docker-compose",
|
|
33
|
+
scope: "sys",
|
|
34
|
+
permission: "shell",
|
|
35
|
+
},
|
|
36
|
+
},
|
|
37
|
+
];
|
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
import type { AstGrepRule } from "../../../astgrep/client.js";
|
|
2
|
+
|
|
3
|
+
export const EVAL_RULES: AstGrepRule[] = [
|
|
4
|
+
{
|
|
5
|
+
id: "shell-eval",
|
|
6
|
+
description: "Detects eval execution",
|
|
7
|
+
grammar: "bash",
|
|
8
|
+
patterns: ["eval $CMD", 'eval "$CMD"', "eval '$CMD'"],
|
|
9
|
+
permission: {
|
|
10
|
+
tool: "eval",
|
|
11
|
+
scope: "sys",
|
|
12
|
+
permission: "shell",
|
|
13
|
+
metadata: { command: "CMD" },
|
|
14
|
+
},
|
|
15
|
+
},
|
|
16
|
+
{
|
|
17
|
+
id: "shell-sh-c",
|
|
18
|
+
description: "Detects sh -c execution",
|
|
19
|
+
grammar: "bash",
|
|
20
|
+
patterns: ["sh -c $CMD", 'sh -c "$CMD"', "sh -c '$CMD'"],
|
|
21
|
+
permission: {
|
|
22
|
+
tool: "sh",
|
|
23
|
+
scope: "sys",
|
|
24
|
+
permission: "shell",
|
|
25
|
+
metadata: { command: "CMD" },
|
|
26
|
+
},
|
|
27
|
+
},
|
|
28
|
+
{
|
|
29
|
+
id: "shell-bash-c",
|
|
30
|
+
description: "Detects bash -c execution",
|
|
31
|
+
grammar: "bash",
|
|
32
|
+
patterns: ["bash -c $CMD", 'bash -c "$CMD"', "bash -c '$CMD'"],
|
|
33
|
+
permission: {
|
|
34
|
+
tool: "bash",
|
|
35
|
+
scope: "sys",
|
|
36
|
+
permission: "shell",
|
|
37
|
+
metadata: { command: "CMD" },
|
|
38
|
+
},
|
|
39
|
+
},
|
|
40
|
+
{
|
|
41
|
+
id: "shell-source",
|
|
42
|
+
description: "Detects source command",
|
|
43
|
+
grammar: "bash",
|
|
44
|
+
patterns: ["source $FILE", ". $FILE"],
|
|
45
|
+
permission: {
|
|
46
|
+
tool: "source",
|
|
47
|
+
scope: "fs",
|
|
48
|
+
permission: "read",
|
|
49
|
+
metadata: { file: "FILE" },
|
|
50
|
+
},
|
|
51
|
+
},
|
|
52
|
+
];
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
import type { AstGrepRule } from "../../../astgrep/client.js";
|
|
2
|
+
|
|
3
|
+
export const GENERIC_SHELL_RULES: AstGrepRule[] = [
|
|
4
|
+
{
|
|
5
|
+
id: "shell-generic-command",
|
|
6
|
+
description: "Catches unrecognized shell command invocations",
|
|
7
|
+
grammar: "bash",
|
|
8
|
+
patterns: ["$TOOL $$$ARGS"],
|
|
9
|
+
permission: {
|
|
10
|
+
tool: "detected",
|
|
11
|
+
scope: "sys",
|
|
12
|
+
permission: "shell",
|
|
13
|
+
metadata: { tool: "TOOL", args: "ARGS" },
|
|
14
|
+
},
|
|
15
|
+
},
|
|
16
|
+
];
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
import type { AstGrepRule } from "../../../astgrep/client.js";
|
|
2
|
+
|
|
3
|
+
export const GH_RULES: AstGrepRule[] = [
|
|
4
|
+
{
|
|
5
|
+
id: "shell-gh",
|
|
6
|
+
description: "Detects GitHub CLI commands",
|
|
7
|
+
grammar: "bash",
|
|
8
|
+
patterns: [
|
|
9
|
+
"gh pr $$$ARGS",
|
|
10
|
+
"gh issue $$$ARGS",
|
|
11
|
+
"gh repo $$$ARGS",
|
|
12
|
+
"gh api $$$ARGS",
|
|
13
|
+
"gh auth $$$ARGS",
|
|
14
|
+
],
|
|
15
|
+
permission: {
|
|
16
|
+
tool: "gh",
|
|
17
|
+
scope: "sys",
|
|
18
|
+
permission: "shell",
|
|
19
|
+
},
|
|
20
|
+
},
|
|
21
|
+
];
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
import type { AstGrepRule } from "../../../astgrep/client.js";
|
|
2
|
+
|
|
3
|
+
export const GIT_RULES: AstGrepRule[] = [
|
|
4
|
+
{
|
|
5
|
+
id: "shell-git",
|
|
6
|
+
description: "Detects git commands",
|
|
7
|
+
grammar: "bash",
|
|
8
|
+
patterns: [
|
|
9
|
+
"git status",
|
|
10
|
+
"git add $PATH",
|
|
11
|
+
"git commit $$$ARGS",
|
|
12
|
+
"git pull $$$ARGS",
|
|
13
|
+
"git push $$$ARGS",
|
|
14
|
+
"git checkout $BRANCH",
|
|
15
|
+
"git merge $BRANCH",
|
|
16
|
+
"git rebase $BRANCH",
|
|
17
|
+
"git clone $URL",
|
|
18
|
+
"git fetch $$$ARGS",
|
|
19
|
+
"git log $$$ARGS",
|
|
20
|
+
],
|
|
21
|
+
permission: {
|
|
22
|
+
tool: "git",
|
|
23
|
+
scope: "sys",
|
|
24
|
+
permission: "shell",
|
|
25
|
+
metadata: { url: "URL", branch: "BRANCH", path: "PATH" },
|
|
26
|
+
},
|
|
27
|
+
},
|
|
28
|
+
];
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
import type { AstGrepRule } from "../../../astgrep/client.js";
|
|
2
|
+
import { BD_RULES } from "./bd.js";
|
|
3
|
+
import { CRON_RULES } from "./cron.js";
|
|
4
|
+
import { DOCKER_RULES } from "./docker.js";
|
|
5
|
+
import { EVAL_RULES } from "./eval.js";
|
|
6
|
+
import { GENERIC_SHELL_RULES } from "./generic.js";
|
|
7
|
+
import { GH_RULES } from "./gh.js";
|
|
8
|
+
import { GIT_RULES } from "./git.js";
|
|
9
|
+
import { NODE_ECOSYSTEM_RULES } from "./node.js";
|
|
10
|
+
import { OPENSPEC_RULES } from "./openspec.js";
|
|
11
|
+
import { PIP_RULES } from "./pip.js";
|
|
12
|
+
import { SUDO_RULES } from "./sudo.js";
|
|
13
|
+
|
|
14
|
+
export * from "./bd.js";
|
|
15
|
+
export * from "./cron.js";
|
|
16
|
+
export * from "./docker.js";
|
|
17
|
+
export * from "./eval.js";
|
|
18
|
+
export * from "./generic.js";
|
|
19
|
+
export * from "./gh.js";
|
|
20
|
+
export * from "./git.js";
|
|
21
|
+
export * from "./node.js";
|
|
22
|
+
export * from "./openspec.js";
|
|
23
|
+
export * from "./pip.js";
|
|
24
|
+
export * from "./sudo.js";
|
|
25
|
+
|
|
26
|
+
export const BASH_COMMAND_RULES: AstGrepRule[] = [
|
|
27
|
+
...GIT_RULES,
|
|
28
|
+
...GH_RULES,
|
|
29
|
+
...NODE_ECOSYSTEM_RULES,
|
|
30
|
+
...PIP_RULES,
|
|
31
|
+
...DOCKER_RULES,
|
|
32
|
+
...BD_RULES,
|
|
33
|
+
...SUDO_RULES,
|
|
34
|
+
...EVAL_RULES,
|
|
35
|
+
...OPENSPEC_RULES,
|
|
36
|
+
...CRON_RULES,
|
|
37
|
+
...GENERIC_SHELL_RULES,
|
|
38
|
+
];
|