@rexymayderio/sentinel 0.1.0 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +10 -3
- package/dist/analyzers/match-evidence.d.ts +6 -1
- package/dist/analyzers/match-evidence.d.ts.map +1 -1
- package/dist/analyzers/match-evidence.js +10 -3
- package/dist/analyzers/match-evidence.js.map +1 -1
- package/dist/analyzers/source-analyzer.d.ts.map +1 -1
- package/dist/analyzers/source-analyzer.js +14 -11
- package/dist/analyzers/source-analyzer.js.map +1 -1
- package/dist/analyzers/static-code-analyzer.d.ts.map +1 -1
- package/dist/analyzers/static-code-analyzer.js +4 -2
- package/dist/analyzers/static-code-analyzer.js.map +1 -1
- package/dist/analyzers/strip-comments.d.ts +9 -0
- package/dist/analyzers/strip-comments.d.ts.map +1 -0
- package/dist/analyzers/strip-comments.js +86 -0
- package/dist/analyzers/strip-comments.js.map +1 -0
- package/dist/analyzers/test-path.d.ts +7 -0
- package/dist/analyzers/test-path.d.ts.map +1 -1
- package/dist/analyzers/test-path.js +45 -0
- package/dist/analyzers/test-path.js.map +1 -1
- package/dist/analyzers/typosquat.d.ts +4 -0
- package/dist/analyzers/typosquat.d.ts.map +1 -0
- package/dist/analyzers/typosquat.js +45 -0
- package/dist/analyzers/typosquat.js.map +1 -0
- package/dist/cli/index.js +7 -5
- package/dist/cli/index.js.map +1 -1
- package/dist/core/sentinel.d.ts.map +1 -1
- package/dist/core/sentinel.js +26 -8
- package/dist/core/sentinel.js.map +1 -1
- package/dist/engine/default-policy.d.ts +5 -0
- package/dist/engine/default-policy.d.ts.map +1 -1
- package/dist/engine/default-policy.js.map +1 -1
- package/dist/engine/risk-calculator.d.ts +1 -5
- package/dist/engine/risk-calculator.d.ts.map +1 -1
- package/dist/engine/risk-calculator.js +2 -6
- package/dist/engine/risk-calculator.js.map +1 -1
- package/dist/report/report-generator.js +1 -1
- package/dist/report/report-generator.js.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -55,7 +55,7 @@ sentinel verify npm express --markdown
|
|
|
55
55
|
# Custom policy file
|
|
56
56
|
sentinel verify npm express --policy ./policy.json
|
|
57
57
|
|
|
58
|
-
#
|
|
58
|
+
# Scan test/fixture files with the full ruleset (default: secrets + malware only)
|
|
59
59
|
sentinel verify local ./my-project --score-tests
|
|
60
60
|
|
|
61
61
|
# CLI help
|
|
@@ -139,7 +139,14 @@ Each finding has a severity. The Risk Calculator sums severity weights, subtract
|
|
|
139
139
|
|
|
140
140
|
Positive signals (verified publisher, long history, etc.) each subtract `5`, capped at `-30` total.
|
|
141
141
|
|
|
142
|
-
**Test/fixture code** is detected by path (`test/`, `tests/`, `__tests__/`, `fixtures/`, `*.test.*`, `*.spec.*`, etc.)
|
|
142
|
+
**Test/fixture code** is detected by path (`test/`, `tests/`, `__tests__/`, `fixtures/`, `*.test.*`, `*.spec.*`, etc.) and scanned with a **narrower ruleset** than production code. Everyday dev patterns (`child_process`, `spawn`, `eval`, dynamic imports, `rm -rf`, ...) are expected in tests and are **not** flagged there. Instead, test files are checked only for the things that genuinely matter in tests — the places malware likes to hide:
|
|
143
|
+
|
|
144
|
+
- **Leaked secrets** (AWS/GCP/OpenAI keys, private keys, tokens, ...)
|
|
145
|
+
- **Malware signatures**: remote payload delivery (`curl … | sh`, `wget … | sh`), crypto miners, UPX-packed blobs
|
|
146
|
+
- **Exfiltration / C2 channels**: Discord/Telegram webhooks, Pastebin, ngrok, Cloudflare tunnels, `.onion`, dynamic DNS
|
|
147
|
+
- **Prompt-injection attacks** hidden in fixtures
|
|
148
|
+
|
|
149
|
+
Findings that survive this filter are real, so they are reported (tagged `[test-file]` in terminal output, `isTest: true` in JSON) and counted at **full weight** in the risk score and policy. Use `--score-tests` (or set `scoreTestCodeFully: true` in policy) to scan test files with the full production ruleset instead.
|
|
143
150
|
|
|
144
151
|
The final score maps to a **risk level**:
|
|
145
152
|
|
|
@@ -246,7 +253,7 @@ Pass a JSON file via `--policy <file>` to override defaults (`src/engine/default
|
|
|
246
253
|
| `warnOnInstallScript` | boolean | `true` | Install scripts -> `WARN`. |
|
|
247
254
|
| `warnOnShellAccess` | boolean | `true` | Shell access -> `WARN`/`REQUIRE_APPROVAL`. |
|
|
248
255
|
| `allowOverrides` | boolean | `true` | Allow human overrides of non-`BLOCK` decisions. |
|
|
249
|
-
| `scoreTestCodeFully` | boolean | `false` | When `
|
|
256
|
+
| `scoreTestCodeFully` | boolean | `false` | When `false`, test/fixture files are scanned only for leaked secrets and malware signatures. When `true`, they are scanned with the full production ruleset. |
|
|
250
257
|
|
|
251
258
|
Example `policy.json`:
|
|
252
259
|
|
|
@@ -1,5 +1,10 @@
|
|
|
1
1
|
export declare const MAX_EVIDENCE_LENGTH = 120;
|
|
2
|
-
|
|
2
|
+
/**
|
|
3
|
+
* Finds the first line matching `pattern`. Matching runs against `searchContent`
|
|
4
|
+
* (which may have comments masked out), while the returned evidence is taken from
|
|
5
|
+
* `displayContent` so the user still sees the real source line.
|
|
6
|
+
*/
|
|
7
|
+
export declare function findMatchingLine(searchContent: string, pattern: RegExp, displayContent?: string): {
|
|
3
8
|
line: number;
|
|
4
9
|
evidence: string;
|
|
5
10
|
} | undefined;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"match-evidence.d.ts","sourceRoot":"","sources":["../../src/analyzers/match-evidence.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,mBAAmB,MAAM,CAAC;AAEvC,wBAAgB,gBAAgB,CAC9B,
|
|
1
|
+
{"version":3,"file":"match-evidence.d.ts","sourceRoot":"","sources":["../../src/analyzers/match-evidence.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,mBAAmB,MAAM,CAAC;AAEvC;;;;GAIG;AACH,wBAAgB,gBAAgB,CAC9B,aAAa,EAAE,MAAM,EACrB,OAAO,EAAE,MAAM,EACf,cAAc,GAAE,MAAsB,GACrC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG,SAAS,CAchD"}
|
|
@@ -1,12 +1,19 @@
|
|
|
1
1
|
export const MAX_EVIDENCE_LENGTH = 120;
|
|
2
|
-
|
|
3
|
-
|
|
2
|
+
/**
|
|
3
|
+
* Finds the first line matching `pattern`. Matching runs against `searchContent`
|
|
4
|
+
* (which may have comments masked out), while the returned evidence is taken from
|
|
5
|
+
* `displayContent` so the user still sees the real source line.
|
|
6
|
+
*/
|
|
7
|
+
export function findMatchingLine(searchContent, pattern, displayContent = searchContent) {
|
|
8
|
+
const lines = searchContent.split('\n');
|
|
9
|
+
const displayLines = displayContent.split('\n');
|
|
4
10
|
for (let i = 0; i < lines.length; i++) {
|
|
5
11
|
pattern.lastIndex = 0;
|
|
6
12
|
if (pattern.test(lines[i])) {
|
|
13
|
+
const source = displayLines[i] ?? lines[i];
|
|
7
14
|
return {
|
|
8
15
|
line: i + 1,
|
|
9
|
-
evidence:
|
|
16
|
+
evidence: source.trim().slice(0, MAX_EVIDENCE_LENGTH),
|
|
10
17
|
};
|
|
11
18
|
}
|
|
12
19
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"match-evidence.js","sourceRoot":"","sources":["../../src/analyzers/match-evidence.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,mBAAmB,GAAG,GAAG,CAAC;AAEvC,MAAM,UAAU,gBAAgB,CAC9B,OAAe,EACf,
|
|
1
|
+
{"version":3,"file":"match-evidence.js","sourceRoot":"","sources":["../../src/analyzers/match-evidence.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,mBAAmB,GAAG,GAAG,CAAC;AAEvC;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAC9B,aAAqB,EACrB,OAAe,EACf,iBAAyB,aAAa;IAEtC,MAAM,KAAK,GAAG,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACxC,MAAM,YAAY,GAAG,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAChD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QACtB,IAAI,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAE,CAAC;YAC5C,OAAO;gBACL,IAAI,EAAE,CAAC,GAAG,CAAC;gBACX,QAAQ,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,mBAAmB,CAAC;aACtD,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"source-analyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/source-analyzer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;
|
|
1
|
+
{"version":3,"file":"source-analyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/source-analyzer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAkB/D,qBAAa,cAAe,YAAW,QAAQ;IAC7C,QAAQ,CAAC,EAAE,YAAY;IAEvB,QAAQ,IAAI,OAAO;IAIb,OAAO,CAAC,GAAG,EAAE,eAAe;CAwDnC"}
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
import { createFinding } from '../domain/finding.js';
|
|
2
2
|
import { POPULAR_NPM_PACKAGES, SUSPICIOUS_TLDS } from './rules/index.js';
|
|
3
|
+
import { isSuspiciousTyposquatCandidate } from './typosquat.js';
|
|
3
4
|
function levenshtein(a, b) {
|
|
4
5
|
const matrix = [];
|
|
5
6
|
for (let i = 0; i <= b.length; i++)
|
|
@@ -52,17 +53,19 @@ export class SourceAnalyzer {
|
|
|
52
53
|
}
|
|
53
54
|
if (target.ecosystem === 'npm' && metadata.name) {
|
|
54
55
|
const pkgName = metadata.name.toLowerCase();
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
56
|
+
if (isSuspiciousTyposquatCandidate(metadata)) {
|
|
57
|
+
for (const popular of POPULAR_NPM_PACKAGES) {
|
|
58
|
+
if (pkgName !== popular) {
|
|
59
|
+
const distance = levenshtein(pkgName, popular);
|
|
60
|
+
if (distance > 0 && distance <= 2) {
|
|
61
|
+
findings.push(createFinding({
|
|
62
|
+
category: 'source',
|
|
63
|
+
severity: 'CRITICAL',
|
|
64
|
+
title: 'Possible typosquatting',
|
|
65
|
+
description: `Package name "${pkgName}" is similar to popular package "${popular}" (distance: ${distance})`,
|
|
66
|
+
ruleId: 'typosquatting',
|
|
67
|
+
}));
|
|
68
|
+
}
|
|
66
69
|
}
|
|
67
70
|
}
|
|
68
71
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"source-analyzer.js","sourceRoot":"","sources":["../../src/analyzers/source-analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAErD,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;
|
|
1
|
+
{"version":3,"file":"source-analyzer.js","sourceRoot":"","sources":["../../src/analyzers/source-analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAErD,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACzE,OAAO,EAAE,8BAA8B,EAAE,MAAM,gBAAgB,CAAC;AAEhE,SAAS,WAAW,CAAC,CAAS,EAAE,CAAS;IACvC,MAAM,MAAM,GAAe,EAAE,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACpD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,MAAM,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACtD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACnC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACnC,MAAM,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;gBACnC,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAE,CAAC,CAAC,GAAG,CAAC,CAAE;gBACxB,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAE,CAAC,CAAC,GAAG,CAAC,CAAE,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC,CAAE,CAAC,CAAC,GAAG,CAAC,CAAE,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC,GAAG,CAAC,CAAE,CAAC,CAAC,CAAE,GAAG,CAAC,CAAC,CAAC;QAC3F,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC,CAAC,CAAC,MAAM,CAAE,CAAC,CAAC,CAAC,MAAM,CAAE,CAAC;AACtC,CAAC;AAED,MAAM,OAAO,cAAc;IAChB,EAAE,GAAG,QAAQ,CAAC;IAEvB,QAAQ;QACN,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAoB;QAChC,MAAM,QAAQ,GAAG,EAAE,CAAC;QACpB,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,QAAQ,CAAC;QAC1C,MAAM,SAAS,GAAG,QAAQ,CAAC,SAAS,IAAI,QAAQ,CAAC,UAAU,IAAI,QAAQ,CAAC,QAAQ,CAAC;QAEjF,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,WAAW,GAAG,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,cAAc,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAE7G,IAAI,CAAC,WAAW,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBACtD,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;oBAC1B,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,kBAAkB;oBACzB,WAAW,EAAE,kCAAkC,SAAS,EAAE;oBAC1D,MAAM,EAAE,WAAW;iBACpB,CAAC,CAAC,CAAC;YACN,CAAC;YAED,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,KAAK,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;oBAClC,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;wBAC5B,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;4BAC1B,QAAQ,EAAE,QAAQ;4BAClB,QAAQ,EAAE,MAAM;4BAChB,KAAK,EAAE,gBAAgB;4BACvB,WAAW,EAAE,4CAA4C,GAAG,EAAE;4BAC9D,MAAM,EAAE,gBAAgB;4BACxB,QAAQ,EAAE,SAAS;yBACpB,CAAC,CAAC,CAAC;oBACN,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,MAAM,CAAC,SAAS,KAAK,KAAK,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;YAChD,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YAC5C,IAAI,8BAA8B,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC7C,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;oBAC3C,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;wBACxB,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;wBAC/C,IAAI,QAAQ,GAAG,CAAC,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;4BAClC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;gCAC1B,QAAQ,EAAE,QAAQ;gCAClB,QAAQ,EAAE,UAAU;gCACpB,KAAK,EAAE,wBAAwB;gCAC/B,WAAW,EAAE,iBAAiB,OAAO,oCAAoC,OAAO,gBAAgB,QAAQ,GAAG;gCAC3G,MAAM,EAAE,eAAe;6BACxB,CAAC,CAAC,CAAC;wBACN,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"static-code-analyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/static-code-analyzer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;
|
|
1
|
+
{"version":3,"file":"static-code-analyzer.d.ts","sourceRoot":"","sources":["../../src/analyzers/static-code-analyzer.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAoB/D,qBAAa,kBAAmB,YAAW,QAAQ;IACjD,QAAQ,CAAC,EAAE,iBAAiB;IAE5B,QAAQ,CAAC,GAAG,EAAE,eAAe,GAAG,OAAO;IAIjC,OAAO,CAAC,GAAG,EAAE,eAAe;CAqDnC"}
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
import { createFinding } from '../domain/finding.js';
|
|
2
2
|
import { findMatchingLine } from './match-evidence.js';
|
|
3
|
+
import { stripComments } from './strip-comments.js';
|
|
3
4
|
import { DANGEROUS_API_RULES, OBFUSCATION_RULES } from './rules/index.js';
|
|
4
5
|
const CODE_EXTENSIONS = ['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs', '.py', '.go', '.rs', '.sh', '.bash', '.lua'];
|
|
5
6
|
function calculateEntropy(content) {
|
|
@@ -23,10 +24,11 @@ export class StaticCodeAnalyzer {
|
|
|
23
24
|
const findings = [];
|
|
24
25
|
const codeFiles = ctx.artifact.files.filter((f) => CODE_EXTENSIONS.some((ext) => f.path.endsWith(ext)));
|
|
25
26
|
for (const file of codeFiles) {
|
|
27
|
+
const codeOnly = stripComments(file.content, file.path);
|
|
26
28
|
for (const rule of [...DANGEROUS_API_RULES, ...OBFUSCATION_RULES]) {
|
|
27
29
|
rule.pattern.lastIndex = 0;
|
|
28
|
-
if (rule.pattern.test(
|
|
29
|
-
const match = findMatchingLine(
|
|
30
|
+
if (rule.pattern.test(codeOnly)) {
|
|
31
|
+
const match = findMatchingLine(codeOnly, rule.pattern, file.content);
|
|
30
32
|
findings.push(createFinding({
|
|
31
33
|
category: 'static-code',
|
|
32
34
|
severity: rule.severity,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"static-code-analyzer.js","sourceRoot":"","sources":["../../src/analyzers/static-code-analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAErD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAE1E,MAAM,eAAe,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;AAEpH,SAAS,gBAAgB,CAAC,OAAe;IACvC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;QAC3B,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC;QACjC,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,OAAO,kBAAkB;IACpB,EAAE,GAAG,aAAa,CAAC;IAE5B,QAAQ,CAAC,GAAoB;QAC3B,OAAO,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAC7F,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAoB;QAChC,MAAM,QAAQ,GAAG,EAAE,CAAC;QACpB,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAChD,eAAe,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CACpD,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,KAAK,MAAM,IAAI,IAAI,CAAC,GAAG,mBAAmB,EAAE,GAAG,iBAAiB,CAAC,EAAE,CAAC;gBAClE,IAAI,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBAC3B,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,
|
|
1
|
+
{"version":3,"file":"static-code-analyzer.js","sourceRoot":"","sources":["../../src/analyzers/static-code-analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAErD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AACvD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAE1E,MAAM,eAAe,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;AAEpH,SAAS,gBAAgB,CAAC,OAAe;IACvC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE,CAAC;QAC3B,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5C,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC;QACjC,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,OAAO,kBAAkB;IACpB,EAAE,GAAG,aAAa,CAAC;IAE5B,QAAQ,CAAC,GAAoB;QAC3B,OAAO,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAC7F,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,GAAoB;QAChC,MAAM,QAAQ,GAAG,EAAE,CAAC;QACpB,MAAM,SAAS,GAAG,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAChD,eAAe,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CACpD,CAAC;QAEF,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;YAExD,KAAK,MAAM,IAAI,IAAI,CAAC,GAAG,mBAAmB,EAAE,GAAG,iBAAiB,CAAC,EAAE,CAAC;gBAClE,IAAI,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBAC3B,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAChC,MAAM,KAAK,GAAG,gBAAgB,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;oBAErE,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;wBAC1B,QAAQ,EAAE,aAAa;wBACvB,QAAQ,EAAE,IAAI,CAAC,QAAQ;wBACvB,KAAK,EAAE,IAAI,CAAC,KAAK;wBACjB,WAAW,EAAE,IAAI,CAAC,WAAW;wBAC7B,MAAM,EAAE,IAAI,CAAC,EAAE;wBACf,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,IAAI,EAAE,KAAK,EAAE,IAAI;wBACjB,QAAQ,EAAE,KAAK,EAAE,QAAQ;qBAC1B,CAAC,CAAC,CAAC;gBACN,CAAC;YACH,CAAC;YAED,IAAI,IAAI,CAAC,IAAI,GAAG,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;gBAChE,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;oBAC1B,QAAQ,EAAE,aAAa;oBACvB,QAAQ,EAAE,QAAQ;oBAClB,KAAK,EAAE,qBAAqB;oBAC5B,WAAW,EAAE,QAAQ,IAAI,CAAC,IAAI,sBAAsB,IAAI,CAAC,IAAI,oBAAoB;oBACjF,MAAM,EAAE,UAAU;oBAClB,IAAI,EAAE,IAAI,CAAC,IAAI;iBAChB,CAAC,CAAC,CAAC;YACN,CAAC;YAED,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;YAC/D,IAAI,OAAO,GAAG,GAAG,IAAI,IAAI,CAAC,IAAI,GAAG,IAAI,EAAE,CAAC;gBACtC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC;oBAC1B,QAAQ,EAAE,aAAa;oBACvB,QAAQ,EAAE,QAAQ;oBAClB,KAAK,EAAE,sBAAsB;oBAC7B,WAAW,EAAE,QAAQ,IAAI,CAAC,IAAI,sBAAsB,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,0BAA0B;oBAChG,MAAM,EAAE,cAAc;oBACtB,IAAI,EAAE,IAAI,CAAC,IAAI;iBAChB,CAAC,CAAC,CAAC;YACN,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Replaces comment content with spaces while preserving newlines, string
|
|
3
|
+
* literals, and overall character positions. Line numbers and column offsets
|
|
4
|
+
* stay intact so findings still map to the right source location.
|
|
5
|
+
*
|
|
6
|
+
* String-aware: a `//` inside "http://..." is NOT treated as a comment.
|
|
7
|
+
*/
|
|
8
|
+
export declare function stripComments(content: string, path: string): string;
|
|
9
|
+
//# sourceMappingURL=strip-comments.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"strip-comments.d.ts","sourceRoot":"","sources":["../../src/analyzers/strip-comments.ts"],"names":[],"mappings":"AAcA;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAmEnE"}
|
|
@@ -0,0 +1,86 @@
|
|
|
1
|
+
const C_STYLE_EXTENSIONS = ['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs', '.go', '.rs'];
|
|
2
|
+
const HASH_STYLE_EXTENSIONS = ['.py', '.sh', '.bash', '.zsh'];
|
|
3
|
+
const LUA_STYLE_EXTENSIONS = ['.lua'];
|
|
4
|
+
function commentStyleFor(path) {
|
|
5
|
+
const lower = path.toLowerCase();
|
|
6
|
+
if (C_STYLE_EXTENSIONS.some((ext) => lower.endsWith(ext)))
|
|
7
|
+
return 'c';
|
|
8
|
+
if (HASH_STYLE_EXTENSIONS.some((ext) => lower.endsWith(ext)))
|
|
9
|
+
return 'hash';
|
|
10
|
+
if (LUA_STYLE_EXTENSIONS.some((ext) => lower.endsWith(ext)))
|
|
11
|
+
return 'lua';
|
|
12
|
+
return undefined;
|
|
13
|
+
}
|
|
14
|
+
/**
|
|
15
|
+
* Replaces comment content with spaces while preserving newlines, string
|
|
16
|
+
* literals, and overall character positions. Line numbers and column offsets
|
|
17
|
+
* stay intact so findings still map to the right source location.
|
|
18
|
+
*
|
|
19
|
+
* String-aware: a `//` inside "http://..." is NOT treated as a comment.
|
|
20
|
+
*/
|
|
21
|
+
export function stripComments(content, path) {
|
|
22
|
+
const style = commentStyleFor(path);
|
|
23
|
+
if (!style)
|
|
24
|
+
return content;
|
|
25
|
+
const out = [];
|
|
26
|
+
let i = 0;
|
|
27
|
+
const n = content.length;
|
|
28
|
+
const isLineComment = (idx) => {
|
|
29
|
+
if (style === 'c' && content[idx] === '/' && content[idx + 1] === '/')
|
|
30
|
+
return 2;
|
|
31
|
+
if (style === 'hash' && content[idx] === '#')
|
|
32
|
+
return 1;
|
|
33
|
+
if (style === 'lua' && content[idx] === '-' && content[idx + 1] === '-')
|
|
34
|
+
return 2;
|
|
35
|
+
return 0;
|
|
36
|
+
};
|
|
37
|
+
while (i < n) {
|
|
38
|
+
const ch = content[i];
|
|
39
|
+
// String literals - copy verbatim, respecting escapes.
|
|
40
|
+
if (ch === '"' || ch === "'" || (style === 'c' && ch === '`')) {
|
|
41
|
+
const quote = ch;
|
|
42
|
+
out.push(ch);
|
|
43
|
+
i++;
|
|
44
|
+
while (i < n) {
|
|
45
|
+
const c = content[i];
|
|
46
|
+
out.push(c === '\n' ? '\n' : c);
|
|
47
|
+
if (c === '\\') {
|
|
48
|
+
if (i + 1 < n) {
|
|
49
|
+
out.push(content[i + 1] === '\n' ? '\n' : content[i + 1]);
|
|
50
|
+
i += 2;
|
|
51
|
+
continue;
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
i++;
|
|
55
|
+
if (c === quote)
|
|
56
|
+
break;
|
|
57
|
+
}
|
|
58
|
+
continue;
|
|
59
|
+
}
|
|
60
|
+
// C-style block comment.
|
|
61
|
+
if (style === 'c' && ch === '/' && content[i + 1] === '*') {
|
|
62
|
+
while (i < n && !(content[i] === '*' && content[i + 1] === '/')) {
|
|
63
|
+
out.push(content[i] === '\n' ? '\n' : ' ');
|
|
64
|
+
i++;
|
|
65
|
+
}
|
|
66
|
+
if (i < n) {
|
|
67
|
+
out.push(' ');
|
|
68
|
+
i += 2;
|
|
69
|
+
}
|
|
70
|
+
continue;
|
|
71
|
+
}
|
|
72
|
+
// Line comment - blank out to end of line.
|
|
73
|
+
const lineCommentLen = isLineComment(i);
|
|
74
|
+
if (lineCommentLen > 0) {
|
|
75
|
+
while (i < n && content[i] !== '\n') {
|
|
76
|
+
out.push(' ');
|
|
77
|
+
i++;
|
|
78
|
+
}
|
|
79
|
+
continue;
|
|
80
|
+
}
|
|
81
|
+
out.push(ch);
|
|
82
|
+
i++;
|
|
83
|
+
}
|
|
84
|
+
return out.join('');
|
|
85
|
+
}
|
|
86
|
+
//# sourceMappingURL=strip-comments.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"strip-comments.js","sourceRoot":"","sources":["../../src/analyzers/strip-comments.ts"],"names":[],"mappings":"AAEA,MAAM,kBAAkB,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;AACxF,MAAM,qBAAqB,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;AAC9D,MAAM,oBAAoB,GAAG,CAAC,MAAM,CAAC,CAAC;AAEtC,SAAS,eAAe,CAAC,IAAY;IACnC,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,IAAI,kBAAkB,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAAE,OAAO,GAAG,CAAC;IACtE,IAAI,qBAAqB,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAAE,OAAO,MAAM,CAAC;IAC5E,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IAC1E,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,OAAe,EAAE,IAAY;IACzD,MAAM,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACpC,IAAI,CAAC,KAAK;QAAE,OAAO,OAAO,CAAC;IAE3B,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,MAAM,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;IAEzB,MAAM,aAAa,GAAG,CAAC,GAAW,EAAU,EAAE;QAC5C,IAAI,KAAK,KAAK,GAAG,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,GAAG;YAAE,OAAO,CAAC,CAAC;QAChF,IAAI,KAAK,KAAK,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG;YAAE,OAAO,CAAC,CAAC;QACvD,IAAI,KAAK,KAAK,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,GAAG;YAAE,OAAO,CAAC,CAAC;QAClF,OAAO,CAAC,CAAC;IACX,CAAC,CAAC;IAEF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACb,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC;QAEvB,uDAAuD;QACvD,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG,IAAI,CAAC,KAAK,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG,CAAC,EAAE,CAAC;YAC9D,MAAM,KAAK,GAAG,EAAE,CAAC;YACjB,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACb,CAAC,EAAE,CAAC;YACJ,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;gBACb,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC;gBACtB,GAAG,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAChC,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;oBACf,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;wBACd,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAE,CAAC,CAAC;wBAC3D,CAAC,IAAI,CAAC,CAAC;wBACP,SAAS;oBACX,CAAC;gBACH,CAAC;gBACD,CAAC,EAAE,CAAC;gBACJ,IAAI,CAAC,KAAK,KAAK;oBAAE,MAAM;YACzB,CAAC;YACD,SAAS;QACX,CAAC;QAED,yBAAyB;QACzB,IAAI,KAAK,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG,IAAI,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YAC1D,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;gBAChE,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;gBAC3C,CAAC,EAAE,CAAC;YACN,CAAC;YACD,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBACV,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACf,CAAC,IAAI,CAAC,CAAC;YACT,CAAC;YACD,SAAS;QACX,CAAC;QAED,2CAA2C;QAC3C,MAAM,cAAc,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;QACxC,IAAI,cAAc,GAAG,CAAC,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBACpC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACd,CAAC,EAAE,CAAC;YACN,CAAC;YACD,SAAS;QACX,CAAC;QAED,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACb,CAAC,EAAE,CAAC;IACN,CAAC;IAED,OAAO,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AACtB,CAAC"}
|
|
@@ -1,2 +1,9 @@
|
|
|
1
|
+
import type { Finding } from '../domain/finding.js';
|
|
1
2
|
export declare function isTestPath(filePath: string): boolean;
|
|
3
|
+
/**
|
|
4
|
+
* Whether a finding is worth surfacing when it lives in a test/fixture file.
|
|
5
|
+
* Leaked secrets and explicit malware signatures qualify; benign dev-pattern
|
|
6
|
+
* findings (shell APIs, dynamic imports, etc.) do not.
|
|
7
|
+
*/
|
|
8
|
+
export declare function isTestRelevantFinding(finding: Finding): boolean;
|
|
2
9
|
//# sourceMappingURL=test-path.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"test-path.d.ts","sourceRoot":"","sources":["../../src/analyzers/test-path.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"test-path.d.ts","sourceRoot":"","sources":["../../src/analyzers/test-path.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AA4DpD,wBAAgB,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAYpD;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAI/D"}
|
|
@@ -11,6 +11,39 @@ const TEST_DIR_SEGMENTS = new Set([
|
|
|
11
11
|
'e2e',
|
|
12
12
|
'mocks',
|
|
13
13
|
'testdata',
|
|
14
|
+
'test_runner',
|
|
15
|
+
'test-runner',
|
|
16
|
+
'testing',
|
|
17
|
+
]);
|
|
18
|
+
/**
|
|
19
|
+
* Rule IDs that stay meaningful inside test/fixture code. Everyday dev patterns
|
|
20
|
+
* (child_process, spawn, eval, dynamic import, ...) are expected in tests and
|
|
21
|
+
* are NOT flagged there - but malware loves to hide in fixtures, so we keep the
|
|
22
|
+
* unambiguous attack signatures: remote payload delivery, miners, packed
|
|
23
|
+
* binaries, exfiltration/C2 channels, and prompt-injection attacks.
|
|
24
|
+
*/
|
|
25
|
+
const TEST_MALWARE_RULE_IDS = new Set([
|
|
26
|
+
'curl-pipe',
|
|
27
|
+
'wget-pipe',
|
|
28
|
+
'crypto-miner',
|
|
29
|
+
'packed-upx',
|
|
30
|
+
'discord-webhook',
|
|
31
|
+
'telegram-bot',
|
|
32
|
+
'pastebin',
|
|
33
|
+
'ngrok',
|
|
34
|
+
'cloudflare-tunnel',
|
|
35
|
+
'tor',
|
|
36
|
+
'dynamic-dns',
|
|
37
|
+
'ignore-instructions',
|
|
38
|
+
'system-prompt-extract',
|
|
39
|
+
'tool-escalation',
|
|
40
|
+
'memory-poison',
|
|
41
|
+
'self-update',
|
|
42
|
+
'hidden-goal',
|
|
43
|
+
'jailbreak',
|
|
44
|
+
'recursive-agent',
|
|
45
|
+
'fake-success',
|
|
46
|
+
'activation-phrase',
|
|
14
47
|
]);
|
|
15
48
|
function isTestFileName(name) {
|
|
16
49
|
const lower = name.toLowerCase();
|
|
@@ -29,4 +62,16 @@ export function isTestPath(filePath) {
|
|
|
29
62
|
.slice(0, -1)
|
|
30
63
|
.some((segment) => TEST_DIR_SEGMENTS.has(segment.toLowerCase()));
|
|
31
64
|
}
|
|
65
|
+
/**
|
|
66
|
+
* Whether a finding is worth surfacing when it lives in a test/fixture file.
|
|
67
|
+
* Leaked secrets and explicit malware signatures qualify; benign dev-pattern
|
|
68
|
+
* findings (shell APIs, dynamic imports, etc.) do not.
|
|
69
|
+
*/
|
|
70
|
+
export function isTestRelevantFinding(finding) {
|
|
71
|
+
if (finding.positive)
|
|
72
|
+
return true;
|
|
73
|
+
if (finding.category === 'secret')
|
|
74
|
+
return true;
|
|
75
|
+
return finding.ruleId !== undefined && TEST_MALWARE_RULE_IDS.has(finding.ruleId);
|
|
76
|
+
}
|
|
32
77
|
//# sourceMappingURL=test-path.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"test-path.js","sourceRoot":"","sources":["../../src/analyzers/test-path.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"test-path.js","sourceRoot":"","sources":["../../src/analyzers/test-path.ts"],"names":[],"mappings":"AAEA,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,MAAM;IACN,OAAO;IACP,WAAW;IACX,WAAW;IACX,cAAc;IACd,UAAU;IACV,SAAS;IACT,MAAM;IACN,OAAO;IACP,KAAK;IACL,OAAO;IACP,UAAU;IACV,aAAa;IACb,aAAa;IACb,SAAS;CACV,CAAC,CAAC;AAEH;;;;;;GAMG;AACH,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,WAAW;IACX,WAAW;IACX,cAAc;IACd,YAAY;IACZ,iBAAiB;IACjB,cAAc;IACd,UAAU;IACV,OAAO;IACP,mBAAmB;IACnB,KAAK;IACL,aAAa;IACb,qBAAqB;IACrB,uBAAuB;IACvB,iBAAiB;IACjB,eAAe;IACf,aAAa;IACb,aAAa;IACb,WAAW;IACX,iBAAiB;IACjB,cAAc;IACd,mBAAmB;CACpB,CAAC,CAAC;AAEH,SAAS,cAAc,CAAC,IAAY;IAClC,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,OAAO,CACL,gCAAgC,CAAC,IAAI,CAAC,KAAK,CAAC;QAC5C,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC;QAC/B,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,CAC5B,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,QAAgB;IACzC,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAChD,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IAErD,IAAI,cAAc,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,QAAQ;SACZ,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;SACZ,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,iBAAiB,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;AACrE,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAAgB;IACpD,IAAI,OAAO,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAClC,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC/C,OAAO,OAAO,CAAC,MAAM,KAAK,SAAS,IAAI,qBAAqB,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;AACnF,CAAC"}
|
|
@@ -0,0 +1,4 @@
|
|
|
1
|
+
import type { PackageMetadata } from '../domain/artifact.js';
|
|
2
|
+
export declare function hasTrustedRepository(metadata: PackageMetadata): boolean;
|
|
3
|
+
export declare function isSuspiciousTyposquatCandidate(metadata: PackageMetadata): boolean;
|
|
4
|
+
//# sourceMappingURL=typosquat.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"typosquat.d.ts","sourceRoot":"","sources":["../../src/analyzers/typosquat.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAe7D,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,eAAe,GAAG,OAAO,CAIvE;AAED,wBAAgB,8BAA8B,CAAC,QAAQ,EAAE,eAAe,GAAG,OAAO,CA4BjF"}
|
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
const MS_PER_DAY = 1000 * 60 * 60 * 24;
|
|
2
|
+
const NEW_PACKAGE_DAYS = 30;
|
|
3
|
+
const LOW_DOWNLOAD_THRESHOLD = 100;
|
|
4
|
+
const ESTABLISHED_DOWNLOAD_THRESHOLD = 10_000;
|
|
5
|
+
const TRUSTED_REPO_PREFIXES = [
|
|
6
|
+
'https://github.com/nodejs/',
|
|
7
|
+
'https://github.com/expressjs/',
|
|
8
|
+
'https://github.com/lodash/',
|
|
9
|
+
'https://github.com/facebook/',
|
|
10
|
+
'https://github.com/vercel/',
|
|
11
|
+
];
|
|
12
|
+
export function hasTrustedRepository(metadata) {
|
|
13
|
+
const repo = (metadata.repository ?? metadata.homepage ?? '').toLowerCase();
|
|
14
|
+
if (!repo)
|
|
15
|
+
return false;
|
|
16
|
+
return TRUSTED_REPO_PREFIXES.some((prefix) => repo.includes(prefix));
|
|
17
|
+
}
|
|
18
|
+
export function isSuspiciousTyposquatCandidate(metadata) {
|
|
19
|
+
if (metadata.verifiedPublisher)
|
|
20
|
+
return false;
|
|
21
|
+
if (hasTrustedRepository(metadata))
|
|
22
|
+
return false;
|
|
23
|
+
const firstPublish = metadata.firstPublishDate ?? metadata.publishDate;
|
|
24
|
+
if (firstPublish) {
|
|
25
|
+
const daysOld = (Date.now() - new Date(firstPublish).getTime()) / MS_PER_DAY;
|
|
26
|
+
if (daysOld >= 365)
|
|
27
|
+
return false;
|
|
28
|
+
}
|
|
29
|
+
if (metadata.downloadCount !== undefined && metadata.downloadCount >= ESTABLISHED_DOWNLOAD_THRESHOLD) {
|
|
30
|
+
return false;
|
|
31
|
+
}
|
|
32
|
+
if (firstPublish) {
|
|
33
|
+
const daysOld = (Date.now() - new Date(firstPublish).getTime()) / MS_PER_DAY;
|
|
34
|
+
if (daysOld < NEW_PACKAGE_DAYS)
|
|
35
|
+
return true;
|
|
36
|
+
}
|
|
37
|
+
if (metadata.downloadCount !== undefined && metadata.downloadCount < LOW_DOWNLOAD_THRESHOLD) {
|
|
38
|
+
return true;
|
|
39
|
+
}
|
|
40
|
+
if (!metadata.repository && !metadata.homepage) {
|
|
41
|
+
return true;
|
|
42
|
+
}
|
|
43
|
+
return false;
|
|
44
|
+
}
|
|
45
|
+
//# sourceMappingURL=typosquat.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"typosquat.js","sourceRoot":"","sources":["../../src/analyzers/typosquat.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,GAAG,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;AACvC,MAAM,gBAAgB,GAAG,EAAE,CAAC;AAC5B,MAAM,sBAAsB,GAAG,GAAG,CAAC;AACnC,MAAM,8BAA8B,GAAG,MAAM,CAAC;AAE9C,MAAM,qBAAqB,GAAG;IAC5B,4BAA4B;IAC5B,+BAA+B;IAC/B,4BAA4B;IAC5B,8BAA8B;IAC9B,4BAA4B;CAC7B,CAAC;AAEF,MAAM,UAAU,oBAAoB,CAAC,QAAyB;IAC5D,MAAM,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,IAAI,QAAQ,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC5E,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,OAAO,qBAAqB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AACvE,CAAC;AAED,MAAM,UAAU,8BAA8B,CAAC,QAAyB;IACtE,IAAI,QAAQ,CAAC,iBAAiB;QAAE,OAAO,KAAK,CAAC;IAC7C,IAAI,oBAAoB,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAC;IAEjD,MAAM,YAAY,GAAG,QAAQ,CAAC,gBAAgB,IAAI,QAAQ,CAAC,WAAW,CAAC;IACvE,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,GAAG,UAAU,CAAC;QAC7E,IAAI,OAAO,IAAI,GAAG;YAAE,OAAO,KAAK,CAAC;IACnC,CAAC;IAED,IAAI,QAAQ,CAAC,aAAa,KAAK,SAAS,IAAI,QAAQ,CAAC,aAAa,IAAI,8BAA8B,EAAE,CAAC;QACrG,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC,GAAG,UAAU,CAAC;QAC7E,IAAI,OAAO,GAAG,gBAAgB;YAAE,OAAO,IAAI,CAAC;IAC9C,CAAC;IAED,IAAI,QAAQ,CAAC,aAAa,KAAK,SAAS,IAAI,QAAQ,CAAC,aAAa,GAAG,sBAAsB,EAAE,CAAC;QAC5F,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,UAAU,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}
|
package/dist/cli/index.js
CHANGED
|
@@ -66,15 +66,16 @@ program
|
|
|
66
66
|
.option('--json', 'Output the full verification report as JSON (machine-readable)')
|
|
67
67
|
.option('--markdown', 'Output the report as Markdown')
|
|
68
68
|
.option('--policy <file>', 'Path to a JSON policy file (overrides default thresholds and lists)')
|
|
69
|
-
.option('--score-tests', '
|
|
69
|
+
.option('--score-tests', 'Scan test/fixture files with the full ruleset (default: secrets and malware only)')
|
|
70
70
|
.addHelpText('after', `${VERIFY_EXAMPLES}
|
|
71
71
|
Options (default output is a colored terminal report):
|
|
72
72
|
--json Structured JSON with findings, risk, policy, permissions, evidence
|
|
73
73
|
--markdown Markdown table suitable for docs or PR comments
|
|
74
74
|
--policy Custom policy: blockThreshold, warnThreshold, minConfidence,
|
|
75
75
|
trustedPublishers, corporateWhitelist, corporateBlacklist, etc.
|
|
76
|
-
--score-tests
|
|
77
|
-
|
|
76
|
+
--score-tests Scan test/fixture files with the full production ruleset.
|
|
77
|
+
By default tests are only checked for leaked secrets and
|
|
78
|
+
malware signatures (curl|bash, miners, exfiltration, etc.)
|
|
78
79
|
|
|
79
80
|
${TARGET_TYPES_HELP}`)
|
|
80
81
|
.action(async (type, target, opts) => {
|
|
@@ -109,13 +110,14 @@ program
|
|
|
109
110
|
.option('--json', 'Output the verification report as JSON instead of terminal format')
|
|
110
111
|
.option('--yes', 'Auto-approve installation after verification (cannot override BLOCK)')
|
|
111
112
|
.option('--policy <file>', 'Path to a JSON policy file (overrides default thresholds and lists)')
|
|
112
|
-
.option('--score-tests', '
|
|
113
|
+
.option('--score-tests', 'Scan test/fixture files with the full ruleset (default: secrets and malware only)')
|
|
113
114
|
.addHelpText('after', `${INSTALL_EXAMPLES}
|
|
114
115
|
Options:
|
|
115
116
|
--json Output report as JSON (terminal format is default)
|
|
116
117
|
--yes Skip the interactive [y/N] approval prompt when policy allows it
|
|
117
118
|
--policy Custom policy file (same fields as verify --policy)
|
|
118
|
-
--score-tests
|
|
119
|
+
--score-tests Scan test/fixture files with the full production ruleset
|
|
120
|
+
(default: tests checked only for secrets and malware)
|
|
119
121
|
|
|
120
122
|
Install behavior by ecosystem:
|
|
121
123
|
npm npm install <name> --ignore-scripts
|
package/dist/cli/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAGtD,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE5C,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,MAAM,iBAAiB,GAAG;;;;;;;;;;;CAWzB,CAAC;AAEF,MAAM,eAAe,GAAG;;;;;;;;;;CAUvB,CAAC;AAEF,MAAM,gBAAgB,GAAG;;;;;;;;;;;;;CAaxB,CAAC;AAEF,OAAO;KACJ,IAAI,CAAC,UAAU,CAAC;KAChB,WAAW,CAAC,sEAAsE,CAAC;KACnF,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,OAAO,EAAE;;;;;;;;;;;EAWtB,iBAAiB,EAAE,CAAC,CAAC;AAEvB,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,yEAAyE,CAAC;KACtF,QAAQ,CAAC,QAAQ,EAAE,gDAAgD,CAAC;KACpE,QAAQ,CAAC,UAAU,EAAE,8CAA8C,CAAC;KACpE,MAAM,CAAC,QAAQ,EAAE,gEAAgE,CAAC;KAClF,MAAM,CAAC,YAAY,EAAE,+BAA+B,CAAC;KACrD,MAAM,CAAC,iBAAiB,EAAE,qEAAqE,CAAC;KAChG,MAAM,CAAC,eAAe,EAAE,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAGtD,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE5C,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,MAAM,iBAAiB,GAAG;;;;;;;;;;;CAWzB,CAAC;AAEF,MAAM,eAAe,GAAG;;;;;;;;;;CAUvB,CAAC;AAEF,MAAM,gBAAgB,GAAG;;;;;;;;;;;;;CAaxB,CAAC;AAEF,OAAO;KACJ,IAAI,CAAC,UAAU,CAAC;KAChB,WAAW,CAAC,sEAAsE,CAAC;KACnF,OAAO,CAAC,OAAO,CAAC;KAChB,WAAW,CAAC,OAAO,EAAE;;;;;;;;;;;EAWtB,iBAAiB,EAAE,CAAC,CAAC;AAEvB,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,yEAAyE,CAAC;KACtF,QAAQ,CAAC,QAAQ,EAAE,gDAAgD,CAAC;KACpE,QAAQ,CAAC,UAAU,EAAE,8CAA8C,CAAC;KACpE,MAAM,CAAC,QAAQ,EAAE,gEAAgE,CAAC;KAClF,MAAM,CAAC,YAAY,EAAE,+BAA+B,CAAC;KACrD,MAAM,CAAC,iBAAiB,EAAE,qEAAqE,CAAC;KAChG,MAAM,CAAC,eAAe,EAAE,mFAAmF,CAAC;KAC5G,WAAW,CAAC,OAAO,EAAE,GAAG,eAAe;;;;;;;;;;EAUxC,iBAAiB,EAAE,CAAC;KACnB,MAAM,CAAC,KAAK,EAAE,IAAY,EAAE,MAAc,EAAE,IAAmF,EAAE,EAAE;IAClI,IAAI,CAAC;QACH,MAAM,MAAM,GAAiB,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC;QAC1F,MAAM,YAAY,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAC7E,MAAM,QAAQ,GAAG,qBAAqB,CAAC,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,EAAE,CAAC,CAAC;QAE/E,MAAM,OAAO,GAAG,YAAY,CAAC,aAAa,IAAI,IAAI,MAAM,KAAK,CAAC,CAAC;QAC/D,IAAI,MAAM,CAAC;QACX,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC/C,CAAC;gBAAS,CAAC;YACT,OAAO,CAAC,IAAI,EAAE,CAAC;QACjB,CAAC;QACD,MAAM,MAAM,GAAG,QAAQ,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACvD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAEpB,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACvC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;QAC7F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,OAAO;KACJ,OAAO,CAAC,SAAS,CAAC;KAClB,WAAW,CAAC,sEAAsE,CAAC;KACnF,QAAQ,CAAC,QAAQ,EAAE,gDAAgD,CAAC;KACpE,QAAQ,CAAC,UAAU,EAAE,8CAA8C,CAAC;KACpE,MAAM,CAAC,QAAQ,EAAE,mEAAmE,CAAC;KACrF,MAAM,CAAC,OAAO,EAAE,sEAAsE,CAAC;KACvF,MAAM,CAAC,iBAAiB,EAAE,qEAAqE,CAAC;KAChG,MAAM,CAAC,eAAe,EAAE,mFAAmF,CAAC;KAC5G,WAAW,CAAC,OAAO,EAAE,GAAG,gBAAgB;;;;;;;;;;;;;;EAczC,iBAAiB,EAAE,CAAC;KACnB,MAAM,CAAC,KAAK,EAAE,IAAY,EAAE,MAAc,EAAE,IAA8E,EAAE,EAAE;IAC7H,IAAI,CAAC;QACH,MAAM,MAAM,GAAiB,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC;QAC7D,MAAM,YAAY,GAAG,MAAM,mBAAmB,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QAC7E,MAAM,QAAQ,GAAG,qBAAqB,CAAC;YACrC,YAAY;YACZ,YAAY,EAAE,MAAM;YACpB,WAAW,EAAE,IAAI,CAAC,GAAG;SACtB,CAAC,CAAC;QAEH,MAAM,OAAO,GAAG,YAAY,CAAC,aAAa,IAAI,IAAI,MAAM,KAAK,CAAC,CAAC;QAC/D,IAAI,cAAc,GAAG,KAAK,CAAC;QAC3B,MAAM,WAAW,GAAG,GAAS,EAAE;YAC7B,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,OAAO,CAAC,IAAI,EAAE,CAAC;gBACf,cAAc,GAAG,IAAI,CAAC;YACxB,CAAC;QACH,CAAC,CAAC;QACF,IAAI,MAAM,CAAC;QACX,IAAI,CAAC;YACH,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC,CAAC;QAC7E,CAAC;gBAAS,CAAC;YACT,WAAW,EAAE,CAAC;QAChB,CAAC;QACD,MAAM,MAAM,GAAG,QAAQ,CAAC,cAAc,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAEpB,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YAChD,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAClE,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IAClD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;QAC7F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,KAAK,UAAU,cAAc,CAAC,IAAY;IACxC,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC9C,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAA0B,CAAC;AACtD,CAAC;AAED,KAAK,UAAU,mBAAmB,CAChC,UAA8B,EAC9B,UAA+B;IAE/B,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,MAAM,cAAc,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC3E,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,QAAQ,CAAC;IAClB,CAAC;IACD,OAAO,EAAE,GAAG,QAAQ,EAAE,kBAAkB,EAAE,IAAI,EAAE,CAAC;AACnD,CAAC;AAED,OAAO,CAAC,KAAK,EAAE,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sentinel.d.ts","sourceRoot":"","sources":["../../src/core/sentinel.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG/D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;
|
|
1
|
+
{"version":3,"file":"sentinel.d.ts","sourceRoot":"","sources":["../../src/core/sentinel.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG/D,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AAKzD,OAAO,KAAK,EAAE,YAAY,EAAE,aAAa,EAAgB,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAGzG,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAKhE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,4BAA4B,CAAC;AAGhE,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;IAC5C,QAAQ,CAAC,SAAS,EAAE,QAAQ,EAAE,CAAC;IAC/B,QAAQ,CAAC,YAAY,CAAC,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;IAC9C,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAC;IACxC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC;IACtC,QAAQ,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;CACtC;AAED,qBAAa,QAAQ;IAMP,OAAO,CAAC,QAAQ,CAAC,OAAO;IALpC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAwB;IACvD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAe;IAC5C,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAyB;IACzD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAe;gBAEf,OAAO,EAAE,eAAe;IAO/C,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IA6CzE,OAAO,CAAC,uBAAuB;IA6BzB,OAAO,CACX,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,EACX,OAAO,CAAC,EAAE;QAAE,YAAY,CAAC,EAAE,OAAO,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,IAAI,CAAA;KAAE,GAC5D,OAAO,CAAC,aAAa,CAAC;IAoCzB,cAAc,CAAC,MAAM,EAAE,kBAAkB,EAAE,MAAM,CAAC,EAAE,YAAY,GAAG,MAAM;YAI3D,YAAY;CAmB3B;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE,eAAe,GAAG,QAAQ,CAEjE"}
|
package/dist/core/sentinel.js
CHANGED
|
@@ -1,12 +1,12 @@
|
|
|
1
1
|
import { cleanupArtifact } from '../acquire/acquirer.js';
|
|
2
2
|
import { runAnalyzers } from '../analyzers/analyzer.js';
|
|
3
|
-
import { isTestPath } from '../analyzers/test-path.js';
|
|
3
|
+
import { isTestPath, isTestRelevantFinding } from '../analyzers/test-path.js';
|
|
4
4
|
import { buildPermissionGraph } from './permissions.js';
|
|
5
5
|
import { parseTarget } from '../domain/target.js';
|
|
6
6
|
import { DEFAULT_POLICY } from '../engine/default-policy.js';
|
|
7
7
|
import { assessData, hasMeaningfulMetadata, unverifiableAssessment } from '../engine/data-assessment.js';
|
|
8
8
|
import { PolicyEngine } from '../engine/policy-engine.js';
|
|
9
|
-
import { RiskCalculator
|
|
9
|
+
import { RiskCalculator } from '../engine/risk-calculator.js';
|
|
10
10
|
import { ReportGenerator } from '../report/report-generator.js';
|
|
11
11
|
export class Sentinel {
|
|
12
12
|
options;
|
|
@@ -35,14 +35,13 @@ export class Sentinel {
|
|
|
35
35
|
}
|
|
36
36
|
try {
|
|
37
37
|
const rawFindings = await runAnalyzers(this.options.analyzers, { artifact, target });
|
|
38
|
-
const findings =
|
|
39
|
-
const permissions = buildPermissionGraph(findings
|
|
38
|
+
const findings = processTestFindings(rawFindings, this.policyConfig.scoreTestCodeFully);
|
|
39
|
+
const permissions = buildPermissionGraph(findings);
|
|
40
40
|
const evidence = {
|
|
41
41
|
hasMetadata: hasMeaningfulMetadata(artifact.metadata),
|
|
42
42
|
fileCount: artifact.files.length,
|
|
43
43
|
};
|
|
44
|
-
const
|
|
45
|
-
const risk = this.riskCalculator.calculate(findings, evidence, { testFindingWeight });
|
|
44
|
+
const risk = this.riskCalculator.calculate(findings, evidence);
|
|
46
45
|
const dataAssessment = assessData(target, artifact, findings, risk, this.policyConfig);
|
|
47
46
|
const policy = this.policyEngine.evaluate(target, risk, findings, permissions, dataAssessment);
|
|
48
47
|
const criticalCount = findings.filter((f) => f.severity === 'CRITICAL' && !f.positive).length;
|
|
@@ -146,8 +145,27 @@ export class Sentinel {
|
|
|
146
145
|
export function createSentinel(options) {
|
|
147
146
|
return new Sentinel(options);
|
|
148
147
|
}
|
|
149
|
-
|
|
150
|
-
|
|
148
|
+
/**
|
|
149
|
+
* Test/fixture files are scanned with a narrower lens than production code.
|
|
150
|
+
* Benign dev patterns (shell APIs, dynamic imports, ...) are expected in tests
|
|
151
|
+
* and dropped, while real attack signatures (secrets, malware, prompt injection)
|
|
152
|
+
* are kept and tagged so they still count toward the risk score and policy.
|
|
153
|
+
* `scoreTestCodeFully` opts back into scoring test files like production code.
|
|
154
|
+
*/
|
|
155
|
+
function processTestFindings(findings, scoreTestCodeFully) {
|
|
156
|
+
const result = [];
|
|
157
|
+
for (const finding of findings) {
|
|
158
|
+
const inTestFile = finding.file !== undefined && isTestPath(finding.file);
|
|
159
|
+
if (!inTestFile) {
|
|
160
|
+
result.push(finding);
|
|
161
|
+
continue;
|
|
162
|
+
}
|
|
163
|
+
if (!scoreTestCodeFully && !isTestRelevantFinding(finding)) {
|
|
164
|
+
continue;
|
|
165
|
+
}
|
|
166
|
+
result.push(finding.isTest ? finding : { ...finding, isTest: true });
|
|
167
|
+
}
|
|
168
|
+
return result;
|
|
151
169
|
}
|
|
152
170
|
function recommendedActionFor(decision) {
|
|
153
171
|
switch (decision) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sentinel.js","sourceRoot":"","sources":["../../src/core/sentinel.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAExD,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;
|
|
1
|
+
{"version":3,"file":"sentinel.js","sourceRoot":"","sources":["../../src/core/sentinel.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AAExD,OAAO,EAAE,UAAU,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AAG9E,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAC;AAExD,OAAO,EAAE,WAAW,EAAe,MAAM,qBAAqB,CAAC;AAG/D,OAAO,EAAE,cAAc,EAAE,MAAM,6BAA6B,CAAC;AAC7D,OAAO,EAAE,UAAU,EAAE,qBAAqB,EAAE,sBAAsB,EAAE,MAAM,8BAA8B,CAAC;AACzG,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAC1D,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAG9D,OAAO,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAC;AAWhE,MAAM,OAAO,QAAQ;IAMU;IALZ,cAAc,GAAG,IAAI,cAAc,EAAE,CAAC;IACtC,YAAY,CAAe;IAC3B,eAAe,GAAG,IAAI,eAAe,EAAE,CAAC;IACxC,YAAY,CAAe;IAE5C,YAA6B,OAAwB;QAAxB,YAAO,GAAP,OAAO,CAAiB;QACnD,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY;YACtC,CAAC,CAAC,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,CAAC,YAAY,EAAE;YAChD,CAAC,CAAC,cAAc,CAAC;QACnB,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC1D,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,SAAiB,EAAE,GAAW;QACzC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,MAAM,MAAM,GAAG,WAAW,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QAC3C,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAErE,IAAI,QAA8B,CAAC;QACnC,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC5C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,MAAM,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACtE,OAAO,IAAI,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;QAC7D,CAAC;QAED,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,MAAM,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;YACrF,MAAM,QAAQ,GAAG,mBAAmB,CAAC,WAAW,EAAE,IAAI,CAAC,YAAY,CAAC,kBAAkB,CAAC,CAAC;YACxF,MAAM,WAAW,GAAG,oBAAoB,CAAC,QAAQ,CAAC,CAAC;YACnD,MAAM,QAAQ,GAAG;gBACf,WAAW,EAAE,qBAAqB,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBACrD,SAAS,EAAE,QAAQ,CAAC,KAAK,CAAC,MAAM;aACjC,CAAC;YACF,MAAM,IAAI,GAAG,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;YAC/D,MAAM,cAAc,GAAG,UAAU,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC;YACvF,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,cAAc,CAAC,CAAC;YAE/F,MAAM,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC;YAC9F,MAAM,OAAO,GAAG,GAAG,IAAI,CAAC,KAAK,UAAU,IAAI,CAAC,KAAK,WAAW,aAAa,oBAAoB,CAAC;YAE9F,OAAO;gBACL,MAAM;gBACN,QAAQ;gBACR,IAAI;gBACJ,MAAM;gBACN,WAAW;gBACX,cAAc;gBACd,OAAO;gBACP,iBAAiB,EAAE,oBAAoB,CAAC,MAAM,CAAC,QAAQ,CAAC;gBACxD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;aAC/B,CAAC;QACJ,CAAC;gBAAS,CAAC;YACT,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAEO,uBAAuB,CAAC,MAAc,EAAE,MAAc,EAAE,KAAa;QAC3E,MAAM,cAAc,GAAG,sBAAsB,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAC;QACrF,MAAM,IAAI,GAAc;YACtB,KAAK,EAAE,CAAC;YACR,KAAK,EAAE,KAAK;YACZ,UAAU,EAAE,CAAC;YACb,eAAe,EAAE,CAAC;YAClB,eAAe,EAAE,CAAC;SACnB,CAAC;QACF,MAAM,MAAM,GAAiB;YAC3B,QAAQ,EAAE,kBAAkB;YAC5B,OAAO,EAAE,CAAC,kEAAkE,EAAE,GAAG,cAAc,CAAC,OAAO,CAAC;YACxG,SAAS,EAAE,EAAE;SACd,CAAC;QAEF,OAAO;YACL,MAAM;YACN,QAAQ,EAAE,EAAE;YACZ,IAAI;YACJ,MAAM;YACN,WAAW,EAAE,EAAE;YACf,cAAc;YACd,OAAO,EAAE,gDAAgD;YACzD,iBAAiB,EAAE,oBAAoB,CAAC,MAAM,CAAC,QAAQ,CAAC;YACxD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SAC/B,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,OAAO,CACX,SAAiB,EACjB,GAAW,EACX,OAA6D;QAE7D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QACjD,OAAO,EAAE,UAAU,EAAE,EAAE,CAAC;QAExB,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACvC,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,gCAAgC;gBACzC,MAAM;aACP,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,EAAE,YAAY;YACpC,CAAC,CAAC,IAAI;YACN,CAAC,CAAC,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;QAE9D,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,OAAO,EAAE,6BAA6B;gBACtC,MAAM;aACP,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QAC7B,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QAEtD,OAAO;YACL,OAAO,EAAE,aAAa,CAAC,QAAQ,KAAK,CAAC;YACrC,OAAO,EAAE,aAAa,CAAC,QAAQ,KAAK,CAAC;gBACnC,CAAC,CAAC,0BAA0B,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,IAAI,EAAE;gBAC7D,CAAC,CAAC,wBAAwB,aAAa,CAAC,MAAM,IAAI,aAAa,CAAC,MAAM,EAAE;YAC1E,MAAM;SACP,CAAC;IACJ,CAAC;IAED,cAAc,CAAC,MAA0B,EAAE,MAAqB;QAC9D,OAAO,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,IAAI,IAAI,CAAC,OAAO,CAAC,YAAY,IAAI,UAAU,CAAC,CAAC;IAClG,CAAC;IAEO,KAAK,CAAC,YAAY,CAAC,MAAc;QACvC,MAAM,EAAE,aAAa,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC;QAEvC,QAAQ,MAAM,CAAC,SAAS,EAAE,CAAC;YACzB,KAAK,KAAK;gBACR,OAAO,aAAa,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,EAAE,kBAAkB,CAAC,EAAE;oBAC5E,GAAG,EAAE,EAAE,yBAAyB,EAAE,MAAM,EAAE;iBAC3C,CAAC,CAAC;YACL,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBAC7C,OAAO,aAAa,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,sBAAsB,KAAK,IAAI,IAAI,MAAM,CAAC,CAAC,CAAC;YACxF,CAAC;YACD,KAAK,OAAO,CAAC;YACb,KAAK,OAAO;gBACV,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,yDAAyD,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;YACxG;gBACE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,+BAA+B,MAAM,CAAC,SAAS,EAAE,EAAE,CAAC;QAClG,CAAC;IACH,CAAC;CACF;AAED,MAAM,UAAU,cAAc,CAAC,OAAwB;IACrD,OAAO,IAAI,QAAQ,CAAC,OAAO,CAAC,CAAC;AAC/B,CAAC;AAED;;;;;;GAMG;AACH,SAAS,mBAAmB,CAAC,QAAmB,EAAE,kBAA2B;IAC3E,MAAM,MAAM,GAAc,EAAE,CAAC;IAC7B,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,KAAK,SAAS,IAAI,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC1E,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACrB,SAAS;QACX,CAAC;QACD,IAAI,CAAC,kBAAkB,IAAI,CAAC,qBAAqB,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3D,SAAS;QACX,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,GAAG,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;IACvE,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,oBAAoB,CAAC,QAAkC;IAC9D,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,OAAO;YACV,OAAO,gBAAgB,CAAC;QAC1B,KAAK,kBAAkB;YACrB,OAAO,sCAAsC,CAAC;QAChD,KAAK,MAAM;YACT,OAAO,sBAAsB,CAAC;QAChC;YACE,OAAO,iBAAiB,CAAC;IAC7B,CAAC;AACH,CAAC"}
|
|
@@ -10,6 +10,11 @@ export interface PolicyConfig {
|
|
|
10
10
|
readonly warnOnInstallScript: boolean;
|
|
11
11
|
readonly warnOnShellAccess: boolean;
|
|
12
12
|
readonly allowOverrides: boolean;
|
|
13
|
+
/**
|
|
14
|
+
* When false (default), test/fixture files are scanned only for leaked secrets
|
|
15
|
+
* and malware signatures. When true, they are scanned with the full production
|
|
16
|
+
* ruleset like any other source file.
|
|
17
|
+
*/
|
|
13
18
|
readonly scoreTestCodeFully: boolean;
|
|
14
19
|
}
|
|
15
20
|
export declare const DEFAULT_POLICY: PolicyConfig;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"default-policy.d.ts","sourceRoot":"","sources":["../../src/engine/default-policy.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,iBAAiB,EAAE,MAAM,EAAE,CAAC;IACrC,QAAQ,CAAC,kBAAkB,EAAE,MAAM,EAAE,CAAC;IACtC,QAAQ,CAAC,kBAAkB,EAAE,MAAM,EAAE,CAAC;IACtC,QAAQ,CAAC,kBAAkB,EAAE,OAAO,CAAC;IACrC,QAAQ,CAAC,yBAAyB,EAAE,OAAO,CAAC;IAC5C,QAAQ,CAAC,mBAAmB,EAAE,OAAO,CAAC;IACtC,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;IACjC,QAAQ,CAAC,kBAAkB,EAAE,OAAO,CAAC;CACtC;AAED,eAAO,MAAM,cAAc,EAAE,YAa5B,CAAC"}
|
|
1
|
+
{"version":3,"file":"default-policy.d.ts","sourceRoot":"","sources":["../../src/engine/default-policy.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,iBAAiB,EAAE,MAAM,EAAE,CAAC;IACrC,QAAQ,CAAC,kBAAkB,EAAE,MAAM,EAAE,CAAC;IACtC,QAAQ,CAAC,kBAAkB,EAAE,MAAM,EAAE,CAAC;IACtC,QAAQ,CAAC,kBAAkB,EAAE,OAAO,CAAC;IACrC,QAAQ,CAAC,yBAAyB,EAAE,OAAO,CAAC;IAC5C,QAAQ,CAAC,mBAAmB,EAAE,OAAO,CAAC;IACtC,QAAQ,CAAC,iBAAiB,EAAE,OAAO,CAAC;IACpC,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;IACjC;;;;OAIG;IACH,QAAQ,CAAC,kBAAkB,EAAE,OAAO,CAAC;CACtC;AAED,eAAO,MAAM,cAAc,EAAE,YAa5B,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"default-policy.js","sourceRoot":"","sources":["../../src/engine/default-policy.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"default-policy.js","sourceRoot":"","sources":["../../src/engine/default-policy.ts"],"names":[],"mappings":"AAoBA,MAAM,CAAC,MAAM,cAAc,GAAiB;IAC1C,cAAc,EAAE,EAAE;IAClB,aAAa,EAAE,EAAE;IACjB,aAAa,EAAE,EAAE;IACjB,iBAAiB,EAAE,EAAE;IACrB,kBAAkB,EAAE,EAAE;IACtB,kBAAkB,EAAE,EAAE;IACtB,kBAAkB,EAAE,IAAI;IACxB,yBAAyB,EAAE,IAAI;IAC/B,mBAAmB,EAAE,IAAI;IACzB,iBAAiB,EAAE,IAAI;IACvB,cAAc,EAAE,IAAI;IACpB,kBAAkB,EAAE,KAAK;CAC1B,CAAC"}
|
|
@@ -1,15 +1,11 @@
|
|
|
1
1
|
import type { Finding } from '../domain/finding.js';
|
|
2
2
|
import type { RiskScore } from '../domain/risk.js';
|
|
3
|
-
export declare const TEST_FINDING_WEIGHT = 0.1;
|
|
4
3
|
export interface AnalysisEvidence {
|
|
5
4
|
readonly hasMetadata: boolean;
|
|
6
5
|
readonly fileCount: number;
|
|
7
6
|
}
|
|
8
|
-
export interface RiskOptions {
|
|
9
|
-
readonly testFindingWeight?: number;
|
|
10
|
-
}
|
|
11
7
|
export declare class RiskCalculator {
|
|
12
|
-
calculate(findings: Finding[], evidence?: AnalysisEvidence
|
|
8
|
+
calculate(findings: Finding[], evidence?: AnalysisEvidence): RiskScore;
|
|
13
9
|
private computeConfidence;
|
|
14
10
|
}
|
|
15
11
|
//# sourceMappingURL=risk-calculator.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"risk-calculator.d.ts","sourceRoot":"","sources":["../../src/engine/risk-calculator.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAEpD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;
|
|
1
|
+
{"version":3,"file":"risk-calculator.d.ts","sourceRoot":"","sources":["../../src/engine/risk-calculator.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAEpD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAanD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED,qBAAa,cAAc;IACzB,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,QAAQ,CAAC,EAAE,gBAAgB,GAAG,SAAS;IA6BtE,OAAO,CAAC,iBAAiB;CAe1B"}
|
|
@@ -2,8 +2,6 @@ import { SEVERITY_WEIGHTS } from '../domain/finding.js';
|
|
|
2
2
|
import { clampScore, scoreToLevel } from '../domain/risk.js';
|
|
3
3
|
const POSITIVE_SIGNAL_WEIGHT = 5;
|
|
4
4
|
const MAX_POSITIVE_REDUCTION = 30;
|
|
5
|
-
export const TEST_FINDING_WEIGHT = 0.1;
|
|
6
|
-
const FULL_WEIGHT = 1;
|
|
7
5
|
const CONFIDENCE_METADATA = 35;
|
|
8
6
|
const CONFIDENCE_HAS_FILES = 25;
|
|
9
7
|
const CONFIDENCE_PER_FILE = 2;
|
|
@@ -11,8 +9,7 @@ const CONFIDENCE_MAX_FILE_BONUS = 20;
|
|
|
11
9
|
const CONFIDENCE_PER_SIGNAL = 2;
|
|
12
10
|
const CONFIDENCE_MAX_SIGNAL_BONUS = 20;
|
|
13
11
|
export class RiskCalculator {
|
|
14
|
-
calculate(findings, evidence
|
|
15
|
-
const testFindingWeight = options?.testFindingWeight ?? FULL_WEIGHT;
|
|
12
|
+
calculate(findings, evidence) {
|
|
16
13
|
let negativeScore = 0;
|
|
17
14
|
let positiveReduction = 0;
|
|
18
15
|
let positiveSignals = 0;
|
|
@@ -24,8 +21,7 @@ export class RiskCalculator {
|
|
|
24
21
|
}
|
|
25
22
|
else if (finding.severity !== 'INFO') {
|
|
26
23
|
negativeSignals++;
|
|
27
|
-
|
|
28
|
-
negativeScore += SEVERITY_WEIGHTS[finding.severity] * weight;
|
|
24
|
+
negativeScore += SEVERITY_WEIGHTS[finding.severity];
|
|
29
25
|
}
|
|
30
26
|
}
|
|
31
27
|
const cappedReduction = Math.min(positiveReduction, MAX_POSITIVE_REDUCTION);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"risk-calculator.js","sourceRoot":"","sources":["../../src/engine/risk-calculator.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAExD,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAE7D,MAAM,sBAAsB,GAAG,CAAC,CAAC;AACjC,MAAM,sBAAsB,GAAG,EAAE,CAAC;AAElC,MAAM,
|
|
1
|
+
{"version":3,"file":"risk-calculator.js","sourceRoot":"","sources":["../../src/engine/risk-calculator.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAExD,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAE7D,MAAM,sBAAsB,GAAG,CAAC,CAAC;AACjC,MAAM,sBAAsB,GAAG,EAAE,CAAC;AAElC,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAC/B,MAAM,oBAAoB,GAAG,EAAE,CAAC;AAChC,MAAM,mBAAmB,GAAG,CAAC,CAAC;AAC9B,MAAM,yBAAyB,GAAG,EAAE,CAAC;AACrC,MAAM,qBAAqB,GAAG,CAAC,CAAC;AAChC,MAAM,2BAA2B,GAAG,EAAE,CAAC;AAOvC,MAAM,OAAO,cAAc;IACzB,SAAS,CAAC,QAAmB,EAAE,QAA2B;QACxD,IAAI,aAAa,GAAG,CAAC,CAAC;QACtB,IAAI,iBAAiB,GAAG,CAAC,CAAC;QAC1B,IAAI,eAAe,GAAG,CAAC,CAAC;QACxB,IAAI,eAAe,GAAG,CAAC,CAAC;QAExB,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACrB,eAAe,EAAE,CAAC;gBAClB,iBAAiB,IAAI,sBAAsB,CAAC;YAC9C,CAAC;iBAAM,IAAI,OAAO,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;gBACvC,eAAe,EAAE,CAAC;gBAClB,aAAa,IAAI,gBAAgB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YACtD,CAAC;QACH,CAAC;QAED,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC,iBAAiB,EAAE,sBAAsB,CAAC,CAAC;QAC5E,MAAM,UAAU,GAAG,UAAU,CAAC,aAAa,GAAG,eAAe,CAAC,CAAC;QAC/D,MAAM,YAAY,GAAG,eAAe,GAAG,eAAe,CAAC;QAEvD,OAAO;YACL,KAAK,EAAE,UAAU;YACjB,KAAK,EAAE,YAAY,CAAC,UAAU,CAAC;YAC/B,UAAU,EAAE,IAAI,CAAC,iBAAiB,CAAC,YAAY,EAAE,QAAQ,CAAC;YAC1D,eAAe;YACf,eAAe;SAChB,CAAC;IACJ,CAAC;IAEO,iBAAiB,CAAC,YAAoB,EAAE,QAA2B;QACzE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,YAAY,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,GAAG,YAAY,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACtE,CAAC;QAED,IAAI,UAAU,GAAG,CAAC,CAAC;QACnB,IAAI,QAAQ,CAAC,WAAW;YAAE,UAAU,IAAI,mBAAmB,CAAC;QAC5D,IAAI,QAAQ,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;YAC3B,UAAU,IAAI,oBAAoB,CAAC;YACnC,UAAU,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,GAAG,mBAAmB,EAAE,yBAAyB,CAAC,CAAC;QAC9F,CAAC;QACD,UAAU,IAAI,IAAI,CAAC,GAAG,CAAC,YAAY,GAAG,qBAAqB,EAAE,2BAA2B,CAAC,CAAC;QAE1F,OAAO,UAAU,CAAC,UAAU,CAAC,CAAC;IAChC,CAAC;CACF"}
|
|
@@ -53,7 +53,7 @@ export class TerminalReporter {
|
|
|
53
53
|
lines.push(kleur.bold(' Findings Summary:'));
|
|
54
54
|
lines.push(` Critical: ${kleur.red(String(critical.length))} High: ${kleur.red(String(high.length))} Medium: ${kleur.yellow(String(medium.length))} Low: ${kleur.green(String(low.length))} Positive: ${kleur.green(String(positive.length))}`);
|
|
55
55
|
if (testFindingCount > 0) {
|
|
56
|
-
lines.push(kleur.dim(` (${testFindingCount} finding(s) in test/fixture files
|
|
56
|
+
lines.push(kleur.dim(` (${testFindingCount} high-signal finding(s) located in test/fixture files)`));
|
|
57
57
|
}
|
|
58
58
|
lines.push('');
|
|
59
59
|
const displayFindings = [...critical, ...high, ...medium].slice(0, 20);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"report-generator.js","sourceRoot":"","sources":["../../src/report/report-generator.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAU1B,SAAS,SAAS,CAAC,KAAgB;IACjC,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,UAAU,CAAC,CAAC,OAAO,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC;QACzC,KAAK,MAAM,CAAC,CAAC,OAAO,KAAK,CAAC,GAAG,CAAC;QAC9B,KAAK,QAAQ,CAAC,CAAC,OAAO,KAAK,CAAC,MAAM,CAAC;QACnC,KAAK,KAAK,CAAC,CAAC,OAAO,KAAK,CAAC,KAAK,CAAC;IACjC,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,QAAgB;IACrC,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,OAAO,CAAC,CAAC,OAAO,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC;QACtC,KAAK,kBAAkB,CAAC,CAAC,OAAO,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC;QACpD,KAAK,MAAM,CAAC,CAAC,OAAO,KAAK,CAAC,MAAM,CAAC;QACjC,KAAK,cAAc,CAAC,CAAC,OAAO,KAAK,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC;QAC/C,OAAO,CAAC,CAAC,OAAO,KAAK,CAAC,KAAK,CAAC;IAC9B,CAAC;AACH,CAAC;AAED,MAAM,OAAO,gBAAgB;IAClB,MAAM,GAAG,UAAmB,CAAC;IAEtC,QAAQ,CAAC,MAA0B;QACjC,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAE3C,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC,CAAC;QAClE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,iBAAiB,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACtG,KAAK,CAAC,IAAI,CAAC,iBAAiB,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,MAAM,CAAC,IAAI,CAAC,KAAK,OAAO,CAAC,CAAC;QACnF,KAAK,CAAC,IAAI,CAAC,iBAAiB,MAAM,CAAC,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;QACvD,KAAK,CAAC,IAAI,CAAC,iBAAiB,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QAC7F,KAAK,CAAC,IAAI,CAAC,iBAAiB,MAAM,CAAC,iBAAiB,EAAE,CAAC,CAAC;QACxD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEf,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,UAAU,IAAI,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClF,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC,CAAC;YACxF,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC;gBACnD,KAAK,CAAC,IAAI,CAAC,SAAS,MAAM,EAAE,CAAC,CAAC;YAChC,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC;YAC5C,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBAC3C,KAAK,CAAC,IAAI,CAAC,SAAS,MAAM,EAAE,CAAC,CAAC;YAChC,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACzF,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACjF,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACrF,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC/E,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAE3D,MAAM,gBAAgB,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC;QAEvF,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC;QAC9C,KAAK,CAAC,IAAI,CAAC,iBAAiB,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,WAAW,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,aAAa,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,UAAU,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,eAAe,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC;QACvP,IAAI,gBAAgB,GAAG,CAAC,EAAE,CAAC;YACzB,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,gBAAgB,
|
|
1
|
+
{"version":3,"file":"report-generator.js","sourceRoot":"","sources":["../../src/report/report-generator.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAU1B,SAAS,SAAS,CAAC,KAAgB;IACjC,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,UAAU,CAAC,CAAC,OAAO,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC;QACzC,KAAK,MAAM,CAAC,CAAC,OAAO,KAAK,CAAC,GAAG,CAAC;QAC9B,KAAK,QAAQ,CAAC,CAAC,OAAO,KAAK,CAAC,MAAM,CAAC;QACnC,KAAK,KAAK,CAAC,CAAC,OAAO,KAAK,CAAC,KAAK,CAAC;IACjC,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,QAAgB;IACrC,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,OAAO,CAAC,CAAC,OAAO,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC;QACtC,KAAK,kBAAkB,CAAC,CAAC,OAAO,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC;QACpD,KAAK,MAAM,CAAC,CAAC,OAAO,KAAK,CAAC,MAAM,CAAC;QACjC,KAAK,cAAc,CAAC,CAAC,OAAO,KAAK,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC;QAC/C,OAAO,CAAC,CAAC,OAAO,KAAK,CAAC,KAAK,CAAC;IAC9B,CAAC;AACH,CAAC;AAED,MAAM,OAAO,gBAAgB;IAClB,MAAM,GAAG,UAAmB,CAAC;IAEtC,QAAQ,CAAC,MAA0B;QACjC,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAE3C,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC,CAAC;QAClE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,iBAAiB,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACtG,KAAK,CAAC,IAAI,CAAC,iBAAiB,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,MAAM,CAAC,IAAI,CAAC,KAAK,OAAO,CAAC,CAAC;QACnF,KAAK,CAAC,IAAI,CAAC,iBAAiB,MAAM,CAAC,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;QACvD,KAAK,CAAC,IAAI,CAAC,iBAAiB,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QAC7F,KAAK,CAAC,IAAI,CAAC,iBAAiB,MAAM,CAAC,iBAAiB,EAAE,CAAC,CAAC;QACxD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEf,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,UAAU,IAAI,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClF,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC,CAAC;YACxF,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC;gBACnD,KAAK,CAAC,IAAI,CAAC,SAAS,MAAM,EAAE,CAAC,CAAC;YAChC,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC;YAC5C,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;gBAC3C,KAAK,CAAC,IAAI,CAAC,SAAS,MAAM,EAAE,CAAC,CAAC;YAChC,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACzF,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACjF,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACrF,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC/E,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAE3D,MAAM,gBAAgB,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC;QAEvF,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC;QAC9C,KAAK,CAAC,IAAI,CAAC,iBAAiB,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,WAAW,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,aAAa,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,UAAU,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,eAAe,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC;QACvP,IAAI,gBAAgB,GAAG,CAAC,EAAE,CAAC;YACzB,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,gBAAgB,wDAAwD,CAAC,CAAC,CAAC;QAC1G,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEf,MAAM,eAAe,GAAG,CAAC,GAAG,QAAQ,EAAE,GAAG,IAAI,EAAE,GAAG,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACvE,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC;YAC1C,KAAK,MAAM,CAAC,IAAI,eAAe,EAAE,CAAC;gBAChC,MAAM,GAAG,GAAG,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC;oBAC/D,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC;wBAC7C,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,GAAG,CAAC,CAAC;gBAClC,MAAM,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACtE,MAAM,OAAO,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC1D,KAAK,CAAC,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,KAAK,GAAG,GAAG,GAAG,OAAO,EAAE,CAAC,CAAC;gBACpD,KAAK,CAAC,IAAI,CAAC,cAAc,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;gBACrD,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;oBACf,KAAK,CAAC,IAAI,CAAC,cAAc,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;gBACtE,CAAC;YACH,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;QAED,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC,CAAC;YACnD,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;gBACnC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;YAClD,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;QAED,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,gBAAgB,MAAM,CAAC,SAAS,KAAK,MAAM,CAAC,UAAU,KAAK,CAAC,CAAC,CAAC;QACnF,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEf,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;CACF;AAED,MAAM,OAAO,YAAY;IACd,MAAM,GAAG,MAAe,CAAC;IAElC,QAAQ,CAAC,MAA0B;QACjC,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IACzC,CAAC;CACF;AAED,MAAM,OAAO,gBAAgB;IAClB,MAAM,GAAG,UAAmB,CAAC;IAEtC,QAAQ,CAAC,MAA0B;QACjC,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,KAAK,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;QACzC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,eAAe,MAAM,CAAC,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QAC3E,KAAK,CAAC,IAAI,CAAC,aAAa,MAAM,CAAC,IAAI,CAAC,KAAK,KAAK,MAAM,CAAC,IAAI,CAAC,KAAK,OAAO,CAAC,CAAC;QACxE,KAAK,CAAC,IAAI,CAAC,mBAAmB,MAAM,CAAC,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC;QACzD,KAAK,CAAC,IAAI,CAAC,iBAAiB,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;QACtD,KAAK,CAAC,IAAI,CAAC,2BAA2B,MAAM,CAAC,iBAAiB,EAAE,CAAC,CAAC;QAClE,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,UAAU,IAAI,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClF,KAAK,CAAC,IAAI,CAAC,kFAAkF,CAAC,CAAC;YAC/F,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACf,KAAK,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;YAClC,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,CAAC;gBACnD,KAAK,CAAC,IAAI,CAAC,KAAK,MAAM,EAAE,CAAC,CAAC;YAC5B,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;QAChC,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YAC3C,KAAK,CAAC,IAAI,CAAC,KAAK,MAAM,EAAE,CAAC,CAAC;QAC5B,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC1B,KAAK,CAAC,IAAI,CAAC,0DAA0D,CAAC,CAAC;QACvE,KAAK,CAAC,IAAI,CAAC,0DAA0D,CAAC,CAAC;QACvE,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC3D,MAAM,QAAQ,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC;YAC9E,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;YACtE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,MAAM,CAAC,CAAC,QAAQ,MAAM,CAAC,CAAC,KAAK,MAAM,IAAI,MAAM,CAAC,CAAC,IAAI,IAAI,GAAG,MAAM,QAAQ,IAAI,CAAC,CAAC;QAC1G,CAAC;QACD,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACf,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAC7B,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;gBACnC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;YAClD,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;CACF;AAED,MAAM,OAAO,YAAY;IACF;IAArB,YAAqB,MAAoB;QAApB,WAAM,GAAN,MAAM,CAAc;IAAG,CAAC;IAE7C,QAAQ,CAAC,OAA2B;QAClC,OAAO,IAAI,IAAI,CAAC,MAAM,4CAA4C,CAAC;IACrE,CAAC;CACF;AAED,MAAM,OAAO,eAAe;IACT,UAAU,CAAoC;IAE/D;QACE,IAAI,CAAC,UAAU,GAAG,IAAI,GAAG,CAA+B;YACtD,CAAC,UAAU,EAAE,IAAI,gBAAgB,EAAE,CAAC;YACpC,CAAC,MAAM,EAAE,IAAI,YAAY,EAAE,CAAC;YAC5B,CAAC,UAAU,EAAE,IAAI,gBAAgB,EAAE,CAAC;YACpC,CAAC,OAAO,EAAE,IAAI,YAAY,CAAC,OAAO,CAAC,CAAC;YACpC,CAAC,MAAM,EAAE,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;YAClC,CAAC,KAAK,EAAE,IAAI,YAAY,CAAC,KAAK,CAAC,CAAC;SACjC,CAAC,CAAC;IACL,CAAC;IAED,QAAQ,CAAC,MAA0B,EAAE,SAAuB,UAAU;QACpE,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,8BAA8B,MAAM,EAAE,CAAC,CAAC;QAC1D,CAAC;QACD,OAAO,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnC,CAAC;CACF"}
|