@shipsafe/cli 0.1.2 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/src/cli/scan.d.ts.map +1 -1
- package/dist/src/cli/scan.js +17 -13
- package/dist/src/cli/scan.js.map +1 -1
- package/dist/src/engines/builtin/dependencies.d.ts +11 -0
- package/dist/src/engines/builtin/dependencies.d.ts.map +1 -0
- package/dist/src/engines/builtin/dependencies.js +402 -0
- package/dist/src/engines/builtin/dependencies.js.map +1 -0
- package/dist/src/engines/builtin/patterns.d.ts +20 -0
- package/dist/src/engines/builtin/patterns.d.ts.map +1 -0
- package/dist/src/engines/builtin/patterns.js +1015 -0
- package/dist/src/engines/builtin/patterns.js.map +1 -0
- package/dist/src/engines/builtin/secrets.d.ts +11 -0
- package/dist/src/engines/builtin/secrets.d.ts.map +1 -0
- package/dist/src/engines/builtin/secrets.js +1962 -0
- package/dist/src/engines/builtin/secrets.js.map +1 -0
- package/dist/src/engines/pattern/index.d.ts.map +1 -1
- package/dist/src/engines/pattern/index.js +24 -5
- package/dist/src/engines/pattern/index.js.map +1 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"scan.d.ts","sourceRoot":"","sources":["../../../src/cli/scan.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AASpC,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,OAAO,CAAC;IACb,IAAI,EAAE,OAAO,CAAC;CACf;
|
|
1
|
+
{"version":3,"file":"scan.d.ts","sourceRoot":"","sources":["../../../src/cli/scan.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AASpC,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,OAAO,CAAC;IACb,IAAI,EAAE,OAAO,CAAC;CACf;AAsED,wBAAsB,gBAAgB,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,CAqC1E;AAED,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAU1D"}
|
package/dist/src/cli/scan.js
CHANGED
|
@@ -18,26 +18,30 @@ async function formatResults(result) {
|
|
|
18
18
|
const scanners = await getAvailableScanners();
|
|
19
19
|
const graphAvailable = isGraphEngineAvailable();
|
|
20
20
|
const license = await checkLicense();
|
|
21
|
+
// Get built-in engine stats
|
|
22
|
+
const { getSecretPatternCount } = await import('../engines/builtin/secrets.js');
|
|
23
|
+
const { getPatternRuleCount } = await import('../engines/builtin/patterns.js');
|
|
21
24
|
console.log('');
|
|
22
25
|
console.log(chalk.bold(' ShipSafe Scan Results'));
|
|
23
26
|
console.log(chalk.dim(' ' + '─'.repeat(44)));
|
|
24
27
|
console.log('');
|
|
25
|
-
// Show what engines ran
|
|
26
28
|
const check = chalk.green('✓');
|
|
27
29
|
const cross = chalk.dim('✗');
|
|
28
|
-
console.log(chalk.dim(' Engines:'));
|
|
29
|
-
console.log(` ${
|
|
30
|
-
console.log(` ${
|
|
31
|
-
console.log(` ${
|
|
32
|
-
console.log(` ${graphAvailable ? check : cross} Knowledge Graph
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
30
|
+
console.log(chalk.dim(' Built-in Engines:'));
|
|
31
|
+
console.log(` ${check} Secret Scanner ${chalk.dim(`(${getSecretPatternCount()} patterns)`)}`);
|
|
32
|
+
console.log(` ${check} Vulnerability Scanner ${chalk.dim(`(${getPatternRuleCount()} rules)`)}`);
|
|
33
|
+
console.log(` ${check} Dependency Auditor`);
|
|
34
|
+
console.log(` ${graphAvailable ? check : cross} Knowledge Graph`);
|
|
35
|
+
if (scanners.semgrep || scanners.gitleaks || scanners.trivy) {
|
|
36
|
+
console.log(chalk.dim(' External (bonus):'));
|
|
37
|
+
if (scanners.semgrep)
|
|
38
|
+
console.log(` ${check} Semgrep`);
|
|
39
|
+
if (scanners.gitleaks)
|
|
40
|
+
console.log(` ${check} Gitleaks`);
|
|
41
|
+
if (scanners.trivy)
|
|
42
|
+
console.log(` ${check} Trivy`);
|
|
40
43
|
}
|
|
44
|
+
console.log('');
|
|
41
45
|
// Score
|
|
42
46
|
const duration = formatDuration(result.scan_duration_ms);
|
|
43
47
|
const scoreColor = result.score === 'A' ? chalk.green : result.score === 'B' ? chalk.yellow : chalk.red;
|
package/dist/src/cli/scan.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"scan.js","sourceRoot":"","sources":["../../../src/cli/scan.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACrF,OAAO,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AACnE,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAQlD,MAAM,eAAe,GAA+C;IAClE,QAAQ,EAAE,KAAK,CAAC,GAAG;IACnB,IAAI,EAAE,KAAK,CAAC,GAAG;IACf,MAAM,EAAE,KAAK,CAAC,MAAM;IACpB,GAAG,EAAE,KAAK,CAAC,IAAI;IACf,IAAI,EAAE,KAAK,CAAC,IAAI;CACjB,CAAC;AAEF,SAAS,cAAc,CAAC,EAAU;IAChC,OAAO,GAAG,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC;AACtC,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,MAAkB;IAC7C,MAAM,QAAQ,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAC9C,MAAM,cAAc,GAAG,sBAAsB,EAAE,CAAC;IAChD,MAAM,OAAO,GAAG,MAAM,YAAY,EAAE,CAAC;IAErC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC,CAAC;IACnD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC9C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,
|
|
1
|
+
{"version":3,"file":"scan.js","sourceRoot":"","sources":["../../../src/cli/scan.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,OAAO,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACrF,OAAO,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AACnE,OAAO,EAAE,kBAAkB,EAAE,MAAM,4BAA4B,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAQlD,MAAM,eAAe,GAA+C;IAClE,QAAQ,EAAE,KAAK,CAAC,GAAG;IACnB,IAAI,EAAE,KAAK,CAAC,GAAG;IACf,MAAM,EAAE,KAAK,CAAC,MAAM;IACpB,GAAG,EAAE,KAAK,CAAC,IAAI;IACf,IAAI,EAAE,KAAK,CAAC,IAAI;CACjB,CAAC;AAEF,SAAS,cAAc,CAAC,EAAU;IAChC,OAAO,GAAG,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC;AACtC,CAAC;AAED,KAAK,UAAU,aAAa,CAAC,MAAkB;IAC7C,MAAM,QAAQ,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAC9C,MAAM,cAAc,GAAG,sBAAsB,EAAE,CAAC;IAChD,MAAM,OAAO,GAAG,MAAM,YAAY,EAAE,CAAC;IAErC,4BAA4B;IAC5B,MAAM,EAAE,qBAAqB,EAAE,GAAG,MAAM,MAAM,CAAC,+BAA+B,CAAC,CAAC;IAChF,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,gCAAgC,CAAC,CAAC;IAE/E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC,CAAC;IACnD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC9C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/B,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAE7B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAC9C,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,mBAAmB,KAAK,CAAC,GAAG,CAAC,IAAI,qBAAqB,EAAE,YAAY,CAAC,EAAE,CAAC,CAAC;IACjG,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,0BAA0B,KAAK,CAAC,GAAG,CAAC,IAAI,mBAAmB,EAAE,SAAS,CAAC,EAAE,CAAC,CAAC;IACnG,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,qBAAqB,CAAC,CAAC;IAC/C,OAAO,CAAC,GAAG,CAAC,OAAO,cAAc,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,kBAAkB,CAAC,CAAC;IAErE,IAAI,QAAQ,CAAC,OAAO,IAAI,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;QAC5D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC,CAAC;QAC9C,IAAI,QAAQ,CAAC,OAAO;YAAE,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,UAAU,CAAC,CAAC;QAC1D,IAAI,QAAQ,CAAC,QAAQ;YAAE,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,WAAW,CAAC,CAAC;QAC5D,IAAI,QAAQ,CAAC,KAAK;YAAE,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC;IACxD,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,QAAQ;IACR,MAAM,QAAQ,GAAG,cAAc,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;IACzD,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,KAAK,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,KAAK,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC;IACxG,OAAO,CAAC,GAAG,CAAC,YAAY,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,QAAQ,MAAM,CAAC,QAAQ,CAAC,MAAM,iBAAiB,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAClI,OAAO,CAAC,GAAG,CAAC,YAAY,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACnD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,WAAW;IACX,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,eAAe,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YAClD,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;YACxE,OAAO,CAAC,GAAG,CAAC,KAAK,aAAa,IAAI,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,GAAG,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAClF,OAAO,CAAC,GAAG,CAAC,KAAK,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;YACxC,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC;YAChE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,+CAA+C,CAAC,CAAC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,OAAoB;IACzD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAkB,CAAC;IAEzC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,gBAAgB,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,WAAW,KAAK,CAAC,CAAC,CAAC;IAE/F,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC;QACpC,UAAU,EAAE,OAAO,CAAC,GAAG,EAAE;QACzB,KAAK;KACN,CAAC,CAAC;IAEH,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAChD,CAAC;aAAM,CAAC;YACN,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACtC,IAAI,OAAO,CAAC,IAAI,KAAK,kBAAkB,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;oBAChE,MAAM,GAAG,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;oBAC9C,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,gBAAgB,GAAG,CAAC,UAAU,eAAe,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;gBACxG,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;QACjB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC/C,CAAC;SAAM,CAAC;QACN,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC;IAED,MAAM,iBAAiB,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAC5C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,QAAQ,KAAK,MAAM,CAC1D,CAAC;IAEF,IAAI,iBAAiB,EAAE,CAAC;QACtB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,OAAgB;IAClD,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,2CAA2C,CAAC;SACxD,MAAM,CAAC,iBAAiB,EAAE,yCAAyC,EAAE,QAAQ,CAAC;SAC9E,MAAM,CAAC,OAAO,EAAE,8BAA8B,EAAE,KAAK,CAAC;SACtD,MAAM,CAAC,QAAQ,EAAE,wBAAwB,EAAE,KAAK,CAAC;SACjD,MAAM,CAAC,KAAK,EAAE,OAAoB,EAAE,EAAE;QACrC,MAAM,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACP,CAAC"}
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
import type { Finding } from '../../types.js';
|
|
2
|
+
export interface DependencyAuditSummary {
|
|
3
|
+
total: number;
|
|
4
|
+
critical: number;
|
|
5
|
+
high: number;
|
|
6
|
+
moderate: number;
|
|
7
|
+
low: number;
|
|
8
|
+
}
|
|
9
|
+
export declare function scanDependencies(targetPath: string): Promise<Finding[]>;
|
|
10
|
+
export declare function getDependencySummary(targetPath: string): Promise<DependencyAuditSummary>;
|
|
11
|
+
//# sourceMappingURL=dependencies.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dependencies.d.ts","sourceRoot":"","sources":["../../../../src/engines/builtin/dependencies.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAY,MAAM,gBAAgB,CAAC;AAKxD,MAAM,WAAW,sBAAsB;IACrC,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC;CACb;AAqZD,wBAAsB,gBAAgB,CACpC,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,OAAO,EAAE,CAAC,CA8DpB;AAID,wBAAsB,oBAAoB,CACxC,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,sBAAsB,CAAC,CA8BjC"}
|
|
@@ -0,0 +1,402 @@
|
|
|
1
|
+
import { readFile } from 'node:fs/promises';
|
|
2
|
+
import { join } from 'node:path';
|
|
3
|
+
import { editDistance } from '../../mcp/tools/check-package.js';
|
|
4
|
+
// ── Constants ──
|
|
5
|
+
const POPULAR_PACKAGES = [
|
|
6
|
+
'react',
|
|
7
|
+
'express',
|
|
8
|
+
'lodash',
|
|
9
|
+
'axios',
|
|
10
|
+
'moment',
|
|
11
|
+
'chalk',
|
|
12
|
+
'commander',
|
|
13
|
+
'next',
|
|
14
|
+
'vue',
|
|
15
|
+
'angular',
|
|
16
|
+
'webpack',
|
|
17
|
+
'typescript',
|
|
18
|
+
'zod',
|
|
19
|
+
'prisma',
|
|
20
|
+
'drizzle',
|
|
21
|
+
'hono',
|
|
22
|
+
'fastify',
|
|
23
|
+
'vite',
|
|
24
|
+
'esbuild',
|
|
25
|
+
'rollup',
|
|
26
|
+
'jest',
|
|
27
|
+
'vitest',
|
|
28
|
+
'mocha',
|
|
29
|
+
'prettier',
|
|
30
|
+
'eslint',
|
|
31
|
+
'tailwindcss',
|
|
32
|
+
'postcss',
|
|
33
|
+
'dotenv',
|
|
34
|
+
'cors',
|
|
35
|
+
'helmet',
|
|
36
|
+
'jsonwebtoken',
|
|
37
|
+
'bcrypt',
|
|
38
|
+
'mongoose',
|
|
39
|
+
'sequelize',
|
|
40
|
+
'socket.io',
|
|
41
|
+
'redis',
|
|
42
|
+
'bull',
|
|
43
|
+
'passport',
|
|
44
|
+
'multer',
|
|
45
|
+
'sharp',
|
|
46
|
+
'puppeteer',
|
|
47
|
+
'playwright',
|
|
48
|
+
];
|
|
49
|
+
const NPM_AUDIT_URL = 'https://registry.npmjs.org/-/npm/v1/security/audits';
|
|
50
|
+
// ── Helpers ──
|
|
51
|
+
function mapNpmSeverity(npmSeverity) {
|
|
52
|
+
switch (npmSeverity) {
|
|
53
|
+
case 'critical':
|
|
54
|
+
return 'critical';
|
|
55
|
+
case 'high':
|
|
56
|
+
return 'high';
|
|
57
|
+
case 'moderate':
|
|
58
|
+
return 'medium';
|
|
59
|
+
case 'low':
|
|
60
|
+
return 'low';
|
|
61
|
+
case 'info':
|
|
62
|
+
return 'info';
|
|
63
|
+
default:
|
|
64
|
+
return 'medium';
|
|
65
|
+
}
|
|
66
|
+
}
|
|
67
|
+
async function readJsonFile(filePath) {
|
|
68
|
+
try {
|
|
69
|
+
const content = await readFile(filePath, 'utf-8');
|
|
70
|
+
return JSON.parse(content);
|
|
71
|
+
}
|
|
72
|
+
catch {
|
|
73
|
+
return null;
|
|
74
|
+
}
|
|
75
|
+
}
|
|
76
|
+
function isWildcardVersion(version) {
|
|
77
|
+
return version === '*' || version === 'latest' || version === '';
|
|
78
|
+
}
|
|
79
|
+
function checkTyposquat(name) {
|
|
80
|
+
for (const popular of POPULAR_PACKAGES) {
|
|
81
|
+
if (name === popular)
|
|
82
|
+
continue;
|
|
83
|
+
const distance = editDistance(name.toLowerCase(), popular.toLowerCase());
|
|
84
|
+
if (distance > 0 && distance <= 2) {
|
|
85
|
+
return { isTyposquat: true, similarTo: popular };
|
|
86
|
+
}
|
|
87
|
+
}
|
|
88
|
+
return { isTyposquat: false };
|
|
89
|
+
}
|
|
90
|
+
/**
|
|
91
|
+
* Build the payload that the npm audit API expects.
|
|
92
|
+
* This mimics what `npm audit` sends internally.
|
|
93
|
+
*/
|
|
94
|
+
function buildAuditPayload(pkgJson, lockData) {
|
|
95
|
+
const allDeps = {
|
|
96
|
+
...pkgJson.dependencies,
|
|
97
|
+
...pkgJson.devDependencies,
|
|
98
|
+
};
|
|
99
|
+
// Build the "requires" and "dependencies" maps for the audit API
|
|
100
|
+
const requires = {};
|
|
101
|
+
const dependencies = {};
|
|
102
|
+
for (const [name, specifier] of Object.entries(allDeps)) {
|
|
103
|
+
requires[name] = specifier;
|
|
104
|
+
// Prefer the resolved version from the lockfile
|
|
105
|
+
let resolvedVersion = specifier;
|
|
106
|
+
if (lockData) {
|
|
107
|
+
// lockfileVersion 2/3 uses "packages" with "" prefix entries
|
|
108
|
+
const lockPackages = lockData.packages;
|
|
109
|
+
if (lockPackages) {
|
|
110
|
+
const lockEntry = lockPackages[`node_modules/${name}`] ?? lockPackages[name];
|
|
111
|
+
if (lockEntry?.version) {
|
|
112
|
+
resolvedVersion = lockEntry.version;
|
|
113
|
+
}
|
|
114
|
+
}
|
|
115
|
+
// lockfileVersion 1 uses "dependencies"
|
|
116
|
+
const lockDeps = lockData.dependencies;
|
|
117
|
+
if (lockDeps?.[name]?.version) {
|
|
118
|
+
resolvedVersion = lockDeps[name].version;
|
|
119
|
+
}
|
|
120
|
+
}
|
|
121
|
+
// Strip semver range prefixes for the version field
|
|
122
|
+
const cleaned = resolvedVersion.replace(/^[\^~>=<\s]+/, '');
|
|
123
|
+
dependencies[name] = { version: cleaned || '0.0.0' };
|
|
124
|
+
}
|
|
125
|
+
return {
|
|
126
|
+
name: pkgJson.name ?? 'unknown',
|
|
127
|
+
version: pkgJson.version ?? '0.0.0',
|
|
128
|
+
requires,
|
|
129
|
+
dependencies,
|
|
130
|
+
};
|
|
131
|
+
}
|
|
132
|
+
// ── Audit API call ──
|
|
133
|
+
async function callNpmAudit(pkgJson, lockData) {
|
|
134
|
+
const payload = buildAuditPayload(pkgJson, lockData);
|
|
135
|
+
try {
|
|
136
|
+
const response = await fetch(NPM_AUDIT_URL, {
|
|
137
|
+
method: 'POST',
|
|
138
|
+
headers: { 'Content-Type': 'application/json' },
|
|
139
|
+
body: JSON.stringify(payload),
|
|
140
|
+
signal: AbortSignal.timeout(15_000),
|
|
141
|
+
});
|
|
142
|
+
if (!response.ok) {
|
|
143
|
+
return null;
|
|
144
|
+
}
|
|
145
|
+
return (await response.json());
|
|
146
|
+
}
|
|
147
|
+
catch {
|
|
148
|
+
// Offline or API unreachable — fall back to local-only checks
|
|
149
|
+
return null;
|
|
150
|
+
}
|
|
151
|
+
}
|
|
152
|
+
// ── Local checks (work offline) ──
|
|
153
|
+
function runLocalChecks(pkgJson, lockData, packageJsonPath) {
|
|
154
|
+
const findings = [];
|
|
155
|
+
const allDeps = {
|
|
156
|
+
...pkgJson.dependencies,
|
|
157
|
+
...pkgJson.devDependencies,
|
|
158
|
+
};
|
|
159
|
+
let findingIndex = 0;
|
|
160
|
+
for (const [name, versionSpec] of Object.entries(allDeps)) {
|
|
161
|
+
// 1. Wildcard / latest versions
|
|
162
|
+
if (isWildcardVersion(versionSpec)) {
|
|
163
|
+
findings.push({
|
|
164
|
+
id: `dep-wildcard-${findingIndex++}`,
|
|
165
|
+
engine: 'pattern',
|
|
166
|
+
severity: 'high',
|
|
167
|
+
type: 'dependency-wildcard-version',
|
|
168
|
+
file: packageJsonPath,
|
|
169
|
+
line: 0,
|
|
170
|
+
description: `Dependency "${name}" uses wildcard version "${versionSpec}". This allows arbitrary versions to be installed, including potentially malicious ones.`,
|
|
171
|
+
fix_suggestion: `Pin "${name}" to a specific version range (e.g., "^x.y.z") instead of "${versionSpec}".`,
|
|
172
|
+
auto_fixable: false,
|
|
173
|
+
});
|
|
174
|
+
}
|
|
175
|
+
// 2. Phantom dependencies (in package.json but not in lockfile)
|
|
176
|
+
if (lockData && !isWildcardVersion(versionSpec)) {
|
|
177
|
+
const inLock = hasLockEntry(lockData, name);
|
|
178
|
+
if (!inLock) {
|
|
179
|
+
findings.push({
|
|
180
|
+
id: `dep-phantom-${findingIndex++}`,
|
|
181
|
+
engine: 'pattern',
|
|
182
|
+
severity: 'medium',
|
|
183
|
+
type: 'dependency-phantom',
|
|
184
|
+
file: packageJsonPath,
|
|
185
|
+
line: 0,
|
|
186
|
+
description: `Dependency "${name}" is declared in package.json but has no entry in the lockfile. This may indicate the lockfile is out of date or the dependency was never installed.`,
|
|
187
|
+
fix_suggestion: `Run "npm install" to regenerate the lockfile and ensure "${name}" is properly resolved.`,
|
|
188
|
+
auto_fixable: false,
|
|
189
|
+
});
|
|
190
|
+
}
|
|
191
|
+
}
|
|
192
|
+
// 3. Deprecated packages (from lockfile metadata)
|
|
193
|
+
if (lockData) {
|
|
194
|
+
const deprecationMsg = getDeprecationMessage(lockData, name);
|
|
195
|
+
if (deprecationMsg) {
|
|
196
|
+
findings.push({
|
|
197
|
+
id: `dep-deprecated-${findingIndex++}`,
|
|
198
|
+
engine: 'pattern',
|
|
199
|
+
severity: 'medium',
|
|
200
|
+
type: 'dependency-deprecated',
|
|
201
|
+
file: packageJsonPath,
|
|
202
|
+
line: 0,
|
|
203
|
+
description: `Dependency "${name}" is deprecated: ${deprecationMsg}`,
|
|
204
|
+
fix_suggestion: `Find an actively maintained alternative to "${name}" and migrate away from this package.`,
|
|
205
|
+
auto_fixable: false,
|
|
206
|
+
});
|
|
207
|
+
}
|
|
208
|
+
}
|
|
209
|
+
// 4. Typosquat detection
|
|
210
|
+
const typoCheck = checkTyposquat(name);
|
|
211
|
+
if (typoCheck.isTyposquat) {
|
|
212
|
+
findings.push({
|
|
213
|
+
id: `dep-typosquat-${findingIndex++}`,
|
|
214
|
+
engine: 'pattern',
|
|
215
|
+
severity: 'critical',
|
|
216
|
+
type: 'dependency-typosquat',
|
|
217
|
+
file: packageJsonPath,
|
|
218
|
+
line: 0,
|
|
219
|
+
description: `Dependency "${name}" looks like a typosquat of popular package "${typoCheck.similarTo}". This could be a malicious package impersonating a legitimate one.`,
|
|
220
|
+
fix_suggestion: `Verify that "${name}" is the intended package. If you meant "${typoCheck.similarTo}", replace it immediately.`,
|
|
221
|
+
auto_fixable: false,
|
|
222
|
+
});
|
|
223
|
+
}
|
|
224
|
+
// 5. Very old version ranges (heuristic: major version 0 for well-known packages,
|
|
225
|
+
// or version specifiers that pin to extremely old majors)
|
|
226
|
+
const oldVersionWarning = checkForVeryOldVersion(name, versionSpec);
|
|
227
|
+
if (oldVersionWarning) {
|
|
228
|
+
findings.push({
|
|
229
|
+
id: `dep-outdated-${findingIndex++}`,
|
|
230
|
+
engine: 'pattern',
|
|
231
|
+
severity: 'low',
|
|
232
|
+
type: 'dependency-outdated',
|
|
233
|
+
file: packageJsonPath,
|
|
234
|
+
line: 0,
|
|
235
|
+
description: oldVersionWarning.description,
|
|
236
|
+
fix_suggestion: oldVersionWarning.fix,
|
|
237
|
+
auto_fixable: false,
|
|
238
|
+
});
|
|
239
|
+
}
|
|
240
|
+
}
|
|
241
|
+
return findings;
|
|
242
|
+
}
|
|
243
|
+
function hasLockEntry(lockData, name) {
|
|
244
|
+
// Check lockfileVersion 2/3 "packages" field
|
|
245
|
+
if (lockData.packages) {
|
|
246
|
+
if (lockData.packages[`node_modules/${name}`] ||
|
|
247
|
+
lockData.packages[name]) {
|
|
248
|
+
return true;
|
|
249
|
+
}
|
|
250
|
+
}
|
|
251
|
+
// Check lockfileVersion 1 "dependencies" field
|
|
252
|
+
if (lockData.dependencies?.[name]) {
|
|
253
|
+
return true;
|
|
254
|
+
}
|
|
255
|
+
return false;
|
|
256
|
+
}
|
|
257
|
+
function getDeprecationMessage(lockData, name) {
|
|
258
|
+
if (lockData.packages) {
|
|
259
|
+
const entry = lockData.packages[`node_modules/${name}`] ?? lockData.packages[name];
|
|
260
|
+
if (entry?.deprecated) {
|
|
261
|
+
return entry.deprecated;
|
|
262
|
+
}
|
|
263
|
+
}
|
|
264
|
+
return null;
|
|
265
|
+
}
|
|
266
|
+
/**
|
|
267
|
+
* Heuristic check for very old dependency versions.
|
|
268
|
+
* We track known "current" major versions for popular packages. If the installed
|
|
269
|
+
* major is 3+ behind, we flag it as likely outdated (> 3 years old in practice).
|
|
270
|
+
*/
|
|
271
|
+
const KNOWN_CURRENT_MAJORS = {
|
|
272
|
+
react: 19,
|
|
273
|
+
express: 5,
|
|
274
|
+
lodash: 4,
|
|
275
|
+
axios: 1,
|
|
276
|
+
chalk: 5,
|
|
277
|
+
commander: 12,
|
|
278
|
+
next: 15,
|
|
279
|
+
vue: 3,
|
|
280
|
+
webpack: 5,
|
|
281
|
+
typescript: 5,
|
|
282
|
+
zod: 3,
|
|
283
|
+
jest: 29,
|
|
284
|
+
eslint: 9,
|
|
285
|
+
prettier: 3,
|
|
286
|
+
tailwindcss: 4,
|
|
287
|
+
postcss: 8,
|
|
288
|
+
vite: 6,
|
|
289
|
+
esbuild: 0,
|
|
290
|
+
rollup: 4,
|
|
291
|
+
vitest: 2,
|
|
292
|
+
mocha: 10,
|
|
293
|
+
fastify: 5,
|
|
294
|
+
hono: 4,
|
|
295
|
+
mongoose: 8,
|
|
296
|
+
sequelize: 6,
|
|
297
|
+
redis: 4,
|
|
298
|
+
passport: 0,
|
|
299
|
+
sharp: 0,
|
|
300
|
+
puppeteer: 23,
|
|
301
|
+
playwright: 1,
|
|
302
|
+
};
|
|
303
|
+
function checkForVeryOldVersion(name, versionSpec) {
|
|
304
|
+
const currentMajor = KNOWN_CURRENT_MAJORS[name];
|
|
305
|
+
if (currentMajor === undefined)
|
|
306
|
+
return null;
|
|
307
|
+
// Extract the major version from the specifier
|
|
308
|
+
const match = versionSpec.match(/(\d+)/);
|
|
309
|
+
if (!match)
|
|
310
|
+
return null;
|
|
311
|
+
const installedMajor = parseInt(match[1], 10);
|
|
312
|
+
const majorsBehind = currentMajor - installedMajor;
|
|
313
|
+
// Only flag if 3+ major versions behind (likely > 3 years old)
|
|
314
|
+
if (majorsBehind >= 3) {
|
|
315
|
+
return {
|
|
316
|
+
description: `Dependency "${name}@${versionSpec}" is ${majorsBehind} major versions behind the current release (v${currentMajor}). Very old versions often have unpatched security vulnerabilities.`,
|
|
317
|
+
fix: `Update "${name}" to a recent version (current major: v${currentMajor}). Review the changelog for breaking changes before upgrading.`,
|
|
318
|
+
};
|
|
319
|
+
}
|
|
320
|
+
return null;
|
|
321
|
+
}
|
|
322
|
+
// ── Main scanner ──
|
|
323
|
+
export async function scanDependencies(targetPath) {
|
|
324
|
+
const packageJsonPath = join(targetPath, 'package.json');
|
|
325
|
+
const lockfilePath = join(targetPath, 'package-lock.json');
|
|
326
|
+
const pkgJson = await readJsonFile(packageJsonPath);
|
|
327
|
+
if (!pkgJson) {
|
|
328
|
+
// No package.json — nothing to scan
|
|
329
|
+
return [];
|
|
330
|
+
}
|
|
331
|
+
const allDeps = {
|
|
332
|
+
...pkgJson.dependencies,
|
|
333
|
+
...pkgJson.devDependencies,
|
|
334
|
+
};
|
|
335
|
+
if (Object.keys(allDeps).length === 0) {
|
|
336
|
+
return [];
|
|
337
|
+
}
|
|
338
|
+
const lockData = await readJsonFile(lockfilePath);
|
|
339
|
+
// Run local checks (always works, even offline)
|
|
340
|
+
const localFindings = runLocalChecks(pkgJson, lockData, 'package.json');
|
|
341
|
+
// Attempt npm audit API call for known CVEs
|
|
342
|
+
const auditResponse = await callNpmAudit(pkgJson, lockData);
|
|
343
|
+
const auditFindings = [];
|
|
344
|
+
if (auditResponse?.advisories) {
|
|
345
|
+
let auditIndex = 0;
|
|
346
|
+
for (const advisory of Object.values(auditResponse.advisories)) {
|
|
347
|
+
const severity = mapNpmSeverity(advisory.severity);
|
|
348
|
+
const cveList = advisory.cves && advisory.cves.length > 0
|
|
349
|
+
? ` (${advisory.cves.join(', ')})`
|
|
350
|
+
: '';
|
|
351
|
+
const affectedVersions = advisory.findings
|
|
352
|
+
?.map((f) => f.version)
|
|
353
|
+
.filter(Boolean)
|
|
354
|
+
.join(', ') || 'unknown';
|
|
355
|
+
const patchedInfo = advisory.patched_versions && advisory.patched_versions !== '<0.0.0'
|
|
356
|
+
? `Update to ${advisory.patched_versions}.`
|
|
357
|
+
: advisory.recommendation || 'No patched version available. Consider finding an alternative package.';
|
|
358
|
+
auditFindings.push({
|
|
359
|
+
id: `dep-vuln-${advisory.id}-${auditIndex++}`,
|
|
360
|
+
engine: 'pattern',
|
|
361
|
+
severity,
|
|
362
|
+
type: 'dependency-vulnerability',
|
|
363
|
+
file: 'package.json',
|
|
364
|
+
line: 0,
|
|
365
|
+
description: `${advisory.module_name}@${affectedVersions}: ${advisory.title}${cveList}. Vulnerable versions: ${advisory.vulnerable_versions}. See: ${advisory.url}`,
|
|
366
|
+
fix_suggestion: patchedInfo,
|
|
367
|
+
auto_fixable: false,
|
|
368
|
+
});
|
|
369
|
+
}
|
|
370
|
+
}
|
|
371
|
+
return [...auditFindings, ...localFindings];
|
|
372
|
+
}
|
|
373
|
+
// ── Summary helper ──
|
|
374
|
+
export async function getDependencySummary(targetPath) {
|
|
375
|
+
const findings = await scanDependencies(targetPath);
|
|
376
|
+
const summary = {
|
|
377
|
+
total: findings.length,
|
|
378
|
+
critical: 0,
|
|
379
|
+
high: 0,
|
|
380
|
+
moderate: 0,
|
|
381
|
+
low: 0,
|
|
382
|
+
};
|
|
383
|
+
for (const finding of findings) {
|
|
384
|
+
switch (finding.severity) {
|
|
385
|
+
case 'critical':
|
|
386
|
+
summary.critical++;
|
|
387
|
+
break;
|
|
388
|
+
case 'high':
|
|
389
|
+
summary.high++;
|
|
390
|
+
break;
|
|
391
|
+
case 'medium':
|
|
392
|
+
summary.moderate++;
|
|
393
|
+
break;
|
|
394
|
+
case 'low':
|
|
395
|
+
case 'info':
|
|
396
|
+
summary.low++;
|
|
397
|
+
break;
|
|
398
|
+
}
|
|
399
|
+
}
|
|
400
|
+
return summary;
|
|
401
|
+
}
|
|
402
|
+
//# sourceMappingURL=dependencies.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dependencies.js","sourceRoot":"","sources":["../../../../src/engines/builtin/dependencies.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EAAE,YAAY,EAAE,MAAM,kCAAkC,CAAC;AA2ChE,kBAAkB;AAElB,MAAM,gBAAgB,GAAG;IACvB,OAAO;IACP,SAAS;IACT,QAAQ;IACR,OAAO;IACP,QAAQ;IACR,OAAO;IACP,WAAW;IACX,MAAM;IACN,KAAK;IACL,SAAS;IACT,SAAS;IACT,YAAY;IACZ,KAAK;IACL,QAAQ;IACR,SAAS;IACT,MAAM;IACN,SAAS;IACT,MAAM;IACN,SAAS;IACT,QAAQ;IACR,MAAM;IACN,QAAQ;IACR,OAAO;IACP,UAAU;IACV,QAAQ;IACR,aAAa;IACb,SAAS;IACT,QAAQ;IACR,MAAM;IACN,QAAQ;IACR,cAAc;IACd,QAAQ;IACR,UAAU;IACV,WAAW;IACX,WAAW;IACX,OAAO;IACP,MAAM;IACN,UAAU;IACV,QAAQ;IACR,OAAO;IACP,WAAW;IACX,YAAY;CACb,CAAC;AAEF,MAAM,aAAa,GAAG,qDAAqD,CAAC;AAE5E,gBAAgB;AAEhB,SAAS,cAAc,CAAC,WAAmB;IACzC,QAAQ,WAAW,EAAE,CAAC;QACpB,KAAK,UAAU;YACb,OAAO,UAAU,CAAC;QACpB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB,KAAK,UAAU;YACb,OAAO,QAAQ,CAAC;QAClB,KAAK,KAAK;YACR,OAAO,KAAK,CAAC;QACf,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB;YACE,OAAO,QAAQ,CAAC;IACpB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,YAAY,CAAI,QAAgB;IAC7C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAClD,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAM,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CAAC,OAAe;IACxC,OAAO,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,EAAE,CAAC;AACnE,CAAC;AAED,SAAS,cAAc,CAAC,IAAY;IAClC,KAAK,MAAM,OAAO,IAAI,gBAAgB,EAAE,CAAC;QACvC,IAAI,IAAI,KAAK,OAAO;YAAE,SAAS;QAC/B,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;QACzE,IAAI,QAAQ,GAAG,CAAC,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;YAClC,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC;QACnD,CAAC;IACH,CAAC;IACD,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,SAAS,iBAAiB,CACxB,OAAoB,EACpB,QAAgC;IAEhC,MAAM,OAAO,GAA2B;QACtC,GAAG,OAAO,CAAC,YAAY;QACvB,GAAG,OAAO,CAAC,eAAe;KAC3B,CAAC;IAEF,iEAAiE;IACjE,MAAM,QAAQ,GAA2B,EAAE,CAAC;IAC5C,MAAM,YAAY,GAAwC,EAAE,CAAC;IAE7D,KAAK,MAAM,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QACxD,QAAQ,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC;QAE3B,gDAAgD;QAChD,IAAI,eAAe,GAAG,SAAS,CAAC;QAEhC,IAAI,QAAQ,EAAE,CAAC;YACb,6DAA6D;YAC7D,MAAM,YAAY,GAAG,QAAQ,CAAC,QAAQ,CAAC;YACvC,IAAI,YAAY,EAAE,CAAC;gBACjB,MAAM,SAAS,GACb,YAAY,CAAC,gBAAgB,IAAI,EAAE,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC;gBAC7D,IAAI,SAAS,EAAE,OAAO,EAAE,CAAC;oBACvB,eAAe,GAAG,SAAS,CAAC,OAAO,CAAC;gBACtC,CAAC;YACH,CAAC;YACD,wCAAwC;YACxC,MAAM,QAAQ,GAAG,QAAQ,CAAC,YAAY,CAAC;YACvC,IAAI,QAAQ,EAAE,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,CAAC;gBAC9B,eAAe,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC;YAC3C,CAAC;QACH,CAAC;QAED,oDAAoD;QACpD,MAAM,OAAO,GAAG,eAAe,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC;QAC5D,YAAY,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,OAAO,IAAI,OAAO,EAAE,CAAC;IACvD,CAAC;IAED,OAAO;QACL,IAAI,EAAE,OAAO,CAAC,IAAI,IAAI,SAAS;QAC/B,OAAO,EAAE,OAAO,CAAC,OAAO,IAAI,OAAO;QACnC,QAAQ;QACR,YAAY;KACb,CAAC;AACJ,CAAC;AAED,uBAAuB;AAEvB,KAAK,UAAU,YAAY,CACzB,OAAoB,EACpB,QAAgC;IAEhC,MAAM,OAAO,GAAG,iBAAiB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAErD,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE;YAC1C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;YAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;YAC7B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;SACpC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAqB,CAAC;IACrD,CAAC;IAAC,MAAM,CAAC;QACP,8DAA8D;QAC9D,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,oCAAoC;AAEpC,SAAS,cAAc,CACrB,OAAoB,EACpB,QAAgC,EAChC,eAAuB;IAEvB,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,OAAO,GAA2B;QACtC,GAAG,OAAO,CAAC,YAAY;QACvB,GAAG,OAAO,CAAC,eAAe;KAC3B,CAAC;IAEF,IAAI,YAAY,GAAG,CAAC,CAAC;IAErB,KAAK,MAAM,CAAC,IAAI,EAAE,WAAW,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1D,gCAAgC;QAChC,IAAI,iBAAiB,CAAC,WAAW,CAAC,EAAE,CAAC;YACnC,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,gBAAgB,YAAY,EAAE,EAAE;gBACpC,MAAM,EAAE,SAAS;gBACjB,QAAQ,EAAE,MAAM;gBAChB,IAAI,EAAE,6BAA6B;gBACnC,IAAI,EAAE,eAAe;gBACrB,IAAI,EAAE,CAAC;gBACP,WAAW,EAAE,eAAe,IAAI,4BAA4B,WAAW,0FAA0F;gBACjK,cAAc,EAAE,QAAQ,IAAI,8DAA8D,WAAW,IAAI;gBACzG,YAAY,EAAE,KAAK;aACpB,CAAC,CAAC;QACL,CAAC;QAED,gEAAgE;QAChE,IAAI,QAAQ,IAAI,CAAC,iBAAiB,CAAC,WAAW,CAAC,EAAE,CAAC;YAChD,MAAM,MAAM,GAAG,YAAY,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YAC5C,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,eAAe,YAAY,EAAE,EAAE;oBACnC,MAAM,EAAE,SAAS;oBACjB,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,oBAAoB;oBAC1B,IAAI,EAAE,eAAe;oBACrB,IAAI,EAAE,CAAC;oBACP,WAAW,EAAE,eAAe,IAAI,sJAAsJ;oBACtL,cAAc,EAAE,4DAA4D,IAAI,yBAAyB;oBACzG,YAAY,EAAE,KAAK;iBACpB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,kDAAkD;QAClD,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,cAAc,GAAG,qBAAqB,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;YAC7D,IAAI,cAAc,EAAE,CAAC;gBACnB,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,kBAAkB,YAAY,EAAE,EAAE;oBACtC,MAAM,EAAE,SAAS;oBACjB,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,uBAAuB;oBAC7B,IAAI,EAAE,eAAe;oBACrB,IAAI,EAAE,CAAC;oBACP,WAAW,EAAE,eAAe,IAAI,oBAAoB,cAAc,EAAE;oBACpE,cAAc,EAAE,+CAA+C,IAAI,uCAAuC;oBAC1G,YAAY,EAAE,KAAK;iBACpB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,yBAAyB;QACzB,MAAM,SAAS,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;QACvC,IAAI,SAAS,CAAC,WAAW,EAAE,CAAC;YAC1B,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,iBAAiB,YAAY,EAAE,EAAE;gBACrC,MAAM,EAAE,SAAS;gBACjB,QAAQ,EAAE,UAAU;gBACpB,IAAI,EAAE,sBAAsB;gBAC5B,IAAI,EAAE,eAAe;gBACrB,IAAI,EAAE,CAAC;gBACP,WAAW,EAAE,eAAe,IAAI,gDAAgD,SAAS,CAAC,SAAS,sEAAsE;gBACzK,cAAc,EAAE,gBAAgB,IAAI,4CAA4C,SAAS,CAAC,SAAS,4BAA4B;gBAC/H,YAAY,EAAE,KAAK;aACpB,CAAC,CAAC;QACL,CAAC;QAED,kFAAkF;QAClF,6DAA6D;QAC7D,MAAM,iBAAiB,GAAG,sBAAsB,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;QACpE,IAAI,iBAAiB,EAAE,CAAC;YACtB,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,gBAAgB,YAAY,EAAE,EAAE;gBACpC,MAAM,EAAE,SAAS;gBACjB,QAAQ,EAAE,KAAK;gBACf,IAAI,EAAE,qBAAqB;gBAC3B,IAAI,EAAE,eAAe;gBACrB,IAAI,EAAE,CAAC;gBACP,WAAW,EAAE,iBAAiB,CAAC,WAAW;gBAC1C,cAAc,EAAE,iBAAiB,CAAC,GAAG;gBACrC,YAAY,EAAE,KAAK;aACpB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,YAAY,CAAC,QAAyB,EAAE,IAAY;IAC3D,6CAA6C;IAC7C,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACtB,IACE,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,IAAI,EAAE,CAAC;YACzC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EACvB,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,+CAA+C;IAC/C,IAAI,QAAQ,CAAC,YAAY,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QAClC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,qBAAqB,CAC5B,QAAyB,EACzB,IAAY;IAEZ,IAAI,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACtB,MAAM,KAAK,GACT,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,IAAI,EAAE,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACvE,IAAI,KAAK,EAAE,UAAU,EAAE,CAAC;YACtB,OAAO,KAAK,CAAC,UAAU,CAAC;QAC1B,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,oBAAoB,GAA2B;IACnD,KAAK,EAAE,EAAE;IACT,OAAO,EAAE,CAAC;IACV,MAAM,EAAE,CAAC;IACT,KAAK,EAAE,CAAC;IACR,KAAK,EAAE,CAAC;IACR,SAAS,EAAE,EAAE;IACb,IAAI,EAAE,EAAE;IACR,GAAG,EAAE,CAAC;IACN,OAAO,EAAE,CAAC;IACV,UAAU,EAAE,CAAC;IACb,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,EAAE;IACR,MAAM,EAAE,CAAC;IACT,QAAQ,EAAE,CAAC;IACX,WAAW,EAAE,CAAC;IACd,OAAO,EAAE,CAAC;IACV,IAAI,EAAE,CAAC;IACP,OAAO,EAAE,CAAC;IACV,MAAM,EAAE,CAAC;IACT,MAAM,EAAE,CAAC;IACT,KAAK,EAAE,EAAE;IACT,OAAO,EAAE,CAAC;IACV,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;IACX,SAAS,EAAE,CAAC;IACZ,KAAK,EAAE,CAAC;IACR,QAAQ,EAAE,CAAC;IACX,KAAK,EAAE,CAAC;IACR,SAAS,EAAE,EAAE;IACb,UAAU,EAAE,CAAC;CACd,CAAC;AAEF,SAAS,sBAAsB,CAC7B,IAAY,EACZ,WAAmB;IAEnB,MAAM,YAAY,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;IAChD,IAAI,YAAY,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAE5C,+CAA+C;IAC/C,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACzC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IAExB,MAAM,cAAc,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC9C,MAAM,YAAY,GAAG,YAAY,GAAG,cAAc,CAAC;IAEnD,+DAA+D;IAC/D,IAAI,YAAY,IAAI,CAAC,EAAE,CAAC;QACtB,OAAO;YACL,WAAW,EAAE,eAAe,IAAI,IAAI,WAAW,QAAQ,YAAY,gDAAgD,YAAY,qEAAqE;YACpM,GAAG,EAAE,WAAW,IAAI,0CAA0C,YAAY,gEAAgE;SAC3I,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,qBAAqB;AAErB,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,UAAkB;IAElB,MAAM,eAAe,GAAG,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;IACzD,MAAM,YAAY,GAAG,IAAI,CAAC,UAAU,EAAE,mBAAmB,CAAC,CAAC;IAE3D,MAAM,OAAO,GAAG,MAAM,YAAY,CAAc,eAAe,CAAC,CAAC;IACjE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,oCAAoC;QACpC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,OAAO,GAAG;QACd,GAAG,OAAO,CAAC,YAAY;QACvB,GAAG,OAAO,CAAC,eAAe;KAC3B,CAAC;IACF,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtC,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAkB,YAAY,CAAC,CAAC;IAEnE,gDAAgD;IAChD,MAAM,aAAa,GAAG,cAAc,CAAC,OAAO,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC;IAExE,4CAA4C;IAC5C,MAAM,aAAa,GAAG,MAAM,YAAY,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC5D,MAAM,aAAa,GAAc,EAAE,CAAC;IAEpC,IAAI,aAAa,EAAE,UAAU,EAAE,CAAC;QAC9B,IAAI,UAAU,GAAG,CAAC,CAAC;QACnB,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,UAAU,CAAC,EAAE,CAAC;YAC/D,MAAM,QAAQ,GAAG,cAAc,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACnD,MAAM,OAAO,GACX,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC;gBACvC,CAAC,CAAC,KAAK,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;gBAClC,CAAC,CAAC,EAAE,CAAC;YAET,MAAM,gBAAgB,GACpB,QAAQ,CAAC,QAAQ;gBACf,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;iBACtB,MAAM,CAAC,OAAO,CAAC;iBACf,IAAI,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC;YAE7B,MAAM,WAAW,GACf,QAAQ,CAAC,gBAAgB,IAAI,QAAQ,CAAC,gBAAgB,KAAK,QAAQ;gBACjE,CAAC,CAAC,aAAa,QAAQ,CAAC,gBAAgB,GAAG;gBAC3C,CAAC,CAAC,QAAQ,CAAC,cAAc,IAAI,wEAAwE,CAAC;YAE1G,aAAa,CAAC,IAAI,CAAC;gBACjB,EAAE,EAAE,YAAY,QAAQ,CAAC,EAAE,IAAI,UAAU,EAAE,EAAE;gBAC7C,MAAM,EAAE,SAAS;gBACjB,QAAQ;gBACR,IAAI,EAAE,0BAA0B;gBAChC,IAAI,EAAE,cAAc;gBACpB,IAAI,EAAE,CAAC;gBACP,WAAW,EAAE,GAAG,QAAQ,CAAC,WAAW,IAAI,gBAAgB,KAAK,QAAQ,CAAC,KAAK,GAAG,OAAO,0BAA0B,QAAQ,CAAC,mBAAmB,UAAU,QAAQ,CAAC,GAAG,EAAE;gBACnK,cAAc,EAAE,WAAW;gBAC3B,YAAY,EAAE,KAAK;aACpB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,aAAa,EAAE,GAAG,aAAa,CAAC,CAAC;AAC9C,CAAC;AAED,uBAAuB;AAEvB,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,UAAkB;IAElB,MAAM,QAAQ,GAAG,MAAM,gBAAgB,CAAC,UAAU,CAAC,CAAC;IAEpD,MAAM,OAAO,GAA2B;QACtC,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,QAAQ,EAAE,CAAC;QACX,IAAI,EAAE,CAAC;QACP,QAAQ,EAAE,CAAC;QACX,GAAG,EAAE,CAAC;KACP,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,QAAQ,OAAO,CAAC,QAAQ,EAAE,CAAC;YACzB,KAAK,UAAU;gBACb,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACnB,MAAM;YACR,KAAK,MAAM;gBACT,OAAO,CAAC,IAAI,EAAE,CAAC;gBACf,MAAM;YACR,KAAK,QAAQ;gBACX,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACnB,MAAM;YACR,KAAK,KAAK,CAAC;YACX,KAAK,MAAM;gBACT,OAAO,CAAC,GAAG,EAAE,CAAC;gBACd,MAAM;QACV,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* ShipSafe Built-in Vulnerability Pattern Scanner
|
|
3
|
+
*
|
|
4
|
+
* Pure TypeScript, zero external dependencies.
|
|
5
|
+
* Detects code-level vulnerabilities across TypeScript, JavaScript, and Python files.
|
|
6
|
+
*/
|
|
7
|
+
import type { Finding } from '../../types.js';
|
|
8
|
+
/**
|
|
9
|
+
* Scan files at targetPath for vulnerability patterns.
|
|
10
|
+
*
|
|
11
|
+
* @param targetPath - Directory or file path to scan.
|
|
12
|
+
* @param files - Optional pre-supplied list of file paths (skips discovery).
|
|
13
|
+
* @returns Array of findings sorted by severity (critical first).
|
|
14
|
+
*/
|
|
15
|
+
export declare function scanPatterns(targetPath: string, files?: string[]): Promise<Finding[]>;
|
|
16
|
+
/**
|
|
17
|
+
* Returns the total number of vulnerability detection rules.
|
|
18
|
+
*/
|
|
19
|
+
export declare function getPatternRuleCount(): number;
|
|
20
|
+
//# sourceMappingURL=patterns.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../../src/engines/builtin/patterns.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,OAAO,EAAY,MAAM,gBAAgB,CAAC;AA6lCxD;;;;;;GAMG;AACH,wBAAsB,YAAY,CAChC,UAAU,EAAE,MAAM,EAClB,KAAK,CAAC,EAAE,MAAM,EAAE,GACf,OAAO,CAAC,OAAO,EAAE,CAAC,CA8BpB;AAED;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,MAAM,CAE5C"}
|