@snovon/solast 0.2.0

package/dist/parallel-scan.d.ts

@@ -0,0 +1,66 @@
+/**
+ * Worker-pool dispatcher for SolAST's file scan.
+ *
+ * The synchronous `scanFiles` walks ~100+ detectors against every file
+ * on a single thread. `scanFilesParallel` shards a file list across
+ * `worker_threads` Workers, each of which calls the same `scanFiles`
+ * on its slice. The async public surface is intentional: Node has no
+ * non-hacky way to wait synchronously for parallel workers, and the
+ * existing CLI is already comfortable with async (see
+ * `runAddressScanCommand` in `src/cli.ts`).
+ *
+ * Design choices:
+ *
+ *   - **Opt-in, gated by a threshold.** Worker startup costs ~hundreds
+ *     of ms because each Worker imports the solast module and
+ *     constructs the detector registry. For small file sets the
+ *     overhead exceeds the parallelism win, so callers explicitly
+ *     pass `workerCount > 0` and we additionally insist on
+ *     `files.length >= MIN_FILES_PER_WORKER * workerCount` before
+ *     splitting at all.
+ *   - **Round-robin slicing.** Files are interleaved across workers
+ *     instead of contiguous chunks. Real-world contract directories
+ *     tend to have heavy files clustered (deep dependency trees in
+ *     one folder, leaf libraries in another). Round-robin spreads
+ *     the heavy ones across workers.
+ *   - **Deterministic output ordering.** Each finding carries the
+ *     index of its source file in the original list; after merging
+ *     we sort by that index then by line, restoring exactly the
+ *     order the sync path would have produced.
+ *   - **Failure propagation.** A worker that throws bubbles its
+ *     error up; the dispatcher rejects the returned Promise after
+ *     terminating any still-running siblings.
+ */
+import { ScanOptions, ScanResult } from './index';
+export declare const DEFAULT_MIN_FILES_PER_WORKER = 8;
+export interface ParallelScanOptions extends ScanOptions {
+    /**
+     * Maximum number of worker threads to use. The actual count is
+     * clamped to `[1, files.length]` and to a safety cap of 32 to keep
+     * memory predictable. When unset or `<= 1`, the call falls through
+     * to the synchronous `scanFiles` path.
+     */
+    workerCount?: number;
+    /**
+     * Minimum files per worker before the work is parallelised.
+     * Defaults to `DEFAULT_MIN_FILES_PER_WORKER`. With fewer than
+     * `workerCount * minFilesPerWorker` files the call falls through
+     * to the synchronous path so we never pay worker startup for a
+     * trivial scan.
+     */
+    minFilesPerWorker?: number;
+}
+export declare function shouldUseWorkers(fileCount: number, options: ParallelScanOptions): boolean;
+/**
+ * Run an SolAST scan over `files` using a worker_threads pool.
+ * Falls through to the synchronous `scanFiles` when the file count is
+ * below the parallelism threshold so the call site doesn't have to
+ * special-case small scans.
+ */
+export declare function scanFilesParallel(files: string[], options?: ParallelScanOptions): Promise<ScanResult[]>;
+/**
+ * Convenience helper for the CLI: pick a sensible worker count given
+ * a user request and the host CPU. Returns `0` when workers should be
+ * skipped entirely (the request was zero, negative, or NaN).
+ */
+export declare function resolveWorkerCount(requested: number | undefined): number;

package/dist/parallel-scan.js

@@ -0,0 +1,227 @@
+"use strict";
+/**
+ * Worker-pool dispatcher for SolAST's file scan.
+ *
+ * The synchronous `scanFiles` walks ~100+ detectors against every file
+ * on a single thread. `scanFilesParallel` shards a file list across
+ * `worker_threads` Workers, each of which calls the same `scanFiles`
+ * on its slice. The async public surface is intentional: Node has no
+ * non-hacky way to wait synchronously for parallel workers, and the
+ * existing CLI is already comfortable with async (see
+ * `runAddressScanCommand` in `src/cli.ts`).
+ *
+ * Design choices:
+ *
+ *   - **Opt-in, gated by a threshold.** Worker startup costs ~hundreds
+ *     of ms because each Worker imports the solast module and
+ *     constructs the detector registry. For small file sets the
+ *     overhead exceeds the parallelism win, so callers explicitly
+ *     pass `workerCount > 0` and we additionally insist on
+ *     `files.length >= MIN_FILES_PER_WORKER * workerCount` before
+ *     splitting at all.
+ *   - **Round-robin slicing.** Files are interleaved across workers
+ *     instead of contiguous chunks. Real-world contract directories
+ *     tend to have heavy files clustered (deep dependency trees in
+ *     one folder, leaf libraries in another). Round-robin spreads
+ *     the heavy ones across workers.
+ *   - **Deterministic output ordering.** Each finding carries the
+ *     index of its source file in the original list; after merging
+ *     we sort by that index then by line, restoring exactly the
+ *     order the sync path would have produced.
+ *   - **Failure propagation.** A worker that throws bubbles its
+ *     error up; the dispatcher rejects the returned Promise after
+ *     terminating any still-running siblings.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_MIN_FILES_PER_WORKER = void 0;
+exports.shouldUseWorkers = shouldUseWorkers;
+exports.scanFilesParallel = scanFilesParallel;
+exports.resolveWorkerCount = resolveWorkerCount;
+const os = __importStar(require("os"));
+const path = __importStar(require("path"));
+const worker_threads_1 = require("worker_threads");
+const index_1 = require("./index");
+const findings_1 = require("./dedup/findings");
+const files_1 = require("./dedup/files");
+exports.DEFAULT_MIN_FILES_PER_WORKER = 8;
+function shouldUseWorkers(fileCount, options) {
+    const requested = options.workerCount ?? 0;
+    if (requested <= 1)
+        return false;
+    const minPerWorker = options.minFilesPerWorker ?? exports.DEFAULT_MIN_FILES_PER_WORKER;
+    return fileCount >= requested * minPerWorker;
+}
+function effectiveWorkerCount(fileCount, requested) {
+    return Math.max(1, Math.min(fileCount, requested, 32));
+}
+function sliceRoundRobin(items, slices) {
+    const out = Array.from({ length: slices }, () => []);
+    for (let i = 0; i < items.length; i++)
+        out[i % slices].push(items[i]);
+    return out;
+}
+/**
+ * Run an SolAST scan over `files` using a worker_threads pool.
+ * Falls through to the synchronous `scanFiles` when the file count is
+ * below the parallelism threshold so the call site doesn't have to
+ * special-case small scans.
+ */
+async function scanFilesParallel(files, options = {}) {
+    files = (0, files_1.deduplicateFilesByContent)(files);
+    if (!shouldUseWorkers(files.length, options)) {
+        // Strip parallel-only options before delegating to keep the sync
+        // path's contract clean.
+        const { workerCount: _wc, minFilesPerWorker: _mfp, ...rest } = options;
+        return (0, index_1.scanFiles)(files, rest);
+    }
+    const requested = options.workerCount ?? 0;
+    const workerCount = effectiveWorkerCount(files.length, requested);
+    const batches = sliceRoundRobin(files, workerCount);
+    // Pass only the ScanOptions fields the worker understands. Extra
+    // ParallelScanOptions fields (workerCount, minFilesPerWorker) are
+    // intentionally not forwarded.
+    const workerScanOptions = {};
+    if (options.rules)
+        workerScanOptions.rules = options.rules;
+    if (options.enabledRules)
+        workerScanOptions.enabledRules = options.enabledRules;
+    if (options.solcVersion)
+        workerScanOptions.solcVersion = options.solcVersion;
+    if (options.ignorePatterns)
+        workerScanOptions.ignorePatterns = options.ignorePatterns;
+    if (options.tier)
+        workerScanOptions.tier = options.tier;
+    // detectorOptions carries per-detector config from `.solast.yml`
+    // (e.g. custom Vortex bracket names). It is plain YAML-derived data,
+    // so it survives the worker `postMessage` boundary as-is. Without
+    // this line a `--workers` scan silently runs detectors with their
+    // defaults while the synchronous path honours the config.
+    if (options.detectorOptions)
+        workerScanOptions.detectorOptions = options.detectorOptions;
+    const workerScript = path.join(__dirname, 'scan-worker.js');
+    const workers = [];
+    const pending = [];
+    for (let i = 0; i < batches.length; i++) {
+        const batch = batches[i];
+        const worker = new worker_threads_1.Worker(workerScript, {
+            workerData: { options: workerScanOptions },
+        });
+        workers.push(worker);
+        pending.push(new Promise((resolve, reject) => {
+            worker.once('message', (msg) => {
+                if (msg.type === 'result' && msg.batchId === i) {
+                    if (msg.sourceSuppressionDiagnostics && msg.sourceSuppressionDiagnostics.length > 0) {
+                        msg.findings._sourceSuppressionDiagnostics = msg.sourceSuppressionDiagnostics;
+                    }
+                    resolve(msg.findings);
+                }
+                else if (msg.type === 'error' && msg.batchId === i) {
+                    const err = new Error(`scan worker ${i} failed: ${msg.message}`);
+                    if (msg.stack)
+                        err.workerStack = msg.stack;
+                    reject(err);
+                }
+                else {
+                    reject(new Error(`unexpected message from scan worker ${i}: ${msg.type}`));
+                }
+            });
+            worker.once('error', reject);
+            worker.once('exit', code => {
+                if (code !== 0)
+                    reject(new Error(`scan worker ${i} exited with code ${code}`));
+            });
+            worker.postMessage({ type: 'scan', batchId: i, files: batch });
+        }));
+    }
+    let perBatchFindings;
+    try {
+        perBatchFindings = await Promise.all(pending);
+    }
+    finally {
+        for (const worker of workers) {
+            worker.postMessage({ type: 'shutdown' });
+            // terminate() is idempotent and forces shutdown if the worker
+            // ignores our shutdown message for any reason.
+            worker.terminate().catch(() => undefined);
+        }
+    }
+    // Reassemble in original file order. Each finding identifies its
+    // source file via `finding.file`, so an indexOf lookup against the
+    // original list is enough — and avoids needing the worker to echo
+    // a per-finding original index back.
+    const fileOrder = new Map();
+    for (let i = 0; i < files.length; i++)
+        fileOrder.set(files[i], i);
+    const merged = perBatchFindings.flat();
+    const sourceSuppressionDiagnostics = perBatchFindings.flatMap(findings => findings._sourceSuppressionDiagnostics ?? []);
+    merged.sort((a, b) => {
+        const orderA = fileOrder.get(a.file) ?? Number.MAX_SAFE_INTEGER;
+        const orderB = fileOrder.get(b.file) ?? Number.MAX_SAFE_INTEGER;
+        if (orderA !== orderB)
+            return orderA - orderB;
+        if ((a.line || 0) !== (b.line || 0))
+            return (a.line || 0) - (b.line || 0);
+        return (a.ruleId || '').localeCompare(b.ruleId || '');
+    });
+    if (options.dedup && merged.length > 0) {
+        const { findings: deduped, rawCount, uniqueCount } = (0, findings_1.dedupFindings)(merged);
+        deduped._dedup = { rawCount, uniqueCount };
+        if (sourceSuppressionDiagnostics.length > 0) {
+            deduped._sourceSuppressionDiagnostics = sourceSuppressionDiagnostics;
+        }
+        return deduped;
+    }
+    if (sourceSuppressionDiagnostics.length > 0) {
+        merged._sourceSuppressionDiagnostics = sourceSuppressionDiagnostics;
+    }
+    return merged;
+}
+/**
+ * Convenience helper for the CLI: pick a sensible worker count given
+ * a user request and the host CPU. Returns `0` when workers should be
+ * skipped entirely (the request was zero, negative, or NaN).
+ */
+function resolveWorkerCount(requested) {
+    if (requested === undefined)
+        return 0;
+    if (!Number.isFinite(requested) || requested <= 0)
+        return 0;
+    const cpus = typeof os.availableParallelism === 'function'
+        ? os.availableParallelism()
+        : Math.max(1, (os.cpus() || []).length || 1);
+    return Math.max(1, Math.min(Math.floor(requested), cpus, 32));
+}
+//# sourceMappingURL=parallel-scan.js.map

package/dist/registry.d.ts

@@ -0,0 +1,17 @@
+import { DetectorRegistry } from './detectors/registry-engine';
+/**
+ * Build the default registry by auto-discovering every detector class.
+ *
+ * Each src/detectors/*.ts file exports a `*Detector` class that self-declares its id
+ * and supportedAstKinds. We glob the compiled detector directory, instantiate each such
+ * class, and register it — skipping the EXPLICIT (registered below) and UNREGISTERED
+ * (curated-out) sets.
+ *
+ * Registration order is not significant: dedup picks its surviving finding by a
+ * deterministic severity/confidence/findingId sort, and scan output is location-sorted —
+ * so the id-sort below is purely for stable iteration.
+ */
+export declare function createDefaultDetectorRegistry(options?: {
+    profile?: boolean;
+    detectorOptions?: Record<string, any>;
+}): DetectorRegistry;

package/dist/registry.js

@@ -0,0 +1,118 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createDefaultDetectorRegistry = createDefaultDetectorRegistry;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const registry_engine_1 = require("./detectors/registry-engine");
+// Four detectors need non-standard construction (a constructor argument, or a
+// registry-assigned id/patternKey/supportedAstKinds the class does not self-declare),
+// so they are registered explicitly below and skipped by the auto-discovery loop.
+const vortex_interaction_guard_1 = require("./detectors/vortex-interaction-guard");
+const protocol_reentrancy_1 = require("./detectors/protocol-reentrancy");
+const readonly_reentrancy_1 = require("./detectors/readonly-reentrancy");
+const v4_hook_reentrancy_1 = require("./detectors/v4-hook-reentrancy");
+const EXPLICIT = new Set([
+    'VortexInteractionGuardDetector',
+    'ProtocolReentrancyDetector',
+    'ReadOnlyReentrancyDetector',
+    'V4HookReentrancyDetector',
+]);
+// Detector classes that exist as files but are intentionally NOT registered — kept as
+// reference implementations (e.g. they do not declare supportedAstKinds). This short,
+// explicit list is the curation that the old hand-written import list used to encode.
+const UNREGISTERED = new Set([
+    'HalbornSecurityReportAaveV3Detector',
+    'ProjectInstantRewardsUnlockedDetector',
+    'BusinessLogicDetector', // third unauthorized-transferfrom variant; original registers only the other two
+]);
+/**
+ * Build the default registry by auto-discovering every detector class.
+ *
+ * Each src/detectors/*.ts file exports a `*Detector` class that self-declares its id
+ * and supportedAstKinds. We glob the compiled detector directory, instantiate each such
+ * class, and register it — skipping the EXPLICIT (registered below) and UNREGISTERED
+ * (curated-out) sets.
+ *
+ * Registration order is not significant: dedup picks its surviving finding by a
+ * deterministic severity/confidence/findingId sort, and scan output is location-sorted —
+ * so the id-sort below is purely for stable iteration.
+ */
+function createDefaultDetectorRegistry(options = {}) {
+    const registry = new registry_engine_1.DetectorRegistry(options);
+    const dir = path.join(__dirname, 'detectors');
+    const discovered = [];
+    for (const file of fs.readdirSync(dir)) {
+        if (!file.endsWith('.js') || file === 'types.js' || file === 'registry-engine.js')
+            continue;
+        const mod = require(path.join(dir, file));
+        for (const exportName of Object.keys(mod)) {
+            if (!exportName.endsWith('Detector') || EXPLICIT.has(exportName) || UNREGISTERED.has(exportName))
+                continue;
+            const Ctor = mod[exportName];
+            if (typeof Ctor !== 'function')
+                continue;
+            let instance;
+            try {
+                instance = new Ctor();
+            }
+            catch (e) {
+                // A detector whose constructor throws would otherwise vanish from
+                // the registry with no trace — make the drop loud so a regression
+                // in one of 300+ files can't silently disable a rule.
+                process.stderr.write(`warning: detector class ${exportName} (${file}) failed to construct and was skipped: `
+                    + `${e instanceof Error ? e.message : String(e)}\n`);
+                continue;
+            }
+            if (instance && typeof instance.id === 'string')
+                discovered.push(instance);
+        }
+    }
+    discovered.sort((a, b) => a.id.localeCompare(b.id));
+    for (const detector of discovered)
+        registry.register(detector);
+    registry.register(new vortex_interaction_guard_1.VortexInteractionGuardDetector(options.detectorOptions?.['vortex-interaction-guard']));
+    registry.register(Object.assign(new protocol_reentrancy_1.ProtocolReentrancyDetector(), {
+        id: 'protocol-reentrancy', patternKey: 'protocol-reentrancy', supportedAstKinds: ['parser'],
+    }));
+    registry.register(Object.assign(new readonly_reentrancy_1.ReadOnlyReentrancyDetector(), {
+        id: 'read-only-reentrancy', patternKey: 'read-only-reentrancy', supportedAstKinds: ['parser'],
+    }));
+    registry.register(Object.assign(new v4_hook_reentrancy_1.V4HookReentrancyDetector(), {
+        id: 'v4-hook-reentrancy', patternKey: 'v4-hook-reentrancy', supportedAstKinds: ['parser'],
+    }));
+    return registry;
+}
+//# sourceMappingURL=registry.js.map

package/dist/rules/glob.d.ts

@@ -0,0 +1,5 @@
+export declare class GlobPatternError extends Error {
+    constructor(message: string);
+}
+export declare function validateGlobPattern(pattern: string): string;
+export declare function matchesRuleGlob(ruleId: string, pattern: string): boolean;

package/dist/rules/glob.js

@@ -0,0 +1,76 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GlobPatternError = void 0;
+exports.validateGlobPattern = validateGlobPattern;
+exports.matchesRuleGlob = matchesRuleGlob;
+class GlobPatternError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'GlobPatternError';
+    }
+}
+exports.GlobPatternError = GlobPatternError;
+function validateGlobPattern(pattern) {
+    const trimmed = pattern.trim();
+    if (!trimmed) {
+        throw new GlobPatternError('--ignore-pattern must not be empty');
+    }
+    compileRuleGlob(trimmed);
+    return trimmed;
+}
+function matchesRuleGlob(ruleId, pattern) {
+    return compileRuleGlob(pattern).test(ruleId);
+}
+function compileRuleGlob(pattern) {
+    let regex = '^';
+    for (let i = 0; i < pattern.length; i++) {
+        const ch = pattern[i];
+        if (ch === '*') {
+            regex += '.*';
+        }
+        else if (ch === '?') {
+            regex += '.';
+        }
+        else if (ch === '[') {
+            const end = findCharacterClassEnd(pattern, i + 1);
+            if (end === -1) {
+                throw new GlobPatternError(`malformed glob pattern ${JSON.stringify(pattern)}: unterminated character class`);
+            }
+            const body = pattern.slice(i + 1, end);
+            if (body.length === 0 || body === '!' || body === '^') {
+                throw new GlobPatternError(`malformed glob pattern ${JSON.stringify(pattern)}: empty character class`);
+            }
+            const negated = body[0] === '!' || body[0] === '^';
+            const classBody = negated ? body.slice(1) : body;
+            regex += `[${negated ? '^' : ''}${classBody.replace(/\\/g, '\\\\')}]`;
+            i = end;
+        }
+        else if (ch === '\\') {
+            if (i === pattern.length - 1) {
+                throw new GlobPatternError(`malformed glob pattern ${JSON.stringify(pattern)}: trailing escape`);
+            }
+            regex += escapeRegExp(pattern[++i]);
+        }
+        else {
+            regex += escapeRegExp(ch);
+        }
+    }
+    regex += '$';
+    try {
+        return new RegExp(regex);
+    }
+    catch (e) {
+        throw new GlobPatternError(`malformed glob pattern ${JSON.stringify(pattern)}: ${e instanceof Error ? e.message : String(e)}`);
+    }
+}
+function findCharacterClassEnd(pattern, start) {
+    for (let i = start; i < pattern.length; i++) {
+        if (pattern[i] === ']')
+            return i;
+    }
+    return -1;
+}
+function escapeRegExp(value) {
+    return value.replace(/[|\\{}()[\]^$+?.]/g, '\\$&');
+}
+//# sourceMappingURL=glob.js.map

package/dist/rules/suppressions.d.ts

@@ -0,0 +1,23 @@
+import type { ScanResult } from '../api';
+type SourceSuppression = {
+    kind: 'all';
+} | {
+    kind: 'rules';
+    ruleIds: Set<string>;
+};
+export interface SourceSuppressionDiagnostic {
+    file: string;
+    line: number;
+    ruleId: string;
+    message: string;
+}
+export interface SourceSuppressionResult {
+    findings: ScanResult[];
+    diagnostics: SourceSuppressionDiagnostic[];
+}
+export declare function applySourceSuppressions(findings: ScanResult[], file: string, sourceText: string | undefined, validRuleIds: ReadonlySet<string>): SourceSuppressionResult;
+export declare function parseSourceSuppressions(file: string, sourceText: string, validRuleIds: ReadonlySet<string>): {
+    suppressions: Map<number, SourceSuppression>;
+    diagnostics: SourceSuppressionDiagnostic[];
+};
+export {};

package/dist/rules/suppressions.js

@@ -0,0 +1,136 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.applySourceSuppressions = applySourceSuppressions;
+exports.parseSourceSuppressions = parseSourceSuppressions;
+const DIRECTIVE = 'solast-disable-next-line';
+function applySourceSuppressions(findings, file, sourceText, validRuleIds) {
+    if (!sourceText) {
+        return { findings, diagnostics: [] };
+    }
+    const { suppressions, diagnostics } = parseSourceSuppressions(file, sourceText, validRuleIds);
+    if (suppressions.size === 0)
+        return { findings, diagnostics };
+    return {
+        findings: findings.filter(finding => !isSuppressed(finding, suppressions)),
+        diagnostics,
+    };
+}
+function parseSourceSuppressions(file, sourceText, validRuleIds) {
+    const suppressions = new Map();
+    const diagnostics = [];
+    const lines = sourceText.split(/\r?\n/);
+    let inBlockComment = false;
+    for (let i = 0; i < lines.length; i++) {
+        const scan = findLineCommentStart(lines[i], inBlockComment);
+        inBlockComment = scan.inBlockComment;
+        if (scan.commentStart < 0)
+            continue;
+        const comment = lines[i].slice(scan.commentStart + 2).trim();
+        if (!comment.startsWith(DIRECTIVE))
+            continue;
+        const next = comment.charAt(DIRECTIVE.length);
+        if (next && !/\s/.test(next))
+            continue;
+        const targetLine = nextNonBlankLine(lines, i + 1);
+        if (targetLine === undefined)
+            continue;
+        const scopeText = stripTrailingLineComment(comment.slice(DIRECTIVE.length)).trim();
+        if (!scopeText) {
+            mergeSuppression(suppressions, targetLine, { kind: 'all' });
+            continue;
+        }
+        const knownRuleIds = new Set();
+        for (const ruleId of parseScopedRuleIds(scopeText)) {
+            if (validRuleIds.has(ruleId)) {
+                knownRuleIds.add(ruleId);
+            }
+            else {
+                diagnostics.push({
+                    file,
+                    line: i + 1,
+                    ruleId,
+                    message: `warning: ${file}:${i + 1} solast-disable-next-line references unknown rule id '${ruleId}'`,
+                });
+            }
+        }
+        mergeSuppression(suppressions, targetLine, { kind: 'rules', ruleIds: knownRuleIds });
+    }
+    return { suppressions, diagnostics };
+}
+function isSuppressed(finding, suppressions) {
+    if (!Number.isFinite(finding.line) || finding.line <= 0)
+        return false;
+    const suppression = suppressions.get(finding.line);
+    if (!suppression)
+        return false;
+    if (suppression.kind === 'all')
+        return true;
+    return suppression.ruleIds.has(finding.ruleId);
+}
+function nextNonBlankLine(lines, startIndex) {
+    for (let i = startIndex; i < lines.length; i++) {
+        if (lines[i].trim().length > 0)
+            return i + 1;
+    }
+    return undefined;
+}
+function parseScopedRuleIds(scopeText) {
+    const ids = [];
+    for (const part of scopeText.split(',')) {
+        const token = part.trim().split(/\s+/)[0];
+        if (token)
+            ids.push(token);
+    }
+    return ids;
+}
+function stripTrailingLineComment(text) {
+    const nestedComment = text.indexOf('//');
+    return nestedComment >= 0 ? text.slice(0, nestedComment) : text;
+}
+function mergeSuppression(suppressions, line, next) {
+    const existing = suppressions.get(line);
+    if (!existing || existing.kind === 'all' || next.kind === 'all') {
+        suppressions.set(line, existing?.kind === 'all' ? existing : next);
+        return;
+    }
+    for (const ruleId of next.ruleIds)
+        existing.ruleIds.add(ruleId);
+}
+function findLineCommentStart(line, inBlockCommentAtStart) {
+    let inBlockComment = inBlockCommentAtStart;
+    let quote = null;
+    for (let i = 0; i < line.length; i++) {
+        const ch = line[i];
+        const next = line[i + 1];
+        if (quote) {
+            if (ch === '\\') {
+                i++;
+            }
+            else if (ch === quote) {
+                quote = null;
+            }
+            continue;
+        }
+        if (inBlockComment) {
+            if (ch === '*' && next === '/') {
+                inBlockComment = false;
+                i++;
+            }
+            continue;
+        }
+        if (ch === '"' || ch === "'") {
+            quote = ch;
+            continue;
+        }
+        if (ch === '/' && next === '*') {
+            inBlockComment = true;
+            i++;
+            continue;
+        }
+        if (ch === '/' && next === '/') {
+            return { commentStart: i, inBlockComment };
+        }
+    }
+    return { commentStart: -1, inBlockComment };
+}
+//# sourceMappingURL=suppressions.js.map