@sunchao116/mcp-audit 1.0.0

package/src/generateLock/test/workdir/package.json

@@ -0,0 +1 @@
+{"name":"my-site","version":"0.1.0","private":true,"scripts":{"serve":"vue-cli-service serve","build":"vue-cli-service build --modern","test:Pager":"vue serve ./src/components/Pager/test.vue","test:Avatar":"vue serve ./src/components/Avatar/test.vue","test:Icon":"vue serve ./src/components/Icon/test.vue","test:Empty":"vue serve ./src/components/Empty/test.vue","test:ImageLoader":"vue serve ./src/components/ImageLoader/test.vue","test:Contact":"vue serve ./src/components/SiteAside/Contact/test.vue","test:Menu":"vue serve ./src/components/SiteAside/Menu/test.vue","test:SiteAside":"vue serve ./src/components/SiteAside/test.vue","test:Layout":"vue serve ./src/components/Layout/test.vue","test:RightList":"vue serve ./src/views/Blog/components/RightList-test.vue"},"dependencies":{"axios":"^0.21.0","core-js":"^3.6.5","highlight.js":"^10.5.0","mockjs":"^1.1.0","nprogress":"^0.2.0","querystring":"^0.2.0","vue":"^2.6.11","vue-router":"^3.4.9","vuex":"^3.6.2"},"devDependencies":{"@vue/cli-plugin-babel":"~4.5.0","@vue/cli-service":"~4.5.0","less":"^3.0.4","less-loader":"^5.0.0","vue-template-compiler":"^2.6.11","webpack-bundle-analyzer":"^4.4.0"}}

package/src/main/index.js

@@ -0,0 +1,23 @@
+import { createWorkDir, deleteWorkDir } from '../workDir/index.js';
+import { parseProject } from '../parseProject/index.js';
+
+/**
+ * 对项目本身以及其所有直接和间接依赖进行安全审计
+ * @param {string} projectRoot 项目根目录，可以是本地项目的路径或远程项目的URL
+ */
+export async function auditProject(projectRoot) {
+  // 1. 创建工作目录
+  const workDir = await createWorkDir();
+  // 2. 解析项目的package.json文件
+  const packageJSON = await parseProject(projectRoot);
+  // 3. 在工作目录中写入
+  const depTree = await generateDepTree(packageJSON);
+  // 3. 解析依赖树，获取每个包的依赖关系
+  const parsedTree = await parseTree(depTree);
+  // 4. 创建审计任务
+  const tasks = createTasks(parsedTree);
+}
+
+auditProject(
+  '/Users/yuanjin/工作/课/录播课/付费课/60 天任务式学习/08. vue从入门到实战/案例/my-site'
+);

package/src/mcpServer.js

@@ -0,0 +1,43 @@
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { z } from 'zod';
+import { auditPackage } from './entry/index.js';
+
+const server = new McpServer({
+  name: 'audit-server',
+  title: '前端工程安全审计服务',
+  version: '0.1.0',
+});
+
+server.registerTool(
+  'auditPackage',
+  {
+    title: '审计前端工程',
+    description:
+      '审计前端工程的所有直接和间接依赖，得到安全审计结果。支持本地工程的审计，也支持远程仓库的审计。审计结果为标准格式的markdown字符串，不用修改，直接用于展示即可。',
+    inputSchema: {
+      projectRoot: z
+        .string()
+        .describe('本地工程的根路径，或者远程仓库的URL地址'),
+      savePath: z
+        .string()
+        .describe(
+          '保存审计结果的路径，传递当前工程的根路径下的工程明audit.md，如果没有当前工程，则传递桌面路径下的audit.md（注意，桌面路径必须传入绝对路径）'
+        ),
+    },
+  },
+  async ({ projectRoot, savePath }) => {
+    await auditPackage(projectRoot, savePath);
+    return {
+      content: [
+        {
+          type: 'text',
+          text: `审计完成，结果已保存到: ${savePath}`,
+        },
+      ],
+    };
+  }
+);
+
+const transport = new StdioServerTransport();
+server.connect(transport);

package/src/parseProject/index.js

@@ -0,0 +1,18 @@
+import { parseLocalProject } from './parseLocalProject.js';
+import { parseRemoteProject } from './parseRemoteProject.js';
+
+/**
+ * 解析工程根目录下的package.json文件
+ * @param {string} projectRoot 工程本地的根目录或远程仓库的URL
+ * @example
+ * parseProject('/path/to/local/project');
+ * parseProject('https://github.com/webpack/webpack');
+ * @returns {Promise<Object>} 返回解析后的package.json内容
+ * @throws {Error} 如果解析失败或文件不存在
+ */
+export function parseProject(projectRoot) {
+  if (projectRoot.startsWith('http://') || projectRoot.startsWith('https://')) {
+    return parseRemoteProject(projectRoot);
+  }
+  return parseLocalProject(projectRoot);
+}

package/src/parseProject/parseLocalProject.js

@@ -0,0 +1,8 @@
+import path from 'path';
+import fs from 'fs';
+
+export async function parseLocalProject(projectRoot) {
+  const packageJsonPath = path.join(projectRoot, 'package.json');
+  const json = await fs.promises.readFile(packageJsonPath, 'utf8');
+  return JSON.parse(json);
+}

package/src/parseProject/parseRemoteProject.js

@@ -0,0 +1,65 @@
+/**
+ * 解析 GitHub 仓库 URL，提取 owner、repo 和后续路径
+ * 支持格式：
+ *   - https://github.com/owner/repo
+ *   - https://github.com/owner/repo/tree/branch
+ *   - https://github.com/owner/repo/blame/...
+ *   等等
+ *
+ * @param {string} url - GitHub 仓库 URL
+ * @returns {Object} { owner, repo, path }
+ * @throws {Error} 如果 URL 格式不合法或无法解析
+ */
+function parseGithubUrl(url) {
+  try {
+    const parsedUrl = new URL(url);
+
+    // 确保是 github.com
+    if (parsedUrl.hostname !== 'github.com') {
+      throw new Error('Only github.com URLs are supported');
+    }
+
+    // 获取路径并去除空字符串（如开头的 /）
+    const parts = parsedUrl.pathname.split('/').filter(Boolean);
+
+    // 至少需要 owner 和 repo 两段
+    if (parts.length < 2) {
+      throw new Error(
+        'Invalid GitHub repository URL: insufficient path segments'
+      );
+    }
+
+    const owner = parts[0];
+    const repo = parts[1];
+    const restPath = parts.slice(2); // 剩余路径，如 ['tree', 'v5.2.2']
+
+    // 构造 path：如果有后续路径，则以 '/' 开头拼接；否则为空字符串
+    const path = restPath.length > 0 ? '/' + restPath.join('/') : '';
+
+    return { owner, repo, path };
+  } catch (error) {
+    if (error instanceof TypeError) {
+      throw new Error('Invalid URL: malformed or missing');
+    }
+    throw error;
+  }
+}
+
+async function getPackageJsonUrl(gitInfo) {
+  let { owner, repo, path } = gitInfo;
+  if (path.startsWith('/tree/')) {
+    const pathParts = path.split('/').filter(Boolean);
+    path = `tags/${pathParts[1]}`;
+  } else {
+    const url = `https://api.github.com/repos/${owner}/${repo}`;
+    const info = await fetch(url).then((resp) => resp.json());
+    path = `heads/${info.default_branch}`;
+  }
+  return `https://raw.githubusercontent.com/${owner}/${repo}/${path}/package.json`;
+}
+
+export async function parseRemoteProject(githubUrl) {
+  const gitInfo = parseGithubUrl(githubUrl);
+  const packgeJsonUrl = await getPackageJsonUrl(gitInfo);
+  return await fetch(packgeJsonUrl).then((resp) => resp.json());
+}

package/src/parseProject/test/test.js

@@ -0,0 +1,26 @@
+import { parseProject } from '../index.js';
+
+// 测试本地项目解析
+async function testLocalProject() {
+  const localProjectPath = '/Users/yuanjin/Desktop/mcp-audit';
+  try {
+    const packageJson = await parseProject(localProjectPath);
+    console.log('本地项目解析成功:', packageJson);
+  } catch (error) {
+    console.error('本地项目解析失败:', error);
+  }
+}
+
+// 测试远程项目解析
+async function testRemoteProject() {
+  const remoteProjectUrl = 'https://github.com/webpack/webpack';
+  try {
+    const packageJson = await parseProject(remoteProjectUrl);
+    console.log('远程项目解析成功:', packageJson);
+  } catch (error) {
+    console.error('远程项目解析失败:', error);
+  }
+}
+
+testLocalProject();
+testRemoteProject();

package/src/render/index.js

@@ -0,0 +1,24 @@
+import { renderMarkdown } from './markdown.js';
+
+const desc = {
+  severityLevels: {
+    low: '低危',
+    moderate: '中危',
+    high: '高危',
+    critical: '严重',
+  },
+};
+
+/**
+ * 讲auditResult渲染为markdown格式的字符串
+ * @param {object} auditResult 规范化的审计结果
+ * @param {object} packageJson 包的package.json内容
+ */
+export async function render(auditResult, packageJson) {
+  const data = {
+    audit: auditResult,
+    desc,
+    packageJson,
+  };
+  return await renderMarkdown(data);
+}

package/src/render/markdown.js

@@ -0,0 +1,17 @@
+import ejs from 'ejs';
+import { join } from 'path';
+import { getDirname } from '../common/utils.js';
+
+const templatePath = join(getDirname(import.meta.url), './template/index.ejs');
+
+export function renderMarkdown(data) {
+  return new Promise((resolve, reject) => {
+    ejs.renderFile(templatePath, data, (err, str) => {
+      if (err) {
+        reject(err);
+        return;
+      }
+      resolve(str);
+    });
+  });
+}

package/src/render/template/audit.ejs

@@ -0,0 +1,30 @@
+您所审计的工程总共有 **<%- audit.summary.total %>** 个风险漏洞。
+
+其中：
+
+- **<%- desc.severityLevels.critical %>漏洞**：共计 **<%- audit.summary.critical %>** 个
+- **<%- desc.severityLevels.high %>漏洞**：共计 **<%- audit.summary.high %>** 个
+- **<%- desc.severityLevels.moderate %>漏洞**：共计 **<%- audit.summary.moderate %>** 个
+- **<%- desc.severityLevels.low %>漏洞**：共计 **<%- audit.summary.low %>** 个
+
+> 说明：
+>
+> - **<%- desc.severityLevels.critical %>**漏洞被认为是极其严重的，应该立即修复。
+> - **<%- desc.severityLevels.high %>**漏洞被认为是严重的，应该尽快修复。
+> - **<%- desc.severityLevels.moderate %>**漏洞被认为是中等严重的，可以选择在时间允许时修复。
+> - **<%- desc.severityLevels.low %>**漏洞被认为是轻微的，可以根据自行需要进行修复。
+
+下面是漏洞的详细信息
+
+<% if (audit.summary.critical) { %>
+<%- include('./detail.ejs', {type:'critical'}); %>
+<% } %>
+<% if (audit.summary.high) { %>
+<%- include('./detail.ejs', {type:'high'}); %>
+<% } %>
+<% if (audit.summary.moderate) { %>
+<%- include('./detail.ejs', {type:'moderate'}); %>
+<% } %>
+<% if (audit.summary.low) { %>
+<%- include('./detail.ejs', {type:'low'}); %> 
+<% } %>

package/src/render/template/detail-item.ejs

@@ -0,0 +1,32 @@
+### `<%- item.name -%>`
+
+**漏洞描述**：
+<% item.problems.forEach((problem) => { %>
+- <%- problem.title %>
+  - npm漏洞编号：`<%- problem.source %>`
+  - 漏洞详细说明：<%- problem.url %>
+  - 漏洞等级：<%- desc.severityLevels[problem.severity] %>
+  - 受影响的版本：`<%- problem.range %>`
+<% }); %>
+
+**依赖关系**：
+<% if(item.depChains.length === 0) { %>
+<% if(item.name === packageJson.name) { %>
+当前工程
+<% } else { %>
+- `<%- packageJson.name %>` / <%- item.name %>
+<% } %>
+<% } else { %>
+<% item.depChains.forEach((chain) => { %>
+<% if(chain.length === 1 && chain[0] === packageJson.name) { %>
+当前工程
+<% } else { %>
+- `<%- packageJson.name %>` / <%- chain.map(c=>`\`${c}\``).join(' / ') %>
+<% } %>
+  <% }); %>
+  <% } %>
+
+**漏洞包所在目录**：
+<% item.nodes.forEach((path) => { %>
+- `<%- path %>`
+<% }); %>

package/src/render/template/detail.ejs

@@ -0,0 +1,7 @@
+## <%-desc.severityLevels[type] %>漏洞
+
+共计 **<%- audit.summary[type] %>** 个
+
+<% audit.vulnerabilities[type].forEach(function(item){ %>
+<%- include('./detail-item.ejs', {item: item}) %>
+<% }); %>

package/src/render/template/index.ejs

@@ -0,0 +1,8 @@
+# `<%- packageJson.name %>`审计结果
+
+<% if(audit.summary.total) { %>
+<%- include('./audit.ejs'); %>
+<% } %>
+<% if(audit.summary.total === 0) { %>
+你项目的所有直接依赖和间接依赖都没有发现任何风险漏洞。
+<% } %>

package/src/render/test/test-index.js

@@ -0,0 +1,27 @@
+import { render } from '../index.js';
+import { getDirname } from '../../common/utils.js';
+import { join } from 'path';
+import fs from 'fs';
+
+const workDir = join(getDirname(import.meta.url), './workdir');
+const auditResultJson = join(workDir, './auditResult.json');
+const indexJson = join(workDir, './index.md');
+const packageJsonPath = join(workDir, './package.json');
+const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
+const auditResult = JSON.parse(fs.readFileSync(auditResultJson, 'utf8'));
+const templatePath = join(getDirname(import.meta.url), '../template/index.ejs');
+async function test() {
+  const result = await render(auditResult, packageJson);
+  fs.writeFileSync(indexJson, result, 'utf8');
+  console.log('ok');
+}
+
+// 监听文件变化
+fs.watch(templatePath, (eventType) => {
+  if (eventType === 'change') {
+    console.log(`模板文件发生了变化，重新运行测试函数`);
+    test(); // 触发函数
+  }
+});
+
+console.log(`已开始监听文件: ${templatePath}`);