@sunchao116/mcp-audit 1.0.0

package/src/audit/test/workdir/package.json

@@ -0,0 +1 @@
+{"name":"my-site","version":"0.1.0","private":true,"scripts":{"serve":"vue-cli-service serve","build":"vue-cli-service build --modern","test:Pager":"vue serve ./src/components/Pager/test.vue","test:Avatar":"vue serve ./src/components/Avatar/test.vue","test:Icon":"vue serve ./src/components/Icon/test.vue","test:Empty":"vue serve ./src/components/Empty/test.vue","test:ImageLoader":"vue serve ./src/components/ImageLoader/test.vue","test:Contact":"vue serve ./src/components/SiteAside/Contact/test.vue","test:Menu":"vue serve ./src/components/SiteAside/Menu/test.vue","test:SiteAside":"vue serve ./src/components/SiteAside/test.vue","test:Layout":"vue serve ./src/components/Layout/test.vue","test:RightList":"vue serve ./src/views/Blog/components/RightList-test.vue"},"dependencies":{"axios":"^0.21.0","core-js":"^3.6.5","highlight.js":"^10.5.0","mockjs":"^1.1.0","nprogress":"^0.2.0","querystring":"^0.2.0","vue":"^2.6.11","vue-router":"^3.4.9","vuex":"^3.6.2"},"devDependencies":{"@vue/cli-plugin-babel":"~4.5.0","@vue/cli-service":"~4.5.0","less":"^3.0.4","less-loader":"^5.0.0","vue-template-compiler":"^2.6.11","webpack-bundle-analyzer":"^4.4.0"}}

package/src/audit/test/workdir/remote.json

@@ -0,0 +1,75 @@
+{
+  "actions": [
+    {
+      "isMajor": false,
+      "action": "install",
+      "resolves": [
+        {
+          "id": 1098366,
+          "path": "ejs",
+          "dev": false,
+          "optional": false,
+          "bundled": false
+        }
+      ],
+      "module": "ejs",
+      "target": "3.1.10"
+    }
+  ],
+  "advisories": {
+    "1098366": {
+      "findings": [
+        {
+          "version": "3.1.9",
+          "paths": [
+            "ejs"
+          ]
+        }
+      ],
+      "found_by": null,
+      "deleted": null,
+      "references": "- https://nvd.nist.gov/vuln/detail/CVE-2024-33883\n- https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5\n- https://github.com/mde/ejs/compare/v3.1.9...v3.1.10\n- https://security.netapp.com/advisory/ntap-20240605-0003\n- https://github.com/advisories/GHSA-ghr5-ch3p-vcr6",
+      "created": "2024-04-28T18:30:31.000Z",
+      "id": 1098366,
+      "npm_advisory_id": null,
+      "overview": "The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.",
+      "reported_by": null,
+      "title": "ejs lacks certain pollution protection",
+      "metadata": null,
+      "cves": [
+        "CVE-2024-33883"
+      ],
+      "access": "public",
+      "severity": "moderate",
+      "module_name": "ejs",
+      "vulnerable_versions": "<3.1.10",
+      "github_advisory_id": "GHSA-ghr5-ch3p-vcr6",
+      "recommendation": "Upgrade to version 3.1.10 or later",
+      "patched_versions": ">=3.1.10",
+      "updated": "2024-08-02T15:45:54.000Z",
+      "cvss": {
+        "score": 4,
+        "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+      },
+      "cwe": [
+        "CWE-693",
+        "CWE-1321"
+      ],
+      "url": "https://github.com/advisories/GHSA-ghr5-ch3p-vcr6"
+    }
+  },
+  "muted": [],
+  "metadata": {
+    "vulnerabilities": {
+      "info": 0,
+      "low": 0,
+      "moderate": 1,
+      "high": 0,
+      "critical": 0
+    },
+    "dependencies": 1,
+    "devDependencies": 0,
+    "optionalDependencies": 0,
+    "totalDependencies": 1
+  }
+}

package/src/common/utils.js

@@ -0,0 +1,35 @@
+import { fileURLToPath } from 'url';
+import { dirname } from 'path';
+import { exec } from 'child_process';
+import { promisify } from 'util';
+
+const execAsync = promisify(exec); // 将 exec 转换为返回 Promise 的函数
+
+export async function runCommand(cmd, cwd) {
+  try {
+    const stdout = await execAsync(cmd, {
+      cwd,
+      encoding: 'utf-8',
+      stdio: ['ignore', 'pipe', 'pipe'],
+    });
+    // 返回 audit 的 JSON 结果
+    return stdout.stdout.toString();
+  } catch (err) {
+    if (err.stdout) {
+      return err.stdout.toString();
+    }
+    throw err;
+  }
+}
+
+export function uniqueId() {
+  return Math.random().toString(36).substring(2, 15) + Date.now().toString(36);
+}
+
+export function getFilename(importMetaUrl) {
+  return fileURLToPath(importMetaUrl);
+}
+
+export function getDirname(importMetaUrl) {
+  return dirname(getFilename(importMetaUrl));
+}

package/src/entry/index.js

@@ -0,0 +1,28 @@
+import { createWorkDir, deleteWorkDir } from '../workDir/index.js';
+import { parseProject } from '../parseProject/index.js';
+import { generateLock } from '../generateLock/index.js';
+import { audit } from '../audit/index.js';
+import { render } from '../render/index.js';
+import fs from 'fs';
+
+/**
+ * 根据项目根目录，审计项目中所有的包（含项目本身）
+ * @param {string} projectRoot 项目根目录，可以是本地目录的绝对路径，也可以是远程仓库的URL
+ * @param {string} savePath 保存审计结果的文件名，审计结果是一个标准格式的markdown字符串
+ */
+export async function auditPackage(projectRoot, savePath) {
+  // 1. 创建工作目录
+  const workDir = await createWorkDir();
+  // 2. 解析项目，向工作目录添加pacakge.json
+  const packageJson = await parseProject(projectRoot);
+  // 3. 生成lock文件
+  await generateLock(workDir, packageJson);
+  // 4. 对工作目录进行审计
+  const auditResult = await audit(workDir, packageJson);
+  // 5. 渲染审计结果
+  const renderedResult = await render(auditResult, packageJson);
+  // 6. 删除工作目录
+  await deleteWorkDir(workDir);
+  // 7. 将结果保存到指定路径
+  await fs.promises.writeFile(savePath, renderedResult);
+}