npm - @vulcn/plugin-report - Versions diffs - 0.4.0 → 0.6.0 - Mend

@vulcn/plugin-report 0.4.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.cts CHANGED Viewed

@@ -1,5 +1,142 @@
 import { z } from 'zod';
-import { Session, RunResult, Finding, VulcnPlugin } from '@vulcn/engine';
+import { PayloadCategory, Session, RunResult, VulcnPlugin } from '@vulcn/engine';
+/**
+ * Vulcn Report Model
+ *
+ * The canonical data model from which all output formats (HTML, JSON,
+ * YAML, SARIF) are derived. This is the single source of truth for
+ * CWE mappings, severity scores, fingerprinting, risk computation,
+ * and passive analysis categorisation.
+ *
+ *   RunResult + Session
+ *          ↓
+ *     buildReport()
+ *          ↓
+ *     VulcnReport (canonical)
+ *          ↓
+ *   ┌──────┴──────────┬──────────┬──────────┐
+ *   HTML            JSON       YAML       SARIF
+ *
+ * Every output format is a projection of this model.
+ */
+interface CweEntry {
+    id: number;
+    name: string;
+}
+type Severity = "critical" | "high" | "medium" | "low" | "info";
+interface PassiveCheckDefinition {
+    id: string;
+    label: string;
+    icon: string;
+    color: string;
+    remedy: string;
+    checks: string[];
+}
+interface EnrichedFinding {
+    /** Original raw finding fields */
+    type: PayloadCategory;
+    severity: Severity;
+    title: string;
+    description: string;
+    stepId: string;
+    payload: string;
+    url: string;
+    evidence?: string;
+    metadata?: Record<string, unknown>;
+    /** Enriched fields — computed by buildReport() */
+    ruleId: string;
+    cwe: CweEntry;
+    securitySeverity: string;
+    fingerprint: string;
+    /** Detection classification */
+    detectionMethod: "active" | "passive";
+    /** Passive category (only set when detectionMethod === "passive") */
+    passiveCategory?: string;
+}
+interface ReportRule {
+    /** e.g. "VULCN-XSS" */
+    id: string;
+    /** Raw type name e.g. "xss" */
+    type: string;
+    /** CWE info */
+    cwe: CweEntry;
+    /** Severity of the first finding with this rule */
+    severity: Severity;
+    securitySeverity: string;
+    /** Description for help text */
+    description: string;
+}
+interface PassiveCategorySummary {
+    definition: PassiveCheckDefinition;
+    /** Findings in this category */
+    findings: EnrichedFinding[];
+    /** Issue count */
+    issueCount: number;
+    /** Number of checks that passed */
+    passedChecks: number;
+    /** Total checks for this category */
+    totalChecks: number;
+    /** PASS | WARN | FAIL */
+    status: "pass" | "warn" | "fail";
+}
+interface PassiveAnalysis {
+    totalIssues: number;
+    categories: PassiveCategorySummary[];
+}
+interface RiskAssessment {
+    score: number;
+    percent: number;
+    label: "Critical" | "High" | "Medium" | "Low" | "Clear";
+}
+type SeverityCounts = Record<Severity, number>;
+interface VulcnReport {
+    /** Report format version */
+    reportVersion: "2.0";
+    /** Engine version that generated the scan */
+    engineVersion: string;
+    /** ISO timestamp when this report was generated */
+    generatedAt: string;
+    /** Session metadata */
+    session: {
+        name: string;
+        driver: string;
+        driverConfig: Record<string, unknown>;
+        stepsCount: number;
+        metadata?: Record<string, unknown>;
+    };
+    /** Execution statistics */
+    stats: {
+        stepsExecuted: number;
+        payloadsTested: number;
+        durationMs: number;
+        errors: string[];
+    };
+    /** Summary / overview data */
+    summary: {
+        totalFindings: number;
+        severityCounts: SeverityCounts;
+        risk: RiskAssessment;
+        vulnerabilityTypes: string[];
+        affectedUrls: string[];
+    };
+    /** Rule registry — one rule per unique finding type */
+    rules: ReportRule[];
+    /** All findings — enriched with CWE, fingerprints, classification */
+    findings: EnrichedFinding[];
+    /** Active findings (subset) */
+    activeFindings: EnrichedFinding[];
+    /** Passive analysis summary */
+    passiveAnalysis: PassiveAnalysis;
+}
+/**
+ * Build a VulcnReport from raw scan output.
+ *
+ * This is the single transformation point. All output formats
+ * (HTML, JSON, YAML, SARIF) operate on the returned model.
+ */
+declare function buildReport(session: Session, result: RunResult, generatedAt: string, engineVersion: string): VulcnReport;
 /**
  * HTML Report Generator for Vulcn
@@ -12,33 +149,25 @@ import { Session, RunResult, Finding, VulcnPlugin } from '@vulcn/engine';
  * - Responsive design
  */
-interface HtmlReportData {
-    session: Session;
-    result: RunResult;
-    generatedAt: string;
-    engineVersion: string;
-}
-declare function generateHtml(data: HtmlReportData): string;
+declare function generateHtml(report: VulcnReport): string;
 /**
  * JSON Report Generator for Vulcn
  *
- * Produces a structured, machine-readable JSON report.
+ * Projects the canonical VulcnReport into a clean JSON structure
+ * suitable for CI/CD pipelines and programmatic consumption.
  */
+/**
+ * The JSON output shape — a clean projection of VulcnReport.
+ */
 interface JsonReport {
     vulcn: {
         version: string;
         reportVersion: string;
         generatedAt: string;
     };
-    session: {
-        name: string;
-        driver: string;
-        driverConfig: Record<string, unknown>;
-        stepsCount: number;
-        metadata?: Record<string, unknown>;
-    };
+    session: VulcnReport["session"];
     execution: {
         stepsExecuted: number;
         payloadsTested: number;
@@ -49,36 +178,47 @@ interface JsonReport {
     summary: {
         totalFindings: number;
         riskScore: number;
-        severityCounts: Record<string, number>;
+        riskLabel: string;
+        severityCounts: VulcnReport["summary"]["severityCounts"];
         vulnerabilityTypes: string[];
         affectedUrls: string[];
     };
-    findings: Finding[];
+    findings: VulcnReport["findings"];
+    passiveAnalysis: {
+        totalIssues: number;
+        categories: Array<{
+            id: string;
+            label: string;
+            status: string;
+            issueCount: number;
+            passedChecks: number;
+            totalChecks: number;
+            remedy: string;
+        }>;
+    };
+    rules: VulcnReport["rules"];
 }
-declare function generateJson(session: Session, result: RunResult, generatedAt: string, engineVersion: string): JsonReport;
+declare function generateJson(report: VulcnReport): JsonReport;
 /**
  * YAML Report Generator for Vulcn
  *
- * Produces a human-readable YAML report.
+ * Produces a human-readable YAML report from the canonical VulcnReport.
  */
-declare function generateYaml(session: Session, result: RunResult, generatedAt: string, engineVersion: string): string;
+declare function generateYaml(report: VulcnReport): string;
 /**
  * SARIF Report Generator for Vulcn
  *
- * Produces SARIF v2.1.0 (Static Analysis Results Interchange Format)
- * compatible with GitHub Code Scanning, Azure DevOps, and other
- * SARIF-consuming tools.
+ * Projects the canonical VulcnReport into SARIF v2.1.0 (Static Analysis
+ * Results Interchange Format) compatible with GitHub Code Scanning,
+ * Azure DevOps, and other SARIF-consuming tools.
  *
  * @see https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
  * @see https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning
  */
-/**
- * SARIF v2.1.0 Log — top-level structure
- */
 interface SarifLog {
     $schema: string;
     version: "2.1.0";
@@ -165,34 +305,22 @@ interface SarifArtifact {
     length?: number;
 }
 /**
- * Generate a SARIF v2.1.0 log from Vulcn scan results.
+ * Generate a SARIF v2.1.0 log from a VulcnReport.
  *
  * Usage:
- *   const sarif = generateSarif(session, result, generatedAt, "0.4.0");
+ *   const report = buildReport(session, result, generatedAt, "0.5.0");
+ *   const sarif = generateSarif(report);
  *   await writeFile("vulcn-report.sarif", JSON.stringify(sarif, null, 2));
- *
- * The output can be uploaded to:
- *   - GitHub Code Scanning: `gh api /repos/{owner}/{repo}/code-scanning/sarifs`
- *   - GitHub Actions: `github/codeql-action/upload-sarif@v3`
- *   - Azure DevOps: SARIF SAST Scans Tab extension
- *
- * @param session  - The session that was executed
- * @param result   - The run result with findings
- * @param generatedAt - ISO timestamp
- * @param engineVersion - Vulcn engine version
  */
-declare function generateSarif(session: Session, result: RunResult, generatedAt: string, engineVersion: string): SarifLog;
+declare function generateSarif(report: VulcnReport): SarifLog;
 /**
  * @vulcn/plugin-report
  * Report Generation Plugin for Vulcn
  *
  * Generates security reports in HTML, JSON, YAML, and SARIF formats
- * after a run completes. Features:
- * - Modern dark-themed HTML report with Vulcn branding
- * - Machine-readable JSON for CI/CD integration
- * - Human-readable YAML for documentation
- * - SARIF v2.1.0 for GitHub Code Scanning and IDE integration
+ * after a run completes. All formats are projections of the canonical
+ * VulcnReport model, built once via buildReport().
  *
  * Configuration:
  *   format:     "html" | "json" | "yaml" | "sarif" | "all"  (default: "html")
@@ -247,4 +375,4 @@ type ReportConfig = z.infer<typeof configSchema>;
  */
 declare const plugin: VulcnPlugin;
-export { type HtmlReportData, type JsonReport, type ReportConfig, type SarifLog, configSchema, plugin as default, generateHtml, generateJson, generateSarif, generateYaml };
+export { type CweEntry, type EnrichedFinding, type JsonReport, type PassiveAnalysis, type PassiveCategorySummary, type PassiveCheckDefinition, type ReportConfig, type ReportRule, type RiskAssessment, type SarifLog, type SeverityCounts, type VulcnReport, buildReport, configSchema, plugin as default, generateHtml, generateJson, generateSarif, generateYaml };

package/dist/index.d.ts CHANGED Viewed

@@ -1,5 +1,142 @@
 import { z } from 'zod';
-import { Session, RunResult, Finding, VulcnPlugin } from '@vulcn/engine';
+import { PayloadCategory, Session, RunResult, VulcnPlugin } from '@vulcn/engine';
+/**
+ * Vulcn Report Model
+ *
+ * The canonical data model from which all output formats (HTML, JSON,
+ * YAML, SARIF) are derived. This is the single source of truth for
+ * CWE mappings, severity scores, fingerprinting, risk computation,
+ * and passive analysis categorisation.
+ *
+ *   RunResult + Session
+ *          ↓
+ *     buildReport()
+ *          ↓
+ *     VulcnReport (canonical)
+ *          ↓
+ *   ┌──────┴──────────┬──────────┬──────────┐
+ *   HTML            JSON       YAML       SARIF
+ *
+ * Every output format is a projection of this model.
+ */
+interface CweEntry {
+    id: number;
+    name: string;
+}
+type Severity = "critical" | "high" | "medium" | "low" | "info";
+interface PassiveCheckDefinition {
+    id: string;
+    label: string;
+    icon: string;
+    color: string;
+    remedy: string;
+    checks: string[];
+}
+interface EnrichedFinding {
+    /** Original raw finding fields */
+    type: PayloadCategory;
+    severity: Severity;
+    title: string;
+    description: string;
+    stepId: string;
+    payload: string;
+    url: string;
+    evidence?: string;
+    metadata?: Record<string, unknown>;
+    /** Enriched fields — computed by buildReport() */
+    ruleId: string;
+    cwe: CweEntry;
+    securitySeverity: string;
+    fingerprint: string;
+    /** Detection classification */
+    detectionMethod: "active" | "passive";
+    /** Passive category (only set when detectionMethod === "passive") */
+    passiveCategory?: string;
+}
+interface ReportRule {
+    /** e.g. "VULCN-XSS" */
+    id: string;
+    /** Raw type name e.g. "xss" */
+    type: string;
+    /** CWE info */
+    cwe: CweEntry;
+    /** Severity of the first finding with this rule */
+    severity: Severity;
+    securitySeverity: string;
+    /** Description for help text */
+    description: string;
+}
+interface PassiveCategorySummary {
+    definition: PassiveCheckDefinition;
+    /** Findings in this category */
+    findings: EnrichedFinding[];
+    /** Issue count */
+    issueCount: number;
+    /** Number of checks that passed */
+    passedChecks: number;
+    /** Total checks for this category */
+    totalChecks: number;
+    /** PASS | WARN | FAIL */
+    status: "pass" | "warn" | "fail";
+}
+interface PassiveAnalysis {
+    totalIssues: number;
+    categories: PassiveCategorySummary[];
+}
+interface RiskAssessment {
+    score: number;
+    percent: number;
+    label: "Critical" | "High" | "Medium" | "Low" | "Clear";
+}
+type SeverityCounts = Record<Severity, number>;
+interface VulcnReport {
+    /** Report format version */
+    reportVersion: "2.0";
+    /** Engine version that generated the scan */
+    engineVersion: string;
+    /** ISO timestamp when this report was generated */
+    generatedAt: string;
+    /** Session metadata */
+    session: {
+        name: string;
+        driver: string;
+        driverConfig: Record<string, unknown>;
+        stepsCount: number;
+        metadata?: Record<string, unknown>;
+    };
+    /** Execution statistics */
+    stats: {
+        stepsExecuted: number;
+        payloadsTested: number;
+        durationMs: number;
+        errors: string[];
+    };
+    /** Summary / overview data */
+    summary: {
+        totalFindings: number;
+        severityCounts: SeverityCounts;
+        risk: RiskAssessment;
+        vulnerabilityTypes: string[];
+        affectedUrls: string[];
+    };
+    /** Rule registry — one rule per unique finding type */
+    rules: ReportRule[];
+    /** All findings — enriched with CWE, fingerprints, classification */
+    findings: EnrichedFinding[];
+    /** Active findings (subset) */
+    activeFindings: EnrichedFinding[];
+    /** Passive analysis summary */
+    passiveAnalysis: PassiveAnalysis;
+}
+/**
+ * Build a VulcnReport from raw scan output.
+ *
+ * This is the single transformation point. All output formats
+ * (HTML, JSON, YAML, SARIF) operate on the returned model.
+ */
+declare function buildReport(session: Session, result: RunResult, generatedAt: string, engineVersion: string): VulcnReport;
 /**
  * HTML Report Generator for Vulcn
@@ -12,33 +149,25 @@ import { Session, RunResult, Finding, VulcnPlugin } from '@vulcn/engine';
  * - Responsive design
  */
-interface HtmlReportData {
-    session: Session;
-    result: RunResult;
-    generatedAt: string;
-    engineVersion: string;
-}
-declare function generateHtml(data: HtmlReportData): string;
+declare function generateHtml(report: VulcnReport): string;
 /**
  * JSON Report Generator for Vulcn
  *
- * Produces a structured, machine-readable JSON report.
+ * Projects the canonical VulcnReport into a clean JSON structure
+ * suitable for CI/CD pipelines and programmatic consumption.
  */
+/**
+ * The JSON output shape — a clean projection of VulcnReport.
+ */
 interface JsonReport {
     vulcn: {
         version: string;
         reportVersion: string;
         generatedAt: string;
     };
-    session: {
-        name: string;
-        driver: string;
-        driverConfig: Record<string, unknown>;
-        stepsCount: number;
-        metadata?: Record<string, unknown>;
-    };
+    session: VulcnReport["session"];
     execution: {
         stepsExecuted: number;
         payloadsTested: number;
@@ -49,36 +178,47 @@ interface JsonReport {
     summary: {
         totalFindings: number;
         riskScore: number;
-        severityCounts: Record<string, number>;
+        riskLabel: string;
+        severityCounts: VulcnReport["summary"]["severityCounts"];
         vulnerabilityTypes: string[];
         affectedUrls: string[];
     };
-    findings: Finding[];
+    findings: VulcnReport["findings"];
+    passiveAnalysis: {
+        totalIssues: number;
+        categories: Array<{
+            id: string;
+            label: string;
+            status: string;
+            issueCount: number;
+            passedChecks: number;
+            totalChecks: number;
+            remedy: string;
+        }>;
+    };
+    rules: VulcnReport["rules"];
 }
-declare function generateJson(session: Session, result: RunResult, generatedAt: string, engineVersion: string): JsonReport;
+declare function generateJson(report: VulcnReport): JsonReport;
 /**
  * YAML Report Generator for Vulcn
  *
- * Produces a human-readable YAML report.
+ * Produces a human-readable YAML report from the canonical VulcnReport.
  */
-declare function generateYaml(session: Session, result: RunResult, generatedAt: string, engineVersion: string): string;
+declare function generateYaml(report: VulcnReport): string;
 /**
  * SARIF Report Generator for Vulcn
  *
- * Produces SARIF v2.1.0 (Static Analysis Results Interchange Format)
- * compatible with GitHub Code Scanning, Azure DevOps, and other
- * SARIF-consuming tools.
+ * Projects the canonical VulcnReport into SARIF v2.1.0 (Static Analysis
+ * Results Interchange Format) compatible with GitHub Code Scanning,
+ * Azure DevOps, and other SARIF-consuming tools.
  *
  * @see https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
  * @see https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning
  */
-/**
- * SARIF v2.1.0 Log — top-level structure
- */
 interface SarifLog {
     $schema: string;
     version: "2.1.0";
@@ -165,34 +305,22 @@ interface SarifArtifact {
     length?: number;
 }
 /**
- * Generate a SARIF v2.1.0 log from Vulcn scan results.
+ * Generate a SARIF v2.1.0 log from a VulcnReport.
  *
  * Usage:
- *   const sarif = generateSarif(session, result, generatedAt, "0.4.0");
+ *   const report = buildReport(session, result, generatedAt, "0.5.0");
+ *   const sarif = generateSarif(report);
  *   await writeFile("vulcn-report.sarif", JSON.stringify(sarif, null, 2));
- *
- * The output can be uploaded to:
- *   - GitHub Code Scanning: `gh api /repos/{owner}/{repo}/code-scanning/sarifs`
- *   - GitHub Actions: `github/codeql-action/upload-sarif@v3`
- *   - Azure DevOps: SARIF SAST Scans Tab extension
- *
- * @param session  - The session that was executed
- * @param result   - The run result with findings
- * @param generatedAt - ISO timestamp
- * @param engineVersion - Vulcn engine version
  */
-declare function generateSarif(session: Session, result: RunResult, generatedAt: string, engineVersion: string): SarifLog;
+declare function generateSarif(report: VulcnReport): SarifLog;
 /**
  * @vulcn/plugin-report
  * Report Generation Plugin for Vulcn
  *
  * Generates security reports in HTML, JSON, YAML, and SARIF formats
- * after a run completes. Features:
- * - Modern dark-themed HTML report with Vulcn branding
- * - Machine-readable JSON for CI/CD integration
- * - Human-readable YAML for documentation
- * - SARIF v2.1.0 for GitHub Code Scanning and IDE integration
+ * after a run completes. All formats are projections of the canonical
+ * VulcnReport model, built once via buildReport().
  *
  * Configuration:
  *   format:     "html" | "json" | "yaml" | "sarif" | "all"  (default: "html")
@@ -247,4 +375,4 @@ type ReportConfig = z.infer<typeof configSchema>;
  */
 declare const plugin: VulcnPlugin;
-export { type HtmlReportData, type JsonReport, type ReportConfig, type SarifLog, configSchema, plugin as default, generateHtml, generateJson, generateSarif, generateYaml };
+export { type CweEntry, type EnrichedFinding, type JsonReport, type PassiveAnalysis, type PassiveCategorySummary, type PassiveCheckDefinition, type ReportConfig, type ReportRule, type RiskAssessment, type SarifLog, type SeverityCounts, type VulcnReport, buildReport, configSchema, plugin as default, generateHtml, generateJson, generateSarif, generateYaml };