@vyuhlabs/dxkit 2.0.1 → 2.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +131 -0
- package/README.md +21 -15
- package/dist/analyzers/bom/detailed.d.ts +26 -0
- package/dist/analyzers/bom/detailed.d.ts.map +1 -0
- package/dist/analyzers/bom/detailed.js +227 -0
- package/dist/analyzers/bom/detailed.js.map +1 -0
- package/dist/analyzers/bom/gather.d.ts +52 -0
- package/dist/analyzers/bom/gather.d.ts.map +1 -0
- package/dist/analyzers/bom/gather.js +183 -0
- package/dist/analyzers/bom/gather.js.map +1 -0
- package/dist/analyzers/bom/index.d.ts +23 -0
- package/dist/analyzers/bom/index.d.ts.map +1 -0
- package/dist/analyzers/bom/index.js +183 -0
- package/dist/analyzers/bom/index.js.map +1 -0
- package/dist/analyzers/bom/types.d.ts +71 -0
- package/dist/analyzers/bom/types.d.ts.map +1 -0
- package/dist/analyzers/bom/types.js +3 -0
- package/dist/analyzers/bom/types.js.map +1 -0
- package/dist/analyzers/licenses/detailed.d.ts +30 -0
- package/dist/analyzers/licenses/detailed.d.ts.map +1 -0
- package/dist/analyzers/licenses/detailed.js +194 -0
- package/dist/analyzers/licenses/detailed.js.map +1 -0
- package/dist/analyzers/licenses/gather.d.ts +15 -0
- package/dist/analyzers/licenses/gather.d.ts.map +1 -0
- package/dist/analyzers/licenses/gather.js +24 -0
- package/dist/analyzers/licenses/gather.js.map +1 -0
- package/dist/analyzers/licenses/index.d.ts +21 -0
- package/dist/analyzers/licenses/index.d.ts.map +1 -0
- package/dist/analyzers/licenses/index.js +146 -0
- package/dist/analyzers/licenses/index.js.map +1 -0
- package/dist/analyzers/licenses/types.d.ts +30 -0
- package/dist/analyzers/licenses/types.d.ts.map +1 -0
- package/dist/analyzers/licenses/types.js +13 -0
- package/dist/analyzers/licenses/types.js.map +1 -0
- package/dist/analyzers/security/detailed.d.ts +0 -3
- package/dist/analyzers/security/detailed.d.ts.map +1 -1
- package/dist/analyzers/security/detailed.js +37 -6
- package/dist/analyzers/security/detailed.js.map +1 -1
- package/dist/analyzers/security/gather.d.ts.map +1 -1
- package/dist/analyzers/security/gather.js +2 -0
- package/dist/analyzers/security/gather.js.map +1 -1
- package/dist/analyzers/security/index.d.ts.map +1 -1
- package/dist/analyzers/security/index.js +53 -14
- package/dist/analyzers/security/index.js.map +1 -1
- package/dist/analyzers/security/types.d.ts +5 -0
- package/dist/analyzers/security/types.d.ts.map +1 -1
- package/dist/analyzers/security/types.js +0 -3
- package/dist/analyzers/security/types.js.map +1 -1
- package/dist/analyzers/tools/osv.d.ts +49 -5
- package/dist/analyzers/tools/osv.d.ts.map +1 -1
- package/dist/analyzers/tools/osv.js +99 -17
- package/dist/analyzers/tools/osv.js.map +1 -1
- package/dist/analyzers/tools/runner.d.ts +11 -0
- package/dist/analyzers/tools/runner.d.ts.map +1 -1
- package/dist/analyzers/tools/runner.js +54 -0
- package/dist/analyzers/tools/runner.js.map +1 -1
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +77 -0
- package/dist/analyzers/tools/tool-registry.js.map +1 -1
- package/dist/analyzers/xlsx/bom.d.ts +27 -0
- package/dist/analyzers/xlsx/bom.d.ts.map +1 -0
- package/dist/analyzers/xlsx/bom.js +131 -0
- package/dist/analyzers/xlsx/bom.js.map +1 -0
- package/dist/analyzers/xlsx/index.d.ts +27 -0
- package/dist/analyzers/xlsx/index.d.ts.map +1 -0
- package/dist/analyzers/xlsx/index.js +92 -0
- package/dist/analyzers/xlsx/index.js.map +1 -0
- package/dist/analyzers/xlsx/licenses.d.ts +40 -0
- package/dist/analyzers/xlsx/licenses.d.ts.map +1 -0
- package/dist/analyzers/xlsx/licenses.js +140 -0
- package/dist/analyzers/xlsx/licenses.js.map +1 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +178 -1
- package/dist/cli.js.map +1 -1
- package/dist/languages/capabilities/descriptors.d.ts +4 -1
- package/dist/languages/capabilities/descriptors.d.ts.map +1 -1
- package/dist/languages/capabilities/descriptors.js +20 -1
- package/dist/languages/capabilities/descriptors.js.map +1 -1
- package/dist/languages/capabilities/types.d.ts +59 -3
- package/dist/languages/capabilities/types.d.ts.map +1 -1
- package/dist/languages/csharp.d.ts +13 -0
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +228 -33
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +211 -26
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +187 -11
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/rust.d.ts +13 -0
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +195 -29
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +2 -1
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +252 -1
- package/dist/languages/typescript.js.map +1 -1
- package/package.json +7 -2
- package/dist/agents/extract.d.ts +0 -25
- package/dist/agents/extract.d.ts.map +0 -1
- package/dist/agents/extract.js +0 -186
- package/dist/agents/extract.js.map +0 -1
- package/dist/agents/schemas.d.ts +0 -106
- package/dist/agents/schemas.d.ts.map +0 -1
- package/dist/agents/schemas.js +0 -86
- package/dist/agents/schemas.js.map +0 -1
- package/dist/agents/session.d.ts +0 -28
- package/dist/agents/session.d.ts.map +0 -1
- package/dist/agents/session.js +0 -223
- package/dist/agents/session.js.map +0 -1
- package/dist/analyzers/index.d.ts +0 -3
- package/dist/analyzers/index.d.ts.map +0 -1
- package/dist/analyzers/index.js +0 -6
- package/dist/analyzers/index.js.map +0 -1
- package/dist/analyzers/security/report.d.ts +0 -6
- package/dist/analyzers/security/report.d.ts.map +0 -1
- package/dist/analyzers/security/report.js +0 -118
- package/dist/analyzers/security/report.js.map +0 -1
- package/dist/analyzers/tools/dotnet.d.ts +0 -8
- package/dist/analyzers/tools/dotnet.d.ts.map +0 -1
- package/dist/analyzers/tools/dotnet.js +0 -81
- package/dist/analyzers/tools/dotnet.js.map +0 -1
- package/dist/analyzers/tools/gather-cache.d.ts +0 -16
- package/dist/analyzers/tools/gather-cache.d.ts.map +0 -1
- package/dist/analyzers/tools/gather-cache.js +0 -126
- package/dist/analyzers/tools/gather-cache.js.map +0 -1
- package/dist/analyzers/tools/go.d.ts +0 -8
- package/dist/analyzers/tools/go.d.ts.map +0 -1
- package/dist/analyzers/tools/go.js +0 -84
- package/dist/analyzers/tools/go.js.map +0 -1
- package/dist/analyzers/tools/node.d.ts +0 -8
- package/dist/analyzers/tools/node.d.ts.map +0 -1
- package/dist/analyzers/tools/node.js +0 -160
- package/dist/analyzers/tools/node.js.map +0 -1
- package/dist/analyzers/tools/python.d.ts +0 -8
- package/dist/analyzers/tools/python.d.ts.map +0 -1
- package/dist/analyzers/tools/python.js +0 -81
- package/dist/analyzers/tools/python.js.map +0 -1
- package/dist/analyzers/tools/rust.d.ts +0 -8
- package/dist/analyzers/tools/rust.d.ts.map +0 -1
- package/dist/analyzers/tools/rust.js +0 -86
- package/dist/analyzers/tools/rust.js.map +0 -1
- package/templates/.ai/templates/session-checkpoint-template.md +0 -97
|
@@ -0,0 +1,183 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* BOM analyzer data-gather. Joins LICENSES + DEP_VULNS via the
|
|
4
|
+
* existing capability gather functions — no new tool invocation logic
|
|
5
|
+
* (CLAUDE.md rule 2). The gather just calls each, then walks both
|
|
6
|
+
* result sets to build a per-package join keyed by `package@version`.
|
|
7
|
+
*/
|
|
8
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
9
|
+
exports.compareSemver = compareSemver;
|
|
10
|
+
exports.maxSemver = maxSemver;
|
|
11
|
+
exports.deriveTier1Resolution = deriveTier1Resolution;
|
|
12
|
+
exports.gatherBomEntries = gatherBomEntries;
|
|
13
|
+
const gather_1 = require("../licenses/gather");
|
|
14
|
+
const gather_2 = require("../security/gather");
|
|
15
|
+
const SEV_RANK = { critical: 0, high: 1, medium: 2, low: 3 };
|
|
16
|
+
/**
|
|
17
|
+
* Compare two version strings as semver triples. Strips a leading
|
|
18
|
+
* 'v' (Go-pack convention) and compares dot-separated numeric
|
|
19
|
+
* components. Falls back to lexicographic comparison when either
|
|
20
|
+
* input isn't a parseable triple — preserves a deterministic
|
|
21
|
+
* ordering for non-semver versions (e.g. cargo's "0.10.55+echo.1").
|
|
22
|
+
*/
|
|
23
|
+
function compareSemver(a, b) {
|
|
24
|
+
const norm = (v) => v.replace(/^v/, '');
|
|
25
|
+
const pa = norm(a)
|
|
26
|
+
.split('.')
|
|
27
|
+
.map((p) => parseInt(p, 10));
|
|
28
|
+
const pb = norm(b)
|
|
29
|
+
.split('.')
|
|
30
|
+
.map((p) => parseInt(p, 10));
|
|
31
|
+
if (pa.some(isNaN) || pb.some(isNaN))
|
|
32
|
+
return norm(a).localeCompare(norm(b));
|
|
33
|
+
const len = Math.max(pa.length, pb.length);
|
|
34
|
+
for (let i = 0; i < len; i++) {
|
|
35
|
+
const xa = pa[i] ?? 0;
|
|
36
|
+
const xb = pb[i] ?? 0;
|
|
37
|
+
if (xa !== xb)
|
|
38
|
+
return xa - xb;
|
|
39
|
+
}
|
|
40
|
+
return 0;
|
|
41
|
+
}
|
|
42
|
+
/** Highest version in `versions` per compareSemver. Returns the input
|
|
43
|
+
* unchanged when only one version is supplied. */
|
|
44
|
+
function maxSemver(versions) {
|
|
45
|
+
if (versions.length === 0)
|
|
46
|
+
return '';
|
|
47
|
+
return versions.reduce((acc, v) => (compareSemver(v, acc) > 0 ? v : acc));
|
|
48
|
+
}
|
|
49
|
+
/**
|
|
50
|
+
* Tier-1 resolution proposal derived purely from `fixedVersion`
|
|
51
|
+
* data shipped by each pack's depVulns provider. Per checkpoint §9:
|
|
52
|
+
* - no vulns → empty
|
|
53
|
+
* - every vuln has fixedVersion → "PROPOSAL: Upgrade to <maxFix> (resolves N)"
|
|
54
|
+
* - some vuln lacks fixedVersion → "No fix available — evaluate replacement"
|
|
55
|
+
*
|
|
56
|
+
* Higher tiers (10h.4 Snyk, 10h.6 osv-scanner fix) populate
|
|
57
|
+
* `upgradeAdvice` directly on each finding; the bom render layer
|
|
58
|
+
* picks the richest available value per package.
|
|
59
|
+
*/
|
|
60
|
+
function deriveTier1Resolution(vulns) {
|
|
61
|
+
if (vulns.length === 0)
|
|
62
|
+
return '';
|
|
63
|
+
const fixes = vulns.map((v) => v.fixedVersion).filter((v) => !!v);
|
|
64
|
+
if (fixes.length !== vulns.length) {
|
|
65
|
+
return 'No fix available — evaluate replacement';
|
|
66
|
+
}
|
|
67
|
+
const target = maxSemver(fixes);
|
|
68
|
+
return `PROPOSAL: Upgrade to ${target} (resolves ${vulns.length} vuln${vulns.length === 1 ? '' : 's'})`;
|
|
69
|
+
}
|
|
70
|
+
/** Highest severity across the supplied vulns. */
|
|
71
|
+
function maxSeverityOf(vulns) {
|
|
72
|
+
if (vulns.length === 0)
|
|
73
|
+
return null;
|
|
74
|
+
let best = 'low';
|
|
75
|
+
for (const v of vulns) {
|
|
76
|
+
if (SEV_RANK[v.severity] < SEV_RANK[best])
|
|
77
|
+
best = v.severity;
|
|
78
|
+
}
|
|
79
|
+
return best;
|
|
80
|
+
}
|
|
81
|
+
async function gatherBomEntries(cwd) {
|
|
82
|
+
const [licensesEnv, depVulns] = await Promise.all([
|
|
83
|
+
(0, gather_1.gatherLicensesResult)(cwd),
|
|
84
|
+
(0, gather_2.gatherDepVulns)(cwd),
|
|
85
|
+
]);
|
|
86
|
+
const licenseFindings = licensesEnv?.findings ?? [];
|
|
87
|
+
const vulnFindings = depVulns.findings;
|
|
88
|
+
// Index vulns by package@version (primary) and package (fallback).
|
|
89
|
+
const vulnByPkgVer = new Map();
|
|
90
|
+
const vulnByPkg = new Map();
|
|
91
|
+
for (const v of vulnFindings) {
|
|
92
|
+
if (v.installedVersion) {
|
|
93
|
+
const key = `${v.package}@${v.installedVersion}`;
|
|
94
|
+
const arr = vulnByPkgVer.get(key) ?? [];
|
|
95
|
+
arr.push(v);
|
|
96
|
+
vulnByPkgVer.set(key, arr);
|
|
97
|
+
}
|
|
98
|
+
const arr = vulnByPkg.get(v.package) ?? [];
|
|
99
|
+
arr.push(v);
|
|
100
|
+
vulnByPkg.set(v.package, arr);
|
|
101
|
+
}
|
|
102
|
+
const entries = [];
|
|
103
|
+
const matchedVulnKeys = new Set();
|
|
104
|
+
for (const lic of licenseFindings) {
|
|
105
|
+
const exactKey = `${lic.package}@${lic.version}`;
|
|
106
|
+
let attached = vulnByPkgVer.get(exactKey);
|
|
107
|
+
if (attached) {
|
|
108
|
+
matchedVulnKeys.add(exactKey);
|
|
109
|
+
}
|
|
110
|
+
else {
|
|
111
|
+
// Version-less vuln entries fall back to package-name match.
|
|
112
|
+
// Filter to only those that lacked installedVersion to avoid
|
|
113
|
+
// double-counting against other version rows.
|
|
114
|
+
const byPkg = vulnByPkg.get(lic.package) ?? [];
|
|
115
|
+
const versionless = byPkg.filter((v) => !v.installedVersion);
|
|
116
|
+
attached = versionless.length > 0 ? versionless : [];
|
|
117
|
+
}
|
|
118
|
+
entries.push(buildEntry(lic, attached, true));
|
|
119
|
+
}
|
|
120
|
+
// Vuln-only entries: vulns whose package@version did not match a
|
|
121
|
+
// license row AND whose package is absent from every license entry
|
|
122
|
+
// (versionless fallback is consumed above).
|
|
123
|
+
const licensePackages = new Set(licenseFindings.map((l) => l.package));
|
|
124
|
+
const vulnOnlyByPkgVer = new Map();
|
|
125
|
+
for (const [key, vulns] of vulnByPkgVer) {
|
|
126
|
+
if (matchedVulnKeys.has(key))
|
|
127
|
+
continue;
|
|
128
|
+
const pkg = vulns[0].package;
|
|
129
|
+
if (licensePackages.has(pkg))
|
|
130
|
+
continue; // already attached via versionless or other version
|
|
131
|
+
const arr = vulnOnlyByPkgVer.get(key) ?? [];
|
|
132
|
+
arr.push(...vulns);
|
|
133
|
+
vulnOnlyByPkgVer.set(key, arr);
|
|
134
|
+
}
|
|
135
|
+
for (const [, vulns] of vulnOnlyByPkgVer) {
|
|
136
|
+
const v0 = vulns[0];
|
|
137
|
+
const synthLicense = {
|
|
138
|
+
package: v0.package,
|
|
139
|
+
version: v0.installedVersion ?? 'unknown',
|
|
140
|
+
licenseType: 'UNKNOWN',
|
|
141
|
+
};
|
|
142
|
+
entries.push(buildEntry(synthLicense, vulns, false));
|
|
143
|
+
}
|
|
144
|
+
// Stable sort: package alphabetical, then version.
|
|
145
|
+
entries.sort((a, b) => a.package.localeCompare(b.package) || compareSemver(a.version, b.version));
|
|
146
|
+
const toolsUsed = new Set();
|
|
147
|
+
if (licensesEnv?.tool) {
|
|
148
|
+
for (const t of licensesEnv.tool.split(', '))
|
|
149
|
+
if (t)
|
|
150
|
+
toolsUsed.add(t);
|
|
151
|
+
}
|
|
152
|
+
if (depVulns.tool) {
|
|
153
|
+
for (const t of depVulns.tool.split(', '))
|
|
154
|
+
if (t)
|
|
155
|
+
toolsUsed.add(t);
|
|
156
|
+
}
|
|
157
|
+
return {
|
|
158
|
+
entries,
|
|
159
|
+
toolsUsed: [...toolsUsed],
|
|
160
|
+
toolsUnavailable: [],
|
|
161
|
+
};
|
|
162
|
+
}
|
|
163
|
+
function buildEntry(lic, vulns, joinedFromBoth) {
|
|
164
|
+
// Tier 2/4 fields on individual findings outrank Tier-1 derivation.
|
|
165
|
+
// Pick the first non-empty `upgradeAdvice` from any finding; fall
|
|
166
|
+
// back to derived advice when all vulns are Tier-1 only.
|
|
167
|
+
const tieredAdvice = vulns.map((v) => v.upgradeAdvice).find((a) => a && a.length > 0);
|
|
168
|
+
return {
|
|
169
|
+
package: lic.package,
|
|
170
|
+
version: lic.version,
|
|
171
|
+
licenseType: lic.licenseType,
|
|
172
|
+
licenseText: lic.licenseText,
|
|
173
|
+
sourceUrl: lic.sourceUrl,
|
|
174
|
+
description: lic.description,
|
|
175
|
+
supplier: lic.supplier,
|
|
176
|
+
releaseDate: lic.releaseDate,
|
|
177
|
+
vulns,
|
|
178
|
+
maxSeverity: maxSeverityOf(vulns),
|
|
179
|
+
upgradeAdvice: tieredAdvice ?? deriveTier1Resolution(vulns),
|
|
180
|
+
joinedFromBoth,
|
|
181
|
+
};
|
|
182
|
+
}
|
|
183
|
+
//# sourceMappingURL=gather.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"gather.js","sourceRoot":"","sources":["../../../src/analyzers/bom/gather.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAgBH,sCAgBC;AAID,8BAGC;AAaD,sDAQC;AAgCD,4CAiFC;AA3KD,+CAA0D;AAC1D,+CAAoD;AAIpD,MAAM,QAAQ,GAAgC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;AAE1F;;;;;;GAMG;AACH,SAAgB,aAAa,CAAC,CAAS,EAAE,CAAS;IAChD,MAAM,IAAI,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAChD,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;SACf,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAC/B,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;SACf,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAC/B,IAAI,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5E,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC;IAC3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtB,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtB,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAChC,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED;mDACmD;AACnD,SAAgB,SAAS,CAAC,QAAkB;IAC1C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACrC,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,aAAa,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;AAC5E,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAgB,qBAAqB,CAAC,KAAuB;IAC3D,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAClC,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/E,IAAI,KAAK,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,EAAE,CAAC;QAClC,OAAO,yCAAyC,CAAC;IACnD,CAAC;IACD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IAChC,OAAO,wBAAwB,MAAM,cAAc,KAAK,CAAC,MAAM,QAAQ,KAAK,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC;AAC1G,CAAC;AAED,kDAAkD;AAClD,SAAS,aAAa,CAAC,KAAuB;IAC5C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,IAAI,GAAgB,KAAK,CAAC;IAC9B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC;YAAE,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC;IAC/D,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAsBM,KAAK,UAAU,gBAAgB,CAAC,GAAW;IAChD,MAAM,CAAC,WAAW,EAAE,QAAQ,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAChD,IAAA,6BAAoB,EAAC,GAAG,CAAC;QACzB,IAAA,uBAAc,EAAC,GAAG,CAAC;KACpB,CAAC,CAAC;IAEH,MAAM,eAAe,GAAG,WAAW,EAAE,QAAQ,IAAI,EAAE,CAAC;IACpD,MAAM,YAAY,GAAG,QAAQ,CAAC,QAAQ,CAAC;IAEvC,mEAAmE;IACnE,MAAM,YAAY,GAAG,IAAI,GAAG,EAA4B,CAAC;IACzD,MAAM,SAAS,GAAG,IAAI,GAAG,EAA4B,CAAC;IACtD,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;QAC7B,IAAI,CAAC,CAAC,gBAAgB,EAAE,CAAC;YACvB,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,gBAAgB,EAAE,CAAC;YACjD,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACxC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACZ,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAC7B,CAAC;QACD,MAAM,GAAG,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAC3C,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACZ,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IAChC,CAAC;IAED,MAAM,OAAO,GAAe,EAAE,CAAC;IAC/B,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;IAC1C,KAAK,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;QAClC,MAAM,QAAQ,GAAG,GAAG,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;QACjD,IAAI,QAAQ,GAAG,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC1C,IAAI,QAAQ,EAAE,CAAC;YACb,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,6DAA6D;YAC7D,6DAA6D;YAC7D,8CAA8C;YAC9C,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAC/C,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC;YAC7D,QAAQ,GAAG,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;QACvD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC;IAChD,CAAC;IAED,iEAAiE;IACjE,mEAAmE;IACnE,4CAA4C;IAC5C,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IACvE,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAA4B,CAAC;IAC7D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,YAAY,EAAE,CAAC;QACxC,IAAI,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QACvC,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;QAC7B,IAAI,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS,CAAC,oDAAoD;QAC5F,MAAM,GAAG,GAAG,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QAC5C,GAAG,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC;QACnB,gBAAgB,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACjC,CAAC;IACD,KAAK,MAAM,CAAC,EAAE,KAAK,CAAC,IAAI,gBAAgB,EAAE,CAAC;QACzC,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACpB,MAAM,YAAY,GAAmB;YACnC,OAAO,EAAE,EAAE,CAAC,OAAO;YACnB,OAAO,EAAE,EAAE,CAAC,gBAAgB,IAAI,SAAS;YACzC,WAAW,EAAE,SAAS;SACvB,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,YAAY,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;IACvD,CAAC;IAED,mDAAmD;IACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,aAAa,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IAElG,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IACpC,IAAI,WAAW,EAAE,IAAI,EAAE,CAAC;QACtB,KAAK,MAAM,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;YAAE,IAAI,CAAC;gBAAE,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACxE,CAAC;IACD,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;QAClB,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;YAAE,IAAI,CAAC;gBAAE,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACrE,CAAC;IAED,OAAO;QACL,OAAO;QACP,SAAS,EAAE,CAAC,GAAG,SAAS,CAAC;QACzB,gBAAgB,EAAE,EAAE;KACrB,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CACjB,GAAmB,EACnB,KAAuB,EACvB,cAAuB;IAEvB,oEAAoE;IACpE,kEAAkE;IAClE,yDAAyD;IACzD,MAAM,YAAY,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACtF,OAAO;QACL,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,KAAK;QACL,WAAW,EAAE,aAAa,CAAC,KAAK,CAAC;QACjC,aAAa,EAAE,YAAY,IAAI,qBAAqB,CAAC,KAAK,CAAC;QAC3D,cAAc;KACf,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* BOM (Bill of Materials) analyzer — public API.
|
|
3
|
+
*
|
|
4
|
+
* Joins the LICENSES and DEP_VULNS capabilities by `package@version`
|
|
5
|
+
* to produce one row per installed package with both license inventory
|
|
6
|
+
* data (cols 1-9, 15) and per-package vulnerability rollup
|
|
7
|
+
* (cols 11-13). Output formats:
|
|
8
|
+
*
|
|
9
|
+
* - `formatBomReport(report)` — markdown summary for
|
|
10
|
+
* `.ai/reports/bom-<date>.md` and PR comments.
|
|
11
|
+
* - JSON via the CLI's `--json` flag (10h.3.9) — schema-versioned
|
|
12
|
+
* pass-through with the added summary + repo metadata.
|
|
13
|
+
* - XLSX via the shared converter (10h.3.9) — drop-in replacement
|
|
14
|
+
* for the customer's spreadsheet workflow with cols 11-13 filled.
|
|
15
|
+
*/
|
|
16
|
+
import type { BomReport } from './types';
|
|
17
|
+
export type { BomReport, BomEntry } from './types';
|
|
18
|
+
export interface AnalyzeBomOptions {
|
|
19
|
+
verbose?: boolean;
|
|
20
|
+
}
|
|
21
|
+
export declare function analyzeBom(repoPath: string, _options?: AnalyzeBomOptions): Promise<BomReport>;
|
|
22
|
+
export declare function formatBomReport(report: BomReport, elapsed: string): string;
|
|
23
|
+
//# sourceMappingURL=index.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/analyzers/bom/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAMH,OAAO,KAAK,EAAY,SAAS,EAAe,MAAM,SAAS,CAAC;AAEhE,YAAY,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEnD,MAAM,WAAW,iBAAiB;IAChC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,wBAAsB,UAAU,CAC9B,QAAQ,EAAE,MAAM,EAChB,QAAQ,GAAE,iBAAsB,GAC/B,OAAO,CAAC,SAAS,CAAC,CAqCpB;AASD,wBAAgB,eAAe,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAmG1E"}
|
|
@@ -0,0 +1,183 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* BOM (Bill of Materials) analyzer — public API.
|
|
4
|
+
*
|
|
5
|
+
* Joins the LICENSES and DEP_VULNS capabilities by `package@version`
|
|
6
|
+
* to produce one row per installed package with both license inventory
|
|
7
|
+
* data (cols 1-9, 15) and per-package vulnerability rollup
|
|
8
|
+
* (cols 11-13). Output formats:
|
|
9
|
+
*
|
|
10
|
+
* - `formatBomReport(report)` — markdown summary for
|
|
11
|
+
* `.ai/reports/bom-<date>.md` and PR comments.
|
|
12
|
+
* - JSON via the CLI's `--json` flag (10h.3.9) — schema-versioned
|
|
13
|
+
* pass-through with the added summary + repo metadata.
|
|
14
|
+
* - XLSX via the shared converter (10h.3.9) — drop-in replacement
|
|
15
|
+
* for the customer's spreadsheet workflow with cols 11-13 filled.
|
|
16
|
+
*/
|
|
17
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
18
|
+
if (k2 === undefined) k2 = k;
|
|
19
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
20
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
21
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
22
|
+
}
|
|
23
|
+
Object.defineProperty(o, k2, desc);
|
|
24
|
+
}) : (function(o, m, k, k2) {
|
|
25
|
+
if (k2 === undefined) k2 = k;
|
|
26
|
+
o[k2] = m[k];
|
|
27
|
+
}));
|
|
28
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
29
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
30
|
+
}) : function(o, v) {
|
|
31
|
+
o["default"] = v;
|
|
32
|
+
});
|
|
33
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
34
|
+
var ownKeys = function(o) {
|
|
35
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
36
|
+
var ar = [];
|
|
37
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
38
|
+
return ar;
|
|
39
|
+
};
|
|
40
|
+
return ownKeys(o);
|
|
41
|
+
};
|
|
42
|
+
return function (mod) {
|
|
43
|
+
if (mod && mod.__esModule) return mod;
|
|
44
|
+
var result = {};
|
|
45
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
46
|
+
__setModuleDefault(result, mod);
|
|
47
|
+
return result;
|
|
48
|
+
};
|
|
49
|
+
})();
|
|
50
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
51
|
+
exports.analyzeBom = analyzeBom;
|
|
52
|
+
exports.formatBomReport = formatBomReport;
|
|
53
|
+
const path = __importStar(require("path"));
|
|
54
|
+
const detect_1 = require("../../detect");
|
|
55
|
+
const runner_1 = require("../tools/runner");
|
|
56
|
+
const gather_1 = require("./gather");
|
|
57
|
+
async function analyzeBom(repoPath, _options = {}) {
|
|
58
|
+
const stack = (0, detect_1.detect)(repoPath);
|
|
59
|
+
const { entries, toolsUsed, toolsUnavailable } = await (0, gather_1.gatherBomEntries)(repoPath);
|
|
60
|
+
const bySeverity = { critical: 0, high: 0, medium: 0, low: 0 };
|
|
61
|
+
let vulnerablePackages = 0;
|
|
62
|
+
let actionableVulns = 0;
|
|
63
|
+
let totalAdvisories = 0;
|
|
64
|
+
let vulnOnlyPackages = 0;
|
|
65
|
+
for (const e of entries) {
|
|
66
|
+
if (e.maxSeverity) {
|
|
67
|
+
bySeverity[e.maxSeverity]++;
|
|
68
|
+
vulnerablePackages++;
|
|
69
|
+
if (e.upgradeAdvice.startsWith('PROPOSAL:'))
|
|
70
|
+
actionableVulns++;
|
|
71
|
+
}
|
|
72
|
+
totalAdvisories += e.vulns.length;
|
|
73
|
+
if (!e.joinedFromBoth)
|
|
74
|
+
vulnOnlyPackages++;
|
|
75
|
+
}
|
|
76
|
+
return {
|
|
77
|
+
repo: stack.projectName || path.basename(repoPath),
|
|
78
|
+
analyzedAt: new Date().toISOString(),
|
|
79
|
+
commitSha: (0, runner_1.run)('git rev-parse --short HEAD 2>/dev/null', repoPath),
|
|
80
|
+
branch: (0, runner_1.run)('git rev-parse --abbrev-ref HEAD 2>/dev/null', repoPath),
|
|
81
|
+
schemaVersion: '1',
|
|
82
|
+
summary: {
|
|
83
|
+
totalPackages: entries.length,
|
|
84
|
+
bySeverity,
|
|
85
|
+
vulnerablePackages,
|
|
86
|
+
actionableVulns,
|
|
87
|
+
totalAdvisories,
|
|
88
|
+
vulnOnlyPackages,
|
|
89
|
+
},
|
|
90
|
+
entries,
|
|
91
|
+
toolsUsed,
|
|
92
|
+
toolsUnavailable,
|
|
93
|
+
};
|
|
94
|
+
}
|
|
95
|
+
const SEV_BADGE = {
|
|
96
|
+
critical: 'CRITICAL',
|
|
97
|
+
high: 'HIGH',
|
|
98
|
+
medium: 'MEDIUM',
|
|
99
|
+
low: 'LOW',
|
|
100
|
+
};
|
|
101
|
+
function formatBomReport(report, elapsed) {
|
|
102
|
+
const L = [];
|
|
103
|
+
L.push('# Bill of Materials (BOM) Report');
|
|
104
|
+
L.push('');
|
|
105
|
+
L.push(`**Date:** ${report.analyzedAt.slice(0, 10)}`);
|
|
106
|
+
L.push(`**Repository:** ${report.repo}`);
|
|
107
|
+
L.push(`**Branch:** ${report.branch} (${report.commitSha})`);
|
|
108
|
+
L.push('');
|
|
109
|
+
L.push('---');
|
|
110
|
+
L.push('');
|
|
111
|
+
// Summary
|
|
112
|
+
const s = report.summary;
|
|
113
|
+
L.push('## Summary');
|
|
114
|
+
L.push('');
|
|
115
|
+
L.push(`**${s.totalPackages} packages** indexed across the active language pack(s).`);
|
|
116
|
+
L.push('');
|
|
117
|
+
if (s.vulnerablePackages > 0) {
|
|
118
|
+
L.push(`**${s.vulnerablePackages} packages** carry known vulnerabilities — ` +
|
|
119
|
+
`**${s.totalAdvisories} advisories** in total ` +
|
|
120
|
+
`(one package can have many advisories, e.g. multiple CVEs against ` +
|
|
121
|
+
`the same installed version). ` +
|
|
122
|
+
`**${s.actionableVulns}** of those packages have a Tier-1 upgrade proposal.`);
|
|
123
|
+
L.push('');
|
|
124
|
+
L.push(`> The numbers reconcile with \`vyuh-dxkit vulnerabilities\`: ` +
|
|
125
|
+
`that command reports per-advisory (${s.totalAdvisories}); bom collapses ` +
|
|
126
|
+
`them per-package (${s.vulnerablePackages}) so each row of the ` +
|
|
127
|
+
`xlsx is one upgrade decision.`);
|
|
128
|
+
L.push('');
|
|
129
|
+
L.push('| Severity (worst-of-package) | Vulnerable Packages |');
|
|
130
|
+
L.push('|-----------------------------|--------------------:|');
|
|
131
|
+
L.push(`| CRITICAL | ${s.bySeverity.critical} |`);
|
|
132
|
+
L.push(`| HIGH | ${s.bySeverity.high} |`);
|
|
133
|
+
L.push(`| MEDIUM | ${s.bySeverity.medium} |`);
|
|
134
|
+
L.push(`| LOW | ${s.bySeverity.low} |`);
|
|
135
|
+
L.push('');
|
|
136
|
+
}
|
|
137
|
+
if (s.vulnOnlyPackages > 0) {
|
|
138
|
+
L.push(`> ⚠️ ${s.vulnOnlyPackages} package(s) reported only by the vulnerability scanner — ` +
|
|
139
|
+
`the license scanner missed them (likely a workspace / sub-package). ` +
|
|
140
|
+
`These rows show "UNKNOWN" license; verify manually before shipping.`);
|
|
141
|
+
L.push('');
|
|
142
|
+
}
|
|
143
|
+
L.push('---');
|
|
144
|
+
L.push('');
|
|
145
|
+
// Vulnerable packages section — worst-first, one row per package
|
|
146
|
+
if (s.vulnerablePackages > 0) {
|
|
147
|
+
L.push('## Vulnerable Packages');
|
|
148
|
+
L.push('');
|
|
149
|
+
L.push('Sorted by severity (worst-first), then alphabetical. ');
|
|
150
|
+
L.push('Resolution column shows the Tier-1 derived upgrade target ');
|
|
151
|
+
L.push('(or "No fix available" when an advisory has no published patch).');
|
|
152
|
+
L.push('');
|
|
153
|
+
const SEV_RANK = { critical: 0, high: 1, medium: 2, low: 3 };
|
|
154
|
+
const vuln = report.entries
|
|
155
|
+
.filter((e) => e.maxSeverity)
|
|
156
|
+
.sort((a, b) => SEV_RANK[a.maxSeverity] - SEV_RANK[b.maxSeverity] || a.package.localeCompare(b.package));
|
|
157
|
+
const cap = 50;
|
|
158
|
+
const shown = vuln.slice(0, cap);
|
|
159
|
+
L.push('| Severity | Package@Version | License | # Vulns | Resolution |');
|
|
160
|
+
L.push('|----------|-----------------|---------|--------:|------------|');
|
|
161
|
+
for (const e of shown) {
|
|
162
|
+
const advice = e.upgradeAdvice.replace(/\|/g, '\\|');
|
|
163
|
+
L.push(`| ${SEV_BADGE[e.maxSeverity]} | \`${e.package}@${e.version}\` | ${e.licenseType} | ${e.vulns.length} | ${advice} |`);
|
|
164
|
+
}
|
|
165
|
+
if (vuln.length > cap) {
|
|
166
|
+
L.push('');
|
|
167
|
+
L.push(`_Showing ${cap} of ${vuln.length} vulnerable packages. Run with \`--detailed\` for the full inventory + per-advisory CVE list._`);
|
|
168
|
+
}
|
|
169
|
+
L.push('');
|
|
170
|
+
L.push('---');
|
|
171
|
+
L.push('');
|
|
172
|
+
}
|
|
173
|
+
// Footer
|
|
174
|
+
L.push(`**Tools used:** ${report.toolsUsed.join(', ') || '(none)'}`);
|
|
175
|
+
if (report.toolsUnavailable.length > 0) {
|
|
176
|
+
L.push(`**Tools unavailable:** ${report.toolsUnavailable.join(', ')}`);
|
|
177
|
+
}
|
|
178
|
+
L.push(`**Analysis time:** ${elapsed}s`);
|
|
179
|
+
L.push('');
|
|
180
|
+
L.push('*Generated by [VyuhLabs DXKit](https://www.npmjs.com/package/@vyuhlabs/dxkit)*');
|
|
181
|
+
return L.join('\n');
|
|
182
|
+
}
|
|
183
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/analyzers/bom/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAcH,gCAwCC;AASD,0CAmGC;AAhKD,2CAA6B;AAC7B,yCAAsC;AACtC,4CAAsC;AACtC,qCAA4C;AASrC,KAAK,UAAU,UAAU,CAC9B,QAAgB,EAChB,WAA8B,EAAE;IAEhC,MAAM,KAAK,GAAG,IAAA,eAAM,EAAC,QAAQ,CAAC,CAAC;IAC/B,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,GAAG,MAAM,IAAA,yBAAgB,EAAC,QAAQ,CAAC,CAAC;IAElF,MAAM,UAAU,GAAgC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC5F,IAAI,kBAAkB,GAAG,CAAC,CAAC;IAC3B,IAAI,eAAe,GAAG,CAAC,CAAC;IACxB,IAAI,eAAe,GAAG,CAAC,CAAC;IACxB,IAAI,gBAAgB,GAAG,CAAC,CAAC;IACzB,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;YAClB,UAAU,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC;YAC5B,kBAAkB,EAAE,CAAC;YACrB,IAAI,CAAC,CAAC,aAAa,CAAC,UAAU,CAAC,WAAW,CAAC;gBAAE,eAAe,EAAE,CAAC;QACjE,CAAC;QACD,eAAe,IAAI,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC;QAClC,IAAI,CAAC,CAAC,CAAC,cAAc;YAAE,gBAAgB,EAAE,CAAC;IAC5C,CAAC;IAED,OAAO;QACL,IAAI,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAClD,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACpC,SAAS,EAAE,IAAA,YAAG,EAAC,wCAAwC,EAAE,QAAQ,CAAC;QAClE,MAAM,EAAE,IAAA,YAAG,EAAC,6CAA6C,EAAE,QAAQ,CAAC;QACpE,aAAa,EAAE,GAAG;QAClB,OAAO,EAAE;YACP,aAAa,EAAE,OAAO,CAAC,MAAM;YAC7B,UAAU;YACV,kBAAkB;YAClB,eAAe;YACf,eAAe;YACf,gBAAgB;SACjB;QACD,OAAO;QACP,SAAS;QACT,gBAAgB;KACjB,CAAC;AACJ,CAAC;AAED,MAAM,SAAS,GAAgC;IAC7C,QAAQ,EAAE,UAAU;IACpB,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,QAAQ;IAChB,GAAG,EAAE,KAAK;CACX,CAAC;AAEF,SAAgB,eAAe,CAAC,MAAiB,EAAE,OAAe;IAChE,MAAM,CAAC,GAAa,EAAE,CAAC;IAEvB,CAAC,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;IAC3C,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,aAAa,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;IACtD,CAAC,CAAC,IAAI,CAAC,mBAAmB,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IACzC,CAAC,CAAC,IAAI,CAAC,eAAe,MAAM,CAAC,MAAM,KAAK,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC;IAC7D,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,UAAU;IACV,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC;IACzB,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACrB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,aAAa,yDAAyD,CAAC,CAAC;IACtF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,IAAI,CAAC,CAAC,kBAAkB,GAAG,CAAC,EAAE,CAAC;QAC7B,CAAC,CAAC,IAAI,CACJ,KAAK,CAAC,CAAC,kBAAkB,4CAA4C;YACnE,KAAK,CAAC,CAAC,eAAe,yBAAyB;YAC/C,oEAAoE;YACpE,+BAA+B;YAC/B,KAAK,CAAC,CAAC,eAAe,sDAAsD,CAC/E,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CACJ,+DAA+D;YAC7D,sCAAsC,CAAC,CAAC,eAAe,mBAAmB;YAC1E,qBAAqB,CAAC,CAAC,kBAAkB,uBAAuB;YAChE,+BAA+B,CAClC,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QAChE,CAAC,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QAChE,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,UAAU,CAAC,QAAQ,IAAI,CAAC,CAAC;QAClD,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC,CAAC;QAC9C,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,UAAU,CAAC,MAAM,IAAI,CAAC,CAAC;QAChD,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,CAAC;QAC7C,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IACD,IAAI,CAAC,CAAC,gBAAgB,GAAG,CAAC,EAAE,CAAC;QAC3B,CAAC,CAAC,IAAI,CACJ,QAAQ,CAAC,CAAC,gBAAgB,2DAA2D;YACnF,sEAAsE;YACtE,qEAAqE,CACxE,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,iEAAiE;IACjE,IAAI,CAAC,CAAC,kBAAkB,GAAG,CAAC,EAAE,CAAC;QAC7B,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QACjC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QAChE,CAAC,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;QACrE,CAAC,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;QAC3E,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,MAAM,QAAQ,GAAgC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAC1F,MAAM,IAAI,GAAe,MAAM,CAAC,OAAO;aACpC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC;aAC5B,IAAI,CACH,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACP,QAAQ,CAAC,CAAC,CAAC,WAAY,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,WAAY,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,CAC5F,CAAC;QACJ,MAAM,GAAG,GAAG,EAAE,CAAC;QACf,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACjC,CAAC,CAAC,IAAI,CAAC,iEAAiE,CAAC,CAAC;QAC1E,CAAC,CAAC,IAAI,CAAC,iEAAiE,CAAC,CAAC;QAC1E,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,MAAM,MAAM,GAAG,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;YACrD,CAAC,CAAC,IAAI,CACJ,KAAK,SAAS,CAAC,CAAC,CAAC,WAAY,CAAC,QAAQ,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,QAAQ,CAAC,CAAC,WAAW,MAAM,CAAC,CAAC,KAAK,CAAC,MAAM,MAAM,MAAM,IAAI,CACtH,CAAC;QACJ,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YACtB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACX,CAAC,CAAC,IAAI,CACJ,YAAY,GAAG,OAAO,IAAI,CAAC,MAAM,gGAAgG,CAClI,CAAC;QACJ,CAAC;QACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IAED,SAAS;IACT,CAAC,CAAC,IAAI,CAAC,mBAAmB,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,EAAE,CAAC,CAAC;IACrE,IAAI,MAAM,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvC,CAAC,CAAC,IAAI,CAAC,0BAA0B,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,sBAAsB,OAAO,GAAG,CAAC,CAAC;IACzC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,gFAAgF,CAAC,CAAC;IAEzF,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACtB,CAAC"}
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* BOM (Bill of Materials) analyzer report shape.
|
|
3
|
+
*
|
|
4
|
+
* Joins the LICENSES and DEP_VULNS capabilities on (package, version)
|
|
5
|
+
* to produce one row per installed package with both the license
|
|
6
|
+
* inventory data the customer's spreadsheet needs (cols 1-9, 15) and
|
|
7
|
+
* the per-package vulnerability rollup (cols 11-13). Per-advisory
|
|
8
|
+
* detail stays attached to each row so the xlsx writer (10h.3.9)
|
|
9
|
+
* can render col 12 (Vulnerability Issues) as an enumerated list.
|
|
10
|
+
*/
|
|
11
|
+
import type { DepVulnFinding } from '../../languages/capabilities/types';
|
|
12
|
+
export type BomSeverity = 'critical' | 'high' | 'medium' | 'low';
|
|
13
|
+
export interface BomEntry {
|
|
14
|
+
package: string;
|
|
15
|
+
version: string;
|
|
16
|
+
licenseType: string;
|
|
17
|
+
licenseText?: string;
|
|
18
|
+
sourceUrl?: string;
|
|
19
|
+
description?: string;
|
|
20
|
+
supplier?: string;
|
|
21
|
+
releaseDate?: string;
|
|
22
|
+
vulns: DepVulnFinding[];
|
|
23
|
+
/** Highest severity across `vulns`; null when the package has no
|
|
24
|
+
* known vulnerabilities. Drives col 11 "Criticality of usage". */
|
|
25
|
+
maxSeverity: BomSeverity | null;
|
|
26
|
+
/** Tier-1 resolution proposal derived from `vulns[].fixedVersion`
|
|
27
|
+
* at gather time. Empty string when no vulns. Drives col 13
|
|
28
|
+
* "Resolution". Higher tiers (10h.4 snyk, 10h.6 osv-scanner fix)
|
|
29
|
+
* may overwrite this in future commits. */
|
|
30
|
+
upgradeAdvice: string;
|
|
31
|
+
/** Whether the package was reported by both the licenses scanner
|
|
32
|
+
* AND a dep-vuln scanner. False = vuln-only entry (license scanner
|
|
33
|
+
* didn't see it), which usually indicates a workspace/sub-package
|
|
34
|
+
* the license tool missed; surfaced in the detailed report so the
|
|
35
|
+
* user can decide whether to trust the license=UNKNOWN row. */
|
|
36
|
+
joinedFromBoth: boolean;
|
|
37
|
+
}
|
|
38
|
+
export interface BomReport {
|
|
39
|
+
repo: string;
|
|
40
|
+
analyzedAt: string;
|
|
41
|
+
commitSha: string;
|
|
42
|
+
branch: string;
|
|
43
|
+
/** Bumps when the report shape changes incompatibly. */
|
|
44
|
+
schemaVersion: '1';
|
|
45
|
+
summary: {
|
|
46
|
+
totalPackages: number;
|
|
47
|
+
/** Per-severity package count (one increment per package's
|
|
48
|
+
* maxSeverity, not per advisory). Matches what bom xlsx
|
|
49
|
+
* col 11 will summarize. */
|
|
50
|
+
bySeverity: Record<BomSeverity, number>;
|
|
51
|
+
/** Number of packages with at least one known vulnerability.
|
|
52
|
+
* Note: a single package may carry many advisories — see
|
|
53
|
+
* totalAdvisories for the per-vuln count. */
|
|
54
|
+
vulnerablePackages: number;
|
|
55
|
+
/** Number of vulnerable packages where every vuln has a
|
|
56
|
+
* fixedVersion (Tier-1 upgrade proposal is actionable). */
|
|
57
|
+
actionableVulns: number;
|
|
58
|
+
/** Total advisories across every vulnerable package (each row's
|
|
59
|
+
* vulns.length, summed). Reconciles with the count surfaced by
|
|
60
|
+
* `vyuh-dxkit vulnerabilities` — that command shows one tick
|
|
61
|
+
* per advisory; bom shows one row per package. */
|
|
62
|
+
totalAdvisories: number;
|
|
63
|
+
/** Packages found only by a vuln scanner — license scanner
|
|
64
|
+
* missed them. See BomEntry.joinedFromBoth. */
|
|
65
|
+
vulnOnlyPackages: number;
|
|
66
|
+
};
|
|
67
|
+
entries: ReadonlyArray<BomEntry>;
|
|
68
|
+
toolsUsed: string[];
|
|
69
|
+
toolsUnavailable: string[];
|
|
70
|
+
}
|
|
71
|
+
//# sourceMappingURL=types.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/analyzers/bom/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AAEzE,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEjE,MAAM,WAAW,QAAQ;IAEvB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAGhB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IAKrB,KAAK,EAAE,cAAc,EAAE,CAAC;IAExB;uEACmE;IACnE,WAAW,EAAE,WAAW,GAAG,IAAI,CAAC;IAEhC;;;gDAG4C;IAC5C,aAAa,EAAE,MAAM,CAAC;IAEtB;;;;oEAIgE;IAChE,cAAc,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,aAAa,EAAE,GAAG,CAAC;IACnB,OAAO,EAAE;QACP,aAAa,EAAE,MAAM,CAAC;QACtB;;qCAE6B;QAC7B,UAAU,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QACxC;;sDAE8C;QAC9C,kBAAkB,EAAE,MAAM,CAAC;QAC3B;oEAC4D;QAC5D,eAAe,EAAE,MAAM,CAAC;QACxB;;;2DAGmD;QACnD,eAAe,EAAE,MAAM,CAAC;QACxB;wDACgD;QAChD,gBAAgB,EAAE,MAAM,CAAC;KAC1B,CAAC;IACF,OAAO,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;IACjC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC5B"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/analyzers/bom/types.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Licenses analyzer — detailed report.
|
|
3
|
+
*
|
|
4
|
+
* Extends the base LicensesReport with risk-categorized findings and a
|
|
5
|
+
* ranked action list. Unlike security/test-gaps, licenses aren't
|
|
6
|
+
* graded — there's no "license score" — so actions are prioritized by
|
|
7
|
+
* legal risk tier (unknown → strong-copyleft → weak-copyleft →
|
|
8
|
+
* missing-attribution) rather than by projected score delta.
|
|
9
|
+
*
|
|
10
|
+
* Both the markdown formatter and the XLSX converter (Phase 10h.2.3)
|
|
11
|
+
* can consume this same `LicensesDetailedReport` shape.
|
|
12
|
+
*/
|
|
13
|
+
import type { LicenseFinding } from '../../languages/capabilities/types';
|
|
14
|
+
import type { LicensesReport } from './types';
|
|
15
|
+
export interface LicenseRiskCategory {
|
|
16
|
+
/** Severity tier for ordering and display. */
|
|
17
|
+
readonly priority: 'critical' | 'high' | 'medium' | 'low';
|
|
18
|
+
/** Short category key — stable across runs for programmatic filtering. */
|
|
19
|
+
readonly id: 'unknown-license' | 'strong-copyleft' | 'weak-copyleft' | 'missing-license-text' | 'missing-supplier';
|
|
20
|
+
readonly title: string;
|
|
21
|
+
readonly rationale: string;
|
|
22
|
+
readonly recommendation: string;
|
|
23
|
+
readonly affected: ReadonlyArray<LicenseFinding>;
|
|
24
|
+
}
|
|
25
|
+
export interface LicensesDetailedReport extends LicensesReport {
|
|
26
|
+
riskCategories: ReadonlyArray<LicenseRiskCategory>;
|
|
27
|
+
}
|
|
28
|
+
export declare function buildLicensesDetailed(report: LicensesReport): LicensesDetailedReport;
|
|
29
|
+
export declare function formatLicensesDetailedMarkdown(detailed: LicensesDetailedReport, elapsed: string): string;
|
|
30
|
+
//# sourceMappingURL=detailed.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"detailed.d.ts","sourceRoot":"","sources":["../../../src/analyzers/licenses/detailed.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AACzE,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AA6B9C,MAAM,WAAW,mBAAmB;IAClC,8CAA8C;IAC9C,QAAQ,CAAC,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IAC1D,0EAA0E;IAC1E,QAAQ,CAAC,EAAE,EACP,iBAAiB,GACjB,iBAAiB,GACjB,eAAe,GACf,sBAAsB,GACtB,kBAAkB,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,cAAc,CAAC,CAAC;CAClD;AAED,MAAM,WAAW,sBAAuB,SAAQ,cAAc;IAC5D,cAAc,EAAE,aAAa,CAAC,mBAAmB,CAAC,CAAC;CACpD;AAED,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,cAAc,GAAG,sBAAsB,CAwFpF;AASD,wBAAgB,8BAA8B,CAC5C,QAAQ,EAAE,sBAAsB,EAChC,OAAO,EAAE,MAAM,GACd,MAAM,CA4FR"}
|