@vyuhlabs/dxkit 2.1.0 → 2.2.1
- package/CHANGELOG.md +137 -0
- package/README.md +9 -9
- package/dist/analyzers/bom/gather.d.ts +12 -1
- package/dist/analyzers/bom/gather.d.ts.map +1 -1
- package/dist/analyzers/bom/gather.js +46 -0
- package/dist/analyzers/bom/gather.js.map +1 -1
- package/dist/analyzers/bom/index.d.ts.map +1 -1
- package/dist/analyzers/bom/index.js +37 -0
- package/dist/analyzers/bom/index.js.map +1 -1
- package/dist/analyzers/bom/types.d.ts +20 -0
- package/dist/analyzers/bom/types.d.ts.map +1 -1
- package/dist/analyzers/xlsx/bom.d.ts.map +1 -1
- package/dist/analyzers/xlsx/bom.js +11 -1
- package/dist/analyzers/xlsx/bom.js.map +1 -1
- package/dist/languages/capabilities/types.d.ts +1 -0
- package/dist/languages/capabilities/types.d.ts.map +1 -1
- package/dist/languages/csharp.d.ts +41 -6
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +225 -35
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts +35 -0
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +156 -0
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/python.d.ts +49 -0
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +202 -17
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/rust.d.ts +15 -0
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +93 -0
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/typescript.d.ts +17 -0
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +106 -0
- package/dist/languages/typescript.js.map +1 -1
- package/package.json +4 -3
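--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -7,6 +7,143 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.2.1] - 2026-04-23
+
+Patch release hardening the publish pipeline after `v2.2.0`'s Publish
+workflow failed with `403 — version already published`. The failure
+was caused by a local `npm publish` that preceded the
+Release-triggered CI publish, not a code defect — the tarball on npm
+byte-matches main. No functional changes in this release; all work
+is on the release path (tracked internally as D015).
+
+### Added — publish pipeline guardrails
+
+- **`scripts/require-ci.js` + `prepublishOnly` guard** — any `npm publish`
+invocation outside GitHub Actions now fails at the script hook with
+a clear error pointing to `CLAUDE.md §"Release procedure"`. Prevents
+accidental local publish before the registry is ever contacted.
+
+- **`publishConfig.provenance: true`** — npm publishes now carry a
+GitHub Actions provenance attestation. Provenance requires an OIDC
+token that only exists inside Actions; tarball-mode publishes
+(`npm publish *.tgz`, which skips `prepublishOnly`) also fail outside
+CI. Belt-and-suspenders with the script guard.
+
+- **Publish-workflow preflights** (`.github/workflows/publish.yml`) —
+before `npm publish` runs, the workflow now verifies (in order):
+1. tag `vX.Y.Z` matches `package.json` version `X.Y.Z`
+2. tagged commit is reachable from `origin/main` (blocks
+feature-branch tags)
+3. the `CI` workflow succeeded on the tagged commit SHA
+4. `X.Y.Z` is not already on npm (catches the exact 2.2.0 failure)
+
+- **Explicit pack + publish + verify** — workflow packs the tarball,
+records its sha1, publishes that exact file, then fetches
+`npm view dist.shasum` and fails on mismatch. Eliminates drift
+between "what npm packed" and "what we audited."
+
+- **Tarball workflow artifact** — every release archives the published
+`.tgz` as a workflow artifact (90-day retention) for post-mortem
+auditability.
+
+### Documented — `CLAUDE.md`
+
+New "Release procedure" section codifying PR → CI-green → merge → tag
+→ CI publishes as the only path. Explicit "no local `npm publish`"
+rule.
+
+## [2.2.0] - 2026-04-23
+
+Minor release adding Snyk-style top-level dep attribution across every
+language pack. Answers "which direct manifest dep do I upgrade to fix
+the most advisories" alongside the existing per-leaf-package reporting.
+Drop-in upgrade — additive `topLevelDep?: string[]` field, no schema
+bump required.
+
+### Added — top-level dep attribution (Phase 10h.4)
+
+- **`DepVulnFinding.topLevelDep?: string[]`** — per-advisory list of
+root manifest entries (direct + dev deps) that transitively pull the
+vulnerable package. Coarse name-level attribution (unions across
+multiple parents when the package is reachable from more than one
+top-level). Enables Snyk-style grouping: one advisory against
+`tar@7.5.9` surfaces as "under `@loopback/cli`" rather than just
+"tar has a CVE".
+
+- **TypeScript pack** — BFS over `package-lock.json` (v2/v3) from
+each root `dependencies` / `devDependencies` entry. Pure parser
+`buildTsTopLevelDepIndex` unit-tested; benchmark on
+`vyuhlabs-platform`: 71/71 findings attributed across 31 vulnerable
+packages, `@loopback/cli` rollup = 29 advisories (matches Snyk UI).
+
+- **Python pack** — BFS over `pip show` graph from packages with empty
+`Required-by`. Pure parsers `parsePipShowOutput` +
+`buildPyTopLevelDepIndex`. Venv detection now includes poetry
+(`poetry env info --path`), pipenv (`pipenv --venv`), and
+`$VIRTUAL_ENV` env var alongside the existing `.venv`/`venv` fast
+path — poetry with default `virtualenvs.in-project = false` now
+resolves.
+
+- **Go pack** — BFS over `go mod graph` output, with `go.mod`'s
+`// indirect` markers filtering the seed set so only user-declared
+direct deps become top-levels. Pure parsers `parseGoModDirectDeps` +
+`buildGoTopLevelDepIndex`.
+
+- **Rust pack** — BFS over `cargo metadata --format-version 1` resolve
+graph from each direct dep of `resolve.root`. Pure parser
+`buildRustTopLevelDepIndex`; maps package ids → names, collapses
+version variants.
+
+- **C# pack** — **two-part expansion**. First,
+`dotnet list package --vulnerable` now uses `--include-transitive`,
+so transitive vulns (previously invisible) are surfaced. Second,
+attribution comes from walking `obj/project.assets.json` — pure
+parsers `parseProjectAssetsJson` + `buildCsharpTopLevelDepIndex`.
+Direct findings carry self-attribution; transitive findings gain
+`topLevelDep` from the assets-json graph. Degrades gracefully when
+the lockfile is absent (user hasn't run `dotnet restore`).
+
+### Added — bom render surfaces top-level grouping
+
+- **`BomReport.summary.byTopLevelDep: Record<string, BomTopLevelRollup>`**
+where `BomTopLevelRollup = { advisoryCount, maxSeverity, packages[] }`.
+Multi-parent advisories increment counters for each top-level they
+list, matching Snyk's rollup semantics.
+
+- **Markdown "Top-Level Dep Groups" section** in `bom-<date>.md` —
+sorted by severity then advisory count. First row is the single
+upgrade that resolves the most critical/highest-volume issues. Caps
+at 30 top-levels, packages list truncated at 8 with "+N more".
+
+- **Xlsx col 12 annotation** — each advisory line gains
+` via <parent>` (single top-level) or ` via <parent> (+N more)`
+(multi-parent). Reviewer sees upgrade guidance directly in the
+spreadsheet cell. No suffix when `topLevelDep` is unset.
+
+### Fixed — TS dep-vuln finding dedupe
+
+- `gatherTsDepVulnsResult` now de-duplicates findings by
+`(package, installedVersion, id)`. npm-audit inlines the same
+advisory on every consumer's `via[]` across the vulnerability tree
+(e.g. minimatch's ReDoS appearing on `@loopback/cli`, `glob-parent`,
+`picomatch` simultaneously); the advisory-emission loop previously
+pushed N copies of one logical finding. Platform count 94 → 71,
+14 distinct dupe pairs → 0. Pre-existing from 2.1.0; caught during
+10h.4 evaluation.
+
+### Notes
+
+- Every pack degrades gracefully when its dep-graph source is missing:
+TS without `package-lock.json`, Python without a venv, Go without
+`go.mod`, Rust without `cargo metadata`, C# without
+`obj/project.assets.json`. Findings still emit; `topLevelDep` stays
+unset.
+
+- Release validated against `vyuhlabs-platform` TypeScript benchmark.
+Python/Go/Rust/C# packs exercised via fixture-based unit tests
+(+53 new tests across the 4 non-TS language test files); real-world
+validation lands with 2.3.0's cross-ecosystem benchmark fixtures.
+
 ## [2.1.0] - 2026-04-23
 
 Minor release adding two new analyzers and a shared XLSX converter.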
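--- a/package/README.md
+++ b/package/README.md
@@ -34,15 +34,15 @@ The two modes are complementary. The analyzers run anywhere; the scaffolder writ
 
 Seven deterministic analyzers. Each emits a markdown report to `.ai/reports/` and optional structured JSON.
 
-| Command | What it does
-| ----------------- |
-| `health` | 6-dimension score (Testing, Quality, Docs, Security, Maint, DX)
-| `vulnerabilities` | gitleaks + semgrep + per-pack dep-audit (per-advisory detail in `--detailed`)
-| `test-gaps` | Coverage artifact → import-graph → filename (strongest wins)
-| `quality` | Slop score + jscpd duplication + eslint/ruff + hygiene
-| `dev-report` | Commits, contributors, hot files, velocity, conventional %
-| `licenses` | Dependency license inventory across every active pack (TS/Python/Go/Rust/C#)
-| `bom` | **Bill of Materials** — joins licenses + vulnerabilities per package, 15-col XLSX | 10–40s | `.ai/reports/bom-<date>.{md,xlsx}` |
+| Command | What it does | Runtime | Output |
+| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- | ------------------------------------------ |
+| `health` | 6-dimension score (Testing, Quality, Docs, Security, Maint, DX) | 10–20s | `.ai/reports/health-audit-<date>.md` |
+| `vulnerabilities` | gitleaks + semgrep + per-pack dep-audit (per-advisory detail in `--detailed`) | 5–30s | `.ai/reports/vulnerability-scan-<date>.md` |
+| `test-gaps` | Coverage artifact → import-graph → filename (strongest wins) | <1s | `.ai/reports/test-gaps-<date>.md` |
+| `quality` | Slop score + jscpd duplication + eslint/ruff + hygiene | 5–15s | `.ai/reports/quality-review-<date>.md` |
+| `dev-report` | Commits, contributors, hot files, velocity, conventional % | <1s | `.ai/reports/developer-report-<date>.md` |
+| `licenses` | Dependency license inventory across every active pack (TS/Python/Go/Rust/C#) | 5–20s | `.ai/reports/licenses-<date>.md` |
+| `bom` | **Bill of Materials** — joins licenses + vulnerabilities per package, 15-col XLSX; groups advisories by top-level manifest dep (Snyk-style) | 10–40s | `.ai/reports/bom-<date>.{md,xlsx}` |
 
 Plus a converter: `vyuh-dxkit to-xlsx <json-file>` renders any `licenses` or `bom` detailed JSON as the canonical 15-column XLSX.
 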
@@ -5,7 +5,7 @@
|
|
|
5
5
|
* result sets to build a per-package join keyed by `package@version`.
|
|
6
6
|
*/
|
|
7
7
|
import type { DepVulnFinding } from '../../languages/capabilities/types';
|
|
8
|
-
import type { BomEntry } from './types';
|
|
8
|
+
import type { BomEntry, BomTopLevelRollup } from './types';
|
|
9
9
|
/**
|
|
10
10
|
* Compare two version strings as semver triples. Strips a leading
|
|
11
11
|
* 'v' (Go-pack convention) and compares dot-separated numeric
|
|
@@ -29,6 +29,17 @@ export declare function maxSemver(versions: string[]): string;
|
|
|
29
29
|
* picks the richest available value per package.
|
|
30
30
|
*/
|
|
31
31
|
export declare function deriveTier1Resolution(vulns: DepVulnFinding[]): string;
|
|
32
|
+
/**
|
|
33
|
+
* Build the per-top-level-dep rollup from a flat list of entries.
|
|
34
|
+
* Walks every advisory under every entry; increments the counter for
|
|
35
|
+
* each top-level the advisory lists (a vuln reachable from two
|
|
36
|
+
* top-levels increments both, matching Snyk's grouping semantics).
|
|
37
|
+
*
|
|
38
|
+
* Entries with no topLevelDep attribution contribute nothing — the
|
|
39
|
+
* rollup is best-effort based on what each pack populates. Pure
|
|
40
|
+
* function; unit-testable.
|
|
41
|
+
*/
|
|
42
|
+
export declare function buildByTopLevelDep(entries: BomEntry[]): Record<string, BomTopLevelRollup>;
|
|
32
43
|
/**
|
|
33
44
|
* Join LICENSES + DEP_VULNS by (package, version). Strategy:
|
|
34
45
|
* - Primary index: package@version. Both LicenseFinding and
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"gather.d.ts","sourceRoot":"","sources":["../../../src/analyzers/bom/gather.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAkB,MAAM,oCAAoC,CAAC;AACzF,OAAO,KAAK,EAAE,QAAQ,EAAe,MAAM,SAAS,CAAC;
|
|
1
|
+
{"version":3,"file":"gather.d.ts","sourceRoot":"","sources":["../../../src/analyzers/bom/gather.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAkB,MAAM,oCAAoC,CAAC;AACzF,OAAO,KAAK,EAAE,QAAQ,EAAe,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAIxE;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,MAAM,CAgB1D;AAED;mDACmD;AACnD,wBAAgB,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,MAAM,CAGpD;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,cAAc,EAAE,GAAG,MAAM,CAQrE;AAYD;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAkCzF;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,QAAQ,EAAE,CAAC;IACpB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CAiF5E"}
|
|
@@ -9,6 +9,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
9
9
|
exports.compareSemver = compareSemver;
|
|
10
10
|
exports.maxSemver = maxSemver;
|
|
11
11
|
exports.deriveTier1Resolution = deriveTier1Resolution;
|
|
12
|
+
exports.buildByTopLevelDep = buildByTopLevelDep;
|
|
12
13
|
exports.gatherBomEntries = gatherBomEntries;
|
|
13
14
|
const gather_1 = require("../licenses/gather");
|
|
14
15
|
const gather_2 = require("../security/gather");
|
|
@@ -78,6 +79,51 @@ function maxSeverityOf(vulns) {
|
|
|
78
79
|
}
|
|
79
80
|
return best;
|
|
80
81
|
}
|
|
82
|
+
/**
|
|
83
|
+
* Build the per-top-level-dep rollup from a flat list of entries.
|
|
84
|
+
* Walks every advisory under every entry; increments the counter for
|
|
85
|
+
* each top-level the advisory lists (a vuln reachable from two
|
|
86
|
+
* top-levels increments both, matching Snyk's grouping semantics).
|
|
87
|
+
*
|
|
88
|
+
* Entries with no topLevelDep attribution contribute nothing — the
|
|
89
|
+
* rollup is best-effort based on what each pack populates. Pure
|
|
90
|
+
* function; unit-testable.
|
|
91
|
+
*/
|
|
92
|
+
function buildByTopLevelDep(entries) {
|
|
93
|
+
const accum = new Map();
|
|
94
|
+
for (const e of entries) {
|
|
95
|
+
for (const v of e.vulns) {
|
|
96
|
+
const tops = v.topLevelDep;
|
|
97
|
+
if (!tops || tops.length === 0)
|
|
98
|
+
continue;
|
|
99
|
+
for (const top of tops) {
|
|
100
|
+
const cur = accum.get(top);
|
|
101
|
+
if (!cur) {
|
|
102
|
+
accum.set(top, {
|
|
103
|
+
advisoryCount: 1,
|
|
104
|
+
maxSeverity: v.severity,
|
|
105
|
+
packages: new Set([e.package]),
|
|
106
|
+
});
|
|
107
|
+
}
|
|
108
|
+
else {
|
|
109
|
+
cur.advisoryCount++;
|
|
110
|
+
if (SEV_RANK[v.severity] < SEV_RANK[cur.maxSeverity])
|
|
111
|
+
cur.maxSeverity = v.severity;
|
|
112
|
+
cur.packages.add(e.package);
|
|
113
|
+
}
|
|
114
|
+
}
|
|
115
|
+
}
|
|
116
|
+
}
|
|
117
|
+
const out = {};
|
|
118
|
+
for (const [top, data] of accum) {
|
|
119
|
+
out[top] = {
|
|
120
|
+
advisoryCount: data.advisoryCount,
|
|
121
|
+
maxSeverity: data.maxSeverity,
|
|
122
|
+
packages: [...data.packages].sort(),
|
|
123
|
+
};
|
|
124
|
+
}
|
|
125
|
+
return out;
|
|
126
|
+
}
|
|
81
127
|
async function gatherBomEntries(cwd) {
|
|
82
128
|
const [licensesEnv, depVulns] = await Promise.all([
|
|
83
129
|
(0, gather_1.gatherLicensesResult)(cwd),
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"gather.js","sourceRoot":"","sources":["../../../src/analyzers/bom/gather.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAgBH,sCAgBC;AAID,8BAGC;AAaD,sDAQC;
|
|
1
|
+
{"version":3,"file":"gather.js","sourceRoot":"","sources":["../../../src/analyzers/bom/gather.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAgBH,sCAgBC;AAID,8BAGC;AAaD,sDAQC;AAsBD,gDAkCC;AAsBD,4CAiFC;AAzND,+CAA0D;AAC1D,+CAAoD;AAIpD,MAAM,QAAQ,GAAgC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;AAE1F;;;;;;GAMG;AACH,SAAgB,aAAa,CAAC,CAAS,EAAE,CAAS;IAChD,MAAM,IAAI,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAChD,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;SACf,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAC/B,MAAM,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;SACf,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;IAC/B,IAAI,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5E,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC;IAC3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7B,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtB,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtB,IAAI,EAAE,KAAK,EAAE;YAAE,OAAO,EAAE,GAAG,EAAE,CAAC;IAChC,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED;mDACmD;AACnD,SAAgB,SAAS,CAAC,QAAkB;IAC1C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACrC,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,aAAa,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;AAC5E,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAgB,qBAAqB,CAAC,KAAuB;IAC3D,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAClC,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/E,IAAI,KAAK,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,EAAE,CAAC;QAClC,OAAO,yCAAyC,CAAC;IACnD,CAAC;IACD,MAAM,MAAM,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IAChC,OAAO,wBAAwB,MAAM,cAAc,KAAK,CAAC,MAAM,
QAAQ,KAAK,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC;AAC1G,CAAC;AAED,kDAAkD;AAClD,SAAS,aAAa,CAAC,KAAuB;IAC5C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,IAAI,GAAgB,KAAK,CAAC;IAC9B,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,IAAI,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,QAAQ,CAAC,IAAI,CAAC;YAAE,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC;IAC/D,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,kBAAkB,CAAC,OAAmB;IACpD,MAAM,KAAK,GAAG,IAAI,GAAG,EAGlB,CAAC;IACJ,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;YACxB,MAAM,IAAI,GAAG,CAAC,CAAC,WAAW,CAAC;YAC3B,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YACzC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAC3B,IAAI,CAAC,GAAG,EAAE,CAAC;oBACT,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE;wBACb,aAAa,EAAE,CAAC;wBAChB,WAAW,EAAE,CAAC,CAAC,QAAQ;wBACvB,QAAQ,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;qBAC/B,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,GAAG,CAAC,aAAa,EAAE,CAAC;oBACpB,IAAI,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC;wBAAE,GAAG,CAAC,WAAW,GAAG,CAAC,CAAC,QAAQ,CAAC;oBACnF,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;gBAC9B,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IACD,MAAM,GAAG,GAAsC,EAAE,CAAC;IAClD,KAAK,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,IAAI,KAAK,EAAE,CAAC;QAChC,GAAG,CAAC,GAAG,CAAC,GAAG;YACT,aAAa,EAAE,IAAI,CAAC,aAAa;YACjC,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,QAAQ,EAAE,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,IAAI,EAAE;SACpC,CAAC;IACJ,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAsBM,KAAK,UAAU,gBAAgB,CAAC,GAAW;IAChD,MAAM,CAAC,WAAW,EAAE,QAAQ,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAChD,IAAA,6BAAoB,EAAC,GAAG,CAAC;QACzB,IAAA,uBAAc,EAAC,GAAG,CAAC;KACpB,CAAC,CAAC;IAEH,MAAM,eAAe,GAAG,WAAW,EAAE,QAAQ,IAAI,EAAE,CAAC;IACpD,MAAM,YAAY,GAAG,QAAQ,CAAC,QAAQ,CAAC;IAEvC,mEAAmE;IACnE,MAAM,YAAY,GAAG,IAAI,GAAG,EAA4B,CAAC;IACzD,MAAM,SAAS,GAAG,IAAI,GAAG,EAA4B,CAAC;IACtD,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;QAC7B,IAAI,CAAC,CAAC,gBAAgB,EAAE,
CAAC;YACvB,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,gBAAgB,EAAE,CAAC;YACjD,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACxC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACZ,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAC7B,CAAC;QACD,MAAM,GAAG,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAC3C,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACZ,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IAChC,CAAC;IAED,MAAM,OAAO,GAAe,EAAE,CAAC;IAC/B,MAAM,eAAe,GAAG,IAAI,GAAG,EAAU,CAAC;IAC1C,KAAK,MAAM,GAAG,IAAI,eAAe,EAAE,CAAC;QAClC,MAAM,QAAQ,GAAG,GAAG,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;QACjD,IAAI,QAAQ,GAAG,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAC1C,IAAI,QAAQ,EAAE,CAAC;YACb,eAAe,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,6DAA6D;YAC7D,6DAA6D;YAC7D,8CAA8C;YAC9C,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YAC/C,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC;YAC7D,QAAQ,GAAG,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;QACvD,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC,CAAC;IAChD,CAAC;IAED,iEAAiE;IACjE,mEAAmE;IACnE,4CAA4C;IAC5C,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IACvE,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAA4B,CAAC;IAC7D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,YAAY,EAAE,CAAC;QACxC,IAAI,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QACvC,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;QAC7B,IAAI,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS,CAAC,oDAAoD;QAC5F,MAAM,GAAG,GAAG,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QAC5C,GAAG,CAAC,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC;QACnB,gBAAgB,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACjC,CAAC;IACD,KAAK,MAAM,CAAC,EAAE,KAAK,CAAC,IAAI,gBAAgB,EAAE,CAAC;QACzC,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACpB,MAAM,YAAY,GAAmB;YACnC,OAAO,EAAE,EAAE,CAAC,OAAO;YACnB,OAAO,EAAE,EAAE,CAAC,gBAAgB,IAAI,SAAS;YACzC,WAAW,EAAE,SAAS;SACvB,CAAC;QACF,OAAO,CAA
C,IAAI,CAAC,UAAU,CAAC,YAAY,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;IACvD,CAAC;IAED,mDAAmD;IACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,aAAa,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IAElG,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IACpC,IAAI,WAAW,EAAE,IAAI,EAAE,CAAC;QACtB,KAAK,MAAM,CAAC,IAAI,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;YAAE,IAAI,CAAC;gBAAE,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACxE,CAAC;IACD,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;QAClB,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;YAAE,IAAI,CAAC;gBAAE,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACrE,CAAC;IAED,OAAO;QACL,OAAO;QACP,SAAS,EAAE,CAAC,GAAG,SAAS,CAAC;QACzB,gBAAgB,EAAE,EAAE;KACrB,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CACjB,GAAmB,EACnB,KAAuB,EACvB,cAAuB;IAEvB,oEAAoE;IACpE,kEAAkE;IAClE,yDAAyD;IACzD,MAAM,YAAY,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACtF,OAAO;QACL,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,OAAO,EAAE,GAAG,CAAC,OAAO;QACpB,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,SAAS,EAAE,GAAG,CAAC,SAAS;QACxB,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,QAAQ,EAAE,GAAG,CAAC,QAAQ;QACtB,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,KAAK;QACL,WAAW,EAAE,aAAa,CAAC,KAAK,CAAC;QACjC,aAAa,EAAE,YAAY,IAAI,qBAAqB,CAAC,KAAK,CAAC;QAC3D,cAAc;KACf,CAAC;AACJ,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/analyzers/bom/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAMH,OAAO,KAAK,EAAY,SAAS,EAAe,MAAM,SAAS,CAAC;AAEhE,YAAY,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEnD,MAAM,WAAW,iBAAiB;IAChC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,wBAAsB,UAAU,CAC9B,QAAQ,EAAE,MAAM,EAChB,QAAQ,GAAE,iBAAsB,GAC/B,OAAO,CAAC,SAAS,CAAC,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/analyzers/bom/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAMH,OAAO,KAAK,EAAY,SAAS,EAAe,MAAM,SAAS,CAAC;AAEhE,YAAY,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEnD,MAAM,WAAW,iBAAiB;IAChC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,wBAAsB,UAAU,CAC9B,QAAQ,EAAE,MAAM,EAChB,QAAQ,GAAE,iBAAsB,GAC/B,OAAO,CAAC,SAAS,CAAC,CAsCpB;AASD,wBAAgB,eAAe,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CA8I1E"}
|
|
@@ -86,6 +86,7 @@ async function analyzeBom(repoPath, _options = {}) {
|
|
|
86
86
|
actionableVulns,
|
|
87
87
|
totalAdvisories,
|
|
88
88
|
vulnOnlyPackages,
|
|
89
|
+
byTopLevelDep: (0, gather_1.buildByTopLevelDep)(entries),
|
|
89
90
|
},
|
|
90
91
|
entries,
|
|
91
92
|
toolsUsed,
|
|
@@ -142,6 +143,42 @@ function formatBomReport(report, elapsed) {
|
|
|
142
143
|
}
|
|
143
144
|
L.push('---');
|
|
144
145
|
L.push('');
|
|
146
|
+
// Snyk-style top-level dep rollup — upgrade-oriented view answering
|
|
147
|
+
// "which single `npm install X` / `go get Y` resolves the most
|
|
148
|
+
// advisories". Only rendered when at least one finding carried
|
|
149
|
+
// topLevelDep attribution (packs that can't parse a lockfile/graph
|
|
150
|
+
// simply don't populate it).
|
|
151
|
+
const topLevelEntries = Object.entries(s.byTopLevelDep);
|
|
152
|
+
if (topLevelEntries.length > 0) {
|
|
153
|
+
L.push('## Top-Level Dep Groups');
|
|
154
|
+
L.push('');
|
|
155
|
+
L.push('Grouped by direct manifest dep so each row is one upgrade decision. ' +
|
|
156
|
+
'Sorted by severity, then advisory count — the top row is the single ' +
|
|
157
|
+
'upgrade that resolves the most critical/highest-volume issues.');
|
|
158
|
+
L.push('');
|
|
159
|
+
const SEV_RANK = { critical: 0, high: 1, medium: 2, low: 3 };
|
|
160
|
+
const sorted = topLevelEntries.sort((a, b) => SEV_RANK[a[1].maxSeverity] - SEV_RANK[b[1].maxSeverity] ||
|
|
161
|
+
b[1].advisoryCount - a[1].advisoryCount ||
|
|
162
|
+
a[0].localeCompare(b[0]));
|
|
163
|
+
const cap = 30;
|
|
164
|
+
const shown = sorted.slice(0, cap);
|
|
165
|
+
L.push('| Worst Severity | Top-Level Dep | Advisories | Vulnerable Packages |');
|
|
166
|
+
L.push('|----------------|---------------|-----------:|---------------------|');
|
|
167
|
+
for (const [top, r] of shown) {
|
|
168
|
+
const pkgCap = 8;
|
|
169
|
+
const pkgList = r.packages.length > pkgCap
|
|
170
|
+
? `${r.packages.slice(0, pkgCap).join(', ')}, +${r.packages.length - pkgCap} more`
|
|
171
|
+
: r.packages.join(', ');
|
|
172
|
+
L.push(`| ${SEV_BADGE[r.maxSeverity]} | \`${top}\` | ${r.advisoryCount} | ${pkgList} |`);
|
|
173
|
+
}
|
|
174
|
+
if (sorted.length > cap) {
|
|
175
|
+
L.push('');
|
|
176
|
+
L.push(`_Showing ${cap} of ${sorted.length} top-level deps with rolled-up advisories._`);
|
|
177
|
+
}
|
|
178
|
+
L.push('');
|
|
179
|
+
L.push('---');
|
|
180
|
+
L.push('');
|
|
181
|
+
}
|
|
145
182
|
// Vulnerable packages section — worst-first, one row per package
|
|
146
183
|
if (s.vulnerablePackages > 0) {
|
|
147
184
|
L.push('## Vulnerable Packages');
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/analyzers/bom/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAcH,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/analyzers/bom/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAcH,gCAyCC;AASD,0CA8IC;AA5MD,2CAA6B;AAC7B,yCAAsC;AACtC,4CAAsC;AACtC,qCAAgE;AASzD,KAAK,UAAU,UAAU,CAC9B,QAAgB,EAChB,WAA8B,EAAE;IAEhC,MAAM,KAAK,GAAG,IAAA,eAAM,EAAC,QAAQ,CAAC,CAAC;IAC/B,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,GAAG,MAAM,IAAA,yBAAgB,EAAC,QAAQ,CAAC,CAAC;IAElF,MAAM,UAAU,GAAgC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC5F,IAAI,kBAAkB,GAAG,CAAC,CAAC;IAC3B,IAAI,eAAe,GAAG,CAAC,CAAC;IACxB,IAAI,eAAe,GAAG,CAAC,CAAC;IACxB,IAAI,gBAAgB,GAAG,CAAC,CAAC;IACzB,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;YAClB,UAAU,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC;YAC5B,kBAAkB,EAAE,CAAC;YACrB,IAAI,CAAC,CAAC,aAAa,CAAC,UAAU,CAAC,WAAW,CAAC;gBAAE,eAAe,EAAE,CAAC;QACjE,CAAC;QACD,eAAe,IAAI,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC;QAClC,IAAI,CAAC,CAAC,CAAC,cAAc;YAAE,gBAAgB,EAAE,CAAC;IAC5C,CAAC;IAED,OAAO;QACL,IAAI,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAClD,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACpC,SAAS,EAAE,IAAA,YAAG,EAAC,wCAAwC,EAAE,QAAQ,CAAC;QAClE,MAAM,EAAE,IAAA,YAAG,EAAC,6CAA6C,EAAE,QAAQ,CAAC;QACpE,aAAa,EAAE,GAAG;QAClB,OAAO,EAAE;YACP,aAAa,EAAE,OAAO,CAAC,MAAM;YAC7B,UAAU;YACV,kBAAkB;YAClB,eAAe;YACf,eAAe;YACf,gBAAgB;YAChB,aAAa,EAAE,IAAA,2BAAkB,EAAC,OAAO,CAAC;SAC3C;QACD,OAAO;QACP,SAAS;QACT,gBAAgB;KACjB,CAAC;AACJ,CAAC;AAED,MAAM,SAAS,GAAgC;IAC7C,QAAQ,EAAE,UAAU;IACpB,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,QAAQ;IAChB,GAAG,EAAE,KAAK;CACX,CAAC;AAEF,SAAgB,eAAe,CAAC,MAAiB,EAAE,OAAe;IAChE,MAAM,CAAC,GAAa,EAAE,CAAC;IAEvB,CAAC,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;IAC3C,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,aAAa,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;IACtD,CAAC,CAAC,IAAI,CAAC,mBAAmB,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IACzC,CAAC,CAAC,IAAI,CAAC,eAAe,MAAM,CAAC,MAAM,KAAK,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC;IAC7D,CAAC,CAAC,IAAI
,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,UAAU;IACV,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC;IACzB,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACrB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,aAAa,yDAAyD,CAAC,CAAC;IACtF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,IAAI,CAAC,CAAC,kBAAkB,GAAG,CAAC,EAAE,CAAC;QAC7B,CAAC,CAAC,IAAI,CACJ,KAAK,CAAC,CAAC,kBAAkB,4CAA4C;YACnE,KAAK,CAAC,CAAC,eAAe,yBAAyB;YAC/C,oEAAoE;YACpE,+BAA+B;YAC/B,KAAK,CAAC,CAAC,eAAe,sDAAsD,CAC/E,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CACJ,+DAA+D;YAC7D,sCAAsC,CAAC,CAAC,eAAe,mBAAmB;YAC1E,qBAAqB,CAAC,CAAC,kBAAkB,uBAAuB;YAChE,+BAA+B,CAClC,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QAChE,CAAC,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QAChE,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,UAAU,CAAC,QAAQ,IAAI,CAAC,CAAC;QAClD,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC,CAAC;QAC9C,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,UAAU,CAAC,MAAM,IAAI,CAAC,CAAC;QAChD,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,CAAC;QAC7C,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IACD,IAAI,CAAC,CAAC,gBAAgB,GAAG,CAAC,EAAE,CAAC;QAC3B,CAAC,CAAC,IAAI,CACJ,QAAQ,CAAC,CAAC,gBAAgB,2DAA2D;YACnF,sEAAsE;YACtE,qEAAqE,CACxE,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,oEAAoE;IACpE,+DAA+D;IAC/D,+DAA+D;IAC/D,mEAAmE;IACnE,6BAA6B;IAC7B,MAAM,eAAe,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;IACxD,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,CAAC,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QAClC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CACJ,sEAAsE;YACpE,sEAAsE;YACtE,gEAAgE,CACnE,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,MAAM,QAAQ,GAAgC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAC1F,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,CACjC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CA
CP,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;YACvD,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa;YACvC,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAC3B,CAAC;QACF,MAAM,GAAG,GAAG,EAAE,CAAC;QACf,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACnC,CAAC,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;QAChF,CAAC,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;QAChF,KAAK,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,KAAK,EAAE,CAAC;YAC7B,MAAM,MAAM,GAAG,CAAC,CAAC;YACjB,MAAM,OAAO,GACX,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,MAAM;gBACxB,CAAC,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,MAAM,OAAO;gBAClF,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5B,CAAC,CAAC,IAAI,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,QAAQ,GAAG,QAAQ,CAAC,CAAC,aAAa,MAAM,OAAO,IAAI,CAAC,CAAC;QAC3F,CAAC;QACD,IAAI,MAAM,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YACxB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACX,CAAC,CAAC,IAAI,CAAC,YAAY,GAAG,OAAO,MAAM,CAAC,MAAM,6CAA6C,CAAC,CAAC;QAC3F,CAAC;QACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IAED,iEAAiE;IACjE,IAAI,CAAC,CAAC,kBAAkB,GAAG,CAAC,EAAE,CAAC;QAC7B,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QACjC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QAChE,CAAC,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;QACrE,CAAC,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;QAC3E,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,MAAM,QAAQ,GAAgC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAC1F,MAAM,IAAI,GAAe,MAAM,CAAC,OAAO;aACpC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC;aAC5B,IAAI,CACH,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACP,QAAQ,CAAC,CAAC,CAAC,WAAY,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,WAAY,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,CAC5F,CAAC;QACJ,MAAM,GAAG,GAAG,EAAE,CAAC;QACf,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CA
AC;QACjC,CAAC,CAAC,IAAI,CAAC,iEAAiE,CAAC,CAAC;QAC1E,CAAC,CAAC,IAAI,CAAC,iEAAiE,CAAC,CAAC;QAC1E,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,MAAM,MAAM,GAAG,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;YACrD,CAAC,CAAC,IAAI,CACJ,KAAK,SAAS,CAAC,CAAC,CAAC,WAAY,CAAC,QAAQ,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,QAAQ,CAAC,CAAC,WAAW,MAAM,CAAC,CAAC,KAAK,CAAC,MAAM,MAAM,MAAM,IAAI,CACtH,CAAC;QACJ,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YACtB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACX,CAAC,CAAC,IAAI,CACJ,YAAY,GAAG,OAAO,IAAI,CAAC,MAAM,gGAAgG,CAClI,CAAC;QACJ,CAAC;QACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IAED,SAAS;IACT,CAAC,CAAC,IAAI,CAAC,mBAAmB,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,EAAE,CAAC,CAAC;IACrE,IAAI,MAAM,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvC,CAAC,CAAC,IAAI,CAAC,0BAA0B,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,sBAAsB,OAAO,GAAG,CAAC,CAAC;IACzC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,gFAAgF,CAAC,CAAC;IAEzF,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACtB,CAAC"}
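--- a/package/dist/analyzers/bom/types.d.ts
+++ b/package/dist/analyzers/bom/types.d.ts
@@ -35,6 +35,21 @@ export interface BomEntry {
 * user can decide whether to trust the license=UNKNOWN row. */
 joinedFromBoth: boolean;
 }
+/**
+* Per-top-level-dep aggregation. A single advisory may roll up under
+* multiple top-levels (e.g. lodash reachable from 20 loopback packages),
+* in which case each top-level's `advisoryCount` increments by one.
+* Matches Snyk's UI rollup: "@loopback/cli has 49 advisories".
+*/
+export interface BomTopLevelRollup {
+/** Total advisories rolled up under this top-level. */
+advisoryCount: number;
+/** Highest severity across all rolled-up advisories. */
+maxSeverity: BomSeverity;
+/** Distinct vulnerable package names reachable under this top-level.
+* Rendered in markdown as a comma-joined list; cap in renderer. */
+packages: string[];
+}
 export interface BomReport {
 repo: string;
 analyzedAt: string;
@@ -63,6 +78,11 @@ export interface BomReport {
 /** Packages found only by a vuln scanner — license scanner
 * missed them. See BomEntry.joinedFromBoth. */
 vulnOnlyPackages: number;
+/** Snyk-style upgrade-oriented grouping: per-top-level-dep rollup
+* built from `vulns[].topLevelDep`. Empty when no findings carry
+* topLevelDep attribution (e.g. pre-10h.4 packs or projects
+* without a parseable dep graph). */
+byTopLevelDep: Record<string, BomTopLevelRollup>;
 };
 entries: ReadonlyArray<BomEntry>;
 toolsUsed: string[];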
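Review bot: `byTopLevelDep: Record<string, BomTopLevelRollup>` is keyed by dependency names that come straight out of scanned manifests and lockfiles, so a plain object here carries the usual dynamic-key hazards — a name such as `constructor` or `__proto__` collides with `Object.prototype` members unless the gather side builds the object from `Object.create(null)`. The C# declarations added in this same release model the equivalent name-keyed data as `Map<string, Set<string>>` and `Map<string, string[]>`, so `Map<string, BomTopLevelRollup>` would be both safer and consistent; if the serialised report shape must stay a plain object, the TSDoc should at least say the key is the top-level package name. The comment on `packages` defers a size cap to "the renderer", but no renderer change is visible in this diff, so I cannot confirm the cap exists.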
@@ -1 +1 @@
1
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/analyzers/bom/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AAEzE,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEjE,MAAM,WAAW,QAAQ;IAEvB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAGhB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IAKrB,KAAK,EAAE,cAAc,EAAE,CAAC;IAExB;uEACmE;IACnE,WAAW,EAAE,WAAW,GAAG,IAAI,CAAC;IAEhC;;;gDAG4C;IAC5C,aAAa,EAAE,MAAM,CAAC;IAEtB;;;;oEAIgE;IAChE,cAAc,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,aAAa,EAAE,GAAG,CAAC;IACnB,OAAO,EAAE;QACP,aAAa,EAAE,MAAM,CAAC;QACtB;;qCAE6B;QAC7B,UAAU,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QACxC;;sDAE8C;QAC9C,kBAAkB,EAAE,MAAM,CAAC;QAC3B;oEAC4D;QAC5D,eAAe,EAAE,MAAM,CAAC;QACxB;;;2DAGmD;QACnD,eAAe,EAAE,MAAM,CAAC;QACxB;wDACgD;QAChD,gBAAgB,EAAE,MAAM,CAAC;
1
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/analyzers/bom/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AAEzE,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEjE,MAAM,WAAW,QAAQ;IAEvB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAGhB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IAKrB,KAAK,EAAE,cAAc,EAAE,CAAC;IAExB;uEACmE;IACnE,WAAW,EAAE,WAAW,GAAG,IAAI,CAAC;IAEhC;;;gDAG4C;IAC5C,aAAa,EAAE,MAAM,CAAC;IAEtB;;;;oEAIgE;IAChE,cAAc,EAAE,OAAO,CAAC;CACzB;AAED;;;;;GAKG;AACH,MAAM,WAAW,iBAAiB;IAChC,uDAAuD;IACvD,aAAa,EAAE,MAAM,CAAC;IACtB,wDAAwD;IACxD,WAAW,EAAE,WAAW,CAAC;IACzB;wEACoE;IACpE,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,aAAa,EAAE,GAAG,CAAC;IACnB,OAAO,EAAE;QACP,aAAa,EAAE,MAAM,CAAC;QACtB;;qCAE6B;QAC7B,UAAU,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QACxC;;sDAE8C;QAC9C,kBAAkB,EAAE,MAAM,CAAC;QAC3B;oEAC4D;QAC5D,eAAe,EAAE,MAAM,CAAC;QACxB;;;2DAGmD;QACnD,eAAe,EAAE,MAAM,CAAC;QACxB;wDACgD;QAChD,gBAAgB,EAAE,MAAM,CAAC;QACzB;;;8CAGsC;QACtC,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;KAClD,CAAC;IACF,OAAO,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;IACjC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC5B"}
@@ -1 +1 @@
1
-
{"version":3,"file":"bom.d.ts","sourceRoot":"","sources":["../../../src/analyzers/xlsx/bom.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAIH,OAAO,KAAK,EAAE,SAAS,EAAe,MAAM,cAAc,CAAC;AAqC3D;;;;GAIG;AACH,wBAAsB,SAAS,CAAC,MAAM,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,
1
+
{"version":3,"file":"bom.d.ts","sourceRoot":"","sources":["../../../src/analyzers/xlsx/bom.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAIH,OAAO,KAAK,EAAE,SAAS,EAAe,MAAM,cAAc,CAAC;AAqC3D;;;;GAIG;AACH,wBAAsB,SAAS,CAAC,MAAM,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAkFlE"}
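--- a/package/dist/analyzers/xlsx/bom.js
+++ b/package/dist/analyzers/xlsx/bom.js
@@ -95,7 +95,17 @@ async function toBomXlsx(report) {
 const vulnLines = sortedVulns.map((v) => {
 const title = (v.summary ?? '').replace(/\s+/g, ' ').trim().slice(0, ADVISORY_SUMMARY_MAX);
 const cvss = v.cvssScore !== undefined ? ` [CVSS ${v.cvssScore.toFixed(1)}]` : '';
-
+// Top-level attribution: tells the reviewer which direct manifest
+// dep to upgrade. Missing when the pack couldn't parse the graph
+// (e.g. TS repo with no lockfile) — silent in that case so the
+// column stays clean.
+const tops = v.topLevelDep ?? [];
+let via = '';
+if (tops.length === 1)
+via = ` via ${tops[0]}`;
+else if (tops.length > 1)
+via = ` via ${tops[0]} (+${tops.length - 1} more)`;
+return title ? `${v.id}${cvss}${via}: ${title}` : `${v.id}${cvss}${via}`;
 });
 const vulnerabilityIssues = e.vulns.length === 0 ? NO_VULNS_ISSUES : vulnLines.join('; ');
 const resolution = e.vulns.length === 0 ? NO_VULNS_RESOLUTION : e.upgradeAdvice;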
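Review bot: `tops[0]` is interpolated into the cell verbatim, while `title` a few lines above is whitespace-normalised, trimmed and capped at `ADVISORY_SUMMARY_MAX`; a top-level name is lockfile-controlled text, so it deserves the same treatment before it lands in the spreadsheet, at least `.replace(/\s+/g, ' ').trim()` and a length cap. The new return line also spells the `${v.id}${cvss}${via}` prefix twice; ``const head = `${v.id}${cvss}${via}`;`` followed by ``return title ? `${head}: ${title}` : head;`` keeps the two branches from drifting apart. The added comment says attribution is "missing when the pack couldn't parse the graph", but `?? []` plus the length checks also silence an explicitly empty array — if those two cases are meant to read the same, a word in the comment would make that deliberate. toBomXlsx's body starts and ends outside the hunk, and the content of the removed line is not shown on this page.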
@@ -1 +1 @@
1
-
{"version":3,"file":"bom.js","sourceRoot":"","sources":["../../../src/analyzers/xlsx/bom.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;GAkBG;;;;;AA8CH,
1
+
{"version":3,"file":"bom.js","sourceRoot":"","sources":["../../../src/analyzers/xlsx/bom.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;GAkBG;;;;;AA8CH,8BAkFC;AA9HD,sDAA8B;AAG9B,yCAAyC;AAEzC;;2CAE2C;AAC3C,MAAM,cAAc,GAAG,KAAK,CAAC;AAE7B;yEACyE;AACzE,MAAM,oBAAoB,GAAG,GAAG,CAAC;AAEjC;;wCAEwC;AACxC,SAAS,QAAQ,CAAC,CAAqB;IACrC,IAAI,CAAC,CAAC;QAAE,OAAO,EAAE,CAAC;IAClB,IAAI,CAAC,GAAG,EAAE,CAAC;IACX,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,MAAM,IAAI,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAC7B,IAAI,IAAI,GAAG,IAAI,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,IAAI;YAAE,SAAS;QAC7E,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IACZ,CAAC;IACD,IAAI,CAAC,CAAC,MAAM,GAAG,cAAc,EAAE,CAAC;QAC9B,MAAM,MAAM,GAAG,wEAAwE,CAAC;QACxF,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC;IAC1D,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,SAAS,GAAgC;IAC7C,QAAQ,EAAE,UAAU;IACpB,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,QAAQ;IAChB,GAAG,EAAE,KAAK;CACX,CAAC;AAEF;;;;GAIG;AACI,KAAK,UAAU,SAAS,CAAC,MAAiB;IAC/C,MAAM,EAAE,GAAG,IAAI,iBAAO,CAAC,QAAQ,EAAE,CAAC;IAClC,EAAE,CAAC,OAAO,GAAG,YAAY,CAAC;IAC1B,EAAE,CAAC,OAAO,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAEzC,MAAM,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;IACvC,EAAE,CAAC,MAAM,CAAC,sBAAuB,CAAC,CAAC;IACnC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IAEnC,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClD,MAAM,IAAI,GAAG,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IAEpF,yEAAyE;IACzE,uEAAuE;IACvE,iEAAiE;IACjE,MAAM,oBAAoB,GAAG,MAAM,CAAC;IACpC,MAAM,eAAe,GAAG,MAAM,CAAC;IAC/B,MAAM,mBAAmB,GAAG,oBAAoB,CAAC;IAEjD,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,6DAA6D;QAC7D,MAAM,WAAW,GAAG,CAAC,CAAC,WAAW;YAC/B,CAAC,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,C
AAC,GAAG,GAAG;YAC1F,CAAC,CAAC,oBAAoB,CAAC;QAEzB,kEAAkE;QAClE,+DAA+D;QAC/D,yDAAyD;QACzD,MAAM,QAAQ,GAAgC;YAC5C,QAAQ,EAAE,CAAC;YACX,IAAI,EAAE,CAAC;YACP,MAAM,EAAE,CAAC;YACT,GAAG,EAAE,CAAC;SACP,CAAC;QACF,MAAM,WAAW,GAAG,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,CACnC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC,CAClF,CAAC;QACF,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;YACtC,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,oBAAoB,CAAC,CAAC;YAC3F,MAAM,IAAI,GAAG,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAClF,kEAAkE;YAClE,iEAAiE;YACjE,+DAA+D;YAC/D,sBAAsB;YACtB,MAAM,IAAI,GAAG,CAAC,CAAC,WAAW,IAAI,EAAE,CAAC;YACjC,IAAI,GAAG,GAAG,EAAE,CAAC;YACb,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;gBAAE,GAAG,GAAG,QAAQ,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;iBAC1C,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;gBAAE,GAAG,GAAG,QAAQ,IAAI,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,GAAG,CAAC,QAAQ,CAAC;YAC7E,OAAO,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,IAAI,GAAG,GAAG,KAAK,KAAK,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,IAAI,GAAG,GAAG,EAAE,CAAC;QAC3E,CAAC,CAAC,CAAC;QACH,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1F,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC;QAEhF,EAAE,CAAC,MAAM,CAAC;YACR,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,QAAQ;YAC7B,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,QAAQ;YAC7B,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,QAAQ;YACjC,YAAY,EAAE,iBAAiB;YAC/B,YAAY,UAAU,EAAE,EAAE,0BAA0B;YACpD,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,QAAQ;YAC/B,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,QAAQ;YACjC,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,QAAQ;YACjC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,QAAQ;YAC9B,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,wCAAwC;YACjE,uDAAuD;YACvD,QAAQ,CAAC,
WAAW,CAAC,EAAE,oBAAoB;YAC3C,QAAQ,CAAC,mBAAmB,CAAC,EAAE,oBAAoB;YACnD,QAAQ,CAAC,UAAU,CAAC,EAAE,oBAAoB;YAC1C,EAAE,EAAE,gEAAgE;YACpE,GAAG,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,SAAS;SACvC,CAAC,CAAC;IACL,CAAC;IAED,oEAAoE;IACpE,iEAAiE;IACjE,MAAM,MAAM,GAAG,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IAC5E,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;QAC5B,IAAI,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC;YAAE,GAAG,CAAC,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;IACxC,OAAO,MAAM,CAAC,IAAI,CAAC,GAAkB,CAAC,CAAC;AACzC,CAAC"}
@@ -1 +1 @@
1
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/languages/capabilities/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gCAAgC,CAAC;AAE/D,8DAA8D;AAC9D,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb;AAED,sDAAsD;AACtD,MAAM,WAAW,kBAAkB;IACjC,iEAAiE;IACjE,QAAQ,CAAC,aAAa,EAAE,CAAC,CAAC;IAC1B,wEAAwE;IACxE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,cAAc;IAE7B,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAI1B,IAAI,EAAE,MAAM,CAAC;IAIb,QAAQ,EAAE,MAAM,cAAc,CAAC;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;IAInB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,eAAe,CAAC,EAAE,OAAO,CAAC;IAK1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IAInB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;
1
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/languages/capabilities/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,gCAAgC,CAAC;AAE/D,8DAA8D;AAC9D,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb;AAED,sDAAsD;AACtD,MAAM,WAAW,kBAAkB;IACjC,iEAAiE;IACjE,QAAQ,CAAC,aAAa,EAAE,CAAC,CAAC;IAC1B,wEAAwE;IACxE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,cAAc;IAE7B,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAI1B,IAAI,EAAE,MAAM,CAAC;IAIb,QAAQ,EAAE,MAAM,cAAc,CAAC;IAC/B,SAAS,CAAC,EAAE,MAAM,CAAC;IAInB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,eAAe,CAAC,EAAE,OAAO,CAAC;IAK1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IAInB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IAWtB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;CACxB;AAED,2DAA2D;AAC3D,MAAM,WAAW,aAAc,SAAQ,kBAAkB;IACvD,6DAA6D;IAC7D,MAAM,EAAE,cAAc,CAAC;IACvB,sEAAsE;IACtE,UAAU,EAAE,SAAS,GAAG,IAAI,CAAC;IAC7B,oEAAoE;IACpE,QAAQ,CAAC,EAAE,cAAc,EAAE,CAAC;CAC7B;AAED,kGAAkG;AAClG,MAAM,WAAW,UAAW,SAAQ,kBAAkB;IACpD,MAAM,EAAE,cAAc,CAAC;CACxB;AAED,gFAAgF;AAChF,MAAM,WAAW,cAAe,SAAQ,kBAAkB;IACxD,QAAQ,EAAE,QAAQ,CAAC;CACpB;AAED,0DAA0D;AAC1D,MAAM,WAAW,mBAAoB,SAAQ,kBAAkB;IAC7D,mGAAmG;IACnG,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,WAAW,aAAc,SAAQ,kBAAkB;IACvD,QAAQ,CAAC,gBAAgB,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACjD,QAAQ,CAAC,SAAS,EAAE,WAAW,CAAC,MAAM,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC;IAC/D,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;CAC1D;AAED,sDAAsD;AACtD,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,+EAA+E;IAC/E,WAAW,EAAE,MAAM,CAAC;IACpB,oEAAoE;IACpE,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,4CAA4C;IAC5C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2EAA2E;IAC
3E,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,mCAAmC;IACnC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,mEAAmE;IACnE,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,cAAe,SAAQ,kBAAkB;IACxD,QAAQ,EAAE,aAAa,CAAC,cAAc,CAAC,CAAC;CACzC;AAED,qDAAqD;AACrD,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,cAAc,CAAC;IAC/B,wFAAwF;IACxF,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,aAAc,SAAQ,kBAAkB;IACvD,QAAQ,EAAE,aAAa,CAAC,aAAa,CAAC,CAAC;IACvC,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,0DAA0D;AAC1D,MAAM,WAAW,kBAAkB;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,cAAc,CAAC;IAC/B,mFAAmF;IACnF,KAAK,EAAE,MAAM,CAAC;IACd,qFAAqF;IACrF,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,kBAAmB,SAAQ,kBAAkB;IAC5D,QAAQ,EAAE,aAAa,CAAC,kBAAkB,CAAC,CAAC;IAC5C,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,kEAAkE;AAClE,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,iEAAiE;AACjE,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,CAAC,EAAE,oBAAoB,CAAC;IACxB,CAAC,EAAE,oBAAoB,CAAC;CACzB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,iBAAkB,SAAQ,kBAAkB;IAC3D,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,MAAM,CAAC;IACxB,mCAAmC;IACnC,UAAU,EAAE,MAAM,CAAC;IACnB,8EAA8E;IAC9E,UAAU,EAAE,MAAM,CAAC;IACnB,0DAA0D;IAC1D,SAAS,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;CAC5C;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,gBAAiB,SAAQ,kBAAkB;IAC1D,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,oBAAoB,EAAE,MAAM,CAAC;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,2EAA2E;IAC3E,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,eAAe,EAAE,MAAM,CAAC;IACxB,sFAAsF;IACtF,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,oBAAoB,GAC5B;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,QAAQ,EAAE,aAAa,CAAA;CAAE,GAC5C;IAAE,IAAI,EAAE,cAAc,CAAA;CAAE,GACxB;IAAE,IAAI,EAAE,aAAa,CAAA;CAAE,GACvB;IAAE,IAAI,EAAE,WAAW,CAAA;CAAE,CAAC;AAE1B;;;;;GAKG;AACH,MAAM,MAAM,iBAAiB,GACzB;IAAE,IA
AI,EAAE,SAAS,CAAC;IAAC,QAAQ,EAAE,UAAU,CAAA;CAAE,GACzC;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC"}
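--- a/package/dist/languages/csharp.d.ts
+++ b/package/dist/languages/csharp.d.ts
@@ -3,17 +3,52 @@ import type { DepVulnFinding, SeverityCounts } from './capabilities/types';
 import type { LanguageSupport } from './types';
 export declare function parseCoberturaXml(raw: string, sourceFile: string, cwd: string): Coverage | null;
 /**
-* Pure parser for `dotnet list package --vulnerable --
-* Extracted from the gather function so it can be
-* a real .NET SDK on the dev machine (10h.5
-* runs the full pipeline). Returns null when
-* otherwise returns counts + findings ready
-* enrichment.
+* Pure parser for `dotnet list package --vulnerable --include-transitive
+* --format json`. Extracted from the gather function so it can be
+* unit-tested without a real .NET SDK on the dev machine (10h.5
+* release-time validation runs the full pipeline). Returns null when
+* the input is malformed; otherwise returns counts + findings ready
+* for downstream alias enrichment + top-level attribution.
+*
+* Both top-level and transitive packages are iterated. Top-level
+* findings carry `topLevelDep = [self]` (they ARE manifest deps);
+* transitive findings emit with `topLevelDep` unset — the gather
+* function then fills it from `project.assets.json` if available.
+* Leaving attribution unset on transitives when assets.json is absent
+* matches Python's venv-missing behavior: degrade gracefully rather
+* than invent false parents.
 */
 export declare function parseDotnetVulnerableOutput(raw: string): {
 counts: SeverityCounts;
 findings: DepVulnFinding[];
 } | null;
+/**
+* Pure parser for `obj/project.assets.json`. Extracts the forward
+* dep graph keyed by package name (collapsing versions — same as
+* TS/Go/Rust packs) plus the set of top-level (direct manifest)
+* package names across every target framework declared in `project`.
+*
+* Multi-framework projects: graphs are merged across target
+* frameworks into a single name-level edge map. Top-level set is
+* the union of declared direct deps across frameworks. This
+* over-attributes slightly if a package is direct in netstandard2.0
+* but transitive in net8.0 — it gets listed as a top-level — but the
+* simplification beats per-framework multi-reporting complexity.
+*/
+export declare function parseProjectAssetsJson(raw: string): {
+topLevels: string[];
+edges: Map<string, Set<string>>;
+} | null;
+/**
+* BFS the parsed asset graph to produce a per-package-name index of
+* its top-level ancestors. Mirrors `buildTsTopLevelDepIndex` /
+* `buildRustTopLevelDepIndex` in shape and semantics; attribution is
+* coarse (name-level) and unions across multiple reachable parents.
+*/
+export declare function buildCsharpTopLevelDepIndex(parsed: {
+topLevels: ReadonlyArray<string>;
+edges: ReadonlyMap<string, ReadonlySet<string>>;
+}): Map<string, string[]>;
 /**
 * Capture C# `using` directives from source text, including
 * `using static Foo`, aliased (`using X = Foo.Bar`), and plain forms.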
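Review bot: The new `parseProjectAssetsJson` declaration returns `... | null`, but its TSDoc — unlike the one on `parseDotnetVulnerableOutput` directly above it — never says when null comes back; a line such as `* Returns null when raw is not a parseable assets file; the gather side then leaves transitive findings unattributed.` would make the contract explicit, and the unattributed fallback is what the preceding comment already describes. Likewise `buildCsharpTopLevelDepIndex` does not state whether a package with no reachable top-level is absent from the returned Map or present with an empty array; the bom.js consumer in this diff tolerates either via `?? []` and length checks, but a caller doing `index.get(name)` will not know which to expect. These are declarations only, so I cannot confirm the implemented behaviour; csharp.js is not in view.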
@@ -1 +1 @@
1
-
{"version":3,"file":"csharp.d.ts","sourceRoot":"","sources":["../../src/languages/csharp.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,QAAQ,EAAgB,MAAM,6BAA6B,CAAC;AAM1E,OAAO,KAAK,EAEV,cAAc,EAQd,cAAc,EAEf,MAAM,sBAAsB,CAAC;AAC9B,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAwD/C,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,QAAQ,GAAG,IAAI,CAoC/F;
1
+
{"version":3,"file":"csharp.d.ts","sourceRoot":"","sources":["../../src/languages/csharp.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,QAAQ,EAAgB,MAAM,6BAA6B,CAAC;AAM1E,OAAO,KAAK,EAEV,cAAc,EAQd,cAAc,EAEf,MAAM,sBAAsB,CAAC;AAC9B,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAwD/C,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,QAAQ,GAAG,IAAI,CAoC/F;AAuGD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,2BAA2B,CACzC,GAAG,EAAE,MAAM,GACV;IAAE,MAAM,EAAE,cAAc,CAAC;IAAC,QAAQ,EAAE,cAAc,EAAE,CAAA;CAAE,GAAG,IAAI,CA0D/D;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,sBAAsB,CACpC,GAAG,EAAE,MAAM,GACV;IAAE,SAAS,EAAE,MAAM,EAAE,CAAC;IAAC,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC,CAAA;CAAE,GAAG,IAAI,CAqCjE;AAED;;;;;GAKG;AACH,wBAAgB,2BAA2B,CAAC,MAAM,EAAE;IAClD,SAAS,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACjC,KAAK,EAAE,WAAW,CAAC,MAAM,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC;CACjD,GAAG,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAsBxB;AAgPD;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,EAAE,CAQjE;AAsKD,eAAO,MAAM,MAAM,EAAE,eAsCpB,CAAC"}