@vyuhlabs/dxkit 2.10.0 → 2.11.0
- package/CHANGELOG.md +98 -0
- package/dist/allowlist/cli.d.ts +23 -23
- package/dist/allowlist/cli.d.ts.map +1 -1
- package/dist/allowlist/cli.js +72 -34
- package/dist/allowlist/cli.js.map +1 -1
- package/dist/allowlist/file.d.ts +7 -1
- package/dist/allowlist/file.d.ts.map +1 -1
- package/dist/allowlist/file.js +7 -1
- package/dist/allowlist/file.js.map +1 -1
- package/dist/analysis-result.d.ts +10 -0
- package/dist/analysis-result.d.ts.map +1 -1
- package/dist/analyzers/cache.d.ts +1 -0
- package/dist/analyzers/cache.d.ts.map +1 -1
- package/dist/analyzers/cache.js +69 -0
- package/dist/analyzers/cache.js.map +1 -1
- package/dist/analyzers/security/aggregator.d.ts +90 -90
- package/dist/analyzers/security/aggregator.d.ts.map +1 -1
- package/dist/analyzers/security/aggregator.js +140 -56
- package/dist/analyzers/security/aggregator.js.map +1 -1
- package/dist/analyzers/security/gather.d.ts +2 -0
- package/dist/analyzers/security/gather.d.ts.map +1 -1
- package/dist/analyzers/security/gather.js +30 -4
- package/dist/analyzers/security/gather.js.map +1 -1
- package/dist/analyzers/security/types.d.ts +29 -7
- package/dist/analyzers/security/types.d.ts.map +1 -1
- package/dist/analyzers/tools/fingerprint.d.ts +133 -20
- package/dist/analyzers/tools/fingerprint.d.ts.map +1 -1
- package/dist/analyzers/tools/fingerprint.js +194 -20
- package/dist/analyzers/tools/fingerprint.js.map +1 -1
- package/dist/analyzers/tools/gitleaks.d.ts +2 -2
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
- package/dist/analyzers/tools/gitleaks.js +7 -1
- package/dist/analyzers/tools/gitleaks.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +28 -0
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/grep-secrets.d.ts.map +1 -1
- package/dist/analyzers/tools/grep-secrets.js +22 -12
- package/dist/analyzers/tools/grep-secrets.js.map +1 -1
- package/dist/analyzers/tools/salt.d.ts +68 -0
- package/dist/analyzers/tools/salt.d.ts.map +1 -0
- package/dist/{baseline → analyzers/tools}/salt.js +59 -18
- package/dist/analyzers/tools/salt.js.map +1 -0
- package/dist/analyzers/tools/semgrep.d.ts +7 -7
- package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
- package/dist/analyzers/tools/semgrep.js +14 -7
- package/dist/analyzers/tools/semgrep.js.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +4 -4
- package/dist/baseline/baseline-file.d.ts +9 -2
- package/dist/baseline/baseline-file.d.ts.map +1 -1
- package/dist/baseline/baseline-file.js.map +1 -1
- package/dist/baseline/check-renderers.d.ts.map +1 -1
- package/dist/baseline/check-renderers.js +14 -0
- package/dist/baseline/check-renderers.js.map +1 -1
- package/dist/baseline/check.d.ts +33 -0
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +78 -2
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/create.d.ts +1 -1
- package/dist/baseline/create.d.ts.map +1 -1
- package/dist/baseline/create.js +3 -1
- package/dist/baseline/create.js.map +1 -1
- package/dist/baseline/finding-identity.d.ts +20 -13
- package/dist/baseline/finding-identity.d.ts.map +1 -1
- package/dist/baseline/finding-identity.js +51 -20
- package/dist/baseline/finding-identity.js.map +1 -1
- package/dist/baseline/migrate.d.ts +94 -0
- package/dist/baseline/migrate.d.ts.map +1 -0
- package/dist/baseline/migrate.js +238 -0
- package/dist/baseline/migrate.js.map +1 -0
- package/dist/baseline/producers/security.d.ts +9 -9
- package/dist/baseline/producers/security.d.ts.map +1 -1
- package/dist/baseline/producers/security.js +16 -4
- package/dist/baseline/producers/security.js.map +1 -1
- package/dist/baseline/types.d.ts +145 -95
- package/dist/baseline/types.d.ts.map +1 -1
- package/dist/baseline/types.js +30 -26
- package/dist/baseline/types.js.map +1 -1
- package/dist/explore/finding-context.d.ts +17 -0
- package/dist/explore/finding-context.d.ts.map +1 -1
- package/dist/explore/finding-context.js +34 -0
- package/dist/explore/finding-context.js.map +1 -1
- package/dist/explore/queries.d.ts +32 -15
- package/dist/explore/queries.d.ts.map +1 -1
- package/dist/explore/queries.js +36 -6
- package/dist/explore/queries.js.map +1 -1
- package/dist/ingest/normalize.d.ts +1 -1
- package/dist/ingest/normalize.d.ts.map +1 -1
- package/dist/ingest/normalize.js +5 -1
- package/dist/ingest/normalize.js.map +1 -1
- package/dist/ingest/sarif.d.ts.map +1 -1
- package/dist/ingest/sarif.js +16 -7
- package/dist/ingest/sarif.js.map +1 -1
- package/dist/ingest/types.d.ts +23 -12
- package/dist/ingest/types.d.ts.map +1 -1
- package/dist/languages/capabilities/types.d.ts +64 -53
- package/dist/languages/capabilities/types.d.ts.map +1 -1
- package/dist/languages/capabilities/types.js +4 -4
- package/dist/update.d.ts.map +1 -1
- package/dist/update.js +49 -0
- package/dist/update.js.map +1 -1
- package/dist/upgrade.d.ts.map +1 -1
- package/dist/upgrade.js +2 -1
- package/dist/upgrade.js.map +1 -1
- package/package.json +6 -3
- package/templates/.claude/skills/dxkit-update/SKILL.md +45 -4
- package/dist/baseline/salt.d.ts +0 -45
- package/dist/baseline/salt.d.ts.map +0 -1
- package/dist/baseline/salt.js.map +0 -1
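--- a/package/dist/analyzers/tools/fingerprint.d.ts
+++ b/package/dist/analyzers/tools/fingerprint.d.ts
@@ -6,19 +6,27 @@
 *
 * Two fingerprint families live here:
 *
-*
-*
-*
-*
-*
-*
+* 1. Dependency-advisory fingerprints — stable hash of
+* `(package, canonicalAdvisoryId)`. Used by `gatherDepVulns` +
+* BoM. Excludes severity / cvssScore / enrichment fields
+* (epssScore, kev, reachable, riskScore), producer `tool`, and
+* `upgradeAdvice` / `upgradePlan` so re-scoring the same advisory
+* against the same install never mints a new identity. Crucially
+* it also excludes `installedVersion`: that value is only known
+* when the dependency tree is installed (npm-audit reads
+* node_modules), so a lockfile-only scanner (osv-scanner, or any
+* gather in a bare git worktree) omits it — and including it forked
+* the SAME advisory into two identities depending on the scan
+* environment. The version is display metadata, not identity:
+* bumping to a still-vulnerable version is the same finding, and
+* bumping to a fixed version makes the finding disappear on its own.
 *
-*
-*
-*
-*
-*
-*
+* 2. Code/secret/config-finding fingerprints — stable hash of
+* `(canonicalRule, file, lineWindow)`. The canonical-rule map
+* collapses cross-tool overlaps (e.g. semgrep + a per-language
+* grep-based pattern both reporting the same TLS-bypass
+* construct). The line-window absorbs the small offset between
+* tools that report the declaration vs. the assignment.
 *
 * Both families share format: 16-char lowercase hex (first 8 bytes of
 * SHA-1). Short enough to embed inline in reports, long enough to make
@@ -27,16 +35,49 @@
 */
 import type { DepVulnFinding } from '../../languages/capabilities/types';
 /**
-*
-*
-*
+* Canonical advisory id for dep-vuln identity. Scanners label the same
+* advisory differently — npm-audit emits an uppercase `GHSA-…`, while
+* osv-scanner may primary an `OSV-…` / `CVE-…` / `GHSA-…` id and carry
+* the rest in `aliases`. Collapse them to one token so the SAME
+* vulnerability fingerprints identically regardless of which tool found
+* it: prefer GHSA (the namespace every supported scanner shares), then
+* CVE (the next-best cross-tool token), else the producer's own id.
+* Lowercased so `GHSA-AB` and `ghsa-ab` don't fork identity.
+*/
+export declare function canonicalAdvisoryId(finding: {
+readonly id: string;
+readonly aliases?: readonly string[];
+}): string;
+/**
+* Stable 16-char hex fingerprint for one DepVulnFinding. Input tuple is
+* NUL-separated (not present in any legal package name / advisory id) so
+* distinct tuples can never collide via concatenation tricks.
 *
-*
-* version
-*
-*
+* Identity is `(package, canonicalAdvisoryId)` — deliberately NOT the
+* installed version (see the module header): the version is unavailable
+* to lockfile-only scanners, so including it forked identity by scan
+* environment.
 */
-export declare function computeFingerprint(finding:
+export declare function computeFingerprint(finding: {
+readonly package: string;
+readonly id: string;
+readonly aliases?: readonly string[];
+}): string;
+/**
+* Pre-2.11 dependency-advisory fingerprint: `(package, installedVersion,
+* id)`. Superseded by `computeFingerprint` (which drops the
+* environment-dependent installed version and canonicalizes the advisory
+* id), but retained verbatim so the identity-scheme migrator can
+* recompute a finding's PRIOR-scheme id and remap allowlist entries onto
+* the current scheme. Never delete a shipped scheme's id function — a
+* migration from it must always be able to reproduce its output
+* byte-for-byte. Not used to mint new identities.
+*/
+export declare function computeFingerprintV1(finding: {
+readonly package: string;
+readonly installedVersion?: string;
+readonly id: string;
+}): string;
 /**
 * Stamp `fingerprint` on every finding in place. Called once in
 * `gatherDepVulns` after cross-pack merge + enrichment so every
@@ -99,6 +140,78 @@ export declare function lineWindowFor(line: number): number;
 * code-finding fingerprints share a downstream type contract.
 */
 export declare function computeCodeFingerprint(canonicalRule: string, file: string, line: number): string;
+/**
+* Normalize a matched code span so cosmetic reformatting (reindentation,
+* collapsed vs expanded whitespace, trailing space) doesn't re-mint
+* identity. Runs of whitespace collapse to a single space; ends trimmed.
+* Deliberately conservative — it does NOT strip comments or rename
+* identifiers, so a real change to the construct still re-mints.
+*/
+export declare function normalizeSpan(span: string): string;
+/** 16-char hex hash of a normalized matched span. */
+export declare function spanHash(span: string): string;
+/**
+* Build the content anchor for a CODE finding: `scope\0spanHash\0ordinal`.
+* `scope` is the enclosing symbol (graph-resolved) or '' (file-level
+* fallback). `ordinal` is the index among findings sharing the same
+* `(scope, spanHash)` in document order, so identical constructs in one
+* scope stay distinct. NUL-separated so the parts can't collide via
+* concatenation.
+*/
+export declare function codeContentAnchor(scope: string, span: string, ordinal: number): string;
+/**
+* Build a code content anchor from an ALREADY-HASHED span. The gather
+* boundary hashes the matched span once (`spanHash`) and carries only
+* that 16-char digest downstream — never the raw source text — so the
+* matched code never bloats reports or rides through the dashboard /
+* JSON surfaces. The aggregator, which knows the enclosing `scope` (from
+* the graph scope pre-pass) and the in-scope `ordinal`, assembles the
+* final anchor from that carried digest via this helper. Equivalent to
+* `codeContentAnchor` when fed `spanHash(span)`.
+*/
+export declare function codeContentAnchorFromHash(scope: string, spanHashHex: string, ordinal: number): string;
+/**
+* Build the content anchor for a SECRET finding: `secret\0<ordinal>`.
+* The `(canonicalRule, file)` half of identity already lives in
+* `computeContentFingerprint`, so the anchor only has to disambiguate
+* multiple secrets of the same rule in the same file — the ordinal does
+* that, assigned in document order by the aggregator.
+*
+* Crucially it carries NEITHER the captured value NOR the salt. That
+* makes a secret's per-occurrence identity byte-identical across scanners
+* (gitleaks' `Secret` field and the grep fallback's capture group differ)
+* and across environments (the salt resolves differently via env var /
+* file / root-SHA), which is what a baseline/allowlist needs to stay
+* matched between a developer's machine and CI. The `secret` prefix
+* namespaces it away from code anchors (`scope\0spanHash\0ordinal`) so the
+* two schemes can never collide.
+*
+* The value HMAC is not lost — the separate `secret-hmac` identity kind
+* still pins it, for recognizing the same value relocating across files.
+*/
+export declare function secretContentAnchor(ordinal: number): string;
+/**
+* The tool-independent rule discriminator for SECRET identity. Unlike code
+* findings — where two different rules firing on one construct are two
+* distinct findings, so the rule must stay in identity — every secret
+* detection means the same thing ("a hardcoded/leaked credential", CWE-798).
+* Folding them onto one constant makes a secret's identity independent of
+* WHICH scanner found it and under what rule name (gitleaks `aws-access-key`
+* vs the grep fallback's `hardcoded-password` describe the same leak). Used
+* in place of `canonicalRuleFor(tool, rule)` when fingerprinting secrets;
+* the per-tool canonical rule is still used for intra-run dedup grouping and
+* survives on the finding as display metadata.
+*/
+export declare const SECRET_CANONICAL_RULE = "canonical:secret";
+/**
+* Content-anchored finding fingerprint (scheme v2). Identity is
+* `(canonicalRule, file, contentAnchor)` — the anchor carries the
+* stable, location-independent content (built by the caller per kind:
+* secret=HMAC, code=`codeContentAnchor(...)`, config=''). A finding that
+* moves to a new line keeps its fingerprint; it re-mints only when the
+* matched content (or, for code, its enclosing symbol) changes.
+*/
+export declare function computeContentFingerprint(canonicalRule: string, file: string, contentAnchor: string): string;
 /**
 * HMAC-SHA256 of a detected secret value, keyed by a per-repo salt.
 * The output is 16-char lowercase hex (first 8 bytes of the 32-byte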
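Review bot: The `computeContentFingerprint` doc block (new line 210) states the secret anchor is `secret=HMAC`, but `secretContentAnchor` (new lines 174-192) in this same section says the anchor is `secret\0<ordinal>` and deliberately carries neither the value nor the salt, so the shipped declaration contradicts itself on what a secret's identity contains. Suggest `* secret=`secretContentAnchor(ordinal)`, code=`codeContentAnchor(...)`, config='')` so a reader of the .d.ts does not conclude that the salt leaks into baseline identities. The module header's second family (new lines 24-29) likewise still names `lineWindow` as the identity component even though this release adds the content-anchored scheme that supersedes it; one sentence pointing at `computeContentFingerprint` would keep the header accurate. The same two doc blocks are duplicated in the fingerprint.js section below and need the same correction.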
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"fingerprint.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/fingerprint.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"fingerprint.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/fingerprint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAGH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AAEzE;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE;IAC3C,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CACtC,GAAG,MAAM,CAST;AAED;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE;IAC1C,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CACtC,GAAG,MAAM,CAGT;AAED;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE;IAC5C,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;CACrB,GAAG,MAAM,CAGT;AAED;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,IAAI,CAIlE;AAED;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,aAAa,CAAC,cAAc,CAAC,GAAG,MAAM,EAAE,CAMrF;AAID;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kBAAkB,EAAE,WAAW,CAAC,MAAM,EAAE,MAAM,CAmBzD,CAAC;AAEH,kEAAkE;AAClE,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAEnE;AAED;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,IAAI,CAAC;AAE9C;;;;;;;;;GASG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAElD;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,aAAa,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAGhG;AAwCD;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAElD;AAED,qDAAqD;AACrD,wBAAgB,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAE7C;AAED;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAEtF;AAED;;;;;;;;;GASG;AACH,wBAAgB,yBAAyB,CACvC,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,MAAM,GACd,MAAM,CAER;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAE3D;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,qBAAqB,qBAAqB,CAAC;AAExD;;;;;;;GAOG;AACH,wBAAgB,yBAAyB,CACvC,aAAa,EAAE,MAAM,EACrB,IAAI,EAAE,MAAM,EACZ,aAAa,EAAE,MAAM,GACpB,MAAM,CAGR;AAID;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,i
BAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAEtE"}
|
|
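--- a/package/dist/analyzers/tools/fingerprint.js
+++ b/package/dist/analyzers/tools/fingerprint.js
@@ -7,19 +7,27 @@
 *
 * Two fingerprint families live here:
 *
-*
-*
-*
-*
-*
-*
+* 1. Dependency-advisory fingerprints — stable hash of
+* `(package, canonicalAdvisoryId)`. Used by `gatherDepVulns` +
+* BoM. Excludes severity / cvssScore / enrichment fields
+* (epssScore, kev, reachable, riskScore), producer `tool`, and
+* `upgradeAdvice` / `upgradePlan` so re-scoring the same advisory
+* against the same install never mints a new identity. Crucially
+* it also excludes `installedVersion`: that value is only known
+* when the dependency tree is installed (npm-audit reads
+* node_modules), so a lockfile-only scanner (osv-scanner, or any
+* gather in a bare git worktree) omits it — and including it forked
+* the SAME advisory into two identities depending on the scan
+* environment. The version is display metadata, not identity:
+* bumping to a still-vulnerable version is the same finding, and
+* bumping to a fixed version makes the finding disappear on its own.
 *
-*
-*
-*
-*
-*
-*
+* 2. Code/secret/config-finding fingerprints — stable hash of
+* `(canonicalRule, file, lineWindow)`. The canonical-rule map
+* collapses cross-tool overlaps (e.g. semgrep + a per-language
+* grep-based pattern both reporting the same TLS-bypass
+* construct). The line-window absorbs the small offset between
+* tools that report the declaration vs. the assignment.
 *
 * Both families share format: 16-char lowercase hex (first 8 bytes of
 * SHA-1). Short enough to embed inline in reports, long enough to make
@@ -27,26 +35,70 @@
 * repo scale. Producers may render either inline interchangeably.
 */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CODE_FINGERPRINT_LINE_WINDOW = exports.CANONICAL_RULE_MAP = void 0;
+exports.SECRET_CANONICAL_RULE = exports.CODE_FINGERPRINT_LINE_WINDOW = exports.CANONICAL_RULE_MAP = void 0;
+exports.canonicalAdvisoryId = canonicalAdvisoryId;
 exports.computeFingerprint = computeFingerprint;
+exports.computeFingerprintV1 = computeFingerprintV1;
 exports.stampFingerprints = stampFingerprints;
 exports.collectFingerprints = collectFingerprints;
 exports.canonicalRuleFor = canonicalRuleFor;
 exports.lineWindowFor = lineWindowFor;
 exports.computeCodeFingerprint = computeCodeFingerprint;
+exports.normalizeSpan = normalizeSpan;
+exports.spanHash = spanHash;
+exports.codeContentAnchor = codeContentAnchor;
+exports.codeContentAnchorFromHash = codeContentAnchorFromHash;
+exports.secretContentAnchor = secretContentAnchor;
+exports.computeContentFingerprint = computeContentFingerprint;
 exports.computeSecretHmac = computeSecretHmac;
 const crypto_1 = require("crypto");
 /**
-*
-*
-*
+* Canonical advisory id for dep-vuln identity. Scanners label the same
+* advisory differently — npm-audit emits an uppercase `GHSA-…`, while
+* osv-scanner may primary an `OSV-…` / `CVE-…` / `GHSA-…` id and carry
+* the rest in `aliases`. Collapse them to one token so the SAME
+* vulnerability fingerprints identically regardless of which tool found
+* it: prefer GHSA (the namespace every supported scanner shares), then
+* CVE (the next-best cross-tool token), else the producer's own id.
+* Lowercased so `GHSA-AB` and `ghsa-ab` don't fork identity.
+*/
+function canonicalAdvisoryId(finding) {
+const candidates = [finding.id, ...(finding.aliases ?? [])]
+.filter((x) => typeof x === 'string' && x.trim().length > 0)
+.map((x) => x.trim());
+const ghsa = candidates.find((c) => /^GHSA-/i.test(c));
+if (ghsa)
+return ghsa.toLowerCase();
+const cve = candidates.find((c) => /^CVE-/i.test(c));
+if (cve)
+return cve.toLowerCase();
+return finding.id.toLowerCase();
+}
+/**
+* Stable 16-char hex fingerprint for one DepVulnFinding. Input tuple is
+* NUL-separated (not present in any legal package name / advisory id) so
+* distinct tuples can never collide via concatenation tricks.
 *
-*
-* version
-*
-*
+* Identity is `(package, canonicalAdvisoryId)` — deliberately NOT the
+* installed version (see the module header): the version is unavailable
+* to lockfile-only scanners, so including it forked identity by scan
+* environment.
 */
 function computeFingerprint(finding) {
+const input = `${finding.package}\0${canonicalAdvisoryId(finding)}`;
+return (0, crypto_1.createHash)('sha1').update(input).digest('hex').slice(0, 16);
+}
+/**
+* Pre-2.11 dependency-advisory fingerprint: `(package, installedVersion,
+* id)`. Superseded by `computeFingerprint` (which drops the
+* environment-dependent installed version and canonicalizes the advisory
+* id), but retained verbatim so the identity-scheme migrator can
+* recompute a finding's PRIOR-scheme id and remap allowlist entries onto
+* the current scheme. Never delete a shipped scheme's id function — a
+* migration from it must always be able to reproduce its output
+* byte-for-byte. Not used to mint new identities.
+*/
+function computeFingerprintV1(finding) {
 const input = `${finding.package}\0${finding.installedVersion ?? ''}\0${finding.id}`;
 return (0, crypto_1.createHash)('sha1').update(input).digest('hex').slice(0, 16);
 }
@@ -148,6 +200,128 @@ function computeCodeFingerprint(canonicalRule, file, line) {
 const input = `${canonicalRule}\0${file}\0${lineWindowFor(line)}`;
 return (0, crypto_1.createHash)('sha1').update(input).digest('hex').slice(0, 16);
 }
+// ─── Content-anchored finding identity (scheme v2) ─────────────────────
+// The line-based fingerprint above re-mints identity whenever a finding
+// shifts more than CODE_FINGERPRINT_LINE_WINDOW lines, which strands
+// allowlist entries + churns baselines on unrelated edits. The
+// content-anchored scheme replaces the line component with an anchor
+// derived from WHAT the finding is, not WHERE it sits:
+//
+// secret → secretContentAnchor(ordinal): (canonicalRule, file) plus an
+// ordinal among same-(canonicalRule, file) secrets. Deliberately free of
+// the captured value AND the salt, so a secret's identity is identical no
+// matter which scanner found it (gitleaks and the grep fallback capture
+// different text) or how the salt resolves (env var / file / root-SHA
+// differ across environments). The value HMAC lives on only in the
+// separate `secret-hmac` kind, which recognizes the same value relocating
+// across files — a different question from per-occurrence identity.
+// code → codeContentAnchor(scope, span, ordinal): the normalized
+// matched span, scoped to its enclosing symbol when the graph
+// resolves one (else file-level), with an ordinal to keep
+// identical constructs in one scope distinct.
+// config → '' — identity is just (canonicalRule, file); inherently
+// line-independent (a file is tracked / on disk or it isn't).
+//
+// `line` becomes display metadata only. The dispatch (`identityFor`) and
+// the security aggregator prefer this anchor when one is available and
+// fall back to the line-window hash otherwise.
+//
+// Known limitation (code only): the code anchor's `spanHash` is the hash
+// of the tool-captured matched span, which differs between engines
+// (semgrep `extra.lines` vs an ingested SARIF `region.snippet.text` vs a
+// grep capture). When the SAME construct is found by different engines
+// across two environments — and the cross-tool dedup doesn't merge them
+// because only one environment ran the second engine — the code finding's
+// identity can drift across those environments. It does not affect
+// secrets (their anchor carries no tool-captured content) and only
+// surfaces under inconsistent multi-engine ingestion, never on the
+// bundled-semgrep default path. A future release should anchor code
+// identity to a content representation that is stable across engines.
+/**
+* Normalize a matched code span so cosmetic reformatting (reindentation,
+* collapsed vs expanded whitespace, trailing space) doesn't re-mint
+* identity. Runs of whitespace collapse to a single space; ends trimmed.
+* Deliberately conservative — it does NOT strip comments or rename
+* identifiers, so a real change to the construct still re-mints.
+*/
+function normalizeSpan(span) {
+return span.replace(/\s+/g, ' ').trim();
+}
+/** 16-char hex hash of a normalized matched span. */
+function spanHash(span) {
+return (0, crypto_1.createHash)('sha1').update(normalizeSpan(span)).digest('hex').slice(0, 16);
+}
+/**
+* Build the content anchor for a CODE finding: `scope\0spanHash\0ordinal`.
+* `scope` is the enclosing symbol (graph-resolved) or '' (file-level
+* fallback). `ordinal` is the index among findings sharing the same
+* `(scope, spanHash)` in document order, so identical constructs in one
+* scope stay distinct. NUL-separated so the parts can't collide via
+* concatenation.
+*/
+function codeContentAnchor(scope, span, ordinal) {
+return codeContentAnchorFromHash(scope, spanHash(span), ordinal);
+}
+/**
+* Build a code content anchor from an ALREADY-HASHED span. The gather
+* boundary hashes the matched span once (`spanHash`) and carries only
+* that 16-char digest downstream — never the raw source text — so the
+* matched code never bloats reports or rides through the dashboard /
+* JSON surfaces. The aggregator, which knows the enclosing `scope` (from
+* the graph scope pre-pass) and the in-scope `ordinal`, assembles the
+* final anchor from that carried digest via this helper. Equivalent to
+* `codeContentAnchor` when fed `spanHash(span)`.
+*/
+function codeContentAnchorFromHash(scope, spanHashHex, ordinal) {
+return `${scope}\0${spanHashHex}\0${ordinal}`;
+}
+/**
+* Build the content anchor for a SECRET finding: `secret\0<ordinal>`.
+* The `(canonicalRule, file)` half of identity already lives in
+* `computeContentFingerprint`, so the anchor only has to disambiguate
+* multiple secrets of the same rule in the same file — the ordinal does
+* that, assigned in document order by the aggregator.
+*
+* Crucially it carries NEITHER the captured value NOR the salt. That
+* makes a secret's per-occurrence identity byte-identical across scanners
+* (gitleaks' `Secret` field and the grep fallback's capture group differ)
+* and across environments (the salt resolves differently via env var /
+* file / root-SHA), which is what a baseline/allowlist needs to stay
+* matched between a developer's machine and CI. The `secret` prefix
+* namespaces it away from code anchors (`scope\0spanHash\0ordinal`) so the
+* two schemes can never collide.
+*
+* The value HMAC is not lost — the separate `secret-hmac` identity kind
+* still pins it, for recognizing the same value relocating across files.
+*/
+function secretContentAnchor(ordinal) {
+return `secret\0${ordinal}`;
+}
+/**
+* The tool-independent rule discriminator for SECRET identity. Unlike code
+* findings — where two different rules firing on one construct are two
+* distinct findings, so the rule must stay in identity — every secret
+* detection means the same thing ("a hardcoded/leaked credential", CWE-798).
+* Folding them onto one constant makes a secret's identity independent of
+* WHICH scanner found it and under what rule name (gitleaks `aws-access-key`
+* vs the grep fallback's `hardcoded-password` describe the same leak). Used
+* in place of `canonicalRuleFor(tool, rule)` when fingerprinting secrets;
+* the per-tool canonical rule is still used for intra-run dedup grouping and
+* survives on the finding as display metadata.
+*/
+exports.SECRET_CANONICAL_RULE = 'canonical:secret';
+/**
+* Content-anchored finding fingerprint (scheme v2). Identity is
+* `(canonicalRule, file, contentAnchor)` — the anchor carries the
+* stable, location-independent content (built by the caller per kind:
+* secret=HMAC, code=`codeContentAnchor(...)`, config=''). A finding that
+* moves to a new line keeps its fingerprint; it re-mints only when the
+* matched content (or, for code, its enclosing symbol) changes.
+*/
+function computeContentFingerprint(canonicalRule, file, contentAnchor) {
+const input = `${canonicalRule}\0${file}\0${contentAnchor}`;
+return (0, crypto_1.createHash)('sha1').update(input).digest('hex').slice(0, 16);
+}
 // ─── Secret HMAC primitive ───────────────────────────────────────────────────
 /**
 * HMAC-SHA256 of a detected secret value, keyed by a per-repo salt.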
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"fingerprint.js","sourceRoot":"","sources":["../../../src/analyzers/tools/fingerprint.ts"],"names":[],"mappings":";AAAA
|
|
1
|
+
{"version":3,"file":"fingerprint.js","sourceRoot":"","sources":["../../../src/analyzers/tools/fingerprint.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;;;AAeH,kDAYC;AAYD,gDAOC;AAYD,oDAOC;AAYD,8CAIC;AAYD,kDAMC;AAqCD,4CAEC;AAqBD,sCAEC;AAQD,wDAGC;AA+CD,sCAEC;AAGD,4BAEC;AAUD,8CAEC;AAYD,8DAMC;AAqBD,kDAEC;AAwBD,8DAOC;AA6BD,8CAEC;AAnVD,mCAAgD;AAGhD;;;;;;;;;GASG;AACH,SAAgB,mBAAmB,CAAC,OAGnC;IACC,MAAM,UAAU,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;SACxD,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;SACxE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IACxB,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IACvD,IAAI,IAAI;QAAE,OAAO,IAAI,CAAC,WAAW,EAAE,CAAC;IACpC,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IACrD,IAAI,GAAG;QAAE,OAAO,GAAG,CAAC,WAAW,EAAE,CAAC;IAClC,OAAO,OAAO,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC;AAClC,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,kBAAkB,CAAC,OAIlC;IACC,MAAM,KAAK,GAAG,GAAG,OAAO,CAAC,OAAO,KAAK,mBAAmB,CAAC,OAAO,CAAC,EAAE,CAAC;IACpE,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,oBAAoB,CAAC,OAIpC;IACC,MAAM,KAAK,GAAG,GAAG,OAAO,CAAC,OAAO,KAAK,OAAO,CAAC,gBAAgB,IAAI,EAAE,KAAK,OAAO,CAAC,EAAE,EAAE,CAAC;IACrF,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,iBAAiB,CAAC,QAA0B;IAC1D,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,CAAC,CAAC,WAAW,GAAG,kBAAkB,CAAC,CAAC,CAAC,CAAC;IACxC,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,mBAAmB,CAAC,QAAuC;IACzE,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,WAAW;YAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,CAAC,GA
AG,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;AACzB,CAAC;AAED,gFAAgF;AAEhF;;;;;;;;;;GAUG;AACU,QAAA,kBAAkB,GAAgC,IAAI,GAAG,CAAiB;IACrF,sEAAsE;IACtE,qEAAqE;IACrE,kEAAkE;IAClE,+DAA+D;IAC/D,CAAC,6CAA6C,EAAE,sBAAsB,CAAC;IACvE,CAAC,iCAAiC,EAAE,sBAAsB,CAAC;IAC3D,CAAC,iDAAiD,EAAE,sBAAsB,CAAC;IAC3E,CAAC,wCAAwC,EAAE,sBAAsB,CAAC;IAElE,iEAAiE;IACjE,oEAAoE;IACpE,mCAAmC;IACnC,CAAC,yBAAyB,EAAE,0BAA0B,CAAC;IACvD,CAAC,oCAAoC,EAAE,0BAA0B,CAAC;IAElE,8DAA8D;IAC9D,CAAC,uBAAuB,EAAE,+BAA+B,CAAC;IAC1D,CAAC,sBAAsB,EAAE,+BAA+B,CAAC;CAC1D,CAAC,CAAC;AAEH,kEAAkE;AAClE,SAAgB,gBAAgB,CAAC,IAAY,EAAE,IAAY;IACzD,OAAO,0BAAkB,CAAC,GAAG,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC,IAAI,OAAO,IAAI,IAAI,IAAI,EAAE,CAAC;AAC5E,CAAC;AAED;;;;;;GAMG;AACU,QAAA,4BAA4B,GAAG,CAAC,CAAC;AAE9C;;;;;;;;;GASG;AACH,SAAgB,aAAa,CAAC,IAAY;IACxC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,oCAA4B,CAAC,GAAG,oCAA4B,CAAC;AACxF,CAAC;AAED;;;;;GAKG;AACH,SAAgB,sBAAsB,CAAC,aAAqB,EAAE,IAAY,EAAE,IAAY;IACtF,MAAM,KAAK,GAAG,GAAG,aAAa,KAAK,IAAI,KAAK,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC;IAClE,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED,0EAA0E;AAC1E,wEAAwE;AACxE,qEAAqE;AACrE,+DAA+D;AAC/D,qEAAqE;AACrE,uDAAuD;AACvD,EAAE;AACF,uEAAuE;AACvE,yEAAyE;AACzE,0EAA0E;AAC1E,wEAAwE;AACxE,sEAAsE;AACtE,mEAAmE;AACnE,0EAA0E;AAC1E,oEAAoE;AACpE,iEAAiE;AACjE,8DAA8D;AAC9D,0DAA0D;AAC1D,8CAA8C;AAC9C,mEAAmE;AACnE,8DAA8D;AAC9D,EAAE;AACF,yEAAyE;AACzE,uEAAuE;AACvE,+CAA+C;AAC/C,EAAE;AACF,yEAAyE;AACzE,mEAAmE;AACnE,yEAAyE;AACzE,uEAAuE;AACvE,wEAAwE;AACxE,0EAA0E;AAC1E,mEAAmE;AACnE,mEAAmE;AACnE,mEAAmE;AACnE,oEAAoE;AACpE,sEAAsE;AAEtE;;;;;;GAMG;AACH,SAAgB,aAAa,CAAC,IAAY;IACxC,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;AAC1C,CAAC;AAED,qDAAqD;AACrD,SAAgB,QAAQ,CAAC,IAAY;IACnC,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACnF,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,iBAAiB,CAAC,KAAa,EAAE,IAAY,EAAE,OAAe;IAC5E,OAAO,yBAAyB,CAAC,K
AAK,EAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,CAAC;AACnE,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,yBAAyB,CACvC,KAAa,EACb,WAAmB,EACnB,OAAe;IAEf,OAAO,GAAG,KAAK,KAAK,WAAW,KAAK,OAAO,EAAE,CAAC;AAChD,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,SAAgB,mBAAmB,CAAC,OAAe;IACjD,OAAO,WAAW,OAAO,EAAE,CAAC;AAC9B,CAAC;AAED;;;;;;;;;;;GAWG;AACU,QAAA,qBAAqB,GAAG,kBAAkB,CAAC;AAExD;;;;;;;GAOG;AACH,SAAgB,yBAAyB,CACvC,aAAqB,EACrB,IAAY,EACZ,aAAqB;IAErB,MAAM,KAAK,GAAG,GAAG,aAAa,KAAK,IAAI,KAAK,aAAa,EAAE,CAAC;IAC5D,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,SAAgB,iBAAiB,CAAC,MAAc,EAAE,IAAY;IAC5D,OAAO,IAAA,mBAAU,EAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC9E,CAAC"}
|
|
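--- a/package/dist/analyzers/tools/gitleaks.d.ts
+++ b/package/dist/analyzers/tools/gitleaks.d.ts
@@ -17,8 +17,8 @@ export interface GitleaksRawSecret {
 readonly line: number;
 readonly rule: string;
 /** The matched secret value as reported by gitleaks. Process-only;
-*
-*
+* callers MUST NOT write this to disk, log it, or include it in
+* any output payload. */
 readonly secret: string;
 }
 /**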
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"gitleaks.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/gitleaks.ts"],"names":[],"mappings":"AAkBA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,uCAAuC,CAAC;AAChF,OAAO,KAAK,EAAiB,aAAa,EAAE,MAAM,oCAAoC,CAAC;AAUvF;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;
|
|
1
|
+
{"version":3,"file":"gitleaks.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/gitleaks.ts"],"names":[],"mappings":"AAkBA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,uCAAuC,CAAC;AAChF,OAAO,KAAK,EAAiB,aAAa,EAAE,MAAM,oCAAoC,CAAC;AAUvF;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;6BAEyB;IACzB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,oBAAoB,GAC5B;IACE,IAAI,EAAE,SAAS,CAAC;IAChB,QAAQ,EAAE,aAAa,CAAC;IACxB,eAAe,EAAE,MAAM,CAAC;IACxB,UAAU,EAAE,aAAa,CAAC,iBAAiB,CAAC,CAAC;CAC9C,GACD;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAgB5C;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,oBAAoB,CAMtE;AAuHD;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,EAAE,kBAAkB,CAAC,aAAa,CAM9D,CAAC"}
|
|
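--- a/package/dist/analyzers/tools/gitleaks.js
+++ b/package/dist/analyzers/tools/gitleaks.js
@@ -160,10 +160,16 @@ function computeGitleaksOutcome(cwd)
 // Apply `.dxkit-suppressions.json` so known-false positives don't count.
 const suppressions = (0, suppressions_1.loadSuppressions)(cwd);
 const { kept, suppressed } = (0, suppressions_1.applySuppressions)(filteredCombined, suppressions.gitleaks, (c) => c.finding.rule, (c) => c.finding.file);
+// Per-occurrence secret identity is (canonicalRule, file, ordinal),
+// assembled in the aggregator — value- and salt-free, so it stays stable
+// across scanners and environments. The envelope therefore carries no
+// content anchor. (The raw value still flows out via `rawSecrets` below,
+// where the `secret-hmac` producer HMACs it for cross-file relocation
+// matching — a separate identity kind.)
 const envelope = {
 schemaVersion: 1,
 tool: 'gitleaks',
-findings: kept.map((c) => c.finding),
+findings: kept.map((c) => ({ ...c.finding })),
 suppressedCount: suppressed.length,
 };
 const rawSecrets = kept.map((c) => ({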
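Review bot: The shallow copy `{ ...c.finding }` at new line 172 is not explained by the comment block added above it, which covers identity and anchors but not why the envelope now needs its own objects. If the copy exists so the envelope no longer aliases the finding objects that `rawSecrets` (built from the same `kept` array on the next line) also reads, a one-line comment should say so, for instance `// Copy: the envelope must not alias the objects rawSecrets is built from below.`. Because `findings` is what the envelope carries outward while the raw value is meant to stay confined to `rawSecrets`, a whole-object spread also silently forwards any field later added to a finding; projecting the named fields the envelope needs would keep that boundary explicit. computeGitleaksOutcome begins before this hunk and its body continues past it.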
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"gitleaks.js","sourceRoot":"","sources":["../../../src/analyzers/tools/gitleaks.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwFA,oDAMC;AA9FD;;;;;;;;;GASG;AACH,uCAAyB;AACzB,uCAAyB;AACzB,2CAA6B;AAC7B,qCAAuC;AACvC,mDAAsD;AACtD,6CAA8C;AAC9C,mCAA4C;AAC5C,iDAAqE;AAmDrE;;;;;;;;;;;GAWG;AACH,MAAM,oBAAoB,GAAG,IAAI,GAAG,EAAgC,CAAC;AAErE;;;;;GAKG;AACH,SAAgB,oBAAoB,CAAC,GAAW;IAC9C,MAAM,MAAM,GAAG,oBAAoB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7C,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,MAAM,OAAO,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;IAC5C,oBAAoB,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IACvC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,sBAAsB,CAAC,GAAW;IACzC,MAAM,WAAW,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,CAAC,WAAW;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAE1E,yEAAyE;IACzE,iEAAiE;IACjE,oEAAoE;IACpE,kEAAkE;IAClE,6DAA6D;IAC7D,oEAAoE;IACpE,cAAc;IACd,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,kBAAkB,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAC/E,IAAA,oBAAW,EACT,WAAW,EACX;QACE,QAAQ;QACR,UAAU;QACV,GAAG;QACH,iBAAiB;QACjB,MAAM;QACN,eAAe;QACf,UAAU;QACV,UAAU;QACV,aAAa;QACb,GAAG;KACJ,EACD,GAAG,EACH,MAAM,CACP,CAAC;IACF,6DAA6D;IAC7D,6DAA6D;IAC7D,kEAAkE;IAClE,kEAAkE;IAClE,0DAA0D;IAC1D,6DAA6D;IAC7D,YAAY;IACZ,IAAI,SAAiB,CAAC;IACtB,IAAI,CAAC;QACH,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACnD,CAAC;IAAC,MAAM,CAAC;QACP,SAAS,GAAG,EAAE,CAAC;IACjB,CAAC;IACD,mEAAmE;IACnE,IAAI,CAAC;QACH,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,+CAA+C;IACjD,CAAC;IAED,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAEpE,IAAI,MAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAsB,CAAC;IACtD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;IACxD,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,wEAAwE;QACxE,MAAM,QAAQ,GAAkB;YAC9B,aAAa,EAAE,CAAC;YAChB,IAAI,EAAE,UAAU;YAChB,QAAQ,EAAE,EAAE;YACZ,eAAe,EAAE,CAAC;SACnB,CAAC;QACF,OAAO,EAAE,IAAI,EAAE,SAAS,EAA
E,QAAQ,EAAE,eAAe,EAAE,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAC3E,CAAC;IAMD,MAAM,QAAQ,GAAe,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC9C,OAAO,EAAE;YACP,IAAI,EAAE,IAAA,yBAAiB,EAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC;YACpC,IAAI,EAAE,CAAC,CAAC,SAAS;YACjB,IAAI,EAAE,CAAC,CAAC,MAAM;YACd,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM;YAChE,KAAK,EAAE,CAAC,CAAC,WAAW;SACrB;QACD,MAAM,EAAE,CAAC,CAAC,MAAM;KACjB,CAAC,CAAC,CAAC;IAEJ,sEAAsE;IACtE,+DAA+D;IAC/D,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAA,2BAAc,EAAC,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IAEtF,yEAAyE;IACzE,MAAM,YAAY,GAAG,IAAA,+BAAgB,EAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,IAAA,gCAAiB,EAC5C,gBAAgB,EAChB,YAAY,CAAC,QAAQ,EACrB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EACrB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CACtB,CAAC;IAEF,MAAM,QAAQ,GAAkB;QAC9B,aAAa,EAAE,CAAC;QAChB,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;
|
|
1
|
+
{"version":3,"file":"gitleaks.js","sourceRoot":"","sources":["../../../src/analyzers/tools/gitleaks.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwFA,oDAMC;AA9FD;;;;;;;;;GASG;AACH,uCAAyB;AACzB,uCAAyB;AACzB,2CAA6B;AAC7B,qCAAuC;AACvC,mDAAsD;AACtD,6CAA8C;AAC9C,mCAA4C;AAC5C,iDAAqE;AAmDrE;;;;;;;;;;;GAWG;AACH,MAAM,oBAAoB,GAAG,IAAI,GAAG,EAAgC,CAAC;AAErE;;;;;GAKG;AACH,SAAgB,oBAAoB,CAAC,GAAW;IAC9C,MAAM,MAAM,GAAG,oBAAoB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7C,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,MAAM,OAAO,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;IAC5C,oBAAoB,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IACvC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,sBAAsB,CAAC,GAAW;IACzC,MAAM,WAAW,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,CAAC,WAAW;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAE1E,yEAAyE;IACzE,iEAAiE;IACjE,oEAAoE;IACpE,kEAAkE;IAClE,6DAA6D;IAC7D,oEAAoE;IACpE,cAAc;IACd,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,kBAAkB,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAC/E,IAAA,oBAAW,EACT,WAAW,EACX;QACE,QAAQ;QACR,UAAU;QACV,GAAG;QACH,iBAAiB;QACjB,MAAM;QACN,eAAe;QACf,UAAU;QACV,UAAU;QACV,aAAa;QACb,GAAG;KACJ,EACD,GAAG,EACH,MAAM,CACP,CAAC;IACF,6DAA6D;IAC7D,6DAA6D;IAC7D,kEAAkE;IAClE,kEAAkE;IAClE,0DAA0D;IAC1D,6DAA6D;IAC7D,YAAY;IACZ,IAAI,SAAiB,CAAC;IACtB,IAAI,CAAC;QACH,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACnD,CAAC;IAAC,MAAM,CAAC;QACP,SAAS,GAAG,EAAE,CAAC;IACjB,CAAC;IACD,mEAAmE;IACnE,IAAI,CAAC;QACH,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,+CAA+C;IACjD,CAAC;IAED,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAEpE,IAAI,MAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAsB,CAAC;IACtD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;IACxD,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,wEAAwE;QACxE,MAAM,QAAQ,GAAkB;YAC9B,aAAa,EAAE,CAAC;YAChB,IAAI,EAAE,UAAU;YAChB,QAAQ,EAAE,EAAE;YACZ,eAAe,EAAE,CAAC;SACnB,CAAC;QACF,OAAO,EAAE,IAAI,EAAE,SAAS,EAA
E,QAAQ,EAAE,eAAe,EAAE,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAC3E,CAAC;IAMD,MAAM,QAAQ,GAAe,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC9C,OAAO,EAAE;YACP,IAAI,EAAE,IAAA,yBAAiB,EAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC;YACpC,IAAI,EAAE,CAAC,CAAC,SAAS;YACjB,IAAI,EAAE,CAAC,CAAC,MAAM;YACd,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM;YAChE,KAAK,EAAE,CAAC,CAAC,WAAW;SACrB;QACD,MAAM,EAAE,CAAC,CAAC,MAAM;KACjB,CAAC,CAAC,CAAC;IAEJ,sEAAsE;IACtE,+DAA+D;IAC/D,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAA,2BAAc,EAAC,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IAEtF,yEAAyE;IACzE,MAAM,YAAY,GAAG,IAAA,+BAAgB,EAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,IAAA,gCAAiB,EAC5C,gBAAgB,EAChB,YAAY,CAAC,QAAQ,EACrB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EACrB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CACtB,CAAC;IAEF,oEAAoE;IACpE,yEAAyE;IACzE,sEAAsE;IACtE,yEAAyE;IACzE,sEAAsE;IACtE,wCAAwC;IACxC,MAAM,QAAQ,GAAkB;QAC9B,aAAa,EAAE,CAAC;QAChB,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;QAC7C,eAAe,EAAE,UAAU,CAAC,MAAM;KACnC,CAAC;IACF,MAAM,UAAU,GAAwB,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACvD,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI;QACpB,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI;QACpB,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI;QACpB,MAAM,EAAE,CAAC,CAAC,MAAM;KACjB,CAAC,CAAC,CAAC;IACJ,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,eAAe,EAAE,UAAU,CAAC,MAAM,EAAE,UAAU,EAAE,CAAC;AACvF,CAAC;AAED;;;;GAIG;AACU,QAAA,gBAAgB,GAAsC;IACjE,MAAM,EAAE,UAAU;IAClB,KAAK,CAAC,MAAM,CAAC,GAAG;QACd,MAAM,OAAO,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAC1C,OAAO,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9D,CAAC;CACF,CAAC;AAEF,SAAS,YAAY,CAAC,GAAW;IAC/B,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,yBAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IACjD,OAAO,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;AAC/C,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"graphify.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/graphify.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"graphify.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/graphify.ts"],"names":[],"mappings":"AAyBA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,uCAAuC,CAAC;AAChF,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,oCAAoC,CAAC;AAC3E,OAAO,EAAqB,KAAK,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAExE,UAAU,cAAc;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,oBAAoB,EAAE,MAAM,CAAC;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,eAAe,EAAE,MAAM,CAAC;IACxB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,KAAK,CAAC,EAAE,SAAS,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CA6nBvD;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,uBAAuB,GAC/B;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,QAAQ,EAAE,gBAAgB,CAAA;CAAE,GAC/C;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAE5C;;;;;;GAMG;AACH,MAAM,MAAM,kBAAkB,GAC1B;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,KAAK,EAAE,SAAS,CAAA;CAAE,GACrC;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAwB5C;;;;GAIG;AACH,wBAAsB,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAKxF;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,mBAAmB,CACvC,GAAG,EAAE,MAAM,EACX,IAAI,GAAE;IAAE,WAAW,CAAC,EAAE,OAAO,CAAA;CAAO,GACnC,OAAO,CAAC,kBAAkB,CAAC,CAQ7B;AAoLD;;;;;;;;;;GAUG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,cAAc,EAAE,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAiBzF;AAED;;;;GAIG;AAOH,eAAO,MAAM,gBAAgB,EAAE,kBAAkB,CAAC,gBAAgB,CAAC,GAAG;IACpE,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;CAU9D,CAAC"}
|
|
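--- a/package/dist/analyzers/tools/graphify.js
+++ b/package/dist/analyzers/tools/graphify.js
@@ -61,6 +61,7 @@ const path = __importStar(require("path"));
 const runner_1 = require("./runner");
 const tool_registry_1 = require("./tool-registry");
 const exclusions_1 = require("./exclusions");
+const languages_1 = require("../../languages");
 const paths_1 = require("./paths");
 const types_1 = require("../../explore/types");
 /**
@@ -75,6 +76,22 @@ const types_1 = require("../../explore/types");
 */
 function buildGraphifyScript(cwd) {
 const { dirsSet, pathsList, fileGlobsList } = (0, exclusions_1.getPythonExcludeFilter)(cwd);
+// Source-extension allowlist for the CODE graph. graphify's collect_files
+// enumerates everything its _DISPATCH table can parse — including .md / .mdx
+// (markdown headings → "module" nodes) and .json (config + lockfile keys →
+// nodes). On NodeGoat that produced a graph that was ~92% non-code:
+// package-lock.json alone contributed 137 nodes, .claude/**/*.md (dxkit's
+// own scaffolding) 205, .vyuh-dxkit.json 53 — versus 51 nodes of real app
+// code. Doc/config nodes pollute every graph-derived surface (communities,
+// hot-files, api-surface, god-node ranking) and the context-hook's file
+// summaries. Restrict the walk to the pack-declared source extensions
+// (Rule 3/6: "what counts as source" is a language fact). graphify's TS
+// import resolution reads tsconfig.json / package.json by direct path, not
+// from the collected set, so dropping config files from the walk does not
+// affect import-edge resolution.
+const includeExtsSet = `set([${(0, languages_1.allSourceExtensions)()
+.map((e) => `'${e.toLowerCase()}'`)
+.join(', ')}])`;
 return `# Exclusion set derived from src/analyzers/tools/exclusions.ts
 import json, sys, os
 from pathlib import Path
@@ -102,6 +119,12 @@ EXCLUDE_DIRS = ${dirsSet}
 EXCLUDE_PATHS = ${pathsList}
 EXCLUDE_FILE_GLOBS = ${fileGlobsList}
 
+# Source-extension allowlist (pack-declared via allSourceExtensions()).
+# Keeps the CODE graph to actual source files — graphify also parses .md /
+# .json into nodes, which is noise for code navigation. Empty set would be a
+# bug (no files pass); the TS builder always emits a non-empty literal.
+INCLUDE_EXTS = ${includeExtsSet}
+
 # Bytes-per-line floor above which a file is almost certainly minified
 # / bundled output. Mirrors the heuristic in
 # src/analyzers/tools/minified-detection.ts so graphify's enumeration
@@ -128,6 +151,11 @@ def _is_likely_minified(f):
 return False
 
 def _is_excluded(f):
+# Source-extension allowlist first: anything that isn't a pack-declared
+# source file (markdown, JSON config, lockfiles, plain text) is not part
+# of the code graph.
+if f.suffix.lower() not in INCLUDE_EXTS:
+return True
 if any(seg in EXCLUDE_DIRS for seg in f.parts):
 return True
 name = f.name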
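Review bot: The Python set literal built at new lines 92–94 of the `@@ -75,6 +76,22 @@` hunk wraps each extension in single quotes with no escaping, so any value returned by `allSourceExtensions()` that contains `'` or `\` would break or alter the generated script; emitting each element as `JSON.stringify(e.toLowerCase())` produces a literal Python also accepts and removes the hand-quoting. The comment at new line 125 states that an empty set would be a bug the builder never emits, but nothing enforces it — a guard such as `if (exts.length === 0) throw new Error('allSourceExtensions() returned no extensions');` before building the literal turns that into a fail-fast instead of a silently empty graph. The new check in `_is_excluded` (`@@ -128,6 +151,11 @@` hunk) compares `f.suffix.lower()`, which includes the leading dot, so the allowlist only works if `allSourceExtensions()` returns dotted values like `.ts` rather than bare names; that assumption, and the fact that extension-less files now fall out of the graph, belong in the comment above the check. `buildGraphifyScript` continues past the second hunk and `_is_excluded` past the fourth.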
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"graphify.js","sourceRoot":"","sources":["../../../src/analyzers/tools/graphify.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"graphify.js","sourceRoot":"","sources":["../../../src/analyzers/tools/graphify.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsDA,kDA6nBC;AAoDD,oDAKC;AAmBD,kDAWC;AA+LD,sDAiBC;AA19BD;;;;;;;;;;;;;;;;GAgBG;AACH,uCAAyB;AACzB,uCAAyB;AACzB,2CAA6B;AAC7B,qCAAuC;AACvC,mDAAsD;AACtD,6CAAsD;AACtD,+CAAsD;AACtD,mCAA4C;AAG5C,+CAAwE;AAiBxE;;;;;;;;;GASG;AACH,SAAgB,mBAAmB,CAAC,GAAW;IAC7C,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,GAAG,IAAA,mCAAsB,EAAC,GAAG,CAAC,CAAC;IAC1E,0EAA0E;IAC1E,6EAA6E;IAC7E,2EAA2E;IAC3E,oEAAoE;IACpE,0EAA0E;IAC1E,0EAA0E;IAC1E,2EAA2E;IAC3E,wEAAwE;IACxE,sEAAsE;IACtE,wEAAwE;IACxE,2EAA2E;IAC3E,0EAA0E;IAC1E,iCAAiC;IACjC,MAAM,cAAc,GAAG,QAAQ,IAAA,+BAAmB,GAAE;SACjD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,GAAG,CAAC;SAClC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;IAClB,OAAO;;;;;;;;;;;;;;;;;;;;;;;iBAuBQ,OAAO;kBACN,SAAS;uBACJ,aAAa;;;;;;iBAMnB,cAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA2kB9B,CAAC;AACF,CAAC;AAyBD;;;;;;;;GAQG;AACH,MAAM,eAAe,GAAG,IAAI,GAAG,EAAmC,CAAC;AACnE,MAAM,UAAU,GAAG,IAAI,GAAG,EAA8B,CAAC;AAEzD;;;;;;;GAOG;AACH,MAAM,WAAW,GAAG,IAAI,GAAG,EAAyB,CAAC;AAErD;;;;GAIG;AACI,KAAK,UAAU,oBAAoB,CAAC,GAAW;IACpD,MAAM,eAAe,CAAC,GAAG,CAAC,CAAC;IAC3B,mEAAmE;IACnE,mBAAmB;IACnB,OAAO,eAAe,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC;AACnC,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACI,KAAK,UAAU,mBAAmB,CACvC,GAAW,EACX,OAAkC,EAAE;IAEpC,MAAM,eAAe,CAAC,GAAG,CAAC,CAAC;IAC3B,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,CAAC,GAAG,CAAE,CAAC;IA
CrC,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,KAAK,KAAK,CAAC;IAC/C,IAAI,WAAW,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC9C,kBAAkB,CAAC,GAAG,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;GAKG;AACH,SAAS,kBAAkB,CAAC,GAAW,EAAE,KAAgB;IACvD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,yBAAiB,CAAC,CAAC;IAClD,IAAI,CAAC;QACH,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;IACnD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,0BAA0B,yBAAiB,KAAK,GAAG,IAAI,CAAC,CAAC;IAChF,CAAC;AACH,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,GAAW;IACxC,4DAA4D;IAC5D,IAAI,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO;IAC5D,IAAI,CAAC,GAAG,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,CAAC,EAAE,CAAC;QACP,CAAC,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE;YACpC,0DAA0D;YAC1D,0DAA0D;YAC1D,qDAAqD;YACrD,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;QACH,WAAW,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IAC1B,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,GAAW;IACxC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,MAAM,GAAG,eAAe,CAAC;QAC/B,eAAe,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC,CAAC;QAC1D,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC,CAAC;QACrD,OAAO;IACT,CAAC;IAED,oEAAoE;IACpE,gEAAgE;IAChE,mEAAmE;IACnE,iCAAiC;IACjC,MAAM,SAAS,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC,CAAC;IAC5E,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAClD,wEAAwE;IACxE,sEAAsE;IACtE,sEAAsE;IACtE,wEAAwE;IACxE,0DAA0D;IAC1D,oEAAoE;IACpE,wEAAwE;IACxE,4BAA4B;IAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,gBAAgB,CAAC,CAAC;IACxD,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC;IAC
vD,2DAA2D;IAC3D,2DAA2D;IAC3D,+DAA+D;IAC/D,6DAA6D;IAC7D,2DAA2D;IAC3D,2DAA2D;IAC3D,8DAA8D;IAC9D,+CAA+C;IAC/C,EAAE;IACF,gEAAgE;IAChE,iEAAiE;IACjE,MAAM,OAAO,GAAG,MAAM,IAAA,oBAAW,EAAC,SAAS,EAAE,CAAC,UAAU,EAAE,GAAG,EAAE,QAAQ,CAAC,EAAE;QACxE,GAAG,EAAE,SAAS;QACd,SAAS,EAAE,MAAM,EAAE,6EAA6E;KACjG,CAAC,CAAC;IACH,IAAI,CAAC;QACH,EAAE,CAAC,MAAM,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,YAAY;IACd,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAC9B,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAE5C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,IAAI,MAAc,CAAC;QACnB,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,GAAG,gEAAgE,CAAC;QAC5E,CAAC;aAAM,CAAC;YACN,+DAA+D;YAC/D,+DAA+D;YAC/D,8DAA8D;YAC9D,iDAAiD;YACjD,MAAM,eAAe,GAAG,aAAa;iBAClC,KAAK,CAAC,IAAI,CAAC;iBACX,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;gBACjC,EAAE,IAAI,EAAE,CAAC;YACX,MAAM,GAAG,eAAe;gBACtB,CAAC,CAAC,WAAW,eAAe,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,eAAe,EAAE;gBACrG,CAAC,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,IAAI,OAAO,CAAC,IAAI,KAAK,IAAI;oBAC3C,CAAC,CAAC,yBAAyB,OAAO,CAAC,IAAI,2DAA2D;oBAClG,CAAC,CAAC,oCAAoC,CAAC;QAC7C,CAAC;QACD,eAAe,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC,CAAC;QAC1D,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC,CAAC;QACrD,OAAO;IACT,CAAC;IAED,mFAAmF;IACnF,MAAM,QAAQ,GAAG,MAAM;SACpB,KAAK,CAAC,IAAI,CAAC;SACX,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;SAChC,GAAG,EAAE,CAAC;IACT,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,MAAM,GAAG,gBAAgB,CAAC;QAChC,eAAe,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC,CAAC;QAC1D,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC,CAAC;QACrD,OAAO;IACT,CAAC;IAED,IAAI,IAAyC,CAAC;IAC9C,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAwC,CAAC;IACrE,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,MAAM,GAAG,aAAa,CAAC;QAC7B,eAAe,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,aAAa,
EAAE,MAAM,EAAE,CAAC,CAAC;QAC1D,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC,CAAC;QACrD,OAAO;IACT,CAAC;IACD,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACf,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC;QAC1B,eAAe,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC,CAAC;QAC1D,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC,CAAC;QACrD,OAAO;IACT,CAAC;IAED,qDAAqD;IACrD,eAAe,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,qBAAqB,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IAE1F,+DAA+D;IAC/D,8DAA8D;IAC9D,kEAAkE;IAClE,yBAAyB;IACzB,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACf,MAAM,YAAY,GAAG,gBAAgB,EAAE,CAAC;QACxC,MAAM,aAAa,GAAc;YAC/B,GAAG,IAAI,CAAC,KAAK;YACb,IAAI,EAAE;gBACJ,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI;gBAClB,YAAY;aACb;SACF,CAAC;QACF,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC,CAAC;IACjE,CAAC;SAAM,CAAC;QACN,gEAAgE;QAChE,2DAA2D;QAC3D,0CAA0C;QAC1C,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE;YAClB,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,wDAAwD;SACjE,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,gBAAgB;IACvB,IAAI,CAAC;QACH,2DAA2D;QAC3D,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;QAC1E,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAyB,CAAC;QAClF,OAAO,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAgB,qBAAqB,CAAC,IAAoB,EAAE,GAAW;IACrE,OAAO;QACL,aAAa,EAAE,CAAC;QAChB,IAAI,EAAE,UAAU;QAChB,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,kBAAkB,EAAE,IAAI,CAAC,kBAAkB;QAC3C,oBAAoB,EAAE,IAAI,CAAC,oBAAoB;YAC7C,CAAC,CAAC,IAAA,yBAAiB,EAAC,GAAG,EAAE,IAAI,CAAC,oBAAoB,CAAC;YACnD,CAAC,CAAC,EAAE;QACN,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,cAAc,EAAE,IAAI,CAAC,cAAc;QACnC,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;QACzC,eAAe,EAAE,IAAI,CAAC,eAAe;QACrC,kBAAkB,EAAE,IAAI,CAAC,kBAAkB;KAC5C,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,
uEAAuE;AACvE,uEAAuE;AACvE,+DAA+D;AAC/D,gEAAgE;AAChE,oEAAoE;AACpE,qEAAqE;AACxD,QAAA,gBAAgB,GAEzB;IACF,MAAM,EAAE,UAAU;IAClB,KAAK,CAAC,MAAM,CAAC,GAAG;QACd,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAChD,OAAO,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9D,CAAC;IACD,KAAK,CAAC,aAAa,CAAC,GAAG;QACrB,OAAO,oBAAoB,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC;CACF,CAAC;AAEF,sFAAsF;AACtF,SAAS,UAAU,CAAC,GAAW;IAC7B,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,yBAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IACjD,OAAO,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;AAC/C,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"grep-secrets.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/grep-secrets.ts"],"names":[],"mappings":"AAiCA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,uCAAuC,CAAC;AAChF,OAAO,KAAK,EAAiB,aAAa,EAAE,MAAM,oCAAoC,CAAC;AAqCvF;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,
|
|
1
|
+
{"version":3,"file":"grep-secrets.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/grep-secrets.ts"],"names":[],"mappings":"AAiCA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,uCAAuC,CAAC;AAChF,OAAO,KAAK,EAAiB,aAAa,EAAE,MAAM,oCAAoC,CAAC;AAqCvF;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI,CAqEzE;AAED,eAAO,MAAM,mBAAmB,EAAE,kBAAkB,CAAC,aAAa,CAKjE,CAAC"}
|