@vyuhlabs/dxkit 2.10.0 → 2.11.0
- package/CHANGELOG.md +98 -0
- package/dist/allowlist/cli.d.ts +23 -23
- package/dist/allowlist/cli.d.ts.map +1 -1
- package/dist/allowlist/cli.js +72 -34
- package/dist/allowlist/cli.js.map +1 -1
- package/dist/allowlist/file.d.ts +7 -1
- package/dist/allowlist/file.d.ts.map +1 -1
- package/dist/allowlist/file.js +7 -1
- package/dist/allowlist/file.js.map +1 -1
- package/dist/analysis-result.d.ts +10 -0
- package/dist/analysis-result.d.ts.map +1 -1
- package/dist/analyzers/cache.d.ts +1 -0
- package/dist/analyzers/cache.d.ts.map +1 -1
- package/dist/analyzers/cache.js +69 -0
- package/dist/analyzers/cache.js.map +1 -1
- package/dist/analyzers/security/aggregator.d.ts +90 -90
- package/dist/analyzers/security/aggregator.d.ts.map +1 -1
- package/dist/analyzers/security/aggregator.js +140 -56
- package/dist/analyzers/security/aggregator.js.map +1 -1
- package/dist/analyzers/security/gather.d.ts +2 -0
- package/dist/analyzers/security/gather.d.ts.map +1 -1
- package/dist/analyzers/security/gather.js +30 -4
- package/dist/analyzers/security/gather.js.map +1 -1
- package/dist/analyzers/security/types.d.ts +29 -7
- package/dist/analyzers/security/types.d.ts.map +1 -1
- package/dist/analyzers/tools/fingerprint.d.ts +133 -20
- package/dist/analyzers/tools/fingerprint.d.ts.map +1 -1
- package/dist/analyzers/tools/fingerprint.js +194 -20
- package/dist/analyzers/tools/fingerprint.js.map +1 -1
- package/dist/analyzers/tools/gitleaks.d.ts +2 -2
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
- package/dist/analyzers/tools/gitleaks.js +7 -1
- package/dist/analyzers/tools/gitleaks.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +28 -0
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/grep-secrets.d.ts.map +1 -1
- package/dist/analyzers/tools/grep-secrets.js +22 -12
- package/dist/analyzers/tools/grep-secrets.js.map +1 -1
- package/dist/analyzers/tools/salt.d.ts +68 -0
- package/dist/analyzers/tools/salt.d.ts.map +1 -0
- package/dist/{baseline → analyzers/tools}/salt.js +59 -18
- package/dist/analyzers/tools/salt.js.map +1 -0
- package/dist/analyzers/tools/semgrep.d.ts +7 -7
- package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
- package/dist/analyzers/tools/semgrep.js +14 -7
- package/dist/analyzers/tools/semgrep.js.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +4 -4
- package/dist/baseline/baseline-file.d.ts +9 -2
- package/dist/baseline/baseline-file.d.ts.map +1 -1
- package/dist/baseline/baseline-file.js.map +1 -1
- package/dist/baseline/check-renderers.d.ts.map +1 -1
- package/dist/baseline/check-renderers.js +14 -0
- package/dist/baseline/check-renderers.js.map +1 -1
- package/dist/baseline/check.d.ts +33 -0
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +78 -2
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/create.d.ts +1 -1
- package/dist/baseline/create.d.ts.map +1 -1
- package/dist/baseline/create.js +3 -1
- package/dist/baseline/create.js.map +1 -1
- package/dist/baseline/finding-identity.d.ts +20 -13
- package/dist/baseline/finding-identity.d.ts.map +1 -1
- package/dist/baseline/finding-identity.js +51 -20
- package/dist/baseline/finding-identity.js.map +1 -1
- package/dist/baseline/migrate.d.ts +94 -0
- package/dist/baseline/migrate.d.ts.map +1 -0
- package/dist/baseline/migrate.js +238 -0
- package/dist/baseline/migrate.js.map +1 -0
- package/dist/baseline/producers/security.d.ts +9 -9
- package/dist/baseline/producers/security.d.ts.map +1 -1
- package/dist/baseline/producers/security.js +16 -4
- package/dist/baseline/producers/security.js.map +1 -1
- package/dist/baseline/types.d.ts +145 -95
- package/dist/baseline/types.d.ts.map +1 -1
- package/dist/baseline/types.js +30 -26
- package/dist/baseline/types.js.map +1 -1
- package/dist/explore/finding-context.d.ts +17 -0
- package/dist/explore/finding-context.d.ts.map +1 -1
- package/dist/explore/finding-context.js +34 -0
- package/dist/explore/finding-context.js.map +1 -1
- package/dist/explore/queries.d.ts +32 -15
- package/dist/explore/queries.d.ts.map +1 -1
- package/dist/explore/queries.js +36 -6
- package/dist/explore/queries.js.map +1 -1
- package/dist/ingest/normalize.d.ts +1 -1
- package/dist/ingest/normalize.d.ts.map +1 -1
- package/dist/ingest/normalize.js +5 -1
- package/dist/ingest/normalize.js.map +1 -1
- package/dist/ingest/sarif.d.ts.map +1 -1
- package/dist/ingest/sarif.js +16 -7
- package/dist/ingest/sarif.js.map +1 -1
- package/dist/ingest/types.d.ts +23 -12
- package/dist/ingest/types.d.ts.map +1 -1
- package/dist/languages/capabilities/types.d.ts +64 -53
- package/dist/languages/capabilities/types.d.ts.map +1 -1
- package/dist/languages/capabilities/types.js +4 -4
- package/dist/update.d.ts.map +1 -1
- package/dist/update.js +49 -0
- package/dist/update.js.map +1 -1
- package/dist/upgrade.d.ts.map +1 -1
- package/dist/upgrade.js +2 -1
- package/dist/upgrade.js.map +1 -1
- package/package.json +6 -3
- package/templates/.claude/skills/dxkit-update/SKILL.md +45 -4
- package/dist/baseline/salt.d.ts +0 -45
- package/dist/baseline/salt.d.ts.map +0 -1
- package/dist/baseline/salt.js.map +0 -1
package/dist/baseline/types.d.ts
CHANGED
|
@@ -9,20 +9,20 @@
|
|
|
9
9
|
* identity." Each finding has up to several fingerprint axes,
|
|
10
10
|
* differentiated by what they capture:
|
|
11
11
|
*
|
|
12
|
-
*
|
|
13
|
-
*
|
|
14
|
-
*
|
|
15
|
-
*
|
|
16
|
-
*
|
|
17
|
-
*
|
|
18
|
-
*
|
|
19
|
-
*
|
|
20
|
-
*
|
|
21
|
-
*
|
|
22
|
-
*
|
|
23
|
-
*
|
|
24
|
-
*
|
|
25
|
-
*
|
|
12
|
+
* - **Location fingerprint** — `(canonicalRule, file, lineWindow)`
|
|
13
|
+
* for code/secret/config/hygiene findings. Locates a finding
|
|
14
|
+
* in the source tree with ±2 line drift tolerance via bucket
|
|
15
|
+
* windowing. Stable across small reformat / whitespace edits;
|
|
16
|
+
* drifts on bigger shifts (closed by git-aware match).
|
|
17
|
+
* - **Domain fingerprint** — `(package, version, advisoryId)` for
|
|
18
|
+
* dep-vulns; `(package, version, licenseType)` for licenses;
|
|
19
|
+
* normalized block hash for jscpd. Captures *what the finding
|
|
20
|
+
* is about* independent of source position. Drift-immune.
|
|
21
|
+
* - **Semantic fingerprint** — `(file, symbol)` for coverage gaps
|
|
22
|
+
* when a symbol is known. Survives any vertical drift within
|
|
23
|
+
* the symbol body.
|
|
24
|
+
* - **Content fingerprint** — Sprint 0.x. Normalized snippet
|
|
25
|
+
* hash; fallback when git history is unreachable.
|
|
26
26
|
*
|
|
27
27
|
* The hash format is identical across axes — 16-char lowercase hex
|
|
28
28
|
* (SHA-1[0:16]). Callers don't need to know which axis a hash came
|
|
@@ -34,18 +34,18 @@
|
|
|
34
34
|
* findings. Each `IdentityInput` discriminant maps 1:1 to an existing
|
|
35
35
|
* gather pipeline:
|
|
36
36
|
*
|
|
37
|
-
*
|
|
38
|
-
*
|
|
39
|
-
*
|
|
40
|
-
*
|
|
41
|
-
*
|
|
42
|
-
*
|
|
43
|
-
*
|
|
44
|
-
*
|
|
45
|
-
*
|
|
46
|
-
*
|
|
47
|
-
*
|
|
48
|
-
*
|
|
37
|
+
* - `secret` / `code` / `config` — security analyzer's
|
|
38
|
+
* `SecurityFinding` (gitleaks, semgrep, TLS-bypass registry,
|
|
39
|
+
* private-key files, env-in-git).
|
|
40
|
+
* - `dep-vuln` — security analyzer's `DepVulnFinding` (osv-scanner,
|
|
41
|
+
* npm-audit, pip-audit, cargo-audit, etc.).
|
|
42
|
+
* - `duplication` — quality analyzer's `CloneGroup` (jscpd).
|
|
43
|
+
* - `coverage-gap` — coverage-gap report entries (file + symbol
|
|
44
|
+
* when available, fallback to file + line range).
|
|
45
|
+
* - `test-gap` — non-test source files flagged by the test-gaps
|
|
46
|
+
* analyzer.
|
|
47
|
+
* - `hygiene` — TODO / FIXME / HACK / console-log / any-type
|
|
48
|
+
* occurrences (per-occurrence identity).
|
|
49
49
|
*
|
|
50
50
|
* License attributions are NOT a baseline finding kind. They live in
|
|
51
51
|
* the per-package BoM artifact (`.dxkit/bom.json`) — the canonical
|
|
@@ -67,38 +67,76 @@
|
|
|
67
67
|
*/
|
|
68
68
|
export type FindingId = string;
|
|
69
69
|
/**
|
|
70
|
-
* Identity-scheme version.
|
|
71
|
-
*
|
|
72
|
-
*
|
|
70
|
+
* Identity-scheme version. Bumped whenever the hashing inputs change in a
|
|
71
|
+
* way that would invalidate stored baselines / allowlists.
|
|
72
|
+
*
|
|
73
|
+
* - `v1` — the pre-2.11 scheme: code/secret/config hashed
|
|
74
|
+
* `(canonicalRule, file, lineWindow)`; dep-vuln hashed
|
|
75
|
+
* `(package, installedVersion, id)`.
|
|
76
|
+
* - `v2` (current) — content-anchored: code = `(scope, spanHash,
|
|
77
|
+
* ordinal)`, secret = salted HMAC, config = `(rule, file)`, all with
|
|
78
|
+
* a line-window fallback; dep-vuln = `(package, canonicalAdvisoryId)`.
|
|
79
|
+
*
|
|
80
|
+
* `identityFor` can compute EITHER scheme (every shipped scheme's id
|
|
81
|
+
* function is retained — see `computeFingerprintV1`), which is what lets
|
|
82
|
+
* the identity migrator build an `old → new` remap and carry allowlist
|
|
83
|
+
* entries across an upgrade. The version is stamped on the baseline +
|
|
84
|
+
* allowlist files so a later dxkit can detect the gap and migrate.
|
|
85
|
+
*
|
|
86
|
+
* Adding a future `v3`: extend this union, add its branch in
|
|
87
|
+
* `identityFor`, retain the prior scheme's id function, and the migrator
|
|
88
|
+
* + `update` handle the rest with no further wiring.
|
|
73
89
|
*/
|
|
74
|
-
export type IdentitySchemeVersion = 'v1';
|
|
90
|
+
export type IdentitySchemeVersion = 'v1' | 'v2';
|
|
91
|
+
/** The scheme `identityFor` mints new identities under by default, and the
|
|
92
|
+
* version stamped on freshly written baseline / allowlist files. */
|
|
93
|
+
export declare const CURRENT_IDENTITY_SCHEME: IdentitySchemeVersion;
|
|
75
94
|
/**
|
|
76
95
|
* Discriminated union of every finding kind that participates in
|
|
77
96
|
* identity. Producers wrap their per-tool finding shape into one of
|
|
78
97
|
* these before calling `identityFor`.
|
|
79
98
|
*
|
|
80
99
|
* Adding a new finding kind to the dispatch is a three-line change:
|
|
81
|
-
*
|
|
82
|
-
*
|
|
83
|
-
*
|
|
100
|
+
* 1. Add the per-kind interface below.
|
|
101
|
+
* 2. Append the interface name to this union.
|
|
102
|
+
* 3. Add the corresponding case branch in `identityFor`.
|
|
84
103
|
*
|
|
85
104
|
* The hash format is SHA-1[0:16] across every kind — callers store
|
|
86
105
|
* identities in one flat set without tracking provenance.
|
|
87
106
|
*/
|
|
88
107
|
export type IdentityInput = SecretIdentityInput | CodeIdentityInput | ConfigIdentityInput | DepVulnIdentityInput | DuplicationIdentityInput | CoverageGapIdentityInput | TestGapIdentityInput | HygieneOffenderIdentityInput | TestFileDegradationIdentityInput | GodFileIdentityInput | StaleFileIdentityInput | LargeFileIdentityInput | SecretHmacIdentityInput | StaleAllowIdentityInput;
|
|
108
|
+
/**
|
|
109
|
+
* Content anchor for the secret/code/config identity schemes.
|
|
110
|
+
* Derived from WHAT a finding is, not WHERE it sits, so identity
|
|
111
|
+
* survives the finding moving lines:
|
|
112
|
+
* - secret → salted HMAC of the value (`computeSecretHmac`).
|
|
113
|
+
* - code → `codeContentAnchor(scope, span, ordinal)` — enclosing
|
|
114
|
+
* symbol + normalized-span hash + in-scope ordinal.
|
|
115
|
+
* - config → `''` (identity is just `(canonicalRule, file)`; a config
|
|
116
|
+
* finding is inherently line-independent).
|
|
117
|
+
*
|
|
118
|
+
* Optional: when absent, `identityFor` falls back to the legacy
|
|
119
|
+
* line-window hash; when present, the dispatch prefers this anchor and
|
|
120
|
+
* `line` becomes display metadata only.
|
|
121
|
+
*/
|
|
122
|
+
export type ContentAnchor = string;
|
|
89
123
|
/** gitleaks + private-key files + similar secret detectors. */
|
|
90
124
|
export interface SecretIdentityInput {
|
|
91
125
|
readonly kind: 'secret';
|
|
92
126
|
/** Producer tool name as reported by the analyzer (e.g. 'gitleaks'). */
|
|
93
127
|
readonly tool: string;
|
|
94
128
|
/** Producer-specific rule id. The canonical-rule map collapses
|
|
95
|
-
*
|
|
129
|
+
* cross-tool overlaps where they exist. */
|
|
96
130
|
readonly rule: string;
|
|
97
131
|
/** Project-relative file path. */
|
|
98
132
|
readonly file: string;
|
|
99
133
|
/** 1-based line number. Bucketed to absorb small drift between
|
|
100
|
-
*
|
|
134
|
+
* tool versions; see `CODE_FINGERPRINT_LINE_WINDOW`. Display metadata
|
|
135
|
+
* once `contentAnchor` is present. */
|
|
101
136
|
readonly line: number;
|
|
137
|
+
/** Salted HMAC of the secret value (Content anchor). Present when
|
|
138
|
+
* the gather could derive a salt; absent → line-based fallback. */
|
|
139
|
+
readonly contentAnchor?: ContentAnchor;
|
|
102
140
|
}
|
|
103
141
|
/** semgrep + TLS-bypass registry + per-language code-pattern providers. */
|
|
104
142
|
export interface CodeIdentityInput {
|
|
@@ -107,6 +145,9 @@ export interface CodeIdentityInput {
|
|
|
107
145
|
readonly rule: string;
|
|
108
146
|
readonly file: string;
|
|
109
147
|
readonly line: number;
|
|
148
|
+
/** `codeContentAnchor(scope, span, ordinal)`. Present when the
|
|
149
|
+
* aggregator could resolve a span/scope; absent → line-based fallback. */
|
|
150
|
+
readonly contentAnchor?: ContentAnchor;
|
|
110
151
|
}
|
|
111
152
|
/** Configuration-class findings (e.g. .env tracked in git). */
|
|
112
153
|
export interface ConfigIdentityInput {
|
|
@@ -116,6 +157,9 @@ export interface ConfigIdentityInput {
|
|
|
116
157
|
readonly file: string;
|
|
117
158
|
/** Line 0 acceptable for whole-file findings. */
|
|
118
159
|
readonly line: number;
|
|
160
|
+
/** `''` for config (identity is `(canonicalRule, file)`). Carried for
|
|
161
|
+
* uniformity with the other code-side inputs. */
|
|
162
|
+
readonly contentAnchor?: ContentAnchor;
|
|
119
163
|
}
|
|
120
164
|
/** Dependency-advisory findings (osv-scanner / npm-audit / pip-audit / ...). */
|
|
121
165
|
export interface DepVulnIdentityInput {
|
|
@@ -123,28 +167,34 @@ export interface DepVulnIdentityInput {
|
|
|
123
167
|
/** Package name as reported by the producer. */
|
|
124
168
|
readonly package: string;
|
|
125
169
|
/** Installed version string, when known. Absent for findings produced
|
|
126
|
-
*
|
|
170
|
+
* without an accessible lockfile. Display metadata only — NOT part of
|
|
171
|
+
* the fingerprint (it's environment-dependent; see
|
|
172
|
+
* `computeFingerprint`). */
|
|
127
173
|
readonly installedVersion: string | undefined;
|
|
128
174
|
/** Advisory id (GHSA / CVE / RUSTSEC / etc.). Producer-canonical. */
|
|
129
175
|
readonly id: string;
|
|
176
|
+
/** Cross-namespace aliases (CVE / GHSA / OSV / SNYK …) the producer
|
|
177
|
+
* surfaced. Used to canonicalize identity so the same advisory found
|
|
178
|
+
* by different scanners shares one fingerprint. */
|
|
179
|
+
readonly aliases?: readonly string[];
|
|
130
180
|
}
|
|
131
181
|
/** jscpd-style duplicate-block findings. */
|
|
132
182
|
export interface DuplicationIdentityInput {
|
|
133
183
|
readonly kind: 'duplication';
|
|
134
184
|
/** Files on each side of the duplicate pair. Order is normalized
|
|
135
|
-
*
|
|
185
|
+
* inside `identityFor` so swapped sides hash identically. */
|
|
136
186
|
readonly fileA: string;
|
|
137
187
|
readonly fileB: string;
|
|
138
188
|
/** Line count of the duplicated block. `lines` is preferred over
|
|
139
|
-
*
|
|
140
|
-
*
|
|
141
|
-
*
|
|
142
|
-
*
|
|
189
|
+
* the `tokens` field jscpd also reports because jscpd's JSON
|
|
190
|
+
* reporter does not populate `tokens` in practice — it's always
|
|
191
|
+
* 0, which would degenerate the identity tuple and silently lose
|
|
192
|
+
* the "block-size changes → identity changes" property. */
|
|
143
193
|
readonly lines: number;
|
|
144
194
|
/** Start line of the block on side A. Combined with `startLineB`
|
|
145
|
-
*
|
|
146
|
-
*
|
|
147
|
-
*
|
|
195
|
+
* this distinguishes intra-file clones at different positions
|
|
196
|
+
* (same `fileA === fileB`, different line ranges) which would
|
|
197
|
+
* otherwise collapse to one identity. */
|
|
148
198
|
readonly startLineA: number;
|
|
149
199
|
/** Start line of the block on side B. */
|
|
150
200
|
readonly startLineB: number;
|
|
@@ -159,11 +209,11 @@ export interface CoverageGapIdentityInput {
|
|
|
159
209
|
readonly kind: 'coverage-gap';
|
|
160
210
|
readonly file: string;
|
|
161
211
|
/** Function / method / class symbol. Present when the gap is
|
|
162
|
-
*
|
|
163
|
-
*
|
|
212
|
+
* attributable to a named symbol; absent for line-range-only
|
|
213
|
+
* attribution. */
|
|
164
214
|
readonly symbol?: string;
|
|
165
215
|
/** Inclusive `[startLine, endLine]`. Required when `symbol` is
|
|
166
|
-
*
|
|
216
|
+
* absent. */
|
|
167
217
|
readonly lineRange?: readonly [number, number];
|
|
168
218
|
}
|
|
169
219
|
/**
|
|
@@ -233,9 +283,9 @@ export interface StaleFileIdentityInput {
|
|
|
233
283
|
readonly kind: 'stale-file';
|
|
234
284
|
readonly file: string;
|
|
235
285
|
/** Lower-case suffix without the leading dot (`'swp'`, `'bak'`,
|
|
236
|
-
*
|
|
237
|
-
*
|
|
238
|
-
*
|
|
286
|
+
* `'orig'`, `'tmp'`). The producer derives this from the file
|
|
287
|
+
* extension; storing it in identity makes the reason for the
|
|
288
|
+
* flag inspectable from the baseline alone. */
|
|
239
289
|
readonly suffix: string;
|
|
240
290
|
}
|
|
241
291
|
/**
|
|
@@ -277,8 +327,8 @@ export interface SecretHmacIdentityInput {
|
|
|
277
327
|
/** Producer tool name (e.g. 'gitleaks'). */
|
|
278
328
|
readonly tool: string;
|
|
279
329
|
/** Producer-specific rule id. The canonical-rule map applies here
|
|
280
|
-
*
|
|
281
|
-
*
|
|
330
|
+
* too: two tools detecting the same secret class collapse to one
|
|
331
|
+
* canonical rule. */
|
|
282
332
|
readonly rule: string;
|
|
283
333
|
/** 16-char hex from `computeSecretHmac(secret, repoSalt)`. */
|
|
284
334
|
readonly hmac: string;
|
|
@@ -304,9 +354,9 @@ export interface StaleAllowIdentityInput {
|
|
|
304
354
|
readonly file: string;
|
|
305
355
|
readonly line: number;
|
|
306
356
|
/** The category named in the orphaned annotation. Free-form
|
|
307
|
-
*
|
|
308
|
-
*
|
|
309
|
-
*
|
|
357
|
+
* string at identity-input level (the canonical
|
|
358
|
+
* `AllowlistCategory` union lives in `src/allowlist/categories.ts`
|
|
359
|
+
* to avoid a cross-module import here in the baseline types). */
|
|
310
360
|
readonly category: string;
|
|
311
361
|
}
|
|
312
362
|
/**
|
|
@@ -324,18 +374,18 @@ export type BaselineEntry = {
|
|
|
324
374
|
file: string;
|
|
325
375
|
line: number;
|
|
326
376
|
/** 16-char hex hash of normalized context around `line` at
|
|
327
|
-
*
|
|
328
|
-
*
|
|
329
|
-
*
|
|
330
|
-
*
|
|
331
|
-
*
|
|
377
|
+
* baseline-create time. Stamped via `computeContentHashFromCommit`;
|
|
378
|
+
* the matcher's third pass uses it as a fallback when git-aware
|
|
379
|
+
* location matching fails (shallow clones, force-pushed base,
|
|
380
|
+
* context survives but line shifts past the fuzz window). Absent
|
|
381
|
+
* when the producer couldn't read the file. */
|
|
332
382
|
contentHash?: string;
|
|
333
383
|
/** Fingerprints of cross-tool / neighbor-bucket / CWE-bridge
|
|
334
|
-
*
|
|
335
|
-
*
|
|
336
|
-
*
|
|
337
|
-
*
|
|
338
|
-
*
|
|
384
|
+
* findings that the aggregator collapsed into this one. Carried
|
|
385
|
+
* so an allowlist entry keyed on a contributing fingerprint still
|
|
386
|
+
* suppresses the merged finding — robust matching against dedup
|
|
387
|
+
* nondeterminism between runs. Present only when such a merge
|
|
388
|
+
* fired. */
|
|
339
389
|
absorbedFingerprints?: readonly string[];
|
|
340
390
|
} | {
|
|
341
391
|
id: FindingId;
|
|
@@ -369,8 +419,8 @@ export type BaselineEntry = {
|
|
|
369
419
|
line: number;
|
|
370
420
|
marker: HygieneMarker;
|
|
371
421
|
/** Same content-hash semantics as the secret/code/config variant
|
|
372
|
-
*
|
|
373
|
-
*
|
|
422
|
+
* — populated when the producer can read the file at the
|
|
423
|
+
* baseline commit. */
|
|
374
424
|
contentHash?: string;
|
|
375
425
|
} | {
|
|
376
426
|
id: FindingId;
|
|
@@ -444,17 +494,17 @@ export interface SanitizedBaselineEntry {
|
|
|
444
494
|
* the prose and use the codes for filtering / policy decisions.
|
|
445
495
|
*
|
|
446
496
|
* `priorId` and `currentId` are both optional because:
|
|
447
|
-
*
|
|
448
|
-
*
|
|
449
|
-
*
|
|
450
|
-
*
|
|
451
|
-
*
|
|
452
|
-
*
|
|
497
|
+
* - `added` → only `currentId` is present.
|
|
498
|
+
* - `removed` → only `priorId` is present.
|
|
499
|
+
* - `persisted` / `relocated` → both, and they may differ when a
|
|
500
|
+
* location fingerprint shifted across the line-window boundary
|
|
501
|
+
* (each "side" has its own hash even though they describe the
|
|
502
|
+
* same finding).
|
|
453
503
|
*/
|
|
454
504
|
export type MatchStatus = 'persisted' | 'relocated' | 'added' | 'removed';
|
|
455
505
|
export interface MatchReason {
|
|
456
506
|
/** Short code: 'exact-id', 'git-line-exact', 'git-line-fuzz',
|
|
457
|
-
*
|
|
507
|
+
* 'git-rename', 'multiset-occurrence'. */
|
|
458
508
|
readonly code: string;
|
|
459
509
|
/** Human-readable explanation suitable for end-user rendering. */
|
|
460
510
|
readonly detail: string;
|
|
@@ -464,7 +514,7 @@ export interface MatchPair {
|
|
|
464
514
|
readonly currentId?: FindingId;
|
|
465
515
|
readonly status: MatchStatus;
|
|
466
516
|
/** Confidence in [0, 1]. 1.0 = exact identity; <1.0 = paired via
|
|
467
|
-
*
|
|
517
|
+
* a fallback layer (git relocation, line-fuzz, rename). */
|
|
468
518
|
readonly confidence: number;
|
|
469
519
|
readonly reasons: ReadonlyArray<MatchReason>;
|
|
470
520
|
}
|
|
@@ -479,26 +529,26 @@ export type FindingSeverity = 'critical' | 'high' | 'medium' | 'low';
|
|
|
479
529
|
* check can emit. Wider than `MatchStatus` because policy adds context
|
|
480
530
|
* the matcher doesn't have:
|
|
481
531
|
*
|
|
482
|
-
*
|
|
483
|
-
*
|
|
484
|
-
*
|
|
485
|
-
*
|
|
486
|
-
*
|
|
487
|
-
*
|
|
488
|
-
*
|
|
489
|
-
*
|
|
490
|
-
*
|
|
491
|
-
*
|
|
492
|
-
*
|
|
493
|
-
*
|
|
494
|
-
*
|
|
495
|
-
*
|
|
496
|
-
*
|
|
497
|
-
*
|
|
498
|
-
*
|
|
499
|
-
*
|
|
500
|
-
*
|
|
501
|
-
*
|
|
532
|
+
* - `persisted` / `relocated` / `added` / `removed` — direct
|
|
533
|
+
* pass-through of the matcher's pair status.
|
|
534
|
+
* - `fixed` — a `removed` finding that the policy treats as a
|
|
535
|
+
* positive event (resolution rather than disappearance). Today
|
|
536
|
+
* this is informational only; Phase 3 distinguishes the two when
|
|
537
|
+
* `--detailed` flags it.
|
|
538
|
+
* - `newly_detected` — current-only finding that surfaced because
|
|
539
|
+
* the scanner / ruleset / advisory DB / policy config changed,
|
|
540
|
+
* not because a developer introduced new code. Parent category;
|
|
541
|
+
* `tooling_drift` and `config_drift` are the specific subtypes.
|
|
542
|
+
* - `tooling_drift` — scanner or advisory-db version differs
|
|
543
|
+
* between baseline and current. Reclassified `added` is suspect.
|
|
544
|
+
* - `config_drift` — `.dxkit-ignore` / policy / suppressions hash
|
|
545
|
+
* differs between runs.
|
|
546
|
+
* - `probable_existing` — current-only with weak evidence it's
|
|
547
|
+
* truly new (a prior near-match exists but didn't pair cleanly).
|
|
548
|
+
* Reserved for the content-hash / semantic fallback layer in
|
|
549
|
+
* Sprint 0.x.
|
|
550
|
+
* - `uncertain` — confidence below the per-severity threshold;
|
|
551
|
+
* the policy can't classify with conviction.
|
|
502
552
|
*
|
|
503
553
|
* The enum is the contract Phase 3's guardrail CLI reads. Today's
|
|
504
554
|
* classifier emits a subset — the remaining states are reserved for
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;AAEH;;;;;;;;;;GAUG;AACH,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC;AAE/B
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;AAEH;;;;;;;;;;GAUG;AACH,MAAM,MAAM,SAAS,GAAG,MAAM,CAAC;AAE/B;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,MAAM,qBAAqB,GAAG,IAAI,GAAG,IAAI,CAAC;AAEhD;qEACqE;AACrE,eAAO,MAAM,uBAAuB,EAAE,qBAA4B,CAAC;AAEnE;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,aAAa,GACrB,mBAAmB,GACnB,iBAAiB,GACjB,mBAAmB,GACnB,oBAAoB,GACpB,wBAAwB,GACxB,wBAAwB,GACxB,oBAAoB,GACpB,4BAA4B,GAC5B,gCAAgC,GAChC,oBAAoB,GACpB,sBAAsB,GACtB,sBAAsB,GACtB,uBAAuB,GACvB,uBAAuB,CAAC;AAE5B;;;;;;;;;;;;;GAaG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,CAAC;AAEnC,+DAA+D;AAC/D,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,wEAAwE;IACxE,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;+CAC2C;IAC3C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,kCAAkC;IAClC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;0CAEsC;IACtC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;uEACmE;IACnE,QAAQ,CAAC,aAAa,CAAC,EAAE,aAAa,CAAC;CACxC;AAED,2EAA2E;AAC3E,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;8EAC0E;IAC1E,QAAQ,CAAC,aAAa,CAAC,EAAE,aAAa,CAAC;CACxC;AAED,+DAA+D;AAC/D,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC;IACxB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,iDAAiD;IACjD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;qDACiD;IACjD,QAAQ,CAAC,aAAa,CAAC,EAAE,aAAa,CAAC;CACxC;AAED,gFAAgF;AAChF,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,gDAAgD;IAChD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB;;;gCAG4B;IAC5B,QAAQ,CAAC,gBAAgB,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9C,qEAAqE;IACrE,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB;;uDAEmD;IACnD,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CACtC;AAED,4CAA4C;AAC5C,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B;iEAC6D;IAC7D,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAA
C;IACvB;;;;+DAI2D;IAC3D,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB;;;6CAGyC;IACzC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,yCAAyC;IACzC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAED;;;;;GAKG;AACH,MAAM,WAAW,wBAAwB;IACvC,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAC9B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;sBAEkB;IAClB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;iBACa;IACb,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAChD;AAED;;;;;;;;GAQG;AACH,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEjE,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC;CAC5B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,aAAa,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,GAAG,aAAa,GAAG,UAAU,CAAC;AAEnF,MAAM,WAAW,4BAA4B;IAC3C,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;CAChC;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,yBAAyB,GAAG,eAAe,GAAG,OAAO,GAAG,aAAa,CAAC;AAElF,MAAM,WAAW,gCAAgC;IAC/C,QAAQ,CAAC,IAAI,EAAE,uBAAuB,CAAC;IACvC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,yBAAyB,CAAC;CAC5C;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;;mDAG+C;IAC/C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;;;;GAUG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B,4CAA4C;IAC5C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;yBAEqB;IACrB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,8DAA8D;IAC9D,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;;qEAGiE;IACjE,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;CAC3B;AAED;;;;;;GAMG;AACH,MAAM,MAAM,aAAa,GACrB;IACE
,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,QAAQ,GAAG,MAAM,GAAG,QAAQ,CAAC;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb;;;;;mDAK+C;IAC/C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;gBAKY;IACZ,oBAAoB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAC1C,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,UAAU,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;CACpB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,aAAa,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,cAAc,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACvC,GACD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,WAAW,CAAA;CAAE,GACpE;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,SAAS,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,aAAa,CAAC;IACtB;;0BAEsB;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,GACD;IACE,EAAE,EAAE,SAAS,CAAC;IACd,IAAI,EAAE,uBAAuB,CAAC;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,yBAAyB,CAAC;CACnC,GACD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,UAAU,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACjD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GACnE;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,YAAY,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GACnD;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAChF;IAAE,EAAE,EAAE,SAAS,CAAC;IAAC,IAAI,EAAE,aAAa,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GACpF,sBAAsB,CAAC;AAE3B;;;;;;;GAOG;AACH,MAAM,MAAM,iBAAiB,GAAG,OAAO,CAAC,aAAa,EAAE,sBAAsB,CAAC,CAAC;AAE/E;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,EAAE,EAAE,SAAS,CAAC;IACvB,QAAQ,CAAC,IAAI,EACT,QAAQ,GACR,MAAM,GACN,QAAQ,GACR,UAAU,GACV,a
AAa,GACb,cAAc,GACd,UAAU,GACV,SAAS,GACT,uBAAuB,GACvB,UAAU,GACV,YAAY,GACZ,YAAY,GACZ,aAAa,GACb,aAAa,CAAC;IAClB,QAAQ,CAAC,SAAS,EAAE,IAAI,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,WAAW,GAAG,WAAW,GAAG,WAAW,GAAG,OAAO,GAAG,SAAS,CAAC;AAE1E,MAAM,WAAW,WAAW;IAC1B;8CAC0C;IAC1C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,kEAAkE;IAClE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,SAAS;IACxB,QAAQ,CAAC,OAAO,CAAC,EAAE,SAAS,CAAC;IAC7B,QAAQ,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC;IAC/B,QAAQ,CAAC,MAAM,EAAE,WAAW,CAAC;IAC7B;+DAC2D;IAC3D,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC;CAC9C;AAED;;;;GAIG;AACH,MAAM,MAAM,eAAe,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAErE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,MAAM,MAAM,aAAa,GACrB,WAAW,GACX,WAAW,GACX,OAAO,GACP,SAAS,GACT,OAAO,GACP,gBAAgB,GAChB,eAAe,GACf,cAAc,GACd,mBAAmB,GACnB,WAAW,CAAC;AAEhB;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IACzC,QAAQ,CAAC,SAAS,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IAC7C,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IACzC,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IAC3C,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC;CAClC"}
|
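Review bot: Dropping `installedVersion` from the dep-vuln fingerprint (the `@@ -123,28 +167,34 @@` hunk; `DepVulnIdentityInput` opens before the hunk) silently widens every allowlist entry: an entry minted for one advisory on one installed version now suppresses that advisory on any version of the package, including a later downgrade or re-pin into the affected range, and the v1 → v2 remap described in the `IdentitySchemeVersion` comment carries existing version-specific entries across with that wider scope and no re-review. The comment on `installedVersion` should state this consequence rather than only "display metadata", e.g. `Not part of the fingerprint — an allowlist entry therefore covers this advisory on every version of the package; v1 entries migrated to v2 widen in scope the same way, so re-review them.`, and the migrator/`update` (outside this diff) would ideally flag migrated dep-vuln entries or record the version at allow time so check can warn when it drifts. Separately, `SecretIdentityInput.contentAnchor` and `SecretHmacIdentityInput.hmac` are keyed by `repoSalt` via `computeSecretHmac` (salt.js, not shown here): if that salt is committed alongside, or derivable from, the baseline, the stored 16-hex-char MAC becomes an offline oracle for confirming guessed secret values, so the comment should say where the salt lives and that it must stay out of the repository. The `absent → line-based fallback` on `contentAnchor` also means the same secret gets a different id depending on whether salt derivation succeeded in a given environment; that divergence should be surfaced by check/update rather than documented only as a quiet fallback.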
package/dist/baseline/types.js
CHANGED
|
@@ -10,20 +10,20 @@
|
|
|
10
10
|
* identity." Each finding has up to several fingerprint axes,
|
|
11
11
|
* differentiated by what they capture:
|
|
12
12
|
*
|
|
13
|
-
*
|
|
14
|
-
*
|
|
15
|
-
*
|
|
16
|
-
*
|
|
17
|
-
*
|
|
18
|
-
*
|
|
19
|
-
*
|
|
20
|
-
*
|
|
21
|
-
*
|
|
22
|
-
*
|
|
23
|
-
*
|
|
24
|
-
*
|
|
25
|
-
*
|
|
26
|
-
*
|
|
13
|
+
* - **Location fingerprint** — `(canonicalRule, file, lineWindow)`
|
|
14
|
+
* for code/secret/config/hygiene findings. Locates a finding
|
|
15
|
+
* in the source tree with ±2 line drift tolerance via bucket
|
|
16
|
+
* windowing. Stable across small reformat / whitespace edits;
|
|
17
|
+
* drifts on bigger shifts (closed by git-aware match).
|
|
18
|
+
* - **Domain fingerprint** — `(package, version, advisoryId)` for
|
|
19
|
+
* dep-vulns; `(package, version, licenseType)` for licenses;
|
|
20
|
+
* normalized block hash for jscpd. Captures *what the finding
|
|
21
|
+
* is about* independent of source position. Drift-immune.
|
|
22
|
+
* - **Semantic fingerprint** — `(file, symbol)` for coverage gaps
|
|
23
|
+
* when a symbol is known. Survives any vertical drift within
|
|
24
|
+
* the symbol body.
|
|
25
|
+
* - **Content fingerprint** — Sprint 0.x. Normalized snippet
|
|
26
|
+
* hash; fallback when git history is unreachable.
|
|
27
27
|
*
|
|
28
28
|
* The hash format is identical across axes — 16-char lowercase hex
|
|
29
29
|
* (SHA-1[0:16]). Callers don't need to know which axis a hash came
|
|
@@ -35,18 +35,18 @@
|
|
|
35
35
|
* findings. Each `IdentityInput` discriminant maps 1:1 to an existing
|
|
36
36
|
* gather pipeline:
|
|
37
37
|
*
|
|
38
|
-
*
|
|
39
|
-
*
|
|
40
|
-
*
|
|
41
|
-
*
|
|
42
|
-
*
|
|
43
|
-
*
|
|
44
|
-
*
|
|
45
|
-
*
|
|
46
|
-
*
|
|
47
|
-
*
|
|
48
|
-
*
|
|
49
|
-
*
|
|
38
|
+
* - `secret` / `code` / `config` — security analyzer's
|
|
39
|
+
* `SecurityFinding` (gitleaks, semgrep, TLS-bypass registry,
|
|
40
|
+
* private-key files, env-in-git).
|
|
41
|
+
* - `dep-vuln` — security analyzer's `DepVulnFinding` (osv-scanner,
|
|
42
|
+
* npm-audit, pip-audit, cargo-audit, etc.).
|
|
43
|
+
* - `duplication` — quality analyzer's `CloneGroup` (jscpd).
|
|
44
|
+
* - `coverage-gap` — coverage-gap report entries (file + symbol
|
|
45
|
+
* when available, fallback to file + line range).
|
|
46
|
+
* - `test-gap` — non-test source files flagged by the test-gaps
|
|
47
|
+
* analyzer.
|
|
48
|
+
* - `hygiene` — TODO / FIXME / HACK / console-log / any-type
|
|
49
|
+
* occurrences (per-occurrence identity).
|
|
50
50
|
*
|
|
51
51
|
* License attributions are NOT a baseline finding kind. They live in
|
|
52
52
|
* the per-package BoM artifact (`.dxkit/bom.json`) — the canonical
|
|
@@ -56,4 +56,8 @@
|
|
|
56
56
|
* lifted out.
|
|
57
57
|
*/
|
|
58
58
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
59
|
+
exports.CURRENT_IDENTITY_SCHEME = void 0;
|
|
60
|
+
/** The scheme `identityFor` mints new identities under by default, and the
|
|
61
|
+
* version stamped on freshly written baseline / allowlist files. */
|
|
62
|
+
exports.CURRENT_IDENTITY_SCHEME = 'v2';
|
|
59
63
|
//# sourceMappingURL=types.js.map
|
|
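Review bot: The new doc comment on `CURRENT_IDENTITY_SCHEME` (lines 60–61) says which scheme new identities are minted under, but not what a reader of a baseline or allowlist file stamped with an older scheme does — reject, migrate, or match as-is. Because the allowlist suppresses findings, comparing identities minted under different schemes as if they were equivalent could silently drop suppressions or keep suppressing a finding that should have resurfaced; the read path is not in this hunk, so I cannot tell which happens. I would extend the comment with `* Readers must compare a file's stamped scheme against this value and refuse or migrate on mismatch — never match identities across schemes.` if that is the intended contract.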
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG"}
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/baseline/types.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;;;AAsCH;qEACqE;AACxD,QAAA,uBAAuB,GAA0B,IAAI,CAAC"}
|
|
@@ -54,6 +54,23 @@ export declare function locationKey(file: string, line?: number): string;
|
|
|
54
54
|
* repos where graphify covers only part of the tree.
|
|
55
55
|
*/
|
|
56
56
|
export declare function buildFindingContextMap(cwd: string, locations: ReadonlyArray<FindingLocation>, opts?: BuildFindingContextOpts): DetailedGraphContext | undefined;
|
|
57
|
+
/**
|
|
58
|
+
* Build a `locationKey → enclosing-symbol` map for the content-anchored
|
|
59
|
+
* code identity (the scope pre-pass). Loads the graph once (Rule 12: graph
|
|
60
|
+
* access stays in `src/explore/`), resolves each location's enclosing
|
|
61
|
+
* symbol via the canonical `enclosingSymbolFor` query, and returns only
|
|
62
|
+
* the locations that resolved to a symbol. The security orchestration
|
|
63
|
+
* applies these onto its code findings' `scope` field before
|
|
64
|
+
* aggregation — the aggregator itself never touches the graph.
|
|
65
|
+
*
|
|
66
|
+
* Fail-open + additive, like `buildFindingContextMap`: a missing /
|
|
67
|
+
* corrupt / stale graph returns `undefined`, and locations with no
|
|
68
|
+
* resolvable symbol are simply absent from the map (caller leaves
|
|
69
|
+
* `scope` unset → the identity layer falls back to file-level). Dedupes
|
|
70
|
+
* identical locations so a file:line surfaced by several tools resolves
|
|
71
|
+
* once.
|
|
72
|
+
*/
|
|
73
|
+
export declare function buildEnclosingScopeMap(cwd: string, locations: ReadonlyArray<FindingLocation>): Record<string, string> | undefined;
|
|
57
74
|
/**
|
|
58
75
|
* Compact one-cell rendering for a markdown table: `role · N caller
|
|
59
76
|
* files`. Returns `—` when there's no context for the location (file
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"finding-context.d.ts","sourceRoot":"","sources":["../../src/explore/finding-context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAGH,OAAO,
|
|
1
|
+
{"version":3,"file":"finding-context.d.ts","sourceRoot":"","sources":["../../src/explore/finding-context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAGH,OAAO,EAA2C,KAAK,cAAc,EAAE,MAAM,WAAW,CAAC;AAGzF,wFAAwF;AACxF,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,oBAAoB;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,OAAO,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;CAC1C;AAED,MAAM,WAAW,uBAAuB;IACtC,gFAAgF;IAChF,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,wDAAwD;IACxD,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,gDAAgD;AAChD,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAE/D;AAED;;;;;;;;;GASG;AACH,wBAAgB,sBAAsB,CACpC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,aAAa,CAAC,eAAe,CAAC,EACzC,IAAI,GAAE,uBAA4B,GACjC,oBAAoB,GAAG,SAAS,CA4BlC;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,sBAAsB,CACpC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,aAAa,CAAC,eAAe,CAAC,GACxC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,SAAS,CAYpC;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,cAAc,GAAG,SAAS,GAAG,MAAM,CAY9E;AAED;;;;GAIG;AACH,wBAAgB,0BAA0B,CAAC,EAAE,EAAE,oBAAoB,GAAG,MAAM,CAI3E"}
|
|
@@ -20,6 +20,7 @@
|
|
|
20
20
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
21
21
|
exports.locationKey = locationKey;
|
|
22
22
|
exports.buildFindingContextMap = buildFindingContextMap;
|
|
23
|
+
exports.buildEnclosingScopeMap = buildEnclosingScopeMap;
|
|
23
24
|
exports.formatGraphContextCell = formatGraphContextCell;
|
|
24
25
|
exports.graphContextProvenanceLine = graphContextProvenanceLine;
|
|
25
26
|
const load_1 = require("./load");
|
|
@@ -70,6 +71,39 @@ function buildFindingContextMap(cwd, locations, opts = {}) {
|
|
|
70
71
|
contexts,
|
|
71
72
|
};
|
|
72
73
|
}
|
|
74
|
+
/**
|
|
75
|
+
* Build a `locationKey → enclosing-symbol` map for the content-anchored
|
|
76
|
+
* code identity (the scope pre-pass). Loads the graph once (Rule 12: graph
|
|
77
|
+
* access stays in `src/explore/`), resolves each location's enclosing
|
|
78
|
+
* symbol via the canonical `enclosingSymbolFor` query, and returns only
|
|
79
|
+
* the locations that resolved to a symbol. The security orchestration
|
|
80
|
+
* applies these onto its code findings' `scope` field before
|
|
81
|
+
* aggregation — the aggregator itself never touches the graph.
|
|
82
|
+
*
|
|
83
|
+
* Fail-open + additive, like `buildFindingContextMap`: a missing /
|
|
84
|
+
* corrupt / stale graph returns `undefined`, and locations with no
|
|
85
|
+
* resolvable symbol are simply absent from the map (caller leaves
|
|
86
|
+
* `scope` unset → the identity layer falls back to file-level). Dedupes
|
|
87
|
+
* identical locations so a file:line surfaced by several tools resolves
|
|
88
|
+
* once.
|
|
89
|
+
*/
|
|
90
|
+
function buildEnclosingScopeMap(cwd, locations) {
|
|
91
|
+
const graph = (0, load_1.tryLoadGraph)(cwd);
|
|
92
|
+
if (!graph)
|
|
93
|
+
return undefined;
|
|
94
|
+
const scopes = {};
|
|
95
|
+
for (const loc of locations) {
|
|
96
|
+
if (typeof loc.line !== 'number')
|
|
97
|
+
continue;
|
|
98
|
+
const key = locationKey(loc.file, loc.line);
|
|
99
|
+
if (key in scopes)
|
|
100
|
+
continue;
|
|
101
|
+
const symbol = (0, queries_1.enclosingSymbolFor)(graph, loc.file, loc.line);
|
|
102
|
+
if (symbol)
|
|
103
|
+
scopes[key] = symbol;
|
|
104
|
+
}
|
|
105
|
+
return scopes;
|
|
106
|
+
}
|
|
73
107
|
/**
|
|
74
108
|
* Compact one-cell rendering for a markdown table: `role · N caller
|
|
75
109
|
* files`. Returns `—` when there's no context for the location (file
|
|
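Review bot: `buildEnclosingScopeMap` (lines 90–106) builds `scopes` as a plain `{}` and tests membership with `key in scopes`, so the dedupe check also walks the prototype chain and a key equal to an inherited property name would be treated as already seen and never resolved. The key comes from `locationKey(loc.file, loc.line)`, which presumably joins file and line and so cannot collide with names like `constructor` or `__proto__`, but that guarantee lives outside this hunk, so I would make it structural: `const scopes = Object.create(null);` and `if (Object.hasOwn(scopes, key)) continue;` (or a `Map`). Second, the comment promises fail-open on a corrupt or stale graph, yet the only fail-open path in the body is `if (!graph) return undefined;`; an exception thrown by `enclosingSymbolFor` on a malformed graph would propagate into the security orchestration unless `tryLoadGraph` fully validates what it returns, which I cannot see here. Since the resulting `scope` feeds finding identities and therefore baseline/allowlist matching, either catch per-location errors and skip that location, or document that `tryLoadGraph` guarantees a well-formed graph.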
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"finding-context.js","sourceRoot":"","sources":["../../src/explore/finding-context.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;GAiBG;;AAkCH,kCAEC;AAYD,wDAgCC;AAOD,wDAYC;AAOD,gEAIC;
|
|
1
|
+
{"version":3,"file":"finding-context.js","sourceRoot":"","sources":["../../src/explore/finding-context.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;GAiBG;;AAkCH,kCAEC;AAYD,wDAgCC;AAkBD,wDAeC;AAOD,wDAYC;AAOD,gEAIC;AA7ID,iCAAsC;AACtC,uCAAyF;AACzF,4CAA+C;AA6B/C,gDAAgD;AAChD,SAAgB,WAAW,CAAC,IAAY,EAAE,IAAa;IACrD,OAAO,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AAC7D,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,sBAAsB,CACpC,GAAW,EACX,SAAyC,EACzC,OAAgC,EAAE;IAElC,MAAM,KAAK,GAAG,IAAA,mBAAY,EAAC,GAAG,CAAC,CAAC;IAChC,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAE7B,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,IAAI,GAAG,CAAC;IACpC,MAAM,QAAQ,GAAmC,EAAE,CAAC;IACpD,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;QAC5B,IAAI,QAAQ,IAAI,GAAG;YAAE,MAAM;QAC3B,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QAC5C,IAAI,GAAG,IAAI,QAAQ;YAAE,SAAS;QAC9B,MAAM,GAAG,GAAG,IAAA,6BAAmB,EAAC,KAAK,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE;YACzD,cAAc,EAAE,IAAI,CAAC,cAAc;SACpC,CAAC,CAAC;QACH,QAAQ,EAAE,CAAC;QACX,IAAI,CAAC,GAAG,CAAC,KAAK;YAAE,SAAS;QACzB,kEAAkE;QAClE,mEAAmE;QACnE,qEAAqE;QACrE,MAAM,GAAG,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,IAAI,CAAC,EAAE,oBAAoB,CAAC;QAC5D,QAAQ,CAAC,GAAG,CAAC,GAAG,GAAG,IAAI,GAAG,KAAK,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,GAAG,EAAE,oBAAoB,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;IACtF,CAAC;IAED,OAAO;QACL,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,WAAW;QACnC,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,SAAS;QAC/B,QAAQ;KACT,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,sBAAsB,CACpC,GAAW,EACX,SAAyC;IAEzC,MAAM,KAAK,GAAG,IAAA,mBAAY,EAAC,GAAG,CAAC,CAAC;IAChC,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;QAC5B,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ;YAAE,SAAS;QAC3C,MAAM,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QAC5C,IAAI,GAAG,IAAI,MAAM;YAAE,SAAS;QAC5B,MAAM,MAAM,GAAG,IAAA,4BAAkB,EAAC,KAAK,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QAC7D,IAAI,MAAM;YAAE,MAAM,CAAC,GAAG,CAAC,GAAG,MAA
M,CAAC;IACnC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,SAAgB,sBAAsB,CAAC,GAA+B;IACpE,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK;QAAE,OAAO,GAAG,CAAC;IACnC,MAAM,IAAI,GAAG,GAAG,CAAC,SAAS,EAAE,IAAI,IAAI,aAAa,CAAC;IAClD,gEAAgE;IAChE,kEAAkE;IAClE,kEAAkE;IAClE,8DAA8D;IAC9D,IAAI,GAAG,CAAC,oBAAoB,KAAK,YAAY,EAAE,CAAC;QAC9C,OAAO,GAAG,IAAI,kCAAkC,CAAC;IACnD,CAAC;IACD,MAAM,CAAC,GAAG,GAAG,CAAC,WAAW,CAAC,WAAW,CAAC;IACtC,OAAO,GAAG,IAAI,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;AAC3D,CAAC;AAED;;;;GAIG;AACH,SAAgB,0BAA0B,CAAC,EAAwB;IACjE,MAAM,IAAI,GAAG,EAAE,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,uCAAuC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC1E,OAAO,uEAAuE,IAAI,GAAG,KAAK,wNAAwN,CAAC;AACrT,CAAC"}
|