@vyuhlabs/dxkit 2.2.1 → 2.3.0
- package/CHANGELOG.md +115 -0
- package/README.md +40 -29
- package/dist/analyzers/bom/discovery.d.ts +38 -0
- package/dist/analyzers/bom/discovery.d.ts.map +1 -0
- package/dist/analyzers/bom/discovery.js +166 -0
- package/dist/analyzers/bom/discovery.js.map +1 -0
- package/dist/analyzers/bom/gather.d.ts +28 -0
- package/dist/analyzers/bom/gather.d.ts.map +1 -1
- package/dist/analyzers/bom/gather.js +98 -0
- package/dist/analyzers/bom/gather.js.map +1 -1
- package/dist/analyzers/bom/index.d.ts +49 -2
- package/dist/analyzers/bom/index.d.ts.map +1 -1
- package/dist/analyzers/bom/index.js +188 -12
- package/dist/analyzers/bom/index.js.map +1 -1
- package/dist/analyzers/bom/types.d.ts +33 -1
- package/dist/analyzers/bom/types.d.ts.map +1 -1
- package/dist/analyzers/licenses/index.d.ts +1 -1
- package/dist/analyzers/licenses/index.d.ts.map +1 -1
- package/dist/analyzers/licenses/index.js +22 -7
- package/dist/analyzers/licenses/index.js.map +1 -1
- package/dist/analyzers/security/detailed.d.ts.map +1 -1
- package/dist/analyzers/security/detailed.js +21 -8
- package/dist/analyzers/security/detailed.js.map +1 -1
- package/dist/analyzers/security/gather.d.ts.map +1 -1
- package/dist/analyzers/security/gather.js +76 -1
- package/dist/analyzers/security/gather.js.map +1 -1
- package/dist/analyzers/security/index.d.ts.map +1 -1
- package/dist/analyzers/security/index.js +20 -7
- package/dist/analyzers/security/index.js.map +1 -1
- package/dist/analyzers/tools/epss.d.ts +55 -0
- package/dist/analyzers/tools/epss.d.ts.map +1 -0
- package/dist/analyzers/tools/epss.js +133 -0
- package/dist/analyzers/tools/epss.js.map +1 -0
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +17 -7
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/kev.d.ts +52 -0
- package/dist/analyzers/tools/kev.d.ts.map +1 -0
- package/dist/analyzers/tools/kev.js +95 -0
- package/dist/analyzers/tools/kev.js.map +1 -0
- package/dist/analyzers/tools/npm-registry.d.ts +43 -0
- package/dist/analyzers/tools/npm-registry.d.ts.map +1 -0
- package/dist/analyzers/tools/npm-registry.js +107 -0
- package/dist/analyzers/tools/npm-registry.js.map +1 -0
- package/dist/analyzers/tools/osv.d.ts +12 -0
- package/dist/analyzers/tools/osv.d.ts.map +1 -1
- package/dist/analyzers/tools/osv.js +45 -2
- package/dist/analyzers/tools/osv.js.map +1 -1
- package/dist/analyzers/tools/reachability.d.ts +60 -0
- package/dist/analyzers/tools/reachability.d.ts.map +1 -0
- package/dist/analyzers/tools/reachability.js +104 -0
- package/dist/analyzers/tools/reachability.js.map +1 -0
- package/dist/analyzers/tools/risk-score.d.ts +69 -0
- package/dist/analyzers/tools/risk-score.d.ts.map +1 -0
- package/dist/analyzers/tools/risk-score.js +86 -0
- package/dist/analyzers/tools/risk-score.js.map +1 -0
- package/dist/analyzers/tools/tool-registry.d.ts +10 -0
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +35 -20
- package/dist/analyzers/tools/tool-registry.js.map +1 -1
- package/dist/analyzers/xlsx/bom.d.ts.map +1 -1
- package/dist/analyzers/xlsx/bom.js +1 -2
- package/dist/analyzers/xlsx/bom.js.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +41 -10
- package/dist/cli.js.map +1 -1
- package/dist/languages/capabilities/types.d.ts +6 -0
- package/dist/languages/capabilities/types.d.ts.map +1 -1
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +8 -0
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +24 -7
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +8 -0
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +9 -0
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +23 -1
- package/dist/languages/typescript.js.map +1 -1
- package/package.json +1 -1
- package/templates/.claude/agents-available/dashboard-builder.md +7 -7
- package/templates/.claude/agents-available/dev-report.md +4 -4
- package/templates/.claude/agents-available/health-auditor.md +1 -1
- package/templates/.claude/agents-available/strategic-planner.md +7 -7
- package/templates/.claude/agents-available/vulnerability-scanner.md +3 -3
- package/templates/.claude/commands/dashboard.md +1 -1
- package/templates/.claude/commands/deps.md +1 -1
- package/templates/.claude/commands/dev-report.md +2 -2
- package/templates/.claude/commands/docs.md +1 -1
- package/templates/.claude/commands/export-pdf.md +3 -3
- package/templates/.claude/commands/health.md +3 -3
- package/templates/.claude/commands/plan.md +1 -1
- package/templates/.claude/commands/quality.md.template +2 -2
- package/templates/.claude/commands/stealth-mode.md +1 -1
- package/templates/.claude/commands/test-gaps.md +2 -2
- package/templates/.claude/commands/vulnerabilities.md +3 -3
|
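--- a/package/dist/analyzers/security/detailed.js
+++ b/package/dist/analyzers/security/detailed.js
@@ -125,18 +125,31 @@ function formatSecurityDetailedMarkdown(detailed, elapsed) {
 L.push(`| **Total** | **${d.total}** |`);
 L.push('');
 if (d.findings.length > 0) {
-// Per-advisory inventory. Sorted by
-//
-
-
-a.
+// Per-advisory inventory. Sorted by composite riskScore when
+// available (primary triage key), falling back to severity + package
+// for findings where CVSS was missing. Highest risk first.
+const sortedDeps = [...d.findings].sort((a, b) => {
+const ra = a.riskScore ?? -1;
+const rb = b.riskScore ?? -1;
+if (ra !== rb)
+return rb - ra;
+return (SEV_ORDER[a.severity] - SEV_ORDER[b.severity] ||
+a.package.localeCompare(b.package) ||
+a.id.localeCompare(b.id));
+});
 L.push(`Per-advisory detail (${sortedDeps.length} findings):`);
 L.push('');
-L.push('| Severity | ID | Package | Installed | Fixed | CVSS | Tool |');
-L.push('
+L.push('| Risk | Severity | KEV | Reach | ID | Package | Installed | Fixed | CVSS | EPSS | Tool |');
+L.push('|-----:|----------|:---:|:-----:|----|---------|-----------|-------|-----:|-----:|------|');
 for (const f of sortedDeps) {
 const cvss = f.cvssScore !== undefined ? f.cvssScore.toFixed(1) : '—';
-
+const epss = typeof f.epssScore === 'number' ? `${(f.epssScore * 100).toFixed(2)}%` : '—';
+const kev = f.kev ? '⚠' : '';
+const reach = f.reachable === true ? '✓' : f.reachable === false ? '·' : '';
+// Composite risk (0–100). Bold since it's the primary sort key;
+// dash when CVSS was missing (risk uncomputable).
+const risk = typeof f.riskScore === 'number' ? `**${f.riskScore.toFixed(0)}**` : '—';
+L.push(`| ${risk} | ${f.severity.toUpperCase()} | ${kev} | ${reach} | \`${f.id}\` | \`${f.package}\` | ${f.installedVersion ?? '—'} | ${f.fixedVersion ?? '—'} | ${cvss} | ${epss} | ${f.tool} |`);
 }
 L.push('');
 }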
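Review bot: In the new `sortedDeps` comparator a finding with no `riskScore` gets `-1` and so sorts below every scored finding, which means an unscored CRITICAL advisory (no CVSS, per the comment above the sort) lands beneath a scored LOW one. The header comment describes severity as the fallback, but severity only decides ties between two unscored findings; whenever one side is scored, the score wins outright. If that ordering is intended, state it where the reader will look, e.g. `// Unscored findings (no CVSS) always sort after scored ones, regardless of severity.`; otherwise compare severity first whenever either side lacks a score. The same comparator is added in the `formatSecurityReport` hunk of index.js, and `formatSecurityDetailedMarkdown` starts and ends outside this hunk.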
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"detailed.js","sourceRoot":"","sources":["../../../src/analyzers/security/detailed.ts"],"names":[],"mappings":";;AAeA,sDAUC;AAID,
|
|
1
|
+
{"version":3,"file":"detailed.js","sourceRoot":"","sources":["../../../src/analyzers/security/detailed.ts"],"names":[],"mappings":";;AAeA,sDAUC;AAID,wEAyKC;AAjMD,gDAAoD;AACpD,uCAAmE;AACnE,uCAAgE;AAQhE,SAAgB,qBAAqB,CAAC,MAAsB;IAC1D,MAAM,MAAM,GAAG,IAAA,0BAAgB,EAAC,MAAM,CAAC,CAAC;IACxC,MAAM,OAAO,GAAG,IAAA,kBAAI,EAAC,IAAA,8BAAoB,EAAC,MAAM,CAAC,EAAE,MAAM,EAAE,6BAAmB,CAAC,CAAC;IAChF,OAAO;QACL,GAAG,MAAM;QACT,6EAA6E;QAC7E,aAAa,EAAE,IAAI;QACnB,aAAa,EAAE,IAAA,6BAAmB,EAAC,MAAM,CAAC,CAAC,KAAK;QAChD,OAAO;KACR,CAAC;AACJ,CAAC;AAED,MAAM,SAAS,GAA6B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;AAExF,SAAgB,8BAA8B,CAC5C,QAAgC,EAChC,OAAe;IAEf,MAAM,CAAC,GAAa,EAAE,CAAC;IACvB,MAAM,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC,QAAQ,CAAC;IACpC,MAAM,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC,YAAY,CAAC;IAExC,CAAC,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;IAC1C,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,aAAa,QAAQ,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;IACxD,CAAC,CAAC,IAAI,CAAC,mBAAmB,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3C,CAAC,CAAC,IAAI,CAAC,eAAe,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,SAAS,GAAG,CAAC,CAAC;IACjE,CAAC,CAAC,IAAI,CAAC,uBAAuB,QAAQ,CAAC,aAAa,MAAM,CAAC,CAAC;IAC5D,CAAC,CAAC,IAAI,CAAC,uBAAuB,QAAQ,CAAC,aAAa,EAAE,CAAC,CAAC;IACxD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,8DAA8D;IAC9D,gEAAgE;IAChE,2DAA2D;IAC3D,gEAAgE;IAChE,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACrB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IAChC,CAAC,CAAC,IAAI,CAAC,uFAAuF,CAAC,CAAC;IAChG,CAAC,CAAC,IAAI,CACJ,uGAAuG,CACxG,CAAC;IACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC;IACjG,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;QACX,CAAC,CAAC,IAAI,CACJ,yBAAyB,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,KAAK,eAAe,CAAC,CAAC,IAAI,G
AAG,CAC3G,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,KAAK,WAAW,CAAC,CAAC,KAAK,cAAc,CAAC,CAAC;IACjG,CAAC;SAAM,CAAC;QACN,CAAC,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;QAC9C,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC,KAAK,cAAc,CAAC,CAAC;IACzD,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,iBAAiB;IACjB,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;IACjC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,IAAI,QAAQ,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClC,CAAC,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;IACzD,CAAC;SAAM,CAAC;QACN,CAAC,CAAC,IAAI,CAAC,oDAAoD,CAAC,CAAC;QAC7D,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;QAC/C,CAAC,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;QAC/C,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;YAChC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,UAAU,MAAM,CAAC,CAAC,cAAc,QAAQ,CAAC,CAAC;QACnF,CAAC,CAAC,CAAC;QACH,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACjC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC;YAC5C,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACX,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;YAChC,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,aAAa,MAAM,CAAC,CAAC;YACjD,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,cAAc,MAAM,CAAC,CAAC;YACnD,IAAI,CAAC,CAAC,SAAS;gBAAE,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC;YACrD,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;gBACtB,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;gBAC1B,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;oBACxC,MAAM,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACvC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,IAAI,GAAG,GAAG,QAAQ,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC7D,CAAC;gBACD,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,EAAE,E
AAE,CAAC;oBAC3B,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,EAAE,OAAO,CAAC,CAAC;gBACrD,CAAC;YACH,CAAC;YACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACb,CAAC;IACH,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,0BAA0B;IAC1B,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IAChC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,MAAM,MAAM,GAAsB,CAAC,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC,IAAI,CAC3D,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CACxF,CAAC;IACF,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAC9B,CAAC;SAAM,CAAC;QACN,CAAC,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;QACvD,CAAC,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;QACvD,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;YACvB,CAAC,CAAC,IAAI,CACJ,KAAK,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,IAAI,UAAU,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,GAAG,IAAI,GAAG,IAAI,CAC7H,CAAC;QACJ,CAAC;IACH,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,eAAe;IACf,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QACxC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAC1B,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QAC/B,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QAC/B,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC;QACvC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;QACnC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC;QACrC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QAClC,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC;QACzC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1B,6DAA6D;YAC7D,qEAAqE;YACrE,2DAA2D;YAC3D,MAAM,UAAU,GAAqB,CAAC,GAAG,
CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;gBACjE,MAAM,EAAE,GAAG,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,CAAC;gBAC7B,MAAM,EAAE,GAAG,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,CAAC;gBAC7B,IAAI,EAAE,KAAK,EAAE;oBAAE,OAAO,EAAE,GAAG,EAAE,CAAC;gBAC9B,OAAO,CACL,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC;oBAC7C,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC;oBAClC,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC,CACzB,CAAC;YACJ,CAAC,CAAC,CAAC;YACH,CAAC,CAAC,IAAI,CAAC,wBAAwB,UAAU,CAAC,MAAM,aAAa,CAAC,CAAC;YAC/D,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACX,CAAC,CAAC,IAAI,CACJ,2FAA2F,CAC5F,CAAC;YACF,CAAC,CAAC,IAAI,CACJ,2FAA2F,CAC5F,CAAC;YACF,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;gBAC3B,MAAM,IAAI,GAAG,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;gBACtE,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBAC1F,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC7B,MAAM,KAAK,GAAG,CAAC,CAAC,SAAS,KAAK,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,KAAK,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC5E,gEAAgE;gBAChE,kDAAkD;gBAClD,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC;gBACrF,CAAC,CAAC,IAAI,CACJ,KAAK,IAAI,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,KAAK,QAAQ,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC,OAAO,QAAQ,CAAC,CAAC,gBAAgB,IAAI,GAAG,MAAM,CAAC,CAAC,YAAY,IAAI,GAAG,MAAM,IAAI,MAAM,IAAI,MAAM,CAAC,CAAC,IAAI,IAAI,CAC3L,CAAC;YACJ,CAAC;YACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACb,CAAC;QACD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IAED,CAAC,CAAC,IAAI,CAAC,mBAAmB,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3D,IAAI,QAAQ,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzC,CAAC,CAAC,IAAI,CAAC,0BAA0B,QAAQ,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI
,CAAC,EAAE,CAAC,CAAC;IAC3E,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,sBAAsB,OAAO,GAAG,CAAC,CAAC;IACzC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CACJ,gGAAgG,CACjG,CAAC;IACF,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACtB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"gather.d.ts","sourceRoot":"","sources":["../../../src/analyzers/security/gather.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"gather.d.ts","sourceRoot":"","sources":["../../../src/analyzers/security/gather.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAe1D;;;;;;GAMG;AACH,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IACxD,QAAQ,EAAE,eAAe,EAAE,CAAC;IAC5B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB,CAAC,CAeD;AAID,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,eAAe,EAAE,CAuCjE;AAID;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAC7D,QAAQ,EAAE,eAAe,EAAE,CAAC;IAC5B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB,CAAC,CAeD;AAcD;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,CAyFzE"}
|
|
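--- a/package/dist/analyzers/security/gather.js
+++ b/package/dist/analyzers/security/gather.js
@@ -14,6 +14,11 @@ exports.gatherDepVulns = gatherDepVulns;
 * dispatcher → dependency CVEs unioned across every active language pack
 */
 const runner_1 = require("../tools/runner");
+const epss_1 = require("../tools/epss");
+const kev_1 = require("../tools/kev");
+const osv_1 = require("../tools/osv");
+const reachability_1 = require("../tools/reachability");
+const risk_score_1 = require("../tools/risk-score");
 const exclusions_1 = require("../tools/exclusions");
 const dispatcher_1 = require("../dispatcher");
 const languages_1 = require("../../languages");
@@ -135,6 +140,76 @@ async function gatherDepVulns(cwd) {
 const envelope = await dispatcher_1.defaultDispatcher.gather(cwd, descriptors_1.DEP_VULNS, providers);
 if (!envelope)
 return EMPTY_DEP_VULNS;
+// Cross-pack EPSS enrichment. Every pack's dep-vuln provider emits
+// findings with an `id` + optional `aliases` list; we hoist CVE IDs
+// across the whole batch, fetch once, then attach `epssScore` in
+// place. Done here rather than per-pack so (a) one session cache
+// serves all packs, (b) the EPSS endpoint sees at most one batched
+// request per analyzer run, (c) non-CVE primaries (GHSA, RUSTSEC,
+// GO-YYYY-NNNN) fall back to aliases uniformly.
+//
+// Two-step lookup: npm-audit only surfaces GHSA IDs with no CVE
+// aliases. When `extractCveId` comes up empty, we fall back to
+// OSV.dev's `/v1/vulns/<GHSA>` which returns a properly-populated
+// alias list including the CVE. One OSV roundtrip resolves the
+// whole batch; one EPSS roundtrip scores them all.
+const findings = envelope.findings ?? [];
+if (findings.length > 0) {
+const cveByFinding = new Map();
+const needsAliasLookup = [];
+for (let i = 0; i < findings.length; i++) {
+const direct = (0, epss_1.extractCveId)(findings[i]);
+if (direct) {
+cveByFinding.set(i, direct);
+}
+else {
+needsAliasLookup.push({ idx: i, primary: findings[i].id });
+}
+}
+if (needsAliasLookup.length > 0) {
+const aliasMap = await (0, osv_1.resolveAliases)(needsAliasLookup.map((x) => x.primary));
+for (const { idx, primary } of needsAliasLookup) {
+const aliases = aliasMap.get(primary) ?? [];
+const cve = aliases.find((a) => a.startsWith('CVE-'));
+if (cve)
+cveByFinding.set(idx, cve);
+}
+}
+if (cveByFinding.size > 0) {
+const uniqueCves = [...new Set(cveByFinding.values())];
+// EPSS + KEV run in parallel — one roundtrip each, independent
+// endpoints. KEV catalog is a single bulk fetch (~200KB, 1300
+// entries), so subsequent lookups in the same session are free.
+const [scores, kevHits] = await Promise.all([(0, epss_1.enrichEpss)(uniqueCves), (0, kev_1.enrichKev)(uniqueCves)]);
+for (const [idx, cve] of cveByFinding) {
+const score = scores.get(cve);
+if (score !== undefined)
+findings[idx].epssScore = score;
+if (kevHits.has(cve))
+findings[idx].kev = true;
+}
+}
+// Reachability — does the repo's source actually import any of
+// these vulnerable packages? Dispatches the IMPORTS capability
+// (which packs populate from their per-file specifier extraction)
+// once, unions into a name set, then marks every finding. When
+// no pack contributes imports (no source files / all packs
+// declined), leaves `reachable` unset rather than mass-classify
+// everything as false.
+const importsProviders = (0, capabilities_1.providersFor)(descriptors_1.IMPORTS);
+if (importsProviders.length > 0) {
+const importsEnvelope = await dispatcher_1.defaultDispatcher.gather(cwd, descriptors_1.IMPORTS, importsProviders);
+if (importsEnvelope && importsEnvelope.extracted.size > 0) {
+const reachable = (0, reachability_1.buildReachablePackageSet)(importsEnvelope);
+(0, reachability_1.markReachable)(findings, reachable);
+}
+}
+// Composite riskScore = f(cvss, epss, kev, reachable). Runs last
+// so every signal is populated. Formula is documented in
+// risk-score.ts; skipped for findings without CVSS so we don't
+// fabricate severity from partial data.
+(0, risk_score_1.scoreFindings)(findings);
+}
 const { critical, high, medium, low } = envelope.counts;
 return {
 critical,
@@ -143,7 +218,7 @@ async function gatherDepVulns(cwd) {
 low,
 total: critical + high + medium + low,
 tool: envelope.tool,
-findings
+findings,
 };
 }
 //# sourceMappingURL=gather.js.map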
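Review bot: The enrichment added to `gatherDepVulns` awaits `resolveAliases`, `enrichEpss`/`enrichKev` (via `Promise.all`) and the IMPORTS dispatch with no try/catch, so unless those helpers catch their own network failures (their bodies are not in this diff), one failed or rate-limited OSV/EPSS/KEV request rejects the whole dependency-vulnerability gather instead of degrading to the unenriched inventory that was already in hand. Since `envelope.findings` and `envelope.counts` exist before enrichment starts, consider wrapping the block in `try { …enrichment… } catch (err) { /* log via the file's logger; leave epssScore/kev/reachable unset */ }` so the base findings still reach the report and a skipped enrichment is visible rather than silent. It is also worth stating in the header comment that this step sends the repo's advisory identifiers to external services on every run, e.g. `// Network: advisory IDs are sent to OSV.dev / EPSS / KEV endpoints; document any offline or opt-out behaviour here.`. `gatherDepVulns` starts outside the second hunk.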
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"gather.js","sourceRoot":"","sources":["../../../src/analyzers/security/gather.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"gather.js","sourceRoot":"","sources":["../../../src/analyzers/security/gather.ts"],"names":[],"mappings":";;AAsCA,sCAkBC;AAID,gDAuCC;AAWD,gDAkBC;AAuBD,wCAyFC;AAhPD;;;;;;;;GAQG;AACH,4CAAsC;AACtC,wCAAyD;AACzD,sCAAyC;AACzC,sCAA8C;AAC9C,wDAAgF;AAChF,oDAAoD;AACpD,oDAA0D;AAE1D,8CAAkD;AAClD,+CAAwD;AACxD,0EAKkD;AAClD,+DAA4D;AAI5D,gFAAgF;AAEhF;;;;;;GAMG;AACI,KAAK,UAAU,aAAa,CAAC,GAAW;IAI7C,MAAM,MAAM,GAAG,MAAM,8BAAiB,CAAC,MAAM,CAAC,GAAG,EAAE,qBAAO,EAAE,IAAA,2BAAY,EAAC,qBAAO,CAAC,CAAC,CAAC;IACnF,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAErD,MAAM,QAAQ,GAAsB,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC9D,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,QAAQ,EAAE,QAAiB;QAC3B,GAAG,EAAE,SAAS;QACd,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,oBAAoB,CAAC,CAAC,IAAI,EAAE;QAC9C,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,IAAI,EAAE,MAAM,CAAC,IAAI;KAClB,CAAC,CAAC,CAAC;IACJ,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC;AAC7C,CAAC;AAED,+EAA+E;AAE/E,SAAgB,kBAAkB,CAAC,GAAW;IAC5C,MAAM,QAAQ,GAAsB,EAAE,CAAC;IACvC,MAAM,OAAO,GAAG,IAAA,gCAAmB,EAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC,mDAAmD;IAEpG,mCAAmC;IACnC,MAAM,QAAQ,GAAG,IAAA,YAAG,EAAC,iDAAiD,OAAO,cAAc,EAAE,GAAG,CAAC,CAAC;IAClG,IAAI,QAAQ,EAAE,CAAC;QACb,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;YAC7D,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,QAAQ;gBAClB,GAAG,EAAE,SAAS;gBACd,IAAI,EAAE,kBAAkB;gBACxB,KAAK,EAAE,oCAAoC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE;gBAChE,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;gBACzB,IAAI,EAAE,CAAC;gBACP,IAAI,EAAE,MAAM;aACb,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,sBAAsB;IACtB,MAAM,QAAQ,GAAG,IAAA,YAAG,EAAC,sCAAsC,EAAE,GAAG,CAAC,CAAC;IAClE,IAAI,QAAQ,EAAE,CAAC;QACb,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;YAC7D,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,MAA
M;gBAChB,QAAQ,EAAE,QAAQ;gBAClB,GAAG,EAAE,SAAS;gBACd,IAAI,EAAE,YAAY;gBAClB,KAAK,EAAE,6BAA6B,CAAC,EAAE;gBACvC,IAAI,EAAE,CAAC;gBACP,IAAI,EAAE,CAAC;gBACP,IAAI,EAAE,KAAK;aACZ,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+EAA+E;AAE/E;;;;;;GAMG;AACI,KAAK,UAAU,kBAAkB,CAAC,GAAW;IAIlD,MAAM,MAAM,GAAG,MAAM,8BAAiB,CAAC,MAAM,CAAC,GAAG,EAAE,2BAAa,EAAE,IAAA,2BAAY,EAAC,2BAAa,CAAC,CAAC,CAAC;IAC/F,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAErD,MAAM,QAAQ,GAAsB,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC9D,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,QAAQ,EAAE,MAAe;QACzB,GAAG,EAAE,CAAC,CAAC,GAAG;QACV,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,KAAK,EAAE,CAAC,CAAC,KAAK;QACd,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,IAAI,EAAE,MAAM,CAAC,IAAI;KAClB,CAAC,CAAC,CAAC;IACJ,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC;AAC7C,CAAC;AAED,+EAA+E;AAE/E,MAAM,eAAe,GAAmB;IACtC,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,KAAK,EAAE,CAAC;IACR,IAAI,EAAE,IAAI;IACV,QAAQ,EAAE,EAAE;CACb,CAAC;AAEF;;;;;;;;GAQG;AACI,KAAK,UAAU,cAAc,CAAC,GAAW;IAC9C,MAAM,SAAS,GAAwC,EAAE,CAAC;IAC1D,KAAK,MAAM,IAAI,IAAI,IAAA,iCAAqB,EAAC,GAAG,CAAC,EAAE,CAAC;QAC9C,IAAI,IAAI,CAAC,YAAY,EAAE,QAAQ;YAAE,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IAC9E,CAAC;IACD,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,eAAe,CAAC;IAEnD,MAAM,QAAQ,GAAG,MAAM,8BAAiB,CAAC,MAAM,CAAC,GAAG,EAAE,uBAAS,EAAE,SAAS,CAAC,CAAC;IAC3E,IAAI,CAAC,QAAQ;QAAE,OAAO,eAAe,CAAC;IAEtC,mEAAmE;IACnE,oEAAoE;IACpE,iEAAiE;IACjE,iEAAiE;IACjE,mEAAmE;IACnE,kEAAkE;IAClE,gDAAgD;IAChD,EAAE;IACF,gEAAgE;IAChE,+DAA+D;IAC/D,kEAAkE;IAClE,+DAA+D;IAC/D,mDAAmD;IACnD,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,IAAI,EAAE,CAAC;IACzC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,YAAY,GAAG,IAAI,GAAG,EAAkB,CAAC;QAC/C,MAAM,gBAAgB,GAA4C,EAAE,CAAC;QACrE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACzC,MAAM,MAAM,GAAG,IAAA,mBAAY,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YACzC,IAA
I,MAAM,EAAE,CAAC;gBACX,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;YAC9B,CAAC;iBAAM,CAAC;gBACN,gBAAgB,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QACD,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,MAAM,QAAQ,GAAG,MAAM,IAAA,oBAAc,EAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;YAC9E,KAAK,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,gBAAgB,EAAE,CAAC;gBAChD,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;gBAC5C,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;gBACtD,IAAI,GAAG;oBAAE,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;QACD,IAAI,YAAY,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,UAAU,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;YACvD,+DAA+D;YAC/D,8DAA8D;YAC9D,gEAAgE;YAChE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,IAAA,iBAAU,EAAC,UAAU,CAAC,EAAE,IAAA,eAAS,EAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAC7F,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,YAAY,EAAE,CAAC;gBACtC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAC9B,IAAI,KAAK,KAAK,SAAS;oBAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC;gBACzD,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC;YACjD,CAAC;QACH,CAAC;QAED,+DAA+D;QAC/D,+DAA+D;QAC/D,kEAAkE;QAClE,+DAA+D;QAC/D,2DAA2D;QAC3D,gEAAgE;QAChE,uBAAuB;QACvB,MAAM,gBAAgB,GAAG,IAAA,2BAAY,EAAC,qBAAO,CAAC,CAAC;QAC/C,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,MAAM,eAAe,GAAG,MAAM,8BAAiB,CAAC,MAAM,CAAC,GAAG,EAAE,qBAAO,EAAE,gBAAgB,CAAC,CAAC;YACvF,IAAI,eAAe,IAAI,eAAe,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;gBAC1D,MAAM,SAAS,GAAG,IAAA,uCAAwB,EAAC,eAAe,CAAC,CAAC;gBAC5D,IAAA,4BAAa,EAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;YACrC,CAAC;QACH,CAAC;QAED,iEAAiE;QACjE,yDAAyD;QACzD,+DAA+D;QAC/D,wCAAwC;QACxC,IAAA,0BAAa,EAAC,QAAQ,CAAC,CAAC;IAC1B,CAAC;IAED,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,QAAQ,CAAC,MAAM,CAAC;IACxD,OAAO;QACL,QAAQ;QACR
,IAAI;QACJ,MAAM;QACN,GAAG;QACH,KAAK,EAAE,QAAQ,GAAG,IAAI,GAAG,MAAM,GAAG,GAAG;QACrC,IAAI,EAAE,QAAQ,CAAC,IAAI;QACnB,QAAQ;KACT,CAAC;AACJ,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/analyzers/security/index.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,cAAc,EAA6B,MAAM,SAAS,CAAC;AAEpE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAE/D,MAAM,WAAW,sBAAsB;IACrC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAQD,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,sBAA2B,GACnC,OAAO,CAAC,cAAc,CAAC,CA6CzB;AAED,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,cAAc,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/analyzers/security/index.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,cAAc,EAA6B,MAAM,SAAS,CAAC;AAEpE,YAAY,EAAE,cAAc,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAE/D,MAAM,WAAW,sBAAsB;IACrC,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAQD,wBAAsB,eAAe,CACnC,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,sBAA2B,GACnC,OAAO,CAAC,cAAc,CAAC,CA6CzB;AAED,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,cAAc,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAsJpF"}
|
|
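--- a/package/dist/analyzers/security/index.js
+++ b/package/dist/analyzers/security/index.js
@@ -187,23 +187,36 @@ function formatSecurityReport(report, elapsed) {
 // Dep-vuln per-package detail. Counts already appeared in the
 // Executive Summary; this section gives the actionable list (which
 // packages, which versions, which CVEs) so a reader can act without
-// bouncing to the --detailed report.
+// bouncing to the --detailed report. Sorted by composite riskScore
+// desc so "this week's triage" sits at the top — matches bom's
+// triage ordering.
 if (d.tool && d.findings.length > 0) {
 L.push(`## ${sectionNum}. Dependency Vulnerabilities`);
 L.push('');
-L.push(`${d.findings.length} advisories across third-party packages (counts above)
+L.push(`${d.findings.length} advisories across third-party packages (counts above), ` +
+'ranked by composite risk score (CVSS × KEV × EPSS × reachable).');
 L.push('');
-const sorted = [...d.findings].sort((a, b) =>
+const sorted = [...d.findings].sort((a, b) => {
+const ra = a.riskScore ?? -1;
+const rb = b.riskScore ?? -1;
+if (ra !== rb)
+return rb - ra;
+return SORDER[a.severity] - SORDER[b.severity] || a.package.localeCompare(b.package);
+});
 const cap = 50;
 const shown = sorted.slice(0, cap);
-L.push('| Severity | Package@Version | ID | Fix | Tool |');
-L.push('
+L.push('| Risk | Severity | KEV | Reach | Package@Version | ID | Fix | EPSS | Tool |');
+L.push('|-----:|----------|:---:|:-----:|-----------------|----|-----|-----:|------|');
 for (const f of shown) {
-
+const risk = typeof f.riskScore === 'number' ? `**${f.riskScore.toFixed(0)}**` : '—';
+const kev = f.kev ? '⚠' : '';
+const reach = f.reachable === true ? '✓' : f.reachable === false ? '·' : '';
+const epss = typeof f.epssScore === 'number' ? `${(f.epssScore * 100).toFixed(2)}%` : '—';
+L.push(`| ${risk} | ${f.severity.toUpperCase()} | ${kev} | ${reach} | \`${f.package}@${f.installedVersion ?? '?'}\` | \`${f.id}\` | ${f.fixedVersion ?? '—'} | ${epss} | ${f.tool} |`);
 }
 if (sorted.length > cap) {
 L.push('');
-L.push(`_Showing ${cap} of ${sorted.length} advisories
+L.push(`_Showing ${cap} of ${sorted.length} advisories ranked by risk score. Run with \`--detailed\` for the full inventory + CVSS column._`);
 }
 L.push('');
 L.push('---');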
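Review bot: The new summary table in `formatSecurityReport` renders `⚠`, `✓`, `·`, a blank cell and `—` with no legend, and a blank Reach cell (no pack contributed imports, so `reachable` was never set) looks the same to a reader as `·` (the import check ran and the package is not imported) — exactly the distinction that decides whether a finding can be deferred. One legend line after the intro sentence would close that gap, e.g. `L.push('_Risk — = no CVSS, not scored; KEV ⚠ = listed in the KEV catalog; Reach ✓ = imported by repo source, · = not imported, blank = reachability unknown._');`. The intro sentence also spells the formula out as `CVSS × KEV × EPSS × reachable`, which nothing in this file shows and which gather.js defers to risk-score.ts; keep the user-facing wording and the scorer's documentation in step so the report does not promise a formula the code may not implement. The same cell encodings are introduced in the detailed.js hunk, and `formatSecurityReport` starts and ends outside this hunk.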
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/analyzers/security/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsBA,0CAgDC;AAED,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/analyzers/security/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsBA,0CAgDC;AAED,oDAsJC;AA9ND;;GAEG;AACH,2CAA6B;AAC7B,yCAAsC;AACtC,4CAAsC;AACtC,4CAAoD;AACpD,qCAAiG;AASjG,SAAS,eAAe,CAAC,QAA2B;IAClD,MAAM,MAAM,GAA6B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IACrF,KAAK,MAAM,CAAC,IAAI,QAAQ;QAAE,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;IAC/C,OAAO,MAAM,CAAC;AAChB,CAAC;AAEM,KAAK,UAAU,eAAe,CACnC,QAAgB,EAChB,UAAkC,EAAE;IAEpC,MAAM,OAAO,GAAG,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC;IAClC,MAAM,KAAK,GAAG,IAAA,eAAM,EAAC,QAAQ,CAAC,CAAC;IAC/B,MAAM,SAAS,GAAa,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAC5C,MAAM,gBAAgB,GAAa,EAAE,CAAC;IAEtC,wEAAwE;IACxE,MAAM,OAAO,GAAG,MAAM,IAAA,mBAAU,EAAC,UAAU,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,IAAA,sBAAa,EAAC,QAAQ,CAAC,CAAC,CAAC;IACrF,IAAI,OAAO,CAAC,QAAQ;QAAE,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;;QAClD,gBAAgB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAEvC,wCAAwC;IACxC,MAAM,KAAK,GAAG,IAAA,cAAK,EAAC,eAAe,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,IAAA,2BAAkB,EAAC,QAAQ,CAAC,CAAC,CAAC;IAElF,oEAAoE;IACpE,MAAM,IAAI,GAAG,MAAM,IAAA,mBAAU,EAAC,SAAS,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,IAAA,2BAAkB,EAAC,QAAQ,CAAC,CAAC,CAAC;IACtF,IAAI,IAAI,CAAC,QAAQ;QAAE,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;;QAC5C,gBAAgB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAEtC,0EAA0E;IAC1E,oEAAoE;IACpE,gEAAgE;IAChE,MAAM,IAAI,GAAG,MAAM,IAAA,mBAAU,EAAC,WAAW,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,IAAA,uBAAc,EAAC,QAAQ,CAAC,CAAC,CAAC;IACpF,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;YAAE,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC3D,CAAC;SAAM,CAAC;QACN,gBAAgB,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACrC,CAAC;IAED,MAAM,WAAW,GAAG,CAAC,GAAG,OAAO,CAAC,QAAQ,EAAE,GAAG,KAAK,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;IACtE,MAAM,MAAM,GAAG,eAAe,CAAC,WAAW,CAAC,CAAC;IAE5C,OAAO;QACL,IAAI,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAClD,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACpC,SAAS,EA
AE,IAAA,YAAG,EAAC,wCAAwC,EAAE,QAAQ,CAAC;QAClE,MAAM,EAAE,IAAA,YAAG,EAAC,6CAA6C,EAAE,QAAQ,CAAC;QACpE,OAAO,EAAE;YACP,QAAQ,EAAE,EAAE,GAAG,MAAM,EAAE,KAAK,EAAE,WAAW,CAAC,MAAM,EAAE;YAClD,YAAY,EAAE,IAAI;SACnB;QACD,QAAQ,EAAE,WAAW;QACrB,SAAS;QACT,gBAAgB;KACjB,CAAC;AACJ,CAAC;AAED,SAAgB,oBAAoB,CAAC,MAAsB,EAAE,OAAe;IAC1E,MAAM,CAAC,GAAa,EAAE,CAAC;IACvB,CAAC,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;IACtC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,aAAa,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;IACtD,CAAC,CAAC,IAAI,CAAC,mBAAmB,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IACzC,CAAC,CAAC,IAAI,CAAC,eAAe,MAAM,CAAC,MAAM,KAAK,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC;IAC7D,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,mEAAmE;IACnE,kEAAkE;IAClE,mEAAmE;IACnE,6DAA6D;IAC7D,iCAAiC;IACjC,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC;IAClC,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC;IACtC,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IAC/B,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;IAC9D,CAAC,CAAC,IAAI,CAAC,uFAAuF,CAAC,CAAC;IAChG,CAAC,CAAC,IAAI,CACJ,uGAAuG,CACxG,CAAC;IACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAC5B,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CACJ,aAAa,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,GAAG,CAC/F,CAAC;IACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IAC/B,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;IAC/B,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC;IACvC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;IACnC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC;IACrC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;IAClC,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC;IAC5C,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,CAAC,CAAC,IAAI,CAAC,gCAAgC,
CAAC,CAAC;IACzC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC;QAC9B,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QAC/B,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QAC/B,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC;QACvC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;QACnC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC;QACrC,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QAClC,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC;QAC5C,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,KAAK,CAAC,CAAC,KAAK,WAAW,CAAC,CAAC,KAAK,cAAc,CAAC,CAAC;IAC9F,CAAC;SAAM,CAAC;QACN,CAAC,CAAC,IAAI,CAAC,oFAAoF,CAAC,CAAC;QAC7F,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC,KAAK,cAAc,CAAC,CAAC;IACtD,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,2EAA2E;IAC3E,wEAAwE;IACxE,qEAAqE;IACrE,YAAY;IACZ,MAAM,UAAU,GAA0C;QACxD,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,uBAAuB,EAAE;QACjD,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,6BAA6B,EAAE;QACrD,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAK,EAAE,sBAAsB,EAAE;KACjD,CAAC;IACF,MAAM,MAAM,GAA2B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAEnF,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ;aAC1B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,GAAG,CAAC,GAAG,CAAC;aACrC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC3D,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAEjC,CAAC,CAAC,IAAI,CAAC,MAAM,UAAU,KAAK,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC;QACzC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,KAAK,EAAE,CAA
C,CAAC;YACtD,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;YACjE,IAAI,CAAC,CAAC,GAAG;gBAAE,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;YACzC,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YAC5C,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACb,CAAC;QACD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,UAAU,EAAE,CAAC;IACf,CAAC;IAED,8DAA8D;IAC9D,mEAAmE;IACnE,oEAAoE;IACpE,mEAAmE;IACnE,+DAA+D;IAC/D,mBAAmB;IACnB,IAAI,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpC,CAAC,CAAC,IAAI,CAAC,MAAM,UAAU,8BAA8B,CAAC,CAAC;QACvD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CACJ,GAAG,CAAC,CAAC,QAAQ,CAAC,MAAM,0DAA0D;YAC5E,iEAAiE,CACpE,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,MAAM,MAAM,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;YAC3C,MAAM,EAAE,GAAG,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,CAAC;YAC7B,MAAM,EAAE,GAAG,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,CAAC;YAC7B,IAAI,EAAE,KAAK,EAAE;gBAAE,OAAO,EAAE,GAAG,EAAE,CAAC;YAC9B,OAAO,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;QACvF,CAAC,CAAC,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC;QACf,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACnC,CAAC,CAAC,IAAI,CAAC,8EAA8E,CAAC,CAAC;QACvF,CAAC,CAAC,IAAI,CAAC,8EAA8E,CAAC,CAAC;QACvF,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC;YACrF,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7B,MAAM,KAAK,GAAG,CAAC,CAAC,SAAS,KAAK,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,KAAK,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5E,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,G
AAG,CAAC,CAAC,CAAC,GAAG,CAAC;YAC1F,CAAC,CAAC,IAAI,CACJ,KAAK,IAAI,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,KAAK,QAAQ,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,gBAAgB,IAAI,GAAG,UAAU,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,YAAY,IAAI,GAAG,MAAM,IAAI,MAAM,CAAC,CAAC,IAAI,IAAI,CAC/K,CAAC;QACJ,CAAC;QACD,IAAI,MAAM,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YACxB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACX,CAAC,CAAC,IAAI,CACJ,YAAY,GAAG,OAAO,MAAM,CAAC,MAAM,kGAAkG,CACtI,CAAC;QACJ,CAAC;QACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IAED,SAAS;IACT,CAAC,CAAC,IAAI,CAAC,mBAAmB,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzD,IAAI,MAAM,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvC,CAAC,CAAC,IAAI,CAAC,0BAA0B,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,sBAAsB,OAAO,GAAG,CAAC,CAAC;IACzC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,gFAAgF,CAAC,CAAC;IACzF,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACtB,CAAC"}
|
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* EPSS (Exploit Prediction Scoring System) enrichment.
|
|
3
|
+
*
|
|
4
|
+
* EPSS is maintained by FIRST.org and scores each CVE 0.0–1.0 for the
|
|
5
|
+
* probability of exploitation in the wild within the next 30 days.
|
|
6
|
+
* We join it onto `DepVulnFinding.epssScore` so renders can surface
|
|
7
|
+
* "this one's getting hit right now" alongside CVSS (which only
|
|
8
|
+
* measures severity if exploited, not likelihood).
|
|
9
|
+
*
|
|
10
|
+
* API: `GET https://api.first.org/data/v1/epss?cve=CVE-1,CVE-2,...`
|
|
11
|
+
* Response shape (we only read `data[]`):
|
|
12
|
+
* {
|
|
13
|
+
* "status": "OK",
|
|
14
|
+
* "data": [
|
|
15
|
+
* { "cve": "CVE-2022-1234", "epss": "0.00042",
|
|
16
|
+
* "percentile": "0.06523", "date": "2026-04-23" }
|
|
17
|
+
* ]
|
|
18
|
+
* }
|
|
19
|
+
*
|
|
20
|
+
* Design mirrors `osv.ts`:
|
|
21
|
+
* - Session-scoped Map cache so repeated runs in one process don't
|
|
22
|
+
* re-query the same CVE.
|
|
23
|
+
* - AbortSignal.timeout keeps the analyzer from hanging behind a
|
|
24
|
+
* slow/unreachable EPSS endpoint.
|
|
25
|
+
* - Fetcher is injectable for unit tests that must avoid real network.
|
|
26
|
+
* - Graceful degradation: every IO failure maps to "no score", which
|
|
27
|
+
* callers treat as "don't render an EPSS column for this finding".
|
|
28
|
+
*
|
|
29
|
+
* Only CVE IDs are scoreable — GHSA/RUSTSEC/GO-YYYY-NNNN records need
|
|
30
|
+
* a CVE alias to get an EPSS score. Callers pull CVEs from both
|
|
31
|
+
* `DepVulnFinding.id` and `aliases[]` before enrichment.
|
|
32
|
+
*/
|
|
33
|
+
/** Signature of the fetcher — swapped in tests to avoid real network. */
|
|
34
|
+
export type EpssFetcher = (ids: ReadonlyArray<string>) => Promise<Map<string, number>>;
|
|
35
|
+
/**
|
|
36
|
+
* Extract the CVE ID from a DepVulnFinding-ish input. Returns the
|
|
37
|
+
* primary `id` if it's already a CVE, otherwise the first CVE alias,
|
|
38
|
+
* or null when none exists. GHSA/RUSTSEC/GO/PYSEC primaries rely on
|
|
39
|
+
* aliases to pick up a CVE.
|
|
40
|
+
*/
|
|
41
|
+
export declare function extractCveId(finding: {
|
|
42
|
+
id: string;
|
|
43
|
+
aliases?: ReadonlyArray<string>;
|
|
44
|
+
}): string | null;
|
|
45
|
+
/**
|
|
46
|
+
* Enrich `ids` with EPSS scores. Consults the session cache first;
|
|
47
|
+
* batches everything else via the fetcher. Returns a map keyed by
|
|
48
|
+
* CVE id — IDs with no score (not in EPSS dataset, or all batches
|
|
49
|
+
* failed) are absent from the result map. Callers should treat
|
|
50
|
+
* absence as "no data available".
|
|
51
|
+
*/
|
|
52
|
+
export declare function enrichEpss(ids: ReadonlyArray<string>, fetcher?: EpssFetcher): Promise<Map<string, number>>;
|
|
53
|
+
/** Test-only — reset the process cache between tests. */
|
|
54
|
+
export declare function __clearEpssCache(): void;
|
|
55
|
+
//# sourceMappingURL=epss.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"epss.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/epss.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAKH,yEAAyE;AACzE,MAAM,MAAM,WAAW,GAAG,CAAC,GAAG,EAAE,aAAa,CAAC,MAAM,CAAC,KAAK,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AAiDvF;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE;IACpC,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CACjC,GAAG,MAAM,GAAG,IAAI,CAMhB;AAED;;;;;;GAMG;AACH,wBAAsB,UAAU,CAC9B,GAAG,EAAE,aAAa,CAAC,MAAM,CAAC,EAC1B,OAAO,GAAE,WAA6B,GACrC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAyB9B;AAED,yDAAyD;AACzD,wBAAgB,gBAAgB,IAAI,IAAI,CAEvC"}
|
|
@@ -0,0 +1,133 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* EPSS (Exploit Prediction Scoring System) enrichment.
|
|
4
|
+
*
|
|
5
|
+
* EPSS is maintained by FIRST.org and scores each CVE 0.0–1.0 for the
|
|
6
|
+
* probability of exploitation in the wild within the next 30 days.
|
|
7
|
+
* We join it onto `DepVulnFinding.epssScore` so renders can surface
|
|
8
|
+
* "this one's getting hit right now" alongside CVSS (which only
|
|
9
|
+
* measures severity if exploited, not likelihood).
|
|
10
|
+
*
|
|
11
|
+
* API: `GET https://api.first.org/data/v1/epss?cve=CVE-1,CVE-2,...`
|
|
12
|
+
* Response shape (we only read `data[]`):
|
|
13
|
+
* {
|
|
14
|
+
* "status": "OK",
|
|
15
|
+
* "data": [
|
|
16
|
+
* { "cve": "CVE-2022-1234", "epss": "0.00042",
|
|
17
|
+
* "percentile": "0.06523", "date": "2026-04-23" }
|
|
18
|
+
* ]
|
|
19
|
+
* }
|
|
20
|
+
*
|
|
21
|
+
* Design mirrors `osv.ts`:
|
|
22
|
+
* - Session-scoped Map cache so repeated runs in one process don't
|
|
23
|
+
* re-query the same CVE.
|
|
24
|
+
* - AbortSignal.timeout keeps the analyzer from hanging behind a
|
|
25
|
+
* slow/unreachable EPSS endpoint.
|
|
26
|
+
* - Fetcher is injectable for unit tests that must avoid real network.
|
|
27
|
+
* - Graceful degradation: every IO failure maps to "no score", which
|
|
28
|
+
* callers treat as "don't render an EPSS column for this finding".
|
|
29
|
+
*
|
|
30
|
+
* Only CVE IDs are scoreable — GHSA/RUSTSEC/GO-YYYY-NNNN records need
|
|
31
|
+
* a CVE alias to get an EPSS score. Callers pull CVEs from both
|
|
32
|
+
* `DepVulnFinding.id` and `aliases[]` before enrichment.
|
|
33
|
+
*/
|
|
34
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
35
|
+
exports.extractCveId = extractCveId;
|
|
36
|
+
exports.enrichEpss = enrichEpss;
|
|
37
|
+
exports.__clearEpssCache = __clearEpssCache;
|
|
38
|
+
/** Session cache. Key: CVE id, value: EPSS score (0.0–1.0) or null when unknown. */
|
|
39
|
+
const cache = new Map();
|
|
40
|
+
/** Per-request timeout. Matches osv.ts's 10s; EPSS endpoint is usually fast. */
|
|
41
|
+
const EPSS_REQUEST_TIMEOUT_MS = 10000;
|
|
42
|
+
/** Max CVE IDs per batch — FIRST.org's docs recommend ≤100 per call. */
|
|
43
|
+
const EPSS_BATCH_SIZE = 100;
|
|
44
|
+
/**
|
|
45
|
+
* Production fetcher: issues one or more GET requests to
|
|
46
|
+
* `api.first.org` in batches of `EPSS_BATCH_SIZE`. Returns a map of
|
|
47
|
+
* `cve → epssScore`; CVEs not present in any response are absent
|
|
48
|
+
* from the map (distinct from "present but null", which the wrapper
|
|
49
|
+
* uses to cache negative lookups).
|
|
50
|
+
*/
|
|
51
|
+
const DEFAULT_FETCHER = async (ids) => {
|
|
52
|
+
const result = new Map();
|
|
53
|
+
for (let i = 0; i < ids.length; i += EPSS_BATCH_SIZE) {
|
|
54
|
+
const batch = ids.slice(i, i + EPSS_BATCH_SIZE);
|
|
55
|
+
const url = `https://api.first.org/data/v1/epss?cve=${batch.join(',')}`;
|
|
56
|
+
try {
|
|
57
|
+
const res = await fetch(url, { signal: AbortSignal.timeout(EPSS_REQUEST_TIMEOUT_MS) });
|
|
58
|
+
if (!res.ok)
|
|
59
|
+
continue;
|
|
60
|
+
const body = (await res.json());
|
|
61
|
+
for (const row of body.data ?? []) {
|
|
62
|
+
if (!row.cve || !row.epss)
|
|
63
|
+
continue;
|
|
64
|
+
const n = parseFloat(row.epss);
|
|
65
|
+
if (Number.isFinite(n))
|
|
66
|
+
result.set(row.cve, n);
|
|
67
|
+
}
|
|
68
|
+
}
|
|
69
|
+
catch (err) {
|
|
70
|
+
if (process.env.DXKIT_DEBUG_EPSS) {
|
|
71
|
+
process.stderr.write(`[dxkit-epss] batch ${i / EPSS_BATCH_SIZE}: ${err.message}\n`); // slop-ok
|
|
72
|
+
}
|
|
73
|
+
// Keep going — one bad batch shouldn't poison the rest.
|
|
74
|
+
}
|
|
75
|
+
}
|
|
76
|
+
return result;
|
|
77
|
+
};
|
|
78
|
+
/**
|
|
79
|
+
* Extract the CVE ID from a DepVulnFinding-ish input. Returns the
|
|
80
|
+
* primary `id` if it's already a CVE, otherwise the first CVE alias,
|
|
81
|
+
* or null when none exists. GHSA/RUSTSEC/GO/PYSEC primaries rely on
|
|
82
|
+
* aliases to pick up a CVE.
|
|
83
|
+
*/
|
|
84
|
+
function extractCveId(finding) {
|
|
85
|
+
if (finding.id.startsWith('CVE-'))
|
|
86
|
+
return finding.id;
|
|
87
|
+
for (const a of finding.aliases ?? []) {
|
|
88
|
+
if (a.startsWith('CVE-'))
|
|
89
|
+
return a;
|
|
90
|
+
}
|
|
91
|
+
return null;
|
|
92
|
+
}
|
|
93
|
+
/**
|
|
94
|
+
* Enrich `ids` with EPSS scores. Consults the session cache first;
|
|
95
|
+
* batches everything else via the fetcher. Returns a map keyed by
|
|
96
|
+
* CVE id — IDs with no score (not in EPSS dataset, or all batches
|
|
97
|
+
* failed) are absent from the result map. Callers should treat
|
|
98
|
+
* absence as "no data available".
|
|
99
|
+
*/
|
|
100
|
+
async function enrichEpss(ids, fetcher = DEFAULT_FETCHER) {
|
|
101
|
+
const result = new Map();
|
|
102
|
+
const toFetch = [];
|
|
103
|
+
for (const id of ids) {
|
|
104
|
+
if (cache.has(id)) {
|
|
105
|
+
const v = cache.get(id);
|
|
106
|
+
if (v !== null && v !== undefined)
|
|
107
|
+
result.set(id, v);
|
|
108
|
+
}
|
|
109
|
+
else if (!toFetch.includes(id)) {
|
|
110
|
+
toFetch.push(id);
|
|
111
|
+
}
|
|
112
|
+
}
|
|
113
|
+
if (toFetch.length === 0)
|
|
114
|
+
return result;
|
|
115
|
+
const fetched = await fetcher(toFetch);
|
|
116
|
+
for (const id of toFetch) {
|
|
117
|
+
const v = fetched.get(id);
|
|
118
|
+
if (v !== undefined) {
|
|
119
|
+
cache.set(id, v);
|
|
120
|
+
result.set(id, v);
|
|
121
|
+
}
|
|
122
|
+
else {
|
|
123
|
+
// Negative-cache so we don't re-query the same unknown CVE next pass.
|
|
124
|
+
cache.set(id, null);
|
|
125
|
+
}
|
|
126
|
+
}
|
|
127
|
+
return result;
|
|
128
|
+
}
|
|
129
|
+
/** Test-only — reset the process cache between tests. */
|
|
130
|
+
function __clearEpssCache() {
|
|
131
|
+
cache.clear();
|
|
132
|
+
}
|
|
133
|
+
//# sourceMappingURL=epss.js.map
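Review bot: The `else` branch after `await fetcher(toFetch)` negative-caches every id the fetcher did not return, but `DEFAULT_FETCHER` also returns nothing for a batch that timed out or got a non-2xx response (`if (!res.ok) continue;` and the `catch`), so one transient failure marks up to `EPSS_BATCH_SIZE` CVEs as `null` for the rest of the process and later passes never retry them because `cache.has(id)` short-circuits the fetch. The fetcher call itself is unguarded, so an injected fetcher that throws propagates out of `enrichEpss` despite the header's "every IO failure maps to no score" claim. A backward-compatible fix is to let the fetcher distinguish "looked up, absent" from "not looked up": after a batch is parsed successfully add `for (const id of batch) if (!result.has(id)) result.set(id, null);`, widen `EpssFetcher` in `epss.d.ts` to `Promise<Map<string, number | null>>`, and negative-cache only on an explicit `null` as below. Separately, ids are interpolated into the query string via `batch.join(',')` with no validation even though they originate in third-party advisory aliases; filtering with a strict pattern such as `/^CVE-\d{4}-\d{4,}$/i` before joining keeps one malformed alias from failing the whole batch and documents the only id shape the endpoint can score.
```javascript
    // … unchanged: cache lookup / toFetch collection …
    if (toFetch.length === 0)
        return result;
    let fetched;
    try {
        fetched = await fetcher(toFetch);
    }
    catch {
        // Fetcher threw: "no data" for this pass only. Nothing was looked up,
        // so nothing is negative-cached and the next pass retries.
        return result;
    }
    for (const id of toFetch) {
        const v = fetched.get(id);
        if (typeof v === 'number') {
            cache.set(id, v);
            result.set(id, v);
        }
        else if (v === null) {
            // Explicit null: the batch succeeded and the dataset has no row for
            // this id — safe to negative-cache for the rest of the session.
            cache.set(id, null);
        }
        // undefined: batch timed out / non-2xx — leave uncached so it is retried.
    }
    return result;
```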
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"epss.js","sourceRoot":"","sources":["../../../src/analyzers/tools/epss.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;;AA6DH,oCASC;AASD,gCA4BC;AAGD,4CAEC;AA9GD,oFAAoF;AACpF,MAAM,KAAK,GAAG,IAAI,GAAG,EAAyB,CAAC;AAK/C,gFAAgF;AAChF,MAAM,uBAAuB,GAAG,KAAK,CAAC;AAEtC,wEAAwE;AACxE,MAAM,eAAe,GAAG,GAAG,CAAC;AAU5B;;;;;;GAMG;AACH,MAAM,eAAe,GAAgB,KAAK,EAAE,GAAG,EAAE,EAAE;IACjD,MAAM,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;IACzC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,eAAe,EAAE,CAAC;QACrD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,eAAe,CAAC,CAAC;QAChD,MAAM,GAAG,GAAG,0CAA0C,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACxE,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,uBAAuB,CAAC,EAAE,CAAC,CAAC;YACvF,IAAI,CAAC,GAAG,CAAC,EAAE;gBAAE,SAAS;YACtB,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAiB,CAAC;YAChD,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;gBAClC,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI;oBAAE,SAAS;gBACpC,MAAM,CAAC,GAAG,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;gBAC/B,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;oBAAE,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;YACjD,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;gBACjC,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,sBAAsB,CAAC,GAAG,eAAe,KAAM,GAAa,CAAC,OAAO,IAAI,CACzE,CAAC,CAAC,UAAU;YACf,CAAC;YACD,wDAAwD;QAC1D,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC,CAAC;AAEF;;;;;GAKG;AACH,SAAgB,YAAY,CAAC,OAG5B;IACC,IAAI,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,OAAO,CAAC,EAAE,CAAC;IACrD,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC;QACtC,IAAI,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC;YAAE,OAAO,CAAC,CAAC;IACrC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,UAAU,CAC9B,GAA0B,EAC1B,UAAuB,eAAe;IAEtC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;IACzC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,IAAI,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;YAClB,MAAM,
CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YACxB,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,SAAS;gBAAE,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;QACvD,CAAC;aAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAExC,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;IACvC,KAAK,MAAM,EAAE,IAAI,OAAO,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC1B,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;YACpB,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;YACjB,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;QACpB,CAAC;aAAM,CAAC;YACN,sEAAsE;YACtE,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,yDAAyD;AACzD,SAAgB,gBAAgB;IAC9B,KAAK,CAAC,KAAK,EAAE,CAAC;AAChB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"graphify.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/graphify.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"graphify.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/graphify.ts"],"names":[],"mappings":"AAuBA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,uCAAuC,CAAC;AAChF,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,oCAAoC,CAAC;AAsI3E;;;;;;;GAOG;AACH,MAAM,MAAM,uBAAuB,GAC/B;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,QAAQ,EAAE,gBAAgB,CAAA;CAAE,GAC/C;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAa5C;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,uBAAuB,CAMzE;AA4DD;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,EAAE,kBAAkB,CAAC,gBAAgB,CAMjE,CAAC"}
|
|
@@ -46,11 +46,15 @@ exports.gatherGraphifyResult = gatherGraphifyResult;
|
|
|
46
46
|
* `tools/parallel.ts`. Memoized per-cwd so both callers share one
|
|
47
47
|
* invocation per analyzer run.
|
|
48
48
|
*
|
|
49
|
-
*
|
|
50
|
-
* cleanup
|
|
51
|
-
*
|
|
49
|
+
* D013 (10f.2) — `/tmp/graphify-venv` was prone to systemd-tmpfiles
|
|
50
|
+
* cleanup and first-install races. The venv now lives at
|
|
51
|
+
* `~/.cache/dxkit/tools-venv` via `tool-registry.ts:TOOLS_VENV`;
|
|
52
|
+
* this file's per-run tempfile also migrated to `fs.mkdtempSync` so
|
|
53
|
+
* two concurrent dxkit processes never collide on a script name.
|
|
52
54
|
*/
|
|
53
55
|
const fs = __importStar(require("fs"));
|
|
56
|
+
const os = __importStar(require("os"));
|
|
57
|
+
const path = __importStar(require("path"));
|
|
54
58
|
const runner_1 = require("./runner");
|
|
55
59
|
const tool_registry_1 = require("./tool-registry");
|
|
56
60
|
const exclusions_1 = require("./exclusions");
|
|
@@ -200,12 +204,18 @@ function computeGraphifyOutcome(cwd) {
|
|
|
200
204
|
const pythonCmd = findPython(cwd);
|
|
201
205
|
if (!pythonCmd)
|
|
202
206
|
return { kind: 'unavailable', reason: 'not installed' };
|
|
203
|
-
|
|
207
|
+
// Per-run tempdir via mkdtempSync — unique random suffix eliminates
|
|
208
|
+
// the `Date.now()` collision risk when two dxkit processes fire
|
|
209
|
+
// within the same millisecond. The whole dir is rm'd on exit so we
|
|
210
|
+
// don't litter /tmp across runs.
|
|
211
|
+
const scriptDir = fs.mkdtempSync(path.join(os.tmpdir(), 'dxkit-graphify-'));
|
|
212
|
+
const scriptPath = path.join(scriptDir, 'run.py');
|
|
204
213
|
fs.writeFileSync(scriptPath, buildGraphifyScript(cwd));
|
|
205
|
-
// Redirect stderr to suppress progress output, run from
|
|
206
|
-
|
|
214
|
+
// Redirect stderr to suppress progress output, run from the tempdir
|
|
215
|
+
// so the script doesn't drop cache files inside the analyzed repo.
|
|
216
|
+
const output = (0, runner_1.run)(`cd '${scriptDir}' && ${pythonCmd} '${scriptPath}' '${cwd}' 2>/dev/null`, cwd, 120000);
|
|
207
217
|
try {
|
|
208
|
-
fs.
|
|
218
|
+
fs.rmSync(scriptDir, { recursive: true, force: true });
|
|
209
219
|
}
|
|
210
220
|
catch {
|
|
211
221
|
/* ignore */
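Review bot: The new `fs.rmSync(scriptDir, …)` cleanup only runs when `run()` returns normally; if `fs.writeFileSync` or `run` throws (its behaviour on the 120000 ms timeout is not visible here), the `mkdtempSync` directory is left behind, which is exactly the litter the preceding comment says this change avoids. Moving the write and the `run` call into a `try` whose `finally` holds the existing `rmSync`/ignore block keeps the cleanup on every path, as below. Separately, the added `cd '${scriptDir}'` interpolates `os.tmpdir()` (settable through `TMPDIR`) into a single-quoted shell string, as `scriptPath` and `cwd` already were; a path containing a single quote breaks the quoting and fails the analysis, so escaping each embedded `'` as `'\''` through a small `shellQuote` helper before interpolating is cheap insurance. `computeGraphifyOutcome` begins before this hunk and continues after it.
```javascript
    const scriptDir = fs.mkdtempSync(path.join(os.tmpdir(), 'dxkit-graphify-'));
    const scriptPath = path.join(scriptDir, 'run.py');
    let output;
    try {
        fs.writeFileSync(scriptPath, buildGraphifyScript(cwd));
        // Redirect stderr to suppress progress output, run from the tempdir
        // so the script doesn't drop cache files inside the analyzed repo.
        output = (0, runner_1.run)(`cd '${scriptDir}' && ${pythonCmd} '${scriptPath}' '${cwd}' 2>/dev/null`, cwd, 120000);
    }
    finally {
        // Always remove the tempdir, even when the write or the run throws.
        try {
            fs.rmSync(scriptDir, { recursive: true, force: true });
        }
        catch {
            /* ignore */
        }
    }
    // … unchanged: output parsing …
```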
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"graphify.js","sourceRoot":"","sources":["../../../src/analyzers/tools/graphify.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"graphify.js","sourceRoot":"","sources":["../../../src/analyzers/tools/graphify.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4LA,oDAMC;AAlMD;;;;;;;;;;;;;;;;GAgBG;AACH,uCAAyB;AACzB,uCAAyB;AACzB,2CAA6B;AAC7B,qCAA+B;AAC/B,mDAAsD;AACtD,6CAAmD;AAkBnD,8EAA8E;AAC9E,SAAS,mBAAmB,CAAC,GAAW;IACtC,OAAO;;;;;;;;;;;;;;;;;;;;iBAoBQ,IAAA,gCAAmB,EAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6FxC,CAAC;AACF,CAAC;AAcD;;;;;;;;GAQG;AACH,MAAM,oBAAoB,GAAG,IAAI,GAAG,EAAmC,CAAC;AAExE;;;;;;GAMG;AACH,SAAgB,oBAAoB,CAAC,GAAW;IAC9C,MAAM,MAAM,GAAG,oBAAoB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7C,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,MAAM,OAAO,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;IAC5C,oBAAoB,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IACvC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,sBAAsB,CAAC,GAAW;IACzC,MAAM,SAAS,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAExE,oEAAoE;IACpE,gEAAgE;IAChE,mEAAmE;IACnE,iCAAiC;IACjC,MAAM,SAAS,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC,CAAC;IAC5E,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAClD,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC;IACvD,oEAAoE;IACpE,mEAAmE;IACnE,MAAM,MAAM,GAAG,IAAA,YAAG,EAChB,OAAO,SAAS,QAAQ,SAAS,KAAK,UAAU,MAAM,GAAG,eAAe,EACxE,GAAG,EACH,MAAM,CACP,CAAC;IACF,IAAI,CAAC;QACH,EAAE,CAAC,MAAM,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,YAAY;IACd,CAAC;IAED,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAErE,mFAAmF;IACnF,MAAM,QAAQ,GAAG,MAAM;SACpB,KAAK,CAAC,IAAI,CAAC;SACX,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;SAChC,GAAG,EAAE,CAAC;IACT,IAAI,CAAC,QAAQ;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAExE,IAAI,IAAyC,CAAC;IAC9C,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAwC,CAAC;IACrE,CAAC;IAAC,MAA
M,CAAC;QACP,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;IACxD,CAAC;IACD,IAAI,IAAI,CAAC,KAAK;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;IAEnE,MAAM,QAAQ,GAAqB;QACjC,aAAa,EAAE,CAAC;QAChB,IAAI,EAAE,UAAU;QAChB,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,kBAAkB,EAAE,IAAI,CAAC,kBAAkB;QAC3C,oBAAoB,EAAE,IAAI,CAAC,oBAAoB;QAC/C,YAAY,EAAE,IAAI,CAAC,YAAY;QAC/B,cAAc,EAAE,IAAI,CAAC,cAAc;QACnC,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;QACzC,eAAe,EAAE,IAAI,CAAC,eAAe;QACrC,kBAAkB,EAAE,IAAI,CAAC,kBAAkB;KAC5C,CAAC;IACF,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AACvC,CAAC;AAED;;;;GAIG;AACU,QAAA,gBAAgB,GAAyC;IACpE,MAAM,EAAE,UAAU;IAClB,KAAK,CAAC,MAAM,CAAC,GAAG;QACd,MAAM,OAAO,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAC1C,OAAO,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9D,CAAC;CACF,CAAC;AAEF,sFAAsF;AACtF,SAAS,UAAU,CAAC,GAAW;IAC7B,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,yBAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IACjD,OAAO,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;AAC/C,CAAC"}
|