@vyuhlabs/dxkit 2.3.2 → 2.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +107 -0
- package/README.md +34 -19
- package/dist/analyzers/bom/index.d.ts.map +1 -1
- package/dist/analyzers/bom/index.js +7 -0
- package/dist/analyzers/bom/index.js.map +1 -1
- package/dist/analyzers/bom/types.d.ts +11 -0
- package/dist/analyzers/bom/types.d.ts.map +1 -1
- package/dist/analyzers/security/gather.d.ts.map +1 -1
- package/dist/analyzers/security/gather.js +15 -0
- package/dist/analyzers/security/gather.js.map +1 -1
- package/dist/analyzers/tools/fingerprint.d.ts +63 -0
- package/dist/analyzers/tools/fingerprint.d.ts.map +1 -0
- package/dist/analyzers/tools/fingerprint.js +82 -0
- package/dist/analyzers/tools/fingerprint.js.map +1 -0
- package/dist/analyzers/tools/osv-scanner-fix.d.ts +63 -0
- package/dist/analyzers/tools/osv-scanner-fix.d.ts.map +1 -0
- package/dist/analyzers/tools/osv-scanner-fix.js +202 -0
- package/dist/analyzers/tools/osv-scanner-fix.js.map +1 -0
- package/dist/analyzers/tools/semver-bump.d.ts +17 -0
- package/dist/analyzers/tools/semver-bump.d.ts.map +1 -0
- package/dist/analyzers/tools/semver-bump.js +30 -0
- package/dist/analyzers/tools/semver-bump.js.map +1 -0
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +20 -0
- package/dist/analyzers/tools/tool-registry.js.map +1 -1
- package/dist/analyzers/tools/upgrade-plan-resolver.d.ts +64 -0
- package/dist/analyzers/tools/upgrade-plan-resolver.d.ts.map +1 -0
- package/dist/analyzers/tools/upgrade-plan-resolver.js +146 -0
- package/dist/analyzers/tools/upgrade-plan-resolver.js.map +1 -0
- package/dist/languages/capabilities/types.d.ts +46 -2
- package/dist/languages/capabilities/types.d.ts.map +1 -1
- package/dist/languages/csharp.d.ts +33 -0
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +77 -38
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +13 -0
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +17 -1
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +12 -1
- package/dist/languages/typescript.js.map +1 -1
- package/package.json +1 -1
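--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -7,6 +7,113 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.4.0] - 2026-04-24
+
+Phase 10h.6 complete. Tier-2 fix tools + agent-handoff types +
+cross-pack upgrade-plan resolver + C# multi-project attribution.
+Closes defect D003. One user-facing theme: every `DepVulnFinding`
+that has a viable remediation now carries a structured
+`upgradePlan` that agents can consume directly — no more parsing
+free-text `upgradeAdvice` to figure out what to upgrade.
+
+### Added — agent handoff (Phase 10h.6 kickoff)
+
+- **Advisory fingerprint** — `DepVulnFinding.fingerprint` is a stable
+16-char hash of `(package, installedVersion, id)`, stamped by the
+cross-pack aggregator after enrichment. Identity is input-only —
+re-scoring or enrichment changes do not mint a new fingerprint.
+`BomReport.summary.fingerprints` ships the sorted-deduplicated
+manifest so external tooling (suppressions, CI gates, upgrade bots)
+can diff two reports by plain set difference. New helper
+`src/analyzers/tools/fingerprint.ts`.
+
+- **Structured upgradePlan** — `DepVulnFinding.upgradePlan` is a typed
+sibling to the existing free-text `upgradeAdvice`:
+`{ parent, parentVersion, patches[], breaking }`. Populated by the
+Tier-2 fix tools landing in 10h.6.1–.4 (`osv-scanner fix`,
+`pip-audit --fix`, `cargo audit fix`, the cross-pack transitive
+resolver). Free-text advice stays for markdown/xlsx readability;
+autonomous upgrade bots consume the structured form. New type
+`DepVulnUpgradePlan`.
+
+### Added — Tier-2 fix tools (Phase 10h.6.1 + 10h.6.2)
+
+- **TypeScript `osv-scanner fix` integration** (10h.6.1) — wraps
+`osv-scanner fix --format json --manifest package.json --lockfile
+package-lock.json` and stamps structured `upgradePlan` on each
+matching `DepVulnFinding` surfaced by `npm audit`. Per-patch rollup:
+if one top-level bump resolves N advisories, every finding's
+`upgradePlan.patches[]` lists all N. Breaking detection normalizes
+pre-1.x where a minor bump (0.5 → 0.6) is treated as breaking.
+- **Rust `cargo-audit` upgradePlan population** (10h.6.3) — mirrors the
+Python pattern: cargo-audit's existing JSON output already carries
+per-advisory `versions.patched[]`, so we populate
+`DepVulnFinding.upgradePlan` as a pure transformation (parent equals
+the finding's own crate; Rust has no transitive-parent remediation
+concept at the advisory level). New `isMajorBump` helper shared with
+the TS/Python packs (identical implementation — flagged for
+consolidation in 10h.6.4's cross-pack resolver). 5 new tests.
+- **Python `pip-audit` upgradePlan population** (10h.6.2) — pip-audit
+already returns `fix_versions[]` per advisory; we now map the first
+(minimal-resolving) entry into `DepVulnFinding.upgradePlan` alongside
+the existing `fixedVersion`. Python's flat dep graph means
+`upgradePlan.parent` equals the finding's own package — no transitive
+parent to upgrade, just bump the vulnerable package directly. No new
+subprocess call required; pure transformation of existing output.
+- **New tool in `TOOL_DEFS`** — `osv-scanner` (Node/TS pack, Tier-2).
+Installs via `go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest`
+(macOS also tries `brew install osv-scanner` first). Soft-fails when
+the binary isn't available — existing `upgradeAdvice` (free-text,
+from npm-audit) stays as the fallback and no findings are dropped.
+- **New helper** — `src/analyzers/tools/osv-scanner-fix.ts` exports
+`gatherOsvScannerFixPlans(cwd)`, `parseOsvScannerFixOutput(raw)`, and
+`enrichWithUpgradePlans(findings, plans)`. 19 new tests with a real
+osv-scanner sample as fixture.
+- **New helper in Python pack** — `isMajorBump(from, to)` shared
+between depVulns gather and tests. Same pre-1.x-minor-is-breaking
+convention as the TypeScript pack. 5 new tests.
+
+### Fixed — C# multi-project attribution (Phase 10h.6.7, closes D003)
+
+- Multi-project .NET solutions (web app + tests + shared libs) now
+get correct top-level-dep attribution from every project's graph.
+Earlier revisions walked to the **first** `obj/project.assets.json`
+they found and built the attribution index from that one file —
+advisories reachable only through sibling projects' dep chains
+ended up without a `topLevelDep`. Fix: enumerate every
+`project.assets.json` under cwd, merge the edge maps + union
+top-level sets, run BFS against the merged graph. New exports in
+`src/languages/csharp.ts`: `findAllProjectAssetsJson` and
+`mergeAssetParses`. 5 new tests covering the merge semantics + the
+concrete D003 case (advisory reachable through sibling only).
+
+### Added — cross-pack upgrade-plan resolver (Phase 10h.6.4)
+
+- **Shared `isMajorBump` helper** — three identical copies
+(TS/Python/Rust from 10h.6.1–.3) consolidated into
+`src/analyzers/tools/semver-bump.ts`. All three packs import from
+the shared module; 7-test suite at `test/semver-bump.test.ts`
+supersedes the inline duplicates.
+- **Cross-pack resolver** — new module
+`src/analyzers/tools/upgrade-plan-resolver.ts` exposing
+`resolveTransitiveUpgradePlans(findings)`. Runs after per-pack
+Tier-2 tools and before riskScore composition. Two passes:
+1. **Reconciliation** — for every advisory id listed in any
+existing plan's `patches[]`, stamp the same plan onto the
+matching finding (by id only, case-insensitive). Fills gaps
+where a Tier-2 tool's `fixed[]` mentions an id that's carried
+by another finding with a different (package, version) tuple.
+2. **Free-text parse** — derives a plan from the npm-audit
+transitive-fix template (`"Upgrade X to Y [major] (transitive
+fix)"`) when no structured plan exists. Single-advisory scope
+(patches=[finding.id]) since the free-text doesn't carry
+cross-advisory rollup. Producer-written plans are
+authoritative; resolver never overwrites.
+- **Wire-up** — `gatherDepVulns` in `src/analyzers/security/gather.ts`
+now calls `resolveTransitiveUpgradePlans` after fingerprinting and
+tier-3 enrichment, before composite `riskScore`. 11 new tests at
+`test/upgrade-plan-resolver.test.ts`.
+
 ## [2.3.2] - 2026-04-24
 
 PM-grade bom reports. The xlsx and markdown outputs both restructure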
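--- a/package/README.md
+++ b/package/README.md
@@ -41,7 +41,7 @@ Seven deterministic analyzers. Each emits a markdown report to `.dxkit/reports/`
 | Command | What it does | Runtime | Output |
 | ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | --------------------------------------------- |
 | `health` | 6-dimension score (Testing, Quality, Docs, Security, Maint, DX) | 10–20s | `.dxkit/reports/health-audit-<date>.md` |
-| `vulnerabilities` | gitleaks + semgrep + per-pack dep-audit (per-advisory detail in `--detailed`)
+| `vulnerabilities` | gitleaks + semgrep + per-pack dep-audit (enriched with EPSS exploit probability, CISA KEV catalog, reachability from your source, composite riskScore; per-advisory detail in `--detailed`) | 5–30s | `.dxkit/reports/vulnerability-scan-<date>.md` |
 | `test-gaps` | Coverage artifact → import-graph → filename (strongest wins) | <1s | `.dxkit/reports/test-gaps-<date>.md` |
 | `quality` | Slop score + jscpd duplication + eslint/ruff + hygiene | 5–15s | `.dxkit/reports/quality-review-<date>.md` |
 | `dev-report` | Commits, contributors, hot files, velocity, conventional % | <1s | `.dxkit/reports/developer-report-<date>.md` |
@@ -97,14 +97,14 @@ vyuh-dxkit tools install # interactive: prompts per tool
 
 ### Tools integrated
 
-| Layer | Tools
-| --------- |
-| Universal | `cloc`, `gitleaks`, `semgrep`, `jscpd`, `graphify` (AST)
-| Node / TS | `eslint`, `npm audit`, `@vitest/coverage-v8`
-| Python | `ruff`, `pip-audit`, `coverage` (coverage.py)
-| Go | `golangci-lint`, `govulncheck`
-| Rust | `clippy`, `cargo-audit`, `cargo-llvm-cov`
-| C# | `dotnet-format` (via SDK)
+| Layer | Tools |
+| --------- | ------------------------------------------------------------------------- |
+| Universal | `cloc`, `gitleaks`, `semgrep`, `jscpd`, `graphify` (AST) |
+| Node / TS | `eslint`, `npm audit`, `osv-scanner` (fix planner), `@vitest/coverage-v8` |
+| Python | `ruff`, `pip-audit`, `coverage` (coverage.py) |
+| Go | `golangci-lint`, `govulncheck` |
+| Rust | `clippy`, `cargo-audit`, `cargo-llvm-cov` |
+| C# | `dotnet-format` (via SDK — formatter, not a linter) |
 
 Install commands are platform-aware (brew on macOS, user-local install on Linux, winget/scoop on Windows). Tools install into `~/.local/bin` or similar user paths — no `sudo` required.
 
@@ -126,7 +126,7 @@ Three layers merge: bundled defaults → repo `.gitignore` → repo `.dxkit-igno
 
 ### `.dxkit-suppressions.json`
 
-Silence known-false positives without touching code.
+Silence known-false positives without touching code. Wired to `gitleaks` (secrets) and `semgrep` (code patterns). Slop-hook wiring remains a follow-up.
 
 ```json
 {
@@ -136,11 +136,18 @@ Silence known-false positives without touching code. Currently wired to `gitleak
 "paths": ["test/fixtures/**", "**/*.test.ts"],
 "reason": "Fake keys in test fixtures"
 }
+],
+"semgrep": [
+{
+"rule": "javascript.express.security.audit.express-check-directory-traversal",
+"paths": ["scripts/serve-static.js"],
+"reason": "Controlled internal tool, not user-reachable"
+}
 ]
 }
 ```
 
-A finding is suppressed when its rule matches (exact string, or `*` for any) AND at least one path glob matches. Globs support `**`, `*`, `?`.
+A finding is suppressed when its rule matches (exact string, or `*` for any) AND at least one path glob matches. Globs support `**`, `*`, `?`. Suppressed counts are reported separately in the analyzer output so "zero visible" is distinguishable from "zero real".
 
 ### `.project.yaml` (optional, for scaffolding)
 
@@ -152,13 +159,15 @@ When present (typically written by `@vyuhlabs/create-devstack`), `dxkit init` re
 
 Each language is a single `LanguageSupport` implementation in `src/languages/`. Adding a new language is one file — detection, tools, coverage parsing, import extraction, and lint severity mapping in one place.
 
-| Language | Detection | Coverage import | Import-graph
-| -------- | ------------------------------------ | ------------------- |
-| TS / JS | `package.json` | ✅ Istanbul | ✅ import/require/re-export
-| Python | `pyproject.toml`, `setup.py`, `*.py` | ✅ coverage.py | ✅ import/from
-| Go | `go.mod` | ✅ coverprofile | ✅ import blocks
-| Rust | `Cargo.toml` | ✅ lcov + cobertura |
-| C# | `*.csproj`, `*.sln` | ✅ cobertura XML |
+| Language | Detection | Coverage import | Import-graph | Native tools | Lint severity tiers | Vuln severity tiers |
+| -------- | ------------------------------------ | ------------------- | -------------------------------------- | ----------------------------------- | ---------------------- | ----------------------------------- |
+| TS / JS | `package.json` | ✅ Istanbul | ✅ import/require/re-export | eslint, npm audit, vitest-coverage | ✅ ESLint rule ID | ✅ npm audit native |
+| Python | `pyproject.toml`, `setup.py`, `*.py` | ✅ coverage.py | ✅ import/from | ruff, pip-audit, coverage | ✅ ruff code prefix | ✅ pip-audit + OSV.dev (CVSS v3+v4) |
+| Go | `go.mod` | ✅ coverprofile | ✅ import blocks | golangci-lint, govulncheck | ✅ `FromLinter` family | ✅ govulncheck embedded + OSV.dev |
+| Rust | `Cargo.toml` | ✅ lcov + cobertura | ⚠️ use statements, extracted only¹ | clippy, cargo-audit, cargo-llvm-cov | ✅ clippy group | ✅ cargo-audit native |
+| C# | `*.csproj`, `*.sln` | ✅ cobertura XML | ⚠️ using declarations, extracted only¹ | dotnet-format (formatter) | ❌ (no linter yet) | ✅ dotnet list --vulnerable |
+
+¹ Rust + C# packs populate `imports.extracted` but the file-level resolver is a no-op — Rust's `use` paths and C#'s `using` namespaces don't map 1:1 to source files. Downstream analyses that need an edge graph (reachability for dep-vulns, import-graph credit for test-gaps) degrade to conservative defaults for these two languages. Resolvers are planned; see Phase 10i-L.2 in the roadmap.
 
 ✅ full support. Multi-language repos fully supported — every detected language's tools run, and dep-vuln counts aggregate across all language packs via the `depVulns` capability (pip-audit findings don't silently replace npm-audit ones).
 
@@ -187,9 +196,15 @@ Running `init` auto-detects your tech stack and generates a complete `.claude/`
 CLAUDE.md # Main context file for Claude Code
 .ai/
 sessions/ # Session checkpoints
-
+features/ # Feature-planning docs produced by `/feature`
+.dxkit/
+reports/ # Generated analyzer output (health, bom, licenses, …)
+.dxkit-ignore # Extra analyzer-only exclusions (on top of .gitignore)
+.dxkit-suppressions.json # Silence known-false positives (gitleaks, semgrep)
 ```
 
+The `.dxkit/` directory holds analyzer state and was split out from `.ai/` in v2.3.0 so tool output (regeneratable, safe to gitignore) is separated from agent context (session history, feature plans).
+
 ### Slash commands → native CLI delegation
 
 The scaffolded slash commands (`/health`, `/vulnerabilities`, `/test-gaps`, `/quality`, `/dev-report`) use a three-tier fallback: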
@@ -1 +1 @@
1
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/analyzers/bom/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;
1
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/analyzers/bom/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AASH,OAAO,KAAK,EAAY,SAAS,EAAe,MAAM,SAAS,CAAC;AAEhE,YAAY,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEnD,MAAM,MAAM,SAAS,GAAG,KAAK,GAAG,WAAW,CAAC;AAE5C,MAAM,WAAW,iBAAiB;IAChC,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB;;;;;;0EAMsE;IACtE,MAAM,CAAC,EAAE,SAAS,CAAC;IACnB;;;;;yCAKqC;IACrC,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,wBAAsB,UAAU,CAC9B,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,SAAS,CAAC,CA4DpB;AAiCD;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,EAAE,EAAE,MAAM,CAAC;IACX,gBAAgB,EAAE,MAAM,CAAC;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,SAAS,EAAE,CAoD9F;AAED,wBAAgB,eAAe,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,CAsP1E"}
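--- a/package/dist/analyzers/bom/index.js
+++ b/package/dist/analyzers/bom/index.js
@@ -53,6 +53,7 @@ exports.buildTriageRows = buildTriageRows;
 exports.formatBomReport = formatBomReport;
 const path = __importStar(require("path"));
 const detect_1 = require("../../detect");
+const fingerprint_1 = require("../tools/fingerprint");
 const runner_1 = require("../tools/runner");
 const discovery_1 = require("./discovery");
 const gather_1 = require("./gather");
@@ -85,6 +86,11 @@ async function analyzeBom(repoPath, options = {}) {
 if (!e.joinedFromBoth)
 vulnOnlyPackages++;
 }
+// Manifest of every advisory identity in the (post-filter) report.
+// Drawn from `entries` rather than `rawEntries` so `filter=top-level`
+// reports surface only the fingerprints the caller actually sees —
+// diffing two filtered reports stays consistent.
+const fingerprints = (0, fingerprint_1.collectFingerprints)(entries.flatMap((e) => e.vulns));
 return {
 repo: stack.projectName || path.basename(repoPath),
 analyzedAt: new Date().toISOString(),
@@ -102,6 +108,7 @@ async function analyzeBom(repoPath, options = {}) {
 filter,
 unfilteredTotalPackages: rawEntries.length,
 projectRoots,
+fingerprints,
 },
 entries,
 toolsUsed,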
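Review bot: `const fingerprints = (0, fingerprint_1.collectFingerprints)(entries.flatMap((e) => e.vulns));` in the second hunk builds the manifest that the changelog advertises for suppressions and CI gates, but nothing in the hunk guards against a vuln that was never stamped — the changelog says `fingerprint` is set by the cross-pack aggregator after enrichment, so if `collectFingerprints` only reads existing values (its body is not on this page) a finding that bypassed that aggregator silently disappears from `summary.fingerprints`, and a set-difference diff of two reports would miss it rather than fail. Worth either asserting in `collectFingerprints` or stating the assumption next to the call, e.g. `// NOTE(review): assumes every vuln already carries a fingerprint from gatherDepVulns — unstamped vulns would be dropped here, confirm`. A second consumer-facing point: `summary.fingerprints` is scoped by `filter` while the neighbouring `unfilteredTotalPackages` counts `rawEntries`, so two reports produced with different `filter` values will differ spuriously; the `types.d.ts` doc for the new `fingerprints` field should say the set is filter-scoped so gating tooling compares like with like. `analyzeBom` starts and ends outside these hunks.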
@@ -1 +1 @@
1
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/analyzers/bom/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiCH,gCAwDC;AAgED,0CAoDC;AAED,0CAsPC;AAncD,2CAA6B;AAC7B,yCAAsC;AACtC,4CAAsC;AACtC,2CAAmD;AACnD,qCAAuF;AACvF,6CAA8E;AA0BvE,KAAK,UAAU,UAAU,CAC9B,QAAgB,EAChB,UAA6B,EAAE;IAE/B,MAAM,KAAK,GAAG,IAAA,eAAM,EAAC,QAAQ,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,IAAI,CAAC;IACtC,MAAM,YAAY,GAAG,MAAM,CAAC,CAAC,CAAC,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,IAAA,yBAAgB,EAAC,QAAQ,CAAC,CAAC;IAC9F,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,gBAAgB,EAAE,YAAY,EAAE,GAAG,YAAY,CAAC;IAExF,oEAAoE;IACpE,mEAAmE;IACnE,gEAAgE;IAChE,qBAAqB;IACrB,MAAM,aAAa,GAAG,IAAA,2BAAkB,EAAC,UAAU,CAAC,CAAC;IAErD,MAAM,MAAM,GAAc,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC;IAClD,MAAM,OAAO,GACX,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;IAEzF,MAAM,UAAU,GAAgC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC5F,IAAI,kBAAkB,GAAG,CAAC,CAAC;IAC3B,IAAI,eAAe,GAAG,CAAC,CAAC;IACxB,IAAI,eAAe,GAAG,CAAC,CAAC;IACxB,IAAI,gBAAgB,GAAG,CAAC,CAAC;IACzB,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;YAClB,UAAU,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC;YAC5B,kBAAkB,EAAE,CAAC;YACrB,IAAI,CAAC,CAAC,aAAa,CAAC,UAAU,CAAC,WAAW,CAAC;gBAAE,eAAe,EAAE,CAAC;QACjE,CAAC;QACD,eAAe,IAAI,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC;QAClC,IAAI,CAAC,CAAC,CAAC,cAAc;YAAE,gBAAgB,EAAE,CAAC;IAC5C,CAAC;IAED,OAAO;QACL,IAAI,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAClD,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACpC,SAAS,EAAE,IAAA,YAAG,EAAC,wCAAwC,EAAE,QAAQ,CAAC;QAClE,MAAM,EAAE,IAAA,YAAG,EAAC,6CAA6C,EAAE,QAAQ,CAAC;QACpE,aAAa,EAAE,GAAG;QAClB,OAAO,EAAE;YACP,aAAa,EAAE,OAAO,CAAC,MAAM;YAC7B,UAAU;YACV,kBAAkB;YAClB,eAAe;YACf,eAAe;YACf,gBAAgB;YAChB,aAAa;YACb,MAAM;YACN,uBAAuB,EAAE,UAAU,CAAC,MAAM;YAC1C,YAAY;SACb;QACD,OAAO;QACP,SAAS;QACT,gBAAgB;KACjB,CAAC;AACJ,
CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,YAAY,CACzB,QAAgB;IAEhB,MAAM,QAAQ,GAAG,IAAA,gCAAoB,EAAC,QAAQ,CAAC,CAAC;IAChD,IAAI,QAAQ,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACzB,gEAAgE;QAChE,wDAAwD;QACxD,OAAO,IAAA,yBAAgB,EAAC,QAAQ,CAAC,CAAC;IACpC,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAC/B,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;QAC/B,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,GAAG;QAChD,MAAM,EAAE,MAAM,IAAA,yBAAgB,EAAC,OAAO,CAAC;KACxC,CAAC,CAAC,CACJ,CAAC;IACF,OAAO,IAAA,8BAAqB,EAAC,OAAO,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,SAAS,GAAgC;IAC7C,QAAQ,EAAE,UAAU;IACpB,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,QAAQ;IAChB,GAAG,EAAE,KAAK;CACX,CAAC;AAgBF;;;;;;;;;;;;;;;;GAgBG;AACH,SAAgB,eAAe,CAAC,MAAiB,EAAE,KAAa,EAAE,OAAe;IAW/E,MAAM,IAAI,GAAW,EAAE,CAAC;IACxB,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;YACxB,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ;gBAAE,SAAS;YAC9C,IAAI,CAAC,CAAC,SAAS,GAAG,OAAO;gBAAE,SAAS;YACpC,IAAI,CAAC,IAAI,CAAC;gBACR,IAAI,EAAE,CAAC,CAAC,SAAS;gBACjB,EAAE,EAAE,CAAC,CAAC,EAAE;gBACR,gBAAgB,EAAE,GAAG,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,EAAE;gBAC7C,IAAI,EAAE,CAAC,CAAC,SAAS;gBACjB,IAAI,EAAE,CAAC,CAAC,SAAS;gBACjB,GAAG,EAAE,CAAC,CAAC,GAAG;gBACV,SAAS,EAAE,CAAC,CAAC,SAAS;gBACtB,aAAa,EAAE,CAAC,CAAC,aAAa,IAAI,CAAC,CAAC,aAAa;aAClD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACjE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAEjC,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QACnB,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,IAAI,CAAC,CAAC,GAAG;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7B,IAAI,CAAC,CAAC,SAAS,KAAK,IAAI;YAAE,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAClD,IAAI,CAAC,CAAC,SAAS,KAAK,KAAK;YAAE,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACvD,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ;YAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACxE,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,Q
AAQ,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC;YACjD,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACnD,CAAC;QACD,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QAC5D,+DAA+D;QAC/D,sCAAsC;QACtC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,aAAa,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QACxF,OAAO;YACL,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,gBAAgB,EAAE,CAAC,CAAC,gBAAgB;YACpC,SAAS;YACT,GAAG;SACJ,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAgB,eAAe,CAAC,MAAiB,EAAE,OAAe;IAChE,MAAM,CAAC,GAAa,EAAE,CAAC;IAEvB,CAAC,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;IAC3C,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,aAAa,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;IACtD,CAAC,CAAC,IAAI,CAAC,mBAAmB,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IACzC,CAAC,CAAC,IAAI,CAAC,eAAe,MAAM,CAAC,MAAM,KAAK,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC;IAC7D,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,qEAAqE;IACrE,kEAAkE;IAClE,2CAA2C;IAC3C,uBAAuB,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IAEnC,+DAA+D;IAC/D,kEAAkE;IAClE,4DAA4D;IAC5D,8DAA8D;IAC9D,+DAA+D;IAC/D,MAAM,MAAM,GAAG,eAAe,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IAC/C,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAChC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CACJ,OAAO,MAAM,CAAC,MAAM,WAAW,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,gBAAgB;YAC9E,8EAA8E;YAC9E,yDAAyD,CAC5D,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAC;QAC5D,CAAC,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAC;QAC5D,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;YACzB,CAAC,CAAC,IAAI,CACJ,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,EAAE,UAAU,GAAG,CAAC,gBAAgB,QAAQ,GAAG,CAAC,SAAS,MAAM,GAAG,CAAC,GAAG,IAAI,CAC/G,CAAC;QACJ,CAAC;QACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC
X,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IAED,UAAU;IACV,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC;IACzB,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACrB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,IAAI,CAAC,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,CAAC,CAAC,IAAI,CACJ,uBAAuB,CAAC,CAAC,YAAY,CAAC,MAAM,qBAAqB;YAC/D,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;YAChD,yEAAyE,CAC5E,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IACD,IAAI,CAAC,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;QAC7B,CAAC,CAAC,IAAI,CACJ,KAAK,CAAC,CAAC,aAAa,6BAA6B,CAAC,CAAC,uBAAuB,kDAAkD;YAC1H,+EAA+E;YAC/E,uCAAuC,CAC1C,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,aAAa,yDAAyD,CAAC,CAAC;IACxF,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,IAAI,CAAC,CAAC,kBAAkB,GAAG,CAAC,EAAE,CAAC;QAC7B,CAAC,CAAC,IAAI,CACJ,KAAK,CAAC,CAAC,kBAAkB,4CAA4C;YACnE,KAAK,CAAC,CAAC,eAAe,yBAAyB;YAC/C,oEAAoE;YACpE,+BAA+B;YAC/B,KAAK,CAAC,CAAC,eAAe,sDAAsD,CAC/E,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CACJ,+DAA+D;YAC7D,sCAAsC,CAAC,CAAC,eAAe,mBAAmB;YAC1E,qBAAqB,CAAC,CAAC,kBAAkB,uBAAuB;YAChE,+BAA+B,CAClC,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QAChE,CAAC,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QAChE,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,UAAU,CAAC,QAAQ,IAAI,CAAC,CAAC;QAClD,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC,CAAC;QAC9C,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,UAAU,CAAC,MAAM,IAAI,CAAC,CAAC;QAChD,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,CAAC;QAC7C,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IACD,IAAI,CAAC,CAAC,gBAAgB,GAAG,CAAC,EAAE,CAAC;QAC3B,CAAC,CAAC,IAAI,CACJ,QAAQ,CAAC,CAAC,gBAAgB,2DAA2D;YACnF,sEAAsE;YACtE,qEAAqE,CACxE,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,oEAAoE;IACpE,+DAA+D;IAC/D,+DAA+D;IAC/D,mEAAmE;IACnE,6BAA6B;IAC7B,MAAM,eAAe
,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;IACxD,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,CAAC,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QAClC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CACJ,sEAAsE;YACpE,sEAAsE;YACtE,gEAAgE,CACnE,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CACJ,qFAAqF;YACnF,qFAAqF;YACrF,iFAAiF;YACjF,oFAAoF;YACpF,iFAAiF;YACjF,sEAAsE,CACzE,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,MAAM,QAAQ,GAAgC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAC1F,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,CACjC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACP,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;YACvD,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa;YACvC,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAC3B,CAAC;QACF,MAAM,GAAG,GAAG,EAAE,CAAC;QACf,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACnC,CAAC,CAAC,IAAI,CAAC,iFAAiF,CAAC,CAAC;QAC1F,CAAC,CAAC,IAAI,CAAC,iFAAiF,CAAC,CAAC;QAC1F,KAAK,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,KAAK,EAAE,CAAC;YAC7B,MAAM,MAAM,GAAG,CAAC,CAAC;YACjB,MAAM,OAAO,GACX,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,MAAM;gBACxB,CAAC,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,MAAM,OAAO;gBAClF,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5B,CAAC,CAAC,IAAI,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,QAAQ,GAAG,QAAQ,CAAC,CAAC,aAAa,MAAM,OAAO,IAAI,CAAC,CAAC;QAC3F,CAAC;QACD,IAAI,MAAM,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YACxB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACX,CAAC,CAAC,IAAI,CAAC,YAAY,GAAG,OAAO,MAAM,CAAC,MAAM,6CAA6C,CAAC,CAAC;QAC3F,CAAC;QACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IAED,iEAAiE;IACjE,IAAI,CAAC,CAAC,kBAAkB,GAAG,CAAC,EAAE,CAAC;QAC7B,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QACjC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CACJ,qFA
AqF;YACnF,uFAAuF;YACvF,yEAAyE,CAC5E,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,MAAM,QAAQ,GAAgC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAC1F,MAAM,OAAO,GAAG,CAAC,CAAW,EAAU,EAAE;YACtC,IAAI,IAAI,GAAG,CAAC,CAAC,CAAC;YACd,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;gBACxB,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,CAAC,SAAS,GAAG,IAAI;oBAAE,IAAI,GAAG,CAAC,CAAC,SAAS,CAAC;YAChF,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC,CAAC;QACF,MAAM,IAAI,GAAe,MAAM,CAAC,OAAO;aACpC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC;aAC5B,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;YACb,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YACtB,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YACtB,IAAI,EAAE,KAAK,EAAE;gBAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,oBAAoB;YACnD,OAAO,CACL,QAAQ,CAAC,CAAC,CAAC,WAAY,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,WAAY,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,CAC1F,CAAC;QACJ,CAAC,CAAC,CAAC;QACL,MAAM,GAAG,GAAG,EAAE,CAAC;QACf,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACjC,CAAC,CAAC,IAAI,CACJ,oGAAoG,CACrG,CAAC;QACF,CAAC,CAAC,IAAI,CACJ,oGAAoG,CACrG,CAAC;QACF,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,MAAM,MAAM,GAAG,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;YACrD,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK;iBACvB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;iBACvB,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;YACrD,wEAAwE;YACxE,8DAA8D;YAC9D,iEAAiE;YACjE,gDAAgD;YAChD,MAAM,QAAQ,GACZ,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;YACjF,6DAA6D;YAC7D,+DAA+D;YAC/D,8DAA8D;YAC9D,kCAAkC;YAClC,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK;iBACvB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;iBACvB,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;YACrD,MAAM,QAAQ,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG
,CAAC;YAClF,+DAA+D;YAC/D,kEAAkE;YAClE,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YACtD,8DAA8D;YAC9D,2DAA2D;YAC3D,8DAA8D;YAC9D,gEAAgE;YAChE,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YACvE,iEAAiE;YACjE,8DAA8D;YAC9D,mDAAmD;YACnD,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YACxB,MAAM,QAAQ,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC;YAC5D,CAAC,CAAC,IAAI,CACJ,KAAK,QAAQ,MAAM,SAAS,CAAC,CAAC,CAAC,WAAY,CAAC,MAAM,QAAQ,QAAQ,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,QAAQ,CAAC,CAAC,WAAW,MAAM,CAAC,CAAC,KAAK,CAAC,MAAM,MAAM,OAAO,MAAM,SAAS,MAAM,QAAQ,MAAM,MAAM,IAAI,CAC5L,CAAC;QACJ,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YACtB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACX,CAAC,CAAC,IAAI,CACJ,YAAY,GAAG,OAAO,IAAI,CAAC,MAAM,gGAAgG,CAClI,CAAC;QACJ,CAAC;QACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IAED,SAAS;IACT,CAAC,CAAC,IAAI,CAAC,mBAAmB,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,EAAE,CAAC,CAAC;IACrE,IAAI,MAAM,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvC,CAAC,CAAC,IAAI,CAAC,0BAA0B,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,sBAAsB,OAAO,GAAG,CAAC,CAAC;IACzC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,gFAAgF,CAAC,CAAC;IAEzF,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACtB,CAAC;AAED,+EAA+E;AAE/E;;;;;;;GAOG;AACH,SAAS,uBAAuB,CAAC,CAAW,EAAE,MAAiB;IAC7D,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC;IACzB,CAAC,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;IAClC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,2EAA2E;IAC3E,qEAAqE;IACrE,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,CAAC,CAAC,QAAQ,KAAK,UAAU,IA
AI,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC;YAC/D,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,KAAK,IAAI,IAAI,CAAC,CAAC,SAAS,KAAK,IAAI,CAAC;YACxD,IAAI,GAAG,IAAI,QAAQ;gBAAE,YAAY,EAAE,CAAC;YACpC,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,CAAC,SAAS,IAAI,EAAE;gBAAE,UAAU,EAAE,CAAC;QACzE,CAAC;IACH,CAAC;IAED,MAAM,WAAW,GACf,YAAY,KAAK,CAAC;QAChB,CAAC,CAAC,kFAAkF;QACpF,CAAC,CAAC,QAAQ,YAAY,gBAAgB,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,mFAAmF,CAAC;IAC3J,CAAC,CAAC,IAAI,CAAC,KAAK,WAAW,EAAE,CAAC,CAAC;IAE3B,CAAC,CAAC,IAAI,CACJ,UAAU,UAAU,WAAW,UAAU,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,sCAAsC,CACjG,CAAC;IAEF,mBAAmB;IACnB,MAAM,UAAU,GAAG,IAAI,GAAG,EAAwB,CAAC;IACnD,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC/B,MAAM,CAAC,GAAG,IAAA,yBAAY,EAAC,CAAC,CAAC,WAAW,CAAC,CAAC;QACtC,UAAU,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAClD,CAAC;IACD,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;IACtD,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAClD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,MAAM,GAAG,CAAC;QAAE,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,uCAAuC,CAAC,CAAC;IAC/E,IAAI,UAAU,GAAG,CAAC;QAAE,OAAO,CAAC,IAAI,CAAC,GAAG,UAAU,iCAAiC,CAAC,CAAC;IACjF,CAAC,CAAC,IAAI,CACJ,8BAA8B,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,mCAAmC,EAAE,CAC9G,CAAC;IAEF,YAAY;IACZ,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CACtC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAA,0BAAa,EAAC,CAAC,CAAC,WAAW,EAAE,GAAG,CAAC,KAAK,OAAO,CACrD,CAAC,MAAM,CAAC;IACT,CAAC,CAAC,IAAI,CACJ,wBAAwB,UAAU,WAAW,UAAU,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,yBAAyB,CAClG,CAAC;IAEF,2BAA2B;IAC3B,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QAC3D,MAAM,QAAQ,GAAgC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAC1F,OAAO,CACL,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAA
C;YACvD,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,CACxC,CAAC;IACJ,CAAC,CAAC,CAAC;IACH,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QAC5B,CAAC,CAAC,IAAI,CACJ,wCAAwC,IAAI,uBAAuB,CAAC,CAAC,aAAa,sBAAsB,CAAC,CAAC,aAAa,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,WAAW,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAClL,CAAC;IACJ,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AACb,CAAC"}
1
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/analyzers/bom/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkCH,gCA+DC;AAgED,0CAoDC;AAED,0CAsPC;AA3cD,2CAA6B;AAC7B,yCAAsC;AACtC,sDAA2D;AAC3D,4CAAsC;AACtC,2CAAmD;AACnD,qCAAuF;AACvF,6CAA8E;AA0BvE,KAAK,UAAU,UAAU,CAC9B,QAAgB,EAChB,UAA6B,EAAE;IAE/B,MAAM,KAAK,GAAG,IAAA,eAAM,EAAC,QAAQ,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,IAAI,CAAC;IACtC,MAAM,YAAY,GAAG,MAAM,CAAC,CAAC,CAAC,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,MAAM,IAAA,yBAAgB,EAAC,QAAQ,CAAC,CAAC;IAC9F,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,gBAAgB,EAAE,YAAY,EAAE,GAAG,YAAY,CAAC;IAExF,oEAAoE;IACpE,mEAAmE;IACnE,gEAAgE;IAChE,qBAAqB;IACrB,MAAM,aAAa,GAAG,IAAA,2BAAkB,EAAC,UAAU,CAAC,CAAC;IAErD,MAAM,MAAM,GAAc,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC;IAClD,MAAM,OAAO,GACX,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;IAEzF,MAAM,UAAU,GAAgC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC5F,IAAI,kBAAkB,GAAG,CAAC,CAAC;IAC3B,IAAI,eAAe,GAAG,CAAC,CAAC;IACxB,IAAI,eAAe,GAAG,CAAC,CAAC;IACxB,IAAI,gBAAgB,GAAG,CAAC,CAAC;IACzB,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;YAClB,UAAU,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC;YAC5B,kBAAkB,EAAE,CAAC;YACrB,IAAI,CAAC,CAAC,aAAa,CAAC,UAAU,CAAC,WAAW,CAAC;gBAAE,eAAe,EAAE,CAAC;QACjE,CAAC;QACD,eAAe,IAAI,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC;QAClC,IAAI,CAAC,CAAC,CAAC,cAAc;YAAE,gBAAgB,EAAE,CAAC;IAC5C,CAAC;IAED,mEAAmE;IACnE,sEAAsE;IACtE,mEAAmE;IACnE,iDAAiD;IACjD,MAAM,YAAY,GAAG,IAAA,iCAAmB,EAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;IAE1E,OAAO;QACL,IAAI,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAClD,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACpC,SAAS,EAAE,IAAA,YAAG,EAAC,wCAAwC,EAAE,QAAQ,CAAC;QAClE,MAAM,EAAE,IAAA,YAAG,EAAC,6CAA6C,EAAE,QAAQ,CAAC;QACpE,aAAa,EAAE,GAAG;QAClB,OAAO,EAAE;YACP,aAAa,EAAE,OAAO,CAAC,
MAAM;YAC7B,UAAU;YACV,kBAAkB;YAClB,eAAe;YACf,eAAe;YACf,gBAAgB;YAChB,aAAa;YACb,MAAM;YACN,uBAAuB,EAAE,UAAU,CAAC,MAAM;YAC1C,YAAY;YACZ,YAAY;SACb;QACD,OAAO;QACP,SAAS;QACT,gBAAgB;KACjB,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,YAAY,CACzB,QAAgB;IAEhB,MAAM,QAAQ,GAAG,IAAA,gCAAoB,EAAC,QAAQ,CAAC,CAAC;IAChD,IAAI,QAAQ,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACzB,gEAAgE;QAChE,wDAAwD;QACxD,OAAO,IAAA,yBAAgB,EAAC,QAAQ,CAAC,CAAC;IACpC,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAC/B,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;QAC/B,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,GAAG;QAChD,MAAM,EAAE,MAAM,IAAA,yBAAgB,EAAC,OAAO,CAAC;KACxC,CAAC,CAAC,CACJ,CAAC;IACF,OAAO,IAAA,8BAAqB,EAAC,OAAO,CAAC,CAAC;AACxC,CAAC;AAED,MAAM,SAAS,GAAgC;IAC7C,QAAQ,EAAE,UAAU;IACpB,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,QAAQ;IAChB,GAAG,EAAE,KAAK;CACX,CAAC;AAgBF;;;;;;;;;;;;;;;;GAgBG;AACH,SAAgB,eAAe,CAAC,MAAiB,EAAE,KAAa,EAAE,OAAe;IAW/E,MAAM,IAAI,GAAW,EAAE,CAAC;IACxB,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;YACxB,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ;gBAAE,SAAS;YAC9C,IAAI,CAAC,CAAC,SAAS,GAAG,OAAO;gBAAE,SAAS;YACpC,IAAI,CAAC,IAAI,CAAC;gBACR,IAAI,EAAE,CAAC,CAAC,SAAS;gBACjB,EAAE,EAAE,CAAC,CAAC,EAAE;gBACR,gBAAgB,EAAE,GAAG,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,EAAE;gBAC7C,IAAI,EAAE,CAAC,CAAC,SAAS;gBACjB,IAAI,EAAE,CAAC,CAAC,SAAS;gBACjB,GAAG,EAAE,CAAC,CAAC,GAAG;gBACV,SAAS,EAAE,CAAC,CAAC,SAAS;gBACtB,aAAa,EAAE,CAAC,CAAC,aAAa,IAAI,CAAC,CAAC,aAAa;aAClD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACjE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IAEjC,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QACnB,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,IAAI,CAAC,CAAC,GAAG;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC7B,IAAI,CAAC,CAAC,SAAS,KAAK,IAAI;YAAE,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAClD,IAAI,CAAC,CAAC,SAAS,KAAK,KAAK;YAAE,KAAK,CAAC,
IAAI,CAAC,eAAe,CAAC,CAAC;QACvD,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ;YAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACxE,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC;YACjD,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACnD,CAAC;QACD,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QAC5D,+DAA+D;QAC/D,sCAAsC;QACtC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,aAAa,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QACxF,OAAO;YACL,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,gBAAgB,EAAE,CAAC,CAAC,gBAAgB;YACpC,SAAS;YACT,GAAG;SACJ,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAgB,eAAe,CAAC,MAAiB,EAAE,OAAe;IAChE,MAAM,CAAC,GAAa,EAAE,CAAC;IAEvB,CAAC,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;IAC3C,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,aAAa,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC;IACtD,CAAC,CAAC,IAAI,CAAC,mBAAmB,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IACzC,CAAC,CAAC,IAAI,CAAC,eAAe,MAAM,CAAC,MAAM,KAAK,MAAM,CAAC,SAAS,GAAG,CAAC,CAAC;IAC7D,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,qEAAqE;IACrE,kEAAkE;IAClE,2CAA2C;IAC3C,uBAAuB,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IAEnC,+DAA+D;IAC/D,kEAAkE;IAClE,4DAA4D;IAC5D,8DAA8D;IAC9D,+DAA+D;IAC/D,MAAM,MAAM,GAAG,eAAe,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IAC/C,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAChC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CACJ,OAAO,MAAM,CAAC,MAAM,WAAW,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,gBAAgB;YAC9E,8EAA8E;YAC9E,yDAAyD,CAC5D,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAC;QAC5D,CAAC,CAAC,IAAI,CAAC,mDAAmD,CAAC,CAAC;QAC5D,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;YACzB,CAAC,CAAC,IAAI,CACJ,OAAO,GAA
G,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,EAAE,UAAU,GAAG,CAAC,gBAAgB,QAAQ,GAAG,CAAC,SAAS,MAAM,GAAG,CAAC,GAAG,IAAI,CAC/G,CAAC;QACJ,CAAC;QACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IAED,UAAU;IACV,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC;IACzB,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACrB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,IAAI,CAAC,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,CAAC,CAAC,IAAI,CACJ,uBAAuB,CAAC,CAAC,YAAY,CAAC,MAAM,qBAAqB;YAC/D,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;YAChD,yEAAyE,CAC5E,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IACD,IAAI,CAAC,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;QAC7B,CAAC,CAAC,IAAI,CACJ,KAAK,CAAC,CAAC,aAAa,6BAA6B,CAAC,CAAC,uBAAuB,kDAAkD;YAC1H,+EAA+E;YAC/E,uCAAuC,CAC1C,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,aAAa,yDAAyD,CAAC,CAAC;IACxF,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,IAAI,CAAC,CAAC,kBAAkB,GAAG,CAAC,EAAE,CAAC;QAC7B,CAAC,CAAC,IAAI,CACJ,KAAK,CAAC,CAAC,kBAAkB,4CAA4C;YACnE,KAAK,CAAC,CAAC,eAAe,yBAAyB;YAC/C,oEAAoE;YACpE,+BAA+B;YAC/B,KAAK,CAAC,CAAC,eAAe,sDAAsD,CAC/E,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CACJ,+DAA+D;YAC7D,sCAAsC,CAAC,CAAC,eAAe,mBAAmB;YAC1E,qBAAqB,CAAC,CAAC,kBAAkB,uBAAuB;YAChE,+BAA+B,CAClC,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QAChE,CAAC,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QAChE,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,UAAU,CAAC,QAAQ,IAAI,CAAC,CAAC;QAClD,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,UAAU,CAAC,IAAI,IAAI,CAAC,CAAC;QAC9C,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,UAAU,CAAC,MAAM,IAAI,CAAC,CAAC;QAChD,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,UAAU,CAAC,GAAG,IAAI,CAAC,CAAC;QAC7C,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IACD,IAAI,CAAC,CAAC,gBAAgB,GAAG,CAAC,EAAE,CAAC;QAC3B,CAAC,CAAC,IAAI,CACJ,QAAQ,CAAC,CAAC,gBAAgB,2DAA2D;YACnF,sEAAsE;YACtE,qEAAqE,CACxE,CAAC;QACF,CAAC,CAAC,IAAI,C
AAC,EAAE,CAAC,CAAC;IACb,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEX,oEAAoE;IACpE,+DAA+D;IAC/D,+DAA+D;IAC/D,mEAAmE;IACnE,6BAA6B;IAC7B,MAAM,eAAe,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;IACxD,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,CAAC,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QAClC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CACJ,sEAAsE;YACpE,sEAAsE;YACtE,gEAAgE,CACnE,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CACJ,qFAAqF;YACnF,qFAAqF;YACrF,iFAAiF;YACjF,oFAAoF;YACpF,iFAAiF;YACjF,sEAAsE,CACzE,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,MAAM,QAAQ,GAAgC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAC1F,MAAM,MAAM,GAAG,eAAe,CAAC,IAAI,CACjC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACP,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;YACvD,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa;YACvC,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAC3B,CAAC;QACF,MAAM,GAAG,GAAG,EAAE,CAAC;QACf,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACnC,CAAC,CAAC,IAAI,CAAC,iFAAiF,CAAC,CAAC;QAC1F,CAAC,CAAC,IAAI,CAAC,iFAAiF,CAAC,CAAC;QAC1F,KAAK,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,IAAI,KAAK,EAAE,CAAC;YAC7B,MAAM,MAAM,GAAG,CAAC,CAAC;YACjB,MAAM,OAAO,GACX,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,MAAM;gBACxB,CAAC,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,GAAG,MAAM,OAAO;gBAClF,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5B,CAAC,CAAC,IAAI,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,QAAQ,GAAG,QAAQ,CAAC,CAAC,aAAa,MAAM,OAAO,IAAI,CAAC,CAAC;QAC3F,CAAC;QACD,IAAI,MAAM,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YACxB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACX,CAAC,CAAC,IAAI,CAAC,YAAY,GAAG,OAAO,MAAM,CAAC,MAAM,6CAA6C,CAAC,CAAC;QAC3F,CAAC;QACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC
,CAAC;IACb,CAAC;IAED,iEAAiE;IACjE,IAAI,CAAC,CAAC,kBAAkB,GAAG,CAAC,EAAE,CAAC;QAC7B,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QACjC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CACJ,qFAAqF;YACnF,uFAAuF;YACvF,yEAAyE,CAC5E,CAAC;QACF,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,MAAM,QAAQ,GAAgC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAC1F,MAAM,OAAO,GAAG,CAAC,CAAW,EAAU,EAAE;YACtC,IAAI,IAAI,GAAG,CAAC,CAAC,CAAC;YACd,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;gBACxB,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,CAAC,SAAS,GAAG,IAAI;oBAAE,IAAI,GAAG,CAAC,CAAC,SAAS,CAAC;YAChF,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC,CAAC;QACF,MAAM,IAAI,GAAe,MAAM,CAAC,OAAO;aACpC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC;aAC5B,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;YACb,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YACtB,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YACtB,IAAI,EAAE,KAAK,EAAE;gBAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,oBAAoB;YACnD,OAAO,CACL,QAAQ,CAAC,CAAC,CAAC,WAAY,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,WAAY,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,CAC1F,CAAC;QACJ,CAAC,CAAC,CAAC;QACL,MAAM,GAAG,GAAG,EAAE,CAAC;QACf,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QACjC,CAAC,CAAC,IAAI,CACJ,oGAAoG,CACrG,CAAC;QACF,CAAC,CAAC,IAAI,CACJ,oGAAoG,CACrG,CAAC;QACF,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,MAAM,MAAM,GAAG,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;YACrD,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK;iBACvB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;iBACvB,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;YACrD,wEAAwE;YACxE,8DAA8D;YAC9D,iEAAiE;YACjE,gDAAgD;YAChD,MAAM,QAAQ,GACZ,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;YACjF,6DAA6D;YAC7D,+DAA+D;YAC/D,8DAA8D;YAC9D,kCAAkC;YAClC,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK;iBACvB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;iBACvB,MAAM,CAAC,CAAC,CA
AC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;YACrD,MAAM,QAAQ,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;YAClF,+DAA+D;YAC/D,kEAAkE;YAClE,MAAM,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YACtD,8DAA8D;YAC9D,2DAA2D;YAC3D,8DAA8D;YAC9D,gEAAgE;YAChE,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YACvE,iEAAiE;YACjE,8DAA8D;YAC9D,mDAAmD;YACnD,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YACxB,MAAM,QAAQ,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC;YAC5D,CAAC,CAAC,IAAI,CACJ,KAAK,QAAQ,MAAM,SAAS,CAAC,CAAC,CAAC,WAAY,CAAC,MAAM,QAAQ,QAAQ,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,QAAQ,CAAC,CAAC,WAAW,MAAM,CAAC,CAAC,KAAK,CAAC,MAAM,MAAM,OAAO,MAAM,SAAS,MAAM,QAAQ,MAAM,MAAM,IAAI,CAC5L,CAAC;QACJ,CAAC;QACD,IAAI,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YACtB,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACX,CAAC,CAAC,IAAI,CACJ,YAAY,GAAG,OAAO,IAAI,CAAC,MAAM,gGAAgG,CAClI,CAAC;QACJ,CAAC;QACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACb,CAAC;IAED,SAAS;IACT,CAAC,CAAC,IAAI,CAAC,mBAAmB,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,QAAQ,EAAE,CAAC,CAAC;IACrE,IAAI,MAAM,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvC,CAAC,CAAC,IAAI,CAAC,0BAA0B,MAAM,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,sBAAsB,OAAO,GAAG,CAAC,CAAC;IACzC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,gFAAgF,CAAC,CAAC;IAEzF,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACtB,CAAC;AAED,+EAA+E;AAE/E;;;;;;;GAOG;AACH,SAAS,uBAAuB,CAAC,CAAW,EAAE,MAAiB;IAC7D,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC;IACzB,CAAC,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;IAClC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,2EAA2E;IAC3E,qEAAqE;IACrE,IAAI,YAAY,GAAG,CAA
C,CAAC;IACrB,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC/B,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC;YAC/D,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,KAAK,IAAI,IAAI,CAAC,CAAC,SAAS,KAAK,IAAI,CAAC;YACxD,IAAI,GAAG,IAAI,QAAQ;gBAAE,YAAY,EAAE,CAAC;YACpC,IAAI,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ,IAAI,CAAC,CAAC,SAAS,IAAI,EAAE;gBAAE,UAAU,EAAE,CAAC;QACzE,CAAC;IACH,CAAC;IAED,MAAM,WAAW,GACf,YAAY,KAAK,CAAC;QAChB,CAAC,CAAC,kFAAkF;QACpF,CAAC,CAAC,QAAQ,YAAY,gBAAgB,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,mFAAmF,CAAC;IAC3J,CAAC,CAAC,IAAI,CAAC,KAAK,WAAW,EAAE,CAAC,CAAC;IAE3B,CAAC,CAAC,IAAI,CACJ,UAAU,UAAU,WAAW,UAAU,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,sCAAsC,CACjG,CAAC;IAEF,mBAAmB;IACnB,MAAM,UAAU,GAAG,IAAI,GAAG,EAAwB,CAAC;IACnD,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QAC/B,MAAM,CAAC,GAAG,IAAA,yBAAY,EAAC,CAAC,CAAC,WAAW,CAAC,CAAC;QACtC,UAAU,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAClD,CAAC;IACD,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC;IACtD,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAClD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,MAAM,GAAG,CAAC;QAAE,OAAO,CAAC,IAAI,CAAC,GAAG,MAAM,uCAAuC,CAAC,CAAC;IAC/E,IAAI,UAAU,GAAG,CAAC;QAAE,OAAO,CAAC,IAAI,CAAC,GAAG,UAAU,iCAAiC,CAAC,CAAC;IACjF,CAAC,CAAC,IAAI,CACJ,8BAA8B,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,mCAAmC,EAAE,CAC9G,CAAC;IAEF,YAAY;IACZ,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CACtC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAA,0BAAa,EAAC,CAAC,CAAC,WAAW,EAAE,GAAG,CAAC,KAAK,OAAO,CACrD,CAAC,MAAM,CAAC;IACT,CAAC,CAAC,IAAI,CACJ,wBAAwB,UAAU,WAAW,UAAU,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,yBAAyB,CAClG,CAAC;IAEF,2BAA2B;IAC3B,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QAC3D,MAAM,QAAQ,GAAgC,EAAE,QAAQ,E
AAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;QAC1F,OAAO,CACL,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;YACvD,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,CACxC,CAAC;IACJ,CAAC,CAAC,CAAC;IACH,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QAC5B,CAAC,CAAC,IAAI,CACJ,wCAAwC,IAAI,uBAAuB,CAAC,CAAC,aAAa,sBAAsB,CAAC,CAAC,aAAa,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,WAAW,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,CAClL,CAAC;IACJ,CAAC;IACD,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACd,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AACb,CAAC"}
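--- a/dist/analyzers/bom/types.d.ts
+++ b/dist/analyzers/bom/types.d.ts
@@ -115,6 +115,17 @@ export interface BomReport {
 * distinct. When nested scan is disabled or only one root was
 * found, this is `["."]` so consumers can treat it uniformly. */
 projectRoots: string[];
+/** Sorted, deduplicated list of every advisory `fingerprint`
+* covered by this report. Each fingerprint is a stable hash of
+* `(package, installedVersion, id)` stamped by the cross-pack
+* dep-vuln aggregator. Consumers diff two reports by set
+* difference on this list — added fingerprints are new
+* advisories, removed ones are resolved. The per-finding
+* fingerprint also lives on each `BomEntry.vulns[].fingerprint`
+* for attribution; this field is a convenience manifest so
+* external tooling (suppressions, CI gates, upgrade bots) can
+* diff without walking every entry. */
+fingerprints: string[];
 };
 entries: ReadonlyArray<BomEntry>;
 toolsUsed: string[];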
@@ -1 +1 @@
1
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/analyzers/bom/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AAEzE,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEjE,MAAM,WAAW,QAAQ;IAEvB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAGhB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IAKrB,KAAK,EAAE,cAAc,EAAE,CAAC;IAExB;uEACmE;IACnE,WAAW,EAAE,WAAW,GAAG,IAAI,CAAC;IAEhC;;;gDAG4C;IAC5C,aAAa,EAAE,MAAM,CAAC;IAEtB;;;;oEAIgE;IAChE,cAAc,EAAE,OAAO,CAAC;IAExB;;;;;mEAK+D;IAC/D,UAAU,CAAC,EAAE,OAAO,CAAC;IAErB;;;;;;;;mBAQe;IACf,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;CACpB;AAED;;;;;GAKG;AACH,MAAM,WAAW,iBAAiB;IAChC,uDAAuD;IACvD,aAAa,EAAE,MAAM,CAAC;IACtB,wDAAwD;IACxD,WAAW,EAAE,WAAW,CAAC;IACzB;wEACoE;IACpE,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,aAAa,EAAE,GAAG,CAAC;IACnB,OAAO,EAAE;QACP,aAAa,EAAE,MAAM,CAAC;QACtB;;qCAE6B;QAC7B,UAAU,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QACxC;;sDAE8C;QAC9C,kBAAkB,EAAE,MAAM,CAAC;QAC3B;oEAC4D;QAC5D,eAAe,EAAE,MAAM,CAAC;QACxB;;;2DAGmD;QACnD,eAAe,EAAE,MAAM,CAAC;QACxB;wDACgD;QAChD,gBAAgB,EAAE,MAAM,CAAC;QACzB;;;;;oEAK4D;QAC5D,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;QACjD;wEACgE;QAChE,MAAM,EAAE,KAAK,GAAG,WAAW,CAAC;QAC5B;;;mCAG2B;QAC3B,uBAAuB,EAAE,MAAM,CAAC;QAChC;;;0EAGkE;QAClE,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IACF,OAAO,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;IACjC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC5B"}
1
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/analyzers/bom/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AAEzE,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEjE,MAAM,WAAW,QAAQ;IAEvB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAGhB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IAKrB,KAAK,EAAE,cAAc,EAAE,CAAC;IAExB;uEACmE;IACnE,WAAW,EAAE,WAAW,GAAG,IAAI,CAAC;IAEhC;;;gDAG4C;IAC5C,aAAa,EAAE,MAAM,CAAC;IAEtB;;;;oEAIgE;IAChE,cAAc,EAAE,OAAO,CAAC;IAExB;;;;;mEAK+D;IAC/D,UAAU,CAAC,EAAE,OAAO,CAAC;IAErB;;;;;;;;mBAQe;IACf,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;CACpB;AAED;;;;;GAKG;AACH,MAAM,WAAW,iBAAiB;IAChC,uDAAuD;IACvD,aAAa,EAAE,MAAM,CAAC;IACtB,wDAAwD;IACxD,WAAW,EAAE,WAAW,CAAC;IACzB;wEACoE;IACpE,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,aAAa,EAAE,GAAG,CAAC;IACnB,OAAO,EAAE;QACP,aAAa,EAAE,MAAM,CAAC;QACtB;;qCAE6B;QAC7B,UAAU,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;QACxC;;sDAE8C;QAC9C,kBAAkB,EAAE,MAAM,CAAC;QAC3B;oEAC4D;QAC5D,eAAe,EAAE,MAAM,CAAC;QACxB;;;2DAGmD;QACnD,eAAe,EAAE,MAAM,CAAC;QACxB;wDACgD;QAChD,gBAAgB,EAAE,MAAM,CAAC;QACzB;;;;;oEAK4D;QAC5D,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;QACjD;wEACgE;QAChE,MAAM,EAAE,KAAK,GAAG,WAAW,CAAC;QAC5B;;;mCAG2B;QAC3B,uBAAuB,EAAE,MAAM,CAAC;QAChC;;;0EAGkE;QAClE,YAAY,EAAE,MAAM,EAAE,CAAC;QACvB;;;;;;;;;gDASwC;QACxC,YAAY,EAAE,MAAM,EAAE,CAAC;KACxB,CAAC;IACF,OAAO,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;IACjC,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC5B"}
@@ -1 +1 @@
1
-
{"version":3,"file":"gather.d.ts","sourceRoot":"","sources":["../../../src/analyzers/security/gather.ts"],"names":[],"mappings":"
1
+
{"version":3,"file":"gather.d.ts","sourceRoot":"","sources":["../../../src/analyzers/security/gather.ts"],"names":[],"mappings":"AAkBA,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAe1D;;;;;;GAMG;AACH,wBAAsB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IACxD,QAAQ,EAAE,eAAe,EAAE,CAAC;IAC5B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB,CAAC,CAeD;AAID,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,eAAe,EAAE,CAuCjE;AAID;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAC7D,QAAQ,EAAE,eAAe,EAAE,CAAC;IAC5B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;CACzB,CAAC,CAeD;AAcD;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,CAuGzE"}
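--- a/dist/analyzers/security/gather.js
+++ b/dist/analyzers/security/gather.js
@@ -15,10 +15,12 @@ exports.gatherDepVulns = gatherDepVulns;
 */
 const runner_1 = require("../tools/runner");
 const epss_1 = require("../tools/epss");
+const fingerprint_1 = require("../tools/fingerprint");
 const kev_1 = require("../tools/kev");
 const osv_1 = require("../tools/osv");
 const reachability_1 = require("../tools/reachability");
 const risk_score_1 = require("../tools/risk-score");
+const upgrade_plan_resolver_1 = require("../tools/upgrade-plan-resolver");
 const exclusions_1 = require("../tools/exclusions");
 const dispatcher_1 = require("../dispatcher");
 const languages_1 = require("../../languages");
@@ -154,6 +156,11 @@ async function gatherDepVulns(cwd) {
 // alias list including the CVE. One OSV roundtrip resolves the
 // whole batch; one EPSS roundtrip scores them all.
 const findings = envelope.findings ?? [];
+// Stamp durable identity on every finding before enrichment. The hash
+// inputs are package/version/id only, so stamping is independent of
+// EPSS/KEV/reachability results — keeps `fingerprint` stable across
+// runs even if enrichment tooling changes underneath.
+(0, fingerprint_1.stampFingerprints)(findings);
 if (findings.length > 0) {
 const cveByFinding = new Map();
 const needsAliasLookup = [];
@@ -204,6 +211,14 @@ async function gatherDepVulns(cwd) {
 (0, reachability_1.markReachable)(findings, reachable);
 }
 }
+// Cross-pack upgrade-plan resolver (Phase 10h.6.4). Runs after
+// per-pack Tier-2 tools have stamped what they can, and before
+// risk scoring so the composite riskScore can factor in the
+// "actionable" bit (future 10h.9.2 CI gate uses it too). Fills
+// gaps by (a) reconciling advisories across plans' `patches[]`
+// lists and (b) parsing the npm-audit transitive-fix free-text
+// template into a structured plan when no tool produced one.
+(0, upgrade_plan_resolver_1.resolveTransitiveUpgradePlans)(findings);
 // Composite riskScore = f(cvss, epss, kev, reachable). Runs last
 // so every signal is populated. Formula is documented in
 // risk-score.ts; skipped for findings without CVSS so we don't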
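Review bot: `stampFingerprints` at the top of the `@@ -154` hunk hashes whatever `id` each producer emitted, and it runs before the alias lookup the preceding comment describes, so two producers reporting one advisory under different identifiers (say a GHSA id and its CVE alias) yield two fingerprints even though the fingerprint module's header says producer differences should collapse to one identity. Stamping before any network roundtrip is presumably the intended trade-off, but the comment should state it so a consumer keying suppressions or a CI gate on the manifest is not surprised, e.g. `// Hashed on the producer's raw id: alias forms of one advisory get distinct fingerprints.` `gatherDepVulns` starts and ends outside this hunk.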
@@ -1 +1 @@
1
-
{"version":3,"file":"gather.js","sourceRoot":"","sources":["../../../src/analyzers/security/gather.ts"],"names":[],"mappings":";;
1
+
{"version":3,"file":"gather.js","sourceRoot":"","sources":["../../../src/analyzers/security/gather.ts"],"names":[],"mappings":";;AAwCA,sCAkBC;AAID,gDAuCC;AAWD,gDAkBC;AAuBD,wCAuGC;AAhQD;;;;;;;;GAQG;AACH,4CAAsC;AACtC,wCAAyD;AACzD,sDAAyD;AACzD,sCAAyC;AACzC,sCAA8C;AAC9C,wDAAgF;AAChF,oDAAoD;AACpD,0EAA+E;AAC/E,oDAA0D;AAE1D,8CAAkD;AAClD,+CAAwD;AACxD,0EAKkD;AAClD,+DAA4D;AAI5D,gFAAgF;AAEhF;;;;;;GAMG;AACI,KAAK,UAAU,aAAa,CAAC,GAAW;IAI7C,MAAM,MAAM,GAAG,MAAM,8BAAiB,CAAC,MAAM,CAAC,GAAG,EAAE,qBAAO,EAAE,IAAA,2BAAY,EAAC,qBAAO,CAAC,CAAC,CAAC;IACnF,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAErD,MAAM,QAAQ,GAAsB,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC9D,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,QAAQ,EAAE,QAAiB;QAC3B,GAAG,EAAE,SAAS;QACd,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,oBAAoB,CAAC,CAAC,IAAI,EAAE;QAC9C,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,IAAI,EAAE,MAAM,CAAC,IAAI;KAClB,CAAC,CAAC,CAAC;IACJ,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC;AAC7C,CAAC;AAED,+EAA+E;AAE/E,SAAgB,kBAAkB,CAAC,GAAW;IAC5C,MAAM,QAAQ,GAAsB,EAAE,CAAC;IACvC,MAAM,OAAO,GAAG,IAAA,gCAAmB,EAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAC,mDAAmD;IAEpG,mCAAmC;IACnC,MAAM,QAAQ,GAAG,IAAA,YAAG,EAAC,iDAAiD,OAAO,cAAc,EAAE,GAAG,CAAC,CAAC;IAClG,IAAI,QAAQ,EAAE,CAAC;QACb,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;YAC7D,QAAQ,CAAC,IAAI,CAAC;gBACZ,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,QAAQ;gBAClB,GAAG,EAAE,SAAS;gBACd,IAAI,EAAE,kBAAkB;gBACxB,KAAK,EAAE,oCAAoC,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE;gBAChE,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;gBACzB,IAAI,EAAE,CAAC;gBACP,IAAI,EAAE,MAAM;aACb,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,sBAAsB;IACtB,MAAM,QAAQ,GAAG,IAAA,YAAG,EAAC,sCAAsC,EAAE,GAAG,CAAC,CAAC;IAClE,IAAI,QAAQ,EAAE,CAAC;QACb,KAAK,MAAM,CAAC,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,EAAE,CAAC;YAC7D,QAAQ,CAAC,IAA
I,CAAC;gBACZ,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,QAAQ;gBAClB,GAAG,EAAE,SAAS;gBACd,IAAI,EAAE,YAAY;gBAClB,KAAK,EAAE,6BAA6B,CAAC,EAAE;gBACvC,IAAI,EAAE,CAAC;gBACP,IAAI,EAAE,CAAC;gBACP,IAAI,EAAE,KAAK;aACZ,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+EAA+E;AAE/E;;;;;;GAMG;AACI,KAAK,UAAU,kBAAkB,CAAC,GAAW;IAIlD,MAAM,MAAM,GAAG,MAAM,8BAAiB,CAAC,MAAM,CAAC,GAAG,EAAE,2BAAa,EAAE,IAAA,2BAAY,EAAC,2BAAa,CAAC,CAAC,CAAC;IAC/F,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAErD,MAAM,QAAQ,GAAsB,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC9D,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,QAAQ,EAAE,MAAe;QACzB,GAAG,EAAE,CAAC,CAAC,GAAG;QACV,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,KAAK,EAAE,CAAC,CAAC,KAAK;QACd,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,IAAI,EAAE,MAAM,CAAC,IAAI;KAClB,CAAC,CAAC,CAAC;IACJ,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC;AAC7C,CAAC;AAED,+EAA+E;AAE/E,MAAM,eAAe,GAAmB;IACtC,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,KAAK,EAAE,CAAC;IACR,IAAI,EAAE,IAAI;IACV,QAAQ,EAAE,EAAE;CACb,CAAC;AAEF;;;;;;;;GAQG;AACI,KAAK,UAAU,cAAc,CAAC,GAAW;IAC9C,MAAM,SAAS,GAAwC,EAAE,CAAC;IAC1D,KAAK,MAAM,IAAI,IAAI,IAAA,iCAAqB,EAAC,GAAG,CAAC,EAAE,CAAC;QAC9C,IAAI,IAAI,CAAC,YAAY,EAAE,QAAQ;YAAE,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IAC9E,CAAC;IACD,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,eAAe,CAAC;IAEnD,MAAM,QAAQ,GAAG,MAAM,8BAAiB,CAAC,MAAM,CAAC,GAAG,EAAE,uBAAS,EAAE,SAAS,CAAC,CAAC;IAC3E,IAAI,CAAC,QAAQ;QAAE,OAAO,eAAe,CAAC;IAEtC,mEAAmE;IACnE,oEAAoE;IACpE,iEAAiE;IACjE,iEAAiE;IACjE,mEAAmE;IACnE,kEAAkE;IAClE,gDAAgD;IAChD,EAAE;IACF,gEAAgE;IAChE,+DAA+D;IAC/D,kEAAkE;IAClE,+DAA+D;IAC/D,mDAAmD;IACnD,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,IAAI,EAAE,CAAC;IACzC,sEAAsE;IACtE,oEAAoE;IACpE,oEAAoE;IACpE,sDAAsD;IACtD,IAAA,+BAAiB,EAAC,QAAQ,CAAC,CAAC;IAC5B,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,YAAY,GAAG,IAAI,GAAG,EAAkB,CAAC;QAC/C,MAAM,gBAAgB,GAA4C,EAAE,CAAC;QACrE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,
QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACzC,MAAM,MAAM,GAAG,IAAA,mBAAY,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YACzC,IAAI,MAAM,EAAE,CAAC;gBACX,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;YAC9B,CAAC;iBAAM,CAAC;gBACN,gBAAgB,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QACD,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,MAAM,QAAQ,GAAG,MAAM,IAAA,oBAAc,EAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;YAC9E,KAAK,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,gBAAgB,EAAE,CAAC;gBAChD,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;gBAC5C,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;gBACtD,IAAI,GAAG;oBAAE,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;QACD,IAAI,YAAY,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,UAAU,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;YACvD,+DAA+D;YAC/D,8DAA8D;YAC9D,gEAAgE;YAChE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,IAAA,iBAAU,EAAC,UAAU,CAAC,EAAE,IAAA,eAAS,EAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAC7F,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,YAAY,EAAE,CAAC;gBACtC,MAAM,KAAK,GAAG,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAC9B,IAAI,KAAK,KAAK,SAAS;oBAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC;gBACzD,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,GAAG,IAAI,CAAC;YACjD,CAAC;QACH,CAAC;QAED,+DAA+D;QAC/D,+DAA+D;QAC/D,kEAAkE;QAClE,+DAA+D;QAC/D,2DAA2D;QAC3D,gEAAgE;QAChE,uBAAuB;QACvB,MAAM,gBAAgB,GAAG,IAAA,2BAAY,EAAC,qBAAO,CAAC,CAAC;QAC/C,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,MAAM,eAAe,GAAG,MAAM,8BAAiB,CAAC,MAAM,CAAC,GAAG,EAAE,qBAAO,EAAE,gBAAgB,CAAC,CAAC;YACvF,IAAI,eAAe,IAAI,eAAe,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;gBAC1D,MAAM,SAAS,GAAG,IAAA,uCAAwB,EAAC,eAAe,CAAC,CAAC;gBAC5D,IAAA,4BAAa,EAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;YACrC,CAAC;QACH,CAAC;QAED,+DAA+D;QAC/D,+DAA+D;QAC/D,4DAA4D;QAC5D,+DAA+D;QAC/D,+DAA+D;QAC/D,+DAA+D;QAC/D,6DAA6
D;QAC7D,IAAA,qDAA6B,EAAC,QAAQ,CAAC,CAAC;QAExC,iEAAiE;QACjE,yDAAyD;QACzD,+DAA+D;QAC/D,wCAAwC;QACxC,IAAA,0BAAa,EAAC,QAAQ,CAAC,CAAC;IAC1B,CAAC;IAED,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,QAAQ,CAAC,MAAM,CAAC;IACxD,OAAO;QACL,QAAQ;QACR,IAAI;QACJ,MAAM;QACN,GAAG;QACH,KAAK,EAAE,QAAQ,GAAG,IAAI,GAAG,MAAM,GAAG,GAAG;QACrC,IAAI,EAAE,QAAQ,CAAC,IAAI;QACnB,QAAQ;KACT,CAAC;AACJ,CAAC"}
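--- /dev/null
+++ b/dist/analyzers/tools/fingerprint.d.ts
@@ -0,0 +1,63 @@
+/**
+* Advisory fingerprints — durable per-finding identity across runs.
+*
+* The dispatcher's dep-vuln aggregator (src/analyzers/security/gather.ts)
+* stamps every finding with a stable hash of `(package, installedVersion,
+* id)` before scoring + reporting. The same advisory against the same
+* installed version produces the same fingerprint on every run, so
+* consumers (agent-driven upgrade bots, suppressions, CI gates) can diff
+* a current bom against a stored prior to detect:
+*
+* - new advisories (fingerprint present now, absent before)
+* - resolved advisories (fingerprint absent now, present before)
+* - unchanged advisories (fingerprint in both sets)
+*
+* Excluded from the hash:
+* - severity / cvssScore — re-scoring the same advisory against the
+* same install must not mint a new identity
+* - enrichment fields (epssScore, kev, reachable, riskScore) — same
+* reason; these are signals about the advisory, not part of it
+* - producer `tool` — the same advisory hit by two producers (e.g.
+* npm-audit + snyk) should collapse to one identity
+* - `upgradeAdvice` / `upgradePlan` — resolution suggestions change
+* across releases of the fix tooling; identity must outlive them
+*
+* Format: 16-char lowercase hex (first 8 bytes of SHA-1). Short enough
+* to embed inline in reports, long enough to make collisions between
+* non-identical tuples effectively impossible for repo-scale sets.
+*/
+import type { DepVulnFinding } from '../../languages/capabilities/types';
+/**
+* Stable 16-char hex fingerprint for one DepVulnFinding. Input tuple
+* is NUL-separated (not present in any legal package / version / id)
+* so distinct tuples can never collide via concatenation tricks.
+*
+* `installedVersion` is normalized to the empty string when absent so
+* version-less findings (rare — some providers omit it when the lock
+* file is missing) still get a deterministic fingerprint instead of
+* mixing an ambient `undefined` into the hash input.
+*/
+export declare function computeFingerprint(finding: Pick<DepVulnFinding, 'package' | 'installedVersion' | 'id'>): string;
+/**
+* Stamp `fingerprint` on every finding in place. Called once in
+* `gatherDepVulns` after cross-pack merge + enrichment so every
+* downstream consumer (bom, security/detailed, JSON export) sees a
+* fully-stamped finding.
+*
+* Idempotent: re-stamping a finding that already has a fingerprint
+* overwrites it with the same value. Safe to call multiple times,
+* though the gather path only invokes it once.
+*/
+export declare function stampFingerprints(findings: DepVulnFinding[]): void;
+/**
+* Sorted, deduplicated fingerprint list for a set of findings. Used by
+* `analyzeBom` to populate `BomReport.summary.fingerprints` — a single
+* manifest of every advisory identity the report covers, convenient
+* for external diff tooling without walking `entries[].vulns[]`.
+*
+* Silently skips findings missing a fingerprint (should not happen
+* post-gather, but a safety net against a future producer that emits
+* findings outside the `gatherDepVulns` path).
+*/
+export declare function collectFingerprints(findings: ReadonlyArray<DepVulnFinding>): string[];
+//# sourceMappingURL=fingerprint.d.ts.map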
@@ -0,0 +1 @@
1
+
{"version":3,"file":"fingerprint.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/fingerprint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAGH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AAEzE;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,IAAI,CAAC,cAAc,EAAE,SAAS,GAAG,kBAAkB,GAAG,IAAI,CAAC,GACnE,MAAM,CAGR;AAED;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,IAAI,CAIlE;AAED;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,aAAa,CAAC,cAAc,CAAC,GAAG,MAAM,EAAE,CAMrF"}
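--- /dev/null
+++ b/dist/analyzers/tools/fingerprint.js
@@ -0,0 +1,82 @@
+"use strict";
+/**
+* Advisory fingerprints — durable per-finding identity across runs.
+*
+* The dispatcher's dep-vuln aggregator (src/analyzers/security/gather.ts)
+* stamps every finding with a stable hash of `(package, installedVersion,
+* id)` before scoring + reporting. The same advisory against the same
+* installed version produces the same fingerprint on every run, so
+* consumers (agent-driven upgrade bots, suppressions, CI gates) can diff
+* a current bom against a stored prior to detect:
+*
+* - new advisories (fingerprint present now, absent before)
+* - resolved advisories (fingerprint absent now, present before)
+* - unchanged advisories (fingerprint in both sets)
+*
+* Excluded from the hash:
+* - severity / cvssScore — re-scoring the same advisory against the
+* same install must not mint a new identity
+* - enrichment fields (epssScore, kev, reachable, riskScore) — same
+* reason; these are signals about the advisory, not part of it
+* - producer `tool` — the same advisory hit by two producers (e.g.
+* npm-audit + snyk) should collapse to one identity
+* - `upgradeAdvice` / `upgradePlan` — resolution suggestions change
+* across releases of the fix tooling; identity must outlive them
+*
+* Format: 16-char lowercase hex (first 8 bytes of SHA-1). Short enough
+* to embed inline in reports, long enough to make collisions between
+* non-identical tuples effectively impossible for repo-scale sets.
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.computeFingerprint = computeFingerprint;
+exports.stampFingerprints = stampFingerprints;
+exports.collectFingerprints = collectFingerprints;
+const crypto_1 = require("crypto");
+/**
+* Stable 16-char hex fingerprint for one DepVulnFinding. Input tuple
+* is NUL-separated (not present in any legal package / version / id)
+* so distinct tuples can never collide via concatenation tricks.
+*
+* `installedVersion` is normalized to the empty string when absent so
+* version-less findings (rare — some providers omit it when the lock
+* file is missing) still get a deterministic fingerprint instead of
+* mixing an ambient `undefined` into the hash input.
+*/
+function computeFingerprint(finding) {
+const input = `${finding.package}\0${finding.installedVersion ?? ''}\0${finding.id}`;
+return (0, crypto_1.createHash)('sha1').update(input).digest('hex').slice(0, 16);
+}
+/**
+* Stamp `fingerprint` on every finding in place. Called once in
+* `gatherDepVulns` after cross-pack merge + enrichment so every
+* downstream consumer (bom, security/detailed, JSON export) sees a
+* fully-stamped finding.
+*
+* Idempotent: re-stamping a finding that already has a fingerprint
+* overwrites it with the same value. Safe to call multiple times,
+* though the gather path only invokes it once.
+*/
+function stampFingerprints(findings) {
+for (const f of findings) {
+f.fingerprint = computeFingerprint(f);
+}
+}
+/**
+* Sorted, deduplicated fingerprint list for a set of findings. Used by
+* `analyzeBom` to populate `BomReport.summary.fingerprints` — a single
+* manifest of every advisory identity the report covers, convenient
+* for external diff tooling without walking `entries[].vulns[]`.
+*
+* Silently skips findings missing a fingerprint (should not happen
+* post-gather, but a safety net against a future producer that emits
+* findings outside the `gatherDepVulns` path).
+*/
+function collectFingerprints(findings) {
+const set = new Set();
+for (const f of findings) {
+if (f.fingerprint)
+set.add(f.fingerprint);
+}
+return [...set].sort();
+}
+//# sourceMappingURL=fingerprint.js.map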
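Review bot: The `stampFingerprints` docstring (lines 50-53 of the new file, and the same text in fingerprint.d.ts) says the function is called in `gatherDepVulns` "after cross-pack merge + enrichment", but the gather.js hunk calls it before EPSS/KEV/reachability enrichment and says so in its own comment; the hash inputs are enrichment-independent so values are unaffected, but the contract text should follow the call site — replace "after cross-pack merge + enrichment" with "before EPSS/KEV/reachability enrichment". `collectFingerprints` (line 77) silently drops any finding without a `fingerprint`, yet the module header names suppressions and CI gates as consumers of this manifest, so a finding minted outside the gather path would be invisible to a gate keyed on `summary.fingerprints`; since every `DepVulnFinding` satisfies the `Pick` that `computeFingerprint` accepts, `set.add(f.fingerprint ?? computeFingerprint(f));` keeps the manifest complete without altering any stamped value. The 64-bit SHA-1 truncation is adequate for a non-adversarial identifier over repo-scale sets, as the header argues, but because the hash is over public fields it is not tamper-evident — a suppression list keyed on it trusts whoever produced the report — and the "Format" paragraph should say so in one line.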
@@ -0,0 +1 @@
1
+
{"version":3,"file":"fingerprint.js","sourceRoot":"","sources":["../../../src/analyzers/tools/fingerprint.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;;AAeH,gDAKC;AAYD,8CAIC;AAYD,kDAMC;AApDD,mCAAoC;AAGpC;;;;;;;;;GASG;AACH,SAAgB,kBAAkB,CAChC,OAAoE;IAEpE,MAAM,KAAK,GAAG,GAAG,OAAO,CAAC,OAAO,KAAK,OAAO,CAAC,gBAAgB,IAAI,EAAE,KAAK,OAAO,CAAC,EAAE,EAAE,CAAC;IACrF,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,iBAAiB,CAAC,QAA0B;IAC1D,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,CAAC,CAAC,WAAW,GAAG,kBAAkB,CAAC,CAAC,CAAC,CAAC;IACxC,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,mBAAmB,CAAC,QAAuC;IACzE,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,WAAW;YAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;AACzB,CAAC"}