@vyuhlabs/dxkit 2.4.5 → 2.4.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +1022 -0
- package/README.md +160 -45
- package/dist/analysis-result.d.ts +112 -0
- package/dist/analysis-result.d.ts.map +1 -0
- package/dist/analysis-result.js +52 -0
- package/dist/analysis-result.js.map +1 -0
- package/dist/analyzers/bom/detailed.d.ts.map +1 -1
- package/dist/analyzers/bom/detailed.js +19 -0
- package/dist/analyzers/bom/detailed.js.map +1 -1
- package/dist/analyzers/bom/gather.d.ts +27 -26
- package/dist/analyzers/bom/gather.d.ts.map +1 -1
- package/dist/analyzers/bom/gather.js +26 -87
- package/dist/analyzers/bom/gather.js.map +1 -1
- package/dist/analyzers/bom/index.d.ts +0 -7
- package/dist/analyzers/bom/index.d.ts.map +1 -1
- package/dist/analyzers/bom/index.js +98 -48
- package/dist/analyzers/bom/index.js.map +1 -1
- package/dist/analyzers/bom/types.d.ts +11 -13
- package/dist/analyzers/bom/types.d.ts.map +1 -1
- package/dist/analyzers/cache.d.ts +95 -0
- package/dist/analyzers/cache.d.ts.map +1 -0
- package/dist/analyzers/cache.js +309 -0
- package/dist/analyzers/cache.js.map +1 -0
- package/dist/analyzers/coverage-runner.d.ts +56 -0
- package/dist/analyzers/coverage-runner.d.ts.map +1 -0
- package/dist/analyzers/coverage-runner.js +72 -0
- package/dist/analyzers/coverage-runner.js.map +1 -0
- package/dist/analyzers/dashboard/index.d.ts +24 -0
- package/dist/analyzers/dashboard/index.d.ts.map +1 -0
- package/dist/analyzers/dashboard/index.js +666 -0
- package/dist/analyzers/dashboard/index.js.map +1 -0
- package/dist/analyzers/developer/gather.d.ts.map +1 -1
- package/dist/analyzers/developer/gather.js +205 -37
- package/dist/analyzers/developer/gather.js.map +1 -1
- package/dist/analyzers/developer/index.d.ts +1 -1
- package/dist/analyzers/developer/index.d.ts.map +1 -1
- package/dist/analyzers/developer/index.js +19 -8
- package/dist/analyzers/developer/index.js.map +1 -1
- package/dist/analyzers/dispatcher.d.ts +37 -0
- package/dist/analyzers/dispatcher.d.ts.map +1 -1
- package/dist/analyzers/dispatcher.js +56 -9
- package/dist/analyzers/dispatcher.js.map +1 -1
- package/dist/analyzers/docs/shallow.d.ts +17 -5
- package/dist/analyzers/docs/shallow.d.ts.map +1 -1
- package/dist/analyzers/docs/shallow.js +65 -2
- package/dist/analyzers/docs/shallow.js.map +1 -1
- package/dist/analyzers/dx/shallow.d.ts +17 -5
- package/dist/analyzers/dx/shallow.d.ts.map +1 -1
- package/dist/analyzers/dx/shallow.js +66 -2
- package/dist/analyzers/dx/shallow.js.map +1 -1
- package/dist/analyzers/health/actions.d.ts +1 -1
- package/dist/analyzers/health/actions.d.ts.map +1 -1
- package/dist/analyzers/health/actions.js +27 -9
- package/dist/analyzers/health/actions.js.map +1 -1
- package/dist/analyzers/health/detailed.d.ts +2 -1
- package/dist/analyzers/health/detailed.d.ts.map +1 -1
- package/dist/analyzers/health/detailed.js +11 -7
- package/dist/analyzers/health/detailed.js.map +1 -1
- package/dist/analyzers/health.d.ts +27 -0
- package/dist/analyzers/health.d.ts.map +1 -1
- package/dist/analyzers/health.js +271 -33
- package/dist/analyzers/health.js.map +1 -1
- package/dist/analyzers/licenses/gather.d.ts +35 -8
- package/dist/analyzers/licenses/gather.d.ts.map +1 -1
- package/dist/analyzers/licenses/gather.js +70 -13
- package/dist/analyzers/licenses/gather.js.map +1 -1
- package/dist/analyzers/licenses/index.d.ts +1 -1
- package/dist/analyzers/licenses/index.d.ts.map +1 -1
- package/dist/analyzers/licenses/index.js +52 -11
- package/dist/analyzers/licenses/index.js.map +1 -1
- package/dist/analyzers/licenses/types.d.ts +15 -0
- package/dist/analyzers/licenses/types.d.ts.map +1 -1
- package/dist/analyzers/maintainability/shallow.d.ts +17 -5
- package/dist/analyzers/maintainability/shallow.d.ts.map +1 -1
- package/dist/analyzers/maintainability/shallow.js +80 -2
- package/dist/analyzers/maintainability/shallow.js.map +1 -1
- package/dist/analyzers/quality/detailed.d.ts.map +1 -1
- package/dist/analyzers/quality/detailed.js +4 -6
- package/dist/analyzers/quality/detailed.js.map +1 -1
- package/dist/analyzers/quality/gather.d.ts +1 -14
- package/dist/analyzers/quality/gather.d.ts.map +1 -1
- package/dist/analyzers/quality/gather.js +48 -137
- package/dist/analyzers/quality/gather.js.map +1 -1
- package/dist/analyzers/quality/index.d.ts +9 -2
- package/dist/analyzers/quality/index.d.ts.map +1 -1
- package/dist/analyzers/quality/index.js +189 -117
- package/dist/analyzers/quality/index.js.map +1 -1
- package/dist/analyzers/quality/shallow.d.ts +50 -5
- package/dist/analyzers/quality/shallow.d.ts.map +1 -1
- package/dist/analyzers/quality/shallow.js +155 -2
- package/dist/analyzers/quality/shallow.js.map +1 -1
- package/dist/analyzers/quality/types.d.ts +14 -0
- package/dist/analyzers/quality/types.d.ts.map +1 -1
- package/dist/analyzers/security/actions.d.ts +11 -4
- package/dist/analyzers/security/actions.d.ts.map +1 -1
- package/dist/analyzers/security/actions.js +87 -37
- package/dist/analyzers/security/actions.js.map +1 -1
- package/dist/analyzers/security/aggregator.d.ts +236 -0
- package/dist/analyzers/security/aggregator.d.ts.map +1 -0
- package/dist/analyzers/security/aggregator.js +347 -0
- package/dist/analyzers/security/aggregator.js.map +1 -0
- package/dist/analyzers/security/detailed.d.ts +2 -2
- package/dist/analyzers/security/detailed.d.ts.map +1 -1
- package/dist/analyzers/security/detailed.js +10 -9
- package/dist/analyzers/security/detailed.js.map +1 -1
- package/dist/analyzers/security/gather.d.ts +103 -1
- package/dist/analyzers/security/gather.d.ts.map +1 -1
- package/dist/analyzers/security/gather.js +281 -9
- package/dist/analyzers/security/gather.js.map +1 -1
- package/dist/analyzers/security/index.d.ts +15 -0
- package/dist/analyzers/security/index.d.ts.map +1 -1
- package/dist/analyzers/security/index.js +463 -50
- package/dist/analyzers/security/index.js.map +1 -1
- package/dist/analyzers/security/shallow.d.ts +50 -6
- package/dist/analyzers/security/shallow.d.ts.map +1 -1
- package/dist/analyzers/security/shallow.js +154 -2
- package/dist/analyzers/security/shallow.js.map +1 -1
- package/dist/analyzers/security/types.d.ts +51 -0
- package/dist/analyzers/security/types.d.ts.map +1 -1
- package/dist/analyzers/tests/detailed.d.ts.map +1 -1
- package/dist/analyzers/tests/detailed.js +2 -3
- package/dist/analyzers/tests/detailed.js.map +1 -1
- package/dist/analyzers/tests/gather.d.ts +2 -1
- package/dist/analyzers/tests/gather.d.ts.map +1 -1
- package/dist/analyzers/tests/gather.js +98 -69
- package/dist/analyzers/tests/gather.js.map +1 -1
- package/dist/analyzers/tests/index.d.ts +11 -2
- package/dist/analyzers/tests/index.d.ts.map +1 -1
- package/dist/analyzers/tests/index.js +85 -18
- package/dist/analyzers/tests/index.js.map +1 -1
- package/dist/analyzers/tests/shallow.d.ts +19 -5
- package/dist/analyzers/tests/shallow.d.ts.map +1 -1
- package/dist/analyzers/tests/shallow.js +89 -2
- package/dist/analyzers/tests/shallow.js.map +1 -1
- package/dist/analyzers/tests/types.d.ts +41 -1
- package/dist/analyzers/tests/types.d.ts.map +1 -1
- package/dist/analyzers/tools/autogen-header.d.ts +8 -0
- package/dist/analyzers/tools/autogen-header.d.ts.map +1 -0
- package/dist/analyzers/tools/autogen-header.js +107 -0
- package/dist/analyzers/tools/autogen-header.js.map +1 -0
- package/dist/analyzers/tools/cloc.d.ts.map +1 -1
- package/dist/analyzers/tools/cloc.js +36 -5
- package/dist/analyzers/tools/cloc.js.map +1 -1
- package/dist/analyzers/tools/coverage.d.ts +1 -1
- package/dist/analyzers/tools/coverage.d.ts.map +1 -1
- package/dist/analyzers/tools/coverage.js.map +1 -1
- package/dist/analyzers/tools/debug-statements.d.ts +17 -0
- package/dist/analyzers/tools/debug-statements.d.ts.map +1 -0
- package/dist/analyzers/tools/debug-statements.js +58 -0
- package/dist/analyzers/tools/debug-statements.js.map +1 -0
- package/dist/analyzers/tools/default-exclusions.gitignore +28 -0
- package/dist/analyzers/tools/exclusions.d.ts +33 -6
- package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
- package/dist/analyzers/tools/exclusions.js +95 -26
- package/dist/analyzers/tools/exclusions.js.map +1 -1
- package/dist/analyzers/tools/generic.d.ts +17 -2
- package/dist/analyzers/tools/generic.d.ts.map +1 -1
- package/dist/analyzers/tools/generic.js +206 -109
- package/dist/analyzers/tools/generic.js.map +1 -1
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
- package/dist/analyzers/tools/gitleaks.js +48 -1
- package/dist/analyzers/tools/gitleaks.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts +30 -2
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +131 -15
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/jscpd.d.ts +12 -2
- package/dist/analyzers/tools/jscpd.d.ts.map +1 -1
- package/dist/analyzers/tools/jscpd.js +129 -6
- package/dist/analyzers/tools/jscpd.js.map +1 -1
- package/dist/analyzers/tools/minified-detection.d.ts +9 -0
- package/dist/analyzers/tools/minified-detection.d.ts.map +1 -0
- package/dist/analyzers/tools/minified-detection.js +147 -0
- package/dist/analyzers/tools/minified-detection.js.map +1 -0
- package/dist/analyzers/tools/nuget-package-reference.d.ts +131 -0
- package/dist/analyzers/tools/nuget-package-reference.d.ts.map +1 -0
- package/dist/analyzers/tools/nuget-package-reference.js +175 -0
- package/dist/analyzers/tools/nuget-package-reference.js.map +1 -0
- package/dist/analyzers/tools/osv-scanner-deps.d.ts +48 -0
- package/dist/analyzers/tools/osv-scanner-deps.d.ts.map +1 -0
- package/dist/analyzers/tools/{osv-scanner-maven.js → osv-scanner-deps.js} +78 -46
- package/dist/analyzers/tools/osv-scanner-deps.js.map +1 -0
- package/dist/analyzers/tools/osv.d.ts +36 -0
- package/dist/analyzers/tools/osv.d.ts.map +1 -1
- package/dist/analyzers/tools/osv.js +26 -0
- package/dist/analyzers/tools/osv.js.map +1 -1
- package/dist/analyzers/tools/parallel.d.ts +1 -1
- package/dist/analyzers/tools/parallel.d.ts.map +1 -1
- package/dist/analyzers/tools/parallel.js +2 -2
- package/dist/analyzers/tools/parallel.js.map +1 -1
- package/dist/analyzers/tools/risk-score.d.ts +7 -0
- package/dist/analyzers/tools/risk-score.d.ts.map +1 -1
- package/dist/analyzers/tools/risk-score.js +9 -2
- package/dist/analyzers/tools/risk-score.js.map +1 -1
- package/dist/analyzers/tools/run-tests-helper.d.ts +43 -0
- package/dist/analyzers/tools/run-tests-helper.d.ts.map +1 -0
- package/dist/analyzers/tools/run-tests-helper.js +156 -0
- package/dist/analyzers/tools/run-tests-helper.js.map +1 -0
- package/dist/analyzers/tools/runner.d.ts.map +1 -1
- package/dist/analyzers/tools/runner.js +75 -12
- package/dist/analyzers/tools/runner.js.map +1 -1
- package/dist/analyzers/tools/semgrep.d.ts +39 -2
- package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
- package/dist/analyzers/tools/semgrep.js +131 -9
- package/dist/analyzers/tools/semgrep.js.map +1 -1
- package/dist/analyzers/tools/timing.d.ts +17 -3
- package/dist/analyzers/tools/timing.d.ts.map +1 -1
- package/dist/analyzers/tools/timing.js +36 -14
- package/dist/analyzers/tools/timing.js.map +1 -1
- package/dist/analyzers/tools/tool-registry.d.ts +10 -0
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +120 -1
- package/dist/analyzers/tools/tool-registry.js.map +1 -1
- package/dist/analyzers/tools/tools-unavailable-prose.d.ts +18 -0
- package/dist/analyzers/tools/tools-unavailable-prose.d.ts.map +1 -0
- package/dist/analyzers/tools/tools-unavailable-prose.js +69 -0
- package/dist/analyzers/tools/tools-unavailable-prose.js.map +1 -0
- package/dist/analyzers/tools/upgrade-plan-resolver.d.ts.map +1 -1
- package/dist/analyzers/tools/upgrade-plan-resolver.js +7 -0
- package/dist/analyzers/tools/upgrade-plan-resolver.js.map +1 -1
- package/dist/analyzers/tools/vendored-advisor.d.ts +43 -0
- package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -0
- package/dist/analyzers/tools/vendored-advisor.js +107 -0
- package/dist/analyzers/tools/vendored-advisor.js.map +1 -0
- package/dist/analyzers/tools/walk-paths.d.ts +78 -0
- package/dist/analyzers/tools/walk-paths.d.ts.map +1 -0
- package/dist/analyzers/tools/walk-paths.js +150 -0
- package/dist/analyzers/tools/walk-paths.js.map +1 -0
- package/dist/analyzers/tools/walk-source-files.d.ts +70 -0
- package/dist/analyzers/tools/walk-source-files.d.ts.map +1 -0
- package/dist/analyzers/tools/walk-source-files.js +369 -0
- package/dist/analyzers/tools/walk-source-files.js.map +1 -0
- package/dist/analyzers/types.d.ts +204 -4
- package/dist/analyzers/types.d.ts.map +1 -1
- package/dist/analyzers/xlsx/bom.d.ts.map +1 -1
- package/dist/analyzers/xlsx/bom.js +8 -1
- package/dist/analyzers/xlsx/bom.js.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +557 -189
- package/dist/cli.js.map +1 -1
- package/dist/constants.d.ts +1 -0
- package/dist/constants.d.ts.map +1 -1
- package/dist/detect.d.ts.map +1 -1
- package/dist/detect.js +24 -7
- package/dist/detect.js.map +1 -1
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +103 -53
- package/dist/doctor.js.map +1 -1
- package/dist/languages/capabilities/provider.d.ts +130 -1
- package/dist/languages/capabilities/provider.d.ts.map +1 -1
- package/dist/languages/capabilities/types.d.ts +68 -7
- package/dist/languages/capabilities/types.d.ts.map +1 -1
- package/dist/languages/csharp.d.ts +15 -1
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +624 -146
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +89 -11
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +131 -2
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +208 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +121 -32
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +140 -32
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +149 -44
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts +115 -0
- package/dist/languages/ruby.d.ts.map +1 -0
- package/dist/languages/ruby.js +665 -0
- package/dist/languages/ruby.js.map +1 -0
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +103 -16
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +228 -5
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +201 -14
- package/dist/languages/typescript.js.map +1 -1
- package/dist/scoring/dimensions/documentation.d.ts +53 -0
- package/dist/scoring/dimensions/documentation.d.ts.map +1 -0
- package/dist/scoring/dimensions/documentation.js +106 -0
- package/dist/scoring/dimensions/documentation.js.map +1 -0
- package/dist/scoring/dimensions/dx.d.ts +53 -0
- package/dist/scoring/dimensions/dx.d.ts.map +1 -0
- package/dist/scoring/dimensions/dx.js +105 -0
- package/dist/scoring/dimensions/dx.js.map +1 -0
- package/dist/scoring/dimensions/maintainability.d.ts +53 -0
- package/dist/scoring/dimensions/maintainability.d.ts.map +1 -0
- package/dist/scoring/dimensions/maintainability.js +101 -0
- package/dist/scoring/dimensions/maintainability.js.map +1 -0
- package/dist/scoring/dimensions/quality.d.ts +108 -0
- package/dist/scoring/dimensions/quality.d.ts.map +1 -0
- package/dist/scoring/dimensions/quality.js +174 -0
- package/dist/scoring/dimensions/quality.js.map +1 -0
- package/dist/scoring/dimensions/security.d.ts +84 -0
- package/dist/scoring/dimensions/security.d.ts.map +1 -0
- package/dist/scoring/dimensions/security.js +135 -0
- package/dist/scoring/dimensions/security.js.map +1 -0
- package/dist/scoring/dimensions/testing.d.ts +56 -0
- package/dist/scoring/dimensions/testing.d.ts.map +1 -0
- package/dist/scoring/dimensions/testing.js +98 -0
- package/dist/scoring/dimensions/testing.js.map +1 -0
- package/dist/scoring/evaluator.d.ts +27 -0
- package/dist/scoring/evaluator.d.ts.map +1 -0
- package/dist/scoring/evaluator.js +124 -0
- package/dist/scoring/evaluator.js.map +1 -0
- package/dist/scoring/format.d.ts +34 -0
- package/dist/scoring/format.d.ts.map +1 -0
- package/dist/scoring/format.js +63 -0
- package/dist/scoring/format.js.map +1 -0
- package/dist/scoring/index.d.ts +37 -0
- package/dist/scoring/index.d.ts.map +1 -0
- package/dist/scoring/index.js +57 -0
- package/dist/scoring/index.js.map +1 -0
- package/dist/scoring/overall.d.ts +54 -0
- package/dist/scoring/overall.d.ts.map +1 -0
- package/dist/scoring/overall.js +76 -0
- package/dist/scoring/overall.js.map +1 -0
- package/dist/scoring/result.d.ts +111 -0
- package/dist/scoring/result.d.ts.map +1 -0
- package/dist/scoring/result.js +14 -0
- package/dist/scoring/result.js.map +1 -0
- package/dist/scoring/spec.d.ts +76 -0
- package/dist/scoring/spec.d.ts.map +1 -0
- package/dist/scoring/spec.js +22 -0
- package/dist/scoring/spec.js.map +1 -0
- package/dist/scoring/thresholds.d.ts +56 -0
- package/dist/scoring/thresholds.d.ts.map +1 -0
- package/dist/scoring/thresholds.js +75 -0
- package/dist/scoring/thresholds.js.map +1 -0
- package/dist/tools-cli.d.ts.map +1 -1
- package/dist/tools-cli.js +21 -2
- package/dist/tools-cli.js.map +1 -1
- package/dist/types.d.ts +17 -1
- package/dist/types.d.ts.map +1 -1
- package/package.json +1 -1
- package/templates/.claude/commands/dashboard.md +17 -9
- package/templates/.claude/rules/ruby.md +11 -0
- package/templates/configs/ruby/README.md +6 -0
- package/dist/analyzers/scoring.d.ts +0 -49
- package/dist/analyzers/scoring.d.ts.map +0 -1
- package/dist/analyzers/scoring.js +0 -422
- package/dist/analyzers/scoring.js.map +0 -1
- package/dist/analyzers/security/scoring.d.ts +0 -29
- package/dist/analyzers/security/scoring.d.ts.map +0 -1
- package/dist/analyzers/security/scoring.js +0 -40
- package/dist/analyzers/security/scoring.js.map +0 -1
- package/dist/analyzers/tools/osv-scanner-maven.d.ts +0 -42
- package/dist/analyzers/tools/osv-scanner-maven.d.ts.map +0 -1
- package/dist/analyzers/tools/osv-scanner-maven.js.map +0 -1
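--- a/package/dist/analyzers/tools/nuget-package-reference.js
+++ b/package/dist/analyzers/tools/nuget-package-reference.js
@@ -0,0 +1,175 @@
+"use strict";
+/**
+* Direct `<PackageReference>` parser — D025f (2.4.7).
+*
+* Extracts NuGet PackageReference entries from `.csproj` XML text
+* without invoking `dotnet restore` or any other .NET toolchain. The
+* output feeds an ad-hoc `packages.lock.json`-shaped file that
+* osv-scanner ingests via `--lockfile=<path>` (the file MUST be
+* literally named `packages.lock.json` — osv-scanner v2.x detects the
+* NuGet ecosystem by filename, not by a prefix). This closes the D036
+* customer-outcome gap on dpl-studio (where `dotnet list package`
+* couldn't run from a multi-project parent directory).
+*
+* Lives under `src/analyzers/tools/` (alongside `osv-scanner-deps.ts`,
+* `jacoco.ts`, `npm-registry.ts`, `cvss-v4.ts`) — CLAUDE.md rule #6
+* keeps each language pack as a single file; ecosystem-specific tool
+* helpers consumed by one or more packs go in `analyzers/tools/`.
+* csharp.ts imports this module the same way it already imports
+* `osv` and `osv-scanner-deps`.
+*
+* Architectural rationale:
+*
+* D025c (Sprint A) routed the gather through `findTool(TOOL_DEFS
+* ['dotnet-format'])` so users with `~/.dotnet/dotnet` (the
+* Microsoft-recommended non-sudo install) got dotnet discovered.
+* That fix was necessary but not sufficient: `dotnet list package
+* --vulnerable` still requires an explicit `.csproj`/`.sln` in cwd,
+* and dpl-studio's `Code/Source/Dev/Core/<Module>/<Module>.csproj`
+* layout puts the project files 3 levels deeper than the natural
+* `dxkit vulnerabilities Code/Source/` cwd.
+*
+* D025f sidesteps the dotnet CLI entirely. We walk every `.csproj`
+* reachable from cwd (depth 5, matching csharp.detect()), parse
+* each, and feed the union to osv-scanner via a synthetic lockfile.
+* Cross-platform — `net9.0-windows` targets that won't restore on
+* Linux/Mac still get scanned.
+*
+* Trade-off: this catches DIRECT PackageReferences only. Transitive
+* deps (resolved by NuGet's dep graph from each direct ref's own
+* dependencies) are NOT visible without a populated
+* `project.assets.json`. Industry studies put ~80% of typical
+* .NET CVE surface on direct refs; the remaining ~20% (transitives)
+* land cleanly when `dotnet restore` is available and the
+* dotnet-path-resolved D025c codepath runs.
+*
+* Shared with D031: the licenses degraded-inventory fallback uses the
+* same parser to produce a "133 packages identified; license info
+* unavailable" rendering when `nuget-license` isn't installed.
+*
+* Pure function. No I/O. Tested via a fixture suite of representative
+* .csproj shapes (attribute-form, element-form, Central Package
+* Management, conditional `<ItemGroup>` blocks).
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseCsprojPackageReferences = parseCsprojPackageReferences;
+exports.buildNugetAdhocLockfile = buildNugetAdhocLockfile;
+/**
+* Match shapes (in priority order):
+*
+* 1. `<PackageReference Include="Foo" Version="1.0.0" />` — most
+* common; attributes can appear in any order (also matched
+* `Version="1.0.0" Include="Foo"`).
+* 2. `<PackageReference Include="Foo"><Version>1.0.0</Version>
+* </PackageReference>` — element-form, equivalent semantics;
+* common in repos that prefer multiline configs or use child
+* elements for `<PrivateAssets>`/`<IncludeAssets>` siblings.
+* 3. `<PackageReference Include="Foo" />` WITHOUT Version — Central
+* Package Management (CPM): the version comes from a separate
+* `Directory.Packages.props` file. Skipped here; the CPM-aware
+* pass (a future enhancement) would resolve them.
+*
+* Skipped shapes:
+*
+* - `<PackageReference Update="Foo" Version="..." />` — CPM
+* override syntax for transitive pins; NOT a direct reference.
+* - `<GlobalPackageReference ... />` — CPM-only; pins all projects.
+* Not a direct reference of this csproj.
+* - Comments / CDATA — best-effort; the regex is generous and
+* can theoretically match `<!-- <PackageReference ... -->`
+* comments; users with literal PackageReference strings inside
+* comments would get false positives. Acceptable: pathological
+* case, and osv-scanner won't surface advisories for non-real
+* packages, so the worst case is a wasted scan entry.
+*/
+function parseCsprojPackageReferences(xml) {
+const out = [];
+const seen = new Set(); // dedupe `${name}@${version}` within a single .csproj
+// Form 1 (attribute-form): two attribute orderings.
+// Match Include="X" ... Version="Y"
+const attrIncludeFirstRe = /<PackageReference\s+[^>]*\bInclude\s*=\s*"([^"]+)"[^>]*\bVersion\s*=\s*"([^"]+)"[^>]*\/?>/gi;
+// Match Version="Y" ... Include="X"
+const attrVersionFirstRe = /<PackageReference\s+[^>]*\bVersion\s*=\s*"([^"]+)"[^>]*\bInclude\s*=\s*"([^"]+)"[^>]*\/?>/gi;
+let m;
+while ((m = attrIncludeFirstRe.exec(xml)) !== null) {
+pushEntry(out, seen, m[1], m[2]);
+}
+while ((m = attrVersionFirstRe.exec(xml)) !== null) {
+pushEntry(out, seen, m[2], m[1]);
+}
+// Form 2 (element-form): <PackageReference Include="X"><Version>Y</Version>...</PackageReference>
+// The element form spans multiple lines; the regex is multi-line aware.
+const elementFormRe = /<PackageReference\s+[^>]*\bInclude\s*=\s*"([^"]+)"[^>]*>[\s\S]*?<Version>\s*([^<\s]+)\s*<\/Version>[\s\S]*?<\/PackageReference>/gi;
+while ((m = elementFormRe.exec(xml)) !== null) {
+pushEntry(out, seen, m[1], m[2]);
+}
+return out;
+}
+function pushEntry(out, seen, rawName, rawVersion) {
+const name = rawName.trim();
+const version = rawVersion.trim();
+if (!name || !version)
+return;
+const key = `${name}@${version}`;
+if (seen.has(key))
+return;
+seen.add(key);
+out.push({ name, version });
+}
+/**
+* Generate the body of an ad-hoc `packages.lock.json` that osv-scanner
+* v2.x reads via `--lockfile=<path>` (caller MUST write this content to
+* a file literally named `packages.lock.json` — osv-scanner detects
+* ecosystem by filename). The schema matches NuGet's native
+* `dotnet restore`-produced lockfile (which osv-scanner already
+* supports natively), simplified to the minimum osv-scanner consults
+* for vulnerability matching:
+*
+* {
+* "version": 1,
+* "dependencies": {
+* "net0.0": {
+* "<Pkg>": {
+* "type": "Direct",
+* "resolved": "<Version>",
+* "requested": "[<Version>, )"
+* }
+* }
+* }
+* }
+*
+* - `"version": 1` matches `dotnet restore`'s lockfile schema version.
+* - `"net0.0"` is a placeholder framework moniker — osv-scanner reads
+* the package map without validating the framework key, so any
+* non-empty string works. We use a non-real moniker so it can't be
+* confused with a real target framework in downstream debugging.
+* - `type: "Direct"` truthfully reflects that we ONLY parsed direct
+* references. Transitive vulns are out of scope for this path
+* (covered by D025c's `dotnet list` codepath when available).
+* - `requested` is a NuGet version range; we use a single-anchored
+* `[V, )` form so the lockfile is valid even though the real
+* `.csproj` might have been a pinned single version.
+*
+* Returns a JSON-stringified string suitable for writing to a temp
+* file. Callers should clean up the temp file after osv-scanner
+* consumes it.
+*/
+function buildNugetAdhocLockfile(entries) {
+const dependencies = { 'net0.0': {} };
+for (const entry of entries) {
+// If the same package appears in multiple .csproj files at different
+// versions, last-write-wins per the lockfile shape (it's one entry
+// per package name within a framework). osv-scanner will scan
+// whichever version we stamped; the cross-csproj merging trade-off
+// is documented at the caller. For dpl-studio scale (~74 csprojs)
+// collisions are common but typically converge on a single resolved
+// version per the repo's dependency hygiene practices.
+dependencies['net0.0'][entry.name] = {
+type: 'Direct',
+resolved: entry.version,
+requested: `[${entry.version}, )`,
+};
+}
+return JSON.stringify({ version: 1, dependencies }, null, 2);
+}
+//# sourceMappingURL=nuget-package-reference.js.map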
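Review bot: The element-form regex at line 102 can attach the wrong version to a package, because its opening-tag part `[^>]*>` also accepts a self-closing `<PackageReference Include="A" Version="1.0" />` (or a CPM `<PackageReference Include="A" />`), after which the lazy `[\s\S]*?` runs on into the next element-form sibling's `<Version>`; on `<PackageReference Include="A" Version="1.0" />` followed by `<PackageReference Include="B"><Version>2.0</Version></PackageReference>` the parser emits `A@2.0` alongside `A@1.0`, and `buildNugetAdhocLockfile`'s last-write-wins at line 167 then stamps A as 2.0, so advisories against 1.0 are silently missed. Rejecting self-closing opening tags and forbidding the body from crossing another `<PackageReference` fixes both: `const elementFormRe = /<PackageReference\s+[^>]*\bInclude\s*=\s*"([^"]+)"(?:[^>]*[^>\/])?>(?:(?!<PackageReference\b)[\s\S])*?<Version>\s*([^<\s]+)\s*<\/Version>(?:(?!<PackageReference\b)[\s\S])*?<\/PackageReference>/gi;`. The same capture also lets an MSBuild property reference or a range such as `$(FooVersion)` or `[1.0,2.0)` land verbatim in `resolved`, where osv-scanner presumably cannot match it and the package silently drops out of the scan; a fixture for those shapes and a counted "unresolvable version" outcome would keep that false negative visible rather than silent. A one-line comment above the regex naming the self-closing/sibling hazard would help the next maintainer see why the tag and body are tempered.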
@@ -0,0 +1 @@
1
+
{"version":3,"file":"nuget-package-reference.js","sourceRoot":"","sources":["../../../src/analyzers/tools/nuget-package-reference.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmDG;;AAyCH,oEA6BC;AAuDD,0DAiBC;AAjID;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,SAAgB,4BAA4B,CAAC,GAAW;IACtD,MAAM,GAAG,GAA4B,EAAE,CAAC;IACxC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC,CAAC,sDAAsD;IAEtF,oDAAoD;IACpD,oCAAoC;IACpC,MAAM,kBAAkB,GACtB,6FAA6F,CAAC;IAChG,oCAAoC;IACpC,MAAM,kBAAkB,GACtB,6FAA6F,CAAC;IAEhG,IAAI,CAAyB,CAAC;IAC9B,OAAO,CAAC,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACnD,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,CAAC,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACnD,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;IAED,kGAAkG;IAClG,wEAAwE;IACxE,MAAM,aAAa,GACjB,mIAAmI,CAAC;IACtI,OAAO,CAAC,CAAC,GAAG,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC9C,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,SAAS,CAChB,GAA4B,EAC5B,IAAiB,EACjB,OAAe,EACf,UAAkB;IAElB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC5B,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;IAClC,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO;QAAE,OAAO;IAC9B,MAAM,GAAG,GAAG,GAAG,IAAI,IAAI,OAAO,EAAE,CAAC;IACjC,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO;IAC1B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACd,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;AAC9B,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,SAAgB,uBAAuB,CAAC,OAA6C;IACnF,MAAM,YAAY,GAA4C,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;IAC/E,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,qEAAqE;QACrE,mEAAmE;QACnE,8DAA8D;QAC9D,mEAAmE;QACnE,kEAAkE;QAClE,oEAAoE;QACpE,uDAAuD;QACvD,YAAY,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG;YACnC,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,KAAK,CAAC,OAAO;YACvB,SAAS,EAAE,IAAI,KAAK,CAAC,OAAO,KAAK;SAClC,C
AAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AAC/D,CAAC"}
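--- /dev/null
+++ b/package/dist/analyzers/tools/osv-scanner-deps.d.ts
@@ -0,0 +1,48 @@
+import type { DepVulnFinding, DepVulnGatherOutcome, SeverityCounts } from '../../languages/capabilities/types';
+import type { LanguageId } from '../../types';
+/**
+* Pure parser for osv-scanner v2.x JSON output, scoped to a single
+* ecosystem. Other ecosystems are filtered out so polyglot repos
+* don't double-count: each pack handles its own ecosystem (typescript
+* → npm, python → PyPI, kotlin/java → Maven, ruby → RubyGems, etc.).
+*
+* The ecosystem parameter is matched against the OSV record's
+* `package.ecosystem` field verbatim — use the exact strings OSV
+* emits (`'Maven'`, `'RubyGems'`, `'PyPI'`, `'npm'`, `'Go'`, etc.).
+*
+* Returns counts + findings + the raw OSV vuln records for downstream
+* CVSS resolution. Exported for unit tests.
+*/
+export declare function parseOsvScannerFindings(raw: string, ecosystem: string, packId?: LanguageId): {
+counts: SeverityCounts;
+findings: DepVulnFinding[];
+vulnsForCvss: Array<{
+primaryId: string;
+embeddedCvss: number | null;
+aliases: string[];
+}>;
+};
+/**
+* Single source of truth for osv-scanner-driven dep-vuln gathering.
+* Caller supplies:
+* - cwd: project root
+* - source: pack id for envelope attribution (currently reserved —
+* see note at end of function)
+* - ecosystem: OSV ecosystem string (`'Maven'`, `'RubyGems'`, ...)
+* - manifestCandidates: ordered list of manifest filenames to probe.
+* First existing one is passed via `--lockfile`. Lockfiles
+* preferred over higher-level manifests (kotlin: gradle.lockfile
+* before pom.xml; ruby: Gemfile.lock).
+*
+* `scan source --lockfile <path>` is the v2.x form. JSON output to
+* stdout. Exit code is non-zero when findings exist — we ignore the
+* exit code and parse the JSON regardless (run() already swallows
+* non-zero exits cleanly via execSync's catch).
+*
+* CVSS alias-fallback: osv-scanner ships CVSS vectors when present,
+* but advisory data quality varies by ecosystem — some carry only
+* `database_specific.severity` strings. resolveCvssScores looks up
+* via CVE alias when the primary record lacks a vector.
+*/
+export declare function gatherOsvScannerDepVulnsResult(cwd: string, packId: LanguageId, ecosystem: string, manifestCandidates: string[]): Promise<DepVulnGatherOutcome>;
+//# sourceMappingURL=osv-scanner-deps.d.ts.map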
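Review bot: The JSDoc on `gatherOsvScannerDepVulnsResult` no longer matches the declared signature: it documents a `source` parameter that is "currently reserved — see note at end of function", while the declaration takes `packId: LanguageId`, and the implementation in the osv-scanner-deps.js section below forwards `packId` into `parseOsvScannerFindings`. The bullet should read `* - packId: pack id stamped onto each finding (forwarded to parseOsvScannerFindings)` and the "currently reserved" parenthetical should go. The same docblock is duplicated verbatim on the function in the .js section, so both copies need the change.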
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"osv-scanner-deps.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/osv-scanner-deps.ts"],"names":[],"mappings":"AAoCA,OAAO,KAAK,EACV,cAAc,EACd,oBAAoB,EAEpB,cAAc,EACf,MAAM,oCAAoC,CAAC;AAC5C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAiB9C;;;;;;;;;;;;GAYG;AACH,wBAAgB,uBAAuB,CACrC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,UAAU,GAClB;IACD,MAAM,EAAE,cAAc,CAAC;IACvB,QAAQ,EAAE,cAAc,EAAE,CAAC;IAC3B,YAAY,EAAE,KAAK,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;CAC5F,CA8EA;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,8BAA8B,CAClD,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,UAAU,EAClB,SAAS,EAAE,MAAM,EACjB,kBAAkB,EAAE,MAAM,EAAE,GAC3B,OAAO,CAAC,oBAAoB,CAAC,CAiD/B"}
|
|
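--- a/package/dist/analyzers/tools/osv-scanner-deps.js
+++ b/package/dist/analyzers/tools/osv-scanner-deps.js
@@ -1,38 +1,51 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.
-exports.
+exports.parseOsvScannerFindings = parseOsvScannerFindings;
+exports.gatherOsvScannerDepVulnsResult = gatherOsvScannerDepVulnsResult;
 /**
-* osv-scanner against
-*
-*
-*
+* osv-scanner against any OSV ecosystem — shared across language packs
+* that use osv-scanner as their canonical depVulns source. CLAUDE.md
+* rule #2 — the gather function lives once.
+*
+* History: extracted from `src/languages/kotlin.ts` in 10k.1.4 (Phase
+* 10k.1 SSOT validation), originally Maven-only. Generalized to all
+* OSV ecosystems in 10k.2.6a (Ruby pack work) — caller passes the
+* ecosystem string + manifest candidate list, parser filters
+* accordingly so polyglot repos don't double-count across packs.
+*
+* Current consumers:
+* - kotlin pack — `Maven` ecosystem, gradle.lockfile + pom.xml + verification-metadata.xml
+* - java pack — `Maven` ecosystem (same manifest set)
+* - ruby pack — `RubyGems` ecosystem, Gemfile.lock
 *
 * osv-scanner is the established multi-ecosystem scanner; no Tier-1
-* native equivalent exists for
+* native equivalent exists for several of the ecosystems above
+* (CLAUDE.md rule #5 — bundler-audit's JSON is unstable, so Ruby
+* intentionally uses osv-scanner-only rather than dual-source).
 * The typescript pack's `osv-scanner-fix.ts` uses the `fix`
 * subcommand for upgrade planning — different mode, no shared logic.
 *
-* Manifest gating:
-*
-* `
-* preferred. Without any of these, we return `tool-missing` (matches
-* python/csharp's manifest-gating pattern).
+* Manifest gating: caller supplies the candidate list. First
+* existing candidate wins. Without any of them, returns
+* `tool-missing` (matches python/csharp's manifest-gating pattern).
 */
 const osv_1 = require("./osv");
 const runner_1 = require("./runner");
 const tool_registry_1 = require("./tool-registry");
 /**
-* Pure parser for osv-scanner v2.x JSON output, scoped to
-*
-*
-*
-*
+* Pure parser for osv-scanner v2.x JSON output, scoped to a single
+* ecosystem. Other ecosystems are filtered out so polyglot repos
+* don't double-count: each pack handles its own ecosystem (typescript
+* → npm, python → PyPI, kotlin/java → Maven, ruby → RubyGems, etc.).
+*
+* The ecosystem parameter is matched against the OSV record's
+* `package.ecosystem` field verbatim — use the exact strings OSV
+* emits (`'Maven'`, `'RubyGems'`, `'PyPI'`, `'npm'`, `'Go'`, etc.).
 *
 * Returns counts + findings + the raw OSV vuln records for downstream
 * CVSS resolution. Exported for unit tests.
 */
-function
+function parseOsvScannerFindings(raw, ecosystem, packId) {
 const counts = { critical: 0, high: 0, medium: 0, low: 0 };
 const findings = [];
 const vulnsForCvss = [];
@@ -49,7 +62,7 @@ function parseOsvScannerMavenFindings(raw) {
 const seen = new Set();
 for (const result of data.results ?? []) {
 for (const pkg of result.packages ?? []) {
-if (pkg.package?.ecosystem !==
+if (pkg.package?.ecosystem !== ecosystem)
 continue;
 const pkgName = pkg.package.name ?? 'unknown';
 const pkgVersion = pkg.package.version;
@@ -74,12 +87,27 @@ function parseOsvScannerMavenFindings(raw) {
 tool: 'osv-scanner',
 severity: tier,
 };
+// G_v4_4 (2.4.7): stamp the producing pack so `buildUpgradeCommand`
+// can dispatch to the right `LanguageSupport.upgradeCommand` without
+// a hardcoded switch on `tool`. Caller passes the pack id; absent
+// (`undefined`) only on legacy paths we haven't migrated yet.
+if (packId)
+finding.packId = packId;
 if (cvss !== null)
 finding.cvssScore = cvss;
 if (aliases.length > 0)
 finding.aliases = aliases;
 if (vuln.summary)
 finding.summary = vuln.summary;
+// D042: surface the patch version when OSV's `affected[].
+// ranges[].events[].fixed` is populated. This is the customer's
+// actionable next-step (e.g. "upgrade Newtonsoft.Json from
+// 9.0.1 to 13.0.1 to clear GHSA-5crp-9r3c-p9vr"). Pre-D042 the
+// standalone scan rendered `Fix: —` for every osv-scanner-
+// sourced finding because this field went unread.
+const fixVersion = (0, osv_1.extractOsvFixVersion)(vuln);
+if (fixVersion)
+finding.fixedVersion = fixVersion;
 // OSV.dev hosts a canonical page per id — synthesize when the
 // record's `references[]` is empty, otherwise keep the
 // tool-supplied URLs.
@@ -98,27 +126,28 @@ function parseOsvScannerMavenFindings(raw) {
 return { counts, findings, vulnsForCvss };
 }
 /**
-* Single source of truth for osv-scanner
-*
-*
-*
-*
-*
-*
-*
+* Single source of truth for osv-scanner-driven dep-vuln gathering.
+* Caller supplies:
+* - cwd: project root
+* - source: pack id for envelope attribution (currently reserved —
+* see note at end of function)
+* - ecosystem: OSV ecosystem string (`'Maven'`, `'RubyGems'`, ...)
+* - manifestCandidates: ordered list of manifest filenames to probe.
+* First existing one is passed via `--lockfile`. Lockfiles
+* preferred over higher-level manifests (kotlin: gradle.lockfile
+* before pom.xml; ruby: Gemfile.lock).
 *
 * `scan source --lockfile <path>` is the v2.x form. JSON output to
 * stdout. Exit code is non-zero when findings exist — we ignore the
 * exit code and parse the JSON regardless (run() already swallows
 * non-zero exits cleanly via execSync's catch).
 *
-* CVSS alias-fallback: osv-scanner ships CVSS vectors when present,
-*
-* `database_specific.severity` strings. resolveCvssScores looks up
-* CVE alias when the primary record lacks a vector.
+* CVSS alias-fallback: osv-scanner ships CVSS vectors when present,
+* but advisory data quality varies by ecosystem — some carry only
+* `database_specific.severity` strings. resolveCvssScores looks up
+* via CVE alias when the primary record lacks a vector.
 */
-async function
-const manifestCandidates = ['gradle.lockfile', 'pom.xml', 'gradle/verification-metadata.xml'];
+async function gatherOsvScannerDepVulnsResult(cwd, packId, ecosystem, manifestCandidates) {
 let manifest = null;
 for (const rel of manifestCandidates) {
 if ((0, runner_1.fileExists)(cwd, rel)) {
@@ -126,15 +155,20 @@ async function gatherOsvScannerMavenDepVulnsResult(cwd, source) {
 break;
 }
 }
-if (!manifest)
-return {
+if (!manifest) {
+return {
+kind: 'no-manifest',
+reason: `no lockfile found (looked for: ${manifestCandidates.join(', ')})`,
+};
+}
 const scanner = (0, tool_registry_1.findTool)(tool_registry_1.TOOL_DEFS['osv-scanner'], cwd);
-if (!scanner.available || !scanner.path)
-return { kind: '
+if (!scanner.available || !scanner.path) {
+return { kind: 'unavailable', reason: 'osv-scanner not installed' };
+}
 const raw = (0, runner_1.run)(`${scanner.path} scan source --lockfile ${manifest} --format json 2>/dev/null`, cwd, 180000);
 if (!raw)
-return { kind: 'no
-const { counts, findings, vulnsForCvss } =
+return { kind: 'unavailable', reason: 'osv-scanner produced no output' };
+const { counts, findings, vulnsForCvss } = parseOsvScannerFindings(raw, ecosystem, packId);
 if (findings.length > 0) {
 const resolved = await (0, osv_1.resolveCvssScores)(vulnsForCvss);
 for (const f of findings) {
@@ -150,12 +184,10 @@ async function gatherOsvScannerMavenDepVulnsResult(cwd, source) {
 counts,
 findings,
 };
-//
-//
-//
-//
-// we want to attribute findings to the originating pack).
-void source;
+// G_v4_4 (2.4.7): `packId` is forwarded into `parseOsvScannerFindings`
+// so each finding carries the producing pack, which `buildUpgradeCommand`
+// dispatches on. Envelope-level `tool: 'osv-scanner'` stays as the
+// tool-attribution string used in `toolsUsed`.
 return { kind: 'success', envelope };
 }
-//# sourceMappingURL=osv-scanner-
+//# sourceMappingURL=osv-scanner-deps.js.map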
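Review bot: `manifestCandidates` is now a caller-supplied parameter of `gatherOsvScannerDepVulnsResult`, and the first existing entry is interpolated unquoted into the shell command on the `run(...)` context line (`--lockfile ${manifest}`), so a candidate containing spaces or shell metacharacters would be split or interpreted by the shell instead of being passed as one path. Judging by the consumer list in the header comment every current caller passes fixed literal filenames, so this is a hardening point rather than a live bug, but the new parameter contract should state it — e.g. `* - manifestCandidates: plain relative filenames; no shell quoting is applied before the value reaches run()` — or the path should be quoted before interpolation. The header comment's "Manifest gating" paragraph also still says the no-manifest case returns `tool-missing`, while the fifth hunk now returns `kind: 'no-manifest'` with a reason string; that sentence should be updated to match.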
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"osv-scanner-deps.js","sourceRoot":"","sources":["../../../src/analyzers/tools/osv-scanner-deps.ts"],"names":[],"mappings":";;AAwEA,0DAsFC;AAwBD,wEAsDC;AA5OD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,+BAMe;AACf,qCAA2C;AAC3C,mDAAsD;AAwBtD;;;;;;;;;;;;GAYG;AACH,SAAgB,uBAAuB,CACrC,GAAW,EACX,SAAiB,EACjB,MAAmB;IAMnB,MAAM,MAAM,GAAmB,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC3E,MAAM,QAAQ,GAAqB,EAAE,CAAC;IACtC,MAAM,YAAY,GAIb,EAAE,CAAC;IACR,IAAI,IAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;IAC5C,CAAC;IACD,oEAAoE;IACpE,sEAAsE;IACtE,oEAAoE;IACpE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC;QACxC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;YACxC,IAAI,GAAG,CAAC,OAAO,EAAE,SAAS,KAAK,SAAS;gBAAE,SAAS;YACnD,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,SAAS,CAAC;YAC9C,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;YACvC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,eAAe,IAAI,EAAE,EAAE,CAAC;gBAC7C,IAAI,CAAC,IAAI,CAAC,EAAE;oBAAE,SAAS;gBACvB,MAAM,QAAQ,GAAG,GAAG,OAAO,KAAK,UAAU,IAAI,EAAE,KAAK,IAAI,CAAC,EAAE,EAAE,CAAC;gBAC/D,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBACjC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBAEnB,MAAM,GAAG,GAAG,IAAA,yBAAmB,EAAC,IAAI,CAAC,CAAC;gBACtC,MAAM,IAAI,GACR,GAAG,KAAK,UAAU,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,KAAK;oBACvE,CAAC,CAAC,GAAG;oBACL,CAAC,CAAC,QAAQ,CAAC;gBACf,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBAEf,MAAM,IAAI,GAAG,IAAA,yBAAmB,EAAC,IAAI,CAAC,CAAC;gBACvC,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBACtE,MAAM,OAAO,GAAmB;oBAC9B,EAAE,EAAE,IAAI,CAAC,EAAE;oBACX,OAAO,EAAE,OAAO;oBAChB,gBAAgB,EAAE,UAAU;oBAC5B,IAAI,EAAE,aAAa;oBACnB,QAAQ,EAAE,IAAI;iBACf,CAAC;gBACF,oEAAoE;gBACpE,qEAAqE;gBACrE,kEAAkE;gBAClE,8DAA8D;gBAC9D,IAAI,MAAM;oBAAE,OAAO,CAAC,MAAM,G
AAG,MAAM,CAAC;gBACpC,IAAI,IAAI,KAAK,IAAI;oBAAE,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;gBAC5C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;oBAAE,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC;gBAClD,IAAI,IAAI,CAAC,OAAO;oBAAE,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;gBACjD,0DAA0D;gBAC1D,gEAAgE;gBAChE,2DAA2D;gBAC3D,+DAA+D;gBAC/D,2DAA2D;gBAC3D,kDAAkD;gBAClD,MAAM,UAAU,GAAG,IAAA,0BAAoB,EAAC,IAAI,CAAC,CAAC;gBAC9C,IAAI,UAAU;oBAAE,OAAO,CAAC,YAAY,GAAG,UAAU,CAAC;gBAClD,8DAA8D;gBAC9D,uDAAuD;gBACvD,sBAAsB;gBACtB,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC1F,OAAO,CAAC,UAAU;oBAChB,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,iCAAiC,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC9E,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAEvB,YAAY,CAAC,IAAI,CAAC;oBAChB,SAAS,EAAE,IAAI,CAAC,EAAE;oBAClB,YAAY,EAAE,IAAI;oBAClB,OAAO;iBACR,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;AAC5C,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACI,KAAK,UAAU,8BAA8B,CAClD,GAAW,EACX,MAAkB,EAClB,SAAiB,EACjB,kBAA4B;IAE5B,IAAI,QAAQ,GAAkB,IAAI,CAAC;IACnC,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;QACrC,IAAI,IAAA,mBAAU,EAAC,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;YACzB,QAAQ,GAAG,GAAG,CAAC;YACf,MAAM;QACR,CAAC;IACH,CAAC;IACD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO;YACL,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,kCAAkC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;SAC3E,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,IAAA,wBAAQ,EAAC,yBAAS,CAAC,aAAa,CAAC,EAAE,GAAG,CAAC,CAAC;IACxD,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACxC,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC;IACtE,CAAC;IAED,MAAM,GAAG,GAAG,IAAA,YAAG,EACb,GAAG,OAAO,CAAC,IAAI,2BAA2B,QAAQ,4BAA4B,EAC9E,GAAG,EACH,MAAM,CACP,CAAC;IACF,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,gCAAgC,EAAE,CAAC;IAEnF,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,uBAAuB,CAAC,GAAG,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IAE3F,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,Q
AAQ,GAAG,MAAM,IAAA,uBAAiB,EAAC,YAAY,CAAC,CAAC;QACvD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACjC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS;gBAAE,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC;QACjE,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,aAAa,EAAE,CAAC;QAChB,IAAI,EAAE,aAAa;QACnB,UAAU,EAAE,SAAS;QACrB,MAAM;QACN,QAAQ;KACT,CAAC;IACF,uEAAuE;IACvE,0EAA0E;IAC1E,mEAAmE;IACnE,+CAA+C;IAC/C,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AACvC,CAAC"}
|
|
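--- a/package/dist/analyzers/tools/osv.d.ts
+++ b/package/dist/analyzers/tools/osv.d.ts
@@ -25,6 +25,27 @@ export interface OsvVuln {
 type: string;
 score: string;
 }>;
+/**
+* D042 (2.4.7): OSV records expose patch-version info via
+* `affected[].ranges[].events[]`. Each range describes one
+* affected version interval with bounding events:
+* `{"introduced": "0.0.0"}` (or `"introduced": "X.Y.Z"`)
+* `{"fixed": "X.Y.Z"}` ← patch-available signal
+* `{"limit": "X.Y.Z"}` ← exclusion upper bound
+*
+* We extract the first non-empty `fixed` event as the
+* `fixedVersion` recommendation for the customer's upgrade
+* path. Pre-D042 this field was unread; both csharp/kotlin/
+* java/ruby's osv-scanner findings rendered `Fix: —`.
+*/
+ranges?: Array<{
+type?: string;
+events?: Array<{
+introduced?: string;
+fixed?: string;
+limit?: string;
+}>;
+}>;
 }>;
 aliases?: string[];
 summary?: string;
@@ -34,6 +55,21 @@ export interface OsvVuln {
 url: string;
 }>;
 }
+/**
+* Extract the patch-available version from an OSV record (D042). Walks
+* `affected[].ranges[].events[]` in document order and returns the
+* first non-empty `fixed` event. Multiple `fixed` events can exist
+* when the advisory covers multiple version branches (e.g., a
+* vulnerability backported across 1.x and 2.x lines); the first one
+* is conventionally the lowest patch version — which is the right
+* "minimum upgrade to clear this advisory" answer for most customers.
+*
+* Returns `undefined` when no `fixed` event exists (advisory exists
+* but no patch has been released yet — customer should consider
+* mitigations rather than waiting). Returns `undefined` for the
+* pathological case of empty `affected` / `ranges` / `events` arrays.
+*/
+export declare function extractOsvFixVersion(vuln: OsvVuln): string | undefined;
 /** Enriched OSV detail returned by lookups. cvssScore is the max CVSS base
 * score across V4/V3 vectors when parseable; null otherwise. */
 export interface OsvDetail {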
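Review bot: The JSDoc on the `extractOsvFixVersion` declaration asserts that the first `fixed` event "is conventionally the lowest patch version", but nothing in the OSV schema orders `affected[]` entries or their ranges that way, so a record that lists a 2.x branch before a 1.x backport would report the higher version as the minimum upgrade. Suggest hedging that sentence to `the first one in document order — not guaranteed to be the lowest patched version across branches`, so consumers of `fixedVersion` do not treat it as a floor. The identical docblock is repeated on the implementation in the osv.js section below and should be changed in both places.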
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"osv.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/osv.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,SAAS,CAAC;AAE1E,MAAM,WAAW,OAAO;IACtB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,QAAQ,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClD,iBAAiB,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC1C,QAAQ,CAAC,EAAE,KAAK,CAAC;QACf,QAAQ,CAAC,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"osv.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/osv.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,SAAS,CAAC;AAE1E,MAAM,WAAW,OAAO;IACtB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,QAAQ,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClD,iBAAiB,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC1C,QAAQ,CAAC,EAAE,KAAK,CAAC;QACf,QAAQ,CAAC,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QAClD;;;;;;;;;;;;WAYG;QACH,MAAM,CAAC,EAAE,KAAK,CAAC;YACb,IAAI,CAAC,EAAE,MAAM,CAAC;YACd,MAAM,CAAC,EAAE,KAAK,CAAC;gBAAE,UAAU,CAAC,EAAE,MAAM,CAAC;gBAAC,KAAK,CAAC,EAAE,MAAM,CAAC;gBAAC,KAAK,CAAC,EAAE,MAAM,CAAA;aAAE,CAAC,CAAC;SACzE,CAAC,CAAC;KACJ,CAAC,CAAC;IAGH,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACpD;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM,GAAG,SAAS,CAStE;AAED;iEACiE;AACjE,MAAM,WAAW,SAAS;IACxB,QAAQ,EAAE,QAAQ,CAAC;IACnB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAKD,qCAAqC;AACrC,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAMnD;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CA2ClE;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAuBhE;AAED,wFAAwF;AACxF,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,OAAO,GAAG,QAAQ,CAW3D;AAED,yEAAyE;AACzE,MAAM,MAAM,UAAU,GAAG,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;AAsCjE;;;;;;GAMG;AACH,wBAAsB,SAAS,CAC7B,GAAG,EAAE,MAAM,EAAE,EACb,OAAO,GAAE,UAA4B,GACpC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CA6BjC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,KAAK,CAAC;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,EACpF,OAAO,GAAE,UAA4B,GACpC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC,CA6CrC;AAED;;;;;;;;;;
GAUG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,aAAa,CAAC,MAAM,CAAC,EAC1B,OAAO,GAAE,UAA4B,GACpC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAiBhC;AAED,yDAAyD;AACzD,wBAAgB,eAAe,IAAI,IAAI,CAEtC"}
|
|
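--- a/package/dist/analyzers/tools/osv.js
+++ b/package/dist/analyzers/tools/osv.js
@@ -12,6 +12,7 @@
 * The analyzer must never fail because OSV was slow.
 */
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.extractOsvFixVersion = extractOsvFixVersion;
 exports.scoreToTier = scoreToTier;
 exports.parseCvssV3BaseScore = parseCvssV3BaseScore;
 exports.extractOsvCvssScore = extractOsvCvssScore;
@@ -21,6 +22,31 @@ exports.resolveCvssScores = resolveCvssScores;
 exports.resolveAliases = resolveAliases;
 exports.__clearOsvCache = __clearOsvCache;
 const cvss_v4_1 = require("./cvss-v4");
+/**
+* Extract the patch-available version from an OSV record (D042). Walks
+* `affected[].ranges[].events[]` in document order and returns the
+* first non-empty `fixed` event. Multiple `fixed` events can exist
+* when the advisory covers multiple version branches (e.g., a
+* vulnerability backported across 1.x and 2.x lines); the first one
+* is conventionally the lowest patch version — which is the right
+* "minimum upgrade to clear this advisory" answer for most customers.
+*
+* Returns `undefined` when no `fixed` event exists (advisory exists
+* but no patch has been released yet — customer should consider
+* mitigations rather than waiting). Returns `undefined` for the
+* pathological case of empty `affected` / `ranges` / `events` arrays.
+*/
+function extractOsvFixVersion(vuln) {
+for (const affected of vuln.affected ?? []) {
+for (const range of affected.ranges ?? []) {
+for (const event of range.events ?? []) {
+if (event.fixed && event.fixed.length > 0)
+return event.fixed;
+}
+}
+}
+return undefined;
+}
 /** Process-scoped cache so repeated lookups in a session don't re-query. */
 const cache = new Map();
 /** NVD CVSS 3.x base-score bands. */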
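Review bot: `extractOsvFixVersion` returns the first `fixed` event from any range without looking at `range.type`, and OSV ranges of type `GIT` carry commit hashes in their `introduced`/`fixed` events rather than package versions, so a record whose GIT range precedes its ECOSYSTEM or SEMVER range would surface a commit hash as `fixedVersion` and be rendered as an upgrade target. Adding `if (range.type === 'GIT') continue;` as the first statement of the middle loop keeps the result a version string; `type` is already declared on the `ranges` shape in the osv.d.ts section, so no type change is needed. A short comment on the skip, e.g. `// GIT ranges hold commit hashes, not versions`, would explain the exclusion to the next reader.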
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"osv.js","sourceRoot":"","sources":["../../../src/analyzers/tools/osv.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;
|
|
1
|
+
{"version":3,"file":"osv.js","sourceRoot":"","sources":["../../../src/analyzers/tools/osv.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAoDH,oDASC;AAaD,kCAMC;AAOD,oDA2CC;AASD,kDAuBC;AAGD,kDAWC;AAgDD,8BAgCC;AAmBD,8CAgDC;AAaD,wCAoBC;AAGD,0CAEC;AAvWD,uCAAiD;AAoCjD;;;;;;;;;;;;;GAaG;AACH,SAAgB,oBAAoB,CAAC,IAAa;IAChD,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;QAC3C,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YAC1C,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;gBACvC,IAAI,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;oBAAE,OAAO,KAAK,CAAC,KAAK,CAAC;YAChE,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AASD,4EAA4E;AAC5E,MAAM,KAAK,GAAG,IAAI,GAAG,EAAqB,CAAC;AAE3C,qCAAqC;AACrC,SAAgB,WAAW,CAAC,KAAa;IACvC,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,UAAU,CAAC;IACpC,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,MAAM,CAAC;IAChC,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,QAAQ,CAAC;IAClC,IAAI,KAAK,GAAG,GAAG;QAAE,OAAO,KAAK,CAAC;IAC9B,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,SAAgB,oBAAoB,CAAC,MAAc;IACjD,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IACxC,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5C,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,CAAC,IAAI,CAAC;YAAE,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,wBAAwB;IACxB,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAElE,MAAM,SAAS,GAA2B,EAAE
,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC;IAChF,MAAM,SAAS,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;IAC/D,MAAM,WAAW,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;IAC1E,MAAM,SAAS,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC;IACvE,MAAM,SAAS,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;IAC/D,MAAM,UAAU,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;IAEtE,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;IACzB,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;IACzB,MAAM,EAAE,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IACvD,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;IACzB,MAAM,IAAI,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IAC3B,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IAC5B,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAEnF,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC;IACvD,MAAM,MAAM,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,GAAG,KAAK,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC;IAC/F,IAAI,MAAM,IAAI,CAAC;QAAE,OAAO,CAAC,CAAC;IAC1B,MAAM,cAAc,GAAG,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;IAChD,MAAM,GAAG,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,MAAM,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,cAAc,CAAC;IACnF,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAC/B,uDAAuD;IACvD,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC;AACnC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,mBAAmB,CAAC,IAAa;IAC/C,MAAM,EAAE,GAAa,EAAE,CAAC;IACxB,MAAM,EAAE,GAAa,EAAE,CAAC;IACxB,MAAM,OAAO,GAAG,CAAC,OAAgD,EAAE,EAAE;QACnE,KAAK,MAAM,CAAC,IAAI,OAAO,IAAI,EAAE,EAAE,CAAC;YAC9B,IAAI,CAAC,CAAC,CAAC,KAAK;gBAAE,SAAS;
YACvB,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS;gBAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;iBACtC,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS;gBAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QAClD,CAAC;IACH,CAAC,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACvB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,IAAI,EAAE;QAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAEzD,IAAI,QAAQ,GAAG,CAAC,CAAC,CAAC;IAClB,KAAK,MAAM,GAAG,IAAI,EAAE,EAAE,CAAC;QACrB,MAAM,KAAK,GAAG,IAAA,8BAAoB,EAAC,GAAG,CAAC,CAAC;QACxC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,GAAG,QAAQ;YAAE,QAAQ,GAAG,KAAK,CAAC;IAC3D,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,EAAE,EAAE,CAAC;QACrB,MAAM,KAAK,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,GAAG,QAAQ;YAAE,QAAQ,GAAG,KAAK,CAAC;IAC3D,CAAC;IACD,OAAO,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;AACzC,CAAC;AAED,wFAAwF;AACxF,SAAgB,mBAAmB,CAAC,IAAa;IAC/C,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACxC,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC;IAE9C,uEAAuE;IACvE,MAAM,EAAE,GAAG,IAAI,CAAC,iBAAiB,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;IAC3D,IAAI,EAAE,KAAK,UAAU;QAAE,OAAO,UAAU,CAAC;IACzC,IAAI,EAAE,KAAK,MAAM;QAAE,OAAO,MAAM,CAAC;IACjC,IAAI,EAAE,KAAK,QAAQ,IAAI,EAAE,KAAK,UAAU;QAAE,OAAO,QAAQ,CAAC;IAC1D,IAAI,EAAE,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAC/B,OAAO,SAAS,CAAC;AACnB,CAAC;AAKD;;;;GAIG;AACH,MAAM,sBAAsB,GAAG,KAAK,CAAC;AAErC;;;;;;;GAOG;AACH,SAAS,iBAAiB,CAAC,EAAU;IACnC,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,OAAO,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IACvE,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,MAAM,eAAe,GAAe,KAAK,EAAE,EAAE,EAAE,EAAE;IAC/C,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,iBAAiB,CAAC,EAAE,CAAC,CAAC;QACzC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,gCAAgC,kBAAkB,CAAC,UAAU,CAAC,EAAE,EAAE;YACxF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,sBAAsB,CAAC;SACpD,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QACzB,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAY,CAAC;IACvC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC;YAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,EAAE,KAAM,GAAa,CAAC,OAAO,IAAI,CAAC,CA
AC,CAAC,UAAU;QACpF,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC,CAAC;AAEF;;;;;;GAMG;AACI,KAAK,UAAU,SAAS,CAC7B,GAAa,EACb,UAAsB,eAAe;IAErC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAqB,CAAC;IAC5C,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,IAAI,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;YAClB,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,CAAC,GAAG,CAAC,EAAE,CAAE,CAAC,CAAC;QACjC,CAAC;aAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAExC,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CACtC,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;QACvB,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;QAC/B,MAAM,MAAM,GAAc,IAAI;YAC5B,CAAC,CAAC,EAAE,QAAQ,EAAE,mBAAmB,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,mBAAmB,CAAC,IAAI,CAAC,EAAE;YAC/E,CAAC,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QAC7C,OAAO,CAAC,EAAE,EAAE,MAAM,CAAU,CAAC;IAC/B,CAAC,CAAC,CACH,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAC7B,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC;YAC7B,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;YACtB,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACI,KAAK,UAAU,iBAAiB,CACrC,MAAoF,EACpF,UAAsB,eAAe;IAErC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAyB,CAAC;IAChD,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,IAAI,GAAG,CAAC,YAAY,KAAK,IAAI,EAAE,CAAC;YAC9B,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,YAAY,CAAC,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;YAChC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IACD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAE7C,MAAM,eAAe,GAAG,MAAM,SAAS,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAC/D,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,IAAI,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,IAAI;YAAE,SAAS;QACjD,MAAM,CAAC,GAAG,eAAe,C
AAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC;QACxD,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;YAClC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;QAC/B,CAAC;aAAM,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IACD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAE7C,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAoB,CAAC;IACrD,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC;YAAE,SAAS;QACpD,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,OAAO;YAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAC/C,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,aAAa,GAAG,MAAM,SAAS,CAAC,CAAC,GAAG,UAAU,CAAC,EAAE,OAAO,CAAC,CAAC;IAChE,KAAK,MAAM,SAAS,IAAI,YAAY,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;QACtD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,SAAS,CAAC;YAC9C,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;gBAClC,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;gBACzB,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;GAUG;AACI,KAAK,UAAU,cAAc,CAClC,GAA0B,EAC1B,UAAsB,eAAe;IAErC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAoB,CAAC;IAC3C,MAAM,SAAS,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IACpC,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAC1C,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CACtC,SAAS,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;QACzB,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;QAC/B,OAAO,CAAC,EAAE,EAAE,IAAI,EAAE,OAAO,IAAI,EAAE,CAAU,CAAC;IAC5C,CAAC,CAAC,CACH,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAC7B,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC;YAC9B,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,yDAAyD;AACzD,SAAgB,eAAe;IAC7B,KAAK,CAAC,KAAK,EAAE,CAAC;AAChB,CAAC"}
|
|
@@ -21,5 +21,5 @@
21
21
* pre-C.7, including the exact `toolsUnavailable` phrasings.
22
22
*/
23
23
import { HealthMetrics } from '../types';
24
-
export declare function gatherLayer2Parallel(cwd: string, _verbose?: boolean): Partial<HealthMetrics
24
+
export declare function gatherLayer2Parallel(cwd: string, _verbose?: boolean): Promise<Partial<HealthMetrics>>;
25
25
//# sourceMappingURL=parallel.d.ts.map
@@ -1 +1 @@
1
-
{"version":3,"file":"parallel.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/parallel.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAKzC,
1
+
{"version":3,"file":"parallel.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/parallel.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAKzC,wBAAsB,oBAAoB,CACxC,GAAG,EAAE,MAAM,EACX,QAAQ,UAAQ,GACf,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAgCjC"}
@@ -4,7 +4,7 @@ exports.gatherLayer2Parallel = gatherLayer2Parallel;
4
4
const cloc_1 = require("./cloc");
5
5
const gitleaks_1 = require("./gitleaks");
6
6
const graphify_1 = require("./graphify");
7
-
function gatherLayer2Parallel(cwd, _verbose = false) {
7
+
async function gatherLayer2Parallel(cwd, _verbose = false) {
8
8
const clocPartial = (0, cloc_1.gatherClocMetrics)(cwd);
9
9
const toolsUsed = [...(clocPartial.toolsUsed ?? [])];
10
10
const toolsUnavailable = [...(clocPartial.toolsUnavailable ?? [])];
@@ -18,7 +18,7 @@ function gatherLayer2Parallel(cwd, _verbose = false) {
18
18
// the pre-C.7 string the report surfaces.
19
19
toolsUnavailable.push(gitleaks.reason === 'not installed' ? 'gitleaks' : `gitleaks (${gitleaks.reason})`);
20
20
}
21
|
-
const graphify = (0, graphify_1.gatherGraphifyResult)(cwd);
21
+
const graphify = await (0, graphify_1.gatherGraphifyResult)(cwd);
22
22
if (graphify.kind === 'success') {
23
23
toolsUsed.push('graphify');
24
24
}
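Review bot: Making gatherLayer2Parallel `async` and awaiting `gatherGraphifyResult(cwd)` on new line 21 keeps cloc, gitleaks and graphify strictly sequential, so despite the function's name nothing in this body runs concurrently. If overlap is the goal, the graphify call can be started before the synchronous gitleaks step and awaited afterwards — `const graphifyPromise = (0, graphify_1.gatherGraphifyResult)(cwd);` near the top and `const graphify = await graphifyPromise;` in place of line 21 — which lets the graphify work proceed while the gitleaks scan runs, assuming gatherGraphifyResult does its work asynchronously rather than blocking. Separately, the signature change means every caller now receives a Promise; the callers are not in this diff, so I cannot confirm they were all updated, but any that still read `toolsUsed` or `toolsUnavailable` synchronously would now see `undefined` instead of an error, and the gitleaks `toolsUnavailable` entry would silently vanish from the report. The body of gatherLayer2Parallel continues past the end of this hunk.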
@@ -1 +1 @@
1
-
{"version":3,"file":"parallel.js","sourceRoot":"","sources":["../../../src/analyzers/tools/parallel.ts"],"names":[],"mappings":";;AA2BA,
1
+
{"version":3,"file":"parallel.js","sourceRoot":"","sources":["../../../src/analyzers/tools/parallel.ts"],"names":[],"mappings":";;AA2BA,oDAmCC;AAvCD,iCAA2C;AAC3C,yCAAkD;AAClD,yCAAkD;AAE3C,KAAK,UAAU,oBAAoB,CACxC,GAAW,EACX,QAAQ,GAAG,KAAK;IAEhB,MAAM,WAAW,GAAG,IAAA,wBAAiB,EAAC,GAAG,CAAC,CAAC;IAE3C,MAAM,SAAS,GAAa,CAAC,GAAG,CAAC,WAAW,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,CAAC;IAC/D,MAAM,gBAAgB,GAAa,CAAC,GAAG,CAAC,WAAW,CAAC,gBAAgB,IAAI,EAAE,CAAC,CAAC,CAAC;IAE7E,MAAM,QAAQ,GAAG,IAAA,+BAAoB,EAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAChC,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,kEAAkE;QAClE,iEAAiE;QACjE,0CAA0C;QAC1C,gBAAgB,CAAC,IAAI,CACnB,QAAQ,CAAC,MAAM,KAAK,eAAe,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,aAAa,QAAQ,CAAC,MAAM,GAAG,CACnF,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,IAAA,+BAAoB,EAAC,GAAG,CAAC,CAAC;IACjD,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAChC,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,gBAAgB,CAAC,IAAI,CAAC,aAAa,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IACzD,CAAC;IAED,OAAO;QACL,WAAW,EAAE,WAAW,CAAC,WAAW;QACpC,UAAU,EAAE,WAAW,CAAC,UAAU;QAClC,aAAa,EAAE,WAAW,CAAC,aAAa;QACxC,SAAS;QACT,gBAAgB;KACjB,CAAC;AACJ,CAAC"}