@vyuhlabs/dxkit 2.4.5 → 2.4.7

Files changed (356) hide show
  1. package/CHANGELOG.md +1022 -0
  2. package/README.md +160 -45
  3. package/dist/analysis-result.d.ts +112 -0
  4. package/dist/analysis-result.d.ts.map +1 -0
  5. package/dist/analysis-result.js +52 -0
  6. package/dist/analysis-result.js.map +1 -0
  7. package/dist/analyzers/bom/detailed.d.ts.map +1 -1
  8. package/dist/analyzers/bom/detailed.js +19 -0
  9. package/dist/analyzers/bom/detailed.js.map +1 -1
  10. package/dist/analyzers/bom/gather.d.ts +27 -26
  11. package/dist/analyzers/bom/gather.d.ts.map +1 -1
  12. package/dist/analyzers/bom/gather.js +26 -87
  13. package/dist/analyzers/bom/gather.js.map +1 -1
  14. package/dist/analyzers/bom/index.d.ts +0 -7
  15. package/dist/analyzers/bom/index.d.ts.map +1 -1
  16. package/dist/analyzers/bom/index.js +98 -48
  17. package/dist/analyzers/bom/index.js.map +1 -1
  18. package/dist/analyzers/bom/types.d.ts +11 -13
  19. package/dist/analyzers/bom/types.d.ts.map +1 -1
  20. package/dist/analyzers/cache.d.ts +95 -0
  21. package/dist/analyzers/cache.d.ts.map +1 -0
  22. package/dist/analyzers/cache.js +309 -0
  23. package/dist/analyzers/cache.js.map +1 -0
  24. package/dist/analyzers/coverage-runner.d.ts +56 -0
  25. package/dist/analyzers/coverage-runner.d.ts.map +1 -0
  26. package/dist/analyzers/coverage-runner.js +72 -0
  27. package/dist/analyzers/coverage-runner.js.map +1 -0
  28. package/dist/analyzers/dashboard/index.d.ts +24 -0
  29. package/dist/analyzers/dashboard/index.d.ts.map +1 -0
  30. package/dist/analyzers/dashboard/index.js +666 -0
  31. package/dist/analyzers/dashboard/index.js.map +1 -0
  32. package/dist/analyzers/developer/gather.d.ts.map +1 -1
  33. package/dist/analyzers/developer/gather.js +205 -37
  34. package/dist/analyzers/developer/gather.js.map +1 -1
  35. package/dist/analyzers/developer/index.d.ts +1 -1
  36. package/dist/analyzers/developer/index.d.ts.map +1 -1
  37. package/dist/analyzers/developer/index.js +19 -8
  38. package/dist/analyzers/developer/index.js.map +1 -1
  39. package/dist/analyzers/dispatcher.d.ts +37 -0
  40. package/dist/analyzers/dispatcher.d.ts.map +1 -1
  41. package/dist/analyzers/dispatcher.js +56 -9
  42. package/dist/analyzers/dispatcher.js.map +1 -1
  43. package/dist/analyzers/docs/shallow.d.ts +17 -5
  44. package/dist/analyzers/docs/shallow.d.ts.map +1 -1
  45. package/dist/analyzers/docs/shallow.js +65 -2
  46. package/dist/analyzers/docs/shallow.js.map +1 -1
  47. package/dist/analyzers/dx/shallow.d.ts +17 -5
  48. package/dist/analyzers/dx/shallow.d.ts.map +1 -1
  49. package/dist/analyzers/dx/shallow.js +66 -2
  50. package/dist/analyzers/dx/shallow.js.map +1 -1
  51. package/dist/analyzers/health/actions.d.ts +1 -1
  52. package/dist/analyzers/health/actions.d.ts.map +1 -1
  53. package/dist/analyzers/health/actions.js +27 -9
  54. package/dist/analyzers/health/actions.js.map +1 -1
  55. package/dist/analyzers/health/detailed.d.ts +2 -1
  56. package/dist/analyzers/health/detailed.d.ts.map +1 -1
  57. package/dist/analyzers/health/detailed.js +11 -7
  58. package/dist/analyzers/health/detailed.js.map +1 -1
  59. package/dist/analyzers/health.d.ts +27 -0
  60. package/dist/analyzers/health.d.ts.map +1 -1
  61. package/dist/analyzers/health.js +271 -33
  62. package/dist/analyzers/health.js.map +1 -1
  63. package/dist/analyzers/licenses/gather.d.ts +35 -8
  64. package/dist/analyzers/licenses/gather.d.ts.map +1 -1
  65. package/dist/analyzers/licenses/gather.js +70 -13
  66. package/dist/analyzers/licenses/gather.js.map +1 -1
  67. package/dist/analyzers/licenses/index.d.ts +1 -1
  68. package/dist/analyzers/licenses/index.d.ts.map +1 -1
  69. package/dist/analyzers/licenses/index.js +52 -11
  70. package/dist/analyzers/licenses/index.js.map +1 -1
  71. package/dist/analyzers/licenses/types.d.ts +15 -0
  72. package/dist/analyzers/licenses/types.d.ts.map +1 -1
  73. package/dist/analyzers/maintainability/shallow.d.ts +17 -5
  74. package/dist/analyzers/maintainability/shallow.d.ts.map +1 -1
  75. package/dist/analyzers/maintainability/shallow.js +80 -2
  76. package/dist/analyzers/maintainability/shallow.js.map +1 -1
  77. package/dist/analyzers/quality/detailed.d.ts.map +1 -1
  78. package/dist/analyzers/quality/detailed.js +4 -6
  79. package/dist/analyzers/quality/detailed.js.map +1 -1
  80. package/dist/analyzers/quality/gather.d.ts +1 -14
  81. package/dist/analyzers/quality/gather.d.ts.map +1 -1
  82. package/dist/analyzers/quality/gather.js +48 -137
  83. package/dist/analyzers/quality/gather.js.map +1 -1
  84. package/dist/analyzers/quality/index.d.ts +9 -2
  85. package/dist/analyzers/quality/index.d.ts.map +1 -1
  86. package/dist/analyzers/quality/index.js +189 -117
  87. package/dist/analyzers/quality/index.js.map +1 -1
  88. package/dist/analyzers/quality/shallow.d.ts +50 -5
  89. package/dist/analyzers/quality/shallow.d.ts.map +1 -1
  90. package/dist/analyzers/quality/shallow.js +155 -2
  91. package/dist/analyzers/quality/shallow.js.map +1 -1
  92. package/dist/analyzers/quality/types.d.ts +14 -0
  93. package/dist/analyzers/quality/types.d.ts.map +1 -1
  94. package/dist/analyzers/security/actions.d.ts +11 -4
  95. package/dist/analyzers/security/actions.d.ts.map +1 -1
  96. package/dist/analyzers/security/actions.js +87 -37
  97. package/dist/analyzers/security/actions.js.map +1 -1
  98. package/dist/analyzers/security/aggregator.d.ts +236 -0
  99. package/dist/analyzers/security/aggregator.d.ts.map +1 -0
  100. package/dist/analyzers/security/aggregator.js +347 -0
  101. package/dist/analyzers/security/aggregator.js.map +1 -0
  102. package/dist/analyzers/security/detailed.d.ts +2 -2
  103. package/dist/analyzers/security/detailed.d.ts.map +1 -1
  104. package/dist/analyzers/security/detailed.js +10 -9
  105. package/dist/analyzers/security/detailed.js.map +1 -1
  106. package/dist/analyzers/security/gather.d.ts +103 -1
  107. package/dist/analyzers/security/gather.d.ts.map +1 -1
  108. package/dist/analyzers/security/gather.js +281 -9
  109. package/dist/analyzers/security/gather.js.map +1 -1
  110. package/dist/analyzers/security/index.d.ts +15 -0
  111. package/dist/analyzers/security/index.d.ts.map +1 -1
  112. package/dist/analyzers/security/index.js +463 -50
  113. package/dist/analyzers/security/index.js.map +1 -1
  114. package/dist/analyzers/security/shallow.d.ts +50 -6
  115. package/dist/analyzers/security/shallow.d.ts.map +1 -1
  116. package/dist/analyzers/security/shallow.js +154 -2
  117. package/dist/analyzers/security/shallow.js.map +1 -1
  118. package/dist/analyzers/security/types.d.ts +51 -0
  119. package/dist/analyzers/security/types.d.ts.map +1 -1
  120. package/dist/analyzers/tests/detailed.d.ts.map +1 -1
  121. package/dist/analyzers/tests/detailed.js +2 -3
  122. package/dist/analyzers/tests/detailed.js.map +1 -1
  123. package/dist/analyzers/tests/gather.d.ts +2 -1
  124. package/dist/analyzers/tests/gather.d.ts.map +1 -1
  125. package/dist/analyzers/tests/gather.js +98 -69
  126. package/dist/analyzers/tests/gather.js.map +1 -1
  127. package/dist/analyzers/tests/index.d.ts +11 -2
  128. package/dist/analyzers/tests/index.d.ts.map +1 -1
  129. package/dist/analyzers/tests/index.js +85 -18
  130. package/dist/analyzers/tests/index.js.map +1 -1
  131. package/dist/analyzers/tests/shallow.d.ts +19 -5
  132. package/dist/analyzers/tests/shallow.d.ts.map +1 -1
  133. package/dist/analyzers/tests/shallow.js +89 -2
  134. package/dist/analyzers/tests/shallow.js.map +1 -1
  135. package/dist/analyzers/tests/types.d.ts +41 -1
  136. package/dist/analyzers/tests/types.d.ts.map +1 -1
  137. package/dist/analyzers/tools/autogen-header.d.ts +8 -0
  138. package/dist/analyzers/tools/autogen-header.d.ts.map +1 -0
  139. package/dist/analyzers/tools/autogen-header.js +107 -0
  140. package/dist/analyzers/tools/autogen-header.js.map +1 -0
  141. package/dist/analyzers/tools/cloc.d.ts.map +1 -1
  142. package/dist/analyzers/tools/cloc.js +36 -5
  143. package/dist/analyzers/tools/cloc.js.map +1 -1
  144. package/dist/analyzers/tools/coverage.d.ts +1 -1
  145. package/dist/analyzers/tools/coverage.d.ts.map +1 -1
  146. package/dist/analyzers/tools/coverage.js.map +1 -1
  147. package/dist/analyzers/tools/debug-statements.d.ts +17 -0
  148. package/dist/analyzers/tools/debug-statements.d.ts.map +1 -0
  149. package/dist/analyzers/tools/debug-statements.js +58 -0
  150. package/dist/analyzers/tools/debug-statements.js.map +1 -0
  151. package/dist/analyzers/tools/default-exclusions.gitignore +28 -0
  152. package/dist/analyzers/tools/exclusions.d.ts +33 -6
  153. package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
  154. package/dist/analyzers/tools/exclusions.js +95 -26
  155. package/dist/analyzers/tools/exclusions.js.map +1 -1
  156. package/dist/analyzers/tools/generic.d.ts +17 -2
  157. package/dist/analyzers/tools/generic.d.ts.map +1 -1
  158. package/dist/analyzers/tools/generic.js +206 -109
  159. package/dist/analyzers/tools/generic.js.map +1 -1
  160. package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
  161. package/dist/analyzers/tools/gitleaks.js +48 -1
  162. package/dist/analyzers/tools/gitleaks.js.map +1 -1
  163. package/dist/analyzers/tools/graphify.d.ts +30 -2
  164. package/dist/analyzers/tools/graphify.d.ts.map +1 -1
  165. package/dist/analyzers/tools/graphify.js +131 -15
  166. package/dist/analyzers/tools/graphify.js.map +1 -1
  167. package/dist/analyzers/tools/jscpd.d.ts +12 -2
  168. package/dist/analyzers/tools/jscpd.d.ts.map +1 -1
  169. package/dist/analyzers/tools/jscpd.js +129 -6
  170. package/dist/analyzers/tools/jscpd.js.map +1 -1
  171. package/dist/analyzers/tools/minified-detection.d.ts +9 -0
  172. package/dist/analyzers/tools/minified-detection.d.ts.map +1 -0
  173. package/dist/analyzers/tools/minified-detection.js +147 -0
  174. package/dist/analyzers/tools/minified-detection.js.map +1 -0
  175. package/dist/analyzers/tools/nuget-package-reference.d.ts +131 -0
  176. package/dist/analyzers/tools/nuget-package-reference.d.ts.map +1 -0
  177. package/dist/analyzers/tools/nuget-package-reference.js +175 -0
  178. package/dist/analyzers/tools/nuget-package-reference.js.map +1 -0
  179. package/dist/analyzers/tools/osv-scanner-deps.d.ts +48 -0
  180. package/dist/analyzers/tools/osv-scanner-deps.d.ts.map +1 -0
  181. package/dist/analyzers/tools/{osv-scanner-maven.js → osv-scanner-deps.js} +78 -46
  182. package/dist/analyzers/tools/osv-scanner-deps.js.map +1 -0
  183. package/dist/analyzers/tools/osv.d.ts +36 -0
  184. package/dist/analyzers/tools/osv.d.ts.map +1 -1
  185. package/dist/analyzers/tools/osv.js +26 -0
  186. package/dist/analyzers/tools/osv.js.map +1 -1
  187. package/dist/analyzers/tools/parallel.d.ts +1 -1
  188. package/dist/analyzers/tools/parallel.d.ts.map +1 -1
  189. package/dist/analyzers/tools/parallel.js +2 -2
  190. package/dist/analyzers/tools/parallel.js.map +1 -1
  191. package/dist/analyzers/tools/risk-score.d.ts +7 -0
  192. package/dist/analyzers/tools/risk-score.d.ts.map +1 -1
  193. package/dist/analyzers/tools/risk-score.js +9 -2
  194. package/dist/analyzers/tools/risk-score.js.map +1 -1
  195. package/dist/analyzers/tools/run-tests-helper.d.ts +43 -0
  196. package/dist/analyzers/tools/run-tests-helper.d.ts.map +1 -0
  197. package/dist/analyzers/tools/run-tests-helper.js +156 -0
  198. package/dist/analyzers/tools/run-tests-helper.js.map +1 -0
  199. package/dist/analyzers/tools/runner.d.ts.map +1 -1
  200. package/dist/analyzers/tools/runner.js +75 -12
  201. package/dist/analyzers/tools/runner.js.map +1 -1
  202. package/dist/analyzers/tools/semgrep.d.ts +39 -2
  203. package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
  204. package/dist/analyzers/tools/semgrep.js +131 -9
  205. package/dist/analyzers/tools/semgrep.js.map +1 -1
  206. package/dist/analyzers/tools/timing.d.ts +17 -3
  207. package/dist/analyzers/tools/timing.d.ts.map +1 -1
  208. package/dist/analyzers/tools/timing.js +36 -14
  209. package/dist/analyzers/tools/timing.js.map +1 -1
  210. package/dist/analyzers/tools/tool-registry.d.ts +10 -0
  211. package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
  212. package/dist/analyzers/tools/tool-registry.js +120 -1
  213. package/dist/analyzers/tools/tool-registry.js.map +1 -1
  214. package/dist/analyzers/tools/tools-unavailable-prose.d.ts +18 -0
  215. package/dist/analyzers/tools/tools-unavailable-prose.d.ts.map +1 -0
  216. package/dist/analyzers/tools/tools-unavailable-prose.js +69 -0
  217. package/dist/analyzers/tools/tools-unavailable-prose.js.map +1 -0
  218. package/dist/analyzers/tools/upgrade-plan-resolver.d.ts.map +1 -1
  219. package/dist/analyzers/tools/upgrade-plan-resolver.js +7 -0
  220. package/dist/analyzers/tools/upgrade-plan-resolver.js.map +1 -1
  221. package/dist/analyzers/tools/vendored-advisor.d.ts +43 -0
  222. package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -0
  223. package/dist/analyzers/tools/vendored-advisor.js +107 -0
  224. package/dist/analyzers/tools/vendored-advisor.js.map +1 -0
  225. package/dist/analyzers/tools/walk-paths.d.ts +78 -0
  226. package/dist/analyzers/tools/walk-paths.d.ts.map +1 -0
  227. package/dist/analyzers/tools/walk-paths.js +150 -0
  228. package/dist/analyzers/tools/walk-paths.js.map +1 -0
  229. package/dist/analyzers/tools/walk-source-files.d.ts +70 -0
  230. package/dist/analyzers/tools/walk-source-files.d.ts.map +1 -0
  231. package/dist/analyzers/tools/walk-source-files.js +369 -0
  232. package/dist/analyzers/tools/walk-source-files.js.map +1 -0
  233. package/dist/analyzers/types.d.ts +204 -4
  234. package/dist/analyzers/types.d.ts.map +1 -1
  235. package/dist/analyzers/xlsx/bom.d.ts.map +1 -1
  236. package/dist/analyzers/xlsx/bom.js +8 -1
  237. package/dist/analyzers/xlsx/bom.js.map +1 -1
  238. package/dist/cli.d.ts.map +1 -1
  239. package/dist/cli.js +557 -189
  240. package/dist/cli.js.map +1 -1
  241. package/dist/constants.d.ts +1 -0
  242. package/dist/constants.d.ts.map +1 -1
  243. package/dist/detect.d.ts.map +1 -1
  244. package/dist/detect.js +24 -7
  245. package/dist/detect.js.map +1 -1
  246. package/dist/doctor.d.ts.map +1 -1
  247. package/dist/doctor.js +103 -53
  248. package/dist/doctor.js.map +1 -1
  249. package/dist/languages/capabilities/provider.d.ts +130 -1
  250. package/dist/languages/capabilities/provider.d.ts.map +1 -1
  251. package/dist/languages/capabilities/types.d.ts +68 -7
  252. package/dist/languages/capabilities/types.d.ts.map +1 -1
  253. package/dist/languages/csharp.d.ts +15 -1
  254. package/dist/languages/csharp.d.ts.map +1 -1
  255. package/dist/languages/csharp.js +624 -146
  256. package/dist/languages/csharp.js.map +1 -1
  257. package/dist/languages/go.d.ts.map +1 -1
  258. package/dist/languages/go.js +89 -11
  259. package/dist/languages/go.js.map +1 -1
  260. package/dist/languages/index.d.ts +131 -2
  261. package/dist/languages/index.d.ts.map +1 -1
  262. package/dist/languages/index.js +208 -0
  263. package/dist/languages/index.js.map +1 -1
  264. package/dist/languages/java.d.ts.map +1 -1
  265. package/dist/languages/java.js +121 -32
  266. package/dist/languages/java.js.map +1 -1
  267. package/dist/languages/kotlin.d.ts.map +1 -1
  268. package/dist/languages/kotlin.js +140 -32
  269. package/dist/languages/kotlin.js.map +1 -1
  270. package/dist/languages/python.d.ts.map +1 -1
  271. package/dist/languages/python.js +149 -44
  272. package/dist/languages/python.js.map +1 -1
  273. package/dist/languages/ruby.d.ts +115 -0
  274. package/dist/languages/ruby.d.ts.map +1 -0
  275. package/dist/languages/ruby.js +665 -0
  276. package/dist/languages/ruby.js.map +1 -0
  277. package/dist/languages/rust.d.ts.map +1 -1
  278. package/dist/languages/rust.js +103 -16
  279. package/dist/languages/rust.js.map +1 -1
  280. package/dist/languages/types.d.ts +228 -5
  281. package/dist/languages/types.d.ts.map +1 -1
  282. package/dist/languages/typescript.d.ts.map +1 -1
  283. package/dist/languages/typescript.js +201 -14
  284. package/dist/languages/typescript.js.map +1 -1
  285. package/dist/scoring/dimensions/documentation.d.ts +53 -0
  286. package/dist/scoring/dimensions/documentation.d.ts.map +1 -0
  287. package/dist/scoring/dimensions/documentation.js +106 -0
  288. package/dist/scoring/dimensions/documentation.js.map +1 -0
  289. package/dist/scoring/dimensions/dx.d.ts +53 -0
  290. package/dist/scoring/dimensions/dx.d.ts.map +1 -0
  291. package/dist/scoring/dimensions/dx.js +105 -0
  292. package/dist/scoring/dimensions/dx.js.map +1 -0
  293. package/dist/scoring/dimensions/maintainability.d.ts +53 -0
  294. package/dist/scoring/dimensions/maintainability.d.ts.map +1 -0
  295. package/dist/scoring/dimensions/maintainability.js +101 -0
  296. package/dist/scoring/dimensions/maintainability.js.map +1 -0
  297. package/dist/scoring/dimensions/quality.d.ts +108 -0
  298. package/dist/scoring/dimensions/quality.d.ts.map +1 -0
  299. package/dist/scoring/dimensions/quality.js +174 -0
  300. package/dist/scoring/dimensions/quality.js.map +1 -0
  301. package/dist/scoring/dimensions/security.d.ts +84 -0
  302. package/dist/scoring/dimensions/security.d.ts.map +1 -0
  303. package/dist/scoring/dimensions/security.js +135 -0
  304. package/dist/scoring/dimensions/security.js.map +1 -0
  305. package/dist/scoring/dimensions/testing.d.ts +56 -0
  306. package/dist/scoring/dimensions/testing.d.ts.map +1 -0
  307. package/dist/scoring/dimensions/testing.js +98 -0
  308. package/dist/scoring/dimensions/testing.js.map +1 -0
  309. package/dist/scoring/evaluator.d.ts +27 -0
  310. package/dist/scoring/evaluator.d.ts.map +1 -0
  311. package/dist/scoring/evaluator.js +124 -0
  312. package/dist/scoring/evaluator.js.map +1 -0
  313. package/dist/scoring/format.d.ts +34 -0
  314. package/dist/scoring/format.d.ts.map +1 -0
  315. package/dist/scoring/format.js +63 -0
  316. package/dist/scoring/format.js.map +1 -0
  317. package/dist/scoring/index.d.ts +37 -0
  318. package/dist/scoring/index.d.ts.map +1 -0
  319. package/dist/scoring/index.js +57 -0
  320. package/dist/scoring/index.js.map +1 -0
  321. package/dist/scoring/overall.d.ts +54 -0
  322. package/dist/scoring/overall.d.ts.map +1 -0
  323. package/dist/scoring/overall.js +76 -0
  324. package/dist/scoring/overall.js.map +1 -0
  325. package/dist/scoring/result.d.ts +111 -0
  326. package/dist/scoring/result.d.ts.map +1 -0
  327. package/dist/scoring/result.js +14 -0
  328. package/dist/scoring/result.js.map +1 -0
  329. package/dist/scoring/spec.d.ts +76 -0
  330. package/dist/scoring/spec.d.ts.map +1 -0
  331. package/dist/scoring/spec.js +22 -0
  332. package/dist/scoring/spec.js.map +1 -0
  333. package/dist/scoring/thresholds.d.ts +56 -0
  334. package/dist/scoring/thresholds.d.ts.map +1 -0
  335. package/dist/scoring/thresholds.js +75 -0
  336. package/dist/scoring/thresholds.js.map +1 -0
  337. package/dist/tools-cli.d.ts.map +1 -1
  338. package/dist/tools-cli.js +21 -2
  339. package/dist/tools-cli.js.map +1 -1
  340. package/dist/types.d.ts +17 -1
  341. package/dist/types.d.ts.map +1 -1
  342. package/package.json +1 -1
  343. package/templates/.claude/commands/dashboard.md +17 -9
  344. package/templates/.claude/rules/ruby.md +11 -0
  345. package/templates/configs/ruby/README.md +6 -0
  346. package/dist/analyzers/scoring.d.ts +0 -49
  347. package/dist/analyzers/scoring.d.ts.map +0 -1
  348. package/dist/analyzers/scoring.js +0 -422
  349. package/dist/analyzers/scoring.js.map +0 -1
  350. package/dist/analyzers/security/scoring.d.ts +0 -29
  351. package/dist/analyzers/security/scoring.d.ts.map +0 -1
  352. package/dist/analyzers/security/scoring.js +0 -40
  353. package/dist/analyzers/security/scoring.js.map +0 -1
  354. package/dist/analyzers/tools/osv-scanner-maven.d.ts +0 -42
  355. package/dist/analyzers/tools/osv-scanner-maven.d.ts.map +0 -1
  356. package/dist/analyzers/tools/osv-scanner-maven.js.map +0 -1
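--- a/package/dist/analyzers/tools/nuget-package-reference.js
+++ b/package/dist/analyzers/tools/nuget-package-reference.js
@@ -0,0 +1,175 @@
+ "use strict";
+ /**
+ * Direct `<PackageReference>` parser — D025f (2.4.7).
+ *
+ * Extracts NuGet PackageReference entries from `.csproj` XML text
+ * without invoking `dotnet restore` or any other .NET toolchain. The
+ * output feeds an ad-hoc `packages.lock.json`-shaped file that
+ * osv-scanner ingests via `--lockfile=<path>` (the file MUST be
+ * literally named `packages.lock.json` — osv-scanner v2.x detects the
+ * NuGet ecosystem by filename, not by a prefix). This closes the D036
+ * customer-outcome gap on dpl-studio (where `dotnet list package`
+ * couldn't run from a multi-project parent directory).
+ *
+ * Lives under `src/analyzers/tools/` (alongside `osv-scanner-deps.ts`,
+ * `jacoco.ts`, `npm-registry.ts`, `cvss-v4.ts`) — CLAUDE.md rule #6
+ * keeps each language pack as a single file; ecosystem-specific tool
+ * helpers consumed by one or more packs go in `analyzers/tools/`.
+ * csharp.ts imports this module the same way it already imports
+ * `osv` and `osv-scanner-deps`.
+ *
+ * Architectural rationale:
+ *
+ * D025c (Sprint A) routed the gather through `findTool(TOOL_DEFS
+ * ['dotnet-format'])` so users with `~/.dotnet/dotnet` (the
+ * Microsoft-recommended non-sudo install) got dotnet discovered.
+ * That fix was necessary but not sufficient: `dotnet list package
+ * --vulnerable` still requires an explicit `.csproj`/`.sln` in cwd,
+ * and dpl-studio's `Code/Source/Dev/Core/<Module>/<Module>.csproj`
+ * layout puts the project files 3 levels deeper than the natural
+ * `dxkit vulnerabilities Code/Source/` cwd.
+ *
+ * D025f sidesteps the dotnet CLI entirely. We walk every `.csproj`
+ * reachable from cwd (depth 5, matching csharp.detect()), parse
+ * each, and feed the union to osv-scanner via a synthetic lockfile.
+ * Cross-platform — `net9.0-windows` targets that won't restore on
+ * Linux/Mac still get scanned.
+ *
+ * Trade-off: this catches DIRECT PackageReferences only. Transitive
+ * deps (resolved by NuGet's dep graph from each direct ref's own
+ * dependencies) are NOT visible without a populated
+ * `project.assets.json`. Industry studies put ~80% of typical
+ * .NET CVE surface on direct refs; the remaining ~20% (transitives)
+ * land cleanly when `dotnet restore` is available and the
+ * dotnet-path-resolved D025c codepath runs.
+ *
+ * Shared with D031: the licenses degraded-inventory fallback uses the
+ * same parser to produce a "133 packages identified; license info
+ * unavailable" rendering when `nuget-license` isn't installed.
+ *
+ * Pure function. No I/O. Tested via a fixture suite of representative
+ * .csproj shapes (attribute-form, element-form, Central Package
+ * Management, conditional `<ItemGroup>` blocks).
+ */
+ Object.defineProperty(exports, "__esModule", { value: true });
+ exports.parseCsprojPackageReferences = parseCsprojPackageReferences;
+ exports.buildNugetAdhocLockfile = buildNugetAdhocLockfile;
+ /**
+ * Match shapes (in priority order):
+ *
+ * 1. `<PackageReference Include="Foo" Version="1.0.0" />` — most
+ * common; attributes can appear in any order (also matched
+ * `Version="1.0.0" Include="Foo"`).
+ * 2. `<PackageReference Include="Foo"><Version>1.0.0</Version>
+ * </PackageReference>` — element-form, equivalent semantics;
+ * common in repos that prefer multiline configs or use child
+ * elements for `<PrivateAssets>`/`<IncludeAssets>` siblings.
+ * 3. `<PackageReference Include="Foo" />` WITHOUT Version — Central
+ * Package Management (CPM): the version comes from a separate
+ * `Directory.Packages.props` file. Skipped here; the CPM-aware
+ * pass (a future enhancement) would resolve them.
+ *
+ * Skipped shapes:
+ *
+ * - `<PackageReference Update="Foo" Version="..." />` — CPM
+ * override syntax for transitive pins; NOT a direct reference.
+ * - `<GlobalPackageReference ... />` — CPM-only; pins all projects.
+ * Not a direct reference of this csproj.
+ * - Comments / CDATA — best-effort; the regex is generous and
+ * can theoretically match `<!-- <PackageReference ... -->`
+ * comments; users with literal PackageReference strings inside
+ * comments would get false positives. Acceptable: pathological
+ * case, and osv-scanner won't surface advisories for non-real
+ * packages, so the worst case is a wasted scan entry.
+ */
+ function parseCsprojPackageReferences(xml) {
+ const out = [];
+ const seen = new Set(); // dedupe `${name}@${version}` within a single .csproj
+ // Form 1 (attribute-form): two attribute orderings.
+ // Match Include="X" ... Version="Y"
+ const attrIncludeFirstRe = /<PackageReference\s+[^>]*\bInclude\s*=\s*"([^"]+)"[^>]*\bVersion\s*=\s*"([^"]+)"[^>]*\/?>/gi;
+ // Match Version="Y" ... Include="X"
+ const attrVersionFirstRe = /<PackageReference\s+[^>]*\bVersion\s*=\s*"([^"]+)"[^>]*\bInclude\s*=\s*"([^"]+)"[^>]*\/?>/gi;
+ let m;
+ while ((m = attrIncludeFirstRe.exec(xml)) !== null) {
+ pushEntry(out, seen, m[1], m[2]);
+ }
+ while ((m = attrVersionFirstRe.exec(xml)) !== null) {
+ pushEntry(out, seen, m[2], m[1]);
+ }
+ // Form 2 (element-form): <PackageReference Include="X"><Version>Y</Version>...</PackageReference>
+ // The element form spans multiple lines; the regex is multi-line aware.
+ const elementFormRe = /<PackageReference\s+[^>]*\bInclude\s*=\s*"([^"]+)"[^>]*>[\s\S]*?<Version>\s*([^<\s]+)\s*<\/Version>[\s\S]*?<\/PackageReference>/gi;
+ while ((m = elementFormRe.exec(xml)) !== null) {
+ pushEntry(out, seen, m[1], m[2]);
+ }
+ return out;
+ }
+ function pushEntry(out, seen, rawName, rawVersion) {
+ const name = rawName.trim();
+ const version = rawVersion.trim();
+ if (!name || !version)
+ return;
+ const key = `${name}@${version}`;
+ if (seen.has(key))
+ return;
+ seen.add(key);
+ out.push({ name, version });
+ }
+ /**
+ * Generate the body of an ad-hoc `packages.lock.json` that osv-scanner
+ * v2.x reads via `--lockfile=<path>` (caller MUST write this content to
+ * a file literally named `packages.lock.json` — osv-scanner detects
+ * ecosystem by filename). The schema matches NuGet's native
+ * `dotnet restore`-produced lockfile (which osv-scanner already
+ * supports natively), simplified to the minimum osv-scanner consults
+ * for vulnerability matching:
+ *
+ * {
+ * "version": 1,
+ * "dependencies": {
+ * "net0.0": {
+ * "<Pkg>": {
+ * "type": "Direct",
+ * "resolved": "<Version>",
+ * "requested": "[<Version>, )"
+ * }
+ * }
+ * }
+ * }
+ *
+ * - `"version": 1` matches `dotnet restore`'s lockfile schema version.
+ * - `"net0.0"` is a placeholder framework moniker — osv-scanner reads
+ * the package map without validating the framework key, so any
+ * non-empty string works. We use a non-real moniker so it can't be
+ * confused with a real target framework in downstream debugging.
+ * - `type: "Direct"` truthfully reflects that we ONLY parsed direct
+ * references. Transitive vulns are out of scope for this path
+ * (covered by D025c's `dotnet list` codepath when available).
+ * - `requested` is a NuGet version range; we use a single-anchored
+ * `[V, )` form so the lockfile is valid even though the real
+ * `.csproj` might have been a pinned single version.
+ *
+ * Returns a JSON-stringified string suitable for writing to a temp
+ * file. Callers should clean up the temp file after osv-scanner
+ * consumes it.
+ */
+ function buildNugetAdhocLockfile(entries) {
+ const dependencies = { 'net0.0': {} };
+ for (const entry of entries) {
+ // If the same package appears in multiple .csproj files at different
+ // versions, last-write-wins per the lockfile shape (it's one entry
+ // per package name within a framework). osv-scanner will scan
+ // whichever version we stamped; the cross-csproj merging trade-off
+ // is documented at the caller. For dpl-studio scale (~74 csprojs)
+ // collisions are common but typically converge on a single resolved
+ // version per the repo's dependency hygiene practices.
+ dependencies['net0.0'][entry.name] = {
+ type: 'Direct',
+ resolved: entry.version,
+ requested: `[${entry.version}, )`,
+ };
+ }
+ return JSON.stringify({ version: 1, dependencies }, null, 2);
+ }
+ //# sourceMappingURL=nuget-package-reference.js.map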
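Review bot: The element-form regex in `parseCsprojPackageReferences` can attach one package's name to another package's version, because its opening-tag part `[^>]*>` also accepts a self-closing `<PackageReference Include="A" ... />` and the lazy `[\s\S]*?` then runs on to the next `<Version>` element, which may belong to a later reference. In that case A is recorded at the later package's version (and, through the last-write-wins assignment in `buildNugetAdhocLockfile`, can replace A's correct attribute-form entry), while the later element-form reference is consumed by the match and never recorded, so the lockfile handed to osv-scanner can both hide a real advisory and produce a wrong one; it also contradicts the doc comment's statement that versionless CPM references are skipped. Rejecting self-closing tags and keeping the match inside one element would close this, for example `const elementFormRe = /<PackageReference\s+[^>]*\bInclude\s*=\s*"([^"]+)"[^>]*(?<!\/)>(?:(?!<\/?PackageReference\b)[\s\S])*?<Version>\s*([^<\s]+)\s*<\/Version>/gi;`. Separately, `pushEntry` accepts any non-empty version string, so MSBuild property references such as `$(SomeVersion)` or floating and range versions appear to be written into `resolved` unchanged; skipping or reporting those entries would keep an incomplete scan from looking clean.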
@@ -0,0 +1 @@
1
+ {"version":3,"file":"nuget-package-reference.js","sourceRoot":"","sources":["../../../src/analyzers/tools/nuget-package-reference.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmDG;;AAyCH,oEA6BC;AAuDD,0DAiBC;AAjID;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,SAAgB,4BAA4B,CAAC,GAAW;IACtD,MAAM,GAAG,GAA4B,EAAE,CAAC;IACxC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC,CAAC,sDAAsD;IAEtF,oDAAoD;IACpD,oCAAoC;IACpC,MAAM,kBAAkB,GACtB,6FAA6F,CAAC;IAChG,oCAAoC;IACpC,MAAM,kBAAkB,GACtB,6FAA6F,CAAC;IAEhG,IAAI,CAAyB,CAAC;IAC9B,OAAO,CAAC,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACnD,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,CAAC,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACnD,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;IAED,kGAAkG;IAClG,wEAAwE;IACxE,MAAM,aAAa,GACjB,mIAAmI,CAAC;IACtI,OAAO,CAAC,CAAC,GAAG,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC9C,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,SAAS,CAChB,GAA4B,EAC5B,IAAiB,EACjB,OAAe,EACf,UAAkB;IAElB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC5B,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;IAClC,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO;QAAE,OAAO;IAC9B,MAAM,GAAG,GAAG,GAAG,IAAI,IAAI,OAAO,EAAE,CAAC;IACjC,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO;IAC1B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACd,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;AAC9B,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,SAAgB,uBAAuB,CAAC,OAA6C;IACnF,MAAM,YAAY,GAA4C,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;IAC/E,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,qEAAqE;QACrE,mEAAmE;QACnE,8DAA8D;QAC9D,mEAAmE;QACnE,kEAAkE;QAClE,oEAAoE;QACpE,uDAAuD;QACvD,YAAY,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG;YACnC,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,KAAK,CAAC,OAAO;YACvB,SAAS,EAAE,IAAI,KAAK,CAAC,OAAO,KAAK;SAClC
,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AAC/D,CAAC"}
@@ -0,0 +1,48 @@
1
+ import type { DepVulnFinding, DepVulnGatherOutcome, SeverityCounts } from '../../languages/capabilities/types';
2
+ import type { LanguageId } from '../../types';
3
+ /**
4
+ * Pure parser for osv-scanner v2.x JSON output, scoped to a single
5
+ * ecosystem. Other ecosystems are filtered out so polyglot repos
6
+ * don't double-count: each pack handles its own ecosystem (typescript
7
+ * → npm, python → PyPI, kotlin/java → Maven, ruby → RubyGems, etc.).
8
+ *
9
+ * The ecosystem parameter is matched against the OSV record's
10
+ * `package.ecosystem` field verbatim — use the exact strings OSV
11
+ * emits (`'Maven'`, `'RubyGems'`, `'PyPI'`, `'npm'`, `'Go'`, etc.).
12
+ *
13
+ * Returns counts + findings + the raw OSV vuln records for downstream
14
+ * CVSS resolution. Exported for unit tests.
15
+ */
16
+ export declare function parseOsvScannerFindings(raw: string, ecosystem: string, packId?: LanguageId): {
17
+ counts: SeverityCounts;
18
+ findings: DepVulnFinding[];
19
+ vulnsForCvss: Array<{
20
+ primaryId: string;
21
+ embeddedCvss: number | null;
22
+ aliases: string[];
23
+ }>;
24
+ };
25
+ /**
26
+ * Single source of truth for osv-scanner-driven dep-vuln gathering.
27
+ * Caller supplies:
28
+ * - cwd: project root
29
+ * - source: pack id for envelope attribution (currently reserved —
30
+ * see note at end of function)
31
+ * - ecosystem: OSV ecosystem string (`'Maven'`, `'RubyGems'`, ...)
32
+ * - manifestCandidates: ordered list of manifest filenames to probe.
33
+ * First existing one is passed via `--lockfile`. Lockfiles
34
+ * preferred over higher-level manifests (kotlin: gradle.lockfile
35
+ * before pom.xml; ruby: Gemfile.lock).
36
+ *
37
+ * `scan source --lockfile <path>` is the v2.x form. JSON output to
38
+ * stdout. Exit code is non-zero when findings exist — we ignore the
39
+ * exit code and parse the JSON regardless (run() already swallows
40
+ * non-zero exits cleanly via execSync's catch).
41
+ *
42
+ * CVSS alias-fallback: osv-scanner ships CVSS vectors when present,
43
+ * but advisory data quality varies by ecosystem — some carry only
44
+ * `database_specific.severity` strings. resolveCvssScores looks up
45
+ * via CVE alias when the primary record lacks a vector.
46
+ */
47
+ export declare function gatherOsvScannerDepVulnsResult(cwd: string, packId: LanguageId, ecosystem: string, manifestCandidates: string[]): Promise<DepVulnGatherOutcome>;
48
+ //# sourceMappingURL=osv-scanner-deps.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"osv-scanner-deps.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/osv-scanner-deps.ts"],"names":[],"mappings":"AAoCA,OAAO,KAAK,EACV,cAAc,EACd,oBAAoB,EAEpB,cAAc,EACf,MAAM,oCAAoC,CAAC;AAC5C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAiB9C;;;;;;;;;;;;GAYG;AACH,wBAAgB,uBAAuB,CACrC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,UAAU,GAClB;IACD,MAAM,EAAE,cAAc,CAAC;IACvB,QAAQ,EAAE,cAAc,EAAE,CAAC;IAC3B,YAAY,EAAE,KAAK,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;CAC5F,CA8EA;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,8BAA8B,CAClD,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,UAAU,EAClB,SAAS,EAAE,MAAM,EACjB,kBAAkB,EAAE,MAAM,EAAE,GAC3B,OAAO,CAAC,oBAAoB,CAAC,CAiD/B"}
@@ -1,38 +1,51 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
- exports.parseOsvScannerMavenFindings = parseOsvScannerMavenFindings;
4
- exports.gatherOsvScannerMavenDepVulnsResult = gatherOsvScannerMavenDepVulnsResult;
3
+ exports.parseOsvScannerFindings = parseOsvScannerFindings;
4
+ exports.gatherOsvScannerDepVulnsResult = gatherOsvScannerDepVulnsResult;
5
5
  /**
6
- * osv-scanner against the Maven ecosystem — shared across JVM packs
7
- * (kotlin, java). CLAUDE.md rule #2 the gather function lives once.
8
- * Extracted from src/languages/kotlin.ts in 10k.1.4 (Phase 10k.1
9
- * SSOT validation).
6
+ * osv-scanner against any OSV ecosystem — shared across language packs
7
+ * that use osv-scanner as their canonical depVulns source. CLAUDE.md
8
+ * rule #2 the gather function lives once.
9
+ *
10
+ * History: extracted from `src/languages/kotlin.ts` in 10k.1.4 (Phase
11
+ * 10k.1 SSOT validation), originally Maven-only. Generalized to all
12
+ * OSV ecosystems in 10k.2.6a (Ruby pack work) — caller passes the
13
+ * ecosystem string + manifest candidate list, parser filters
14
+ * accordingly so polyglot repos don't double-count across packs.
15
+ *
16
+ * Current consumers:
17
+ * - kotlin pack — `Maven` ecosystem, gradle.lockfile + pom.xml + verification-metadata.xml
18
+ * - java pack — `Maven` ecosystem (same manifest set)
19
+ * - ruby pack — `RubyGems` ecosystem, Gemfile.lock
10
20
  *
11
21
  * osv-scanner is the established multi-ecosystem scanner; no Tier-1
12
- * native equivalent exists for Maven/Gradle (CLAUDE.md rule #5).
22
+ * native equivalent exists for several of the ecosystems above
23
+ * (CLAUDE.md rule #5 — bundler-audit's JSON is unstable, so Ruby
24
+ * intentionally uses osv-scanner-only rather than dual-source).
13
25
  * The typescript pack's `osv-scanner-fix.ts` uses the `fix`
14
26
  * subcommand for upgrade planning — different mode, no shared logic.
15
27
  *
16
- * Manifest gating: osv-scanner reads `pom.xml`, `gradle.lockfile`,
17
- * `gradle/verification-metadata.xml`, and (limited) `build.gradle`. Bare
18
- * `build.gradle.kts` is NOT a reliable input — gradle.lockfile is
19
- * preferred. Without any of these, we return `tool-missing` (matches
20
- * python/csharp's manifest-gating pattern).
28
+ * Manifest gating: caller supplies the candidate list. First
29
+ * existing candidate wins. Without any of them, returns
30
+ * `tool-missing` (matches python/csharp's manifest-gating pattern).
21
31
  */
22
32
  const osv_1 = require("./osv");
23
33
  const runner_1 = require("./runner");
24
34
  const tool_registry_1 = require("./tool-registry");
25
35
  /**
26
- * Pure parser for osv-scanner v2.x JSON output, scoped to Maven
27
- * findings only. Other ecosystems (npm, PyPI, Go) are filtered out so
28
- * polyglot repos don't double-count: the typescript pack handles npm,
29
- * the python pack handles PyPI, etc. JVM packs (kotlin, java) own
30
- * Maven via this shared parser.
36
+ * Pure parser for osv-scanner v2.x JSON output, scoped to a single
37
+ * ecosystem. Other ecosystems are filtered out so polyglot repos
38
+ * don't double-count: each pack handles its own ecosystem (typescript
39
+ * npm, python PyPI, kotlin/java Maven, ruby → RubyGems, etc.).
40
+ *
41
+ * The ecosystem parameter is matched against the OSV record's
42
+ * `package.ecosystem` field verbatim — use the exact strings OSV
43
+ * emits (`'Maven'`, `'RubyGems'`, `'PyPI'`, `'npm'`, `'Go'`, etc.).
31
44
  *
32
45
  * Returns counts + findings + the raw OSV vuln records for downstream
33
46
  * CVSS resolution. Exported for unit tests.
34
47
  */
35
- function parseOsvScannerMavenFindings(raw) {
48
+ function parseOsvScannerFindings(raw, ecosystem, packId) {
36
49
  const counts = { critical: 0, high: 0, medium: 0, low: 0 };
37
50
  const findings = [];
38
51
  const vulnsForCvss = [];
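Review bot: The rewritten module header still says that without any manifest candidate the function "returns `tool-missing`", but the new code in the later `@@ -126,15 +155,20 @@` hunk returns `kind: 'no-manifest'` for that case and `kind: 'unavailable'` when the scanner is absent. The header should name the kinds the code now produces, for example `Without any of them, returns 'no-manifest'; a missing osv-scanner binary returns 'unavailable'.` Callers that branch on the outcome kind will otherwise be written against the wrong value. The body of `parseOsvScannerFindings` continues outside this hunk.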
@@ -49,7 +62,7 @@ function parseOsvScannerMavenFindings(raw) {
49
62
  const seen = new Set();
50
63
  for (const result of data.results ?? []) {
51
64
  for (const pkg of result.packages ?? []) {
52
- if (pkg.package?.ecosystem !== 'Maven')
65
+ if (pkg.package?.ecosystem !== ecosystem)
53
66
  continue;
54
67
  const pkgName = pkg.package.name ?? 'unknown';
55
68
  const pkgVersion = pkg.package.version;
@@ -74,12 +87,27 @@ function parseOsvScannerMavenFindings(raw) {
74
87
  tool: 'osv-scanner',
75
88
  severity: tier,
76
89
  };
90
+ // G_v4_4 (2.4.7): stamp the producing pack so `buildUpgradeCommand`
91
+ // can dispatch to the right `LanguageSupport.upgradeCommand` without
92
+ // a hardcoded switch on `tool`. Caller passes the pack id; absent
93
+ // (`undefined`) only on legacy paths we haven't migrated yet.
94
+ if (packId)
95
+ finding.packId = packId;
77
96
  if (cvss !== null)
78
97
  finding.cvssScore = cvss;
79
98
  if (aliases.length > 0)
80
99
  finding.aliases = aliases;
81
100
  if (vuln.summary)
82
101
  finding.summary = vuln.summary;
102
+ // D042: surface the patch version when OSV's `affected[].
103
+ // ranges[].events[].fixed` is populated. This is the customer's
104
+ // actionable next-step (e.g. "upgrade Newtonsoft.Json from
105
+ // 9.0.1 to 13.0.1 to clear GHSA-5crp-9r3c-p9vr"). Pre-D042 the
106
+ // standalone scan rendered `Fix: —` for every osv-scanner-
107
+ // sourced finding because this field went unread.
108
+ const fixVersion = (0, osv_1.extractOsvFixVersion)(vuln);
109
+ if (fixVersion)
110
+ finding.fixedVersion = fixVersion;
83
111
  // OSV.dev hosts a canonical page per id — synthesize when the
84
112
  // record's `references[]` is empty, otherwise keep the
85
113
  // tool-supplied URLs.
@@ -98,27 +126,28 @@ function parseOsvScannerMavenFindings(raw) {
98
126
  return { counts, findings, vulnsForCvss };
99
127
  }
100
128
  /**
101
- * Single source of truth for osv-scanner Maven dep-vuln gathering.
102
- * Both kotlin and java packs delegate here.
103
- *
104
- * Manifest discovery order: lockfile > pom.xml > verification-metadata.
105
- * We pass the manifest explicitly via --lockfile so osv-scanner doesn't
106
- * fall back to its (unreliable) build.gradle.kts parser. Multi-module
107
- * Android/Java projects with per-module lockfiles are not yet handled —
108
- * first-module-found is the v1 behaviour.
129
+ * Single source of truth for osv-scanner-driven dep-vuln gathering.
130
+ * Caller supplies:
131
+ * - cwd: project root
132
+ * - source: pack id for envelope attribution (currently reserved —
133
+ * see note at end of function)
134
+ * - ecosystem: OSV ecosystem string (`'Maven'`, `'RubyGems'`, ...)
135
+ * - manifestCandidates: ordered list of manifest filenames to probe.
136
+ * First existing one is passed via `--lockfile`. Lockfiles
137
+ * preferred over higher-level manifests (kotlin: gradle.lockfile
138
+ * before pom.xml; ruby: Gemfile.lock).
109
139
  *
110
140
  * `scan source --lockfile <path>` is the v2.x form. JSON output to
111
141
  * stdout. Exit code is non-zero when findings exist — we ignore the
112
142
  * exit code and parse the JSON regardless (run() already swallows
113
143
  * non-zero exits cleanly via execSync's catch).
114
144
  *
115
- * CVSS alias-fallback: osv-scanner ships CVSS vectors when present, but
116
- * Maven advisories are inconsistent — some carry only
117
- * `database_specific.severity` strings. resolveCvssScores looks up via
118
- * CVE alias when the primary record lacks a vector.
145
+ * CVSS alias-fallback: osv-scanner ships CVSS vectors when present,
146
+ * but advisory data quality varies by ecosystem — some carry only
147
+ * `database_specific.severity` strings. resolveCvssScores looks up
148
+ * via CVE alias when the primary record lacks a vector.
119
149
  */
120
- async function gatherOsvScannerMavenDepVulnsResult(cwd, source) {
121
- const manifestCandidates = ['gradle.lockfile', 'pom.xml', 'gradle/verification-metadata.xml'];
150
+ async function gatherOsvScannerDepVulnsResult(cwd, packId, ecosystem, manifestCandidates) {
122
151
  let manifest = null;
123
152
  for (const rel of manifestCandidates) {
124
153
  if ((0, runner_1.fileExists)(cwd, rel)) {
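Review bot: The docstring for `gatherOsvScannerDepVulnsResult` still documents a `source` parameter as "currently reserved — see note at end of function", but the signature now names it `packId` and the end-of-function note was replaced by one saying the value is forwarded into `parseOsvScannerFindings`. I would replace that bullet with `- packId: pack id stamped on every finding (finding.packId) via parseOsvScannerFindings`. The same stale bullet appears in the generated `osv-scanner-deps.d.ts` declaration, so the fix belongs in the TypeScript source. The function body continues outside this hunk.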
@@ -126,15 +155,20 @@ async function gatherOsvScannerMavenDepVulnsResult(cwd, source) {
126
155
  break;
127
156
  }
128
157
  }
129
- if (!manifest)
130
- return { kind: 'tool-missing' };
158
+ if (!manifest) {
159
+ return {
160
+ kind: 'no-manifest',
161
+ reason: `no lockfile found (looked for: ${manifestCandidates.join(', ')})`,
162
+ };
163
+ }
131
164
  const scanner = (0, tool_registry_1.findTool)(tool_registry_1.TOOL_DEFS['osv-scanner'], cwd);
132
- if (!scanner.available || !scanner.path)
133
- return { kind: 'tool-missing' };
165
+ if (!scanner.available || !scanner.path) {
166
+ return { kind: 'unavailable', reason: 'osv-scanner not installed' };
167
+ }
134
168
  const raw = (0, runner_1.run)(`${scanner.path} scan source --lockfile ${manifest} --format json 2>/dev/null`, cwd, 180000);
135
169
  if (!raw)
136
- return { kind: 'no-output' };
137
- const { counts, findings, vulnsForCvss } = parseOsvScannerMavenFindings(raw);
170
+ return { kind: 'unavailable', reason: 'osv-scanner produced no output' };
171
+ const { counts, findings, vulnsForCvss } = parseOsvScannerFindings(raw, ecosystem, packId);
138
172
  if (findings.length > 0) {
139
173
  const resolved = await (0, osv_1.resolveCvssScores)(vulnsForCvss);
140
174
  for (const f of findings) {
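Review bot: `manifest` now comes from the caller-supplied `manifestCandidates` and is interpolated unquoted into the shell string given to `run()` (`--lockfile ${manifest}`), so a candidate containing whitespace or shell metacharacters would change the command that is executed; in 2.4.5 the list was a constant inside this function. The consumers named in the file header pass fixed filenames, so this is presumably not reachable today, but the function is exported and nothing enforces that. A guard in the candidate loop would close the gap, e.g. `if (!/^[\w./-]+$/.test(rel) || rel.includes('..')) continue;`, or the arguments could be passed as an array to a non-shell exec if `run()` can support that. `scanner.path` is interpolated the same way, and `2>/dev/null` throws away the stderr that would explain an `'osv-scanner produced no output'` result. The function starts and ends outside this hunk.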
@@ -150,12 +184,10 @@ async function gatherOsvScannerMavenDepVulnsResult(cwd, source) {
150
184
  counts,
151
185
  findings,
152
186
  };
153
- // Note: `source` is unused at the envelope level today — DepVulnResult
154
- // carries `tool: 'osv-scanner'` as the producer attribution. Reserved
155
- // for a future enhancement that distinguishes per-pack provenance
156
- // (e.g., when both kotlin and java packs run on a mixed monorepo and
157
- // we want to attribute findings to the originating pack).
158
- void source;
187
+ // G_v4_4 (2.4.7): `packId` is forwarded into `parseOsvScannerFindings`
188
+ // so each finding carries the producing pack, which `buildUpgradeCommand`
189
+ // dispatches on. Envelope-level `tool: 'osv-scanner'` stays as the
190
+ // tool-attribution string used in `toolsUsed`.
159
191
  return { kind: 'success', envelope };
160
192
  }
161
- //# sourceMappingURL=osv-scanner-maven.js.map
193
+ //# sourceMappingURL=osv-scanner-deps.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"osv-scanner-deps.js","sourceRoot":"","sources":["../../../src/analyzers/tools/osv-scanner-deps.ts"],"names":[],"mappings":";;AAwEA,0DAsFC;AAwBD,wEAsDC;AA5OD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,+BAMe;AACf,qCAA2C;AAC3C,mDAAsD;AAwBtD;;;;;;;;;;;;GAYG;AACH,SAAgB,uBAAuB,CACrC,GAAW,EACX,SAAiB,EACjB,MAAmB;IAMnB,MAAM,MAAM,GAAmB,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC3E,MAAM,QAAQ,GAAqB,EAAE,CAAC;IACtC,MAAM,YAAY,GAIb,EAAE,CAAC;IACR,IAAI,IAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;IAC5C,CAAC;IACD,oEAAoE;IACpE,sEAAsE;IACtE,oEAAoE;IACpE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC;QACxC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;YACxC,IAAI,GAAG,CAAC,OAAO,EAAE,SAAS,KAAK,SAAS;gBAAE,SAAS;YACnD,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,SAAS,CAAC;YAC9C,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;YACvC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,eAAe,IAAI,EAAE,EAAE,CAAC;gBAC7C,IAAI,CAAC,IAAI,CAAC,EAAE;oBAAE,SAAS;gBACvB,MAAM,QAAQ,GAAG,GAAG,OAAO,KAAK,UAAU,IAAI,EAAE,KAAK,IAAI,CAAC,EAAE,EAAE,CAAC;gBAC/D,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBACjC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBAEnB,MAAM,GAAG,GAAG,IAAA,yBAAmB,EAAC,IAAI,CAAC,CAAC;gBACtC,MAAM,IAAI,GACR,GAAG,KAAK,UAAU,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,KAAK;oBACvE,CAAC,CAAC,GAAG;oBACL,CAAC,CAAC,QAAQ,CAAC;gBACf,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBAEf,MAAM,IAAI,GAAG,IAAA,yBAAmB,EAAC,IAAI,CAAC,CAAC;gBACvC,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBACtE,MAAM,OAAO,GAAmB;oBAC9B,EAAE,EAAE,IAAI,CAAC,EAAE;oBACX,OAAO,EAAE,OAAO;oBAChB,gBAAgB,EAAE,UAAU;oBAC5B,IAAI,EAAE,aAAa;oBACnB,QAAQ,EAAE,IAAI;iBACf,CAAC;gBACF,oEAAoE;gBACpE,qEAAqE;gBACrE,kEAAkE;gBAClE,8DAA8D;gBAC9D,IAAI,MAAM;oBAAE,OAAO,CAAC,MAAM
,GAAG,MAAM,CAAC;gBACpC,IAAI,IAAI,KAAK,IAAI;oBAAE,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;gBAC5C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;oBAAE,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC;gBAClD,IAAI,IAAI,CAAC,OAAO;oBAAE,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;gBACjD,0DAA0D;gBAC1D,gEAAgE;gBAChE,2DAA2D;gBAC3D,+DAA+D;gBAC/D,2DAA2D;gBAC3D,kDAAkD;gBAClD,MAAM,UAAU,GAAG,IAAA,0BAAoB,EAAC,IAAI,CAAC,CAAC;gBAC9C,IAAI,UAAU;oBAAE,OAAO,CAAC,YAAY,GAAG,UAAU,CAAC;gBAClD,8DAA8D;gBAC9D,uDAAuD;gBACvD,sBAAsB;gBACtB,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC1F,OAAO,CAAC,UAAU;oBAChB,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,iCAAiC,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC9E,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAEvB,YAAY,CAAC,IAAI,CAAC;oBAChB,SAAS,EAAE,IAAI,CAAC,EAAE;oBAClB,YAAY,EAAE,IAAI;oBAClB,OAAO;iBACR,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;AAC5C,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACI,KAAK,UAAU,8BAA8B,CAClD,GAAW,EACX,MAAkB,EAClB,SAAiB,EACjB,kBAA4B;IAE5B,IAAI,QAAQ,GAAkB,IAAI,CAAC;IACnC,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;QACrC,IAAI,IAAA,mBAAU,EAAC,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;YACzB,QAAQ,GAAG,GAAG,CAAC;YACf,MAAM;QACR,CAAC;IACH,CAAC;IACD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO;YACL,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,kCAAkC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;SAC3E,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,IAAA,wBAAQ,EAAC,yBAAS,CAAC,aAAa,CAAC,EAAE,GAAG,CAAC,CAAC;IACxD,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACxC,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC;IACtE,CAAC;IAED,MAAM,GAAG,GAAG,IAAA,YAAG,EACb,GAAG,OAAO,CAAC,IAAI,2BAA2B,QAAQ,4BAA4B,EAC9E,GAAG,EACH,MAAM,CACP,CAAC;IACF,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,gCAAgC,EAAE,CAAC;IAEnF,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,uBAAuB,CAAC,GAAG,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IAE3F,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM
,QAAQ,GAAG,MAAM,IAAA,uBAAiB,EAAC,YAAY,CAAC,CAAC;QACvD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACjC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS;gBAAE,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC;QACjE,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,aAAa,EAAE,CAAC;QAChB,IAAI,EAAE,aAAa;QACnB,UAAU,EAAE,SAAS;QACrB,MAAM;QACN,QAAQ;KACT,CAAC;IACF,uEAAuE;IACvE,0EAA0E;IAC1E,mEAAmE;IACnE,+CAA+C;IAC/C,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AACvC,CAAC"}
@@ -25,6 +25,27 @@ export interface OsvVuln {
25
25
  type: string;
26
26
  score: string;
27
27
  }>;
28
+ /**
29
+ * D042 (2.4.7): OSV records expose patch-version info via
30
+ * `affected[].ranges[].events[]`. Each range describes one
31
+ * affected version interval with bounding events:
32
+ * `{"introduced": "0.0.0"}` (or `"introduced": "X.Y.Z"`)
33
+ * `{"fixed": "X.Y.Z"}` ← patch-available signal
34
+ * `{"limit": "X.Y.Z"}` ← exclusion upper bound
35
+ *
36
+ * We extract the first non-empty `fixed` event as the
37
+ * `fixedVersion` recommendation for the customer's upgrade
38
+ * path. Pre-D042 this field was unread; both csharp/kotlin/
39
+ * java/ruby's osv-scanner findings rendered `Fix: —`.
40
+ */
41
+ ranges?: Array<{
42
+ type?: string;
43
+ events?: Array<{
44
+ introduced?: string;
45
+ fixed?: string;
46
+ limit?: string;
47
+ }>;
48
+ }>;
28
49
  }>;
29
50
  aliases?: string[];
30
51
  summary?: string;
@@ -34,6 +55,21 @@ export interface OsvVuln {
34
55
  url: string;
35
56
  }>;
36
57
  }
58
+ /**
59
+ * Extract the patch-available version from an OSV record (D042). Walks
60
+ * `affected[].ranges[].events[]` in document order and returns the
61
+ * first non-empty `fixed` event. Multiple `fixed` events can exist
62
+ * when the advisory covers multiple version branches (e.g., a
63
+ * vulnerability backported across 1.x and 2.x lines); the first one
64
+ * is conventionally the lowest patch version — which is the right
65
+ * "minimum upgrade to clear this advisory" answer for most customers.
66
+ *
67
+ * Returns `undefined` when no `fixed` event exists (advisory exists
68
+ * but no patch has been released yet — customer should consider
69
+ * mitigations rather than waiting). Returns `undefined` for the
70
+ * pathological case of empty `affected` / `ranges` / `events` arrays.
71
+ */
72
+ export declare function extractOsvFixVersion(vuln: OsvVuln): string | undefined;
37
73
  /** Enriched OSV detail returned by lookups. cvssScore is the max CVSS base
38
74
  * score across V4/V3 vectors when parseable; null otherwise. */
39
75
  export interface OsvDetail {
@@ -1 +1 @@
1
- {"version":3,"file":"osv.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/osv.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,SAAS,CAAC;AAE1E,MAAM,WAAW,OAAO;IACtB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,QAAQ,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClD,iBAAiB,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC1C,QAAQ,CAAC,EAAE,KAAK,CAAC;QACf,QAAQ,CAAC,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;KACnD,CAAC,CAAC;IAGH,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACpD;AAED;iEACiE;AACjE,MAAM,WAAW,SAAS;IACxB,QAAQ,EAAE,QAAQ,CAAC;IACnB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAKD,qCAAqC;AACrC,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAMnD;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CA2ClE;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAuBhE;AAED,wFAAwF;AACxF,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,OAAO,GAAG,QAAQ,CAW3D;AAED,yEAAyE;AACzE,MAAM,MAAM,UAAU,GAAG,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;AAsCjE;;;;;;GAMG;AACH,wBAAsB,SAAS,CAC7B,GAAG,EAAE,MAAM,EAAE,EACb,OAAO,GAAE,UAA4B,GACpC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CA6BjC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,KAAK,CAAC;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,EACpF,OAAO,GAAE,UAA4B,GACpC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC,CA6CrC;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,aAAa,CAAC,MAAM,CAAC,EAC1B,OAAO,GAAE,UAA4B,GACpC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAiBhC;AAED,yDAAyD;AACzD,wBAAgB,eAAe,IAAI,IAAI,CAEtC"}
1
+ {"version":3,"file":"osv.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/osv.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,SAAS,CAAC;AAE1E,MAAM,WAAW,OAAO;IACtB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,QAAQ,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClD,iBAAiB,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC1C,QAAQ,CAAC,EAAE,KAAK,CAAC;QACf,QAAQ,CAAC,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QAClD;;;;;;;;;;;;WAYG;QACH,MAAM,CAAC,EAAE,KAAK,CAAC;YACb,IAAI,CAAC,EAAE,MAAM,CAAC;YACd,MAAM,CAAC,EAAE,KAAK,CAAC;gBAAE,UAAU,CAAC,EAAE,MAAM,CAAC;gBAAC,KAAK,CAAC,EAAE,MAAM,CAAC;gBAAC,KAAK,CAAC,EAAE,MAAM,CAAA;aAAE,CAAC,CAAC;SACzE,CAAC,CAAC;KACJ,CAAC,CAAC;IAGH,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACpD;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM,GAAG,SAAS,CAStE;AAED;iEACiE;AACjE,MAAM,WAAW,SAAS;IACxB,QAAQ,EAAE,QAAQ,CAAC;IACnB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAKD,qCAAqC;AACrC,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAMnD;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CA2ClE;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAuBhE;AAED,wFAAwF;AACxF,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,OAAO,GAAG,QAAQ,CAW3D;AAED,yEAAyE;AACzE,MAAM,MAAM,UAAU,GAAG,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;AAsCjE;;;;;;GAMG;AACH,wBAAsB,SAAS,CAC7B,GAAG,EAAE,MAAM,EAAE,EACb,OAAO,GAAE,UAA4B,GACpC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CA6BjC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,KAAK,CAAC;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,EACpF,OAAO,GAAE,UAA4B,GACpC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC,CA6CrC;AAED;;;;;;;;
;;GAUG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,aAAa,CAAC,MAAM,CAAC,EAC1B,OAAO,GAAE,UAA4B,GACpC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAiBhC;AAED,yDAAyD;AACzD,wBAAgB,eAAe,IAAI,IAAI,CAEtC"}
@@ -12,6 +12,7 @@
12
12
  * The analyzer must never fail because OSV was slow.
13
13
  */
14
14
  Object.defineProperty(exports, "__esModule", { value: true });
15
+ exports.extractOsvFixVersion = extractOsvFixVersion;
15
16
  exports.scoreToTier = scoreToTier;
16
17
  exports.parseCvssV3BaseScore = parseCvssV3BaseScore;
17
18
  exports.extractOsvCvssScore = extractOsvCvssScore;
@@ -21,6 +22,31 @@ exports.resolveCvssScores = resolveCvssScores;
21
22
  exports.resolveAliases = resolveAliases;
22
23
  exports.__clearOsvCache = __clearOsvCache;
23
24
  const cvss_v4_1 = require("./cvss-v4");
25
+ /**
26
+ * Extract the patch-available version from an OSV record (D042). Walks
27
+ * `affected[].ranges[].events[]` in document order and returns the
28
+ * first non-empty `fixed` event. Multiple `fixed` events can exist
29
+ * when the advisory covers multiple version branches (e.g., a
30
+ * vulnerability backported across 1.x and 2.x lines); the first one
31
+ * is conventionally the lowest patch version — which is the right
32
+ * "minimum upgrade to clear this advisory" answer for most customers.
33
+ *
34
+ * Returns `undefined` when no `fixed` event exists (advisory exists
35
+ * but no patch has been released yet — customer should consider
36
+ * mitigations rather than waiting). Returns `undefined` for the
37
+ * pathological case of empty `affected` / `ranges` / `events` arrays.
38
+ */
39
+ function extractOsvFixVersion(vuln) {
40
+ for (const affected of vuln.affected ?? []) {
41
+ for (const range of affected.ranges ?? []) {
42
+ for (const event of range.events ?? []) {
43
+ if (event.fixed && event.fixed.length > 0)
44
+ return event.fixed;
45
+ }
46
+ }
47
+ }
48
+ return undefined;
49
+ }
24
50
  /** Process-scoped cache so repeated lookups in a session don't re-query. */
25
51
  const cache = new Map();
26
52
  /** NVD CVSS 3.x base-score bands. */
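Review bot: `extractOsvFixVersion` returns the first `fixed` event without looking at `range.type` or at which package the `affected[]` entry describes, so the value stamped into `finding.fixedVersion` can be a commit id (OSV `GIT` ranges carry commit hashes in `fixed`) or a version from a branch older than the one installed. The docstring's "the first one is conventionally the lowest patch version" is an assumption about record ordering, not something the code checks, and a wrong "Fix:" value in a vulnerability report is worse than an empty one. Skipping non-version ranges is a one-line guard inside the `ranges` loop, `if (range.type === 'GIT') continue;`. Picking the fix for the installed branch would need the package name and version passed in, for example as optional parameters that the call in `parseOsvScannerFindings` fills from `pkgName` and `pkgVersion`.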
@@ -1 +1 @@
1
- {"version":3,"file":"osv.js","sourceRoot":"","sources":["../../../src/analyzers/tools/osv.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAgCH,kCAMC;AAOD,oDA2CC;AASD,kDAuBC;AAGD,kDAWC;AAgDD,8BAgCC;AAmBD,8CAgDC;AAaD,wCAoBC;AAGD,0CAEC;AA7TD,uCAAiD;AA0BjD,4EAA4E;AAC5E,MAAM,KAAK,GAAG,IAAI,GAAG,EAAqB,CAAC;AAE3C,qCAAqC;AACrC,SAAgB,WAAW,CAAC,KAAa;IACvC,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,UAAU,CAAC;IACpC,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,MAAM,CAAC;IAChC,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,QAAQ,CAAC;IAClC,IAAI,KAAK,GAAG,GAAG;QAAE,OAAO,KAAK,CAAC;IAC9B,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,SAAgB,oBAAoB,CAAC,MAAc;IACjD,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IACxC,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5C,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,CAAC,IAAI,CAAC;YAAE,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,wBAAwB;IACxB,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAElE,MAAM,SAAS,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC;IAChF,MAAM,SAAS,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;IAC/D,MAAM,WAAW,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;IAC1E,MAAM,SAAS,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC;IACvE,MAAM,SAAS,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAA
I,EAAE,CAAC;IAC/D,MAAM,UAAU,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;IAEtE,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;IACzB,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;IACzB,MAAM,EAAE,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IACvD,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;IACzB,MAAM,IAAI,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IAC3B,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IAC5B,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAEnF,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC;IACvD,MAAM,MAAM,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,GAAG,KAAK,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC;IAC/F,IAAI,MAAM,IAAI,CAAC;QAAE,OAAO,CAAC,CAAC;IAC1B,MAAM,cAAc,GAAG,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;IAChD,MAAM,GAAG,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,MAAM,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,cAAc,CAAC;IACnF,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAC/B,uDAAuD;IACvD,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC;AACnC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,mBAAmB,CAAC,IAAa;IAC/C,MAAM,EAAE,GAAa,EAAE,CAAC;IACxB,MAAM,EAAE,GAAa,EAAE,CAAC;IACxB,MAAM,OAAO,GAAG,CAAC,OAAgD,EAAE,EAAE;QACnE,KAAK,MAAM,CAAC,IAAI,OAAO,IAAI,EAAE,EAAE,CAAC;YAC9B,IAAI,CAAC,CAAC,CAAC,KAAK;gBAAE,SAAS;YACvB,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS;gBAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;iBACtC,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS;gBAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QAClD,CAAC;IACH,CAAC,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACvB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,IAAI,EAAE;QAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAEzD,IAAI,QAAQ,GAAG,CAAC,CAAC,CAAC;IAClB,KAAK,MAAM,GAAG,IAAI,EAAE,EAA
E,CAAC;QACrB,MAAM,KAAK,GAAG,IAAA,8BAAoB,EAAC,GAAG,CAAC,CAAC;QACxC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,GAAG,QAAQ;YAAE,QAAQ,GAAG,KAAK,CAAC;IAC3D,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,EAAE,EAAE,CAAC;QACrB,MAAM,KAAK,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,GAAG,QAAQ;YAAE,QAAQ,GAAG,KAAK,CAAC;IAC3D,CAAC;IACD,OAAO,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;AACzC,CAAC;AAED,wFAAwF;AACxF,SAAgB,mBAAmB,CAAC,IAAa;IAC/C,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACxC,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC;IAE9C,uEAAuE;IACvE,MAAM,EAAE,GAAG,IAAI,CAAC,iBAAiB,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;IAC3D,IAAI,EAAE,KAAK,UAAU;QAAE,OAAO,UAAU,CAAC;IACzC,IAAI,EAAE,KAAK,MAAM;QAAE,OAAO,MAAM,CAAC;IACjC,IAAI,EAAE,KAAK,QAAQ,IAAI,EAAE,KAAK,UAAU;QAAE,OAAO,QAAQ,CAAC;IAC1D,IAAI,EAAE,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAC/B,OAAO,SAAS,CAAC;AACnB,CAAC;AAKD;;;;GAIG;AACH,MAAM,sBAAsB,GAAG,KAAK,CAAC;AAErC;;;;;;;GAOG;AACH,SAAS,iBAAiB,CAAC,EAAU;IACnC,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,OAAO,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IACvE,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,MAAM,eAAe,GAAe,KAAK,EAAE,EAAE,EAAE,EAAE;IAC/C,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,iBAAiB,CAAC,EAAE,CAAC,CAAC;QACzC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,gCAAgC,kBAAkB,CAAC,UAAU,CAAC,EAAE,EAAE;YACxF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,sBAAsB,CAAC;SACpD,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QACzB,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAY,CAAC;IACvC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC;YAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,EAAE,KAAM,GAAa,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,UAAU;QACpF,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC,CAAC;AAEF;;;;;;GAMG;AACI,KAAK,UAAU,SAAS,CAC7B,GAAa,EACb,UAAsB,eAAe;IAErC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAqB,CAAC;IAC5C,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,IAAI,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;YAClB,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,CAAC,GAAG,CAAC,EAAE,CAAE,CAAC,CAAC;QACjC,CAAC;aAAM,IAAI,CAAC,OAAO
,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAExC,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CACtC,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;QACvB,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;QAC/B,MAAM,MAAM,GAAc,IAAI;YAC5B,CAAC,CAAC,EAAE,QAAQ,EAAE,mBAAmB,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,mBAAmB,CAAC,IAAI,CAAC,EAAE;YAC/E,CAAC,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QAC7C,OAAO,CAAC,EAAE,EAAE,MAAM,CAAU,CAAC;IAC/B,CAAC,CAAC,CACH,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAC7B,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC;YAC7B,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;YACtB,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACI,KAAK,UAAU,iBAAiB,CACrC,MAAoF,EACpF,UAAsB,eAAe;IAErC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAyB,CAAC;IAChD,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,IAAI,GAAG,CAAC,YAAY,KAAK,IAAI,EAAE,CAAC;YAC9B,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,YAAY,CAAC,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;YAChC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IACD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAE7C,MAAM,eAAe,GAAG,MAAM,SAAS,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAC/D,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,IAAI,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,IAAI;YAAE,SAAS;QACjD,MAAM,CAAC,GAAG,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC;QACxD,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;YAClC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;QAC/B,CAAC;aAAM,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IACD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAE7C,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IA
CrC,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAoB,CAAC;IACrD,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC;YAAE,SAAS;QACpD,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,OAAO;YAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAC/C,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,aAAa,GAAG,MAAM,SAAS,CAAC,CAAC,GAAG,UAAU,CAAC,EAAE,OAAO,CAAC,CAAC;IAChE,KAAK,MAAM,SAAS,IAAI,YAAY,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;QACtD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,SAAS,CAAC;YAC9C,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;gBAClC,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;gBACzB,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;GAUG;AACI,KAAK,UAAU,cAAc,CAClC,GAA0B,EAC1B,UAAsB,eAAe;IAErC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAoB,CAAC;IAC3C,MAAM,SAAS,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IACpC,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAC1C,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CACtC,SAAS,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;QACzB,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;QAC/B,OAAO,CAAC,EAAE,EAAE,IAAI,EAAE,OAAO,IAAI,EAAE,CAAU,CAAC;IAC5C,CAAC,CAAC,CACH,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAC7B,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC;YAC9B,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,yDAAyD;AACzD,SAAgB,eAAe;IAC7B,KAAK,CAAC,KAAK,EAAE,CAAC;AAChB,CAAC"}
1
+ {"version":3,"file":"osv.js","sourceRoot":"","sources":["../../../src/analyzers/tools/osv.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAoDH,oDASC;AAaD,kCAMC;AAOD,oDA2CC;AASD,kDAuBC;AAGD,kDAWC;AAgDD,8BAgCC;AAmBD,8CAgDC;AAaD,wCAoBC;AAGD,0CAEC;AAvWD,uCAAiD;AAoCjD;;;;;;;;;;;;;GAaG;AACH,SAAgB,oBAAoB,CAAC,IAAa;IAChD,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;QAC3C,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YAC1C,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;gBACvC,IAAI,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;oBAAE,OAAO,KAAK,CAAC,KAAK,CAAC;YAChE,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AASD,4EAA4E;AAC5E,MAAM,KAAK,GAAG,IAAI,GAAG,EAAqB,CAAC;AAE3C,qCAAqC;AACrC,SAAgB,WAAW,CAAC,KAAa;IACvC,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,UAAU,CAAC;IACpC,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,MAAM,CAAC;IAChC,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,QAAQ,CAAC;IAClC,IAAI,KAAK,GAAG,GAAG;QAAE,OAAO,KAAK,CAAC;IAC9B,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,SAAgB,oBAAoB,CAAC,MAAc;IACjD,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IACxC,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5C,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,CAAC,IAAI,CAAC;YAAE,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,wBAAwB;IACxB,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAElE,MAAM,SAAS,GAA2B,EA
AE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC;IAChF,MAAM,SAAS,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;IAC/D,MAAM,WAAW,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;IAC1E,MAAM,SAAS,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC;IACvE,MAAM,SAAS,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;IAC/D,MAAM,UAAU,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;IAEtE,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;IACzB,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;IACzB,MAAM,EAAE,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IACvD,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;IACzB,MAAM,IAAI,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IAC3B,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IAC5B,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAEnF,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC;IACvD,MAAM,MAAM,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,GAAG,KAAK,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC;IAC/F,IAAI,MAAM,IAAI,CAAC;QAAE,OAAO,CAAC,CAAC;IAC1B,MAAM,cAAc,GAAG,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;IAChD,MAAM,GAAG,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,MAAM,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,cAAc,CAAC;IACnF,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAC/B,uDAAuD;IACvD,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC;AACnC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,mBAAmB,CAAC,IAAa;IAC/C,MAAM,EAAE,GAAa,EAAE,CAAC;IACxB,MAAM,EAAE,GAAa,EAAE,CAAC;IACxB,MAAM,OAAO,GAAG,CAAC,OAAgD,EAAE,EAAE;QACnE,KAAK,MAAM,CAAC,IAAI,OAAO,IAAI,EAAE,EAAE,CAAC;YAC9B,IAAI,CAAC,CAAC,CAAC,KAAK;gBAAE,SAA
S;YACvB,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS;gBAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;iBACtC,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS;gBAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QAClD,CAAC;IACH,CAAC,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACvB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,IAAI,EAAE;QAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAEzD,IAAI,QAAQ,GAAG,CAAC,CAAC,CAAC;IAClB,KAAK,MAAM,GAAG,IAAI,EAAE,EAAE,CAAC;QACrB,MAAM,KAAK,GAAG,IAAA,8BAAoB,EAAC,GAAG,CAAC,CAAC;QACxC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,GAAG,QAAQ;YAAE,QAAQ,GAAG,KAAK,CAAC;IAC3D,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,EAAE,EAAE,CAAC;QACrB,MAAM,KAAK,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,GAAG,QAAQ;YAAE,QAAQ,GAAG,KAAK,CAAC;IAC3D,CAAC;IACD,OAAO,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;AACzC,CAAC;AAED,wFAAwF;AACxF,SAAgB,mBAAmB,CAAC,IAAa;IAC/C,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACxC,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC;IAE9C,uEAAuE;IACvE,MAAM,EAAE,GAAG,IAAI,CAAC,iBAAiB,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;IAC3D,IAAI,EAAE,KAAK,UAAU;QAAE,OAAO,UAAU,CAAC;IACzC,IAAI,EAAE,KAAK,MAAM;QAAE,OAAO,MAAM,CAAC;IACjC,IAAI,EAAE,KAAK,QAAQ,IAAI,EAAE,KAAK,UAAU;QAAE,OAAO,QAAQ,CAAC;IAC1D,IAAI,EAAE,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAC/B,OAAO,SAAS,CAAC;AACnB,CAAC;AAKD;;;;GAIG;AACH,MAAM,sBAAsB,GAAG,KAAK,CAAC;AAErC;;;;;;;GAOG;AACH,SAAS,iBAAiB,CAAC,EAAU;IACnC,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,OAAO,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IACvE,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,MAAM,eAAe,GAAe,KAAK,EAAE,EAAE,EAAE,EAAE;IAC/C,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,iBAAiB,CAAC,EAAE,CAAC,CAAC;QACzC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,gCAAgC,kBAAkB,CAAC,UAAU,CAAC,EAAE,EAAE;YACxF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,sBAAsB,CAAC;SACpD,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QACzB,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAY,CAAC;IACvC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC;YAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,EAAE,KAAM,GAAa,CAAC,OAAO,IAAI,CAAC,
CAAC,CAAC,UAAU;QACpF,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC,CAAC;AAEF;;;;;;GAMG;AACI,KAAK,UAAU,SAAS,CAC7B,GAAa,EACb,UAAsB,eAAe;IAErC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAqB,CAAC;IAC5C,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,IAAI,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;YAClB,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,CAAC,GAAG,CAAC,EAAE,CAAE,CAAC,CAAC;QACjC,CAAC;aAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAExC,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CACtC,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;QACvB,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;QAC/B,MAAM,MAAM,GAAc,IAAI;YAC5B,CAAC,CAAC,EAAE,QAAQ,EAAE,mBAAmB,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,mBAAmB,CAAC,IAAI,CAAC,EAAE;YAC/E,CAAC,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QAC7C,OAAO,CAAC,EAAE,EAAE,MAAM,CAAU,CAAC;IAC/B,CAAC,CAAC,CACH,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAC7B,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC;YAC7B,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;YACtB,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACI,KAAK,UAAU,iBAAiB,CACrC,MAAoF,EACpF,UAAsB,eAAe;IAErC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAyB,CAAC;IAChD,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,IAAI,GAAG,CAAC,YAAY,KAAK,IAAI,EAAE,CAAC;YAC9B,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,YAAY,CAAC,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;YAChC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IACD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAE7C,MAAM,eAAe,GAAG,MAAM,SAAS,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAC/D,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,IAAI,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,IAAI;YAAE,SAAS;QACjD,MAAM,CAAC,GAAG,eAAe
,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC;QACxD,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;YAClC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;QAC/B,CAAC;aAAM,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IACD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAE7C,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAoB,CAAC;IACrD,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC;YAAE,SAAS;QACpD,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,OAAO;YAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAC/C,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,aAAa,GAAG,MAAM,SAAS,CAAC,CAAC,GAAG,UAAU,CAAC,EAAE,OAAO,CAAC,CAAC;IAChE,KAAK,MAAM,SAAS,IAAI,YAAY,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;QACtD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,SAAS,CAAC;YAC9C,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;gBAClC,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;gBACzB,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;GAUG;AACI,KAAK,UAAU,cAAc,CAClC,GAA0B,EAC1B,UAAsB,eAAe;IAErC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAoB,CAAC;IAC3C,MAAM,SAAS,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IACpC,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAC1C,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CACtC,SAAS,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;QACzB,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;QAC/B,OAAO,CAAC,EAAE,EAAE,IAAI,EAAE,OAAO,IAAI,EAAE,CAAU,CAAC;IAC5C,CAAC,CAAC,CACH,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAC7B,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC;YAC9B,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,yDAAyD;AACzD,SAAgB,eAAe;IAC7B,KAAK,CAAC,KAAK,EAAE,CAAC;AAChB,CAAC"}
@@ -21,5 +21,5 @@
21
21
  * pre-C.7, including the exact `toolsUnavailable` phrasings.
22
22
  */
23
23
  import { HealthMetrics } from '../types';
24
- export declare function gatherLayer2Parallel(cwd: string, _verbose?: boolean): Partial<HealthMetrics>;
24
+ export declare function gatherLayer2Parallel(cwd: string, _verbose?: boolean): Promise<Partial<HealthMetrics>>;
25
25
  //# sourceMappingURL=parallel.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"parallel.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/parallel.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAKzC,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,UAAQ,GAAG,OAAO,CAAC,aAAa,CAAC,CAgC1F"}
1
+ {"version":3,"file":"parallel.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/parallel.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAKzC,wBAAsB,oBAAoB,CACxC,GAAG,EAAE,MAAM,EACX,QAAQ,UAAQ,GACf,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAgCjC"}
@@ -4,7 +4,7 @@ exports.gatherLayer2Parallel = gatherLayer2Parallel;
4
4
  const cloc_1 = require("./cloc");
5
5
  const gitleaks_1 = require("./gitleaks");
6
6
  const graphify_1 = require("./graphify");
7
- function gatherLayer2Parallel(cwd, _verbose = false) {
7
+ async function gatherLayer2Parallel(cwd, _verbose = false) {
8
8
  const clocPartial = (0, cloc_1.gatherClocMetrics)(cwd);
9
9
  const toolsUsed = [...(clocPartial.toolsUsed ?? [])];
10
10
  const toolsUnavailable = [...(clocPartial.toolsUnavailable ?? [])];
@@ -18,7 +18,7 @@ function gatherLayer2Parallel(cwd, _verbose = false) {
18
18
  // the pre-C.7 string the report surfaces.
19
19
  toolsUnavailable.push(gitleaks.reason === 'not installed' ? 'gitleaks' : `gitleaks (${gitleaks.reason})`);
20
20
  }
21
- const graphify = (0, graphify_1.gatherGraphifyResult)(cwd);
21
+ const graphify = await (0, graphify_1.gatherGraphifyResult)(cwd);
22
22
  if (graphify.kind === 'success') {
23
23
  toolsUsed.push('graphify');
24
24
  }
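Review bot: The new `await (0, graphify_1.gatherGraphifyResult)(cwd)` is unguarded, so if that promise rejects, the whole function rejects and the cloc and gitleaks outcomes collected above it are lost. Whether `gatherGraphifyResult` can reject is not visible here (the `graphify.kind === 'success'` check suggests failures normally come back as a result object), but the secret-scan outcome should not depend on it. Wrapping the call in `try { ... } catch (err) { toolsUnavailable.push('graphify (' + err.message + ')'); }` would mirror the gitleaks entry and keep the partial metrics. The function body continues outside both hunks. Callers must now await the returned Promise, and a JavaScript caller that does not will read `undefined` for every field without any error.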
@@ -1 +1 @@
1
- {"version":3,"file":"parallel.js","sourceRoot":"","sources":["../../../src/analyzers/tools/parallel.ts"],"names":[],"mappings":";;AA2BA,oDAgCC;AApCD,iCAA2C;AAC3C,yCAAkD;AAClD,yCAAkD;AAElD,SAAgB,oBAAoB,CAAC,GAAW,EAAE,QAAQ,GAAG,KAAK;IAChE,MAAM,WAAW,GAAG,IAAA,wBAAiB,EAAC,GAAG,CAAC,CAAC;IAE3C,MAAM,SAAS,GAAa,CAAC,GAAG,CAAC,WAAW,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,CAAC;IAC/D,MAAM,gBAAgB,GAAa,CAAC,GAAG,CAAC,WAAW,CAAC,gBAAgB,IAAI,EAAE,CAAC,CAAC,CAAC;IAE7E,MAAM,QAAQ,GAAG,IAAA,+BAAoB,EAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAChC,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,kEAAkE;QAClE,iEAAiE;QACjE,0CAA0C;QAC1C,gBAAgB,CAAC,IAAI,CACnB,QAAQ,CAAC,MAAM,KAAK,eAAe,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,aAAa,QAAQ,CAAC,MAAM,GAAG,CACnF,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,IAAA,+BAAoB,EAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAChC,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,gBAAgB,CAAC,IAAI,CAAC,aAAa,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IACzD,CAAC;IAED,OAAO;QACL,WAAW,EAAE,WAAW,CAAC,WAAW;QACpC,UAAU,EAAE,WAAW,CAAC,UAAU;QAClC,aAAa,EAAE,WAAW,CAAC,aAAa;QACxC,SAAS;QACT,gBAAgB;KACjB,CAAC;AACJ,CAAC"}
1
+ {"version":3,"file":"parallel.js","sourceRoot":"","sources":["../../../src/analyzers/tools/parallel.ts"],"names":[],"mappings":";;AA2BA,oDAmCC;AAvCD,iCAA2C;AAC3C,yCAAkD;AAClD,yCAAkD;AAE3C,KAAK,UAAU,oBAAoB,CACxC,GAAW,EACX,QAAQ,GAAG,KAAK;IAEhB,MAAM,WAAW,GAAG,IAAA,wBAAiB,EAAC,GAAG,CAAC,CAAC;IAE3C,MAAM,SAAS,GAAa,CAAC,GAAG,CAAC,WAAW,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,CAAC;IAC/D,MAAM,gBAAgB,GAAa,CAAC,GAAG,CAAC,WAAW,CAAC,gBAAgB,IAAI,EAAE,CAAC,CAAC,CAAC;IAE7E,MAAM,QAAQ,GAAG,IAAA,+BAAoB,EAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAChC,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,kEAAkE;QAClE,iEAAiE;QACjE,0CAA0C;QAC1C,gBAAgB,CAAC,IAAI,CACnB,QAAQ,CAAC,MAAM,KAAK,eAAe,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,aAAa,QAAQ,CAAC,MAAM,GAAG,CACnF,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,IAAA,+BAAoB,EAAC,GAAG,CAAC,CAAC;IACjD,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAChC,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,gBAAgB,CAAC,IAAI,CAAC,aAAa,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IACzD,CAAC;IAED,OAAO;QACL,WAAW,EAAE,WAAW,CAAC,WAAW;QACpC,UAAU,EAAE,WAAW,CAAC,UAAU;QAClC,aAAa,EAAE,WAAW,CAAC,aAAa;QACxC,SAAS;QACT,gBAAgB;KACjB,CAAC;AACJ,CAAC"}