@vyuhlabs/dxkit 2.4.5 → 2.4.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +1022 -0
- package/README.md +160 -45
- package/dist/analysis-result.d.ts +112 -0
- package/dist/analysis-result.d.ts.map +1 -0
- package/dist/analysis-result.js +52 -0
- package/dist/analysis-result.js.map +1 -0
- package/dist/analyzers/bom/detailed.d.ts.map +1 -1
- package/dist/analyzers/bom/detailed.js +19 -0
- package/dist/analyzers/bom/detailed.js.map +1 -1
- package/dist/analyzers/bom/gather.d.ts +27 -26
- package/dist/analyzers/bom/gather.d.ts.map +1 -1
- package/dist/analyzers/bom/gather.js +26 -87
- package/dist/analyzers/bom/gather.js.map +1 -1
- package/dist/analyzers/bom/index.d.ts +0 -7
- package/dist/analyzers/bom/index.d.ts.map +1 -1
- package/dist/analyzers/bom/index.js +98 -48
- package/dist/analyzers/bom/index.js.map +1 -1
- package/dist/analyzers/bom/types.d.ts +11 -13
- package/dist/analyzers/bom/types.d.ts.map +1 -1
- package/dist/analyzers/cache.d.ts +95 -0
- package/dist/analyzers/cache.d.ts.map +1 -0
- package/dist/analyzers/cache.js +309 -0
- package/dist/analyzers/cache.js.map +1 -0
- package/dist/analyzers/coverage-runner.d.ts +56 -0
- package/dist/analyzers/coverage-runner.d.ts.map +1 -0
- package/dist/analyzers/coverage-runner.js +72 -0
- package/dist/analyzers/coverage-runner.js.map +1 -0
- package/dist/analyzers/dashboard/index.d.ts +24 -0
- package/dist/analyzers/dashboard/index.d.ts.map +1 -0
- package/dist/analyzers/dashboard/index.js +666 -0
- package/dist/analyzers/dashboard/index.js.map +1 -0
- package/dist/analyzers/developer/gather.d.ts.map +1 -1
- package/dist/analyzers/developer/gather.js +205 -37
- package/dist/analyzers/developer/gather.js.map +1 -1
- package/dist/analyzers/developer/index.d.ts +1 -1
- package/dist/analyzers/developer/index.d.ts.map +1 -1
- package/dist/analyzers/developer/index.js +19 -8
- package/dist/analyzers/developer/index.js.map +1 -1
- package/dist/analyzers/dispatcher.d.ts +37 -0
- package/dist/analyzers/dispatcher.d.ts.map +1 -1
- package/dist/analyzers/dispatcher.js +56 -9
- package/dist/analyzers/dispatcher.js.map +1 -1
- package/dist/analyzers/docs/shallow.d.ts +17 -5
- package/dist/analyzers/docs/shallow.d.ts.map +1 -1
- package/dist/analyzers/docs/shallow.js +65 -2
- package/dist/analyzers/docs/shallow.js.map +1 -1
- package/dist/analyzers/dx/shallow.d.ts +17 -5
- package/dist/analyzers/dx/shallow.d.ts.map +1 -1
- package/dist/analyzers/dx/shallow.js +66 -2
- package/dist/analyzers/dx/shallow.js.map +1 -1
- package/dist/analyzers/health/actions.d.ts +1 -1
- package/dist/analyzers/health/actions.d.ts.map +1 -1
- package/dist/analyzers/health/actions.js +27 -9
- package/dist/analyzers/health/actions.js.map +1 -1
- package/dist/analyzers/health/detailed.d.ts +2 -1
- package/dist/analyzers/health/detailed.d.ts.map +1 -1
- package/dist/analyzers/health/detailed.js +11 -7
- package/dist/analyzers/health/detailed.js.map +1 -1
- package/dist/analyzers/health.d.ts +27 -0
- package/dist/analyzers/health.d.ts.map +1 -1
- package/dist/analyzers/health.js +271 -33
- package/dist/analyzers/health.js.map +1 -1
- package/dist/analyzers/licenses/gather.d.ts +35 -8
- package/dist/analyzers/licenses/gather.d.ts.map +1 -1
- package/dist/analyzers/licenses/gather.js +70 -13
- package/dist/analyzers/licenses/gather.js.map +1 -1
- package/dist/analyzers/licenses/index.d.ts +1 -1
- package/dist/analyzers/licenses/index.d.ts.map +1 -1
- package/dist/analyzers/licenses/index.js +52 -11
- package/dist/analyzers/licenses/index.js.map +1 -1
- package/dist/analyzers/licenses/types.d.ts +15 -0
- package/dist/analyzers/licenses/types.d.ts.map +1 -1
- package/dist/analyzers/maintainability/shallow.d.ts +17 -5
- package/dist/analyzers/maintainability/shallow.d.ts.map +1 -1
- package/dist/analyzers/maintainability/shallow.js +80 -2
- package/dist/analyzers/maintainability/shallow.js.map +1 -1
- package/dist/analyzers/quality/detailed.d.ts.map +1 -1
- package/dist/analyzers/quality/detailed.js +4 -6
- package/dist/analyzers/quality/detailed.js.map +1 -1
- package/dist/analyzers/quality/gather.d.ts +1 -14
- package/dist/analyzers/quality/gather.d.ts.map +1 -1
- package/dist/analyzers/quality/gather.js +48 -137
- package/dist/analyzers/quality/gather.js.map +1 -1
- package/dist/analyzers/quality/index.d.ts +9 -2
- package/dist/analyzers/quality/index.d.ts.map +1 -1
- package/dist/analyzers/quality/index.js +189 -117
- package/dist/analyzers/quality/index.js.map +1 -1
- package/dist/analyzers/quality/shallow.d.ts +50 -5
- package/dist/analyzers/quality/shallow.d.ts.map +1 -1
- package/dist/analyzers/quality/shallow.js +155 -2
- package/dist/analyzers/quality/shallow.js.map +1 -1
- package/dist/analyzers/quality/types.d.ts +14 -0
- package/dist/analyzers/quality/types.d.ts.map +1 -1
- package/dist/analyzers/security/actions.d.ts +11 -4
- package/dist/analyzers/security/actions.d.ts.map +1 -1
- package/dist/analyzers/security/actions.js +87 -37
- package/dist/analyzers/security/actions.js.map +1 -1
- package/dist/analyzers/security/aggregator.d.ts +236 -0
- package/dist/analyzers/security/aggregator.d.ts.map +1 -0
- package/dist/analyzers/security/aggregator.js +347 -0
- package/dist/analyzers/security/aggregator.js.map +1 -0
- package/dist/analyzers/security/detailed.d.ts +2 -2
- package/dist/analyzers/security/detailed.d.ts.map +1 -1
- package/dist/analyzers/security/detailed.js +10 -9
- package/dist/analyzers/security/detailed.js.map +1 -1
- package/dist/analyzers/security/gather.d.ts +103 -1
- package/dist/analyzers/security/gather.d.ts.map +1 -1
- package/dist/analyzers/security/gather.js +281 -9
- package/dist/analyzers/security/gather.js.map +1 -1
- package/dist/analyzers/security/index.d.ts +15 -0
- package/dist/analyzers/security/index.d.ts.map +1 -1
- package/dist/analyzers/security/index.js +463 -50
- package/dist/analyzers/security/index.js.map +1 -1
- package/dist/analyzers/security/shallow.d.ts +50 -6
- package/dist/analyzers/security/shallow.d.ts.map +1 -1
- package/dist/analyzers/security/shallow.js +154 -2
- package/dist/analyzers/security/shallow.js.map +1 -1
- package/dist/analyzers/security/types.d.ts +51 -0
- package/dist/analyzers/security/types.d.ts.map +1 -1
- package/dist/analyzers/tests/detailed.d.ts.map +1 -1
- package/dist/analyzers/tests/detailed.js +2 -3
- package/dist/analyzers/tests/detailed.js.map +1 -1
- package/dist/analyzers/tests/gather.d.ts +2 -1
- package/dist/analyzers/tests/gather.d.ts.map +1 -1
- package/dist/analyzers/tests/gather.js +98 -69
- package/dist/analyzers/tests/gather.js.map +1 -1
- package/dist/analyzers/tests/index.d.ts +11 -2
- package/dist/analyzers/tests/index.d.ts.map +1 -1
- package/dist/analyzers/tests/index.js +85 -18
- package/dist/analyzers/tests/index.js.map +1 -1
- package/dist/analyzers/tests/shallow.d.ts +19 -5
- package/dist/analyzers/tests/shallow.d.ts.map +1 -1
- package/dist/analyzers/tests/shallow.js +89 -2
- package/dist/analyzers/tests/shallow.js.map +1 -1
- package/dist/analyzers/tests/types.d.ts +41 -1
- package/dist/analyzers/tests/types.d.ts.map +1 -1
- package/dist/analyzers/tools/autogen-header.d.ts +8 -0
- package/dist/analyzers/tools/autogen-header.d.ts.map +1 -0
- package/dist/analyzers/tools/autogen-header.js +107 -0
- package/dist/analyzers/tools/autogen-header.js.map +1 -0
- package/dist/analyzers/tools/cloc.d.ts.map +1 -1
- package/dist/analyzers/tools/cloc.js +36 -5
- package/dist/analyzers/tools/cloc.js.map +1 -1
- package/dist/analyzers/tools/coverage.d.ts +1 -1
- package/dist/analyzers/tools/coverage.d.ts.map +1 -1
- package/dist/analyzers/tools/coverage.js.map +1 -1
- package/dist/analyzers/tools/debug-statements.d.ts +17 -0
- package/dist/analyzers/tools/debug-statements.d.ts.map +1 -0
- package/dist/analyzers/tools/debug-statements.js +58 -0
- package/dist/analyzers/tools/debug-statements.js.map +1 -0
- package/dist/analyzers/tools/default-exclusions.gitignore +28 -0
- package/dist/analyzers/tools/exclusions.d.ts +33 -6
- package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
- package/dist/analyzers/tools/exclusions.js +95 -26
- package/dist/analyzers/tools/exclusions.js.map +1 -1
- package/dist/analyzers/tools/generic.d.ts +17 -2
- package/dist/analyzers/tools/generic.d.ts.map +1 -1
- package/dist/analyzers/tools/generic.js +206 -109
- package/dist/analyzers/tools/generic.js.map +1 -1
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
- package/dist/analyzers/tools/gitleaks.js +48 -1
- package/dist/analyzers/tools/gitleaks.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts +30 -2
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +131 -15
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/jscpd.d.ts +12 -2
- package/dist/analyzers/tools/jscpd.d.ts.map +1 -1
- package/dist/analyzers/tools/jscpd.js +129 -6
- package/dist/analyzers/tools/jscpd.js.map +1 -1
- package/dist/analyzers/tools/minified-detection.d.ts +9 -0
- package/dist/analyzers/tools/minified-detection.d.ts.map +1 -0
- package/dist/analyzers/tools/minified-detection.js +147 -0
- package/dist/analyzers/tools/minified-detection.js.map +1 -0
- package/dist/analyzers/tools/nuget-package-reference.d.ts +131 -0
- package/dist/analyzers/tools/nuget-package-reference.d.ts.map +1 -0
- package/dist/analyzers/tools/nuget-package-reference.js +175 -0
- package/dist/analyzers/tools/nuget-package-reference.js.map +1 -0
- package/dist/analyzers/tools/osv-scanner-deps.d.ts +48 -0
- package/dist/analyzers/tools/osv-scanner-deps.d.ts.map +1 -0
- package/dist/analyzers/tools/{osv-scanner-maven.js → osv-scanner-deps.js} +78 -46
- package/dist/analyzers/tools/osv-scanner-deps.js.map +1 -0
- package/dist/analyzers/tools/osv.d.ts +36 -0
- package/dist/analyzers/tools/osv.d.ts.map +1 -1
- package/dist/analyzers/tools/osv.js +26 -0
- package/dist/analyzers/tools/osv.js.map +1 -1
- package/dist/analyzers/tools/parallel.d.ts +1 -1
- package/dist/analyzers/tools/parallel.d.ts.map +1 -1
- package/dist/analyzers/tools/parallel.js +2 -2
- package/dist/analyzers/tools/parallel.js.map +1 -1
- package/dist/analyzers/tools/risk-score.d.ts +7 -0
- package/dist/analyzers/tools/risk-score.d.ts.map +1 -1
- package/dist/analyzers/tools/risk-score.js +9 -2
- package/dist/analyzers/tools/risk-score.js.map +1 -1
- package/dist/analyzers/tools/run-tests-helper.d.ts +43 -0
- package/dist/analyzers/tools/run-tests-helper.d.ts.map +1 -0
- package/dist/analyzers/tools/run-tests-helper.js +156 -0
- package/dist/analyzers/tools/run-tests-helper.js.map +1 -0
- package/dist/analyzers/tools/runner.d.ts.map +1 -1
- package/dist/analyzers/tools/runner.js +75 -12
- package/dist/analyzers/tools/runner.js.map +1 -1
- package/dist/analyzers/tools/semgrep.d.ts +39 -2
- package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
- package/dist/analyzers/tools/semgrep.js +131 -9
- package/dist/analyzers/tools/semgrep.js.map +1 -1
- package/dist/analyzers/tools/timing.d.ts +17 -3
- package/dist/analyzers/tools/timing.d.ts.map +1 -1
- package/dist/analyzers/tools/timing.js +36 -14
- package/dist/analyzers/tools/timing.js.map +1 -1
- package/dist/analyzers/tools/tool-registry.d.ts +10 -0
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +120 -1
- package/dist/analyzers/tools/tool-registry.js.map +1 -1
- package/dist/analyzers/tools/tools-unavailable-prose.d.ts +18 -0
- package/dist/analyzers/tools/tools-unavailable-prose.d.ts.map +1 -0
- package/dist/analyzers/tools/tools-unavailable-prose.js +69 -0
- package/dist/analyzers/tools/tools-unavailable-prose.js.map +1 -0
- package/dist/analyzers/tools/upgrade-plan-resolver.d.ts.map +1 -1
- package/dist/analyzers/tools/upgrade-plan-resolver.js +7 -0
- package/dist/analyzers/tools/upgrade-plan-resolver.js.map +1 -1
- package/dist/analyzers/tools/vendored-advisor.d.ts +43 -0
- package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -0
- package/dist/analyzers/tools/vendored-advisor.js +107 -0
- package/dist/analyzers/tools/vendored-advisor.js.map +1 -0
- package/dist/analyzers/tools/walk-paths.d.ts +78 -0
- package/dist/analyzers/tools/walk-paths.d.ts.map +1 -0
- package/dist/analyzers/tools/walk-paths.js +150 -0
- package/dist/analyzers/tools/walk-paths.js.map +1 -0
- package/dist/analyzers/tools/walk-source-files.d.ts +70 -0
- package/dist/analyzers/tools/walk-source-files.d.ts.map +1 -0
- package/dist/analyzers/tools/walk-source-files.js +369 -0
- package/dist/analyzers/tools/walk-source-files.js.map +1 -0
- package/dist/analyzers/types.d.ts +204 -4
- package/dist/analyzers/types.d.ts.map +1 -1
- package/dist/analyzers/xlsx/bom.d.ts.map +1 -1
- package/dist/analyzers/xlsx/bom.js +8 -1
- package/dist/analyzers/xlsx/bom.js.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +557 -189
- package/dist/cli.js.map +1 -1
- package/dist/constants.d.ts +1 -0
- package/dist/constants.d.ts.map +1 -1
- package/dist/detect.d.ts.map +1 -1
- package/dist/detect.js +24 -7
- package/dist/detect.js.map +1 -1
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +103 -53
- package/dist/doctor.js.map +1 -1
- package/dist/languages/capabilities/provider.d.ts +130 -1
- package/dist/languages/capabilities/provider.d.ts.map +1 -1
- package/dist/languages/capabilities/types.d.ts +68 -7
- package/dist/languages/capabilities/types.d.ts.map +1 -1
- package/dist/languages/csharp.d.ts +15 -1
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +624 -146
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +89 -11
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +131 -2
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +208 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +121 -32
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +140 -32
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +149 -44
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts +115 -0
- package/dist/languages/ruby.d.ts.map +1 -0
- package/dist/languages/ruby.js +665 -0
- package/dist/languages/ruby.js.map +1 -0
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +103 -16
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +228 -5
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +201 -14
- package/dist/languages/typescript.js.map +1 -1
- package/dist/scoring/dimensions/documentation.d.ts +53 -0
- package/dist/scoring/dimensions/documentation.d.ts.map +1 -0
- package/dist/scoring/dimensions/documentation.js +106 -0
- package/dist/scoring/dimensions/documentation.js.map +1 -0
- package/dist/scoring/dimensions/dx.d.ts +53 -0
- package/dist/scoring/dimensions/dx.d.ts.map +1 -0
- package/dist/scoring/dimensions/dx.js +105 -0
- package/dist/scoring/dimensions/dx.js.map +1 -0
- package/dist/scoring/dimensions/maintainability.d.ts +53 -0
- package/dist/scoring/dimensions/maintainability.d.ts.map +1 -0
- package/dist/scoring/dimensions/maintainability.js +101 -0
- package/dist/scoring/dimensions/maintainability.js.map +1 -0
- package/dist/scoring/dimensions/quality.d.ts +108 -0
- package/dist/scoring/dimensions/quality.d.ts.map +1 -0
- package/dist/scoring/dimensions/quality.js +174 -0
- package/dist/scoring/dimensions/quality.js.map +1 -0
- package/dist/scoring/dimensions/security.d.ts +84 -0
- package/dist/scoring/dimensions/security.d.ts.map +1 -0
- package/dist/scoring/dimensions/security.js +135 -0
- package/dist/scoring/dimensions/security.js.map +1 -0
- package/dist/scoring/dimensions/testing.d.ts +56 -0
- package/dist/scoring/dimensions/testing.d.ts.map +1 -0
- package/dist/scoring/dimensions/testing.js +98 -0
- package/dist/scoring/dimensions/testing.js.map +1 -0
- package/dist/scoring/evaluator.d.ts +27 -0
- package/dist/scoring/evaluator.d.ts.map +1 -0
- package/dist/scoring/evaluator.js +124 -0
- package/dist/scoring/evaluator.js.map +1 -0
- package/dist/scoring/format.d.ts +34 -0
- package/dist/scoring/format.d.ts.map +1 -0
- package/dist/scoring/format.js +63 -0
- package/dist/scoring/format.js.map +1 -0
- package/dist/scoring/index.d.ts +37 -0
- package/dist/scoring/index.d.ts.map +1 -0
- package/dist/scoring/index.js +57 -0
- package/dist/scoring/index.js.map +1 -0
- package/dist/scoring/overall.d.ts +54 -0
- package/dist/scoring/overall.d.ts.map +1 -0
- package/dist/scoring/overall.js +76 -0
- package/dist/scoring/overall.js.map +1 -0
- package/dist/scoring/result.d.ts +111 -0
- package/dist/scoring/result.d.ts.map +1 -0
- package/dist/scoring/result.js +14 -0
- package/dist/scoring/result.js.map +1 -0
- package/dist/scoring/spec.d.ts +76 -0
- package/dist/scoring/spec.d.ts.map +1 -0
- package/dist/scoring/spec.js +22 -0
- package/dist/scoring/spec.js.map +1 -0
- package/dist/scoring/thresholds.d.ts +56 -0
- package/dist/scoring/thresholds.d.ts.map +1 -0
- package/dist/scoring/thresholds.js +75 -0
- package/dist/scoring/thresholds.js.map +1 -0
- package/dist/tools-cli.d.ts.map +1 -1
- package/dist/tools-cli.js +21 -2
- package/dist/tools-cli.js.map +1 -1
- package/dist/types.d.ts +17 -1
- package/dist/types.d.ts.map +1 -1
- package/package.json +1 -1
- package/templates/.claude/commands/dashboard.md +17 -9
- package/templates/.claude/rules/ruby.md +11 -0
- package/templates/configs/ruby/README.md +6 -0
- package/dist/analyzers/scoring.d.ts +0 -49
- package/dist/analyzers/scoring.d.ts.map +0 -1
- package/dist/analyzers/scoring.js +0 -422
- package/dist/analyzers/scoring.js.map +0 -1
- package/dist/analyzers/security/scoring.d.ts +0 -29
- package/dist/analyzers/security/scoring.d.ts.map +0 -1
- package/dist/analyzers/security/scoring.js +0 -40
- package/dist/analyzers/security/scoring.js.map +0 -1
- package/dist/analyzers/tools/osv-scanner-maven.d.ts +0 -42
- package/dist/analyzers/tools/osv-scanner-maven.d.ts.map +0 -1
- package/dist/analyzers/tools/osv-scanner-maven.js.map +0 -1
|
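--- a/package/dist/analyzers/tools/risk-score.d.ts
+++ b/package/dist/analyzers/tools/risk-score.d.ts
@@ -50,6 +50,13 @@ export interface RiskScoreInputs {
 /**
 * Compute the composite risk score for one finding, or null when
 * CVSS is missing (we don't fabricate severity from side signals).
+*
+* D078 (2.4.7): treat `cvssScore === 0` the same as `undefined` —
+* upstream feeds (OSV.dev) emit `cvssScore: 0` for advisories whose
+* severity bucket comes from GHSA's categorical rating rather than
+* CVSS. Rendering `**0.0**` next to a HIGH-bucket finding misleads
+* users into reading "high severity, zero risk." Returning null
+* here propagates through to a `—` cell in the BoM render.
 */
 export declare function computeRiskScore(inputs: RiskScoreInputs): number | null;
 /**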
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"risk-score.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/risk-score.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AAEzE,MAAM,WAAW,eAAe;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED
|
|
1
|
+
{"version":3,"file":"risk-score.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/risk-score.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AAEzE,MAAM,WAAW,eAAe;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,eAAe,GAAG,MAAM,GAAG,IAAI,CAWvE;AAED;;;;;GAKG;AACH,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,UAAU,GAAG,KAAK,GAAG,MAAM,CAAC;AAEzE,wBAAgB,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,QAAQ,CAMvD;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,IAAI,CAK9D"}
|
|
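--- a/package/dist/analyzers/tools/risk-score.js
+++ b/package/dist/analyzers/tools/risk-score.js
@@ -48,10 +48,17 @@ exports.scoreFindings = scoreFindings;
 /**
 * Compute the composite risk score for one finding, or null when
 * CVSS is missing (we don't fabricate severity from side signals).
+*
+* D078 (2.4.7): treat `cvssScore === 0` the same as `undefined` —
+* upstream feeds (OSV.dev) emit `cvssScore: 0` for advisories whose
+* severity bucket comes from GHSA's categorical rating rather than
+* CVSS. Rendering `**0.0**` next to a HIGH-bucket finding misleads
+* users into reading "high severity, zero risk." Returning null
+* here propagates through to a `—` cell in the BoM render.
 */
 function computeRiskScore(inputs) {
 const cvss = inputs.cvssScore;
-if (cvss === undefined)
+if (cvss === undefined || cvss === 0)
 return null;
 const base = cvss * 10;
 const kevMul = inputs.kev ? 2.0 : 1.0;
@@ -66,7 +73,7 @@ function riskTier(score) {
 if (score >= 70)
 return 'critical';
 if (score >= 40)
-return 'high';
+return 'high'; // scoring-spec-ok: CVSS risk-tier band, not a dimension-rating threshold
 if (score >= 15)
 return 'moderate';
 return 'low';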
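Review bot: The widened guard `if (cvss === undefined || cvss === 0)` still lets `null`, `NaN` and negative values reach `const base = cvss * 10;`, so if any caller hands in `cvssScore: null` (the `RiskScoreInputs` body is not in this diff, so this is a possibility rather than a confirmed path) the finding scores as 0 instead of the `—` the new comment promises, and a `NaN` would propagate into the clamp below. One numeric-validity check covers every case the comment is trying to express: `if (typeof cvss !== 'number' || !(cvss > 0))` followed by the existing `return null;`. The body of computeRiskScore continues past the hunk, and the riskTier hunk below only adds a comment.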
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"risk-score.js","sourceRoot":"","sources":["../../../src/analyzers/tools/risk-score.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;;
|
|
1
|
+
{"version":3,"file":"risk-score.js","sourceRoot":"","sources":["../../../src/analyzers/tools/risk-score.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;;AAsBH,4CAWC;AAUD,4BAMC;AAOD,sCAKC;AAlDD;;;;;;;;;;GAUG;AACH,SAAgB,gBAAgB,CAAC,MAAuB;IACtD,MAAM,IAAI,GAAG,MAAM,CAAC,SAAS,CAAC;IAC9B,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAElD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAE,CAAC;IACvB,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;IACtC,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,IAAI,CAAC,CAAC,CAAC;IAChD,MAAM,QAAQ,GAAG,MAAM,CAAC,SAAS,KAAK,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,KAAK,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC;IAE3F,MAAM,GAAG,GAAG,IAAI,GAAG,MAAM,GAAG,OAAO,GAAG,QAAQ,CAAC;IAC/C,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;AAC/D,CAAC;AAUD,SAAgB,QAAQ,CAAC,KAAoB;IAC3C,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IAClC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,UAAU,CAAC;IACnC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC,CAAC,yEAAyE;IACzG,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,UAAU,CAAC;IACnC,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,SAAgB,aAAa,CAAC,QAA0B;IACtD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;QAC9B,IAAI,CAAC,KAAK,IAAI;YAAE,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC;IAClC,CAAC;AACH,CAAC"}
|
|
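--- a/package/dist/analyzers/tools/run-tests-helper.d.ts
+++ b/package/dist/analyzers/tools/run-tests-helper.d.ts
@@ -0,0 +1,43 @@
+import type { RunTestsOutcome } from '../../languages/capabilities/provider';
+export interface RunTestsArgs {
+/** Display name for logging — usually the pack id. */
+pack: string;
+/** Shell command to invoke. Run via `/bin/bash -c "<cmd>"`. */
+cmd: string;
+/** Working directory for the spawn. */
+cwd: string;
+/**
+* Relative path to the expected coverage artifact, OR a function that
+* locates it post-run (for tools that pick non-deterministic output
+* paths — e.g. .NET's `TestResults/<guid>/coverage.cobertura.xml`).
+* The function form returns the discovered relative path or `null` if
+* the artifact wasn't produced.
+*/
+artifact: string | ((cwd: string) => string | null);
+/** Wall-clock cap. Default 600s (10 min) per the design doc. */
+timeoutMs?: number;
+/**
+* Optional pre-flight check. When defined and returns a non-null
+* reason, `runTests` skips the spawn and returns `unavailable` with
+* that reason. Use this to short-circuit "tool isn't installed" or
+* "project isn't configured" without paying the spawn cost.
+*/
+preflight?: (cwd: string) => string | null;
+}
+/**
+* Spawn a test-with-coverage command, time it, classify the outcome.
+*
+* Outcome rules:
+* - `preflight` returned a reason → `unavailable`
+* - spawn signals ENOENT (binary missing) → `unavailable`
+* - exit non-zero (test fail / compile err) → `failed`
+* - exit zero AND artifact present → `success`
+* - exit zero BUT artifact missing → `failed`
+* (the user ran the right command but it didn't produce coverage —
+* usually means simplecov / coverage-py / similar isn't actually
+* wired into the test setup. The hint they need is "your test
+* run succeeded but produced no coverage report" not "no test
+* runner found.")
+*/
+export declare function runTestsWithCoverage(args: RunTestsArgs): RunTestsOutcome;
+//# sourceMappingURL=run-tests-helper.d.ts.map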
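Review bot: The `cmd` doc on line 5 says the string is run via `/bin/bash -c` but does not state who may author it; because it is handed to a shell unescaped with inherited stdio and the invoking user's privileges, the contract should say that `cmd` is a literal written by the language pack and must never be assembled from values read out of the analysed repository (manifests, config files), otherwise a project under analysis could influence what `vyuh-dxkit coverage` executes. Proposed comment: `/** Shell command to invoke via \`/bin/bash -c\`. Must be a pack-authored literal; never interpolate strings read from the analysed project. */`. The outcome list on lines 30–35 also omits the signal-terminated case (timeout or SIGKILL) that the implementation further down reports as `failed`; add `* - killed by signal (incl. timeoutMs elapsed) → \`failed\``.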
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"run-tests-helper.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/run-tests-helper.ts"],"names":[],"mappings":"AAkBA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uCAAuC,CAAC;AAE7E,MAAM,WAAW,YAAY;IAC3B,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC;IACb,+DAA+D;IAC/D,GAAG,EAAE,MAAM,CAAC;IACZ,uCAAuC;IACvC,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;OAMG;IACH,QAAQ,EAAE,MAAM,GAAG,CAAC,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC,CAAC;IACpD,gEAAgE;IAChE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC;CAC5C;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,YAAY,GAAG,eAAe,CA6FxE"}
|
|
@@ -0,0 +1,156 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
|
+
if (k2 === undefined) k2 = k;
|
|
4
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
5
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
6
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
7
|
+
}
|
|
8
|
+
Object.defineProperty(o, k2, desc);
|
|
9
|
+
}) : (function(o, m, k, k2) {
|
|
10
|
+
if (k2 === undefined) k2 = k;
|
|
11
|
+
o[k2] = m[k];
|
|
12
|
+
}));
|
|
13
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
14
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
15
|
+
}) : function(o, v) {
|
|
16
|
+
o["default"] = v;
|
|
17
|
+
});
|
|
18
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
19
|
+
var ownKeys = function(o) {
|
|
20
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
21
|
+
var ar = [];
|
|
22
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
23
|
+
return ar;
|
|
24
|
+
};
|
|
25
|
+
return ownKeys(o);
|
|
26
|
+
};
|
|
27
|
+
return function (mod) {
|
|
28
|
+
if (mod && mod.__esModule) return mod;
|
|
29
|
+
var result = {};
|
|
30
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
31
|
+
__setModuleDefault(result, mod);
|
|
32
|
+
return result;
|
|
33
|
+
};
|
|
34
|
+
})();
|
|
35
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
36
|
+
exports.runTestsWithCoverage = runTestsWithCoverage;
|
|
37
|
+
/**
|
|
38
|
+
* Shared spawn helper for per-pack `runTests()` implementations (D021).
|
|
39
|
+
*
|
|
40
|
+
* Each language pack's `coverage` capability declares an optional
|
|
41
|
+
* `runTests()` method that materializes the on-disk artifact its
|
|
42
|
+
* `gather()` later reads. The actual mechanics — spawn a shell
|
|
43
|
+
* command, bracket with Date.now() for duration, surface exit code +
|
|
44
|
+
* post-run artifact check, format the `RunTestsOutcome` discriminated
|
|
45
|
+
* union — are identical across packs. This module owns those mechanics
|
|
46
|
+
* so per-pack code stays compact (just "what command + what artifact").
|
|
47
|
+
*
|
|
48
|
+
* Stdio is inherited so the user sees test output stream live —
|
|
49
|
+
* `vyuh-dxkit coverage` is a side-effecting CLI command, the user is
|
|
50
|
+
* watching their test suite run, not consuming JSON.
|
|
51
|
+
*/
|
|
52
|
+
const child_process_1 = require("child_process");
|
|
53
|
+
const fs = __importStar(require("fs"));
|
|
54
|
+
const path = __importStar(require("path"));
|
|
55
|
+
/**
|
|
56
|
+
* Spawn a test-with-coverage command, time it, classify the outcome.
|
|
57
|
+
*
|
|
58
|
+
* Outcome rules:
|
|
59
|
+
* - `preflight` returned a reason → `unavailable`
|
|
60
|
+
* - spawn signals ENOENT (binary missing) → `unavailable`
|
|
61
|
+
* - exit non-zero (test fail / compile err) → `failed`
|
|
62
|
+
* - exit zero AND artifact present → `success`
|
|
63
|
+
* - exit zero BUT artifact missing → `failed`
|
|
64
|
+
* (the user ran the right command but it didn't produce coverage —
|
|
65
|
+
* usually means simplecov / coverage-py / similar isn't actually
|
|
66
|
+
* wired into the test setup. The hint they need is "your test
|
|
67
|
+
* run succeeded but produced no coverage report" not "no test
|
|
68
|
+
* runner found.")
|
|
69
|
+
*/
|
|
70
|
+
function runTestsWithCoverage(args) {
|
|
71
|
+
const { pack, cmd, cwd, artifact, timeoutMs = 600_000, preflight } = args;
|
|
72
|
+
if (preflight) {
|
|
73
|
+
const reason = preflight(cwd);
|
|
74
|
+
if (reason) {
|
|
75
|
+
return { kind: 'unavailable', reason };
|
|
76
|
+
}
|
|
77
|
+
}
|
|
78
|
+
const start = Date.now();
|
|
79
|
+
const result = (0, child_process_1.spawnSync)('/bin/bash', ['-c', cmd], {
|
|
80
|
+
cwd,
|
|
81
|
+
stdio: 'inherit',
|
|
82
|
+
timeout: timeoutMs,
|
|
83
|
+
// Some test runners parse TTY-ness for colorized output. Inheriting
|
|
84
|
+
// stdio already plumbs TTY status through naturally.
|
|
85
|
+
});
|
|
86
|
+
const durationMs = Date.now() - start;
|
|
87
|
+
// spawn-level failure: usually means /bin/bash is missing, or the
|
|
88
|
+
// command's first token isn't on PATH. We treat these as "unavailable"
|
|
89
|
+
// because they describe an environment problem the user can fix —
|
|
90
|
+
// distinct from "tests ran and failed."
|
|
91
|
+
if (result.error) {
|
|
92
|
+
const err = result.error;
|
|
93
|
+
if (err.code === 'ENOENT') {
|
|
94
|
+
return {
|
|
95
|
+
kind: 'unavailable',
|
|
96
|
+
reason: `command not found: ${cmd.split(/\s+/)[0]}`,
|
|
97
|
+
};
|
|
98
|
+
}
|
|
99
|
+
return {
|
|
100
|
+
kind: 'failed',
|
|
101
|
+
reason: `spawn error: ${err.message}`,
|
|
102
|
+
durationMs,
|
|
103
|
+
};
|
|
104
|
+
}
|
|
105
|
+
// Test runner returned non-zero. Could be compile failure, test
|
|
106
|
+
// failure, or coverage-config errors. The user already saw the
|
|
107
|
+
// output (inherited stdio); we just record the disposition.
|
|
108
|
+
//
|
|
109
|
+
// Special cases by bash convention: 127 = "command not found",
|
|
110
|
+
// 126 = "found but not executable". These describe an environment
|
|
111
|
+
// problem (a binary is missing from PATH) rather than a test failure,
|
|
112
|
+
// so they get the `unavailable` framing — same as the direct-spawn
|
|
113
|
+
// ENOENT path above. Without this re-mapping, the user sees
|
|
114
|
+
// "test command exited with status 127" which is opaque; routing
|
|
115
|
+
// through `unavailable` surfaces the actual binary name in the
|
|
116
|
+
// CLI table.
|
|
117
|
+
if (typeof result.status === 'number' && result.status !== 0) {
|
|
118
|
+
const firstWord = cmd.trim().split(/\s+/)[0];
|
|
119
|
+
if (result.status === 127) {
|
|
120
|
+
return { kind: 'unavailable', reason: `command not found: ${firstWord}` };
|
|
121
|
+
}
|
|
122
|
+
if (result.status === 126) {
|
|
123
|
+
return { kind: 'unavailable', reason: `command not executable: ${firstWord}` };
|
|
124
|
+
}
|
|
125
|
+
return {
|
|
126
|
+
kind: 'failed',
|
|
127
|
+
reason: `${pack}: test command exited with status ${result.status}`,
|
|
128
|
+
durationMs,
|
|
129
|
+
};
|
|
130
|
+
}
|
|
131
|
+
// Signal-terminated (timeout, SIGKILL, ...).
|
|
132
|
+
if (result.signal) {
|
|
133
|
+
return {
|
|
134
|
+
kind: 'failed',
|
|
135
|
+
reason: `${pack}: test command killed by signal ${result.signal}`,
|
|
136
|
+
durationMs,
|
|
137
|
+
};
|
|
138
|
+
}
|
|
139
|
+
// Locate the artifact. Function form takes precedence over string
|
|
140
|
+
// form so packs with non-deterministic output paths can implement
|
|
141
|
+
// arbitrary discovery logic.
|
|
142
|
+
const artifactPath = typeof artifact === 'function' ? artifact(cwd) : artifact;
|
|
143
|
+
if (!artifactPath || !fs.existsSync(path.join(cwd, artifactPath))) {
|
|
144
|
+
return {
|
|
145
|
+
kind: 'failed',
|
|
146
|
+
reason: `${pack}: test command succeeded but no coverage artifact was produced. ` +
|
|
147
|
+
`Expected ${typeof artifact === 'function' ? '<computed at runtime>' : artifact}. ` +
|
|
148
|
+
`If this is a Ruby project, simplecov must be required + started in spec_helper.rb. ` +
|
|
149
|
+
`If TypeScript, the test script may not be passing --coverage to the runner. ` +
|
|
150
|
+
`If Python, ensure pytest --cov is configured.`,
|
|
151
|
+
durationMs,
|
|
152
|
+
};
|
|
153
|
+
}
|
|
154
|
+
return { kind: 'success', artifact: artifactPath, durationMs };
|
|
155
|
+
}
|
|
156
|
+
//# sourceMappingURL=run-tests-helper.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"run-tests-helper.js","sourceRoot":"","sources":["../../../src/analyzers/tools/run-tests-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6DA,oDA6FC;AA1JD;;;;;;;;;;;;;;GAcG;AACH,iDAA0C;AAC1C,uCAAyB;AACzB,2CAA6B;AA6B7B;;;;;;;;;;;;;;GAcG;AACH,SAAgB,oBAAoB,CAAC,IAAkB;IACrD,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,SAAS,GAAG,OAAO,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC;IAE1E,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,CAAC;QACzC,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,MAAM,MAAM,GAAG,IAAA,yBAAS,EAAC,WAAW,EAAE,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE;QACjD,GAAG;QACH,KAAK,EAAE,SAAS;QAChB,OAAO,EAAE,SAAS;QAClB,oEAAoE;QACpE,qDAAqD;KACtD,CAAC,CAAC;IACH,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC;IAEtC,kEAAkE;IAClE,uEAAuE;IACvE,kEAAkE;IAClE,wCAAwC;IACxC,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,MAAM,GAAG,GAAG,MAAM,CAAC,KAA8B,CAAC;QAClD,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC1B,OAAO;gBACL,IAAI,EAAE,aAAa;gBACnB,MAAM,EAAE,sBAAsB,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE;aACpD,CAAC;QACJ,CAAC;QACD,OAAO;YACL,IAAI,EAAE,QAAQ;YACd,MAAM,EAAE,gBAAgB,GAAG,CAAC,OAAO,EAAE;YACrC,UAAU;SACX,CAAC;IACJ,CAAC;IAED,gEAAgE;IAChE,+DAA+D;IAC/D,4DAA4D;IAC5D,EAAE;IACF,+DAA+D;IAC/D,kEAAkE;IAClE,sEAAsE;IACtE,mEAAmE;IACnE,4DAA4D;IAC5D,iEAAiE;IACjE,+DAA+D;IAC/D,aAAa;IACb,IAAI,OAAO,MAAM,CAAC,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7D,MAAM,SAAS,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QAC7C,IAAI,MAAM,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC1B,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,sBAAsB,SAAS,EAAE,EAAE,CAAC;QAC5E,CAAC;QACD,IAAI,MAAM,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC1B,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,2BAA2B,SAAS,EAAE,EAAE,CAAC;QACjF,CAAC;QACD,OAAO;YACL,IAAI,EAAE,QAAQ;YACd,MAAM,EAAE,GAAG,IAAI,qCAAqC,MAAM,CAAC,MAAM,EAAE;YACnE,UAAU;SACX,CAAC;IACJ,CAAC;IAED,6CAA6C;IAC7C,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,OAAO
;YACL,IAAI,EAAE,QAAQ;YACd,MAAM,EAAE,GAAG,IAAI,mCAAmC,MAAM,CAAC,MAAM,EAAE;YACjE,UAAU;SACX,CAAC;IACJ,CAAC;IAED,kEAAkE;IAClE,kEAAkE;IAClE,6BAA6B;IAC7B,MAAM,YAAY,GAAG,OAAO,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC;IAC/E,IAAI,CAAC,YAAY,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC,EAAE,CAAC;QAClE,OAAO;YACL,IAAI,EAAE,QAAQ;YACd,MAAM,EACJ,GAAG,IAAI,kEAAkE;gBACzE,YAAY,OAAO,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,QAAQ,IAAI;gBACnF,qFAAqF;gBACrF,8EAA8E;gBAC9E,+CAA+C;YACjD,UAAU;SACX,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,CAAC;AACjE,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"runner.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/runner.ts"],"names":[],"mappings":"AAOA;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,EAAE,CAqCtD;AAED,wEAAwE;AACxE,wBAAgB,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,SAAQ,GAAG,MAAM,
|
|
1
|
+
{"version":3,"file":"runner.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/runner.ts"],"names":[],"mappings":"AAOA;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,EAAE,CAqCtD;AAED,wEAAwE;AACxE,wBAAgB,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,SAAQ,GAAG,MAAM,CA0BvE;AAED,8CAA8C;AAC9C,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,SAAQ,GAAG,MAAM,CAY/E;AAED,uEAAuE;AACvE,wBAAgB,OAAO,CAAC,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,SAAQ,GAAG,CAAC,GAAG,IAAI,CAQhF;AAED,qCAAqC;AACrC,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM,CAI3D;AAED,uCAAuC;AACvC,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAE/D;AAED,8CAA8C;AAC9C,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAEnE;AAED;;;;;GAKG;AACH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,wBAAsB,WAAW,CAC/B,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,MAAM,EAAE,EACd,IAAI,EAAE;IAAE,GAAG,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAA;CAAE,GACvC,OAAO,CAAC,kBAAkB,CAAC,CAuG7B"}
|
|
@@ -108,6 +108,16 @@ function run(cmd, cwd, timeoutMs = 30000) {
|
|
|
108
108
|
encoding: 'utf-8',
|
|
109
109
|
stdio: ['pipe', 'pipe', 'pipe'],
|
|
110
110
|
timeout: timeoutMs,
|
|
111
|
+
// Node's default `maxBuffer` is 1MB. Tools that produce large
|
|
112
|
+
// outputs on enterprise codebases (jscpd's 25MB report on
|
|
113
|
+
// dpl-studio, semgrep on a huge ruleset, gitleaks on a leaky
|
|
114
|
+
// repo, npm audit on deep dep trees) silently truncated past
|
|
115
|
+
// that cap pre-fix — execSync threw `ENOBUFS`, the catch below
|
|
116
|
+
// returned empty string, and the calling gather function
|
|
117
|
+
// reported the tool as "unavailable" with reason "no output."
|
|
118
|
+
// 64MB handles the dpl-studio-class observation (25MB) plus
|
|
119
|
+
// ~2x headroom without inviting runaway-tool memory explosion.
|
|
120
|
+
maxBuffer: 64 * 1024 * 1024,
|
|
111
121
|
}).trim();
|
|
112
122
|
}
|
|
113
123
|
catch (err) {
|
|
@@ -194,20 +204,53 @@ function fileExists(cwd, ...paths) {
|
|
|
194
204
|
*/
|
|
195
205
|
async function runDetached(cmd, args, opts) {
|
|
196
206
|
return new Promise((resolve) => {
|
|
207
|
+
let settled = false;
|
|
208
|
+
let stdout = '';
|
|
209
|
+
let stderr = '';
|
|
210
|
+
let timedOut = false;
|
|
211
|
+
// Single-resolve guard. The Promise resolves on exit / error /
|
|
212
|
+
// safety-deadline; whichever fires first wins and the rest are
|
|
213
|
+
// no-ops. Pre-fix the Promise relied solely on `exit` / `error`
|
|
214
|
+
// events — under resource pressure (web-client convergence audit:
|
|
215
|
+
// jscpd + semgrep + graphify all concurrently spawning
|
|
216
|
+
// grandchildren) one of those events occasionally never fired,
|
|
217
|
+
// and the Promise stayed pending forever. Node's event loop then
|
|
218
|
+
// emptied (no more pending operations), beforeExit fired with
|
|
219
|
+
// code=0, and the parent observed a silent rc=0 with no work
|
|
220
|
+
// completed — D134. The settle() wrapper ensures the Promise
|
|
221
|
+
// ALWAYS resolves and the dispatcher above can never hang.
|
|
222
|
+
const settle = (outcome) => {
|
|
223
|
+
if (settled)
|
|
224
|
+
return;
|
|
225
|
+
settled = true;
|
|
226
|
+
resolve(outcome);
|
|
227
|
+
};
|
|
197
228
|
const child = (0, child_process_1.spawn)(cmd, args, {
|
|
198
229
|
cwd: opts.cwd,
|
|
199
230
|
detached: true, // new process group → enables -pid kill below
|
|
200
231
|
stdio: ['ignore', 'pipe', 'pipe'],
|
|
201
232
|
});
|
|
202
|
-
|
|
203
|
-
|
|
233
|
+
// Register error listener BEFORE any other setup so we never miss
|
|
234
|
+
// a synchronous spawn-time emission ('error' fires on ENOENT,
|
|
235
|
+
// EAGAIN under fd/proc exhaustion, EACCES). EventEmitter throws
|
|
236
|
+
// an unhandled-exception if 'error' fires with no listener — the
|
|
237
|
+
// pre-fix late registration could miss the emission window under
|
|
238
|
+
// pressure.
|
|
239
|
+
child.once('error', () => {
|
|
240
|
+
// spawn-time errors (e.g. ENOENT, EAGAIN). Treat as
|
|
241
|
+
// exit-with-no-output; the caller's parser sees an empty stdout
|
|
242
|
+
// and returns its empty result. Matches `run()`'s
|
|
243
|
+
// graceful-degradation convention.
|
|
244
|
+
clearTimeout(timer);
|
|
245
|
+
clearTimeout(safetyTimer);
|
|
246
|
+
settle({ stdout, stderr, code: null, timedOut: false });
|
|
247
|
+
});
|
|
204
248
|
child.stdout?.on('data', (d) => {
|
|
205
249
|
stdout += d.toString('utf8');
|
|
206
250
|
});
|
|
207
251
|
child.stderr?.on('data', (d) => {
|
|
208
252
|
stderr += d.toString('utf8');
|
|
209
253
|
});
|
|
210
|
-
let timedOut = false;
|
|
211
254
|
const timer = setTimeout(() => {
|
|
212
255
|
timedOut = true;
|
|
213
256
|
try {
|
|
@@ -226,16 +269,36 @@ async function runDetached(cmd, args, opts) {
|
|
|
226
269
|
/* process group already gone — fine */
|
|
227
270
|
}
|
|
228
271
|
}, opts.timeoutMs);
|
|
229
|
-
|
|
230
|
-
|
|
231
|
-
|
|
232
|
-
|
|
233
|
-
|
|
234
|
-
|
|
235
|
-
|
|
236
|
-
|
|
272
|
+
// Safety deadline: even if every event source fails (a kernel
|
|
273
|
+
// bug, a libuv corner case, an exotic WSL2 scheduling state),
|
|
274
|
+
// resolve the Promise after timeoutMs + 30s grace. The dispatcher
|
|
275
|
+
// up the stack uses Promise.allSettled which collapses any
|
|
276
|
+
// outcome cleanly, so an extra resolve is harmless; what we
|
|
277
|
+
// never want is an unbounded pending Promise. Pre-fix this was
|
|
278
|
+
// the silent-failure shape D134: the orchestrator's spawnSync
|
|
279
|
+
// health child observed rc=0 with no report written because the
|
|
280
|
+
// capabilities Promise.all hung on a runDetached that never
|
|
281
|
+
// settled — Node exited cleanly when the event loop emptied.
|
|
282
|
+
const safetyTimer = setTimeout(() => {
|
|
283
|
+
try {
|
|
284
|
+
if (child.pid !== undefined) {
|
|
285
|
+
process.kill(-child.pid, 'SIGKILL');
|
|
286
|
+
}
|
|
287
|
+
}
|
|
288
|
+
catch {
|
|
289
|
+
/* process group already gone */
|
|
290
|
+
}
|
|
291
|
+
settle({
|
|
292
|
+
stdout,
|
|
293
|
+
stderr,
|
|
294
|
+
code: null,
|
|
295
|
+
timedOut: true,
|
|
296
|
+
});
|
|
297
|
+
}, opts.timeoutMs + 30_000);
|
|
298
|
+
child.once('exit', (code) => {
|
|
237
299
|
clearTimeout(timer);
|
|
238
|
-
|
|
300
|
+
clearTimeout(safetyTimer);
|
|
301
|
+
settle({ stdout, stderr, code, timedOut });
|
|
239
302
|
});
|
|
240
303
|
});
|
|
241
304
|
}
|
|
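Review bot: Settling on `exit` (new line 298 of the runDetached hunk) can truncate the captured output: Node may still deliver stdout/stderr `data` events after `exit` fires, so the result handed to the caller's JSON parser can be missing its tail — precisely the large-report case the `maxBuffer` bump in the first hunk is meant to fix — and `child.once('close', (code) => {` waits for both pipes to drain while the process-group kill plus the safety deadline keep that wait bounded even if a grandchild inherits the pipes. Separately, the `error` handler (new lines 239–247) discards the error object, so ENOENT, EACCES and EAGAIN all reach the caller as an empty result indistinguishable from "tool ran and printed nothing"; taking the argument with `child.once('error', (err) => {` and folding `err.message` into `stderr` when it is otherwise empty would let the stderr-first-line reporting described in the semgrep declaration surface the real cause. The comment's premise that `error` is a synchronous spawn-time emission is also off — Node emits spawn failures on the next tick, which is the only reason the handler's references to the later-declared `timer`/`safetyTimer` consts do not hit the TDZ — so the rationale is better worded as "register first so an early failure is never missed", and that TDZ dependency deserves a line of its own.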
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"runner.js","sourceRoot":"","sources":["../../../src/analyzers/tools/runner.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiBA,0CAqCC;AAGD,
|
|
1
|
+
{"version":3,"file":"runner.js","sourceRoot":"","sources":["../../../src/analyzers/tools/runner.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiBA,0CAqCC;AAGD,kBA0BC;AAGD,kCAYC;AAGD,0BAQC;AAGD,gCAIC;AAGD,sCAEC;AAGD,gCAEC;AA8CD,kCA2GC;AAvRD;;GAEG;AACH,iDAAgD;AAChD,uCAAyB;AACzB,2CAA6B;AAE7B;;;;;;;;;GASG;AACH,SAAgB,eAAe,CAAC,GAAW;IACzC,MAAM,GAAG,GAAc,EAAE,CAAC;IAC1B,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,KAAK,GAAG,CAAC,CAAC,CAAC;IACf,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;QAClB,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,GAAG,KAAK,CAAC;YACf,SAAS;QACX,CAAC;QACD,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,EAAE,KAAK,IAAI;gBAAE,MAAM,GAAG,IAAI,CAAC;iBAC1B,IAAI,EAAE,KAAK,GAAG;gBAAE,QAAQ,GAAG,KAAK,CAAC;YACtC,SAAS;QACX,CAAC;QACD,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,QAAQ,GAAG,IAAI,CAAC;YAChB,SAAS;QACX,CAAC;QACD,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,IAAI,KAAK,KAAK,CAAC;gBAAE,KAAK,GAAG,CAAC,CAAC;YAC3B,KAAK,EAAE,CAAC;QACV,CAAC;aAAM,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACtB,KAAK,EAAE,CAAC;YACR,IAAI,KAAK,KAAK,CAAC,IAAI,KAAK,IAAI,CAAC,EAAE,CAAC;gBAC9B,IAAI,CAAC;oBACH,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBAChD,CAAC;gBAAC,MAAM,CAAC;oBACP,4BAA4B;gBAC9B,CAAC;gBACD,KAAK,GAAG,CAAC,CAAC,CAAC;YACb,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,wEAAwE;AACxE,SAAgB,GAAG,CAAC,GAAW,EAAE,GAAW,EAAE,SAAS,GAAG,KAAK;IAC7D,IAAI,CAAC;QACH,OAAO,IAAA,wBAAQ,EAAC,GAAG,EAAE;YACnB,GAAG;YACH,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,OAAO,EAAE,SAAS;YAClB,8DAA8D;YAC9D,0DAA0D;YAC1D,6DAA6D;YAC7D,6DAA6D;YAC7D,+DAA+D;YAC/D,yDAAyD;YACzD,8DAA8D;YAC9D,4DAA4D;YAC5D,+DAA+D;YAC/D,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;SAC5B,CAAC,CAAC,IAAI,EAAE,CAAC;IACZ,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,4EAA4E;QAC5E,MAAM,CAAC,GAAG,GAA0B,CAAC;QACrC,IAAI,CAAC,CAAC,MAAM,IAAI,OAAO,CAAC,CAAC,MAAM,KAAK,QAAQ,EAAE,CA
AC;YAC7C,OAAO,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QACzB,CAAC;QACD,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,8CAA8C;AAC9C,SAAgB,WAAW,CAAC,GAAW,EAAE,GAAW,EAAE,SAAS,GAAG,KAAK;IACrE,IAAI,CAAC;QACH,IAAA,wBAAQ,EAAC,GAAG,EAAE;YACZ,GAAG;YACH,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,OAAO,EAAE,SAAS;SACnB,CAAC,CAAC;QACH,OAAO,CAAC,CAAC;IACX,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,CAAC,GAAG,GAA0B,CAAC;QACrC,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC;IACvB,CAAC;AACH,CAAC;AAED,uEAAuE;AACvE,SAAgB,OAAO,CAAI,GAAW,EAAE,GAAW,EAAE,SAAS,GAAG,KAAK;IACpE,MAAM,MAAM,GAAG,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAM,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,qCAAqC;AACrC,SAAgB,UAAU,CAAC,GAAW,EAAE,GAAW;IACjD,MAAM,MAAM,GAAG,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,MAAM;QAAE,OAAO,CAAC,CAAC;IACtB,OAAO,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;AAC3D,CAAC;AAED,uCAAuC;AACvC,SAAgB,aAAa,CAAC,GAAW,EAAE,GAAW;IACpD,OAAO,GAAG,CAAC,SAAS,GAAG,cAAc,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;AACrD,CAAC;AAED,8CAA8C;AAC9C,SAAgB,UAAU,CAAC,GAAW,EAAE,GAAG,KAAe;IACxD,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;AAC7D,CAAC;AAeD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACI,KAAK,UAAU,WAAW,CAC/B,GAAW,EACX,IAAc,EACd,IAAwC;IAExC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,QAAQ,GAAG,KAAK,CAAC;QAErB,+DAA+D;QAC/D,+DAA+D;QAC/D,gEAAgE;QAChE,kEAAkE;QAClE,uDAAuD;QACvD,+DAA+D;QAC/D,iEAAiE;QACjE,8DAA8D;QAC9D,6DAA6D;QAC7D,6DAA6D;QAC7D,2DAA2D;QAC3D,MAAM,MAAM,GAAG,CAAC,OAA2B,EAAQ,EAAE;YACnD,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,OAAO,CAAC,OAAO,CAAC,CAAC;QACnB,CAAC,CAAC;QAEF,MAAM,KAAK,GAAG,IAAA,qBAAK,EAAC,GAAG,EAAE,IAAI,EAAE;YAC7B,GAAG,EAAE,IAAI,CAAC,GAAG;YA
Cb,QAAQ,EAAE,IAAI,EAAE,8CAA8C;YAC9D,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC;QAEH,kEAAkE;QAClE,8DAA8D;QAC9D,gEAAgE;QAChE,iEAAiE;QACjE,iEAAiE;QACjE,YAAY;QACZ,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE;YACvB,oDAAoD;YACpD,gEAAgE;YAChE,kDAAkD;YAClD,mCAAmC;YACnC,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,YAAY,CAAC,WAAW,CAAC,CAAC;YAC1B,MAAM,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;QAC1D,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE;YACrC,MAAM,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE;YACrC,MAAM,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,QAAQ,GAAG,IAAI,CAAC;YAChB,IAAI,CAAC;gBACH,IAAI,KAAK,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;oBAC5B,6DAA6D;oBAC7D,+DAA+D;oBAC/D,+DAA+D;oBAC/D,6DAA6D;oBAC7D,4DAA4D;oBAC5D,2DAA2D;oBAC3D,SAAS;oBACT,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;gBACtC,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,uCAAuC;YACzC,CAAC;QACH,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;QAEnB,8DAA8D;QAC9D,8DAA8D;QAC9D,kEAAkE;QAClE,2DAA2D;QAC3D,4DAA4D;QAC5D,+DAA+D;QAC/D,8DAA8D;QAC9D,gEAAgE;QAChE,4DAA4D;QAC5D,6DAA6D;QAC7D,MAAM,WAAW,GAAG,UAAU,CAAC,GAAG,EAAE;YAClC,IAAI,CAAC;gBACH,IAAI,KAAK,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;oBAC5B,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;gBACtC,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,gCAAgC;YAClC,CAAC;YACD,MAAM,CAAC;gBACL,MAAM;gBACN,MAAM;gBACN,IAAI,EAAE,IAAI;gBACV,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;QACL,CAAC,EAAE,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,CAAC;QAE5B,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YAC1B,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,YAAY,CAAC,WAAW,CAAC,CAAC;YAC1B,MAAM,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC7C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}
|
|
@@ -26,14 +26,51 @@ export type CodePatternsGatherOutcome = {
|
|
|
26
26
|
kind: 'unavailable';
|
|
27
27
|
reason: string;
|
|
28
28
|
};
|
|
29
|
+
/**
|
|
30
|
+
* Map semgrep's severity + impact to the project's four-tier model.
|
|
31
|
+
* Priority: rule metadata `impact` (most meaningful — rule authors
|
|
32
|
+
* tier by business impact) → fall back to semgrep's `severity`.
|
|
33
|
+
*/
|
|
34
|
+
/**
|
|
35
|
+
* Normalize semgrep's `metadata.cwe` into a single CWE identifier.
|
|
36
|
+
*
|
|
37
|
+
* Why: semgrep rule authors write `cwe:` in YAML as either a scalar
|
|
38
|
+
* (`cwe: "CWE-295: Improper Certificate Validation"`) or a list
|
|
39
|
+
* (`cwe: ["CWE-295: ..."]`). Both shapes pass through semgrep's JSON
|
|
40
|
+
* output unchanged. Pre-fix this code did `metadata?.cwe?.[0]` which
|
|
41
|
+
* silently returned the first *character* of the scalar form (e.g.
|
|
42
|
+
* "C" for "CWE-295: ..."). D094 surfaced this on `bypass-tls-
|
|
43
|
+
* verification` rule output.
|
|
44
|
+
*/
|
|
45
|
+
export declare function extractCwe(cwe: string | string[] | undefined): string;
|
|
29
46
|
/**
|
|
30
47
|
* Single source of truth for the semgrep invocation. Consumed by
|
|
31
48
|
* `semgrepProvider` (capability dispatcher).
|
|
49
|
+
*
|
|
50
|
+
* Failure-mode honesty: when semgrep doesn't produce a parseable
|
|
51
|
+
* report, the returned `reason` distinguishes between:
|
|
52
|
+
* - timeout (we hit our wall-clock budget — the customer probably
|
|
53
|
+
* wants to install nothing and instead either prune the scan
|
|
54
|
+
* scope via `.dxkit-ignore` or bump the timeout)
|
|
55
|
+
* - non-zero exit with a captured stderr first line (semgrep
|
|
56
|
+
* itself complained — surface its complaint)
|
|
57
|
+
* - the historical fallback "no output" (rare now; means stderr
|
|
58
|
+
* was empty AND exit was zero AND the report file was missing)
|
|
59
|
+
*
|
|
60
|
+
* Pre-fix every failure collapsed to "no output," masking
|
|
61
|
+
* resource-contention deaths (parallel jscpd + graphify + semgrep
|
|
62
|
+
* on a 700-file repo OOM-killing the youngest), timeouts, and
|
|
63
|
+
* config-parse errors with the same useless string. Switched to
|
|
64
|
+
* runDetached so we capture stderr + exit code + timeout signal
|
|
65
|
+
* separately, and so the wall-clock-deadline kill cleans up
|
|
66
|
+
* grandchildren (semgrep's internal worker pool).
|
|
32
67
|
*/
|
|
33
|
-
export declare function gatherSemgrepResult(cwd: string): CodePatternsGatherOutcome
|
|
68
|
+
export declare function gatherSemgrepResult(cwd: string): Promise<CodePatternsGatherOutcome>;
|
|
34
69
|
/**
|
|
35
70
|
* Capability-shaped provider. Registered in
|
|
36
71
|
* `src/languages/capabilities/global.ts:GLOBAL_CAPABILITIES.codePatterns`.
|
|
37
72
|
*/
|
|
38
|
-
export declare const semgrepProvider: CapabilityProvider<CodePatternsResult
|
|
73
|
+
export declare const semgrepProvider: CapabilityProvider<CodePatternsResult> & {
|
|
74
|
+
gatherOutcome(cwd: string): Promise<CodePatternsGatherOutcome>;
|
|
75
|
+
};
|
|
39
76
|
//# sourceMappingURL=semgrep.d.ts.map
|
|
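Review bot: The doc block at new lines 29–33 ("Map semgrep's severity + impact …") is dangling: it is immediately followed by a second `/** */` block and then `extractCwe`, so it documents nothing in this declaration file and, depending on how the editor merges consecutive JSDoc blocks, may even show up in `extractCwe`'s hover text. It presumably belongs to a non-exported helper in `src/analyzers/tools/semgrep.ts` that declaration emit dropped; turning that helper's comment into a plain `//` or `/* */` comment in the source keeps it out of the public `.d.ts`. The `gatherSemgrepResult` signature at new line 68 went from a synchronous return to `Promise<CodePatternsGatherOutcome>`, which breaks any external caller that used the value directly, yet the new doc paragraph narrates the runDetached switch without saying so — a one-line `@remarks Now asynchronous; callers must await the result.` would serve consumers better than the pre-fix history and D-numbered incident references, which read as changelog material rather than API contract.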
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"semgrep.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/semgrep.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;
|
|
1
|
+
{"version":3,"file":"semgrep.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/semgrep.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,uCAAuC,CAAC;AAChF,OAAO,KAAK,EAAsB,kBAAkB,EAAE,MAAM,oCAAoC,CAAC;AA6BjG;;;;;GAKG;AACH,MAAM,MAAM,yBAAyB,GACjC;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,QAAQ,EAAE,kBAAkB,CAAA;CAAE,GACjD;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAE5C;;;;GAIG;AACH;;;;;;;;;;GAUG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,GAAG,MAAM,CAKrE;AA4BD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,yBAAyB,CAAC,CAuGzF;AAED;;;GAGG;AAMH,eAAO,MAAM,eAAe,EAAE,kBAAkB,CAAC,kBAAkB,CAAC,GAAG;IACrE,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,yBAAyB,CAAC,CAAC;CAUhE,CAAC"}
|