@vyuhlabs/dxkit 2.4.6 → 2.4.7

Files changed (345) hide show
  1. package/CHANGELOG.md +885 -0
  2. package/README.md +131 -26
  3. package/dist/analysis-result.d.ts +112 -0
  4. package/dist/analysis-result.d.ts.map +1 -0
  5. package/dist/analysis-result.js +52 -0
  6. package/dist/analysis-result.js.map +1 -0
  7. package/dist/analyzers/bom/detailed.d.ts.map +1 -1
  8. package/dist/analyzers/bom/detailed.js +19 -0
  9. package/dist/analyzers/bom/detailed.js.map +1 -1
  10. package/dist/analyzers/bom/gather.d.ts +27 -26
  11. package/dist/analyzers/bom/gather.d.ts.map +1 -1
  12. package/dist/analyzers/bom/gather.js +26 -87
  13. package/dist/analyzers/bom/gather.js.map +1 -1
  14. package/dist/analyzers/bom/index.d.ts +0 -7
  15. package/dist/analyzers/bom/index.d.ts.map +1 -1
  16. package/dist/analyzers/bom/index.js +98 -48
  17. package/dist/analyzers/bom/index.js.map +1 -1
  18. package/dist/analyzers/bom/types.d.ts +11 -13
  19. package/dist/analyzers/bom/types.d.ts.map +1 -1
  20. package/dist/analyzers/cache.d.ts +95 -0
  21. package/dist/analyzers/cache.d.ts.map +1 -0
  22. package/dist/analyzers/cache.js +309 -0
  23. package/dist/analyzers/cache.js.map +1 -0
  24. package/dist/analyzers/coverage-runner.d.ts +56 -0
  25. package/dist/analyzers/coverage-runner.d.ts.map +1 -0
  26. package/dist/analyzers/coverage-runner.js +72 -0
  27. package/dist/analyzers/coverage-runner.js.map +1 -0
  28. package/dist/analyzers/dashboard/index.d.ts +24 -0
  29. package/dist/analyzers/dashboard/index.d.ts.map +1 -0
  30. package/dist/analyzers/dashboard/index.js +666 -0
  31. package/dist/analyzers/dashboard/index.js.map +1 -0
  32. package/dist/analyzers/developer/gather.d.ts.map +1 -1
  33. package/dist/analyzers/developer/gather.js +205 -37
  34. package/dist/analyzers/developer/gather.js.map +1 -1
  35. package/dist/analyzers/developer/index.d.ts +1 -1
  36. package/dist/analyzers/developer/index.d.ts.map +1 -1
  37. package/dist/analyzers/developer/index.js +19 -8
  38. package/dist/analyzers/developer/index.js.map +1 -1
  39. package/dist/analyzers/dispatcher.d.ts +37 -0
  40. package/dist/analyzers/dispatcher.d.ts.map +1 -1
  41. package/dist/analyzers/dispatcher.js +56 -9
  42. package/dist/analyzers/dispatcher.js.map +1 -1
  43. package/dist/analyzers/docs/shallow.d.ts +17 -5
  44. package/dist/analyzers/docs/shallow.d.ts.map +1 -1
  45. package/dist/analyzers/docs/shallow.js +65 -2
  46. package/dist/analyzers/docs/shallow.js.map +1 -1
  47. package/dist/analyzers/dx/shallow.d.ts +17 -5
  48. package/dist/analyzers/dx/shallow.d.ts.map +1 -1
  49. package/dist/analyzers/dx/shallow.js +66 -2
  50. package/dist/analyzers/dx/shallow.js.map +1 -1
  51. package/dist/analyzers/health/actions.d.ts +1 -1
  52. package/dist/analyzers/health/actions.d.ts.map +1 -1
  53. package/dist/analyzers/health/actions.js +27 -9
  54. package/dist/analyzers/health/actions.js.map +1 -1
  55. package/dist/analyzers/health/detailed.d.ts +2 -1
  56. package/dist/analyzers/health/detailed.d.ts.map +1 -1
  57. package/dist/analyzers/health/detailed.js +11 -7
  58. package/dist/analyzers/health/detailed.js.map +1 -1
  59. package/dist/analyzers/health.d.ts +27 -0
  60. package/dist/analyzers/health.d.ts.map +1 -1
  61. package/dist/analyzers/health.js +271 -33
  62. package/dist/analyzers/health.js.map +1 -1
  63. package/dist/analyzers/licenses/gather.d.ts +35 -8
  64. package/dist/analyzers/licenses/gather.d.ts.map +1 -1
  65. package/dist/analyzers/licenses/gather.js +70 -13
  66. package/dist/analyzers/licenses/gather.js.map +1 -1
  67. package/dist/analyzers/licenses/index.d.ts +1 -1
  68. package/dist/analyzers/licenses/index.d.ts.map +1 -1
  69. package/dist/analyzers/licenses/index.js +52 -11
  70. package/dist/analyzers/licenses/index.js.map +1 -1
  71. package/dist/analyzers/licenses/types.d.ts +15 -0
  72. package/dist/analyzers/licenses/types.d.ts.map +1 -1
  73. package/dist/analyzers/maintainability/shallow.d.ts +17 -5
  74. package/dist/analyzers/maintainability/shallow.d.ts.map +1 -1
  75. package/dist/analyzers/maintainability/shallow.js +80 -2
  76. package/dist/analyzers/maintainability/shallow.js.map +1 -1
  77. package/dist/analyzers/quality/detailed.d.ts.map +1 -1
  78. package/dist/analyzers/quality/detailed.js +4 -6
  79. package/dist/analyzers/quality/detailed.js.map +1 -1
  80. package/dist/analyzers/quality/gather.d.ts +1 -14
  81. package/dist/analyzers/quality/gather.d.ts.map +1 -1
  82. package/dist/analyzers/quality/gather.js +48 -137
  83. package/dist/analyzers/quality/gather.js.map +1 -1
  84. package/dist/analyzers/quality/index.d.ts +9 -2
  85. package/dist/analyzers/quality/index.d.ts.map +1 -1
  86. package/dist/analyzers/quality/index.js +189 -117
  87. package/dist/analyzers/quality/index.js.map +1 -1
  88. package/dist/analyzers/quality/shallow.d.ts +50 -5
  89. package/dist/analyzers/quality/shallow.d.ts.map +1 -1
  90. package/dist/analyzers/quality/shallow.js +155 -2
  91. package/dist/analyzers/quality/shallow.js.map +1 -1
  92. package/dist/analyzers/quality/types.d.ts +14 -0
  93. package/dist/analyzers/quality/types.d.ts.map +1 -1
  94. package/dist/analyzers/security/actions.d.ts +11 -4
  95. package/dist/analyzers/security/actions.d.ts.map +1 -1
  96. package/dist/analyzers/security/actions.js +87 -37
  97. package/dist/analyzers/security/actions.js.map +1 -1
  98. package/dist/analyzers/security/aggregator.d.ts +236 -0
  99. package/dist/analyzers/security/aggregator.d.ts.map +1 -0
  100. package/dist/analyzers/security/aggregator.js +347 -0
  101. package/dist/analyzers/security/aggregator.js.map +1 -0
  102. package/dist/analyzers/security/detailed.d.ts +2 -2
  103. package/dist/analyzers/security/detailed.d.ts.map +1 -1
  104. package/dist/analyzers/security/detailed.js +10 -9
  105. package/dist/analyzers/security/detailed.js.map +1 -1
  106. package/dist/analyzers/security/gather.d.ts +103 -1
  107. package/dist/analyzers/security/gather.d.ts.map +1 -1
  108. package/dist/analyzers/security/gather.js +281 -9
  109. package/dist/analyzers/security/gather.js.map +1 -1
  110. package/dist/analyzers/security/index.d.ts +15 -0
  111. package/dist/analyzers/security/index.d.ts.map +1 -1
  112. package/dist/analyzers/security/index.js +463 -50
  113. package/dist/analyzers/security/index.js.map +1 -1
  114. package/dist/analyzers/security/shallow.d.ts +50 -6
  115. package/dist/analyzers/security/shallow.d.ts.map +1 -1
  116. package/dist/analyzers/security/shallow.js +154 -2
  117. package/dist/analyzers/security/shallow.js.map +1 -1
  118. package/dist/analyzers/security/types.d.ts +51 -0
  119. package/dist/analyzers/security/types.d.ts.map +1 -1
  120. package/dist/analyzers/tests/detailed.d.ts.map +1 -1
  121. package/dist/analyzers/tests/detailed.js +2 -3
  122. package/dist/analyzers/tests/detailed.js.map +1 -1
  123. package/dist/analyzers/tests/gather.d.ts +2 -1
  124. package/dist/analyzers/tests/gather.d.ts.map +1 -1
  125. package/dist/analyzers/tests/gather.js +98 -69
  126. package/dist/analyzers/tests/gather.js.map +1 -1
  127. package/dist/analyzers/tests/index.d.ts +11 -2
  128. package/dist/analyzers/tests/index.d.ts.map +1 -1
  129. package/dist/analyzers/tests/index.js +83 -18
  130. package/dist/analyzers/tests/index.js.map +1 -1
  131. package/dist/analyzers/tests/shallow.d.ts +19 -5
  132. package/dist/analyzers/tests/shallow.d.ts.map +1 -1
  133. package/dist/analyzers/tests/shallow.js +89 -2
  134. package/dist/analyzers/tests/shallow.js.map +1 -1
  135. package/dist/analyzers/tests/types.d.ts +41 -1
  136. package/dist/analyzers/tests/types.d.ts.map +1 -1
  137. package/dist/analyzers/tools/autogen-header.d.ts +8 -0
  138. package/dist/analyzers/tools/autogen-header.d.ts.map +1 -0
  139. package/dist/analyzers/tools/autogen-header.js +107 -0
  140. package/dist/analyzers/tools/autogen-header.js.map +1 -0
  141. package/dist/analyzers/tools/cloc.d.ts.map +1 -1
  142. package/dist/analyzers/tools/cloc.js +36 -5
  143. package/dist/analyzers/tools/cloc.js.map +1 -1
  144. package/dist/analyzers/tools/debug-statements.d.ts +17 -0
  145. package/dist/analyzers/tools/debug-statements.d.ts.map +1 -0
  146. package/dist/analyzers/tools/debug-statements.js +58 -0
  147. package/dist/analyzers/tools/debug-statements.js.map +1 -0
  148. package/dist/analyzers/tools/default-exclusions.gitignore +28 -0
  149. package/dist/analyzers/tools/exclusions.d.ts +33 -6
  150. package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
  151. package/dist/analyzers/tools/exclusions.js +95 -26
  152. package/dist/analyzers/tools/exclusions.js.map +1 -1
  153. package/dist/analyzers/tools/generic.d.ts +17 -2
  154. package/dist/analyzers/tools/generic.d.ts.map +1 -1
  155. package/dist/analyzers/tools/generic.js +206 -109
  156. package/dist/analyzers/tools/generic.js.map +1 -1
  157. package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
  158. package/dist/analyzers/tools/gitleaks.js +48 -1
  159. package/dist/analyzers/tools/gitleaks.js.map +1 -1
  160. package/dist/analyzers/tools/graphify.d.ts +30 -2
  161. package/dist/analyzers/tools/graphify.d.ts.map +1 -1
  162. package/dist/analyzers/tools/graphify.js +131 -15
  163. package/dist/analyzers/tools/graphify.js.map +1 -1
  164. package/dist/analyzers/tools/jscpd.d.ts +12 -2
  165. package/dist/analyzers/tools/jscpd.d.ts.map +1 -1
  166. package/dist/analyzers/tools/jscpd.js +129 -6
  167. package/dist/analyzers/tools/jscpd.js.map +1 -1
  168. package/dist/analyzers/tools/minified-detection.d.ts +9 -0
  169. package/dist/analyzers/tools/minified-detection.d.ts.map +1 -0
  170. package/dist/analyzers/tools/minified-detection.js +147 -0
  171. package/dist/analyzers/tools/minified-detection.js.map +1 -0
  172. package/dist/analyzers/tools/nuget-package-reference.d.ts +131 -0
  173. package/dist/analyzers/tools/nuget-package-reference.d.ts.map +1 -0
  174. package/dist/analyzers/tools/nuget-package-reference.js +175 -0
  175. package/dist/analyzers/tools/nuget-package-reference.js.map +1 -0
  176. package/dist/analyzers/tools/osv-scanner-deps.d.ts +3 -2
  177. package/dist/analyzers/tools/osv-scanner-deps.d.ts.map +1 -1
  178. package/dist/analyzers/tools/osv-scanner-deps.js +32 -14
  179. package/dist/analyzers/tools/osv-scanner-deps.js.map +1 -1
  180. package/dist/analyzers/tools/osv.d.ts +36 -0
  181. package/dist/analyzers/tools/osv.d.ts.map +1 -1
  182. package/dist/analyzers/tools/osv.js +26 -0
  183. package/dist/analyzers/tools/osv.js.map +1 -1
  184. package/dist/analyzers/tools/parallel.d.ts +1 -1
  185. package/dist/analyzers/tools/parallel.d.ts.map +1 -1
  186. package/dist/analyzers/tools/parallel.js +2 -2
  187. package/dist/analyzers/tools/parallel.js.map +1 -1
  188. package/dist/analyzers/tools/risk-score.d.ts +7 -0
  189. package/dist/analyzers/tools/risk-score.d.ts.map +1 -1
  190. package/dist/analyzers/tools/risk-score.js +9 -2
  191. package/dist/analyzers/tools/risk-score.js.map +1 -1
  192. package/dist/analyzers/tools/run-tests-helper.d.ts +43 -0
  193. package/dist/analyzers/tools/run-tests-helper.d.ts.map +1 -0
  194. package/dist/analyzers/tools/run-tests-helper.js +156 -0
  195. package/dist/analyzers/tools/run-tests-helper.js.map +1 -0
  196. package/dist/analyzers/tools/runner.d.ts.map +1 -1
  197. package/dist/analyzers/tools/runner.js +75 -12
  198. package/dist/analyzers/tools/runner.js.map +1 -1
  199. package/dist/analyzers/tools/semgrep.d.ts +39 -2
  200. package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
  201. package/dist/analyzers/tools/semgrep.js +131 -9
  202. package/dist/analyzers/tools/semgrep.js.map +1 -1
  203. package/dist/analyzers/tools/timing.d.ts +17 -3
  204. package/dist/analyzers/tools/timing.d.ts.map +1 -1
  205. package/dist/analyzers/tools/timing.js +36 -14
  206. package/dist/analyzers/tools/timing.js.map +1 -1
  207. package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
  208. package/dist/analyzers/tools/tool-registry.js +11 -1
  209. package/dist/analyzers/tools/tool-registry.js.map +1 -1
  210. package/dist/analyzers/tools/tools-unavailable-prose.d.ts +18 -0
  211. package/dist/analyzers/tools/tools-unavailable-prose.d.ts.map +1 -0
  212. package/dist/analyzers/tools/tools-unavailable-prose.js +69 -0
  213. package/dist/analyzers/tools/tools-unavailable-prose.js.map +1 -0
  214. package/dist/analyzers/tools/upgrade-plan-resolver.d.ts.map +1 -1
  215. package/dist/analyzers/tools/upgrade-plan-resolver.js +7 -0
  216. package/dist/analyzers/tools/upgrade-plan-resolver.js.map +1 -1
  217. package/dist/analyzers/tools/vendored-advisor.d.ts +43 -0
  218. package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -0
  219. package/dist/analyzers/tools/vendored-advisor.js +107 -0
  220. package/dist/analyzers/tools/vendored-advisor.js.map +1 -0
  221. package/dist/analyzers/tools/walk-paths.d.ts +78 -0
  222. package/dist/analyzers/tools/walk-paths.d.ts.map +1 -0
  223. package/dist/analyzers/tools/walk-paths.js +150 -0
  224. package/dist/analyzers/tools/walk-paths.js.map +1 -0
  225. package/dist/analyzers/tools/walk-source-files.d.ts +70 -0
  226. package/dist/analyzers/tools/walk-source-files.d.ts.map +1 -0
  227. package/dist/analyzers/tools/walk-source-files.js +369 -0
  228. package/dist/analyzers/tools/walk-source-files.js.map +1 -0
  229. package/dist/analyzers/types.d.ts +204 -4
  230. package/dist/analyzers/types.d.ts.map +1 -1
  231. package/dist/analyzers/xlsx/bom.d.ts.map +1 -1
  232. package/dist/analyzers/xlsx/bom.js +8 -1
  233. package/dist/analyzers/xlsx/bom.js.map +1 -1
  234. package/dist/cli.d.ts.map +1 -1
  235. package/dist/cli.js +557 -189
  236. package/dist/cli.js.map +1 -1
  237. package/dist/detect.d.ts.map +1 -1
  238. package/dist/detect.js +24 -7
  239. package/dist/detect.js.map +1 -1
  240. package/dist/doctor.d.ts.map +1 -1
  241. package/dist/doctor.js +103 -53
  242. package/dist/doctor.js.map +1 -1
  243. package/dist/languages/capabilities/provider.d.ts +130 -1
  244. package/dist/languages/capabilities/provider.d.ts.map +1 -1
  245. package/dist/languages/capabilities/types.d.ts +68 -7
  246. package/dist/languages/capabilities/types.d.ts.map +1 -1
  247. package/dist/languages/csharp.d.ts +15 -1
  248. package/dist/languages/csharp.d.ts.map +1 -1
  249. package/dist/languages/csharp.js +624 -146
  250. package/dist/languages/csharp.js.map +1 -1
  251. package/dist/languages/go.d.ts.map +1 -1
  252. package/dist/languages/go.js +89 -11
  253. package/dist/languages/go.js.map +1 -1
  254. package/dist/languages/index.d.ts +131 -2
  255. package/dist/languages/index.d.ts.map +1 -1
  256. package/dist/languages/index.js +206 -0
  257. package/dist/languages/index.js.map +1 -1
  258. package/dist/languages/java.d.ts.map +1 -1
  259. package/dist/languages/java.js +113 -26
  260. package/dist/languages/java.js.map +1 -1
  261. package/dist/languages/kotlin.d.ts.map +1 -1
  262. package/dist/languages/kotlin.js +132 -26
  263. package/dist/languages/kotlin.js.map +1 -1
  264. package/dist/languages/python.d.ts.map +1 -1
  265. package/dist/languages/python.js +149 -44
  266. package/dist/languages/python.js.map +1 -1
  267. package/dist/languages/ruby.d.ts +39 -1
  268. package/dist/languages/ruby.d.ts.map +1 -1
  269. package/dist/languages/ruby.js +178 -44
  270. package/dist/languages/ruby.js.map +1 -1
  271. package/dist/languages/rust.d.ts.map +1 -1
  272. package/dist/languages/rust.js +103 -16
  273. package/dist/languages/rust.js.map +1 -1
  274. package/dist/languages/types.d.ts +228 -5
  275. package/dist/languages/types.d.ts.map +1 -1
  276. package/dist/languages/typescript.d.ts.map +1 -1
  277. package/dist/languages/typescript.js +201 -14
  278. package/dist/languages/typescript.js.map +1 -1
  279. package/dist/scoring/dimensions/documentation.d.ts +53 -0
  280. package/dist/scoring/dimensions/documentation.d.ts.map +1 -0
  281. package/dist/scoring/dimensions/documentation.js +106 -0
  282. package/dist/scoring/dimensions/documentation.js.map +1 -0
  283. package/dist/scoring/dimensions/dx.d.ts +53 -0
  284. package/dist/scoring/dimensions/dx.d.ts.map +1 -0
  285. package/dist/scoring/dimensions/dx.js +105 -0
  286. package/dist/scoring/dimensions/dx.js.map +1 -0
  287. package/dist/scoring/dimensions/maintainability.d.ts +53 -0
  288. package/dist/scoring/dimensions/maintainability.d.ts.map +1 -0
  289. package/dist/scoring/dimensions/maintainability.js +101 -0
  290. package/dist/scoring/dimensions/maintainability.js.map +1 -0
  291. package/dist/scoring/dimensions/quality.d.ts +108 -0
  292. package/dist/scoring/dimensions/quality.d.ts.map +1 -0
  293. package/dist/scoring/dimensions/quality.js +174 -0
  294. package/dist/scoring/dimensions/quality.js.map +1 -0
  295. package/dist/scoring/dimensions/security.d.ts +84 -0
  296. package/dist/scoring/dimensions/security.d.ts.map +1 -0
  297. package/dist/scoring/dimensions/security.js +135 -0
  298. package/dist/scoring/dimensions/security.js.map +1 -0
  299. package/dist/scoring/dimensions/testing.d.ts +56 -0
  300. package/dist/scoring/dimensions/testing.d.ts.map +1 -0
  301. package/dist/scoring/dimensions/testing.js +98 -0
  302. package/dist/scoring/dimensions/testing.js.map +1 -0
  303. package/dist/scoring/evaluator.d.ts +27 -0
  304. package/dist/scoring/evaluator.d.ts.map +1 -0
  305. package/dist/scoring/evaluator.js +124 -0
  306. package/dist/scoring/evaluator.js.map +1 -0
  307. package/dist/scoring/format.d.ts +34 -0
  308. package/dist/scoring/format.d.ts.map +1 -0
  309. package/dist/scoring/format.js +63 -0
  310. package/dist/scoring/format.js.map +1 -0
  311. package/dist/scoring/index.d.ts +37 -0
  312. package/dist/scoring/index.d.ts.map +1 -0
  313. package/dist/scoring/index.js +57 -0
  314. package/dist/scoring/index.js.map +1 -0
  315. package/dist/scoring/overall.d.ts +54 -0
  316. package/dist/scoring/overall.d.ts.map +1 -0
  317. package/dist/scoring/overall.js +76 -0
  318. package/dist/scoring/overall.js.map +1 -0
  319. package/dist/scoring/result.d.ts +111 -0
  320. package/dist/scoring/result.d.ts.map +1 -0
  321. package/dist/scoring/result.js +14 -0
  322. package/dist/scoring/result.js.map +1 -0
  323. package/dist/scoring/spec.d.ts +76 -0
  324. package/dist/scoring/spec.d.ts.map +1 -0
  325. package/dist/scoring/spec.js +22 -0
  326. package/dist/scoring/spec.js.map +1 -0
  327. package/dist/scoring/thresholds.d.ts +56 -0
  328. package/dist/scoring/thresholds.d.ts.map +1 -0
  329. package/dist/scoring/thresholds.js +75 -0
  330. package/dist/scoring/thresholds.js.map +1 -0
  331. package/dist/tools-cli.d.ts.map +1 -1
  332. package/dist/tools-cli.js +21 -2
  333. package/dist/tools-cli.js.map +1 -1
  334. package/dist/types.d.ts +16 -0
  335. package/dist/types.d.ts.map +1 -1
  336. package/package.json +1 -1
  337. package/templates/.claude/commands/dashboard.md +17 -9
  338. package/dist/analyzers/scoring.d.ts +0 -49
  339. package/dist/analyzers/scoring.d.ts.map +0 -1
  340. package/dist/analyzers/scoring.js +0 -422
  341. package/dist/analyzers/scoring.js.map +0 -1
  342. package/dist/analyzers/security/scoring.d.ts +0 -29
  343. package/dist/analyzers/security/scoring.d.ts.map +0 -1
  344. package/dist/analyzers/security/scoring.js +0 -40
  345. package/dist/analyzers/security/scoring.js.map +0 -1
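--- a/package/dist/analyzers/tools/jscpd.js
+++ b/package/dist/analyzers/tools/jscpd.js
@@ -14,10 +14,46 @@
  * driven derivation keeps adding a new language to a one-line scaffold
  * change rather than a cross-cutting edit here.
  */
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+ if (k2 === undefined) k2 = k;
+ var desc = Object.getOwnPropertyDescriptor(m, k);
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+ desc = { enumerable: true, get: function() { return m[k]; } };
+ }
+ Object.defineProperty(o, k2, desc);
+ }) : (function(o, m, k, k2) {
+ if (k2 === undefined) k2 = k;
+ o[k2] = m[k];
+ }));
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
+ }) : function(o, v) {
+ o["default"] = v;
+ });
+ var __importStar = (this && this.__importStar) || (function () {
+ var ownKeys = function(o) {
+ ownKeys = Object.getOwnPropertyNames || function (o) {
+ var ar = [];
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+ return ar;
+ };
+ return ownKeys(o);
+ };
+ return function (mod) {
+ if (mod && mod.__esModule) return mod;
+ var result = {};
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+ __setModuleDefault(result, mod);
+ return result;
+ };
+ })();
  Object.defineProperty(exports, "__esModule", { value: true });
  exports.jscpdProvider = void 0;
  exports.gatherJscpdResult = gatherJscpdResult;
+ const fs = __importStar(require("fs"));
+ const path = __importStar(require("path"));
  const languages_1 = require("../../languages");
+ const exclusions_1 = require("./exclusions");
  const runner_1 = require("./runner");
  const tool_registry_1 = require("./tool-registry");
  /**
@@ -65,18 +101,93 @@ function topClonesFrom(duplicates, limit = 15) {
  /**
  * Single source of truth for the jscpd invocation. Consumed by
  * `jscpdProvider` (capability dispatcher).
+ *
+ * Failure-mode honesty: when jscpd doesn't produce a parseable
+ * report, the returned `reason` distinguishes timeout, non-zero
+ * exit (with first stderr line), or the rare true "no output"
+ * case. Same shape as the semgrep gather — switched from execSync
+ * to spawn-with-process-group so jscpd's worker pool (it splits
+ * the scan across multiple Node workers internally) isn't killed
+ * mid-run when execSync's wall-clock timer fires.
  */
- function gatherJscpdResult(cwd) {
+ async function gatherJscpdResult(cwd) {
  const status = (0, tool_registry_1.findTool)(tool_registry_1.TOOL_DEFS.jscpd, cwd);
  if (!status.available || !status.path)
  return { kind: 'unavailable', reason: 'not installed' };
  const reportDir = `/tmp/dxkit-jscpd-${Date.now()}`;
  const pattern = buildJscpdPattern();
- (0, runner_1.run)(`${status.path} --reporters json --output '${reportDir}' --gitignore --pattern '${pattern}' --min-lines 5 --min-tokens 50 '${cwd}' > /dev/null 2>&1`, cwd, 300000);
- const reportRaw = (0, runner_1.run)(`cat '${reportDir}/jscpd-report.json' 2>/dev/null`, cwd);
- (0, runner_1.run)(`rm -rf '${reportDir}'`, cwd);
- if (!reportRaw)
+ // jscpd's `--ignore` receives the union of:
+ //
+ // 1. dxkit's centralized exclusion set (`getJscpdIgnorePatterns`)
+ // the same dirs / sourcePaths / filePatterns the in-process
+ // walkers (cloc, grep, semgrep, graphify's Python filter)
+ // honor. Without this, committed-vendored trees that aren't
+ // listed in the project's `.gitignore` (the `--gitignore` flag's
+ // only input) — minified bundles, hash-versioned webpack
+ // chunks, vendored library copies under `public/` — would
+ // force jscpd to tokenize them, exhaust heap, and OOM-kill
+ // before flushing its JSON report. The report would then read
+ // "Duplication unavailable" on the densest repos.
+ //
+ // 2. Pack-declared autogen patterns (`*.Designer.cs`, WCF
+ // `Reference.cs`, MSBuild `*.AssemblyInfo.cs`, etc.) so
+ // duplication detection skips the same files generic.ts +
+ // test-gaps' source walk already skip. Autogen scaffolding
+ // duplicates verbatim by its nature; including it inflates
+ // the duplication percentage and points "extract this" advice
+ // at code the developer never authored.
+ //
+ // Patterns get a `**/` prefix so they match at any directory depth.
+ const exclusionIgnore = (0, exclusions_1.getJscpdIgnorePatterns)(cwd);
+ const autogenIgnore = (0, languages_1.allAutogenSourcePatterns)().map((p) => `**/${p}`);
+ const ignorePatterns = [...exclusionIgnore, ...autogenIgnore];
+ const args = ['--reporters', 'json', '--output', reportDir, '--gitignore', '--pattern', pattern];
+ if (ignorePatterns.length > 0) {
+ args.push('--ignore', ignorePatterns.join(','));
+ }
+ args.push('--min-lines', '5', '--min-tokens', '50', cwd);
+ const outcome = await (0, runner_1.runDetached)(status.path, args, { cwd, timeoutMs: 600000 });
+ // Read the report file directly. Pre-D-fix this used
+ // `run('cat <path>')` which routed through execSync with the default
+ // 1MB maxBuffer — jscpd reports on enterprise codebases routinely
+ // exceed that (dpl-studio's was 25MB / 395k lines), causing execSync
+ // to truncate the output to empty and the gather to misreport
+ // jscpd as "unavailable" even after a fully-successful run.
+ // Direct file read sidesteps the buffer entirely.
+ const reportPath = path.join(reportDir, 'jscpd-report.json');
+ let reportRaw;
+ try {
+ reportRaw = fs.readFileSync(reportPath, 'utf-8');
+ }
+ catch {
+ reportRaw = '';
+ }
+ try {
+ fs.rmSync(reportDir, { recursive: true, force: true });
+ }
+ catch {
+ /* dir already gone or never written — fine */
+ }
+ if (!reportRaw) {
+ if (outcome.timedOut) {
+ return {
+ kind: 'unavailable',
+ reason: 'timed out at 600s (try narrowing scan scope via .dxkit-ignore)',
+ };
+ }
+ const stderrFirstLine = outcome.stderr
+ .split('\n')
+ .map((l) => l.trim())
+ .find((l) => l.length > 0);
+ if (outcome.code !== 0 && outcome.code !== null) {
+ const ctx = stderrFirstLine ? ` (stderr: ${stderrFirstLine})` : '';
+ return { kind: 'unavailable', reason: `exit code ${outcome.code}${ctx}` };
+ }
+ if (stderrFirstLine) {
+ return { kind: 'unavailable', reason: `no output (stderr: ${stderrFirstLine})` };
+ }
  return { kind: 'unavailable', reason: 'no output' };
+ }
  let data;
  try {
  data = JSON.parse(reportRaw);
@@ -103,11 +214,23 @@ function gatherJscpdResult(cwd) {
  * Capability-shaped provider. Registered in
  * `src/languages/capabilities/global.ts:GLOBAL_CAPABILITIES.duplication`.
  */
+ // Implements the optional `gatherOutcome` channel the dispatcher reads
+ // to populate `DispatchOutcome.skipReasons`. Without it, a failed jscpd
+ // run collapses to `null` at the gather boundary and the actual failure
+ // reason ("not installed" / "timed out at 600s" / "exit code 137" /
+ // "no output" / "parse error") is dropped — `availabilityFromOutcome`
+ // in health.ts then synthesizes generic prose that conflates
+ // install-missing with attempted-but-failed. Exposing the real outcome
+ // here lets the report show why jscpd didn't contribute, in jscpd's
+ // own words.
  exports.jscpdProvider = {
  source: 'jscpd',
  async gather(cwd) {
- const outcome = gatherJscpdResult(cwd);
+ const outcome = await gatherJscpdResult(cwd);
  return outcome.kind === 'success' ? outcome.envelope : null;
  },
+ async gatherOutcome(cwd) {
+ return gatherJscpdResult(cwd);
+ },
  };
  //# sourceMappingURL=jscpd.js.map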
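Review bot: The unchanged `reportDir` line in `gatherJscpdResult` still builds `/tmp/dxkit-jscpd-${Date.now()}`, a guessable name in a world-writable directory, and the added code now reads `jscpd-report.json` from it with `fs.readFileSync` and recursively deletes it with `fs.rmSync`. Because the path can exist before the run, the gather may end up parsing a report it did not produce or writing into a location another local user controls, and two runs started in the same millisecond would share and delete each other's output. Creating the directory atomically with owner-only permissions avoids this: `const reportDir = fs.mkdtempSync(path.join(os.tmpdir(), 'dxkit-jscpd-'));`, which needs an `os` import beside the new `fs` and `path` ones and belongs in `src/analyzers/tools/jscpd.ts`, since this file is compiled output. Separately, the first stderr line is copied verbatim into `reason`, so it is worth confirming that it cannot carry local paths or secrets if reports leave the machine. The tail of `gatherJscpdResult` (parse and envelope construction) lies between the hunks and is not shown.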
@@ -1 +1 @@
1
- {"version":3,"file":"jscpd.js","sourceRoot":"","sources":["../../../src/analyzers/tools/jscpd.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;AAoFH,8CAsCC;AAxHD,+CAA4C;AAG5C,qCAA+B;AAC/B,mDAAsD;AA8BtD;;;;;;;;;;;GAWG;AACH,SAAS,iBAAiB;IACxB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,qBAAS,EAAE,CAAC;QAC7B,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;AAChD,CAAC;AAED,0DAA0D;AAC1D,SAAS,aAAa,CAAC,UAA+B,EAAE,KAAK,GAAG,EAAE;IAChE,OAAO,UAAU;SACd,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,EAAE,IAAI,IAAI,CAAC,CAAC,UAAU,EAAE,IAAI,IAAI,CAAC,CAAC,KAAK,CAAC;SACjE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACX,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC;QACnB,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,CAAC;QACrB,CAAC,EAAE;YACD,IAAI,EAAE,CAAC,CAAC,SAAU,CAAC,IAAK;YACxB,SAAS,EAAE,CAAC,CAAC,SAAU,CAAC,KAAK,IAAI,CAAC;YAClC,OAAO,EAAE,CAAC,CAAC,SAAU,CAAC,GAAG,IAAI,CAAC;SAC/B;QACD,CAAC,EAAE;YACD,IAAI,EAAE,CAAC,CAAC,UAAW,CAAC,IAAK;YACzB,SAAS,EAAE,CAAC,CAAC,UAAW,CAAC,KAAK,IAAI,CAAC;YACnC,OAAO,EAAE,CAAC,CAAC,UAAW,CAAC,GAAG,IAAI,CAAC;SAChC;KACF,CAAC,CAAC;SACF,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;SACjC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;AACrB,CAAC;AAED;;;GAGG;AACH,SAAgB,iBAAiB,CAAC,GAAW;IAC3C,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,yBAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC9C,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,IAAI;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAE/F,MAAM,SAAS,GAAG,oBAAoB,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;IACnD,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;IACpC,IAAA,YAAG,EACD,GAAG,MAAM,CAAC,IAAI,+BAA+B,SAAS,4BAA4B,OAAO,oCAAoC,GAAG,oBAAoB,EACpJ,GAAG,EACH,MAAM,CACP,CAAC;IAEF,MAAM,SAAS,GAAG,IAAA,YAAG,EAAC,QAAQ,SAAS,iCAAiC,EAAE,GAAG,CAAC,CAAC;IAC/E,IAAA,YAAG,EAAC,WAAW,SAAS,GAAG,EAAE,GAAG,CAAC,CAAC;IAElC,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,
MAAM,EAAE,WAAW,EAAE,CAAC;IAEpE,IAAI,IAAiB,CAAC;IACtB,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAgB,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;IACxD,CAAC;IAED,MAAM,CAAC,GAAG,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC;IACjC,IAAI,CAAC,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAEjE,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC;IACzC,MAAM,QAAQ,GAAsB;QAClC,aAAa,EAAE,CAAC;QAChB,IAAI,EAAE,OAAO;QACb,UAAU,EAAE,CAAC,CAAC,KAAK;QACnB,eAAe,EAAE,CAAC,CAAC,eAAe;QAClC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,GAAG,GAAG,CAAC,GAAG,GAAG;QAChD,UAAU,EAAE,UAAU,CAAC,MAAM;QAC7B,SAAS,EAAE,aAAa,CAAC,UAAU,CAAC;KACrC,CAAC;IACF,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AACvC,CAAC;AAED;;;GAGG;AACU,QAAA,aAAa,GAA0C;IAClE,MAAM,EAAE,OAAO;IACf,KAAK,CAAC,MAAM,CAAC,GAAG;QACd,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACvC,OAAO,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9D,CAAC;CACF,CAAC"}
1
+ {"version":3,"file":"jscpd.js","sourceRoot":"","sources":["../../../src/analyzers/tools/jscpd.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+FH,8CAqGC;AAlMD,uCAAyB;AACzB,2CAA6B;AAC7B,+CAAsE;AAGtE,6CAAsD;AACtD,qCAAuC;AACvC,mDAAsD;AA8BtD;;;;;;;;;;;GAWG;AACH,SAAS,iBAAiB;IACxB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,qBAAS,EAAE,CAAC;QAC7B,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;AAChD,CAAC;AAED,0DAA0D;AAC1D,SAAS,aAAa,CAAC,UAA+B,EAAE,KAAK,GAAG,EAAE;IAChE,OAAO,UAAU;SACd,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,EAAE,IAAI,IAAI,CAAC,CAAC,UAAU,EAAE,IAAI,IAAI,CAAC,CAAC,KAAK,CAAC;SACjE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACX,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC;QACnB,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,CAAC;QACrB,CAAC,EAAE;YACD,IAAI,EAAE,CAAC,CAAC,SAAU,CAAC,IAAK;YACxB,SAAS,EAAE,CAAC,CAAC,SAAU,CAAC,KAAK,IAAI,CAAC;YAClC,OAAO,EAAE,CAAC,CAAC,SAAU,CAAC,GAAG,IAAI,CAAC;SAC/B;QACD,CAAC,EAAE;YACD,IAAI,EAAE,CAAC,CAAC,UAAW,CAAC,IAAK;YACzB,SAAS,EAAE,CAAC,CAAC,UAAW,CAAC,KAAK,IAAI,CAAC;YACnC,OAAO,EAAE,CAAC,CAAC,UAAW,CAAC,GAAG,IAAI,CAAC;SAChC;KACF,CAAC,CAAC;SACF,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;SACjC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;AACrB,CAAC;AAED;;;;;;;;;;;GAWG;AACI,KAAK,UAAU,iBAAiB,CAAC,GAAW;IACjD,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,yBAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC9C,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,IAAI;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAE/F,MAAM,SAAS,GAAG,oBAAoB,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;IACnD,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;IACpC,4CAA4C;IAC5C,EAAE;IACF,sEAAsE;IACtE,iEAAiE;IACjE,+DAA+D;IAC/D,iEAAiE;IACjE,sEAAsE;IACtE,8DAA8D;IAC9D,+DAA+D;IAC/D,gEAAgE;IAChE,mEAAmE;IACnE,uDAAuD;IACvD,EAAE;IACF,4DAA4D;IAC5D,6DAA6D;IAC7D,+DAA+D;IAC/D,gEAAgE;
IAChE,gEAAgE;IAChE,mEAAmE;IACnE,6CAA6C;IAC7C,EAAE;IACF,oEAAoE;IACpE,MAAM,eAAe,GAAG,IAAA,mCAAsB,EAAC,GAAG,CAAC,CAAC;IACpD,MAAM,aAAa,GAAG,IAAA,oCAAwB,GAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACvE,MAAM,cAAc,GAAG,CAAC,GAAG,eAAe,EAAE,GAAG,aAAa,CAAC,CAAC;IAC9D,MAAM,IAAI,GAAG,CAAC,aAAa,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;IACjG,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAClD,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,GAAG,EAAE,cAAc,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;IAEzD,MAAM,OAAO,GAAG,MAAM,IAAA,oBAAW,EAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;IAEjF,qDAAqD;IACrD,qEAAqE;IACrE,kEAAkE;IAClE,qEAAqE;IACrE,8DAA8D;IAC9D,4DAA4D;IAC5D,kDAAkD;IAClD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,mBAAmB,CAAC,CAAC;IAC7D,IAAI,SAAiB,CAAC;IACtB,IAAI,CAAC;QACH,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACnD,CAAC;IAAC,MAAM,CAAC;QACP,SAAS,GAAG,EAAE,CAAC;IACjB,CAAC;IACD,IAAI,CAAC;QACH,EAAE,CAAC,MAAM,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,8CAA8C;IAChD,CAAC;IAED,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,OAAO;gBACL,IAAI,EAAE,aAAa;gBACnB,MAAM,EAAE,gEAAgE;aACzE,CAAC;QACJ,CAAC;QACD,MAAM,eAAe,GAAG,OAAO,CAAC,MAAM;aACnC,KAAK,CAAC,IAAI,CAAC;aACX,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAC7B,IAAI,OAAO,CAAC,IAAI,KAAK,CAAC,IAAI,OAAO,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;YAChD,MAAM,GAAG,GAAG,eAAe,CAAC,CAAC,CAAC,aAAa,eAAe,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YACnE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,aAAa,OAAO,CAAC,IAAI,GAAG,GAAG,EAAE,EAAE,CAAC;QAC5E,CAAC;QACD,IAAI,eAAe,EAAE,CAAC;YACpB,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,sBAAsB,eAAe,GAAG,EAAE,CAAC;QACnF,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IACtD,CAAC;IAED,IAAI,IAAiB,CAAC;IACtB,IAAI,CA
AC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAgB,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;IACxD,CAAC;IAED,MAAM,CAAC,GAAG,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC;IACjC,IAAI,CAAC,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAEjE,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC;IACzC,MAAM,QAAQ,GAAsB;QAClC,aAAa,EAAE,CAAC;QAChB,IAAI,EAAE,OAAO;QACb,UAAU,EAAE,CAAC,CAAC,KAAK;QACnB,eAAe,EAAE,CAAC,CAAC,eAAe;QAClC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,GAAG,GAAG,CAAC,GAAG,GAAG;QAChD,UAAU,EAAE,UAAU,CAAC,MAAM;QAC7B,SAAS,EAAE,aAAa,CAAC,UAAU,CAAC;KACrC,CAAC;IACF,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AACvC,CAAC;AAED;;;GAGG;AACH,uEAAuE;AACvE,wEAAwE;AACxE,wEAAwE;AACxE,oEAAoE;AACpE,sEAAsE;AACtE,6DAA6D;AAC7D,uEAAuE;AACvE,oEAAoE;AACpE,aAAa;AACA,QAAA,aAAa,GAEtB;IACF,MAAM,EAAE,OAAO;IACf,KAAK,CAAC,MAAM,CAAC,GAAG;QACd,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,GAAG,CAAC,CAAC;QAC7C,OAAO,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9D,CAAC;IACD,KAAK,CAAC,aAAa,CAAC,GAAG;QACrB,OAAO,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;CACF,CAAC"}
@@ -0,0 +1,9 @@
1
+ /**
2
+ * True when the file at `absPath` looks like minified / bundled
3
+ * output by the bytes-per-line heuristic. Returns false on read
4
+ * errors or for files whose extension isn't in
5
+ * `MINIFIABLE_EXTENSIONS` — over-include is preferable to silently
6
+ * dropping legit source.
7
+ */
8
+ export declare function isLikelyMinified(absPath: string): boolean;
9
+ //# sourceMappingURL=minified-detection.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"minified-detection.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/minified-detection.ts"],"names":[],"mappings":"AAqEA;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAgCzD"}
@@ -0,0 +1,147 @@
1
+ "use strict";
2
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
3
+ if (k2 === undefined) k2 = k;
4
+ var desc = Object.getOwnPropertyDescriptor(m, k);
5
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
6
+ desc = { enumerable: true, get: function() { return m[k]; } };
7
+ }
8
+ Object.defineProperty(o, k2, desc);
9
+ }) : (function(o, m, k, k2) {
10
+ if (k2 === undefined) k2 = k;
11
+ o[k2] = m[k];
12
+ }));
13
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
14
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
15
+ }) : function(o, v) {
16
+ o["default"] = v;
17
+ });
18
+ var __importStar = (this && this.__importStar) || (function () {
19
+ var ownKeys = function(o) {
20
+ ownKeys = Object.getOwnPropertyNames || function (o) {
21
+ var ar = [];
22
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
23
+ return ar;
24
+ };
25
+ return ownKeys(o);
26
+ };
27
+ return function (mod) {
28
+ if (mod && mod.__esModule) return mod;
29
+ var result = {};
30
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
31
+ __setModuleDefault(result, mod);
32
+ return result;
33
+ };
34
+ })();
35
+ Object.defineProperty(exports, "__esModule", { value: true });
36
+ exports.isLikelyMinified = isLikelyMinified;
37
+ /**
38
+ * Minified / bundled source-file detection.
39
+ *
40
+ * Complements the autogen-header probe by catching another class of
41
+ * machine-emitted files that frequently land in customer
42
+ * `src/` / `public/` trees: minified or bundled JavaScript / CSS.
43
+ * These files are technically "source" by extension but carry no
44
+ * engineering signal — they're build output (webpack / vite /
45
+ * esbuild hash-suffixed chunks), CDN-downloaded libraries dropped
46
+ * into `public/`, or pre-minified vendored editors. When they slip
47
+ * past the standard exclusions they distort:
48
+ *
49
+ * • `largestFileLines` + `largestFilePath` ("Largest file: 18K
50
+ * lines" points at a webpack chunk, not a human-authored file)
51
+ * • `filesOver500Lines` (every minified JS file is one line at
52
+ * thousands of chars, so doesn't inflate this; but the BUNDLE
53
+ * CHUNKS that span multiple lines do)
54
+ * • `densestFile` from graphify (4,000+ functions in a single
55
+ * minified file)
56
+ * • Top Files by Size (the table reads as "split these" but the
57
+ * files are all autogen artifacts)
58
+ *
59
+ * Detection heuristic: read the first ~4KB, count newlines, compare
60
+ * to byte length. If average bytes-per-line crosses a threshold the
61
+ * file is almost certainly minified or a hash-suffixed bundle chunk.
62
+ * Threshold picked at 500 bytes/line — well above typical
63
+ * hand-written source (~80–120 cols, ~100 bytes/line including
64
+ * indentation) and well below typical minified output (often
65
+ * 5,000–50,000 bytes per "line" in single-line minified files, or
66
+ * 200–800 bytes/line in webpack bundles with semicolon-split
67
+ * chunks).
68
+ *
69
+ * Scope: applied to `.js`, `.jsx`, `.mjs`, `.cjs`, `.css`, `.scss`,
70
+ * `.sass`, `.less`. NOT applied to `.ts` / `.tsx` because TS source
71
+ * is rarely minified in-place (the minified output lands in a
72
+ * separate `dist/` directory which is already excluded by the
73
+ * standard ignore list); checking every .ts file would burn I/O
74
+ * for no benefit.
75
+ *
76
+ * Repo-specific autogen that doesn't match this heuristic (e.g.
77
+ * vendor-tool–emitted classes with hand-typeable filenames + no
78
+ * autogen header) is best handled via `.dxkit-ignore` — a per-repo
79
+ * customization the customer maintains.
80
+ */
81
+ const fs = __importStar(require("fs"));
82
+ const path = __importStar(require("path"));
83
+ /** Extensions where minified content is plausibly present in the source tree. */
84
+ const MINIFIABLE_EXTENSIONS = new Set([
85
+ '.js',
86
+ '.jsx',
87
+ '.mjs',
88
+ '.cjs',
89
+ '.css',
90
+ '.scss',
91
+ '.sass',
92
+ '.less',
93
+ ]);
94
+ /** Bytes-per-line floor above which the file is almost certainly
95
+ * minified / bundled. Calibrated to admit hand-written code at any
96
+ * reasonable line length while rejecting any minifier output. */
97
+ const MIN_BYTES_PER_LINE_FOR_MINIFIED = 500;
98
+ /** Sample size — large enough to get reliable line statistics on
99
+ * even the shortest minified chunk, small enough to keep the I/O
100
+ * cost negligible vs. the existing autogen-header probe. */
101
+ const SAMPLE_BYTES = 4096;
102
+ /**
103
+ * True when the file at `absPath` looks like minified / bundled
104
+ * output by the bytes-per-line heuristic. Returns false on read
105
+ * errors or for files whose extension isn't in
106
+ * `MINIFIABLE_EXTENSIONS` — over-include is preferable to silently
107
+ * dropping legit source.
108
+ */
109
+ function isLikelyMinified(absPath) {
110
+ const ext = path.extname(absPath).toLowerCase();
111
+ if (!MINIFIABLE_EXTENSIONS.has(ext))
112
+ return false;
113
+ let fd = null;
114
+ try {
115
+ fd = fs.openSync(absPath, 'r');
116
+ const buf = Buffer.alloc(SAMPLE_BYTES);
117
+ const n = fs.readSync(fd, buf, 0, SAMPLE_BYTES, 0);
118
+ if (n === 0)
119
+ return false;
120
+ // Count newlines in the sample. A single-line file with N bytes
121
+ // and zero newlines reports bytesPerLine = N (way above the
122
+ // floor). A normal source file with N bytes and N/100 newlines
123
+ // reports ~100 bytes/line.
124
+ let newlines = 0;
125
+ for (let i = 0; i < n; i++) {
126
+ if (buf[i] === 0x0a)
127
+ newlines++;
128
+ }
129
+ const linesInSample = Math.max(1, newlines);
130
+ const bytesPerLine = n / linesInSample;
131
+ return bytesPerLine >= MIN_BYTES_PER_LINE_FOR_MINIFIED;
132
+ }
133
+ catch {
134
+ return false;
135
+ }
136
+ finally {
137
+ if (fd !== null) {
138
+ try {
139
+ fs.closeSync(fd);
140
+ }
141
+ catch {
142
+ /* ignore */
143
+ }
144
+ }
145
+ }
146
+ }
147
+ //# sourceMappingURL=minified-detection.js.map
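Review bot: `isLikelyMinified` passes `absPath` straight to `fs.openSync(absPath, 'r')` without checking that it names a regular file, so when the analyzer walks a repository it does not control, a FIFO with a `.js` name can block the synchronous open and a symlink is followed to whatever it points at. Whether the caller already filters to regular files is not visible in this hunk; if it does not, add `const st = fs.lstatSync(absPath); if (!st.isFile()) return false;` inside the `try`, before the open. Separately, the header comment puts webpack bundles at 200–800 bytes/line while the floor is 500, and a multi-line licence banner in the first 4 KB pulls the average down. The doc comment on `MIN_BYTES_PER_LINE_FOR_MINIFIED` should therefore say that such files are deliberately let through, instead of "rejecting any minifier output".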
@@ -0,0 +1 @@
1
+ {"version":3,"file":"minified-detection.js","sourceRoot":"","sources":["../../../src/analyzers/tools/minified-detection.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4EA,4CAgCC;AA5GD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AACH,uCAAyB;AACzB,2CAA6B;AAE7B,iFAAiF;AACjF,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,KAAK;IACL,MAAM;IACN,MAAM;IACN,MAAM;IACN,MAAM;IACN,OAAO;IACP,OAAO;IACP,OAAO;CACR,CAAC,CAAC;AAEH;;kEAEkE;AAClE,MAAM,+BAA+B,GAAG,GAAG,CAAC;AAE5C;;6DAE6D;AAC7D,MAAM,YAAY,GAAG,IAAI,CAAC;AAE1B;;;;;;GAMG;AACH,SAAgB,gBAAgB,CAAC,OAAe;IAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;IAChD,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAElD,IAAI,EAAE,GAAkB,IAAI,CAAC;IAC7B,IAAI,CAAC;QACH,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAC/B,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QACvC,MAAM,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC;QACnD,IAAI,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAC1B,gEAAgE;QAChE,4DAA4D;QAC5D,+DAA+D;QAC/D,2BAA2B;QAC3B,IAAI,QAAQ,GAAG,CAAC,CAAC;QACjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC3B,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI;gBAAE,QAAQ,EAAE,CAAC;QAClC,CAAC;QACD,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;QAC5C,MAAM,YAAY,GAAG,CAAC,GAAG,aAAa,CAAC;QACvC,OAAO,YAAY,IAAI,+BAA+B,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;YAAS,CAAC;QACT,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YAChB,IAAI,CAAC;gBACH,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YACnB,CAAC;YAAC,MAAM,CAAC;gBACP,YAAY;YACd,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC"}
@@ -0,0 +1,131 @@
1
+ /**
2
+ * Direct `<PackageReference>` parser — D025f (2.4.7).
3
+ *
4
+ * Extracts NuGet PackageReference entries from `.csproj` XML text
5
+ * without invoking `dotnet restore` or any other .NET toolchain. The
6
+ * output feeds an ad-hoc `packages.lock.json`-shaped file that
7
+ * osv-scanner ingests via `--lockfile=<path>` (the file MUST be
8
+ * literally named `packages.lock.json` — osv-scanner v2.x detects the
9
+ * NuGet ecosystem by filename, not by a prefix). This closes the D036
10
+ * customer-outcome gap on dpl-studio (where `dotnet list package`
11
+ * couldn't run from a multi-project parent directory).
12
+ *
13
+ * Lives under `src/analyzers/tools/` (alongside `osv-scanner-deps.ts`,
14
+ * `jacoco.ts`, `npm-registry.ts`, `cvss-v4.ts`) — CLAUDE.md rule #6
15
+ * keeps each language pack as a single file; ecosystem-specific tool
16
+ * helpers consumed by one or more packs go in `analyzers/tools/`.
17
+ * csharp.ts imports this module the same way it already imports
18
+ * `osv` and `osv-scanner-deps`.
19
+ *
20
+ * Architectural rationale:
21
+ *
22
+ * D025c (Sprint A) routed the gather through `findTool(TOOL_DEFS
23
+ * ['dotnet-format'])` so users with `~/.dotnet/dotnet` (the
24
+ * Microsoft-recommended non-sudo install) got dotnet discovered.
25
+ * That fix was necessary but not sufficient: `dotnet list package
26
+ * --vulnerable` still requires an explicit `.csproj`/`.sln` in cwd,
27
+ * and dpl-studio's `Code/Source/Dev/Core/<Module>/<Module>.csproj`
28
+ * layout puts the project files 3 levels deeper than the natural
29
+ * `dxkit vulnerabilities Code/Source/` cwd.
30
+ *
31
+ * D025f sidesteps the dotnet CLI entirely. We walk every `.csproj`
32
+ * reachable from cwd (depth 5, matching csharp.detect()), parse
33
+ * each, and feed the union to osv-scanner via a synthetic lockfile.
34
+ * Cross-platform — `net9.0-windows` targets that won't restore on
35
+ * Linux/Mac still get scanned.
36
+ *
37
+ * Trade-off: this catches DIRECT PackageReferences only. Transitive
38
+ * deps (resolved by NuGet's dep graph from each direct ref's own
39
+ * dependencies) are NOT visible without a populated
40
+ * `project.assets.json`. Industry studies put ~80% of typical
41
+ * .NET CVE surface on direct refs; the remaining ~20% (transitives)
42
+ * land cleanly when `dotnet restore` is available and the
43
+ * dotnet-path-resolved D025c codepath runs.
44
+ *
45
+ * Shared with D031: the licenses degraded-inventory fallback uses the
46
+ * same parser to produce a "133 packages identified; license info
47
+ * unavailable" rendering when `nuget-license` isn't installed.
48
+ *
49
+ * Pure function. No I/O. Tested via a fixture suite of representative
50
+ * .csproj shapes (attribute-form, element-form, Central Package
51
+ * Management, conditional `<ItemGroup>` blocks).
52
+ */
53
+ /**
54
+ * Per-package entry extracted from a `.csproj`. Both fields are
55
+ * post-trimmed; `version` is the raw NuGet version string (which may
56
+ * be a single version `"9.0.1"` or a range `"[9.0.1, 10.0.0)"` —
57
+ * osv-scanner accepts both forms in the lockfile's `resolved` field).
58
+ */
59
+ export interface PackageReferenceEntry {
60
+ name: string;
61
+ version: string;
62
+ }
63
+ /**
64
+ * Match shapes (in priority order):
65
+ *
66
+ * 1. `<PackageReference Include="Foo" Version="1.0.0" />` — most
67
+ * common; attributes can appear in any order (also matched
68
+ * `Version="1.0.0" Include="Foo"`).
69
+ * 2. `<PackageReference Include="Foo"><Version>1.0.0</Version>
70
+ * </PackageReference>` — element-form, equivalent semantics;
71
+ * common in repos that prefer multiline configs or use child
72
+ * elements for `<PrivateAssets>`/`<IncludeAssets>` siblings.
73
+ * 3. `<PackageReference Include="Foo" />` WITHOUT Version — Central
74
+ * Package Management (CPM): the version comes from a separate
75
+ * `Directory.Packages.props` file. Skipped here; the CPM-aware
76
+ * pass (a future enhancement) would resolve them.
77
+ *
78
+ * Skipped shapes:
79
+ *
80
+ * - `<PackageReference Update="Foo" Version="..." />` — CPM
81
+ * override syntax for transitive pins; NOT a direct reference.
82
+ * - `<GlobalPackageReference ... />` — CPM-only; pins all projects.
83
+ * Not a direct reference of this csproj.
84
+ * - Comments / CDATA — best-effort; the regex is generous and
85
+ * can theoretically match `<!-- <PackageReference ... -->`
86
+ * comments; users with literal PackageReference strings inside
87
+ * comments would get false positives. Acceptable: pathological
88
+ * case, and osv-scanner won't surface advisories for non-real
89
+ * packages, so the worst case is a wasted scan entry.
90
+ */
91
+ export declare function parseCsprojPackageReferences(xml: string): PackageReferenceEntry[];
92
+ /**
93
+ * Generate the body of an ad-hoc `packages.lock.json` that osv-scanner
94
+ * v2.x reads via `--lockfile=<path>` (caller MUST write this content to
95
+ * a file literally named `packages.lock.json` — osv-scanner detects
96
+ * ecosystem by filename). The schema matches NuGet's native
97
+ * `dotnet restore`-produced lockfile (which osv-scanner already
98
+ * supports natively), simplified to the minimum osv-scanner consults
99
+ * for vulnerability matching:
100
+ *
101
+ * {
102
+ * "version": 1,
103
+ * "dependencies": {
104
+ * "net0.0": {
105
+ * "<Pkg>": {
106
+ * "type": "Direct",
107
+ * "resolved": "<Version>",
108
+ * "requested": "[<Version>, )"
109
+ * }
110
+ * }
111
+ * }
112
+ * }
113
+ *
114
+ * - `"version": 1` matches `dotnet restore`'s lockfile schema version.
115
+ * - `"net0.0"` is a placeholder framework moniker — osv-scanner reads
116
+ * the package map without validating the framework key, so any
117
+ * non-empty string works. We use a non-real moniker so it can't be
118
+ * confused with a real target framework in downstream debugging.
119
+ * - `type: "Direct"` truthfully reflects that we ONLY parsed direct
120
+ * references. Transitive vulns are out of scope for this path
121
+ * (covered by D025c's `dotnet list` codepath when available).
122
+ * - `requested` is a NuGet version range; we use a single-anchored
123
+ * `[V, )` form so the lockfile is valid even though the real
124
+ * `.csproj` might have been a pinned single version.
125
+ *
126
+ * Returns a JSON-stringified string suitable for writing to a temp
127
+ * file. Callers should clean up the temp file after osv-scanner
128
+ * consumes it.
129
+ */
130
+ export declare function buildNugetAdhocLockfile(entries: ReadonlyArray<PackageReferenceEntry>): string;
131
+ //# sourceMappingURL=nuget-package-reference.d.ts.map
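Review bot: The doc comment on `parseCsprojPackageReferences` says versionless (Central Package Management) references are skipped, but the return type `PackageReferenceEntry[]` gives the caller no way to tell "no dependencies" from "dependencies present but unresolved". A CPM repository can therefore yield an empty synthetic lockfile and a clean-looking osv-scanner result. I would add to the doc comment: `Versionless references are omitted; an empty result does not mean the project has no packages, so callers must not report it as a clean scan.` The comment-matching caveat also understates the effect: a commented-out reference to a real package at a vulnerable version would produce an advisory for a dependency the project no longer uses, so "wasted scan entry" should be described as a possible false positive. The implementation is not part of this hunk, so both points concern the documented contract only.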
@@ -0,0 +1 @@
1
+ {"version":3,"file":"nuget-package-reference.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/nuget-package-reference.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmDG;AAEH;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,4BAA4B,CAAC,GAAG,EAAE,MAAM,GAAG,qBAAqB,EAAE,CA6BjF;AAiBD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,aAAa,CAAC,qBAAqB,CAAC,GAAG,MAAM,CAiB7F"}