@vyuhlabs/dxkit 2.4.6 → 2.4.7
- package/CHANGELOG.md +885 -0
- package/README.md +131 -26
- package/dist/analysis-result.d.ts +112 -0
- package/dist/analysis-result.d.ts.map +1 -0
- package/dist/analysis-result.js +52 -0
- package/dist/analysis-result.js.map +1 -0
- package/dist/analyzers/bom/detailed.d.ts.map +1 -1
- package/dist/analyzers/bom/detailed.js +19 -0
- package/dist/analyzers/bom/detailed.js.map +1 -1
- package/dist/analyzers/bom/gather.d.ts +27 -26
- package/dist/analyzers/bom/gather.d.ts.map +1 -1
- package/dist/analyzers/bom/gather.js +26 -87
- package/dist/analyzers/bom/gather.js.map +1 -1
- package/dist/analyzers/bom/index.d.ts +0 -7
- package/dist/analyzers/bom/index.d.ts.map +1 -1
- package/dist/analyzers/bom/index.js +98 -48
- package/dist/analyzers/bom/index.js.map +1 -1
- package/dist/analyzers/bom/types.d.ts +11 -13
- package/dist/analyzers/bom/types.d.ts.map +1 -1
- package/dist/analyzers/cache.d.ts +95 -0
- package/dist/analyzers/cache.d.ts.map +1 -0
- package/dist/analyzers/cache.js +309 -0
- package/dist/analyzers/cache.js.map +1 -0
- package/dist/analyzers/coverage-runner.d.ts +56 -0
- package/dist/analyzers/coverage-runner.d.ts.map +1 -0
- package/dist/analyzers/coverage-runner.js +72 -0
- package/dist/analyzers/coverage-runner.js.map +1 -0
- package/dist/analyzers/dashboard/index.d.ts +24 -0
- package/dist/analyzers/dashboard/index.d.ts.map +1 -0
- package/dist/analyzers/dashboard/index.js +666 -0
- package/dist/analyzers/dashboard/index.js.map +1 -0
- package/dist/analyzers/developer/gather.d.ts.map +1 -1
- package/dist/analyzers/developer/gather.js +205 -37
- package/dist/analyzers/developer/gather.js.map +1 -1
- package/dist/analyzers/developer/index.d.ts +1 -1
- package/dist/analyzers/developer/index.d.ts.map +1 -1
- package/dist/analyzers/developer/index.js +19 -8
- package/dist/analyzers/developer/index.js.map +1 -1
- package/dist/analyzers/dispatcher.d.ts +37 -0
- package/dist/analyzers/dispatcher.d.ts.map +1 -1
- package/dist/analyzers/dispatcher.js +56 -9
- package/dist/analyzers/dispatcher.js.map +1 -1
- package/dist/analyzers/docs/shallow.d.ts +17 -5
- package/dist/analyzers/docs/shallow.d.ts.map +1 -1
- package/dist/analyzers/docs/shallow.js +65 -2
- package/dist/analyzers/docs/shallow.js.map +1 -1
- package/dist/analyzers/dx/shallow.d.ts +17 -5
- package/dist/analyzers/dx/shallow.d.ts.map +1 -1
- package/dist/analyzers/dx/shallow.js +66 -2
- package/dist/analyzers/dx/shallow.js.map +1 -1
- package/dist/analyzers/health/actions.d.ts +1 -1
- package/dist/analyzers/health/actions.d.ts.map +1 -1
- package/dist/analyzers/health/actions.js +27 -9
- package/dist/analyzers/health/actions.js.map +1 -1
- package/dist/analyzers/health/detailed.d.ts +2 -1
- package/dist/analyzers/health/detailed.d.ts.map +1 -1
- package/dist/analyzers/health/detailed.js +11 -7
- package/dist/analyzers/health/detailed.js.map +1 -1
- package/dist/analyzers/health.d.ts +27 -0
- package/dist/analyzers/health.d.ts.map +1 -1
- package/dist/analyzers/health.js +271 -33
- package/dist/analyzers/health.js.map +1 -1
- package/dist/analyzers/licenses/gather.d.ts +35 -8
- package/dist/analyzers/licenses/gather.d.ts.map +1 -1
- package/dist/analyzers/licenses/gather.js +70 -13
- package/dist/analyzers/licenses/gather.js.map +1 -1
- package/dist/analyzers/licenses/index.d.ts +1 -1
- package/dist/analyzers/licenses/index.d.ts.map +1 -1
- package/dist/analyzers/licenses/index.js +52 -11
- package/dist/analyzers/licenses/index.js.map +1 -1
- package/dist/analyzers/licenses/types.d.ts +15 -0
- package/dist/analyzers/licenses/types.d.ts.map +1 -1
- package/dist/analyzers/maintainability/shallow.d.ts +17 -5
- package/dist/analyzers/maintainability/shallow.d.ts.map +1 -1
- package/dist/analyzers/maintainability/shallow.js +80 -2
- package/dist/analyzers/maintainability/shallow.js.map +1 -1
- package/dist/analyzers/quality/detailed.d.ts.map +1 -1
- package/dist/analyzers/quality/detailed.js +4 -6
- package/dist/analyzers/quality/detailed.js.map +1 -1
- package/dist/analyzers/quality/gather.d.ts +1 -14
- package/dist/analyzers/quality/gather.d.ts.map +1 -1
- package/dist/analyzers/quality/gather.js +48 -137
- package/dist/analyzers/quality/gather.js.map +1 -1
- package/dist/analyzers/quality/index.d.ts +9 -2
- package/dist/analyzers/quality/index.d.ts.map +1 -1
- package/dist/analyzers/quality/index.js +189 -117
- package/dist/analyzers/quality/index.js.map +1 -1
- package/dist/analyzers/quality/shallow.d.ts +50 -5
- package/dist/analyzers/quality/shallow.d.ts.map +1 -1
- package/dist/analyzers/quality/shallow.js +155 -2
- package/dist/analyzers/quality/shallow.js.map +1 -1
- package/dist/analyzers/quality/types.d.ts +14 -0
- package/dist/analyzers/quality/types.d.ts.map +1 -1
- package/dist/analyzers/security/actions.d.ts +11 -4
- package/dist/analyzers/security/actions.d.ts.map +1 -1
- package/dist/analyzers/security/actions.js +87 -37
- package/dist/analyzers/security/actions.js.map +1 -1
- package/dist/analyzers/security/aggregator.d.ts +236 -0
- package/dist/analyzers/security/aggregator.d.ts.map +1 -0
- package/dist/analyzers/security/aggregator.js +347 -0
- package/dist/analyzers/security/aggregator.js.map +1 -0
- package/dist/analyzers/security/detailed.d.ts +2 -2
- package/dist/analyzers/security/detailed.d.ts.map +1 -1
- package/dist/analyzers/security/detailed.js +10 -9
- package/dist/analyzers/security/detailed.js.map +1 -1
- package/dist/analyzers/security/gather.d.ts +103 -1
- package/dist/analyzers/security/gather.d.ts.map +1 -1
- package/dist/analyzers/security/gather.js +281 -9
- package/dist/analyzers/security/gather.js.map +1 -1
- package/dist/analyzers/security/index.d.ts +15 -0
- package/dist/analyzers/security/index.d.ts.map +1 -1
- package/dist/analyzers/security/index.js +463 -50
- package/dist/analyzers/security/index.js.map +1 -1
- package/dist/analyzers/security/shallow.d.ts +50 -6
- package/dist/analyzers/security/shallow.d.ts.map +1 -1
- package/dist/analyzers/security/shallow.js +154 -2
- package/dist/analyzers/security/shallow.js.map +1 -1
- package/dist/analyzers/security/types.d.ts +51 -0
- package/dist/analyzers/security/types.d.ts.map +1 -1
- package/dist/analyzers/tests/detailed.d.ts.map +1 -1
- package/dist/analyzers/tests/detailed.js +2 -3
- package/dist/analyzers/tests/detailed.js.map +1 -1
- package/dist/analyzers/tests/gather.d.ts +2 -1
- package/dist/analyzers/tests/gather.d.ts.map +1 -1
- package/dist/analyzers/tests/gather.js +98 -69
- package/dist/analyzers/tests/gather.js.map +1 -1
- package/dist/analyzers/tests/index.d.ts +11 -2
- package/dist/analyzers/tests/index.d.ts.map +1 -1
- package/dist/analyzers/tests/index.js +83 -18
- package/dist/analyzers/tests/index.js.map +1 -1
- package/dist/analyzers/tests/shallow.d.ts +19 -5
- package/dist/analyzers/tests/shallow.d.ts.map +1 -1
- package/dist/analyzers/tests/shallow.js +89 -2
- package/dist/analyzers/tests/shallow.js.map +1 -1
- package/dist/analyzers/tests/types.d.ts +41 -1
- package/dist/analyzers/tests/types.d.ts.map +1 -1
- package/dist/analyzers/tools/autogen-header.d.ts +8 -0
- package/dist/analyzers/tools/autogen-header.d.ts.map +1 -0
- package/dist/analyzers/tools/autogen-header.js +107 -0
- package/dist/analyzers/tools/autogen-header.js.map +1 -0
- package/dist/analyzers/tools/cloc.d.ts.map +1 -1
- package/dist/analyzers/tools/cloc.js +36 -5
- package/dist/analyzers/tools/cloc.js.map +1 -1
- package/dist/analyzers/tools/debug-statements.d.ts +17 -0
- package/dist/analyzers/tools/debug-statements.d.ts.map +1 -0
- package/dist/analyzers/tools/debug-statements.js +58 -0
- package/dist/analyzers/tools/debug-statements.js.map +1 -0
- package/dist/analyzers/tools/default-exclusions.gitignore +28 -0
- package/dist/analyzers/tools/exclusions.d.ts +33 -6
- package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
- package/dist/analyzers/tools/exclusions.js +95 -26
- package/dist/analyzers/tools/exclusions.js.map +1 -1
- package/dist/analyzers/tools/generic.d.ts +17 -2
- package/dist/analyzers/tools/generic.d.ts.map +1 -1
- package/dist/analyzers/tools/generic.js +206 -109
- package/dist/analyzers/tools/generic.js.map +1 -1
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
- package/dist/analyzers/tools/gitleaks.js +48 -1
- package/dist/analyzers/tools/gitleaks.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts +30 -2
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +131 -15
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/jscpd.d.ts +12 -2
- package/dist/analyzers/tools/jscpd.d.ts.map +1 -1
- package/dist/analyzers/tools/jscpd.js +129 -6
- package/dist/analyzers/tools/jscpd.js.map +1 -1
- package/dist/analyzers/tools/minified-detection.d.ts +9 -0
- package/dist/analyzers/tools/minified-detection.d.ts.map +1 -0
- package/dist/analyzers/tools/minified-detection.js +147 -0
- package/dist/analyzers/tools/minified-detection.js.map +1 -0
- package/dist/analyzers/tools/nuget-package-reference.d.ts +131 -0
- package/dist/analyzers/tools/nuget-package-reference.d.ts.map +1 -0
- package/dist/analyzers/tools/nuget-package-reference.js +175 -0
- package/dist/analyzers/tools/nuget-package-reference.js.map +1 -0
- package/dist/analyzers/tools/osv-scanner-deps.d.ts +3 -2
- package/dist/analyzers/tools/osv-scanner-deps.d.ts.map +1 -1
- package/dist/analyzers/tools/osv-scanner-deps.js +32 -14
- package/dist/analyzers/tools/osv-scanner-deps.js.map +1 -1
- package/dist/analyzers/tools/osv.d.ts +36 -0
- package/dist/analyzers/tools/osv.d.ts.map +1 -1
- package/dist/analyzers/tools/osv.js +26 -0
- package/dist/analyzers/tools/osv.js.map +1 -1
- package/dist/analyzers/tools/parallel.d.ts +1 -1
- package/dist/analyzers/tools/parallel.d.ts.map +1 -1
- package/dist/analyzers/tools/parallel.js +2 -2
- package/dist/analyzers/tools/parallel.js.map +1 -1
- package/dist/analyzers/tools/risk-score.d.ts +7 -0
- package/dist/analyzers/tools/risk-score.d.ts.map +1 -1
- package/dist/analyzers/tools/risk-score.js +9 -2
- package/dist/analyzers/tools/risk-score.js.map +1 -1
- package/dist/analyzers/tools/run-tests-helper.d.ts +43 -0
- package/dist/analyzers/tools/run-tests-helper.d.ts.map +1 -0
- package/dist/analyzers/tools/run-tests-helper.js +156 -0
- package/dist/analyzers/tools/run-tests-helper.js.map +1 -0
- package/dist/analyzers/tools/runner.d.ts.map +1 -1
- package/dist/analyzers/tools/runner.js +75 -12
- package/dist/analyzers/tools/runner.js.map +1 -1
- package/dist/analyzers/tools/semgrep.d.ts +39 -2
- package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
- package/dist/analyzers/tools/semgrep.js +131 -9
- package/dist/analyzers/tools/semgrep.js.map +1 -1
- package/dist/analyzers/tools/timing.d.ts +17 -3
- package/dist/analyzers/tools/timing.d.ts.map +1 -1
- package/dist/analyzers/tools/timing.js +36 -14
- package/dist/analyzers/tools/timing.js.map +1 -1
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +11 -1
- package/dist/analyzers/tools/tool-registry.js.map +1 -1
- package/dist/analyzers/tools/tools-unavailable-prose.d.ts +18 -0
- package/dist/analyzers/tools/tools-unavailable-prose.d.ts.map +1 -0
- package/dist/analyzers/tools/tools-unavailable-prose.js +69 -0
- package/dist/analyzers/tools/tools-unavailable-prose.js.map +1 -0
- package/dist/analyzers/tools/upgrade-plan-resolver.d.ts.map +1 -1
- package/dist/analyzers/tools/upgrade-plan-resolver.js +7 -0
- package/dist/analyzers/tools/upgrade-plan-resolver.js.map +1 -1
- package/dist/analyzers/tools/vendored-advisor.d.ts +43 -0
- package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -0
- package/dist/analyzers/tools/vendored-advisor.js +107 -0
- package/dist/analyzers/tools/vendored-advisor.js.map +1 -0
- package/dist/analyzers/tools/walk-paths.d.ts +78 -0
- package/dist/analyzers/tools/walk-paths.d.ts.map +1 -0
- package/dist/analyzers/tools/walk-paths.js +150 -0
- package/dist/analyzers/tools/walk-paths.js.map +1 -0
- package/dist/analyzers/tools/walk-source-files.d.ts +70 -0
- package/dist/analyzers/tools/walk-source-files.d.ts.map +1 -0
- package/dist/analyzers/tools/walk-source-files.js +369 -0
- package/dist/analyzers/tools/walk-source-files.js.map +1 -0
- package/dist/analyzers/types.d.ts +204 -4
- package/dist/analyzers/types.d.ts.map +1 -1
- package/dist/analyzers/xlsx/bom.d.ts.map +1 -1
- package/dist/analyzers/xlsx/bom.js +8 -1
- package/dist/analyzers/xlsx/bom.js.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +557 -189
- package/dist/cli.js.map +1 -1
- package/dist/detect.d.ts.map +1 -1
- package/dist/detect.js +24 -7
- package/dist/detect.js.map +1 -1
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +103 -53
- package/dist/doctor.js.map +1 -1
- package/dist/languages/capabilities/provider.d.ts +130 -1
- package/dist/languages/capabilities/provider.d.ts.map +1 -1
- package/dist/languages/capabilities/types.d.ts +68 -7
- package/dist/languages/capabilities/types.d.ts.map +1 -1
- package/dist/languages/csharp.d.ts +15 -1
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +624 -146
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +89 -11
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +131 -2
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +206 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +113 -26
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +132 -26
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +149 -44
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts +39 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +178 -44
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +103 -16
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +228 -5
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +201 -14
- package/dist/languages/typescript.js.map +1 -1
- package/dist/scoring/dimensions/documentation.d.ts +53 -0
- package/dist/scoring/dimensions/documentation.d.ts.map +1 -0
- package/dist/scoring/dimensions/documentation.js +106 -0
- package/dist/scoring/dimensions/documentation.js.map +1 -0
- package/dist/scoring/dimensions/dx.d.ts +53 -0
- package/dist/scoring/dimensions/dx.d.ts.map +1 -0
- package/dist/scoring/dimensions/dx.js +105 -0
- package/dist/scoring/dimensions/dx.js.map +1 -0
- package/dist/scoring/dimensions/maintainability.d.ts +53 -0
- package/dist/scoring/dimensions/maintainability.d.ts.map +1 -0
- package/dist/scoring/dimensions/maintainability.js +101 -0
- package/dist/scoring/dimensions/maintainability.js.map +1 -0
- package/dist/scoring/dimensions/quality.d.ts +108 -0
- package/dist/scoring/dimensions/quality.d.ts.map +1 -0
- package/dist/scoring/dimensions/quality.js +174 -0
- package/dist/scoring/dimensions/quality.js.map +1 -0
- package/dist/scoring/dimensions/security.d.ts +84 -0
- package/dist/scoring/dimensions/security.d.ts.map +1 -0
- package/dist/scoring/dimensions/security.js +135 -0
- package/dist/scoring/dimensions/security.js.map +1 -0
- package/dist/scoring/dimensions/testing.d.ts +56 -0
- package/dist/scoring/dimensions/testing.d.ts.map +1 -0
- package/dist/scoring/dimensions/testing.js +98 -0
- package/dist/scoring/dimensions/testing.js.map +1 -0
- package/dist/scoring/evaluator.d.ts +27 -0
- package/dist/scoring/evaluator.d.ts.map +1 -0
- package/dist/scoring/evaluator.js +124 -0
- package/dist/scoring/evaluator.js.map +1 -0
- package/dist/scoring/format.d.ts +34 -0
- package/dist/scoring/format.d.ts.map +1 -0
- package/dist/scoring/format.js +63 -0
- package/dist/scoring/format.js.map +1 -0
- package/dist/scoring/index.d.ts +37 -0
- package/dist/scoring/index.d.ts.map +1 -0
- package/dist/scoring/index.js +57 -0
- package/dist/scoring/index.js.map +1 -0
- package/dist/scoring/overall.d.ts +54 -0
- package/dist/scoring/overall.d.ts.map +1 -0
- package/dist/scoring/overall.js +76 -0
- package/dist/scoring/overall.js.map +1 -0
- package/dist/scoring/result.d.ts +111 -0
- package/dist/scoring/result.d.ts.map +1 -0
- package/dist/scoring/result.js +14 -0
- package/dist/scoring/result.js.map +1 -0
- package/dist/scoring/spec.d.ts +76 -0
- package/dist/scoring/spec.d.ts.map +1 -0
- package/dist/scoring/spec.js +22 -0
- package/dist/scoring/spec.js.map +1 -0
- package/dist/scoring/thresholds.d.ts +56 -0
- package/dist/scoring/thresholds.d.ts.map +1 -0
- package/dist/scoring/thresholds.js +75 -0
- package/dist/scoring/thresholds.js.map +1 -0
- package/dist/tools-cli.d.ts.map +1 -1
- package/dist/tools-cli.js +21 -2
- package/dist/tools-cli.js.map +1 -1
- package/dist/types.d.ts +16 -0
- package/dist/types.d.ts.map +1 -1
- package/package.json +1 -1
- package/templates/.claude/commands/dashboard.md +17 -9
- package/dist/analyzers/scoring.d.ts +0 -49
- package/dist/analyzers/scoring.d.ts.map +0 -1
- package/dist/analyzers/scoring.js +0 -422
- package/dist/analyzers/scoring.js.map +0 -1
- package/dist/analyzers/security/scoring.d.ts +0 -29
- package/dist/analyzers/security/scoring.d.ts.map +0 -1
- package/dist/analyzers/security/scoring.js +0 -40
- package/dist/analyzers/security/scoring.js.map +0 -1
|
@@ -14,10 +14,46 @@
|
|
|
14
14
|
* driven derivation keeps adding a new language to a one-line scaffold
|
|
15
15
|
* change rather than a cross-cutting edit here.
|
|
16
16
|
*/
|
|
17
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
18
|
+
if (k2 === undefined) k2 = k;
|
|
19
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
20
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
21
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
22
|
+
}
|
|
23
|
+
Object.defineProperty(o, k2, desc);
|
|
24
|
+
}) : (function(o, m, k, k2) {
|
|
25
|
+
if (k2 === undefined) k2 = k;
|
|
26
|
+
o[k2] = m[k];
|
|
27
|
+
}));
|
|
28
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
29
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
30
|
+
}) : function(o, v) {
|
|
31
|
+
o["default"] = v;
|
|
32
|
+
});
|
|
33
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
34
|
+
var ownKeys = function(o) {
|
|
35
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
36
|
+
var ar = [];
|
|
37
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
38
|
+
return ar;
|
|
39
|
+
};
|
|
40
|
+
return ownKeys(o);
|
|
41
|
+
};
|
|
42
|
+
return function (mod) {
|
|
43
|
+
if (mod && mod.__esModule) return mod;
|
|
44
|
+
var result = {};
|
|
45
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
46
|
+
__setModuleDefault(result, mod);
|
|
47
|
+
return result;
|
|
48
|
+
};
|
|
49
|
+
})();
|
|
17
50
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
18
51
|
exports.jscpdProvider = void 0;
|
|
19
52
|
exports.gatherJscpdResult = gatherJscpdResult;
|
|
53
|
+
const fs = __importStar(require("fs"));
|
|
54
|
+
const path = __importStar(require("path"));
|
|
20
55
|
const languages_1 = require("../../languages");
|
|
56
|
+
const exclusions_1 = require("./exclusions");
|
|
21
57
|
const runner_1 = require("./runner");
|
|
22
58
|
const tool_registry_1 = require("./tool-registry");
|
|
23
59
|
/**
|
|
@@ -65,18 +101,93 @@ function topClonesFrom(duplicates, limit = 15) {
|
|
|
65
101
|
/**
|
|
66
102
|
* Single source of truth for the jscpd invocation. Consumed by
|
|
67
103
|
* `jscpdProvider` (capability dispatcher).
|
|
104
|
+
*
|
|
105
|
+
* Failure-mode honesty: when jscpd doesn't produce a parseable
|
|
106
|
+
* report, the returned `reason` distinguishes timeout, non-zero
|
|
107
|
+
* exit (with first stderr line), or the rare true "no output"
|
|
108
|
+
* case. Same shape as the semgrep gather — switched from execSync
|
|
109
|
+
* to spawn-with-process-group so jscpd's worker pool (it splits
|
|
110
|
+
* the scan across multiple Node workers internally) isn't killed
|
|
111
|
+
* mid-run when execSync's wall-clock timer fires.
|
|
68
112
|
*/
|
|
69
|
-
function gatherJscpdResult(cwd) {
|
|
113
|
+
async function gatherJscpdResult(cwd) {
|
|
70
114
|
const status = (0, tool_registry_1.findTool)(tool_registry_1.TOOL_DEFS.jscpd, cwd);
|
|
71
115
|
if (!status.available || !status.path)
|
|
72
116
|
return { kind: 'unavailable', reason: 'not installed' };
|
|
73
117
|
const reportDir = `/tmp/dxkit-jscpd-${Date.now()}`;
|
|
74
118
|
const pattern = buildJscpdPattern();
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
119
|
+
// jscpd's `--ignore` receives the union of:
|
|
120
|
+
//
|
|
121
|
+
// 1. dxkit's centralized exclusion set (`getJscpdIgnorePatterns`) —
|
|
122
|
+
// the same dirs / sourcePaths / filePatterns the in-process
|
|
123
|
+
// walkers (cloc, grep, semgrep, graphify's Python filter)
|
|
124
|
+
// honor. Without this, committed-vendored trees that aren't
|
|
125
|
+
// listed in the project's `.gitignore` (the `--gitignore` flag's
|
|
126
|
+
// only input) — minified bundles, hash-versioned webpack
|
|
127
|
+
// chunks, vendored library copies under `public/` — would
|
|
128
|
+
// force jscpd to tokenize them, exhaust heap, and OOM-kill
|
|
129
|
+
// before flushing its JSON report. The report would then read
|
|
130
|
+
// "Duplication unavailable" on the densest repos.
|
|
131
|
+
//
|
|
132
|
+
// 2. Pack-declared autogen patterns (`*.Designer.cs`, WCF
|
|
133
|
+
// `Reference.cs`, MSBuild `*.AssemblyInfo.cs`, etc.) so
|
|
134
|
+
// duplication detection skips the same files generic.ts +
|
|
135
|
+
// test-gaps' source walk already skip. Autogen scaffolding
|
|
136
|
+
// duplicates verbatim by its nature; including it inflates
|
|
137
|
+
// the duplication percentage and points "extract this" advice
|
|
138
|
+
// at code the developer never authored.
|
|
139
|
+
//
|
|
140
|
+
// Patterns get a `**/` prefix so they match at any directory depth.
|
|
141
|
+
const exclusionIgnore = (0, exclusions_1.getJscpdIgnorePatterns)(cwd);
|
|
142
|
+
const autogenIgnore = (0, languages_1.allAutogenSourcePatterns)().map((p) => `**/${p}`);
|
|
143
|
+
const ignorePatterns = [...exclusionIgnore, ...autogenIgnore];
|
|
144
|
+
const args = ['--reporters', 'json', '--output', reportDir, '--gitignore', '--pattern', pattern];
|
|
145
|
+
if (ignorePatterns.length > 0) {
|
|
146
|
+
args.push('--ignore', ignorePatterns.join(','));
|
|
147
|
+
}
|
|
148
|
+
args.push('--min-lines', '5', '--min-tokens', '50', cwd);
|
|
149
|
+
const outcome = await (0, runner_1.runDetached)(status.path, args, { cwd, timeoutMs: 600000 });
|
|
150
|
+
// Read the report file directly. Pre-D-fix this used
|
|
151
|
+
// `run('cat <path>')` which routed through execSync with the default
|
|
152
|
+
// 1MB maxBuffer — jscpd reports on enterprise codebases routinely
|
|
153
|
+
// exceed that (dpl-studio's was 25MB / 395k lines), causing execSync
|
|
154
|
+
// to truncate the output to empty and the gather to misreport
|
|
155
|
+
// jscpd as "unavailable" even after a fully-successful run.
|
|
156
|
+
// Direct file read sidesteps the buffer entirely.
|
|
157
|
+
const reportPath = path.join(reportDir, 'jscpd-report.json');
|
|
158
|
+
let reportRaw;
|
|
159
|
+
try {
|
|
160
|
+
reportRaw = fs.readFileSync(reportPath, 'utf-8');
|
|
161
|
+
}
|
|
162
|
+
catch {
|
|
163
|
+
reportRaw = '';
|
|
164
|
+
}
|
|
165
|
+
try {
|
|
166
|
+
fs.rmSync(reportDir, { recursive: true, force: true });
|
|
167
|
+
}
|
|
168
|
+
catch {
|
|
169
|
+
/* dir already gone or never written — fine */
|
|
170
|
+
}
|
|
171
|
+
if (!reportRaw) {
|
|
172
|
+
if (outcome.timedOut) {
|
|
173
|
+
return {
|
|
174
|
+
kind: 'unavailable',
|
|
175
|
+
reason: 'timed out at 600s (try narrowing scan scope via .dxkit-ignore)',
|
|
176
|
+
};
|
|
177
|
+
}
|
|
178
|
+
const stderrFirstLine = outcome.stderr
|
|
179
|
+
.split('\n')
|
|
180
|
+
.map((l) => l.trim())
|
|
181
|
+
.find((l) => l.length > 0);
|
|
182
|
+
if (outcome.code !== 0 && outcome.code !== null) {
|
|
183
|
+
const ctx = stderrFirstLine ? ` (stderr: ${stderrFirstLine})` : '';
|
|
184
|
+
return { kind: 'unavailable', reason: `exit code ${outcome.code}${ctx}` };
|
|
185
|
+
}
|
|
186
|
+
if (stderrFirstLine) {
|
|
187
|
+
return { kind: 'unavailable', reason: `no output (stderr: ${stderrFirstLine})` };
|
|
188
|
+
}
|
|
79
189
|
return { kind: 'unavailable', reason: 'no output' };
|
|
190
|
+
}
|
|
80
191
|
let data;
|
|
81
192
|
try {
|
|
82
193
|
data = JSON.parse(reportRaw);
|
|
@@ -103,11 +214,23 @@ function gatherJscpdResult(cwd) {
|
|
|
103
214
|
* Capability-shaped provider. Registered in
|
|
104
215
|
* `src/languages/capabilities/global.ts:GLOBAL_CAPABILITIES.duplication`.
|
|
105
216
|
*/
|
|
217
|
+
// Implements the optional `gatherOutcome` channel the dispatcher reads
|
|
218
|
+
// to populate `DispatchOutcome.skipReasons`. Without it, a failed jscpd
|
|
219
|
+
// run collapses to `null` at the gather boundary and the actual failure
|
|
220
|
+
// reason ("not installed" / "timed out at 600s" / "exit code 137" /
|
|
221
|
+
// "no output" / "parse error") is dropped — `availabilityFromOutcome`
|
|
222
|
+
// in health.ts then synthesizes generic prose that conflates
|
|
223
|
+
// install-missing with attempted-but-failed. Exposing the real outcome
|
|
224
|
+
// here lets the report show why jscpd didn't contribute, in jscpd's
|
|
225
|
+
// own words.
|
|
106
226
|
exports.jscpdProvider = {
|
|
107
227
|
source: 'jscpd',
|
|
108
228
|
async gather(cwd) {
|
|
109
|
-
const outcome = gatherJscpdResult(cwd);
|
|
229
|
+
const outcome = await gatherJscpdResult(cwd);
|
|
110
230
|
return outcome.kind === 'success' ? outcome.envelope : null;
|
|
111
231
|
},
|
|
232
|
+
async gatherOutcome(cwd) {
|
|
233
|
+
return gatherJscpdResult(cwd);
|
|
234
|
+
},
|
|
112
235
|
};
|
|
113
236
|
//# sourceMappingURL=jscpd.js.map
|
|
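Review bot: The report directory at new line 117 is still `/tmp/dxkit-jscpd-${Date.now()}`, a predictable name in a world-writable directory, and the added code at new lines 157–166 now reads `jscpd-report.json` from it with `fs.readFileSync` and then removes the directory recursively. On a shared host another local user can create that path first, so the report jscpd writes and the gather parses is not under the caller's sole control; two runs that start in the same millisecond would also share one directory. Creating the directory atomically with a random suffix avoids both: `const reportDir = fs.mkdtempSync(path.join(os.tmpdir(), 'dxkit-jscpd-'));`, with `const os = __importStar(require("os"));` added beside the new `fs` and `path` imports. This file is compiled output, so the change belongs in `src/analyzers/tools/jscpd.ts`; the body of `gatherJscpdResult` continues past the end of the second hunk.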
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"jscpd.js","sourceRoot":"","sources":["../../../src/analyzers/tools/jscpd.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG
|
|
1
|
+
{"version":3,"file":"jscpd.js","sourceRoot":"","sources":["../../../src/analyzers/tools/jscpd.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+FH,8CAqGC;AAlMD,uCAAyB;AACzB,2CAA6B;AAC7B,+CAAsE;AAGtE,6CAAsD;AACtD,qCAAuC;AACvC,mDAAsD;AA8BtD;;;;;;;;;;;GAWG;AACH,SAAS,iBAAiB;IACxB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,qBAAS,EAAE,CAAC;QAC7B,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;AAChD,CAAC;AAED,0DAA0D;AAC1D,SAAS,aAAa,CAAC,UAA+B,EAAE,KAAK,GAAG,EAAE;IAChE,OAAO,UAAU;SACd,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,EAAE,IAAI,IAAI,CAAC,CAAC,UAAU,EAAE,IAAI,IAAI,CAAC,CAAC,KAAK,CAAC;SACjE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACX,KAAK,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC;QACnB,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,CAAC;QACrB,CAAC,EAAE;YACD,IAAI,EAAE,CAAC,CAAC,SAAU,CAAC,IAAK;YACxB,SAAS,EAAE,CAAC,CAAC,SAAU,CAAC,KAAK,IAAI,CAAC;YAClC,OAAO,EAAE,CAAC,CAAC,SAAU,CAAC,GAAG,IAAI,CAAC;SAC/B;QACD,CAAC,EAAE;YACD,IAAI,EAAE,CAAC,CAAC,UAAW,CAAC,IAAK;YACzB,SAAS,EAAE,CAAC,CAAC,UAAW,CAAC,KAAK,IAAI,CAAC;YACnC,OAAO,EAAE,CAAC,CAAC,UAAW,CAAC,GAAG,IAAI,CAAC;SAChC;KACF,CAAC,CAAC;SACF,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;SACjC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;AACrB,CAAC;AAED;;;;;;;;;;;GAWG;AACI,KAAK,UAAU,iBAAiB,CAAC,GAAW;IACjD,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,yBAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC9C,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,IAAI;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAE/F,MAAM,SAAS,GAAG,oBAAoB,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;IACnD,MAAM,OAAO,GAAG,iBAAiB,EAAE,CAAC;IACpC,4CAA4C;IAC5C,EAAE;IACF,sEAAsE;IACtE,iEAAiE;IACjE,+DAA+D;IAC/D,iEAAiE;IACjE,sEAAsE;IACtE,8DAA8D;IAC9D,+DAA+D;IAC/D,gEAAgE;IAChE,mEAAmE;IACnE,uDAAuD;IACvD,EAAE;IACF,4DAA4D;IAC5D,6DAA6D;IAC7D,+DAA+D;IAC/D,gEAAgE;IA
ChE,gEAAgE;IAChE,mEAAmE;IACnE,6CAA6C;IAC7C,EAAE;IACF,oEAAoE;IACpE,MAAM,eAAe,GAAG,IAAA,mCAAsB,EAAC,GAAG,CAAC,CAAC;IACpD,MAAM,aAAa,GAAG,IAAA,oCAAwB,GAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACvE,MAAM,cAAc,GAAG,CAAC,GAAG,eAAe,EAAE,GAAG,aAAa,CAAC,CAAC;IAC9D,MAAM,IAAI,GAAG,CAAC,aAAa,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC;IACjG,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAClD,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,GAAG,EAAE,cAAc,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;IAEzD,MAAM,OAAO,GAAG,MAAM,IAAA,oBAAW,EAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;IAEjF,qDAAqD;IACrD,qEAAqE;IACrE,kEAAkE;IAClE,qEAAqE;IACrE,8DAA8D;IAC9D,4DAA4D;IAC5D,kDAAkD;IAClD,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,mBAAmB,CAAC,CAAC;IAC7D,IAAI,SAAiB,CAAC;IACtB,IAAI,CAAC;QACH,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACnD,CAAC;IAAC,MAAM,CAAC;QACP,SAAS,GAAG,EAAE,CAAC;IACjB,CAAC;IACD,IAAI,CAAC;QACH,EAAE,CAAC,MAAM,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,8CAA8C;IAChD,CAAC;IAED,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,OAAO;gBACL,IAAI,EAAE,aAAa;gBACnB,MAAM,EAAE,gEAAgE;aACzE,CAAC;QACJ,CAAC;QACD,MAAM,eAAe,GAAG,OAAO,CAAC,MAAM;aACnC,KAAK,CAAC,IAAI,CAAC;aACX,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAC7B,IAAI,OAAO,CAAC,IAAI,KAAK,CAAC,IAAI,OAAO,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;YAChD,MAAM,GAAG,GAAG,eAAe,CAAC,CAAC,CAAC,aAAa,eAAe,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YACnE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,aAAa,OAAO,CAAC,IAAI,GAAG,GAAG,EAAE,EAAE,CAAC;QAC5E,CAAC;QACD,IAAI,eAAe,EAAE,CAAC;YACpB,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,sBAAsB,eAAe,GAAG,EAAE,CAAC;QACnF,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IACtD,CAAC;IAED,IAAI,IAAiB,CAAC;IACtB,IAAI,CAAC
;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAgB,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;IACxD,CAAC;IAED,MAAM,CAAC,GAAG,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC;IACjC,IAAI,CAAC,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAEjE,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC;IACzC,MAAM,QAAQ,GAAsB;QAClC,aAAa,EAAE,CAAC;QAChB,IAAI,EAAE,OAAO;QACb,UAAU,EAAE,CAAC,CAAC,KAAK;QACnB,eAAe,EAAE,CAAC,CAAC,eAAe;QAClC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,GAAG,GAAG,CAAC,GAAG,GAAG;QAChD,UAAU,EAAE,UAAU,CAAC,MAAM;QAC7B,SAAS,EAAE,aAAa,CAAC,UAAU,CAAC;KACrC,CAAC;IACF,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AACvC,CAAC;AAED;;;GAGG;AACH,uEAAuE;AACvE,wEAAwE;AACxE,wEAAwE;AACxE,oEAAoE;AACpE,sEAAsE;AACtE,6DAA6D;AAC7D,uEAAuE;AACvE,oEAAoE;AACpE,aAAa;AACA,QAAA,aAAa,GAEtB;IACF,MAAM,EAAE,OAAO;IACf,KAAK,CAAC,MAAM,CAAC,GAAG;QACd,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,GAAG,CAAC,CAAC;QAC7C,OAAO,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9D,CAAC;IACD,KAAK,CAAC,aAAa,CAAC,GAAG;QACrB,OAAO,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;CACF,CAAC"}
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* True when the file at `absPath` looks like minified / bundled
|
|
3
|
+
* output by the bytes-per-line heuristic. Returns false on read
|
|
4
|
+
* errors or for files whose extension isn't in
|
|
5
|
+
* `MINIFIABLE_EXTENSIONS` — over-include is preferable to silently
|
|
6
|
+
* dropping legit source.
|
|
7
|
+
*/
|
|
8
|
+
export declare function isLikelyMinified(absPath: string): boolean;
|
|
9
|
+
//# sourceMappingURL=minified-detection.d.ts.map
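Review bot: The doc comment on `isLikelyMinified` names `MINIFIABLE_EXTENSIONS`, which this declaration file does not export, and it does not say that the verdict comes from a leading sample only. Per the implementation in minified-detection.js, the function reads the first 4096 bytes and compares bytes-per-newline against 500, so it returns true only when that sample holds at most eight newlines. A bundle that opens with a multi-line licence banner is therefore reported as not minified. I would spell out the extension list in the comment and add a sentence such as `Only the first 4096 bytes are sampled; a file whose minified body starts after a multi-line banner is not detected.`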
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"minified-detection.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/minified-detection.ts"],"names":[],"mappings":"AAqEA;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAgCzD"}
|
|
@@ -0,0 +1,147 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
|
+
if (k2 === undefined) k2 = k;
|
|
4
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
5
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
6
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
7
|
+
}
|
|
8
|
+
Object.defineProperty(o, k2, desc);
|
|
9
|
+
}) : (function(o, m, k, k2) {
|
|
10
|
+
if (k2 === undefined) k2 = k;
|
|
11
|
+
o[k2] = m[k];
|
|
12
|
+
}));
|
|
13
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
14
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
15
|
+
}) : function(o, v) {
|
|
16
|
+
o["default"] = v;
|
|
17
|
+
});
|
|
18
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
19
|
+
var ownKeys = function(o) {
|
|
20
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
21
|
+
var ar = [];
|
|
22
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
23
|
+
return ar;
|
|
24
|
+
};
|
|
25
|
+
return ownKeys(o);
|
|
26
|
+
};
|
|
27
|
+
return function (mod) {
|
|
28
|
+
if (mod && mod.__esModule) return mod;
|
|
29
|
+
var result = {};
|
|
30
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
31
|
+
__setModuleDefault(result, mod);
|
|
32
|
+
return result;
|
|
33
|
+
};
|
|
34
|
+
})();
|
|
35
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
36
|
+
exports.isLikelyMinified = isLikelyMinified;
|
|
37
|
+
/**
|
|
38
|
+
* Minified / bundled source-file detection.
|
|
39
|
+
*
|
|
40
|
+
* Complements the autogen-header probe by catching another class of
|
|
41
|
+
* machine-emitted files that frequently land in customer
|
|
42
|
+
* `src/` / `public/` trees: minified or bundled JavaScript / CSS.
|
|
43
|
+
* These files are technically "source" by extension but carry no
|
|
44
|
+
* engineering signal — they're build output (webpack / vite /
|
|
45
|
+
* esbuild hash-suffixed chunks), CDN-downloaded libraries dropped
|
|
46
|
+
* into `public/`, or pre-minified vendored editors. When they slip
|
|
47
|
+
* past the standard exclusions they distort:
|
|
48
|
+
*
|
|
49
|
+
* • `largestFileLines` + `largestFilePath` ("Largest file: 18K
|
|
50
|
+
* lines" points at a webpack chunk, not a human-authored file)
|
|
51
|
+
* • `filesOver500Lines` (every minified JS file is one line at
|
|
52
|
+
* thousands of chars, so doesn't inflate this; but the BUNDLE
|
|
53
|
+
* CHUNKS that span multiple lines do)
|
|
54
|
+
* • `densestFile` from graphify (4,000+ functions in a single
|
|
55
|
+
* minified file)
|
|
56
|
+
* • Top Files by Size (the table reads as "split these" but the
|
|
57
|
+
* files are all autogen artifacts)
|
|
58
|
+
*
|
|
59
|
+
* Detection heuristic: read the first ~4KB, count newlines, compare
|
|
60
|
+
* to byte length. If average bytes-per-line crosses a threshold the
|
|
61
|
+
* file is almost certainly minified or a hash-suffixed bundle chunk.
|
|
62
|
+
* Threshold picked at 500 bytes/line — well above typical
|
|
63
|
+
* hand-written source (~80–120 cols, ~100 bytes/line including
|
|
64
|
+
* indentation) and well below typical minified output (often
|
|
65
|
+
* 5,000–50,000 bytes per "line" in single-line minified files, or
|
|
66
|
+
* 200–800 bytes/line in webpack bundles with semicolon-split
|
|
67
|
+
* chunks).
|
|
68
|
+
*
|
|
69
|
+
* Scope: applied to `.js`, `.jsx`, `.mjs`, `.cjs`, `.css`, `.scss`,
|
|
70
|
+
* `.sass`, `.less`. NOT applied to `.ts` / `.tsx` because TS source
|
|
71
|
+
* is rarely minified in-place (the minified output lands in a
|
|
72
|
+
* separate `dist/` directory which is already excluded by the
|
|
73
|
+
* standard ignore list); checking every .ts file would burn I/O
|
|
74
|
+
* for no benefit.
|
|
75
|
+
*
|
|
76
|
+
* Repo-specific autogen that doesn't match this heuristic (e.g.
|
|
77
|
+
* vendor-tool–emitted classes with hand-typeable filenames + no
|
|
78
|
+
* autogen header) is best handled via `.dxkit-ignore` — a per-repo
|
|
79
|
+
* customization the customer maintains.
|
|
80
|
+
*/
|
|
81
|
+
const fs = __importStar(require("fs"));
|
|
82
|
+
const path = __importStar(require("path"));
|
|
83
|
+
/** Extensions where minified content is plausibly present in the source tree. */
|
|
84
|
+
const MINIFIABLE_EXTENSIONS = new Set([
|
|
85
|
+
'.js',
|
|
86
|
+
'.jsx',
|
|
87
|
+
'.mjs',
|
|
88
|
+
'.cjs',
|
|
89
|
+
'.css',
|
|
90
|
+
'.scss',
|
|
91
|
+
'.sass',
|
|
92
|
+
'.less',
|
|
93
|
+
]);
|
|
94
|
+
/** Bytes-per-line floor above which the file is almost certainly
|
|
95
|
+
* minified / bundled. Calibrated to admit hand-written code at any
|
|
96
|
+
* reasonable line length while rejecting any minifier output. */
|
|
97
|
+
const MIN_BYTES_PER_LINE_FOR_MINIFIED = 500;
|
|
98
|
+
/** Sample size — large enough to get reliable line statistics on
|
|
99
|
+
* even the shortest minified chunk, small enough to keep the I/O
|
|
100
|
+
* cost negligible vs. the existing autogen-header probe. */
|
|
101
|
+
const SAMPLE_BYTES = 4096;
|
|
102
|
+
/**
|
|
103
|
+
* True when the file at `absPath` looks like minified / bundled
|
|
104
|
+
* output by the bytes-per-line heuristic. Returns false on read
|
|
105
|
+
* errors or for files whose extension isn't in
|
|
106
|
+
* `MINIFIABLE_EXTENSIONS` — over-include is preferable to silently
|
|
107
|
+
* dropping legit source.
|
|
108
|
+
*/
|
|
109
|
+
function isLikelyMinified(absPath) {
|
|
110
|
+
const ext = path.extname(absPath).toLowerCase();
|
|
111
|
+
if (!MINIFIABLE_EXTENSIONS.has(ext))
|
|
112
|
+
return false;
|
|
113
|
+
let fd = null;
|
|
114
|
+
try {
|
|
115
|
+
fd = fs.openSync(absPath, 'r');
|
|
116
|
+
const buf = Buffer.alloc(SAMPLE_BYTES);
|
|
117
|
+
const n = fs.readSync(fd, buf, 0, SAMPLE_BYTES, 0);
|
|
118
|
+
if (n === 0)
|
|
119
|
+
return false;
|
|
120
|
+
// Count newlines in the sample. A single-line file with N bytes
|
|
121
|
+
// and zero newlines reports bytesPerLine = N (way above the
|
|
122
|
+
// floor). A normal source file with N bytes and N/100 newlines
|
|
123
|
+
// reports ~100 bytes/line.
|
|
124
|
+
let newlines = 0;
|
|
125
|
+
for (let i = 0; i < n; i++) {
|
|
126
|
+
if (buf[i] === 0x0a)
|
|
127
|
+
newlines++;
|
|
128
|
+
}
|
|
129
|
+
const linesInSample = Math.max(1, newlines);
|
|
130
|
+
const bytesPerLine = n / linesInSample;
|
|
131
|
+
return bytesPerLine >= MIN_BYTES_PER_LINE_FOR_MINIFIED;
|
|
132
|
+
}
|
|
133
|
+
catch {
|
|
134
|
+
return false;
|
|
135
|
+
}
|
|
136
|
+
finally {
|
|
137
|
+
if (fd !== null) {
|
|
138
|
+
try {
|
|
139
|
+
fs.closeSync(fd);
|
|
140
|
+
}
|
|
141
|
+
catch {
|
|
142
|
+
/* ignore */
|
|
143
|
+
}
|
|
144
|
+
}
|
|
145
|
+
}
|
|
146
|
+
}
|
|
147
|
+
//# sourceMappingURL=minified-detection.js.map
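Review bot: `isLikelyMinified` calls `fs.openSync(absPath, 'r')` on any path whose extension matches, without first confirming that the path is a regular file. The caller's directory walk is not visible here and may already filter this, but if it can hand over a FIFO or device node named `*.js`, the synchronous open can stall the whole scan on an untrusted checkout. Adding `if (!fs.statSync(absPath).isFile()) return false;` as the first statement inside the `try` keeps the documented false-on-error behaviour, since a failed stat lands in the existing `catch`. Separately, the comment on `MIN_BYTES_PER_LINE_FOR_MINIFIED` says the floor rejects "any minifier output", while the module header puts webpack chunks at 200–800 bytes/line, so the lower part of that range passes as hand-written; the comment should say so.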
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"minified-detection.js","sourceRoot":"","sources":["../../../src/analyzers/tools/minified-detection.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4EA,4CAgCC;AA5GD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AACH,uCAAyB;AACzB,2CAA6B;AAE7B,iFAAiF;AACjF,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,KAAK;IACL,MAAM;IACN,MAAM;IACN,MAAM;IACN,MAAM;IACN,OAAO;IACP,OAAO;IACP,OAAO;CACR,CAAC,CAAC;AAEH;;kEAEkE;AAClE,MAAM,+BAA+B,GAAG,GAAG,CAAC;AAE5C;;6DAE6D;AAC7D,MAAM,YAAY,GAAG,IAAI,CAAC;AAE1B;;;;;;GAMG;AACH,SAAgB,gBAAgB,CAAC,OAAe;IAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;IAChD,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAElD,IAAI,EAAE,GAAkB,IAAI,CAAC;IAC7B,IAAI,CAAC;QACH,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAC/B,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QACvC,MAAM,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC;QACnD,IAAI,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAC1B,gEAAgE;QAChE,4DAA4D;QAC5D,+DAA+D;QAC/D,2BAA2B;QAC3B,IAAI,QAAQ,GAAG,CAAC,CAAC;QACjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC3B,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI;gBAAE,QAAQ,EAAE,CAAC;QAClC,CAAC;QACD,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;QAC5C,MAAM,YAAY,GAAG,CAAC,GAAG,aAAa,CAAC;QACvC,OAAO,YAAY,IAAI,+BAA+B,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;YAAS,CAAC;QACT,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YAChB,IAAI,CAAC;gBACH,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YACnB,CAAC;YAAC,MAAM,CAAC;gBACP,YAAY;YACd,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC"}
|
|
@@ -0,0 +1,131 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Direct `<PackageReference>` parser — D025f (2.4.7).
|
|
3
|
+
*
|
|
4
|
+
* Extracts NuGet PackageReference entries from `.csproj` XML text
|
|
5
|
+
* without invoking `dotnet restore` or any other .NET toolchain. The
|
|
6
|
+
* output feeds an ad-hoc `packages.lock.json`-shaped file that
|
|
7
|
+
* osv-scanner ingests via `--lockfile=<path>` (the file MUST be
|
|
8
|
+
* literally named `packages.lock.json` — osv-scanner v2.x detects the
|
|
9
|
+
* NuGet ecosystem by filename, not by a prefix). This closes the D036
|
|
10
|
+
* customer-outcome gap on dpl-studio (where `dotnet list package`
|
|
11
|
+
* couldn't run from a multi-project parent directory).
|
|
12
|
+
*
|
|
13
|
+
* Lives under `src/analyzers/tools/` (alongside `osv-scanner-deps.ts`,
|
|
14
|
+
* `jacoco.ts`, `npm-registry.ts`, `cvss-v4.ts`) — CLAUDE.md rule #6
|
|
15
|
+
* keeps each language pack as a single file; ecosystem-specific tool
|
|
16
|
+
* helpers consumed by one or more packs go in `analyzers/tools/`.
|
|
17
|
+
* csharp.ts imports this module the same way it already imports
|
|
18
|
+
* `osv` and `osv-scanner-deps`.
|
|
19
|
+
*
|
|
20
|
+
* Architectural rationale:
|
|
21
|
+
*
|
|
22
|
+
* D025c (Sprint A) routed the gather through `findTool(TOOL_DEFS
|
|
23
|
+
* ['dotnet-format'])` so users with `~/.dotnet/dotnet` (the
|
|
24
|
+
* Microsoft-recommended non-sudo install) got dotnet discovered.
|
|
25
|
+
* That fix was necessary but not sufficient: `dotnet list package
|
|
26
|
+
* --vulnerable` still requires an explicit `.csproj`/`.sln` in cwd,
|
|
27
|
+
* and dpl-studio's `Code/Source/Dev/Core/<Module>/<Module>.csproj`
|
|
28
|
+
* layout puts the project files 3 levels deeper than the natural
|
|
29
|
+
* `dxkit vulnerabilities Code/Source/` cwd.
|
|
30
|
+
*
|
|
31
|
+
* D025f sidesteps the dotnet CLI entirely. We walk every `.csproj`
|
|
32
|
+
* reachable from cwd (depth 5, matching csharp.detect()), parse
|
|
33
|
+
* each, and feed the union to osv-scanner via a synthetic lockfile.
|
|
34
|
+
* Cross-platform — `net9.0-windows` targets that won't restore on
|
|
35
|
+
* Linux/Mac still get scanned.
|
|
36
|
+
*
|
|
37
|
+
* Trade-off: this catches DIRECT PackageReferences only. Transitive
|
|
38
|
+
* deps (resolved by NuGet's dep graph from each direct ref's own
|
|
39
|
+
* dependencies) are NOT visible without a populated
|
|
40
|
+
* `project.assets.json`. Industry studies put ~80% of typical
|
|
41
|
+
* .NET CVE surface on direct refs; the remaining ~20% (transitives)
|
|
42
|
+
* land cleanly when `dotnet restore` is available and the
|
|
43
|
+
* dotnet-path-resolved D025c codepath runs.
|
|
44
|
+
*
|
|
45
|
+
* Shared with D031: the licenses degraded-inventory fallback uses the
|
|
46
|
+
* same parser to produce a "133 packages identified; license info
|
|
47
|
+
* unavailable" rendering when `nuget-license` isn't installed.
|
|
48
|
+
*
|
|
49
|
+
* Pure function. No I/O. Tested via a fixture suite of representative
|
|
50
|
+
* .csproj shapes (attribute-form, element-form, Central Package
|
|
51
|
+
* Management, conditional `<ItemGroup>` blocks).
|
|
52
|
+
*/
|
|
53
|
+
/**
|
|
54
|
+
* Per-package entry extracted from a `.csproj`. Both fields are
|
|
55
|
+
* post-trimmed; `version` is the raw NuGet version string (which may
|
|
56
|
+
* be a single version `"9.0.1"` or a range `"[9.0.1, 10.0.0)"` —
|
|
57
|
+
* osv-scanner accepts both forms in the lockfile's `resolved` field).
|
|
58
|
+
*/
|
|
59
|
+
export interface PackageReferenceEntry {
|
|
60
|
+
name: string;
|
|
61
|
+
version: string;
|
|
62
|
+
}
|
|
63
|
+
/**
|
|
64
|
+
* Match shapes (in priority order):
|
|
65
|
+
*
|
|
66
|
+
* 1. `<PackageReference Include="Foo" Version="1.0.0" />` — most
|
|
67
|
+
* common; attributes can appear in any order (also matched
|
|
68
|
+
* `Version="1.0.0" Include="Foo"`).
|
|
69
|
+
* 2. `<PackageReference Include="Foo"><Version>1.0.0</Version>
|
|
70
|
+
* </PackageReference>` — element-form, equivalent semantics;
|
|
71
|
+
* common in repos that prefer multiline configs or use child
|
|
72
|
+
* elements for `<PrivateAssets>`/`<IncludeAssets>` siblings.
|
|
73
|
+
* 3. `<PackageReference Include="Foo" />` WITHOUT Version — Central
|
|
74
|
+
* Package Management (CPM): the version comes from a separate
|
|
75
|
+
* `Directory.Packages.props` file. Skipped here; the CPM-aware
|
|
76
|
+
* pass (a future enhancement) would resolve them.
|
|
77
|
+
*
|
|
78
|
+
* Skipped shapes:
|
|
79
|
+
*
|
|
80
|
+
* - `<PackageReference Update="Foo" Version="..." />` — CPM
|
|
81
|
+
* override syntax for transitive pins; NOT a direct reference.
|
|
82
|
+
* - `<GlobalPackageReference ... />` — CPM-only; pins all projects.
|
|
83
|
+
* Not a direct reference of this csproj.
|
|
84
|
+
* - Comments / CDATA — best-effort; the regex is generous and
|
|
85
|
+
* can theoretically match `<!-- <PackageReference ... -->`
|
|
86
|
+
* comments; users with literal PackageReference strings inside
|
|
87
|
+
* comments would get false positives. Acceptable: pathological
|
|
88
|
+
* case, and osv-scanner won't surface advisories for non-real
|
|
89
|
+
* packages, so the worst case is a wasted scan entry.
|
|
90
|
+
*/
|
|
91
|
+
export declare function parseCsprojPackageReferences(xml: string): PackageReferenceEntry[];
|
|
92
|
+
/**
|
|
93
|
+
* Generate the body of an ad-hoc `packages.lock.json` that osv-scanner
|
|
94
|
+
* v2.x reads via `--lockfile=<path>` (caller MUST write this content to
|
|
95
|
+
* a file literally named `packages.lock.json` — osv-scanner detects
|
|
96
|
+
* ecosystem by filename). The schema matches NuGet's native
|
|
97
|
+
* `dotnet restore`-produced lockfile (which osv-scanner already
|
|
98
|
+
* supports natively), simplified to the minimum osv-scanner consults
|
|
99
|
+
* for vulnerability matching:
|
|
100
|
+
*
|
|
101
|
+
* {
|
|
102
|
+
* "version": 1,
|
|
103
|
+
* "dependencies": {
|
|
104
|
+
* "net0.0": {
|
|
105
|
+
* "<Pkg>": {
|
|
106
|
+
* "type": "Direct",
|
|
107
|
+
* "resolved": "<Version>",
|
|
108
|
+
* "requested": "[<Version>, )"
|
|
109
|
+
* }
|
|
110
|
+
* }
|
|
111
|
+
* }
|
|
112
|
+
* }
|
|
113
|
+
*
|
|
114
|
+
* - `"version": 1` matches `dotnet restore`'s lockfile schema version.
|
|
115
|
+
* - `"net0.0"` is a placeholder framework moniker — osv-scanner reads
|
|
116
|
+
* the package map without validating the framework key, so any
|
|
117
|
+
* non-empty string works. We use a non-real moniker so it can't be
|
|
118
|
+
* confused with a real target framework in downstream debugging.
|
|
119
|
+
* - `type: "Direct"` truthfully reflects that we ONLY parsed direct
|
|
120
|
+
* references. Transitive vulns are out of scope for this path
|
|
121
|
+
* (covered by D025c's `dotnet list` codepath when available).
|
|
122
|
+
* - `requested` is a NuGet version range; we use a single-anchored
|
|
123
|
+
* `[V, )` form so the lockfile is valid even though the real
|
|
124
|
+
* `.csproj` might have been a pinned single version.
|
|
125
|
+
*
|
|
126
|
+
* Returns a JSON-stringified string suitable for writing to a temp
|
|
127
|
+
* file. Callers should clean up the temp file after osv-scanner
|
|
128
|
+
* consumes it.
|
|
129
|
+
*/
|
|
130
|
+
export declare function buildNugetAdhocLockfile(entries: ReadonlyArray<PackageReferenceEntry>): string;
|
|
131
|
+
//# sourceMappingURL=nuget-package-reference.d.ts.map
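Review bot: Version-less `<PackageReference Include="Foo" />` entries (Central Package Management) are documented as skipped, yet `parseCsprojPackageReferences` returns only `PackageReferenceEntry[]`, so a caller cannot tell a project with no packages from one whose references were all skipped. Because this result feeds the osv-scanner lockfile, a CPM repository could come back with no findings simply because nothing was scanned; the caller in csharp.ts is not visible here, so it may already handle this. I would at least add to the doc comment `An empty or short result is not evidence of a clean project: version-less (CPM) references are dropped and must be reported by the caller as unscanned.` The `buildNugetAdhocLockfile` comment also describes `requested` as `[<Version>, )` while `version` may itself be a range such as `[9.0.1, 10.0.0)`. If the implementation interpolates it verbatim, both `requested` and `resolved` carry a non-version string, and it is worth confirming that advisories still match in that case.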
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"nuget-package-reference.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/nuget-package-reference.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmDG;AAEH;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,4BAA4B,CAAC,GAAG,EAAE,MAAM,GAAG,qBAAqB,EAAE,CA6BjF;AAiBD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,aAAa,CAAC,qBAAqB,CAAC,GAAG,MAAM,CAiB7F"}
|