@vyuhlabs/dxkit 2.4.6 → 2.4.7

Files changed (345) hide show
  1. package/CHANGELOG.md +885 -0
  2. package/README.md +131 -26
  3. package/dist/analysis-result.d.ts +112 -0
  4. package/dist/analysis-result.d.ts.map +1 -0
  5. package/dist/analysis-result.js +52 -0
  6. package/dist/analysis-result.js.map +1 -0
  7. package/dist/analyzers/bom/detailed.d.ts.map +1 -1
  8. package/dist/analyzers/bom/detailed.js +19 -0
  9. package/dist/analyzers/bom/detailed.js.map +1 -1
  10. package/dist/analyzers/bom/gather.d.ts +27 -26
  11. package/dist/analyzers/bom/gather.d.ts.map +1 -1
  12. package/dist/analyzers/bom/gather.js +26 -87
  13. package/dist/analyzers/bom/gather.js.map +1 -1
  14. package/dist/analyzers/bom/index.d.ts +0 -7
  15. package/dist/analyzers/bom/index.d.ts.map +1 -1
  16. package/dist/analyzers/bom/index.js +98 -48
  17. package/dist/analyzers/bom/index.js.map +1 -1
  18. package/dist/analyzers/bom/types.d.ts +11 -13
  19. package/dist/analyzers/bom/types.d.ts.map +1 -1
  20. package/dist/analyzers/cache.d.ts +95 -0
  21. package/dist/analyzers/cache.d.ts.map +1 -0
  22. package/dist/analyzers/cache.js +309 -0
  23. package/dist/analyzers/cache.js.map +1 -0
  24. package/dist/analyzers/coverage-runner.d.ts +56 -0
  25. package/dist/analyzers/coverage-runner.d.ts.map +1 -0
  26. package/dist/analyzers/coverage-runner.js +72 -0
  27. package/dist/analyzers/coverage-runner.js.map +1 -0
  28. package/dist/analyzers/dashboard/index.d.ts +24 -0
  29. package/dist/analyzers/dashboard/index.d.ts.map +1 -0
  30. package/dist/analyzers/dashboard/index.js +666 -0
  31. package/dist/analyzers/dashboard/index.js.map +1 -0
  32. package/dist/analyzers/developer/gather.d.ts.map +1 -1
  33. package/dist/analyzers/developer/gather.js +205 -37
  34. package/dist/analyzers/developer/gather.js.map +1 -1
  35. package/dist/analyzers/developer/index.d.ts +1 -1
  36. package/dist/analyzers/developer/index.d.ts.map +1 -1
  37. package/dist/analyzers/developer/index.js +19 -8
  38. package/dist/analyzers/developer/index.js.map +1 -1
  39. package/dist/analyzers/dispatcher.d.ts +37 -0
  40. package/dist/analyzers/dispatcher.d.ts.map +1 -1
  41. package/dist/analyzers/dispatcher.js +56 -9
  42. package/dist/analyzers/dispatcher.js.map +1 -1
  43. package/dist/analyzers/docs/shallow.d.ts +17 -5
  44. package/dist/analyzers/docs/shallow.d.ts.map +1 -1
  45. package/dist/analyzers/docs/shallow.js +65 -2
  46. package/dist/analyzers/docs/shallow.js.map +1 -1
  47. package/dist/analyzers/dx/shallow.d.ts +17 -5
  48. package/dist/analyzers/dx/shallow.d.ts.map +1 -1
  49. package/dist/analyzers/dx/shallow.js +66 -2
  50. package/dist/analyzers/dx/shallow.js.map +1 -1
  51. package/dist/analyzers/health/actions.d.ts +1 -1
  52. package/dist/analyzers/health/actions.d.ts.map +1 -1
  53. package/dist/analyzers/health/actions.js +27 -9
  54. package/dist/analyzers/health/actions.js.map +1 -1
  55. package/dist/analyzers/health/detailed.d.ts +2 -1
  56. package/dist/analyzers/health/detailed.d.ts.map +1 -1
  57. package/dist/analyzers/health/detailed.js +11 -7
  58. package/dist/analyzers/health/detailed.js.map +1 -1
  59. package/dist/analyzers/health.d.ts +27 -0
  60. package/dist/analyzers/health.d.ts.map +1 -1
  61. package/dist/analyzers/health.js +271 -33
  62. package/dist/analyzers/health.js.map +1 -1
  63. package/dist/analyzers/licenses/gather.d.ts +35 -8
  64. package/dist/analyzers/licenses/gather.d.ts.map +1 -1
  65. package/dist/analyzers/licenses/gather.js +70 -13
  66. package/dist/analyzers/licenses/gather.js.map +1 -1
  67. package/dist/analyzers/licenses/index.d.ts +1 -1
  68. package/dist/analyzers/licenses/index.d.ts.map +1 -1
  69. package/dist/analyzers/licenses/index.js +52 -11
  70. package/dist/analyzers/licenses/index.js.map +1 -1
  71. package/dist/analyzers/licenses/types.d.ts +15 -0
  72. package/dist/analyzers/licenses/types.d.ts.map +1 -1
  73. package/dist/analyzers/maintainability/shallow.d.ts +17 -5
  74. package/dist/analyzers/maintainability/shallow.d.ts.map +1 -1
  75. package/dist/analyzers/maintainability/shallow.js +80 -2
  76. package/dist/analyzers/maintainability/shallow.js.map +1 -1
  77. package/dist/analyzers/quality/detailed.d.ts.map +1 -1
  78. package/dist/analyzers/quality/detailed.js +4 -6
  79. package/dist/analyzers/quality/detailed.js.map +1 -1
  80. package/dist/analyzers/quality/gather.d.ts +1 -14
  81. package/dist/analyzers/quality/gather.d.ts.map +1 -1
  82. package/dist/analyzers/quality/gather.js +48 -137
  83. package/dist/analyzers/quality/gather.js.map +1 -1
  84. package/dist/analyzers/quality/index.d.ts +9 -2
  85. package/dist/analyzers/quality/index.d.ts.map +1 -1
  86. package/dist/analyzers/quality/index.js +189 -117
  87. package/dist/analyzers/quality/index.js.map +1 -1
  88. package/dist/analyzers/quality/shallow.d.ts +50 -5
  89. package/dist/analyzers/quality/shallow.d.ts.map +1 -1
  90. package/dist/analyzers/quality/shallow.js +155 -2
  91. package/dist/analyzers/quality/shallow.js.map +1 -1
  92. package/dist/analyzers/quality/types.d.ts +14 -0
  93. package/dist/analyzers/quality/types.d.ts.map +1 -1
  94. package/dist/analyzers/security/actions.d.ts +11 -4
  95. package/dist/analyzers/security/actions.d.ts.map +1 -1
  96. package/dist/analyzers/security/actions.js +87 -37
  97. package/dist/analyzers/security/actions.js.map +1 -1
  98. package/dist/analyzers/security/aggregator.d.ts +236 -0
  99. package/dist/analyzers/security/aggregator.d.ts.map +1 -0
  100. package/dist/analyzers/security/aggregator.js +347 -0
  101. package/dist/analyzers/security/aggregator.js.map +1 -0
  102. package/dist/analyzers/security/detailed.d.ts +2 -2
  103. package/dist/analyzers/security/detailed.d.ts.map +1 -1
  104. package/dist/analyzers/security/detailed.js +10 -9
  105. package/dist/analyzers/security/detailed.js.map +1 -1
  106. package/dist/analyzers/security/gather.d.ts +103 -1
  107. package/dist/analyzers/security/gather.d.ts.map +1 -1
  108. package/dist/analyzers/security/gather.js +281 -9
  109. package/dist/analyzers/security/gather.js.map +1 -1
  110. package/dist/analyzers/security/index.d.ts +15 -0
  111. package/dist/analyzers/security/index.d.ts.map +1 -1
  112. package/dist/analyzers/security/index.js +463 -50
  113. package/dist/analyzers/security/index.js.map +1 -1
  114. package/dist/analyzers/security/shallow.d.ts +50 -6
  115. package/dist/analyzers/security/shallow.d.ts.map +1 -1
  116. package/dist/analyzers/security/shallow.js +154 -2
  117. package/dist/analyzers/security/shallow.js.map +1 -1
  118. package/dist/analyzers/security/types.d.ts +51 -0
  119. package/dist/analyzers/security/types.d.ts.map +1 -1
  120. package/dist/analyzers/tests/detailed.d.ts.map +1 -1
  121. package/dist/analyzers/tests/detailed.js +2 -3
  122. package/dist/analyzers/tests/detailed.js.map +1 -1
  123. package/dist/analyzers/tests/gather.d.ts +2 -1
  124. package/dist/analyzers/tests/gather.d.ts.map +1 -1
  125. package/dist/analyzers/tests/gather.js +98 -69
  126. package/dist/analyzers/tests/gather.js.map +1 -1
  127. package/dist/analyzers/tests/index.d.ts +11 -2
  128. package/dist/analyzers/tests/index.d.ts.map +1 -1
  129. package/dist/analyzers/tests/index.js +83 -18
  130. package/dist/analyzers/tests/index.js.map +1 -1
  131. package/dist/analyzers/tests/shallow.d.ts +19 -5
  132. package/dist/analyzers/tests/shallow.d.ts.map +1 -1
  133. package/dist/analyzers/tests/shallow.js +89 -2
  134. package/dist/analyzers/tests/shallow.js.map +1 -1
  135. package/dist/analyzers/tests/types.d.ts +41 -1
  136. package/dist/analyzers/tests/types.d.ts.map +1 -1
  137. package/dist/analyzers/tools/autogen-header.d.ts +8 -0
  138. package/dist/analyzers/tools/autogen-header.d.ts.map +1 -0
  139. package/dist/analyzers/tools/autogen-header.js +107 -0
  140. package/dist/analyzers/tools/autogen-header.js.map +1 -0
  141. package/dist/analyzers/tools/cloc.d.ts.map +1 -1
  142. package/dist/analyzers/tools/cloc.js +36 -5
  143. package/dist/analyzers/tools/cloc.js.map +1 -1
  144. package/dist/analyzers/tools/debug-statements.d.ts +17 -0
  145. package/dist/analyzers/tools/debug-statements.d.ts.map +1 -0
  146. package/dist/analyzers/tools/debug-statements.js +58 -0
  147. package/dist/analyzers/tools/debug-statements.js.map +1 -0
  148. package/dist/analyzers/tools/default-exclusions.gitignore +28 -0
  149. package/dist/analyzers/tools/exclusions.d.ts +33 -6
  150. package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
  151. package/dist/analyzers/tools/exclusions.js +95 -26
  152. package/dist/analyzers/tools/exclusions.js.map +1 -1
  153. package/dist/analyzers/tools/generic.d.ts +17 -2
  154. package/dist/analyzers/tools/generic.d.ts.map +1 -1
  155. package/dist/analyzers/tools/generic.js +206 -109
  156. package/dist/analyzers/tools/generic.js.map +1 -1
  157. package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
  158. package/dist/analyzers/tools/gitleaks.js +48 -1
  159. package/dist/analyzers/tools/gitleaks.js.map +1 -1
  160. package/dist/analyzers/tools/graphify.d.ts +30 -2
  161. package/dist/analyzers/tools/graphify.d.ts.map +1 -1
  162. package/dist/analyzers/tools/graphify.js +131 -15
  163. package/dist/analyzers/tools/graphify.js.map +1 -1
  164. package/dist/analyzers/tools/jscpd.d.ts +12 -2
  165. package/dist/analyzers/tools/jscpd.d.ts.map +1 -1
  166. package/dist/analyzers/tools/jscpd.js +129 -6
  167. package/dist/analyzers/tools/jscpd.js.map +1 -1
  168. package/dist/analyzers/tools/minified-detection.d.ts +9 -0
  169. package/dist/analyzers/tools/minified-detection.d.ts.map +1 -0
  170. package/dist/analyzers/tools/minified-detection.js +147 -0
  171. package/dist/analyzers/tools/minified-detection.js.map +1 -0
  172. package/dist/analyzers/tools/nuget-package-reference.d.ts +131 -0
  173. package/dist/analyzers/tools/nuget-package-reference.d.ts.map +1 -0
  174. package/dist/analyzers/tools/nuget-package-reference.js +175 -0
  175. package/dist/analyzers/tools/nuget-package-reference.js.map +1 -0
  176. package/dist/analyzers/tools/osv-scanner-deps.d.ts +3 -2
  177. package/dist/analyzers/tools/osv-scanner-deps.d.ts.map +1 -1
  178. package/dist/analyzers/tools/osv-scanner-deps.js +32 -14
  179. package/dist/analyzers/tools/osv-scanner-deps.js.map +1 -1
  180. package/dist/analyzers/tools/osv.d.ts +36 -0
  181. package/dist/analyzers/tools/osv.d.ts.map +1 -1
  182. package/dist/analyzers/tools/osv.js +26 -0
  183. package/dist/analyzers/tools/osv.js.map +1 -1
  184. package/dist/analyzers/tools/parallel.d.ts +1 -1
  185. package/dist/analyzers/tools/parallel.d.ts.map +1 -1
  186. package/dist/analyzers/tools/parallel.js +2 -2
  187. package/dist/analyzers/tools/parallel.js.map +1 -1
  188. package/dist/analyzers/tools/risk-score.d.ts +7 -0
  189. package/dist/analyzers/tools/risk-score.d.ts.map +1 -1
  190. package/dist/analyzers/tools/risk-score.js +9 -2
  191. package/dist/analyzers/tools/risk-score.js.map +1 -1
  192. package/dist/analyzers/tools/run-tests-helper.d.ts +43 -0
  193. package/dist/analyzers/tools/run-tests-helper.d.ts.map +1 -0
  194. package/dist/analyzers/tools/run-tests-helper.js +156 -0
  195. package/dist/analyzers/tools/run-tests-helper.js.map +1 -0
  196. package/dist/analyzers/tools/runner.d.ts.map +1 -1
  197. package/dist/analyzers/tools/runner.js +75 -12
  198. package/dist/analyzers/tools/runner.js.map +1 -1
  199. package/dist/analyzers/tools/semgrep.d.ts +39 -2
  200. package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
  201. package/dist/analyzers/tools/semgrep.js +131 -9
  202. package/dist/analyzers/tools/semgrep.js.map +1 -1
  203. package/dist/analyzers/tools/timing.d.ts +17 -3
  204. package/dist/analyzers/tools/timing.d.ts.map +1 -1
  205. package/dist/analyzers/tools/timing.js +36 -14
  206. package/dist/analyzers/tools/timing.js.map +1 -1
  207. package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
  208. package/dist/analyzers/tools/tool-registry.js +11 -1
  209. package/dist/analyzers/tools/tool-registry.js.map +1 -1
  210. package/dist/analyzers/tools/tools-unavailable-prose.d.ts +18 -0
  211. package/dist/analyzers/tools/tools-unavailable-prose.d.ts.map +1 -0
  212. package/dist/analyzers/tools/tools-unavailable-prose.js +69 -0
  213. package/dist/analyzers/tools/tools-unavailable-prose.js.map +1 -0
  214. package/dist/analyzers/tools/upgrade-plan-resolver.d.ts.map +1 -1
  215. package/dist/analyzers/tools/upgrade-plan-resolver.js +7 -0
  216. package/dist/analyzers/tools/upgrade-plan-resolver.js.map +1 -1
  217. package/dist/analyzers/tools/vendored-advisor.d.ts +43 -0
  218. package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -0
  219. package/dist/analyzers/tools/vendored-advisor.js +107 -0
  220. package/dist/analyzers/tools/vendored-advisor.js.map +1 -0
  221. package/dist/analyzers/tools/walk-paths.d.ts +78 -0
  222. package/dist/analyzers/tools/walk-paths.d.ts.map +1 -0
  223. package/dist/analyzers/tools/walk-paths.js +150 -0
  224. package/dist/analyzers/tools/walk-paths.js.map +1 -0
  225. package/dist/analyzers/tools/walk-source-files.d.ts +70 -0
  226. package/dist/analyzers/tools/walk-source-files.d.ts.map +1 -0
  227. package/dist/analyzers/tools/walk-source-files.js +369 -0
  228. package/dist/analyzers/tools/walk-source-files.js.map +1 -0
  229. package/dist/analyzers/types.d.ts +204 -4
  230. package/dist/analyzers/types.d.ts.map +1 -1
  231. package/dist/analyzers/xlsx/bom.d.ts.map +1 -1
  232. package/dist/analyzers/xlsx/bom.js +8 -1
  233. package/dist/analyzers/xlsx/bom.js.map +1 -1
  234. package/dist/cli.d.ts.map +1 -1
  235. package/dist/cli.js +557 -189
  236. package/dist/cli.js.map +1 -1
  237. package/dist/detect.d.ts.map +1 -1
  238. package/dist/detect.js +24 -7
  239. package/dist/detect.js.map +1 -1
  240. package/dist/doctor.d.ts.map +1 -1
  241. package/dist/doctor.js +103 -53
  242. package/dist/doctor.js.map +1 -1
  243. package/dist/languages/capabilities/provider.d.ts +130 -1
  244. package/dist/languages/capabilities/provider.d.ts.map +1 -1
  245. package/dist/languages/capabilities/types.d.ts +68 -7
  246. package/dist/languages/capabilities/types.d.ts.map +1 -1
  247. package/dist/languages/csharp.d.ts +15 -1
  248. package/dist/languages/csharp.d.ts.map +1 -1
  249. package/dist/languages/csharp.js +624 -146
  250. package/dist/languages/csharp.js.map +1 -1
  251. package/dist/languages/go.d.ts.map +1 -1
  252. package/dist/languages/go.js +89 -11
  253. package/dist/languages/go.js.map +1 -1
  254. package/dist/languages/index.d.ts +131 -2
  255. package/dist/languages/index.d.ts.map +1 -1
  256. package/dist/languages/index.js +206 -0
  257. package/dist/languages/index.js.map +1 -1
  258. package/dist/languages/java.d.ts.map +1 -1
  259. package/dist/languages/java.js +113 -26
  260. package/dist/languages/java.js.map +1 -1
  261. package/dist/languages/kotlin.d.ts.map +1 -1
  262. package/dist/languages/kotlin.js +132 -26
  263. package/dist/languages/kotlin.js.map +1 -1
  264. package/dist/languages/python.d.ts.map +1 -1
  265. package/dist/languages/python.js +149 -44
  266. package/dist/languages/python.js.map +1 -1
  267. package/dist/languages/ruby.d.ts +39 -1
  268. package/dist/languages/ruby.d.ts.map +1 -1
  269. package/dist/languages/ruby.js +178 -44
  270. package/dist/languages/ruby.js.map +1 -1
  271. package/dist/languages/rust.d.ts.map +1 -1
  272. package/dist/languages/rust.js +103 -16
  273. package/dist/languages/rust.js.map +1 -1
  274. package/dist/languages/types.d.ts +228 -5
  275. package/dist/languages/types.d.ts.map +1 -1
  276. package/dist/languages/typescript.d.ts.map +1 -1
  277. package/dist/languages/typescript.js +201 -14
  278. package/dist/languages/typescript.js.map +1 -1
  279. package/dist/scoring/dimensions/documentation.d.ts +53 -0
  280. package/dist/scoring/dimensions/documentation.d.ts.map +1 -0
  281. package/dist/scoring/dimensions/documentation.js +106 -0
  282. package/dist/scoring/dimensions/documentation.js.map +1 -0
  283. package/dist/scoring/dimensions/dx.d.ts +53 -0
  284. package/dist/scoring/dimensions/dx.d.ts.map +1 -0
  285. package/dist/scoring/dimensions/dx.js +105 -0
  286. package/dist/scoring/dimensions/dx.js.map +1 -0
  287. package/dist/scoring/dimensions/maintainability.d.ts +53 -0
  288. package/dist/scoring/dimensions/maintainability.d.ts.map +1 -0
  289. package/dist/scoring/dimensions/maintainability.js +101 -0
  290. package/dist/scoring/dimensions/maintainability.js.map +1 -0
  291. package/dist/scoring/dimensions/quality.d.ts +108 -0
  292. package/dist/scoring/dimensions/quality.d.ts.map +1 -0
  293. package/dist/scoring/dimensions/quality.js +174 -0
  294. package/dist/scoring/dimensions/quality.js.map +1 -0
  295. package/dist/scoring/dimensions/security.d.ts +84 -0
  296. package/dist/scoring/dimensions/security.d.ts.map +1 -0
  297. package/dist/scoring/dimensions/security.js +135 -0
  298. package/dist/scoring/dimensions/security.js.map +1 -0
  299. package/dist/scoring/dimensions/testing.d.ts +56 -0
  300. package/dist/scoring/dimensions/testing.d.ts.map +1 -0
  301. package/dist/scoring/dimensions/testing.js +98 -0
  302. package/dist/scoring/dimensions/testing.js.map +1 -0
  303. package/dist/scoring/evaluator.d.ts +27 -0
  304. package/dist/scoring/evaluator.d.ts.map +1 -0
  305. package/dist/scoring/evaluator.js +124 -0
  306. package/dist/scoring/evaluator.js.map +1 -0
  307. package/dist/scoring/format.d.ts +34 -0
  308. package/dist/scoring/format.d.ts.map +1 -0
  309. package/dist/scoring/format.js +63 -0
  310. package/dist/scoring/format.js.map +1 -0
  311. package/dist/scoring/index.d.ts +37 -0
  312. package/dist/scoring/index.d.ts.map +1 -0
  313. package/dist/scoring/index.js +57 -0
  314. package/dist/scoring/index.js.map +1 -0
  315. package/dist/scoring/overall.d.ts +54 -0
  316. package/dist/scoring/overall.d.ts.map +1 -0
  317. package/dist/scoring/overall.js +76 -0
  318. package/dist/scoring/overall.js.map +1 -0
  319. package/dist/scoring/result.d.ts +111 -0
  320. package/dist/scoring/result.d.ts.map +1 -0
  321. package/dist/scoring/result.js +14 -0
  322. package/dist/scoring/result.js.map +1 -0
  323. package/dist/scoring/spec.d.ts +76 -0
  324. package/dist/scoring/spec.d.ts.map +1 -0
  325. package/dist/scoring/spec.js +22 -0
  326. package/dist/scoring/spec.js.map +1 -0
  327. package/dist/scoring/thresholds.d.ts +56 -0
  328. package/dist/scoring/thresholds.d.ts.map +1 -0
  329. package/dist/scoring/thresholds.js +75 -0
  330. package/dist/scoring/thresholds.js.map +1 -0
  331. package/dist/tools-cli.d.ts.map +1 -1
  332. package/dist/tools-cli.js +21 -2
  333. package/dist/tools-cli.js.map +1 -1
  334. package/dist/types.d.ts +16 -0
  335. package/dist/types.d.ts.map +1 -1
  336. package/package.json +1 -1
  337. package/templates/.claude/commands/dashboard.md +17 -9
  338. package/dist/analyzers/scoring.d.ts +0 -49
  339. package/dist/analyzers/scoring.d.ts.map +0 -1
  340. package/dist/analyzers/scoring.js +0 -422
  341. package/dist/analyzers/scoring.js.map +0 -1
  342. package/dist/analyzers/security/scoring.d.ts +0 -29
  343. package/dist/analyzers/security/scoring.d.ts.map +0 -1
  344. package/dist/analyzers/security/scoring.js +0 -40
  345. package/dist/analyzers/security/scoring.js.map +0 -1
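--- a/package/dist/analyzers/tools/nuget-package-reference.js
+++ b/package/dist/analyzers/tools/nuget-package-reference.js
@@ -0,0 +1,175 @@
+ "use strict";
+ /**
+ * Direct `<PackageReference>` parser — D025f (2.4.7).
+ *
+ * Extracts NuGet PackageReference entries from `.csproj` XML text
+ * without invoking `dotnet restore` or any other .NET toolchain. The
+ * output feeds an ad-hoc `packages.lock.json`-shaped file that
+ * osv-scanner ingests via `--lockfile=<path>` (the file MUST be
+ * literally named `packages.lock.json` — osv-scanner v2.x detects the
+ * NuGet ecosystem by filename, not by a prefix). This closes the D036
+ * customer-outcome gap on dpl-studio (where `dotnet list package`
+ * couldn't run from a multi-project parent directory).
+ *
+ * Lives under `src/analyzers/tools/` (alongside `osv-scanner-deps.ts`,
+ * `jacoco.ts`, `npm-registry.ts`, `cvss-v4.ts`) — CLAUDE.md rule #6
+ * keeps each language pack as a single file; ecosystem-specific tool
+ * helpers consumed by one or more packs go in `analyzers/tools/`.
+ * csharp.ts imports this module the same way it already imports
+ * `osv` and `osv-scanner-deps`.
+ *
+ * Architectural rationale:
+ *
+ * D025c (Sprint A) routed the gather through `findTool(TOOL_DEFS
+ * ['dotnet-format'])` so users with `~/.dotnet/dotnet` (the
+ * Microsoft-recommended non-sudo install) got dotnet discovered.
+ * That fix was necessary but not sufficient: `dotnet list package
+ * --vulnerable` still requires an explicit `.csproj`/`.sln` in cwd,
+ * and dpl-studio's `Code/Source/Dev/Core/<Module>/<Module>.csproj`
+ * layout puts the project files 3 levels deeper than the natural
+ * `dxkit vulnerabilities Code/Source/` cwd.
+ *
+ * D025f sidesteps the dotnet CLI entirely. We walk every `.csproj`
+ * reachable from cwd (depth 5, matching csharp.detect()), parse
+ * each, and feed the union to osv-scanner via a synthetic lockfile.
+ * Cross-platform — `net9.0-windows` targets that won't restore on
+ * Linux/Mac still get scanned.
+ *
+ * Trade-off: this catches DIRECT PackageReferences only. Transitive
+ * deps (resolved by NuGet's dep graph from each direct ref's own
+ * dependencies) are NOT visible without a populated
+ * `project.assets.json`. Industry studies put ~80% of typical
+ * .NET CVE surface on direct refs; the remaining ~20% (transitives)
+ * land cleanly when `dotnet restore` is available and the
+ * dotnet-path-resolved D025c codepath runs.
+ *
+ * Shared with D031: the licenses degraded-inventory fallback uses the
+ * same parser to produce a "133 packages identified; license info
+ * unavailable" rendering when `nuget-license` isn't installed.
+ *
+ * Pure function. No I/O. Tested via a fixture suite of representative
+ * .csproj shapes (attribute-form, element-form, Central Package
+ * Management, conditional `<ItemGroup>` blocks).
+ */
+ Object.defineProperty(exports, "__esModule", { value: true });
+ exports.parseCsprojPackageReferences = parseCsprojPackageReferences;
+ exports.buildNugetAdhocLockfile = buildNugetAdhocLockfile;
+ /**
+ * Match shapes (in priority order):
+ *
+ * 1. `<PackageReference Include="Foo" Version="1.0.0" />` — most
+ * common; attributes can appear in any order (also matched
+ * `Version="1.0.0" Include="Foo"`).
+ * 2. `<PackageReference Include="Foo"><Version>1.0.0</Version>
+ * </PackageReference>` — element-form, equivalent semantics;
+ * common in repos that prefer multiline configs or use child
+ * elements for `<PrivateAssets>`/`<IncludeAssets>` siblings.
+ * 3. `<PackageReference Include="Foo" />` WITHOUT Version — Central
+ * Package Management (CPM): the version comes from a separate
+ * `Directory.Packages.props` file. Skipped here; the CPM-aware
+ * pass (a future enhancement) would resolve them.
+ *
+ * Skipped shapes:
+ *
+ * - `<PackageReference Update="Foo" Version="..." />` — CPM
+ * override syntax for transitive pins; NOT a direct reference.
+ * - `<GlobalPackageReference ... />` — CPM-only; pins all projects.
+ * Not a direct reference of this csproj.
+ * - Comments / CDATA — best-effort; the regex is generous and
+ * can theoretically match `<!-- <PackageReference ... -->`
+ * comments; users with literal PackageReference strings inside
+ * comments would get false positives. Acceptable: pathological
+ * case, and osv-scanner won't surface advisories for non-real
+ * packages, so the worst case is a wasted scan entry.
+ */
+ function parseCsprojPackageReferences(xml) {
+ const out = [];
+ const seen = new Set(); // dedupe `${name}@${version}` within a single .csproj
+ // Form 1 (attribute-form): two attribute orderings.
+ // Match Include="X" ... Version="Y"
+ const attrIncludeFirstRe = /<PackageReference\s+[^>]*\bInclude\s*=\s*"([^"]+)"[^>]*\bVersion\s*=\s*"([^"]+)"[^>]*\/?>/gi;
+ // Match Version="Y" ... Include="X"
+ const attrVersionFirstRe = /<PackageReference\s+[^>]*\bVersion\s*=\s*"([^"]+)"[^>]*\bInclude\s*=\s*"([^"]+)"[^>]*\/?>/gi;
+ let m;
+ while ((m = attrIncludeFirstRe.exec(xml)) !== null) {
+ pushEntry(out, seen, m[1], m[2]);
+ }
+ while ((m = attrVersionFirstRe.exec(xml)) !== null) {
+ pushEntry(out, seen, m[2], m[1]);
+ }
+ // Form 2 (element-form): <PackageReference Include="X"><Version>Y</Version>...</PackageReference>
+ // The element form spans multiple lines; the regex is multi-line aware.
+ const elementFormRe = /<PackageReference\s+[^>]*\bInclude\s*=\s*"([^"]+)"[^>]*>[\s\S]*?<Version>\s*([^<\s]+)\s*<\/Version>[\s\S]*?<\/PackageReference>/gi;
+ while ((m = elementFormRe.exec(xml)) !== null) {
+ pushEntry(out, seen, m[1], m[2]);
+ }
+ return out;
+ }
+ function pushEntry(out, seen, rawName, rawVersion) {
+ const name = rawName.trim();
+ const version = rawVersion.trim();
+ if (!name || !version)
+ return;
+ const key = `${name}@${version}`;
+ if (seen.has(key))
+ return;
+ seen.add(key);
+ out.push({ name, version });
+ }
+ /**
+ * Generate the body of an ad-hoc `packages.lock.json` that osv-scanner
+ * v2.x reads via `--lockfile=<path>` (caller MUST write this content to
+ * a file literally named `packages.lock.json` — osv-scanner detects
+ * ecosystem by filename). The schema matches NuGet's native
+ * `dotnet restore`-produced lockfile (which osv-scanner already
+ * supports natively), simplified to the minimum osv-scanner consults
+ * for vulnerability matching:
+ *
+ * {
+ * "version": 1,
+ * "dependencies": {
+ * "net0.0": {
+ * "<Pkg>": {
+ * "type": "Direct",
+ * "resolved": "<Version>",
+ * "requested": "[<Version>, )"
+ * }
+ * }
+ * }
+ * }
+ *
+ * - `"version": 1` matches `dotnet restore`'s lockfile schema version.
+ * - `"net0.0"` is a placeholder framework moniker — osv-scanner reads
+ * the package map without validating the framework key, so any
+ * non-empty string works. We use a non-real moniker so it can't be
+ * confused with a real target framework in downstream debugging.
+ * - `type: "Direct"` truthfully reflects that we ONLY parsed direct
+ * references. Transitive vulns are out of scope for this path
+ * (covered by D025c's `dotnet list` codepath when available).
+ * - `requested` is a NuGet version range; we use a single-anchored
+ * `[V, )` form so the lockfile is valid even though the real
+ * `.csproj` might have been a pinned single version.
+ *
+ * Returns a JSON-stringified string suitable for writing to a temp
+ * file. Callers should clean up the temp file after osv-scanner
+ * consumes it.
+ */
+ function buildNugetAdhocLockfile(entries) {
+ const dependencies = { 'net0.0': {} };
+ for (const entry of entries) {
+ // If the same package appears in multiple .csproj files at different
+ // versions, last-write-wins per the lockfile shape (it's one entry
+ // per package name within a framework). osv-scanner will scan
+ // whichever version we stamped; the cross-csproj merging trade-off
+ // is documented at the caller. For dpl-studio scale (~74 csprojs)
+ // collisions are common but typically converge on a single resolved
+ // version per the repo's dependency hygiene practices.
+ dependencies['net0.0'][entry.name] = {
+ type: 'Direct',
+ resolved: entry.version,
+ requested: `[${entry.version}, )`,
+ };
+ }
+ return JSON.stringify({ version: 1, dependencies }, null, 2);
+ }
+ //# sourceMappingURL=nuget-package-reference.js.map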
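Review bot: `elementFormRe` in `parseCsprojPackageReferences` can pair one package's name with another package's version, because its opening-tag part `[^>]*>` also accepts a self-closing tag and the lazy `[\s\S]*?` then runs on to the next `<Version>` anywhere later in the file. A `<PackageReference Include="A" />` (the CPM shape the header comment says is skipped) followed by an element-form reference to B is recorded as A at B's version, and B itself is never recorded because the match consumes its element. Since `buildNugetAdhocLockfile` keeps the last version written per package name, the synthetic lockfile can hand osv-scanner a wrong version and the scan can under-report advisories without any error. I would reject self-closing openers and stop the span at the next reference boundary, e.g. `[^>]*(?<!\/)>(?:(?!<\/?PackageReference\b)[\s\S])*?<Version>` in place of `[^>]*>[\s\S]*?<Version>`, and add a fixture that mixes the three forms in one `.csproj`.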
@@ -0,0 +1 @@
1
+ {"version":3,"file":"nuget-package-reference.js","sourceRoot":"","sources":["../../../src/analyzers/tools/nuget-package-reference.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmDG;;AAyCH,oEA6BC;AAuDD,0DAiBC;AAjID;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,SAAgB,4BAA4B,CAAC,GAAW;IACtD,MAAM,GAAG,GAA4B,EAAE,CAAC;IACxC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC,CAAC,sDAAsD;IAEtF,oDAAoD;IACpD,oCAAoC;IACpC,MAAM,kBAAkB,GACtB,6FAA6F,CAAC;IAChG,oCAAoC;IACpC,MAAM,kBAAkB,GACtB,6FAA6F,CAAC;IAEhG,IAAI,CAAyB,CAAC;IAC9B,OAAO,CAAC,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACnD,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,CAAC,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACnD,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;IAED,kGAAkG;IAClG,wEAAwE;IACxE,MAAM,aAAa,GACjB,mIAAmI,CAAC;IACtI,OAAO,CAAC,CAAC,GAAG,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC9C,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,SAAS,CAChB,GAA4B,EAC5B,IAAiB,EACjB,OAAe,EACf,UAAkB;IAElB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC5B,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;IAClC,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO;QAAE,OAAO;IAC9B,MAAM,GAAG,GAAG,GAAG,IAAI,IAAI,OAAO,EAAE,CAAC;IACjC,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO;IAC1B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACd,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;AAC9B,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,SAAgB,uBAAuB,CAAC,OAA6C;IACnF,MAAM,YAAY,GAA4C,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;IAC/E,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,qEAAqE;QACrE,mEAAmE;QACnE,8DAA8D;QAC9D,mEAAmE;QACnE,kEAAkE;QAClE,oEAAoE;QACpE,uDAAuD;QACvD,YAAY,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG;YACnC,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,KAAK,CAAC,OAAO;YACvB,SAAS,EAAE,IAAI,KAAK,CAAC,OAAO,KAAK;SAClC
,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AAC/D,CAAC"}
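--- a/package/dist/analyzers/tools/osv-scanner-deps.d.ts
+++ b/package/dist/analyzers/tools/osv-scanner-deps.d.ts
@@ -1,4 +1,5 @@
  import type { DepVulnFinding, DepVulnGatherOutcome, SeverityCounts } from '../../languages/capabilities/types';
+ import type { LanguageId } from '../../types';
  /**
  * Pure parser for osv-scanner v2.x JSON output, scoped to a single
  * ecosystem. Other ecosystems are filtered out so polyglot repos
@@ -12,7 +13,7 @@ import type { DepVulnFinding, DepVulnGatherOutcome, SeverityCounts } from '../..
  * Returns counts + findings + the raw OSV vuln records for downstream
  * CVSS resolution. Exported for unit tests.
  */
- export declare function parseOsvScannerFindings(raw: string, ecosystem: string): {
+ export declare function parseOsvScannerFindings(raw: string, ecosystem: string, packId?: LanguageId): {
  counts: SeverityCounts;
  findings: DepVulnFinding[];
  vulnsForCvss: Array<{
@@ -43,5 +44,5 @@ export declare function parseOsvScannerFindings(raw: string, ecosystem: string):
  * `database_specific.severity` strings. resolveCvssScores looks up
  * via CVE alias when the primary record lacks a vector.
  */
- export declare function gatherOsvScannerDepVulnsResult(cwd: string, source: string, ecosystem: string, manifestCandidates: string[]): Promise<DepVulnGatherOutcome>;
+ export declare function gatherOsvScannerDepVulnsResult(cwd: string, packId: LanguageId, ecosystem: string, manifestCandidates: string[]): Promise<DepVulnGatherOutcome>;
  //# sourceMappingURL=osv-scanner-deps.d.ts.map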
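Review bot: The new optional `packId?: LanguageId` on `parseOsvScannerFindings` is not described in the part of its doc comment visible in these hunks, so a reader cannot tell how the returned findings differ when it is omitted; the comment's middle lines lie outside the hunks, so this may already be covered there. If it is not, add a line such as `@param packId - optional language pack id; state what the findings carry when it is omitted`. Separately, `gatherOsvScannerDepVulnsResult` now takes `packId: LanguageId` where it took `source: string`, which narrows an exported signature in a patch release and probably deserves a changelog line for external callers.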
@@ -1 +1 @@
1
- {"version":3,"file":"osv-scanner-deps.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/osv-scanner-deps.ts"],"names":[],"mappings":"AA8BA,OAAO,KAAK,EACV,cAAc,EACd,oBAAoB,EAEpB,cAAc,EACf,MAAM,oCAAoC,CAAC;AAiB5C;;;;;;;;;;;;GAYG;AACH,wBAAgB,uBAAuB,CACrC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,GAChB;IACD,MAAM,EAAE,cAAc,CAAC;IACvB,QAAQ,EAAE,cAAc,EAAE,CAAC;IAC3B,YAAY,EAAE,KAAK,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;CAC5F,CAiEA;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,8BAA8B,CAClD,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EACjB,kBAAkB,EAAE,MAAM,EAAE,GAC3B,OAAO,CAAC,oBAAoB,CAAC,CA4C/B"}
1
+ {"version":3,"file":"osv-scanner-deps.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/osv-scanner-deps.ts"],"names":[],"mappings":"AAoCA,OAAO,KAAK,EACV,cAAc,EACd,oBAAoB,EAEpB,cAAc,EACf,MAAM,oCAAoC,CAAC;AAC5C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAiB9C;;;;;;;;;;;;GAYG;AACH,wBAAgB,uBAAuB,CACrC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,UAAU,GAClB;IACD,MAAM,EAAE,cAAc,CAAC;IACvB,QAAQ,EAAE,cAAc,EAAE,CAAC;IAC3B,YAAY,EAAE,KAAK,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;CAC5F,CA8EA;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,8BAA8B,CAClD,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,UAAU,EAClB,SAAS,EAAE,MAAM,EACjB,kBAAkB,EAAE,MAAM,EAAE,GAC3B,OAAO,CAAC,oBAAoB,CAAC,CAiD/B"}
@@ -45,7 +45,7 @@ const tool_registry_1 = require("./tool-registry");
45
45
  * Returns counts + findings + the raw OSV vuln records for downstream
46
46
  * CVSS resolution. Exported for unit tests.
47
47
  */
48
- function parseOsvScannerFindings(raw, ecosystem) {
48
+ function parseOsvScannerFindings(raw, ecosystem, packId) {
49
49
  const counts = { critical: 0, high: 0, medium: 0, low: 0 };
50
50
  const findings = [];
51
51
  const vulnsForCvss = [];
@@ -87,12 +87,27 @@ function parseOsvScannerFindings(raw, ecosystem) {
87
87
  tool: 'osv-scanner',
88
88
  severity: tier,
89
89
  };
90
+ // G_v4_4 (2.4.7): stamp the producing pack so `buildUpgradeCommand`
91
+ // can dispatch to the right `LanguageSupport.upgradeCommand` without
92
+ // a hardcoded switch on `tool`. Caller passes the pack id; absent
93
+ // (`undefined`) only on legacy paths we haven't migrated yet.
94
+ if (packId)
95
+ finding.packId = packId;
90
96
  if (cvss !== null)
91
97
  finding.cvssScore = cvss;
92
98
  if (aliases.length > 0)
93
99
  finding.aliases = aliases;
94
100
  if (vuln.summary)
95
101
  finding.summary = vuln.summary;
102
+ // D042: surface the patch version when OSV's `affected[].
103
+ // ranges[].events[].fixed` is populated. This is the customer's
104
+ // actionable next-step (e.g. "upgrade Newtonsoft.Json from
105
+ // 9.0.1 to 13.0.1 to clear GHSA-5crp-9r3c-p9vr"). Pre-D042 the
106
+ // standalone scan rendered `Fix: —` for every osv-scanner-
107
+ // sourced finding because this field went unread.
108
+ const fixVersion = (0, osv_1.extractOsvFixVersion)(vuln);
109
+ if (fixVersion)
110
+ finding.fixedVersion = fixVersion;
96
111
  // OSV.dev hosts a canonical page per id — synthesize when the
97
112
  // record's `references[]` is empty, otherwise keep the
98
113
  // tool-supplied URLs.
@@ -132,7 +147,7 @@ function parseOsvScannerFindings(raw, ecosystem) {
132
147
  * `database_specific.severity` strings. resolveCvssScores looks up
133
148
  * via CVE alias when the primary record lacks a vector.
134
149
  */
135
- async function gatherOsvScannerDepVulnsResult(cwd, source, ecosystem, manifestCandidates) {
150
+ async function gatherOsvScannerDepVulnsResult(cwd, packId, ecosystem, manifestCandidates) {
136
151
  let manifest = null;
137
152
  for (const rel of manifestCandidates) {
138
153
  if ((0, runner_1.fileExists)(cwd, rel)) {
@@ -140,15 +155,20 @@ async function gatherOsvScannerDepVulnsResult(cwd, source, ecosystem, manifestCa
140
155
  break;
141
156
  }
142
157
  }
143
- if (!manifest)
144
- return { kind: 'tool-missing' };
158
+ if (!manifest) {
159
+ return {
160
+ kind: 'no-manifest',
161
+ reason: `no lockfile found (looked for: ${manifestCandidates.join(', ')})`,
162
+ };
163
+ }
145
164
  const scanner = (0, tool_registry_1.findTool)(tool_registry_1.TOOL_DEFS['osv-scanner'], cwd);
146
- if (!scanner.available || !scanner.path)
147
- return { kind: 'tool-missing' };
165
+ if (!scanner.available || !scanner.path) {
166
+ return { kind: 'unavailable', reason: 'osv-scanner not installed' };
167
+ }
148
168
  const raw = (0, runner_1.run)(`${scanner.path} scan source --lockfile ${manifest} --format json 2>/dev/null`, cwd, 180000);
149
169
  if (!raw)
150
- return { kind: 'no-output' };
151
- const { counts, findings, vulnsForCvss } = parseOsvScannerFindings(raw, ecosystem);
170
+ return { kind: 'unavailable', reason: 'osv-scanner produced no output' };
171
+ const { counts, findings, vulnsForCvss } = parseOsvScannerFindings(raw, ecosystem, packId);
152
172
  if (findings.length > 0) {
153
173
  const resolved = await (0, osv_1.resolveCvssScores)(vulnsForCvss);
154
174
  for (const f of findings) {
@@ -164,12 +184,10 @@ async function gatherOsvScannerDepVulnsResult(cwd, source, ecosystem, manifestCa
164
184
  counts,
165
185
  findings,
166
186
  };
167
- // Note: `source` is unused at the envelope level today — DepVulnResult
168
- // carries `tool: 'osv-scanner'` as the producer attribution. Reserved
169
- // for a future enhancement that distinguishes per-pack provenance
170
- // (e.g., when both kotlin and java packs run on a mixed monorepo and
171
- // we want to attribute findings to the originating pack).
172
- void source;
187
+ // G_v4_4 (2.4.7): `packId` is forwarded into `parseOsvScannerFindings`
188
+ // so each finding carries the producing pack, which `buildUpgradeCommand`
189
+ // dispatches on. Envelope-level `tool: 'osv-scanner'` stays as the
190
+ // tool-attribution string used in `toolsUsed`.
173
191
  return { kind: 'success', envelope };
174
192
  }
175
193
  //# sourceMappingURL=osv-scanner-deps.js.map
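Review bot: The two new `kind: 'unavailable'` returns in `gatherOsvScannerDepVulnsResult` leave "osv-scanner not installed" and "the scan ran but returned nothing" distinguishable only by the free-text `reason`. The second case cannot say why it failed, because the command on the line above it discards stderr with `2>/dev/null`. A timeout, a crash or a rejected lockfile therefore looks the same as a tool that was never installed to any consumer that branches on `kind`, and a report with no dependency findings may be read as clean. If the `DepVulnGatherOutcome` union allows it, keep a separate kind for the failed run; otherwise make the reason explicit, e.g. `return { kind: 'unavailable', reason: 'osv-scanner ran but produced no output (timeout, crash or unreadable lockfile)' };`. Parts of the function lie between the hunks shown, so how callers treat `unavailable` is not visible here.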
@@ -1 +1 @@
1
- {"version":3,"file":"osv-scanner-deps.js","sourceRoot":"","sources":["../../../src/analyzers/tools/osv-scanner-deps.ts"],"names":[],"mappings":";;AAiEA,0DAwEC;AAwBD,wEAiDC;AAlND;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,+BAAkG;AAClG,qCAA2C;AAC3C,mDAAsD;AAuBtD;;;;;;;;;;;;GAYG;AACH,SAAgB,uBAAuB,CACrC,GAAW,EACX,SAAiB;IAMjB,MAAM,MAAM,GAAmB,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC3E,MAAM,QAAQ,GAAqB,EAAE,CAAC;IACtC,MAAM,YAAY,GAIb,EAAE,CAAC;IACR,IAAI,IAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;IAC5C,CAAC;IACD,oEAAoE;IACpE,sEAAsE;IACtE,oEAAoE;IACpE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC;QACxC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;YACxC,IAAI,GAAG,CAAC,OAAO,EAAE,SAAS,KAAK,SAAS;gBAAE,SAAS;YACnD,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,SAAS,CAAC;YAC9C,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;YACvC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,eAAe,IAAI,EAAE,EAAE,CAAC;gBAC7C,IAAI,CAAC,IAAI,CAAC,EAAE;oBAAE,SAAS;gBACvB,MAAM,QAAQ,GAAG,GAAG,OAAO,KAAK,UAAU,IAAI,EAAE,KAAK,IAAI,CAAC,EAAE,EAAE,CAAC;gBAC/D,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBACjC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBAEnB,MAAM,GAAG,GAAG,IAAA,yBAAmB,EAAC,IAAI,CAAC,CAAC;gBACtC,MAAM,IAAI,GACR,GAAG,KAAK,UAAU,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,KAAK;oBACvE,CAAC,CAAC,GAAG;oBACL,CAAC,CAAC,QAAQ,CAAC;gBACf,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBAEf,MAAM,IAAI,GAAG,IAAA,yBAAmB,EAAC,IAAI,CAAC,CAAC;gBACvC,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBACtE,MAAM,OAAO,GAAmB;oBAC9B,EAAE,EAAE,IAAI,CAAC,EAAE;oBACX,OAAO,EAAE,OAAO;oBAChB,gBAAgB,EAAE,UAAU;oBAC5B,IAAI,EAAE,aAAa;oBACnB,QAAQ,EAAE,IAAI;iBACf,CAAC;gBACF,IAAI,IAAI,KAAK,IAAI;oBAAE,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;gBAC5C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;oBA
AE,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC;gBAClD,IAAI,IAAI,CAAC,OAAO;oBAAE,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;gBACjD,8DAA8D;gBAC9D,uDAAuD;gBACvD,sBAAsB;gBACtB,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC1F,OAAO,CAAC,UAAU;oBAChB,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,iCAAiC,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC9E,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAEvB,YAAY,CAAC,IAAI,CAAC;oBAChB,SAAS,EAAE,IAAI,CAAC,EAAE;oBAClB,YAAY,EAAE,IAAI;oBAClB,OAAO;iBACR,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;AAC5C,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACI,KAAK,UAAU,8BAA8B,CAClD,GAAW,EACX,MAAc,EACd,SAAiB,EACjB,kBAA4B;IAE5B,IAAI,QAAQ,GAAkB,IAAI,CAAC;IACnC,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;QACrC,IAAI,IAAA,mBAAU,EAAC,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;YACzB,QAAQ,GAAG,GAAG,CAAC;YACf,MAAM;QACR,CAAC;IACH,CAAC;IACD,IAAI,CAAC,QAAQ;QAAE,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;IAE/C,MAAM,OAAO,GAAG,IAAA,wBAAQ,EAAC,yBAAS,CAAC,aAAa,CAAC,EAAE,GAAG,CAAC,CAAC;IACxD,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,IAAI;QAAE,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;IAEzE,MAAM,GAAG,GAAG,IAAA,YAAG,EACb,GAAG,OAAO,CAAC,IAAI,2BAA2B,QAAQ,4BAA4B,EAC9E,GAAG,EACH,MAAM,CACP,CAAC;IACF,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;IAEvC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,uBAAuB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAEnF,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,QAAQ,GAAG,MAAM,IAAA,uBAAiB,EAAC,YAAY,CAAC,CAAC;QACvD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACjC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS;gBAAE,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC;QACjE,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,aAAa,EAAE,CAAC;QAChB,IAAI,EAAE,aAAa;QACnB,UAAU,EAAE,SAAS;QACrB,MAAM;QACN,QAAQ;KACT,CAAC;IACF,uEAAuE;IACvE,sEAAsE;IACtE,kEAAkE;IAClE,qEAAqE;IACrE,0DAA0D;IAC1D,KAAK,MAAM,CAAC;IACZ,OAAO
,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AACvC,CAAC"}
1
+ {"version":3,"file":"osv-scanner-deps.js","sourceRoot":"","sources":["../../../src/analyzers/tools/osv-scanner-deps.ts"],"names":[],"mappings":";;AAwEA,0DAsFC;AAwBD,wEAsDC;AA5OD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,+BAMe;AACf,qCAA2C;AAC3C,mDAAsD;AAwBtD;;;;;;;;;;;;GAYG;AACH,SAAgB,uBAAuB,CACrC,GAAW,EACX,SAAiB,EACjB,MAAmB;IAMnB,MAAM,MAAM,GAAmB,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC3E,MAAM,QAAQ,GAAqB,EAAE,CAAC;IACtC,MAAM,YAAY,GAIb,EAAE,CAAC;IACR,IAAI,IAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;IAC5C,CAAC;IACD,oEAAoE;IACpE,sEAAsE;IACtE,oEAAoE;IACpE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC;QACxC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;YACxC,IAAI,GAAG,CAAC,OAAO,EAAE,SAAS,KAAK,SAAS;gBAAE,SAAS;YACnD,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,SAAS,CAAC;YAC9C,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;YACvC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,eAAe,IAAI,EAAE,EAAE,CAAC;gBAC7C,IAAI,CAAC,IAAI,CAAC,EAAE;oBAAE,SAAS;gBACvB,MAAM,QAAQ,GAAG,GAAG,OAAO,KAAK,UAAU,IAAI,EAAE,KAAK,IAAI,CAAC,EAAE,EAAE,CAAC;gBAC/D,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBACjC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBAEnB,MAAM,GAAG,GAAG,IAAA,yBAAmB,EAAC,IAAI,CAAC,CAAC;gBACtC,MAAM,IAAI,GACR,GAAG,KAAK,UAAU,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,KAAK;oBACvE,CAAC,CAAC,GAAG;oBACL,CAAC,CAAC,QAAQ,CAAC;gBACf,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBAEf,MAAM,IAAI,GAAG,IAAA,yBAAmB,EAAC,IAAI,CAAC,CAAC;gBACvC,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBACtE,MAAM,OAAO,GAAmB;oBAC9B,EAAE,EAAE,IAAI,CAAC,EAAE;oBACX,OAAO,EAAE,OAAO;oBAChB,gBAAgB,EAAE,UAAU;oBAC5B,IAAI,EAAE,aAAa;oBACnB,QAAQ,EAAE,IAAI;iBACf,CAAC;gBACF,oEAAoE;gBACpE,qEAAqE;gBACrE,kEAAkE;gBAClE,8DAA8D;gBAC9D,IAAI,MAAM;oBAAE,OAAO,CAAC,MAAM
,GAAG,MAAM,CAAC;gBACpC,IAAI,IAAI,KAAK,IAAI;oBAAE,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;gBAC5C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;oBAAE,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC;gBAClD,IAAI,IAAI,CAAC,OAAO;oBAAE,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;gBACjD,0DAA0D;gBAC1D,gEAAgE;gBAChE,2DAA2D;gBAC3D,+DAA+D;gBAC/D,2DAA2D;gBAC3D,kDAAkD;gBAClD,MAAM,UAAU,GAAG,IAAA,0BAAoB,EAAC,IAAI,CAAC,CAAC;gBAC9C,IAAI,UAAU;oBAAE,OAAO,CAAC,YAAY,GAAG,UAAU,CAAC;gBAClD,8DAA8D;gBAC9D,uDAAuD;gBACvD,sBAAsB;gBACtB,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC1F,OAAO,CAAC,UAAU;oBAChB,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,iCAAiC,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC9E,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAEvB,YAAY,CAAC,IAAI,CAAC;oBAChB,SAAS,EAAE,IAAI,CAAC,EAAE;oBAClB,YAAY,EAAE,IAAI;oBAClB,OAAO;iBACR,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;AAC5C,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACI,KAAK,UAAU,8BAA8B,CAClD,GAAW,EACX,MAAkB,EAClB,SAAiB,EACjB,kBAA4B;IAE5B,IAAI,QAAQ,GAAkB,IAAI,CAAC;IACnC,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;QACrC,IAAI,IAAA,mBAAU,EAAC,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;YACzB,QAAQ,GAAG,GAAG,CAAC;YACf,MAAM;QACR,CAAC;IACH,CAAC;IACD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO;YACL,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,kCAAkC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;SAC3E,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,IAAA,wBAAQ,EAAC,yBAAS,CAAC,aAAa,CAAC,EAAE,GAAG,CAAC,CAAC;IACxD,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACxC,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC;IACtE,CAAC;IAED,MAAM,GAAG,GAAG,IAAA,YAAG,EACb,GAAG,OAAO,CAAC,IAAI,2BAA2B,QAAQ,4BAA4B,EAC9E,GAAG,EACH,MAAM,CACP,CAAC;IACF,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,gCAAgC,EAAE,CAAC;IAEnF,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,uBAAuB,CAAC,GAAG,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IAE3F,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM
,QAAQ,GAAG,MAAM,IAAA,uBAAiB,EAAC,YAAY,CAAC,CAAC;QACvD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACjC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS;gBAAE,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC;QACjE,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,aAAa,EAAE,CAAC;QAChB,IAAI,EAAE,aAAa;QACnB,UAAU,EAAE,SAAS;QACrB,MAAM;QACN,QAAQ;KACT,CAAC;IACF,uEAAuE;IACvE,0EAA0E;IAC1E,mEAAmE;IACnE,+CAA+C;IAC/C,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AACvC,CAAC"}
@@ -25,6 +25,27 @@ export interface OsvVuln {
25
25
  type: string;
26
26
  score: string;
27
27
  }>;
28
+ /**
29
+ * D042 (2.4.7): OSV records expose patch-version info via
30
+ * `affected[].ranges[].events[]`. Each range describes one
31
+ * affected version interval with bounding events:
32
+ * `{"introduced": "0.0.0"}` (or `"introduced": "X.Y.Z"`)
33
+ * `{"fixed": "X.Y.Z"}` ← patch-available signal
34
+ * `{"limit": "X.Y.Z"}` ← exclusion upper bound
35
+ *
36
+ * We extract the first non-empty `fixed` event as the
37
+ * `fixedVersion` recommendation for the customer's upgrade
38
+ * path. Pre-D042 this field was unread; both csharp/kotlin/
39
+ * java/ruby's osv-scanner findings rendered `Fix: —`.
40
+ */
41
+ ranges?: Array<{
42
+ type?: string;
43
+ events?: Array<{
44
+ introduced?: string;
45
+ fixed?: string;
46
+ limit?: string;
47
+ }>;
48
+ }>;
28
49
  }>;
29
50
  aliases?: string[];
30
51
  summary?: string;
@@ -34,6 +55,21 @@ export interface OsvVuln {
34
55
  url: string;
35
56
  }>;
36
57
  }
58
+ /**
59
+ * Extract the patch-available version from an OSV record (D042). Walks
60
+ * `affected[].ranges[].events[]` in document order and returns the
61
+ * first non-empty `fixed` event. Multiple `fixed` events can exist
62
+ * when the advisory covers multiple version branches (e.g., a
63
+ * vulnerability backported across 1.x and 2.x lines); the first one
64
+ * is conventionally the lowest patch version — which is the right
65
+ * "minimum upgrade to clear this advisory" answer for most customers.
66
+ *
67
+ * Returns `undefined` when no `fixed` event exists (advisory exists
68
+ * but no patch has been released yet — customer should consider
69
+ * mitigations rather than waiting). Returns `undefined` for the
70
+ * pathological case of empty `affected` / `ranges` / `events` arrays.
71
+ */
72
+ export declare function extractOsvFixVersion(vuln: OsvVuln): string | undefined;
37
73
  /** Enriched OSV detail returned by lookups. cvssScore is the max CVSS base
38
74
  * score across V4/V3 vectors when parseable; null otherwise. */
39
75
  export interface OsvDetail {
@@ -1 +1 @@
1
- {"version":3,"file":"osv.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/osv.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,SAAS,CAAC;AAE1E,MAAM,WAAW,OAAO;IACtB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,QAAQ,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClD,iBAAiB,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC1C,QAAQ,CAAC,EAAE,KAAK,CAAC;QACf,QAAQ,CAAC,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;KACnD,CAAC,CAAC;IAGH,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACpD;AAED;iEACiE;AACjE,MAAM,WAAW,SAAS;IACxB,QAAQ,EAAE,QAAQ,CAAC;IACnB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAKD,qCAAqC;AACrC,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAMnD;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CA2ClE;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAuBhE;AAED,wFAAwF;AACxF,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,OAAO,GAAG,QAAQ,CAW3D;AAED,yEAAyE;AACzE,MAAM,MAAM,UAAU,GAAG,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;AAsCjE;;;;;;GAMG;AACH,wBAAsB,SAAS,CAC7B,GAAG,EAAE,MAAM,EAAE,EACb,OAAO,GAAE,UAA4B,GACpC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CA6BjC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,KAAK,CAAC;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,EACpF,OAAO,GAAE,UAA4B,GACpC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC,CA6CrC;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,aAAa,CAAC,MAAM,CAAC,EAC1B,OAAO,GAAE,UAA4B,GACpC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAiBhC;AAED,yDAAyD;AACzD,wBAAgB,eAAe,IAAI,IAAI,CAEtC"}
1
+ {"version":3,"file":"osv.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/osv.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,SAAS,CAAC;AAE1E,MAAM,WAAW,OAAO;IACtB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,QAAQ,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAClD,iBAAiB,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAC1C,QAAQ,CAAC,EAAE,KAAK,CAAC;QACf,QAAQ,CAAC,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,KAAK,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QAClD;;;;;;;;;;;;WAYG;QACH,MAAM,CAAC,EAAE,KAAK,CAAC;YACb,IAAI,CAAC,EAAE,MAAM,CAAC;YACd,MAAM,CAAC,EAAE,KAAK,CAAC;gBAAE,UAAU,CAAC,EAAE,MAAM,CAAC;gBAAC,KAAK,CAAC,EAAE,MAAM,CAAC;gBAAC,KAAK,CAAC,EAAE,MAAM,CAAA;aAAE,CAAC,CAAC;SACzE,CAAC,CAAC;KACJ,CAAC,CAAC;IAGH,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACpD;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM,GAAG,SAAS,CAStE;AAED;iEACiE;AACjE,MAAM,WAAW,SAAS;IACxB,QAAQ,EAAE,QAAQ,CAAC;IACnB,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAKD,qCAAqC;AACrC,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,QAAQ,CAMnD;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CA2ClE;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAuBhE;AAED,wFAAwF;AACxF,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,OAAO,GAAG,QAAQ,CAW3D;AAED,yEAAyE;AACzE,MAAM,MAAM,UAAU,GAAG,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;AAsCjE;;;;;;GAMG;AACH,wBAAsB,SAAS,CAC7B,GAAG,EAAE,MAAM,EAAE,EACb,OAAO,GAAE,UAA4B,GACpC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CA6BjC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,KAAK,CAAC;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,OAAO,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,EACpF,OAAO,GAAE,UAA4B,GACpC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC,CA6CrC;AAED;;;;;;;;
;;GAUG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,aAAa,CAAC,MAAM,CAAC,EAC1B,OAAO,GAAE,UAA4B,GACpC,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAiBhC;AAED,yDAAyD;AACzD,wBAAgB,eAAe,IAAI,IAAI,CAEtC"}
@@ -12,6 +12,7 @@
12
12
  * The analyzer must never fail because OSV was slow.
13
13
  */
14
14
  Object.defineProperty(exports, "__esModule", { value: true });
15
+ exports.extractOsvFixVersion = extractOsvFixVersion;
15
16
  exports.scoreToTier = scoreToTier;
16
17
  exports.parseCvssV3BaseScore = parseCvssV3BaseScore;
17
18
  exports.extractOsvCvssScore = extractOsvCvssScore;
@@ -21,6 +22,31 @@ exports.resolveCvssScores = resolveCvssScores;
21
22
  exports.resolveAliases = resolveAliases;
22
23
  exports.__clearOsvCache = __clearOsvCache;
23
24
  const cvss_v4_1 = require("./cvss-v4");
25
+ /**
26
+ * Extract the patch-available version from an OSV record (D042). Walks
27
+ * `affected[].ranges[].events[]` in document order and returns the
28
+ * first non-empty `fixed` event. Multiple `fixed` events can exist
29
+ * when the advisory covers multiple version branches (e.g., a
30
+ * vulnerability backported across 1.x and 2.x lines); the first one
31
+ * is conventionally the lowest patch version — which is the right
32
+ * "minimum upgrade to clear this advisory" answer for most customers.
33
+ *
34
+ * Returns `undefined` when no `fixed` event exists (advisory exists
35
+ * but no patch has been released yet — customer should consider
36
+ * mitigations rather than waiting). Returns `undefined` for the
37
+ * pathological case of empty `affected` / `ranges` / `events` arrays.
38
+ */
39
+ function extractOsvFixVersion(vuln) {
40
+ for (const affected of vuln.affected ?? []) {
41
+ for (const range of affected.ranges ?? []) {
42
+ for (const event of range.events ?? []) {
43
+ if (event.fixed && event.fixed.length > 0)
44
+ return event.fixed;
45
+ }
46
+ }
47
+ }
48
+ return undefined;
49
+ }
24
50
  /** Process-scoped cache so repeated lookups in a session don't re-query. */
25
51
  const cache = new Map();
26
52
  /** NVD CVSS 3.x base-score bands. */
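Review bot: `extractOsvFixVersion` returns the first non-empty `fixed` value found anywhere under `vuln.affected[]`, so the `fixedVersion` it feeds into a finding is not tied to the package, ecosystem or version line that finding is about. An OSV record can carry several `affected` entries for different packages, its `GIT`-type ranges hold commit hashes rather than installable versions, and on a multi-branch advisory the first `fixed` may be lower than what is already installed. Per the D042 comment at the call site in osv-scanner-deps.js, this value is shown as the customer's upgrade target, so a wrong pick turns into wrong remediation advice. I would pass the package name and ecosystem in as optional arguments (declaring `package?: { name?: string; ecosystem?: string }` on the `affected` entries of `OsvVuln`) and skip `GIT` ranges, as sketched below. Still to confirm: whether name matching must be case-insensitive for some ecosystems, and whether the result should be compared against the installed version.

```javascript
function extractOsvFixVersion(vuln, packageName, ecosystem) {
    for (const affected of vuln.affected ?? []) {
        // Only consider the entry for the package this finding reports on.
        if (packageName && affected.package?.name !== packageName)
            continue;
        if (ecosystem && affected.package?.ecosystem !== ecosystem)
            continue;
        for (const range of affected.ranges ?? []) {
            // GIT ranges hold commit hashes, not versions a package manager can install.
            if (range.type === 'GIT')
                continue;
            // … unchanged: events loop returning the first non-empty `fixed`, closing braces, `return undefined` …
```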
@@ -1 +1 @@
1
- {"version":3,"file":"osv.js","sourceRoot":"","sources":["../../../src/analyzers/tools/osv.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAgCH,kCAMC;AAOD,oDA2CC;AASD,kDAuBC;AAGD,kDAWC;AAgDD,8BAgCC;AAmBD,8CAgDC;AAaD,wCAoBC;AAGD,0CAEC;AA7TD,uCAAiD;AA0BjD,4EAA4E;AAC5E,MAAM,KAAK,GAAG,IAAI,GAAG,EAAqB,CAAC;AAE3C,qCAAqC;AACrC,SAAgB,WAAW,CAAC,KAAa;IACvC,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,UAAU,CAAC;IACpC,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,MAAM,CAAC;IAChC,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,QAAQ,CAAC;IAClC,IAAI,KAAK,GAAG,GAAG;QAAE,OAAO,KAAK,CAAC;IAC9B,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,SAAgB,oBAAoB,CAAC,MAAc;IACjD,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IACxC,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5C,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,CAAC,IAAI,CAAC;YAAE,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,wBAAwB;IACxB,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAElE,MAAM,SAAS,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC;IAChF,MAAM,SAAS,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;IAC/D,MAAM,WAAW,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;IAC1E,MAAM,SAAS,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC;IACvE,MAAM,SAAS,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAA
I,EAAE,CAAC;IAC/D,MAAM,UAAU,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;IAEtE,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;IACzB,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;IACzB,MAAM,EAAE,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IACvD,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;IACzB,MAAM,IAAI,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IAC3B,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IAC5B,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAEnF,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC;IACvD,MAAM,MAAM,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,GAAG,KAAK,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC;IAC/F,IAAI,MAAM,IAAI,CAAC;QAAE,OAAO,CAAC,CAAC;IAC1B,MAAM,cAAc,GAAG,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;IAChD,MAAM,GAAG,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,MAAM,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,cAAc,CAAC;IACnF,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAC/B,uDAAuD;IACvD,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC;AACnC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,mBAAmB,CAAC,IAAa;IAC/C,MAAM,EAAE,GAAa,EAAE,CAAC;IACxB,MAAM,EAAE,GAAa,EAAE,CAAC;IACxB,MAAM,OAAO,GAAG,CAAC,OAAgD,EAAE,EAAE;QACnE,KAAK,MAAM,CAAC,IAAI,OAAO,IAAI,EAAE,EAAE,CAAC;YAC9B,IAAI,CAAC,CAAC,CAAC,KAAK;gBAAE,SAAS;YACvB,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS;gBAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;iBACtC,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS;gBAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QAClD,CAAC;IACH,CAAC,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACvB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,IAAI,EAAE;QAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAEzD,IAAI,QAAQ,GAAG,CAAC,CAAC,CAAC;IAClB,KAAK,MAAM,GAAG,IAAI,EAAE,EAA
E,CAAC;QACrB,MAAM,KAAK,GAAG,IAAA,8BAAoB,EAAC,GAAG,CAAC,CAAC;QACxC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,GAAG,QAAQ;YAAE,QAAQ,GAAG,KAAK,CAAC;IAC3D,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,EAAE,EAAE,CAAC;QACrB,MAAM,KAAK,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,GAAG,QAAQ;YAAE,QAAQ,GAAG,KAAK,CAAC;IAC3D,CAAC;IACD,OAAO,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;AACzC,CAAC;AAED,wFAAwF;AACxF,SAAgB,mBAAmB,CAAC,IAAa;IAC/C,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACxC,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC;IAE9C,uEAAuE;IACvE,MAAM,EAAE,GAAG,IAAI,CAAC,iBAAiB,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;IAC3D,IAAI,EAAE,KAAK,UAAU;QAAE,OAAO,UAAU,CAAC;IACzC,IAAI,EAAE,KAAK,MAAM;QAAE,OAAO,MAAM,CAAC;IACjC,IAAI,EAAE,KAAK,QAAQ,IAAI,EAAE,KAAK,UAAU;QAAE,OAAO,QAAQ,CAAC;IAC1D,IAAI,EAAE,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAC/B,OAAO,SAAS,CAAC;AACnB,CAAC;AAKD;;;;GAIG;AACH,MAAM,sBAAsB,GAAG,KAAK,CAAC;AAErC;;;;;;;GAOG;AACH,SAAS,iBAAiB,CAAC,EAAU;IACnC,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,OAAO,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IACvE,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,MAAM,eAAe,GAAe,KAAK,EAAE,EAAE,EAAE,EAAE;IAC/C,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,iBAAiB,CAAC,EAAE,CAAC,CAAC;QACzC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,gCAAgC,kBAAkB,CAAC,UAAU,CAAC,EAAE,EAAE;YACxF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,sBAAsB,CAAC;SACpD,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QACzB,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAY,CAAC;IACvC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC;YAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,EAAE,KAAM,GAAa,CAAC,OAAO,IAAI,CAAC,CAAC,CAAC,UAAU;QACpF,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC,CAAC;AAEF;;;;;;GAMG;AACI,KAAK,UAAU,SAAS,CAC7B,GAAa,EACb,UAAsB,eAAe;IAErC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAqB,CAAC;IAC5C,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,IAAI,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;YAClB,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,CAAC,GAAG,CAAC,EAAE,CAAE,CAAC,CAAC;QACjC,CAAC;aAAM,IAAI,CAAC,OAAO
,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAExC,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CACtC,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;QACvB,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;QAC/B,MAAM,MAAM,GAAc,IAAI;YAC5B,CAAC,CAAC,EAAE,QAAQ,EAAE,mBAAmB,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,mBAAmB,CAAC,IAAI,CAAC,EAAE;YAC/E,CAAC,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QAC7C,OAAO,CAAC,EAAE,EAAE,MAAM,CAAU,CAAC;IAC/B,CAAC,CAAC,CACH,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAC7B,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC;YAC7B,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;YACtB,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACI,KAAK,UAAU,iBAAiB,CACrC,MAAoF,EACpF,UAAsB,eAAe;IAErC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAyB,CAAC;IAChD,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,IAAI,GAAG,CAAC,YAAY,KAAK,IAAI,EAAE,CAAC;YAC9B,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,YAAY,CAAC,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;YAChC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IACD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAE7C,MAAM,eAAe,GAAG,MAAM,SAAS,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAC/D,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,IAAI,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,IAAI;YAAE,SAAS;QACjD,MAAM,CAAC,GAAG,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC;QACxD,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;YAClC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;QAC/B,CAAC;aAAM,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IACD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAE7C,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IA
CrC,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAoB,CAAC;IACrD,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC;YAAE,SAAS;QACpD,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,OAAO;YAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAC/C,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,aAAa,GAAG,MAAM,SAAS,CAAC,CAAC,GAAG,UAAU,CAAC,EAAE,OAAO,CAAC,CAAC;IAChE,KAAK,MAAM,SAAS,IAAI,YAAY,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;QACtD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,SAAS,CAAC;YAC9C,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;gBAClC,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;gBACzB,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;GAUG;AACI,KAAK,UAAU,cAAc,CAClC,GAA0B,EAC1B,UAAsB,eAAe;IAErC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAoB,CAAC;IAC3C,MAAM,SAAS,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IACpC,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAC1C,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CACtC,SAAS,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;QACzB,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;QAC/B,OAAO,CAAC,EAAE,EAAE,IAAI,EAAE,OAAO,IAAI,EAAE,CAAU,CAAC;IAC5C,CAAC,CAAC,CACH,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAC7B,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC;YAC9B,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,yDAAyD;AACzD,SAAgB,eAAe;IAC7B,KAAK,CAAC,KAAK,EAAE,CAAC;AAChB,CAAC"}
1
+ {"version":3,"file":"osv.js","sourceRoot":"","sources":["../../../src/analyzers/tools/osv.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;AAoDH,oDASC;AAaD,kCAMC;AAOD,oDA2CC;AASD,kDAuBC;AAGD,kDAWC;AAgDD,8BAgCC;AAmBD,8CAgDC;AAaD,wCAoBC;AAGD,0CAEC;AAvWD,uCAAiD;AAoCjD;;;;;;;;;;;;;GAaG;AACH,SAAgB,oBAAoB,CAAC,IAAa;IAChD,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;QAC3C,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YAC1C,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;gBACvC,IAAI,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC;oBAAE,OAAO,KAAK,CAAC,KAAK,CAAC;YAChE,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AASD,4EAA4E;AAC5E,MAAM,KAAK,GAAG,IAAI,GAAG,EAAqB,CAAC;AAE3C,qCAAqC;AACrC,SAAgB,WAAW,CAAC,KAAa;IACvC,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,UAAU,CAAC;IACpC,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,MAAM,CAAC;IAChC,IAAI,KAAK,IAAI,GAAG;QAAE,OAAO,QAAQ,CAAC;IAClC,IAAI,KAAK,GAAG,GAAG;QAAE,OAAO,KAAK,CAAC;IAC9B,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,SAAgB,oBAAoB,CAAC,MAAc;IACjD,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IACxC,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5C,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,CAAC,IAAI,CAAC;YAAE,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC9B,CAAC;IAED,wBAAwB;IACxB,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,EAAE,GAAG,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACzB,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAElE,MAAM,SAAS,GAA2B,EA
AE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC;IAChF,MAAM,SAAS,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;IAC/D,MAAM,WAAW,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;IAC1E,MAAM,SAAS,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC;IACvE,MAAM,SAAS,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;IAC/D,MAAM,UAAU,GAA2B,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;IAEtE,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;IACzB,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;IACzB,MAAM,EAAE,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IACvD,MAAM,EAAE,GAAG,SAAS,CAAC,EAAE,CAAC,CAAC;IACzB,MAAM,IAAI,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IAC3B,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IAC5B,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IAEnF,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC;IACvD,MAAM,MAAM,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,GAAG,KAAK,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,GAAG,CAAC;IAC/F,IAAI,MAAM,IAAI,CAAC;QAAE,OAAO,CAAC,CAAC;IAC1B,MAAM,cAAc,GAAG,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;IAChD,MAAM,GAAG,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,MAAM,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,cAAc,CAAC;IACnF,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAC/B,uDAAuD;IACvD,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC;AACnC,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,mBAAmB,CAAC,IAAa;IAC/C,MAAM,EAAE,GAAa,EAAE,CAAC;IACxB,MAAM,EAAE,GAAa,EAAE,CAAC;IACxB,MAAM,OAAO,GAAG,CAAC,OAAgD,EAAE,EAAE;QACnE,KAAK,MAAM,CAAC,IAAI,OAAO,IAAI,EAAE,EAAE,CAAC;YAC9B,IAAI,CAAC,CAAC,CAAC,KAAK;gBAAE,SAA
S;YACvB,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS;gBAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;iBACtC,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS;gBAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;QAClD,CAAC;IACH,CAAC,CAAC;IACF,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACvB,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,IAAI,EAAE;QAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAEzD,IAAI,QAAQ,GAAG,CAAC,CAAC,CAAC;IAClB,KAAK,MAAM,GAAG,IAAI,EAAE,EAAE,CAAC;QACrB,MAAM,KAAK,GAAG,IAAA,8BAAoB,EAAC,GAAG,CAAC,CAAC;QACxC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,GAAG,QAAQ;YAAE,QAAQ,GAAG,KAAK,CAAC;IAC3D,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,EAAE,EAAE,CAAC;QACrB,MAAM,KAAK,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,GAAG,QAAQ;YAAE,QAAQ,GAAG,KAAK,CAAC;IAC3D,CAAC;IACD,OAAO,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;AACzC,CAAC;AAED,wFAAwF;AACxF,SAAgB,mBAAmB,CAAC,IAAa;IAC/C,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACxC,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,WAAW,CAAC,KAAK,CAAC,CAAC;IAE9C,uEAAuE;IACvE,MAAM,EAAE,GAAG,IAAI,CAAC,iBAAiB,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;IAC3D,IAAI,EAAE,KAAK,UAAU;QAAE,OAAO,UAAU,CAAC;IACzC,IAAI,EAAE,KAAK,MAAM;QAAE,OAAO,MAAM,CAAC;IACjC,IAAI,EAAE,KAAK,QAAQ,IAAI,EAAE,KAAK,UAAU;QAAE,OAAO,QAAQ,CAAC;IAC1D,IAAI,EAAE,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAC/B,OAAO,SAAS,CAAC;AACnB,CAAC;AAKD;;;;GAIG;AACH,MAAM,sBAAsB,GAAG,KAAK,CAAC;AAErC;;;;;;;GAOG;AACH,SAAS,iBAAiB,CAAC,EAAU;IACnC,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,OAAO,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;IACvE,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,MAAM,eAAe,GAAe,KAAK,EAAE,EAAE,EAAE,EAAE;IAC/C,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,iBAAiB,CAAC,EAAE,CAAC,CAAC;QACzC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,gCAAgC,kBAAkB,CAAC,UAAU,CAAC,EAAE,EAAE;YACxF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,sBAAsB,CAAC;SACpD,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QACzB,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAY,CAAC;IACvC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC;YAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,EAAE,KAAM,GAAa,CAAC,OAAO,IAAI,CAAC,
CAAC,CAAC,UAAU;QACpF,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC,CAAC;AAEF;;;;;;GAMG;AACI,KAAK,UAAU,SAAS,CAC7B,GAAa,EACb,UAAsB,eAAe;IAErC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAqB,CAAC;IAC5C,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,IAAI,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC;YAClB,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,CAAC,GAAG,CAAC,EAAE,CAAE,CAAC,CAAC;QACjC,CAAC;aAAM,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACnB,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAExC,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CACtC,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;QACvB,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;QAC/B,MAAM,MAAM,GAAc,IAAI;YAC5B,CAAC,CAAC,EAAE,QAAQ,EAAE,mBAAmB,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,mBAAmB,CAAC,IAAI,CAAC,EAAE;YAC/E,CAAC,CAAC,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;QAC7C,OAAO,CAAC,EAAE,EAAE,MAAM,CAAU,CAAC;IAC/B,CAAC,CAAC,CACH,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAC7B,MAAM,CAAC,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC;YAC7B,KAAK,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;YACtB,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACI,KAAK,UAAU,iBAAiB,CACrC,MAAoF,EACpF,UAAsB,eAAe;IAErC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAyB,CAAC;IAChD,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,IAAI,GAAG,CAAC,YAAY,KAAK,IAAI,EAAE,CAAC;YAC9B,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,YAAY,CAAC,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;YAChC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IACD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAE7C,MAAM,eAAe,GAAG,MAAM,SAAS,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAC/D,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,IAAI,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,KAAK,IAAI;YAAE,SAAS;QACjD,MAAM,CAAC,GAAG,eAAe
,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,SAAS,CAAC;QACxD,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;YAClC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;QAC/B,CAAC;aAAM,IAAI,GAAG,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACnC,CAAC;IACH,CAAC;IACD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAE7C,MAAM,UAAU,GAAG,IAAI,GAAG,EAAU,CAAC;IACrC,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAoB,CAAC;IACrD,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC;YAAE,SAAS;QACpD,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,OAAO;YAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAC/C,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IACnD,CAAC;IACD,MAAM,aAAa,GAAG,MAAM,SAAS,CAAC,CAAC,GAAG,UAAU,CAAC,EAAE,OAAO,CAAC,CAAC;IAChE,KAAK,MAAM,SAAS,IAAI,YAAY,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,gBAAgB,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;QACtD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,SAAS,CAAC;YAC9C,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,SAAS,EAAE,CAAC;gBAClC,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC;gBACzB,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;GAUG;AACI,KAAK,UAAU,cAAc,CAClC,GAA0B,EAC1B,UAAsB,eAAe;IAErC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAoB,CAAC;IAC3C,MAAM,SAAS,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IACpC,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IAC1C,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CACtC,SAAS,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;QACzB,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;QAC/B,OAAO,CAAC,EAAE,EAAE,IAAI,EAAE,OAAO,IAAI,EAAE,CAAU,CAAC;IAC5C,CAAC,CAAC,CACH,CAAC;IACF,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAC7B,MAAM,CAAC,EAAE,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC;YAC9B,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,OAAO,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,yDAAyD;AACzD,SAAgB,eAAe;IAC7B,KAAK,CAAC,KAAK,EAAE,CAAC;AAChB,CAAC"}
@@ -21,5 +21,5 @@
21
21
  * pre-C.7, including the exact `toolsUnavailable` phrasings.
22
22
  */
23
23
  import { HealthMetrics } from '../types';
24
- export declare function gatherLayer2Parallel(cwd: string, _verbose?: boolean): Partial<HealthMetrics>;
24
+ export declare function gatherLayer2Parallel(cwd: string, _verbose?: boolean): Promise<Partial<HealthMetrics>>;
25
25
  //# sourceMappingURL=parallel.d.ts.map
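Review bot: The return type of `gatherLayer2Parallel` changes from `Partial<HealthMetrics>` to `Promise<Partial<HealthMetrics>>`, and the doc comment above the declaration (only its tail is inside this hunk) says nothing about the new contract. A plain-JavaScript caller that still reads the result synchronously gets `undefined` for `toolsUsed` and `toolsUnavailable` rather than an error, so an unavailable scanner would silently stop being reported. I would add `@returns A promise for the partial metrics; callers must await it before reading toolsUsed / toolsUnavailable.` to that comment and list the change as breaking in the release notes.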
@@ -1 +1 @@
1
- {"version":3,"file":"parallel.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/parallel.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAKzC,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,UAAQ,GAAG,OAAO,CAAC,aAAa,CAAC,CAgC1F"}
1
+ {"version":3,"file":"parallel.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/parallel.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAKzC,wBAAsB,oBAAoB,CACxC,GAAG,EAAE,MAAM,EACX,QAAQ,UAAQ,GACf,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAgCjC"}
@@ -4,7 +4,7 @@ exports.gatherLayer2Parallel = gatherLayer2Parallel;
4
4
  const cloc_1 = require("./cloc");
5
5
  const gitleaks_1 = require("./gitleaks");
6
6
  const graphify_1 = require("./graphify");
7
- function gatherLayer2Parallel(cwd, _verbose = false) {
7
+ async function gatherLayer2Parallel(cwd, _verbose = false) {
8
8
  const clocPartial = (0, cloc_1.gatherClocMetrics)(cwd);
9
9
  const toolsUsed = [...(clocPartial.toolsUsed ?? [])];
10
10
  const toolsUnavailable = [...(clocPartial.toolsUnavailable ?? [])];
@@ -18,7 +18,7 @@ function gatherLayer2Parallel(cwd, _verbose = false) {
18
18
  // the pre-C.7 string the report surfaces.
19
19
  toolsUnavailable.push(gitleaks.reason === 'not installed' ? 'gitleaks' : `gitleaks (${gitleaks.reason})`);
20
20
  }
21
- const graphify = (0, graphify_1.gatherGraphifyResult)(cwd);
21
+ const graphify = await (0, graphify_1.gatherGraphifyResult)(cwd);
22
22
  if (graphify.kind === 'success') {
23
23
  toolsUsed.push('graphify');
24
24
  }
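Review bot: A rejection from the awaited `gatherGraphifyResult(cwd)` now rejects the whole of `gatherLayer2Parallel`, discarding the cloc and gitleaks entries already collected in `toolsUsed` and `toolsUnavailable` above it. The result is consumed as a tagged value (`graphify.kind === 'success'`), so the helper may never reject, but nothing in these hunks guarantees that. Wrapping the await in `try`/`catch` and recording the failure in `toolsUnavailable` would keep a graphify fault from hiding the secret-scan outcome. The function body starts and ends outside both hunks, and as far as these lines show, the gatherers still run one after another despite the "Parallel" name.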
@@ -1 +1 @@
1
- {"version":3,"file":"parallel.js","sourceRoot":"","sources":["../../../src/analyzers/tools/parallel.ts"],"names":[],"mappings":";;AA2BA,oDAgCC;AApCD,iCAA2C;AAC3C,yCAAkD;AAClD,yCAAkD;AAElD,SAAgB,oBAAoB,CAAC,GAAW,EAAE,QAAQ,GAAG,KAAK;IAChE,MAAM,WAAW,GAAG,IAAA,wBAAiB,EAAC,GAAG,CAAC,CAAC;IAE3C,MAAM,SAAS,GAAa,CAAC,GAAG,CAAC,WAAW,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,CAAC;IAC/D,MAAM,gBAAgB,GAAa,CAAC,GAAG,CAAC,WAAW,CAAC,gBAAgB,IAAI,EAAE,CAAC,CAAC,CAAC;IAE7E,MAAM,QAAQ,GAAG,IAAA,+BAAoB,EAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAChC,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,kEAAkE;QAClE,iEAAiE;QACjE,0CAA0C;QAC1C,gBAAgB,CAAC,IAAI,CACnB,QAAQ,CAAC,MAAM,KAAK,eAAe,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,aAAa,QAAQ,CAAC,MAAM,GAAG,CACnF,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,IAAA,+BAAoB,EAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAChC,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,gBAAgB,CAAC,IAAI,CAAC,aAAa,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IACzD,CAAC;IAED,OAAO;QACL,WAAW,EAAE,WAAW,CAAC,WAAW;QACpC,UAAU,EAAE,WAAW,CAAC,UAAU;QAClC,aAAa,EAAE,WAAW,CAAC,aAAa;QACxC,SAAS;QACT,gBAAgB;KACjB,CAAC;AACJ,CAAC"}
1
+ {"version":3,"file":"parallel.js","sourceRoot":"","sources":["../../../src/analyzers/tools/parallel.ts"],"names":[],"mappings":";;AA2BA,oDAmCC;AAvCD,iCAA2C;AAC3C,yCAAkD;AAClD,yCAAkD;AAE3C,KAAK,UAAU,oBAAoB,CACxC,GAAW,EACX,QAAQ,GAAG,KAAK;IAEhB,MAAM,WAAW,GAAG,IAAA,wBAAiB,EAAC,GAAG,CAAC,CAAC;IAE3C,MAAM,SAAS,GAAa,CAAC,GAAG,CAAC,WAAW,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC,CAAC;IAC/D,MAAM,gBAAgB,GAAa,CAAC,GAAG,CAAC,WAAW,CAAC,gBAAgB,IAAI,EAAE,CAAC,CAAC,CAAC;IAE7E,MAAM,QAAQ,GAAG,IAAA,+BAAoB,EAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAChC,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,kEAAkE;QAClE,iEAAiE;QACjE,0CAA0C;QAC1C,gBAAgB,CAAC,IAAI,CACnB,QAAQ,CAAC,MAAM,KAAK,eAAe,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,aAAa,QAAQ,CAAC,MAAM,GAAG,CACnF,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,IAAA,+BAAoB,EAAC,GAAG,CAAC,CAAC;IACjD,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAChC,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,gBAAgB,CAAC,IAAI,CAAC,aAAa,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IACzD,CAAC;IAED,OAAO;QACL,WAAW,EAAE,WAAW,CAAC,WAAW;QACpC,UAAU,EAAE,WAAW,CAAC,UAAU;QAClC,aAAa,EAAE,WAAW,CAAC,aAAa;QACxC,SAAS;QACT,gBAAgB;KACjB,CAAC;AACJ,CAAC"}
@@ -50,6 +50,13 @@ export interface RiskScoreInputs {
50
50
  /**
51
51
  * Compute the composite risk score for one finding, or null when
52
52
  * CVSS is missing (we don't fabricate severity from side signals).
53
+ *
54
+ * D078 (2.4.7): treat `cvssScore === 0` the same as `undefined` —
55
+ * upstream feeds (OSV.dev) emit `cvssScore: 0` for advisories whose
56
+ * severity bucket comes from GHSA's categorical rating rather than
57
+ * CVSS. Rendering `**0.0**` next to a HIGH-bucket finding misleads
58
+ * users into reading "high severity, zero risk." Returning null
59
+ * here propagates through to a `—` cell in the BoM render.
53
60
  */
54
61
  export declare function computeRiskScore(inputs: RiskScoreInputs): number | null;
55
62
  /**
@@ -1 +1 @@
1
- {"version":3,"file":"risk-score.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/risk-score.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AAEzE,MAAM,WAAW,eAAe;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,eAAe,GAAG,MAAM,GAAG,IAAI,CAWvE;AAED;;;;;GAKG;AACH,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,UAAU,GAAG,KAAK,GAAG,MAAM,CAAC;AAEzE,wBAAgB,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,QAAQ,CAMvD;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,IAAI,CAK9D"}
1
+ {"version":3,"file":"risk-score.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/risk-score.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AAEzE,MAAM,WAAW,eAAe;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,eAAe,GAAG,MAAM,GAAG,IAAI,CAWvE;AAED;;;;;GAKG;AACH,MAAM,MAAM,QAAQ,GAAG,UAAU,GAAG,MAAM,GAAG,UAAU,GAAG,KAAK,GAAG,MAAM,CAAC;AAEzE,wBAAgB,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,QAAQ,CAMvD;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,IAAI,CAK9D"}
@@ -48,10 +48,17 @@ exports.scoreFindings = scoreFindings;
48
48
  /**
49
49
  * Compute the composite risk score for one finding, or null when
50
50
  * CVSS is missing (we don't fabricate severity from side signals).
51
+ *
52
+ * D078 (2.4.7): treat `cvssScore === 0` the same as `undefined` —
53
+ * upstream feeds (OSV.dev) emit `cvssScore: 0` for advisories whose
54
+ * severity bucket comes from GHSA's categorical rating rather than
55
+ * CVSS. Rendering `**0.0**` next to a HIGH-bucket finding misleads
56
+ * users into reading "high severity, zero risk." Returning null
57
+ * here propagates through to a `—` cell in the BoM render.
51
58
  */
52
59
  function computeRiskScore(inputs) {
53
60
  const cvss = inputs.cvssScore;
54
- if (cvss === undefined)
61
+ if (cvss === undefined || cvss === 0)
55
62
  return null;
56
63
  const base = cvss * 10;
57
64
  const kevMul = inputs.kev ? 2.0 : 1.0;
@@ -66,7 +73,7 @@ function riskTier(score) {
66
73
  if (score >= 70)
67
74
  return 'critical';
68
75
  if (score >= 40)
69
- return 'high';
76
+ return 'high'; // scoring-spec-ok: CVSS risk-tier band, not a dimension-rating threshold
70
77
  if (score >= 15)
71
78
  return 'moderate';
72
79
  return 'low';
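Review bot: In `computeRiskScore` the new guard `if (cvss === undefined || cvss === 0)` still lets `null`, `NaN` and negative values reach `cvss * 10`. The added comment says the score originates from upstream feeds, so a JSON `null` would give a base of 0 and a `NaN` may propagate into the returned score. `if (cvss == null || !Number.isFinite(cvss) || cvss <= 0) return null;` covers the sentinel and the malformed cases in one check. Because a HIGH-bucket advisory now carries no score, any consumer that sorts or filters findings by risk score should fall back to the severity bucket so these advisories are not deprioritised; that consumer is not visible here. The function continues past the end of the first hunk.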
@@ -1 +1 @@
1
- {"version":3,"file":"risk-score.js","sourceRoot":"","sources":["../../../src/analyzers/tools/risk-score.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;;AAeH,4CAWC;AAUD,4BAMC;AAOD,sCAKC;AA3CD;;;GAGG;AACH,SAAgB,gBAAgB,CAAC,MAAuB;IACtD,MAAM,IAAI,GAAG,MAAM,CAAC,SAAS,CAAC;IAC9B,IAAI,IAAI,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAEpC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAE,CAAC;IACvB,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;IACtC,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,IAAI,CAAC,CAAC,CAAC;IAChD,MAAM,QAAQ,GAAG,MAAM,CAAC,SAAS,KAAK,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,KAAK,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC;IAE3F,MAAM,GAAG,GAAG,IAAI,GAAG,MAAM,GAAG,OAAO,GAAG,QAAQ,CAAC;IAC/C,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;AAC/D,CAAC;AAUD,SAAgB,QAAQ,CAAC,KAAoB;IAC3C,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IAClC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,UAAU,CAAC;IACnC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC;IAC/B,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,UAAU,CAAC;IACnC,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,SAAgB,aAAa,CAAC,QAA0B;IACtD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;QAC9B,IAAI,CAAC,KAAK,IAAI;YAAE,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC;IAClC,CAAC;AACH,CAAC"}
1
+ {"version":3,"file":"risk-score.js","sourceRoot":"","sources":["../../../src/analyzers/tools/risk-score.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;;AAsBH,4CAWC;AAUD,4BAMC;AAOD,sCAKC;AAlDD;;;;;;;;;;GAUG;AACH,SAAgB,gBAAgB,CAAC,MAAuB;IACtD,MAAM,IAAI,GAAG,MAAM,CAAC,SAAS,CAAC;IAC9B,IAAI,IAAI,KAAK,SAAS,IAAI,IAAI,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAElD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAE,CAAC;IACvB,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;IACtC,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,IAAI,CAAC,CAAC,CAAC;IAChD,MAAM,QAAQ,GAAG,MAAM,CAAC,SAAS,KAAK,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,SAAS,KAAK,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC;IAE3F,MAAM,GAAG,GAAG,IAAI,GAAG,MAAM,GAAG,OAAO,GAAG,QAAQ,CAAC;IAC/C,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;AAC/D,CAAC;AAUD,SAAgB,QAAQ,CAAC,KAAoB;IAC3C,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IAClC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,UAAU,CAAC;IACnC,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,MAAM,CAAC,CAAC,yEAAyE;IACzG,IAAI,KAAK,IAAI,EAAE;QAAE,OAAO,UAAU,CAAC;IACnC,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,SAAgB,aAAa,CAAC,QAA0B;IACtD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,CAAC,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;QAC9B,IAAI,CAAC,KAAK,IAAI;YAAE,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC;IAClC,CAAC;AACH,CAAC"}
@@ -0,0 +1,43 @@
1
+ import type { RunTestsOutcome } from '../../languages/capabilities/provider';
2
+ export interface RunTestsArgs {
3
+ /** Display name for logging — usually the pack id. */
4
+ pack: string;
5
+ /** Shell command to invoke. Run via `/bin/bash -c "<cmd>"`. */
6
+ cmd: string;
7
+ /** Working directory for the spawn. */
8
+ cwd: string;
9
+ /**
10
+ * Relative path to the expected coverage artifact, OR a function that
11
+ * locates it post-run (for tools that pick non-deterministic output
12
+ * paths — e.g. .NET's `TestResults/<guid>/coverage.cobertura.xml`).
13
+ * The function form returns the discovered relative path or `null` if
14
+ * the artifact wasn't produced.
15
+ */
16
+ artifact: string | ((cwd: string) => string | null);
17
+ /** Wall-clock cap. Default 600s (10 min) per the design doc. */
18
+ timeoutMs?: number;
19
+ /**
20
+ * Optional pre-flight check. When defined and returns a non-null
21
+ * reason, `runTests` skips the spawn and returns `unavailable` with
22
+ * that reason. Use this to short-circuit "tool isn't installed" or
23
+ * "project isn't configured" without paying the spawn cost.
24
+ */
25
+ preflight?: (cwd: string) => string | null;
26
+ }
27
+ /**
28
+ * Spawn a test-with-coverage command, time it, classify the outcome.
29
+ *
30
+ * Outcome rules:
31
+ * - `preflight` returned a reason → `unavailable`
32
+ * - spawn signals ENOENT (binary missing) → `unavailable`
33
+ * - exit non-zero (test fail / compile err) → `failed`
34
+ * - exit zero AND artifact present → `success`
35
+ * - exit zero BUT artifact missing → `failed`
36
+ * (the user ran the right command but it didn't produce coverage —
37
+ * usually means simplecov / coverage-py / similar isn't actually
38
+ * wired into the test setup. The hint they need is "your test
39
+ * run succeeded but produced no coverage report" not "no test
40
+ * runner found.")
41
+ */
42
+ export declare function runTestsWithCoverage(args: RunTestsArgs): RunTestsOutcome;
43
+ //# sourceMappingURL=run-tests-helper.d.ts.map
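Review bot: `cmd` is documented as being run via `/bin/bash -c "<cmd>"`, but the interface does not say who is allowed to build that string. Any value taken from the analysed repository (a path, a script name, a config field) that is concatenated into `cmd` would be interpreted by the shell, so the comment should state the trust boundary, e.g. `/** Shell command to invoke via /bin/bash -c. Must be a fixed string from the pack definition; never interpolate repository-controlled values. */`. The same applies to `artifact`: the function form returns a "discovered relative path", and the doc should say whether the result is checked to stay inside `cwd`. The implementation is not in this file, so both points may already be handled there.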
@@ -0,0 +1 @@
1
+ {"version":3,"file":"run-tests-helper.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/run-tests-helper.ts"],"names":[],"mappings":"AAkBA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uCAAuC,CAAC;AAE7E,MAAM,WAAW,YAAY;IAC3B,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC;IACb,+DAA+D;IAC/D,GAAG,EAAE,MAAM,CAAC;IACZ,uCAAuC;IACvC,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;OAMG;IACH,QAAQ,EAAE,MAAM,GAAG,CAAC,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC,CAAC;IACpD,gEAAgE;IAChE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC;CAC5C;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,YAAY,GAAG,eAAe,CA6FxE"}