@vyuhlabs/dxkit 2.4.6 → 2.4.8
- package/CHANGELOG.md +1076 -0
- package/README.md +132 -27
- package/dist/analysis-result.d.ts +112 -0
- package/dist/analysis-result.d.ts.map +1 -0
- package/dist/analysis-result.js +52 -0
- package/dist/analysis-result.js.map +1 -0
- package/dist/analyzers/bom/detailed.d.ts.map +1 -1
- package/dist/analyzers/bom/detailed.js +19 -0
- package/dist/analyzers/bom/detailed.js.map +1 -1
- package/dist/analyzers/bom/gather.d.ts +27 -26
- package/dist/analyzers/bom/gather.d.ts.map +1 -1
- package/dist/analyzers/bom/gather.js +26 -87
- package/dist/analyzers/bom/gather.js.map +1 -1
- package/dist/analyzers/bom/index.d.ts +0 -7
- package/dist/analyzers/bom/index.d.ts.map +1 -1
- package/dist/analyzers/bom/index.js +98 -48
- package/dist/analyzers/bom/index.js.map +1 -1
- package/dist/analyzers/bom/types.d.ts +11 -13
- package/dist/analyzers/bom/types.d.ts.map +1 -1
- package/dist/analyzers/cache.d.ts +95 -0
- package/dist/analyzers/cache.d.ts.map +1 -0
- package/dist/analyzers/cache.js +309 -0
- package/dist/analyzers/cache.js.map +1 -0
- package/dist/analyzers/coverage-runner.d.ts +56 -0
- package/dist/analyzers/coverage-runner.d.ts.map +1 -0
- package/dist/analyzers/coverage-runner.js +72 -0
- package/dist/analyzers/coverage-runner.js.map +1 -0
- package/dist/analyzers/dashboard/index.d.ts +24 -0
- package/dist/analyzers/dashboard/index.d.ts.map +1 -0
- package/dist/analyzers/dashboard/index.js +667 -0
- package/dist/analyzers/dashboard/index.js.map +1 -0
- package/dist/analyzers/developer/gather.d.ts.map +1 -1
- package/dist/analyzers/developer/gather.js +205 -37
- package/dist/analyzers/developer/gather.js.map +1 -1
- package/dist/analyzers/developer/index.d.ts +1 -1
- package/dist/analyzers/developer/index.d.ts.map +1 -1
- package/dist/analyzers/developer/index.js +21 -9
- package/dist/analyzers/developer/index.js.map +1 -1
- package/dist/analyzers/dispatcher.d.ts +52 -0
- package/dist/analyzers/dispatcher.d.ts.map +1 -1
- package/dist/analyzers/dispatcher.js +92 -9
- package/dist/analyzers/dispatcher.js.map +1 -1
- package/dist/analyzers/docs/shallow.d.ts +17 -5
- package/dist/analyzers/docs/shallow.d.ts.map +1 -1
- package/dist/analyzers/docs/shallow.js +65 -2
- package/dist/analyzers/docs/shallow.js.map +1 -1
- package/dist/analyzers/dx/shallow.d.ts +17 -5
- package/dist/analyzers/dx/shallow.d.ts.map +1 -1
- package/dist/analyzers/dx/shallow.js +66 -2
- package/dist/analyzers/dx/shallow.js.map +1 -1
- package/dist/analyzers/health/actions.d.ts +1 -1
- package/dist/analyzers/health/actions.d.ts.map +1 -1
- package/dist/analyzers/health/actions.js +27 -9
- package/dist/analyzers/health/actions.js.map +1 -1
- package/dist/analyzers/health/detailed.d.ts +2 -1
- package/dist/analyzers/health/detailed.d.ts.map +1 -1
- package/dist/analyzers/health/detailed.js +11 -7
- package/dist/analyzers/health/detailed.js.map +1 -1
- package/dist/analyzers/health.d.ts +27 -0
- package/dist/analyzers/health.d.ts.map +1 -1
- package/dist/analyzers/health.js +282 -34
- package/dist/analyzers/health.js.map +1 -1
- package/dist/analyzers/licenses/gather.d.ts +35 -8
- package/dist/analyzers/licenses/gather.d.ts.map +1 -1
- package/dist/analyzers/licenses/gather.js +86 -13
- package/dist/analyzers/licenses/gather.js.map +1 -1
- package/dist/analyzers/licenses/index.d.ts +1 -1
- package/dist/analyzers/licenses/index.d.ts.map +1 -1
- package/dist/analyzers/licenses/index.js +52 -11
- package/dist/analyzers/licenses/index.js.map +1 -1
- package/dist/analyzers/licenses/types.d.ts +15 -0
- package/dist/analyzers/licenses/types.d.ts.map +1 -1
- package/dist/analyzers/maintainability/shallow.d.ts +17 -5
- package/dist/analyzers/maintainability/shallow.d.ts.map +1 -1
- package/dist/analyzers/maintainability/shallow.js +80 -2
- package/dist/analyzers/maintainability/shallow.js.map +1 -1
- package/dist/analyzers/quality/detailed.d.ts.map +1 -1
- package/dist/analyzers/quality/detailed.js +4 -6
- package/dist/analyzers/quality/detailed.js.map +1 -1
- package/dist/analyzers/quality/gather.d.ts +1 -14
- package/dist/analyzers/quality/gather.d.ts.map +1 -1
- package/dist/analyzers/quality/gather.js +48 -137
- package/dist/analyzers/quality/gather.js.map +1 -1
- package/dist/analyzers/quality/index.d.ts +9 -2
- package/dist/analyzers/quality/index.d.ts.map +1 -1
- package/dist/analyzers/quality/index.js +197 -117
- package/dist/analyzers/quality/index.js.map +1 -1
- package/dist/analyzers/quality/shallow.d.ts +50 -5
- package/dist/analyzers/quality/shallow.d.ts.map +1 -1
- package/dist/analyzers/quality/shallow.js +155 -2
- package/dist/analyzers/quality/shallow.js.map +1 -1
- package/dist/analyzers/quality/types.d.ts +14 -0
- package/dist/analyzers/quality/types.d.ts.map +1 -1
- package/dist/analyzers/security/actions.d.ts +11 -4
- package/dist/analyzers/security/actions.d.ts.map +1 -1
- package/dist/analyzers/security/actions.js +87 -37
- package/dist/analyzers/security/actions.js.map +1 -1
- package/dist/analyzers/security/aggregator.d.ts +236 -0
- package/dist/analyzers/security/aggregator.d.ts.map +1 -0
- package/dist/analyzers/security/aggregator.js +349 -0
- package/dist/analyzers/security/aggregator.js.map +1 -0
- package/dist/analyzers/security/detailed.d.ts +2 -2
- package/dist/analyzers/security/detailed.d.ts.map +1 -1
- package/dist/analyzers/security/detailed.js +10 -9
- package/dist/analyzers/security/detailed.js.map +1 -1
- package/dist/analyzers/security/gather.d.ts +104 -1
- package/dist/analyzers/security/gather.d.ts.map +1 -1
- package/dist/analyzers/security/gather.js +299 -9
- package/dist/analyzers/security/gather.js.map +1 -1
- package/dist/analyzers/security/index.d.ts +15 -0
- package/dist/analyzers/security/index.d.ts.map +1 -1
- package/dist/analyzers/security/index.js +463 -50
- package/dist/analyzers/security/index.js.map +1 -1
- package/dist/analyzers/security/shallow.d.ts +50 -6
- package/dist/analyzers/security/shallow.d.ts.map +1 -1
- package/dist/analyzers/security/shallow.js +154 -2
- package/dist/analyzers/security/shallow.js.map +1 -1
- package/dist/analyzers/security/types.d.ts +51 -0
- package/dist/analyzers/security/types.d.ts.map +1 -1
- package/dist/analyzers/tests/detailed.d.ts.map +1 -1
- package/dist/analyzers/tests/detailed.js +2 -3
- package/dist/analyzers/tests/detailed.js.map +1 -1
- package/dist/analyzers/tests/gather.d.ts +2 -1
- package/dist/analyzers/tests/gather.d.ts.map +1 -1
- package/dist/analyzers/tests/gather.js +98 -69
- package/dist/analyzers/tests/gather.js.map +1 -1
- package/dist/analyzers/tests/index.d.ts +11 -2
- package/dist/analyzers/tests/index.d.ts.map +1 -1
- package/dist/analyzers/tests/index.js +83 -18
- package/dist/analyzers/tests/index.js.map +1 -1
- package/dist/analyzers/tests/shallow.d.ts +19 -5
- package/dist/analyzers/tests/shallow.d.ts.map +1 -1
- package/dist/analyzers/tests/shallow.js +89 -2
- package/dist/analyzers/tests/shallow.js.map +1 -1
- package/dist/analyzers/tests/types.d.ts +41 -1
- package/dist/analyzers/tests/types.d.ts.map +1 -1
- package/dist/analyzers/tools/autogen-header.d.ts +8 -0
- package/dist/analyzers/tools/autogen-header.d.ts.map +1 -0
- package/dist/analyzers/tools/autogen-header.js +107 -0
- package/dist/analyzers/tools/autogen-header.js.map +1 -0
- package/dist/analyzers/tools/cloc.d.ts.map +1 -1
- package/dist/analyzers/tools/cloc.js +36 -5
- package/dist/analyzers/tools/cloc.js.map +1 -1
- package/dist/analyzers/tools/deadline.d.ts +67 -0
- package/dist/analyzers/tools/deadline.d.ts.map +1 -0
- package/dist/analyzers/tools/deadline.js +81 -0
- package/dist/analyzers/tools/deadline.js.map +1 -0
- package/dist/analyzers/tools/debug-statements.d.ts +17 -0
- package/dist/analyzers/tools/debug-statements.d.ts.map +1 -0
- package/dist/analyzers/tools/debug-statements.js +58 -0
- package/dist/analyzers/tools/debug-statements.js.map +1 -0
- package/dist/analyzers/tools/default-exclusions.gitignore +28 -0
- package/dist/analyzers/tools/exclusions.d.ts +33 -6
- package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
- package/dist/analyzers/tools/exclusions.js +95 -26
- package/dist/analyzers/tools/exclusions.js.map +1 -1
- package/dist/analyzers/tools/generic.d.ts +17 -2
- package/dist/analyzers/tools/generic.d.ts.map +1 -1
- package/dist/analyzers/tools/generic.js +206 -109
- package/dist/analyzers/tools/generic.js.map +1 -1
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
- package/dist/analyzers/tools/gitleaks.js +48 -1
- package/dist/analyzers/tools/gitleaks.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts +30 -2
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +131 -15
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/jscpd.d.ts +12 -2
- package/dist/analyzers/tools/jscpd.d.ts.map +1 -1
- package/dist/analyzers/tools/jscpd.js +129 -6
- package/dist/analyzers/tools/jscpd.js.map +1 -1
- package/dist/analyzers/tools/lint-label.d.ts +29 -0
- package/dist/analyzers/tools/lint-label.d.ts.map +1 -0
- package/dist/analyzers/tools/lint-label.js +23 -0
- package/dist/analyzers/tools/lint-label.js.map +1 -0
- package/dist/analyzers/tools/minified-detection.d.ts +9 -0
- package/dist/analyzers/tools/minified-detection.d.ts.map +1 -0
- package/dist/analyzers/tools/minified-detection.js +147 -0
- package/dist/analyzers/tools/minified-detection.js.map +1 -0
- package/dist/analyzers/tools/nuget-package-reference.d.ts +133 -0
- package/dist/analyzers/tools/nuget-package-reference.d.ts.map +1 -0
- package/dist/analyzers/tools/nuget-package-reference.js +177 -0
- package/dist/analyzers/tools/nuget-package-reference.js.map +1 -0
- package/dist/analyzers/tools/osv-scanner-deps.d.ts +3 -2
- package/dist/analyzers/tools/osv-scanner-deps.d.ts.map +1 -1
- package/dist/analyzers/tools/osv-scanner-deps.js +32 -14
- package/dist/analyzers/tools/osv-scanner-deps.js.map +1 -1
- package/dist/analyzers/tools/osv.d.ts +36 -0
- package/dist/analyzers/tools/osv.d.ts.map +1 -1
- package/dist/analyzers/tools/osv.js +26 -0
- package/dist/analyzers/tools/osv.js.map +1 -1
- package/dist/analyzers/tools/parallel.d.ts +1 -1
- package/dist/analyzers/tools/parallel.d.ts.map +1 -1
- package/dist/analyzers/tools/parallel.js +2 -2
- package/dist/analyzers/tools/parallel.js.map +1 -1
- package/dist/analyzers/tools/report-date.d.ts +17 -0
- package/dist/analyzers/tools/report-date.d.ts.map +1 -0
- package/dist/analyzers/tools/report-date.js +26 -0
- package/dist/analyzers/tools/report-date.js.map +1 -0
- package/dist/analyzers/tools/risk-score.d.ts +7 -0
- package/dist/analyzers/tools/risk-score.d.ts.map +1 -1
- package/dist/analyzers/tools/risk-score.js +9 -2
- package/dist/analyzers/tools/risk-score.js.map +1 -1
- package/dist/analyzers/tools/run-tests-helper.d.ts +43 -0
- package/dist/analyzers/tools/run-tests-helper.d.ts.map +1 -0
- package/dist/analyzers/tools/run-tests-helper.js +156 -0
- package/dist/analyzers/tools/run-tests-helper.js.map +1 -0
- package/dist/analyzers/tools/runner.d.ts.map +1 -1
- package/dist/analyzers/tools/runner.js +75 -12
- package/dist/analyzers/tools/runner.js.map +1 -1
- package/dist/analyzers/tools/semgrep.d.ts +39 -2
- package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
- package/dist/analyzers/tools/semgrep.js +131 -9
- package/dist/analyzers/tools/semgrep.js.map +1 -1
- package/dist/analyzers/tools/timing.d.ts +17 -3
- package/dist/analyzers/tools/timing.d.ts.map +1 -1
- package/dist/analyzers/tools/timing.js +36 -14
- package/dist/analyzers/tools/timing.js.map +1 -1
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +11 -1
- package/dist/analyzers/tools/tool-registry.js.map +1 -1
- package/dist/analyzers/tools/tools-unavailable-prose.d.ts +18 -0
- package/dist/analyzers/tools/tools-unavailable-prose.d.ts.map +1 -0
- package/dist/analyzers/tools/tools-unavailable-prose.js +69 -0
- package/dist/analyzers/tools/tools-unavailable-prose.js.map +1 -0
- package/dist/analyzers/tools/upgrade-plan-resolver.d.ts.map +1 -1
- package/dist/analyzers/tools/upgrade-plan-resolver.js +7 -0
- package/dist/analyzers/tools/upgrade-plan-resolver.js.map +1 -1
- package/dist/analyzers/tools/vendored-advisor.d.ts +43 -0
- package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -0
- package/dist/analyzers/tools/vendored-advisor.js +107 -0
- package/dist/analyzers/tools/vendored-advisor.js.map +1 -0
- package/dist/analyzers/tools/walk-paths.d.ts +78 -0
- package/dist/analyzers/tools/walk-paths.d.ts.map +1 -0
- package/dist/analyzers/tools/walk-paths.js +150 -0
- package/dist/analyzers/tools/walk-paths.js.map +1 -0
- package/dist/analyzers/tools/walk-source-files.d.ts +70 -0
- package/dist/analyzers/tools/walk-source-files.d.ts.map +1 -0
- package/dist/analyzers/tools/walk-source-files.js +369 -0
- package/dist/analyzers/tools/walk-source-files.js.map +1 -0
- package/dist/analyzers/types.d.ts +204 -4
- package/dist/analyzers/types.d.ts.map +1 -1
- package/dist/analyzers/xlsx/bom.d.ts.map +1 -1
- package/dist/analyzers/xlsx/bom.js +8 -1
- package/dist/analyzers/xlsx/bom.js.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +581 -189
- package/dist/cli.js.map +1 -1
- package/dist/detect.d.ts.map +1 -1
- package/dist/detect.js +24 -7
- package/dist/detect.js.map +1 -1
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +103 -53
- package/dist/doctor.js.map +1 -1
- package/dist/languages/capabilities/provider.d.ts +130 -1
- package/dist/languages/capabilities/provider.d.ts.map +1 -1
- package/dist/languages/capabilities/types.d.ts +68 -7
- package/dist/languages/capabilities/types.d.ts.map +1 -1
- package/dist/languages/csharp.d.ts +15 -1
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +624 -146
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +89 -11
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +132 -2
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +207 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +113 -26
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +132 -26
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +149 -44
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts +39 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +178 -44
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +103 -16
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +228 -5
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +201 -14
- package/dist/languages/typescript.js.map +1 -1
- package/dist/scoring/dimensions/documentation.d.ts +53 -0
- package/dist/scoring/dimensions/documentation.d.ts.map +1 -0
- package/dist/scoring/dimensions/documentation.js +106 -0
- package/dist/scoring/dimensions/documentation.js.map +1 -0
- package/dist/scoring/dimensions/dx.d.ts +53 -0
- package/dist/scoring/dimensions/dx.d.ts.map +1 -0
- package/dist/scoring/dimensions/dx.js +105 -0
- package/dist/scoring/dimensions/dx.js.map +1 -0
- package/dist/scoring/dimensions/maintainability.d.ts +53 -0
- package/dist/scoring/dimensions/maintainability.d.ts.map +1 -0
- package/dist/scoring/dimensions/maintainability.js +101 -0
- package/dist/scoring/dimensions/maintainability.js.map +1 -0
- package/dist/scoring/dimensions/quality.d.ts +108 -0
- package/dist/scoring/dimensions/quality.d.ts.map +1 -0
- package/dist/scoring/dimensions/quality.js +174 -0
- package/dist/scoring/dimensions/quality.js.map +1 -0
- package/dist/scoring/dimensions/security.d.ts +84 -0
- package/dist/scoring/dimensions/security.d.ts.map +1 -0
- package/dist/scoring/dimensions/security.js +135 -0
- package/dist/scoring/dimensions/security.js.map +1 -0
- package/dist/scoring/dimensions/testing.d.ts +56 -0
- package/dist/scoring/dimensions/testing.d.ts.map +1 -0
- package/dist/scoring/dimensions/testing.js +98 -0
- package/dist/scoring/dimensions/testing.js.map +1 -0
- package/dist/scoring/evaluator.d.ts +27 -0
- package/dist/scoring/evaluator.d.ts.map +1 -0
- package/dist/scoring/evaluator.js +124 -0
- package/dist/scoring/evaluator.js.map +1 -0
- package/dist/scoring/format.d.ts +34 -0
- package/dist/scoring/format.d.ts.map +1 -0
- package/dist/scoring/format.js +63 -0
- package/dist/scoring/format.js.map +1 -0
- package/dist/scoring/index.d.ts +37 -0
- package/dist/scoring/index.d.ts.map +1 -0
- package/dist/scoring/index.js +57 -0
- package/dist/scoring/index.js.map +1 -0
- package/dist/scoring/overall.d.ts +54 -0
- package/dist/scoring/overall.d.ts.map +1 -0
- package/dist/scoring/overall.js +76 -0
- package/dist/scoring/overall.js.map +1 -0
- package/dist/scoring/result.d.ts +111 -0
- package/dist/scoring/result.d.ts.map +1 -0
- package/dist/scoring/result.js +14 -0
- package/dist/scoring/result.js.map +1 -0
- package/dist/scoring/spec.d.ts +76 -0
- package/dist/scoring/spec.d.ts.map +1 -0
- package/dist/scoring/spec.js +22 -0
- package/dist/scoring/spec.js.map +1 -0
- package/dist/scoring/thresholds.d.ts +56 -0
- package/dist/scoring/thresholds.d.ts.map +1 -0
- package/dist/scoring/thresholds.js +75 -0
- package/dist/scoring/thresholds.js.map +1 -0
- package/dist/tools-cli.d.ts.map +1 -1
- package/dist/tools-cli.js +21 -2
- package/dist/tools-cli.js.map +1 -1
- package/dist/types.d.ts +16 -0
- package/dist/types.d.ts.map +1 -1
- package/package.json +1 -1
- package/templates/.claude/commands/dashboard.md +17 -9
- package/dist/analyzers/scoring.d.ts +0 -49
- package/dist/analyzers/scoring.d.ts.map +0 -1
- package/dist/analyzers/scoring.js +0 -422
- package/dist/analyzers/scoring.js.map +0 -1
- package/dist/analyzers/security/scoring.d.ts +0 -29
- package/dist/analyzers/security/scoring.d.ts.map +0 -1
- package/dist/analyzers/security/scoring.js +0 -40
- package/dist/analyzers/security/scoring.js.map +0 -1
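--- a/package/dist/analyzers/tools/minified-detection.js
+++ b/package/dist/analyzers/tools/minified-detection.js
@@ -0,0 +1,147 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+var desc = Object.getOwnPropertyDescriptor(m, k);
+if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+desc = { enumerable: true, get: function() { return m[k]; } };
+}
+Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+var ownKeys = function(o) {
+ownKeys = Object.getOwnPropertyNames || function (o) {
+var ar = [];
+for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+return ar;
+};
+return ownKeys(o);
+};
+return function (mod) {
+if (mod && mod.__esModule) return mod;
+var result = {};
+if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+__setModuleDefault(result, mod);
+return result;
+};
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isLikelyMinified = isLikelyMinified;
+/**
+* Minified / bundled source-file detection.
+*
+* Complements the autogen-header probe by catching another class of
+* machine-emitted files that frequently land in customer
+* `src/` / `public/` trees: minified or bundled JavaScript / CSS.
+* These files are technically "source" by extension but carry no
+* engineering signal — they're build output (webpack / vite /
+* esbuild hash-suffixed chunks), CDN-downloaded libraries dropped
+* into `public/`, or pre-minified vendored editors. When they slip
+* past the standard exclusions they distort:
+*
+* • `largestFileLines` + `largestFilePath` ("Largest file: 18K
+* lines" points at a webpack chunk, not a human-authored file)
+* • `filesOver500Lines` (every minified JS file is one line at
+* thousands of chars, so doesn't inflate this; but the BUNDLE
+* CHUNKS that span multiple lines do)
+* • `densestFile` from graphify (4,000+ functions in a single
+* minified file)
+* • Top Files by Size (the table reads as "split these" but the
+* files are all autogen artifacts)
+*
+* Detection heuristic: read the first ~4KB, count newlines, compare
+* to byte length. If average bytes-per-line crosses a threshold the
+* file is almost certainly minified or a hash-suffixed bundle chunk.
+* Threshold picked at 500 bytes/line — well above typical
+* hand-written source (~80–120 cols, ~100 bytes/line including
+* indentation) and well below typical minified output (often
+* 5,000–50,000 bytes per "line" in single-line minified files, or
+* 200–800 bytes/line in webpack bundles with semicolon-split
+* chunks).
+*
+* Scope: applied to `.js`, `.jsx`, `.mjs`, `.cjs`, `.css`, `.scss`,
+* `.sass`, `.less`. NOT applied to `.ts` / `.tsx` because TS source
+* is rarely minified in-place (the minified output lands in a
+* separate `dist/` directory which is already excluded by the
+* standard ignore list); checking every .ts file would burn I/O
+* for no benefit.
+*
+* Repo-specific autogen that doesn't match this heuristic (e.g.
+* vendor-tool–emitted classes with hand-typeable filenames + no
+* autogen header) is best handled via `.dxkit-ignore` — a per-repo
+* customization the customer maintains.
+*/
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+/** Extensions where minified content is plausibly present in the source tree. */
+const MINIFIABLE_EXTENSIONS = new Set([
+'.js',
+'.jsx',
+'.mjs',
+'.cjs',
+'.css',
+'.scss',
+'.sass',
+'.less',
+]);
+/** Bytes-per-line floor above which the file is almost certainly
+* minified / bundled. Calibrated to admit hand-written code at any
+* reasonable line length while rejecting any minifier output. */
+const MIN_BYTES_PER_LINE_FOR_MINIFIED = 500;
+/** Sample size — large enough to get reliable line statistics on
+* even the shortest minified chunk, small enough to keep the I/O
+* cost negligible vs. the existing autogen-header probe. */
+const SAMPLE_BYTES = 4096;
+/**
+* True when the file at `absPath` looks like minified / bundled
+* output by the bytes-per-line heuristic. Returns false on read
+* errors or for files whose extension isn't in
+* `MINIFIABLE_EXTENSIONS` — over-include is preferable to silently
+* dropping legit source.
+*/
+function isLikelyMinified(absPath) {
+const ext = path.extname(absPath).toLowerCase();
+if (!MINIFIABLE_EXTENSIONS.has(ext))
+return false;
+let fd = null;
+try {
+fd = fs.openSync(absPath, 'r');
+const buf = Buffer.alloc(SAMPLE_BYTES);
+const n = fs.readSync(fd, buf, 0, SAMPLE_BYTES, 0);
+if (n === 0)
+return false;
+// Count newlines in the sample. A single-line file with N bytes
+// and zero newlines reports bytesPerLine = N (way above the
+// floor). A normal source file with N bytes and N/100 newlines
+// reports ~100 bytes/line.
+let newlines = 0;
+for (let i = 0; i < n; i++) {
+if (buf[i] === 0x0a)
+newlines++;
+}
+const linesInSample = Math.max(1, newlines);
+const bytesPerLine = n / linesInSample;
+return bytesPerLine >= MIN_BYTES_PER_LINE_FOR_MINIFIED;
+}
+catch {
+return false;
+}
+finally {
+if (fd !== null) {
+try {
+fs.closeSync(fd);
+}
+catch {
+/* ignore */
+}
+}
+}
+}
+//# sourceMappingURL=minified-detection.js.map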
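Review bot: `isLikelyMinified` decides from the first `SAMPLE_BYTES` (4096) alone, so at `const linesInSample = Math.max(1, newlines);` a full sample holding eight or fewer newlines is classified as minified whatever the rest of the file contains; a hand-written file that opens with a long single-line banner or an inlined data blob would qualify. The header comment names only size metrics as what the verdict protects, and the call sites are outside this section; if the same verdict is also used to skip secret or SAST scanning, such a file would presumably drop out of the security results without a trace, so it is worth confirming the callers and listing skipped paths in the report. The limit could be stated on the function, e.g. `// Heuristic over the first SAMPLE_BYTES only; intended for size metrics, not as a gate for security scans.` Separately, the comment on `MIN_BYTES_PER_LINE_FOR_MINIFIED` says the floor rejects "any minifier output", while the header gives 200–800 bytes/line for webpack bundles, so bundles below 500 bytes/line pass; "most minifier output" would match the code.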
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"minified-detection.js","sourceRoot":"","sources":["../../../src/analyzers/tools/minified-detection.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4EA,4CAgCC;AA5GD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AACH,uCAAyB;AACzB,2CAA6B;AAE7B,iFAAiF;AACjF,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,KAAK;IACL,MAAM;IACN,MAAM;IACN,MAAM;IACN,MAAM;IACN,OAAO;IACP,OAAO;IACP,OAAO;CACR,CAAC,CAAC;AAEH;;kEAEkE;AAClE,MAAM,+BAA+B,GAAG,GAAG,CAAC;AAE5C;;6DAE6D;AAC7D,MAAM,YAAY,GAAG,IAAI,CAAC;AAE1B;;;;;;GAMG;AACH,SAAgB,gBAAgB,CAAC,OAAe;IAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;IAChD,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAElD,IAAI,EAAE,GAAkB,IAAI,CAAC;IAC7B,IAAI,CAAC;QACH,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAC/B,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QACvC,MAAM,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC;QACnD,IAAI,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAC1B,gEAAgE;QAChE,4DAA4D;QAC5D,+DAA+D;QAC/D,2BAA2B;QAC3B,IAAI,QAAQ,GAAG,CAAC,CAAC;QACjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC3B,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI;gBAAE,QAAQ,EAAE,CAAC;QAClC,CAAC;QACD,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;QAC5C,MAAM,YAAY,GAAG,CAAC,GAAG,aAAa,CAAC;QACvC,OAAO,YAAY,IAAI,+BAA+B,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;YAAS,CAAC;QACT,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YAChB,IAAI,CAAC;gBACH,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YACnB,CAAC;YAAC,MAAM,CAAC;gBACP,YAAY;YACd,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC"}
|
|
@@ -0,0 +1,133 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Direct `<PackageReference>` parser — D025f (2.4.7).
|
|
3
|
+
*
|
|
4
|
+
* Extracts NuGet PackageReference entries from `.csproj` XML text
|
|
5
|
+
* without invoking `dotnet restore` or any other .NET toolchain. The
|
|
6
|
+
* output feeds an ad-hoc `packages.lock.json`-shaped file that
|
|
7
|
+
* osv-scanner ingests via `--lockfile=<path>` (the file MUST be
|
|
8
|
+
* literally named `packages.lock.json` — osv-scanner v2.x detects the
|
|
9
|
+
* NuGet ecosystem by filename, not by a prefix). This closes the D036
|
|
10
|
+
* customer-outcome gap on the .NET WinForms benchmark (where
|
|
11
|
+
* `dotnet list package` couldn't run from a multi-project parent
|
|
12
|
+
* directory).
|
|
13
|
+
*
|
|
14
|
+
* Lives under `src/analyzers/tools/` (alongside `osv-scanner-deps.ts`,
|
|
15
|
+
* `jacoco.ts`, `npm-registry.ts`, `cvss-v4.ts`) — CLAUDE.md rule #6
|
|
16
|
+
* keeps each language pack as a single file; ecosystem-specific tool
|
|
17
|
+
* helpers consumed by one or more packs go in `analyzers/tools/`.
|
|
18
|
+
* csharp.ts imports this module the same way it already imports
|
|
19
|
+
* `osv` and `osv-scanner-deps`.
|
|
20
|
+
*
|
|
21
|
+
* Architectural rationale:
|
|
22
|
+
*
|
|
23
|
+
* D025c (Sprint A) routed the gather through `findTool(TOOL_DEFS
|
|
24
|
+
* ['dotnet-format'])` so users with `~/.dotnet/dotnet` (the
|
|
25
|
+
* Microsoft-recommended non-sudo install) got dotnet discovered.
|
|
26
|
+
* That fix was necessary but not sufficient: `dotnet list package
|
|
27
|
+
* --vulnerable` still requires an explicit `.csproj`/`.sln` in cwd,
|
|
28
|
+
* and the .NET WinForms benchmark's
|
|
29
|
+
* `Code/Source/Dev/Core/<Module>/<Module>.csproj` layout puts the
|
|
30
|
+
* project files 3 levels deeper than the natural
|
|
31
|
+
* `dxkit vulnerabilities Code/Source/` cwd.
|
|
32
|
+
*
|
|
33
|
+
* D025f sidesteps the dotnet CLI entirely. We walk every `.csproj`
|
|
34
|
+
* reachable from cwd (depth 5, matching csharp.detect()), parse
|
|
35
|
+
* each, and feed the union to osv-scanner via a synthetic lockfile.
|
|
36
|
+
* Cross-platform — `net9.0-windows` targets that won't restore on
|
|
37
|
+
* Linux/Mac still get scanned.
|
|
38
|
+
*
|
|
39
|
+
* Trade-off: this catches DIRECT PackageReferences only. Transitive
|
|
40
|
+
* deps (resolved by NuGet's dep graph from each direct ref's own
|
|
41
|
+
* dependencies) are NOT visible without a populated
|
|
42
|
+
* `project.assets.json`. Industry studies put ~80% of typical
|
|
43
|
+
* .NET CVE surface on direct refs; the remaining ~20% (transitives)
|
|
44
|
+
* land cleanly when `dotnet restore` is available and the
|
|
45
|
+
* dotnet-path-resolved D025c codepath runs.
|
|
46
|
+
*
|
|
47
|
+
* Shared with D031: the licenses degraded-inventory fallback uses the
|
|
48
|
+
* same parser to produce a "133 packages identified; license info
|
|
49
|
+
* unavailable" rendering when `nuget-license` isn't installed.
|
|
50
|
+
*
|
|
51
|
+
* Pure function. No I/O. Tested via a fixture suite of representative
|
|
52
|
+
* .csproj shapes (attribute-form, element-form, Central Package
|
|
53
|
+
* Management, conditional `<ItemGroup>` blocks).
|
|
54
|
+
*/
|
|
55
|
+
/**
|
|
56
|
+
* Per-package entry extracted from a `.csproj`. Both fields are
|
|
57
|
+
* post-trimmed; `version` is the raw NuGet version string (which may
|
|
58
|
+
* be a single version `"9.0.1"` or a range `"[9.0.1, 10.0.0)"` —
|
|
59
|
+
* osv-scanner accepts both forms in the lockfile's `resolved` field).
|
|
60
|
+
*/
|
|
61
|
+
export interface PackageReferenceEntry {
|
|
62
|
+
name: string;
|
|
63
|
+
version: string;
|
|
64
|
+
}
|
|
65
|
+
/**
|
|
66
|
+
* Match shapes (in priority order):
|
|
67
|
+
*
|
|
68
|
+
* 1. `<PackageReference Include="Foo" Version="1.0.0" />` — most
|
|
69
|
+
* common; attributes can appear in any order (also matched
|
|
70
|
+
* `Version="1.0.0" Include="Foo"`).
|
|
71
|
+
* 2. `<PackageReference Include="Foo"><Version>1.0.0</Version>
|
|
72
|
+
* </PackageReference>` — element-form, equivalent semantics;
|
|
73
|
+
* common in repos that prefer multiline configs or use child
|
|
74
|
+
* elements for `<PrivateAssets>`/`<IncludeAssets>` siblings.
|
|
75
|
+
* 3. `<PackageReference Include="Foo" />` WITHOUT Version — Central
|
|
76
|
+
* Package Management (CPM): the version comes from a separate
|
|
77
|
+
* `Directory.Packages.props` file. Skipped here; the CPM-aware
|
|
78
|
+
* pass (a future enhancement) would resolve them.
|
|
79
|
+
*
|
|
80
|
+
* Skipped shapes:
|
|
81
|
+
*
|
|
82
|
+
* - `<PackageReference Update="Foo" Version="..." />` — CPM
|
|
83
|
+
* override syntax for transitive pins; NOT a direct reference.
|
|
84
|
+
* - `<GlobalPackageReference ... />` — CPM-only; pins all projects.
|
|
85
|
+
* Not a direct reference of this csproj.
|
|
86
|
+
* - Comments / CDATA — best-effort; the regex is generous and
|
|
87
|
+
* can theoretically match `<!-- <PackageReference ... -->`
|
|
88
|
+
* comments; users with literal PackageReference strings inside
|
|
89
|
+
* comments would get false positives. Acceptable: pathological
|
|
90
|
+
* case, and osv-scanner won't surface advisories for non-real
|
|
91
|
+
* packages, so the worst case is a wasted scan entry.
|
|
92
|
+
*/
|
|
93
|
+
export declare function parseCsprojPackageReferences(xml: string): PackageReferenceEntry[];
|
|
94
|
+
/**
|
|
95
|
+
* Generate the body of an ad-hoc `packages.lock.json` that osv-scanner
|
|
96
|
+
* v2.x reads via `--lockfile=<path>` (caller MUST write this content to
|
|
97
|
+
* a file literally named `packages.lock.json` — osv-scanner detects
|
|
98
|
+
* ecosystem by filename). The schema matches NuGet's native
|
|
99
|
+
* `dotnet restore`-produced lockfile (which osv-scanner already
|
|
100
|
+
* supports natively), simplified to the minimum osv-scanner consults
|
|
101
|
+
* for vulnerability matching:
|
|
102
|
+
*
|
|
103
|
+
* {
|
|
104
|
+
* "version": 1,
|
|
105
|
+
* "dependencies": {
|
|
106
|
+
* "net0.0": {
|
|
107
|
+
* "<Pkg>": {
|
|
108
|
+
* "type": "Direct",
|
|
109
|
+
* "resolved": "<Version>",
|
|
110
|
+
* "requested": "[<Version>, )"
|
|
111
|
+
* }
|
|
112
|
+
* }
|
|
113
|
+
* }
|
|
114
|
+
* }
|
|
115
|
+
*
|
|
116
|
+
* - `"version": 1` matches `dotnet restore`'s lockfile schema version.
|
|
117
|
+
* - `"net0.0"` is a placeholder framework moniker — osv-scanner reads
|
|
118
|
+
* the package map without validating the framework key, so any
|
|
119
|
+
* non-empty string works. We use a non-real moniker so it can't be
|
|
120
|
+
* confused with a real target framework in downstream debugging.
|
|
121
|
+
* - `type: "Direct"` truthfully reflects that we ONLY parsed direct
|
|
122
|
+
* references. Transitive vulns are out of scope for this path
|
|
123
|
+
* (covered by D025c's `dotnet list` codepath when available).
|
|
124
|
+
* - `requested` is a NuGet version range; we use a single-anchored
|
|
125
|
+
* `[V, )` form so the lockfile is valid even though the real
|
|
126
|
+
* `.csproj` might have been a pinned single version.
|
|
127
|
+
*
|
|
128
|
+
* Returns a JSON-stringified string suitable for writing to a temp
|
|
129
|
+
* file. Callers should clean up the temp file after osv-scanner
|
|
130
|
+
* consumes it.
|
|
131
|
+
*/
|
|
132
|
+
export declare function buildNugetAdhocLockfile(entries: ReadonlyArray<PackageReferenceEntry>): string;
|
|
133
|
+
//# sourceMappingURL=nuget-package-reference.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"nuget-package-reference.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/nuget-package-reference.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqDG;AAEH;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,4BAA4B,CAAC,GAAG,EAAE,MAAM,GAAG,qBAAqB,EAAE,CA6BjF;AAiBD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,aAAa,CAAC,qBAAqB,CAAC,GAAG,MAAM,CAiB7F"}
|
|
@@ -0,0 +1,177 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Direct `<PackageReference>` parser — D025f (2.4.7).
|
|
4
|
+
*
|
|
5
|
+
* Extracts NuGet PackageReference entries from `.csproj` XML text
|
|
6
|
+
* without invoking `dotnet restore` or any other .NET toolchain. The
|
|
7
|
+
* output feeds an ad-hoc `packages.lock.json`-shaped file that
|
|
8
|
+
* osv-scanner ingests via `--lockfile=<path>` (the file MUST be
|
|
9
|
+
* literally named `packages.lock.json` — osv-scanner v2.x detects the
|
|
10
|
+
* NuGet ecosystem by filename, not by a prefix). This closes the D036
|
|
11
|
+
* customer-outcome gap on the .NET WinForms benchmark (where
|
|
12
|
+
* `dotnet list package` couldn't run from a multi-project parent
|
|
13
|
+
* directory).
|
|
14
|
+
*
|
|
15
|
+
* Lives under `src/analyzers/tools/` (alongside `osv-scanner-deps.ts`,
|
|
16
|
+
* `jacoco.ts`, `npm-registry.ts`, `cvss-v4.ts`) — CLAUDE.md rule #6
|
|
17
|
+
* keeps each language pack as a single file; ecosystem-specific tool
|
|
18
|
+
* helpers consumed by one or more packs go in `analyzers/tools/`.
|
|
19
|
+
* csharp.ts imports this module the same way it already imports
|
|
20
|
+
* `osv` and `osv-scanner-deps`.
|
|
21
|
+
*
|
|
22
|
+
* Architectural rationale:
|
|
23
|
+
*
|
|
24
|
+
* D025c (Sprint A) routed the gather through `findTool(TOOL_DEFS
|
|
25
|
+
* ['dotnet-format'])` so users with `~/.dotnet/dotnet` (the
|
|
26
|
+
* Microsoft-recommended non-sudo install) got dotnet discovered.
|
|
27
|
+
* That fix was necessary but not sufficient: `dotnet list package
|
|
28
|
+
* --vulnerable` still requires an explicit `.csproj`/`.sln` in cwd,
|
|
29
|
+
* and the .NET WinForms benchmark's
|
|
30
|
+
* `Code/Source/Dev/Core/<Module>/<Module>.csproj` layout puts the
|
|
31
|
+
* project files 3 levels deeper than the natural
|
|
32
|
+
* `dxkit vulnerabilities Code/Source/` cwd.
|
|
33
|
+
*
|
|
34
|
+
* D025f sidesteps the dotnet CLI entirely. We walk every `.csproj`
|
|
35
|
+
* reachable from cwd (depth 5, matching csharp.detect()), parse
|
|
36
|
+
* each, and feed the union to osv-scanner via a synthetic lockfile.
|
|
37
|
+
* Cross-platform — `net9.0-windows` targets that won't restore on
|
|
38
|
+
* Linux/Mac still get scanned.
|
|
39
|
+
*
|
|
40
|
+
* Trade-off: this catches DIRECT PackageReferences only. Transitive
|
|
41
|
+
* deps (resolved by NuGet's dep graph from each direct ref's own
|
|
42
|
+
* dependencies) are NOT visible without a populated
|
|
43
|
+
* `project.assets.json`. Industry studies put ~80% of typical
|
|
44
|
+
* .NET CVE surface on direct refs; the remaining ~20% (transitives)
|
|
45
|
+
* land cleanly when `dotnet restore` is available and the
|
|
46
|
+
* dotnet-path-resolved D025c codepath runs.
|
|
47
|
+
*
|
|
48
|
+
* Shared with D031: the licenses degraded-inventory fallback uses the
|
|
49
|
+
* same parser to produce a "133 packages identified; license info
|
|
50
|
+
* unavailable" rendering when `nuget-license` isn't installed.
|
|
51
|
+
*
|
|
52
|
+
* Pure function. No I/O. Tested via a fixture suite of representative
|
|
53
|
+
* .csproj shapes (attribute-form, element-form, Central Package
|
|
54
|
+
* Management, conditional `<ItemGroup>` blocks).
|
|
55
|
+
*/
|
|
56
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
57
|
+
exports.parseCsprojPackageReferences = parseCsprojPackageReferences;
|
|
58
|
+
exports.buildNugetAdhocLockfile = buildNugetAdhocLockfile;
|
|
59
|
+
/**
|
|
60
|
+
* Match shapes (in priority order):
|
|
61
|
+
*
|
|
62
|
+
* 1. `<PackageReference Include="Foo" Version="1.0.0" />` — most
|
|
63
|
+
* common; attributes can appear in any order (also matched
|
|
64
|
+
* `Version="1.0.0" Include="Foo"`).
|
|
65
|
+
* 2. `<PackageReference Include="Foo"><Version>1.0.0</Version>
|
|
66
|
+
* </PackageReference>` — element-form, equivalent semantics;
|
|
67
|
+
* common in repos that prefer multiline configs or use child
|
|
68
|
+
* elements for `<PrivateAssets>`/`<IncludeAssets>` siblings.
|
|
69
|
+
* 3. `<PackageReference Include="Foo" />` WITHOUT Version — Central
|
|
70
|
+
* Package Management (CPM): the version comes from a separate
|
|
71
|
+
* `Directory.Packages.props` file. Skipped here; the CPM-aware
|
|
72
|
+
* pass (a future enhancement) would resolve them.
|
|
73
|
+
*
|
|
74
|
+
* Skipped shapes:
|
|
75
|
+
*
|
|
76
|
+
* - `<PackageReference Update="Foo" Version="..." />` — CPM
|
|
77
|
+
* override syntax for transitive pins; NOT a direct reference.
|
|
78
|
+
* - `<GlobalPackageReference ... />` — CPM-only; pins all projects.
|
|
79
|
+
* Not a direct reference of this csproj.
|
|
80
|
+
* - Comments / CDATA — best-effort; the regex is generous and
|
|
81
|
+
* can theoretically match `<!-- <PackageReference ... -->`
|
|
82
|
+
* comments; users with literal PackageReference strings inside
|
|
83
|
+
* comments would get false positives. Acceptable: pathological
|
|
84
|
+
* case, and osv-scanner won't surface advisories for non-real
|
|
85
|
+
* packages, so the worst case is a wasted scan entry.
|
|
86
|
+
*/
|
|
87
|
+
function parseCsprojPackageReferences(xml) {
|
|
88
|
+
const out = [];
|
|
89
|
+
const seen = new Set(); // dedupe `${name}@${version}` within a single .csproj
|
|
90
|
+
// Form 1 (attribute-form): two attribute orderings.
|
|
91
|
+
// Match Include="X" ... Version="Y"
|
|
92
|
+
const attrIncludeFirstRe = /<PackageReference\s+[^>]*\bInclude\s*=\s*"([^"]+)"[^>]*\bVersion\s*=\s*"([^"]+)"[^>]*\/?>/gi;
|
|
93
|
+
// Match Version="Y" ... Include="X"
|
|
94
|
+
const attrVersionFirstRe = /<PackageReference\s+[^>]*\bVersion\s*=\s*"([^"]+)"[^>]*\bInclude\s*=\s*"([^"]+)"[^>]*\/?>/gi;
|
|
95
|
+
let m;
|
|
96
|
+
while ((m = attrIncludeFirstRe.exec(xml)) !== null) {
|
|
97
|
+
pushEntry(out, seen, m[1], m[2]);
|
|
98
|
+
}
|
|
99
|
+
while ((m = attrVersionFirstRe.exec(xml)) !== null) {
|
|
100
|
+
pushEntry(out, seen, m[2], m[1]);
|
|
101
|
+
}
|
|
102
|
+
// Form 2 (element-form): <PackageReference Include="X"><Version>Y</Version>...</PackageReference>
|
|
103
|
+
// The element form spans multiple lines; the regex is multi-line aware.
|
|
104
|
+
const elementFormRe = /<PackageReference\s+[^>]*\bInclude\s*=\s*"([^"]+)"[^>]*>[\s\S]*?<Version>\s*([^<\s]+)\s*<\/Version>[\s\S]*?<\/PackageReference>/gi;
|
|
105
|
+
while ((m = elementFormRe.exec(xml)) !== null) {
|
|
106
|
+
pushEntry(out, seen, m[1], m[2]);
|
|
107
|
+
}
|
|
108
|
+
return out;
|
|
109
|
+
}
|
|
110
|
+
function pushEntry(out, seen, rawName, rawVersion) {
|
|
111
|
+
const name = rawName.trim();
|
|
112
|
+
const version = rawVersion.trim();
|
|
113
|
+
if (!name || !version)
|
|
114
|
+
return;
|
|
115
|
+
const key = `${name}@${version}`;
|
|
116
|
+
if (seen.has(key))
|
|
117
|
+
return;
|
|
118
|
+
seen.add(key);
|
|
119
|
+
out.push({ name, version });
|
|
120
|
+
}
|
|
121
|
+
/**
|
|
122
|
+
* Generate the body of an ad-hoc `packages.lock.json` that osv-scanner
|
|
123
|
+
* v2.x reads via `--lockfile=<path>` (caller MUST write this content to
|
|
124
|
+
* a file literally named `packages.lock.json` — osv-scanner detects
|
|
125
|
+
* ecosystem by filename). The schema matches NuGet's native
|
|
126
|
+
* `dotnet restore`-produced lockfile (which osv-scanner already
|
|
127
|
+
* supports natively), simplified to the minimum osv-scanner consults
|
|
128
|
+
* for vulnerability matching:
|
|
129
|
+
*
|
|
130
|
+
* {
|
|
131
|
+
* "version": 1,
|
|
132
|
+
* "dependencies": {
|
|
133
|
+
* "net0.0": {
|
|
134
|
+
* "<Pkg>": {
|
|
135
|
+
* "type": "Direct",
|
|
136
|
+
* "resolved": "<Version>",
|
|
137
|
+
* "requested": "[<Version>, )"
|
|
138
|
+
* }
|
|
139
|
+
* }
|
|
140
|
+
* }
|
|
141
|
+
* }
|
|
142
|
+
*
|
|
143
|
+
* - `"version": 1` matches `dotnet restore`'s lockfile schema version.
|
|
144
|
+
* - `"net0.0"` is a placeholder framework moniker — osv-scanner reads
|
|
145
|
+
* the package map without validating the framework key, so any
|
|
146
|
+
* non-empty string works. We use a non-real moniker so it can't be
|
|
147
|
+
* confused with a real target framework in downstream debugging.
|
|
148
|
+
* - `type: "Direct"` truthfully reflects that we ONLY parsed direct
|
|
149
|
+
* references. Transitive vulns are out of scope for this path
|
|
150
|
+
* (covered by D025c's `dotnet list` codepath when available).
|
|
151
|
+
* - `requested` is a NuGet version range; we use a single-anchored
|
|
152
|
+
* `[V, )` form so the lockfile is valid even though the real
|
|
153
|
+
* `.csproj` might have been a pinned single version.
|
|
154
|
+
*
|
|
155
|
+
* Returns a JSON-stringified string suitable for writing to a temp
|
|
156
|
+
* file. Callers should clean up the temp file after osv-scanner
|
|
157
|
+
* consumes it.
|
|
158
|
+
*/
|
|
159
|
+
function buildNugetAdhocLockfile(entries) {
|
|
160
|
+
const dependencies = { 'net0.0': {} };
|
|
161
|
+
for (const entry of entries) {
|
|
162
|
+
// If the same package appears in multiple .csproj files at different
|
|
163
|
+
// versions, last-write-wins per the lockfile shape (it's one entry
|
|
164
|
+
// per package name within a framework). osv-scanner will scan
|
|
165
|
+
// whichever version we stamped; the cross-csproj merging trade-off
|
|
166
|
+
// is documented at the caller. At enterprise scale (~74 csprojs)
|
|
167
|
+
// collisions are common but typically converge on a single resolved
|
|
168
|
+
// version per the repo's dependency hygiene practices.
|
|
169
|
+
dependencies['net0.0'][entry.name] = {
|
|
170
|
+
type: 'Direct',
|
|
171
|
+
resolved: entry.version,
|
|
172
|
+
requested: `[${entry.version}, )`,
|
|
173
|
+
};
|
|
174
|
+
}
|
|
175
|
+
return JSON.stringify({ version: 1, dependencies }, null, 2);
|
|
176
|
+
}
|
|
177
|
+
//# sourceMappingURL=nuget-package-reference.js.map
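Review bot: `elementFormRe` in `parseCsprojPackageReferences` can pair a package with another package's version, because its opening-tag part `[^>]*>` also accepts a self-closing `<PackageReference Include="A" />` and the lazy `[\s\S]*?` then runs on to the `<Version>` child of a later reference. In a file that mixes a version-less (CPM) or attribute-form reference with an element-form one, this records A at B's version, while B is consumed by the same match and never recorded. The lockfile handed to osv-scanner then misses a real dependency and lists another at a version the project does not use. I would reject self-closing opening tags and keep the body from crossing another reference, e.g. `"[^>]*(?<!\/)>(?:(?!<\/?PackageReference\b)[\s\S])*?<Version>` in place of `"[^>]*>[\s\S]*?<Version>`. A fixture with a CPM reference followed by an element-form reference would pin the behaviour.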
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"nuget-package-reference.js","sourceRoot":"","sources":["../../../src/analyzers/tools/nuget-package-reference.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqDG;;AAyCH,oEA6BC;AAuDD,0DAiBC;AAjID;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,SAAgB,4BAA4B,CAAC,GAAW;IACtD,MAAM,GAAG,GAA4B,EAAE,CAAC;IACxC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC,CAAC,sDAAsD;IAEtF,oDAAoD;IACpD,oCAAoC;IACpC,MAAM,kBAAkB,GACtB,6FAA6F,CAAC;IAChG,oCAAoC;IACpC,MAAM,kBAAkB,GACtB,6FAA6F,CAAC;IAEhG,IAAI,CAAyB,CAAC;IAC9B,OAAO,CAAC,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACnD,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,CAAC,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACnD,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;IAED,kGAAkG;IAClG,wEAAwE;IACxE,MAAM,aAAa,GACjB,mIAAmI,CAAC;IACtI,OAAO,CAAC,CAAC,GAAG,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC9C,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,SAAS,CAChB,GAA4B,EAC5B,IAAiB,EACjB,OAAe,EACf,UAAkB;IAElB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC5B,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;IAClC,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO;QAAE,OAAO;IAC9B,MAAM,GAAG,GAAG,GAAG,IAAI,IAAI,OAAO,EAAE,CAAC;IACjC,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO;IAC1B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACd,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;AAC9B,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,SAAgB,uBAAuB,CAAC,OAA6C;IACnF,MAAM,YAAY,GAA4C,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;IAC/E,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,qEAAqE;QACrE,mEAAmE;QACnE,8DAA8D;QAC9D,mEAAmE;QACnE,iEAAiE;QACjE,oEAAoE;QACpE,uDAAuD;QACvD,YAAY,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG;YACnC,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,KAAK,CAAC,OAAO;YACvB,SAAS,EAAE,IAAI,KAAK,CAAC,OAAO,KAAK;SAClC
,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AAC/D,CAAC"}
|
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import type { DepVulnFinding, DepVulnGatherOutcome, SeverityCounts } from '../../languages/capabilities/types';
|
|
2
|
+
import type { LanguageId } from '../../types';
|
|
2
3
|
/**
|
|
3
4
|
* Pure parser for osv-scanner v2.x JSON output, scoped to a single
|
|
4
5
|
* ecosystem. Other ecosystems are filtered out so polyglot repos
|
|
@@ -12,7 +13,7 @@ import type { DepVulnFinding, DepVulnGatherOutcome, SeverityCounts } from '../..
|
|
|
12
13
|
* Returns counts + findings + the raw OSV vuln records for downstream
|
|
13
14
|
* CVSS resolution. Exported for unit tests.
|
|
14
15
|
*/
|
|
15
|
-
export declare function parseOsvScannerFindings(raw: string, ecosystem: string): {
|
|
16
|
+
export declare function parseOsvScannerFindings(raw: string, ecosystem: string, packId?: LanguageId): {
|
|
16
17
|
counts: SeverityCounts;
|
|
17
18
|
findings: DepVulnFinding[];
|
|
18
19
|
vulnsForCvss: Array<{
|
|
@@ -43,5 +44,5 @@ export declare function parseOsvScannerFindings(raw: string, ecosystem: string):
|
|
|
43
44
|
* `database_specific.severity` strings. resolveCvssScores looks up
|
|
44
45
|
* via CVE alias when the primary record lacks a vector.
|
|
45
46
|
*/
|
|
46
|
-
export declare function gatherOsvScannerDepVulnsResult(cwd: string,
|
|
47
|
+
export declare function gatherOsvScannerDepVulnsResult(cwd: string, packId: LanguageId, ecosystem: string, manifestCandidates: string[]): Promise<DepVulnGatherOutcome>;
|
|
47
48
|
//# sourceMappingURL=osv-scanner-deps.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"osv-scanner-deps.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/osv-scanner-deps.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"osv-scanner-deps.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/osv-scanner-deps.ts"],"names":[],"mappings":"AAoCA,OAAO,KAAK,EACV,cAAc,EACd,oBAAoB,EAEpB,cAAc,EACf,MAAM,oCAAoC,CAAC;AAC5C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAiB9C;;;;;;;;;;;;GAYG;AACH,wBAAgB,uBAAuB,CACrC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,UAAU,GAClB;IACD,MAAM,EAAE,cAAc,CAAC;IACvB,QAAQ,EAAE,cAAc,EAAE,CAAC;IAC3B,YAAY,EAAE,KAAK,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;CAC5F,CA8EA;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,8BAA8B,CAClD,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,UAAU,EAClB,SAAS,EAAE,MAAM,EACjB,kBAAkB,EAAE,MAAM,EAAE,GAC3B,OAAO,CAAC,oBAAoB,CAAC,CAiD/B"}
|
|
@@ -45,7 +45,7 @@ const tool_registry_1 = require("./tool-registry");
|
|
|
45
45
|
* Returns counts + findings + the raw OSV vuln records for downstream
|
|
46
46
|
* CVSS resolution. Exported for unit tests.
|
|
47
47
|
*/
|
|
48
|
-
function parseOsvScannerFindings(raw, ecosystem) {
|
|
48
|
+
function parseOsvScannerFindings(raw, ecosystem, packId) {
|
|
49
49
|
const counts = { critical: 0, high: 0, medium: 0, low: 0 };
|
|
50
50
|
const findings = [];
|
|
51
51
|
const vulnsForCvss = [];
|
|
@@ -87,12 +87,27 @@ function parseOsvScannerFindings(raw, ecosystem) {
|
|
|
87
87
|
tool: 'osv-scanner',
|
|
88
88
|
severity: tier,
|
|
89
89
|
};
|
|
90
|
+
// G_v4_4 (2.4.7): stamp the producing pack so `buildUpgradeCommand`
|
|
91
|
+
// can dispatch to the right `LanguageSupport.upgradeCommand` without
|
|
92
|
+
// a hardcoded switch on `tool`. Caller passes the pack id; absent
|
|
93
|
+
// (`undefined`) only on legacy paths we haven't migrated yet.
|
|
94
|
+
if (packId)
|
|
95
|
+
finding.packId = packId;
|
|
90
96
|
if (cvss !== null)
|
|
91
97
|
finding.cvssScore = cvss;
|
|
92
98
|
if (aliases.length > 0)
|
|
93
99
|
finding.aliases = aliases;
|
|
94
100
|
if (vuln.summary)
|
|
95
101
|
finding.summary = vuln.summary;
|
|
102
|
+
// D042: surface the patch version when OSV's `affected[].
|
|
103
|
+
// ranges[].events[].fixed` is populated. This is the customer's
|
|
104
|
+
// actionable next-step (e.g. "upgrade Newtonsoft.Json from
|
|
105
|
+
// 9.0.1 to 13.0.1 to clear GHSA-5crp-9r3c-p9vr"). Pre-D042 the
|
|
106
|
+
// standalone scan rendered `Fix: —` for every osv-scanner-
|
|
107
|
+
// sourced finding because this field went unread.
|
|
108
|
+
const fixVersion = (0, osv_1.extractOsvFixVersion)(vuln);
|
|
109
|
+
if (fixVersion)
|
|
110
|
+
finding.fixedVersion = fixVersion;
|
|
96
111
|
// OSV.dev hosts a canonical page per id — synthesize when the
|
|
97
112
|
// record's `references[]` is empty, otherwise keep the
|
|
98
113
|
// tool-supplied URLs.
|
|
@@ -132,7 +147,7 @@ function parseOsvScannerFindings(raw, ecosystem) {
|
|
|
132
147
|
* `database_specific.severity` strings. resolveCvssScores looks up
|
|
133
148
|
* via CVE alias when the primary record lacks a vector.
|
|
134
149
|
*/
|
|
135
|
-
async function gatherOsvScannerDepVulnsResult(cwd,
|
|
150
|
+
async function gatherOsvScannerDepVulnsResult(cwd, packId, ecosystem, manifestCandidates) {
|
|
136
151
|
let manifest = null;
|
|
137
152
|
for (const rel of manifestCandidates) {
|
|
138
153
|
if ((0, runner_1.fileExists)(cwd, rel)) {
|
|
@@ -140,15 +155,20 @@ async function gatherOsvScannerDepVulnsResult(cwd, source, ecosystem, manifestCa
|
|
|
140
155
|
break;
|
|
141
156
|
}
|
|
142
157
|
}
|
|
143
|
-
if (!manifest)
|
|
144
|
-
return {
|
|
158
|
+
if (!manifest) {
|
|
159
|
+
return {
|
|
160
|
+
kind: 'no-manifest',
|
|
161
|
+
reason: `no lockfile found (looked for: ${manifestCandidates.join(', ')})`,
|
|
162
|
+
};
|
|
163
|
+
}
|
|
145
164
|
const scanner = (0, tool_registry_1.findTool)(tool_registry_1.TOOL_DEFS['osv-scanner'], cwd);
|
|
146
|
-
if (!scanner.available || !scanner.path)
|
|
147
|
-
return { kind: '
|
|
165
|
+
if (!scanner.available || !scanner.path) {
|
|
166
|
+
return { kind: 'unavailable', reason: 'osv-scanner not installed' };
|
|
167
|
+
}
|
|
148
168
|
const raw = (0, runner_1.run)(`${scanner.path} scan source --lockfile ${manifest} --format json 2>/dev/null`, cwd, 180000);
|
|
149
169
|
if (!raw)
|
|
150
|
-
return { kind: 'no
|
|
151
|
-
const { counts, findings, vulnsForCvss } = parseOsvScannerFindings(raw, ecosystem);
|
|
170
|
+
return { kind: 'unavailable', reason: 'osv-scanner produced no output' };
|
|
171
|
+
const { counts, findings, vulnsForCvss } = parseOsvScannerFindings(raw, ecosystem, packId);
|
|
152
172
|
if (findings.length > 0) {
|
|
153
173
|
const resolved = await (0, osv_1.resolveCvssScores)(vulnsForCvss);
|
|
154
174
|
for (const f of findings) {
|
|
@@ -164,12 +184,10 @@ async function gatherOsvScannerDepVulnsResult(cwd, source, ecosystem, manifestCa
|
|
|
164
184
|
counts,
|
|
165
185
|
findings,
|
|
166
186
|
};
|
|
167
|
-
//
|
|
168
|
-
//
|
|
169
|
-
//
|
|
170
|
-
//
|
|
171
|
-
// we want to attribute findings to the originating pack).
|
|
172
|
-
void source;
|
|
187
|
+
// G_v4_4 (2.4.7): `packId` is forwarded into `parseOsvScannerFindings`
|
|
188
|
+
// so each finding carries the producing pack, which `buildUpgradeCommand`
|
|
189
|
+
// dispatches on. Envelope-level `tool: 'osv-scanner'` stays as the
|
|
190
|
+
// tool-attribution string used in `toolsUsed`.
|
|
173
191
|
return { kind: 'success', envelope };
|
|
174
192
|
}
|
|
175
193
|
//# sourceMappingURL=osv-scanner-deps.js.map
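Review bot: In `gatherOsvScannerDepVulnsResult` (new line 168, an unchanged line in the `+155,20` hunk) the scanner command is still built as one string, `${scanner.path} scan source --lockfile ${manifest} --format json 2>/dev/null`, with both values interpolated unquoted. The `2>/dev/null` redirect suggests `run` passes this to a shell (its implementation is not on this page), in which case a tool path or manifest name containing spaces or shell metacharacters changes the command that executes. `manifest` is taken from the caller-supplied `manifestCandidates`, so safety currently depends on every caller passing fixed, plain file names. Passing the arguments as an array to a non-shell exec helper, or at least quoting both values, would remove that dependency. Discarding stderr also means the new `'osv-scanner produced no output'` reason cannot distinguish a crash from a rejected lockfile; the function body is split across several hunks here, so how the rest handles that is not visible.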
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"osv-scanner-deps.js","sourceRoot":"","sources":["../../../src/analyzers/tools/osv-scanner-deps.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"osv-scanner-deps.js","sourceRoot":"","sources":["../../../src/analyzers/tools/osv-scanner-deps.ts"],"names":[],"mappings":";;AAwEA,0DAsFC;AAwBD,wEAsDC;AA5OD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,+BAMe;AACf,qCAA2C;AAC3C,mDAAsD;AAwBtD;;;;;;;;;;;;GAYG;AACH,SAAgB,uBAAuB,CACrC,GAAW,EACX,SAAiB,EACjB,MAAmB;IAMnB,MAAM,MAAM,GAAmB,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC3E,MAAM,QAAQ,GAAqB,EAAE,CAAC;IACtC,MAAM,YAAY,GAIb,EAAE,CAAC;IACR,IAAI,IAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;IAC5C,CAAC;IACD,oEAAoE;IACpE,sEAAsE;IACtE,oEAAoE;IACpE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC;QACxC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;YACxC,IAAI,GAAG,CAAC,OAAO,EAAE,SAAS,KAAK,SAAS;gBAAE,SAAS;YACnD,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,SAAS,CAAC;YAC9C,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;YACvC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,eAAe,IAAI,EAAE,EAAE,CAAC;gBAC7C,IAAI,CAAC,IAAI,CAAC,EAAE;oBAAE,SAAS;gBACvB,MAAM,QAAQ,GAAG,GAAG,OAAO,KAAK,UAAU,IAAI,EAAE,KAAK,IAAI,CAAC,EAAE,EAAE,CAAC;gBAC/D,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBACjC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBAEnB,MAAM,GAAG,GAAG,IAAA,yBAAmB,EAAC,IAAI,CAAC,CAAC;gBACtC,MAAM,IAAI,GACR,GAAG,KAAK,UAAU,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,KAAK;oBACvE,CAAC,CAAC,GAAG;oBACL,CAAC,CAAC,QAAQ,CAAC;gBACf,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBAEf,MAAM,IAAI,GAAG,IAAA,yBAAmB,EAAC,IAAI,CAAC,CAAC;gBACvC,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBACtE,MAAM,OAAO,GAAmB;oBAC9B,EAAE,EAAE,IAAI,CAAC,EAAE;oBACX,OAAO,EAAE,OAAO;oBAChB,gBAAgB,EAAE,UAAU;oBAC5B,IAAI,EAAE,aAAa;oBACnB,QAAQ,EAAE,IAAI;iBACf,CAAC;gBACF,oEAAoE;gBACpE,qEAAqE;gBACrE,kEAAkE;gBAClE,8DAA8D;gBAC9D,IAAI,MAAM;oBAAE,OAAO,CAAC,MAAM,G
AAG,MAAM,CAAC;gBACpC,IAAI,IAAI,KAAK,IAAI;oBAAE,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;gBAC5C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;oBAAE,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC;gBAClD,IAAI,IAAI,CAAC,OAAO;oBAAE,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;gBACjD,0DAA0D;gBAC1D,gEAAgE;gBAChE,2DAA2D;gBAC3D,+DAA+D;gBAC/D,2DAA2D;gBAC3D,kDAAkD;gBAClD,MAAM,UAAU,GAAG,IAAA,0BAAoB,EAAC,IAAI,CAAC,CAAC;gBAC9C,IAAI,UAAU;oBAAE,OAAO,CAAC,YAAY,GAAG,UAAU,CAAC;gBAClD,8DAA8D;gBAC9D,uDAAuD;gBACvD,sBAAsB;gBACtB,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC1F,OAAO,CAAC,UAAU;oBAChB,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,iCAAiC,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC9E,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAEvB,YAAY,CAAC,IAAI,CAAC;oBAChB,SAAS,EAAE,IAAI,CAAC,EAAE;oBAClB,YAAY,EAAE,IAAI;oBAClB,OAAO;iBACR,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;AAC5C,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACI,KAAK,UAAU,8BAA8B,CAClD,GAAW,EACX,MAAkB,EAClB,SAAiB,EACjB,kBAA4B;IAE5B,IAAI,QAAQ,GAAkB,IAAI,CAAC;IACnC,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;QACrC,IAAI,IAAA,mBAAU,EAAC,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;YACzB,QAAQ,GAAG,GAAG,CAAC;YACf,MAAM;QACR,CAAC;IACH,CAAC;IACD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO;YACL,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,kCAAkC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;SAC3E,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,IAAA,wBAAQ,EAAC,yBAAS,CAAC,aAAa,CAAC,EAAE,GAAG,CAAC,CAAC;IACxD,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACxC,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC;IACtE,CAAC;IAED,MAAM,GAAG,GAAG,IAAA,YAAG,EACb,GAAG,OAAO,CAAC,IAAI,2BAA2B,QAAQ,4BAA4B,EAC9E,GAAG,EACH,MAAM,CACP,CAAC;IACF,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,gCAAgC,EAAE,CAAC;IAEnF,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,uBAAuB,CAAC,GAAG,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IAE3F,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,Q
AAQ,GAAG,MAAM,IAAA,uBAAiB,EAAC,YAAY,CAAC,CAAC;QACvD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACjC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS;gBAAE,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC;QACjE,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,aAAa,EAAE,CAAC;QAChB,IAAI,EAAE,aAAa;QACnB,UAAU,EAAE,SAAS;QACrB,MAAM;QACN,QAAQ;KACT,CAAC;IACF,uEAAuE;IACvE,0EAA0E;IAC1E,mEAAmE;IACnE,+CAA+C;IAC/C,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AACvC,CAAC"}
|