@vyuhlabs/dxkit 2.4.6 → 2.4.8

Files changed (357) hide show
  1. package/CHANGELOG.md +1076 -0
  2. package/README.md +132 -27
  3. package/dist/analysis-result.d.ts +112 -0
  4. package/dist/analysis-result.d.ts.map +1 -0
  5. package/dist/analysis-result.js +52 -0
  6. package/dist/analysis-result.js.map +1 -0
  7. package/dist/analyzers/bom/detailed.d.ts.map +1 -1
  8. package/dist/analyzers/bom/detailed.js +19 -0
  9. package/dist/analyzers/bom/detailed.js.map +1 -1
  10. package/dist/analyzers/bom/gather.d.ts +27 -26
  11. package/dist/analyzers/bom/gather.d.ts.map +1 -1
  12. package/dist/analyzers/bom/gather.js +26 -87
  13. package/dist/analyzers/bom/gather.js.map +1 -1
  14. package/dist/analyzers/bom/index.d.ts +0 -7
  15. package/dist/analyzers/bom/index.d.ts.map +1 -1
  16. package/dist/analyzers/bom/index.js +98 -48
  17. package/dist/analyzers/bom/index.js.map +1 -1
  18. package/dist/analyzers/bom/types.d.ts +11 -13
  19. package/dist/analyzers/bom/types.d.ts.map +1 -1
  20. package/dist/analyzers/cache.d.ts +95 -0
  21. package/dist/analyzers/cache.d.ts.map +1 -0
  22. package/dist/analyzers/cache.js +309 -0
  23. package/dist/analyzers/cache.js.map +1 -0
  24. package/dist/analyzers/coverage-runner.d.ts +56 -0
  25. package/dist/analyzers/coverage-runner.d.ts.map +1 -0
  26. package/dist/analyzers/coverage-runner.js +72 -0
  27. package/dist/analyzers/coverage-runner.js.map +1 -0
  28. package/dist/analyzers/dashboard/index.d.ts +24 -0
  29. package/dist/analyzers/dashboard/index.d.ts.map +1 -0
  30. package/dist/analyzers/dashboard/index.js +667 -0
  31. package/dist/analyzers/dashboard/index.js.map +1 -0
  32. package/dist/analyzers/developer/gather.d.ts.map +1 -1
  33. package/dist/analyzers/developer/gather.js +205 -37
  34. package/dist/analyzers/developer/gather.js.map +1 -1
  35. package/dist/analyzers/developer/index.d.ts +1 -1
  36. package/dist/analyzers/developer/index.d.ts.map +1 -1
  37. package/dist/analyzers/developer/index.js +21 -9
  38. package/dist/analyzers/developer/index.js.map +1 -1
  39. package/dist/analyzers/dispatcher.d.ts +52 -0
  40. package/dist/analyzers/dispatcher.d.ts.map +1 -1
  41. package/dist/analyzers/dispatcher.js +92 -9
  42. package/dist/analyzers/dispatcher.js.map +1 -1
  43. package/dist/analyzers/docs/shallow.d.ts +17 -5
  44. package/dist/analyzers/docs/shallow.d.ts.map +1 -1
  45. package/dist/analyzers/docs/shallow.js +65 -2
  46. package/dist/analyzers/docs/shallow.js.map +1 -1
  47. package/dist/analyzers/dx/shallow.d.ts +17 -5
  48. package/dist/analyzers/dx/shallow.d.ts.map +1 -1
  49. package/dist/analyzers/dx/shallow.js +66 -2
  50. package/dist/analyzers/dx/shallow.js.map +1 -1
  51. package/dist/analyzers/health/actions.d.ts +1 -1
  52. package/dist/analyzers/health/actions.d.ts.map +1 -1
  53. package/dist/analyzers/health/actions.js +27 -9
  54. package/dist/analyzers/health/actions.js.map +1 -1
  55. package/dist/analyzers/health/detailed.d.ts +2 -1
  56. package/dist/analyzers/health/detailed.d.ts.map +1 -1
  57. package/dist/analyzers/health/detailed.js +11 -7
  58. package/dist/analyzers/health/detailed.js.map +1 -1
  59. package/dist/analyzers/health.d.ts +27 -0
  60. package/dist/analyzers/health.d.ts.map +1 -1
  61. package/dist/analyzers/health.js +282 -34
  62. package/dist/analyzers/health.js.map +1 -1
  63. package/dist/analyzers/licenses/gather.d.ts +35 -8
  64. package/dist/analyzers/licenses/gather.d.ts.map +1 -1
  65. package/dist/analyzers/licenses/gather.js +86 -13
  66. package/dist/analyzers/licenses/gather.js.map +1 -1
  67. package/dist/analyzers/licenses/index.d.ts +1 -1
  68. package/dist/analyzers/licenses/index.d.ts.map +1 -1
  69. package/dist/analyzers/licenses/index.js +52 -11
  70. package/dist/analyzers/licenses/index.js.map +1 -1
  71. package/dist/analyzers/licenses/types.d.ts +15 -0
  72. package/dist/analyzers/licenses/types.d.ts.map +1 -1
  73. package/dist/analyzers/maintainability/shallow.d.ts +17 -5
  74. package/dist/analyzers/maintainability/shallow.d.ts.map +1 -1
  75. package/dist/analyzers/maintainability/shallow.js +80 -2
  76. package/dist/analyzers/maintainability/shallow.js.map +1 -1
  77. package/dist/analyzers/quality/detailed.d.ts.map +1 -1
  78. package/dist/analyzers/quality/detailed.js +4 -6
  79. package/dist/analyzers/quality/detailed.js.map +1 -1
  80. package/dist/analyzers/quality/gather.d.ts +1 -14
  81. package/dist/analyzers/quality/gather.d.ts.map +1 -1
  82. package/dist/analyzers/quality/gather.js +48 -137
  83. package/dist/analyzers/quality/gather.js.map +1 -1
  84. package/dist/analyzers/quality/index.d.ts +9 -2
  85. package/dist/analyzers/quality/index.d.ts.map +1 -1
  86. package/dist/analyzers/quality/index.js +197 -117
  87. package/dist/analyzers/quality/index.js.map +1 -1
  88. package/dist/analyzers/quality/shallow.d.ts +50 -5
  89. package/dist/analyzers/quality/shallow.d.ts.map +1 -1
  90. package/dist/analyzers/quality/shallow.js +155 -2
  91. package/dist/analyzers/quality/shallow.js.map +1 -1
  92. package/dist/analyzers/quality/types.d.ts +14 -0
  93. package/dist/analyzers/quality/types.d.ts.map +1 -1
  94. package/dist/analyzers/security/actions.d.ts +11 -4
  95. package/dist/analyzers/security/actions.d.ts.map +1 -1
  96. package/dist/analyzers/security/actions.js +87 -37
  97. package/dist/analyzers/security/actions.js.map +1 -1
  98. package/dist/analyzers/security/aggregator.d.ts +236 -0
  99. package/dist/analyzers/security/aggregator.d.ts.map +1 -0
  100. package/dist/analyzers/security/aggregator.js +349 -0
  101. package/dist/analyzers/security/aggregator.js.map +1 -0
  102. package/dist/analyzers/security/detailed.d.ts +2 -2
  103. package/dist/analyzers/security/detailed.d.ts.map +1 -1
  104. package/dist/analyzers/security/detailed.js +10 -9
  105. package/dist/analyzers/security/detailed.js.map +1 -1
  106. package/dist/analyzers/security/gather.d.ts +104 -1
  107. package/dist/analyzers/security/gather.d.ts.map +1 -1
  108. package/dist/analyzers/security/gather.js +299 -9
  109. package/dist/analyzers/security/gather.js.map +1 -1
  110. package/dist/analyzers/security/index.d.ts +15 -0
  111. package/dist/analyzers/security/index.d.ts.map +1 -1
  112. package/dist/analyzers/security/index.js +463 -50
  113. package/dist/analyzers/security/index.js.map +1 -1
  114. package/dist/analyzers/security/shallow.d.ts +50 -6
  115. package/dist/analyzers/security/shallow.d.ts.map +1 -1
  116. package/dist/analyzers/security/shallow.js +154 -2
  117. package/dist/analyzers/security/shallow.js.map +1 -1
  118. package/dist/analyzers/security/types.d.ts +51 -0
  119. package/dist/analyzers/security/types.d.ts.map +1 -1
  120. package/dist/analyzers/tests/detailed.d.ts.map +1 -1
  121. package/dist/analyzers/tests/detailed.js +2 -3
  122. package/dist/analyzers/tests/detailed.js.map +1 -1
  123. package/dist/analyzers/tests/gather.d.ts +2 -1
  124. package/dist/analyzers/tests/gather.d.ts.map +1 -1
  125. package/dist/analyzers/tests/gather.js +98 -69
  126. package/dist/analyzers/tests/gather.js.map +1 -1
  127. package/dist/analyzers/tests/index.d.ts +11 -2
  128. package/dist/analyzers/tests/index.d.ts.map +1 -1
  129. package/dist/analyzers/tests/index.js +83 -18
  130. package/dist/analyzers/tests/index.js.map +1 -1
  131. package/dist/analyzers/tests/shallow.d.ts +19 -5
  132. package/dist/analyzers/tests/shallow.d.ts.map +1 -1
  133. package/dist/analyzers/tests/shallow.js +89 -2
  134. package/dist/analyzers/tests/shallow.js.map +1 -1
  135. package/dist/analyzers/tests/types.d.ts +41 -1
  136. package/dist/analyzers/tests/types.d.ts.map +1 -1
  137. package/dist/analyzers/tools/autogen-header.d.ts +8 -0
  138. package/dist/analyzers/tools/autogen-header.d.ts.map +1 -0
  139. package/dist/analyzers/tools/autogen-header.js +107 -0
  140. package/dist/analyzers/tools/autogen-header.js.map +1 -0
  141. package/dist/analyzers/tools/cloc.d.ts.map +1 -1
  142. package/dist/analyzers/tools/cloc.js +36 -5
  143. package/dist/analyzers/tools/cloc.js.map +1 -1
  144. package/dist/analyzers/tools/deadline.d.ts +67 -0
  145. package/dist/analyzers/tools/deadline.d.ts.map +1 -0
  146. package/dist/analyzers/tools/deadline.js +81 -0
  147. package/dist/analyzers/tools/deadline.js.map +1 -0
  148. package/dist/analyzers/tools/debug-statements.d.ts +17 -0
  149. package/dist/analyzers/tools/debug-statements.d.ts.map +1 -0
  150. package/dist/analyzers/tools/debug-statements.js +58 -0
  151. package/dist/analyzers/tools/debug-statements.js.map +1 -0
  152. package/dist/analyzers/tools/default-exclusions.gitignore +28 -0
  153. package/dist/analyzers/tools/exclusions.d.ts +33 -6
  154. package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
  155. package/dist/analyzers/tools/exclusions.js +95 -26
  156. package/dist/analyzers/tools/exclusions.js.map +1 -1
  157. package/dist/analyzers/tools/generic.d.ts +17 -2
  158. package/dist/analyzers/tools/generic.d.ts.map +1 -1
  159. package/dist/analyzers/tools/generic.js +206 -109
  160. package/dist/analyzers/tools/generic.js.map +1 -1
  161. package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
  162. package/dist/analyzers/tools/gitleaks.js +48 -1
  163. package/dist/analyzers/tools/gitleaks.js.map +1 -1
  164. package/dist/analyzers/tools/graphify.d.ts +30 -2
  165. package/dist/analyzers/tools/graphify.d.ts.map +1 -1
  166. package/dist/analyzers/tools/graphify.js +131 -15
  167. package/dist/analyzers/tools/graphify.js.map +1 -1
  168. package/dist/analyzers/tools/jscpd.d.ts +12 -2
  169. package/dist/analyzers/tools/jscpd.d.ts.map +1 -1
  170. package/dist/analyzers/tools/jscpd.js +129 -6
  171. package/dist/analyzers/tools/jscpd.js.map +1 -1
  172. package/dist/analyzers/tools/lint-label.d.ts +29 -0
  173. package/dist/analyzers/tools/lint-label.d.ts.map +1 -0
  174. package/dist/analyzers/tools/lint-label.js +23 -0
  175. package/dist/analyzers/tools/lint-label.js.map +1 -0
  176. package/dist/analyzers/tools/minified-detection.d.ts +9 -0
  177. package/dist/analyzers/tools/minified-detection.d.ts.map +1 -0
  178. package/dist/analyzers/tools/minified-detection.js +147 -0
  179. package/dist/analyzers/tools/minified-detection.js.map +1 -0
  180. package/dist/analyzers/tools/nuget-package-reference.d.ts +133 -0
  181. package/dist/analyzers/tools/nuget-package-reference.d.ts.map +1 -0
  182. package/dist/analyzers/tools/nuget-package-reference.js +177 -0
  183. package/dist/analyzers/tools/nuget-package-reference.js.map +1 -0
  184. package/dist/analyzers/tools/osv-scanner-deps.d.ts +3 -2
  185. package/dist/analyzers/tools/osv-scanner-deps.d.ts.map +1 -1
  186. package/dist/analyzers/tools/osv-scanner-deps.js +32 -14
  187. package/dist/analyzers/tools/osv-scanner-deps.js.map +1 -1
  188. package/dist/analyzers/tools/osv.d.ts +36 -0
  189. package/dist/analyzers/tools/osv.d.ts.map +1 -1
  190. package/dist/analyzers/tools/osv.js +26 -0
  191. package/dist/analyzers/tools/osv.js.map +1 -1
  192. package/dist/analyzers/tools/parallel.d.ts +1 -1
  193. package/dist/analyzers/tools/parallel.d.ts.map +1 -1
  194. package/dist/analyzers/tools/parallel.js +2 -2
  195. package/dist/analyzers/tools/parallel.js.map +1 -1
  196. package/dist/analyzers/tools/report-date.d.ts +17 -0
  197. package/dist/analyzers/tools/report-date.d.ts.map +1 -0
  198. package/dist/analyzers/tools/report-date.js +26 -0
  199. package/dist/analyzers/tools/report-date.js.map +1 -0
  200. package/dist/analyzers/tools/risk-score.d.ts +7 -0
  201. package/dist/analyzers/tools/risk-score.d.ts.map +1 -1
  202. package/dist/analyzers/tools/risk-score.js +9 -2
  203. package/dist/analyzers/tools/risk-score.js.map +1 -1
  204. package/dist/analyzers/tools/run-tests-helper.d.ts +43 -0
  205. package/dist/analyzers/tools/run-tests-helper.d.ts.map +1 -0
  206. package/dist/analyzers/tools/run-tests-helper.js +156 -0
  207. package/dist/analyzers/tools/run-tests-helper.js.map +1 -0
  208. package/dist/analyzers/tools/runner.d.ts.map +1 -1
  209. package/dist/analyzers/tools/runner.js +75 -12
  210. package/dist/analyzers/tools/runner.js.map +1 -1
  211. package/dist/analyzers/tools/semgrep.d.ts +39 -2
  212. package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
  213. package/dist/analyzers/tools/semgrep.js +131 -9
  214. package/dist/analyzers/tools/semgrep.js.map +1 -1
  215. package/dist/analyzers/tools/timing.d.ts +17 -3
  216. package/dist/analyzers/tools/timing.d.ts.map +1 -1
  217. package/dist/analyzers/tools/timing.js +36 -14
  218. package/dist/analyzers/tools/timing.js.map +1 -1
  219. package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
  220. package/dist/analyzers/tools/tool-registry.js +11 -1
  221. package/dist/analyzers/tools/tool-registry.js.map +1 -1
  222. package/dist/analyzers/tools/tools-unavailable-prose.d.ts +18 -0
  223. package/dist/analyzers/tools/tools-unavailable-prose.d.ts.map +1 -0
  224. package/dist/analyzers/tools/tools-unavailable-prose.js +69 -0
  225. package/dist/analyzers/tools/tools-unavailable-prose.js.map +1 -0
  226. package/dist/analyzers/tools/upgrade-plan-resolver.d.ts.map +1 -1
  227. package/dist/analyzers/tools/upgrade-plan-resolver.js +7 -0
  228. package/dist/analyzers/tools/upgrade-plan-resolver.js.map +1 -1
  229. package/dist/analyzers/tools/vendored-advisor.d.ts +43 -0
  230. package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -0
  231. package/dist/analyzers/tools/vendored-advisor.js +107 -0
  232. package/dist/analyzers/tools/vendored-advisor.js.map +1 -0
  233. package/dist/analyzers/tools/walk-paths.d.ts +78 -0
  234. package/dist/analyzers/tools/walk-paths.d.ts.map +1 -0
  235. package/dist/analyzers/tools/walk-paths.js +150 -0
  236. package/dist/analyzers/tools/walk-paths.js.map +1 -0
  237. package/dist/analyzers/tools/walk-source-files.d.ts +70 -0
  238. package/dist/analyzers/tools/walk-source-files.d.ts.map +1 -0
  239. package/dist/analyzers/tools/walk-source-files.js +369 -0
  240. package/dist/analyzers/tools/walk-source-files.js.map +1 -0
  241. package/dist/analyzers/types.d.ts +204 -4
  242. package/dist/analyzers/types.d.ts.map +1 -1
  243. package/dist/analyzers/xlsx/bom.d.ts.map +1 -1
  244. package/dist/analyzers/xlsx/bom.js +8 -1
  245. package/dist/analyzers/xlsx/bom.js.map +1 -1
  246. package/dist/cli.d.ts.map +1 -1
  247. package/dist/cli.js +581 -189
  248. package/dist/cli.js.map +1 -1
  249. package/dist/detect.d.ts.map +1 -1
  250. package/dist/detect.js +24 -7
  251. package/dist/detect.js.map +1 -1
  252. package/dist/doctor.d.ts.map +1 -1
  253. package/dist/doctor.js +103 -53
  254. package/dist/doctor.js.map +1 -1
  255. package/dist/languages/capabilities/provider.d.ts +130 -1
  256. package/dist/languages/capabilities/provider.d.ts.map +1 -1
  257. package/dist/languages/capabilities/types.d.ts +68 -7
  258. package/dist/languages/capabilities/types.d.ts.map +1 -1
  259. package/dist/languages/csharp.d.ts +15 -1
  260. package/dist/languages/csharp.d.ts.map +1 -1
  261. package/dist/languages/csharp.js +624 -146
  262. package/dist/languages/csharp.js.map +1 -1
  263. package/dist/languages/go.d.ts.map +1 -1
  264. package/dist/languages/go.js +89 -11
  265. package/dist/languages/go.js.map +1 -1
  266. package/dist/languages/index.d.ts +132 -2
  267. package/dist/languages/index.d.ts.map +1 -1
  268. package/dist/languages/index.js +207 -0
  269. package/dist/languages/index.js.map +1 -1
  270. package/dist/languages/java.d.ts.map +1 -1
  271. package/dist/languages/java.js +113 -26
  272. package/dist/languages/java.js.map +1 -1
  273. package/dist/languages/kotlin.d.ts.map +1 -1
  274. package/dist/languages/kotlin.js +132 -26
  275. package/dist/languages/kotlin.js.map +1 -1
  276. package/dist/languages/python.d.ts.map +1 -1
  277. package/dist/languages/python.js +149 -44
  278. package/dist/languages/python.js.map +1 -1
  279. package/dist/languages/ruby.d.ts +39 -1
  280. package/dist/languages/ruby.d.ts.map +1 -1
  281. package/dist/languages/ruby.js +178 -44
  282. package/dist/languages/ruby.js.map +1 -1
  283. package/dist/languages/rust.d.ts.map +1 -1
  284. package/dist/languages/rust.js +103 -16
  285. package/dist/languages/rust.js.map +1 -1
  286. package/dist/languages/types.d.ts +228 -5
  287. package/dist/languages/types.d.ts.map +1 -1
  288. package/dist/languages/typescript.d.ts.map +1 -1
  289. package/dist/languages/typescript.js +201 -14
  290. package/dist/languages/typescript.js.map +1 -1
  291. package/dist/scoring/dimensions/documentation.d.ts +53 -0
  292. package/dist/scoring/dimensions/documentation.d.ts.map +1 -0
  293. package/dist/scoring/dimensions/documentation.js +106 -0
  294. package/dist/scoring/dimensions/documentation.js.map +1 -0
  295. package/dist/scoring/dimensions/dx.d.ts +53 -0
  296. package/dist/scoring/dimensions/dx.d.ts.map +1 -0
  297. package/dist/scoring/dimensions/dx.js +105 -0
  298. package/dist/scoring/dimensions/dx.js.map +1 -0
  299. package/dist/scoring/dimensions/maintainability.d.ts +53 -0
  300. package/dist/scoring/dimensions/maintainability.d.ts.map +1 -0
  301. package/dist/scoring/dimensions/maintainability.js +101 -0
  302. package/dist/scoring/dimensions/maintainability.js.map +1 -0
  303. package/dist/scoring/dimensions/quality.d.ts +108 -0
  304. package/dist/scoring/dimensions/quality.d.ts.map +1 -0
  305. package/dist/scoring/dimensions/quality.js +174 -0
  306. package/dist/scoring/dimensions/quality.js.map +1 -0
  307. package/dist/scoring/dimensions/security.d.ts +84 -0
  308. package/dist/scoring/dimensions/security.d.ts.map +1 -0
  309. package/dist/scoring/dimensions/security.js +135 -0
  310. package/dist/scoring/dimensions/security.js.map +1 -0
  311. package/dist/scoring/dimensions/testing.d.ts +56 -0
  312. package/dist/scoring/dimensions/testing.d.ts.map +1 -0
  313. package/dist/scoring/dimensions/testing.js +98 -0
  314. package/dist/scoring/dimensions/testing.js.map +1 -0
  315. package/dist/scoring/evaluator.d.ts +27 -0
  316. package/dist/scoring/evaluator.d.ts.map +1 -0
  317. package/dist/scoring/evaluator.js +124 -0
  318. package/dist/scoring/evaluator.js.map +1 -0
  319. package/dist/scoring/format.d.ts +34 -0
  320. package/dist/scoring/format.d.ts.map +1 -0
  321. package/dist/scoring/format.js +63 -0
  322. package/dist/scoring/format.js.map +1 -0
  323. package/dist/scoring/index.d.ts +37 -0
  324. package/dist/scoring/index.d.ts.map +1 -0
  325. package/dist/scoring/index.js +57 -0
  326. package/dist/scoring/index.js.map +1 -0
  327. package/dist/scoring/overall.d.ts +54 -0
  328. package/dist/scoring/overall.d.ts.map +1 -0
  329. package/dist/scoring/overall.js +76 -0
  330. package/dist/scoring/overall.js.map +1 -0
  331. package/dist/scoring/result.d.ts +111 -0
  332. package/dist/scoring/result.d.ts.map +1 -0
  333. package/dist/scoring/result.js +14 -0
  334. package/dist/scoring/result.js.map +1 -0
  335. package/dist/scoring/spec.d.ts +76 -0
  336. package/dist/scoring/spec.d.ts.map +1 -0
  337. package/dist/scoring/spec.js +22 -0
  338. package/dist/scoring/spec.js.map +1 -0
  339. package/dist/scoring/thresholds.d.ts +56 -0
  340. package/dist/scoring/thresholds.d.ts.map +1 -0
  341. package/dist/scoring/thresholds.js +75 -0
  342. package/dist/scoring/thresholds.js.map +1 -0
  343. package/dist/tools-cli.d.ts.map +1 -1
  344. package/dist/tools-cli.js +21 -2
  345. package/dist/tools-cli.js.map +1 -1
  346. package/dist/types.d.ts +16 -0
  347. package/dist/types.d.ts.map +1 -1
  348. package/package.json +1 -1
  349. package/templates/.claude/commands/dashboard.md +17 -9
  350. package/dist/analyzers/scoring.d.ts +0 -49
  351. package/dist/analyzers/scoring.d.ts.map +0 -1
  352. package/dist/analyzers/scoring.js +0 -422
  353. package/dist/analyzers/scoring.js.map +0 -1
  354. package/dist/analyzers/security/scoring.d.ts +0 -29
  355. package/dist/analyzers/security/scoring.d.ts.map +0 -1
  356. package/dist/analyzers/security/scoring.js +0 -40
  357. package/dist/analyzers/security/scoring.js.map +0 -1
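--- a/package/dist/analyzers/tools/minified-detection.js
+++ b/package/dist/analyzers/tools/minified-detection.js
@@ -0,0 +1,147 @@
+ "use strict";
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+ if (k2 === undefined) k2 = k;
+ var desc = Object.getOwnPropertyDescriptor(m, k);
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+ desc = { enumerable: true, get: function() { return m[k]; } };
+ }
+ Object.defineProperty(o, k2, desc);
+ }) : (function(o, m, k, k2) {
+ if (k2 === undefined) k2 = k;
+ o[k2] = m[k];
+ }));
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
+ }) : function(o, v) {
+ o["default"] = v;
+ });
+ var __importStar = (this && this.__importStar) || (function () {
+ var ownKeys = function(o) {
+ ownKeys = Object.getOwnPropertyNames || function (o) {
+ var ar = [];
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+ return ar;
+ };
+ return ownKeys(o);
+ };
+ return function (mod) {
+ if (mod && mod.__esModule) return mod;
+ var result = {};
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+ __setModuleDefault(result, mod);
+ return result;
+ };
+ })();
+ Object.defineProperty(exports, "__esModule", { value: true });
+ exports.isLikelyMinified = isLikelyMinified;
+ /**
+ * Minified / bundled source-file detection.
+ *
+ * Complements the autogen-header probe by catching another class of
+ * machine-emitted files that frequently land in customer
+ * `src/` / `public/` trees: minified or bundled JavaScript / CSS.
+ * These files are technically "source" by extension but carry no
+ * engineering signal — they're build output (webpack / vite /
+ * esbuild hash-suffixed chunks), CDN-downloaded libraries dropped
+ * into `public/`, or pre-minified vendored editors. When they slip
+ * past the standard exclusions they distort:
+ *
+ * • `largestFileLines` + `largestFilePath` ("Largest file: 18K
+ * lines" points at a webpack chunk, not a human-authored file)
+ * • `filesOver500Lines` (every minified JS file is one line at
+ * thousands of chars, so doesn't inflate this; but the BUNDLE
+ * CHUNKS that span multiple lines do)
+ * • `densestFile` from graphify (4,000+ functions in a single
+ * minified file)
+ * • Top Files by Size (the table reads as "split these" but the
+ * files are all autogen artifacts)
+ *
+ * Detection heuristic: read the first ~4KB, count newlines, compare
+ * to byte length. If average bytes-per-line crosses a threshold the
+ * file is almost certainly minified or a hash-suffixed bundle chunk.
+ * Threshold picked at 500 bytes/line — well above typical
+ * hand-written source (~80–120 cols, ~100 bytes/line including
+ * indentation) and well below typical minified output (often
+ * 5,000–50,000 bytes per "line" in single-line minified files, or
+ * 200–800 bytes/line in webpack bundles with semicolon-split
+ * chunks).
+ *
+ * Scope: applied to `.js`, `.jsx`, `.mjs`, `.cjs`, `.css`, `.scss`,
+ * `.sass`, `.less`. NOT applied to `.ts` / `.tsx` because TS source
+ * is rarely minified in-place (the minified output lands in a
+ * separate `dist/` directory which is already excluded by the
+ * standard ignore list); checking every .ts file would burn I/O
+ * for no benefit.
+ *
+ * Repo-specific autogen that doesn't match this heuristic (e.g.
+ * vendor-tool–emitted classes with hand-typeable filenames + no
+ * autogen header) is best handled via `.dxkit-ignore` — a per-repo
+ * customization the customer maintains.
+ */
+ const fs = __importStar(require("fs"));
+ const path = __importStar(require("path"));
+ /** Extensions where minified content is plausibly present in the source tree. */
+ const MINIFIABLE_EXTENSIONS = new Set([
+ '.js',
+ '.jsx',
+ '.mjs',
+ '.cjs',
+ '.css',
+ '.scss',
+ '.sass',
+ '.less',
+ ]);
+ /** Bytes-per-line floor above which the file is almost certainly
+ * minified / bundled. Calibrated to admit hand-written code at any
+ * reasonable line length while rejecting any minifier output. */
+ const MIN_BYTES_PER_LINE_FOR_MINIFIED = 500;
+ /** Sample size — large enough to get reliable line statistics on
+ * even the shortest minified chunk, small enough to keep the I/O
+ * cost negligible vs. the existing autogen-header probe. */
+ const SAMPLE_BYTES = 4096;
+ /**
+ * True when the file at `absPath` looks like minified / bundled
+ * output by the bytes-per-line heuristic. Returns false on read
+ * errors or for files whose extension isn't in
+ * `MINIFIABLE_EXTENSIONS` — over-include is preferable to silently
+ * dropping legit source.
+ */
+ function isLikelyMinified(absPath) {
+ const ext = path.extname(absPath).toLowerCase();
+ if (!MINIFIABLE_EXTENSIONS.has(ext))
+ return false;
+ let fd = null;
+ try {
+ fd = fs.openSync(absPath, 'r');
+ const buf = Buffer.alloc(SAMPLE_BYTES);
+ const n = fs.readSync(fd, buf, 0, SAMPLE_BYTES, 0);
+ if (n === 0)
+ return false;
+ // Count newlines in the sample. A single-line file with N bytes
+ // and zero newlines reports bytesPerLine = N (way above the
+ // floor). A normal source file with N bytes and N/100 newlines
+ // reports ~100 bytes/line.
+ let newlines = 0;
+ for (let i = 0; i < n; i++) {
+ if (buf[i] === 0x0a)
+ newlines++;
+ }
+ const linesInSample = Math.max(1, newlines);
+ const bytesPerLine = n / linesInSample;
+ return bytesPerLine >= MIN_BYTES_PER_LINE_FOR_MINIFIED;
+ }
+ catch {
+ return false;
+ }
+ finally {
+ if (fd !== null) {
+ try {
+ fs.closeSync(fd);
+ }
+ catch {
+ /* ignore */
+ }
+ }
+ }
+ }
+ //# sourceMappingURL=minified-detection.js.map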
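Review bot: `isLikelyMinified` classifies a file from its first 4096 bytes only, and those bytes come from the repository under analysis, so a long opening line is enough to mark the whole file as build output whatever follows it. The header comment names only size and density metrics as consumers; the callers are outside this hunk, but if any of them also uses the result to drop files from secret or SAST scanning, hand-written code behind such a prefix would go unscanned with no trace in the report. I would pin the contract on the function, e.g. `// Metrics-only signal derived from untrusted file content: never use it to exclude a file from security scanners.`, and have callers count the files they exclude so the report lists them.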
@@ -0,0 +1 @@
1
+ {"version":3,"file":"minified-detection.js","sourceRoot":"","sources":["../../../src/analyzers/tools/minified-detection.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4EA,4CAgCC;AA5GD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AACH,uCAAyB;AACzB,2CAA6B;AAE7B,iFAAiF;AACjF,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC;IACpC,KAAK;IACL,MAAM;IACN,MAAM;IACN,MAAM;IACN,MAAM;IACN,OAAO;IACP,OAAO;IACP,OAAO;CACR,CAAC,CAAC;AAEH;;kEAEkE;AAClE,MAAM,+BAA+B,GAAG,GAAG,CAAC;AAE5C;;6DAE6D;AAC7D,MAAM,YAAY,GAAG,IAAI,CAAC;AAE1B;;;;;;GAMG;AACH,SAAgB,gBAAgB,CAAC,OAAe;IAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;IAChD,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAElD,IAAI,EAAE,GAAkB,IAAI,CAAC;IAC7B,IAAI,CAAC;QACH,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAC/B,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QACvC,MAAM,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC;QACnD,IAAI,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAC1B,gEAAgE;QAChE,4DAA4D;QAC5D,+DAA+D;QAC/D,2BAA2B;QAC3B,IAAI,QAAQ,GAAG,CAAC,CAAC;QACjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAC3B,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,IAAI;gBAAE,QAAQ,EAAE,CAAC;QAClC,CAAC;QACD,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;QAC5C,MAAM,YAAY,GAAG,CAAC,GAAG,aAAa,CAAC;QACvC,OAAO,YAAY,IAAI,+BAA+B,CAAC;IACzD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;YAAS,CAAC;QACT,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YAChB,IAAI,CAAC;gBACH,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;YACnB,CAAC;YAAC,MAAM,CAAC;gBACP,YAAY;YACd,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC"}
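--- a/package/dist/analyzers/tools/nuget-package-reference.d.ts
+++ b/package/dist/analyzers/tools/nuget-package-reference.d.ts
@@ -0,0 +1,133 @@
+ /**
+ * Direct `<PackageReference>` parser — D025f (2.4.7).
+ *
+ * Extracts NuGet PackageReference entries from `.csproj` XML text
+ * without invoking `dotnet restore` or any other .NET toolchain. The
+ * output feeds an ad-hoc `packages.lock.json`-shaped file that
+ * osv-scanner ingests via `--lockfile=<path>` (the file MUST be
+ * literally named `packages.lock.json` — osv-scanner v2.x detects the
+ * NuGet ecosystem by filename, not by a prefix). This closes the D036
+ * customer-outcome gap on the .NET WinForms benchmark (where
+ * `dotnet list package` couldn't run from a multi-project parent
+ * directory).
+ *
+ * Lives under `src/analyzers/tools/` (alongside `osv-scanner-deps.ts`,
+ * `jacoco.ts`, `npm-registry.ts`, `cvss-v4.ts`) — CLAUDE.md rule #6
+ * keeps each language pack as a single file; ecosystem-specific tool
+ * helpers consumed by one or more packs go in `analyzers/tools/`.
+ * csharp.ts imports this module the same way it already imports
+ * `osv` and `osv-scanner-deps`.
+ *
+ * Architectural rationale:
+ *
+ * D025c (Sprint A) routed the gather through `findTool(TOOL_DEFS
+ * ['dotnet-format'])` so users with `~/.dotnet/dotnet` (the
+ * Microsoft-recommended non-sudo install) got dotnet discovered.
+ * That fix was necessary but not sufficient: `dotnet list package
+ * --vulnerable` still requires an explicit `.csproj`/`.sln` in cwd,
+ * and the .NET WinForms benchmark's
+ * `Code/Source/Dev/Core/<Module>/<Module>.csproj` layout puts the
+ * project files 3 levels deeper than the natural
+ * `dxkit vulnerabilities Code/Source/` cwd.
+ *
+ * D025f sidesteps the dotnet CLI entirely. We walk every `.csproj`
+ * reachable from cwd (depth 5, matching csharp.detect()), parse
+ * each, and feed the union to osv-scanner via a synthetic lockfile.
+ * Cross-platform — `net9.0-windows` targets that won't restore on
+ * Linux/Mac still get scanned.
+ *
+ * Trade-off: this catches DIRECT PackageReferences only. Transitive
+ * deps (resolved by NuGet's dep graph from each direct ref's own
+ * dependencies) are NOT visible without a populated
+ * `project.assets.json`. Industry studies put ~80% of typical
+ * .NET CVE surface on direct refs; the remaining ~20% (transitives)
+ * land cleanly when `dotnet restore` is available and the
+ * dotnet-path-resolved D025c codepath runs.
+ *
+ * Shared with D031: the licenses degraded-inventory fallback uses the
+ * same parser to produce a "133 packages identified; license info
+ * unavailable" rendering when `nuget-license` isn't installed.
+ *
+ * Pure function. No I/O. Tested via a fixture suite of representative
+ * .csproj shapes (attribute-form, element-form, Central Package
+ * Management, conditional `<ItemGroup>` blocks).
+ */
+ /**
+ * Per-package entry extracted from a `.csproj`. Both fields are
+ * post-trimmed; `version` is the raw NuGet version string (which may
+ * be a single version `"9.0.1"` or a range `"[9.0.1, 10.0.0)"` —
+ * osv-scanner accepts both forms in the lockfile's `resolved` field).
+ */
+ export interface PackageReferenceEntry {
+ name: string;
+ version: string;
+ }
+ /**
+ * Match shapes (in priority order):
+ *
+ * 1. `<PackageReference Include="Foo" Version="1.0.0" />` — most
+ * common; attributes can appear in any order (also matched
+ * `Version="1.0.0" Include="Foo"`).
+ * 2. `<PackageReference Include="Foo"><Version>1.0.0</Version>
+ * </PackageReference>` — element-form, equivalent semantics;
+ * common in repos that prefer multiline configs or use child
+ * elements for `<PrivateAssets>`/`<IncludeAssets>` siblings.
+ * 3. `<PackageReference Include="Foo" />` WITHOUT Version — Central
+ * Package Management (CPM): the version comes from a separate
+ * `Directory.Packages.props` file. Skipped here; the CPM-aware
+ * pass (a future enhancement) would resolve them.
+ *
+ * Skipped shapes:
+ *
+ * - `<PackageReference Update="Foo" Version="..." />` — CPM
+ * override syntax for transitive pins; NOT a direct reference.
+ * - `<GlobalPackageReference ... />` — CPM-only; pins all projects.
+ * Not a direct reference of this csproj.
+ * - Comments / CDATA — best-effort; the regex is generous and
+ * can theoretically match `<!-- <PackageReference ... -->`
+ * comments; users with literal PackageReference strings inside
+ * comments would get false positives. Acceptable: pathological
+ * case, and osv-scanner won't surface advisories for non-real
+ * packages, so the worst case is a wasted scan entry.
+ */
+ export declare function parseCsprojPackageReferences(xml: string): PackageReferenceEntry[];
+ /**
+ * Generate the body of an ad-hoc `packages.lock.json` that osv-scanner
+ * v2.x reads via `--lockfile=<path>` (caller MUST write this content to
+ * a file literally named `packages.lock.json` — osv-scanner detects
+ * ecosystem by filename). The schema matches NuGet's native
+ * `dotnet restore`-produced lockfile (which osv-scanner already
+ * supports natively), simplified to the minimum osv-scanner consults
+ * for vulnerability matching:
+ *
+ * {
+ * "version": 1,
+ * "dependencies": {
+ * "net0.0": {
+ * "<Pkg>": {
+ * "type": "Direct",
+ * "resolved": "<Version>",
+ * "requested": "[<Version>, )"
+ * }
+ * }
+ * }
+ * }
+ *
+ * - `"version": 1` matches `dotnet restore`'s lockfile schema version.
+ * - `"net0.0"` is a placeholder framework moniker — osv-scanner reads
+ * the package map without validating the framework key, so any
+ * non-empty string works. We use a non-real moniker so it can't be
+ * confused with a real target framework in downstream debugging.
+ * - `type: "Direct"` truthfully reflects that we ONLY parsed direct
+ * references. Transitive vulns are out of scope for this path
+ * (covered by D025c's `dotnet list` codepath when available).
+ * - `requested` is a NuGet version range; we use a single-anchored
+ * `[V, )` form so the lockfile is valid even though the real
+ * `.csproj` might have been a pinned single version.
+ *
+ * Returns a JSON-stringified string suitable for writing to a temp
+ * file. Callers should clean up the temp file after osv-scanner
+ * consumes it.
+ */
+ export declare function buildNugetAdhocLockfile(entries: ReadonlyArray<PackageReferenceEntry>): string;
+ //# sourceMappingURL=nuget-package-reference.d.ts.map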
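Review bot: `parseCsprojPackageReferences` returns only `PackageReferenceEntry[]`, so the version-less Central Package Management references that its docblock says are skipped disappear without any signal. A repo that pins its versions in `Directory.Packages.props` would presumably reach osv-scanner with an empty or partial lockfile and read as clean. The docblock should spell that out for callers, e.g. `An empty or short result does not mean no dependencies: version-less (CPM) references are dropped, so callers must mark the scan as partial.` The comment-matching caveat also understates the effect, since a commented-out reference to a real package at a vulnerable version would produce an advisory for a dependency that is not in use. The claim that a range such as `[9.0.1, 10.0.0)` is accepted in `resolved` deserves a fixture test; the implementation is outside this hunk, and a range that fails to match would be a silent false negative.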
@@ -0,0 +1 @@
1
+ {"version":3,"file":"nuget-package-reference.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/nuget-package-reference.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqDG;AAEH;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAgB,4BAA4B,CAAC,GAAG,EAAE,MAAM,GAAG,qBAAqB,EAAE,CA6BjF;AAiBD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,aAAa,CAAC,qBAAqB,CAAC,GAAG,MAAM,CAiB7F"}
@@ -0,0 +1,177 @@
1
+ "use strict";
2
+ /**
3
+ * Direct `<PackageReference>` parser — D025f (2.4.7).
4
+ *
5
+ * Extracts NuGet PackageReference entries from `.csproj` XML text
6
+ * without invoking `dotnet restore` or any other .NET toolchain. The
7
+ * output feeds an ad-hoc `packages.lock.json`-shaped file that
8
+ * osv-scanner ingests via `--lockfile=<path>` (the file MUST be
9
+ * literally named `packages.lock.json` — osv-scanner v2.x detects the
10
+ * NuGet ecosystem by filename, not by a prefix). This closes the D036
11
+ * customer-outcome gap on the .NET WinForms benchmark (where
12
+ * `dotnet list package` couldn't run from a multi-project parent
13
+ * directory).
14
+ *
15
+ * Lives under `src/analyzers/tools/` (alongside `osv-scanner-deps.ts`,
16
+ * `jacoco.ts`, `npm-registry.ts`, `cvss-v4.ts`) — CLAUDE.md rule #6
17
+ * keeps each language pack as a single file; ecosystem-specific tool
18
+ * helpers consumed by one or more packs go in `analyzers/tools/`.
19
+ * csharp.ts imports this module the same way it already imports
20
+ * `osv` and `osv-scanner-deps`.
21
+ *
22
+ * Architectural rationale:
23
+ *
24
+ * D025c (Sprint A) routed the gather through `findTool(TOOL_DEFS
25
+ * ['dotnet-format'])` so users with `~/.dotnet/dotnet` (the
26
+ * Microsoft-recommended non-sudo install) got dotnet discovered.
27
+ * That fix was necessary but not sufficient: `dotnet list package
28
+ * --vulnerable` still requires an explicit `.csproj`/`.sln` in cwd,
29
+ * and the .NET WinForms benchmark's
30
+ * `Code/Source/Dev/Core/<Module>/<Module>.csproj` layout puts the
31
+ * project files 3 levels deeper than the natural
32
+ * `dxkit vulnerabilities Code/Source/` cwd.
33
+ *
34
+ * D025f sidesteps the dotnet CLI entirely. We walk every `.csproj`
35
+ * reachable from cwd (depth 5, matching csharp.detect()), parse
36
+ * each, and feed the union to osv-scanner via a synthetic lockfile.
37
+ * Cross-platform — `net9.0-windows` targets that won't restore on
38
+ * Linux/Mac still get scanned.
39
+ *
40
+ * Trade-off: this catches DIRECT PackageReferences only. Transitive
41
+ * deps (resolved by NuGet's dep graph from each direct ref's own
42
+ * dependencies) are NOT visible without a populated
43
+ * `project.assets.json`. Industry studies put ~80% of typical
44
+ * .NET CVE surface on direct refs; the remaining ~20% (transitives)
45
+ * land cleanly when `dotnet restore` is available and the
46
+ * dotnet-path-resolved D025c codepath runs.
47
+ *
48
+ * Shared with D031: the licenses degraded-inventory fallback uses the
49
+ * same parser to produce a "133 packages identified; license info
50
+ * unavailable" rendering when `nuget-license` isn't installed.
51
+ *
52
+ * Pure function. No I/O. Tested via a fixture suite of representative
53
+ * .csproj shapes (attribute-form, element-form, Central Package
54
+ * Management, conditional `<ItemGroup>` blocks).
55
+ */
56
+ Object.defineProperty(exports, "__esModule", { value: true });
57
+ exports.parseCsprojPackageReferences = parseCsprojPackageReferences;
58
+ exports.buildNugetAdhocLockfile = buildNugetAdhocLockfile;
59
+ /**
60
+ * Match shapes (in priority order):
61
+ *
62
+ * 1. `<PackageReference Include="Foo" Version="1.0.0" />` — most
63
+ * common; attributes can appear in any order (also matched
64
+ * `Version="1.0.0" Include="Foo"`).
65
+ * 2. `<PackageReference Include="Foo"><Version>1.0.0</Version>
66
+ * </PackageReference>` — element-form, equivalent semantics;
67
+ * common in repos that prefer multiline configs or use child
68
+ * elements for `<PrivateAssets>`/`<IncludeAssets>` siblings.
69
+ * 3. `<PackageReference Include="Foo" />` WITHOUT Version — Central
70
+ * Package Management (CPM): the version comes from a separate
71
+ * `Directory.Packages.props` file. Skipped here; the CPM-aware
72
+ * pass (a future enhancement) would resolve them.
73
+ *
74
+ * Skipped shapes:
75
+ *
76
+ * - `<PackageReference Update="Foo" Version="..." />` — CPM
77
+ * override syntax for transitive pins; NOT a direct reference.
78
+ * - `<GlobalPackageReference ... />` — CPM-only; pins all projects.
79
+ * Not a direct reference of this csproj.
80
+ * - Comments / CDATA — best-effort; the regex is generous and
81
+ * can theoretically match `<!-- <PackageReference ... -->`
82
+ * comments; users with literal PackageReference strings inside
83
+ * comments would get false positives. Acceptable: pathological
84
+ * case, and osv-scanner won't surface advisories for non-real
85
+ * packages, so the worst case is a wasted scan entry.
86
+ */
87
+ function parseCsprojPackageReferences(xml) {
88
+ const out = [];
89
+ const seen = new Set(); // dedupe `${name}@${version}` within a single .csproj
90
+ // Form 1 (attribute-form): two attribute orderings.
91
+ // Match Include="X" ... Version="Y"
92
+ const attrIncludeFirstRe = /<PackageReference\s+[^>]*\bInclude\s*=\s*"([^"]+)"[^>]*\bVersion\s*=\s*"([^"]+)"[^>]*\/?>/gi;
93
+ // Match Version="Y" ... Include="X"
94
+ const attrVersionFirstRe = /<PackageReference\s+[^>]*\bVersion\s*=\s*"([^"]+)"[^>]*\bInclude\s*=\s*"([^"]+)"[^>]*\/?>/gi;
95
+ let m;
96
+ while ((m = attrIncludeFirstRe.exec(xml)) !== null) {
97
+ pushEntry(out, seen, m[1], m[2]);
98
+ }
99
+ while ((m = attrVersionFirstRe.exec(xml)) !== null) {
100
+ pushEntry(out, seen, m[2], m[1]);
101
+ }
102
+ // Form 2 (element-form): <PackageReference Include="X"><Version>Y</Version>...</PackageReference>
103
+ // The element form spans multiple lines; the regex is multi-line aware.
104
+ const elementFormRe = /<PackageReference\s+[^>]*\bInclude\s*=\s*"([^"]+)"[^>]*>[\s\S]*?<Version>\s*([^<\s]+)\s*<\/Version>[\s\S]*?<\/PackageReference>/gi;
105
+ while ((m = elementFormRe.exec(xml)) !== null) {
106
+ pushEntry(out, seen, m[1], m[2]);
107
+ }
108
+ return out;
109
+ }
110
+ function pushEntry(out, seen, rawName, rawVersion) {
111
+ const name = rawName.trim();
112
+ const version = rawVersion.trim();
113
+ if (!name || !version)
114
+ return;
115
+ const key = `${name}@${version}`;
116
+ if (seen.has(key))
117
+ return;
118
+ seen.add(key);
119
+ out.push({ name, version });
120
+ }
121
+ /**
122
+ * Generate the body of an ad-hoc `packages.lock.json` that osv-scanner
123
+ * v2.x reads via `--lockfile=<path>` (caller MUST write this content to
124
+ * a file literally named `packages.lock.json` — osv-scanner detects
125
+ * ecosystem by filename). The schema matches NuGet's native
126
+ * `dotnet restore`-produced lockfile (which osv-scanner already
127
+ * supports natively), simplified to the minimum osv-scanner consults
128
+ * for vulnerability matching:
129
+ *
130
+ * {
131
+ * "version": 1,
132
+ * "dependencies": {
133
+ * "net0.0": {
134
+ * "<Pkg>": {
135
+ * "type": "Direct",
136
+ * "resolved": "<Version>",
137
+ * "requested": "[<Version>, )"
138
+ * }
139
+ * }
140
+ * }
141
+ * }
142
+ *
143
+ * - `"version": 1` matches `dotnet restore`'s lockfile schema version.
144
+ * - `"net0.0"` is a placeholder framework moniker — osv-scanner reads
145
+ * the package map without validating the framework key, so any
146
+ * non-empty string works. We use a non-real moniker so it can't be
147
+ * confused with a real target framework in downstream debugging.
148
+ * - `type: "Direct"` truthfully reflects that we ONLY parsed direct
149
+ * references. Transitive vulns are out of scope for this path
150
+ * (covered by D025c's `dotnet list` codepath when available).
151
+ * - `requested` is a NuGet version range; we use a single-anchored
152
+ * `[V, )` form so the lockfile is valid even though the real
153
+ * `.csproj` might have been a pinned single version.
154
+ *
155
+ * Returns a JSON-stringified string suitable for writing to a temp
156
+ * file. Callers should clean up the temp file after osv-scanner
157
+ * consumes it.
158
+ */
159
+ function buildNugetAdhocLockfile(entries) {
160
+ const dependencies = { 'net0.0': {} };
161
+ for (const entry of entries) {
162
+ // If the same package appears in multiple .csproj files at different
163
+ // versions, last-write-wins per the lockfile shape (it's one entry
164
+ // per package name within a framework). osv-scanner will scan
165
+ // whichever version we stamped; the cross-csproj merging trade-off
166
+ // is documented at the caller. At enterprise scale (~74 csprojs)
167
+ // collisions are common but typically converge on a single resolved
168
+ // version per the repo's dependency hygiene practices.
169
+ dependencies['net0.0'][entry.name] = {
170
+ type: 'Direct',
171
+ resolved: entry.version,
172
+ requested: `[${entry.version}, )`,
173
+ };
174
+ }
175
+ return JSON.stringify({ version: 1, dependencies }, null, 2);
176
+ }
177
+ //# sourceMappingURL=nuget-package-reference.js.map
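Review bot: The element-form pattern `elementFormRe` in `parseCsprojPackageReferences` can pair one package with another package's version, because its opener `[^>]*>` also accepts a self-closing `<PackageReference Include="A" />` and the lazy `[\s\S]*?` then runs forward to the next `<Version>` anywhere in the file. A versionless CPM reference (documented above as skipped) followed by an element-form reference would be emitted as A with B's version, and B is consumed by that same match, so the synthetic lockfile gains a wrong entry and loses a real one, which means a missed advisory for B. I would reject self-closing openers and stop the gap at the next reference by replacing `"[^>]*>[\s\S]*?<Version>` with `"[^>]*(?<!\/)>(?:(?!<PackageReference\b)[\s\S])*?<Version>`. Separately, `pushEntry` accepts any non-empty `Version` text, so an MSBuild property reference or a version range would be written to `resolved` unchanged; whether osv-scanner can match such a value is not visible here, so skipping or reporting those entries would avoid a silent false negative.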
@@ -0,0 +1 @@
1
+ {"version":3,"file":"nuget-package-reference.js","sourceRoot":"","sources":["../../../src/analyzers/tools/nuget-package-reference.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqDG;;AAyCH,oEA6BC;AAuDD,0DAiBC;AAjID;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,SAAgB,4BAA4B,CAAC,GAAW;IACtD,MAAM,GAAG,GAA4B,EAAE,CAAC;IACxC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC,CAAC,sDAAsD;IAEtF,oDAAoD;IACpD,oCAAoC;IACpC,MAAM,kBAAkB,GACtB,6FAA6F,CAAC;IAChG,oCAAoC;IACpC,MAAM,kBAAkB,GACtB,6FAA6F,CAAC;IAEhG,IAAI,CAAyB,CAAC;IAC9B,OAAO,CAAC,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACnD,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,CAAC,CAAC,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACnD,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;IAED,kGAAkG;IAClG,wEAAwE;IACxE,MAAM,aAAa,GACjB,mIAAmI,CAAC;IACtI,OAAO,CAAC,CAAC,GAAG,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC9C,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACnC,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,SAAS,CAChB,GAA4B,EAC5B,IAAiB,EACjB,OAAe,EACf,UAAkB;IAElB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC5B,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;IAClC,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO;QAAE,OAAO;IAC9B,MAAM,GAAG,GAAG,GAAG,IAAI,IAAI,OAAO,EAAE,CAAC;IACjC,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO;IAC1B,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACd,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC;AAC9B,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,SAAgB,uBAAuB,CAAC,OAA6C;IACnF,MAAM,YAAY,GAA4C,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;IAC/E,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,qEAAqE;QACrE,mEAAmE;QACnE,8DAA8D;QAC9D,mEAAmE;QACnE,iEAAiE;QACjE,oEAAoE;QACpE,uDAAuD;QACvD,YAAY,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG;YACnC,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,KAAK,CAAC,OAAO;YACvB,SAAS,EAAE,IAAI,KAAK,CAAC,OAAO,KAAK;SAC
lC,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AAC/D,CAAC"}
@@ -1,4 +1,5 @@
1
1
  import type { DepVulnFinding, DepVulnGatherOutcome, SeverityCounts } from '../../languages/capabilities/types';
2
+ import type { LanguageId } from '../../types';
2
3
  /**
3
4
  * Pure parser for osv-scanner v2.x JSON output, scoped to a single
4
5
  * ecosystem. Other ecosystems are filtered out so polyglot repos
@@ -12,7 +13,7 @@ import type { DepVulnFinding, DepVulnGatherOutcome, SeverityCounts } from '../..
12
13
  * Returns counts + findings + the raw OSV vuln records for downstream
13
14
  * CVSS resolution. Exported for unit tests.
14
15
  */
15
- export declare function parseOsvScannerFindings(raw: string, ecosystem: string): {
16
+ export declare function parseOsvScannerFindings(raw: string, ecosystem: string, packId?: LanguageId): {
16
17
  counts: SeverityCounts;
17
18
  findings: DepVulnFinding[];
18
19
  vulnsForCvss: Array<{
@@ -43,5 +44,5 @@ export declare function parseOsvScannerFindings(raw: string, ecosystem: string):
43
44
  * `database_specific.severity` strings. resolveCvssScores looks up
44
45
  * via CVE alias when the primary record lacks a vector.
45
46
  */
46
- export declare function gatherOsvScannerDepVulnsResult(cwd: string, source: string, ecosystem: string, manifestCandidates: string[]): Promise<DepVulnGatherOutcome>;
47
+ export declare function gatherOsvScannerDepVulnsResult(cwd: string, packId: LanguageId, ecosystem: string, manifestCandidates: string[]): Promise<DepVulnGatherOutcome>;
47
48
  //# sourceMappingURL=osv-scanner-deps.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"osv-scanner-deps.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/osv-scanner-deps.ts"],"names":[],"mappings":"AA8BA,OAAO,KAAK,EACV,cAAc,EACd,oBAAoB,EAEpB,cAAc,EACf,MAAM,oCAAoC,CAAC;AAiB5C;;;;;;;;;;;;GAYG;AACH,wBAAgB,uBAAuB,CACrC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,GAChB;IACD,MAAM,EAAE,cAAc,CAAC;IACvB,QAAQ,EAAE,cAAc,EAAE,CAAC;IAC3B,YAAY,EAAE,KAAK,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;CAC5F,CAiEA;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,8BAA8B,CAClD,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EACjB,kBAAkB,EAAE,MAAM,EAAE,GAC3B,OAAO,CAAC,oBAAoB,CAAC,CA4C/B"}
1
+ {"version":3,"file":"osv-scanner-deps.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/osv-scanner-deps.ts"],"names":[],"mappings":"AAoCA,OAAO,KAAK,EACV,cAAc,EACd,oBAAoB,EAEpB,cAAc,EACf,MAAM,oCAAoC,CAAC;AAC5C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAiB9C;;;;;;;;;;;;GAYG;AACH,wBAAgB,uBAAuB,CACrC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,UAAU,GAClB;IACD,MAAM,EAAE,cAAc,CAAC;IACvB,QAAQ,EAAE,cAAc,EAAE,CAAC;IAC3B,YAAY,EAAE,KAAK,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC,CAAC;CAC5F,CA8EA;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,8BAA8B,CAClD,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,UAAU,EAClB,SAAS,EAAE,MAAM,EACjB,kBAAkB,EAAE,MAAM,EAAE,GAC3B,OAAO,CAAC,oBAAoB,CAAC,CAiD/B"}
@@ -45,7 +45,7 @@ const tool_registry_1 = require("./tool-registry");
45
45
  * Returns counts + findings + the raw OSV vuln records for downstream
46
46
  * CVSS resolution. Exported for unit tests.
47
47
  */
48
- function parseOsvScannerFindings(raw, ecosystem) {
48
+ function parseOsvScannerFindings(raw, ecosystem, packId) {
49
49
  const counts = { critical: 0, high: 0, medium: 0, low: 0 };
50
50
  const findings = [];
51
51
  const vulnsForCvss = [];
@@ -87,12 +87,27 @@ function parseOsvScannerFindings(raw, ecosystem) {
87
87
  tool: 'osv-scanner',
88
88
  severity: tier,
89
89
  };
90
+ // G_v4_4 (2.4.7): stamp the producing pack so `buildUpgradeCommand`
91
+ // can dispatch to the right `LanguageSupport.upgradeCommand` without
92
+ // a hardcoded switch on `tool`. Caller passes the pack id; absent
93
+ // (`undefined`) only on legacy paths we haven't migrated yet.
94
+ if (packId)
95
+ finding.packId = packId;
90
96
  if (cvss !== null)
91
97
  finding.cvssScore = cvss;
92
98
  if (aliases.length > 0)
93
99
  finding.aliases = aliases;
94
100
  if (vuln.summary)
95
101
  finding.summary = vuln.summary;
102
+ // D042: surface the patch version when OSV's `affected[].
103
+ // ranges[].events[].fixed` is populated. This is the customer's
104
+ // actionable next-step (e.g. "upgrade Newtonsoft.Json from
105
+ // 9.0.1 to 13.0.1 to clear GHSA-5crp-9r3c-p9vr"). Pre-D042 the
106
+ // standalone scan rendered `Fix: —` for every osv-scanner-
107
+ // sourced finding because this field went unread.
108
+ const fixVersion = (0, osv_1.extractOsvFixVersion)(vuln);
109
+ if (fixVersion)
110
+ finding.fixedVersion = fixVersion;
96
111
  // OSV.dev hosts a canonical page per id — synthesize when the
97
112
  // record's `references[]` is empty, otherwise keep the
98
113
  // tool-supplied URLs.
@@ -132,7 +147,7 @@ function parseOsvScannerFindings(raw, ecosystem) {
132
147
  * `database_specific.severity` strings. resolveCvssScores looks up
133
148
  * via CVE alias when the primary record lacks a vector.
134
149
  */
135
- async function gatherOsvScannerDepVulnsResult(cwd, source, ecosystem, manifestCandidates) {
150
+ async function gatherOsvScannerDepVulnsResult(cwd, packId, ecosystem, manifestCandidates) {
136
151
  let manifest = null;
137
152
  for (const rel of manifestCandidates) {
138
153
  if ((0, runner_1.fileExists)(cwd, rel)) {
@@ -140,15 +155,20 @@ async function gatherOsvScannerDepVulnsResult(cwd, source, ecosystem, manifestCa
140
155
  break;
141
156
  }
142
157
  }
143
- if (!manifest)
144
- return { kind: 'tool-missing' };
158
+ if (!manifest) {
159
+ return {
160
+ kind: 'no-manifest',
161
+ reason: `no lockfile found (looked for: ${manifestCandidates.join(', ')})`,
162
+ };
163
+ }
145
164
  const scanner = (0, tool_registry_1.findTool)(tool_registry_1.TOOL_DEFS['osv-scanner'], cwd);
146
- if (!scanner.available || !scanner.path)
147
- return { kind: 'tool-missing' };
165
+ if (!scanner.available || !scanner.path) {
166
+ return { kind: 'unavailable', reason: 'osv-scanner not installed' };
167
+ }
148
168
  const raw = (0, runner_1.run)(`${scanner.path} scan source --lockfile ${manifest} --format json 2>/dev/null`, cwd, 180000);
149
169
  if (!raw)
150
- return { kind: 'no-output' };
151
- const { counts, findings, vulnsForCvss } = parseOsvScannerFindings(raw, ecosystem);
170
+ return { kind: 'unavailable', reason: 'osv-scanner produced no output' };
171
+ const { counts, findings, vulnsForCvss } = parseOsvScannerFindings(raw, ecosystem, packId);
152
172
  if (findings.length > 0) {
153
173
  const resolved = await (0, osv_1.resolveCvssScores)(vulnsForCvss);
154
174
  for (const f of findings) {
@@ -164,12 +184,10 @@ async function gatherOsvScannerDepVulnsResult(cwd, source, ecosystem, manifestCa
164
184
  counts,
165
185
  findings,
166
186
  };
167
- // Note: `source` is unused at the envelope level today — DepVulnResult
168
- // carries `tool: 'osv-scanner'` as the producer attribution. Reserved
169
- // for a future enhancement that distinguishes per-pack provenance
170
- // (e.g., when both kotlin and java packs run on a mixed monorepo and
171
- // we want to attribute findings to the originating pack).
172
- void source;
187
+ // G_v4_4 (2.4.7): `packId` is forwarded into `parseOsvScannerFindings`
188
+ // so each finding carries the producing pack, which `buildUpgradeCommand`
189
+ // dispatches on. Envelope-level `tool: 'osv-scanner'` stays as the
190
+ // tool-attribution string used in `toolsUsed`.
173
191
  return { kind: 'success', envelope };
174
192
  }
175
193
  //# sourceMappingURL=osv-scanner-deps.js.map
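Review bot: The `run(...)` call in `gatherOsvScannerDepVulnsResult` (new line 168) still interpolates `scanner.path` and `manifest` unquoted into one command string, and the `2>/dev/null` redirection suggests that string is handed to a shell. `manifest` is taken from the caller's `manifestCandidates`, so a path containing spaces or shell metacharacters would split or alter the command; passing the arguments as an array to a non-shell exec, for example `execFileSync(scanner.path, ['scan', 'source', '--lockfile', manifest, '--format', 'json'])`, would remove that class of problem. Discarding stderr also means the new `reason: 'osv-scanner produced no output'` cannot tell a crash from a timeout or a rejected lockfile, so capturing stderr into `reason` would make the `unavailable` outcome diagnosable. The function body continues between the hunks shown and the `run` helper is defined elsewhere, so its actual behaviour should be confirmed in the runner module.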
@@ -1 +1 @@
1
- {"version":3,"file":"osv-scanner-deps.js","sourceRoot":"","sources":["../../../src/analyzers/tools/osv-scanner-deps.ts"],"names":[],"mappings":";;AAiEA,0DAwEC;AAwBD,wEAiDC;AAlND;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,+BAAkG;AAClG,qCAA2C;AAC3C,mDAAsD;AAuBtD;;;;;;;;;;;;GAYG;AACH,SAAgB,uBAAuB,CACrC,GAAW,EACX,SAAiB;IAMjB,MAAM,MAAM,GAAmB,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC3E,MAAM,QAAQ,GAAqB,EAAE,CAAC;IACtC,MAAM,YAAY,GAIb,EAAE,CAAC;IACR,IAAI,IAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;IAC5C,CAAC;IACD,oEAAoE;IACpE,sEAAsE;IACtE,oEAAoE;IACpE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC;QACxC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;YACxC,IAAI,GAAG,CAAC,OAAO,EAAE,SAAS,KAAK,SAAS;gBAAE,SAAS;YACnD,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,SAAS,CAAC;YAC9C,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;YACvC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,eAAe,IAAI,EAAE,EAAE,CAAC;gBAC7C,IAAI,CAAC,IAAI,CAAC,EAAE;oBAAE,SAAS;gBACvB,MAAM,QAAQ,GAAG,GAAG,OAAO,KAAK,UAAU,IAAI,EAAE,KAAK,IAAI,CAAC,EAAE,EAAE,CAAC;gBAC/D,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBACjC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBAEnB,MAAM,GAAG,GAAG,IAAA,yBAAmB,EAAC,IAAI,CAAC,CAAC;gBACtC,MAAM,IAAI,GACR,GAAG,KAAK,UAAU,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,KAAK;oBACvE,CAAC,CAAC,GAAG;oBACL,CAAC,CAAC,QAAQ,CAAC;gBACf,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBAEf,MAAM,IAAI,GAAG,IAAA,yBAAmB,EAAC,IAAI,CAAC,CAAC;gBACvC,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBACtE,MAAM,OAAO,GAAmB;oBAC9B,EAAE,EAAE,IAAI,CAAC,EAAE;oBACX,OAAO,EAAE,OAAO;oBAChB,gBAAgB,EAAE,UAAU;oBAC5B,IAAI,EAAE,aAAa;oBACnB,QAAQ,EAAE,IAAI;iBACf,CAAC;gBACF,IAAI,IAAI,KAAK,IAAI;oBAAE,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;gBAC5C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;oBA
AE,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC;gBAClD,IAAI,IAAI,CAAC,OAAO;oBAAE,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;gBACjD,8DAA8D;gBAC9D,uDAAuD;gBACvD,sBAAsB;gBACtB,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC1F,OAAO,CAAC,UAAU;oBAChB,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,iCAAiC,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC9E,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAEvB,YAAY,CAAC,IAAI,CAAC;oBAChB,SAAS,EAAE,IAAI,CAAC,EAAE;oBAClB,YAAY,EAAE,IAAI;oBAClB,OAAO;iBACR,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;AAC5C,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACI,KAAK,UAAU,8BAA8B,CAClD,GAAW,EACX,MAAc,EACd,SAAiB,EACjB,kBAA4B;IAE5B,IAAI,QAAQ,GAAkB,IAAI,CAAC;IACnC,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;QACrC,IAAI,IAAA,mBAAU,EAAC,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;YACzB,QAAQ,GAAG,GAAG,CAAC;YACf,MAAM;QACR,CAAC;IACH,CAAC;IACD,IAAI,CAAC,QAAQ;QAAE,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;IAE/C,MAAM,OAAO,GAAG,IAAA,wBAAQ,EAAC,yBAAS,CAAC,aAAa,CAAC,EAAE,GAAG,CAAC,CAAC;IACxD,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,IAAI;QAAE,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;IAEzE,MAAM,GAAG,GAAG,IAAA,YAAG,EACb,GAAG,OAAO,CAAC,IAAI,2BAA2B,QAAQ,4BAA4B,EAC9E,GAAG,EACH,MAAM,CACP,CAAC;IACF,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;IAEvC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,uBAAuB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAEnF,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,QAAQ,GAAG,MAAM,IAAA,uBAAiB,EAAC,YAAY,CAAC,CAAC;QACvD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACjC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS;gBAAE,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC;QACjE,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,aAAa,EAAE,CAAC;QAChB,IAAI,EAAE,aAAa;QACnB,UAAU,EAAE,SAAS;QACrB,MAAM;QACN,QAAQ;KACT,CAAC;IACF,uEAAuE;IACvE,sEAAsE;IACtE,kEAAkE;IAClE,qEAAqE;IACrE,0DAA0D;IAC1D,KAAK,MAAM,CAAC;IACZ,OAAO
,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AACvC,CAAC"}
1
+ {"version":3,"file":"osv-scanner-deps.js","sourceRoot":"","sources":["../../../src/analyzers/tools/osv-scanner-deps.ts"],"names":[],"mappings":";;AAwEA,0DAsFC;AAwBD,wEAsDC;AA5OD;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,+BAMe;AACf,qCAA2C;AAC3C,mDAAsD;AAwBtD;;;;;;;;;;;;GAYG;AACH,SAAgB,uBAAuB,CACrC,GAAW,EACX,SAAiB,EACjB,MAAmB;IAMnB,MAAM,MAAM,GAAmB,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC3E,MAAM,QAAQ,GAAqB,EAAE,CAAC;IACtC,MAAM,YAAY,GAIb,EAAE,CAAC;IACR,IAAI,IAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAqB,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;IAC5C,CAAC;IACD,oEAAoE;IACpE,sEAAsE;IACtE,oEAAoE;IACpE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC;QACxC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;YACxC,IAAI,GAAG,CAAC,OAAO,EAAE,SAAS,KAAK,SAAS;gBAAE,SAAS;YACnD,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,SAAS,CAAC;YAC9C,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;YACvC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,eAAe,IAAI,EAAE,EAAE,CAAC;gBAC7C,IAAI,CAAC,IAAI,CAAC,EAAE;oBAAE,SAAS;gBACvB,MAAM,QAAQ,GAAG,GAAG,OAAO,KAAK,UAAU,IAAI,EAAE,KAAK,IAAI,CAAC,EAAE,EAAE,CAAC;gBAC/D,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBACjC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBAEnB,MAAM,GAAG,GAAG,IAAA,yBAAmB,EAAC,IAAI,CAAC,CAAC;gBACtC,MAAM,IAAI,GACR,GAAG,KAAK,UAAU,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,KAAK;oBACvE,CAAC,CAAC,GAAG;oBACL,CAAC,CAAC,QAAQ,CAAC;gBACf,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;gBAEf,MAAM,IAAI,GAAG,IAAA,yBAAmB,EAAC,IAAI,CAAC,CAAC;gBACvC,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBACtE,MAAM,OAAO,GAAmB;oBAC9B,EAAE,EAAE,IAAI,CAAC,EAAE;oBACX,OAAO,EAAE,OAAO;oBAChB,gBAAgB,EAAE,UAAU;oBAC5B,IAAI,EAAE,aAAa;oBACnB,QAAQ,EAAE,IAAI;iBACf,CAAC;gBACF,oEAAoE;gBACpE,qEAAqE;gBACrE,kEAAkE;gBAClE,8DAA8D;gBAC9D,IAAI,MAAM;oBAAE,OAAO,CAAC,MAAM
,GAAG,MAAM,CAAC;gBACpC,IAAI,IAAI,KAAK,IAAI;oBAAE,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC;gBAC5C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;oBAAE,OAAO,CAAC,OAAO,GAAG,OAAO,CAAC;gBAClD,IAAI,IAAI,CAAC,OAAO;oBAAE,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC;gBACjD,0DAA0D;gBAC1D,gEAAgE;gBAChE,2DAA2D;gBAC3D,+DAA+D;gBAC/D,2DAA2D;gBAC3D,kDAAkD;gBAClD,MAAM,UAAU,GAAG,IAAA,0BAAoB,EAAC,IAAI,CAAC,CAAC;gBAC9C,IAAI,UAAU;oBAAE,OAAO,CAAC,YAAY,GAAG,UAAU,CAAC;gBAClD,8DAA8D;gBAC9D,uDAAuD;gBACvD,sBAAsB;gBACtB,MAAM,OAAO,GAAG,CAAC,IAAI,CAAC,UAAU,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;gBAC1F,OAAO,CAAC,UAAU;oBAChB,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,iCAAiC,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC9E,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBAEvB,YAAY,CAAC,IAAI,CAAC;oBAChB,SAAS,EAAE,IAAI,CAAC,EAAE;oBAClB,YAAY,EAAE,IAAI;oBAClB,OAAO;iBACR,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC;AAC5C,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACI,KAAK,UAAU,8BAA8B,CAClD,GAAW,EACX,MAAkB,EAClB,SAAiB,EACjB,kBAA4B;IAE5B,IAAI,QAAQ,GAAkB,IAAI,CAAC;IACnC,KAAK,MAAM,GAAG,IAAI,kBAAkB,EAAE,CAAC;QACrC,IAAI,IAAA,mBAAU,EAAC,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;YACzB,QAAQ,GAAG,GAAG,CAAC;YACf,MAAM;QACR,CAAC;IACH,CAAC;IACD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO;YACL,IAAI,EAAE,aAAa;YACnB,MAAM,EAAE,kCAAkC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;SAC3E,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAG,IAAA,wBAAQ,EAAC,yBAAS,CAAC,aAAa,CAAC,EAAE,GAAG,CAAC,CAAC;IACxD,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACxC,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC;IACtE,CAAC;IAED,MAAM,GAAG,GAAG,IAAA,YAAG,EACb,GAAG,OAAO,CAAC,IAAI,2BAA2B,QAAQ,4BAA4B,EAC9E,GAAG,EACH,MAAM,CACP,CAAC;IACF,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,gCAAgC,EAAE,CAAC;IAEnF,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,GAAG,uBAAuB,CAAC,GAAG,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IAE3F,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM
,QAAQ,GAAG,MAAM,IAAA,uBAAiB,EAAC,YAAY,CAAC,CAAC;QACvD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACjC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS;gBAAE,CAAC,CAAC,SAAS,GAAG,KAAK,CAAC;QACjE,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAkB;QAC9B,aAAa,EAAE,CAAC;QAChB,IAAI,EAAE,aAAa;QACnB,UAAU,EAAE,SAAS;QACrB,MAAM;QACN,QAAQ;KACT,CAAC;IACF,uEAAuE;IACvE,0EAA0E;IAC1E,mEAAmE;IACnE,+CAA+C;IAC/C,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AACvC,CAAC"}