@vyuhlabs/dxkit 2.4.6 → 2.4.8
- package/CHANGELOG.md +1076 -0
- package/README.md +132 -27
- package/dist/analysis-result.d.ts +112 -0
- package/dist/analysis-result.d.ts.map +1 -0
- package/dist/analysis-result.js +52 -0
- package/dist/analysis-result.js.map +1 -0
- package/dist/analyzers/bom/detailed.d.ts.map +1 -1
- package/dist/analyzers/bom/detailed.js +19 -0
- package/dist/analyzers/bom/detailed.js.map +1 -1
- package/dist/analyzers/bom/gather.d.ts +27 -26
- package/dist/analyzers/bom/gather.d.ts.map +1 -1
- package/dist/analyzers/bom/gather.js +26 -87
- package/dist/analyzers/bom/gather.js.map +1 -1
- package/dist/analyzers/bom/index.d.ts +0 -7
- package/dist/analyzers/bom/index.d.ts.map +1 -1
- package/dist/analyzers/bom/index.js +98 -48
- package/dist/analyzers/bom/index.js.map +1 -1
- package/dist/analyzers/bom/types.d.ts +11 -13
- package/dist/analyzers/bom/types.d.ts.map +1 -1
- package/dist/analyzers/cache.d.ts +95 -0
- package/dist/analyzers/cache.d.ts.map +1 -0
- package/dist/analyzers/cache.js +309 -0
- package/dist/analyzers/cache.js.map +1 -0
- package/dist/analyzers/coverage-runner.d.ts +56 -0
- package/dist/analyzers/coverage-runner.d.ts.map +1 -0
- package/dist/analyzers/coverage-runner.js +72 -0
- package/dist/analyzers/coverage-runner.js.map +1 -0
- package/dist/analyzers/dashboard/index.d.ts +24 -0
- package/dist/analyzers/dashboard/index.d.ts.map +1 -0
- package/dist/analyzers/dashboard/index.js +667 -0
- package/dist/analyzers/dashboard/index.js.map +1 -0
- package/dist/analyzers/developer/gather.d.ts.map +1 -1
- package/dist/analyzers/developer/gather.js +205 -37
- package/dist/analyzers/developer/gather.js.map +1 -1
- package/dist/analyzers/developer/index.d.ts +1 -1
- package/dist/analyzers/developer/index.d.ts.map +1 -1
- package/dist/analyzers/developer/index.js +21 -9
- package/dist/analyzers/developer/index.js.map +1 -1
- package/dist/analyzers/dispatcher.d.ts +52 -0
- package/dist/analyzers/dispatcher.d.ts.map +1 -1
- package/dist/analyzers/dispatcher.js +92 -9
- package/dist/analyzers/dispatcher.js.map +1 -1
- package/dist/analyzers/docs/shallow.d.ts +17 -5
- package/dist/analyzers/docs/shallow.d.ts.map +1 -1
- package/dist/analyzers/docs/shallow.js +65 -2
- package/dist/analyzers/docs/shallow.js.map +1 -1
- package/dist/analyzers/dx/shallow.d.ts +17 -5
- package/dist/analyzers/dx/shallow.d.ts.map +1 -1
- package/dist/analyzers/dx/shallow.js +66 -2
- package/dist/analyzers/dx/shallow.js.map +1 -1
- package/dist/analyzers/health/actions.d.ts +1 -1
- package/dist/analyzers/health/actions.d.ts.map +1 -1
- package/dist/analyzers/health/actions.js +27 -9
- package/dist/analyzers/health/actions.js.map +1 -1
- package/dist/analyzers/health/detailed.d.ts +2 -1
- package/dist/analyzers/health/detailed.d.ts.map +1 -1
- package/dist/analyzers/health/detailed.js +11 -7
- package/dist/analyzers/health/detailed.js.map +1 -1
- package/dist/analyzers/health.d.ts +27 -0
- package/dist/analyzers/health.d.ts.map +1 -1
- package/dist/analyzers/health.js +282 -34
- package/dist/analyzers/health.js.map +1 -1
- package/dist/analyzers/licenses/gather.d.ts +35 -8
- package/dist/analyzers/licenses/gather.d.ts.map +1 -1
- package/dist/analyzers/licenses/gather.js +86 -13
- package/dist/analyzers/licenses/gather.js.map +1 -1
- package/dist/analyzers/licenses/index.d.ts +1 -1
- package/dist/analyzers/licenses/index.d.ts.map +1 -1
- package/dist/analyzers/licenses/index.js +52 -11
- package/dist/analyzers/licenses/index.js.map +1 -1
- package/dist/analyzers/licenses/types.d.ts +15 -0
- package/dist/analyzers/licenses/types.d.ts.map +1 -1
- package/dist/analyzers/maintainability/shallow.d.ts +17 -5
- package/dist/analyzers/maintainability/shallow.d.ts.map +1 -1
- package/dist/analyzers/maintainability/shallow.js +80 -2
- package/dist/analyzers/maintainability/shallow.js.map +1 -1
- package/dist/analyzers/quality/detailed.d.ts.map +1 -1
- package/dist/analyzers/quality/detailed.js +4 -6
- package/dist/analyzers/quality/detailed.js.map +1 -1
- package/dist/analyzers/quality/gather.d.ts +1 -14
- package/dist/analyzers/quality/gather.d.ts.map +1 -1
- package/dist/analyzers/quality/gather.js +48 -137
- package/dist/analyzers/quality/gather.js.map +1 -1
- package/dist/analyzers/quality/index.d.ts +9 -2
- package/dist/analyzers/quality/index.d.ts.map +1 -1
- package/dist/analyzers/quality/index.js +197 -117
- package/dist/analyzers/quality/index.js.map +1 -1
- package/dist/analyzers/quality/shallow.d.ts +50 -5
- package/dist/analyzers/quality/shallow.d.ts.map +1 -1
- package/dist/analyzers/quality/shallow.js +155 -2
- package/dist/analyzers/quality/shallow.js.map +1 -1
- package/dist/analyzers/quality/types.d.ts +14 -0
- package/dist/analyzers/quality/types.d.ts.map +1 -1
- package/dist/analyzers/security/actions.d.ts +11 -4
- package/dist/analyzers/security/actions.d.ts.map +1 -1
- package/dist/analyzers/security/actions.js +87 -37
- package/dist/analyzers/security/actions.js.map +1 -1
- package/dist/analyzers/security/aggregator.d.ts +236 -0
- package/dist/analyzers/security/aggregator.d.ts.map +1 -0
- package/dist/analyzers/security/aggregator.js +349 -0
- package/dist/analyzers/security/aggregator.js.map +1 -0
- package/dist/analyzers/security/detailed.d.ts +2 -2
- package/dist/analyzers/security/detailed.d.ts.map +1 -1
- package/dist/analyzers/security/detailed.js +10 -9
- package/dist/analyzers/security/detailed.js.map +1 -1
- package/dist/analyzers/security/gather.d.ts +104 -1
- package/dist/analyzers/security/gather.d.ts.map +1 -1
- package/dist/analyzers/security/gather.js +299 -9
- package/dist/analyzers/security/gather.js.map +1 -1
- package/dist/analyzers/security/index.d.ts +15 -0
- package/dist/analyzers/security/index.d.ts.map +1 -1
- package/dist/analyzers/security/index.js +463 -50
- package/dist/analyzers/security/index.js.map +1 -1
- package/dist/analyzers/security/shallow.d.ts +50 -6
- package/dist/analyzers/security/shallow.d.ts.map +1 -1
- package/dist/analyzers/security/shallow.js +154 -2
- package/dist/analyzers/security/shallow.js.map +1 -1
- package/dist/analyzers/security/types.d.ts +51 -0
- package/dist/analyzers/security/types.d.ts.map +1 -1
- package/dist/analyzers/tests/detailed.d.ts.map +1 -1
- package/dist/analyzers/tests/detailed.js +2 -3
- package/dist/analyzers/tests/detailed.js.map +1 -1
- package/dist/analyzers/tests/gather.d.ts +2 -1
- package/dist/analyzers/tests/gather.d.ts.map +1 -1
- package/dist/analyzers/tests/gather.js +98 -69
- package/dist/analyzers/tests/gather.js.map +1 -1
- package/dist/analyzers/tests/index.d.ts +11 -2
- package/dist/analyzers/tests/index.d.ts.map +1 -1
- package/dist/analyzers/tests/index.js +83 -18
- package/dist/analyzers/tests/index.js.map +1 -1
- package/dist/analyzers/tests/shallow.d.ts +19 -5
- package/dist/analyzers/tests/shallow.d.ts.map +1 -1
- package/dist/analyzers/tests/shallow.js +89 -2
- package/dist/analyzers/tests/shallow.js.map +1 -1
- package/dist/analyzers/tests/types.d.ts +41 -1
- package/dist/analyzers/tests/types.d.ts.map +1 -1
- package/dist/analyzers/tools/autogen-header.d.ts +8 -0
- package/dist/analyzers/tools/autogen-header.d.ts.map +1 -0
- package/dist/analyzers/tools/autogen-header.js +107 -0
- package/dist/analyzers/tools/autogen-header.js.map +1 -0
- package/dist/analyzers/tools/cloc.d.ts.map +1 -1
- package/dist/analyzers/tools/cloc.js +36 -5
- package/dist/analyzers/tools/cloc.js.map +1 -1
- package/dist/analyzers/tools/deadline.d.ts +67 -0
- package/dist/analyzers/tools/deadline.d.ts.map +1 -0
- package/dist/analyzers/tools/deadline.js +81 -0
- package/dist/analyzers/tools/deadline.js.map +1 -0
- package/dist/analyzers/tools/debug-statements.d.ts +17 -0
- package/dist/analyzers/tools/debug-statements.d.ts.map +1 -0
- package/dist/analyzers/tools/debug-statements.js +58 -0
- package/dist/analyzers/tools/debug-statements.js.map +1 -0
- package/dist/analyzers/tools/default-exclusions.gitignore +28 -0
- package/dist/analyzers/tools/exclusions.d.ts +33 -6
- package/dist/analyzers/tools/exclusions.d.ts.map +1 -1
- package/dist/analyzers/tools/exclusions.js +95 -26
- package/dist/analyzers/tools/exclusions.js.map +1 -1
- package/dist/analyzers/tools/generic.d.ts +17 -2
- package/dist/analyzers/tools/generic.d.ts.map +1 -1
- package/dist/analyzers/tools/generic.js +206 -109
- package/dist/analyzers/tools/generic.js.map +1 -1
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
- package/dist/analyzers/tools/gitleaks.js +48 -1
- package/dist/analyzers/tools/gitleaks.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts +30 -2
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +131 -15
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/jscpd.d.ts +12 -2
- package/dist/analyzers/tools/jscpd.d.ts.map +1 -1
- package/dist/analyzers/tools/jscpd.js +129 -6
- package/dist/analyzers/tools/jscpd.js.map +1 -1
- package/dist/analyzers/tools/lint-label.d.ts +29 -0
- package/dist/analyzers/tools/lint-label.d.ts.map +1 -0
- package/dist/analyzers/tools/lint-label.js +23 -0
- package/dist/analyzers/tools/lint-label.js.map +1 -0
- package/dist/analyzers/tools/minified-detection.d.ts +9 -0
- package/dist/analyzers/tools/minified-detection.d.ts.map +1 -0
- package/dist/analyzers/tools/minified-detection.js +147 -0
- package/dist/analyzers/tools/minified-detection.js.map +1 -0
- package/dist/analyzers/tools/nuget-package-reference.d.ts +133 -0
- package/dist/analyzers/tools/nuget-package-reference.d.ts.map +1 -0
- package/dist/analyzers/tools/nuget-package-reference.js +177 -0
- package/dist/analyzers/tools/nuget-package-reference.js.map +1 -0
- package/dist/analyzers/tools/osv-scanner-deps.d.ts +3 -2
- package/dist/analyzers/tools/osv-scanner-deps.d.ts.map +1 -1
- package/dist/analyzers/tools/osv-scanner-deps.js +32 -14
- package/dist/analyzers/tools/osv-scanner-deps.js.map +1 -1
- package/dist/analyzers/tools/osv.d.ts +36 -0
- package/dist/analyzers/tools/osv.d.ts.map +1 -1
- package/dist/analyzers/tools/osv.js +26 -0
- package/dist/analyzers/tools/osv.js.map +1 -1
- package/dist/analyzers/tools/parallel.d.ts +1 -1
- package/dist/analyzers/tools/parallel.d.ts.map +1 -1
- package/dist/analyzers/tools/parallel.js +2 -2
- package/dist/analyzers/tools/parallel.js.map +1 -1
- package/dist/analyzers/tools/report-date.d.ts +17 -0
- package/dist/analyzers/tools/report-date.d.ts.map +1 -0
- package/dist/analyzers/tools/report-date.js +26 -0
- package/dist/analyzers/tools/report-date.js.map +1 -0
- package/dist/analyzers/tools/risk-score.d.ts +7 -0
- package/dist/analyzers/tools/risk-score.d.ts.map +1 -1
- package/dist/analyzers/tools/risk-score.js +9 -2
- package/dist/analyzers/tools/risk-score.js.map +1 -1
- package/dist/analyzers/tools/run-tests-helper.d.ts +43 -0
- package/dist/analyzers/tools/run-tests-helper.d.ts.map +1 -0
- package/dist/analyzers/tools/run-tests-helper.js +156 -0
- package/dist/analyzers/tools/run-tests-helper.js.map +1 -0
- package/dist/analyzers/tools/runner.d.ts.map +1 -1
- package/dist/analyzers/tools/runner.js +75 -12
- package/dist/analyzers/tools/runner.js.map +1 -1
- package/dist/analyzers/tools/semgrep.d.ts +39 -2
- package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
- package/dist/analyzers/tools/semgrep.js +131 -9
- package/dist/analyzers/tools/semgrep.js.map +1 -1
- package/dist/analyzers/tools/timing.d.ts +17 -3
- package/dist/analyzers/tools/timing.d.ts.map +1 -1
- package/dist/analyzers/tools/timing.js +36 -14
- package/dist/analyzers/tools/timing.js.map +1 -1
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +11 -1
- package/dist/analyzers/tools/tool-registry.js.map +1 -1
- package/dist/analyzers/tools/tools-unavailable-prose.d.ts +18 -0
- package/dist/analyzers/tools/tools-unavailable-prose.d.ts.map +1 -0
- package/dist/analyzers/tools/tools-unavailable-prose.js +69 -0
- package/dist/analyzers/tools/tools-unavailable-prose.js.map +1 -0
- package/dist/analyzers/tools/upgrade-plan-resolver.d.ts.map +1 -1
- package/dist/analyzers/tools/upgrade-plan-resolver.js +7 -0
- package/dist/analyzers/tools/upgrade-plan-resolver.js.map +1 -1
- package/dist/analyzers/tools/vendored-advisor.d.ts +43 -0
- package/dist/analyzers/tools/vendored-advisor.d.ts.map +1 -0
- package/dist/analyzers/tools/vendored-advisor.js +107 -0
- package/dist/analyzers/tools/vendored-advisor.js.map +1 -0
- package/dist/analyzers/tools/walk-paths.d.ts +78 -0
- package/dist/analyzers/tools/walk-paths.d.ts.map +1 -0
- package/dist/analyzers/tools/walk-paths.js +150 -0
- package/dist/analyzers/tools/walk-paths.js.map +1 -0
- package/dist/analyzers/tools/walk-source-files.d.ts +70 -0
- package/dist/analyzers/tools/walk-source-files.d.ts.map +1 -0
- package/dist/analyzers/tools/walk-source-files.js +369 -0
- package/dist/analyzers/tools/walk-source-files.js.map +1 -0
- package/dist/analyzers/types.d.ts +204 -4
- package/dist/analyzers/types.d.ts.map +1 -1
- package/dist/analyzers/xlsx/bom.d.ts.map +1 -1
- package/dist/analyzers/xlsx/bom.js +8 -1
- package/dist/analyzers/xlsx/bom.js.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +581 -189
- package/dist/cli.js.map +1 -1
- package/dist/detect.d.ts.map +1 -1
- package/dist/detect.js +24 -7
- package/dist/detect.js.map +1 -1
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +103 -53
- package/dist/doctor.js.map +1 -1
- package/dist/languages/capabilities/provider.d.ts +130 -1
- package/dist/languages/capabilities/provider.d.ts.map +1 -1
- package/dist/languages/capabilities/types.d.ts +68 -7
- package/dist/languages/capabilities/types.d.ts.map +1 -1
- package/dist/languages/csharp.d.ts +15 -1
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +624 -146
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +89 -11
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +132 -2
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +207 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +113 -26
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +132 -26
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +149 -44
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts +39 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +178 -44
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +103 -16
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +228 -5
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +201 -14
- package/dist/languages/typescript.js.map +1 -1
- package/dist/scoring/dimensions/documentation.d.ts +53 -0
- package/dist/scoring/dimensions/documentation.d.ts.map +1 -0
- package/dist/scoring/dimensions/documentation.js +106 -0
- package/dist/scoring/dimensions/documentation.js.map +1 -0
- package/dist/scoring/dimensions/dx.d.ts +53 -0
- package/dist/scoring/dimensions/dx.d.ts.map +1 -0
- package/dist/scoring/dimensions/dx.js +105 -0
- package/dist/scoring/dimensions/dx.js.map +1 -0
- package/dist/scoring/dimensions/maintainability.d.ts +53 -0
- package/dist/scoring/dimensions/maintainability.d.ts.map +1 -0
- package/dist/scoring/dimensions/maintainability.js +101 -0
- package/dist/scoring/dimensions/maintainability.js.map +1 -0
- package/dist/scoring/dimensions/quality.d.ts +108 -0
- package/dist/scoring/dimensions/quality.d.ts.map +1 -0
- package/dist/scoring/dimensions/quality.js +174 -0
- package/dist/scoring/dimensions/quality.js.map +1 -0
- package/dist/scoring/dimensions/security.d.ts +84 -0
- package/dist/scoring/dimensions/security.d.ts.map +1 -0
- package/dist/scoring/dimensions/security.js +135 -0
- package/dist/scoring/dimensions/security.js.map +1 -0
- package/dist/scoring/dimensions/testing.d.ts +56 -0
- package/dist/scoring/dimensions/testing.d.ts.map +1 -0
- package/dist/scoring/dimensions/testing.js +98 -0
- package/dist/scoring/dimensions/testing.js.map +1 -0
- package/dist/scoring/evaluator.d.ts +27 -0
- package/dist/scoring/evaluator.d.ts.map +1 -0
- package/dist/scoring/evaluator.js +124 -0
- package/dist/scoring/evaluator.js.map +1 -0
- package/dist/scoring/format.d.ts +34 -0
- package/dist/scoring/format.d.ts.map +1 -0
- package/dist/scoring/format.js +63 -0
- package/dist/scoring/format.js.map +1 -0
- package/dist/scoring/index.d.ts +37 -0
- package/dist/scoring/index.d.ts.map +1 -0
- package/dist/scoring/index.js +57 -0
- package/dist/scoring/index.js.map +1 -0
- package/dist/scoring/overall.d.ts +54 -0
- package/dist/scoring/overall.d.ts.map +1 -0
- package/dist/scoring/overall.js +76 -0
- package/dist/scoring/overall.js.map +1 -0
- package/dist/scoring/result.d.ts +111 -0
- package/dist/scoring/result.d.ts.map +1 -0
- package/dist/scoring/result.js +14 -0
- package/dist/scoring/result.js.map +1 -0
- package/dist/scoring/spec.d.ts +76 -0
- package/dist/scoring/spec.d.ts.map +1 -0
- package/dist/scoring/spec.js +22 -0
- package/dist/scoring/spec.js.map +1 -0
- package/dist/scoring/thresholds.d.ts +56 -0
- package/dist/scoring/thresholds.d.ts.map +1 -0
- package/dist/scoring/thresholds.js +75 -0
- package/dist/scoring/thresholds.js.map +1 -0
- package/dist/tools-cli.d.ts.map +1 -1
- package/dist/tools-cli.js +21 -2
- package/dist/tools-cli.js.map +1 -1
- package/dist/types.d.ts +16 -0
- package/dist/types.d.ts.map +1 -1
- package/package.json +1 -1
- package/templates/.claude/commands/dashboard.md +17 -9
- package/dist/analyzers/scoring.d.ts +0 -49
- package/dist/analyzers/scoring.d.ts.map +0 -1
- package/dist/analyzers/scoring.js +0 -422
- package/dist/analyzers/scoring.js.map +0 -1
- package/dist/analyzers/security/scoring.d.ts +0 -29
- package/dist/analyzers/security/scoring.d.ts.map +0 -1
- package/dist/analyzers/security/scoring.js +0 -40
- package/dist/analyzers/security/scoring.js.map +0 -1
|
@@ -108,6 +108,16 @@ function run(cmd, cwd, timeoutMs = 30000) {
|
|
|
108
108
|
encoding: 'utf-8',
|
|
109
109
|
stdio: ['pipe', 'pipe', 'pipe'],
|
|
110
110
|
timeout: timeoutMs,
|
|
111
|
+
// Node's default `maxBuffer` is 1MB. Tools that produce large
|
|
112
|
+
// outputs on enterprise codebases (jscpd's 25MB report on
|
|
113
|
+
// the .NET WinForms benchmark, semgrep on a huge ruleset, gitleaks on a leaky
|
|
114
|
+
// repo, npm audit on deep dep trees) silently truncated past
|
|
115
|
+
// that cap pre-fix — execSync threw `ENOBUFS`, the catch below
|
|
116
|
+
// returned empty string, and the calling gather function
|
|
117
|
+
// reported the tool as "unavailable" with reason "no output."
|
|
118
|
+
// 64MB handles the enterprise-scale observation (25MB) plus
|
|
119
|
+
// ~2x headroom without inviting runaway-tool memory explosion.
|
|
120
|
+
maxBuffer: 64 * 1024 * 1024,
|
|
111
121
|
}).trim();
|
|
112
122
|
}
|
|
113
123
|
catch (err) {
|
|
@@ -194,20 +204,53 @@ function fileExists(cwd, ...paths) {
|
|
|
194
204
|
*/
|
|
195
205
|
async function runDetached(cmd, args, opts) {
|
|
196
206
|
return new Promise((resolve) => {
|
|
207
|
+
let settled = false;
|
|
208
|
+
let stdout = '';
|
|
209
|
+
let stderr = '';
|
|
210
|
+
let timedOut = false;
|
|
211
|
+
// Single-resolve guard. The Promise resolves on exit / error /
|
|
212
|
+
// safety-deadline; whichever fires first wins and the rest are
|
|
213
|
+
// no-ops. Pre-fix the Promise relied solely on `exit` / `error`
|
|
214
|
+
// events — under resource pressure (a JS-heavy customer frontend convergence audit:
|
|
215
|
+
// jscpd + semgrep + graphify all concurrently spawning
|
|
216
|
+
// grandchildren) one of those events occasionally never fired,
|
|
217
|
+
// and the Promise stayed pending forever. Node's event loop then
|
|
218
|
+
// emptied (no more pending operations), beforeExit fired with
|
|
219
|
+
// code=0, and the parent observed a silent rc=0 with no work
|
|
220
|
+
// completed — D134. The settle() wrapper ensures the Promise
|
|
221
|
+
// ALWAYS resolves and the dispatcher above can never hang.
|
|
222
|
+
const settle = (outcome) => {
|
|
223
|
+
if (settled)
|
|
224
|
+
return;
|
|
225
|
+
settled = true;
|
|
226
|
+
resolve(outcome);
|
|
227
|
+
};
|
|
197
228
|
const child = (0, child_process_1.spawn)(cmd, args, {
|
|
198
229
|
cwd: opts.cwd,
|
|
199
230
|
detached: true, // new process group → enables -pid kill below
|
|
200
231
|
stdio: ['ignore', 'pipe', 'pipe'],
|
|
201
232
|
});
|
|
202
|
-
|
|
203
|
-
|
|
233
|
+
// Register error listener BEFORE any other setup so we never miss
|
|
234
|
+
// a synchronous spawn-time emission ('error' fires on ENOENT,
|
|
235
|
+
// EAGAIN under fd/proc exhaustion, EACCES). EventEmitter throws
|
|
236
|
+
// an unhandled-exception if 'error' fires with no listener — the
|
|
237
|
+
// pre-fix late registration could miss the emission window under
|
|
238
|
+
// pressure.
|
|
239
|
+
child.once('error', () => {
|
|
240
|
+
// spawn-time errors (e.g. ENOENT, EAGAIN). Treat as
|
|
241
|
+
// exit-with-no-output; the caller's parser sees an empty stdout
|
|
242
|
+
// and returns its empty result. Matches `run()`'s
|
|
243
|
+
// graceful-degradation convention.
|
|
244
|
+
clearTimeout(timer);
|
|
245
|
+
clearTimeout(safetyTimer);
|
|
246
|
+
settle({ stdout, stderr, code: null, timedOut: false });
|
|
247
|
+
});
|
|
204
248
|
child.stdout?.on('data', (d) => {
|
|
205
249
|
stdout += d.toString('utf8');
|
|
206
250
|
});
|
|
207
251
|
child.stderr?.on('data', (d) => {
|
|
208
252
|
stderr += d.toString('utf8');
|
|
209
253
|
});
|
|
210
|
-
let timedOut = false;
|
|
211
254
|
const timer = setTimeout(() => {
|
|
212
255
|
timedOut = true;
|
|
213
256
|
try {
|
|
@@ -226,16 +269,36 @@ async function runDetached(cmd, args, opts) {
|
|
|
226
269
|
/* process group already gone — fine */
|
|
227
270
|
}
|
|
228
271
|
}, opts.timeoutMs);
|
|
229
|
-
|
|
230
|
-
|
|
231
|
-
|
|
232
|
-
|
|
233
|
-
|
|
234
|
-
|
|
235
|
-
|
|
236
|
-
|
|
272
|
+
// Safety deadline: even if every event source fails (a kernel
|
|
273
|
+
// bug, a libuv corner case, an exotic WSL2 scheduling state),
|
|
274
|
+
// resolve the Promise after timeoutMs + 30s grace. The dispatcher
|
|
275
|
+
// up the stack uses Promise.allSettled which collapses any
|
|
276
|
+
// outcome cleanly, so an extra resolve is harmless; what we
|
|
277
|
+
// never want is an unbounded pending Promise. Pre-fix this was
|
|
278
|
+
// the silent-failure shape D134: the orchestrator's spawnSync
|
|
279
|
+
// health child observed rc=0 with no report written because the
|
|
280
|
+
// capabilities Promise.all hung on a runDetached that never
|
|
281
|
+
// settled — Node exited cleanly when the event loop emptied.
|
|
282
|
+
const safetyTimer = setTimeout(() => {
|
|
283
|
+
try {
|
|
284
|
+
if (child.pid !== undefined) {
|
|
285
|
+
process.kill(-child.pid, 'SIGKILL');
|
|
286
|
+
}
|
|
287
|
+
}
|
|
288
|
+
catch {
|
|
289
|
+
/* process group already gone */
|
|
290
|
+
}
|
|
291
|
+
settle({
|
|
292
|
+
stdout,
|
|
293
|
+
stderr,
|
|
294
|
+
code: null,
|
|
295
|
+
timedOut: true,
|
|
296
|
+
});
|
|
297
|
+
}, opts.timeoutMs + 30_000);
|
|
298
|
+
child.once('exit', (code) => {
|
|
237
299
|
clearTimeout(timer);
|
|
238
|
-
|
|
300
|
+
clearTimeout(safetyTimer);
|
|
301
|
+
settle({ stdout, stderr, code, timedOut });
|
|
239
302
|
});
|
|
240
303
|
});
|
|
241
304
|
}
|
|
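Review bot: Settling on `child.once('exit', (code) => {` (new line 298) can return a truncated `stdout`, because Node may still have the child's stdio pipes open when 'exit' fires and any 'data' chunks that arrive afterwards are dropped — the same large-output loss the `maxBuffer` hunk in `run()` is addressing for the execSync path. Changing it to `child.once('close', (code) => {` waits for both pipes to end as well; the `settle()` guard already makes a second resolution a no-op, and the `-child.pid` SIGKILL plus the safety deadline bound how long a grandchild holding the pipe can delay 'close'. Separately, the 'error' handler at new lines 239-247 calls `clearTimeout(timer)` and `clearTimeout(safetyTimer)` on `const`s declared further down the closure, so it only works because Node emits 'error' on a later tick; the comment above it about catching a "synchronous spawn-time emission" overstates what the code could survive (a truly synchronous emit would hit the temporal dead zone) and should be reworded to say the listener is registered early so the later-tick emission always has a handler. runDetached spans both runDetached hunks with new lines 257-268 not shown, and this file is compiled output, so the fix belongs in `src/analyzers/tools/runner.ts` named in the adjacent source map.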
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"runner.js","sourceRoot":"","sources":["../../../src/analyzers/tools/runner.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiBA,0CAqCC;AAGD,
|
|
1
|
+
{"version":3,"file":"runner.js","sourceRoot":"","sources":["../../../src/analyzers/tools/runner.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiBA,0CAqCC;AAGD,kBA0BC;AAGD,kCAYC;AAGD,0BAQC;AAGD,gCAIC;AAGD,sCAEC;AAGD,gCAEC;AA8CD,kCA2GC;AAvRD;;GAEG;AACH,iDAAgD;AAChD,uCAAyB;AACzB,2CAA6B;AAE7B;;;;;;;;;GASG;AACH,SAAgB,eAAe,CAAC,GAAW;IACzC,MAAM,GAAG,GAAc,EAAE,CAAC;IAC1B,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,KAAK,GAAG,CAAC,CAAC,CAAC;IACf,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;QAClB,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,GAAG,KAAK,CAAC;YACf,SAAS;QACX,CAAC;QACD,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,EAAE,KAAK,IAAI;gBAAE,MAAM,GAAG,IAAI,CAAC;iBAC1B,IAAI,EAAE,KAAK,GAAG;gBAAE,QAAQ,GAAG,KAAK,CAAC;YACtC,SAAS;QACX,CAAC;QACD,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,QAAQ,GAAG,IAAI,CAAC;YAChB,SAAS;QACX,CAAC;QACD,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,IAAI,KAAK,KAAK,CAAC;gBAAE,KAAK,GAAG,CAAC,CAAC;YAC3B,KAAK,EAAE,CAAC;QACV,CAAC;aAAM,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACtB,KAAK,EAAE,CAAC;YACR,IAAI,KAAK,KAAK,CAAC,IAAI,KAAK,IAAI,CAAC,EAAE,CAAC;gBAC9B,IAAI,CAAC;oBACH,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;gBAChD,CAAC;gBAAC,MAAM,CAAC;oBACP,4BAA4B;gBAC9B,CAAC;gBACD,KAAK,GAAG,CAAC,CAAC,CAAC;YACb,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,wEAAwE;AACxE,SAAgB,GAAG,CAAC,GAAW,EAAE,GAAW,EAAE,SAAS,GAAG,KAAK;IAC7D,IAAI,CAAC;QACH,OAAO,IAAA,wBAAQ,EAAC,GAAG,EAAE;YACnB,GAAG;YACH,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,OAAO,EAAE,SAAS;YAClB,8DAA8D;YAC9D,0DAA0D;YAC1D,8EAA8E;YAC9E,6DAA6D;YAC7D,+DAA+D;YAC/D,yDAAyD;YACzD,8DAA8D;YAC9D,4DAA4D;YAC5D,+DAA+D;YAC/D,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI;SAC5B,CAAC,CAAC,IAAI,EAAE,CAAC;IACZ,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,4EAA4E;QAC5E,MAAM,CAAC,GAAG,GAA0B,CAAC;QACrC,IAAI,CAAC,CAAC,MAAM,IAAI,OAAO,CAAC,CAAC,MAAM,KAAK,QAAQ,EAAE,CA
AC;YAC7C,OAAO,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QACzB,CAAC;QACD,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,8CAA8C;AAC9C,SAAgB,WAAW,CAAC,GAAW,EAAE,GAAW,EAAE,SAAS,GAAG,KAAK;IACrE,IAAI,CAAC;QACH,IAAA,wBAAQ,EAAC,GAAG,EAAE;YACZ,GAAG;YACH,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,OAAO,EAAE,SAAS;SACnB,CAAC,CAAC;QACH,OAAO,CAAC,CAAC;IACX,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,CAAC,GAAG,GAA0B,CAAC;QACrC,OAAO,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC;IACvB,CAAC;AACH,CAAC;AAED,uEAAuE;AACvE,SAAgB,OAAO,CAAI,GAAW,EAAE,GAAW,EAAE,SAAS,GAAG,KAAK;IACpE,MAAM,MAAM,GAAG,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,SAAS,CAAC,CAAC;IACxC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACzB,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAM,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,qCAAqC;AACrC,SAAgB,UAAU,CAAC,GAAW,EAAE,GAAW;IACjD,MAAM,MAAM,GAAG,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,MAAM;QAAE,OAAO,CAAC,CAAC;IACtB,OAAO,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;AAC3D,CAAC;AAED,uCAAuC;AACvC,SAAgB,aAAa,CAAC,GAAW,EAAE,GAAW;IACpD,OAAO,GAAG,CAAC,SAAS,GAAG,cAAc,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC;AACrD,CAAC;AAED,8CAA8C;AAC9C,SAAgB,UAAU,CAAC,GAAW,EAAE,GAAG,KAAe;IACxD,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;AAC7D,CAAC;AAeD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACI,KAAK,UAAU,WAAW,CAC/B,GAAW,EACX,IAAc,EACd,IAAwC;IAExC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,QAAQ,GAAG,KAAK,CAAC;QAErB,+DAA+D;QAC/D,+DAA+D;QAC/D,gEAAgE;QAChE,oFAAoF;QACpF,uDAAuD;QACvD,+DAA+D;QAC/D,iEAAiE;QACjE,8DAA8D;QAC9D,6DAA6D;QAC7D,6DAA6D;QAC7D,2DAA2D;QAC3D,MAAM,MAAM,GAAG,CAAC,OAA2B,EAAQ,EAAE;YACnD,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,OAAO,CAAC,OAAO,CAAC,CAAC;QACnB,CAAC,CAAC;QAEF,MAAM,KAAK,GAAG,IAAA,qBAAK,EAAC,GAAG,EAAE,IAAI,EAAE;YAC7B,GAAG,EAAE,IAAI,CAAC,GAAG;YA
Cb,QAAQ,EAAE,IAAI,EAAE,8CAA8C;YAC9D,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC;QAEH,kEAAkE;QAClE,8DAA8D;QAC9D,gEAAgE;QAChE,iEAAiE;QACjE,iEAAiE;QACjE,YAAY;QACZ,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE;YACvB,oDAAoD;YACpD,gEAAgE;YAChE,kDAAkD;YAClD,mCAAmC;YACnC,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,YAAY,CAAC,WAAW,CAAC,CAAC;YAC1B,MAAM,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;QAC1D,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE;YACrC,MAAM,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE;YACrC,MAAM,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC/B,CAAC,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,QAAQ,GAAG,IAAI,CAAC;YAChB,IAAI,CAAC;gBACH,IAAI,KAAK,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;oBAC5B,6DAA6D;oBAC7D,+DAA+D;oBAC/D,+DAA+D;oBAC/D,6DAA6D;oBAC7D,4DAA4D;oBAC5D,2DAA2D;oBAC3D,SAAS;oBACT,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;gBACtC,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,uCAAuC;YACzC,CAAC;QACH,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;QAEnB,8DAA8D;QAC9D,8DAA8D;QAC9D,kEAAkE;QAClE,2DAA2D;QAC3D,4DAA4D;QAC5D,+DAA+D;QAC/D,8DAA8D;QAC9D,gEAAgE;QAChE,4DAA4D;QAC5D,6DAA6D;QAC7D,MAAM,WAAW,GAAG,UAAU,CAAC,GAAG,EAAE;YAClC,IAAI,CAAC;gBACH,IAAI,KAAK,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;oBAC5B,OAAO,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;gBACtC,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,gCAAgC;YAClC,CAAC;YACD,MAAM,CAAC;gBACL,MAAM;gBACN,MAAM;gBACN,IAAI,EAAE,IAAI;gBACV,QAAQ,EAAE,IAAI;aACf,CAAC,CAAC;QACL,CAAC,EAAE,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,CAAC;QAE5B,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;YAC1B,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,YAAY,CAAC,WAAW,CAAC,CAAC;YAC1B,MAAM,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC7C,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}
|
|
@@ -26,14 +26,51 @@ export type CodePatternsGatherOutcome = {
|
|
|
26
26
|
kind: 'unavailable';
|
|
27
27
|
reason: string;
|
|
28
28
|
};
|
|
29
|
+
/**
|
|
30
|
+
* Map semgrep's severity + impact to the project's four-tier model.
|
|
31
|
+
* Priority: rule metadata `impact` (most meaningful — rule authors
|
|
32
|
+
* tier by business impact) → fall back to semgrep's `severity`.
|
|
33
|
+
*/
|
|
34
|
+
/**
|
|
35
|
+
* Normalize semgrep's `metadata.cwe` into a single CWE identifier.
|
|
36
|
+
*
|
|
37
|
+
* Why: semgrep rule authors write `cwe:` in YAML as either a scalar
|
|
38
|
+
* (`cwe: "CWE-295: Improper Certificate Validation"`) or a list
|
|
39
|
+
* (`cwe: ["CWE-295: ..."]`). Both shapes pass through semgrep's JSON
|
|
40
|
+
* output unchanged. Pre-fix this code did `metadata?.cwe?.[0]` which
|
|
41
|
+
* silently returned the first *character* of the scalar form (e.g.
|
|
42
|
+
* "C" for "CWE-295: ..."). D094 surfaced this on `bypass-tls-
|
|
43
|
+
* verification` rule output.
|
|
44
|
+
*/
|
|
45
|
+
export declare function extractCwe(cwe: string | string[] | undefined): string;
|
|
29
46
|
/**
|
|
30
47
|
* Single source of truth for the semgrep invocation. Consumed by
|
|
31
48
|
* `semgrepProvider` (capability dispatcher).
|
|
49
|
+
*
|
|
50
|
+
* Failure-mode honesty: when semgrep doesn't produce a parseable
|
|
51
|
+
* report, the returned `reason` distinguishes between:
|
|
52
|
+
* - timeout (we hit our wall-clock budget — the customer probably
|
|
53
|
+
* wants to install nothing and instead either prune the scan
|
|
54
|
+
* scope via `.dxkit-ignore` or bump the timeout)
|
|
55
|
+
* - non-zero exit with a captured stderr first line (semgrep
|
|
56
|
+
* itself complained — surface its complaint)
|
|
57
|
+
* - the historical fallback "no output" (rare now; means stderr
|
|
58
|
+
* was empty AND exit was zero AND the report file was missing)
|
|
59
|
+
*
|
|
60
|
+
* Pre-fix every failure collapsed to "no output," masking
|
|
61
|
+
* resource-contention deaths (parallel jscpd + graphify + semgrep
|
|
62
|
+
* on a 700-file repo OOM-killing the youngest), timeouts, and
|
|
63
|
+
* config-parse errors with the same useless string. Switched to
|
|
64
|
+
* runDetached so we capture stderr + exit code + timeout signal
|
|
65
|
+
* separately, and so the wall-clock-deadline kill cleans up
|
|
66
|
+
* grandchildren (semgrep's internal worker pool).
|
|
32
67
|
*/
|
|
33
|
-
export declare function gatherSemgrepResult(cwd: string): CodePatternsGatherOutcome
|
|
68
|
+
export declare function gatherSemgrepResult(cwd: string): Promise<CodePatternsGatherOutcome>;
|
|
34
69
|
/**
|
|
35
70
|
* Capability-shaped provider. Registered in
|
|
36
71
|
* `src/languages/capabilities/global.ts:GLOBAL_CAPABILITIES.codePatterns`.
|
|
37
72
|
*/
|
|
38
|
-
export declare const semgrepProvider: CapabilityProvider<CodePatternsResult
|
|
73
|
+
export declare const semgrepProvider: CapabilityProvider<CodePatternsResult> & {
|
|
74
|
+
gatherOutcome(cwd: string): Promise<CodePatternsGatherOutcome>;
|
|
75
|
+
};
|
|
39
76
|
//# sourceMappingURL=semgrep.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"semgrep.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/semgrep.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;
|
|
1
|
+
{"version":3,"file":"semgrep.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/semgrep.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,uCAAuC,CAAC;AAChF,OAAO,KAAK,EAAsB,kBAAkB,EAAE,MAAM,oCAAoC,CAAC;AA6BjG;;;;;GAKG;AACH,MAAM,MAAM,yBAAyB,GACjC;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,QAAQ,EAAE,kBAAkB,CAAA;CAAE,GACjD;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAE5C;;;;GAIG;AACH;;;;;;;;;;GAUG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,GAAG,MAAM,CAKrE;AA4BD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,yBAAyB,CAAC,CAuGzF;AAED;;;GAGG;AAMH,eAAO,MAAM,eAAe,EAAE,kBAAkB,CAAC,kBAAkB,CAAC,GAAG;IACrE,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,yBAAyB,CAAC,CAAC;CAUhE,CAAC"}
|
|
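--- a/package/dist/analyzers/tools/semgrep.js
+++ b/package/dist/analyzers/tools/semgrep.js
@@ -12,9 +12,44 @@
 * rulesets in future is purely declarative: a pack lists them, this
 * provider picks them up via `detectActiveLanguages(cwd)`.
 */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+var desc = Object.getOwnPropertyDescriptor(m, k);
+if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+desc = { enumerable: true, get: function() { return m[k]; } };
+}
+Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+var ownKeys = function(o) {
+ownKeys = Object.getOwnPropertyNames || function (o) {
+var ar = [];
+for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+return ar;
+};
+return ownKeys(o);
+};
+return function (mod) {
+if (mod && mod.__esModule) return mod;
+var result = {};
+if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+__setModuleDefault(result, mod);
+return result;
+};
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.semgrepProvider = void 0;
+exports.extractCwe = extractCwe;
 exports.gatherSemgrepResult = gatherSemgrepResult;
+const fs = __importStar(require("fs"));
 const languages_1 = require("../../languages");
 const exclusions_1 = require("./exclusions");
 const paths_1 = require("./paths");
@@ -26,6 +61,25 @@ const tool_registry_1 = require("./tool-registry");
 * Priority: rule metadata `impact` (most meaningful — rule authors
 * tier by business impact) → fall back to semgrep's `severity`.
 */
+/**
+* Normalize semgrep's `metadata.cwe` into a single CWE identifier.
+*
+* Why: semgrep rule authors write `cwe:` in YAML as either a scalar
+* (`cwe: "CWE-295: Improper Certificate Validation"`) or a list
+* (`cwe: ["CWE-295: ..."]`). Both shapes pass through semgrep's JSON
+* output unchanged. Pre-fix this code did `metadata?.cwe?.[0]` which
+* silently returned the first *character* of the scalar form (e.g.
+* "C" for "CWE-295: ..."). D094 surfaced this on `bypass-tls-
+* verification` rule output.
+*/
+function extractCwe(cwe) {
+if (!cwe)
+return '';
+const raw = Array.isArray(cwe) ? cwe[0] : cwe;
+if (typeof raw !== 'string')
+return '';
+return raw.split(':')[0].trim();
+}
 function mapSemgrepSeverity(sgSeverity, impact) {
 const imp = (impact || '').toUpperCase();
 if (imp === 'HIGH')
@@ -59,22 +113,82 @@ function collectRulesets(cwd) {
 /**
 * Single source of truth for the semgrep invocation. Consumed by
 * `semgrepProvider` (capability dispatcher).
+*
+* Failure-mode honesty: when semgrep doesn't produce a parseable
+* report, the returned `reason` distinguishes between:
+* - timeout (we hit our wall-clock budget — the customer probably
+* wants to install nothing and instead either prune the scan
+* scope via `.dxkit-ignore` or bump the timeout)
+* - non-zero exit with a captured stderr first line (semgrep
+* itself complained — surface its complaint)
+* - the historical fallback "no output" (rare now; means stderr
+* was empty AND exit was zero AND the report file was missing)
+*
+* Pre-fix every failure collapsed to "no output," masking
+* resource-contention deaths (parallel jscpd + graphify + semgrep
+* on a 700-file repo OOM-killing the youngest), timeouts, and
+* config-parse errors with the same useless string. Switched to
+* runDetached so we capture stderr + exit code + timeout signal
+* separately, and so the wall-clock-deadline kill cleans up
+* grandchildren (semgrep's internal worker pool).
 */
-function gatherSemgrepResult(cwd) {
+async function gatherSemgrepResult(cwd) {
 const status = (0, tool_registry_1.findTool)(tool_registry_1.TOOL_DEFS.semgrep, cwd);
 if (!status.available || !status.path)
 return { kind: 'unavailable', reason: 'not installed' };
 const rulesets = collectRulesets(cwd);
 if (rulesets.length === 0)
 return { kind: 'unavailable', reason: 'no rulesets' };
-const configs = rulesets.map((r) => `--config ${r}`).join(' ');
-const excludes = (0, exclusions_1.getSemgrepExcludeFlags)(cwd);
 const reportPath = `/tmp/dxkit-semgrep-${Date.now()}.json`;
-
-
-
-
+const args = ['scan'];
+for (const r of rulesets)
+args.push('--config', r);
+args.push('--json', '--quiet', '--output', reportPath);
+// getSemgrepExcludeFlags returns a single space-separated string
+// shaped for execSync (`--exclude foo --exclude bar`). Split it
+// into the array form runDetached expects.
+const excludeFlagString = (0, exclusions_1.getSemgrepExcludeFlags)(cwd);
+if (excludeFlagString) {
+for (const tok of excludeFlagString.split(/\s+/).filter((t) => t.length > 0)) {
+args.push(tok);
+}
+}
+args.push(cwd);
+const outcome = await (0, runner_1.runDetached)(status.path, args, { cwd, timeoutMs: 300000 });
+let raw;
+try {
+raw = fs.readFileSync(reportPath, 'utf-8');
+}
+catch {
+raw = '';
+}
+// Cleanup: best-effort; failure here is non-fatal.
+try {
+fs.unlinkSync(reportPath);
+}
+catch {
+/* file already gone or never written — fine */
+}
+if (!raw) {
+if (outcome.timedOut) {
+return {
+kind: 'unavailable',
+reason: 'timed out at 300s (try narrowing scan scope via .dxkit-ignore)',
+};
+}
+const stderrFirstLine = outcome.stderr
+.split('\n')
+.map((l) => l.trim())
+.find((l) => l.length > 0);
+if (outcome.code !== 0 && outcome.code !== null) {
+const ctx = stderrFirstLine ? ` (stderr: ${stderrFirstLine})` : '';
+return { kind: 'unavailable', reason: `exit code ${outcome.code}${ctx}` };
+}
+if (stderrFirstLine) {
+return { kind: 'unavailable', reason: `no output (stderr: ${stderrFirstLine})` };
+}
 return { kind: 'unavailable', reason: 'no output' };
+}
 let data;
 try {
 data = JSON.parse(raw);
@@ -99,7 +213,7 @@ function gatherSemgrepResult(cwd) {
 severity: mapSemgrepSeverity(r.extra.severity, r.extra.metadata?.impact),
 rule: r.check_id.split('.').slice(-1)[0],
 title: r.extra.message.split('\n')[0].slice(0, 200),
-cwe: r.extra.metadata?.cwe
+cwe: extractCwe(r.extra.metadata?.cwe),
 file: (0, paths_1.toProjectRelative)(cwd, r.path),
 line: r.start.line,
 }));
@@ -119,11 +233,19 @@ function gatherSemgrepResult(cwd) {
 * Capability-shaped provider. Registered in
 * `src/languages/capabilities/global.ts:GLOBAL_CAPABILITIES.codePatterns`.
 */
+// Exposes the underlying outcome via `gatherOutcome` so the dispatcher
+// captures semgrep's actual failure reason (timeout / exit code /
+// stderr first line) into `DispatchOutcome.skipReasons`. Without it,
+// every failure modes collapses to the same generic "attempted but
+// produced no output" prose at the renderer layer.
 exports.semgrepProvider = {
 source: 'semgrep',
 async gather(cwd) {
-const outcome = gatherSemgrepResult(cwd);
+const outcome = await gatherSemgrepResult(cwd);
 return outcome.kind === 'success' ? outcome.envelope : null;
 },
+async gatherOutcome(cwd) {
+return gatherSemgrepResult(cwd);
+},
 };
 //# sourceMappingURL=semgrep.js.map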
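Review bot: Splitting the result of `getSemgrepExcludeFlags(cwd)` on `/\s+/` (new-side line 152 of the `@@ -59,22 +113,82 @@` hunk) breaks any exclude path that contains a space: `--exclude my dir` becomes the three argv entries `--exclude`, `my`, `dir`, so the exclusion silently stops matching and the stray `dir` would be taken by semgrep as an extra positional scan target. Now that the invocation is an argv array, the clean fix is to have the exclusions helper return `string[]` and `args.push(...excludes)`, rather than re-tokenising a string that was shaped for a shell. Separately, the report is still written to the predictable, shared `/tmp/dxkit-semgrep-${Date.now()}.json` (context line 142) and is now read back with `fs.readFileSync`; creating it under a private directory, `const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'dxkit-semgrep-'))` with `reportPath = path.join(dir, 'report.json')` (pulling in `os`/`path`), removes the fixed-name shared-directory exposure, the same-millisecond collision between concurrent runs, and the hard dependency on a POSIX `/tmp`. Finally, a semgrep killed by a signal other than the timeout (the OOM case the new docblock cites) reaches line 183 with `outcome.code === null` and likely empty stderr, so it still collapses to `'no output'`; if `runDetached` exposes the terminating signal, fold it into the reason. `gatherSemgrepResult`'s body continues past this hunk into the two that follow and beyond.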
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"semgrep.js","sourceRoot":"","sources":["../../../src/analyzers/tools/semgrep.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG
|
|
1
|
+
{"version":3,"file":"semgrep.js","sourceRoot":"","sources":["../../../src/analyzers/tools/semgrep.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4DH,gCAKC;AAkDD,kDAuGC;AAxND,uCAAyB;AACzB,+CAAwD;AAGxD,6CAAsD;AACtD,mCAA4C;AAC5C,qCAAuC;AACvC,iDAAqE;AACrE,mDAAsD;AAkCtD;;;;GAIG;AACH;;;;;;;;;;GAUG;AACH,SAAgB,UAAU,CAAC,GAAkC;IAC3D,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,CAAC;IACpB,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAC9C,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,EAAE,CAAC;IACvC,OAAO,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,kBAAkB,CAAC,UAAkB,EAAE,MAAe;IAC7D,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IACzC,IAAI,GAAG,KAAK,MAAM;QAAE,OAAO,UAAU,KAAK,OAAO,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC;IACxE,IAAI,GAAG,KAAK,QAAQ;QAAE,OAAO,QAAQ,CAAC;IACtC,IAAI,GAAG,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAChC,IAAI,UAAU,KAAK,OAAO;QAAE,OAAO,MAAM,CAAC;IAC1C,IAAI,UAAU,KAAK,SAAS;QAAE,OAAO,QAAQ,CAAC;IAC9C,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,eAAe,CAAC,GAAW;IAClC,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAS,CAAC,kBAAkB,CAAC,CAAC,CAAC;IACvD,KAAK,MAAM,IAAI,IAAI,IAAA,iCAAqB,EAAC,GAAG,CAAC,EAAE,CAAC;QAC9C,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,eAAe;YAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACxD,CAAC;IACD,OAAO,CAAC,GAAG,QAAQ,CAAC,CAAC;AACvB,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACI,KAAK,UAAU,mBAAmB,CAAC,GAAW;IACnD,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,yBAAS,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IAChD,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,CAAC,MAAM,CAAC,IAAI;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAE/F,MAAM,QAAQ,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;IAEjF,MAAM,UAAU,GAAG,sBAAsB,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC;IAC3D,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IACtB,KAAK,MAAM,CAAC,IAAI,QAAQ;QAAE,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;IACnD,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,
UAAU,CAAC,CAAC;IACvD,iEAAiE;IACjE,gEAAgE;IAChE,2CAA2C;IAC3C,MAAM,iBAAiB,GAAG,IAAA,mCAAsB,EAAC,GAAG,CAAC,CAAC;IACtD,IAAI,iBAAiB,EAAE,CAAC;QACtB,KAAK,MAAM,GAAG,IAAI,iBAAiB,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,CAAC;YAC7E,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAEf,MAAM,OAAO,GAAG,MAAM,IAAA,oBAAW,EAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;IACjF,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,GAAG,GAAG,EAAE,CAAC;IACX,CAAC;IACD,mDAAmD;IACnD,IAAI,CAAC;QACH,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,+CAA+C;IACjD,CAAC;IAED,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,OAAO;gBACL,IAAI,EAAE,aAAa;gBACnB,MAAM,EAAE,gEAAgE;aACzE,CAAC;QACJ,CAAC;QACD,MAAM,eAAe,GAAG,OAAO,CAAC,MAAM;aACnC,KAAK,CAAC,IAAI,CAAC;aACX,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAC7B,IAAI,OAAO,CAAC,IAAI,KAAK,CAAC,IAAI,OAAO,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;YAChD,MAAM,GAAG,GAAG,eAAe,CAAC,CAAC,CAAC,aAAa,eAAe,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YACnE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,aAAa,OAAO,CAAC,IAAI,GAAG,GAAG,EAAE,EAAE,CAAC;QAC5E,CAAC;QACD,IAAI,eAAe,EAAE,CAAC;YACpB,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,sBAAsB,eAAe,GAAG,EAAE,CAAC;QACnF,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IACtD,CAAC;IAED,IAAI,IAAmB,CAAC;IACxB,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAkB,CAAC;IAC1C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;IACxD,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAuB;YACnC,aAAa,EAAE,CAAC;YAChB,IAAI,EAAE,SAAS;YACf,QAAQ,EAAE,EAAE;YACZ,eAAe,EAAE,CAAC;SACnB,CAAC;QACF,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;IACvC,CAAC;IAED,MAAM,YAAY,GAAyB,IA
AI,CAAC,OAAO;QACrD,gEAAgE;QAChE,6BAA6B;SAC5B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC;SAC3E,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACX,QAAQ,EAAE,kBAAkB,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC;QACxE,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACxC,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;QACnD,GAAG,EAAE,UAAU,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC;QACtC,IAAI,EAAE,IAAA,yBAAiB,EAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC;QACpC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,IAAI;KACnB,CAAC,CAAC,CAAC;IAEN,mEAAmE;IACnE,uCAAuC;IACvC,MAAM,YAAY,GAAG,IAAA,+BAAgB,EAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,IAAA,gCAAiB,EAC5C,YAAY,EACZ,YAAY,CAAC,OAAO,EACpB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EACb,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CACd,CAAC;IAEF,MAAM,QAAQ,GAAuB;QACnC,aAAa,EAAE,CAAC;QAChB,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,IAAI;QACd,eAAe,EAAE,UAAU,CAAC,MAAM;KACnC,CAAC;IACF,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC;AACvC,CAAC;AAED;;;GAGG;AACH,uEAAuE;AACvE,kEAAkE;AAClE,qEAAqE;AACrE,mEAAmE;AACnE,mDAAmD;AACtC,QAAA,eAAe,GAExB;IACF,MAAM,EAAE,SAAS;IACjB,KAAK,CAAC,MAAM,CAAC,GAAG;QACd,MAAM,OAAO,GAAG,MAAM,mBAAmB,CAAC,GAAG,CAAC,CAAC;QAC/C,OAAO,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9D,CAAC;IACD,KAAK,CAAC,aAAa,CAAC,GAAG;QACrB,OAAO,mBAAmB,CAAC,GAAG,CAAC,CAAC;IAClC,CAAC;CACF,CAAC"}
|
|
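--- a/package/dist/analyzers/tools/timing.d.ts
+++ b/package/dist/analyzers/tools/timing.d.ts
@@ -1,8 +1,22 @@
 /**
-*
+* Per-step progress + timing for the analyzer pipeline (F-UX-2).
 *
-*
-*
+* Pre-2.4.7, `timed` / `timedAsync` only emitted output under
+* `--verbose` — and only AFTER the step completed. Real users
+* running `health` on a 1.8GB-node_modules repo (Friction #20) sat
+* for tens of minutes staring at a static banner with no indication
+* whether dxkit was working or hung.
+*
+* Post-F-UX-2, the start of every step always prints a `→ <name>`
+* line to stderr — including in non-verbose mode — so the user can
+* see exactly which step is running. The elapsed time still only
+* prints under `--verbose`. Stdout stays clean so `--json` is
+* unaffected.
+*
+* Scope note: this is the per-top-level-step minimal version from
+* the friction tracker. Fuller streaming inside long capabilities
+* (e.g. semgrep across 8 rulesets, OSV.dev lookups across N
+* advisories) can land in 2.4.8.
 */
 export declare function timed<T>(name: string, verbose: boolean, fn: () => T): T;
 export declare function timedAsync<T>(name: string, verbose: boolean, fn: () => Promise<T>): Promise<T>;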
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"timing.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/timing.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"timing.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/timing.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAcH,wBAAgB,KAAK,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,CAAC,GAAG,CAAC,CAMvE;AAED,wBAAsB,UAAU,CAAC,CAAC,EAChC,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,OAAO,EAChB,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,GACnB,OAAO,CAAC,CAAC,CAAC,CAMZ"}
|
|
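--- a/package/dist/analyzers/tools/timing.js
+++ b/package/dist/analyzers/tools/timing.js
@@ -1,29 +1,51 @@
 "use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.timed = timed;
-exports.timedAsync = timedAsync;
 /**
-*
+* Per-step progress + timing for the analyzer pipeline (F-UX-2).
+*
+* Pre-2.4.7, `timed` / `timedAsync` only emitted output under
+* `--verbose` — and only AFTER the step completed. Real users
+* running `health` on a 1.8GB-node_modules repo (Friction #20) sat
+* for tens of minutes staring at a static banner with no indication
+* whether dxkit was working or hung.
 *
-*
-*
+* Post-F-UX-2, the start of every step always prints a `→ <name>`
+* line to stderr — including in non-verbose mode — so the user can
+* see exactly which step is running. The elapsed time still only
+* prints under `--verbose`. Stdout stays clean so `--json` is
+* unaffected.
+*
+* Scope note: this is the per-top-level-step minimal version from
+* the friction tracker. Fuller streaming inside long capabilities
+* (e.g. semgrep across 8 rulesets, OSV.dev lookups across N
+* advisories) can land in 2.4.8.
 */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.timed = timed;
+exports.timedAsync = timedAsync;
+function startLine(name) {
+// Indent to match the rest of the CLI's stderr framing (logger.info
+// uses the same " → " prefix). Stays on stderr in all modes so it
+// never pollutes `--json` stdout.
+process.stderr.write(` → ${name}\n`);
+}
+function timingLine(name, start) {
+const elapsed = ((Date.now() - start) / 1000).toFixed(2);
+process.stderr.write(` [${elapsed}s] ${name}\n`);
+}
 function timed(name, verbose, fn) {
-
-return fn();
+startLine(name);
 const start = Date.now();
 const result = fn();
-
-
+if (verbose)
+timingLine(name, start);
 return result;
 }
 async function timedAsync(name, verbose, fn) {
-
-return fn();
+startLine(name);
 const start = Date.now();
 const result = await fn();
-
-
+if (verbose)
+timingLine(name, start);
 return result;
 }
 //# sourceMappingURL=timing.js.map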
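Review bot: `timed` and `timedAsync` (new-side lines 35–50) print the `→ <name>` start marker unconditionally but only reach `timingLine` when `fn` returns, so a step that throws is exactly the case where the user sees a start line with no closing line and no elapsed time. Moving the measurement into a `finally` — `try { return fn(); } finally { if (verbose) timingLine(name, start); }` (and the `await fn()` equivalent in `timedAsync`) — reports the duration for failed steps as well, without changing what is returned or thrown. `timingLine` also derives elapsed time from `Date.now()`, a wall clock that can step under NTP correction; `performance.now()` (a Node global) or `process.hrtime.bigint()` gives a monotonic figure for the same two-decimal output. The two functions now share the start/measure/return shape, so the shared part could live in one helper to keep future changes to the framing in a single place.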
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"timing.js","sourceRoot":"","sources":["../../../src/analyzers/tools/timing.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"timing.js","sourceRoot":"","sources":["../../../src/analyzers/tools/timing.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;GAmBG;;AAcH,sBAMC;AAED,gCAUC;AA9BD,SAAS,SAAS,CAAC,IAAY;IAC7B,oEAAoE;IACpE,mEAAmE;IACnE,kCAAkC;IAClC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,IAAI,IAAI,CAAC,CAAC;AACxC,CAAC;AAED,SAAS,UAAU,CAAC,IAAY,EAAE,KAAa;IAC7C,MAAM,OAAO,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IACzD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,OAAO,MAAM,IAAI,IAAI,CAAC,CAAC;AACtD,CAAC;AAED,SAAgB,KAAK,CAAI,IAAY,EAAE,OAAgB,EAAE,EAAW;IAClE,SAAS,CAAC,IAAI,CAAC,CAAC;IAChB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,MAAM,MAAM,GAAG,EAAE,EAAE,CAAC;IACpB,IAAI,OAAO;QAAE,UAAU,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACrC,OAAO,MAAM,CAAC;AAChB,CAAC;AAEM,KAAK,UAAU,UAAU,CAC9B,IAAY,EACZ,OAAgB,EAChB,EAAoB;IAEpB,SAAS,CAAC,IAAI,CAAC,CAAC;IAChB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACzB,MAAM,MAAM,GAAG,MAAM,EAAE,EAAE,CAAC;IAC1B,IAAI,OAAO;QAAE,UAAU,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACrC,OAAO,MAAM,CAAC;AAChB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tool-registry.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/tool-registry.ts"],"names":[],"mappings":"AAoBA,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE7D;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,UAAU,QAA2D,CAAC;AA2BnF,MAAM,WAAW,cAAe,SAAQ,eAAe;IACrD,4DAA4D;IAC5D,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,mEAAmE;IACnE,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;;;;OAQG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,0CAA0C;IAC1C,eAAe,EAAE;QACf,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,oEAAoE;IACpE,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,OAAO,CAAC;IACnB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,GAAG,OAAO,GAAG,IAAI,GAAG,OAAO,GAAG,SAAS,CAAC;IAClF,WAAW,EAAE,cAAc,CAAC;CAC7B;AA2KD;;;GAGG;AACH,wBAAgB,QAAQ,CAAC,GAAG,EAAE,cAAc,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,UAAU,CAqGtE;AAkBD,wDAAwD;AACxD,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,cAAc,GAAG,MAAM,CAO7D;AAMD,eAAO,MAAM,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,
|
|
1
|
+
{"version":3,"file":"tool-registry.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/tool-registry.ts"],"names":[],"mappings":"AAoBA,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE7D;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,UAAU,QAA2D,CAAC;AA2BnF,MAAM,WAAW,cAAe,SAAQ,eAAe;IACrD,4DAA4D;IAC5D,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,mEAAmE;IACnE,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;IACtB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;;;;OAQG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,0CAA0C;IAC1C,eAAe,EAAE;QACf,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;IACF,oEAAoE;IACpE,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,OAAO,CAAC;IACnB,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,MAAM,GAAG,OAAO,GAAG,IAAI,GAAG,OAAO,GAAG,SAAS,CAAC;IAClF,WAAW,EAAE,cAAc,CAAC;CAC7B;AA2KD;;;GAGG;AACH,wBAAgB,QAAQ,CAAC,GAAG,EAAE,cAAc,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,UAAU,CAqGtE;AAkBD,wDAAwD;AACxD,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,cAAc,GAAG,MAAM,CAO7D;AAMD,eAAO,MAAM,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,cAAc,CAgepD,CAAC;AAMF;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,aAAa,CAAC,WAAW,CAAC,GAAG,eAAe,EAAE,CA8B3F;AAED,sDAAsD;AACtD,wBAAgB,aAAa,CAAC,SAAS,EAAE,aAAa,CAAC,WAAW,CAAC,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,UAAU,EAAE,CAgB/F"}
|
|
@@ -481,6 +481,10 @@ exports.TOOL_DEFS = {
|
|
|
481
481
|
check: 'npx eslint --version',
|
|
482
482
|
for: 'node',
|
|
483
483
|
layer: 'language',
|
|
484
|
+
// Project-local dev-dep: lives in the consumer's package.json,
|
|
485
|
+
// not a global binary. F-UX-3 hint logic surfaces "run npm ci"
|
|
486
|
+
// for missing tools in this scope, not "vyuh-dxkit tools install".
|
|
487
|
+
installScope: 'project-local',
|
|
484
488
|
binaries: ['eslint', 'lb-eslint'],
|
|
485
489
|
versionCheck: 'npx eslint --version 2>/dev/null',
|
|
486
490
|
installCommands: {
|
|
@@ -700,7 +704,12 @@ exports.TOOL_DEFS = {
|
|
|
700
704
|
for: 'csharp',
|
|
701
705
|
layer: 'language',
|
|
702
706
|
binaries: ['nuget-license'],
|
|
703
|
-
|
|
707
|
+
// D-fix (2.4.7): use resolved home path. The literal `~/.dotnet/
|
|
708
|
+
// tools` string was passed verbatim to `path.join(...)` in
|
|
709
|
+
// `findInProbePaths`, which never expands the tilde — so the
|
|
710
|
+
// probe silently missed `nuget-license` even when installed at
|
|
711
|
+
// its canonical `dotnet tool install --global` location.
|
|
712
|
+
probePaths: [path.join(os.homedir(), '.dotnet', 'tools')],
|
|
704
713
|
versionCheck: 'nuget-license --version 2>/dev/null',
|
|
705
714
|
installCommands: {
|
|
706
715
|
macos: 'dotnet tool install --global nuget-license',
|
|
@@ -763,6 +772,7 @@ exports.TOOL_DEFS = {
|
|
|
763
772
|
check: 'node -e "require(\'@vitest/coverage-v8\')"',
|
|
764
773
|
for: 'node',
|
|
765
774
|
layer: 'language',
|
|
775
|
+
installScope: 'project-local',
|
|
766
776
|
binaries: [],
|
|
767
777
|
nodePackage: '@vitest/coverage-v8',
|
|
768
778
|
// Version auto-detect via `require('vitest/package.json')` assumed
|