@vyuhlabs/dxkit 2.4.8 → 2.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +312 -0
- package/README.md +360 -439
- package/dist/analyzers/security/aggregator.d.ts.map +1 -1
- package/dist/analyzers/security/aggregator.js +4 -46
- package/dist/analyzers/security/aggregator.js.map +1 -1
- package/dist/analyzers/tools/fingerprint.d.ts +91 -26
- package/dist/analyzers/tools/fingerprint.d.ts.map +1 -1
- package/dist/analyzers/tools/fingerprint.js +111 -22
- package/dist/analyzers/tools/fingerprint.js.map +1 -1
- package/dist/analyzers/tools/generic.d.ts.map +1 -1
- package/dist/analyzers/tools/generic.js +6 -1
- package/dist/analyzers/tools/generic.js.map +1 -1
- package/dist/analyzers/tools/gitleaks.d.ts +24 -1
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
- package/dist/analyzers/tools/gitleaks.js +20 -11
- package/dist/analyzers/tools/gitleaks.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +9 -5
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/tool-registry.d.ts +19 -1
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +25 -0
- package/dist/analyzers/tools/tool-registry.js.map +1 -1
- package/dist/analyzers/types.d.ts +6 -4
- package/dist/analyzers/types.d.ts.map +1 -1
- package/dist/baseline/baseline-file.d.ts +104 -0
- package/dist/baseline/baseline-file.d.ts.map +1 -0
- package/dist/baseline/baseline-file.js +110 -0
- package/dist/baseline/baseline-file.js.map +1 -0
- package/dist/baseline/check-renderers.d.ts +108 -0
- package/dist/baseline/check-renderers.d.ts.map +1 -0
- package/dist/baseline/check-renderers.js +379 -0
- package/dist/baseline/check-renderers.js.map +1 -0
- package/dist/baseline/check.d.ts +127 -0
- package/dist/baseline/check.d.ts.map +1 -0
- package/dist/baseline/check.js +462 -0
- package/dist/baseline/check.js.map +1 -0
- package/dist/baseline/content-hash.d.ts +83 -0
- package/dist/baseline/content-hash.d.ts.map +1 -0
- package/dist/baseline/content-hash.js +131 -0
- package/dist/baseline/content-hash.js.map +1 -0
- package/dist/baseline/create.d.ts +96 -0
- package/dist/baseline/create.d.ts.map +1 -0
- package/dist/baseline/create.js +339 -0
- package/dist/baseline/create.js.map +1 -0
- package/dist/baseline/entry-to-located.d.ts +35 -0
- package/dist/baseline/entry-to-located.d.ts.map +1 -0
- package/dist/baseline/entry-to-located.js +72 -0
- package/dist/baseline/entry-to-located.js.map +1 -0
- package/dist/baseline/finding-identity.d.ts +47 -0
- package/dist/baseline/finding-identity.d.ts.map +1 -0
- package/dist/baseline/finding-identity.js +292 -0
- package/dist/baseline/finding-identity.js.map +1 -0
- package/dist/baseline/git-aware-match.d.ts +146 -0
- package/dist/baseline/git-aware-match.d.ts.map +1 -0
- package/dist/baseline/git-aware-match.js +439 -0
- package/dist/baseline/git-aware-match.js.map +1 -0
- package/dist/baseline/policy.d.ts +171 -0
- package/dist/baseline/policy.d.ts.map +1 -0
- package/dist/baseline/policy.js +206 -0
- package/dist/baseline/policy.js.map +1 -0
- package/dist/baseline/producers/health.d.ts +30 -0
- package/dist/baseline/producers/health.d.ts.map +1 -0
- package/dist/baseline/producers/health.js +42 -0
- package/dist/baseline/producers/health.js.map +1 -0
- package/dist/baseline/producers/index.d.ts +164 -0
- package/dist/baseline/producers/index.d.ts.map +1 -0
- package/dist/baseline/producers/index.js +200 -0
- package/dist/baseline/producers/index.js.map +1 -0
- package/dist/baseline/producers/licenses.d.ts +23 -0
- package/dist/baseline/producers/licenses.d.ts.map +1 -0
- package/dist/baseline/producers/licenses.js +46 -0
- package/dist/baseline/producers/licenses.js.map +1 -0
- package/dist/baseline/producers/quality.d.ts +39 -0
- package/dist/baseline/producers/quality.d.ts.map +1 -0
- package/dist/baseline/producers/quality.js +84 -0
- package/dist/baseline/producers/quality.js.map +1 -0
- package/dist/baseline/producers/secret-hmac.d.ts +45 -0
- package/dist/baseline/producers/secret-hmac.d.ts.map +1 -0
- package/dist/baseline/producers/secret-hmac.js +70 -0
- package/dist/baseline/producers/secret-hmac.js.map +1 -0
- package/dist/baseline/producers/security.d.ts +59 -0
- package/dist/baseline/producers/security.d.ts.map +1 -0
- package/dist/baseline/producers/security.js +135 -0
- package/dist/baseline/producers/security.js.map +1 -0
- package/dist/baseline/producers/tests.d.ts +36 -0
- package/dist/baseline/producers/tests.d.ts.map +1 -0
- package/dist/baseline/producers/tests.js +69 -0
- package/dist/baseline/producers/tests.js.map +1 -0
- package/dist/baseline/salt.d.ts +45 -0
- package/dist/baseline/salt.d.ts.map +1 -0
- package/dist/baseline/salt.js +113 -0
- package/dist/baseline/salt.js.map +1 -0
- package/dist/baseline/show.d.ts +79 -0
- package/dist/baseline/show.d.ts.map +1 -0
- package/dist/baseline/show.js +233 -0
- package/dist/baseline/show.js.map +1 -0
- package/dist/baseline/types.d.ts +482 -0
- package/dist/baseline/types.d.ts.map +1 -0
- package/dist/baseline/types.js +53 -0
- package/dist/baseline/types.js.map +1 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +398 -82
- package/dist/cli.js.map +1 -1
- package/dist/constants.d.ts.map +1 -1
- package/dist/constants.js +0 -4
- package/dist/constants.js.map +1 -1
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +39 -35
- package/dist/doctor.js.map +1 -1
- package/dist/fail-on.d.ts +84 -0
- package/dist/fail-on.d.ts.map +1 -0
- package/dist/fail-on.js +128 -0
- package/dist/fail-on.js.map +1 -0
- package/dist/generator.d.ts +1 -1
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +81 -274
- package/dist/generator.js.map +1 -1
- package/dist/hooks-cli.d.ts +20 -0
- package/dist/hooks-cli.d.ts.map +1 -0
- package/dist/hooks-cli.js +145 -0
- package/dist/hooks-cli.js.map +1 -0
- package/dist/languages/csharp.d.ts.map +1 -1
- package/dist/languages/csharp.js +4 -9
- package/dist/languages/csharp.js.map +1 -1
- package/dist/languages/go.d.ts.map +1 -1
- package/dist/languages/go.js +3 -14
- package/dist/languages/go.js.map +1 -1
- package/dist/languages/index.d.ts +19 -1
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +32 -0
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/java.d.ts.map +1 -1
- package/dist/languages/java.js +4 -6
- package/dist/languages/java.js.map +1 -1
- package/dist/languages/kotlin.d.ts.map +1 -1
- package/dist/languages/kotlin.js +9 -11
- package/dist/languages/kotlin.js.map +1 -1
- package/dist/languages/python.d.ts.map +1 -1
- package/dist/languages/python.js +4 -15
- package/dist/languages/python.js.map +1 -1
- package/dist/languages/ruby.d.ts.map +1 -1
- package/dist/languages/ruby.js +4 -6
- package/dist/languages/ruby.js.map +1 -1
- package/dist/languages/rust.d.ts.map +1 -1
- package/dist/languages/rust.js +4 -4
- package/dist/languages/rust.js.map +1 -1
- package/dist/languages/types.d.ts +29 -28
- package/dist/languages/types.d.ts.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +31 -4
- package/dist/languages/typescript.js.map +1 -1
- package/dist/lib.d.ts +2 -3
- package/dist/lib.d.ts.map +1 -1
- package/dist/lib.js +3 -6
- package/dist/lib.js.map +1 -1
- package/dist/prompts.d.ts.map +1 -1
- package/dist/prompts.js +0 -10
- package/dist/prompts.js.map +1 -1
- package/dist/report-schema.d.ts +42 -0
- package/dist/report-schema.d.ts.map +1 -0
- package/dist/report-schema.js +54 -0
- package/dist/report-schema.js.map +1 -0
- package/dist/ship-installers.d.ts +112 -0
- package/dist/ship-installers.d.ts.map +1 -0
- package/dist/ship-installers.js +530 -0
- package/dist/ship-installers.js.map +1 -0
- package/dist/tools-cli.d.ts.map +1 -1
- package/dist/tools-cli.js +45 -9
- package/dist/tools-cli.js.map +1 -1
- package/dist/types.d.ts +0 -4
- package/dist/types.d.ts.map +1 -1
- package/dist/update.d.ts.map +1 -1
- package/dist/update.js +0 -4
- package/dist/update.js.map +1 -1
- package/package.json +17 -11
- package/templates/.claude/skills/dxkit-action/SKILL.md +150 -0
- package/templates/.claude/skills/dxkit-config/SKILL.md +124 -0
- package/templates/.claude/skills/dxkit-hooks/SKILL.md +109 -0
- package/templates/.claude/skills/dxkit-init/SKILL.md +93 -0
- package/templates/.claude/skills/dxkit-learn/SKILL.md +84 -0
- package/templates/.claude/skills/dxkit-reports/SKILL.md +111 -0
- package/templates/.devcontainer/devcontainer.json +55 -0
- package/templates/.devcontainer/install-agent-clis.sh +42 -0
- package/templates/.devcontainer/post-create.sh +81 -0
- package/templates/.githooks/pre-commit +55 -0
- package/templates/.githooks/pre-push +63 -0
- package/templates/.github/workflows/dxkit-baseline-refresh.yml +78 -0
- package/templates/.github/workflows/dxkit-guardrails.yml +98 -0
- package/templates/AGENTS.md.template +137 -0
- package/templates/CLAUDE.md.template +16 -245
- package/dist/codebase-scanner.d.ts +0 -36
- package/dist/codebase-scanner.d.ts.map +0 -1
- package/dist/codebase-scanner.js +0 -688
- package/dist/codebase-scanner.js.map +0 -1
- package/dist/project-yaml.d.ts +0 -13
- package/dist/project-yaml.d.ts.map +0 -1
- package/dist/project-yaml.js +0 -188
- package/dist/project-yaml.js.map +0 -1
- package/templates/.ai/README.md +0 -117
- package/templates/.ai/prompts/execution-prompt.md +0 -9
- package/templates/.ai/prompts/planning-prompt.md +0 -18
- package/templates/.ai/prompts/session-end-template.md +0 -182
- package/templates/.ai/prompts/session-end.md +0 -132
- package/templates/.ai/prompts/session-start.md +0 -109
- package/templates/.ai/prompts/step-by-step.md +0 -113
- package/templates/.ai/sessions/.gitkeep +0 -0
- package/templates/.claude/agents/doc-writer.md +0 -107
- package/templates/.claude/agents/knowledge-bot.md +0 -64
- package/templates/.claude/agents/onboarding.md +0 -61
- package/templates/.claude/agents/quality-reviewer.md +0 -85
- package/templates/.claude/agents-available/code-reviewer.md +0 -29
- package/templates/.claude/agents-available/codebase-explorer.md +0 -100
- package/templates/.claude/agents-available/dashboard-builder.md +0 -433
- package/templates/.claude/agents-available/debugger.md +0 -29
- package/templates/.claude/agents-available/dependency-mapper.md +0 -80
- package/templates/.claude/agents-available/dev-report.md +0 -108
- package/templates/.claude/agents-available/doc-writer.md +0 -107
- package/templates/.claude/agents-available/feature-builder.md +0 -163
- package/templates/.claude/agents-available/feature-planner.md +0 -185
- package/templates/.claude/agents-available/health-auditor.md +0 -95
- package/templates/.claude/agents-available/hooks-configurator.md +0 -211
- package/templates/.claude/agents-available/knowledge-bot.md +0 -62
- package/templates/.claude/agents-available/plan-executor.md +0 -133
- package/templates/.claude/agents-available/strategic-planner.md +0 -141
- package/templates/.claude/agents-available/test-gap-finder.md +0 -67
- package/templates/.claude/agents-available/test-writer.md +0 -34
- package/templates/.claude/agents-available/vulnerability-scanner.md +0 -173
- package/templates/.claude/commands/ask.md +0 -7
- package/templates/.claude/commands/build-feature.md +0 -26
- package/templates/.claude/commands/build.md.template +0 -30
- package/templates/.claude/commands/check.md.template +0 -43
- package/templates/.claude/commands/dashboard.md +0 -28
- package/templates/.claude/commands/deps.md +0 -15
- package/templates/.claude/commands/dev-report.md +0 -50
- package/templates/.claude/commands/docs.md +0 -21
- package/templates/.claude/commands/doctor.md +0 -21
- package/templates/.claude/commands/enable-agent.md +0 -12
- package/templates/.claude/commands/execute-plan.md +0 -25
- package/templates/.claude/commands/explore-codebase.md +0 -12
- package/templates/.claude/commands/export-pdf.md +0 -30
- package/templates/.claude/commands/feature.md +0 -25
- package/templates/.claude/commands/fix-issue.md +0 -12
- package/templates/.claude/commands/fix.md.template +0 -32
- package/templates/.claude/commands/health.md +0 -58
- package/templates/.claude/commands/help.md +0 -36
- package/templates/.claude/commands/learn.md +0 -48
- package/templates/.claude/commands/onboarding.md +0 -21
- package/templates/.claude/commands/plan.md +0 -20
- package/templates/.claude/commands/quality.md.template +0 -65
- package/templates/.claude/commands/session-end.md +0 -40
- package/templates/.claude/commands/session-start.md +0 -30
- package/templates/.claude/commands/setup-hooks.md +0 -18
- package/templates/.claude/commands/setup-pr-review.md +0 -72
- package/templates/.claude/commands/stealth-mode.md +0 -17
- package/templates/.claude/commands/test-gaps.md +0 -49
- package/templates/.claude/commands/test.md.template +0 -40
- package/templates/.claude/commands/vulnerabilities.md +0 -49
- package/templates/.claude/skills/build/SKILL.md.template +0 -98
- package/templates/.claude/skills/deploy/SKILL.md.template +0 -131
- package/templates/.claude/skills/deploy/references/gotchas.md +0 -5
- package/templates/.claude/skills/doctor/SKILL.md +0 -54
- package/templates/.claude/skills/gcloud/SKILL.md +0 -66
- package/templates/.claude/skills/gcloud/references/gotchas.md +0 -5
- package/templates/.claude/skills/learned/SKILL.md +0 -55
- package/templates/.claude/skills/learned/references/conventions.md +0 -11
- package/templates/.claude/skills/learned/references/deny-recommendations.md +0 -18
- package/templates/.claude/skills/learned/references/gotchas.md +0 -11
- package/templates/.claude/skills/pulumi/SKILL.md +0 -73
- package/templates/.claude/skills/quality/SKILL.md.template +0 -108
- package/templates/.claude/skills/quality/references/gotchas.md +0 -5
- package/templates/.claude/skills/review/SKILL.md.template +0 -73
- package/templates/.claude/skills/scaffold/SKILL.md.template +0 -123
- package/templates/.claude/skills/secrets/SKILL.md +0 -52
- package/templates/.claude/skills/session/SKILL.md +0 -43
- package/templates/.claude/skills/test/SKILL.md.template +0 -122
- package/templates/.claude/skills/test/references/gotchas.md +0 -5
- package/templates/.devcontainer/Dockerfile.dev.template +0 -89
- package/templates/.devcontainer/devcontainer.json.template +0 -184
- package/templates/.devcontainer/docker-compose.yml.template +0 -105
- package/templates/.devcontainer/init-scripts/01-init.sql.template +0 -12
- package/templates/.devcontainer/post-create.sh.template +0 -298
- package/templates/.github/workflows/ci.yml.template +0 -399
- package/templates/.github/workflows/quality.yml.template +0 -376
- package/templates/.pre-commit-config.yaml.template +0 -106
- package/templates/.project/config/edit_config.py +0 -275
- package/templates/.project/config/project_config.py +0 -894
- package/templates/.project/scripts/codegen/generate-all.sh +0 -20
- package/templates/.project/scripts/codegen/validate-all.sh +0 -17
- package/templates/.project/scripts/docs/generate-all.sh +0 -30
- package/templates/.project/scripts/docs/serve.sh +0 -20
- package/templates/.project/scripts/quality/fix-all.sh +0 -138
- package/templates/.project/scripts/quality/lint-go.sh +0 -34
- package/templates/.project/scripts/quality/lint-python.sh +0 -54
- package/templates/.project/scripts/quality/run-all.sh +0 -497
- package/templates/.project/scripts/session/commit.sh +0 -70
- package/templates/.project/scripts/session/create-pr.sh +0 -165
- package/templates/.project/scripts/session/end.sh +0 -207
- package/templates/.project/scripts/session/start.sh +0 -233
- package/templates/.project/scripts/setup/doctor.sh +0 -404
- package/templates/.project/scripts/setup/interactive-setup.sh +0 -585
- package/templates/.project/scripts/sync/sync-template.sh +0 -328
- package/templates/.project/scripts/test/run-all.sh +0 -179
- package/templates/.project/scripts/test/run-quick.sh +0 -25
- package/templates/Makefile +0 -514
- package/templates/config/versions.yaml +0 -57
- package/templates/configs/go/.golangci.yml.template +0 -172
- package/templates/configs/go/go.mod.template +0 -15
- package/templates/configs/java/README.md +0 -6
- package/templates/configs/kotlin/README.md +0 -6
- package/templates/configs/node/package.json.template +0 -67
- package/templates/configs/node/tsconfig.json.template +0 -53
- package/templates/configs/python/pyproject.toml.template +0 -92
- package/templates/configs/python/pytest.ini.template +0 -64
- package/templates/configs/python/ruff.toml.template +0 -79
- package/templates/configs/ruby/README.md +0 -6
- package/templates/configs/rust/Cargo.toml.template +0 -51
- package/templates/configs/shared/.editorconfig +0 -67
- package/templates/scripts/validate-templates.sh +0 -449
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"aggregator.d.ts","sourceRoot":"","sources":["../../../src/analyzers/security/aggregator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;
|
|
1
|
+
{"version":3,"file":"aggregator.d.ts","sourceRoot":"","sources":["../../../src/analyzers/security/aggregator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AACzE,OAAO,KAAK,EAAE,QAAQ,EAAmB,eAAe,EAAE,MAAM,SAAS,CAAC;AAK1E,YAAY,EAAE,QAAQ,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAI1E;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,WAAY,SAAQ,eAAe;IAClD,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAED;;;;;GAKG;AACH,MAAM,WAAW,cAAc;IAC7B,aAAa,EAAE,MAAM,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,YAAY,EAAE,QAAQ,CAAC;IACvB,aAAa,EAAE,aAAa,CAAC;QAC3B,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,QAAQ,CAAC;KACpB,CAAC,CAAC;CACJ;AAED;;;;;GAKG;AACH,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE;QAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,GAAG,EAAE,OAAO,CAAA;KAAE,CAAC;IAC/C,YAAY,EAAE;QAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,GAAG,EAAE,OAAO,CAAA;KAAE,CAAC;IACpD,SAAS,EAAE;QAAE,GAAG,EAAE,OAAO,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,CAAC;IAClD,YAAY,EAAE;QAAE,GAAG,EAAE,OAAO,CAAA;KAAE,CAAC;IAC/B,QAAQ,EAAE;QAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,SAAS,EAAE,OAAO,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAA;KAAE,CAAC;CAClF;AAED;;;;GAIG;AACH,MAAM,WAAW,iBAAiB;IAChC;qEACiE;IACjE,cAAc,EAAE,cAAc,CAAC;IAE/B;;+DAE2D;IAC3D,aAAa,EAAE,cAAc,CAAC;IAE9B;;+BAE2B;IAC3B,iBAAiB,EAAE,cAAc,CAAC;IAElC;;2CAEuC;IACvC,kBAAkB,EAAE;QAClB,MAAM,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC;QACnC,IAAI,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC;QACjC,MAAM,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC;QACnC,UAAU,EAAE,aAAa,CAAC,cAAc,CAAC,CAAC;KAC3C,CAAC;IAEF;;;;;;OAMG;IACH,6BAA6B,EAAE,MAAM,CAAC;IAEtC;;;;;OAKG;IACH,0BAA0B,EAAE,MAAM,CAAC;IAEnC;0CACsC;IACtC,eAAe,EAAE,aAAa,CAAC,cAAc,CAAC,CAAC;IAE/C,qEAAqE;IACrE,UAAU,EAAE,mBAAmB,CAAC;CACjC;AAyCD;;;;;GAKG;AACH,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE;QAAE,QAAQ,
EAAE,eAAe,EAAE,CAAC;QAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;IAClE,YAAY,EAAE,eAAe,EAAE,CAAC;IAChC,YAAY,EAAE;QAAE,QAAQ,EAAE,eAAe,EAAE,CAAC;QAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAC;IACvE,SAAS,EAAE,eAAe,EAAE,CAAC;IAC7B;;;wBAGoB;IACpB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,QAAQ,EAAE;QACR,QAAQ,EAAE,cAAc,EAAE,CAAC;QAC3B,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;QACpB,SAAS,EAAE,OAAO,CAAC;QACnB,iBAAiB,EAAE,MAAM,CAAC;KAC3B,CAAC;CACH;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,sBAAsB,GAAG,iBAAiB,CAuNvF"}
|
|
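--- a/package/dist/analyzers/security/aggregator.js
+++ b/package/dist/analyzers/security/aggregator.js
@@ -57,7 +57,7 @@
 */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.buildSecurityAggregate = buildSecurityAggregate;
-const
+const fingerprint_1 = require("../tools/fingerprint");
 // ─── Canonical-rule registry ──────────────────────────────────────────────
 /**
 * Maps raw `(tool, rule)` pairs to a canonical rule id. Two raw
@@ -73,48 +73,6 @@ const crypto_1 = require("crypto");
 * double-counting. Future entries land when a new language pack or
 * semgrep ruleset surfaces overlap with an existing finding type.
 */
-const CANONICAL_RULE_MAP = new Map([
-// TLS / certificate validation bypass — D091 closure
-['tls-bypass-registry:tls-validation-disabled', 'canonical:tls-bypass'],
-['semgrep:bypass-tls-verification', 'canonical:tls-bypass'],
-['semgrep:nodejsscan.node_tls_reject_unauthorized', 'canonical:tls-bypass'],
-// Private-key file on disk — find + gitleaks may both surface
-['find:private-key-file', 'canonical:private-key-on-disk'],
-['gitleaks:private-key', 'canonical:private-key-on-disk'],
-]);
-function canonicalRuleFor(tool, rule) {
-return CANONICAL_RULE_MAP.get(`${tool}:${rule}`) ?? `raw:${tool}:${rule}`;
-}
-/**
-* Line-window bucketing. Tools report the same code construct at
-* slightly-different lines (semgrep on the declaration, registry-grep
-* on the assignment — D091's `:72` vs `:74` shape). 3-line buckets
-* absorb that drift without collapsing genuinely-different findings
-* in the same file.
-*
-* Boundary edge case closed by C1.10: the natural fixed-boundary
-* bucketing alone would miss adjacent findings straddling a
-* multiple-of-3 (a JS-heavy customer frontend surfaced
-* SetupConfigForm.js:43 + :45 → buckets 42 + 45 → no collapse
-* pre-C1.10). The grouping loop now
-* does a neighbor-bucket lookup (naturalBucket ± 3) after the natural
-* miss, restoring D091's intent across boundary-straddling pairs.
-* Effective collapse window: ~3-5 lines depending on alignment.
-*/
-function lineWindowFor(line) {
-return Math.floor(line / 3) * 3;
-}
-/**
-* Stable 16-char hex hash of `(canonicalRule | file | lineWindow)`.
-* NUL-separated so distinct tuples can't collide via concatenation
-* tricks. Mirrors `tools/fingerprint.computeFingerprint`'s format
-* (SHA-1 first 8 bytes hex) so dep-vuln and code-finding fingerprints
-* share a downstream type contract.
-*/
-function computeCodeFingerprint(canonicalRule, file, line) {
-const input = `${canonicalRule}\0${file}\0${lineWindowFor(line)}`;
-return (0, crypto_1.createHash)('sha1').update(input).digest('hex').slice(0, 16);
-}
 // ─── Severity helpers ─────────────────────────────────────────────────────
 const SEVERITY_RANK = {
 critical: 3,
@@ -162,8 +120,8 @@ function buildSecurityAggregate(input) {
 ];
 const groups = new Map();
 for (const f of rawCodeFindings) {
-const canonicalRule = canonicalRuleFor(f.tool, f.rule);
-const naturalFingerprint = computeCodeFingerprint(canonicalRule, f.file, f.line);
+const canonicalRule = (0, fingerprint_1.canonicalRuleFor)(f.tool, f.rule);
+const naturalFingerprint = (0, fingerprint_1.computeCodeFingerprint)(canonicalRule, f.file, f.line);
 // C1.10: neighbor-bucket lookup. The 3-line fixed bucket misses
 // adjacent findings that straddle a multiple-of-3 line (the JS-heavy
 // customer frontend surfaced SetupConfigForm.js:43 + :45 → buckets 42
@@ -177,7 +135,7 @@ function buildSecurityAggregate(input) {
 let existing = groups.get(fingerprint);
 if (!existing) {
 for (const offset of [-3, 3]) {
-const neighborFingerprint = computeCodeFingerprint(canonicalRule, f.file, f.line + offset);
+const neighborFingerprint = (0, fingerprint_1.computeCodeFingerprint)(canonicalRule, f.file, f.line + offset);
 const candidate = groups.get(neighborFingerprint);
 if (candidate) {
 existing = candidate;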
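Review bot: The neighbor-bucket probe in the `@@ -177` hunk still hardcodes the window width, `for (const offset of [-3, 3]) {`, while the bucketing it must stay in step with has moved into `../tools/fingerprint`, whose declaration file on this page exports `CODE_FINGERPRINT_LINE_WINDOW = 3`. If that constant is ever changed, the probe silently stops landing on the adjacent bucket and the cross-tool collapse degrades without any error; downstream baselines that compare fingerprint sets across runs would show the result as finding churn rather than as a bug. Suggest `for (const offset of [-fingerprint_1.CODE_FINGERPRINT_LINE_WINDOW, fingerprint_1.CODE_FINGERPRINT_LINE_WINDOW]) {`, on the assumption the constant is exported at runtime and not only in the `.d.ts`. The comment in the `@@ -162` hunk ("The 3-line fixed bucket") should name the constant for the same reason. buildSecurityAggregate starts and ends outside these hunks.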
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"aggregator.js","sourceRoot":"","sources":["../../../src/analyzers/security/aggregator.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;;
|
|
1
|
+
{"version":3,"file":"aggregator.js","sourceRoot":"","sources":["../../../src/analyzers/security/aggregator.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuDG;;AA0NH,wDAuNC;AA7aD,sDAAgF;AAkIhF,6EAA6E;AAE7E;;;;;;;;;;;;;GAaG;AACH,6EAA6E;AAE7E,MAAM,aAAa,GAA6B;IAC9C,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;CACP,CAAC;AAEF,SAAS,WAAW,CAAC,CAAW,EAAE,CAAW;IAC3C,OAAO,aAAa,CAAC,CAAC,CAAC,IAAI,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AACtD,CAAC;AAED,SAAS,WAAW;IAClB,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;AACrD,CAAC;AAED,SAAS,UAAU,CAAC,MAAsB,EAAE,QAAkB;IAC5D,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;AACrB,CAAC;AA4BD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,SAAgB,sBAAsB,CAAC,KAA6B;IAClE,uEAAuE;IACvE,MAAM,eAAe,GAAsB;QACzC,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ;QACzB,GAAG,KAAK,CAAC,YAAY;QACrB,GAAG,KAAK,CAAC,YAAY,CAAC,QAAQ;QAC9B,GAAG,KAAK,CAAC,SAAS;KACnB,CAAC;IAkBF,MAAM,MAAM,GAAG,IAAI,GAAG,EAAiB,CAAC;IAExC,KAAK,MAAM,CAAC,IAAI,eAAe,EAAE,CAAC;QAChC,MAAM,aAAa,GAAG,IAAA,8BAAgB,EAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,kBAAkB,GAAG,IAAA,oCAAsB,EAAC,aAAa,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QAEjF,gEAAgE;QAChE,qEAAqE;QACrE,sEAAsE;QACtE,sEAAsE;QACtE,qBAAqB;QACrB,gEAAgE;QAChE,oEAAoE;QACpE,gEAAgE;QAChE,gEAAgE;QAChE,IAAI,WAAW,GAAG,kBAAkB,CAAC;QACrC,IAAI,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QACvC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,KAAK,MAAM,MAAM,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;gBAC7B,MAAM,mBAAmB,GAAG,IAAA,oCAAsB,EAAC,aAAa,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,GAAG,MAAM,CAAC,CAAC;gBAC3F,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;gBAClD,IAAI,SAAS,EAAE,CAAC;oBACd,QAAQ,GAAG,SAAS,CAAC;oBACrB,WAAW,GAAG,mBAAmB,CAAC;oBAClC,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;QACD,IAAI,QAAQ,EAAE,CAAC;YACb,QAAQ,CAAC,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC;YAC/D,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YAC
hC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC;gBACjB,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,QAAQ,EAAE,CAAC,CAAC,QAAQ;aACrB,CAAC,CAAC;YACH,+DAA+D;YAC/D,yDAAyD;YACzD,+DAA+D;YAC/D,iEAAiE;YACjE,IAAI,CAAC,CAAC,IAAI,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;gBAC3B,QAAQ,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;gBACvB,QAAQ,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;gBACzB,QAAQ,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;gBACvB,QAAQ,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;gBACvB,QAAQ,CAAC,GAAG,GAAG,CAAC,CAAC,GAAG,IAAI,QAAQ,CAAC,GAAG,CAAC;YACvC,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE;gBACtB,WAAW;gBACX,aAAa;gBACb,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,GAAG,EAAE,CAAC,CAAC,GAAG;gBACV,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,UAAU,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;gBAC7B,IAAI,EAAE;oBACJ;wBACE,IAAI,EAAE,CAAC,CAAC,IAAI;wBACZ,IAAI,EAAE,CAAC,CAAC,IAAI;wBACZ,IAAI,EAAE,CAAC,CAAC,IAAI;wBACZ,QAAQ,EAAE,CAAC,CAAC,QAAQ;qBACrB;iBACF;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,sBAAsB,GAAwD;QAClF,MAAM,EAAE,EAAE;QACV,IAAI,EAAE,EAAE;QACR,MAAM,EAAE,EAAE;KACX,CAAC;IACF,MAAM,cAAc,GAAG,WAAW,EAAE,CAAC;IACrC,MAAM,iBAAiB,GAAG,WAAW,EAAE,CAAC;IACxC,MAAM,eAAe,GAAqB,EAAE,CAAC;IAE7C,KAAK,MAAM,CAAC,IAAI,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC;QAChC,MAAM,OAAO,GAAgB;YAC3B,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,GAAG,EAAE,CAAC,CAAC,GAAG;YACV,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,KAAK,EAAE,CAAC,CAAC,KAAK;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,WAAW,EAAE,CAAC,CAAC,WAAW;YAC1B,aAAa,EAAE,CAAC,CAAC,aAAa;YAC9B,UAAU,EAAE,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,EAAE;SACrC,CAAC;QAEF,IAAI,CAAC,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC5B,sBAAsB,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC5C,UAAU,CAAC,iBAAiB,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC5C,CAAC;aAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACnC,sBA
AsB,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC5C,6DAA6D;YAC7D,+DAA+D;YAC/D,8DAA8D;YAC9D,wBAAwB;YACxB,UAAU,CAAC,iBAAiB,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC;QAC5C,CAAC;aAAM,CAAC;YACN,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC1C,UAAU,CAAC,cAAc,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC;QACzC,CAAC;QAED,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,eAAe,CAAC,IAAI,CAAC;gBACnB,aAAa,EAAE,CAAC,CAAC,aAAa;gBAC9B,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,YAAY,EAAE,CAAC,CAAC,QAAQ;gBACxB,aAAa,EAAE,CAAC,CAAC,IAAI;aACtB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,uEAAuE;IACvE,kEAAkE;IAClE,oEAAoE;IACpE,gDAAgD;IAChD,MAAM,SAAS,GAAG,IAAI,GAAG,EAA0B,CAAC;IACpD,IAAI,2BAA2B,GAAG,CAAC,CAAC;IACpC,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACxC,MAAM,GAAG,GAAG,CAAC,CAAC,WAAW,IAAI,gBAAgB,2BAA2B,EAAE,EAAE,CAAC;QAC7E,MAAM,QAAQ,GAAG,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACpC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,SAAS,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;QACxB,CAAC;aAAM,CAAC;YACN,6DAA6D;YAC7D,2DAA2D;YAC3D,2BAA2B;YAC3B,IAAI,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACjE,SAAS,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;IACH,CAAC;IACD,MAAM,iBAAiB,GAAG,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;IAClD,MAAM,aAAa,GAAG,WAAW,EAAE,CAAC;IACpC,KAAK,MAAM,CAAC,IAAI,iBAAiB,EAAE,CAAC;QAClC,UAAU,CAAC,aAAa,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC;IACxC,CAAC;IAED,uEAAuE;IACvE,MAAM,UAAU,GAAwB;QACtC,OAAO,EAAE;YACP,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC,QAAQ;YAC5B,GAAG,EAAE,KAAK,CAAC,OAAO,CAAC,QAAQ,KAAK,IAAI;SACrC;QACD,YAAY,EAAE;YACZ,IAAI,EAAE,KAAK,CAAC,YAAY,CAAC,QAAQ;YACjC,GAAG,EAAE,KAAK,CAAC,YAAY,CAAC,QAAQ,KAAK,IAAI;SAC1C;QACD,SAAS,EAAE;YACT,gEAAgE;YAChE,6DAA6D;YAC7D,8DAA8D;YAC9D,4BAA4B;YAC5B,GAAG,EAAE,KAAK,CAAC,qBAAqB,GAAG,CAAC;YACpC,YAAY,EAAE,KAAK,CAAC,qBAAqB;SAC1C;QACD,YAAY,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE;QAC3B,QAAQ,EAAE;YACR,IAAI,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI;YACzB,SAAS,EAAE,KAAK,CAAC,QAAQ,CAAC,SAAS;YACnC,iBAAiB,EAAE,KAAK,CAAC,QAAQ,CAAC,iBAAiB;SACpD;KACF,CAAC;IAEF,OAAO;Q
ACL,cAAc;QACd,aAAa;QACb,iBAAiB;QACjB,kBAAkB,EAAE;YAClB,MAAM,EAAE,sBAAsB,CAAC,MAAM;YACrC,IAAI,EAAE,sBAAsB,CAAC,IAAI;YACjC,MAAM,EAAE,sBAAsB,CAAC,MAAM;YACrC,UAAU,EAAE,iBAAiB;SAC9B;QACD,6BAA6B,EAAE,iBAAiB,CAAC,MAAM;QACvD,0BAA0B,EAAE,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM;QAC1D,eAAe;QACf,UAAU;KACX,CAAC;AACJ,CAAC"}
|
|
@@ -1,30 +1,29 @@
|
|
|
1
1
|
/**
|
|
2
|
-
*
|
|
3
|
-
*
|
|
4
|
-
*
|
|
5
|
-
*
|
|
6
|
-
*
|
|
7
|
-
*
|
|
8
|
-
*
|
|
9
|
-
*
|
|
10
|
-
*
|
|
11
|
-
*
|
|
12
|
-
*
|
|
13
|
-
*
|
|
14
|
-
*
|
|
15
|
-
*
|
|
16
|
-
*
|
|
17
|
-
*
|
|
18
|
-
*
|
|
19
|
-
*
|
|
20
|
-
*
|
|
21
|
-
*
|
|
22
|
-
*
|
|
23
|
-
*
|
|
24
|
-
*
|
|
25
|
-
*
|
|
26
|
-
*
|
|
27
|
-
* non-identical tuples effectively impossible for repo-scale sets.
|
|
2
|
+
* Durable per-finding identity across runs — used by both intra-run dedup
|
|
3
|
+
* (the security aggregator collapses cross-tool overlaps via fingerprint)
|
|
4
|
+
* and cross-run diff tooling (baselines compare today's fingerprint set
|
|
5
|
+
* against yesterday's to surface added / removed / persisted findings).
|
|
6
|
+
*
|
|
7
|
+
* Two fingerprint families live here:
|
|
8
|
+
*
|
|
9
|
+
* 1. Dependency-advisory fingerprints — stable hash of
|
|
10
|
+
* `(package, installedVersion, id)`. Used by `gatherDepVulns` +
|
|
11
|
+
* BoM. Excludes severity / cvssScore / enrichment fields
|
|
12
|
+
* (epssScore, kev, reachable, riskScore), producer `tool`, and
|
|
13
|
+
* `upgradeAdvice` / `upgradePlan` so re-scoring the same advisory
|
|
14
|
+
* against the same install never mints a new identity.
|
|
15
|
+
*
|
|
16
|
+
* 2. Code/secret/config-finding fingerprints — stable hash of
|
|
17
|
+
* `(canonicalRule, file, lineWindow)`. The canonical-rule map
|
|
18
|
+
* collapses cross-tool overlaps (e.g. semgrep + a per-language
|
|
19
|
+
* grep-based pattern both reporting the same TLS-bypass
|
|
20
|
+
* construct). The line-window absorbs the small offset between
|
|
21
|
+
* tools that report the declaration vs. the assignment.
|
|
22
|
+
*
|
|
23
|
+
* Both families share format: 16-char lowercase hex (first 8 bytes of
|
|
24
|
+
* SHA-1). Short enough to embed inline in reports, long enough to make
|
|
25
|
+
* collisions between non-identical tuples effectively impossible at
|
|
26
|
+
* repo scale. Producers may render either inline interchangeably.
|
|
28
27
|
*/
|
|
29
28
|
import type { DepVulnFinding } from '../../languages/capabilities/types';
|
|
30
29
|
/**
|
|
@@ -60,4 +59,70 @@ export declare function stampFingerprints(findings: DepVulnFinding[]): void;
|
|
|
60
59
|
* findings outside the `gatherDepVulns` path).
|
|
61
60
|
*/
|
|
62
61
|
export declare function collectFingerprints(findings: ReadonlyArray<DepVulnFinding>): string[];
|
|
62
|
+
/**
|
|
63
|
+
* Maps raw `(tool, rule)` pairs to a canonical rule id. Two raw
|
|
64
|
+
* findings with the same canonical rule (and same file + line window)
|
|
65
|
+
* fingerprint identically — the aggregator's dedup pipeline collapses
|
|
66
|
+
* them into a single CodeFinding with `producedBy` listing every
|
|
67
|
+
* contributing tool. Adding a new collapse is a one-line addition; no
|
|
68
|
+
* algorithm changes.
|
|
69
|
+
*
|
|
70
|
+
* Unmapped pairs fall through to `raw:${tool}:${rule}` — conservative
|
|
71
|
+
* default. Never accidentally collapses unrelated findings.
|
|
72
|
+
*/
|
|
73
|
+
export declare const CANONICAL_RULE_MAP: ReadonlyMap<string, string>;
|
|
74
|
+
/** Resolve a raw `(tool, rule)` pair to its canonical rule id. */
|
|
75
|
+
export declare function canonicalRuleFor(tool: string, rule: string): string;
|
|
76
|
+
/**
|
|
77
|
+
* Width of the line-number bucket used by code-finding fingerprints.
|
|
78
|
+
* Tools report the same construct at slightly different lines (one
|
|
79
|
+
* tool on the declaration, another on the assignment). Bucketing
|
|
80
|
+
* absorbs that drift without collapsing unrelated findings on
|
|
81
|
+
* nearby lines.
|
|
82
|
+
*/
|
|
83
|
+
export declare const CODE_FINGERPRINT_LINE_WINDOW = 3;
|
|
84
|
+
/**
|
|
85
|
+
* Bucket a line number to its canonical line-window value. Findings
|
|
86
|
+
* sharing the same `(canonicalRule, file, lineWindow)` tuple share a
|
|
87
|
+
* fingerprint.
|
|
88
|
+
*
|
|
89
|
+
* Note on boundary cases: the aggregator additionally probes the two
|
|
90
|
+
* neighbor buckets (±lineWindow) to catch adjacent findings that
|
|
91
|
+
* straddle a bucket boundary; that lookup lives in the aggregator
|
|
92
|
+
* because it owns the merge policy, not here.
|
|
93
|
+
*/
|
|
94
|
+
export declare function lineWindowFor(line: number): number;
|
|
95
|
+
/**
|
|
96
|
+
* Stable 16-char hex hash of `(canonicalRule, file, lineWindow)`.
|
|
97
|
+
* NUL-separated so distinct tuples can't collide via concatenation
|
|
98
|
+
* tricks. Same byte format as `computeFingerprint` so dep-vuln and
|
|
99
|
+
* code-finding fingerprints share a downstream type contract.
|
|
100
|
+
*/
|
|
101
|
+
export declare function computeCodeFingerprint(canonicalRule: string, file: string, line: number): string;
|
|
102
|
+
/**
|
|
103
|
+
* HMAC-SHA256 of a detected secret value, keyed by a per-repo salt.
|
|
104
|
+
* The output is 16-char lowercase hex (first 8 bytes of the 32-byte
|
|
105
|
+
* HMAC) so it shares the byte format of the other fingerprint helpers
|
|
106
|
+
* and can be embedded inline in reports without taking real estate.
|
|
107
|
+
*
|
|
108
|
+
* Cryptographic posture: HMAC (not bare hash) so the producer cannot
|
|
109
|
+
* recover the secret from its identity even if the salt is leaked,
|
|
110
|
+
* and the salt cannot be recovered from the identity even if the
|
|
111
|
+
* secret is known. Truncating to 8 bytes is safe at repo scale —
|
|
112
|
+
* collision probability for distinct secrets is ~2^-32 per pair,
|
|
113
|
+
* negligible for any realistic finding set.
|
|
114
|
+
*
|
|
115
|
+
* Used by the secret-hmac identity scheme: a leaked token that moves
|
|
116
|
+
* files between runs produces the same HMAC, so the matcher can
|
|
117
|
+
* recognize "same secret, different location" as a relocated finding
|
|
118
|
+
* rather than a deleted+added pair. The salt is per-repo so
|
|
119
|
+
* cross-repo identity collisions are impossible (the same secret in
|
|
120
|
+
* two repos hashes to two different HMACs).
|
|
121
|
+
*
|
|
122
|
+
* The producer never stores the secret value itself — only the HMAC.
|
|
123
|
+
* That's the whole reason this scheme is preferred over a bare
|
|
124
|
+
* content hash of the secret: zero secret-recovery risk in the
|
|
125
|
+
* baseline file.
|
|
126
|
+
*/
|
|
127
|
+
export declare function computeSecretHmac(secret: string, salt: string): string;
|
|
63
128
|
//# sourceMappingURL=fingerprint.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"fingerprint.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/fingerprint.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"fingerprint.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/fingerprint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAGH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AAEzE;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,IAAI,CAAC,cAAc,EAAE,SAAS,GAAG,kBAAkB,GAAG,IAAI,CAAC,GACnE,MAAM,CAGR;AAED;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,IAAI,CAIlE;AAED;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,aAAa,CAAC,cAAc,CAAC,GAAG,MAAM,EAAE,CAMrF;AAID;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kBAAkB,EAAE,WAAW,CAAC,MAAM,EAAE,MAAM,CASzD,CAAC;AAEH,kEAAkE;AAClE,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAEnE;AAED;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,IAAI,CAAC;AAE9C;;;;;;;;;GASG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAElD;AAED;;;;;GAKG;AACH,wBAAgB,sBAAsB,CAAC,aAAa,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAGhG;AAID;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAEtE"}
|
|
@@ -1,36 +1,40 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
/**
|
|
3
|
-
*
|
|
3
|
+
* Durable per-finding identity across runs — used by both intra-run dedup
|
|
4
|
+
* (the security aggregator collapses cross-tool overlaps via fingerprint)
|
|
5
|
+
* and cross-run diff tooling (baselines compare today's fingerprint set
|
|
6
|
+
* against yesterday's to surface added / removed / persisted findings).
|
|
4
7
|
*
|
|
5
|
-
*
|
|
6
|
-
* stamps every finding with a stable hash of `(package, installedVersion,
|
|
7
|
-
* id)` before scoring + reporting. The same advisory against the same
|
|
8
|
-
* installed version produces the same fingerprint on every run, so
|
|
9
|
-
* consumers (agent-driven upgrade bots, suppressions, CI gates) can diff
|
|
10
|
-
* a current bom against a stored prior to detect:
|
|
8
|
+
* Two fingerprint families live here:
|
|
11
9
|
*
|
|
12
|
-
* -
|
|
13
|
-
*
|
|
14
|
-
*
|
|
10
|
+
* 1. Dependency-advisory fingerprints — stable hash of
|
|
11
|
+
* `(package, installedVersion, id)`. Used by `gatherDepVulns` +
|
|
12
|
+
* BoM. Excludes severity / cvssScore / enrichment fields
|
|
13
|
+
* (epssScore, kev, reachable, riskScore), producer `tool`, and
|
|
14
|
+
* `upgradeAdvice` / `upgradePlan` so re-scoring the same advisory
|
|
15
|
+
* against the same install never mints a new identity.
|
|
15
16
|
*
|
|
16
|
-
*
|
|
17
|
-
*
|
|
18
|
-
*
|
|
19
|
-
*
|
|
20
|
-
*
|
|
21
|
-
*
|
|
22
|
-
* npm-audit + snyk) should collapse to one identity
|
|
23
|
-
* - `upgradeAdvice` / `upgradePlan` — resolution suggestions change
|
|
24
|
-
* across releases of the fix tooling; identity must outlive them
|
|
17
|
+
* 2. Code/secret/config-finding fingerprints — stable hash of
|
|
18
|
+
* `(canonicalRule, file, lineWindow)`. The canonical-rule map
|
|
19
|
+
* collapses cross-tool overlaps (e.g. semgrep + a per-language
|
|
20
|
+
* grep-based pattern both reporting the same TLS-bypass
|
|
21
|
+
* construct). The line-window absorbs the small offset between
|
|
22
|
+
* tools that report the declaration vs. the assignment.
|
|
25
23
|
*
|
|
26
|
-
*
|
|
27
|
-
* to embed inline in reports, long enough to make
|
|
28
|
-
* non-identical tuples effectively impossible
|
|
24
|
+
* Both families share format: 16-char lowercase hex (first 8 bytes of
|
|
25
|
+
* SHA-1). Short enough to embed inline in reports, long enough to make
|
|
26
|
+
* collisions between non-identical tuples effectively impossible at
|
|
27
|
+
* repo scale. Producers may render either inline interchangeably.
|
|
29
28
|
*/
|
|
30
29
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
30
|
+
exports.CODE_FINGERPRINT_LINE_WINDOW = exports.CANONICAL_RULE_MAP = void 0;
|
|
31
31
|
exports.computeFingerprint = computeFingerprint;
|
|
32
32
|
exports.stampFingerprints = stampFingerprints;
|
|
33
33
|
exports.collectFingerprints = collectFingerprints;
|
|
34
|
+
exports.canonicalRuleFor = canonicalRuleFor;
|
|
35
|
+
exports.lineWindowFor = lineWindowFor;
|
|
36
|
+
exports.computeCodeFingerprint = computeCodeFingerprint;
|
|
37
|
+
exports.computeSecretHmac = computeSecretHmac;
|
|
34
38
|
const crypto_1 = require("crypto");
|
|
35
39
|
/**
|
|
36
40
|
* Stable 16-char hex fingerprint for one DepVulnFinding. Input tuple
|
|
@@ -79,4 +83,89 @@ function collectFingerprints(findings) {
|
|
|
79
83
|
}
|
|
80
84
|
return [...set].sort();
|
|
81
85
|
}
|
|
86
|
+
// ─── Code/secret/config-finding fingerprints ─────────────────────────────────
|
|
87
|
+
/**
|
|
88
|
+
* Maps raw `(tool, rule)` pairs to a canonical rule id. Two raw
|
|
89
|
+
* findings with the same canonical rule (and same file + line window)
|
|
90
|
+
* fingerprint identically — the aggregator's dedup pipeline collapses
|
|
91
|
+
* them into a single CodeFinding with `producedBy` listing every
|
|
92
|
+
* contributing tool. Adding a new collapse is a one-line addition; no
|
|
93
|
+
* algorithm changes.
|
|
94
|
+
*
|
|
95
|
+
* Unmapped pairs fall through to `raw:${tool}:${rule}` — conservative
|
|
96
|
+
* default. Never accidentally collapses unrelated findings.
|
|
97
|
+
*/
|
|
98
|
+
exports.CANONICAL_RULE_MAP = new Map([
|
|
99
|
+
// TLS / certificate validation bypass
|
|
100
|
+
['tls-bypass-registry:tls-validation-disabled', 'canonical:tls-bypass'],
|
|
101
|
+
['semgrep:bypass-tls-verification', 'canonical:tls-bypass'],
|
|
102
|
+
['semgrep:nodejsscan.node_tls_reject_unauthorized', 'canonical:tls-bypass'],
|
|
103
|
+
// Private-key file on disk — find + gitleaks may both surface
|
|
104
|
+
['find:private-key-file', 'canonical:private-key-on-disk'],
|
|
105
|
+
['gitleaks:private-key', 'canonical:private-key-on-disk'],
|
|
106
|
+
]);
|
|
107
|
+
/** Resolve a raw `(tool, rule)` pair to its canonical rule id. */
|
|
108
|
+
function canonicalRuleFor(tool, rule) {
|
|
109
|
+
return exports.CANONICAL_RULE_MAP.get(`${tool}:${rule}`) ?? `raw:${tool}:${rule}`;
|
|
110
|
+
}
|
|
111
|
+
/**
|
|
112
|
+
* Width of the line-number bucket used by code-finding fingerprints.
|
|
113
|
+
* Tools report the same construct at slightly different lines (one
|
|
114
|
+
* tool on the declaration, another on the assignment). Bucketing
|
|
115
|
+
* absorbs that drift without collapsing unrelated findings on
|
|
116
|
+
* nearby lines.
|
|
117
|
+
*/
|
|
118
|
+
exports.CODE_FINGERPRINT_LINE_WINDOW = 3;
|
|
119
|
+
/**
|
|
120
|
+
* Bucket a line number to its canonical line-window value. Findings
|
|
121
|
+
* sharing the same `(canonicalRule, file, lineWindow)` tuple share a
|
|
122
|
+
* fingerprint.
|
|
123
|
+
*
|
|
124
|
+
* Note on boundary cases: the aggregator additionally probes the two
|
|
125
|
+
* neighbor buckets (±lineWindow) to catch adjacent findings that
|
|
126
|
+
* straddle a bucket boundary; that lookup lives in the aggregator
|
|
127
|
+
* because it owns the merge policy, not here.
|
|
128
|
+
*/
|
|
129
|
+
function lineWindowFor(line) {
|
|
130
|
+
return Math.floor(line / exports.CODE_FINGERPRINT_LINE_WINDOW) * exports.CODE_FINGERPRINT_LINE_WINDOW;
|
|
131
|
+
}
|
|
132
|
+
/**
|
|
133
|
+
* Stable 16-char hex hash of `(canonicalRule, file, lineWindow)`.
|
|
134
|
+
* NUL-separated so distinct tuples can't collide via concatenation
|
|
135
|
+
* tricks. Same byte format as `computeFingerprint` so dep-vuln and
|
|
136
|
+
* code-finding fingerprints share a downstream type contract.
|
|
137
|
+
*/
|
|
138
|
+
function computeCodeFingerprint(canonicalRule, file, line) {
|
|
139
|
+
const input = `${canonicalRule}\0${file}\0${lineWindowFor(line)}`;
|
|
140
|
+
return (0, crypto_1.createHash)('sha1').update(input).digest('hex').slice(0, 16);
|
|
141
|
+
}
|
|
142
|
+
// ─── Secret HMAC primitive ───────────────────────────────────────────────────
|
|
143
|
+
/**
|
|
144
|
+
* HMAC-SHA256 of a detected secret value, keyed by a per-repo salt.
|
|
145
|
+
* The output is 16-char lowercase hex (first 8 bytes of the 32-byte
|
|
146
|
+
* HMAC) so it shares the byte format of the other fingerprint helpers
|
|
147
|
+
* and can be embedded inline in reports without taking real estate.
|
|
148
|
+
*
|
|
149
|
+
* Cryptographic posture: HMAC (not bare hash) so the producer cannot
|
|
150
|
+
* recover the secret from its identity even if the salt is leaked,
|
|
151
|
+
* and the salt cannot be recovered from the identity even if the
|
|
152
|
+
* secret is known. Truncating to 8 bytes is safe at repo scale —
|
|
153
|
+
* collision probability for distinct secrets is ~2^-32 per pair,
|
|
154
|
+
* negligible for any realistic finding set.
|
|
155
|
+
*
|
|
156
|
+
* Used by the secret-hmac identity scheme: a leaked token that moves
|
|
157
|
+
* files between runs produces the same HMAC, so the matcher can
|
|
158
|
+
* recognize "same secret, different location" as a relocated finding
|
|
159
|
+
* rather than a deleted+added pair. The salt is per-repo so
|
|
160
|
+
* cross-repo identity collisions are impossible (the same secret in
|
|
161
|
+
* two repos hashes to two different HMACs).
|
|
162
|
+
*
|
|
163
|
+
* The producer never stores the secret value itself — only the HMAC.
|
|
164
|
+
* That's the whole reason this scheme is preferred over a bare
|
|
165
|
+
* content hash of the secret: zero secret-recovery risk in the
|
|
166
|
+
* baseline file.
|
|
167
|
+
*/
|
|
168
|
+
function computeSecretHmac(secret, salt) {
|
|
169
|
+
return (0, crypto_1.createHmac)('sha256', salt).update(secret).digest('hex').slice(0, 16);
|
|
170
|
+
}
|
|
82
171
|
//# sourceMappingURL=fingerprint.js.map
|
|
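Review bot: `computeSecretHmac` at the end of the hunk accepts any string as the key, so an empty or constant `salt` silently turns the keyed construction the docblock relies on into an unkeyed hash; a guard such as `if (salt.length === 0) throw new Error('computeSecretHmac: salt must be non-empty');` before the `createHmac` call would make that misuse loud instead of producing a valid-looking 16-char identity. The docblock's collision figure is also off: with a 64-bit (16 hex char) truncation the per-pair collision probability is 2^-64, and ~2^32 is roughly the number of distinct secrets at which a collision becomes likely under the birthday bound, so the comment should read `collision probability for two distinct secrets is ~2^-64; a collision only becomes likely near 2^32 distinct secrets`. The claim that the secret cannot be recovered even if the salt leaks should be qualified as well — once the key is known the HMAC is a deterministic function of the secret alone, so it protects a low-entropy secret only as long as the salt stays confidential. The salt's generation is outside this hunk; if it is not drawn from a CSPRNG with a generous length, that requirement belongs in this docblock too.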
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"fingerprint.js","sourceRoot":"","sources":["../../../src/analyzers/tools/fingerprint.ts"],"names":[],"mappings":";AAAA
|
|
1
|
+
{"version":3,"file":"fingerprint.js","sourceRoot":"","sources":["../../../src/analyzers/tools/fingerprint.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;;;AAeH,gDAKC;AAYD,8CAIC;AAYD,kDAMC;AA2BD,4CAEC;AAqBD,sCAEC;AAQD,wDAGC;AA6BD,8CAEC;AAlJD,mCAAgD;AAGhD;;;;;;;;;GASG;AACH,SAAgB,kBAAkB,CAChC,OAAoE;IAEpE,MAAM,KAAK,GAAG,GAAG,OAAO,CAAC,OAAO,KAAK,OAAO,CAAC,gBAAgB,IAAI,EAAE,KAAK,OAAO,CAAC,EAAE,EAAE,CAAC;IACrF,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,iBAAiB,CAAC,QAA0B;IAC1D,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,CAAC,CAAC,WAAW,GAAG,kBAAkB,CAAC,CAAC,CAAC,CAAC;IACxC,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,mBAAmB,CAAC,QAAuC;IACzE,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,WAAW;YAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;IAC5C,CAAC;IACD,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;AACzB,CAAC;AAED,gFAAgF;AAEhF;;;;;;;;;;GAUG;AACU,QAAA,kBAAkB,GAAgC,IAAI,GAAG,CAAiB;IACrF,sCAAsC;IACtC,CAAC,6CAA6C,EAAE,sBAAsB,CAAC;IACvE,CAAC,iCAAiC,EAAE,sBAAsB,CAAC;IAC3D,CAAC,iDAAiD,EAAE,sBAAsB,CAAC;IAE3E,8DAA8D;IAC9D,CAAC,uBAAuB,EAAE,+BAA+B,CAAC;IAC1D,CAAC,sBAAsB,EAAE,+BAA+B,CAAC;CAC1D,CAAC,CAAC;AAEH,kEAAkE;AAClE,SAAgB,gBAAgB,CAAC,IAAY,EAAE,IAAY;IACzD,OAAO,0BAAkB,CAAC,GAAG,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC,IAAI,OAAO,IAAI,IAAI,IAAI,EAAE,CAAC;AAC5E,CAAC;AAED;;;;;;GAMG;AACU,QAAA,4BAA4B,GAAG,CAAC,CAAC;AAE9C;;;;;;;;;GASG;AACH,SAAgB,aAAa,CAAC,IAAY;IACxC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,oCAA4B,CAAC,GAAG,oCAA4B,CAAC;AACxF,CAAC;AAED;;;;;GAKG;AACH,SAAgB,sBAAsB,CAAC,aAAqB,EAAE,IAAY,EAAE,IAAY;IACtF,MAAM,KAAK,GAAG,GAAG,aAAa,KAAK,IAAI,KAAK,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC;IAClE,OAAO,IAAA,mBAAU,EAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACrE,CAAC;AAED,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,SAAgB,iBAAiB,CAAC,MAAc,EAAE,IAAY;IAC5D,OAAO,IAAA,mBAAU,
EAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AAC9E,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"generic.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/generic.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AA+DjD;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAClC,GAAG,EAAE,MAAM,EACX,aAAa,CAAC,EAAE,aAAa,CAAC,WAAW,CAAC,GACzC,OAAO,CAAC,aAAa,CAAC,
|
|
1
|
+
{"version":3,"file":"generic.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/generic.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AA+DjD;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAClC,GAAG,EAAE,MAAM,EACX,aAAa,CAAC,EAAE,aAAa,CAAC,WAAW,CAAC,GACzC,OAAO,CAAC,aAAa,CAAC,CAsOxB"}
|
|
@@ -151,7 +151,12 @@ function gatherGenericMetrics(cwd, languageFlags) {
|
|
|
151
151
|
filesOver500Lines++;
|
|
152
152
|
}
|
|
153
153
|
const sourceFiles = sourceList.length;
|
|
154
|
-
|
|
154
|
+
// Every file over the canonical large-file threshold, sorted
|
|
155
|
+
// descending. Filtered (not pre-sliced) at this layer so the
|
|
156
|
+
// baseline `large-file` producer captures one entry per file and
|
|
157
|
+
// the per-kind count matches `filesOver500Lines` above. The
|
|
158
|
+
// markdown renderer caps to top 10 at the display site.
|
|
159
|
+
const largestFiles = filteredFiles.filter((f) => f.lines > 500).sort((a, b) => b.lines - a.lines);
|
|
155
160
|
// ─── Console / debug / type-escape / eval counts (D074 closure) ───────────
|
|
156
161
|
// skipComments: true filters lines beginning with //, /*, or # so
|
|
157
162
|
// commented-out occurrences don't inflate the count.
|
|
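Review bot: The new `largestFiles` line at the end of the hunk hard-codes `500` a second time, while the comment above it calls that value "the canonical large-file threshold" and promises the per-kind count matches `filesOver500Lines`; two separate literals can drift apart silently and break the invariant the comment states. Hoisting it — `const LARGE_FILE_LINE_THRESHOLD = 500;` near the top of `gatherGenericMetrics` and `const largestFiles = filteredFiles.filter((f) => f.lines > LARGE_FILE_LINE_THRESHOLD).sort((a, b) => b.lines - a.lines);` here, with the counter's comparison using the same name — ties the two sites together. The counter's own comparison and the rest of `gatherGenericMetrics` start and end outside this hunk, so that part is inferred from the variable name.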
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"generic.js","sourceRoot":"","sources":["../../../src/analyzers/tools/generic.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+EA,
|
|
1
|
+
{"version":3,"file":"generic.js","sourceRoot":"","sources":["../../../src/analyzers/tools/generic.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+EA,oDAyOC;AAhTD,qCAAuD;AACvD,6CAAmD;AACnD,2DAAwE;AACxE,yDAA2D;AAC3D,+CAMyB;AACzB,uCAAyB;AACzB,2CAA6B;AAE7B,wEAAwE;AACxE,uEAAuE;AACvE,gEAAgE;AAChE,qEAAqE;AACrE,gEAAgE;AAChE,6DAA6D;AAC7D,oEAAoE;AACpE,EAAE;AACF,kEAAkE;AAClE,iEAAiE;AACjE,6DAA6D;AAC7D,qCAAqC;AAErC;;;;;;;;;;;;;GAaG;AACH,SAAS,kBAAkB,CAAC,GAAW;IACrC,MAAM,GAAG,GAAG,IAAA,YAAG,EAAC,2CAA2C,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACzE,OAAO,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;AACpC,CAAC;AAED;;;;GAIG;AACH,SAAS,SAAS,CAAC,OAAe;IAChC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IACnC,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,IAAI,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,QAAQ;YAAE,KAAK,EAAE,CAAC;IACrD,CAAC;IACD,8DAA8D;IAC9D,IAAI,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,EAAE;QAAE,KAAK,EAAE,CAAC;IAC3D,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;GAQG;AACH,SAAgB,oBAAoB,CAClC,GAAW,EACX,aAA0C;IAE1C,MAAM,OAAO,GAAG,IAAA,gCAAmB,EAAC,GAAG,CAAC,CAAC;IACzC,qEAAqE;IACrE,iEAAiE;IACjE,kEAAkE;IAClE,yBAAyB;IACzB,MAAM,QAAQ,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;IAEzC,6EAA6E;IAC7E,oEAAoE;IACpE,qEAAqE;IACrE,kEAAkE;IAClE,wEAAwE;IACxE,kEAAkE;IAClE,EAAE;IACF,oEAAoE;IACpE,mEAAmE;IACnE,+DAA+D;IAC/D,+DAA+D;IAC/D,iEAAiE;IACjE,gEAAgE;IAChE,oCAAoC;IACpC,MAAM,UAAU,GAAG,IAAA,mCAAe,EAAC,GAAG,CAAC,CAAC;IACxC,MAAM,mBAAmB,GAAG,IAAA,mCAAe,EAAC,GAAG,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC;IACzE,MAAM,QAAQ,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAE5E,6EAA6E;IAC7E,iEAAiE;IACjE,kEAAkE;IAClE,sEAAsE;IACtE,MAAM,aAAa,GAA2C,EAAE,CAAC;IACjE,KAAK,MAAM,OAAO,IAAI,UAAU,EAAE,CAAC;QACjC,IAAI,OAAe,CAAC;QACpB,IAAI,CAAC;YACH,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC,EAAE,OAAO,CAAC,CAAC;QAC9D,CAAC;QAAC,MAAM,CAAC;YACP,
SAAS;QACX,CAAC;QACD,aAAa,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IACnE,CAAC;IACD,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,IAAI,gBAAgB,GAAG,CAAC,CAAC;IACzB,IAAI,eAAe,GAAG,EAAE,CAAC;IACzB,IAAI,iBAAiB,GAAG,CAAC,CAAC;IAC1B,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;QAC9B,UAAU,IAAI,CAAC,CAAC,KAAK,CAAC;QACtB,IAAI,CAAC,CAAC,KAAK,GAAG,gBAAgB,EAAE,CAAC;YAC/B,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC;YAC3B,eAAe,GAAG,CAAC,CAAC,IAAI,CAAC;QAC3B,CAAC;QACD,IAAI,CAAC,CAAC,KAAK,GAAG,GAAG;YAAE,iBAAiB,EAAE,CAAC;IACzC,CAAC;IACD,MAAM,WAAW,GAAG,UAAU,CAAC,MAAM,CAAC;IACtC,6DAA6D;IAC7D,6DAA6D;IAC7D,iEAAiE;IACjE,4DAA4D;IAC5D,wDAAwD;IACxD,MAAM,YAAY,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IAElG,6EAA6E;IAC7E,kEAAkE;IAClE,qDAAqD;IACrD,EAAE;IACF,sEAAsE;IACtE,qEAAqE;IACrE,kEAAkE;IAClE,0DAA0D;IAC1D,MAAM,eAAe,GAAG,IAAA,wCAAqB,EAAC,GAAG,CAAC,CAAC,KAAK,CAAC;IAEzD,iCAAiC;IACjC,MAAM,OAAO,GAAG,IAAA,mCAAe,EAAC,GAAG,EAAE;QACnC,UAAU,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC;QAC1C,YAAY,EAAE,IAAI;KACnB,CAAC,CAAC;IACH,kBAAkB;IAClB,MAAM,YAAY,GAAG,IAAA,oCAAgB,EAAC,GAAG,EAAE,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,UAAU;IAExG,6EAA6E;IAC7E,oDAAoD;IACpD,MAAM,YAAY,GAAG,IAAA,mBAAU,EAAC,QAAQ,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;IACpE,MAAM,WAAW,GACf,QAAQ,CAAC,IAAA,YAAG,EAAC,gDAAgD,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC;IACjF,kEAAkE;IAClE,oEAAoE;IACpE,uEAAuE;IACvE,MAAM,kBAAkB,GAAG,IAAA,iCAAqB,GAAE,CAAC;IACnD,MAAM,eAAe,GACnB,kBAAkB,CAAC,MAAM,GAAG,CAAC;QAC3B,CAAC,CAAC,IAAA,oCAAgB,EAAC,GAAG,EAAE,UAAU,EAAE,kBAAkB,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,KAAK;QAChF,CAAC,CAAC,CAAC,CAAC;IACR,MAAM,YAAY,GAAG,IAAA,mBAAU,EAC7B,QAAQ,EACR,cAAc,EACd,cAAc,EACd,cAAc,EACd,cAAc,CACf,CAAC;IACF,MAAM,qBAAqB,GAAG,IAAA,mBAAU,EAAC,QAAQ,EAAE,iBAAiB,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/F,MAAM,kBAAkB,GAAG,IAAA,mBAAU,EAAC,QAAQ,EAAE,iBAAiB,CAAC,CAAC;IACnE,MA
AM,eAAe,GAAG,IAAA,mBAAU,EAAC,QAAQ,EAAE,cAAc,EAAE,YAAY,CAAC,CAAC;IAE3E,6EAA6E;IAC7E,wEAAwE;IACxE,sEAAsE;IACtE,sDAAsD;IACtD,MAAM,SAAS,GAAG,IAAA,mCAAe,EAAC,GAAG,EAAE;QACrC,UAAU,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC;QACjD,YAAY,EAAE,IAAI;KACnB,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,IAAA,oCAAgB,EAAC,GAAG,EAAE,SAAS,EAAE,CAAC,YAAY,CAAC,EAAE;QACjE,YAAY,EAAE,IAAI;KACnB,CAAC,CAAC,KAAK,CAAC;IAET,MAAM,eAAe,GAAG,IAAA,mBAAU,EAChC,iDAAiD,OAAO,cAAc,EACtE,GAAG,CACJ,CAAC;IACF,MAAM,aAAa,GAAG,IAAA,mBAAU,EAAC,sCAAsC,EAAE,GAAG,CAAC,CAAC;IAC9E,qEAAqE;IACrE,8DAA8D;IAC9D,iEAAiE;IACjE,oCAAoC;IACpC,MAAM,iBAAiB,GAAG,IAAA,gCAAoB,GAAE,CAAC;IACjD,MAAM,gBAAgB,GACpB,iBAAiB,CAAC,MAAM,GAAG,CAAC;QAC1B,CAAC,CAAC,IAAA,oCAAgB,EAAC,GAAG,EAAE,UAAU,EAAE,iBAAiB,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK;QACpF,CAAC,CAAC,CAAC,CAAC;IAER,8EAA8E;IAC9E,iEAAiE;IACjE,sEAAsE;IACtE,oEAAoE;IACpE,sEAAsE;IACtE,qEAAqE;IACrE,oEAAoE;IACpE,oEAAoE;IACpE,qEAAqE;IACrE,oEAAoE;IACpE,sBAAsB;IACtB,MAAM,KAAK,GAAG,aAAa,IAAK,EAAiC,CAAC;IAClE,MAAM,YAAY,GAAG,IAAA,oCAAwB,EAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IACjF,MAAM,UAAU,GAAG,IAAA,yBAAa,EAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IACpE,MAAM,UAAU,GAAG,IAAA,yBAAa,EAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;IACpE,MAAM,UAAU,GAAG,CAAC,CAAS,EAAE,OAAiB,EAAW,EAAE;QAC3D,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QACvC,MAAM,KAAK,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;QAC9B,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,IAAI,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC;gBAAE,OAAO,IAAI,CAAC;QACrC,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC,CAAC;IACF,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,IAAI,iBAAiB,GAAG,CAAC,CAAC;IAC1B,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,oEAAoE;QACpE,kEAAkE;QAClE,qEAAqE;QACrE,MAAM,QAAQ,GAAG,GAAG,GAAG,GAAG,CAAC;QAC3B,IAAI,UAAU,CAAC,QAAQ,EAAE,YAAY,CAAC;YAAE,WAAW,EAAE,CAAC;QACtD,IAAI,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;YAAE,iBAAiB,EAAE,CAAC;QAC1D,IAAI,
UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;YAAE,MAAM,EAAE,CAAC;IACjD,CAAC;IACD,MAAM,WAAW,GAAG,IAAA,mBAAU,EAAC,kBAAkB,OAAO,cAAc,EAAE,GAAG,CAAC,CAAC;IAE7E,6EAA6E;IAC7E,MAAM,aAAa,GAAG,IAAA,mBAAU,EAC9B,oIAAoI,EACpI,QAAQ,CACT,CAAC;IACF,MAAM,iBAAiB,GAAG,IAAA,mBAAU,EAClC,kGAAkG,EAClG,QAAQ,CACT,CAAC;IACF,MAAM,oBAAoB,GAAG,IAAA,mBAAU,EACrC,wEAAwE,EACxE,QAAQ,CACT,CAAC;IACF,MAAM,cAAc,GAAG,IAAA,mBAAU,EAAC,QAAQ,EAAE,UAAU,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;IACpF,MAAM,gBAAgB,GAAG,IAAA,mBAAU,EAAC,QAAQ,EAAE,cAAc,EAAE,aAAa,EAAE,eAAe,CAAC,CAAC;IAC9F,MAAM,oBAAoB,GAAG,IAAA,mBAAU,EACrC,QAAQ,EACR,QAAQ,EACR,aAAa,EACb,OAAO,EACP,YAAY,EACZ,gBAAgB,EAChB,gBAAgB,EAChB,kBAAkB,EAClB,kBAAkB,EAClB,aAAa,EACb,WAAW,EACX,YAAY,CACb,CAAC;IAEF,OAAO;QACL,WAAW;QACX,SAAS,EAAE,QAAQ,CAAC,MAAM;QAC1B,UAAU;QACV,oBAAoB;QACpB,iBAAiB;QACjB,gBAAgB;QAChB,eAAe;QACf,YAAY;QACZ,eAAe;QACf,YAAY;QACZ,YAAY;QACZ,WAAW;QACX,eAAe;QACf,YAAY;QACZ,qBAAqB;QACrB,kBAAkB;QAClB,eAAe;QACf,SAAS;QACT,eAAe;QACf,aAAa;QACb,gBAAgB;QAChB,WAAW;QACX,MAAM;QACN,iBAAiB;QACjB,WAAW;QACX,aAAa;QACb,iBAAiB;QACjB,oBAAoB;QACpB,cAAc;QACd,gBAAgB;QAChB,SAAS,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,CAAC;QACxC,gBAAgB,EAAE,EAAE;KACrB,CAAC;AACJ,CAAC"}
|
|
@@ -1,16 +1,39 @@
|
|
|
1
1
|
import type { CapabilityProvider } from '../../languages/capabilities/provider';
|
|
2
2
|
import type { SecretsResult } from '../../languages/capabilities/types';
|
|
3
|
+
/**
|
|
4
|
+
* Per-finding raw value carried alongside the public envelope. Stays
|
|
5
|
+
* out of `SecretsResult` (and therefore out of `SecurityAggregate`,
|
|
6
|
+
* `SecurityReport`, the dashboard, JSON outputs) so the secret value
|
|
7
|
+
* never leaks through the normal reporting surfaces. The only legit
|
|
8
|
+
* consumer is the baseline-side secret-HMAC producer, which immediately
|
|
9
|
+
* HMACs the value and discards it.
|
|
10
|
+
*
|
|
11
|
+
* Lives in this outcome rather than fetched separately so the memoized
|
|
12
|
+
* gitleaks invocation (`gatherGitleaksResult` runs at most once per
|
|
13
|
+
* cwd) covers both the public envelope path and the HMAC path.
|
|
14
|
+
*/
|
|
15
|
+
export interface GitleaksRawSecret {
|
|
16
|
+
readonly file: string;
|
|
17
|
+
readonly line: number;
|
|
18
|
+
readonly rule: string;
|
|
19
|
+
/** The matched secret value as reported by gitleaks. Process-only;
|
|
20
|
+
* callers MUST NOT write this to disk, log it, or include it in
|
|
21
|
+
* any output payload. */
|
|
22
|
+
readonly secret: string;
|
|
23
|
+
}
|
|
3
24
|
/**
|
|
4
25
|
* Outcome union used by `gatherGitleaksResult`. The capability provider
|
|
5
26
|
* collapses this to `SecretsResult | null`; the Layer 2 reshape in
|
|
6
27
|
* `tools/parallel.ts` reads `unavailable.reason` so the
|
|
7
28
|
* `toolsUnavailable` strings carry install-missing vs parse-failure
|
|
8
|
-
* detail.
|
|
29
|
+
* detail. The `rawSecrets` field is read only by the baseline-side
|
|
30
|
+
* secret-HMAC producer; other consumers ignore it.
|
|
9
31
|
*/
|
|
10
32
|
export type SecretsGatherOutcome = {
|
|
11
33
|
kind: 'success';
|
|
12
34
|
envelope: SecretsResult;
|
|
13
35
|
suppressedCount: number;
|
|
36
|
+
rawSecrets: ReadonlyArray<GitleaksRawSecret>;
|
|
14
37
|
} | {
|
|
15
38
|
kind: 'unavailable';
|
|
16
39
|
reason: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"gitleaks.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/gitleaks.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,uCAAuC,CAAC;AAChF,OAAO,KAAK,EAAiB,aAAa,EAAE,MAAM,oCAAoC,CAAC;AAUvF
|
|
1
|
+
{"version":3,"file":"gitleaks.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/gitleaks.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,uCAAuC,CAAC;AAChF,OAAO,KAAK,EAAiB,aAAa,EAAE,MAAM,oCAAoC,CAAC;AAUvF;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;8BAE0B;IAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,oBAAoB,GAC5B;IACE,IAAI,EAAE,SAAS,CAAC;IAChB,QAAQ,EAAE,aAAa,CAAC;IACxB,eAAe,EAAE,MAAM,CAAC;IACxB,UAAU,EAAE,aAAa,CAAC,iBAAiB,CAAC,CAAC;CAC9C,GACD;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAgB5C;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,oBAAoB,CAMtE;AA0FD;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,EAAE,kBAAkB,CAAC,aAAa,CAM9D,CAAC"}
|
|
@@ -117,28 +117,37 @@ function computeGitleaksOutcome(cwd) {
|
|
|
117
117
|
findings: [],
|
|
118
118
|
suppressedCount: 0,
|
|
119
119
|
};
|
|
120
|
-
return { kind: 'success', envelope, suppressedCount: 0 };
|
|
120
|
+
return { kind: 'success', envelope, suppressedCount: 0, rawSecrets: [] };
|
|
121
121
|
}
|
|
122
|
-
const
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
122
|
+
const combined = parsed.map((f) => ({
|
|
123
|
+
finding: {
|
|
124
|
+
file: (0, paths_1.toProjectRelative)(cwd, f.File),
|
|
125
|
+
line: f.StartLine,
|
|
126
|
+
rule: f.RuleID,
|
|
127
|
+
severity: f.RuleID.includes('private-key') ? 'critical' : 'high',
|
|
128
|
+
title: f.Description,
|
|
129
|
+
},
|
|
130
|
+
secret: f.Secret,
|
|
128
131
|
}));
|
|
129
132
|
// Gitleaks --no-git scans everything on disk (ignores .gitignore), so
|
|
130
133
|
// we re-apply the resolved exclusion set via isExcludedPath().
|
|
131
|
-
const
|
|
134
|
+
const filteredCombined = combined.filter((c) => !(0, exclusions_1.isExcludedPath)(cwd, c.finding.file));
|
|
132
135
|
// Apply `.dxkit-suppressions.json` so known-false positives don't count.
|
|
133
136
|
const suppressions = (0, suppressions_1.loadSuppressions)(cwd);
|
|
134
|
-
const { kept, suppressed } = (0, suppressions_1.applySuppressions)(
|
|
137
|
+
const { kept, suppressed } = (0, suppressions_1.applySuppressions)(filteredCombined, suppressions.gitleaks, (c) => c.finding.rule, (c) => c.finding.file);
|
|
135
138
|
const envelope = {
|
|
136
139
|
schemaVersion: 1,
|
|
137
140
|
tool: 'gitleaks',
|
|
138
|
-
findings: kept,
|
|
141
|
+
findings: kept.map((c) => c.finding),
|
|
139
142
|
suppressedCount: suppressed.length,
|
|
140
143
|
};
|
|
141
|
-
|
|
144
|
+
const rawSecrets = kept.map((c) => ({
|
|
145
|
+
file: c.finding.file,
|
|
146
|
+
line: c.finding.line,
|
|
147
|
+
rule: c.finding.rule,
|
|
148
|
+
secret: c.secret,
|
|
149
|
+
}));
|
|
150
|
+
return { kind: 'success', envelope, suppressedCount: suppressed.length, rawSecrets };
|
|
142
151
|
}
|
|
143
152
|
/**
|
|
144
153
|
* Capability-shaped provider. Register in
|
|
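Review bot: `rawSecrets` is returned as an ordinary enumerable property of the success outcome at the end of the hunk, so any `JSON.stringify`, structured-log call or object spread applied to the outcome (which the `GitleaksRawSecret` docblock in gitleaks.d.ts says is also memoized per cwd) carries the plaintext secret values with it; the `MUST NOT` on the `secret` field is enforced by convention only. Attaching the field non-enumerably narrows that surface to callers that name it explicitly: `const outcome = { kind: 'success', envelope, suppressedCount: suppressed.length }; Object.defineProperty(outcome, 'rawSecrets', { value: rawSecrets, enumerable: false }); return outcome;` — the empty-result branch above the `combined` map, which now also returns `rawSecrets: []`, would need the same treatment. Separately, `secret: f.Secret` in the `combined` map trusts the gitleaks JSON to always carry a `Secret` string; if the invocation (outside this hunk) redacts values or an older gitleaks omits the field, the downstream HMAC producer receives `undefined`, so `secret: f.Secret ?? ''` or dropping such entries is worth considering. `computeGitleaksOutcome` starts and ends outside this hunk.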
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"gitleaks.js","sourceRoot":"","sources":["../../../src/analyzers/tools/gitleaks.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"gitleaks.js","sourceRoot":"","sources":["../../../src/analyzers/tools/gitleaks.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsFA,oDAMC;AA5FD;;;;;;;;;GASG;AACH,uCAAyB;AACzB,qCAA+B;AAC/B,mDAAsD;AACtD,6CAA8C;AAC9C,mCAA4C;AAC5C,iDAAqE;AAmDrE;;;;;;;;;;;GAWG;AACH,MAAM,oBAAoB,GAAG,IAAI,GAAG,EAAgC,CAAC;AAErE;;;;;GAKG;AACH,SAAgB,oBAAoB,CAAC,GAAW;IAC9C,MAAM,MAAM,GAAG,oBAAoB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7C,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAC1B,MAAM,OAAO,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;IAC5C,oBAAoB,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IACvC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,SAAS,sBAAsB,CAAC,GAAW;IACzC,MAAM,WAAW,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,CAAC,WAAW;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;IAE1E,yEAAyE;IACzE,MAAM,UAAU,GAAG,uBAAuB,IAAI,CAAC,GAAG,EAAE,OAAO,CAAC;IAC5D,IAAA,YAAG,EACD,GAAG,WAAW,qBAAqB,GAAG,yCAAyC,UAAU,sCAAsC,EAC/H,GAAG,EACH,MAAM,CACP,CAAC;IACF,6DAA6D;IAC7D,6DAA6D;IAC7D,kEAAkE;IAClE,kEAAkE;IAClE,0DAA0D;IAC1D,6DAA6D;IAC7D,YAAY;IACZ,IAAI,SAAiB,CAAC;IACtB,IAAI,CAAC;QACH,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACnD,CAAC;IAAC,MAAM,CAAC;QACP,SAAS,GAAG,EAAE,CAAC;IACjB,CAAC;IACD,IAAA,YAAG,EAAC,UAAU,UAAU,GAAG,EAAE,GAAG,CAAC,CAAC;IAElC,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAEpE,IAAI,MAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAsB,CAAC;IACtD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;IACxD,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,wEAAwE;QACxE,MAAM,QAAQ,GAAkB;YAC9B,aAAa,EAAE,CAAC;YAChB,IAAI,EAAE,UAAU;YAChB,QAAQ,EAAE,EAAE;YACZ,eAAe,EAAE,CAAC;SACnB,CAAC;QACF,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,eAAe,EAAE,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;IAC3E,CAAC;IAMD,MAAM,QAAQ,GAAe,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC9C,OAAO,EAAE;YACP,IAAI,EAAE,IAAA,yBAAiB,EAAC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC;YACpC,IAAI,EAAE,CAAC,CAAC,SAAS;YACjB,IAAI,EAAE,CAAC,CAAC,MAAM;YACd,QAAQ,E
AAE,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM;YAChE,KAAK,EAAE,CAAC,CAAC,WAAW;SACrB;QACD,MAAM,EAAE,CAAC,CAAC,MAAM;KACjB,CAAC,CAAC,CAAC;IAEJ,sEAAsE;IACtE,+DAA+D;IAC/D,MAAM,gBAAgB,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAA,2BAAc,EAAC,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IAEtF,yEAAyE;IACzE,MAAM,YAAY,GAAG,IAAA,+BAAgB,EAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,IAAA,gCAAiB,EAC5C,gBAAgB,EAChB,YAAY,CAAC,QAAQ,EACrB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,EACrB,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CACtB,CAAC;IAEF,MAAM,QAAQ,GAAkB;QAC9B,aAAa,EAAE,CAAC;QAChB,IAAI,EAAE,UAAU;QAChB,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;QACpC,eAAe,EAAE,UAAU,CAAC,MAAM;KACnC,CAAC;IACF,MAAM,UAAU,GAAwB,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACvD,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI;QACpB,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI;QACpB,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI;QACpB,MAAM,EAAE,CAAC,CAAC,MAAM;KACjB,CAAC,CAAC,CAAC;IACJ,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,eAAe,EAAE,UAAU,CAAC,MAAM,EAAE,UAAU,EAAE,CAAC;AACvF,CAAC;AAED;;;;GAIG;AACU,QAAA,gBAAgB,GAAsC;IACjE,MAAM,EAAE,UAAU;IAClB,KAAK,CAAC,MAAM,CAAC,GAAG;QACd,MAAM,OAAO,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAC1C,OAAO,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC;IAC9D,CAAC;CACF,CAAC;AAEF,SAAS,YAAY,CAAC,GAAW;IAC/B,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,yBAAS,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IACjD,OAAO,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;AAC/C,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"graphify.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/graphify.ts"],"names":[],"mappings":"AAwBA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,uCAAuC,CAAC;AAChF,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,oCAAoC,CAAC;AAE3E,UAAU,cAAc;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,oBAAoB,EAAE,MAAM,CAAC;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,eAAe,EAAE,MAAM,CAAC;IACxB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,kBAAkB,EAAE,MAAM,CAAC;CAC5B;
|
|
1
|
+
{"version":3,"file":"graphify.d.ts","sourceRoot":"","sources":["../../../src/analyzers/tools/graphify.ts"],"names":[],"mappings":"AAwBA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,uCAAuC,CAAC;AAChF,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,oCAAoC,CAAC;AAE3E,UAAU,cAAc;IACtB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,oBAAoB,EAAE,MAAM,CAAC;IAC7B,YAAY,EAAE,MAAM,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,eAAe,EAAE,MAAM,CAAC;IACxB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAoLD;;;;;;;GAOG;AACH,MAAM,MAAM,uBAAuB,GAC/B;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,QAAQ,EAAE,gBAAgB,CAAA;CAAE,GAC/C;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAa5C;;;;;;GAMG;AACH,wBAAsB,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAMxF;AA6ED;;;;;;;;;;GAUG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,cAAc,EAAE,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAiBzF;AAED;;;;GAIG;AAOH,eAAO,MAAM,gBAAgB,EAAE,kBAAkB,CAAC,gBAAgB,CAAC,GAAG;IACpE,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,CAAC,CAAC;CAU9D,CAAC"}
|