@vyuhlabs/dxkit 2.9.4 → 2.11.0

Files changed (177) hide show
  1. package/CHANGELOG.md +236 -0
  2. package/dist/allowlist/annotate.d.ts +71 -0
  3. package/dist/allowlist/annotate.d.ts.map +1 -0
  4. package/dist/allowlist/annotate.js +105 -0
  5. package/dist/allowlist/annotate.js.map +1 -0
  6. package/dist/allowlist/cli.d.ts +29 -23
  7. package/dist/allowlist/cli.d.ts.map +1 -1
  8. package/dist/allowlist/cli.js +141 -70
  9. package/dist/allowlist/cli.js.map +1 -1
  10. package/dist/allowlist/file.d.ts +7 -1
  11. package/dist/allowlist/file.d.ts.map +1 -1
  12. package/dist/allowlist/file.js +7 -1
  13. package/dist/allowlist/file.js.map +1 -1
  14. package/dist/analysis-result.d.ts +10 -0
  15. package/dist/analysis-result.d.ts.map +1 -1
  16. package/dist/analyzers/cache.d.ts +1 -0
  17. package/dist/analyzers/cache.d.ts.map +1 -1
  18. package/dist/analyzers/cache.js +69 -0
  19. package/dist/analyzers/cache.js.map +1 -1
  20. package/dist/analyzers/dashboard/index.d.ts.map +1 -1
  21. package/dist/analyzers/dashboard/index.js +6 -1
  22. package/dist/analyzers/dashboard/index.js.map +1 -1
  23. package/dist/analyzers/health.d.ts.map +1 -1
  24. package/dist/analyzers/health.js +17 -2
  25. package/dist/analyzers/health.js.map +1 -1
  26. package/dist/analyzers/security/actions.d.ts.map +1 -1
  27. package/dist/analyzers/security/actions.js +13 -0
  28. package/dist/analyzers/security/actions.js.map +1 -1
  29. package/dist/analyzers/security/aggregator.d.ts +97 -79
  30. package/dist/analyzers/security/aggregator.d.ts.map +1 -1
  31. package/dist/analyzers/security/aggregator.js +168 -56
  32. package/dist/analyzers/security/aggregator.js.map +1 -1
  33. package/dist/analyzers/security/gather.d.ts +2 -0
  34. package/dist/analyzers/security/gather.d.ts.map +1 -1
  35. package/dist/analyzers/security/gather.js +36 -4
  36. package/dist/analyzers/security/gather.js.map +1 -1
  37. package/dist/analyzers/security/index.d.ts.map +1 -1
  38. package/dist/analyzers/security/index.js +81 -2
  39. package/dist/analyzers/security/index.js.map +1 -1
  40. package/dist/analyzers/security/scanner-drift.d.ts +21 -0
  41. package/dist/analyzers/security/scanner-drift.d.ts.map +1 -0
  42. package/dist/analyzers/security/scanner-drift.js +113 -0
  43. package/dist/analyzers/security/scanner-drift.js.map +1 -0
  44. package/dist/analyzers/security/shallow.d.ts.map +1 -1
  45. package/dist/analyzers/security/shallow.js +24 -2
  46. package/dist/analyzers/security/shallow.js.map +1 -1
  47. package/dist/analyzers/security/types.d.ts +64 -4
  48. package/dist/analyzers/security/types.d.ts.map +1 -1
  49. package/dist/analyzers/tools/fingerprint.d.ts +133 -20
  50. package/dist/analyzers/tools/fingerprint.d.ts.map +1 -1
  51. package/dist/analyzers/tools/fingerprint.js +194 -20
  52. package/dist/analyzers/tools/fingerprint.js.map +1 -1
  53. package/dist/analyzers/tools/gitleaks.d.ts +2 -2
  54. package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
  55. package/dist/analyzers/tools/gitleaks.js +7 -1
  56. package/dist/analyzers/tools/gitleaks.js.map +1 -1
  57. package/dist/analyzers/tools/graphify.d.ts +11 -0
  58. package/dist/analyzers/tools/graphify.d.ts.map +1 -1
  59. package/dist/analyzers/tools/graphify.js +457 -413
  60. package/dist/analyzers/tools/graphify.js.map +1 -1
  61. package/dist/analyzers/tools/grep-secrets.d.ts.map +1 -1
  62. package/dist/analyzers/tools/grep-secrets.js +31 -12
  63. package/dist/analyzers/tools/grep-secrets.js.map +1 -1
  64. package/dist/analyzers/tools/osv-scanner-fix.d.ts.map +1 -1
  65. package/dist/analyzers/tools/osv-scanner-fix.js +12 -1
  66. package/dist/analyzers/tools/osv-scanner-fix.js.map +1 -1
  67. package/dist/analyzers/tools/salt.d.ts +68 -0
  68. package/dist/analyzers/tools/salt.d.ts.map +1 -0
  69. package/dist/{baseline → analyzers/tools}/salt.js +59 -18
  70. package/dist/analyzers/tools/salt.js.map +1 -0
  71. package/dist/analyzers/tools/semgrep.d.ts +7 -7
  72. package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
  73. package/dist/analyzers/tools/semgrep.js +14 -7
  74. package/dist/analyzers/tools/semgrep.js.map +1 -1
  75. package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
  76. package/dist/analyzers/tools/tool-registry.js +78 -43
  77. package/dist/analyzers/tools/tool-registry.js.map +1 -1
  78. package/dist/analyzers/tools/walk-source-files.d.ts +10 -0
  79. package/dist/analyzers/tools/walk-source-files.d.ts.map +1 -1
  80. package/dist/analyzers/tools/walk-source-files.js +14 -0
  81. package/dist/analyzers/tools/walk-source-files.js.map +1 -1
  82. package/dist/analyzers/types.d.ts +9 -0
  83. package/dist/analyzers/types.d.ts.map +1 -1
  84. package/dist/baseline/baseline-file.d.ts +9 -2
  85. package/dist/baseline/baseline-file.d.ts.map +1 -1
  86. package/dist/baseline/baseline-file.js.map +1 -1
  87. package/dist/baseline/check-renderers.d.ts.map +1 -1
  88. package/dist/baseline/check-renderers.js +14 -0
  89. package/dist/baseline/check-renderers.js.map +1 -1
  90. package/dist/baseline/check.d.ts +33 -0
  91. package/dist/baseline/check.d.ts.map +1 -1
  92. package/dist/baseline/check.js +78 -2
  93. package/dist/baseline/check.js.map +1 -1
  94. package/dist/baseline/create.d.ts +1 -1
  95. package/dist/baseline/create.d.ts.map +1 -1
  96. package/dist/baseline/create.js +3 -1
  97. package/dist/baseline/create.js.map +1 -1
  98. package/dist/baseline/entry-to-located.d.ts +12 -5
  99. package/dist/baseline/entry-to-located.d.ts.map +1 -1
  100. package/dist/baseline/entry-to-located.js +21 -7
  101. package/dist/baseline/entry-to-located.js.map +1 -1
  102. package/dist/baseline/finding-identity.d.ts +20 -13
  103. package/dist/baseline/finding-identity.d.ts.map +1 -1
  104. package/dist/baseline/finding-identity.js +51 -20
  105. package/dist/baseline/finding-identity.js.map +1 -1
  106. package/dist/baseline/git-aware-match.d.ts +7 -5
  107. package/dist/baseline/git-aware-match.d.ts.map +1 -1
  108. package/dist/baseline/git-aware-match.js +78 -5
  109. package/dist/baseline/git-aware-match.js.map +1 -1
  110. package/dist/baseline/migrate.d.ts +94 -0
  111. package/dist/baseline/migrate.d.ts.map +1 -0
  112. package/dist/baseline/migrate.js +238 -0
  113. package/dist/baseline/migrate.js.map +1 -0
  114. package/dist/baseline/producers/security.d.ts +9 -9
  115. package/dist/baseline/producers/security.d.ts.map +1 -1
  116. package/dist/baseline/producers/security.js +16 -4
  117. package/dist/baseline/producers/security.js.map +1 -1
  118. package/dist/baseline/types.d.ts +145 -95
  119. package/dist/baseline/types.d.ts.map +1 -1
  120. package/dist/baseline/types.js +30 -26
  121. package/dist/baseline/types.js.map +1 -1
  122. package/dist/explore/context-hook.d.ts +49 -29
  123. package/dist/explore/context-hook.d.ts.map +1 -1
  124. package/dist/explore/context-hook.js +304 -29
  125. package/dist/explore/context-hook.js.map +1 -1
  126. package/dist/explore/finding-context.d.ts +17 -0
  127. package/dist/explore/finding-context.d.ts.map +1 -1
  128. package/dist/explore/finding-context.js +34 -0
  129. package/dist/explore/finding-context.js.map +1 -1
  130. package/dist/explore/queries.d.ts +32 -15
  131. package/dist/explore/queries.d.ts.map +1 -1
  132. package/dist/explore/queries.js +36 -6
  133. package/dist/explore/queries.js.map +1 -1
  134. package/dist/generator.d.ts.map +1 -1
  135. package/dist/generator.js +13 -7
  136. package/dist/generator.js.map +1 -1
  137. package/dist/ingest/normalize.d.ts +1 -1
  138. package/dist/ingest/normalize.d.ts.map +1 -1
  139. package/dist/ingest/normalize.js +5 -1
  140. package/dist/ingest/normalize.js.map +1 -1
  141. package/dist/ingest/sarif.d.ts.map +1 -1
  142. package/dist/ingest/sarif.js +16 -7
  143. package/dist/ingest/sarif.js.map +1 -1
  144. package/dist/ingest/snyk-policy.d.ts +22 -1
  145. package/dist/ingest/snyk-policy.d.ts.map +1 -1
  146. package/dist/ingest/snyk-policy.js +75 -18
  147. package/dist/ingest/snyk-policy.js.map +1 -1
  148. package/dist/ingest/types.d.ts +23 -12
  149. package/dist/ingest/types.d.ts.map +1 -1
  150. package/dist/languages/capabilities/types.d.ts +64 -53
  151. package/dist/languages/capabilities/types.d.ts.map +1 -1
  152. package/dist/languages/capabilities/types.js +4 -4
  153. package/dist/languages/index.d.ts +28 -5
  154. package/dist/languages/index.d.ts.map +1 -1
  155. package/dist/languages/index.js +38 -7
  156. package/dist/languages/index.js.map +1 -1
  157. package/dist/languages/typescript.d.ts.map +1 -1
  158. package/dist/languages/typescript.js +19 -0
  159. package/dist/languages/typescript.js.map +1 -1
  160. package/dist/scoring/dimensions/security.d.ts +17 -0
  161. package/dist/scoring/dimensions/security.d.ts.map +1 -1
  162. package/dist/scoring/dimensions/security.js +12 -0
  163. package/dist/scoring/dimensions/security.js.map +1 -1
  164. package/dist/update.d.ts.map +1 -1
  165. package/dist/update.js +49 -0
  166. package/dist/update.js.map +1 -1
  167. package/dist/upgrade.d.ts.map +1 -1
  168. package/dist/upgrade.js +2 -1
  169. package/dist/upgrade.js.map +1 -1
  170. package/package.json +6 -3
  171. package/templates/.claude/skills/dxkit-action/SKILL.md +11 -2
  172. package/templates/.claude/skills/dxkit-allowlist/SKILL.md +9 -0
  173. package/templates/.claude/skills/dxkit-onboard/SKILL.md +2 -2
  174. package/templates/.claude/skills/dxkit-update/SKILL.md +45 -4
  175. package/dist/baseline/salt.d.ts +0 -45
  176. package/dist/baseline/salt.d.ts.map +0 -1
  177. package/dist/baseline/salt.js.map +0 -1
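--- a/package/dist/baseline/migrate.js
+++ b/package/dist/baseline/migrate.js
@@ -0,0 +1,238 @@
+ "use strict";
+ /**
+ * Identity-scheme migrator — carries a repo's baseline + allowlist across
+ * a finding-identity scheme change so an upgrade is a single command
+ * instead of a manual re-baseline + re-allowlist.
+ *
+ * The mechanism rests on two properties:
+ *
+ * 1. `identityFor` can compute ANY shipped scheme (see
+ * `finding-identity.ts`), so for each current finding we can derive
+ * both its OLD-scheme id and its NEW-scheme id.
+ * 2. A current scan's baseline entries already carry the NEW (current)
+ * scheme id; recomputing the OLD id from each entry's metadata yields
+ * an `old → new` remap built from one scan, with no dependency on the
+ * stale artifact's stored ids.
+ *
+ * From that remap we:
+ * - rewrite the allowlist's `fingerprint`s onto the new scheme
+ * (preserving every reviewed suppression decision), and
+ * - regenerate the baseline with fresh new-scheme ids.
+ *
+ * Allowlist entries whose fingerprint matches neither the remap NOR a
+ * current finding's id are surfaced as `unmapped` (the finding they
+ * suppressed is gone — already-stale entries), never silently dropped.
+ *
+ * This is general across schemes: only the version-VARYING finding kinds
+ * change id between two schemes (everything else maps to itself and is
+ * left untouched), and `identityFor` + the retained prior-scheme id
+ * functions handle any `from → to` pair. A future scheme needs no new
+ * wiring here.
+ */
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+ if (k2 === undefined) k2 = k;
+ var desc = Object.getOwnPropertyDescriptor(m, k);
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+ desc = { enumerable: true, get: function() { return m[k]; } };
+ }
+ Object.defineProperty(o, k2, desc);
+ }) : (function(o, m, k, k2) {
+ if (k2 === undefined) k2 = k;
+ o[k2] = m[k];
+ }));
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
+ }) : function(o, v) {
+ o["default"] = v;
+ });
+ var __importStar = (this && this.__importStar) || (function () {
+ var ownKeys = function(o) {
+ ownKeys = Object.getOwnPropertyNames || function (o) {
+ var ar = [];
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+ return ar;
+ };
+ return ownKeys(o);
+ };
+ return function (mod) {
+ if (mod && mod.__esModule) return mod;
+ var result = {};
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+ __setModuleDefault(result, mod);
+ return result;
+ };
+ })();
+ Object.defineProperty(exports, "__esModule", { value: true });
+ exports.baselineEntryToIdentityInput = baselineEntryToIdentityInput;
+ exports.buildIdentityRemap = buildIdentityRemap;
+ exports.detectStaleScheme = detectStaleScheme;
+ exports.migrateIdentity = migrateIdentity;
+ const fs = __importStar(require("fs"));
+ const create_1 = require("./create");
+ const baseline_file_1 = require("./baseline-file");
+ const finding_identity_1 = require("./finding-identity");
+ const sanitize_1 = require("./sanitize");
+ const types_1 = require("./types");
+ const file_1 = require("../allowlist/file");
+ /**
+ * Reconstruct the `IdentityInput` a baseline entry was minted from, so its
+ * id can be recomputed under a different scheme. Fidelity is sufficient to
+ * reproduce any scheme's id: `contentAnchor` is intentionally omitted —
+ * only the v2 code/secret path consumes it, and an entry's stored `id`
+ * already IS its current-scheme id (we never recompute the current id, only
+ * the prior one, which no scheme derives from the anchor). Returns
+ * `undefined` for sanitized entries (identity-only, no metadata).
+ */
+ function baselineEntryToIdentityInput(entry) {
+ if ((0, sanitize_1.isSanitized)(entry))
+ return undefined;
+ const e = entry;
+ switch (e.kind) {
+ case 'secret':
+ case 'code':
+ case 'config':
+ return { kind: e.kind, tool: e.tool, rule: e.rule, file: e.file, line: e.line };
+ case 'dep-vuln':
+ return {
+ kind: 'dep-vuln',
+ package: e.package,
+ installedVersion: e.installedVersion,
+ id: e.advisoryId,
+ };
+ case 'duplication':
+ return {
+ kind: 'duplication',
+ fileA: e.fileA,
+ fileB: e.fileB,
+ lines: e.lines,
+ startLineA: e.startLineA,
+ startLineB: e.startLineB,
+ };
+ case 'coverage-gap':
+ return { kind: 'coverage-gap', file: e.file, symbol: e.symbol, lineRange: e.lineRange };
+ case 'test-gap':
+ return { kind: 'test-gap', file: e.file, risk: e.risk };
+ case 'hygiene':
+ return { kind: 'hygiene', file: e.file, line: e.line, marker: e.marker };
+ case 'test-file-degradation':
+ return { kind: 'test-file-degradation', file: e.file, status: e.status };
+ case 'god-file':
+ return { kind: 'god-file', file: e.file };
+ case 'stale-file':
+ return { kind: 'stale-file', file: e.file, suffix: e.suffix };
+ case 'large-file':
+ return { kind: 'large-file', file: e.file };
+ case 'secret-hmac':
+ return { kind: 'secret-hmac', tool: e.tool, rule: e.rule, hmac: e.hmac };
+ case 'stale-allow':
+ return { kind: 'stale-allow', file: e.file, line: e.line, category: e.category };
+ }
+ }
+ /**
+ * Build an `old → new` id remap from a current scan's entries. Each
+ * entry's own `id` is the new (current) scheme id; the old id is
+ * recomputed from its reconstructed input. Only ids that actually change
+ * between the two schemes enter the map — version-independent kinds map to
+ * themselves and are skipped. Pure.
+ */
+ function buildIdentityRemap(entries, from) {
+ const remap = new Map();
+ for (const entry of entries) {
+ const input = baselineEntryToIdentityInput(entry);
+ if (!input)
+ continue;
+ // The migrator legitimately recomputes a prior-scheme id to build the
+ // remap — it consumes identity, it doesn't mint a new finding kind.
+ const fromId = (0, finding_identity_1.identityFor)(input, from); // rule10-producer-ok
+ if (fromId !== entry.id)
+ remap.set(fromId, entry.id);
+ }
+ return remap;
+ }
+ /**
+ * Detect whether a repo's committed artifacts (baseline + allowlist) were
+ * written under an OLDER identity scheme than the current one, returning
+ * the scheme to migrate FROM (today only `'v1'`), or `null` when
+ * everything is already current / there's nothing to migrate. A
+ * lightweight probe — reads the stamped `identityScheme` (absent ⇒ `'v1'`)
+ * without re-scanning. Used by `vyuh-dxkit update` to decide whether to
+ * run the migrator after an upgrade.
+ */
+ function detectStaleScheme(cwd, baselineName = 'main') {
+ const found = new Set();
+ const blPath = (0, baseline_file_1.pathForBaseline)(cwd, baselineName);
+ if (fs.existsSync(blPath)) {
+ try {
+ const raw = JSON.parse(fs.readFileSync(blPath, 'utf8'));
+ found.add(raw.identityScheme ?? 'v1');
+ }
+ catch {
+ /* unreadable baseline — leave migration to an explicit re-baseline */
+ }
+ }
+ const allowlist = (0, file_1.loadAllowlist)(cwd);
+ if (allowlist && allowlist.entries.length > 0)
+ found.add(allowlist.identityScheme ?? 'v1');
+ if (found.has('v1') && types_1.CURRENT_IDENTITY_SCHEME !== 'v1')
+ return 'v1';
+ return null;
+ }
+ /**
+ * Migrate a repo's baseline + allowlist from `from` scheme to the current
+ * scheme: one scan, rewrite the allowlist through the remap, regenerate
+ * the baseline (only if one exists). Idempotent in spirit — running it
+ * when already current produces an empty remap and a re-stamped baseline.
+ * Returns a summary the caller renders.
+ */
+ async function migrateIdentity(opts) {
+ const { cwd } = opts;
+ const to = types_1.CURRENT_IDENTITY_SCHEME;
+ // One scan: entries carry the new-scheme ids; the remap recomputes the
+ // old id per entry.
+ const scan = await (0, create_1.gatherCurrentScan)({ cwd, verbose: opts.verbose });
+ const remap = buildIdentityRemap(scan.findings, opts.from);
+ const currentIds = new Set(scan.findings.map((f) => f.id));
+ // Rewrite the allowlist, preserving reviewed decisions.
+ const allowlist = (0, file_1.loadAllowlist)(cwd);
+ let remapped = 0;
+ let unchanged = 0;
+ const unmapped = [];
+ if (allowlist) {
+ const entries = allowlist.entries.map((entry) => {
+ const next = remap.get(entry.fingerprint);
+ if (next !== undefined) {
+ remapped++;
+ return { ...entry, fingerprint: next };
+ }
+ // Not in the remap: either it already matches a current finding
+ // (version-independent kind / already current scheme) — leave it —
+ // or it matches nothing (the suppressed finding is gone) — flag it.
+ if (currentIds.has(entry.fingerprint))
+ unchanged++;
+ else
+ unmapped.push(entry);
+ return entry;
+ });
+ (0, file_1.saveAllowlist)(cwd, { ...allowlist, identityScheme: to, entries });
+ }
+ // Regenerate the baseline with fresh new-scheme ids + stamped scheme —
+ // but only if one already exists. A repo with no committed baseline
+ // (ref-based posture) shouldn't gain one as a side effect of migrating;
+ // its allowlist still gets remapped above.
+ const baselineName = opts.baselineName ?? 'main';
+ const hasBaseline = fs.existsSync((0, baseline_file_1.pathForBaseline)(cwd, baselineName));
+ const created = hasBaseline
+ ? await (0, create_1.createBaseline)({ cwd, name: baselineName, force: true, verbose: opts.verbose })
+ : null;
+ return {
+ fromScheme: opts.from,
+ toScheme: to,
+ remapSize: remap.size,
+ allowlistTotal: allowlist?.entries.length ?? 0,
+ allowlistRemapped: remapped,
+ allowlistUnchanged: unchanged,
+ allowlistUnmapped: unmapped,
+ baselinePath: created?.path ?? null,
+ };
+ }
+ //# sourceMappingURL=migrate.js.map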
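Review bot: In `migrateIdentity` the baseline is rebuilt with `createBaseline({ cwd, name: baselineName, force: true, ... })` from whatever the working tree holds at upgrade time. Assuming createBaseline records every current finding (its body is not visible here), any secret or vulnerability introduced since the previous baseline is accepted into the new one without review, and none of the returned summary fields would reveal it. Before overwriting, the ids stored in the existing baseline file could be read and compared with the `from`-scheme id of each current finding, and the count of findings absent from the old baseline returned next to `remapSize` so that `vyuh-dxkit update` can print it or stop. Separately, `buildIdentityRemap` calls `remap.set(fromId, entry.id)` with no collision check: if two current findings reduce to the same `from`-scheme id, the last one wins and a reviewed allowlist suppression is carried to only one of them, so a `remap.has(fromId)` guard that reports the ambiguity instead of overwriting would be safer.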
@@ -0,0 +1 @@
1
+ {"version":3,"file":"migrate.js","sourceRoot":"","sources":["../../src/baseline/migrate.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+CH,oEA2CC;AASD,gDAcC;AAWD,8CAqBC;AASD,0CAyDC;AAjND,uCAAyB;AACzB,qCAA6D;AAC7D,mDAAkD;AAClD,yDAAiD;AACjD,yCAAyC;AACzC,mCAAkD;AAOlD,4CAAiE;AAwBjE;;;;;;;;GAQG;AACH,SAAgB,4BAA4B,CAAC,KAAoB;IAC/D,IAAI,IAAA,sBAAW,EAAC,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IACzC,MAAM,CAAC,GAAG,KAA0B,CAAC;IACrC,QAAQ,CAAC,CAAC,IAAI,EAAE,CAAC;QACf,KAAK,QAAQ,CAAC;QACd,KAAK,MAAM,CAAC;QACZ,KAAK,QAAQ;YACX,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAClF,KAAK,UAAU;YACb,OAAO;gBACL,IAAI,EAAE,UAAU;gBAChB,OAAO,EAAE,CAAC,CAAC,OAAO;gBAClB,gBAAgB,EAAE,CAAC,CAAC,gBAAgB;gBACpC,EAAE,EAAE,CAAC,CAAC,UAAU;aACjB,CAAC;QACJ,KAAK,aAAa;YAChB,OAAO;gBACL,IAAI,EAAE,aAAa;gBACnB,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,UAAU,EAAE,CAAC,CAAC,UAAU;gBACxB,UAAU,EAAE,CAAC,CAAC,UAAU;aACzB,CAAC;QACJ,KAAK,cAAc;YACjB,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC,SAAS,EAAE,CAAC;QAC1F,KAAK,UAAU;YACb,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC1D,KAAK,SAAS;YACZ,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;QAC3E,KAAK,uBAAuB;YAC1B,OAAO,EAAE,IAAI,EAAE,uBAAuB,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;QAC3E,KAAK,UAAU;YACb,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC5C,KAAK,YAAY;YACf,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC;QAChE,KAAK,YAAY;YACf,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC9C,KAAK,aAAa;YAChB,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE
,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3E,KAAK,aAAa;YAChB,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC;IACrF,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,kBAAkB,CAChC,OAAqC,EACrC,IAA2B;IAE3B,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;IACxC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,KAAK,GAAG,4BAA4B,CAAC,KAAK,CAAC,CAAC;QAClD,IAAI,CAAC,KAAK;YAAE,SAAS;QACrB,sEAAsE;QACtE,oEAAoE;QACpE,MAAM,MAAM,GAAG,IAAA,8BAAW,EAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,qBAAqB;QAC9D,IAAI,MAAM,KAAK,KAAK,CAAC,EAAE;YAAE,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,CAAC,CAAC;IACvD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;GAQG;AACH,SAAgB,iBAAiB,CAC/B,GAAW,EACX,YAAY,GAAG,MAAM;IAErB,MAAM,KAAK,GAAG,IAAI,GAAG,EAAyB,CAAC;IAC/C,MAAM,MAAM,GAAG,IAAA,+BAAe,EAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IAClD,IAAI,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,MAAM,EAAE,MAAM,CAAC,CAErD,CAAC;YACF,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,cAAc,IAAI,IAAI,CAAC,CAAC;QACxC,CAAC;QAAC,MAAM,CAAC;YACP,sEAAsE;QACxE,CAAC;IACH,CAAC;IACD,MAAM,SAAS,GAAG,IAAA,oBAAa,EAAC,GAAG,CAAC,CAAC;IACrC,IAAI,SAAS,IAAI,SAAS,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,cAAc,IAAI,IAAI,CAAC,CAAC;IAE3F,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,+BAAuB,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IACrE,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,eAAe,CAAC,IAKrC;IACC,MAAM,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IACrB,MAAM,EAAE,GAAG,+BAAuB,CAAC;IAEnC,uEAAuE;IACvE,oBAAoB;IACpB,MAAM,IAAI,GAAG,MAAM,IAAA,0BAAiB,EAAC,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;IACrE,MAAM,KAAK,GAAG,kBAAkB,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3D,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAE3D,wDAAwD;IACxD,MAAM,SAAS,GAAG,IAAA,oBAAa,EAAC,GAAG,CAAC,CAAC;IACrC,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,MAAM,QA
AQ,GAAqB,EAAE,CAAC;IACtC,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;YAC9C,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;YAC1C,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;gBACvB,QAAQ,EAAE,CAAC;gBACX,OAAO,EAAE,GAAG,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;YACzC,CAAC;YACD,gEAAgE;YAChE,mEAAmE;YACnE,oEAAoE;YACpE,IAAI,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,WAAW,CAAC;gBAAE,SAAS,EAAE,CAAC;;gBAC9C,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC1B,OAAO,KAAK,CAAC;QACf,CAAC,CAAC,CAAC;QACH,IAAA,oBAAa,EAAC,GAAG,EAAE,EAAE,GAAG,SAAS,EAAE,cAAc,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,uEAAuE;IACvE,oEAAoE;IACpE,wEAAwE;IACxE,2CAA2C;IAC3C,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,MAAM,CAAC;IACjD,MAAM,WAAW,GAAG,EAAE,CAAC,UAAU,CAAC,IAAA,+BAAe,EAAC,GAAG,EAAE,YAAY,CAAC,CAAC,CAAC;IACtE,MAAM,OAAO,GAAG,WAAW;QACzB,CAAC,CAAC,MAAM,IAAA,uBAAc,EAAC,EAAE,GAAG,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC;QACvF,CAAC,CAAC,IAAI,CAAC;IAET,OAAO;QACL,UAAU,EAAE,IAAI,CAAC,IAAI;QACrB,QAAQ,EAAE,EAAE;QACZ,SAAS,EAAE,KAAK,CAAC,IAAI;QACrB,cAAc,EAAE,SAAS,EAAE,OAAO,CAAC,MAAM,IAAI,CAAC;QAC9C,iBAAiB,EAAE,QAAQ;QAC3B,kBAAkB,EAAE,SAAS;QAC7B,iBAAiB,EAAE,QAAQ;QAC3B,YAAY,EAAE,OAAO,EAAE,IAAI,IAAI,IAAI;KACpC,CAAC;AACJ,CAAC"}
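--- a/package/dist/baseline/producers/security.d.ts
+++ b/package/dist/baseline/producers/security.d.ts
@@ -11,10 +11,10 @@
  * Four `BaselineEntry` kinds are derived here, matching the four
  * categories the aggregator emits:
  *
- * - `findingsByCategory.secret` → kind: 'secret'
- * - `findingsByCategory.code` → kind: 'code'
- * - `findingsByCategory.config` → kind: 'config'
- * - `findingsByCategory.dependency`→ kind: 'dep-vuln'
+ * - `findingsByCategory.secret` → kind: 'secret'
+ * - `findingsByCategory.code` → kind: 'code'
+ * - `findingsByCategory.config` → kind: 'config'
+ * - `findingsByCategory.dependency`→ kind: 'dep-vuln'
  *
  * The location-based `secret` entries are sufficient for tracking a
  * secret that stays in the same file. The companion `secret-hmac`
@@ -41,13 +41,13 @@ import type { SecurityAggregate } from '../../analyzers/security/aggregator';
  import type { RichBaselineEntry } from '../types';
  export interface SecurityProducerOptions {
  /** Repo path; used by `computeContentHashFromCommit` to invoke
- * `git show`. Omitting it disables content-hash stamping. */
+ * `git show`. Omitting it disables content-hash stamping. */
  readonly cwd?: string;
  /** Commit SHA the baseline is anchored to. When the working tree
- * has uncommitted changes, callers may pass `'HEAD'` so the hash
- * reflects committed state — content-hash matching against a
- * later run will still work as long as both sides read the same
- * SHA. */
+ * has uncommitted changes, callers may pass `'HEAD'` so the hash
+ * reflects committed state — content-hash matching against a
+ * later run will still work as long as both sides read the same
+ * SHA. */
  readonly commitSha?: string;
  }
  /**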
@@ -1 +1 @@
1
- {"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAGH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qCAAqC,CAAC;AAE7E,OAAO,KAAK,EACV,iBAAiB,EAKlB,MAAM,UAAU,CAAC;AAElB,MAAM,WAAW,uBAAuB;IACtC;kEAC8D;IAC9D,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB;;;;eAIW;IACX,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;;;GAIG;AACH,wBAAgB,kCAAkC,CAChD,SAAS,EAAE,iBAAiB,EAC5B,OAAO,GAAE,uBAA4B,GACpC,iBAAiB,EAAE,CAiGrB"}
1
+ {"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../../src/baseline/producers/security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAGH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qCAAqC,CAAC;AAE7E,OAAO,KAAK,EACV,iBAAiB,EAKlB,MAAM,UAAU,CAAC;AAElB,MAAM,WAAW,uBAAuB;IACtC;iEAC6D;IAC7D,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB;;;;cAIU;IACV,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;;;GAIG;AACH,wBAAgB,kCAAkC,CAChD,SAAS,EAAE,iBAAiB,EAC5B,OAAO,GAAE,uBAA4B,GACpC,iBAAiB,EAAE,CA6GrB"}
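--- a/package/dist/baseline/producers/security.js
+++ b/package/dist/baseline/producers/security.js
@@ -12,10 +12,10 @@
  * Four `BaselineEntry` kinds are derived here, matching the four
  * categories the aggregator emits:
  *
- * - `findingsByCategory.secret` → kind: 'secret'
- * - `findingsByCategory.code` → kind: 'code'
- * - `findingsByCategory.config` → kind: 'config'
- * - `findingsByCategory.dependency`→ kind: 'dep-vuln'
+ * - `findingsByCategory.secret` → kind: 'secret'
+ * - `findingsByCategory.code` → kind: 'code'
+ * - `findingsByCategory.config` → kind: 'config'
+ * - `findingsByCategory.dependency`→ kind: 'dep-vuln'
  *
  * The location-based `secret` entries are sufficient for tracking a
  * secret that stays in the same file. The companion `secret-hmac`
@@ -62,6 +62,10 @@ function securityAggregateToBaselineEntries(aggregate, options = {}) {
  rule: f.rule,
  file: f.file,
  line: f.line,
+ // Content-anchored identity: the aggregator stamped the final content anchor (secret HMAC)
+ // on the finding; pass it so identityFor recomputes the SAME id the
+ // finding carries. Absent → identityFor falls back to the line hash.
+ ...(f.contentAnchor !== undefined ? { contentAnchor: f.contentAnchor } : {}),
  };
  const contentHash = stamp(f.file, f.line);
  out.push({
@@ -84,6 +88,9 @@ function securityAggregateToBaselineEntries(aggregate, options = {}) {
  rule: f.rule,
  file: f.file,
  line: f.line,
+ // Content-anchored identity: the (scope, spanHash, ordinal) content anchor the aggregator
+ // built; passing it reproduces the finding's content fingerprint.
+ ...(f.contentAnchor !== undefined ? { contentAnchor: f.contentAnchor } : {}),
  };
  const contentHash = stamp(f.file, f.line);
  out.push({
@@ -106,6 +113,10 @@ function securityAggregateToBaselineEntries(aggregate, options = {}) {
  rule: f.rule,
  file: f.file,
  line: f.line,
+ // Content-anchored identity: config (.env-in-git, whole-file at line 0) stays on the
+ // line-stable path — the aggregator leaves its anchor unset — so this
+ // is normally undefined and identity is unchanged from v1.
+ ...(f.contentAnchor !== undefined ? { contentAnchor: f.contentAnchor } : {}),
  };
  // Whole-file findings (`.env in git`) carry line 0; content-hash
  // is meaningless for them and `stamp` returns undefined.
@@ -129,6 +140,7 @@ function securityAggregateToBaselineEntries(aggregate, options = {}) {
  package: f.package,
  installedVersion: f.installedVersion,
  id: f.id,
+ ...(f.aliases !== undefined ? { aliases: f.aliases } : {}),
  };
  const entry = {
  id: (0, finding_identity_1.identityFor)(input),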
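Review bot: The `aliases` spread added to the dep-vuln input in the last hunk is the only one of the four identity-input additions in this section that carries no comment, and nothing visible says whether aliases take part in the id that `identityFor(input)` computes two lines later. If they do, an advisory that gains or loses an alias upstream would presumably change the id of an already baselined or allowlisted vulnerability, and `baselineEntryToIdentityInput` in migrate.js rebuilds the dep-vuln input from `package`, `installedVersion` and `advisoryId` only, so an id recomputed there would not see them. I would add a line above the spread such as `// aliases: other advisory ids for the same vuln — TODO(review): state whether identityFor hashes them or uses them only for cross-id matching`, and keep the migrator's reconstruction in step with whichever it is. securityAggregateToBaselineEntries starts and ends outside these hunks.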
@@ -1 +1 @@
1
- {"version":3,"file":"security.js","sourceRoot":"","sources":["../../../src/baseline/producers/security.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;;AA8BH,gFAoGC;AAhID,kDAA+D;AAE/D,0DAAkD;AAqBlD;;;;GAIG;AACH,SAAgB,kCAAkC,CAChD,SAA4B,EAC5B,UAAmC,EAAE;IAErC,MAAM,GAAG,GAAwB,EAAE,CAAC;IACpC,MAAM,KAAK,GAAG,CAAC,IAAY,EAAE,IAAY,EAAsB,EAAE;QAC/D,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,IAAI,IAAI,CAAC;YAAE,OAAO,SAAS,CAAC;QACtE,MAAM,IAAI,GAAG,IAAA,2CAA4B,EAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QACtF,OAAO,IAAI,IAAI,SAAS,CAAC;IAC3B,CAAC,CAAC;IAEF,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC;QACpD,MAAM,KAAK,GAAwB;YACjC,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;SACb,CAAC;QACF,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACrD,GAAG,CAAC,CAAC,CAAC,oBAAoB,IAAI,CAAC,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC;gBAC7D,CAAC,CAAC,EAAE,oBAAoB,EAAE,CAAC,CAAC,oBAAoB,EAAE;gBAClD,CAAC,CAAC,EAAE,CAAC;SACR,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;QAClD,MAAM,KAAK,GAAsB;YAC/B,IAAI,EAAE,MAAM;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;SACb,CAAC;QACF,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,MAAM;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CA
AC;YACrD,GAAG,CAAC,CAAC,CAAC,oBAAoB,IAAI,CAAC,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC;gBAC7D,CAAC,CAAC,EAAE,oBAAoB,EAAE,CAAC,CAAC,oBAAoB,EAAE;gBAClD,CAAC,CAAC,EAAE,CAAC;SACR,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC;QACpD,MAAM,KAAK,GAAwB;YACjC,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;SACb,CAAC;QACF,iEAAiE;QACjE,yDAAyD;QACzD,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACrD,GAAG,CAAC,CAAC,CAAC,oBAAoB,IAAI,CAAC,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC;gBAC7D,CAAC,CAAC,EAAE,oBAAoB,EAAE,CAAC,CAAC,oBAAoB,EAAE;gBAClD,CAAC,CAAC,EAAE,CAAC;SACR,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,UAAU,EAAE,CAAC;QACxD,MAAM,KAAK,GAAyB;YAClC,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,gBAAgB,EAAE,CAAC,CAAC,gBAAgB;YACpC,EAAE,EAAE,CAAC,CAAC,EAAE;SACT,CAAC;QACF,MAAM,KAAK,GAAsB;YAC/B,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,UAAU,EAAE,CAAC,CAAC,EAAE;YAChB,GAAG,CAAC,CAAC,CAAC,gBAAgB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,gBAAgB,EAAE,CAAC,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtF,CAAC;QACF,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC"}
1
+ {"version":3,"file":"security.js","sourceRoot":"","sources":["../../../src/baseline/producers/security.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;;AA8BH,gFAgHC;AA5ID,kDAA+D;AAE/D,0DAAkD;AAqBlD;;;;GAIG;AACH,SAAgB,kCAAkC,CAChD,SAA4B,EAC5B,UAAmC,EAAE;IAErC,MAAM,GAAG,GAAwB,EAAE,CAAC;IACpC,MAAM,KAAK,GAAG,CAAC,IAAY,EAAE,IAAY,EAAsB,EAAE;QAC/D,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,IAAI,IAAI,CAAC;YAAE,OAAO,SAAS,CAAC;QACtE,MAAM,IAAI,GAAG,IAAA,2CAA4B,EAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QACtF,OAAO,IAAI,IAAI,SAAS,CAAC;IAC3B,CAAC,CAAC;IAEF,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC;QACpD,MAAM,KAAK,GAAwB;YACjC,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,2FAA2F;YAC3F,oEAAoE;YACpE,qEAAqE;YACrE,GAAG,CAAC,CAAC,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC7E,CAAC;QACF,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACrD,GAAG,CAAC,CAAC,CAAC,oBAAoB,IAAI,CAAC,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC;gBAC7D,CAAC,CAAC,EAAE,oBAAoB,EAAE,CAAC,CAAC,oBAAoB,EAAE;gBAClD,CAAC,CAAC,EAAE,CAAC;SACR,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC;QAClD,MAAM,KAAK,GAAsB;YAC/B,IAAI,EAAE,MAAM;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,0FAA0F;YAC1F,kEAAkE;YAClE,GAAG,CAAC,CAAC,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC7E,CAAC;QACF,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAA
C,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,MAAM;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACrD,GAAG,CAAC,CAAC,CAAC,oBAAoB,IAAI,CAAC,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC;gBAC7D,CAAC,CAAC,EAAE,oBAAoB,EAAE,CAAC,CAAC,oBAAoB,EAAE;gBAClD,CAAC,CAAC,EAAE,CAAC;SACR,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC;QACpD,MAAM,KAAK,GAAwB;YACjC,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,qFAAqF;YACrF,sEAAsE;YACtE,2DAA2D;YAC3D,GAAG,CAAC,CAAC,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC7E,CAAC;QACF,iEAAiE;QACjE,yDAAyD;QACzD,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC;YACP,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,GAAG,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACrD,GAAG,CAAC,CAAC,CAAC,oBAAoB,IAAI,CAAC,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC;gBAC7D,CAAC,CAAC,EAAE,oBAAoB,EAAE,CAAC,CAAC,oBAAoB,EAAE;gBAClD,CAAC,CAAC,EAAE,CAAC;SACR,CAAC,CAAC;IACL,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,kBAAkB,CAAC,UAAU,EAAE,CAAC;QACxD,MAAM,KAAK,GAAyB;YAClC,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,gBAAgB,EAAE,CAAC,CAAC,gBAAgB;YACpC,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,GAAG,CAAC,CAAC,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC3D,CAAC;QACF,MAAM,KAAK,GAAsB;YAC/B,EAAE,EAAE,IAAA,8BAAW,EAAC,KAAK,CAAC;YACtB,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,CAAC,CAAC,OAAO;YAClB,UAAU,EAAE,CAAC,CAAC,EAAE;YAChB,GAAG,CAAC,CAAC,CAAC,gBAAgB,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,gBAAgB,EAAE,C
AAC,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtF,CAAC;QACF,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC"}