@westbayberry/dg 1.3.2 → 2.0.0

package/dist/scan/collect.js

@@ -0,0 +1,153 @@
+import { readdirSync } from "node:fs";
+import { join, relative } from "node:path";
+import { verifyLockfile } from "../verify/preflight.js";
+export const LOCKFILE_ECOSYSTEMS = {
+    "package-lock.json": "npm",
+    "npm-shrinkwrap.json": "npm",
+    "yarn.lock": "npm",
+    "pnpm-lock.yaml": "npm",
+    "Pipfile.lock": "pypi",
+    "poetry.lock": "pypi",
+    "requirements.txt": "pypi"
+};
+export function isLockfileName(name) {
+    return Object.prototype.hasOwnProperty.call(LOCKFILE_ECOSYSTEMS, name);
+}
+const IGNORED_DIRECTORIES = new Set([
+    "node_modules",
+    ".git",
+    "dist",
+    "build",
+    "vendor",
+    "__pycache__",
+    ".venv",
+    "venv",
+    "target",
+    "coverage"
+]);
+const MAX_DISCOVERY_DEPTH = 8;
+function readDirents(directory) {
+    try {
+        return readdirSync(directory, { withFileTypes: true });
+    }
+    catch {
+        return [];
+    }
+}
+function firstLockfile(entries) {
+    for (const [lockfile, ecosystem] of Object.entries(LOCKFILE_ECOSYSTEMS)) {
+        if (entries.some((entry) => entry.name === lockfile && entry.isFile())) {
+            return [lockfile, ecosystem];
+        }
+    }
+    return null;
+}
+function shouldDescend(entry) {
+    return entry.isDirectory() && !IGNORED_DIRECTORIES.has(entry.name) && !entry.name.startsWith(".");
+}
+export function discoverScanProjects(root) {
+    const projects = [];
+    walk(root, 0);
+    return projects;
+    function walk(directory, depth) {
+        if (depth > MAX_DISCOVERY_DEPTH) {
+            return;
+        }
+        const entries = readDirents(directory);
+        const match = firstLockfile(entries);
+        if (match) {
+            projects.push({
+                path: directory,
+                relativePath: relative(root, directory) || ".",
+                ecosystem: match[1],
+                depFile: match[0],
+                packageCount: countLockfilePackages(join(directory, match[0]))
+            });
+        }
+        for (const entry of entries) {
+            if (shouldDescend(entry)) {
+                walk(join(directory, entry.name), depth + 1);
+            }
+        }
+    }
+}
+export async function discoverScanProjectsAsync(root, onProgress) {
+    const projects = [];
+    let lastYield = Date.now();
+    await walk(root, 0);
+    return projects;
+    async function walk(directory, depth) {
+        if (depth > MAX_DISCOVERY_DEPTH) {
+            return;
+        }
+        if (Date.now() - lastYield > 8) {
+            await yieldToEventLoop();
+            lastYield = Date.now();
+        }
+        const entries = readDirents(directory);
+        const match = firstLockfile(entries);
+        if (match) {
+            const relativePath = relative(root, directory) || ".";
+            projects.push({
+                path: directory,
+                relativePath,
+                ecosystem: match[1],
+                depFile: match[0],
+                packageCount: countLockfilePackages(join(directory, match[0]))
+            });
+            onProgress?.({ path: relativePath === "." ? match[0] : `${relativePath}/${match[0]}`, found: projects.length });
+        }
+        for (const entry of entries) {
+            if (shouldDescend(entry)) {
+                await walk(join(directory, entry.name), depth + 1);
+            }
+        }
+    }
+}
+function yieldToEventLoop() {
+    return new Promise((resolve) => {
+        setImmediate(resolve);
+    });
+}
+function countLockfilePackages(lockfilePath) {
+    try {
+        return verifyLockfile(lockfilePath).packages.length;
+    }
+    catch {
+        return 0;
+    }
+}
+export function collectScanPackages(projects) {
+    const byEcosystem = new Map();
+    const seen = new Set();
+    let skipped = 0;
+    for (const project of projects) {
+        let identities;
+        try {
+            identities = verifyLockfile(join(project.path, project.depFile)).packages;
+        }
+        catch {
+            skipped += 1;
+            continue;
+        }
+        for (const identity of identities) {
+            if (identity.ecosystem !== "npm" && identity.ecosystem !== "pypi") {
+                skipped += 1;
+                continue;
+            }
+            if (!identity.version) {
+                skipped += 1;
+                continue;
+            }
+            const key = `${identity.ecosystem}:${identity.name}@${identity.version}`;
+            if (seen.has(key)) {
+                continue;
+            }
+            seen.add(key);
+            const list = byEcosystem.get(identity.ecosystem) ?? [];
+            list.push({ name: identity.name, version: identity.version });
+            byEcosystem.set(identity.ecosystem, list);
+        }
+    }
+    return { byEcosystem, skipped };
+}

package/dist/scan/command.js

@@ -0,0 +1,159 @@
+import { writeFileSync } from "node:fs";
+import { resolve } from "node:path";
+import { scanProject } from "./discovery.js";
+import { renderJsonReport, renderSarifReport, renderTextReport } from "./render.js";
+import { resolvePresentation } from "../presentation/mode.js";
+import { createTheme } from "../presentation/theme.js";
+import { launchScanTui, shouldLaunchScanTui } from "../scan-ui/launch.js";
+import { tryScannerScan } from "./scanner-report.js";
+import { runStagedScan } from "./staged.js";
+import { scanExitCode } from "../scan-ui/shims.js";
+import { loadUserConfig } from "../config/settings.js";
+import { EXIT_USAGE } from "../commands/types.js";
+export function runScanCommand(context) {
+    const parsed = parseScanArgs(context.args);
+    if ("error" in parsed) {
+        return usageError(parsed.error);
+    }
+    if (parsed.staged) {
+        return runStagedScan({ hook: parsed.hook });
+    }
+    if (shouldLaunchScanTui({
+        targetPath: parsed.targetPath,
+        format: parsed.format,
+        outputPath: parsed.outputPath ?? undefined
+    })) {
+        void launchScanTui().catch((error) => {
+            process.stderr.write(`dg scan TUI failed: ${error instanceof Error ? error.message : "unknown error"}\n`);
+            process.exitCode = 1;
+        });
+        return {
+            exitCode: 0,
+            stdout: "",
+            stderr: ""
+        };
+    }
+    let report;
+    try {
+        report = scanProject({
+            targetPath: parsed.targetPath
+        });
+    }
+    catch (error) {
+        return {
+            exitCode: 1,
+            stdout: "",
+            stderr: `dg scan failed: ${error instanceof Error ? error.message : "unknown scan error"}\n`
+        };
+    }
+    const scannerReport = tryScannerScan(parsed.targetPath, report);
+    if (scannerReport) {
+        report = scannerReport;
+    }
+    const scannerUnavailable = scannerReport === null && report.summary.projectCount > 0;
+    const rendered = renderReport(report, parsed.format, scannerUnavailable);
+    if (parsed.outputPath) {
+        try {
+            writeFileSync(resolve(parsed.outputPath), rendered, "utf8");
+        }
+        catch (error) {
+            return {
+                exitCode: 1,
+                stdout: "",
+                stderr: `dg scan could not write ${parsed.outputPath}: ${error instanceof Error ? error.message : "unknown write error"}\n`
+            };
+        }
+        return {
+            exitCode: exitCodeForReport(report),
+            stdout: `Wrote ${parsed.format} scan report to ${parsed.outputPath}\n`,
+            stderr: ""
+        };
+    }
+    return {
+        exitCode: exitCodeForReport(report),
+        stdout: rendered,
+        stderr: ""
+    };
+}
+function parseScanArgs(args) {
+    let format = "text";
+    let outputPath = null;
+    let targetPath = ".";
+    let sawTarget = false;
+    let staged = false;
+    let hook = false;
+    for (let index = 0; index < args.length; index += 1) {
+        const arg = args[index];
+        if (!arg) {
+            return { error: "empty argument" };
+        }
+        if (arg === "--staged") {
+            staged = true;
+            continue;
+        }
+        if (arg === "--hook") {
+            hook = true;
+            continue;
+        }
+        if (arg === "--json") {
+            if (format !== "text") {
+                return { error: "choose only one output format" };
+            }
+            format = "json";
+            continue;
+        }
+        if (arg === "--sarif") {
+            if (format !== "text") {
+                return { error: "choose only one output format" };
+            }
+            format = "sarif";
+            continue;
+        }
+        if (arg === "--output" || arg === "-o") {
+            const next = args[index + 1];
+            if (!next) {
+                return { error: `${arg} requires a path` };
+            }
+            outputPath = next;
+            index += 1;
+            continue;
+        }
+        if (arg.startsWith("-")) {
+            return { error: `unknown option '${arg}'` };
+        }
+        if (sawTarget) {
+            return { error: "scan accepts at most one path" };
+        }
+        targetPath = arg;
+        sawTarget = true;
+    }
+    return {
+        format,
+        outputPath,
+        targetPath,
+        staged,
+        hook
+    };
+}
+function usageError(message) {
+    return {
+        exitCode: EXIT_USAGE,
+        stdout: "",
+        stderr: `dg scan: ${message}. Usage: dg scan [path] [--json|--sarif] [--output <path>]\n`
+    };
+}
+function renderReport(report, format, scannerUnavailable) {
+    if (format === "json") {
+        return renderJsonReport(report, scannerUnavailable);
+    }
+    if (format === "sarif") {
+        return renderSarifReport(report);
+    }
+    return renderTextReport(report, undefined, createTheme(resolvePresentation().color), scannerUnavailable);
+}
+function exitCodeForReport(report) {
+    if (report.scanner) {
+        return scanExitCode(report.scanner.action, loadUserConfig().policy.mode);
+    }
+    return report.status === "block" || report.status === "error" ? 1 : 0;
+}

package/dist/scan/discovery.js

@@ -0,0 +1,209 @@
+import { readdirSync, readFileSync, statSync } from "node:fs";
+import { basename, dirname, relative, resolve, sep } from "node:path";
+const IGNORED_DIRECTORIES = new Set([
+    ".git",
+    ".hg",
+    ".svn",
+    "coverage",
+    "dist",
+    "node_modules",
+    "vendor"
+]);
+const DEPENDENCY_SECTIONS = [
+    "dependencies",
+    "devDependencies",
+    "optionalDependencies",
+    "peerDependencies"
+];
+const RISKY_SCRIPT_NAMES = new Set(["preinstall", "install", "postinstall", "prepare"]);
+const MAX_DISCOVERY_DEPTH = 8;
+export function scanProject(options = {}) {
+    const cwd = resolve(options.cwd ?? process.cwd());
+    const requestedTarget = options.targetPath ?? ".";
+    const absoluteTarget = resolve(cwd, requestedTarget);
+    const targetInfo = statSync(absoluteTarget);
+    const root = targetInfo.isFile() ? dirname(absoluteTarget) : absoluteTarget;
+    const manifestPaths = targetInfo.isFile() && basename(absoluteTarget) === "package.json"
+        ? [absoluteTarget]
+        : discoverPackageManifests(root);
+    const projects = [];
+    const errors = [];
+    for (const manifestPath of manifestPaths) {
+        const result = readPackageProject(root, manifestPath);
+        if ("error" in result) {
+            errors.push(result.error);
+        }
+        else {
+            projects.push(result.project);
+        }
+    }
+    const findings = projects.flatMap((project) => [...project.findings]);
+    const warnCount = findings.filter((finding) => finding.severity === "warn").length;
+    const blockCount = findings.filter((finding) => finding.severity === "block").length;
+    const status = resolveStatus({
+        blockCount,
+        errorCount: errors.length,
+        warnCount
+    });
+    return {
+        target: displayPath(cwd, absoluteTarget),
+        status,
+        projects,
+        findings,
+        errors,
+        summary: {
+            projectCount: projects.length,
+            dependencyCount: projects.reduce((total, project) => total + project.dependencyCount, 0),
+            findingCount: findings.length,
+            warnCount,
+            blockCount,
+            errorCount: errors.length
+        }
+    };
+}
+function resolveStatus(counts) {
+    if (counts.errorCount > 0) {
+        return "error";
+    }
+    if (counts.blockCount > 0) {
+        return "block";
+    }
+    if (counts.warnCount > 0) {
+        return "warn";
+    }
+    return "pass";
+}
+function discoverPackageManifests(root) {
+    const manifests = [];
+    walk(root, 0, manifests);
+    return manifests.sort((left, right) => displayPath(root, left).localeCompare(displayPath(root, right)));
+}
+function walk(directory, depth, manifests) {
+    if (depth > MAX_DISCOVERY_DEPTH) {
+        return;
+    }
+    const entries = readdirSync(directory, {
+        withFileTypes: true
+    }).sort((left, right) => left.name.localeCompare(right.name));
+    for (const entry of entries) {
+        const absolutePath = resolve(directory, entry.name);
+        if (entry.isDirectory()) {
+            if (!IGNORED_DIRECTORIES.has(entry.name)) {
+                walk(absolutePath, depth + 1, manifests);
+            }
+            continue;
+        }
+        if (entry.isFile() && entry.name === "package.json") {
+            manifests.push(absolutePath);
+        }
+    }
+}
+function readPackageProject(root, manifestPath) {
+    const manifestDisplayPath = displayPath(root, manifestPath);
+    let manifest;
+    try {
+        manifest = JSON.parse(readFileSync(manifestPath, "utf8"));
+    }
+    catch (error) {
+        return {
+            error: {
+                location: manifestDisplayPath,
+                message: error instanceof Error ? error.message : "package.json could not be parsed"
+            }
+        };
+    }
+    if (!isRecord(manifest)) {
+        return {
+            error: {
+                location: manifestDisplayPath,
+                message: "package.json must contain an object"
+            }
+        };
+    }
+    const name = typeof manifest.name === "string" && manifest.name.length > 0
+        ? manifest.name
+        : basename(dirname(manifestPath));
+    const version = typeof manifest.version === "string" ? manifest.version : null;
+    const license = typeof manifest.license === "string" ? manifest.license : null;
+    const findings = [
+        ...scriptFindings(manifest, manifestDisplayPath, name),
+        ...dependencyFindings(manifest, manifestDisplayPath, name)
+    ];
+    return {
+        project: {
+            name,
+            version,
+            license,
+            manifestPath: manifestDisplayPath,
+            dependencyCount: dependencyCount(manifest),
+            findings
+        }
+    };
+}
+function scriptFindings(manifest, manifestPath, project) {
+    const scripts = isRecord(manifest.scripts) ? manifest.scripts : {};
+    return Object.keys(scripts)
+        .filter((scriptName) => RISKY_SCRIPT_NAMES.has(scriptName))
+        .sort()
+        .map((scriptName) => ({
+        id: "npm-lifecycle-script",
+        severity: "warn",
+        title: "Install lifecycle script present",
+        message: `script '${scriptName}' can execute during package manager installs`,
+        project,
+        location: `${manifestPath}:scripts.${scriptName}`
+    }));
+}
+function dependencyFindings(manifest, manifestPath, project) {
+    const findings = [];
+    for (const section of DEPENDENCY_SECTIONS) {
+        const dependencies = isRecord(manifest[section]) ? manifest[section] : {};
+        for (const [dependencyName, specifier] of Object.entries(dependencies).sort(([left], [right]) => left.localeCompare(right))) {
+            if (typeof specifier !== "string") {
+                continue;
+            }
+            const severity = dependencySpecifierSeverity(specifier);
+            if (!severity) {
+                continue;
+            }
+            findings.push({
+                id: severity === "block" ? "unverified-network-dependency" : "local-artifact-dependency",
+                severity,
+                title: severity === "block" ? "Unverified network dependency" : "Local artifact dependency",
+                message: `${dependencyName} uses '${specifier}', which should be verified before install`,
+                project,
+                location: `${manifestPath}:${section}.${dependencyName}`
+            });
+        }
+    }
+    return findings;
+}
+function dependencySpecifierSeverity(specifier) {
+    const normalized = specifier.trim().toLowerCase();
+    if (normalized.startsWith("http://")
+        || normalized.startsWith("https://")
+        || normalized.startsWith("git+")
+        || normalized.startsWith("git://")
+        || normalized.startsWith("ssh://")
+        || normalized.startsWith("github:")) {
+        return "block";
+    }
+    if (normalized.startsWith("file:")) {
+        return "warn";
+    }
+    return null;
+}
+function dependencyCount(manifest) {
+    return DEPENDENCY_SECTIONS.reduce((total, section) => {
+        const dependencies = isRecord(manifest[section]) ? manifest[section] : {};
+        return total + Object.keys(dependencies).length;
+    }, 0);
+}
+function isRecord(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function displayPath(root, path) {
+    const relativePath = relative(root, path);
+    const display = relativePath.length === 0 ? "." : relativePath;
+    return display.split(sep).join("/");
+}