@zhuma4/cli 4.0.0-alpha.1

package/README.md

@@ -0,0 +1,42 @@
+# @zhuma4/cli
+
+逐码 CLI — 命令行代码安全审计工具 (SAST + SCA)
+
+## 安装
+
+```bash
+npm install -g @zhuma4/cli
+```
+
+要求: Node.js >= 18, Semgrep >= 1.168
+
+## 快速开始
+
+```bash
+# 扫描当前目录
+zhuma scan .
+
+# 输出 SARIF 格式
+zhuma scan . --output sarif
+
+# 只显示 ERROR 级别
+zhuma scan . --only critical
+
+# SCA 软件成分分析
+zhuma scan . --sca
+```
+
+## 规则集
+
+内置 **200+ 自研 SAST 规则**，覆盖：
+
+- 🔵 **Java** (104 规则) — SQL注入/SSRF/XXE/反序列化/SpEL/Shiro/Fastjson
+- 🟡 **JavaScript/TypeScript** (27 规则) — XSS/SSRF/命令注入/原型污染/JWT安全
+- 🐍 **Python** (11 规则) — SSTI/Pickle反序列化/命令注入/SQL注入
+- 🐹 **Go** (12 规则) — XSS/命令注入/路径穿越/SSRF
+- 📱 **Android** (43 规则) — OWASP Mobile Top 10
+- 🏗️ **IaC** (14 规则) — Terraform/Ansible/Docker/K8s
+
+## 许可
+
+Apache-2.0 — 北京众安天下科技有限公司 · 猎鹰情报威胁中心

package/dist/commands/config.d.ts

@@ -0,0 +1,3 @@
+import { Command } from 'commander';
+export declare const configCommand: Command;
+//# sourceMappingURL=config.d.ts.map

package/dist/commands/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../../src/commands/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,eAAO,MAAM,aAAa,SAmBvB,CAAC"}

package/dist/commands/config.js

@@ -0,0 +1,18 @@
+import { Command } from 'commander';
+export const configCommand = new Command('config')
+    .description('管理逐码扫描配置')
+    .addCommand(new Command('show')
+    .description('显示当前配置')
+    .action(async () => {
+    const { showConfig } = await import('../engine/config.js');
+    await showConfig();
+}))
+    .addCommand(new Command('set')
+    .description('设置配置项')
+    .argument('<key>', '配置键名')
+    .argument('<value>', '配置值')
+    .action(async (key, value) => {
+    const { setConfig } = await import('../engine/config.js');
+    await setConfig(key, value);
+}));
+//# sourceMappingURL=config.js.map

package/dist/commands/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/commands/config.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,MAAM,CAAC,MAAM,aAAa,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC;KAC/C,WAAW,CAAC,UAAU,CAAC;KACvB,UAAU,CACT,IAAI,OAAO,CAAC,MAAM,CAAC;KAChB,WAAW,CAAC,QAAQ,CAAC;KACrB,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAC;IAC3D,MAAM,UAAU,EAAE,CAAC;AACrB,CAAC,CAAC,CACL;KACA,UAAU,CACT,IAAI,OAAO,CAAC,KAAK,CAAC;KACf,WAAW,CAAC,OAAO,CAAC;KACpB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;KACzB,QAAQ,CAAC,SAAS,EAAE,KAAK,CAAC;KAC1B,MAAM,CAAC,KAAK,EAAE,GAAW,EAAE,KAAa,EAAE,EAAE;IAC3C,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAC;IAC1D,MAAM,SAAS,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;AAC9B,CAAC,CAAC,CACL,CAAC"}

package/dist/commands/init.d.ts

@@ -0,0 +1,3 @@
+import { Command } from 'commander';
+export declare const initCommand: Command;
+//# sourceMappingURL=init.d.ts.map

package/dist/commands/init.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,eAAO,MAAM,WAAW,SAQpB,CAAC"}

package/dist/commands/init.js

@@ -0,0 +1,11 @@
+import { Command } from 'commander';
+export const initCommand = new Command('init')
+    .description('初始化项目的逐码扫描配置，自动检测语言和框架')
+    .option('-d, --dir <path>', '项目目录路径', process.cwd())
+    .option('-l, --language <lang>', '手动指定语言 (java|js|ts|py|go)')
+    .option('--auto', '全自动模式：检测并立即生成配置，无需确认')
+    .action(async (options) => {
+    const { initProject } = await import('../engine/project.js');
+    await initProject(options);
+});
+//# sourceMappingURL=init.js.map

package/dist/commands/init.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,OAAO,CAAC,MAAM,CAAC;KAC3C,WAAW,CAAC,wBAAwB,CAAC;KACrC,MAAM,CAAC,kBAAkB,EAAE,QAAQ,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;KACnD,MAAM,CAAC,uBAAuB,EAAE,2BAA2B,CAAC;KAC5D,MAAM,CAAC,QAAQ,EAAE,sBAAsB,CAAC;KACxC,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;IACxB,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;IAC7D,MAAM,WAAW,CAAC,OAAO,CAAC,CAAC;AAC7B,CAAC,CAAC,CAAC"}

package/dist/commands/scan.d.ts

@@ -0,0 +1,3 @@
+import { Command } from 'commander';
+export declare const scanCommand: Command;
+//# sourceMappingURL=scan.d.ts.map

package/dist/commands/scan.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan.d.ts","sourceRoot":"","sources":["../../src/commands/scan.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIpC,eAAO,MAAM,WAAW,SA2FpB,CAAC"}

package/dist/commands/scan.js

@@ -0,0 +1,96 @@
+import { Command } from 'commander';
+import { createHash } from 'node:crypto';
+export const scanCommand = new Command('scan')
+    .description('对目标项目执行代码安全审计')
+    .argument('[path]', '项目路径', process.cwd())
+    .option('-o, --output <format>', '输出格式 (json|html|sarif)', 'html')
+    .option('-r, --rules <path>', '自定义规则目录')
+    .option('--only <severity>', '仅报告该严重等级以上的 (critical|high|medium|low)')
+    .option('--quick', '快速模式 — 仅运行 L0 规则')
+    .option('--incremental', '增量扫描 — 仅扫描变更文件')
+    .option('--sca', '启用 SCA 依赖分析')
+    .option('--api <url>', '提交扫描结果到远程 API 服务端')
+    .option('--no-color', '禁用颜色输出')
+    .option('--batch <dir>', '批量模式 — 扫描目录下所有子项目')
+    .option('--concurrency <N>', '批量并发数 (默认 1)', '1')
+    .option('--timeout <M>', '每项目超时秒数 (默认 300)', '300')
+    .action(async (target, options) => {
+    // 批量模式
+    if (options.batch) {
+        const { batchScan } = await import('../engine/batch_scan.js');
+        await batchScan({
+            batchDir: options.batch,
+            output: options.output,
+            concurrency: parseInt(String(options.concurrency ?? '1'), 10),
+            timeout: parseInt(String(options.timeout ?? '300'), 10),
+            rules: options.rules,
+            only: options.only,
+            quick: options.quick,
+        });
+        return;
+    }
+    // 单项目模式
+    let result;
+    if (options.incremental) {
+        // ── V4.1 增量扫描模式 ──
+        const { runIncrementalScan } = await import('../engine/incremental/engine.js');
+        result = await runIncrementalScan(target, {
+            target,
+            output: options.output,
+            rules: options.rules,
+            quick: options.quick,
+            only: options.only,
+            incremental: true,
+            sca: options.sca,
+        });
+    }
+    else {
+        const { runScan } = await import('../engine/scanner.js');
+        result = await runScan(target, {
+            target,
+            output: options.output,
+            rules: options.rules,
+            quick: options.quick,
+            only: options.only,
+            incremental: options.incremental,
+            sca: options.sca,
+        });
+    }
+    // V4.1: 远程 API 上报
+    if (options.api) {
+        const { submitToApi } = await import('../engine/api-submit.js');
+        const projectId = createHash('md5').update(target).digest('hex');
+        const submitResult = await submitToApi(options.api, projectId, result);
+        if (submitResult.error) {
+            console.log(`\n⚠️  API 上报失败: ${submitResult.error}`);
+        }
+        else {
+            console.log(`\n📤 已上报 ${submitResult.findingsInserted} 个发现到 ${options.api}`);
+            console.log(`   Scan ID: ${submitResult.scanId}`);
+        }
+    }
+    // V4.1: 终端摘要（HTML 模式下也展示关键数据）
+    if (!options.output || options.output === 'html') {
+        const inc = result.incremental;
+        if (inc && inc.filesReused > 0) {
+            console.log(`\n${'─'.repeat(56)}`);
+            console.log(`  ⚡ 已扫描 ${inc.filesChanged}/${inc.filesTotal} 文件（增量），复用 ${inc.filesReused} 文件缓存结果，耗时 ${(result.durationMs / 1000).toFixed(1)}s`);
+        }
+        else if (inc) {
+            console.log(`\n${'─'.repeat(56)}`);
+            console.log(`  ⚡ 已扫描 ${inc.filesTotal} 文件（全量基线建立），耗时 ${(result.durationMs / 1000).toFixed(1)}s`);
+        }
+        else {
+            console.log(`\n${'─'.repeat(50)}`);
+        }
+        console.log(`  📊 ${result.total} 个发现  |  🔴 ${result.bySeverity?.CRITICAL ?? 0}  🟠 ${result.bySeverity?.HIGH ?? 0}  🟡 ${result.bySeverity?.MEDIUM ?? 0}  🔵 ${result.bySeverity?.LOW ?? 0}`);
+        console.log(`  📄 报告: ${result.outputPath}`);
+        if (inc) {
+            console.log(`${'─'.repeat(56)}\n`);
+        }
+        else {
+            console.log(`${'─'.repeat(50)}\n`);
+        }
+    }
+});
+//# sourceMappingURL=scan.js.map

package/dist/commands/scan.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan.js","sourceRoot":"","sources":["../../src/commands/scan.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGzC,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,OAAO,CAAC,MAAM,CAAC;KAC3C,WAAW,CAAC,eAAe,CAAC;KAC5B,QAAQ,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;KACzC,MAAM,CAAC,uBAAuB,EAAE,wBAAwB,EAAE,MAAM,CAAC;KACjE,MAAM,CAAC,oBAAoB,EAAE,SAAS,CAAC;KACvC,MAAM,CAAC,mBAAmB,EAAE,wCAAwC,CAAC;KACrE,MAAM,CAAC,SAAS,EAAE,kBAAkB,CAAC;KACrC,MAAM,CAAC,eAAe,EAAE,gBAAgB,CAAC;KACzC,MAAM,CAAC,OAAO,EAAE,aAAa,CAAC;KAC9B,MAAM,CAAC,aAAa,EAAE,mBAAmB,CAAC;KAC1C,MAAM,CAAC,YAAY,EAAE,QAAQ,CAAC;KAC9B,MAAM,CAAC,eAAe,EAAE,mBAAmB,CAAC;KAC5C,MAAM,CAAC,mBAAmB,EAAE,cAAc,EAAE,GAAG,CAAC;KAChD,MAAM,CAAC,eAAe,EAAE,kBAAkB,EAAE,KAAK,CAAC;KAClD,MAAM,CAAC,KAAK,EAAE,MAAc,EAAE,OAAgC,EAAE,EAAE;IACjE,OAAO;IACP,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;QAC9D,MAAM,SAAS,CAAC;YACd,QAAQ,EAAE,OAAO,CAAC,KAAe;YACjC,MAAM,EAAE,OAAO,CAAC,MAAgB;YAChC,WAAW,EAAE,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;YAC7D,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,IAAI,KAAK,CAAC,EAAE,EAAE,CAAC;YACvD,KAAK,EAAE,OAAO,CAAC,KAA2B;YAC1C,IAAI,EAAE,OAAO,CAAC,IAA0B;YACxC,KAAK,EAAE,OAAO,CAAC,KAA4B;SAC5C,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,QAAQ;IACR,IAAI,MAA6E,CAAC;IAElF,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QACxB,oBAAoB;QACpB,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,iCAAiC,CAAC,CAAC;QAC/E,MAAM,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE;YACxC,MAAM;YACN,MAAM,EAAE,OAAO,CAAC,MAA+C;YAC/D,KAAK,EAAE,OAAO,CAAC,KAA2B;YAC1C,KAAK,EAAE,OAAO,CAAC,KAA4B;YAC3C,IAAI,EAAE,OAAO,CAAC,IAA4B;YAC1C,WAAW,EAAE,IAAI;YACjB,GAAG,EAAE,OAAO,CAAC,GAA0B;SACxC,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;QACzD,MAAM,GAAG,MAAM,OAAO,CAAC,MAAM,EAAE;YAC7B,MAAM;YACN,MAAM,EAAE,OAAO,CAAC,MAA+C;YAC/D,KAAK,EAAE,OAAO,CAAC,KAA2B;YAC1C,KAAK,EAAE,OAAO,CAAC,KAA4B;YAC3C,IAAI,EAAE,OAAO,CAAC,IAA4B;YAC1C,WAAW,EAAE,OAAO,CAAC,WAAkC;YACvD,GAAG,EAAE,OAAO,CAAC,GAA0B;SACxC,CAAC,CAAC;IACL,CAAC;IAED,kBAAkB;IAClB,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,yBAAyB,CAAC,CAAC;QAChE,MAAM,SAAS,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACjE,MAAM,YAAY,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,GAAa,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;QACjF,IAAI,YAAY,CAAC,KAAK,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,mBAAmB,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;QACvD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,YAAY,YAAY,CAAC,gBAAgB,SAAS,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;YAC7E,OAAO,CAAC,GAAG,CAAC,eAAe,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC;QACpD,CAAC;IACH,CAAC;IAED,8BAA8B;IAC9B,IAAI,CAAC,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QACjD,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,CAAC;QAC/B,IAAI,GAAG,IAAI,GAAG,CAAC,WAAW,GAAG,CAAC,EAAE,CAAC;YAC/B,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;YACnC,OAAO,CAAC,GAAG,CAAC,WAAW,GAAG,CAAC,YAAY,IAAI,GAAG,CAAC,UAAU,cAAc,GAAG,CAAC,WAAW,cAAc,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QAChJ,CAAC;aAAM,IAAI,GAAG,EAAE,CAAC;YACf,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;YACnC,OAAO,CAAC,GAAG,CAAC,WAAW,GAAG,CAAC,UAAU,kBAAkB,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACnG,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;QACrC,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,QAAQ,MAAM,CAAC,KAAK,eAAe,MAAM,CAAC,UAAU,EAAE,QAAQ,IAAI,CAAC,QAAQ,MAAM,CAAC,UAAU,EAAE,IAAI,IAAI,CAAC,QAAQ,MAAM,CAAC,UAAU,EAAE,MAAM,IAAI,CAAC,QAAQ,MAAM,CAAC,UAAU,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC;QAChM,OAAO,CAAC,GAAG,CAAC,YAAY,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;QAC7C,IAAI,GAAG,EAAE,CAAC;YACR,OAAO,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;QACrC,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;AACH,CAAC,CAAC,CAAC"}

package/dist/commands/scan_appid.d.ts

@@ -0,0 +1,20 @@
+/**
+ * 逐码 scan:appid — AppID 感知扫描命令
+ *
+ * 对 jadx 反编译的 APK 项目执行扫描，自动解析 AndroidManifest.xml
+ * 按 applicationId 将 findings 分类为 APP/SDK/UNKNOWN
+ *
+ * Usage:
+ *   zhuma scan:appid <jadx_output_dir> --appid <manifest_path>
+ *   zhuma scan:appid <jadx_output_dir> --appid <manifest_path> --app-only
+ *   zhuma scan:appid <jadx_output_dir> --appid <manifest_path> --output json
+ *
+ * 核心价值:
+ *   - 80%+ findings 来自三方 SDK，传统白名单过滤不可靠
+ *   - AppID 边界引擎基于 applicationId + 组件声明精确区分 APP/SDK
+ *   - 支持 --app-only 仅输出应用自身代码的 findings
+ *   - 输出分类统计 (APP/SDK/UNKNOWN 分布)
+ */
+import { Command } from 'commander';
+export declare const scanAppIdCommand: Command;
+//# sourceMappingURL=scan_appid.d.ts.map

package/dist/commands/scan_appid.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan_appid.d.ts","sourceRoot":"","sources":["../../src/commands/scan_appid.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAgBpC,eAAO,MAAM,gBAAgB,SAwGzB,CAAC"}

package/dist/commands/scan_appid.js

@@ -0,0 +1,301 @@
+/**
+ * 逐码 scan:appid — AppID 感知扫描命令
+ *
+ * 对 jadx 反编译的 APK 项目执行扫描，自动解析 AndroidManifest.xml
+ * 按 applicationId 将 findings 分类为 APP/SDK/UNKNOWN
+ *
+ * Usage:
+ *   zhuma scan:appid <jadx_output_dir> --appid <manifest_path>
+ *   zhuma scan:appid <jadx_output_dir> --appid <manifest_path> --app-only
+ *   zhuma scan:appid <jadx_output_dir> --appid <manifest_path> --output json
+ *
+ * 核心价值:
+ *   - 80%+ findings 来自三方 SDK，传统白名单过滤不可靠
+ *   - AppID 边界引擎基于 applicationId + 组件声明精确区分 APP/SDK
+ *   - 支持 --app-only 仅输出应用自身代码的 findings
+ *   - 输出分类统计 (APP/SDK/UNKNOWN 分布)
+ */
+import { Command } from 'commander';
+import chalk from 'chalk';
+import ora from 'ora';
+import { writeFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { existsSync } from 'node:fs';
+import { extractApplicationId, getComponentPackages, classifyFindings, filterByClassification, getClassificationStats, } from '../engine/finding_classifier.js';
+export const scanAppIdCommand = new Command('scan:appid')
+    .description('AppID 感知扫描 — 自动区分 APP/SDK/UNKNOWN findings')
+    .argument('[path]', 'jadx 反编译输出目录 (sources/)', process.cwd())
+    .requiredOption('--appid <manifest>', 'AndroidManifest.xml 路径 (jadx 输出中的 resources/AndroidManifest.xml)')
+    .option('-o, --output <format>', '输出格式 (json|html)', 'json')
+    .option('-r, --rules <path>', '自定义规则目录')
+    .option('--only <severity>', '仅报告该严重等级以上的 (critical|high|medium|low)')
+    .option('--quick', '快速模式 — 仅运行 L0 规则')
+    .option('--app-only', '仅输出 APP 分类的 findings (忽略 SDK 和 UNKNOWN)')
+    .option('--no-app-only', '输出全部分类 findings (默认)')
+    .option('--include-unknown', '输出中保留 UNKNOWN 分类 findings (默认仅输出 APP + SDK)')
+    .option('--stats-only', '仅输出分类统计 (不输出具体 findings)')
+    .action(async (target, options) => {
+    const manifestPath = resolve(options.appid);
+    const appOnly = options.appOnly;
+    const includeUnknown = options.includeUnknown;
+    const statsOnly = options.statsOnly;
+    // 验证 manifest
+    const spinner = ora('解析 AndroidManifest.xml...').start();
+    let appId;
+    let componentPrefixes;
+    try {
+        appId = extractApplicationId(manifestPath);
+        componentPrefixes = getComponentPackages(manifestPath);
+    }
+    catch (err) {
+        spinner.fail(`解析 AndroidManifest.xml 失败: ${err.message}`);
+        process.exit(1);
+    }
+    spinner.succeed(`Application ID: ${chalk.cyan(appId)} (${componentPrefixes.size} 个组件包前缀)`);
+    // 运行 Semgrep 扫描
+    spinner.start('执行 Semgrep 扫描...');
+    let sarifOutput;
+    try {
+        // 直接调用 Semgrep --json (非 --sarif)，获取可分类的 raw results
+        sarifOutput = await runSemgrepJson(target, options.rules || undefined, options.only || undefined, options.quick || undefined);
+    }
+    catch (err) {
+        spinner.fail(`扫描失败: ${err.message}`);
+        process.exit(1);
+    }
+    spinner.succeed('扫描完成');
+    // 解析 Semgrep JSON
+    const rawResults = sarifOutput.results ?? [];
+    spinner.info(`原始 findings: ${rawResults.length} 条`);
+    // 分类
+    spinner.start('执行 AppID 分类...');
+    const classified = classifyFindings(rawResults, manifestPath);
+    const stats = getClassificationStats(classified);
+    spinner.succeed('分类完成');
+    // 应用筛选
+    let outputFindings = classified;
+    if (appOnly) {
+        outputFindings = filterByClassification(classified, ['APP']);
+    }
+    else if (!includeUnknown) {
+        outputFindings = filterByClassification(classified, ['APP', 'SDK']);
+    }
+    // 打印统计
+    printClassificationSummary(stats, outputFindings.length);
+    // 输出
+    if (statsOnly) {
+        // 仅统计，不写文件
+        return;
+    }
+    if (options.output === 'html') {
+        spinner.start('生成 HTML 报告...');
+        const html = buildAppIdHtmlReport(target, appId, stats, outputFindings);
+        const timestamp = new Date().toISOString().replace(/[:.]/g, '-').slice(0, 19);
+        const outPath = `zhuma_appid_report_${timestamp}.html`;
+        writeFileSync(outPath, html, 'utf-8');
+        spinner.succeed(`报告已保存: ${chalk.green(outPath)}`);
+    }
+    else {
+        // JSON 输出
+        spinner.start('生成 JSON 报告...');
+        const outPath = `${target.replace(/[\\/]/g, '_')}_zhuma_appid.json`;
+        const jsonOutput = {
+            applicationId: appId,
+            stats: {
+                total: stats.total,
+                app: stats.app,
+                sdk: stats.sdk,
+                unknown: stats.unknown,
+                appPercent: stats.total > 0 ? ((stats.app / stats.total) * 100).toFixed(1) + '%' : '0%',
+                sdkPercent: stats.total > 0 ? ((stats.sdk / stats.total) * 100).toFixed(1) + '%' : '0%',
+                unknownPercent: stats.total > 0 ? ((stats.unknown / stats.total) * 100).toFixed(1) + '%' : '0%',
+                byConfidence: stats.byConfidence,
+                bySource: stats.bySource,
+            },
+            findings: outputFindings,
+        };
+        writeFileSync(outPath, JSON.stringify(jsonOutput, null, 2), 'utf-8');
+        spinner.succeed(`报告已保存: ${chalk.green(outPath)}`);
+    }
+});
+// ─── Helper: 运行 Semgrep --json ─────────────────────────
+async function runSemgrepJson(target, rules, onlySeverity, quick) {
+    const { spawn } = await import('node:child_process');
+    const { resolve: resolvePath, join } = await import('node:path');
+    const SEMGREP_BIN = process.platform === 'win32' ? 'pysemgrep' : 'semgrep';
+    // 规则目录
+    const rulesDir = rules
+        ? resolvePath(rules)
+        : resolvePath(join(import.meta.dirname ?? '.', '..', '..', '..', 'rules', 'common'));
+    const targetPath = resolvePath(target);
+    if (!existsSync(targetPath)) {
+        throw new Error(`目标路径不存在: ${target}`);
+    }
+    const args = ['scan', '--config', rulesDir, '--json', '--quiet', '--no-git-ignore'];
+    // severity filter
+    if (onlySeverity) {
+        const levelMap = {
+            critical: 'ERROR', high: 'WARNING', medium: 'INFO', low: 'NOTE',
+        };
+        const sev = levelMap[onlySeverity.toLowerCase()];
+        if (sev)
+            args.push('--severity', sev);
+    }
+    if (quick && !onlySeverity)
+        args.push('--severity', 'WARNING');
+    args.push(targetPath);
+    return new Promise((resolvePromise, rejectPromise) => {
+        const child = spawn(SEMGREP_BIN, args, {
+            stdio: ['ignore', 'pipe', 'pipe'],
+            timeout: 15 * 60 * 1000,
+            env: {
+                ...process.env,
+                PYTHONUTF8: '1',
+                PYTHONIOENCODING: 'utf-8',
+            },
+        });
+        let stdout = '';
+        let stderr = '';
+        child.stdout.on('data', (d) => { stdout += d.toString(); });
+        child.stderr.on('data', (d) => { stderr += d.toString(); });
+        child.on('close', (code) => {
+            if (code !== 0 && code !== 1) {
+                rejectPromise(new Error(`Semgrep 异常退出 (exit ${code}): ${stderr.slice(-500)}`));
+                return;
+            }
+            try {
+                resolvePromise(JSON.parse(stdout));
+            }
+            catch {
+                rejectPromise(new Error(`Semgrep JSON 解析失败: ${stdout.slice(0, 300)}`));
+            }
+        });
+        child.on('error', (err) => {
+            rejectPromise(err.code === 'ENOENT'
+                ? new Error('未找到 Semgrep CLI。请执行: pip install semgrep')
+                : new Error(`Semgrep 启动失败: ${err.message}`));
+        });
+    });
+}
+// ─── Console Output ──────────────────────────────────────
+function printClassificationSummary(stats, filteredCount) {
+    console.log('');
+    console.log(chalk.bold('━━━ AppID 分类统计 ━━━'));
+    console.log('');
+    // 分类分布
+    const total = stats.total || 1;
+    const appBar = bar(stats.app / total);
+    const sdkBar = bar(stats.sdk / total);
+    const unkBar = bar(stats.unknown / total);
+    console.log(`  ${chalk.green('APP')}      ${String(stats.app).padStart(5)} ${appBar} ${((stats.app / total) * 100).toFixed(1)}%`);
+    console.log(`  ${chalk.yellow('SDK')}      ${String(stats.sdk).padStart(5)} ${sdkBar} ${((stats.sdk / total) * 100).toFixed(1)}%`);
+    console.log(`  ${chalk.gray('UNKNOWN')}  ${String(stats.unknown).padStart(5)} ${unkBar} ${((stats.unknown / total) * 100).toFixed(1)}%`);
+    console.log('');
+    console.log(`  输出 findings: ${chalk.bold(String(filteredCount))} (原始 ${stats.total})`);
+    console.log('');
+    // 置信度分布
+    if (Object.keys(stats.byConfidence).length > 0) {
+        console.log(chalk.dim('  置信度分布:'));
+        for (const [level, count] of Object.entries(stats.byConfidence).sort()) {
+            console.log(chalk.dim(`    ${level.padEnd(10)} ${count}`));
+        }
+        console.log('');
+    }
+    // 来源分布
+    if (Object.keys(stats.bySource).length > 0) {
+        console.log(chalk.dim('  来源分布:'));
+        for (const [src, count] of Object.entries(stats.bySource).sort()) {
+            console.log(chalk.dim(`    ${src.padEnd(16)} ${count}`));
+        }
+        console.log('');
+    }
+}
+function bar(ratio, width = 20) {
+    const filled = Math.round(ratio * width);
+    return chalk.green('█'.repeat(filled)) + chalk.gray('░'.repeat(width - filled));
+}
+// ─── HTML Report Builder ─────────────────────────────────
+function buildAppIdHtmlReport(target, appId, stats, findings) {
+    const classColors = {
+        APP: '#27ae60',
+        SDK: '#f39c12',
+        UNKNOWN: '#95a5a6',
+    };
+    const badge = (cls) => `<span style="display:inline-block;padding:3px 10px;border-radius:12px;font-size:.76em;font-weight:600;color:#fff;background:${classColors[cls] ?? '#6c757d'}">${cls}</span>`;
+    const findingRows = findings.map((f) => `
+    <tr>
+      <td>${badge(f.classification)}</td>
+      <td><span style="font-size:.78em;color:#6c757d">${esc(f.confidence)}</span></td>
+      <td><code>${esc(f.check_id)}</code></td>
+      <td>${esc(f.message)}</td>
+      <td><code style="font-size:.76em">${esc(f.path)}:${f.line}</code></td>
+      <td style="font-size:.72em;color:#6c757d">${esc(f.reason)}</td>
+    </tr>
+  `).join('');
+    return `<!DOCTYPE html>
+<html lang="zh-CN">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>逐码 AppID 感知扫描报告</title>
+<style>
+  * { margin:0; padding:0; box-sizing:border-box; }
+  body { background: #f5f8fc; color: #495057; font: 14px/1.7 "PingFang SC",-apple-system,"Microsoft YaHei",sans-serif; }
+  .cover { background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); padding: 60px 40px 50px; text-align: center; color: #fff; }
+  .cover h1 { font-size: 2em; font-weight: 800; margin-bottom: 6px; }
+  .cover .subtitle { opacity: .85; font-size: .9em; }
+  .wrap { max-width: 1100px; margin: 0 auto; padding: 28px 24px 60px; }
+  .stats { display: grid; grid-template-columns: repeat(auto-fit, minmax(160px,1fr)); gap: 16px; margin: 16px 0 28px; }
+  .stat-card { background: #fff; border: 1px solid #e4ecf6; border-radius: 12px; padding: 20px; text-align: center; box-shadow: 0 1px 3px rgba(0,0,0,.06); }
+  .stat-card .num { font-size: 2.3em; font-weight: 800; }
+  .stat-card .label { font-size: .8em; color: #6c757d; margin-top: 4px; text-transform: uppercase; }
+  .stat-card.app .num { color: #27ae60; }
+  .stat-card.sdk .num { color: #f39c12; }
+  .stat-card.unk .num { color: #95a5a6; }
+  table { width:100%; border-collapse:collapse; margin:18px 0; border-radius:12px; overflow:hidden; box-shadow: 0 1px 3px rgba(0,0,0,.06); }
+  thead th { background: linear-gradient(180deg,#f4f9ff,#eaf2fc); color:#1a6dff; font-weight:700; font-size:.82em; text-transform:uppercase; padding:12px 14px; text-align:left; border-bottom:2px solid #d0dff5; }
+  tbody td { padding:10px 14px; border-bottom:1px solid #eef3f9; font-size:.88em; }
+  tbody tr:hover td { background:#f6faff; }
+  code { background:#f0f5fb; padding:2px 7px; border-radius:4px; font-family:"Fira Code",Consolas,monospace; font-size:.84em; color:#1a6dff; }
+  h2 { color:#1a1a2e; margin:28px 0 10px; font-size:1.2em; }
+  .footer { margin-top:36px; padding-top:18px; border-top:1px solid #e0e7f0; text-align:center; color:#6c757d; font-size:.8em; }
+</style>
+</head>
+<body>
+<div class="cover">
+  <h1>逐码 AppID 感知扫描报告</h1>
+  <div class="subtitle">${esc(target)} · Application ID: ${esc(appId)} · ${new Date().toLocaleString('zh-CN')}</div>
+</div>
+<div class="wrap">
+  <h2>📊 分类统计</h2>
+  <div class="stats">
+    <div class="stat-card app"><div class="num">${stats.app}</div><div class="label">🟢 APP</div></div>
+    <div class="stat-card sdk"><div class="num">${stats.sdk}</div><div class="label">🟠 SDK</div></div>
+    <div class="stat-card unk"><div class="num">${stats.unknown}</div><div class="label">⚪ UNKNOWN</div></div>
+    <div class="stat-card"><div class="num">${stats.total}</div><div class="label">总计</div></div>
+  </div>
+  <p style="color:#6c757d;font-size:.84em">
+    APP 占比: ${stats.total > 0 ? ((stats.app / stats.total) * 100).toFixed(1) : 0}% |
+    SDK 占比: ${stats.total > 0 ? ((stats.sdk / stats.total) * 100).toFixed(1) : 0}% |
+    UNKNOWN 占比: ${stats.total > 0 ? ((stats.unknown / stats.total) * 100).toFixed(1) : 0}%
+  </p>
+
+  <h2>📋 发现详情</h2>
+  <table>
+    <thead><tr><th>分类</th><th>置信度</th><th>规则</th><th>描述</th><th>位置</th><th>原因</th></tr></thead>
+    <tbody>
+      ${findingRows || '<tr><td colspan="6" style="text-align:center;color:#6c757d;padding:28px;">✅ 无发现</td></tr>'}
+    </tbody>
+  </table>
+
+  <div class="footer">
+    <p>由 <strong>逐码 ZhuMa V4.1 AppID Engine</strong> 生成 · 众安天下 · 猎鹰情报威胁中心</p>
+  </div>
+</div>
+</body>
+</html>`;
+}
+function esc(s) {
+    return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+}
+//# sourceMappingURL=scan_appid.js.map

package/dist/commands/scan_appid.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan_appid.js","sourceRoot":"","sources":["../../src/commands/scan_appid.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,GAAG,MAAM,KAAK,CAAC;AACtB,OAAO,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACxC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAGrC,OAAO,EACL,oBAAoB,EACpB,oBAAoB,EACpB,gBAAgB,EAChB,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,iCAAiC,CAAC;AAEzC,MAAM,CAAC,MAAM,gBAAgB,GAAG,IAAI,OAAO,CAAC,YAAY,CAAC;KACtD,WAAW,CAAC,4CAA4C,CAAC;KACzD,QAAQ,CAAC,QAAQ,EAAE,yBAAyB,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;KAC5D,cAAc,CAAC,oBAAoB,EAAE,kEAAkE,CAAC;KACxG,MAAM,CAAC,uBAAuB,EAAE,kBAAkB,EAAE,MAAM,CAAC;KAC3D,MAAM,CAAC,oBAAoB,EAAE,SAAS,CAAC;KACvC,MAAM,CAAC,mBAAmB,EAAE,wCAAwC,CAAC;KACrE,MAAM,CAAC,SAAS,EAAE,kBAAkB,CAAC;KACrC,MAAM,CAAC,YAAY,EAAE,yCAAyC,CAAC;KAC/D,MAAM,CAAC,eAAe,EAAE,sBAAsB,CAAC;KAC/C,MAAM,CAAC,mBAAmB,EAAE,6CAA6C,CAAC;KAC1E,MAAM,CAAC,cAAc,EAAE,0BAA0B,CAAC;KAClD,MAAM,CAAC,KAAK,EAAE,MAAc,EAAE,OAAgC,EAAE,EAAE;IACjE,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,KAAe,CAAC,CAAC;IACtD,MAAM,OAAO,GAAG,OAAO,CAAC,OAA8B,CAAC;IACvD,MAAM,cAAc,GAAG,OAAO,CAAC,cAAqC,CAAC;IACrE,MAAM,SAAS,GAAG,OAAO,CAAC,SAAgC,CAAC;IAE3D,cAAc;IACd,MAAM,OAAO,GAAG,GAAG,CAAC,2BAA2B,CAAC,CAAC,KAAK,EAAE,CAAC;IACzD,IAAI,KAAa,CAAC;IAClB,IAAI,iBAA8B,CAAC;IACnC,IAAI,CAAC;QACH,KAAK,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAC;QAC3C,iBAAiB,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAC;IACzD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC,8BAA+B,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACrE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,CAAC,OAAO,CAAC,mBAAmB,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,iBAAiB,CAAC,IAAI,UAAU,CAAC,CAAC;IAE3F,gBAAgB;IAChB,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAClC,IAAI,WAAoB,CAAC;IACzB,IAAI,CAAC;QACH,qDAAqD;QACrD,WAAW,GAAG,MAAM,cAAc,CAChC,MAAM,EACL,OAAO,CAAC,KAAgB,IAAI,SAAS,EACrC,OAAO,CAAC,IAAe,IAAI,SAAS,EACpC,OAAO,CAAC,KAAiB,IAAI,SAAS,CACxC,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,IAAI,CAAC,SAAU,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAChD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAExB,kBAAkB;IAClB,MAAM,UAAU,GAAI,WAA6C,CAAC,OAAO,IAAI,EAAE,CAAC;IAChF,OAAO,CAAC,IAAI,CAAC,gBAAgB,UAAU,CAAC,MAAM,IAAI,CAAC,CAAC;IAEpD,KAAK;IACL,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAChC,MAAM,UAAU,GAAG,gBAAgB,CAAC,UAAU,EAAE,YAAY,CAAC,CAAC;IAC9D,MAAM,KAAK,GAAG,sBAAsB,CAAC,UAAU,CAAC,CAAC;IACjD,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAExB,OAAO;IACP,IAAI,cAAc,GAAG,UAAU,CAAC;IAChC,IAAI,OAAO,EAAE,CAAC;QACZ,cAAc,GAAG,sBAAsB,CAAC,UAAU,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC;IAC/D,CAAC;SAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC3B,cAAc,GAAG,sBAAsB,CAAC,UAAU,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC;IACtE,CAAC;IAED,OAAO;IACP,0BAA0B,CAAC,KAAK,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IAEzD,KAAK;IACL,IAAI,SAAS,EAAE,CAAC;QACd,WAAW;QACX,OAAO;IACT,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC9B,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;QAC/B,MAAM,IAAI,GAAG,oBAAoB,CAAC,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,cAAc,CAAC,CAAC;QACxE,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC9E,MAAM,OAAO,GAAG,sBAAsB,SAAS,OAAO,CAAC;QACvD,aAAa,CAAC,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;QACtC,OAAO,CAAC,OAAO,CAAC,UAAU,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IACpD,CAAC;SAAM,CAAC;QACN,UAAU;QACV,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;QAC/B,MAAM,OAAO,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,GAAG,CAAC,mBAAmB,CAAC;QACpE,MAAM,UAAU,GAAG;YACjB,aAAa,EAAE,KAAK;YACpB,KAAK,EAAE;gBACL,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,GAAG,EAAE,KAAK,CAAC,GAAG;gBACd,GAAG,EAAE,KAAK,CAAC,GAAG;gBACd,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,UAAU,EAAE,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI;gBACvF,UAAU,EAAE,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI;gBACvF,cAAc,EAAE,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI;gBAC/F,YAAY,EAAE,KAAK,CAAC,YAAY;gBAChC,QAAQ,EAAE,KAAK,CAAC,QAAQ;aACzB;YACD,QAAQ,EAAE,cAAc;SACzB,CAAC;QACF,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;QACrE,OAAO,CAAC,OAAO,CAAC,UAAU,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IACpD,CAAC;AACH,CAAC,CAAC,CAAC;AAEL,0DAA0D;AAE1D,KAAK,UAAU,cAAc,CAC3B,MAAc,EACd,KAAc,EACd,YAAqB,EACrB,KAAe;IAEf,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;IACrD,MAAM,EAAE,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;IAEjE,MAAM,WAAW,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;IAE3E,OAAO;IACP,MAAM,QAAQ,GAAG,KAAK;QACpB,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC;QACpB,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;IAEvF,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IACvC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,YAAY,MAAM,EAAE,CAAC,CAAC;IACxC,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAEpF,kBAAkB;IAClB,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,QAAQ,GAA2B;YACvC,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM;SAChE,CAAC;QACF,MAAM,GAAG,GAAG,QAAQ,CAAC,YAAY,CAAC,WAAW,EAAE,CAAC,CAAC;QACjD,IAAI,GAAG;YAAE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC;IACxC,CAAC;IACD,IAAI,KAAK,IAAI,CAAC,YAAY;QAAE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;IAE/D,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAEtB,OAAO,IAAI,OAAO,CAAC,CAAC,cAAc,EAAE,aAAa,EAAE,EAAE;QACnD,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,EAAE,IAAI,EAAE;YACrC,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;YACjC,OAAO,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI;YACvB,GAAG,EAAE;gBACH,GAAG,OAAO,CAAC,GAAG;gBACd,UAAU,EAAE,GAAG;gBACf,gBAAgB,EAAE,OAAO;aAC1B;SACF,CAAC,CAAC;QAEH,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,GAAG,MAAM,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QACpE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,GAAG,MAAM,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAEpE,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAmB,EAAE,EAAE;YACxC,IAAI,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;gBAC7B,aAAa,CAAC,IAAI,KAAK,CAAC,sBAAsB,IAAI,MAAM,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;gBAC/E,OAAO;YACT,CAAC;YACD,IAAI,CAAC;gBACH,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACrC,CAAC;YAAC,MAAM,CAAC;gBACP,aAAa,CAAC,IAAI,KAAK,CAAC,sBAAsB,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;YACzE,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE;YAC/B,aAAa,CACV,GAA6B,CAAC,IAAI,KAAK,QAAQ;gBAC9C,CAAC,CAAC,IAAI,KAAK,CAAC,0CAA0C,CAAC;gBACvD,CAAC,CAAC,IAAI,KAAK,CAAC,iBAAiB,GAAG,CAAC,OAAO,EAAE,CAAC,CAC9C,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,4DAA4D;AAE5D,SAAS,0BAA0B,CAAC,KAA0B,EAAE,aAAqB;IACnF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,CAAC;IAC9C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,OAAO;IACP,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,GAAG,KAAK,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,GAAG,KAAK,CAAC,CAAC;IACtC,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,OAAO,GAAG,KAAK,CAAC,CAAC;IAE1C,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,MAAM,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,GAAG,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAClI,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,SAAS,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,MAAM,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,GAAG,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACnI,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,MAAM,IAAI,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAEzI,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,kBAAkB,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,QAAQ,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC;IACvF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,QAAQ;IACR,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/C,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC;QACnC,KAAK,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;YACvE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,KAAK,EAAE,CAAC,CAAC,CAAC;QAC7D,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC;IAED,OAAO;IACP,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3C,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC;QAClC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;YACjE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,KAAK,EAAE,CAAC,CAAC,CAAC;QAC3D,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;AAED,SAAS,GAAG,CAAC,KAAa,EAAE,KAAK,GAAG,EAAE;IACpC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC;IACzC,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC;AAClF,CAAC;AAED,4DAA4D;AAE5D,SAAS,oBAAoB,CAC3B,MAAc,EACd,KAAa,EACb,KAA0B,EAC1B,QAA6B;IAE7B,MAAM,WAAW,GAA2B;QAC1C,GAAG,EAAE,SAAS;QACd,GAAG,EAAE,SAAS;QACd,OAAO,EAAE,SAAS;KACnB,CAAC;IAEF,MAAM,KAAK,GAAG,CAAC,GAAW,EAAE,EAAE,CAC5B,+HAA+H,WAAW,CAAC,GAAG,CAAC,IAAI,SAAS,KAAK,GAAG,SAAS,CAAC;IAEhL,MAAM,WAAW,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;;YAE9B,KAAK,CAAC,CAAC,CAAC,cAAc,CAAC;wDACqB,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC;kBACvD,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC;YACrB,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC;0CACgB,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI;kDACb,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC;;GAE5D,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEZ,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;0BAgCiB,GAAG,CAAC,MAAM,CAAC,sBAAsB,GAAG,CAAC,KAAK,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,cAAc,CAAC,OAAO,CAAC;;;;;kDAK3D,KAAK,CAAC,GAAG;kDACT,KAAK,CAAC,GAAG;kDACT,KAAK,CAAC,OAAO;8CACjB,KAAK,CAAC,KAAK;;;cAG3C,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,GAAC,KAAK,CAAC,KAAK,CAAC,GAAC,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;cAC9D,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,GAAC,KAAK,CAAC,KAAK,CAAC,GAAC,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;kBAC1D,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,GAAC,KAAK,CAAC,KAAK,CAAC,GAAC,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;;;;;;;QAO5E,WAAW,IAAI,2FAA2F;;;;;;;;;QAS1G,CAAC;AACT,CAAC;AAED,SAAS,GAAG,CAAC,CAAS;IACpB,OAAO,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AAC9E,CAAC"}

package/dist/commands/scan_manifest.d.ts

@@ -0,0 +1,13 @@
+/**
+ * scan_manifest CLI — 独立 AndroidManifest.xml 安全扫描命令
+ *
+ * Usage:
+ *   zhuma scan-manifest <path>             # 扫描单个文件
+ *   zhuma scan-manifest <path> --json      # JSON 输出
+ *   zhuma scan-manifest <path> --only HIGH # 仅返回 HIGH 及以上
+ *
+ * 扫描 jadx 解码后的 AndroidManifest.xml 并输出安全发现。
+ */
+import { Command } from 'commander';
+export declare const scanManifestCommand: Command;
+//# sourceMappingURL=scan_manifest.d.ts.map

package/dist/commands/scan_manifest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan_manifest.d.ts","sourceRoot":"","sources":["../../src/commands/scan_manifest.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAepC,eAAO,MAAM,mBAAmB,SAyF5B,CAAC"}