@zhuma4/cli 4.0.0-alpha.1

package/dist/engine/finding_classifier.js

@@ -0,0 +1,440 @@
+/**
+ * ApplicationId-aware Finding Classifier — APP vs SDK vs UNKNOWN
+ *
+ * V4.1 AppID Boundary Engine
+ *
+ * 核心问题：
+ *   jadx 反编译 APK → 80%+ Java 文件是三方 SDK/库代码
+ *   当前静态包白名单过滤不可靠（混入/混淆框架无效）
+ *
+ * 方案：
+ *   解析 AndroidManifest.xml 提取 applicationId + 组件声明包前缀
+ *   对每条 Semgrep finding 基于文件路径分类为 APP/SDK/UNKNOWN
+ *
+ * 分类优先级：
+ *   EXACT match (appId 前缀)         → APP   very-high
+ *   COMPONENT match (声明的组件前缀)  → APP   high
+ *   SDK whitelist match              → SDK   very-high
+ *   Nested SDK (app 包内嵌入 SDK)    → SDK   medium
+ *   Fallback                         → UNKNOWN low
+ */
+import { readFileSync, existsSync } from 'node:fs';
+// ─── SDK Whitelist ────────────────────────────────────────
+/**
+ * 综合 SDK/框架包前缀白名单
+ *
+ * 覆盖:
+ *   - Android 系统库 (android/androidx)
+ *   - Google/Facebook/Amazon 官方 SDK
+ *   - 国内主流平台 (腾讯/阿里/百度/华为/小米/OPPO/vivo/魅族)
+ *   - 推送 SDK (个推/友盟/APICloud)
+ *   - 网络库 (OkHttp/Retrofit/Netty/Volley)
+ *   - 图片库 (Glide/Picasso/Fresco)
+ *   - 常用工具库 (Gson/RxJava/ButterKnife/EventBus)
+ *   - 地图 SDK (高德)
+ *   - 语音 SDK (科大讯飞)
+ *   - WebRTC / XMPP / DNS 库
+ *   - Spring / Hibernate / MyBatis (服务端)
+ *   - Apache / Jackson / SLF4J
+ *   - 测试框架 (JUnit/Mockito - 不应出现在 release APK，但防御性列入)
+ */
+const SDK_WHITELIST = [
+    // Android 系统 & Jetpack
+    'android',
+    'androidx',
+    'com.android',
+    'com.google',
+    // 阿里系
+    'com.alibaba',
+    'com.taobao',
+    'com.alipay',
+    // 百度
+    'com.baidu',
+    // 腾讯系
+    'com.tencent',
+    'com.qq',
+    // 高德地图
+    'com.amap',
+    // 科大讯飞
+    'com.iflytek',
+    // Facebook / Meta
+    'com.facebook',
+    // Square 系 (OkHttp/Retrofit/Picasso)
+    'com.squareup',
+    'okhttp3',
+    'okio',
+    'retrofit2',
+    // Netty
+    'io.netty',
+    // Apache 基金会
+    'org.apache',
+    // Spring 全家桶
+    'org.springframework',
+    // Hibernate
+    'org.hibernate',
+    // MyBatis
+    'org.mybatis',
+    // Jackson
+    'com.fasterxml',
+    // RxJava
+    'io.reactivex',
+    'rx',
+    // Glide (Bumptech)
+    'com.bumptech',
+    // Universal Image Loader
+    'com.nostra13',
+    // 通用 GitHub 开源库
+    'com.github',
+    // 华为 HMS
+    'com.huawei',
+    // 小米
+    'com.xiaomi',
+    // vivo
+    'com.vivo',
+    // OPPO
+    'com.oppo',
+    // 魅族
+    'com.meizu',
+    // 友盟
+    'com.umeng',
+    // APICloud
+    'com.uzmap',
+    // DCloud (uni-app / HBuilder)
+    'io.dcloud',
+    // WebRTC
+    'org.webrtc',
+    // 个推
+    'com.igexin',
+    'com.getui',
+    // AndroidViewAnimations
+    'com.wang.avi',
+    // AndPermission / YanZhenjie
+    'com.yanzhenjie',
+    // Android Async HTTP
+    'com.loopj',
+    // ZXing Android Embedded
+    'com.journeyapps',
+    // DNS Java
+    'org.xbill',
+    // JmDNS
+    'org.jmdns',
+    // Smack (XMPP)
+    'org.jivesoftware',
+    // JBoss
+    'org.jboss',
+    // Fast Android Networking
+    'com.androidnetworking',
+    // Volley (legacy)
+    'com.android.volley',
+    // Picasso standalone
+    'com.squareup.picasso',
+    // Test
+    'com.test',
+    // FinalTeam
+    'cn.finalteam',
+    // SLF4J
+    'org.slf4j',
+    // IDIK (NiceImageView)
+    'net.idik',
+    // Megvii / Face++
+    'com.megvii',
+    // metadata-extractor (Drew)
+    'com.drew',
+    // ZXing
+    'com.zxing',
+    // Airbnb (Lottie etc.)
+    'com.airbnb',
+    // AndroidUtilCode (Blankj)
+    'com.blankj',
+    // Yalantis (uCrop etc.)
+    'com.yalantis',
+    // Afollestad (Material Dialogs)
+    'com.afollestad',
+    // Tbruyelle (RxPermissions)
+    'com.tbruyelle',
+    // Caverock (androidsvg)
+    'com.caverock',
+    // Daimajia (AndroidViewAnimations, NumberProgressBar etc.)
+    'com.daimajia',
+    // NineOldAndroids
+    'com.nineoldandroids',
+    // Kevin (various)
+    'com.kevin',
+    // Orhanobut (Logger, DialogPlus etc.)
+    'com.orhanobut',
+    // JakeWharton (ButterKnife, DiskLruCache, Timber etc.)
+    'com.jakewharton',
+];
+/**
+ * SDK 标记 — 用于 nested SDK 检测
+ * 如果 app 包内出现这些二级包名，标记为 SDK
+ */
+const SDK_MARKERS = new Set([
+    'tencent', 'qq', 'alibaba', 'taobao', 'alipay', 'baidu',
+    'google', 'facebook', 'amap', 'iflytek', 'huawei', 'xiaomi',
+    'vivo', 'oppo', 'meizu', 'umeng', 'igexin', 'getui',
+    'squareup', 'bumptech', 'airbnb', 'jakewharton',
+    'github', 'android', 'androidx', 'apache', 'netty',
+    'reactivex', 'webrtc', 'dcloud', 'uzmap',
+]);
+// ─── Manifest Parser ──────────────────────────────────────
+/**
+ * 从 AndroidManifest.xml 提取 applicationId (package 属性)
+ */
+export function extractApplicationId(manifestPath) {
+    if (!existsSync(manifestPath)) {
+        throw new Error(`AndroidManifest.xml 不存在: ${manifestPath}`);
+    }
+    const xml = readFileSync(manifestPath, 'utf-8');
+    // 匹配 <manifest ... package="com.example.app" ...>
+    // 容错: 单引号、多行、属性之间有换行
+    const pkgMatch = xml.match(/<manifest[^>]*\bpackage\s*=\s*["']([^"']+)["']/s);
+    if (!pkgMatch) {
+        throw new Error(`无法从 AndroidManifest.xml 提取 package 属性: ${manifestPath}`);
+    }
+    return pkgMatch[1].trim();
+}
+/**
+ * 从 AndroidManifest.xml 提取所有声明的组件包前缀
+ *
+ * 解析 <activity>/<service>/<receiver>/<provider> 的 android:name 属性
+ * 提取其包前缀 (最后一段类名之前的包路径)
+ *
+ * 处理相对类名: 如果 android:name 以 "." 开头，拼接 applicationId
+ */
+export function getComponentPackages(manifestPath) {
+    if (!existsSync(manifestPath)) {
+        throw new Error(`AndroidManifest.xml 不存在: ${manifestPath}`);
+    }
+    const xml = readFileSync(manifestPath, 'utf-8');
+    const appId = extractApplicationId(manifestPath);
+    const prefixes = new Set();
+    // 匹配四种组件的 android:name 属性
+    // <activity android:name="com.example.MainActivity">
+    // <service android:name=".MyService">
+    // <receiver android:name="com.example.MyReceiver">
+    // <provider android:name=".MyProvider">
+    const componentPattern = /<(?:activity|service|receiver|provider)[^>]*?\bandroid:name\s*=\s*["']([^"']+)["']/gs;
+    let match;
+    while ((match = componentPattern.exec(xml)) !== null) {
+        let className = match[1].trim();
+        let fullName;
+        // 解析 android:name:
+        //   ".MyService"           → 拼接 appId
+        //   "com.example.MainAct"  → 完整类名
+        if (className.startsWith('.')) {
+            fullName = appId + className;
+        }
+        else if (!className.includes('.')) {
+            // 短类名 (无包前缀) → 拼接 appId
+            fullName = appId + '.' + className;
+        }
+        else {
+            fullName = className;
+        }
+        // 提取包前缀 (去掉最后一个 . 之后的类名)
+        const lastDot = fullName.lastIndexOf('.');
+        if (lastDot > 0) {
+            prefixes.add(fullName.substring(0, lastDot));
+        }
+    }
+    return prefixes;
+}
+// ─── Path → Package Conversion ────────────────────────────
+/**
+ * 将 jadx 反编译文件路径转换为 Java 包名
+ *
+ * 输入:  "sources/com/jxd/whj_learn/utils/AesUtils.java"
+ * 输出:  "com.jxd.whj_learn.utils"
+ *
+ * 容错: 路径可能不含 "sources/" 前缀 (Semgrep 输出路径取决于扫描根目录)
+ */
+export function pathToPackage(filePath) {
+    // 统一路径分隔符
+    let normalized = filePath.replace(/\\/g, '/');
+    // 去除 sources/ 前缀 (jadx 惯例)
+    normalized = normalized.replace(/^sources\//, '');
+    // 去除最后的文件名 (最后的 / 之后的部分)
+    const lastSlash = normalized.lastIndexOf('/');
+    if (lastSlash > 0) {
+        normalized = normalized.substring(0, lastSlash);
+    }
+    else if (lastSlash === -1) {
+        // 无目录路径 (e.g. R.java) → 无包信息
+        return '';
+    }
+    // lastSlash === 0: 路径以 / 开头, 但无中间目录 → 无包
+    // / → .
+    return normalized.replace(/\//g, '.');
+}
+// ─── Classification Logic ─────────────────────────────────
+/**
+ * 检查包名是否匹配 SDK 白名单前缀
+ */
+function matchesSdkWhitelist(pkg) {
+    const lowerPkg = pkg.toLowerCase();
+    for (const prefix of SDK_WHITELIST) {
+        const lowerPrefix = prefix.toLowerCase();
+        // 精确前缀匹配: 包名 === 前缀 或 包名以 "前缀." 开头
+        if (lowerPkg === lowerPrefix || lowerPkg.startsWith(lowerPrefix + '.')) {
+            return { matched: true, prefix };
+        }
+    }
+    return { matched: false, prefix: '' };
+}
+/**
+ * 检查包名是否是嵌套 SDK (app 包内嵌入的 SDK 代码)
+ *
+ * 例:  appId = "com.jxd.whj_learn"
+ *      包名   = "com.jxd.whj_learn.tencent.x"
+ *      → com.jxd.whj_learn 是 appId 前缀，tencent 是 SDK marker
+ *
+ * 返回: null 如果不是嵌套; 否则返回 { marker, parent }
+ */
+function checkNestedSdk(pkg, appId) {
+    if (!pkg.startsWith(appId + '.'))
+        return null;
+    // 提取 appId 之后的子段
+    const suffix = pkg.substring(appId.length + 1);
+    const parts = suffix.split('.');
+    // 检查第一个子段是否为已知 SDK marker
+    if (parts.length > 0 && SDK_MARKERS.has(parts[0].toLowerCase())) {
+        return { marker: parts[0], parent: appId };
+    }
+    return null;
+}
+/**
+ * 对单条 Semgrep finding 进行分类
+ */
+export function classifyFinding(finding, appId, componentPrefixes) {
+    const pkg = pathToPackage(finding.path);
+    // Priority 1: 精确匹配 applicationId 前缀 → APP
+    if (pkg === appId || pkg.startsWith(appId + '.')) {
+        // 再检查是否是嵌套 SDK
+        const nested = checkNestedSdk(pkg, appId);
+        if (nested) {
+            return {
+                path: finding.path,
+                package: pkg,
+                check_id: finding.check_id,
+                severity: finding.extra.severity,
+                line: finding.start.line,
+                message: finding.extra.message,
+                classification: 'SDK',
+                confidence: 'medium',
+                source: 'nested-sdk',
+                reason: `包 ${pkg} 属于应用 ${appId}，但包含内嵌 SDK 标记 \"${nested.marker}\"`,
+            };
+        }
+        return {
+            path: finding.path,
+            package: pkg,
+            check_id: finding.check_id,
+            severity: finding.extra.severity,
+            line: finding.start.line,
+            message: finding.extra.message,
+            classification: 'APP',
+            confidence: 'very-high',
+            source: 'exact-appid',
+            reason: `包 ${pkg} 直接匹配应用 ID ${appId}`,
+        };
+    }
+    // Priority 2: 匹配声明的组件包前缀 → APP
+    for (const prefix of componentPrefixes) {
+        if (pkg === prefix || pkg.startsWith(prefix + '.')) {
+            return {
+                path: finding.path,
+                package: pkg,
+                check_id: finding.check_id,
+                severity: finding.extra.severity,
+                line: finding.start.line,
+                message: finding.extra.message,
+                classification: 'APP',
+                confidence: 'high',
+                source: 'component-list',
+                reason: `包 ${pkg} 匹配已声明的组件前缀 ${prefix}`,
+            };
+        }
+    }
+    // Priority 3: SDK 白名单匹配 → SDK
+    const sdkMatch = matchesSdkWhitelist(pkg);
+    if (sdkMatch.matched) {
+        return {
+            path: finding.path,
+            package: pkg,
+            check_id: finding.check_id,
+            severity: finding.extra.severity,
+            line: finding.start.line,
+            message: finding.extra.message,
+            classification: 'SDK',
+            confidence: 'very-high',
+            source: 'sdk-whitelist',
+            reason: `包 ${pkg} 匹配 SDK 白名单前缀 ${sdkMatch.prefix}`,
+        };
+    }
+    // Priority 4: 无法分类 → UNKNOWN
+    return {
+        path: finding.path,
+        package: pkg,
+        check_id: finding.check_id,
+        severity: finding.extra.severity,
+        line: finding.start.line,
+        message: finding.extra.message,
+        classification: 'UNKNOWN',
+        confidence: 'low',
+        source: 'fallback',
+        reason: `包 ${pkg} 不匹配应用 ID、组件列表或 SDK 白名单`,
+    };
+}
+// ─── Public API ───────────────────────────────────────────
+/**
+ * 批量分类 Semgrep findings
+ *
+ * @param findings - Semgrep --json 输出的 results 数组
+ * @param manifestPath - jadx 输出中的 AndroidManifest.xml 路径
+ * @returns 带分类标签的 finding 列表
+ */
+export function classifyFindings(findings, manifestPath) {
+    const appId = extractApplicationId(manifestPath);
+    const componentPrefixes = getComponentPackages(manifestPath);
+    return findings.map((f) => classifyFinding(f, appId, componentPrefixes));
+}
+/**
+ * 按分类筛选 findings
+ *
+ * @param findings - 已分类的 findings
+ * @param classifications - 要保留的分类列表 (e.g. ['APP', 'UNKNOWN'])
+ * @returns 筛选后的 findings
+ */
+export function filterByClassification(findings, classifications) {
+    const set = new Set(classifications.map((c) => c.toUpperCase()));
+    return findings.filter((f) => set.has(f.classification));
+}
+/**
+ * 生成分类统计摘要
+ */
+export function getClassificationStats(findings) {
+    const stats = {
+        total: findings.length,
+        app: 0,
+        sdk: 0,
+        unknown: 0,
+        byConfidence: {},
+        bySource: {},
+    };
+    for (const f of findings) {
+        // 分类计数
+        if (f.classification === 'APP')
+            stats.app++;
+        else if (f.classification === 'SDK')
+            stats.sdk++;
+        else
+            stats.unknown++;
+        // 置信度分布
+        stats.byConfidence[f.confidence] = (stats.byConfidence[f.confidence] || 0) + 1;
+        // 来源分布
+        stats.bySource[f.source] = (stats.bySource[f.source] || 0) + 1;
+    }
+    return stats;
+}
+//# sourceMappingURL=finding_classifier.js.map

package/dist/engine/finding_classifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"finding_classifier.js","sourceRoot":"","sources":["../../src/engine/finding_classifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AA0CnD,6DAA6D;AAE7D;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,aAAa,GAAa;IAC9B,uBAAuB;IACvB,SAAS;IACT,UAAU;IACV,aAAa;IACb,YAAY;IACZ,MAAM;IACN,aAAa;IACb,YAAY;IACZ,YAAY;IACZ,KAAK;IACL,WAAW;IACX,MAAM;IACN,aAAa;IACb,QAAQ;IACR,OAAO;IACP,UAAU;IACV,OAAO;IACP,aAAa;IACb,kBAAkB;IAClB,cAAc;IACd,qCAAqC;IACrC,cAAc;IACd,SAAS;IACT,MAAM;IACN,WAAW;IACX,QAAQ;IACR,UAAU;IACV,aAAa;IACb,YAAY;IACZ,aAAa;IACb,qBAAqB;IACrB,YAAY;IACZ,eAAe;IACf,UAAU;IACV,aAAa;IACb,UAAU;IACV,eAAe;IACf,SAAS;IACT,cAAc;IACd,IAAI;IACJ,mBAAmB;IACnB,cAAc;IACd,yBAAyB;IACzB,cAAc;IACd,gBAAgB;IAChB,YAAY;IACZ,SAAS;IACT,YAAY;IACZ,KAAK;IACL,YAAY;IACZ,OAAO;IACP,UAAU;IACV,OAAO;IACP,UAAU;IACV,KAAK;IACL,WAAW;IACX,KAAK;IACL,WAAW;IACX,WAAW;IACX,WAAW;IACX,8BAA8B;IAC9B,WAAW;IACX,SAAS;IACT,YAAY;IACZ,KAAK;IACL,YAAY;IACZ,WAAW;IACX,wBAAwB;IACxB,cAAc;IACd,6BAA6B;IAC7B,gBAAgB;IAChB,qBAAqB;IACrB,WAAW;IACX,yBAAyB;IACzB,iBAAiB;IACjB,WAAW;IACX,WAAW;IACX,QAAQ;IACR,WAAW;IACX,eAAe;IACf,kBAAkB;IAClB,QAAQ;IACR,WAAW;IACX,0BAA0B;IAC1B,uBAAuB;IACvB,kBAAkB;IAClB,oBAAoB;IACpB,qBAAqB;IACrB,sBAAsB;IACtB,OAAO;IACP,UAAU;IACV,YAAY;IACZ,cAAc;IACd,QAAQ;IACR,WAAW;IACX,uBAAuB;IACvB,UAAU;IACV,kBAAkB;IAClB,YAAY;IACZ,4BAA4B;IAC5B,UAAU;IACV,QAAQ;IACR,WAAW;IACX,uBAAuB;IACvB,YAAY;IACZ,2BAA2B;IAC3B,YAAY;IACZ,wBAAwB;IACxB,cAAc;IACd,gCAAgC;IAChC,gBAAgB;IAChB,4BAA4B;IAC5B,eAAe;IACf,wBAAwB;IACxB,cAAc;IACd,2DAA2D;IAC3D,cAAc;IACd,kBAAkB;IAClB,qBAAqB;IACrB,kBAAkB;IAClB,WAAW;IACX,sCAAsC;IACtC,eAAe;IACf,uDAAuD;IACvD,iBAAiB;CAClB,CAAC;AAEF;;;GAGG;AACH,MAAM,WAAW,GAAgB,IAAI,GAAG,CAAC;IACvC,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO;IACvD,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ;IAC3D,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO;IACnD,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,aAAa;IAC/C,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO;IAClD,WAAW,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO;CACzC,CAAC,CAAC;AAEH,6DAA6D;AAE7D;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAAC,YAAoB;IACvD,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,4BAA4B,YAAY,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,GAAG,GAAG,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAEhD,kDAAkD;IAClD,qBAAqB;IACrB,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;IAC9E,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,0CAA0C,YAAY,EAAE,CAAC,CAAC;IAC5E,CAAC;IAED,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;AAC5B,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAAC,YAAoB;IACvD,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,4BAA4B,YAAY,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,GAAG,GAAG,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAChD,MAAM,KAAK,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAC;IAEjD,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IAEnC,0BAA0B;IAC1B,qDAAqD;IACrD,sCAAsC;IACtC,mDAAmD;IACnD,wCAAwC;IACxC,MAAM,gBAAgB,GAAG,sFAAsF,CAAC;IAEhH,IAAI,KAA6B,CAAC;IAClC,OAAO,CAAC,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACrD,IAAI,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAChC,IAAI,QAAgB,CAAC;QAErB,mBAAmB;QACnB,sCAAsC;QACtC,kCAAkC;QAClC,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9B,QAAQ,GAAG,KAAK,GAAG,SAAS,CAAC;QAC/B,CAAC;aAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACpC,wBAAwB;YACxB,QAAQ,GAAG,KAAK,GAAG,GAAG,GAAG,SAAS,CAAC;QACrC,CAAC;aAAM,CAAC;YACN,QAAQ,GAAG,SAAS,CAAC;QACvB,CAAC;QAED,yBAAyB;QACzB,MAAM,OAAO,GAAG,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QAC1C,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;YAChB,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,6DAA6D;AAE7D;;;;;;;GAOG;AACH,MAAM,UAAU,aAAa,CAAC,QAAgB;IAC5C,UAAU;IACV,IAAI,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAE9C,2BAA2B;IAC3B,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;IAElD,yBAAyB;IACzB,MAAM,SAAS,GAAG,UAAU,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IAC9C,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;QAClB,UAAU,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;IAClD,CAAC;SAAM,IAAI,SAAS,KAAK,CAAC,CAAC,EAAE,CAAC;QAC5B,6BAA6B;QAC7B,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,yCAAyC;IAEzC,QAAQ;IACR,OAAO,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;AACxC,CAAC;AAED,6DAA6D;AAE7D;;GAEG;AACH,SAAS,mBAAmB,CAAC,GAAW;IACtC,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;IACnC,KAAK,MAAM,MAAM,IAAI,aAAa,EAAE,CAAC;QACnC,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;QACzC,mCAAmC;QACnC,IAAI,QAAQ,KAAK,WAAW,IAAI,QAAQ,CAAC,UAAU,CAAC,WAAW,GAAG,GAAG,CAAC,EAAE,CAAC;YACvE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;QACnC,CAAC;IACH,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;AACxC,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,cAAc,CAAC,GAAW,EAAE,KAAa;IAChD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,KAAK,GAAG,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAE9C,iBAAiB;IACjB,MAAM,MAAM,GAAG,GAAG,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC/C,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAEhC,0BAA0B;IAC1B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,WAAW,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QAChE,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;IAC7C,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAC7B,OAAsB,EACtB,KAAa,EACb,iBAA8B;IAE9B,MAAM,GAAG,GAAG,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAExC,0CAA0C;IAC1C,IAAI,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,UAAU,CAAC,KAAK,GAAG,GAAG,CAAC,EAAE,CAAC;QACjD,eAAe;QACf,MAAM,MAAM,GAAG,cAAc,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC1C,IAAI,MAAM,EAAE,CAAC;YACX,OAAO;gBACL,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,OAAO,EAAE,GAAG;gBACZ,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,QAAQ;gBAChC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI;gBACxB,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,OAAO;gBAC9B,cAAc,EAAE,KAAK;gBACrB,UAAU,EAAE,QAAQ;gBACpB,MAAM,EAAE,YAAY;gBACpB,MAAM,EAAE,KAAK,GAAG,SAAS,KAAK,mBAAmB,MAAM,CAAC,MAAM,IAAI;aACnE,CAAC;QACJ,CAAC;QAED,OAAO;YACL,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,OAAO,EAAE,GAAG;YACZ,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,QAAQ;YAChC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI;YACxB,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,OAAO;YAC9B,cAAc,EAAE,KAAK;YACrB,UAAU,EAAE,WAAW;YACvB,MAAM,EAAE,aAAa;YACrB,MAAM,EAAE,KAAK,GAAG,cAAc,KAAK,EAAE;SACtC,CAAC;IACJ,CAAC;IAED,+BAA+B;IAC/B,KAAK,MAAM,MAAM,IAAI,iBAAiB,EAAE,CAAC;QACvC,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC,EAAE,CAAC;YACnD,OAAO;gBACL,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,OAAO,EAAE,GAAG;gBACZ,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,QAAQ;gBAChC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI;gBACxB,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,OAAO;gBAC9B,cAAc,EAAE,KAAK;gBACrB,UAAU,EAAE,MAAM;gBAClB,MAAM,EAAE,gBAAgB;gBACxB,MAAM,EAAE,KAAK,GAAG,eAAe,MAAM,EAAE;aACxC,CAAC;QACJ,CAAC;IACH,CAAC;IAED,8BAA8B;IAC9B,MAAM,QAAQ,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;IAC1C,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;QACrB,OAAO;YACL,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,OAAO,EAAE,GAAG;YACZ,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,QAAQ;YAChC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI;YACxB,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,OAAO;YAC9B,cAAc,EAAE,KAAK;YACrB,UAAU,EAAE,WAAW;YACvB,MAAM,EAAE,eAAe;YACvB,MAAM,EAAE,KAAK,GAAG,iBAAiB,QAAQ,CAAC,MAAM,EAAE;SACnD,CAAC;IACJ,CAAC;IAED,6BAA6B;IAC7B,OAAO;QACL,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,OAAO,EAAE,GAAG;QACZ,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,QAAQ,EAAE,OAAO,CAAC,KAAK,CAAC,QAAQ;QAChC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC,IAAI;QACxB,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,OAAO;QAC9B,cAAc,EAAE,SAAS;QACzB,UAAU,EAAE,KAAK;QACjB,MAAM,EAAE,UAAU;QAClB,MAAM,EAAE,KAAK,GAAG,yBAAyB;KAC1C,CAAC;AACJ,CAAC;AAED,6DAA6D;AAE7D;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAC9B,QAAyB,EACzB,YAAoB;IAEpB,MAAM,KAAK,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAC;IACjD,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,YAAY,CAAC,CAAC;IAE7D,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,CAAC,EAAE,KAAK,EAAE,iBAAiB,CAAC,CAAC,CAAC;AAC3E,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,sBAAsB,CACpC,QAA6B,EAC7B,eAAyB;IAEzB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IACjE,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC;AAC3D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,QAA6B;IAClE,MAAM,KAAK,GAAwB;QACjC,KAAK,EAAE,QAAQ,CAAC,MAAM;QACtB,GAAG,EAAE,CAAC;QACN,GAAG,EAAE,CAAC;QACN,OAAO,EAAE,CAAC;QACV,YAAY,EAAE,EAAE;QAChB,QAAQ,EAAE,EAAE;KACb,CAAC;IAEF,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,OAAO;QACP,IAAI,CAAC,CAAC,cAAc,KAAK,KAAK;YAAE,KAAK,CAAC,GAAG,EAAE,CAAC;aACvC,IAAI,CAAC,CAAC,cAAc,KAAK,KAAK;YAAE,KAAK,CAAC,GAAG,EAAE,CAAC;;YAC5C,KAAK,CAAC,OAAO,EAAE,CAAC;QAErB,QAAQ;QACR,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QAE/E,OAAO;QACP,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IACjE,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/engine/incremental/engine.d.ts

@@ -0,0 +1,25 @@
+/**
+ * 逐码 ZhuMa V4.1 — 增量扫描引擎
+ *
+ * 核心流程:
+ *   1. 读取 .zhuma-cache/incremental-state.json
+ *   2. Git diff 获取变更文件列表
+ *   3. 对变更文件调用 Semgrep (传具体文件路径)
+ *   4. 未变更文件复用 findingsCache 缓存
+ *   5. 合并结果 + 写入新缓存
+ *   6. 返回 ScanResult + 增量元信息
+ *
+ * 回退策略: 缓存损坏/不存在/Git 不可用 → 自动回退全量扫描
+ *
+ * S1-2: 增量扫描引擎 | 众安天下 · 猎鹰情报威胁中心
+ */
+import type { ScanOptions, ScanResult } from '@zhuma4/sdk';
+/**
+ * 运行增量扫描
+ *
+ * @param targetPath - 项目根目录
+ * @param options - 扫描配置
+ * @returns ScanResult 含增量元信息
+ */
+export declare function runIncrementalScan(targetPath: string, options: ScanOptions): Promise<ScanResult>;
+//# sourceMappingURL=engine.d.ts.map

package/dist/engine/incremental/engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../../../src/engine/incremental/engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAYH,OAAO,KAAK,EAAE,WAAW,EAAE,UAAU,EAAW,MAAM,aAAa,CAAC;AAgMpE;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CACtC,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,WAAW,GACnB,OAAO,CAAC,UAAU,CAAC,CAgMrB"}