@zhuma4/cli 4.0.0-alpha.1

package/dist/engine/project.js

@@ -0,0 +1,279 @@
+/**
+ * 项目初始化引擎 — V4.1 Sprint 1
+ * 自动检测语言/框架/构建工具，生成 .zhuma.yaml
+ *
+ * 对标 snyk init / murphysec init 一键式体验
+ */
+import { readdir, writeFile, access, readFile } from 'node:fs/promises';
+import { resolve, join, basename } from 'node:path';
+import chalk from 'chalk';
+/** 构建工具 → 语言映射 */
+const BUILD_TOOL_LANG = {
+    'pom.xml': { language: 'java', buildTool: 'maven' },
+    'build.gradle': { language: 'java', buildTool: 'gradle' },
+    'build.gradle.kts': { language: 'java', buildTool: 'gradle' },
+    'settings.gradle': { language: 'java', buildTool: 'gradle' },
+    'package.json': { language: 'javascript', buildTool: 'npm' },
+    'pnpm-lock.yaml': { language: 'javascript', buildTool: 'pnpm' },
+    'yarn.lock': { language: 'javascript', buildTool: 'yarn' },
+    'package-lock.json': { language: 'javascript', buildTool: 'npm' },
+    'requirements.txt': { language: 'python', buildTool: 'pip' },
+    'Pipfile': { language: 'python', buildTool: 'pip' },
+    'Pipfile.lock': { language: 'python', buildTool: 'pip' },
+    'pyproject.toml': { language: 'python', buildTool: 'poetry' },
+    'go.mod': { language: 'go', buildTool: 'go-mod' },
+};
+/** 框架特征检测 */
+async function detectFramework(dir, language, buildTool) {
+    if (language === 'java') {
+        try {
+            // Spring Boot 检测
+            const pomPath = join(dir, 'pom.xml');
+            const pom = await readFile(pomPath, 'utf-8');
+            if (pom.includes('spring-boot-starter') || pom.includes('spring-boot'))
+                return 'Spring Boot';
+            if (pom.includes('mybatis'))
+                return 'MyBatis';
+        }
+        catch { /* pom.xml not found, try gradle */ }
+        try {
+            const gradlePath = join(dir, 'build.gradle');
+            const gradle = await readFile(gradlePath, 'utf-8');
+            if (gradle.includes('spring-boot'))
+                return 'Spring Boot';
+        }
+        catch { /* no gradle */ }
+        return 'Maven/Java';
+    }
+    if (language === 'javascript') {
+        try {
+            const pkgPath = join(dir, 'package.json');
+            const pkg = JSON.parse(await readFile(pkgPath, 'utf-8'));
+            const deps = { ...pkg.dependencies, ...pkg.devDependencies };
+            if (deps.next)
+                return 'Next.js';
+            if (deps.nuxt)
+                return 'Nuxt';
+            if (deps.react)
+                return 'React';
+            if (deps.vue)
+                return 'Vue';
+            if (deps.express)
+                return 'Express';
+            if (deps.fastify)
+                return 'Fastify';
+            if (deps.nestjs || deps['@nestjs/core'])
+                return 'NestJS';
+        }
+        catch { /* no package.json */ }
+        return 'Node.js';
+    }
+    if (language === 'python') {
+        try {
+            const reqPath = join(dir, 'requirements.txt');
+            const req = await readFile(reqPath, 'utf-8');
+            if (req.includes('flask') || req.includes('Flask'))
+                return 'Flask';
+            if (req.includes('django') || req.includes('Django'))
+                return 'Django';
+            if (req.includes('fastapi') || req.includes('FastAPI'))
+                return 'FastAPI';
+        }
+        catch { /* no requirements.txt */ }
+        return 'Python';
+    }
+    return 'Unknown';
+}
+async function detectTestFramework(dir, language) {
+    if (language === 'java') {
+        const files = await readdir(dir).catch(() => []);
+        if (files.includes('pom.xml')) {
+            try {
+                const pom = await readFile(join(dir, 'pom.xml'), 'utf-8');
+                if (pom.includes('junit-jupiter'))
+                    return 'JUnit 5';
+                if (pom.includes('junit'))
+                    return 'JUnit 4';
+                if (pom.includes('testng'))
+                    return 'TestNG';
+            }
+            catch { /* */ }
+        }
+        return 'JUnit';
+    }
+    if (language === 'javascript') {
+        try {
+            const pkg = JSON.parse(await readFile(join(dir, 'package.json'), 'utf-8'));
+            const deps = { ...pkg.dependencies, ...pkg.devDependencies };
+            if (deps.vitest)
+                return 'Vitest';
+            if (deps.jest)
+                return 'Jest';
+            if (deps.mocha)
+                return 'Mocha';
+        }
+        catch { /* */ }
+        return 'Unknown';
+    }
+    if (language === 'python') {
+        try {
+            const req = await readFile(join(dir, 'requirements.txt'), 'utf-8');
+            if (req.includes('pytest'))
+                return 'Pytest';
+            if (req.includes('unittest'))
+                return 'Unittest';
+        }
+        catch { /* */ }
+        return 'Unknown';
+    }
+    return 'Unknown';
+}
+/**
+ * 全维度检测项目
+ */
+export async function detectProject(dir) {
+    const detectedBy = [];
+    let language = 'unknown';
+    let buildTool = 'unknown';
+    let framework = 'none';
+    let testFramework = 'unknown';
+    const entries = await readdir(dir).catch(() => []);
+    for (const [file, mapping] of Object.entries(BUILD_TOOL_LANG)) {
+        if (entries.includes(file)) {
+            language = mapping.language;
+            buildTool = mapping.buildTool;
+            detectedBy.push(file);
+            break; // 第一个命中即止
+        }
+    }
+    // TS 特判：package.json 中 typescript 或 tsconfig.json 存在
+    if (language === 'javascript' && (entries.includes('tsconfig.json') || entries.includes('tsconfig.base.json'))) {
+        try {
+            const pkg = JSON.parse(await readFile(join(dir, 'package.json'), 'utf-8'));
+            if (pkg.devDependencies?.typescript || pkg.dependencies?.typescript) {
+                language = 'typescript';
+            }
+        }
+        catch { /* keep javascript */ }
+    }
+    if (language !== 'unknown') {
+        framework = await detectFramework(dir, language, buildTool);
+        testFramework = await detectTestFramework(dir, language);
+    }
+    return {
+        language,
+        framework,
+        buildTool,
+        testFramework,
+        confidence: detectedBy.length > 0 ? 0.95 : 0,
+        detectedBy,
+    };
+}
+/**
+ * 生成 .zhuma.yaml
+ */
+async function generateConfig(dir, det, overrides) {
+    const rules = ['common'];
+    if (det.language === 'java' || det.language === 'kotlin')
+        rules.push('java');
+    if (det.language === 'javascript' || det.language === 'typescript')
+        rules.push('javascript');
+    if (det.language === 'python')
+        rules.push('python');
+    if (det.language === 'go')
+        rules.push('go');
+    // V4.1: 根据框架推荐额外规则
+    if (det.framework.includes('Spring'))
+        rules.push('spring');
+    if (det.framework.includes('Express') || det.framework.includes('NestJS'))
+        rules.push('express');
+    const finalLang = overrides?.language ?? det.language;
+    const config = {
+        version: '4.1.0-alpha',
+        created: new Date().toISOString(),
+        project: {
+            name: basename(dir),
+            root: dir,
+            language: finalLang,
+            framework: det.framework,
+        },
+        scan: {
+            rules,
+            exclude: ['node_modules/', 'dist/', 'build/', '.git/', 'vendor/', 'target/', '__pycache__/', '.next/', '.nuxt/'],
+            timeout: 900,
+        },
+        report: {
+            format: 'html',
+            template: 'allsec-blue',
+        },
+    };
+    return config;
+}
+/**
+ * 初始化项目 — 主入口
+ */
+export async function initProject(options) {
+    const dir = resolve(options.dir ?? process.cwd());
+    const projectName = basename(dir);
+    console.log(chalk.cyan(`\n🔍 逐码 — 正在分析项目: ${chalk.bold(projectName)}\n`));
+    // Step 1: 检测
+    const det = await detectProject(dir);
+    if (det.language === 'unknown' && !options.language) {
+        console.log(chalk.yellow('⚠ 未检测到已知项目类型。'));
+        console.log(chalk.gray('  支持的构建文件: pom.xml / build.gradle / package.json / requirements.txt / go.mod'));
+        console.log(chalk.gray('  也可手动指定: zhuma init --language java\n'));
+        return;
+    }
+    // Step 2: 展示检测结果
+    console.log(chalk.green('✅ 项目检测结果:'));
+    console.log(`   语言:       ${chalk.bold(det.language)}`);
+    console.log(`   框架:       ${chalk.bold(det.framework)}`);
+    console.log(`   构建工具:   ${chalk.bold(det.buildTool)}`);
+    if (det.testFramework !== 'unknown') {
+        console.log(`   测试框架:   ${chalk.bold(det.testFramework)}`);
+    }
+    console.log(`   检测依据:   ${chalk.gray(det.detectedBy.join(', '))}`);
+    console.log(`   置信度:     ${chalk.bold((det.confidence * 100).toFixed(0) + '%')}`);
+    // Step 3: 生成配置
+    const config = await generateConfig(dir, det, { language: options.language });
+    const configPath = join(dir, '.zhuma.yaml');
+    // 检查是否已存在
+    let exists = false;
+    try {
+        await access(configPath);
+        exists = true;
+    }
+    catch { /* 不存在 */ }
+    if (exists) {
+        console.log(chalk.yellow(`\n⚠ .zhuma.yaml 已存在，将被覆盖。`));
+    }
+    // YAML 格式输出 (比 JSON 可读性好)
+    const yaml = `# 逐码 ZhuMa — 项目扫描配置
+# 生成时间: ${config.created}
+# 版本: ${config.version}
+
+version: "${config.version}"
+created: "${config.created}"
+
+project:
+  name: "${config.project.name}"
+  root: "${config.project.root}"
+  language: "${config.project.language}"
+  framework: "${config.project.framework}"
+
+scan:
+  rules:
+${config.scan.rules.map(r => `    - ${r}`).join('\n')}
+  exclude:
+${config.scan.exclude.map(e => `    - ${e}`).join('\n')}
+  timeout: ${config.scan.timeout}
+
+report:
+  format: "${config.report.format}"
+  template: "${config.report.template}"
+`;
+    await writeFile(configPath, yaml, 'utf-8');
+    console.log(chalk.green(`\n✅ 配置文件已生成: ${chalk.bold(configPath)}`));
+    console.log(chalk.cyan(`\n🚀 运行 ${chalk.bold('zhuma scan')} 开始安全审计\n`));
+}
+//# sourceMappingURL=project.js.map

package/dist/engine/project.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"project.js","sourceRoot":"","sources":["../../src/engine/project.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AACxE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AACpD,OAAO,KAAK,MAAM,OAAO,CAAC;AAS1B,kBAAkB;AAClB,MAAM,eAAe,GAAiE;IACpF,SAAS,EAAe,EAAE,QAAQ,EAAE,MAAM,EAAQ,SAAS,EAAE,OAAO,EAAE;IACtE,cAAc,EAAU,EAAE,QAAQ,EAAE,MAAM,EAAQ,SAAS,EAAE,QAAQ,EAAE;IACvE,kBAAkB,EAAM,EAAE,QAAQ,EAAE,MAAM,EAAQ,SAAS,EAAE,QAAQ,EAAE;IACvE,iBAAiB,EAAO,EAAE,QAAQ,EAAE,MAAM,EAAQ,SAAS,EAAE,QAAQ,EAAE;IACvE,cAAc,EAAU,EAAE,QAAQ,EAAE,YAAY,EAAE,SAAS,EAAE,KAAK,EAAE;IACpE,gBAAgB,EAAQ,EAAE,QAAQ,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE;IACrE,WAAW,EAAa,EAAE,QAAQ,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE;IACrE,mBAAmB,EAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,SAAS,EAAE,KAAK,EAAE;IACpE,kBAAkB,EAAM,EAAE,QAAQ,EAAE,QAAQ,EAAM,SAAS,EAAE,KAAK,EAAE;IACpE,SAAS,EAAe,EAAE,QAAQ,EAAE,QAAQ,EAAM,SAAS,EAAE,KAAK,EAAE;IACpE,cAAc,EAAU,EAAE,QAAQ,EAAE,QAAQ,EAAM,SAAS,EAAE,KAAK,EAAE;IACpE,gBAAgB,EAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAM,SAAS,EAAE,QAAQ,EAAE;IACvE,QAAQ,EAAgB,EAAE,QAAQ,EAAE,IAAI,EAAU,SAAS,EAAE,QAAQ,EAAE;CACxE,CAAC;AAEF,aAAa;AACb,KAAK,UAAU,eAAe,CAAC,GAAW,EAAE,QAAkB,EAAE,SAAoB;IAClF,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;QACxB,IAAI,CAAC;YACH,iBAAiB;YACjB,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;YACrC,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YAC7C,IAAI,GAAG,CAAC,QAAQ,CAAC,qBAAqB,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,aAAa,CAAC;gBAAE,OAAO,aAAa,CAAC;YAC7F,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAAE,OAAO,SAAS,CAAC;QAChD,CAAC;QAAC,MAAM,CAAC,CAAC,mCAAmC,CAAC,CAAC;QAC/C,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;YAC7C,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACnD,IAAI,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAC;gBAAE,OAAO,aAAa,CAAC;QAC3D,CAAC;QAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC;QAC3B,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC9B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC;YAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;YACzD,MAAM,IAAI,GAAG,EAAE,GAAG,GAAG,CAAC,YAAY,EAAE,GAAG,GAAG,CAAC,eAAe,EAAE,CAAC;YAC7D,IAAI,IAAI,CAAC,IAAI;gBAAE,OAAO,SAAS,CAAC;YAChC,IAAI,IAAI,CAAC,IAAI;gBAAE,OAAO,MAAM,CAAC;YAC7B,IAAI,IAAI,CAAC,KAAK;gBAAE,OAAO,OAAO,CAAC;YAC/B,IAAI,IAAI,CAAC,GAAG;gBAAE,OAAO,KAAK,CAAC;YAC3B,IAAI,IAAI,CAAC,OAAO;gBAAE,OAAO,SAAS,CAAC;YACnC,IAAI,IAAI,CAAC,OAAO;gBAAE,OAAO,SAAS,CAAC;YACnC,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,cAAc,CAAC;gBAAE,OAAO,QAAQ,CAAC;QAC3D,CAAC;QAAC,MAAM,CAAC,CAAC,qBAAqB,CAAC,CAAC;QACjC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC;YAC9C,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YAC7C,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC;gBAAE,OAAO,OAAO,CAAC;YACnE,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAAE,OAAO,QAAQ,CAAC;YACtE,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAAE,OAAO,SAAS,CAAC;QAC3E,CAAC;QAAC,MAAM,CAAC,CAAC,yBAAyB,CAAC,CAAC;QACrC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAC,GAAW,EAAE,QAAkB;IAChE,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAc,CAAC,CAAC;QAC7D,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YAC9B,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,EAAE,OAAO,CAAC,CAAC;gBAC1D,IAAI,GAAG,CAAC,QAAQ,CAAC,eAAe,CAAC;oBAAE,OAAO,SAAS,CAAC;gBACpD,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC;oBAAE,OAAO,SAAS,CAAC;gBAC5C,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBAAE,OAAO,QAAQ,CAAC;YAC9C,CAAC;YAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC;QACnB,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IACD,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;QAC9B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;YAC3E,MAAM,IAAI,GAAG,EAAE,GAAG,GAAG,CAAC,YAAY,EAAE,GAAG,GAAG,CAAC,eAAe,EAAE,CAAC;YAC7D,IAAI,IAAI,CAAC,MAAM;gBAAE,OAAO,QAAQ,CAAC;YACjC,IAAI,IAAI,CAAC,IAAI;gBAAE,OAAO,MAAM,CAAC;YAC7B,IAAI,IAAI,CAAC,KAAK;gBAAE,OAAO,OAAO,CAAC;QACjC,CAAC;QAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC;QACjB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,EAAE,OAAO,CAAC,CAAC;YACnE,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAAE,OAAO,QAAQ,CAAC;YAC5C,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAAE,OAAO,UAAU,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC;QACjB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,GAAW;IAC7C,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,IAAI,QAAQ,GAAa,SAAS,CAAC;IACnC,IAAI,SAAS,GAAc,SAAS,CAAC;IACrC,IAAI,SAAS,GAAG,MAAM,CAAC;IACvB,IAAI,aAAa,GAAG,SAAS,CAAC;IAE9B,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAc,CAAC,CAAC;IAE/D,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,eAAe,CAAC,EAAE,CAAC;QAC9D,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;YAC5B,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC;YAC9B,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACtB,MAAM,CAAC,UAAU;QACnB,CAAC;IACH,CAAC;IAED,qDAAqD;IACrD,IAAI,QAAQ,KAAK,YAAY,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC,EAAE,CAAC;QAC/G,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;YAC3E,IAAI,GAAG,CAAC,eAAe,EAAE,UAAU,IAAI,GAAG,CAAC,YAAY,EAAE,UAAU,EAAE,CAAC;gBACpE,QAAQ,GAAG,YAAY,CAAC;YAC1B,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAC,qBAAqB,CAAC,CAAC;IACnC,CAAC;IAED,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,SAAS,GAAG,MAAM,eAAe,CAAC,GAAG,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;QAC5D,aAAa,GAAG,MAAM,mBAAmB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAC3D,CAAC;IAED,OAAO;QACL,QAAQ;QACR,SAAS;QACT,SAAS;QACT,aAAa;QACb,UAAU,EAAE,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC5C,UAAU;KACX,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,cAAc,CAAC,GAAW,EAAE,GAAqB,EAAE,SAAiC;IACjG,MAAM,KAAK,GAAa,CAAC,QAAQ,CAAC,CAAC;IACnC,IAAI,GAAG,CAAC,QAAQ,KAAK,MAAM,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ;QAAE,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC7E,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY;QAAE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC7F,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ;QAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACpD,IAAI,GAAG,CAAC,QAAQ,KAAK,IAAI;QAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAE5C,mBAAmB;IACnB,IAAI,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC3D,IAAI,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAEjG,MAAM,SAAS,GAAG,SAAS,EAAE,QAAQ,IAAI,GAAG,CAAC,QAAQ,CAAC;IAEtD,MAAM,MAAM,GAAkB;QAC5B,OAAO,EAAE,aAAa;QACtB,OAAO,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACjC,OAAO,EAAE;YACP,IAAI,EAAE,QAAQ,CAAC,GAAG,CAAC;YACnB,IAAI,EAAE,GAAG;YACT,QAAQ,EAAE,SAAqB;YAC/B,SAAS,EAAE,GAAG,CAAC,SAAS;SACzB;QACD,IAAI,EAAE;YACJ,KAAK;YACL,OAAO,EAAE,CAAC,eAAe,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,cAAc,EAAE,QAAQ,EAAE,QAAQ,CAAC;YAChH,OAAO,EAAE,GAAG;SACb;QACD,MAAM,EAAE;YACN,MAAM,EAAE,MAAM;YACd,QAAQ,EAAE,aAAa;SACxB;KACF,CAAC;IAEF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAAoB;IACpD,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IAClD,MAAM,WAAW,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAElC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,qBAAqB,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC;IAE1E,aAAa;IACb,MAAM,GAAG,GAAG,MAAM,aAAa,CAAC,GAAG,CAAC,CAAC;IAErC,IAAI,GAAG,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC;QAC3C,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,8EAA8E,CAAC,CAAC,CAAC;QACxG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC,CAAC;QAClE,OAAO;IACT,CAAC;IAED,iBAAiB;IACjB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC;IACtC,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACxD,OAAO,CAAC,GAAG,CAAC,gBAAgB,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IACzD,OAAO,CAAC,GAAG,CAAC,cAAc,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IACvD,IAAI,GAAG,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,cAAc,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,cAAc,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC;IACnE,OAAO,CAAC,GAAG,CAAC,eAAe,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,EAAE,CAAC,CAAC;IAElF,eAAe;IACf,MAAM,MAAM,GAAG,MAAM,cAAc,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC9E,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IAE5C,UAAU;IACV,IAAI,MAAM,GAAG,KAAK,CAAC;IACnB,IAAI,CAAC;QAAC,MAAM,MAAM,CAAC,UAAU,CAAC,CAAC;QAAC,MAAM,GAAG,IAAI,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC,CAAC,SAAS,CAAC,CAAC;IAEpE,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,2BAA2B,CAAC,CAAC,CAAC;IACzD,CAAC;IAED,0BAA0B;IAC1B,MAAM,IAAI,GAAG;UACL,MAAM,CAAC,OAAO;QAChB,MAAM,CAAC,OAAO;;YAEV,MAAM,CAAC,OAAO;YACd,MAAM,CAAC,OAAO;;;WAGf,MAAM,CAAC,OAAO,CAAC,IAAI;WACnB,MAAM,CAAC,OAAO,CAAC,IAAI;eACf,MAAM,CAAC,OAAO,CAAC,QAAQ;gBACtB,MAAM,CAAC,OAAO,CAAC,SAAS;;;;EAItC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;;EAEnD,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;aAC1C,MAAM,CAAC,IAAI,CAAC,OAAO;;;aAGnB,MAAM,CAAC,MAAM,CAAC,MAAM;eAClB,MAAM,CAAC,MAAM,CAAC,QAAQ;CACpC,CAAC;IAEA,MAAM,SAAS,CAAC,UAAU,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IAE3C,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,gBAAgB,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;IACnE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC,CAAC;AAC1E,CAAC"}

package/dist/engine/sarif.d.ts

@@ -0,0 +1,13 @@
+/**
+ * SARIF 解析器 — 将 Semgrep SARIF 输出转换为逐码内部数据模型
+ */
+import type { Finding } from '@zhuma4/sdk';
+interface ParseOptions {
+    severityFilter?: string;
+}
+/**
+ * 解析 SARIF 到逐码 Finding 列表
+ */
+export declare function parseSarif(sarifRaw: unknown, options?: ParseOptions): Finding[];
+export {};
+//# sourceMappingURL=sarif.d.ts.map

package/dist/engine/sarif.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sarif.d.ts","sourceRoot":"","sources":["../../src/engine/sarif.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAkB3C,UAAU,YAAY;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AASD;;GAEG;AACH,wBAAgB,UAAU,CACxB,QAAQ,EAAE,OAAO,EACjB,OAAO,GAAE,YAAiB,GACzB,OAAO,EAAE,CAmCX"}

package/dist/engine/sarif.js

@@ -0,0 +1,44 @@
+/**
+ * SARIF 解析器 — 将 Semgrep SARIF 输出转换为逐码内部数据模型
+ */
+const SEVERITY_MAP = {
+    error: 'CRITICAL',
+    warning: 'HIGH',
+    note: 'MEDIUM',
+    none: 'LOW',
+};
+/**
+ * 解析 SARIF 到逐码 Finding 列表
+ */
+export function parseSarif(sarifRaw, options = {}) {
+    const sarif = sarifRaw;
+    const results = sarif.runs?.[0]?.results ?? [];
+    const { severityFilter } = options;
+    const findings = results.map((r) => {
+        const loc = r.locations[0]?.physicalLocation;
+        const region = loc?.region;
+        // 提取 SARIF snippet（代码片段）
+        const snippet = region?.['snippet'];
+        return {
+            ruleId: r.ruleId,
+            severity: SEVERITY_MAP[r.level] ?? 'LOW',
+            message: r.message.text,
+            file: loc?.artifactLocation.uri ?? '<unknown>',
+            line: region?.startLine ?? 0,
+            column: region?.startColumn ?? 0,
+            cwe: String(r.properties?.cweCategory ?? '').replace(/^(CWE-)?(\d+).*/, 'CWE-$2') || '',
+            precision: r.properties?.precision ?? 'unknown',
+            codeSnippet: snippet,
+        };
+    });
+    // 严重等级过滤
+    if (severityFilter) {
+        const levels = ['LOW', 'MEDIUM', 'HIGH', 'CRITICAL'];
+        const minIdx = levels.indexOf(severityFilter.toUpperCase());
+        if (minIdx >= 0) {
+            return findings.filter(f => levels.indexOf(f.severity) >= minIdx);
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=sarif.js.map

package/dist/engine/sarif.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sarif.js","sourceRoot":"","sources":["../../src/engine/sarif.ts"],"names":[],"mappings":"AAAA;;GAEG;AAwBH,MAAM,YAAY,GAAwC;IACxD,KAAK,EAAE,UAAU;IACjB,OAAO,EAAE,MAAM;IACf,IAAI,EAAE,QAAQ;IACd,IAAI,EAAE,KAAK;CACZ,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,UAAU,CACxB,QAAiB,EACjB,UAAwB,EAAE;IAE1B,MAAM,KAAK,GAAG,QAAyD,CAAC;IACxE,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,IAAI,EAAE,CAAC;IAC/C,MAAM,EAAE,cAAc,EAAE,GAAG,OAAO,CAAC;IAEnC,MAAM,QAAQ,GAAc,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QAC5C,MAAM,GAAG,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,gBAAgB,CAAC;QAC7C,MAAM,MAAM,GAAG,GAAG,EAAE,MAAM,CAAC;QAE3B,yBAAyB;QACzB,MAAM,OAAO,GAAwB,MAAyC,EAAE,CAAC,SAAS,CAAuB,CAAC;QAElH,OAAO;YACL,MAAM,EAAE,CAAC,CAAC,MAAM;YAChB,QAAQ,EAAE,YAAY,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,KAAK;YACxC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI;YACvB,IAAI,EAAE,GAAG,EAAE,gBAAgB,CAAC,GAAG,IAAI,WAAW;YAC9C,IAAI,EAAE,MAAM,EAAE,SAAS,IAAI,CAAC;YAC5B,MAAM,EAAE,MAAM,EAAE,WAAW,IAAI,CAAC;YAChC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC,UAAU,EAAE,WAAW,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,iBAAiB,EAAE,QAAQ,CAAC,IAAI,EAAE;YACvF,SAAS,EAAE,CAAC,CAAC,UAAU,EAAE,SAAS,IAAI,SAAS;YAC/C,WAAW,EAAE,OAAO;SACrB,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,SAAS;IACT,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,MAAM,GAA0B,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;QAC5E,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,WAAW,EAAyB,CAAC,CAAC;QACnF,IAAI,MAAM,IAAI,CAAC,EAAE,CAAC;YAChB,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,CAAC;QACpE,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/engine/sca-integration.d.ts

@@ -0,0 +1,36 @@
+/**
+ * 逐码 SCA 集成模块 — 将 SCA 引擎嵌入扫描管线
+ *
+ * scanCommand 传入 --sca → scanner → 本模块 → analyzeDependencies + reachability + SBOM 导出
+ */
+import type { Severity } from '@zhuma4/sdk';
+export interface ScaIntegrationResult {
+    /** SCA 发现（作为 Finding 注入主报告） */
+    findings: Array<{
+        ruleId: string;
+        severity: Severity;
+        message: string;
+        file: string;
+        line: number;
+        column: number;
+        cwe: string;
+        precision: string;
+    }>;
+    /** 依赖总数 */
+    totalDeps: number;
+    /** 有漏洞依赖数 */
+    vulnerableDeps: number;
+    /** SBOM 文件路径 */
+    sbomPath?: string;
+}
+/**
+ * 在扫描管线中集成 SCA 分析。
+ * target: 项目根目录
+ * outputDir: 报告输出目录（SBOM 也会放在这里）
+ */
+export declare function runScaInPipeline(target: string, outputDir: string): Promise<ScaIntegrationResult | null>;
+/**
+ * 扫描摘要中添加 SCA 行
+ */
+export declare function scaSummaryLine(scaResult: ScaIntegrationResult | null): string;
+//# sourceMappingURL=sca-integration.d.ts.map

package/dist/engine/sca-integration.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sca-integration.d.ts","sourceRoot":"","sources":["../../src/engine/sca-integration.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAKH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAE5C,MAAM,WAAW,oBAAoB;IACnC,+BAA+B;IAC/B,QAAQ,EAAE,KAAK,CAAC;QACd,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE,QAAQ,CAAC;QACnB,OAAO,EAAE,MAAM,CAAC;QAChB,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,CAAC;QACZ,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC,CAAC;IACH,WAAW;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa;IACb,cAAc,EAAE,MAAM,CAAC;IACvB,gBAAgB;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;GAIG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CA6EtC;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,SAAS,EAAE,oBAAoB,GAAG,IAAI,GAAG,MAAM,CAG7E"}

package/dist/engine/sca-integration.js

@@ -0,0 +1,91 @@
+/**
+ * 逐码 SCA 集成模块 — 将 SCA 引擎嵌入扫描管线
+ *
+ * scanCommand 传入 --sca → scanner → 本模块 → analyzeDependencies + reachability + SBOM 导出
+ */
+import { resolve } from 'node:path';
+import { pathToFileURL } from 'node:url';
+import { existsSync, mkdirSync, writeFileSync } from 'node:fs';
+/**
+ * 在扫描管线中集成 SCA 分析。
+ * target: 项目根目录
+ * outputDir: 报告输出目录（SBOM 也会放在这里）
+ */
+export async function runScaInPipeline(target, outputDir) {
+    const absTarget = resolve(target);
+    // 检测是否有依赖清单文件
+    const hasPom = existsSync(resolve(absTarget, 'pom.xml'));
+    const hasPackageJson = existsSync(resolve(absTarget, 'package.json'));
+    const hasRequirements = existsSync(resolve(absTarget, 'requirements.txt'));
+    if (!hasPom && !hasPackageJson && !hasRequirements) {
+        // 无依赖清单 → 跳过 SCA
+        return null;
+    }
+    // 懒加载 SCA 引擎 — ESM require file:// URL
+    const { analyzeDependencies, toCycloneDX, analyzeReachability } = await import(pathToFileURL(resolve(import.meta.dirname ?? '.', '..', '..', '..', 'sca', 'dist', 'index.js')).href);
+    console.log(`\n🔬 SCA 分析中...`);
+    const scaResult = await analyzeDependencies(absTarget, { skipCve: false });
+    if (scaResult.dependencies.length === 0) {
+        return null;
+    }
+    console.log(`   📦 ${scaResult.totalDependencies} 个依赖  |  🐛 ${scaResult.vulnerableCount} 个漏洞`);
+    // ── 可达性分析 ──
+    let reachableDeps = 0;
+    let unreachableDeps = 0;
+    try {
+        const reachReport = analyzeReachability(scaResult.dependencies, absTarget, { verbose: false });
+        reachableDeps = reachReport.reachable;
+        unreachableDeps = reachReport.unreachable;
+        if (reachableDeps > 0 || unreachableDeps > 0) {
+            console.log(`   🔗 可达: ${reachableDeps} / 不可达: ${unreachableDeps}`);
+        }
+    }
+    catch {
+        // 可达性分析可选
+    }
+    // ── SBOM 导出 ──
+    let sbomPath;
+    try {
+        if (!existsSync(outputDir))
+            mkdirSync(outputDir, { recursive: true });
+        const cdx = toCycloneDX(scaResult.dependencies, {
+            projectName: 'zhuma-scanned-project',
+            toolVersion: '4.1.0',
+        });
+        sbomPath = resolve(outputDir, 'sbom.cdx.json');
+        writeFileSync(sbomPath, cdx, 'utf-8');
+        console.log(`   📋 SBOM: ${sbomPath}`);
+    }
+    catch {
+        // SBOM 失败不阻塞
+    }
+    // ── CVE 转 Finding ──
+    const findings = [];
+    for (const vuln of scaResult.vulnerabilities) {
+        findings.push({
+            ruleId: `SCA-${vuln.cveId}`,
+            severity: vuln.severity,
+            message: `[SCA] ${vuln.cveId}: ${vuln.description} (CVSS ${vuln.cvss})${vuln.fixedVersion ? ` — 修复版本: ${vuln.fixedVersion}` : ''}`,
+            file: 'N/A (dependency)',
+            line: 0,
+            column: 0,
+            cwe: vuln.cwe ?? 'CWE-???',
+            precision: 'very-high',
+        });
+    }
+    return {
+        findings,
+        totalDeps: scaResult.totalDependencies,
+        vulnerableDeps: scaResult.vulnerableCount,
+        sbomPath,
+    };
+}
+/**
+ * 扫描摘要中添加 SCA 行
+ */
+export function scaSummaryLine(scaResult) {
+    if (!scaResult)
+        return '';
+    return `  📦 SCA: ${scaResult.totalDeps} deps, ${scaResult.vulnerableDeps} vulns`;
+}
+//# sourceMappingURL=sca-integration.js.map

package/dist/engine/sca-integration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sca-integration.js","sourceRoot":"","sources":["../../src/engine/sca-integration.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAuB/D;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,MAAc,EACd,SAAiB;IAEjB,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAElC,cAAc;IACd,MAAM,MAAM,GAAG,UAAU,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC;IACzD,MAAM,cAAc,GAAG,UAAU,CAAC,OAAO,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC,CAAC;IACtE,MAAM,eAAe,GAAG,UAAU,CAAC,OAAO,CAAC,SAAS,EAAE,kBAAkB,CAAC,CAAC,CAAC;IAE3E,IAAI,CAAC,MAAM,IAAI,CAAC,cAAc,IAAI,CAAC,eAAe,EAAE,CAAC;QACnD,iBAAiB;QACjB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,uCAAuC;IACvC,MAAM,EAAE,mBAAmB,EAAE,WAAW,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAC5E,aAAa,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC,IAAI,CACrG,CAAC;IAEF,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAC/B,MAAM,SAAS,GAAG,MAAM,mBAAmB,CAAC,SAAS,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;IAE3E,IAAI,SAAS,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,SAAS,SAAS,CAAC,iBAAiB,eAAe,SAAS,CAAC,eAAe,MAAM,CAAC,CAAC;IAEhG,cAAc;IACd,IAAI,aAAa,GAAG,CAAC,CAAC;IACtB,IAAI,eAAe,GAAG,CAAC,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,mBAAmB,CAAC,SAAS,CAAC,YAAY,EAAE,SAAS,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;QAC/F,aAAa,GAAG,WAAW,CAAC,SAAS,CAAC;QACtC,eAAe,GAAG,WAAW,CAAC,WAAW,CAAC;QAC1C,IAAI,aAAa,GAAG,CAAC,IAAI,eAAe,GAAG,CAAC,EAAE,CAAC;YAC7C,OAAO,CAAC,GAAG,CAAC,aAAa,aAAa,WAAW,eAAe,EAAE,CAAC,CAAC;QACtE,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,UAAU;IACZ,CAAC;IAED,gBAAgB;IAChB,IAAI,QAA4B,CAAC;IACjC,IAAI,CAAC;QACH,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;YAAE,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACtE,MAAM,GAAG,GAAG,WAAW,CAAC,SAAS,CAAC,YAAY,EAAE;YAC9C,WAAW,EAAE,uBAAuB;YACpC,WAAW,EAAE,OAAO;SACrB,CAAC,CAAC;QACH,QAAQ,GAAG,OAAO,CAAC,SAAS,EAAE,eAAe,CAAC,CAAC;QAC/C,aAAa,CAAC,QAAQ,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QACtC,OAAO,CAAC,GAAG,CAAC,eAAe,QAAQ,EAAE,CAAC,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,aAAa;IACf,CAAC;IAED,sBAAsB;IACtB,MAAM,QAAQ,GAAqC,EAAE,CAAC;IACtD,KAAK,MAAM,IAAI,IAAI,SAAS,CAAC,eAAe,EAAE,CAAC;QAC7C,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,OAAO,IAAI,CAAC,KAAK,EAAE;YAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,SAAS,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC,WAAW,UAAU,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE;YAClI,IAAI,EAAE,kBAAkB;YACxB,IAAI,EAAE,CAAC;YACP,MAAM,EAAE,CAAC;YACT,GAAG,EAAE,IAAI,CAAC,GAAG,IAAI,SAAS;YAC1B,SAAS,EAAE,WAAW;SACvB,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,QAAQ;QACR,SAAS,EAAE,SAAS,CAAC,iBAAiB;QACtC,cAAc,EAAE,SAAS,CAAC,eAAe;QACzC,QAAQ;KACT,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,SAAsC;IACnE,IAAI,CAAC,SAAS;QAAE,OAAO,EAAE,CAAC;IAC1B,OAAO,aAAa,SAAS,CAAC,SAAS,UAAU,SAAS,CAAC,cAAc,QAAQ,CAAC;AACpF,CAAC"}

package/dist/engine/scanner.d.ts

@@ -0,0 +1,18 @@
+/**
+ * 逐码扫描引擎 — Semgrep 调用封装
+ *
+ * V4.0 Alpha: 逐码规则 = 标准 Semgrep YAML，直连 rules/ 目录，零中间层
+ *   - Semgrep 原生 `--config <dir>` 递归加载所有 YAML
+ *   - 不做合并/格式转换/二次解析——这些是伪需求
+ *   - 规则选择（quick/severity/industries）是 V4.1+ 的真实问题，
+ *     但 V4.0 只有 common，所以当前是直通
+ *
+ * V4.3+: 自研深度数据流引擎替换 Semgrep，届时规则引擎独立
+ *
+ * 环境:
+ *   - Windows: semgrep → pysemgrep (v1.168.0+)
+ *   - 编码: PYTHONUTF8=1 (PowerShell GBK 兼容)
+ */
+import type { ScanOptions, ScanResult } from '@zhuma4/sdk';
+export declare function runScan(target: string, options: ScanOptions): Promise<ScanResult>;
+//# sourceMappingURL=scanner.d.ts.map

package/dist/engine/scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/engine/scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAKH,OAAO,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAsC3D,wBAAsB,OAAO,CAC3B,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,WAAW,GACnB,OAAO,CAAC,UAAU,CAAC,CAqDrB"}