@zhuma4/cli 4.0.0-alpha.1

package/dist/engine/scanner.js

@@ -0,0 +1,138 @@
+/**
+ * 逐码扫描引擎 — Semgrep 调用封装
+ *
+ * V4.0 Alpha: 逐码规则 = 标准 Semgrep YAML，直连 rules/ 目录，零中间层
+ *   - Semgrep 原生 `--config <dir>` 递归加载所有 YAML
+ *   - 不做合并/格式转换/二次解析——这些是伪需求
+ *   - 规则选择（quick/severity/industries）是 V4.1+ 的真实问题，
+ *     但 V4.0 只有 common，所以当前是直通
+ *
+ * V4.3+: 自研深度数据流引擎替换 Semgrep，届时规则引擎独立
+ *
+ * 环境:
+ *   - Windows: semgrep → pysemgrep (v1.168.0+)
+ *   - 编码: PYTHONUTF8=1 (PowerShell GBK 兼容)
+ */
+import { spawn } from 'node:child_process';
+import { resolve as resolvePath, join } from 'node:path';
+import { existsSync } from 'node:fs';
+import { semgrepNotFound, targetNotFound, semgrepCrashed, sarifParsedFailed, } from './errors.js';
+const SEMGREP_BIN = 'semgrep';
+const DEFAULT_TIMEOUT = 15 * 60 * 1000;
+function semgrepEnv() {
+    const env = {};
+    if (process.platform === 'win32') {
+        const pyScripts = join(process.env.APPDATA || join(process.env.USERPROFILE || 'C:\\Users', 'AppData', 'Roaming'), 'Python', 'Python311', 'Scripts');
+        if (existsSync(join(pyScripts, 'semgrep.exe'))) {
+            env.PATH = pyScripts + ';' + (process.env.PATH || '');
+        }
+    }
+    return env;
+}
+/** V4.1 默认规则目录 — 递归加载 common/android/iac
+ *  优先使用 CLI 包内自带的 rules/（NPM 安装），回退到 monorepo 路径 */
+function defaultRulesDir() {
+    // NPM 安装: @zhuma4/cli 包内自带 rules/ 目录
+    const pkgRoot = resolvePath(join(import.meta.dirname ?? '.', '..'));
+    const bundledRules = join(pkgRoot, 'rules');
+    if (existsSync(bundledRules))
+        return bundledRules;
+    // Monorepo 开发: packages/rules/
+    const monoRules = resolvePath(join(pkgRoot, '..', '..', 'rules'));
+    if (existsSync(monoRules))
+        return monoRules;
+    // 最后尝试 pkgRoot 上两级
+    return resolvePath(join(import.meta.dirname ?? '.', '..', '..', '..', 'rules'));
+}
+export async function runScan(target, options) {
+    const { rules, only, quick } = options;
+    // 规则目录: 用户指定 > 默认 common
+    const rulesDir = rules ? resolvePath(rules) : defaultRulesDir();
+    // severityFilter 直接用 Semgrep 原生 --severity
+    let severity;
+    if (only) {
+        const levelMap = {
+            critical: 'ERROR', high: 'WARNING', medium: 'INFO', low: 'NOTE',
+        };
+        severity = levelMap[only.toLowerCase()];
+    }
+    // quick 模式: 跳过 INFO/NOTE
+    if (quick && !severity)
+        severity = 'WARNING';
+    // 直接喂给 Semgrep — 规则目录递归加载
+    const sarif = await runSemgrep(target, rulesDir, severity);
+    // SARIF → 逐码 Finding
+    const { parseSarif } = await import('./sarif.js');
+    const findings = parseSarif(sarif, { severityFilter: only });
+    // 白名单过滤
+    const { filterFindings } = await import('./filter.js');
+    const filtered = filterFindings(findings);
+    // 生成报告
+    const { renderReport } = await import('../report/render.js');
+    const result = await renderReport(filtered, { target, output: options.output || 'html' });
+    // ── V4.1 SCA 集成 ──
+    if (options.sca) {
+        try {
+            const { runScaInPipeline, scaSummaryLine } = await import('./sca-integration.js');
+            const reportDir = resolvePath(result.outputPath, '..');
+            const scaResult = await runScaInPipeline(target, reportDir);
+            if (scaResult) {
+                // 注入 SCA findings 到主报告
+                result.findings.push(...scaResult.findings);
+                result.total += scaResult.findings.length;
+                for (const f of scaResult.findings) {
+                    result.bySeverity[f.severity] = (result.bySeverity[f.severity] ?? 0) + 1;
+                }
+                result.scaSummary = scaSummaryLine(scaResult);
+            }
+        }
+        catch (err) {
+            console.error(`[SCA] 分析失败: ${err.message}`);
+        }
+    }
+    return result;
+}
+async function runSemgrep(target, rulesDir, severity) {
+    const targetPath = resolvePath(target);
+    if (!existsSync(targetPath))
+        throw targetNotFound(target);
+    const args = ['scan', '--config', rulesDir, '--sarif', '--quiet', '--no-git-ignore', '--scan-unknown-extensions'];
+    if (severity)
+        args.push('--severity', severity);
+    args.push(targetPath);
+    return new Promise((resolve, reject) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const child = spawn(SEMGREP_BIN, args, {
+            stdio: ['ignore', 'pipe', 'pipe'],
+            timeout: DEFAULT_TIMEOUT,
+            env: {
+                ...process.env,
+                ...semgrepEnv(),
+                PYTHONUTF8: '1',
+                PYTHONIOENCODING: 'utf-8',
+            },
+        });
+        let stdout = '';
+        let stderr = '';
+        child.stdout.on('data', (d) => { stdout += d.toString(); });
+        child.stderr.on('data', (d) => { stderr += d.toString(); });
+        child.on('close', (code) => {
+            if (code !== 0 && code !== 1) {
+                reject(semgrepCrashed(code, stderr));
+                return;
+            }
+            try {
+                resolve(JSON.parse(stdout));
+            }
+            catch {
+                reject(sarifParsedFailed(`stdout=${stdout.slice(0, 300)} stderr=${stderr.slice(0, 300)}`));
+            }
+        });
+        child.on('error', (err) => {
+            reject(err.code === 'ENOENT'
+                ? semgrepNotFound(err)
+                : new Error(`Semgrep 启动失败: ${err.message}`));
+        });
+    });
+}
+//# sourceMappingURL=scanner.js.map

package/dist/engine/scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../../src/engine/scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAC3C,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACzD,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAErC,OAAO,EACL,eAAe,EACf,cAAc,EACd,cAAc,EACd,iBAAiB,GAClB,MAAM,aAAa,CAAC;AAErB,MAAM,WAAW,GAAG,SAAS,CAAC;AAC9B,MAAM,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAEvC,SAAS,UAAU;IACjB,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACjC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,IAAI,WAAW,EAAE,SAAS,EAAE,SAAS,CAAC,EAAE,QAAQ,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC;QACpJ,IAAI,UAAU,CAAC,IAAI,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,EAAE,CAAC;YAC/C,GAAG,CAAC,IAAI,GAAG,SAAS,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;oDACoD;AACpD,SAAS,eAAe;IACtB,qCAAqC;IACrC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;IACpE,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC5C,IAAI,UAAU,CAAC,YAAY,CAAC;QAAE,OAAO,YAAY,CAAC;IAElD,+BAA+B;IAC/B,MAAM,SAAS,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;IAClE,IAAI,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,SAAS,CAAC;IAE5C,mBAAmB;IACnB,OAAO,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;AAClF,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,MAAc,EACd,OAAoB;IAEpB,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC;IAEvC,yBAAyB;IACzB,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC;IAEhE,2CAA2C;IAC3C,IAAI,QAA4B,CAAC;IACjC,IAAI,IAAI,EAAE,CAAC;QACT,MAAM,QAAQ,GAA2B;YACvC,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM;SAChE,CAAC;QACF,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;IAC1C,CAAC;IACD,yBAAyB;IACzB,IAAI,KAAK,IAAI,CAAC,QAAQ;QAAE,QAAQ,GAAG,SAAS,CAAC;IAE7C,0BAA0B;IAC1B,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAE3D,qBAAqB;IACrB,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;IAClD,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC;IAE7D,QAAQ;IACR,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;IACvD,MAAM,QAAQ,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;IAE1C,OAAO;IACP,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAC;IAC7D,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,MAAM,EAAE,CAAC,CAAC;IAE1F,oBAAoB;IACpB,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,IAAI,CAAC;YACH,MAAM,EAAE,gBAAgB,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;YAClF,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;YACvD,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YAC5D,IAAI,SAAS,EAAE,CAAC;gBACd,uBAAuB;gBACvB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;gBAC5C,MAAM,CAAC,KAAK,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;gBAC1C,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,QAAQ,EAAE,CAAC;oBACnC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;gBAC3E,CAAC;gBACA,MAA6C,CAAC,UAAU,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;YACxF,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,eAAgB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,MAAc,EACd,QAAgB,EAChB,QAAiB;IAEjB,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IACvC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;IAE1D,MAAM,IAAI,GAAG,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,iBAAiB,EAAE,2BAA2B,CAAC,CAAC;IAClH,IAAI,QAAQ;QAAE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;IAChD,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAEtB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,8DAA8D;QAC9D,MAAM,KAAK,GAAQ,KAAK,CAAC,WAAW,EAAE,IAAI,EAAE;YAC1C,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;YACjC,OAAO,EAAE,eAAe;YACxB,GAAG,EAAE;gBACH,GAAG,OAAO,CAAC,GAAG;gBACd,GAAG,UAAU,EAAE;gBACf,UAAU,EAAE,GAAG;gBACf,gBAAgB,EAAE,OAAO;aAC1B;SACF,CAAC,CAAC;QAEH,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,GAAG,MAAM,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QACpE,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,GAAG,MAAM,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAEpE,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAmB,EAAE,EAAE;YACxC,IAAI,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;gBAC7B,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;gBACrC,OAAO;YACT,CAAC;YACD,IAAI,CAAC;gBAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YAAC,CAAC;YACpC,MAAM,CAAC;gBAAC,MAAM,CAAC,iBAAiB,CAAC,UAAU,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,WAAW,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC;YAAC,CAAC;QACvG,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE;YAC/B,MAAM,CAAE,GAA6B,CAAC,IAAI,KAAK,QAAQ;gBACrD,CAAC,CAAC,eAAe,CAAC,GAAG,CAAC;gBACtB,CAAC,CAAC,IAAI,KAAK,CAAC,iBAAiB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACjD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,13 @@
+#!/usr/bin/env node
+/**
+ * 逐码 ZhuMa CLI — 入口文件
+ *
+ * Usage:
+ *   zhuma init    — 初始化项目扫描配置
+ *   zhuma config  — 管理规则和扫描配置
+ *   zhuma scan    — 执行代码安全审计
+ *
+ * V4.0 Alpha | 众安天下 · 猎鹰情报威胁中心
+ */
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;;;;;GASG"}

package/dist/index.js

@@ -0,0 +1,41 @@
+#!/usr/bin/env node
+/**
+ * 逐码 ZhuMa CLI — 入口文件
+ *
+ * Usage:
+ *   zhuma init    — 初始化项目扫描配置
+ *   zhuma config  — 管理规则和扫描配置
+ *   zhuma scan    — 执行代码安全审计
+ *
+ * V4.0 Alpha | 众安天下 · 猎鹰情报威胁中心
+ */
+import { Command } from 'commander';
+import { initCommand } from './commands/init.js';
+import { configCommand } from './commands/config.js';
+import { scanCommand } from './commands/scan.js';
+import { scanAppIdCommand } from './commands/scan_appid.js';
+import { scanManifestCommand } from './commands/scan_manifest.js';
+import { handleError } from './engine/errors.js';
+const program = new Command();
+// 全局选项
+program
+    .option('--debug', '输出完整调试信息 (堆栈跟踪)');
+program
+    .name('zhuma')
+    .description('逐码 — AI驱动的代码安全审计平台')
+    .version('4.0.0-alpha')
+    .addCommand(initCommand)
+    .addCommand(configCommand)
+    .addCommand(scanCommand)
+    .addCommand(scanAppIdCommand)
+    .addCommand(scanManifestCommand);
+// 全局错误捕获
+try {
+    await program.parseAsync(process.argv);
+}
+catch (err) {
+    const opts = program.opts();
+    handleError(err, Boolean(opts.debug));
+    process.exit(1);
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA;;;;;;;;;GASG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAClE,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAEjD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;AAE9B,OAAO;AACP,OAAO;KACJ,MAAM,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;AAExC,OAAO;KACJ,IAAI,CAAC,OAAO,CAAC;KACb,WAAW,CAAC,oBAAoB,CAAC;KACjC,OAAO,CAAC,aAAa,CAAC;KACtB,UAAU,CAAC,WAAW,CAAC;KACvB,UAAU,CAAC,aAAa,CAAC;KACzB,UAAU,CAAC,WAAW,CAAC;KACvB,UAAU,CAAC,gBAAgB,CAAC;KAC5B,UAAU,CAAC,mBAAmB,CAAC,CAAC;AAEnC,SAAS;AACT,IAAI,CAAC;IACH,MAAM,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;AACzC,CAAC;AAAC,OAAO,GAAG,EAAE,CAAC;IACb,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC5B,WAAW,CAAC,GAAG,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IACtC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC"}

package/dist/report/render.d.ts

@@ -0,0 +1,23 @@
+/**
+ * 逐码 HTML 报告渲染器 v2 — 浅科技蓝 + 3D 风 + Canvas 图表 + 代码片段 + 修复路线图
+ *
+ * 对标 allsec.cn 品牌色系 | V4.0 Alpha Sprint 1.5
+ */
+import type { Finding } from '@zhuma4/sdk';
+interface ScanResult {
+    target: string;
+    findings: Finding[];
+    bySeverity: Record<string, number>;
+    total: number;
+    outputPath: string;
+    durationMs: number;
+    scannedAt: string;
+}
+interface RenderOptions {
+    target: string;
+    output: string;
+    template?: string;
+}
+export declare function renderReport(findings: Finding[], options: RenderOptions): Promise<ScanResult>;
+export {};
+//# sourceMappingURL=render.d.ts.map

package/dist/report/render.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"render.d.ts","sourceRoot":"","sources":["../../src/report/render.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAE3C,UAAU,UAAU;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,UAAU,aAAa;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,wBAAsB,YAAY,CAChC,QAAQ,EAAE,OAAO,EAAE,EACnB,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,UAAU,CAAC,CAwBrB"}

package/dist/report/render.js

@@ -0,0 +1,335 @@
+/**
+ * 逐码 HTML 报告渲染器 v2 — 浅科技蓝 + 3D 风 + Canvas 图表 + 代码片段 + 修复路线图
+ *
+ * 对标 allsec.cn 品牌色系 | V4.0 Alpha Sprint 1.5
+ */
+import { writeFile } from 'node:fs/promises';
+export async function renderReport(findings, options) {
+    const { target, output } = options;
+    const bySeverity = {
+        CRITICAL: findings.filter((f) => f.severity === 'CRITICAL').length,
+        HIGH: findings.filter((f) => f.severity === 'HIGH').length,
+        MEDIUM: findings.filter((f) => f.severity === 'MEDIUM').length,
+        LOW: findings.filter((f) => f.severity === 'LOW').length,
+    };
+    const total = findings.length;
+    if (output === 'json') {
+        const json = JSON.stringify({ target, findings, bySeverity, total }, null, 2);
+        const outPath = `${target.replace(/[/\\]/g, '_')}_zhuma.json`;
+        await writeFile(outPath, json, 'utf-8');
+        return { target, findings, bySeverity, total, outputPath: outPath, durationMs: 0, scannedAt: new Date().toISOString() };
+    }
+    const html = buildHtmlReportV2(target, findings, bySeverity, total);
+    const timestamp = new Date().toISOString().replace(/[:.]/g, '-').slice(0, 19);
+    const outPath = `zhuma_report_${timestamp}.html`;
+    await writeFile(outPath, html, 'utf-8');
+    return { target, findings, bySeverity, total, outputPath: outPath, durationMs: 0, scannedAt: new Date().toISOString() };
+}
+// ─── CWE → 修复方案知识库 ──────────────────────────────────
+const REMEDIATION_KB = {
+    'CWE-89': '使用参数化查询（PreparedStatement / JdbcTemplate）代替字符串拼接；MyBatis 禁止使用 ${}，改用 #{}',
+    'CWE-79': '所有用户输入在输出前进行 HTML 实体编码（ESAPI / OWASP Encoder）；设置 Content-Security-Policy 头',
+    'CWE-78': '禁止 Runtime.exec / ProcessBuilder 拼接用户输入；改用参数化 API 或白名单命令映射',
+    'CWE-22': '使用 Path.normalize() + 校验路径前缀在允许目录内；禁止 request.getParameter() 直接拼入文件路径',
+    'CWE-352': 'Spring Security 下显式启用 csrf()（默认已启用）；RESTful API 验证 Origin/Referer 头',
+    'CWE-611': 'DocumentBuilderFactory 设置 FEATURE_SECURE_PROCESSING + 禁用外部实体和 DTD；升级至 JDK 13+ 默认安全配置',
+    'CWE-798': '密码/密钥从环境变量或密钥管理服务获取；代码中仅引用变量名，不含字面量',
+    'CWE-306': '所有 @Controller / @RestController 添加 @PreAuthorize 或 @Secured；Spring Security 默认拒绝所有未认证请求',
+    'CWE-502': '使用白名单限制允许反序列化的类型；使用 JSON/YAML 替代 Java 原生序列化；考虑升级 JDK 17+ JEP 415',
+    'CWE-200': '日志输出前脱敏密码/token/身份证号等敏感字段；生产环境禁止 printStackTrace()',
+    'CWE-94': '禁止 ScriptEngine.eval / GroovyShell 接收用户输入；必须使用时开启沙箱和字符白名单',
+    'CWE-295': '生产环境必须验证 SSL 证书链；禁止覆盖 X509TrustManager / HostnameVerifier',
+    'CWE-918': '对 URL 进行白名单校验（域名级）；禁止内网/本地地址访问（127/10/172/192网段）',
+    'CWE-434': '文件扩展名白名单 + Content-Type 校验 + Magic Number 验证；文件存储在外部对象存储且禁止执行权限',
+    'CWE-862': '所有敏感操作验证用户权限（用户ID/角色）；服务端强制鉴权，不信任前端隐藏按钮',
+    'CWE-770': 'while循环添加超时退出条件；限制输入流读取上限；设置合理的连接/线程池大小',
+    'CWE-787': '数组访问前检查 index < length；ByteBuffer put 前验证容量；使用 Objects.checkIndex()',
+    'CWE-732': '文件权限设置 600/640（禁止 777）；避免 setWritable(true, false) 接受所有用户',
+};
+// ─── HTML 模板 ──────────────────────────────────────────────
+function buildHtmlReportV2(target, findings, bySeverity, total) {
+    const sevColors = {
+        CRITICAL: '#e74c3c', HIGH: '#f39c12', MEDIUM: '#f1c40f', LOW: '#3498db',
+    };
+    const sevBadge = (s) => `<span class="badge" style="background:${sevColors[s] ?? '#6c757d'}">${s}</span>`;
+    // Canvas 环形图数据
+    const chartData = JSON.stringify([
+        { label: 'CRITICAL', value: bySeverity.CRITICAL, color: '#e74c3c' },
+        { label: 'HIGH', value: bySeverity.HIGH, color: '#f39c12' },
+        { label: 'MEDIUM', value: bySeverity.MEDIUM, color: '#f1c40f' },
+        { label: 'LOW', value: bySeverity.LOW, color: '#3498db' },
+    ].filter(d => d.value > 0));
+    // ── 漏洞详情表格（含代码片段 + 修复建议） ──
+    const findingRows = findings.slice(0, 200).map((f, i) => {
+        const codeHtml = f.codeSnippet
+            ? `<div class="code-snippet"><div class="code-header">${esc(f.file)}:${f.line}</div><pre>${esc(f.codeSnippet)}</pre></div>`
+            : '';
+        const fixHtml = f.remediation
+            ? `<div class="fix-box"><span class="fix-label">🔧 修复建议</span>${esc(f.remediation)}</div>`
+            : REMEDIATION_KB[f.cwe]
+                ? `<div class="fix-box"><span class="fix-label">🔧 修复建议</span>${esc(REMEDIATION_KB[f.cwe])}</div>`
+                : '';
+        return `
+    <tr class="finding-row">
+      <td>${sevBadge(f.severity)}</td>
+      <td><code class="rule-id">${esc(f.ruleId)}</code><br><small class="muted">${esc(f.cwe)}</small></td>
+      <td><strong>${esc(f.message)}</strong>${codeHtml}${fixHtml}</td>
+      <td class="loc-cell"><code>${esc(f.file)}:${f.line}</code></td>
+    </tr>`;
+    }).join('');
+    // ── 修复路线图（严重等级分组） ──
+    const sevOrder = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW'];
+    const roadMapRows = sevOrder
+        .filter(s => bySeverity[s] > 0)
+        .map(s => {
+        const cweSet = new Set();
+        findings.filter(f => f.severity === s).forEach(f => { if (f.cwe)
+            cweSet.add(f.cwe); });
+        const cweList = [...cweSet].map(c => `<code>${esc(c)}</code>`).join(' ');
+        const action = s === 'CRITICAL' ? '24h 内修复，紧急上线' :
+            s === 'HIGH' ? '本迭代内修复，阻断发布' :
+                s === 'MEDIUM' ? '下版本修复，评估风险' :
+                    '纳入技术债务，季度清理';
+        return `<tr>
+        <td>${sevBadge(s)}</td>
+        <td>${bySeverity[s]}</td>
+        <td class="cwe-list">${cweList}</td>
+        <td><span class="action ${s.toLowerCase()}">${action}</span></td>
+      </tr>`;
+    }).join('');
+    return `<!DOCTYPE html>
+<html lang="zh-CN">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>逐码 ZhuMa — 安全审计报告</title>
+<style>
+  :root {
+    --primary: #1a6dff; --primary-dark: #0050d4; --primary-light: #e8f0ff;
+    --gradient: linear-gradient(135deg, #1a6dff, #00b8d4);
+    --critical: #e74c3c; --high: #f39c12; --medium: #f1c40f; --low: #3498db;
+    --bg: #ffffff; --bg2: #f5f8fc; --text: #1a1a2e; --body: #495057; --muted: #6c757d;
+    --shadow-sm: 0 1px 3px rgba(26,109,255,.08);
+    --shadow-md: 0 4px 16px rgba(26,109,255,.12);
+    --shadow-lg: 0 8px 30px rgba(26,109,255,.16);
+    --radius: 12px;
+    --font: "PingFang SC", -apple-system, "Microsoft YaHei", sans-serif;
+    --mono: "Fira Code", Consolas, "Courier New", monospace;
+  }
+  * { margin:0; padding:0; box-sizing:border-box; }
+  body { background: var(--bg2); color: var(--body); font-family: var(--font); line-height: 1.7; }
+  .cover {
+    background: linear-gradient(145deg, #f0f6ff 0%, #e0eeff 30%, #d0e6ff 60%, #e8f4ff 100%);
+    padding: 60px 40px 50px; text-align: center; border-bottom: 1px solid #d8e4f0;
+    box-shadow: inset 0 -4px 20px rgba(26,109,255,.05);
+  }
+  .cover h1 { font-size: 2.1em; font-weight: 800; background: var(--gradient);
+    -webkit-background-clip: text; -webkit-text-fill-color: transparent; margin-bottom: 6px;
+  }
+  .cover .subtitle { color: var(--muted); font-size: .95em; }
+  .wrap { max-width: 1020px; margin: 0 auto; padding: 28px 24px 60px; }
+
+  /* 统计卡片 */
+  .stats { display: grid; grid-template-columns: repeat(auto-fit, minmax(150px,1fr)); gap: 16px; margin: 16px 0 28px; }
+  .stat-card {
+    background: var(--bg); border: 1px solid #e4ecf6; border-radius: var(--radius);
+    padding: 20px; text-align: center; box-shadow: var(--shadow-sm);
+    transition: transform .2s, box-shadow .2s;
+  }
+  .stat-card:hover { transform: translateY(-2px); box-shadow: var(--shadow-md); }
+  .stat-card .num { font-size: 2.3em; font-weight: 800; color: var(--text); }
+  .stat-card .label { font-size: .8em; color: var(--muted); margin-top: 4px; text-transform: uppercase; letter-spacing: .5px; }
+  .stat-card.critical .num { color: var(--critical); }
+  .stat-card.high .num { color: var(--high); }
+  .stat-card.medium .num { color: var(--medium); }
+  .stat-card.low .num { color: var(--low); }
+
+  /* Canvas 图表容器 */
+  .chart-section { display: flex; align-items: center; gap: 40px; margin: 28px 0; flex-wrap: wrap; }
+  .chart-box { flex: 0 0 280px; }
+  .chart-legend { flex: 1; min-width: 200px; }
+  .chart-legend-item { display: flex; align-items: center; gap: 10px; padding: 8px 0; font-size: .92em; }
+  .chart-legend-dot { width: 14px; height: 14px; border-radius: 50%; }
+  .chart-legend-val { font-weight: 700; margin-left: auto; }
+
+  /* 表格 */
+  table { width: 100%; border-collapse: separate; border-spacing: 0; margin: 18px 0;
+    border-radius: var(--radius); overflow: hidden; box-shadow: var(--shadow-sm);
+  }
+  thead th {
+    background: linear-gradient(180deg, #f4f9ff, #eaf2fc); color: var(--primary-dark);
+    font-weight: 700; font-size: .82em; text-transform: uppercase; letter-spacing: .4px;
+    padding: 12px 14px; text-align: left; border-bottom: 2px solid #d0dff5;
+  }
+  tbody td { padding: 10px 14px; border-bottom: 1px solid #eef3f9; font-size: .88em; }
+  tr.finding-row:hover td { background: #f6faff; }
+  .badge { display: inline-block; padding: 3px 10px; border-radius: 12px; font-size: .76em; font-weight: 600; color: #fff; }
+  code { background: #f0f5fb; padding: 2px 7px; border-radius: 4px; font-family: var(--mono); font-size: .84em; color: var(--primary-dark); }
+  .rule-id { font-weight: 700; font-size: .85em; }
+  .muted { color: var(--muted); }
+  .loc-cell code { color: var(--muted); font-size: .78em; }
+
+  /* 代码片段卡片 */
+  .code-snippet {
+    margin: 8px 0; border: 1px solid #dde6f2; border-radius: 8px; overflow: hidden;
+    background: #fafbfd; box-shadow: inset 0 1px 3px rgba(0,0,0,.04);
+  }
+  .code-header {
+    background: linear-gradient(90deg, #eef3fa, #e4ecf6); padding: 6px 14px;
+    font-size: .76em; color: var(--muted); font-family: var(--mono);
+    border-bottom: 1px solid #dde6f2;
+  }
+  .code-snippet pre {
+    margin: 0; padding: 10px 14px; font-family: var(--mono); font-size: .82em;
+    line-height: 1.6; color: #2a3a52; overflow-x: auto;
+  }
+
+  /* 修复建议卡片 */
+  .fix-box {
+    margin: 8px 0; padding: 10px 14px; border-radius: 8px;
+    background: linear-gradient(135deg, #e8fbf0, #dff7eb);
+    border: 1px solid #b8e6cc; font-size: .84em; color: #1a4a2e;
+  }
+  .fix-label { display: block; font-weight: 700; margin-bottom: 4px; font-size: .82em; color: #0f6b3a; }
+
+  /* 修复路线图 */
+  .action { display: inline-block; padding: 4px 12px; border-radius: 8px; font-size: .8em; font-weight: 600; }
+  .action.critical { background: #fde8e8; color: #c0392b; }
+  .action.high { background: #fef3e6; color: #e67e22; }
+  .action.medium { background: #fefae6; color: #b7950b; }
+  .action.low { background: #e8f4fd; color: #2980b9; }
+  .cwe-list code { margin: 0 2px; }
+
+  /* Footer */
+  .footer { margin-top: 36px; padding-top: 18px; border-top: 1px solid #e0e7f0;
+    text-align: center; color: var(--muted); font-size: .8em; }
+  .footer a { color: var(--primary); text-decoration: none; }
+
+  /* 通用 */
+  h2 { color: var(--text); margin: 28px 0 10px; font-size: 1.25em; }
+  .truncated-note { color: var(--muted); font-size: .84em; margin-top: 8px; }
+</style>
+</head>
+<body>
+
+<div class="cover">
+  <h1>逐码 ZhuMa — 安全审计报告</h1>
+  <div class="subtitle">${esc(target)} · ${new Date().toLocaleString('zh-CN')}</div>
+</div>
+
+<div class="wrap">
+
+  <!-- ── 审计概览 + Canvas 图表 ── -->
+  <h2>📊 审计概览</h2>
+  <div class="stats">
+    <div class="stat-card critical"><div class="num">${bySeverity.CRITICAL ?? 0}</div><div class="label">🔴 CRITICAL</div></div>
+    <div class="stat-card high"><div class="num">${bySeverity.HIGH ?? 0}</div><div class="label">🟠 HIGH</div></div>
+    <div class="stat-card medium"><div class="num">${bySeverity.MEDIUM ?? 0}</div><div class="label">🟡 MEDIUM</div></div>
+    <div class="stat-card low"><div class="num">${bySeverity.LOW ?? 0}</div><div class="label">🔵 LOW</div></div>
+    <div class="stat-card"><div class="num">${total}</div><div class="label">总计发现</div></div>
+  </div>
+
+  <div class="chart-section">
+    <div class="chart-box">
+      <canvas id="severityChart" width="280" height="280"></canvas>
+    </div>
+    <div class="chart-legend" id="chartLegend"></div>
+  </div>
+
+  <!-- ── 漏洞发现详情（含代码片段 + 修复建议） ── -->
+  <h2>📋 漏洞发现详情</h2>
+  <table>
+    <thead><tr><th>等级</th><th>规则</th><th>描述</th><th>文件位置</th></tr></thead>
+    <tbody>
+      ${findingRows || '<tr><td colspan="4" style="text-align:center;color:var(--muted);padding:28px;">✅ 未发现漏洞</td></tr>'}
+    </tbody>
+  </table>
+  ${findings.length > 200
+        ? `<p class="truncated-note">⚠️ 仅展示前 200 条发现，共 ${findings.length} 条。完整列表请使用 <code>output: json</code> 生成。</p>`
+        : ''}
+
+  <!-- ── 修复路线图 ── -->
+  <h2>🛠️ 修复路线图</h2>
+  <table>
+    <thead><tr><th>优先级</th><th>数量</th><th>涉及 CWE</th><th>建议时间线</th></tr></thead>
+    <tbody>
+      ${roadMapRows || '<tr><td colspan="4" style="text-align:center;color:var(--muted);padding:28px;">✅ 无待修复漏洞</td></tr>'}
+    </tbody>
+  </table>
+
+  <!-- ── Footer ── -->
+  <div class="footer">
+    <p>由 <strong>逐码 ZhuMa V4.0 Alpha</strong> 生成 · <a href="https://www.allsec.cn">众安天下 · 猎鹰情报威胁中心</a></p>
+  </div>
+
+</div>
+
+<!-- ── Canvas 环形图绘制 ── -->
+<script>
+(function(){
+  const data = ${chartData};
+  if(!data.length) return;
+  const canvas = document.getElementById('severityChart');
+  if(!canvas) return;
+  const ctx = canvas.getContext('2d');
+  const cx = 140, cy = 140, rOuter = 120, rInner = 72;
+  const total = data.reduce((s,d) => s+d.value, 0);
+
+  // 阴影
+  ctx.shadowColor = 'rgba(26,109,255,.12)';
+  ctx.shadowBlur = 12;
+  ctx.shadowOffsetY = 2;
+
+  let startAngle = -Math.PI / 2;
+  data.forEach(d => {
+    const slice = (d.value / total) * Math.PI * 2;
+    ctx.beginPath();
+    ctx.arc(cx, cy, rOuter, startAngle, startAngle + slice);
+    ctx.arc(cx, cy, rInner, startAngle + slice, startAngle, true);
+    ctx.closePath();
+    ctx.fillStyle = d.color;
+    ctx.fill();
+    startAngle += slice;
+  });
+
+  // inner circle (3D 高光)
+  ctx.shadowColor = 'transparent';
+  ctx.shadowBlur = 0;
+  const grad = ctx.createRadialGradient(cx-15, cy-15, rInner*.3, cx, cy, rInner);
+  grad.addColorStop(0, '#ffffff');
+  grad.addColorStop(1, '#f0f5fb');
+  ctx.beginPath();
+  ctx.arc(cx, cy, rInner, 0, Math.PI*2);
+  ctx.fillStyle = grad;
+  ctx.fill();
+
+  // center text
+  ctx.fillStyle = '#1a1a2e';
+  ctx.font = 'bold 22px "PingFang SC",-apple-system,"Microsoft YaHei",sans-serif';
+  ctx.textAlign = 'center';
+  ctx.textBaseline = 'middle';
+  ctx.fillText(total, cx, cy-6);
+  ctx.font = '12px "PingFang SC",-apple-system,"Microsoft YaHei",sans-serif';
+  ctx.fillStyle = '#6c757d';
+  ctx.fillText('TOTAL', cx, cy+14);
+
+  // legend
+  const legend = document.getElementById('chartLegend');
+  if(legend) {
+    legend.innerHTML = data.map(d => {
+      const pct = total > 0 ? ((d.value/total)*100).toFixed(1) : 0;
+      return '<div class="chart-legend-item">' +
+        '<span class="chart-legend-dot" style="background:'+d.color+'"></span>' +
+        '<span>'+d.label+'</span>' +
+        '<span class="chart-legend-val">'+d.value+' ('+pct+'%)</span></div>';
+    }).join('');
+  }
+})();
+</script>
+</body>
+</html>`;
+}
+function esc(s) {
+    return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+}
+//# sourceMappingURL=render.js.map

package/dist/report/render.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"render.js","sourceRoot":"","sources":["../../src/report/render.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAmB7C,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,QAAmB,EACnB,OAAsB;IAEtB,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;IAEnC,MAAM,UAAU,GAAG;QACjB,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM;QAClE,IAAI,EAAM,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM;QAC9D,MAAM,EAAI,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM;QAChE,GAAG,EAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM;KAC9D,CAAC;IACF,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAC;IAE9B,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QAC9E,MAAM,OAAO,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,EAAE,GAAG,CAAC,aAAa,CAAC;QAC9D,MAAM,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;QACxC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;IAC1H,CAAC;IAED,MAAM,IAAI,GAAG,iBAAiB,CAAC,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;IACpE,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC9E,MAAM,OAAO,GAAG,gBAAgB,SAAS,OAAO,CAAC;IACjD,MAAM,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IAExC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;AAC1H,CAAC;AAED,uDAAuD;AAEvD,MAAM,cAAc,GAA2B;IAC7C,QAAQ,EAAE,0EAA0E;IACpF,QAAQ,EAAE,4EAA4E;IACtF,QAAQ,EAAE,4DAA4D;IACtE,QAAQ,EAAE,uEAAuE;IACjF,SAAS,EAAE,qEAAqE;IAChF,SAAS,EAAE,sFAAsF;IACjG,SAAS,EAAE,qCAAqC;IAChD,SAAS,EAAE,0FAA0F;IACrG,SAAS,EAAE,kEAAkE;IAC7E,SAAS,EAAE,oDAAoD;IAC/D,QAAQ,EAAG,2DAA2D;IACtE,SAAS,EAAE,2DAA2D;IACtE,SAAS,EAAE,kDAAkD;IAC7D,SAAS,EAAE,iEAAiE;IAC5E,SAAS,EAAE,yCAAyC;IACpD,SAAS,EAAE,yCAAyC;IACpD,SAAS,EAAE,qEAAqE;IAChF,SAAS,EAAE,2DAA2D;CACvE,CAAC;AAEF,6DAA6D;AAE7D,SAAS,iBAAiB,CACxB,MAAc,EACd,QAAmB,EACnB,UAAkC,EAClC,KAAa;IAEb,MAAM,SAAS,GAA2B;QACxC,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,EAAE,SAAS;KACxE,CAAC;IAEF,MAAM,QAAQ,GAAG,CAAC,CAAS,EAAE,EAAE,CAC7B,yCAAyC,SAAS,CAAC,CAAC,CAAC,IAAI,SAAS,KAAK,CAAC,SAAS,CAAC;IAEpF,eAAe;IACf,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;QAC/B,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,UAAU,CAAC,QAAQ,EAAE,KAAK,EAAE,SAAS,EAAE;QACnE,EAAE,KAAK,EAAE,MAAM,EAAM,KAAK,EAAE,UAAU,CAAC,IAAI,EAAM,KAAK,EAAE,SAAS,EAAE;QACnE,EAAE,KAAK,EAAE,QAAQ,EAAI,KAAK,EAAE,UAAU,CAAC,MAAM,EAAI,KAAK,EAAE,SAAS,EAAE;QACnE,EAAE,KAAK,EAAE,KAAK,EAAO,KAAK,EAAE,UAAU,CAAC,GAAG,EAAO,KAAK,EAAE,SAAS,EAAE;KACpE,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC;IAE5B,6BAA6B;IAC7B,MAAM,WAAW,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACtD,MAAM,QAAQ,GAAG,CAAC,CAAC,WAAW;YAC5B,CAAC,CAAC,sDAAsD,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,cAAc;YAC3H,CAAC,CAAC,EAAE,CAAC;QACP,MAAM,OAAO,GAAG,CAAC,CAAC,WAAW;YAC3B,CAAC,CAAC,8DAA8D,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,QAAQ;YAC1F,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,GAAG,CAAC;gBACrB,CAAC,CAAC,8DAA8D,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,QAAQ;gBAClG,CAAC,CAAC,EAAE,CAAC;QACT,OAAO;;YAEC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC;kCACE,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,mCAAmC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;oBACxE,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,QAAQ,GAAG,OAAO;mCAC7B,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI;UAC9C,CAAC;IACT,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEZ,sBAAsB;IACtB,MAAM,QAAQ,GAAG,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;IACvD,MAAM,WAAW,GAAG,QAAQ;SACzB,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;SAC9B,GAAG,CAAC,CAAC,CAAC,EAAE;QACP,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;QACjC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,GAAG;YAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACvF,MAAM,OAAO,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACzE,MAAM,MAAM,GAAG,CAAC,KAAK,UAAU,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;YACnC,CAAC,KAAK,MAAM,CAAK,CAAC,CAAC,aAAa,CAAC,CAAC;gBAClC,CAAC,KAAK,QAAQ,CAAG,CAAC,CAAC,YAAY,CAAC,CAAC;oBACd,aAAa,CAAC;QAChD,OAAO;cACC,QAAQ,CAAC,CAAC,CAAC;cACX,UAAU,CAAC,CAAC,CAAC;+BACI,OAAO;kCACJ,CAAC,CAAC,WAAW,EAAE,KAAK,MAAM;YAChD,CAAC;IACT,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEd,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;0BAqHiB,GAAG,CAAC,MAAM,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,cAAc,CAAC,OAAO,CAAC;;;;;;;;uDAQtB,UAAU,CAAC,QAAQ,IAAI,CAAC;mDAC5B,UAAU,CAAC,IAAI,IAAI,CAAC;qDAClB,UAAU,CAAC,MAAM,IAAI,CAAC;kDACzB,UAAU,CAAC,GAAG,IAAI,CAAC;8CACvB,KAAK;;;;;;;;;;;;;;;QAe3C,WAAW,IAAI,kGAAkG;;;IAGrH,QAAQ,CAAC,MAAM,GAAG,GAAG;QACrB,CAAC,CAAC,+CAA+C,QAAQ,CAAC,MAAM,8CAA8C;QAC9G,CAAC,CAAC,EAAE;;;;;;;QAOA,WAAW,IAAI,mGAAmG;;;;;;;;;;;;;;iBAczG,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QA4DlB,CAAC;AACT,CAAC;AAED,SAAS,GAAG,CAAC,CAAS;IACpB,OAAO,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AAC9E,CAAC"}

package/package.json

@@ -0,0 +1,41 @@
+{
+  "name": "@zhuma4/cli",
+  "version": "4.0.0-alpha.1",
+  "description": "逐码 CLI — 命令行代码安全审计工具 (SAST + SCA)",
+  "main": "dist/index.js",
+  "bin": {
+    "zhuma": "dist/index.js"
+  },
+  "type": "module",
+  "files": [
+    "dist",
+    "rules",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc -b",
+    "clean": "rm -rf dist",
+    "test": "node tests/test_runner.js",
+    "test:unit": "vitest run",
+    "cli": "node dist/index.js",
+    "prepublishOnly": "node scripts/copy-rules.mjs"
+  },
+  "dependencies": {
+    "@zhuma4/sdk": "^4.0.0-alpha.1",
+    "commander": "^13.0.0",
+    "chalk": "^5.4.0",
+    "ora": "^8.2.0"
+  },
+  "devDependencies": {
+    "vitest": "^2.0.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/zeracker/zhuma-v4"
+  },
+  "keywords": ["sast", "security", "code-analysis", "semgrep", "sca", "supply-chain"],
+  "license": "Apache-2.0",
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}