oauthlint 0.4.0 → 0.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +32 -260
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +20 -3
- package/dist/cli.js.map +1 -1
- package/dist/commands/explain.d.ts +58 -0
- package/dist/commands/explain.d.ts.map +1 -0
- package/dist/commands/explain.js +245 -0
- package/dist/commands/explain.js.map +1 -0
- package/dist/commands/scan.d.ts +1 -1
- package/dist/commands/scan.d.ts.map +1 -1
- package/dist/commands/scan.js +19 -0
- package/dist/commands/scan.js.map +1 -1
- package/dist/core/reporter.d.ts.map +1 -1
- package/dist/core/reporter.js +4 -0
- package/dist/core/reporter.js.map +1 -1
- package/dist/formatters/html.d.ts +50 -0
- package/dist/formatters/html.d.ts.map +1 -0
- package/dist/formatters/html.js +308 -0
- package/dist/formatters/html.js.map +1 -0
- package/dist/index.d.ts +1 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1 -0
- package/dist/index.js.map +1 -1
- package/package.json +2 -2
package/README.md
CHANGED
|
@@ -2,15 +2,16 @@
|
|
|
2
2
|
|
|
3
3
|
# oauthlint
|
|
4
4
|
|
|
5
|
-
**Catch the OAuth / OIDC / JWT anti-patterns AI coding tools systematically produce.**
|
|
5
|
+
**Catch the OAuth / OIDC / JWT / session / CORS anti-patterns AI coding tools systematically produce.**
|
|
6
6
|
|
|
7
|
-
A curated, multi-language Semgrep rule pack · JS/TS · Python · Go · Java · Rust
|
|
7
|
+
A curated, multi-language Semgrep rule pack · JS/TS · Python · Go · Java · Rust · CLI + GitHub Action + VS Code · free & MIT
|
|
8
8
|
|
|
9
9
|
[](https://www.npmjs.com/package/oauthlint)
|
|
10
10
|
[](https://www.npmjs.com/package/oauthlint)
|
|
11
11
|
[](https://github.com/Auspeo/oauthlint/actions/workflows/ci.yml)
|
|
12
12
|
[](https://opensource.org/licenses/MIT)
|
|
13
13
|
[](https://oauthlint.dev)
|
|
14
|
+
[](https://semgrep.dev)
|
|
14
15
|
|
|
15
16
|
</div>
|
|
16
17
|
|
|
@@ -20,59 +21,10 @@ npx oauthlint scan ./src
|
|
|
20
21
|
|
|
21
22
|
> Requires [Semgrep](https://semgrep.dev/docs/getting-started/) on the machine running the scan (`pipx install semgrep` or `brew install semgrep`). The CLI invokes it under the hood and normalises the output for humans and CI.
|
|
22
23
|
|
|
23
|
-
📖 **Full
|
|
24
|
+
📖 **Full docs & rule catalogue → [oauthlint.dev/docs](https://oauthlint.dev/docs)** · 🔬 **the research behind it → [oauthlint.dev/research](https://oauthlint.dev/research)**
|
|
24
25
|
|
|
25
26
|
---
|
|
26
27
|
|
|
27
|
-
## The problem
|
|
28
|
-
|
|
29
|
-
LLM coding assistants — Cursor, Claude, GitHub Copilot, Gemini — ship the *same*
|
|
30
|
-
OAuth/JWT mistakes across every project they touch:
|
|
31
|
-
|
|
32
|
-
- a JWT verified with `alg: none` accepted
|
|
33
|
-
- `client_secret` hard-coded in source
|
|
34
|
-
- an OAuth flow with no `state` and no PKCE
|
|
35
|
-
- a token written to `localStorage`, readable by any XSS
|
|
36
|
-
- `redirect_uri` allow-listed with a `*` wildcard
|
|
37
|
-
- a `/login` POST with no rate limiting
|
|
38
|
-
- a password persisted in plaintext
|
|
39
|
-
- `Math.random()` used for a CSRF token
|
|
40
|
-
|
|
41
|
-
oauthlint is the layer between generic SAST and an enterprise IAM program:
|
|
42
|
-
**free, focused, developer-first.** Every finding names the rule, the exact
|
|
43
|
-
`file:line`, *why* it's dangerous, and *how* to fix it — with CWE/OWASP mappings.
|
|
44
|
-
|
|
45
|
-
<div align="center">
|
|
46
|
-
|
|
47
|
-

|
|
48
|
-
|
|
49
|
-
</div>
|
|
50
|
-
|
|
51
|
-
## Why oauthlint, and not just Semgrep?
|
|
52
|
-
|
|
53
|
-
Honest answer: nothing stops you from writing these rules yourself. Semgrep is
|
|
54
|
-
open source — it's the engine we run — and a capable engineer could reproduce a
|
|
55
|
-
lot of this. There's no technical moat and we won't pretend otherwise. What
|
|
56
|
-
oauthlint gives you is the work most people never do:
|
|
57
|
-
|
|
58
|
-
- **Low false positives, validated against real auth libraries.** The rules are
|
|
59
|
-
run against `jose`, NextAuth, PyJWT, Authlib, `golang/oauth2`, `oauth2-rs`,
|
|
60
|
-
Spring Security and more. Anything that fires on mature library source goes to
|
|
61
|
-
a triage queue, not to you — validated across thousands of files of real
|
|
62
|
-
auth-library source, with **zero false positives** on the clean libraries
|
|
63
|
-
([validation report](https://oauthlint.dev/VALIDATION)).
|
|
64
|
-
- **One coherent product across every language it covers.** Same concepts, same ID scheme,
|
|
65
|
-
same docs — not a patchwork of community rules with mismatched styles.
|
|
66
|
-
- **Every finding teaches.** The 100+ rules — across JS/TS · Python · Go · Java
|
|
67
|
-
· Rust — each link to a fix page with CWE and OWASP mappings. It's a lesson,
|
|
68
|
-
not a grep hit.
|
|
69
|
-
- **The angle the registry doesn't have:** oauthlint specifically targets the
|
|
70
|
-
auth bugs AI coding tools ship on repeat, encoded in each rule's
|
|
71
|
-
`llm-prevalence` metadata and measured by a [reproducible benchmark](https://github.com/Auspeo/oauthlint/tree/main/benchmark).
|
|
72
|
-
|
|
73
|
-
Use oauthlint when you'd rather not write and maintain an auth rule pack
|
|
74
|
-
yourself. That's the whole pitch.
|
|
75
|
-
|
|
76
28
|
## Quick start
|
|
77
29
|
|
|
78
30
|
```bash
|
|
@@ -82,236 +34,56 @@ npx oauthlint scan ./src
|
|
|
82
34
|
# fail CI on HIGH severity and above
|
|
83
35
|
npx oauthlint scan ./src --fail-on HIGH
|
|
84
36
|
|
|
85
|
-
#
|
|
86
|
-
npx oauthlint scan ./src --json
|
|
87
|
-
|
|
88
|
-
# GitHub Code Scanning
|
|
37
|
+
# GitHub Code Scanning (SARIF) or a shareable HTML audit report
|
|
89
38
|
npx oauthlint scan ./src --format sarif > oauthlint.sarif
|
|
39
|
+
npx oauthlint scan ./src --format html > report.html
|
|
90
40
|
|
|
91
|
-
#
|
|
92
|
-
npx oauthlint
|
|
93
|
-
|
|
94
|
-
# scan several explicit paths (e.g. a list of changed files)
|
|
95
|
-
npx oauthlint scan src/auth.ts src/session.ts
|
|
96
|
-
|
|
97
|
-
# scan only what changed vs the default branch (fast, incremental)
|
|
98
|
-
npx oauthlint scan --diff
|
|
99
|
-
|
|
100
|
-
# scan only git-staged files (ideal in a pre-commit hook)
|
|
101
|
-
npx oauthlint scan --staged
|
|
102
|
-
|
|
103
|
-
# adopt on a large existing codebase: snapshot today's findings…
|
|
104
|
-
npx oauthlint baseline ./src
|
|
105
|
-
# …then only get alerted on NEW findings from here on
|
|
106
|
-
npx oauthlint scan ./src --baseline --fail-on HIGH
|
|
41
|
+
# learn a rule in the terminal: the why, the fix, and vulnerable/safe examples
|
|
42
|
+
npx oauthlint explain auth.jwt.alg-none
|
|
107
43
|
```
|
|
108
44
|
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
Turning a linter on for the first time on a large repo usually drowns you in
|
|
112
|
-
pre-existing findings. A **baseline** snapshots the findings that exist *today*
|
|
113
|
-
so `scan` only alerts on **new** ones — letting you adopt OAuthLint without
|
|
114
|
-
fixing everything up front.
|
|
45
|
+
Scan only what changed for fast pre-commit hooks and editors with `--diff` / `--staged`, or adopt on a large repo with a [baseline](https://oauthlint.dev/docs/baseline) (`oauthlint baseline ./src` then `scan --baseline`) so you're alerted on **new** findings only. Other commands: `list`, `explain`, `init`, `doctor`. Run `oauthlint --help` or see the [full CLI reference](https://oauthlint.dev/docs/cli).
|
|
115
46
|
|
|
116
|
-
|
|
117
|
-
# 1. capture the current findings into .oauthlint-baseline.json (commit this file)
|
|
118
|
-
oauthlint baseline ./src
|
|
119
|
-
|
|
120
|
-
# 2. from now on, scan reports only findings NOT in the baseline
|
|
121
|
-
oauthlint scan ./src --baseline --fail-on HIGH
|
|
122
|
-
```
|
|
47
|
+
### Every finding teaches
|
|
123
48
|
|
|
124
|
-
-
|
|
125
|
-
`.oauthlint-baseline.json` (override with `-o, --output <file>`). It prints how
|
|
126
|
-
many findings were baselined. Commit the file so the whole team shares it.
|
|
127
|
-
- **`oauthlint scan --baseline [file]`** runs a normal scan, then suppresses any
|
|
128
|
-
finding already in the baseline and reports only the rest. `--fail-on` and the
|
|
129
|
-
exit code consider **only the new findings**. With no value it defaults to
|
|
130
|
-
`.oauthlint-baseline.json`; a missing baseline file is a **clear error**
|
|
131
|
-
(exit `2`), never silently treated as empty.
|
|
132
|
-
|
|
133
|
-
**How a finding is fingerprinted.** Each finding gets a stable fingerprint —
|
|
134
|
-
`sha256(oauthlintRuleId + repo-relative path + a whitespace-normalised snapshot
|
|
135
|
-
of the matched code)`. Crucially the **raw line number is not part of the hash**,
|
|
136
|
-
so moving a finding up or down (adding imports, reformatting) keeps it
|
|
137
|
-
baselined, while **changing the flagged code** surfaces it as new. The same
|
|
138
|
-
fingerprint occurring multiple times in one file is disambiguated by a
|
|
139
|
-
deterministic occurrence index. Paths are normalised to repo/cwd-relative
|
|
140
|
-
(POSIX separators) so a baseline is portable across machines, and unreadable
|
|
141
|
-
files (deleted/binary) degrade gracefully instead of crashing. The baseline
|
|
142
|
-
JSON is small, sorted and human-diffable (a `version`, a `generatedAt`, and the
|
|
143
|
-
fingerprint list).
|
|
144
|
-
|
|
145
|
-
## Incremental scanning
|
|
146
|
-
|
|
147
|
-
For pre-commit hooks and editor integrations, scanning the whole tree on every
|
|
148
|
-
keystroke is wasteful. OAuthLint can scan **only the files that changed**:
|
|
49
|
+
Each finding ends with a hint, `↳ run \`oauthlint explain <rule-id>\` for details + the fix`. `oauthlint explain` brings the rule docs into your terminal, offline, from the bundled pack: severity, CWE/OWASP with canonical links, `llm-prevalence`, the why + how-to-fix, and side-by-side **vulnerable** vs **safe** code. It resolves a rule by id (`auth.jwt.alg-none`), slug (`jwt-alg-none`), or oauthlint-rule-id (`AUTH-JWT-001`); add `--json` for the structured rule object.
|
|
149
50
|
|
|
150
|
-
|
|
151
|
-
# files changed vs the merge-base with the repo's default branch
|
|
152
|
-
oauthlint scan --diff
|
|
51
|
+
## What it catches
|
|
153
52
|
|
|
154
|
-
|
|
155
|
-
oauthlint scan --diff origin/main
|
|
156
|
-
oauthlint scan --diff HEAD~5
|
|
53
|
+
LLM coding assistants (Cursor, Claude, Copilot, Gemini) ship the *same* auth bugs across every project: a JWT accepted with `alg: none`, a hard-coded `client_secret`, an OAuth flow with no `state`/PKCE, a token in `localStorage`, a `*` wildcard `redirect_uri`, an unrate-limited `/login`, a plaintext password, `Math.random()` for a CSRF token.
|
|
157
54
|
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
55
|
+
- **100+ rules** across **JS/TS · Python · Go · Java · Rust**, each mapped to CWE/OWASP with a fix page (a lesson, not a grep hit).
|
|
56
|
+
- **Dataflow (taint) analysis.** Beyond pattern-matching, the pack traces untrusted input through to dangerous sinks to catch **open-redirect** and **SSRF**.
|
|
57
|
+
- **HTML report.** `scan --format html` renders a self-contained, offline, no-JavaScript audit you can email or attach to a PR.
|
|
58
|
+
- Plus **SARIF** for Code Scanning, `--fix` for safe auto-fixes, incremental `--diff`/`--staged`, and a [baseline](https://oauthlint.dev/docs/baseline) for existing codebases.
|
|
161
59
|
|
|
162
|
-
|
|
60
|
+
👉 **Browse the always-current catalogue at [oauthlint.dev/rules](https://oauthlint.dev/rules/).**
|
|
163
61
|
|
|
164
|
-
|
|
165
|
-
repo's default branch (`origin/HEAD` → `origin/main` → `origin/master`, falling
|
|
166
|
-
back to `HEAD` when there's no remote). The change set is everything Added /
|
|
167
|
-
Copied / Modified / Renamed since that base, plus uncommitted work-tree and
|
|
168
|
-
staged changes, plus new untracked files. Deleted files are skipped.
|
|
169
|
-
- **`--staged`** — only the staged set (`git diff --cached`), the same files a
|
|
170
|
-
commit is about to capture.
|
|
171
|
-
- Explicit path args (`oauthlint scan a.ts b.ts`) scan exactly those paths.
|
|
62
|
+
## Use directly with Semgrep, no install
|
|
172
63
|
|
|
173
|
-
|
|
174
|
-
lockfiles, images, …) are filtered out automatically, and an **empty change set
|
|
175
|
-
exits `0`** with a `No changed files to scan.` note — it never fails your commit.
|
|
176
|
-
Outside a git repository, `--diff` / `--staged` print a clear error and exit `2`
|
|
177
|
-
instead of crashing. Git is always invoked with arguments passed as an array
|
|
178
|
-
(never a shell string), so a ref name can't inject a shell command.
|
|
179
|
-
|
|
180
|
-
Example pre-commit hook (`.git/hooks/pre-commit`):
|
|
64
|
+
Already have [Semgrep](https://semgrep.dev)? Run the full pack with one command, no config file:
|
|
181
65
|
|
|
182
66
|
```bash
|
|
183
|
-
|
|
184
|
-
npx oauthlint scan --staged --fail-on HIGH
|
|
185
|
-
```
|
|
186
|
-
|
|
187
|
-
## Commands
|
|
188
|
-
|
|
189
|
-
```
|
|
190
|
-
oauthlint scan [paths...] Scan files/directories (default: current dir)
|
|
191
|
-
oauthlint scan a.ts b.ts Scan an explicit list of paths
|
|
192
|
-
oauthlint scan --diff [ref] Scan only files changed vs a git ref
|
|
193
|
-
oauthlint scan --staged Scan only git-staged files (pre-commit)
|
|
194
|
-
oauthlint scan --json Emit machine-readable JSON
|
|
195
|
-
oauthlint scan --format sarif Emit SARIF for GitHub Code Scanning
|
|
196
|
-
oauthlint scan --severity HIGH Only show findings ≥ HIGH
|
|
197
|
-
oauthlint scan --fail-on off Never fail the build (CI dry-run)
|
|
198
|
-
oauthlint scan --fix Auto-apply safe fixes
|
|
199
|
-
oauthlint scan --baseline Report only findings NOT in the baseline
|
|
200
|
-
oauthlint baseline [paths...] Snapshot current findings to a baseline file
|
|
201
|
-
oauthlint baseline -o <file> Write the baseline to a custom path
|
|
202
|
-
oauthlint list List every shipped rule
|
|
203
|
-
oauthlint list --json Same, as JSON
|
|
204
|
-
oauthlint init Generate .oauthlintrc.yml at cwd
|
|
205
|
-
oauthlint init --force Overwrite an existing config
|
|
206
|
-
oauthlint doctor Check your setup (Semgrep, config, …)
|
|
207
|
-
oauthlint --no-update-check Skip the "update available" check (any command)
|
|
208
|
-
```
|
|
209
|
-
|
|
210
|
-
## Use it in CI
|
|
211
|
-
|
|
212
|
-
Run the CLI in a workflow and upload SARIF to **GitHub Code Scanning** so
|
|
213
|
-
findings appear inline on the PR:
|
|
214
|
-
|
|
215
|
-
```yaml
|
|
216
|
-
# .github/workflows/oauthlint.yml
|
|
217
|
-
jobs:
|
|
218
|
-
oauthlint:
|
|
219
|
-
runs-on: ubuntu-latest
|
|
220
|
-
steps:
|
|
221
|
-
- uses: actions/checkout@v4
|
|
222
|
-
- run: pipx install semgrep # the engine oauthlint runs
|
|
223
|
-
- run: npx oauthlint scan ./src --format sarif > oauthlint.sarif
|
|
224
|
-
- uses: github/codeql-action/upload-sarif@v3
|
|
225
|
-
with:
|
|
226
|
-
sarif_file: oauthlint.sarif
|
|
227
|
-
```
|
|
228
|
-
|
|
229
|
-
Or just fail the build on HIGH findings: `npx oauthlint scan ./src --fail-on HIGH`.
|
|
230
|
-
|
|
231
|
-
### GitHub Action
|
|
232
|
-
|
|
233
|
-
Prefer not to wire up the CLI by hand? The **[GitHub Action](https://github.com/Auspeo/oauthlint/tree/main/action)** wraps it for you — it's Docker-based, so it runs in any repo regardless of language:
|
|
234
|
-
|
|
235
|
-
```yaml
|
|
236
|
-
- uses: Auspeo/oauthlint/action@v1
|
|
237
|
-
with:
|
|
238
|
-
severity: HIGH
|
|
239
|
-
fail-on: HIGH
|
|
67
|
+
semgrep --config https://oauthlint.dev/r/oauthlint.yaml ./src
|
|
240
68
|
```
|
|
241
69
|
|
|
242
|
-
|
|
70
|
+
Per-language bundles exist too (`oauthlint-python.yaml`, `oauthlint-go.yaml`, …). That URL is always the latest pack; for a pinned ruleset in CI, use this CLI (`npx oauthlint@<version> scan`) or vendor [`oauthlint-rules`](https://www.npmjs.com/package/oauthlint-rules). See [the Semgrep docs](https://oauthlint.dev/docs/semgrep).
|
|
243
71
|
|
|
244
|
-
|
|
245
|
-
|
|
246
|
-
## What it catches
|
|
247
|
-
|
|
248
|
-
Rules across OAuth 2.0, OIDC, JWT, cookies, CORS, secrets and session hygiene —
|
|
249
|
-
each mapped to CWE & OWASP, each with a documentation page. Languages covered
|
|
250
|
-
today (more on the way):
|
|
251
|
-
|
|
252
|
-
| Language | Libraries |
|
|
253
|
-
|----------|-----------|
|
|
254
|
-
| JavaScript / TypeScript | jose, jsonwebtoken, NextAuth, express, … |
|
|
255
|
-
| Python | PyJWT, Authlib, requests, Flask, Django |
|
|
256
|
-
| Java | Spring Security, jjwt, nimbus-jose-jwt |
|
|
257
|
-
| Go | golang-jwt, crypto/tls, net/http |
|
|
258
|
-
| Rust | jsonwebtoken, reqwest, actix/tower |
|
|
259
|
-
|
|
260
|
-
👉 **Browse the full, always-current catalogue at [oauthlint.dev/rules](https://oauthlint.dev/rules/).**
|
|
261
|
-
|
|
262
|
-
## Configuration
|
|
263
|
-
|
|
264
|
-
Generate a `.oauthlintrc.yml` at your repo root with `oauthlint init`:
|
|
265
|
-
|
|
266
|
-
```yaml
|
|
267
|
-
version: 1
|
|
268
|
-
include:
|
|
269
|
-
- "src/**/*.{ts,tsx,js,jsx}"
|
|
270
|
-
exclude:
|
|
271
|
-
- "**/*.test.ts"
|
|
272
|
-
rules:
|
|
273
|
-
auth.cookie.no-samesite: warn
|
|
274
|
-
auth.session.id-in-url: off
|
|
275
|
-
failOn: HIGH
|
|
276
|
-
```
|
|
277
|
-
|
|
278
|
-
### Inline suppression
|
|
279
|
-
|
|
280
|
-
```ts
|
|
281
|
-
// oauthlint-disable-next-line auth.jwt.alg-none -- legacy code, replaced in Q2
|
|
282
|
-
return jwt.verify(token, key, { algorithms: ['RS256', 'none'] });
|
|
283
|
-
```
|
|
284
|
-
|
|
285
|
-
Wholesale silencing (`oauthlint-disable-file *`) is intentionally unsupported —
|
|
286
|
-
the next reviewer needs to see exactly which lines opted out, and why.
|
|
287
|
-
|
|
288
|
-
## Exit codes
|
|
289
|
-
|
|
290
|
-
| Code | When |
|
|
291
|
-
|:----:|------|
|
|
292
|
-
| `0` | No finding at or above the `--fail-on` threshold |
|
|
293
|
-
| `1` | At least one **HIGH** finding |
|
|
294
|
-
| `2` | At least one **CRITICAL** finding, a scan whose output could not be parsed (it never silently exits clean), or a missing/malformed `--baseline` file |
|
|
295
|
-
| `127` | Semgrep is not installed |
|
|
72
|
+
## Why oauthlint, and not just Semgrep?
|
|
296
73
|
|
|
297
|
-
|
|
298
|
-
> **new** (non-baselined) findings.
|
|
74
|
+
Honest answer: nothing stops you writing these rules yourself. Semgrep is open source and it's the engine we run, so there's no technical moat. What oauthlint gives you is the work most people never do:
|
|
299
75
|
|
|
300
|
-
|
|
76
|
+
- **Low false positives, validated against real auth libraries.** `jose`, NextAuth, PyJWT, Authlib, `golang/oauth2`, `oauth2-rs`, Spring Security and more. Anything that fires on mature library source goes to a triage queue, not to you ([validation report](https://oauthlint.dev/VALIDATION)).
|
|
77
|
+
- **One coherent product across every language.** Same concepts, same ID scheme, same docs, not a patchwork of community rules.
|
|
78
|
+
- **The angle the registry doesn't have.** It targets the auth bugs AI tools ship on repeat, encoded in each rule's `llm-prevalence` metadata and measured by a reproducible benchmark ([the research](https://oauthlint.dev/research)).
|
|
301
79
|
|
|
302
|
-
oauthlint
|
|
303
|
-
when a newer version is on npm. It's designed to stay out of your way:
|
|
80
|
+
Use oauthlint when you'd rather not write and maintain an auth rule pack yourself. That's the whole pitch.
|
|
304
81
|
|
|
305
|
-
|
|
306
|
-
cached), so it never slows a scan down.
|
|
307
|
-
- It writes to **stderr only** and is **silent** under `--json` / `--format
|
|
308
|
-
sarif`, when output is piped, in CI, and offline — so it can never corrupt a
|
|
309
|
-
machine-readable report or nag automated runs.
|
|
82
|
+
## Also available
|
|
310
83
|
|
|
311
|
-
|
|
312
|
-
|
|
84
|
+
- **GitHub Action.** `Auspeo/oauthlint/action@v1`, Docker-based (any language), with inline PR annotations and a job summary. [Docs](https://github.com/Auspeo/oauthlint/tree/main/action).
|
|
85
|
+
- **VS Code / Cursor / Windsurf.** [oauthlint](https://marketplace.visualstudio.com/items?itemName=auspeo.oauthlint-vscode) on the VS Code Marketplace and [OpenVSX](https://open-vsx.org/extension/auspeo/oauthlint-vscode): inline diagnostics on save, a status-bar finding count, and Quick Fix suppressions.
|
|
313
86
|
|
|
314
87
|
## License
|
|
315
88
|
|
|
316
|
-
MIT
|
|
317
|
-
Built and maintained by [Auspeo](https://github.com/Auspeo).
|
|
89
|
+
MIT. See [LICENSE](https://github.com/Auspeo/oauthlint/blob/main/LICENSE). Built and maintained by [Auspeo](https://github.com/Auspeo).
|
package/dist/cli.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;
|
|
1
|
+
{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AA0EpC,wBAAsB,YAAY,IAAI,OAAO,CAAC,OAAO,CAAC,CAyIrD"}
|
package/dist/cli.js
CHANGED
|
@@ -5,6 +5,7 @@ import { Command } from 'commander';
|
|
|
5
5
|
import pc from 'picocolors';
|
|
6
6
|
import { runBaseline } from './commands/baseline.js';
|
|
7
7
|
import { runDoctor } from './commands/doctor.js';
|
|
8
|
+
import { runExplain } from './commands/explain.js';
|
|
8
9
|
import { runInit } from './commands/init.js';
|
|
9
10
|
import { runList } from './commands/list.js';
|
|
10
11
|
import { runScan } from './commands/scan.js';
|
|
@@ -80,7 +81,7 @@ export async function buildProgram() {
|
|
|
80
81
|
.argument('[paths...]', 'One or more files/directories to scan', ['.'])
|
|
81
82
|
.description('Scan files or directories for auth misconfigurations')
|
|
82
83
|
.option('--json', 'Emit JSON (shortcut for --format json)')
|
|
83
|
-
.option('--format <fmt>', 'Output format: pretty | json | sarif', parseFormat)
|
|
84
|
+
.option('--format <fmt>', 'Output format: pretty | json | sarif | html', parseFormat)
|
|
84
85
|
.option('--severity <level>', 'Only emit findings ≥ this severity', parseSeverity)
|
|
85
86
|
.option('--fail-on <level>', 'Process exits non-zero if any finding ≥ this severity', parseFailOn)
|
|
86
87
|
.option('--diff [ref]', 'Scan only files changed vs a git ref (default: merge-base with the default branch)')
|
|
@@ -101,7 +102,10 @@ export async function buildProgram() {
|
|
|
101
102
|
fix: opts.fix,
|
|
102
103
|
baseline: opts.baseline,
|
|
103
104
|
});
|
|
104
|
-
const machineReadable = opts.json === true ||
|
|
105
|
+
const machineReadable = opts.json === true ||
|
|
106
|
+
opts.format === 'json' ||
|
|
107
|
+
opts.format === 'sarif' ||
|
|
108
|
+
opts.format === 'html';
|
|
105
109
|
await finishWithNotice(code, { version, machineReadable, updateCheck: updateCheckEnabled() });
|
|
106
110
|
});
|
|
107
111
|
program
|
|
@@ -147,6 +151,19 @@ export async function buildProgram() {
|
|
|
147
151
|
updateCheck: updateCheckEnabled(),
|
|
148
152
|
});
|
|
149
153
|
});
|
|
154
|
+
program
|
|
155
|
+
.command('explain')
|
|
156
|
+
.argument('<rule>', 'A rule id (auth.jwt.alg-none), slug (jwt-alg-none), or AUTH-JWT-001')
|
|
157
|
+
.description('Explain one rule — why it matters, the fix, and vulnerable/safe examples')
|
|
158
|
+
.option('--json', 'Emit the structured rule object instead of pretty output')
|
|
159
|
+
.action(async (rule, opts) => {
|
|
160
|
+
const code = await runExplain({ rule, json: opts.json });
|
|
161
|
+
await finishWithNotice(code, {
|
|
162
|
+
version,
|
|
163
|
+
machineReadable: opts.json === true,
|
|
164
|
+
updateCheck: updateCheckEnabled(),
|
|
165
|
+
});
|
|
166
|
+
});
|
|
150
167
|
program
|
|
151
168
|
.command('doctor')
|
|
152
169
|
.description('Diagnose your OAuthLint install (Node, Semgrep, rule pack)')
|
|
@@ -174,7 +191,7 @@ function parseFailOn(v) {
|
|
|
174
191
|
return 'off';
|
|
175
192
|
return parseSeverity(v);
|
|
176
193
|
}
|
|
177
|
-
const FORMATS = ['pretty', 'json', 'sarif'];
|
|
194
|
+
const FORMATS = ['pretty', 'json', 'sarif', 'html'];
|
|
178
195
|
function parseFormat(v) {
|
|
179
196
|
const lower = v.toLowerCase();
|
|
180
197
|
if (!FORMATS.includes(lower)) {
|
package/dist/cli.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC7C,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC7C,OAAO,EAAmB,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAqB,MAAM,YAAY,CAAC;AAM3D;;;;;;;;GAQG;AACH,KAAK,UAAU,cAAc,CAAC,IAAY;IACxC,MAAM,KAAK,GAAG,CAAC,CAAqB,EAAiB,EAAE,CACrD,IAAI,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QAClB,IAAI,CAAC,CAAC,cAAc,KAAK,CAAC,EAAE,CAAC;YAC3B,GAAG,EAAE,CAAC;YACN,OAAO;QACT,CAAC;QACD,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IACL,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAClE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACrB,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,gBAAgB,CAC7B,IAAY,EACZ,GAAwE;IAExE,MAAM,iBAAiB,CAAC;QACtB,cAAc,EAAE,GAAG,CAAC,OAAO;QAC3B,eAAe,EAAE,GAAG,CAAC,eAAe;QACpC,QAAQ,EAAE,CAAC,GAAG,CAAC,WAAW;KAC3B,CAAC,CAAC;IACH,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED,KAAK,UAAU,kBAAkB;IAC/B,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACrD,iDAAiD;IACjD,8DAA8D;IAC9D,KAAK,MAAM,SAAS,IAAI;QACtB,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC;QACnC,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC;KAC1C,EAAE,CAAC;QACF,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,CAAY,CAAC;YACrE,IAAI,GAAG,CAAC,OAAO;gBAAE,OAAO,GAAG,CAAC,OAAO,CAAC;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,cAAc;QAChB,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY;IAChC,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;IAC9B,MAAM,OAAO,GAAG,MAAM,kBAAkB,EAAE,CAAC;IAE3C,OAAO;SACJ,IAAI,CAAC,WAAW,CAAC;SACjB,WAAW,CACV,4FAA4F,CAC7F;SACA,OAAO,CAAC,OAAO,EAAE,eAAe,CAAC;SACjC,MAAM,CAAC,mBAAmB,EAAE,gDAAgD,CAAC,CAAC;IAEjF,+EAA+E;IAC/E,yEAAyE;IACzE,MAAM,kBAAkB,GAAG,GAAY,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,WAAW,KAAK,KAAK,CAAC;IAE/E,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,QAAQ,CAAC,YAAY,EAAE,uCAAuC,EAAE,CAAC,GAAG,CAAC,CAAC;SACtE,WAAW,CAAC,sDAAsD,CAAC;SACnE,MAAM,CAAC,QAAQ,EAAE,wCAAwC,CAAC;SAC1D,MAAM,CAAC,gBAAgB,EAAE,
|
|
1
|
+
{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC7C,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC7C,OAAO,EAAmB,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAqB,MAAM,YAAY,CAAC;AAM3D;;;;;;;;GAQG;AACH,KAAK,UAAU,cAAc,CAAC,IAAY;IACxC,MAAM,KAAK,GAAG,CAAC,CAAqB,EAAiB,EAAE,CACrD,IAAI,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QAClB,IAAI,CAAC,CAAC,cAAc,KAAK,CAAC,EAAE,CAAC;YAC3B,GAAG,EAAE,CAAC;YACN,OAAO;QACT,CAAC;QACD,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IACL,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAClE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACrB,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,gBAAgB,CAC7B,IAAY,EACZ,GAAwE;IAExE,MAAM,iBAAiB,CAAC;QACtB,cAAc,EAAE,GAAG,CAAC,OAAO;QAC3B,eAAe,EAAE,GAAG,CAAC,eAAe;QACpC,QAAQ,EAAE,CAAC,GAAG,CAAC,WAAW;KAC3B,CAAC,CAAC;IACH,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED,KAAK,UAAU,kBAAkB;IAC/B,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACrD,iDAAiD;IACjD,8DAA8D;IAC9D,KAAK,MAAM,SAAS,IAAI;QACtB,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC;QACnC,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC;KAC1C,EAAE,CAAC;QACF,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,CAAY,CAAC;YACrE,IAAI,GAAG,CAAC,OAAO;gBAAE,OAAO,GAAG,CAAC,OAAO,CAAC;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,cAAc;QAChB,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY;IAChC,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;IAC9B,MAAM,OAAO,GAAG,MAAM,kBAAkB,EAAE,CAAC;IAE3C,OAAO;SACJ,IAAI,CAAC,WAAW,CAAC;SACjB,WAAW,CACV,4FAA4F,CAC7F;SACA,OAAO,CAAC,OAAO,EAAE,eAAe,CAAC;SACjC,MAAM,CAAC,mBAAmB,EAAE,gDAAgD,CAAC,CAAC;IAEjF,+EAA+E;IAC/E,yEAAyE;IACzE,MAAM,kBAAkB,GAAG,GAAY,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,WAAW,KAAK,KAAK,CAAC;IAE/E,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,QAAQ,CAAC,YAAY,EAAE,uCAAuC,EAAE,CAAC,GAAG,CAAC,CAAC;SACtE,WAAW,CAAC,sDAAsD,CAAC;SACnE,MAAM,CAAC,QAAQ,EAAE,wCAAwC,CAAC;SAC1D,MAAM,CAAC,gBAAgB,EAAE,6CAA6C,EAAE,WAAW,CAAC;SACpF,MAAM,CAAC,oBAAoB,EAAE,oCAAoC,EAAE,aAAa,CAAC;SACjF,MAAM,CACL,mBAAmB,EACnB,uDAAuD,EACvD,WAAW,CACZ;SACA,MAAM,CACL,cAAc,EACd,oFAAoF,CACrF;SACA,MAAM,CAAC,UAAU,EAAE,0DAA0D,CAAC;SAC9E,MAAM,CAAC,oBAAoB,EAAE,sCAAsC,CAAC;SACpE,MAAM,CAAC,OAAO,EAAE,4DAA4D,CAAC;SAC7E,MAAM,CACL,mBAAmB,EACnB,4GAA4G,CAC7G;SACA,MAAM,CAAC,KAAK,EAAE,KAAe,EAAE,IAAoB,EAAE,EAAE;QACtD,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC;YACzB,KAAK;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC,CAAC;QACH,MAAM,eAAe,GACnB,IAAI,CAAC,IAAI,KAAK,IAAI;YAClB,IAAI,CAAC,MAAM,KAAK,MAAM;YACtB,IAAI,CAAC,MAAM,KAAK,OAAO;YACvB,IAAI,CAAC,MAAM,KAAK,MAAM,CAAC;QACzB,MAAM,gBAAgB,CAAC,IAAI,EAAE,EAAE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAAC;IAChG,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,UAAU,CAAC;SACnB,QAAQ,CAAC,YAAY,EAAE,uCAAuC,EAAE,CAAC,GAAG,CAAC,CAAC;SACtE,WAAW,CACV,sFAAsF,CACvF;SACA,MAAM,CAAC,qBAAqB,EAAE,kCAAkC,EAAE,0BAA0B,CAAC;SAC7F,MAAM,CAAC,oBAAoB,EAAE,sCAAsC,CAAC;SACpE,MAAM,CAAC,KAAK,EAAE,KAAe,EAAE,IAAwB,EAAE,EAAE;QAC1D,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC;YAC7B,KAAK;YACL,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC,CAAC;QACH,iEAAiE;QACjE,MAAM,gBAAgB,CAAC,IAAI,EAAE;YAC3B,OAAO;YACP,eAAe,EAAE,KAAK;YACtB,WAAW,EAAE,kBAAkB,EAAE;SAClC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,gDAAgD,CAAC;SAC7D,MAAM,CAAC,QAAQ,EAAE,oCAAoC,CAAC;SACtD,MAAM,CAAC,KAAK,EAAE,IAAwB,EAAE,EAAE;QACzC,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QAChD,MAAM,gBAAgB,CAAC,IAAI,EAAE;YAC3B,OAAO;YACP,eAAe,EAAE,IAAI,CAAC,IAAI,KAAK,IAAI;YACnC,WAAW,EAAE,kBAAkB,EAAE;SAClC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,sDAAsD,CAAC;SACnE,MAAM,CAAC,aAAa,EAAE,mCAAmC,CAAC;SAC1D,MAAM,CAAC,KAAK,EAAE,IAAyB,EAAE,EAAE;QAC1C,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;QACtE,MAAM,gBAAgB,CAAC,IAAI,EAAE;YAC3B,OAAO;YACP,eAAe,EAAE,KAAK;YACtB,WAAW,EAAE,kBAAkB,EAAE;SAClC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,SAAS,CAAC;SAClB,QAAQ,CAAC,QAAQ,EAAE,qEAAqE,CAAC;SACzF,WAAW,CAAC,0EAA0E,CAAC;SACvF,MAAM,CAAC,QAAQ,EAAE,0DAA0D,CAAC;SAC5E,MAAM,CAAC,KAAK,EAAE,IAAY,EAAE,IAAwB,EAAE,EAAE;QACvD,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QACzD,MAAM,gBAAgB,CAAC,IAAI,EAAE;YAC3B,OAAO;YACP,eAAe,EAAE,IAAI,CAAC,IAAI,KAAK,IAAI;YACnC,WAAW,EAAE,kBAAkB,EAAE;SAClC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,4DAA4D,CAAC;SACzE,MAAM,CAAC,QAAQ,EAAE,oCAAoC,CAAC;SACtD,MAAM,CAAC,KAAK,EAAE,IAAwB,EAAE,EAAE;QACzC,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QAClD,MAAM,gBAAgB,CAAC,IAAI,EAAE;YAC3B,OAAO;YACP,eAAe,EAAE,IAAI,CAAC,IAAI,KAAK,IAAI;YACnC,WAAW,EAAE,kBAAkB,EAAE;SAClC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEL,OAAO,CAAC,kBAAkB,CAAC,EAAE,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC,CAAC;IACtF,OAAO,OAAO,CAAC;AACjB,CAAC;AAsBD,SAAS,aAAa,CAAC,CAAS;IAC9B,MAAM,KAAK,GAAG,CAAC,CAAC,WAAW,EAAkB,CAAC;IAC9C,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,uBAAuB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACxF,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,IAAI,CAAC,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAC9B,OAAO,aAAa,CAAC,CAAC,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,OAAO,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAU,CAAC;AAC7D,SAAS,WAAW,CAAC,CAAS;IAC5B,MAAM,KAAK,GAAG,CAAC,CAAC,WAAW,EAAgB,CAAC;IAC5C,IAAI,CAAE,OAA6B,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,uBAAuB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACnF,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}
|
|
@@ -0,0 +1,58 @@
|
|
|
1
|
+
import { type SeverityName } from '../types.js';
|
|
2
|
+
export interface ExplainOptions {
|
|
3
|
+
/** The rule to explain — a rule id, slug, or oauthlint-rule-id. */
|
|
4
|
+
rule: string;
|
|
5
|
+
/** When true, emit the structured rule object as JSON instead of pretty output. */
|
|
6
|
+
json?: boolean;
|
|
7
|
+
/** Stream to write the explanation to (defaults to process.stdout). */
|
|
8
|
+
stream?: NodeJS.WritableStream;
|
|
9
|
+
/** Stream for errors / chrome (defaults to process.stderr). */
|
|
10
|
+
errStream?: NodeJS.WritableStream;
|
|
11
|
+
/** Override the bundled rules root (used by tests). */
|
|
12
|
+
rulesRoot?: string;
|
|
13
|
+
}
|
|
14
|
+
interface CodeExample {
|
|
15
|
+
/** Absolute path to the fixture file the example was read from. */
|
|
16
|
+
file: string;
|
|
17
|
+
/** The fixture source, with Semgrep test annotations stripped. */
|
|
18
|
+
code: string;
|
|
19
|
+
}
|
|
20
|
+
/** The structured object emitted by `--json` and rendered by the pretty path. */
|
|
21
|
+
export interface ExplainedRule {
|
|
22
|
+
id: string;
|
|
23
|
+
oauthlintRuleId: string;
|
|
24
|
+
slug: string;
|
|
25
|
+
/** Rule-declared Semgrep severity (INFO | WARNING | ERROR). */
|
|
26
|
+
severity: string;
|
|
27
|
+
/** The 5-level severity a scan finding would carry (mapped from `severity`). */
|
|
28
|
+
findingSeverity: SeverityName;
|
|
29
|
+
/** Rule family taken from the id, e.g. `jwt`, `oauth`, `cookie`. */
|
|
30
|
+
category: string;
|
|
31
|
+
/** Language segment of the id for language packs (e.g. `py`, `go`), else null. */
|
|
32
|
+
language: string | null;
|
|
33
|
+
languages: string[];
|
|
34
|
+
cwe: string | null;
|
|
35
|
+
cweUrl: string | null;
|
|
36
|
+
owasp: string | null;
|
|
37
|
+
owaspUrl: string | null;
|
|
38
|
+
llmPrevalence: 'HIGH' | 'MEDIUM' | 'LOW';
|
|
39
|
+
message: string;
|
|
40
|
+
docUrl: string;
|
|
41
|
+
references: string[];
|
|
42
|
+
technology: string[];
|
|
43
|
+
examples: {
|
|
44
|
+
vulnerable: CodeExample | null;
|
|
45
|
+
safe: CodeExample | null;
|
|
46
|
+
};
|
|
47
|
+
}
|
|
48
|
+
/**
|
|
49
|
+
* `oauthlint explain <rule>` — bring the rule docs into the terminal.
|
|
50
|
+
*
|
|
51
|
+
* Resolves `<rule>` offline from the bundled pack by rule id
|
|
52
|
+
* (`auth.jwt.alg-none`), slug (`jwt-alg-none`), or oauthlint-rule-id
|
|
53
|
+
* (`AUTH-JWT-001`), then prints the why/how-to-fix plus the vulnerable & safe
|
|
54
|
+
* code examples. `--json` emits the structured rule object instead.
|
|
55
|
+
*/
|
|
56
|
+
export declare function runExplain(opts: ExplainOptions): Promise<number>;
|
|
57
|
+
export {};
|
|
58
|
+
//# sourceMappingURL=explain.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"explain.d.ts","sourceRoot":"","sources":["../../src/commands/explain.ts"],"names":[],"mappings":"AAIA,OAAO,EAAwB,KAAK,YAAY,EAAE,MAAM,aAAa,CAAC;AAEtE,MAAM,WAAW,cAAc;IAC7B,mEAAmE;IACnE,IAAI,EAAE,MAAM,CAAC;IACb,mFAAmF;IACnF,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,uEAAuE;IACvE,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;IAC/B,+DAA+D;IAC/D,SAAS,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;IAClC,uDAAuD;IACvD,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,WAAW;IACnB,mEAAmE;IACnE,IAAI,EAAE,MAAM,CAAC;IACb,kEAAkE;IAClE,IAAI,EAAE,MAAM,CAAC;CACd;AAED,iFAAiF;AACjF,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,eAAe,EAAE,MAAM,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,+DAA+D;IAC/D,QAAQ,EAAE,MAAM,CAAC;IACjB,gFAAgF;IAChF,eAAe,EAAE,YAAY,CAAC;IAC9B,oEAAoE;IACpE,QAAQ,EAAE,MAAM,CAAC;IACjB,kFAAkF;IAClF,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,aAAa,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACzC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,QAAQ,EAAE;QACR,UAAU,EAAE,WAAW,GAAG,IAAI,CAAC;QAC/B,IAAI,EAAE,WAAW,GAAG,IAAI,CAAC;KAC1B,CAAC;CACH;AAED;;;;;;;GAOG;AACH,wBAAsB,UAAU,CAAC,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAqBtE"}
|