pqm-cli 1.0.0

package/src/ai/analyzer/dependency.js

@@ -0,0 +1,269 @@
+import fs from 'fs';
+import path from 'path';
+import { Severity } from '../../report/formatter.js';
+
+/**
+ * Known vulnerable package patterns (simplified)
+ * In production, this should query an actual vulnerability database
+ */
+const KNOWN_VULNERABILITIES = {
+  // Example vulnerable packages - in production use npm audit or similar
+  'lodash': {
+    vulnerable: ['<4.17.21'],
+    severity: Severity.HIGH,
+    issue: '原型污染漏洞 (CVE-2021-23337)',
+    fixed: '4.17.21'
+  },
+  'event-source': {
+    vulnerable: ['<1.1.0'],
+    severity: Severity.HIGH,
+    issue: '正则表达式拒绝服务',
+    fixed: '1.1.0'
+  },
+  'minimist': {
+    vulnerable: ['<1.2.6'],
+    severity: Severity.MEDIUM,
+    issue: '原型污染漏洞',
+    fixed: '1.2.6'
+  },
+  'axios': {
+    vulnerable: ['<0.21.1'],
+    severity: Severity.HIGH,
+    issue: 'SSRF 漏洞',
+    fixed: '0.21.1'
+  }
+};
+
+/**
+ * License risk levels
+ */
+const LICENSE_RISKS = {
+  // Copyleft licenses
+  'GPL-3.0': { risk: Severity.MEDIUM, note: '强 Copyleft 许可证，需开源项目源码' },
+  'GPL-2.0': { risk: Severity.MEDIUM, note: '强 Copyleft 许可证，需开源项目源码' },
+  'AGPL-3.0': { risk: Severity.HIGH, note: '强 Copyleft，网络服务也需开源' },
+  'LGPL-3.0': { risk: Severity.LOW, note: '弱 Copyleft，链接库需遵守限制' },
+
+  // Permissive licenses (low risk)
+  'MIT': { risk: Severity.INFO, note: '宽松许可证，可自由使用' },
+  'Apache-2.0': { risk: Severity.INFO, note: '宽松许可证，可自由使用' },
+  'BSD-2-Clause': { risk: Severity.INFO, note: '宽松许可证，可自由使用' },
+  'BSD-3-Clause': { risk: Severity.INFO, note: '宽松许可证，可自由使用' },
+  'ISC': { risk: Severity.INFO, note: '宽松许可证，可自由使用' },
+
+  // Unknown or custom
+  'UNLICENSED': { risk: Severity.HIGH, note: '未授权，禁止使用' },
+  'SEE LICENSE': { risk: Severity.MEDIUM, note: '需查看具体许可证' },
+  'CUSTOM': { risk: Severity.MEDIUM, note: '自定义许可证，需审核' }
+};
+
+/**
+ * Analyze package.json dependencies
+ * @param {string} projectPath - Project root path
+ * @returns {Array<Object>} Dependency issues
+ */
+export function analyzeDependencies(projectPath) {
+  const issues = [];
+  const packageJsonPath = path.join(projectPath, 'package.json');
+
+  if (!fs.existsSync(packageJsonPath)) {
+    return [{
+      severity: Severity.INFO,
+      type: '无 package.json',
+      line: 1,
+      message: '未找到 package.json 文件',
+      suggestion: '如果是 Node.js 项目，请创建 package.json'
+    }];
+  }
+
+  try {
+    const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));
+    const dependencies = {
+      ...packageJson.dependencies,
+      ...packageJson.devDependencies,
+      ...packageJson.peerDependencies,
+      ...packageJson.optionalDependencies
+    };
+
+    Object.entries(dependencies).forEach(([name, version]) => {
+      // Clean version string
+      const cleanVersion = version.replace(/^[\^~>=<]+/, '');
+
+      // Check for known vulnerabilities
+      const vulnInfo = KNOWN_VULNERABILITIES[name];
+      if (vulnInfo) {
+        issues.push({
+          severity: vulnInfo.severity,
+          type: '安全漏洞',
+          package: name,
+          version,
+          message: `${name} ${version}: ${vulnInfo.issue}`,
+          suggestion: `升级到 ${vulnInfo.fixed} 或更高版本`
+        });
+      }
+
+      // Check for deprecated versions
+      if (version === '*' || version === 'latest') {
+        issues.push({
+          severity: Severity.LOW,
+          type: '版本锁定',
+          package: name,
+          version,
+          message: `依赖 ${name} 使用 ${version} 版本，可能导致不稳定`,
+          suggestion: '锁定具体版本号'
+        });
+      }
+
+      // Check for empty version
+      if (version === '' || version === '0.0.0') {
+        issues.push({
+          severity: Severity.MEDIUM,
+          type: '无效版本',
+          package: name,
+          version,
+          message: `依赖 ${name} 版本号无效`,
+          suggestion: '指定有效的版本号'
+        });
+      }
+    });
+
+    // Check for outdated packages by checking package-lock.json
+    const lockPath = path.join(projectPath, 'package-lock.json');
+    if (!fs.existsSync(lockPath) && Object.keys(packageJson.dependencies || {}).length > 0) {
+      issues.push({
+        severity: Severity.INFO,
+        type: '无 package-lock.json',
+        package: '',
+        version: '',
+        message: '缺少 package-lock.json，可能导致依赖版本不一致',
+        suggestion: '运行 npm install 生成 package-lock.json'
+      });
+    }
+
+    // Check for security audit availability
+    // This is informational, not an issue
+    if (Object.keys(packageJson.dependencies || {}).length > 50) {
+      issues.push({
+        severity: Severity.INFO,
+        type: '依赖数量',
+        package: '',
+        version: '',
+        message: `项目依赖较多 (${Object.keys(dependencies).length} 个)，建议定期审计`,
+        suggestion: '定期运行 npm audit 检查安全漏洞'
+      });
+    }
+
+  } catch (error) {
+    issues.push({
+      severity: Severity.MEDIUM,
+      type: '解析错误',
+      package: '',
+      version: '',
+      message: `无法解析 package.json: ${error.message}`,
+      suggestion: '检查 package.json 格式是否正确'
+    });
+  }
+
+  return issues;
+}
+
+/**
+ * Analyze license compliance
+ * @param {string} projectPath - Project root path
+ * @returns {Array<Object>} License issues
+ */
+export function analyzeLicenses(projectPath) {
+  const issues = [];
+  const packageJsonPath = path.join(projectPath, 'package.json');
+
+  if (!fs.existsSync(packageJsonPath)) {
+    return issues;
+  }
+
+  try {
+    const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf-8'));
+    const ownLicense = packageJson.license || 'UNLICENSED';
+
+    // Check project's own license
+    const licenseInfo = LICENSE_RISKS[ownLicense] || LICENSE_RISKS.CUSTOM;
+    if (licenseInfo.risk !== Severity.INFO) {
+      issues.push({
+        severity: licenseInfo.risk,
+        type: '许可证风险',
+        package: '(项目)',
+        version: '',
+        message: `项目许可证: ${ownLicense} - ${licenseInfo.note}`,
+        suggestion: '确保许可证符合项目需求'
+      });
+    }
+
+    // If there's a license file, check it
+    const licenseFiles = ['LICENSE', 'LICENSE.md', 'license', 'license.txt'];
+    for (const file of licenseFiles) {
+      const licensePath = path.join(projectPath, file);
+      if (fs.existsSync(licensePath)) {
+        const content = fs.readFileSync(licensePath, 'utf-8');
+        if (content.length < 10) {
+          issues.push({
+            severity: Severity.MEDIUM,
+            type: '许可证文件',
+            package: '',
+            version: '',
+            message: 'LICENSE 文件内容过短或为空',
+            suggestion: '添加完整的许可证文本'
+          });
+        }
+        break;
+      }
+    }
+
+  } catch (error) {
+    issues.push({
+      severity: Severity.LOW,
+      type: '许可证解析错误',
+      package: '',
+      version: '',
+      message: `无法检查许可证: ${error.message}`,
+      suggestion: '检查 package.json 中的 license 字段'
+    });
+  }
+
+  return issues;
+}
+
+/**
+ * Run dependency analysis
+ * @param {string} projectPath - Project root path
+ * @param {Object} options - Analysis options
+ * @returns {Promise<Array<Object>>} Dependency issues
+ */
+export async function runDependencyAnalysis(projectPath, options = {}) {
+  const issues = [];
+
+  // Run pattern-based analysis
+  issues.push(...analyzeDependencies(projectPath));
+  issues.push(...analyzeLicenses(projectPath));
+
+  // Sort by severity
+  const severityOrder = {
+    [Severity.CRITICAL]: 0,
+    [Severity.HIGH]: 1,
+    [Severity.MEDIUM]: 2,
+    [Severity.LOW]: 3,
+    [Severity.INFO]: 4
+  };
+
+  issues.sort((a, b) => {
+    return (severityOrder[a.severity] || 5) - (severityOrder[b.severity] || 5);
+  });
+
+  return issues;
+}
+
+export default {
+  analyzeDependencies,
+  analyzeLicenses,
+  runDependencyAnalysis,
+  KNOWN_VULNERABILITIES,
+  LICENSE_RISKS
+};

package/src/ai/analyzer/index.js

@@ -0,0 +1,234 @@
+import { runSecurityAnalysis } from './security.js';
+import { runQualityAnalysis } from './quality.js';
+import { runDependencyAnalysis } from './dependency.js';
+import { Severity } from '../../report/formatter.js';
+
+/**
+ * Analysis types
+ */
+export const AnalysisType = {
+  SECURITY: 'security',
+  QUALITY: 'quality',
+  DEPENDENCY: 'dependency',
+  FULL: 'full'
+};
+
+/**
+ * Create analysis engine
+ * @param {Object} options - Engine options
+ * @returns {Object} Analysis engine instance
+ */
+export function createAnalyzer(options = {}) {
+  const {
+    provider,
+    useAI = false,
+    projectPath = process.cwd()
+  } = options;
+
+  return {
+    provider,
+    useAI,
+    projectPath,
+
+    /**
+     * Analyze a single file
+     * @param {string} filePath - File path
+     * @param {string} content - File content
+     * @param {string} type - Analysis type
+     * @returns {Promise<Array<Object>>} Issues
+     */
+    async analyzeFile(filePath, content, type = AnalysisType.FULL) {
+      const language = detectLanguage(filePath);
+      const issues = [];
+
+      if (type === AnalysisType.SECURITY || type === AnalysisType.FULL) {
+        issues.push(...await runSecurityAnalysis(content, language, {
+          useAI: this.useAI,
+          provider: this.provider
+        }));
+      }
+
+      if (type === AnalysisType.QUALITY || type === AnalysisType.FULL) {
+        issues.push(...await runQualityAnalysis(content, language, {
+          useAI: this.useAI,
+          provider: this.provider
+        }));
+      }
+
+      return issues;
+    },
+
+    /**
+     * Analyze dependencies
+     * @param {string} projectPath - Project path
+     * @returns {Promise<Array<Object>>} Issues
+     */
+    async analyzeDependency(projectPath) {
+      return await runDependencyAnalysis(projectPath || this.projectPath);
+    },
+
+    /**
+     * Analyze multiple files
+     * @param {Array<Object>} files - Files to analyze [{path, content}]
+     * @param {string} type - Analysis type
+     * @returns {Promise<Object>} Analysis report
+     */
+    async analyzeFiles(files, type = AnalysisType.FULL) {
+      const allIssues = [];
+      const byFile = {};
+
+      for (const file of files) {
+        const fileIssues = await this.analyzeFile(file.path, file.content, type);
+
+        if (fileIssues.length > 0) {
+          byFile[file.path] = fileIssues;
+          allIssues.push(...fileIssues);
+        }
+      }
+
+      return this.createReport(allIssues, byFile);
+    },
+
+    /**
+     * Run full project analysis
+     * @param {string} type - Analysis type
+     * @returns {Promise<Object>} Analysis report
+     */
+    async runAnalysis(type = AnalysisType.FULL) {
+      const { collectFiles } = await import('./collector.js');
+      const files = await collectFiles(this.projectPath);
+
+      let report = {
+        summary: { critical: 0, high: 0, medium: 0, low: 0, info: 0 },
+        issues: [],
+        byFile: {}
+      };
+
+      // Analyze code files
+      if (type === AnalysisType.SECURITY ||
+          type === AnalysisType.QUALITY ||
+          type === AnalysisType.FULL) {
+        const codeReport = await this.analyzeFiles(files, type);
+        report = combineReports(report, codeReport);
+      }
+
+      // Analyze dependencies
+      if (type === AnalysisType.DEPENDENCY || type === AnalysisType.FULL) {
+        const depIssues = await this.analyzeDependency();
+        if (depIssues.length > 0) {
+          report.byFile['package.json'] = depIssues;
+          report.issues.push(...depIssues);
+        }
+      }
+
+      // Calculate summary
+      report.summary = calculateSummary(report.issues);
+
+      return report;
+    },
+
+    /**
+     * Create analysis report
+     * @param {Array} issues - All issues
+     * @param {Object} byFile - Issues grouped by file
+     * @returns {Object} Report object
+     */
+    createReport(issues, byFile) {
+      return {
+        summary: calculateSummary(issues),
+        issues,
+        byFile,
+        timestamp: new Date().toISOString()
+      };
+    }
+  };
+}
+
+/**
+ * Detect programming language from file path
+ * @param {string} filePath - File path
+ * @returns {string} Language name
+ */
+function detectLanguage(filePath) {
+  const ext = filePath.split('.').pop()?.toLowerCase();
+
+  const languageMap = {
+    js: 'javascript',
+    jsx: 'javascript',
+    ts: 'typescript',
+    tsx: 'typescript',
+    vue: 'vue',
+    py: 'python',
+    rb: 'ruby',
+    go: 'go',
+    java: 'java',
+    kt: 'kotlin',
+    rs: 'rust',
+    c: 'c',
+    cpp: 'cpp',
+    h: 'c',
+    hpp: 'cpp',
+    php: 'php',
+    cs: 'csharp',
+    swift: 'swift',
+    m: 'objectivec',
+    sh: 'shell',
+    bash: 'shell',
+    sql: 'sql',
+    html: 'html',
+    css: 'css',
+    scss: 'scss',
+    less: 'less',
+    json: 'json',
+    yaml: 'yaml',
+    yml: 'yaml',
+    md: 'markdown'
+  };
+
+  return languageMap[ext] || 'unknown';
+}
+
+/**
+ * Calculate issue summary
+ * @param {Array} issues - Issues array
+ * @returns {Object} Summary object
+ */
+function calculateSummary(issues) {
+  const summary = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0,
+    info: 0
+  };
+
+  for (const issue of issues) {
+    const sev = issue.severity?.toLowerCase();
+    if (sev in summary) {
+      summary[sev]++;
+    }
+  }
+
+  return summary;
+}
+
+/**
+ * Combine two reports
+ * @param {Object} target - Target report
+ * @param {Object} source - Source report
+ * @returns {Object} Combined report
+ */
+function combineReports(target, source) {
+  return {
+    summary: calculateSummary([...target.issues, ...source.issues]),
+    issues: [...target.issues, ...source.issues],
+    byFile: { ...target.byFile, ...source.byFile },
+    timestamp: new Date().toISOString()
+  };
+}
+
+export default {
+  createAnalyzer,
+  AnalysisType,
+  detectLanguage
+};