pqm-cli 1.0.0

package/src/ai/analyzer/quality.js

@@ -0,0 +1,241 @@
+import { Severity } from '../../report/formatter.js';
+
+/**
+ * Default configuration for quality analysis
+ */
+const CONFIG = {
+  maxLineLength: 120,
+  maxFunctionLength: 50,
+  maxComplexity: 15,
+  maxParams: 5,
+  maxNestingLevel: 4
+};
+
+/**
+ * Analyze code quality
+ * @param {string} code - Code to analyze
+ * @param {string} language - Programming language
+ * @returns {Array<Object>} Quality issues
+ */
+export function analyzeQualityPatterns(code, language) {
+  const issues = [];
+  const lines = code.split('\n');
+
+  // Check line lengths
+  lines.forEach((line, index) => {
+    // Skip comments and strings for length check
+    const trimmed = line.trimEnd();
+    if (trimmed.length > CONFIG.maxLineLength) {
+      issues.push({
+        severity: Severity.LOW,
+        type: '行过长',
+        line: index + 1,
+        message: `行长度 ${trimmed.length} 超过建议值 ${CONFIG.maxLineLength}`,
+        suggestion: '将长行拆分为多行，提高可读性'
+      });
+    }
+  });
+
+  // Check for TODO/FIXME/HACK
+  const todoPatterns = [
+    { pattern: /\/\/\s*TODO:/gi, type: 'TODO' },
+    { pattern: /\/\/\s*FIXME:/gi, type: 'FIXME' },
+    { pattern: /\/\/\s*HACK:/gi, type: 'HACK' },
+    { pattern: /\/\/\s*XXX:/gi, type: 'XXX' },
+    { pattern: /#\s*TODO:/gi, type: 'TODO' },
+    { pattern: /#\s*FIXME:/gi, type: 'FIXME' },
+    { pattern: /\/\*\s*TODO:/gi, type: 'TODO' }
+  ];
+
+  lines.forEach((line, index) => {
+    for (const { pattern, type } of todoPatterns) {
+      if (pattern.test(line)) {
+        issues.push({
+          severity: Severity.INFO,
+          type: `${type} 标记`,
+          line: index + 1,
+          message: `检测到 ${type} 标记`,
+          suggestion: '处理待办事项或移除标记'
+        });
+      }
+    }
+  });
+
+  // Check for console.log/debug statements
+  const debugPatterns = [
+    /console\.log\s*\(/g,
+    /console\.debug\s*\(/g,
+    /console\.warn\s*\(/g,
+    /debugger\s*;?/g
+  ];
+
+  debugPatterns.forEach(pattern => {
+    lines.forEach((line, index) => {
+      if (pattern.test(line)) {
+        // Skip if it's in a comment
+        if (line.trim().startsWith('//') || line.trim().startsWith('*')) {
+          return;
+        }
+
+        issues.push({
+          severity: Severity.INFO,
+          type: '调试代码',
+          line: index + 1,
+          message: '检测到调试语句',
+          suggestion: '生产环境应移除或使用日志框架'
+        });
+      }
+    });
+  });
+
+  // Check for empty catch blocks
+  const emptyCatchPattern = /catch\s*\([^)]*\)\s*\{\s*\}/g;
+  let match;
+  while ((match = emptyCatchPattern.exec(code)) !== null) {
+    const lineNumber = code.substring(0, match.index).split('\n').length;
+    issues.push({
+      severity: Severity.MEDIUM,
+      type: '空 catch 块',
+      line: lineNumber,
+      message: '检测到空的 catch 块，可能隐藏错误',
+      suggestion: '添加错误处理逻辑或日志'
+    });
+  }
+
+  // Check for var keyword in JS
+  if (language === 'javascript' || language === 'typescript') {
+    const varPattern = /\bvar\s+\w+/g;
+    lines.forEach((line, index) => {
+      if (varPattern.test(line) && !line.includes('//') && !line.trim().startsWith('*')) {
+        issues.push({
+          severity: Severity.LOW,
+          type: 'var 关键字',
+          line: index + 1,
+          message: '使用 var 声明变量可能导致作用域问题',
+          suggestion: '使用 const 或 let 替代'
+        });
+      }
+    });
+  }
+
+  // Check for == instead of ===
+  if (language === 'javascript' || language === 'typescript') {
+    const looseEqPattern = /[^=!]==[^=]/g;
+    lines.forEach((line, index) => {
+      // Skip comments
+      const commentIndex = line.indexOf('//');
+      const codePart = commentIndex >= 0 ? line.substring(0, commentIndex) : line;
+
+      if (looseEqPattern.test(codePart)) {
+        issues.push({
+          severity: Severity.LOW,
+          type: '宽松相等',
+          line: index + 1,
+          message: '使用 == 可能导致类型转换问题',
+          suggestion: '使用 === 进行严格相等比较'
+        });
+      }
+    });
+  }
+
+  // Check function length (simplified)
+  const functionPattern = /function\s+\w+\s*\([^)]*\)\s*\{((?:[^{}]|\{(?:[^{}]|\{[^{}]*\})*\})*)\}/g;
+  while ((match = functionPattern.exec(code)) !== null) {
+    const functionBody = match[1];
+    const bodyLines = functionBody.split('\n').length;
+    const lineNumber = code.substring(0, match.index).split('\n').length;
+
+    if (bodyLines > CONFIG.maxFunctionLength) {
+      issues.push({
+        severity: Severity.LOW,
+        type: '函数过长',
+        line: lineNumber,
+        message: `函数体 ${bodyLines} 行，超过建议值 ${CONFIG.maxFunctionLength}`,
+        suggestion: '拆分函数，保持单一职责'
+      });
+    }
+  }
+
+  // Check for deeply nested code (simplified)
+  let maxIndent = 0;
+  lines.forEach((line, index) => {
+    if (line.trim().length === 0) return;
+
+    const indent = line.search(/\S|$/);
+    const nestingLevel = Math.floor(indent / 2);
+
+    if (nestingLevel > CONFIG.maxNestingLevel) {
+      issues.push({
+        severity: Severity.LOW,
+        type: '嵌套过深',
+        line: index + 1,
+        message: `嵌套深度 ${nestingLevel}，超过建议值 ${CONFIG.maxNestingLevel}`,
+        suggestion: '重构代码，减少嵌套层级'
+      });
+    }
+  });
+
+  return issues;
+}
+
+/**
+ * Analyze code quality with AI (optional)
+ * @param {Object} provider - AI provider instance
+ * @param {string} code - Code to analyze
+ * @param {string} language - Programming language
+ * @returns {Promise<Array<Object>>} Quality issues
+ */
+export async function analyzeQualityWithAI(provider, code, language) {
+  if (!provider) {
+    return [];
+  }
+
+  try {
+    const result = await provider.analyzeCode(code, language, { type: 'quality' });
+
+    if (result.raw) {
+      return [{
+        severity: Severity.INFO,
+        type: 'AI 分析',
+        line: 1,
+        message: result.analysis,
+        suggestion: ''
+      }];
+    }
+
+    return result.issues || [];
+  } catch (error) {
+    return [{
+      severity: Severity.LOW,
+      type: 'AI 分析错误',
+      line: 1,
+      message: `AI 分析失败: ${error.message}`,
+      suggestion: '请检查网络连接和 API 配置'
+    }];
+  }
+}
+
+/**
+ * Run quality analysis
+ * @param {string} code - Code to analyze
+ * @param {string} language - Programming language
+ * @param {Object} options - Analysis options
+ * @returns {Array<Object>} Quality issues
+ */
+export async function runQualityAnalysis(code, language, options = {}) {
+  const patternIssues = analyzeQualityPatterns(code, language);
+
+  let aiIssues = [];
+  if (options.useAI && options.provider) {
+    aiIssues = await analyzeQualityWithAI(options.provider, code, language);
+  }
+
+  return [...patternIssues, ...aiIssues];
+}
+
+export default {
+  analyzeQualityPatterns,
+  analyzeQualityWithAI,
+  runQualityAnalysis,
+  CONFIG
+};

package/src/ai/analyzer/security.js

@@ -0,0 +1,302 @@
+import { Severity } from '../../report/formatter.js';
+
+/**
+ * Security vulnerability patterns
+ */
+const PATTERNS = {
+  // XSS vulnerabilities
+  xss: [
+    {
+      pattern: /innerHTML\s*=\s*[^;]*\+/gi,
+      message: '使用 innerHTML 拼接内容可能导致 XSS 攻击',
+      suggestion: '使用 textContent 或创建 DOM 节点来设置内容'
+    },
+    {
+      pattern: /document\.write\s*\(/gi,
+      message: '使用 document.write 可能导致 XSS 攻击',
+      suggestion: '使用 DOM 操作方法替代 document.write'
+    },
+    {
+      pattern: /\.html\s*\(\s*[^)]*\+/gi,
+      message: 'jQuery .html() 拼接内容可能导致 XSS 攻击',
+      suggestion: '使用 .text() 或对内容进行转义处理'
+    },
+    {
+      pattern: /dangerouslySetInnerHTML/gi,
+      message: 'React dangerouslySetInnerHTML 可能导致 XSS 攻击',
+      suggestion: '避免使用 dangerouslySetInnerHTML，或确保内容已转义'
+    }
+  ],
+
+  // SQL injection
+  sqlInjection: [
+    {
+      pattern: /query\s*\(\s*[`'"]\s*SELECT.*\$\{.*\}/gis,
+      message: 'SQL 查询拼接变量可能导致 SQL 注入',
+      suggestion: '使用参数化查询或 ORM'
+    },
+    {
+      pattern: /\.query\s*\(\s*[`'"].*\+/gi,
+      message: 'SQL 查询拼接字符串可能导致 SQL 注入',
+      suggestion: '使用参数化查询，避免直接拼接用户输入'
+    },
+    {
+      pattern: /execute\s*\(\s*[`'"].*\+/gi,
+      message: 'SQL 执行拼接字符串可能导致 SQL 注入',
+      suggestion: '使用参数化查询'
+    }
+  ],
+
+  // Command injection
+  commandInjection: [
+    {
+      pattern: /exec\s*\(\s*[`'"].*\+/gi,
+      message: '命令执行拼接字符串可能导致命令注入',
+      suggestion: '使用 child_process.spawn 并传递参数数组'
+    },
+    {
+      pattern: /execSync\s*\(\s*[`'"].*\+/gi,
+      message: '同步命令执行拼接字符串可能导致命令注入',
+      suggestion: '使用 child_process.spawnSync 并传递参数数组'
+    },
+    {
+      pattern: /spawn\s*\([^)]*\+/gi,
+      message: 'spawn 拼接命令可能导致命令注入',
+      suggestion: '分离命令和参数，使用数组形式传递'
+    }
+  ],
+
+  // Dangerous eval
+  evalUsage: [
+    {
+      pattern: /\beval\s*\(/gi,
+      message: '使用 eval 可能执行恶意代码',
+      suggestion: '避免使用 eval，使用 JSON.parse 解析 JSON'
+    },
+    {
+      pattern: /new\s+Function\s*\(/gi,
+      message: '使用 new Function 可能执行恶意代码',
+      suggestion: '避免动态创建函数'
+    },
+    {
+      pattern: /setTimeout\s*\(\s*[`'"]/gi,
+      message: 'setTimeout 传递字符串参数可能执行恶意代码',
+      suggestion: '传递函数引用而非字符串'
+    },
+    {
+      pattern: /setInterval\s*\(\s*[`'"]/gi,
+      message: 'setInterval 传递字符串参数可能执行恶意代码',
+      suggestion: '传递函数引用而非字符串'
+    }
+  ],
+
+  // Hardcoded secrets
+  hardcodedSecrets: [
+    {
+      pattern: /password\s*[:=]\s*['"][^'"]+['"]/gi,
+      message: '检测到硬编码密码',
+      suggestion: '从环境变量或配置文件读取密码'
+    },
+    {
+      pattern: /api[_-]?key\s*[:=]\s*['"][^'"]+['"]/gi,
+      message: '检测到硬编码 API Key',
+      suggestion: '从环境变量读取 API Key'
+    },
+    {
+      pattern: /secret[_-]?key\s*[:=]\s*['"][^'"]+['"]/gi,
+      message: '检测到硬编码密钥',
+      suggestion: '从环境变量或密钥管理服务读取'
+    },
+    {
+      pattern: /token\s*[:=]\s*['"]\w{16,}['"]/gi,
+      message: '检测到硬编码 Token',
+      suggestion: '从环境变量读取 Token'
+    },
+    {
+      pattern: /private[_-]?key\s*[:=]\s*['"][^'"]+['"]/gi,
+      message: '检测到硬编码私钥',
+      suggestion: '从安全存储读取私钥'
+    }
+  ],
+
+  // Path traversal
+  pathTraversal: [
+    {
+      pattern: /path\.join\s*\([^)]*\+/gi,
+      message: '路径拼接用户输入可能导致路径遍历攻击',
+      suggestion: '验证和清理用户输入，使用 path.resolve'
+    },
+    {
+      pattern: /\.+\//gi,
+      message: '检测到可能的路径遍历模式',
+      suggestion: '验证路径，确保不包含 ../ 等危险模式'
+    }
+  ],
+
+  // Insecure deserialization
+  insecureDeserialization: [
+    {
+      pattern: /yaml\.load\s*\(/gi,
+      message: 'yaml.load 可能导致不安全的反序列化',
+      suggestion: '使用 yaml.safeLoad 并限制对象类型'
+    },
+    {
+      pattern: /pickle\.loads?\s*\(/gi,
+      message: 'pickle 可能导致不安全的反序列化',
+      suggestion: '避免 pickle，使用 JSON 等 safer 格式'
+    }
+  ]
+};
+
+/**
+ * Analyze code for security vulnerabilities
+ * @param {string} code - Code to analyze
+ * @param {string} language - Programming language
+ * @returns {Array<Object>} List of security issues
+ */
+export function analyzeSecurityPatterns(code, language) {
+  const issues = [];
+  const lines = code.split('\n');
+
+  for (const [type, patterns] of Object.entries(PATTERNS)) {
+    for (const { pattern, message, suggestion } of patterns) {
+      let match;
+      const regex = new RegExp(pattern.source, pattern.flags);
+
+      while ((match = regex.exec(code)) !== null) {
+        // Line number
+        const lineNumber = code.substring(0, match.index).split('\n').length;
+
+        // Determine severity
+        const severity = getSeverity(type);
+
+        issues.push({
+          severity,
+          type: getTypeName(type),
+          line: lineNumber,
+          message,
+          suggestion,
+          match: match[0].substring(0, 50)
+        });
+      }
+    }
+  }
+
+  return issues;
+}
+
+/**
+ * Get severity based on vulnerability type
+ * @param {string} type - Vulnerability type
+ * @returns {string} Severity level
+ */
+function getSeverity(type) {
+  const critical = ['evalUsage', 'commandInjection', 'sqlInjection'];
+  const high = ['xss', 'hardcodedSecrets'];
+  const medium = ['pathTraversal', 'insecureDeserialization'];
+
+  if (critical.includes(type)) return Severity.CRITICAL;
+  if (high.includes(type)) return Severity.HIGH;
+  if (medium.includes(type)) return Severity.MEDIUM;
+  return Severity.LOW;
+}
+
+/**
+ * Get human readable type name
+ * @param {string} type - Internal type name
+ * @returns {string} Human readable name
+ */
+function getTypeName(type) {
+  const names = {
+    xss: 'XSS 跨站脚本',
+    sqlInjection: 'SQL 注入',
+    commandInjection: '命令注入',
+    evalUsage: '危险 eval',
+    hardcodedSecrets: '硬编码密钥',
+    pathTraversal: '路径遍历',
+    insecureDeserialization: '不安全反序列化'
+  };
+
+  return names[type] || type;
+}
+
+/**
+ * Analyze security with AI (optional)
+ * @param {Object} provider - AI provider instance
+ * @param {string} code - Code to analyze
+ * @param {string} language - Programming language
+ * @returns {Promise<Array<Object>>} Security issues
+ */
+export async function analyzeWithAI(provider, code, language) {
+  if (!provider) {
+    return [];
+  }
+
+  try {
+    const result = await provider.analyzeCode(code, language, { type: 'security' });
+
+    if (result.raw) {
+      // If AI returned raw text, try to extract issues
+      return [{
+        severity: Severity.INFO,
+        type: 'AI 分析',
+        line: 1,
+        message: result.analysis,
+        suggestion: ''
+      }];
+    }
+
+    return result.issues || [];
+  } catch (error) {
+    return [{
+      severity: Severity.LOW,
+      type: 'AI 分析错误',
+      line: 1,
+      message: `AI 分析失败: ${error.message}`,
+      suggestion: '请检查网络连接和 API 配置'
+    }];
+  }
+}
+
+/**
+ * Run security analysis
+ * @param {string} code - Code to analyze
+ * @param {string} language - Programming language
+ * @param {Object} options - Analysis options
+ * @returns {Array<Object>} Security issues
+ */
+export async function runSecurityAnalysis(code, language, options = {}) {
+  // First run pattern-based analysis
+  const patternIssues = analyzeSecurityPatterns(code, language);
+
+  // Optionally run AI analysis
+  let aiIssues = [];
+  if (options.useAI && options.provider) {
+    aiIssues = await analyzeWithAI(options.provider, code, language);
+  }
+
+  // Combine and deduplicate
+  const allIssues = [...patternIssues, ...aiIssues];
+
+  // Sort by severity
+  const severityOrder = {
+    [Severity.CRITICAL]: 0,
+    [Severity.HIGH]: 1,
+    [Severity.MEDIUM]: 2,
+    [Severity.LOW]: 3,
+    [Severity.INFO]: 4
+  };
+
+  allIssues.sort((a, b) => {
+    return (severityOrder[a.severity] || 5) - (severityOrder[b.severity] || 5);
+  });
+
+  return allIssues;
+}
+
+export default {
+  analyzeSecurityPatterns,
+  analyzeWithAI,
+  runSecurityAnalysis,
+  PATTERNS
+};

package/src/ai/index.js

@@ -0,0 +1,16 @@
+import { createProvider, getSupportedProviders } from './providers/index.js';
+import { createAnalyzer, AnalysisType } from './analyzer/index.js';
+
+export {
+  createProvider,
+  getSupportedProviders,
+  createAnalyzer,
+  AnalysisType
+};
+
+export default {
+  createProvider,
+  getSupportedProviders,
+  createAnalyzer,
+  AnalysisType
+};

package/src/ai/providers/bailian.js

@@ -0,0 +1,121 @@
+import { BaseAIProvider } from './base.js';
+import { post } from '../../utils/http.js';
+
+/**
+ * Alibaba Cloud Bailian (阿里云百炼) Provider
+ * API Documentation: https://help.aliyun.com/document_detail/2712195.html
+ */
+export class BailianProvider extends BaseAIProvider {
+  constructor(config = {}) {
+    super(config);
+    this.endpoint = config.endpoint || 'https://dashscope.aliyuncs.com/api/v1';
+    this.model = config.model || 'qwen-turbo';
+  }
+
+  getDefaultModel() {
+    return 'qwen-turbo';
+  }
+
+  getDefaultEndpoint() {
+    return 'https://dashscope.aliyuncs.com/api/v1';
+  }
+
+  async chat(prompt, options = {}) {
+    const url = `${this.endpoint}/services/aigc/text-generation/generation`;
+
+    const body = {
+      model: this.model,
+      input: {
+        messages: [
+          {
+            role: 'user',
+            content: prompt
+          }
+        ]
+      },
+      parameters: {
+        max_tokens: options.maxTokens || 4096,
+        temperature: options.temperature || 0.7,
+        result_format: 'message'
+      }
+    };
+
+    const headers = {
+      'Authorization': `Bearer ${this.apiKey}`,
+      'Content-Type': 'application/json'
+    };
+
+    try {
+      const response = await post(url, body, headers, 60000);
+
+      // Handle different response formats
+      if (response.output?.text) {
+        return response.output.text;
+      }
+
+      if (response.output?.choices?.[0]?.message?.content) {
+        return response.output.choices[0].message.content;
+      }
+
+      if (response.choices?.[0]?.message?.content) {
+        return response.choices[0].message.content;
+      }
+
+      throw new Error('Unexpected response format from Bailian API');
+    } catch (error) {
+      throw new Error(`Bailian API error: ${error.message}`);
+    }
+  }
+
+  async validateConfig() {
+    if (!this.apiKey) {
+      return false;
+    }
+
+    // Basic API key format check for Bailian
+    if (!this.apiKey.startsWith('sk-')) {
+      return false;
+    }
+
+    try {
+      // Try a minimal request to validate
+      const url = `${this.endpoint}/services/aigc/text-generation/generation`;
+      const body = {
+        model: this.model,
+        input: {
+          messages: [{ role: 'user', content: 'Hi' }]
+        },
+        parameters: {
+          max_tokens: 10,
+          result_format: 'message'
+        }
+      };
+
+      const headers = {
+        'Authorization': `Bearer ${this.apiKey}`,
+        'Content-Type': 'application/json'
+      };
+
+      await post(url, body, headers, 10000);
+      return true;
+    } catch (error) {
+      // If we get a 400 or 401, the key format is wrong
+      // If we get other errors, the endpoint might be working but other issues
+      return !error.message.includes('HTTP 401') && !error.message.includes('HTTP 403');
+    }
+  }
+
+  getInfo() {
+    return {
+      name: 'bailian',
+      displayName: '阿里云百炼',
+      model: this.model,
+      models: ['qwen-turbo', 'qwen-plus', 'qwen-max', 'qwen-max-longcontext'],
+      endpoint: this.endpoint,
+      configured: !!this.apiKey,
+      free: true // 百炼有免费额度
+    };
+  }
+}
+
+export default BailianProvider;