prscan 1.0.0

package/src/bot/lark.ts

@@ -0,0 +1,184 @@
+// SDK 使用说明 SDK user guide：https://open.feishu.cn/document/uAjLw4CM/ukTMukTMukTM/server-side-sdk/nodejs-sdk/preparation-before-development
+import http from "http";
+import * as lark from "@larksuiteoapi/node-sdk";
+import { scanPRRisks } from "../tool/prscan.js";
+import { makeReportInMd, md2Img } from "../report/index.js";
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+
+const encryptKey = process.env.key;
+const verificationToken = process.env.token;
+const appId = process.env.id;
+const appSecret = process.env.secret;
+const bindPath = process.env.path || "/larkbot/event";
+const port = process.env.port || 12345;
+
+console.log("Lark Bot starting...");
+console.log("App ID:", appId);
+console.log("App Secret:", appSecret);
+console.log("Encrypt Key:", encryptKey);
+console.log("Verification Token:", verificationToken);
+console.log("Event Path:", bindPath);
+console.log("Listening on Port:", port);
+
+const client = new lark.Client({
+    appId: appId ?? "",
+    appSecret: appSecret ?? "",
+});
+
+// 注册事件 Register event
+const eventDispatcher = new lark.EventDispatcher({
+    logger: console,
+    loggerLevel: 5,
+    encryptKey: encryptKey ?? "",
+    verificationToken: verificationToken ?? "",
+}).register({
+    "im.message.receive_v1": async (data) => {
+        if (data.message.message_type !== "text") {
+            client.im.message.reply({
+                path: {
+                    message_id: data.message.message_id,
+                },
+                data: {
+                    content: JSON.stringify({
+                        text:
+                            "只支持文本消息，收到消息类型：" +
+                            data.message.message_type,
+                    }),
+                    msg_type: "text",
+                },
+            });
+            return "success";
+        }
+
+        const msg = JSON.parse(data.message.content).text as any;
+
+        // 提取PR链接
+        const prRegex =
+            /(https:\/\/github\.com\/[^\s\/]+\/[^\s\/]+\/pull\/\d+)/g;
+        const prLinks = msg.match(prRegex);
+
+        if (prLinks == null || prLinks.length === 0) {
+            client.im.message.reply({
+                path: {
+                    message_id: data.message.message_id,
+                },
+                data: {
+                    content: JSON.stringify({ text: "未提取到PR链接" }),
+                    msg_type: "text",
+                },
+            });
+            return "success";
+        }
+
+        for (const prLink of prLinks) {
+            // 提取owner、repo、pr_number
+            const match = prLink.match(
+                /https:\/\/github\.com\/([^\/]+)\/([^\/]+)\/pull\/(\d+)/
+            );
+            if (match) {
+                const owner = match[1];
+                const repo = match[2];
+                const prNumber = match[3];
+
+                scanPRRisks(owner, repo, prNumber)
+                    .then((result) => {
+                        const report = makeReportInMd(result!);
+
+                        client.im.message.reply({
+                            path: {
+                                message_id: data.message.message_id,
+                            },
+                            data: {
+                                content: JSON.stringify({
+                                    zh_cn: {
+                                        title: `PR安全扫描结果 - ${owner}/${repo}#${prNumber}`,
+                                        content: [
+                                            [
+                                                {
+                                                    tag: "text",
+                                                    text: `摘要: ${report.abstract}\n详细结果见下图:`,
+                                                },
+                                                {
+                                                    tag: "md",
+                                                    text: report.report,
+                                                },
+                                            ],
+                                        ],
+                                    },
+                                }),
+                                msg_type: "post",
+                            },
+                        });
+                    })
+                    .catch((error) => {
+                        client.im.message.reply({
+                            path: {
+                                message_id: data.message.message_id,
+                            },
+                            data: {
+                                content: JSON.stringify({
+                                    text: `扫描PR ${prLink} 失败: ${error.message}`,
+                                }),
+                                msg_type: "text",
+                            },
+                        });
+                    });
+            }
+        }
+        // console.log(data);
+
+        // client.im.message.reply({
+        //     path: {
+        //       message_id: data.message.message_id,
+        //     },
+        //     data: {
+        //       content: JSON.stringify({"text": "收到消息：" + data.message.text}),
+        //       msg_type: "text"
+        //     }
+        // });
+        return "success";
+    },
+});
+
+const server = http.createServer();
+// 创建路由处理器 Create route handler
+server.on(
+    "request",
+    lark.adaptDefault(bindPath, eventDispatcher, {
+        autoChallenge: true,
+    })
+);
+
+server.listen(port);
+
+function createReadStreamFromBuffer(buffer: Buffer, options = {}) {
+    // 在系统临时目录创建文件
+    const tempDir = os.tmpdir();
+    const tempFile = path.join(
+        tempDir,
+        `buffer-stream-${Date.now()}-${Math.random().toString(36).substr(2)}`
+    );
+
+    // 同步写入临时文件
+    fs.writeFileSync(tempFile, buffer);
+
+    // 创建 read stream
+    const readStream = fs.createReadStream(tempFile, options);
+
+    // 自动清理临时文件
+    const cleanup = () => {
+        fs.unlink(tempFile, (err) => {
+            if (err && err.code !== "ENOENT") {
+                console.error("清理临时文件失败:", err);
+            }
+        });
+    };
+
+    readStream.on("close", cleanup);
+    readStream.on("error", cleanup);
+    readStream.on("end", cleanup);
+
+    return readStream;
+}

package/src/cli/cli.ts

@@ -0,0 +1,80 @@
+import { program } from "commander";
+import { execSync } from "child_process";
+import { scanByFileDiff, scanPRRisks } from "../tool/prscan.js";
+import { writeFileSync } from "fs";
+import { makeReportInMd } from "../report/index.js";
+program
+    .command("branch")
+    .description("根据分支文件变更分析NPM依赖变更")
+    .argument("<base>", "基础分支")
+    .argument("<head>", "变更分支")
+    .option("-r, --repo <repo>", "仓库路径", ".")
+    .option("-o, --output <output>", "输出文件路径，若不指定则输出到控制台", "")
+    .action(async (base: string, head: string, options: { repo: string, output: string }) => {
+        console.log(`分析 ${options.repo} 仓库从 ${base} 到 ${head} 的变更`);
+        const output = execSync(`git diff --name-only ${base} ${head}`, { cwd: options.repo }).toString();
+        const files = [];
+        for (let line of output.split("\n")) {
+            line = line.trim();
+            if (line.endsWith("yarn.lock")) {
+                console.log(`  发现变更: ${line}`);
+            } else if (line.endsWith("pnpm-lock.yaml")) {
+                console.log(`  发现变更: ${line}`);
+            } else if (line.endsWith("package-lock.json")) {
+                console.error(`  发现变更: ${line} (暂不支持分析package-lock.json)`);
+                continue;
+            } else {
+                continue;
+            }
+
+            const file1 = execSync(`git show ${base}:${line}`, { cwd: options.repo }).toString();
+            const file2 = execSync(`git show ${head}:${line}`, { cwd: options.repo }).toString();
+            files.push({
+                filename: line,
+                oldContent: file1,
+                newContent: file2,
+            });
+        }
+
+        const sr = await scanByFileDiff(files);
+        
+        const report = makeReportInMd(sr);
+        if (options.output.length > 0) {
+            
+            writeFileSync(options.output, report.report, { encoding: "utf-8" });
+            console.log(`分析报告已写入 ${options.output}`);
+        } else {
+            console.log(report.report);
+        }
+    });
+
+program.command("github").description("根据GitHub Pull Request分析NPM依赖变更")
+    .argument("<link>", "Pull Request链接")
+    .option("-t, --token <token>", "GitHub访问令牌", "")
+    .option("-o, --output <output>", "输出文件路径，若不指定则输出到控制台", "")
+    .action(async (link: string, options: { token: string, output: string }) => {
+        console.log(`分析 Pull Request: ${link}`);
+
+        const match = link.match(
+                /https:\/\/github\.com\/([^\/]+)\/([^\/]+)\/pull\/(\d+)/
+            );
+            if (match) {
+                const owner = match[1];
+                const repo = match[2];
+                const prNumber = match[3];
+
+                const sr = await scanPRRisks(owner!, repo!, parseInt(prNumber!), options.token);
+                const report = makeReportInMd(sr!);
+                if (options.output.length > 0) {
+                    writeFileSync(options.output, report.report, { encoding: "utf-8" });
+                    console.log(`分析报告已写入 ${options.output}`);
+                } else {
+                    console.log(report.report);
+                }
+            } else {
+                console.error("无法解析Pull Request链接");
+                return;
+            }
+    });
+
+program.parse();

package/src/index.ts

@@ -0,0 +1,67 @@
+import { Octokit } from "octokit";
+import { GitHubRepo } from "./util/repo.js";
+import { parseSyml } from '@yarnpkg/parsers';
+import { YarnLockParser } from "./util/parse.js";
+import { getNpmPackageInfo, getNpmPackageDownloadStats } from "./util/npm.js";
+import { scanPRRisks } from "./tool/prscan.js";
+import { makeReportInMd, md2Img } from "./report/index.js";
+import { writeFileSync } from "node:fs";
+
+
+// https://github.com/DeBankDeFi/defi-insight-react/pull/2323
+
+const pr = await scanPRRisks(
+    "DeBankDeFi",
+    "defi-insight-react",
+    2323,
+    "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")
+
+const r = makeReportInMd(pr!);
+
+const img = await md2Img(r.report);
+if (img) {
+    writeFileSync("report.png", img);
+}
+
+console.log(r.abstract, "\n", r.report);
+
+
+// 取消注释来测试
+// await testNpmDownloads();
+
+
+// const repo = new GitHubRepo("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");
+
+// const prinfo = await repo.getPRInfo("RabbyHub", "rabby-mobile", 1082);
+
+// const prfiles = await repo.getPRChangedFiles("RabbyHub", "rabby-mobile", 1082, 100);
+// // console.log(prfiles);
+
+// for (let i = 0; i < prfiles.length; i++) {
+//     const file = prfiles[i]!;
+
+//     if (file.filename !== "yarn.lock") {
+//         continue;
+//     }
+
+//     if (file.status !== "modified") {
+//         continue;
+//     }
+
+//     const content = await repo.getTextFileContent(
+//         "RabbyHub",
+//         "rabby-mobile",
+//         file.filename,
+//         prinfo.head.sha
+//     );
+
+//     if (content === null) {
+//         console.log("Failed to fetch file content");
+//         continue;
+//     }
+    
+//     const parser = new YarnLockParser(content);
+//     const deps = parser.getDependencies();
+//     console.log(YarnLockParser.deps2Set(deps));
+//     debugger
+// }

package/src/report/index.ts

@@ -0,0 +1,50 @@
+import { type PRScanResult } from '../tool/prscan.js';
+import got from 'got';
+
+export function makeReportInMd(sr: PRScanResult): {
+    report: string;
+    abstract: string;
+} {
+    const risksCount = sr.changedDeps.reduce((acc, dep) => acc + dep.risks.length, 0);
+    let abstract = "共有 " + sr.changedDeps.length + " 个依赖变更, 包含 " + risksCount + " 个风险";
+
+    let md = "# PR扫描结果\n";
+    md += `## 依赖变更\n\n`;
+    if (sr.changedDeps.length === 0) {
+        md += "无依赖变更\n";
+    } else {
+        md += "```\n";
+        md += "| 依赖 | 版本 | 风险 | 下载 | 周下载量 | 最新版 |\n";
+        md += "|:---- |:---- |:---- |:---- |:---- |:---- |\n";
+        const depSorted = sr.changedDeps.sort((a, b) => b.risks.length - a.risks.length);
+        for (const dep of depSorted) {
+            md += `| ${dep.name} | ${dep.version} | ${dep.risks.length} | ${dep.packageInfo.versions[dep.version]!.dist.tarball} | ${dep.downloadInfo.downloads} | ${dep.packageInfo["dist-tags"].latest} |\n`;
+        }
+        md += "\n```\n\n";
+
+        md += "\n## 详细风险信息\n\n";
+        for (const dep of depSorted) {
+            if (dep.risks.length === 0) {
+                continue;
+            }
+            md += `### ${dep.name} @ ${dep.version}\n\n`;
+            for (const risk of dep.risks) {
+                md += `- **【${risk.level === "low" ? "低危" : (risk.level === "medium" ? "中危" : "高危")}】** ${risk.desc}:\n\n\`\`\`\n${risk.info}\n\`\`\`\n\n`;
+            }
+            md += "\n";
+        }
+    }
+
+    return {
+        report: md,
+        abstract
+    }
+}
+
+export async function md2Img(md: string): Promise<Buffer | null> {
+    try {
+        return (await got(`https://readpo.com/p/${encodeURIComponent(md)}`)).rawBody;
+    } catch {
+        return null;
+    }
+}