toolip 1.0.6 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +189 -448
- package/dist/src/analyzers/ast/ast-security-analyzer.d.ts +6 -0
- package/dist/src/analyzers/ast/ast-security-analyzer.js +64 -0
- package/dist/src/analyzers/ast/ast-security-analyzer.js.map +1 -0
- package/dist/src/analyzers/ast/rules.d.ts +48 -0
- package/dist/src/analyzers/ast/rules.js +39 -0
- package/dist/src/analyzers/ast/rules.js.map +1 -0
- package/dist/src/analyzers/ast/source-analysis.d.ts +2 -0
- package/dist/src/analyzers/ast/source-analysis.js +225 -0
- package/dist/src/analyzers/ast/source-analysis.js.map +1 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.d.ts +9 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.js +98 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.js.map +1 -0
- package/dist/src/analyzers/docker/analyzer.d.ts +6 -0
- package/dist/src/analyzers/docker/analyzer.js +103 -0
- package/dist/src/analyzers/docker/analyzer.js.map +1 -0
- package/dist/src/analyzers/git-history/analyzer.d.ts +8 -0
- package/dist/src/analyzers/git-history/analyzer.js +157 -0
- package/dist/src/analyzers/git-history/analyzer.js.map +1 -0
- package/dist/src/analyzers/git-history/secret-patterns.d.ts +7 -0
- package/dist/src/analyzers/git-history/secret-patterns.js +33 -0
- package/dist/src/analyzers/git-history/secret-patterns.js.map +1 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.d.ts +6 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.js +135 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.js.map +1 -0
- package/dist/src/analyzers/reachability/import-graph.d.ts +9 -0
- package/dist/src/analyzers/reachability/import-graph.js +110 -0
- package/dist/src/analyzers/reachability/import-graph.js.map +1 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.d.ts +16 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.js +95 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.js.map +1 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.d.ts +9 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.js +94 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.js.map +1 -0
- package/dist/src/analyzers/vulnerability/severity.d.ts +3 -0
- package/dist/src/analyzers/vulnerability/severity.js +13 -0
- package/dist/src/analyzers/vulnerability/severity.js.map +1 -0
- package/dist/src/application/analyzer-runner.d.ts +12 -0
- package/dist/src/application/analyzer-runner.js +45 -0
- package/dist/src/application/analyzer-runner.js.map +1 -0
- package/dist/src/commands/alternatives.d.ts +2 -0
- package/dist/src/commands/alternatives.js +17 -0
- package/dist/src/commands/alternatives.js.map +1 -0
- package/dist/src/commands/announce.d.ts +2 -0
- package/dist/src/commands/announce.js +27 -0
- package/dist/src/commands/announce.js.map +1 -0
- package/dist/src/commands/ast-scan.d.ts +2 -0
- package/dist/src/commands/ast-scan.js +86 -0
- package/dist/src/commands/ast-scan.js.map +1 -0
- package/dist/src/commands/audit-repo.d.ts +2 -0
- package/dist/src/commands/audit-repo.js +20 -0
- package/dist/src/commands/audit-repo.js.map +1 -0
- package/dist/src/commands/compare.d.ts +2 -0
- package/dist/src/commands/compare.js +19 -0
- package/dist/src/commands/compare.js.map +1 -0
- package/dist/src/commands/config.d.ts +2 -0
- package/dist/src/commands/config.js +69 -0
- package/dist/src/commands/config.js.map +1 -0
- package/dist/src/commands/dependency-confusion.d.ts +2 -0
- package/dist/src/commands/dependency-confusion.js +37 -0
- package/dist/src/commands/dependency-confusion.js.map +1 -0
- package/dist/src/commands/diff.d.ts +2 -0
- package/dist/src/commands/diff.js +24 -0
- package/dist/src/commands/diff.js.map +1 -0
- package/dist/src/commands/docker-scan.d.ts +2 -0
- package/dist/src/commands/docker-scan.js +34 -0
- package/dist/src/commands/docker-scan.js.map +1 -0
- package/dist/src/commands/doctor.d.ts +2 -0
- package/dist/src/commands/doctor.js +42 -0
- package/dist/src/commands/doctor.js.map +1 -0
- package/dist/src/commands/git-audit.d.ts +2 -0
- package/dist/src/commands/git-audit.js +37 -0
- package/dist/src/commands/git-audit.js.map +1 -0
- package/dist/src/commands/git-history.d.ts +2 -0
- package/dist/src/commands/git-history.js +40 -0
- package/dist/src/commands/git-history.js.map +1 -0
- package/dist/src/commands/history.d.ts +2 -0
- package/dist/src/commands/history.js +69 -0
- package/dist/src/commands/history.js.map +1 -0
- package/dist/src/commands/hook.d.ts +2 -0
- package/dist/src/commands/hook.js +16 -0
- package/dist/src/commands/hook.js.map +1 -0
- package/dist/src/commands/inspect.d.ts +2 -0
- package/dist/src/commands/inspect.js +24 -0
- package/dist/src/commands/inspect.js.map +1 -0
- package/dist/src/commands/install-scripts.d.ts +2 -0
- package/dist/src/commands/install-scripts.js +52 -0
- package/dist/src/commands/install-scripts.js.map +1 -0
- package/dist/src/commands/learn.d.ts +2 -0
- package/dist/src/commands/learn.js +42 -0
- package/dist/src/commands/learn.js.map +1 -0
- package/dist/src/commands/licenses.d.ts +2 -0
- package/dist/src/commands/licenses.js +40 -0
- package/dist/src/commands/licenses.js.map +1 -0
- package/dist/src/commands/mcp.d.ts +2 -0
- package/dist/src/commands/mcp.js +10 -0
- package/dist/src/commands/mcp.js.map +1 -0
- package/dist/src/commands/monorepo.d.ts +2 -0
- package/dist/src/commands/monorepo.js +21 -0
- package/dist/src/commands/monorepo.js.map +1 -0
- package/dist/src/commands/package-health.d.ts +2 -0
- package/dist/src/commands/package-health.js +50 -0
- package/dist/src/commands/package-health.js.map +1 -0
- package/dist/src/commands/pre-commit.d.ts +2 -0
- package/dist/src/commands/pre-commit.js +37 -0
- package/dist/src/commands/pre-commit.js.map +1 -0
- package/dist/src/commands/profile.d.ts +2 -0
- package/dist/src/commands/profile.js +18 -0
- package/dist/src/commands/profile.js.map +1 -0
- package/dist/src/commands/publish.d.ts +2 -0
- package/dist/src/commands/publish.js +25 -0
- package/dist/src/commands/publish.js.map +1 -0
- package/dist/src/commands/reachability.d.ts +2 -0
- package/dist/src/commands/reachability.js +47 -0
- package/dist/src/commands/reachability.js.map +1 -0
- package/dist/src/commands/sbom.d.ts +2 -0
- package/dist/src/commands/sbom.js +33 -0
- package/dist/src/commands/sbom.js.map +1 -0
- package/dist/src/commands/scan.d.ts +2 -0
- package/dist/src/commands/scan.js +48 -0
- package/dist/src/commands/scan.js.map +1 -0
- package/dist/src/commands/score.d.ts +2 -0
- package/dist/src/commands/score.js +24 -0
- package/dist/src/commands/score.js.map +1 -0
- package/dist/src/commands/self-test.d.ts +2 -0
- package/dist/src/commands/self-test.js +63 -0
- package/dist/src/commands/self-test.js.map +1 -0
- package/dist/src/commands/tree.d.ts +2 -0
- package/dist/src/commands/tree.js +21 -0
- package/dist/src/commands/tree.js.map +1 -0
- package/dist/src/commands/upgrade-pr.d.ts +2 -0
- package/dist/src/commands/upgrade-pr.js +15 -0
- package/dist/src/commands/upgrade-pr.js.map +1 -0
- package/dist/src/commands/vault.d.ts +2 -0
- package/dist/src/commands/vault.js +86 -0
- package/dist/src/commands/vault.js.map +1 -0
- package/dist/src/commands/vulnerabilities.d.ts +2 -0
- package/dist/src/commands/vulnerabilities.js +42 -0
- package/dist/src/commands/vulnerabilities.js.map +1 -0
- package/dist/src/commands/watch.d.ts +2 -0
- package/dist/src/commands/watch.js +34 -0
- package/dist/src/commands/watch.js.map +1 -0
- package/dist/src/config/version.d.ts +6 -0
- package/dist/src/config/version.js +29 -0
- package/dist/src/config/version.js.map +1 -0
- package/dist/src/contracts/analyzer.d.ts +23 -0
- package/dist/src/contracts/analyzer.js +2 -0
- package/dist/src/contracts/analyzer.js.map +1 -0
- package/dist/src/contracts/finding.d.ts +35 -0
- package/dist/src/contracts/finding.js +13 -0
- package/dist/src/contracts/finding.js.map +1 -0
- package/dist/src/contracts/report.d.ts +30 -0
- package/dist/src/contracts/report.js +2 -0
- package/dist/src/contracts/report.js.map +1 -0
- package/dist/src/contracts/rule.d.ts +12 -0
- package/dist/src/contracts/rule.js +7 -0
- package/dist/src/contracts/rule.js.map +1 -0
- package/dist/src/core/alternatives.d.ts +8 -0
- package/dist/src/core/alternatives.js +35 -0
- package/dist/src/core/alternatives.js.map +1 -0
- package/dist/src/core/analyze-package.d.ts +2 -0
- package/dist/src/core/analyze-package.js +49 -0
- package/dist/src/core/analyze-package.js.map +1 -0
- package/dist/src/core/announce/generate.d.ts +9 -0
- package/dist/src/core/announce/generate.js +19 -0
- package/dist/src/core/announce/generate.js.map +1 -0
- package/dist/src/core/compare-packages.d.ts +7 -0
- package/dist/src/core/compare-packages.js +19 -0
- package/dist/src/core/compare-packages.js.map +1 -0
- package/dist/src/core/config/load.d.ts +3 -0
- package/dist/src/core/config/load.js +21 -0
- package/dist/src/core/config/load.js.map +1 -0
- package/dist/src/core/config/policy.d.ts +3 -0
- package/dist/src/core/config/policy.js +48 -0
- package/dist/src/core/config/policy.js.map +1 -0
- package/dist/src/core/config/schema.d.ts +172 -0
- package/dist/src/core/config/schema.js +84 -0
- package/dist/src/core/config/schema.js.map +1 -0
- package/dist/src/core/dependencies/inventory.d.ts +9 -0
- package/dist/src/core/dependencies/inventory.js +43 -0
- package/dist/src/core/dependencies/inventory.js.map +1 -0
- package/dist/src/core/dependency-scan.d.ts +17 -0
- package/dist/src/core/dependency-scan.js +70 -0
- package/dist/src/core/dependency-scan.js.map +1 -0
- package/dist/src/core/dependency-tree.d.ts +16 -0
- package/dist/src/core/dependency-tree.js +19 -0
- package/dist/src/core/dependency-tree.js.map +1 -0
- package/dist/src/core/dependency-types.d.ts +17 -0
- package/dist/src/core/dependency-types.js +2 -0
- package/dist/src/core/dependency-types.js.map +1 -0
- package/dist/src/core/diff/security-diff.d.ts +10 -0
- package/dist/src/core/diff/security-diff.js +20 -0
- package/dist/src/core/diff/security-diff.js.map +1 -0
- package/dist/src/core/file-walker.d.ts +6 -0
- package/dist/src/core/file-walker.js +27 -0
- package/dist/src/core/file-walker.js.map +1 -0
- package/dist/src/core/git-audit.d.ts +12 -0
- package/dist/src/core/git-audit.js +111 -0
- package/dist/src/core/git-audit.js.map +1 -0
- package/dist/src/core/github/remote-audit.d.ts +5 -0
- package/dist/src/core/github/remote-audit.js +28 -0
- package/dist/src/core/github/remote-audit.js.map +1 -0
- package/dist/src/core/github/upgrade-pr.d.ts +4 -0
- package/dist/src/core/github/upgrade-pr.js +41 -0
- package/dist/src/core/github/upgrade-pr.js.map +1 -0
- package/dist/src/core/history/git-metadata.d.ts +5 -0
- package/dist/src/core/history/git-metadata.js +37 -0
- package/dist/src/core/history/git-metadata.js.map +1 -0
- package/dist/src/core/history/store.d.ts +5 -0
- package/dist/src/core/history/store.js +65 -0
- package/dist/src/core/history/store.js.map +1 -0
- package/dist/src/core/history/types.d.ts +27 -0
- package/dist/src/core/history/types.js +2 -0
- package/dist/src/core/history/types.js.map +1 -0
- package/dist/src/core/hooks.d.ts +1 -0
- package/dist/src/core/hooks.js +14 -0
- package/dist/src/core/hooks.js.map +1 -0
- package/dist/src/core/learn.d.ts +11 -0
- package/dist/src/core/learn.js +163 -0
- package/dist/src/core/learn.js.map +1 -0
- package/dist/src/core/license-analysis.d.ts +18 -0
- package/dist/src/core/license-analysis.js +98 -0
- package/dist/src/core/license-analysis.js.map +1 -0
- package/dist/src/core/load-toolip-ignore.d.ts +5 -0
- package/dist/src/core/load-toolip-ignore.js +35 -0
- package/dist/src/core/load-toolip-ignore.js.map +1 -0
- package/dist/src/core/monorepo/discover.d.ts +7 -0
- package/dist/src/core/monorepo/discover.js +49 -0
- package/dist/src/core/monorepo/discover.js.map +1 -0
- package/dist/src/core/npm-registry.d.ts +3 -0
- package/dist/src/core/npm-registry.js +5 -0
- package/dist/src/core/npm-registry.js.map +1 -0
- package/dist/src/core/pre-commit.d.ts +11 -0
- package/dist/src/core/pre-commit.js +22 -0
- package/dist/src/core/pre-commit.js.map +1 -0
- package/dist/src/core/profile-project.d.ts +23 -0
- package/dist/src/core/profile-project.js +119 -0
- package/dist/src/core/profile-project.js.map +1 -0
- package/dist/src/core/publish/html.d.ts +6 -0
- package/dist/src/core/publish/html.js +44 -0
- package/dist/src/core/publish/html.js.map +1 -0
- package/dist/src/core/read-dependencies.d.ts +2 -0
- package/dist/src/core/read-dependencies.js +24 -0
- package/dist/src/core/read-dependencies.js.map +1 -0
- package/dist/src/core/report-writer.d.ts +5 -0
- package/dist/src/core/report-writer.js +61 -0
- package/dist/src/core/report-writer.js.map +1 -0
- package/dist/src/core/report.d.ts +34 -0
- package/dist/src/core/report.js +26 -0
- package/dist/src/core/report.js.map +1 -0
- package/dist/src/core/risk-score.d.ts +5 -0
- package/dist/src/core/risk-score.js +14 -0
- package/dist/src/core/risk-score.js.map +1 -0
- package/dist/src/core/sbom/generate.d.ts +2 -0
- package/dist/src/core/sbom/generate.js +120 -0
- package/dist/src/core/sbom/generate.js.map +1 -0
- package/dist/src/core/scanner-context.d.ts +12 -0
- package/dist/src/core/scanner-context.js +27 -0
- package/dist/src/core/scanner-context.js.map +1 -0
- package/dist/src/core/score.d.ts +13 -0
- package/dist/src/core/score.js +44 -0
- package/dist/src/core/score.js.map +1 -0
- package/dist/src/core/security-doctor.d.ts +12 -0
- package/dist/src/core/security-doctor.js +158 -0
- package/dist/src/core/security-doctor.js.map +1 -0
- package/dist/src/core/security-patterns.d.ts +14 -0
- package/dist/src/core/security-patterns.js +139 -0
- package/dist/src/core/security-patterns.js.map +1 -0
- package/dist/src/core/typosquat.d.ts +6 -0
- package/dist/src/core/typosquat.js +50 -0
- package/dist/src/core/typosquat.js.map +1 -0
- package/dist/src/core/vault.d.ts +48 -0
- package/dist/src/core/vault.js +127 -0
- package/dist/src/core/vault.js.map +1 -0
- package/dist/src/core/watch/watch.d.ts +5 -0
- package/dist/src/core/watch/watch.js +49 -0
- package/dist/src/core/watch/watch.js.map +1 -0
- package/dist/src/errors/toolip-error.d.ts +8 -0
- package/dist/src/errors/toolip-error.js +11 -0
- package/dist/src/errors/toolip-error.js.map +1 -0
- package/dist/src/index.d.ts +2 -0
- package/dist/src/index.js +89 -0
- package/dist/src/index.js.map +1 -0
- package/dist/src/mcp/server.d.ts +1 -0
- package/dist/src/mcp/server.js +64 -0
- package/dist/src/mcp/server.js.map +1 -0
- package/dist/src/providers/depsdev/client.d.ts +71 -0
- package/dist/src/providers/depsdev/client.js +44 -0
- package/dist/src/providers/depsdev/client.js.map +1 -0
- package/dist/src/providers/osv/client.d.ts +15 -0
- package/dist/src/providers/osv/client.js +51 -0
- package/dist/src/providers/osv/client.js.map +1 -0
- package/dist/src/providers/osv/types.d.ts +38 -0
- package/dist/src/providers/osv/types.js +2 -0
- package/dist/src/providers/osv/types.js.map +1 -0
- package/dist/src/storage/memory-cache.d.ts +7 -0
- package/dist/src/storage/memory-cache.js +25 -0
- package/dist/src/storage/memory-cache.js.map +1 -0
- package/dist/src/utils/error-handler.d.ts +1 -0
- package/dist/src/utils/error-handler.js +24 -0
- package/dist/src/utils/error-handler.js.map +1 -0
- package/dist/src/utils/output.d.ts +6 -0
- package/dist/src/utils/output.js +72 -0
- package/dist/src/utils/output.js.map +1 -0
- package/dist/src/utils/package-output.d.ts +4 -0
- package/dist/src/utils/package-output.js +40 -0
- package/dist/src/utils/package-output.js.map +1 -0
- package/package.json +13 -8
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"version.js","sourceRoot":"","sources":["../../../src/config/version.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAOzC,SAAS,qBAAqB;IAC5B,IAAI,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC7D,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC;IAExC,OAAO,SAAS,KAAK,IAAI,EAAE,CAAC;QAC1B,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;QAE1D,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CACzB,YAAY,CAAC,YAAY,EAAE,MAAM,CAAC,CAChB,CAAC;YAErB,IACE,QAAQ,CAAC,IAAI,KAAK,QAAQ;gBAC1B,OAAO,QAAQ,CAAC,OAAO,KAAK,QAAQ,EACpC,CAAC;gBACD,OAAO,QAAQ,CAAC,OAAO,CAAC;YAC1B,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,yCAAyC;QAC3C,CAAC;QAED,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IACtC,CAAC;IAED,MAAM,IAAI,KAAK,CACb,qDAAqD,CACtD,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,MAAM,cAAc,GAAG,qBAAqB,EAAE,CAAC;AAEtD,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,IAAI,EAAE,qBAAqB;IAC3B,MAAM,EAAE,QAAQ;IAChB,MAAM,EAAE,2BAA2B;CACpC,CAAC"}
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
import type { Finding } from './finding.js';
|
|
2
|
+
export type AnalyzerContext = {
|
|
3
|
+
root: string;
|
|
4
|
+
signal?: AbortSignal;
|
|
5
|
+
cache?: AnalyzerCache;
|
|
6
|
+
options?: Record<string, unknown>;
|
|
7
|
+
};
|
|
8
|
+
export type AnalyzerCache = {
|
|
9
|
+
get<T>(key: string): Promise<T | undefined>;
|
|
10
|
+
set<T>(key: string, value: T, ttlMs?: number): Promise<void>;
|
|
11
|
+
};
|
|
12
|
+
export type AnalyzerResult = {
|
|
13
|
+
analyzer: string;
|
|
14
|
+
durationMs: number;
|
|
15
|
+
findings: Finding[];
|
|
16
|
+
warnings?: string[];
|
|
17
|
+
metadata?: Record<string, unknown>;
|
|
18
|
+
};
|
|
19
|
+
export interface Analyzer {
|
|
20
|
+
readonly id: string;
|
|
21
|
+
readonly version: string;
|
|
22
|
+
analyze(context: AnalyzerContext): Promise<AnalyzerResult>;
|
|
23
|
+
}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"analyzer.js","sourceRoot":"","sources":["../../../src/contracts/analyzer.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
export declare const findingSeverities: readonly ["critical", "high", "medium", "low", "info"];
|
|
2
|
+
export type FindingSeverity = (typeof findingSeverities)[number];
|
|
3
|
+
export declare const findingConfidences: readonly ["high", "medium", "low"];
|
|
4
|
+
export type FindingConfidence = (typeof findingConfidences)[number];
|
|
5
|
+
export type FindingLocation = {
|
|
6
|
+
file: string;
|
|
7
|
+
line?: number;
|
|
8
|
+
column?: number;
|
|
9
|
+
endLine?: number;
|
|
10
|
+
endColumn?: number;
|
|
11
|
+
};
|
|
12
|
+
export type FindingEvidence = {
|
|
13
|
+
summary: string;
|
|
14
|
+
excerpt?: string;
|
|
15
|
+
fingerprint?: string;
|
|
16
|
+
};
|
|
17
|
+
export type FindingRemediation = {
|
|
18
|
+
summary: string;
|
|
19
|
+
fixedVersion?: string;
|
|
20
|
+
references?: string[];
|
|
21
|
+
};
|
|
22
|
+
export type Finding = {
|
|
23
|
+
id: string;
|
|
24
|
+
ruleId: string;
|
|
25
|
+
title: string;
|
|
26
|
+
category: string;
|
|
27
|
+
severity: FindingSeverity;
|
|
28
|
+
confidence: FindingConfidence;
|
|
29
|
+
message: string;
|
|
30
|
+
source: string;
|
|
31
|
+
location?: FindingLocation;
|
|
32
|
+
evidence?: FindingEvidence[];
|
|
33
|
+
remediation?: FindingRemediation;
|
|
34
|
+
metadata?: Record<string, unknown>;
|
|
35
|
+
};
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"finding.js","sourceRoot":"","sources":["../../../src/contracts/finding.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,UAAU;IACV,MAAM;IACN,QAAQ;IACR,KAAK;IACL,MAAM;CACE,CAAC;AAIX,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,MAAM;IACN,QAAQ;IACR,KAAK;CACG,CAAC"}
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
import type { Finding } from './finding.js';
|
|
2
|
+
export declare const TOOLIP_REPORT_SCHEMA_VERSION = "2.0";
|
|
3
|
+
export type ReportSummary = {
|
|
4
|
+
critical: number;
|
|
5
|
+
high: number;
|
|
6
|
+
medium: number;
|
|
7
|
+
low: number;
|
|
8
|
+
info: number;
|
|
9
|
+
total: number;
|
|
10
|
+
};
|
|
11
|
+
export type ToolipReportV2 = {
|
|
12
|
+
schemaVersion: typeof TOOLIP_REPORT_SCHEMA_VERSION;
|
|
13
|
+
generatedAt: string;
|
|
14
|
+
toolipVersion: string;
|
|
15
|
+
project: {
|
|
16
|
+
root: string;
|
|
17
|
+
name?: string;
|
|
18
|
+
packageManager?: string;
|
|
19
|
+
};
|
|
20
|
+
summary: ReportSummary;
|
|
21
|
+
findings: Finding[];
|
|
22
|
+
analyzers: Array<{
|
|
23
|
+
id: string;
|
|
24
|
+
version: string;
|
|
25
|
+
durationMs: number;
|
|
26
|
+
findingCount: number;
|
|
27
|
+
warnings?: string[];
|
|
28
|
+
}>;
|
|
29
|
+
metadata?: Record<string, unknown>;
|
|
30
|
+
};
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"report.js","sourceRoot":"","sources":["../../../src/contracts/report.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,4BAA4B,GAAG,KAAK,CAAC"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import type { FindingConfidence, FindingSeverity } from './finding.js';
|
|
2
|
+
export type RuleDefinition = {
|
|
3
|
+
id: string;
|
|
4
|
+
title: string;
|
|
5
|
+
category: string;
|
|
6
|
+
defaultSeverity: FindingSeverity;
|
|
7
|
+
defaultConfidence: FindingConfidence;
|
|
8
|
+
description: string;
|
|
9
|
+
remediation: string;
|
|
10
|
+
references?: string[];
|
|
11
|
+
};
|
|
12
|
+
export declare function assertValidRuleId(ruleId: string): void;
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"rule.js","sourceRoot":"","sources":["../../../src/contracts/rule.ts"],"names":[],"mappings":"AAgBA,MAAM,eAAe,GAAG,oBAAoB,CAAC;AAE7C,MAAM,UAAU,iBAAiB,CAAC,MAAc;IAC9C,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CACb,2BAA2B,MAAM,uCAAuC,CACzE,CAAC;IACJ,CAAC;AACH,CAAC"}
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
const alternativeMap = {
|
|
2
|
+
request: [
|
|
3
|
+
{ name: 'got', reason: 'Modern HTTP client with active maintenance and strong Node.js support.' },
|
|
4
|
+
{ name: 'undici', reason: 'Fast official Node.js HTTP client maintained under the Node.js project.' },
|
|
5
|
+
{ name: 'axios', reason: 'Popular promise-based HTTP client with broad ecosystem adoption.' }
|
|
6
|
+
],
|
|
7
|
+
'node-fetch': [
|
|
8
|
+
{ name: 'undici', reason: 'Native fetch-compatible HTTP client for modern Node.js.' },
|
|
9
|
+
{ name: 'ky', reason: 'Small fetch-based client for browser and modern JavaScript workflows.' }
|
|
10
|
+
],
|
|
11
|
+
moment: [
|
|
12
|
+
{ name: 'dayjs', reason: 'Small Moment-compatible API with lower bundle size.' },
|
|
13
|
+
{ name: 'date-fns', reason: 'Modular date utilities with tree-shaking support.' },
|
|
14
|
+
{ name: 'luxon', reason: 'Modern date-time library from the Moment maintainers.' }
|
|
15
|
+
],
|
|
16
|
+
lodash: [
|
|
17
|
+
{ name: 'lodash-es', reason: 'ES module build with better tree-shaking.' },
|
|
18
|
+
{ name: 'radash', reason: 'Modern utility library with TypeScript-friendly APIs.' }
|
|
19
|
+
],
|
|
20
|
+
uuid: [
|
|
21
|
+
{ name: 'crypto.randomUUID', reason: 'Built into modern Node.js and avoids an extra dependency where suitable.' }
|
|
22
|
+
]
|
|
23
|
+
};
|
|
24
|
+
export function findAlternatives(packageName) {
|
|
25
|
+
return {
|
|
26
|
+
package: packageName,
|
|
27
|
+
alternatives: alternativeMap[packageName] ?? [
|
|
28
|
+
{
|
|
29
|
+
name: 'No curated alternative yet',
|
|
30
|
+
reason: 'Toolip does not have a curated replacement for this package yet. Inspect maintenance, license, downloads, and dependency count manually.'
|
|
31
|
+
}
|
|
32
|
+
]
|
|
33
|
+
};
|
|
34
|
+
}
|
|
35
|
+
//# sourceMappingURL=alternatives.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"alternatives.js","sourceRoot":"","sources":["../../../src/core/alternatives.ts"],"names":[],"mappings":"AAQA,MAAM,cAAc,GAAuD;IACzE,OAAO,EAAE;QACP,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,wEAAwE,EAAE;QACjG,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,yEAAyE,EAAE;QACrG,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,kEAAkE,EAAE;KAC9F;IACD,YAAY,EAAE;QACZ,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,yDAAyD,EAAE;QACrF,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,uEAAuE,EAAE;KAChG;IACD,MAAM,EAAE;QACN,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,qDAAqD,EAAE;QAChF,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,mDAAmD,EAAE;QACjF,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,uDAAuD,EAAE;KACnF;IACD,MAAM,EAAE;QACN,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,2CAA2C,EAAE;QAC1E,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,uDAAuD,EAAE;KACpF;IACD,IAAI,EAAE;QACJ,EAAE,IAAI,EAAE,mBAAmB,EAAE,MAAM,EAAE,0EAA0E,EAAE;KAClH;CACF,CAAC;AAEF,MAAM,UAAU,gBAAgB,CAAC,WAAmB;IAClD,OAAO;QACL,OAAO,EAAE,WAAW;QACpB,YAAY,EAAE,cAAc,CAAC,WAAW,CAAC,IAAI;YAC3C;gBACE,IAAI,EAAE,4BAA4B;gBAClC,MAAM,EAAE,0IAA0I;aACnJ;SACF;KACF,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,49 @@
|
|
|
1
|
+
import semver from 'semver';
|
|
2
|
+
import { fetchPackageManifest } from './npm-registry.js';
|
|
3
|
+
import { calculateRiskScore } from './risk-score.js';
|
|
4
|
+
function cleanInstalledVersion(version) {
|
|
5
|
+
if (version === 'latest')
|
|
6
|
+
return null;
|
|
7
|
+
return semver.coerce(version)?.version ?? null;
|
|
8
|
+
}
|
|
9
|
+
function isOutdated(installedVersion, latestVersion) {
|
|
10
|
+
const cleanedInstalledVersion = cleanInstalledVersion(installedVersion);
|
|
11
|
+
if (!cleanedInstalledVersion || !latestVersion) {
|
|
12
|
+
return false;
|
|
13
|
+
}
|
|
14
|
+
const cleanedLatestVersion = semver.coerce(latestVersion)?.version;
|
|
15
|
+
if (!cleanedLatestVersion) {
|
|
16
|
+
return false;
|
|
17
|
+
}
|
|
18
|
+
return semver.lt(cleanedInstalledVersion, cleanedLatestVersion);
|
|
19
|
+
}
|
|
20
|
+
export async function analyzePackage(dependency) {
|
|
21
|
+
const manifest = await fetchPackageManifest(dependency.name);
|
|
22
|
+
const latestVersion = typeof manifest.version === 'string' ? manifest.version : null;
|
|
23
|
+
const publishedDate = manifest.time && latestVersion ? manifest.time[latestVersion] ?? null : null;
|
|
24
|
+
const ageInDays = publishedDate
|
|
25
|
+
? Math.floor((Date.now() - new Date(publishedDate).getTime()) /
|
|
26
|
+
(1000 * 60 * 60 * 24))
|
|
27
|
+
: null;
|
|
28
|
+
const maintainers = Array.isArray(manifest.maintainers)
|
|
29
|
+
? manifest.maintainers.length
|
|
30
|
+
: 0;
|
|
31
|
+
const deprecated = Boolean(manifest.deprecated);
|
|
32
|
+
return {
|
|
33
|
+
name: dependency.name,
|
|
34
|
+
installedVersion: dependency.version,
|
|
35
|
+
latestVersion,
|
|
36
|
+
outdated: isOutdated(dependency.version, latestVersion),
|
|
37
|
+
deprecated,
|
|
38
|
+
maintainers,
|
|
39
|
+
publishedAt: publishedDate,
|
|
40
|
+
ageInDays,
|
|
41
|
+
downloads: null,
|
|
42
|
+
riskScore: calculateRiskScore({
|
|
43
|
+
deprecated,
|
|
44
|
+
maintainers,
|
|
45
|
+
ageInDays
|
|
46
|
+
})
|
|
47
|
+
};
|
|
48
|
+
}
|
|
49
|
+
//# sourceMappingURL=analyze-package.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"analyze-package.js","sourceRoot":"","sources":["../../../src/core/analyze-package.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AACzD,OAAO,EAAE,kBAAkB,EAAE,MAAM,iBAAiB,CAAC;AAGrD,SAAS,qBAAqB,CAAC,OAAe;IAC5C,IAAI,OAAO,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACtC,OAAO,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,OAAO,IAAI,IAAI,CAAC;AACjD,CAAC;AAED,SAAS,UAAU,CAAC,gBAAwB,EAAE,aAA4B;IACxE,MAAM,uBAAuB,GAAG,qBAAqB,CAAC,gBAAgB,CAAC,CAAC;IAExE,IAAI,CAAC,uBAAuB,IAAI,CAAC,aAAa,EAAE,CAAC;QAC/C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,oBAAoB,GAAG,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,OAAO,CAAC;IAEnE,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,MAAM,CAAC,EAAE,CAAC,uBAAuB,EAAE,oBAAoB,CAAC,CAAC;AAClE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,UAA0B;IAE1B,MAAM,QAAQ,GAAG,MAAM,oBAAoB,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;IAC7D,MAAM,aAAa,GAAG,OAAO,QAAQ,CAAC,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;IAErF,MAAM,aAAa,GACjB,QAAQ,CAAC,IAAI,IAAI,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;IAE/E,MAAM,SAAS,GAAG,aAAa;QAC7B,CAAC,CAAC,IAAI,CAAC,KAAK,CACR,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE,CAAC;YAC9C,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CACxB;QACH,CAAC,CAAC,IAAI,CAAC;IAET,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;QACrD,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,MAAM;QAC7B,CAAC,CAAC,CAAC,CAAC;IAEN,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAEhD,OAAO;QACL,IAAI,EAAE,UAAU,CAAC,IAAI;QACrB,gBAAgB,EAAE,UAAU,CAAC,OAAO;QACpC,aAAa;QACb,QAAQ,EAAE,UAAU,CAAC,UAAU,CAAC,OAAO,EAAE,aAAa,CAAC;QACvD,UAAU;QACV,WAAW;QACX,WAAW,EAAE,aAAa;QAC1B,SAAS;QACT,SAAS,EAAE,IAAI;QACf,SAAS,EAAE,kBAAkB,CAAC;YAC5B,UAAU;YACV,WAAW;YACX,SAAS;SACV,CAAC;KACH,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
export function generateAnnouncement(input) {
|
|
2
|
+
const title = input.version
|
|
3
|
+
? `Toolip ${input.version} security update`
|
|
4
|
+
: 'Toolip security update';
|
|
5
|
+
const lines = [
|
|
6
|
+
title,
|
|
7
|
+
'',
|
|
8
|
+
`Fixed findings: ${input.fixed}`,
|
|
9
|
+
`New findings: ${input.added}`,
|
|
10
|
+
`Removed findings: ${input.removed}`
|
|
11
|
+
];
|
|
12
|
+
if (input.scoreBefore !== undefined &&
|
|
13
|
+
input.scoreAfter !== undefined) {
|
|
14
|
+
lines.push(`Security score: ${input.scoreBefore} → ${input.scoreAfter}`);
|
|
15
|
+
}
|
|
16
|
+
lines.push('', 'This summary was generated locally from structured Toolip scan differences.');
|
|
17
|
+
return lines.join('\n');
|
|
18
|
+
}
|
|
19
|
+
//# sourceMappingURL=generate.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"generate.js","sourceRoot":"","sources":["../../../../src/core/announce/generate.ts"],"names":[],"mappings":"AASA,MAAM,UAAU,oBAAoB,CAAC,KAAwB;IAC3D,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO;QACzB,CAAC,CAAC,UAAU,KAAK,CAAC,OAAO,kBAAkB;QAC3C,CAAC,CAAC,wBAAwB,CAAC;IAE7B,MAAM,KAAK,GAAG;QACZ,KAAK;QACL,EAAE;QACF,mBAAmB,KAAK,CAAC,KAAK,EAAE;QAChC,iBAAiB,KAAK,CAAC,KAAK,EAAE;QAC9B,qBAAqB,KAAK,CAAC,OAAO,EAAE;KACrC,CAAC;IAEF,IACE,KAAK,CAAC,WAAW,KAAK,SAAS;QAC/B,KAAK,CAAC,UAAU,KAAK,SAAS,EAC9B,CAAC;QACD,KAAK,CAAC,IAAI,CACR,mBAAmB,KAAK,CAAC,WAAW,MAAM,KAAK,CAAC,UAAU,EAAE,CAC7D,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CACR,EAAE,EACF,6EAA6E,CAC9E,CAAC;IAEF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}
|
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
import type { PackageHealth } from './dependency-types.js';
|
|
2
|
+
export type PackageComparison = {
|
|
3
|
+
packages: PackageHealth[];
|
|
4
|
+
safest: PackageHealth | null;
|
|
5
|
+
riskiest: PackageHealth | null;
|
|
6
|
+
};
|
|
7
|
+
export declare function comparePackages(packageNames: string[]): Promise<PackageComparison>;
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
import { analyzePackage } from './analyze-package.js';
|
|
2
|
+
function asDependency(packageName) {
|
|
3
|
+
return {
|
|
4
|
+
name: packageName,
|
|
5
|
+
version: 'latest',
|
|
6
|
+
type: 'dependency'
|
|
7
|
+
};
|
|
8
|
+
}
|
|
9
|
+
export async function comparePackages(packageNames) {
|
|
10
|
+
const uniqueNames = [...new Set(packageNames.map((name) => name.trim()).filter(Boolean))];
|
|
11
|
+
const packages = await Promise.all(uniqueNames.map((packageName) => analyzePackage(asDependency(packageName))));
|
|
12
|
+
const sortedByRisk = [...packages].sort((a, b) => a.riskScore - b.riskScore);
|
|
13
|
+
return {
|
|
14
|
+
packages,
|
|
15
|
+
safest: sortedByRisk[0] ?? null,
|
|
16
|
+
riskiest: sortedByRisk.at(-1) ?? null
|
|
17
|
+
};
|
|
18
|
+
}
|
|
19
|
+
//# sourceMappingURL=compare-packages.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"compare-packages.js","sourceRoot":"","sources":["../../../src/core/compare-packages.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAStD,SAAS,YAAY,CAAC,WAAmB;IACvC,OAAO;QACL,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,QAAQ;QACjB,IAAI,EAAE,YAAY;KACnB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,YAAsB;IAC1D,MAAM,WAAW,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IAE1F,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,GAAG,CAChC,WAAW,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,cAAc,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC,CAAC,CAC5E,CAAC;IAEF,MAAM,YAAY,GAAG,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC;IAE7E,OAAO;QACL,QAAQ;QACR,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC,IAAI,IAAI;QAC/B,QAAQ,EAAE,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI;KACtC,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
import { readFile } from 'node:fs/promises';
|
|
2
|
+
import path from 'node:path';
|
|
3
|
+
import { toolipConfigSchema } from './schema.js';
|
|
4
|
+
export const TOOLIP_CONFIG_FILE = 'toolip.config.json';
|
|
5
|
+
export async function loadToolipConfig(root) {
|
|
6
|
+
const filePath = path.join(root, TOOLIP_CONFIG_FILE);
|
|
7
|
+
try {
|
|
8
|
+
const raw = await readFile(filePath, 'utf8');
|
|
9
|
+
const parsed = JSON.parse(raw);
|
|
10
|
+
return toolipConfigSchema.parse(parsed);
|
|
11
|
+
}
|
|
12
|
+
catch (error) {
|
|
13
|
+
if (error instanceof Error &&
|
|
14
|
+
'code' in error &&
|
|
15
|
+
error.code === 'ENOENT') {
|
|
16
|
+
return toolipConfigSchema.parse({});
|
|
17
|
+
}
|
|
18
|
+
throw error;
|
|
19
|
+
}
|
|
20
|
+
}
|
|
21
|
+
//# sourceMappingURL=load.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"load.js","sourceRoot":"","sources":["../../../../src/core/config/load.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EACL,kBAAkB,EAEnB,MAAM,aAAa,CAAC;AAErB,MAAM,CAAC,MAAM,kBAAkB,GAC7B,oBAAoB,CAAC;AAEvB,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,IAAY;IAEZ,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CACxB,IAAI,EACJ,kBAAkB,CACnB,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAY,CAAC;QAE1C,OAAO,kBAAkB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IACE,KAAK,YAAY,KAAK;YACtB,MAAM,IAAI,KAAK;YACf,KAAK,CAAC,IAAI,KAAK,QAAQ,EACvB,CAAC;YACD,OAAO,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACtC,CAAC;QAED,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC"}
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
function wildcardMatch(value, pattern) {
|
|
2
|
+
const escaped = pattern
|
|
3
|
+
.replaceAll(/[.+^${}()|[\]\\]/g, '\\$&')
|
|
4
|
+
.replaceAll('**', '___DOUBLE_STAR___')
|
|
5
|
+
.replaceAll('*', '[^/]*')
|
|
6
|
+
.replaceAll('___DOUBLE_STAR___', '.*');
|
|
7
|
+
return new RegExp(`^${escaped}$`).test(value);
|
|
8
|
+
}
|
|
9
|
+
function suppressionActive(expiresAt) {
|
|
10
|
+
return (expiresAt === undefined ||
|
|
11
|
+
new Date(expiresAt).getTime() > Date.now());
|
|
12
|
+
}
|
|
13
|
+
export function applyFindingPolicy(findings, config) {
|
|
14
|
+
const output = [];
|
|
15
|
+
for (const finding of findings) {
|
|
16
|
+
const rule = config.rules[finding.ruleId];
|
|
17
|
+
const file = finding.location?.file ?? '';
|
|
18
|
+
if (rule?.enabled === false) {
|
|
19
|
+
continue;
|
|
20
|
+
}
|
|
21
|
+
let severity = rule?.severity ?? finding.severity;
|
|
22
|
+
for (const pathRule of rule?.paths ?? []) {
|
|
23
|
+
if (file &&
|
|
24
|
+
wildcardMatch(file, pathRule.pattern)) {
|
|
25
|
+
if (pathRule.enabled === false) {
|
|
26
|
+
severity = finding.severity;
|
|
27
|
+
break;
|
|
28
|
+
}
|
|
29
|
+
severity =
|
|
30
|
+
pathRule.severity ?? severity;
|
|
31
|
+
}
|
|
32
|
+
}
|
|
33
|
+
const suppressed = config.suppressions.some((suppression) => suppression.ruleId === finding.ruleId &&
|
|
34
|
+
suppressionActive(suppression.expiresAt) &&
|
|
35
|
+
(suppression.path === undefined ||
|
|
36
|
+
(file &&
|
|
37
|
+
wildcardMatch(file, suppression.path))));
|
|
38
|
+
if (suppressed) {
|
|
39
|
+
continue;
|
|
40
|
+
}
|
|
41
|
+
output.push({
|
|
42
|
+
...finding,
|
|
43
|
+
severity
|
|
44
|
+
});
|
|
45
|
+
}
|
|
46
|
+
return output;
|
|
47
|
+
}
|
|
48
|
+
//# sourceMappingURL=policy.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../../src/core/config/policy.ts"],"names":[],"mappings":"AAGA,SAAS,aAAa,CACpB,KAAa,EACb,OAAe;IAEf,MAAM,OAAO,GAAG,OAAO;SACpB,UAAU,CAAC,mBAAmB,EAAE,MAAM,CAAC;SACvC,UAAU,CAAC,IAAI,EAAE,mBAAmB,CAAC;SACrC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC;SACxB,UAAU,CAAC,mBAAmB,EAAE,IAAI,CAAC,CAAC;IAEzC,OAAO,IAAI,MAAM,CAAC,IAAI,OAAO,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAChD,CAAC;AAED,SAAS,iBAAiB,CACxB,SAAkB;IAElB,OAAO,CACL,SAAS,KAAK,SAAS;QACvB,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAC3C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,QAAmB,EACnB,MAAoB;IAEpB,MAAM,MAAM,GAAc,EAAE,CAAC;IAE7B,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC;QAE1C,IAAI,IAAI,EAAE,OAAO,KAAK,KAAK,EAAE,CAAC;YAC5B,SAAS;QACX,CAAC;QAED,IAAI,QAAQ,GACV,IAAI,EAAE,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;QAErC,KAAK,MAAM,QAAQ,IAAI,IAAI,EAAE,KAAK,IAAI,EAAE,EAAE,CAAC;YACzC,IACE,IAAI;gBACJ,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC,OAAO,CAAC,EACrC,CAAC;gBACD,IAAI,QAAQ,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;oBAC/B,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;oBAC5B,MAAM;gBACR,CAAC;gBAED,QAAQ;oBACN,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC;YAClC,CAAC;QACH,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,CAAC,YAAY,CAAC,IAAI,CACzC,CAAC,WAAW,EAAE,EAAE,CACd,WAAW,CAAC,MAAM,KAAK,OAAO,CAAC,MAAM;YACrC,iBAAiB,CACf,WAAW,CAAC,SAAS,CACtB;YACD,CACE,WAAW,CAAC,IAAI,KAAK,SAAS;gBAC9B,CACE,IAAI;oBACJ,aAAa,CACX,IAAI,EACJ,WAAW,CAAC,IAAI,CACjB,CACF,CACF,CACJ,CAAC;QAEF,IAAI,UAAU,EAAE,CAAC;YACf,SAAS;QACX,CAAC;QAED,MAAM,CAAC,IAAI,CAAC;YACV,GAAG,OAAO;YACV,QAAQ;SACT,CAAC,CAAC;IACL,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}
|
|
@@ -0,0 +1,172 @@
|
|
|
1
|
+
import { z } from 'zod';
|
|
2
|
+
export declare const toolipConfigSchema: z.ZodObject<{
|
|
3
|
+
schemaVersion: z.ZodDefault<z.ZodLiteral<"1.0">>;
|
|
4
|
+
include: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
|
|
5
|
+
exclude: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
|
|
6
|
+
rules: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
7
|
+
enabled: z.ZodOptional<z.ZodBoolean>;
|
|
8
|
+
severity: z.ZodOptional<z.ZodEnum<["critical", "high", "medium", "low", "info"]>>;
|
|
9
|
+
paths: z.ZodOptional<z.ZodArray<z.ZodObject<{
|
|
10
|
+
pattern: z.ZodString;
|
|
11
|
+
severity: z.ZodOptional<z.ZodEnum<["critical", "high", "medium", "low", "info"]>>;
|
|
12
|
+
enabled: z.ZodOptional<z.ZodBoolean>;
|
|
13
|
+
}, "strip", z.ZodTypeAny, {
|
|
14
|
+
pattern: string;
|
|
15
|
+
severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
|
|
16
|
+
enabled?: boolean | undefined;
|
|
17
|
+
}, {
|
|
18
|
+
pattern: string;
|
|
19
|
+
severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
|
|
20
|
+
enabled?: boolean | undefined;
|
|
21
|
+
}>, "many">>;
|
|
22
|
+
}, "strip", z.ZodTypeAny, {
|
|
23
|
+
severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
|
|
24
|
+
enabled?: boolean | undefined;
|
|
25
|
+
paths?: {
|
|
26
|
+
pattern: string;
|
|
27
|
+
severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
|
|
28
|
+
enabled?: boolean | undefined;
|
|
29
|
+
}[] | undefined;
|
|
30
|
+
}, {
|
|
31
|
+
severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
|
|
32
|
+
enabled?: boolean | undefined;
|
|
33
|
+
paths?: {
|
|
34
|
+
pattern: string;
|
|
35
|
+
severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
|
|
36
|
+
enabled?: boolean | undefined;
|
|
37
|
+
}[] | undefined;
|
|
38
|
+
}>>>;
|
|
39
|
+
suppressions: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
40
|
+
ruleId: z.ZodString;
|
|
41
|
+
path: z.ZodOptional<z.ZodString>;
|
|
42
|
+
reason: z.ZodString;
|
|
43
|
+
expiresAt: z.ZodOptional<z.ZodString>;
|
|
44
|
+
}, "strip", z.ZodTypeAny, {
|
|
45
|
+
ruleId: string;
|
|
46
|
+
reason: string;
|
|
47
|
+
expiresAt?: string | undefined;
|
|
48
|
+
path?: string | undefined;
|
|
49
|
+
}, {
|
|
50
|
+
ruleId: string;
|
|
51
|
+
reason: string;
|
|
52
|
+
expiresAt?: string | undefined;
|
|
53
|
+
path?: string | undefined;
|
|
54
|
+
}>, "many">>;
|
|
55
|
+
history: z.ZodDefault<z.ZodObject<{
|
|
56
|
+
enabled: z.ZodDefault<z.ZodBoolean>;
|
|
57
|
+
maxEntries: z.ZodDefault<z.ZodNumber>;
|
|
58
|
+
}, "strip", z.ZodTypeAny, {
|
|
59
|
+
enabled: boolean;
|
|
60
|
+
maxEntries: number;
|
|
61
|
+
}, {
|
|
62
|
+
enabled?: boolean | undefined;
|
|
63
|
+
maxEntries?: number | undefined;
|
|
64
|
+
}>>;
|
|
65
|
+
providers: z.ZodDefault<z.ZodObject<{
|
|
66
|
+
osv: z.ZodDefault<z.ZodObject<{
|
|
67
|
+
enabled: z.ZodDefault<z.ZodBoolean>;
|
|
68
|
+
timeoutMs: z.ZodDefault<z.ZodNumber>;
|
|
69
|
+
}, "strip", z.ZodTypeAny, {
|
|
70
|
+
timeoutMs: number;
|
|
71
|
+
enabled: boolean;
|
|
72
|
+
}, {
|
|
73
|
+
timeoutMs?: number | undefined;
|
|
74
|
+
enabled?: boolean | undefined;
|
|
75
|
+
}>>;
|
|
76
|
+
depsDev: z.ZodDefault<z.ZodObject<{
|
|
77
|
+
enabled: z.ZodDefault<z.ZodBoolean>;
|
|
78
|
+
timeoutMs: z.ZodDefault<z.ZodNumber>;
|
|
79
|
+
}, "strip", z.ZodTypeAny, {
|
|
80
|
+
timeoutMs: number;
|
|
81
|
+
enabled: boolean;
|
|
82
|
+
}, {
|
|
83
|
+
timeoutMs?: number | undefined;
|
|
84
|
+
enabled?: boolean | undefined;
|
|
85
|
+
}>>;
|
|
86
|
+
}, "strip", z.ZodTypeAny, {
|
|
87
|
+
osv: {
|
|
88
|
+
timeoutMs: number;
|
|
89
|
+
enabled: boolean;
|
|
90
|
+
};
|
|
91
|
+
depsDev: {
|
|
92
|
+
timeoutMs: number;
|
|
93
|
+
enabled: boolean;
|
|
94
|
+
};
|
|
95
|
+
}, {
|
|
96
|
+
osv?: {
|
|
97
|
+
timeoutMs?: number | undefined;
|
|
98
|
+
enabled?: boolean | undefined;
|
|
99
|
+
} | undefined;
|
|
100
|
+
depsDev?: {
|
|
101
|
+
timeoutMs?: number | undefined;
|
|
102
|
+
enabled?: boolean | undefined;
|
|
103
|
+
} | undefined;
|
|
104
|
+
}>>;
|
|
105
|
+
}, "strip", z.ZodTypeAny, {
|
|
106
|
+
schemaVersion: "1.0";
|
|
107
|
+
history: {
|
|
108
|
+
enabled: boolean;
|
|
109
|
+
maxEntries: number;
|
|
110
|
+
};
|
|
111
|
+
include: string[];
|
|
112
|
+
exclude: string[];
|
|
113
|
+
rules: Record<string, {
|
|
114
|
+
severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
|
|
115
|
+
enabled?: boolean | undefined;
|
|
116
|
+
paths?: {
|
|
117
|
+
pattern: string;
|
|
118
|
+
severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
|
|
119
|
+
enabled?: boolean | undefined;
|
|
120
|
+
}[] | undefined;
|
|
121
|
+
}>;
|
|
122
|
+
suppressions: {
|
|
123
|
+
ruleId: string;
|
|
124
|
+
reason: string;
|
|
125
|
+
expiresAt?: string | undefined;
|
|
126
|
+
path?: string | undefined;
|
|
127
|
+
}[];
|
|
128
|
+
providers: {
|
|
129
|
+
osv: {
|
|
130
|
+
timeoutMs: number;
|
|
131
|
+
enabled: boolean;
|
|
132
|
+
};
|
|
133
|
+
depsDev: {
|
|
134
|
+
timeoutMs: number;
|
|
135
|
+
enabled: boolean;
|
|
136
|
+
};
|
|
137
|
+
};
|
|
138
|
+
}, {
|
|
139
|
+
schemaVersion?: "1.0" | undefined;
|
|
140
|
+
history?: {
|
|
141
|
+
enabled?: boolean | undefined;
|
|
142
|
+
maxEntries?: number | undefined;
|
|
143
|
+
} | undefined;
|
|
144
|
+
include?: string[] | undefined;
|
|
145
|
+
exclude?: string[] | undefined;
|
|
146
|
+
rules?: Record<string, {
|
|
147
|
+
severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
|
|
148
|
+
enabled?: boolean | undefined;
|
|
149
|
+
paths?: {
|
|
150
|
+
pattern: string;
|
|
151
|
+
severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
|
|
152
|
+
enabled?: boolean | undefined;
|
|
153
|
+
}[] | undefined;
|
|
154
|
+
}> | undefined;
|
|
155
|
+
suppressions?: {
|
|
156
|
+
ruleId: string;
|
|
157
|
+
reason: string;
|
|
158
|
+
expiresAt?: string | undefined;
|
|
159
|
+
path?: string | undefined;
|
|
160
|
+
}[] | undefined;
|
|
161
|
+
providers?: {
|
|
162
|
+
osv?: {
|
|
163
|
+
timeoutMs?: number | undefined;
|
|
164
|
+
enabled?: boolean | undefined;
|
|
165
|
+
} | undefined;
|
|
166
|
+
depsDev?: {
|
|
167
|
+
timeoutMs?: number | undefined;
|
|
168
|
+
enabled?: boolean | undefined;
|
|
169
|
+
} | undefined;
|
|
170
|
+
} | undefined;
|
|
171
|
+
}>;
|
|
172
|
+
export type ToolipConfig = z.infer<typeof toolipConfigSchema>;
|