toolip 1.0.7 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +189 -448
- package/dist/src/analyzers/ast/ast-security-analyzer.d.ts +6 -0
- package/dist/src/analyzers/ast/ast-security-analyzer.js +64 -0
- package/dist/src/analyzers/ast/ast-security-analyzer.js.map +1 -0
- package/dist/src/analyzers/ast/rules.d.ts +48 -0
- package/dist/src/analyzers/ast/rules.js +39 -0
- package/dist/src/analyzers/ast/rules.js.map +1 -0
- package/dist/src/analyzers/ast/source-analysis.d.ts +2 -0
- package/dist/src/analyzers/ast/source-analysis.js +225 -0
- package/dist/src/analyzers/ast/source-analysis.js.map +1 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.d.ts +9 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.js +98 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.js.map +1 -0
- package/dist/src/analyzers/docker/analyzer.d.ts +6 -0
- package/dist/src/analyzers/docker/analyzer.js +103 -0
- package/dist/src/analyzers/docker/analyzer.js.map +1 -0
- package/dist/src/analyzers/git-history/analyzer.d.ts +8 -0
- package/dist/src/analyzers/git-history/analyzer.js +157 -0
- package/dist/src/analyzers/git-history/analyzer.js.map +1 -0
- package/dist/src/analyzers/git-history/secret-patterns.d.ts +7 -0
- package/dist/src/analyzers/git-history/secret-patterns.js +33 -0
- package/dist/src/analyzers/git-history/secret-patterns.js.map +1 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.d.ts +6 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.js +135 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.js.map +1 -0
- package/dist/src/analyzers/reachability/import-graph.d.ts +9 -0
- package/dist/src/analyzers/reachability/import-graph.js +110 -0
- package/dist/src/analyzers/reachability/import-graph.js.map +1 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.d.ts +16 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.js +95 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.js.map +1 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.d.ts +9 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.js +94 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.js.map +1 -0
- package/dist/src/analyzers/vulnerability/severity.d.ts +3 -0
- package/dist/src/analyzers/vulnerability/severity.js +13 -0
- package/dist/src/analyzers/vulnerability/severity.js.map +1 -0
- package/dist/src/application/analyzer-runner.d.ts +12 -0
- package/dist/src/application/analyzer-runner.js +45 -0
- package/dist/src/application/analyzer-runner.js.map +1 -0
- package/dist/src/commands/announce.d.ts +2 -0
- package/dist/src/commands/announce.js +27 -0
- package/dist/src/commands/announce.js.map +1 -0
- package/dist/src/commands/ast-scan.d.ts +2 -0
- package/dist/src/commands/ast-scan.js +86 -0
- package/dist/src/commands/ast-scan.js.map +1 -0
- package/dist/src/commands/audit-repo.d.ts +2 -0
- package/dist/src/commands/audit-repo.js +20 -0
- package/dist/src/commands/audit-repo.js.map +1 -0
- package/dist/src/commands/config.d.ts +2 -0
- package/dist/src/commands/config.js +69 -0
- package/dist/src/commands/config.js.map +1 -0
- package/dist/src/commands/dependency-confusion.d.ts +2 -0
- package/dist/src/commands/dependency-confusion.js +37 -0
- package/dist/src/commands/dependency-confusion.js.map +1 -0
- package/dist/src/commands/diff.d.ts +2 -0
- package/dist/src/commands/diff.js +24 -0
- package/dist/src/commands/diff.js.map +1 -0
- package/dist/src/commands/docker-scan.d.ts +2 -0
- package/dist/src/commands/docker-scan.js +34 -0
- package/dist/src/commands/docker-scan.js.map +1 -0
- package/dist/src/commands/git-history.d.ts +2 -0
- package/dist/src/commands/git-history.js +40 -0
- package/dist/src/commands/git-history.js.map +1 -0
- package/dist/src/commands/history.d.ts +2 -0
- package/dist/src/commands/history.js +69 -0
- package/dist/src/commands/history.js.map +1 -0
- package/dist/src/commands/install-scripts.d.ts +2 -0
- package/dist/src/commands/install-scripts.js +52 -0
- package/dist/src/commands/install-scripts.js.map +1 -0
- package/dist/src/commands/mcp.d.ts +2 -0
- package/dist/src/commands/mcp.js +10 -0
- package/dist/src/commands/mcp.js.map +1 -0
- package/dist/src/commands/monorepo.d.ts +2 -0
- package/dist/src/commands/monorepo.js +21 -0
- package/dist/src/commands/monorepo.js.map +1 -0
- package/dist/src/commands/package-health.d.ts +2 -0
- package/dist/src/commands/package-health.js +50 -0
- package/dist/src/commands/package-health.js.map +1 -0
- package/dist/src/commands/publish.d.ts +2 -0
- package/dist/src/commands/publish.js +25 -0
- package/dist/src/commands/publish.js.map +1 -0
- package/dist/src/commands/reachability.d.ts +2 -0
- package/dist/src/commands/reachability.js +47 -0
- package/dist/src/commands/reachability.js.map +1 -0
- package/dist/src/commands/sbom.d.ts +2 -0
- package/dist/src/commands/sbom.js +33 -0
- package/dist/src/commands/sbom.js.map +1 -0
- package/dist/src/commands/upgrade-pr.d.ts +2 -0
- package/dist/src/commands/upgrade-pr.js +15 -0
- package/dist/src/commands/upgrade-pr.js.map +1 -0
- package/dist/src/commands/vulnerabilities.d.ts +2 -0
- package/dist/src/commands/vulnerabilities.js +42 -0
- package/dist/src/commands/vulnerabilities.js.map +1 -0
- package/dist/src/commands/watch.d.ts +2 -0
- package/dist/src/commands/watch.js +34 -0
- package/dist/src/commands/watch.js.map +1 -0
- package/dist/src/contracts/analyzer.d.ts +23 -0
- package/dist/src/contracts/analyzer.js +2 -0
- package/dist/src/contracts/analyzer.js.map +1 -0
- package/dist/src/contracts/finding.d.ts +35 -0
- package/dist/src/contracts/finding.js +13 -0
- package/dist/src/contracts/finding.js.map +1 -0
- package/dist/src/contracts/report.d.ts +30 -0
- package/dist/src/contracts/report.js +2 -0
- package/dist/src/contracts/report.js.map +1 -0
- package/dist/src/contracts/rule.d.ts +12 -0
- package/dist/src/contracts/rule.js +7 -0
- package/dist/src/contracts/rule.js.map +1 -0
- package/dist/src/core/announce/generate.d.ts +9 -0
- package/dist/src/core/announce/generate.js +19 -0
- package/dist/src/core/announce/generate.js.map +1 -0
- package/dist/src/core/config/load.d.ts +3 -0
- package/dist/src/core/config/load.js +21 -0
- package/dist/src/core/config/load.js.map +1 -0
- package/dist/src/core/config/policy.d.ts +3 -0
- package/dist/src/core/config/policy.js +48 -0
- package/dist/src/core/config/policy.js.map +1 -0
- package/dist/src/core/config/schema.d.ts +172 -0
- package/dist/src/core/config/schema.js +84 -0
- package/dist/src/core/config/schema.js.map +1 -0
- package/dist/src/core/dependencies/inventory.d.ts +9 -0
- package/dist/src/core/dependencies/inventory.js +43 -0
- package/dist/src/core/dependencies/inventory.js.map +1 -0
- package/dist/src/core/diff/security-diff.d.ts +10 -0
- package/dist/src/core/diff/security-diff.js +20 -0
- package/dist/src/core/diff/security-diff.js.map +1 -0
- package/dist/src/core/github/remote-audit.d.ts +5 -0
- package/dist/src/core/github/remote-audit.js +28 -0
- package/dist/src/core/github/remote-audit.js.map +1 -0
- package/dist/src/core/github/upgrade-pr.d.ts +4 -0
- package/dist/src/core/github/upgrade-pr.js +41 -0
- package/dist/src/core/github/upgrade-pr.js.map +1 -0
- package/dist/src/core/history/git-metadata.d.ts +5 -0
- package/dist/src/core/history/git-metadata.js +37 -0
- package/dist/src/core/history/git-metadata.js.map +1 -0
- package/dist/src/core/history/store.d.ts +5 -0
- package/dist/src/core/history/store.js +65 -0
- package/dist/src/core/history/store.js.map +1 -0
- package/dist/src/core/history/types.d.ts +27 -0
- package/dist/src/core/history/types.js +2 -0
- package/dist/src/core/history/types.js.map +1 -0
- package/dist/src/core/monorepo/discover.d.ts +7 -0
- package/dist/src/core/monorepo/discover.js +49 -0
- package/dist/src/core/monorepo/discover.js.map +1 -0
- package/dist/src/core/publish/html.d.ts +6 -0
- package/dist/src/core/publish/html.js +44 -0
- package/dist/src/core/publish/html.js.map +1 -0
- package/dist/src/core/sbom/generate.d.ts +2 -0
- package/dist/src/core/sbom/generate.js +120 -0
- package/dist/src/core/sbom/generate.js.map +1 -0
- package/dist/src/core/security-doctor.js +19 -5
- package/dist/src/core/security-doctor.js.map +1 -1
- package/dist/src/core/watch/watch.d.ts +5 -0
- package/dist/src/core/watch/watch.js +49 -0
- package/dist/src/core/watch/watch.js.map +1 -0
- package/dist/src/index.js +38 -0
- package/dist/src/index.js.map +1 -1
- package/dist/src/mcp/server.d.ts +1 -0
- package/dist/src/mcp/server.js +64 -0
- package/dist/src/mcp/server.js.map +1 -0
- package/dist/src/providers/depsdev/client.d.ts +71 -0
- package/dist/src/providers/depsdev/client.js +44 -0
- package/dist/src/providers/depsdev/client.js.map +1 -0
- package/dist/src/providers/osv/client.d.ts +15 -0
- package/dist/src/providers/osv/client.js +51 -0
- package/dist/src/providers/osv/client.js.map +1 -0
- package/dist/src/providers/osv/types.d.ts +38 -0
- package/dist/src/providers/osv/types.js +2 -0
- package/dist/src/providers/osv/types.js.map +1 -0
- package/dist/src/storage/memory-cache.d.ts +7 -0
- package/dist/src/storage/memory-cache.js +25 -0
- package/dist/src/storage/memory-cache.js.map +1 -0
- package/package.json +5 -3
|
@@ -0,0 +1,64 @@
|
|
|
1
|
+
import { TOOLIP_VERSION } from '../config/version.js';
|
|
2
|
+
import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
|
|
3
|
+
import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
|
|
4
|
+
import { z } from 'zod';
|
|
5
|
+
import { runSecurityDoctor } from '../core/security-doctor.js';
|
|
6
|
+
import { generateSbom } from '../core/sbom/generate.js';
|
|
7
|
+
import { securityDiff } from '../core/diff/security-diff.js';
|
|
8
|
+
export async function startMcpServer() {
|
|
9
|
+
const server = new McpServer({
|
|
10
|
+
name: 'toolip',
|
|
11
|
+
version: TOOLIP_VERSION
|
|
12
|
+
});
|
|
13
|
+
server.registerTool('toolip_doctor', {
|
|
14
|
+
title: 'Toolip Security Doctor',
|
|
15
|
+
description: 'Run local Toolip security checks inside the approved workspace.',
|
|
16
|
+
inputSchema: {
|
|
17
|
+
root: z.string().default(process.cwd())
|
|
18
|
+
}
|
|
19
|
+
}, async ({ root }) => {
|
|
20
|
+
const report = await runSecurityDoctor(root);
|
|
21
|
+
return {
|
|
22
|
+
content: [{
|
|
23
|
+
type: 'text',
|
|
24
|
+
text: JSON.stringify(report, null, 2)
|
|
25
|
+
}]
|
|
26
|
+
};
|
|
27
|
+
});
|
|
28
|
+
server.registerTool('toolip_sbom', {
|
|
29
|
+
title: 'Generate SBOM',
|
|
30
|
+
description: 'Generate a local CycloneDX or SPDX SBOM.',
|
|
31
|
+
inputSchema: {
|
|
32
|
+
root: z.string().default(process.cwd()),
|
|
33
|
+
format: z.enum(['cyclonedx', 'spdx']).default('cyclonedx')
|
|
34
|
+
}
|
|
35
|
+
}, async ({ root, format }) => {
|
|
36
|
+
const report = await generateSbom(root, format);
|
|
37
|
+
return {
|
|
38
|
+
content: [{
|
|
39
|
+
type: 'text',
|
|
40
|
+
text: JSON.stringify(report, null, 2)
|
|
41
|
+
}]
|
|
42
|
+
};
|
|
43
|
+
});
|
|
44
|
+
server.registerTool('toolip_diff', {
|
|
45
|
+
title: 'Security Diff',
|
|
46
|
+
description: 'Summarize security-relevant Git changes.',
|
|
47
|
+
inputSchema: {
|
|
48
|
+
root: z.string().default(process.cwd()),
|
|
49
|
+
base: z.string(),
|
|
50
|
+
head: z.string().default('HEAD')
|
|
51
|
+
}
|
|
52
|
+
}, async ({ root, base, head }) => {
|
|
53
|
+
const result = await securityDiff(root, base, head);
|
|
54
|
+
return {
|
|
55
|
+
content: [{
|
|
56
|
+
type: 'text',
|
|
57
|
+
text: JSON.stringify(result, null, 2)
|
|
58
|
+
}]
|
|
59
|
+
};
|
|
60
|
+
});
|
|
61
|
+
const transport = new StdioServerTransport();
|
|
62
|
+
await server.connect(transport);
|
|
63
|
+
}
|
|
64
|
+
//# sourceMappingURL=server.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"server.js","sourceRoot":"","sources":["../../../src/mcp/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAE7D,MAAM,CAAC,KAAK,UAAU,cAAc;IAClC,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE,cAAc;KACxB,CAAC,CAAC;IAEH,MAAM,CAAC,YAAY,CACjB,eAAe,EACf;QACE,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EAAE,iEAAiE;QAC9E,WAAW,EAAE;YACX,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;SACxC;KACF,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;QACjB,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,IAAI,CAAC,CAAC;QAC7C,OAAO;YACL,OAAO,EAAE,CAAC;oBACR,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;iBACtC,CAAC;SACH,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,YAAY,CACjB,aAAa,EACb;QACE,KAAK,EAAE,eAAe;QACtB,WAAW,EAAE,0CAA0C;QACvD,WAAW,EAAE;YACX,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YACvC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;SAC3D;KACF,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE;QACzB,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAChD,OAAO;YACL,OAAO,EAAE,CAAC;oBACR,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;iBACtC,CAAC;SACH,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,YAAY,CACjB,aAAa,EACb;QACE,KAAK,EAAE,eAAe;QACtB,WAAW,EAAE,0CAA0C;QACvD,WAAW,EAAE;YACX,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YACvC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;YAChB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC;SACjC;KACF,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE;QAC7B,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QACpD,OAAO;YACL,OAAO,EAAE,CAAC;oBACR,IAAI,EAAE,MAAM;oBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;iBACtC,CAAC;SACH,CAAC;IACJ,CAAC,CACF,CAAC;IAEF,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC"}
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
export type DepsDevVersionResponse = {
|
|
2
|
+
versionKey?: {
|
|
3
|
+
system?: string;
|
|
4
|
+
name?: string;
|
|
5
|
+
version?: string;
|
|
6
|
+
};
|
|
7
|
+
publishedAt?: string;
|
|
8
|
+
isDefault?: boolean;
|
|
9
|
+
isDeprecated?: boolean;
|
|
10
|
+
deprecatedReason?: string;
|
|
11
|
+
licenses?: string[];
|
|
12
|
+
advisoryKeys?: Array<{
|
|
13
|
+
id?: string;
|
|
14
|
+
}>;
|
|
15
|
+
links?: Array<{
|
|
16
|
+
label?: string;
|
|
17
|
+
url?: string;
|
|
18
|
+
}>;
|
|
19
|
+
slsaProvenances?: Array<{
|
|
20
|
+
sourceRepository?: string;
|
|
21
|
+
commit?: string;
|
|
22
|
+
url?: string;
|
|
23
|
+
verified?: boolean;
|
|
24
|
+
}>;
|
|
25
|
+
attestations?: Array<{
|
|
26
|
+
type?: string;
|
|
27
|
+
url?: string;
|
|
28
|
+
verified?: boolean;
|
|
29
|
+
sourceRepository?: string;
|
|
30
|
+
commit?: string;
|
|
31
|
+
}>;
|
|
32
|
+
registries?: string[];
|
|
33
|
+
relatedProjects?: Array<{
|
|
34
|
+
projectKey?: {
|
|
35
|
+
id?: string;
|
|
36
|
+
};
|
|
37
|
+
relationType?: string;
|
|
38
|
+
relationProvenance?: string;
|
|
39
|
+
}>;
|
|
40
|
+
};
|
|
41
|
+
export type DepsDevDependenciesResponse = {
|
|
42
|
+
nodes?: Array<{
|
|
43
|
+
versionKey?: {
|
|
44
|
+
system?: string;
|
|
45
|
+
name?: string;
|
|
46
|
+
version?: string;
|
|
47
|
+
};
|
|
48
|
+
relation?: string;
|
|
49
|
+
errors?: string[];
|
|
50
|
+
}>;
|
|
51
|
+
edges?: Array<{
|
|
52
|
+
fromNode?: number;
|
|
53
|
+
toNode?: number;
|
|
54
|
+
requirement?: string;
|
|
55
|
+
}>;
|
|
56
|
+
error?: string;
|
|
57
|
+
};
|
|
58
|
+
export type DepsDevClientOptions = {
|
|
59
|
+
endpoint?: string;
|
|
60
|
+
timeoutMs?: number;
|
|
61
|
+
fetchImplementation?: typeof fetch;
|
|
62
|
+
};
|
|
63
|
+
export declare class DepsDevClient {
|
|
64
|
+
private readonly endpoint;
|
|
65
|
+
private readonly timeoutMs;
|
|
66
|
+
private readonly fetchImplementation;
|
|
67
|
+
constructor(options?: DepsDevClientOptions);
|
|
68
|
+
getVersion(packageName: string, version: string, signal?: AbortSignal): Promise<DepsDevVersionResponse>;
|
|
69
|
+
getDependencies(packageName: string, version: string, signal?: AbortSignal): Promise<DepsDevDependenciesResponse>;
|
|
70
|
+
private getJson;
|
|
71
|
+
}
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
export class DepsDevClient {
|
|
2
|
+
endpoint;
|
|
3
|
+
timeoutMs;
|
|
4
|
+
fetchImplementation;
|
|
5
|
+
constructor(options = {}) {
|
|
6
|
+
this.endpoint =
|
|
7
|
+
options.endpoint ?? 'https://api.deps.dev/v3';
|
|
8
|
+
this.timeoutMs = options.timeoutMs ?? 20_000;
|
|
9
|
+
this.fetchImplementation =
|
|
10
|
+
options.fetchImplementation ?? globalThis.fetch;
|
|
11
|
+
}
|
|
12
|
+
async getVersion(packageName, version, signal) {
|
|
13
|
+
return this.getJson(`/systems/npm/packages/${encodeURIComponent(packageName)}/versions/${encodeURIComponent(version)}`, signal);
|
|
14
|
+
}
|
|
15
|
+
async getDependencies(packageName, version, signal) {
|
|
16
|
+
return this.getJson(`/systems/npm/packages/${encodeURIComponent(packageName)}/versions/${encodeURIComponent(version)}:dependencies`, signal);
|
|
17
|
+
}
|
|
18
|
+
async getJson(pathname, outerSignal) {
|
|
19
|
+
const controller = new AbortController();
|
|
20
|
+
const timeout = setTimeout(() => controller.abort(), this.timeoutMs);
|
|
21
|
+
const abort = () => controller.abort();
|
|
22
|
+
outerSignal?.addEventListener('abort', abort, {
|
|
23
|
+
once: true
|
|
24
|
+
});
|
|
25
|
+
try {
|
|
26
|
+
const response = await this.fetchImplementation(`${this.endpoint}${pathname}`, {
|
|
27
|
+
headers: {
|
|
28
|
+
accept: 'application/json',
|
|
29
|
+
'user-agent': 'toolip'
|
|
30
|
+
},
|
|
31
|
+
signal: controller.signal
|
|
32
|
+
});
|
|
33
|
+
if (!response.ok) {
|
|
34
|
+
throw new Error(`deps.dev request failed with HTTP ${response.status}.`);
|
|
35
|
+
}
|
|
36
|
+
return (await response.json());
|
|
37
|
+
}
|
|
38
|
+
finally {
|
|
39
|
+
clearTimeout(timeout);
|
|
40
|
+
outerSignal?.removeEventListener('abort', abort);
|
|
41
|
+
}
|
|
42
|
+
}
|
|
43
|
+
}
|
|
44
|
+
//# sourceMappingURL=client.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../../src/providers/depsdev/client.ts"],"names":[],"mappings":"AAiEA,MAAM,OAAO,aAAa;IACP,QAAQ,CAAS;IACjB,SAAS,CAAS;IAClB,mBAAmB,CAAe;IAEnD,YAAY,UAAgC,EAAE;QAC5C,IAAI,CAAC,QAAQ;YACX,OAAO,CAAC,QAAQ,IAAI,yBAAyB,CAAC;QAChD,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC;QAC7C,IAAI,CAAC,mBAAmB;YACtB,OAAO,CAAC,mBAAmB,IAAI,UAAU,CAAC,KAAK,CAAC;IACpD,CAAC;IAED,KAAK,CAAC,UAAU,CACd,WAAmB,EACnB,OAAe,EACf,MAAoB;QAEpB,OAAO,IAAI,CAAC,OAAO,CACjB,yBAAyB,kBAAkB,CACzC,WAAW,CACZ,aAAa,kBAAkB,CAAC,OAAO,CAAC,EAAE,EAC3C,MAAM,CACP,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,eAAe,CACnB,WAAmB,EACnB,OAAe,EACf,MAAoB;QAEpB,OAAO,IAAI,CAAC,OAAO,CACjB,yBAAyB,kBAAkB,CACzC,WAAW,CACZ,aAAa,kBAAkB,CAC9B,OAAO,CACR,eAAe,EAChB,MAAM,CACP,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,OAAO,CACnB,QAAgB,EAChB,WAAyB;QAEzB,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,UAAU,CACxB,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EACxB,IAAI,CAAC,SAAS,CACf,CAAC;QAEF,MAAM,KAAK,GAAG,GAAS,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QAC7C,WAAW,EAAE,gBAAgB,CAC3B,OAAO,EACP,KAAK,EACL;YACE,IAAI,EAAE,IAAI;SACX,CACF,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,QAAQ,GACZ,MAAM,IAAI,CAAC,mBAAmB,CAC5B,GAAG,IAAI,CAAC,QAAQ,GAAG,QAAQ,EAAE,EAC7B;gBACE,OAAO,EAAE;oBACP,MAAM,EAAE,kBAAkB;oBAC1B,YAAY,EAAE,QAAQ;iBACvB;gBACD,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CACF,CAAC;YAEJ,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CACb,qCAAqC,QAAQ,CAAC,MAAM,GAAG,CACxD,CAAC;YACJ,CAAC;YAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAM,CAAC;QACtC,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,OAAO,CAAC,CAAC;YACtB,WAAW,EAAE,mBAAmB,CAC9B,OAAO,EACP,KAAK,CACN,CAAC;QACJ,CAAC;IACH,CAAC;CACF"}
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
import type { OsvBatchResponse, OsvQuery } from './types.js';
|
|
2
|
+
export type OsvQueryResult = {
|
|
3
|
+
query: OsvQuery;
|
|
4
|
+
vulnerabilities: NonNullable<OsvBatchResponse['results'][number]['vulns']>;
|
|
5
|
+
};
|
|
6
|
+
export declare class OsvClient {
|
|
7
|
+
private readonly options;
|
|
8
|
+
constructor(options?: {
|
|
9
|
+
endpoint?: string;
|
|
10
|
+
timeoutMs?: number;
|
|
11
|
+
fetchImplementation?: typeof fetch;
|
|
12
|
+
batchSize?: number;
|
|
13
|
+
});
|
|
14
|
+
queryBatch(queries: OsvQuery[], signal?: AbortSignal): Promise<OsvQueryResult[]>;
|
|
15
|
+
}
|
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
export class OsvClient {
|
|
2
|
+
options;
|
|
3
|
+
constructor(options = {}) {
|
|
4
|
+
this.options = options;
|
|
5
|
+
}
|
|
6
|
+
async queryBatch(queries, signal) {
|
|
7
|
+
const endpoint = this.options.endpoint ?? 'https://api.osv.dev/v1/querybatch';
|
|
8
|
+
const timeoutMs = this.options.timeoutMs ?? 20000;
|
|
9
|
+
const fetchImplementation = this.options.fetchImplementation ?? globalThis.fetch;
|
|
10
|
+
const batchSize = Math.max(1, this.options.batchSize ?? 500);
|
|
11
|
+
const results = [];
|
|
12
|
+
for (let start = 0; start < queries.length; start += batchSize) {
|
|
13
|
+
const batch = queries.slice(start, start + batchSize);
|
|
14
|
+
const controller = new AbortController();
|
|
15
|
+
const timeout = setTimeout(() => controller.abort(), timeoutMs);
|
|
16
|
+
const abortFromOuter = () => controller.abort();
|
|
17
|
+
signal?.addEventListener('abort', abortFromOuter, { once: true });
|
|
18
|
+
try {
|
|
19
|
+
const response = await fetchImplementation(endpoint, {
|
|
20
|
+
method: 'POST',
|
|
21
|
+
headers: { 'content-type': 'application/json', 'user-agent': 'toolip' },
|
|
22
|
+
body: JSON.stringify({ queries: batch }),
|
|
23
|
+
signal: controller.signal
|
|
24
|
+
});
|
|
25
|
+
if (!response.ok)
|
|
26
|
+
throw new Error(`OSV request failed with HTTP ${response.status}.`);
|
|
27
|
+
const payload = (await response.json());
|
|
28
|
+
if (!Array.isArray(payload.results))
|
|
29
|
+
throw new Error('OSV returned a malformed response.');
|
|
30
|
+
if (payload.results.length !== batch.length) {
|
|
31
|
+
throw new Error(`OSV returned ${payload.results.length} results for ${batch.length} queries.`);
|
|
32
|
+
}
|
|
33
|
+
batch.forEach((query, index) => {
|
|
34
|
+
results.push({ query, vulnerabilities: payload.results[index]?.vulns ?? [] });
|
|
35
|
+
});
|
|
36
|
+
}
|
|
37
|
+
catch (error) {
|
|
38
|
+
if (error instanceof Error && error.name === 'AbortError') {
|
|
39
|
+
throw new Error('OSV vulnerability lookup timed out or was cancelled.');
|
|
40
|
+
}
|
|
41
|
+
throw error;
|
|
42
|
+
}
|
|
43
|
+
finally {
|
|
44
|
+
clearTimeout(timeout);
|
|
45
|
+
signal?.removeEventListener('abort', abortFromOuter);
|
|
46
|
+
}
|
|
47
|
+
}
|
|
48
|
+
return results;
|
|
49
|
+
}
|
|
50
|
+
}
|
|
51
|
+
//# sourceMappingURL=client.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../../src/providers/osv/client.ts"],"names":[],"mappings":"AAOA,MAAM,OAAO,SAAS;IAED;IADnB,YACmB,UAKb,EAAE;QALW,YAAO,GAAP,OAAO,CAKlB;IACL,CAAC;IAEJ,KAAK,CAAC,UAAU,CAAC,OAAmB,EAAE,MAAoB;QACxD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,IAAI,mCAAmC,CAAC;QAC9E,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,KAAK,CAAC;QAClD,MAAM,mBAAmB,GAAG,IAAI,CAAC,OAAO,CAAC,mBAAmB,IAAI,UAAU,CAAC,KAAK,CAAC;QACjF,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,GAAG,CAAC,CAAC;QAC7D,MAAM,OAAO,GAAqB,EAAE,CAAC;QAErC,KAAK,IAAI,KAAK,GAAG,CAAC,EAAE,KAAK,GAAG,OAAO,CAAC,MAAM,EAAE,KAAK,IAAI,SAAS,EAAE,CAAC;YAC/D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,KAAK,GAAG,SAAS,CAAC,CAAC;YACtD,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;YACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;YAChE,MAAM,cAAc,GAAG,GAAS,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YACtD,MAAM,EAAE,gBAAgB,CAAC,OAAO,EAAE,cAAc,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC;YAElE,IAAI,CAAC;gBACH,MAAM,QAAQ,GAAG,MAAM,mBAAmB,CAAC,QAAQ,EAAE;oBACnD,MAAM,EAAE,MAAM;oBACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,YAAY,EAAE,QAAQ,EAAE;oBACvE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;oBACxC,MAAM,EAAE,UAAU,CAAC,MAAM;iBAC1B,CAAC,CAAC;gBAEH,IAAI,CAAC,QAAQ,CAAC,EAAE;oBAAE,MAAM,IAAI,KAAK,CAAC,gCAAgC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;gBACtF,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAqB,CAAC;gBAC5D,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC;oBAAE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBAC3F,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,EAAE,CAAC;oBAC5C,MAAM,IAAI,KAAK,CAAC,gBAAgB,OAAO,CAAC,OAAO,CAAC,MAAM,gBAAgB,KAAK,CAAC,MAAM,WAAW,CAAC,CAAC;gBACjG,CAAC;gBAED,KAAK,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,EAAE;oBAC7B,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,KAAK,IAAI,EAAE,EAAE,CAAC,CAAC;gBAChF,CAAC,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;oBAC1D,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;gBAC1E,CAAC;gBACD,MAAM,KAAK,CAAC;YACd,CAAC;oBAAS,CAAC;gBACT,YAAY,CAAC,OAAO,CAAC,CAAC;gBACtB,MAAM,EAAE,mBAAmB,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;CACF"}
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
export type OsvQuery = {
|
|
2
|
+
package: {
|
|
3
|
+
ecosystem: 'npm';
|
|
4
|
+
name: string;
|
|
5
|
+
};
|
|
6
|
+
version: string;
|
|
7
|
+
};
|
|
8
|
+
export type OsvVulnerability = {
|
|
9
|
+
id: string;
|
|
10
|
+
aliases?: string[];
|
|
11
|
+
summary?: string;
|
|
12
|
+
published?: string;
|
|
13
|
+
modified?: string;
|
|
14
|
+
severity?: Array<{
|
|
15
|
+
type?: string;
|
|
16
|
+
score?: string;
|
|
17
|
+
}>;
|
|
18
|
+
references?: Array<{
|
|
19
|
+
type?: string;
|
|
20
|
+
url?: string;
|
|
21
|
+
}>;
|
|
22
|
+
affected?: Array<{
|
|
23
|
+
ranges?: Array<{
|
|
24
|
+
type?: string;
|
|
25
|
+
events?: Array<{
|
|
26
|
+
introduced?: string;
|
|
27
|
+
fixed?: string;
|
|
28
|
+
last_affected?: string;
|
|
29
|
+
}>;
|
|
30
|
+
}>;
|
|
31
|
+
}>;
|
|
32
|
+
database_specific?: Record<string, unknown>;
|
|
33
|
+
};
|
|
34
|
+
export type OsvBatchResponse = {
|
|
35
|
+
results: Array<{
|
|
36
|
+
vulns?: OsvVulnerability[];
|
|
37
|
+
}>;
|
|
38
|
+
};
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/providers/osv/types.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
import type { AnalyzerCache } from '../contracts/analyzer.js';
|
|
2
|
+
export declare class MemoryCache implements AnalyzerCache {
|
|
3
|
+
private readonly entries;
|
|
4
|
+
get<T>(key: string): Promise<T | undefined>;
|
|
5
|
+
set<T>(key: string, value: T, ttlMs?: number): Promise<void>;
|
|
6
|
+
clear(): void;
|
|
7
|
+
}
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
export class MemoryCache {
|
|
2
|
+
entries = new Map();
|
|
3
|
+
async get(key) {
|
|
4
|
+
const entry = this.entries.get(key);
|
|
5
|
+
if (!entry) {
|
|
6
|
+
return undefined;
|
|
7
|
+
}
|
|
8
|
+
if (entry.expiresAt !== undefined &&
|
|
9
|
+
entry.expiresAt <= Date.now()) {
|
|
10
|
+
this.entries.delete(key);
|
|
11
|
+
return undefined;
|
|
12
|
+
}
|
|
13
|
+
return entry.value;
|
|
14
|
+
}
|
|
15
|
+
async set(key, value, ttlMs) {
|
|
16
|
+
this.entries.set(key, {
|
|
17
|
+
value,
|
|
18
|
+
expiresAt: ttlMs === undefined ? undefined : Date.now() + ttlMs
|
|
19
|
+
});
|
|
20
|
+
}
|
|
21
|
+
clear() {
|
|
22
|
+
this.entries.clear();
|
|
23
|
+
}
|
|
24
|
+
}
|
|
25
|
+
//# sourceMappingURL=memory-cache.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"memory-cache.js","sourceRoot":"","sources":["../../../src/storage/memory-cache.ts"],"names":[],"mappings":"AAOA,MAAM,OAAO,WAAW;IACL,OAAO,GAAG,IAAI,GAAG,EAAsB,CAAC;IAEzD,KAAK,CAAC,GAAG,CAAI,GAAW;QACtB,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAEpC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IACE,KAAK,CAAC,SAAS,KAAK,SAAS;YAC7B,KAAK,CAAC,SAAS,IAAI,IAAI,CAAC,GAAG,EAAE,EAC7B,CAAC;YACD,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACzB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,OAAO,KAAK,CAAC,KAAU,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,GAAG,CACP,GAAW,EACX,KAAQ,EACR,KAAc;QAEd,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE;YACpB,KAAK;YACL,SAAS,EACP,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK;SACvD,CAAC,CAAC;IACL,CAAC;IAED,KAAK;QACH,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;IACvB,CAAC;CACF"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "toolip",
|
|
3
|
-
"version": "
|
|
3
|
+
"version": "2.0.0",
|
|
4
4
|
"description": "A TypeScript-powered developer security companion CLI for supply chain security, dependency intelligence, secret detection, security auditing, encrypted local secrets management, Git security checks, and secure development education.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"bin": {
|
|
@@ -23,7 +23,8 @@
|
|
|
23
23
|
"verify:package": "node scripts/verify-package.mjs",
|
|
24
24
|
"verify": "npm run typecheck && npm test && npm run clean && npm run build && npm run verify:package",
|
|
25
25
|
"prepack": "npm run verify",
|
|
26
|
-
"pack:check": "npm pack --dry-run"
|
|
26
|
+
"pack:check": "npm pack --dry-run",
|
|
27
|
+
"release:check": "bash scripts/release-check.sh"
|
|
27
28
|
},
|
|
28
29
|
"keywords": [
|
|
29
30
|
"typescript",
|
|
@@ -56,6 +57,7 @@
|
|
|
56
57
|
},
|
|
57
58
|
"homepage": "https://github.com/wbizmo/toolip#readme",
|
|
58
59
|
"dependencies": {
|
|
60
|
+
"@modelcontextprotocol/sdk": "^1.29.0",
|
|
59
61
|
"chalk": "^5.4.1",
|
|
60
62
|
"commander": "^13.1.0",
|
|
61
63
|
"fast-glob": "^3.3.3",
|
|
@@ -63,13 +65,13 @@
|
|
|
63
65
|
"ora": "^8.2.0",
|
|
64
66
|
"pacote": "^21.0.4",
|
|
65
67
|
"semver": "^7.7.3",
|
|
68
|
+
"typescript": "^5.8.2",
|
|
66
69
|
"zod": "^3.24.2"
|
|
67
70
|
},
|
|
68
71
|
"devDependencies": {
|
|
69
72
|
"@types/node": "^22.13.10",
|
|
70
73
|
"@types/semver": "^7.7.1",
|
|
71
74
|
"tsx": "^4.19.3",
|
|
72
|
-
"typescript": "^5.8.2",
|
|
73
75
|
"vitest": "^3.2.6"
|
|
74
76
|
}
|
|
75
77
|
}
|