toolip 1.0.7 → 2.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +189 -448
- package/dist/src/analyzers/ast/ast-security-analyzer.d.ts +6 -0
- package/dist/src/analyzers/ast/ast-security-analyzer.js +64 -0
- package/dist/src/analyzers/ast/ast-security-analyzer.js.map +1 -0
- package/dist/src/analyzers/ast/rules.d.ts +48 -0
- package/dist/src/analyzers/ast/rules.js +39 -0
- package/dist/src/analyzers/ast/rules.js.map +1 -0
- package/dist/src/analyzers/ast/source-analysis.d.ts +2 -0
- package/dist/src/analyzers/ast/source-analysis.js +225 -0
- package/dist/src/analyzers/ast/source-analysis.js.map +1 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.d.ts +9 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.js +98 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.js.map +1 -0
- package/dist/src/analyzers/docker/analyzer.d.ts +6 -0
- package/dist/src/analyzers/docker/analyzer.js +103 -0
- package/dist/src/analyzers/docker/analyzer.js.map +1 -0
- package/dist/src/analyzers/git-history/analyzer.d.ts +8 -0
- package/dist/src/analyzers/git-history/analyzer.js +202 -0
- package/dist/src/analyzers/git-history/analyzer.js.map +1 -0
- package/dist/src/analyzers/git-history/secret-patterns.d.ts +7 -0
- package/dist/src/analyzers/git-history/secret-patterns.js +33 -0
- package/dist/src/analyzers/git-history/secret-patterns.js.map +1 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.d.ts +6 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.js +135 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.js.map +1 -0
- package/dist/src/analyzers/reachability/import-graph.d.ts +9 -0
- package/dist/src/analyzers/reachability/import-graph.js +110 -0
- package/dist/src/analyzers/reachability/import-graph.js.map +1 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.d.ts +16 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.js +95 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.js.map +1 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.d.ts +9 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.js +94 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.js.map +1 -0
- package/dist/src/analyzers/vulnerability/severity.d.ts +3 -0
- package/dist/src/analyzers/vulnerability/severity.js +13 -0
- package/dist/src/analyzers/vulnerability/severity.js.map +1 -0
- package/dist/src/application/analyzer-runner.d.ts +12 -0
- package/dist/src/application/analyzer-runner.js +45 -0
- package/dist/src/application/analyzer-runner.js.map +1 -0
- package/dist/src/commands/announce.d.ts +2 -0
- package/dist/src/commands/announce.js +27 -0
- package/dist/src/commands/announce.js.map +1 -0
- package/dist/src/commands/ast-scan.d.ts +2 -0
- package/dist/src/commands/ast-scan.js +86 -0
- package/dist/src/commands/ast-scan.js.map +1 -0
- package/dist/src/commands/audit-repo.d.ts +2 -0
- package/dist/src/commands/audit-repo.js +20 -0
- package/dist/src/commands/audit-repo.js.map +1 -0
- package/dist/src/commands/config.d.ts +2 -0
- package/dist/src/commands/config.js +69 -0
- package/dist/src/commands/config.js.map +1 -0
- package/dist/src/commands/dependency-confusion.d.ts +2 -0
- package/dist/src/commands/dependency-confusion.js +37 -0
- package/dist/src/commands/dependency-confusion.js.map +1 -0
- package/dist/src/commands/diff.d.ts +2 -0
- package/dist/src/commands/diff.js +24 -0
- package/dist/src/commands/diff.js.map +1 -0
- package/dist/src/commands/docker-scan.d.ts +2 -0
- package/dist/src/commands/docker-scan.js +34 -0
- package/dist/src/commands/docker-scan.js.map +1 -0
- package/dist/src/commands/git-history.d.ts +2 -0
- package/dist/src/commands/git-history.js +40 -0
- package/dist/src/commands/git-history.js.map +1 -0
- package/dist/src/commands/history.d.ts +2 -0
- package/dist/src/commands/history.js +69 -0
- package/dist/src/commands/history.js.map +1 -0
- package/dist/src/commands/install-scripts.d.ts +2 -0
- package/dist/src/commands/install-scripts.js +52 -0
- package/dist/src/commands/install-scripts.js.map +1 -0
- package/dist/src/commands/mcp.d.ts +2 -0
- package/dist/src/commands/mcp.js +10 -0
- package/dist/src/commands/mcp.js.map +1 -0
- package/dist/src/commands/monorepo.d.ts +2 -0
- package/dist/src/commands/monorepo.js +21 -0
- package/dist/src/commands/monorepo.js.map +1 -0
- package/dist/src/commands/package-health.d.ts +2 -0
- package/dist/src/commands/package-health.js +50 -0
- package/dist/src/commands/package-health.js.map +1 -0
- package/dist/src/commands/publish.d.ts +2 -0
- package/dist/src/commands/publish.js +25 -0
- package/dist/src/commands/publish.js.map +1 -0
- package/dist/src/commands/reachability.d.ts +2 -0
- package/dist/src/commands/reachability.js +47 -0
- package/dist/src/commands/reachability.js.map +1 -0
- package/dist/src/commands/sbom.d.ts +2 -0
- package/dist/src/commands/sbom.js +33 -0
- package/dist/src/commands/sbom.js.map +1 -0
- package/dist/src/commands/upgrade-pr.d.ts +2 -0
- package/dist/src/commands/upgrade-pr.js +15 -0
- package/dist/src/commands/upgrade-pr.js.map +1 -0
- package/dist/src/commands/vulnerabilities.d.ts +2 -0
- package/dist/src/commands/vulnerabilities.js +42 -0
- package/dist/src/commands/vulnerabilities.js.map +1 -0
- package/dist/src/commands/watch.d.ts +2 -0
- package/dist/src/commands/watch.js +34 -0
- package/dist/src/commands/watch.js.map +1 -0
- package/dist/src/contracts/analyzer.d.ts +23 -0
- package/dist/src/contracts/analyzer.js +2 -0
- package/dist/src/contracts/analyzer.js.map +1 -0
- package/dist/src/contracts/finding.d.ts +35 -0
- package/dist/src/contracts/finding.js +13 -0
- package/dist/src/contracts/finding.js.map +1 -0
- package/dist/src/contracts/report.d.ts +30 -0
- package/dist/src/contracts/report.js +2 -0
- package/dist/src/contracts/report.js.map +1 -0
- package/dist/src/contracts/rule.d.ts +12 -0
- package/dist/src/contracts/rule.js +7 -0
- package/dist/src/contracts/rule.js.map +1 -0
- package/dist/src/core/announce/generate.d.ts +9 -0
- package/dist/src/core/announce/generate.js +19 -0
- package/dist/src/core/announce/generate.js.map +1 -0
- package/dist/src/core/config/load.d.ts +3 -0
- package/dist/src/core/config/load.js +21 -0
- package/dist/src/core/config/load.js.map +1 -0
- package/dist/src/core/config/policy.d.ts +3 -0
- package/dist/src/core/config/policy.js +48 -0
- package/dist/src/core/config/policy.js.map +1 -0
- package/dist/src/core/config/schema.d.ts +172 -0
- package/dist/src/core/config/schema.js +84 -0
- package/dist/src/core/config/schema.js.map +1 -0
- package/dist/src/core/dependencies/inventory.d.ts +9 -0
- package/dist/src/core/dependencies/inventory.js +43 -0
- package/dist/src/core/dependencies/inventory.js.map +1 -0
- package/dist/src/core/diff/security-diff.d.ts +10 -0
- package/dist/src/core/diff/security-diff.js +20 -0
- package/dist/src/core/diff/security-diff.js.map +1 -0
- package/dist/src/core/github/remote-audit.d.ts +5 -0
- package/dist/src/core/github/remote-audit.js +28 -0
- package/dist/src/core/github/remote-audit.js.map +1 -0
- package/dist/src/core/github/upgrade-pr.d.ts +4 -0
- package/dist/src/core/github/upgrade-pr.js +41 -0
- package/dist/src/core/github/upgrade-pr.js.map +1 -0
- package/dist/src/core/history/git-metadata.d.ts +5 -0
- package/dist/src/core/history/git-metadata.js +37 -0
- package/dist/src/core/history/git-metadata.js.map +1 -0
- package/dist/src/core/history/store.d.ts +5 -0
- package/dist/src/core/history/store.js +65 -0
- package/dist/src/core/history/store.js.map +1 -0
- package/dist/src/core/history/types.d.ts +27 -0
- package/dist/src/core/history/types.js +2 -0
- package/dist/src/core/history/types.js.map +1 -0
- package/dist/src/core/monorepo/discover.d.ts +7 -0
- package/dist/src/core/monorepo/discover.js +49 -0
- package/dist/src/core/monorepo/discover.js.map +1 -0
- package/dist/src/core/publish/html.d.ts +6 -0
- package/dist/src/core/publish/html.js +44 -0
- package/dist/src/core/publish/html.js.map +1 -0
- package/dist/src/core/sbom/generate.d.ts +2 -0
- package/dist/src/core/sbom/generate.js +120 -0
- package/dist/src/core/sbom/generate.js.map +1 -0
- package/dist/src/core/security-doctor.js +19 -5
- package/dist/src/core/security-doctor.js.map +1 -1
- package/dist/src/core/watch/watch.d.ts +5 -0
- package/dist/src/core/watch/watch.js +49 -0
- package/dist/src/core/watch/watch.js.map +1 -0
- package/dist/src/index.js +38 -0
- package/dist/src/index.js.map +1 -1
- package/dist/src/mcp/server.d.ts +1 -0
- package/dist/src/mcp/server.js +64 -0
- package/dist/src/mcp/server.js.map +1 -0
- package/dist/src/providers/depsdev/client.d.ts +71 -0
- package/dist/src/providers/depsdev/client.js +44 -0
- package/dist/src/providers/depsdev/client.js.map +1 -0
- package/dist/src/providers/osv/client.d.ts +15 -0
- package/dist/src/providers/osv/client.js +51 -0
- package/dist/src/providers/osv/client.js.map +1 -0
- package/dist/src/providers/osv/types.d.ts +38 -0
- package/dist/src/providers/osv/types.js +2 -0
- package/dist/src/providers/osv/types.js.map +1 -0
- package/dist/src/storage/memory-cache.d.ts +7 -0
- package/dist/src/storage/memory-cache.js +25 -0
- package/dist/src/storage/memory-cache.js.map +1 -0
- package/package.json +5 -3
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"reachability-analyzer.js","sourceRoot":"","sources":["../../../../src/analyzers/reachability/reachability-analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAO5C,OAAO,EAAE,oBAAoB,EAAE,MAAM,+BAA+B,CAAC;AACrE,OAAO,EAAE,0BAA0B,EAAE,MAAM,sCAAsC,CAAC;AAClF,OAAO,EACL,qBAAqB,EAEtB,MAAM,mBAAmB,CAAC;AAE3B,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC;IAC7B,IAAI;IACJ,KAAK;IACL,IAAI;IACJ,KAAK;IACL,KAAK;IACL,KAAK;CACN,CAAC,CAAC;AAiBH,MAAM,OAAO,oBAAoB;IACtB,EAAE,GAAG,sBAAsB,CAAC;IAC5B,OAAO,GAAG,OAAO,CAAC;IAE3B,KAAK,CAAC,OAAO,CACX,OAAwB;QAExB,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QACpC,MAAM,YAAY,GAChB,MAAM,0BAA0B,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACjD,MAAM,cAAc,GAClB,MAAM,oBAAoB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAE3C,MAAM,UAAU,GAAG,IAAI,GAAG,EAGvB,CAAC;QAEJ,KAAK,MAAM,IAAI,IAAI,cAAc,CAAC,KAAK,EAAE,CAAC;YACxC,IACE,CAAC,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC;gBACnC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC;gBACnC,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,OAAO,CAAC,EACrC,CAAC;gBACD,SAAS;YACX,CAAC;YAED,IAAI,OAAO,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC;gBAC5B,MAAM,IAAI,KAAK,CACb,sCAAsC,CACvC,CAAC;YACJ,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,QAAQ,CAC5B,IAAI,CAAC,YAAY,EACjB,MAAM,CACP,CAAC;YAEF,KAAK,MAAM,SAAS,IAAI,qBAAqB,CAC3C,IAAI,CAAC,YAAY,EACjB,OAAO,CACR,EAAE,CAAC;gBACF,MAAM,OAAO,GACX,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;gBAE9C,OAAO,CAAC,IAAI,CAAC;oBACX,GAAG,SAAS;oBACZ,IAAI,EAAE,IAAI,CAAC,YAAY;iBACxB,CAAC,CAAC;gBAEH,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;YACjD,CAAC;QACH,CAAC;QAED,MAAM,aAAa,GAAG,YAAY,CAAC,GAAG,CACpC,CAAC,UAAU,EAAuB,EAAE;YAClC,MAAM,iBAAiB,GACrB,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YAExC,OAAO;gBACL,WAAW,EAAE,UAAU,CAAC,IAAI;gBAC5B,KAAK,EACH,iBAAiB,CAAC,MAAM,GAAG,CAAC;oBAC1B,CAAC,CAAC,WAAW;oBACb,CAAC,CAAC,UAAU,CAAC,MAAM;wBACjB,CAAC,CAAC,oBAAoB;wBACtB,CAAC,CAAC,cAAc;gBACtB,MAAM,EAAE,UAAU,CAAC,MAAM;gBACzB,WAAW,EAAE,UAAU,CAAC,WAAW;gBACnC,UAAU,EAAE,iBAAiB;aAC9B,CAAC;QACJ,CAAC,CACF,CAAC;QAEF,MAAM,QAAQ,GAAc,aAAa;aACtC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,KAAK,WAAW,CAAC;aAC5C,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACd,EAAE,EAAE,aAAa,IAAI,CAAC,WAAW;iBAC9B,WAAW,EAAE;iBACb,UAAU,CAAC,YAAY,EAAE,GAAG,CAAC,EAAE;YAClC,MAAM,EAAE,eAAe;YACvB,KAAK,EAAE,2BAA2B,IAAI,CAAC,WAAW,EAAE;YACpD,QAAQ,EAAE,cAAc;YACxB,QAAQ,EAAE,MAAM;YAChB,UAAU,EAAE,MAAM;YAClB,OAAO,EACL,GAAG,IAAI,CAAC,WAAW,mDAAmD;YACxE,MAAM,EAAE,gBAAgB;YACxB,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CACxC,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;gBACd,OAAO,EACL,GAAG,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC,MAAM,GAAG;oBAC1D,GAAG,SAAS,CAAC,IAAI,SAAS;gBAC5B,WAAW,EACT,GAAG,IAAI,CAAC,WAAW,IAAI,SAAS,CAAC,IAAI,GAAG;oBACxC,GAAG,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC,MAAM,EAAE;aAC1C,CAAC,CACH;YACD,QAAQ,EAAE;gBACR,OAAO,EAAE,IAAI,CAAC,WAAW;gBACzB,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,UAAU,EAAE,IAAI,CAAC,UAAU;aAC5B;SACF,CAAC,CAAC,CAAC;QAEN,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,EAAE;YACjB,UAAU,EAAE,IAAI,CAAC,KAAK,CACpB,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAC9B;YACD,QAAQ;YACR,QAAQ,EAAE;gBACR,YAAY,EAAE,aAAa,CAAC,MAAM;gBAClC,SAAS,EAAE,aAAa,CAAC,MAAM,CAC7B,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,KAAK,WAAW,CACrC,CAAC,MAAM;gBACR,iBAAiB,EAAE,aAAa,CAAC,MAAM,CACrC,CAAC,IAAI,EAAE,EAAE,CACP,IAAI,CAAC,KAAK,KAAK,oBAAoB,CACtC,CAAC,MAAM;gBACR,WAAW,EAAE,aAAa,CAAC,MAAM,CAC/B,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,KAAK,cAAc,CACxC,CAAC,MAAM;gBACR,QAAQ,EAAE,aAAa;aACxB;SACF,CAAC;IACJ,CAAC;CACF"}
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
import type { Analyzer, AnalyzerContext, AnalyzerResult } from '../../contracts/analyzer.js';
|
|
2
|
+
import { OsvClient } from '../../providers/osv/client.js';
|
|
3
|
+
export declare class OsvVulnerabilityAnalyzer implements Analyzer {
|
|
4
|
+
private readonly client;
|
|
5
|
+
readonly id = "osv-vulnerability";
|
|
6
|
+
readonly version = "1.0.0";
|
|
7
|
+
constructor(client?: OsvClient);
|
|
8
|
+
analyze(context: AnalyzerContext): Promise<AnalyzerResult>;
|
|
9
|
+
}
|
|
@@ -0,0 +1,94 @@
|
|
|
1
|
+
import { performance } from 'node:perf_hooks';
|
|
2
|
+
import { readNpmDependencyInventory } from '../../core/dependencies/inventory.js';
|
|
3
|
+
import { OsvClient } from '../../providers/osv/client.js';
|
|
4
|
+
import { mapOsvSeverity } from './severity.js';
|
|
5
|
+
function fixedVersions(vulnerability) {
|
|
6
|
+
const versions = new Set();
|
|
7
|
+
for (const affected of vulnerability.affected ?? []) {
|
|
8
|
+
for (const range of affected.ranges ?? []) {
|
|
9
|
+
for (const event of range.events ?? [])
|
|
10
|
+
if (event.fixed)
|
|
11
|
+
versions.add(event.fixed);
|
|
12
|
+
}
|
|
13
|
+
}
|
|
14
|
+
return [...versions];
|
|
15
|
+
}
|
|
16
|
+
function toFinding(dependency, vulnerability) {
|
|
17
|
+
const fixes = fixedVersions(vulnerability);
|
|
18
|
+
return {
|
|
19
|
+
id: `TLP-CVE-${dependency.name}-${vulnerability.id}`.toUpperCase().replaceAll(/[^A-Z0-9-]/g, '-'),
|
|
20
|
+
ruleId: 'TLP-CVE-001',
|
|
21
|
+
title: vulnerability.summary ?? `Known vulnerability in ${dependency.name}`,
|
|
22
|
+
category: 'vulnerability',
|
|
23
|
+
severity: mapOsvSeverity(vulnerability),
|
|
24
|
+
confidence: 'high',
|
|
25
|
+
message: `${dependency.name}@${dependency.version} matches ${vulnerability.id} in OSV.`,
|
|
26
|
+
source: 'osv',
|
|
27
|
+
evidence: [{
|
|
28
|
+
summary: `${dependency.name}@${dependency.version} is resolved in package-lock.json.`,
|
|
29
|
+
fingerprint: `npm:${dependency.name}@${dependency.version}:${vulnerability.id}`
|
|
30
|
+
}],
|
|
31
|
+
remediation: {
|
|
32
|
+
summary: fixes.length > 0
|
|
33
|
+
? `Upgrade ${dependency.name} to a fixed version: ${fixes.join(', ')}.`
|
|
34
|
+
: `Review ${vulnerability.id} and upgrade or replace ${dependency.name} when a fix is available.`,
|
|
35
|
+
fixedVersion: fixes[0],
|
|
36
|
+
references: (vulnerability.references ?? [])
|
|
37
|
+
.map((reference) => reference.url)
|
|
38
|
+
.filter((url) => Boolean(url))
|
|
39
|
+
.slice(0, 10)
|
|
40
|
+
},
|
|
41
|
+
metadata: {
|
|
42
|
+
package: dependency.name,
|
|
43
|
+
installedVersion: dependency.version,
|
|
44
|
+
direct: dependency.direct,
|
|
45
|
+
development: dependency.development,
|
|
46
|
+
vulnerabilityId: vulnerability.id,
|
|
47
|
+
aliases: vulnerability.aliases ?? []
|
|
48
|
+
}
|
|
49
|
+
};
|
|
50
|
+
}
|
|
51
|
+
export class OsvVulnerabilityAnalyzer {
|
|
52
|
+
client;
|
|
53
|
+
id = 'osv-vulnerability';
|
|
54
|
+
version = '1.0.0';
|
|
55
|
+
constructor(client = new OsvClient()) {
|
|
56
|
+
this.client = client;
|
|
57
|
+
}
|
|
58
|
+
async analyze(context) {
|
|
59
|
+
const startedAt = performance.now();
|
|
60
|
+
const dependencies = await readNpmDependencyInventory(context.root);
|
|
61
|
+
const cachedResults = [];
|
|
62
|
+
const uncached = [];
|
|
63
|
+
for (const dependency of dependencies) {
|
|
64
|
+
const key = `osv:v1:npm:${dependency.name}@${dependency.version}`;
|
|
65
|
+
const cached = await context.cache?.get(key);
|
|
66
|
+
if (cached)
|
|
67
|
+
cachedResults.push(cached);
|
|
68
|
+
else
|
|
69
|
+
uncached.push(dependency);
|
|
70
|
+
}
|
|
71
|
+
const freshResults = uncached.length === 0 ? [] : await this.client.queryBatch(uncached.map((dependency) => ({
|
|
72
|
+
package: { ecosystem: 'npm', name: dependency.name },
|
|
73
|
+
version: dependency.version
|
|
74
|
+
})), context.signal);
|
|
75
|
+
for (const result of freshResults) {
|
|
76
|
+
await context.cache?.set(`osv:v1:npm:${result.query.package.name}@${result.query.version}`, result, 6 * 60 * 60 * 1000);
|
|
77
|
+
}
|
|
78
|
+
const queryResults = [...cachedResults, ...freshResults];
|
|
79
|
+
const findings = queryResults.flatMap((result) => {
|
|
80
|
+
const dependency = dependencies.find((item) => item.name === result.query.package.name && item.version === result.query.version);
|
|
81
|
+
return dependency ? result.vulnerabilities.map((vulnerability) => toFinding(dependency, vulnerability)) : [];
|
|
82
|
+
});
|
|
83
|
+
return {
|
|
84
|
+
analyzer: this.id,
|
|
85
|
+
durationMs: Math.round(performance.now() - startedAt),
|
|
86
|
+
findings,
|
|
87
|
+
metadata: {
|
|
88
|
+
dependenciesChecked: dependencies.length,
|
|
89
|
+
vulnerabilities: findings.length
|
|
90
|
+
}
|
|
91
|
+
};
|
|
92
|
+
}
|
|
93
|
+
}
|
|
94
|
+
//# sourceMappingURL=osv-analyzer.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"osv-analyzer.js","sourceRoot":"","sources":["../../../../src/analyzers/vulnerability/osv-analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAG9C,OAAO,EAAE,0BAA0B,EAA2B,MAAM,sCAAsC,CAAC;AAC3G,OAAO,EAAE,SAAS,EAAuB,MAAM,+BAA+B,CAAC;AAE/E,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAE/C,SAAS,aAAa,CAAC,aAA+B;IACpD,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IACnC,KAAK,MAAM,QAAQ,IAAI,aAAa,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;QACpD,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YAC1C,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,MAAM,IAAI,EAAE;gBAAE,IAAI,KAAK,CAAC,KAAK;oBAAE,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACrF,CAAC;IACH,CAAC;IACD,OAAO,CAAC,GAAG,QAAQ,CAAC,CAAC;AACvB,CAAC;AAED,SAAS,SAAS,CAAC,UAA8B,EAAE,aAA+B;IAChF,MAAM,KAAK,GAAG,aAAa,CAAC,aAAa,CAAC,CAAC;IAC3C,OAAO;QACL,EAAE,EAAE,WAAW,UAAU,CAAC,IAAI,IAAI,aAAa,CAAC,EAAE,EAAE,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,aAAa,EAAE,GAAG,CAAC;QACjG,MAAM,EAAE,aAAa;QACrB,KAAK,EAAE,aAAa,CAAC,OAAO,IAAI,0BAA0B,UAAU,CAAC,IAAI,EAAE;QAC3E,QAAQ,EAAE,eAAe;QACzB,QAAQ,EAAE,cAAc,CAAC,aAAa,CAAC;QACvC,UAAU,EAAE,MAAM;QAClB,OAAO,EAAE,GAAG,UAAU,CAAC,IAAI,IAAI,UAAU,CAAC,OAAO,YAAY,aAAa,CAAC,EAAE,UAAU;QACvF,MAAM,EAAE,KAAK;QACb,QAAQ,EAAE,CAAC;gBACT,OAAO,EAAE,GAAG,UAAU,CAAC,IAAI,IAAI,UAAU,CAAC,OAAO,oCAAoC;gBACrF,WAAW,EAAE,OAAO,UAAU,CAAC,IAAI,IAAI,UAAU,CAAC,OAAO,IAAI,aAAa,CAAC,EAAE,EAAE;aAChF,CAAC;QACF,WAAW,EAAE;YACX,OAAO,EAAE,KAAK,CAAC,MAAM,GAAG,CAAC;gBACvB,CAAC,CAAC,WAAW,UAAU,CAAC,IAAI,wBAAwB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;gBACvE,CAAC,CAAC,UAAU,aAAa,CAAC,EAAE,2BAA2B,UAAU,CAAC,IAAI,2BAA2B;YACnG,YAAY,EAAE,KAAK,CAAC,CAAC,CAAC;YACtB,UAAU,EAAE,CAAC,aAAa,CAAC,UAAU,IAAI,EAAE,CAAC;iBACzC,GAAG,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC;iBACjC,MAAM,CAAC,CAAC,GAAG,EAAiB,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;iBAC5C,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;SAChB;QACD,QAAQ,EAAE;YACR,OAAO,EAAE,UAAU,CAAC,IAAI;YACxB,gBAAgB,EAAE,UAAU,CAAC,OAAO;YACpC,MAAM,EAAE,UAAU,CAAC,MAAM;YACzB,WAAW,EAAE,UAAU,CAAC,WAAW;YACnC,eAAe,EAAE,aAAa,CAAC,EAAE;YACjC,OAAO,EAAE,aAAa,CAAC,OAAO,IAAI,EAAE;SACrC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,OAAO,wBAAwB;IAIN;IAHpB,EAAE,GAAG,mBAAmB,CAAC;IACzB,OAAO,GAAG,OAAO,CAAC;IAE3B,YAA6B,SAAS,IAAI,SAAS,EAAE;QAAxB,WAAM,GAAN,MAAM,CAAkB;IAAG,CAAC;IAEzD,KAAK,CAAC,OAAO,CAAC,OAAwB;QACpC,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QACpC,MAAM,YAAY,GAAG,MAAM,0BAA0B,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACpE,MAAM,aAAa,GAAqB,EAAE,CAAC;QAC3C,MAAM,QAAQ,GAAyB,EAAE,CAAC;QAE1C,KAAK,MAAM,UAAU,IAAI,YAAY,EAAE,CAAC;YACtC,MAAM,GAAG,GAAG,cAAc,UAAU,CAAC,IAAI,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;YAClE,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,EAAE,GAAG,CAAiB,GAAG,CAAC,CAAC;YAC7D,IAAI,MAAM;gBAAE,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;;gBAClC,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACjC,CAAC;QAED,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAC5E,QAAQ,CAAC,GAAG,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;YAC5B,OAAO,EAAE,EAAE,SAAS,EAAE,KAAc,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,EAAE;YAC7D,OAAO,EAAE,UAAU,CAAC,OAAO;SAC5B,CAAC,CAAC,EACH,OAAO,CAAC,MAAM,CACf,CAAC;QAEF,KAAK,MAAM,MAAM,IAAI,YAAY,EAAE,CAAC;YAClC,MAAM,OAAO,CAAC,KAAK,EAAE,GAAG,CACtB,cAAc,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,EACjE,MAAM,EACN,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CACnB,CAAC;QACJ,CAAC;QAED,MAAM,YAAY,GAAG,CAAC,GAAG,aAAa,EAAE,GAAG,YAAY,CAAC,CAAC;QACzD,MAAM,QAAQ,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE;YAC/C,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAC5C,IAAI,CAAC,IAAI,KAAK,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,KAAK,MAAM,CAAC,KAAK,CAAC,OAAO,CACjF,CAAC;YACF,OAAO,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/G,CAAC,CAAC,CAAC;QAEH,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,EAAE;YACjB,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YACrD,QAAQ;YACR,QAAQ,EAAE;gBACR,mBAAmB,EAAE,YAAY,CAAC,MAAM;gBACxC,eAAe,EAAE,QAAQ,CAAC,MAAM;aACjC;SACF,CAAC;IACJ,CAAC;CACF"}
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
export function mapOsvSeverity(vulnerability) {
|
|
2
|
+
const databaseSeverity = vulnerability.database_specific?.severity;
|
|
3
|
+
if (typeof databaseSeverity === 'string') {
|
|
4
|
+
const normalized = databaseSeverity.toLowerCase();
|
|
5
|
+
if (normalized === 'critical' || normalized === 'high' || normalized === 'medium' || normalized === 'low') {
|
|
6
|
+
return normalized;
|
|
7
|
+
}
|
|
8
|
+
if (normalized === 'moderate')
|
|
9
|
+
return 'medium';
|
|
10
|
+
}
|
|
11
|
+
return 'medium';
|
|
12
|
+
}
|
|
13
|
+
//# sourceMappingURL=severity.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"severity.js","sourceRoot":"","sources":["../../../../src/analyzers/vulnerability/severity.ts"],"names":[],"mappings":"AAGA,MAAM,UAAU,cAAc,CAAC,aAA+B;IAC5D,MAAM,gBAAgB,GAAG,aAAa,CAAC,iBAAiB,EAAE,QAAQ,CAAC;IACnE,IAAI,OAAO,gBAAgB,KAAK,QAAQ,EAAE,CAAC;QACzC,MAAM,UAAU,GAAG,gBAAgB,CAAC,WAAW,EAAE,CAAC;QAClD,IAAI,UAAU,KAAK,UAAU,IAAI,UAAU,KAAK,MAAM,IAAI,UAAU,KAAK,QAAQ,IAAI,UAAU,KAAK,KAAK,EAAE,CAAC;YAC1G,OAAO,UAAU,CAAC;QACpB,CAAC;QACD,IAAI,UAAU,KAAK,UAAU;YAAE,OAAO,QAAQ,CAAC;IACjD,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import type { Analyzer, AnalyzerContext, AnalyzerResult } from '../contracts/analyzer.js';
|
|
2
|
+
export type AnalyzerRunnerOptions = {
|
|
3
|
+
concurrency?: number;
|
|
4
|
+
timeoutMs?: number;
|
|
5
|
+
};
|
|
6
|
+
export declare class AnalyzerRunner {
|
|
7
|
+
private readonly concurrency;
|
|
8
|
+
private readonly timeoutMs;
|
|
9
|
+
constructor(options?: AnalyzerRunnerOptions);
|
|
10
|
+
run(analyzers: Analyzer[], context: AnalyzerContext): Promise<AnalyzerResult[]>;
|
|
11
|
+
private runOne;
|
|
12
|
+
}
|
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
import { performance } from 'node:perf_hooks';
|
|
2
|
+
export class AnalyzerRunner {
|
|
3
|
+
concurrency;
|
|
4
|
+
timeoutMs;
|
|
5
|
+
constructor(options = {}) {
|
|
6
|
+
this.concurrency = Math.max(1, options.concurrency ?? 4);
|
|
7
|
+
this.timeoutMs = Math.max(1_000, options.timeoutMs ?? 30_000);
|
|
8
|
+
}
|
|
9
|
+
async run(analyzers, context) {
|
|
10
|
+
const results = [];
|
|
11
|
+
let cursor = 0;
|
|
12
|
+
const worker = async () => {
|
|
13
|
+
while (cursor < analyzers.length) {
|
|
14
|
+
const analyzer = analyzers[cursor];
|
|
15
|
+
cursor += 1;
|
|
16
|
+
if (!analyzer) {
|
|
17
|
+
return;
|
|
18
|
+
}
|
|
19
|
+
results.push(await this.runOne(analyzer, context));
|
|
20
|
+
}
|
|
21
|
+
};
|
|
22
|
+
await Promise.all(Array.from({ length: Math.min(this.concurrency, analyzers.length) }, () => worker()));
|
|
23
|
+
return results;
|
|
24
|
+
}
|
|
25
|
+
async runOne(analyzer, context) {
|
|
26
|
+
const controller = new AbortController();
|
|
27
|
+
const timeout = setTimeout(() => controller.abort(), this.timeoutMs);
|
|
28
|
+
const startedAt = performance.now();
|
|
29
|
+
try {
|
|
30
|
+
const result = await analyzer.analyze({
|
|
31
|
+
...context,
|
|
32
|
+
signal: controller.signal
|
|
33
|
+
});
|
|
34
|
+
return {
|
|
35
|
+
...result,
|
|
36
|
+
analyzer: analyzer.id,
|
|
37
|
+
durationMs: Math.round(performance.now() - startedAt)
|
|
38
|
+
};
|
|
39
|
+
}
|
|
40
|
+
finally {
|
|
41
|
+
clearTimeout(timeout);
|
|
42
|
+
}
|
|
43
|
+
}
|
|
44
|
+
}
|
|
45
|
+
//# sourceMappingURL=analyzer-runner.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"analyzer-runner.js","sourceRoot":"","sources":["../../../src/application/analyzer-runner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAY9C,MAAM,OAAO,cAAc;IACR,WAAW,CAAS;IACpB,SAAS,CAAS;IAEnC,YAAY,UAAiC,EAAE;QAC7C,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,WAAW,IAAI,CAAC,CAAC,CAAC;QACzD,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC,CAAC;IAChE,CAAC;IAED,KAAK,CAAC,GAAG,CACP,SAAqB,EACrB,OAAwB;QAExB,MAAM,OAAO,GAAqB,EAAE,CAAC;QACrC,IAAI,MAAM,GAAG,CAAC,CAAC;QAEf,MAAM,MAAM,GAAG,KAAK,IAAmB,EAAE;YACvC,OAAO,MAAM,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC;gBACjC,MAAM,QAAQ,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;gBACnC,MAAM,IAAI,CAAC,CAAC;gBAEZ,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACd,OAAO;gBACT,CAAC;gBAED,OAAO,CAAC,IAAI,CACV,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,CACrC,CAAC;YACJ,CAAC;QACH,CAAC,CAAC;QAEF,MAAM,OAAO,CAAC,GAAG,CACf,KAAK,CAAC,IAAI,CACR,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,CAAC,MAAM,CAAC,EAAE,EACxD,GAAG,EAAE,CAAC,MAAM,EAAE,CACf,CACF,CAAC;QAEF,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,KAAK,CAAC,MAAM,CAClB,QAAkB,EAClB,OAAwB;QAExB,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,UAAU,CACxB,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EACxB,IAAI,CAAC,SAAS,CACf,CAAC;QACF,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAEpC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC;gBACpC,GAAG,OAAO;gBACV,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;YAEH,OAAO;gBACL,GAAG,MAAM;gBACT,QAAQ,EAAE,QAAQ,CAAC,EAAE;gBACrB,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;aACtD,CAAC;QACJ,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;CACF"}
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
import { generateAnnouncement } from '../core/announce/generate.js';
|
|
2
|
+
export function registerAnnounceCommand(program) {
|
|
3
|
+
program
|
|
4
|
+
.command('announce')
|
|
5
|
+
.description('Generate a deterministic plain-language security update.')
|
|
6
|
+
.option('--version <version>', 'Release version.')
|
|
7
|
+
.option('--fixed <number>', 'Fixed findings.', '0')
|
|
8
|
+
.option('--added <number>', 'New findings.', '0')
|
|
9
|
+
.option('--removed <number>', 'Removed findings.', '0')
|
|
10
|
+
.option('--score-before <number>', 'Previous score.')
|
|
11
|
+
.option('--score-after <number>', 'Current score.')
|
|
12
|
+
.action((options) => {
|
|
13
|
+
console.log(generateAnnouncement({
|
|
14
|
+
version: options.version,
|
|
15
|
+
fixed: Number(options.fixed ?? 0),
|
|
16
|
+
added: Number(options.added ?? 0),
|
|
17
|
+
removed: Number(options.removed ?? 0),
|
|
18
|
+
scoreBefore: options.scoreBefore === undefined
|
|
19
|
+
? undefined
|
|
20
|
+
: Number(options.scoreBefore),
|
|
21
|
+
scoreAfter: options.scoreAfter === undefined
|
|
22
|
+
? undefined
|
|
23
|
+
: Number(options.scoreAfter)
|
|
24
|
+
}));
|
|
25
|
+
});
|
|
26
|
+
}
|
|
27
|
+
//# sourceMappingURL=announce.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"announce.js","sourceRoot":"","sources":["../../../src/commands/announce.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AAEpE,MAAM,UAAU,uBAAuB,CAAC,OAAgB;IACtD,OAAO;SACJ,OAAO,CAAC,UAAU,CAAC;SACnB,WAAW,CAAC,0DAA0D,CAAC;SACvE,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,CAAC;SACjD,MAAM,CAAC,kBAAkB,EAAE,iBAAiB,EAAE,GAAG,CAAC;SAClD,MAAM,CAAC,kBAAkB,EAAE,eAAe,EAAE,GAAG,CAAC;SAChD,MAAM,CAAC,oBAAoB,EAAE,mBAAmB,EAAE,GAAG,CAAC;SACtD,MAAM,CAAC,yBAAyB,EAAE,iBAAiB,CAAC;SACpD,MAAM,CAAC,wBAAwB,EAAE,gBAAgB,CAAC;SAClD,MAAM,CAAC,CAAC,OAA2C,EAAE,EAAE;QACtD,OAAO,CAAC,GAAG,CACT,oBAAoB,CAAC;YACnB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC,CAAC;YACjC,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC,CAAC;YACjC,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO,IAAI,CAAC,CAAC;YACrC,WAAW,EACT,OAAO,CAAC,WAAW,KAAK,SAAS;gBAC/B,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC;YACjC,UAAU,EACR,OAAO,CAAC,UAAU,KAAK,SAAS;gBAC9B,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC;SACjC,CAAC,CACH,CAAC;IACJ,CAAC,CAAC,CAAC;AACP,CAAC"}
|
|
@@ -0,0 +1,86 @@
|
|
|
1
|
+
import { AnalyzerRunner } from '../application/analyzer-runner.js';
|
|
2
|
+
import { AstSecurityAnalyzer } from '../analyzers/ast/ast-security-analyzer.js';
|
|
3
|
+
const severityOrder = {
|
|
4
|
+
critical: 4,
|
|
5
|
+
high: 3,
|
|
6
|
+
medium: 2,
|
|
7
|
+
low: 1,
|
|
8
|
+
info: 0
|
|
9
|
+
};
|
|
10
|
+
function shouldFail(findings, failOn) {
|
|
11
|
+
if (!failOn || failOn === 'none') {
|
|
12
|
+
return false;
|
|
13
|
+
}
|
|
14
|
+
const threshold = severityOrder[failOn];
|
|
15
|
+
return findings.some((finding) => severityOrder[finding.severity] >= threshold);
|
|
16
|
+
}
|
|
17
|
+
function printFinding(finding) {
|
|
18
|
+
console.log(`[${finding.severity.toUpperCase()}] ${finding.ruleId} ${finding.title}`);
|
|
19
|
+
if (finding.location) {
|
|
20
|
+
console.log(`Location: ${finding.location.file}:` +
|
|
21
|
+
`${finding.location.line ?? 1}:` +
|
|
22
|
+
`${finding.location.column ?? 1}`);
|
|
23
|
+
}
|
|
24
|
+
console.log(`Message: ${finding.message}`);
|
|
25
|
+
if (finding.remediation?.summary) {
|
|
26
|
+
console.log(`Fix: ${finding.remediation.summary}`);
|
|
27
|
+
}
|
|
28
|
+
console.log('');
|
|
29
|
+
}
|
|
30
|
+
export function registerAstScanCommand(program) {
|
|
31
|
+
program
|
|
32
|
+
.command('ast-scan')
|
|
33
|
+
.description('Run TypeScript Compiler API security analysis on JavaScript and TypeScript source files.')
|
|
34
|
+
.option('-p, --path <path>', 'Project path to inspect.', process.cwd())
|
|
35
|
+
.option('--json', 'Print structured JSON output.')
|
|
36
|
+
.option('--fail-on <severity>', 'Exit non-zero at or above: critical, high, medium, low, none.', 'high')
|
|
37
|
+
.action(async (options) => {
|
|
38
|
+
const runner = new AnalyzerRunner({
|
|
39
|
+
concurrency: 1,
|
|
40
|
+
timeoutMs: 60_000
|
|
41
|
+
});
|
|
42
|
+
const [result] = await runner.run([new AstSecurityAnalyzer()], {
|
|
43
|
+
root: options.path
|
|
44
|
+
});
|
|
45
|
+
if (!result) {
|
|
46
|
+
throw new Error('The AST security analyzer returned no result.');
|
|
47
|
+
}
|
|
48
|
+
if (options.json) {
|
|
49
|
+
console.log(JSON.stringify({
|
|
50
|
+
analyzer: result.analyzer,
|
|
51
|
+
durationMs: result.durationMs,
|
|
52
|
+
summary: {
|
|
53
|
+
filesAnalyzed: result.metadata?.filesAnalyzed ?? 0,
|
|
54
|
+
findings: result.findings.length,
|
|
55
|
+
warnings: result.warnings?.length ?? 0
|
|
56
|
+
},
|
|
57
|
+
findings: result.findings,
|
|
58
|
+
warnings: result.warnings ?? []
|
|
59
|
+
}, null, 2));
|
|
60
|
+
}
|
|
61
|
+
else {
|
|
62
|
+
console.log('Toolip AST Security Analysis');
|
|
63
|
+
console.log('');
|
|
64
|
+
console.log(`Files analyzed: ${result.metadata?.filesAnalyzed ?? 0}`);
|
|
65
|
+
console.log(`Findings: ${result.findings.length}`);
|
|
66
|
+
console.log('');
|
|
67
|
+
for (const finding of result.findings) {
|
|
68
|
+
printFinding(finding);
|
|
69
|
+
}
|
|
70
|
+
if (result.findings.length === 0) {
|
|
71
|
+
console.log('No supported dangerous-code patterns were resolved through the AST.');
|
|
72
|
+
}
|
|
73
|
+
if ((result.warnings?.length ?? 0) > 0) {
|
|
74
|
+
console.log('');
|
|
75
|
+
console.log('Warnings');
|
|
76
|
+
for (const warning of result.warnings ?? []) {
|
|
77
|
+
console.log(`- ${warning}`);
|
|
78
|
+
}
|
|
79
|
+
}
|
|
80
|
+
}
|
|
81
|
+
if (shouldFail(result.findings, options.failOn)) {
|
|
82
|
+
process.exitCode = 2;
|
|
83
|
+
}
|
|
84
|
+
});
|
|
85
|
+
}
|
|
86
|
+
//# sourceMappingURL=ast-scan.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ast-scan.js","sourceRoot":"","sources":["../../../src/commands/ast-scan.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,2CAA2C,CAAC;AAShF,MAAM,aAAa,GAAG;IACpB,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;CACC,CAAC;AAEX,SAAS,UAAU,CACjB,QAAmB,EACnB,MAAgC;IAEhC,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACjC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,SAAS,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAExC,OAAO,QAAQ,CAAC,IAAI,CAClB,CAAC,OAAO,EAAE,EAAE,CACV,aAAa,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,SAAS,CAC/C,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,OAAgB;IACpC,OAAO,CAAC,GAAG,CACT,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,KAAK,EAAE,CACzE,CAAC;IAEF,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,OAAO,CAAC,GAAG,CACT,aAAa,OAAO,CAAC,QAAQ,CAAC,IAAI,GAAG;YACrC,GAAG,OAAO,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,GAAG;YAChC,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,IAAI,CAAC,EAAE,CAClC,CAAC;IACJ,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,YAAY,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IAE3C,IAAI,OAAO,CAAC,WAAW,EAAE,OAAO,EAAE,CAAC;QACjC,OAAO,CAAC,GAAG,CACT,QAAQ,OAAO,CAAC,WAAW,CAAC,OAAO,EAAE,CACtC,CAAC;IACJ,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,OAAgB;IAEhB,OAAO;SACJ,OAAO,CAAC,UAAU,CAAC;SACnB,WAAW,CACV,0FAA0F,CAC3F;SACA,MAAM,CACL,mBAAmB,EACnB,0BAA0B,EAC1B,OAAO,CAAC,GAAG,EAAE,CACd;SACA,MAAM,CAAC,QAAQ,EAAE,+BAA+B,CAAC;SACjD,MAAM,CACL,sBAAsB,EACtB,+DAA+D,EAC/D,MAAM,CACP;SACA,MAAM,CAAC,KAAK,EAAE,OAAuB,EAAE,EAAE;QACxC,MAAM,MAAM,GAAG,IAAI,cAAc,CAAC;YAChC,WAAW,EAAE,CAAC;YACd,SAAS,EAAE,MAAM;SAClB,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,GAAG,CAC/B,CAAC,IAAI,mBAAmB,EAAE,CAAC,EAC3B;YACE,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CACF,CAAC;QAEF,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,+CAA+C,CAChD,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,SAAS,CACZ;gBACE,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,OAAO,EAAE;oBACP,aAAa,EACX,MAAM,CAAC,QAAQ,EAAE,aAAa,IAAI,CAAC;oBACrC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM;oBAChC,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,IAAI,CAAC;iBACvC;gBACD,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,EAAE;aAChC,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;YAC5C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAChB,OAAO,CAAC,GAAG,CACT,mBACE,MAAM,CAAC,QAAQ,EAAE,aAAa,IAAI,CACpC,EAAE,CACH,CAAC;YACF,OAAO,CAAC,GAAG,CACT,aAAa,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CACtC,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAEhB,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACtC,YAAY,CAAC,OAAO,CAAC,CAAC;YACxB,CAAC;YAED,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACjC,OAAO,CAAC,GAAG,CACT,qEAAqE,CACtE,CAAC;YACJ,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;gBACvC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;gBAExB,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;oBAC5C,OAAO,CAAC,GAAG,CAAC,KAAK,OAAO,EAAE,CAAC,CAAC;gBAC9B,CAAC;YACH,CAAC;QACH,CAAC;QAED,IACE,UAAU,CACR,MAAM,CAAC,QAAQ,EACf,OAAO,CAAC,MAAM,CACf,EACD,CAAC;YACD,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
import { auditRemoteRepository } from '../core/github/remote-audit.js';
|
|
2
|
+
export function registerAuditRepoCommand(program) {
|
|
3
|
+
program
|
|
4
|
+
.command('audit-repo <url>')
|
|
5
|
+
.description('Audit a public GitHub repository through the authenticated gh CLI.')
|
|
6
|
+
.option('--json', 'Print JSON.')
|
|
7
|
+
.action(async (url, options) => {
|
|
8
|
+
const result = await auditRemoteRepository(url);
|
|
9
|
+
if (options.json) {
|
|
10
|
+
console.log(JSON.stringify(result, null, 2));
|
|
11
|
+
return;
|
|
12
|
+
}
|
|
13
|
+
console.log('Toolip Remote Repository Audit');
|
|
14
|
+
console.log('');
|
|
15
|
+
console.log(`Repository: ${result.repository}`);
|
|
16
|
+
console.log(`Findings: ${result.report.findings.length}`);
|
|
17
|
+
console.log(`Critical: ${result.report.summary.secrets}`);
|
|
18
|
+
});
|
|
19
|
+
}
|
|
20
|
+
//# sourceMappingURL=audit-repo.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"audit-repo.js","sourceRoot":"","sources":["../../../src/commands/audit-repo.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AAEvE,MAAM,UAAU,wBAAwB,CAAC,OAAgB;IACvD,OAAO;SACJ,OAAO,CAAC,kBAAkB,CAAC;SAC3B,WAAW,CAAC,oEAAoE,CAAC;SACjF,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC;SAC/B,MAAM,CAAC,KAAK,EAAE,GAAW,EAAE,OAA2B,EAAE,EAAE;QACzD,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,GAAG,CAAC,CAAC;QAEhD,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YAC7C,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;QAChD,OAAO,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;AACP,CAAC"}
|
|
@@ -0,0 +1,69 @@
|
|
|
1
|
+
import { access, writeFile } from 'node:fs/promises';
|
|
2
|
+
import path from 'node:path';
|
|
3
|
+
import { loadToolipConfig, TOOLIP_CONFIG_FILE } from '../core/config/load.js';
|
|
4
|
+
async function exists(filePath) {
|
|
5
|
+
try {
|
|
6
|
+
await access(filePath);
|
|
7
|
+
return true;
|
|
8
|
+
}
|
|
9
|
+
catch {
|
|
10
|
+
return false;
|
|
11
|
+
}
|
|
12
|
+
}
|
|
13
|
+
export function registerConfigCommand(program) {
|
|
14
|
+
const command = program
|
|
15
|
+
.command('config')
|
|
16
|
+
.description('Initialize and validate Toolip project configuration.');
|
|
17
|
+
command
|
|
18
|
+
.command('init')
|
|
19
|
+
.option('-p, --path <path>', 'Project path.', process.cwd())
|
|
20
|
+
.option('--force', 'Replace an existing configuration.')
|
|
21
|
+
.action(async (options) => {
|
|
22
|
+
const filePath = path.join(options.path, TOOLIP_CONFIG_FILE);
|
|
23
|
+
if (!options.force &&
|
|
24
|
+
await exists(filePath)) {
|
|
25
|
+
throw new Error(`${TOOLIP_CONFIG_FILE} already exists.`);
|
|
26
|
+
}
|
|
27
|
+
const config = {
|
|
28
|
+
schemaVersion: '1.0',
|
|
29
|
+
include: [],
|
|
30
|
+
exclude: [
|
|
31
|
+
'dist/**',
|
|
32
|
+
'coverage/**'
|
|
33
|
+
],
|
|
34
|
+
rules: {},
|
|
35
|
+
suppressions: [],
|
|
36
|
+
history: {
|
|
37
|
+
enabled: true,
|
|
38
|
+
maxEntries: 500
|
|
39
|
+
},
|
|
40
|
+
providers: {
|
|
41
|
+
osv: {
|
|
42
|
+
enabled: true,
|
|
43
|
+
timeoutMs: 20000
|
|
44
|
+
},
|
|
45
|
+
depsDev: {
|
|
46
|
+
enabled: true,
|
|
47
|
+
timeoutMs: 20000
|
|
48
|
+
}
|
|
49
|
+
}
|
|
50
|
+
};
|
|
51
|
+
await writeFile(filePath, `${JSON.stringify(config, null, 2)}\n`, 'utf8');
|
|
52
|
+
console.log(`Created ${filePath}`);
|
|
53
|
+
});
|
|
54
|
+
command
|
|
55
|
+
.command('validate')
|
|
56
|
+
.option('-p, --path <path>', 'Project path.', process.cwd())
|
|
57
|
+
.action(async (options) => {
|
|
58
|
+
await loadToolipConfig(options.path);
|
|
59
|
+
console.log('Toolip configuration is valid.');
|
|
60
|
+
});
|
|
61
|
+
command
|
|
62
|
+
.command('show')
|
|
63
|
+
.option('-p, --path <path>', 'Project path.', process.cwd())
|
|
64
|
+
.action(async (options) => {
|
|
65
|
+
const config = await loadToolipConfig(options.path);
|
|
66
|
+
console.log(JSON.stringify(config, null, 2));
|
|
67
|
+
});
|
|
68
|
+
}
|
|
69
|
+
//# sourceMappingURL=config.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"config.js","sourceRoot":"","sources":["../../../src/commands/config.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,MAAM,EACN,SAAS,EACV,MAAM,kBAAkB,CAAC;AAC1B,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EACnB,MAAM,wBAAwB,CAAC;AAEhC,KAAK,UAAU,MAAM,CACnB,QAAgB;IAEhB,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,OAAgB;IAEhB,MAAM,OAAO,GAAG,OAAO;SACpB,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CACV,uDAAuD,CACxD,CAAC;IAEJ,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,MAAM,CACL,mBAAmB,EACnB,eAAe,EACf,OAAO,CAAC,GAAG,EAAE,CACd;SACA,MAAM,CACL,SAAS,EACT,oCAAoC,CACrC;SACA,MAAM,CACL,KAAK,EACH,OAGC,EACD,EAAE;QACF,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CACxB,OAAO,CAAC,IAAI,EACZ,kBAAkB,CACnB,CAAC;QAEF,IACE,CAAC,OAAO,CAAC,KAAK;YACd,MAAM,MAAM,CAAC,QAAQ,CAAC,EACtB,CAAC;YACD,MAAM,IAAI,KAAK,CACb,GAAG,kBAAkB,kBAAkB,CACxC,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG;YACb,aAAa,EAAE,KAAK;YACpB,OAAO,EAAE,EAAE;YACX,OAAO,EAAE;gBACP,SAAS;gBACT,aAAa;aACd;YACD,KAAK,EAAE,EAAE;YACT,YAAY,EAAE,EAAE;YAChB,OAAO,EAAE;gBACP,OAAO,EAAE,IAAI;gBACb,UAAU,EAAE,GAAG;aAChB;YACD,SAAS,EAAE;gBACT,GAAG,EAAE;oBACH,OAAO,EAAE,IAAI;oBACb,SAAS,EAAE,KAAK;iBACjB;gBACD,OAAO,EAAE;oBACP,OAAO,EAAE,IAAI;oBACb,SAAS,EAAE,KAAK;iBACjB;aACF;SACF,CAAC;QAEF,MAAM,SAAS,CACb,QAAQ,EACR,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EACtC,MAAM,CACP,CAAC;QAEF,OAAO,CAAC,GAAG,CACT,WAAW,QAAQ,EAAE,CACtB,CAAC;IACJ,CAAC,CACF,CAAC;IAEJ,OAAO;SACJ,OAAO,CAAC,UAAU,CAAC;SACnB,MAAM,CACL,mBAAmB,EACnB,eAAe,EACf,OAAO,CAAC,GAAG,EAAE,CACd;SACA,MAAM,CAAC,KAAK,EAAE,OAAyB,EAAE,EAAE;QAC1C,MAAM,gBAAgB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CACT,gCAAgC,CACjC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,MAAM,CACL,mBAAmB,EACnB,eAAe,EACf,OAAO,CAAC,GAAG,EAAE,CACd;SACA,MAAM,CAAC,KAAK,EAAE,OAAyB,EAAE,EAAE;QAC1C,MAAM,MAAM,GACV,MAAM,gBAAgB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAEvC,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAChC,CAAC;IACJ,CAAC,CAAC,CAAC;AACP,CAAC"}
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
import { AnalyzerRunner } from '../application/analyzer-runner.js';
|
|
2
|
+
import { DependencyConfusionAnalyzer } from '../analyzers/dependency-confusion/analyzer.js';
|
|
3
|
+
export function registerDependencyConfusionCommand(program) {
|
|
4
|
+
program
|
|
5
|
+
.command('dependency-confusion')
|
|
6
|
+
.description('Check internal-looking dependency names against the public npm registry.')
|
|
7
|
+
.option('-p, --path <path>', 'Project path.', process.cwd())
|
|
8
|
+
.option('--json', 'Print JSON.')
|
|
9
|
+
.action(async (options) => {
|
|
10
|
+
const [result] = await new AnalyzerRunner({
|
|
11
|
+
concurrency: 1,
|
|
12
|
+
timeoutMs: 60_000
|
|
13
|
+
}).run([
|
|
14
|
+
new DependencyConfusionAnalyzer()
|
|
15
|
+
], {
|
|
16
|
+
root: options.path
|
|
17
|
+
});
|
|
18
|
+
if (!result) {
|
|
19
|
+
throw new Error('Dependency-confusion analyzer returned no result.');
|
|
20
|
+
}
|
|
21
|
+
if (options.json) {
|
|
22
|
+
console.log(JSON.stringify(result, null, 2));
|
|
23
|
+
return;
|
|
24
|
+
}
|
|
25
|
+
console.log('Toolip Dependency Confusion Audit');
|
|
26
|
+
console.log('');
|
|
27
|
+
console.log(`Candidates: ${result.metadata?.candidates ?? 0}`);
|
|
28
|
+
console.log(`Public collisions: ${result.findings.length}`);
|
|
29
|
+
console.log('');
|
|
30
|
+
for (const finding of result.findings) {
|
|
31
|
+
console.log(`[${finding.severity.toUpperCase()}] ${finding.title}`);
|
|
32
|
+
console.log(finding.message);
|
|
33
|
+
console.log('');
|
|
34
|
+
}
|
|
35
|
+
});
|
|
36
|
+
}
|
|
37
|
+
//# sourceMappingURL=dependency-confusion.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"dependency-confusion.js","sourceRoot":"","sources":["../../../src/commands/dependency-confusion.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAC;AACnE,OAAO,EAAE,2BAA2B,EAAE,MAAM,+CAA+C,CAAC;AAE5F,MAAM,UAAU,kCAAkC,CAChD,OAAgB;IAEhB,OAAO;SACJ,OAAO,CAAC,sBAAsB,CAAC;SAC/B,WAAW,CACV,0EAA0E,CAC3E;SACA,MAAM,CACL,mBAAmB,EACnB,eAAe,EACf,OAAO,CAAC,GAAG,EAAE,CACd;SACA,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC;SAC/B,MAAM,CACL,KAAK,EACH,OAGC,EACD,EAAE;QACF,MAAM,CAAC,MAAM,CAAC,GACZ,MAAM,IAAI,cAAc,CAAC;YACvB,WAAW,EAAE,CAAC;YACd,SAAS,EAAE,MAAM;SAClB,CAAC,CAAC,GAAG,CACJ;YACE,IAAI,2BAA2B,EAAE;SAClC,EACD;YACE,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CACF,CAAC;QAEJ,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,mDAAmD,CACpD,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAChC,CAAC;YACF,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CACT,mCAAmC,CACpC,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CACT,eACE,MAAM,CAAC,QAAQ,EAAE,UAAU,IAAI,CACjC,EAAE,CACH,CAAC;QACF,OAAO,CAAC,GAAG,CACT,sBAAsB,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAC/C,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEhB,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACtC,OAAO,CAAC,GAAG,CACT,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,KAAK,EAAE,CACvD,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YAC7B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CACF,CAAC;AACN,CAAC"}
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
import { securityDiff } from '../core/diff/security-diff.js';
|
|
2
|
+
export function registerDiffCommand(program) {
|
|
3
|
+
program
|
|
4
|
+
.command('diff <base> [head]')
|
|
5
|
+
.description('Summarize security-relevant changes between Git revisions.')
|
|
6
|
+
.option('-p, --path <path>', 'Repository path.', process.cwd())
|
|
7
|
+
.option('--json', 'Print JSON.')
|
|
8
|
+
.action(async (base, head, options) => {
|
|
9
|
+
const result = await securityDiff(options.path, base, head ?? 'HEAD');
|
|
10
|
+
if (options.json) {
|
|
11
|
+
console.log(JSON.stringify(result, null, 2));
|
|
12
|
+
return;
|
|
13
|
+
}
|
|
14
|
+
console.log('Toolip Security Diff');
|
|
15
|
+
console.log('');
|
|
16
|
+
console.log(`Range: ${result.base}..${result.head}`);
|
|
17
|
+
console.log(`Changed files: ${result.files.length}`);
|
|
18
|
+
console.log(`Manifest changed: ${result.packageManifestChanged}`);
|
|
19
|
+
console.log(`Lockfile changed: ${result.lockfileChanged}`);
|
|
20
|
+
console.log(`Dockerfiles changed: ${result.dockerfilesChanged.length}`);
|
|
21
|
+
console.log(`Source files changed: ${result.sourceFilesChanged.length}`);
|
|
22
|
+
});
|
|
23
|
+
}
|
|
24
|
+
//# sourceMappingURL=diff.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"diff.js","sourceRoot":"","sources":["../../../src/commands/diff.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAE7D,MAAM,UAAU,mBAAmB,CAAC,OAAgB;IAClD,OAAO;SACJ,OAAO,CAAC,oBAAoB,CAAC;SAC7B,WAAW,CAAC,4DAA4D,CAAC;SACzE,MAAM,CAAC,mBAAmB,EAAE,kBAAkB,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;SAC9D,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC;SAC/B,MAAM,CAAC,KAAK,EACX,IAAY,EACZ,IAAwB,EACxB,OAAyC,EACzC,EAAE;QACF,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,IAAI,MAAM,CAAC,CAAC;QAEtE,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YAC7C,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,UAAU,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,kBAAkB,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,qBAAqB,MAAM,CAAC,sBAAsB,EAAE,CAAC,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,qBAAqB,MAAM,CAAC,eAAe,EAAE,CAAC,CAAC;QAC3D,OAAO,CAAC,GAAG,CAAC,wBAAwB,MAAM,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC,CAAC;QACxE,OAAO,CAAC,GAAG,CAAC,yBAAyB,MAAM,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;AACP,CAAC"}
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
import { AnalyzerRunner } from '../application/analyzer-runner.js';
|
|
2
|
+
import { DockerfileAnalyzer } from '../analyzers/docker/analyzer.js';
|
|
3
|
+
export function registerDockerScanCommand(program) {
|
|
4
|
+
program
|
|
5
|
+
.command('docker-scan')
|
|
6
|
+
.description('Scan Dockerfiles for risky container build patterns.')
|
|
7
|
+
.option('-p, --path <path>', 'Project path.', process.cwd())
|
|
8
|
+
.option('--json', 'Print JSON.')
|
|
9
|
+
.action(async (options) => {
|
|
10
|
+
const [result] = await new AnalyzerRunner({
|
|
11
|
+
concurrency: 1,
|
|
12
|
+
timeoutMs: 60_000
|
|
13
|
+
}).run([new DockerfileAnalyzer()], {
|
|
14
|
+
root: options.path
|
|
15
|
+
});
|
|
16
|
+
if (!result)
|
|
17
|
+
throw new Error('Docker analyzer returned no result.');
|
|
18
|
+
if (options.json) {
|
|
19
|
+
console.log(JSON.stringify(result, null, 2));
|
|
20
|
+
return;
|
|
21
|
+
}
|
|
22
|
+
console.log('Toolip Dockerfile Security');
|
|
23
|
+
console.log('');
|
|
24
|
+
console.log(`Dockerfiles: ${result.metadata?.dockerfiles ?? 0}`);
|
|
25
|
+
console.log(`Findings: ${result.findings.length}`);
|
|
26
|
+
console.log('');
|
|
27
|
+
for (const finding of result.findings) {
|
|
28
|
+
console.log(`[${finding.severity.toUpperCase()}] ${finding.title}`);
|
|
29
|
+
console.log(`${finding.location?.file}:${finding.location?.line}`);
|
|
30
|
+
console.log('');
|
|
31
|
+
}
|
|
32
|
+
});
|
|
33
|
+
}
|
|
34
|
+
//# sourceMappingURL=docker-scan.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"docker-scan.js","sourceRoot":"","sources":["../../../src/commands/docker-scan.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAC;AACnE,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AAErE,MAAM,UAAU,yBAAyB,CAAC,OAAgB;IACxD,OAAO;SACJ,OAAO,CAAC,aAAa,CAAC;SACtB,WAAW,CAAC,sDAAsD,CAAC;SACnE,MAAM,CAAC,mBAAmB,EAAE,eAAe,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;SAC3D,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC;SAC/B,MAAM,CAAC,KAAK,EAAE,OAAyC,EAAE,EAAE;QAC1D,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,cAAc,CAAC;YACxC,WAAW,EAAE,CAAC;YACd,SAAS,EAAE,MAAM;SAClB,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,kBAAkB,EAAE,CAAC,EAAE;YACjC,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QAEpE,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YAC7C,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,gBAAgB,MAAM,CAAC,QAAQ,EAAE,WAAW,IAAI,CAAC,EAAE,CAAC,CAAC;QACjE,OAAO,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACnD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEhB,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;YACpE,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,QAAQ,EAAE,IAAI,IAAI,OAAO,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;YACnE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
import { AnalyzerRunner } from '../application/analyzer-runner.js';
|
|
2
|
+
import { GitHistorySecretAnalyzer } from '../analyzers/git-history/analyzer.js';
|
|
3
|
+
export function registerGitHistoryCommand(program) {
|
|
4
|
+
program
|
|
5
|
+
.command('git-history')
|
|
6
|
+
.description('Scan added lines across Git commit history for secret-like values.')
|
|
7
|
+
.option('-p, --path <path>', 'Repository path.', process.cwd())
|
|
8
|
+
.option('--max-commits <number>', 'Maximum commits to scan.', '1000')
|
|
9
|
+
.option('--json', 'Print JSON.')
|
|
10
|
+
.action(async (options) => {
|
|
11
|
+
const maxCommits = Math.max(1, Number.parseInt(options.maxCommits, 10) || 1000);
|
|
12
|
+
const [result] = await new AnalyzerRunner({
|
|
13
|
+
concurrency: 1,
|
|
14
|
+
timeoutMs: 120_000
|
|
15
|
+
}).run([
|
|
16
|
+
new GitHistorySecretAnalyzer(maxCommits)
|
|
17
|
+
], {
|
|
18
|
+
root: options.path
|
|
19
|
+
});
|
|
20
|
+
if (!result) {
|
|
21
|
+
throw new Error('Git-history analyzer returned no result.');
|
|
22
|
+
}
|
|
23
|
+
if (options.json) {
|
|
24
|
+
console.log(JSON.stringify(result, null, 2));
|
|
25
|
+
return;
|
|
26
|
+
}
|
|
27
|
+
console.log('Toolip Git History Secret Audit');
|
|
28
|
+
console.log('');
|
|
29
|
+
console.log(`Commits scanned: ${result.metadata?.commitsScanned ?? 0}`);
|
|
30
|
+
console.log(`Findings: ${result.findings.length}`);
|
|
31
|
+
console.log('');
|
|
32
|
+
for (const finding of result.findings) {
|
|
33
|
+
console.log(`[${finding.severity.toUpperCase()}] ${finding.title}`);
|
|
34
|
+
console.log(`Commit: ${finding.metadata?.commit}`);
|
|
35
|
+
console.log(`Evidence: ${finding.evidence?.[0]?.summary}`);
|
|
36
|
+
console.log('');
|
|
37
|
+
}
|
|
38
|
+
});
|
|
39
|
+
}
|
|
40
|
+
//# sourceMappingURL=git-history.js.map
|