toolip 1.0.7 → 2.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +189 -448
- package/dist/src/analyzers/ast/ast-security-analyzer.d.ts +6 -0
- package/dist/src/analyzers/ast/ast-security-analyzer.js +64 -0
- package/dist/src/analyzers/ast/ast-security-analyzer.js.map +1 -0
- package/dist/src/analyzers/ast/rules.d.ts +48 -0
- package/dist/src/analyzers/ast/rules.js +39 -0
- package/dist/src/analyzers/ast/rules.js.map +1 -0
- package/dist/src/analyzers/ast/source-analysis.d.ts +2 -0
- package/dist/src/analyzers/ast/source-analysis.js +225 -0
- package/dist/src/analyzers/ast/source-analysis.js.map +1 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.d.ts +9 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.js +98 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.js.map +1 -0
- package/dist/src/analyzers/docker/analyzer.d.ts +6 -0
- package/dist/src/analyzers/docker/analyzer.js +103 -0
- package/dist/src/analyzers/docker/analyzer.js.map +1 -0
- package/dist/src/analyzers/git-history/analyzer.d.ts +8 -0
- package/dist/src/analyzers/git-history/analyzer.js +202 -0
- package/dist/src/analyzers/git-history/analyzer.js.map +1 -0
- package/dist/src/analyzers/git-history/secret-patterns.d.ts +7 -0
- package/dist/src/analyzers/git-history/secret-patterns.js +33 -0
- package/dist/src/analyzers/git-history/secret-patterns.js.map +1 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.d.ts +6 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.js +135 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.js.map +1 -0
- package/dist/src/analyzers/reachability/import-graph.d.ts +9 -0
- package/dist/src/analyzers/reachability/import-graph.js +110 -0
- package/dist/src/analyzers/reachability/import-graph.js.map +1 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.d.ts +16 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.js +95 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.js.map +1 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.d.ts +9 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.js +94 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.js.map +1 -0
- package/dist/src/analyzers/vulnerability/severity.d.ts +3 -0
- package/dist/src/analyzers/vulnerability/severity.js +13 -0
- package/dist/src/analyzers/vulnerability/severity.js.map +1 -0
- package/dist/src/application/analyzer-runner.d.ts +12 -0
- package/dist/src/application/analyzer-runner.js +45 -0
- package/dist/src/application/analyzer-runner.js.map +1 -0
- package/dist/src/commands/announce.d.ts +2 -0
- package/dist/src/commands/announce.js +27 -0
- package/dist/src/commands/announce.js.map +1 -0
- package/dist/src/commands/ast-scan.d.ts +2 -0
- package/dist/src/commands/ast-scan.js +86 -0
- package/dist/src/commands/ast-scan.js.map +1 -0
- package/dist/src/commands/audit-repo.d.ts +2 -0
- package/dist/src/commands/audit-repo.js +20 -0
- package/dist/src/commands/audit-repo.js.map +1 -0
- package/dist/src/commands/config.d.ts +2 -0
- package/dist/src/commands/config.js +69 -0
- package/dist/src/commands/config.js.map +1 -0
- package/dist/src/commands/dependency-confusion.d.ts +2 -0
- package/dist/src/commands/dependency-confusion.js +37 -0
- package/dist/src/commands/dependency-confusion.js.map +1 -0
- package/dist/src/commands/diff.d.ts +2 -0
- package/dist/src/commands/diff.js +24 -0
- package/dist/src/commands/diff.js.map +1 -0
- package/dist/src/commands/docker-scan.d.ts +2 -0
- package/dist/src/commands/docker-scan.js +34 -0
- package/dist/src/commands/docker-scan.js.map +1 -0
- package/dist/src/commands/git-history.d.ts +2 -0
- package/dist/src/commands/git-history.js +40 -0
- package/dist/src/commands/git-history.js.map +1 -0
- package/dist/src/commands/history.d.ts +2 -0
- package/dist/src/commands/history.js +69 -0
- package/dist/src/commands/history.js.map +1 -0
- package/dist/src/commands/install-scripts.d.ts +2 -0
- package/dist/src/commands/install-scripts.js +52 -0
- package/dist/src/commands/install-scripts.js.map +1 -0
- package/dist/src/commands/mcp.d.ts +2 -0
- package/dist/src/commands/mcp.js +10 -0
- package/dist/src/commands/mcp.js.map +1 -0
- package/dist/src/commands/monorepo.d.ts +2 -0
- package/dist/src/commands/monorepo.js +21 -0
- package/dist/src/commands/monorepo.js.map +1 -0
- package/dist/src/commands/package-health.d.ts +2 -0
- package/dist/src/commands/package-health.js +50 -0
- package/dist/src/commands/package-health.js.map +1 -0
- package/dist/src/commands/publish.d.ts +2 -0
- package/dist/src/commands/publish.js +25 -0
- package/dist/src/commands/publish.js.map +1 -0
- package/dist/src/commands/reachability.d.ts +2 -0
- package/dist/src/commands/reachability.js +47 -0
- package/dist/src/commands/reachability.js.map +1 -0
- package/dist/src/commands/sbom.d.ts +2 -0
- package/dist/src/commands/sbom.js +33 -0
- package/dist/src/commands/sbom.js.map +1 -0
- package/dist/src/commands/upgrade-pr.d.ts +2 -0
- package/dist/src/commands/upgrade-pr.js +15 -0
- package/dist/src/commands/upgrade-pr.js.map +1 -0
- package/dist/src/commands/vulnerabilities.d.ts +2 -0
- package/dist/src/commands/vulnerabilities.js +42 -0
- package/dist/src/commands/vulnerabilities.js.map +1 -0
- package/dist/src/commands/watch.d.ts +2 -0
- package/dist/src/commands/watch.js +34 -0
- package/dist/src/commands/watch.js.map +1 -0
- package/dist/src/contracts/analyzer.d.ts +23 -0
- package/dist/src/contracts/analyzer.js +2 -0
- package/dist/src/contracts/analyzer.js.map +1 -0
- package/dist/src/contracts/finding.d.ts +35 -0
- package/dist/src/contracts/finding.js +13 -0
- package/dist/src/contracts/finding.js.map +1 -0
- package/dist/src/contracts/report.d.ts +30 -0
- package/dist/src/contracts/report.js +2 -0
- package/dist/src/contracts/report.js.map +1 -0
- package/dist/src/contracts/rule.d.ts +12 -0
- package/dist/src/contracts/rule.js +7 -0
- package/dist/src/contracts/rule.js.map +1 -0
- package/dist/src/core/announce/generate.d.ts +9 -0
- package/dist/src/core/announce/generate.js +19 -0
- package/dist/src/core/announce/generate.js.map +1 -0
- package/dist/src/core/config/load.d.ts +3 -0
- package/dist/src/core/config/load.js +21 -0
- package/dist/src/core/config/load.js.map +1 -0
- package/dist/src/core/config/policy.d.ts +3 -0
- package/dist/src/core/config/policy.js +48 -0
- package/dist/src/core/config/policy.js.map +1 -0
- package/dist/src/core/config/schema.d.ts +172 -0
- package/dist/src/core/config/schema.js +84 -0
- package/dist/src/core/config/schema.js.map +1 -0
- package/dist/src/core/dependencies/inventory.d.ts +9 -0
- package/dist/src/core/dependencies/inventory.js +43 -0
- package/dist/src/core/dependencies/inventory.js.map +1 -0
- package/dist/src/core/diff/security-diff.d.ts +10 -0
- package/dist/src/core/diff/security-diff.js +20 -0
- package/dist/src/core/diff/security-diff.js.map +1 -0
- package/dist/src/core/github/remote-audit.d.ts +5 -0
- package/dist/src/core/github/remote-audit.js +28 -0
- package/dist/src/core/github/remote-audit.js.map +1 -0
- package/dist/src/core/github/upgrade-pr.d.ts +4 -0
- package/dist/src/core/github/upgrade-pr.js +41 -0
- package/dist/src/core/github/upgrade-pr.js.map +1 -0
- package/dist/src/core/history/git-metadata.d.ts +5 -0
- package/dist/src/core/history/git-metadata.js +37 -0
- package/dist/src/core/history/git-metadata.js.map +1 -0
- package/dist/src/core/history/store.d.ts +5 -0
- package/dist/src/core/history/store.js +65 -0
- package/dist/src/core/history/store.js.map +1 -0
- package/dist/src/core/history/types.d.ts +27 -0
- package/dist/src/core/history/types.js +2 -0
- package/dist/src/core/history/types.js.map +1 -0
- package/dist/src/core/monorepo/discover.d.ts +7 -0
- package/dist/src/core/monorepo/discover.js +49 -0
- package/dist/src/core/monorepo/discover.js.map +1 -0
- package/dist/src/core/publish/html.d.ts +6 -0
- package/dist/src/core/publish/html.js +44 -0
- package/dist/src/core/publish/html.js.map +1 -0
- package/dist/src/core/sbom/generate.d.ts +2 -0
- package/dist/src/core/sbom/generate.js +120 -0
- package/dist/src/core/sbom/generate.js.map +1 -0
- package/dist/src/core/security-doctor.js +19 -5
- package/dist/src/core/security-doctor.js.map +1 -1
- package/dist/src/core/watch/watch.d.ts +5 -0
- package/dist/src/core/watch/watch.js +49 -0
- package/dist/src/core/watch/watch.js.map +1 -0
- package/dist/src/index.js +38 -0
- package/dist/src/index.js.map +1 -1
- package/dist/src/mcp/server.d.ts +1 -0
- package/dist/src/mcp/server.js +64 -0
- package/dist/src/mcp/server.js.map +1 -0
- package/dist/src/providers/depsdev/client.d.ts +71 -0
- package/dist/src/providers/depsdev/client.js +44 -0
- package/dist/src/providers/depsdev/client.js.map +1 -0
- package/dist/src/providers/osv/client.d.ts +15 -0
- package/dist/src/providers/osv/client.js +51 -0
- package/dist/src/providers/osv/client.js.map +1 -0
- package/dist/src/providers/osv/types.d.ts +38 -0
- package/dist/src/providers/osv/types.js +2 -0
- package/dist/src/providers/osv/types.js.map +1 -0
- package/dist/src/storage/memory-cache.d.ts +7 -0
- package/dist/src/storage/memory-cache.js +25 -0
- package/dist/src/storage/memory-cache.js.map +1 -0
- package/package.json +5 -3
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"git-history.js","sourceRoot":"","sources":["../../../src/commands/git-history.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAC;AACnE,OAAO,EAAE,wBAAwB,EAAE,MAAM,sCAAsC,CAAC;AAEhF,MAAM,UAAU,yBAAyB,CACvC,OAAgB;IAEhB,OAAO;SACJ,OAAO,CAAC,aAAa,CAAC;SACtB,WAAW,CACV,oEAAoE,CACrE;SACA,MAAM,CACL,mBAAmB,EACnB,kBAAkB,EAClB,OAAO,CAAC,GAAG,EAAE,CACd;SACA,MAAM,CACL,wBAAwB,EACxB,0BAA0B,EAC1B,MAAM,CACP;SACA,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC;SAC/B,MAAM,CACL,KAAK,EACH,OAIC,EACD,EAAE;QACF,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CACzB,CAAC,EACD,MAAM,CAAC,QAAQ,CACb,OAAO,CAAC,UAAU,EAClB,EAAE,CACH,IAAI,IAAI,CACV,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,GACZ,MAAM,IAAI,cAAc,CAAC;YACvB,WAAW,EAAE,CAAC;YACd,SAAS,EAAE,OAAO;SACnB,CAAC,CAAC,GAAG,CACJ;YACE,IAAI,wBAAwB,CAC1B,UAAU,CACX;SACF,EACD;YACE,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CACF,CAAC;QAEJ,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,0CAA0C,CAC3C,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAChC,CAAC;YACF,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CACT,iCAAiC,CAClC,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CACT,oBACE,MAAM,CAAC,QAAQ,EAAE,cAAc,IAAI,CACrC,EAAE,CACH,CAAC;QACF,OAAO,CAAC,GAAG,CACT,aAAa,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CACtC,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEhB,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACtC,OAAO,CAAC,GAAG,CACT,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,KAAK,EAAE,CACvD,CAAC;YACF,OAAO,CAAC,GAAG,CACT,WACE,OAAO,CAAC,QAAQ,EAAE,MACpB,EAAE,CACH,CAAC;YACF,OAAO,CAAC,GAAG,CACT,aACE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,OACzB,EAAE,CACH,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CACF,CAAC;AACN,CAAC"}
|
|
@@ -0,0 +1,69 @@
|
|
|
1
|
+
import { clearHistory, readHistory } from '../core/history/store.js';
|
|
2
|
+
export function registerHistoryCommand(program) {
|
|
3
|
+
const command = program
|
|
4
|
+
.command('history')
|
|
5
|
+
.description('Inspect locally stored Toolip scan history.');
|
|
6
|
+
command
|
|
7
|
+
.command('list')
|
|
8
|
+
.option('-p, --path <path>', 'Project path.', process.cwd())
|
|
9
|
+
.option('-l, --limit <number>', 'Maximum entries.', '20')
|
|
10
|
+
.option('--json', 'Print JSON.')
|
|
11
|
+
.action(async (options) => {
|
|
12
|
+
const history = await readHistory(options.path);
|
|
13
|
+
const limit = Math.max(1, Number.parseInt(options.limit, 10) || 20);
|
|
14
|
+
const entries = history.entries.slice(-limit);
|
|
15
|
+
if (options.json) {
|
|
16
|
+
console.log(JSON.stringify({
|
|
17
|
+
schemaVersion: history.schemaVersion,
|
|
18
|
+
entries
|
|
19
|
+
}, null, 2));
|
|
20
|
+
return;
|
|
21
|
+
}
|
|
22
|
+
console.log('Toolip History');
|
|
23
|
+
console.log('');
|
|
24
|
+
if (entries.length === 0) {
|
|
25
|
+
console.log('No historical scan entries are available.');
|
|
26
|
+
return;
|
|
27
|
+
}
|
|
28
|
+
for (const entry of entries.reverse()) {
|
|
29
|
+
console.log(`${entry.createdAt} ${entry.command} ` +
|
|
30
|
+
`score=${entry.score ?? 'n/a'} ` +
|
|
31
|
+
`findings=${entry.summary.total}`);
|
|
32
|
+
if (entry.git?.branch ||
|
|
33
|
+
entry.git?.commit) {
|
|
34
|
+
console.log(` ${entry.git.branch ?? 'detached'} ` +
|
|
35
|
+
`${entry.git.commit?.slice(0, 12) ?? ''}`);
|
|
36
|
+
}
|
|
37
|
+
}
|
|
38
|
+
});
|
|
39
|
+
command
|
|
40
|
+
.command('trend')
|
|
41
|
+
.option('-p, --path <path>', 'Project path.', process.cwd())
|
|
42
|
+
.option('-l, --limit <number>', 'Maximum entries.', '10')
|
|
43
|
+
.action(async (options) => {
|
|
44
|
+
const history = await readHistory(options.path);
|
|
45
|
+
const limit = Math.max(2, Number.parseInt(options.limit, 10) || 10);
|
|
46
|
+
const entries = history.entries
|
|
47
|
+
.filter((entry) => entry.score !== undefined)
|
|
48
|
+
.slice(-limit);
|
|
49
|
+
console.log('Toolip Security Trend');
|
|
50
|
+
console.log('');
|
|
51
|
+
if (entries.length < 2) {
|
|
52
|
+
console.log('At least two scored history entries are required.');
|
|
53
|
+
return;
|
|
54
|
+
}
|
|
55
|
+
const first = entries[0];
|
|
56
|
+
const last = entries[entries.length - 1];
|
|
57
|
+
console.log(`Score: ${first?.score} → ${last?.score}`);
|
|
58
|
+
console.log(`Change: ${(last?.score ?? 0) - (first?.score ?? 0)}`);
|
|
59
|
+
console.log(`Findings: ${first?.summary.total} → ${last?.summary.total}`);
|
|
60
|
+
});
|
|
61
|
+
command
|
|
62
|
+
.command('clear')
|
|
63
|
+
.option('-p, --path <path>', 'Project path.', process.cwd())
|
|
64
|
+
.action(async (options) => {
|
|
65
|
+
await clearHistory(options.path);
|
|
66
|
+
console.log('Toolip history cleared.');
|
|
67
|
+
});
|
|
68
|
+
}
|
|
69
|
+
//# sourceMappingURL=history.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"history.js","sourceRoot":"","sources":["../../../src/commands/history.ts"],"names":[],"mappings":"AACA,OAAO,EACL,YAAY,EACZ,WAAW,EACZ,MAAM,0BAA0B,CAAC;AAQlC,MAAM,UAAU,sBAAsB,CACpC,OAAgB;IAEhB,MAAM,OAAO,GAAG,OAAO;SACpB,OAAO,CAAC,SAAS,CAAC;SAClB,WAAW,CACV,6CAA6C,CAC9C,CAAC;IAEJ,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,MAAM,CACL,mBAAmB,EACnB,eAAe,EACf,OAAO,CAAC,GAAG,EAAE,CACd;SACA,MAAM,CACL,sBAAsB,EACtB,kBAAkB,EAClB,IAAI,CACL;SACA,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC;SAC/B,MAAM,CAAC,KAAK,EAAE,OAAuB,EAAE,EAAE;QACxC,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAChD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CACpB,CAAC,EACD,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,EAAE,CACzC,CAAC;QAEF,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC;QAE9C,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,SAAS,CACZ;gBACE,aAAa,EACX,OAAO,CAAC,aAAa;gBACvB,OAAO;aACR,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;QAC9B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEhB,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,CACT,2CAA2C,CAC5C,CAAC;YACF,OAAO;QACT,CAAC;QAED,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;YACtC,OAAO,CAAC,GAAG,CACT,GAAG,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,OAAO,GAAG;gBACpC,SAAS,KAAK,CAAC,KAAK,IAAI,KAAK,GAAG;gBAChC,YAAY,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,CACpC,CAAC;YAEF,IACE,KAAK,CAAC,GAAG,EAAE,MAAM;gBACjB,KAAK,CAAC,GAAG,EAAE,MAAM,EACjB,CAAC;gBACD,OAAO,CAAC,GAAG,CACT,KAAK,KAAK,CAAC,GAAG,CAAC,MAAM,IAAI,UAAU,GAAG;oBACpC,GAAG,KAAK,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,EAAE,EAAE,CAC5C,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,OAAO,CAAC;SAChB,MAAM,CACL,mBAAmB,EACnB,eAAe,EACf,OAAO,CAAC,GAAG,EAAE,CACd;SACA,MAAM,CACL,sBAAsB,EACtB,kBAAkB,EAClB,IAAI,CACL;SACA,MAAM,CAAC,KAAK,EAAE,OAAuB,EAAE,EAAE;QACxC,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAChD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CACpB,CAAC,EACD,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,EAAE,CACzC,CAAC;QAEF,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO;aAC5B,MAAM,CACL,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,KAAK,SAAS,CACrC;aACA,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC;QAEjB,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEhB,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CACT,mDAAmD,CACpD,CAAC;YACF,OAAO;QACT,CAAC;QAED,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QACzB,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAEzC,OAAO,CAAC,GAAG,CACT,UAAU,KAAK,EAAE,KAAK,MAAM,IAAI,EAAE,KAAK,EAAE,CAC1C,CAAC;QACF,OAAO,CAAC,GAAG,CACT,WAAW,CAAC,IAAI,EAAE,KAAK,IAAI,CAAC,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,IAAI,CAAC,CAAC,EAAE,CACtD,CAAC;QACF,OAAO,CAAC,GAAG,CACT,aAAa,KAAK,EAAE,OAAO,CAAC,KAAK,MAAM,IAAI,EAAE,OAAO,CAAC,KAAK,EAAE,CAC7D,CAAC;IACJ,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,OAAO,CAAC;SAChB,MAAM,CACL,mBAAmB,EACnB,eAAe,EACf,OAAO,CAAC,GAAG,EAAE,CACd;SACA,MAAM,CAAC,KAAK,EAAE,OAAyB,EAAE,EAAE;QAC1C,MAAM,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACjC,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;AACP,CAAC"}
|
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
import { AnalyzerRunner } from '../application/analyzer-runner.js';
|
|
2
|
+
import { InstallScriptAnalyzer } from '../analyzers/install-scripts/install-script-analyzer.js';
|
|
3
|
+
export function registerInstallScriptsCommand(program) {
|
|
4
|
+
program
|
|
5
|
+
.command('install-scripts')
|
|
6
|
+
.description('Inspect installed npm lifecycle scripts for suspicious behavior indicators.')
|
|
7
|
+
.option('-p, --path <path>', 'Project path to inspect.', process.cwd())
|
|
8
|
+
.option('--json', 'Print structured JSON output.')
|
|
9
|
+
.option('--include-dev', 'Include development dependency findings.')
|
|
10
|
+
.action(async (options) => {
|
|
11
|
+
const runner = new AnalyzerRunner({
|
|
12
|
+
concurrency: 1,
|
|
13
|
+
timeoutMs: 60_000
|
|
14
|
+
});
|
|
15
|
+
const [result] = await runner.run([new InstallScriptAnalyzer()], {
|
|
16
|
+
root: options.path
|
|
17
|
+
});
|
|
18
|
+
if (!result) {
|
|
19
|
+
throw new Error('Install-script analyzer returned no result.');
|
|
20
|
+
}
|
|
21
|
+
const findings = options.includeDev
|
|
22
|
+
? result.findings
|
|
23
|
+
: result.findings.filter((finding) => finding.metadata?.development !== true);
|
|
24
|
+
if (options.json) {
|
|
25
|
+
console.log(JSON.stringify({
|
|
26
|
+
analyzer: result.analyzer,
|
|
27
|
+
durationMs: result.durationMs,
|
|
28
|
+
summary: result.metadata,
|
|
29
|
+
findings
|
|
30
|
+
}, null, 2));
|
|
31
|
+
return;
|
|
32
|
+
}
|
|
33
|
+
console.log('Toolip Install-Script Analysis');
|
|
34
|
+
console.log('');
|
|
35
|
+
console.log(`Packages inspected: ${result.metadata?.packagesInspected ?? 0}`);
|
|
36
|
+
console.log(`Lifecycle scripts: ${result.metadata?.lifecycleScripts ?? 0}`);
|
|
37
|
+
console.log(`Findings: ${findings.length}`);
|
|
38
|
+
console.log('');
|
|
39
|
+
for (const finding of findings) {
|
|
40
|
+
console.log(`[${finding.severity.toUpperCase()}] ${finding.title}`);
|
|
41
|
+
console.log(`Package: ${finding.metadata?.package}@` +
|
|
42
|
+
`${finding.metadata?.version}`);
|
|
43
|
+
console.log(`Lifecycle: ${finding.metadata?.lifecycle}`);
|
|
44
|
+
console.log(`Message: ${finding.message}`);
|
|
45
|
+
console.log('');
|
|
46
|
+
}
|
|
47
|
+
if (findings.length === 0) {
|
|
48
|
+
console.log('No supported suspicious lifecycle-script indicators were found.');
|
|
49
|
+
}
|
|
50
|
+
});
|
|
51
|
+
}
|
|
52
|
+
//# sourceMappingURL=install-scripts.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"install-scripts.js","sourceRoot":"","sources":["../../../src/commands/install-scripts.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAC;AACnE,OAAO,EAAE,qBAAqB,EAAE,MAAM,yDAAyD,CAAC;AAQhG,MAAM,UAAU,6BAA6B,CAC3C,OAAgB;IAEhB,OAAO;SACJ,OAAO,CAAC,iBAAiB,CAAC;SAC1B,WAAW,CACV,6EAA6E,CAC9E;SACA,MAAM,CACL,mBAAmB,EACnB,0BAA0B,EAC1B,OAAO,CAAC,GAAG,EAAE,CACd;SACA,MAAM,CAAC,QAAQ,EAAE,+BAA+B,CAAC;SACjD,MAAM,CACL,eAAe,EACf,0CAA0C,CAC3C;SACA,MAAM,CAAC,KAAK,EAAE,OAA6B,EAAE,EAAE;QAC9C,MAAM,MAAM,GAAG,IAAI,cAAc,CAAC;YAChC,WAAW,EAAE,CAAC;YACd,SAAS,EAAE,MAAM;SAClB,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,GAAG,CAC/B,CAAC,IAAI,qBAAqB,EAAE,CAAC,EAC7B;YACE,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CACF,CAAC;QAEF,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,6CAA6C,CAC9C,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU;YACjC,CAAC,CAAC,MAAM,CAAC,QAAQ;YACjB,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CACpB,CAAC,OAAO,EAAE,EAAE,CACV,OAAO,CAAC,QAAQ,EAAE,WAAW,KAAK,IAAI,CACzC,CAAC;QAEN,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,SAAS,CACZ;gBACE,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,OAAO,EAAE,MAAM,CAAC,QAAQ;gBACxB,QAAQ;aACT,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CACT,uBACE,MAAM,CAAC,QAAQ,EAAE,iBAAiB,IAAI,CACxC,EAAE,CACH,CAAC;QACF,OAAO,CAAC,GAAG,CACT,sBACE,MAAM,CAAC,QAAQ,EAAE,gBAAgB,IAAI,CACvC,EAAE,CACH,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,aAAa,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEhB,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,OAAO,CAAC,GAAG,CACT,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,KAAK,EAAE,CACvD,CAAC;YACF,OAAO,CAAC,GAAG,CACT,YAAY,OAAO,CAAC,QAAQ,EAAE,OAAO,GAAG;gBACtC,GAAG,OAAO,CAAC,QAAQ,EAAE,OAAO,EAAE,CACjC,CAAC;YACF,OAAO,CAAC,GAAG,CACT,cAAc,OAAO,CAAC,QAAQ,EAAE,SAAS,EAAE,CAC5C,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,YAAY,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;YAC3C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,CAAC,GAAG,CACT,iEAAiE,CAClE,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
import { startMcpServer } from '../mcp/server.js';
|
|
2
|
+
export function registerMcpCommand(program) {
|
|
3
|
+
program
|
|
4
|
+
.command('mcp')
|
|
5
|
+
.description('Start the Toolip MCP server over stdio.')
|
|
6
|
+
.action(async () => {
|
|
7
|
+
await startMcpServer();
|
|
8
|
+
});
|
|
9
|
+
}
|
|
10
|
+
//# sourceMappingURL=mcp.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"mcp.js","sourceRoot":"","sources":["../../../src/commands/mcp.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAElD,MAAM,UAAU,kBAAkB,CAAC,OAAgB;IACjD,OAAO;SACJ,OAAO,CAAC,KAAK,CAAC;SACd,WAAW,CAAC,yCAAyC,CAAC;SACtD,MAAM,CAAC,KAAK,IAAI,EAAE;QACjB,MAAM,cAAc,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;AACP,CAAC"}
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
import { discoverWorkspaces } from '../core/monorepo/discover.js';
|
|
2
|
+
export function registerMonorepoCommand(program) {
|
|
3
|
+
program
|
|
4
|
+
.command('monorepo')
|
|
5
|
+
.description('Discover and summarize workspace packages.')
|
|
6
|
+
.option('-p, --path <path>', 'Repository path.', process.cwd())
|
|
7
|
+
.option('--json', 'Print JSON.')
|
|
8
|
+
.action(async (options) => {
|
|
9
|
+
const workspaces = await discoverWorkspaces(options.path);
|
|
10
|
+
if (options.json) {
|
|
11
|
+
console.log(JSON.stringify({ workspaces }, null, 2));
|
|
12
|
+
return;
|
|
13
|
+
}
|
|
14
|
+
console.log('Toolip Monorepo Discovery');
|
|
15
|
+
console.log('');
|
|
16
|
+
for (const workspace of workspaces) {
|
|
17
|
+
console.log(`${workspace.relativePath} ${workspace.name ?? ''}`.trim());
|
|
18
|
+
}
|
|
19
|
+
});
|
|
20
|
+
}
|
|
21
|
+
//# sourceMappingURL=monorepo.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"monorepo.js","sourceRoot":"","sources":["../../../src/commands/monorepo.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,8BAA8B,CAAC;AAElE,MAAM,UAAU,uBAAuB,CAAC,OAAgB;IACtD,OAAO;SACJ,OAAO,CAAC,UAAU,CAAC;SACnB,WAAW,CAAC,4CAA4C,CAAC;SACzD,MAAM,CAAC,mBAAmB,EAAE,kBAAkB,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;SAC9D,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC;SAC/B,MAAM,CAAC,KAAK,EAAE,OAAyC,EAAE,EAAE;QAC1D,MAAM,UAAU,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAE1D,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,UAAU,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YACrD,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;QACzC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,OAAO,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC,YAAY,IAAI,SAAS,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}
|
|
@@ -0,0 +1,50 @@
|
|
|
1
|
+
import { DepsDevClient } from '../providers/depsdev/client.js';
|
|
2
|
+
export function registerPackageHealthCommand(program) {
|
|
3
|
+
program
|
|
4
|
+
.command('package-health <package> [version]')
|
|
5
|
+
.description('Inspect npm package health and provenance through deps.dev.')
|
|
6
|
+
.option('--json', 'Print structured JSON.')
|
|
7
|
+
.action(async (packageName, version, options) => {
|
|
8
|
+
if (!version) {
|
|
9
|
+
throw new Error('A resolved package version is required.');
|
|
10
|
+
}
|
|
11
|
+
const client = new DepsDevClient();
|
|
12
|
+
const [metadata, dependencies] = await Promise.all([
|
|
13
|
+
client.getVersion(packageName, version),
|
|
14
|
+
client.getDependencies(packageName, version)
|
|
15
|
+
]);
|
|
16
|
+
const result = {
|
|
17
|
+
package: packageName,
|
|
18
|
+
version,
|
|
19
|
+
publishedAt: metadata.publishedAt,
|
|
20
|
+
deprecated: metadata.isDeprecated ?? false,
|
|
21
|
+
deprecatedReason: metadata.deprecatedReason,
|
|
22
|
+
licenses: metadata.licenses ?? [],
|
|
23
|
+
advisories: metadata.advisoryKeys
|
|
24
|
+
?.map((item) => item.id)
|
|
25
|
+
.filter((value) => Boolean(value)) ?? [],
|
|
26
|
+
verifiedProvenance: (metadata.slsaProvenances ?? [])
|
|
27
|
+
.filter((item) => item.verified === true).length,
|
|
28
|
+
verifiedAttestations: (metadata.attestations ?? [])
|
|
29
|
+
.filter((item) => item.verified === true).length,
|
|
30
|
+
relatedProjects: metadata.relatedProjects ?? [],
|
|
31
|
+
dependencyNodes: dependencies.nodes?.length ?? 0,
|
|
32
|
+
dependencyEdges: dependencies.edges?.length ?? 0
|
|
33
|
+
};
|
|
34
|
+
if (options.json) {
|
|
35
|
+
console.log(JSON.stringify(result, null, 2));
|
|
36
|
+
return;
|
|
37
|
+
}
|
|
38
|
+
console.log('Toolip Package Health');
|
|
39
|
+
console.log('');
|
|
40
|
+
console.log(`Package: ${packageName}@${version}`);
|
|
41
|
+
console.log(`Published: ${result.publishedAt ?? 'unknown'}`);
|
|
42
|
+
console.log(`Deprecated: ${result.deprecated}`);
|
|
43
|
+
console.log(`Licenses: ${result.licenses.join(', ') || 'unknown'}`);
|
|
44
|
+
console.log(`Advisories: ${result.advisories.length}`);
|
|
45
|
+
console.log(`Dependency nodes: ${result.dependencyNodes}`);
|
|
46
|
+
console.log(`Verified provenance: ${result.verifiedProvenance}`);
|
|
47
|
+
console.log(`Verified attestations: ${result.verifiedAttestations}`);
|
|
48
|
+
});
|
|
49
|
+
}
|
|
50
|
+
//# sourceMappingURL=package-health.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"package-health.js","sourceRoot":"","sources":["../../../src/commands/package-health.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAM/D,MAAM,UAAU,4BAA4B,CAC1C,OAAgB;IAEhB,OAAO;SACJ,OAAO,CAAC,oCAAoC,CAAC;SAC7C,WAAW,CACV,6DAA6D,CAC9D;SACA,MAAM,CAAC,QAAQ,EAAE,wBAAwB,CAAC;SAC1C,MAAM,CACL,KAAK,EACH,WAAmB,EACnB,OAA2B,EAC3B,OAA6B,EAC7B,EAAE;QACF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CACb,yCAAyC,CAC1C,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;QAEnC,MAAM,CAAC,QAAQ,EAAE,YAAY,CAAC,GAC5B,MAAM,OAAO,CAAC,GAAG,CAAC;YAChB,MAAM,CAAC,UAAU,CACf,WAAW,EACX,OAAO,CACR;YACD,MAAM,CAAC,eAAe,CACpB,WAAW,EACX,OAAO,CACR;SACF,CAAC,CAAC;QAEL,MAAM,MAAM,GAAG;YACb,OAAO,EAAE,WAAW;YACpB,OAAO;YACP,WAAW,EAAE,QAAQ,CAAC,WAAW;YACjC,UAAU,EACR,QAAQ,CAAC,YAAY,IAAI,KAAK;YAChC,gBAAgB,EACd,QAAQ,CAAC,gBAAgB;YAC3B,QAAQ,EACN,QAAQ,CAAC,QAAQ,IAAI,EAAE;YACzB,UAAU,EACR,QAAQ,CAAC,YAAY;gBACnB,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;iBACvB,MAAM,CACL,CAAC,KAAK,EAAmB,EAAE,CACzB,OAAO,CAAC,KAAK,CAAC,CACjB,IAAI,EAAE;YACX,kBAAkB,EAChB,CAAC,QAAQ,CAAC,eAAe,IAAI,EAAE,CAAC;iBAC7B,MAAM,CACL,CAAC,IAAI,EAAE,EAAE,CACP,IAAI,CAAC,QAAQ,KAAK,IAAI,CACzB,CAAC,MAAM;YACZ,oBAAoB,EAClB,CAAC,QAAQ,CAAC,YAAY,IAAI,EAAE,CAAC;iBAC1B,MAAM,CACL,CAAC,IAAI,EAAE,EAAE,CACP,IAAI,CAAC,QAAQ,KAAK,IAAI,CACzB,CAAC,MAAM;YACZ,eAAe,EACb,QAAQ,CAAC,eAAe,IAAI,EAAE;YAChC,eAAe,EACb,YAAY,CAAC,KAAK,EAAE,MAAM,IAAI,CAAC;YACjC,eAAe,EACb,YAAY,CAAC,KAAK,EAAE,MAAM,IAAI,CAAC;SAClC,CAAC;QAEF,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAChC,CAAC;YACF,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CACT,YAAY,WAAW,IAAI,OAAO,EAAE,CACrC,CAAC;QACF,OAAO,CAAC,GAAG,CACT,cAAc,MAAM,CAAC,WAAW,IAAI,SAAS,EAAE,CAChD,CAAC;QACF,OAAO,CAAC,GAAG,CACT,eAAe,MAAM,CAAC,UAAU,EAAE,CACnC,CAAC;QACF,OAAO,CAAC,GAAG,CACT,aACE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,SAChC,EAAE,CACH,CAAC;QACF,OAAO,CAAC,GAAG,CACT,eAAe,MAAM,CAAC,UAAU,CAAC,MAAM,EAAE,CAC1C,CAAC;QACF,OAAO,CAAC,GAAG,CACT,qBAAqB,MAAM,CAAC,eAAe,EAAE,CAC9C,CAAC;QACF,OAAO,CAAC,GAAG,CACT,wBAAwB,MAAM,CAAC,kBAAkB,EAAE,CACpD,CAAC;QACF,OAAO,CAAC,GAAG,CACT,0BAA0B,MAAM,CAAC,oBAAoB,EAAE,CACxD,CAAC;IACJ,CAAC,CACF,CAAC;AACN,CAAC"}
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
import { mkdir, writeFile } from 'node:fs/promises';
|
|
2
|
+
import path from 'node:path';
|
|
3
|
+
import { runSecurityDoctor } from '../core/security-doctor.js';
|
|
4
|
+
import { renderHtmlReport } from '../core/publish/html.js';
|
|
5
|
+
export function registerPublishCommand(program) {
|
|
6
|
+
program
|
|
7
|
+
.command('publish')
|
|
8
|
+
.description('Generate a static HTML security report.')
|
|
9
|
+
.option('-p, --path <path>', 'Project path.', process.cwd())
|
|
10
|
+
.option('-o, --output <directory>', 'Output directory.', '.toolip-report')
|
|
11
|
+
.action(async (options) => {
|
|
12
|
+
const report = await runSecurityDoctor(options.path);
|
|
13
|
+
const directory = path.resolve(options.path, options.output);
|
|
14
|
+
await mkdir(directory, { recursive: true });
|
|
15
|
+
const html = renderHtmlReport({
|
|
16
|
+
project: path.basename(path.resolve(options.path)),
|
|
17
|
+
generatedAt: new Date().toISOString(),
|
|
18
|
+
findings: report.findings
|
|
19
|
+
});
|
|
20
|
+
await writeFile(path.join(directory, 'index.html'), html, 'utf8');
|
|
21
|
+
console.log(`Static report written to ${path.join(directory, 'index.html')}`);
|
|
22
|
+
console.log('Deploy this directory to GitHub Pages only after reviewing it for private data.');
|
|
23
|
+
});
|
|
24
|
+
}
|
|
25
|
+
//# sourceMappingURL=publish.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"publish.js","sourceRoot":"","sources":["../../../src/commands/publish.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC/D,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,MAAM,UAAU,sBAAsB,CAAC,OAAgB;IACrD,OAAO;SACJ,OAAO,CAAC,SAAS,CAAC;SAClB,WAAW,CAAC,yCAAyC,CAAC;SACtD,MAAM,CAAC,mBAAmB,EAAE,eAAe,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;SAC3D,MAAM,CAAC,0BAA0B,EAAE,mBAAmB,EAAE,gBAAgB,CAAC;SACzE,MAAM,CAAC,KAAK,EAAE,OAAyC,EAAE,EAAE;QAC1D,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACrD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;QAC7D,MAAM,KAAK,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAE5C,MAAM,IAAI,GAAG,gBAAgB,CAAC;YAC5B,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAClD,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACrC,QAAQ,EAAE,MAAM,CAAC,QAAQ;SAC1B,CAAC,CAAC;QAEH,MAAM,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,4BAA4B,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,EAAE,CAAC,CAAC;QAC9E,OAAO,CAAC,GAAG,CAAC,iFAAiF,CAAC,CAAC;IACjG,CAAC,CAAC,CAAC;AACP,CAAC"}
|
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
import { AnalyzerRunner } from '../application/analyzer-runner.js';
|
|
2
|
+
import { ReachabilityAnalyzer } from '../analyzers/reachability/reachability-analyzer.js';
|
|
3
|
+
export function registerReachabilityCommand(program) {
|
|
4
|
+
program
|
|
5
|
+
.command('reachability')
|
|
6
|
+
.description('Show which npm packages are observed in JavaScript and TypeScript source imports.')
|
|
7
|
+
.option('-p, --path <path>', 'Project path to inspect.', process.cwd())
|
|
8
|
+
.option('--json', 'Print structured JSON output.')
|
|
9
|
+
.option('--include-dev', 'Include development dependencies.')
|
|
10
|
+
.action(async (options) => {
|
|
11
|
+
const runner = new AnalyzerRunner({
|
|
12
|
+
concurrency: 1,
|
|
13
|
+
timeoutMs: 60_000
|
|
14
|
+
});
|
|
15
|
+
const [result] = await runner.run([new ReachabilityAnalyzer()], {
|
|
16
|
+
root: options.path
|
|
17
|
+
});
|
|
18
|
+
if (!result) {
|
|
19
|
+
throw new Error('The reachability analyzer returned no result.');
|
|
20
|
+
}
|
|
21
|
+
const allPackages = (result.metadata?.packages ??
|
|
22
|
+
[]);
|
|
23
|
+
const packages = options.includeDev
|
|
24
|
+
? allPackages
|
|
25
|
+
: allPackages.filter((item) => !item.development);
|
|
26
|
+
if (options.json) {
|
|
27
|
+
console.log(JSON.stringify({
|
|
28
|
+
analyzer: result.analyzer,
|
|
29
|
+
durationMs: result.durationMs,
|
|
30
|
+
packages
|
|
31
|
+
}, null, 2));
|
|
32
|
+
return;
|
|
33
|
+
}
|
|
34
|
+
console.log('Toolip Package Reachability');
|
|
35
|
+
console.log('');
|
|
36
|
+
for (const item of packages) {
|
|
37
|
+
console.log(`${item.state.padEnd(18)} ${item.packageName}`);
|
|
38
|
+
for (const reference of item.references.slice(0, 5)) {
|
|
39
|
+
console.log(` ${reference.file}:${reference.line}:` +
|
|
40
|
+
`${reference.column} (${reference.kind})`);
|
|
41
|
+
}
|
|
42
|
+
}
|
|
43
|
+
console.log('');
|
|
44
|
+
console.log('Reachability is static evidence, not proof that exploitation is impossible.');
|
|
45
|
+
});
|
|
46
|
+
}
|
|
47
|
+
//# sourceMappingURL=reachability.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"reachability.js","sourceRoot":"","sources":["../../../src/commands/reachability.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAC;AACnE,OAAO,EACL,oBAAoB,EAErB,MAAM,oDAAoD,CAAC;AAQ5D,MAAM,UAAU,2BAA2B,CACzC,OAAgB;IAEhB,OAAO;SACJ,OAAO,CAAC,cAAc,CAAC;SACvB,WAAW,CACV,mFAAmF,CACpF;SACA,MAAM,CACL,mBAAmB,EACnB,0BAA0B,EAC1B,OAAO,CAAC,GAAG,EAAE,CACd;SACA,MAAM,CAAC,QAAQ,EAAE,+BAA+B,CAAC;SACjD,MAAM,CACL,eAAe,EACf,mCAAmC,CACpC;SACA,MAAM,CAAC,KAAK,EAAE,OAA4B,EAAE,EAAE;QAC7C,MAAM,MAAM,GAAG,IAAI,cAAc,CAAC;YAChC,WAAW,EAAE,CAAC;YACd,SAAS,EAAE,MAAM;SAClB,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,GAAG,CAC/B,CAAC,IAAI,oBAAoB,EAAE,CAAC,EAC5B;YACE,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CACF,CAAC;QAEF,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,+CAA+C,CAChD,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GACf,CAAC,MAAM,CAAC,QAAQ,EAAE,QAAQ;YACxB,EAAE,CAA0B,CAAC;QAEjC,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU;YACjC,CAAC,CAAC,WAAW;YACb,CAAC,CAAC,WAAW,CAAC,MAAM,CAChB,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,WAAW,CAC5B,CAAC;QAEN,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,SAAS,CACZ;gBACE,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,QAAQ;aACT,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;YACF,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;QAC3C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEhB,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;YAC5B,OAAO,CAAC,GAAG,CACT,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,WAAW,EAAE,CAC/C,CAAC;YAEF,KAAK,MAAM,SAAS,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAC3C,CAAC,EACD,CAAC,CACF,EAAE,CAAC;gBACF,OAAO,CAAC,GAAG,CACT,KAAK,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC,IAAI,GAAG;oBACtC,GAAG,SAAS,CAAC,MAAM,KAAK,SAAS,CAAC,IAAI,GAAG,CAC5C,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CACT,6EAA6E,CAC9E,CAAC;IACJ,CAAC,CAAC,CAAC;AACP,CAAC"}
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
import { mkdir, writeFile } from 'node:fs/promises';
|
|
2
|
+
import path from 'node:path';
|
|
3
|
+
import { generateSbom } from '../core/sbom/generate.js';
|
|
4
|
+
function assertFormat(value) {
|
|
5
|
+
if (value !== 'cyclonedx' &&
|
|
6
|
+
value !== 'spdx') {
|
|
7
|
+
throw new Error('SBOM format must be cyclonedx or spdx.');
|
|
8
|
+
}
|
|
9
|
+
}
|
|
10
|
+
export function registerSbomCommand(program) {
|
|
11
|
+
program
|
|
12
|
+
.command('sbom')
|
|
13
|
+
.description('Generate a CycloneDX 1.5 or SPDX 2.3 software bill of materials.')
|
|
14
|
+
.option('-p, --path <path>', 'Project path to inspect.', process.cwd())
|
|
15
|
+
.option('-f, --format <format>', 'cyclonedx or spdx.', 'cyclonedx')
|
|
16
|
+
.option('-o, --output <file>', 'Write JSON to a file instead of stdout.')
|
|
17
|
+
.action(async (options) => {
|
|
18
|
+
assertFormat(options.format);
|
|
19
|
+
const document = await generateSbom(options.path, options.format);
|
|
20
|
+
const output = `${JSON.stringify(document, null, 2)}\n`;
|
|
21
|
+
if (!options.output) {
|
|
22
|
+
process.stdout.write(output);
|
|
23
|
+
return;
|
|
24
|
+
}
|
|
25
|
+
const outputPath = path.resolve(options.path, options.output);
|
|
26
|
+
await mkdir(path.dirname(outputPath), {
|
|
27
|
+
recursive: true
|
|
28
|
+
});
|
|
29
|
+
await writeFile(outputPath, output, 'utf8');
|
|
30
|
+
console.log(`SBOM written to ${outputPath}`);
|
|
31
|
+
});
|
|
32
|
+
}
|
|
33
|
+
//# sourceMappingURL=sbom.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"sbom.js","sourceRoot":"","sources":["../../../src/commands/sbom.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,EACL,SAAS,EACV,MAAM,kBAAkB,CAAC;AAC1B,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EACL,YAAY,EAEb,MAAM,0BAA0B,CAAC;AAQlC,SAAS,YAAY,CACnB,KAAa;IAEb,IACE,KAAK,KAAK,WAAW;QACrB,KAAK,KAAK,MAAM,EAChB,CAAC;QACD,MAAM,IAAI,KAAK,CACb,wCAAwC,CACzC,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,OAAgB;IAEhB,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CACV,kEAAkE,CACnE;SACA,MAAM,CACL,mBAAmB,EACnB,0BAA0B,EAC1B,OAAO,CAAC,GAAG,EAAE,CACd;SACA,MAAM,CACL,uBAAuB,EACvB,oBAAoB,EACpB,WAAW,CACZ;SACA,MAAM,CACL,qBAAqB,EACrB,yCAAyC,CAC1C;SACA,MAAM,CAAC,KAAK,EAAE,OAAoB,EAAE,EAAE;QACrC,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAE7B,MAAM,QAAQ,GAAG,MAAM,YAAY,CACjC,OAAO,CAAC,IAAI,EACZ,OAAO,CAAC,MAAM,CACf,CAAC;QAEF,MAAM,MAAM,GACV,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC;QAE3C,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;YACpB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAC7B,OAAO;QACT,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAC7B,OAAO,CAAC,IAAI,EACZ,OAAO,CAAC,MAAM,CACf,CAAC;QAEF,MAAM,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE;YACpC,SAAS,EAAE,IAAI;SAChB,CAAC,CAAC;QAEH,MAAM,SAAS,CACb,UAAU,EACV,MAAM,EACN,MAAM,CACP,CAAC;QAEF,OAAO,CAAC,GAAG,CAAC,mBAAmB,UAAU,EAAE,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;AACP,CAAC"}
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
import { createUpgradePullRequest } from '../core/github/upgrade-pr.js';
|
|
2
|
+
export function registerUpgradePrCommand(program) {
|
|
3
|
+
program
|
|
4
|
+
.command('upgrade-pr <package> <version>')
|
|
5
|
+
.description('Create a tested dependency-upgrade pull request through gh.')
|
|
6
|
+
.option('-p, --path <path>', 'Repository path.', process.cwd())
|
|
7
|
+
.option('--dry-run', 'Validate the request without changing Git.')
|
|
8
|
+
.action(async (packageName, version, options) => {
|
|
9
|
+
const result = await createUpgradePullRequest(options.path, packageName, version, Boolean(options.dryRun));
|
|
10
|
+
console.log(options.dryRun
|
|
11
|
+
? `Dry run passed. Proposed branch: ${result.branch}`
|
|
12
|
+
: `Pull request created from ${result.branch}`);
|
|
13
|
+
});
|
|
14
|
+
}
|
|
15
|
+
//# sourceMappingURL=upgrade-pr.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"upgrade-pr.js","sourceRoot":"","sources":["../../../src/commands/upgrade-pr.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,wBAAwB,EAAE,MAAM,8BAA8B,CAAC;AAExE,MAAM,UAAU,wBAAwB,CAAC,OAAgB;IACvD,OAAO;SACJ,OAAO,CAAC,gCAAgC,CAAC;SACzC,WAAW,CAAC,6DAA6D,CAAC;SAC1E,MAAM,CAAC,mBAAmB,EAAE,kBAAkB,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;SAC9D,MAAM,CAAC,WAAW,EAAE,4CAA4C,CAAC;SACjE,MAAM,CAAC,KAAK,EACX,WAAmB,EACnB,OAAe,EACf,OAA2C,EAC3C,EAAE;QACF,MAAM,MAAM,GAAG,MAAM,wBAAwB,CAC3C,OAAO,CAAC,IAAI,EACZ,WAAW,EACX,OAAO,EACP,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CACxB,CAAC;QAEF,OAAO,CAAC,GAAG,CACT,OAAO,CAAC,MAAM;YACZ,CAAC,CAAC,oCAAoC,MAAM,CAAC,MAAM,EAAE;YACrD,CAAC,CAAC,6BAA6B,MAAM,CAAC,MAAM,EAAE,CACjD,CAAC;IACJ,CAAC,CAAC,CAAC;AACP,CAAC"}
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
import { AnalyzerRunner } from '../application/analyzer-runner.js';
|
|
2
|
+
import { OsvVulnerabilityAnalyzer } from '../analyzers/vulnerability/osv-analyzer.js';
|
|
3
|
+
import { MemoryCache } from '../storage/memory-cache.js';
|
|
4
|
+
export function registerVulnerabilitiesCommand(program) {
|
|
5
|
+
program
|
|
6
|
+
.command('vulnerabilities')
|
|
7
|
+
.alias('vulns')
|
|
8
|
+
.description('Match resolved npm dependencies against OSV.dev.')
|
|
9
|
+
.option('-p, --path <path>', 'Project path to inspect.', process.cwd())
|
|
10
|
+
.option('--json', 'Print structured JSON output.')
|
|
11
|
+
.option('--include-dev', 'Include development dependency findings.')
|
|
12
|
+
.action(async (options) => {
|
|
13
|
+
const [result] = await new AnalyzerRunner({ concurrency: 1, timeoutMs: 60000 }).run([new OsvVulnerabilityAnalyzer()], { root: options.path, cache: new MemoryCache() });
|
|
14
|
+
if (!result)
|
|
15
|
+
throw new Error('OSV analyzer returned no result.');
|
|
16
|
+
const findings = options.includeDev
|
|
17
|
+
? result.findings
|
|
18
|
+
: result.findings.filter((finding) => finding.metadata?.development !== true);
|
|
19
|
+
if (options.json) {
|
|
20
|
+
console.log(JSON.stringify({ ...result, findings }, null, 2));
|
|
21
|
+
}
|
|
22
|
+
else {
|
|
23
|
+
console.log('Toolip Vulnerability Intelligence');
|
|
24
|
+
console.log('');
|
|
25
|
+
console.log(`Dependencies checked: ${result.metadata?.dependenciesChecked ?? 0}`);
|
|
26
|
+
console.log(`Known vulnerabilities: ${findings.length}`);
|
|
27
|
+
console.log('');
|
|
28
|
+
for (const finding of findings) {
|
|
29
|
+
console.log(`[${finding.severity.toUpperCase()}] ${finding.metadata?.vulnerabilityId}`);
|
|
30
|
+
console.log(`Package: ${finding.metadata?.package}@${finding.metadata?.installedVersion}`);
|
|
31
|
+
console.log(`Summary: ${finding.title}`);
|
|
32
|
+
if (finding.remediation?.summary)
|
|
33
|
+
console.log(`Fix: ${finding.remediation.summary}`);
|
|
34
|
+
console.log('');
|
|
35
|
+
}
|
|
36
|
+
if (findings.length === 0) {
|
|
37
|
+
console.log('No disclosed vulnerabilities matched the resolved npm dependency versions.');
|
|
38
|
+
}
|
|
39
|
+
}
|
|
40
|
+
});
|
|
41
|
+
}
|
|
42
|
+
//# sourceMappingURL=vulnerabilities.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"vulnerabilities.js","sourceRoot":"","sources":["../../../src/commands/vulnerabilities.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAC;AACnE,OAAO,EAAE,wBAAwB,EAAE,MAAM,4CAA4C,CAAC;AACtF,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAC;AAEzD,MAAM,UAAU,8BAA8B,CAAC,OAAgB;IAC7D,OAAO;SACJ,OAAO,CAAC,iBAAiB,CAAC;SAC1B,KAAK,CAAC,OAAO,CAAC;SACd,WAAW,CAAC,kDAAkD,CAAC;SAC/D,MAAM,CAAC,mBAAmB,EAAE,0BAA0B,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;SACtE,MAAM,CAAC,QAAQ,EAAE,+BAA+B,CAAC;SACjD,MAAM,CAAC,eAAe,EAAE,0CAA0C,CAAC;SACnE,MAAM,CAAC,KAAK,EAAE,OAA+D,EAAE,EAAE;QAChF,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,cAAc,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC,GAAG,CACjF,CAAC,IAAI,wBAAwB,EAAE,CAAC,EAChC,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,WAAW,EAAE,EAAE,CACjD,CAAC;QAEF,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACjE,MAAM,QAAQ,GAAG,OAAO,CAAC,UAAU;YACjC,CAAC,CAAC,MAAM,CAAC,QAAQ;YACjB,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,EAAE,WAAW,KAAK,IAAI,CAAC,CAAC;QAEhF,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAChE,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;YACjD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,yBAAyB,MAAM,CAAC,QAAQ,EAAE,mBAAmB,IAAI,CAAC,EAAE,CAAC,CAAC;YAClF,OAAO,CAAC,GAAG,CAAC,0BAA0B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YACzD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAEhB,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;gBAC/B,OAAO,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,QAAQ,EAAE,eAAe,EAAE,CAAC,CAAC;gBACxF,OAAO,CAAC,GAAG,CAAC,YAAY,OAAO,CAAC,QAAQ,EAAE,OAAO,IAAI,OAAO,CAAC,QAAQ,EAAE,gBAAgB,EAAE,CAAC,CAAC;gBAC3F,OAAO,CAAC,GAAG,CAAC,YAAY,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;gBACzC,IAAI,OAAO,CAAC,WAAW,EAAE,OAAO;oBAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,OAAO,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC,CAAC;gBACrF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAClB,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1B,OAAO,CAAC,GAAG,CAAC,4EAA4E,CAAC,CAAC;YAC5F,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
import { runSecurityDoctor } from '../core/security-doctor.js';
|
|
2
|
+
import { watchProject } from '../core/watch/watch.js';
|
|
3
|
+
export function registerWatchCommand(program) {
|
|
4
|
+
program
|
|
5
|
+
.command('watch')
|
|
6
|
+
.description('Continuously rerun Toolip security checks as files change.')
|
|
7
|
+
.option('-p, --path <path>', 'Project path.', process.cwd())
|
|
8
|
+
.option('--once', 'Run once without watching.')
|
|
9
|
+
.action(async (options) => {
|
|
10
|
+
const render = async () => {
|
|
11
|
+
const result = await runSecurityDoctor(options.path);
|
|
12
|
+
console.clear();
|
|
13
|
+
console.log('Toolip Watch');
|
|
14
|
+
console.log('');
|
|
15
|
+
console.log(`Updated: ${new Date().toISOString()}`);
|
|
16
|
+
console.log(`Critical/secrets: ${result.summary.secrets}`);
|
|
17
|
+
console.log(`Dangerous code: ${result.summary.dangerousCode}`);
|
|
18
|
+
console.log(`Configuration: ${result.summary.configuration}`);
|
|
19
|
+
console.log(`Total findings: ${result.findings.length}`);
|
|
20
|
+
};
|
|
21
|
+
await render();
|
|
22
|
+
if (options.once)
|
|
23
|
+
return;
|
|
24
|
+
console.log('');
|
|
25
|
+
console.log('Watching for changes. Press Ctrl+C to stop.');
|
|
26
|
+
const close = watchProject(options.path, render);
|
|
27
|
+
process.once('SIGINT', () => {
|
|
28
|
+
close();
|
|
29
|
+
process.exit(0);
|
|
30
|
+
});
|
|
31
|
+
await new Promise(() => undefined);
|
|
32
|
+
});
|
|
33
|
+
}
|
|
34
|
+
//# sourceMappingURL=watch.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"watch.js","sourceRoot":"","sources":["../../../src/commands/watch.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAEtD,MAAM,UAAU,oBAAoB,CAAC,OAAgB;IACnD,OAAO;SACJ,OAAO,CAAC,OAAO,CAAC;SAChB,WAAW,CAAC,4DAA4D,CAAC;SACzE,MAAM,CAAC,mBAAmB,EAAE,eAAe,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;SAC3D,MAAM,CAAC,QAAQ,EAAE,4BAA4B,CAAC;SAC9C,MAAM,CAAC,KAAK,EAAE,OAAyC,EAAE,EAAE;QAC1D,MAAM,MAAM,GAAG,KAAK,IAAmB,EAAE;YACvC,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACrD,OAAO,CAAC,KAAK,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;YAC5B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;YACpD,OAAO,CAAC,GAAG,CAAC,qBAAqB,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;YAC3D,OAAO,CAAC,GAAG,CAAC,mBAAmB,MAAM,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;YAC/D,OAAO,CAAC,GAAG,CAAC,kBAAkB,MAAM,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;YAC9D,OAAO,CAAC,GAAG,CAAC,mBAAmB,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC3D,CAAC,CAAC;QAEF,MAAM,MAAM,EAAE,CAAC;QAEf,IAAI,OAAO,CAAC,IAAI;YAAE,OAAO;QAEzB,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;QAE3D,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAEjD,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,EAAE;YAC1B,KAAK,EAAE,CAAC;YACR,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC,CAAC,CAAC;QAEH,MAAM,IAAI,OAAO,CAAO,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;AACP,CAAC"}
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
import type { Finding } from './finding.js';
|
|
2
|
+
export type AnalyzerContext = {
|
|
3
|
+
root: string;
|
|
4
|
+
signal?: AbortSignal;
|
|
5
|
+
cache?: AnalyzerCache;
|
|
6
|
+
options?: Record<string, unknown>;
|
|
7
|
+
};
|
|
8
|
+
export type AnalyzerCache = {
|
|
9
|
+
get<T>(key: string): Promise<T | undefined>;
|
|
10
|
+
set<T>(key: string, value: T, ttlMs?: number): Promise<void>;
|
|
11
|
+
};
|
|
12
|
+
export type AnalyzerResult = {
|
|
13
|
+
analyzer: string;
|
|
14
|
+
durationMs: number;
|
|
15
|
+
findings: Finding[];
|
|
16
|
+
warnings?: string[];
|
|
17
|
+
metadata?: Record<string, unknown>;
|
|
18
|
+
};
|
|
19
|
+
export interface Analyzer {
|
|
20
|
+
readonly id: string;
|
|
21
|
+
readonly version: string;
|
|
22
|
+
analyze(context: AnalyzerContext): Promise<AnalyzerResult>;
|
|
23
|
+
}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"analyzer.js","sourceRoot":"","sources":["../../../src/contracts/analyzer.ts"],"names":[],"mappings":""}
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
export declare const findingSeverities: readonly ["critical", "high", "medium", "low", "info"];
|
|
2
|
+
export type FindingSeverity = (typeof findingSeverities)[number];
|
|
3
|
+
export declare const findingConfidences: readonly ["high", "medium", "low"];
|
|
4
|
+
export type FindingConfidence = (typeof findingConfidences)[number];
|
|
5
|
+
export type FindingLocation = {
|
|
6
|
+
file: string;
|
|
7
|
+
line?: number;
|
|
8
|
+
column?: number;
|
|
9
|
+
endLine?: number;
|
|
10
|
+
endColumn?: number;
|
|
11
|
+
};
|
|
12
|
+
export type FindingEvidence = {
|
|
13
|
+
summary: string;
|
|
14
|
+
excerpt?: string;
|
|
15
|
+
fingerprint?: string;
|
|
16
|
+
};
|
|
17
|
+
export type FindingRemediation = {
|
|
18
|
+
summary: string;
|
|
19
|
+
fixedVersion?: string;
|
|
20
|
+
references?: string[];
|
|
21
|
+
};
|
|
22
|
+
export type Finding = {
|
|
23
|
+
id: string;
|
|
24
|
+
ruleId: string;
|
|
25
|
+
title: string;
|
|
26
|
+
category: string;
|
|
27
|
+
severity: FindingSeverity;
|
|
28
|
+
confidence: FindingConfidence;
|
|
29
|
+
message: string;
|
|
30
|
+
source: string;
|
|
31
|
+
location?: FindingLocation;
|
|
32
|
+
evidence?: FindingEvidence[];
|
|
33
|
+
remediation?: FindingRemediation;
|
|
34
|
+
metadata?: Record<string, unknown>;
|
|
35
|
+
};
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"finding.js","sourceRoot":"","sources":["../../../src/contracts/finding.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,UAAU;IACV,MAAM;IACN,QAAQ;IACR,KAAK;IACL,MAAM;CACE,CAAC;AAIX,MAAM,CAAC,MAAM,kBAAkB,GAAG;IAChC,MAAM;IACN,QAAQ;IACR,KAAK;CACG,CAAC"}
|