toolip 1.0.7 → 2.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +189 -448
- package/dist/src/analyzers/ast/ast-security-analyzer.d.ts +6 -0
- package/dist/src/analyzers/ast/ast-security-analyzer.js +64 -0
- package/dist/src/analyzers/ast/ast-security-analyzer.js.map +1 -0
- package/dist/src/analyzers/ast/rules.d.ts +48 -0
- package/dist/src/analyzers/ast/rules.js +39 -0
- package/dist/src/analyzers/ast/rules.js.map +1 -0
- package/dist/src/analyzers/ast/source-analysis.d.ts +2 -0
- package/dist/src/analyzers/ast/source-analysis.js +225 -0
- package/dist/src/analyzers/ast/source-analysis.js.map +1 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.d.ts +9 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.js +98 -0
- package/dist/src/analyzers/dependency-confusion/analyzer.js.map +1 -0
- package/dist/src/analyzers/docker/analyzer.d.ts +6 -0
- package/dist/src/analyzers/docker/analyzer.js +103 -0
- package/dist/src/analyzers/docker/analyzer.js.map +1 -0
- package/dist/src/analyzers/git-history/analyzer.d.ts +8 -0
- package/dist/src/analyzers/git-history/analyzer.js +202 -0
- package/dist/src/analyzers/git-history/analyzer.js.map +1 -0
- package/dist/src/analyzers/git-history/secret-patterns.d.ts +7 -0
- package/dist/src/analyzers/git-history/secret-patterns.js +33 -0
- package/dist/src/analyzers/git-history/secret-patterns.js.map +1 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.d.ts +6 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.js +135 -0
- package/dist/src/analyzers/install-scripts/install-script-analyzer.js.map +1 -0
- package/dist/src/analyzers/reachability/import-graph.d.ts +9 -0
- package/dist/src/analyzers/reachability/import-graph.js +110 -0
- package/dist/src/analyzers/reachability/import-graph.js.map +1 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.d.ts +16 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.js +95 -0
- package/dist/src/analyzers/reachability/reachability-analyzer.js.map +1 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.d.ts +9 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.js +94 -0
- package/dist/src/analyzers/vulnerability/osv-analyzer.js.map +1 -0
- package/dist/src/analyzers/vulnerability/severity.d.ts +3 -0
- package/dist/src/analyzers/vulnerability/severity.js +13 -0
- package/dist/src/analyzers/vulnerability/severity.js.map +1 -0
- package/dist/src/application/analyzer-runner.d.ts +12 -0
- package/dist/src/application/analyzer-runner.js +45 -0
- package/dist/src/application/analyzer-runner.js.map +1 -0
- package/dist/src/commands/announce.d.ts +2 -0
- package/dist/src/commands/announce.js +27 -0
- package/dist/src/commands/announce.js.map +1 -0
- package/dist/src/commands/ast-scan.d.ts +2 -0
- package/dist/src/commands/ast-scan.js +86 -0
- package/dist/src/commands/ast-scan.js.map +1 -0
- package/dist/src/commands/audit-repo.d.ts +2 -0
- package/dist/src/commands/audit-repo.js +20 -0
- package/dist/src/commands/audit-repo.js.map +1 -0
- package/dist/src/commands/config.d.ts +2 -0
- package/dist/src/commands/config.js +69 -0
- package/dist/src/commands/config.js.map +1 -0
- package/dist/src/commands/dependency-confusion.d.ts +2 -0
- package/dist/src/commands/dependency-confusion.js +37 -0
- package/dist/src/commands/dependency-confusion.js.map +1 -0
- package/dist/src/commands/diff.d.ts +2 -0
- package/dist/src/commands/diff.js +24 -0
- package/dist/src/commands/diff.js.map +1 -0
- package/dist/src/commands/docker-scan.d.ts +2 -0
- package/dist/src/commands/docker-scan.js +34 -0
- package/dist/src/commands/docker-scan.js.map +1 -0
- package/dist/src/commands/git-history.d.ts +2 -0
- package/dist/src/commands/git-history.js +40 -0
- package/dist/src/commands/git-history.js.map +1 -0
- package/dist/src/commands/history.d.ts +2 -0
- package/dist/src/commands/history.js +69 -0
- package/dist/src/commands/history.js.map +1 -0
- package/dist/src/commands/install-scripts.d.ts +2 -0
- package/dist/src/commands/install-scripts.js +52 -0
- package/dist/src/commands/install-scripts.js.map +1 -0
- package/dist/src/commands/mcp.d.ts +2 -0
- package/dist/src/commands/mcp.js +10 -0
- package/dist/src/commands/mcp.js.map +1 -0
- package/dist/src/commands/monorepo.d.ts +2 -0
- package/dist/src/commands/monorepo.js +21 -0
- package/dist/src/commands/monorepo.js.map +1 -0
- package/dist/src/commands/package-health.d.ts +2 -0
- package/dist/src/commands/package-health.js +50 -0
- package/dist/src/commands/package-health.js.map +1 -0
- package/dist/src/commands/publish.d.ts +2 -0
- package/dist/src/commands/publish.js +25 -0
- package/dist/src/commands/publish.js.map +1 -0
- package/dist/src/commands/reachability.d.ts +2 -0
- package/dist/src/commands/reachability.js +47 -0
- package/dist/src/commands/reachability.js.map +1 -0
- package/dist/src/commands/sbom.d.ts +2 -0
- package/dist/src/commands/sbom.js +33 -0
- package/dist/src/commands/sbom.js.map +1 -0
- package/dist/src/commands/upgrade-pr.d.ts +2 -0
- package/dist/src/commands/upgrade-pr.js +15 -0
- package/dist/src/commands/upgrade-pr.js.map +1 -0
- package/dist/src/commands/vulnerabilities.d.ts +2 -0
- package/dist/src/commands/vulnerabilities.js +42 -0
- package/dist/src/commands/vulnerabilities.js.map +1 -0
- package/dist/src/commands/watch.d.ts +2 -0
- package/dist/src/commands/watch.js +34 -0
- package/dist/src/commands/watch.js.map +1 -0
- package/dist/src/contracts/analyzer.d.ts +23 -0
- package/dist/src/contracts/analyzer.js +2 -0
- package/dist/src/contracts/analyzer.js.map +1 -0
- package/dist/src/contracts/finding.d.ts +35 -0
- package/dist/src/contracts/finding.js +13 -0
- package/dist/src/contracts/finding.js.map +1 -0
- package/dist/src/contracts/report.d.ts +30 -0
- package/dist/src/contracts/report.js +2 -0
- package/dist/src/contracts/report.js.map +1 -0
- package/dist/src/contracts/rule.d.ts +12 -0
- package/dist/src/contracts/rule.js +7 -0
- package/dist/src/contracts/rule.js.map +1 -0
- package/dist/src/core/announce/generate.d.ts +9 -0
- package/dist/src/core/announce/generate.js +19 -0
- package/dist/src/core/announce/generate.js.map +1 -0
- package/dist/src/core/config/load.d.ts +3 -0
- package/dist/src/core/config/load.js +21 -0
- package/dist/src/core/config/load.js.map +1 -0
- package/dist/src/core/config/policy.d.ts +3 -0
- package/dist/src/core/config/policy.js +48 -0
- package/dist/src/core/config/policy.js.map +1 -0
- package/dist/src/core/config/schema.d.ts +172 -0
- package/dist/src/core/config/schema.js +84 -0
- package/dist/src/core/config/schema.js.map +1 -0
- package/dist/src/core/dependencies/inventory.d.ts +9 -0
- package/dist/src/core/dependencies/inventory.js +43 -0
- package/dist/src/core/dependencies/inventory.js.map +1 -0
- package/dist/src/core/diff/security-diff.d.ts +10 -0
- package/dist/src/core/diff/security-diff.js +20 -0
- package/dist/src/core/diff/security-diff.js.map +1 -0
- package/dist/src/core/github/remote-audit.d.ts +5 -0
- package/dist/src/core/github/remote-audit.js +28 -0
- package/dist/src/core/github/remote-audit.js.map +1 -0
- package/dist/src/core/github/upgrade-pr.d.ts +4 -0
- package/dist/src/core/github/upgrade-pr.js +41 -0
- package/dist/src/core/github/upgrade-pr.js.map +1 -0
- package/dist/src/core/history/git-metadata.d.ts +5 -0
- package/dist/src/core/history/git-metadata.js +37 -0
- package/dist/src/core/history/git-metadata.js.map +1 -0
- package/dist/src/core/history/store.d.ts +5 -0
- package/dist/src/core/history/store.js +65 -0
- package/dist/src/core/history/store.js.map +1 -0
- package/dist/src/core/history/types.d.ts +27 -0
- package/dist/src/core/history/types.js +2 -0
- package/dist/src/core/history/types.js.map +1 -0
- package/dist/src/core/monorepo/discover.d.ts +7 -0
- package/dist/src/core/monorepo/discover.js +49 -0
- package/dist/src/core/monorepo/discover.js.map +1 -0
- package/dist/src/core/publish/html.d.ts +6 -0
- package/dist/src/core/publish/html.js +44 -0
- package/dist/src/core/publish/html.js.map +1 -0
- package/dist/src/core/sbom/generate.d.ts +2 -0
- package/dist/src/core/sbom/generate.js +120 -0
- package/dist/src/core/sbom/generate.js.map +1 -0
- package/dist/src/core/security-doctor.js +19 -5
- package/dist/src/core/security-doctor.js.map +1 -1
- package/dist/src/core/watch/watch.d.ts +5 -0
- package/dist/src/core/watch/watch.js +49 -0
- package/dist/src/core/watch/watch.js.map +1 -0
- package/dist/src/index.js +38 -0
- package/dist/src/index.js.map +1 -1
- package/dist/src/mcp/server.d.ts +1 -0
- package/dist/src/mcp/server.js +64 -0
- package/dist/src/mcp/server.js.map +1 -0
- package/dist/src/providers/depsdev/client.d.ts +71 -0
- package/dist/src/providers/depsdev/client.js +44 -0
- package/dist/src/providers/depsdev/client.js.map +1 -0
- package/dist/src/providers/osv/client.d.ts +15 -0
- package/dist/src/providers/osv/client.js +51 -0
- package/dist/src/providers/osv/client.js.map +1 -0
- package/dist/src/providers/osv/types.d.ts +38 -0
- package/dist/src/providers/osv/types.js +2 -0
- package/dist/src/providers/osv/types.js.map +1 -0
- package/dist/src/storage/memory-cache.d.ts +7 -0
- package/dist/src/storage/memory-cache.js +25 -0
- package/dist/src/storage/memory-cache.js.map +1 -0
- package/package.json +5 -3
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
import type { Finding } from './finding.js';
|
|
2
|
+
export declare const TOOLIP_REPORT_SCHEMA_VERSION = "2.0";
|
|
3
|
+
export type ReportSummary = {
|
|
4
|
+
critical: number;
|
|
5
|
+
high: number;
|
|
6
|
+
medium: number;
|
|
7
|
+
low: number;
|
|
8
|
+
info: number;
|
|
9
|
+
total: number;
|
|
10
|
+
};
|
|
11
|
+
export type ToolipReportV2 = {
|
|
12
|
+
schemaVersion: typeof TOOLIP_REPORT_SCHEMA_VERSION;
|
|
13
|
+
generatedAt: string;
|
|
14
|
+
toolipVersion: string;
|
|
15
|
+
project: {
|
|
16
|
+
root: string;
|
|
17
|
+
name?: string;
|
|
18
|
+
packageManager?: string;
|
|
19
|
+
};
|
|
20
|
+
summary: ReportSummary;
|
|
21
|
+
findings: Finding[];
|
|
22
|
+
analyzers: Array<{
|
|
23
|
+
id: string;
|
|
24
|
+
version: string;
|
|
25
|
+
durationMs: number;
|
|
26
|
+
findingCount: number;
|
|
27
|
+
warnings?: string[];
|
|
28
|
+
}>;
|
|
29
|
+
metadata?: Record<string, unknown>;
|
|
30
|
+
};
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"report.js","sourceRoot":"","sources":["../../../src/contracts/report.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,4BAA4B,GAAG,KAAK,CAAC"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import type { FindingConfidence, FindingSeverity } from './finding.js';
|
|
2
|
+
export type RuleDefinition = {
|
|
3
|
+
id: string;
|
|
4
|
+
title: string;
|
|
5
|
+
category: string;
|
|
6
|
+
defaultSeverity: FindingSeverity;
|
|
7
|
+
defaultConfidence: FindingConfidence;
|
|
8
|
+
description: string;
|
|
9
|
+
remediation: string;
|
|
10
|
+
references?: string[];
|
|
11
|
+
};
|
|
12
|
+
export declare function assertValidRuleId(ruleId: string): void;
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"rule.js","sourceRoot":"","sources":["../../../src/contracts/rule.ts"],"names":[],"mappings":"AAgBA,MAAM,eAAe,GAAG,oBAAoB,CAAC;AAE7C,MAAM,UAAU,iBAAiB,CAAC,MAAc;IAC9C,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CACb,2BAA2B,MAAM,uCAAuC,CACzE,CAAC;IACJ,CAAC;AACH,CAAC"}
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
export function generateAnnouncement(input) {
|
|
2
|
+
const title = input.version
|
|
3
|
+
? `Toolip ${input.version} security update`
|
|
4
|
+
: 'Toolip security update';
|
|
5
|
+
const lines = [
|
|
6
|
+
title,
|
|
7
|
+
'',
|
|
8
|
+
`Fixed findings: ${input.fixed}`,
|
|
9
|
+
`New findings: ${input.added}`,
|
|
10
|
+
`Removed findings: ${input.removed}`
|
|
11
|
+
];
|
|
12
|
+
if (input.scoreBefore !== undefined &&
|
|
13
|
+
input.scoreAfter !== undefined) {
|
|
14
|
+
lines.push(`Security score: ${input.scoreBefore} → ${input.scoreAfter}`);
|
|
15
|
+
}
|
|
16
|
+
lines.push('', 'This summary was generated locally from structured Toolip scan differences.');
|
|
17
|
+
return lines.join('\n');
|
|
18
|
+
}
|
|
19
|
+
//# sourceMappingURL=generate.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"generate.js","sourceRoot":"","sources":["../../../../src/core/announce/generate.ts"],"names":[],"mappings":"AASA,MAAM,UAAU,oBAAoB,CAAC,KAAwB;IAC3D,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO;QACzB,CAAC,CAAC,UAAU,KAAK,CAAC,OAAO,kBAAkB;QAC3C,CAAC,CAAC,wBAAwB,CAAC;IAE7B,MAAM,KAAK,GAAG;QACZ,KAAK;QACL,EAAE;QACF,mBAAmB,KAAK,CAAC,KAAK,EAAE;QAChC,iBAAiB,KAAK,CAAC,KAAK,EAAE;QAC9B,qBAAqB,KAAK,CAAC,OAAO,EAAE;KACrC,CAAC;IAEF,IACE,KAAK,CAAC,WAAW,KAAK,SAAS;QAC/B,KAAK,CAAC,UAAU,KAAK,SAAS,EAC9B,CAAC;QACD,KAAK,CAAC,IAAI,CACR,mBAAmB,KAAK,CAAC,WAAW,MAAM,KAAK,CAAC,UAAU,EAAE,CAC7D,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CACR,EAAE,EACF,6EAA6E,CAC9E,CAAC;IAEF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
import { readFile } from 'node:fs/promises';
|
|
2
|
+
import path from 'node:path';
|
|
3
|
+
import { toolipConfigSchema } from './schema.js';
|
|
4
|
+
export const TOOLIP_CONFIG_FILE = 'toolip.config.json';
|
|
5
|
+
export async function loadToolipConfig(root) {
|
|
6
|
+
const filePath = path.join(root, TOOLIP_CONFIG_FILE);
|
|
7
|
+
try {
|
|
8
|
+
const raw = await readFile(filePath, 'utf8');
|
|
9
|
+
const parsed = JSON.parse(raw);
|
|
10
|
+
return toolipConfigSchema.parse(parsed);
|
|
11
|
+
}
|
|
12
|
+
catch (error) {
|
|
13
|
+
if (error instanceof Error &&
|
|
14
|
+
'code' in error &&
|
|
15
|
+
error.code === 'ENOENT') {
|
|
16
|
+
return toolipConfigSchema.parse({});
|
|
17
|
+
}
|
|
18
|
+
throw error;
|
|
19
|
+
}
|
|
20
|
+
}
|
|
21
|
+
//# sourceMappingURL=load.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"load.js","sourceRoot":"","sources":["../../../../src/core/config/load.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EACL,kBAAkB,EAEnB,MAAM,aAAa,CAAC;AAErB,MAAM,CAAC,MAAM,kBAAkB,GAC7B,oBAAoB,CAAC;AAEvB,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,IAAY;IAEZ,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CACxB,IAAI,EACJ,kBAAkB,CACnB,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAY,CAAC;QAE1C,OAAO,kBAAkB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IACE,KAAK,YAAY,KAAK;YACtB,MAAM,IAAI,KAAK;YACf,KAAK,CAAC,IAAI,KAAK,QAAQ,EACvB,CAAC;YACD,OAAO,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACtC,CAAC;QAED,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC"}
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
function wildcardMatch(value, pattern) {
|
|
2
|
+
const escaped = pattern
|
|
3
|
+
.replaceAll(/[.+^${}()|[\]\\]/g, '\\$&')
|
|
4
|
+
.replaceAll('**', '___DOUBLE_STAR___')
|
|
5
|
+
.replaceAll('*', '[^/]*')
|
|
6
|
+
.replaceAll('___DOUBLE_STAR___', '.*');
|
|
7
|
+
return new RegExp(`^${escaped}$`).test(value);
|
|
8
|
+
}
|
|
9
|
+
function suppressionActive(expiresAt) {
|
|
10
|
+
return (expiresAt === undefined ||
|
|
11
|
+
new Date(expiresAt).getTime() > Date.now());
|
|
12
|
+
}
|
|
13
|
+
export function applyFindingPolicy(findings, config) {
|
|
14
|
+
const output = [];
|
|
15
|
+
for (const finding of findings) {
|
|
16
|
+
const rule = config.rules[finding.ruleId];
|
|
17
|
+
const file = finding.location?.file ?? '';
|
|
18
|
+
if (rule?.enabled === false) {
|
|
19
|
+
continue;
|
|
20
|
+
}
|
|
21
|
+
let severity = rule?.severity ?? finding.severity;
|
|
22
|
+
for (const pathRule of rule?.paths ?? []) {
|
|
23
|
+
if (file &&
|
|
24
|
+
wildcardMatch(file, pathRule.pattern)) {
|
|
25
|
+
if (pathRule.enabled === false) {
|
|
26
|
+
severity = finding.severity;
|
|
27
|
+
break;
|
|
28
|
+
}
|
|
29
|
+
severity =
|
|
30
|
+
pathRule.severity ?? severity;
|
|
31
|
+
}
|
|
32
|
+
}
|
|
33
|
+
const suppressed = config.suppressions.some((suppression) => suppression.ruleId === finding.ruleId &&
|
|
34
|
+
suppressionActive(suppression.expiresAt) &&
|
|
35
|
+
(suppression.path === undefined ||
|
|
36
|
+
(file &&
|
|
37
|
+
wildcardMatch(file, suppression.path))));
|
|
38
|
+
if (suppressed) {
|
|
39
|
+
continue;
|
|
40
|
+
}
|
|
41
|
+
output.push({
|
|
42
|
+
...finding,
|
|
43
|
+
severity
|
|
44
|
+
});
|
|
45
|
+
}
|
|
46
|
+
return output;
|
|
47
|
+
}
|
|
48
|
+
//# sourceMappingURL=policy.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../../../src/core/config/policy.ts"],"names":[],"mappings":"AAGA,SAAS,aAAa,CACpB,KAAa,EACb,OAAe;IAEf,MAAM,OAAO,GAAG,OAAO;SACpB,UAAU,CAAC,mBAAmB,EAAE,MAAM,CAAC;SACvC,UAAU,CAAC,IAAI,EAAE,mBAAmB,CAAC;SACrC,UAAU,CAAC,GAAG,EAAE,OAAO,CAAC;SACxB,UAAU,CAAC,mBAAmB,EAAE,IAAI,CAAC,CAAC;IAEzC,OAAO,IAAI,MAAM,CAAC,IAAI,OAAO,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAChD,CAAC;AAED,SAAS,iBAAiB,CACxB,SAAkB;IAElB,OAAO,CACL,SAAS,KAAK,SAAS;QACvB,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAC3C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,QAAmB,EACnB,MAAoB;IAEpB,MAAM,MAAM,GAAc,EAAE,CAAC;IAE7B,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC;QAE1C,IAAI,IAAI,EAAE,OAAO,KAAK,KAAK,EAAE,CAAC;YAC5B,SAAS;QACX,CAAC;QAED,IAAI,QAAQ,GACV,IAAI,EAAE,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;QAErC,KAAK,MAAM,QAAQ,IAAI,IAAI,EAAE,KAAK,IAAI,EAAE,EAAE,CAAC;YACzC,IACE,IAAI;gBACJ,aAAa,CAAC,IAAI,EAAE,QAAQ,CAAC,OAAO,CAAC,EACrC,CAAC;gBACD,IAAI,QAAQ,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;oBAC/B,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;oBAC5B,MAAM;gBACR,CAAC;gBAED,QAAQ;oBACN,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC;YAClC,CAAC;QACH,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,CAAC,YAAY,CAAC,IAAI,CACzC,CAAC,WAAW,EAAE,EAAE,CACd,WAAW,CAAC,MAAM,KAAK,OAAO,CAAC,MAAM;YACrC,iBAAiB,CACf,WAAW,CAAC,SAAS,CACtB;YACD,CACE,WAAW,CAAC,IAAI,KAAK,SAAS;gBAC9B,CACE,IAAI;oBACJ,aAAa,CACX,IAAI,EACJ,WAAW,CAAC,IAAI,CACjB,CACF,CACF,CACJ,CAAC;QAEF,IAAI,UAAU,EAAE,CAAC;YACf,SAAS;QACX,CAAC;QAED,MAAM,CAAC,IAAI,CAAC;YACV,GAAG,OAAO;YACV,QAAQ;SACT,CAAC,CAAC;IACL,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}
|
|
@@ -0,0 +1,172 @@
|
|
|
1
|
+
import { z } from 'zod';
|
|
2
|
+
export declare const toolipConfigSchema: z.ZodObject<{
|
|
3
|
+
schemaVersion: z.ZodDefault<z.ZodLiteral<"1.0">>;
|
|
4
|
+
include: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
|
|
5
|
+
exclude: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
|
|
6
|
+
rules: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodObject<{
|
|
7
|
+
enabled: z.ZodOptional<z.ZodBoolean>;
|
|
8
|
+
severity: z.ZodOptional<z.ZodEnum<["critical", "high", "medium", "low", "info"]>>;
|
|
9
|
+
paths: z.ZodOptional<z.ZodArray<z.ZodObject<{
|
|
10
|
+
pattern: z.ZodString;
|
|
11
|
+
severity: z.ZodOptional<z.ZodEnum<["critical", "high", "medium", "low", "info"]>>;
|
|
12
|
+
enabled: z.ZodOptional<z.ZodBoolean>;
|
|
13
|
+
}, "strip", z.ZodTypeAny, {
|
|
14
|
+
pattern: string;
|
|
15
|
+
severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
|
|
16
|
+
enabled?: boolean | undefined;
|
|
17
|
+
}, {
|
|
18
|
+
pattern: string;
|
|
19
|
+
severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
|
|
20
|
+
enabled?: boolean | undefined;
|
|
21
|
+
}>, "many">>;
|
|
22
|
+
}, "strip", z.ZodTypeAny, {
|
|
23
|
+
severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
|
|
24
|
+
enabled?: boolean | undefined;
|
|
25
|
+
paths?: {
|
|
26
|
+
pattern: string;
|
|
27
|
+
severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
|
|
28
|
+
enabled?: boolean | undefined;
|
|
29
|
+
}[] | undefined;
|
|
30
|
+
}, {
|
|
31
|
+
severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
|
|
32
|
+
enabled?: boolean | undefined;
|
|
33
|
+
paths?: {
|
|
34
|
+
pattern: string;
|
|
35
|
+
severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
|
|
36
|
+
enabled?: boolean | undefined;
|
|
37
|
+
}[] | undefined;
|
|
38
|
+
}>>>;
|
|
39
|
+
suppressions: z.ZodDefault<z.ZodArray<z.ZodObject<{
|
|
40
|
+
ruleId: z.ZodString;
|
|
41
|
+
path: z.ZodOptional<z.ZodString>;
|
|
42
|
+
reason: z.ZodString;
|
|
43
|
+
expiresAt: z.ZodOptional<z.ZodString>;
|
|
44
|
+
}, "strip", z.ZodTypeAny, {
|
|
45
|
+
ruleId: string;
|
|
46
|
+
reason: string;
|
|
47
|
+
expiresAt?: string | undefined;
|
|
48
|
+
path?: string | undefined;
|
|
49
|
+
}, {
|
|
50
|
+
ruleId: string;
|
|
51
|
+
reason: string;
|
|
52
|
+
expiresAt?: string | undefined;
|
|
53
|
+
path?: string | undefined;
|
|
54
|
+
}>, "many">>;
|
|
55
|
+
history: z.ZodDefault<z.ZodObject<{
|
|
56
|
+
enabled: z.ZodDefault<z.ZodBoolean>;
|
|
57
|
+
maxEntries: z.ZodDefault<z.ZodNumber>;
|
|
58
|
+
}, "strip", z.ZodTypeAny, {
|
|
59
|
+
enabled: boolean;
|
|
60
|
+
maxEntries: number;
|
|
61
|
+
}, {
|
|
62
|
+
enabled?: boolean | undefined;
|
|
63
|
+
maxEntries?: number | undefined;
|
|
64
|
+
}>>;
|
|
65
|
+
providers: z.ZodDefault<z.ZodObject<{
|
|
66
|
+
osv: z.ZodDefault<z.ZodObject<{
|
|
67
|
+
enabled: z.ZodDefault<z.ZodBoolean>;
|
|
68
|
+
timeoutMs: z.ZodDefault<z.ZodNumber>;
|
|
69
|
+
}, "strip", z.ZodTypeAny, {
|
|
70
|
+
timeoutMs: number;
|
|
71
|
+
enabled: boolean;
|
|
72
|
+
}, {
|
|
73
|
+
timeoutMs?: number | undefined;
|
|
74
|
+
enabled?: boolean | undefined;
|
|
75
|
+
}>>;
|
|
76
|
+
depsDev: z.ZodDefault<z.ZodObject<{
|
|
77
|
+
enabled: z.ZodDefault<z.ZodBoolean>;
|
|
78
|
+
timeoutMs: z.ZodDefault<z.ZodNumber>;
|
|
79
|
+
}, "strip", z.ZodTypeAny, {
|
|
80
|
+
timeoutMs: number;
|
|
81
|
+
enabled: boolean;
|
|
82
|
+
}, {
|
|
83
|
+
timeoutMs?: number | undefined;
|
|
84
|
+
enabled?: boolean | undefined;
|
|
85
|
+
}>>;
|
|
86
|
+
}, "strip", z.ZodTypeAny, {
|
|
87
|
+
osv: {
|
|
88
|
+
timeoutMs: number;
|
|
89
|
+
enabled: boolean;
|
|
90
|
+
};
|
|
91
|
+
depsDev: {
|
|
92
|
+
timeoutMs: number;
|
|
93
|
+
enabled: boolean;
|
|
94
|
+
};
|
|
95
|
+
}, {
|
|
96
|
+
osv?: {
|
|
97
|
+
timeoutMs?: number | undefined;
|
|
98
|
+
enabled?: boolean | undefined;
|
|
99
|
+
} | undefined;
|
|
100
|
+
depsDev?: {
|
|
101
|
+
timeoutMs?: number | undefined;
|
|
102
|
+
enabled?: boolean | undefined;
|
|
103
|
+
} | undefined;
|
|
104
|
+
}>>;
|
|
105
|
+
}, "strip", z.ZodTypeAny, {
|
|
106
|
+
schemaVersion: "1.0";
|
|
107
|
+
history: {
|
|
108
|
+
enabled: boolean;
|
|
109
|
+
maxEntries: number;
|
|
110
|
+
};
|
|
111
|
+
include: string[];
|
|
112
|
+
exclude: string[];
|
|
113
|
+
rules: Record<string, {
|
|
114
|
+
severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
|
|
115
|
+
enabled?: boolean | undefined;
|
|
116
|
+
paths?: {
|
|
117
|
+
pattern: string;
|
|
118
|
+
severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
|
|
119
|
+
enabled?: boolean | undefined;
|
|
120
|
+
}[] | undefined;
|
|
121
|
+
}>;
|
|
122
|
+
suppressions: {
|
|
123
|
+
ruleId: string;
|
|
124
|
+
reason: string;
|
|
125
|
+
expiresAt?: string | undefined;
|
|
126
|
+
path?: string | undefined;
|
|
127
|
+
}[];
|
|
128
|
+
providers: {
|
|
129
|
+
osv: {
|
|
130
|
+
timeoutMs: number;
|
|
131
|
+
enabled: boolean;
|
|
132
|
+
};
|
|
133
|
+
depsDev: {
|
|
134
|
+
timeoutMs: number;
|
|
135
|
+
enabled: boolean;
|
|
136
|
+
};
|
|
137
|
+
};
|
|
138
|
+
}, {
|
|
139
|
+
schemaVersion?: "1.0" | undefined;
|
|
140
|
+
history?: {
|
|
141
|
+
enabled?: boolean | undefined;
|
|
142
|
+
maxEntries?: number | undefined;
|
|
143
|
+
} | undefined;
|
|
144
|
+
include?: string[] | undefined;
|
|
145
|
+
exclude?: string[] | undefined;
|
|
146
|
+
rules?: Record<string, {
|
|
147
|
+
severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
|
|
148
|
+
enabled?: boolean | undefined;
|
|
149
|
+
paths?: {
|
|
150
|
+
pattern: string;
|
|
151
|
+
severity?: "info" | "low" | "medium" | "high" | "critical" | undefined;
|
|
152
|
+
enabled?: boolean | undefined;
|
|
153
|
+
}[] | undefined;
|
|
154
|
+
}> | undefined;
|
|
155
|
+
suppressions?: {
|
|
156
|
+
ruleId: string;
|
|
157
|
+
reason: string;
|
|
158
|
+
expiresAt?: string | undefined;
|
|
159
|
+
path?: string | undefined;
|
|
160
|
+
}[] | undefined;
|
|
161
|
+
providers?: {
|
|
162
|
+
osv?: {
|
|
163
|
+
timeoutMs?: number | undefined;
|
|
164
|
+
enabled?: boolean | undefined;
|
|
165
|
+
} | undefined;
|
|
166
|
+
depsDev?: {
|
|
167
|
+
timeoutMs?: number | undefined;
|
|
168
|
+
enabled?: boolean | undefined;
|
|
169
|
+
} | undefined;
|
|
170
|
+
} | undefined;
|
|
171
|
+
}>;
|
|
172
|
+
export type ToolipConfig = z.infer<typeof toolipConfigSchema>;
|
|
@@ -0,0 +1,84 @@
|
|
|
1
|
+
import { z } from 'zod';
|
|
2
|
+
export const toolipConfigSchema = z.object({
|
|
3
|
+
schemaVersion: z.literal('1.0').default('1.0'),
|
|
4
|
+
include: z.array(z.string()).default([]),
|
|
5
|
+
exclude: z.array(z.string()).default([]),
|
|
6
|
+
rules: z
|
|
7
|
+
.record(z.object({
|
|
8
|
+
enabled: z.boolean().optional(),
|
|
9
|
+
severity: z
|
|
10
|
+
.enum([
|
|
11
|
+
'critical',
|
|
12
|
+
'high',
|
|
13
|
+
'medium',
|
|
14
|
+
'low',
|
|
15
|
+
'info'
|
|
16
|
+
])
|
|
17
|
+
.optional(),
|
|
18
|
+
paths: z
|
|
19
|
+
.array(z.object({
|
|
20
|
+
pattern: z.string(),
|
|
21
|
+
severity: z
|
|
22
|
+
.enum([
|
|
23
|
+
'critical',
|
|
24
|
+
'high',
|
|
25
|
+
'medium',
|
|
26
|
+
'low',
|
|
27
|
+
'info'
|
|
28
|
+
])
|
|
29
|
+
.optional(),
|
|
30
|
+
enabled: z.boolean().optional()
|
|
31
|
+
}))
|
|
32
|
+
.optional()
|
|
33
|
+
}))
|
|
34
|
+
.default({}),
|
|
35
|
+
suppressions: z
|
|
36
|
+
.array(z.object({
|
|
37
|
+
ruleId: z.string(),
|
|
38
|
+
path: z.string().optional(),
|
|
39
|
+
reason: z.string().min(3),
|
|
40
|
+
expiresAt: z.string().datetime().optional()
|
|
41
|
+
}))
|
|
42
|
+
.default([]),
|
|
43
|
+
history: z
|
|
44
|
+
.object({
|
|
45
|
+
enabled: z.boolean().default(true),
|
|
46
|
+
maxEntries: z.number().int().positive().max(5000).default(500)
|
|
47
|
+
})
|
|
48
|
+
.default({
|
|
49
|
+
enabled: true,
|
|
50
|
+
maxEntries: 500
|
|
51
|
+
}),
|
|
52
|
+
providers: z
|
|
53
|
+
.object({
|
|
54
|
+
osv: z
|
|
55
|
+
.object({
|
|
56
|
+
enabled: z.boolean().default(true),
|
|
57
|
+
timeoutMs: z.number().int().positive().default(20000)
|
|
58
|
+
})
|
|
59
|
+
.default({
|
|
60
|
+
enabled: true,
|
|
61
|
+
timeoutMs: 20000
|
|
62
|
+
}),
|
|
63
|
+
depsDev: z
|
|
64
|
+
.object({
|
|
65
|
+
enabled: z.boolean().default(true),
|
|
66
|
+
timeoutMs: z.number().int().positive().default(20000)
|
|
67
|
+
})
|
|
68
|
+
.default({
|
|
69
|
+
enabled: true,
|
|
70
|
+
timeoutMs: 20000
|
|
71
|
+
})
|
|
72
|
+
})
|
|
73
|
+
.default({
|
|
74
|
+
osv: {
|
|
75
|
+
enabled: true,
|
|
76
|
+
timeoutMs: 20000
|
|
77
|
+
},
|
|
78
|
+
depsDev: {
|
|
79
|
+
enabled: true,
|
|
80
|
+
timeoutMs: 20000
|
|
81
|
+
}
|
|
82
|
+
})
|
|
83
|
+
});
|
|
84
|
+
//# sourceMappingURL=schema.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../../../src/core/config/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IACzC,aAAa,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IAC9C,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACxC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;IACxC,KAAK,EAAE,CAAC;SACL,MAAM,CACL,CAAC,CAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;QAC/B,QAAQ,EAAE,CAAC;aACR,IAAI,CAAC;YACJ,UAAU;YACV,MAAM;YACN,QAAQ;YACR,KAAK;YACL,MAAM;SACP,CAAC;aACD,QAAQ,EAAE;QACb,KAAK,EAAE,CAAC;aACL,KAAK,CACJ,CAAC,CAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;YACnB,QAAQ,EAAE,CAAC;iBACR,IAAI,CAAC;gBACJ,UAAU;gBACV,MAAM;gBACN,QAAQ;gBACR,KAAK;gBACL,MAAM;aACP,CAAC;iBACD,QAAQ,EAAE;YACb,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;SAChC,CAAC,CACH;aACA,QAAQ,EAAE;KACd,CAAC,CACH;SACA,OAAO,CAAC,EAAE,CAAC;IACd,YAAY,EAAE,CAAC;SACZ,KAAK,CACJ,CAAC,CAAC,MAAM,CAAC;QACP,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;QAClB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QAC3B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QACzB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;KAC5C,CAAC,CACH;SACA,OAAO,CAAC,EAAE,CAAC;IACd,OAAO,EAAE,CAAC;SACP,MAAM,CAAC;QACN,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;QAClC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;KAC/D,CAAC;SACD,OAAO,CAAC;QACP,OAAO,EAAE,IAAI;QACb,UAAU,EAAE,GAAG;KAChB,CAAC;IACJ,SAAS,EAAE,CAAC;SACT,MAAM,CAAC;QACN,GAAG,EAAE,CAAC;aACH,MAAM,CAAC;YACN,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;YAClC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;SACtD,CAAC;aACD,OAAO,CAAC;YACP,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,KAAK;SACjB,CAAC;QACJ,OAAO,EAAE,CAAC;aACP,MAAM,CAAC;YACN,OAAO,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;YAClC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;SACtD,CAAC;aACD,OAAO,CAAC;YACP,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,KAAK;SACjB,CAAC;KACL,CAAC;SACD,OAAO,CAAC;QACP,GAAG,EAAE;YACH,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,KAAK;SACjB;QACD,OAAO,EAAE;YACP,OAAO,EAAE,IAAI;YACb,SAAS,EAAE,KAAK;SACjB;KACF,CAAC;CACL,CAAC,CAAC"}
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
import { readFile } from 'node:fs/promises';
|
|
2
|
+
import path from 'node:path';
|
|
3
|
+
function packageNameFromLockPath(lockPath) {
|
|
4
|
+
const marker = 'node_modules/';
|
|
5
|
+
const markerIndex = lockPath.lastIndexOf(marker);
|
|
6
|
+
if (markerIndex === -1)
|
|
7
|
+
return undefined;
|
|
8
|
+
return lockPath.slice(markerIndex + marker.length);
|
|
9
|
+
}
|
|
10
|
+
function isDirectPackagePath(lockPath) {
|
|
11
|
+
if (!lockPath.startsWith('node_modules/'))
|
|
12
|
+
return false;
|
|
13
|
+
const remainder = lockPath.slice('node_modules/'.length);
|
|
14
|
+
if (remainder.startsWith('@'))
|
|
15
|
+
return remainder.split('/').length === 2;
|
|
16
|
+
return !remainder.includes('/');
|
|
17
|
+
}
|
|
18
|
+
export async function readNpmDependencyInventory(root) {
|
|
19
|
+
const raw = await readFile(path.join(root, 'package-lock.json'), 'utf8');
|
|
20
|
+
const lockfile = JSON.parse(raw);
|
|
21
|
+
if (!lockfile.packages) {
|
|
22
|
+
throw new Error('Toolip requires package-lock.json lockfileVersion 2 or newer.');
|
|
23
|
+
}
|
|
24
|
+
const dependencies = new Map();
|
|
25
|
+
for (const [lockPath, entry] of Object.entries(lockfile.packages)) {
|
|
26
|
+
if (lockPath === '' || !entry.version)
|
|
27
|
+
continue;
|
|
28
|
+
const name = entry.name ?? packageNameFromLockPath(lockPath);
|
|
29
|
+
if (!name)
|
|
30
|
+
continue;
|
|
31
|
+
const identity = {
|
|
32
|
+
ecosystem: 'npm',
|
|
33
|
+
name,
|
|
34
|
+
version: entry.version,
|
|
35
|
+
direct: isDirectPackagePath(lockPath),
|
|
36
|
+
development: Boolean(entry.dev),
|
|
37
|
+
source: 'package-lock'
|
|
38
|
+
};
|
|
39
|
+
dependencies.set(`npm:${identity.name}@${identity.version}`, identity);
|
|
40
|
+
}
|
|
41
|
+
return [...dependencies.values()].sort((a, b) => `${a.name}@${a.version}`.localeCompare(`${b.name}@${b.version}`));
|
|
42
|
+
}
|
|
43
|
+
//# sourceMappingURL=inventory.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"inventory.js","sourceRoot":"","sources":["../../../../src/core/dependencies/inventory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,IAAI,MAAM,WAAW,CAAC;AAmB7B,SAAS,uBAAuB,CAAC,QAAgB;IAC/C,MAAM,MAAM,GAAG,eAAe,CAAC;IAC/B,MAAM,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC;IACjD,IAAI,WAAW,KAAK,CAAC,CAAC;QAAE,OAAO,SAAS,CAAC;IACzC,OAAO,QAAQ,CAAC,KAAK,CAAC,WAAW,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,mBAAmB,CAAC,QAAgB;IAC3C,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,eAAe,CAAC;QAAE,OAAO,KAAK,CAAC;IACxD,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;IACzD,IAAI,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC;IACxE,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAAC,IAAY;IAC3D,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,mBAAmB,CAAC,EAAE,MAAM,CAAC,CAAC;IACzE,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAkB,CAAC;IAElD,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,+DAA+D,CAAC,CAAC;IACnF,CAAC;IAED,MAAM,YAAY,GAAG,IAAI,GAAG,EAA8B,CAAC;IAE3D,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAClE,IAAI,QAAQ,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO;YAAE,SAAS;QAChD,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,IAAI,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QAC7D,IAAI,CAAC,IAAI;YAAE,SAAS;QAEpB,MAAM,QAAQ,GAAuB;YACnC,SAAS,EAAE,KAAK;YAChB,IAAI;YACJ,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,MAAM,EAAE,mBAAmB,CAAC,QAAQ,CAAC;YACrC,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC;YAC/B,MAAM,EAAE,cAAc;SACvB,CAAC;QAEF,YAAY,CAAC,GAAG,CAAC,OAAO,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC,CAAC;IACzE,CAAC;IAED,OAAO,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAC9C,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC,CACjE,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
export type SecurityDiffResult = {
|
|
2
|
+
base: string;
|
|
3
|
+
head: string;
|
|
4
|
+
files: string[];
|
|
5
|
+
packageManifestChanged: boolean;
|
|
6
|
+
lockfileChanged: boolean;
|
|
7
|
+
dockerfilesChanged: string[];
|
|
8
|
+
sourceFilesChanged: string[];
|
|
9
|
+
};
|
|
10
|
+
export declare function securityDiff(root: string, base: string, head: string): Promise<SecurityDiffResult>;
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
import { execFile } from 'node:child_process';
|
|
2
|
+
import { promisify } from 'node:util';
|
|
3
|
+
const execFileAsync = promisify(execFile);
|
|
4
|
+
export async function securityDiff(root, base, head) {
|
|
5
|
+
const { stdout } = await execFileAsync('git', ['diff', '--name-only', `${base}..${head}`], {
|
|
6
|
+
cwd: root,
|
|
7
|
+
encoding: 'utf8'
|
|
8
|
+
});
|
|
9
|
+
const files = stdout.split(/\r?\n/).filter(Boolean);
|
|
10
|
+
return {
|
|
11
|
+
base,
|
|
12
|
+
head,
|
|
13
|
+
files,
|
|
14
|
+
packageManifestChanged: files.some((file) => /(^|\/)package\.json$/.test(file)),
|
|
15
|
+
lockfileChanged: files.some((file) => /(^|\/)(package-lock\.json|pnpm-lock\.yaml|yarn\.lock)$/.test(file)),
|
|
16
|
+
dockerfilesChanged: files.filter((file) => /(^|\/)Dockerfile(?:\..+)?$/.test(file)),
|
|
17
|
+
sourceFilesChanged: files.filter((file) => /\.(js|jsx|ts|tsx|mjs|cjs)$/.test(file))
|
|
18
|
+
};
|
|
19
|
+
}
|
|
20
|
+
//# sourceMappingURL=security-diff.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"security-diff.js","sourceRoot":"","sources":["../../../../src/core/diff/security-diff.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAY1C,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,IAAY,EACZ,IAAY,EACZ,IAAY;IAEZ,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CACpC,KAAK,EACL,CAAC,MAAM,EAAE,aAAa,EAAE,GAAG,IAAI,KAAK,IAAI,EAAE,CAAC,EAC3C;QACE,GAAG,EAAE,IAAI;QACT,QAAQ,EAAE,MAAM;KACjB,CACF,CAAC;IAEF,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAEpD,OAAO;QACL,IAAI;QACJ,IAAI;QACJ,KAAK;QACL,sBAAsB,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,sBAAsB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/E,eAAe,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,wDAAwD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1G,kBAAkB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,4BAA4B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnF,kBAAkB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,4BAA4B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;KACpF,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
import { mkdtemp, rm } from 'node:fs/promises';
|
|
2
|
+
import { execFile } from 'node:child_process';
|
|
3
|
+
import { promisify } from 'node:util';
|
|
4
|
+
import os from 'node:os';
|
|
5
|
+
import path from 'node:path';
|
|
6
|
+
import { runSecurityDoctor } from '../security-doctor.js';
|
|
7
|
+
const execFileAsync = promisify(execFile);
|
|
8
|
+
export async function auditRemoteRepository(url) {
|
|
9
|
+
if (!/^https:\/\/github\.com\/[^/]+\/[^/]+(?:\.git)?$/.test(url)) {
|
|
10
|
+
throw new Error('Only public GitHub repository URLs are supported.');
|
|
11
|
+
}
|
|
12
|
+
const temporaryRoot = await mkdtemp(path.join(os.tmpdir(), 'toolip-remote-audit-'));
|
|
13
|
+
const target = path.join(temporaryRoot, 'repository');
|
|
14
|
+
try {
|
|
15
|
+
await execFileAsync('gh', ['repo', 'clone', url, target, '--', '--depth=1'], {
|
|
16
|
+
encoding: 'utf8'
|
|
17
|
+
});
|
|
18
|
+
const report = await runSecurityDoctor(target);
|
|
19
|
+
return {
|
|
20
|
+
repository: url,
|
|
21
|
+
report
|
|
22
|
+
};
|
|
23
|
+
}
|
|
24
|
+
finally {
|
|
25
|
+
await rm(temporaryRoot, { recursive: true, force: true });
|
|
26
|
+
}
|
|
27
|
+
}
|
|
28
|
+
//# sourceMappingURL=remote-audit.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"remote-audit.js","sourceRoot":"","sources":["../../../../src/core/github/remote-audit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAE1D,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,GAAW;IAIrD,IAAI,CAAC,iDAAiD,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACjE,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,aAAa,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,sBAAsB,CAAC,CAAC,CAAC;IACpF,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;IAEtD,IAAI,CAAC;QACH,MAAM,aAAa,CAAC,IAAI,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,WAAW,CAAC,EAAE;YAC3E,QAAQ,EAAE,MAAM;SACjB,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,MAAM,CAAC,CAAC;QAE/C,OAAO;YACL,UAAU,EAAE,GAAG;YACf,MAAM;SACP,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,MAAM,EAAE,CAAC,aAAa,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IAC5D,CAAC;AACH,CAAC"}
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
import { readFile, writeFile } from 'node:fs/promises';
|
|
2
|
+
import { execFile } from 'node:child_process';
|
|
3
|
+
import { promisify } from 'node:util';
|
|
4
|
+
import path from 'node:path';
|
|
5
|
+
const execFileAsync = promisify(execFile);
|
|
6
|
+
export async function createUpgradePullRequest(root, packageName, targetVersion, dryRun) {
|
|
7
|
+
const manifestPath = path.join(root, 'package.json');
|
|
8
|
+
const manifest = JSON.parse(await readFile(manifestPath, 'utf8'));
|
|
9
|
+
const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
|
|
10
|
+
let changed = false;
|
|
11
|
+
for (const section of sections) {
|
|
12
|
+
if (manifest[section]?.[packageName]) {
|
|
13
|
+
manifest[section][packageName] = targetVersion;
|
|
14
|
+
changed = true;
|
|
15
|
+
}
|
|
16
|
+
}
|
|
17
|
+
if (!changed) {
|
|
18
|
+
throw new Error(`${packageName} is not declared in package.json.`);
|
|
19
|
+
}
|
|
20
|
+
const branch = `toolip/upgrade-${packageName.replaceAll(/[^A-Za-z0-9]/g, '-')}-${targetVersion}`;
|
|
21
|
+
if (dryRun) {
|
|
22
|
+
return { branch, changed: true };
|
|
23
|
+
}
|
|
24
|
+
await execFileAsync('git', ['switch', '-c', branch], { cwd: root });
|
|
25
|
+
await writeFile(manifestPath, `${JSON.stringify(manifest, null, 2)}\n`);
|
|
26
|
+
await execFileAsync('npm', ['install', '--package-lock-only'], { cwd: root });
|
|
27
|
+
await execFileAsync('npm', ['test'], { cwd: root });
|
|
28
|
+
await execFileAsync('git', ['add', 'package.json', 'package-lock.json'], { cwd: root });
|
|
29
|
+
await execFileAsync('git', ['commit', '-m', `chore: upgrade ${packageName} to ${targetVersion}`], { cwd: root });
|
|
30
|
+
await execFileAsync('git', ['push', '-u', 'origin', branch], { cwd: root });
|
|
31
|
+
await execFileAsync('gh', [
|
|
32
|
+
'pr',
|
|
33
|
+
'create',
|
|
34
|
+
'--title',
|
|
35
|
+
`chore: upgrade ${packageName} to ${targetVersion}`,
|
|
36
|
+
'--body',
|
|
37
|
+
`Toolip generated this dependency upgrade after updating the lockfile and running the project test suite.`
|
|
38
|
+
], { cwd: root });
|
|
39
|
+
return { branch, changed: true };
|
|
40
|
+
}
|
|
41
|
+
//# sourceMappingURL=upgrade-pr.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"upgrade-pr.js","sourceRoot":"","sources":["../../../../src/core/github/upgrade-pr.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACvD,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,IAAY,EACZ,WAAmB,EACnB,aAAqB,EACrB,MAAe;IAEf,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,CAAwB,CAAC;IACzF,MAAM,QAAQ,GAAG,CAAC,cAAc,EAAE,iBAAiB,EAAE,sBAAsB,EAAE,kBAAkB,CAAC,CAAC;IACjG,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,WAAW,CAAC,EAAE,CAAC;YACrC,QAAQ,CAAC,OAAO,CAAC,CAAC,WAAW,CAAC,GAAG,aAAa,CAAC;YAC/C,OAAO,GAAG,IAAI,CAAC;QACjB,CAAC;IACH,CAAC;IAED,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,GAAG,WAAW,mCAAmC,CAAC,CAAC;IACrE,CAAC;IAED,MAAM,MAAM,GAAG,kBAAkB,WAAW,CAAC,UAAU,CAAC,eAAe,EAAE,GAAG,CAAC,IAAI,aAAa,EAAE,CAAC;IAEjG,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACpE,MAAM,SAAS,CAAC,YAAY,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;IACxE,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,SAAS,EAAE,qBAAqB,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IAC9E,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,MAAM,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,KAAK,EAAE,cAAc,EAAE,mBAAmB,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACxF,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,IAAI,EAAE,kBAAkB,WAAW,OAAO,aAAa,EAAE,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACjH,MAAM,aAAa,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IAC5E,MAAM,aAAa,CACjB,IAAI,EACJ;QACE,IAAI;QACJ,QAAQ;QACR,SAAS;QACT,kBAAkB,WAAW,OAAO,aAAa,EAAE;QACnD,QAAQ;QACR,0GAA0G;KAC3G,EACD,EAAE,GAAG,EAAE,IAAI,EAAE,CACd,CAAC;IAEF,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AACnC,CAAC"}
|