vite-plugin-vue-security 1.5.0 → 1.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +34 -0
- package/index.js +83 -50
- package/package.json +8 -3
package/README.md
CHANGED
|
@@ -2,6 +2,10 @@
|
|
|
2
2
|
|
|
3
3
|
A Vite plugin that performs security scans on Vue.js projects during the build process. This plugin integrates the Vue Security Scanner directly into your Vite build pipeline, allowing you to detect security vulnerabilities in real-time during development and build.
|
|
4
4
|
|
|
5
|
+
## Vue 3.6 Support
|
|
6
|
+
|
|
7
|
+
This plugin fully supports Vue 3.6, including the experimental Vapor Mode and other new features. It can detect security issues specific to Vue 3.6's enhanced reactivity system and optimized rendering pipeline.
|
|
8
|
+
|
|
5
9
|
## Installation
|
|
6
10
|
|
|
7
11
|
```bash
|
|
@@ -60,13 +64,43 @@ export default defineConfig({
|
|
|
60
64
|
- `outputFile`: Optional path to write a JSON security report (default: null)
|
|
61
65
|
- `exclude`: Array of patterns to exclude from scanning (default: [])
|
|
62
66
|
|
|
67
|
+
### Advanced Configuration Options
|
|
68
|
+
|
|
69
|
+
- `enableSemanticAnalysis`: Boolean to enable AST-based semantic analysis (default: true)
|
|
70
|
+
- `enableDependencyScanning`: Boolean to enable dependency vulnerability scanning (default: true)
|
|
71
|
+
- `enableAdvancedReport`: Boolean to enable advanced reporting with trends and compliance (default: false)
|
|
72
|
+
- `reportHistoryPath`: Path for report history (default: '.vue-security-reports')
|
|
73
|
+
- `complianceStandards`: Array of compliance standards to check (default: ['OWASP', 'GDPR', 'HIPAA', 'PCI-DSS', 'SOX'])
|
|
74
|
+
|
|
75
|
+
### Performance Configuration
|
|
76
|
+
|
|
77
|
+
- `performanceProfile`: Performance profile to use ('fast', 'balanced', 'thorough'; default: 'balanced')
|
|
78
|
+
- `enableParallelScanning`: Boolean to enable parallel rule matching (default: true)
|
|
79
|
+
- `enableIncrementalScanning`: Boolean to enable incremental scanning (default: true)
|
|
80
|
+
- `memoryLimit`: Memory usage limit in MB (default: 512)
|
|
81
|
+
|
|
82
|
+
### Trae CN Integration
|
|
83
|
+
|
|
84
|
+
- `enableTraeCN`: Boolean to enable Trae CN integration (default: false)
|
|
85
|
+
- `traeCNApiKey`: Trae CN API key
|
|
86
|
+
- `traeCNProjectId`: Trae CN project ID
|
|
87
|
+
- `traeCNAutoReport`: Boolean to auto-report vulnerabilities to Trae CN (default: true)
|
|
88
|
+
- `traeCNRealtimePush`: Boolean to push scan results in realtime (default: false)
|
|
89
|
+
|
|
63
90
|
## Features
|
|
64
91
|
|
|
65
92
|
- **Real-time Security Scanning**: Scans Vue, JS, and TS files during the build process
|
|
93
|
+
- **Vue 3.6 Support**: Fully supports Vue 3.6 including experimental Vapor Mode
|
|
66
94
|
- **Multiple Vulnerability Types**: Detects XSS, dependency issues, misconfigurations, hardcoded secrets, and more
|
|
67
95
|
- **Enterprise Plugin Support**: Compatible with the Vue Security Scanner plugin system
|
|
68
96
|
- **Flexible Reporting**: Configurable reporting levels and output formats
|
|
69
97
|
- **Build Integration**: Option to fail builds on security issues
|
|
98
|
+
- **Performance Optimizations**: Leverages the latest performance improvements from Vue Security Scanner 1.6.0
|
|
99
|
+
- Parallel rule matching using worker threads
|
|
100
|
+
- Incremental scanning with file change detection
|
|
101
|
+
- Rule classification and pre-filtering for faster scanning
|
|
102
|
+
- Memory usage optimization and automatic garbage collection
|
|
103
|
+
- **Advanced Configuration**: Support for performance profiles (fast, balanced, thorough)
|
|
70
104
|
|
|
71
105
|
## Detected Vulnerabilities
|
|
72
106
|
|
package/index.js
CHANGED
|
@@ -28,6 +28,16 @@ function vueSecurityPlugin(options = {}) {
|
|
|
28
28
|
reportHistoryPath: '.vue-security-reports', // Path for report history
|
|
29
29
|
complianceStandards: ['OWASP', 'GDPR', 'HIPAA', 'PCI-DSS', 'SOX'], // Compliance standards to check
|
|
30
30
|
|
|
31
|
+
// Performance Configuration
|
|
32
|
+
performanceProfile: 'balanced', // 'fast', 'balanced', 'thorough'
|
|
33
|
+
enableParallelScanning: true, // Enable parallel rule matching
|
|
34
|
+
enableIncrementalScanning: true, // Enable incremental scanning
|
|
35
|
+
memoryLimit: 512, // Memory usage limit in MB
|
|
36
|
+
|
|
37
|
+
// Vue 3.6 Support
|
|
38
|
+
enableVue36Features: true, // Enable Vue 3.6 specific feature detection
|
|
39
|
+
enableVaporModeScanning: true, // Enable scanning for Vapor Mode specific issues
|
|
40
|
+
|
|
31
41
|
// Trae CN Integration
|
|
32
42
|
enableTraeCN: false, // Enable Trae CN integration
|
|
33
43
|
traeCNApiKey: null, // Trae CN API key
|
|
@@ -80,11 +90,19 @@ function vueSecurityPlugin(options = {}) {
|
|
|
80
90
|
performance: {
|
|
81
91
|
enableSemanticAnalysis: config.enableSemanticAnalysis,
|
|
82
92
|
enableNpmAudit: config.enableDependencyScanning,
|
|
83
|
-
enableVulnerabilityDB: config.enableDependencyScanning
|
|
93
|
+
enableVulnerabilityDB: config.enableDependencyScanning,
|
|
94
|
+
enableParallelScanning: config.enableParallelScanning,
|
|
95
|
+
enableIncrementalScanning: config.enableIncrementalScanning,
|
|
96
|
+
performanceProfile: config.performanceProfile,
|
|
97
|
+
memoryLimit: config.memoryLimit
|
|
84
98
|
},
|
|
85
99
|
compliance: {
|
|
86
100
|
enabled: config.enableAdvancedReport,
|
|
87
101
|
standards: config.complianceStandards
|
|
102
|
+
},
|
|
103
|
+
vue: {
|
|
104
|
+
enableVue36Features: config.enableVue36Features,
|
|
105
|
+
enableVaporModeScanning: config.enableVaporModeScanning
|
|
88
106
|
}
|
|
89
107
|
};
|
|
90
108
|
|
|
@@ -114,6 +132,11 @@ function vueSecurityPlugin(options = {}) {
|
|
|
114
132
|
return null;
|
|
115
133
|
}
|
|
116
134
|
|
|
135
|
+
// Skip virtual files (like vite/modulepreload-polyfill.js)
|
|
136
|
+
if (id.includes('vite/') || id.includes('\x00')) {
|
|
137
|
+
return null;
|
|
138
|
+
}
|
|
139
|
+
|
|
117
140
|
// Only scan Vue files and JS/TS files
|
|
118
141
|
if (!id.endsWith('.vue') && !id.endsWith('.js') && !id.endsWith('.ts') && !id.endsWith('.jsx') && !id.endsWith('.tsx')) {
|
|
119
142
|
return null;
|
|
@@ -218,63 +241,73 @@ function vueSecurityPlugin(options = {}) {
|
|
|
218
241
|
}
|
|
219
242
|
|
|
220
243
|
// Generate report
|
|
221
|
-
|
|
222
|
-
|
|
223
|
-
|
|
224
|
-
|
|
225
|
-
|
|
226
|
-
|
|
227
|
-
|
|
228
|
-
|
|
229
|
-
|
|
230
|
-
|
|
231
|
-
|
|
232
|
-
|
|
233
|
-
|
|
234
|
-
|
|
235
|
-
|
|
236
|
-
|
|
237
|
-
|
|
238
|
-
|
|
239
|
-
|
|
240
|
-
|
|
241
|
-
|
|
242
|
-
|
|
243
|
-
|
|
244
|
-
|
|
245
|
-
|
|
244
|
+
const scanResult = {
|
|
245
|
+
summary: {
|
|
246
|
+
totalVulnerabilities: allVulnerabilities.length,
|
|
247
|
+
critical: allVulnerabilities.filter(v => v.severity === 'Critical').length,
|
|
248
|
+
high: allVulnerabilities.filter(v => v.severity === 'High').length,
|
|
249
|
+
medium: allVulnerabilities.filter(v => v.severity === 'Medium').length,
|
|
250
|
+
low: allVulnerabilities.filter(v => v.severity === 'Low').length
|
|
251
|
+
},
|
|
252
|
+
vulnerabilities: allVulnerabilities,
|
|
253
|
+
scanInfo: {
|
|
254
|
+
scannerVersion: '1.6.0',
|
|
255
|
+
scanDate: new Date().toISOString(),
|
|
256
|
+
projectPath: process.cwd()
|
|
257
|
+
}
|
|
258
|
+
};
|
|
259
|
+
|
|
260
|
+
// Generate advanced report if enabled
|
|
261
|
+
if (config.enableAdvancedReport && advancedReportGenerator) {
|
|
262
|
+
try {
|
|
263
|
+
const advancedReport = advancedReportGenerator.generateAdvancedReport(scanResult, {
|
|
264
|
+
includeTrends: true,
|
|
265
|
+
includeCompliance: true,
|
|
266
|
+
historyPath: config.reportHistoryPath
|
|
267
|
+
});
|
|
268
|
+
|
|
269
|
+
if (config.outputFile) {
|
|
270
|
+
const reportPath = config.outputFile.endsWith('.html')
|
|
271
|
+
? config.outputFile
|
|
272
|
+
: config.outputFile.replace('.json', '.html');
|
|
246
273
|
|
|
247
|
-
|
|
248
|
-
const reportPath = config.outputFile.endsWith('.html')
|
|
249
|
-
? config.outputFile
|
|
250
|
-
: config.outputFile.replace('.json', '.html');
|
|
251
|
-
|
|
252
|
-
await writeAdvancedReport(reportPath, advancedReport, 'html');
|
|
253
|
-
}
|
|
254
|
-
} catch (error) {
|
|
255
|
-
console.warn('Advanced report generation failed:', error.message);
|
|
274
|
+
await writeAdvancedReport(reportPath, advancedReport, 'html');
|
|
256
275
|
}
|
|
276
|
+
} catch (error) {
|
|
277
|
+
console.warn('Advanced report generation failed:', error.message);
|
|
257
278
|
}
|
|
279
|
+
}
|
|
258
280
|
|
|
259
|
-
|
|
260
|
-
|
|
261
|
-
|
|
262
|
-
|
|
281
|
+
// Write basic report
|
|
282
|
+
if (config.outputFile) {
|
|
283
|
+
await writeSecurityReport(config.outputFile, allVulnerabilities, scanResult);
|
|
284
|
+
}
|
|
263
285
|
|
|
264
|
-
|
|
265
|
-
|
|
266
|
-
|
|
267
|
-
|
|
268
|
-
|
|
269
|
-
|
|
270
|
-
|
|
271
|
-
|
|
272
|
-
}
|
|
273
|
-
} catch (error) {
|
|
274
|
-
console.warn(`Trae CN push error: ${error.message}`);
|
|
286
|
+
// Report scan results to Trae CN if enabled
|
|
287
|
+
if (traeCNIntegration && config.traeCNRealtimePush) {
|
|
288
|
+
try {
|
|
289
|
+
const pushResult = await traeCNIntegration.reportScanResults(scanResult);
|
|
290
|
+
if (pushResult.success) {
|
|
291
|
+
console.log('Scan results pushed to Trae CN');
|
|
292
|
+
} else {
|
|
293
|
+
console.warn(`Failed to push scan results to Trae CN: ${pushResult.message}`);
|
|
275
294
|
}
|
|
295
|
+
} catch (error) {
|
|
296
|
+
console.warn(`Trae CN push error: ${error.message}`);
|
|
276
297
|
}
|
|
277
298
|
}
|
|
299
|
+
|
|
300
|
+
// Release resources
|
|
301
|
+
try {
|
|
302
|
+
// Shutdown parallel rule engine if it exists
|
|
303
|
+
const parallelRuleEngine = require('vue-security-scanner/src/rules/parallel-rule-engine');
|
|
304
|
+
if (parallelRuleEngine && parallelRuleEngine.shutdown) {
|
|
305
|
+
parallelRuleEngine.shutdown();
|
|
306
|
+
console.log('Parallel rule engine shutdown completed');
|
|
307
|
+
}
|
|
308
|
+
} catch (error) {
|
|
309
|
+
// Ignore shutdown errors
|
|
310
|
+
}
|
|
278
311
|
}
|
|
279
312
|
};
|
|
280
313
|
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "vite-plugin-vue-security",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.6.0",
|
|
4
4
|
"description": "A Vite plugin that performs security scans on Vue.js projects during the build process with advanced semantic analysis and enterprise-grade reporting",
|
|
5
5
|
"main": "index.js",
|
|
6
6
|
"scripts": {
|
|
@@ -10,6 +10,9 @@
|
|
|
10
10
|
"vite",
|
|
11
11
|
"plugin",
|
|
12
12
|
"vue",
|
|
13
|
+
"vue3",
|
|
14
|
+
"vue3.6",
|
|
15
|
+
"vapor-mode",
|
|
13
16
|
"security",
|
|
14
17
|
"scanner",
|
|
15
18
|
"vulnerability",
|
|
@@ -18,7 +21,9 @@
|
|
|
18
21
|
"ast",
|
|
19
22
|
"semantic-analysis",
|
|
20
23
|
"dependency-scanning",
|
|
21
|
-
"compliance"
|
|
24
|
+
"compliance",
|
|
25
|
+
"performance",
|
|
26
|
+
"parallel-processing"
|
|
22
27
|
],
|
|
23
28
|
"author": "ereddate",
|
|
24
29
|
"license": "MIT",
|
|
@@ -28,7 +33,7 @@
|
|
|
28
33
|
},
|
|
29
34
|
"dependencies": {
|
|
30
35
|
"cheerio": "^1.0.0-rc.12",
|
|
31
|
-
"vue-security-scanner": "^1.
|
|
36
|
+
"vue-security-scanner": "^1.6.0"
|
|
32
37
|
},
|
|
33
38
|
"repository": {
|
|
34
39
|
"type": "git",
|