chore: setup workspaces

.github/workflows/codeql.yml

@@ -50,7 +50,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
+        uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -63,7 +63,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
+        uses: github/codeql-action/autobuild@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -76,6 +76,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
+        uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/estree-ast-utils.yml

@@ -0,0 +1,41 @@
+# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs
+
+name: Node.js CI
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - workspaces/estree-ast-utils/**
+  pull_request:
+    paths:
+      - workspaces/estree-ast-utils/**
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [18.x, 20.x]
+        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
+
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+      with:
+        node-version: ${{ matrix.node-version }}
+    - run: npm install
+    - run: npm test

.github/workflows/node.js.yml

@@ -31,7 +31,7 @@ jobs:
       - name: Run tests
         run: npm run test
       - name: Send coverage report to Codecov
-        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
+        uses: codecov/codecov-action@428cda1b1c731be3e8bfa389049c3f276d572ffb # v4.0.0-beta.3
   nsci:
     runs-on: ubuntu-latest
     strategy:
@@ -51,7 +51,7 @@ jobs:
           node-version: ${{ matrix.node-version }}
       - name: Install dependencies
         run: npm install
-      - uses: NodeSecure/ci-action@e3ac9c03585752e979622279106a161e94d5717b # v1
+      - uses: NodeSecure/ci-action@177c57fe32c75cafabe87f6e4515d277cc37ae6c # v1.4.1
         with:
           warnings: warning
           vulnerabilities: off

.github/workflows/scorecard.yml

@@ -37,12 +37,12 @@ jobs:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
       - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3.3.0 # v3.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -64,14 +64,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5
+        uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
         with:
           sarif_file: results.sarif

.github/workflows/sec-literal.yml

@@ -0,0 +1,29 @@
+name: Node.js CI
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - workspaces/sec-literal/**
+  pull_request:
+    paths:
+      - workspaces/sec-literal/**
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [18.x, 20.x]
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+        with:
+          node-version: ${{ matrix.node-version }}
+      - name: Install dependencies
+        run: npm install
+      - name: Run tests
+        run: npm run test

README.md

@@ -194,6 +194,21 @@ export type ReportOnFile = {
 
 </details>
 
+## Workspaces
+
+Click on one of the links to access the documentation of the workspace:
+
+| name | package and link |
+| --- | --- |
+| estree-ast-util | [@nodesecure/estree-ast-util](./workspaces/estree-ast-util) |
+| sec-literal | [@nodesecure/sec-literal ](./workspaces/sec-literal) |
+
+These packages are available in the Node Package Repository and can be easily installed with [npm](https://docs.npmjs.com/getting-started/what-is-npm) or [yarn](https://yarnpkg.com).
+```bash
+$ npm i @nodesecure/estree-ast-util
+# or
+$ yarn add @nodesecure/estree-ast-util
+```
 
 ## Contributors ✨
 

package.json

@@ -18,6 +18,10 @@
     "type": "git",
     "url": "git+https://github.com/NodeSecure/js-x-ray.git"
   },
+  "workspaces": [
+    "workspaces/estree-ast-utils",
+    "workspaces/sec-literal"
+  ],
   "keywords": [
     "ast",
     "nsecure",
@@ -48,10 +52,15 @@
   },
   "devDependencies": {
     "@nodesecure/eslint-config": "^1.6.0",
+    "@small-tech/esm-tape-runner": "^2.0.0",
+    "@small-tech/tap-monkey": "^1.4.0",
     "@types/node": "^20.6.2",
     "c8": "^8.0.1",
+    "cross-env": "^7.0.3",
     "eslint": "^8.31.0",
     "glob": "^10.3.4",
-    "pkg-ok": "^3.0.0"
+    "iterator-matcher": "^2.1.0",
+    "pkg-ok": "^3.0.0",
+    "tape": "^5.7.2"
   }
 }

workspaces/estree-ast-utils/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 NodeSecure
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

workspaces/estree-ast-utils/README.md

@@ -0,0 +1,109 @@
+# estree-ast-utils
+
+[![version](https://img.shields.io/badge/dynamic/json.svg?style=for-the-badge&url=https://raw.githubusercontent.com/NodeSecure/js-x-ray/blob/master/workspaces/estree-ast-utils/main/package.json&query=$.version&label=Version)](https://www.npmjs.com/package/@NodeSecure/js-x-ray/blob/master/workspaces/estree-ast-utils)
+[![maintained](https://img.shields.io/badge/Maintained%3F-yes-green.svg?style=for-the-badge)](https://github.com/NodeSecure/js-x-ray/blob/master/workspaces/estree-ast-utils/graphs/commit-activity)
+[![OpenSSF
+Scorecard](https://api.securityscorecards.dev/projects/github.com/NodeSecure/js-x-ray/blob/master/workspaces/estree-ast-utils/badge?style=for-the-badge)](https://api.securityscorecards.dev/projects/github.com/NodeSecure/js-x-ray/blob/master/workspaces/estree-ast-utils)
+[![mit](https://img.shields.io/github/license/NodeSecure/js-x-ray/blob/master/workspaces/estree-ast-utils.svg?style=for-the-badge)](https://github.com/NodeSecure/js-x-ray/blob/master/workspaces/estree-ast-utils/blob/main/LICENSE)
+[![build](https://img.shields.io/github/actions/workflow/status/NodeSecure/js-x-ray/blob/master/workspaces/estree-ast-utils/node.js.yml?style=for-the-badge)](https://github.com/NodeSecure/js-x-ray/blob/master/workspaces/estree-ast-utils/actions?query=workflow%3A%22Node.js+CI%22)
+
+Utilities for AST (ESTree compliant)
+
+## Getting Started
+
+This package is available in the Node Package Repository and can be easily installed with [npm](https://docs.npmjs.com/getting-started/what-is-npm) or [yarn](https://yarnpkg.com).
+
+```bash
+$ npm i @nodesecure/estree-ast-utils
+# or
+$ yarn add @nodesecure/estree-ast-utils
+```
+
+## Usage example
+
+```js
+import { VariableTracer } from "@nodesecure/estree-ast-utils";
+
+const tracer = new VariableTracer().enableDefaultTracing();
+
+const data = tracer.getDataFromIdentifier("identifier...here");
+console.log(data);
+```
+
+## API
+
+<details><summary>arrayExpressionToString(node): IterableIterator< string ></summary>
+
+Translate an ESTree ArrayExpression into an iterable of Literal value.
+
+```js
+["foo", "bar"];
+```
+
+will return `"foo"` then `"bar"`.
+
+</details>
+
+<details><summary>concatBinaryExpression(node, options): IterableIterator< string ></summary>
+
+Return all Literal part of a given Binary Expression.
+
+```js
+"foo" + "bar";
+```
+
+will return `"foo"` then `"bar"`.
+
+One of the options of the method is `stopOnUnsupportedNode`, if true it will throw an Error if the left or right side of the Expr is not a supported type.
+
+</details>
+
+<details><summary>getCallExpressionIdentifier(node): string | null</summary>
+
+Return the identifier name of the CallExpression (or null if there is none).
+
+```js
+foobar();
+```
+
+will return `"foobar"`.
+
+</details>
+
+<details><summary>getMemberExpressionIdentifier(node): IterableIterator< string ></summary>
+
+Return the identifier name of the CallExpression (or null if there is none).
+
+```js
+foo.bar();
+```
+
+will return `"foo"` then `"bar"`.
+
+</details>
+
+<details><summary>getVariableDeclarationIdentifiers(node): IterableIterator< string ></summary>
+
+Get all variables identifier name.
+
+```js
+const [foo, bar] = [1, 2];
+```
+
+will return `"foo"` then `"bar"`.
+
+</details>
+
+<details><summary>isLiteralRegex(node): boolean</summary>
+
+Return `true` if the given Node is a Literal Regex Node.
+
+```js
+/^hello/g;
+```
+
+</details>
+
+## License
+
+MIT

workspaces/estree-ast-utils/package.json

@@ -0,0 +1,35 @@
+{
+  "name": "@nodesecure/estree-ast-utils",
+  "version": "1.4.1",
+  "description": "Utilities for AST (ESTree compliant)",
+  "type": "module",
+  "exports": "./src/index.js",
+  "scripts": {
+    "lint": "eslint src test",
+    "prepublishOnly": "pkg-ok",
+    "test": "cross-env esm-tape-runner 'test/**/*.spec.js' | tap-monkey",
+    "check": "cross-env npm run lint && npm run test",
+    "coverage": "c8 -r html npm test"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/NodeSecure/estree-ast-utils.git"
+  },
+  "keywords": [
+    "estree",
+    "ast",
+    "utils"
+  ],
+  "author": "GENTILHOMME Thomas <[email protected]>",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/NodeSecure/estree-ast-utils/issues"
+  },
+  "homepage": "https://github.com/NodeSecure/estree-ast-utils#readme",
+  "devDependencies": {
+    "estree-walker": "^3.0.2"
+  },
+  "dependencies": {
+    "@nodesecure/sec-literal": "^1.1.0"
+  }
+}