Pull in the latest safety-web development

.gitignore

@@ -6,3 +6,5 @@
 !.yarn/sdks
 !.yarn/versions
 node_modules
+safety-web/lib/*
+test-helpers/expect-violations/bin/*

.yarnrc.yml

@@ -0,0 +1 @@
+nodeLinker: node-modules

README.md

@@ -2,3 +2,43 @@
 
 **This is not an officially supported Google product.**
 
+**This project is under development and is not ready for production yet.**
+
+safety-web is an ESLint plugin that works on TypeScript and JavaScript projects and surfaces security issues like Trusted Types violations statically.
+
+## Development
+
+This project uses yarn "modern" Berry (Yarn 4) with workspaces. To install the dependencies for all [workspaces](https://yarnpkg.com/features/workspaces):
+
+```bash
+yarn
+```
+
+The commands `clean`, `build`, `lint`, `test` are defined in all workspaces. This makes it possible to run them in all workspaces:
+
+```bash
+# Build all workspaces
+yarn workspaces foreach --all run build
+```
+
+## safety-web unit testing
+
+```bash
+yarn workspace eslint-plugin-safety-web run test
+```
+
+## unit tests + integrations tests
+
+```bash
+yarn run unit_tests
+```
+
+## Updating tsetse
+
+The core logic behind this plugin is re-used from [tsec](https://github.com/google/tsec). The [`common`](https://github.com/google/tsec/tree/main/common) directory of tsec is mirrored in `safety-web/src/common`, as vendored dependency.
+
+Run tsetse_update.sh to pull the latest version of tsetse in:
+
+```bash
+bash update_tsetse.sh
+```

package.json

@@ -1,6 +1,17 @@
 {
   "private": true,
+  "license": "Apache-2.0",
+  "author": "Google ISE Web Team",
   "workspaces": [
-    "safety-web"
-  ]
-}
+    "safety-web",
+    "tests/*",
+    "test-helpers/*"
+  ],
+  "scripts": {
+    "unit_tests": "yarn workspace eslint-plugin-safety-web test",
+    "integration_tests": "yarn workspace basic-typescript-eslint9 test && yarn workspace basic-typescript-eslint8 test && yarn workspace basic-javascript-eslint9 test && yarn workspace basic-javascript-eslint8 test",
+    "update_integration_tests": "yarn workspace basic-typescript-eslint9 update && yarn workspace basic-typescript-eslint8 update && yarn workspace basic-javascript-eslint9 update && yarn workspace basic-javascript-eslint8 update",
+    "test": "yarn workspaces foreach --all run test"
+  },
+  "packageManager": "yarn@4.3.1"
+}

safety-web/.mocharc.js

@@ -0,0 +1,19 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+module.exports = {
+    // Use tsx as a TypeScript node loader for Mocha https://stackoverflow.com/a/77609121
+    "require": "tsx",
+    "extension": ["ts"],
+}

safety-web/eslint.config.mjs

@@ -0,0 +1,34 @@
+import eslint from '@eslint/js';
+import tseslint from 'typescript-eslint';
+
+export default tseslint.config(
+  eslint.configs.recommended,
+  ...tseslint.configs.recommendedTypeChecked,
+  {
+    languageOptions: {
+      parser: tseslint.parser,
+      parserOptions: {
+        project: "tsconfig.json",  // Indicates to find the closest tsconfig.json for each source file (see https://typescript-eslint.io/packages/parser#project).
+        tsconfigRootDir: import.meta.dirname,
+      },
+    },
+    files: ["**/*.ts"],
+  },
+  {
+    rules: {
+      'no-undef': 'off',
+      'no-dupe-class-members': 'off',
+    },
+    files: ['**/*.ts'],
+  },
+  {
+    ignores: [
+      "**/*.js",
+      "**/*.mjs",
+      "test/test_fixtures/",
+      "lib/",
+      "node_modules/",
+      "src/common/",  // tsetse folder is linted internally.
+    ]
+  },
+);

safety-web/package.json

@@ -1,6 +1,37 @@
 {
-    "name": "safety-web",
+    "name": "eslint-plugin-safety-web",
     "version": "0.1.0",
+    "license": "Apache-2.0",
+    "author": "Google ISE Web Team",
+    "main": "lib/src/index.js",
+    "files": [
+        "lib/src/"
+    ],
+    "scripts": {
+        "clean": "tsc --build --clean",
+        "build": "tsc -b ./tsconfig.json",
+        "build:watch": "tsc -b ./tsconfig.json --watch",
+        "lint": "eslint",
+        "test": "mocha",
+        "test:watch": "mocha -r ts-node/register --watch --watch-files src/**/*.ts,test/**/*.ts"
+    },
     "dependencies": {
+        "@typescript-eslint/parser": "^7.17.0",
+        "@typescript-eslint/utils": "^7.17.0",
+        "eslint": "^8.56.0 <9.0.0",
+        "tsutils": "^3.21.0",
+        "typescript": "^5.4.3 <5.5.0"
+    },
+    "devDependencies": {
+        "@eslint/eslintrc": "^3.1.0",
+        "@types/chai": "^4.3.16",
+        "@types/mocha": "^10.0.7",
+        "@types/node": "^20.14.9",
+        "@typescript-eslint/rule-tester": "^7.17.0",
+        "chai": "^5.1.1",
+        "mocha": "^10.6.0",
+        "ts-node": "^10.9.2",
+        "tsx": "^4.16.2",
+        "typescript-eslint": "^7.17.0"
     }
-}
+}

safety-web/src/common/configured_checker.ts

@@ -0,0 +1,71 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+import {ENABLED_RULES} from './rule_groups';
+import {Checker} from './third_party/tsetse/checker';
+import * as ts from 'typescript';
+
+import {
+  ExemptionList,
+  parseExemptionConfig,
+  resolveExemptionConfigPath,
+} from './exemption_config';
+
+/**
+ * Create a new cheker with all enabled rules registered and the exemption list
+ * configured.
+ */
+export function getConfiguredChecker(
+  program: ts.Program,
+  host: ts.ModuleResolutionHost,
+): {checker: Checker; errors: ts.Diagnostic[]} {
+  let exemptionList: ExemptionList | undefined = undefined;
+
+  const exemptionConfigPath = resolveExemptionConfigPath(
+    program.getCompilerOptions()['configFilePath'] as string,
+  );
+
+  const errors = [];
+
+  if (exemptionConfigPath) {
+    const projExemptionConfigOrErr = parseExemptionConfig(exemptionConfigPath);
+    if (projExemptionConfigOrErr instanceof ExemptionList) {
+      exemptionList = projExemptionConfigOrErr;
+    } else {
+      errors.push(...projExemptionConfigOrErr);
+    }
+  }
+
+  // Create all enabled rules with corresponding exemption list entries.
+  const checker = new Checker(program, host);
+  const wildcardAllowListEntry = exemptionList?.get('*');
+  const rules = ENABLED_RULES.map((ruleCtr) => {
+    const allowlistEntries = [];
+    const allowlistEntry = exemptionList?.get(ruleCtr.RULE_NAME);
+    if (allowlistEntry) {
+      allowlistEntries.push(allowlistEntry);
+    }
+    if (wildcardAllowListEntry) {
+      allowlistEntries.push(wildcardAllowListEntry);
+    }
+    return new ruleCtr({allowlistEntries});
+  });
+
+  // Register all rules.
+  for (const rule of rules) {
+    rule.register(checker);
+  }
+
+  return {checker, errors};
+}