sync: update src/resource/test and config files

.eslintrc.js

@@ -85,5 +85,16 @@ module.exports = {
         'no-undef': 'off', // TypeScript 已处理变量未定义检查
       },
     },
+    {
+      files: ['check-requires.js'], // 编译检查工具，不参与 dist 生成
+      parserOptions: {
+        project: null, // 不使用 TypeScript 项目配置
+        ecmaVersion: 'latest',
+        sourceType: 'script', // 使用 script 模式（因为文件开头有 #!）
+      },
+      rules: {
+        'filenames/match-regex': 'off', // 允许工具文件使用不同的命名
+      },
+    },
   ],
 }

.gitignore

@@ -47,4 +47,7 @@ deps/uast4python
 /workspace/
 deps/uast4py
 src/uast
-src/report
+deps-runtime/
+.cursorrules
+test/javascript/test-report
+deps

README.md

@@ -1,78 +1,31 @@
-<img src="folder-img/logo.png" style="width:50%;"  />
+# 项目简介
+<font style="color:rgb(31, 35, 40);">统一多语言程序分析是一个</font><font style="color:#1f2328;">面向工业界大规模落地的</font><font style="color:rgb(31, 35, 40);">静态程序分析工具。它为多语言定义了</font>统一的抽象语法树（UAST）中间表示，基于UAST和模拟执行技术，实现了高精度的数据流、指针分析和污点分析，并同时提供了命令式和声明式两种规则扩展能力供用户灵活、低成本使用，可广泛应用于代码安全等场景。
 
-#### [简体中文](README_ZH.md) / [English](README.md)
+# 核心功能
++ 定义了统一的多语言的抽象语法树（UAST）中间表示，并提供了各语言向UAST转换的工具
++ 高精度的数据流、指针分析和污点分析
++ 可扩展的规则定制化能力，包括命令式规则和声明式查询语言
++ 内置常见的安全检测规则，面向安全检测场景可开箱即用
 
-**YASA** (**Y**et **A**nother **S**tatic **A**nalyzer, pronounced “**YA-sa**”) is an open-source static program analysis project. Its core innovation lies in a unified intermediate representation called the **U**nified **A**bstract **S**yntax **T**ree (UAST), designed to support multiple programming languages. Built on top of UAST, YASA provides a highly accurate static analysis framework. Users can extend its capabilities by writing custom checkers to perform various program analysis tasks—such as AST queries, data flow analysis, and function call graph analysis—and expose functionality through SDK, declarative query language (QL), or MCP.
+# 项目架构
+![](https://intranetproxy.alipay.com/skylark/lark/0/2025/png/178787/1743992792193-33a83234-5229-481d-a4b6-e99a796a2fc0.png)
 
-As a project originally developed within a security team, YASA also comes with built-in taint analysis capabilities, implemented as a checker, to detect security vulnerabilities.
+**QL**：Query Language
 
-## Components
-<img src="folder-img/Structure.jpg"  />
+**<font style="color:rgb(0, 0, 0);">UAST</font>**<font style="color:rgb(0, 0, 0);">：Unify Abstract Syntax Tree </font>**统一抽象语法树**
 
-### YASA-UAST: Unified Abstract Syntax Tree
-[YASA-UAST](https://github.com/antgroup/YASA-UAST) is an intermediate representation structure for multi-language program analysis. The UAST-Parser parses code from different programming languages into a unified abstract syntax format. Through UAST, source code in different languages can be converted into a standardized tree structure, enabling unified analysis and processing across multiple languages.
+**<font style="color:rgb(0, 0, 0);">YASA</font>**<font style="color:rgb(0, 0, 0);"> ：Yet Another Static Analyzer</font>
 
-### YASA-Engine: Unified multi-language Analysis Engine
-The unified multi-language analysis engine is the core component of a modern program analysis platform. It aims to achieve efficient and precise analysis of multiple programming languages through a unified analysis framework and methodology. Also, with the help of AI capabilities, it addresses issues such as broken chains in traditional program analysis and high adaptation costs for new scenarios. (The AI part is not open-sourced yet.)
+# 技术优势
++ 【统一】统一多语言抽象语法树（UAST）中间表示，可低成本支持新语言，便于跨语言的分析
++ 【高精度】多语言程序模拟执行技术，还原了真实的程序运行上下文，可提供更高的分析精度
++ 【工业界落地】经过蚂蚁内部大规模落地和业界首个程序分析评价体系开源项目[xast](https://xastbenchmark.github.io/)的“双重认证”，多语言场景下的分析完整度、准确度和性能都有较高保障
++ 【低使用成本】命令式程序分析combine声明式查询语句
+    - 兼容[Github codeql](https://github.com/github/codeql)的语法和规则，用户使用门槛低
+    - 提供了灵活的规则定制能力
 
-### YASA-UQL: Unified Declarative Rule Query Language
-Supports declarative unified query rule writing for multiple languages, compatible with CodeQL syntax, lowering the barrier to rule writing while unifying rule sets across languages.
+# <font style="color:rgb(31, 35, 40);">支持的语言</font>
+<font style="color:rgb(31, 35, 40);">Java、JS、Go、Python......</font>
 
-### YASA-MCP: Unified multi-language Program Analysis MCP
-Provides atomic analysis APIs for LLM, offering program analysis services that are LLM-friendly.
+<font style="color:rgb(31, 35, 40);">其他语言的支持为开源社区共建“留白”</font>
 
-### YASA-SDK: Unified multi-language Program Analysis SDK
-Provides SDK packages supporting multiple programming languages for traditional applications. It provides a variety of granular program analysis APIs, making integration easier and enabling efficient and user-friendly program analysis services within applications.
-
-### xAST
-[xAST](https://github.com/alipay/ant-application-security-testing-benchmark) is an open-source evaluation system for SAST/IAST/DAST tool capabilities. In YASA-Engine, it serves as the regression target for post-change testing, and during the process of multi-language adaptation, it provides positive guidance on language syntax support.
-
-## Technical Advantages
-### Low Cost for New Language Support
-- YASA is directly modeled and analyzed based on UAST. When adapting to a new language, once it is parsed into UAST, the general-layer analyzer's capabilities can be used. After supporting the new language's package structure, the new language's analysis is already supported.
-
-<img src="folder-img/newLanguage.jpg" style="width:90%;"  />
-
-
-### High Analysis Accuracy, Measurable, and Unified Multi-Languages
-- YASA is based on unified multi-language symbolic interpretation capabilities, offering high precision and scalability in static code analysis. It naturally supports field-sensitive, context-sensitive, object-sensitive, path-sensitive, and flow-sensitive capabilities in the field of static analysis.
-
-- During YASA's development, we used [xAST](https://github.com/alipay/ant-application-security-testing-benchmark) to evaluate and verify our capabilities, achieving "measurable capabilities." We compared YASA's performance with other open-source program analysis tools under the xAST evaluation system:
-
-<img src="folder-img/xastTest.jpg" style="width:90%;"  />
-
-### Open and Friendly
-- Introduced the unified declarative rule query language YASA-UQL, compatible with CodeQL syntax, and pioneered a unified QL rule library for multiple languages, making program analysis more engineer-friendly.
-
-- Launched YASA MCP (LLM-friendly) and SDK (App development-friendly).
-
-## Quick Start
-
-[Getting Started](https://www.yuque.com/u22090306/bebf6g/evyf4chw26deq8xq)
-
-[Installation and Deployment](https://www.yuque.com/u22090306/bebf6g/gm7b32tcn9vosgll)
-
-## Join Us
-Welcome to submit issues if you encounter any problems!
-
-For code contributions, please refer to [CONTRIBUTION](CONTRIBUTION.md)
-
-## Resource Links
-[Official Documentation](https://www.yuque.com/u22090306/bebf6g)
-
-[Learning Resources](https://www.yuque.com/u22090306/bebf6g/sr0y5fqg0kcua5nf)
-
-[Community Activities](https://www.yuque.com/u22090306/bebf6g/fn1rauxwtp7z0l1u)
-
-## Open Source License
-Apache License 2.0 - Details in LICENSE Apache-2.0.
-
-## Acknowledgments
-Thanks to all developers who have contributed to the YASA project! Special thanks to the open-source community for their support and feedback, enabling us to jointly advance the development of program analysis technology.
-
-YASA - Making code analysis more precise, easier, and smarter.
-
-## Contact Us
-[Official Website](https://cybersec.antgroup.com/station)
-
-<img src="folder-img/contactus.png" style="width:20%;" />

build.sh

@@ -27,43 +27,99 @@ info() {
 
 info "开始构建流程..."
 
+# 步骤 0: 清理历史结果
+info "步骤 0/8: 清理历史结果 (rm -rf dist)"
+if ! rm -rf dist > /dev/null; then
+    alert "清理历史结果失败"
+fi
+success "清理历史结果完成"
+
 # 步骤 1: 安装依赖
-info "步骤 1/6: 安装依赖 (npm install)"
-if ! npm install; then
+info "步骤 1/8: 安装依赖 (npm install --package-lock=false)"
+if ! npm install --package-lock=false > /dev/null; then
     alert "npm install 失败"
 fi
 success "依赖安装完成"
 
 # 步骤 2: 类型检查
-info "步骤 2/6: 类型检查 (npx tsc --noEmit)"
-if ! npx tsc --noEmit; then
+info "步骤 2/8: 类型检查 (npx tsc --noEmit)"
+# 只重定向 stdout，保留 stderr 以便显示错误信息
+set +e
+npx tsc --noEmit > /dev/null
+TSC_CHECK_EXIT_CODE=$?
+set -e
+if [ $TSC_CHECK_EXIT_CODE -ne 0 ]; then
     alert "类型检查失败，请修复 TypeScript 错误"
 fi
 success "类型检查通过"
 
-# 步骤 3: 运行所有测试
-info "步骤 3/6: 运行所有测试 (npm run test-all)"
-if ! npm run test-all; then
+# 步骤 3: 检查 require() 调用
+info "步骤 3/8: 检查 require() 调用 (node check-requires.js)"
+if ! node check-requires.js > /dev/null; then
+    alert "require() 检查失败，请修复模块引用错误"
+fi
+success "require() 检查通过"
+
+# 步骤 4: 运行所有测试
+info "步骤 4/8: 运行所有测试 (npm run test-all)"
+if ! npm run test-all > /dev/null; then
     alert "测试失败，请修复测试错误"
 fi
 success "所有测试通过"
 
-# 步骤 4: 编译 TypeScript
-info "步骤 4/6: 编译 TypeScript (npx tsc)"
-if ! npx tsc; then
-    alert "TypeScript 编译失败"
+# 步骤 5: 生成构建版本信息
+info "步骤 5/8: 生成构建版本信息"
+BUILD_DATE=$(date +%Y%m%d)
+COMMIT_HASH=$(git rev-parse --short HEAD 2>/dev/null || echo "unknown")
+
+# 创建 dist 目录（如果不存在）
+mkdir -p dist
+
+# 生成版本信息文件（编译后代码会读取此文件）
+cat > dist/build-version.json <<EOF
+{
+  "buildDate": "${BUILD_DATE}",
+  "commitHash": "${COMMIT_HASH}"
+}
+EOF
+
+success "构建版本信息已生成 (build ${BUILD_DATE}, commit ${COMMIT_HASH})"
+
+# 步骤 6: 编译 TypeScript
+info "步骤 6/8: 编译 TypeScript (npx tsc)"
+# 只重定向 stdout，保留 stderr 以便显示错误信息
+set +e
+npx tsc > /dev/null
+TSC_EXIT_CODE=$?
+set -e
+if [ $TSC_EXIT_CODE -ne 0 ]; then
+    alert "TypeScript 编译失败，请查看上方的错误信息"
 fi
 success "TypeScript 编译完成"
 
-# 步骤 5: 打包二进制
-info "步骤 5/6: 打包二进制 (npx pkg)"
-if ! npx pkg . --options max-old-space-size=13312; then
-    alert "打包失败"
+# 确保版本文件在编译后仍然存在（因为 tsc 可能会清理 dist）
+mkdir -p dist
+cat > dist/build-version.json <<EOF
+{
+  "buildDate": "${BUILD_DATE}",
+  "commitHash": "${COMMIT_HASH}"
+}
+EOF
+
+# 步骤 7: 打包二进制
+info "步骤 7/8: 打包二进制 (npx pkg)"
+# 只重定向 stdout，保留 stderr 以便显示错误信息
+set +e
+npx pkg . --options max-old-space-size=12288 > /dev/null
+PKG_EXIT_CODE=$?
+set -e
+if [ $PKG_EXIT_CODE -ne 0 ]; then
+    alert "打包失败 (退出码: $PKG_EXIT_CODE)，请查看上方的错误信息"
 fi
 success "打包完成"
 
-# 步骤 6: 删除 dist 文件
-info "步骤 6/6: 删除 dist 文件"
+# 步骤 8: 删除 dist 文件
+info "步骤 8/8: 删除 dist 文件"
 if [ -d "dist" ]; then
     rm -rf dist
     success "dist 文件已删除"
@@ -72,4 +128,3 @@ else
 fi
 
 info "构建流程全部完成！"
-