feat(llm-security): seed top-jetbrains-plugins.json + loadJetBrainsBlocklist export

Step 1/17 of ultraplan-2026-04-17-jetbrains-ide-scan. - Populate top-jetbrains-plugins.json with 56 canonical xmlIds (bundled + popular third-party): com.intellij.java, org.jetbrains.kotlin, com.jetbrains.python.community, org.rust.lang, com.github.copilot, mobi.hsz.idea.gitignore, the legitimate-typo 'Lombook Plugin', etc. - Add loadJetBrainsBlocklist() export mirroring loadVSCodeBlocklist shape. Blocklist is empty by design — no public confirmed-malicious JetBrains Marketplace plugins as of 2026-04-17. - Add tests/scanners/ide-extension-data.test.mjs (9 tests, all pass). - Fix cache bug in loadTopJetBrains: map normalizeId on cache-hit path too (was previously unnormalized on second call). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-18 09:56:55 +02:00 · 2026-04-18 09:56:55 +02:00 · a86ca00960
commit a86ca00960
parent 1634197853
3 changed files with 177 additions and 7 deletions
--- a/plugins/llm-security/scanners/lib/ide-extension-data.mjs
+++ b/plugins/llm-security/scanners/lib/ide-extension-data.mjs
@ -42,15 +42,27 @@ export async function loadVSCodeBlocklist() {
 }

 /**
- * Load top JetBrains plugin IDs (stub for v1.1).
- * @returns {Promise<string[]>}
+ * Load top JetBrains plugin xmlIds (canonical corpus for typosquat detection).
+ * @returns {Promise<string[]>} Lowercased xmlIds.
 */
 export async function loadTopJetBrains() {
-  if (_jetbrains !== null) return _jetbrains.jetbrains || [];
+  if (_jetbrains !== null) return (_jetbrains.jetbrains || []).map(normalizeId);
  _jetbrains = await loadJson(join(KNOWLEDGE_DIR, 'top-jetbrains-plugins.json')) || { jetbrains: [], blocklist: [] };
  return (_jetbrains.jetbrains || []).map(normalizeId);
 }

+/**
+ * Load JetBrains plugin blocklist entries.
+ * Empty by design — no public confirmed-malicious JetBrains Marketplace plugins
+ * as of 2026-04-17. Enterprise policy.json can seed private entries.
+ * @returns {Promise<string[]>} Entries of form "xmlId@version" or "xmlId@*".
+ */
+export async function loadJetBrainsBlocklist() {
+  if (_jetbrains !== null) return _jetbrains.blocklist || [];
+  _jetbrains = await loadJson(join(KNOWLEDGE_DIR, 'top-jetbrains-plugins.json')) || { jetbrains: [], blocklist: [] };
+  return _jetbrains.blocklist || [];
+}
+
 /**
 * Normalize extension ID for comparison.
 * @param {string} id