feat(llm-security): wire JetBrains branch into scanOneExtension

plugins/llm-security/scanners/ide-extension-scanner.mjs

@@ -25,8 +25,14 @@ import {
   discoverVSCodeExtensions,
   discoverJetBrainsExtensions,
 } from './lib/ide-extension-discovery.mjs';
-import { parseVSCodeExtension, parseVsixFile } from './lib/ide-extension-parser.mjs';
-import { loadTopVSCode, loadVSCodeBlocklist, normalizeId } from './lib/ide-extension-data.mjs';
+import { parseVSCodeExtension, parseVsixFile, parseIntelliJPlugin } from './lib/ide-extension-parser.mjs';
+import {
+  loadTopVSCode,
+  loadVSCodeBlocklist,
+  loadTopJetBrains,
+  loadJetBrainsBlocklist,
+  normalizeId,
+} from './lib/ide-extension-data.mjs';
 import { fetchVsixFromUrl, detectUrlType } from './lib/vsix-fetch.mjs';
 import { extractToDir, ZipError } from './lib/zip-extract.mjs';
 import { runVsixWorker } from './lib/vsix-sandbox.mjs';
@@ -516,8 +522,10 @@ async function scanOneExtension(ext, options) {
   const started = Date.now();
   const warnings = [];
 
-  // Parse manifest
-  const parsed = await parseVSCodeExtension(ext.location);
+  // Parse manifest — dispatch on extension type
+  const parsed = ext.type === 'jetbrains'
+    ? await parseIntelliJPlugin(ext.location)
+    : await parseVSCodeExtension(ext.location);
   if (!parsed) {
     return {
       id: ext.id,
@@ -537,28 +545,45 @@ async function scanOneExtension(ext, options) {
   const manifest = parsed.manifest;
   warnings.push(...parsed.warnings);
 
-  const topList = await loadTopVSCode();
-  const blocklist = await loadVSCodeBlocklist();
+  const isJetBrains = ext.type === 'jetbrains';
+  const topList = isJetBrains ? [] : await loadTopVSCode();
+  const blocklist = isJetBrains ? [] : await loadVSCodeBlocklist();
+  const topListJB = isJetBrains ? await loadTopJetBrains() : [];
+  const blocklistJB = isJetBrains ? await loadJetBrainsBlocklist() : [];
 
   const relLocation = relative(options.targetBase || ext.location, ext.location) || '.';
 
   // Discover files (Pass A) — excludes node_modules, used for ENT/NET/TNT/UNI
   const discovery = await discoverFiles(ext.location).catch(() => ({ files: [], skipped: 0, truncated: false }));
 
-  // Pass B for MEM — filter to README/CHANGELOG/package.json only
+  // Pass B for MEM — filter to README/CHANGELOG/package.json only (VS Code),
+  // plus plugin.xml and META-INF/MANIFEST.MF for JetBrains plugins.
   const memFiles = discovery.files.filter(f => {
     const lower = (f.relPath || '').toLowerCase();
-    return lower === 'readme.md' || lower === 'changelog.md' || lower === 'package.json';
+    if (lower === 'readme.md' || lower === 'changelog.md' || lower === 'package.json') return true;
+    if (isJetBrains) {
+      if (lower === 'plugin.xml' || lower.endsWith('/plugin.xml')) return true;
+      if (lower === 'meta-inf/manifest.mf' || lower.endsWith('/meta-inf/manifest.mf')) return true;
+    }
+    return false;
   });
 
-  // IDE-specific findings
-  const ideFindings = runIdeChecks(
-    { ...ext, signed: manifest.hasSignature || ext.signed },
-    manifest,
-    topList,
-    blocklist,
-    relLocation,
-  );
+  // IDE-specific findings — dispatch on extension type
+  const ideFindings = isJetBrains
+    ? runJetBrainsChecks(
+        { ...ext, signed: manifest.hasSignature || ext.signed },
+        manifest,
+        topListJB,
+        blocklistJB,
+        relLocation,
+      )
+    : runIdeChecks(
+        { ...ext, signed: manifest.hasSignature || ext.signed },
+        manifest,
+        topList,
+        blocklist,
+        relLocation,
+      );
   const ideResult = scannerResult(SCANNER, 'ok', ideFindings, 1, Date.now() - started);
 
   // Run reused scanners (each is independent; run sequentially to avoid burst-rate issues)
@@ -805,6 +830,7 @@ export const __testing = {
   checkPremainClassJB,
   checkNativeBinariesJB,
   checkShadedJarsJB,
+  scanOneExtension,
 };
 
 /**