@lockhawk/core 0.2.4 → 0.2.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +7 -7
- package/dist/index.d.ts +10 -5
- package/dist/index.js +38 -2335
- package/package.json +3 -4
- package/dist/index.js.map +0 -1
package/README.md
CHANGED
|
@@ -1,12 +1,12 @@
|
|
|
1
1
|
# @lockhawk/core
|
|
2
2
|
|
|
3
|
-
The scanning engine behind [**lockhawk**](https://github.com/lockhawk/lockhawk)
|
|
4
|
-
|
|
5
|
-
|
|
3
|
+
The scanning engine behind [**lockhawk**](https://github.com/lockhawk/lockhawk): lockfile parsing,
|
|
4
|
+
dependency graph building, [OSV.dev](https://osv.dev) matching, CVSS v3 and v4 scoring, and report
|
|
5
|
+
generation (table, JSON, SARIF, JUnit, HTML).
|
|
6
6
|
|
|
7
7
|
> **Most people want the CLI, not this package.** To scan a project, use
|
|
8
|
-
> [`lockhawk`](https://www.npmjs.com/package/lockhawk)
|
|
9
|
-
> `@lockhawk/core` only if you
|
|
8
|
+
> [`lockhawk`](https://www.npmjs.com/package/lockhawk) and run `npx lockhawk scan`. Install
|
|
9
|
+
> `@lockhawk/core` only if you are building a tool on top of the engine.
|
|
10
10
|
|
|
11
11
|
## Install
|
|
12
12
|
|
|
@@ -24,8 +24,8 @@ console.log(result.summary, result.findings);
|
|
|
24
24
|
```
|
|
25
25
|
|
|
26
26
|
`scan()` reads the project's lockfile (`package-lock.json`, `yarn.lock`, or `pnpm-lock.yaml`),
|
|
27
|
-
resolves the full dependency tree
|
|
28
|
-
|
|
27
|
+
resolves the full dependency tree including transitive dependencies, queries OSV.dev (offline from a
|
|
28
|
+
cached database or online via the batch API), and returns scored, de-duplicated findings.
|
|
29
29
|
|
|
30
30
|
## Documentation
|
|
31
31
|
|
package/dist/index.d.ts
CHANGED
|
@@ -390,18 +390,23 @@ interface OnlineClientOptions {
|
|
|
390
390
|
noCache?: boolean;
|
|
391
391
|
cacheTtlHours?: number;
|
|
392
392
|
retries?: number;
|
|
393
|
+
/** Per-request network timeout in milliseconds (default 15s). */
|
|
394
|
+
timeoutMs?: number;
|
|
393
395
|
}
|
|
394
396
|
/**
|
|
395
|
-
* Online OSV source.
|
|
396
|
-
*
|
|
397
|
-
*
|
|
398
|
-
*
|
|
397
|
+
* Online OSV source. Queries the batch endpoint by package *name only* — never
|
|
398
|
+
* pinning an installed version — so OSV returns every advisory naming each
|
|
399
|
+
* package; lockhawk's own range matcher (`buildFindings` → `vulnerabilityAffects`)
|
|
400
|
+
* then decides what actually affects the installed version. Delegating the
|
|
401
|
+
* version match to OSV's server would cap coverage at OSV's matcher; doing it
|
|
402
|
+
* locally makes coverage depend only on lockhawk (and mirrors the offline path).
|
|
403
|
+
* Hydrated records are cached by id so repeat scans do no network work.
|
|
399
404
|
*/
|
|
400
405
|
declare class OsvClient {
|
|
401
406
|
private readonly opts;
|
|
402
407
|
private readonly limit;
|
|
403
408
|
constructor(opts: OnlineClientOptions);
|
|
404
|
-
/** Fetch advisories
|
|
409
|
+
/** Fetch advisories naming the given packages, keyed by package name. */
|
|
405
410
|
fetchAdvisories(packages: PackageRef[]): Promise<Map<string, OsvVulnerability[]>>;
|
|
406
411
|
private queryBatch;
|
|
407
412
|
private hydrate;
|