@lockhawk/core 0.2.5 → 0.2.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +7 -7
- package/dist/index.d.ts +9 -11
- package/dist/index.js +48 -2474
- package/package.json +14 -5
- package/dist/index.js.map +0 -1
package/README.md
CHANGED
|
@@ -1,12 +1,12 @@
|
|
|
1
1
|
# @lockhawk/core
|
|
2
2
|
|
|
3
|
-
The scanning engine behind [**lockhawk**](https://github.com/lockhawk/lockhawk)
|
|
4
|
-
|
|
5
|
-
|
|
3
|
+
The scanning engine behind [**lockhawk**](https://github.com/lockhawk/lockhawk): lockfile parsing,
|
|
4
|
+
dependency graph building, [OSV.dev](https://osv.dev) matching, CVSS v3 and v4 scoring, and report
|
|
5
|
+
generation (table, JSON, SARIF, JUnit, HTML).
|
|
6
6
|
|
|
7
7
|
> **Most people want the CLI, not this package.** To scan a project, use
|
|
8
|
-
> [`lockhawk`](https://www.npmjs.com/package/lockhawk)
|
|
9
|
-
> `@lockhawk/core` only if you
|
|
8
|
+
> [`lockhawk`](https://www.npmjs.com/package/lockhawk) and run `npx lockhawk scan`. Install
|
|
9
|
+
> `@lockhawk/core` only if you are building a tool on top of the engine.
|
|
10
10
|
|
|
11
11
|
## Install
|
|
12
12
|
|
|
@@ -24,8 +24,8 @@ console.log(result.summary, result.findings);
|
|
|
24
24
|
```
|
|
25
25
|
|
|
26
26
|
`scan()` reads the project's lockfile (`package-lock.json`, `yarn.lock`, or `pnpm-lock.yaml`),
|
|
27
|
-
resolves the full dependency tree
|
|
28
|
-
|
|
27
|
+
resolves the full dependency tree including transitive dependencies, queries OSV.dev (offline from a
|
|
28
|
+
cached database or online via the batch API), and returns scored, de-duplicated findings.
|
|
29
29
|
|
|
30
30
|
## Documentation
|
|
31
31
|
|
package/dist/index.d.ts
CHANGED
|
@@ -390,6 +390,8 @@ interface OnlineClientOptions {
|
|
|
390
390
|
noCache?: boolean;
|
|
391
391
|
cacheTtlHours?: number;
|
|
392
392
|
retries?: number;
|
|
393
|
+
/** Per-request network timeout in milliseconds (default 15s). */
|
|
394
|
+
timeoutMs?: number;
|
|
393
395
|
}
|
|
394
396
|
/**
|
|
395
397
|
* Online OSV source. Queries the batch endpoint by package *name only* — never
|
|
@@ -546,20 +548,16 @@ declare function toSarif(result: ScanResult): SarifLog;
|
|
|
546
548
|
/** Stringified SARIF log. */
|
|
547
549
|
declare function toSarifString(result: ScanResult): string;
|
|
548
550
|
|
|
551
|
+
/** Placeholder the report UI shell embeds so we can inject scan data at scan time. */
|
|
552
|
+
declare const DATA_MARKER = "<!--LOCKHAWK_DATA-->";
|
|
549
553
|
/**
|
|
550
|
-
* Produce a self-contained HTML report
|
|
551
|
-
*
|
|
552
|
-
*
|
|
553
|
-
* data blob, no external resources (fonts included). Every dynamic value is
|
|
554
|
-
* HTML-escaped, the layout flows within a width-constrained container, and long
|
|
555
|
-
* advisory text lives in a collapsed, contained block — so the report cannot
|
|
556
|
-
* overflow the viewport or render attacker-controlled advisory text as live
|
|
557
|
-
* markup. Copy affordances use CSS `user-select: all` (one click selects a whole
|
|
558
|
-
* command/version) rather than a clipboard script, preserving the no-JS model.
|
|
554
|
+
* Produce a self-contained HTML report. When given the built report-UI `shell`
|
|
555
|
+
* (M6), the scan data is injected into it; otherwise a dependency-free fallback
|
|
556
|
+
* template is rendered so `--format html` always works.
|
|
559
557
|
*/
|
|
560
|
-
declare function toHtml(result: ScanResult): string;
|
|
558
|
+
declare function toHtml(result: ScanResult, shell?: string): string;
|
|
561
559
|
|
|
562
560
|
/** Render a scan result as JUnit XML (one failed test per finding). */
|
|
563
561
|
declare function toJunit(result: ScanResult): string;
|
|
564
562
|
|
|
565
|
-
export { AutoSource, type CvssResult, type DatabaseInfo, type DepNode, type DepScope, type DependencyGraph, type DetectedLockfile, type Finding, type FindingsOptions, LockfileError, OfflineDbMissingError, type OfflineMeta, OfflineSource, type OnlineClientOptions, OnlineSource, type OsvAffected, OsvClient, OsvDatabase, type OsvEvent, type OsvRange, type OsvReference, type OsvSeverity, type OsvVulnerability, type PackageManager, type PackageRef, type PkgKey, type RawGraph, type RawNode, type ResolvedSource, type RootManifest, SEVERITY_RANK, SHARD_BUCKETS, type SarifLog, type ScanOptions, type ScanResult, type ScanStats, type ScanSummary, type Severity, type SeverityInfo, type SourceMode, type SourceOptions, TOOL, type UnscannablePackage, type UpdateResult, type VulnMatch, type VulnSource, buildDependencyGraph, buildFindings, canonicalId, createSource, dedupeVulnerabilities, detectLockfile, isVersionAffected, levelFromLabel, levelFromScore, loadAdvisoriesForPackages, loadDependencyGraph, nearestFix, offlineDbDir, offlineMetaPath, parseLockfile, pkgKey, readOfflineMeta, readRootManifest, resolveCacheDir, resolveSeverity, rootLabel, scan, scoreFromVector, severityAtLeast, shardBucket, shortestPath, shouldFail, toHtml, toJson, toJunit, toSarif, toSarifString, uniqueScannablePackages, updateOfflineDatabase, vulnerabilityAffects };
|
|
563
|
+
export { AutoSource, type CvssResult, DATA_MARKER, type DatabaseInfo, type DepNode, type DepScope, type DependencyGraph, type DetectedLockfile, type Finding, type FindingsOptions, LockfileError, OfflineDbMissingError, type OfflineMeta, OfflineSource, type OnlineClientOptions, OnlineSource, type OsvAffected, OsvClient, OsvDatabase, type OsvEvent, type OsvRange, type OsvReference, type OsvSeverity, type OsvVulnerability, type PackageManager, type PackageRef, type PkgKey, type RawGraph, type RawNode, type ResolvedSource, type RootManifest, SEVERITY_RANK, SHARD_BUCKETS, type SarifLog, type ScanOptions, type ScanResult, type ScanStats, type ScanSummary, type Severity, type SeverityInfo, type SourceMode, type SourceOptions, TOOL, type UnscannablePackage, type UpdateResult, type VulnMatch, type VulnSource, buildDependencyGraph, buildFindings, canonicalId, createSource, dedupeVulnerabilities, detectLockfile, isVersionAffected, levelFromLabel, levelFromScore, loadAdvisoriesForPackages, loadDependencyGraph, nearestFix, offlineDbDir, offlineMetaPath, parseLockfile, pkgKey, readOfflineMeta, readRootManifest, resolveCacheDir, resolveSeverity, rootLabel, scan, scoreFromVector, severityAtLeast, shardBucket, shortestPath, shouldFail, toHtml, toJson, toJunit, toSarif, toSarifString, uniqueScannablePackages, updateOfflineDatabase, vulnerabilityAffects };
|