@mongodb-js/sbom-tools 0.2.2 → 0.2.3
- package/README.md +219 -0
- package/bin/mongodb-sbom-tools.js +2 -1
- package/dist/bin.d.ts +1 -1
- package/dist/bin.d.ts.map +1 -1
- package/dist/bin.js +7 -38
- package/dist/bin.js.map +1 -1
- package/dist/commands/generate-third-party-notices.d.ts +4 -1
- package/dist/commands/generate-third-party-notices.d.ts.map +1 -1
- package/dist/commands/generate-third-party-notices.js +40 -67
- package/dist/commands/generate-third-party-notices.js.map +1 -1
- package/dist/commands/generate-vulnerability-report.d.ts +6 -18
- package/dist/commands/generate-vulnerability-report.d.ts.map +1 -1
- package/dist/commands/generate-vulnerability-report.js +67 -25
- package/dist/commands/generate-vulnerability-report.js.map +1 -1
- package/dist/commands/scan-node-js.d.ts +5 -2
- package/dist/commands/scan-node-js.d.ts.map +1 -1
- package/dist/commands/scan-node-js.js +33 -64
- package/dist/commands/scan-node-js.js.map +1 -1
- package/dist/production-deps.d.ts +2 -2
- package/dist/production-deps.d.ts.map +1 -1
- package/dist/production-deps.js +8 -8
- package/dist/production-deps.js.map +1 -1
- package/dist/snyk-vulnerability.d.ts +69 -0
- package/dist/snyk-vulnerability.d.ts.map +1 -0
- package/dist/snyk-vulnerability.js +87 -0
- package/dist/snyk-vulnerability.js.map +1 -0
- package/dist/webpack-dependencies-plugin.d.ts +5 -6
- package/dist/webpack-dependencies-plugin.d.ts.map +1 -1
- package/dist/webpack-dependencies-plugin.js +21 -16
- package/dist/webpack-dependencies-plugin.js.map +1 -1
- package/package.json +7 -9
- package/dist/commands/severity.d.ts +0 -7
- package/dist/commands/severity.d.ts.map +0 -1
- package/dist/commands/severity.js +0 -31
- package/dist/commands/severity.js.map +0 -1
|
@@ -3,19 +3,18 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
|
3
3
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
4
|
};
|
|
5
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
-
exports.generateVulnerabilityReport = exports.loadReports = void 0;
|
|
6
|
+
exports.command = exports.generateVulnerabilityReport = exports.loadReports = void 0;
|
|
7
7
|
const fs_1 = require("fs");
|
|
8
8
|
const snykPolicy = require('snyk-policy');
|
|
9
9
|
const lodash_1 = __importDefault(require("lodash"));
|
|
10
|
-
const chalk_1 = __importDefault(require("chalk"));
|
|
11
10
|
const load_dependency_files_1 = require("../load-dependency-files");
|
|
12
|
-
const
|
|
11
|
+
const snyk_vulnerability_1 = require("../snyk-vulnerability");
|
|
12
|
+
const commander_1 = require("commander");
|
|
13
13
|
async function loadReports(files) {
|
|
14
14
|
return (await Promise.all(files.map(async (fileName) => JSON.parse(await fs_1.promises.readFile(fileName, 'utf-8'))))).flat();
|
|
15
15
|
}
|
|
16
16
|
exports.loadReports = loadReports;
|
|
17
|
-
|
|
18
|
-
const rules = await snykPolicy.load(process.cwd());
|
|
17
|
+
function filterApplicableVulnerabilities(snykTestResults, dependencies, rules) {
|
|
19
18
|
const affectedDependencies = [];
|
|
20
19
|
snykTestResults.forEach((projectResult) => {
|
|
21
20
|
projectResult.vulnerabilities.forEach((vuln) => {
|
|
@@ -54,42 +53,85 @@ async function fetchSnykVulnerabilities(snykTestResults, dependencies) {
|
|
|
54
53
|
const sortedVulnerabilities = Array.from(uniqueVulnerabilities.values()).sort((a, b) => a.name.localeCompare(b.name));
|
|
55
54
|
return sortedVulnerabilities;
|
|
56
55
|
}
|
|
57
|
-
function
|
|
56
|
+
function formatIgnored(vuln) {
|
|
58
57
|
var _a, _b;
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
58
|
+
if (!hasKnownRemediation(vuln)) {
|
|
59
|
+
return 'Reason: Remediation not available yet';
|
|
60
|
+
}
|
|
61
|
+
if (hasIgnorePolicy(vuln)) {
|
|
62
|
+
const expired = hasExpiredPolicy(vuln) ? ' (Expired)' : '';
|
|
63
|
+
return `Reason: ${(_b = (_a = vuln.policy) === null || _a === void 0 ? void 0 : _a.reason) !== null && _b !== void 0 ? _b : 'unknown'}${expired}`;
|
|
64
|
+
}
|
|
65
|
+
return '-';
|
|
66
|
+
}
|
|
67
|
+
function generateTable(vulnerabilities) {
|
|
68
|
+
var _a;
|
|
69
|
+
let output = '';
|
|
70
|
+
output += `## Vulnerabilities Report (${vulnerabilities.length} vulnerabilities)\n`;
|
|
71
|
+
output += '| dep@version | id | score | fixed in | origin | ignored |\n';
|
|
72
|
+
output += '| ----------- | -- | ----- | -------- | ------ | ------- |\n';
|
|
62
73
|
const sortedVulns = lodash_1.default.orderBy(vulnerabilities, ['score', 'name'], ['desc', 'asc']);
|
|
63
74
|
for (const vuln of sortedVulns) {
|
|
64
|
-
const severity = `${vuln.score} (${vuln.severity})`;
|
|
65
|
-
const ignored = (
|
|
66
|
-
|
|
67
|
-
: !vuln.fixedIn
|
|
68
|
-
? 'Remediation not available yet'
|
|
69
|
-
: '-';
|
|
70
|
-
console.info(`| ${vuln.name} | ${vuln.id} | ${severity} | ${vuln.fixedIn} | ${ignored} |`);
|
|
75
|
+
const severity = `${(_a = vuln.score) !== null && _a !== void 0 ? _a : '?'} (${vuln.severity})`;
|
|
76
|
+
const ignored = formatIgnored(vuln);
|
|
77
|
+
output += `| ${vuln.name} | ${vuln.id} | ${severity} | ${vuln.fixedIn || 'N/A'} | ${ignored} |\n`;
|
|
71
78
|
}
|
|
79
|
+
return output;
|
|
80
|
+
}
|
|
81
|
+
function isIgnored(vuln) {
|
|
82
|
+
return hasIgnorePolicy(vuln) && !hasExpiredPolicy(vuln);
|
|
83
|
+
}
|
|
84
|
+
function hasIgnorePolicy(vuln) {
|
|
85
|
+
var _a;
|
|
86
|
+
return ((_a = vuln.policy) === null || _a === void 0 ? void 0 : _a.type) === 'ignore';
|
|
87
|
+
}
|
|
88
|
+
function hasExpiredPolicy(vuln) {
|
|
89
|
+
var _a;
|
|
90
|
+
return new Date() >= ((_a = vuln.policy) === null || _a === void 0 ? void 0 : _a.expires);
|
|
91
|
+
}
|
|
92
|
+
function hasKnownRemediation(vuln) {
|
|
93
|
+
return !!vuln.fixedIn;
|
|
72
94
|
}
|
|
73
95
|
function fail(failOn, bundleVulnerabilities) {
|
|
74
|
-
var _a
|
|
75
|
-
const minScore = (_a = (0,
|
|
96
|
+
var _a;
|
|
97
|
+
const minScore = (_a = (0, snyk_vulnerability_1.severityToScore)(failOn)) !== null && _a !== void 0 ? _a : 0;
|
|
76
98
|
for (const vuln of bundleVulnerabilities) {
|
|
77
99
|
if ((vuln.score === undefined || vuln.score >= minScore) &&
|
|
78
|
-
vuln
|
|
79
|
-
(
|
|
80
|
-
|
|
81
|
-
process.exit(1);
|
|
100
|
+
hasKnownRemediation(vuln) &&
|
|
101
|
+
!isIgnored(vuln)) {
|
|
102
|
+
throw new Error(`Vulnerabilities check failed: found vulnerabilities >= "${failOn}"`);
|
|
82
103
|
}
|
|
83
104
|
}
|
|
84
105
|
}
|
|
85
106
|
async function generateVulnerabilityReport(options) {
|
|
107
|
+
var _a, _b;
|
|
86
108
|
const productionDependencies = await (0, load_dependency_files_1.loadDependencyFiles)(options.dependencyFiles);
|
|
87
109
|
const snykTestResult = await loadReports(options.snykReports);
|
|
88
|
-
const
|
|
89
|
-
|
|
110
|
+
const rules = await snykPolicy.load((_a = options.snykPolicyPath) !== null && _a !== void 0 ? _a : process.cwd(), {
|
|
111
|
+
loose: true,
|
|
112
|
+
});
|
|
113
|
+
const applicableVulnerabilities = filterApplicableVulnerabilities(snykTestResult, productionDependencies, rules);
|
|
114
|
+
((_b = options.printResult) !== null && _b !== void 0 ? _b : console.info)(generateTable(applicableVulnerabilities));
|
|
90
115
|
if (options.failOn) {
|
|
91
|
-
fail(options.failOn,
|
|
116
|
+
fail(options.failOn, applicableVulnerabilities);
|
|
92
117
|
}
|
|
93
118
|
}
|
|
94
119
|
exports.generateVulnerabilityReport = generateVulnerabilityReport;
|
|
120
|
+
function commaSeparatedList(value) {
|
|
121
|
+
return value.split(',');
|
|
122
|
+
}
|
|
123
|
+
exports.command = new commander_1.Command('generate-vulnerability-report')
|
|
124
|
+
.description('Generate a report of snyk vulnerabilities applicable to a list of dependencies')
|
|
125
|
+
.option('--dependencies <paths>', 'Comma-separated list of dependency files', commaSeparatedList, [])
|
|
126
|
+
.option('--snyk-reports <paths>', 'Comma-separated list of snyk result files', commaSeparatedList, [])
|
|
127
|
+
.option('--fail-on [level]', 'Fail on the specified severity level')
|
|
128
|
+
.option('--snyk-policy-path [path]', 'Snyk policy path')
|
|
129
|
+
.action(async (options) => {
|
|
130
|
+
await generateVulnerabilityReport({
|
|
131
|
+
dependencyFiles: options.dependencies,
|
|
132
|
+
snykReports: options.snykReports,
|
|
133
|
+
failOn: options.failOn,
|
|
134
|
+
snykPolicyPath: options.snykPolicyPath,
|
|
135
|
+
});
|
|
136
|
+
});
|
|
95
137
|
//# sourceMappingURL=generate-vulnerability-report.js.map
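Review bot: `--fail-on [level]` declares its value optional, so a bare `--fail-on` makes commander hand `true` to `options.failOn`; `severityToScore(true)` presumably yields undefined (its declared return is `number | undefined`), `minScore` then falls back to 0 in `fail()`, and every unignored fixable vulnerability fails with the confusing message `Vulnerabilities check failed: found vulnerabilities >= "true"`. Either require the value, `.option('--fail-on <level>', 'Fail on the specified severity level')`, or validate `failOn` against the known severities before computing `minScore`. The gate in `fail()` also skips anything without a known remediation (`hasKnownRemediation(vuln) &&`), so a critical finding with no fix is reported but never fails the build; that deserves a comment such as `// unfixable vulnerabilities are listed but never fail the check`. Finally, `hasExpiredPolicy` compares `new Date()` with `vuln.policy?.expires` using `>=`; if snyk-policy returns `expires` as an ISO string rather than a Date the comparison is NaN and an ignore never expires — worth confirming against the policy loader.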
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"generate-vulnerability-report.js","sourceRoot":"","sources":["../../src/commands/generate-vulnerability-report.ts"],"names":[],"mappings":";;;;;;AAAA,2BAAoC;AAGpC,MAAM,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;AAC1C,oDAAuB;
|
|
1
|
+
{"version":3,"file":"generate-vulnerability-report.js","sourceRoot":"","sources":["../../src/commands/generate-vulnerability-report.ts"],"names":[],"mappings":";;;;;;AAAA,2BAAoC;AAGpC,MAAM,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;AAC1C,oDAAuB;AAEvB,oEAA+D;AAM/D,8DAAwD;AACxD,yCAAoC;AAE7B,KAAK,UAAU,WAAW,CAC/B,KAAe;IAIf,OAAO,CACL,MAAM,OAAO,CAAC,GAAG,CACf,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE,EAAE,CAC3B,IAAI,CAAC,KAAK,CAAC,MAAM,aAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CACjD,CACF,CACF,CAAC,IAAI,EAAE,CAAC;AACX,CAAC;AAZD,kCAYC;AAuBD,SAAS,+BAA+B,CACtC,eAAwC,EACxC,YAA0B,EAC1B,KAAsB;IAEtB,MAAM,oBAAoB,GAAwB,EAAE,CAAC;IAErD,eAAe,CAAC,OAAO,CAAC,CAAC,aAAa,EAAE,EAAE;QACxC,aAAa,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;YAC7C,YAAY,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;gBAC3B,IACE,IAAI,CAAC,UAAU,KAAK,GAAG,CAAC,IAAI;oBAC5B,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC,EAChD;oBACA,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;iBACjC;YACH,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,MAAM,qBAAqB,GAAG,IAAI,GAAG,EAAE,CAAC;IAExC,oBAAoB,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;QACpC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,EAAE,EAAE,CAAC;QACtD,MAAM,MAAM,GAAG,GAAG,CAAC;QAEnB,IAAI,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE;YAClC,MAAM,YAAY,GAAG,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;YACpD,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE;gBAC1C,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;aACnC;SACF;aAAM;YACL,qBAAqB,CAAC,GAAG,CAAC,GAAG,EAAE;gBAC7B,IAAI,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE;gBACpC,EAAE,EAAE,IAAI,CAAC,EAAE;gBACX,KAAK,EAAE,IAAI,CAAC,SAAS;gBACrB,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ;qBACvB,MAAM,CAAC,CAAC,CAAC;qBACT,WAAW,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE;gBAC3C,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;gBAChC,OAAO,EAAE,CAAC,MAAM,CAAC;gBACjB,MAAM,EAAE,UAAU,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC;aAC1C,CAAC,CAAC;SACJ;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,qBAAqB,GAAG,KAAK,CAAC,IAAI,CAAC,qBAAqB,CAAC,MAAM,EAA
E,CAAC,CAAC,IAAI,CAC3E,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CACvC,CAAC;IAEF,OAAO,qBAAqB,CAAC;AAC/B,CAAC;AAED,SAAS,aAAa,CAAC,IAAmB;;IACxC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,EAAE;QAC9B,OAAO,uCAAuC,CAAC;KAChD;IAED,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE;QACzB,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3D,OAAO,WAAW,MAAA,MAAA,IAAI,CAAC,MAAM,0CAAE,MAAM,mCAAI,SAAS,GAAG,OAAO,EAAE,CAAC;KAChE;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,aAAa,CAAC,eAAgC;;IACrD,IAAI,MAAM,GAAG,EAAE,CAAC;IAEhB,MAAM,IAAI,8BAA8B,eAAe,CAAC,MAAM,qBAAqB,CAAC;IACpF,MAAM,IAAI,8DAA8D,CAAC;IACzE,MAAM,IAAI,8DAA8D,CAAC;IAEzE,MAAM,WAAW,GAAG,gBAAC,CAAC,OAAO,CAC3B,eAAe,EACf,CAAC,OAAO,EAAE,MAAM,CAAC,EACjB,CAAC,MAAM,EAAE,KAAK,CAAC,CAChB,CAAC;IACF,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE;QAC9B,MAAM,QAAQ,GAAG,GAAG,MAAA,IAAI,CAAC,KAAK,mCAAI,GAAG,KAAK,IAAI,CAAC,QAAQ,GAAG,CAAC;QAC3D,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;QAEpC,MAAM,IAAI,KAAK,IAAI,CAAC,IAAI,MAAM,IAAI,CAAC,EAAE,MAAM,QAAQ,MACjD,IAAI,CAAC,OAAO,IAAI,KAClB,MAAM,OAAO,MAAM,CAAC;KACrB;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,SAAS,CAAC,IAAmB;IACpC,OAAO,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,eAAe,CAAC,IAAmB;;IAC1C,OAAO,CAAA,MAAA,IAAI,CAAC,MAAM,0CAAE,IAAI,MAAK,QAAQ,CAAC;AACxC,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAmB;;IAC3C,OAAO,IAAI,IAAI,EAAE,KAAI,MAAA,IAAI,CAAC,MAAM,0CAAE,OAAO,CAAA,CAAC;AAC5C,CAAC;AAED,SAAS,mBAAmB,CAAC,IAAmB;IAC9C,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC;AACxB,CAAC;AAED,SAAS,IAAI,CAAC,MAAqB,EAAE,qBAAsC;;IACzE,MAAM,QAAQ,GAAG,MAAA,IAAA,oCAAe,EAAC,MAAM,CAAC,mCAAI,CAAC,CAAC;IAE9C,KAAK,MAAM,IAAI,IAAI,qBAAqB,EAAE;QACxC,IACE,CAAC,IAAI,CAAC,KAAK,KAAK,SAAS,IAAI,IAAI,CAAC,KAAK,IAAI,QAAQ,CAAC;YACpD,mBAAmB,CAAC,IAAI,CAAC;YACzB,CAAC,SAAS,CAAC,IAAI,CAAC,EAChB;YACA,MAAM,IAAI,KAAK,CACb,2DAA2D,MAAM,GAAG,CACrE,CAAC;SACH;KACF;AACH,CAAC;AAEM,KAAK,UAAU,2BAA2B,CAAC,OAMjD;;IACC,MAAM,sBAAsB,GAAG,MAAM,IAAA,2CAAmB,EACtD,OAAO,CAAC,eAAe,CACxB,CAAC;IAEF,MAAM,cAAc,GAAG,MAAM,WAAW,CAAC,OAAO
,CAAC,WAAW,CAAC,CAAC;IAC9D,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,MAAA,OAAO,CAAC,cAAc,mCAAI,OAAO,CAAC,GAAG,EAAE,EAAE;QAC3E,KAAK,EAAE,IAAI;KACZ,CAAC,CAAC;IAEH,MAAM,yBAAyB,GAAG,+BAA+B,CAC/D,cAAc,EACd,sBAAsB,EACtB,KAAK,CACN,CAAC;IAEF,CAAC,MAAA,OAAO,CAAC,WAAW,mCAAI,OAAO,CAAC,IAAI,CAAC,CACnC,aAAa,CAAC,yBAAyB,CAAC,CACzC,CAAC;IAEF,IAAI,OAAO,CAAC,MAAM,EAAE;QAClB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,yBAAyB,CAAC,CAAC;KACjD;AACH,CAAC;AA7BD,kEA6BC;AAED,SAAS,kBAAkB,CAAC,KAAa;IACvC,OAAO,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;AAC1B,CAAC;AAEY,QAAA,OAAO,GAAG,IAAI,mBAAO,CAAC,+BAA+B,CAAC;KAChE,WAAW,CACV,gFAAgF,CACjF;KACA,MAAM,CACL,wBAAwB,EACxB,0CAA0C,EAC1C,kBAAkB,EAClB,EAAE,CACH;KACA,MAAM,CACL,wBAAwB,EACxB,2CAA2C,EAC3C,kBAAkB,EAClB,EAAE,CACH;KACA,MAAM,CAAC,mBAAmB,EAAE,sCAAsC,CAAC;KACnE,MAAM,CAAC,2BAA2B,EAAE,kBAAkB,CAAC;KACvD,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;IACxB,MAAM,2BAA2B,CAAC;QAChC,eAAe,EAAE,OAAO,CAAC,YAAY;QACrC,WAAW,EAAE,OAAO,CAAC,WAAW;QAChC,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,cAAc,EAAE,OAAO,CAAC,cAAc;KACvC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
|
|
@@ -1,4 +1,7 @@
|
|
|
1
|
-
|
|
1
|
+
import type { SnykTestProjectResult } from '../snyk-vulnerability';
|
|
2
|
+
import { Command } from 'commander';
|
|
3
|
+
export declare function scanNodeJs({ version, }: {
|
|
2
4
|
version: string;
|
|
3
|
-
}): Promise<
|
|
5
|
+
}): Promise<SnykTestProjectResult>;
|
|
6
|
+
export declare const command: Command;
|
|
4
7
|
//# sourceMappingURL=scan-node-js.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"scan-node-js.d.ts","sourceRoot":"","sources":["../../src/commands/scan-node-js.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"scan-node-js.d.ts","sourceRoot":"","sources":["../../src/commands/scan-node-js.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,qBAAqB,EAEtB,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAsHpC,wBAAsB,UAAU,CAAC,EAC/B,OAAO,GACR,EAAE;IACD,OAAO,EAAE,MAAM,CAAC;CACjB,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAsBjC;AAED,eAAO,MAAM,OAAO,SAgBhB,CAAC"}
|
|
@@ -3,69 +3,30 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
|
3
3
|
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
4
|
};
|
|
5
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
-
exports.scanNodeJs = void 0;
|
|
6
|
+
exports.command = exports.scanNodeJs = void 0;
|
|
7
7
|
const node_fetch_1 = __importDefault(require("node-fetch"));
|
|
8
8
|
const semver_1 = __importDefault(require("semver"));
|
|
9
9
|
const nv_1 = __importDefault(require("@pkgjs/nv"));
|
|
10
|
-
const
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
const
|
|
14
|
-
return {
|
|
10
|
+
const snyk_vulnerability_1 = require("../snyk-vulnerability");
|
|
11
|
+
const commander_1 = require("commander");
|
|
12
|
+
async function formatVulnerability(id, nodeVulnerability, nodeVersion) {
|
|
13
|
+
const score = await fetchScore(`NSWG-COR-${id}`, nodeVulnerability);
|
|
14
|
+
return (0, snyk_vulnerability_1.buildSnykVulnerability)({
|
|
15
15
|
id: `NSWG-COR-${id}`,
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
credit: ['-'],
|
|
19
|
-
semver: {
|
|
20
|
-
vulnerable: nodeVuln.vulnerable,
|
|
21
|
-
},
|
|
22
|
-
exploit: '-',
|
|
23
|
-
patched: [nodeVuln.patched],
|
|
24
|
-
patches: [],
|
|
25
|
-
fixedIn: (nodeVuln.patched || '').split(' || '),
|
|
26
|
-
insights: {
|
|
27
|
-
triageAdvice: null,
|
|
28
|
-
},
|
|
29
|
-
language: 'js',
|
|
30
|
-
severity: severity,
|
|
31
|
-
cvssScore: score,
|
|
32
|
-
functions: [],
|
|
33
|
-
moduleName: '.node.js',
|
|
34
|
-
references: [
|
|
35
|
-
{
|
|
36
|
-
url: nodeVuln.ref,
|
|
37
|
-
title: 'Ref',
|
|
38
|
-
},
|
|
39
|
-
],
|
|
40
|
-
cvssDetails: [],
|
|
41
|
-
description: nodeVuln.overview,
|
|
42
|
-
epssDetails: null,
|
|
43
|
-
identifiers: {
|
|
44
|
-
CVE: nodeVuln.cve,
|
|
45
|
-
},
|
|
16
|
+
cves: nodeVulnerability.cve,
|
|
17
|
+
fixedIn: (nodeVulnerability.patched || '').split(' || '),
|
|
46
18
|
packageName: '.node.js',
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
publicationTime: '-',
|
|
54
|
-
modificationTime: '-',
|
|
55
|
-
socialTrendAlert: false,
|
|
56
|
-
severityWithCritical: severity,
|
|
57
|
-
from: [`.node.js@${nodeVersion}`],
|
|
58
|
-
upgradePath: [],
|
|
59
|
-
isUpgradable: true,
|
|
60
|
-
isPatchable: false,
|
|
61
|
-
name: '.node.js',
|
|
62
|
-
version: nodeVersion,
|
|
63
|
-
};
|
|
19
|
+
score,
|
|
20
|
+
url: nodeVulnerability.ref,
|
|
21
|
+
packageVersion: nodeVersion,
|
|
22
|
+
description: nodeVulnerability.overview,
|
|
23
|
+
vulnerableSemver: nodeVulnerability.vulnerable,
|
|
24
|
+
});
|
|
64
25
|
}
|
|
65
|
-
async function fetchScore(vulnId,
|
|
66
|
-
const cves = await Promise.all(
|
|
26
|
+
async function fetchScore(vulnId, nodeVulnerability) {
|
|
27
|
+
const cves = await Promise.all(nodeVulnerability.cve.map((cve) => (0, node_fetch_1.default)(`https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=${cve}`).then((res) => res.ok
|
|
67
28
|
? res.json()
|
|
68
|
-
: Promise.reject(`Fetch ${cve} failed
|
|
29
|
+
: Promise.reject(new Error(`Fetch ${cve} failed. Status: ${res.status}`))))).catch((e) => {
|
|
69
30
|
console.error(`Error fetching score for ${vulnId}: ${e.message}`);
|
|
70
31
|
return [];
|
|
71
32
|
});
|
|
@@ -99,20 +60,28 @@ async function isSupported(version) {
|
|
|
99
60
|
.join(' || ');
|
|
100
61
|
return semver_1.default.satisfies(version, supported);
|
|
101
62
|
}
|
|
102
|
-
async function scanNodeJs({ version }) {
|
|
63
|
+
async function scanNodeJs({ version, }) {
|
|
103
64
|
if (!(await isSupported(version))) {
|
|
104
65
|
throw new Error(`Failed: node.js@${version} is not supported anymore.`);
|
|
105
66
|
}
|
|
106
|
-
const
|
|
67
|
+
const coreDbVulnerability = await downloadCoreDb();
|
|
107
68
|
const affectedBy = [];
|
|
108
|
-
for (const [id,
|
|
109
|
-
if (semver_1.default.satisfies(version,
|
|
110
|
-
|
|
111
|
-
!semver_1.default.satisfies(version,
|
|
112
|
-
affectedBy.push(await
|
|
69
|
+
for (const [id, vulnerability] of Object.entries(coreDbVulnerability)) {
|
|
70
|
+
if (semver_1.default.satisfies(version, vulnerability.vulnerable) &&
|
|
71
|
+
vulnerability.patched &&
|
|
72
|
+
!semver_1.default.satisfies(version, vulnerability.patched)) {
|
|
73
|
+
affectedBy.push(await formatVulnerability(id, vulnerability, version));
|
|
113
74
|
}
|
|
114
75
|
}
|
|
115
|
-
|
|
76
|
+
return { vulnerabilities: affectedBy };
|
|
116
77
|
}
|
|
117
78
|
exports.scanNodeJs = scanNodeJs;
|
|
79
|
+
exports.command = new commander_1.Command('scan-node-js')
|
|
80
|
+
.description('Scan node.js version for known vulnerabilities')
|
|
81
|
+
.option('--version <version>', 'Path to the node.js security-wg core database of vulnerabilities')
|
|
82
|
+
.action(async (options) => {
|
|
83
|
+
console.info(JSON.stringify(await scanNodeJs({
|
|
84
|
+
version: options.version,
|
|
85
|
+
}), null, 2));
|
|
86
|
+
});
|
|
118
87
|
//# sourceMappingURL=scan-node-js.js.map
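Review bot: The description of `--version <version>` says 'Path to the node.js security-wg core database of vulnerabilities', but `scanNodeJs` uses the value as the Node.js version it passes to `isSupported` and `semver.satisfies`, and nothing in the command reads a database path; something like `.option('--version <version>', 'node.js version to scan')` matches what the code does. In `fetchScore` the CVE id taken from the downloaded core database is interpolated straight into the NVD query string; building it with `new URL('https://services.nvd.nist.gov/rest/json/cves/2.0')` and `url.searchParams.set('cveId', cve)` keeps the request well-formed if an id ever carries unexpected characters. The `.catch` on `Promise.all` also turns one failed lookup into an empty `cves` array for the whole vulnerability, so a single rate-limited response drops the score for every CVE of that entry; `Promise.allSettled` would keep the ones that succeeded. `fetchScore` continues past the hunk, and `downloadCoreDb` and `isSupported` are defined outside it.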
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"scan-node-js.js","sourceRoot":"","sources":["../../src/commands/scan-node-js.ts"],"names":[],"mappings":";;;;;;AAAA,4DAA+B;AAC/B,oDAA4B;AAC5B,mDAA2B;
|
|
1
|
+
{"version":3,"file":"scan-node-js.js","sourceRoot":"","sources":["../../src/commands/scan-node-js.ts"],"names":[],"mappings":";;;;;;AAAA,4DAA+B;AAC/B,oDAA4B;AAC5B,mDAA2B;AAK3B,8DAA+D;AAC/D,yCAAoC;AAYpC,KAAK,UAAU,mBAAmB,CAChC,EAAU,EACV,iBAAoC,EACpC,WAAmB;IAEnB,MAAM,KAAK,GAAG,MAAM,UAAU,CAAC,YAAY,EAAE,EAAE,EAAE,iBAAiB,CAAC,CAAC;IAEpE,OAAO,IAAA,2CAAsB,EAAC;QAC5B,EAAE,EAAE,YAAY,EAAE,EAAE;QACpB,IAAI,EAAE,iBAAiB,CAAC,GAAG;QAC3B,OAAO,EAAE,CAAC,iBAAiB,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC;QAExD,WAAW,EAAE,UAAU;QACvB,KAAK;QAEL,GAAG,EAAE,iBAAiB,CAAC,GAAG;QAC1B,cAAc,EAAE,WAAW;QAC3B,WAAW,EAAE,iBAAiB,CAAC,QAAQ;QACvC,gBAAgB,EAAE,iBAAiB,CAAC,UAAU;KAC/C,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,UAAU,CACvB,MAAc,EACd,iBAAoC;IAEpC,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,GAAG,CAC5B,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAChC,IAAA,oBAAK,EACH,0DAA0D,GAAG,EAAE,CAChE,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CACb,GAAG,CAAC,EAAE;QACJ,CAAC,CAAC,GAAG,CAAC,IAAI,EAAE;QACZ,CAAC,CAAC,OAAO,CAAC,MAAM,CACZ,IAAI,KAAK,CAAC,SAAS,GAAG,oBAAoB,GAAG,CAAC,MAAM,EAAE,CAAC,CACxD,CACN,CACF,CACF,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;QACZ,OAAO,CAAC,KAAK,CACX,4BAA4B,MAAM,KAAM,CAAW,CAAC,OAAO,EAAE,CAC9D,CAAC;QAEF,OAAO,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;IAEH,MAAM,sBAAsB,GAAG,CAC7B,WAGG,EACH,EAAE;;QACF,OAAO,CACL,MAAA,MAAA,MAAA,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,SAAS,CAAC,0CAAE,QAAQ,0CAAE,SAAS,mCAClE,MAAA,MAAA,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,WAAW,CAAC,0CAAE,QAAQ,0CAAE,SAAS,CACrE,CAAC;IACJ,CAAC,CAAC;IAEF,MAAM,OAAO,GAA2B,IAAI,CAAC,GAAG,CAC9C,CAAC,GAAG,EAAE,EAAE;;QACN,OAAA,MAAA,MAAA,sBAAsB,CACpB,MAAA,MAAA,MAAA,MAAA,GAAG,aAAH,GAAG,uBAAH,GAAG,CAAE,eAAe,CAAC,CAAC,CAAC,0CAAE,GAAG,0CAAE,OAAO,0CAAE,aAAa,mCAAI,EAAE,CAC3D,mCACD,sBAAsB,CACpB,MAAA,MAAA,MAAA,MAAA,GAAG,aAAH,GAAG,uBAAH,GAAG,CAAE,eAAe,CAAC,CAAC,CAAC,0CAAE,GAAG,0CAAE,OAAO,0CAAE,aAAa,mCAAI,EAAE,CAC3D,mCACD,sBAAsB,CACpB,MAAA,MAAA,MAAA,MAAA,GAAG,aAAH,GAAG,uBAAH,GAAG,CAAE,eAAe,CAAC,CAAC,CAAC,0CAAE,GAAG,0CAAE,OAAO,0CAAE,
YAAY,mCAAI,EAAE,CAC1D,CAAA;KAAA,CACJ,CAAC;IAEF,MAAM,SAAS,GAAa,EAAE,CAAC;IAE/B,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE;QAC1B,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE;YAC5B,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;SACtB;KACF;IAKD,OAAO,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;AAC/D,CAAC;AAED,KAAK,UAAU,cAAc;IAC3B,MAAM,GAAG,GACP,gFAAgF,CAAC;IAEnF,MAAM,QAAQ,GAAG,MAAM,IAAA,oBAAK,EAAC,GAAG,CAAC,CAAC;IAElC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE;QAChB,MAAM,IAAI,KAAK,CAAC,oBAAoB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;KACxD;IAED,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;AAC/B,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,OAAe;IACxC,MAAM,SAAS,GAAG,CAAC,MAAM,IAAA,YAAE,EAAC,WAAW,CAAC,CAAC;SACtC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,CAAC;SAC1B,IAAI,CAAC,MAAM,CAAC,CAAC;IAEhB,OAAO,gBAAM,CAAC,SAAS,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;AAC9C,CAAC;AAEM,KAAK,UAAU,UAAU,CAAC,EAC/B,OAAO,GAGR;IAGC,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,OAAO,CAAC,CAAC,EAAE;QACjC,MAAM,IAAI,KAAK,CAAC,mBAAmB,OAAO,4BAA4B,CAAC,CAAC;KACzE;IAED,MAAM,mBAAmB,GAAG,MAAM,cAAc,EAAE,CAAC;IAEnD,MAAM,UAAU,GAAG,EAAE,CAAC;IAEtB,KAAK,MAAM,CAAC,EAAE,EAAE,aAAa,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,mBAAmB,CAAC,EAAE;QACrE,IACE,gBAAM,CAAC,SAAS,CAAC,OAAO,EAAE,aAAa,CAAC,UAAU,CAAC;YACnD,aAAa,CAAC,OAAO;YACrB,CAAC,gBAAM,CAAC,SAAS,CAAC,OAAO,EAAE,aAAa,CAAC,OAAO,CAAC,EACjD;YACA,UAAU,CAAC,IAAI,CAAC,MAAM,mBAAmB,CAAC,EAAE,EAAE,aAAa,EAAE,OAAO,CAAC,CAAC,CAAC;SACxE;KACF;IAED,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,CAAC;AACzC,CAAC;AA1BD,gCA0BC;AAEY,QAAA,OAAO,GAAG,IAAI,mBAAO,CAAC,cAAc,CAAC;KAC/C,WAAW,CAAC,gDAAgD,CAAC;KAC7D,MAAM,CACL,qBAAqB,EACrB,kEAAkE,CACnE;KACA,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;IACxB,OAAO,CAAC,IAAI,CACV,IAAI,CAAC,SAAS,CACZ,MAAM,UAAU,CAAC;QACf,OAAO,EAAE,OAAO,CAAC,OAAO;KACzB,CAAC,EACF,IAAI,EACJ,CAAC,CACF,CACF,CAAC;AACJ,CAAC,CAAC,CAAC"}
|
|
@@ -1,3 +1,3 @@
|
|
|
1
|
-
export declare function findPackageLocation(packageName: string): string;
|
|
2
|
-
export declare function findAllProdDepsTreeLocations(): string[];
|
|
1
|
+
export declare function findPackageLocation(packageName: string, from: string): string;
|
|
2
|
+
export declare function findAllProdDepsTreeLocations(from?: string): string[];
|
|
3
3
|
//# sourceMappingURL=production-deps.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"production-deps.d.ts","sourceRoot":"","sources":["../src/production-deps.ts"],"names":[],"mappings":"AAeA,wBAAgB,mBAAmB,CAAC,WAAW,EAAE,MAAM,
|
|
1
|
+
{"version":3,"file":"production-deps.d.ts","sourceRoot":"","sources":["../src/production-deps.ts"],"names":[],"mappings":"AAeA,wBAAgB,mBAAmB,CAAC,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAW7E;AAiBD,wBAAgB,4BAA4B,CAAC,IAAI,SAAgB,GAAG,MAAM,EAAE,CAgD3E"}
|
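--- a/package/dist/production-deps.js
+++ b/package/dist/production-deps.js
@@ -7,16 +7,16 @@ exports.findAllProdDepsTreeLocations = exports.findPackageLocation = void 0;
 const path_1 = __importDefault(require("path"));
 const find_up_1 = __importDefault(require("find-up"));
 const fs_1 = __importDefault(require("fs"));
-function resolvePackage(packageName) {
-const resolved = require.resolve(packageName);
+function resolvePackage(packageName, from) {
+const resolved = require.resolve(packageName, { paths: [from] });
 if (resolved === packageName) {
-return require.resolve(packageName + '/');
+return require.resolve(packageName + '/', { paths: [from] });
 }
 return resolved;
 }
-function findPackageLocation(packageName) {
+function findPackageLocation(packageName, from) {
 const packageJsonPath = find_up_1.default.sync('package.json', {
-cwd: resolvePackage(packageName),
+cwd: resolvePackage(packageName, from),
 allowSymlinks: false,
 });
 if (!packageJsonPath) {
@@ -40,8 +40,8 @@ function getProductionDeps(packageLocation) {
 }
 return { dependencies, optionalDependencies };
 }
-function findAllProdDepsTreeLocations() {
-const rootPackageJsonPath = find_up_1.default.sync('package.json');
+function findAllProdDepsTreeLocations(from = process.cwd()) {
+const rootPackageJsonPath = find_up_1.default.sync('package.json', { cwd: from });
 if (!rootPackageJsonPath) {
 throw new Error('cannot find root package.json');
 }
@@ -64,7 +64,7 @@ function findAllProdDepsTreeLocations() {
 ...Object.keys(optionalDependencies),
 ].forEach((dep) => {
 try {
-const depLocation = findPackageLocation(dep);
+const depLocation = findPackageLocation(dep, from);
 if (depLocation) {
 allLocations.add(depLocation);
 queue.push(depLocation);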
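Review bot: `findPackageLocation(packageName, from)` and `resolvePackage(packageName, from)` now take a second argument with no default, and the accompanying `.d.ts` declares `from: string` as required, while `findAllProdDepsTreeLocations(from = process.cwd())` keeps a default; an external caller that still invokes `findPackageLocation(dep)` ends up passing `{ paths: [undefined] }` to `require.resolve`, which Node will most likely reject, and that is a behaviour change in a 0.2.2 → 0.2.3 patch release. Giving the exported function the same default, `function findPackageLocation(packageName, from = process.cwd()) {`, keeps the old single-argument form working and matches the other export. `findPackageLocation` and `findAllProdDepsTreeLocations` both continue outside the hunks shown.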
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"production-deps.js","sourceRoot":"","sources":["../src/production-deps.ts"],"names":[],"mappings":";;;;;;AAAA,gDAAwB;AACxB,sDAA6B;AAC7B,4CAAoB;AAEpB,SAAS,cAAc,CAAC,WAAmB;
|
|
1
|
+
{"version":3,"file":"production-deps.js","sourceRoot":"","sources":["../src/production-deps.ts"],"names":[],"mappings":";;;;;;AAAA,gDAAwB;AACxB,sDAA6B;AAC7B,4CAAoB;AAEpB,SAAS,cAAc,CAAC,WAAmB,EAAE,IAAY;IACvD,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,KAAK,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAGjE,IAAI,QAAQ,KAAK,WAAW,EAAE;QAC5B,OAAO,OAAO,CAAC,OAAO,CAAC,WAAW,GAAG,GAAG,EAAE,EAAE,KAAK,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;KAC9D;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAgB,mBAAmB,CAAC,WAAmB,EAAE,IAAY;IACnE,MAAM,eAAe,GAAG,iBAAM,CAAC,IAAI,CAAC,cAAc,EAAE;QAClD,GAAG,EAAE,cAAc,CAAC,WAAW,EAAE,IAAI,CAAC;QACtC,aAAa,EAAE,KAAK;KACrB,CAAC,CAAC;IAEH,IAAI,CAAC,eAAe,EAAE;QACpB,MAAM,IAAI,KAAK,CAAC,mCAAmC,WAAW,EAAE,CAAC,CAAC;KACnE;IAED,OAAO,cAAI,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;AACvC,CAAC;AAXD,kDAWC;AAED,SAAS,iBAAiB,CAAC,eAAuB;IAChD,MAAM,eAAe,GAAG,cAAI,CAAC,IAAI,CAAC,eAAe,EAAE,cAAc,CAAC,CAAC;IACnE,IAAI,YAAY,GAAG,EAAE,CAAC;IACtB,IAAI,oBAAoB,GAAG,EAAE,CAAC;IAC9B,IAAI;QACF,MAAM,mBAAmB,GAAG,YAAE,CAAC,YAAY,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QACrE,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACpD,YAAY,GAAG,WAAW,CAAC,YAAY,IAAI,EAAE,CAAC;QAC9C,oBAAoB,GAAG,WAAW,CAAC,oBAAoB,IAAI,EAAE,CAAC;KAC/D;IAAC,OAAO,GAAG,EAAE;QACZ,OAAO,CAAC,KAAK,CAAC,kCAAkC,eAAe,EAAE,CAAC,CAAC;KACpE;IACD,OAAO,EAAE,YAAY,EAAE,oBAAoB,EAAE,CAAC;AAChD,CAAC;AAED,SAAgB,4BAA4B,CAAC,IAAI,GAAG,OAAO,CAAC,GAAG,EAAE;IAC/D,MAAM,mBAAmB,GAAG,iBAAM,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;IACvE,IAAI,CAAC,mBAAmB,EAAE;QACxB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;KAClD;IAED,MAAM,IAAI,GAAG,cAAI,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IAC/C,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IACvC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAE,CAAC;IAC1B,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,CAAC;IAErB,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE;QACvB,MAAM,eAAe,GAAG,KAAK,CAAC,KAAK,EAAE,CAAC;QAEtC,IAAI,CAAC,eAAe,EAAE;YACpB,SAAS;SACV;QAED,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE;YAChC,SAAS;SACV;QAED,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;QAE7B,MAAM,EAAE,YAAY,EAAE,oBAAoB,EAAE,GAC1C,iBAAiB,CAAC,eA
Ae,CAAC,CAAC;QACrC;YACE,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC;YAC5B,GAAG,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC;SACrC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;YAChB,IAAI;gBACF,MAAM,WAAW,GAAG,mBAAmB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;gBAEnD,IAAI,WAAW,EAAE;oBACf,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;oBAC9B,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;iBACzB;aACF;YAAC,OAAO,KAAK,EAAE;gBACd,OAAO,CAAC,KAAK,CACX,8BAA8B,GAAG,SAAS,eAAe,oDACtD,KAAe,CAAC,OACnB,EAAE,CACH,CAAC;aACH;QACH,CAAC,CAAC,CAAC;KACJ;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;AAClC,CAAC;AAhDD,oEAgDC"}
|
|
@@ -0,0 +1,69 @@
|
|
|
1
|
+
export declare type KnownSeverity = 'low' | 'medium' | 'high' | 'critical';
|
|
2
|
+
export declare type Severity = KnownSeverity | 'unknown';
|
|
3
|
+
declare type Score = number | undefined;
|
|
4
|
+
export declare function severityToScore(severity: Severity): Score;
|
|
5
|
+
export declare function scoreToSeverity(score: number | undefined): Severity;
|
|
6
|
+
export declare type SnykVulnerability = {
|
|
7
|
+
id: string;
|
|
8
|
+
title: string;
|
|
9
|
+
CVSSv3: string;
|
|
10
|
+
credit: string[];
|
|
11
|
+
semver: {
|
|
12
|
+
vulnerable: string;
|
|
13
|
+
};
|
|
14
|
+
exploit: string;
|
|
15
|
+
patched: string[];
|
|
16
|
+
patches: never[];
|
|
17
|
+
fixedIn: string[];
|
|
18
|
+
insights: {
|
|
19
|
+
triageAdvice: null;
|
|
20
|
+
};
|
|
21
|
+
language: string;
|
|
22
|
+
severity: Severity;
|
|
23
|
+
cvssScore: number | undefined;
|
|
24
|
+
functions: never[];
|
|
25
|
+
moduleName: string;
|
|
26
|
+
references: {
|
|
27
|
+
url: string;
|
|
28
|
+
title: string;
|
|
29
|
+
}[];
|
|
30
|
+
cvssDetails: never[];
|
|
31
|
+
description: string;
|
|
32
|
+
epssDetails: null;
|
|
33
|
+
identifiers: {
|
|
34
|
+
CVE: string[];
|
|
35
|
+
};
|
|
36
|
+
packageName: string;
|
|
37
|
+
proprietary: boolean;
|
|
38
|
+
creationTime: string;
|
|
39
|
+
functions_new: never[];
|
|
40
|
+
alternativeIds: never[];
|
|
41
|
+
disclosureTime: string;
|
|
42
|
+
packageManager: string;
|
|
43
|
+
publicationTime: string;
|
|
44
|
+
modificationTime: string;
|
|
45
|
+
socialTrendAlert: boolean;
|
|
46
|
+
severityWithCritical: Severity;
|
|
47
|
+
from: string[];
|
|
48
|
+
upgradePath: never[];
|
|
49
|
+
isUpgradable: boolean;
|
|
50
|
+
isPatchable: boolean;
|
|
51
|
+
name: string;
|
|
52
|
+
version: string;
|
|
53
|
+
};
|
|
54
|
+
export declare type SnykTestProjectResult = {
|
|
55
|
+
vulnerabilities: SnykVulnerability[];
|
|
56
|
+
};
|
|
57
|
+
export declare function buildSnykVulnerability({ id, packageName, packageVersion, score, cves, vulnerableSemver, fixedIn, description, url, }: {
|
|
58
|
+
cves: string[];
|
|
59
|
+
fixedIn: string[];
|
|
60
|
+
id: string;
|
|
61
|
+
description?: string;
|
|
62
|
+
packageName: string;
|
|
63
|
+
score: number | undefined;
|
|
64
|
+
url?: string;
|
|
65
|
+
packageVersion: string;
|
|
66
|
+
vulnerableSemver: string;
|
|
67
|
+
}): SnykVulnerability | PromiseLike<SnykVulnerability>;
|
|
68
|
+
export {};
|
|
69
|
+
//# sourceMappingURL=snyk-vulnerability.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"snyk-vulnerability.d.ts","sourceRoot":"","sources":["../src/snyk-vulnerability.ts"],"names":[],"mappings":"AAAA,oBAAY,aAAa,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AACnE,oBAAY,QAAQ,GAAG,aAAa,GAAG,SAAS,CAAC;AAEjD,aAAK,KAAK,GAAG,MAAM,GAAG,SAAS,CAAC;AAUhC,wBAAgB,eAAe,CAAC,QAAQ,EAAE,QAAQ,GAAG,KAAK,CAEzD;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,QAAQ,CAenE;AAED,oBAAY,iBAAiB,GAAG;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,MAAM,EAAE;QACN,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;IACF,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,EAAE,KAAK,EAAE,CAAC;IACjB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,EAAE;QACR,YAAY,EAAE,IAAI,CAAC;KACpB,CAAC;IACF,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;IACnB,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,SAAS,EAAE,KAAK,EAAE,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE;QACV,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,CAAC;KACf,EAAE,CAAC;IACJ,WAAW,EAAE,KAAK,EAAE,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,IAAI,CAAC;IAClB,WAAW,EAAE;QACX,GAAG,EAAE,MAAM,EAAE,CAAC;KACf,CAAC;IACF,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,OAAO,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,KAAK,EAAE,CAAC;IACvB,cAAc,EAAE,KAAK,EAAE,CAAC;IACxB,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,eAAe,EAAE,MAAM,CAAC;IACxB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,oBAAoB,EAAE,QAAQ,CAAC;IAC/B,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,WAAW,EAAE,KAAK,EAAE,CAAC;IACrB,YAAY,EAAE,OAAO,CAAC;IACtB,WAAW,EAAE,OAAO,CAAC;IACrB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF,oBAAY,qBAAqB,GAAG;IAClC,eAAe,EAAE,iBAAiB,EAAE,CAAC;CACtC,CAAC;AAEF,wBAAgB,sBAAsB,CAAC,EACrC,EAAE,EACF,WAAW,EACX,cAAc,EACd,KAAK,EACL,IAAI,EACJ,gBAAgB,EAChB,OAAO,EACP,WAAW,EACX,GAAG,GACJ,EAAE;IACD,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,EAAE,EAAE,MAAM,CAAC;IACX,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC;IAC1B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,cAAc,EAAE,MA
AM,CAAC;IACvB,gBAAgB,EAAE,MAAM,CAAC;CAC1B,GAAG,iBAAiB,GAAG,WAAW,CAAC,iBAAiB,CAAC,CAsDrD"}
|
|
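--- /dev/null
+++ b/package/dist/snyk-vulnerability.js
@@ -0,0 +1,87 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildSnykVulnerability = exports.scoreToSeverity = exports.severityToScore = void 0;
+const SEVERITY_TO_SCORE = {
+low: 0,
+medium: 4,
+high: 7,
+critical: 9,
+unknown: undefined,
+};
+function severityToScore(severity) {
+return SEVERITY_TO_SCORE[severity];
+}
+exports.severityToScore = severityToScore;
+function scoreToSeverity(score) {
+if (score === undefined) {
+return 'unknown';
+}
+if (score >= 9) {
+return 'critical';
+}
+if (score >= 7) {
+return 'high';
+}
+if (score >= 4) {
+return 'medium';
+}
+return 'low';
+}
+exports.scoreToSeverity = scoreToSeverity;
+function buildSnykVulnerability({ id, packageName, packageVersion, score, cves, vulnerableSemver, fixedIn, description, url, }) {
+const severity = scoreToSeverity(score);
+return {
+id,
+title: id,
+CVSSv3: '-',
+credit: ['-'],
+semver: {
+vulnerable: vulnerableSemver,
+},
+exploit: '-',
+patched: fixedIn,
+patches: [],
+fixedIn: fixedIn,
+insights: {
+triageAdvice: null,
+},
+language: 'js',
+severity: severity,
+cvssScore: score,
+functions: [],
+moduleName: packageName,
+references: url
+? [
+{
+url: url,
+title: 'Ref',
+},
+]
+: [],
+cvssDetails: [],
+description: description !== null && description !== void 0 ? description : '',
+epssDetails: null,
+identifiers: {
+CVE: cves,
+},
+packageName: packageName,
+proprietary: true,
+creationTime: '-',
+functions_new: [],
+alternativeIds: [],
+disclosureTime: '-',
+packageManager: 'npm',
+publicationTime: '-',
+modificationTime: '-',
+socialTrendAlert: false,
+severityWithCritical: severity,
+from: [`${packageName}@${packageVersion}`],
+upgradePath: [],
+isUpgradable: true,
+isPatchable: false,
+name: packageName,
+version: packageVersion,
+};
+}
+exports.buildSnykVulnerability = buildSnykVulnerability;
+//# sourceMappingURL=snyk-vulnerability.js.map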
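Review bot: In scoreToSeverity only `undefined` is treated as unknown, so a `NaN` score (e.g. a CVSS value that failed to parse before reaching this function) fails every `>=` comparison and is silently reported as `'low'`, the one outcome most likely to push a finding below a severity threshold; `if (score === undefined || Number.isNaN(score)) {` closes that gap while keeping the existing `'unknown'` path. In buildSnykVulnerability, `isUpgradable: true` is emitted unconditionally even when `fixedIn` is empty and `upgradePath` is always `[]`, which looks contradictory to any consumer that keys remediation on those flags; `isUpgradable: fixedIn.length > 0,` would make the flag follow the data it is supposed to summarize. severityToScore indexes a plain object with a value that at runtime may come from an external report, so a key such as `'constructor'` resolves through the prototype instead of yielding `undefined`; giving the table a null prototype or guarding with `Object.hasOwn` keeps anything outside the five known severities mapping to `undefined`. Since this is compiled output, the fixes belong in src/snyk-vulnerability.ts.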
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"snyk-vulnerability.js","sourceRoot":"","sources":["../src/snyk-vulnerability.ts"],"names":[],"mappings":";;;AAKA,MAAM,iBAAiB,GAA4B;IACjD,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;IACX,OAAO,EAAE,SAAS;CACnB,CAAC;AAEF,SAAgB,eAAe,CAAC,QAAkB;IAChD,OAAO,iBAAiB,CAAC,QAAQ,CAAC,CAAC;AACrC,CAAC;AAFD,0CAEC;AAED,SAAgB,eAAe,CAAC,KAAyB;IACvD,IAAI,KAAK,KAAK,SAAS,EAAE;QACvB,OAAO,SAAS,CAAC;KAClB;IAED,IAAI,KAAK,IAAI,CAAC,EAAE;QACd,OAAO,UAAU,CAAC;KACnB;IACD,IAAI,KAAK,IAAI,CAAC,EAAE;QACd,OAAO,MAAM,CAAC;KACf;IACD,IAAI,KAAK,IAAI,CAAC,EAAE;QACd,OAAO,QAAQ,CAAC;KACjB;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAfD,0CAeC;AAuDD,SAAgB,sBAAsB,CAAC,EACrC,EAAE,EACF,WAAW,EACX,cAAc,EACd,KAAK,EACL,IAAI,EACJ,gBAAgB,EAChB,OAAO,EACP,WAAW,EACX,GAAG,GAWJ;IACC,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IACxC,OAAO;QACL,EAAE;QACF,KAAK,EAAE,EAAE;QACT,MAAM,EAAE,GAAG;QACX,MAAM,EAAE,CAAC,GAAG,CAAC;QACb,MAAM,EAAE;YACN,UAAU,EAAE,gBAAgB;SAC7B;QACD,OAAO,EAAE,GAAG;QACZ,OAAO,EAAE,OAAO;QAChB,OAAO,EAAE,EAAE;QACX,OAAO,EAAE,OAAO;QAChB,QAAQ,EAAE;YACR,YAAY,EAAE,IAAI;SACnB;QACD,QAAQ,EAAE,IAAI;QACd,QAAQ,EAAE,QAAQ;QAClB,SAAS,EAAE,KAAK;QAChB,SAAS,EAAE,EAAE;QACb,UAAU,EAAE,WAAW;QACvB,UAAU,EAAE,GAAG;YACb,CAAC,CAAC;gBACE;oBACE,GAAG,EAAE,GAAG;oBACR,KAAK,EAAE,KAAK;iBACb;aACF;YACH,CAAC,CAAC,EAAE;QACN,WAAW,EAAE,EAAE;QACf,WAAW,EAAE,WAAW,aAAX,WAAW,cAAX,WAAW,GAAI,EAAE;QAC9B,WAAW,EAAE,IAAI;QACjB,WAAW,EAAE;YACX,GAAG,EAAE,IAAI;SACV;QACD,WAAW,EAAE,WAAW;QACxB,WAAW,EAAE,IAAI;QACjB,YAAY,EAAE,GAAG;QACjB,aAAa,EAAE,EAAE;QACjB,cAAc,EAAE,EAAE;QAClB,cAAc,EAAE,GAAG;QACnB,cAAc,EAAE,KAAK;QACrB,eAAe,EAAE,GAAG;QACpB,gBAAgB,EAAE,GAAG;QACrB,gBAAgB,EAAE,KAAK;QACvB,oBAAoB,EAAE,QAAQ;QAC9B,IAAI,EAAE,CAAC,GAAG,WAAW,IAAI,cAAc,EAAE,CAAC;QAC1C,WAAW,EAAE,EAAE;QACf,YAAY,EAAE,IAAI;QAClB,WAAW,EAAE,KAAK;QAClB,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,cAAc;KACxB,CAAC;AACJ,CAAC;AA1ED,wDA0EC"}
|
|
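--- a/package/dist/webpack-dependencies-plugin.d.ts
+++ b/package/dist/webpack-dependencies-plugin.d.ts
@@ -1,19 +1,18 @@
 import type { Compiler, WebpackPluginInstance } from 'webpack';
-declare type WebpackDependenciesPluginOptions = {
+export declare type WebpackDependenciesPluginOptions = {
 outputFilename?: string;
 includePackages?: string[];
 includeExternalProductionDependencies?: boolean;
-excludeModules?: string[];
 };
 export declare class WebpackDependenciesPlugin implements WebpackPluginInstance {
 private options;
 private readonly pluginName;
-outputPath
-includePackages: string[];
+outputPath?: string;
 resolvedModules: Set<string>;
-
+includeExternalProductionDependencies: boolean;
+includePackages: string[];
 constructor(options?: WebpackDependenciesPluginOptions);
-private
+private isThirdPartyModule;
 private handleTap;
 apply(compiler: Compiler): void;
 }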
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"webpack-dependencies-plugin.d.ts","sourceRoot":"","sources":["../src/webpack-dependencies-plugin.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAe,QAAQ,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;
|
|
1
|
+
{"version":3,"file":"webpack-dependencies-plugin.d.ts","sourceRoot":"","sources":["../src/webpack-dependencies-plugin.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAe,QAAQ,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;AAW5E,oBAAY,gCAAgC,GAAG;IAC7C,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,qCAAqC,CAAC,EAAE,OAAO,CAAC;CACjD,CAAC;AAMF,qBAAa,yBAA0B,YAAW,qBAAqB;IAOzD,OAAO,CAAC,OAAO;IAN3B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAe;IAC1C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,eAAe,cAAqB;IACpC,qCAAqC,EAAE,OAAO,CAAC;IAC/C,eAAe,EAAE,MAAM,EAAE,CAAM;gBAEX,OAAO,GAAE,gCAAqC;IAOlE,OAAO,CAAC,kBAAkB;IAI1B,OAAO,CAAC,SAAS,CA8Bf;IAEF,KAAK,CAAC,QAAQ,EAAE,QAAQ,GAAG,IAAI;CA4BhC;AAED,eAAe,yBAAyB,CAAC"}
|