@nodesecure/scanner 3.0.0 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/index.d.ts +2 -2
  2. package/index.js +6 -5
  3. package/package.json +1 -1
  4. package/src/constants.js +13 -0
  5. package/src/depWalker.js +304 -298
  6. package/src/utils/analyzeDependencies.js +1 -1
  7. package/types/api.d.ts +5 -2
  8. package/types/logger.d.ts +15 -1
  9. package/types/scanner.d.ts +5 -2
package/index.d.ts CHANGED
@@ -1,11 +1,11 @@
1
1
  import Scanner from "./types/scanner";
2
- import { cwd, from, verify } from "./types/api";
2
+ import { cwd, from, verify, ScannerLoggerEvents } from "./types/api";
3
3
  import { depWalker } from "./types/walker";
4
4
  import { Logger, LoggerEventData } from "./types/logger";
5
5
  import tarball from "./types/tarball";
6
6
 
7
7
  export {
8
- cwd, from, verify,
8
+ cwd, from, verify, ScannerLoggerEvents,
9
9
  Scanner,
10
10
  Logger,
11
11
  LoggerEventData,
package/index.js CHANGED
@@ -11,6 +11,7 @@ import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
11
11
  // Import Internal Dependencies
12
12
  import { depWalker } from "./src/depWalker.js";
13
13
  import { NPM_TOKEN } from "./src/utils/index.js";
14
+ import { ScannerLoggerEvents } from "./src/constants.js";
14
15
  import Logger from "./src/class/logger.class.js";
15
16
  import * as tarball from "./src/tarball.js";
16
17
 
@@ -20,20 +21,20 @@ const kDefaultCwdOptions = { forceRootAnalysis: true, usePackageLock: true };
20
21
  export async function cwd(cwd = process.cwd(), options = {}, logger = new Logger()) {
21
22
  const finalizedOptions = Object.assign({}, kDefaultCwdOptions, options);
22
23
 
23
- logger.start("readManifest");
24
+ logger.start(ScannerLoggerEvents.manifest.read);
24
25
  const packagePath = path.join(cwd, "package.json");
25
26
  const str = await fs.readFile(packagePath, "utf-8");
26
- logger.end("readManifest");
27
+ logger.end(ScannerLoggerEvents.manifest.read);
27
28
 
28
29
  return depWalker(JSON.parse(str), finalizedOptions, logger);
29
30
  }
30
31
 
31
32
  export async function from(packageName, options, logger = new Logger()) {
32
- logger.start("fetchManifest");
33
+ logger.start(ScannerLoggerEvents.manifest.fetch);
33
34
  const manifest = await pacote.manifest(packageName, {
34
35
  ...NPM_TOKEN, registry: getLocalRegistryURL(), cache: `${os.homedir()}/.npm`
35
36
  });
36
- logger.end("fetchManifest");
37
+ logger.end(ScannerLoggerEvents.manifest.fetch);
37
38
 
38
39
  return depWalker(manifest, options, logger);
39
40
  }
@@ -59,4 +60,4 @@ export async function verify(packageName = null) {
59
60
  }
60
61
  }
61
62
 
62
- export { depWalker, tarball, Logger };
63
+ export { depWalker, tarball, Logger, ScannerLoggerEvents };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@nodesecure/scanner",
3
- "version": "3.0.0",
3
+ "version": "3.1.0",
4
4
  "description": "A package API to run a static analysis of your module's dependencies.",
5
5
  "exports": "./index.js",
6
6
  "engines": {
package/src/constants.js ADDED
@@ -0,0 +1,13 @@
1
+
2
+ export const ScannerLoggerEvents = {
3
+ done: "depWalkerFinished",
4
+ analysis: {
5
+ tree: "walkTree",
6
+ tarball: "tarball",
7
+ registry: "registry"
8
+ },
9
+ manifest: {
10
+ read: "readManifest",
11
+ fetch: "fetchManifest"
12
+ }
13
+ };
package/src/depWalker.js CHANGED
@@ -1,298 +1,304 @@
1
- // Import Node.js Dependencies
2
- import path from "path";
3
- import { readFileSync, promises as fs } from "fs";
4
- import timers from "timers/promises";
5
- import os from "os";
6
-
7
- // Import Third-party Dependencies
8
- import combineAsyncIterators from "combine-async-iterators";
9
- import iter from "itertools";
10
- import pacote from "pacote";
11
- import Arborist from "@npmcli/arborist";
12
- import Lock from "@slimio/lock";
13
- import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
14
- import * as vuln from "@nodesecure/vuln";
15
-
16
- // Import Internal Dependencies
17
- import {
18
- mergeDependencies, getCleanDependencyName, getDependenciesWarnings, addMissingVersionFlags, isGitDependency,
19
- NPM_TOKEN
20
- } from "./utils/index.js";
21
- import { scanDirOrArchive } from "./tarball.js";
22
- import { packageMetadata } from "./npmRegistry.js";
23
- import Dependency from "./class/dependency.class.js";
24
- import Logger from "./class/logger.class.js";
25
-
26
- const { version: packageVersion } = JSON.parse(
27
- readFileSync(
28
- new URL(path.join("..", "package.json"), import.meta.url)
29
- )
30
- );
31
-
32
- export async function* searchDeepDependencies(packageName, gitURL, options) {
33
- const { exclude, currDepth = 0, parent, maxDepth } = options;
34
-
35
- const { name, version, deprecated, ...pkg } = await pacote.manifest(gitURL ?? packageName, {
36
- ...NPM_TOKEN,
37
- registry: getLocalRegistryURL(),
38
- cache: `${os.homedir()}/.npm`
39
- });
40
- const { dependencies, customResolvers } = mergeDependencies(pkg);
41
-
42
- const current = new Dependency(name, version, parent);
43
- gitURL !== null && current.isGit(gitURL);
44
- current.addFlag("isDeprecated", deprecated === true);
45
- current.addFlag("hasCustomResolver", customResolvers.size > 0);
46
- current.addFlag("hasDependencies", dependencies.size > 0);
47
-
48
- if (currDepth !== maxDepth) {
49
- const config = {
50
- exclude, currDepth: currDepth + 1, parent: current, maxDepth
51
- };
52
-
53
- const gitDependencies = iter.filter(customResolvers.entries(), ([, valueStr]) => isGitDependency(valueStr));
54
- for (const [depName, valueStr] of gitDependencies) {
55
- yield* searchDeepDependencies(depName, valueStr, config);
56
- }
57
-
58
- const depsNames = await Promise.all(iter.map(dependencies.entries(), getCleanDependencyName));
59
- for (const [fullName, cleanName, isLatest] of depsNames) {
60
- if (!isLatest) {
61
- current.addFlag("hasOutdatedDependency");
62
- }
63
-
64
- if (exclude.has(cleanName)) {
65
- exclude.get(cleanName).add(current.fullName);
66
- }
67
- else {
68
- exclude.set(cleanName, new Set([current.fullName]));
69
- yield* searchDeepDependencies(fullName, null, config);
70
- }
71
- }
72
- }
73
-
74
- yield current;
75
- }
76
-
77
- export async function* deepReadEdges(currentPackageName, { to, parent, exclude, fullLockMode }) {
78
- const { version, integrity = to.integrity } = to.package;
79
-
80
- const updatedVersion = version === "*" || typeof version === "undefined" ? "latest" : version;
81
- const current = new Dependency(currentPackageName, updatedVersion, parent);
82
-
83
- if (fullLockMode) {
84
- const { deprecated, _integrity, ...pkg } = await pacote.manifest(`${currentPackageName}@${updatedVersion}`, {
85
- ...NPM_TOKEN,
86
- registry: getLocalRegistryURL(),
87
- cache: `${os.homedir()}/.npm`
88
- });
89
- const { customResolvers } = mergeDependencies(pkg);
90
-
91
- current.addFlag("hasValidIntegrity", _integrity === integrity);
92
- current.addFlag("isDeprecated");
93
- current.addFlag("hasCustomResolver", customResolvers.size > 0);
94
- }
95
- current.addFlag("hasDependencies", to.edgesOut.size > 0);
96
-
97
- for (const [packageName, { to: toNode }] of to.edgesOut) {
98
- if (toNode === null || toNode.dev) {
99
- continue;
100
- }
101
- const cleanName = `${packageName}@${toNode.package.version}`;
102
-
103
- if (exclude.has(cleanName)) {
104
- exclude.get(cleanName).add(current.fullName);
105
- }
106
- else {
107
- exclude.set(cleanName, new Set([current.fullName]));
108
- yield* deepReadEdges(packageName, { parent: current, to: toNode, exclude });
109
- }
110
- }
111
- yield current;
112
- }
113
-
114
- export async function* getRootDependencies(manifest, options) {
115
- const { maxDepth = 4, exclude, usePackageLock, fullLockMode } = options;
116
-
117
- const { dependencies, customResolvers } = mergeDependencies(manifest, void 0);
118
- const parent = new Dependency(manifest.name, manifest.version);
119
- parent.addFlag("hasCustomResolver", customResolvers.size > 0);
120
- parent.addFlag("hasDependencies", dependencies.size > 0);
121
-
122
- let iterators;
123
- if (usePackageLock) {
124
- const arb = new Arborist({
125
- ...NPM_TOKEN,
126
- registry: getLocalRegistryURL()
127
- });
128
- let tree;
129
- try {
130
- await fs.access(path.join(process.cwd(), "node_modules"));
131
- tree = await arb.loadActual();
132
- }
133
- catch {
134
- tree = await arb.loadVirtual();
135
- }
136
-
137
- iterators = iter.filter(tree.edgesOut.entries(), ([, { to }]) => !to.dev)
138
- .map(([packageName, { to }]) => deepReadEdges(packageName, { to, parent, fullLockMode, exclude }));
139
- }
140
- else {
141
- const configRef = { exclude, maxDepth, parent };
142
- iterators = [
143
- ...iter.filter(customResolvers.entries(), ([, valueStr]) => isGitDependency(valueStr))
144
- .map(([depName, valueStr]) => searchDeepDependencies(depName, valueStr, configRef)),
145
- ...iter.map(dependencies.entries(), ([name, ver]) => searchDeepDependencies(`${name}@${ver}`, null, configRef))
146
- ];
147
- }
148
- for await (const dep of combineAsyncIterators({}, ...iterators)) {
149
- yield dep;
150
- }
151
-
152
- // Add root dependencies to the exclude Map (because the parent is not handled by searchDeepDependencies)
153
- // if we skip this the code will fail to re-link properly dependencies in the following steps
154
- const depsName = await Promise.all(iter.map(dependencies.entries(), getCleanDependencyName));
155
- for (const [, fullRange, isLatest] of depsName) {
156
- if (!isLatest) {
157
- parent.addFlag("hasOutdatedDependency");
158
- }
159
- if (exclude.has(fullRange)) {
160
- exclude.get(fullRange).add(parent.fullName);
161
- }
162
- }
163
-
164
- yield parent;
165
- }
166
-
167
- /**
168
- * @param {*} manifest
169
- * @param {*} options
170
- * @param {Logger} logger
171
- */
172
- export async function depWalker(manifest, options = {}, logger = new Logger()) {
173
- const {
174
- forceRootAnalysis = false,
175
- usePackageLock = false,
176
- fullLockMode = false,
177
- maxDepth,
178
- vulnerabilityStrategy = vuln.strategies.NONE
179
- } = options;
180
-
181
- // Create TMP directory
182
- const tmpLocation = await fs.mkdtemp(path.join(os.tmpdir(), "/"));
183
-
184
- const payload = {
185
- id: tmpLocation.slice(-6),
186
- rootDepencyName: manifest.name,
187
- version: packageVersion,
188
- vulnerabilityStrategy,
189
- warnings: []
190
- };
191
-
192
- // We are dealing with an exclude Map to avoid checking a package more than one time in searchDeepDependencies
193
- const exclude = new Map();
194
- const dependencies = new Map();
195
-
196
- {
197
- logger.start("walkTree").start("tarball").start("registry");
198
- const fetchedMetadataPackages = new Set();
199
- const promisesToWait = [];
200
-
201
- const tarballLocker = new Lock({ maxConcurrent: 5 });
202
- tarballLocker.on("freeOne", () => logger.tick("tarball"));
203
-
204
- const rootDepsOptions = { maxDepth, exclude, usePackageLock, fullLockMode };
205
- for await (const currentDep of getRootDependencies(manifest, rootDepsOptions)) {
206
- const { name, version } = currentDep;
207
- const current = currentDep.exportAsPlainObject(name === manifest.name ? 0 : void 0);
208
- let proceedDependencyAnalysis = true;
209
-
210
- if (dependencies.has(name)) {
211
- // TODO: how to handle different metadata ?
212
- const dep = dependencies.get(name);
213
-
214
- const currVersion = Object.keys(current.versions)[0];
215
- if (currVersion in dep.versions) {
216
- // The dependency has already entered the analysis
217
- // This happens if the package is used by multiple packages in the tree
218
- proceedDependencyAnalysis = false;
219
- }
220
- else {
221
- dep.versions[currVersion] = current.versions[currVersion];
222
- }
223
- }
224
- else {
225
- dependencies.set(name, current);
226
- }
227
-
228
- if (proceedDependencyAnalysis) {
229
- logger.tick("walkTree");
230
-
231
- // There is no need to fetch 'N' times the npm metadata for the same package.
232
- if (fetchedMetadataPackages.has(name)) {
233
- logger.tick("registry");
234
- }
235
- else {
236
- fetchedMetadataPackages.add(name);
237
- promisesToWait.push(packageMetadata(name, version, {
238
- ref: current,
239
- logger
240
- }));
241
- }
242
-
243
- promisesToWait.push(scanDirOrArchive(name, version, {
244
- ref: current.versions[version],
245
- tmpLocation: forceRootAnalysis && name === manifest.name ? null : tmpLocation,
246
- locker: tarballLocker,
247
- logger
248
- }));
249
- }
250
- }
251
-
252
- logger.end("walkTree");
253
-
254
- // Wait for all extraction to be done!
255
- await Promise.allSettled(promisesToWait);
256
- await timers.setImmediate();
257
-
258
- logger.end("tarball").end("registry");
259
- }
260
-
261
- const { hydratePayloadDependencies, strategy } = await vuln.setStrategy(vulnerabilityStrategy);
262
- await hydratePayloadDependencies(dependencies, {
263
- useStandardFormat: true
264
- });
265
-
266
- payload.vulnerabilityStrategy = strategy;
267
-
268
- // We do this because it "seem" impossible to link all dependencies in the first walk.
269
- // Because we are dealing with package only one time it may happen sometimes.
270
- for (const [packageName, dependency] of dependencies) {
271
- for (const [verStr, verDescriptor] of Object.entries(dependency.versions)) {
272
- verDescriptor.flags.push(...addMissingVersionFlags(new Set(verDescriptor.flags), dependency));
273
-
274
- const fullName = `${packageName}@${verStr}`;
275
- const usedDeps = exclude.get(fullName) || new Set();
276
- if (usedDeps.size === 0) {
277
- continue;
278
- }
279
-
280
- const usedBy = Object.create(null);
281
- for (const [name, version] of [...usedDeps].map((name) => name.split(" "))) {
282
- usedBy[name] = version;
283
- }
284
- Object.assign(verDescriptor.usedBy, usedBy);
285
- }
286
- }
287
-
288
- try {
289
- payload.warnings = getDependenciesWarnings(dependencies);
290
- payload.dependencies = Object.fromEntries(dependencies);
291
-
292
- return payload;
293
- }
294
- finally {
295
- await timers.setImmediate();
296
- await fs.rm(tmpLocation, { recursive: true, force: true });
297
- }
298
- }
1
+ // Import Node.js Dependencies
2
+ import path from "path";
3
+ import { readFileSync, promises as fs } from "fs";
4
+ import timers from "timers/promises";
5
+ import os from "os";
6
+
7
+ // Import Third-party Dependencies
8
+ import combineAsyncIterators from "combine-async-iterators";
9
+ import iter from "itertools";
10
+ import pacote from "pacote";
11
+ import Arborist from "@npmcli/arborist";
12
+ import Lock from "@slimio/lock";
13
+ import * as vuln from "@nodesecure/vuln";
14
+ import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
15
+ import { ScannerLoggerEvents } from "./constants.js";
16
+
17
+ // Import Internal Dependencies
18
+ import {
19
+ mergeDependencies, getCleanDependencyName, getDependenciesWarnings, addMissingVersionFlags, isGitDependency,
20
+ NPM_TOKEN
21
+ } from "./utils/index.js";
22
+ import { scanDirOrArchive } from "./tarball.js";
23
+ import { packageMetadata } from "./npmRegistry.js";
24
+ import Dependency from "./class/dependency.class.js";
25
+ import Logger from "./class/logger.class.js";
26
+
27
+ const { version: packageVersion } = JSON.parse(
28
+ readFileSync(
29
+ new URL(path.join("..", "package.json"), import.meta.url)
30
+ )
31
+ );
32
+
33
+ export async function* searchDeepDependencies(packageName, gitURL, options) {
34
+ const { exclude, currDepth = 0, parent, maxDepth } = options;
35
+
36
+ const { name, version, deprecated, ...pkg } = await pacote.manifest(gitURL ?? packageName, {
37
+ ...NPM_TOKEN,
38
+ registry: getLocalRegistryURL(),
39
+ cache: `${os.homedir()}/.npm`
40
+ });
41
+ const { dependencies, customResolvers } = mergeDependencies(pkg);
42
+
43
+ const current = new Dependency(name, version, parent);
44
+ gitURL !== null && current.isGit(gitURL);
45
+ current.addFlag("isDeprecated", deprecated === true);
46
+ current.addFlag("hasCustomResolver", customResolvers.size > 0);
47
+ current.addFlag("hasDependencies", dependencies.size > 0);
48
+
49
+ if (currDepth !== maxDepth) {
50
+ const config = {
51
+ exclude, currDepth: currDepth + 1, parent: current, maxDepth
52
+ };
53
+
54
+ const gitDependencies = iter.filter(customResolvers.entries(), ([, valueStr]) => isGitDependency(valueStr));
55
+ for (const [depName, valueStr] of gitDependencies) {
56
+ yield* searchDeepDependencies(depName, valueStr, config);
57
+ }
58
+
59
+ const depsNames = await Promise.all(iter.map(dependencies.entries(), getCleanDependencyName));
60
+ for (const [fullName, cleanName, isLatest] of depsNames) {
61
+ if (!isLatest) {
62
+ current.addFlag("hasOutdatedDependency");
63
+ }
64
+
65
+ if (exclude.has(cleanName)) {
66
+ exclude.get(cleanName).add(current.fullName);
67
+ }
68
+ else {
69
+ exclude.set(cleanName, new Set([current.fullName]));
70
+ yield* searchDeepDependencies(fullName, null, config);
71
+ }
72
+ }
73
+ }
74
+
75
+ yield current;
76
+ }
77
+
78
+ export async function* deepReadEdges(currentPackageName, { to, parent, exclude, fullLockMode }) {
79
+ const { version, integrity = to.integrity } = to.package;
80
+
81
+ const updatedVersion = version === "*" || typeof version === "undefined" ? "latest" : version;
82
+ const current = new Dependency(currentPackageName, updatedVersion, parent);
83
+
84
+ if (fullLockMode) {
85
+ const { deprecated, _integrity, ...pkg } = await pacote.manifest(`${currentPackageName}@${updatedVersion}`, {
86
+ ...NPM_TOKEN,
87
+ registry: getLocalRegistryURL(),
88
+ cache: `${os.homedir()}/.npm`
89
+ });
90
+ const { customResolvers } = mergeDependencies(pkg);
91
+
92
+ current.addFlag("hasValidIntegrity", _integrity === integrity);
93
+ current.addFlag("isDeprecated");
94
+ current.addFlag("hasCustomResolver", customResolvers.size > 0);
95
+ }
96
+ current.addFlag("hasDependencies", to.edgesOut.size > 0);
97
+
98
+ for (const [packageName, { to: toNode }] of to.edgesOut) {
99
+ if (toNode === null || toNode.dev) {
100
+ continue;
101
+ }
102
+ const cleanName = `${packageName}@${toNode.package.version}`;
103
+
104
+ if (exclude.has(cleanName)) {
105
+ exclude.get(cleanName).add(current.fullName);
106
+ }
107
+ else {
108
+ exclude.set(cleanName, new Set([current.fullName]));
109
+ yield* deepReadEdges(packageName, { parent: current, to: toNode, exclude });
110
+ }
111
+ }
112
+ yield current;
113
+ }
114
+
115
+ export async function* getRootDependencies(manifest, options) {
116
+ const { maxDepth = 4, exclude, usePackageLock, fullLockMode } = options;
117
+
118
+ const { dependencies, customResolvers } = mergeDependencies(manifest, void 0);
119
+ const parent = new Dependency(manifest.name, manifest.version);
120
+ parent.addFlag("hasCustomResolver", customResolvers.size > 0);
121
+ parent.addFlag("hasDependencies", dependencies.size > 0);
122
+
123
+ let iterators;
124
+ if (usePackageLock) {
125
+ const arb = new Arborist({
126
+ ...NPM_TOKEN,
127
+ registry: getLocalRegistryURL()
128
+ });
129
+ let tree;
130
+ try {
131
+ await fs.access(path.join(process.cwd(), "node_modules"));
132
+ tree = await arb.loadActual();
133
+ }
134
+ catch {
135
+ tree = await arb.loadVirtual();
136
+ }
137
+
138
+ iterators = iter.filter(tree.edgesOut.entries(), ([, { to }]) => to !== null && !to.dev)
139
+ .map(([packageName, { to }]) => deepReadEdges(packageName, { to, parent, fullLockMode, exclude }));
140
+ }
141
+ else {
142
+ const configRef = { exclude, maxDepth, parent };
143
+ iterators = [
144
+ ...iter.filter(customResolvers.entries(), ([, valueStr]) => isGitDependency(valueStr))
145
+ .map(([depName, valueStr]) => searchDeepDependencies(depName, valueStr, configRef)),
146
+ ...iter.map(dependencies.entries(), ([name, ver]) => searchDeepDependencies(`${name}@${ver}`, null, configRef))
147
+ ];
148
+ }
149
+ for await (const dep of combineAsyncIterators({}, ...iterators)) {
150
+ yield dep;
151
+ }
152
+
153
+ // Add root dependencies to the exclude Map (because the parent is not handled by searchDeepDependencies)
154
+ // if we skip this the code will fail to re-link properly dependencies in the following steps
155
+ const depsName = await Promise.all(iter.map(dependencies.entries(), getCleanDependencyName));
156
+ for (const [, fullRange, isLatest] of depsName) {
157
+ if (!isLatest) {
158
+ parent.addFlag("hasOutdatedDependency");
159
+ }
160
+ if (exclude.has(fullRange)) {
161
+ exclude.get(fullRange).add(parent.fullName);
162
+ }
163
+ }
164
+
165
+ yield parent;
166
+ }
167
+
168
+ /**
169
+ * @param {*} manifest
170
+ * @param {*} options
171
+ * @param {Logger} logger
172
+ */
173
+ export async function depWalker(manifest, options = {}, logger = new Logger()) {
174
+ const {
175
+ forceRootAnalysis = false,
176
+ usePackageLock = false,
177
+ fullLockMode = false,
178
+ maxDepth,
179
+ vulnerabilityStrategy = vuln.strategies.NONE
180
+ } = options;
181
+
182
+ // Create TMP directory
183
+ const tmpLocation = await fs.mkdtemp(path.join(os.tmpdir(), "/"));
184
+
185
+ const payload = {
186
+ id: tmpLocation.slice(-6),
187
+ rootDepencyName: manifest.name,
188
+ version: packageVersion,
189
+ vulnerabilityStrategy,
190
+ warnings: []
191
+ };
192
+
193
+ // We are dealing with an exclude Map to avoid checking a package more than one time in searchDeepDependencies
194
+ const exclude = new Map();
195
+ const dependencies = new Map();
196
+
197
+ {
198
+ logger
199
+ .start(ScannerLoggerEvents.analysis.tree)
200
+ .start(ScannerLoggerEvents.analysis.tarball)
201
+ .start(ScannerLoggerEvents.analysis.registry);
202
+ const fetchedMetadataPackages = new Set();
203
+ const promisesToWait = [];
204
+
205
+ const tarballLocker = new Lock({ maxConcurrent: 5 });
206
+ tarballLocker.on("freeOne", () => logger.tick(ScannerLoggerEvents.analysis.tarball));
207
+
208
+ const rootDepsOptions = { maxDepth, exclude, usePackageLock, fullLockMode };
209
+ for await (const currentDep of getRootDependencies(manifest, rootDepsOptions)) {
210
+ const { name, version } = currentDep;
211
+ const current = currentDep.exportAsPlainObject(name === manifest.name ? 0 : void 0);
212
+ let proceedDependencyAnalysis = true;
213
+
214
+ if (dependencies.has(name)) {
215
+ // TODO: how to handle different metadata ?
216
+ const dep = dependencies.get(name);
217
+
218
+ const currVersion = Object.keys(current.versions)[0];
219
+ if (currVersion in dep.versions) {
220
+ // The dependency has already entered the analysis
221
+ // This happens if the package is used by multiple packages in the tree
222
+ proceedDependencyAnalysis = false;
223
+ }
224
+ else {
225
+ dep.versions[currVersion] = current.versions[currVersion];
226
+ }
227
+ }
228
+ else {
229
+ dependencies.set(name, current);
230
+ }
231
+
232
+ if (proceedDependencyAnalysis) {
233
+ logger.tick(ScannerLoggerEvents.analysis.tree);
234
+
235
+ // There is no need to fetch 'N' times the npm metadata for the same package.
236
+ if (fetchedMetadataPackages.has(name)) {
237
+ logger.tick(ScannerLoggerEvents.analysis.registry);
238
+ }
239
+ else {
240
+ fetchedMetadataPackages.add(name);
241
+ promisesToWait.push(packageMetadata(name, version, {
242
+ ref: current,
243
+ logger
244
+ }));
245
+ }
246
+
247
+ promisesToWait.push(scanDirOrArchive(name, version, {
248
+ ref: current.versions[version],
249
+ tmpLocation: forceRootAnalysis && name === manifest.name ? null : tmpLocation,
250
+ locker: tarballLocker,
251
+ logger
252
+ }));
253
+ }
254
+ }
255
+
256
+ logger.end(ScannerLoggerEvents.analysis.tree);
257
+
258
+ // Wait for all extraction to be done!
259
+ await Promise.allSettled(promisesToWait);
260
+ await timers.setImmediate();
261
+
262
+ logger.end(ScannerLoggerEvents.analysis.tarball).end(ScannerLoggerEvents.analysis.registry);
263
+ }
264
+
265
+ const { hydratePayloadDependencies, strategy } = await vuln.setStrategy(vulnerabilityStrategy);
266
+ await hydratePayloadDependencies(dependencies, {
267
+ useStandardFormat: true
268
+ });
269
+
270
+ payload.vulnerabilityStrategy = strategy;
271
+
272
+ // We do this because it "seem" impossible to link all dependencies in the first walk.
273
+ // Because we are dealing with package only one time it may happen sometimes.
274
+ for (const [packageName, dependency] of dependencies) {
275
+ for (const [verStr, verDescriptor] of Object.entries(dependency.versions)) {
276
+ verDescriptor.flags.push(...addMissingVersionFlags(new Set(verDescriptor.flags), dependency));
277
+
278
+ const fullName = `${packageName}@${verStr}`;
279
+ const usedDeps = exclude.get(fullName) || new Set();
280
+ if (usedDeps.size === 0) {
281
+ continue;
282
+ }
283
+
284
+ const usedBy = Object.create(null);
285
+ for (const [name, version] of [...usedDeps].map((name) => name.split(" "))) {
286
+ usedBy[name] = version;
287
+ }
288
+ Object.assign(verDescriptor.usedBy, usedBy);
289
+ }
290
+ }
291
+
292
+ try {
293
+ payload.warnings = getDependenciesWarnings(dependencies);
294
+ payload.dependencies = Object.fromEntries(dependencies);
295
+
296
+ return payload;
297
+ }
298
+ finally {
299
+ await timers.setImmediate();
300
+ await fs.rm(tmpLocation, { recursive: true, force: true });
301
+
302
+ logger.emit(ScannerLoggerEvents.done);
303
+ }
304
+ }
package/src/utils/analyzeDependencies.js CHANGED
@@ -28,7 +28,7 @@ export function analyzeDependencies(dependencies, deps = {}) {
28
28
 
29
29
  return {
30
30
  nodeDependencies,
31
- thirdPartyDependencies,
31
+ thirdPartyDependencies: [...new Set(thirdPartyDependencies)],
32
32
  unusedDependencies,
33
33
  missingDependencies,
34
34
 
package/types/api.d.ts CHANGED
@@ -1,12 +1,15 @@
1
1
  import Scanner from "./scanner";
2
- import { Logger } from "./logger";
2
+ import { Logger, LoggerEvents } from "./logger";
3
3
 
4
4
  export {
5
5
  cwd,
6
6
  from,
7
- verify
7
+ verify,
8
+ ScannerLoggerEvents
8
9
  }
9
10
 
11
+ declare const ScannerLoggerEvents: LoggerEvents;
12
+
10
13
  declare function cwd(path: string, options?: Scanner.Options, logger?: Logger): Promise<Scanner.Payload>;
11
14
  declare function from(packageName: string, options?: Scanner.Options, logger?: Logger): Promise<Scanner.Payload>;
12
15
  declare function verify(packageName: string): Promise<Scanner.VerifyPayload>;
package/types/logger.d.ts CHANGED
@@ -2,7 +2,21 @@ import { EventEmitter } from "events";
2
2
 
3
3
  export {
4
4
  Logger,
5
- LoggerEventData
5
+ LoggerEventData,
6
+ LoggerEvents
7
+ }
8
+
9
+ interface LoggerEvents {
10
+ readonly done: "depWalkerFinished";
11
+ readonly analysis: {
12
+ readonly tree: "walkTree";
13
+ readonly tarball: "tarball";
14
+ readonly registry: "registry";
15
+ };
16
+ readonly manifest: {
17
+ readonly read: "readManifest";
18
+ readonly fetch: "fetchManifest";
19
+ };
6
20
  }
7
21
 
8
22
  interface LoggerEventData {
package/types/scanner.d.ts CHANGED
@@ -115,15 +115,18 @@ declare namespace Scanner {
115
115
  vulnerabilities: Vuln.Strategy.StandardVulnerability[];
116
116
  }
117
117
 
118
+ export type GlobalWarning = string[];
119
+ export type Dependencies = Record<string, Dependency>;
120
+
118
121
  export interface Payload {
119
122
  /** Payload unique id */
120
123
  id: string;
121
124
  /** Name of the analyzed package */
122
125
  rootDependencyName: string;
123
126
  /** Global warnings list */
124
- warnings: [];
127
+ warnings: GlobalWarning[];
125
128
  /** All the dependencies of the package (flattened) */
126
- dependencies: Record<string, Dependency>;
129
+ dependencies: Dependencies;
127
130
  /** Version of the scanner used to generate the result */
128
131
  version: string;
129
132
  /** Vulnerability strategy name (npm, snyk, node) */