npm - @nodesecure/scanner - Versions diffs - 3.0.0 → 3.2.1 - Mend

@nodesecure/scanner 3.0.0 → 3.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/index.d.ts +2 -2
package/index.js +6 -5
package/package.json +1 -1
package/src/constants.js +13 -0
package/src/depWalker.js +16 -10
package/src/utils/analyzeDependencies.js +1 -1
package/src/utils/warnings.js +10 -0
package/types/api.d.ts +5 -2
package/types/logger.d.ts +15 -1
package/types/scanner.d.ts +185 -182

package/index.d.ts CHANGED Viewed

@@ -1,11 +1,11 @@
 import Scanner from "./types/scanner";
-import { cwd, from, verify } from "./types/api";
+import { cwd, from, verify, ScannerLoggerEvents } from "./types/api";
 import { depWalker } from "./types/walker";
 import { Logger, LoggerEventData } from "./types/logger";
 import tarball from "./types/tarball";
 export {
-  cwd, from, verify,
+  cwd, from, verify, ScannerLoggerEvents,
   Scanner,
   Logger,
   LoggerEventData,

package/index.js CHANGED Viewed

@@ -11,6 +11,7 @@ import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
 // Import Internal Dependencies
 import { depWalker } from "./src/depWalker.js";
 import { NPM_TOKEN } from "./src/utils/index.js";
+import { ScannerLoggerEvents } from "./src/constants.js";
 import Logger from "./src/class/logger.class.js";
 import * as tarball from "./src/tarball.js";
@@ -20,20 +21,20 @@ const kDefaultCwdOptions = { forceRootAnalysis: true, usePackageLock: true };
 export async function cwd(cwd = process.cwd(), options = {}, logger = new Logger()) {
   const finalizedOptions = Object.assign({}, kDefaultCwdOptions, options);
-  logger.start("readManifest");
+  logger.start(ScannerLoggerEvents.manifest.read);
   const packagePath = path.join(cwd, "package.json");
   const str = await fs.readFile(packagePath, "utf-8");
-  logger.end("readManifest");
+  logger.end(ScannerLoggerEvents.manifest.read);
   return depWalker(JSON.parse(str), finalizedOptions, logger);
 }
 export async function from(packageName, options, logger = new Logger()) {
-  logger.start("fetchManifest");
+  logger.start(ScannerLoggerEvents.manifest.fetch);
   const manifest = await pacote.manifest(packageName, {
     ...NPM_TOKEN, registry: getLocalRegistryURL(), cache: `${os.homedir()}/.npm`
   });
-  logger.end("fetchManifest");
+  logger.end(ScannerLoggerEvents.manifest.fetch);
   return depWalker(manifest, options, logger);
 }
@@ -59,4 +60,4 @@ export async function verify(packageName = null) {
   }
 }
-export { depWalker, tarball, Logger };
+export { depWalker, tarball, Logger, ScannerLoggerEvents };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@nodesecure/scanner",
-  "version": "3.0.0",
+  "version": "3.2.1",
   "description": "A package API to run a static analysis of your module's dependencies.",
   "exports": "./index.js",
   "engines": {

package/src/constants.js ADDED Viewed

@@ -0,0 +1,13 @@
+export const ScannerLoggerEvents = {
+  done: "depWalkerFinished",
+  analysis: {
+    tree: "walkTree",
+    tarball: "tarball",
+    registry: "registry"
+  },
+  manifest: {
+    read: "readManifest",
+    fetch: "fetchManifest"
+  }
+};

package/src/depWalker.js CHANGED Viewed

@@ -10,8 +10,9 @@ import iter from "itertools";
 import pacote from "pacote";
 import Arborist from "@npmcli/arborist";
 import Lock from "@slimio/lock";
-import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
 import * as vuln from "@nodesecure/vuln";
+import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
+import { ScannerLoggerEvents } from "./constants.js";
 // Import Internal Dependencies
 import {
@@ -134,7 +135,7 @@ export async function* getRootDependencies(manifest, options) {
       tree = await arb.loadVirtual();
     }
-    iterators = iter.filter(tree.edgesOut.entries(), ([, { to }]) => !to.dev)
+    iterators = iter.filter(tree.edgesOut.entries(), ([, { to }]) => to !== null && !to.dev)
       .map(([packageName, { to }]) => deepReadEdges(packageName, { to, parent, fullLockMode, exclude }));
   }
   else {
@@ -183,8 +184,8 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
   const payload = {
     id: tmpLocation.slice(-6),
-    rootDepencyName: manifest.name,
-    version: packageVersion,
+    rootDependencyName: manifest.name,
+    scannerVersion: packageVersion,
     vulnerabilityStrategy,
     warnings: []
   };
@@ -194,12 +195,15 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
   const dependencies = new Map();
   {
-    logger.start("walkTree").start("tarball").start("registry");
+    logger
+      .start(ScannerLoggerEvents.analysis.tree)
+      .start(ScannerLoggerEvents.analysis.tarball)
+      .start(ScannerLoggerEvents.analysis.registry);
     const fetchedMetadataPackages = new Set();
     const promisesToWait = [];
     const tarballLocker = new Lock({ maxConcurrent: 5 });
-    tarballLocker.on("freeOne", () => logger.tick("tarball"));
+    tarballLocker.on("freeOne", () => logger.tick(ScannerLoggerEvents.analysis.tarball));
     const rootDepsOptions = { maxDepth, exclude, usePackageLock, fullLockMode };
     for await (const currentDep of getRootDependencies(manifest, rootDepsOptions)) {
@@ -226,11 +230,11 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
       }
       if (proceedDependencyAnalysis) {
-        logger.tick("walkTree");
+        logger.tick(ScannerLoggerEvents.analysis.tree);
         // There is no need to fetch 'N' times the npm metadata for the same package.
         if (fetchedMetadataPackages.has(name)) {
-          logger.tick("registry");
+          logger.tick(ScannerLoggerEvents.analysis.registry);
         }
         else {
           fetchedMetadataPackages.add(name);
@@ -249,13 +253,13 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
       }
     }
-    logger.end("walkTree");
+    logger.end(ScannerLoggerEvents.analysis.tree);
     // Wait for all extraction to be done!
     await Promise.allSettled(promisesToWait);
     await timers.setImmediate();
-    logger.end("tarball").end("registry");
+    logger.end(ScannerLoggerEvents.analysis.tarball).end(ScannerLoggerEvents.analysis.registry);
   }
   const { hydratePayloadDependencies, strategy } = await vuln.setStrategy(vulnerabilityStrategy);
@@ -294,5 +298,7 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
   finally {
     await timers.setImmediate();
     await fs.rm(tmpLocation, { recursive: true, force: true });
+    logger.emit(ScannerLoggerEvents.done);
   }
 }

package/src/utils/analyzeDependencies.js CHANGED Viewed

@@ -28,7 +28,7 @@ export function analyzeDependencies(dependencies, deps = {}) {
   return {
     nodeDependencies,
-    thirdPartyDependencies,
+    thirdPartyDependencies: [...new Set(thirdPartyDependencies)],
     unusedDependencies,
     missingDependencies,

package/src/utils/warnings.js CHANGED Viewed

@@ -8,6 +8,7 @@ const kWarningsMessages = Object.freeze({
   iohook: getToken("warnings.keylogging")
 });
 const kPackages = new Set(Object.keys(kWarningsMessages));
+const kAuthors = new Set(["marak", "marak.squires@gmail.com"]);
 function getWarning(depName) {
   return `${kDetectedDep(depName)} ${kWarningsMessages[depName]}`;
@@ -21,6 +22,15 @@ export function getDependenciesWarnings(dependencies) {
     }
   }
+  // TODO: optimize with @nodesecure/author later
+  for (const [packageName, dependency] of dependencies) {
+    for (const { name, email } of dependency.metadata.maintainers) {
+      if (kAuthors.has(name) || kAuthors.has(email)) {
+        warnings.push(`'Marak Squires' package '${packageName}' has been detected in the dependency tree`);
+      }
+    }
+  }
   return warnings;
 }

package/types/api.d.ts CHANGED Viewed

@@ -1,12 +1,15 @@
 import Scanner from "./scanner";
-import { Logger } from "./logger";
+import { Logger, LoggerEvents } from "./logger";
 export {
   cwd,
   from,
-  verify
+  verify,
+  ScannerLoggerEvents
 }
+declare const ScannerLoggerEvents: LoggerEvents;
 declare function cwd(path: string, options?: Scanner.Options, logger?: Logger): Promise<Scanner.Payload>;
 declare function from(packageName: string, options?: Scanner.Options, logger?: Logger): Promise<Scanner.Payload>;
 declare function verify(packageName: string): Promise<Scanner.VerifyPayload>;

package/types/logger.d.ts CHANGED Viewed

@@ -2,7 +2,21 @@ import { EventEmitter } from "events";
 export {
   Logger,
-  LoggerEventData
+  LoggerEventData,
+  LoggerEvents
+}
+interface LoggerEvents {
+  readonly done: "depWalkerFinished";
+  readonly analysis: {
+      readonly tree: "walkTree";
+      readonly tarball: "tarball";
+      readonly registry: "registry";
+  };
+  readonly manifest: {
+      readonly read: "readManifest";
+      readonly fetch: "fetchManifest";
+  };
 }
 interface LoggerEventData {

package/types/scanner.d.ts CHANGED Viewed

@@ -1,182 +1,185 @@
-// Import NodeSecure Dependencies
-import * as JSXRay from "@nodesecure/js-x-ray";
-import { license as License } from "@nodesecure/ntlp";
-import * as Vuln from "@nodesecure/vuln";
-import { Flags } from "@nodesecure/flags";
-// Import Third-party Dependencies
-import { Maintainer } from "@npm/types";
-export = Scanner;
-declare namespace Scanner {
-  export interface Publisher {
-    /**
-     * Publisher npm user name.
-     */
-    name: string;
-    /**
-     * Publisher npm user email.
-     */
-    email: string;
-    /**
-     * First version published.
-     */
-    version: string;
-    /**
-     * Date of the first publication
-     * @example 2021-08-10T20:45:08.342Z
-     */
-    at: string;
-  }
-  export interface DependencyVersion {
-    /** Id of the package (useful for usedBy relation) */
-    id: number;
-    /** By whom (id) is used the package */
-    usedBy: Record<string, string>;
-    /** Size on disk of the extracted tarball (in bytes) */
-    size: number;
-    /** Package description */
-    description: string;
-    /** Author of the package. This information is not trustable and can be empty. */
-    author: Maintainer;
-    /**
-     * JS-X-Ray warnings
-     *
-     * @see https://github.com/NodeSecure/js-x-ray/blob/master/WARNINGS.md
-     */
-    warnings: JSXRay.Warning<JSXRay.BaseWarning>[];
-    /** Tarball composition (files and dependencies) */
-    composition: {
-      /** Files extensions (.js, .md, .exe etc..) */
-      extensions: string[];
-      files: string[];
-      /** Minified files (foo.min.js etc..) */
-      minified: string[];
-      required_files: string[];
-      required_thirdparty: string[];
-      required_nodejs: string[];
-      unused: string[];
-      missing: string[];
-    };
-    /**
-     * Package licenses with SPDX expression.
-     *
-     * @see https://github.com/NodeSecure/licenses-conformance
-     * @see https://github.com/NodeSecure/npm-tarball-license-parser
-     */
-    license: License[];
-    /**
-     * Flags (Array of string)
-     *
-     * @see https://github.com/NodeSecure/flags/blob/main/FLAGS.md
-     */
-    flags: Flags[];
-    /**
-     * If the dependency is a GIT repository
-     */
-    gitUrl: null | string;
-  }
-  export interface Dependency {
-    /** NPM Registry metadata */
-    metadata: {
-      /** Count of dependencies */
-      dependencyCount: number;
-      /** Number of releases published on npm */
-      publishedCount: number;
-      lastUpdateAt: number;
-      /** Last version SemVer */
-      lastVersion: number;
-      hasChangedAuthor: boolean;
-      hasManyPublishers: boolean;
-      hasReceivedUpdateInOneYear: boolean;
-      /** Author of the package. This information is not trustable and can be empty. */
-      author: Maintainer;
-      /** Package home page */
-      homepage: string | null;
-      /**
-       * List of maintainers (list of people in the organization related to the package)
-       */
-      maintainers: { name: string, email: string }[];
-      /**
-       * List of people who published this package
-       */
-      publishers: Publisher[];
-    }
-    /** List of versions of this package available in the dependency tree (In the payload) */
-    versions: Record<string, DependencyVersion>;
-    /**
-     * Vulnerabilities fetched dependending on the selected vulnerabilityStrategy
-     *
-     * @see https://github.com/NodeSecure/vuln
-     */
-    vulnerabilities: Vuln.Strategy.StandardVulnerability[];
-  }
-  export interface Payload {
-    /** Payload unique id */
-    id: string;
-    /** Name of the analyzed package */
-    rootDependencyName: string;
-    /** Global warnings list */
-    warnings: [];
-    /** All the dependencies of the package (flattened) */
-    dependencies: Record<string, Dependency>;
-    /** Version of the scanner used to generate the result */
-    version: string;
-    /** Vulnerability strategy name (npm, snyk, node) */
-    vulnerabilityStrategy: Vuln.Strategy.Kind;
-  }
-  export interface VerifyPayload {
-    files: {
-      list: string[];
-      extensions: string[];
-      minified: string[];
-    };
-    directorySize: number;
-    uniqueLicenseIds: string[];
-    licenses: License[];
-    ast: {
-      dependencies: Record<string, JSXRay.Dependency>;
-      warnings: JSXRay.Warning<JSXRay.BaseWarning>[];
-    };
-  }
-  export interface Options {
-    /**
-     * Maximum tree depth
-     *
-     * @default 4
-     */
-    readonly maxDepth?: number;
-    /**
-     * Use root package-lock.json. This will have the effect of triggering the Arborist package.
-     *
-     * @default false for from() API
-     * @default true  for cwd()  API
-     */
-    readonly usePackageLock?: boolean;
-    /**
-     * Vulnerability strategy name (npm, snyk, node)
-     *
-     * @default NONE
-     */
-    readonly vulnerabilityStrategy: Vuln.Strategy.Kind;
-    /**
-     * Analyze root package.
-     *
-     * @default false for from() API
-     * @default true  for cwd()  API
-     */
-    readonly forceRootAnalysis?: boolean;
-    /**
-     * Deeper dependencies analysis with cwd() API.
-     *
-     * @default false
-     */
-    readonly fullLockMode?: boolean;
-  }
-}
+// Import NodeSecure Dependencies
+import * as JSXRay from "@nodesecure/js-x-ray";
+import { license as License } from "@nodesecure/ntlp";
+import * as Vuln from "@nodesecure/vuln";
+import { Flags } from "@nodesecure/flags";
+// Import Third-party Dependencies
+import { Maintainer } from "@npm/types";
+export = Scanner;
+declare namespace Scanner {
+  export interface Publisher {
+    /**
+     * Publisher npm user name.
+     */
+    name: string;
+    /**
+     * Publisher npm user email.
+     */
+    email: string;
+    /**
+     * First version published.
+     */
+    version: string;
+    /**
+     * Date of the first publication
+     * @example 2021-08-10T20:45:08.342Z
+     */
+    at: string;
+  }
+  export interface DependencyVersion {
+    /** Id of the package (useful for usedBy relation) */
+    id: number;
+    /** By whom (id) is used the package */
+    usedBy: Record<string, string>;
+    /** Size on disk of the extracted tarball (in bytes) */
+    size: number;
+    /** Package description */
+    description: string;
+    /** Author of the package. This information is not trustable and can be empty. */
+    author: Maintainer;
+    /**
+     * JS-X-Ray warnings
+     *
+     * @see https://github.com/NodeSecure/js-x-ray/blob/master/WARNINGS.md
+     */
+    warnings: JSXRay.Warning<JSXRay.BaseWarning>[];
+    /** Tarball composition (files and dependencies) */
+    composition: {
+      /** Files extensions (.js, .md, .exe etc..) */
+      extensions: string[];
+      files: string[];
+      /** Minified files (foo.min.js etc..) */
+      minified: string[];
+      required_files: string[];
+      required_thirdparty: string[];
+      required_nodejs: string[];
+      unused: string[];
+      missing: string[];
+    };
+    /**
+     * Package licenses with SPDX expression.
+     *
+     * @see https://github.com/NodeSecure/licenses-conformance
+     * @see https://github.com/NodeSecure/npm-tarball-license-parser
+     */
+    license: License[];
+    /**
+     * Flags (Array of string)
+     *
+     * @see https://github.com/NodeSecure/flags/blob/main/FLAGS.md
+     */
+    flags: Flags[];
+    /**
+     * If the dependency is a GIT repository
+     */
+    gitUrl: null | string;
+  }
+  export interface Dependency {
+    /** NPM Registry metadata */
+    metadata: {
+      /** Count of dependencies */
+      dependencyCount: number;
+      /** Number of releases published on npm */
+      publishedCount: number;
+      lastUpdateAt: number;
+      /** Last version SemVer */
+      lastVersion: number;
+      hasChangedAuthor: boolean;
+      hasManyPublishers: boolean;
+      hasReceivedUpdateInOneYear: boolean;
+      /** Author of the package. This information is not trustable and can be empty. */
+      author: Maintainer;
+      /** Package home page */
+      homepage: string | null;
+      /**
+       * List of maintainers (list of people in the organization related to the package)
+       */
+      maintainers: { name: string, email: string }[];
+      /**
+       * List of people who published this package
+       */
+      publishers: Publisher[];
+    }
+    /** List of versions of this package available in the dependency tree (In the payload) */
+    versions: Record<string, DependencyVersion>;
+    /**
+     * Vulnerabilities fetched dependending on the selected vulnerabilityStrategy
+     *
+     * @see https://github.com/NodeSecure/vuln
+     */
+    vulnerabilities: Vuln.Strategy.StandardVulnerability[];
+  }
+  export type GlobalWarning = string[];
+  export type Dependencies = Record<string, Dependency>;
+  export interface Payload {
+    /** Payload unique id */
+    id: string;
+    /** Name of the analyzed package */
+    rootDependencyName: string;
+    /** Global warnings list */
+    warnings: GlobalWarning[];
+    /** All the dependencies of the package (flattened) */
+    dependencies: Dependencies;
+    /** Version of the scanner used to generate the result */
+    scannerVersion: string;
+    /** Vulnerability strategy name (npm, snyk, node) */
+    vulnerabilityStrategy: Vuln.Strategy.Kind;
+  }
+  export interface VerifyPayload {
+    files: {
+      list: string[];
+      extensions: string[];
+      minified: string[];
+    };
+    directorySize: number;
+    uniqueLicenseIds: string[];
+    licenses: License[];
+    ast: {
+      dependencies: Record<string, JSXRay.Dependency>;
+      warnings: JSXRay.Warning<JSXRay.BaseWarning>[];
+    };
+  }
+  export interface Options {
+    /**
+     * Maximum tree depth
+     *
+     * @default 4
+     */
+    readonly maxDepth?: number;
+    /**
+     * Use root package-lock.json. This will have the effect of triggering the Arborist package.
+     *
+     * @default false for from() API
+     * @default true  for cwd()  API
+     */
+    readonly usePackageLock?: boolean;
+    /**
+     * Vulnerability strategy name (npm, snyk, node)
+     *
+     * @default NONE
+     */
+    readonly vulnerabilityStrategy: Vuln.Strategy.Kind;
+    /**
+     * Analyze root package.
+     *
+     * @default false for from() API
+     * @default true  for cwd()  API
+     */
+    readonly forceRootAnalysis?: boolean;
+    /**
+     * Deeper dependencies analysis with cwd() API.
+     *
+     * @default false
+     */
+    readonly fullLockMode?: boolean;
+  }
+}