@nodesecure/scanner 3.2.1 → 3.3.0

package/README.md

@@ -49,9 +49,9 @@ await Promise.allSettled(promises);
 See `types/api.d.ts` for a complete TypeScript definition.
 
 ```ts
-function cwd(path: string, options?: Scanner.Options): Promise<Scanner.Payload>;
+function cwd(location: string, options?: Scanner.Options): Promise<Scanner.Payload>;
 function from(packageName: string, options?: Scanner.Options): Promise<Scanner.Payload>;
-function verify(packageName: string): Promise<Scanner.VerifyPayload>;
+function verify(packageName?: string | null): Promise<Scanner.VerifyPayload>;
 ```
 
 `Options` is described with the following TypeScript interface:

package/index.js

@@ -1,63 +1,63 @@
-// Import Node.js Dependencies
-import path from "path";
-import fs from "fs/promises";
-import timers from "timers/promises";
-import os from "os";
-
-// Import Third-party Dependencies
-import pacote from "pacote";
-import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
-
-// Import Internal Dependencies
-import { depWalker } from "./src/depWalker.js";
-import { NPM_TOKEN } from "./src/utils/index.js";
-import { ScannerLoggerEvents } from "./src/constants.js";
-import Logger from "./src/class/logger.class.js";
-import * as tarball from "./src/tarball.js";
-
-// CONSTANTS
-const kDefaultCwdOptions = { forceRootAnalysis: true, usePackageLock: true };
-
-export async function cwd(cwd = process.cwd(), options = {}, logger = new Logger()) {
-  const finalizedOptions = Object.assign({}, kDefaultCwdOptions, options);
-
-  logger.start(ScannerLoggerEvents.manifest.read);
-  const packagePath = path.join(cwd, "package.json");
-  const str = await fs.readFile(packagePath, "utf-8");
-  logger.end(ScannerLoggerEvents.manifest.read);
-
-  return depWalker(JSON.parse(str), finalizedOptions, logger);
-}
-
-export async function from(packageName, options, logger = new Logger()) {
-  logger.start(ScannerLoggerEvents.manifest.fetch);
-  const manifest = await pacote.manifest(packageName, {
-    ...NPM_TOKEN, registry: getLocalRegistryURL(), cache: `${os.homedir()}/.npm`
-  });
-  logger.end(ScannerLoggerEvents.manifest.fetch);
-
-  return depWalker(manifest, options, logger);
-}
-
-export async function verify(packageName = null) {
-  if (typeof packageName === "undefined" || packageName === null) {
-    return await tarball.scanPackage(process.cwd());
-  }
-
-  const tmpLocation = await fs.mkdtemp(path.join(os.tmpdir(), "/"));
-  const dest = path.join(tmpLocation, packageName);
-
-  try {
-    await pacote.extract(packageName, dest, {
-      ...NPM_TOKEN, registry: getLocalRegistryURL(), cache: `${os.homedir()}/.npm`
-    });
-
-    return await tarball.scanPackage(dest, packageName);
-  }
-  finally {
-    await timers.setImmediate();
-    await fs.rm(tmpLocation, { recursive: true, force: true });
-  }
-}
-
-export { depWalker, tarball, Logger, ScannerLoggerEvents };
+// Import Node.js Dependencies
+import path from "path";
+import fs from "fs/promises";
+import timers from "timers/promises";
+import os from "os";
+
+// Import Third-party Dependencies
+import pacote from "pacote";
+import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
+
+// Import Internal Dependencies
+import { depWalker } from "./src/depWalker.js";
+import { NPM_TOKEN } from "./src/utils/index.js";
+import { ScannerLoggerEvents } from "./src/constants.js";
+import Logger from "./src/class/logger.class.js";
+import * as tarball from "./src/tarball.js";
+
+// CONSTANTS
+const kDefaultCwdOptions = { forceRootAnalysis: true, usePackageLock: true };
+
+export async function cwd(location = process.cwd(), options = {}, logger = new Logger()) {
+  const finalizedOptions = Object.assign({ location }, kDefaultCwdOptions, options);
+
+  logger.start(ScannerLoggerEvents.manifest.read);
+  const packagePath = path.join(location, "package.json");
+  const str = await fs.readFile(packagePath, "utf-8");
+  logger.end(ScannerLoggerEvents.manifest.read);
+
+  return depWalker(JSON.parse(str), finalizedOptions, logger);
+}
+
+export async function from(packageName, options, logger = new Logger()) {
+  logger.start(ScannerLoggerEvents.manifest.fetch);
+  const manifest = await pacote.manifest(packageName, {
+    ...NPM_TOKEN, registry: getLocalRegistryURL(), cache: `${os.homedir()}/.npm`
+  });
+  logger.end(ScannerLoggerEvents.manifest.fetch);
+
+  return depWalker(manifest, options, logger);
+}
+
+export async function verify(packageName = null) {
+  if (typeof packageName === "undefined" || packageName === null) {
+    return await tarball.scanPackage(process.cwd());
+  }
+
+  const tmpLocation = await fs.mkdtemp(path.join(os.tmpdir(), "/"));
+  const dest = path.join(tmpLocation, packageName);
+
+  try {
+    await pacote.extract(packageName, dest, {
+      ...NPM_TOKEN, registry: getLocalRegistryURL(), cache: `${os.homedir()}/.npm`
+    });
+
+    return await tarball.scanPackage(dest, packageName);
+  }
+  finally {
+    await timers.setImmediate();
+    await fs.rm(tmpLocation, { recursive: true, force: true });
+  }
+}
+
+export { depWalker, tarball, Logger, ScannerLoggerEvents };

package/package.json

@@ -1,86 +1,86 @@
-{
-  "name": "@nodesecure/scanner",
-  "version": "3.2.1",
-  "description": "A package API to run a static analysis of your module's dependencies.",
-  "exports": "./index.js",
-  "engines": {
-    "node": ">=16"
-  },
-  "scripts": {
-    "lint": "eslint src test",
-    "prepublishOnly": "pkg-ok",
-    "test": "npm run lint && npm run test-only",
-    "test-only": "cross-env esm-tape-runner 'test/**/*.spec.js' | tap-monkey",
-    "coverage": "c8 -r html npm run test-only"
-  },
-  "files": [
-    "src",
-    "types",
-    "index.js",
-    "index.d.ts"
-  ],
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/NodeSecure/scanner.git"
-  },
-  "keywords": [
-    "node",
-    "nodejs",
-    "security",
-    "cli",
-    "sast",
-    "scanner",
-    "static",
-    "code",
-    "analysis",
-    "node_modules",
-    "tree",
-    "npm",
-    "registry",
-    "graph",
-    "visualization",
-    "dependencies"
-  ],
-  "author": "NodeSecure",
-  "license": "MIT",
-  "bugs": {
-    "url": "https://github.com/NodeSecure/scanner/issues"
-  },
-  "homepage": "https://github.com/NodeSecure/scanner#readme",
-  "devDependencies": {
-    "@nodesecure/eslint-config": "^1.3.0",
-    "@slimio/is": "^1.5.1",
-    "@small-tech/esm-tape-runner": "^1.0.3",
-    "@small-tech/tap-monkey": "^1.3.0",
-    "@types/node": "^16.11.10",
-    "c8": "^7.10.0",
-    "cross-env": "^7.0.3",
-    "dotenv": "^10.0.0",
-    "eslint": "^8.3.0",
-    "get-folder-size": "^3.1.0",
-    "pkg-ok": "^2.3.1",
-    "sinon": "^12.0.1",
-    "snap-shot-core": "^10.2.4",
-    "tape": "^5.3.2"
-  },
-  "dependencies": {
-    "@nodesecure/flags": "^2.2.0",
-    "@nodesecure/fs-walk": "^1.0.0",
-    "@nodesecure/i18n": "^1.2.1",
-    "@nodesecure/js-x-ray": "^4.2.0",
-    "@nodesecure/npm-registry-sdk": "^1.3.0",
-    "@nodesecure/ntlp": "^2.1.0",
-    "@nodesecure/utils": "^1.0.0",
-    "@nodesecure/vuln": "^1.4.1",
-    "@npm/types": "^1.0.1",
-    "@npmcli/arborist": "^4.1.0",
-    "@slimio/lock": "^1.0.0",
-    "builtins": "^4.0.0",
-    "combine-async-iterators": "^2.0.1",
-    "itertools": "^1.7.1",
-    "lodash.difference": "^4.5.0",
-    "pacote": "^12.0.2",
-    "semver": "^7.3.4"
-  },
-  "type": "module"
-}
+{
+  "name": "@nodesecure/scanner",
+  "version": "3.3.0",
+  "description": "A package API to run a static analysis of your module's dependencies.",
+  "exports": "./index.js",
+  "engines": {
+    "node": ">=16"
+  },
+  "scripts": {
+    "lint": "eslint src test",
+    "prepublishOnly": "pkg-ok",
+    "test": "npm run lint && npm run test-only",
+    "test-only": "cross-env esm-tape-runner 'test/**/*.spec.js' | tap-monkey",
+    "coverage": "c8 -r html npm run test-only"
+  },
+  "files": [
+    "src",
+    "types",
+    "index.js",
+    "index.d.ts"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/NodeSecure/scanner.git"
+  },
+  "keywords": [
+    "node",
+    "nodejs",
+    "security",
+    "cli",
+    "sast",
+    "scanner",
+    "static",
+    "code",
+    "analysis",
+    "node_modules",
+    "tree",
+    "npm",
+    "registry",
+    "graph",
+    "visualization",
+    "dependencies"
+  ],
+  "author": "NodeSecure",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/NodeSecure/scanner/issues"
+  },
+  "homepage": "https://github.com/NodeSecure/scanner#readme",
+  "devDependencies": {
+    "@nodesecure/eslint-config": "^1.3.1",
+    "@slimio/is": "^1.5.1",
+    "@small-tech/esm-tape-runner": "^1.0.3",
+    "@small-tech/tap-monkey": "^1.3.0",
+    "@types/node": "^17.0.13",
+    "c8": "^7.11.0",
+    "cross-env": "^7.0.3",
+    "dotenv": "^14.3.2",
+    "eslint": "^8.7.0",
+    "get-folder-size": "^3.1.0",
+    "pkg-ok": "^2.3.1",
+    "sinon": "^12.0.1",
+    "snap-shot-core": "^10.2.4",
+    "tape": "^5.5.0"
+  },
+  "dependencies": {
+    "@nodesecure/flags": "^2.2.0",
+    "@nodesecure/fs-walk": "^1.0.0",
+    "@nodesecure/i18n": "^1.2.1",
+    "@nodesecure/js-x-ray": "^4.2.0",
+    "@nodesecure/npm-registry-sdk": "^1.3.0",
+    "@nodesecure/ntlp": "^2.1.0",
+    "@nodesecure/utils": "^1.0.0",
+    "@nodesecure/vuln": "^1.5.0",
+    "@npm/types": "^1.0.1",
+    "@npmcli/arborist": "^4.3.0",
+    "@slimio/lock": "^1.0.0",
+    "builtins": "^4.0.0",
+    "combine-async-iterators": "^2.0.1",
+    "itertools": "^1.7.1",
+    "lodash.difference": "^4.5.0",
+    "pacote": "^12.0.3",
+    "semver": "^7.3.4"
+  },
+  "type": "module"
+}

package/src/depWalker.js

@@ -113,7 +113,7 @@ export async function* deepReadEdges(currentPackageName, { to, parent, exclude,
 }
 
 export async function* getRootDependencies(manifest, options) {
-  const { maxDepth = 4, exclude, usePackageLock, fullLockMode } = options;
+  const { maxDepth = 4, exclude, usePackageLock, fullLockMode, location } = options;
 
   const { dependencies, customResolvers } = mergeDependencies(manifest, void 0);
   const parent = new Dependency(manifest.name, manifest.version);
@@ -124,19 +124,23 @@ export async function* getRootDependencies(manifest, options) {
   if (usePackageLock) {
     const arb = new Arborist({
       ...NPM_TOKEN,
+      path: location,
       registry: getLocalRegistryURL()
     });
     let tree;
     try {
-      await fs.access(path.join(process.cwd(), "node_modules"));
+      await fs.access(path.join(location, "node_modules"));
       tree = await arb.loadActual();
     }
     catch {
       tree = await arb.loadVirtual();
     }
 
-    iterators = iter.filter(tree.edgesOut.entries(), ([, { to }]) => to !== null && !to.dev)
-      .map(([packageName, { to }]) => deepReadEdges(packageName, { to, parent, fullLockMode, exclude }));
+    iterators = [
+      ...iter.filter(tree.edgesOut.entries(), ([, { to }]) => to !== null && (!to.dev || to.isWorkspace))
+        .map(([packageName, { to }]) => [packageName, to.isWorkspace ? to.target : to])
+        .map(([packageName, to]) => deepReadEdges(packageName, { to, parent, fullLockMode, exclude }))
+    ];
   }
   else {
     const configRef = { exclude, maxDepth, parent };
@@ -176,6 +180,7 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
     usePackageLock = false,
     fullLockMode = false,
     maxDepth,
+    location,
     vulnerabilityStrategy = vuln.strategies.NONE
   } = options;
 
@@ -205,7 +210,7 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
     const tarballLocker = new Lock({ maxConcurrent: 5 });
     tarballLocker.on("freeOne", () => logger.tick(ScannerLoggerEvents.analysis.tarball));
 
-    const rootDepsOptions = { maxDepth, exclude, usePackageLock, fullLockMode };
+    const rootDepsOptions = { maxDepth, exclude, usePackageLock, fullLockMode, location };
     for await (const currentDep of getRootDependencies(manifest, rootDepsOptions)) {
       const { name, version } = currentDep;
       const current = currentDep.exportAsPlainObject(name === manifest.name ? 0 : void 0);
@@ -246,6 +251,7 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
 
         promisesToWait.push(scanDirOrArchive(name, version, {
           ref: current.versions[version],
+          location,
           tmpLocation: forceRootAnalysis && name === manifest.name ? null : tmpLocation,
           locker: tarballLocker,
           logger

package/src/tarball.js

@@ -1,173 +1,173 @@
-// Import Node.js Dependencies
-import path from "path";
-import os from "os";
-import timers from "timers/promises";
-
-// Import Third-party Dependencies
-import { runASTAnalysisOnFile } from "@nodesecure/js-x-ray";
-import pacote from "pacote";
-import ntlp from "@nodesecure/ntlp";
-
-// Import Internal Dependencies
-import {
-  getTarballComposition, isSensitiveFile, filterDependencyKind, analyzeDependencies, booleanToFlags,
-  NPM_TOKEN
-} from "./utils/index.js";
-import * as manifest from "./manifest.js";
-import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
-
-// CONSTANTS
-const kNativeCodeExtensions = new Set([".gyp", ".c", ".cpp", ".node", ".so", ".h"]);
-const kJsExtname = new Set([".js", ".mjs", ".cjs"]);
-
-export async function scanJavascriptFile(dest, file, packageName) {
-  const result = await runASTAnalysisOnFile(path.join(dest, file), { packageName });
-
-  const warnings = result.warnings.map((curr) => Object.assign({}, curr, { file }));
-  if (!result.ok) {
-    return {
-      file,
-      warnings,
-      isMinified: false,
-      tryDependencies: [],
-      dependencies: [],
-      filesDependencies: []
-    };
-  }
-  const { packages, files } = filterDependencyKind(result.dependencies, path.dirname(file));
-
-  return {
-    file,
-    warnings,
-    isMinified: result.isMinified,
-    tryDependencies: [...result.dependencies.getDependenciesInTryStatement()],
-    dependencies: packages,
-    filesDependencies: files
-  };
-}
-
-export async function scanDirOrArchive(name, version, options) {
-  const { ref, tmpLocation, locker } = options;
-
-  const isNpmTarball = !(tmpLocation === null);
-  const dest = isNpmTarball ? path.join(tmpLocation, `${name}@${version}`) : process.cwd();
-  const free = await locker.acquireOne();
-
-  try {
-    // If this is an NPM tarball then we extract it on the disk with pacote.
-    if (isNpmTarball) {
-      await pacote.extract(ref.flags.includes("isGit") ? ref.gitUrl : `${name}@${version}`, dest, {
-        ...NPM_TOKEN,
-        registry: getLocalRegistryURL(),
-        cache: `${os.homedir()}/.npm`
-      });
-      await timers.setImmediate();
-    }
-
-    // Read the package.json at the root of the directory or archive.
-    const { packageDeps, packageDevDeps, author, description, hasScript, hasNativeElements } = await manifest.readAnalyze(dest);
-    ref.author = author;
-    ref.description = description;
-
-    // Get the composition of the (extracted) directory
-    const { ext, files, size } = await getTarballComposition(dest);
-    ref.size = size;
-    ref.composition.extensions.push(...ext);
-    ref.composition.files.push(...files);
-    const hasBannedFile = files.some((path) => isSensitiveFile(path));
-    const hasNativeCode = hasNativeElements || files.some((file) => kNativeCodeExtensions.has(path.extname(file)));
-
-    // Search for minified and runtime dependencies
-    // Run a JS-X-Ray analysis on each JavaScript files of the project!
-    const fileAnalysisRaw = await Promise.allSettled(
-      files
-        .filter((name) => kJsExtname.has(path.extname(name)))
-        .map((file) => scanJavascriptFile(dest, file, name))
-    );
-
-    const fileAnalysisResults = fileAnalysisRaw
-      .filter((promiseSettledResult) => promiseSettledResult.status === "fulfilled")
-      .map((promiseSettledResult) => promiseSettledResult.value);
-
-    ref.warnings.push(...fileAnalysisResults.flatMap((row) => row.warnings));
-
-    const dependencies = [...new Set(fileAnalysisResults.flatMap((row) => row.dependencies))];
-    const filesDependencies = [...new Set(fileAnalysisResults.flatMap((row) => row.filesDependencies))];
-    const tryDependencies = new Set(fileAnalysisResults.flatMap((row) => row.tryDependencies));
-    const minifiedFiles = fileAnalysisResults.filter((row) => row.isMinified).flatMap((row) => row.file);
-
-    const {
-      nodeDependencies, thirdPartyDependencies, missingDependencies, unusedDependencies, flags
-    } = analyzeDependencies(dependencies, { packageDeps, packageDevDeps, tryDependencies });
-
-    ref.composition.required_thirdparty = thirdPartyDependencies;
-    ref.composition.unused.push(...unusedDependencies);
-    ref.composition.missing.push(...missingDependencies);
-    ref.composition.required_files = filesDependencies;
-    ref.composition.required_nodejs = nodeDependencies;
-    ref.composition.minified = minifiedFiles;
-
-    // License
-    await timers.setImmediate();
-    const licenses = await ntlp(dest);
-    const uniqueLicenseIds = Array.isArray(licenses.uniqueLicenseIds) ? licenses.uniqueLicenseIds : [];
-    ref.license = licenses;
-    ref.license.uniqueLicenseIds = uniqueLicenseIds;
-
-    ref.flags.push(...booleanToFlags({
-      ...flags,
-      hasNoLicense: uniqueLicenseIds.length === 0,
-      hasMultipleLicenses: licenses.hasMultipleLicenses,
-      hasMinifiedCode: minifiedFiles.length > 0,
-      hasWarnings: ref.warnings.length > 0 && !ref.flags.includes("hasWarnings"),
-      hasBannedFile,
-      hasNativeCode,
-      hasScript
-    }));
-  }
-  catch {
-    // Ignore
-  }
-  finally {
-    free();
-  }
-}
-
-export async function scanPackage(dest, packageName) {
-  const { type = "script", name } = await manifest.read(dest);
-
-  await timers.setImmediate();
-  const { ext, files, size } = await getTarballComposition(dest);
-  ext.delete("");
-
-  // Search for runtime dependencies
-  const dependencies = Object.create(null);
-  const [minified, warnings] = [[], []];
-
-  const JSFiles = files.filter((name) => kJsExtname.has(path.extname(name)));
-  for (const file of JSFiles) {
-    const result = await runASTAnalysisOnFile(path.join(dest, file), {
-      packageName: packageName ?? name,
-      module: type === "module"
-    });
-
-    warnings.push(...result.warnings.map((curr) => Object.assign({}, curr, { file })));
-    if (!result.ok) {
-      continue;
-    }
-
-    dependencies[file] = result.dependencies.dependencies;
-    result.isMinified && minified.push(file);
-  }
-
-  await timers.setImmediate();
-  const { uniqueLicenseIds, licenses } = await ntlp(dest);
-
-  return {
-    files: { list: files, extensions: [...ext], minified },
-    directorySize: size,
-    uniqueLicenseIds,
-    licenses,
-    ast: { dependencies, warnings }
-  };
-}
+// Import Node.js Dependencies
+import path from "path";
+import os from "os";
+import timers from "timers/promises";
+
+// Import Third-party Dependencies
+import { runASTAnalysisOnFile } from "@nodesecure/js-x-ray";
+import pacote from "pacote";
+import ntlp from "@nodesecure/ntlp";
+
+// Import Internal Dependencies
+import {
+  getTarballComposition, isSensitiveFile, filterDependencyKind, analyzeDependencies, booleanToFlags,
+  NPM_TOKEN
+} from "./utils/index.js";
+import * as manifest from "./manifest.js";
+import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
+
+// CONSTANTS
+const kNativeCodeExtensions = new Set([".gyp", ".c", ".cpp", ".node", ".so", ".h"]);
+const kJsExtname = new Set([".js", ".mjs", ".cjs"]);
+
+export async function scanJavascriptFile(dest, file, packageName) {
+  const result = await runASTAnalysisOnFile(path.join(dest, file), { packageName });
+
+  const warnings = result.warnings.map((curr) => Object.assign({}, curr, { file }));
+  if (!result.ok) {
+    return {
+      file,
+      warnings,
+      isMinified: false,
+      tryDependencies: [],
+      dependencies: [],
+      filesDependencies: []
+    };
+  }
+  const { packages, files } = filterDependencyKind(result.dependencies, path.dirname(file));
+
+  return {
+    file,
+    warnings,
+    isMinified: result.isMinified,
+    tryDependencies: [...result.dependencies.getDependenciesInTryStatement()],
+    dependencies: packages,
+    filesDependencies: files
+  };
+}
+
+export async function scanDirOrArchive(name, version, options) {
+  const { ref, location = process.cwd(), tmpLocation, locker } = options;
+
+  const isNpmTarball = !(tmpLocation === null);
+  const dest = isNpmTarball ? path.join(tmpLocation, `${name}@${version}`) : location;
+  const free = await locker.acquireOne();
+
+  try {
+    // If this is an NPM tarball then we extract it on the disk with pacote.
+    if (isNpmTarball) {
+      await pacote.extract(ref.flags.includes("isGit") ? ref.gitUrl : `${name}@${version}`, dest, {
+        ...NPM_TOKEN,
+        registry: getLocalRegistryURL(),
+        cache: `${os.homedir()}/.npm`
+      });
+      await timers.setImmediate();
+    }
+
+    // Read the package.json at the root of the directory or archive.
+    const { packageDeps, packageDevDeps, author, description, hasScript, hasNativeElements } = await manifest.readAnalyze(dest);
+    ref.author = author;
+    ref.description = description;
+
+    // Get the composition of the (extracted) directory
+    const { ext, files, size } = await getTarballComposition(dest);
+    ref.size = size;
+    ref.composition.extensions.push(...ext);
+    ref.composition.files.push(...files);
+    const hasBannedFile = files.some((path) => isSensitiveFile(path));
+    const hasNativeCode = hasNativeElements || files.some((file) => kNativeCodeExtensions.has(path.extname(file)));
+
+    // Search for minified and runtime dependencies
+    // Run a JS-X-Ray analysis on each JavaScript files of the project!
+    const fileAnalysisRaw = await Promise.allSettled(
+      files
+        .filter((name) => kJsExtname.has(path.extname(name)))
+        .map((file) => scanJavascriptFile(dest, file, name))
+    );
+
+    const fileAnalysisResults = fileAnalysisRaw
+      .filter((promiseSettledResult) => promiseSettledResult.status === "fulfilled")
+      .map((promiseSettledResult) => promiseSettledResult.value);
+
+    ref.warnings.push(...fileAnalysisResults.flatMap((row) => row.warnings));
+
+    const dependencies = [...new Set(fileAnalysisResults.flatMap((row) => row.dependencies))];
+    const filesDependencies = [...new Set(fileAnalysisResults.flatMap((row) => row.filesDependencies))];
+    const tryDependencies = new Set(fileAnalysisResults.flatMap((row) => row.tryDependencies));
+    const minifiedFiles = fileAnalysisResults.filter((row) => row.isMinified).flatMap((row) => row.file);
+
+    const {
+      nodeDependencies, thirdPartyDependencies, missingDependencies, unusedDependencies, flags
+    } = analyzeDependencies(dependencies, { packageDeps, packageDevDeps, tryDependencies });
+
+    ref.composition.required_thirdparty = thirdPartyDependencies;
+    ref.composition.unused.push(...unusedDependencies);
+    ref.composition.missing.push(...missingDependencies);
+    ref.composition.required_files = filesDependencies;
+    ref.composition.required_nodejs = nodeDependencies;
+    ref.composition.minified = minifiedFiles;
+
+    // License
+    await timers.setImmediate();
+    const licenses = await ntlp(dest);
+    const uniqueLicenseIds = Array.isArray(licenses.uniqueLicenseIds) ? licenses.uniqueLicenseIds : [];
+    ref.license = licenses;
+    ref.license.uniqueLicenseIds = uniqueLicenseIds;
+
+    ref.flags.push(...booleanToFlags({
+      ...flags,
+      hasNoLicense: uniqueLicenseIds.length === 0,
+      hasMultipleLicenses: licenses.hasMultipleLicenses,
+      hasMinifiedCode: minifiedFiles.length > 0,
+      hasWarnings: ref.warnings.length > 0 && !ref.flags.includes("hasWarnings"),
+      hasBannedFile,
+      hasNativeCode,
+      hasScript
+    }));
+  }
+  catch {
+    // Ignore
+  }
+  finally {
+    free();
+  }
+}
+
+export async function scanPackage(dest, packageName) {
+  const { type = "script", name } = await manifest.read(dest);
+
+  await timers.setImmediate();
+  const { ext, files, size } = await getTarballComposition(dest);
+  ext.delete("");
+
+  // Search for runtime dependencies
+  const dependencies = Object.create(null);
+  const [minified, warnings] = [[], []];
+
+  const JSFiles = files.filter((name) => kJsExtname.has(path.extname(name)));
+  for (const file of JSFiles) {
+    const result = await runASTAnalysisOnFile(path.join(dest, file), {
+      packageName: packageName ?? name,
+      module: type === "module"
+    });
+
+    warnings.push(...result.warnings.map((curr) => Object.assign({}, curr, { file })));
+    if (!result.ok) {
+      continue;
+    }
+
+    dependencies[file] = result.dependencies.dependencies;
+    result.isMinified && minified.push(file);
+  }
+
+  await timers.setImmediate();
+  const { uniqueLicenseIds, licenses } = await ntlp(dest);
+
+  return {
+    files: { list: files, extensions: [...ext], minified },
+    directorySize: size,
+    uniqueLicenseIds,
+    licenses,
+    ast: { dependencies, warnings }
+  };
+}

package/types/api.d.ts

@@ -1,15 +1,15 @@
-import Scanner from "./scanner";
-import { Logger, LoggerEvents } from "./logger";
-
-export {
-  cwd,
-  from,
-  verify,
-  ScannerLoggerEvents
-}
-
-declare const ScannerLoggerEvents: LoggerEvents;
-
-declare function cwd(path: string, options?: Scanner.Options, logger?: Logger): Promise<Scanner.Payload>;
-declare function from(packageName: string, options?: Scanner.Options, logger?: Logger): Promise<Scanner.Payload>;
-declare function verify(packageName: string): Promise<Scanner.VerifyPayload>;
+import Scanner from "./scanner";
+import { Logger, LoggerEvents } from "./logger";
+
+export {
+  cwd,
+  from,
+  verify,
+  ScannerLoggerEvents
+}
+
+declare const ScannerLoggerEvents: LoggerEvents;
+
+declare function cwd(location: string, options?: Scanner.Options, logger?: Logger): Promise<Scanner.Payload>;
+declare function from(packageName: string, options?: Scanner.Options, logger?: Logger): Promise<Scanner.Payload>;
+declare function verify(packageName?: string | null): Promise<Scanner.VerifyPayload>;

package/types/scanner.d.ts

@@ -1,185 +1,185 @@
-// Import NodeSecure Dependencies
-import * as JSXRay from "@nodesecure/js-x-ray";
-import { license as License } from "@nodesecure/ntlp";
-import * as Vuln from "@nodesecure/vuln";
-import { Flags } from "@nodesecure/flags";
-
-// Import Third-party Dependencies
-import { Maintainer } from "@npm/types";
-
-export = Scanner;
-
-declare namespace Scanner {
-  export interface Publisher {
-    /**
-     * Publisher npm user name.
-     */
-    name: string;
-    /**
-     * Publisher npm user email.
-     */
-    email: string;
-    /**
-     * First version published.
-     */
-    version: string;
-    /**
-     * Date of the first publication
-     * @example 2021-08-10T20:45:08.342Z
-     */
-    at: string;
-  }
-
-  export interface DependencyVersion {
-    /** Id of the package (useful for usedBy relation) */
-    id: number;
-    /** By whom (id) is used the package */
-    usedBy: Record<string, string>;
-    /** Size on disk of the extracted tarball (in bytes) */
-    size: number;
-    /** Package description */
-    description: string;
-    /** Author of the package. This information is not trustable and can be empty. */
-    author: Maintainer;
-    /**
-     * JS-X-Ray warnings
-     *
-     * @see https://github.com/NodeSecure/js-x-ray/blob/master/WARNINGS.md
-     */
-    warnings: JSXRay.Warning<JSXRay.BaseWarning>[];
-    /** Tarball composition (files and dependencies) */
-    composition: {
-      /** Files extensions (.js, .md, .exe etc..) */
-      extensions: string[];
-      files: string[];
-      /** Minified files (foo.min.js etc..) */
-      minified: string[];
-      required_files: string[];
-      required_thirdparty: string[];
-      required_nodejs: string[];
-      unused: string[];
-      missing: string[];
-    };
-    /**
-     * Package licenses with SPDX expression.
-     *
-     * @see https://github.com/NodeSecure/licenses-conformance
-     * @see https://github.com/NodeSecure/npm-tarball-license-parser
-     */
-    license: License[];
-    /**
-     * Flags (Array of string)
-     *
-     * @see https://github.com/NodeSecure/flags/blob/main/FLAGS.md
-     */
-    flags: Flags[];
-    /**
-     * If the dependency is a GIT repository
-     */
-    gitUrl: null | string;
-  }
-
-  export interface Dependency {
-    /** NPM Registry metadata */
-    metadata: {
-      /** Count of dependencies */
-      dependencyCount: number;
-      /** Number of releases published on npm */
-      publishedCount: number;
-      lastUpdateAt: number;
-      /** Last version SemVer */
-      lastVersion: number;
-      hasChangedAuthor: boolean;
-      hasManyPublishers: boolean;
-      hasReceivedUpdateInOneYear: boolean;
-      /** Author of the package. This information is not trustable and can be empty. */
-      author: Maintainer;
-      /** Package home page */
-      homepage: string | null;
-      /**
-       * List of maintainers (list of people in the organization related to the package)
-       */
-      maintainers: { name: string, email: string }[];
-      /**
-       * List of people who published this package
-       */
-      publishers: Publisher[];
-    }
-    /** List of versions of this package available in the dependency tree (In the payload) */
-    versions: Record<string, DependencyVersion>;
-    /**
-     * Vulnerabilities fetched dependending on the selected vulnerabilityStrategy
-     *
-     * @see https://github.com/NodeSecure/vuln
-     */
-    vulnerabilities: Vuln.Strategy.StandardVulnerability[];
-  }
-
-  export type GlobalWarning = string[];
-  export type Dependencies = Record<string, Dependency>;
-
-  export interface Payload {
-    /** Payload unique id */
-    id: string;
-    /** Name of the analyzed package */
-    rootDependencyName: string;
-    /** Global warnings list */
-    warnings: GlobalWarning[];
-    /** All the dependencies of the package (flattened) */
-    dependencies: Dependencies;
-    /** Version of the scanner used to generate the result */
-    scannerVersion: string;
-    /** Vulnerability strategy name (npm, snyk, node) */
-    vulnerabilityStrategy: Vuln.Strategy.Kind;
-  }
-
-  export interface VerifyPayload {
-    files: {
-      list: string[];
-      extensions: string[];
-      minified: string[];
-    };
-    directorySize: number;
-    uniqueLicenseIds: string[];
-    licenses: License[];
-    ast: {
-      dependencies: Record<string, JSXRay.Dependency>;
-      warnings: JSXRay.Warning<JSXRay.BaseWarning>[];
-    };
-  }
-
-  export interface Options {
-    /**
-     * Maximum tree depth
-     *
-     * @default 4
-     */
-    readonly maxDepth?: number;
-    /**
-     * Use root package-lock.json. This will have the effect of triggering the Arborist package.
-     *
-     * @default false for from() API
-     * @default true  for cwd()  API
-     */
-    readonly usePackageLock?: boolean;
-    /**
-     * Vulnerability strategy name (npm, snyk, node)
-     *
-     * @default NONE
-     */
-    readonly vulnerabilityStrategy: Vuln.Strategy.Kind;
-    /**
-     * Analyze root package.
-     *
-     * @default false for from() API
-     * @default true  for cwd()  API
-     */
-    readonly forceRootAnalysis?: boolean;
-    /**
-     * Deeper dependencies analysis with cwd() API.
-     *
-     * @default false
-     */
-    readonly fullLockMode?: boolean;
-  }
-}
+// Import NodeSecure Dependencies
+import * as JSXRay from "@nodesecure/js-x-ray";
+import { license as License } from "@nodesecure/ntlp";
+import * as Vuln from "@nodesecure/vuln";
+import { Flags } from "@nodesecure/flags";
+
+// Import Third-party Dependencies
+import { Maintainer } from "@npm/types";
+
+export = Scanner;
+
+declare namespace Scanner {
+  export interface Publisher {
+    /**
+     * Publisher npm user name.
+     */
+    name: string;
+    /**
+     * Publisher npm user email.
+     */
+    email: string;
+    /**
+     * First version published.
+     */
+    version: string;
+    /**
+     * Date of the first publication
+     * @example 2021-08-10T20:45:08.342Z
+     */
+    at: string;
+  }
+
+  export interface DependencyVersion {
+    /** Id of the package (useful for usedBy relation) */
+    id: number;
+    /** By whom (id) is used the package */
+    usedBy: Record<string, string>;
+    /** Size on disk of the extracted tarball (in bytes) */
+    size: number;
+    /** Package description */
+    description: string;
+    /** Author of the package. This information is not trustable and can be empty. */
+    author: Maintainer;
+    /**
+     * JS-X-Ray warnings
+     *
+     * @see https://github.com/NodeSecure/js-x-ray/blob/master/WARNINGS.md
+     */
+    warnings: JSXRay.Warning<JSXRay.BaseWarning>[];
+    /** Tarball composition (files and dependencies) */
+    composition: {
+      /** Files extensions (.js, .md, .exe etc..) */
+      extensions: string[];
+      files: string[];
+      /** Minified files (foo.min.js etc..) */
+      minified: string[];
+      required_files: string[];
+      required_thirdparty: string[];
+      required_nodejs: string[];
+      unused: string[];
+      missing: string[];
+    };
+    /**
+     * Package licenses with SPDX expression.
+     *
+     * @see https://github.com/NodeSecure/licenses-conformance
+     * @see https://github.com/NodeSecure/npm-tarball-license-parser
+     */
+    license: License[];
+    /**
+     * Flags (Array of string)
+     *
+     * @see https://github.com/NodeSecure/flags/blob/main/FLAGS.md
+     */
+    flags: Flags[];
+    /**
+     * If the dependency is a GIT repository
+     */
+    gitUrl: null | string;
+  }
+
+  export interface Dependency {
+    /** NPM Registry metadata */
+    metadata: {
+      /** Count of dependencies */
+      dependencyCount: number;
+      /** Number of releases published on npm */
+      publishedCount: number;
+      lastUpdateAt: number;
+      /** Last version SemVer */
+      lastVersion: number;
+      hasChangedAuthor: boolean;
+      hasManyPublishers: boolean;
+      hasReceivedUpdateInOneYear: boolean;
+      /** Author of the package. This information is not trustable and can be empty. */
+      author: Maintainer;
+      /** Package home page */
+      homepage: string | null;
+      /**
+       * List of maintainers (list of people in the organization related to the package)
+       */
+      maintainers: { name: string, email: string }[];
+      /**
+       * List of people who published this package
+       */
+      publishers: Publisher[];
+    }
+    /** List of versions of this package available in the dependency tree (In the payload) */
+    versions: Record<string, DependencyVersion>;
+    /**
+     * Vulnerabilities fetched dependending on the selected vulnerabilityStrategy
+     *
+     * @see https://github.com/NodeSecure/vuln
+     */
+    vulnerabilities: Vuln.Strategy.StandardVulnerability[];
+  }
+
+  export type GlobalWarning = string[];
+  export type Dependencies = Record<string, Dependency>;
+
+  export interface Payload {
+    /** Payload unique id */
+    id: string;
+    /** Name of the analyzed package */
+    rootDependencyName: string;
+    /** Global warnings list */
+    warnings: GlobalWarning[];
+    /** All the dependencies of the package (flattened) */
+    dependencies: Dependencies;
+    /** Version of the scanner used to generate the result */
+    scannerVersion: string;
+    /** Vulnerability strategy name (npm, snyk, node) */
+    vulnerabilityStrategy: Vuln.Strategy.Kind;
+  }
+
+  export interface VerifyPayload {
+    files: {
+      list: string[];
+      extensions: string[];
+      minified: string[];
+    };
+    directorySize: number;
+    uniqueLicenseIds: string[];
+    licenses: License[];
+    ast: {
+      dependencies: Record<string, JSXRay.Dependency>;
+      warnings: JSXRay.Warning<JSXRay.BaseWarning>[];
+    };
+  }
+
+  export interface Options {
+    /**
+     * Maximum tree depth
+     *
+     * @default 4
+     */
+    readonly maxDepth?: number;
+    /**
+     * Use root package-lock.json. This will have the effect of triggering the Arborist package.
+     *
+     * @default false for from() API
+     * @default true  for cwd()  API
+     */
+    readonly usePackageLock?: boolean;
+    /**
+     * Vulnerability strategy name (npm, snyk, node)
+     *
+     * @default NONE
+     */
+    readonly vulnerabilityStrategy: Vuln.Strategy.Kind;
+    /**
+     * Analyze root package.
+     *
+     * @default false for from() API
+     * @default true  for cwd()  API
+     */
+    readonly forceRootAnalysis?: boolean;
+    /**
+     * Deeper dependencies analysis with cwd() API.
+     *
+     * @default false
+     */
+    readonly fullLockMode?: boolean;
+  }
+}