@nodesecure/scanner 3.6.0 → 3.7.0

package/README.md

@@ -1,97 +1,99 @@
-# NodeSecure Scanner
-![version](https://img.shields.io/badge/dynamic/json.svg?url=https://raw.githubusercontent.com/NodeSecure/scanner/master/package.json&query=$.version&label=Version)
-[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://github.com/NodeSecure/scanner/commit-activity)
-[![Security Responsible Disclosure](https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg)](https://github.com/nodejs/security-wg/blob/master/processes/responsible_disclosure_template.md
-)
-[![mit](https://img.shields.io/github/license/Naereen/StrapDown.js.svg)](https://github.com/NodeSecure/scanner/blob/master/LICENSE)
-![build](https://img.shields.io/github/workflow/status/NodeSecure/scanner/Node.js%20CI)
-
-⚡️ Run a static analysis of your module's dependencies.
-
-## Requirements
-
-- [Node.js](https://nodejs.org/en/) version 16 or higher
-
-## Getting Started
-
-This package is available in the Node Package Repository and can be easily installed with [npm](https://docs.npmjs.com/getting-started/what-is-npm) or [yarn](https://yarnpkg.com).
-
-```bash
-$ npm i @nodesecure/scanner
-# or
-$ yarn add @nodesecure/scanner
-```
-
-## Usage example
-
-```js
-import * as scanner from "@nodesecure/scanner";
-import fs from "fs/promises";
-
-// CONSTANTS
-const kPackagesToAnalyze = ["mocha", "cacache", "is-wsl"];
-
-const payloads = await Promise.all(
-  kPackagesToAnalyze.map((name) => scanner.from(name))
-);
-
-const promises = [];
-for (let i = 0; i < kPackagesToAnalyze.length; i++) {
-  const data = JSON.stringify(payloads[i], null, 2);
-
-  promises.push(fs.writeFile(`${kPackagesToAnalyze[i]}.json`, data));
-}
-await Promise.allSettled(promises);
-```
-
-## API
-
-See `types/api.d.ts` for a complete TypeScript definition.
-
-```ts
-function cwd(location: string, options?: Scanner.Options): Promise<Scanner.Payload>;
-function from(packageName: string, options?: Omit<Scanner.Options, "includeDevDeps">): Promise<Scanner.Payload>;
-function verify(packageName?: string | null): Promise<Scanner.VerifyPayload>;
-```
-
-`Options` is described with the following TypeScript interface:
-
-```ts
-interface Options {
-  readonly maxDepth?: number;
-  readonly usePackageLock?: boolean;
-  readonly includeDevDeps?: boolean;
-  readonly vulnerabilityStrategy: Strategy.Kind;
-  readonly forceRootAnalysis?: boolean;
-  readonly fullLockMode?: boolean;
-}
-```
-
-## Contributors ✨
-
-<!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
-[![All Contributors](https://img.shields.io/badge/all_contributors-5-orange.svg?style=flat-square)](#contributors-)
-<!-- ALL-CONTRIBUTORS-BADGE:END -->
-
-Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
-
-<!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section -->
-<!-- prettier-ignore-start -->
-<!-- markdownlint-disable -->
-<table>
-  <tr>
-    <td align="center"><a href="https://www.linkedin.com/in/thomas-gentilhomme/"><img src="https://avatars.githubusercontent.com/u/4438263?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Gentilhomme</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Afraxken" title="Reviewed Pull Requests">👀</a> <a href="#security-fraxken" title="Security">🛡️</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Afraxken" title="Bug reports">🐛</a></td>
-    <td align="center"><a href="http://tonygo.dev"><img src="https://avatars.githubusercontent.com/u/22824417?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Tony Gorez</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Atony-go" title="Reviewed Pull Requests">👀</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Atony-go" title="Bug reports">🐛</a></td>
-    <td align="center"><a href="https://mickaelcroquet.fr"><img src="https://avatars.githubusercontent.com/u/23740372?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Haze</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=CroquetMickael" title="Code">💻</a></td>
-    <td align="center"><a href="https://github.com/mbalabash"><img src="https://avatars.githubusercontent.com/u/16868922?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Maksim Balabash</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=mbalabash" title="Code">💻</a></td>
-    <td align="center"><a href="https://dev.to/antoinecoulon"><img src="https://avatars.githubusercontent.com/u/43391199?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Antoine Coulon</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=antoine-coulon" title="Code">💻</a> <a href="#security-antoine-coulon" title="Security">🛡️</a></td>
-  </tr>
-</table>
-
-<!-- markdownlint-restore -->
-<!-- prettier-ignore-end -->
-
-<!-- ALL-CONTRIBUTORS-LIST:END -->
-
-## License
-MIT
+# NodeSecure Scanner
+![version](https://img.shields.io/badge/dynamic/json.svg?url=https://raw.githubusercontent.com/NodeSecure/scanner/master/package.json&query=$.version&label=Version)
+[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://github.com/NodeSecure/scanner/commit-activity)
+[![Security Responsible Disclosure](https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg)](https://github.com/nodejs/security-wg/blob/master/processes/responsible_disclosure_template.md
+)
+[![mit](https://img.shields.io/github/license/Naereen/StrapDown.js.svg)](https://github.com/NodeSecure/scanner/blob/master/LICENSE)
+![build](https://img.shields.io/github/workflow/status/NodeSecure/scanner/Node.js%20CI)
+
+⚡️ Run a static analysis of your module's dependencies.
+
+## Requirements
+
+- [Node.js](https://nodejs.org/en/) version 16 or higher
+
+## Getting Started
+
+This package is available in the Node Package Repository and can be easily installed with [npm](https://docs.npmjs.com/getting-started/what-is-npm) or [yarn](https://yarnpkg.com).
+
+```bash
+$ npm i @nodesecure/scanner
+# or
+$ yarn add @nodesecure/scanner
+```
+
+## Usage example
+
+```js
+import * as scanner from "@nodesecure/scanner";
+import fs from "fs/promises";
+
+// CONSTANTS
+const kPackagesToAnalyze = ["mocha", "cacache", "is-wsl"];
+
+const payloads = await Promise.all(
+  kPackagesToAnalyze.map((name) => scanner.from(name))
+);
+
+const promises = [];
+for (let i = 0; i < kPackagesToAnalyze.length; i++) {
+  const data = JSON.stringify(payloads[i], null, 2);
+
+  promises.push(fs.writeFile(`${kPackagesToAnalyze[i]}.json`, data));
+}
+await Promise.allSettled(promises);
+```
+
+## API
+
+See `types/api.d.ts` for a complete TypeScript definition.
+
+```ts
+function cwd(location: string, options?: Scanner.Options): Promise<Scanner.Payload>;
+function from(packageName: string, options?: Omit<Scanner.Options, "includeDevDeps">): Promise<Scanner.Payload>;
+function verify(packageName?: string | null): Promise<Scanner.VerifyPayload>;
+```
+
+`Options` is described with the following TypeScript interface:
+
+```ts
+interface Options {
+  readonly maxDepth?: number;
+  readonly registry?: string | URL;
+  readonly usePackageLock?: boolean;
+  readonly includeDevDeps?: boolean;
+  readonly vulnerabilityStrategy: Strategy.Kind;
+  readonly forceRootAnalysis?: boolean;
+  readonly fullLockMode?: boolean;
+}
+```
+
+## Contributors ✨
+
+<!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
+[![All Contributors](https://img.shields.io/badge/all_contributors-6-orange.svg?style=flat-square)](#contributors-)
+<!-- ALL-CONTRIBUTORS-BADGE:END -->
+
+Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
+
+<!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section -->
+<!-- prettier-ignore-start -->
+<!-- markdownlint-disable -->
+<table>
+  <tr>
+    <td align="center"><a href="https://www.linkedin.com/in/thomas-gentilhomme/"><img src="https://avatars.githubusercontent.com/u/4438263?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Gentilhomme</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Afraxken" title="Reviewed Pull Requests">👀</a> <a href="#security-fraxken" title="Security">🛡️</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Afraxken" title="Bug reports">🐛</a></td>
+    <td align="center"><a href="http://tonygo.dev"><img src="https://avatars.githubusercontent.com/u/22824417?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Tony Gorez</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Atony-go" title="Reviewed Pull Requests">👀</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Atony-go" title="Bug reports">🐛</a></td>
+    <td align="center"><a href="https://mickaelcroquet.fr"><img src="https://avatars.githubusercontent.com/u/23740372?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Haze</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=CroquetMickael" title="Code">💻</a></td>
+    <td align="center"><a href="https://github.com/mbalabash"><img src="https://avatars.githubusercontent.com/u/16868922?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Maksim Balabash</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=mbalabash" title="Code">💻</a></td>
+    <td align="center"><a href="https://dev.to/antoinecoulon"><img src="https://avatars.githubusercontent.com/u/43391199?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Antoine Coulon</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=antoine-coulon" title="Code">💻</a> <a href="#security-antoine-coulon" title="Security">🛡️</a></td>
+    <td align="center"><a href="https://www.linkedin.com/in/nicolas-hallaert/"><img src="https://avatars.githubusercontent.com/u/39910164?v=4?s=100" width="100px;" alt=""/><br /><sub><b>Nicolas Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=Rossb0b" title="Code">💻</a></td>
+  </tr>
+</table>
+
+<!-- markdownlint-restore -->
+<!-- prettier-ignore-end -->
+
+<!-- ALL-CONTRIBUTORS-LIST:END -->
+
+## License
+MIT

package/index.js

@@ -19,7 +19,16 @@ import * as tarball from "./src/tarball.js";
 const kDefaultCwdOptions = { forceRootAnalysis: true, usePackageLock: true, includeDevDeps: false };
 
 export async function cwd(location = process.cwd(), options = {}, logger = new Logger()) {
-  const finalizedOptions = Object.assign({ location }, kDefaultCwdOptions, options);
+  const registry = options.registry ? new URL(options.registry).toString() : getLocalRegistryURL();
+
+  const finalizedOptions = Object.assign(
+    { location },
+    kDefaultCwdOptions,
+    {
+      ...options,
+      registry
+    }
+  );
 
   logger.start(ScannerLoggerEvents.manifest.read);
   const packagePath = path.join(location, "package.json");
@@ -30,13 +39,15 @@ export async function cwd(location = process.cwd(), options = {}, logger = new L
 }
 
 export async function from(packageName, options, logger = new Logger()) {
+  const registry = options.registry ? new URL(options.registry).toString() : getLocalRegistryURL();
+
   logger.start(ScannerLoggerEvents.manifest.fetch);
   const manifest = await pacote.manifest(packageName, {
-    ...NPM_TOKEN, registry: getLocalRegistryURL(), cache: `${os.homedir()}/.npm`
+    ...NPM_TOKEN, registry, cache: `${os.homedir()}/.npm`
   });
   logger.end(ScannerLoggerEvents.manifest.fetch);
 
-  return depWalker(manifest, options, logger);
+  return depWalker(manifest, Object.assign(options, { registry }), logger);
 }
 
 export async function verify(packageName = null) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nodesecure/scanner",
-  "version": "3.6.0",
+  "version": "3.7.0",
   "description": "A package API to run a static analysis of your module's dependencies.",
   "exports": "./index.js",
   "engines": {
@@ -48,15 +48,15 @@
   },
   "homepage": "https://github.com/NodeSecure/scanner#readme",
   "devDependencies": {
-    "@nodesecure/eslint-config": "^1.4.0",
+    "@nodesecure/eslint-config": "^1.4.1",
     "@slimio/is": "^1.5.1",
     "@small-tech/esm-tape-runner": "^2.0.0",
     "@small-tech/tap-monkey": "^1.4.0",
-    "@types/node": "^17.0.39",
+    "@types/node": "^18.0.0",
     "c8": "^7.11.3",
     "cross-env": "^7.0.3",
     "dotenv": "^16.0.1",
-    "eslint": "^8.17.0",
+    "eslint": "^8.18.0",
     "get-folder-size": "^3.1.0",
     "pkg-ok": "^3.0.0",
     "sinon": "^14.0.0",
@@ -64,22 +64,22 @@
     "tape": "^5.5.3"
   },
   "dependencies": {
-    "@nodesecure/flags": "^2.3.0",
+    "@nodesecure/flags": "^2.4.0",
     "@nodesecure/fs-walk": "^1.0.0",
-    "@nodesecure/i18n": "^1.3.0",
-    "@nodesecure/js-x-ray": "^4.5.0",
-    "@nodesecure/npm-registry-sdk": "^1.3.0",
+    "@nodesecure/i18n": "^2.0.0",
+    "@nodesecure/js-x-ray": "^5.0.1",
+    "@nodesecure/npm-registry-sdk": "^1.4.0",
     "@nodesecure/ntlp": "^2.1.0",
     "@nodesecure/utils": "^1.0.0",
     "@nodesecure/vuln": "^1.7.0",
     "@npm/types": "^1.0.2",
-    "@npmcli/arborist": "^5.2.1",
+    "@npmcli/arborist": "^5.2.3",
     "@slimio/lock": "^1.0.0",
     "builtins": "^5.0.1",
     "combine-async-iterators": "^2.0.1",
     "itertools": "^1.7.1",
     "lodash.difference": "^4.5.0",
-    "pacote": "^13.6.0",
+    "pacote": "^13.6.1",
     "semver": "^7.3.7"
   },
   "type": "module"

package/src/depWalker.js

@@ -11,7 +11,6 @@ import pacote from "pacote";
 import Arborist from "@npmcli/arborist";
 import Lock from "@slimio/lock";
 import * as vuln from "@nodesecure/vuln";
-import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
 import { ScannerLoggerEvents } from "./constants.js";
 
 // Import Internal Dependencies
@@ -31,11 +30,11 @@ const { version: packageVersion } = JSON.parse(
 );
 
 export async function* searchDeepDependencies(packageName, gitURL, options) {
-  const { exclude, currDepth = 0, parent, maxDepth } = options;
+  const { exclude, currDepth = 0, parent, maxDepth, registry } = options;
 
   const { name, version, deprecated, ...pkg } = await pacote.manifest(gitURL ?? packageName, {
     ...NPM_TOKEN,
-    registry: getLocalRegistryURL(),
+    registry,
     cache: `${os.homedir()}/.npm`
   });
   const { dependencies, customResolvers } = mergeDependencies(pkg);
@@ -48,7 +47,7 @@ export async function* searchDeepDependencies(packageName, gitURL, options) {
 
   if (currDepth !== maxDepth) {
     const config = {
-      exclude, currDepth: currDepth + 1, parent: current, maxDepth
+      exclude, currDepth: currDepth + 1, parent: current, maxDepth, registry
     };
 
     const gitDependencies = iter.filter(customResolvers.entries(), ([, valueStr]) => isGitDependency(valueStr));
@@ -76,7 +75,7 @@ export async function* searchDeepDependencies(packageName, gitURL, options) {
 }
 
 export async function* deepReadEdges(currentPackageName, options) {
-  const { to, parent, exclude, fullLockMode, includeDevDeps } = options;
+  const { to, parent, exclude, fullLockMode, includeDevDeps, registry } = options;
   const { version, integrity = to.integrity } = to.package;
 
   const updatedVersion = version === "*" || typeof version === "undefined" ? "latest" : version;
@@ -86,7 +85,7 @@ export async function* deepReadEdges(currentPackageName, options) {
   if (fullLockMode && !includeDevDeps) {
     const { deprecated, _integrity, ...pkg } = await pacote.manifest(`${currentPackageName}@${updatedVersion}`, {
       ...NPM_TOKEN,
-      registry: getLocalRegistryURL(),
+      registry,
       cache: `${os.homedir()}/.npm`
     });
     const { customResolvers } = mergeDependencies(pkg);
@@ -108,7 +107,7 @@ export async function* deepReadEdges(currentPackageName, options) {
     }
     else {
       exclude.set(cleanName, new Set([current.fullName]));
-      yield* deepReadEdges(packageName, { parent: current, to: toNode, exclude });
+      yield* deepReadEdges(packageName, { parent: current, to: toNode, exclude, registry });
     }
   }
   yield current;
@@ -118,7 +117,8 @@ export async function* getRootDependencies(manifest, options) {
   const {
     maxDepth = 4, exclude,
     usePackageLock, fullLockMode, includeDevDeps,
-    location
+    location,
+    registry
   } = options;
 
   const { dependencies, customResolvers } = mergeDependencies(manifest, void 0);
@@ -131,7 +131,7 @@ export async function* getRootDependencies(manifest, options) {
     const arb = new Arborist({
       ...NPM_TOKEN,
       path: location,
-      registry: getLocalRegistryURL()
+      registry
     });
     let tree;
     try {
@@ -146,11 +146,18 @@ export async function* getRootDependencies(manifest, options) {
       ...iter
         .filter(tree.edgesOut.entries(), ([, { to }]) => to !== null && (includeDevDeps ? true : (!to.dev || to.isWorkspace)))
         .map(([packageName, { to }]) => [packageName, to.isWorkspace ? to.target : to])
-        .map(([packageName, to]) => deepReadEdges(packageName, { to, parent, fullLockMode, includeDevDeps, exclude }))
+        .map(([packageName, to]) => deepReadEdges(packageName, {
+          to,
+          parent,
+          fullLockMode,
+          includeDevDeps,
+          exclude,
+          registry
+        }))
     ];
   }
   else {
-    const configRef = { exclude, maxDepth, parent };
+    const configRef = { exclude, maxDepth, parent, registry };
     iterators = [
       ...iter.filter(customResolvers.entries(), ([, valueStr]) => isGitDependency(valueStr))
         .map(([depName, valueStr]) => searchDeepDependencies(depName, valueStr, configRef)),
@@ -189,7 +196,8 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
     fullLockMode = false,
     maxDepth,
     location,
-    vulnerabilityStrategy = vuln.strategies.NONE
+    vulnerabilityStrategy = vuln.strategies.NONE,
+    registry
   } = options;
 
   // Create TMP directory
@@ -218,7 +226,7 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
     const tarballLocker = new Lock({ maxConcurrent: 5 });
     tarballLocker.on("freeOne", () => logger.tick(ScannerLoggerEvents.analysis.tarball));
 
-    const rootDepsOptions = { maxDepth, exclude, usePackageLock, fullLockMode, includeDevDeps, location };
+    const rootDepsOptions = { maxDepth, exclude, usePackageLock, fullLockMode, includeDevDeps, location, registry };
     for await (const currentDep of getRootDependencies(manifest, rootDepsOptions)) {
       const { name, version, dev } = currentDep;
       const current = currentDep.exportAsPlainObject(name === manifest.name ? 0 : void 0);
@@ -267,7 +275,8 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
           location,
           tmpLocation: forceRootAnalysis && name === manifest.name ? null : tmpLocation,
           locker: tarballLocker,
-          logger
+          logger,
+          registry
         }));
       }
     }

package/src/tarball.js

@@ -14,7 +14,6 @@ import {
   NPM_TOKEN
 } from "./utils/index.js";
 import * as manifest from "./manifest.js";
-import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
 
 // CONSTANTS
 const kNativeCodeExtensions = new Set([".gyp", ".c", ".cpp", ".node", ".so", ".h"]);
@@ -47,7 +46,7 @@ export async function scanJavascriptFile(dest, file, packageName) {
 }
 
 export async function scanDirOrArchive(name, version, options) {
-  const { ref, location = process.cwd(), tmpLocation, locker } = options;
+  const { ref, location = process.cwd(), tmpLocation, locker, registry } = options;
 
   const isNpmTarball = !(tmpLocation === null);
   const dest = isNpmTarball ? path.join(tmpLocation, `${name}@${version}`) : location;
@@ -58,7 +57,7 @@ export async function scanDirOrArchive(name, version, options) {
     if (isNpmTarball) {
       await pacote.extract(ref.flags.includes("isGit") ? ref.gitUrl : `${name}@${version}`, dest, {
         ...NPM_TOKEN,
-        registry: getLocalRegistryURL(),
+        registry,
         cache: `${os.homedir()}/.npm`
       });
       await timers.setImmediate();

package/types/scanner.d.ts

@@ -166,6 +166,7 @@ declare namespace Scanner {
      * @default 4
      */
     readonly maxDepth?: number;
+    readonly registry?: string | URL;
     /**
      * Use root package-lock.json. This will have the effect of triggering the Arborist package.
      *