@nodesecure/scanner 3.8.1 → 4.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/README.md +28 -18
  2. package/index.d.ts +5 -5
  3. package/package.json +8 -7
  4. package/src/depWalker.js +3 -1
  5. package/src/utils/warnings.js +24 -26
  6. package/types/scanner.d.ts +3 -0
  7. package/types/walker.d.ts +1 -1
package/README.md CHANGED
@@ -1,10 +1,11 @@
1
- # NodeSecure Scanner
2
- ![version](https://img.shields.io/badge/dynamic/json.svg?url=https://raw.githubusercontent.com/NodeSecure/scanner/master/package.json&query=$.version&label=Version)
3
- [![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://github.com/NodeSecure/scanner/commit-activity)
1
+ <img align="center" alt="# Nodesecure Scanner" src="https://user-images.githubusercontent.com/4438263/226018084-113c49e6-6c69-4baa-8f84-87e6d695be6d.jpg">
2
+
3
+ ![version](https://img.shields.io/badge/dynamic/json.svg?style=for-the-badge&url=https://raw.githubusercontent.com/NodeSecure/scanner/master/package.json&query=$.version&label=Version)
4
+ [![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg?style=for-the-badge)](https://github.com/NodeSecure/scanner/commit-activity)
4
5
  [![OpenSSF
5
- Scorecard](https://api.securityscorecards.dev/projects/github.com/NodeSecure/scanner/badge)](https://api.securityscorecards.dev/projects/github.com/NodeSecure/scanner)
6
- [![mit](https://img.shields.io/github/license/Naereen/StrapDown.js.svg)](https://github.com/NodeSecure/scanner/blob/master/LICENSE)
7
- ![build](https://img.shields.io/github/actions/workflow/status/NodeSecure/scanner/node.js.yml)
6
+ Scorecard](https://api.securityscorecards.dev/projects/github.com/NodeSecure/scanner/badge?style=for-the-badge)](https://api.securityscorecards.dev/projects/github.com/NodeSecure/scanner)
7
+ [![mit](https://img.shields.io/github/license/Naereen/StrapDown.js.svg?style=for-the-badge)](https://github.com/NodeSecure/scanner/blob/master/LICENSE)
8
+ ![build](https://img.shields.io/github/actions/workflow/status/NodeSecure/scanner/node.js.yml?style=for-the-badge)
8
9
 
9
10
  ⚡️ Run a static analysis of your module's dependencies.
10
11
 
@@ -49,8 +50,14 @@ await Promise.allSettled(promises);
49
50
  See `types/api.d.ts` for a complete TypeScript definition.
50
51
 
51
52
  ```ts
52
- function cwd(location: string, options?: Scanner.Options): Promise<Scanner.Payload>;
53
- function from(packageName: string, options?: Omit<Scanner.Options, "includeDevDeps">): Promise<Scanner.Payload>;
53
+ function cwd(
54
+ location: string,
55
+ options?: Scanner.Options
56
+ ): Promise<Scanner.Payload>;
57
+ function from(
58
+ packageName: string,
59
+ options?: Omit<Scanner.Options, "includeDevDeps">
60
+ ): Promise<Scanner.Payload>;
54
61
  function verify(packageName?: string | null): Promise<Scanner.VerifyPayload>;
55
62
  ```
56
63
 
@@ -71,7 +78,7 @@ interface Options {
71
78
  ## Contributors ✨
72
79
 
73
80
  <!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
74
- [![All Contributors](https://img.shields.io/badge/all_contributors-9-orange.svg?style=flat-square)](#contributors-)
81
+ [![All Contributors](https://img.shields.io/badge/all_contributors-11-orange.svg?style=flat-square)](#contributors-)
75
82
  <!-- ALL-CONTRIBUTORS-BADGE:END -->
76
83
 
77
84
  Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
@@ -82,17 +89,19 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
82
89
  <table>
83
90
  <tbody>
84
91
  <tr>
85
- <td align="center"><a href="https://www.linkedin.com/in/thomas-gentilhomme/"><img src="https://avatars.githubusercontent.com/u/4438263?v=4?s=100" width="100px;" alt="Gentilhomme"/><br /><sub><b>Gentilhomme</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Afraxken" title="Reviewed Pull Requests">👀</a> <a href="#security-fraxken" title="Security">🛡️</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Afraxken" title="Bug reports">🐛</a></td>
86
- <td align="center"><a href="http://tonygo.dev"><img src="https://avatars.githubusercontent.com/u/22824417?v=4?s=100" width="100px;" alt="Tony Gorez"/><br /><sub><b>Tony Gorez</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Atony-go" title="Reviewed Pull Requests">👀</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Atony-go" title="Bug reports">🐛</a></td>
87
- <td align="center"><a href="https://mickaelcroquet.fr"><img src="https://avatars.githubusercontent.com/u/23740372?v=4?s=100" width="100px;" alt="Haze"/><br /><sub><b>Haze</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=CroquetMickael" title="Code">💻</a></td>
88
- <td align="center"><a href="https://github.com/mbalabash"><img src="https://avatars.githubusercontent.com/u/16868922?v=4?s=100" width="100px;" alt="Maksim Balabash"/><br /><sub><b>Maksim Balabash</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=mbalabash" title="Code">💻</a></td>
89
- <td align="center"><a href="https://dev.to/antoinecoulon"><img src="https://avatars.githubusercontent.com/u/43391199?v=4?s=100" width="100px;" alt="Antoine Coulon"/><br /><sub><b>Antoine Coulon</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=antoine-coulon" title="Code">💻</a> <a href="#security-antoine-coulon" title="Security">🛡️</a></td>
90
- <td align="center"><a href="https://www.linkedin.com/in/nicolas-hallaert/"><img src="https://avatars.githubusercontent.com/u/39910164?v=4?s=100" width="100px;" alt="Nicolas Hallaert"/><br /><sub><b>Nicolas Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=Rossb0b" title="Code">💻</a></td>
91
- <td align="center"><a href="http://sofiand.github.io/portfolio-client/"><img src="https://avatars.githubusercontent.com/u/39944043?v=4?s=100" width="100px;" alt="Yefis"/><br /><sub><b>Yefis</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=SofianD" title="Code">💻</a></td>
92
+ <td align="center" valign="top" width="14.28%"><a href="https://www.linkedin.com/in/thomas-gentilhomme/"><img src="https://avatars.githubusercontent.com/u/4438263?v=4?s=100" width="100px;" alt="Gentilhomme"/><br /><sub><b>Gentilhomme</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=fraxken" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Afraxken" title="Reviewed Pull Requests">👀</a> <a href="#security-fraxken" title="Security">🛡️</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Afraxken" title="Bug reports">🐛</a></td>
93
+ <td align="center" valign="top" width="14.28%"><a href="http://tonygo.dev"><img src="https://avatars.githubusercontent.com/u/22824417?v=4?s=100" width="100px;" alt="Tony Gorez"/><br /><sub><b>Tony Gorez</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/commits?author=tony-go" title="Documentation">📖</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3Atony-go" title="Reviewed Pull Requests">👀</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3Atony-go" title="Bug reports">🐛</a></td>
94
+ <td align="center" valign="top" width="14.28%"><a href="https://mickaelcroquet.fr"><img src="https://avatars.githubusercontent.com/u/23740372?v=4?s=100" width="100px;" alt="Haze"/><br /><sub><b>Haze</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=CroquetMickael" title="Code">💻</a></td>
95
+ <td align="center" valign="top" width="14.28%"><a href="https://github.com/mbalabash"><img src="https://avatars.githubusercontent.com/u/16868922?v=4?s=100" width="100px;" alt="Maksim Balabash"/><br /><sub><b>Maksim Balabash</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=mbalabash" title="Code">💻</a></td>
96
+ <td align="center" valign="top" width="14.28%"><a href="https://dev.to/antoinecoulon"><img src="https://avatars.githubusercontent.com/u/43391199?v=4?s=100" width="100px;" alt="Antoine Coulon"/><br /><sub><b>Antoine Coulon</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=antoine-coulon" title="Code">💻</a> <a href="#security-antoine-coulon" title="Security">🛡️</a></td>
97
+ <td align="center" valign="top" width="14.28%"><a href="https://www.linkedin.com/in/nicolas-hallaert/"><img src="https://avatars.githubusercontent.com/u/39910164?v=4?s=100" width="100px;" alt="Nicolas Hallaert"/><br /><sub><b>Nicolas Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=Rossb0b" title="Code">💻</a></td>
98
+ <td align="center" valign="top" width="14.28%"><a href="http://sofiand.github.io/portfolio-client/"><img src="https://avatars.githubusercontent.com/u/39944043?v=4?s=100" width="100px;" alt="Yefis"/><br /><sub><b>Yefis</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=SofianD" title="Code">💻</a></td>
92
99
  </tr>
93
100
  <tr>
94
- <td align="center"><a href="https://www.linkedin.com/in/franck-hallaert/"><img src="https://avatars.githubusercontent.com/u/110826655?v=4?s=100" width="100px;" alt="Franck Hallaert"/><br /><sub><b>Franck Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=Aekk0" title="Code">💻</a></td>
95
- <td align="center"><a href="https://www.linkedin.com/in/ange-tekeu-a155811b4/"><img src="https://avatars.githubusercontent.com/u/35274201?v=4?s=100" width="100px;" alt="Ange TEKEU"/><br /><sub><b>Ange TEKEU</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=tekeuange23" title="Code">💻</a></td>
101
+ <td align="center" valign="top" width="14.28%"><a href="https://www.linkedin.com/in/franck-hallaert/"><img src="https://avatars.githubusercontent.com/u/110826655?v=4?s=100" width="100px;" alt="Franck Hallaert"/><br /><sub><b>Franck Hallaert</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=Aekk0" title="Code">💻</a></td>
102
+ <td align="center" valign="top" width="14.28%"><a href="https://www.linkedin.com/in/ange-tekeu-a155811b4/"><img src="https://avatars.githubusercontent.com/u/35274201?v=4?s=100" width="100px;" alt="Ange TEKEU"/><br /><sub><b>Ange TEKEU</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=tekeuange23" title="Code">💻</a></td>
103
+ <td align="center" valign="top" width="14.28%"><a href="https://github.com/Kawacrepe"><img src="https://avatars.githubusercontent.com/u/40260517?v=4?s=100" width="100px;" alt="Vincent Dhennin"/><br /><sub><b>Vincent Dhennin</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=Kawacrepe" title="Code">💻</a></td>
104
+ <td align="center" valign="top" width="14.28%"><a href="https://github.com/fabnguess"><img src="https://avatars.githubusercontent.com/u/72697416?v=4?s=100" width="100px;" alt="Kouadio Fabrice Nguessan"/><br /><sub><b>Kouadio Fabrice Nguessan</b></sub></a><br /><a href="#maintenance-fabnguess" title="Maintenance">🚧</a></td>
96
105
  </tr>
97
106
  </tbody>
98
107
  </table>
@@ -103,4 +112,5 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
103
112
  <!-- ALL-CONTRIBUTORS-LIST:END -->
104
113
 
105
114
  ## License
115
+
106
116
  MIT
package/index.d.ts CHANGED
@@ -1,8 +1,8 @@
1
- import Scanner from "./types/scanner";
2
- import { cwd, from, verify, ScannerLoggerEvents } from "./types/api";
3
- import { depWalker } from "./types/walker";
4
- import { Logger, LoggerEventData } from "./types/logger";
5
- import tarball from "./types/tarball";
1
+ import Scanner from "./types/scanner.js";
2
+ import { cwd, from, verify, ScannerLoggerEvents } from "./types/api.js";
3
+ import { depWalker } from "./types/walker.js";
4
+ import { Logger, LoggerEventData } from "./types/logger.js";
5
+ import tarball from "./types/tarball.js";
6
6
 
7
7
  export {
8
8
  cwd, from, verify, ScannerLoggerEvents,
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@nodesecure/scanner",
3
- "version": "3.8.1",
3
+ "version": "4.0.0",
4
4
  "description": "A package API to run a static analysis of your module's dependencies.",
5
5
  "exports": "./index.js",
6
6
  "engines": {
@@ -49,14 +49,14 @@
49
49
  "homepage": "https://github.com/NodeSecure/scanner#readme",
50
50
  "devDependencies": {
51
51
  "@nodesecure/eslint-config": "^1.6.0",
52
- "@slimio/is": "^1.5.1",
52
+ "@slimio/is": "^2.0.0",
53
53
  "@small-tech/esm-tape-runner": "^2.0.0",
54
54
  "@small-tech/tap-monkey": "^1.4.0",
55
- "@types/node": "^18.11.18",
55
+ "@types/node": "^18.13.0",
56
56
  "c8": "^7.12.0",
57
57
  "cross-env": "^7.0.3",
58
58
  "dotenv": "^16.0.3",
59
- "eslint": "^8.31.0",
59
+ "eslint": "^8.34.0",
60
60
  "get-folder-size": "^4.0.0",
61
61
  "pkg-ok": "^3.0.0",
62
62
  "sinon": "^15.0.1",
@@ -64,16 +64,17 @@
64
64
  "tape": "^5.6.1"
65
65
  },
66
66
  "dependencies": {
67
+ "@nodesecure/authors": "^1.0.1",
67
68
  "@nodesecure/flags": "^2.4.0",
68
69
  "@nodesecure/fs-walk": "^1.0.0",
69
- "@nodesecure/i18n": "^2.1.1",
70
- "@nodesecure/js-x-ray": "^5.1.0",
70
+ "@nodesecure/i18n": "^3.0.0",
71
+ "@nodesecure/js-x-ray": "^6.0.1",
71
72
  "@nodesecure/npm-registry-sdk": "^1.4.1",
72
73
  "@nodesecure/ntlp": "^2.2.0",
73
74
  "@nodesecure/utils": "^1.0.0",
74
75
  "@nodesecure/vuln": "^1.7.0",
75
76
  "@npm/types": "^1.0.2",
76
- "@npmcli/arborist": "^6.1.5",
77
+ "@npmcli/arborist": "^6.2.2",
77
78
  "@slimio/lock": "^1.0.0",
78
79
  "builtins": "^5.0.1",
79
80
  "combine-async-iterators": "^2.0.1",
package/src/depWalker.js CHANGED
@@ -350,7 +350,9 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
350
350
  }
351
351
 
352
352
  try {
353
- payload.warnings = getDependenciesWarnings(dependencies);
353
+ const { warnings, flaggedAuthors } = await getDependenciesWarnings(dependencies);
354
+ payload.warnings = warnings;
355
+ payload.flaggedAuthors = flaggedAuthors;
354
356
  payload.dependencies = Object.fromEntries(dependencies);
355
357
 
356
358
  return payload;
package/src/utils/warnings.js CHANGED
@@ -1,36 +1,34 @@
1
1
  // Import Third-party Dependencies
2
2
  import { getToken, taggedString } from "@nodesecure/i18n";
3
+ import { extractAllAuthors } from "@nodesecure/authors";
3
4
 
4
5
  // CONSTANTS
5
6
  const kDetectedDep = taggedString`The dependency '${0}' has been detected in the dependency Tree.`;
6
- const kWarningsMessages = Object.freeze({
7
- "@scarf/scarf": getToken("warnings.disable_scarf"),
8
- iohook: getToken("warnings.keylogging")
7
+ const kFlaggedAuthors = [{
8
+ name: "marak",
9
+ email: "marak.squires@gmail.com"
10
+ }];
11
+ const kDependencyWarnMessage = Object.freeze({
12
+ "@scarf/scarf": await getToken("warnings.disable_scarf"),
13
+ iohook: await getToken("warnings.keylogging")
9
14
  });
10
- const kPackages = new Set(Object.keys(kWarningsMessages));
11
- const kAuthors = new Set(["marak", "marak.squires@gmail.com"]);
12
15
 
13
- function getWarning(depName) {
14
- return `${kDetectedDep(depName)} ${kWarningsMessages[depName]}`;
15
- }
16
-
17
- export function getDependenciesWarnings(dependencies) {
18
- const warnings = [];
19
- for (const depName of kPackages) {
20
- if (dependencies.has(depName)) {
21
- warnings.push(getWarning(depName));
22
- }
23
- }
16
+ /**
17
+ * @param {Map<string, any>} dependenciesMap
18
+ */
19
+ export async function getDependenciesWarnings(dependenciesMap) {
20
+ const warnings = [...Object.keys(kDependencyWarnMessage)]
21
+ .filter((depName) => dependenciesMap.has(depName))
22
+ .map((depName) => `${kDetectedDep(depName)} ${kDependencyWarnMessage[depName]}`);
24
23
 
25
- // TODO: optimize with @nodesecure/author later
26
- for (const [packageName, dependency] of dependencies) {
27
- for (const { name, email } of dependency.metadata.maintainers) {
28
- if (kAuthors.has(name) || kAuthors.has(email)) {
29
- warnings.push(`'Marak Squires' package '${packageName}' has been detected in the dependency tree`);
30
- }
31
- }
32
- }
24
+ // TODO: add support for RC configuration
25
+ const res = await extractAllAuthors(
26
+ { dependencies: Object.fromEntries(dependenciesMap) },
27
+ { flags: kFlaggedAuthors, domainInformations: false }
28
+ );
33
29
 
34
- return warnings;
30
+ return {
31
+ warnings,
32
+ flaggedAuthors: res.flaggedAuthors
33
+ };
35
34
  }
36
-
package/types/scanner.d.ts CHANGED
@@ -132,6 +132,7 @@ declare namespace Scanner {
132
132
  }
133
133
 
134
134
  export type GlobalWarning = string[];
135
+ export type FlaggedAuthors = extractedAuthor[];
135
136
  export type Dependencies = Record<string, Dependency>;
136
137
 
137
138
  export interface Payload {
@@ -141,6 +142,8 @@ declare namespace Scanner {
141
142
  rootDependencyName: string;
142
143
  /** Global warnings list */
143
144
  warnings: GlobalWarning[];
145
+ /** List of flagged authors */
146
+ flaggedAuthors: FlaggedAuthors[];
144
147
  /** All the dependencies of the package (flattened) */
145
148
  dependencies: Dependencies;
146
149
  /** Version of the scanner used to generate the result */
package/types/walker.d.ts CHANGED
@@ -5,4 +5,4 @@ export {
5
5
  depWalker
6
6
  }
7
7
 
8
- declare function depWalker(manifest: Manifest, options?: Scanner.Options);
8
+ declare function depWalker(manifest: Manifest, options?: Scanner.Options): Promise<Scanner.Payload>;