@nodesecure/scanner 4.0.0 → 5.0.1

package/README.md

@@ -1,10 +1,10 @@
 <img align="center" alt="# Nodesecure Scanner" src="https://user-images.githubusercontent.com/4438263/226018084-113c49e6-6c69-4baa-8f84-87e6d695be6d.jpg">
 
 ![version](https://img.shields.io/badge/dynamic/json.svg?style=for-the-badge&url=https://raw.githubusercontent.com/NodeSecure/scanner/master/package.json&query=$.version&label=Version)
-[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg?style=for-the-badge)](https://github.com/NodeSecure/scanner/commit-activity)
+[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg?style=for-the-badge)](https://github.com/NodeSecure/scanner/graphs/commit-activity)
 [![OpenSSF
 Scorecard](https://api.securityscorecards.dev/projects/github.com/NodeSecure/scanner/badge?style=for-the-badge)](https://api.securityscorecards.dev/projects/github.com/NodeSecure/scanner)
-[![mit](https://img.shields.io/github/license/Naereen/StrapDown.js.svg?style=for-the-badge)](https://github.com/NodeSecure/scanner/blob/master/LICENSE)
+[![mit](https://img.shields.io/github/license/NodeSecure/scanner.svg?style=for-the-badge)](https://github.com/NodeSecure/scanner/blob/master/LICENSE)
 ![build](https://img.shields.io/github/actions/workflow/status/NodeSecure/scanner/node.js.yml?style=for-the-badge)
 
 ⚡️ Run a static analysis of your module's dependencies.

package/i18n/english.js

@@ -0,0 +1,6 @@
+const scanner = {
+  disable_scarf: "This dependency could collect data against your consent so think to disable it with the env var: SCARF_ANALYTICS",
+  keylogging: "This dependency can retrieve your keyboard and mouse inputs. It can be used for 'keylogging' attacks/malwares."
+};
+
+export default { scanner };

package/i18n/french.js

@@ -0,0 +1,7 @@
+const scanner = {
+  disable_scarf: "Cette dépendance peut récolter des données contre votre volonté, pensez donc à la désactiver en fournissant la variable d'environnement SCARF_ANALYTICS",
+  keylogging: "Cette dépendance peut obtenir vos entrées clavier ou de souris. Cette dépendance peut être utilisée en tant que 'keylogging' attacks/malwares."
+};
+
+export default { scanner };
+

package/index.js

@@ -38,7 +38,7 @@ export async function cwd(location = process.cwd(), options = {}, logger = new L
   return depWalker(JSON.parse(str), finalizedOptions, logger);
 }
 
-export async function from(packageName, options, logger = new Logger()) {
+export async function from(packageName, options = {}, logger = new Logger()) {
   const registry = options.registry ? new URL(options.registry).toString() : getLocalRegistryURL();
 
   logger.start(ScannerLoggerEvents.manifest.fetch);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nodesecure/scanner",
-  "version": "4.0.0",
+  "version": "5.0.1",
   "description": "A package API to run a static analysis of your module's dependencies.",
   "exports": "./index.js",
   "engines": {
@@ -10,11 +10,13 @@
     "lint": "eslint src test",
     "prepublishOnly": "pkg-ok",
     "test": "npm run lint && npm run test-only",
-    "test-only": "cross-env esm-tape-runner 'test/**/*.spec.js' | tap-monkey",
+    "test:ci": "node --test test/**.spec.js test/**/*.spec.js",
+    "test-only": "glob -c \"node --test-reporter=spec --test\" \"./test/**/*.spec.js\"",
     "coverage": "c8 -r html npm run test-only"
   },
   "files": [
     "src",
+    "i18n",
     "types",
     "index.js",
     "index.d.ts"
@@ -48,39 +50,35 @@
   },
   "homepage": "https://github.com/NodeSecure/scanner#readme",
   "devDependencies": {
-    "@nodesecure/eslint-config": "^1.6.0",
+    "@nodesecure/eslint-config": "^1.7.0",
     "@slimio/is": "^2.0.0",
-    "@small-tech/esm-tape-runner": "^2.0.0",
-    "@small-tech/tap-monkey": "^1.4.0",
-    "@types/node": "^18.13.0",
-    "c8": "^7.12.0",
-    "cross-env": "^7.0.3",
+    "@types/node": "^20.4.5",
+    "c8": "^7.13.0",
     "dotenv": "^16.0.3",
-    "eslint": "^8.34.0",
+    "eslint": "^8.37.0",
     "get-folder-size": "^4.0.0",
+    "glob": "^10.3.4",
     "pkg-ok": "^3.0.0",
-    "sinon": "^15.0.1",
-    "snap-shot-core": "^10.2.4",
-    "tape": "^5.6.1"
+    "sinon": "^15.0.3",
+    "snap-shot-core": "^10.2.4"
   },
   "dependencies": {
-    "@nodesecure/authors": "^1.0.1",
+    "@nodesecure/authors": "^1.0.2",
     "@nodesecure/flags": "^2.4.0",
     "@nodesecure/fs-walk": "^1.0.0",
-    "@nodesecure/i18n": "^3.0.0",
+    "@nodesecure/i18n": "^3.3.0",
     "@nodesecure/js-x-ray": "^6.0.1",
-    "@nodesecure/npm-registry-sdk": "^1.4.1",
-    "@nodesecure/ntlp": "^2.2.0",
-    "@nodesecure/utils": "^1.0.0",
+    "@nodesecure/npm-registry-sdk": "^1.5.2",
+    "@nodesecure/ntlp": "^2.2.1",
     "@nodesecure/vuln": "^1.7.0",
     "@npm/types": "^1.0.2",
-    "@npmcli/arborist": "^6.2.2",
+    "@npmcli/arborist": "^6.2.6",
     "@slimio/lock": "^1.0.0",
     "builtins": "^5.0.1",
     "combine-async-iterators": "^2.0.1",
-    "itertools": "^1.7.1",
+    "itertools": "^2.1.1",
     "lodash.difference": "^4.5.0",
-    "pacote": "^15.0.8",
+    "pacote": "^15.1.1",
     "semver": "^7.3.8"
   },
   "type": "module"

package/src/class/dependency.class.js

@@ -13,11 +13,15 @@ export default class Dependency {
     this.alias = {};
 
     if (parent !== null) {
-      parent.dependencyCount++;
+      parent.addChildren();
     }
     this.#parent = parent;
   }
 
+  addChildren() {
+    this.dependencyCount += 1;
+  }
+
   get fullName() {
     return `${this.name} ${this.version}`;
   }

package/src/depWalker.js

@@ -6,7 +6,7 @@ import os from "os";
 
 // Import Third-party Dependencies
 import combineAsyncIterators from "combine-async-iterators";
-import iter from "itertools";
+import * as iter from "itertools";
 import pacote from "pacote";
 import Arborist from "@npmcli/arborist";
 import Lock from "@slimio/lock";
@@ -76,6 +76,7 @@ export async function* searchDeepDependencies(packageName, gitURL, options) {
       }
 
       if (exclude.has(cleanName)) {
+        current.addChildren();
         exclude.get(cleanName).add(current.fullName);
       }
       else {
@@ -122,6 +123,7 @@ export async function* deepReadEdges(currentPackageName, options) {
     const cleanName = `${packageName}@${toNode.package.version}`;
 
     if (exclude.has(cleanName)) {
+      current.addChildren();
       exclude.get(cleanName).add(current.fullName);
     }
     else {
@@ -335,8 +337,7 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
     for (const [verStr, verDescriptor] of Object.entries(dependency.versions)) {
       verDescriptor.flags.push(...addMissingVersionFlags(new Set(verDescriptor.flags), dependency));
 
-      const fullName = `${packageName}@${verStr}`;
-      const usedDeps = exclude.get(fullName) || new Set();
+      const usedDeps = exclude.get(`${packageName}@${verStr}`) || new Set();
       if (usedDeps.size === 0) {
         continue;
       }

package/src/manifest.js

@@ -1,9 +1,9 @@
 // Import Node.js Dependencies
-import fs from "fs/promises";
-import path from "path";
+import fs from "node:fs/promises";
+import path from "node:path";
 
-// Import Third-party Dependencies
-import { parseManifestAuthor } from "@nodesecure/utils";
+// Import Internal Dependencies
+import { parseAuthor } from "./utils/index.js";
 
 // CONSTANTS
 // PR welcome to contribute to this list!
@@ -16,8 +16,10 @@ const kNativeNpmPackages = new Set([
  */
 const kUnsafeNpmScripts = new Set([
   "install",
-  "preinstall", "postinstall",
-  "preuninstall", "postuninstall"
+  "preinstall",
+  "postinstall",
+  "preuninstall",
+  "postuninstall"
 ]);
 
 /**
@@ -48,7 +50,7 @@ export async function readAnalyze(location) {
     .some((pkg) => kNativeNpmPackages.has(pkg));
 
   return {
-    author: typeof author === "string" ? parseManifestAuthor(author) : author,
+    author: parseAuthor(author),
     description,
     engines,
     repository,

package/src/npmRegistry.js

@@ -1,11 +1,9 @@
 // Import Third-party Dependencies
 import semver from "semver";
-import { parseManifestAuthor } from "@nodesecure/utils";
 import { packument } from "@nodesecure/npm-registry-sdk";
 
-export function parseAuthor(author) {
-  return typeof author === "string" ? parseManifestAuthor(author) : author;
-}
+// Import Internal Dependencies
+import { parseAuthor } from "./utils/index.js";
 
 export async function packageMetadata(name, version, options) {
   const { ref, logger } = options;
@@ -19,7 +17,7 @@ export async function packageMetadata(name, version, options) {
     const lastVersion = pkg["dist-tags"].latest;
     const lastUpdateAt = new Date(pkg.time[lastVersion]);
     const metadata = {
-      author: parseAuthor(pkg.author) ?? {},
+      author: parseAuthor(pkg.author),
       homepage: pkg.homepage || null,
       publishedCount: Object.values(pkg.versions).length,
       lastVersion,

package/src/tarball.js

@@ -10,8 +10,13 @@ import ntlp from "@nodesecure/ntlp";
 
 // Import Internal Dependencies
 import {
-  getTarballComposition, isSensitiveFile, filterDependencyKind, analyzeDependencies, booleanToFlags,
-  NPM_TOKEN
+  getTarballComposition,
+  isSensitiveFile,
+  filterDependencyKind,
+  analyzeDependencies,
+  booleanToFlags,
+  NPM_TOKEN,
+  getSemVerWarning
 } from "./utils/index.js";
 import * as manifest from "./manifest.js";
 
@@ -94,6 +99,10 @@ export async function scanDirOrArchive(name, version, options) {
 
     ref.warnings.push(...fileAnalysisResults.flatMap((row) => row.warnings));
 
+    if (/^0(\.\d+)*$/.test(version)) {
+      ref.warnings.push(getSemVerWarning(version));
+    }
+
     const dependencies = [...new Set(fileAnalysisResults.flatMap((row) => row.dependencies))];
     const filesDependencies = [...new Set(fileAnalysisResults.flatMap((row) => row.filesDependencies))];
     const tryDependencies = new Set(fileAnalysisResults.flatMap((row) => row.tryDependencies));

package/src/utils/index.js

@@ -10,6 +10,7 @@ export * from "./filterDependencyKind.js";
 export * from "./analyzeDependencies.js";
 export * from "./booleanToFlags.js";
 export * from "./addMissingVersionFlags.js";
+export * from "./parseManifestAuthor.js";
 
 export const NPM_TOKEN = typeof process.env.NODE_SECURE_TOKEN === "string" ?
   { token: process.env.NODE_SECURE_TOKEN } :

package/src/utils/parseManifestAuthor.js

@@ -0,0 +1,45 @@
+export function manifestAuthorRegex() {
+  return /^([^<(]+?)?[ \t]*(?:<([^>(]+?)>)?[ \t]*(?:\(([^)]+?)\)|$)/gm;
+}
+
+/**
+ * @see https://docs.npmjs.com/cli/v7/configuring-npm/package-json#people-fields-author-contributors
+ */
+export function parseManifestAuthor(manifestAuthorField) {
+  if (typeof manifestAuthorField !== "string") {
+    throw new TypeError("expected manifestAuthorField to be a string");
+  }
+
+  if (!/\w/.test(manifestAuthorField)) {
+    return null;
+  }
+
+  const match = manifestAuthorRegex().exec(manifestAuthorField);
+  if (!match) {
+    return null;
+  }
+  const author = {
+    name: match[1]
+  };
+
+  for (let id = 2; id < match.length; id++) {
+    const val = match[id] || "";
+
+    if (val.includes("@")) {
+      author.email = val;
+    }
+    else if (val.includes("http")) {
+      author.url = val;
+    }
+  }
+
+  return author;
+}
+
+export function parseAuthor(author) {
+  if (typeof author === "string") {
+    return parseManifestAuthor(author);
+  }
+
+  return !author || Object.keys(author).length === 0 ? null : author;
+}

package/src/utils/semver.js

@@ -47,3 +47,15 @@ export async function getCleanDependencyName([depName, range]) {
 
   return [`${depName}@${range}`, `${depName}@${depVer}`, isLatest];
 }
+
+export function getSemVerWarning(value) {
+  return {
+    kind: "invalid-semver",
+    file: "package.json",
+    value,
+    location: null,
+    i18n: "sast_warnings.invalidSemVer",
+    severity: "Information",
+    experimental: false
+  };
+}

package/src/utils/warnings.js

@@ -1,16 +1,26 @@
+// Import Node.js Dependencies
+import path from "node:path";
+
 // Import Third-party Dependencies
-import { getToken, taggedString } from "@nodesecure/i18n";
+import * as i18n from "@nodesecure/i18n";
 import { extractAllAuthors } from "@nodesecure/authors";
 
+// Import Internal Dependencies
+import { getDirNameFromUrl } from "./dirname.js";
+
+i18n.extendFromSystemPath(
+  path.join(getDirNameFromUrl(import.meta.url), "..", "..", "i18n")
+);
+
 // CONSTANTS
-const kDetectedDep = taggedString`The dependency '${0}' has been detected in the dependency Tree.`;
+const kDetectedDep = i18n.taggedString`The dependency '${0}' has been detected in the dependency Tree.`;
 const kFlaggedAuthors = [{
   name: "marak",
   email: "marak.squires@gmail.com"
 }];
 const kDependencyWarnMessage = Object.freeze({
-  "@scarf/scarf": await getToken("warnings.disable_scarf"),
-  iohook: await getToken("warnings.keylogging")
+  "@scarf/scarf": await i18n.getToken("scanner.disable_scarf"),
+  iohook: await i18n.getToken("scanner.keylogging")
 });
 
 /**

package/types/scanner.d.ts

@@ -4,11 +4,22 @@ import { license as License } from "@nodesecure/ntlp";
 import * as Vuln from "@nodesecure/vuln";
 
 // Import Third-party Dependencies
-import { Maintainer } from "@npm/types";
+import { extractedAuthor } from "@nodesecure/authors";
 
 export = Scanner;
 
 declare namespace Scanner {
+  export interface Author {
+    name: string;
+    email?: string;
+    url?: string;
+  }
+
+  export interface Maintainer {
+    name: string;
+    email: string;
+  }
+
   export interface Publisher {
     /**
      * Publisher npm user name.
@@ -45,7 +56,7 @@ declare namespace Scanner {
     /** Package description */
     description: string;
     /** Author of the package. This information is not trustable and can be empty. */
-    author: Maintainer;
+    author: Author | null;
     engines: {
       node?: string;
       npm?: string;
@@ -109,13 +120,13 @@ declare namespace Scanner {
       hasManyPublishers: boolean;
       hasReceivedUpdateInOneYear: boolean;
       /** Author of the package. This information is not trustable and can be empty. */
-      author: Maintainer;
+      author: Author | null;
       /** Package home page */
       homepage: string | null;
       /**
        * List of maintainers (list of people in the organization related to the package)
        */
-      maintainers: { name: string, email: string }[];
+      maintainers: Maintainer[];
       /**
        * List of people who published this package
        */