@nodesecure/scanner 5.1.0 → 5.2.0

package/README.md

@@ -78,7 +78,7 @@ interface Options {
 ## Contributors ✨
 
 <!-- ALL-CONTRIBUTORS-BADGE:START - Do not remove or modify this section -->
-[![All Contributors](https://img.shields.io/badge/all_contributors-11-orange.svg?style=flat-square)](#contributors-)
+[![All Contributors](https://img.shields.io/badge/all_contributors-12-orange.svg?style=flat-square)](#contributors-)
 <!-- ALL-CONTRIBUTORS-BADGE:END -->
 
 Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
@@ -102,6 +102,7 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
       <td align="center" valign="top" width="14.28%"><a href="https://www.linkedin.com/in/ange-tekeu-a155811b4/"><img src="https://avatars.githubusercontent.com/u/35274201?v=4?s=100" width="100px;" alt="Ange TEKEU"/><br /><sub><b>Ange TEKEU</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=tekeuange23" title="Code">💻</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/Kawacrepe"><img src="https://avatars.githubusercontent.com/u/40260517?v=4?s=100" width="100px;" alt="Vincent Dhennin"/><br /><sub><b>Vincent Dhennin</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=Kawacrepe" title="Code">💻</a></td>
       <td align="center" valign="top" width="14.28%"><a href="https://github.com/fabnguess"><img src="https://avatars.githubusercontent.com/u/72697416?v=4?s=100" width="100px;" alt="Kouadio Fabrice Nguessan"/><br /><sub><b>Kouadio Fabrice Nguessan</b></sub></a><br /><a href="#maintenance-fabnguess" title="Maintenance">🚧</a></td>
+      <td align="center" valign="top" width="14.28%"><a href="https://github.com/PierreDemailly"><img src="https://avatars.githubusercontent.com/u/39910767?v=4?s=100" width="100px;" alt="PierreDemailly"/><br /><sub><b>PierreDemailly</b></sub></a><br /><a href="https://github.com/NodeSecure/scanner/commits?author=PierreDemailly" title="Code">💻</a> <a href="https://github.com/NodeSecure/scanner/pulls?q=is%3Apr+reviewed-by%3APierreDemailly" title="Reviewed Pull Requests">👀</a> <a href="https://github.com/NodeSecure/scanner/issues?q=author%3APierreDemailly" title="Bug reports">🐛</a> <a href="https://github.com/NodeSecure/scanner/commits?author=PierreDemailly" title="Tests">⚠️</a></td>
     </tr>
   </tbody>
 </table>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nodesecure/scanner",
-  "version": "5.1.0",
+  "version": "5.2.0",
   "description": "A package API to run a static analysis of your module's dependencies.",
   "exports": "./index.js",
   "engines": {
@@ -55,7 +55,7 @@
     "@types/node": "^20.10.0",
     "c8": "^8.0.1",
     "dotenv": "^16.3.1",
-    "eslint": "^8.37.0",
+    "eslint": "8.37.0",
     "get-folder-size": "^4.0.0",
     "glob": "^10.3.10",
     "pkg-ok": "^3.0.0",
@@ -66,9 +66,9 @@
     "@nodesecure/authors": "^1.0.2",
     "@nodesecure/flags": "^2.4.0",
     "@nodesecure/fs-walk": "^1.0.0",
-    "@nodesecure/i18n": "^3.4.0",
-    "@nodesecure/js-x-ray": "^6.2.0",
-    "@nodesecure/npm-registry-sdk": "^1.6.1",
+    "@nodesecure/i18n": "^3.5.0",
+    "@nodesecure/js-x-ray": "^6.3.0",
+    "@nodesecure/npm-registry-sdk": "^2.0.0",
     "@nodesecure/ntlp": "^2.2.1",
     "@nodesecure/vuln": "^1.7.0",
     "@npm/types": "^1.0.2",

package/src/depWalker.js

@@ -293,7 +293,7 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
         logger.tick(ScannerLoggerEvents.analysis.tree);
 
         // There is no need to fetch 'N' times the npm metadata for the same package.
-        if (fetchedMetadataPackages.has(name)) {
+        if (fetchedMetadataPackages.has(name) || !current.versions[version].existOnRemoteRegistry) {
           logger.tick(ScannerLoggerEvents.analysis.registry);
         }
         else {
@@ -340,6 +340,13 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
 
     for (const [version, integrity] of Object.entries(metadataIntegrities)) {
       const dependencyVer = dependency.versions[version];
+
+      const isEmptyPackage = dependencyVer.warnings
+        .some((warning) => warning.kind === "empty-package");
+      if (isEmptyPackage) {
+        globalWarnings.push(`${packageName}@${version} only contain a package.json file!`);
+      }
+
       if (!("integrity" in dependencyVer) || dependencyVer.flags.includes("isGit")) {
         continue;
       }

package/src/manifest.js

@@ -54,7 +54,9 @@ export async function readAnalyze(location) {
   } = await read(location);
 
   for (const [scriptName, scriptValue] of Object.entries(scripts)) {
-    scripts[scriptName] = scriptValue.replaceAll(kNodemodulesBinPrefix, "");
+    if (scriptValue.startsWith(kNodemodulesBinPrefix)) {
+      scripts[scriptName] = scriptValue.replaceAll(kNodemodulesBinPrefix, "");
+    }
   }
 
   const integrityObj = {

package/src/npmRegistry.js

@@ -6,7 +6,7 @@ import semver from "semver";
 import { packument, packumentVersion } from "@nodesecure/npm-registry-sdk";
 
 // Import Internal Dependencies
-import { parseAuthor } from "./utils/index.js";
+import { parseAuthor, getLinks } from "./utils/index.js";
 
 export async function manifestMetadata(name, version, metadata) {
   try {
@@ -45,8 +45,9 @@ export async function packageMetadata(name, version, options) {
     };
 
     const isOutdated = semver.neq(version, lastVersion);
+    const flags = ref.versions[version].flags;
     if (isOutdated) {
-      ref.versions[version].flags.push("isOutdated");
+      flags.push("isOutdated");
     }
 
     const publishers = new Set();
@@ -54,12 +55,17 @@ export async function packageMetadata(name, version, options) {
     for (const ver of Object.values(pkg.versions).reverse()) {
       const versionSpec = `${ver.name}:${ver.version}`;
       if (packageSpec === versionSpec) {
+        if (ver.deprecated && !flags.includes("isDeprecated")) {
+          flags.push("isDeprecated");
+        }
+
         metadata.integrity[ver.version] = getPackumentVersionIntegrity(
           ver
         );
       }
 
       const { _npmUser: npmUser, version, maintainers = [] } = ver;
+
       const isNullOrUndefined = typeof npmUser === "undefined" || npmUser === null;
       if (isNullOrUndefined || !("name" in npmUser) || typeof npmUser.name !== "string") {
         continue;
@@ -85,6 +91,7 @@ export async function packageMetadata(name, version, options) {
       }
     }
 
+    Object.assign(ref.versions[version], { links: getLinks(pkg.versions[version]) });
     Object.assign(ref.metadata, metadata);
   }
   catch {

package/src/tarball.js

@@ -67,6 +67,10 @@ export async function scanDirOrArchive(name, version, options) {
       });
       await timers.setImmediate();
     }
+    else {
+      // Set links to an empty object because theses are generated only for NPM tarballs
+      Object.assign(ref, { links: {} });
+    }
 
     // Read the package.json at the root of the directory or archive.
     const {
@@ -88,6 +92,17 @@ export async function scanDirOrArchive(name, version, options) {
 
     // Get the composition of the (extracted) directory
     const { ext, files, size } = await getTarballComposition(dest);
+    if (files.length === 1 && files.includes("package.json")) {
+      ref.warnings.push({
+        kind: "empty-package",
+        location: null,
+        i18n: "sast_warnings.emptyPackage",
+        severity: "Critical",
+        source: "Scanner",
+        experimental: false
+      });
+    }
+
     ref.size = size;
     ref.composition.extensions.push(...ext);
     ref.composition.files.push(...files);

package/src/utils/getLinks.js

@@ -0,0 +1,31 @@
+// CONSTANTS
+const kVCSHosts = new Set(["github.com", "gitlab.com"]);
+
+function getVCSRepositoryURL(link) {
+  try {
+    const url = new URL(link);
+    const { hostname, pathname } = url;
+
+    if (kVCSHosts.has(hostname) === false) {
+      return null;
+    }
+
+    const [owner, repo] = pathname.split("/").filter(Boolean).map((curr) => curr.replace(".git", ""));
+
+    return `https://${hostname}/${owner}/${repo}`;
+  }
+  catch {
+    return null;
+  }
+}
+
+export function getLinks(pkg) {
+  const homepage = pkg.homepage || null;
+  const repositoryUrl = pkg.repository?.url || null;
+
+  return {
+    npm: `https://www.npmjs.com/package/${pkg.name}/v/${pkg.version}`,
+    homepage,
+    repository: getVCSRepositoryURL(homepage) ?? getVCSRepositoryURL(repositoryUrl)
+  };
+}

package/src/utils/index.js

@@ -11,6 +11,7 @@ export * from "./analyzeDependencies.js";
 export * from "./booleanToFlags.js";
 export * from "./addMissingVersionFlags.js";
 export * from "./parseManifestAuthor.js";
+export * from "./getLinks.js";
 
 export const NPM_TOKEN = typeof process.env.NODE_SECURE_TOKEN === "string" ?
   { token: process.env.NODE_SECURE_TOKEN } :

package/types/scanner.d.ts

@@ -40,6 +40,15 @@ declare namespace Scanner {
     at: string;
   }
 
+  export interface DependencyLinks {
+    /** NPM Registry page */
+    npm: string;
+    /** Homepage URL */
+    homepage?: string;
+    /** VCS repository URL */
+    repository?: string;
+  }
+
   export interface DependencyVersion {
     /** Id of the package (useful for usedBy relation) */
     id: number;
@@ -111,6 +120,7 @@ declare namespace Scanner {
      * (Not supported on GIT dependency)
      */
     integrity?: string;
+    links: DependencyLinks;
   }
 
   export interface Dependency {