@nodesecure/scanner 5.3.0 → 6.0.1

package/src/utils/getTarballComposition.js

@@ -1,38 +0,0 @@
-// Import Node.js Dependencies
-import fs from "fs/promises";
-import path from "path";
-
-// Import Third-party Dependencies
-import { walk } from "@nodesecure/fs-walk";
-
-export async function getTarballComposition(tarballDir) {
-  const ext = new Set();
-  const files = [];
-  const dirs = [];
-  let { size } = await fs.stat(tarballDir);
-
-  for await (const [dirent, file] of walk(tarballDir)) {
-    if (dirent.isFile()) {
-      ext.add(path.extname(file));
-      files.push(file);
-    }
-    else if (dirent.isDirectory()) {
-      dirs.push(file);
-    }
-  }
-
-  const sizeUnfilteredResult = await Promise.allSettled([
-    ...files.map((file) => fs.stat(file)),
-    ...dirs.map((file) => fs.stat(file))
-  ]);
-  const sizeAll = sizeUnfilteredResult
-    .filter((promiseSettledResult) => promiseSettledResult.status === "fulfilled")
-    .map((promiseSettledResult) => promiseSettledResult.value);
-  size += sizeAll.reduce((prev, curr) => prev + curr.size, 0);
-
-  return {
-    ext,
-    size,
-    files: files.map((fileLocation) => path.relative(tarballDir, fileLocation)).sort()
-  };
-}

package/src/utils/index.js

@@ -1,18 +0,0 @@
-export * from "./getTarballComposition.js";
-export * from "./isSensitiveFile.js";
-export * from "./isGitDependency.js";
-export * from "./getPackageName.js";
-export * from "./mergeDependencies.js";
-export * from "./semver.js";
-export * from "./dirname.js";
-export * from "./warnings.js";
-export * from "./filterDependencyKind.js";
-export * from "./analyzeDependencies.js";
-export * from "./booleanToFlags.js";
-export * from "./addMissingVersionFlags.js";
-export * from "./parseManifestAuthor.js";
-export * from "./getLinks.js";
-
-export const NPM_TOKEN = typeof process.env.NODE_SECURE_TOKEN === "string" ?
-  { token: process.env.NODE_SECURE_TOKEN } :
-  {};

package/src/utils/isGitDependency.js

@@ -1,11 +0,0 @@
-/**
- * @example isGitDependency("github:NodeSecure/scanner") // => true
- * @example isGitDependency("git+ssh://git@github.com:npm/cli#semver:^5.0") // => true
- * @example isGitDependency(">=1.0.2 <2.1.2") // => false
- * @example isGitDependency("http://asdf.com/asdf.tar.gz") // => false
- * @param {string} version
- * @returns {boolean}
- */
-export function isGitDependency(version) {
-  return /^git(:|\+|hub:)/.test(version);
-}

package/src/utils/isSensitiveFile.js

@@ -1,17 +0,0 @@
-// Import Node.js Dependencies
-import path from "path";
-
-// CONSTANTS
-const kSensitiveFileName = new Set([".npmrc", ".env"]);
-const kSensitiveFileExtension = new Set([".key", ".pem"]);
-
-/**
- * @see https://github.com/jandre/safe-commit-hook/blob/master/git-deny-patterns.json
- *
- * @param {!string} fileName
- * @returns {boolean}
- */
-export function isSensitiveFile(fileName) {
-  return kSensitiveFileName.has(path.basename(fileName)) ||
-    kSensitiveFileExtension.has(path.extname(fileName));
-}

package/src/utils/mergeDependencies.js

@@ -1,30 +0,0 @@
-export function mergeDependencies(manifest, types = ["dependencies"]) {
-  const dependencies = new Map();
-  const customResolvers = new Map();
-  const alias = new Map();
-
-  for (const fieldName of types) {
-    if (!Reflect.has(manifest, fieldName)) {
-      continue;
-    }
-    const dep = manifest[fieldName];
-
-    for (const [name, version] of Object.entries(dep)) {
-      /**
-       * Version can be file:, github:, git:, git+, ./...
-       * @see https://docs.npmjs.com/cli/v7/configuring-npm/package-json#dependencies
-       */
-      if (/^([a-zA-Z]+:|git\+|\.\\)/.test(version)) {
-        customResolvers.set(name, version);
-        if (!version.startsWith("npm:")) {
-          continue;
-        }
-        alias.set(name, version.slice(4));
-      }
-
-      dependencies.set(name, version);
-    }
-  }
-
-  return { dependencies, customResolvers, alias };
-}

package/src/utils/parseManifestAuthor.js

@@ -1,45 +0,0 @@
-export function manifestAuthorRegex() {
-  return /^([^<(]+?)?[ \t]*(?:<([^>(]+?)>)?[ \t]*(?:\(([^)]+?)\)|$)/gm;
-}
-
-/**
- * @see https://docs.npmjs.com/cli/v7/configuring-npm/package-json#people-fields-author-contributors
- */
-export function parseManifestAuthor(manifestAuthorField) {
-  if (typeof manifestAuthorField !== "string") {
-    throw new TypeError("expected manifestAuthorField to be a string");
-  }
-
-  if (!/\w/.test(manifestAuthorField)) {
-    return null;
-  }
-
-  const match = manifestAuthorRegex().exec(manifestAuthorField);
-  if (!match) {
-    return null;
-  }
-  const author = {
-    name: match[1]
-  };
-
-  for (let id = 2; id < match.length; id++) {
-    const val = match[id] || "";
-
-    if (val.includes("@")) {
-      author.email = val;
-    }
-    else if (val.includes("http")) {
-      author.url = val;
-    }
-  }
-
-  return author;
-}
-
-export function parseAuthor(author) {
-  if (typeof author === "string") {
-    return parseManifestAuthor(author);
-  }
-
-  return !author || Object.keys(author).length === 0 ? null : author;
-}

package/src/utils/semver.js

@@ -1,62 +0,0 @@
-// Import Third-party Dependencies
-import pacote from "pacote";
-import semver from "semver";
-import { getLocalRegistryURL } from "@nodesecure/npm-registry-sdk";
-
-// Import Internal Dependencies
-import { NPM_TOKEN } from "./index.js";
-
-/**
- * @param {!string} version semver range
- * @returns {string} semver version
- *
- * @example
- * cleanRange(">=1.5.0"); // 1.5.0
- * cleanRange("^2.0.0"); // 2.0.0
- */
-export function cleanRange(version) {
-  // TODO: how do we handle complicated range like pkg-name@1 || 2 or pkg-name@2.1.2 < 3
-  const firstChar = version.charAt(0);
-  if (firstChar === "^" || firstChar === "<" || firstChar === ">" || firstChar === "=" || firstChar === "~") {
-    return version.slice(version.charAt(1) === "=" ? 2 : 1);
-  }
-
-  return version;
-}
-
-/**
- * @param {!string} depName dependency name (WITHOUT version/range)
- * @param {!string} range semver range, ex: >=1.5.0
- */
-export async function getExpectedSemVer(depName, range) {
-  try {
-    const { versions, "dist-tags": { latest } } = await pacote.packument(depName, {
-      ...NPM_TOKEN, registry: getLocalRegistryURL()
-    });
-    const currVersion = semver.maxSatisfying(Object.keys(versions), range);
-
-    return currVersion === null ? [latest, true] : [currVersion, semver.eq(latest, currVersion)];
-  }
-  catch (err) {
-    return [cleanRange(range), true];
-  }
-}
-
-export async function getCleanDependencyName([depName, range]) {
-  const [depVer, isLatest] = await getExpectedSemVer(depName, range);
-
-  return [`${depName}@${range}`, `${depName}@${depVer}`, isLatest];
-}
-
-export function getSemVerWarning(value) {
-  return {
-    kind: "zero-semver",
-    file: "package.json",
-    value,
-    location: null,
-    i18n: "sast_warnings.zeroSemVer",
-    severity: "Information",
-    source: "Scanner",
-    experimental: false
-  };
-}

package/src/utils/warnings.js

@@ -1,44 +0,0 @@
-// Import Node.js Dependencies
-import path from "node:path";
-
-// Import Third-party Dependencies
-import * as i18n from "@nodesecure/i18n";
-import { extractAllAuthors } from "@nodesecure/authors";
-
-// Import Internal Dependencies
-import { getDirNameFromUrl } from "./dirname.js";
-
-await i18n.extendFromSystemPath(
-  path.join(getDirNameFromUrl(import.meta.url), "..", "..", "i18n")
-);
-
-// CONSTANTS
-const kDetectedDep = i18n.taggedString`The dependency '${0}' has been detected in the dependency Tree.`;
-const kFlaggedAuthors = [{
-  name: "marak",
-  email: "marak.squires@gmail.com"
-}];
-const kDependencyWarnMessage = Object.freeze({
-  "@scarf/scarf": await i18n.getToken("scanner.disable_scarf"),
-  iohook: await i18n.getToken("scanner.keylogging")
-});
-
-/**
- * @param {Map<string, any>} dependenciesMap
- */
-export async function getDependenciesWarnings(dependenciesMap) {
-  const warnings = [...Object.keys(kDependencyWarnMessage)]
-    .filter((depName) => dependenciesMap.has(depName))
-    .map((depName) => `${kDetectedDep(depName)} ${kDependencyWarnMessage[depName]}`);
-
-  // TODO: add support for RC configuration
-  const res = await extractAllAuthors(
-    { dependencies: Object.fromEntries(dependenciesMap) },
-    { flags: kFlaggedAuthors, domainInformations: false }
-  );
-
-  return {
-    warnings,
-    flaggedAuthors: res.flaggedAuthors
-  };
-}

package/types/api.d.ts

@@ -1,15 +0,0 @@
-import Scanner from "./scanner.js";
-import { Logger, LoggerEvents } from "./logger.js";
-
-export {
-  cwd,
-  from,
-  verify,
-  ScannerLoggerEvents
-}
-
-declare const ScannerLoggerEvents: LoggerEvents;
-
-declare function cwd(location: string, options?: Scanner.Options, logger?: Logger): Promise<Scanner.Payload>;
-declare function from(packageName: string, options?: Omit<Scanner.Options, "includeDevDeps">, logger?: Logger): Promise<Scanner.Payload>;
-declare function verify(packageName?: string | null): Promise<Scanner.VerifyPayload>;

package/types/logger.d.ts

@@ -1,38 +0,0 @@
-import { EventEmitter } from "events";
-
-export {
-  Logger,
-  LoggerEventData,
-  LoggerEvents
-}
-
-interface LoggerEvents {
-  readonly done: "depWalkerFinished";
-  readonly analysis: {
-      readonly tree: "walkTree";
-      readonly tarball: "tarball";
-      readonly registry: "registry";
-  };
-  readonly manifest: {
-      readonly read: "readManifest";
-      readonly fetch: "fetchManifest";
-  };
-}
-
-interface LoggerEventData {
-  /** UNIX Timestamp */
-  startedAt: number;
-  /** Count of triggered event */
-  count: number;
-}
-
-declare class Logger extends EventEmitter {
-  public events: Map<string, LoggerEventData>;
-
-  constructor();
-
-  start(eventName: string): Logger;
-  end(eventName: string): Logger;
-  tick(eventName: string): Logger;
-  count(eventName: string): number;
-}

package/types/scanner.d.ts

@@ -1,251 +0,0 @@
-// Import NodeSecure Dependencies
-import * as JSXRay from "@nodesecure/js-x-ray";
-import { license as License } from "@nodesecure/ntlp";
-import * as Vuln from "@nodesecure/vuln";
-
-// Import Third-party Dependencies
-import { extractedAuthor } from "@nodesecure/authors";
-
-export = Scanner;
-
-declare namespace Scanner {
-  export interface Author {
-    name: string;
-    email?: string;
-    url?: string;
-    npmAvatar?: string;
-  }
-
-  export interface Maintainer {
-    name: string;
-    email: string;
-    npmAvatar?: string;
-  }
-
-  export interface Publisher {
-    /**
-     * Publisher npm user name.
-     */
-    name: string;
-    /**
-     * Publisher npm user email.
-     */
-    email: string;
-    /**
-     * First version published.
-     */
-    version: string;
-    /**
-     * Date of the first publication
-     * @example 2021-08-10T20:45:08.342Z
-     */
-    at: string;
-    /**
-     * Path to publisher's avatar on "https://www.npmjs.com"
-     * @example /npm-avatar/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.LwimMJA3puF3ioGeS-tfczR3370GXBZMIL-bdpu4hOU
-     */
-    npmAvatar?: string;
-  }
-
-  export interface DependencyLinks {
-    /** NPM Registry page */
-    npm: string;
-    /** Homepage URL */
-    homepage?: string;
-    /** VCS repository URL */
-    repository?: string;
-  }
-
-  export interface DependencyVersion {
-    /** Id of the package (useful for usedBy relation) */
-    id: number;
-    isDevDependency: boolean;
-    /**
-     * Tell if the given package exist on the configured remote registry (npm by default)
-     * @default true
-     */
-    existOnRemoteRegistry: boolean;
-    /** By whom (id) is used the package */
-    usedBy: Record<string, string>;
-    /** Size on disk of the extracted tarball (in bytes) */
-    size: number;
-    /** Package description */
-    description: string;
-    /** Author of the package. This information is not trustable and can be empty. */
-    author: Author | null;
-    engines: {
-      node?: string;
-      npm?: string;
-    };
-    repository: {
-      type: string;
-      url: string;
-    };
-    scripts: Record<string, string>;
-    /**
-     * JS-X-Ray warnings
-     *
-     * @see https://github.com/NodeSecure/js-x-ray/blob/master/WARNINGS.md
-     */
-    warnings: JSXRay.Warning<JSXRay.WarningDefault>[];
-    /** Tarball composition (files and dependencies) */
-    composition: {
-      /** Files extensions (.js, .md, .exe etc..) */
-      extensions: string[];
-      files: string[];
-      /** Minified files (foo.min.js etc..) */
-      minified: string[];
-      alias: Record<string, string>;
-      required_files: string[];
-      required_thirdparty: string[];
-      required_nodejs: string[];
-      required_subpath: string[];
-      unused: string[];
-      missing: string[];
-    };
-    /**
-     * Package licenses with SPDX expression.
-     *
-     * @see https://github.com/NodeSecure/licenses-conformance
-     * @see https://github.com/NodeSecure/npm-tarball-license-parser
-     */
-    license: License[];
-    /**
-     * Flags (Array of string)
-     *
-     * @see https://github.com/NodeSecure/flags/blob/main/FLAGS.md
-     */
-    flags: string[];
-    /**
-     * If the dependency is a GIT repository
-     */
-    gitUrl: null | string;
-    /**
-     * Version MD5 integrity hash
-     * Generated by the scanner to verify manifest/tarball confusion
-     *
-     * (Not supported on GIT dependency)
-     */
-    integrity?: string;
-    links: DependencyLinks;
-  }
-
-  export interface Dependency {
-    /** NPM Registry metadata */
-    metadata: {
-      /** Count of dependencies */
-      dependencyCount: number;
-      /** Number of releases published on npm */
-      publishedCount: number;
-      lastUpdateAt: number;
-      /** Last version SemVer */
-      lastVersion: number;
-      hasChangedAuthor: boolean;
-      hasManyPublishers: boolean;
-      hasReceivedUpdateInOneYear: boolean;
-      /** Author of the package. This information is not trustable and can be empty. */
-      author: Author | null;
-      /** Package home page */
-      homepage: string | null;
-      /**
-       * List of maintainers (list of people in the organization related to the package)
-       */
-      maintainers: Maintainer[];
-      /**
-       * List of people who published this package
-       */
-      publishers: Publisher[];
-      /**
-       * Version MD5 integrity hash
-       * Generated by the scanner to verify manifest/tarball confusion
-       */
-      integrity: Record<string, string>;
-    }
-    /** List of versions of this package available in the dependency tree (In the payload) */
-    versions: Record<string, DependencyVersion>;
-    /**
-     * Vulnerabilities fetched dependending on the selected vulnerabilityStrategy
-     *
-     * @see https://github.com/NodeSecure/vuln
-     */
-    vulnerabilities: Vuln.Strategy.StandardVulnerability[];
-  }
-
-  export type GlobalWarning = string[];
-  export type FlaggedAuthors = extractedAuthor[];
-  export type Dependencies = Record<string, Dependency>;
-
-  export interface Payload {
-    /** Payload unique id */
-    id: string;
-    /** Name of the analyzed package */
-    rootDependencyName: string;
-    /** Global warnings list */
-    warnings: GlobalWarning[];
-    /** List of flagged authors */
-    flaggedAuthors: FlaggedAuthors[];
-    /** All the dependencies of the package (flattened) */
-    dependencies: Dependencies;
-    /** Version of the scanner used to generate the result */
-    scannerVersion: string;
-    /** Vulnerability strategy name (npm, snyk, node) */
-    vulnerabilityStrategy: Vuln.Strategy.Kind;
-  }
-
-  export interface VerifyPayload {
-    files: {
-      list: string[];
-      extensions: string[];
-      minified: string[];
-    };
-    directorySize: number;
-    uniqueLicenseIds: string[];
-    licenses: License[];
-    ast: {
-      dependencies: Record<string, JSXRay.Dependency>;
-      warnings: JSXRay.Warning<JSXRay.WarningDefault>[];
-    };
-  }
-
-  export interface Options {
-    /**
-     * Maximum tree depth
-     *
-     * @default 4
-     */
-    readonly maxDepth?: number;
-    readonly registry?: string | URL;
-    /**
-     * Use root package-lock.json. This will have the effect of triggering the Arborist package.
-     *
-     * @default false for from() API
-     * @default true  for cwd()  API
-     */
-    readonly usePackageLock?: boolean;
-    /**
-     * Include project devDependencies (only available for cwd command)
-     *
-     * @default false
-     */
-    readonly includeDevDeps?: boolean;
-    /**
-     * Vulnerability strategy name (npm, snyk, node)
-     *
-     * @default NONE
-     */
-    readonly vulnerabilityStrategy: Vuln.Strategy.Kind;
-    /**
-     * Analyze root package.
-     *
-     * @default false for from() API
-     * @default true  for cwd()  API
-     */
-    readonly forceRootAnalysis?: boolean;
-    /**
-     * Deeper dependencies analysis with cwd() API.
-     *
-     * @default false
-     */
-    readonly fullLockMode?: boolean;
-  }
-}

package/types/tarball.d.ts

@@ -1,63 +0,0 @@
-import ntlp from "@nodesecure/ntlp";
-import Locker from "@slimio/lock";
-import { Logger } from "./logger.js";
-
-export = tarball;
-
-declare namespace tarball {
-  export interface ManifestData {
-    /** Dependencies in package.json */
-    packageDeps: string[];
-    /** DevDependencies in package.json */
-    packageDevDeps: string[];
-    /** Does package.json contain a 'gypfile' property ? */
-    packageGyp: boolean;
-  }
-
-  export interface ScannedFileResult {
-    /** Dependencies in try/catch block (probably optional dependencies) */
-    inTryDeps: string[];
-    /** Dependencies required or imported */
-    dependencies: string[];
-    /** Required or imported javascript files */
-    filesDependencies: string[];
-  }
-
-  export interface ScannedPackageResult {
-    files: {
-      /** Complete list of files for the given package */
-      list: string[];
-      /** Complete list of extensions (.js, .md etc.) */
-      extensions: string[];
-      /** List of minified javascript files */
-      minified: string[];
-    };
-    /** Size of the directory in bytes */
-    directorySize: number;
-    /** Unique license contained in the tarball (MIT, ISC ..) */
-    uniqueLicenseIds: string[];
-    /** All licenses with their SPDX */
-    licenses: ntlp.license[];
-    ast: {
-      dependencies: any;
-      warnings: any[];
-    };
-  }
-
-  export interface ScanDirOrArchiveOptions {
-    ref: any;
-    locker: Locker;
-    tmpLocation: string;
-    logger: Logger;
-  }
-
-  export interface ScanFileOptions {
-    name: string;
-    ref: any;
-  }
-
-  export function readManifest(dest: string, ref: any): Promise<ManifestData>;
-  export function scanFile(dest: string, file: string, options: ScanFileOptions): Promise<ScannedFileResult | null>;
-  export function scanPackage(dest: string, packageName?: string): Promise<ScannedPackageResult>;
-  export function scanDirOrArchive(name: string, version: string, options: ScanDirOrArchiveOptions): Promise<void>;
-}

package/types/walker.d.ts

@@ -1,8 +0,0 @@
-import { Manifest } from "@npm/types";
-import Scanner from "./scanner.js";
-
-export {
-  depWalker
-}
-
-declare function depWalker(manifest: Manifest, options?: Scanner.Options): Promise<Scanner.Payload>;