@nodesecure/scanner 6.12.1 → 7.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/comparePayloads.d.ts +2 -2
- package/dist/comparePayloads.d.ts.map +1 -1
- package/dist/comparePayloads.js.map +1 -1
- package/dist/depWalker.d.ts.map +1 -1
- package/dist/depWalker.js +21 -5
- package/dist/depWalker.js.map +1 -1
- package/dist/i18n/english.d.ts +3 -0
- package/dist/i18n/english.js +4 -1
- package/dist/i18n/english.js.map +1 -1
- package/dist/i18n/french.d.ts +3 -0
- package/dist/i18n/french.js +4 -1
- package/dist/i18n/french.js.map +1 -1
- package/dist/registry/NpmRegistryProvider.d.ts +20 -5
- package/dist/registry/NpmRegistryProvider.d.ts.map +1 -1
- package/dist/registry/NpmRegistryProvider.js +72 -8
- package/dist/registry/NpmRegistryProvider.js.map +1 -1
- package/dist/types.d.ts +22 -2
- package/dist/types.d.ts.map +1 -1
- package/dist/utils/warnings.d.ts +2 -2
- package/dist/utils/warnings.d.ts.map +1 -1
- package/dist/utils/warnings.js +17 -2
- package/dist/utils/warnings.js.map +1 -1
- package/package.json +10 -10
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
import type { Warning } from "@nodesecure/js-x-ray";
|
|
2
2
|
import * as Vulnera from "@nodesecure/vulnera";
|
|
3
|
-
import type { Payload, Dependency, DependencyVersion, Publisher, Maintainer, Repository, DependencyLinks } from "./types.js";
|
|
3
|
+
import type { Payload, Dependency, DependencyVersion, Publisher, Maintainer, Repository, DependencyLinks, GlobalWarning } from "./types.js";
|
|
4
4
|
export interface PayloadComparison {
|
|
5
5
|
title: string;
|
|
6
|
-
warnings: ArrayDiff<
|
|
6
|
+
warnings: ArrayDiff<GlobalWarning>;
|
|
7
7
|
scannerVersion: ValueComparison<string>;
|
|
8
8
|
vulnerabilityStrategy: ValueComparison<string>;
|
|
9
9
|
dependencies: DependenciesComparison;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"comparePayloads.d.ts","sourceRoot":"","sources":["../src/comparePayloads.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,KAAK,OAAO,MAAM,qBAAqB,CAAC;AAG/C,OAAO,KAAK,EACV,OAAO,EAEP,UAAU,EACV,iBAAiB,EACjB,SAAS,EACT,UAAU,EACV,UAAU,EACV,eAAe,
|
|
1
|
+
{"version":3,"file":"comparePayloads.d.ts","sourceRoot":"","sources":["../src/comparePayloads.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,KAAK,OAAO,MAAM,qBAAqB,CAAC;AAG/C,OAAO,KAAK,EACV,OAAO,EAEP,UAAU,EACV,iBAAiB,EACjB,SAAS,EACT,UAAU,EACV,UAAU,EACV,eAAe,EACf,aAAa,EACd,MAAM,YAAY,CAAC;AAEpB,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,SAAS,CAAC,aAAa,CAAC,CAAC;IACnC,cAAc,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC;IACxC,qBAAqB,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC;IAC/C,YAAY,EAAE,sBAAsB,CAAC;CACtC;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC;IAC5C,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IAC/B,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;CAClC;AAED,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,SAAS,CAAC,SAAS,CAAC,CAAC;IACjC,WAAW,EAAE,SAAS,CAAC,UAAU,CAAC,CAAC;IACnC,QAAQ,EAAE,wBAAwB,CAAC;IACnC,eAAe,EAAE,SAAS,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;CAC3D;AAED,MAAM,WAAW,wBAAwB;IACvC,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,2BAA2B,CAAC,CAAC;IACnD,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IACtC,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;CACzC;AAED,MAAM,WAAW,2BAA2B;IAC1C,EAAE,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC;IAC5B,IAAI,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC;IAC9B,MAAM,EAAE,oBAAoB,CAAC,MAAM,CAAC,CAAC;IACrC,eAAe,EAAE,eAAe,CAAC,OAAO,CAAC,CAAC;IAC1C,qBAAqB,EAAE,eAAe,CAAC,OAAO,CAAC,CAAC;IAChD,WAAW,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC;IACrC,MAAM,EAAE,eAAe,CAAC,UAAU,CAAC,CAAC;IACpC,OAAO,EAAE,oBAAoB,CAAC,MAAM,CAAC,CAAC;IACtC,UAAU,EAAE,eAAe,CAAC,UAAU,CAAC,CAAC;IACxC,OAAO,EAAE,oBAAoB,CAAC,MAAM,CAAC,CAAC;IACtC,QAAQ,EAAE,SAAS,CAAC,OAAO,CAAC,CAAC;IAC7B,WAAW,EAAE,qBAAqB,CAAC;IACnC,gBAAgB,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;IACpC,KAAK,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;IACzB,KAAK,EAAE,eAAe,CAAC,eAAe,CAAC,CAAC;CACzC;AAED,MAAM,WAAW,oBAAoB,CAAC,CAAC;IACrC,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1C,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACtB,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;CACzB;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,SAAS,CAAC,MAAM,CAAC,CA
AC;IAC5B,mBAAmB,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;IACvC,eAAe,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;IACnC,MAAM,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;IAC1B,OAAO,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;CAC5B;AAED,MAAM,MAAM,eAAe,CAAC,CAAC,IAAI;IAC/B,IAAI,EAAE,CAAC,CAAC;IACR,GAAG,EAAE,CAAC,CAAC;CACR,GAAG,SAAS,CAAC;AAEd,MAAM,WAAW,SAAS,CAAC,CAAC;IAC1B,KAAK,EAAE,CAAC,EAAE,CAAC;IACX,OAAO,EAAE,CAAC,EAAE,CAAC;CACd;AAED,wBAAgB,eAAe,CAC7B,OAAO,EAAE,OAAO,EAChB,eAAe,EAAE,OAAO,GACvB,iBAAiB,CAmCnB;AAiLD,wBAAgB,uBAAuB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EACnE,GAAG,EAAE,MAAM,EACX,QAAQ,GAAE,CAAC,EAAO,EAClB,SAAS,GAAE,CAAC,EAAO,GAClB,SAAS,CAAC,CAAC,CAAC,CAQd"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"comparePayloads.js","sourceRoot":"","sources":["../src/comparePayloads.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,OAAO,MAAM,qBAAqB,CAAC;
|
|
1
|
+
{"version":3,"file":"comparePayloads.js","sourceRoot":"","sources":["../src/comparePayloads.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,OAAO,MAAM,qBAAqB,CAAC;AAoF/C,MAAM,UAAU,eAAe,CAC7B,OAAgB,EAChB,eAAwB;IAExB,IAAI,OAAO,CAAC,EAAE,KAAK,eAAe,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CACb,qDAAqD,OAAO,CAAC,EAAE,GAAG,CACnE,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,CAAC,kBAAkB,KAAK,eAAe,CAAC,kBAAkB,EAAE,CAAC;QACtE,MAAM,IAAI,KAAK,CACb,iDAAiD,OAAO,CAAC,kBAAkB,UAAU,eAAe,CAAC,kBAAkB,GAAG,CAC3H,CAAC;IACJ,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/F,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,YAAY,CAAC,eAAe,CAAC,kBAAkB,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAElH,OAAO;QACL,KAAK,EAAE,IAAI,OAAO,CAAC,kBAAkB,IAAI,YAAY,SAAS,eAAe,CAAC,kBAAkB,IAAI,eAAe,GAAG;QACtH,QAAQ,EAAE,SAAS,CACjB,OAAO,CAAC,QAAQ,EAChB,eAAe,CAAC,QAAQ,CACzB;QACD,cAAc,EAAE,aAAa,CAC3B,OAAO,CAAC,cAAc,EACtB,eAAe,CAAC,cAAc,CAC/B;QACD,qBAAqB,EAAE,aAAa,CAClC,OAAO,CAAC,qBAAqB,EAC7B,eAAe,CAAC,qBAAqB,CACtC;QACD,YAAY,EAAE,mBAAmB,CAC/B,OAAO,CAAC,YAAY,EACpB,eAAe,CAAC,YAAY,CAC7B;KACF,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAC1B,QAAsB,EACtB,SAAuB;IAEvB,MAAM,EACJ,UAAU,EACV,GAAG,YAAY,EAChB,GAAG,gBAAgB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAE1C,MAAM,oBAAoB,GAAG,IAAI,GAAG,EAAE,CAAC;IACvC,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC,IAAI,UAAU,EAAE,CAAC;QACpD,MAAM,IAAI,GAAG;YACX,UAAU,EAAE,uBAAuB,CAAC,MAAM,EAAE,GAAG,CAAC,QAAQ,CAAC,UAAU,EAAE,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC;YACrG,WAAW,EAAE,uBAAuB,CAAC,MAAM,EAAE,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC;YACxG,QAAQ,EAAE,eAAe,CAAC,GAAG,CAAC,QAAQ,EAAE,WAAW,CAAC,QAAQ,CAAC;YAC7D,eAAe,EAAE,uBAAuB,CAAC,IAAI,EAAE,GAAG,CAAC,eAAe,EAAE,WAAW,CAAC,eAAe,CAAC;SACjG,CAAC;QAEF,oBAAoB,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACvC,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,oBAAoB,EAAE,GAAG,YAAY,EAAE,CAAC;AAC7D,CAAC;AAED,SAAS,eAAe,CACtB,QAA2C,EAC3C,SAA4C;IAE5C,MAAM,EAAE,UAAU,EAAE,GAAG,QAAQ,EAAE,GAAG,gBAAgB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAE1E,
MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAuC,CAAC;IACxE,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC,IAAI,UAAU,EAAE,CAAC;QAC5D,MAAM,IAAI,GAAgC;YACxC,EAAE,EAAE,aAAa,CAAC,OAAO,CAAC,EAAE,EAAE,eAAe,CAAC,EAAE,CAAC;YACjD,IAAI,EAAE,aAAa,CAAC,OAAO,CAAC,IAAI,EAAE,eAAe,CAAC,IAAI,CAAC;YACvD,MAAM,EAAE,oBAAoB,CAAC,OAAO,CAAC,MAAM,EAAE,eAAe,CAAC,MAAM,CAAC;YACpE,eAAe,EAAE,aAAa,CAAC,OAAO,CAAC,eAAe,EAAE,eAAe,CAAC,eAAe,CAAC;YACxF,qBAAqB,EAAE,aAAa,CAAC,OAAO,CAAC,qBAAqB,EAAE,eAAe,CAAC,qBAAqB,CAAC;YAC1G,WAAW,EAAE,aAAa,CAAC,OAAO,CAAC,WAAW,EAAE,eAAe,CAAC,WAAW,CAAC;YAC5E,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;YAC1H,aAAa;YACb,OAAO,EAAE,oBAAoB,CAAC,OAAO,CAAC,OAAO,EAAE,eAAe,CAAC,OAAO,CAAC;YACvE,wGAAwG;YACxG,UAAU,EAAE,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,UAAU,EAAE,eAAe,CAAC,UAAU,CAAC;mBAC7E,cAAc,CAAC,KAAK,EAAE,OAAO,CAAC,UAAU,EAAE,eAAe,CAAC,UAAU,CAAC;YAC1E,OAAO,EAAE,oBAAoB,CAAC,OAAO,CAAC,OAAO,EAAE,eAAe,CAAC,OAAO,CAAC;YACvE,QAAQ,EAAE,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,eAAe,CAAC,QAAQ,CAAC;YAC/D,WAAW,EAAE,kBAAkB,CAAC,OAAO,CAAC,WAAW,EAAE,eAAe,CAAC,WAAW,CAAC;YACjF,gBAAgB,EAAE,SAAS,CAAC,OAAO,CAAC,gBAAgB,EAAE,eAAe,CAAC,gBAAgB,CAAC;YACvF,KAAK,EAAE,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,eAAe,CAAC,KAAK,CAAC;YACtD,KAAK,EAAE,aAAa,CAAC,OAAO,CAAC,KAAM,EAAE,eAAe,CAAC,KAAM,CAAC;SAC7D,CAAC;QAEF,gBAAgB,CAAC,GAAG,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;IACnC,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,gBAAgB;QAC1B,GAAG,QAAQ;KACZ,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CACzB,QAA0C,EAC1C,SAA2C;IAE3C,OAAO;QACL,QAAQ,EAAE,SAAS,CAAC,QAAQ,CAAC,QAAQ,EAAE,SAAS,CAAC,QAAQ,CAAC;QAC1D,mBAAmB,EAAE,SAAS,CAAC,QAAQ,CAAC,mBAAmB,EAAE,SAAS,CAAC,mBAAmB,CAAC;QAC3F,eAAe,EAAE,SAAS,CAAC,QAAQ,CAAC,eAAe,EAAE,SAAS,CAAC,eAAe,CAAC;QAC/E,MAAM,EAAE,SAAS,CAAC,QAAQ,CAAC,MAAM,EAAE,SAAS,CAAC,MAAM,CAAC;QACpD,OAAO,EAAE,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,SAAS,CAAC,OAAO,CAAC;KACxD,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB,CAC3B,QAAsB,EACtB,SAAuB;IAEvB,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,EAAE,GAAG,gBAAgB,CAAC,QAAQ,EAAE,SAAS,
CAAC,CAAC;IAEtE,MAAM,QAAQ,GAAG,IAAI,GAAG,EAA8B,CAAC;IACvD,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,IAAI,UAAU,EAAE,CAAC;QAC1D,QAAQ,CAAC,GAAG,CAAC,IAAI,EAAE,aAAa,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED,OAAO;QACL,QAAQ;QACR,GAAG,IAAI;KACR,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CACrB,GAAY,EACZ,WAAc,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EACjC,YAAe,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;IAElC,IAAI,QAAQ,CAAC,GAAG,CAAC,KAAK,SAAS,CAAC,GAAG,CAAC,EAAE,CAAC;QACrC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO;QACL,IAAI,EAAE,QAAQ;QACd,GAAG,EAAE,SAAS;KACf,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CACpB,QAAW,EACX,SAAY;IAEZ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,IAAI,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAAC;YAC3D,OAAO,SAAS,CAAC;QACnB,CAAC;IACH,CAAC;SACI,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAChC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO;QACL,IAAI,EAAE,QAAQ;QACd,GAAG,EAAE,SAAS;KACf,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CACvB,WAA8B,EAAE,EAChC,YAA+B,EAAE;IAEjC,MAAM,KAAK,GAAG,IAAI,GAAG,EAAa,CAAC;IACnC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAa,CAAC;IACrC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAkB,CAAC;IAE7C,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QACpC,IAAI,GAAG,IAAI,SAAS,EAAE,CAAC;YACrB,UAAU,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACvD,CAAC;aACI,CAAC;YACJ,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;QAClC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QACrC,IAAI,CAAC,CAAC,GAAG,IAAI,QAAQ,CAAC,EAAE,CAAC;YACvB,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;QACjC,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC;AACxC,CAAC;AAED,SAAS,SAAS,CAChB,WAAgB,EAAE,EAClB,YAAiB,EAAE;IAEnB,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACtC,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC1B,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;QAED,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3D,CAAC,CAAC,C
AAC;IAEH,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACvC,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC1B,OAAO,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC;QAC5B,CAAC;QAED,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,GAAW,EACX,WAAgB,EAAE,EAClB,YAAiB,EAAE;IAEnB,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;IACzE,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC;IAEvE,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACtE,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAExE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;AAC5B,CAAC"}
|
package/dist/depWalker.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"depWalker.d.ts","sourceRoot":"","sources":["../src/depWalker.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;
|
|
1
|
+
{"version":3,"file":"depWalker.d.ts","sourceRoot":"","sources":["../src/depWalker.ts"],"names":[],"mappings":"AAcA,OAAO,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAC;AAYjG,OAAO,EAAE,MAAM,EAAuB,MAAM,yBAAyB,CAAC;AACtE,OAAO,KAAK,EAKV,OAAO,EACP,OAAO,EACR,MAAM,YAAY,CAAC;AA4CpB,KAAK,aAAa,GAAG,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,GAAG;IAC/C,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF,wBAAsB,SAAS,CAC7B,QAAQ,EAAE,WAAW,GAAG,qBAAqB,GAAG,eAAe,EAC/D,OAAO,EAAE,aAAa,EACtB,MAAM,SAAe,GACpB,OAAO,CAAC,OAAO,CAAC,CAyNlB"}
|
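--- a/package/dist/depWalker.js
+++ b/package/dist/depWalker.js
@@ -59,7 +59,8 @@ import { extractAndResolve, scanDirOrArchive } from "@nodesecure/tarball";
 import * as Vulnera from "@nodesecure/vulnera";
 import { npm } from "@nodesecure/tree-walker";
 import { parseAuthor } from "@nodesecure/utils";
-import { ManifestManager } from "@nodesecure/mama";
+import { ManifestManager, parseNpmSpec } from "@nodesecure/mama";
+import { getNpmRegistryURL } from "@nodesecure/npm-registry-sdk";
 // Import Internal Dependencies
 import { getDependenciesWarnings, addMissingVersionFlags, getUsedDeps, getManifestLinks } from "./utils/index.js";
 import { NpmRegistryProvider } from "./registry/NpmRegistryProvider.js";
@@ -105,6 +106,7 @@ export async function depWalker(manifest, options, logger = new Logger()) {
 try {
 const { scanRootNode = false, includeDevDeps = false, packageLock, maxDepth, location, vulnerabilityStrategy = Vulnera.strategies.NONE, registry } = options;
 const tempDir = __addDisposableResource(env_1, await TempDirectory.create(), true);
+const dependencyConfusionWarnings = [];
 const payload = {
 id: tempDir.id,
 rootDependencyName: manifest.name ?? "workspace",
@@ -143,9 +145,12 @@ export async function depWalker(manifest, options, logger = new Logger()) {
 metadata: structuredClone(kDefaultDependencyMetadata)
 };
 let proceedDependencyScan = true;
+const org = parseNpmSpec(name)?.org;
 if (dependencies.has(name)) {
 const dep = dependencies.get(name);
-operationsQueue.push(new NpmRegistryProvider(name, version
+operationsQueue.push(new NpmRegistryProvider(name, version, {
+registry
+}).enrichDependencyVersion(dep, dependencyConfusionWarnings, org));
 if (version in dep.versions) {
 // The dependency has already entered the analysis
 // This happens if the package is used by multiple packages in the tree
@@ -171,6 +176,11 @@ export async function depWalker(manifest, options, logger = new Logger()) {
 fetchedMetadataPackages.add(name);
 const provider = new NpmRegistryProvider(name, version);
 operationsQueue.push(provider.enrichDependency(logger, dependency));
+if (registry !== getNpmRegistryURL() && org) {
+operationsQueue.push(new NpmRegistryProvider(name, version, {
+registry
+}).enrichScopedDependencyConfusionWarnings(dependencyConfusionWarnings, org));
+}
 }
 const scanDirOptions = {
 ref: dependency.versions[version],
@@ -205,13 +215,19 @@ export async function depWalker(manifest, options, logger = new Logger()) {
 const dependencyVer = dependency.versions[version];
 const isEmptyPackage = dependencyVer.warnings.some((warning) => warning.kind === "empty-package");
 if (isEmptyPackage) {
-globalWarnings.push(
+globalWarnings.push({
+type: "empty-package",
+message: `${packageName}@${version} only contain a package.json file!`
+});
 }
 if (!("integrity" in dependencyVer) || dependencyVer.flags.includes("isGit")) {
 continue;
 }
 if (dependencyVer.integrity !== integrity) {
-globalWarnings.push(
+globalWarnings.push({
+type: "integrity-mismatch",
+message: `${packageName}@${version} manifest & tarball integrity doesn't match!`
+});
 }
 }
 for (const version of Object.entries(dependency.versions)) {
@@ -241,7 +257,7 @@ export async function depWalker(manifest, options, logger = new Logger()) {
 }
 try {
 const { warnings, illuminated } = await getDependenciesWarnings(dependencies, options.highlight?.contacts);
-payload.warnings = globalWarnings.concat(warnings);
+payload.warnings = globalWarnings.concat(dependencyConfusionWarnings).concat(warnings);
 payload.highlighted = {
 contacts: illuminated
 };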
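Review bot: The private-registry guard at new line 179, `if (registry !== getNpmRegistryURL() && org)`, also fires when no registry is configured at all, because `registry` is destructured at line 107 with no default and `undefined !== getNpmRegistryURL()` is always true; a default scan against the public registry would then query the org endpoint for every scoped package and, where the scope is a user scope rather than an npm org, presumably emit a `dependency_confusion_missing_org` warning that does not apply. A plain string comparison also treats `https://registry.npmjs.org` and `https://registry.npmjs.org/` as different registries, so a trailing slash in the caller's option would re-enable the check against the public registry. I would resolve this once before the loop and compare normalized URLs, e.g. `const publicRegistry = getNpmRegistryURL();`, `const isPrivateRegistry = registry !== undefined && new URL(registry).href !== new URL(publicRegistry).href;`, then `if (isPrivateRegistry && org) {`. The `enrichDependencyVersion(dep, dependencyConfusionWarnings, org)` call at lines 151-153 has no such condition and runs for every already-seen dependency regardless of registry; unless the provider guards internally (not visible here), the two sites should agree. depWalker's body starts and ends outside these hunks.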
package/dist/depWalker.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"depWalker.js","sourceRoot":"","sources":["../src/depWalker.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAEvC,kCAAkC;AAClC,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AACtD,OAAO,EACL,iBAAiB,EACjB,gBAAgB,EACjB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,KAAK,OAAO,MAAM,qBAAqB,CAAC;AAC/C,OAAO,EAAE,GAAG,EAAE,MAAM,yBAAyB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;
|
|
1
|
+
{"version":3,"file":"depWalker.js","sourceRoot":"","sources":["../src/depWalker.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAEvC,kCAAkC;AAClC,OAAO,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AACtD,OAAO,EACL,iBAAiB,EACjB,gBAAgB,EACjB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,KAAK,OAAO,MAAM,qBAAqB,CAAC;AAC/C,OAAO,EAAE,GAAG,EAAE,MAAM,yBAAyB,CAAC;AAC9C,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAEjE,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AAEjE,+BAA+B;AAC/B,OAAO,EACL,uBAAuB,EACvB,sBAAsB,EACtB,WAAW,EACX,gBAAgB,EACjB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,mBAAmB,EAAE,MAAM,mCAAmC,CAAC;AACxE,OAAO,EAAE,aAAa,EAAE,MAAM,gCAAgC,CAAC;AAC/D,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAUtE,YAAY;AACZ,MAAM,+BAA+B,GAAG;IACtC,WAAW,EAAE,EAAE;IACf,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,IAAI;IACZ,OAAO,EAAE,EAAE;IACX,OAAO,EAAE,EAAE;IACX,QAAQ,EAAE,EAAE;IACZ,gBAAgB,EAAE,EAAE;IACpB,WAAW,EAAE;QACX,UAAU,EAAE,EAAE;QACd,KAAK,EAAE,EAAE;QACT,QAAQ,EAAE,EAAE;QACZ,MAAM,EAAE,EAAE;QACV,OAAO,EAAE,EAAE;QACX,cAAc,EAAE,EAAE;QAClB,eAAe,EAAE,EAAE;QACnB,mBAAmB,EAAE,EAAE;QACvB,gBAAgB,EAAE,EAAE;KACrB;CACF,CAAC;AACF,MAAM,0BAA0B,GAA2B;IACzD,cAAc,EAAE,CAAC;IACjB,YAAY,EAAE,IAAI,IAAI,EAAE;IACxB,WAAW,EAAE,KAAK;IAClB,gBAAgB,EAAE,KAAK;IACvB,iBAAiB,EAAE,KAAK;IACxB,0BAA0B,EAAE,IAAI;IAChC,QAAQ,EAAE,IAAI;IACd,MAAM,EAAE,IAAI;IACZ,UAAU,EAAE,EAAE;IACd,WAAW,EAAE,EAAE;IACf,SAAS,EAAE,EAAE;CACd,CAAC;AAEF,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,GAAG,IAAI,CAAC,KAAK,CAC5C,YAAY,CACV,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EACzD,OAAO,CACR,CACF,CAAC;AAOF,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,QAA+D,EAC/D,OAAsB,EACtB,MAAM,GAAG,IAAI,MAAM,EAAE;;;QAErB,MAAM,EACJ,YAAY,GAAG,KAAK,EACpB,cAAc,GAAG,KAAK,EACtB,WAAW,EACX,QAAQ,EACR,QAAQ,EACR,qBAAqB,GAAG,OAAO,CAAC,UAAU,CAAC,IAAI,EAC/C,QAAQ,EACT,GAAG,OAAO,CAAC;QAEZ,MAAY,OAAO,kCAAG,MAAM,aAAa,CAAC,MAAM,EAAE,OAAA,CAAC;QAEnD,MAAM,2BA
A2B,GAAiC,EAAE,CAAC;QAErE,MAAM,OAAO,GAAqB;YAChC,EAAE,EAAE,OAAO,CAAC,EAAE;YACd,kBAAkB,EAAE,QAAQ,CAAC,IAAI,IAAI,WAAW;YAChD,cAAc,EAAE,cAAc;YAC9B,qBAAqB;YACrB,QAAQ,EAAE,EAAE;SACb,CAAC;QAEF,MAAM,YAAY,GAA4B,IAAI,GAAG,EAAE,CAAC;QACxD,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC;YACvC,QAAQ;SACT,CAAC,CAAC;QACH,CAAC;YACC,MAAM;iBACH,KAAK,CAAC,mBAAmB,CAAC,QAAQ,CAAC,IAAI,CAAC;iBACxC,KAAK,CAAC,mBAAmB,CAAC,QAAQ,CAAC,OAAO,CAAC;iBAC3C,KAAK,CAAC,mBAAmB,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAChD,MAAM,uBAAuB,GAAG,IAAI,GAAG,EAAU,CAAC;YAClD,MAAM,eAAe,GAAoB,EAAE,CAAC;YAE5C,MAAM,MAAM,GAAG,IAAI,KAAK,CAAC,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC,CAAC;YAC7C,MAAM,CAAC,EAAE,CACP,YAAY,EACZ,GAAG,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,OAAO,CAAC,CACxD,CAAC;YAEF,MAAM,eAAe,GAAoB;gBACvC,QAAQ;gBACR,cAAc;gBACd,WAAW;aACZ,CAAC;YACF,IAAI,KAAK,EAAE,MAAM,OAAO,IAAI,aAAa,CAAC,IAAI,CAAC,QAAQ,EAAE,eAAe,CAAC,EAAE,CAAC;gBAC1E,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,cAAc,EAAE,GAAG,OAAO,CAAC;gBACrD,MAAM,UAAU,GAAe;oBAC7B,QAAQ,EAAE;wBACR,CAAC,OAAO,CAAC,EAAE;4BACT,GAAG,cAAc;4BACjB,GAAG,eAAe,CAAC,+BAA+B,CAAC;yBACpD;qBACF;oBACD,eAAe,EAAE,EAAE;oBACnB,QAAQ,EAAE,eAAe,CAAC,0BAA0B,CAAC;iBACtD,CAAC;gBAEF,IAAI,qBAAqB,GAAG,IAAI,CAAC;gBACjC,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,CAAC,EAAE,GAAG,CAAC;gBACpC,IAAI,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC3B,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,CAAC,IAAI,CAAE,CAAC;oBACpC,eAAe,CAAC,IAAI,CAClB,IAAI,mBAAmB,CAAC,IAAI,EAAE,OAAO,EAAE;wBACrC,QAAQ;qBACT,CAAC,CAAC,uBAAuB,CAAC,GAAG,EAAE,2BAA2B,EAAE,GAAG,CAAC,CAClE,CAAC;oBAEF,IAAI,OAAO,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;wBAC5B,kDAAkD;wBAClD,uEAAuE;wBACvE,qBAAqB,GAAG,KAAK,CAAC;oBAChC,CAAC;yBACI,CAAC;wBACJ,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;oBACvD,CAAC;gBACH,CAAC;qBACI,CAAC;oBACJ,YAAY,CAAC,GAAG,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;gBACrC,CAAC;gBAED,uDAAuD;gBACvD,IAAI,OAAO,CAAC,eAAe,IAAI,CAAC,qBAAqB,EAAE,CAAC;oBACtD,SAAS;gBACX,CAAC;gBAED,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;gBAE/C,6EAA6E;gBAC7E,IAAI,uBAAuB,CAAC,GAAG,CAAC,IAAI,CAAC,IA
AI,CAAC,OAAO,CAAC,qBAAqB,EAAE,CAAC;oBACxE,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;gBACrD,CAAC;qBACI,CAAC;oBACJ,uBAAuB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;oBAClC,MAAM,QAAQ,GAAG,IAAI,mBAAmB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;oBAExD,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC;oBACpE,IAAI,QAAQ,KAAK,iBAAiB,EAAE,IAAI,GAAG,EAAE,CAAC;wBAC5C,eAAe,CAAC,IAAI,CAClB,IAAI,mBAAmB,CAAC,IAAI,EAAE,OAAO,EAAE;4BACrC,QAAQ;yBACT,CAAC,CAAC,uCAAuC,CAAC,2BAA2B,EAAE,GAAG,CAAC,CAC7E,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAED,MAAM,cAAc,GAAG;oBACrB,GAAG,EAAE,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAQ;oBACxC,QAAQ;oBACR,UAAU,EAAE,YAAY,IAAI,IAAI,KAAK,QAAQ,CAAC,IAAI;oBAClD,QAAQ;iBACT,CAAC;gBACF,eAAe,CAAC,IAAI,CAClB,kBAAkB,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,cAAc,CAAC,CACnE,CAAC;YACJ,CAAC;YAED,MAAM,CAAC,GAAG,CAAC,mBAAmB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAC9C,MAAM,OAAO,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC;YAE1C,MAAM;iBACH,GAAG,CAAC,mBAAmB,CAAC,QAAQ,CAAC,OAAO,CAAC;iBACzC,GAAG,CAAC,mBAAmB,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,EAAE,0BAA0B,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC,WAAW,CAClE,qBAAqB,CACtB,CAAC;QAEF,MAAM,gBAAgB,GAAG,CAAC,QAAQ,KAAK,iBAAiB,IAAI,QAAQ,KAAK,MAAM,CAAC;eAC3E,OAAO,QAAQ,KAAK,WAAW,CAAC;QACrC,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,MAAM,0BAA0B,CAAC,YAAmB,EAAE;gBACpD,iBAAiB,EAAE,IAAI;gBACvB,IAAI,EAAE,QAAQ;aACf,CAAC,CAAC;QACL,CAAC;QAED,OAAO,CAAC,qBAAqB,GAAG,QAAQ,CAAC;QAEzC,sFAAsF;QACtF,6EAA6E;QAC7E,MAAM,cAAc,GAAoB,EAAE,CAAC;QAC3C,KAAK,MAAM,CAAC,WAAW,EAAE,UAAU,CAAC,IAAI,YAAY,EAAE,CAAC;YACrD,MAAM,mBAAmB,GAAG,UAAU,CAAC,QAAQ,EAAE,SAAS,IAAI,EAAE,CAAC;YAEjE,KAAK,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,mBAAmB,CAAC,EAAE,CAAC;gBACvE,MAAM,aAAa,GAAG,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAsB,CAAC;gBAExE,MAAM,cAAc,GAAG,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,KAAK,eAAe,CAAC,CAAC;gBAClG,IAAI,cAAc,EAAE,CAAC;oBACnB,cAAc,CAAC,IAAI,CAAC;wBAClB,IAAI,EAAE,eAAe;wBACrB,OAAO,EAAE,GAAG,WAAW,IAAI,OAAO,oCAAoC;qBACvE,CAAC,CAAC;gBACL,CAAC;gBAED,IAAI,CAAC,CAAC,WAAW,IAAI,aAAa,CA
AC,IAAI,aAAa,CAAC,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC7E,SAAS;gBACX,CAAC;gBAED,IAAI,aAAa,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;oBAC1C,cAAc,CAAC,IAAI,CAAC;wBAClB,IAAI,EAAE,oBAAoB;wBAC1B,OAAO,EAAE,GAAG,WAAW,IAAI,OAAO,8CAA8C;qBACjF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YACD,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC1D,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,GAAG,OAAsC,CAAC;gBACvE,aAAa,CAAC,KAAK,CAAC,IAAI,CACtB,GAAG,sBAAsB,CAAC,IAAI,GAAG,CAAC,aAAa,CAAC,KAAK,CAAC,EAAE,UAAU,CAAC,CACpE,CAAC;gBAEF,IAAI,eAAe,CAAC,aAAa,EAAE,QAAQ,EAAE,WAAW,CAAC,EAAE,CAAC;oBAC1D,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE;wBACjC,MAAM,EAAE,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC;wBACpC,QAAQ,EAAE,QAAQ,CAAC,QAAQ;qBAC5B,CAAC,CAAC;oBAEH,MAAM,CAAC,MAAM,CAAC,aAAa,EAAE;wBAC3B,MAAM,EAAE,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC;wBACpC,KAAK,EAAE,gBAAgB,CAAC,QAAQ,CAAC;wBACjC,UAAU,EAAE,QAAQ,CAAC,UAAU;qBAChC,CAAC,CAAC;gBACL,CAAC;gBAED,MAAM,QAAQ,GAAG,aAAa,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,WAAW,IAAI,MAAM,EAAE,CAAC,IAAI,IAAI,GAAG,EAAE,CAAC;gBACzF,IAAI,QAAQ,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;oBACxB,SAAS;gBACX,CAAC;gBAED,MAAM,MAAM,GAA2B,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBAC3D,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACpD,MAAM,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC;gBACzB,CAAC;gBACD,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAC9C,CAAC;QACH,CAAC;QAED,IAAI,CAAC;YACH,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,GAAG,MAAM,uBAAuB,CAC7D,YAAY,EACZ,OAAO,CAAC,SAAS,EAAE,QAAQ,CAC5B,CAAC;YACF,OAAO,CAAC,QAAQ,GAAG,cAAc,CAAC,MAAM,CAAC,2BAA8C,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC1G,OAAO,CAAC,WAAW,GAAG;gBACpB,QAAQ,EAAE,WAAW;aACtB,CAAC;YACF,OAAO,CAAC,YAAY,GAAG,MAAM,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;YAExD,OAAO,OAAkB,CAAC;QAC5B,CAAC;gBACO,CAAC;YACP,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;QACxC,CAAC;;;;;;;;;;;CACF;AAED,sCAAsC;AACtC,KAAK,UAAU,kBAAkB,CAC/B,IAAY,EACZ,OAAe,EACf,MAAa,EACb,OAAsB,EACtB,OAKC;;;QAED,MAAM,CAAC,kCAAG,MAAM,MAAM,CAAC,OAAO,EAAE,QAAA,CAAC;QAEjC,IAAI,CAAC;YACH,MAAM,EACJ,QAAQ,EACR,QAAQ,GAAG,OAAO,CAAC,GAAG,EAAE,
EACxB,UAAU,EACV,GAAG,EACJ,GAAG,OAAO,CAAC;YAEZ,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC;gBAC9B,eAAe,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC;gBAC3C,iBAAiB,CAAC,OAAO,CAAC,QAAQ,EAAE;oBAClC,IAAI,EAAE,GAAG,IAAI,IAAI,OAAO,EAAE;oBAC1B,QAAQ;iBACT,CAAC,CACH,CAAC;YAEF,MAAM,gBAAgB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QACpC,CAAC;QACD,MAAM,CAAC;YACL,SAAS;QACX,CAAC;;;;;;;;;CACF;AAED,SAAS,eAAe,CACtB,aAAgC,EAChC,QAA+D,EAC/D,WAAmB;IAEnB,OAAO,aAAa,CAAC,qBAAqB,KAAK,KAAK,IAAI,CACtD,WAAW,KAAK,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,IAAI,KAAK,SAAS,CAC7D,CAAC;AACJ,CAAC"}
|
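--- a/package/dist/i18n/english.d.ts
+++ b/package/dist/i18n/english.d.ts
@@ -6,5 +6,8 @@ declare namespace scanner {
 let disable_scarf: string;
 let keylogging: string;
 let typo_squatting: (...valeurs: any[]) => string;
+let dependency_confusion: string;
+let dependency_confusion_missing: string;
+let dependency_confusion_missing_org: (...valeurs: any[]) => string;
 }
 //# sourceMappingURL=english.d.ts.map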
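--- a/package/dist/i18n/english.js
+++ b/package/dist/i18n/english.js
@@ -3,7 +3,10 @@ import { taggedString as tS } from "@nodesecure/i18n";
 const scanner = {
 disable_scarf: "This dependency could collect data against your consent so think to disable it with the env var: SCARF_ANALYTICS",
 keylogging: "This dependency can retrieve your keyboard and mouse inputs. It can be used for 'keylogging' attacks/malwares.",
-typo_squatting: tS `The package '${0}' is similar to the following popular packages: ${1}
+typo_squatting: tS `The package '${0}' is similar to the following popular packages: ${1}`,
+dependency_confusion: "This dependency was found on both a public and private registry but its signature does not match",
+dependency_confusion_missing: "This dependency was found on the private but not on the public registry, this dependency is vulnerable to dependency confusion attacks.",
+dependency_confusion_missing_org: tS `The org '${0}' is not claimed on the public registry`
 };
 export default { scanner };
 //# sourceMappingURL=english.js.map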
package/dist/i18n/english.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"english.js","sourceRoot":"","sources":["../../src/i18n/english.js"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,OAAO,EAAE,YAAY,IAAI,EAAE,EAAE,MAAM,kBAAkB,CAAC;AAEtD,MAAM,OAAO,GAAG;IACd,aAAa,EAAE,kHAAkH;IACjI,UAAU,EAAE,gHAAgH;IAC5H,cAAc,EAAE,EAAE,CAAA,gBAAgB,CAAC,mDAAmD,CAAC,EAAE;
|
|
1
|
+
{"version":3,"file":"english.js","sourceRoot":"","sources":["../../src/i18n/english.js"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,OAAO,EAAE,YAAY,IAAI,EAAE,EAAE,MAAM,kBAAkB,CAAC;AAEtD,MAAM,OAAO,GAAG;IACd,aAAa,EAAE,kHAAkH;IACjI,UAAU,EAAE,gHAAgH;IAC5H,cAAc,EAAE,EAAE,CAAA,gBAAgB,CAAC,mDAAmD,CAAC,EAAE;IACzF,oBAAoB,EAAE,kGAAkG;IACxH,4BAA4B,EAAE,yIAAyI;IACvK,gCAAgC,EAAE,EAAE,CAAA,YAAY,CAAC,yCAAyC;CAC3F,CAAC;AAEF,eAAe,EAAE,OAAO,EAAE,CAAC"}
|
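--- a/package/dist/i18n/french.d.ts
+++ b/package/dist/i18n/french.d.ts
@@ -6,5 +6,8 @@ declare namespace scanner {
 let disable_scarf: string;
 let keylogging: string;
 let typo_squatting: (...valeurs: any[]) => string;
+let dependency_confusion: string;
+let dependency_confusion_missing: string;
+let dependency_confusion_missing_org: (...valeurs: any[]) => string;
 }
 //# sourceMappingURL=french.d.ts.map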
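--- a/package/dist/i18n/french.js
+++ b/package/dist/i18n/french.js
@@ -3,7 +3,10 @@ import { taggedString as tS } from "@nodesecure/i18n";
 const scanner = {
 disable_scarf: "Cette dépendance peut récolter des données contre votre volonté, pensez donc à la désactiver en fournissant la variable d'environnement SCARF_ANALYTICS",
 keylogging: "Cette dépendance peut obtenir vos entrées clavier ou de souris. Cette dépendance peut être utilisée en tant que 'keylogging' attacks/malwares.",
-typo_squatting: tS `Le package '${0}' est similaire aux packages populaires suivants : ${1}
+typo_squatting: tS `Le package '${0}' est similaire aux packages populaires suivants : ${1}`,
+dependency_confusion: "Cette dépendance a été trouvée à la fois sur un registre public et privé, mais sa signature ne correspond pas.",
+dependency_confusion_missing: "Cette dépendance a été trouvée seulement sur le registre privé, cette dépendance est vulnérable à une attaque par confusion de dépendance.",
+dependency_confusion_missing_org: tS `L'organisation '${0}' n'est pas revendiquée sur le registre public`
 };
 export default { scanner };
 //# sourceMappingURL=french.js.map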
package/dist/i18n/french.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"french.js","sourceRoot":"","sources":["../../src/i18n/french.js"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,OAAO,EAAE,YAAY,IAAI,EAAE,EAAE,MAAM,kBAAkB,CAAC;AAEtD,MAAM,OAAO,GAAG;IACd,aAAa,EAAE,yJAAyJ;IACxK,UAAU,EAAE,gJAAgJ;IAC5J,cAAc,EAAE,EAAE,CAAA,eAAe,CAAC,sDAAsD,CAAC,EAAE;
|
|
1
|
+
{"version":3,"file":"french.js","sourceRoot":"","sources":["../../src/i18n/french.js"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,OAAO,EAAE,YAAY,IAAI,EAAE,EAAE,MAAM,kBAAkB,CAAC;AAEtD,MAAM,OAAO,GAAG;IACd,aAAa,EAAE,yJAAyJ;IACxK,UAAU,EAAE,gJAAgJ;IAC5J,cAAc,EAAE,EAAE,CAAA,eAAe,CAAC,sDAAsD,CAAC,EAAE;IAC3F,oBAAoB,EAAE,gHAAgH;IACtI,4BAA4B,EAAE,4IAA4I;IAC1K,gCAAgC,EAAE,EAAE,CAAA,mBAAmB,CAAC,gDAAgD;CACzG,CAAC;AAEF,eAAe,EAAE,OAAO,EAAE,CAAC"}
|
|
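--- a/package/dist/registry/NpmRegistryProvider.d.ts
+++ b/package/dist/registry/NpmRegistryProvider.d.ts
@@ -1,14 +1,20 @@
-import
+import * as npmRegistrySDK from "@nodesecure/npm-registry-sdk";
+import type { Packument, PackumentVersion, Signature } from "@nodesecure/npm-types";
 import { type DateProvider } from "./PackumentExtractor.js";
-import type { Dependency } from "../types.js";
+import type { Dependency, DependencyConfusionWarning } from "../types.js";
 import { Logger } from "../class/logger.class.js";
+type PackumentNpmApiOptions = {
+registry: string;
+};
 export interface NpmApiClient {
-packument(name: string): Promise<Packument>;
-packumentVersion(name: string, version: string): Promise<PackumentVersion>;
+packument(name: string, options?: PackumentNpmApiOptions): Promise<Packument>;
+packumentVersion(name: string, version: string, options?: PackumentNpmApiOptions): Promise<PackumentVersion>;
+org(namespace: string): Promise<npmRegistrySDK.NpmPackageOrg>;
 }
 export interface NpmRegistryProviderOptions {
 dateProvider?: DateProvider;
 npmApiClient?: NpmApiClient;
+registry?: string;
 }
 export declare class NpmRegistryProvider {
 #private;
@@ -23,6 +29,13 @@ export declare class NpmRegistryProvider {
 };
 integrity: string;
 deprecated: string | undefined;
+signatures: Signature[] | undefined;
+attestations: {
+url: string;
+provenance: {
+predicateType: string;
+};
+} | undefined;
 }>;
 collectPackageData(): Promise<{
 metadata: {
@@ -49,6 +62,8 @@ export declare class NpmRegistryProvider {
 };
 }>;
 enrichDependency(logger: Logger, dependency: Dependency): Promise<void>;
-enrichDependencyVersion(dependency: Dependency): Promise<void>;
+enrichDependencyVersion(dependency: Dependency, warnings: DependencyConfusionWarning[], org: string | null | undefined): Promise<void>;
+enrichScopedDependencyConfusionWarnings(warnings: DependencyConfusionWarning[], org: string): Promise<void>;
 }
+export {};
 //# sourceMappingURL=NpmRegistryProvider.d.ts.map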
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"NpmRegistryProvider.d.ts","sourceRoot":"","sources":["../../src/registry/NpmRegistryProvider.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"NpmRegistryProvider.d.ts","sourceRoot":"","sources":["../../src/registry/NpmRegistryProvider.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,cAAc,MAAM,8BAA8B,CAAC;AAE/D,OAAO,KAAK,EAAE,SAAS,EAAE,gBAAgB,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAMpF,OAAO,EAAsB,KAAK,YAAY,EAAE,MAAM,yBAAyB,CAAC;AAEhF,OAAO,KAAK,EACV,UAAU,EACV,0BAA0B,EAC3B,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,MAAM,EAAE,MAAM,0BAA0B,CAAC;AAWlD,KAAK,sBAAsB,GAAG;IAC5B,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,WAAW,YAAY;IAC3B,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,sBAAsB,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;IAC9E,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,sBAAsB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAC7G,GAAG,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC,aAAa,CAAC,CAAC;CAC/D;AAED,MAAM,WAAW,0BAA0B;IACzC,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,qBAAa,mBAAmB;;IAK9B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;gBAGd,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE,MAAM,EACf,OAAO,GAAE,0BAA+B;IAgBpC,yBAAyB;;;;;;;;;;;;;;;;IAsBzB,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;IA0BlB,gBAAgB,CACpB,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,IAAI,CAAC;IAoBV,uBAAuB,CAC3B,UAAU,EAAE,UAAU,EACtB,QAAQ,EAAE,0BAA0B,EAAE,EACtC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS;IAqD1B,uCAAuC,CAAC,QAAQ,EAAE,0BAA0B,EAAE,EAAE,GAAG,EAAE,MAAM;CAoBlG"}
|
|
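--- a/package/dist/registry/NpmRegistryProvider.js
+++ b/package/dist/registry/NpmRegistryProvider.js
@@ -1,37 +1,54 @@
+// Import Node.js Dependencies
+import path from "node:path";
 // Import Third-party Dependencies
 import semver from "semver";
 import * as npmRegistrySDK from "@nodesecure/npm-registry-sdk";
 import { packageJSONIntegrityHash } from "@nodesecure/mama";
+import { getNpmRegistryURL } from "@nodesecure/npm-registry-sdk";
+import * as i18n from "@nodesecure/i18n";
+import { isHTTPError } from "@openally/httpie";
 // Import Internal Dependencies
 import { PackumentExtractor } from "./PackumentExtractor.js";
 import { fetchNpmAvatars } from "./fetchNpmAvatars.js";
 import { Logger } from "../class/logger.class.js";
 import { getLinks } from "../utils/getLinks.js";
+import { getDirNameFromUrl } from "../utils/dirname.js";
+// CONSTANTS
+const kNotFoundStatusCode = 404;
+await i18n.extendFromSystemPath(path.join(getDirNameFromUrl(import.meta.url), "..", "i18n"));
 export class NpmRegistryProvider {
 #date;
 #npmApiClient;
+#registry;
 name;
 version;
 constructor(name, version, options = {}) {
-const { dateProvider = undefined, npmApiClient = npmRegistrySDK } = options;
+const { dateProvider = undefined, npmApiClient = npmRegistrySDK, registry = npmRegistrySDK.getLocalRegistryURL() } = options;
 this.name = name;
 this.version = version;
 this.#date = dateProvider;
 this.#npmApiClient = npmApiClient;
+this.#registry = registry;
 }
 async collectPackageVersionData() {
-const packumentVersion = await this.#npmApiClient.packumentVersion(this.name, this.version
+const packumentVersion = await this.#npmApiClient.packumentVersion(this.name, this.version, {
+registry: this.#registry
+});
 const { integrity } = packageJSONIntegrityHash(packumentVersion, {
 isFromRemoteRegistry: true
 });
 return {
 links: getLinks(packumentVersion),
 integrity,
-deprecated: packumentVersion.deprecated
+deprecated: packumentVersion.deprecated,
+signatures: packumentVersion.dist.signatures,
+attestations: packumentVersion.dist.attestations
 };
 }
 async collectPackageData() {
-const packument = await this.#npmApiClient.packument(this.name
+const packument = await this.#npmApiClient.packument(this.name, {
+registry: this.#registry
+});
 const packumentVersion = packument.versions[this.version];
 const metadata = new PackumentExtractor(packument, { dateProvider: this.#date }).getMetadata(this.version);
 const flags = {
@@ -57,24 +74,71 @@ export class NpmRegistryProvider {
 Object.assign(dependencyVersion, version);
 }
 catch {
-//
+// ignored
 }
 finally {
 logger.tick("registry");
 }
 }
-async enrichDependencyVersion(dependency) {
+async enrichDependencyVersion(dependency, warnings, org) {
 try {
-const { integrity, deprecated, links } = await this.collectPackageVersionData();
+const { integrity, deprecated, links, signatures, attestations } = await this.collectPackageVersionData();
 Object.assign(dependency.versions[this.version], {
 links,
-deprecated
+deprecated,
+attestations
 });
 dependency.metadata.integrity[this.version] = integrity;
+if (this.#registry === getNpmRegistryURL()) {
+return;
+}
+try {
+const packumentVersionFromPublicRegistry = await this.#npmApiClient.packumentVersion(this.name, this.version, {
+registry: getNpmRegistryURL()
+});
+if (!this.#hasSameSignatures(signatures, packumentVersionFromPublicRegistry.dist.signatures)) {
+this.#addDependencyConfusionWarning(warnings, await i18n.getToken("scanner.dependency_confusion"));
+}
+}
+catch (err) {
+const isScoped = Boolean(org);
+if (isHTTPError(err) && err.statusCode === kNotFoundStatusCode && !isScoped) {
+this.#addDependencyConfusionWarning(warnings, await i18n.getToken("scanner.dependency_confusion_missing"));
+}
+}
 }
 catch {
 // ignore
 }
 }
+#hasSameSignatures(signatures, signaturesFromPublicRegistry) {
+if (!signatures || !signaturesFromPublicRegistry) {
+return false;
+}
+const sortedSignaturesFromPublic = signaturesFromPublicRegistry.sort((a, b) => a.keyid.localeCompare(b.keyid));
+const sortedSignaturesFromPrivate = signatures.sort((a, b) => a.keyid.localeCompare(b.keyid));
+return sortedSignaturesFromPrivate.length === signaturesFromPublicRegistry.length &&
+sortedSignaturesFromPrivate?.every((signature, index) => signature.keyid === sortedSignaturesFromPublic[index].keyid
+&& signature.sig === sortedSignaturesFromPublic[index].sig);
+}
+async enrichScopedDependencyConfusionWarnings(warnings, org) {
+try {
+await this.#npmApiClient.org(this.name);
+}
+catch (err) {
+if (isHTTPError(err) && err.statusCode === kNotFoundStatusCode) {
+await this.#addDependencyConfusionWarning(warnings, await i18n.getToken("scanner.dependency_confusion_missing_org", org));
+}
+}
+}
+async #addDependencyConfusionWarning(warnings, message) {
+warnings.push({
+type: "dependency-confusion",
+message,
+metadata: {
+name: this.name
+}
+});
+}
 }
 //# sourceMappingURL=NpmRegistryProvider.js.map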
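Review bot: `enrichScopedDependencyConfusionWarnings` calls `this.#npmApiClient.org(this.name)` while its `org` parameter is only used in the warning text; the client declares `org(namespace)`, so passing the full package name there presumably never resolves and every scoped dependency would be reported as an unclaimed organisation — this most likely should read `await this.#npmApiClient.org(org);`. In `enrichDependencyVersion`, `#hasSameSignatures` returns false whenever either side lacks `dist.signatures`, so a private registry that simply does not expose signatures will raise the "signature does not match" warning for every package that also exists publicly; a distinct message for the absent-signature case, or additionally comparing `dist.integrity` of the two packument versions, would make the result less ambiguous. Errors from the public-registry lookup other than a 404 are swallowed by `catch (err)` with no log, so a transient network failure silently disables the confusion check instead of surfacing as an indeterminate result. `#hasSameSignatures` also sorts both input arrays in place and keeps a redundant `?.` on `sortedSignaturesFromPrivate` after the null guard; `[...signatures].sort(...)` on each side leaves the caller's arrays untouched.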
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"NpmRegistryProvider.js","sourceRoot":"","sources":["../../src/registry/NpmRegistryProvider.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,KAAK,cAAc,MAAM,8BAA8B,CAAC;AAC/D,OAAO,EAAE,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;
|
|
1
|
+
{"version":3,"file":"NpmRegistryProvider.js","sourceRoot":"","sources":["../../src/registry/NpmRegistryProvider.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,kCAAkC;AAClC,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,KAAK,cAAc,MAAM,8BAA8B,CAAC;AAC/D,OAAO,EAAE,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;AAE5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,KAAK,IAAI,MAAM,kBAAkB,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAE/C,+BAA+B;AAC/B,OAAO,EAAE,kBAAkB,EAAqB,MAAM,yBAAyB,CAAC;AAChF,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAKvD,OAAO,EAAE,MAAM,EAAE,MAAM,0BAA0B,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAE,MAAM,sBAAsB,CAAC;AAChD,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAExD,YAAY;AACZ,MAAM,mBAAmB,GAAG,GAAG,CAAC;AAEhC,MAAM,IAAI,CAAC,oBAAoB,CAC7B,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,CAC5D,CAAC;AAkBF,MAAM,OAAO,mBAAmB;IAC9B,KAAK,CAA2B;IAChC,aAAa,CAAe;IAC5B,SAAS,CAAS;IAElB,IAAI,CAAS;IACb,OAAO,CAAS;IAEhB,YACE,IAAY,EACZ,OAAe,EACf,UAAsC,EAAE;QAExC,MAAM,EACJ,YAAY,GAAG,SAAS,EACxB,YAAY,GAAG,cAAc,EAC7B,QAAQ,GAAG,cAAc,CAAC,mBAAmB,EAAE,EAChD,GAAG,OAAO,CAAC;QAEZ,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QAEvB,IAAI,CAAC,KAAK,GAAG,YAAY,CAAC;QAC1B,IAAI,CAAC,aAAa,GAAG,YAAY,CAAC;QAClC,IAAI,CAAC,SAAS,GAAG,QAAQ,CAAC;IAC5B,CAAC;IAED,KAAK,CAAC,yBAAyB;QAC7B,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAChE,IAAI,CAAC,IAAI,EACT,IAAI,CAAC,OAAO,EACZ;YACE,QAAQ,EAAE,IAAI,CAAC,SAAS;SACzB,CACF,CAAC;QAEF,MAAM,EAAE,SAAS,EAAE,GAAG,wBAAwB,CAAC,gBAAgB,EAAE;YAC/D,oBAAoB,EAAE,IAAI;SAC3B,CAAC,CAAC;QAEH,OAAO;YACL,KAAK,EAAE,QAAQ,CAAC,gBAAgB,CAAC;YACjC,SAAS;YACT,UAAU,EAAE,gBAAgB,CAAC,UAAU;YACvC,UAAU,EAAE,gBAAgB,CAAC,IAAI,CAAC,UAAU;YAC5C,YAAY,EAAE,gBAAgB,CAAC,IAAI,CAAC,YAAY;SACjD,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,kBAAkB;QACtB,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE;YAC9D,QAAQ,EAAE,IAAI,CAAC,SAAS;SACzB,CAAC,CAAC;QACH,MAAM,gBAAgB,GAAG,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE1D,MAAM,QAAQ,GAAG,IAAI,kBAAkB,CACrC,
SAAS,EACT,EAAE,YAAY,EAAE,IAAI,CAAC,KAAK,EAAE,CAC7B,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE5B,MAAM,KAAK,GAAG;YACZ,UAAU,EAAE,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,WAAW,CAAC;YAC1D,YAAY,EAAE,gBAAgB,CAAC,UAAU;SAC1C,CAAC;QAEF,OAAO;YACL,QAAQ;YACR,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACrD,OAAO,EAAE;gBACP,KAAK,EAAE,QAAQ,CAAC,gBAAgB,CAAC;gBACjC,UAAU,EAAE,gBAAgB,CAAC,UAAU;aACxC;SACF,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,gBAAgB,CACpB,MAAc,EACd,UAAsB;QAEtB,IAAI,CAAC;YACH,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,kBAAkB,EAAE,CAAC;YAErE,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;YAEhC,MAAM,iBAAiB,GAAG,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAE5D,UAAU,CAAC,QAAQ,GAAG,QAAQ,CAAC;YAC/B,iBAAiB,CAAC,KAAK,GAAG,CAAC,GAAG,iBAAiB,CAAC,KAAK,EAAE,GAAG,KAAK,CAAC,CAAC;YACjE,MAAM,CAAC,MAAM,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;QAC5C,CAAC;QACD,MAAM,CAAC;YACL,UAAU;QACZ,CAAC;gBACO,CAAC;YACP,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC1B,CAAC;IACH,CAAC;IAED,KAAK,CAAC,uBAAuB,CAC3B,UAAsB,EACtB,QAAsC,EACtC,GAA8B;QAE9B,IAAI,CAAC;YACH,MAAM,EACJ,SAAS,EAAE,UAAU,EAAE,KAAK,EAC5B,UAAU,EAAE,YAAY,EACzB,GAAG,MAAM,IAAI,CAAC,yBAAyB,EAAE,CAAC;YAE3C,MAAM,CAAC,MAAM,CACX,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EACjC;gBACE,KAAK;gBACL,UAAU;gBACV,YAAY;aACb,CACF,CAAC;YACF,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,SAAS,CAAC;YACxD,IAAI,IAAI,CAAC,SAAS,KAAK,iBAAiB,EAAE,EAAE,CAAC;gBAC3C,OAAO;YACT,CAAC;YACD,IAAI,CAAC;gBACH,MAAM,kCAAkC,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE;oBAC5G,QAAQ,EAAE,iBAAiB,EAAE;iBAC9B,CAAC,CAAC;gBACH,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,UAAU,EAAE,kCAAkC,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;oBAC7F,IAAI,CAAC,8BAA8B,CAAC,QAAQ,EAAE,MAAM,IAAI,CAAC,QAAQ,CAAC,8BAA8B,CAAC,CAAC,CAAC;gBACrG,CAAC;YACH,CAAC;YACD,OAAO,GAAG,EAAE,CAAC;gBACX,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC;gBAC9B,IAAI,WAAW,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,UAAU,KAAK,mBAAmB,IAAI,CAAC,QAAQ,EAAE,CAAC;oBAC5E,IAAI,CAAC,8BAA8B,CAAC,Q
AAQ,EAAE,MAAM,IAAI,CAAC,QAAQ,CAAC,sCAAsC,CAAC,CAAC,CAAC;gBAC7G,CAAC;YACH,CAAC;QACH,CAAC;QACD,MAAM,CAAC;YACL,SAAS;QACX,CAAC;IACH,CAAC;IAED,kBAAkB,CAAC,UAAmC,EAAE,4BAAqD;QAC3G,IAAI,CAAC,UAAU,IAAI,CAAC,4BAA4B,EAAE,CAAC;YACjD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,0BAA0B,GAAG,4BAA4B,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;QAC/G,MAAM,2BAA2B,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC;QAE9F,OAAO,2BAA2B,CAAC,MAAM,KAAK,4BAA4B,CAAC,MAAM;YAC/E,2BAA2B,EAAE,KAAK,CAAC,CAAC,SAAS,EAAE,KAAK,EAAE,EAAE,CAAC,SAAS,CAAC,KAAK,KAAK,0BAA0B,CAAC,KAAK,CAAC,CAAC,KAAK;mBAC/G,SAAS,CAAC,GAAG,KAAK,0BAA0B,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC;IAClE,CAAC;IAED,KAAK,CAAC,uCAAuC,CAAC,QAAsC,EAAE,GAAW;QAC/F,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1C,CAAC;QACD,OAAO,GAAG,EAAE,CAAC;YACX,IAAI,WAAW,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,UAAU,KAAK,mBAAmB,EAAE,CAAC;gBAC/D,MAAM,IAAI,CAAC,8BAA8B,CAAC,QAAQ,EAAE,MAAM,IAAI,CAAC,QAAQ,CAAC,0CAA0C,EAAE,GAAG,CAAC,CAAC,CAAC;YAC5H,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,CAAC,8BAA8B,CAAC,QAAsC,EAAE,OAAe;QAC1F,QAAQ,CAAC,IAAI,CAAC;YACZ,IAAI,EAAE,sBAAsB;YAC5B,OAAO;YACP,QAAQ,EAAE;gBACR,IAAI,EAAE,IAAI,CAAC,IAAI;aAChB;SACF,CAAC,CAAC;IACL,CAAC;CACF"}
|
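--- a/package/dist/types.d.ts
+++ b/package/dist/types.d.ts
@@ -3,7 +3,7 @@ import * as Vulnera from "@nodesecure/vulnera";
 import type { PackageModuleType } from "@nodesecure/mama";
 import type { SpdxFileLicenseConformance } from "@nodesecure/conformance";
 import type { IlluminatedContact } from "@nodesecure/contact";
-import type { Contact } from "@nodesecure/npm-types";
+import type { Contact, Dist } from "@nodesecure/npm-types";
 export type Maintainer = Contact & {
 /**
 * Path to publisher's avatar on "https://www.npmjs.com"
@@ -106,6 +106,7 @@ export interface DependencyVersion {
 integrity?: string;
 links?: DependencyLinks;
 deprecated?: string;
+attestations?: Dist["attestations"];
 }
 export interface Dependency {
 /** NPM Registry metadata */
@@ -146,13 +147,32 @@ export interface Dependency {
 vulnerabilities: Vulnera.StandardVulnerability[];
 }
 export type Dependencies = Record<string, Dependency>;
+export type DependencyConfusionWarning = {
+type: "dependency-confusion";
+message: string;
+metadata: {
+name: string;
+};
+};
+export type GlobalWarning = {
+message: string;
+} & ({
+type: "dangerous-dependency" | "integrity-mismatch" | "empty-package";
+metadata?: Record<string, unknown>;
+} | {
+type: "typo-squatting";
+metadata: {
+name: string;
+similar: string[];
+};
+} | DependencyConfusionWarning);
 export interface Payload {
 /** Payload unique id */
 id: string;
 /** Name of the analyzed package */
 rootDependencyName: string;
 /** Global warnings list */
-warnings:
+warnings: GlobalWarning[];
 highlighted: {
 contacts: IlluminatedContact[];
 };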
package/dist/types.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,KAAK,OAAO,MAAM,qBAAqB,CAAC;AAC/C,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAE1D,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,yBAAyB,CAAC;AAC1E,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAC9D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;
|
|
1
|
+
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AACpD,OAAO,KAAK,OAAO,MAAM,qBAAqB,CAAC;AAC/C,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAE1D,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,yBAAyB,CAAC;AAC1E,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAC9D,OAAO,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,uBAAuB,CAAC;AAE3D,MAAM,MAAM,UAAU,GAAG,OAAO,GAAG;IACjC;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,MAAM,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,GAAG;IAChD;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAChB;;;OAGG;IACH,EAAE,EAAE,MAAM,CAAC;CACZ,CAAC;AAEF,MAAM,WAAW,eAAe;IAC9B,wBAAwB;IACxB,GAAG,EAAE,MAAM,CAAC;IACZ,mBAAmB;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yBAAyB;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,OAAO;IACtB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,iBAAiB;IAChC,qDAAqD;IACrD,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,iBAAiB,CAAC;IACxB,eAAe,EAAE,OAAO,CAAC;IACzB;;;OAGG;IACH,qBAAqB,EAAE,OAAO,CAAC;IAC/B,uCAAuC;IACvC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;IACb,4BAA4B;IAC5B,eAAe,EAAE,MAAM,CAAC;IACxB,0BAA0B;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,iFAAiF;IACjF,MAAM,EAAE,UAAU,GAAG,IAAI,CAAC;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC;;;;OAIG;IACH,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9B,mDAAmD;IACnD,WAAW,EAAE;QACX,8CAA8C;QAC9C,UAAU,EAAE,MAAM,EAAE,CAAC;QACrB,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,wCAAwC;QACxC,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,mBAAmB,EAAE,MAAM,EAAE,CAAC;QAC9B,eAAe,EAAE,MAAM,EAAE,CAAC;QAC1B,gBAAgB,EAAE,MAAM,EAAE,CAAC;QAC3B,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC;IACF;;OAEG;IACH,QAAQ,EAAE,0BAA0B,EAAE,CAAC;IACvC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B;;;;OAIG;IACH,KAAK,EAAE,MAAM,EAAE,CAAC;IA
ChB;;OAEG;IACH,MAAM,EAAE,IAAI,GAAG,MAAM,CAAC;IACtB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,eAAe,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC;CACrC;AAED,MAAM,WAAW,UAAU;IACzB,4BAA4B;IAC5B,QAAQ,EAAE;QACR,0CAA0C;QAC1C,cAAc,EAAE,MAAM,CAAC;QACvB,YAAY,EAAE,IAAI,CAAC;QACnB,0BAA0B;QAC1B,WAAW,EAAE,MAAM,CAAC;QACpB,gBAAgB,EAAE,OAAO,CAAC;QAC1B,iBAAiB,EAAE,OAAO,CAAC;QAC3B,0BAA0B,EAAE,OAAO,CAAC;QACpC,iFAAiF;QACjF,MAAM,EAAE,UAAU,GAAG,IAAI,CAAC;QAC1B,wBAAwB;QACxB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB;;WAEG;QACH,WAAW,EAAE,UAAU,EAAE,CAAC;QAC1B;;WAEG;QACH,UAAU,EAAE,SAAS,EAAE,CAAC;QACxB;;;WAGG;QACH,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACnC,CAAC;IACF,yFAAyF;IACzF,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IAC5C;;;;OAIG;IACH,eAAe,EAAE,OAAO,CAAC,qBAAqB,EAAE,CAAC;CAClD;AAED,MAAM,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;AAEtD,MAAM,MAAM,0BAA0B,GAAG;IACvC,IAAI,EAAE,sBAAsB,CAAC;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE;QACR,IAAI,EAAE,MAAM,CAAC;KACd,CAAC;CACH,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG;IAAE,OAAO,EAAE,MAAM,CAAC;CAAE,GAAG,CACjD;IACE,IAAI,EACA,sBAAsB,GACtB,oBAAoB,GACpB,eAAe,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC,GACD;IACE,IAAI,EAAE,gBAAgB,CAAC;IACvB,QAAQ,EAAE;QACR,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,EAAE,CAAC;KACnB,CAAC;CACH,GAED,0BAA0B,CAAC,CAAC;AAE9B,MAAM,WAAW,OAAO;IACtB,wBAAwB;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,mCAAmC;IACnC,kBAAkB,EAAE,MAAM,CAAC;IAC3B,2BAA2B;IAC3B,QAAQ,EAAE,aAAa,EAAE,CAAC;IAC1B,WAAW,EAAE;QACX,QAAQ,EAAE,kBAAkB,EAAE,CAAC;KAChC,CAAC;IACF,sDAAsD;IACtD,YAAY,EAAE,YAAY,CAAC;IAC3B,yDAAyD;IACzD,cAAc,EAAE,MAAM,CAAC;IACvB,oDAAoD;IACpD,qBAAqB,EAAE,OAAO,CAAC,IAAI,CAAC;CACrC;AAED,MAAM,WAAW,OAAO;IACtB;;;;OAIG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAE3B,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,GAAG,CAAC;IAEjC;;;;;;;OAOG;IACH,WAAW,CAAC,EAAE;QACZ;;;;;WAKG;QACH,aAAa,CAAC,EAAE,OAAO,CAAC;QAExB;;;WAGG;QACH,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;IAEF,SAAS,CAAC,EAAE;QACV,QAAQ,EAAE,OAAO,EAAE,CAAC;KACrB,CAAC;I
AEF;;;;OAIG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,OAAO,CAAC;IAElC;;;;OAIG;IACH,QAAQ,CAAC,qBAAqB,CAAC,EAAE,OAAO,CAAC,IAAI,CAAC;IAE9C;;;;;OAKG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,OAAO,CAAC;CACjC"}
|
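--- a/package/dist/utils/warnings.d.ts
+++ b/package/dist/utils/warnings.d.ts
@@ -1,8 +1,8 @@
 import { type IlluminatedContact } from "@nodesecure/contact";
 import type { Contact } from "@nodesecure/npm-types";
-import type { Dependency } from "../types.js";
+import type { Dependency, GlobalWarning } from "../types.js";
 export interface GetWarningsResult {
-warnings:
+warnings: GlobalWarning[];
 illuminated: IlluminatedContact[];
 }
 export declare function getDependenciesWarnings(dependenciesMap: Map<string, Dependency>, highlightContacts?: Contact[]): Promise<GetWarningsResult>;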
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"warnings.d.ts","sourceRoot":"","sources":["../../src/utils/warnings.ts"],"names":[],"mappings":"AAMA,OAAO,EAEL,KAAK,kBAAkB,EAExB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AAKrD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"warnings.d.ts","sourceRoot":"","sources":["../../src/utils/warnings.ts"],"names":[],"mappings":"AAMA,OAAO,EAEL,KAAK,kBAAkB,EAExB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AAKrD,OAAO,KAAK,EAAE,UAAU,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAoB7D,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,aAAa,EAAE,CAAC;IAC1B,WAAW,EAAE,kBAAkB,EAAE,CAAC;CACnC;AAED,wBAAsB,uBAAuB,CAC3C,eAAe,EAAE,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,EACxC,iBAAiB,GAAE,OAAO,EAAO,GAChC,OAAO,CAAC,iBAAiB,CAAC,CA+D5B"}
|
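--- a/package/dist/utils/warnings.js
+++ b/package/dist/utils/warnings.js
@@ -25,14 +25,29 @@ export async function getDependenciesWarnings(dependenciesMap, highlightContacts
 const topPackages = new TopPackages();
 await topPackages.loadJSON();
 const warnings = vulnerableDependencyNames
-.flatMap((name) =>
+.flatMap((name) => {
+if (!dependenciesMap.has(name)) {
+return [];
+}
+return {
+type: "dangerous-dependency",
+message: `${kDetectedDep(name)} ${kDependencyWarnMessage[name]}`
+};
+});
 const dependencies = Object.create(null);
 for (const [packageName, dependency] of dependenciesMap) {
 const { author, maintainers } = dependency.metadata;
 const similarPackages = topPackages.getSimilarPackages(packageName);
 if (similarPackages.length > 0) {
 const warningMessage = await i18n.getToken("scanner.typo_squatting", packageName, similarPackages.join(", "));
-warnings.push(
+warnings.push({
+type: "typo-squatting",
+message: warningMessage,
+metadata: {
+name: packageName,
+similar: similarPackages
+}
+});
 }
 dependencies[packageName] = {
 maintainers,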
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"warnings.js","sourceRoot":"","sources":["../../src/utils/warnings.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,kCAAkC;AAClC,OAAO,KAAK,IAAI,MAAM,kBAAkB,CAAC;AACzC,OAAO,KAAK,EAAE,MAAM,gBAAgB,CAAC;AACrC,OAAO,EACL,gBAAgB,EAGjB,MAAM,qBAAqB,CAAC;AAG7B,+BAA+B;AAC/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,+BAA+B,CAAC;AAG5D,MAAM,IAAI,CAAC,oBAAoB,CAC7B,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,CAC5D,CAAC;AAEF,YAAY;AACZ,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,CAAA,mBAAmB,CAAC,6CAA6C,CAAC;AACxG,MAAM,2BAA2B,GAAc;IAC7C;QACE,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,yBAAyB;KACjC;CACF,CAAC;AAEF,MAAM,sBAAsB,GAAG;IAC7B,cAAc,EAAE,MAAM,IAAI,CAAC,QAAQ,CAAC,uBAAuB,CAAC;IAC5D,MAAM,EAAE,MAAM,IAAI,CAAC,QAAQ,CAAC,oBAAoB,CAAC;CACzC,CAAC;AAOX,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,eAAwC,EACxC,oBAA+B,EAAE;IAEjC,MAAM,yBAAyB,GAAG,MAAM,CAAC,IAAI,CAC3C,sBAAsB,CAC+B,CAAC;IACxD,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC;IACtC,MAAM,WAAW,CAAC,QAAQ,EAAE,CAAC;IAE7B,MAAM,QAAQ,
|
|
1
|
+
{"version":3,"file":"warnings.js","sourceRoot":"","sources":["../../src/utils/warnings.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,kCAAkC;AAClC,OAAO,KAAK,IAAI,MAAM,kBAAkB,CAAC;AACzC,OAAO,KAAK,EAAE,MAAM,gBAAgB,CAAC;AACrC,OAAO,EACL,gBAAgB,EAGjB,MAAM,qBAAqB,CAAC;AAG7B,+BAA+B;AAC/B,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,+BAA+B,CAAC;AAG5D,MAAM,IAAI,CAAC,oBAAoB,CAC7B,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,CAC5D,CAAC;AAEF,YAAY;AACZ,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,CAAA,mBAAmB,CAAC,6CAA6C,CAAC;AACxG,MAAM,2BAA2B,GAAc;IAC7C;QACE,IAAI,EAAE,OAAO;QACb,KAAK,EAAE,yBAAyB;KACjC;CACF,CAAC;AAEF,MAAM,sBAAsB,GAAG;IAC7B,cAAc,EAAE,MAAM,IAAI,CAAC,QAAQ,CAAC,uBAAuB,CAAC;IAC5D,MAAM,EAAE,MAAM,IAAI,CAAC,QAAQ,CAAC,oBAAoB,CAAC;CACzC,CAAC;AAOX,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,eAAwC,EACxC,oBAA+B,EAAE;IAEjC,MAAM,yBAAyB,GAAG,MAAM,CAAC,IAAI,CAC3C,sBAAsB,CAC+B,CAAC;IACxD,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC;IACtC,MAAM,WAAW,CAAC,QAAQ,EAAE,CAAC;IAE7B,MAAM,QAAQ,GAAoB,yBAAyB;SACxD,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE;QAChB,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,OAAO;YACL,IAAI,EAAE,sBAAsB;YAC5B,OAAO,EAAE,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,sBAAsB,CAAC,IAAI,CAAC,EAAE;SACjE,CAAC;IACJ,CAAC,CAAC,CAAC;IAEL,MAAM,YAAY,GAAoD,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAC1F,KAAK,MAAM,CAAC,WAAW,EAAE,UAAU,CAAC,IAAI,eAAe,EAAE,CAAC;QACxD,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,UAAU,CAAC,QAAQ,CAAC;QACpD,MAAM,eAAe,GAAG,WAAW,CAAC,kBAAkB,CAAC,WAAW,CAAC,CAAC;QACpE,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,QAAQ,CACxC,wBAAwB,EACxB,WAAW,EACX,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAC3B,CAAC;YACF,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,gBAAgB;gBACtB,OAAO,EAAE,cAAc;gBACvB,QAAQ,EAAE;oBACR,IAAI,EAAE,WAAW;oBACjB,OAAO,EAAE,eAAe;iBACzB;aACF,CAAC,CAAC;QACL,CAAC;QAED,YAAY,CAAC,WAAW,CAAC,GAAG;YAC1B,WAAW;YACX,GAAG,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC;SACvC,
CAAC;IACJ,CAAC;IAED,MAAM,cAAc,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,gBAAgB,CAAC;QACrC,SAAS,EAAE;YACT,GAAG,iBAAiB;YACpB,GAAG,CAAC,cAAc,KAAK,IAAI,CAAC,CAAC;gBAC3B,EAAE,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,OAAO,EAAE,SAAS,EAAE,QAAQ,IAAI,EAAE,CAAC,CACzD;YACD,GAAG,2BAA2B;SAC/B;KACF,CAAC,CAAC;IACH,MAAM,EAAE,WAAW,EAAE,GAAG,MAAM,SAAS,CAAC,gBAAgB,CACtD,YAAY,CACb,CAAC;IAEF,OAAO;QACL,QAAQ;QACR,WAAW;KACZ,CAAC;AACJ,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@nodesecure/scanner",
|
|
3
|
-
"version": "
|
|
3
|
+
"version": "7.1.0",
|
|
4
4
|
"description": "A package API to run a static analysis of your module's dependencies.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"exports": "./dist/index.js",
|
|
@@ -12,9 +12,9 @@
|
|
|
12
12
|
"build": "tsc -b & cp -R ./src/data ./dist/data",
|
|
13
13
|
"lint": "eslint src test",
|
|
14
14
|
"prepublishOnly": "npm run build && pkg-ok",
|
|
15
|
-
"test": "npm run test-only",
|
|
15
|
+
"test": "c8 -r html npm run test-only && npm run test-types",
|
|
16
16
|
"test-only": "tsx --test ./test/**/*.spec.ts",
|
|
17
|
-
"
|
|
17
|
+
"test-types": "attw --pack . --profile esm-only"
|
|
18
18
|
},
|
|
19
19
|
"files": [
|
|
20
20
|
"dist"
|
|
@@ -49,25 +49,25 @@
|
|
|
49
49
|
"homepage": "https://github.com/NodeSecure/tree/master/workspaces/scanner#readme",
|
|
50
50
|
"dependencies": {
|
|
51
51
|
"@fastify/deepmerge": "^3.1.0",
|
|
52
|
-
"@nodesecure/conformance": "^1.
|
|
52
|
+
"@nodesecure/conformance": "^1.2.0",
|
|
53
53
|
"@nodesecure/contact": "^3.0.0",
|
|
54
54
|
"@nodesecure/flags": "^3.0.3",
|
|
55
55
|
"@nodesecure/i18n": "^4.0.2",
|
|
56
56
|
"@nodesecure/js-x-ray": "^10.0.0",
|
|
57
|
-
"@nodesecure/mama": "^2.0.
|
|
58
|
-
"@nodesecure/npm-registry-sdk": "^4.
|
|
59
|
-
"@nodesecure/npm-types": "^1.
|
|
57
|
+
"@nodesecure/mama": "^2.0.2",
|
|
58
|
+
"@nodesecure/npm-registry-sdk": "^4.4.0",
|
|
59
|
+
"@nodesecure/npm-types": "^1.3.0",
|
|
60
60
|
"@nodesecure/rc": "^5.0.1",
|
|
61
|
-
"@nodesecure/tarball": "^2.
|
|
61
|
+
"@nodesecure/tarball": "^2.2.0",
|
|
62
62
|
"@nodesecure/tree-walker": "^1.3.1",
|
|
63
63
|
"@nodesecure/utils": "^2.3.0",
|
|
64
64
|
"@nodesecure/vulnera": "^2.0.1",
|
|
65
65
|
"@openally/mutex": "^2.0.0",
|
|
66
66
|
"fastest-levenshtein": "^1.0.16",
|
|
67
|
-
"frequency-set": "^1.0
|
|
67
|
+
"frequency-set": "^2.1.0",
|
|
68
68
|
"pacote": "^21.0.0",
|
|
69
69
|
"semver": "^7.5.4",
|
|
70
|
-
"type-fest": "^
|
|
70
|
+
"type-fest": "^5.0.1"
|
|
71
71
|
},
|
|
72
72
|
"devDependencies": {
|
|
73
73
|
"@types/node": "^24.0.2",
|