@nodesecure/tarball 1.3.0 → 2.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +16 -14
- package/dist/class/NpmTarball.class.d.ts +16 -0
- package/dist/class/NpmTarball.class.d.ts.map +1 -0
- package/dist/class/NpmTarball.class.js +45 -0
- package/dist/class/NpmTarball.class.js.map +1 -0
- package/dist/class/SourceCodeScanner.class.d.ts +56 -0
- package/dist/class/SourceCodeScanner.class.d.ts.map +1 -0
- package/dist/class/SourceCodeScanner.class.js +110 -0
- package/dist/class/SourceCodeScanner.class.js.map +1 -0
- package/dist/index.d.ts +1 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1 -0
- package/dist/index.js.map +1 -1
- package/dist/tarball.d.ts +8 -9
- package/dist/tarball.d.ts.map +1 -1
- package/dist/tarball.js +50 -82
- package/dist/tarball.js.map +1 -1
- package/dist/utils/analyzeDependencies.d.ts.map +1 -1
- package/dist/utils/analyzeDependencies.js +4 -4
- package/dist/utils/analyzeDependencies.js.map +1 -1
- package/dist/utils/index.d.ts +0 -1
- package/dist/utils/index.d.ts.map +1 -1
- package/dist/utils/index.js +0 -1
- package/dist/utils/index.js.map +1 -1
- package/dist/warnings.d.ts +3 -3
- package/dist/warnings.d.ts.map +1 -1
- package/package.json +4 -4
- package/dist/sast/file.d.ts +0 -17
- package/dist/sast/file.d.ts.map +0 -1
- package/dist/sast/file.js +0 -50
- package/dist/sast/file.js.map +0 -1
- package/dist/sast/index.d.ts +0 -2
- package/dist/sast/index.d.ts.map +0 -1
- package/dist/sast/index.js +0 -2
- package/dist/sast/index.js.map +0 -1
- package/dist/utils/getPackageName.d.ts +0 -9
- package/dist/utils/getPackageName.d.ts.map +0 -1
- package/dist/utils/getPackageName.js +0 -16
- package/dist/utils/getPackageName.js.map +0 -1
package/README.md
CHANGED
|
@@ -35,23 +35,21 @@ console.log(scanResult);
|
|
|
35
35
|
|
|
36
36
|
## API
|
|
37
37
|
|
|
38
|
-
|
|
38
|
+
- [SourceCode](./docs/SourceCode.md)
|
|
39
|
+
- [NpmTarball](./docs/NpmTarball.md)
|
|
39
40
|
|
|
40
|
-
|
|
41
|
+
---
|
|
41
42
|
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
tmpLocation?: null | string;
|
|
47
|
-
locker: Locker;
|
|
48
|
-
registry: string;
|
|
49
|
-
}
|
|
50
|
-
```
|
|
43
|
+
> [!CAUTION]
|
|
44
|
+
> The following APIs are considered legacy and are waiting for deprecation in future releases.
|
|
45
|
+
|
|
46
|
+
### scanDirOrArchive(locationOrManifest: string | ManifestManager, ref: DependencyRef): Promise< void >
|
|
51
47
|
|
|
52
|
-
|
|
48
|
+
Scan a given local project or tarball (by providing the path or directly the ManifestManager instance).
|
|
53
49
|
|
|
54
|
-
|
|
50
|
+
### scanPackage(manifestOrLocation: string | ManifestManager): Promise< ScannedPackageResult >
|
|
51
|
+
|
|
52
|
+
Scan a given local project containing a Manifest (package.json).
|
|
55
53
|
|
|
56
54
|
```ts
|
|
57
55
|
interface ScannedPackageResult {
|
|
@@ -68,7 +66,7 @@ interface ScannedPackageResult {
|
|
|
68
66
|
/** Unique license contained in the tarball (MIT, ISC ..) */
|
|
69
67
|
uniqueLicenseIds: string[];
|
|
70
68
|
/** All licenses with their SPDX */
|
|
71
|
-
licenses:
|
|
69
|
+
licenses: conformance.SpdxFileLicenseConformance[];
|
|
72
70
|
ast: {
|
|
73
71
|
dependencies: Record<string, Record<string, Dependency>>;
|
|
74
72
|
warnings: Warning[];
|
|
@@ -76,5 +74,9 @@ interface ScannedPackageResult {
|
|
|
76
74
|
}
|
|
77
75
|
```
|
|
78
76
|
|
|
77
|
+
### extractAndResolve(location: string, options: TarballResolutionOptions): Promise< ManifestManager >
|
|
78
|
+
|
|
79
|
+
Extract a given remote package.
|
|
80
|
+
|
|
79
81
|
## License
|
|
80
82
|
MIT
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
import * as conformance from "@nodesecure/conformance";
|
|
2
|
+
import { ManifestManager, type LocatedManifestManager } from "@nodesecure/mama";
|
|
3
|
+
import { SourceCodeReport } from "./SourceCodeScanner.class.js";
|
|
4
|
+
import { type TarballComposition } from "../utils/index.js";
|
|
5
|
+
export interface ScannedFilesResult {
|
|
6
|
+
composition: TarballComposition;
|
|
7
|
+
conformance: conformance.SpdxExtractedResult;
|
|
8
|
+
code: SourceCodeReport;
|
|
9
|
+
}
|
|
10
|
+
export declare class NpmTarball {
|
|
11
|
+
static JS_EXTENSIONS: Set<string>;
|
|
12
|
+
manifest: LocatedManifestManager;
|
|
13
|
+
constructor(mama: ManifestManager);
|
|
14
|
+
scanFiles(): Promise<ScannedFilesResult>;
|
|
15
|
+
}
|
|
16
|
+
//# sourceMappingURL=NpmTarball.class.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"NpmTarball.class.d.ts","sourceRoot":"","sources":["../../src/class/NpmTarball.class.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,WAAW,MAAM,yBAAyB,CAAC;AACvD,OAAO,EACL,eAAe,EACf,KAAK,sBAAsB,EAC5B,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EACL,gBAAgB,EAEjB,MAAM,8BAA8B,CAAC;AACtC,OAAO,EAEL,KAAK,kBAAkB,EACxB,MAAM,mBAAmB,CAAC;AAE3B,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,kBAAkB,CAAC;IAChC,WAAW,EAAE,WAAW,CAAC,mBAAmB,CAAC;IAC7C,IAAI,EAAE,gBAAgB,CAAC;CACxB;AAED,qBAAa,UAAU;IACrB,MAAM,CAAC,aAAa,cAAoC;IAExD,QAAQ,EAAE,sBAAsB,CAAC;gBAG/B,IAAI,EAAE,eAAe;IASjB,SAAS,IAAI,OAAO,CAAC,kBAAkB,CAAC;CAuB/C"}
|
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
// Import Node.js Dependencies
|
|
2
|
+
import path from "node:path";
|
|
3
|
+
// Import Third-party Dependencies
|
|
4
|
+
import * as conformance from "@nodesecure/conformance";
|
|
5
|
+
import { ManifestManager } from "@nodesecure/mama";
|
|
6
|
+
// Import Internal Dependencies
|
|
7
|
+
import { SourceCodeReport, SourceCodeScanner } from "./SourceCodeScanner.class.js";
|
|
8
|
+
import { getTarballComposition } from "../utils/index.js";
|
|
9
|
+
export class NpmTarball {
|
|
10
|
+
static JS_EXTENSIONS = new Set([".js", ".mjs", ".cjs"]);
|
|
11
|
+
manifest;
|
|
12
|
+
constructor(mama) {
|
|
13
|
+
if (!ManifestManager.isLocated(mama)) {
|
|
14
|
+
throw new Error("ManifestManager must have a location");
|
|
15
|
+
}
|
|
16
|
+
this.manifest = mama;
|
|
17
|
+
}
|
|
18
|
+
async scanFiles() {
|
|
19
|
+
const location = this.manifest.location;
|
|
20
|
+
const [composition, spdx] = await Promise.all([
|
|
21
|
+
getTarballComposition(location),
|
|
22
|
+
conformance.extractLicenses(location)
|
|
23
|
+
]);
|
|
24
|
+
const code = await new SourceCodeScanner(this.manifest).iterate({
|
|
25
|
+
manifest: [...this.manifest.getEntryFiles()]
|
|
26
|
+
.flatMap(filterJavaScriptFiles()),
|
|
27
|
+
javascript: composition.files
|
|
28
|
+
.flatMap(filterJavaScriptFiles())
|
|
29
|
+
});
|
|
30
|
+
return {
|
|
31
|
+
conformance: spdx,
|
|
32
|
+
composition,
|
|
33
|
+
code
|
|
34
|
+
};
|
|
35
|
+
}
|
|
36
|
+
}
|
|
37
|
+
function filterJavaScriptFiles() {
|
|
38
|
+
return (file) => {
|
|
39
|
+
if (NpmTarball.JS_EXTENSIONS.has(path.extname(file))) {
|
|
40
|
+
return file;
|
|
41
|
+
}
|
|
42
|
+
return [];
|
|
43
|
+
};
|
|
44
|
+
}
|
|
45
|
+
//# sourceMappingURL=NpmTarball.class.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"NpmTarball.class.js","sourceRoot":"","sources":["../../src/class/NpmTarball.class.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,kCAAkC;AAClC,OAAO,KAAK,WAAW,MAAM,yBAAyB,CAAC;AACvD,OAAO,EACL,eAAe,EAEhB,MAAM,kBAAkB,CAAC;AAE1B,+BAA+B;AAC/B,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EAClB,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,qBAAqB,EAEtB,MAAM,mBAAmB,CAAC;AAQ3B,MAAM,OAAO,UAAU;IACrB,MAAM,CAAC,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;IAExD,QAAQ,CAAyB;IAEjC,YACE,IAAqB;QAErB,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;QAC1D,CAAC;QAED,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,SAAS;QACb,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACxC,MAAM,CACJ,WAAW,EACX,IAAI,CACL,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACpB,qBAAqB,CAAC,QAAQ,CAAC;YAC/B,WAAW,CAAC,eAAe,CAAC,QAAQ,CAAC;SACtC,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,MAAM,IAAI,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC;YAC9D,QAAQ,EAAE,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC;iBACzC,OAAO,CAAC,qBAAqB,EAAE,CAAC;YACnC,UAAU,EAAE,WAAW,CAAC,KAAK;iBAC1B,OAAO,CAAC,qBAAqB,EAAE,CAAC;SACpC,CAAC,CAAC;QAEH,OAAO;YACL,WAAW,EAAE,IAAI;YACjB,WAAW;YACX,IAAI;SACL,CAAC;IACJ,CAAC;;AAGH,SAAS,qBAAqB;IAC5B,OAAO,CAAC,IAAY,EAAE,EAAE;QACtB,IAAI,UAAU,CAAC,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YACrD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,EAAE,CAAC;IACZ,CAAC,CAAC;AACJ,CAAC"}
|
|
@@ -0,0 +1,56 @@
|
|
|
1
|
+
import { type Warning, type Dependency, type ReportOnFile } from "@nodesecure/js-x-ray";
|
|
2
|
+
import { ManifestManager, type LocatedManifestManager } from "@nodesecure/mama";
|
|
3
|
+
export interface SourceCodeAggregator {
|
|
4
|
+
readonly consumed: boolean;
|
|
5
|
+
push(report: ReportOnFile & {
|
|
6
|
+
file: string;
|
|
7
|
+
}): void;
|
|
8
|
+
}
|
|
9
|
+
export interface SourceCodeEntries {
|
|
10
|
+
/**
|
|
11
|
+
* Source files from package.json
|
|
12
|
+
*/
|
|
13
|
+
manifest: string[];
|
|
14
|
+
/**
|
|
15
|
+
* All JavaScript source files from tarball
|
|
16
|
+
*/
|
|
17
|
+
javascript: string[];
|
|
18
|
+
}
|
|
19
|
+
export declare class SourceCodeReport implements SourceCodeAggregator {
|
|
20
|
+
#private;
|
|
21
|
+
warnings: Warning[];
|
|
22
|
+
dependencies: Record<string, Record<string, Dependency>>;
|
|
23
|
+
minified: string[];
|
|
24
|
+
flags: {
|
|
25
|
+
hasExternalCapacity: boolean;
|
|
26
|
+
};
|
|
27
|
+
get consumed(): boolean;
|
|
28
|
+
push(report: ReportOnFile & {
|
|
29
|
+
file: string;
|
|
30
|
+
}): void;
|
|
31
|
+
groupAndAnalyseDependencies(mama: ManifestManager): {
|
|
32
|
+
files: Set<string>;
|
|
33
|
+
dependenciesInTryBlock: string[];
|
|
34
|
+
dependencies: {
|
|
35
|
+
nodejs: string[];
|
|
36
|
+
subpathImports: Record<string, string>;
|
|
37
|
+
thirdparty: string[];
|
|
38
|
+
missing: string[];
|
|
39
|
+
unused: string[];
|
|
40
|
+
};
|
|
41
|
+
flags: {
|
|
42
|
+
hasExternalCapacity: boolean;
|
|
43
|
+
hasMissingOrUnusedDependency: boolean;
|
|
44
|
+
};
|
|
45
|
+
};
|
|
46
|
+
}
|
|
47
|
+
export interface SourceCodeScannerOptions<T> {
|
|
48
|
+
reportInitiator?: () => T;
|
|
49
|
+
}
|
|
50
|
+
export declare class SourceCodeScanner<T extends SourceCodeAggregator = SourceCodeReport> {
|
|
51
|
+
#private;
|
|
52
|
+
manifest: LocatedManifestManager;
|
|
53
|
+
constructor(manifest: LocatedManifestManager, options?: SourceCodeScannerOptions<T>);
|
|
54
|
+
iterate(entries: SourceCodeEntries): Promise<T>;
|
|
55
|
+
}
|
|
56
|
+
//# sourceMappingURL=SourceCodeScanner.class.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"SourceCodeScanner.class.d.ts","sourceRoot":"","sources":["../../src/class/SourceCodeScanner.class.ts"],"names":[],"mappings":"AAIA,OAAO,EAGL,KAAK,OAAO,EACZ,KAAK,UAAU,EACf,KAAK,YAAY,EAClB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,eAAe,EACf,KAAK,sBAAsB,EAC5B,MAAM,kBAAkB,CAAC;AAQ1B,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAE3B,IAAI,CAAC,MAAM,EAAE,YAAY,GAAG;QAAE,IAAI,EAAE,MAAM,CAAC;KAAE,GAAG,IAAI,CAAC;CACtD;AAED,MAAM,WAAW,iBAAiB;IAChC;;OAEG;IACH,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB;;OAEG;IACH,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAED,qBAAa,gBAAiB,YAAW,oBAAoB;;IAG3D,QAAQ,EAAE,OAAO,EAAE,CAAM;IACzB,YAAY,EAAE,MAAM,CAClB,MAAM,EACN,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAC3B,CAAuB;IACxB,QAAQ,EAAE,MAAM,EAAE,CAAM;IACxB,KAAK;;MAEH;IAEF,IAAI,QAAQ,YAEX;IAED,IAAI,CACF,MAAM,EAAE,YAAY,GAAG;QAAE,IAAI,EAAE,MAAM,CAAC;KAAE;IAoB1C,2BAA2B,CACzB,IAAI,EAAE,eAAe;;;;;;;;;;;;;;;CA6CxB;AAED,MAAM,WAAW,wBAAwB,CAAC,CAAC;IACzC,eAAe,CAAC,EAAE,MAAM,CAAC,CAAC;CAC3B;AAED,qBAAa,iBAAiB,CAC5B,CAAC,SAAS,oBAAoB,GAAG,gBAAgB;;IAKjD,QAAQ,EAAE,sBAAsB,CAAC;gBAG/B,QAAQ,EAAE,sBAAsB,EAChC,OAAO,GAAE,wBAAwB,CAAC,CAAC,CAAM;IAUrC,OAAO,CACX,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,CAAC,CAAC;CAoEd"}
|
|
@@ -0,0 +1,110 @@
|
|
|
1
|
+
// Import Node.js Dependencies
|
|
2
|
+
import path from "node:path";
|
|
3
|
+
// Import Third-party Dependencies
|
|
4
|
+
import { EntryFilesAnalyser, AstAnalyser } from "@nodesecure/js-x-ray";
|
|
5
|
+
import { ManifestManager } from "@nodesecure/mama";
|
|
6
|
+
// Import Internal Dependencies
|
|
7
|
+
import { filterDependencyKind, analyzeDependencies } from "../utils/index.js";
|
|
8
|
+
export class SourceCodeReport {
|
|
9
|
+
#isConsumed = false;
|
|
10
|
+
warnings = [];
|
|
11
|
+
dependencies = Object.create(null);
|
|
12
|
+
minified = [];
|
|
13
|
+
flags = {
|
|
14
|
+
hasExternalCapacity: false
|
|
15
|
+
};
|
|
16
|
+
get consumed() {
|
|
17
|
+
return this.#isConsumed;
|
|
18
|
+
}
|
|
19
|
+
push(report) {
|
|
20
|
+
this.#isConsumed = true;
|
|
21
|
+
this.warnings.push(...report.warnings.map((warning) => {
|
|
22
|
+
return { ...warning, file: report.file };
|
|
23
|
+
}));
|
|
24
|
+
if (report.ok) {
|
|
25
|
+
if (report.flags.has("fetch")) {
|
|
26
|
+
this.flags.hasExternalCapacity = true;
|
|
27
|
+
}
|
|
28
|
+
this.dependencies[report.file] = Object.fromEntries(report.dependencies);
|
|
29
|
+
report.flags.has("is-minified") && this.minified.push(report.file);
|
|
30
|
+
}
|
|
31
|
+
}
|
|
32
|
+
groupAndAnalyseDependencies(mama) {
|
|
33
|
+
const files = new Set();
|
|
34
|
+
const dependencies = new Set();
|
|
35
|
+
const dependenciesInTryBlock = new Set();
|
|
36
|
+
for (const [file, fileDeps] of Object.entries(this.dependencies)) {
|
|
37
|
+
const filtered = filterDependencyKind([...Object.keys(fileDeps)], path.dirname(file));
|
|
38
|
+
[...Object.entries(fileDeps)]
|
|
39
|
+
.flatMap(([name, dependency]) => (dependency.inTry ? [name] : []))
|
|
40
|
+
.forEach((name) => dependenciesInTryBlock.add(name));
|
|
41
|
+
filtered.packages.forEach((name) => dependencies.add(name));
|
|
42
|
+
filtered.files.forEach((file) => files.add(file));
|
|
43
|
+
}
|
|
44
|
+
const { nodeDependencies, thirdPartyDependencies, subpathImportsDependencies, missingDependencies, unusedDependencies, flags } = analyzeDependencies([...dependencies], { mama, tryDependencies: dependenciesInTryBlock });
|
|
45
|
+
return {
|
|
46
|
+
files,
|
|
47
|
+
dependenciesInTryBlock: [...dependenciesInTryBlock],
|
|
48
|
+
dependencies: {
|
|
49
|
+
nodejs: nodeDependencies,
|
|
50
|
+
subpathImports: subpathImportsDependencies,
|
|
51
|
+
thirdparty: thirdPartyDependencies,
|
|
52
|
+
missing: missingDependencies,
|
|
53
|
+
unused: unusedDependencies
|
|
54
|
+
},
|
|
55
|
+
flags
|
|
56
|
+
};
|
|
57
|
+
}
|
|
58
|
+
}
|
|
59
|
+
export class SourceCodeScanner {
|
|
60
|
+
#astAnalyser = new AstAnalyser();
|
|
61
|
+
#initNewReport;
|
|
62
|
+
manifest;
|
|
63
|
+
constructor(manifest, options = {}) {
|
|
64
|
+
const { reportInitiator = () => new SourceCodeReport() } = options;
|
|
65
|
+
this.manifest = manifest;
|
|
66
|
+
this.#initNewReport = reportInitiator;
|
|
67
|
+
}
|
|
68
|
+
async iterate(entries) {
|
|
69
|
+
if (entries.manifest.length === 0 &&
|
|
70
|
+
entries.javascript.length === 0) {
|
|
71
|
+
throw new Error("You must provide at least one file either in manifest or javascript");
|
|
72
|
+
}
|
|
73
|
+
return entries.manifest.length > 0 ?
|
|
74
|
+
this.#iterateWithEntries(entries) :
|
|
75
|
+
this.#iterateAll(entries.javascript);
|
|
76
|
+
}
|
|
77
|
+
async #iterateWithEntries(entries) {
|
|
78
|
+
const report = this.#initNewReport();
|
|
79
|
+
const { location } = this.manifest;
|
|
80
|
+
const efa = new EntryFilesAnalyser({
|
|
81
|
+
astAnalyzer: this.#astAnalyser,
|
|
82
|
+
rootPath: location,
|
|
83
|
+
ignoreENOENT: true
|
|
84
|
+
});
|
|
85
|
+
const absoluteEntryFiles = entries.manifest.map((filePath) => path.join(location, filePath));
|
|
86
|
+
for await (const fileReport of efa.analyse(absoluteEntryFiles)) {
|
|
87
|
+
report.push(fileReport);
|
|
88
|
+
}
|
|
89
|
+
return report.consumed ?
|
|
90
|
+
report :
|
|
91
|
+
this.#iterateAll(entries.javascript);
|
|
92
|
+
}
|
|
93
|
+
async #iterateAll(sourceFiles) {
|
|
94
|
+
if (sourceFiles.length === 0) {
|
|
95
|
+
throw new Error("You must provide at least one javascript source file");
|
|
96
|
+
}
|
|
97
|
+
const { location, document: { name: packageName, type } } = this.manifest;
|
|
98
|
+
const report = this.#initNewReport();
|
|
99
|
+
await Promise.allSettled(sourceFiles.map(async (relativeFile) => {
|
|
100
|
+
const filePath = path.join(location, relativeFile);
|
|
101
|
+
const fileReport = await this.#astAnalyser.analyseFile(filePath, {
|
|
102
|
+
packageName,
|
|
103
|
+
module: type === "module"
|
|
104
|
+
});
|
|
105
|
+
report.push({ ...fileReport, file: relativeFile });
|
|
106
|
+
}));
|
|
107
|
+
return report;
|
|
108
|
+
}
|
|
109
|
+
}
|
|
110
|
+
//# sourceMappingURL=SourceCodeScanner.class.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"SourceCodeScanner.class.js","sourceRoot":"","sources":["../../src/class/SourceCodeScanner.class.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,kCAAkC;AAClC,OAAO,EACL,kBAAkB,EAClB,WAAW,EAIZ,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,eAAe,EAEhB,MAAM,kBAAkB,CAAC;AAE1B,+BAA+B;AAC/B,OAAO,EACL,oBAAoB,EACpB,mBAAmB,EACpB,MAAM,mBAAmB,CAAC;AAmB3B,MAAM,OAAO,gBAAgB;IAC3B,WAAW,GAAG,KAAK,CAAC;IAEpB,QAAQ,GAAc,EAAE,CAAC;IACzB,YAAY,GAGR,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACxB,QAAQ,GAAa,EAAE,CAAC;IACxB,KAAK,GAAG;QACN,mBAAmB,EAAE,KAAK;KAC3B,CAAC;IAEF,IAAI,QAAQ;QACV,OAAO,IAAI,CAAC,WAAW,CAAC;IAC1B,CAAC;IAED,IAAI,CACF,MAAwC;QAExC,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;QACxB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAChB,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE;YACjC,OAAO,EAAE,GAAG,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC;QAC3C,CAAC,CAAC,CACH,CAAC;QAEF,IAAI,MAAM,CAAC,EAAE,EAAE,CAAC;YACd,IAAI,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC9B,IAAI,CAAC,KAAK,CAAC,mBAAmB,GAAG,IAAI,CAAC;YACxC,CAAC;YACD,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,WAAW,CACjD,MAAM,CAAC,YAAY,CACpB,CAAC;YACF,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;IAED,2BAA2B,CACzB,IAAqB;QAErB,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;QAChC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;QACvC,MAAM,sBAAsB,GAAG,IAAI,GAAG,EAAU,CAAC;QAEjD,KAAK,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YACjE,MAAM,QAAQ,GAAG,oBAAoB,CACnC,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAC1B,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CACnB,CAAC;YAEF,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;iBAC1B,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,UAAU,CAAC,EAAE,EAAE,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;iBACjE,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,sBAAsB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;YAEvD,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;YAC5D,QAAQ,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;QACpD,CAAC;QAED,MAAM,EACJ,gBAAgB,EAChB,sBAAsB,EACtB,0BAA0B,EAC1B,mBAAmB,EACnB,kBAAkB,EAClB,KAAK,EACN,GAAG,mBAAmB,CACrB,CAAC,GAAG,YAAY,CAAC,EACjB,EAAE,IAAI,EAAE,eAAe,EAAE,sBAAsB,EAAE,CAClD,CAAC;QAEF,OAAO;YACL,KAAK;YACL,sBAAsB,EAAE,CAAC,GAAG,sBAAsB,CAAC;YACnD,YAAY,EAAE;gBACZ,MAAM,EAAE,gBAAgB;gBACxB,cAAc,EAAE,0BAA0B;gBAC1C,UAAU,EAAE,sBAAsB;gBAClC,OAAO,EAAE,mBAAmB;gBAC5B,MAAM,EAAE,kBAAkB;aAC3B;YACD,KAAK;SACN,CAAC;IACJ,CAAC;CACF;AAMD,MAAM,OAAO,iBAAiB;IAG5B,YAAY,GAAG,IAAI,WAAW,EAAE,CAAC;IACjC,cAAc,CAAU;IAExB,QAAQ,CAAyB;IAEjC,YACE,QAAgC,EAChC,UAAuC,EAAE;QAEzC,MAAM,EACJ,eAAe,GAAG,GAAG,EAAE,CAAC,IAAI,gBAAgB,EAAE,EAC/C,GAAG,OAAO,CAAC;QAEZ,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,cAAc,GAAG,eAA0B,CAAC;IACnD,CAAC;IAED,KAAK,CAAC,OAAO,CACX,OAA0B;QAE1B,IACE,OAAO,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;YAC7B,OAAO,CAAC,UAAU,CAAC,MAAM,KAAK,CAAC,EAC/B,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,qEAAqE,CAAC,CAAC;QACzF,CAAC;QAED,OAAO,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YAClC,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,CAAC,CAAC;YACnC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,mBAAmB,CACvB,OAA0B;QAE1B,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;QACrC,MAAM,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAEnC,MAAM,GAAG,GAAG,IAAI,kBAAkB,CAAC;YACjC,WAAW,EAAE,IAAI,CAAC,YAAY;YAC9B,QAAQ,EAAE,QAAQ;YAClB,YAAY,EAAE,IAAI;SACnB,CAAC,CAAC;QAEH,MAAM,kBAAkB,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,CAC7C,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAC5C,CAAC;QAEF,IAAI,KAAK,EAAE,MAAM,UAAU,IAAI,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC/D,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC1B,CAAC;QAED,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC;YACtB,MAAM,CAAC,CAAC;YACR,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,WAAW,CACf,WAAqB;QAErB,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;QAC1E,CAAC;QAED,MAAM,EACJ,QAAQ,EACR,QAAQ,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,EACtC,GAAG,IAAI,CAAC,QAAQ,CAAC;QAClB,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;QAErC,MAAM,OAAO,CAAC,UAAU,CACtB,WAAW,CAAC,GAAG,CAAC,KAAK,EAAC,YAAY,EAAE,EAAE;YACpC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;YACnD,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,WAAW,CACpD,QAAQ,EACR;gBACE,WAAW;gBACX,MAAM,EAAE,IAAI,KAAK,QAAQ;aAC1B,CACF,CAAC;YAEF,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,UAAU,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC,CAAC;QACrD,CAAC,CAAC,CACH,CAAC;QAEF,OAAO,MAAM,CAAC;IAChB,CAAC;CACF"}
|
package/dist/index.d.ts
CHANGED
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,cAAc,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,cAAc,CAAC;AAC7B,cAAc,6BAA6B,CAAC"}
|
package/dist/index.js
CHANGED
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,cAAc,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,cAAc,CAAC;AAC7B,cAAc,6BAA6B,CAAC"}
|
package/dist/tarball.d.ts
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { type Warning, type Dependency } from "@nodesecure/js-x-ray";
|
|
2
2
|
import * as conformance from "@nodesecure/conformance";
|
|
3
|
-
import { type PackageModuleType } from "@nodesecure/mama";
|
|
3
|
+
import { ManifestManager, type PackageModuleType } from "@nodesecure/mama";
|
|
4
4
|
export interface DependencyRef {
|
|
5
5
|
id: number;
|
|
6
6
|
type: PackageModuleType;
|
|
@@ -31,13 +31,7 @@ export interface DependencyRef {
|
|
|
31
31
|
required_subpath: Record<string, string>;
|
|
32
32
|
};
|
|
33
33
|
}
|
|
34
|
-
export
|
|
35
|
-
ref: DependencyRef;
|
|
36
|
-
location?: string;
|
|
37
|
-
tmpLocation?: null | string;
|
|
38
|
-
registry: string;
|
|
39
|
-
}
|
|
40
|
-
export declare function scanDirOrArchive(name: string, version: string, options: ScanDirOrArchiveOptions): Promise<void>;
|
|
34
|
+
export declare function scanDirOrArchive(locationOrManifest: string | ManifestManager, ref: DependencyRef): Promise<void>;
|
|
41
35
|
export interface ScannedPackageResult {
|
|
42
36
|
files: {
|
|
43
37
|
/** Complete list of files for the given package */
|
|
@@ -58,5 +52,10 @@ export interface ScannedPackageResult {
|
|
|
58
52
|
warnings: Warning[];
|
|
59
53
|
};
|
|
60
54
|
}
|
|
61
|
-
export declare function scanPackage(
|
|
55
|
+
export declare function scanPackage(manifestOrLocation: string | ManifestManager): Promise<ScannedPackageResult>;
|
|
56
|
+
export interface TarballResolutionOptions {
|
|
57
|
+
spec: string;
|
|
58
|
+
registry?: string;
|
|
59
|
+
}
|
|
60
|
+
export declare function extractAndResolve(location: string, options: TarballResolutionOptions): Promise<ManifestManager>;
|
|
62
61
|
//# sourceMappingURL=tarball.d.ts.map
|
package/dist/tarball.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tarball.d.ts","sourceRoot":"","sources":["../src/tarball.ts"],"names":[],"mappings":"AAKA,OAAO,
|
|
1
|
+
{"version":3,"file":"tarball.d.ts","sourceRoot":"","sources":["../src/tarball.ts"],"names":[],"mappings":"AAKA,OAAO,EACL,KAAK,OAAO,EACZ,KAAK,UAAU,EAChB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,KAAK,WAAW,MAAM,yBAAyB,CAAC;AACvD,OAAO,EACL,eAAe,EACf,KAAK,iBAAiB,EACvB,MAAM,kBAAkB,CAAC;AAW1B,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,iBAAiB,CAAC;IACxB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC/B,eAAe,EAAE,OAAO,CAAC;IACzB,qBAAqB,EAAE,OAAO,CAAC;IAC/B,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC5B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC7B,UAAU,EAAE,GAAG,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,QAAQ,EAAE,GAAG,CAAC;IACd,QAAQ,EAAE,WAAW,CAAC,0BAA0B,EAAE,CAAC;IACnD,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9B,WAAW,EAAE;QACX,UAAU,EAAE,MAAM,EAAE,CAAC;QACrB,KAAK,EAAE,MAAM,EAAE,CAAC;QAChB,QAAQ,EAAE,MAAM,EAAE,CAAC;QACnB,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,OAAO,EAAE,MAAM,EAAE,CAAC;QAClB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,eAAe,EAAE,MAAM,EAAE,CAAC;QAC1B,mBAAmB,EAAE,MAAM,EAAE,CAAC;QAC9B,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAC1C,CAAC;CACH;AAQD,wBAAsB,gBAAgB,CACpC,kBAAkB,EAAE,MAAM,GAAG,eAAe,EAC5C,GAAG,EAAE,aAAa,GACjB,OAAO,CAAC,IAAI,CAAC,CAiEf;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE;QACL,mDAAmD;QACnD,IAAI,EAAE,MAAM,EAAE,CAAC;QACf,kDAAkD;QAClD,UAAU,EAAE,MAAM,EAAE,CAAC;QACrB,wCAAwC;QACxC,QAAQ,EAAE,MAAM,EAAE,CAAC;KACpB,CAAC;IACF,qCAAqC;IACrC,aAAa,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,mCAAmC;IACnC,QAAQ,EAAE,WAAW,CAAC,0BAA0B,EAAE,CAAC;IACnD,GAAG,EAAE;QACH,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC;QACzD,QAAQ,EAAE,OAAO,EAAE,CAAC;KACrB,CAAC;CACH;AAED,wBAAsB,WAAW,CAC/B,kBAAkB,EAAE,MAAM,GAAG,eAAe,GAC3C,OAAO,CAAC,oBAAoB,CAAC,CA0B/B;AAED,MAAM,WAAW,wBAAwB;IACvC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,wBAAwB,GAChC,OAAO,CAAC,eAAe,CAAC,CAiB1B"}
|
package/dist/tarball.js
CHANGED
|
@@ -2,38 +2,23 @@
|
|
|
2
2
|
import path from "node:path";
|
|
3
3
|
import os from "node:os";
|
|
4
4
|
// Import Third-party Dependencies
|
|
5
|
-
import {
|
|
6
|
-
import pacote from "pacote";
|
|
5
|
+
import {} from "@nodesecure/js-x-ray";
|
|
7
6
|
import * as conformance from "@nodesecure/conformance";
|
|
8
7
|
import { ManifestManager } from "@nodesecure/mama";
|
|
8
|
+
import pacote from "pacote";
|
|
9
9
|
// Import Internal Dependencies
|
|
10
|
-
import {
|
|
10
|
+
import { isSensitiveFile, booleanToFlags } from "./utils/index.js";
|
|
11
|
+
import { NpmTarball } from "./class/NpmTarball.class.js";
|
|
11
12
|
import * as warnings from "./warnings.js";
|
|
12
|
-
import * as sast from "./sast/index.js";
|
|
13
13
|
// CONSTANTS
|
|
14
|
-
const
|
|
14
|
+
const kNativeCodeExtensions = new Set([".gyp", ".c", ".cpp", ".node", ".so", ".h"]);
|
|
15
|
+
const kNpmToken = typeof process.env.NODE_SECURE_TOKEN === "string" ?
|
|
15
16
|
{ token: process.env.NODE_SECURE_TOKEN } :
|
|
16
17
|
{};
|
|
17
|
-
|
|
18
|
-
const
|
|
19
|
-
|
|
20
|
-
const {
|
|
21
|
-
const isNpmTarball = !(tmpLocation === null);
|
|
22
|
-
const dest = isNpmTarball ? path.join(tmpLocation, `${name}@${version}`) : location;
|
|
23
|
-
// If this is an NPM tarball then we extract it on the disk with pacote.
|
|
24
|
-
if (isNpmTarball) {
|
|
25
|
-
await pacote.extract(ref.flags.includes("isGit") ? ref.gitUrl : `${name}@${version}`, dest, {
|
|
26
|
-
...NPM_TOKEN,
|
|
27
|
-
registry,
|
|
28
|
-
cache: `${os.homedir()}/.npm`
|
|
29
|
-
});
|
|
30
|
-
}
|
|
31
|
-
// Read the package.json at the root of the directory or archive.
|
|
32
|
-
const [mama, composition, spdx] = await Promise.all([
|
|
33
|
-
ManifestManager.fromPackageJSON(dest),
|
|
34
|
-
getTarballComposition(dest),
|
|
35
|
-
conformance.extractLicenses(dest)
|
|
36
|
-
]);
|
|
18
|
+
export async function scanDirOrArchive(locationOrManifest, ref) {
|
|
19
|
+
const mama = await ManifestManager.fromPackageJSON(locationOrManifest);
|
|
20
|
+
const tarex = new NpmTarball(mama);
|
|
21
|
+
const { composition, conformance, code } = await tarex.scanFiles();
|
|
37
22
|
{
|
|
38
23
|
const { description, engines, repository, scripts } = mama.document;
|
|
39
24
|
Object.assign(ref, {
|
|
@@ -42,42 +27,34 @@ export async function scanDirOrArchive(name, version, options) {
|
|
|
42
27
|
integrity: mama.isWorkspace ? null : mama.integrity
|
|
43
28
|
});
|
|
44
29
|
}
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
// Get the composition of the (extracted) directory
|
|
48
|
-
if (composition.files.length === 1 && composition.files.includes("package.json")) {
|
|
30
|
+
if (composition.files.length === 1 &&
|
|
31
|
+
composition.files.includes("package.json")) {
|
|
49
32
|
ref.warnings.push(warnings.getEmptyPackageWarning());
|
|
50
33
|
}
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
const scannedFiles = await sast.scanManyFiles(composition.files, dest, name);
|
|
54
|
-
ref.warnings.push(...scannedFiles.flatMap((row) => row.warnings));
|
|
55
|
-
if (/^0(\.\d+)*$/.test(version)) {
|
|
56
|
-
ref.warnings.push(warnings.getSemVerWarning(version));
|
|
34
|
+
if (mama.hasZeroSemver) {
|
|
35
|
+
ref.warnings.push(warnings.getSemVerWarning(mama.document.version));
|
|
57
36
|
}
|
|
58
|
-
|
|
59
|
-
const
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
const hasExternalCapacity = scannedFiles.some((row) => row.filesFlags.hasExternalCapacity);
|
|
63
|
-
const { nodeDependencies, thirdPartyDependencies, subpathImportsDependencies, missingDependencies, unusedDependencies, flags } = analyzeDependencies(dependencies, { mama, tryDependencies });
|
|
37
|
+
ref.warnings.push(...code.warnings);
|
|
38
|
+
const { files, dependencies, flags } = code.groupAndAnalyseDependencies(mama);
|
|
39
|
+
ref.licenses = conformance.licenses;
|
|
40
|
+
ref.uniqueLicenseIds = conformance.uniqueLicenseIds;
|
|
64
41
|
ref.type = mama.moduleType;
|
|
65
42
|
ref.size = composition.size;
|
|
66
43
|
ref.composition.extensions.push(...composition.ext);
|
|
67
44
|
ref.composition.files.push(...composition.files);
|
|
68
|
-
ref.composition.required_thirdparty =
|
|
69
|
-
ref.composition.required_subpath =
|
|
70
|
-
ref.composition.unused.push(...
|
|
71
|
-
ref.composition.missing.push(...
|
|
72
|
-
ref.composition.required_files =
|
|
73
|
-
ref.composition.required_nodejs =
|
|
74
|
-
ref.composition.minified =
|
|
45
|
+
ref.composition.required_thirdparty = dependencies.thirdparty;
|
|
46
|
+
ref.composition.required_subpath = dependencies.subpathImports;
|
|
47
|
+
ref.composition.unused.push(...dependencies.unused);
|
|
48
|
+
ref.composition.missing.push(...dependencies.missing);
|
|
49
|
+
ref.composition.required_files = [...files];
|
|
50
|
+
ref.composition.required_nodejs = dependencies.nodejs;
|
|
51
|
+
ref.composition.minified = code.minified;
|
|
75
52
|
ref.flags.push(...booleanToFlags({
|
|
76
53
|
...flags,
|
|
77
|
-
hasExternalCapacity: hasExternalCapacity || flags.hasExternalCapacity,
|
|
78
|
-
hasNoLicense:
|
|
79
|
-
hasMultipleLicenses:
|
|
80
|
-
hasMinifiedCode:
|
|
54
|
+
hasExternalCapacity: code.flags.hasExternalCapacity || flags.hasExternalCapacity,
|
|
55
|
+
hasNoLicense: conformance.uniqueLicenseIds.length === 0,
|
|
56
|
+
hasMultipleLicenses: conformance.uniqueLicenseIds.length > 1,
|
|
57
|
+
hasMinifiedCode: code.minified.length > 0,
|
|
81
58
|
hasWarnings: ref.warnings.length > 0 && !ref.flags.includes("hasWarnings"),
|
|
82
59
|
hasBannedFile: composition.files.some((path) => isSensitiveFile(path)),
|
|
83
60
|
hasNativeCode: mama.flags.isNative ||
|
|
@@ -85,42 +62,33 @@ export async function scanDirOrArchive(name, version, options) {
|
|
|
85
62
|
hasScript: mama.flags.hasUnsafeScripts
|
|
86
63
|
}));
|
|
87
64
|
}
|
|
88
|
-
export async function scanPackage(
|
|
89
|
-
const
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
conformance.extractLicenses(dest)
|
|
93
|
-
]);
|
|
94
|
-
const { type = "script" } = mama.document;
|
|
95
|
-
// Search for runtime dependencies
|
|
96
|
-
const dependencies = Object.create(null);
|
|
97
|
-
const minified = [];
|
|
98
|
-
const warnings = [];
|
|
99
|
-
const JSFiles = composition.files
|
|
100
|
-
.filter((name) => kJsExtname.has(path.extname(name)));
|
|
101
|
-
for (const file of JSFiles) {
|
|
102
|
-
const result = await new AstAnalyser().analyseFile(path.join(dest, file), {
|
|
103
|
-
packageName: packageName ?? mama.document.name,
|
|
104
|
-
module: type === "module"
|
|
105
|
-
});
|
|
106
|
-
warnings.push(...result.warnings.map((curr) => Object.assign({}, curr, { file })));
|
|
107
|
-
if (result.ok) {
|
|
108
|
-
dependencies[file] = Object.fromEntries(result.dependencies);
|
|
109
|
-
if (result.isMinified) {
|
|
110
|
-
minified.push(file);
|
|
111
|
-
}
|
|
112
|
-
}
|
|
113
|
-
}
|
|
65
|
+
export async function scanPackage(manifestOrLocation) {
|
|
66
|
+
const mama = await ManifestManager.fromPackageJSON(manifestOrLocation);
|
|
67
|
+
const extractor = new NpmTarball(mama);
|
|
68
|
+
const { composition, conformance, code } = await extractor.scanFiles();
|
|
114
69
|
return {
|
|
115
70
|
files: {
|
|
116
71
|
list: composition.files,
|
|
117
72
|
extensions: [...composition.ext],
|
|
118
|
-
minified
|
|
73
|
+
minified: code.minified
|
|
119
74
|
},
|
|
120
75
|
directorySize: composition.size,
|
|
121
|
-
uniqueLicenseIds:
|
|
122
|
-
licenses:
|
|
123
|
-
ast: {
|
|
76
|
+
uniqueLicenseIds: conformance.uniqueLicenseIds,
|
|
77
|
+
licenses: conformance.licenses,
|
|
78
|
+
ast: {
|
|
79
|
+
dependencies: code.dependencies,
|
|
80
|
+
warnings: code.warnings
|
|
81
|
+
}
|
|
124
82
|
};
|
|
125
83
|
}
|
|
84
|
+
export async function extractAndResolve(location, options) {
|
|
85
|
+
const { spec, registry } = options;
|
|
86
|
+
const tarballLocation = path.join(location, spec.replaceAll("/", "_"));
|
|
87
|
+
await pacote.extract(spec, tarballLocation, {
|
|
88
|
+
...kNpmToken,
|
|
89
|
+
registry,
|
|
90
|
+
cache: `${os.homedir()}/.npm`
|
|
91
|
+
});
|
|
92
|
+
return ManifestManager.fromPackageJSON(tarballLocation);
|
|
93
|
+
}
|
|
126
94
|
//# sourceMappingURL=tarball.js.map
|
package/dist/tarball.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"tarball.js","sourceRoot":"","sources":["../src/tarball.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AAEzB,kCAAkC;AAClC,OAAO,
|
|
1
|
+
{"version":3,"file":"tarball.js","sourceRoot":"","sources":["../src/tarball.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,SAAS,CAAC;AAEzB,kCAAkC;AAClC,OAAO,EAGN,MAAM,sBAAsB,CAAC;AAC9B,OAAO,KAAK,WAAW,MAAM,yBAAyB,CAAC;AACvD,OAAO,EACL,eAAe,EAEhB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B,+BAA+B;AAC/B,OAAO,EACL,eAAe,EACf,cAAc,EACf,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AACzD,OAAO,KAAK,QAAQ,MAAM,eAAe,CAAC;AAiC1C,YAAY;AACZ,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC;AACpF,MAAM,SAAS,GAAG,OAAO,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,QAAQ,CAAC,CAAC;IACnE,EAAE,KAAK,EAAE,OAAO,CAAC,GAAG,CAAC,iBAAiB,EAAE,CAAC,CAAC;IAC1C,EAAE,CAAC;AAEL,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,kBAA4C,EAC5C,GAAkB;IAElB,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,eAAe,CAChD,kBAAkB,CACnB,CAAC;IACF,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC;IAEnC,MAAM,EACJ,WAAW,EACX,WAAW,EACX,IAAI,EACL,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE,CAAC;IAE5B,CAAC;QACC,MAAM,EAAE,WAAW,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QACpE,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE;YACjB,WAAW,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO;YACzC,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS;SACpD,CAAC,CAAC;IACL,CAAC;IAED,IACE,WAAW,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC;QAC9B,WAAW,CAAC,KAAK,CAAC,QAAQ,CAAC,cAAc,CAAC,EAC1C,CAAC;QACD,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,sBAAsB,EAAE,CAAC,CAAC;IACvD,CAAC;IAED,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;QACvB,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAQ,CAAC,CAAC,CAAC;IACvE,CAAC;IACD,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC;IAEpC,MAAM,EACJ,KAAK,EACL,YAAY,EACZ,KAAK,EACN,GAAG,IAAI,CAAC,2BAA2B,CAAC,IAAI,CAAC,CAAC;IAE3C,GAAG,CAAC,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAC;IACpC,GAAG,CAAC,gBAAgB,GAAG,WAAW,CAAC,gBAAgB,CAAC;IACpD,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC;IAC3B,GAAG,CAAC,IAAI,GAAG,WAAW,CAAC,IAAI,CAAC;IAC5B,GAAG,CAAC,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IACpD,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IACjD,GAAG,CAAC,WAAW,CAAC,mBAAmB,GAAG,YAAY,CAAC,UAAU,CAAC;IAC9D,GAAG,CAAC,WAAW,CAAC,gBAAgB,GAAG,YAAY,CAAC,cAAc,CAAC;IAC/D,GAAG,CAAC,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IACpD,GAAG,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IACtD,GAAG,CAAC,WAAW,CAAC,cAAc,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC;IAC5C,GAAG,CAAC,WAAW,CAAC,eAAe,GAAG,YAAY,CAAC,MAAM,CAAC;IACtD,GAAG,CAAC,WAAW,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;IAEzC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC;QAC/B,GAAG,KAAK;QACR,mBAAmB,EAAE,IAAI,CAAC,KAAK,CAAC,mBAAmB,IAAI,KAAK,CAAC,mBAAmB;QAChF,YAAY,EAAE,WAAW,CAAC,gBAAgB,CAAC,MAAM,KAAK,CAAC;QACvD,mBAAmB,EAAE,WAAW,CAAC,gBAAgB,CAAC,MAAM,GAAG,CAAC;QAC5D,eAAe,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC;QACzC,WAAW,EAAE,GAAG,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC;QAC1E,aAAa,EAAE,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC;QACtE,aAAa,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ;YAChC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,qBAAqB,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QACjF,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,gBAAgB;KACvC,CAAC,CAAC,CAAC;AACN,CAAC;AAuBD,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,kBAA4C;IAE5C,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,eAAe,CAChD,kBAAkB,CACnB,CAAC;IACF,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC;IAEvC,MAAM,EACJ,WAAW,EACX,WAAW,EACX,IAAI,EACL,GAAG,MAAM,SAAS,CAAC,SAAS,EAAE,CAAC;IAEhC,OAAO;QACL,KAAK,EAAE;YACL,IAAI,EAAE,WAAW,CAAC,KAAK;YACvB,UAAU,EAAE,CAAC,GAAG,WAAW,CAAC,GAAG,CAAC;YAChC,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB;QACD,aAAa,EAAE,WAAW,CAAC,IAAI;QAC/B,gBAAgB,EAAE,WAAW,CAAC,gBAAgB;QAC9C,QAAQ,EAAE,WAAW,CAAC,QAAQ;QAC9B,GAAG,EAAE;YACH,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB;KACF,CAAC;AACJ,CAAC;AAOD,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,QAAgB,EAChB,OAAiC;IAEjC,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAEnC,MAAM,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC;IACvE,MAAM,MAAM,CAAC,OAAO,CAClB,IAAI,EACJ,eAAe,EACf;QACE,GAAG,SAAS;QACZ,QAAQ;QACR,KAAK,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,OAAO;KAC9B,CACF,CAAC;IAEF,OAAO,eAAe,CAAC,eAAe,CACpC,eAAe,CAChB,CAAC;AACJ,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"analyzeDependencies.d.ts","sourceRoot":"","sources":["../../src/utils/analyzeDependencies.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,
|
|
1
|
+
{"version":3,"file":"analyzeDependencies.d.ts","sourceRoot":"","sources":["../../src/utils/analyzeDependencies.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAgB,MAAM,kBAAkB,CAAC;AAIjE,eAAO,MAAM,aAAa,aA6CxB,CAAC;AAKH,MAAM,WAAW,0BAA0B;IACzC,IAAI,EACF,IAAI,CAAC,eAAe,EAAE,cAAc,GAAG,iBAAiB,CAAC,GACzD,OAAO,CAAC,IAAI,CAAC,eAAe,EAAE,eAAe,CAAC,CAAC,CAAC;IAClD,eAAe,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;CAC9B;AAED,MAAM,WAAW,yBAAyB;IACxC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,sBAAsB,EAAE,MAAM,EAAE,CAAC;IACjC,0BAA0B,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnD,kBAAkB,EAAE,MAAM,EAAE,CAAC;IAC7B,mBAAmB,EAAE,MAAM,EAAE,CAAC;IAC9B,KAAK,EAAE;QACL,mBAAmB,EAAE,OAAO,CAAC;QAC7B,4BAA4B,EAAE,OAAO,CAAC;KACvC,CAAC;CACH;AAED,wBAAgB,mBAAmB,CACjC,kBAAkB,EAAE,MAAM,EAAE,EAC5B,OAAO,EAAE,0BAA0B,GAClC,yBAAyB,CAoD3B"}
|
|
@@ -1,7 +1,5 @@
|
|
|
1
1
|
// Import Third-party Dependencies
|
|
2
|
-
import { ManifestManager } from "@nodesecure/mama";
|
|
3
|
-
// Import Internal Dependencies
|
|
4
|
-
import { getPackageName } from "./getPackageName.js";
|
|
2
|
+
import { ManifestManager, parseNpmSpec } from "@nodesecure/mama";
|
|
5
3
|
// CONSTANTS
|
|
6
4
|
export const NODE_BUILTINS = new Set([
|
|
7
5
|
"assert",
|
|
@@ -60,7 +58,9 @@ export function analyzeDependencies(sourceDependencies, options) {
|
|
|
60
58
|
.map((name) => buildSubpathDependency(name, nodejsImports)));
|
|
61
59
|
const thirdPartyDependenciesAliased = new Set(Object.values(subpathImportsDependencies).filter((mod) => !isFile(mod)));
|
|
62
60
|
const thirdPartyDependencies = sourceDependencies.flatMap((sourceName) => {
|
|
63
|
-
const name = dependencies.includes(sourceName) ?
|
|
61
|
+
const name = dependencies.includes(sourceName) ?
|
|
62
|
+
sourceName :
|
|
63
|
+
parseNpmSpec(sourceName)?.name ?? sourceName;
|
|
64
64
|
return isFile(name) ||
|
|
65
65
|
isCoreModule(name) ||
|
|
66
66
|
devDependencies.includes(name) ||
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"analyzeDependencies.js","sourceRoot":"","sources":["../../src/utils/analyzeDependencies.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,OAAO,EAAE,eAAe,EAAE,
|
|
1
|
+
{"version":3,"file":"analyzeDependencies.js","sourceRoot":"","sources":["../../src/utils/analyzeDependencies.ts"],"names":[],"mappings":"AAAA,kCAAkC;AAClC,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAGjE,YAAY;AACZ,MAAM,CAAC,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC;IACnC,QAAQ;IACR,QAAQ;IACR,eAAe;IACf,SAAS;IACT,SAAS;IACT,WAAW;IACX,QAAQ;IACR,OAAO;IACP,KAAK;IACL,QAAQ;IACR,QAAQ;IACR,IAAI;IACJ,MAAM;IACN,OAAO;IACP,QAAQ;IACR,KAAK;IACL,IAAI;IACJ,MAAM;IACN,UAAU;IACV,aAAa;IACb,UAAU;IACV,MAAM;IACN,QAAQ;IACR,gBAAgB;IAChB,KAAK;IACL,QAAQ;IACR,KAAK;IACL,KAAK;IACL,KAAK;IACL,MAAM;IACN,IAAI;IACJ,MAAM;IACN,UAAU;IACV,IAAI;IACJ,SAAS;IACT,WAAW;IACX,aAAa;IACb,OAAO;IACP,YAAY;IACZ,cAAc;IACd,gBAAgB;IAChB,WAAW;IACX,MAAM;IACN,qBAAqB;CACtB,CAAC,CAAC;AAEH,MAAM,eAAe,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;AACzF,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,eAAe,CAAC,CAAC,CAAC;AAqB9F,MAAM,UAAU,mBAAmB,CACjC,kBAA4B,EAC5B,OAAmC;IAEnC,MAAM,EAAE,IAAI,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC;IAC1C,MAAM,EAAE,YAAY,EAAE,eAAe,EAAE,aAAa,GAAG,EAAE,EAAE,GAAG,IAAI,CAAC;IAEnE,4DAA4D;IAC5D,MAAM,0BAA0B,GAAG,MAAM,CAAC,WAAW,CACnD,kBAAkB;SACf,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,IAAI,IAAI,aAAa,CAAC;SAClE,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,sBAAsB,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC,CAC9D,CAAC;IACF,MAAM,6BAA6B,GAAG,IAAI,GAAG,CAC3C,MAAM,CAAC,MAAM,CAAC,0BAA0B,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CACxE,CAAC;IAEF,MAAM,sBAAsB,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC,UAAU,EAAE,EAAE;QACvE,MAAM,IAAI,GAAG,YAAY,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;YAC9C,UAAU,CAAC,CAAC;YACZ,YAAY,CAAC,UAAU,CAAC,EAAE,IAAI,IAAI,UAAU,CAAC;QAE/C,OAAO,MAAM,CAAC,IAAI,CAAC;YACjB,YAAY,CAAC,IAAI,CAAC;YAClB,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC;YAC9B,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;YAC3B,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,MAAM,kBAAkB,GAAG,UAAU,CACnC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,EACzD,CAAC,GAAG,sBAAsB,EAAE,GAAG,6BAA6B,CAAC,CAC9D,CAAC;IACF,MAAM,mBAAmB,GAAG;QAC1B,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,sBAAsB,EAAE,YAAY,CAAC,CAAC;KAC7D;SACE,MAAM,CAAC,CAAC,IAAY,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,aAAa,CAAC,IAAI,CAAC,6BAA6B,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;IAClG,MAAM,gBAAgB,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;IAEjF,MAAM,4BAA4B,GAChC,kBAAkB,CAAC,MAAM,GAAG,CAAC;QAC7B,mBAAmB,CAAC,MAAM,GAAG,CAAC,CAAC;IAEjC,OAAO;QACL,gBAAgB;QAChB,sBAAsB,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,sBAAsB,CAAC,CAAC;QAC5D,0BAA0B;QAC1B,kBAAkB;QAClB,mBAAmB;QAEnB,KAAK,EAAE;YACL,mBAAmB,EAAE,gBAAgB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YACtF,4BAA4B;SAC7B;KACF,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAI,IAAS,EAAE,IAAS;IACzC,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,MAAM,CACb,QAAgB;IAEhB,OAAO,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC;WAC1B,eAAe,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;AACzE,CAAC;AAED,SAAS,YAAY,CACnB,UAAkB;IAElB,MAAM,eAAe,GAAG,UAAU,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;IAE1F,oGAAoG;IACpG,OAAO,aAAa,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,aAAa,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,iBAAiB,CACxB,UAAkB;IAElB,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC;AACtC,CAAC;AAED,SAAS,sBAAsB,CAC7B,KAAa,EACb,WAAgD;IAEhD,MAAM,WAAW,GAAG,WAAW,CAAC,KAAK,CAAE,CAAC;IAExC,OAAO,OAAO,WAAW,KAAK,QAAQ,CAAC,CAAC;QACtC,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC,CAAC;QACtB,CAAC,KAAK,EAAE,MAAM,IAAI,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;AAC5E,CAAC"}
|
package/dist/utils/index.d.ts
CHANGED
|
@@ -1,7 +1,6 @@
|
|
|
1
1
|
export * from "./analyzeDependencies.js";
|
|
2
2
|
export * from "./booleanToFlags.js";
|
|
3
3
|
export * from "./isSensitiveFile.js";
|
|
4
|
-
export * from "./getPackageName.js";
|
|
5
4
|
export * from "./getTarballComposition.js";
|
|
6
5
|
export * from "./filterDependencyKind.js";
|
|
7
6
|
//# sourceMappingURL=index.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA,cAAc,0BAA0B,CAAC;AACzC,cAAc,qBAAqB,CAAC;AACpC,cAAc,sBAAsB,CAAC;AACrC,cAAc,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA,cAAc,0BAA0B,CAAC;AACzC,cAAc,qBAAqB,CAAC;AACpC,cAAc,sBAAsB,CAAC;AACrC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,2BAA2B,CAAC"}
|
package/dist/utils/index.js
CHANGED
|
@@ -1,7 +1,6 @@
|
|
|
1
1
|
export * from "./analyzeDependencies.js";
|
|
2
2
|
export * from "./booleanToFlags.js";
|
|
3
3
|
export * from "./isSensitiveFile.js";
|
|
4
|
-
export * from "./getPackageName.js";
|
|
5
4
|
export * from "./getTarballComposition.js";
|
|
6
5
|
export * from "./filterDependencyKind.js";
|
|
7
6
|
//# sourceMappingURL=index.js.map
|
package/dist/utils/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA,cAAc,0BAA0B,CAAC;AACzC,cAAc,qBAAqB,CAAC;AACpC,cAAc,sBAAsB,CAAC;AACrC,cAAc,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA,cAAc,0BAA0B,CAAC;AACzC,cAAc,qBAAqB,CAAC;AACpC,cAAc,sBAAsB,CAAC;AACrC,cAAc,4BAA4B,CAAC;AAC3C,cAAc,2BAA2B,CAAC"}
|
package/dist/warnings.d.ts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import type {
|
|
2
|
-
export declare function getSemVerWarning(value: string):
|
|
3
|
-
export declare function getEmptyPackageWarning():
|
|
1
|
+
import type { Warning } from "@nodesecure/js-x-ray";
|
|
2
|
+
export declare function getSemVerWarning(value: string): Warning;
|
|
3
|
+
export declare function getEmptyPackageWarning(): Warning;
|
|
4
4
|
//# sourceMappingURL=warnings.d.ts.map
|
package/dist/warnings.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"warnings.d.ts","sourceRoot":"","sources":["../src/warnings.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,
|
|
1
|
+
{"version":3,"file":"warnings.d.ts","sourceRoot":"","sources":["../src/warnings.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AAEpD,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,MAAM,GACZ,OAAO,CAWT;AAED,wBAAgB,sBAAsB,IAAI,OAAO,CAWhD"}
|
package/package.json
CHANGED
|
@@ -1,12 +1,12 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@nodesecure/tarball",
|
|
3
|
-
"version": "
|
|
3
|
+
"version": "2.0.1",
|
|
4
4
|
"description": "NodeSecure tarball scanner",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"exports": "./dist/index.js",
|
|
7
7
|
"types": "./dist/index.d.ts",
|
|
8
8
|
"scripts": {
|
|
9
|
-
"build": "tsc
|
|
9
|
+
"build": "tsc",
|
|
10
10
|
"prepublishOnly": "npm run build",
|
|
11
11
|
"test-only": "tsx --test ./test/**/*.spec.ts",
|
|
12
12
|
"test": "c8 -r html npm run test-only"
|
|
@@ -31,8 +31,8 @@
|
|
|
31
31
|
"dependencies": {
|
|
32
32
|
"@nodesecure/conformance": "^1.0.0",
|
|
33
33
|
"@nodesecure/fs-walk": "^2.0.0",
|
|
34
|
-
"@nodesecure/js-x-ray": "^
|
|
35
|
-
"@nodesecure/mama": "^1.
|
|
34
|
+
"@nodesecure/js-x-ray": "^9.2.0",
|
|
35
|
+
"@nodesecure/mama": "^1.6.0",
|
|
36
36
|
"@nodesecure/npm-types": "^1.2.0",
|
|
37
37
|
"@nodesecure/utils": "^2.3.0",
|
|
38
38
|
"pacote": "^21.0.0"
|
package/dist/sast/file.d.ts
DELETED
|
@@ -1,17 +0,0 @@
|
|
|
1
|
-
import { type WarningName, type WarningDefault } from "@nodesecure/js-x-ray";
|
|
2
|
-
export interface ScanFileReport {
|
|
3
|
-
file: string;
|
|
4
|
-
warnings: (Omit<WarningDefault<WarningName>, "value"> & {
|
|
5
|
-
file: string;
|
|
6
|
-
})[];
|
|
7
|
-
isMinified: boolean;
|
|
8
|
-
tryDependencies: string[];
|
|
9
|
-
dependencies: string[];
|
|
10
|
-
filesDependencies: string[];
|
|
11
|
-
filesFlags: {
|
|
12
|
-
hasExternalCapacity: boolean;
|
|
13
|
-
};
|
|
14
|
-
}
|
|
15
|
-
export declare function scanFile(destination: string, file: string, packageName: string): Promise<ScanFileReport>;
|
|
16
|
-
export declare function scanManyFiles(files: string[], destination: string, packageName: string): Promise<ScanFileReport[]>;
|
|
17
|
-
//# sourceMappingURL=file.d.ts.map
|
package/dist/sast/file.d.ts.map
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"file.d.ts","sourceRoot":"","sources":["../../src/sast/file.ts"],"names":[],"mappings":"AAIA,OAAO,EAEL,KAAK,WAAW,EAChB,KAAK,cAAc,EACpB,MAAM,sBAAsB,CAAC;AAU9B,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,WAAW,CAAC,EAAE,OAAO,CAAC,GAAG;QAAE,IAAI,EAAE,MAAM,CAAC;KAAE,CAAC,EAAE,CAAC;IAC7E,UAAU,EAAE,OAAO,CAAC;IACpB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAC5B,UAAU,EAAE;QACV,mBAAmB,EAAE,OAAO,CAAC;KAC9B,CAAC;CACH;AAED,wBAAsB,QAAQ,CAC5B,WAAW,EAAE,MAAM,EACnB,IAAI,EAAE,MAAM,EACZ,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,cAAc,CAAC,CA0CzB;AAED,wBAAsB,aAAa,CACjC,KAAK,EAAE,MAAM,EAAE,EACf,WAAW,EAAE,MAAM,EACnB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,cAAc,EAAE,CAAC,CAU3B"}
|
package/dist/sast/file.js
DELETED
|
@@ -1,50 +0,0 @@
|
|
|
1
|
-
// Import Node.js Dependencies
|
|
2
|
-
import path from "node:path";
|
|
3
|
-
// Import Third-party Dependencies
|
|
4
|
-
import { AstAnalyser } from "@nodesecure/js-x-ray";
|
|
5
|
-
// Import Internal Dependencies
|
|
6
|
-
import { filterDependencyKind } from "../utils/index.js";
|
|
7
|
-
// CONSTANTS
|
|
8
|
-
const kJsExtname = new Set([".js", ".mjs", ".cjs"]);
|
|
9
|
-
export async function scanFile(destination, file, packageName) {
|
|
10
|
-
const result = await new AstAnalyser().analyseFile(path.join(destination, file), {
|
|
11
|
-
packageName
|
|
12
|
-
});
|
|
13
|
-
const warnings = result.warnings.map((curr) => Object.assign({}, curr, { file }));
|
|
14
|
-
if (result.ok) {
|
|
15
|
-
const { packages, files } = filterDependencyKind([...result.dependencies.keys()], path.dirname(file));
|
|
16
|
-
const tryDependencies = [...result.dependencies.entries()]
|
|
17
|
-
.flatMap(([name, dependency]) => (dependency.inTry ? [name] : []));
|
|
18
|
-
return {
|
|
19
|
-
file,
|
|
20
|
-
warnings,
|
|
21
|
-
isMinified: result.isMinified,
|
|
22
|
-
tryDependencies,
|
|
23
|
-
dependencies: packages,
|
|
24
|
-
filesDependencies: files,
|
|
25
|
-
filesFlags: {
|
|
26
|
-
hasExternalCapacity: result.flags.has("fetch")
|
|
27
|
-
}
|
|
28
|
-
};
|
|
29
|
-
}
|
|
30
|
-
return {
|
|
31
|
-
file,
|
|
32
|
-
warnings,
|
|
33
|
-
isMinified: false,
|
|
34
|
-
tryDependencies: [],
|
|
35
|
-
dependencies: [],
|
|
36
|
-
filesDependencies: [],
|
|
37
|
-
filesFlags: {
|
|
38
|
-
hasExternalCapacity: false
|
|
39
|
-
}
|
|
40
|
-
};
|
|
41
|
-
}
|
|
42
|
-
export async function scanManyFiles(files, destination, packageName) {
|
|
43
|
-
const scannedFiles = await Promise.allSettled(files
|
|
44
|
-
.filter((fileName) => kJsExtname.has(path.extname(fileName)))
|
|
45
|
-
.map((file) => scanFile(destination, file, packageName)));
|
|
46
|
-
return scannedFiles
|
|
47
|
-
.filter((result) => result.status === "fulfilled")
|
|
48
|
-
.map((result) => result.value);
|
|
49
|
-
}
|
|
50
|
-
//# sourceMappingURL=file.js.map
|
package/dist/sast/file.js.map
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"file.js","sourceRoot":"","sources":["../../src/sast/file.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAC9B,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,kCAAkC;AAClC,OAAO,EACL,WAAW,EAGZ,MAAM,sBAAsB,CAAC;AAE9B,+BAA+B;AAC/B,OAAO,EACL,oBAAoB,EACrB,MAAM,mBAAmB,CAAC;AAE3B,YAAY;AACZ,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;AAcpD,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,WAAmB,EACnB,IAAY,EACZ,WAAmB;IAEnB,MAAM,MAAM,GAAG,MAAM,IAAI,WAAW,EAAE,CAAC,WAAW,CAChD,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,EAC5B;QACE,WAAW;KACZ,CACF,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;IAClF,IAAI,MAAM,CAAC,EAAE,EAAE,CAAC;QACd,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,oBAAoB,CAC9C,CAAC,GAAG,MAAM,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC,EAC/B,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CACnB,CAAC;QAEF,MAAM,eAAe,GAAG,CAAC,GAAG,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;aACvD,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,UAAU,CAAC,EAAE,EAAE,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QAErE,OAAO;YACL,IAAI;YACJ,QAAQ;YACR,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,eAAe;YACf,YAAY,EAAE,QAAQ;YACtB,iBAAiB,EAAE,KAAK;YACxB,UAAU,EAAE;gBACV,mBAAmB,EAAE,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,OAAO,CAAC;aAC/C;SACF,CAAC;IACJ,CAAC;IAED,OAAO;QACL,IAAI;QACJ,QAAQ;QACR,UAAU,EAAE,KAAK;QACjB,eAAe,EAAE,EAAE;QACnB,YAAY,EAAE,EAAE;QAChB,iBAAiB,EAAE,EAAE;QACrB,UAAU,EAAE;YACV,mBAAmB,EAAE,KAAK;SAC3B;KACF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,KAAe,EACf,WAAmB,EACnB,WAAmB;IAEnB,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,UAAU,CAC3C,KAAK;SACF,MAAM,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;SAC5D,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,WAAW,EAAE,IAAI,EAAE,WAAW,CAAC,CAAC,CAC3D,CAAC;IAEF,OAAO,YAAY;SAChB,MAAM,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,KAAK,WAAW,CAAC;SACjD,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACnC,CAAC"}
|
package/dist/sast/index.d.ts
DELETED
package/dist/sast/index.d.ts.map
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/sast/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAC"}
|
package/dist/sast/index.js
DELETED
package/dist/sast/index.js.map
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sast/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAC"}
|
|
@@ -1,9 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* @see https://github.com/npm/validate-npm-package-name#naming-rules
|
|
3
|
-
* @example
|
|
4
|
-
* getPackageName("foo"); // foo
|
|
5
|
-
* getPackageName("foo/bar"); // foo
|
|
6
|
-
* getPackageName("@org/bar"); // @org/bar
|
|
7
|
-
*/
|
|
8
|
-
export declare function getPackageName(name: string): string;
|
|
9
|
-
//# sourceMappingURL=getPackageName.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"getPackageName.d.ts","sourceRoot":"","sources":["../../src/utils/getPackageName.ts"],"names":[],"mappings":"AAIA;;;;;;GAMG;AACH,wBAAgB,cAAc,CAC5B,IAAI,EAAE,MAAM,GACX,MAAM,CAKR"}
|
|
@@ -1,16 +0,0 @@
|
|
|
1
|
-
// CONSTANTS
|
|
2
|
-
const kPackageSeparator = "/";
|
|
3
|
-
const kPackageOrgSymbol = "@";
|
|
4
|
-
/**
|
|
5
|
-
* @see https://github.com/npm/validate-npm-package-name#naming-rules
|
|
6
|
-
* @example
|
|
7
|
-
* getPackageName("foo"); // foo
|
|
8
|
-
* getPackageName("foo/bar"); // foo
|
|
9
|
-
* getPackageName("@org/bar"); // @org/bar
|
|
10
|
-
*/
|
|
11
|
-
export function getPackageName(name) {
|
|
12
|
-
const parts = name.split(kPackageSeparator);
|
|
13
|
-
// Note: only scoped package are allowed to start with @
|
|
14
|
-
return name.startsWith(kPackageOrgSymbol) ? `${parts[0]}/${parts[1]}` : parts[0];
|
|
15
|
-
}
|
|
16
|
-
//# sourceMappingURL=getPackageName.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"getPackageName.js","sourceRoot":"","sources":["../../src/utils/getPackageName.ts"],"names":[],"mappings":"AAAA,YAAY;AACZ,MAAM,iBAAiB,GAAG,GAAG,CAAC;AAC9B,MAAM,iBAAiB,GAAG,GAAG,CAAC;AAE9B;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAC5B,IAAY;IAEZ,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAE5C,wDAAwD;IACxD,OAAO,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC;AACpF,CAAC"}
|