npm - @openrewrite/recipes-nodejs - Versions diffs - 0.36.0-20251211-172625 → 0.36.0-20251212-170419 - Mend

@openrewrite/recipes-nodejs 0.36.0-20251211-172625 → 0.36.0-20251212-170419

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/dist/index.d.ts.map +1 -1
package/dist/index.js +2 -0
package/dist/index.js.map +1 -1
package/dist/resources/advisories-npm.csv +5357 -0
package/dist/security/dependency-vulnerability-check.d.ts +63 -0
package/dist/security/dependency-vulnerability-check.d.ts.map +1 -0
package/dist/security/dependency-vulnerability-check.js +639 -0
package/dist/security/dependency-vulnerability-check.js.map +1 -0
package/dist/security/index.d.ts +3 -0
package/dist/security/index.d.ts.map +1 -0
package/dist/security/index.js +19 -0
package/dist/security/index.js.map +1 -0
package/dist/security/vulnerability.d.ts +33 -0
package/dist/security/vulnerability.d.ts.map +1 -0
package/dist/security/vulnerability.js +182 -0
package/dist/security/vulnerability.js.map +1 -0
package/package.json +6 -3
package/src/index.ts +2 -0
package/src/security/dependency-vulnerability-check.ts +934 -0
package/src/security/index.ts +8 -0
package/src/security/vulnerability.ts +265 -0

package/src/security/index.ts ADDED Viewed

@@ -0,0 +1,8 @@
+/*
+ * Copyright 2025 the original author or authors.
+ *
+ * Moderne Proprietary. Only for use by Moderne customers under the terms of a commercial contract.
+ */
+export * from "./vulnerability";
+export * from "./dependency-vulnerability-check";

package/src/security/vulnerability.ts ADDED Viewed

@@ -0,0 +1,265 @@
+/*
+ * Copyright 2025 the original author or authors.
+ *
+ * Moderne Proprietary. Only for use by Moderne customers under the terms of a commercial contract.
+ */
+import * as fs from 'fs';
+import * as path from 'path';
+/**
+ * Severity levels for vulnerabilities, ordered from lowest to highest.
+ */
+export enum Severity {
+    LOW = 'LOW',
+    MODERATE = 'MODERATE',
+    HIGH = 'HIGH',
+    CRITICAL = 'CRITICAL'
+}
+/**
+ * Returns the numeric ordinal of a severity level for comparison.
+ */
+export function severityOrdinal(severity: Severity): number {
+    switch (severity) {
+        case Severity.LOW: return 0;
+        case Severity.MODERATE: return 1;
+        case Severity.HIGH: return 2;
+        case Severity.CRITICAL: return 3;
+    }
+}
+/**
+ * Parses a severity string into a Severity enum value.
+ */
+export function parseSeverity(value: string): Severity {
+    const upper = value.toUpperCase();
+    if (upper in Severity) {
+        return Severity[upper as keyof typeof Severity];
+    }
+    return Severity.LOW;
+}
+/**
+ * Represents a known vulnerability from the advisory database.
+ *
+ * CSV format:
+ * CVE,publishedAt,summary,packageName,introducedVersion,fixedVersion,lastAffectedVersion,severity,cwes
+ *
+ * Example:
+ * CVE-2021-44228,2021-12-10T00:00:00Z,"Log4j RCE",log4j,2.0.0,2.17.0,,CRITICAL,CWE-400;CWE-502
+ */
+export interface Vulnerability {
+    /** CVE identifier (e.g., "CVE-2021-44228") */
+    readonly cve: string;
+    /** When the vulnerability was published */
+    readonly publishedAt: string;
+    /** Brief description of the vulnerability */
+    readonly summary: string;
+    /** Name of the affected npm package */
+    readonly packageName: string;
+    /** First version where vulnerability was introduced (e.g., "2.0.0") */
+    readonly introducedVersion: string;
+    /** Version where vulnerability was fixed (e.g., "2.17.0"), empty if no fix available */
+    readonly fixedVersion: string;
+    /** Last version affected if no fixed version (alternative to fixedVersion) */
+    readonly lastAffectedVersion: string;
+    /** Severity level */
+    readonly severity: Severity;
+    /** CWE identifiers separated by semicolons (e.g., "CWE-79;CWE-89") */
+    readonly cwes: string;
+}
+/**
+ * Parses a CSV line, handling quoted fields correctly.
+ */
+function parseCsvLine(line: string): string[] {
+    const fields: string[] = [];
+    let current = '';
+    let inQuotes = false;
+    for (let i = 0; i < line.length; i++) {
+        const char = line[i];
+        if (char === '"') {
+            if (inQuotes && line[i + 1] === '"') {
+                // Escaped quote
+                current += '"';
+                i++;
+            } else {
+                // Toggle quote mode
+                inQuotes = !inQuotes;
+            }
+        } else if (char === ',' && !inQuotes) {
+            fields.push(current);
+            current = '';
+        } else {
+            current += char;
+        }
+    }
+    fields.push(current);
+    return fields;
+}
+/**
+ * Parses a vulnerability from a CSV line.
+ *
+ * Expected format:
+ * CVE,publishedAt,summary,packageName,introducedVersion,fixedVersion,lastAffectedVersion,severity,cwes
+ */
+function parseVulnerability(line: string): Vulnerability | undefined {
+    const fields = parseCsvLine(line);
+    if (fields.length < 9) {
+        return undefined;
+    }
+    const [cve, publishedAt, summary, packageName, introducedVersion, fixedVersion, lastAffectedVersion, severity, cwes] = fields;
+    // Skip if missing required fields
+    if (!cve || !packageName) {
+        return undefined;
+    }
+    return {
+        cve,
+        publishedAt,
+        summary,
+        packageName,
+        introducedVersion: introducedVersion || '0',
+        fixedVersion: fixedVersion || '',
+        lastAffectedVersion: lastAffectedVersion || '',
+        severity: parseSeverity(severity),
+        cwes: cwes || ''
+    };
+}
+/**
+ * Vulnerability database indexed by package name for efficient lookup.
+ */
+export class VulnerabilityDatabase {
+    private readonly byPackage: Map<string, Vulnerability[]>;
+    private constructor(vulnerabilities: Vulnerability[]) {
+        this.byPackage = new Map();
+        for (const v of vulnerabilities) {
+            const existing = this.byPackage.get(v.packageName);
+            if (existing) {
+                existing.push(v);
+            } else {
+                this.byPackage.set(v.packageName, [v]);
+            }
+        }
+    }
+    /**
+     * Gets all vulnerabilities for a package name.
+     */
+    getVulnerabilities(packageName: string): Vulnerability[] {
+        return this.byPackage.get(packageName) || [];
+    }
+    /**
+     * Checks if a package has any known vulnerabilities.
+     */
+    hasVulnerabilities(packageName: string): boolean {
+        return this.byPackage.has(packageName);
+    }
+    /**
+     * Gets all package names with known vulnerabilities.
+     */
+    getAffectedPackages(): string[] {
+        return Array.from(this.byPackage.keys());
+    }
+    /**
+     * Gets the total number of vulnerabilities in the database.
+     */
+    get size(): number {
+        let count = 0;
+        for (const vulns of this.byPackage.values()) {
+            count += vulns.length;
+        }
+        return count;
+    }
+    /**
+     * Loads the vulnerability database from the bundled CSV file.
+     */
+    static load(): VulnerabilityDatabase {
+        // Find the resources directory relative to this file
+        // In development: src/security/vulnerability.ts -> resources/advisories-npm.csv
+        // In production: dist/security/vulnerability.js -> resources/advisories-npm.csv
+        const possiblePaths = [
+            path.join(__dirname, '..', '..', 'resources', 'advisories-npm.csv'),
+            path.join(__dirname, '..', '..', '..', 'resources', 'advisories-npm.csv'),
+        ];
+        let csvPath: string | undefined;
+        for (const p of possiblePaths) {
+            if (fs.existsSync(p)) {
+                csvPath = p;
+                break;
+            }
+        }
+        if (!csvPath) {
+            // Return empty database if CSV not found - this allows the recipe to
+            // run without errors but won't find any vulnerabilities
+            return new VulnerabilityDatabase([]);
+        }
+        return VulnerabilityDatabase.loadFromFile(csvPath);
+    }
+    /**
+     * Loads the vulnerability database from a CSV file path.
+     */
+    static loadFromFile(filePath: string): VulnerabilityDatabase {
+        const content = fs.readFileSync(filePath, 'utf-8');
+        return VulnerabilityDatabase.loadFromString(content);
+    }
+    /**
+     * Loads the vulnerability database from a CSV string.
+     */
+    static loadFromString(content: string): VulnerabilityDatabase {
+        const vulnerabilities: Vulnerability[] = [];
+        const lines = content.split('\n');
+        for (const line of lines) {
+            const trimmed = line.trim();
+            if (!trimmed) continue;
+            const vuln = parseVulnerability(trimmed);
+            if (vuln) {
+                vulnerabilities.push(vuln);
+            }
+        }
+        return new VulnerabilityDatabase(vulnerabilities);
+    }
+    /**
+     * Creates an empty vulnerability database (for testing).
+     */
+    static empty(): VulnerabilityDatabase {
+        return new VulnerabilityDatabase([]);
+    }
+    /**
+     * Creates a vulnerability database from a list of vulnerabilities (for testing).
+     */
+    static fromList(vulnerabilities: Vulnerability[]): VulnerabilityDatabase {
+        return new VulnerabilityDatabase(vulnerabilities);
+    }
+}