@socketsecurity/cli 0.10.1 → 0.11.1

package/lib/commands/cdxgen/index.js

@@ -1,211 +0,0 @@
-/* eslint-disable no-console */
-
-import { existsSync, promises as fs } from 'node:fs'
-import path from 'node:path'
-import { fileURLToPath } from 'node:url'
-
-import chalk from 'chalk'
-import { $ } from 'execa'
-import yargsParse from 'yargs-parser'
-
-const __dirname = path.dirname(fileURLToPath(import.meta.url))
-
-const {
-  SBOM_SIGN_ALGORITHM, // Algorithm. Example: RS512
-  SBOM_SIGN_PRIVATE_KEY, // Location to the RSA private key
-  SBOM_SIGN_PUBLIC_KEY // Optional. Location to the RSA public key
-} = process.env
-
-const toLower = (/** @type {string} */ arg) => arg.toLowerCase()
-const arrayToLower = (/** @type {string[]} */ arg) => arg.map(toLower)
-
-const execaConfig = {
-  env: { NODE_ENV: '' },
-  localDir: path.join(__dirname, 'node_modules'),
-}
-
-const nodejsPlatformTypes = [
-  'javascript',
-  'js',
-  'nodejs',
-  'npm',
-  'pnpm',
-  'ts',
-  'tsx',
-  'typescript'
-]
-
-const yargsConfig = {
-  configuration: {
-    'camel-case-expansion': false,
-    'strip-aliased': true,
-    'parse-numbers': false,
-    'populate--': true,
-    'unknown-options-as-args': true
-  },
-  coerce: {
-    author: arrayToLower,
-    filter: arrayToLower,
-    only: arrayToLower,
-    profile: toLower,
-    standard: arrayToLower,
-    type: toLower
-  },
-  default: {
-    //author: ['OWASP Foundation'],
-    //'auto-compositions': true,
-    //babel: true,
-    //evidence: false,
-    //'include-crypto': false,
-    //'include-formulation': false,
-    //'install-deps': true,
-    //output: 'bom.json',
-    //profile: 'generic',
-    //'project-version': '',
-    //recurse: true,
-    //'server-host': '127.0.0.1',
-    //'server-port': '9090',
-    //'spec-version': '1.5',
-    type: 'js',
-    //validate: true,
-  },
-  alias: {
-    help: ['h'],
-    output: ['o'],
-    print: ['p'],
-    recurse: ['r'],
-    'resolve-class': ['c'],
-    type: ['t'],
-    version: ['v'],
-  },
-  array: [
-    { key: 'author', type: 'string' },
-    { key: 'exclude', type: 'string' },
-    { key: 'filter', type: 'string' },
-    { key: 'only', type: 'string' },
-    { key: 'standard', type: 'string' }
-  ],
-  boolean: [
-    'auto-compositions',
-    'babel',
-    'deep',
-    'evidence',
-    'fail-on-error',
-    'generate-key-and-sign',
-    'help',
-    'include-formulation',
-    'include-crypto',
-    'install-deps',
-    'print',
-    'required-only',
-    'server',
-    'validate',
-    'version',
-  ],
-  string: [
-    'api-key',
-    'output',
-    'parent-project-id',
-    'profile',
-    'project-group',
-    'project-name',
-    'project-version',
-    'project-id',
-    'server-host',
-    'server-port',
-    'server-url',
-    'spec-version',
-  ]
-}
-
-/**
- *
- * @param {{ [key: string]: boolean | null | number | string | (string | number)[]}} argv
- * @returns {string[]}
- */
-function argvToArray (/** @type {any} */ argv) {
-  if (argv['help']) return ['--help']
-  const result = []
-  for (const { 0: key, 1: value } of Object.entries(argv)) {
-    if (key === '_' || key === '--') continue
-    if (key === 'babel' || key === 'install-deps' || key === 'validate') {
-      // cdxgen documents no-babel, no-install-deps, and no-validate flags so
-      // use them when relevant.
-      result.push(`--${value ? key : `no-${key}`}`)
-    } else if (value === true) {
-      result.push(`--${key}`)
-    } else if (typeof value === 'string') {
-      result.push(`--${key}=${value}`)
-    } else if (Array.isArray(value)) {
-      result.push(`--${key}`, ...value.map(String))
-    }
-  }
-  if (argv['--']) {
-    result.push('--', ...argv['--'])
-  }
-  return result
-}
-
-/** @type {import('../../utils/meow-with-subcommands.js').CliSubcommand} */
-export const cdxgen = {
-  description: 'Create an SBOM with CycloneDX generator (cdxgen)',
-  async run (argv_) {
-    const /** @type {any} */ yargv = {
-      __proto__: null,
-      // @ts-ignore
-      ...yargsParse(argv_, yargsConfig)
-    }
-
-    const /** @type {string[]} */ unknown = yargv._
-    const { length: unknownLength } = unknown
-    if (unknownLength) {
-      console.error(`Unknown argument${unknownLength > 1 ? 's' : ''}: ${yargv._.join(', ')}`)
-      process.exitCode = 1
-      return
-    }
-
-    let cleanupPackageLock = false
-    if (
-      yargv.type !== 'yarn' &&
-      nodejsPlatformTypes.includes(yargv.type) &&
-      existsSync('./yarn.lock')
-    ) {
-      if (existsSync('./package-lock.json')) {
-        yargv.type = 'npm'
-      } else {
-        // Use synp to create a package-lock.json from the yarn.lock,
-        // based on the node_modules folder, for a more accurate SBOM.
-        try {
-          await $(execaConfig)`synp --source-file ./yarn.lock`
-          yargv.type = 'npm'
-          cleanupPackageLock = true
-        } catch {}
-      }
-    }
-
-    if (yargv.output === undefined) {
-      yargv.output = 'socket-cdx.json'
-    }
-
-    await $({
-      ...execaConfig,
-      env: {
-        NODE_ENV: '',
-        SBOM_SIGN_ALGORITHM,
-        SBOM_SIGN_PRIVATE_KEY,
-        SBOM_SIGN_PUBLIC_KEY
-      },
-      stdout: 'inherit'
-    })`cdxgen ${argvToArray(yargv)}`
-
-    if (cleanupPackageLock) {
-      try {
-        await fs.unlink('./package-lock.json')
-      } catch {}
-    }
-    const fullOutputPath = path.join(process.cwd(), yargv.output)
-    if (existsSync(fullOutputPath)) {
-      console.log(chalk.cyanBright(`${yargv.output} created!`))
-    }
-  }
-}

package/lib/commands/dependencies/index.js

@@ -1,150 +0,0 @@
-/* eslint-disable no-console */
-
-import chalk from 'chalk'
-// @ts-ignore
-import chalkTable from 'chalk-table'
-import meow from 'meow'
-import ora from 'ora'
-
-import { outputFlags } from '../../flags/index.js'
-import { handleApiCall, handleUnsuccessfulApiResponse } from '../../utils/api-helpers.js'
-import { prepareFlags } from '../../utils/flags.js'
-import { printFlagList } from '../../utils/formatting.js'
-import { getDefaultKey, setupSdk } from '../../utils/sdk.js'
-
-/** @type {import('../../utils/meow-with-subcommands.js').CliSubcommand} */
-export const dependencies = {
-  description: 'Search for any dependency that is being used in your organization',
-  async run (argv, importMeta, { parentName }) {
-    const name = parentName + ' dependencies'
-
-    const input = setupCommand(name, dependencies.description, argv, importMeta)
-    if (input) {
-      const spinnerText = 'Searching dependencies...'
-      const spinner = ora(spinnerText).start()
-      await searchDeps(input, spinner)
-    }
-  }
-}
-
-const dependenciesFlags = prepareFlags({
-    limit: {
-      type: 'number',
-      shortFlag: 'l',
-      default: 50,
-      description: 'Maximum number of dependencies returned',
-    },
-    offset: {
-      type: 'number',
-      shortFlag: 'o',
-      default: 0,
-      description: 'Page number',
-    }
-  })
-
-// Internal functions
-
-/**
- * @typedef Command
- * @property {boolean} outputJson
- * @property {boolean} outputMarkdown
- * @property {number} limit
- * @property {number} offset
- */
-
-/**
- * @param {string} name
- * @param {string} description
- * @param {readonly string[]} argv
- * @param {ImportMeta} importMeta
- * @returns {void|Command}
- */
-function setupCommand (name, description, argv, importMeta) {
-  const flags = {
-    ...outputFlags,
-    ...dependenciesFlags
-  }
-
-  const cli = meow(`
-    Usage
-      $ ${name}
-
-    Options
-      ${printFlagList(flags, 6)}
-
-    Examples
-      $ ${name}
-  `, {
-    argv,
-    description,
-    importMeta,
-    flags
-  })
-
-  const {
-    json: outputJson,
-    markdown: outputMarkdown,
-    limit,
-    offset
-  } = cli.flags
-
-  return {
-    outputJson,
-    outputMarkdown,
-    limit,
-    offset
-  }
-}
-
-/**
- * @typedef DependenciesData
- * @property {import('@socketsecurity/sdk').SocketSdkReturnType<'searchDependencies'>["data"]} data
- */
-
-/**
- * @param {Command} input
- * @param {import('ora').Ora} spinner
- * @returns {Promise<void|DependenciesData>}
- */
-async function searchDeps ({ limit, offset, outputJson }, spinner) {
-  const socketSdk = await setupSdk(getDefaultKey())
-  const result = await handleApiCall(socketSdk.searchDependencies({ limit, offset }), 'Searching dependencies')
-
-  if (!result.success) {
-    return handleUnsuccessfulApiResponse('searchDependencies', result, spinner)
-  }
-
-  spinner.stop()
-
-  console.log('Organization dependencies: \n')
-
-  if (outputJson) {
-    return console.log(result.data)
-  }
-
-  const options = {
-    columns: [
-      { field: 'namespace', name: chalk.cyan('Namespace') },
-      { field: 'name', name: chalk.cyan('Name') },
-      { field: 'version', name: chalk.cyan('Version') },
-      { field: 'repository', name: chalk.cyan('Repository') },
-      { field: 'branch', name: chalk.cyan('Branch') },
-      { field: 'type', name: chalk.cyan('Type') },
-      { field: 'direct', name: chalk.cyan('Direct') }
-    ]
-  }
-
-  const formattedResults = result.data.rows.map((/** @type {{[key:string]: any}} */ d) => {
-    return {
-      ...d
-    }
-  })
-
-  const table = chalkTable(options, formattedResults)
-
-  console.log(table, '\n')
-
-  return {
-    data: result.data
-  }
-}

package/lib/commands/index.js

@@ -1,14 +0,0 @@
-export * from './cdxgen/index.js'
-export * from './info/index.js'
-export * from './login/index.js'
-export * from './logout/index.js'
-export * from './npm/index.js'
-export * from './npx/index.js'
-export * from './raw-npm/index.js'
-export * from './raw-npx/index.js'
-export * from './report/index.js'
-export * from './wrapper/index.js'
-export * from './scan/index.js'
-export * from './audit-log/index.js'
-export * from './repos/index.js'
-export * from './dependencies/index.js'

package/lib/commands/info/index.js

@@ -1,287 +0,0 @@
-/* eslint-disable no-console */
-
-import chalk from 'chalk'
-import meow from 'meow'
-import ora from 'ora'
-
-import { outputFlags, validationFlags } from '../../flags/index.js'
-import { handleApiCall, handleUnsuccessfulApiResponse } from '../../utils/api-helpers.js'
-import { ChalkOrMarkdown } from '../../utils/chalk-markdown.js'
-import { prepareFlags } from '../../utils/flags.js'
-import { formatSeverityCount, getCountSeverity } from '../../utils/format-issues.js'
-import { printFlagList } from '../../utils/formatting.js'
-import { objectSome } from '../../utils/misc.js'
-import { FREE_API_KEY, getDefaultKey, setupSdk } from '../../utils/sdk.js'
-
-/** @type {import('../../utils/meow-with-subcommands.js').CliSubcommand} */
-export const info = {
-  description: 'Look up info regarding a package',
-  async run (argv, importMeta, { parentName }) {
-    const name = parentName + ' info'
-
-    const input = setupCommand(name, info.description, argv, importMeta)
-    if (input) {
-      const spinnerText = `Looking up data for packages: ${input.packages.join(', ')}\n`
-      const spinner = ora(spinnerText).start()
-      const packageData = await fetchPackageData(input.packages, input.includeAlerts, spinner)
-      if (packageData) {
-        formatPackageDataOutput(packageData, { name, ...input }, spinner)
-      }
-    }
-  }
-}
-
-const infoFlags = prepareFlags({
-  // At the moment in API v0, alerts and license do the same thing.
-  // The license parameter will be implemented later.
-  // license: {
-  //   type: 'boolean',
-  //   shortFlag: 'l',
-  //   default: false,
-  //   description: 'Include license - Default is false',
-  // },
-  alerts: {
-    type: 'boolean',
-    shortFlag: 'a',
-    default: false,
-    description: 'Include alerts - Default is false',
-  }
-})
-
-// Internal functions
-
-/**
- * @typedef CommandContext
- * @property {boolean} includeAlerts
- * @property {boolean} outputJson
- * @property {boolean} outputMarkdown
- * @property {string[]} packages
- * @property {boolean} strict
- */
-
-/**
- * @param {string} name
- * @param {string} description
- * @param {readonly string[]} argv
- * @param {ImportMeta} importMeta
- * @returns {void|CommandContext}
- */
-function setupCommand (name, description, argv, importMeta) {
-  const flags = {
-    ...outputFlags,
-    ...validationFlags,
-    ...infoFlags
-  }
-
-  const cli = meow(`
-    Usage
-      $ ${name} <ecosystem>:<name>@<version>
-
-    Options
-      ${printFlagList(flags, 6)}
-
-    Examples
-      $ ${name} npm:webtorrent
-      $ ${name} npm:webtorrent@1.9.1
-  `, {
-    argv,
-    description,
-    importMeta,
-    flags
-  })
-
-  const {
-    alerts: includeAlerts,
-    json: outputJson,
-    markdown: outputMarkdown,
-    strict,
-  } = cli.flags
-
-  const [rawPkgName = ''] = cli.input
-
-  if (!rawPkgName) {
-    console.error(`${chalk.bgRed('Input error')}: Please provide an ecosystem and package name`)
-    cli.showHelp()
-    return
-  }
-
-  const /** @type {string[]} */inputPkgs = []
-
-  cli.input.map(pkg => {
-    const ecosystem = pkg.split(':')[0]
-    if (!ecosystem) {
-      console.error(`Package name ${pkg} formatted incorrectly.`)
-      return cli.showHelp()
-    } else {
-      const versionSeparator = pkg.lastIndexOf('@')
-      const ecosystemSeparator = pkg.lastIndexOf(ecosystem)
-      const pkgName = versionSeparator < 1 ? pkg.slice(ecosystemSeparator + ecosystem.length + 1) : pkg.slice(ecosystemSeparator + ecosystem.length + 1, versionSeparator)
-      const pkgVersion = versionSeparator < 1 ? 'latest' : pkg.slice(versionSeparator + 1)
-      inputPkgs.push(`${ecosystem}/${pkgName}@${pkgVersion}`)
-    }
-    return inputPkgs
-  })
-
-  return {
-    includeAlerts,
-    outputJson,
-    outputMarkdown,
-    packages: inputPkgs,
-    strict,
-  }
-}
-
-/**
- * @typedef PackageData
- * @property {import('@socketsecurity/sdk').SocketSdkReturnType<'batchPackageFetch'>["data"]} data
- */
-
-/**
- * @param {string[]} packages
- * @param {boolean} includeAlerts
- * @param {import('ora').Ora} spinner
- * @returns {Promise<void|PackageData>}
- */
-async function fetchPackageData (packages, includeAlerts, spinner) {
-  const socketSdk = await setupSdk(getDefaultKey() || FREE_API_KEY)
-
-  const components = packages.map(pkg => {
-    return { 'purl': `pkg:${pkg}` }
-  })
-
-  const result = await handleApiCall(socketSdk.batchPackageFetch(
-    { alerts: includeAlerts.toString() },
-    {
-        components
-    }), 'looking up package')
-
-  if (!result.success) {
-    return handleUnsuccessfulApiResponse('batchPackageFetch', result, spinner)
-  }
-
-  // @ts-ignore
-  result.data.map(pkg => {
-    const severityCount = pkg.alerts && getCountSeverity(pkg.alerts, includeAlerts ? undefined : 'high')
-    pkg.severityCount = severityCount
-    return pkg
-  })
-
-  spinner.stop()
-
-  return {
-    data: result.data
-  }
-}
-
-/**
- * @param {CommandContext} data
- * @param {{ name: string } & CommandContext} context
- * @param {import('ora').Ora} spinner
- * @returns {void}
- */
-function formatPackageDataOutput (/** @type {{ [key: string]: any }} */ { data }, { outputJson, outputMarkdown, strict }, spinner) {
-  if (outputJson) {
-    console.log(JSON.stringify(data, undefined, 2))
-  } else {
-    data.map((/** @type {{[key:string]: any}} */ d) => {
-      const { score, license, name, severityCount, version } = d
-      console.log(`\nPackage metrics for ${name}:`)
-
-      const scoreResult = {
-        'Supply Chain Risk': Math.floor(score.supplyChain * 100),
-        'Maintenance': Math.floor(score.maintenance * 100),
-        'Quality': Math.floor(score.quality * 100),
-        'Vulnerabilities': Math.floor(score.vulnerability * 100),
-        'License': Math.floor(score.license * 100),
-        'Overall': Math.floor(score.overall * 100)
-      }
-
-      Object.entries(scoreResult).map(score => console.log(`- ${score[0]}: ${formatScore(score[1])}`))
-
-      // Package license
-      console.log('\nPackage license:')
-      console.log(`${license}`)
-
-      // Package issues list
-      if (objectSome(severityCount)) {
-        const issueSummary = formatSeverityCount(severityCount)
-        console.log('\n')
-        spinner[strict ? 'fail' : 'succeed'](`Package has these issues: ${issueSummary}`)
-        formatPackageIssuesDetails(data.alerts, outputMarkdown)
-      } else if (severityCount && !objectSome(severityCount)) {
-        console.log('\n')
-        spinner.succeed('Package has no issues')
-      }
-
-      // Link to issues list
-      const format = new ChalkOrMarkdown(!!outputMarkdown)
-      const url = `https://socket.dev/npm/package/${name}/overview/${version}`
-      if (version === 'latest') {
-        console.log('\nDetailed info on socket.dev: ' + format.hyperlink(`${name}`, url, { fallbackToUrl: true }))
-      } else {
-        console.log('\nDetailed info on socket.dev: ' + format.hyperlink(`${name} v${version}`, url, { fallbackToUrl: true }))
-      }
-      if (!outputMarkdown) {
-        console.log(chalk.dim('\nOr rerun', chalk.italic(name), 'using the', chalk.italic('--json'), 'flag to get full JSON output'))
-      }
-
-      if (strict && objectSome(severityCount)) {
-        process.exit(1)
-      }
-      return d
-    })
-  }
-}
-
-/**
- * @param {{[key: string]: any}[]} alertsData
- * @param {boolean} outputMarkdown
- * @returns {void[]}
- */
-function formatPackageIssuesDetails (alertsData, outputMarkdown) {
-  const issueDetails = alertsData.filter(d => d['severity'] === 'high' || d['severity'] === 'critical')
-
-  const uniqueIssues = issueDetails.reduce((/** @type {{ [key: string]: {count: Number, label: string | undefined} }} */ acc, issue) => {
-  const { type } = issue
-    if (type) {
-      if (!acc[type]) {
-        acc[type] = {
-          label: issue['type'],
-          count: 1
-        }
-      } else {
-        // @ts-ignore
-        acc[type].count += 1
-      }
-    }
-    return acc
-  }, {})
-
-  const format = new ChalkOrMarkdown(!!outputMarkdown)
-
-  return Object.keys(uniqueIssues).map(issue => {
-    const issueWithLink = format.hyperlink(`${uniqueIssues[issue]?.label}`, `https://socket.dev/npm/issue/${issue}`, { fallbackToUrl: true })
-    if (uniqueIssues[issue]?.count === 1) {
-      return console.log(`- ${issueWithLink}`)
-    }
-    return console.log(`- ${issueWithLink}: ${uniqueIssues[issue]?.count}`)
-  })
-}
-
-/**
- * @param {number} score
- * @returns {string}
- */
-function formatScore (score) {
-  const error = chalk.hex('#de7c7b')
-  const warning = chalk.hex('#e59361')
-  const success = chalk.hex('#a4cb9d')
-
-  if (score > 80) {
-    return `${success(score)}`
-  } else if (score < 80 && score > 60) {
-    return `${warning(score)}`
-  } else {
-    return `${error(score)}`
-  }
-}