@socketsecurity/cli 0.8.2 → 0.9.3

package/README.md

@@ -18,6 +18,7 @@ socket --help
 socket info webtorrent@1.9.1
 socket report create package.json --view
 socket report view QXU8PmK7LfH608RAwfIKdbcHgwEd_ZeWJ9QEGv05FJUQ
+socket wrapper --enable
 ```
 
 ## Commands
@@ -35,6 +36,10 @@ socket report view QXU8PmK7LfH608RAwfIKdbcHgwEd_ZeWJ9QEGv05FJUQ
 
 * `socket report view <report-id>` - looks up issues and scores from a report
 
+* `socket wrapper --enable` and `socket wrapper --disable` - Enables and disables the Socket 'safe-npm' wrapper.
+
+* `socket raw-npm` and `socket raw-npx` - Temporarily disables the Socket 'safe-npm' wrapper.
+
 ## Aliases
 
 All aliases supports flags and arguments of the commands they alias.

package/cli.js

@@ -15,8 +15,17 @@ import { initUpdateNotifier } from './lib/utils/update-notifier.js'
 initUpdateNotifier()
 
 try {
+  const formattedCliCommands = Object.fromEntries(Object.entries(cliCommands).map((entry) => {
+    if (entry[0] === 'rawNpm') {
+      entry[0] = 'raw-npm'
+    } else if (entry[0] === 'rawNpx') {
+      entry[0] = 'raw-npx'
+    }
+    return entry
+  }))
+
   await meowWithSubcommands(
-    cliCommands,
+    formattedCliCommands,
     {
       aliases: {
         ci: {

package/lib/commands/index.js

@@ -4,3 +4,6 @@ export * from './npm/index.js'
 export * from './npx/index.js'
 export * from './login/index.js'
 export * from './logout/index.js'
+export * from './wrapper/index.js'
+export * from './raw-npm/index.js'
+export * from './raw-npx/index.js'

package/lib/commands/info/index.js

@@ -20,10 +20,13 @@ export const info = {
     const name = parentName + ' info'
 
     const input = setupCommand(name, info.description, argv, importMeta)
-    const packageData = input && await fetchPackageData(input.pkgName, input.pkgVersion, input)
-
-    if (packageData) {
-      formatPackageDataOutput(packageData, { name, ...input })
+    if (input) {
+      const spinnerText = input.pkgVersion === 'latest' ? `Looking up data for the latest version of ${input.pkgName}\n` : `Looking up data for version ${input.pkgVersion} of ${input.pkgName}\n`
+      const spinner = ora(spinnerText).start()
+      const packageData = await fetchPackageData(input.pkgName, input.pkgVersion, input, spinner)
+      if (packageData) {
+        formatPackageDataOutput(packageData, { name, ...input }, spinner)
+      }
     }
   }
 }
@@ -90,16 +93,8 @@ function setupCommand (name, description, argv, importMeta) {
 
   const versionSeparator = rawPkgName.lastIndexOf('@')
 
-  if (versionSeparator < 1) {
-    throw new InputError('Need to specify a full package identifier, like eg: webtorrent@1.0.0')
-  }
-
-  const pkgName = rawPkgName.slice(0, versionSeparator)
-  const pkgVersion = rawPkgName.slice(versionSeparator + 1)
-
-  if (!pkgVersion) {
-    throw new InputError('Need to specify a version, like eg: webtorrent@1.0.0')
-  }
+  const pkgName = versionSeparator < 1 ? rawPkgName : rawPkgName.slice(0, versionSeparator)
+  const pkgVersion = versionSeparator < 1 ? 'latest' : rawPkgName.slice(versionSeparator + 1)
 
   return {
     includeAllIssues,
@@ -115,53 +110,78 @@ function setupCommand (name, description, argv, importMeta) {
  * @typedef PackageData
  * @property {import('@socketsecurity/sdk').SocketSdkReturnType<'getIssuesByNPMPackage'>["data"]} data
  * @property {Record<import('../../utils/format-issues').SocketIssue['severity'], number>} severityCount
+ * @property {import('@socketsecurity/sdk').SocketSdkReturnType<'getScoreByNPMPackage'>["data"]} score
  */
 
 /**
  * @param {string} pkgName
  * @param {string} pkgVersion
- * @param {Pick<CommandContext, 'includeAllIssues' | 'strict'>} context
+ * @param {Pick<CommandContext, 'includeAllIssues'>} context
+ * @param {import('ora').Ora} spinner
  * @returns {Promise<void|PackageData>}
  */
-async function fetchPackageData (pkgName, pkgVersion, { includeAllIssues, strict }) {
+async function fetchPackageData (pkgName, pkgVersion, { includeAllIssues }, spinner) {
   const socketSdk = await setupSdk(getDefaultKey() || FREE_API_KEY)
-  const spinner = ora(`Looking up data for version ${pkgVersion} of ${pkgName}`).start()
   const result = await handleApiCall(socketSdk.getIssuesByNPMPackage(pkgName, pkgVersion), 'looking up package')
+  const scoreResult = await handleApiCall(socketSdk.getScoreByNPMPackage(pkgName, pkgVersion), 'looking up package score')
 
   if (result.success === false) {
     return handleUnsuccessfulApiResponse('getIssuesByNPMPackage', result, spinner)
   }
 
-  // Conclude the status of the API call
+  if (scoreResult.success === false) {
+    return handleUnsuccessfulApiResponse('getScoreByNPMPackage', scoreResult, spinner)
+  }
 
+  // Conclude the status of the API call
   const severityCount = getSeverityCount(result.data, includeAllIssues ? undefined : 'high')
 
-  if (objectSome(severityCount)) {
-    const issueSummary = formatSeverityCount(severityCount)
-    spinner[strict ? 'fail' : 'succeed'](`Package has these issues: ${issueSummary}`)
-  } else {
-    spinner.succeed('Package has no issues')
-  }
-
   return {
     data: result.data,
     severityCount,
+    score: scoreResult.data
   }
 }
 
 /**
  * @param {PackageData} packageData
  * @param {{ name: string } & CommandContext} context
+ * @param {import('ora').Ora} spinner
  * @returns {void}
  */
- function formatPackageDataOutput ({ data, severityCount }, { name, outputJson, outputMarkdown, pkgName, pkgVersion, strict }) {
+ function formatPackageDataOutput ({ data, severityCount, score }, { name, outputJson, outputMarkdown, pkgName, pkgVersion, strict }, spinner) {
   if (outputJson) {
     console.log(JSON.stringify(data, undefined, 2))
   } else {
+    console.log('\nPackage report card:')
+    const scoreResult = {
+      'Supply Chain Risk': Math.floor(score.supplyChainRisk.score * 100),
+      'Maintenance': Math.floor(score.maintenance.score * 100),
+      'Quality': Math.floor(score.quality.score * 100),
+      'Vulnerabilities': Math.floor(score.vulnerability.score * 100),
+      'License': Math.floor(score.license.score * 100)
+    }
+    Object.entries(scoreResult).map(score => console.log(`- ${score[0]}: ${formatScore(score[1])}`))
+
+    // Package issues list
+    if (objectSome(severityCount)) {
+      const issueSummary = formatSeverityCount(severityCount)
+      console.log('\n')
+      spinner[strict ? 'fail' : 'succeed'](`Package has these issues: ${issueSummary}`)
+      formatPackageIssuesDetails(data, outputMarkdown)
+    } else {
+      console.log('\n')
+      spinner.succeed('Package has no issues')
+    }
+
+    // Link to issues list
     const format = new ChalkOrMarkdown(!!outputMarkdown)
     const url = `https://socket.dev/npm/package/${pkgName}/overview/${pkgVersion}`
-
-    console.log('\nDetailed info on socket.dev: ' + format.hyperlink(`${pkgName} v${pkgVersion}`, url, { fallbackToUrl: true }))
+    if (pkgVersion === 'latest') {
+      console.log('\nDetailed info on socket.dev: ' + format.hyperlink(`${pkgName}`, url, { fallbackToUrl: true }))
+    } else {
+      console.log('\nDetailed info on socket.dev: ' + format.hyperlink(`${pkgName} v${pkgVersion}`, url, { fallbackToUrl: true }))
+    }
     if (!outputMarkdown) {
       console.log(chalk.dim('\nOr rerun', chalk.italic(name), 'using the', chalk.italic('--json'), 'flag to get full JSON output'))
     }
@@ -171,3 +191,55 @@ async function fetchPackageData (pkgName, pkgVersion, { includeAllIssues, strict
     process.exit(1)
   }
 }
+
+/**
+ * @param {import('@socketsecurity/sdk').SocketSdkReturnType<'getIssuesByNPMPackage'>["data"]} packageData
+ * @param {boolean} outputMarkdown
+ * @returns {void[]}
+ */
+function formatPackageIssuesDetails (packageData, outputMarkdown) {
+  const issueDetails = packageData.filter(d => d.value?.severity === 'high' || d.value?.severity === 'critical')
+
+  const uniqueIssues = issueDetails.reduce((/** @type {{ [key: string]: {count: Number, label: string | undefined} }} */ acc, issue) => {
+  const { type } = issue
+    if (type) {
+      if (!acc[type]) {
+        acc[type] = {
+          label: issue.value?.label,
+          count: 1
+        }
+      } else {
+        // @ts-ignore
+        acc[type].count += 1
+      }
+    }
+    return acc
+  }, {})
+
+  const format = new ChalkOrMarkdown(!!outputMarkdown)
+  return Object.keys(uniqueIssues).map(issue => {
+    const issueWithLink = format.hyperlink(`${uniqueIssues[issue]?.label}`, `https://socket.dev/npm/issue/${issue}`, { fallbackToUrl: true })
+    if (uniqueIssues[issue]?.count === 1) {
+      return console.log(`- ${issueWithLink}`)
+    }
+    return console.log(`- ${issueWithLink}: ${uniqueIssues[issue]?.count}`)
+  })
+}
+
+/**
+ * @param {number} score
+ * @returns {string}
+ */
+function formatScore (score) {
+  const error = chalk.hex('#de7c7b')
+  const warning = chalk.hex('#e59361')
+  const success = chalk.hex('#a4cb9d')
+
+  if (score > 80) {
+    return `${success(score)}`
+  } else if (score < 80 && score > 60) {
+    return `${warning(score)}`
+  } else {
+    return `${error(score)}`
+  }
+}

package/lib/commands/raw-npm/index.js

@@ -0,0 +1,59 @@
+import { spawn } from 'child_process'
+
+import meow from 'meow'
+
+import { validationFlags } from '../../flags/index.js'
+import { printFlagList } from '../../utils/formatting.js'
+
+/** @type {import('../../utils/meow-with-subcommands.js').CliSubcommand} */
+export const rawNpm = {
+  description: 'Temporarily disable the Socket npm wrapper',
+  async run (argv, importMeta, { parentName }) {
+    const name = parentName + ' raw-npm'
+
+    setupCommand(name, rawNpm.description, argv, importMeta)
+  }
+}
+
+/**
+ * @param {string} name
+ * @param {string} description
+ * @param {readonly string[]} argv
+ * @param {ImportMeta} importMeta
+ * @returns {void}
+ */
+function setupCommand (name, description, argv, importMeta) {
+  const flags = validationFlags
+
+  const cli = meow(`
+    Usage
+      $ ${name} <npm command>
+
+    Options
+      ${printFlagList(flags, 6)}
+
+    Examples
+      $ ${name} install
+  `, {
+    argv,
+    description,
+    importMeta,
+    flags
+  })
+
+  if (!argv[0]) {
+    cli.showHelp()
+    return
+  }
+
+  spawn('npm', [argv.join(' ')], {
+    stdio: 'inherit',
+    shell: true
+  }).on('exit', (code, signal) => {
+    if (signal) {
+      process.kill(process.pid, signal)
+    } else if (code !== null) {
+      process.exit(code)
+    }
+  })
+}

package/lib/commands/raw-npx/index.js

@@ -0,0 +1,59 @@
+import { spawn } from 'child_process'
+
+import meow from 'meow'
+
+import { validationFlags } from '../../flags/index.js'
+import { printFlagList } from '../../utils/formatting.js'
+
+/** @type {import('../../utils/meow-with-subcommands.js').CliSubcommand} */
+export const rawNpx = {
+  description: 'Temporarily disable the Socket npm/npx wrapper',
+  async run (argv, importMeta, { parentName }) {
+    const name = parentName + ' raw-npx'
+
+    setupCommand(name, rawNpx.description, argv, importMeta)
+  }
+}
+
+/**
+ * @param {string} name
+ * @param {string} description
+ * @param {readonly string[]} argv
+ * @param {ImportMeta} importMeta
+ * @returns {void}
+ */
+function setupCommand (name, description, argv, importMeta) {
+  const flags = validationFlags
+
+  const cli = meow(`
+    Usage
+      $ ${name} <npx command>
+
+    Options
+      ${printFlagList(flags, 6)}
+
+    Examples
+      $ ${name} install
+  `, {
+    argv,
+    description,
+    importMeta,
+    flags
+  })
+
+  if (!argv[0]) {
+    cli.showHelp()
+    return
+  }
+
+  spawn('npx', [argv.join(' ')], {
+    stdio: 'inherit',
+    shell: true
+  }).on('exit', (code, signal) => {
+    if (signal) {
+      process.kill(process.pid, signal)
+    } else if (code !== null) {
+      process.exit(code)
+    }
+  })
+}

package/lib/commands/wrapper/index.js

@@ -0,0 +1,199 @@
+/* eslint-disable no-console */
+import fs from 'fs'
+import homedir from 'os'
+import readline from 'readline'
+
+import meow from 'meow'
+
+import { commandFlags } from '../../flags/index.js'
+import { printFlagList } from '../../utils/formatting.js'
+
+const BASH_FILE = `${homedir.homedir()}/.bashrc`
+const ZSH_BASH_FILE = `${homedir.homedir()}/.zshrc`
+
+/** @type {import('../../utils/meow-with-subcommands').CliSubcommand} */
+export const wrapper = {
+  description: 'Enable or disable the Socket npm/npx wrapper',
+  async run (argv, importMeta, { parentName }) {
+    const name = parentName + ' wrapper'
+
+    setupCommand(name, wrapper.description, argv, importMeta)
+  }
+}
+
+/**
+ * @param {string} name
+ * @param {string} description
+ * @param {readonly string[]} argv
+ * @param {ImportMeta} importMeta
+ * @returns {void}
+ */
+function setupCommand (name, description, argv, importMeta) {
+  const flags = commandFlags
+
+  const cli = meow(`
+    Usage
+      $ ${name} <flag>
+
+    Options
+      ${printFlagList(flags, 6)}
+
+    Examples
+      $ ${name} --enable
+      $ ${name} --disable
+  `, {
+    argv,
+    description,
+    importMeta,
+    flags
+  })
+
+  const { enable, disable } = cli.flags
+
+  if (argv[0] === '--postinstall') {
+    // Check if the wrapper is already enabled before showing the postinstall prompt
+    const socketWrapperEnabled = (fs.existsSync(BASH_FILE) && checkSocketWrapperAlreadySetup(BASH_FILE)) || (fs.existsSync(ZSH_BASH_FILE) && checkSocketWrapperAlreadySetup(ZSH_BASH_FILE))
+
+    if (!socketWrapperEnabled) {
+      installSafeNpm(`The Socket CLI is now successfully installed! 🎉
+
+      To better protect yourself against supply-chain attacks, our "safe npm" wrapper can warn you about malicious packages whenever you run 'npm install'.
+
+      Do you want to install "safe npm" (this will create an alias to the socket-npm command)? (y/n)`)
+    }
+
+    return
+  }
+
+  if (!enable && !disable) {
+    cli.showHelp()
+    return
+  }
+
+  if (enable) {
+      if (fs.existsSync(BASH_FILE)) {
+        const socketWrapperEnabled = checkSocketWrapperAlreadySetup(BASH_FILE)
+        !socketWrapperEnabled && addAlias(BASH_FILE)
+      }
+      if (fs.existsSync(ZSH_BASH_FILE)) {
+        const socketWrapperEnabled = checkSocketWrapperAlreadySetup(ZSH_BASH_FILE)
+        !socketWrapperEnabled && addAlias(ZSH_BASH_FILE)
+      }
+  } else if (disable) {
+    if (fs.existsSync(BASH_FILE)) {
+      removeAlias(BASH_FILE)
+    }
+    if (fs.existsSync(ZSH_BASH_FILE)) {
+      removeAlias(ZSH_BASH_FILE)
+    }
+  }
+  if (!fs.existsSync(BASH_FILE) && !fs.existsSync(ZSH_BASH_FILE)) {
+    console.error('There was an issue setting up the alias in your bash profile')
+  }
+  return
+}
+
+/**
+ * @param {string} query
+ * @returns {void}
+ */
+const installSafeNpm = (query) => {
+  console.log(`
+ _____         _       _
+|   __|___ ___| |_ ___| |_
+|__   | . |  _| '_| -_|  _|
+|_____|___|___|_,_|___|_|
+
+`)
+
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  })
+  return askQuestion(rl, query)
+}
+
+/**
+ * @param {any} rl
+ * @param {string} query
+ * @returns {void}
+ */
+const askQuestion = (rl, query) => {
+  rl.question(query, (/** @type {string} */ ans) => {
+    if (ans.toLowerCase() === 'y') {
+      try {
+        if (fs.existsSync(BASH_FILE)) {
+          addAlias(BASH_FILE)
+        }
+        if (fs.existsSync(ZSH_BASH_FILE)) {
+          addAlias(ZSH_BASH_FILE)
+        }
+      } catch (e) {
+        throw new Error(`There was an issue setting up the alias: ${e}`)
+      }
+      rl.close()
+    } else if (ans.toLowerCase() !== 'n') {
+      askQuestion(rl, 'Incorrect input: please enter either y (yes) or n (no): ')
+    } else {
+      rl.close()
+    }
+  })
+}
+
+/**
+ * @param {string} file
+ * @returns {void}
+ */
+const addAlias = (file) => {
+  return fs.appendFile(file, 'alias npm="socket npm"\nalias npx="socket npx"\n', (err) => {
+    if (err) {
+      return new Error(`There was an error setting up the alias: ${err}`)
+    }
+    console.log(`
+The alias was added to ${file}. Running 'npm install' will now be wrapped in Socket's "safe npm" 🎉
+If you want to disable it at any time, run \`socket wrapper --disable\`
+`)
+  })
+}
+
+/**
+ * @param {string} file
+ * @returns {void}
+ */
+const removeAlias = (file) => {
+  return fs.readFile(file, 'utf8', function (err, data) {
+    if (err) {
+      console.error(`There was an error removing the alias: ${err}`)
+      return
+    }
+    const linesWithoutSocketAlias = data.split('\n').filter(l => l !== 'alias npm="socket npm"' && l !== 'alias npx="socket npx"')
+
+    const updatedFileContent = linesWithoutSocketAlias.join('\n')
+
+    fs.writeFile(file, updatedFileContent, function (err) {
+      if (err) {
+        console.log(err)
+        return
+      } else {
+         console.log(`
+The alias was removed from ${file}. Running 'npm install' will now run the standard npm command.
+`)
+      }
+    })
+  })
+}
+
+/**
+ * @param {string} file
+ * @returns {boolean}
+ */
+const checkSocketWrapperAlreadySetup = (file) => {
+  const fileContent = fs.readFileSync(file, 'utf-8')
+  const linesWithSocketAlias = fileContent.split('\n').filter(l => l === 'alias npm="socket npm"' || l === 'alias npx="socket npx"')
+
+  if (linesWithSocketAlias.length) {
+    console.log(`The Socket npm/npx wrapper is set up in your bash profile (${file}).`)
+    return true
+  }
+  return false
+}

package/lib/flags/command.js

@@ -0,0 +1,14 @@
+import { prepareFlags } from '../utils/flags.js'
+
+export const commandFlags = prepareFlags({
+  enable: {
+    type: 'boolean',
+    default: false,
+    description: 'Enables the Socket npm/npx wrapper',
+  },
+  disable: {
+    type: 'boolean',
+    default: false,
+    description: 'Disables the Socket npm/npx wrapper',
+  }
+})

package/lib/flags/index.js

@@ -1,2 +1,3 @@
 export { outputFlags } from './output.js'
 export { validationFlags } from './validation.js'
+export { commandFlags } from './command.js'

package/lib/utils/path-resolve.js

@@ -101,7 +101,7 @@ export async function mapGlobEntryToFiles (entry, supportedFiles) {
   const pyFilePatterns = Object.values(supportedFiles['pypi'] || {})
     .map(p => `**/${/** @type {{ pattern: string }} */ (p).pattern}`)
 
-  const goSupported = supportedFiles['go'] || {}
+  const goSupported = supportedFiles['golang'] || {}
   const goSupplementalPatterns = Object.values(goSupported)
     // .filter(key => key !== 'gomod')
     .map(p => `**/${/** @type {{ pattern: string }} */ (p).pattern}`)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/cli",
-  "version": "0.8.2",
+  "version": "0.9.3",
   "description": "CLI tool for Socket.dev",
   "homepage": "http://github.com/SocketDev/socket-cli-js",
   "repository": {
@@ -40,7 +40,8 @@
     "prepare": "husky install",
     "test:unit": "c8 --reporter=lcov --reporter text node --test",
     "test-ci": "run-s test:*",
-    "test": "run-s check test:*"
+    "test": "run-s check test:*",
+    "//postinstall": "node ./cli.js wrapper --postinstall"
   },
   "devDependencies": {
     "@socketsecurity/eslint-config": "^3.0.1",
@@ -82,7 +83,7 @@
   "dependencies": {
     "@apideck/better-ajv-errors": "^0.3.6",
     "@socketsecurity/config": "^2.0.0",
-    "@socketsecurity/sdk": "^0.7.2",
+    "@socketsecurity/sdk": "^0.7.3",
     "chalk": "^5.1.2",
     "globby": "^13.1.3",
     "hpagent": "^1.2.0",