npm - audit-project-server - Versions diffs - 1.0.0 - Mend

audit-project-server 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/LICENSE +15 -0
package/README.md +175 -0
package/package.json +49 -0
package/src/index.js +31 -0
package/src/render/renderAuditResult.js +229 -0
package/src/render/renderAuditResultDashboard.js +466 -0
package/src/render/renderAuditResultHTML.js +408 -0
package/src/render/renderAuditResultTXT.js +185 -0
package/src/server.js +42 -0
package/src/utils.js +384 -0

package/src/render/renderAuditResultDashboard.js ADDED Viewed

@@ -0,0 +1,466 @@
+import fs from "fs";
+/**
+ * 渲染npm audit结果到带图表的可视化页面
+ * @param {string} auditResult JSON格式的npm audit结果
+ * @param {Object} packageJsonInfo package.json文件内容
+ * @param {string} savePath 保存路径
+ * @returns {string} 可视化页面的报告
+ */
+export async function renderAuditResultDashboard(
+  auditResult,
+  packageJsonInfo,
+  savePath,
+) {
+  try {
+    const auditData = JSON.parse(auditResult);
+    // 检查是否有错误
+    if (auditData.error) {
+      const html = `<!DOCTYPE html>
+<html lang="zh-CN">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>NPM Audit 报告 - 错误</title>
+    <style>
+        body { font-family: Arial, sans-serif; margin: 40px; line-height: 1.6; }
+        .error { color: #d32f2f; background: #ffebee; padding: 20px; border-radius: 5px; border-left: 5px solid #d32f2f; }
+        h1 { color: #333; }
+    </style>
+</head>
+<body>
+    <h1>NPM Audit 报告</h1>
+    <div class="error">
+        <h2>❌ 错误</h2>
+        <p>${auditData.error}</p>
+    </div>
+</body>
+</html>`;
+      await fs.promises.writeFile(savePath, html);
+      return;
+    }
+    // 准备数据用于图表
+    const metadata = auditData.metadata;
+    const vulnerabilities = auditData.vulnerabilities || {};
+    // 漏洞统计
+    const vulnStats = metadata?.vulnerabilities || {};
+    const vulnData = [
+      {
+        severity: "critical",
+        count: vulnStats.critical || 0,
+        color: "#d32f2f",
+      },
+      { severity: "high", count: vulnStats.high || 0, color: "#f57c00" },
+      {
+        severity: "moderate",
+        count: vulnStats.moderate || 0,
+        color: "#fbc02d",
+      },
+      { severity: "low", count: vulnStats.low || 0, color: "#388e3c" },
+      { severity: "info", count: vulnStats.info || 0, color: "#1976d2" },
+    ];
+    // 依赖统计
+    const depStats = metadata?.dependencies || {};
+    const depData = [
+      { type: "生产依赖", count: depStats.prod || 0, color: "#3498db" },
+      { type: "开发依赖", count: depStats.dev || 0, color: "#9b59b6" },
+      { type: "可选依赖", count: depStats.optional || 0, color: "#e74c3c" },
+      { type: "Peer依赖", count: depStats.peer || 0, color: "#f39c12" },
+    ];
+    // 漏洞包统计
+    const vulnPackages = Object.keys(vulnerabilities);
+    const severityCounts = {};
+    vulnPackages.forEach((pkgName) => {
+      const severity = vulnerabilities[pkgName].severity || "unknown";
+      severityCounts[severity] = (severityCounts[severity] || 0) + 1;
+    });
+    // 获取项目显示名称
+    const getProjectDisplayName = (pkgInfo) => {
+      // 优先级 1: package.json 中的 name 属性
+      if (pkgInfo.name) {
+        return pkgInfo.name;
+      }
+      // 优先级 2: GitHub 仓库信息
+      if (pkgInfo._remote && pkgInfo._remote.repo) {
+        return pkgInfo._remote.repo;
+      }
+      // 优先级 3: 项目路径（如果是本地项目）
+      if (pkgInfo._localPath) {
+        const pathParts = pkgInfo._localPath.split('/');
+        return pathParts[pathParts.length - 1] || "未命名项目";
+      }
+      // 默认值
+      return "未命名项目";
+    };
+    const projectDisplayName = getProjectDisplayName(packageJsonInfo);
+    // 获取项目版本
+    const projectVersion = packageJsonInfo.version ||
+                          (packageJsonInfo._remote && packageJsonInfo._remote.branch) ||
+                          "未知";
+    // 准备HTML内容
+    let html = `<!DOCTYPE html>
+<html lang="zh-CN">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>NPM Audit 可视化报告 - ${projectDisplayName}</title>
+    <script src="https://cdn.jsdelivr.net/npm/chart.js"></script>
+    <style>
+        * { box-sizing: border-box; }
+        body { font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif; margin: 0; padding: 20px; background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: #333; line-height: 1.6; }
+        .container { max-width: 1400px; margin: 0 auto; }
+        .header { background: white; padding: 30px; border-radius: 15px; box-shadow: 0 10px 30px rgba(0,0,0,0.1); margin-bottom: 30px; }
+        h1 { color: #2c3e50; margin: 0 0 10px 0; font-size: 2.5em; }
+        .subtitle { color: #7f8c8d; font-size: 1.2em; margin-bottom: 20px; }
+        .dashboard-grid { display: grid; grid-template-columns: repeat(auto-fit, minmax(400px, 1fr)); gap: 30px; margin-bottom: 30px; }
+        .card { background: white; padding: 25px; border-radius: 15px; box-shadow: 0 5px 15px rgba(0,0,0,0.08); }
+        .card h2 { color: #34495e; margin-top: 0; padding-bottom: 10px; border-bottom: 2px solid #ecf0f1; }
+        .stats-grid { display: grid; grid-template-columns: repeat(auto-fit, minmax(180px, 1fr)); gap: 15px; margin: 20px 0; }
+        .stat-card { background: #f8f9fa; padding: 20px; border-radius: 10px; text-align: center; transition: transform 0.3s; }
+        .stat-card:hover { transform: translateY(-5px); box-shadow: 0 5px 15px rgba(0,0,0,0.1); }
+        .stat-value { font-size: 2.5em; font-weight: bold; margin: 10px 0; }
+        .stat-label { color: #7f8c8d; font-size: 0.9em; }
+        .severity-critical { color: #d32f2f; }
+        .severity-high { color: #f57c00; }
+        .severity-moderate { color: #fbc02d; }
+        .severity-low { color: #388e3c; }
+        .severity-info { color: #1976d2; }
+        .chart-container { position: relative; height: 300px; margin: 20px 0; }
+        .vuln-list { height: 100%; overflow-y: auto; }
+        .vuln-item { padding: 15px; border-bottom: 1px solid #ecf0f1; }
+        .vuln-item:last-child { border-bottom: none; }
+        .vuln-header { display: flex; justify-content: space-between; align-items: center; margin-bottom: 10px; }
+        .vuln-name { font-weight: 600; font-size: 1.1em; }
+        .vuln-severity { padding: 5px 10px; border-radius: 20px; font-size: 0.8em; font-weight: 600; }
+        .severity-critical-bg { background: #ffebee; color: #d32f2f; }
+        .severity-high-bg { background: #fff3e0; color: #f57c00; }
+        .severity-moderate-bg { background: #fffde7; color: #fbc02d; }
+        .severity-low-bg { background: #e8f5e9; color: #388e3c; }
+        .severity-info-bg { background: #e3f2fd; color: #1976d2; }
+        .vuln-details { font-size: 0.9em; color: #666; }
+        .summary { background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white; padding: 30px; border-radius: 15px; margin-top: 30px; }
+        .summary h2 { color: white; border-bottom: 2px solid rgba(255,255,255,0.3); }
+        .summary-content { display: grid; grid-template-columns: repeat(auto-fit, minmax(300px, 1fr)); gap: 20px; }
+        .summary-item { background: rgba(255,255,255,0.1); padding: 20px; border-radius: 10px; }
+        .footer { margin-top: 40px; padding-top: 20px; border-top: 1px solid rgba(255,255,255,0.2); color: rgba(255,255,255,0.8); font-size: 0.9em; text-align: center; }
+        .timestamp { color: #7f8c8d; font-size: 0.9em; margin-top: 10px; }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <div class="header">
+            <h1>📊 NPM Audit 可视化报告</h1>
+            <div class="subtitle">${projectDisplayName} - 版本 ${projectVersion}</div>
+            <div class="timestamp">审计时间: ${new Date().toLocaleString("zh-CN")}</div>
+        </div>
+        <div class="dashboard-grid">
+            <!-- 漏洞统计卡片 -->
+            <div class="card">
+                <h2>🔍 漏洞统计</h2>
+                <div class="stats-grid">
+                    <div class="stat-card">
+                        <div class="stat-label">严重漏洞</div>
+                        <div class="stat-value severity-critical">${vulnStats.critical || 0}</div>
+                    </div>
+                    <div class="stat-card">
+                        <div class="stat-label">高危漏洞</div>
+                        <div class="stat-value severity-high">${vulnStats.high || 0}</div>
+                    </div>
+                    <div class="stat-card">
+                        <div class="stat-label">中危漏洞</div>
+                        <div class="stat-value severity-moderate">${vulnStats.moderate || 0}</div>
+                    </div>
+                    <div class="stat-card">
+                        <div class="stat-label">低危漏洞</div>
+                        <div class="stat-value severity-low">${vulnStats.low || 0}</div>
+                    </div>
+                    <div class="stat-card">
+                        <div class="stat-label">信息漏洞</div>
+                        <div class="stat-value severity-info">${vulnStats.info || 0}</div>
+                    </div>
+                    <div class="stat-card">
+                        <div class="stat-label">总计</div>
+                        <div class="stat-value">${vulnStats.total || 0}</div>
+                    </div>
+                </div>
+                <div class="chart-container">
+                    <canvas id="vulnerabilityChart"></canvas>
+                </div>
+            </div>
+            <!-- 依赖统计卡片 -->
+            <div class="card">
+                <h2>📦 依赖统计</h2>
+                <div class="stats-grid">
+                    <div class="stat-card">
+                        <div class="stat-label">生产依赖</div>
+                        <div class="stat-value">${depStats.prod || 0}</div>
+                    </div>
+                    <div class="stat-card">
+                        <div class="stat-label">开发依赖</div>
+                        <div class="stat-value">${depStats.dev || 0}</div>
+                    </div>
+                    <div class="stat-card">
+                        <div class="stat-label">可选依赖</div>
+                        <div class="stat-value">${depStats.optional || 0}</div>
+                    </div>
+                    <div class="stat-card">
+                        <div class="stat-label">Peer依赖</div>
+                        <div class="stat-value">${depStats.peer || 0}</div>
+                    </div>
+                    <div class="stat-card">
+                        <div class="stat-label">总依赖数</div>
+                        <div class="stat-value">${depStats.total || 0}</div>
+                    </div>
+                </div>
+                <div class="chart-container">
+                    <canvas id="dependencyChart"></canvas>
+                </div>
+            </div>
+            <!-- 漏洞列表卡片 -->
+            <div class="card">
+                <h2>📋 漏洞列表</h2>
+                <div class="vuln-list">`;
+    if (vulnPackages.length > 0) {
+      // 显示前10个漏洞
+      const displayPackages = vulnPackages.slice(0, 10);
+      displayPackages.forEach((pkgName) => {
+        const vuln = vulnerabilities[pkgName];
+        const severity = vuln.severity || "unknown";
+        const severityBgClass = `severity-${severity}-bg`;
+        html += `
+                    <div class="vuln-item">
+                        <div class="vuln-header">
+                            <div class="vuln-name">${pkgName}</div>
+                            <div class="vuln-severity ${severityBgClass}">${severity.toUpperCase()}</div>
+                        </div>
+                        <div class="vuln-details">
+                            受影响版本: ${vuln.range || "未知"} |
+                            直接依赖: ${vuln.isDirect ? "是" : "否"}<br>`;
+        if (vuln.fixAvailable && vuln.fixAvailable !== false) {
+          html += `修复建议: 升级到 ${vuln.fixAvailable.version || "最新版本"}`;
+        } else {
+          html += `修复建议: ${vuln.fixAvailable === false ? "暂无可用修复" : "检查更新"}`;
+        }
+        html += `
+                        </div>
+                    </div>`;
+      });
+      if (vulnPackages.length > 10) {
+        html += `
+                    <div class="vuln-item" style="text-align: center; color: #7f8c8d;">
+                        还有 ${vulnPackages.length - 10} 个漏洞未显示...
+                    </div>`;
+      }
+    } else {
+      html += `
+                    <div class="vuln-item" style="text-align: center; color: #388e3c; padding: 40px 20px;">
+                        <div style="font-size: 2em;">✅</div>
+                        <div style="font-size: 1.2em; font-weight: 600; margin: 10px 0;">恭喜！</div>
+                        <div>未发现任何安全漏洞</div>
+                    </div>`;
+    }
+    html += `
+                </div>
+            </div>
+        </div>
+        <!-- 修复建议总结 -->
+        <div class="summary">
+            <h2>🛠️ 修复建议</h2>
+            <div class="summary-content">`;
+    const vulnerabilitiesObj = auditData.vulnerabilities || {};
+    const hasFixAvailable = Object.values(vulnerabilitiesObj).some(
+      (vuln) => vuln.fixAvailable && vuln.fixAvailable !== false,
+    );
+    if (hasFixAvailable) {
+      html += `
+                <div class="summary-item">
+                    <h3>可用修复</h3>
+                    <p>以下依赖有可用修复版本：</p>
+                    <ul style="margin-left: 20px;">`;
+      Object.entries(vulnerabilitiesObj).forEach(([pkgName, vuln]) => {
+        if (vuln.fixAvailable && vuln.fixAvailable !== false) {
+          const fixVersion = vuln.fixAvailable.version || "最新版本";
+          html += `<li><strong>${pkgName}:</strong> 升级到 ${fixVersion}</li>`;
+        }
+      });
+      html += `
+                    </ul>
+                </div>
+                <div class="summary-item">
+                    <h3>修复命令</h3>
+                    <p>执行以下命令修复漏洞：</p>
+                    <pre style="background: rgba(0,0,0,0.2); padding: 15px; border-radius: 5px; overflow: auto;">`;
+      Object.entries(vulnerabilitiesObj).forEach(([pkgName, vuln]) => {
+        if (
+          vuln.fixAvailable &&
+          vuln.fixAvailable !== false &&
+          vuln.fixAvailable.name
+        ) {
+          const fixVersion = vuln.fixAvailable.version || "latest";
+          html += `npm install ${vuln.fixAvailable.name}@${fixVersion}\n`;
+        }
+      });
+      html += `
+                    </pre>
+                </div>`;
+    } else if (Object.keys(vulnerabilitiesObj).length > 0) {
+      html += `
+                <div class="summary-item">
+                    <h3>⚠️ 注意</h3>
+                    <p>发现漏洞但暂无直接修复方案，请考虑以下替代方案：</p>
+                    <ol>
+                        <li>查看是否有可用的次要版本更新</li>
+                        <li>考虑使用替代包</li>
+                        <li>评估风险是否可接受</li>
+                    </ol>
+                </div>`;
+    } else {
+      html += `
+                <div class="summary-item">
+                    <h3>✅ 安全状态</h3>
+                    <p>项目目前没有安全漏洞，无需修复。</p>
+                    <p>继续保持良好的安全实践！</p>
+                </div>`;
+    }
+    html += `
+            </div>
+        </div>
+        <!-- 图表脚本 -->
+        <script>
+            // 漏洞统计图表
+            const vulnCtx = document.getElementById('vulnerabilityChart').getContext('2d');
+            new Chart(vulnCtx, {
+                type: 'doughnut',
+                data: {
+                    labels: ${JSON.stringify(vulnData.map((d) => d.severity.toUpperCase()))},
+                    datasets: [{
+                        data: ${JSON.stringify(vulnData.map((d) => d.count))},
+                        backgroundColor: ${JSON.stringify(vulnData.map((d) => d.color))},
+                        borderWidth: 2,
+                        borderColor: 'white'
+                    }]
+                },
+                options: {
+                    responsive: true,
+                    maintainAspectRatio: false,
+                    plugins: {
+                        legend: {
+                            position: 'bottom',
+                            labels: {
+                                padding: 20,
+                                usePointStyle: true
+                            }
+                        },
+                        tooltip: {
+                            callbacks: {
+                                label: function(context) {
+                                    return context.label + ': ' + context.raw;
+                                }
+                            }
+                        }
+                    }
+                }
+            });
+            // 依赖统计图表
+            const depCtx = document.getElementById('dependencyChart').getContext('2d');
+            new Chart(depCtx, {
+                type: 'bar',
+                data: {
+                    labels: ${JSON.stringify(depData.map((d) => d.type))},
+                    datasets: [{
+                        label: '依赖数量',
+                        data: ${JSON.stringify(depData.map((d) => d.count))},
+                        backgroundColor: ${JSON.stringify(depData.map((d) => d.color))},
+                        borderWidth: 1,
+                        borderColor: 'rgba(0,0,0,0.1)'
+                    }]
+                },
+                options: {
+                    responsive: true,
+                    maintainAspectRatio: false,
+                    scales: {
+                        y: {
+                            beginAtZero: true,
+                            ticks: {
+                                stepSize: 1
+                            }
+                        }
+                    },
+                    plugins: {
+                        legend: {
+                            display: false
+                        }
+                    }
+                }
+            });
+        </script>
+        <div class="footer">
+            <p>本报告基于 <code>npm audit --json</code> 命令生成 | 建议定期运行 <code>npm audit</code> 检查项目安全状况</p>
+            <p>更多信息请参考 <a href="https://docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities" target="_blank" style="color: white; text-decoration: underline;">npm 安全文档</a></p>
+        </div>
+    </div>
+</body>
+</html>`;
+    // 将生成的HTML写入文件
+    await fs.promises.writeFile(savePath, html);
+  } catch (error) {
+    console.error(`Error rendering Dashboard audit result: ${error.message}`);
+    const errorHtml = `<!DOCTYPE html>
+<html lang="zh-CN">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>NPM Audit 报告渲染错误</title>
+    <style>
+        body { font-family: Arial, sans-serif; margin: 40px; line-height: 1.6; }
+        .error { color: #d32f2f; background: #ffebee; padding: 20px; border-radius: 5px; border-left: 5px solid #d32f2f; }
+        h1 { color: #333; }
+        pre { background: #f5f5f5; padding: 15px; border-radius: 5px; overflow: auto; }
+    </style>
+</head>
+<body>
+    <h1>NPM Audit 报告渲染错误</h1>
+    <div class="error">
+        <h2>❌ 错误</h2>
+        <p>${error.message}</p>
+    </div>
+    <h3>原始结果（前1000字符）:</h3>
+    <pre>${auditResult.substring(0, 1000)}</pre>
+</body>
+</html>`;
+    await fs.promises.writeFile(savePath, errorHtml);
+  }
+}