dependency-radar 0.7.0 → 0.8.1

package/dist/compare.js

@@ -0,0 +1,79 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.compareReports = compareReports;
+exports.formatCompareOutput = formatCompareOutput;
+function byName(deps) {
+    const map = new Map();
+    for (const dep of Object.values(deps || {})) {
+        if (!map.has(dep.package.name))
+            map.set(dep.package.name, []);
+        map.get(dep.package.name).push(dep);
+    }
+    return map;
+}
+function compareReports(previous, current) {
+    const previousIds = new Set(Object.keys(previous.dependencies || {}));
+    const currentIds = new Set(Object.keys(current.dependencies || {}));
+    const added = Array.from(currentIds).filter((id) => !previousIds.has(id)).sort();
+    const removed = Array.from(previousIds).filter((id) => !currentIds.has(id)).sort();
+    const previousByName = byName(previous.dependencies || {});
+    const currentByName = byName(current.dependencies || {});
+    const changedVersions = [];
+    for (const [name, previousDeps] of previousByName.entries()) {
+        const currentDeps = currentByName.get(name);
+        if (!currentDeps || currentDeps.length !== 1 || previousDeps.length !== 1)
+            continue;
+        const prev = previousDeps[0];
+        const next = currentDeps[0];
+        if (prev.package.version !== next.package.version) {
+            changedVersions.push({ name, from: prev.package.version, to: next.package.version });
+        }
+    }
+    changedVersions.sort((a, b) => a.name.localeCompare(b.name));
+    const previousFindingIds = new Set((previous.findings || []).map((finding) => finding.id));
+    const currentFindingIds = new Set((current.findings || []).map((finding) => finding.id));
+    const byFindingId = (a, b) => (a.id || '').localeCompare(b.id || '');
+    const previousFindingById = new Map((previous.findings || []).map((finding) => [finding.id, finding]));
+    const serializeFinding = (finding) => JSON.stringify({
+        category: finding.category,
+        severity: finding.severity,
+        packageId: finding.packageId,
+        packageName: finding.packageName,
+        packageVersion: finding.packageVersion,
+        title: finding.title,
+        message: finding.message,
+        evidence: finding.evidence,
+        recommendation: finding.recommendation
+    });
+    return {
+        added,
+        removed,
+        changedVersions,
+        newFindings: (current.findings || []).filter((finding) => !previousFindingIds.has(finding.id)).sort(byFindingId),
+        resolvedFindings: (previous.findings || []).filter((finding) => !currentFindingIds.has(finding.id)).sort(byFindingId),
+        changedFindings: (current.findings || [])
+            .filter((finding) => {
+            const previousFinding = previousFindingById.get(finding.id);
+            return previousFinding ? serializeFinding(previousFinding) !== serializeFinding(finding) : false;
+        })
+            .sort(byFindingId)
+    };
+}
+function section(title, lines, empty) {
+    return [
+        title,
+        '-'.repeat(title.length),
+        ...(lines.length > 0 ? lines : [empty]),
+        ''
+    ];
+}
+function formatCompareOutput(result) {
+    const lines = ['Dependency Radar comparison', '===========================', ''];
+    lines.push(...section('Added dependencies', result.added.map((id) => `+ ${id}`), 'none'));
+    lines.push(...section('Removed dependencies', result.removed.map((id) => `- ${id}`), 'none'));
+    lines.push(...section('Changed versions', result.changedVersions.map((entry) => `${entry.name}: ${entry.from} -> ${entry.to}`), 'none'));
+    lines.push(...section('New findings', result.newFindings.map((finding) => `${finding.severity.toUpperCase()} ${finding.packageId}: ${finding.title}`), 'none'));
+    lines.push(...section('Changed findings', result.changedFindings.map((finding) => `${finding.severity.toUpperCase()} ${finding.packageId}: ${finding.title}`), 'none'));
+    lines.push(...section('Resolved findings', result.resolvedFindings.map((finding) => `${finding.packageId}: ${finding.title}`), 'none'));
+    return lines.join('\n').trimEnd();
+}

package/dist/failOn.js

@@ -10,7 +10,8 @@ exports.SUPPORTED_FAIL_ON_RULES = [
     'high-severity-vuln',
     'licence-mismatch',
     'copyleft-detected',
-    'unknown-licence'
+    'unknown-licence',
+    'supply-chain-source'
 ];
 const SUPPORTED_FAIL_ON_RULE_SET = new Set(exports.SUPPORTED_FAIL_ON_RULES);
 /**
@@ -97,7 +98,7 @@ function parseFailOnRules(value) {
  * @returns An array of PolicyViolation objects for each rule that has one or more matching issues; returns an empty array if no violations are found
  */
 function evaluatePolicyViolations(aggregated, rules) {
-    var _a;
+    var _a, _b;
     if (rules.size === 0)
         return [];
     let reachableProductionVulnCount = 0;
@@ -106,6 +107,7 @@ function evaluatePolicyViolations(aggregated, rules) {
     let licenceMismatchCount = 0;
     let copyleftDetectedCount = 0;
     let unknownLicenceCount = 0;
+    let supplyChainSourceCount = 0;
     for (const dep of Object.values(aggregated.dependencies || {})) {
         const isRuntime = dep.usage.scope === 'runtime';
         const hasVuln = vulnerabilityCount(dep) > 0;
@@ -130,6 +132,11 @@ function evaluatePolicyViolations(aggregated, rules) {
             unknownLicenceCount += 1;
         }
     }
+    supplyChainSourceCount = (((_b = aggregated.supplyChain) === null || _b === void 0 ? void 0 : _b.signals) || []).filter((signal) => signal.type === 'git-dependency' ||
+        signal.type === 'file-dependency' ||
+        signal.type === 'non-registry-tarball' ||
+        signal.type === 'missing-integrity' ||
+        signal.type === 'unexpected-registry-host').length;
     const violations = [];
     if (rules.has('reachable-vuln') && reachableProductionVulnCount > 0) {
         violations.push({
@@ -173,5 +180,12 @@ function evaluatePolicyViolations(aggregated, rules) {
             message: `${unknownLicenceCount} ${pluralize(unknownLicenceCount, 'dependency with unknown licence', 'dependencies with unknown licence')}`
         });
     }
+    if (rules.has('supply-chain-source') && supplyChainSourceCount > 0) {
+        violations.push({
+            rule: 'supply-chain-source',
+            count: supplyChainSourceCount,
+            message: `${supplyChainSourceCount} ${pluralize(supplyChainSourceCount, 'lockfile supply-chain source finding', 'lockfile supply-chain source findings')}`
+        });
+    }
     return violations;
 }

package/dist/findings.js

@@ -0,0 +1,166 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildDependencyFindings = buildDependencyFindings;
+const nodeEngine_1 = require("./nodeEngine");
+function vulnerabilityTotal(dep) {
+    const summary = dep.security.summary;
+    return ((summary.critical || 0) +
+        (summary.high || 0) +
+        (summary.moderate || 0) +
+        (summary.low || 0));
+}
+function findingId(dep, suffix) {
+    return `${dep.package.id}:${suffix}`.replace(/[^a-zA-Z0-9_.@/-]+/g, '-');
+}
+function supportsTargetNode(dep, targetNodeMajor) {
+    if (!targetNodeMajor || !dep.upgrade.nodeEngine)
+        return undefined;
+    return (0, nodeEngine_1.isNodeEngineTargetCompatible)(dep.upgrade.nodeEngine, targetNodeMajor);
+}
+function baseFinding(dep, suffix, fields) {
+    return {
+        id: findingId(dep, suffix),
+        packageId: dep.package.id,
+        packageName: dep.package.name,
+        packageVersion: dep.package.version,
+        ...fields
+    };
+}
+function buildDependencyFindings(data, options = {}) {
+    var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l;
+    const findings = [];
+    for (const dep of Object.values(data.dependencies || {})) {
+        const vulnCount = vulnerabilityTotal(dep);
+        if (vulnCount > 0) {
+            const highest = dep.security.summary.highest;
+            findings.push(baseFinding(dep, 'vulnerabilities', {
+                category: 'security',
+                severity: highest === 'critical' || highest === 'high' ? 'error' : 'warning',
+                title: `${vulnCount} known ${vulnCount === 1 ? 'vulnerability' : 'vulnerabilities'}`,
+                message: `${dep.package.id} has audit advisories; highest severity is ${highest}.`,
+                evidence: (_a = dep.security.advisories) === null || _a === void 0 ? void 0 : _a.map((advisory) => advisory.id).join(', '),
+                recommendation: dep.upgrade.latestVersion
+                    ? `Review and upgrade toward ${dep.upgrade.latestVersion}.`
+                    : 'Review the advisory and upgrade path.'
+            }));
+        }
+        if (dep.compliance.license.status === 'mismatch') {
+            findings.push(baseFinding(dep, 'license-mismatch', {
+                category: 'license',
+                severity: 'warning',
+                title: 'Declared and inferred licenses differ',
+                message: `${dep.package.id} declares ${((_b = dep.compliance.license.declared) === null || _b === void 0 ? void 0 : _b.spdxId) || 'unknown'} but the local license file looks like ${((_c = dep.compliance.license.inferred) === null || _c === void 0 ? void 0 : _c.spdxId) || 'unknown'}.`,
+                recommendation: 'Verify the installed package license before release or compliance sign-off.'
+            }));
+        }
+        else if (dep.compliance.license.status === 'invalid-spdx' || dep.compliance.license.status === 'unknown') {
+            findings.push(baseFinding(dep, `license-${dep.compliance.license.status}`, {
+                category: 'license',
+                severity: dep.usage.scope === 'runtime' ? 'warning' : 'info',
+                title: dep.compliance.license.status === 'unknown' ? 'License is unknown' : 'License declaration is invalid SPDX',
+                message: `${dep.package.id} needs license review.`,
+                evidence: (_d = dep.compliance.license.declared) === null || _d === void 0 ? void 0 : _d.spdxId,
+                recommendation: 'Check package metadata and LICENSE files.'
+            }));
+        }
+        if (dep.compliance.licenseRisk === 'red' && dep.usage.scope === 'runtime') {
+            findings.push(baseFinding(dep, 'runtime-license-risk', {
+                category: 'license',
+                severity: 'error',
+                title: 'High-risk runtime license',
+                message: `${dep.package.id} is in the runtime tree and has red license risk.`,
+                recommendation: 'Review legal/compliance acceptability or replace the package.'
+            }));
+        }
+        if ((_g = (_f = (_e = dep.execution) === null || _e === void 0 ? void 0 : _e.scripts) === null || _f === void 0 ? void 0 : _f.hooks) === null || _g === void 0 ? void 0 : _g.length) {
+            findings.push(baseFinding(dep, 'install-scripts', {
+                category: 'execution',
+                severity: dep.execution.risk === 'red' ? 'error' : 'warning',
+                title: 'Install lifecycle script',
+                message: `${dep.package.id} runs ${dep.execution.scripts.hooks.join(', ')} during install.`,
+                evidence: (_h = dep.execution.scripts.signals) === null || _h === void 0 ? void 0 : _h.join(', '),
+                recommendation: 'Review install-time behavior, especially in CI and release environments.'
+            }));
+        }
+        if ((_j = dep.execution) === null || _j === void 0 ? void 0 : _j.native) {
+            findings.push(baseFinding(dep, 'native-bindings', {
+                category: 'upgrade',
+                severity: 'warning',
+                title: 'Native binding or build surface',
+                message: `${dep.package.id} includes native binding or native build indicators.`,
+                recommendation: 'Check platform and Node major compatibility before upgrades.'
+            }));
+        }
+        if (dep.package.deprecated) {
+            findings.push(baseFinding(dep, 'deprecated', {
+                category: 'supply-chain',
+                severity: dep.usage.scope === 'runtime' ? 'warning' : 'info',
+                title: 'Package is deprecated',
+                message: `${dep.package.id} is marked deprecated in local package metadata.`,
+                recommendation: 'Plan migration to a maintained replacement.'
+            }));
+        }
+        const targetSupport = supportsTargetNode(dep, options.targetNodeMajor);
+        if (targetSupport === false && options.targetNodeMajor) {
+            findings.push(baseFinding(dep, `target-node-${options.targetNodeMajor}`, {
+                category: 'upgrade',
+                severity: dep.usage.scope === 'runtime' ? 'error' : 'warning',
+                title: `May block Node ${options.targetNodeMajor}`,
+                message: `${dep.package.id} declares engines.node "${dep.upgrade.nodeEngine}", which does not appear to include Node ${options.targetNodeMajor}.`,
+                recommendation: 'Upgrade, replace, or verify engine compatibility manually.'
+            }));
+        }
+    }
+    for (const signal of ((_k = data.supplyChain) === null || _k === void 0 ? void 0 : _k.signals) || []) {
+        findings.push(buildSupplyChainFinding(signal));
+    }
+    const signatureAudit = (_l = data.supplyChain) === null || _l === void 0 ? void 0 : _l.signatureAudit;
+    if ((signatureAudit === null || signatureAudit === void 0 ? void 0 : signatureAudit.attempted) && !signatureAudit.ok) {
+        findings.push({
+            id: 'supply-chain:signature-verification-failed',
+            category: 'supply-chain',
+            severity: 'warning',
+            packageId: 'project',
+            packageName: 'project',
+            packageVersion: '',
+            title: 'npm signature/provenance verification failed',
+            message: signatureAudit.error || 'npm audit signatures did not complete successfully.',
+            evidence: signatureAudit.output,
+            recommendation: 'Review npm audit signatures output and verify registry/provenance status.'
+        });
+    }
+    return findings.sort((a, b) => {
+        const severityOrder = { error: 2, warning: 1, info: 0 };
+        const diff = severityOrder[b.severity] - severityOrder[a.severity];
+        if (diff !== 0)
+            return diff;
+        return a.packageId.localeCompare(b.packageId) || a.id.localeCompare(b.id);
+    });
+}
+function buildSupplyChainFinding(signal) {
+    const packageId = signal.packageId || (signal.packageName && signal.packageVersion
+        ? `${signal.packageName}@${signal.packageVersion}`
+        : signal.packageName || 'lockfile');
+    const titleByType = {
+        'git-dependency': 'Git dependency source',
+        'file-dependency': 'Local file dependency source',
+        'non-registry-tarball': 'Non-registry tarball source',
+        'missing-integrity': 'Missing lockfile integrity',
+        'unexpected-registry-host': 'Unexpected registry host'
+    };
+    const severity = signal.type === 'missing-integrity' || signal.type === 'unexpected-registry-host'
+        ? 'warning'
+        : 'info';
+    return {
+        id: `${packageId}:${signal.type}`.replace(/[^a-zA-Z0-9_.@/-]+/g, '-'),
+        category: 'supply-chain',
+        severity,
+        packageId,
+        packageName: signal.packageName || packageId,
+        packageVersion: signal.packageVersion || '',
+        title: titleByType[signal.type],
+        message: signal.detail,
+        evidence: signal.source,
+        recommendation: 'Review the dependency source and confirm it is expected for this project.'
+    };
+}

package/dist/generated/spdx.js

@@ -75,6 +75,7 @@ exports.SPDX_LICENSE_IDS = new Set([
     'Borceux',
     'Brian-Gladman-2-Clause',
     'Brian-Gladman-3-Clause',
+    'Brian-Gladman-3-Clause-no-conversion',
     'BSD-1-Clause',
     'BSD-2-Clause',
     'BSD-2-Clause-Darwin',
@@ -488,6 +489,7 @@ exports.SPDX_LICENSE_IDS = new Set([
     'MulanPSL-2.0',
     'Multics',
     'Mup',
+    'MVT-1.1',
     'NAIST-2003',
     'NASA-1.3',
     'Naumen',
@@ -801,6 +803,7 @@ exports.SPDX_EXCEPTION_IDS = new Set([
     'GNOME-examples-exception',
     'GNU-compiler-exception',
     'gnu-javamail-exception',
+    'Google-Patent-WebM',
     'GPL-3.0-389-ds-base-exception',
     'GPL-3.0-interface-exception',
     'GPL-3.0-linking-exception',

package/dist/nodeEngine.js

@@ -0,0 +1,181 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isNodeEngineTargetCompatible = isNodeEngineTargetCompatible;
+function parseVersionParts(value) {
+    const match = value.trim().match(/^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/);
+    if (!match)
+        return undefined;
+    return {
+        version: [Number(match[1]), Number(match[2] || 0), Number(match[3] || 0)],
+        parts: match[3] ? 3 : match[2] ? 2 : 1,
+    };
+}
+function parseVersion(value) {
+    var _a;
+    return (_a = parseVersionParts(value)) === null || _a === void 0 ? void 0 : _a.version;
+}
+function compare(a, b) {
+    for (let i = 0; i < 3; i += 1)
+        if (a[i] !== b[i])
+            return a[i] - b[i];
+    return 0;
+}
+function satisfiesComparator(target, comparator) {
+    const match = comparator.trim().match(/^(<=|>=|<|>|=)?\s*v?(\d+(?:\.\d+){0,2})$/);
+    if (!match)
+        return false;
+    const version = parseVersion(match[2]);
+    if (!version)
+        return false;
+    const diff = compare(target, version);
+    const op = match[1] || '=';
+    if (op === '<')
+        return diff < 0;
+    if (op === '<=')
+        return diff <= 0;
+    if (op === '>')
+        return diff > 0;
+    if (op === '>=')
+        return diff >= 0;
+    return diff === 0;
+}
+function comparatorAllowsTargetMajor(comparator, minTarget, maxTarget) {
+    const bounds = boundsForComparator(comparator);
+    return Boolean(bounds && intervalsOverlap(bounds, { lower: minTarget, lowerInclusive: true, upper: maxTarget, upperInclusive: false }));
+}
+function boundsForComparator(comparator) {
+    const match = comparator.trim().match(/^(<=|>=|<|>|=)?\s*v?(\d+(?:\.\d+){0,2})$/);
+    if (!match)
+        return undefined;
+    const parsed = parseVersionParts(match[2]);
+    if (!parsed)
+        return undefined;
+    const version = parsed.version;
+    const nextMajor = [version[0] + 1, 0, 0];
+    const op = match[1] || '=';
+    if (op === '<')
+        return { lowerInclusive: true, upper: version, upperInclusive: false };
+    if (op === '<=' && parsed.parts === 1)
+        return { lowerInclusive: true, upper: nextMajor, upperInclusive: false };
+    if (op === '<=')
+        return { lowerInclusive: true, upper: version, upperInclusive: true };
+    if (op === '>' && parsed.parts === 1)
+        return { lower: nextMajor, lowerInclusive: true, upperInclusive: true };
+    if (op === '>')
+        return { lower: version, lowerInclusive: false, upperInclusive: true };
+    if (op === '>=')
+        return { lower: version, lowerInclusive: true, upperInclusive: true };
+    return { lower: version, lowerInclusive: true, upper: version, upperInclusive: true };
+}
+function laterLower(a, b) {
+    if (!a.lower)
+        return { lower: b.lower, lowerInclusive: b.lowerInclusive };
+    if (!b.lower)
+        return { lower: a.lower, lowerInclusive: a.lowerInclusive };
+    const diff = compare(a.lower, b.lower);
+    if (diff > 0)
+        return { lower: a.lower, lowerInclusive: a.lowerInclusive };
+    if (diff < 0)
+        return { lower: b.lower, lowerInclusive: b.lowerInclusive };
+    return { lower: a.lower, lowerInclusive: a.lowerInclusive && b.lowerInclusive };
+}
+function earlierUpper(a, b) {
+    if (!a.upper)
+        return { upper: b.upper, upperInclusive: b.upperInclusive };
+    if (!b.upper)
+        return { upper: a.upper, upperInclusive: a.upperInclusive };
+    const diff = compare(a.upper, b.upper);
+    if (diff < 0)
+        return { upper: a.upper, upperInclusive: a.upperInclusive };
+    if (diff > 0)
+        return { upper: b.upper, upperInclusive: b.upperInclusive };
+    return { upper: a.upper, upperInclusive: a.upperInclusive && b.upperInclusive };
+}
+function intervalsOverlap(a, b) {
+    const lower = laterLower(a, b);
+    const upper = earlierUpper(a, b);
+    if (!lower.lower || !upper.upper)
+        return true;
+    const diff = compare(lower.lower, upper.upper);
+    if (diff < 0)
+        return true;
+    if (diff > 0)
+        return false;
+    return lower.lowerInclusive && upper.upperInclusive;
+}
+function comparatorsOverlapTargetMajor(comparators, targetMajor) {
+    const target = {
+        lower: [targetMajor, 0, 0],
+        lowerInclusive: true,
+        upper: [targetMajor + 1, 0, 0],
+        upperInclusive: false,
+    };
+    let interval = {
+        lowerInclusive: true,
+        upperInclusive: true,
+    };
+    for (const comparator of comparators) {
+        if (!comparatorAllowsTargetMajor(comparator, target.lower, target.upper))
+            return false;
+        const bounds = boundsForComparator(comparator);
+        if (!bounds)
+            continue;
+        const lower = laterLower(interval, bounds);
+        const upper = earlierUpper(interval, bounds);
+        interval = { ...lower, ...upper };
+        if (!intervalsOverlap(interval, target))
+            return false;
+    }
+    return intervalsOverlap(interval, target);
+}
+function expandToken(token) {
+    var _a, _b;
+    const trimmed = token.trim();
+    if (!trimmed || trimmed === '*' || /^[xX]$/.test(trimmed))
+        return [];
+    const xRange = trimmed.match(/^v?(\d+)(?:\.(\d+|[xX*]))?(?:\.(\d+|[xX*]))?$/);
+    if (xRange && (((_a = xRange[2]) === null || _a === void 0 ? void 0 : _a.match(/^[xX*]$/)) || ((_b = xRange[3]) === null || _b === void 0 ? void 0 : _b.match(/^[xX*]$/)))) {
+        const major = Number(xRange[1]);
+        if (!xRange[2] || /^[xX*]$/.test(xRange[2]))
+            return [`>=${major}.0.0`, `<${major + 1}.0.0`];
+        const minor = Number(xRange[2]);
+        return [`>=${major}.${minor}.0`, `<${major}.${minor + 1}.0`];
+    }
+    const caret = trimmed.match(/^\^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/);
+    if (caret) {
+        const major = Number(caret[1]);
+        return [`>=${major}.${caret[2] || 0}.${caret[3] || 0}`, `<${major + 1}.0.0`];
+    }
+    const tilde = trimmed.match(/^~\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/);
+    if (tilde) {
+        const major = Number(tilde[1]);
+        if (!tilde[2])
+            return [`>=${major}.0.0`, `<${major + 1}.0.0`];
+        const minor = Number(tilde[2]);
+        return [`>=${major}.${minor}.${tilde[3] || 0}`, `<${major}.${minor + 1}.0`];
+    }
+    const bare = trimmed.match(/^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/);
+    if (bare) {
+        const major = Number(bare[1]);
+        if (!bare[2])
+            return [`>=${major}.0.0`, `<${major + 1}.0.0`];
+        const minor = Number(bare[2]);
+        if (!bare[3])
+            return [`>=${major}.${minor}.0`, `<${major}.${minor + 1}.0`];
+        return [`=${major}.${minor}.${bare[3]}`];
+    }
+    return [trimmed];
+}
+function isNodeEngineTargetCompatible(range, targetMajor) {
+    if (!range || !range.trim())
+        return undefined;
+    const clauses = range.split('||').map((clause) => clause.trim()).filter(Boolean);
+    if (clauses.length === 0)
+        return undefined;
+    return clauses.some((clause) => {
+        const hyphen = clause.match(/^\s*v?(\d+(?:\.\d+){0,2})\s+-\s+v?(\d+(?:\.\d+){0,2})\s*$/);
+        const tokens = hyphen ? [`>=${hyphen[1]}`, `<=${hyphen[2]}`] : clause.split(/\s+/);
+        const comparators = tokens.flatMap(expandToken);
+        return comparators.length === 0 || comparatorsOverlapTargetMajor(comparators, targetMajor);
+    });
+}