npq 3.19.0 → 3.19.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -4,7 +4,6 @@ npq allows you to audit npm packages _before_ you install them
4
4
  [![license](https://img.shields.io/npm/l/npq)](LICENSE)
5
5
  [![codecov](https://img.shields.io/codecov/c/gh/lirantal/npq/main)](https://codecov.io/gh/lirantal/npq)
6
6
  [![CI](https://img.shields.io/github/actions/workflow/status/lirantal/npq/main.yml?branch=main&label=CI&logo=github)](https://github.com/lirantal/npq/actions/workflows/main.yml?query=branch%3Amain)
7
- [![Known Vulnerabilities](https://snyk.io/test/github/lirantal/npq/badge.svg)](https://snyk.io/test/github/lirantal/npq)
8
7
  [![Security Responsible Disclosure](https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow)](SECURITY.md)
9
8
 
10
9
  TL;DR how to use npq:
@@ -9,6 +9,30 @@ const { marshallCategories } = require('./constants')
9
9
  const MARSHALL_NAME = 'snyk'
10
10
  const SNYK_PACKAGE_PAGE = 'https://snyk.io/vuln/npm:'
11
11
  const SNYK_CONFIG_FILE = '.config/configstore/snyk.json'
12
+ const OSV_MALICIOUS_ORIGINS_KEY = 'malicious-packages-origins'
13
+
14
+ function isOsvVulnMalicious(vuln) {
15
+ if (!vuln || typeof vuln !== 'object') {
16
+ return false
17
+ }
18
+
19
+ const ds = vuln.database_specific
20
+ if (ds && typeof ds === 'object' && !Array.isArray(ds)) {
21
+ if (Object.prototype.hasOwnProperty.call(ds, OSV_MALICIOUS_ORIGINS_KEY)) {
22
+ const origins = ds[OSV_MALICIOUS_ORIGINS_KEY]
23
+ if (Array.isArray(origins)) {
24
+ return true
25
+ }
26
+ }
27
+ }
28
+
29
+ const summary = vuln.summary
30
+ if (typeof summary === 'string' && summary.toLowerCase().startsWith('malicious')) {
31
+ return true
32
+ }
33
+
34
+ return false
35
+ }
12
36
 
13
37
  class Marshall extends BaseMarshall {
14
38
  constructor(options) {
@@ -55,18 +79,14 @@ class Marshall extends BaseMarshall {
55
79
  }
56
80
 
57
81
  if (data.issuesCount && data.issuesCount > 0) {
82
+ const packageSecurityInfo = `${SNYK_PACKAGE_PAGE}${encodeURIComponent(pkg.packageName)}`
83
+ if (data.isMaliciousPackage) {
84
+ throw new Error(`Malicious package found: ${packageSecurityInfo}`)
85
+ }
58
86
  if (this.snykApiToken) {
59
- const packageSecurityInfo = `${SNYK_PACKAGE_PAGE}${encodeURIComponent(pkg.packageName)}`
60
- if (data.isMaliciousPackage) {
61
- throw new Error(`Malicious package found: ${packageSecurityInfo}`)
62
- }
63
-
64
87
  throw new Error(`${data.issuesCount} vulnerable path(s) found: ${packageSecurityInfo}`)
65
- } else {
66
- throw new Error(
67
- `${data.issuesCount} vulnerabilities found by OSV for ${pkg.packageName}`
68
- )
69
88
  }
89
+ throw new Error(`${data.issuesCount} vulnerabilities found by OSV for ${pkg.packageName}`)
70
90
  }
71
91
 
72
92
  return data
@@ -93,12 +113,7 @@ class Marshall extends BaseMarshall {
93
113
  .then((response) => response.json())
94
114
  .then((data) => {
95
115
  if (data && data.vulns) {
96
- const isMaliciousPackage = data.vulns.some(
97
- (vuln) =>
98
- vuln.database_specific &&
99
- vuln.database_specific['malicious-packages-origins'] &&
100
- vuln.database_specific['malicious-packages-origins'].length > 0
101
- )
116
+ const isMaliciousPackage = data.vulns.some((vuln) => isOsvVulnMalicious(vuln))
102
117
 
103
118
  return {
104
119
  issuesCount: data.vulns.length,
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "npq",
3
- "version": "3.19.0",
3
+ "version": "3.19.2",
4
4
  "description": "marshall your npm/npm package installs with high quality and class 🎖",
5
5
  "bin": {
6
6
  "npq": "./bin/npq.js",