New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More →
@jitesoft/audit-for-gitlab
Advanced tools
@jitesoft/audit-for-gitlab - npm Package Compare versions
Comparing version 3.1.0 to 3.1.1
@@ -37,2 +37,4 @@ "use strict"; | ||
| var _Util = require("./Util"); | ||
| var _scanner = /*#__PURE__*/new _weakMap.default(); | ||
@@ -86,8 +88,10 @@ | ||
| for (const name in packagelockData.dependencies) { | ||
| dependencies.push({ | ||
| package: { | ||
| name | ||
| }, | ||
| version: packagelockData.dependencies[name].version | ||
| }); | ||
| if ((0, _Util.hasOwn)(packagelockData.dependencies, name) && 'version' in packagelockData.dependencies[name]) { | ||
| dependencies.push({ | ||
| package: { | ||
| name | ||
| }, | ||
| version: packagelockData.dependencies[name].version | ||
| }); | ||
| } | ||
| } | ||
@@ -98,13 +102,15 @@ | ||
| for (const vuln in vulnerabilities) { | ||
| const obj = vulnerabilities[vuln]; | ||
| const via = obj.via.shift(); | ||
| if ((0, _Util.hasOwn)(vulnerabilities, vuln)) { | ||
| const obj = vulnerabilities[vuln]; | ||
| const via = obj.via.shift(); | ||
| if (typeof via !== 'object') { | ||
| continue; // TODO, fix this | ||
| } | ||
| if (typeof via !== 'object') { | ||
| continue; // TODO, fix this | ||
| } | ||
| const result = (0, _classPrivateMethodGet2.default)(this, _createVulnerability, _createVulnerability2).call(this, obj, via); | ||
| const result = (0, _classPrivateMethodGet2.default)(this, _createVulnerability, _createVulnerability2).call(this, obj, via); | ||
| if (result !== null) { | ||
| vulns.push(result); | ||
| if (result !== null) { | ||
| vulns.push(result); | ||
| } | ||
| } | ||
@@ -147,2 +153,3 @@ } | ||
| * @param {IVia} via | ||
| * @return {Object|null} | ||
| */ | ||
@@ -187,7 +194,9 @@ | ||
| if (cweNumber in _cwe.default) { | ||
| cweData = { | ||
| name: _cwe.default[cweNumber].name, | ||
| description: _cwe.default[cweNumber].description | ||
| }; | ||
| cweData.name = `${cweData.name} (in ${packageName})`; | ||
| if ((0, _Util.hasOwn)(_cwe.default, cweNumber)) { | ||
| cweData = { | ||
| name: _cwe.default[cweNumber].name, | ||
| description: _cwe.default[cweNumber].description | ||
| }; | ||
| cweData.name = `${cweData.name} (in ${packageName})`; | ||
| } | ||
| } | ||
@@ -199,3 +208,3 @@ | ||
| description: cweData.description, | ||
| severity: (0, _classStaticPrivateFieldSpecGet2.default)(GitLabAnalyzer, GitLabAnalyzer, _severities)[vuln.severity], | ||
| severity: (0, _Util.hasOwn)((0, _classStaticPrivateFieldSpecGet2.default)(GitLabAnalyzer, GitLabAnalyzer, _severities), vuln.severity) ? (0, _classStaticPrivateFieldSpecGet2.default)(GitLabAnalyzer, GitLabAnalyzer, _severities)[vuln.severity] : 'Unknown', | ||
| links: [{ | ||
@@ -202,0 +211,0 @@ url: via.url |
@@ -13,8 +13,7 @@ "use strict"; | ||
| var _package = _interopRequireDefault(require("../package.json")); | ||
| var _GitLabAnalyzer = _interopRequireDefault(require("./GitLabAnalyzer")); | ||
| const startTime = new Date(); | ||
| const packageInfo = require('../package.json'); | ||
| (0, _Npm.audit)().then(async auditData => { | ||
@@ -24,3 +23,5 @@ await (0, _Util.logger)(_Util.LogLevels.info, 'Generated audit report from npm'); | ||
| const npmVersion = await (0, _Npm.version)(); | ||
| const result = await new _GitLabAnalyzer.default(packageInfo.meta.scanner, startTime, packageInfo.version, npmVersion.npm).convert(auditData.vulnerabilities, require(process.cwd() + '/package.json'), require(process.cwd() + '/package-lock.json')); | ||
| const packageFile = await (0, _Util.readFileJson)(`${process.cwd()}/package.json`); | ||
| const packageLockFile = await (0, _Util.readFileJson)(`${process.cwd()}/package-lock.json`); | ||
| const result = await new _GitLabAnalyzer.default(_package.default.meta.scanner, startTime, _package.default.version, npmVersion.npm).convert(auditData.vulnerabilities, packageFile, packageLockFile); | ||
| return { | ||
@@ -44,3 +45,3 @@ npmVersion: npmVersion.npm, | ||
| }).then(async data => { | ||
| await (0, _Finalize.reportFindings)(data.meta, data.npmVersion, packageInfo); | ||
| await (0, _Finalize.reportFindings)(data.meta, data.npmVersion, _package.default); | ||
| await (0, _Finalize.doExit)(data.meta.vulnerabilities); | ||
@@ -47,0 +48,0 @@ }).catch(e => { |
@@ -11,10 +11,18 @@ "use strict"; | ||
| exports.writeFile = exports.logger = exports.getConf = exports.fileExists = exports.LogLevels = void 0; | ||
| exports.writeFile = exports.readFileJson = exports.logger = exports.hasOwn = exports.getConf = exports.fileExists = exports.LogLevels = void 0; | ||
| var _promise = _interopRequireDefault(require("@babel/runtime-corejs3/core-js/promise")); | ||
| var _indexOf = _interopRequireDefault(require("@babel/runtime-corejs3/core-js/instance/index-of")); | ||
| var _includes = _interopRequireDefault(require("@babel/runtime-corejs3/core-js/instance/includes")); | ||
| var _fs = require("fs"); | ||
| const hasOwn = (object, key) => { | ||
| if (Object.hasOwn) { | ||
| return Object.hasOwn(object, key); | ||
| } // eslint-disable-next-line no-prototype-builtins | ||
| return object.hasOwnProperty(key); | ||
| }; | ||
| /** | ||
@@ -26,6 +34,14 @@ * Fetch a value from the configuration. | ||
| * @param {any} def Default value to return in case no key was found. | ||
| * @return {any} | ||
| * @return {string|null} | ||
| */ | ||
| exports.hasOwn = hasOwn; | ||
| const getConf = (key, def = null) => { | ||
| return process.env[key] ?? def; | ||
| if (hasOwn(process.env, key)) { | ||
| return process.env[key] ?? def; | ||
| } | ||
| return def; | ||
| }; | ||
@@ -71,2 +87,9 @@ /** | ||
| const readFileJson = async file => { | ||
| const data = await _fs.promises.readFile(file); | ||
| return JSON.parse(data); | ||
| }; | ||
| exports.readFileJson = readFileJson; | ||
| const stdout = async message => { | ||
@@ -119,3 +142,3 @@ return new _promise.default((resolve, reject) => { | ||
| if ((0, _indexOf.default)(keys).call(keys, logLevel) !== -1 && (0, _indexOf.default)(keys).call(keys, level) <= (0, _indexOf.default)(keys).call(keys, logLevel)) { | ||
| if ((0, _includes.default)(keys).call(keys, logLevel)) { | ||
| logLevels[logLevel](message); | ||
@@ -122,0 +145,0 @@ } |
| { | ||
| "name": "@jitesoft/audit-for-gitlab", | ||
| "version": "3.1.0", | ||
| "version": "3.1.1", | ||
| "readmeFilename": "README.md", | ||
@@ -47,6 +47,2 @@ "description": "Minimal application to convert npm audit report into gitlab-ci vulnerability report format.", | ||
| }, | ||
| "eslintConfig": { | ||
| "parser": "@babel/eslint-parser", | ||
| "extends": "@jitesoft" | ||
| }, | ||
| "meta": { | ||
@@ -53,0 +49,0 @@ "scanner": { |
New alerts
Environment variable access
Supply chain riskPackage accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 1 instance in 1 package
Fixed alerts
Dynamic require
Supply chain riskDynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by1.72%
53799
- Lines of code
- increased by6.11%
434
- Number of low supply chain risk alerts
- decreased by-25%
3
No dependency changes