@nodesecure/vuln

Vulnerabilities strategies

NodeSecure vulnerabilities strategies built for NodeSecure scanner.

Requirements

• Node.js v14 or higher

Getting Started

This package is available in the Node Package Repository and can be easily installed with npm or yarn.

$ npm i @nodesecure/vuln
# or
$ yarn add @nodesecure/vuln

Usage example

import * as vuln from "@nodesecure/vuln";

// Default strategy is currently "npm".
await vuln.setStrategy(vuln.strategies.NPM_AUDIT);

const definition = await vuln.getStrategy();
console.log(definition.strategy);

await definition.hydratePayloadDependencies(new Map());

Available strategy

• NPM Audit
• Node.js Security WG - Database
• [COMING SOON] Snyk.

Those strategies are described as "string" type with the following TypeScript definition:

type Kind = "npm" | "node";

API

See types/api.d.ts for a complete TypeScript definition.

function setStrategy(name?: Strategy.Kind, options?: Strategy.Options): Promise<Strategy.Definition>;
function getStrategy(): Promise<Strategy.Definition>;
const strategies: {
  SECURITY_WG: "node";
  NPM_AUDIT: "npm";
};

Strategy Kind and Options are described by the following interfaces:

export interface Options {
  /** Force hydratation of the strategy local database (if the strategy has one obviously) **/
  hydrateDatabase?: boolean;
}

export interface Definition {
  /** Name of the strategy **/
  strategy: Kind;
  /** Method to hydrate (insert/push) vulnerabilities in the dependencies retrieved by the Scanner **/
  hydratePayloadDependencies: (dependencies: Dependencies) => Promise<void>;
  /** Hydrate local database (if the strategy need one obviously) **/
  hydrateDatabase?: () => Promise<void>;
  /** Method to delete the local vulnerabilities database (if available) **/
  deleteDatabase?: () => Promise<void>;
}

Where dependencies is the dependencies Map() object of the scanner.

Note: the option hydrateDatabase is only useful for some of the strategy (like Node.js Security WG).

License

MIT