audit-app - npm Package Compare versions

Comparing version 0.7.0 to 0.8.0

lib/audit.js

@@ -20,2 +20,3 @@ "use strict";
     paths: advisory.findings.reduce((acc, finding) => acc.concat(finding.paths), []),
+    ghAdvisoryId: advisory.github_advisory_id,
     versions: advisory.findings.map(finding => finding.version),
@@ -63,6 +64,6 @@ range: advisory.vulnerable_versions,
     if ('auditReportVersion' in auditOutput) {
-        return processNpm7AuditOutput_1.processNpm7AuditOutput(auditOutput, dir);
+        return (0, processNpm7AuditOutput_1.processNpm7AuditOutput)(auditOutput, dir);
     }
     return {
-        findings: exports.toMapOfFindings(Object.values(auditOutput.advisories).map(npm6AdvisoryToFinding)),
+        findings: (0, exports.toMapOfFindings)(Object.values(auditOutput.advisories).map(npm6AdvisoryToFinding)),
         dependencyStatistics: extractDependencyStatistics(auditOutput.metadata)
@@ -75,3 +76,3 @@ };
         : collectNpmAuditResults;
-    const { stdout } = child_process_1.spawn(packageManager, [
+    const { stdout } = (0, child_process_1.spawn)(packageManager, [
         'audit',
@@ -78,0 +79,0 @@ '--json',

lib/cli.js

@@ -6,2 +6,2 @@ #!/usr/bin/env node
 const parseArgs_1 = require("./parseArgs");
-index_1.auditApp(parseArgs_1.parseArgs(process.argv.slice(2))).catch(console.error);
+(0, index_1.auditApp)((0, parseArgs_1.parseArgs)(process.argv.slice(2))).catch(console.error);

lib/determineVulnerablePackages.js

@@ -99,3 +99,3 @@ "use strict";
     return ((path === advisory.name || path.endsWith(`>${advisory.name}`)) &&
-        semver_1.satisfies(version, advisory.range));
+        (0, semver_1.satisfies)(version, advisory.range));
 };
@@ -102,0 +102,0 @@ const mapPathsToAdvisories = (packagePaths, advisories) => {

lib/formatReport.js

@@ -27,3 +27,3 @@ "use strict";
 };
-const countStr = (str) => strip_ansi_1.default(str).length;
+const countStr = (str) => (0, strip_ansi_1.default)(str).length;
 const pad = (str) => ` ${str.trim()} `;
@@ -72,3 +72,3 @@ var BoxChar;
     return warpInTopAndBottomBorders(maxLabelWidth, maxValueWidth, contents.reduce((acc, [label, value], index) => {
-        const lines = wrap_ansi_1.default(value, maxValueWidth - 2, {
+        const lines = (0, wrap_ansi_1.default)(value, maxValueWidth - 2, {
             hard: true
@@ -90,6 +90,9 @@ }).split('\n');
 const Severities = Object.keys(severityColors);
+const findingId = (finding) => {
+    return finding.ghAdvisoryId || `#${finding.id}`;
+};
 const buildFindingsTable = (finding) => buildTable([
     [
         severityColors[finding.severity](finding.severity),
-        chalk_1.default.whiteBright(`${finding.title} (#${finding.id})`)
+        chalk_1.default.whiteBright(`${finding.title} (${findingId(finding)})`)
     ],
@@ -141,3 +144,3 @@ [
     json: JSON.stringify,
-    paths: (report) => sortVulnerabilityPaths_1.sortVulnerabilityPaths(report.vulnerable).join('\n'),
+    paths: (report) => (0, sortVulnerabilityPaths_1.sortVulnerabilityPaths)(report.vulnerable).join('\n'),
     summary: (report) => buildReportSummary(report).join('\n'),
@@ -144,0 +147,0 @@ tables: (report) => [

lib/generateReport.js

@@ -19,4 +19,4 @@ "use strict";
     };
-    Object.values(results.findings).forEach(({ id, paths, severity }) => {
-        const { length: count } = paths.filter(path => ignores.includes(`${id}|${path}`));
+    Object.values(results.findings).forEach(({ id, ghAdvisoryId, paths, severity }) => {
+        const { length: count } = paths.filter(path => ignores.includes(`${ghAdvisoryId || id}|${path}`));
         const vulnerable = paths.length - count;
@@ -36,3 +36,3 @@ const ignored = count;
     ignored, missing] = Object.values(results.findings)
-        .reduce((allPaths, { id, paths }) => allPaths.concat(paths.map(path => `${id}|${path}`)), [])
+        .reduce((allPaths, { id, ghAdvisoryId, paths }) => allPaths.concat(paths.map(path => `${ghAdvisoryId || id}|${path}`)), [])
         .reduce((sorts, path) => {
@@ -39,0 +39,0 @@ const ignoreIndex = sorts[2].indexOf(path);

lib/index.d.ts

@@ -9,3 +9,5 @@ import { SupportedPackageManager } from './audit';
     output: SupportedReportFormat;
+    config: string;
+    updateConfigIgnores: boolean;
 }
 export declare const auditApp: (options: Options) => Promise<void>;

lib/index.js

@@ -5,2 +5,3 @@ "use strict";
 const audit_1 = require("./audit");
+const createOrUpdateConfig_1 = require("./createOrUpdateConfig");
 const formatReport_1 = require("./formatReport");
@@ -13,6 +14,10 @@ const generateReport_1 = require("./generateReport");
     try {
-        const results = await audit_1.audit(options.directory, options.packageManager);
-        const report = generateReport_1.generateReport(options.ignore, results);
+        const results = await (0, audit_1.audit)(options.directory, options.packageManager);
+        const report = (0, generateReport_1.generateReport)(options.ignore, results);
         process.exitCode = (report.vulnerable.length || report.missing.length) && 1;
-        console.log(formatReport_1.formatReport(options.output, report));
+        console.log((0, formatReport_1.formatReport)(options.output, report));
+        if (options.updateConfigIgnores && options.config) {
+            await (0, createOrUpdateConfig_1.createOrUpdateConfig)(options.config, report);
+            console.warn(`\nHave updated ${options.config} to ignore these vulnerabilities`);
+        }
     }
@@ -19,0 +24,0 @@ catch (error) {

lib/parseArgs.js

@@ -46,5 +46,9 @@ "use strict";
 const parseWithConfig = (args, configPath) => {
-    const { argv } = yargs_1.default(args)
+    const { argv } = (0, yargs_1.default)(args)
         .completion('completion', false)
         .options({
+        updateConfigIgnores: {
+            boolean: true,
+            default: false
+        },
         config: {
@@ -51,0 +55,0 @@ alias: 'c',

lib/processNpm7AuditOutput.js

@@ -16,2 +16,9 @@ "use strict";
 });
+const parseGithubAdvisoryId = (url) => {
+    if (url.startsWith('https://github.com/advisories/GHSA-')) {
+        return url.substring(url.indexOf('GHSA-'));
+    }
+    console.warn('could not find GitHub advisory ID');
+    return '';
+};
 /**
@@ -22,2 +29,3 @@ * Builds a `finding` from an `npm` v7 `advisory`
     id: advisory.source,
+    ghAdvisoryId: parseGithubAdvisoryId(advisory.url),
     name: advisory.name,
@@ -54,5 +62,5 @@ paths,
     const advisories = findAdvisories(auditOutput.vulnerabilities);
-    const vulnerablePackages = await determineVulnerablePackages_1.determineVulnerablePackages(advisories, dir);
+    const vulnerablePackages = await (0, determineVulnerablePackages_1.determineVulnerablePackages)(advisories, dir);
     return {
-        findings: audit_1.toMapOfFindings(advisories.map(via => {
+        findings: (0, audit_1.toMapOfFindings)(advisories.map(via => {
             const [paths, versions] = transpose(vulnerablePackages[via.source]);
@@ -59,0 +67,0 @@ return buildFinding(via, paths, versions);

lib/types.d.ts

@@ -38,2 +38,3 @@ export declare type Severity = 'info' | 'low' | 'moderate' | 'high' | 'critical';
     id: number;
+    ghAdvisoryId: string;
     name: string;
@@ -108,2 +109,3 @@ paths: string[];
     severity: Severity;
+    github_advisory_id: string;
     cwe: string;
@@ -110,0 +112,0 @@ metadata: AdvisoryMetadata;

package.json

 {
   "name": "audit-app",
-  "version": "0.7.0",
+  "version": "0.8.0",
   "description": "A cli tool for auditing apps & packages using their respective package managers.",
@@ -56,31 +56,31 @@ "keywords": [
   "devDependencies": {
-    "@jest/types": "^27.0.6",
-    "@types/eslint": "^7.28.0",
-    "@types/jest": "^26.0.24",
-    "@types/node": "^14.17.5",
+    "@jest/types": "^27.2.5",
+    "@types/eslint": "^7.28.1",
+    "@types/jest": "^27.0.2",
+    "@types/node": "^14.17.27",
     "@types/readline-transform": "^1.0.1",
-    "@types/semver": "^7.3.7",
+    "@types/semver": "^7.3.8",
     "@types/wrap-ansi": "^3.0.0",
     "@types/yargs": "^16.0.4",
-    "@typescript-eslint/eslint-plugin": "^4.28.4",
-    "@typescript-eslint/parser": "^4.28.4",
+    "@typescript-eslint/eslint-plugin": "^4.33.0",
+    "@typescript-eslint/parser": "^4.33.0",
     "ajv": "^8.6.2",
-    "eslint": "^7.31.0",
-    "eslint-config-ackama": "^2.1.2",
+    "eslint": "^7.32.0",
+    "eslint-config-ackama": "^2.2.1",
     "eslint-plugin-eslint-comments": "^3.2.0",
-    "eslint-plugin-import": "^2.23.4",
-    "eslint-plugin-jest": "^24.4.0",
+    "eslint-plugin-import": "^2.25.2",
+    "eslint-plugin-jest": "^24.7.0",
     "eslint-plugin-jest-formatting": "^3.0.0",
     "eslint-plugin-node": "^11.1.0",
-    "eslint-plugin-prettier": "^3.4.0",
-    "jest": "^27.0.6",
+    "eslint-plugin-prettier": "^3.4.1",
+    "jest": "^27.3.0",
     "memfs": "^3.2.0",
-    "prettier": "^2.3.2",
+    "prettier": "^2.4.1",
     "prettier-config-ackama": "^0.1.2",
-    "ts-jest": "^27.0.4",
+    "ts-jest": "^27.0.7",
     "ts-node": "^9.1.1",
     "ttypescript": "^1.5.12",
-    "typescript": "^4.3.5",
+    "typescript": "^4.4.4",
     "unionfs": "^4.4.0"
   }
 }

README.md

@@ -73,2 +73,10 @@ # audit-app
 
+### `--update-config-ignores`
+
+Default: false
+
+If provided, `audit-app` will attempt to update the config file pointed to by
+`--config` to contain an `ignore` property made up of the vulnerabilities found
+during the audit.
+
 ## `--package-manager`, `-p`
@@ -122,3 +130,3 @@
 ┌────────────┬────────────────────────────────────────────────────────────────────┐
-│ low        │ Prototype Pollution (#1523)                                        │
+│ low        │ Prototype Pollution (GHSA-p6mc-m468-83gw)                          │
 ├────────────┼────────────────────────────────────────────────────────────────────┤
@@ -129,3 +137,3 @@ │ Package    │ lodash v4.17.15, v3.10.1                                           │
 ├────────────┼────────────────────────────────────────────────────────────────────┤
-│ More info  │ https://npmjs.com/advisories/1523                                  │
+│ More info  │ https://github.com/advisories/GHSA-p6mc-m468-83gw                  │
 └────────────┴────────────────────────────────────────────────────────────────────┘
@@ -198,4 +206,4 @@
 
-> 1523|@commitlint/cli>@commitlint/load>@commitlint/resolve-extends>lodash\
-> 1523|@commitlint/cli>@commitlint/load>lodash
+> GHSA-p6mc-m468-83gw|@commitlint/cli>@commitlint/load>@commitlint/resolve-extends>lodash
+> GHSA-p6mc-m468-83gw|@commitlint/cli>@commitlint/load>lodash
 
@@ -234,4 +242,4 @@ If you're using a json config, you can use `jq` to convert the output into a
 ```shell script
-audit-app --format json | jq '.vulnerable | map(select(startswith("1556")))'
-audit-app --format json | jq '.vulnerable | map(select(startswith("1556")))'
+audit-app --format json | jq '.vulnerable | map(select(startswith("GHSA-w7rc-rwvf-8q5r")))'
+audit-app --format json | jq '.vulnerable | map(select(startswith("GHSA-w7rc-rwvf-8q5r")))'
 ```
@@ -257,3 +265,3 @@
 
-    1179|mkdirp>minimist
+    GHSA-abc1-123a-xyz9|mkdirp>minimist
 
@@ -264,9 +272,9 @@ You can provide this flag multiple times to ignore multiple vulnerabilities:
 audit-app \
-  --ignore '1213|@commitlint/cli>@commitlint/lint>@commitlint/parse>conventional-changelog-angular>compare-func>dot-prop' \
-  --ignore '1213|@commitlint/config-conventional>conventional-changelog-conventionalcommits>compare-func>dot-prop' \
-  --ignore '1213|semantic-release>@semantic-release/commit-analyzer>conventional-changelog-angular>compare-func>dot-prop' \
-  --ignore '1213|semantic-release>@semantic-release/release-notes-generator>conventional-changelog-angular>compare-func>dot-prop' \
-  --ignore '1213|semantic-release>@semantic-release/release-notes-generator>conventional-changelog-writer>compare-func>dot-prop' \
-  --ignore '1213|semantic-release>@semantic-release/npm>npm>libnpx>update-notifier>configstore>dot-prop' \
-  --ignore '1213|semantic-release>@semantic-release/npm>npm>update-notifier>configstore>dot-prop'
+  --ignore 'GHSA-ff7x-qrg7-qggm|@commitlint/cli>@commitlint/lint>@commitlint/parse>conventional-changelog-angular>compare-func>dot-prop' \
+  --ignore 'GHSA-ff7x-qrg7-qggm|@commitlint/config-conventional>conventional-changelog-conventionalcommits>compare-func>dot-prop' \
+  --ignore 'GHSA-ff7x-qrg7-qggm|semantic-release>@semantic-release/commit-analyzer>conventional-changelog-angular>compare-func>dot-prop' \
+  --ignore 'GHSA-ff7x-qrg7-qggm|semantic-release>@semantic-release/release-notes-generator>conventional-changelog-angular>compare-func>dot-prop' \
+  --ignore 'GHSA-ff7x-qrg7-qggm|semantic-release>@semantic-release/release-notes-generator>conventional-changelog-writer>compare-func>dot-prop' \
+  --ignore 'GHSA-ff7x-qrg7-qggm|semantic-release>@semantic-release/npm>npm>libnpx>update-notifier>configstore>dot-prop' \
+  --ignore 'GHSA-ff7x-qrg7-qggm|semantic-release>@semantic-release/npm>npm>update-notifier>configstore>dot-prop'
 ```
@@ -281,9 +289,9 @@
   "ignore": [
-    "1213|@commitlint/cli>@commitlint/lint>@commitlint/parse>conventional-changelog-angular>compare-func>dot-prop",
-    "1213|@commitlint/config-conventional>conventional-changelog-conventionalcommits>compare-func>dot-prop",
-    "1213|semantic-release>@semantic-release/commit-analyzer>conventional-changelog-angular>compare-func>dot-prop",
-    "1213|semantic-release>@semantic-release/release-notes-generator>conventional-changelog-angular>compare-func>dot-prop",
-    "1213|semantic-release>@semantic-release/release-notes-generator>conventional-changelog-writer>compare-func>dot-prop",
-    "1213|semantic-release>@semantic-release/npm>npm>libnpx>update-notifier>configstore>dot-prop",
-    "1213|semantic-release>@semantic-release/npm>npm>update-notifier>configstore>dot-prop"
+    "GHSA-ff7x-qrg7-qggm|@commitlint/cli>@commitlint/lint>@commitlint/parse>conventional-changelog-angular>compare-func>dot-prop",
+    "GHSA-ff7x-qrg7-qggm|@commitlint/config-conventional>conventional-changelog-conventionalcommits>compare-func>dot-prop",
+    "GHSA-ff7x-qrg7-qggm|semantic-release>@semantic-release/commit-analyzer>conventional-changelog-angular>compare-func>dot-prop",
+    "GHSA-ff7x-qrg7-qggm|semantic-release>@semantic-release/release-notes-generator>conventional-changelog-angular>compare-func>dot-prop",
+    "GHSA-ff7x-qrg7-qggm|semantic-release>@semantic-release/release-notes-generator>conventional-changelog-writer>compare-func>dot-prop",
+    "GHSA-ff7x-qrg7-qggm|semantic-release>@semantic-release/npm>npm>libnpx>update-notifier>configstore>dot-prop",
+    "GHSA-ff7x-qrg7-qggm|semantic-release>@semantic-release/npm>npm>update-notifier>configstore>dot-prop"
   ]
@@ -293,2 +301,5 @@ }
 
+You can have `audit-app` attempt to update the config for you with the
+`--update-config-ignores` flag.
+
 ## How it works
@@ -339,3 +350,3 @@
 audit-app \
-  --ignore 1179|mkdirp>minimist
+  --ignore GHSA-vh95-rmgr-6w4m|mkdirp>minimist
 ```
@@ -342,0 +353,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Number of package files

25

increased by4.17%

Lines of code

889

increased by5.83%

Number of lines in readme file

368

increased by3.08%

Worsened metrics

Total package byte prevSize

50992

decreased by-4.37%

Number of low supply chain risk alerts

3

increased by50%

No dependency changes