audit-ci - npm Package Compare versions

Comparing version 1.7.0 to 2.0.0

lib/audit-ci.js

@@ -51,3 +51,3 @@ /*
       alias: 'summary',
-      default: true,
+      default: false,
       describe: 'Show a summary audit report',
@@ -84,2 +84,8 @@ type: 'boolean',
     },
+    'report-type': {
+      default: 'important',
+      describe: 'Format for the audit report results',
+      type: 'string',
+      choices: ['important', 'summary', 'full'],
+    },
     'retry-count': {
@@ -110,14 +116,32 @@ default: 5,
 
-function mapReportLevelInput(config) {
-  if (config.r) {
-    return { full: true };
+function mapReportTypeInput(config) {
+  const { 'report-type': reportType, report, summary } = config;
+  if (report) {
+    console.warn(
+      '\x1b[33m%s\x1b[0m',
+      "[DEPRECATED] The 'r' and 'report' options have been deprecated and may be removed in the future. Use `--report-type important` [default] to show only relevant information or `--report-type full` to show the full audit report."
+    );
+    return 'full';
   }
-  if (config.s) {
-    return { summary: true };
+  if (summary) {
+    console.warn(
+      '\x1b[33m%s\x1b[0m',
+      "[DEPRECATED] The 's' and 'summary' options have been deprecated and may be removed in the future. Use `--report-type important` [default] to show only relevant information or `--report-type summary` to show only the audit metadata."
+    );
+    return 'summary';
   }
-  return {};
+  switch (reportType) {
+    case 'full':
+    case 'important':
+    case 'summary':
+      return reportType;
+    default:
+      throw new Error(
+        `Invalid report type: ${reportType}. Should be \`['important', 'full', 'summary']\`.`
+      );
+  }
 }
 
 argv.levels = mapVulnerabilityLevelInput(argv);
-argv.report = mapReportLevelInput(argv);
+argv['report-type'] = mapReportTypeInput(argv);
 
@@ -124,0 +148,0 @@ /**

lib/npm-auditer.js

@@ -46,10 +46,36 @@ /*
 
-function printReport(parsedOutput, report) {
-  if (report.full) {
-    console.log('\x1b[36m%s\x1b[0m', 'NPM audit report JSON:');
-    console.log(JSON.stringify(parsedOutput, null, 2));
+function printReport(parsedOutput, levels, reportType) {
+  function printReportObj(text, obj) {
+    console.log('\x1b[36m%s\x1b[0m', text);
+    console.log(JSON.stringify(obj, null, 2));
   }
-  if (report.summary) {
-    console.log('\x1b[36m%s\x1b[0m', 'NPM audit report summary:');
-    console.log(JSON.stringify(parsedOutput.metadata, null, 2));
+  switch (reportType) {
+    case 'full':
+      printReportObj('Yarn audit report JSON:', parsedOutput);
+      break;
+    case 'important': {
+      const relevantAdvisories = Object.keys(parsedOutput.advisories).reduce(
+        (acc, advisory) =>
+          levels[parsedOutput.advisories[advisory].severity]
+            ? Object.assign(
+                { [advisory]: parsedOutput.advisories[advisory] },
+                acc
+              )
+            : acc,
+        {}
+      );
+      const keyFindings = {
+        advisories: relevantAdvisories,
+        metadata: parsedOutput.metadata,
+      };
+      printReportObj('NPM audit report results:', keyFindings);
+      break;
+    }
+    case 'summary':
+      printReportObj('NPM audit report summary:', parsedOutput.metadata);
+      break;
+    default:
+      throw new Error(
+        `Invalid report type: ${reportType}. Should be \`['important', 'full', 'summary']\`.`
+      );
   }
@@ -64,3 +90,3 @@ return parsedOutput;
  * `directory`: the directory containing the package.json to audit.
- * `report`: report level: `full` for full report, `summary` for summary
+ * `report-type`: [`important`, `summary`, `full`] how the audit report is displayed.
  * `whitelist`: a list of packages that should not break the build if their vulnerability is found.
@@ -76,4 +102,6 @@ * `advisories`: a list of advisory ids that should not break the build if found.
     .then(() => runNpmAudit(config))
-    .then(parsedOutput => printReport(parsedOutput, config.report))
     .then(parsedOutput =>
+      printReport(parsedOutput, config.levels, config['report-type'])
+    )
+    .then(parsedOutput =>
       reporter(new Model(config).load(parsedOutput), config, parsedOutput)
@@ -80,0 +108,0 @@ );

lib/yarn-auditer.js

@@ -40,3 +40,3 @@ /*
  * `directory`: the directory containing the package.json to audit.
- * `report`: report level: `full` for full report, `summary` for summary
+ * `report-type`: [`important`, `summary`, `full`] how the audit report is displayed.
  * `whitelist`: a list of packages that should not break the build if their vulnerability is found.
@@ -52,3 +52,9 @@ * `advisories`: a list of advisory ids that should not break the build if found.
   return Promise.resolve().then(() => {
-    const { registry, report, whitelist, _yarn } = config;
+    const {
+      levels,
+      registry,
+      'report-type': reportType,
+      whitelist,
+      _yarn,
+    } = config;
     const yarnExec = _yarn || 'yarn';
@@ -70,10 +76,18 @@ let missingLockFile = false;
 
-    if (report.full) {
-      console.log('\x1b[36m%s\x1b[0m', 'Yarn audit report JSON:');
+    switch (reportType) {
+      case 'full':
+        console.log('\x1b[36m%s\x1b[0m', 'Yarn audit report JSON:');
+        break;
+      case 'important':
+        console.log('\x1b[36m%s\x1b[0m', 'Yarn audit report results:');
+        break;
+      case 'summary':
+        console.log('\x1b[36m%s\x1b[0m', 'Yarn audit report summary:');
+        break;
+      default:
+        throw new Error(
+          `Invalid report type: ${reportType}. Should be \`['important', 'full', 'summary']\`.`
+        );
     }
 
-    if (report.summary) {
-      console.log('\x1b[36m%s\x1b[0m', 'Yarn audit report summary:');
-    }
-
     function outListener(line) {
@@ -84,8 +98,24 @@ try {
 
-        if (report.full) {
-          console.log(JSON.stringify(auditLine, null, 2));
+        switch (reportType) {
+          case 'full':
+            console.log(JSON.stringify(auditLine, null, 2));
+            break;
+          case 'important':
+            if (
+              (type === 'auditAdvisory' && levels[data.advisory.severity]) ||
+              type === 'auditSummary'
+            ) {
+              console.log(JSON.stringify(data, null, 2));
+            }
+            break;
+          case 'summary':
+            if (type === 'auditSummary') {
+              console.log(JSON.stringify(data, null, 2));
+            }
+            break;
+          default:
+            throw new Error(
+              `Invalid report type: ${reportType}. Should be \`['important', 'full', 'summary']\`.`
+            );
         }
-        if (report.summary && type === 'auditSummary') {
-          console.log(JSON.stringify(data, null, 2));
-        }
 
@@ -92,0 +122,0 @@ if (type === 'info' && data === 'No lockfile found.') {

package.json

 {
   "name": "audit-ci",
-  "version": "1.7.0",
+  "version": "2.0.0",
   "description": "Audits npm and yarn projects in CI environments",
@@ -5,0 +5,0 @@ "license": "Apache-2.0",

README.md

@@ -61,7 +61,7 @@ [![Build Status](https://travis-ci.com/IBM/audit-ci.svg?branch=master)](https://travis-ci.com/IBM/audit-ci)
 
-An alternative to installing as a devDependency is to install globally within the CI environment at run-time.
+An alternative to installing as a devDependency is to use npx to install within the CI environment at run-time.
 
 ```yml
 before_install:
-  - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npm i -g audit-ci && audit-ci -m; fi
+  - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npx audit-ci -m; fi
 ```
@@ -71,18 +71,19 @@
 
-| Args | Alias             | Description                                                                                |
-| ---- | ----------------- | ------------------------------------------------------------------------------------------ |
-| -l   | --low             | Prevents integration with low or higher vulnerabilities (default `false`)                  |
-| -m   | --moderate        | Prevents integration with moderate or higher vulnerabilities (default `false`)             |
-| -h   | --high            | Prevents integration with high or critical vulnerabilities (default `false`)               |
-| -c   | --critical        | Prevents integration only with critical vulnerabilities (default `false`)                  |
-| -p   | --package-manager | Choose a package manager [_choices_: `auto`, `npm`, `yarn`] (default `auto`)               |
-| -r   | --report          | Shows the full audit report (default `false`)                                              |
-| -s   | --summary         | Shows the summary audit report (default `true`)                                            |
-| -a   | --advisories      | Vulnerable advisory ids to whitelist from preventing integration (default `none`)          |
-| -w   | --whitelist       | Vulnerable modules to whitelist from preventing integration (default `none`)               |
-| -d   | --directory       | The directory containing the package.json to audit (default `./`)                          |
-|      | --show-not-found  | Show whitelisted advisories that are not found (default `true`)                            |
-|      | --registry        | The registry to resolve packages by name and version (default to unspecified)              |
-|      | --retry-count     | The number of attempts audit-ci calls an unavailable registry before failing (default `5`) |
-|      | --config          | Path to JSON config file                                                                   |
+| Args | Alias             | Description                                                                                           |
+| ---- | ----------------- | ----------------------------------------------------------------------------------------------------- |
+| -l   | --low             | Prevents integration with low or higher vulnerabilities (default `false`)                             |
+| -m   | --moderate        | Prevents integration with moderate or higher vulnerabilities (default `false`)                        |
+| -h   | --high            | Prevents integration with high or critical vulnerabilities (default `false`)                          |
+| -c   | --critical        | Prevents integration only with critical vulnerabilities (default `false`)                             |
+| -p   | --report-type     | Format for the audit report results [_choices_: `important`, `summary`, `full`] (default `important`) |
+| -p   | --package-manager | Choose a package manager [_choices_: `auto`, `npm`, `yarn`] (default `auto`)                          |
+| -a   | --advisories      | Vulnerable advisory ids to whitelist from preventing integration (default `none`)                     |
+| -w   | --whitelist       | Vulnerable modules to whitelist from preventing integration (default `none`)                          |
+| -d   | --directory       | The directory containing the package.json to audit (default `./`)                                     |
+|      | --show-not-found  | Show whitelisted advisories that are not found (default `true`)                                       |
+|      | --registry        | The registry to resolve packages by name and version (default to unspecified)                         |
+|      | --retry-count     | The number of attempts audit-ci calls an unavailable registry before failing (default `5`)            |
+|      | --config          | Path to JSON config file                                                                              |
+| -r   | --report          | [_DEPRECATED_] (Use `--report-type full`) Shows the full audit report (default `false`)               |
+| -s   | --summary         | [_DEPRECATED_] (Use `--report-type summary`) Shows the summary audit report (default `false`)         |
 
@@ -100,4 +101,3 @@ ### (_Optional_) Config file specification
   "critical": <boolean>, // [Optional] defaults `false`
-  "report": <boolean>, // [Optional] defaults `false`
-  "summary": <boolean>, // [Optional] defaults `true`
+  "report-type": <string>, // [Optional] defaults `important`
   "package-manager": <string>, // [Optional] defaults `"auto"`
@@ -131,12 +131,12 @@ "advisories": <number[]>, // [Optional] defaults `[]`
 
-### Prevents build with critical vulnerabilities using aliases without showing the report
+### Prevents build with critical vulnerabilities showing the full report
 
 ```sh
-audit-ci --critical --report false
+audit-ci --critical --report-type full
 ```
 
-### Continues build regardless of vulnerabilities, but show the report
+### Continues build regardless of vulnerabilities, but show the summary report
 
 ```sh
-audit-ci
+audit-ci --report-type summary
 ```
@@ -143,0 +143,0 @@

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

39356

increased by8.34%

Lines of code

618

increased by15.51%

No dependency changes