Comparing version 1.7.0 to 2.0.0
@@ -51,3 +51,3 @@ /* | ||
alias: 'summary', | ||
default: true, | ||
default: false, | ||
describe: 'Show a summary audit report', | ||
@@ -84,2 +84,8 @@ type: 'boolean', | ||
}, | ||
'report-type': { | ||
default: 'important', | ||
describe: 'Format for the audit report results', | ||
type: 'string', | ||
choices: ['important', 'summary', 'full'], | ||
}, | ||
'retry-count': { | ||
@@ -110,14 +116,32 @@ default: 5, | ||
function mapReportLevelInput(config) { | ||
if (config.r) { | ||
return { full: true }; | ||
function mapReportTypeInput(config) { | ||
const { 'report-type': reportType, report, summary } = config; | ||
if (report) { | ||
console.warn( | ||
'\x1b[33m%s\x1b[0m', | ||
"[DEPRECATED] The 'r' and 'report' options have been deprecated and may be removed in the future. Use `--report-type important` [default] to show only relevant information or `--report-type full` to show the full audit report." | ||
); | ||
return 'full'; | ||
} | ||
if (config.s) { | ||
return { summary: true }; | ||
if (summary) { | ||
console.warn( | ||
'\x1b[33m%s\x1b[0m', | ||
"[DEPRECATED] The 's' and 'summary' options have been deprecated and may be removed in the future. Use `--report-type important` [default] to show only relevant information or `--report-type summary` to show only the audit metadata." | ||
); | ||
return 'summary'; | ||
} | ||
return {}; | ||
switch (reportType) { | ||
case 'full': | ||
case 'important': | ||
case 'summary': | ||
return reportType; | ||
default: | ||
throw new Error( | ||
`Invalid report type: ${reportType}. Should be \`['important', 'full', 'summary']\`.` | ||
); | ||
} | ||
} | ||
argv.levels = mapVulnerabilityLevelInput(argv); | ||
argv.report = mapReportLevelInput(argv); | ||
argv['report-type'] = mapReportTypeInput(argv); | ||
@@ -124,0 +148,0 @@ /** |
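Review bot: In mapReportTypeInput the deprecated `report` and `summary` flags take precedence over an explicit `--report-type`, so `--report-type summary --report` (or a JSON config that still carries `"report": true` next to the new key) prints the full report and only emits the deprecation warning. Consider rejecting the conflict rather than silently resolving it, e.g. `if (report && reportType !== 'important') throw new Error("'--report' conflicts with '--report-type'; remove the deprecated flag.");` and likewise for `summary`, or at least state the precedence in the warning text. The `'report-type'` option block declares no `alias`, yet the README rows in this release list `-p` for both `--report-type` and `--package-manager`; if no short alias is intended, the README row should drop `-p` to avoid the collision. The `default:` throw in the switch looks reachable only for values that bypass yargs `choices` validation (presumably a config file; confirm), which is fine as defence in depth. `mapReportTypeInput` and the `argv` assignments sit fully inside the hunk.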
@@ -46,10 +46,36 @@ /* | ||
function printReport(parsedOutput, report) { | ||
if (report.full) { | ||
console.log('\x1b[36m%s\x1b[0m', 'NPM audit report JSON:'); | ||
console.log(JSON.stringify(parsedOutput, null, 2)); | ||
function printReport(parsedOutput, levels, reportType) { | ||
function printReportObj(text, obj) { | ||
console.log('\x1b[36m%s\x1b[0m', text); | ||
console.log(JSON.stringify(obj, null, 2)); | ||
} | ||
if (report.summary) { | ||
console.log('\x1b[36m%s\x1b[0m', 'NPM audit report summary:'); | ||
console.log(JSON.stringify(parsedOutput.metadata, null, 2)); | ||
switch (reportType) { | ||
case 'full': | ||
printReportObj('Yarn audit report JSON:', parsedOutput); | ||
break; | ||
case 'important': { | ||
const relevantAdvisories = Object.keys(parsedOutput.advisories).reduce( | ||
(acc, advisory) => | ||
levels[parsedOutput.advisories[advisory].severity] | ||
? Object.assign( | ||
{ [advisory]: parsedOutput.advisories[advisory] }, | ||
acc | ||
) | ||
: acc, | ||
{} | ||
); | ||
const keyFindings = { | ||
advisories: relevantAdvisories, | ||
metadata: parsedOutput.metadata, | ||
}; | ||
printReportObj('NPM audit report results:', keyFindings); | ||
break; | ||
} | ||
case 'summary': | ||
printReportObj('NPM audit report summary:', parsedOutput.metadata); | ||
break; | ||
default: | ||
throw new Error( | ||
`Invalid report type: ${reportType}. Should be \`['important', 'full', 'summary']\`.` | ||
); | ||
} | ||
@@ -64,3 +90,3 @@ return parsedOutput; | ||
* `directory`: the directory containing the package.json to audit. | ||
* `report`: report level: `full` for full report, `summary` for summary | ||
* `report-type`: [`important`, `summary`, `full`] how the audit report is displayed. | ||
* `whitelist`: a list of packages that should not break the build if their vulnerability is found. | ||
@@ -76,4 +102,6 @@ * `advisories`: a list of advisory ids that should not break the build if found. | ||
.then(() => runNpmAudit(config)) | ||
.then(parsedOutput => printReport(parsedOutput, config.report)) | ||
.then(parsedOutput => | ||
printReport(parsedOutput, config.levels, config['report-type']) | ||
) | ||
.then(parsedOutput => | ||
reporter(new Model(config).load(parsedOutput), config, parsedOutput) | ||
@@ -80,0 +108,0 @@ ); |
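Review bot: The `full` branch of printReport labels its output `'Yarn audit report JSON:'` although this is the npm reporter — the removed line and the other two branches say `NPM audit report ...` — so it should read `printReportObj('NPM audit report JSON:', parsedOutput);`. The `important` branch also calls `Object.keys(parsedOutput.advisories)` unguarded, so an audit payload without an `advisories` object throws a TypeError out of the promise chain instead of printing the metadata; `Object.keys(parsedOutput.advisories || {})` keeps the summary useful. Building `relevantAdvisories` with `Object.assign({ [advisory]: ... }, acc)` copies the accumulator on every iteration (quadratic in advisory count) and reverses key order; filtering keys into a fresh object is simpler and linear. The new `levels` parameter is undocumented; a JSDoc line such as `@param {Object} levels severity name -> boolean (from mapVulnerabilityLevelInput; confirm shape)` would help the next reader.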
@@ -40,3 +40,3 @@ /* | ||
* `directory`: the directory containing the package.json to audit. | ||
* `report`: report level: `full` for full report, `summary` for summary | ||
* `report-type`: [`important`, `summary`, `full`] how the audit report is displayed. | ||
* `whitelist`: a list of packages that should not break the build if their vulnerability is found. | ||
@@ -52,3 +52,9 @@ * `advisories`: a list of advisory ids that should not break the build if found. | ||
return Promise.resolve().then(() => { | ||
const { registry, report, whitelist, _yarn } = config; | ||
const { | ||
levels, | ||
registry, | ||
'report-type': reportType, | ||
whitelist, | ||
_yarn, | ||
} = config; | ||
const yarnExec = _yarn || 'yarn'; | ||
@@ -70,10 +76,18 @@ let missingLockFile = false; | ||
if (report.full) { | ||
console.log('\x1b[36m%s\x1b[0m', 'Yarn audit report JSON:'); | ||
switch (reportType) { | ||
case 'full': | ||
console.log('\x1b[36m%s\x1b[0m', 'Yarn audit report JSON:'); | ||
break; | ||
case 'important': | ||
console.log('\x1b[36m%s\x1b[0m', 'Yarn audit report results:'); | ||
break; | ||
case 'summary': | ||
console.log('\x1b[36m%s\x1b[0m', 'Yarn audit report summary:'); | ||
break; | ||
default: | ||
throw new Error( | ||
`Invalid report type: ${reportType}. Should be \`['important', 'full', 'summary']\`.` | ||
); | ||
} | ||
if (report.summary) { | ||
console.log('\x1b[36m%s\x1b[0m', 'Yarn audit report summary:'); | ||
} | ||
function outListener(line) { | ||
@@ -84,8 +98,24 @@ try { | ||
if (report.full) { | ||
console.log(JSON.stringify(auditLine, null, 2)); | ||
switch (reportType) { | ||
case 'full': | ||
console.log(JSON.stringify(auditLine, null, 2)); | ||
break; | ||
case 'important': | ||
if ( | ||
(type === 'auditAdvisory' && levels[data.advisory.severity]) || | ||
type === 'auditSummary' | ||
) { | ||
console.log(JSON.stringify(data, null, 2)); | ||
} | ||
break; | ||
case 'summary': | ||
if (type === 'auditSummary') { | ||
console.log(JSON.stringify(data, null, 2)); | ||
} | ||
break; | ||
default: | ||
throw new Error( | ||
`Invalid report type: ${reportType}. Should be \`['important', 'full', 'summary']\`.` | ||
); | ||
} | ||
if (report.summary && type === 'auditSummary') { | ||
console.log(JSON.stringify(data, null, 2)); | ||
} | ||
@@ -92,0 +122,0 @@ if (type === 'info' && data === 'No lockfile found.') { |
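Review bot: The `default:` throw inside outListener duplicates the validation already performed by the switch before any output is read, so it is unreachable; if it ever did fire it would do so from inside a per-line callback, where a thrown Error is not routed into the enclosing Promise and, depending on how the listener is attached (outside this hunk), could surface as an uncaught exception. I would drop the inner `default` branch or reduce it to `// reportType already validated above`. The `important` branch dereferences `data.advisory.severity` whenever `type === 'auditAdvisory'`; that matches the yarn line format as far as this hunk shows, but `data.advisory && levels[data.advisory.severity]` is cheap insurance against a malformed line. The enclosing `.then(() => { ... })` callback and `outListener` both continue past the end of the hunk.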
{ | ||
"name": "audit-ci", | ||
"version": "1.7.0", | ||
"version": "2.0.0", | ||
"description": "Audits npm and yarn projects in CI environments", | ||
@@ -5,0 +5,0 @@ "license": "Apache-2.0", |
@@ -61,7 +61,7 @@ [![Build Status](https://travis-ci.com/IBM/audit-ci.svg?branch=master)](https://travis-ci.com/IBM/audit-ci) | ||
An alternative to installing as a devDependency is to install globally within the CI environment at run-time. | ||
An alternative to installing as a devDependency is to use npx to install within the CI environment at run-time. | ||
```yml | ||
before_install: | ||
- if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npm i -g audit-ci && audit-ci -m; fi | ||
- if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then npx audit-ci -m; fi | ||
``` | ||
@@ -71,18 +71,19 @@ | ||
| Args | Alias | Description | | ||
| ---- | ----------------- | ------------------------------------------------------------------------------------------ | | ||
| -l | --low | Prevents integration with low or higher vulnerabilities (default `false`) | | ||
| -m | --moderate | Prevents integration with moderate or higher vulnerabilities (default `false`) | | ||
| -h | --high | Prevents integration with high or critical vulnerabilities (default `false`) | | ||
| -c | --critical | Prevents integration only with critical vulnerabilities (default `false`) | | ||
| -p | --package-manager | Choose a package manager [_choices_: `auto`, `npm`, `yarn`] (default `auto`) | | ||
| -r | --report | Shows the full audit report (default `false`) | | ||
| -s | --summary | Shows the summary audit report (default `true`) | | ||
| -a | --advisories | Vulnerable advisory ids to whitelist from preventing integration (default `none`) | | ||
| -w | --whitelist | Vulnerable modules to whitelist from preventing integration (default `none`) | | ||
| -d | --directory | The directory containing the package.json to audit (default `./`) | | ||
| | --show-not-found | Show whitelisted advisories that are not found (default `true`) | | ||
| | --registry | The registry to resolve packages by name and version (default to unspecified) | | ||
| | --retry-count | The number of attempts audit-ci calls an unavailable registry before failing (default `5`) | | ||
| | --config | Path to JSON config file | | ||
| Args | Alias | Description | | ||
| ---- | ----------------- | ----------------------------------------------------------------------------------------------------- | | ||
| -l | --low | Prevents integration with low or higher vulnerabilities (default `false`) | | ||
| -m | --moderate | Prevents integration with moderate or higher vulnerabilities (default `false`) | | ||
| -h | --high | Prevents integration with high or critical vulnerabilities (default `false`) | | ||
| -c | --critical | Prevents integration only with critical vulnerabilities (default `false`) | | ||
| -p | --report-type | Format for the audit report results [_choices_: `important`, `summary`, `full`] (default `important`) | | ||
| -p | --package-manager | Choose a package manager [_choices_: `auto`, `npm`, `yarn`] (default `auto`) | | ||
| -a | --advisories | Vulnerable advisory ids to whitelist from preventing integration (default `none`) | | ||
| -w | --whitelist | Vulnerable modules to whitelist from preventing integration (default `none`) | | ||
| -d | --directory | The directory containing the package.json to audit (default `./`) | | ||
| | --show-not-found | Show whitelisted advisories that are not found (default `true`) | | ||
| | --registry | The registry to resolve packages by name and version (default to unspecified) | | ||
| | --retry-count | The number of attempts audit-ci calls an unavailable registry before failing (default `5`) | | ||
| | --config | Path to JSON config file | | ||
| -r | --report | [_DEPRECATED_] (Use `--report-type full`) Shows the full audit report (default `false`) | | ||
| -s | --summary | [_DEPRECATED_] (Use `--report-type summary`) Shows the summary audit report (default `false`) | | ||
@@ -100,4 +101,3 @@ ### (_Optional_) Config file specification | ||
"critical": <boolean>, // [Optional] defaults `false` | ||
"report": <boolean>, // [Optional] defaults `false` | ||
"summary": <boolean>, // [Optional] defaults `true` | ||
"report-type": <string>, // [Optional] defaults `important` | ||
"package-manager": <string>, // [Optional] defaults `"auto"` | ||
@@ -131,12 +131,12 @@ "advisories": <number[]>, // [Optional] defaults `[]` | ||
### Prevents build with critical vulnerabilities using aliases without showing the report | ||
### Prevents build with critical vulnerabilities showing the full report | ||
```sh | ||
audit-ci --critical --report false | ||
audit-ci --critical --report-type full | ||
``` | ||
### Continues build regardless of vulnerabilities, but show the report | ||
### Continues build regardless of vulnerabilities, but show the summary report | ||
```sh | ||
audit-ci | ||
audit-ci --report-type summary | ||
``` | ||
@@ -143,0 +143,0 @@ |