New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More →
better-npm-audit
Advanced tools
better-npm-audit - npm Package Compare versions
Comparing version 3.1.2 to 3.2.0-rc
12
index.js
@@ -17,7 +17,8 @@ #!/usr/bin/env node | ||
| * Run audit | ||
| * @param {String} auditCommand The NPM audit command to use (with flags) | ||
| * @param {String} auditLevel The level of vulnerabilities we care about | ||
| * @param {Array} exceptionIds List of vulnerability IDs to exclude | ||
| * @param {String} auditCommand The NPM audit command to use (with flags) | ||
| * @param {String} auditLevel The level of vulnerabilities we care about | ||
| * @param {Array} exceptionIds List of vulnerability IDs to exclude | ||
| * @param {Boolean} shouldScanModules Flag if we should scan the node_modules | ||
| */ | ||
| function callback(auditCommand, auditLevel, exceptionIds) { | ||
| function callback(auditCommand, auditLevel, exceptionIds, shouldScanModules) { | ||
| // Increase the default max buffer size (1 MB) | ||
@@ -32,3 +33,3 @@ var audit = child_process_1.exec(auditCommand + " --json", { maxBuffer: MAX_BUFFER_SIZE }); | ||
| if (audit.stderr) { | ||
| audit.stderr.on('close', function () { return handleFinish_1.default(jsonBuffer, auditLevel, exceptionIds); }); | ||
| audit.stderr.on('close', function () { return handleFinish_1.default(jsonBuffer, auditLevel, exceptionIds, shouldScanModules); }); | ||
| // stderr | ||
@@ -47,3 +48,4 @@ audit.stderr.on('data', console.error); | ||
| .option('-r, --registry <url>', 'The npm registry url to use.') | ||
| .option('-s, --scan-modules [boolean]', 'Scan through reported modules for .nsprc file.', true) | ||
| .action(function (options) { return handleInput_1.default(options, callback); }); | ||
| program.parse(process.argv); |
| { | ||
| "name": "better-npm-audit", | ||
| "version": "3.1.2", | ||
| "version": "3.2.0-rc", | ||
| "author": "Jee Mok <jee.ict@hotmail.com>", | ||
@@ -44,3 +44,4 @@ "description": "Reshape npm audit into the way the community would like, by the community itself, to encourage more people to do security audits.", | ||
| "scripts": { | ||
| "audit": "npm run build && node . audit", | ||
| "audit:only": "node . audit", | ||
| "audit": "npm run build && npm run audit:only", | ||
| "test": "mocha -r ts-node/register test/**/*.test.ts", | ||
@@ -53,4 +54,4 @@ "lint": "eslint .", | ||
| "postbuild": "cp README.md lib", | ||
| "publish:live": "npm run build && npm publish lib --tag latest", | ||
| "publish:next": "npm run build && npm publish lib --tag next" | ||
| "publish:live": "npm run build && npm publish ./lib --tag latest", | ||
| "publish:next": "npm run build && npm publish ./lib --tag next" | ||
| }, | ||
@@ -57,0 +58,0 @@ "devDependencies": { |
@@ -74,8 +74,9 @@ # Better NPM Audit | ||
| | Flag | Short | Description | | ||
| | -------------- | ----- | ------------------------------------------------------------------------------ | | ||
| | `--exclude` | `-x` | Exceptions or the vulnerabilities ID(s) to exclude | | ||
| | `--level` | `-l` | The minimum audit level to validate; Same as the original `--audit-level` flag | | ||
| | `--production` | `-p` | Skip checking the `devDependencies` | | ||
| | `--registry` | `-r` | The npm registry url to use | | ||
| | Flag | Short | Default | Description | | ||
| | ---------------- | ----- | ------- | ------------------------------------------------------------------------------------------------- | | ||
| | `--exclude` | `-x` | | Exceptions or the vulnerabilities ID(s) to exclude | | ||
| | `--level` | `-l` | | The minimum audit level to validate; Same as the original `--audit-level` flag | | ||
| | `--production` | `-p` | | Skip checking the `devDependencies` | | ||
| | `--registry` | `-r` | | The npm registry url to use | | ||
| | `--scan-modules` | `-s` | `true` | Scan through reported modules for `.nsprc` file. Note: this feature currently only support NPM v7 | | ||
@@ -130,2 +131,12 @@ <br /> | ||
| ## Auto exclusion from maintainers' notes | ||
| Module that has `.nsprc` file will be used in the audit process if `--scan-modules` flag is enabled: | ||
| <img src="./.README/auto_exclusion.png" alt="Demo of excluding vulnerabilities flagged by the module maintainers" /> | ||
| > Note: This feature currently only support npm v7 | ||
| <br /> | ||
| ## Changelog | ||
@@ -132,0 +143,0 @@ |
@@ -7,9 +7,10 @@ "use strict"; | ||
| * Process and analyze the NPM audit JSON | ||
| * @param {String} jsonBuffer NPM audit stringified JSON payload | ||
| * @param {Number} auditLevel The level of vulnerabilities we care about | ||
| * @param {Array} exceptionIds List of vulnerability IDs to exclude | ||
| * @param {String} jsonBuffer NPM audit stringified JSON payload | ||
| * @param {Number} auditLevel The level of vulnerabilities we care about | ||
| * @param {Array} exceptionIds List of vulnerability IDs to exclude | ||
| * @param {Boolean} shouldScanModules Flag if we should scan the node_modules | ||
| * @return {undefined} | ||
| */ | ||
| function handleFinish(jsonBuffer, auditLevel, exceptionIds) { | ||
| var _a = vulnerability_1.processAuditJson(jsonBuffer, auditLevel, exceptionIds), unhandledIds = _a.unhandledIds, vulnerabilityIds = _a.vulnerabilityIds, report = _a.report, failed = _a.failed; | ||
| function handleFinish(jsonBuffer, auditLevel, exceptionIds, shouldScanModules) { | ||
| var _a = vulnerability_1.processAuditJson(jsonBuffer, auditLevel, exceptionIds, shouldScanModules), unhandledIds = _a.unhandledIds, vulnerabilityIds = _a.vulnerabilityIds, report = _a.report, maintainerReport = _a.maintainerReport, failed = _a.failed; | ||
| // If unable to process the audit JSON | ||
@@ -20,3 +21,3 @@ if (failed) { | ||
| process.exit(1); | ||
| return; | ||
| return; // This seem unused but it is actually using in the test files to stop the process when we stubbing `process.exit()` above | ||
| } | ||
@@ -29,3 +30,3 @@ // Print the security report | ||
| var unusedExceptionIds = exceptionIds.filter(function (id) { return !vulnerabilityIds.includes(id); }); | ||
| // Display the unused exceptionId's | ||
| // Display the unused exception IDs | ||
| if (unusedExceptionIds.length) { | ||
@@ -38,2 +39,7 @@ var messages = [ | ||
| } | ||
| // Display the auto excluded vulnerabilities | ||
| if (maintainerReport.length) { | ||
| print_1.printMaintainerReport(maintainerReport); | ||
| console.info('The auto scanning and exclusion is enabled by default, use `--scan-modules=false` to turn off this feature.'); | ||
| } | ||
| // Display the found unhandled vulnerabilities | ||
@@ -40,0 +46,0 @@ if (unhandledIds.length) { |
@@ -32,4 +32,5 @@ "use strict"; | ||
| var exceptionIds = vulnerability_1.getExceptionsIds(nsprc, cmdExceptions); | ||
| fn(auditCommand, auditLevel, exceptionIds); | ||
| var shouldScanModules = options.scanModules !== 'false'; | ||
| fn(auditCommand, auditLevel, exceptionIds, shouldScanModules); | ||
| } | ||
| exports.default = handleInput; |
@@ -8,3 +8,3 @@ "use strict"; | ||
| Object.defineProperty(exports, "__esModule", { value: true }); | ||
| exports.printExceptionReport = exports.printSecurityReport = void 0; | ||
| exports.printMaintainerReport = exports.printExceptionReport = exports.printSecurityReport = void 0; | ||
| var table_1 = require("table"); | ||
@@ -45,1 +45,17 @@ var SECURITY_REPORT_HEADER = ['ID', 'Module', 'Title', 'Sev.', 'URL', 'Ex.']; | ||
| exports.printExceptionReport = printExceptionReport; | ||
| /** | ||
| * Print the exception report in a table format | ||
| * @param {Array} data Array of arrays | ||
| * @return {undefined} Returns void | ||
| */ | ||
| function printMaintainerReport(data) { | ||
| var configs = { | ||
| singleLine: true, | ||
| header: { | ||
| alignment: 'center', | ||
| content: '=== auto exclusion from modules ===\n', | ||
| }, | ||
| }; | ||
| console.info(table_1.table(__spreadArray([EXCEPTION_REPORT_HEADER], data), configs)); | ||
| } | ||
| exports.printMaintainerReport = printMaintainerReport; |
@@ -12,2 +12,3 @@ "use strict"; | ||
| var date_1 = require("./date"); | ||
| var file_1 = require("./file"); | ||
| /** | ||
@@ -37,11 +38,13 @@ * Converts an audit level to a numeric value | ||
| * Analyze the JSON string buffer | ||
| * @param {String} jsonBuffer NPM Audit JSON string buffer | ||
| * @param {String} auditLevel User's target audit level | ||
| * @param {Array} exceptionIds User's exception IDs | ||
| * @return {Object} Processed vulnerabilities details | ||
| * @param {String} jsonBuffer NPM Audit JSON string buffer | ||
| * @param {String} auditLevel User's target audit level | ||
| * @param {Array} exceptionIds User's exception IDs | ||
| * @param {Boolean} shouldScanModules Flag if we should scan the node_modules | ||
| * @return {Object} Processed vulnerabilities details | ||
| */ | ||
| function processAuditJson(jsonBuffer, auditLevel, exceptionIds) { | ||
| function processAuditJson(jsonBuffer, auditLevel, exceptionIds, shouldScanModules) { | ||
| if (jsonBuffer === void 0) { jsonBuffer = ''; } | ||
| if (auditLevel === void 0) { auditLevel = 'info'; } | ||
| if (exceptionIds === void 0) { exceptionIds = []; } | ||
| if (shouldScanModules === void 0) { shouldScanModules = true; } | ||
| if (!common_1.isJsonString(jsonBuffer)) { | ||
@@ -52,2 +55,3 @@ return { | ||
| report: [], | ||
| maintainerReport: [], | ||
| failed: true, | ||
@@ -84,2 +88,3 @@ }; | ||
| report: [], | ||
| maintainerReport: [], | ||
| }); | ||
@@ -99,3 +104,37 @@ } | ||
| var shouldAudit = mapLevelToNumber(vul.severity) >= mapLevelToNumber(auditLevel); | ||
| var isExcepted = exceptionIds.includes(id); | ||
| // If this flag is enabled, | ||
| var isExceptedByMaintainers = false; | ||
| if (shouldScanModules && typeof cur !== 'string') { | ||
| // Find all the affected modules | ||
| isExceptedByMaintainers = cur.nodes.every(function (path) { | ||
| // Try checking if the module itself if the maintainer has a `.nsprc` file | ||
| var maintainerNsprc = file_1.readFile(path + "/.nsprc"); | ||
| // File not found | ||
| if (typeof maintainerNsprc === 'boolean') { | ||
| return false; | ||
| } | ||
| // Process the file to get valid exceptions | ||
| var _a = processExceptions(maintainerNsprc, []), maintainerExceptionIds = _a.exceptionIds, maintainerReport = _a.report; | ||
| var exceptionRow = maintainerReport.find(function (_a) { | ||
| var exceptionId = _a[0]; | ||
| return Number(exceptionId) === id; | ||
| }); | ||
| // Append the relevant exception into the maintainer report | ||
| if (exceptionRow) { | ||
| acc.maintainerReport.push(exceptionRow); | ||
| } | ||
| // Check if the maintainer have explicitly exclude the vulnerability | ||
| return maintainerExceptionIds.includes(id); | ||
| }); | ||
| } | ||
| var isExceptedByUs = exceptionIds.includes(id); | ||
| var isExcepted = isExceptedByUs || isExceptedByMaintainers; | ||
| // Construct `isExcepted` value to display in the report | ||
| var isExceptedValue = color_1.color('n', 'red'); | ||
| if (isExceptedByMaintainers) { | ||
| isExceptedValue = 'auto'; | ||
| } | ||
| else if (isExceptedByUs) { | ||
| isExceptedValue = 'y'; | ||
| } | ||
| // Record this vulnerability into the report, and highlight it using yellow color if it's new | ||
@@ -108,3 +147,3 @@ acc.report.push([ | ||
| color_1.color(vul.url, isExcepted ? '' : 'yellow'), | ||
| isExcepted ? 'y' : color_1.color('n', 'red'), | ||
| isExceptedValue, | ||
| ]); | ||
@@ -122,2 +161,3 @@ acc.vulnerabilityIds.push(id); | ||
| report: [], | ||
| maintainerReport: [], | ||
| }); | ||
@@ -129,2 +169,3 @@ } | ||
| report: [], | ||
| maintainerReport: [], | ||
| failed: true, | ||
@@ -131,0 +172,0 @@ }; |
New alerts
No v1
QualityPackage is not semver >=1. This means it is not stable and does not support ^ ranges.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by14.38%
35072
- Lines of code
- increased by12.11%
611
- Number of lines in readme file
- increased by7.33%
161
Worsened metrics
- Number of low quality alerts
- increased by100%
2
No dependency changes