better-npm-audit - npm Package Compare versions

Comparing version 3.5.1 to 3.6.0

index.js

@@ -20,4 +20,5 @@ #!/usr/bin/env node
  * @param  {Array}  exceptionIds    List of vulnerability IDs to exclude
+ * @param  {Array} modulesToIgnore   List of vulnerable modules to ignore in audit results
  */
-function callback(auditCommand, auditLevel, exceptionIds) {
+function callback(auditCommand, auditLevel, exceptionIds, modulesToIgnore) {
     // Increase the default max buffer size (1 MB)
@@ -32,3 +33,3 @@ var audit = child_process_1.exec(auditCommand + " --json", { maxBuffer: MAX_BUFFER_SIZE });
     if (audit.stderr) {
-        audit.stderr.on('close', function () { return handleFinish_1.default(jsonBuffer, auditLevel, exceptionIds); });
+        audit.stderr.on('close', function () { return handleFinish_1.default(jsonBuffer, auditLevel, exceptionIds, modulesToIgnore); });
         // stderr
@@ -44,2 +45,3 @@ audit.stderr.on('data', console.error);
     .option('-x, --exclude <ids>', 'Exceptions or the vulnerabilities ID(s) to exclude.')
+    .option('-m, --module-ignore <moduleNames>', 'Names of modules to ignore.')
     .option('-l, --level <auditLevel>', 'The minimum audit level to validate.')
@@ -46,0 +48,0 @@ .option('-p, --production', 'Skip checking the devDependencies.')

package.json

 {
     "name": "better-npm-audit",
-    "version": "3.5.1",
+    "version": "3.6.0",
     "author": "Jee Mok <jee.ict@hotmail.com>",
@@ -19,3 +19,4 @@ "description": "Reshape into a better npm audit for the community and encourage more people to include security audit into their process.",
     "scripts": {
-        "audit": "npm run build && node lib audit",
+        "preaudit": "npm run build",
+        "audit": "node lib audit -x 1004946,1006897",
         "test": "mocha -r ts-node/register test/**/*.test.ts",
@@ -22,0 +23,0 @@ "lint": "eslint .",

README.md

@@ -76,3 +76,4 @@ # Better NPM Audit
 | -------------- | ----- | ------------------------------------------------------------------------------ |
-| `--exclude`    | `-x`  | Exceptions or the vulnerabilities ID(s) to exclude                             |
+| `--exclude`    | `-x`  | Exceptions or the vulnerabilities ID(s) to exclude
+| `--module-ignore` | `-m` | Names of modules to exclude                            |
 | `--level`      | `-l`  | The minimum audit level to validate; Same as the original `--audit-level` flag |
@@ -79,0 +80,0 @@ | `--production` | `-p`  | Skip checking the `devDependencies`                                            |

src/handlers/handleFinish.js

@@ -10,6 +10,7 @@ "use strict";
  * @param  {Array} exceptionIds   List of vulnerability IDs to exclude
+ * @param  {Array} modulesToIgnore   List of vulnerable modules to ignore in audit results
  * @return {undefined}
  */
-function handleFinish(jsonBuffer, auditLevel, exceptionIds) {
-    var _a = vulnerability_1.processAuditJson(jsonBuffer, auditLevel, exceptionIds), unhandledIds = _a.unhandledIds, vulnerabilityIds = _a.vulnerabilityIds, report = _a.report, failed = _a.failed;
+function handleFinish(jsonBuffer, auditLevel, exceptionIds, modulesToIgnore) {
+    var _a = vulnerability_1.processAuditJson(jsonBuffer, auditLevel, exceptionIds, modulesToIgnore), unhandledIds = _a.unhandledIds, vulnerabilityIds = _a.vulnerabilityIds, vulnerabilityModules = _a.vulnerabilityModules, report = _a.report, failed = _a.failed;
     // If unable to process the audit JSON
@@ -28,8 +29,12 @@ if (failed) {
     var unusedExceptionIds = exceptionIds.filter(function (id) { return !vulnerabilityIds.includes(id); });
+    var unusedIgnoredModules = modulesToIgnore.filter(function (moduleName) { return !vulnerabilityModules.includes(moduleName); });
+    var messages = [
+        unusedExceptionIds.length + " of the excluded vulnerabilities did not match any of the found vulnerabilities: " + unusedExceptionIds.join(', ') + ".",
+        (unusedExceptionIds.length > 1 ? 'They' : 'It') + " can be removed from the .nsprc file or --exclude -x flags.",
+    ];
     // Display the unused exceptionId's
     if (unusedExceptionIds.length) {
-        var messages = [
-            unusedExceptionIds.length + " of the excluded vulnerabilities did not match any of the found vulnerabilities: " + unusedExceptionIds.join(', ') + ".",
-            (unusedExceptionIds.length > 1 ? 'They' : 'It') + " can be removed from the .nsprc file or --exclude -x flags.",
-        ];
+        if (unusedIgnoredModules.length) {
+            messages.push(unusedIgnoredModules.length + " of the ignored modules did not match any of the found vulnerabilites: " + unusedIgnoredModules.join(', ') + ".", (unusedIgnoredModules.length > 1 ? 'They' : 'It') + " can be removed from the --module-ignore -m flags.");
+        }
         console.warn(messages.join(' '));
@@ -36,0 +41,0 @@ }

src/handlers/handleInput.js

@@ -32,4 +32,5 @@ "use strict";
     var exceptionIds = vulnerability_1.getExceptionsIds(nsprc, cmdExceptions);
-    fn(auditCommand, auditLevel, exceptionIds);
+    var cmdModuleIgnore = lodash_get_1.default(options, 'moduleIgnore', '').split(',');
+    fn(auditCommand, auditLevel, exceptionIds, cmdModuleIgnore);
 }
 exports.default = handleInput;

src/utils/vulnerability.js

@@ -45,8 +45,10 @@ "use strict";
  * @param  {Array}  exceptionIds    User's exception IDs
+ * @param  {Array} modulesToIgnore  Users modules to ignore
  * @return {Object}                 Processed vulnerabilities details
  */
-function processAuditJson(jsonBuffer, auditLevel, exceptionIds) {
+function processAuditJson(jsonBuffer, auditLevel, exceptionIds, modulesToIgnore) {
     if (jsonBuffer === void 0) { jsonBuffer = ''; }
     if (auditLevel === void 0) { auditLevel = 'info'; }
     if (exceptionIds === void 0) { exceptionIds = []; }
+    if (modulesToIgnore === void 0) { modulesToIgnore = []; }
     if (!common_1.isJsonString(jsonBuffer)) {
@@ -56,2 +58,3 @@ return {
             vulnerabilityIds: [],
+            vulnerabilityModules: [],
             report: [],
@@ -70,15 +73,19 @@ failed: true,
             var isExcepted = exceptionIds.includes(Number(cur.id));
+            var isIgnoredModule = modulesToIgnore.includes(cur.module_name);
             // Record this vulnerability into the report, and highlight it using yellow color if it's new
             acc.report.push([
-                color_1.color(cur.id, isExcepted ? '' : 'yellow'),
-                color_1.color(cur.module_name, isExcepted ? '' : 'yellow'),
-                color_1.color(cur.title, isExcepted ? '' : 'yellow'),
-                color_1.color(common_1.trimArray(cur.findings.reduce(function (a, c) { return __spreadArray(__spreadArray([], a), c.paths); }, []), MAX_PATHS_SIZE).join('\n'), isExcepted ? '' : 'yellow'),
-                color_1.color(cur.severity, isExcepted ? '' : 'yellow', color_1.getSeverityBgColor(cur.severity)),
-                color_1.color(cur.url, isExcepted ? '' : 'yellow'),
-                isExcepted ? 'y' : color_1.color('n', 'yellow'),
+                color_1.color(cur.id, isExcepted || isIgnoredModule ? '' : 'yellow'),
+                color_1.color(cur.module_name, isExcepted || isIgnoredModule ? '' : 'yellow'),
+                color_1.color(cur.title, isExcepted || isIgnoredModule ? '' : 'yellow'),
+                color_1.color(common_1.trimArray(cur.findings.reduce(function (a, c) { return __spreadArray(__spreadArray([], a), c.paths); }, []), MAX_PATHS_SIZE).join('\n'), isExcepted || isIgnoredModule ? '' : 'yellow'),
+                color_1.color(cur.severity, isExcepted || isIgnoredModule ? '' : 'yellow', color_1.getSeverityBgColor(cur.severity)),
+                color_1.color(cur.url, isExcepted || isIgnoredModule ? '' : 'yellow'),
+                isExcepted || isIgnoredModule ? 'y' : color_1.color('n', 'yellow'),
             ]);
             acc.vulnerabilityIds.push(Number(cur.id));
+            if (!acc.vulnerabilityModules.includes(cur.module_name)) {
+                acc.vulnerabilityModules.push(cur.module_name);
+            }
             // Found unhandled vulnerabilities
-            if (shouldAudit && !isExcepted) {
+            if (shouldAudit && !isExcepted && !isIgnoredModule) {
                 acc.unhandledIds.push(Number(cur.id));
@@ -90,2 +97,3 @@ }
             vulnerabilityIds: [],
+            vulnerabilityModules: [],
             report: [],
@@ -101,2 +109,3 @@ });
                 var id = lodash_get_1.default(vul, 'source', '');
+                var moduleName = lodash_get_1.default(vul, 'name', '');
                 // Let's skip if ID is a string (module name), and only focus on the root vulnerabilities
@@ -108,15 +117,19 @@ if (!id || typeof id === 'string' || typeof vul === 'string') {
                 var isExcepted = exceptionIds.includes(id);
+                var isIgnoredModule = modulesToIgnore.includes(moduleName);
                 // Record this vulnerability into the report, and highlight it using yellow color if it's new
                 acc.report.push([
-                    color_1.color(String(id), isExcepted ? '' : 'yellow'),
-                    color_1.color(vul.name, isExcepted ? '' : 'yellow'),
-                    color_1.color(vul.title, isExcepted ? '' : 'yellow'),
-                    color_1.color(common_1.trimArray(lodash_get_1.default(cur, 'nodes', []).map(common_1.shortenNodePath), MAX_PATHS_SIZE).join('\n'), isExcepted ? '' : 'yellow'),
-                    color_1.color(vul.severity, isExcepted ? '' : 'yellow', color_1.getSeverityBgColor(vul.severity)),
-                    color_1.color(vul.url, isExcepted ? '' : 'yellow'),
-                    isExcepted ? 'y' : color_1.color('n', 'yellow'),
+                    color_1.color(String(id), isExcepted || isIgnoredModule ? '' : 'yellow'),
+                    color_1.color(vul.name, isExcepted || isIgnoredModule ? '' : 'yellow'),
+                    color_1.color(vul.title, isExcepted || isIgnoredModule ? '' : 'yellow'),
+                    color_1.color(common_1.trimArray(lodash_get_1.default(cur, 'nodes', []).map(common_1.shortenNodePath), MAX_PATHS_SIZE).join('\n'), isExcepted || isIgnoredModule ? '' : 'yellow'),
+                    color_1.color(vul.severity, isExcepted || isIgnoredModule ? '' : 'yellow', color_1.getSeverityBgColor(vul.severity)),
+                    color_1.color(vul.url, isExcepted || isIgnoredModule ? '' : 'yellow'),
+                    isExcepted || isIgnoredModule ? 'y' : color_1.color('n', 'yellow'),
                 ]);
                 acc.vulnerabilityIds.push(id);
+                if (!acc.vulnerabilityModules.includes(moduleName)) {
+                    acc.vulnerabilityModules.push(moduleName);
+                }
                 // Found unhandled vulnerabilities
-                if (shouldAudit && !isExcepted) {
+                if (shouldAudit && !isExcepted && !isIgnoredModule) {
                     acc.unhandledIds.push(id);
@@ -129,2 +142,3 @@ }
             vulnerabilityIds: [],
+            vulnerabilityModules: [],
             report: [],
@@ -136,2 +150,3 @@ });
         vulnerabilityIds: [],
+        vulnerabilityModules: [],
         report: [],
@@ -138,0 +153,0 @@ failed: true,

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

36217

increased by6.29%

Lines of code

648

increased by3.68%

Number of lines in readme file

151

increased by0.67%

No dependency changes