snyk-policy
Comparing version 2.0.0-alpha.2 to 2.0.0
{ | ||
"name": "snyk-policy", | ||
"version": "2.0.0", | ||
"description": "Snyk's policy parser and matching logic", | ||
"version": "2.0.0-alpha.2", | ||
"main": "lib/index.js", | ||
"files": [ | ||
"dist/lib", | ||
"LICENSE", | ||
"README.md" | ||
], | ||
"main": "./dist/lib/index.js", | ||
"scripts": { | ||
"lint": "jscs lib/**/*.js -v", | ||
"travis-coverage": "node_modules/tap/node_modules/.bin/nyc report --reporter=text-lcov | node_modules/tap/node_modules/.bin/coveralls", | ||
"check-tests": "! grep 'test.only' test/**/*.test.js -n", | ||
"build": "npm run clean && tsc", | ||
"clean": "rm -rf ./dist", | ||
"dev": "tsc -w", | ||
"env": "node -e 'console.log(process.env, process.versions)'", | ||
"cover": "tap test/**/*.test.js --cov --coverage-report=lcov", | ||
"tap": "COVERALLS_REPO_TOKEN=0 tap test/**/*.test.js --cov --timeout=60 --coverage-report=text-summary", | ||
"test": "npm run check-tests && npm run lint && npm run tap", | ||
"semantic-release": "semantic-release pre && npm publish && semantic-release post" | ||
"lint": "run-p --max-parallel=${JOBS:-6} --aggregate-output lint:*", | ||
"lint:eslint": "eslint -c .eslintrc lib", | ||
"lint:commits": "commitlint --from=HEAD~20", | ||
"format": "prettier --write '{lib,test}/**/*.?s'", | ||
"prepack": "npm run build", | ||
"check-tests": "! grep 'test.only' test/**/*.test.ts -n", | ||
"tap": "tap test/**/*.test.ts -R spec --timeout=60 --ts", | ||
"test": "npm run check-tests && npm run tap" | ||
}, | ||
@@ -22,24 +31,35 @@ "keywords": [ | ||
"devDependencies": { | ||
"jscs": "^2.11.0", | ||
"proxyquire": "^1.7.4", | ||
"semantic-release": "^4.3.5", | ||
"sinon": "^1.17.3", | ||
"tap": "^5.7.0", | ||
"tap-only": "0.0.5" | ||
"@commitlint/cli": "^17.6.1", | ||
"@typescript-eslint/eslint-plugin": "^5.59.1", | ||
"@typescript-eslint/parser": "^5.59.1", | ||
"eslint": "^8.39.0", | ||
"eslint-config-prettier": "^8.8.0", | ||
"npm-run-all": "^4.1.5", | ||
"prettier": "^2.0.5", | ||
"sinon": "^15.0.4", | ||
"tap": "^16.3.4", | ||
"tap-only": "0.0.5", | ||
"ts-node": "^10.9.1", | ||
"typescript": "^5.0.4" | ||
}, | ||
"dependencies": { | ||
"debug": "^2.2.0", | ||
"es6-promise": "^3.1.2", | ||
"js-yaml": "^3.5.3", | ||
"lodash.clonedeep": "^4.3.1", | ||
"semver": "^5.1.0", | ||
"snyk-module": "^1.6.0", | ||
"snyk-resolve": "^1.0.0", | ||
"snyk-try-require": "^1.1.1", | ||
"then-fs": "^2.0.0" | ||
"debug": "^4.1.1", | ||
"email-validator": "^2.0.4", | ||
"js-yaml": "^3.13.1", | ||
"lodash.clonedeep": "^4.5.0", | ||
"semver": "^7.3.4", | ||
"snyk-module": "^3.0.0", | ||
"snyk-resolve": "^1.1.0", | ||
"snyk-try-require": "^2.0.2" | ||
}, | ||
"repository": { | ||
"type": "git", | ||
"url": "https://github.com/Snyk/policy.git" | ||
"url": "https://github.com/snyk/policy.git" | ||
}, | ||
"tap": { | ||
"branches": 85, | ||
"functions": 90, | ||
"lines": 90, | ||
"statements": 90 | ||
} | ||
} |
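Review bot: The runtime dependency set keeps js-yaml on the 3.x line (`"js-yaml": "^3.13.1"`), where `yaml.load` uses the full schema by default and will instantiate JavaScript-typed nodes such as `!!js/function` found in the document; a policy parser that reads policy files out of arbitrary repositories should parse with `safeLoad`/`SAFE_SCHEMA` or move to js-yaml 4, whose `load` is safe by default. Which loader `lib` calls is not visible in this diff, so this may already be handled, but re-pinning the major here is the moment to confirm it. Separately, the `lint` script relies on POSIX parameter expansion (`${JOBS:-6}`), which npm on Windows hands to cmd.exe unexpanded; `"lint": "run-p --max-parallel=6 --aggregate-output lint:*"` or reading JOBS inside a small helper script avoids the platform split.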
@@ -49,3 +49,3 @@ # snyk-policy | ||
{ | ||
patched: '<JSON date format>' | ||
patched: '<JSON date format>'; | ||
} | ||
@@ -102,2 +102,9 @@ ``` | ||
[Version ranges](https://github.com/npm/node-semver#versions) may also be used. For example, the following will all match the root dependency above: | ||
``` | ||
@remy/protect-test@1.x | ||
@remy/protect-test@>=1.0.1 | ||
@remy/protect-test@^1.0.2 | ||
``` | ||
## Usage | ||
@@ -108,6 +115,6 @@ | ||
```js | ||
var policy = require('snyk-policy'); | ||
const policy = require('snyk-policy'); | ||
var vulns = snyk.test('snyk-demo-app@1.0.0'); // assumes snyk is loaded | ||
policy.load(process.cwd()).then(rules => { | ||
const vulns = snyk.test('snyk-demo-app@1.0.0'); // assumes snyk is loaded | ||
policy.load(process.cwd()).then((rules) => { | ||
console.log(rules.filter(vulns)); | ||
@@ -183,16 +190,4 @@ }); | ||
If all the vulns are filtered because of the policy, then the `ok` bool is set to `true`. | ||
If all the vulns are stripped because of the policy, then the `ok` bool is set to `true`. | ||
**Important:** the `vulnerabilities` array will contain all the initial vulnerabilities, but each filtered vuln will include a new `filtered` property: | ||
```js | ||
"filtered": { | ||
"type": "ignore", // or `patch` | ||
"metadata": { // only included on `type="ignore"` | ||
"reason": String, | ||
"expires": Date | ||
} | ||
} | ||
``` | ||
Note that this method is also available on the response object from [`.load`](#policyloadroot-options), so can be called as `res.filter()` (where `res` is the loaded config). | ||
@@ -202,8 +197,2 @@ | ||
### .stripstripFiltered(vulns) | ||
Reads the vulnerabilities and looks for the `filtered` property removing each so that you're left with only the vulnerabilities that affect the package. | ||
Note that the `vulns` object is expects to be the result of the `policy.filter` method. | ||
### policy.getByVuln(config, vuln) | ||
@@ -233,5 +222,33 @@ | ||
## Sample policies | ||
Note that `<path to package>` below is the dependency chain of package names and valid versions separated by a `>` symbol. | ||
By default, the policy file does not add versions to these packages, so a path would look like: `'jade > transformers > uglify-js'`, but it can include versions. More details and examples can be seen in the [module path rules](#module-path-rules) section. | ||
### Ignore | ||
```text | ||
ignore: | ||
'<snyk-vuln-id>': | ||
- '<path to package>': | ||
reason: String | ||
expires: String(format: Date().toJSON()) | ||
patch: {} | ||
version: v1.0.0 | ||
``` | ||
### Patch | ||
```text | ||
patch: | ||
'<snyk-vuln-id>': | ||
- '<path to package>': | ||
patched: String(format: Date().toJSON()) | ||
version: v1 | ||
``` | ||
## Misc | ||
* [CONTRIBUTING.md](.github/CONTRIBUTING.md) | ||
* [License: Apache License, Version 2.0](LICENSE) | ||
- [CONTRIBUTING.md](.github/CONTRIBUTING.md) | ||
- [License: Apache License, Version 2.0](LICENSE) |
License Policy Violation
License: This package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Major refactor
Supply chain risk: Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package
Filesystem access
Supply chain risk: Accesses the file system, and could potentially read sensitive data.
Found 1 instance in 1 package
License Policy Violation
License: This package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Dynamic require
Supply chain risk: Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.
Found 1 instance in 1 package
Filesystem access
Supply chain risk: Accesses the file system, and could potentially read sensitive data.
Found 1 instance in 1 package
No v1
Quality: Package is not semver >=1. This means it is not stable and does not support ^ ranges.
Found 1 instance in 1 package
+ Added email-validator@^2.0.4
+ Added email-validator@2.0.4 (transitive)
+ Added hosted-git-info@4.1.0 (transitive)
+ Added lru-cache@5.1.16.0.0 (transitive)
+ Added semver@7.6.3 (transitive)
+ Added snyk-module@3.2.0 (transitive)
+ Added snyk-try-require@2.0.2 (transitive)
+ Added yallist@3.1.14.0.0 (transitive)
- Removed es6-promise@^3.1.2
- Removed then-fs@^2.0.0
- Removed asap@2.0.6 (transitive)
- Removed debug@2.6.93.2.7 (transitive)
- Removed es6-promise@3.3.1 (transitive)
- Removed hosted-git-info@2.8.9 (transitive)
- Removed lru-cache@4.1.5 (transitive)
- Removed ms@2.0.0 (transitive)
- Removed promise@7.3.1 (transitive)
- Removed pseudomap@1.0.2 (transitive)
- Removed semver@5.7.2 (transitive)
- Removed snyk-module@1.9.1 (transitive)
- Removed snyk-try-require@1.3.1 (transitive)
- Removed then-fs@2.0.0 (transitive)
- Removed yallist@2.1.2 (transitive)
Updated debug@^4.1.1
Updated js-yaml@^3.13.1
Updated lodash.clonedeep@^4.5.0
Updated semver@^7.3.4
Updated snyk-module@^3.0.0
Updated snyk-resolve@^1.1.0
Updated snyk-try-require@^2.0.2