authorRebecca Turner <me@re-becca.org>2018-04-20 13:12:53 +0300
committerKat Marchán <kzm@zkat.tech>2018-04-21 00:05:13 +0300
commit594d16987465014d573c51a49bba6886cc19f8e8 (patch)
tree4923595ec36bab925d96213798341f47d7e4e39e /node_modules/npm-audit-report
parentf4bc648ea7b19d63cc9878c9da2cb1312f6ce152 (diff)
npm-audit-report@1.0.5
PR-URL: https://github.com/npm/npm/pull/20389 Credit: @iarna Reviewed-By: @zkat
Diffstat (limited to 'node_modules/npm-audit-report')
-rw-r--r--node_modules/npm-audit-report/LICENSE16
-rw-r--r--node_modules/npm-audit-report/README.md47
-rw-r--r--node_modules/npm-audit-report/index.js23
-rw-r--r--node_modules/npm-audit-report/lib/utils.js29
-rw-r--r--node_modules/npm-audit-report/package.json57
-rw-r--r--node_modules/npm-audit-report/reporters/detail.js188
-rw-r--r--node_modules/npm-audit-report/reporters/install.js46
-rw-r--r--node_modules/npm-audit-report/reporters/json.js17
8 files changed, 423 insertions, 0 deletions
diff --git a/node_modules/npm-audit-report/LICENSE b/node_modules/npm-audit-report/LICENSE
new file mode 100644
index 000000000..8d28acf86
--- /dev/null
+++ b/node_modules/npm-audit-report/LICENSE
@@ -0,0 +1,16 @@
+ISC License
+
+Copyright (c) npm, Inc.
+
+Permission to use, copy, modify, and/or distribute this software for
+any purpose with or without fee is hereby granted, provided that the
+above copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE COPYRIGHT HOLDER DISCLAIMS
+ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
+CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
+OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE
+USE OR PERFORMANCE OF THIS SOFTWARE.
diff --git a/node_modules/npm-audit-report/README.md b/node_modules/npm-audit-report/README.md
new file mode 100644
index 000000000..3cc65cf8e
--- /dev/null
+++ b/node_modules/npm-audit-report/README.md
@@ -0,0 +1,47 @@
+
+# npm audit security report
+
+Given a response from the npm security api, render it into a variety of security reports
+
+The response is an object that contains an output string (the report) and a suggested exitCode.
+```
+{
+ output: 'string that contains the security report',
+ exit: 1
+}
+```
+
+
+## Basic usage example
+
+```
+'use strict'
+const Report = require('npm-audit-report')
+
+Report(response, options, (result) => {
+ console.log(result.output)
+ process.exitCode = result.exitCode
+})
+```
+
+
+## options
+
+reporter:
+ specify which output format you want to use (install, detail, json)
+
+severityThreshold:
+ specifies the severity threshold for reporting. Possible values include info, low, moderate, high, critical
+
+ example: If you specify high, then only vulnerabilities with high and critical would be displayed.
+
+withColor:
+ true || false indicates if some report elements should use colors or not
+
+withUnicode:
+ true || false indicates if unicode characters should be used or not.
+
+
+
+
+
diff --git a/node_modules/npm-audit-report/index.js b/node_modules/npm-audit-report/index.js
new file mode 100644
index 000000000..57ca68bdf
--- /dev/null
+++ b/node_modules/npm-audit-report/index.js
@@ -0,0 +1,23 @@
+'use strict'
+
+const reporters = {
+ install: require('./reporters/install'),
+ detail: require('./reporters/detail'),
+ json: require('./reporters/json')
+}
+
+const report = function (data, options) {
+ const defaults = {
+ reporter: 'install',
+ withColor: true,
+ withUnicode: true
+ }
+
+ const config = Object.assign({}, defaults, options)
+ return new Promise((resolve, reject) => {
+ const result = reporters[config.reporter](data, config)
+ return resolve(result)
+ })
+}
+
+module.exports = report
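Review bot: `reporters[config.reporter]` on line 124 is an unchecked property lookup on a plain object, so a caller-supplied reporter name outside the three keys either throws a TypeError inside the executor (rejecting with an unhelpful "is not a function") or, for an inherited name such as `toString`, calls the wrong function and resolves with a meaningless string. Validate first, e.g. `if (!Object.prototype.hasOwnProperty.call(reporters, config.reporter)) return Promise.reject(new Error('unknown reporter: ' + config.reporter))`. The `new Promise` wrapper around purely synchronous code is also unnecessary; `return Promise.resolve().then(() => reporters[config.reporter](data, config))` keeps a throwing reporter as a rejection with less ceremony. Note too that the README added in this commit shows a callback API reading `result.output`, while this module returns a Promise resolving to `{ report, exitCode }`; one of the two should be aligned.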
diff --git a/node_modules/npm-audit-report/lib/utils.js b/node_modules/npm-audit-report/lib/utils.js
new file mode 100644
index 000000000..cfa85255d
--- /dev/null
+++ b/node_modules/npm-audit-report/lib/utils.js
@@ -0,0 +1,29 @@
+'use strict'
+
+const colors = require('ansicolors')
+
+const severityColors = {
+ critical: colors.magenta,
+ high: colors.red,
+ moderate: colors.yellow,
+ low: function (str) { return str }
+}
+
+const severityLabel = function (sev, withColor) {
+ if (withColor) {
+ return severityColors[sev](sev)
+ }
+ return sev
+}
+
+const color = function (value, color, withColor) {
+ if (withColor) {
+ return colors[color](value)
+ }
+ return value
+}
+
+module.exports = {
+ severityLabel: severityLabel,
+ color: color
+}
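Review bot: `severityColors` has no entry for `info`, yet the README lists info as a severity and install.js (line 460) passes every key of `metadata.vulnerabilities` to `severityLabel`, so `severityLabel('info', true)` dereferences `undefined` on line 149 and throws a TypeError instead of rendering the report. Fall back to the plain label: `const paint = severityColors[sev]; return withColor && paint ? paint(sev) : sev`. `color` has the same shape of problem on line 156, where an unknown color name throws rather than returning `value` unchanged. Since `sev` ultimately comes from the audit API response, failing soft here keeps an unexpected or malformed response from crashing the reporter.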
diff --git a/node_modules/npm-audit-report/package.json b/node_modules/npm-audit-report/package.json
new file mode 100644
index 000000000..35794647d
--- /dev/null
+++ b/node_modules/npm-audit-report/package.json
@@ -0,0 +1,57 @@
+{
+ "_from": "npm-audit-report@latest",
+ "_id": "npm-audit-report@1.0.5",
+ "_inBundle": false,
+ "_integrity": "sha512-xOnLCYj1wk6W5AxwPaHbvChrnVo2KYLEEZMoP3tvuK1fE13NhJa1TVxWj4Tl35+hjC6rQgaEKBWsSatbf2BXLQ==",
+ "_location": "/npm-audit-report",
+ "_phantomChildren": {},
+ "_requested": {
+ "type": "tag",
+ "registry": true,
+ "raw": "npm-audit-report@latest",
+ "name": "npm-audit-report",
+ "escapedName": "npm-audit-report",
+ "rawSpec": "latest",
+ "saveSpec": null,
+ "fetchSpec": "latest"
+ },
+ "_requiredBy": [
+ "#USER",
+ "/"
+ ],
+ "_resolved": "https://registry.npmjs.org/npm-audit-report/-/npm-audit-report-1.0.5.tgz",
+ "_shasum": "f16fa7c61459dd660913509685193148ce2cd85f",
+ "_spec": "npm-audit-report@latest",
+ "_where": "/Users/rebecca/code/npm",
+ "author": {
+ "name": "Adam Baldwin"
+ },
+ "bundleDependencies": false,
+ "dependencies": {
+ "ansicolors": "^0.3.2",
+ "ansistyles": "^0.1.3",
+ "cli-table2": "^0.2.0"
+ },
+ "deprecated": false,
+ "description": "Given a response from the npm security api, render it into a variety of security reports",
+ "devDependencies": {
+ "keyfob": "^1.0.0",
+ "standard": "^11.0.0",
+ "tap": "^11.1.1"
+ },
+ "keywords": [
+ "npm",
+ "security",
+ "report",
+ "audit"
+ ],
+ "license": "ISC",
+ "main": "index.js",
+ "name": "npm-audit-report",
+ "scripts": {
+ "lint": "standard",
+ "lint:fix": "standard --fix",
+ "test": "tap --100 test/*-test.js"
+ },
+ "version": "1.0.5"
+}
diff --git a/node_modules/npm-audit-report/reporters/detail.js b/node_modules/npm-audit-report/reporters/detail.js
new file mode 100644
index 000000000..41e0ab6a7
--- /dev/null
+++ b/node_modules/npm-audit-report/reporters/detail.js
@@ -0,0 +1,188 @@
+'use strict'
+
+const Table = require('cli-table2')
+const Utils = require('../lib/utils')
+
+const report = function (data, options) {
+ const defaults = {
+ severityThreshold: 'info'
+ }
+
+ const blankChars = {
+ 'top': ' ',
+ 'top-mid': ' ',
+ 'top-left': ' ',
+ 'top-right': ' ',
+ 'bottom': ' ',
+ 'bottom-mid': ' ',
+ 'bottom-left': ' ',
+ 'bottom-right': ' ',
+ 'left': ' ',
+ 'left-mid': ' ',
+ 'mid': ' ',
+ 'mid-mid': ' ',
+ 'right': ' ',
+ 'right-mid': ' ',
+ 'middle': ' '
+ }
+
+ const config = Object.assign({}, defaults, options)
+
+ let output = ''
+ let exit = 0
+
+ const log = function (value) {
+ output = output + value + '\n'
+ }
+
+ const footer = function (metadata) {
+ let total = 0
+
+ const severities = Object.entries(metadata.vulnerabilities).filter((value) => {
+ total = total + value[1]
+ if (value[1] > 0) {
+ return true
+ }
+ }).map((value) => {
+ return `${value[1]} ${Utils.severityLabel(value[0], false)}`
+ }).join(' | ')
+
+ if (total > 0) {
+ exit = 1
+ }
+ if (total === 0) {
+ log(`${Utils.color('[+]', 'green', config.withColor)} no known vulnerabilities found`)
+ log(` Packages audited: ${data.metadata.totalDependencies} (${data.metadata.devDependencies} dev, ${data.metadata.optionalDependencies} optional)`)
+ } else {
+ log(`\n${Utils.color('[!]', 'red', config.withColor)} ${total} ${total === 1 ? 'vulnerability' : 'vulnerabilities'} found - Packages audited: ${data.metadata.totalDependencies} (${data.metadata.devDependencies} dev, ${data.metadata.optionalDependencies} optional)`)
+ log(` Severity: ${severities}`)
+ }
+ }
+
+ const reportTitle = function () {
+ const tableOptions = {
+ colWidths: [78]
+ }
+ tableOptions.chars = blankChars
+ const table = new Table(tableOptions)
+ table.push([{
+ content: '=== npm audit security report ===',
+ vAlign: 'center',
+ hAlign: 'center'
+ }])
+ log(table.toString())
+ }
+
+ const actions = function (data, config) {
+ const date = new Date()
+ reportTitle()
+
+ if (Object.keys(data.advisories).length === 0) {
+ //log(`${Utils.color('[+]', 'green', config.withColor)} no known vulnerabilities found [${data.metadata.totalDependencies} packages audited]`)
+ return
+ } else {
+ // vulns found display a report.
+
+ let reviewFlag = false
+
+ data.actions.forEach((action) => {
+ if (action.action === 'update' || action.action === 'install') {
+ const recommendation = getRecommendation(action, config)
+ const label = action.resolves.length === 1 ? 'vulnerability' : 'vulnerabilities'
+ log(`\n\n# Run \`${recommendation.cmd}\` to resolve ${action.resolves.length} ${label}`)
+ if (recommendation.isBreaking) {
+ log(`SEMVER WARNING: Recommended action is a potentially breaking change`)
+ }
+
+ action.resolves.forEach((resolution) => {
+ const advisory = data.advisories[resolution.id]
+ const tableOptions = {
+ colWidths: [15, 62],
+ wordWrap: true
+ }
+ if (!config.withUnicode) {
+ tableOptions.chars = blankChars
+ }
+ const table = new Table(tableOptions)
+
+ table.push(
+ {[Utils.severityLabel(advisory.severity)]: advisory.title},
+ {'Package': advisory.module_name},
+ {'Dependency of': `${resolution.path.split('>')[0]} ${resolution.dev ? '[dev]' : ''}`},
+ {'Path': `${resolution.path.split('>').join(' > ')}`},
+ {'More info': `https://nodesecurity.io/advisories/${advisory.id}`}
+ )
+
+ log(table.toString())
+ })
+ }
+ if (action.action === 'review') {
+ if (!reviewFlag) {
+ const tableOptions = {
+ colWidths: [78]
+ }
+ if (!config.withUnicode) {
+ tableOptions.chars = blankChars
+ }
+ const table = new Table(tableOptions)
+ table.push([{
+ content: 'Manual Review\nSome vulnerabilities require your attention to resolve\n\nVisit https://go.npm.me/audit-guide for additional guidance',
+ vAlign: 'center',
+ hAlign: 'center'
+ }])
+ log('\n\n')
+ log(table.toString())
+ }
+ reviewFlag = true
+
+ action.resolves.forEach((resolution) => {
+ const advisory = data.advisories[resolution.id]
+ const tableOptions = {
+ colWidths: [15, 62],
+ wordWrap: true
+ }
+ if (!config.withUnicode) {
+ tableOptions.chars = blankChars
+ }
+ const table = new Table(tableOptions)
+
+ table.push(
+ {[Utils.severityLabel(advisory.severity, config.withColor)]: advisory.title},
+ {'Package': advisory.module_name},
+ {'Dependency of': `${resolution.path.split('>')[0]} ${resolution.dev ? '[dev]' : ''}`},
+ {'Path': `${resolution.path.split('>').join(' > ')}`},
+ {'More info': `https://nodesecurity.io/advisories/${advisory.id}`}
+ )
+ log(table.toString())
+ })
+ }
+ })
+ }
+ }
+
+ actions(data, config)
+ footer(data.metadata)
+
+ return {
+ report: output,
+ exitCode: exit
+ }
+}
+
+const getRecommendation = function (action, config) {
+
+ if (action.action === 'install') {
+ return {
+ cmd: `npm install ${action.module}@${action.target}`,
+ isBreaking: action.isMajor
+ }
+ } else {
+ return {
+ cmd: `npm update ${action.module} --depth ${action.depth}`,
+ isBreaking: false
+ }
+ }
+
+}
+
+module.exports = report
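Review bot: `Utils.severityLabel(advisory.severity)` on line 342 omits the `config.withColor` argument, so the update/install tables are never colored while the review tables on line 383 honour the option; line 280 likewise passes a literal `false`. Pass `config.withColor` in both places for consistent output. The `severityThreshold` default on line 241 is merged into `config` but never read (install.js line 434 has the same dead default), so the filtering the README documents does not happen in either reporter; `date` on line 310 is also unused. `advisory.title`, `advisory.module_name` and `resolution.path` come from the API response and are interpolated straight into terminal output, so a small helper such as `const plain = (v) => String(v).replace(/[\x00-\x1f\x7f]/g, '')` applied before rendering would keep a malformed or hostile advisory from emitting terminal control sequences.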
diff --git a/node_modules/npm-audit-report/reporters/install.js b/node_modules/npm-audit-report/reporters/install.js
new file mode 100644
index 000000000..d0b5bcf81
--- /dev/null
+++ b/node_modules/npm-audit-report/reporters/install.js
@@ -0,0 +1,46 @@
+'use strict'
+
+const Utils = require('../lib/utils')
+
+const report = function (data, options) {
+ const defaults = {
+ severityThreshold: 'info'
+ }
+
+ const config = Object.assign({}, defaults, options)
+
+ let output = ''
+
+ const log = function (value) {
+ output = output + value + '\n'
+ }
+
+ if (Object.keys(data.advisories).length === 0) {
+ log(`${Utils.color('[+]', 'green', config.withColor)} no known vulnerabilities found [${data.metadata.totalDependencies} packages audited]`)
+ return {
+ report: output,
+ exitCode: 0
+ }
+ } else {
+ let total = 0
+
+ const severities = Object.entries(data.metadata.vulnerabilities).filter((value) => {
+ total = total + value[1]
+ if (value[1] > 0) {
+ return true
+ }
+ }).map((value) => {
+ return `${value[1]} ${Utils.severityLabel(value[0], config.withColor)}`
+ }).join(' | ')
+
+ log(`${Utils.color('[!]', 'red', config.withColor)} ${total} ${total === 1 ? 'vulnerability' : 'vulnerabilities'} found [${data.metadata.totalDependencies} packages audited]`)
+ log(` Severity: ${severities}`)
+ log(` Run \`npm audit\` for more detail`)
+ return {
+ report: output,
+ exitCode: 1
+ }
+ }
+}
+
+module.exports = report
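Review bot: The `filter` callback on lines 454-458 returns `undefined` on the non-matching path and accumulates `total` as a side effect, which is hard to read and trips array-callback-return lint; `return value[1] > 0` and a separate `const total = Object.values(data.metadata.vulnerabilities).reduce((a, b) => a + b, 0)` express the same thing directly. The empty check on line 445 only consults `data.advisories`, while lines 446 and 463 assume `data.metadata` is present; if the API response can omit `metadata`, a guard such as `const meta = data.metadata || {}` avoids a TypeError in the summary line.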
diff --git a/node_modules/npm-audit-report/reporters/json.js b/node_modules/npm-audit-report/reporters/json.js
new file mode 100644
index 000000000..6bf5097ef
--- /dev/null
+++ b/node_modules/npm-audit-report/reporters/json.js
@@ -0,0 +1,17 @@
+'use strict'
+
+const report = function (data, options) {
+ const defaults = {
+ indent: 2
+ }
+
+ const config = Object.assign({}, defaults, options)
+
+ const json = JSON.stringify(data, null, config.indent)
+ return {
+ report: json,
+ exitCode: 0
+ }
+}
+
+module.exports = report
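Review bot: `exitCode` is hard-coded to `0` on line 492, whereas install.js and detail.js return `1` whenever vulnerabilities are present, so a caller that selects the json reporter in CI gets a passing exit status regardless of findings. Derive it the same way the other reporters do, e.g. `const total = Object.values(data.metadata.vulnerabilities).reduce((a, b) => a + b, 0)` and `exitCode: total > 0 ? 1 : 0` (the `metadata.vulnerabilities` shape is inferred from install.js line 454), or document that the json reporter is informational only. The `indent` option on line 484 is also not mentioned in the README's options list.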