/
npm-auditer.ts
126 lines (116 loc) · 3.64 KB
/
npm-auditer.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
import type { NPMAuditReportV1, NPMAuditReportV2 } from "audit-types";
import { blue } from "./colors";
import { reportAudit, runProgram } from "./common";
import type { AuditCiConfig } from "./config";
import Model from "./model";
async function runNpmAudit(
config: AuditCiConfig
): Promise<NPMAuditReportV1.AuditResponse | NPMAuditReportV2.AuditResponse> {
const {
directory,
registry,
_npm,
"skip-dev": skipDevelopmentDependencies,
} = config;
const npmExec = _npm || "npm";
let stdoutBuffer: any = {};
function outListener(data: any) {
stdoutBuffer = { ...stdoutBuffer, ...data };
}
const stderrBuffer: any[] = [];
function errorListener(line: any) {
stderrBuffer.push(line);
}
const arguments_ = ["audit", "--json"];
if (registry) {
arguments_.push("--registry", registry);
}
if (skipDevelopmentDependencies) {
arguments_.push("--production");
}
const options = { cwd: directory };
await runProgram(npmExec, arguments_, options, outListener, errorListener);
if (stderrBuffer.length > 0) {
throw new Error(
`Invocation of npm audit failed:\n${stderrBuffer.join("\n")}`
);
}
return stdoutBuffer;
}
export function isV2Audit(
parsedOutput: NPMAuditReportV1.Audit | NPMAuditReportV2.Audit
): parsedOutput is NPMAuditReportV2.Audit {
return (
"auditReportVersion" in parsedOutput &&
parsedOutput.auditReportVersion === 2
);
}
function printReport(
parsedOutput: NPMAuditReportV1.Audit | NPMAuditReportV2.Audit,
levels: AuditCiConfig["levels"],
reportType: "full" | "important" | "summary",
outputFormat: "text" | "json"
) {
const printReportObject = (text, object) => {
if (outputFormat === "text") {
console.log(blue, text);
}
console.log(JSON.stringify(object, undefined, 2));
};
switch (reportType) {
case "full":
printReportObject("NPM audit report JSON:", parsedOutput);
break;
case "important": {
const advisories = isV2Audit(parsedOutput)
? parsedOutput.vulnerabilities
: parsedOutput.advisories;
const relevantAdvisoryLevels = Object.keys(advisories).filter(
(advisory) => levels[advisories[advisory].severity]
);
const relevantAdvisories = {};
for (const advisory of relevantAdvisoryLevels) {
relevantAdvisories[advisory] = advisories[advisory];
}
const keyFindings = {
advisories: relevantAdvisories,
metadata: parsedOutput.metadata,
};
printReportObject("NPM audit report results:", keyFindings);
break;
}
case "summary":
printReportObject("NPM audit report summary:", parsedOutput.metadata);
break;
default:
throw new Error(
`Invalid report type: ${reportType}. Should be \`['important', 'full', 'summary']\`.`
);
}
}
export function report(parsedOutput, config: AuditCiConfig, reporter) {
const {
levels,
"report-type": reportType,
"output-format": outputFormat,
} = config;
printReport(parsedOutput, levels, reportType, outputFormat);
const model = new Model(config);
const summary = model.load(parsedOutput);
return reporter(summary, config, parsedOutput);
}
/**
* Audit your NPM project!
*
* @returns Returns the audit report summary on resolve, `Error` on rejection.
*/
export async function audit(config: AuditCiConfig, reporter = reportAudit) {
const parsedOutput = await runNpmAudit(config);
if ("error" in parsedOutput) {
const { code, summary } = parsedOutput.error;
throw new Error(`code ${code}: ${summary}`);
} else if ("message" in parsedOutput) {
throw new Error(parsedOutput.message);
}
return report(parsedOutput, config, reporter);
}