CLI tool that generates a report of the critical vulnerabilities found in the package.json dependencies of a Node.js project.
Clone the repository locally
git clone https://github.com/FabriSilve/npm-vulnerability-report.git
# or
git clone git@github.com:FabriSilve/npm-vulnerability-report.git
Use the npm package manager to install nvr globally; administrator permissions may be required.
npm install -g nvr
> nvr
REPORT
┌────────────┬─────────┬──────────────────────────────┬───────────────────────────┐
│ Package │ Range │ Vulnerability │ Comment │
├────────────┼─────────┼──────────────────────────────┼───────────────────────────┤
│ url-parse │ <=1.5.8 │ Authorization bypass in │ Comment related to │
│ │ │ url-parse │ importance in the project │
│ │ │ │ for the vulnerability │
├────────────┼─────────┼──────────────────────────────┼───────────────────────────┤
│ url-parse │ <=1.5.8 │ Authorization Bypass Through │ Another comment related to │
│ │ │ User-Controlled Key in │ the project │
│ │ │ url-parse │ │
├────────────┼─────────┼──────────────────────────────┼───────────────────────────┤
│ url-parse │ <=1.5.8 │ url-parse incorrectly parses │ │
│ │ │ hostname / protocol due to │ │
│ │ │ unstripped leading control │ │
│ │ │ characters. │ │
├────────────┼─────────┼──────────────────────────────┼───────────────────────────┤
│ url-parse │ <=1.5.8 │ url-parse Incorrectly parses │ │
│ │ │ URLs that include an '@' │ │
└────────────┴─────────┴──────────────────────────────┴───────────────────────────┘
┌──────────────┬──────────┬────────────┬───┬──────────────┬────────────────────┬─────────────────────────┐
│ Dependencies │ Critical │ Critical % │ - │ Node Version │ Status │ Days Before Maintenance │
├──────────────┼──────────┼────────────┼───┼──────────────┼────────────────────┼─────────────────────────┤
│ 33 │ 1 │ 0 │ - │ 18 │ Actively Supported │ 353 │
└──────────────┴──────────┴────────────┴───┴──────────────┴────────────────────┴─────────────────────────┘
To include information about the Node version status, the package.json
file needs an engines property in the format XX.x.
Only the major version is used for the check, but a full version tag may also be given.
"engines": {
"node": "18.x"
}
The .nvr file stores the comment for each vulnerability in JSON format, keyed by package name and then by vulnerability title, so the comments are kept for future runs. A commented vulnerability is still listed in the report; the comment is shown in the Comment column.
{
"url-parse": {
"Authorization bypass in url-parse": "Comment related to importance in the project for the vulnerability",
"Authorization Bypass Through User-Controlled Key in url-parse": "Another comment related to the project",
"url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.": "",
"url-parse Incorrectly parses URLs that include an '@'": ""
}
}
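The following is an added example, not nvr's own source, showing how the two tables above can be assembled from the three inputs the README describes: the project's vulnerability data, the engines property of package.json, and the .nvr comment map. It assumes the vulnerability data comes from `npm audit --json` (the README does not say what nvr reads; the object shape used here is the v2 report that npm 7 and later emit), and it builds the report for every advisory of a package that the audit rates critical, which is how the sample report above lists four url-parse advisories against a Critical count of 1. The Status and Days Before Maintenance columns depend on the Node.js release schedule, which is not on this page, so they are left out. All sample data below is constructed.

```javascript
"use strict";

// Constructed sample of the parts of an `npm audit --json` (v2) report that
// the example needs. `via` entries are objects for direct advisories and
// strings (names of other vulnerable packages) for transitive ones.
const auditJson = {
  auditReportVersion: 2,
  vulnerabilities: {
    "url-parse": {
      name: "url-parse",
      severity: "critical",
      range: "<=1.5.8",
      via: [
        { name: "url-parse", severity: "critical", range: "<=1.5.8",
          title: "Authorization bypass in url-parse" },
        { name: "url-parse", severity: "critical", range: "<=1.5.8",
          title: "Authorization Bypass Through User-Controlled Key in url-parse" },
        { name: "url-parse", severity: "moderate", range: "<=1.5.8",
          title: "url-parse Incorrectly parses URLs that include an '@'" },
      ],
    },
    "some-wrapper": {
      name: "some-wrapper",
      severity: "critical",
      range: "*",
      via: ["url-parse"], // transitive only: no advisory object of its own
    },
    "minimist": {
      name: "minimist",
      severity: "moderate",
      range: "<1.2.6",
      via: [{ name: "minimist", severity: "moderate", range: "<1.2.6",
              title: "Prototype Pollution in minimist" }],
    },
  },
  metadata: { dependencies: { total: 33 } },
};

// Constructed package.json fragment (only `engines` is used).
const packageJson = { name: "demo", engines: { node: "18.x" } };

// Constructed .nvr contents: package name -> advisory title -> comment.
const nvrComments = {
  "url-parse": {
    "Authorization bypass in url-parse":
      "Comment related to importance in the project for the vulnerability",
    "Authorization Bypass Through User-Controlled Key in url-parse":
      "Another comment related to the project",
  },
};

// Major version from an `engines.node` value such as "18.x" or "18.12.1".
// Only the leading number is used, which matches what the README says nvr
// checks. Returns null when no usable value is present.
function nodeMajor(engines) {
  const spec = engines && engines.node;
  if (typeof spec !== "string") return null;
  const m = spec.match(/\d+/);
  return m ? Number(m[0]) : null;
}

// Rows of the vulnerability table: one row per advisory object of each
// package rated critical, with the matching .nvr comment or "".
function criticalRows(audit, nvr) {
  const rows = [];
  for (const [pkg, info] of Object.entries(audit.vulnerabilities || {})) {
    if (info.severity !== "critical") continue;
    for (const adv of (info.via || []).filter((v) => typeof v === "object")) {
      const forPkg = nvr[pkg] || {};
      rows.push({
        package: pkg,
        range: adv.range || info.range || "",
        vulnerability: adv.title,
        comment: forPkg[adv.title] || "",
      });
    }
  }
  return rows;
}

// Figures for the summary table. Critical counts packages, not advisories;
// the percentage is rounded to a whole number (a choice made for this example).
function summary(audit, engines) {
  const total = audit.metadata.dependencies.total;
  const critical = Object.values(audit.vulnerabilities || {})
    .filter((v) => v.severity === "critical").length;
  return {
    dependencies: total,
    critical,
    criticalPercent: total ? Math.round((critical / total) * 100) : 0,
    nodeVersion: nodeMajor(engines),
  };
}

console.table(criticalRows(auditJson, nvrComments));
console.table([summary(auditJson, packageJson.engines)]);
```

Note that `some-wrapper` is counted as a critical package in the summary but produces no rows, because its only `via` entry is a string pointing at url-parse; a real report would surface it through the url-parse rows instead.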
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
Developed with 💙 and 🍻 by FabriSilve