diff --git a/__snapshots__/depWalker.spec.js.snapshot.js b/__snapshots__/depWalker.spec.js.snapshot.js
index cddaa511..ea6906ba 100644
--- a/__snapshots__/depWalker.spec.js.snapshot.js
+++ b/__snapshots__/depWalker.spec.js.snapshot.js
@@ -1,4 +1,4 @@
-exports['walk @slimio/is 1'] = {
+exports['walk @slimio/is 1'] ={
 "@slimio/is": {
 "versions": {
 "1.5.1": {
@@ -7,6 +7,7 @@ exports['walk @slimio/is 1'] = {
 "isDevDependency": false,
 "existOnRemoteRegistry": true,
 "flags": [
+ "isOutdated",
 "hasManyPublishers"
 ],
 "description": "SlimIO is (JavaScript Primitives & Objects type checker)",
@@ -89,11 +90,11 @@ exports['walk @slimio/is 1'] = {
 "vulnerabilities": [],
 "metadata": {
 "dependencyCount": 0,
- "publishedCount": 7,
- "lastUpdateAt": "2019-06-11T06:41:41.590Z",
- "lastVersion": "1.5.1",
+ "publishedCount": 8,
+ "lastUpdateAt": "2023-01-23T02:15:37.203Z",
+ "lastVersion": "2.0.0",
 "hasManyPublishers": true,
- "hasReceivedUpdateInOneYear": false,
+ "hasReceivedUpdateInOneYear": true,
 "homepage": "https://github.com/SlimIO/is#readme",
 "author": {
 "name": "SlimIO"
@@ -102,20 +103,22 @@ exports['walk @slimio/is 1'] = {
 {
 "name": "fraxken",
 "email": "gentilhomme.thomas@gmail.com",
- "version": "1.5.1",
- "at": "2019-06-11T06:41:41.590Z"
+ "version": "2.0.0",
+ "at": "2023-01-23T02:15:37.203Z"
 }
 ],
 "maintainers": [
- {
- "email": "gentilhomme.thomas@gmail.com",
- "name": "fraxken"
- },
- {
- "email": "alexandre.malaj@gmail.com",
- "name": "alexandre.malaj"
- }
- ]
+ {
+ "name": "fraxken",
+ "email": "gentilhomme.thomas@gmail.com",
+ "at": "2023-01-23T02:15:37.203Z",
+ "version": "2.0.0"
+ },
+ {
+ "name": "alexandre.malaj",
+ "email": "alexandre.malaj@gmail.com"
+ }
+ ]
 }
 }
 }
@@ -126,5 +129,6 @@ exports['from pacote 1'] = [
 "scannerVersion",
 "vulnerabilityStrategy",
 "warnings",
+ "flaggedAuthors",
 "dependencies"
 ]
diff --git a/jest.setup.js b/jest.setup.js
deleted file mode 100644
index 2cc5f635..00000000
--- a/jest.setup.js
+++ /dev/null
@@ -1,3 +0,0 @@
-import { jest } from "@jest/globals";
-
-jest.setTimeout(30000);
diff --git a/package.json b/package.json
index 11893466..b0b41c97 100644
--- a/package.json
+++ b/package.json
@@ -64,6 +64,7 @@
 "tape": "^5.6.1"
 },
 "dependencies": {
+ "@nodesecure/authors": "^1.0.1",
 "@nodesecure/flags": "^2.4.0",
 "@nodesecure/fs-walk": "^1.0.0",
 "@nodesecure/i18n": "^2.1.1",
diff --git a/src/depWalker.js b/src/depWalker.js
index fc9ba511..83c16aaf 100644
--- a/src/depWalker.js
+++ b/src/depWalker.js
@@ -350,7 +350,9 @@ export async function depWalker(manifest, options = {}, logger = new Logger()) {
 }
 
 try {
- payload.warnings = getDependenciesWarnings(dependencies);
+ const { warnings, flaggedAuthors } = await getDependenciesWarnings(dependencies);
+ payload.warnings = warnings;
+ payload.flaggedAuthors = flaggedAuthors;
 
 payload.dependencies = Object.fromEntries(dependencies);
 return payload;
diff --git a/src/utils/warnings.js b/src/utils/warnings.js
index 6e7b76c5..cf9dbcb6 100644
--- a/src/utils/warnings.js
+++ b/src/utils/warnings.js
@@ -1,5 +1,6 @@
 // Import Third-party Dependencies
 import { getToken, taggedString } from "@nodesecure/i18n";
+import { extractAllAuthors } from "@nodesecure/authors";
 
 // CONSTANTS
 const kDetectedDep = taggedString`The dependency '${0}' has been detected in the dependency Tree.`;
@@ -8,29 +9,30 @@ const kWarningsMessages = Object.freeze({
 iohook: getToken("warnings.keylogging")
 });
 const kPackages = new Set(Object.keys(kWarningsMessages));
-const kAuthors = new Set(["marak", "marak.squires@gmail.com"]);
+const kFlaggedAuthors = [{
+ name: "marak",
+ email: "marak.squires@gmail.com"
+}];
 
 function getWarning(depName) {
 return `${kDetectedDep(depName)} ${kWarningsMessages[depName]}`;
 }
 
-export function getDependenciesWarnings(dependencies) {
+export async function getDependenciesWarnings(dependenciesMap) {
 const warnings = [];
 for (const depName of kPackages) {
- if (dependencies.has(depName)) {
+ if (dependenciesMap.has(depName)) {
 warnings.push(getWarning(depName));
 }
 }
+ // TODO: add support for RC configuration
+ const res = await extractAllAuthors(
+ { dependencies: Object.fromEntries(dependenciesMap) },
+ { flags: kFlaggedAuthors, domainInformations: false }
+ );
 
- // TODO: optimize with @nodesecure/author later
- for (const [packageName, dependency] of dependencies) {
- for (const { name, email } of dependency.metadata.maintainers) {
- if (kAuthors.has(name) || kAuthors.has(email)) {
- warnings.push(`'Marak Squires' package '${packageName}' has been detected in the dependency tree`);
- }
- }
- }
-
- return warnings;
+ return {
+ warnings,
+ flaggedAuthors: res.flaggedAuthors
+ };
 }
-
diff --git a/test/__snapshots__/depWalker.spec.js.snapshot.js b/test/__snapshots__/depWalker.spec.js.snapshot.js
index 03f795e8..ab7ac14b 100644
--- a/test/__snapshots__/depWalker.spec.js.snapshot.js
+++ b/test/__snapshots__/depWalker.spec.js.snapshot.js
@@ -109,7 +109,9 @@ exports['walk @slimio/is 1'] = {
 "maintainers": [
 {
 "email": "gentilhomme.thomas@gmail.com",
- "name": "fraxken"
+ "name": "fraxken",
+ "at": "2019-06-11T06:41:41.590Z",
+ "version": "1.5.1"
 },
 {
 "email": "alexandre.malaj@gmail.com",
@@ -126,5 +128,6 @@ exports['from pacote 1'] = [
 "scannerVersion",
 "vulnerabilityStrategy",
 "warnings",
+ "flaggedAuthors",
 "dependencies"
 ]
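Review bot: The flagged-maintainer signal no longer reaches `warnings`: the removed loop pushed a warning string whenever a maintainer matched `kAuthors`, while the new code only returns matches in `flaggedAuthors`, so any consumer that still reads `payload.warnings` alone silently loses that detection. If that is intended, document it on `getDependenciesWarnings` (now async and returning `{ warnings, flaggedAuthors }`); otherwise also push one warning per entry of `res.flaggedAuthors` — its entry shape is not visible in this diff, so check the field names before formatting the message. `await extractAllAuthors(...)` is also the only await in this function and sits outside any try/catch here, so a failure there now discards the package warnings computed just above it; the caller in src/depWalker.js wraps the call, so at minimum add a comment stating that this relies on the caller's handler. The `// TODO: add support for RC configuration` would be clearer as `// TODO: let the RC file extend/override kFlaggedAuthors` if that is what is meant, and `domainInformations: false` deserves a one-line comment on what it disables since that is not inferable from the call site.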
diff --git a/test/depWalker.spec.js b/test/depWalker.spec.js
index ef40e822..de36e6e4 100644
--- a/test/depWalker.spec.js
+++ b/test/depWalker.spec.js
@@ -96,6 +96,7 @@ test("execute depWalker on pkg.gitdeps", async(tape) => {
 "@nodesecure/estree-ast-utils",
 "@nodesecure/js-x-ray",
 "@nodesecure/sec-literal",
+ "@types/estree",
 "eastasianwidth",
 "emoji-regex",
 "estree-walker",
diff --git a/test/utils/warnings.spec.js b/test/utils/warnings.spec.js
index 303ac851..df112d0a 100644
--- a/test/utils/warnings.spec.js
+++ b/test/utils/warnings.spec.js
@@ -5,25 +5,29 @@ import test from "tape";
 // Require Internal Dependencies
 import { getDependenciesWarnings } from "../../src/utils/index.js";
 
-function createDependency(maintainers = []) {
+function createDependency(maintainers = [], publishers = []) {
 return {
 metadata: {
- maintainers
+ authors: {
+ name: "John Doe",
+ email: "john.doe@gmail.com"
+ },
+ maintainers,
+ publishers
 }
 };
 }
 
-test("getDependenciesWarnings for '@scarf/scarf'", (tape) => {
+test("getDependenciesWarnings for '@scarf/scarf'", async(tape) => {
 const deps = new Map([
 ["@scarf/scarf", createDependency()]
 ]);
 
- const warnsArray = getDependenciesWarnings(deps);
- tape.true(is.array(warnsArray));
- tape.strictEqual(warnsArray.length, 1);
+ const warnsArray = await getDependenciesWarnings(deps);
+ tape.strictEqual(warnsArray.warnings.length, 1);
 tape.strictEqual(
- warnsArray[0],
+ warnsArray.warnings[0],
 // eslint-disable-next-line max-len
 "The dependency '@scarf/scarf' has been detected in the dependency Tree. This dependency could collect data against your will so think to disable it with the env var: SCARF_ANALYTICS"
 );
diff --git a/types/scanner.d.ts b/types/scanner.d.ts
index b0d6e8a4..b50140a6 100644
--- a/types/scanner.d.ts
+++ b/types/scanner.d.ts
@@ -132,6 +132,7 @@ declare namespace Scanner {
 }
 
 export type GlobalWarning = string[];
+ export type FlaggedAuthors = extractedAuthor[];
 export type Dependencies = Record;
 
 export interface Payload {
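Review bot: The rewritten '@scarf/scarf' test drops the `tape.true(is.array(warnsArray))` check and asserts nothing about the new `flaggedAuthors` field, so the shape of the new return value is untested here; add `tape.true(is.array(warnsArray.flaggedAuthors));` and, since the fixture author is "John Doe", `tape.strictEqual(warnsArray.flaggedAuthors.length, 0);`. With that use removed, the `is` import (outside this hunk) may now be unused in the file, which a no-unused-vars lint would reject. `createDependency` gains `authors` and `publishers` keys, but whether `extractAllAuthors` reads exactly those keys is not visible in this diff, so confirm the fixture matches the library's expected metadata shape. A second test feeding a dependency whose maintainer matches the flagged list would cover the path the old inline loop used to exercise.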
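Review bot: `export type FlaggedAuthors = extractedAuthor[];` references `extractedAuthor`, which is neither imported nor declared in the visible part of types/scanner.d.ts; unless it is brought into scope elsewhere (presumably from `@nodesecure/authors`), the declaration will not resolve, so confirm the import and the exact exported name. The next hunk of the same file then declares `flaggedAuthors: FlaggedAuthors[];`, and since `FlaggedAuthors` is already an array that types the field as `extractedAuthor[][]`, whereas src/depWalker.js assigns `res.flaggedAuthors` directly; it should read `flaggedAuthors: FlaggedAuthors;`. The pre-existing `warnings: GlobalWarning[]` next to it has the same double-array shape (`GlobalWarning = string[]`), which may be what the new line was modelled on, but it propagates the mismatch rather than matching the runtime value.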
@@ -141,6 +142,8 @@ declare namespace Scanner {
 rootDependencyName: string;
 /** Global warnings list */
 warnings: GlobalWarning[];
+ /** List of flagged authors */
+ flaggedAuthors: FlaggedAuthors[];
 /** All the dependencies of the package (flattened) */
 dependencies: Dependencies;
 /** Version of the scanner used to generate the result */
diff --git a/types/walker.d.ts b/types/walker.d.ts
index c67d6b26..2d503d98 100644
--- a/types/walker.d.ts
+++ b/types/walker.d.ts
@@ -5,4 +5,4 @@ export {
 depWalker
 }
 
-declare function depWalker(manifest: Manifest, options?: Scanner.Options);
+declare function depWalker(manifest: Manifest, options?: Scanner.Options): Promise;
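Review bot: The new return annotation on `depWalker` is a bare `Promise;` with no type argument, so callers get `Promise<any>` and lose the payload type entirely; declare it as `Promise<Scanner.Payload>`, which matches `return payload;` in src/depWalker.js. If the missing type argument is an artefact of how this diff was rendered (`Record;` in types/scanner.d.ts shows the same stripping), disregard this. `Manifest` and `Scanner` are referenced from outside this hunk, so their imports are not visible here.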