feat(plugin-js-packages): implement runner for npm audit

code-pushup · Mar 18, 2024 · 6aa55a2 · 6aa55a2
1 parent 6348ba3
commit 6aa55a2
Show file tree

Hide file tree

Showing 8 changed files with 468 additions and 30 deletions.
diff --git a/packages/plugin-js-packages/src/bin.ts b/packages/plugin-js-packages/src/bin.ts
@@ -1,3 +1,3 @@
 import { executeRunner } from './lib/runner';
 
-executeRunner();
+await executeRunner();
diff --git a/packages/plugin-js-packages/src/lib/config.ts b/packages/plugin-js-packages/src/lib/config.ts
@@ -1,5 +1,9 @@
 import { z } from 'zod';
 import { IssueSeverity, issueSeveritySchema } from '@code-pushup/models';
+import { defaultAuditLevelMapping } from './constants';
+
+export const packageDependencies = ['prod', 'dev', 'optional'] as const;
+export type PackageDependency = (typeof packageDependencies)[number];
 
 const packageCommandSchema = z.enum(['audit', 'outdated']);
 export type PackageCommand = z.infer<typeof packageCommandSchema>;
@@ -12,23 +16,16 @@ const packageManagerSchema = z.enum([
 ]);
 export type PackageManager = z.infer<typeof packageManagerSchema>;
 
-const packageAuditLevelSchema = z.enum([
-  'info',
-  'low',
-  'moderate',
-  'high',
+export const packageAuditLevels = [
   'critical',
-]);
+  'high',
+  'moderate',
+  'low',
+  'info',
+] as const;
+const packageAuditLevelSchema = z.enum(packageAuditLevels);
 export type PackageAuditLevel = z.infer<typeof packageAuditLevelSchema>;
 
-const defaultAuditLevelMapping: Record<PackageAuditLevel, IssueSeverity> = {
-  critical: 'error',
-  high: 'error',
-  moderate: 'warning',
-  low: 'warning',
-  info: 'info',
-};
-
 export function fillAuditLevelMapping(
   mapping: Partial<Record<PackageAuditLevel, IssueSeverity>>,
 ): Record<PackageAuditLevel, IssueSeverity> {
@@ -66,5 +63,3 @@ export type JSPackagesPluginConfig = z.input<
 export type FinalJSPackagesPluginConfig = z.infer<
   typeof jsPackagesPluginConfigSchema
 >;
-
-export type PackageDependencyType = 'prod' | 'dev' | 'optional';
diff --git a/packages/plugin-js-packages/src/lib/constants.ts b/packages/plugin-js-packages/src/lib/constants.ts
@@ -1,5 +1,20 @@
-import { MaterialIcon } from '@code-pushup/models';
-import { PackageDependencyType, PackageManager } from './config';
+import { IssueSeverity, MaterialIcon } from '@code-pushup/models';
+import type {
+  PackageAuditLevel,
+  PackageDependency,
+  PackageManager,
+} from './config';
+
+export const defaultAuditLevelMapping: Record<
+  PackageAuditLevel,
+  IssueSeverity
+> = {
+  critical: 'error',
+  high: 'error',
+  moderate: 'warning',
+  low: 'warning',
+  info: 'info',
+};
 
 export const pkgManagerNames: Record<PackageManager, string> = {
   npm: 'NPM',
@@ -35,7 +50,7 @@ export const outdatedDocs: Record<PackageManager, string> = {
   pnpm: 'https://pnpm.io/cli/outdated',
 };
 
-export const dependencyDocs: Record<PackageDependencyType, string> = {
+export const dependencyDocs: Record<PackageDependency, string> = {
   prod: 'https://classic.yarnpkg.com/docs/dependency-types#toc-dependencies',
   dev: 'https://classic.yarnpkg.com/docs/dependency-types#toc-devdependencies',
   optional:

diff --git a/packages/plugin-js-packages/src/lib/js-packages-plugin.ts b/packages/plugin-js-packages/src/lib/js-packages-plugin.ts
@@ -1,11 +1,11 @@
 import { dirname, join } from 'node:path';
 import { fileURLToPath } from 'node:url';
-import { Audit, Group, PluginConfig } from '@code-pushup/models';
+import type { Audit, Group, PluginConfig } from '@code-pushup/models';
 import { name, version } from '../../package.json';
 import {
   JSPackagesPluginConfig,
   PackageCommand,
-  PackageDependencyType,
+  PackageDependency,
   PackageManager,
   jsPackagesPluginConfigSchema,
 } from './config';
@@ -126,7 +126,7 @@ function createAudits(
 function getAuditTitle(
   pkgManager: PackageManager,
   check: PackageCommand,
-  dependencyType: PackageDependencyType,
+  dependencyType: PackageDependency,
 ) {
   return check === 'audit'
     ? `Vulnerabilities for ${pkgManagerNames[pkgManager]} ${dependencyType} dependencies.`
@@ -135,7 +135,7 @@ function getAuditTitle(
 
 function getAuditDescription(
   check: PackageCommand,
-  dependencyType: PackageDependencyType,
+  dependencyType: PackageDependency,
 ) {
   return check === 'audit'
     ? `Runs security audit on ${dependencyType} dependencies.`

diff --git a/packages/plugin-js-packages/src/lib/runner/audit/transform.ts b/packages/plugin-js-packages/src/lib/runner/audit/transform.ts
@@ -0,0 +1,81 @@
+import type { AuditOutput, Issue, IssueSeverity } from '@code-pushup/models';
+import { objectToEntries } from '@code-pushup/utils';
+import {
+  PackageAuditLevel,
+  PackageDependency,
+  packageAuditLevels,
+} from '../../config';
+import { NpmAuditResultJson, Vulnerabilities } from './types';
+
+export function auditResultToAuditOutput(
+  result: NpmAuditResultJson,
+  dependenciesType: PackageDependency,
+  auditLevelMapping: Record<PackageAuditLevel, IssueSeverity>,
+): AuditOutput {
+  const issues = vulnerabilitiesToIssues(
+    result.vulnerabilities,
+    auditLevelMapping,
+  );
+  return {
+    slug: `npm-audit-${dependenciesType}`,
+    score: result.metadata.vulnerabilities.total === 0 ? 1 : 0,
+    value: result.metadata.vulnerabilities.total,
+    displayValue: vulnerabilitiesToDisplayValue(
+      result.metadata.vulnerabilities,
+    ),
+    ...(issues.length > 0 && { details: { issues } }),
+  };
+}
+
+export function vulnerabilitiesToDisplayValue(
+  vulnerabilities: Record<PackageAuditLevel | 'total', number>,
+): string {
+  if (vulnerabilities.total === 0) {
+    return 'passed';
+  }
+
+  const displayValue = packageAuditLevels
+    .map(level =>
+      vulnerabilities[level] > 0 ? `${vulnerabilities[level]} ${level}` : '',
+    )
+    .filter(text => text !== '')
+    .join(', ');
+  return `${displayValue} ${
+    vulnerabilities.total === 1 ? 'vulnerability' : 'vulnerabilities'
+  }`;
+}
+
+export function vulnerabilitiesToIssues(
+  vulnerabilities: Vulnerabilities,
+  auditLevelMapping: Record<PackageAuditLevel, IssueSeverity>,
+): Issue[] {
+  if (Object.keys(vulnerabilities).length === 0) {
+    return [];
+  }
+
+  return objectToEntries(vulnerabilities).map<Issue>(([, detail]) => {
+    // Advisory details via can refer to another vulnerability
+    // For now, only direct context is supported
+    if (
+      Array.isArray(detail.via) &&
+      detail.via.length > 0 &&
+      typeof detail.via[0] === 'object'
+    ) {
+      return {
+        message: `${detail.name} dependency has a vulnerability "${
+          detail.via[0].title
+        }" for versions ${detail.range}. Fix is ${
+          detail.fixAvailable ? '' : 'not '
+        }available. More information [here](${detail.via[0].url})`,
+        severity: auditLevelMapping[detail.severity],
+      };
+    }
+
+    return {
+      message: `${detail.name} dependency has a vulnerability for versions ${
+        detail.range
+      }. Fix is ${detail.fixAvailable ? '' : 'not '}available.`,
+      severity: auditLevelMapping[detail.severity],
+    };
+  });
+}