@@ -1,6 +1,7 @@ | ||
node_modules | ||
/node_modules | ||
/coverage | ||
.vscode | ||
.nyc_output | ||
/.nyc_output | ||
.DS_Store | ||
.idea | ||
npm-audit-report.iml | ||
npm-audit-report.iml |
@@ -0,0 +1,24 @@ | ||
const chalk = require('chalk') | ||
module.exports = color => { | ||
const identity = x => x | ||
const green = color ? s => chalk.green.bold(s) : identity | ||
const red = color ? s => chalk.red.bold(s) : identity | ||
const magenta = color ? s => chalk.magenta.bold(s) : identity | ||
const yellow = color ? s => chalk.yellow.bold(s) : identity | ||
const white = color ? s => chalk.bold(s) : identity | ||
const severity = (sev, s) => sev.toLowerCase() === 'moderate' ? yellow(s || sev) | ||
: sev.toLowerCase() === 'high' ? red(s || sev) | ||
: sev.toLowerCase() === 'critical' ? magenta(s || sev) | ||
: white(s || sev) | ||
const dim = color ? s => chalk.dim(s) : identity | ||
|
||
return { | ||
dim, | ||
green, | ||
red, | ||
magenta, | ||
yellow, | ||
white, | ||
severity | ||
} | ||
} |
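Review bot: `severity` (the line `const severity = (sev, s) => sev.toLowerCase() === 'moderate' ? …`) calls `sev.toLowerCase()` up to three times and repeats `s || sev` in every branch, so the mapping is buried in a four-deep ternary chain; hoisting both into locals and dispatching on the lowercased value reads more clearly and makes it visible that `low` and `info` deliberately fall through to `white`. `white` is `chalk.bold` rather than `chalk.white`; if that is intentional, a comment such as `// 'white' is plain bold so it follows the terminal's default foreground` would save the next reader a double-take. Rewritten form of the helper follows; the surrounding colour helpers and the returned object are unchanged.
```javascript
  // … unchanged: identity, green, red, magenta, yellow, white …
  const severity = (sev, s) => {
    const text = s || sev
    switch (sev.toLowerCase()) {
      case 'moderate': return yellow(text)
      case 'high': return red(text)
      case 'critical': return magenta(text)
      default: return white(text)
    }
  }
  // … unchanged: dim and the returned object …
```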
@@ -0,0 +1,14 @@ | ||
// return 1 if any vulns in the set are at or above the specified severity | ||
const severities = new Map(Object.entries([ | ||
'info', | ||
'low', | ||
'moderate', | ||
'high', | ||
'critical', | ||
'none' | ||
]).map(s => s.reverse())) | ||
|
||
module.exports = (data, level) => | ||
Object.entries(data.metadata.vulnerabilities) | ||
.some(([sev, count]) => count > 0 && severities.has(sev) && | ||
severities.get(sev) >= severities.get(level)) ? 1 : 0 |
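Review bot: The map built with `Object.entries([...]).map(s => s.reverse())` stores the severity ranks as strings ('0'…'5'), because `Object.entries` yields string indices, so `severities.get(sev) >= severities.get(level)` is a lexicographic string comparison that only works while every rank is a single digit. Separately, an unknown `level` (a typo, or a value with different casing) makes `severities.get(level)` undefined, every comparison false and the exit code 0, so a misconfigured threshold silently disables the failure it exists to enforce. Building the map with `.map((s, i) => [s, i])` gives numeric ranks, and rejecting a level that is not in the map keeps the check fail-closed; hoisting the threshold also avoids re-reading the map inside `.some`. Whether to throw or fall back to the lowest level is the author's call, but returning 0 for an unrecognised level should not be the default.
```javascript
// return 1 if any vulns in the set are at or above the specified severity
const severities = new Map(
  ['info', 'low', 'moderate', 'high', 'critical', 'none'].map((s, i) => [s, i])
)

module.exports = (data, level) => {
  if (!severities.has(level))
    throw new Error(`unknown audit level: ${level}`)
  const threshold = severities.get(level)
  return Object.entries(data.metadata.vulnerabilities)
    .some(([sev, count]) => count > 0 && severities.has(sev) &&
      severities.get(sev) >= threshold) ? 1 : 0
}
```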
@@ -0,0 +1,28 @@ | ||
'use strict' | ||
|
||
const reporters = { | ||
install: require('./reporters/install'), | ||
detail: require('./reporters/detail'), | ||
json: require('./reporters/json'), | ||
quiet: require('./reporters/quiet') | ||
} | ||
|
||
const exitCode = require('./exit-code.js') | ||
|
||
module.exports = Object.assign((data, options = {}) => { | ||
const { | ||
reporter = 'install', | ||
color = true, | ||
unicode = true, | ||
indent = 2, | ||
auditLevel = 'low' | ||
} = options | ||
|
||
if (typeof data.toJSON === 'function') | ||
data = data.toJSON() | ||
|
||
return { | ||
report: reporters[reporter](data, { color, unicode, indent }), | ||
exitCode: exitCode(data, auditLevel) | ||
} | ||
}, { reporters }) |
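Review bot: `reporters[reporter]` on the `report:` line indexes the table directly with the caller-supplied `reporter` option, so an unknown name fails with a bare TypeError ("is not a function"), and a property name inherited from `Object.prototype` resolves to something that is not a reporter at all instead of being rejected. An own-property guard with a descriptive error before the `return` keeps the failure explicit: `if (!Object.prototype.hasOwnProperty.call(reporters, reporter))` followed by `throw new Error(\`unknown reporter: ${reporter}\`)`. As a point of style, `data = data.toJSON()` reassigns a parameter; a fresh binding such as `const json = typeof data.toJSON === 'function' ? data.toJSON() : data` used in the return avoids mutating the argument name.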
@@ -0,0 +1,84 @@ | ||
'use strict' | ||
|
||
const colors = require('../colors.js') | ||
const install = require('./install.js') | ||
|
||
module.exports = (data, { color }) => { | ||
const summary = install.summary(data, { color }) | ||
const none = data.metadata.vulnerabilities.total === 0 | ||
return none ? summary : fullReport(data, {color, summary}) | ||
} | ||
|
||
const fullReport = (data, { color, summary }) => { | ||
const c = colors(color) | ||
const output = [c.white('# npm audit report'), ''] | ||
|
||
const printed = new Set() | ||
for (const [name, vuln] of Object.entries(data.vulnerabilities)) { | ||
if (printed.has(vuln)) | ||
continue | ||
|
||
printed.add(vuln) | ||
output.push(printVuln(vuln, c, data.vulnerabilities, printed)) | ||
} | ||
|
||
output.push(summary) | ||
|
||
return output.join('\n') | ||
} | ||
|
||
const printVuln = (vuln, c, vulnerabilities, printed, indent = '') => { | ||
const output = [] | ||
|
||
output.push(c.white(vuln.name) + ' ' + vuln.range) | ||
|
||
if (indent === '' && (vuln.severity !== 'low' || vuln.severity === 'info')) { | ||
output.push(`Severity: ${c.severity(vuln.severity)}`) | ||
} | ||
|
||
for (const via of vuln.via) { | ||
if (typeof via === 'string') { | ||
output.push(`Depends on vulnerable versions of ${c.white(via)}`) | ||
} else if (indent === '') { | ||
output.push(`${c.white(via.title)} - ${via.url}`) | ||
} | ||
} | ||
|
||
if (indent === '') { | ||
const { fixAvailable: fa } = vuln | ||
if (fa === false) { | ||
output.push(c.red('No fix available')) | ||
} else if (fa === true) { | ||
output.push(c.green('fix available') + ' via `npm audit fix`') | ||
} else { | ||
/* istanbul ignore else - should be impossible, just being cautious */ | ||
if (typeof fa === 'object' && indent === '') { | ||
output.push( | ||
`${c.yellow('fix available')} via \`npm audit fix --force\``, | ||
`Will install ${fa.name}@${fa.version}` + | ||
`, which is ${fa.isSemVerMajor ? 'a breaking change' : | ||
'outside the stated dependency range' }` | ||
) | ||
} | ||
} | ||
} | ||
|
||
for (const path of vuln.nodes) { | ||
output.push(c.dim(path)) | ||
} | ||
|
||
for (const effect of vuln.effects) { | ||
const vuln = vulnerabilities[effect] | ||
// still print it again if it has its own advisory as well | ||
if (vuln.via.filter(v => typeof v !== 'string').length === 0) | ||
printed.add(vuln) | ||
const e = printVuln(vuln, c, vulnerabilities, printed, ' ') | ||
output.push(...e.split('\n')) | ||
} | ||
|
||
if (indent === '') { | ||
output.push('') | ||
} | ||
|
||
return output.map(l => `${indent}${l}`).join('\n') | ||
} |
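Review bot: On the line `if (indent === '' && (vuln.severity !== 'low' || vuln.severity === 'info'))` the `|| vuln.severity === 'info'` clause can never change the outcome, since a severity of 'info' already satisfies `!== 'low'`; as written the Severity line is printed for everything except 'low'. If 'info' is meant to be suppressed as well, the condition should read `vuln.severity !== 'low' && vuln.severity !== 'info'`; otherwise the dead clause should be dropped so the intent is unambiguous. Two smaller points in the same function: the inner `indent === ''` in `if (typeof fa === 'object' && indent === '')` is always true inside the enclosing `if (indent === '')`, and `const vuln = vulnerabilities[effect]` in the effects loop shadows the outer `vuln` parameter, which makes the following `printed.add(vuln)` easy to misread — a name such as `effectVuln` would help.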