feat: Add support for npm Dependency Graph #187

Merged
merged 4 commits, Jan 22, 2024

Conversation

abhisek (Member) commented Jan 10, 2024

  • refactor: Parser to use dependency graph parsers
  • feat: Add npm package-lock.json graph parser

safedep bot commented Jan 10, 2024

SafeDep OSS Vet

Policy Checks

  • ❌ Vulnerability
  • ✅ Malware
  • ✅ License
  • ✅ Popularity
  • ❌ Maintenance
  • ✅ Security Posture
  • ✅ Threats

New Packages

  • ✅ [Go] github.com/safedep/dry@0.0.0-20240110142304-5970e3335464
  • ✅ [Maven] org.slf4j:slf4j-api@1.7.36
  • ✅ [Maven] org.springframework:spring-orm@5.3.23
  • ✅ [Maven] jakarta.persistence:jakarta.persistence-api@2.2.3
  • ⚠️ [Maven] com.fasterxml.jackson.core:jackson-databind@2.13.4
  • ⚠️ [Maven] org.springframework.boot:spring-boot-autoconfigure@2.7.4
  • ✅ [Maven] org.mockito:mockito-junit-jupiter@4.5.1
  • ✅ [Maven] org.springframework.security:spring-security-oauth2-core@5.7.3
  • ✅ [Maven] xstream:xstream@1.2.2
  • ⚠️ [Maven] ch.qos.logback:logback-core@1.2.11
  • ✅ [Maven] org.springframework.boot:spring-boot-starter-oauth2-resource-server@2.7.4
  • ✅ [Maven] org.springframework:spring-context@5.3.23
  • ✅ [Maven] org.springframework:spring-expression@5.3.23
  • ✅ [Maven] org.springframework.boot:spring-boot-starter-data-jpa@2.7.4
  • ✅ [Maven] org.junit.jupiter:junit-jupiter@5.8.2
  • ✅ [Maven] org.skyscreamer:jsonassert@1.5.1
  • ✅ [Maven] io.vavr:vavr@0.10.2
  • ✅ [Maven] org.junit:junit-bom@5.8.2
  • ✅ [Maven] org.springframework.boot:spring-boot-starter-logging@2.7.4
  • ✅ [Maven] org.springframework:spring-webmvc@5.3.23
  • ⚠️ [Maven] jakarta.transaction:jakarta.transaction-api@1.3.3
  • ✅ [Maven] org.apache.tomcat.embed:tomcat-embed-el@9.0.65
  • ✅ [Maven] org.glassfish.jaxb:jaxb-runtime@2.3.6
  • ✅ [Maven] io.github.resilience4j:resilience4j-spring@1.7.0
  • ⚠️ [Maven] jakarta.xml.bind:jakarta.xml.bind-api@2.3.3
  • ✅ [Maven] com.fasterxml.jackson.core:jackson-annotations@2.13.4
  • ✅ [Maven] io.github.resilience4j:resilience4j-circularbuffer@1.7.0
  • ✅ [Maven] org.assertj:assertj-core@3.22.0
  • ✅ [Maven] org.springframework.boot:spring-boot-starter-jdbc@2.7.4
  • ✅ [Maven] org.springframework.cloud:spring-cloud-context@3.1.4
  • ✅ [Maven] org.springframework.data:spring-data-commons@2.7.3
  • ⚠️ [Maven] jakarta.activation:jakarta.activation-api@1.2.2
  • ✅ [Maven] xpp3:xpp3_min@1.1.3.4.O
  • ✅ [Maven] org.springframework.security:spring-security-crypto@5.7.3
  • ✅ [Maven] org.springframework.boot:spring-boot-starter-security@2.7.4
  • ✅ [Maven] org.springframework.boot:spring-boot-starter-test@2.7.4
  • ✅ [Maven] com.fasterxml.jackson:jackson-bom@2.13.4
  • ✅ [Maven] org.springframework.data:spring-data-jpa@2.7.3
  • ✅ [Maven] org.bouncycastle:bcutil-jdk15on@1.69
  • ✅ [Maven] org.hibernate.validator:hibernate-validator@6.2.5.Final
  • ✅ [Maven] org.junit.jupiter:junit-jupiter-api@5.8.2
  • ✅ [Maven] org.springframework.boot:spring-boot-devtools@2.7.4
  • ✅ [Maven] org.springframework.boot:spring-boot-starter-data-rest@2.7.4
  • ✅ [Maven] org.springframework.boot:spring-boot-starter-json@2.7.4
  • ✅ [Maven] org.springframework:spring-jcl@5.3.23
  • ⚠️ [Maven] org.apiguardian:apiguardian-api@1.1.2
  • ✅ [Maven] org.mockito:mockito-core@4.5.1
  • ✅ [Maven] org.springframework.boot:spring-boot-starter-tomcat@2.7.4
  • ✅ [Maven] org.springframework.boot:spring-boot@2.7.4
  • ✅ [Maven] org.springframework.security:spring-security-oauth2-resource-server@5.7.3
  • ✅ [Maven] org.springframework:spring-jdbc@5.3.23
  • ✅ [Maven] com.nimbusds:nimbus-jose-jwt@9.22
  • ✅ [Maven] com.fasterxml:classmate@1.5.1
  • ✅ [Maven] jakarta.validation:jakarta.validation-api@2.0.2
  • ✅ [Maven] org.junit.jupiter:junit-jupiter-engine@5.8.2
  • ⚠️ [Maven] net.minidev:json-smart@2.4.8
  • ✅ [Maven] org.springframework.cloud:spring-cloud-starter-circuitbreaker-resilience4j@2.1.4
  • ✅ [Maven] org.springframework.hateoas:spring-hateoas@1.5.2
  • ✅ [Maven] org.springframework:spring-beans@5.3.23
  • ✅ [Maven] com.zaxxer:HikariCP@4.0.3
  • ⚠️ [Maven] io.github.openfeign.form:feign-form@3.8.0
  • ✅ [Maven] com.fasterxml.jackson.core:jackson-core@2.13.4
  • ✅ [Maven] com.fasterxml.jackson.datatype:jackson-datatype-jdk8@2.13.4
  • ✅ [Maven] io.github.resilience4j:resilience4j-consumer@1.7.0
  • ✅ [Maven] net.bytebuddy:byte-buddy-agent@1.12.17
  • ✅ [Maven] org.glassfish.jaxb:txw2@2.3.6
  • ✅ [Maven] org.projectlombok:lombok@1.18.24
  • ⚠️ [Maven] com.github.stephenc.jcip:jcip-annotations@1.0-1
  • ✅ [Maven] org.springframework.boot:spring-boot-starter@2.7.4
  • ✅ [Maven] org.objenesis:objenesis@3.2
  • ✅ [Maven] org.springframework:spring-aspects@5.3.23
  • ✅ [Maven] net.bytebuddy:byte-buddy@1.12.17
  • ✅ [Maven] org.hibernate:hibernate-core@5.6.11.Final
  • ✅ [Maven] org.springframework:spring-aop@5.3.23
  • ✅ [Maven] io.github.resilience4j:resilience4j-core@1.7.0
  • ✅ [Maven] io.github.openfeign:feign-slf4j@11.8
  • ✅ [Maven] org.ow2.asm:asm@9.1
  • ✅ [Maven] org.springframework.data:spring-data-rest-webmvc@3.7.3
  • ✅ [Maven] org.springframework.security:spring-security-rsa@1.0.11.RELEASE
  • ⚠️ [Maven] org.atteo:evo-inflector@1.3
  • ✅ [Maven] org.springframework.cloud:spring-cloud-starter@3.1.4
  • ✅ [Maven] org.bouncycastle:bcpkix-jdk15on@1.69
  • ✅ [Maven] org.jsoup:jsoup@1.15.4
  • ✅ [Maven] org.springframework.boot:spring-boot-test-autoconfigure@2.7.4
  • ✅ [Maven] org.springframework.security:spring-security-test@5.7.3
  • ✅ [Maven] io.github.resilience4j:resilience4j-spring-boot2@1.7.0
  • ⚠️ [Maven] commons-fileupload:commons-fileupload@1.4
  • ⚠️ [Maven] org.springframework.plugin:spring-plugin-core@2.0.0.RELEASE
  • ⚠️ [Maven] org.xmlunit:xmlunit-core@2.9.0
  • ✅ [Maven] org.apache.logging.log4j:log4j-to-slf4j@2.17.2
  • ✅ [Maven] org.aspectj:aspectjweaver@1.9.7
  • ⚠️ [Maven] com.jayway.jsonpath:json-path@2.7.0
  • ⚠️ [Maven] org.springframework:spring-web@5.3.23
  • ✅ [Maven] org.apache.logging.log4j:log4j-api@2.17.2
  • ✅ [Maven] org.springframework.cloud:spring-cloud-openfeign-core@3.1.4
  • ✅ [Maven] org.springframework.security:spring-security-web@5.7.3
  • ✅ [Maven] org.springframework:spring-tx@5.3.23
  • ✅ [Maven] io.github.resilience4j:resilience4j-micrometer@1.7.0
  • ⚠️ [Maven] org.hamcrest:hamcrest@2.2
  • ✅ [Maven] io.github.resilience4j:resilience4j-framework-common@1.7.0
  • ✅ [Maven] org.bouncycastle:bcprov-jdk15on@1.69
  • ✅ [Maven] org.springframework.security:spring-security-oauth2-jose@5.7.3
  • ⚠️ [Maven] org.apache.tomcat.embed:tomcat-embed-core@9.0.65
  • ⚠️ [Maven] org.springframework.security:spring-security-core@5.7.3
  • ✅ [Maven] com.fasterxml.jackson.datatype:jackson-datatype-jsr310@2.13.4
  • ✅ [Maven] org.springframework.boot:spring-boot-test@2.7.4
  • ⚠️ [Maven] io.github.openfeign.form:feign-form-spring@3.8.0
  • ✅ [Maven] org.opentest4j:opentest4j@1.2.0
  • ✅ [Maven] org.slf4j:jul-to-slf4j@1.7.36
  • ✅ [Maven] org.springframework.cloud:spring-cloud-commons@3.1.4
  • ✅ [Maven] org.jboss:jandex@2.4.2.Final
  • ⚠️ [Maven] com.thoughtworks.xstream:xstream@1.2.2
  • ⚠️ [Maven] org.springframework.security:spring-security-config@5.7.3
  • ✅ [Maven] io.github.resilience4j:resilience4j-annotations@1.7.0
  • ✅ [Maven] io.github.resilience4j:resilience4j-ratelimiter@1.7.0
  • ✅ [Maven] net.minidev:accessors-smart@2.4.8
  • ✅ [Maven] org.apache.tomcat.embed:tomcat-embed-websocket@9.0.65
  • ⚠️ [Maven] com.sun.activation:jakarta.activation@1.2.2
  • ✅ [Maven] io.vavr:vavr-match@0.10.2
  • ✅ [Maven] org.junit.platform:junit-platform-engine@1.8.2
  • ✅ [Maven] io.github.resilience4j:resilience4j-circuitbreaker@1.7.0
  • ⚠️ [Maven] org.hibernate.common:hibernate-commons-annotations@5.1.2.Final
  • ⚠️ [Maven] org.springframework:spring-core@5.3.23
  • ✅ [Maven] org.springframework.boot:spring-boot-starter-validation@2.7.4
  • ✅ [Maven] org.springframework.data:spring-data-rest-core@3.7.3
  • ⚠️ [Maven] com.sun.istack:istack-commons-runtime@3.0.12
  • ✅ [Maven] io.github.openfeign:feign-core@11.8
  • ✅ [Maven] io.github.resilience4j:resilience4j-timelimiter@1.7.0
  • ✅ [Maven] jakarta.annotation:jakarta.annotation-api@1.3.5
  • ✅ [Maven] org.jboss.logging:jboss-logging@3.4.3.Final
  • ✅ [Maven] org.junit.jupiter:junit-jupiter-params@5.8.2
  • ✅ [Maven] org.springframework.boot:spring-boot-configuration-processor@2.7.4
  • ✅ [Maven] org.springframework.cloud:spring-cloud-starter-openfeign@3.1.4
  • ✅ [Maven] antlr:antlr@2.7.7
  • ✅ [Maven] org.springframework:spring-test@5.3.23
  • ✅ [Maven] com.fasterxml.jackson.module:jackson-module-parameter-names@2.13.4
  • ✅ [Maven] io.github.resilience4j:resilience4j-retry@1.7.0
  • ✅ [Maven] org.springframework.boot:spring-boot-starter-aop@2.7.4
  • ✅ [Maven] org.springframework.boot:spring-boot-starter-web@2.7.4
  • ⚠️ [Maven] ch.qos.logback:logback-classic@1.2.11
  • ✅ [Maven] com.vaadin.external.google:android-json@0.0.20131108.vaadin1
  • ✅ [Maven] org.junit.platform:junit-platform-commons@1.8.2
  • ✅ [Maven] org.springframework.cloud:spring-cloud-circuitbreaker-resilience4j@2.1.4
  • ⚠️ [Maven] org.yaml:snakeyaml@1.30

Packages Violating Policy

[Maven] com.fasterxml.jackson.core:jackson-databind@2.13.4 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Critical or high risk vulnerabilities were found
  • ⚡ Upgrade to com.fasterxml.jackson.core:jackson-databind@2.16.1

[Maven] org.springframework.boot:spring-boot-autoconfigure@2.7.4 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Critical or high risk vulnerabilities were found

[Maven] ch.qos.logback:logback-core@1.2.11 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Critical or high risk vulnerabilities were found
  • ⚡ Upgrade to ch.qos.logback:logback-core@1.4.14

[Maven] jakarta.transaction:jakarta.transaction-api@1.3.3 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Component appears to be unmaintained

[Maven] jakarta.xml.bind:jakarta.xml.bind-api@2.3.3 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Component appears to be unmaintained

[Maven] jakarta.activation:jakarta.activation-api@1.2.2 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Component appears to be unmaintained

[Maven] org.apiguardian:apiguardian-api@1.1.2 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Component appears to be unmaintained

[Maven] net.minidev:json-smart@2.4.8 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Critical or high risk vulnerabilities were found
  • ⚡ Upgrade to net.minidev:json-smart@2.5.0

[Maven] io.github.openfeign.form:feign-form@3.8.0 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Component appears to be unmaintained

[Maven] com.github.stephenc.jcip:jcip-annotations@1.0-1 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Component appears to be unmaintained

[Maven] org.atteo:evo-inflector@1.3 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Component appears to be unmaintained

[Maven] commons-fileupload:commons-fileupload@1.4 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Critical or high risk vulnerabilities were found
  • ⚡ Upgrade to commons-fileupload:commons-fileupload@1.5

[Maven] org.springframework.plugin:spring-plugin-core@2.0.0.RELEASE 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Component appears to be unmaintained

[Maven] org.xmlunit:xmlunit-core@2.9.0 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Component appears to be unmaintained

[Maven] com.jayway.jsonpath:json-path@2.7.0 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Critical or high risk vulnerabilities were found
  • ⚡ Upgrade to com.jayway.jsonpath:json-path@2.8.0

[Maven] org.springframework:spring-web@5.3.23 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Critical or high risk vulnerabilities were found
  • ⚡ Upgrade to org.springframework:spring-web@6.1.3

[Maven] org.hamcrest:hamcrest@2.2 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Component appears to be unmaintained

[Maven] org.apache.tomcat.embed:tomcat-embed-core@9.0.65 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Critical or high risk vulnerabilities were found
  • ⚡ Upgrade to org.apache.tomcat.embed:tomcat-embed-core@11.0.0-M16

[Maven] org.springframework.security:spring-security-core@5.7.3 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Critical or high risk vulnerabilities were found
  • ⚡ Upgrade to org.springframework.security:spring-security-core@6.2.1

[Maven] io.github.openfeign.form:feign-form-spring@3.8.0 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Component appears to be unmaintained

[Maven] com.thoughtworks.xstream:xstream@1.2.2 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Critical or high risk vulnerabilities were found
  • ⚡ Upgrade to com.thoughtworks.xstream:xstream@1.4.20

[Maven] org.springframework.security:spring-security-config@5.7.3 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Critical or high risk vulnerabilities were found
  • ⚡ Upgrade to org.springframework.security:spring-security-config@6.2.1

[Maven] com.sun.activation:jakarta.activation@1.2.2 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Component appears to be unmaintained

[Maven] org.hibernate.common:hibernate-commons-annotations@5.1.2.Final 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Component appears to be unmaintained

[Maven] org.springframework:spring-core@5.3.23 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Critical or high risk vulnerabilities were found
  • ⚡ Upgrade to org.springframework:spring-core@6.1.3

[Maven] com.sun.istack:istack-commons-runtime@3.0.12 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Component appears to be unmaintained

[Maven] ch.qos.logback:logback-classic@1.2.11 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Critical or high risk vulnerabilities were found
  • ⚡ Upgrade to ch.qos.logback:logback-classic@1.4.14

[Maven] org.yaml:snakeyaml@1.30 🔗

  • ➡️ Found in manifest test/scenarios/fixtures/lockfiles/demo-client-java-gradle.lockfile
  • ⚠️ Critical or high risk vulnerabilities were found
  • ⚡ Upgrade to org.yaml:snakeyaml@2.2

cloudflare-workers-and-pages bot commented Jan 10, 2024

Deploying with Cloudflare Pages

Latest commit: d0f6a82
Status: ✅  Deploy successful!
Preview URL: https://a5ad78bc.safedep-vet.pages.dev
Branch Preview URL: https://feat-npm-graph-parser.safedep-vet.pages.dev

abhisek force-pushed the feat/npm-graph-parser branch 9 times, most recently from ae2bdbd to 5b0d2b2 on January 14, 2024 18:40

feat: Add npm package-lock.json graph parser

fix: Npm graph parser path to root traversal

fix: File naming convention for npm graph parser

feat: Add reporter for graph visualization in dot format

feat: Add support for showing dependency upgrade path in summary report

fix: Bug in summary reporter related to random ordering of entries with same score

chore: Add support for experimental flag in scanner config

refactor: Test cases or npm package name extractor into utils

feat: Add support for dependency graph data in CSV report generator

fix: LFP npm handle package links

test: Improve test for npm name extraction

feat: Add support for reconstructing dependency graph using insights data

fix: purl reader to use package manifest builder

test: Add E2E for gradle dependency graph reconstruction

fix: Handle root node marking heuristics for enriched dependency graph

feat: Allow query command to generate dependency graph

fix: Scanner dependency graph reconstruction using dependency distance

fix: Test case for maven dependency graph reconstruction

chore: Improve summary report text for dependency path to root

refactor: Code re-use in npm graph to find by semver range

c0d3G33k self-requested a review on January 17, 2024 12:58
abhisek merged commit 774323c into main on Jan 22, 2024
9 of 10 checks passed
abhisek deleted the feat/npm-graph-parser branch on January 22, 2024 05:01