@code-pushup/js-packages-plugin/src/lib/package-managers/npm/audit-result.js

Code PushUp plugin for JavaScript packages 🛡️

import { objectToEntries } from '@code-pushup/utils';
export function npmToAuditResult(output) {
    const npmAudit = JSON.parse(output);
    const vulnerabilities = objectToEntries(npmAudit.vulnerabilities).map(([name, detail]) => {
        const advisory = npmToAdvisory(name, npmAudit.vulnerabilities);
        return {
            name: name.toString(),
            severity: detail.severity,
            versionRange: detail.range,
            directDependency: detail.isDirect ? true : (detail.effects[0] ?? ''),
            fixInformation: npmToFixInformation(detail.fixAvailable),
            ...(advisory != null && {
                title: advisory.title,
                url: advisory.url,
            }),
        };
    });
    return {
        vulnerabilities,
        summary: npmAudit.metadata.vulnerabilities,
    };
}
export function npmToFixInformation(fixAvailable) {
    if (typeof fixAvailable === 'boolean') {
        return fixAvailable ? 'Fix is available.' : '';
    }
    return `Fix available: Update \`${fixAvailable.name}\` to version **${fixAvailable.version}**${fixAvailable.isSemVerMajor ? ' (breaking change).' : '.'}`;
}
export function npmToAdvisory(name, vulnerabilities, prevNodes = new Set()) {
    const advisory = vulnerabilities[name]?.via;
    if (Array.isArray(advisory) &&
        advisory.length > 0 &&
        typeof advisory[0] === 'object') {
        return { title: advisory[0].title, url: advisory[0].url };
    }
    // Cross-references another vulnerability
    if (Array.isArray(advisory) &&
        advisory.length > 0 &&
        advisory.every((value) => typeof value === 'string')) {
        /* eslint-disable functional/no-let, functional/immutable-data, functional/no-loop-statements, prefer-const */
        let advisoryInfo = null;
        let newReferences = [];
        let advisoryInfoFound = false;
        /* eslint-enable functional/no-let, prefer-const */
        for (const via of advisory) {
            if (!prevNodes.has(via)) {
                newReferences.push(via);
            }
        }
        while (newReferences.length > 0 && !advisoryInfoFound) {
            // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
            const ref = newReferences.pop();
            prevNodes.add(ref);
            const result = npmToAdvisory(ref, vulnerabilities, prevNodes);
            if (result != null) {
                advisoryInfo = { title: result.title, url: result.url };
                advisoryInfoFound = true;
            }
        }
        /* eslint-enable functional/immutable-data, functional/no-loop-statements */
        return advisoryInfo;
    }
    return null;
}
//# sourceMappingURL=audit-result.js.map