@nodesecure/scanner

A package API to run a static analysis of your module's dependencies.

import type { Warning } from "@nodesecure/js-x-ray";
import * as Vulnera from "@nodesecure/vulnera";
import type { PackageModuleType } from "@nodesecure/mama";
import type { SpdxFileLicenseConformance } from "@nodesecure/conformance";
import type { IlluminatedContact } from "@nodesecure/contact";
import type { Contact, Dist } from "@nodesecure/npm-types";

/**
 * A person listed in a package's registry metadata, extended with the
 * avatar path displayed on npmjs.com.
 *
 * NOTE(review): every field here originates from publisher-controlled
 * registry/manifest data; use it for display and heuristics, not as
 * proof of identity.
 */
export type Maintainer = Contact & {
  /**
   * Path to publisher's avatar on "https://www.npmjs.com"
   * @example /npm-avatar/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.LwimMJA3puF3ioGeS-tfczR3370GXBZMIL-bdpu4hOU
   */
  npmAvatar?: string;
};

/**
 * A maintainer who has published at least one release, with the first
 * release they published (`url` from `Maintainer` is dropped).
 */
export type Publisher = Omit<Maintainer, "url"> & {
  /**
   * First version published.
   */
  version: string;
  /**
   * Date of the first publication (ISO-8601 string)
   * @example 2021-08-10T20:45:08.342Z
   */
  at: string;
};

/**
 * External links associated with a dependency version.
 */
export interface DependencyLinks {
  /** NPM Registry page */
  npm: string;
  /** Homepage URL */
  homepage?: string;
  /** VCS repository URL */
  repository?: string;
}

/**
 * `engines` block of the manifest (version ranges as declared by the author).
 */
export interface Engines {
  node?: string;
  npm?: string;
}

/**
 * `repository` block of the manifest in its object form.
 */
export interface Repository {
  type: string;
  url: string;
}

/**
 * Analysis result for ONE version of a package found in the dependency tree.
 */
export interface DependencyVersion {
  /** Id of the package (useful for usedBy relation) */
  id: number;
  /** Module type of the package (CJS/ESM/...), as classified by @nodesecure/mama */
  type: PackageModuleType;
  isDevDependency: boolean;
  /**
   * Tells whether the given package exists on the configured remote registry (npm by default).
   * NOTE(review): a `false` value is the typical input for a
   * `dependency-confusion` GlobalWarning — confirm the link in the scanner implementation.
   * @default true
   */
  existOnRemoteRegistry: boolean;
  /** Dependencies (by id) that use this package */
  usedBy: Record<string, string>;
  /** Size on disk of the extracted tarball (in bytes) */
  size: number;
  /** Count of dependencies */
  dependencyCount: number;
  /** Package description */
  description: string;
  /** Author of the package. This information is not trustworthy and can be empty. */
  author: Maintainer | null;
  engines: Engines;
  repository?: Repository | string;
  /**
   * Raw `scripts` block of the manifest. Install-time lifecycle hooks
   * (`preinstall`, `install`, `postinstall`) listed here execute on the
   * consumer's machine, so they deserve review in any supply-chain audit.
   */
  scripts: Record<string, string>;
  /**
   * JS-X-Ray warnings
   *
   * @see https://github.com/NodeSecure/js-x-ray/blob/master/WARNINGS.md
   */
  warnings: Warning[];
  alias: Record<string, string>;
  /** Tarball composition (files and dependencies) */
  composition: {
    /** Files extensions (.js, .md, .exe etc..) */
    extensions: string[];
    files: string[];
    /** Minified files (foo.min.js etc..) */
    minified: string[];
    required_files: string[];
    required_thirdparty: string[];
    required_nodejs: string[];
    required_subpath: string[];
    unused: string[];
    missing: string[];
  };
  /**
   * All Licenses with their SPDX conformance
   */
  licenses: SpdxFileLicenseConformance[];
  uniqueLicenseIds: string[];
  /**
   * Flags (Array of string)
   *
   * @see https://github.com/NodeSecure/flags/blob/main/FLAGS.md
   */
  flags: string[];
  /**
   * If the dependency is a GIT repository
   */
  gitUrl: null | string;
  /**
   * Version MD5 integrity hash
   * Generated by the scanner to verify manifest/tarball confusion
   *
   * NOTE(review): this is a scanner-computed comparison fingerprint, not the
   * registry's subresource integrity value; MD5 is adequate for detecting
   * accidental divergence but not for resisting a deliberately crafted
   * collision — confirm the intended guarantee in the scanner implementation.
   *
   * (Not supported on GIT dependency)
   */
  integrity?: string;
  links?: DependencyLinks;
  /** Deprecation message from the registry, when the version is deprecated */
  deprecated?: string;
  /** Registry-provided attestations (e.g. provenance), when published with them */
  attestations?: Dist["attestations"];
}

/**
 * A package in the dependency tree: registry-level metadata plus every
 * version of it that appears in the tree.
 */
export interface Dependency {
  /** NPM Registry metadata */
  metadata: {
    /** Number of releases published on npm */
    publishedCount: number;
    lastUpdateAt: Date;
    /** Last version SemVer */
    lastVersion: string;
    hasChangedAuthor: boolean;
    hasManyPublishers: boolean;
    hasReceivedUpdateInOneYear: boolean;
    /** Author of the package. This information is not trustworthy and can be empty. */
    author: Maintainer | null;
    /** Package home page */
    homepage: string | null;
    /**
     * List of maintainers (list of people in the organization related to the package)
     */
    maintainers: Maintainer[];
    /**
     * List of people who published this package
     */
    publishers: Publisher[];
    /**
     * Version MD5 integrity hash, keyed by version
     * Generated by the scanner to verify manifest/tarball confusion
     */
    integrity: Record<string, string>;
  };
  /** List of versions of this package available in the dependency tree (In the payload) */
  versions: Record<string, DependencyVersion>;
  /**
   * Vulnerabilities fetched depending on the selected vulnerabilityStrategy
   *
   * @see https://github.com/NodeSecure/vuln
   */
  vulnerabilities: Vulnera.StandardVulnerability[];
}

/** Flattened dependency tree, keyed by package name. */
export type Dependencies = Record<string, Dependency>;

/**
 * Warning raised for a package that could be subject to dependency
 * confusion; `metadata.name` is the package concerned.
 */
export type DependencyConfusionWarning = {
  type: "dependency-confusion";
  message: string;
  metadata: {
    name: string;
  };
};

/**
 * Payload-level (not per-package) warning. Discriminate on `type`:
 * - "dangerous-dependency" | "integrity-mismatch" | "empty-package": free-form metadata
 *   (presumably "integrity-mismatch" is raised when the manifest/tarball
 *   integrity comparison fails — confirm in the scanner).
 * - "typo-squatting": `metadata.similar` lists the names it resembles.
 * - "dependency-confusion": see DependencyConfusionWarning.
 */
export type GlobalWarning = {
  message: string;
} & ({
  type: "dangerous-dependency" | "integrity-mismatch" | "empty-package";
  metadata?: Record<string, unknown>;
} | {
  type: "typo-squatting";
  metadata: {
    name: string;
    similar: string[];
  };
} | DependencyConfusionWarning);

/**
 * Timing record for one external API call made during the scan.
 */
export type ApiStats = {
  /**
   * UNIX Timestamp just before the api call start
   */
  startedAt: number;
  /**
   * Execution time in milliseconds
   */
  executionTime: number;
  /**
   * Name of the api call
   */
  name: string;
};

/**
 * Serialized error recorded during the scan.
 *
 * NOTE(review): this alias shadows the global `Error` constructor within this
 * module; consumers that also need the built-in should import it under an
 * alias (`import type { Error as ScannerError } from ...`).
 */
export type Error = {
  name: string;
  message?: string;
  stack?: string;
  /**
   * HTTP Status code
   */
  statusCode?: number;
};

/**
 * Aggregated timing and error statistics for a whole scan.
 */
export type Stats = {
  /**
   * UNIX Timestamp when the scan started
   */
  startedAt: number;
  /**
   * Execution time in milliseconds
   */
  executionTime: number;
  /**
   * Number of external API calls
   */
  apiCallsCount: number;
  apiCalls: ApiStats[];
  /**
   * Number of errors
   */
  errorCount: number;
  errors: Error[];
};

/**
 * A highlighted identifier found in source, with where it was seen.
 */
export type Identifier = {
  value: string;
  spec?: string;
  location: {
    file: string | null;
    /** Pairs of start/end positions; presumably [line, column] tuples — confirm against the js-x-ray location format */
    lines: [[number, number], [number, number]][];
  };
};

/**
 * Top-level result of a scan.
 */
export interface Payload {
  /** Payload unique id */
  id: string;
  /** Name, version and integrity of the analyzed (root) package */
  rootDependency: {
    name: string;
    version: string;
    /** The integrity of the scanned package */
    integrity: string | null;
  };
  /** Global warnings list */
  warnings: GlobalWarning[];
  /** Items matched by the `highlight` option (contacts, packages, identifiers) */
  highlighted: {
    contacts: IlluminatedContact[];
    packages: string[];
    identifiers: Identifier[];
  };
  /** All the dependencies of the package (flattened) */
  dependencies: Dependencies;
  /** Version of the scanner used to generate the result */
  scannerVersion: string;
  /** Vulnerability strategy name (npm, snyk, node) */
  vulnerabilityStrategy: Vulnera.Kind;
  metadata: Stats;
}

/**
 * A semver range; the `"*"` literal is already covered by `string` and is
 * kept only to document the "any version" wildcard.
 */
export type SemverRange = string | "*";

/** Packages to highlight: a plain list of names, or name -> versions/range. */
export type HighlightPackages = string[] | Record<string, string[] | SemverRange>;

/**
 * Scanner options shared by the `from()` and `cwd()` APIs.
 */
export interface Options {
  /**
   * Maximum tree depth
   *
   * @default Infinity
   */
  readonly maxDepth?: number;
  /**
   * Registry to resolve packages from.
   * NOTE(review): how this interacts with `existOnRemoteRegistry` and the
   * `dependency-confusion` warning is decided by the scanner — confirm there.
   */
  readonly registry?: string | URL;
  /**
   * Enables the use of Arborist for rapidly walking over the dependency tree.
   * When enabled, it triggers different methods based on the presence of `node_modules`:
   * - `loadActual()` if `node_modules` is available.
   * - `loadVirtual()` otherwise.
   *
   * When disabled, it will iterate on all dependencies by using pacote
   */
  packageLock?: {
    /**
     * Fetches all manifests for additional metadata.
     *
     * @default false
     */
    fetchManifest?: boolean;
    /**
     * Specifies the location of the manifest file for Arborist.
     * This is typically the path to the `package.json` file.
     */
    location: string;
  };
  /** Contacts, packages and identifiers to surface in `Payload.highlighted` */
  highlight?: {
    contacts?: Contact[];
    packages?: HighlightPackages;
    identifiers?: string[];
  };
  /**
   * Include project devDependencies (only available for cwd command)
   *
   * @default false
   */
  readonly includeDevDeps?: boolean;
  /**
   * Vulnerability strategy name (npm, snyk, node)
   *
   * @default NONE
   */
  readonly vulnerabilityStrategy?: Vulnera.Kind;
  /**
   * Analyze root package.
   *
   * @default false for from() API
   * @default true for cwd() API
   */
  readonly scanRootNode?: boolean;
  /**
   * Enable verbose mode
   *
   * @default false
   */
  isVerbose?: boolean;
}

/**
 * Source of registry authentication tokens.
 */
export interface TokenStore {
  /**
   * Get the token for the given registry, or `undefined` when none is configured.
   * The returned value is a credential: implementations and callers should
   * keep it out of logs and error messages.
   */
  get(registry: string): string | undefined;
}
//# sourceMappingURL=types.d.ts.map