UNPKG

@nodesecure/tarball

Version:

NodeSecure tarball scanner

github.com/NodeSecure/tree/master/workspaces/tarball

NodeSecure/scanner

109 lines 4.17 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
// Import Node.js Dependencies import path from "node:path"; // Import Third-party Dependencies import * as conformance from "@nodesecure/conformance"; import { ManifestManager } from "@nodesecure/mama"; import { AstAnalyser, DefaultCollectableSet, warnings, TsSourceParser } from "@nodesecure/js-x-ray"; // Import Internal Dependencies import { SourceCodeReport, SourceCodeScanner } from "./SourceCodeScanner.class.js"; import { getTarballComposition } from "../utils/index.js"; import { DnsResolver } from "./DnsResolver.class.js"; export class NpmTarball { static JS_EXTENSIONS = new Set([ ".js", ".mjs", ".cjs", ".ts", ".mts", ".cts", ".jsx", ".tsx" ]); manifest; #resolver; #astAnalyser; constructor(mama, options = {}) { if (!ManifestManager.isLocated(mama)) { throw new Error("ManifestManager must have a location"); } this.manifest = mama; this.#resolver = options?.resolver ?? new DnsResolver(); this.#astAnalyser = options?.astAnalyser ?? null; } async scanFiles(astAnalyserOptions, options = {}) { const { exclude = [] } = options; const location = this.manifest.location; const [composition, spdx] = await Promise.all([ getTarballComposition(location), conformance.extractLicenses(location) ]); let code; if (composition.files.length === 1 && composition.files.includes("package.json")) { code = new SourceCodeReport(); } else { const options = this.#optionsWithHostnameSet(astAnalyserOptions ?? {}); const astAnalyser = this.#astAnalyser ?? new AstAnalyser(options); const hostNameSet = astAnalyser.getCollectableSet("hostname"); code = await new SourceCodeScanner(this.manifest, { astAnalyser }).iterate({ manifest: [...this.manifest.getEntryFiles()] .flatMap(filterJavaScriptFiles(exclude)), javascript: composition.files .flatMap(filterJavaScriptFiles(exclude)) }); if (hostNameSet instanceof DefaultCollectableSet) { const operationQueue = Array.from(hostNameSet) .map(({ value, locations }) => this.#resolver.isPrivateHost(value) .then((isPrivate) => { if (isPrivate) { locations.forEach(({ file, location }) => { code.warnings.push({ kind: "shady-link", ...warnings["shady-link"], file: file ?? undefined, location, value, source: "Scanner" }); }); } })); await Promise.allSettled(operationQueue); } } return { conformance: spdx, composition, code }; } #optionsWithHostnameSet(options) { const hasHostnameSet = options?.collectables?.some((collectable) => collectable.type === "hostname"); if (hasHostnameSet) { return options; } return { ...options, collectables: [ ...options.collectables ?? [], new DefaultCollectableSet("hostname") ] }; } } function filterJavaScriptFiles(exclude = []) { return (file) => { // Exclude .d.ts files if (file.includes("d.ts")) { return []; } // Exclude files matching any glob pattern if (exclude.some((pattern) => path.matchesGlob(file, pattern))) { return []; } const fileExt = path.extname(file); if (NpmTarball.JS_EXTENSIONS.has(fileExt)) { return file; } if (TsSourceParser.FileExtensions.has(fileExt)) { return file; } return []; }; } //# sourceMappingURL=NpmTarball.class.js.map