UNPKG

@nodesecure/tarball

Version:

NodeSecure tarball scanner

github.com/NodeSecure/tree/master/workspaces/tarball

NodeSecure/scanner

139 lines 6.21 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
// Import Node.js Dependencies import path from "node:path"; import os from "node:os"; // Import Third-party Dependencies import {} from "@nodesecure/js-x-ray"; import * as conformance from "@nodesecure/conformance"; import { ManifestManager } from "@nodesecure/mama"; import pacote from "pacote"; // Import Internal Dependencies import { isSensitiveFile, booleanToFlags } from "./utils/index.js"; import { NpmTarball } from "./class/NpmTarball.class.js"; import { DependencyCollectableSet } from "./class/DependencyCollectableSet.class.js"; import { getEmptyPackageWarning, getSemVerWarning } from "./warnings.js"; import { NATIVE_CODE_EXTENSIONS, NPM_TOKEN } from "./constants.js"; export async function scanPackageCore(locationOrManifest, astAnalyserOptions) { const mama = await ManifestManager.fromPackageJSON(locationOrManifest); const dependencySet = new DependencyCollectableSet(mama); const tarex = new NpmTarball(mama); const { composition, conformance: conformanceResult, code } = await tarex.scanFiles({ ...astAnalyserOptions, collectables: [ ...astAnalyserOptions?.collectables ?? [], dependencySet ] }); const warnings = []; if (composition.files.length === 1 && composition.files.includes("package.json")) { warnings.push(getEmptyPackageWarning()); } if (mama.hasZeroSemver) { warnings.push(getSemVerWarning(mama.document.version)); } warnings.push(...code.warnings); const { files, dependencies, flags } = dependencySet.extract(); const { description, engines, repository, scripts } = mama.document; return { description, engines, repository, scripts, author: mama.author, integrity: mama.isWorkspace ? null : mama.integrity, type: mama.moduleType, size: composition.size, licenses: conformanceResult.licenses, uniqueLicenseIds: conformanceResult.uniqueLicenseIds, warnings, flags: Array.from(booleanToFlags({ ...flags, hasExternalCapacity: code.flags.hasExternalCapacity || flags.hasExternalCapacity, hasNoLicense: conformanceResult.uniqueLicenseIds.length === 0, hasMultipleLicenses: conformanceResult.uniqueLicenseIds.length > 1, hasMinifiedCode: code.minified.length > 0, hasWarnings: warnings.length > 0, hasBannedFile: composition.files.some((filePath) => isSensitiveFile(filePath)), hasNativeCode: mama.flags.isNative || composition.files.some((file) => NATIVE_CODE_EXTENSIONS.has(path.extname(file))), hasScript: mama.flags.hasUnsafeScripts })), composition: { extensions: [...composition.ext], files: composition.files, minified: code.minified, unused: dependencies.unused, missing: dependencies.missing, required_files: [...files], required_nodejs: dependencies.nodeJs, required_thirdparty: dependencies.thirdparty, required_subpath: dependencies.subpathImports }, path: code.path }; } export async function scanDirOrArchive(locationOrManifest, ref, options = {}) { const result = await scanPackageCore(locationOrManifest, options.astAnalyserOptions); const { description, engines, repository, scripts, author, integrity } = result; Object.assign(ref, { description, engines, repository, scripts, author, integrity }); ref.warnings.push(...result.warnings); ref.licenses = result.licenses; ref.uniqueLicenseIds = result.uniqueLicenseIds; ref.type = result.type; ref.size = result.size; ref.composition.extensions.push(...result.composition.extensions); ref.composition.files.push(...result.composition.files); ref.composition.minified = result.composition.minified; ref.composition.unused.push(...result.composition.unused); ref.composition.missing.push(...result.composition.missing); ref.composition.required_files = result.composition.required_files; ref.composition.required_nodejs = result.composition.required_nodejs; ref.composition.required_thirdparty = result.composition.required_thirdparty; ref.composition.required_subpath = result.composition.required_subpath; ref.path = result.path; const flags = result.flags.filter((flag) => flag !== "hasWarnings" || !ref.flags.includes("hasWarnings")); ref.flags.push(...flags); } export async function scanPackage(manifestOrLocation, options = {}) { const { astAnalyserOptions } = options; const mama = await ManifestManager.fromPackageJSON(manifestOrLocation); const extractor = new NpmTarball(mama); const dependencySet = new DependencyCollectableSet(mama); const { composition, conformance: conformanceResult, code } = await extractor.scanFiles({ ...astAnalyserOptions, collectables: [ ...(astAnalyserOptions?.collectables ?? []), dependencySet ] }); const warnings = [...code.warnings]; if (composition.files.length === 1 && composition.files.includes("package.json")) { warnings.push(getEmptyPackageWarning()); } return { files: { list: composition.files, extensions: [...composition.ext], minified: code.minified }, directorySize: composition.size, uniqueLicenseIds: conformanceResult.uniqueLicenseIds, licenses: conformanceResult.licenses, ast: { dependencies: dependencySet.dependencies, warnings }, path: code.path }; } export async function extractAndResolve(location, options) { const { spec, registry, pacoteProvider = pacote } = options; const tarballLocation = path.join(location, spec.replaceAll("/", "_")); await pacoteProvider.extract(spec, tarballLocation, { ...NPM_TOKEN, registry, cache: `${os.homedir()}/.npm`, userAgent: `@nodesecure/tarball node/${process.version}` }); return ManifestManager.fromPackageJSON(tarballLocation); } //# sourceMappingURL=tarball.js.map