;
// CommonJS module preamble; the `__esModule` flag and the `(0, mod.fn)` call
// style further down look like compiler (TypeScript-style) output, so this
// file is generated rather than hand-written.
Object.defineProperty(exports, "__esModule", { value: true });
// Placeholder so the named export exists before the class is defined below.
exports.YarnAuditScanner = void 0;
// child_process is the only module-load dependency; the path validator is
// required lazily inside scan().
const child_process_1 = require("child_process");
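class YarnAuditScanner {
    constructor() {
        // Identifier written into every finding's `scanner` field.
        this.name = 'yarn-audit';
        this.description = 'Scan Yarn dependencies for vulnerabilities using yarn audit';
        this.version = '1.0.0';
    }
    /** No setup is needed; present so the scanner matches the common interface. */
    async init() {
        // No special init required
    }
    /**
     * Convert the newline-delimited JSON emitted by `yarn audit --json` into
     * findings.
     *
     * Lines that are not JSON are skipped (yarn interleaves progress text).
     * `auditAdvisory` records become findings; `error` records are collected
     * so the caller can report a failed run instead of treating it as clean.
     *
     * @param {string} output - Raw stdout of the audit run.
     * @returns {{ results: Array<object>, errors: string[] }} Findings and any
     *   error messages yarn reported in its JSON stream.
     * @throws {Error} If an `auditAdvisory` record lacks the fields a finding
     *   needs (e.g. no `advisory.id`); the caller reports this as a parse failure.
     */
    parseAuditOutput(output) {
        const results = [];
        const errors = [];
        for (const rawLine of output.split('\n')) {
            const line = rawLine.trim();
            if (line === '') {
                continue;
            }
            let record;
            try {
                record = JSON.parse(line);
            }
            catch (parseError) {
                // Skip non-JSON lines
                continue;
            }
            if (record && record.type === 'error') {
                errors.push(typeof record.data === 'string' ? record.data : JSON.stringify(record.data));
                continue;
            }
            if (!record || record.type !== 'auditAdvisory') {
                continue;
            }
            const advisory = record.data.advisory;
            results.push({
                id: `yarn-audit-${advisory.id}`,
                type: 'vulnerability',
                severity: advisory.severity,
                title: `Yarn Audit: ${advisory.title}`,
                description: advisory.overview,
                file: 'package.json',
                line: 0,
                column: 0,
                // Intentionally throws on a missing id: a malformed advisory is a
                // parse failure, not a finding to silently drop.
                rule: advisory.id.toString(),
                scanner: this.name,
                timestamp: new Date(),
                metadata: {
                    module_name: advisory.module_name,
                    vulnerable_versions: advisory.vulnerable_versions,
                    patched_versions: advisory.patched_versions,
                    recommendation: advisory.recommendation,
                    references: advisory.references,
                    cwe: advisory.cwe
                }
            });
        }
        return { results, errors };
    }
    /**
     * Run `yarn audit --json` in `repoPath` and return one finding per advisory.
     *
     * Exit-code handling: yarn audit (classic) does not exit 0/1. Its non-zero
     * exit code is a bitmask of the severities found (1 info, 2 low,
     * 4 moderate, 8 high, 16 critical), so a tree with only high findings
     * exits with 8. Gating on `code === 0 || code === 1` therefore dropped
     * every run that contained anything above "info". Findings are now taken
     * from the JSON stream regardless of the exit code, and the run is
     * rejected only when yarn exited non-zero without producing a single
     * advisory (no lockfile, network failure, yarn missing, incompatible
     * yarn version). A broken run is thus never reported as "no issues".
     *
     * @param {string} repoPath - Directory containing package.json / yarn.lock.
     * @returns {Promise<Array<object>>} Findings; empty when no advisories.
     * @throws {Error} When repoPath fails validation, when yarn cannot be
     *   spawned, when the audit exits non-zero with no advisories, or when
     *   an advisory record cannot be converted to a finding.
     */
    async scan(repoPath) {
        // repoPath becomes the working directory of a shell-spawned process,
        // so validate it before use.
        const { InputValidator } = require('../utils/validation');
        if (!InputValidator.validatePath(repoPath)) {
            throw new Error('Invalid repository path');
        }
        return new Promise((resolve, reject) => {
            // shell: true is kept so the `yarn.cmd` shim resolves on Windows. The
            // argument list is fixed and repoPath only sets cwd, so no caller data
            // is interpolated into a shell string.
            const yarn = (0, child_process_1.spawn)('yarn', ['audit', '--json'], {
                cwd: repoPath,
                shell: true
            });
            let stdout = '';
            let stderr = '';
            yarn.stdout.on('data', (data) => {
                stdout += data.toString();
            });
            // stderr is captured so a failed run can say why it failed.
            yarn.stderr.on('data', (data) => {
                stderr += data.toString();
            });
            yarn.on('error', (error) => {
                reject(new Error(`Yarn audit execution failed: ${error.message}`));
            });
            yarn.on('close', (code) => {
                try {
                    const { results, errors } = this.parseAuditOutput(stdout);
                    // Fail closed: non-zero exit with no advisories means the audit
                    // itself did not run, not that the dependency tree is clean.
                    if (code !== 0 && results.length === 0) {
                        const detail = [...errors, stderr.trim()].filter((s) => s !== '').join('; ');
                        reject(new Error(`Yarn audit exited with code ${code} and produced no results: ${detail}`));
                        return;
                    }
                    resolve(results);
                }
                catch (error) {
                    reject(new Error(`Failed to parse yarn audit results: ${error}`));
                }
            });
        });
    }
    /**
     * Check whether a `yarn` executable can be run from this process.
     *
     * @returns {Promise<boolean>} true when `yarn --version` exits 0; false on
     *   a non-zero exit, a spawn error, or a synchronous spawn failure. Never
     *   rejects.
     */
    async isAvailable() {
        return new Promise((resolve) => {
            try {
                const probe = (0, child_process_1.spawn)('yarn', ['--version'], { shell: true });
                probe.on('error', () => {
                    resolve(false);
                });
                probe.on('close', (code) => {
                    resolve(code === 0);
                });
            }
            catch (error) {
                // spawn can throw synchronously (e.g. bad options); treat as unavailable.
                resolve(false);
            }
        });
    }
}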
exports.YarnAuditScanner = YarnAuditScanner;
// The default export is one shared instance created at module load, so every
// importer of the default sees the same object.
exports.default = new YarnAuditScanner();
//# sourceMappingURL=yarn-audit.js.map