Vulnerabilities strategies
NodeSecure vulnerabilities strategies built for NodeSecure scanner.
Requirements
- Node.js v16 or higher
Getting Started
This package is available in the Node Package Repository and can be easily installed with npm or yarn.
$ npm i @nodesecure/vuln
# or
$ yarn add @nodesecure/vulnUsage example
import * as vuln from "@nodesecure/vuln";
// Default strategy is currently "none".
await vuln.setStrategy(vuln.strategies.NPM_AUDIT);
const definition = await vuln.getStrategy();
console.log(definition.strategy);
await definition.hydratePayloadDependencies(new Map());Available strategy
The default strategy is NONE which mean no strategy at all (we execute nothing).
| NPM Audit | Node.js Security WG - Database | Sonatype - OSS Index | [COMING SOON] Snyk |
|---|---|---|---|
 |
 |
 |
 |
Those strategies are described as "string" type with the following TypeScript definition:
type Kind = "npm" | "node" | "sonatype" | "snyk" | "none";To add a strategy or better understand how the code works, please consult the following guide.
API
See types/api.d.ts for a complete TypeScript definition.
function setStrategy(name?: Strategy.Kind, options?: Strategy.Options): Promise<Strategy.Definition>;
function getStrategy(): Promise<Strategy.Definition>;
const strategies: {
SECURITY_WG: "node";
NPM_AUDIT: "npm";
SONATYPE: "sonatype";
SNYK: "snyk";
NONE: "none";
};
/** Equal to strategies.NONE by default **/
const defaultStrategyName: string;Strategy Kind, HydratePayloadDependenciesOptions, Options are described by the following interfaces:
export interface Options {
/** Force hydratation of the strategy local database (if the strategy has one obviously) **/
hydrateDatabase?: boolean;
}
export interface HydratePayloadDependenciesOptions {
/**
* Absolute path to the location to analyze (with a package.json and/or package-lock.json)
* Useful to NPM Audit strategy
**/
path?: string;
}
export interface Definition<T> {
/** Name of the strategy **/
strategy: Kind;
/** Method to hydrate (insert/push) vulnerabilities in the dependencies retrieved by the Scanner **/
hydratePayloadDependencies: (
dependencies: Dependencies,
options?: HydratePayloadDependenciesOptions
) => Promise<void>;
/** Method to get vulnerabilities using the current strategy **/
getVulnerabilities: (path: string, options?: GetVulnerabilitiesOptions) => Promise<T | StandardVulnerability>;
/** Hydrate local database (if the strategy need one obviously) **/
hydrateDatabase?: () => Promise<void>;
/** Method to delete the local vulnerabilities database (if available) **/
deleteDatabase?: () => Promise<void>;
}Where dependencies is the dependencies Map() object of the scanner.
Note: the option hydrateDatabase is only useful for some of the strategy (like Node.js Security WG).
Contributors ✨
Thanks goes to these wonderful people (emoji key):
 Gentilhomme |
 Tony Gorez |
 Antoine |
 OlehSych |
 Mathieu |
License
MIT