This package has been deprecated

Author message:

Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

@nodesecure/vuln
TypeScript icon, indicating that this package has built-in type declarations

1.7.0 • Public • Published

Vulnerabilities strategies

version Maintenance Security Responsible Disclosure mit build

NodeSecure vulnerabilities strategies built for NodeSecure scanner.

Requirements

Getting Started

This package is available in the Node Package Repository and can be easily installed with npm or yarn.

$ npm i @nodesecure/vuln
# or
$ yarn add @nodesecure/vuln

Usage example

import * as vuln from "@nodesecure/vuln";

// Default strategy is currently "none".
await vuln.setStrategy(vuln.strategies.NPM_AUDIT);

const definition = await vuln.getStrategy();
console.log(definition.strategy);

await definition.hydratePayloadDependencies(new Map());

Available strategy

The default strategy is NONE which mean no strategy at all (we execute nothing).

NPM Audit Node.js Security WG - Database Sonatype - OSS Index [COMING SOON] Snyk

Those strategies are described as "string" type with the following TypeScript definition:

type Kind = "npm" | "node" | "sonatype" | "snyk" | "none";

To add a strategy or better understand how the code works, please consult the following guide.

API

See types/api.d.ts for a complete TypeScript definition.

function setStrategy(name?: Strategy.Kind, options?: Strategy.Options): Promise<Strategy.Definition>;
function getStrategy(): Promise<Strategy.Definition>;

const strategies: {
  SECURITY_WG: "node";
  NPM_AUDIT: "npm";
  SONATYPE: "sonatype";
  SNYK: "snyk";
  NONE: "none";
};

/** Equal to strategies.NONE by default **/
const defaultStrategyName: string;

Strategy Kind, HydratePayloadDependenciesOptions, Options are described by the following interfaces:

export interface Options {
  /** Force hydratation of the strategy local database (if the strategy has one obviously) **/
  hydrateDatabase?: boolean;
}

export interface HydratePayloadDependenciesOptions {
  /**
   * Absolute path to the location to analyze (with a package.json and/or package-lock.json)
   * Useful to NPM Audit strategy
   **/
  path?: string;
}

export interface Definition<T> {
  /** Name of the strategy **/
  strategy: Kind;
  /** Method to hydrate (insert/push) vulnerabilities in the dependencies retrieved by the Scanner **/
  hydratePayloadDependencies: (
    dependencies: Dependencies,
    options?: HydratePayloadDependenciesOptions
  ) => Promise<void>;
  /** Method to get vulnerabilities using the current strategy **/
  getVulnerabilities: (path: string, options?: GetVulnerabilitiesOptions) => Promise<T | StandardVulnerability>;
  /** Hydrate local database (if the strategy need one obviously) **/
  hydrateDatabase?: () => Promise<void>;
  /** Method to delete the local vulnerabilities database (if available) **/
  deleteDatabase?: () => Promise<void>;
}

Where dependencies is the dependencies Map() object of the scanner.

Note: the option hydrateDatabase is only useful for some of the strategy (like Node.js Security WG).

Contributors

All Contributors

Thanks goes to these wonderful people (emoji key):


Gentilhomme

💻 📖 👀 🛡️ 🐛

Tony Gorez

💻 👀 🐛

Antoine

💻 🐛 📖

OlehSych

💻

Mathieu

💻

License

MIT

Package Sidebar

Install

npm i @nodesecure/vuln

Weekly Downloads

76

Version

1.7.0

License

MIT

Unpacked Size

39.4 kB

Total Files

23

Last publish

Collaborators

  • antoine-coulon
  • fraxken
  • kawacrepe
  • pierred
  • tonygo