@nodesecure/vuln

NodeSecure vulnerabilities strategies

Usage no npm install needed!

<script type="module">
  import nodesecureVuln from 'https://cdn.skypack.dev/@nodesecure/vuln';
</script>

README

Vulnerabilities strategies

version Maintenance Security Responsible Disclosure mit build

NodeSecure vulnerabilities strategies built for NodeSecure scanner.

Requirements

Getting Started

This package is available in the Node Package Repository and can be easily installed with npm or yarn.

$ npm i @nodesecure/vuln
# or
$ yarn add @nodesecure/vuln

Usage example

import * as vuln from "@nodesecure/vuln";

// Default strategy is currently "none".
await vuln.setStrategy(vuln.strategies.NPM_AUDIT);

const definition = await vuln.getStrategy();
console.log(definition.strategy);

await definition.hydratePayloadDependencies(new Map());

Available strategy

The default strategy is NONE which mean no strategy at all (we execute nothing).

NPM Audit Node.js Security WG - Database [COMING SOON] Snyk

Those strategies are described as "string" type with the following TypeScript definition:

type Kind = "npm" | "node" | "snyk" | "none";

To add a strategy or better understand how the code works, please consult the following guide.

API

See types/api.d.ts for a complete TypeScript definition.

function setStrategy(name?: Strategy.Kind, options?: Strategy.Options): Promise<Strategy.Definition>;
function getStrategy(): Promise<Strategy.Definition>;

const strategies: {
  SECURITY_WG: "node";
  NPM_AUDIT: "npm";
  SNYK: "snyk";
  NONE: "none";
};

/** Equal to strategies.NONE by default **/
const defaultStrategyName: string;

Strategy Kind, HydratePayloadDependenciesOptions, Options are described by the following interfaces:

export interface Options {
  /** Force hydratation of the strategy local database (if the strategy has one obviously) **/
  hydrateDatabase?: boolean;
}

export interface HydratePayloadDependenciesOptions {
  /**
   * Absolute path to the location to analyze (with a package.json and/or package-lock.json)
   * Useful to NPM Audit strategy
   **/
  path?: string;
}

export interface Definition {
  /** Name of the strategy **/
  strategy: Kind;
  /** Method to hydrate (insert/push) vulnerabilities in the dependencies retrieved by the Scanner **/
  hydratePayloadDependencies: (
    dependencies: Dependencies,
    options?: HydratePayloadDependenciesOptions
  ) => Promise<void>;
  /** Hydrate local database (if the strategy need one obviously) **/
  hydrateDatabase?: () => Promise<void>;
  /** Method to delete the local vulnerabilities database (if available) **/
  deleteDatabase?: () => Promise<void>;
}

Where dependencies is the dependencies Map() object of the scanner.

Note: the option hydrateDatabase is only useful for some of the strategy (like Node.js Security WG).

Contributors ✨

All Contributors

Thanks goes to these wonderful people (emoji key):


Gentilhomme
💻 📖 👀 🛡️ 🐛
Tony Gorez
💻 👀 🐛
Antoine
💻 🐛 📖
OlehSych
💻

License

MIT