V0.9.0 #89

Merged
merged 32 commits into from
Dec 5, 2021
Changes from all commits
Commits
32 commits
964abfc
chore: start implementing new NodeSecure back-end
fraxken Sep 4, 2021
183645c
refactor: complete revamp of CLI commands
fraxken Sep 4, 2021
f0165bc
chore: update NodeSecure dependencies
fraxken Sep 11, 2021
bf71305
refactor(lang): use new i18n.getLanguages method
fraxken Sep 11, 2021
4ad8728
chore: setup scanner Logger and old tree walker Spinners
fraxken Sep 11, 2021
d528d08
chore: update @nodesecure/scanner (1.3.0 to 1.4.0)
fraxken Sep 11, 2021
4a5f87e
chore: update @nodesecure/flags (1.0.0 to 1.1.0)
fraxken Oct 9, 2021
d36bb6a
test: make it work with ESM
fraxken Oct 9, 2021
716dbf1
fix: front-end build
fraxken Oct 9, 2021
f269692
fix(httpServer): always open link when the server is listening
fraxken Oct 9, 2021
296fbbc
fix: Emojis legend menu
fraxken Oct 9, 2021
3d4dd22
chore: update dependencies
fraxken Oct 23, 2021
86912e5
chore: debug on CLIUI
fraxken Oct 30, 2021
b097d2f
ci: remove Node.js v12 and v15
fraxken Oct 30, 2021
24517c9
docs: update README
fraxken Oct 30, 2021
fe6af2e
refactor(startHTTPServer): add options object & add openLink option
fraxken Oct 30, 2021
9127570
test: utils.js
fraxken Oct 30, 2021
bbe1c8b
test(commands): add summary test
fraxken Oct 30, 2021
8ea9b5b
refactor(test): use tape instead of jest
fraxken Oct 30, 2021
9ca6027
fix: eslint V7+ issue
fraxken Oct 30, 2021
f9a630a
chore: update dependencies
fraxken Oct 31, 2021
8238818
chore: update @nodesecure/scanner (1.5.0 to 2.0.0)
fraxken Nov 7, 2021
109ea23
refactor: use @nodesecure/utils & enhance author management
fraxken Nov 7, 2021
97a7412
chore: update @nodesecure/flags (1.2.0 to 2.0.0)
fraxken Nov 11, 2021
275b3ae
chore: update @nodesecure/scanner (2.0.1 to 2.1.0)
fraxken Nov 11, 2021
16853e3
chore: use flags v2 and new scanner flags
fraxken Nov 11, 2021
bf404c9
refactor: use @nodesecure/vis-network
fraxken Nov 11, 2021
9ddcd7e
refactor(http): clean code - split controllers / middleware (#90)
tony-go Nov 26, 2021
b05a006
fix: move bundlephobia call in the backend (#92)
tony-go Dec 4, 2021
e4fd634
fix(bundle): support for org namespace
fraxken Dec 5, 2021
2ace5c0
chore: update dependencies
fraxken Dec 5, 2021
9b5775e
chore(cli): fix a few minor issues
fraxken Dec 5, 2021
13 changes: 9 additions & 4 deletions .editorconfig
@@ -1,9 +1,14 @@
# Editor configuration, see https://editorconfig.org
root = true

[*]
indent_size = 4
indent_style = space
end_of_line = lf
charset = utf-8
trim_trailing_whitespace = true
indent_style = space
indent_size = 2
insert_final_newline = true
trim_trailing_whitespace = true
end_of_line = lf

[*.md]
max_line_length = off
trim_trailing_whitespace = false
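Review bot: the `[*]` change from `indent_size = 4` to `indent_size = 2` applies to every file type in the repository, so any existing file not re-indented in this PR now disagrees with the editor settings; either reformat those files in the same change or say in the PR description that the re-indent is deferred. The other keys under `[*]` are only reordered, which inflates the diff without changing anything; keeping the original order would leave a two-line change. `trim_trailing_whitespace = false` for `[*.md]` is the right call, since Markdown uses trailing double spaces for hard line breaks.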
11 changes: 4 additions & 7 deletions .eslintrc
@@ -1,10 +1,7 @@
{
"extends": "@slimio/eslint-config",
"rules": {
"jsdoc/require-jsdoc": "off",
"require-atomic-updates": "off",
"arrow-body-style": "off",
"new-cap": "off",
"no-invalid-this": "off"
"extends": "@nodesecure/eslint-config",
"parserOptions": {
"sourceType": "module",
"requireConfigFile": false
}
}
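Review bot: the five rule overrides dropped here (`jsdoc/require-jsdoc`, `require-atomic-updates`, `arrow-body-style`, `new-cap`, `no-invalid-this`) get no replacement, so unless `@nodesecure/eslint-config` already disables them the lint step will pick up new failures; confirm that before merging. `requireConfigFile` is a parser option rather than an ESLint core option, so it only has an effect if the shared config selects a parser that reads it; if it does not, drop the key to avoid a misleading setting.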
2 changes: 1 addition & 1 deletion .github/workflows/nodejs.yml
@@ -21,7 +21,7 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [12.x, 14.x, 15.x]
node-version: [14.x, 16.x]
fail-fast: false
steps:
- uses: actions/checkout@v2
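Review bot: the matrix keeps `14.x` while the README hunk in this same PR raises the requirement to "LTS 16.x or higher"; pick one, either keep 14.x in the README's supported range or drop it from the matrix, so that CI tests exactly what the project promises to support. Dropping 12.x and 15.x is consistent with the ESM move recorded in the commit list ("test: make it work with ESM").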
231 changes: 0 additions & 231 deletions FLAGS.md

This file was deleted.

45 changes: 8 additions & 37 deletions README.md
@@ -11,7 +11,6 @@
<a href="https://www.npmjs.com/package/nsecure"><img src="https://img.shields.io/github/license/ES-Community/nsecure?style=flat-square" alt="license"></a>
<a href="https://github.com/ES-Community/nsecure/actions?query=workflow%3A%22Node.js+CI%22"><img src="https://img.shields.io/github/workflow/status/ES-Community/nsecure/Node.js%20CI/master?style=flat-square" alt="github ci workflow"></a>
<a href="https://codecov.io/github/ES-Community/nsecure"><img src="https://img.shields.io/codecov/c/github/ES-Community/nsecure.svg?style=flat-square" alt="codecov"></a>
<a href="https://www.npmjs.com/package/nsecure"><img src="https://img.shields.io/david/ES-Community/nsecure?style=flat-square" alt="dependencies"></a>
<a href="./SECURITY.md"><img src="https://img.shields.io/badge/Security-Responsible%20Disclosure-yellow.svg?style=flat-square" alt="Responsible Disclosure Policy" /></a>
<a href="https://www.npmjs.com/package/nsecure"><img src="https://img.shields.io/npm/dw/nsecure?style=flat-square" alt="downloads"></a>
</p>
@@ -21,15 +20,15 @@
<img src="https://i.imgur.com/3xnTGBl.png">
</p>

## About
## 📢 About

[Node.js](https://nodejs.org/en/) security Command Line Interface. The goal of the project is to a design a CLI/API that will fetch and deeply analyze the dependency tree of a given **npm** package (Or a local project with a **package.json**) and output a **.json file** that will contains all metadata and flags about each packages. All this data will allow to quickly identify different issues across projects and packages (related to security and quality).

The CLI allow to load the JSON into a Webpage with the **open** command. The page will draw a Network of all dependencies with [vis.js](https://visjs.org/) (example in the screenshot above). We also wrote a little Google drive document a while ago that summarizes some of these points:

- [NodeSecure G.Drive Design document](https://docs.google.com/document/d/1853Uwup9mityAYqAOnen1KSqSA6hlBgpKU0u0ygGY4Y/edit?usp=sharing)

## Features
## 📜 Features

- Run an AST analysis on each .js/.mjs file in the packages tarball and sort out warnings (unsafe-regex, unsafe-import etc) and the complete list of required expr and statements (files, node.js module, etc.).
- Return complete composition for each packages (extensions, files, tarball size, etc).
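Review bot: the context lines in this hunk still read "The goal of the project is to a design a CLI/API", "will contains all metadata and flags about each packages" and "The CLI allow to load the JSON"; since the headings around this paragraph are being edited anyway, fix the wording in the same pass ("to design", "will contain", "each package", "The CLI allows").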
@@ -39,11 +38,11 @@ The CLI allow to load the JSON into a Webpage with the **open** command. The pag
- Add flags to each packages versions to identify well known patterns and potential security threats easily.
- Analyze npm packages and local Node.js projects.

## Requirements
## 🚧 Requirements

- [Node.js](https://nodejs.org/en/) version 12.12.0 or higher
- [Node.js](https://nodejs.org/en/) LTS 16.x or higher

## Getting Started
## 💃 Getting Started

```bash
$ npm install nsecure -g
@@ -66,7 +65,7 @@ $ nsecure auto express

> ⚠️ Setup an [npm token](https://github.com/ES-Community/nsecure#private-packages--registry) to avoid hiting the maximum request limit of the npm registry API.

## Usage example
## 👀 Usage example

To show the complete list of commands
```bash
@@ -136,35 +135,11 @@ $ npm config set "http://your-registry/"
```

## API
Use nsecure as an API package to fetch and work with the generated JSON. The following example demonstrates how to retrieve the Payload for mocha, cacache and is-wsl packages. It's possible to use the **cwd** method if you want to achieve similar work on a local project.

```js
const { from } = require("nsecure");
const { writeFile } = require("fs").promises;

async function main() {
const toFetch = ["mocha", "cacache", "is-wsl"];
const options = { verbose: false }; // disable verbose to not show the spinners

const payloads = await Promise.all(
toFetch.map((name) => from(name, options))
);

const toWritePromise = [];
for (let i = 0; i < toFetch.length; i++) {
const data = JSON.stringify(payloads[i], null, 2);
toWritePromise.push(writeFile(`${toFetch[i]}.json`, data));
}
await Promise.allSettled(toWritePromise);
}
main().catch(console.error);
```

The SlimIO [Security project](https://github.com/SlimIO/Security) use nsecure with the API to analyze packages and repositories of a given github organization (or user).
Our back-end scanner package is available [here](https://github.com/NodeSecure/scanner).

## Flags legends

Flags and emojis legends are documented [here](./FLAGS.md).
Flags and emojis legends are documented [here](https://github.com/NodeSecure/flags/blob/main/FLAGS.md).

## Searchbar filters

@@ -220,9 +195,5 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d

This project follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. Contributions of any kind welcome!

## Roadmap

We have created [a trello](https://trello.com/b/IY6lQ1A1/node-secure) so that we can plan long-term tasks. Do not hesitate to come participate and exchange your ideas!

## License
MIT
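Review bot: deleting the `## Roadmap` section also deletes the only link to the trello board; if the board is still used for planning, keep the link somewhere (a contributing section would fit), and if it is retired, say so in the PR description so the removal is not read as accidental.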