#!/usr/bin/env node
'use strict'
const {spawn} = require('child_process')
const os = require('os')
const path = require('path')
const fs = require('fs')
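/**
 * Map an npm audit severity onto the severity vocabulary used by the
 * GitLab dependency-scanning report.
 *
 * npm emits info / low / moderate / high / critical; the report uses
 * Info / Low / Medium / High / Critical. Matching is case-insensitive.
 *
 * Anything unrecognised (including a missing or non-string value, which
 * previously threw a TypeError on `.toLowerCase()`) maps to 'Critical' so
 * that a malformed or newly introduced level fails closed and is surfaced
 * loudly rather than silently downgraded. The one deliberate exception is
 * npm's genuine "info" level, which used to fall into that default and
 * inflate purely informational advisories to Critical.
 *
 * @param {string} priority - severity string from an npm advisory.
 * @returns {string} one of 'Info', 'Low', 'Medium', 'High', 'Critical'.
 */
function getPriority(priority) {
  const level = typeof priority === 'string' ? priority.toLowerCase() : ''
  switch (level) {
    case 'info':
      return 'Info'
    case 'low':
      return 'Low'
    case 'moderate':
      return 'Medium'
    case 'high':
      return 'High'
    case 'critical':
      return 'Critical'
    default:
      // Fail closed: unknown levels are treated as the most severe.
      return 'Critical'
  }
}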
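/**
 * Run `npm audit --json` in the current directory and hand the raw report
 * to parse(), which writes gl-dependency-scanning-report.json.
 *
 * npm's stdout is captured in-process and written into a fresh private
 * temp directory (mkdtemp, mode 0700) before parse() reads it. The
 * previous form — `npm audit --json > <tmpdir>/audit.json` run through
 * `shell: true` — had two problems: the path came from os.tmpdir(), i.e.
 * from $TMPDIR, and was spliced unquoted into a shell command line (a
 * path with spaces or shell metacharacters breaks or rewrites the
 * command), and the file name was fixed and world-predictable, so another
 * local user on a shared /tmp could pre-create or symlink audit.json and
 * feed parse() a forged report.
 *
 * npm's stderr is passed straight through. Its exit status is ignored
 * because `npm audit` exits 1 whenever it finds vulnerabilities; parse()
 * is responsible for telling a real failure apart from that.
 */
function audit() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'npm-audit-'))
  const fp = path.join(dir, 'audit.json')
  const cleanup = () => {
    // Best-effort removal of the private scratch directory; it holds
    // nothing but our own file, and a leftover is harmless.
    try { fs.unlinkSync(fp) } catch (e) { /* not written yet */ }
    try { fs.rmdirSync(dir) } catch (e) { /* already gone */ }
  }
  // argv is a constant with no interpolated data, so nothing user- or
  // environment-controlled reaches a shell. `shell` is only enabled on
  // Windows, where `npm` resolves to npm.cmd and needs the shell to run.
  const child = spawn('npm', ['audit', '--json'], {
    shell: process.platform === 'win32'
  , stdio: ['ignore', 'pipe', 'inherit']
  })
  const chunks = []
  let spawnFailed = false
  child.stdout.on('data', (chunk) => {
    chunks.push(chunk)
  })
  child.on('error', (err) => {
    // Typically ENOENT (npm not on PATH). Without a handler this surfaces
    // as an uncaught 'error' event with no useful context.
    spawnFailed = true
    console.error(`npm audit could not be started: ${err.message}`)
    process.exitCode = 1
    cleanup()
  })
  child.on('close', () => {
    // Don't check exit code because `npm audit --json` will exit with 1
    // if there are vulnerabilities.
    if (spawnFailed) return
    fs.writeFileSync(fp, Buffer.concat(chunks))
    try {
      parse(fp)
    } finally {
      cleanup()
    }
  })
}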
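/**
 * Convert a raw `npm audit --json` report into GitLab's Dependency
 * Scanning report format (schema version 2.0) and write it to
 * gl-dependency-scanning-report.json in the current directory.
 *
 * One entry is emitted per (advisory, finding) pair — i.e. per vulnerable
 * package version actually installed — with every dependency path to it
 * listed in the description.
 *
 * NOTE(review): this reads the npm 6 audit schema (top-level `advisories`,
 * each with `cves`, `cwe` and `findings[].paths` / `findings[].version`).
 * npm 7+ emits a differently shaped `vulnerabilities` map instead; confirm
 * which npm versions this tool is expected to run under.
 *
 * @param {string} fp - path to the raw npm audit JSON file.
 * @throws {Error} if the file is not valid JSON, if npm reported a failure
 *   (`{ error: ... }`) instead of a report, or if the report carries no
 *   `advisories` object.
 */
function parse(fp) {
  // Read + JSON.parse rather than require(): require() caches by path (a
  // second parse() in the same process would silently reuse the first
  // result) and would execute the file as code if it were not a *.json.
  const audit = JSON.parse(fs.readFileSync(fp, 'utf8'))
  if (audit && audit.error) {
    // npm also exits 1 on failure (e.g. no registry access), so the exit
    // code cannot distinguish "vulnerabilities found" from "audit broke";
    // the error object in the JSON is the only reliable signal.
    const why = audit.error.summary || audit.error.code || JSON.stringify(audit.error)
    throw new Error(`npm audit failed: ${why}`)
  }
  if (!audit || typeof audit.advisories !== 'object' || audit.advisories === null) {
    throw new Error(`${fp}: npm audit output has no "advisories" object`)
  }
  const result = []
  for (const advisory of Object.values(audit.advisories)) {
    const {
      title
    , overview
    , recommendation
    , severity
    , url
    , module_name
    , findings
    } = advisory
    // `cves` is normally an array (possibly empty, for advisories without
    // a CVE); treat a missing one as empty everywhere. The original
    // guarded it for the `cve` field but iterated it unguarded below.
    const cves = Array.isArray(advisory.cves) ? advisory.cves : []
    const cve = cves.length ? cves[0] : null
    const sev = getPriority(severity)
    // Identifiers depend only on the advisory, so build them once rather
    // than once per finding.
    const identifiers = cves.map((id) => ({
      type: 'cve'
    , name: id
    , value: id
    , url: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=${id}`
    }))
    for (const finding of Array.isArray(findings) ? findings : []) {
      // npm joins dependency chains with a bare '>'; space it out so the
      // description is readable in the UI.
      const paths = (Array.isArray(finding.paths) ? finding.paths : [])
        .map((chain) => chain.replace(/\>/g, ' > '))
        .join(', ')
      result.push({
        description: `${overview}\n\nFound in:\n\n${paths}`
      , message: `${title} in ${module_name}`
      , category: 'dependency_scanning'
      , name: title
      , scanner: {
          id: 'npm-audit'
        , name: 'npm'
        }
      , cve
      , cwe: advisory.cwe
      , solution: recommendation
      , links: [{ url }]
      , severity: sev
      , priority: sev
      , identifiers
      , location: {
          file: 'package-lock.json'
        , dependency: {
            package: {
              name: module_name
            }
          , version: finding.version
          }
        }
      })
    }
  }
  const filename = 'gl-dependency-scanning-report.json'
  const out = {
    version: '2.0'
  , vulnerabilities: result
  }
  fs.writeFileSync(filename, JSON.stringify(out, null, 2), 'utf8')
}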
// Only run the audit when this file is executed directly (`node index.js`);
// when it is require()d, parse() and getPriority() can be used without
// spawning npm.
const runAsScript = require.main === module
if (runAsScript) {
  audit()
}