https://github.com/NodeSecure/vulnera
Programmatically fetch security vulnerabilities with one or many strategies (NPM Audit, Sonatype, Snyk, Node.js DB).
- Host: GitHub
- URL: https://github.com/NodeSecure/vulnera
- Owner: NodeSecure
- License: mit
- Created: 2021-08-07T14:48:19.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2024-08-14T11:20:08.000Z (over 1 year ago)
- Last Synced: 2024-08-14T12:45:56.087Z (over 1 year ago)
- Topics: audit, nodesecure, npm, security, vuln, vulnerabilities
- Language: TypeScript
- Homepage:
- Size: 816 KB
- Stars: 30
- Watchers: 4
- Forks: 14
- Open Issues: 6
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Security: SECURITY.md
README
The **vuln-*era*** has begun! Programmatically fetch security vulnerabilities with one or many strategies. Originally designed to analyze the dependencies produced by [Scanner](https://github.com/NodeSecure/scanner), it can now also run on its own against an npm manifest.
## Requirements
- [Node.js](https://nodejs.org/en/) v20 or higher
## Getting Started
This package is available on the npm registry and can be easily installed with [npm](https://docs.npmjs.com/getting-started/what-is-npm) or [yarn](https://yarnpkg.com).
```bash
$ npm i @nodesecure/vulnera
# or
$ yarn add @nodesecure/vulnera
```
## Usage example
```js
import * as vulnera from "@nodesecure/vulnera";

// Select the strategy to use (the default, NONE, fetches nothing).
await vulnera.setStrategy(
  vulnera.strategies.GITHUB_ADVISORY
);

// Retrieve the definition of the currently selected strategy.
const definition = await vulnera.getStrategy();
console.log(definition.strategy); // "github-advisory"

// Scan the project in the current working directory and return
// its vulnerabilities in the Standard format.
const vulnerabilities = await definition.getVulnerabilities(process.cwd(), {
  useFormat: "Standard"
});
console.log(vulnerabilities);
```
## Available strategies
The default strategy is **NONE**, which means no strategy at all (nothing is executed).

- [GitHub Advisory](./docs/github_advisory.md)
- [Sonatype - OSS Index](./docs/sonatype.md)
- Snyk

Each strategy is identified by a string, described by the following TypeScript union **type**:
```ts
type Kind = "github-advisory" | "snyk" | "sonatype" | "none";
```
To add a strategy or better understand how the code works, please consult [the following guide](./docs/adding_new_strategy.md).
## API
```ts
// AllStrategy maps each Kind to its strategy definition; AnyStrategy is the union of them.
function setStrategy<T extends Kind>(name: T): AllStrategy[T];
function getStrategy(): AnyStrategy;

// Frozen object mapping constant names to strategy kinds.
const strategies: Readonly<{
  GITHUB_ADVISORY: "github-advisory";
  SNYK: "snyk";
  SONATYPE: "sonatype";
  NONE: "none";
}>;

/** Equal to strategies.NONE by default **/
const defaultStrategyName: "none";
```
Strategies extend the following set of interfaces:
```ts
export interface BaseStrategy<T extends Kind> {
  /** Name of the strategy **/
  strategy: T;

  /** Method to hydrate dependency vulnerabilities fetched by the Scanner **/
  hydratePayloadDependencies: (
    dependencies: Dependencies,
    options?: HydratePayloadDepsOptions
  ) => Promise<void>;
}

export interface ExtendedStrategy<
  T extends Kind, VulnFormat
> extends BaseStrategy<T> {
  /** Method to get vulnerabilities using the current strategy **/
  getVulnerabilities: (
    path: string,
    options?: BaseStrategyOptions
  ) => Promise<(VulnFormat | StandardVulnerability)[]>;
}

export type BaseStrategyFormat = "Standard";

export interface BaseStrategyOptions {
  useFormat?: BaseStrategyFormat;
}

export interface HydratePayloadDepsOptions extends BaseStrategyOptions {
  /**
   * Absolute path to the location to analyze
   * (with a package.json and/or package-lock.json for NPM Audit for example)
   **/
  path?: string;
}
```
Where `dependencies` is the dependencies **Map()** object of the NodeSecure Scanner.
> [!NOTE]
> The option **hydrateDatabase** is only useful for some strategies (such as the Node.js Security WG one).
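To make the contract above concrete, here is an added example of a self-contained strategy object that satisfies the `BaseStrategy`/`ExtendedStrategy` interfaces. It is not code from @nodesecure/vulnera: the `"local-db"` kind, the advisory records, the fields of the `StandardVulnerability` stand-in, the shape of the dependencies `Map` and the lockfile-based version discovery are all simplified assumptions made for this example (the real Standard format is in `docs/formats/standard.md`). The point it shows that the README alone does not is where installed versions come from (the lockfile, not the ranges in `package.json`), how nested installs are handled, and why a range matcher should throw on input it does not understand rather than fail open.

```typescript
// Added example, not part of @nodesecure/vulnera. Interfaces mirror the README's
// API section; "local-db", the advisories, the dependency Map shape and the
// StandardVulnerability fields are simplified assumptions for this example.
import { mkdtempSync, readFileSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

type Kind = "github-advisory" | "snyk" | "sonatype" | "none" | "local-db"; // "local-db" is hypothetical

// Simplified stand-in for the Standard format.
interface StandardVulnerability {
  id: string;
  origin: Kind;
  package: string;
  severity: "low" | "medium" | "high" | "critical";
  vulnerableRanges: string[];   // only "<x.y.z" is understood below
  vulnerableVersions: string[]; // installed versions that matched
}

// Assumed simplified shape of the Scanner dependencies Map: name -> version -> payload.
interface Dependency { versions: Record<string, { vulnerabilities: StandardVulnerability[] }> }
type Dependencies = Map<string, Dependency>;

interface BaseStrategyOptions { useFormat?: "Standard" }
interface HydratePayloadDepsOptions extends BaseStrategyOptions { path?: string }
interface BaseStrategy<T extends Kind> {
  strategy: T;
  hydratePayloadDependencies: (deps: Dependencies, options?: HydratePayloadDepsOptions) => Promise<void>;
}
interface ExtendedStrategy<T extends Kind, VulnFormat> extends BaseStrategy<T> {
  getVulnerabilities: (path: string, options?: BaseStrategyOptions) => Promise<(VulnFormat | StandardVulnerability)[]>;
}

// Constructed advisory database standing in for a remote source.
const LOCAL_ADVISORIES: Omit<StandardVulnerability, "vulnerableVersions">[] = [
  { id: "LOCAL-0001", origin: "local-db", package: "left-pad", severity: "high", vulnerableRanges: ["<1.3.0"] },
  { id: "LOCAL-0002", origin: "local-db", package: "lodash", severity: "medium", vulnerableRanges: ["<4.17.21"] }
];

function parseVersion(v: string): number[] {
  const parts = v.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`invalid version: ${v}`);
  return parts;
}

// Only "<x.y.z" ranges are supported. Anything else throws instead of returning
// false: a matcher that fails open would silently hide vulnerabilities.
export function matchesRange(version: string, range: string): boolean {
  const m = /^<(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (m === null) throw new Error(`unsupported range: ${range}`);
  const a = parseVersion(version), b = parseVersion(m[1]);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Installed versions come from package-lock.json (lockfileVersion 3 "packages"),
// not from the ranges in package.json. Nested copies get their own entries.
export function installedVersions(path: string): Map<string, Set<string>> {
  const lock = JSON.parse(readFileSync(join(path, "package-lock.json"), "utf8"));
  const out = new Map<string, Set<string>>();
  for (const [key, entry] of Object.entries(lock.packages ?? {}) as [string, { version?: string }][]) {
    if (key === "" || entry.version === undefined) continue; // "" is the root project itself
    const marker = "node_modules/";
    const name = key.slice(key.lastIndexOf(marker) + marker.length);
    if (!out.has(name)) out.set(name, new Set());
    out.get(name)!.add(entry.version);
  }
  return out;
}

// Standalone mode: every advisory whose package is installed in a vulnerable version.
export function findVulnerabilities(path: string): StandardVulnerability[] {
  const installed = installedVersions(path);
  const found: StandardVulnerability[] = [];
  for (const adv of LOCAL_ADVISORIES) {
    const versions = [...(installed.get(adv.package) ?? [])]
      .filter((v) => adv.vulnerableRanges.some((r) => matchesRange(v, r)));
    if (versions.length > 0) found.push({ ...adv, vulnerableVersions: versions });
  }
  return found;
}

// Scanner mode: attach advisories to each vulnerable version already in the Map.
export function hydrate(dependencies: Dependencies): void {
  for (const [name, dep] of dependencies) {
    for (const [version, payload] of Object.entries(dep.versions)) {
      for (const adv of LOCAL_ADVISORIES) {
        if (adv.package === name && adv.vulnerableRanges.some((r) => matchesRange(version, r))) {
          payload.vulnerabilities.push({ ...adv, vulnerableVersions: [version] });
        }
      }
    }
  }
}

export const localDbStrategy: ExtendedStrategy<"local-db", StandardVulnerability> = {
  strategy: "local-db",
  async getVulnerabilities(path, options = {}) {
    if (options.useFormat !== undefined && options.useFormat !== "Standard") throw new Error("unsupported format");
    return findVulnerabilities(path);
  },
  async hydratePayloadDependencies(dependencies) {
    hydrate(dependencies);
  }
};

// Constructed sample project: vulnerable left-pad, patched top-level lodash, vulnerable nested lodash.
export function writeSampleProject(): string {
  const dir = mkdtempSync(join(tmpdir(), "vulnera-example-"));
  writeFileSync(join(dir, "package-lock.json"), JSON.stringify({
    lockfileVersion: 3,
    packages: {
      "": { name: "sample" },
      "node_modules/left-pad": { version: "1.2.0" },
      "node_modules/lodash": { version: "4.17.21" },
      "node_modules/foo": { version: "1.0.0" },
      "node_modules/foo/node_modules/lodash": { version: "4.17.20" }
    }
  }));
  return dir;
}

// Constructed Scanner-style dependencies Map with one patched and one vulnerable lodash version.
export function sampleDependencies(): Dependencies {
  return new Map<string, Dependency>([
    ["lodash", { versions: { "4.17.20": { vulnerabilities: [] }, "4.17.21": { vulnerabilities: [] } } }]
  ]);
}
```

`localDbStrategy.getVulnerabilities(writeSampleProject())` reports `LOCAL-0001` for `left-pad@1.2.0` and `LOCAL-0002` for the nested `lodash@4.17.20` only, while the patched top-level `lodash@4.17.21` is left alone. A production strategy would replace `matchesRange` with a real semver library and read advisories from one of the databases listed below, but the shape of the object is what vulnera's `setStrategy`/`getStrategy` API expects.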
### Formats
- [Standard](./docs/formats/standard.md)
### Databases
- [OSV](./docs/database/osv.md)
- [NVD](./docs/database/nvd.md)
- [Snyk](./docs/database/snyk.md)
- [Sonatype](./docs/database/sonatype.md)
## Contributors ✨
Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/docs/en/emoji-key)):
- Gentilhomme: 💻 📖 👀 🛡️ 🐛
- Tony Gorez: 💻 👀 🐛
- Antoine: 💻 🐛 📖
- OlehSych: 💻
- Mathieu: 💻
- PierreD: 💻 📖
- Kouadio Fabrice Nguessan: 💻 🚧
- benjamin antonioli: 💻 ⚠️
## License
MIT