NodeSecure vulnerabilities strategies built for NodeSecure scanner.
- Node.js v14 or higher
This package is available in the Node Package Repository and can be easily installed with npm or yarn.
$ npm i @nodesecure/vuln
# or
$ yarn add @nodesecure/vulnimport * as vuln from "@nodesecure/vuln";
// Default strategy is currently "none".
await vuln.setStrategy(vuln.strategies.NPM_AUDIT);
const definition = await vuln.getStrategy();
console.log(definition.strategy);
await definition.hydratePayloadDependencies(new Map());The default strategy is NONE which mean no strategy at all (we execute nothing).
| NPM Audit | Node.js Security WG - Database | [COMING SOON] Snyk |
|---|---|---|
 |
 |
 |
Those strategies are described as "string" type with the following TypeScript definition:
type Kind = "npm" | "node" | "none";To add a strategy or better understand how the code works, please consult the following guide.
See types/api.d.ts for a complete TypeScript definition.
function setStrategy(name?: Strategy.Kind, options?: Strategy.Options): Promise<Strategy.Definition>;
function getStrategy(): Promise<Strategy.Definition>;
const strategies: {
SECURITY_WG: "node";
NPM_AUDIT: "npm";
NONE: "none";
};
/** Equal to strategies.NONE by default **/
const defaultStrategyName: string;Strategy Kind, HydratePayloadDependenciesOptions, Options are described by the following interfaces:
export interface Options {
/** Force hydratation of the strategy local database (if the strategy has one obviously) **/
hydrateDatabase?: boolean;
}
export interface HydratePayloadDependenciesOptions {
/**
* Absolute path to the location to analyze (with a package.json and/or package-lock.json)
* Useful to NPM Audit strategy
**/
path?: string;
}
export interface Definition {
/** Name of the strategy **/
strategy: Kind;
/** Method to hydrate (insert/push) vulnerabilities in the dependencies retrieved by the Scanner **/
hydratePayloadDependencies: (
dependencies: Dependencies,
options?: HydratePayloadDependenciesOptions
) => Promise<void>;
/** Hydrate local database (if the strategy need one obviously) **/
hydrateDatabase?: () => Promise<void>;
/** Method to delete the local vulnerabilities database (if available) **/
deleteDatabase?: () => Promise<void>;
}Where dependencies is the dependencies Map() object of the scanner.
Note: the option hydrateDatabase is only useful for some of the strategy (like Node.js Security WG).
Thanks goes to these wonderful people (emoji key):
 Gentilhomme 💻 📖 👀 🛡️ 🐛 |
 Tony Gorez 💻 👀 🐛 |
 Antoine 💻 🐛 |
MIT