npm-dependency-analyzer

Analyze Open Source dependencies in a project developed on a Node.js environment. This plugin analyzes all dependencies of a project to check for vulnerabilities and licenses.

Requirements

Download and install Node.js with version 8.0.0 or higher.
Projects MUST have a policy file named .osda

Policy file structure

{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "title": "Project Policy",
  "description": "A policy with a project related configurations and \tinformation",
  "type": "object",
  "properties": {
    "project_id": {
      "description": "Id of the project to present in the report",
      "type": "string"
    },
    "project_name": {
      "description": "Name of the project to present in the report",
      "type": "string"
    },
    "project_version": {
      "description": "Version of the project to present in the report",
      "type": "string"
    },
    "project_description": {
      "description": "Description of the project to present in the report",
      "type": "string"
    },
    "organization": {
      "description": "The organization the project belongs to",
      "type": "string"
    },
    "repo": {
      "description": "The repository in github the project belongs to",
      "type": "string"
    },
    "repo_owner": {
      "description": "The owner of the repository the project belongs to",
      "type": "string"
    },
    "admin": {
      "description": "The username of the administrator of the project (Only used in project first report)",
      "type": "string"
    },
    "invalid_licenses": {
      "description": "The names of all invalid licenses. Default value is an empty collection",
      "type": "array"
    },
    "fail": {
      "description": "Indicates if the build should fail in case a vulnerability is found. Default value is false",
      "type": "boolean"
    },
    "api_cache_time": {
      "description": "Indicates, in seconds, the amount of time the cached results should be considered valid. If 0 (which is the default value), there are no restrictions on the lifetime of cached results",
      "type": "number"
    }
  },
  "required": ["project_id", "project_name", "admin"]
}

Before using the plugin, the developer needs to create a user in the central system: http://35.234.147.77. This user is gonna be designated as admin of the project by inserting the username into the admin field of the policy file. Once the user is created, a token can be created through the following link: http://35.234.147.77/user. The generated token must be added as an environment variable with the name CENTRAL_SERVER_TOKEN. ## Installation

This is a Node.js module available through the npm registry.

Installation is done using the npm install command:

 $ npm install --save-dev npm-dependency-analyzer

How to Use

⚠️ In order for the plugin to be executed successfully, it needs to have all dependencies installed by the user install all dependencies before using any functionality provided:

$ npm install

This plugin provides an executable that is placed into "node_modules/.bin" folder of any project it is dependent. This executable can be used in the script property. This command is to be used in the build process of a project, as demonstrated in the example below of a package.json:

{
    "name":"example-project",
    "version":"1.0.0",
    "description":"Example of a project package.json",
    "main":"index.js",
    "bin":{
        "example-command":"./bin/example-command.js"
    },
    "scripts":{
        "prebuild":"npm install && rimraf build/",
        "build":"npm run lint && npm test && npm-dependency-analyzer | bunyan",
        "lint":"eslint .",
        "test":"mocha"
    },
    "engines":{
        "node":">=8.0.0",
        "npm":">=5.7.0"
    },
    "keywords":[
        "Example",
        "Plugin"
    ],
    "dependencies":{
        "async":"^2.6.0",
        "debug":"^3.1.0",
        "executive":"^1.5.13",
        "nsp":"3.2.1"
    },
    "devDependencies":{
        "eslint":"^4.19.0",
        "eslint-config-standard":"^11.0.0",
        "eslint-plugin-import":"^2.10.0",
        "eslint-plugin-node":"^6.0.1",
        "eslint-plugin-promise":"^3.7.0",
        "eslint-plugin-standard":"^3.0.1",
        "mocha":"^5.0.4",
        "rimraf":"^2.6.2"
    }
}

This module uses the logging library bunyan. Every log will be represented as a json object. Bunyan besides providing a Logging API, it provides a CLI tool that parses the json and prettifies it. As shown in the code above the developer can pipe the output of the executable to the cli tool -> "npm-dependency-analyzer | bunyan". After making the necessary adjustments to the package.json, the execution of the build script will have the plugin generate a report based on the findings. This report will then be sent to the central system and stored there. Then the report can be accessed through the following link: http://35.234.147.77/