From e70ce9cf3b3b30c831530c6ba979e89c3cf64de9 Mon Sep 17 00:00:00 2001 From: fraxken Date: Sat, 25 Nov 2023 00:55:10 +0100 Subject: [PATCH 1/2] docs: use new Github blockquotes --- README.md | 9 ++++++--- workspaces/documentation-ui/README.md | 3 ++- workspaces/vis-network/README.md | 3 ++- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 235db21b..532c8259 100644 --- a/README.md +++ b/README.md @@ -77,7 +77,8 @@ Then the **nsecure** binary will be available in your terminal. Give a try with $ nsecure auto express ``` -> ⚠ī¸ Setup an [npm token](https://github.com/NodeSecure/cli#private-packages--registry) to avoid hiting the maximum request limit of the npm registry API. +> [!TIP] +> Setup an [npm token](https://github.com/NodeSecure/cli#private-packages--registry) to avoid hiting the maximum request limit of the npm registry API. ## 👀 Usage example @@ -198,7 +199,8 @@ If you have already cloned and installed the project with npm locally, you still $ npm run build ``` -> **Warning** restart this command when modifying files in the public root folder +> [!IMPORTANT] +> Restart this command when modifying files in the public root folder Once you have finished your development, check that the tests (and linter) are still good by running the following script: @@ -206,7 +208,8 @@ Once you have finished your development, check that the tests (and linter) are s $ npm test ``` -> **Note** If you add a feature, try adding tests for it along. +> [!CAUTION] +> If you add a feature, try adding tests for it along. ## Workspaces diff --git a/workspaces/documentation-ui/README.md b/workspaces/documentation-ui/README.md index f7980fb7..696651cd 100644 --- a/workspaces/documentation-ui/README.md +++ b/workspaces/documentation-ui/README.md 
@@ -34,7 +34,8 @@ Portable documentation/wiki UI for NodeSecure tools like [CLI](https://github.co - Render [NodeSecure JS-X-RAY SAST Warnings](https://github.com/NodeSecure/js-x-ray). - Written in vanilla.js for maximum performance. -> **Note** The content is retrieved from the github API (and sometimes it transform raw markdown response to HTML, that's why we use [markdown-it](https://github.com/markdown-it/markdown-it#readme) as dependency). +> [!NOTE] +> The content is retrieved from the github API (and sometimes it transform raw markdown response to HTML, that's why we use [markdown-it](https://github.com/markdown-it/markdown-it#readme) as dependency). ## 💃 Getting Started diff --git a/workspaces/vis-network/README.md b/workspaces/vis-network/README.md index 07a542b6..53c32f7f 100644 --- a/workspaces/vis-network/README.md +++ b/workspaces/vis-network/README.md @@ -45,7 +45,8 @@ The project scripts are used for those who want to test the code. - **npm start** to start an httpserver from `./dist` - **npm run build** to build the `./example` with esbuild. -> **Note**: The start command run the build command before launching the http server. +> [!NOTE] +> The start command run the build command before launching the http server. ## License From 31501b33507b28118ff64bc630ca855d82abaca5 Mon Sep 17 00:00:00 2001 
From: fraxken Date: Sat, 25 Nov 2023 13:05:17 +0100 Subject: [PATCH 2/2] chore: update dependencies & fix broken codes --- .github/workflows/codeql.yml | 10 ++--- .github/workflows/nodejs.yml | 8 ++-- .github/workflows/scorecards.yml | 10 ++--- .github/workflows/vis-network.yml | 6 +-- package.json | 6 +-- public/css/components/package/box.css | 10 ++--- .../js/components/package/pannels/overview.js | 6 ++- .../js/components/package/pannels/warnings.js | 25 +++++++---- public/js/utils.js | 18 +++++--- test/commands/scorecard.test.js | 44 ++++++++++--------- test/helpers/cliCommandRunner.js | 10 ++++- views/index.html | 4 ++ workspaces/vis-network/package.json | 8 ++-- workspaces/vis-network/src/dataset.js | 12 ++--- 14 files changed, 103 insertions(+), 74 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a350d62c..bd7e3ff1 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -41,16 +41,16 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Checkout repository - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5 + uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. 
@@ -63,7 +63,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5 + uses: github/codeql-action/autobuild@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -76,6 +76,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5 + uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 with: category: "/language:${{matrix.language}}" \ No newline at end of file diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml index 0474daae..07b4634d 100644 --- a/.github/workflows/nodejs.yml +++ b/.github/workflows/nodejs.yml @@ -18,13 +18,13 @@ jobs: fail-fast: false steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 + uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0 with: node-version: ${{ matrix.node-version }} - name: Install dependencies 
@@ -34,4 +34,4 @@ jobs: - name: Run tests run: npm run coverage - name: Send coverage report to Codecov - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4 + uses: codecov/codecov-action@428cda1b1c731be3e8bfa389049c3f276d572ffb # v4.0.0-beta.3 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 639e46f6..e51d326a 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -32,17 +32,17 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: "Checkout code" - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0 + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 with: results_file: results.sarif results_format: sarif @@ -64,7 +64,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: SARIF file path: results.sarif @@ -72,6 +72,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@00e563ead9f72a8461b24876bee2d0c2e8bd2ee8 # v2.21.5 + uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 with: sarif_file: results.sarif 
diff --git a/.github/workflows/vis-network.yml b/.github/workflows/vis-network.yml index e753c5c4..84dc384c 100644 --- a/.github/workflows/vis-network.yml +++ b/.github/workflows/vis-network.yml @@ -22,13 +22,13 @@ jobs: fail-fast: false steps: - name: Harden Runner - uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1 + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 with: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 + uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0 with: node-version: ${{ matrix.node-version }} - name: Install dependencies diff --git a/package.json b/package.json index 9ab409fc..c2960266 100644 --- a/package.json +++ b/package.json @@ -80,9 +80,9 @@ "@nodesecure/flags": "^2.4.0", "@nodesecure/i18n": "^3.2.2", "@nodesecure/npm-registry-sdk": "^1.6.1", - "@nodesecure/ossf-scorecard-sdk": "^2.0.0", - "@nodesecure/rc": "^1.4.0", - "@nodesecure/scanner": "^4.0.0", + "@nodesecure/ossf-scorecard-sdk": "^3.0.0", + "@nodesecure/rc": "^1.5.0", + "@nodesecure/scanner": "^5.0.1", "@nodesecure/utils": "^1.1.0", "@nodesecure/vuln": "^1.7.0", "@openally/result": "^1.2.0", diff --git a/public/css/components/package/box.css b/public/css/components/package/box.css index d891cf69..1ca6757d 100644 --- a/public/css/components/package/box.css +++ b/public/css/components/package/box.css 
@@ -46,7 +46,7 @@ section#package-info .box-file-info>.box-header>span.Information { background: #0288d1ab; } -section#package-info .box-file-info>.box-header>a { +section#package-info .box-file-info>.box-header>.box-title { font-size: 18px; font-variant: small-caps; font-family: "mononoki"; @@ -61,22 +61,22 @@ section#package-info .box-file-info>.box-header>a:hover { cursor: pointer; } -section#package-info .box-file-info>.box-header>p { +section#package-info .box-file-info>.box-header>.box-file { margin-left: auto; color: #B3E5FC; display: flex; } -section#package-info .box-file-info>.box-header>p a { +section#package-info .box-file-info>.box-header>.box-file a { color: inherit; text-decoration: none; } -section#package-info .box-file-info>.box-header>p a:hover { +section#package-info .box-file-info>.box-header>.box-file a:hover { text-decoration: underline; } -section#package-info .box-file-info>.box-header>p i { +section#package-info .box-file-info>.box-header>.box-file i { margin-right: 6px; } diff --git a/public/js/components/package/pannels/overview.js b/public/js/components/package/pannels/overview.js index c7209129..0eac48f8 100644 --- a/public/js/components/package/pannels/overview.js +++ b/public/js/components/package/pannels/overview.js @@ -16,9 +16,11 @@ export class Overview { get author() { const author = this.package.dependencyVersion.author; - const flatAuthorFullname = typeof author === "string" ? author : (author?.name ?? "Unknown"); + if (author === null) { + return "Unknown"; + } - return flatAuthorFullname.length > 26 ? `${flatAuthorFullname.slice(0, 26)}...` : flatAuthorFullname; + return author.name.length > 26 ? `${author.name.slice(0, 26)}...` : author.name; } /** diff --git a/public/js/components/package/pannels/warnings.js b/public/js/components/package/pannels/warnings.js index 5e179c67..4ecabca3 100644 --- a/public/js/components/package/pannels/warnings.js +++ b/public/js/components/package/pannels/warnings.js 
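Review bot: In `get author()` the new guard only handles `author === null`, so an `undefined` author or an author object without a `name` now throws on `author.name.length`, where the removed line tolerated both (and a plain string). If the `@nodesecure/scanner` v5 upgrade in this patch guarantees `author` is either `null` or `{ name: string, ... }`, a one-line comment stating that contract would help the next reader; otherwise `if (author == null || typeof author.name !== "string") { return "Unknown"; }` keeps the old fallback. The same pattern appears in `computeAuthor` in workspaces/vis-network/src/dataset.js, where an author whose `name` is missing or `null` would now be stored under that key in `this.authors` — the removed `user.name !== null` guard covered that case, and `if (author == null || author.name == null) { return; }` would restore it.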
@@ -10,7 +10,7 @@ export class Warnings { this.package = pkg; } - get isLocalProject() { + get isPrincipalRootProject() { return this.package.currentNode === 0 || this.package.dependencyVersion.flags.includes("isGit"); } @@ -55,9 +55,6 @@ export class Warnings { if (window.settings.warnings.has(warning.kind)) { continue; } - const multipleLocation = warning.kind === "encoded-literal" ? - warning.location.map((loc) => locationToString(loc)).join(" // ") : - locationToString(warning.location); const id = Math.random().toString(36).slice(2); const hasNoInspection = @@ -72,7 +69,7 @@ export class Warnings { ] }); - if (this.isLocalProject || hasNoInspection) { + if (this.isPrincipalRootProject || hasNoInspection) { viewMoreElement.style.display = "none"; } else { @@ -102,10 +99,12 @@ export class Warnings { viewMoreElement ] }); - const boxPosition = utils.createDOMElement("div", { + const boxPosition = warning.location === null ? null : utils.createDOMElement("div", { className: "box-source-code-position", childs: [ - utils.createDOMElement("p", { text: multipleLocation }) + utils.createDOMElement("p", { + text: this.getWarningLocation(warning) + }) ] }); @@ -113,7 +112,8 @@ export class Warnings { title: warning.kind, fileName: warning.file.length > 20 ? `${warning.file.slice(0, 20)}...` : warning.file, childs: [boxContainer, boxPosition], - titleHref: `https://github.com/NodeSecure/js-x-ray/blob/master/docs/${warning.kind}.md`, + titleHref: warning.kind === "invalid-semver" ? + null : `https://github.com/NodeSecure/js-x-ray/blob/master/docs/${warning.kind}.md`, fileHref: `${unpkgRoot}${warning.file}`, severity: warning.severity ?? "Information" }) @@ -122,4 +122,13 @@ export class Warnings { return fragment; } + + getWarningLocation(warning) { + if (warning.kind === "encoded-literal") { + return warning.location + .map((loc) => locationToString(loc)).join(" // "); + } + + return locationToString(warning.location);; + } } 
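Review bot: `getWarningLocation` ends with a doubled semicolon, `return locationToString(warning.location);;` — the second `;` is an empty statement the linter will flag; drop it. The new `titleHref` ternary hard-codes `"invalid-semver"` as the one kind rendered without a link, and nothing says why; a comment such as `// invalid-semver has no docs page under NodeSecure/js-x-ray/docs, so the title is rendered as plain text` would explain the exception, or a module-level `Set` of undocumented kinds would keep the list in one place when the next one is added.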
diff --git a/public/js/utils.js b/public/js/utils.js index bbb422c2..39d099ed 100644 --- a/public/js/utils.js +++ b/public/js/utils.js @@ -108,13 +108,17 @@ export function createFileBox(options = {}) { ...(severity === null ? [] : [ createDOMElement("span", { classList: [severity], text: severity.charAt(0).toUpperCase() }) ]), - createDOMElement("a", { - text: title, - attributes: { - href: titleHref, ...defaultHrefProperties - } - }), + titleHref === null ? + createDOMElement("p", { text: title, className: "box-title" }) : + createDOMElement("a", { + text: title, + className: "box-title", + attributes: { + href: titleHref, ...defaultHrefProperties + } + }), createDOMElement("p", { + className: "box-file", childs: [ createDOMElement("i", { classList: ["icon-docs"] }), fileDomElement @@ -127,7 +131,7 @@ export function createFileBox(options = {}) { classList: ["box-file-info"], childs: [ boxHeader, - ...childs + ...childs.filter((element) => element !== null) ] }); } diff --git a/test/commands/scorecard.test.js b/test/commands/scorecard.test.js index b01c898f..c162c3a1 100644 --- a/test/commands/scorecard.test.js +++ b/test/commands/scorecard.test.js 
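Review bot: In `createFileBox`, `titleHref === null` and `element !== null` are strict null checks, so a caller that simply omits `titleHref` (leaving it `undefined`, unless the option has a `null` default in the destructuring above this hunk) still gets an `<a>` with `href: undefined`, and an `undefined` child still reaches `childs`; `titleHref == null` and `element != null` would cover both cases. The destructuring of `options` is outside the hunk, so I cannot confirm the default from here.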
@@ -38,30 +38,32 @@ test("scorecard should display fastify scorecard", async() => { const scorecardCliOptions = { path: kProcessPath, args: [packageName], - undiciMockAgentOptions: [{ - baseUrl: API_URL, - intercept: { - path: `/projects/github.com/${packageName}`, - method: "GET" - }, - response: { - body: mockBody, - status: 200 - } - }, - { - baseUrl: "https://api.github.com", - intercept: { - path: "/repos/fastify/fastify", - method: "GET" + undiciMockAgentOptions: [ + { + baseUrl: API_URL, + intercept: { + path: `/projects/github.com/${packageName}`, + method: "GET" + }, + response: { + body: mockBody, + status: 200 + } }, - response: { - body: { - full_name: "fastify/fastify" + { + baseUrl: "https://api.github.com", + intercept: { + path: "/repos/fastify/fastify", + method: "GET" }, - status: 200 + response: { + body: { + full_name: "fastify/fastify" + }, + status: 200 + } } - }] + ] }; diff --git a/test/helpers/cliCommandRunner.js b/test/helpers/cliCommandRunner.js index e1c8c5c1..54326e78 100644 --- a/test/helpers/cliCommandRunner.js +++ b/test/helpers/cliCommandRunner.js @@ -3,7 +3,7 @@ import { fork } from "node:child_process"; import { createInterface } from "node:readline"; // Import Third-party Dependencies -import { MockAgent, setGlobalDispatcher } from "undici"; +import { MockAgent, setGlobalDispatcher } from "@myunisoft/httpie"; import stripAnsi from "strip-ansi"; export async function* runProcess(options) { @@ -36,7 +36,13 @@ export function prepareProcess(command, args = process.argv.slice(2)) { const { baseUrl, intercept, response } = mock; const pool = mockAgent.get(baseUrl); - pool.intercept(intercept).reply(response.status, () => response.body); + pool + .intercept(intercept) + .reply( + response.status, + () => response.body, + { headers: { "content-type": "application/json" } } + ); } mockAgent.disableNetConnect(); diff --git a/views/index.html b/views/index.html index 061fcad1..8faf64ec 100644 --- a/views/index.html +++ b/views/index.html 
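Review bot: In `prepareProcess` the reply now sends `content-type: application/json`, while the body callback still returns `response.body` as an object; with undici's `MockAgent` an object body is serialized to JSON automatically, which should hold as long as `@myunisoft/httpie` re-exports undici's `MockAgent` and `setGlobalDispatcher` unchanged — worth confirming against that package. The import moves from `undici` to `@myunisoft/httpie`, but the package.json hunk in this patch does not show `@myunisoft/httpie` being added to `devDependencies`; confirm it is declared so the test helper does not rely on a transitive install.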
@@ -188,6 +188,10 @@

General

weak crypto

+
+ +

invalid semver (0.x.x)

+

Flags to ignore:

diff --git a/workspaces/vis-network/package.json b/workspaces/vis-network/package.json index 4b4d0681..e8de5b1b 100644 --- a/workspaces/vis-network/package.json +++ b/workspaces/vis-network/package.json @@ -10,7 +10,7 @@ "test": "node --test test/", "test:c8": "c8 npm run test", "start": "npm run build && http-server ./dist", - "build": "node esbuild.config.js" + "build": "rimraf ./dist && node esbuild.config.js" }, "files": [ "index.js", @@ -25,11 +25,11 @@ "license": "MIT", "dependencies": { "pretty-bytes": "^6.0.0", - "vis-data": "^7.1.6", - "vis-network": "^9.1.6" + "vis-data": "^7.1.9", + "vis-network": "^9.1.9" }, "devDependencies": { "@nodesecure/flags": "^2.4.0", - "@nodesecure/scanner": "^3.7.0" + "@nodesecure/scanner": "^5.0.1" } } diff --git a/workspaces/vis-network/src/dataset.js b/workspaces/vis-network/src/dataset.js index aa1c1754..289c67a2 100644 --- a/workspaces/vis-network/src/dataset.js +++ b/workspaces/vis-network/src/dataset.js @@ -131,13 +131,15 @@ export default class NodeSecureDataSet extends EventTarget { } computeAuthor(author) { - const user = "name" in author ? author : { name: null }; + if (author === null) { + return; + } - if (this.authors.has(user.name)) { - this.authors.get(user.name).count++; + if (this.authors.has(author.name)) { + this.authors.get(author.name).count++; } - else if (user.name !== null) { - this.authors.set(user.name, Object.assign({}, user, { count: 1 })); + else { + this.authors.set(author.name, Object.assign({}, author, { count: 1 })); } }
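Review bot: The `build` script now shells out to `rimraf`, but the `devDependencies` hunk in the same file does not add it, so the build relies on rimraf being hoisted from the root workspace or installed globally. Either declare it in this package's `devDependencies`, or avoid the extra binary with Node's own API, e.g. `"build": "node -e \"fs.rmSync('./dist',{recursive:true,force:true})\" && node esbuild.config.js"`.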