improvement: report output readability (#40)
* improvement: report output

* update package.json

* remove commented line

* Update parser.js

* Update parser.test.js

* `dependencies` -> `vulnerabilities`

* Update parser.test.js

* 2.2.1 -> 2.3.0
shockey authored and InfoSec812 committed Jul 18, 2019
1 parent 565f71a commit e3231f6
Showing 3 changed files with 47 additions and 17 deletions.
38 changes: 26 additions & 12 deletions lib/parser.js
Expand Up @@ -15,6 +15,7 @@
*/

const util = require('util');
const Table = require("cli-table")
const { validThresholds } = require('./parse_args');

/**
Expand Down Expand Up @@ -48,26 +49,39 @@ function parse_audit_results(err, stdout, threshold, ignoreDev, json_output = fa
retVal.advisories = {};
retVal.advisories = flaggedDepenencies;
cli_output = JSON.stringify(retVal, null, 2) + '\n';
} else { // If any vulnerabilities exceed the threshold and are not filtered, print the details and fail the build.
if (flaggedDepenencies.length > 0) {
cli_output += 'There are vulnerable dependencies which exceed the selected threshold and scope:\n';
exitCode = 1;
}
} else if (flaggedDepenencies.length > 0) {
// If any vulnerabilities exceed the threshold and are not filtered, print the details and fail the build.

cli_output += ignoreDev ? (
"The following production vulnerabilities "
) : (
"The following vulnerabilities "
)

cli_output += "are " + validThresholds[threshold] + " severity or higher:\n"

exitCode = 1;

const flagTable = new Table({
head: ["module", "severity", "overview"]
})

flaggedDepenencies.forEach((advisory) => { // Print out dependencies which exceed the threshold
let libraryName = advisory[1].module_name;
let libraryVersion = advisory[1].findings[0].version;
let advisoryOverview = 'https://www.npmjs.com/advisories/' + advisory[0];
let severity = advisory[1].severity;
cli_output += util.format(
" %s(%s): %s (%s >= %s)\n",
libraryName.padStart(30),
libraryVersion.padEnd(20),
advisoryOverview.padEnd(50),
severity,
validThresholds[threshold]);
flagTable.push([
libraryName + "@" + libraryVersion,
severity,
advisoryOverview
])
});

cli_output += flagTable.toString() + "\n"
}
}

return { exitCode, cli_output };
}

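Review bot: The table created at `new Table({ head: ["module", "severity", "overview"] })` relies on cli-table's default styling, which as far as I recall colours the header and border cells with ANSI escape sequences; on a non-TTY CI console, which is what this wrapper targets, those sequences land verbatim in the build log and in anything that greps or diffs the output. Passing an explicit plain style in the options object, `style: { head: [], border: [] }`, keeps the report as plain text and makes the tests' substring assertions independent of the library's colour defaults. The added lines also omit the semicolons the rest of this file uses (`const Table = require("cli-table")`, the `cli_output += "are " + ...` line, the `})` closing the Table options, the `])` closing the pushed row and the `flagTable.toString()` line) and mix double quotes with the surrounding single-quoted strings, so a pass for consistency, ideally turning the `"are " + validThresholds[threshold] + " severity or higher:\n"` concatenation into a template literal, would help. parse_audit_results begins before this hunk, and the two `}` lines after the table close blocks opened outside it.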
21 changes: 18 additions & 3 deletions lib/parser.test.js
Expand Up @@ -85,15 +85,30 @@ test('Validate run with 0 vulnerabilities', () => {
});

/*
* If 7 vulnerabilities exceed the threshold and dev dependencies are not ignore, expect a non-zero exit code
* If 7 vulnerabilities exceed the threshold and dev dependencies are not
* ignore, expect a non-zero exit code and correct messaging
*/
test('Validate run with 7 vulnerabilities', () => {
const test_data = readFileSync('test_data/vue_js_app.json', 'utf8');
let { exitCode, cli_output } = parse_audit_results("", test_data, LOW_THRESHOLD, false);
expect(cli_output).not.toContain('{');
expect(cli_output).toContain("growl");
expect(cli_output).toContain('https://www.npmjs.com/advisories/');
expect(cli_output).toContain('There are vulnerable dependencies which exceed the selected threshold and scope:');
expect(cli_output).toContain('The following vulnerabilities are low severity or higher:');
expect(exitCode).toBe(1);
});

/*
* If 7 vulnerabilities exceed the high threshold and dev dependencies are
* ignored, expect a non-zero exit code and correct messaging.
*/
test('Validate run with 7 vulnerabilities, a high severity cutoff, and production-only', () => {
const test_data = readFileSync('test_data/vue_js_app.json', 'utf8');
let { exitCode, cli_output } = parse_audit_results("", test_data, HIGH_THRESHOLD, true);
expect(cli_output).not.toContain('{');
expect(cli_output).toContain("https-proxy-agent@1.0.0");
expect(cli_output).toContain('https://www.npmjs.com/advisories/');
expect(cli_output).toContain('The following production vulnerabilities are high severity or higher:');
expect(exitCode).toBe(1);
});

Expand Down Expand Up @@ -250,4 +265,4 @@ test('Validate advisories filtering on CRIT threshold and ignoring Dev dependenc
const data = JSON.parse(test_data);
const results = filter_advisories(Object.entries(data.advisories), true, CRIT_THRESHOLD);
expect(results.length).toBe(0);
});
});
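Review bot: The new test `Validate run with 7 vulnerabilities, a high severity cutoff, and production-only` pins the header sentence and one `https-proxy-agent@1.0.0` cell, but nothing asserts that the table's own columns made it into the output, so dropping the `severity` or `overview` column would still pass; adding `expect(cli_output).toContain('severity');` and `expect(cli_output).toContain('overview');`, matching the head row the parser now builds, would cover the format change the commit is about. Both tests load the same fixture with `readFileSync('test_data/vue_js_app.json', 'utf8')`, which could be hoisted into a single module-level `const` to avoid the duplication. `let { exitCode, cli_output }` is never reassigned in either test, so `const` is the better fit. The `});` change in the second hunk appears to be an end-of-file newline fix only.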
5 changes: 3 additions & 2 deletions package.json
@@ -1,6 +1,6 @@
{
"name": "npm-audit-ci-wrapper",
"version": "2.2.1",
"version": "2.3.0",
"description": "A wrapper for 'npm audit' which can be configurable for use in a CI/CD tool like Jenkins",
"keywords": [
"npm",
Expand All @@ -24,7 +24,8 @@
},
"license": "Apache-2.0",
"dependencies": {
"argv": "0.0.2"
"argv": "0.0.2",
"cli-table": "^0.3.1"
},
"bin": {
"npm-audit-ci-wrapper": "./bin/index.js"
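Review bot: The new `"cli-table": "^0.3.1"` entry uses a caret range while the existing `"argv": "0.0.2"` is pinned exactly, and no lockfile is among the three files this commit touches, so the resolved version of the new dependency can drift across 0.3.x patch releases between builds of a tool whose job is to gate CI. Pinning it in the same style as the existing entry, `"cli-table": "0.3.1"`, or committing a lockfile would make the output the tests assert on reproducible.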
