Commit 5bc7e85

Merge pull request #1 from comsysto/add-support-for-yarn-and-pnpm
add-support-for-yarn-and-pnpm
2 parents 75d530d + 0185405 commit 5bc7e85

13 files changed

Lines changed: 1574 additions & 1071 deletions

README.md

Lines changed: 26 additions & 5 deletions
@@ -1,6 +1,7 @@
11
# dependency-vulnerability-scanner
22

33
This repository provides scripts to quickly check if a repository uses certain vulnerable dependencies.
4+
Supported package managers: npm, pnpm, yarn
45

56
## How to use
67

@@ -38,20 +39,40 @@ curl -O https://github.com/comsysto/dependency-vulnerability-scanner/releases/la
3839
Example output:
3940

4041
```bash
41-
Starting dependency scan...
42-
Found 1 package-lock.json files
43-
Checking ucp-test... (100% complete)
42+
Dependency Vulnerability Scanner
43+
=================================
44+
45+
📦 Scanning NPM packages (package-lock.json)...
46+
Found 19 package-lock.json files:
47+
- test-project/package-lock.json
4448

4549
Scan complete. Found 1 occurrences:
46-
ucp-test/package-lock.json - uses: ["zuper-stream@2.0.9"]
50+
test-project/package-lock.json - uses: ["zuper-stream@2.0.9"]
51+
52+
✅ Scan complete!
53+
Total matches found:
54+
- 1 in NPM projects
55+
- 0 in Yarn projects
56+
- 0 in PNPM projects
57+
```
58+
59+
## How to test locally
60+
61+
Build the binary and move it to some root folder that contains node projects:
62+
63+
```bash
64+
cd node/src
65+
go build -o scanner && cp ./scanner ~/your-workspace
66+
cd ~/your-workspace
67+
./scanner
4768
```
4869

4970
## How to add new affected dependencies
5071

5172
1. Check if you can find a list of vulnerable packages in a structured way,
5273
e.g. https://github.com/wiz-sec-public/wiz-research-iocs/blob/main/reports/shai-hulud-2-packages.csv
5374
2. Use `utils/extract-versions.sh` to extract the affected versions from the CSV file
54-
3. Add the strings to `var deps` in main.go, following the existing format
75+
3. Add the strings to `dependencies.go`, following the existing format
5576

5677
## How to build new versions
5778

node/src/build/scan-darwin-arm64

413 KB
Binary file not shown.

node/src/build/scan-linux-amd64

402 KB
Binary file not shown.
403 KB
Binary file not shown.
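Review bot: this merge checks compiled scanner binaries into `node/src/build/` (scan-darwin-arm64 at 413 KB, scan-linux-amd64 at 402 KB, and a third 403 KB binary whose name is not shown on this page). For a tool whose whole purpose is supply-chain hygiene, a reviewer cannot verify that these bytes were built from the source in the same commit. Suggest building release artifacts in CI from a tag, publishing checksums next to them on the releases page the README already points users at, and keeping build output out of version control.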

node/src/config.go

Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
package main
2+
3+
// Constants
4+
const (
5+
NodeModulesPrefix = "node_modules/"
6+
NodeModulesDir = "node_modules"
7+
)
8+
9+
// Config holds the scanner configuration
10+
type Config struct {
11+
RootPath string
12+
ExcludedDirs []string
13+
VerboseOutput bool
14+
ShowProgressBar bool
15+
}
16+
17+
// DefaultConfig returns the default configuration
18+
func DefaultConfig() *Config {
19+
return &Config{
20+
RootPath: ".",
21+
ExcludedDirs: []string{NodeModulesDir},
22+
VerboseOutput: true,
23+
ShowProgressBar: true,
24+
}
25+
}
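Review bot: `ExcludedDirs` carries no documentation of how an entry is matched, and the two constants above pull in opposite directions: `NodeModulesDir = "node_modules"` suggests matching on a directory's base name, `NodeModulesPrefix = "node_modules/"` suggests a path-prefix check. Suggest a doc comment on the field stating the rule the walker applies, e.g. `ExcludedDirs []string // directory base names that are skipped wherever they occur`, and replacing the bare `// Constants` header with comments on each exported constant. Worth stating in the README as well: with `node_modules` excluded by default, findings come solely from lock files, never from what is actually installed on disk.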
