npmx.dev/shared/types/dependency-analysis.ts at 5d5cecc176a452a5c335db2f72e5987387a8e063 · npmx-dev/npmx.dev · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
/**
 * Dependency Analysis Types
 * Types for vulnerability scanning (via OSV API) and deprecated package detection.
 *
 * @see https://google.github.io/osv.dev/api/
 */

/**
 * Severity levels in priority order (highest first)
 */
export const SEVERITY_LEVELS = ['critical', 'high', 'moderate', 'low'] as const

/**
 * Severity level derived from CVSS score
 */
export type OsvSeverityLevel = (typeof SEVERITY_LEVELS)[number] | 'unknown'

/**
 * Counts by severity level
 */
export type SeverityCounts = Record<(typeof SEVERITY_LEVELS)[number], number>

/**
 * CVSS severity information from OSV
 */
export interface OsvSeverity {
  type: 'CVSS_V3' | 'CVSS_V4'
  score: string
}

/**
 * Reference link for a vulnerability
 */
export interface OsvReference {
  type: 'ADVISORY' | 'WEB' | 'PACKAGE' | 'REPORT' | 'FIX' | 'ARTICLE' | 'DETECTION' | 'EVIDENCE'
  url: string
}

/**
 * Version range event from OSV affected data
 * @see https://ossf.github.io/osv-schema/#affectedrangesevents-fields
 */
export interface OsvRangeEvent {
  introduced?: string
  fixed?: string
  last_affected?: string
  limit?: string
}

/**
 * Version range from OSV affected data
 */
export interface OsvRange {
  type: 'SEMVER' | 'ECOSYSTEM' | 'GIT'
  events: OsvRangeEvent[]
}

/**
 * Affected package info from OSV
 */
export interface OsvAffected {
  package: {
    ecosystem: string
    name: string
  }
  ranges?: OsvRange[]
  versions?: string[]
}

/**
 * Individual vulnerability record from OSV
 */
export interface OsvVulnerability {
  id: string
  summary?: string
  details?: string
  aliases?: string[]
  modified: string
  published?: string
  severity?: OsvSeverity[]
  references?: OsvReference[]
  affected?: OsvAffected[]
  database_specific?: {
    severity?: string
    cwe_ids?: string[]
    github_reviewed?: boolean
    nvd_published_at?: string
  }
}

/**
 * OSV API query response
 */
export interface OsvQueryResponse {
  vulns?: OsvVulnerability[]
  next_page_token?: string
}

/**
 * Single result from OSV batch query (minimal info - just ID and modified)
 */
export interface OsvBatchVulnRef {
  id: string
  modified: string
}

/**
 * Single result in OSV batch response
 */
export interface OsvBatchResult {
  vulns?: OsvBatchVulnRef[]
  next_page_token?: string
}

/**
 * OSV batch query response
 * @see https://google.github.io/osv.dev/post-v1-querybatch/
 */
export interface OsvBatchResponse {
  results: OsvBatchResult[]
}

/**
 * Simplified vulnerability info for display
 */
export interface VulnerabilitySummary {
  id: string
  summary: string
  severity: OsvSeverityLevel
  aliases: string[]
  url: string
  /** Version that fixes this vulnerability (if known) */
  fixedIn?: string
}

/**
 * Package vulnerability response returned by our API
 */
export interface PackageVulnerabilities {
  package: string
  version: string
  vulnerabilities: VulnerabilitySummary[]
  counts: SeverityCounts & { total: number }
}

/** Depth in dependency tree */
export type DependencyDepth = 'root' | 'direct' | 'transitive'

/**
 * Vulnerability info for a single package in the tree
 */
export interface PackageVulnerabilityInfo {
  name: string
  version: string
  /** Depth in dependency tree: root (0), direct (1), transitive (2+) */
  depth: DependencyDepth
  /** Dependency path from root package */
  path: string[]
  vulnerabilities: VulnerabilitySummary[]
  counts: {
    total: number
    critical: number
    high: number
    moderate: number
    low: number
  }
}

/**
 * Deprecated package info in the dependency tree
 */
export interface DeprecatedPackageInfo {
  name: string
  version: string
  /** Depth in dependency tree: root (0), direct (1), transitive (2+) */
  depth: DependencyDepth
  /** Dependency path from root package */
  path: string[]
  /** Deprecation message */
  message: string
}

/**
 * URL-based dependency info (git:, https:)
 */
export interface UrlDependencyInfo {
  name: string
  /** The git: or https: URL */
  url: string
  /** Depth in dependency tree: root (0), direct (1), transitive (2+) */
  depth: DependencyDepth
  /** Dependency path from root package */
  path: string[]
}

/**
 * Result of dependency tree analysis
 */
export interface VulnerabilityTreeResult {
  /** Root package name */
  package: string
  /** Root package version */
  version: string
  /** All packages with vulnerabilities in the tree */
  vulnerablePackages: PackageVulnerabilityInfo[]
  /** All deprecated packages in the tree */
  deprecatedPackages: DeprecatedPackageInfo[]
  /** All dependencies using git: or https: URLs */
  urlDependencies: UrlDependencyInfo[]
  /** Total packages analyzed */
  totalPackages: number
  /** Number of packages that could not be checked (OSV query failed) */
  failedQueries: number
  /** Aggregated counts across all packages */
  totalCounts: {
    total: number
    critical: number
    high: number
    moderate: number
    low: number
  }
}