NPM OWASP Dependency Check
const { exec, execFile } = require('child_process');
const fs = require('fs');
const path = require('path');
const { program } = require('commander');
const { isReady, install, getExecutable } = require('./cli');
const { getBinDir, cleanDir } = require('./utils');
// Optional override: path of an already-installed dependency-check CLI.
const { OWASP_BIN: envOwaspBin } = process.env;
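/**
 * Builds the argument vector for the dependency-check CLI from the parsed
 * commander options (`program.project`, `program.out`, `program.failOnCVSS`,
 * `program.scan`, `program.format`, `program.suppression`).
 *
 * Flags and values are separate array elements so they can be handed to
 * `execFile` without a shell: a project name, output path or scan path that
 * contains spaces, quotes or shell metacharacters reaches dependency-check
 * verbatim instead of being re-parsed (and possibly split or interpreted as
 * additional commands) by `/bin/sh`.
 *
 * `program.suppression` may be a single path/URL or an array of them; each
 * entry becomes its own `--suppression` flag. A falsy value adds nothing.
 *
 * @returns {string[]} argv fragments, flag and value alternating
 */
function getCmdArguments() {
  const args = [
    '--project', String(program.project),
    '--out', String(program.out),
    '--failOnCVSS', String(program.failOnCVSS),
  ];
  for (const scanPath of program.scan) {
    args.push('--scan', scanPath);
  }
  for (const format of program.format) {
    args.push('--format', format);
  }
  if (program.suppression) {
    // [].concat() turns a single string into a one-element list and copies an array.
    for (const file of [].concat(program.suppression)) {
      args.push('--suppression', file);
    }
  }
  return args;
}

/**
 * Runs the dependency-check CLI and reports the outcome on the console.
 *
 * The report directory (`program.out`, resolved against the current working
 * directory) is emptied first. The executable is started with `execFile`,
 * i.e. without a shell, so user-supplied option values cannot be split on
 * whitespace or inject further commands. A non-zero exit — which
 * dependency-check also uses when the `--failOnCVSS` threshold is reached —
 * is logged and turned into `process.exit(1)`. Output on stderr is echoed but
 * is not treated as a failure by itself, matching the previous behaviour.
 *
 * NOTE(review): if `getExecutable()` resolves to a Windows `.bat`/`.cmd`
 * wrapper, recent Node versions refuse to spawn it without `shell: true`; in
 * that one case the shell is enabled and, as with the previous `exec()`
 * command string, the option values are not quoted — confirm what
 * `getExecutable()` returns on Windows.
 *
 * @param {string} [forceExecutable] path of a dependency-check binary to use
 *   instead of the one resolved by `getExecutable()`
 */
function runCheck(forceExecutable) {
  console.log('owasp-dependency-check: Running the dependency check ...');
  cleanDir(path.resolve(process.cwd(), program.out));
  const executable = forceExecutable || getExecutable();
  const needsShell = process.platform === 'win32' && /\.(bat|cmd)$/i.test(executable);
  const opts = {
    cwd: path.resolve(process.cwd()),
    // dependency-check prints a lot; keep the previous 50 MiB buffer so long runs are not killed.
    maxBuffer: 1024 * 1024 * 50,
    shell: needsShell,
  };
  execFile(executable, getCmdArguments(), opts, (err, _stdout, stderr) => {
    if (err) {
      console.error(err);
      process.exit(1);
    }
    if (stderr) {
      console.error(stderr);
    }
    console.log('owasp-dependency-check: Done.');
  });
}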
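/**
 * Entry point: locates (or installs) the dependency-check CLI and runs it.
 *
 * Resolution order:
 *   1. `OWASP_BIN` environment variable pointing at an existing path — used as-is.
 *   2. The managed bin directory from `getBinDir()`; the CLI is (re)installed
 *      there when `--force-install` was given or `isReady(binDir)` is false.
 *
 * An `OWASP_BIN` that is set but does not exist on disk is reported before the
 * fallback, so the caller is not silently switched to a downloaded binary.
 *
 * @returns {Promise<void>} resolves once the check has been started; the
 *   outcome of the check itself is reported by `runCheck`
 */
async function run() {
  if (envOwaspBin) {
    if (fs.existsSync(envOwaspBin)) {
      console.log('owasp-dependency-check: Found local instalation (OWASP_BIN), using it.');
      runCheck(envOwaspBin);
      return;
    }
    console.warn(`owasp-dependency-check: OWASP_BIN is set to "${envOwaspBin}" but that path does not exist; falling back to the managed install.`);
  }
  const binDir = getBinDir();
  if (program.forceInstall || !isReady(binDir)) {
    console.log('owasp-dependency-check: Downloading the dependency-check executables ...');
    await install(binDir);
  }
  runCheck();
}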
// Only the entry point is public; getCmdArguments/runCheck stay internal.
module.exports = { run };
#!/usr/bin/env node | |
const { program } = require('commander'); | |
const { run } = require('./lib/dependency-check'); | |
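// Command-line definition for the dependency-check wrapper.
// NOTE(review): lib/dependency-check reads the values as properties on
// `program` (`program.project`, ...). That is the commander <7 default; from
// v7 on, values live in `program.opts()` unless `storeOptionsAsProperties()`
// is enabled — confirm against the installed commander version.
program
  .requiredOption('--project <name>', 'the project name (required)')
  .option('-s, --scan [paths...]', 'the path to scan, multiple paths separated by space', ['.'])
  .option('-f, --format [formats...]', 'the output format, multiple formats separated by space (XML, HTML, CSV, JSON, JUNIT, ALL)', ['HTML', 'JSON'])
  // Default 11 is above the CVSS maximum, so no finding fails the run unless the user lowers it.
  .option('--failOnCVSS <score>', 'If the score set between 0 and 10 the exit code from dependency-check will indicate if a vulnerability with a CVSS score equal to or higher was identified.', 11)
  // NOTE(review): the help text says this option can be given more than once,
  // but a plain `<files>` value keeps only the last occurrence; a variadic
  // `[files...]` declaration would be needed for several suppression files.
  .option('--suppression <files>', 'The file paths to the suppression XML files; used to suppress false positives. This can be specified more than once to utilize multiple suppression files. The argument can be a local file path, a URL to a suppression file, or even a reference to a file on the class path (see https://github.com/jeremylong/DependencyCheck/issues/1878#issuecomment-487533799)')
  .option('-o, --out <path>', 'the folder to write reports to', './dependency-check-reports')
  .option('--bin <path>', 'directory to which the dependency-check CLI will be installed', './dependency-check-bin')
  .option('--force-install', 'install the dependency-check CLI even if there already is one (will be overwritten)');
program.parse(process.argv);
// run() is async: a failed download/install would otherwise surface only as an
// unhandled rejection. Report it and exit non-zero so CI pipelines notice.
run().catch((err) => {
  console.error(err);
  process.exit(1);
});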