DEV Community

Thomas.G for NodeSecure

Posted on • Edited on

NodeSecure v0.9.0

Hello πŸ‘‹,

After more than ten long months of work we are finally there 😡! Version 0.9.0 has been released on npm πŸš€.

This is a version that required a lot of effort. Thank you to everyone who contributed and made this possible πŸ™.

So what are the features of this new release v0.9.0? This is what we will discover in this article πŸ‘€.

For newcomers you can learn more about NodeSecure here or by reading the series.

V0.9.0 πŸ’ͺ

This new version uses the new back-end and especially version 3 of the scanner.

ESM instead of CJS

This is a choice we explained in a previous article. This version has been completely rewritten in ESM.

We also made the choice to abandon Jest which causes too many problems 😟. We now use tape.

Better CLI

All commands are now separated by file and the bin/index.js file has been cleaned of all unnecessary code.

CLI

We are also working on adding UT for each command (which should avoid regressions and allow better contributions).

New front-end network management

This release heavily improves the front-end code with the addition of a package dedicated to vis-network management.

GitHub logo NodeSecure / vis-network

NodeSecure vis.js network front-end module

Vis-network

version Maintenance OpenSSF Scorecard mit build

NodeSecure Vis.js network front-end module.

Getting Started

This package is available in the Node Package Repository and can be easily installed with npm or yarn.

$ npm i @nodesecure/vis-network
# or
$ yarn add @nodesecure/vis-network
Enter fullscreen mode Exit fullscreen mode

Usage example

// Import Third-party Dependencies
import { NodeSecureDataSet, NodeSecureNetwork } from "@nodesecure/vis-network";

document.addEventListener("DOMContentLoaded", async() => {
  const secureDataSet = new NodeSecureDataSet();
  await secureDataSet.init();

  new NodeSecureNetwork(secureDataSet);
});
Enter fullscreen mode Exit fullscreen mode

API

Scripts

The project scripts are used for those who want to test the code.

  • npm start to start an httpserver from ./dist
  • npm run build to build the ./example with esbuild.

Note: The start command run the build command before launching the http server.

Contributors ✨

All Contributors

Thanks goes to these wonderful people (emoji key):

…

This should also allow us to migrate more easily to D3.js in 2022 πŸš€.

Better resolver support

The new version of the scanner has support for github: and git: spec.

The scanner is now able to analyze the following dependencies:

"dependencies": {
  "zen-observable": "^0.8.15",
  "nanoid": "github:ai/nanoid",
  "js-x-ray": "git://github.com/NodeSecure/js-x-ray.git",
  "nanodelay": "git+ssh://git@github.com:ai/nanodelay.git",
  "nanoevents": "git+https://github.com/ai/nanoevents.git"
}
Enter fullscreen mode Exit fullscreen mode

Better payload structure

The structure of JSON has been improved to be more consistent (especially on the management of versions by dependency).

The latest version of the scanner also corrects many inconsistencies in the management of authors and maintainers.

"author": {
  "name": "GENTILHOMME Thomas",
  "email": "gentilhomme.thomas@gmail.com"
},
"publishers": [
  {
    "name": "fraxken",
    "email": "gentilhomme.thomas@gmail.com",
    "version": "2.2.0",
    "at": "2021-11-11T18:18:06.891Z"
  }
],
"maintainers": [
  {
    "name": "kawacrepe",
    "email": "vincent.dhennin@viacesi.fr"
  },
  {
    "name": "fraxken",
    "email": "gentilhomme.thomas@gmail.com"
  },
  {
    "name": "tonygo",
    "email": "gorez.tony@gmail.com"
  }
]
Enter fullscreen mode Exit fullscreen mode

Brand new vulnerabilities management

We have already presented it, but now we use our own package that allows to recover vulnerabilities using several strategies (Security WG, NPM Audit etc..).

GitHub logo NodeSecure / vulnera

Programmatically fetch security vulnerabilities with one or many strategies (NPM Audit, Sonatype, Snyk, Node.js DB).

vulnera

npm version license ossf scorecard github ci workflow

The vuln-era has begun! Programmatically fetch security vulnerabilities with one or many strategies. Originally designed to run and analyze Scanner dependencies it now also runs independently from an npm Manifest.

Requirements

Getting Started

This package is available in the Node Package Repository and can be easily installed with npm or yarn.

$ npm i @nodesecure/vulnera
# or
$ yarn add @nodesecure/vulnera
Enter fullscreen mode Exit fullscreen mode

Usage example

import * as vulnera from "@nodesecure/vulnera";

// Default strategy is currently "none".
await vulnera.setStrategy(vulnera.strategies.NPM_AUDIT);

const definition = await vulnera.getStrategy();
console.log(definition.strategy);

const vulnerabilities = await definition.getVulnerabilities(process.cwd(), {
  useStandardFormat: true
});
console.log(vulnerabilities);
Enter fullscreen mode Exit fullscreen mode

Available strategy

The default strategy is NONE which mean…

This is just the beginning and I think it will soon be a fully featured project. Among the new features there is a new standard format dedicated for NodeSecure:

export interface StandardVulnerability {
    id?: string;
    origin: Origin;
    package: string;
    title: string;
    description?: string;
    url?: string;
    severity?: Severity;
    cves: string[];
    cvssVector?: string;
    cvssScore?: number;
    vulnerableRanges: string[];
    vulnerableVersions: string[];
    patchedVersions?: string;
    patches?: Patch[];
}
Enter fullscreen mode Exit fullscreen mode

Trojan source detection with JS-X-Ray 4.2.0

The new backend implements the version 4 of JS-X-Ray. In this latest release we added a warning for Trojan source.

Documentation and tests

A lot of effort has been put into adding documentation and unit testing to all of the projects.

There is still a long way to go to make this even more accessible and you are welcome to help us.

What's next ?

We are now working as a group on different topics. We have many ongoing projects/subjects:

Conclusion πŸ™

We should be able to produce more frequent releases until the new UI comes.

Thanks again to the core contributors of the project without whom we would not have arrived here today!

See you soon for the release v0.10.0 πŸ’ƒ.

Top comments (0)