96 lines
3.7 KiB
JavaScript
96 lines
3.7 KiB
JavaScript
const fs = require('fs');
|
|
const path = require('path');
|
|
const tableify = require('tableify');
|
|
|
|
// Parse command line arguments
|
|
const args = process.argv.slice(2);
|
|
if (args.length === 2) {
|
|
vulnPath = path.resolve(args[0]);
|
|
pkgLockPath = path.resolve(args[1]);
|
|
} else {
|
|
|
|
}
|
|
|
|
function cleanVersion(version) {
|
|
if (version.startsWith('^')) {
|
|
return version.slice(1);
|
|
} else if (version.startsWith('~')) {
|
|
return version.slice(1);
|
|
} else {
|
|
return version;
|
|
}
|
|
}
|
|
|
|
const rawDataVuln = fs.readFileSync(vulnPath, 'utf8');
|
|
const rawDataPackageLock = fs.readFileSync(pkgLockPath, 'utf8');
|
|
|
|
const vulnJson = JSON.parse(rawDataVuln);
|
|
const packageLockJson = JSON.parse(rawDataPackageLock);
|
|
|
|
let tableOutput = [];
|
|
let htmlOutput = '<html><head><link rel="stylesheet" type="text/css" href="style.css"></head><body>';
|
|
|
|
vulnJson.packages.forEach(vulnPackage => {
|
|
console.log("Package: " + vulnPackage.name + ' (' + vulnPackage.version + ")");
|
|
|
|
for (var packageName in packageLockJson.packages) {
|
|
|
|
if (packageName.includes(vulnPackage.name)) {
|
|
var isVuln = packageLockJson.packages[packageName].version == vulnPackage.version ? "[VULNERABLE] " : "[OK] ";
|
|
var sameMajor = cleanVersion(packageLockJson.packages[packageName].version).split('.')[0] == vulnPackage.version.split('.')[0];
|
|
if (sameMajor) isVuln = "[SAME MAJOR] "
|
|
|
|
tableOutput.push({
|
|
type: "Package",
|
|
flag: isVuln,
|
|
package_name: packageName,
|
|
installed_version: packageLockJson.packages[packageName].version,
|
|
vuln_version: vulnPackage.version
|
|
})
|
|
|
|
}
|
|
|
|
for (var dependencyName in packageLockJson.packages[packageName].dependencies) {
|
|
if (dependencyName.includes(vulnPackage.name)) {
|
|
var isVuln = packageLockJson.packages[packageName].dependencies[dependencyName] == vulnPackage.version ? "[VULNERABLE] " : "[OK] ";
|
|
var sameMajor = cleanVersion(packageLockJson.packages[packageName].dependencies[dependencyName]).split('.')[0] == vulnPackage.version.split('.')[0];
|
|
if (sameMajor) isVuln = "[SAME MAJOR] "
|
|
tableOutput.push({
|
|
type: "Package Dependency",
|
|
flag: isVuln,
|
|
package_name: dependencyName,
|
|
parent: packageName,
|
|
installed_version: packageLockJson.packages[packageName].dependencies[dependencyName],
|
|
vuln_version: vulnPackage.version,
|
|
})
|
|
|
|
}
|
|
}
|
|
|
|
for (var dependencyName in packageLockJson.packages[packageName].devDependencies) {
|
|
if (dependencyName.includes(vulnPackage.name)) {
|
|
var isVuln = packageLockJson.packages[packageName].devDependencies[dependencyName] == vulnPackage.version ? "[VULNERABLE] " : "[OK] ";
|
|
var sameMajor = cleanVersion(packageLockJson.packages[packageName].devDependencies[dependencyName]).split('.')[0] == vulnPackage.version.split('.')[0];
|
|
if (sameMajor) isVuln = "[SAME MAJOR] "
|
|
tableOutput.push({
|
|
type: "Package DevDependency",
|
|
flag: isVuln,
|
|
package_name: dependencyName,
|
|
parent: packageName,
|
|
installed_version: packageLockJson.packages[packageName].devDependencies[dependencyName],
|
|
vuln_version: vulnPackage.version,
|
|
});
|
|
|
|
}
|
|
}
|
|
}
|
|
|
|
htmlOutput += "<h4>" + vulnPackage.name + "</h4>"
|
|
htmlOutput += tableify(tableOutput)
|
|
tableOutput = [];
|
|
});
|
|
|
|
fs.writeFileSync("report.html", htmlOutput + "</body></html>");
|
|
|
|
|