NPM Application Analysis

NEW IN RELEASE 104

What is supported

NPM packages are identified by scanning the following files (the file name must be preserved, because the scanner recognises each format by its exact file name):

  • yarn.lock: auto-generated file for projects using Yarn as package manager. To learn how, please refer to the Yarn documentation.
  • pnpm-lock.yaml: auto-generated file for projects using pnpm as package manager. To learn how, please refer to the pnpm documentation.
  • package-lock.json: auto-generated file for projects using npm as package manager. To learn how, please refer to the npm documentation.
  • npm-shrinkwrap.json: file generated by npm shrinkwrap using the command:
npm shrinkwrap


When only the manifest files are scanned, no information about dependency types will be provided.

When the scan does not include the code files for a project's dependencies, IQ Server uses the application's package-lock.json or other manifest file and attempts to identify dependencies from it. If the scan does include code files, those take precedence over manifest scanning for identification, and the manifests are used to improve the identification of the scanned JavaScript files. See the JavaScript Scanning Guide for more information.

What do we parse from files?

In yarn.lock

The name and version fields are evaluated. For example, the first entry below yields:

  • name: @dangl/angular-material-shared
  • version: 2.0.0
@dangl/angular-material-shared@2.0.0:
  version "2.0.0"

@progress/kendo-theme-material@0.3.2:
  version "0.3.2"

@angular@0.0.1:
  version "0.0.1"

In pnpm-lock.yaml

The name and version fields from the dependencies section are evaluated. For example, the first entry below yields:

  • name: @angular-devkit/schematics
  • version: 8.3.26


dependencies:
  '@angular-devkit/schematics': 8.3.26
  '@angular/animations': 8.2.14_@angular+core@8.2.14
  flickity: 2.2.1
  gsap: 2.1.3
devDependencies:
  autoprefixer: 9.8.0
  babel: 6.23.0
lockfileVersion: 5.1

In package-lock.json

The name and version fields from the dependencies object are evaluated. For example, the file below yields:

  • name: ansi-regex, version: 3.0.0
  • name: wordwrap, version: 0.0.3


{
  "requires": true,
  "lockfileVersion": 1,
  "dependencies": {
    "ansi-regex": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz",
      "integrity": "sha1-7QMXwyIGT3lGbAKWa922Bas32Zg="
    },
    "wordwrap": {
      "version": "0.0.3",
      "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-0.0.3.tgz",
      "integrity": "sha1-o9XabNXAvAAI03I0u68b7WMFkQc="
    }
  }
}

In npm-shrinkwrap.json

The name and version fields from the dependencies object are evaluated. For example, the first entry below yields:

  • name: ansi-regex
  • version: 3.0.0


{
  "requires": true,
  "lockfileVersion": 1,
  "dependencies": {
    "ansi-regex": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz",
      "integrity": "sha1-7QMXwyIGT3lGbAKWa922Bas32Zg="
    },
    "wordwrap": {
      "version": "0.0.3",
      "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-0.0.3.tgz",
      "integrity": "sha1-o9XabNXAvAAI03I0u68b7WMFkQc="
    }
  }
}
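To make the four rules above concrete, here is an added example (not Sonatype's code, and not how IQ Server is implemented) that extracts exactly the name/version pairs the sections above describe from each lockfile type. It assumes: Yarn v1 lockfile syntax, where one header line can carry several specifiers separated by commas and the package name is everything before the last "@"; pnpm lockfileVersion 5.x, where a version may carry a peer-dependency qualifier after an underscore (as in 8.2.14_@angular+core@8.2.14, whose version is 8.2.14); and npm lockfileVersion 1, where transitive dependencies are nested in a dependency's own "dependencies" object (the page's flat examples are one instance of that shape). The sample inputs are constructed for the example. The resolved and integrity fields are deliberately ignored, because only name and version take part in the identification described here.

```javascript
"use strict";

// Yarn v1 lockfile. Header lines are unindented, e.g.
//   "@dangl/angular-material-shared@2.0.0":
//   lodash@^4.17.0, lodash@^4.17.15:
// and the resolved version follows on an indented `version "x.y.z"` line.
function parseYarnLock(text) {
  const found = [];
  let currentNames = null;
  for (const raw of text.split(/\r?\n/)) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {
      // Header: one or more "name@range" specifiers, possibly quoted.
      const specs = raw.replace(/:\s*$/, "").split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      currentNames = new Set(specs.map((spec) => {
        const at = spec.lastIndexOf("@");        // last "@" separates name from range
        return at > 0 ? spec.slice(0, at) : spec; // scoped names start with "@"
      }));
      continue;
    }
    const m = raw.match(/^\s+version\s+"([^"]+)"/);
    if (m && currentNames) {
      for (const name of currentNames) found.push({ name, version: m[1] });
      currentNames = null; // only the entry's own version line counts
    }
  }
  return found;
}

// pnpm-lock.yaml, lockfileVersion 5.x. Under a top-level section each line is
// `name: version`, where version may carry a `_peer-qualifier` suffix. Semver
// never contains "_", so the text before the first "_" is the version.
// By default only the `dependencies` section is read (as the page states);
// pass ["dependencies", "devDependencies"] to include dev dependencies too.
function parsePnpmLock(text, sections = ["dependencies"]) {
  const found = [];
  let inWanted = false;
  for (const raw of text.split(/\r?\n/)) {
    if (!raw.trim()) continue;
    if (!/^\s/.test(raw)) {            // top-level key decides the section
      inWanted = sections.includes(raw.replace(/:\s*$/, ""));
      continue;
    }
    if (!inWanted) continue;
    const m = raw.match(/^\s+'?([^':]+)'?:\s*(\S+)/);
    if (m) found.push({ name: m[1], version: m[2].split("_")[0] });
  }
  return found;
}

// package-lock.json / npm-shrinkwrap.json, lockfileVersion 1. The
// `dependencies` object maps name -> { version, resolved, integrity, ... };
// transitive dependencies nest as another `dependencies` object, so recurse.
function parseNpmLock(jsonText) {
  const lock = JSON.parse(jsonText);
  const found = [];
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (typeof entry.version === "string") found.push({ name, version: entry.version });
      if (entry.dependencies) walk(entry.dependencies);
    }
  };
  walk(lock.dependencies);
  return found;
}

// Dispatch on the exact base file name, mirroring the page's note that the
// file name must be preserved for the file to be recognised.
function parseLockfile(fileName, text) {
  const base = fileName.split(/[\\/]/).pop();
  switch (base) {
    case "yarn.lock": return parseYarnLock(text);
    case "pnpm-lock.yaml": return parsePnpmLock(text);
    case "package-lock.json":
    case "npm-shrinkwrap.json": return parseNpmLock(text);
    default: throw new Error(`unsupported manifest file name: ${base}`);
  }
}

// Constructed sample inputs, shaped like the examples on this page.
const SAMPLE_YARN = `# yarn lockfile v1

"@dangl/angular-material-shared@2.0.0":
  version "2.0.0"

lodash@^4.17.0, lodash@^4.17.15:
  version "4.17.21"
`;
const SAMPLE_PNPM = `dependencies:
  '@angular/animations': 8.2.14_@angular+core@8.2.14
  flickity: 2.2.1
devDependencies:
  autoprefixer: 9.8.0
lockfileVersion: 5.1
`;
const SAMPLE_NPM = JSON.stringify({
  requires: true, lockfileVersion: 1,
  dependencies: {
    "ansi-regex": { version: "3.0.0", dependencies: { wordwrap: { version: "0.0.3" } } },
  },
});

for (const [file, text] of [["yarn.lock", SAMPLE_YARN], ["pnpm-lock.yaml", SAMPLE_PNPM],
                            ["sub/npm-shrinkwrap.json", SAMPLE_NPM]]) {
  console.log(file, parseLockfile(file, text));
}
```

Run it with node; each lockfile prints a list of { name, version } objects. Note that a renamed file (for example package-lock.json.bak) is rejected by the dispatcher, which is the same failure mode you hit when the scanner cannot recognise a file whose name was not preserved.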

Integrations with NPM scanning support

For yarn.lock files

  • CLI from version 104
  • Jenkins from version 3.10.20210222-102732.7875f67
  • Bamboo - Coming soon

For pnpm-lock.yaml files

  • CLI from version 104
  • Jenkins from version 3.10.20210222-102732.7875f67 
  • Bamboo - Coming soon

For package-lock.json files

  • CLI from version 104
  • Jenkins from version 3.10.20210222-102732.7875f67 
  • Bamboo - Coming soon

For npm-shrinkwrap.json files

  • CLI from version 104
  • Jenkins from version 3.10.20210222-102732.7875f67 
  • Bamboo - Coming soon

Improvements

The latest version of Jenkins plugin (3.11.20210308-082521.0d183ff) includes some improvements for NPM manifest scanning.


Steps to analyze using the CLI

Run a scan

Invoke a CLI scan of a directory or subdirectories containing yarn.lock, pnpm-lock.yaml, package-lock.json or npm-shrinkwrap.json.  Instructions on how to do this can be found here:  Nexus IQ CLI.

Example pnpm-lock.yaml File

dependencies:
  '@angular-devkit/schematics': 8.3.26
  '@angular/animations': 8.2.14_@angular+core@8.2.14
  '@angular/cdk': 8.2.3_ecb0ad61817e3ede6ce462931a5e5041
  '@angular/common': 8.2.14_@angular+core@8.2.14+rxjs@6.5.5
  '@angular/compiler': 8.2.14
  '@angular/core': 8.2.14_rxjs@6.5.5+zone.js@0.9.1
  '@angular/elements': 9.1.0_5dbe97cf526e909ce017b32660e1dfa2
  '@angular/flex-layout': 8.0.0-beta.27_fcb66472661cf7006779f1ffca141d00
  '@angular/forms': 8.2.14_74d90aeb615cd9f11c1fac602853736e
  '@angular/material': 8.2.3_ef4898901e1601d82670668a3526c1c5
  '@angular/platform-browser': 8.2.14_ecb0ad61817e3ede6ce462931a5e5041
  '@angular/platform-browser-dynamic': 8.2.14_4c5c48e73106d2e9b7131da2a9d6eb8e
  '@angular/router': 8.2.14_74d90aeb615cd9f11c1fac602853736e
  '@ng-bootstrap/ng-bootstrap': 5.3.0_ea98ff5bf1988595f509fb24f9716fa4
  '@ngtools/webpack': 8.3.26_849a31e8946bd7877e26a3c836d4837d
  '@webcomponents/custom-elements': 1.4.1
  bootstrap: 4.5.0
  compass-mixins: 0.12.10
  parallax-js: 3.1.0
  prismjs: 1.20.0
  pxloader: 1.1.2
  save: 2.4.0
  scrollmagic: 2.0.7
  typed.js: 2.0.11
devDependencies:
  autoprefixer: 9.8.0
  babel: 6.23.0
  babel-core: 6.26.3
  babel-loader: 7.1.5_babel-core@6.26.3+webpack@4.43.0
  webpack-shell-plugin: 0.5.0
lockfileVersion: 5.1


Output from CLI

Dashboard results

Report results


Steps to analyze using the Jenkins plugin

By default, the Jenkins plugin does not evaluate yarn.lock, pnpm-lock.yaml, package-lock.json or npm-shrinkwrap.json files. A custom scan target is needed; the following pipeline step adds a scan pattern for each of the four files:

nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/npm-shrinkwrap.json'], [scanPattern: '**/package-lock.json'], [scanPattern: '**/yarn.lock'], [scanPattern: '**/pnpm-lock.yaml']], iqStage: 'build'

To find more information on how to configure Jenkins please go to the Nexus Platform Plugin for Jenkins.