NPM Application Analysis

NEW IN RELEASE 104

What is supported

NPM packages by scanning the following files (file name must be preserved):

yarn.lock: auto-generated file for projects using Yarn as package manager. To learn how, please refer to documentation
pnpm-lock.yaml : auto-generated file for projects using pnpm as package manager. To learn how, please refer to documentation
package-lock.json : auto-generated file for projects using npm as package manager. To learn how, please refer to documentation
npm-shrinkwrap.json: file generated by npm shrinkwrap using the command:

npm shrinkwrap

When scanning only the files no information about dependency types will be provided.

What do we parse from files?

In yarn.lock

Name and version fields will be evaluated. For example:

name: @dangl/angular-material-shared
version: 2.0.0

@dangl/angular-material-shared@2.0.0:
  version "2.0.0"

@progress/kendo-theme-material@0.3.2:
  version "0.3.2"

@angular@0.0.1:
  version "0.0.1"

In pnpm-lock.yaml

Name and version fields from section dependencies will be evaluated. For example:

name: @angular-devkit/schematics
version: 8.3.26

dependencies:
   @angular-devkit/schematics: 8.3.26
   @angular/animations: 8.2.14_@angular+core@8.2.14
   flickity: 2.2.1
   gsap: 2.1.3
devDependencies:
   autoprefixer: 9.8.0
   babel: 6.23.0
lockfileVersion: 5.1

In package-lock.json

Name and version fields from dependencies objects will be evaluated. For example:

name	version
ansi-regex	3.0.0
wordwrap	0.0.3

{
  "requires": true,
  "lockfileVersion": 1,
  "dependencies": {
    "ansi-regex": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz",
      "integrity": "sha1-7QMXwyIGT3lGbAKWa922Bas32Zg="
    },
    "wordwrap": {
      "version": "0.0.3",
      "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-0.0.3.tgz",
      "integrity": "sha1-o9XabNXAvAAI03I0u68b7WMFkQc="
    }
  }
}

In npm-shrinkwrap.json

Name and version fields from dependencies object will be evaluated. For example:

name: ansi-regex
version: 3.0.0

{
  "requires": true,
  "lockfileVersion": 1,
  "dependencies": {
    "ansi-regex": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz",
      "integrity": "sha1-7QMXwyIGT3lGbAKWa922Bas32Zg="
    },
    "wordwrap": {
      "version": "0.0.3",
      "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-0.0.3.tgz",
      "integrity": "sha1-o9XabNXAvAAI03I0u68b7WMFkQc="
    }
  }
}

Integrations with NPM scanning support

For yarn.lock files

CLI from version 104
Jenkins - Coming Soon
Bamboo - Coming Soon

For pnpm-lock.yaml files

CLI from version 104
Jenkins - Coming Soon
Bamboo - Coming Soon

For package-lock.json files

CLI from version 104
Jenkins - Coming Soon
Bamboo - Coming Soon

For npm-shrinkwrap.json files

CLI from version 104
Jenkins - Coming Soon
Bamboo - Coming Soon

Steps to analyze using the CLI

Run a scan

Invoke a CLI scan of a directory or subdirectories containing yarn.lock, pnpm-lock.yaml, package-lock.json or npm-shrinkwrap.json. Instructions on how to do this can be found here: Nexus IQ CLI.

Example pnpm-lock.yaml File

dependencies:
  '@angular-devkit/schematics': 8.3.26
  '@angular/animations': 8.2.14_@angular+core@8.2.14
  '@angular/cdk': 8.2.3_ecb0ad61817e3ede6ce462931a5e5041
  '@angular/common': 8.2.14_@angular+core@8.2.14+rxjs@6.5.5
  '@angular/compiler': 8.2.14
  '@angular/core': 8.2.14_rxjs@6.5.5+zone.js@0.9.1
  '@angular/elements': 9.1.0_5dbe97cf526e909ce017b32660e1dfa2
  '@angular/flex-layout': 8.0.0-beta.27_fcb66472661cf7006779f1ffca141d00
  '@angular/forms': 8.2.14_74d90aeb615cd9f11c1fac602853736e
  '@angular/material': 8.2.3_ef4898901e1601d82670668a3526c1c5
  '@angular/platform-browser': 8.2.14_ecb0ad61817e3ede6ce462931a5e5041
  '@angular/platform-browser-dynamic': 8.2.14_4c5c48e73106d2e9b7131da2a9d6eb8e
  '@angular/router': 8.2.14_74d90aeb615cd9f11c1fac602853736e
  '@ng-bootstrap/ng-bootstrap': 5.3.0_ea98ff5bf1988595f509fb24f9716fa4
  '@ngtools/webpack': 8.3.26_849a31e8946bd7877e26a3c836d4837d
  '@webcomponents/custom-elements': 1.4.1
   bootstrap: 4.5.0
   compass-mixins: 0.12.10
   parallax-js: 3.1.0
   prismjs: 1.20.0
   pxloader: 1.1.2
   save: 2.4.0
   scrollmagic: 2.0.7
   typed.js: 2.0.11
devDependencies:
   autoprefixer: 9.8.0
   babel: 6.23.0
   babel-core: 6.26.3
   babel-loader: 7.1.5_babel-core@6.26.3+webpack@4.43.0
 webpack-shell-plugin: 0.5.0
lockfileVersion: 5.1

Output from CLI

Dashboard results

Report results

Steps to analyze using the Jenkins plugin

By default, the Jenkins plugin will not evaluate the yarn.lock, pnpm-lock.yaml, package-lock.json or npm-shrinkwrap.json files. A custom Scan Target is needed.
Example Pipeline Script with Scan Patterns

nexusPolicyEvaluation iqApplication:  'SampApp' , iqScanPatterns: [[scanPattern:  '**/npm-shrinkwrap.json' ], [scanPattern:  '**/package-lock.json'], [scanPattern:  '**/yarn.lock'], [scanPattern:  '**/pnpm-lock.yaml']], iqStage:  'build'

To find more information on how to configure Jenkins please go to the Nexus Platform Plugin for Jenkins.

Steps to analyze using the Bamboo plugin

Bamboo Scan Targets control what files are examined. To evaluate NPM, add yarn.lock, pnpm-lock.yaml, package-lock.json or npm-shrinkwrap.json to the scan targets via "**/npm-shrinkwrap.json". To find more information on how to configure Bamboo please go to the Nexus IQ for Bamboo.