NPM Application Analysis

NEW IN RELEASE 104

What is supported

NPM packages are analyzed by scanning the following files (the file name must be preserved):

  • yarn.lock: auto-generated file for projects using Yarn as package manager. To learn how, please refer to the Yarn documentation.
  • pnpm-lock.yaml: auto-generated file for projects using pnpm as package manager. To learn how, please refer to the pnpm documentation.
  • package-lock.json: auto-generated file for projects using npm as package manager. To learn how, please refer to the npm documentation.
  • npm-shrinkwrap.json: file generated by npm shrinkwrap using the command:
    npm shrinkwrap


When only these lock files are scanned, no information about dependency types (for example, production versus development dependencies) will be provided.

What do we parse from files?

In yarn.lock

Name and version fields will be evaluated. For example:

  • name: @dangl/angular-material-shared
  • version: 2.0.0

@dangl/angular-material-shared@2.0.0:
  version "2.0.0"

@progress/kendo-theme-material@0.3.2:
  version "0.3.2"

@angular@0.0.1:
  version "0.0.1"

In pnpm-lock.yaml

Name and version fields from the dependencies section will be evaluated. For example:

  • name: @angular-devkit/schematics
  • version: 8.3.26


dependencies:
  @angular-devkit/schematics: 8.3.26
  @angular/animations: 8.2.14_@angular+core@8.2.14
  flickity: 2.2.1
  gsap: 2.1.3
devDependencies:
  autoprefixer: 9.8.0
  babel: 6.23.0
lockfileVersion: 5.1

In package-lock.json

Name and version fields from the dependencies object will be evaluated. For example:

  name        version
  ansi-regex  3.0.0
  wordwrap    0.0.3


{
  "requires": true,
  "lockfileVersion": 1,
  "dependencies": {
    "ansi-regex": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz",
      "integrity": "sha1-7QMXwyIGT3lGbAKWa922Bas32Zg="
    },
    "wordwrap": {
      "version": "0.0.3",
      "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-0.0.3.tgz",
      "integrity": "sha1-o9XabNXAvAAI03I0u68b7WMFkQc="
    }
  }
}

In npm-shrinkwrap.json

Name and version fields from the dependencies object will be evaluated. For example:

  • name: ansi-regex
  • version: 3.0.0


{
  "requires": true,
  "lockfileVersion": 1,
  "dependencies": {
    "ansi-regex": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz",
      "integrity": "sha1-7QMXwyIGT3lGbAKWa922Bas32Zg="
    },
    "wordwrap": {
      "version": "0.0.3",
      "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-0.0.3.tgz",
      "integrity": "sha1-o9XabNXAvAAI03I0u68b7WMFkQc="
    }
  }
}
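The four sections above describe which fields are read from each lock file. The following Python is an added example, not Nexus IQ's parser, that extracts the same (name, version) pairs from yarn.lock, pnpm-lock.yaml and package-lock.json / npm-shrinkwrap.json content, using constructed samples modelled on the page's examples. It assumes that the "_..." suffix pnpm v5 appends to a version is peer-resolution metadata and goes one step beyond the page by also walking nested "dependencies" objects in lockfileVersion 1 files.

```python
import json
import re

# yarn.lock v1 entry header, e.g. '@dangl/angular-material-shared@2.0.0:'
YARN_HEADER = re.compile(r'^"?(@?[^@"\s]+)@[^:]*"?:$')
YARN_VERSION = re.compile(r'^\s+version\s+"([^"]+)"')

# Constructed samples mirroring the page's examples (not real project lock files)
YARN_SAMPLE = '@dangl/angular-material-shared@2.0.0:\n  version "2.0.0"\n\n@angular@0.0.1:\n  version "0.0.1"\n'
PNPM_SAMPLE = "dependencies:\n  '@angular-devkit/schematics': 8.3.26\n  '@angular/animations': 8.2.14_@angular+core@8.2.14\ndevDependencies:\n  autoprefixer: 9.8.0\nlockfileVersion: 5.1\n"
LOCK_SAMPLE = '{"lockfileVersion": 1, "dependencies": {"ansi-regex": {"version": "3.0.0"}, "wordwrap": {"version": "0.0.3"}}}'


def parse_yarn_lock(text):
    """Return [(name, version)] from yarn.lock v1 content (hand-rolled parser)."""
    found, name = [], None
    for line in text.splitlines():
        header = YARN_HEADER.match(line)
        if header:  # new entry: remember its name, then wait for the version line
            name = header.group(1)
            continue
        version = YARN_VERSION.match(line)
        if version and name:
            found.append((name, version.group(1)))
            name = None
    return found


def parse_pnpm_lock(text, section="dependencies"):
    """Return [(name, version)] for one top-level section of pnpm-lock.yaml v5."""
    found, inside = [], False
    for line in filter(str.strip, text.splitlines()):
        if line[0] not in " \t":  # top-level key: entering or leaving the section
            inside = line.rstrip() == section + ":"
            continue
        if inside and ":" in line:
            key, _, value = line.strip().partition(":")
            # Assumption: pnpm v5 appends peer metadata after '_' (8.2.14_@angular+core@8.2.14)
            found.append((key.strip().strip("'\""), value.strip().split("_", 1)[0]))
    return found


def parse_package_lock(text):
    """Return [(name, version)] from package-lock.json / npm-shrinkwrap.json v1."""
    found = []
    def walk(deps):  # recurse so nested, non-hoisted dependencies are found too
        for name, info in deps.items():
            if "version" in info:
                found.append((name, info["version"]))
            walk(info.get("dependencies", {}))
    walk(json.loads(text).get("dependencies", {}))
    return found
```

Comparing the pairs these functions return against the component list in a Nexus IQ report is a quick way to confirm that every lock file in a repository was actually picked up by the scan.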

Integrations with NPM scanning support

For yarn.lock files

  • CLI from version 104
  • Jenkins - Coming Soon
  • Bamboo - Coming Soon

For pnpm-lock.yaml files

  • CLI from version 104
  • Jenkins - Coming Soon
  • Bamboo - Coming Soon

For package-lock.json files

  • CLI from version 104
  • Jenkins - Coming Soon
  • Bamboo - Coming Soon

For npm-shrinkwrap.json files

  • CLI from version 104
  • Jenkins - Coming Soon
  • Bamboo - Coming Soon

Steps to analyze using the CLI

Run a scan

Invoke a CLI scan of a directory or its subdirectories containing yarn.lock, pnpm-lock.yaml, package-lock.json or npm-shrinkwrap.json. Instructions on how to do this can be found in the Nexus IQ CLI documentation.

Example pnpm-lock.yaml File

dependencies:
  '@angular-devkit/schematics': 8.3.26
  '@angular/animations': 8.2.14_@angular+core@8.2.14
  '@angular/cdk': 8.2.3_ecb0ad61817e3ede6ce462931a5e5041
  '@angular/common': 8.2.14_@angular+core@8.2.14+rxjs@6.5.5
  '@angular/compiler': 8.2.14
  '@angular/core': 8.2.14_rxjs@6.5.5+zone.js@0.9.1
  '@angular/elements': 9.1.0_5dbe97cf526e909ce017b32660e1dfa2
  '@angular/flex-layout': 8.0.0-beta.27_fcb66472661cf7006779f1ffca141d00
  '@angular/forms': 8.2.14_74d90aeb615cd9f11c1fac602853736e
  '@angular/material': 8.2.3_ef4898901e1601d82670668a3526c1c5
  '@angular/platform-browser': 8.2.14_ecb0ad61817e3ede6ce462931a5e5041
  '@angular/platform-browser-dynamic': 8.2.14_4c5c48e73106d2e9b7131da2a9d6eb8e
  '@angular/router': 8.2.14_74d90aeb615cd9f11c1fac602853736e
  '@ng-bootstrap/ng-bootstrap': 5.3.0_ea98ff5bf1988595f509fb24f9716fa4
  '@ngtools/webpack': 8.3.26_849a31e8946bd7877e26a3c836d4837d
  '@webcomponents/custom-elements': 1.4.1
  bootstrap: 4.5.0
  compass-mixins: 0.12.10
  parallax-js: 3.1.0
  prismjs: 1.20.0
  pxloader: 1.1.2
  save: 2.4.0
  scrollmagic: 2.0.7
  typed.js: 2.0.11
devDependencies:
  autoprefixer: 9.8.0
  babel: 6.23.0
  babel-core: 6.26.3
  babel-loader: 7.1.5_babel-core@6.26.3+webpack@4.43.0
  webpack-shell-plugin: 0.5.0
lockfileVersion: 5.1


Output from CLI

Dashboard results

Report results


Steps to analyze using the Jenkins plugin

By default, the Jenkins plugin will not evaluate the yarn.lock, pnpm-lock.yaml, package-lock.json or npm-shrinkwrap.json files. A custom Scan Target is needed.

Example Pipeline Script with Scan Patterns

nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/npm-shrinkwrap.json'], [scanPattern: '**/package-lock.json'], [scanPattern: '**/yarn.lock'], [scanPattern: '**/pnpm-lock.yaml']], iqStage: 'build'

For more information on how to configure Jenkins, please refer to the Nexus Platform Plugin for Jenkins documentation.

Steps to analyze using the Bamboo plugin

Bamboo Scan Targets control which files are examined. To evaluate NPM, add yarn.lock, pnpm-lock.yaml, package-lock.json or npm-shrinkwrap.json to the scan targets with a pattern such as "**/npm-shrinkwrap.json". For more information on how to configure Bamboo, please refer to the Nexus IQ for Bamboo documentation.