NPM Application Analysis
NEW IN RELEASE 104
What is supported
NPM packages are identified by scanning the following files (the file name must be preserved). Lock files record the exact versions that were resolved at install time, so the analysis reflects what is actually installed rather than the version ranges declared in package.json:
- yarn.lock: auto-generated file for projects using Yarn as the package manager. To learn how it is generated, please refer to the Yarn documentation.
- pnpm-lock.yaml: auto-generated file for projects using pnpm as the package manager. To learn how it is generated, please refer to the pnpm documentation.
- package-lock.json: auto-generated file for projects using npm as the package manager. To learn how it is generated, please refer to the npm documentation.
- npm-shrinkwrap.json: file generated by npm shrinkwrap using the command:
npm shrinkwrap
What do we parse from files?
In yarn.lock
Name and version fields will be evaluated. For example:
- name: @dangl/angular-material-shared
- version: 2.0.0
@dangl/angular-material-shared@2.0.0:
  version "2.0.0"

@progress/kendo-theme-material@0.3.2:
  version "0.3.2"

@angular@0.0.1:
  version "0.0.1"
In pnpm-lock.yaml
Name and version fields from section dependencies will be evaluated. For example:
- name: @angular-devkit/schematics
- version: 8.3.26
dependencies:
  @angular-devkit/schematics: 8.3.26
  @angular/animations: 8.2.14_@angular+core@8.2.14
  flickity: 2.2.1
  gsap: 2.1.3
devDependencies:
  autoprefixer: 9.8.0
  babel: 6.23.0
lockfileVersion: 5.1
In package-lock.json
Name and version fields from dependencies objects will be evaluated. For example:
name       | version
-----------|--------
ansi-regex | 3.0.0
wordwrap   | 0.0.3

{
  "requires": true,
  "lockfileVersion": 1,
  "dependencies": {
    "ansi-regex": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz",
      "integrity": "sha1-7QMXwyIGT3lGbAKWa922Bas32Zg="
    },
    "wordwrap": {
      "version": "0.0.3",
      "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-0.0.3.tgz",
      "integrity": "sha1-o9XabNXAvAAI03I0u68b7WMFkQc="
    }
  }
}
In npm-shrinkwrap.json
Name and version fields from dependencies object will be evaluated. For example:
- name: ansi-regex
- version: 3.0.0
{
  "requires": true,
  "lockfileVersion": 1,
  "dependencies": {
    "ansi-regex": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz",
      "integrity": "sha1-7QMXwyIGT3lGbAKWa922Bas32Zg="
    },
    "wordwrap": {
      "version": "0.0.3",
      "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-0.0.3.tgz",
      "integrity": "sha1-o9XabNXAvAAI03I0u68b7WMFkQc="
    }
  }
}
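As an added example (not Nexus IQ's own parser, and using only the Python standard library), the following script pulls the same name/version pairs out of each of the four lock-file formats described above, dispatching on the exact file name as the scanner requires. The sample inputs are constructed from the fragments on this page. Two points go beyond what the page documents and are assumptions about the formats rather than anything the scanner states: the `_` suffix in a pnpm version such as `8.2.14_@angular+core@8.2.14` (or a hash in that position) is treated as peer-dependency metadata and stripped, and a package-lock.json with lockfileVersion 2 or 3 that has only a `packages` map is read from that map, keyed by install path, instead of from `dependencies`.

```python
"""(name, version) extraction from the four npm lock-file formats the page lists.
Added example (standard library only), not Nexus IQ's own parser; the sample
inputs are constructed from the fragments shown on the page."""
import json
import re


def parse_yarn_lock(text):
    """yarn.lock v1: an unindented header `"name@range", "name@range2":` is followed
    by an indented `version "x.y.z"` line.  Returns a list of (name, version)."""
    results, name = [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            selector = line.rstrip()[:-1].split(",")[0].strip().strip('"')
            at = selector.rfind("@")  # split at the last "@": scoped names start with one
            name = selector[:at] if at > 0 else selector
            continue
        m = re.match(r'\s+version\s+"?([^"\s]+)"?\s*$', line)
        if m and name is not None:
            results.append((name, m.group(1)))
            name = None
    return results


def _strip_peer_suffix(version):
    """Assumed pnpm encoding: `8.2.14_@angular+core@8.2.14` appends the resolved peer
    dependencies (or a hash of them) after `_`; the package version precedes it."""
    return version.split("_", 1)[0]


def parse_pnpm_lock(text, sections=("dependencies", "devDependencies")):
    """Walk the top-level `dependencies`/`devDependencies` maps of a lockfile 5.x
    file without a YAML library; entries are flat `name: version` lines."""
    results, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:  # a new top-level key; only the listed sections are read
            section = stripped.rstrip(":") if stripped.rstrip(":") in sections else None
        elif section and indent == 2:
            key, _, value = stripped.partition(":")
            if value.strip():
                results.append((key.strip().strip("'\""),
                                _strip_peer_suffix(value.strip().strip("'\""))))
    return results


def parse_package_lock(text):
    """package-lock.json and npm-shrinkwrap.json share a schema.  lockfileVersion 1
    nests transitive packages under each entry's own `dependencies`, so recurse.
    Beyond the page: a v2/v3 file with only a `packages` map is read from that."""
    data, results = json.loads(text), []

    def walk(deps):
        for name, entry in (deps or {}).items():
            if "version" in entry:
                results.append((name, entry["version"]))
            walk(entry.get("dependencies"))

    if "dependencies" in data:
        walk(data["dependencies"])
    elif "packages" in data:
        for path, entry in data["packages"].items():
            if path and "version" in entry:  # "" is the root project itself
                name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
                results.append((name, entry["version"]))
    return results


PARSERS = {"yarn.lock": parse_yarn_lock, "pnpm-lock.yaml": parse_pnpm_lock,
           "package-lock.json": parse_package_lock,
           "npm-shrinkwrap.json": parse_package_lock}


def parse_lockfile(path, text):
    """Dispatch on the exact base name (hence "file name must be preserved");
    returns a sorted, de-duplicated list of (name, version)."""
    basename = path.replace("\\", "/").rsplit("/", 1)[-1]
    if basename not in PARSERS:
        raise ValueError(f"not a supported npm lock file: {path}")
    return sorted(set(PARSERS[basename](text)))


# Constructed sample inputs (built from the page's fragments, not real projects).
YARN_LOCK = '''# yarn lockfile v1
"@dangl/angular-material-shared@2.0.0":
  version "2.0.0"
ansi-regex@^3.0.0:
  version "3.0.0"
'''
PNPM_LOCK = '''lockfileVersion: 5.1
dependencies:
  '@angular/animations': 8.2.14_@angular+core@8.2.14
  flickity: 2.2.1
devDependencies:
  autoprefixer: 9.8.0
packages:
'''
PACKAGE_LOCK = json.dumps({"requires": True, "lockfileVersion": 1, "dependencies": {
    "ansi-regex": {"version": "3.0.0", "integrity": "sha1-7QMXwyIGT3lGbAKWa922Bas32Zg="},
    "wordwrap": {"version": "0.0.3", "dependencies": {"ansi-regex": {"version": "2.1.1"}}}}})
```

Calling `parse_lockfile("npm-shrinkwrap.json", PACKAGE_LOCK)` returns three pairs, including both versions of ansi-regex, because a lockfileVersion 1 file nests a transitively pinned version under the package that needs it. Two caveats: pnpm lockfile 6.x nests a `version:` line under each entry and encodes peers in parentheses, which this v5-only walker does not read; and, as on the page, only name and version are consumed, so the `integrity` hash is not checked here; that verification is done by the package manager at install time, not by this component identification.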
Integrations with NPM scanning support
For yarn.lock files
- CLI from version 104
- Jenkins - Coming Soon
- Bamboo - Coming Soon
For pnpm-lock.yaml files
- CLI from version 104
- Jenkins - Coming Soon
- Bamboo - Coming Soon
For package-lock.json files
- CLI from version 104
- Jenkins - Coming Soon
- Bamboo - Coming Soon
For npm-shrinkwrap.json files
- CLI from version 104
- Jenkins - Coming Soon
- Bamboo - Coming Soon
Steps to analyze using the CLI
Run a scan
Invoke a CLI scan of a directory or subdirectories containing yarn.lock, pnpm-lock.yaml, package-lock.json or npm-shrinkwrap.json. Instructions on how to do this can be found here: Nexus IQ CLI.
Example pnpm-lock.yaml File
dependencies:
  '@angular-devkit/schematics': 8.3.26
  '@angular/animations': 8.2.14_@angular+core@8.2.14
  '@angular/cdk': 8.2.3_ecb0ad61817e3ede6ce462931a5e5041
  '@angular/common': 8.2.14_@angular+core@8.2.14+rxjs@6.5.5
  '@angular/compiler': 8.2.14
  '@angular/core': 8.2.14_rxjs@6.5.5+zone.js@0.9.1
  '@angular/elements': 9.1.0_5dbe97cf526e909ce017b32660e1dfa2
  '@angular/flex-layout': 8.0.0-beta.27_fcb66472661cf7006779f1ffca141d00
  '@angular/forms': 8.2.14_74d90aeb615cd9f11c1fac602853736e
  '@angular/material': 8.2.3_ef4898901e1601d82670668a3526c1c5
  '@angular/platform-browser': 8.2.14_ecb0ad61817e3ede6ce462931a5e5041
  '@angular/platform-browser-dynamic': 8.2.14_4c5c48e73106d2e9b7131da2a9d6eb8e
  '@angular/router': 8.2.14_74d90aeb615cd9f11c1fac602853736e
  '@ng-bootstrap/ng-bootstrap': 5.3.0_ea98ff5bf1988595f509fb24f9716fa4
  '@ngtools/webpack': 8.3.26_849a31e8946bd7877e26a3c836d4837d
  '@webcomponents/custom-elements': 1.4.1
  bootstrap: 4.5.0
  compass-mixins: 0.12.10
  parallax-js: 3.1.0
  prismjs: 1.20.0
  pxloader: 1.1.2
  save: 2.4.0
  scrollmagic: 2.0.7
  typed.js: 2.0.11
devDependencies:
  autoprefixer: 9.8.0
  babel: 6.23.0
  babel-core: 6.26.3
  babel-loader: 7.1.5_babel-core@6.26.3+webpack@4.43.0
  webpack-shell-plugin: 0.5.0
lockfileVersion: 5.1
Output from CLI
Dashboard results
Report results
Steps to analyze using the Jenkins plugin
By default, the Jenkins plugin will not evaluate the yarn.lock, pnpm-lock.yaml, package-lock.json or npm-shrinkwrap.json files. A custom Scan Target is needed.
Example Pipeline Script with Scan Patterns
nexusPolicyEvaluation iqApplication: 'SampApp',
    iqScanPatterns: [[scanPattern: '**/npm-shrinkwrap.json'],
                     [scanPattern: '**/package-lock.json'],
                     [scanPattern: '**/yarn.lock'],
                     [scanPattern: '**/pnpm-lock.yaml']],
    iqStage: 'build'
To find more information on how to configure Jenkins please go to the Nexus Platform Plugin for Jenkins.
Steps to analyze using the Bamboo plugin
Bamboo Scan Targets control which files are examined. To evaluate NPM, add yarn.lock, pnpm-lock.yaml, package-lock.json or npm-shrinkwrap.json to the scan targets with patterns such as "**/npm-shrinkwrap.json", "**/package-lock.json", "**/yarn.lock" and "**/pnpm-lock.yaml". To find more information on how to configure Bamboo, please go to Nexus IQ for Bamboo.