NPM Application Analysis

NEW IN RELEASE 104

What is supported

NPM packages, identified by scanning the following files (the file name must be preserved):

Filename              Generated by
yarn.lock             Yarn package manager v1
                      Yarn package manager v2 (NEW IN RELEASE 123)
pnpm-lock.yaml        pnpm package manager
package-lock.json     npm package manager v6
npm-shrinkwrap.json   npm package manager v7 (NEW IN RELEASE 123)
                      If both files are present in the scan, preference is given to the npm-shrinkwrap.json file.
package.json          (optional) Auto-generated package manifest file for all of the package managers above. If included, the scan will attempt to identify the dependency types (i.e. direct vs. transitive) in the result. (NEW IN RELEASE 123)

When the scan does not include the code files for a project's dependencies, IQ Server will use the application's package-lock.json (or other manifest file) and attempt to identify dependencies based on it. If the scan does include code files, those take precedence over manifest scanning for identification, and the manifests are used to improve the identification of the scanned JavaScript files. See the JavaScript Scanning Guide for more information.

What do we parse from files?

In yarn.lock

Name and version fields will be evaluated. For example:

  • name: @dangl/angular-material-shared
  • version: 2.0.0

@dangl/angular-material-shared@2.0.0:
  version "2.0.0"

@progress/kendo-theme-material@0.3.2:
  version "0.3.2"

@angular@0.0.1:
  version "0.0.1"

In pnpm-lock.yaml

Name and version fields from packages and dependencies objects will be evaluated. For example:

  • name: @angular-devkit/schematics
  • version: 8.3.26


lockfileVersion: 5.3

specifiers:
  '@angular-devkit/schematics': 8.3.26

dependencies:
  '@angular-devkit/schematics': 8.3.26

packages:

  /@angular-devkit/schematics/8.3.26:
    resolution: {integrity: sha512-IoZbXVFGLvVi5d0ozfssWDXuzot0/pMSKbQPzWIG8K7nCo7nNMVYpsMHrEVYUikA9EQEL5LqMCGohH36/zVPcA==}
    engines: {node: '>= 10.9.0', npm: '>= 6.2.0'}
    dependencies:
      '@angular-devkit/core': 8.3.26
      rxjs: 6.4.0
    dev: false

In package-lock.json

Name and version fields from the dependencies object (or the packages object for npm v7) will be evaluated. For example:

  • name: ansi-regex, version: 3.0.0
  • name: wordwrap, version: 0.0.3

{
  "requires": true,
  "lockfileVersion": 1,
  "dependencies": {
    "ansi-regex": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz",
      "integrity": "sha1-7QMXwyIGT3lGbAKWa922Bas32Zg="
    },
    "wordwrap": {
      "version": "0.0.3",
      "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-0.0.3.tgz",
      "integrity": "sha1-o9XabNXAvAAI03I0u68b7WMFkQc="
    }
  }
}

In npm-shrinkwrap.json

Name and version fields from the dependencies object will be evaluated. For example:

  • name: ansi-regex
  • version: 3.0.0


{
  "requires": true,
  "lockfileVersion": 1,
  "dependencies": {
    "ansi-regex": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz",
      "integrity": "sha1-7QMXwyIGT3lGbAKWa922Bas32Zg="
    },
    "wordwrap": {
      "version": "0.0.3",
      "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-0.0.3.tgz",
      "integrity": "sha1-o9XabNXAvAAI03I0u68b7WMFkQc="
    }
  }
}
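As an added example (not Sonatype's code), the following Python extracts the name and version pairs described in the sections above from each lock format: yarn.lock v1 entry headers, pnpm-lock.yaml package keys (with their peer-dependency suffix such as _jquery@1.9.1 stripped), and package-lock.json / npm-shrinkwrap.json in both the nested npm v6 layout and the flat npm v7 packages layout. The sample lock contents are constructed and modelled on the snippets on this page; the yarn.lock v2 (berry) syntax is not handled.

```python
import json
import re

# Constructed sample lock files, modelled on the snippets in this page (not from a real project).
YARN_LOCK = '''"@dangl/angular-material-shared@2.0.0":
  version "2.0.0"
wordwrap@0.0.3, wordwrap@~0.0.2:
  version "0.0.3"
'''
PNPM_LOCK = '''packages:
  /@angular-devkit/schematics/8.3.26:
    dev: false
  /bootstrap/4.5.0_jquery@1.9.1:
    dev: false
'''
NPM_LOCK_V6 = '{"lockfileVersion": 1, "dependencies": {"ansi-regex": {"version": "3.0.0", "dependencies": {"wordwrap": {"version": "0.0.3"}}}}}'
NPM_LOCK_V7 = '{"lockfileVersion": 2, "packages": {"": {"name": "app"}, "node_modules/ansi-regex": {"version": "3.0.0"}}}'

def parse_yarn_lock(text):
    """yarn.lock v1: a header 'name@range[, name@range]:' followed by an indented 'version "x.y.z"' line."""
    found, current = [], None
    for line in text.splitlines():
        if line and not line.startswith((" ", "#")) and line.endswith(":"):
            key = line[:-1].split(",")[0].strip().strip('"')
            current = key.rsplit("@", 1)[0]          # rsplit keeps the scope of '@dangl/...'
        elif current and line.strip().startswith("version "):
            found.append((current, line.split('"')[1]))
            current = None
    return found

# pnpm-lock.yaml keys under 'packages:' look like /name/version or /@scope/name/version_peer-suffix
PNPM_KEY = re.compile(r"^  /(@[^/\s]+/[^/\s]+|[^/@\s][^/\s]*)/([^_:\s]+)(?:_\S+)?:\s*$", re.M)

def parse_pnpm_lock(text):
    return PNPM_KEY.findall(text)                     # [(name, version), ...]

def parse_npm_lock(text):
    """package-lock.json / npm-shrinkwrap.json: npm v7 flattens into 'packages', npm v6 nests 'dependencies'."""
    data = json.loads(text)
    if "packages" in data:                            # lockfileVersion 2/3 (npm v7+)
        return [(path.rsplit("node_modules/", 1)[-1], meta.get("version"))
                for path, meta in data["packages"].items() if path]   # "" is the root project
    found = []
    def walk(deps):                                   # lockfileVersion 1 (npm v6) nests transitives
        for name, meta in deps.items():
            found.append((name, meta["version"]))
            walk(meta.get("dependencies", {}))
    walk(data.get("dependencies", {}))
    return found
```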

Improvements

The latest version of the Jenkins plugin (3.11.20210308-082521.0d183ff) includes improvements for NPM manifest scanning.

Steps to analyze using the Nexus IQ CLI

Run a scan

Invoke a Nexus IQ CLI scan of a directory or subdirectories containing yarn.lock, pnpm-lock.yaml, package-lock.json or npm-shrinkwrap.json. Instructions on how to do this can be found in the Nexus IQ CLI documentation.

Example pnpm-lock.yaml File

lockfileVersion: 5.3

specifiers:
  '@angular-devkit/schematics': 8.3.26
  '@angular/common': 8.2.14
  '@angular/compiler': 8.2.14
  '@angular/core': 8.2.14
  '@angular/router': 8.2.14
  '@ng-bootstrap/ng-bootstrap': 5.3.0
  bootstrap: 4.5.0
  jquery: 1.9.1
  rxjs: ^6.4.0
  zone.js: ~0.9.1

dependencies:
  '@angular-devkit/schematics': 8.3.26
  '@angular/common': 8.2.14_@angular+core@8.2.14+rxjs@6.4.0
  '@angular/compiler': 8.2.14
  '@angular/core': 8.2.14_rxjs@6.4.0+zone.js@0.9.1
  '@angular/router': 8.2.14_ed906ac8447aa5d4a7a8ac33fedcf709
  '@ng-bootstrap/ng-bootstrap': 5.3.0_ed906ac8447aa5d4a7a8ac33fedcf709
  bootstrap: 4.5.0_jquery@1.9.1
  jquery: 1.9.1
  rxjs: 6.4.0
  zone.js: 0.9.1

packages:

  /@angular-devkit/core/8.3.26:
    resolution: {integrity: sha512-b1ng9091o33s55/cwQYh1kboiJtj8y8z8xQWATDI9kRmNIQkWYVwVa/MzgPRJ4bzbEGG3zIUHCsp52A6vuGr2A==}
    engines: {node: '>= 10.9.0', npm: '>= 6.2.0'}
    dependencies:
      ajv: 6.10.2
      fast-json-stable-stringify: 2.0.0
      magic-string: 0.25.3
      rxjs: 6.4.0
      source-map: 0.7.3
    dev: false

...


Output from Nexus IQ CLI

Nexus Lifecycle Dashboard Results

Nexus Lifecycle Report Results


Steps to analyze using the Jenkins plugin

By default, the Jenkins plugin will not evaluate the yarn.lock, pnpm-lock.yaml, package-lock.json or npm-shrinkwrap.json files. A custom Scan Target is needed.

nexusPolicyEvaluation iqApplication: 'SampApp', iqScanPatterns: [[scanPattern: '**/npm-shrinkwrap.json'], [scanPattern: '**/package-lock.json'], [scanPattern: '**/yarn.lock'], [scanPattern: '**/pnpm-lock.yaml']], iqStage: 'build'

For more information on how to configure Jenkins, see the Nexus Platform Plugin for Jenkins documentation.