npm Application Analysis
What is supported
Identification without dependency information
NPM packages can be identified by scanning the following lock files (file name must be preserved):
| Filename | Generated By |
|---|---|
| yarn.lock | Yarn package manager v1. Yarn package manager v2. NEW IN RELEASE 123 |
| pnpm-lock.yaml | pnpm package manager |
package-lock.json npm-shrinkwrap.json | npm package manager v6 npm package manager v7 NEW IN RELEASE 123 if both files are present in the scan, the preference will be given to npm-shrinkwrap.json file. |
NEW IN RELEASE 123
Identification with dependency information
In order to include dependency type information (i.e. Direct vs Transitive), a package.json file must also exist and be readable as a sibling file to the target lock file (i.e. one of the above). This file is typically auto-generated and managed by a package manager.
When the scan does not include the code files for a project’s dependencies, IQ server will use the application’s manifest files (i.e. package.json and the lock file) and attempt to identify dependencies based on it. If the scan includes code files, these take precedence over manifest scanning for identification, and the manifests will be used to improve the identification of the scanned javascript files. See the JavaScript Scanning Guide for more information.
What do we parse from files?
In yarn.lock
Name and version fields will be evaluated. For example:
- name: @dangl/angular-material-shared
- version: 2.0.0
@dangl/angular-material-shared@2.0.0: version "2.0.0" @progress/kendo-theme-material@0.3.2: version "0.3.2" @angular@0.0.1: version "0.0.1"
In pnpm-lock.yaml
Name and version fields from packages and dependencies objects will be evaluated. For example:
- name: @angular-devkit/schematics
- version: 8.3.26
lockfileVersion: 5.3
specifiers:
'@angular-devkit/schematics': 8.3.26
dependencies:
'@angular-devkit/schematics': 8.3.26
packages:
/@angular-devkit/schematics/8.3.26:
resolution: {integrity: sha512-IoZbXVFGLvVi5d0ozfssWDXuzot0/pMSKbQPzWIG8K7nCo7nNMVYpsMHrEVYUikA9EQEL5LqMCGohH36/zVPcA==}
engines: {node: '>= 10.9.0', npm: '>= 6.2.0'}
dependencies:
'@angular-devkit/core': 8.3.26
rxjs: 6.4.0
dev: falseIn package-lock.json
Name and version fields from dependencies (or packages for npm v7) objects will be evaluated. For example:
| name | version |
|---|---|
| ansi-regex | 3.0.0 |
| wordwrap | 0.0.3 |
{
"requires": true,
"lockfileVersion": 1,
"dependencies": {
"ansi-regex": {
"version": "3.0.0",
"resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz",
"integrity": "sha1-7QMXwyIGT3lGbAKWa922Bas32Zg="
},
"wordwrap": {
"version": "0.0.3",
"resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-0.0.3.tgz",
"integrity": "sha1-o9XabNXAvAAI03I0u68b7WMFkQc="
}
}
}In npm-shrinkwrap.json
Name and version fields from dependencies object will be evaluated. For example:
- name: ansi-regex
- version: 3.0.0
{
"requires": true,
"lockfileVersion": 1,
"dependencies": {
"ansi-regex": {
"version": "3.0.0",
"resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz",
"integrity": "sha1-7QMXwyIGT3lGbAKWa922Bas32Zg="
},
"wordwrap": {
"version": "0.0.3",
"resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-0.0.3.tgz",
"integrity": "sha1-o9XabNXAvAAI03I0u68b7WMFkQc="
}
}
}Improvements
The latest version of the Jenkins plugin (3.11.20210308-082521.0d183ff) includes some improvements for NPM manifest scanning.
Steps to analyze using the Nexus IQ CLI
Run a scan
Invoke a Nexus IQ CLI scan of a directory or subdirectories containing yarn.lock, pnpm-lock.yaml, package-lock.json or npm-shrinkwrap.json. Instructions on how to do this can be found here: Nexus IQ CLI.
Example pnpm-lock.yaml file
lockfileVersion: 5.3
specifiers:
'@angular-devkit/schematics': 8.3.26
'@angular/common': 8.2.14
'@angular/compiler': 8.2.14
'@angular/core': 8.2.14
'@angular/router': 8.2.14
'@ng-bootstrap/ng-bootstrap': 5.3.0
bootstrap: 4.5.0
jquery: 1.9.1
rxjs: ^6.4.0
zone.js: ~0.9.1
dependencies:
'@angular-devkit/schematics': 8.3.26
'@angular/common': 8.2.14_@angular+core@8.2.14+rxjs@6.4.0
'@angular/compiler': 8.2.14
'@angular/core': 8.2.14_rxjs@6.4.0+zone.js@0.9.1
'@angular/router': 8.2.14_ed906ac8447aa5d4a7a8ac33fedcf709
'@ng-bootstrap/ng-bootstrap': 5.3.0_ed906ac8447aa5d4a7a8ac33fedcf709
bootstrap: 4.5.0_jquery@1.9.1
jquery: 1.9.1
rxjs: 6.4.0
zone.js: 0.9.1
packages:
/@angular-devkit/core/8.3.26:
resolution: {integrity: sha512-b1ng9091o33s55/cwQYh1kboiJtj8y8z8xQWATDI9kRmNIQkWYVwVa/MzgPRJ4bzbEGG3zIUHCsp52A6vuGr2A==}
engines: {node: '>= 10.9.0', npm: '>= 6.2.0'}
dependencies:
ajv: 6.10.2
fast-json-stable-stringify: 2.0.0
magic-string: 0.25.3
rxjs: 6.4.0
source-map: 0.7.3
dev: false
...Output from Nexus IQ CLI
Nexus Lifecycle Dashboard Results
Nexus Lifecycle Report Results
Steps to analyze using the Jenkins plugin
By default, the Jenkins plugin will not evaluate the yarn.lock, pnpm-lock.yaml, package-lock.json or npm-shrinkwrap.json files. A custom Scan Target is needed.
nexusPolicyEvaluation iqApplication: 'SampApp' , iqScanPatterns: [[scanPattern: '**/npm-shrinkwrap.json' ], [scanPattern: '**/package-lock.json'], [scanPattern: '**/yarn.lock'], [scanPattern: '**/pnpm-lock.yaml']], iqStage: 'build'
To find more information on how to configure Jenkins please go to the Nexus Platform Plugin for Jenkins.
Steps to analyze using the Bamboo plugin
By default, the Bamboo plugin will not evaluate the yarn.lock, pnpm-lock.yaml, package-lock.json or npm-shrinkwrap.json files. A custom Scan Target is needed.
To find more information on how to configure the Bamboo plugin please go to Nexus IQ for Bamboo.