
pie-my-vulns's People

Contributors

dkorn, lirantal, ohaddahan, omeraha, rajkumaar23, snyk-bot, zivkaziv


pie-my-vulns's Issues

Add barchart option

Is your feature request related to a problem? Please describe.
To add an option for the vulns to be displayed as a barchart

Describe the solution you'd like
Add support for --barchart

Describe alternatives you've considered
NA

Unexpected failure: Unexpected end of JSON input

Expected Behavior

You'll get pies with the vulnerabilities

Current Behavior

Getting Unexpected end of JSON input

Possible Solution

Steps to Reproduce (for bugs)

  1. Run npx pie-my-vulns in the relevant folder
  2. You'll get: Unexpected failure: Unexpected end of JSON input

Context

Your Environment

  • Library Version used:
  • Node.js version (e.g. Node.js 5.4): 17.9
  • Operating System and version (desktop or mobile): MacOS

Feature request: Expose Parsers and Reporters as an API

Is your feature request related to a problem? Please describe.
I was thinking it would be great to expose the parsers and potentially reporters too as an API. It would really just require exposing them via the main export file for anyone wanting to use this as a lib instead of a CLI too.

Potentially later we can split this into another package, but just exposing them directly right now should be an easy start.

Describe alternatives you've considered
Doing this is ugly and opens many potential issues in the future:

const parser = require('pie-my-vulns/src/Parsers/SeverityTypeParser.js');

--directory argument ignored if not authenticated against snyk service

If not authenticated against the Snyk service, the --directory CLI argument is ignored and the current directory is tested instead. After a successful authentication the command works as expected.

Expected Behavior

The directory passed to the --directory cli argument should be tested

Current Behavior

The current directory is tested, and --directory is ignored.

Possible Solution

Requires further investigation

Steps to Reproduce (for bugs)

  1. Remove the authentication key (run snyk config unset api)
  2. Run pie-my-vulns with the directory argument (i.e. npx pie-my-vulns --directory='path'). Make sure the flag points to a directory other than the current one.
  3. Verify the command output is the same as it would be if the command was run on the current directory

Context

Your Environment

  • Library Version used:
  • Node.js version: v12.16.1
  • Operating System and version (desktop or mobile): macOS

E2E tests fail

Expected Behavior

All E2E tests should pass

Current Behavior

"CLI should show vulnerabilities breakdown numbers and their titles" test fails:
[screenshot]

Possible Solution

Steps to Reproduce (for bugs)

  1. run npm run test:e2e

Context

"Scanning project dependencies" appears twice when authentication is required

Expected Behavior

The output "Scanning project dependencies" should appear only once.

Current Behavior

"Scanning project dependencies" appears twice if authentication against Snyk is required. It should appear only once. This happens because, when the user is not authenticated, an error is thrown and, after a successful authentication, the same code (which prints the message) is invoked again.

[screenshot]

Possible Solution

Check authentication before starting the actual test. If this is not possible, a flag can be added to prevent the double printing

Steps to Reproduce (for bugs)

  1. Run pie-my-vulns unauthenticated
  2. Inspect command output

Context

Your Environment

  • Library Version used:
  • Node.js version (e.g. Node.js 5.4): 12.16.1
  • Operating System and version (desktop or mobile): mac OS

Remove space in the summary output

Expected Behavior

Output lines show a styled summary without blank lines and easy to read.

Current Behavior

Looks like the last 2 lines have a newline between them

[screenshot]

Possible solution

Can we remove the newline and maybe in another PR also style this a bit, something like:

[newline break from the pie charts]
Summary:
  - [201] Total number of vulns..
  - [38] Total number of deps..

Upgrade ora to 6.X.X

In order to upgrade ora to 6.X.X we need to support ESM. This can be a really nice issue for people who want to learn what needs to be done in order to require ESM dependencies.

Is your feature request related to a problem? Please describe.
You can't upgrade ora

Describe the solution you'd like
Make the relevant changes to support ESM dependencies

Describe alternatives you've considered
Using another loader that isn't ora

The automated release is failing 🚨

🚨 The automated release from the master branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you could benefit from your bug fixes and new features.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I'm sure you can resolve this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the master branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here are some links that can help you:

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.


Invalid npm token.

The npm token configured in the NPM_TOKEN environment variable must be a valid token allowing to publish to the registry https://registry.npmjs.org/.

If you are using Two-Factor Authentication, make sure the auth-only level is configured. semantic-release cannot publish with the default auth-and-writes level.

Please make sure to set the NPM_TOKEN environment variable in your CI with the exact value of the npm token.


Good luck with your project ✨

Your semantic-release bot 📦🚀

Does not work on Windows

C:\Users\xmr\Desktop\lockfile-lint>npx pie-my-vulns

Unexpected failure: spawn UNKNOWN

To enable debug information invoke the CLI with a DEBUG=pie* prefix.

Please open an issue at: https://github.com/lirantal/pie-my-vulns/issues

It must be the same issue as lirantal/lockfile-lint#69 (comment)

Would be nice if you had proper cross-platform tests @lirantal :)

Fix auth loop due to no

Expected Behavior

Authentication should work or just fail with an error

Current Behavior

In a specific error-case scenario the authentication handling loops forever as it thinks that error is mis-authentication.


Feat: enable the CLI to receive Snyk's JSON input from stdin

Description

In essence, pie-my-vulns uses the Snyk CLI behind the scenes to scan and uses the JSON output of that to chart the vulnerabilities. If someone has the Snyk CLI already installed, they could do something like snyk test --json | npx pie-my-vulns. To enable that we should support getting the JSON input from stdin, and when that takes place there's no need to run the audit within pie-my-vulns's own code.

Fix NaN and no display when no vulnerabilities are found

Expected Behavior

When no vulnerabilities are found the CLI should say so or if in JSON output mode should just end with exit code 0.

Current Behavior

See what happens:
[screenshot]

Possible Solution

Steps to Reproduce (for bugs)

  1. Be in a project with no vulnerabilities (a fresh npm init --yes project also works)
  2. npx pie-my-vulns
  3. Observe issue like screenshot above

Automatic auth redirection does not work in docker

When running the docker image of pie-my-vulns unauthenticated, the automatic redirection to the authentication page does not work, and the user has to copy and paste the URL into the browser in order to authenticate against Snyk.

Expected Behavior

The browser should open automatically with the url to Snyk authentication page.

Current Behavior

Nothing happens.

Possible Solution

Requires debugging

Steps to Reproduce (for bugs)

  1. Run pie-my-vulns docker image: docker run pie-my-vulns
  2. Inspect the issue

Context

Your Environment

  • Node.js version (e.g. Node.js 5.4): 12.16.1
  • Operating System and version (desktop or mobile): mac OS

Feat: Dockerfile for the project

Description

To make the CLI more accessible to those without a Node.js environment, let's create a Dockerfile that I can push to Docker Hub and allow them to spin up the CLI via a container.
