jeemok · bencivjan · May 16, 2022 · May 21, 2022 · May 23, 2022 · May 23, 2022
diff --git a/index.ts b/index.ts
@@ -25,15 +25,26 @@ export function callback(auditCommand: string, auditLevel: AuditLevel, exception
   const audit = exec(`${auditCommand} --json`, { maxBuffer: MAX_BUFFER_SIZE });
 
   // Grab the data in chunks and buffer it as we're unable to parse JSON straight from stdout
-  let jsonBuffer = '';
+  let jsonDevBuffer = '';
+  let jsonProdBuffer = '';
 
   if (audit.stdout) {
-    audit.stdout.on('data', (data: string) => (jsonBuffer += data));
+    audit.stdout.on('data', (data: string) => (jsonDevBuffer += data));
   }
 
   // Once the stdout has completed, process the output
   if (audit.stderr) {
-    audit.stderr.on('close', () => handleFinish(jsonBuffer, auditLevel, exceptionIds, modulesToIgnore));
+    audit.stderr.on('close', () => {
+      const auditProd = exec(`npm audit --production --json`, { maxBuffer: MAX_BUFFER_SIZE });
+      if (auditProd.stderr) {
+        if (auditProd.stdout) {
+          auditProd.stdout.on('data', (data: string) => (jsonProdBuffer += data));
+        }
+        auditProd.stderr.on('close', () => {
+          handleFinish(jsonProdBuffer, jsonDevBuffer, auditLevel, exceptionIds, modulesToIgnore);
+        });
+      }
+    });
     // stderr
     audit.stderr.on('data', console.error);
   }

diff --git a/src/handlers/handleFinish.ts b/src/handlers/handleFinish.ts
@@ -1,17 +1,24 @@
 import { AuditLevel } from 'src/types';
 import { printSecurityReport } from '../utils/print';
 import { processAuditJson, handleUnusedExceptions } from '../utils/vulnerability';
-
 /**
  * Process and analyze the NPM audit JSON
- * @param  {String} jsonBuffer        NPM audit stringified JSON payload
+ * @param  {String} jsonProdBuffer        NPM audit production dependencies stringified JSON payload
+ * @param  {String} jsonDevBuffer         NPM audit developer dependencies stringified JSON payload
  * @param  {Number} auditLevel        The level of vulnerabilities we care about
  * @param  {Array} exceptionIds       List of vulnerability IDs to exclude
  * @param  {Array} exceptionModules   List of vulnerable modules to ignore in audit results
  */
-export default function handleFinish(jsonBuffer: string, auditLevel: AuditLevel, exceptionIds: string[], exceptionModules: string[]): void {
+export default function handleFinish(
+  jsonProdBuffer: string,
+  jsonDevBuffer: string,
+  auditLevel: AuditLevel,
+  exceptionIds: string[],
+  exceptionModules: string[],
+): void {
   const { unhandledIds, report, failed, unusedExceptionIds, unusedExceptionModules } = processAuditJson(
-    jsonBuffer,
+    jsonProdBuffer,
+    jsonDevBuffer,
     auditLevel,
     exceptionIds,
     exceptionModules,

diff --git a/src/types/general.d.ts b/src/types/general.d.ts
@@ -40,6 +40,7 @@ export interface v7Vulnerability {
   readonly name: string;
   readonly via: v7VulnerabilityVia[] | string[];
   readonly nodes: string[];
+  dev?: boolean;
 }
 
 export interface v7VulnerabilityVia {

diff --git a/src/types/table.d.ts b/src/types/table.d.ts
@@ -1,2 +1,2 @@
-export type SecurityReportHeader = 'ID' | 'Module' | 'Title' | 'Paths' | 'Sev.' | 'URL' | 'Ex.';
+export type SecurityReportHeader = 'ID' | 'Module' | 'Title' | 'Paths' | 'Sev.' | 'URL' | 'Ex.' | 'DEV';
 export type ExceptionReportHeader = 'ID' | 'Status' | 'Expiry' | 'Notes';
diff --git a/src/utils/devDeps.ts b/src/utils/devDeps.ts
@@ -0,0 +1,11 @@
+import fs from 'fs';
+/**
+ * Searches for the name of devDependencies on package.json
+ * @param { string } route Route to package.json
+ * @return {[string, string][]}             List: with the name and version of dev packages
+ */
+export function devDependenciesGetter(route: string): [string, unknown][] {
+  const devDependencies = JSON.parse(fs.readFileSync(route, 'utf-8'));
+  const arr = Object.entries(devDependencies.devDependencies);
+  return arr;
+}
diff --git a/src/utils/print.ts b/src/utils/print.ts
@@ -2,7 +2,7 @@ import get from 'lodash.get';
 import { table, TableUserConfig } from 'table';
 import { SecurityReportHeader, ExceptionReportHeader } from 'src/types';
 
-const SECURITY_REPORT_HEADER: SecurityReportHeader[] = ['ID', 'Module', 'Title', 'Paths', 'Sev.', 'URL', 'Ex.'];
+const SECURITY_REPORT_HEADER: SecurityReportHeader[] = ['ID', 'Module', 'Title', 'Paths', 'Sev.', 'URL', 'Ex.', 'DEV'];
 const EXCEPTION_REPORT_HEADER: ExceptionReportHeader[] = ['ID', 'Status', 'Expiry', 'Notes'];
 
 // TODO: Add unit tests

diff --git a/src/utils/vulnerability.ts b/src/utils/vulnerability.ts
@@ -110,19 +110,21 @@ export function validateV7Vulnerability(
 
 /**
  * Analyze the JSON string buffer
- * @param  {String} jsonBuffer      NPM Audit JSON string buffer
+ * @param  {String} jsonProdBuffer      NPM Audit Production JSON string buffer
+ * @param  {String} jsonDevBuffer      NPM Audit JSON string buffer
  * @param  {String} auditLevel      User's target audit level
  * @param  {Array} exceptionIds     Exception IDs (ID to be ignored)
  * @param  {Array} exceptionModules Exception modules (modules to be ignored)
  * @return {Object}                 Processed vulnerabilities details
  */
 export function processAuditJson(
-  jsonBuffer = '',
+  jsonProdBuffer = '',
+  jsonDevBuffer = '',
   auditLevel: AuditLevel = 'info',
   exceptionIds: string[] = [],
   exceptionModules: string[] = [],
 ): ProcessedResult {
-  if (!isJsonString(jsonBuffer)) {
+  if (!isJsonString(jsonProdBuffer)) {
     return {
       unhandledIds: [],
       vulnerabilityIds: [],
@@ -137,7 +139,8 @@ export function processAuditJson(
   // NPM v6 uses `advisories`
   // NPM v7 uses `vulnerabilities`
   // Refer to the `test/__mocks__` folder for some sample mockups
-  const { advisories, vulnerabilities }: NpmAuditJson = JSON.parse(jsonBuffer);
+  const { advisories: prodAdvisories, vulnerabilities: prodVulnerabilities }: NpmAuditJson = JSON.parse(jsonProdBuffer);
+  const { advisories, vulnerabilities }: NpmAuditJson = JSON.parse(jsonDevBuffer);
 
   // NPM v6 handling
   if (advisories) {
@@ -147,6 +150,7 @@ export function processAuditJson(
         const { isExcepted: isIdExcepted, usedExceptionKey } = validateV6Vulnerability(cur, exceptionIds);
         const isModuleExcepted = exceptionModules.includes(cur.module_name);
         const isExcepted = isIdExcepted || isModuleExcepted;
+        const isDev = !(prodAdvisories && prodAdvisories[cur.id.toString()]);
 
         // Record used exception ID/module
         if (isIdExcepted) {
@@ -171,6 +175,7 @@ export function processAuditJson(
           color(cur.severity, isExcepted ? '' : 'yellow', getSeverityBgColor(cur.severity)),
           color(cur.url, isExcepted ? '' : 'yellow'),
           isExcepted ? 'y' : color('n', 'yellow'),
+          color(isDev ? 'yes' : 'no', isDev ? 'yellow' : 'red'),
         ]);
 
         acc.vulnerabilityIds.push(cur.id.toString());
@@ -198,6 +203,13 @@ export function processAuditJson(
 
   // NPM v7 handling
   if (vulnerabilities) {
+    // const keys = Object.keys(vulnerabilities);
+    // keys.forEach((val) => {
+    //   if (prodVulnerabilities && prodVulnerabilities[val]) {
+    //     vulnerabilities[val] = true;
+    //   }
+    // });
+
     return Object.values(vulnerabilities).reduce(
       (acc: ProcessedResult, cur: v7Vulnerability | string) => {
         // Inside `via` array, its either the related module name or the vulnerability source object.
@@ -215,6 +227,7 @@ export function processAuditJson(
           const { isExcepted: isIdExcepted, usedExceptionKey } = validateV7Vulnerability(vul, exceptionIds);
           const isModuleExcepted = exceptionModules.includes(moduleName);
           const isExcepted = isIdExcepted || isModuleExcepted;
+          const isDev = !(prodVulnerabilities && prodVulnerabilities[get(vul, 'name')]);
 
           // Record used exception ID/module
           if (isIdExcepted) {
@@ -233,6 +246,7 @@ export function processAuditJson(
             color(vul.severity, isExcepted ? '' : 'yellow', getSeverityBgColor(vul.severity)),
             color(vul.url, isExcepted ? '' : 'yellow'),
             isExcepted ? 'y' : color('n', 'yellow'),
+            color(isDev ? 'yes' : 'no', isDev ? 'yellow' : 'red'),
           ]);
 
           acc.vulnerabilityIds.push(String(id));

diff --git a/test/__mocks__/v6-security-report-table-data.json b/test/__mocks__/v6-security-report-table-data.json
@@ -6,7 +6,8 @@
     "\u001b[33mloopback-component-explorer>swagger-ui\u001b[0m",
     "\u001b[33mmoderate\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/975\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ],
   [
     "\u001b[33m976\u001b[0m",
@@ -15,7 +16,8 @@
     "\u001b[33mloopback-component-explorer>swagger-ui\u001b[0m",
     "\u001b[33mmoderate\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/976\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ],
   [
     "\u001b[33m985\u001b[0m",
@@ -24,7 +26,8 @@
     "\u001b[33mloopback-component-explorer>swagger-ui\u001b[0m",
     "\u001b[33mmoderate\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/985\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ],
   [
     "\u001b[33m1084\u001b[0m",
@@ -33,7 +36,8 @@
     "\u001b[33mloopback-connector-rest>strong-globalize>os-locale>mem\u001b[0m",
     "\u001b[33mlow\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/1084\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ],
   [
     "\u001b[33m1179\u001b[0m",
@@ -42,7 +46,8 @@
     "\u001b[33mmocha>mkdirp>minimist\u001b[0m",
     "\u001b[33mlow\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/1179\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ],
   [
     "\u001b[33m1213\u001b[0m",
@@ -51,7 +56,8 @@
     "\u001b[33mnodemon>update-notifier>configstore>dot-prop\u001b[0m",
     "\u001b[33m\u001b[41mhigh\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/1213\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ],
   [
     "\u001b[33m1500\u001b[0m",
@@ -60,7 +66,8 @@
     "\u001b[33mmocha>yargs-parser\nmocha>yargs-unparser>yargs>yargs-parser\u001b[0m",
     "\u001b[33mlow\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/1500\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ],
   [
     "\u001b[33m1523\u001b[0m",
@@ -69,7 +76,8 @@
     "\u001b[33mlodash\nloopback>async>lodash\nloopback>loopback-connector-remote>loopback-datasource-juggler>async>lodash\nloopback>loopback-datasource-juggler>async>lodash\nloopback>loopback-connector-remote>strong-remoting>loopback-phase>async>lodash\n...and 40 more\u001b[0m",
     "\u001b[33mlow\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/1523\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ],
   [
     "\u001b[33m1555\u001b[0m",
@@ -78,7 +86,8 @@
     "\u001b[33mloopback>loopback-connector-remote>loopback-datasource-juggler>loopback-connector>msgpack5>bl\nloopback>loopback-datasource-juggler>loopback-connector>msgpack5>bl\nloopback-connector-mongodb>loopback-connector>msgpack5>bl\u001b[0m",
     "\u001b[33m\u001b[41mcritical\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/1555\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ],
   [
     "\u001b[33m1556\u001b[0m",
@@ -87,7 +96,8 @@
     "\u001b[33mloopback-connector-rest>strong-globalize>g11n-pipeline>swagger-client>cross-fetch>node-fetch\u001b[0m",
     "\u001b[33mlow\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/1556\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ],
   [
     "\u001b[33m1589\u001b[0m",
@@ -96,6 +106,7 @@
     "\u001b[33mnodemon>chokidar>fsevents>node-pre-gyp>rc>ini\nnodemon>update-notifier>is-installed-globally>global-dirs>ini\nnodemon>update-notifier>latest-version>package-json>registry-auth-token>rc>ini\nnodemon>update-notifier>latest-version>package-json>registry-url>rc>ini\u001b[0m",
     "\u001b[33mlow\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/1589\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ]
 ]
diff --git a/test/__mocks__/v7-security-report-table-data.json b/test/__mocks__/v7-security-report-table-data.json
@@ -6,7 +6,8 @@
     "\u001b[33mbl\u001b[0m",
     "\u001b[33m\u001b[41mcritical\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/1555\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ],
   [
     "\u001b[33m1213\u001b[0m",
@@ -15,7 +16,8 @@
     "\u001b[33mdot-prop\u001b[0m",
     "\u001b[33m\u001b[41mhigh\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/1213\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ],
   [
     "\u001b[33m1589\u001b[0m",
@@ -24,7 +26,8 @@
     "\u001b[33mfsevents>ini\nini\u001b[0m",
     "\u001b[33mlow\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/1589\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ],
   [
     "\u001b[33m1523\u001b[0m",
@@ -33,7 +36,8 @@
     "\u001b[33mlodash\u001b[0m",
     "\u001b[33mlow\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/1523\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ],
   [
     "\u001b[33m1084\u001b[0m",
@@ -42,7 +46,8 @@
     "\u001b[33mloopback-connector-rest>mem\u001b[0m",
     "\u001b[33mlow\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/1084\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ],
   [
     "\u001b[33m1179\u001b[0m",
@@ -51,7 +56,8 @@
     "\u001b[33mmocha>minimist\u001b[0m",
     "\u001b[33mlow\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/1179\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ],
   [
     "\u001b[33m1556\u001b[0m",
@@ -60,7 +66,8 @@
     "\u001b[33mnode-fetch\u001b[0m",
     "\u001b[33mlow\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/1556\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ],
   [
     "\u001b[33m975\u001b[0m",
@@ -69,7 +76,8 @@
     "\u001b[33mswagger-ui\u001b[0m",
     "\u001b[33mmoderate\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/975\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ],
   [
     "\u001b[33m976\u001b[0m",
@@ -78,7 +86,8 @@
     "\u001b[33mswagger-ui\u001b[0m",
     "\u001b[33mmoderate\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/976\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ],
   [
     "\u001b[33m985\u001b[0m",
@@ -87,7 +96,8 @@
     "\u001b[33mswagger-ui\u001b[0m",
     "\u001b[33mmoderate\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/985\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ],
   [
     "\u001b[33m1500\u001b[0m",
@@ -96,6 +106,7 @@
     "\u001b[33mmocha>yargs-parser\nyargs-unparser>yargs-parser\u001b[0m",
     "\u001b[33mlow\u001b[0m",
     "\u001b[33mhttps://npmjs.com/advisories/1500\u001b[0m",
-    "\u001b[33mn\u001b[0m"
+    "\u001b[33mn\u001b[0m",
+    "\u001b[31mno\u001b[0m"
   ]
 ]