use npm audit report in SonarQube - npm

I'm working on web application.
I need to check security of dependencies.
I'm actually scanning my source code with OWASP Dependency-Check, but I think it's not the best tool to use on a web app.
I think npm audit or yarn audit is a better tool to check the dependency security of this kind of application.
With OWASP, I use the OWASP SonarQube project to integrate the results into SonarQube.
Example of settings used:
sonar.dependencyCheck.reportPath=$(System.DefaultWorkingDirectory)/DependencyCheckResults/dependency-check-report.xml
sonar.dependencyCheck.htmlReportPath=$(System.DefaultWorkingDirectory)/DependencyCheckResults/dependency-check-report.html
In the same way, is there a way to use the npm audit (or yarn audit) report into SonarQube?
At the moment I generate the report in JSON format, using this command:
npm audit --json
I also know that it's possible to generate an HTML report from npm audit with https://github.com/eventOneHQ/npm-audit-html
So, it's just missing a SonarQube plugin to import it or something like that, but I can't find it.

Currently, this does not seem to be possible. However, this npm RFC 0004 specifies an npm audit --owasp flag for solving this problem. This RFC was accepted, but is not yet implemented.
Maybe it is worth a try to parse the output of npm audit --json with some SonarQube plugin, but I have no more knowledge about how to do this.
Edit 2021-08-09
The npm RFC was withdrawn:
The npm cli team would be happy to land this change in case it comes from a community contribution; this withdrawal was based on the fact that this is not remotely close to being in the roadmap of the current team.

Related

Is it a good idea to use NPM to upload some packages of a commercial project on it?

I am following a Microservices course that creates a free NPM account and pushes a package he writes through the course into it and imports this package in other related files of the application like a common NPM module/package.
He also mentions there are other options like using Github or some local Git/version controller, etc.
As I am trying to make a commercial project for my own startup, I am curious to know what is a good/affordable option for a startup company in this situation? Is it still a good idea to use an NPM free public account to push some packages and use them through our application?
I think that if you are creating a module that can be useful to the community or part of it, NPM is an interesting option to keep your packages.
If you're not uploading usable packages but your whole application to npm, then that's messed up; NPM is a package registry. Github, Gitlab, and tools alike should be a more suitable option since those are general-purpose code repositories, not package registries.
Also, be aware that the packages you upload on a free npm account are available to any NPM user. See: NPM Private Packages
From my previous experience, both GitLab and Github offer good free small professional accounts that may be suitable for your case.

Is NPM only for Open Source?

I am using vuepress in order to make my static site, so is there any risk that anyone else can see my site source? My site is not open-source and I am using NPM, so I want to ask: will my vuepress package be published openly? It's really important to me and I don't want to reveal the source of my site.
About: Is there any risk that anyone else can see my site source
There is no way to protect javascript intended to run in a browser from a determined viewer.
If the browser can run it, then any determined viewer can view/run it also.
About NPM:
npm is a package manager for the JavaScript programming language maintained by npm, Inc. npm is the default package manager for the JavaScript runtime environment Node.js.
The npm registry contains packages, many of which are also Node modules, or contain Node modules.
npm has two types of packages: one is public, which everyone can see, while the other is private, which others can't see.
So if you fear that people will see the source code in your package, just make it private or just don't put your code on npm at all.

Is there a way to ignore a node_module when running npm install

Hi, I have made some custom adjustments to a node_module's files to get it to meet client requirements. These changes obviously are not in the package's source code, so I want to avoid overwriting them if I need to update npm packages. Is there a way to do this? Maybe something similar to a git ignore?
Modifying an npm package directly is not recommended and could lead to multiple issues. The way to go about this is either to contribute your changes to the original source code on GitHub if others would find the code you wrote useful, or to make your own fork of the package and use that as a dependency instead.
You can install your own package by using the tarballs provided by GitHub.
npm install https://github.com/<username>/<repository>/tarball/master

How do I search for packages using yarn?

How do I search for packages with yarn?
I want to get a list of results that have the search term in the name of the package as well as in descriptions (similar to how various utilities work like npm search, apropos, apt-cache search).
I tried yarn info <pkg>, but this gave a bunch of json data that was limited to just that package.
Using yarn help and duckduckgo was educational, but still didn't answer how to do this.
There is no command for showing the tabular data format of package information.
If you want more information about the packages, you can try the commands below:
yarn info package
yarn info package --json
yarn info package#version
yarn info package description
yarn info package time
yarn info package readme
I came here via google and none of the answers really explained anything about WHY search was "missing", so I dug in a bit.
From the Yarn dev's github issue tracker, this exact topic was brought up:
kittens commented on Oct 12, 2016
We've deliberately decided not to add these sorts of commands to Yarn. There's a lot of them that don't actually see much use and the maintenance burden isn't really worth it. If the functionality of the commands is so simple (just opening a browser) then you can just do it yourself. Thanks for the report!
So there you go, it has been intentionally not included and there are currently no plans to include it.
As others have said, you can either use npm's search as both yarn and npm fetch from the same list of packages, or you can use a web-based solution:
https://www.npmjs.com/
https://www.npms.io/
etc.
Hope this helps others save a few minutes in their quest for an answer.
I use npms-cli:
Install:
yarn global add npms-cli
Then you will have /usr/bin/npms available and can search like: npms search <desired package>.
Yarn has a website which has information and a detail page for every package in the registry. It’s available on yarnpkg.com/en/packages and provided by Algolia.
Since the npm and Yarn registry are the same, you can also use every tool that shows this data, like npms.io or similar.
Fair disclosure: I work for Algolia and am in charge of the search page of Yarn.

NPM/Bower/Composer - differences?

Can someone explain to me the difference between NPM, Bower and Composer?
They are all package managers - correct?
But when should each one be used?
Also, each one appears to have a json file that accompanies it, does this store all the packages you require so they can be installed by cmd line? Why do you need this file?
[update, four years later]
bower is deprecated, and should not be used anymore for new projects. To a large extent, it has been subsumed into node dependency management (from their website: "While Bower is maintained, we recommend using Yarn and Webpack or Parcel for front-end projects").
yarn came out of the woods as a better npm (fixing several of npm's flaws), and this is really what you should use now, as it is the new de-facto standard if you are doing front-end or node development. It does consume the same package.json as npm, and is almost entirely compatible with it.
I wouldn't use composer at this point (because I wouldn't use php), although it seems to still be alive and popular.
[original answer]
npm is the nodejs package manager. It therefore targets nodejs environments, which usually means server-side nodejs projects or command-line projects (bower itself is an npm package). If you are going to do anything with nodejs, then you are going to use npm.
bower is a package manager that aims at (front-end) web projects. You need npm and nodejs to install bower and to execute it, though bower packages are not meant specifically for nodejs, but rather for the "browser" environment.
composer is a dependency manager that targets php projects. If you are doing something with symfony (or plain old php), this is likely the way to go.
Summing it up:
doing node? you do npm
doing php? try composer
front-end javascript? try bower
And yes, the "json" files describe basic package information and dependencies. And yes, they are needed.
Now, what about the READMEs? :-)
https://github.com/bower/bower
https://www.npmjs.org/doc/cli/npm.html
https://getcomposer.org/doc/00-intro.md