lirantal / pie-my-vulns
Visualize your project security vulnerabilities as a pie chart in the terminal
License: Apache License 2.0
In essence, pie-my-vulns uses the Snyk CLI behind the scenes to scan and uses the JSON output of that to chart the vulnerabilities. If someone has the Snyk CLI already installed, they could do something like snyk test --json | npx pie-my-vulns. To enable that we should support getting the JSON input from stdin, and when that takes place there's no need to run the audit within pie-my-vulns's own code.
The output "Scanning project dependencies" should appear only once.
"Scanning project dependencies" appears twice if authentication against Snyk is required. It should appear only once. This is happening since when the user is not authenticated, an error is being thrown and after a successful authentication, the same code (that issues the message) is invoked again.
Check authentication before starting the actual test. If this is not possible, a flag can be added to prevent the double printing.
Is your feature request related to a problem? Please describe.
To add an option for the vulns to be displayed as a barchart
Describe the solution you'd like
Add support for --barchart
Describe alternatives you've considered
NA
C:\Users\xmr\Desktop\lockfile-lint>npx pie-my-vulns
Unexpected failure: spawn UNKNOWN
To enable debug information invoke the CLI with a DEBUG=pie* prefix.
Please open an issue at: https://github.com/lirantal/pie-my-vulns/issues
It must be the same issue as lirantal/lockfile-lint#69 (comment)
Would be nice if you had proper cross-platform tests @lirantal :)
In order to upgrade ora to 6.X.X we need to support ESM. Can be a really nice issue for people who want to learn what's needed in order to require ESM dependencies.
Is your feature request related to a problem? Please describe.
You can't upgrade ora
Describe the solution you'd like
Make the relevant changes to support ESM dependencies
Describe alternatives you've considered
Using another loader that isn't ora
master branch failed. 🚨 I recommend you give this issue a high priority, so other packages depending on you could benefit from your bug fixes and new features.
You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I'm sure you can resolve this 💪.
Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.
Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the master branch. You can also manually restart the failed CI job that runs semantic-release.
If you are not sure how to resolve this, here are some links that can help you:
If those don't help, or if this issue is reporting something you think isn't right, you can always ask the humans behind semantic-release.
The npm token configured in the NPM_TOKEN environment variable must be a valid token allowing to publish to the registry https://registry.npmjs.org/.
If you are using Two-Factor Authentication, make sure to configure the auth-only level; it is supported, whereas semantic-release cannot publish with the default auth-and-writes level.
Please make sure to set the NPM_TOKEN environment variable in your CI with the exact value of the npm token.
Good luck with your project ✨
Your semantic-release bot 📦🚀
To make the CLI more accessible to those without a Node.js environment let's create a Dockerfile that I can push into Docker Hub and allow them to spin off the CLI via a container
Add support for a --json command argument to return the data as a JSON string.
If not authenticated against the Snyk service, the --directory cli argument is ignored, and the current directory is being tested. After a successful authentication the command works as expected.
The directory passed to the --directory cli argument should be tested
The current directory is tested, and --directory is ignored.
Requires further investigation
(snyk config unset api) npx pie-my-vulns --directory='path'. Make sure the flag points to a directory other than the current one.
Output lines show styled summary without spaces and easy to read
Looks like the last 2 lines have a newline between them
Can we remove the newline and maybe in another PR also style this a bit, something like:
[newline break from the pie charts]
Summary:
- [201] Total number of vulns..
- [38] Total number of deps..
You'll get pies with the vulnerabilities
Getting Unexpected end of JSON input
1. Run npx pie-my-vulns in the relevant folder
2. You'll get: Unexpected failure: Unexpected end of JSON input
Is your feature request related to a problem? Please describe.
I was thinking it would be great to expose the parsers and potentially reporters too as an API. It would really just require exposing them via the main export file for anyone wanting to use this as a lib instead of a CLI too.
Potentially later we can split to another package but should be an easy start just exposing them straight-out right now.
Describe alternatives you've considered
Doing this is ugly and opens many potential issues in the future:
const parser = require('pie-my-vulns/src/Parsers/SeverityTypeParser.js');
Authentication should work or just fail with an error
In a specific error-case scenario the authentication handling loops forever as it thinks that error is mis-authentication.
When no vulnerabilities are found the CLI should say so or if in JSON output mode should just end with exit code 0.
npx pie-my-vulns
We have a docker image now in Docker Hub (https://hub.docker.com/r/lirantal/pie-my-vulns) thanks @omeraha (thank you Omer! ❤️).
How about we update the README with instructions on using it?
Omer, would be great if you also wanted to run some tests on the image to make sure everything works ok. Every merge to master will trigger the dockerfile rebuild.
Show summary data in the form of total vulnerabilities found.
A --help flag that details the command usage and possible arguments could be nice
Add support for a --path command argument to scan a specific project.
Perhaps we need a better name than --path. Maybe --directory makes more sense?
When running the docker image of pie-my-vulns unauthenticated, the automatic redirection to the authentication page does not work, and the user has to copy-paste the url in the browser in order to authenticate against Snyk.
The browser should open automatically with the url to Snyk authentication page.
Nothing happens.
Requires debugging
docker run pie-my-vulns
Expecting that e2e tests will run during the test phase, but this line https://github.com/lirantal/pie-my-vulns/blob/master/package.json#L16 has a typo and the 2nd command should actually run e2e tests too.
Currently, running npm run test won't run the e2e tests because it isn't included there.