feat: support private packages list (#13)

snyk-labs · Jul 11, 2021 · f512c74 · f512c74
1 parent c02c1d7
commit f512c74
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 2 deletions.
diff --git a/__tests__/__fixtures__/small-project-existing-package-name.zip b/__tests__/__fixtures__/small-project-existing-package-name.zip
diff --git a/__tests__/__snapshots__/app.test.js.snap b/__tests__/__snapshots__/app.test.js.snap
@@ -91,3 +91,13 @@ Checking dependency: webpack-cli
   -> introduced via commit sha:  61c5d8034927693cc72064c44b8a7f3f63b3ea50
 "
 `;
+
+exports[`Test case of private package that exists already on npm 1`] = `
+"
+Reviewing your dependencies...
+
+Checking dependency: eslint-plugin-vue
+  ->  ❌ suspicious
+  -> introduced via commit sha:  9e9dab770d4e412babfce0f2dc66d8b04a6c0d28
+"
+`;
diff --git a/__tests__/app.test.js b/__tests__/app.test.js
@@ -9,7 +9,8 @@ jest.setTimeout(30000)
 const projectFixtures = [
   'simple-project.zip',
   'small-project.zip',
-  'commit-with-broken-package-json.zip'
+  'commit-with-broken-package-json.zip',
+  'small-project-existing-package-name.zip'
 ]
 
 const destinationFixtures = path.resolve(path.join(__dirname, '__fixtures__', 'tmp'))
@@ -81,3 +82,18 @@ test('Commit with broken manifest should be ignored', async () => {
   })
   expect(out).toMatchSnapshot()
 })
+
+test('Test case of private package that exists already on npm', async () => {
+  const projectPath = path.resolve(
+    path.join(destinationFixtures, 'simple-project-existing-package-name')
+  )
+
+  let out = ''
+  await testProject({
+    projectPath,
+    log: (...args) => (out += `${args.join(' ')}\n`),
+    debugMode: true,
+    privatePackagesList: ['eslint-plugin-vue']
+  })
+  expect(out).toMatchSnapshot()
+})
diff --git a/src/index.js b/src/index.js
@@ -4,7 +4,7 @@ const RepoManager = require('../src/RepoManager')
 const Parser = require('../src/Parser')
 const RegistryClient = require('../src/RegistryClient')
 
-async function testProject({ projectPath, log, debugMode }) {
+async function testProject({ projectPath, log, debugMode, privatePackagesList = [] }) {
   const registryClient = new RegistryClient()
   const repoManager = new RepoManager({ directoryPath: projectPath })
 
@@ -48,11 +48,14 @@ async function testProject({ projectPath, log, debugMode }) {
       timestampOfPackageInRegistry = new Date(packageMetadataFromRegistry.time.created).getTime()
     }
 
+    const isPrivatePackage = privatePackagesList.includes(dependency)
+
     // @TODO add debug for:
     // console.log('package in source UTC:   ', timestampInSource)
     // console.log('package in registry:     ', timestampOfPackageInRegistry)
 
     const status = resolveDependencyConfusionStatus({
+      isPrivatePackage,
       timestampOfPackageInSource,
       timestampOfPackageInRegistry
     })
@@ -68,6 +71,7 @@ async function testProject({ projectPath, log, debugMode }) {
 }
 
 function resolveDependencyConfusionStatus({
+  isPrivatePackage,
   timestampOfPackageInSource,
   timestampOfPackageInRegistry
 }) {
@@ -81,6 +85,10 @@ function resolveDependencyConfusionStatus({
       // this means that the package was first introduced to source code
       // and now there's also a package of this name in a public registry
       status = '❌ suspicious'
+    } else {
+      if (isPrivatePackage) {
+        status = '❌ suspicious'
+      }
     }
   } else {
     status = '⚠️ vulnerable'