Closed: nishils closed this issue 4 years ago
Thanks for the feedback, sounds great!
I'd like to get a list of all URLs being used that don't match the whitelist that fails a scan.
You can get this when running the linter in debug mode as shown in the screenshot on the README.
I like the JSON suggestion - we can support a --json flag to return all this data in a structured way, including the full URL as you pointed out. I'm happy to get a PR that adds this.
P.S. I'm heading out to JSConf Budapest for a week so will be slow to respond.
Sorry, I may be misunderstanding something. When I run DEBUG=* lockfile-lint --type yarn --path yarn.lock --validate-https --allowed-hosts yarn npm, I get the following output:
lockfile-lint parsed the following CLI arguments: {"_":[],"type":"yarn","t":"yarn","path":"yarn.lock","p":"yarn.lock","validate-https":true,"s":true,"validateHttps":true,"allowed-hosts":["yarn","npm"],"a":["yarn","npm"],"allowedHosts":["yarn","npm"],"$0":"/usr/local/bin/lockfile-lint"} +0ms
lockfile-lint invoking validator for: validateHttps +0ms
validate-host-manager invoked with validator options: true +0ms
lockfile-lint validator validateHttps reported no issues +99ms
lockfile-lint invoking validator for: validateHosts +0ms
validate-host-manager invoked with validator options: ["yarn","npm"] +0ms
detected invalid origin for package: <package name redacted>
detected invalid origin for package: <package name redacted>
lockfile-lint total validators invoked: 2 +202ms
lockfile-lint total validator failures: 2 +0ms
lockfile-lint total validator successes: 1 +0ms
I don't see anything about the URL that is being flagged. For example, if the package was making connections to https://evil.com, I would like to see that along with the package that is making the call.
Example output could be:
detected invalid origin (https://evil.com) for package: <package name>
You are correct, we are not displaying anything about the URL, just the package. Agree with you completely 👍
@nishils I believe that the PR at https://github.com/lirantal/lockfile-lint/pull/20 which landed a while ago is now providing this, right?
Here is an example output now with a wrong URL:
$ npx lockfile-lint -p package-lock.json -t npm -s -a npm github.com -o "https:" "github:"
detected invalid host(s) for package: @babel/code-frame@7.5.5
expected: registry.npmjs.org,github.com
actual: registry.spmjs.org
error: command failed with exit code 1
Will close as this is now being supported and happy to see this used in the Salus project ❤️
This looks like a pretty awesome project and something I would like to include in Salus (www.github.com/coinbase/salus) to get better coverage on yarn and npm projects.
Is your feature request related to a problem? Please describe.
I'd like to get a list of all URLs being used that don't match the whitelist that fails a scan.
Describe the solution you'd like
Instead of returning "detected invalid origin for package: <package_name>", I would like to see the URL used in addition to the package name. Preferably in a JSON format option for easier parsing, but I can implement a rudimentary parser on this syntax if outputting in JSON is not going to be supported.
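As an added example (not lockfile-lint's own code, and not part of this thread), the check the issue asks for: walk a package-lock.json dependency tree, compare each package's resolved URL against the host and scheme allow-lists (the `-a` / `-o` lists used in the thread), and report the offending URL next to the package name as JSON. The sample lockfile is constructed for this example; the typosquatted registry host mirrors the output quoted above.

```javascript
const ALLOWED_HOSTS = ['registry.npmjs.org', 'github.com'];
const ALLOWED_SCHEMES = ['https:'];

// Constructed sample in package-lock.json v1 layout, trimmed to the fields that matter.
const SAMPLE_LOCK = {
  dependencies: {
    '@babel/code-frame': {
      version: '7.5.5',
      resolved: 'https://registry.spmjs.org/@babel/code-frame/-/code-frame-7.5.5.tgz',
      dependencies: {
        'js-tokens': {
          version: '4.0.0',
          resolved: 'http://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz',
        },
      },
    },
    debug: { version: '4.1.1', resolved: 'https://registry.npmjs.org/debug/-/debug-4.1.1.tgz' },
    'local-pkg': { version: '1.0.0' }, // no "resolved": nothing is fetched, nothing to check
  },
};

// Flatten the nested dependency tree into {name, version, resolved} records.
function collectPackages(deps, out = []) {
  for (const [name, meta] of Object.entries(deps || {})) {
    out.push({ name, version: meta.version, resolved: meta.resolved });
    collectPackages(meta.dependencies, out);
  }
  return out;
}

// One finding per package whose resolved URL fails the host or scheme check; the URL is kept next to the package name.
function findInvalidOrigins(lock, hosts = ALLOWED_HOSTS, schemes = ALLOWED_SCHEMES) {
  const findings = [];
  for (const pkg of collectPackages(lock.dependencies)) {
    if (!pkg.resolved) continue;
    const id = `${pkg.name}@${pkg.version}`;
    let url;
    try { url = new URL(pkg.resolved); } catch (e) {
      findings.push({ package: id, url: pkg.resolved, host: null, reasons: ['unparseable-url'] });
      continue;
    }
    const reasons = [];
    if (!hosts.includes(url.host)) reasons.push('invalid-host');
    if (!schemes.includes(url.protocol)) reasons.push('invalid-scheme');
    if (reasons.length) findings.push({ package: id, url: url.href, host: url.host, reasons });
  }
  return findings;
}

console.log(JSON.stringify(findInvalidOrigins(SAMPLE_LOCK), null, 2));
```

Entries without a `resolved` field (for example file: dependencies) are skipped rather than flagged, and a URL that does not parse is reported as its own finding so a scanner never silently drops it.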