├── .drone.yml
├── .eslintrc
├── .gitignore
├── Gruntfile.js
├── LICENSE
├── README.md
├── contributing.md
├── package.json
└── tasks
    └── nsp.js


/.drone.yml:
--------------------------------------------------------------------------------
 1 | pipeline:
 2 |   build:
 3 |     image: node:${NODE_VERSION}
 4 |     commands:
 5 |       - npm install
 6 |       - npm run lint
 7 |       - npm test
 8 |   slack:
 9 |     image: plugins/slack
10 |     username: drone
11 |     channel: alerts
12 |     secrets: [ slack_webhook ]
13 | 
14 | matrix:
15 |   NODE_VERSION:
16 |     - 0.10
17 |     - 0.12
18 |     - 4
19 |     - 5
20 | 


--------------------------------------------------------------------------------
/.eslintrc:
--------------------------------------------------------------------------------
1 | {
2 |   "extends": "nodesecurity/es5"
3 | }
4 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | node_modules
2 | 


--------------------------------------------------------------------------------
/Gruntfile.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | module.exports = function (grunt) {
 4 | 
 5 |   grunt.initConfig({
 6 |     nsp: {
 7 |       package: grunt.file.readJSON('package.json')
 8 |     }
 9 |   });
10 | 
11 |   grunt.loadTasks('tasks');
12 | 
13 |   grunt.registerTask('default', ['nsp']);
14 | };
15 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | This software is licensed under the Apache 2 license, quoted below.
 2 | 
 3 | Copyright 2015 &yet, LLC
 4 | 
 5 | Licensed under the Apache License, Version 2.0 (the "License"); you may not
 6 | use this file except in compliance with the License. You may obtain a copy of
 7 | the License at
 8 | 
 9 |     http://www.apache.org/licenses/LICENSE-2.0
10 | 
11 | Unless required by applicable law or agreed to in writing, software
12 | distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
13 | WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
14 | License for the specific language governing permissions and limitations under
15 | the License.
16 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # grunt-nsp
 2 | > Checks your package.json / npm-shrinkwrap.json against the Node Security (+) API for dependencies with known vulnerabilities.
 3 | 
 4 | 
 5 | ## Getting Started
 6 | 
 7 | If you haven't used [Grunt](http://gruntjs.com/) before, be sure to check out the [Getting Started](http://gruntjs.com/getting-started) guide, as it explains how to create a [Gruntfile](http://gruntjs.com/sample-gruntfile) as well as install and use Grunt plugins.
 8 | 
 9 | Once you're familiar with that process, you may install this plugin with this command:
10 | 
11 | ```shell
12 | npm install grunt-nsp --save-dev
13 | ```
14 | 
15 | Once the plugin has been installed, it may be enabled inside your Gruntfile with this line of JavaScript:
16 | 
17 | ```js
18 | grunt.initConfig({
19 |   nsp: {
20 |     package: grunt.file.readJSON('package.json')
21 |   }
22 | });
23 | 
24 | grunt.loadNpmTasks('grunt-nsp');
25 | ```
26 | 
27 | ## Options
28 | This package supports the following options.
29 | 
30 | - package (object): The contents of a single package.json file [required]
31 | - shrinkwrap (object): The contents of a single npm-shrinkwrap.json file (optional, but is a much more efficient check)
32 | - output (string): Adjust the output format to any formatter supported by [nsp](https://github.com/nodesecurity/nsp)
33 | 
34 | ## Command Line Options
35 | 
36 | --package
37 | Path to a package.json file
38 | Example `grunt nsp --package ./package.json`
39 | 
40 | --shrinkwrap
41 | Path to a npm-shrinkwrap.json file
42 | Example `grunt nsp --shrinkwrap ./npm-shrinkwrap.json`
43 | 
44 | --output
45 | nsp output formatter to use
46 | Example `grunt nsp --package ./package.json --output summary`
47 | 
48 | ## License
49 | 
50 |     Copyright (c) 2016 by ^Lift Security
51 | 
52 |     Licensed under the Apache License, Version 2.0 (the "License");
53 |     you may not use this file except in compliance with the License.
54 |     You may obtain a copy of the License at
55 | 
56 |        http://www.apache.org/licenses/LICENSE-2.0
57 | 
58 |     Unless required by applicable law or agreed to in writing, software
59 |     distributed under the License is distributed on an "AS IS" BASIS,
60 |     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
61 | 
62 |     See the License for the specific language governing permissions and
63 |     limitations under the License.
64 | 
65 | Note: the above text describes the license for the code located in this repository *only*. Usage of this tool or the API this tool accesses implies acceptance of our [terms of service](https://nodesecurity.io/tos).
66 | 
67 | 


--------------------------------------------------------------------------------
/contributing.md:
--------------------------------------------------------------------------------
 1 | # Contributing
 2 | 
 3 | When making a pull request for this repo, please make sure of a few things
 4 | 
 5 | - tests and linting should pass for you locally. We have CI tests that also enforce this.
 6 | - rebuild the shrinkwrap file if you're changing any dependencies.
 7 | 
 8 | ## Rebuilding the shrinkwrap
 9 | 
10 | Because of the differences beween npm versions 2 and 3, you will want to use npm 2.  A shrinkwrap built under npm 2 will also work under npm 3.  A shrinkwrap built under npm 3 will *not* work under npm 2.
11 | 
12 | The simplest way to build a new shrinkwrap is to start with an empty node_modules.  Once you've done that and have made sure you're using npm 2:
13 | 
14 | ```sh
15 | $ npm install
16 | $ npm run shrinkwrap
17 | ```
18 | 
19 | Note that it is `npm run shrinkwrap` not `npm shrinkwrap`.  This is because we have a shrinkwrap script that not only runs the shrinkwrap itself but also runs `shrinkydink`, a post-processor that cleans out some unneeded info we don't want.
20 | 


--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "grunt-nsp",
 3 |   "description": "Run Node Security as a grunt task",
 4 |   "version": "2.3.1",
 5 |   "author": "^Lift Security",
 6 |   "bugs": {
 7 |     "url": "https://github.com/nodesecurity/grunt-nsp/issues"
 8 |   },
 9 |   "dependencies": {
10 |     "nsp": "^2.6.0"
11 |   },
12 |   "devDependencies": {
13 |     "eslint": "^2.5.3",
14 |     "eslint-config-nodesecurity": "^1.3.1",
15 |     "eslint-plugin-hapi": "^1.2.2",
16 |     "grunt": "^0.4.5",
17 |     "grunt-cli": "^1.1.0",
18 |     "shrinkydink": "^1.0.0"
19 |   },
20 |   "homepage": "https://github.com/nodesecurity/grunt-nsp#readme",
21 |   "keywords": [
22 |     "grunt",
23 |     "grunt",
24 |     "gruntplugin",
25 |     "nodesecurity",
26 |     "nsp",
27 |     "security"
28 |   ],
29 |   "license": "Apache-2.0",
30 |   "main": "index.js",
31 |   "repository": {
32 |     "type": "git",
33 |     "url": "git+ssh://git@github.com:nodesecurity/grunt-nsp.git"
34 |   },
35 |   "scripts": {
36 |     "shrinkwrap": "npm shrinkwrap && shrinkydink",
37 |     "test": "grunt",
38 |     "lint": "eslint ."
39 |   }
40 | }
41 | 


--------------------------------------------------------------------------------
/tasks/nsp.js:
--------------------------------------------------------------------------------
 1 | 'use strict';
 2 | 
 3 | var Nsp = require('nsp');
 4 | 
 5 | module.exports = function (grunt) {
 6 | 
 7 |   grunt.registerTask('nsp', 'Audits package.json / shrinkwrap agains the Node Security (+) API', function () {
 8 | 
 9 |     var done = this.async();
10 |     var config = grunt.config.get('nsp');
11 | 
12 |     var payload = {};
13 |     var formatter = Nsp.formatters.default;
14 | 
15 |     if (config.package) {
16 |       payload.package = config.package;
17 |     }
18 | 
19 |     if (config.shrinkwrap) {
20 |       payload.shrinkwrap = config.shrinkwrap;
21 |     }
22 | 
23 |     if (config.output) {
24 |       formatter = Nsp.getFormatter(config.output);
25 |     }
26 | 
27 |     // Command line option --package
28 |     if (grunt.option('package')) {
29 |       payload.package = grunt.file.readJSON(grunt.option('package'));
30 |     }
31 | 
32 |     // Command line option --shrinkwrap
33 |     if (grunt.option('shrinkwrap')) {
34 |       payload.shrinkwrap = grunt.file.readJSON(grunt.option('shrinkwrap'));
35 |     }
36 | 
37 |     if (grunt.option('output')) {
38 |       formatter = Nsp.getFormatter(grunt.option('output'));
39 |     }
40 | 
41 |     Nsp.check(payload, function (err, data) {
42 | 
43 |       var output = formatter(err, data);
44 |       if (err || data.length > 0) {
45 |         grunt.fail.warn(output);
46 |         return done();
47 |       }
48 | 
49 |       // No error or findings
50 |       grunt.log.write(output);
51 |       return done();
52 |     });
53 | 
54 | 
55 |   });
56 | };
57 | 


--------------------------------------------------------------------------------