feat(tarball): implement new EntryFilesAnalyser API

Author: fraxken

workspaces/scanner/src/index.ts

@@ -97,7 +97,7 @@ export async function verify(
       ...NPM_TOKEN, registry: getLocalRegistryURL(), cache: `${os.homedir()}/.npm`
     });
 
-    const scanResult = await tarball.scanPackage(dest, packageName);
+    const scanResult = await tarball.scanPackage(dest);
 
     return scanResult;
   }

workspaces/tarball/src/class/TarballExtractor.class.ts

@@ -0,0 +1,140 @@
+// Import Node.js Dependencies
+import os from "node:os";
+import path from "node:path";
+
+// Import Third-party Dependencies
+import pacote from "pacote";
+import * as conformance from "@nodesecure/conformance";
+import { ManifestManager } from "@nodesecure/mama";
+import {
+  EntryFilesAnalyser,
+  AstAnalyser,
+  type Warning,
+  type Dependency
+} from "@nodesecure/js-x-ray";
+
+// Import Internal Dependencies
+import {
+  getTarballComposition
+} from "../utils/index.js";
+
+// CONSTANTS
+const kNpmToken = typeof process.env.NODE_SECURE_TOKEN === "string" ?
+  { token: process.env.NODE_SECURE_TOKEN } :
+  {};
+
+export interface NpmTarballExtractOptions {
+  registry?: string;
+}
+
+export class TarballExtractor {
+  static JS_EXTENSIONS = new Set([".js", ".mjs", ".cjs"]);
+
+  public manifest: ManifestManager;
+  public archiveLocation: string;
+
+  constructor(
+    archiveLocation: string,
+    mama: ManifestManager
+  ) {
+    this.archiveLocation = archiveLocation;
+    this.manifest = mama;
+  }
+
+  async scan() {
+    const [
+      composition,
+      spdx
+    ] = await Promise.all([
+      getTarballComposition(this.archiveLocation),
+      conformance.extractLicenses(this.archiveLocation)
+    ]);
+
+    return {
+      spdx,
+      composition
+    };
+  }
+
+  async runJavaScriptSast(
+    JSFiles: string[]
+  ) {
+    const dependencies: Record<string, Record<string, Dependency>> = Object.create(null);
+    const minified: string[] = [];
+    const warnings: Warning[] = [];
+
+    const entries = [...this.manifest.getEntryFiles()]
+      .filter((entryFile) => TarballExtractor.JS_EXTENSIONS.has(path.extname(entryFile)));
+
+    if (entries.length > 0) {
+      const efa = new EntryFilesAnalyser();
+      for await (const fileReport of efa.analyse(entries)) {
+        warnings.push(
+          ...fileReport.warnings.map((warning) => {
+            return { ...warning, file: fileReport.file };
+          })
+        );
+
+        if (fileReport.ok) {
+          dependencies[fileReport.file] = Object.fromEntries(
+            fileReport.dependencies
+          );
+          fileReport.isMinified && minified.push(fileReport.file);
+        }
+      }
+    }
+    else {
+      const { name, type = "script" } = this.manifest.document;
+
+      for (const file of JSFiles) {
+        const result = await new AstAnalyser().analyseFile(
+          path.join(this.archiveLocation, file),
+          {
+            packageName: name,
+            module: type === "module"
+          }
+        );
+
+        warnings.push(
+          ...result.warnings.map((curr) => Object.assign({}, curr, { file }))
+        );
+        if (result.ok) {
+          dependencies[file] = Object.fromEntries(result.dependencies);
+          if (result.isMinified) {
+            minified.push(file);
+          }
+        }
+      }
+    }
+
+    return {
+      dependencies,
+      warnings,
+      minified
+    };
+  }
+
+  static async fromNpm(
+    location: string,
+    spec: string,
+    options: NpmTarballExtractOptions = {}
+  ) {
+    const { registry } = options;
+
+    await pacote.extract(spec, location, {
+      ...kNpmToken,
+      registry,
+      cache: `${os.homedir()}/.npm`
+    });
+
+    return this.fromFileSystem(location);
+  }
+
+  static async fromFileSystem(
+    location: string
+  ): Promise<TarballExtractor> {
+    const mama = await ManifestManager.fromPackageJSON(location);
+
+    return new TarballExtractor(location, mama);
+  }
+}

workspaces/tarball/src/tarball.ts

@@ -4,7 +4,6 @@ import os from "node:os";
 
 // Import Third-party Dependencies
 import {
-  AstAnalyser,
   type Warning,
   type Dependency
 } from "@nodesecure/js-x-ray";
@@ -19,6 +18,7 @@ import {
   analyzeDependencies,
   booleanToFlags
 } from "./utils/index.js";
+import { TarballExtractor } from "./class/TarballExtractor.class.js";
 import * as warnings from "./warnings.js";
 import * as sast from "./sast/index.js";
 
@@ -58,7 +58,6 @@ const NPM_TOKEN = typeof process.env.NODE_SECURE_TOKEN === "string" ?
   {};
 
 const kNativeCodeExtensions = new Set([".gyp", ".c", ".cpp", ".node", ".so", ".h"]);
-const kJsExtname = new Set([".js", ".mjs", ".cjs"]);
 
 export interface scanDirOrArchiveOptions {
   ref: DependencyRef;
@@ -122,7 +121,7 @@ export async function scanDirOrArchive(
   const scannedFiles = await sast.scanManyFiles(composition.files, dest, name);
 
   ref.warnings.push(...scannedFiles.flatMap((row) => row.warnings));
-  if (/^0(\.\d+)*$/.test(version)) {
+  if (mama.hasZeroSemver) {
     ref.warnings.push(warnings.getSemVerWarning(version));
   }
 
@@ -189,46 +188,24 @@ export interface ScannedPackageResult {
 }
 
 export async function scanPackage(
-  dest: string,
-  packageName?: string
+  dest: string
 ): Promise<ScannedPackageResult> {
-  const [
-    mama,
+  const extractor = await TarballExtractor.fromFileSystem(dest);
+
+  const {
     composition,
     spdx
-  ] = await Promise.all([
-    ManifestManager.fromPackageJSON(dest),
-    getTarballComposition(dest),
-    conformance.extractLicenses(dest)
-  ]);
-  const { type = "script" } = mama.document;
-
-  // Search for runtime dependencies
-  const dependencies: Record<string, Record<string, Dependency>> = Object.create(null);
-  const minified: string[] = [];
-  const warnings: Warning[] = [];
-
-  const JSFiles = composition.files
-    .filter((name) => kJsExtname.has(path.extname(name)));
-  for (const file of JSFiles) {
-    const result = await new AstAnalyser().analyseFile(
-      path.join(dest, file),
-      {
-        packageName: packageName ?? mama.document.name,
-        module: type === "module"
-      }
-    );
+  } = await extractor.scan();
 
-    warnings.push(
-      ...result.warnings.map((curr) => Object.assign({}, curr, { file }))
-    );
-    if (result.ok) {
-      dependencies[file] = Object.fromEntries(result.dependencies);
-      if (result.isMinified) {
-        minified.push(file);
-      }
-    }
-  }
+  const {
+    dependencies,
+    warnings,
+    minified
+  } = await extractor.runJavaScriptSast(
+    composition.files.filter(
+      (name) => TarballExtractor.JS_EXTENSIONS.has(path.extname(name))
+    )
+  );
 
   return {
     files: {