refactor: migrate to OpenAlly configs & update dependencies (#158)

README.md

@@ -147,7 +147,7 @@ Here is the content of the **.nodesecurerc** file generated by default:
 {
   "version": "1.0.0",
   "i18n": "english",
-  "strategy": "npm",
+  "strategy": "github-advisory",
   "ci": {
     "reporters": ["console"],
     "vulnerabilities": {
@@ -165,7 +165,7 @@ used by the runner.
 {
   "version": "1.0.0",
   "i18n": "english",
-  "strategy": "npm",
+  "strategy": "github-advisory",
   "ci": {
     "reporters": ["console"],
     "vulnerabilities": {

bin/cli.ts

@@ -42,7 +42,7 @@ program
   .option(
     "-s, --strategy",
     `@nodesecure/vuln vulnerability strategy. Can be '${availableStrategies}'`,
-    Nsci.vulnStrategy.npm
+    Nsci.vulnStrategy["github-advisory"]
   )
   .example("cli.js run --strategy=npm")
 

eslint.config.mjs

@@ -0,0 +1,3 @@
+import { typescriptConfig } from "@openally/config.eslint";
+
+export default typescriptConfig();

lib/console-printer/index.ts

@@ -77,24 +77,20 @@ function createConsoleMessage(message: string): ConsoleMessage {
 export const consolePrinter: ConsolePrinter = {
   font: {
     standard: (message: string) => createConsoleMessage(kleur.white(message)),
-    highlight: (message: string) =>
-      createConsoleMessage(kleur.magenta(message)),
+    highlight: (message: string) => createConsoleMessage(kleur.magenta(message)),
     info: (message: string) => createConsoleMessage(kleur.yellow(message)),
     error: (message: string) => createConsoleMessage(kleur.red(message)),
     success: (message: string) => createConsoleMessage(kleur.green(message)),
-    highlightedSuccess: (message: string) =>
-      createConsoleMessage(kleur.bgGreen().bold().white(message)),
-    highlightedError: (message: string) =>
-      createConsoleMessage(kleur.bgRed().bold().white(message))
+    highlightedSuccess: (message: string) => createConsoleMessage(kleur.bgGreen().bold().white(message)),
+    highlightedError: (message: string) => createConsoleMessage(kleur.bgRed().bold().white(message))
   },
   decoration: {
     underline: (message: string) => kleur.underline(message),
     italic: (message: string) => kleur.italic(message),
     bold: (message: string) => kleur.bold(message)
   },
   util: {
-    concatOutputs: (messages: string[], delimiter = " ") =>
-      createConsoleMessage(messages.join(delimiter)),
+    concatOutputs: (messages: string[], delimiter = " ") => createConsoleMessage(messages.join(delimiter)),
     emptyLine: () => console.log()
   }
 };

package.json

@@ -55,45 +55,39 @@
     "prestart": "npm run build",
     "prepublishOnly": "npm run test && npm run build",
     "start": "node dist/bin/cli.js",
-    "build": "rimraf ./dist && tsc --project tsconfig.build.json",
+    "build": "rimraf ./dist && tsc",
     "test": "glob -c \"tsx --test\" \"./src/**/*.spec.ts\"",
     "lint": "eslint ."
   },
   "devDependencies": {
-    "@nodesecure/eslint-config": "^1.9.0",
+    "@openally/config.eslint": "^1.0.0",
+    "@openally/config.typescript": "^1.0.3",
     "@types/lodash.set": "^4.3.9",
     "@types/mock-fs": "^4.13.4",
-    "@types/node": "^22.1.0",
+    "@types/node": "^22.3.0",
     "@types/pluralize": "^0.0.33",
     "@types/sade": "^1.7.8",
-    "cross-env": "^7.0.3",
-    "eslint": "^8.56.0",
-    "eslint-config-prettier": "^9.1.0",
-    "eslint-import-resolver-typescript": "^3.6.1",
-    "eslint-plugin-prettier": "^5.1.3",
+    "glob": "^11.0.0",
     "mock-fs": "^5.2.0",
-    "prettier": "^3.2.4",
     "rimraf": "^6.0.1",
-    "ts-node": "^10.9.2",
+    "tsx": "^4.17.0",
     "typescript": "^5.0.4"
   },
   "dependencies": {
     "@nodesecure/i18n": "^4.0.1",
     "@nodesecure/js-x-ray": "^7.3.0",
-    "@nodesecure/rc": "^3.0.0",
-    "@nodesecure/scanner": "^6.0.1",
-    "@nodesecure/vulnera": "^1.8.0",
-    "@openally/result": "^1.2.0",
+    "@nodesecure/rc": "^4.0.0",
+    "@nodesecure/scanner": "^6.1.0",
+    "@nodesecure/vulnera": "^2.0.1",
+    "@openally/result": "^1.3.0",
     "@slimio/async-cli-spinner": "^0.5.2",
     "ajv": "^8.12.0",
-    "glob": "^11.0.0",
     "kleur": "^4.1.5",
     "lodash.set": "^4.3.2",
     "pluralize": "^8.0.0",
     "pretty-ms": "^9.0.0",
     "sade": "^1.8.1",
     "table": "^6.8.1",
-    "ts-pattern": "^5.0.6",
-    "tsx": "^4.7.0"
+    "ts-pattern": "^5.3.1"
   }
 }

src/analysis/extraction/extract.ts

@@ -1,9 +1,12 @@
 // Import Third-party Dependencies
 import * as Scanner from "@nodesecure/scanner";
-import { Strategy } from "@nodesecure/vuln";
+import type {
+  StandardVulnerability,
+  Severity
+} from "@nodesecure/vulnera";
 
 // Import Internal Dependencies
-import type { DependencyWarning } from "../types";
+import type { DependencyWarning } from "../types/index.js";
 
 export interface CompactedScannerPayload {
   warnings: string[];
@@ -13,13 +16,13 @@ export interface CompactedScannerPayload {
   };
 }
 
-export type WorkableVulnerability = Strategy.StandardVulnerability & {
-  severity: Strategy.Severity;
+export type WorkableVulnerability = StandardVulnerability & {
+  severity: Severity;
   package: string;
 };
 
 function keepOnlyWorkableVulns(
-  vuln: Strategy.StandardVulnerability
+  vuln: StandardVulnerability
 ): vuln is WorkableVulnerability {
   return vuln.severity !== undefined || vuln.package !== undefined;
 }
@@ -48,9 +51,9 @@ function extractDependenciesWarnings(
 function extractDependenciesVulnsAndWarnings(
   dependencies: Scanner.Dependencies
 ): {
-  warnings: DependencyWarning[];
-  vulnerabilities: WorkableVulnerability[];
-} {
+    warnings: DependencyWarning[];
+    vulnerabilities: WorkableVulnerability[];
+  } {
   const warnings = extractDependenciesWarnings(dependencies);
   const vulnerabilities = extractDependenciesVulns(dependencies);
 

src/analysis/interpretation/checkable.ts

@@ -1,8 +1,8 @@
 // Import Third-party Dependencies
-import { Strategy } from "@nodesecure/vuln";
+import type { StandardVulnerability } from "@nodesecure/vulnera";
 
 // Import Internal Dependencies
-import type { DependencyWarning } from "../types";
+import type { DependencyWarning } from "../types/index.js";
 
 export type CheckResult = "failed" | "passed";
 
@@ -16,7 +16,7 @@ export type CheckableFunction<T> = {
 
 export type PipelineCheckFunctions = Array<
   () => CheckableFunction<
-    string | DependencyWarning | Strategy.StandardVulnerability
+    string | DependencyWarning | StandardVulnerability
   >
 >;
 

src/analysis/interpretation/interpret.spec.ts

@@ -5,25 +5,25 @@ import { describe, it } from "node:test";
 // Import Third-party Dependencies
 import * as JSXRay from "@nodesecure/js-x-ray";
 import * as Scanner from "@nodesecure/scanner";
-import { Strategy } from "@nodesecure/vuln";
+import type { StandardVulnerability } from "@nodesecure/vulnera";
 
 // Import Internal Dependencies
 import {
   IgnorePatterns,
-  WarningEntries
-} from "../../configuration/external/nodesecure/ignore-file";
+  type WarningEntries
+} from "../../configuration/external/nodesecure/ignore-file.js";
 import { Nsci } from "../../configuration/standard/index.js";
-import { WarningMode, Warnings } from "../../configuration/standard/nsci.js";
+import type { WarningMode, Warnings } from "../../configuration/standard/nsci.js";
 import * as pipeline from "../../reporting/status.js";
-import { DeepPartialRecord } from "../../types";
+import type { DeepPartialRecord } from "../../types/index.js";
 
 import { runPayloadInterpreter } from "./interpret.js";
-import { DependencyWarningWithMode } from "./warnings.js";
+import type { DependencyWarningWithMode } from "./warnings.js";
 
 // CONSTANTS
 const kDefaultRuntimeConfiguration: Nsci.Configuration = {
   rootDir: process.cwd(),
-  strategy: Nsci.vulnStrategy.npm,
+  strategy: Nsci.vulnStrategy["github-advisory"],
   reporters: [Nsci.reporterTarget.CONSOLE],
   vulnerabilitySeverity: Nsci.vulnSeverity.ALL,
   warnings: Nsci.warnings.ERROR,
@@ -39,7 +39,7 @@ const kDefaultScannerPayload: Scanner.Payload = {
     contacts: []
   },
   scannerVersion: "1.0.0",
-  vulnerabilityStrategy: "npm"
+  vulnerabilityStrategy: "github-advisory"
 };
 
 /* eslint-disable max-nested-callbacks */
@@ -392,14 +392,14 @@ describe("Pipeline check workflow", () => {
       it("should filter unprocessable vulnerabilities", () => {
         const unprocessableVulnerability = {
           id: undefined,
-          origin: "npm",
+          origin: "github-advisory",
           package: undefined,
           title: undefined,
           url: undefined,
           severity: undefined,
           vulnerableRanges: [],
           vulnerableVersions: []
-        } as unknown as Strategy.StandardVulnerability;
+        } as unknown as StandardVulnerability;
 
         const scannerPayload: Scanner.Payload = {
           ...kDefaultScannerPayload,
@@ -429,7 +429,7 @@ describe("Pipeline check workflow", () => {
                   versions: {},
                   vulnerabilities: [
                     {
-                      origin: "npm",
+                      origin: "github-advisory",
                       package: "express",
                       title: "Vuln...",
                       cves: [],
@@ -497,7 +497,7 @@ describe("Pipeline check workflow", () => {
                   versions: {},
                   vulnerabilities: [
                     {
-                      origin: "npm",
+                      origin: "github-advisory",
                       package: "express",
                       title: "Vuln...",
                       cves: [],
@@ -534,7 +534,7 @@ describe("Pipeline check workflow", () => {
                   versions: {},
                   vulnerabilities: [
                     {
-                      origin: "npm",
+                      origin: "github-advisory",
                       package: "express",
                       title: "Vuln...",
                       cves: [],
@@ -554,7 +554,7 @@ describe("Pipeline check workflow", () => {
 
             expectNsciPipelineToFail(status);
             assert.deepEqual(data.dependencies.vulnerabilities[0], {
-              origin: "npm",
+              origin: "github-advisory",
               package: "express",
               title: "Vuln...",
               cves: [],
@@ -572,7 +572,7 @@ describe("Pipeline check workflow", () => {
                   versions: {},
                   vulnerabilities: [
                     {
-                      origin: "npm",
+                      origin: "github-advisory",
                       package: "express",
                       title: "Express vuln that should not be ignored",
                       cves: [],
@@ -581,7 +581,7 @@ describe("Pipeline check workflow", () => {
                       vulnerableVersions: []
                     },
                     {
-                      origin: "npm",
+                      origin: "github-advisory",
                       package: "marker",
                       title: "Marker vuln that should be ignored",
                       cves: [],
@@ -602,7 +602,7 @@ describe("Pipeline check workflow", () => {
             expectNsciPipelineToFail(status);
             assert.equal(data.dependencies.vulnerabilities.length, 1);
             assert.deepEqual(data.dependencies.vulnerabilities[0], {
-              origin: "npm",
+              origin: "github-advisory",
               package: "express",
               title: "Express vuln that should not be ignored",
               cves: [],