feat(contacts): highlight contacts (#504)

Author: clemgbld

bin/index.js

@@ -135,7 +135,8 @@ function defaultScannerCommand(name, options = {}) {
 
   const cmd = prog.command(name)
     .option("-d, --depth", i18n.getTokenSync("cli.commands.option_depth"), Infinity)
-    .option("--silent", i18n.getTokenSync("cli.commands.option_silent"), false);
+    .option("--silent", i18n.getTokenSync("cli.commands.option_silent"), false)
+    .option("-c, --contacts", i18n.getTokenSync("cli.commands.option_contacts"), []);
 
   if (includeOutput) {
     cmd.option("-o, --output", i18n.getTokenSync("cli.commands.option_output"), "nsecure-result");

docs/cli/auto.md

@@ -20,11 +20,12 @@ $ nsecure auto --keep
 
 ## ⚙️ Available Options
 
-| Name | Shortcut | Default Value | Description |
-|---|---|---|--|
-| `--depth` | `-d` | `Infinity` | Maximum tree depth to scan. |
-| `--silent` |   | `false` | Suppress console output, making execution silent. |
-| `--output` | `-o` | `nsecure-result` | Specify the output file for the results. |
-| `--vulnerabilityStrategy` | `-s` | github-advisory | Strategy used to fetch package vulnerabilities (see Vulnera [available strategy](https://github.com/NodeSecure/vulnera?tab=readme-ov-file#available-strategy)). |
-| `--keep` | `-k` | `false` | Preserve JSON payload after execution. |
-| `--developer` | `-d` | `false` | Launch the server in developer mode, enabling automatic HTML component refresh. |
+| Name                      | Shortcut | Default Value    | Description                                                                                                                                                     |
+| ------------------------- | -------- | ---------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--depth`                 | `-d`     | `Infinity`       | Maximum tree depth to scan.                                                                                                                                     |
+| `--silent`                |          | `false`          | Suppress console output, making execution silent.                                                                                                               |
+| `--output`                | `-o`     | `nsecure-result` | Specify the output file for the results.                                                                                                                        |
+| `--vulnerabilityStrategy` | `-s`     | github-advisory  | Strategy used to fetch package vulnerabilities (see Vulnera [available strategy](https://github.com/NodeSecure/vulnera?tab=readme-ov-file#available-strategy)). |
+| `--keep`                  | `-k`     | `false`          | Preserve JSON payload after execution.                                                                                                                          |
+| `--developer`             | `-d`     | `false`          | Launch the server in developer mode, enabling automatic HTML component refresh.                                                                                 |
+| `--contacts`              | `-c`     | `[]`           | List of contacts to highlight.                                                                                                                                  |

docs/cli/cwd.md

@@ -10,11 +10,12 @@ $ nsecure cwd [options]
 
 ## ⚙️ Available Options
 
-| Name | Shortcut | Default Value | Description |
-|---|---|---|---|
-| `--nolock` | `-n` | `false` | Do not use a lock file (package-lock.json or yarn.lock) for the analysis. |
-| `--full` | `-f` | `false` | Perform a full analysis of the project, including all dependencies. |
-| `--depth` | `-d` | `Infinity` | Maximum tree depth to scan. |
-| `--silent` |   | `false` | Suppress console output, making execution silent. |
-| `--output` | `-o` | `nsecure-result` | Specify the output file for the results. |
-| `--vulnerabilityStrategy` | `-s` | github-advisory | Strategy used to fetch package vulnerabilities (see Vulnera [available strategy](https://github.com/NodeSecure/vulnera?tab=readme-ov-file#available-strategy)). |
+| Name                      | Shortcut | Default Value    | Description                                                                                                                                                     |
+| ------------------------- | -------- | ---------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--nolock`                | `-n`     | `false`          | Do not use a lock file (package-lock.json or yarn.lock) for the analysis.                                                                                       |
+| `--full`                  | `-f`     | `false`          | Perform a full analysis of the project, including all dependencies.                                                                                             |
+| `--depth`                 | `-d`     | `Infinity`       | Maximum tree depth to scan.                                                                                                                                     |
+| `--silent`                |          | `false`          | Suppress console output, making execution silent.                                                                                                               |
+| `--output`                | `-o`     | `nsecure-result` | Specify the output file for the results.                                                                                                                        |
+| `--vulnerabilityStrategy` | `-s`     | github-advisory  | Strategy used to fetch package vulnerabilities (see Vulnera [available strategy](https://github.com/NodeSecure/vulnera?tab=readme-ov-file#available-strategy)). |
+| `--contacts`              | `-c`     | `[]`           | List of contacts to highlight.                                                                                                                                  |

docs/cli/from.md

@@ -18,9 +18,10 @@ $ nsecure from [email protected] -o express-report
 
 ## ⚙️ Available Options
 
-| Name | Shortcut | Default Value | Description |
-|---|---|---|---|
-| `--depth` | `-d` | `Infinity` | Maximum tree depth to scan. |
-| `--silent` |   | `false` | Suppress console output, making execution silent. |
-| `--output` | `-o` | `nsecure-result` | Specify the output file for the results. |
-| `--vulnerabilityStrategy` | `-s` | github-advisory | Strategy used to fetch package vulnerabilities (see Vulnera [available strategy](https://github.com/NodeSecure/vulnera?tab=readme-ov-file#available-strategy)). |
+| Name                      | Shortcut | Default Value    | Description                                                                                                                                                     |
+| ------------------------- | -------- | ---------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--depth`                 | `-d`     | `Infinity`       | Maximum tree depth to scan.                                                                                                                                     |
+| `--silent`                |          | `false`          | Suppress console output, making execution silent.                                                                                                               |
+| `--output`                | `-o`     | `nsecure-result` | Specify the output file for the results.                                                                                                                        |
+| `--vulnerabilityStrategy` | `-s`     | github-advisory  | Strategy used to fetch package vulnerabilities (see Vulnera [available strategy](https://github.com/NodeSecure/vulnera?tab=readme-ov-file#available-strategy)). |
+| `--contacts`              | `-c`     | `[]`           | List of contacts to highlight.                                                                                                                                  |

i18n/english.js

@@ -14,6 +14,7 @@ const cli = {
     option_depth: "Maximum dependencies depth to fetch",
     option_output: "Json file output name",
     option_silent: "enable silent mode which disable CLI spinners",
+    option_contacts: "List of contacts to hightlight",
     strategy: "Vulnerabilities source to use",
     cwd: {
       desc: "Run security analysis on the current working dir",
@@ -80,7 +81,7 @@ const cli = {
   startHttp: {
     invalidScannerVersion: tS`the payload has been scanned with version '${0}' and do not satisfies the required CLI range '${1}'`,
     regenerate: "please re-generate a new JSON payload using the CLI"
-  }
+  },
 };
 
 const ui = {

i18n/french.js

@@ -14,6 +14,7 @@ const cli = {
     option_depth: "Niveau de profondeur de dépendances maximum à aller chercher",
     option_output: "Nom de sortie du fichier json",
     option_silent: "Activer le mode silencieux qui désactive les spinners du CLI",
+    option_contacts: "Liste des contacts à mettre en évidence",
     strategy: "Source de vulnérabilités à utiliser",
     cwd: {
       desc: "Démarre une analyse de sécurité sur le dossier courant",
@@ -80,7 +81,7 @@ const cli = {
   startHttp: {
     invalidScannerVersion: tS`le fichier d'analyse correspond à la version '${0}' du scanner et ne satisfait pas la range '${1}' attendu par la CLI`,
     regenerate: "veuillez re-générer un nouveau fichier d'analyse JSON en utilisant votre CLI"
-  }
+  },
 };
 
 const ui = {

package.json

@@ -87,7 +87,7 @@
     "@nodesecure/ossf-scorecard-sdk": "^3.2.1",
     "@nodesecure/rc": "^4.0.1",
     "@nodesecure/report": "^3.0.0",
-    "@nodesecure/scanner": "^6.4.0",
+    "@nodesecure/scanner": "^6.6.0",
     "@nodesecure/utils": "^2.2.0",
     "@nodesecure/vulnera": "^2.0.1",
     "@openally/result": "^1.3.0",

public/components/views/home/maintainers/maintainers.css

@@ -26,6 +26,14 @@ body.dark .home--maintainers>.person {
   background: var(--dark-theme-primary-color);
 }
 
+.home--maintainers> .highlighted{
+  background: linear-gradient(to bottom, rgb(230, 240, 250) 0%, rgb(220, 235, 245) 100%);
+}
+
+body.dark .home--maintainers > .highlighted {
+  background: linear-gradient(to right, rgb(11, 3, 31) 0%, rgba(46, 10, 10, 0.8) 100%);
+}
+
 .home--maintainers>.person:hover {
   border-color: var(--secondary-darker);
   cursor: pointer;

public/components/views/home/maintainers/maintainers.js

@@ -26,14 +26,23 @@ export class Maintainers {
   }
 
   render() {
-    const authors = [...this.secureDataSet.authors.entries()]
-      .sort((left, right) => right[1].packages.size - left[1].packages.size);
+    const authors = this.#highlightContacts([...this.secureDataSet.authors.entries()]
+      .sort((left, right) => right[1].packages.size - left[1].packages.size));
 
     document.getElementById("authors-count").innerHTML = authors.length;
     document.querySelector(".home--maintainers")
       .appendChild(this.generate(authors));
   }
 
+  #highlightContacts(authors) {
+    const highlightedAuthors = authors
+      .filter(([_, contact]) => this.secureDataSet.isHighlighted(contact));
+
+    const authorsRest = authors.filter(([_, contact]) => !this.secureDataSet.isHighlighted(contact));
+
+    return [...highlightedAuthors, ...authorsRest];
+  }
+
   generate(authors) {
     const fragment = document.createDocumentFragment();
     const hideItems = authors.length > this.maximumMaintainers;
@@ -61,6 +70,9 @@ export class Maintainers {
           })
         ]
       });
+      if (this.secureDataSet.isHighlighted(data)) {
+        person.classList.add("highlighted");
+      }
       if (hideItems && id >= this.maximumMaintainers) {
         person.classList.add("hidden");
       }

src/commands/parsers/contacts.js

@@ -0,0 +1,24 @@
+// CONSTANTS
+const kEmailRegex = "[^\\.\\s@:](?:[^\\s@:]*[^\\s@:\\.])?@[^\\.\\s@]+(?:\\.[^\\.\\s@]+)*";
+
+export function parseContacts(input) {
+  return Array.isArray(input) ? input.map(parseContact) : [parseContact(input)];
+}
+
+function parseContact(str) {
+  const emailMatch = str.match(emailRegex());
+  if (!emailMatch) {
+    return { name: str.trim() };
+  }
+  const email = emailMatch[0];
+  const name = str.replace(email, "").trim();
+  if (name) {
+    return { name, email };
+  }
+
+  return { email };
+}
+
+function emailRegex() {
+  return new RegExp(kEmailRegex, "g");
+}

src/commands/scanner.js

@@ -14,14 +14,22 @@ import * as Scanner from "@nodesecure/scanner";
 // Import Internal Dependencies
 import * as http from "./http.js";
 import { appCache } from "../cache.js";
+import { parseContacts } from "./parsers/contacts.js";
 
 export async function auto(spec, options) {
   const { keep, ...commandOptions } = options;
 
+  const optionsWithContacts = {
+    ...commandOptions,
+    highlight: {
+      contacts: parseContacts(options.contacts)
+    }
+  };
+
   const payloadFile = await (
     typeof spec === "string" ?
-      from(spec, commandOptions) :
-      cwd(commandOptions)
+      from(spec, optionsWithContacts) :
+      cwd(optionsWithContacts)
   );
   try {
     if (payloadFile !== null) {
@@ -55,24 +63,31 @@ export async function cwd(options) {
     nolock,
     full,
     vulnerabilityStrategy,
-    silent
+    silent,
+    contacts
   } = options;
 
   const payload = await Scanner.cwd(
     process.cwd(),
-    { maxDepth, usePackageLock: !nolock, fullLockMode: full, vulnerabilityStrategy },
+    { maxDepth, usePackageLock: !nolock, fullLockMode: full, vulnerabilityStrategy, highlight:
+      { contacts: parseContacts(contacts) } },
     initLogger(void 0, !silent)
   );
 
   return await logAndWrite(payload, output, { local: true });
 }
 
 export async function from(spec, options) {
-  const { depth: maxDepth = Infinity, output, silent } = options;
+  const { depth: maxDepth = Infinity, output, silent, contacts } = options;
 
   const payload = await Scanner.from(
     spec,
-    { maxDepth },
+    {
+      maxDepth,
+      highlight: {
+        contacts: parseContacts(contacts)
+      }
+    },
     initLogger(spec, !silent)
   );
 

test/commands/parsers/contacts.test.js

@@ -0,0 +1,38 @@
+// Import Node.js Dependencies
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+
+// Import Internal Dependencies
+import { parseContacts } from "../../../src/commands/parsers/contacts.js";
+
+describe("contacts parser", () => {
+  it("should have no contacts", () => {
+    assert.deepEqual(parseContacts([]), []);
+  });
+
+  it("should have a contact with a name", () => {
+    assert.deepEqual(parseContacts("sindre"), [{ name: "sindre" }]);
+  });
+
+  it("should trim names", () => {
+    assert.deepEqual(parseContacts("  matteo "), [{ name: "matteo" }]);
+  });
+
+  it("should have a contact with an email", () => {
+    assert.deepEqual(parseContacts("[email protected]"), [{ email: "[email protected]" }]);
+  });
+
+  it("should trim emails", () => {
+    assert.deepEqual(parseContacts("  [email protected] "), [{ email: "[email protected]" }]);
+  });
+
+  it("should parse names and emails", () => {
+    assert.deepEqual(parseContacts("sindre [email protected]"), [{ name: "sindre", email: "[email protected]" }]);
+  });
+
+  it("should parse multiples contacts", () => {
+    assert.deepEqual(parseContacts(["sindre [email protected]", "matteo"]),
+      [{ name: "sindre", email: "[email protected]" }, { name: "matteo" }]);
+  });
+});
+

workspaces/vis-network/src/dataset.js

@@ -13,14 +13,16 @@ export default class NodeSecureDataSet extends EventTarget {
    * @param {string[]} [options.warningsToIgnore=[]]
    * @param {"light"|"dark"} [options.theme]
    */
+
+  #highligthedContacts;
+
   constructor(options = {}) {
     super();
     const {
       flagsToIgnore = [],
       warningsToIgnore = [],
       theme = "light"
     } = options;
-
     this.flagsToIgnore = new Set(flagsToIgnore);
     this.warningsToIgnore = new Set(warningsToIgnore);
     this.theme = theme;
@@ -76,6 +78,18 @@ export default class NodeSecureDataSet extends EventTarget {
 
     this.warnings = data.warnings;
 
+    this.#highligthedContacts = data.highlighted.contacts
+      .reduce((acc, { name, email }) => {
+        if (name) {
+          acc.names.add(name);
+        }
+        if (email) {
+          acc.emails.add(email);
+        }
+
+        return acc;
+      }, { names: new Set(), emails: new Set() });
+
     const dataEntries = Object.entries(data.dependencies);
     this.dependenciesCount = dataEntries.length;
 
@@ -210,4 +224,8 @@ export default class NodeSecureDataSet extends EventTarget {
 
     return { nodes, edges };
   }
+
+  isHighlighted(contact) {
+    return this.#highligthedContacts.names.has(contact.name) || this.#highligthedContacts.emails.has(contact.email);
+  }
 }

workspaces/vis-network/test/dataset-payload.json

@@ -1,6 +1,37 @@
 {
   "id": "abcde",
   "rootDepencyName": "pkg1",
+  "highlighted": {
+    "contacts": [
+      {
+        "email": "[email protected]",
+        "dependencies": [
+          "frequency-set",
+          "sec-literal",
+          "js-x-ray"
+        ]
+      },
+    {
+        "name": "Rich Harris",
+        "email": "[email protected]",
+        "dependencies": [
+          "frequency-set",
+          "sec-literal",
+          "js-x-ray"
+        ]
+      },
+      {
+        "name": "Sindre Sorhus",
+        "dependencies": [
+          "is-svg",
+          "ansi-regex",
+          "strip-ansi",
+          "is-fullwidth-code-point",
+          "string-width"
+        ]
+      }
+    ]
+  },
   "dependencies": {
     "pkg2": {
       "versions": {