README

README.md

@@ -4,6 +4,8 @@
 
 该项目是基于 [snyk/resolve-deps](https://github.com/snyk/resolve-deps.git) 的二次开发。
 
+
+
 ## 关于我们
 
 Website：https://security.immomo.com
@@ -12,10 +14,14 @@ WeChat:
 
 <img src="https://momo-mmsrc.oss-cn-hangzhou.aliyuncs.com/img-1c96a083-7392-3b72-8aec-bad201a6abab.jpeg" width="200" hegiht="200" align="center" /><br>
 
+
+
 ## 版本要求
 
 npm >= 5.2.0
 
+
+
 ## 使用
 
 首先运行 [MOSEC-X-PLUGIN Backend](https://github.com/momosecurity/mosec-x-plugin-backend.git)
@@ -24,6 +30,49 @@ npm >= 5.2.0
 ```
 > cd your_node_project/
 > npx github:momosecurity/mosec-node-plugin \
-  --endpoint http://127.0.0.1:9000/api/plugin \ 
+  --endpoint http://127.0.0.1:9000/api/plugin \
   --only-provenance
 ```
+
+
+
+## 帮助
+
+```shell script
+$ npx github:momosecurity/mosec-node-plugin --help
+
+Usage: mosec [options]
+
+Options:
+  -V, --version                 output the version number
+  -e, --endpoint <value>        上报API
+  -t, --target <path>           项目所在目录 (default: current dir)
+  -s, --severity-level <value>  威胁等级 [High|Medium|Low] (default: "High")
+  --only-provenance             仅检查直接依赖 (default: false)
+  --with-dev                    包括devDependency (default: false)
+  -h, --help                    display help for command
+```
+
+
+
+## 使用效果
+
+以 test/vuln-project 项目为例。
+
+红色部分给出漏洞警告，Path: 为漏洞依赖链，Fix version 为组件安全版本。
+
+![usage](./static/usage.jpg)
+
+
+
+## 检测原理
+
+MOSEC-NODE-PLUGIN首先会读取package.json文件并解析出项目声明需求的依赖。
+
+之后会递归解析node_modules目录，提取当前项目安装的依赖。如有必要，还会逐级向上层目录查找node_modules目录。
+
+最后进行声明依赖与实际安装依赖的比对，并构造当前项目的依赖树。
+
+最终依赖树会交由 [MOSEC-X-PLUGIN-BACKEND](https://github.com/momosecurity/mosec-x-plugin-backend.git) 检测服务进行检测，并返回结果。
+
+相关数据结构请参考 MOSEC-X-PLUGIN-BACKEND [README.md](https://github.com/momosecurity/mosec-x-plugin-backend/blob/master/README.md).

test/vuln-project/package-lock.json

@@ -0,0 +1,132 @@
+{
+  "name": "vuln-project",
+  "version": "1.0.0",
+  "lockfileVersion": 1,
+  "requires": true,
+  "dependencies": {
+    "bluebird": {
+      "version": "3.5.1",
+      "resolved": "http://npm.wemomo.com/bluebird/-/bluebird-3.5.1.tgz",
+      "integrity": "sha1-2VUfnemPH82h5oPRfukaBgLuLrk="
+    },
+    "bson": {
+      "version": "1.1.5",
+      "resolved": "http://npm.wemomo.com/bson/-/bson-1.1.5.tgz",
+      "integrity": "sha1-Kqrpj832dQwISLDLod3sPHMGCjQ="
+    },
+    "debug": {
+      "version": "3.1.0",
+      "resolved": "http://npm.wemomo.com/debug/-/debug-3.1.0.tgz",
+      "integrity": "sha1-W7WgZyYotkFJVmuhaBnmFRjGcmE=",
+      "requires": {
+        "ms": "2.0.0"
+      },
+      "dependencies": {
+        "ms": {
+          "version": "2.0.0",
+          "resolved": "http://npm.wemomo.com/ms/-/ms-2.0.0.tgz",
+          "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g="
+        }
+      }
+    },
+    "kareem": {
+      "version": "2.3.1",
+      "resolved": "http://npm.wemomo.com/kareem/-/kareem-2.3.1.tgz",
+      "integrity": "sha1-3vEtnJQQF/q/sA+HOvlenJnhvoc="
+    },
+    "mongodb": {
+      "version": "3.3.2",
+      "resolved": "http://npm.wemomo.com/mongodb/-/mongodb-3.3.2.tgz",
+      "integrity": "sha1-/whrX1Us8H4kzgmGlCEPPULWaLI=",
+      "requires": {
+        "bson": "^1.1.1",
+        "require_optional": "^1.0.1",
+        "safe-buffer": "^5.1.2"
+      }
+    },
+    "mongoose": {
+      "version": "5.7.3",
+      "resolved": "http://npm.wemomo.com/mongoose/-/mongoose-5.7.3.tgz",
+      "integrity": "sha1-i9RrVh6u0aTUps3YHVsjwuMNqEY=",
+      "requires": {
+        "bson": "~1.1.1",
+        "kareem": "2.3.1",
+        "mongodb": "3.3.2",
+        "mongoose-legacy-pluralize": "1.0.2",
+        "mpath": "0.6.0",
+        "mquery": "3.2.2",
+        "ms": "2.1.2",
+        "regexp-clone": "1.0.0",
+        "safe-buffer": "5.1.2",
+        "sift": "7.0.1",
+        "sliced": "1.0.1"
+      }
+    },
+    "mongoose-legacy-pluralize": {
+      "version": "1.0.2",
+      "resolved": "http://npm.wemomo.com/mongoose-legacy-pluralize/-/mongoose-legacy-pluralize-1.0.2.tgz",
+      "integrity": "sha1-O6n5H6UHtRhtOZ+0CFS/8Y+1Y+Q="
+    },
+    "mpath": {
+      "version": "0.6.0",
+      "resolved": "http://npm.wemomo.com/mpath/-/mpath-0.6.0.tgz",
+      "integrity": "sha1-qpIgKfyk8PZB82DnTFwbakxHB44="
+    },
+    "mquery": {
+      "version": "3.2.2",
+      "resolved": "http://npm.wemomo.com/mquery/-/mquery-3.2.2.tgz",
+      "integrity": "sha1-4Tg6OVGFLOI+N/YZqbNQ8fs2ZOc=",
+      "requires": {
+        "bluebird": "3.5.1",
+        "debug": "3.1.0",
+        "regexp-clone": "^1.0.0",
+        "safe-buffer": "5.1.2",
+        "sliced": "1.0.1"
+      }
+    },
+    "ms": {
+      "version": "2.1.2",
+      "resolved": "http://npm.wemomo.com/ms/-/ms-2.1.2.tgz",
+      "integrity": "sha1-0J0fNXtEP0kzgqjrPM0YOHKuYAk="
+    },
+    "regexp-clone": {
+      "version": "1.0.0",
+      "resolved": "http://npm.wemomo.com/regexp-clone/-/regexp-clone-1.0.0.tgz",
+      "integrity": "sha1-Ii25Z2IydwViYLmSYmNUoEzpv2M="
+    },
+    "require_optional": {
+      "version": "1.0.1",
+      "resolved": "http://npm.wemomo.com/require_optional/-/require_optional-1.0.1.tgz",
+      "integrity": "sha1-TPNaQkf2TKPfjC7yCMxJSxyo/C4=",
+      "requires": {
+        "resolve-from": "^2.0.0",
+        "semver": "^5.1.0"
+      }
+    },
+    "resolve-from": {
+      "version": "2.0.0",
+      "resolved": "http://npm.wemomo.com/resolve-from/-/resolve-from-2.0.0.tgz",
+      "integrity": "sha1-lICrIOlP+h2egKgEx+oUdhGWa1c="
+    },
+    "safe-buffer": {
+      "version": "5.1.2",
+      "resolved": "http://npm.wemomo.com/safe-buffer/-/safe-buffer-5.1.2.tgz",
+      "integrity": "sha1-mR7GnSluAxN0fVm9/St0XDX4go0="
+    },
+    "semver": {
+      "version": "5.7.1",
+      "resolved": "http://npm.wemomo.com/semver/-/semver-5.7.1.tgz",
+      "integrity": "sha1-qVT5Ma66UI0we78Gnv8MAclhFvc="
+    },
+    "sift": {
+      "version": "7.0.1",
+      "resolved": "http://npm.wemomo.com/sift/-/sift-7.0.1.tgz",
+      "integrity": "sha1-R9YsULFZ0xbxNy+LU/nBDNIaSwg="
+    },
+    "sliced": {
+      "version": "1.0.1",
+      "resolved": "http://npm.wemomo.com/sliced/-/sliced-1.0.1.tgz",
+      "integrity": "sha1-CzpmK10Ewxd7GSa+qCsD+Dei70E="
+    }
+  }
+}

test/vuln-project/package.json

@@ -0,0 +1,14 @@
+{
+  "name": "vuln-project",
+  "version": "1.0.0",
+  "description": "mosec-node-plugin test project",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "mongoose": "^5.7.3"
+  }
+}