add support for input preprocessing, closes #187

nodesecurity · Oct 26, 2017 · 41f967f · ralphtheninja · Jan 17, 2018 · ralphtheninja
1 parent a1ef4b2
commit 41f967f
Show file tree

Hide file tree

Showing 5 changed files with 87 additions and 20 deletions.
diff --git a/README.md b/README.md
@@ -31,6 +31,34 @@ $ nsp check --reporter checkstyle
 ```
 Please note that in case of naming conflicts built-in reporters (as listed above) take precedence. For instance, `nsp-reporter-json` would never be used since nsp ships with a `json` formatter.
 
+## Input Preprocessors
+
+You may also alter a project's `package.json`, `npm-shrinkwrap.json` and/or `package-lock.json` by using an input preprocessor.
+
+The default, built in, preprocessor simply reads these files and returns their JSON parsed content as-is. You can use a third party preprocessor like so: `nsp check --preprocessor example` which, much like third party reporters
+would attempt to require the module `nsp-preprocessor-example`. If the given preprocessor is not found, the default will be used.
+
+### Creating a preprocessor
+
+A custom preprocessor should be a module named with the prefix `nsp-preprocessor-`. It must export an object where each property is the name of a command executable by the `nsp` script. The value of each of these properties must
+be a function that accepts a single argument `args` which represents the command line arguments passed at execution time, it must return a promise modifying or extending the `args` object.
+
+
+Example:
+```js
+module.exports = {
+  check: function (args) {
+
+    // do something to read or generate package.json, npm-shrinkwrap.json and package-lock.json
+    // the path to the project can be found as `args.path`
+    // `pkg` must be the JSON parsed contents of package.json
+    // `shrinkwrap` must be the JSON parsed contents of npm-shrinkwrap.json, if it exists. this may be left out.
+    // `packagelock` must be the JSON parsed contents of package-lock.json, if it exists. this may also be left out.
+    return Object.assign(args, { pkg, shrinkwrap, packagelock });
+  }
+};
+```
+
 ## Exceptions
 
 The Node Security CLI supports adding exceptions. These are advisories that you have evaluated and personally deemed unimportant for your project.

diff --git a/bin/nsp b/bin/nsp
@@ -32,6 +32,10 @@ Yargs
     default: 'table',
     group: 'Output:'
   })
+  .option('preprocessor', {
+    description: 'project preprocessor',
+    group: 'Input:'
+  })
   .option('verbose', {
     description: 'provide more verbose output',
     boolean: true,

diff --git a/commands/check.js b/commands/check.js
@@ -59,26 +59,10 @@ exports.builder = {
 
 exports.handler = Command.wrap('check', (args) => {
 
-  let pkg;
-  try {
-    pkg = JSON.parse(Fs.readFileSync(Path.join(args.path, 'package.json')));
-  }
-  catch (err) {
-    return Promise.reject(new Error(`Unable to load package.json for project: ${Path.basename(args.path)}`));
-  }
-  pkg = Package.sanitize(pkg);
+  let pkg = args.pkg;
+  const { shrinkwrap, packagelock } = args;
 
-  let shrinkwrap;
-  try {
-    shrinkwrap = JSON.parse(Fs.readFileSync(Path.join(args.path, 'npm-shrinkwrap.json')));
-  }
-  catch (err) {}
-
-  let packagelock;
-  try {
-    packagelock = JSON.parse(Fs.readFileSync(Path.join(args.path, 'package-lock.json')));
-  }
-  catch (err) {}
+  pkg = Package.sanitize(pkg);
 
   if (!pkg.name) {
     pkg.name = Path.basename(args.path);

diff --git a/lib/command.js b/lib/command.js
@@ -4,6 +4,7 @@ const Fs = require('fs');
 const Os = require('os');
 const Path = require('path');
 
+const Preprocessor = require('./preprocessor');
 const Reporters = require('../reporters');
 
 const internals = {};
@@ -59,7 +60,15 @@ exports.wrap = function (name, handler) {
       Object.assign(args, config);
     }
 
-    return handler(args).then((result) => {
+    return Promise.resolve().then(() => {
+
+      const preprocessor = Preprocessor.load(args.preprocessor);
+
+      return preprocessor.hasOwnProperty(name) ? preprocessor[name](args) : Promise.resolve(args);
+    }).then((res) => {
+
+      return handler(res);
+    }).then((result) => {
 
       let maxCvss;
       if (args.filter ||

diff --git a/lib/preprocessor.js b/lib/preprocessor.js
@@ -0,0 +1,42 @@
+'use strict';
+
+const Fs = require('fs');
+const Path = require('path');
+
+const internals = {};
+internals.default = {
+  check: (args) => {
+
+    let pkg;
+    try {
+      pkg = JSON.parse(Fs.readFileSync(Path.join(args.path, 'package.json')));
+    }
+    catch (err) {
+      return Promise.reject(new Error(`Unable to load package.json for project: ${Path.basename(args.path)}`));
+    }
+
+    let shrinkwrap;
+    try {
+      shrinkwrap = JSON.parse(Fs.readFileSync(Path.join(args.path, 'npm-shrinkwrap.json')));
+    }
+    catch (err) {}
+
+    let packagelock;
+    try {
+      packagelock = JSON.parse(Fs.readFileSync(Path.join(args.path, 'package-lock.json')));
+    }
+    catch (err) {}
+
+    return Object.assign(args, { pkg, shrinkwrap, packagelock });
+  }
+};
+
+exports.load = (name) => {
+
+  try {
+    return require(`nsp-preprocessor-${name}`);
+  }
+  catch (err) {
+    return internals.default;
+  }
+};