mgibeau · elpete · May 6, 2021 · May 6, 2021 · May 14, 2021 · May 14, 2021
diff --git a/README.md b/README.md
@@ -15,7 +15,7 @@ Options:
 Install this package.
 
 ```
-npm install --save-dev gitlab-npm-audit-parser
+npm install --save-dev @elpete/gitlab-npm-audit-parser
 ```
 
 Add the following job to _.gitlab-ci.yml_
@@ -30,7 +30,16 @@ dependency scanning:
     reports:
       dependency_scanning: gl-dependency-scanning.json
 ```
+NOTE: If you use a `npm run-script` to call `npm audit` You must add the option `--silent` to `npm run` or have `.npmrc` set the NPM loglevel to silent otherwise the shell output will conflict with the stdin piping to this parser and cause an error.
 
 ## Test
 
-`cat test/juice-shop.json | ./parse.js -o report.json`
+```sh
+$ npm test
+```
+
+### V1 Report
+`cat test/v1_report.json | ./parse.js -o report.json`
+
+### V2 Report
+`cat test/v2_report.json | ./parse.js -o report.json`
diff --git a/lib/convert.js b/lib/convert.js
@@ -1,71 +1,149 @@
-var capitalize = require('./utils').capitalize;
-var getCWEId = require('./utils').getCWEId;
-
-var priorityMap = [
-  'Low',
-  'Medium',
-  'High',
-  'Critical'
-]
+var capitalize = require("./utils").capitalize;
+var getCWEId = require("./utils").getCWEId;
 
 var convert = function (json) {
-  parsedData = JSON.parse(json);
-  report = {};
-  report.version = "2.0";
-  report.vulnerabilities = [];
-  report.remediations = [];
+    return JSON.stringify(convertReportForType(JSON.parse(json)), null, "  ");
+};
 
-  for (var id in parsedData.advisories) {
-    var advisory = parsedData.advisories[id];
-    var cwe_id = getCWEId(advisory.cwe);
+function convertReportForType(parsedData) {
+    switch (getReportType(parsedData)) {
+        case 2:
+            return convertV2Report(parsedData);
+        case 1:
+        default:
+            return convertV1Report(parsedData);
+    }
+}
 
-    report.vulnerabilities.push({
-      "tool": "npm_audit",
-      "category": "dependency_scanning",
-      "name": advisory.module_name,
-      "namespace": advisory.module_name,
-      "message": advisory.title,
-      "cve": "package.json" + advisory.module_name + ":cve_id:" + advisory.cves[0],
-      "description": advisory.overview,
-      "severity": capitalize(advisory.severity),
-      "fixedby": advisory.reported_by.name,
-      "confidence": "High",
-      "scanner": {
-        "id": "npm_audit_advisories",
-        "name": "NPM Audit"
-      },
-      "location": {
-        "file": "package.json",
-        "dependency": {
-          "package": {
-            "name": advisory.module_name
-          },
-          "version": advisory.vulnerable_versions
-        }
-      },
-      "identifiers": [
-        {
-          "type": "cve_id",
-          "name": advisory.cves[0],
-          "value": advisory.cves[0],
-          "url": `https://nvd.nist.gov/vuln/detail/${advisory.cves[0]}`
-        },
-        {
-          "type": "cwe_id",
-          "name": advisory.cwe,
-          "value": advisory.cwe,
-          "url": `https://cwe.mitre.org/data/definitions/${cwe_id}.html`
+function getReportType(parsedData) {
+    return parsedData.auditReportVersion || 1;
+}
+
+function convertV2Report(parsedData) {
+    let report = {};
+    report.version = "2.0";
+    report.vulnerabilities = [];
+    report.remediations = [];
+
+    for (var package in parsedData.vulnerabilities) {
+        var advisory = parsedData.vulnerabilities[package];
+        for (const via of advisory.via) {
+            if (typeof via !== "object") {
+                continue;
+            }
+            const id = `NPM Audit: ${advisory.name} cve_id: ${via.source}`;
+            const solution = typeof advisory.fixAvailable === "object" ? `Upgrade ${advisory.fixAvailable.name} to version >=${advisory.fixAvailable.version}` : null;
+            report.vulnerabilities.push({
+                id,
+                cve: id,
+                tool: "npm_audit",
+                category: "dependency_scanning",
+                name: advisory.name,
+                message: via.title,
+                description: via.title,
+                severity: capitalize(via.severity),
+                confidence: "High",
+                scanner: {
+                    id: "npm_audit_advisories",
+                    name: "NPM Audit",
+                },
+                location: {
+                    file: "package-lock.json",
+                    dependency: {
+                        package: {
+                            name: advisory.name,
+                        },
+                        version: via.range,
+                    },
+                },
+                identifiers: [
+                    {
+                        type: "cve",
+                        name: via.title,
+                        value: via.source,
+                        url: via.url
+                    }
+                ],
+                solution,
+                links: [
+                    {
+                        url: via.url,
+                    },
+                ],
+            });
+
+            if (solution) {
+                report.remediations.push({
+                    fixes: [{ id }],
+                    summary: solution
+                })
+            }
         }
-      ],
-      "solution": advisory.recommendation,
-      "instances": advisory.findings[0].paths.map(value => ({ method: value })),
-      "links": [{
-        "url": `https://npmjs.com/advisories/${advisory.id}`
-      }]
-    });
-  }
+    }
+
+    return report;
+}
+
+function convertV1Report(parsedData) {
+    let report = {};
+    report.version = "1.0";
+    report.vulnerabilities = [];
+    report.remediations = [];
+
+    for (var id in parsedData.advisories) {
+        var advisory = parsedData.advisories[id];
+        var cwe_id = getCWEId(advisory.cwe);
+
+        report.vulnerabilities.push({
+            tool: "npm_audit",
+            category: "dependency_scanning",
+            name: advisory.module_name,
+            namespace: advisory.module_name,
+            message: advisory.title,
+            cve:
+                "package.json" + advisory.module_name + ":cve_id:" + advisory.cves[0],
+            description: advisory.overview,
+            severity: capitalize(advisory.severity),
+            fixedby: advisory.reported_by.name,
+            confidence: "High",
+            scanner: {
+                id: "npm_audit_advisories",
+                name: "NPM Audit",
+            },
+            location: {
+                file: "package.json",
+                dependency: {
+                    package: {
+                        name: advisory.module_name,
+                    },
+                    version: advisory.vulnerable_versions,
+                },
+            },
+            identifiers: [
+                {
+                    type: "cve_id",
+                    name: advisory.cves[0],
+                    value: advisory.cves[0],
+                    url: `https://nvd.nist.gov/vuln/detail/${advisory.cves[0]}`,
+                },
+                {
+                    type: "cwe_id",
+                    name: advisory.cwe,
+                    value: advisory.cwe,
+                    url: `https://cwe.mitre.org/data/definitions/${cwe_id}.html`,
+                },
+            ],
+            solution: advisory.recommendation,
+            instances: advisory.findings[0].paths.map((value) => ({ method: value })),
+            links: [
+                {
+                    url: `https://npmjs.com/advisories/${advisory.id}`,
+                },
+            ],
+        });
+    }
 
-  return JSON.stringify(report, null, '  ');
+    return report;
 }
 
 module.exports = convert;
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,23 +1,37 @@
 {
-  "name": "gitlab-npm-audit-parser",
-  "version": "1.0.4",
+  "name": "@elpete/gitlab-npm-audit-parser",
+  "version": "1.1.1",
   "description": "NPM Audit parser for GitLab dependency scanning",
   "bin": "parse.js",
   "main": "parse.js",
   "directories": {
     "test": "test"
   },
   "scripts": {
-    "test": "echo \"Error: no test specified\" && exit 1"
+    "test": "npm run --silent test:v1; npm run --silent test:v2;",
+    "test:v1": "printf 'v1: '; cat test/v1_report.json | ./parse.js -o GL-report.1.json >/dev/null && diff -q GL-report.1.json test/snapshot/GL-report.1.json && echo success!; RC=$?; rm GL-report.1.json; exit $RC",
+    "test:v2": "printf 'v2: '; cat test/v2_report.json | ./parse.js -o GL-report.2.json >/dev/null && diff -q GL-report.2.json test/snapshot/GL-report.2.json && echo success!; RC=$?; rm GL-report.2.json; exit $RC"
   },
   "repository": {
     "type": "git",
-    "url": "[email protected]:mgibeau/gitlab-npm-audit-parser.git"
+    "url": "[email protected]:elpete/gitlab-npm-audit-parser.git"
   },
   "keywords": [
     "gitlab"
   ],
   "author": "Maxime Gibeau",
+  "contributors": [
+    {
+      "name": "Eric Peterson",
+      "email": "[email protected]",
+      "url": "https://github.com/elpete"
+    },
+    {
+      "name": "codejedi365",
+      "email": "[email protected]",
+      "url": "https://github.com/codejedi365"
+    }
+  ],
   "license": "MIT",
   "dependencies": {
     "commander": "^2.18.0"

diff --git a/parse.js b/parse.js
@@ -25,7 +25,7 @@ stdin.on('end', function () {
   var inputJSON = chunks.join(''),
       outputJSON = convert(inputJSON);
 
-  fs.writeFile(filename, outputJSON, function(err) {
+  fs.writeFile(filename, outputJSON+'\n', function(err) {
     if (err) {
       return console.log(err);
     }