Cleanup code and update dependencies

Author: GaelGirodon

CODE_OF_CONDUCT.md

@@ -106,7 +106,7 @@ Violating these terms may lead to a permanent ban.
 ### 4. Permanent Ban
 
 **Community Impact**: Demonstrating a pattern of violation of community
-standards, including sustained inappropriate behavior,  harassment of an
+standards, including sustained inappropriate behavior, harassment of an
 individual, or aggression toward or disparagement of classes of individuals.
 
 **Consequence**: A permanent ban from any sort of public interaction within

package-lock.json

@@ -33,17 +33,17 @@
     "src/**/*.ejs"
   ],
   "dependencies": {
-    "axios": "^1.9.0",
+    "axios": "^1.10.0",
     "ejs": "npm:neat-ejs@^3.1.10",
     "jsonpath-plus": "^10.3.0"
   },
   "devDependencies": {
-    "@eslint/js": "^9.27.0",
+    "@eslint/js": "^9.30.1",
     "c8": "^10.1.3",
-    "eslint": "^9.27.0",
+    "eslint": "^9.30.1",
     "express": "^5.1.0",
-    "globals": "^16.2.0",
-    "mocha": "^11.5.0",
+    "globals": "^16.3.0",
+    "mocha": "^11.7.1",
     "mocha-junit-reporter": "^2.2.1"
   },
   "engines": {

package.json

@@ -3,8 +3,9 @@
  * CLI and environment handling service
  */
 
-import { existsSync } from "fs";
-import { readFile } from "fs/promises";
+import { existsSync } from "node:fs";
+import { readFile } from "node:fs/promises";
+import { join } from "node:path";
 
 /**
  * Statuses expected for the "status" CLI option
@@ -85,8 +86,8 @@ const expectedOptions = [
  */
 export async function parseArgs() {
   // Read package metadata from package.json
-  const npmPackageUrl = new URL("../package.json", import.meta.url);
-  const npmPackage = JSON.parse(await readFile(npmPackageUrl, { encoding: "utf8" }));
+  const npmPackagePath = join(import.meta.dirname, "../package.json");
+  const npmPackage = JSON.parse(await readFile(npmPackagePath, { encoding: "utf8" }));
 
   // Show the help message
   if (process.argv.some(a => a.match(/^--?h(elp)?$/))) {
@@ -113,7 +114,7 @@ export async function parseArgs() {
   // Extract options
   for (const opt of expectedOptions) {
     // From the command line
-    const i = process.argv.findIndex(a => a == `--${opt.name}`);
+    const i = process.argv.findIndex(a => a === `--${opt.name}`);
     let value = undefined;
     if (i >= 0 && i + 1 < process.argv.length) {
       value = process.argv[i + 1];
@@ -157,10 +158,9 @@ export class CliError extends Error {
    *
    * @param {number} exitCode Process exit code
    * @param {string} message Error message
-   * @param  {...any} args Other arguments
    */
-  constructor(exitCode = 1, message = "", ...args) {
-    super(message, ...args);
+  constructor(exitCode = 1, message = "") {
+    super(message);
     this.exitCode = exitCode;
   }
 

src/cli.js

@@ -3,7 +3,7 @@
  * Tool configuration service
  */
 
-import { readFile } from "fs/promises";
+import { readFile } from "node:fs/promises";
 import { JSONPath } from "jsonpath-plus";
 
 /**

src/config.js

@@ -52,9 +52,9 @@ export class DefectDojoApiClient {
   /**
    * Fetch engagements by product and name.
    *
-   * @param {string} productId Product id
-   * @param {string} name Engagement name (optional)
-   * @returns Engagements
+   * @param {string|number} productId Product id
+   * @param {string} [name] Engagement name (optional)
+   * @returns Promise<*> Engagements
    * @throws Request error
    */
   async getEngagements(productId, name) {
@@ -66,8 +66,8 @@ export class DefectDojoApiClient {
       query.push("o=-updated", "limit=100");
       const response = await this.http.get("/engagements?" + query.join("&"));
       const engagements = response.data?.results
-        ?.filter(e => !name || e.name === name) // Exact match
-        ?.map(e => ({ ...e, url: `${this.url}/engagement/${e.id}` }))
+          ?.filter(e => !name || e.name === name) // Exact match
+          ?.map(e => ({ ...e, url: `${this.url}/engagement/${e.id}` }))
         ?? [];
       console.log(`[info] Engagements count = ${engagements.length}`);
       return engagements;
@@ -81,7 +81,7 @@ export class DefectDojoApiClient {
    *
    * @param {string[]} engagements Engagements ids
    * @param {string[]} statuses Statuses to filter
-   * @returns Vulnerabilities
+   * @returns Promise<*> Vulnerabilities
    * @throws Request error
    */
   async getFindings(engagements, statuses) {

src/defectdojo.js

@@ -4,9 +4,8 @@
  */
 
 import ejs from "ejs";
-import { readFile, writeFile } from "fs/promises";
-import { dirname, join } from "path";
-import { fileURLToPath } from "url";
+import { readFile, writeFile } from "node:fs/promises";
+import { join } from "node:path";
 import { resolveField } from "./config.js";
 
 /**
@@ -41,7 +40,7 @@ export async function exportToCSV(_products, _engagements, findings, path, confi
  */
 export async function exportToHTML(products, engagements, findings, path, config) {
   // Load the template
-  const templateFile = join(dirname(fileURLToPath(import.meta.url)), "template.ejs");
+  const templateFile = join(import.meta.dirname, "template.ejs");
   const template = await readFile(templateFile, { encoding: "utf8" });
 
   // Export vulnerabilities

src/exports.js

@@ -7,4 +7,4 @@
 
 import { main } from "./main.js";
 
-main();
+await main();

src/index.js

@@ -3,7 +3,8 @@
  * Export a security debt from DefectDojo.
  */
 
-import { join } from "path";
+import assert from "node:assert/strict";
+import { join } from "node:path";
 import { parseArgs } from "./cli.js";
 import { loadConfig } from "./config.js";
 import { DefectDojoApiClient } from "./defectdojo.js";
@@ -16,7 +17,10 @@ export async function main() {
 
   // Load configuration
   const config = await loadConfig(opts.config)
-    .catch((e) => { console.error(`[error] ${e.message}`); process.exit(1); });
+    .catch((e) => {
+      console.error(`[error] ${e.message}`);
+      process.exit(1);
+    });
 
   // Initialise the DefectDojo API client
   const defectDojo = new DefectDojoApiClient(opts.url, opts.token);
@@ -27,38 +31,51 @@ export async function main() {
     .reduce(async (prevResults, p) => {
       const results = await prevResults;
       const product = await defectDojo.getProduct(p)
-        .catch((e) => { console.error(`[error] ${e.message}`); process.exit(1); });
+        .catch((e) => {
+          console.error(`[error] ${e.message}`);
+          process.exit(1);
+        });
       return [...results, product];
     }, []);
 
   // Fetch engagements
   const engagements = await products.reduce(async (prevResults, p) => {
     const results = await prevResults;
     const engagements = await defectDojo.getEngagements(p.id, opts.engagement)
-      .catch((e) => { console.error(`[error] ${e.message}`); process.exit(1); });
+      .catch((e) => {
+        console.error(`[error] ${e.message}`);
+        process.exit(1);
+      });
     p.engagements = engagements;
     return [...results, ...engagements];
   }, []);
 
+  assert(engagements.length > 0, "No engagement found");
+
   // Fetch vulnerabilities
   const findings = await defectDojo
     .getFindings(engagements.map(e => e.id), opts.status)
-    .catch((e) => { console.error(`[error] ${e.message}`); process.exit(1); });
+    .catch((e) => {
+      console.error(`[error] ${e.message}`);
+      process.exit(1);
+    });
 
   /*
    * Process vulnerabilities
    */
 
   console.log("[info] Processing findings");
 
-  const { impacts, eases, easeTags, criticities,
-    criticityMatrix, originTags, serviceProviderTag } = config;
+  const {
+    impacts, eases, easeTags, criticities,
+    criticityMatrix, originTags, serviceProviderTag
+  } = config;
 
   // Compute additional fields
   for (const finding of findings) {
     // Resultant criticity
     finding.severity = finding.severity?.toLowerCase();
-    const i = Math.max(impacts.findIndex(i => i == finding.severity), 0);
+    const i = Math.max(impacts.findIndex(i => i === finding.severity), 0);
     const e = easeTags.indexOf(finding.tags?.find(t => easeTags.includes(t)) ?? easeTags[0]);
     finding.ease_index = e;
     finding.ease = eases[e];
@@ -82,13 +99,13 @@ export async function main() {
     (f2.severity_index - f1.severity_index) || f1.title.localeCompare(f2.title));
 
   console.log("[info] Vulnerabilities:", criticities.map(c =>
-    findings.filter(f => f.criticity == c).length + " " + c).join(", "));
+    findings.filter(f => f.criticity === c).length + " " + c).join(", "));
 
   /*
    * Generate reports
    */
 
-  const defaultReportName = "Security-Debt" + (products.length == 1 ? `_${products[0].name}` : "");
+  const defaultReportName = "Security-Debt" + (products.length === 1 ? `_${products[0].name}` : "");
   const path = opts.output ?? join(process.cwd(), defaultReportName);
 
   for (const format of opts.format) {

src/main.js

@@ -64,7 +64,6 @@
     td, th {
       padding: .3em .6em;
       border: 1px solid #dbdbdb;
-      border-width: 1px;
     }
     thead th {
       border-width: 1px 1px 2px 1px;
@@ -130,9 +129,9 @@
           <%_ for (const finding of findings) { -%>
           <tr>
             <%_ for (const field of finding) { -%>
-            <%_ if (field.type == "criticity") { -%>
+            <%_ if (field.type === "criticity") { -%>
             <td class="criticity c<%= field.index %>"><%= field.value %></td>
-            <%_ } else if (field.type == "boolean") { -%>
+            <%_ } else if (field.type === "boolean") { -%>
             <td><%= field.value ? "Y" : "N" %></td>
             <%_ } else { -%>
             <td <%_ if (field.value?.length > 20) { %> title="<%= field.value %>" <% } %>><%= field.value -%></td>