Simple auto-packager for Node.js that creates a zip to upload to the Veracode Platform for Static Analysis
Zlays/veracode-node-packager
Veracode Node Packager - Alpha Version

Please note that this is not an official Veracode project, is not supported by Veracode in any form, and comes with no warranty whatsoever. It is simply a little pet project of mine that tries to make the life of Veracode's Node.js customers a bit easier. Use at your own risk.

The Veracode Node Packager is a tool that packages your Node.js application for Veracode Static Analysis. The idea is to avoid the common mistakes that I, in my role as a Veracode Application Security Consultant, regularly see in customer uploads.

There is also a sample-node-project folder that contains a "Hello World"-style Node.js application with many of the files that this tool is meant to filter out. This test project can be used to take the Veracode Node Packager for a spin.

Please feel free to extend the existing functionality and open a Merge Request.

Built-in Help

Help is built-in!

  • vc-node-packager --help - outputs the help.

How to Use

Usage:
    vc-node-packager [flags]

Flags:
  -source string     The path of the Node.js app you want to package (default "sample-node-project")
  -target string     The path where you want the vc-output.zip to be stored to (default ".")
  -tests string      The path that contains your Node.js test files (relative to the source) (default "test")

What does it do?

  • Creates a zip of the -source folder and puts it into the provided -target directory as vc-output.zip
  • Features:
    • This tool creates a zip of your application ready to be uploaded to the Veracode Platform
    • It keeps common, non-required files (such as node_modules and tests) out of the zip
    • The tool also checks for "smells" that indicate something might not be right with the packaging, and prints a corresponding warning or error for each "smell" it finds
  • Omitted Files/Folders:
    • Omit the node_modules folder (it usually contains only 3rd-party libraries)
    • Omit the tests directory (which contains e.g. your unit and integration tests)
      • Specified via -tests <path>
    • Omit style sheets (.css and .scss files)
    • Omit images (e.g. .jpg, .png)
    • Omit documents (e.g. .pdf)
    • Omit the .git folder
    • Omit other non-required files (e.g. .DS_Store)
  • Additional Checks:
    • Check if package-lock.json exists (this is required for Veracode SCA)
    • Check if /public exists (may contain resources that are not part of your actual 1st party source code)
    • Check if /dist exists (may contain minified JavaScript)
    • Check for .map files (source maps indicate that your JS files might be minified)
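The omission rules and the additional checks listed above, written out as two Go functions. This is an added example, not the packager's own source: it assumes paths are given relative to -source with forward slashes, and the omittedDirs/omittedExts tables and message texts are mine.

```go
package main

import (
	"path"
	"strings"
)

// Assumed here: paths are relative to -source and slash-separated.
var omittedDirs = map[string]bool{"node_modules": true, ".git": true}
var omittedExts = map[string]bool{".css": true, ".scss": true, ".jpg": true, ".png": true, ".pdf": true}

// shouldOmit reports whether rel is left out of vc-output.zip; testsDir is the -tests value.
func shouldOmit(rel, testsDir string) bool {
	rel, testsDir = path.Clean(rel), path.Clean(testsDir)
	if rel == testsDir || strings.HasPrefix(rel, testsDir+"/") {
		return true // the tests directory and everything below it
	}
	parts := strings.Split(rel, "/")
	for _, dir := range parts[:len(parts)-1] {
		if omittedDirs[dir] {
			return true // inside node_modules or .git at any depth
		}
	}
	base := parts[len(parts)-1]
	return base == ".DS_Store" || omittedExts[strings.ToLower(path.Ext(base))]
}

// packagingSmells runs the "Additional Checks" over the files that survived
// filtering and returns one message per smell found (nil means clean).
func packagingSmells(kept []string) []string {
	hasLock, hasPublic, hasDist, hasMap := false, false, false, false
	for _, rel := range kept {
		hasLock = hasLock || rel == "package-lock.json"
		hasPublic = hasPublic || strings.HasPrefix(rel, "public/")
		hasDist = hasDist || strings.HasPrefix(rel, "dist/")
		hasMap = hasMap || path.Ext(rel) == ".map"
	}
	var msgs []string
	smell := func(found bool, msg string) {
		if found {
			msgs = append(msgs, msg)
		}
	}
	smell(!hasLock, "ERROR: package-lock.json missing (required for Veracode SCA)")
	smell(hasPublic, "WARNING: /public exists (may hold resources that are not 1st-party code)")
	smell(hasDist, "WARNING: /dist exists (may contain minified JavaScript)")
	smell(hasMap, "WARNING: .map files found (your JS files might be minified)")
	return msgs
}
```

Run shouldOmit over every path from a filepath.Walk of -source, collect the survivors, then hand them to packagingSmells before writing the zip.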

Setup

  • You can simply run this tool from source via go run main.go
  • You can build the tool yourself via go build

Releases

  • The Releases section already contains some binary releases, so you may not have to build the tool yourself
