- Looking for our Java API? Try Crda Java API.
- Looking for our Backend implementation? Try Crda Backend.
The Crda JavaScript API module is deployed to GitHub Package Registry.
Configuring GHPR registry access:

Create a token with the `read:packages` scope. Based on GitHub documentation, in Actions you can use `GITHUB_TOKEN`.

Add the following line to the `.npmrc` file in your user home (see GH Docs):

```text
//npm.pkg.github.com/:_authToken=<your-ghp-token-goes-here>
```

Configuring NPM to look in GHPR for the RHEcosystemAppEng namespace is done by adding `@RHEcosystemAppEng:registry=https://npm.pkg.github.com` to `.npmrc` in the project root or user home:

```shell
echo "@RHEcosystemAppEng:registry=https://npm.pkg.github.com" >> .npmrc
```
- Use as ESM Module

  ```shell
  npm install @RHEcosystemAppEng/crda-javascript-api
  ```

  ```javascript
  import crda from '@RHEcosystemAppEng/crda-javascript-api'
  import fs from 'node:fs'

  // Get stack analysis in JSON format
  let stackAnalysis = await crda.stackAnalysis('/path/to/pom.xml')
  // Get stack analysis in HTML format (string)
  let stackAnalysisHtml = await crda.stackAnalysis('/path/to/pom.xml', true)
  // Get component analysis in JSON format
  let buffer = fs.readFileSync('/path/to/pom.xml')
  let componentAnalysis = await crda.componentAnalysis('pom.xml', buffer.toString())
  ```
- Use as CLI Script

  Help menu:

  ```shell
  $ npx @RHEcosystemAppEng/crda-javascript-api help

  Usage: crda-javascript-api {component|stack}

  Commands:
    crda-javascript-api stack </path/to/manifest> [--html|--summary]              produce stack report for manifest path
    crda-javascript-api component <manifest-name> <manifest-content> [--summary]  produce component report for a manifest type and content

  Options:
    --help  Show help  [boolean]
  ```

  ```shell
  # get stack analysis in json format
  $ npx @RHEcosystemAppEng/crda-javascript-api stack /path/to/pom.xml

  # get stack analysis in json format (summary only)
  $ npx @RHEcosystemAppEng/crda-javascript-api stack /path/to/pom.xml --summary

  # get stack analysis in html format
  $ npx @RHEcosystemAppEng/crda-javascript-api stack /path/to/pom.xml --html

  # get component analysis
  $ npx @RHEcosystemAppEng/crda-javascript-api component pom.xml "$(</path/to/pom.xml)"
  ```
- Use as Global Binary

  ```shell
  npm install --global @RHEcosystemAppEng/crda-javascript-api
  ```

  ```shell
  # get stack analysis in json format
  $ crda-javascript-api stack /path/to/pom.xml

  # get stack analysis in json format (summary only)
  $ crda-javascript-api stack /path/to/pom.xml --summary

  # get stack analysis in html format
  $ crda-javascript-api stack /path/to/pom.xml --html

  # get component analysis
  $ crda-javascript-api component pom.xml "$(</path/to/pom.xml)"
  ```
Excluding a package from any analysis can be achieved by marking the package for exclusion.
- Java Maven users can add a comment in pom.xml

  ```xml
  <dependency> <!--crdaignore-->
    <groupId>...</groupId>
    <artifactId>...</artifactId>
    <version>...</version>
  </dependency>
  ```
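Because a marked dependency is left out of every analysis, it helps to be able to list what a given pom.xml excludes. The following is an added example, not part of the Crda project: the function names and the sample pom.xml are constructed, and it assumes the marker is an XML comment inside the `<dependency>` element as shown above.

```javascript
// Added example, not Crda code. Assumption: the marker is an XML comment
// placed inside the <dependency> element, as in the snippet above.

// Constructed sample pom.xml content.
const SAMPLE_POM = `
<project>
  <dependencies>
    <dependency> <!--crdaignore-->
      <groupId>org.example</groupId>
      <artifactId>legacy-lib</artifactId>
      <version>1.2.3</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>scanned-lib</artifactId>
      <version>4.5.6</version>
    </dependency>
    <dependency>
      <!-- crdaignore -->
      <groupId>org.example</groupId>
      <artifactId>managed-lib</artifactId>
    </dependency>
  </dependencies>
</project>`

// Text of the first <tag>...</tag> inside a block, or null when absent.
function childText(block, tag) {
  const m = block.match(new RegExp(`<${tag}>\\s*([^<]*?)\\s*</${tag}>`))
  return m ? m[1] : null
}

// List every dependency carrying the marker. Whitespace inside the comment is
// tolerated so near-miss markers are surfaced for review as well.
function listIgnoredDependencies(pomXml) {
  const ignored = []
  for (const [, body] of pomXml.matchAll(/<dependency>([\s\S]*?)<\/dependency>/g)) {
    if (!/<!--\s*crdaignore\s*-->/.test(body)) continue
    ignored.push({
      groupId: childText(body, 'groupId'),
      artifactId: childText(body, 'artifactId'),
      version: childText(body, 'version') // null when not declared here
    })
  }
  return ignored
}

for (const d of listIgnoredDependencies(SAMPLE_POM)) {
  console.log(`marked crdaignore: ${d.groupId}:${d.artifactId}:${d.version ?? 'unspecified'}`)
}
```

Running it in CI and diffing the output against a reviewed allowlist makes new exclusions visible in code review.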
There are 2 approaches for customizing Crda JavaScript API. Whether you're using this API as a Global Module, a Remote Script, or an ESM Module, you can use Environment Variables for various customizations.

However, ESM Module users can opt for customizing programmatically:

```javascript
import crda from '@RHEcosystemAppEng/crda-javascript-api'
import fs from 'node:fs'

let options = {
  'CRDA_SNYK_TOKEN': 'my-secret-snyk-token',
  'CRDA_MVN_PATH': '/path/to/my/mvn'
}

// Get stack analysis in JSON format
let stackAnalysis = await crda.stackAnalysis('/path/to/pom.xml', false, options)
// Get stack analysis in HTML format (string)
let stackAnalysisHtml = await crda.stackAnalysis('/path/to/pom.xml', true, options)
// Get component analysis in JSON format
let buffer = fs.readFileSync('/path/to/pom.xml')
let componentAnalysis = await crda.componentAnalysis('pom.xml', buffer.toString(), options)
```
Environment variables take precedence.

To include extra vulnerability data and resolutions, otherwise available only to vendor-registered users, you can use the following keys for setting various vendor tokens.
Vendor | Token Key |
---|---|
Snyk | CRDA_SNYK_TOKEN |
This project uses each ecosystem's executable for creating dependency trees. These executables are expected to be present on the system's PATH environment. If they are not, or if you want to use custom ones, you can use the following keys for setting custom paths for the said executables.
Ecosystem | Default | Executable Key |
---|---|---|
Maven | mvn | CRDA_MVN_PATH |