Document script to post-process cmdline output
I've seen two recent functionality requests that could be solved by providing some Bash script. Perhaps we could document this with ncm until we get it built into the code? The first is to show only the table entries that don't meet the scored criteria and the second is that it fails with non-zero exit status on having packages not meet the criteria. This is so that you don't have a massive table when you have a large dependency tree and need to see the failures and also to have automatic failure when you run this through a CI system.
I'll build up the functionality in 3 steps, the final one does everything.
Print the table output but omit the entries that pass the 85 threshold:
nscm | awk '{line=$0; if (NR==3) sep=line; if (NR<3) print; if (NR>3 && NF>1 && $6<=85) printf "%s\n%s\n",sep,line} END{print line}'
Same, but make the threshold customisable; simply set the variable at the end of this line to whatever value you like:
nscm | awk '{line=$0; if (NR==3) sep=line; if (NR<3) print; if (NR>3 && NF>1 && $6<=threshold) printf "%s\n%s\n",sep,line} END{print line}' threshold=90
Same, but provide a non-zero exit status if you have packages that are below the threshold:
nscm | awk '{line=$0; if (NR==3) sep=line; if (NR<3) print; if (NR>3 && NF>1 && $6<threshold) { printf "%s\n%s\n",sep,line; failed=1}} END{print line; if (failed) exit 1}' threshold=90
This one could be easily integrated into most build systems (they all have Bash of some kind), so you just drop this in place of simple nscm and you get a non-zero exit which will fail your pipeline.
The only thing I'm uncertain about is the 0 packages: are they supposed to get a pass because we don't know enough about them, or are they a hard fail? Letting them through would be trivial in this.
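Added example, not code from the nscm project or from the poster: the third one-liner above wrapped in a POSIX shell function, going one step beyond the thread by adding an optional switch for the open question about score-0 packages (default: they fail). The function names nscm_gate and run_gate and the SAMPLE table are constructed for this example; it assumes, as the posted run suggests, that only the table reaches stdin and the "please wait"/"Total:" lines are written elsewhere.

```shell
# nscm_gate THRESHOLD [ALLOW_ZERO]
# Reads the nscm table on stdin, prints only rows whose Score (field 6) is
# below THRESHOLD, and returns 1 when any such row was seen (0 otherwise).
# ALLOW_ZERO=1 lets score-0 packages through; the default treats 0 as a fail.
# Assumption: only the table itself arrives on stdin (the "please wait" and
# "Total:" lines are taken to be stderr output, as the posted run suggests).
nscm_gate() {
    awk -v threshold="${1:-85}" -v allow_zero="${2:-0}" '
        { line = $0 }                                 # remember for END
        NR <= 2 { print; next }                       # top border and header
        NR == 3 { sep = line; next }                  # the ├──┼──┤ rule
        NF > 1 && $6 ~ /^[0-9]+$/ && $6 + 0 == 0 && allow_zero { next }
        NF > 1 && $6 ~ /^[0-9]+$/ && $6 + 0 < threshold {
            printf "%s\n%s\n", sep, line              # failing row + rule
            failed = 1
        }
        END { print line; if (failed) exit 1 }        # bottom border, status
    '
}

# Constructed sample table in the nscm layout (not real nscm output).
SAMPLE='┌──────────┬─────────┬───────┐
│ Package  │ Version │ Score │
├──────────┼─────────┼───────┤
│ alpha    │ 1.0.0   │ 95    │
├──────────┼─────────┼───────┤
│ beta     │ 2.3.1   │ 70    │
├──────────┼─────────┼───────┤
│ gamma    │ 0.1.0   │ 0     │
└──────────┴─────────┴───────┘'

# run_gate THRESHOLD [ALLOW_ZERO]: feeds the sample through the gate so the
# output and exit status can be inspected (in CI you would pipe nscm instead).
run_gate() {
    printf '%s\n' "$SAMPLE" | nscm_gate "$@"
}

# Typical CI use is `nscm | nscm_gate 90`: the pipeline's status is awk's,
# so a script running under `set -e` stops on the first failing report.
```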
FYI, running the last one against the nscm codebase itself, along with printing the exit status, gives:
$ nscm | awk '{line=$0; if (NR==3)sep=line; if (NR<3) print; if (NR>3 && NF>1 && $6<threshold) { printf "%s\n%s\n",sep,line; failed=1}} END{print line; if (failed) exit 1}' threshold=90; echo $?
please wait while we process the information
Total: 413
┌────────────────────────────────────┬───────────────┬────────┐
│ Package │ Version │ Score │
├────────────────────────────────────┼───────────────┼────────┤
│ standard │ 10.0.3 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ eslint-module-utils │ 2.1.1 │ 86 │
├────────────────────────────────────┼───────────────┼────────┤
│ eslint │ 3.19.0 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ table │ 3.8.3 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ ajv │ 4.11.8 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ json-stable-stringify │ 1.0.1 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ shelljs │ 0.7.8 │ 85 │
├────────────────────────────────────┼───────────────┼────────┤
│ babel-code-frame │ 6.26.0 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ jsonify │ 0.0.0 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ nyc │ 11.4.0 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ test-exclude │ 4.1.1 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ read-pkg-up │ 1.0.1 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ read-pkg │ 1.1.0 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ normalize-package-data │ 2.4.0 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ validate-npm-package-license │ 3.0.1 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ spdx-correct │ 1.0.2 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ spdx-license-ids │ 1.2.2 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ babel-template │ 6.26.0 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ babel-runtime │ 6.26.0 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ babel-types │ 6.26.0 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ babel-traverse │ 6.26.0 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ babel-messages │ 6.23.0 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ babel-generator │ 6.26.0 │ 0 │
├────────────────────────────────────┼───────────────┼────────┤
│ deep-eql │ 0.1.3 │ 0 │
└────────────────────────────────────┴───────────────┴────────┘
1
The only thing I'm uncertain about is the 0 packages: are they supposed to get a pass because we don't know enough about them, or are they a hard fail?
0 is a hard fail; either a known security issue or a license issue (or both). E.g.
