CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/npm-nsp

Command line interface for the Node Security Platform to scan Node.js projects for known security vulnerabilities

Pending

Quality

Pending

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

Overview
Eval results
Files

library.mddocs/

Library API

The NSP library provides programmatic access to vulnerability scanning functionality for integration into Node.js applications.

Core Imports

const nsp = require('nsp');
const { check, formatters, getFormatter } = require('nsp');

Capabilities

Check Function

The main function for scanning packages for vulnerabilities.

/**
 * Scan a Node.js project for known security vulnerabilities
 * @param {CheckOptions} options - Configuration options for the scan
 * @param {CheckCallback} callback - Callback function to handle results
 */
function check(options, callback);

// Options can also be a function if no options needed
function check(callback);

interface CheckOptions {
  /** Path to package.json file or parsed package object */
  package?: string | object;
  /** Path to npm-shrinkwrap.json file or parsed shrinkwrap object */
  shrinkwrap?: string | object;
  /** Path to package-lock.json file or parsed package-lock object */
  packagelock?: string | object;
  /** Array of advisory URLs to exclude from results */
  exceptions?: string[];
  /** Enable offline mode (requires shrinkwrap and advisories) */
  offline?: boolean;
  /** Path to local advisories file for offline mode */
  advisoriesPath?: string;
  /** Proxy server URL */
  proxy?: string;
}

interface CheckCallback {
  (err: Error | null, results: VulnerabilityResult[]): void;
}

interface VulnerabilityResult {
  /** Name of the vulnerable module */
  module: string;
  /** Installed version of the module */
  version: string;
  /** Version range that is vulnerable */
  vulnerable_versions: string;
  /** Version range that contains fixes */
  patched_versions: string;
  /** Human-readable title of the vulnerability */
  title: string;
  /** Dependency path to the vulnerable module */
  path: string[];
  /** URL to the full advisory */
  advisory: string;
  /** CVSS score if available */
  cvss_score?: number;
  /** Line information for shrinkwrap files */
  line?: { start: number; end: number };
  /** Markdown content with full vulnerability details */
  content?: string;
}

Usage Examples:

const nsp = require('nsp');
const path = require('path');

// Basic check with default options
nsp.check(function(err, results) {
  if (err) {
    console.error('Scan failed:', err.message);
    return;
  }
  
  console.log(`Found ${results.length} vulnerabilities`);
  results.forEach(vuln => {
    console.log(`${vuln.module}@${vuln.version}: ${vuln.title}`);
  });
});

// Check specific project
nsp.check({
  package: path.join(__dirname, 'package.json'),
  shrinkwrap: path.join(__dirname, 'npm-shrinkwrap.json')
}, function(err, results) {
  if (err) throw err;
  
  const highSeverity = results.filter(v => v.cvss_score >= 7.0);
  console.log(`${highSeverity.length} high severity issues found`);
});

// Check with exceptions
nsp.check({
  package: './package.json',
  exceptions: [
    'https://nodesecurity.io/advisories/123',
    'https://nodesecurity.io/advisories/456'
  ]
}, function(err, results) {
  // Results will exclude the specified advisories
  console.log('Filtered results:', results);
});

// Offline mode check
nsp.check({
  package: './package.json',
  shrinkwrap: './npm-shrinkwrap.json',
  offline: true,
  advisoriesPath: './advisories.json'
}, function(err, results) {
  if (err) {
    console.error('Offline check failed:', err.message);
    return;
  }
  console.log('Offline scan complete:', results.length, 'issues');
});

Get Formatter Function

Retrieves output formatter functions by name.

/**
 * Get a formatter function by name
 * @param {string} name - Name of the formatter (built-in or custom)
 * @returns {FormatterFunction} The formatter function
 */  
function getFormatter(name);

interface FormatterFunction {
  (err: Error | null, data: VulnerabilityResult[], pkgPath: string): string;
}

Built-in Formatter Names:

  • 'default' - Colorized table format
  • 'summary' - Simplified table
  • 'json' - JSON output
  • 'codeclimate' - Code Climate format
  • 'none' - No output
  • 'quiet' - Minimal output

Custom Formatters: Custom formatters follow the naming pattern nsp-formatter-<name> and can be loaded by name.

Usage Examples:

const nsp = require('nsp');

// Get built-in formatter
const jsonFormatter = nsp.getFormatter('json');

// Use formatter with check results
nsp.check(function(err, results) {
  const output = jsonFormatter(err, results, './package.json');
  console.log(output);
});

// Get custom formatter (requires nsp-formatter-xml package)
const xmlFormatter = nsp.getFormatter('xml');

// Format results
nsp.check({ package: './package.json' }, function(err, results) {
  const output = xmlFormatter(err, results, './package.json');
  fs.writeFileSync('security-report.xml', output);
});

// Error handling for unknown formatters
try {
  const unknownFormatter = nsp.getFormatter('nonexistent');
} catch (e) {
  // Falls back to default formatter if custom formatter not found
  console.log('Using default formatter instead');
}

Formatters Object

Direct access to all built-in formatter functions.

/**
 * Object containing all built-in formatter functions
 */
const formatters = {
  default: FormatterFunction,
  summary: FormatterFunction,
  json: FormatterFunction,
  codeclimate: FormatterFunction,
  none: FormatterFunction,
  quiet: FormatterFunction
};

Usage Example:

const { formatters } = require('nsp');

// Use formatters directly
nsp.check(function(err, results) {
  // Generate multiple output formats
  const jsonOutput = formatters.json(err, results, './package.json');
  const summaryOutput = formatters.summary(err, results, './package.json');
  
  // Save both formats
  fs.writeFileSync('report.json', jsonOutput);
  console.log(summaryOutput);
});

Error Handling

Common error scenarios and handling patterns:

nsp.check(options, function(err, results) {
  if (err) {
    if (err.message.includes('package.json is required')) {
      console.error('No package.json found in the specified location');
    } else if (err.message.includes('npm-shrinkwrap.json is required')) {
      console.error('Offline mode requires npm-shrinkwrap.json');
    } else if (err.message.includes('invalid response')) {
      console.error('Network error connecting to Node Security API');
    } else {
      console.error('Unexpected error:', err.message);
    }
    return;
  }
  
  // Process results
  console.log('Scan complete:', results.length, 'vulnerabilities found');
});

Install with Tessl CLI

npx tessl i tessl/npm-nsp

docs

cli.md

configuration.md

formatters.md

index.md

library.md

tile.json