
feat: granular check-related information in reports#177

Merged
randomicecube merged 2 commits into main from diogo/specify-enabled-checks-in-report
Jun 2, 2025

Conversation

@randomicecube
Collaborator

Relates to #166

Example of the current state of the report below


Software Supply Chain Report of ericcornelissen/shescape - 3304b1744c0691dbc71f063708023f5d364a7988

📚 Table of Contents

Enabled Checks

The following checks were requested project-wide:

Check Status
Source Code: source_code
Source Code Sha: source_code_sha
Deprecated: deprecated
Forks: forks
Provenance: provenance
Code Signature: code_signature
Aliased Packages: aliased_packages

Ignore Configuration Summary

Ignored Checks Per Dependency 🔧

These dependencies had specific checks excluded based on the configuration file.
Note: If all is listed, every check is ignored for that dependency.

| Dependency Pattern | Ignored Checks |
| --- | --- |
| @types/.+ | source_code_sha |
| concat-map@0.0.1 | source_code, source_code_sha, forks |
| file-entry-cache@8.0.0 | source_code, source_code_sha, forks |
| micro-spelling-correcter@1.1.1 | all |

Summary of Findings

How to read the results 📖

Dirty-waters has analyzed your project dependencies and found different categories for each of them:

  • ⚠️⚠️⚠️ : high severity

  • ⚠️⚠️: medium severity

  • ⚠️: low severity

Total packages in the supply chain: 1071

❗ Packages with no source code URL (⚠️⚠️⚠️): 5

⛔ Packages with repo URL that is 404 (⚠️⚠️⚠️): 1

🔧 Packages with inaccessible commit SHA/tag (⚠️⚠️): 28

🔒 Packages without code signature (⚠️⚠️): 0

🔓 Packages with invalid code signature (⚠️⚠️): 0

Fine grained information

🐬 For further information about software supply chain smells in your project, take a look at the following tables.

Source code links that could not be found (6)

| index | package_name | github_url | github_exists | parent |
| --- | --- | --- | --- | --- |
| 1 | @andrewbranch/untar.js@1.0.3 | No_repo_info_found | | [] |
| 2 | @braidai/lang@1.1.1 | No_repo_info_found | | [] |
| 3 | micro-spelling-correcter@1.1.1 | No_repo_info_found | | [] |
| 4 | minipass-pipeline@1.2.4 | No_repo_info_found | | [] |
| 5 | promise-all-reject-late@1.0.1 | No_repo_info_found | | [] |
| 6 | flat-cache@4.0.1 | https://github.com/jaredwray/flat-cache | False | [] |
List of packages with available source code repos but with inaccessible commit SHAs/tags (28)

| package_name | sha_info | tag_info | parent |
| --- | --- | --- | --- |
| @fast-check/ava@2.0.2 | Commit SHA not directly available | Release tag not found in repo | [] |
| @jridgewell/gen-mapping@0.3.8 | Commit SHA present but not found in repo | Release tag not found in repo | [] |
| @loaderkit/resolve@1.0.4 | Commit SHA not directly available | Release tag not found in repo | [] |
| @pnpm/config.env-replace@1.1.0 | Commit SHA not directly available | Release tag not found in repo | [] |
| @pnpm/network.ca-file@1.0.2 | Commit SHA not directly available | Release tag not found in repo | [] |
| @pnpm/npm-conf@2.3.1 | Commit SHA not directly available | Release tag not found in repo | [] |
| @types/debug@4.1.12 | Commit SHA not directly available | Release tag not found in repo | [] |
| @types/estree@1.0.7 | Commit SHA not directly available | Release tag not found in repo | ['rollup@4.41.0'] |
| @types/http-cache-semantics@4.0.4 | Commit SHA not directly available | Release tag not found in repo | [] |
| @types/istanbul-lib-coverage@2.0.6 | Commit SHA not directly available | Release tag not found in repo | [] |
| @types/json-schema@7.0.15 | Commit SHA not directly available | Release tag not found in repo | [] |
| @types/json5@0.0.29 | Commit SHA not directly available | Release tag not found in repo | [] |
| @types/katex@0.16.7 | Commit SHA not directly available | Release tag not found in repo | [] |
| @types/mdast@4.0.4 | Commit SHA not directly available | Release tag not found in repo | [] |
| @types/ms@0.7.34 | Commit SHA not directly available | Release tag not found in repo | [] |
| @types/normalize-package-data@2.4.4 | Commit SHA not directly available | Release tag not found in repo | [] |
| @types/unist@2.0.11 | Commit SHA not directly available | Release tag not found in repo | [] |
| @types/unist@3.0.3 | Commit SHA not directly available | Release tag not found in repo | [] |
| acorn-import-attributes@1.9.5 | Commit SHA not directly available | Release tag not found in repo | [] |
| cacheable-request@10.2.14 | Commit SHA not directly available | Release tag not found in repo | [] |
| cli-progress@3.12.0 | Commit SHA not directly available | Release tag not found in repo | [] |
| keyv@4.5.4 | Commit SHA not directly available | Release tag not found in repo | [] |
| lines-and-columns@1.2.4 | Commit SHA present but not found in repo | Release tag not found in repo | [] |
| lodash.get@4.4.2 | Commit SHA not directly available | Release tag not found in repo | [] |
| lodash.merge@4.6.2 | Commit SHA not directly available | Release tag not found in repo | [] |
| lodash.truncate@4.4.2 | Commit SHA not directly available | Release tag not found in repo | [] |
| slashes@3.0.12 | Commit SHA not directly available | Release tag not found in repo | [] |
| tap-yaml@3.0.0 | Commit SHA present but not found in repo | Release tag not found in repo | ['tap-parser@17.0.0'] |

All packages have code signature.

All packages have valid code signature.

Call to Action:

👻 What do I do now?

For packages without source code & accessible SHA/release tags:

  • Why? Missing or inaccessible source code makes it impossible to audit the package for security vulnerabilities or malicious code.
  1. Pull Request to the maintainer of dependency, requesting correct repository metadata and proper versioning/tagging.

For packages without code signature:

  • Why? Code signatures help verify the authenticity and integrity of the package, ensuring it hasn't been tampered with.
  1. Open an issue in the dependency's repository to request the inclusion of code signature in the CI/CD pipeline.

For packages with invalid code signature:

  • Why? Invalid signatures could indicate tampering or compromised build processes.
  1. It's recommended to verify the code signature and contact the maintainer to fix the issue.

Notes

Other info:
  • Source code repo is not hosted on GitHub: 3

    This could be due, for example, to the package being hosted on a different platform.

    This does not mean that the source code URL is invalid.

    However, for non-GitHub repositories, not all checks can currently be performed.

| index | package_name | github_url | parent |
| --- | --- | --- | --- |
| 1 | concat-map@0.0.1 | Could not find repo from package registry | ['brace-expansion@1.1.11'] |
| 2 | file-entry-cache@8.0.0 | Could not find repo from package registry | [] |
| 3 | pp-test-kit@0.5.2 | git+https://gitlab.com/ericcornelissen/pp-test-kit.git | [] |

Glossary

  • source_code: Whether a repo URL is present and valid
    • source_code_sha: Whether a commit SHA is available and valid
    • forks: Whether the repo is a fork
  • deprecated: Whether the package is marked deprecated
  • provenance: Whether build provenance/attestation is provided
  • code_signature: Whether a code signature is present and valid
  • aliased_packages: Whether a package is aliased under a different name

Report created by dirty-waters.

Report created on 2025-06-01 18:19:25

  • Tool version: 1741634
  • Project Name: ericcornelissen/shescape
  • Project Version: 3304b1744c0691dbc71f063708023f5d364a7988
  • Package Manager: npm

@randomicecube randomicecube self-assigned this Jun 1, 2025
@randomicecube randomicecube added the enhancement New feature or request label Jun 1, 2025
@randomicecube randomicecube merged commit 9b64d22 into main Jun 2, 2025
1 check passed
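As an added illustration of the ignore semantics the report summarises (per-dependency pattern exclusions, with `all` disabling every check), the following is example code written here, not code from dirty-waters; it assumes a dependency pattern is a regular expression matched against the whole `name@version` string, that the project-wide check list is the one in the Enabled Checks table, and that `validate_ignore_config`, `effective_checks` and `ignore_summary` are hypothetical helper names.

```python
import re

# Project-wide checks, as listed in the report's "Enabled Checks" table.
ENABLED_CHECKS = ["source_code", "source_code_sha", "deprecated", "forks",
                  "provenance", "code_signature", "aliased_packages"]
# Constructed ignore config mirroring the report's "Ignored Checks Per Dependency".
IGNORE_CONFIG = {
    r"@types/.+": ["source_code_sha"],
    r"concat-map@0.0.1": ["source_code", "source_code_sha", "forks"],
    r"file-entry-cache@8.0.0": ["source_code", "source_code_sha", "forks"],
    r"micro-spelling-correcter@1.1.1": ["all"],
}

def validate_ignore_config(ignore_config, enabled):
    """pattern -> problem for entries that would silently misbehave: an invalid
    regex, or a check name that is neither enabled nor 'all' (typo => check still runs)."""
    problems = {}
    for pattern, checks in ignore_config.items():
        try:
            re.compile(pattern)
        except re.error as exc:
            problems[pattern] = f"invalid regex: {exc}"
            continue
        unknown = sorted(set(checks) - set(enabled) - {"all"})
        if unknown:
            problems[pattern] = "unknown checks: " + ", ".join(unknown)
    return problems

def effective_checks(dependency, enabled, ignore_config):
    """Checks still applied to one 'name@version' dependency: every pattern matching
    the whole string (assumption: full-string regex) contributes; 'all' disables all."""
    ignored = set()
    for pattern, checks in ignore_config.items():
        if re.fullmatch(pattern, dependency):
            if "all" in checks:
                return []
            ignored.update(checks)
    return [c for c in enabled if c not in ignored]

def ignore_summary(dependencies, enabled, ignore_config):
    """Per-dependency ignored checks in the shape of the report's summary table
    ('all' when nothing remains); dependencies with nothing ignored are omitted."""
    summary = {}
    for dep in dependencies:
        remaining = effective_checks(dep, enabled, ignore_config)
        if not remaining:
            summary[dep] = "all"
        elif len(remaining) < len(enabled):
            summary[dep] = [c for c in enabled if c not in remaining]
    return summary
```

Running `validate_ignore_config` before generating a report catches the quiet failure mode of a misspelled check name, which would otherwise leave that check enabled while the author believes it ignored.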