instana
diff --git a/‎bin/vulnerability/find-dependencies.sh‎
Lines changed: 34 additions & 27 deletions b/‎bin/vulnerability/find-dependencies.sh‎
Lines changed: 34 additions & 27 deletions
@@ -3,26 +3,22 @@
 set -o pipefail
 
 PACKAGES=(
-  "debug@4.4.2"
-  "chalk@5.6.1"
-  # "debug"
-  # "chalk"
-  # "debug@4"
-  # "chalk@5"
+  $(<./packages.txt)
 )
 
 if [[ "${RECREATE:-}" == "false" ]]; then
   cd app
 else
+  echo -e "\n🧹 Creating the test app.\n"
   rm -rf app
   mkdir -p app
   cd app
-  npm init -y
+  npm init -y >/dev/null
 fi
 
 if [[ "${ONLY_SCAN:-}" != "true" ]]; then
   if [[ "${MODE:-}" == "local" ]]; then
-    echo -e "\nInstalling local packages from local.\n"
+    echo -e "\n💁‍♀️ Installing local packages from local.\n"
 
     # Get the version from the package.json in ../../packages/collector
     CURRENT_VERSION=$(node -p "require('../../../packages/collector/package.json').version")
@@ -51,36 +47,47 @@ if [[ "${ONLY_SCAN:-}" != "true" ]]; then
 
     cd ../bin/vulnerability/app
 
-    npm install ../../../packages/collector/instana-collector-${CURRENT_VERSION}.tgz --save
-    npm install ../../../packages/serverless-collector/instana-serverless-collector-${CURRENT_VERSION}.tgz --save
-    npm install ../../../packages/aws-lambda/instana-aws-lambda-${CURRENT_VERSION}.tgz --save
-    npm install ../../../packages/aws-fargate/instana-aws-fargate-${CURRENT_VERSION}.tgz --save
-    npm install ../../../packages/google-cloud-run/instana-google-cloud-run-${CURRENT_VERSION}.tgz --save
-    npm install ../../../packages/azure-container-services/instana-azure-container-services-${CURRENT_VERSION}.tgz --save
+    npm install ../../../packages/collector/instana-collector-${CURRENT_VERSION}.tgz --save >/dev/null
+    npm install ../../../packages/serverless-collector/instana-serverless-collector-${CURRENT_VERSION}.tgz --save >/dev/null
+    npm install ../../../packages/aws-lambda/instana-aws-lambda-${CURRENT_VERSION}.tgz --save >/dev/null
+    npm install ../../../packages/aws-fargate/instana-aws-fargate-${CURRENT_VERSION}.tgz --save >/dev/null
+    npm install ../../../packages/google-cloud-run/instana-google-cloud-run-${CURRENT_VERSION}.tgz --save >/dev/null
+    npm install ../../../packages/azure-container-services/instana-azure-container-services-${CURRENT_VERSION}.tgz --save >/dev/null
 
     # Simulate that the sub dependencies got updated (override!)
-    npm install ../../../packages/core/instana-core-${CURRENT_VERSION}.tgz --save
-    npm install ../../../packages/serverless/instana-serverless-${CURRENT_VERSION}.tgz --
-    npm install ../../../packages/shared-metrics/instana-shared-metrics-${CURRENT_VERSION}.tgz --save
+    npm install ../../../packages/core/instana-core-${CURRENT_VERSION}.tgz --save >/dev/null
+    npm install ../../../packages/serverless/instana-serverless-${CURRENT_VERSION}.tgz --save >/dev/null
+    npm install ../../../packages/shared-metrics/instana-shared-metrics-${CURRENT_VERSION}.tgz --save >/dev/null
   else
-    npm install @instana/collector --save
-    npm install @instana/serverless-collector --save
-    npm install @instana/aws-lambda --save
-    npm install @instana/aws-fargate --save
-    npm install @instana/google-cloud-run --save
-    npm install @instana/azure-container-services --save
+    echo -e "\n💁‍♀️ Installing released packages.\n"
+    npm install @instana/collector --save >/dev/null
+    npm install @instana/serverless-collector --save >/dev/null
+    npm install @instana/aws-lambda --save >/dev/null
+    npm install @instana/aws-fargate --save >/dev/null
+    npm install @instana/google-cloud-run --save >/dev/null
+    npm install @instana/azure-container-services --save >/dev/null
   fi
 fi
 
-echo "Checking for vulnerable packages in $PWD..."
+echo -e "🧐 Checking for vulnerable packages\n"
+echo -e "-----------------------------------\n"
 
 for pkg in "${PACKAGES[@]}"; do
   out="$(npm ls --all "$pkg" 2>&1 || true)"
 
-  echo -e "\n"
-
   if printf "%s" "$out" | grep -q "(empty)"; then
-    echo "✅ $pkg is not a dependency of Instana."
+    echo "✅ No direct dependency on $pkg"
+    packageName="${pkg%@*}"
+    out2="$(npm ls --all "$packageName" 2>&1 || true)"
+
+    if ! printf "%s" "$out2" | grep -q "(empty)"; then
+      echo "⚠️ BUT $packageName is general dependency of Instana. Please investigate!"
+      echo -e "\n"
+      printf "%s" "$out2"
+      echo -e "\n"
+    else
+      echo "✅ No issues with $pkg"
+    fi
   else
     printf "❌ COMPROMISED $pkg"
     echo -e "\n"