NPM Plugin
With the release of the Mend Unified Agent (previously called the File System Agent (FSA)), Mend will no longer provide standard support, including updates and fixes for the NPM plugin after May 4th, 2019.
Extended Support (limited to configuration & support/troubleshooting) will be provided until November 1st, 2019. Please migrate to the Unified Agent before this date. This plugin will no longer be supported by Mend on November 2nd, 2019.
The Mend Support team is ready to assist with the necessary changes required to use the Unified Agent and can be contacted via the Customer Community.
Overview
The plugin allows Node.js based projects to integrate with Mend open source management. Once configured and executed, the plugin creates or updates Mend projects and enforces inventory policies. Note the following:
The plugin is licensed under the Apache 2.0 license.
Prerequisites
NodeJS, version 5.x.x or later
Installing the Plugin
Install Mend Globally:
$ npm install -g Mend
Ubuntu Issues
If you experience trouble running Mend globally on Ubuntu after installing it, locate the Mend package by running:
$ which Mend
and then create an alias to run Mend globally:
$ alias Mend="node path/to/Mend"
Troubleshooting: Having trouble finding "node" in Ubuntu?
On Ubuntu the "node" command is provided by two different packages: node and nodejs. Locate the node package that is installed by running:
If the output is /usr/sbin/node, remove it:
Then create a link:
Configuring the Plugin
Create a "Mend.config.json" file in your project root directory and input your Mend API Token found in the Admin Integration API page:
General Parameters
Attribute | Type | Description | Required |
---|---|---|---|
apiKey | String | Unique identifier of the organization to update; it can be retrieved from the admin page in your Mend account. | Yes |
checkPolicies | Boolean | Whether or not to send the check policies request before updating Mend. | No |
productName | String | Name of the product to update. | No. If not defined, matching to existing Mend products is done by productToken |
productVer | String | Version of the product and project to update. This overrides the project version. | No. Only read if productName is defined |
productToken | String | API token matching an existing Mend product; it can be retrieved from the Integration API page in your Mend account. | No. If not defined, matching to existing Mend products is done by name. Cannot be combined with projectToken |
projectName | String | Name of the project to update. | No. If not defined, matching to existing Mend projects is done by projectToken |
projectVer | String | Version of the project. | No. Only read if projectName is defined |
projectToken | String | API token matching an existing Mend project; it can be retrieved from the Integration API page in your Mend account. | No. If not defined, matching to existing Mend projects is done by name. Cannot be combined with productToken |
devDep | String | Adds devDependencies to the Mend report. Accepts either "true" or "false" | No |
baseURL | String | The IP / Name of the destination Mend service | No. Will use the default configuration |
port | Int | The port number of the destination baseURL | No. Will use the default configuration |
https | Boolean | Whether or not to use HTTPS secured connection | No. Will use the default configuration |
proxy | String | The proxy server through which requests to the Mend service are sent (e.g. "proxy":"http://10.0.0.1:8080") | No |
forceUpdate | Boolean | If true, updates the project even if the "checkPolicies" step failed (default is false) | No. Will use the default configuration |
failOnError | Boolean | If true, fails the process if "checkPolicies" failed (default is false) | No. Will use the default configuration |
timeoutMinutes | Int | Number of minutes before the scan times out (default is one hour) | No. Will use the default configuration |
debugMode | Boolean | If true, adds a new folder with log files to the root folder (default is false) | No. Will use the default configuration |
registryAccessToken | String | Access token to private registries | No |
connectionRetries | Int | Number of connection retries when unable to connect to the Mend service (default is 1) | No. Will use the default configuration |
failOnConnectionError | Boolean | Fails the build when unable to connect to the Mend service | No, default value is true |
userKey | String | Unique identifier of the user performing the update; it can be retrieved from the admin page in your Mend account. | Required if the Mend administrator has enabled the "Enforce user level access" option |
ignoreNpmLsErrors | Boolean | Whether or not to ignore errors of the 'npm ls' command. | No, the default value is false |
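The table above lists several parameters whose combination matters more than any single value (mutually exclusive tokens, versions that are only read when a name is set, and switches such as https, forceUpdate and failOnConnectionError that decide whether a failed check or a lost connection still lets a build pass). The following validator is an added example, not code from the Mend NPM plugin: it checks a Mend.config.json object against the rules stated in the table before a CI run. The key names are the table's; the checks, messages, and the sample config (placeholder values, not real credentials) are assumptions of this example.

```javascript
// Added example (not part of the Mend NPM plugin): check a Mend.config.json
// object against the rules in the parameter table before a CI run. The keys
// are the ones the table lists; the checks, messages and the sample config
// are ours (sample values are CONSTRUCTED placeholders, not real tokens).

const REQUIRED_STRINGS = ["apiKey"];
const BOOLEAN_KEYS = ["checkPolicies", "https", "forceUpdate", "failOnError",
  "debugMode", "failOnConnectionError", "ignoreNpmLsErrors"];
const INT_KEYS = ["port", "timeoutMinutes", "connectionRetries"];

function validateMendConfig(cfg) {
  const errors = [];
  const warnings = [];

  for (const key of REQUIRED_STRINGS) {
    if (typeof cfg[key] !== "string" || cfg[key].trim() === "") {
      errors.push(`${key} is required and must be a non-empty string`);
    }
  }
  for (const key of BOOLEAN_KEYS) {
    if (key in cfg && typeof cfg[key] !== "boolean") {
      errors.push(`${key} must be a JSON boolean, got ${typeof cfg[key]}`);
    }
  }
  for (const key of INT_KEYS) {
    if (key in cfg && !Number.isInteger(cfg[key])) {
      errors.push(`${key} must be an integer, got ${JSON.stringify(cfg[key])}`);
    }
  }
  if (Number.isInteger(cfg.port) && (cfg.port < 1 || cfg.port > 65535)) {
    errors.push("port must be in the range 1..65535");
  }
  // devDep is documented as a String holding "true" or "false", not a boolean.
  if ("devDep" in cfg && cfg.devDep !== "true" && cfg.devDep !== "false") {
    errors.push('devDep must be the string "true" or "false"');
  }
  // Tokens select an existing product or project; the table says they are
  // mutually exclusive.
  if (cfg.productToken && cfg.projectToken) {
    errors.push("productToken and projectToken must not both be set");
  }
  // A version is only read when the matching name is defined.
  if ("productVer" in cfg && !cfg.productName) {
    warnings.push("productVer is ignored because productName is not set");
  }
  if ("projectVer" in cfg && !cfg.projectName) {
    warnings.push("projectVer is ignored because projectName is not set");
  }

  // Settings that weaken the scan's value as a control.
  if (cfg.https === false) {
    warnings.push("https=false sends apiKey and the inventory over plain HTTP");
  }
  if (cfg.forceUpdate === true) {
    warnings.push("forceUpdate=true updates the project even when checkPolicies failed, so a policy violation does not block the update");
  }
  if (cfg.failOnError === true && cfg.checkPolicies === false) {
    warnings.push("failOnError has no effect because checkPolicies is disabled");
  }
  if (cfg.failOnConnectionError === false) {
    warnings.push("failOnConnectionError=false lets the build pass when the Mend service was never reached");
  }
  if (cfg.ignoreNpmLsErrors === true) {
    warnings.push("ignoreNpmLsErrors=true may build an inventory from an incomplete npm ls tree");
  }

  return { ok: errors.length === 0, errors, warnings };
}

// CONSTRUCTED sample config (placeholder values, not real credentials).
const SAMPLE_CONFIG = {
  apiKey: "PLACEHOLDER-ORG-API-KEY",
  userKey: "PLACEHOLDER-USER-KEY",
  projectName: "demo-app",
  projectVer: "1.0.0",
  checkPolicies: true,
  failOnError: true,
  https: true,
  devDep: "false",
  connectionRetries: 3,
};

console.log(JSON.stringify(validateMendConfig(SAMPLE_CONFIG), null, 2));
```

To run it against a real file, pass `JSON.parse(fs.readFileSync("Mend.config.json", "utf8"))` to validateMendConfig and fail the pipeline step when `ok` is false; the warnings are worth surfacing in the build log because each one names a setting that silently turns the scan from a gate into a report.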
Resolving NPM Dependencies
To resolve NPM dependencies, first run the "npm install" command in the relevant folders before executing the plugin.
Private Registries
If you scan a private registry that requires an access token, add the property "registryAccessToken" to the Mend config file.
Supported from version 17.12.4
Executing the Plugin
Make sure you have package.json and Mend.config.json files located at project root.
Run the plugin with this command:
The Mend dependency report is saved to the auto-generated "Mend.report.json" file in the project root and posted to your Mend dashboard.
Custom config file location
If you want to use a Mend.config.json file that is not located under the project root, run:
When using multiple build environments (e.g. npm and bower), use a separate Mend.config.json file for each build environment, each in a different location.
Yarn Project
Starting with version 18.2.1, the NPM plugin can scan and upload yarn projects as well.
To do so, run the plugin inside your yarn project folder with the following command:
Debugging Instructions
First, try running "npm ls --json > ./test.json".
Important: the NPM plugin depends on the "npm ls" command. For the plugin to work, "npm ls" must complete successfully.
If the "npm ls" process fails, investigate your project and fix it.
Mend cannot run when the native npm ls command fails.
This is usually a sign of a misconfigured or invalid Node project (check your package.json and the npm log file to investigate further).
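Because the plugin builds its inventory from the "npm ls" tree, the test.json written above is the first thing to read when a scan fails. The walker below is an added example, not code from the Mend NPM plugin: it flattens an "npm ls --json" tree, deduplicates packages by name@version, and lists the nodes npm flagged as missing or invalid. The sample tree is constructed in the shape npm emits (nested "dependencies", a root "problems" array, "missing": true on unresolved nodes); that shape, the package names and the versions are assumptions of this example rather than data from a real project.

```javascript
// Added example (not part of the Mend NPM plugin): inspect the JSON written by
// "npm ls --json > ./test.json" to see why dependency resolution would fail.
// SAMPLE_NPM_LS is CONSTRUCTED in the shape npm emits; names and versions are
// illustrative only.
const SAMPLE_NPM_LS = {
  name: "demo-app",
  version: "1.0.0",
  problems: ["missing: lodash@^4.17.0, required by demo-app@1.0.0"],
  dependencies: {
    express: {
      version: "4.17.1",
      from: "express@^4.17.1",
      dependencies: {
        accepts: {
          version: "1.3.7",
          dependencies: { negotiator: { version: "0.6.2" } },
        },
        debug: { version: "2.6.9" },
      },
    },
    debug: { version: "2.6.9" },
    lodash: { required: "^4.17.0", missing: true },
  },
};

// Walk the tree depth-first. Returns every resolved node with its path from
// the root, plus every node that npm flagged as missing or invalid.
function walkNpmLs(tree) {
  const resolved = [];
  const broken = [];
  function visit(node, path) {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = [...path, name];
      if (dep.missing || dep.invalid) {
        broken.push({
          name,
          path: here.join(" > "),
          required: dep.required || null,
          reason: dep.missing ? "missing" : "invalid",
        });
        continue; // nothing below an unresolved node is trustworthy
      }
      resolved.push({ name, version: dep.version, path: here.join(" > ") });
      visit(dep, here);
    }
  }
  visit(tree, [tree.name]);
  return { resolved, broken, rootProblems: tree.problems || [] };
}

// Deduplicate by name@version: what an inventory counts, as opposed to how
// many times a package appears in the tree.
function uniquePackages(resolved) {
  return [...new Set(resolved.map((d) => `${d.name}@${d.version}`))].sort();
}

function summarize(tree) {
  const { resolved, broken, rootProblems } = walkNpmLs(tree);
  return {
    nodes: resolved.length,
    unique: uniquePackages(resolved),
    broken,
    rootProblems,
    // A tree with unresolved nodes is not a complete inventory: fix the
    // project (or re-run npm install) before running the plugin.
    healthy: broken.length === 0 && rootProblems.length === 0,
  };
}

console.log(JSON.stringify(summarize(SAMPLE_NPM_LS), null, 2));
```

To use it on a real project, replace SAMPLE_NPM_LS with `JSON.parse(fs.readFileSync("./test.json", "utf8"))`; a summary with `healthy: false` points at the exact path in the tree that "npm ls" could not resolve, which is the same defect that makes the plugin stop.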
When encountering issues running the NPM plugin, follow these instructions:
Uninstall Mend: "npm uninstall Mend"
Install the updated version: "npm install -g Mend"
All config files are left as is (so you can use the same Mend.config.json file)
If the issue persists after running the plugin, send the npm-shrinkwrap.json, package.json, npm-debug.log
and the Mend log files (located in the project's root and prefixed with ws-log) to support@Mendsoftware.com.
Exit Code
Starting with version 1.1.1, the following exit codes are returned upon scan completion:
SUCCESS: 0,
ERROR: -1,
POLICY_VIOLATION: -2,
CLIENT_FAILURE: -3,
CONNECTION_FAILURE: -4,
SERVER_FAILURE: -5
Exit Codes in Bash
In Bash, the exit codes Mend returns are reported as the code modulo 256:
Exit code 0 is equivalent to code 0 (0 mod 256 = 0)
Exit code -1 is equivalent to code 255 (-1 mod 256 = 255)
Exit code -2 is equivalent to code 254 (-2 mod 256 = 254)
Exit code -3 is equivalent to code 253 (-3 mod 256 = 253)
Exit code -4 is equivalent to code 252 (-4 mod 256 = 252)
Exit code -5 is equivalent to code 251 (-5 mod 256 = 251)
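A CI wrapper that compares `$?` against -2 will never match, because the shell has already reduced the code modulo 256. The helper below is an added example, not part of the Mend NPM plugin: it maps the signed codes from the list above to the unsigned status a shell reports and back, names the result, and treats anything that is not an explicit SUCCESS (including statuses outside the documented set) as a build failure. The function names are this example's own.

```javascript
// Added example (not part of the Mend NPM plugin): decode the plugin's exit
// status in a Node.js CI wrapper. The names and signed codes come from the
// "Exit Code" section; a POSIX shell reports a process status as an unsigned
// byte, which is why -2 shows up as 254.
const EXIT_CODES = {
  SUCCESS: 0,
  ERROR: -1,
  POLICY_VIOLATION: -2,
  CLIENT_FAILURE: -3,
  CONNECTION_FAILURE: -4,
  SERVER_FAILURE: -5,
};

// Signed plugin code -> the 0..255 value $? holds in Bash.
function toShellStatus(code) {
  return ((code % 256) + 256) % 256;
}

// Accepts either the raw signed code or the shell status and names it.
// Anything outside the documented set (e.g. 1 from a crashed node process)
// is reported as UNKNOWN so a CI gate does not mistake it for success.
function decodeExitStatus(status) {
  const shell = toShellStatus(status);
  for (const [name, code] of Object.entries(EXIT_CODES)) {
    if (toShellStatus(code) === shell) return { name, code, shell };
  }
  return { name: "UNKNOWN", code: null, shell };
}

// Only an explicit SUCCESS should let a pipeline step pass.
function shouldFailBuild(status) {
  return decodeExitStatus(status).name !== "SUCCESS";
}

for (const s of [0, 254, -2, 251, 1]) {
  console.log(s, decodeExitStatus(s), shouldFailBuild(s) ? "fail" : "pass");
}
```

In a Node.js build script, pass the `status` property returned by `child_process.spawnSync` to decodeExitStatus; in a plain Bash step, compare `$?` with the 0..255 values instead of the signed ones.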
Updating the Plugin
To update the plugin, run it with the following command:
Running NPM Using Jenkins
Make sure you have installed and are using the following:
You are using a "Freestyle Project" as the Jenkins job.
NPM is installed.
The Mend NPM plugin is installed:
To add the plugin to your job, go to your job → Configure → Add build step and use the following command:
Add "Mend.config.json" file as described above.
Copyright © 2024 Mend.io (White Source Ltd.) | All rights reserved.