
exhort-javascript-api 0.0.2-ea.25

Install from the command line:
$ npm install @RHEcosystemAppEng/exhort-javascript-api@0.0.2-ea.25
Install via package.json:
"@RHEcosystemAppEng/exhort-javascript-api": "0.0.2-ea.25"

About this version

Exhort JavaScript API

The Exhort JavaScript API module is deployed to GitHub Package Registry.


Configure Registry Access

Create a token with the read:packages scope

Based on GitHub documentation, in Actions you can use GITHUB_TOKEN.

Add the following line to the .npmrc file in your user home (see GH Docs):

//npm.pkg.github.com/:_authToken=<your-ghp-token-goes-here>

Usage

To make NPM look in GHPR for the RHEcosystemAppEng namespace, add @RHEcosystemAppEng:registry=https://npm.pkg.github.com to the .npmrc in the project root or user home:

echo "@RHEcosystemAppEng:registry=https://npm.pkg.github.com" >> .npmrc
  • Use as ESM Module
    npm install @RHEcosystemAppEng/exhort-javascript-api
    import exhort from '@RHEcosystemAppEng/exhort-javascript-api'
    import fs from 'node:fs'
    
    // Get stack analysis in JSON format
    let stackAnalysis = await exhort.stackAnalysis('/path/to/pom.xml')
    // Get stack analysis in HTML format (string)
    let stackAnalysisHtml = await exhort.stackAnalysis('/path/to/pom.xml', true)
    
    // Get component analysis in JSON format
    let buffer = fs.readFileSync('/path/to/pom.xml')
    let componentAnalysis = await exhort.componentAnalysis('pom.xml', buffer.toString())
  • Use as CLI Script
    $ npx @RHEcosystemAppEng/exhort-javascript-api help
    
    Usage: exhort-javascript-api {component|stack}
    
    Commands:
      exhort-javascript-api stack </path/to/manifest> [--html|--summary]               produce stack report for manifest path
      exhort-javascript-api component <manifest-name> <manifest-content> [--summary]   produce component report for a manifest type and content
    
    Options:
      --help  Show help                                                    [boolean]
    # get stack analysis in json format
    $ npx @RHEcosystemAppEng/exhort-javascript-api stack /path/to/pom.xml
    
    # get stack analysis in json format (summary only)
    $ npx @RHEcosystemAppEng/exhort-javascript-api stack /path/to/pom.xml --summary
    
    # get stack analysis in html format
    $ npx @RHEcosystemAppEng/exhort-javascript-api stack /path/to/pom.xml --html
    
    # get component analysis
    $ npx @RHEcosystemAppEng/exhort-javascript-api component pom.xml "$(</path/to/pom.xml)"
  • Use as Global Binary
    npm install --global @RHEcosystemAppEng/exhort-javascript-api
    # get stack analysis in json format
    $ exhort-javascript-api stack /path/to/pom.xml
    
    # get stack analysis in json format (summary only)
    $ exhort-javascript-api stack /path/to/pom.xml --summary
    
    # get stack analysis in html format
    $ exhort-javascript-api stack /path/to/pom.xml --html
    
    # get component analysis
    $ exhort-javascript-api component pom.xml "$(</path/to/pom.xml)"

Supported Ecosystems

Excluding Packages

Excluding a package from any analysis can be achieved by marking the package for exclusion.

  • Java Maven users can add a comment in pom.xml
    <dependency> <!--exhortignore-->
      <groupId>...</groupId>
      <artifactId>...</artifactId>
      <version>...</version>
    </dependency>
  • JavaScript NPM users can add a root-level key called exhortignore to package.json, whose value is a list of the package names (strings, without versions) to be ignored. Example:
    {
      "name": "sample",
      "version": "1.0.0",
      "description": "",
      "main": "index.js",
      "keywords": [],
      "author": "",
      "license": "ISC",
      "dependencies": {
        "dotenv": "^8.2.0",
        "express": "^4.17.1",
        "jsonwebtoken": "^8.5.1",
        "mongoose": "^5.9.18"
      },
      "exhortignore": [
        "jsonwebtoken"
      ]
    }

  • Golang users can add a //exhortignore comment in go.mod next to the package to be ignored, or "piggyback" on an existing comment (e.g. //indirect). For example:

    module github.com/RHEcosystemAppEng/SaaSi/deployer
    
    go 1.19
    
    require (
            github.com/gin-gonic/gin v1.9.1
            github.com/google/uuid v1.1.2
            github.com/jessevdk/go-flags v1.5.0 //exhortignore
            github.com/kr/pretty v0.3.1
            gopkg.in/yaml.v2 v2.4.0
            k8s.io/apimachinery v0.26.1
            k8s.io/client-go v0.26.1
    )
    
    require (
            github.com/davecgh/go-spew v1.1.1 // indirect exhortignore
            github.com/emicklei/go-restful/v3 v3.9.0 // indirect
            github.com/go-logr/logr v1.2.3 // indirect //exhortignore
    
    )
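
Each exhortignore marker removes a dependency from the analysis, so it is worth listing what a manifest excludes before relying on a clean report. The following is an added example, not part of the Exhort project: the helper names (ignoredInPom, ignoredInPackageJson, ignoredInGoMod, auditIgnored) are hypothetical, the marker syntax is the one shown above, and the sample manifests are constructed.

```javascript
// Added example, not project code: list dependencies marked with exhortignore.

// pom.xml: an <!--exhortignore--> comment right after the opening <dependency> tag.
function ignoredInPom(xml) {
  const re = /<dependency>\s*<!--\s*exhortignore\s*-->([\s\S]*?)<\/dependency>/g
  return [...xml.matchAll(re)].map((m) => {
    const tag = (n) => (m[1].match(new RegExp(`<${n}>([^<]*)</${n}>`)) || [])[1]
    return `${tag('groupId')}:${tag('artifactId')}`
  })
}

// package.json: root-level "exhortignore" array of package names (no versions).
function ignoredInPackageJson(text) {
  const list = JSON.parse(text).exhortignore
  return Array.isArray(list) ? list.filter((n) => typeof n === 'string') : []
}

// go.mod: a requirement line whose trailing comment mentions exhortignore.
function ignoredInGoMod(text) {
  const out = []
  for (const line of text.split('\n')) {
    const m = line.match(/^\s*(?:require\s+)?(\S+)\s+(v\S+)\s*\/\/(.*)$/)
    if (m && /\bexhortignore\b/.test(m[3])) out.push(`${m[1]}@${m[2]}`)
  }
  return out
}

// Dispatch on manifest name; an unknown manifest is an error, not "nothing ignored".
function auditIgnored(name, content) {
  const parsers = { 'pom.xml': ignoredInPom, 'package.json': ignoredInPackageJson, 'go.mod': ignoredInGoMod }
  if (!Object.prototype.hasOwnProperty.call(parsers, name)) throw new Error(`unsupported manifest: ${name}`)
  return parsers[name](content)
}

// Constructed sample inputs (not real projects).
const SAMPLE_POM = `<dependencies>
  <dependency> <!--exhortignore-->
    <groupId>org.example</groupId><artifactId>lib-a</artifactId><version>1.0</version>
  </dependency>
  <dependency><groupId>org.example</groupId><artifactId>lib-b</artifactId></dependency>
</dependencies>`
const SAMPLE_PKG = '{"dependencies":{"express":"^4.17.1","jsonwebtoken":"^8.5.1"},"exhortignore":["jsonwebtoken"]}'
const SAMPLE_GOMOD = `require (
    github.com/jessevdk/go-flags v1.5.0 //exhortignore
    github.com/emicklei/go-restful/v3 v3.9.0 // indirect
    github.com/go-logr/logr v1.2.3 // indirect //exhortignore
)`
console.log(auditIgnored('pom.xml', SAMPLE_POM), auditIgnored('package.json', SAMPLE_PKG), auditIgnored('go.mod', SAMPLE_GOMOD))
```

Running such a listing in code review or CI makes a newly added exclusion visible as a change rather than a silent gap in the report.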

Customization

There are 2 approaches for customizing Exhort JavaScript API. Whether you're using this API as a Global Module, a Remote Script, or an ESM Module, you can use Environment Variables for various customizations.

However, ESM Module users can opt for customizing programmatically:

import exhort from '@RHEcosystemAppEng/exhort-javascript-api'
import fs from 'node:fs'

let options = {
  'EXHORT_SNYK_TOKEN': 'my-secret-snyk-token',
  'EXHORT_MVN_PATH': '/path/to/my/mvn',
  'EXHORT_NPM_PATH': '/path/to/npm',
  'EXHORT_GO_PATH': '/path/to/go'
}

// Get stack analysis in JSON format
let stackAnalysis = await exhort.stackAnalysis('/path/to/pom.xml', false, options)
// Get stack analysis in HTML format (string)
let stackAnalysisHtml = await exhort.stackAnalysis('/path/to/pom.xml', true, options)

// Get component analysis in JSON format
let buffer = fs.readFileSync('/path/to/pom.xml')
let componentAnalysis = await exhort.componentAnalysis('pom.xml', buffer.toString(), options)

Environment variables take precedence.

Customizing Tokens

To include extra vulnerability data and resolutions that are otherwise available only to vendor registered users, you can use the following keys for setting various vendor tokens.

Vendor    Token Key
Snyk      EXHORT_SNYK_TOKEN

Customizing Executables

This project uses each ecosystem's executable for creating dependency trees. These executables are expected to be present on the system's PATH environment. If they are not, or if you want to use custom ones, you can use the following keys for setting custom paths for the said executables.

Ecosystem     Default    Executable Key
Maven         mvn        EXHORT_MVN_PATH
NPM           npm        EXHORT_NPM_PATH
Go Modules    go         EXHORT_GO_PATH
