# `NPM.Security.Compromised`
[🔗](https://github.com/elixir-volt/npm_ex/blob/v0.7.4/lib/npm/security/compromised.ex#L1)

Checks lockfiles against known malicious or compromised npm package reports.

Local reports use the OSV schema, the same format published by the OpenSSF
malicious-packages repository and by OSV.dev `MAL-*` advisories. This keeps the
default check offline and reproducible, while callers can point the check at an
updated database path through configuration.

# `finding`

```elixir
@type finding() :: %{
  package: String.t(),
  version: String.t(),
  source: source(),
  advisory: map()
}
```

# `source`

```elixir
@type source() :: :local | :osv
```

# `affects?`

```elixir
@spec affects?(map(), String.t(), String.t()) :: boolean()
```

Return whether an OSV advisory affects an npm package version.

# `cache_path`

```elixir
@spec cache_path() :: String.t()
```

Return the shared global cache path for OSV-format compromised-package reports.

# `check`

```elixir
@spec check(
  NPM.Lockfile.t(),
  keyword()
) :: [finding()]
```

Check a parsed lockfile against the configured compromised-package sources.

# `check_osv`

```elixir
@spec check_osv(
  NPM.Lockfile.t(),
  keyword()
) :: {:ok, [finding()]} | {:error, term()}
```

Check a lockfile against OSV.dev and return query errors to the caller.

# `check_package`

```elixir
@spec check_package(String.t(), String.t(), keyword()) :: [finding()]
```

Check one package version against configured compromised-package sources.

# `finding_to_json`

```elixir
@spec finding_to_json(finding()) :: map()
```

Convert a finding to a JSON-encodable map.

# `format_findings`

```elixir
@spec format_findings([finding()]) :: [String.t()]
```

Format compromised-package findings for CLI output.

# `merge_advisories`

```elixir
@spec merge_advisories([map()], [map()]) :: [map()]
```

Merge two advisory lists, deduplicating by OSV `id`, and return the result in a stable sorted order.

# `merge_database`

```elixir
@spec merge_database(String.t(), [map()]) :: {:ok, [map()]} | {:error, term()}
```

Merge new OSV advisories into an existing local database.

# `read_database`

```elixir
@spec read_database(String.t()) :: {:ok, [map()]} | {:error, term()}
```

Read OSV advisory reports from a local JSON database.

# `write_database`

```elixir
@spec write_database(String.t(), [map()]) :: :ok | {:error, term()}
```

Write OSV advisory reports to a local JSON database.
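The following is an added example, not code from `npm_ex`, showing the local-database functions above and `affects?/3` working together: it writes a small OSV-format database, merges an update into it so that a re-issued `MAL-*` id is kept only once, and then tests package versions against the loaded reports. The advisory ids and package names are constructed. It assumes advisories are maps with string keys (the shape produced by decoding OSV JSON) and that `affects?/3` honours both an explicit `"versions"` list and a `SEMVER` range whose only event is `{"introduced" => "0"}`, which is how the OpenSSF malicious-packages reports mark every version as affected.

```elixir
# Added example (not part of npm_ex). Assumptions: string-keyed OSV maps, and
# affects?/3 matching on "versions" lists and "introduced" => "0" SEMVER ranges.
alias NPM.Security.Compromised

# Constructed advisories in the OSV schema; ids and package names are made up.
base = [
  %{
    "id" => "MAL-0000-0001",
    "modified" => "2024-01-01T00:00:00Z",
    "summary" => "Malicious code in example-helper (npm)",
    "affected" => [
      %{
        "package" => %{"ecosystem" => "npm", "name" => "example-helper"},
        "versions" => ["1.4.2", "1.4.3"]
      }
    ]
  }
]

update = [
  # A package where every published version is malicious: open-ended range.
  %{
    "id" => "MAL-0000-0002",
    "modified" => "2024-02-01T00:00:00Z",
    "summary" => "Malicious code in example-colors (npm)",
    "affected" => [
      %{
        "package" => %{"ecosystem" => "npm", "name" => "example-colors"},
        "ranges" => [%{"type" => "SEMVER", "events" => [%{"introduced" => "0"}]}]
      }
    ]
  },
  # A newer revision of an advisory already in the base set. Merging by id must
  # leave a single MAL-0000-0001 entry rather than two.
  %{
    "id" => "MAL-0000-0001",
    "modified" => "2024-03-01T00:00:00Z",
    "summary" => "Malicious code in example-helper (npm)",
    "affected" => [
      %{
        "package" => %{"ecosystem" => "npm", "name" => "example-helper"},
        "versions" => ["1.4.2", "1.4.3", "1.4.4"]
      }
    ]
  }
]

db_path = Path.join(System.tmp_dir!(), "compromised-example.json")

# Persist the base set, fold the update into it, and write the result back.
# merge_database/2 returns the merged list; whether it also persists the file is
# not stated on this page, so the merged list is written explicitly.
:ok = Compromised.write_database(db_path, base)
{:ok, merged} = Compromised.merge_database(db_path, update)
:ok = Compromised.write_database(db_path, merged)
{:ok, advisories} = Compromised.read_database(db_path)

# The in-memory merge should agree with the on-disk round trip.
true = Compromised.merge_advisories(base, update) == advisories

# One entry per OSV id survives the merge.
IO.inspect(Enum.map(advisories, & &1["id"]), label: "advisory ids")

# Version checks against the loaded reports.
for {name, version} <- [
      {"example-helper", "1.4.2"},
      {"example-helper", "1.5.0"},
      {"example-colors", "0.0.1"},
      {"unrelated", "2.0.0"}
    ] do
  hit? = Enum.any?(advisories, &Compromised.affects?(&1, name, version))
  IO.puts("#{name}@#{version}: #{if hit?, do: "COMPROMISED", else: "clean"}")
end

File.rm(db_path)
```

Run it with `mix run` inside a project that depends on `npm_ex`. The point of writing the merged list back to the same path is that the file becomes the single source the offline check reads, so a refreshed OpenSSF export can be folded in without the check ever needing network access.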

---

*Consult [api-reference.md](api-reference.md) for complete listing*
