Comment on page
Interpreting results
How to interpret results of lstn
By default,
lstn commands product output in a pretty human-readable format. For example, running the command lstn scan on a project containing 4 dependencies in its package.json (aws-sdk, chalk, jq and react) returns:
aws-sdk 2.1336.0 ✓ 0 verdicts ✓ 0 problems
chalk 5.2.0 ✓ 0 verdicts ✓ 0 problems
jq 1.7.2 X 4 verdicts ✓ 0 problems
react 18.2.0 ✓ 0 verdicts ✓ 0 problems
There are 4 verdicts and 0 problems for [email protected]
[medium] npm install spawned a process (from transitive dependency [email protected])
commandline: sh -c node-gyp rebuild
executable_path: /bin/sh
parent_name: node
[medium] unexpected outbound connection destination (from transitive dependency [email protected])
commandline: node-gyp
executable_path: /usr/local/bin/node
file_descriptor: ::ffff:10.0.2.100:42960->2606:4700:10::6814:162e:0
server_ip: 2606:4700:10::6814:162e
...
The table summary on top outlines the state of verdicts and if there are any problems detected.
The text below expands on the verdicts for each of the packages. In the above example:
- [medium] refers to the priority level for the verdict
- Followed by information containing metadata, the execution trace and if it was a direct dependency or transitive.
lstn commands can be configured to product JSON output through the --json flag. For example, lstn to jq --jsonThe below JSON schema represents the output of
lstn commands. The output consists of an array of objects, each representing a package and its associated verdicts.Each object in the array has the following properties:
name: A string representing the name of the npm package.shasum: A string representing the SHA-1 checksum of the package.verdicts: An array of verdict objects, each representing a security or behavior concern related to the package.message: A string describing the security or behavior concern.
Each verdict object has the following properties:
metadata: An object containing additional information about the concern, including:commandline: A string representing the command line that triggered the concern.executable_path: A string representing the path to the executable file that triggered the concern.file_descriptor: A string representing the file descriptor associated with the concern.npm_package_name: A string representing the name of the npm package that triggered the concern.npm_package_version: A string representing the version of the npm package that triggered the concern.parent_name: A string representing the name of the parent process that spawned the concern.server_ip: A string representing the IP address of the server associated with the concern.server_port: An integer representing the port number of the server associated with the concern.
priority: A string indicating the severity of the concern, either "critical", "medium", or "low".
Last modified 8mo ago