Count audited with keys instead

feelepxyz · wraithgar · commit 05f2ccd2ff59 · 2022-06-23T08:44:29.000-07:00
diff --git a/lib/commands/audit.js b/lib/commands/audit.js
@@ -22,9 +22,9 @@ class VerifySignatures {
     this.keys = new Map()
     this.invalid = []
     this.missing = []
-    this.auditedPackages = new Set()
+    this.checkedPackages = new Set()
+    this.auditedWithKeysCount = 0
     this.verifiedCount = 0
-    this.missingSigningKeysCount = 0
     this.output = []
     this.exitCode = 0
   }
@@ -47,11 +47,9 @@ class VerifySignatures {
     }
     await pMap(edges, mapper, { concurrency: 10, stopOnError: true })
 
-    // Packages that were audited from a supported registry that returned signing keys
-    const auditedSupportedCount = this.auditedPackages.size - this.missingSigningKeysCount
     // Didn't find any dependencies that could be verified, e.g. only local
     // deps, missing version, not on a registry etc.
-    if (!auditedSupportedCount) {
+    if (!this.auditedWithKeysCount) {
       throw new Error('found no dependencies to audit that where installed from ' +
                       'a supported registry')
     }
@@ -75,8 +73,8 @@ class VerifySignatures {
     const end = process.hrtime.bigint()
     const elapsed = end - start
 
-    const auditedPlural = auditedSupportedCount > 1 ? 's' : ''
-    const timing = `audited ${auditedSupportedCount} package${auditedPlural} in ` +
+    const auditedPlural = this.auditedWithKeysCount > 1 ? 's' : ''
+    const timing = `audited ${this.auditedWithKeysCount} package${auditedPlural} in ` +
       `${Math.floor(Number(elapsed) / 1e9)}s`
     const verifiedPrefix = hasNoInvalidOrMissing && this.verifiedCount ?
       'verified registry signatures, ' : ''
@@ -265,14 +263,20 @@ class VerifySignatures {
       return
     }
     const { name, version, location, registry, type } = info
-    if (this.auditedPackages.has(location)) {
+    const keys = this.keys.get(registry) || []
+    if (this.checkedPackages.has(location)) {
       // we already did or are doing this one
       return
     }
-    this.auditedPackages.add(location)
+    this.checkedPackages.add(location)
+
+    // We only "audit" or verify the signature, or the presence of it, on
+    // packages whose registry returns signing keys
+    if (keys.length) {
+      this.auditedWithKeysCount += 1
+    }
 
     try {
-      const keys = this.keys.get(registry) || []
       const { integrity, signatures, resolved } = await this.verifySignatures(
         name, version, registry
       )
@@ -290,8 +294,6 @@ class VerifySignatures {
           integrity,
           registry,
         })
-      } else {
-        this.missingSigningKeysCount += 1
       }
     } catch (e) {
       if (e.code === 'EINTEGRITYSIGNATURE') {
