InfoSec812 / npm-audit-ci-wrapper

A wrapper for 'npm audit' which can be configurable for use in a CI/CD tool like Jenkins
Apache License 2.0
13 stars 11 forks

Empty output #81

Closed nelsonthedev closed 3 years ago

nelsonthedev commented 3 years ago

Hi, I just installed and executed the tool in my project but I get no outcome from it even though the regular npm-audit does.

Am I missing something?

npm install --save-dev npm-audit-ci-wrapper
npx npm-audit-ci-wrapper

InfoSec812 commented 3 years ago

If there is no output, it did not find any vulnerable libraries with the default thresholds. You can try to "force" a result by setting the threshold to "low":

npm-audit-ci-wrapper -t low

InfoSec812 commented 3 years ago

The goal of this application is not to show pretty results, but to be able to "break a build"... This means that the main output is either a zero or non-zero exit code.

npm-audit-ci-wrapper -t low && echo "Did not find any vulnerable libraries" || echo "FOUND vulnerabilities"

eL-HaXo commented 3 years ago

I am seeing the same issue. I run npm audit --registry https://registry.npmjs.org and find 6 vulnerabilities (low to moderate).

Running npm-audit-ci-wrapper --threshold=low --registry=https://registry.npmjs.org/ has an empty output.

eL-HaXo commented 3 years ago

Looks like this is a side effect of: https://github.com/InfoSec812/npm-audit-ci-wrapper/issues/80

eL-HaXo commented 3 years ago

I'm unable to push up my branch to create a pull request. The issue is here where filteredByDev does not use the ignoreDev argument. Setting filteredByDev to advisories if ignoreDev is false fixed the issue.

https://github.com/InfoSec812/npm-audit-ci-wrapper/blob/trunk/lib/parser.js#L116

InfoSec812 commented 3 years ago

I highly recommend that you use Sonatype's auditjs as a replacement. I am just going to mark this project as deprecated.