brave / vault

Brave personal data store vault.
https://brave.com
Mozilla Public License 2.0
19 stars 18 forks

[issue 45] Add nsp security check #46

Closed therealklanni closed 8 years ago

therealklanni commented 8 years ago
(+) 5 vulnerabilities found

│               │ Regular Expression Denial of Service
│ Name          │ hawk
│ Installed     │ 3.1.2
│ Vulnerable    │ <4.1.1
│ Patched       │ >=4.1.1
│ Path          │ vault@0.0.5 > babel-cli@6.4.5 > request@2.67.0 > hawk@3.1.2
│ More Info     │ https://nodesecurity.io/advisories/77

│               │ Regular Expression Denial of Service
│ Name          │ hawk
│ Installed     │ 3.1.2
│ Vulnerable    │ <4.1.1
│ Patched       │ >=4.1.1
│ Path          │ vault@0.0.5 > request@2.67.0 > hawk@3.1.2
│ More Info     │ https://nodesecurity.io/advisories/77

│               │ Denial-of-Service Extended Event Loop Blocking
│ Name          │ qs
│ Installed     │ 0.6.6
│ Vulnerable    │ <1.0.0
│ Patched       │ >= 1.x
│ Path          │ vault@0.0.5 > bitgo@0.11.64 > chain-node@0.0.17 > request@2.36.0 > qs@0.6.6
│ More Info     │ https://nodesecurity.io/advisories/28

│               │ Denial-of-Service Memory Exhaustion
│ Name          │ qs
│ Installed     │ 0.6.6
│ Vulnerable    │ <1.0.0
│ Patched       │ >= 1.x
│ Path          │ vault@0.0.5 > bitgo@0.11.64 > chain-node@0.0.17 > request@2.36.0 > qs@0.6.6
│ More Info     │ https://nodesecurity.io/advisories/29

│               │ Regular Expression Denial of Service
│ Name          │ hawk
│ Installed     │ 1.0.0
│ Vulnerable    │ <4.1.1
│ Patched       │ >=4.1.1
│ Path          │ vault@0.0.5 > bitgo@0.11.64 > chain-node@0.0.17 > request@2.36.0 > hawk@1.0.0
│ More Info     │ https://nodesecurity.io/advisories/77

Unfortunately, I don't recommend adding an exception for any of these packages. We should try to find a solution. The best course of action is probably to notify the maintainers (that aren't already aware).

Tracking issues: BitGo #20 chain-node #27 request #2020

Closes #45

mrose17 commented 8 years ago

@therealklanni - I think the order of fixing is: request, bitgo, and then vault. Since it wouldn't be optimal to merge a PR that breaks travis(!!), let me do some forking and testing, etc., and then talk to the repo owners... updates soon!
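The two comments above carry the whole technical content of this thread: the nsp report lists each vulnerable package together with the dependency path that pulls it into vault, and the fix has to land upstream-first (request, then bitgo, then vault). The following is an added example, not code from brave/vault, nsp or any of the projects named here. It takes the five findings from the table above (re-entered inline from that table), checks each installed version against the advisory's vulnerable range, records which direct dependency of vault introduces the package and which dependent has to release first, and derives the upstream-first fix order from the union of all paths. The function names, the single-comparator range parser and the `root@ver > dep@ver > ...` path format are assumptions of this example.

```javascript
// Added example for this PR thread (not code from brave/vault or nsp): turn
// nsp-style findings into a remediation plan.

// Constructed from the advisory table in the first comment of the PR.
const findings = [
  { advisory: 77, name: 'hawk', installed: '3.1.2', vulnerable: '<4.1.1',
    path: 'vault@0.0.5 > babel-cli@6.4.5 > request@2.67.0 > hawk@3.1.2' },
  { advisory: 77, name: 'hawk', installed: '3.1.2', vulnerable: '<4.1.1',
    path: 'vault@0.0.5 > request@2.67.0 > hawk@3.1.2' },
  { advisory: 28, name: 'qs', installed: '0.6.6', vulnerable: '<1.0.0',
    path: 'vault@0.0.5 > bitgo@0.11.64 > chain-node@0.0.17 > request@2.36.0 > qs@0.6.6' },
  { advisory: 29, name: 'qs', installed: '0.6.6', vulnerable: '<1.0.0',
    path: 'vault@0.0.5 > bitgo@0.11.64 > chain-node@0.0.17 > request@2.36.0 > qs@0.6.6' },
  { advisory: 77, name: 'hawk', installed: '1.0.0', vulnerable: '<4.1.1',
    path: 'vault@0.0.5 > bitgo@0.11.64 > chain-node@0.0.17 > request@2.36.0 > hawk@1.0.0' },
];

// 'name@version' segments separated by ' > '; splitting on the last '@' keeps
// scoped names such as '@scope/pkg@1.0.0' intact.
function parsePath(path) {
  return path.split('>').map(seg => {
    const s = seg.trim();
    const at = s.lastIndexOf('@');
    return { name: s.slice(0, at), version: s.slice(at + 1) };
  });
}

// Numeric major.minor.patch comparison; pre-release tags are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Single comparator ranges as nsp prints them ('<4.1.1', '>= 1.x', '>=4.1.1');
// an 'x' component is read as 0, so '>= 1.x' means '>=1.0.0'.
function satisfies(version, range) {
  const m = range.trim().match(/^(<=|>=|<|>)?\s*([\dx]+(?:\.[\dx]+)*)$/);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const op = m[1] || '=';
  const target = m[2].split('.').map(p => (p === 'x' ? '0' : p)).join('.');
  const c = compareVersions(version, target);
  return { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0, '=': c === 0 }[op];
}

// One row per finding whose installed version really is inside the range.
function triage(list) {
  return list
    .filter(f => satisfies(f.installed, f.vulnerable))
    .map(f => {
      const chain = parsePath(f.path);
      return {
        advisory: f.advisory,
        package: `${f.name}@${f.installed}`,
        directDep: chain[1].name,               // what the root itself must bump or replace
        fixFirst: chain[chain.length - 2].name, // nearest dependent that must release a fix
      };
    });
}

// Post-order (reverse topological) walk over the union of all paths: every
// package is listed after everything it depends on, which is the order fixes
// must land in. Vulnerable leaves are dropped; they already have patched releases.
function remediationOrder(list) {
  const children = new Map();
  const leaves = new Set();
  for (const f of list.filter(f => satisfies(f.installed, f.vulnerable))) {
    const chain = parsePath(f.path).map(n => n.name);
    leaves.add(chain[chain.length - 1]);
    for (let i = 0; i + 1 < chain.length; i++) {
      if (!children.has(chain[i])) children.set(chain[i], []);
      const kids = children.get(chain[i]);
      if (!kids.includes(chain[i + 1])) kids.push(chain[i + 1]);
    }
  }
  const seen = new Set();
  const order = [];
  const visit = node => {
    if (seen.has(node)) return;
    seen.add(node);
    for (const c of children.get(node) || []) visit(c);
    order.push(node);
  };
  const childSet = new Set([].concat(...children.values()));
  for (const n of children.keys()) if (!childSet.has(n)) visit(n); // roots only
  return order.filter(n => !leaves.has(n));
}

console.table(triage(findings));
console.log('fix in this order:', remediationOrder(findings).join(' -> '));
```

For the table above this yields request, babel-cli, chain-node, bitgo, vault: request must publish against a patched hawk/qs before chain-node and bitgo can pick it up, and vault can only drop its findings after that, which is the ordering mrose17 gives.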

therealklanni commented 8 years ago

Yep, absolutely don't want this merged yet until resolved! :+1:

I already posted an issue on BitGo's repo. And request already has an issue open.

mrose17 commented 8 years ago

Thanks. I am working my way down the dependencies now...

therealklanni commented 8 years ago

Here are the open issues I know of. Apparently @remy fixed hawk@3.1.3, which could resolve this for the current version of request here, without needing to wait for request to update (which was a blocker), so that's good news.

BitGo #20 chain-node #27 request #2020

remy commented 8 years ago

Since you pulled me in (and yep, hawk is fixed), I've been part of the team building https://snyk.io which gives you similar vuln reporting (and can/should be used as part of your CI) but also has guided remediation via updates and hosted patches. I'd definitely recommend checking it out.

remy commented 8 years ago

Oh. I should add, there's also the ability to create a policy file via the guided remediation, so if there's vulns you need to ignore for any specific reason, that is taken into account when you run snyk test in your project.

mrose17 commented 8 years ago

Keeping the issue -- https://github.com/brave/vault/tree/issue-41 -- but not using this fix!

mrose17 commented 8 years ago

To reiterate from https://github.com/brave/vault-client/pull/6:

Should not be merged until the following issues are resolved

Tracking issues: BitGo #20 chain-node #27 request #2020

mrose17 commented 8 years ago

fixed in https://github.com/brave/vault/commit/09efc74f2eab7300aba509dd1dbd7df702688e8a