hawkeyesec / scanner-cli

A project security/vulnerability/risk scanning tool

Scan Hawkeye with Hawkeye #129

Open bekh6ex opened 5 years ago

bekh6ex commented 5 years ago

Description

Do a self scan

Fixes #128

Type of change

Toolchain

How Has This Been Tested?

Just run ./bin/hawkeye scan in hawkeyesec/scanner-cli project root

Test Configuration:

Checklist:

bekh6ex commented 5 years ago

Now it's failing:

module            level   code                           offender    description                                       mitigation                             
----------------  ------  -----------------------------  ----------  ------------------------------------------------  ---------------------------------------
node-npmoutdated  medium  node-npmoutdated-semver-2      semver      Module is one or more minor versions out of date  Upgrade to v6.2.0 (Current: v6.1.1)    
node-npmoutdated  medium  node-npmoutdated-superagent-2  superagent  Module is one or more minor versions out of date  Upgrade to v5.1.0 (Current: v5.0.5)    
node-npmoutdated  low     node-npmoutdated-lodash-3      lodash      Module is one or more patch versions out of date  Upgrade to v4.17.14 (Current: v4.17.11)

Need to figure out what would be the proper fix. Ideas?

bekh6ex commented 5 years ago

Looks like it would be nice to have a minimal level per module configuration...
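The per-module minimum level suggested above, as an added example in Node.js that is not part of hawkeyesec/scanner-cli: it scores outdated dependencies by semver distance the way the table in this thread does (minor behind is medium, patch behind is low), then drops findings below a configurable threshold for their module, so a scan can keep reporting patch-level drift without failing the build on it. The finding shape, the config format (`default` plus a `modules` map), and the major-version-behind-is-high mapping are assumptions made for the example; the sample data reuses the three packages and versions from the table.

```javascript
// Added example for the per-module minimum level idea in this thread.
// Not hawkeyesec/scanner-cli code: the finding shape, the config format and the
// major -> high mapping are assumptions constructed for illustration.

const LEVELS = ['low', 'medium', 'high', 'critical'];

// Parse "v4.17.11" or "4.17.11" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Severity of an outdated dependency from the semver distance, mirroring the
// table above: minor behind -> medium, patch behind -> low. Major behind -> high
// is an assumption; the table shows no such case.
function outdatedLevel(current, latest) {
  const [cMaj, cMin, cPat] = parseVersion(current);
  const [lMaj, lMin, lPat] = parseVersion(latest);
  if (lMaj > cMaj) return 'high';
  if (lMaj === cMaj && lMin > cMin) return 'medium';
  if (lMaj === cMaj && lMin === cMin && lPat > cPat) return 'low';
  return null; // up to date (or ahead of the registry)
}

// Constructed sample in the shape of `npm outdated --json` values, using the
// three packages and versions reported in the thread.
const SAMPLE_OUTDATED = {
  semver: { current: '6.1.1', latest: '6.2.0' },
  superagent: { current: '5.0.5', latest: '5.1.0' },
  lodash: { current: '4.17.11', latest: '4.17.14' },
};

// Turn the outdated report into findings shaped like the rows hawkeye prints.
function buildFindings(outdated, moduleName = 'node-npmoutdated') {
  const findings = [];
  for (const [name, { current, latest }] of Object.entries(outdated)) {
    const level = outdatedLevel(current, latest);
    if (level === null) continue; // nothing to report
    const kind = { low: 'patch', medium: 'minor', high: 'major' }[level];
    findings.push({
      module: moduleName,
      level,
      offender: name,
      description: `Module is one or more ${kind} versions out of date`,
      mitigation: `Upgrade to v${latest} (Current: v${current})`,
    });
  }
  return findings;
}

// Drop findings below the minimum level for their module. Config shape is an
// assumption, not hawkeye's own: { default: 'low', modules: { 'node-npmoutdated': 'medium' } }
function filterByMinLevel(findings, config) {
  const rank = (lvl) => {
    const i = LEVELS.indexOf(lvl);
    if (i < 0) throw new Error(`unknown level: ${lvl}`);
    return i;
  };
  const defaultMin = rank(config.default || 'low');
  return findings.filter((f) => {
    const perModule = config.modules && config.modules[f.module];
    const min = perModule ? rank(perModule) : defaultMin;
    return rank(f.level) >= min;
  });
}

// A scan "fails" (would exit non-zero) when any finding survives the threshold.
function scanFails(findings, config) {
  return filterByMinLevel(findings, config).length > 0;
}

// Demo: with node-npmoutdated held to "medium", the lodash patch-level row drops out.
const demoConfig = { default: 'low', modules: { 'node-npmoutdated': 'medium' } };
console.table(filterByMinLevel(buildFindings(SAMPLE_OUTDATED), demoConfig));
```

With the demo config the semver and superagent rows still fail the scan, while the lodash row is filtered; setting the module threshold to `high` makes `scanFails` return false for this sample, which is the "do not fail the build on version drift" behaviour the thread is after, without hiding the rows from a full report.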

felixhammerl commented 5 years ago

I will change this a bit in the sense that I'll have the check run as a nightly cron job, instead of every build. I do recommend this to teams, so it makes sense to have it here as well :)

For this, I'll modify the setup for the nightly OWASP update build to listen to another env variable so that they don't clash.