jeemok / better-npm-audit

The goal of this project is to provide additional features on top of the existing npm audit options
https://www.npmjs.com/package/better-npm-audit
MIT License

Use new GitHub CVE ID #60

Closed guillermaster closed 2 years ago

guillermaster commented 3 years ago

Hi @jeemok

Now that the NPM vulnerability advisories have been migrated to GitHub, the vulnerability identifier has changed. Vulnerabilities are now identified by a CVE ID, which is an alphanumeric code, as you can see in this example: Prototype Pollution in set-value.

I'm opening this issue so we can use the CVE ID in the list of ignored vulnerabilities instead of the long numeric value that is being used at the moment (i.e., 1002401), which is not identifiable when opening the advisory report on GitHub.

By the way, the recent updates on the package look great! Otsukaresama!

jeemok commented 3 years ago

Hey @guillermaster! 👋🏻 Otsukaresamedesu! 😮 Thanks for sharing this! I wasn't aware of it. Let me look into it ...

ocean89 commented 2 years ago

Any updates on this? :)

jeemok commented 2 years ago

Hi @ocean89, sorry that I didn't post an update on this issue. The last time I checked, this would require a major rework in processing the security report and might need to handle existing numeric values for backward compatibility. At the moment I don't have much capacity to work on it and would appreciate it if anyone could help with this.

kyleclark1824 commented 2 years ago

I did put in a PR for a first crack at implementing this. I'm sure it could use some polishing but may be a good starting point.

https://github.com/jeemok/better-npm-audit/pull/73

ZedLove commented 2 years ago

This change is essentially required for this package to continue to be useful, and I think it should be prioritized. The IDs provided by npm audit have been changing rapidly over the past few days; in some cases I've seen a vulnerability have three or four different IDs.

jeemok commented 2 years ago

I agree to prioritize this; perhaps there is no feasible solution to support the v7 report now (due to the lack of info provided in the audit report), but let's focus on v6 support first 👍🏻

jeemok commented 2 years ago

Hey all, I've published the beta version (v3.7.0) for supporting CVE, CWE, GHSA, and URL IDs. Please try it out and let me know if there is an issue; otherwise, I will republish it under the latest tag next week.

Thank you all again for this amazing support 👍🏻

kyle-clark1824 commented 2 years ago

Thank you @jeemok for the update and this great project!

ZedLove commented 2 years ago

Thank you @jeemok for addressing this so promptly. Your comment says that CVEs are supported, but I haven't found this to be the case. Is CVE support only available for npm v6?

I can confirm that v3.7.0 does allow me to add exceptions using GHSAs on npm v8.1.0

jeemok commented 2 years ago

You're right @ZedLove, I will update the README to describe in more detail what is supported; in summary:

You can refer to these two functions that handle v6 and v7+ advisories for what it checks:

ZedLove commented 2 years ago

@jeemok I've noticed that, despite ignoring the advisories based on GHSA IDs, I am still seeing the notice about the IDs not matching any found vulns.

e.g.

🤝  All good!
8 of the excluded vulnerabilities did not match any of the found vulnerabilities:

jeemok commented 2 years ago

Hey @ZedLove, I've updated the unused exception handler and published it under v3.7.1. Please have a try and let me know if there is an issue :)

Version v3.7.1 is published under the latest tag; I'll mark this issue closed. Thank you all for your contribution to this!
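To make the ID matching discussed in this thread concrete, here is an added example (not better-npm-audit's own code) of matching an exception list against both the v6 `advisories` and the v7+ `vulnerabilities[...].via[]` report shapes by numeric id, CVE, CWE, GHSA, or URL, and of deriving the "did not match any of the found vulnerabilities" notice from the same normalised identifiers so that a GHSA-matched exception is never reported as unused. The field names follow npm's report formats; the sample reports and the GHSA/CVE values in them are constructed placeholders.

```javascript
// Added example, not better-npm-audit's own code: match an exception list against the
// advisories in an npm audit v6 or v7+ JSON report and list exceptions that matched nothing.
// Field names follow the two report shapes; the sample reports below are constructed.
const GHSA_RE = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}$/i;

// v6 report: advisories keyed by numeric id, carrying cves/cwe/github_advisory_id/url.
// v7+ report: vulnerabilities[pkg].via[] objects carry only source (numeric) and url.
function collectAdvisories(report) {
  if (report.advisories) return Object.values(report.advisories);
  const found = [];
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    for (const via of vuln.via || []) if (typeof via === 'object') found.push(via);
  }
  return found;
}

// Every identifier an exception could reference for one advisory, upper-cased so that
// matching and the "unused exception" check use exactly the same normalisation.
function advisoryIds(adv) {
  const ids = new Set();
  for (const n of [adv.id, adv.source]) if (n !== undefined) ids.add(String(n));
  for (const c of [].concat(adv.cves || [], adv.cwe || [])) ids.add(c.toUpperCase());
  if (adv.github_advisory_id) ids.add(adv.github_advisory_id.toUpperCase());
  if (adv.url) {
    ids.add(adv.url.toUpperCase());
    const m = adv.url.match(GHSA_RE); // v7+ only exposes the GHSA id through the URL
    if (m) ids.add(m[0].toUpperCase());
  }
  return ids;
}

// Returns how many advisories still fail the audit and which exceptions matched no
// advisory; both are computed from the same id sets, so a GHSA match is never "unused".
function applyExceptions(report, exceptions) {
  const idSets = collectAdvisories(report).map(advisoryIds);
  const wanted = exceptions.map(e => String(e).toUpperCase());
  const unused = exceptions.filter((e, i) => !idSets.some(ids => ids.has(wanted[i])));
  const remaining = idSets.filter(ids => !wanted.some(w => ids.has(w))).length;
  return { unused, remaining };
}

// Constructed samples: 1002401 is the numeric id quoted in the issue; CVE/GHSA are placeholders.
const SAMPLE_V6 = { advisories: { 1002401: { id: 1002401, cves: ['CVE-0000-00000'], cwe: 'CWE-1321',
  github_advisory_id: 'GHSA-aaaa-bbbb-cccc', url: 'https://github.com/advisories/GHSA-aaaa-bbbb-cccc' } } };
const SAMPLE_V7 = { vulnerabilities: { 'set-value': { via: [
  { source: 1002401, name: 'set-value', url: 'https://github.com/advisories/GHSA-aaaa-bbbb-cccc' },
  'other-pkg' ] } } };
```

Note that against the v7+ sample a CVE exception is correctly reported as unused, because that report shape carries no CVE field at all, which is the "lack of info" limitation mentioned earlier in the thread.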