lirantal / lockfile-lint

Lint an npm or yarn lockfile to analyze and detect security issues
Apache License 2.0
781 stars 35 forks

CLI option to report all non-whitelisted URLs used #10

Closed nishils closed 4 years ago

nishils commented 4 years ago

This looks like a pretty awesome project and something I would like to include in Salus (www.github.com/coinbase/salus) to get better coverage on yarn and npm projects.

Is your feature request related to a problem? Please describe. Please describe the problem you are trying to solve.

I'd like to get a list of all URLs being used that don't match the whitelist that fails a scan.

Describe the solution you'd like Please describe the desired behavior.

Instead of returning detected invalid origin for package: <package_name>, I would like to see the URL used in addition to the package name.

Preferably in a JSON format option for easier parsing but I can implement a rudimentary parser on this syntax if outputting in JSON is not going to be supported.

Describe alternatives you've considered Please describe alternative solutions or features you have considered.

lirantal commented 4 years ago

Thanks for the feedback, sounds great!

I'd like to get a list of all URLs being used that don't match the whitelist that fails a scan.

You can get this when running the linter in debug mode as shown in the screenshot on the README.

I like the JSON suggestion - we can support a --json flag to return all this data in a structured way, including the full URL as you pointed out. I'm happy to get a PR that adds this.

P.S. I'm heading out to JSConf Budapest for a week so will be slow to respond.

nishils commented 4 years ago

Sorry, I may be misunderstanding something. When I run DEBUG=* lockfile-lint --type yarn --path yarn.lock --validate-https --allowed-hosts yarn npm, I get the following output:

  lockfile-lint parsed the following CLI arguments: {"_":[],"type":"yarn","t":"yarn","path":"yarn.lock","p":"yarn.lock","validate-https":true,"s":true,"validateHttps":true,"allowed-hosts":["yarn","npm"],"a":["yarn","npm"],"allowedHosts":["yarn","npm"],"$0":"/usr/local/bin/lockfile-lint"} +0ms
  lockfile-lint invoking validator for: validateHttps +0ms
  validate-host-manager invoked with validator options: true +0ms
  lockfile-lint validator validateHttps reported no issues +99ms
  lockfile-lint invoking validator for: validateHosts +0ms
  validate-host-manager invoked with validator options: ["yarn","npm"] +0ms
detected invalid origin for package: <package name redacted>
detected invalid origin for package: <package name redacted>
  lockfile-lint total validators invoked: 2 +202ms
  lockfile-lint total validator failures: 2 +0ms
  lockfile-lint total validator successes: 1 +0ms

I don't see anything about the URL that is being flagged. For example, if the package was making connections to https://evil.com, I would like to see that along with the package that is making the call.

Example output could be

detected invalid origin (https://evil.com) for package: <package name>

lirantal commented 4 years ago

You are correct, we are not displaying anything about the URL, just the package. Agree with you completely 👍

lirantal commented 4 years ago

@nishils I believe that the PR at https://github.com/lirantal/lockfile-lint/pull/20 which landed a while ago is now providing this, right?

Here is an example output now with a wrong URL:

$ npx lockfile-lint -p package-lock.json -t npm -s -a npm github.com -o "https:" "github:"

detected invalid host(s) for package: @babel/code-frame@7.5.5
    expected: registry.npmjs.org,github.com
    actual: registry.spmjs.org

error: command failed with exit code 1
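
The check behind that output, as an added example that is not lockfile-lint's own code: it walks a constructed lockfileVersion 1 package-lock.json, flags every dependency whose resolved URL uses a host outside the allow-list or a non-https scheme, and emits both the text form shown above and the JSON form requested in this thread. The sample lockfile, `findInvalidOrigins` and `formatFinding` are all constructed here.

```javascript
// Added example, not lockfile-lint's own code: list every dependency in a
// package-lock.json whose "resolved" URL uses a host outside an allow-list
// (or a non-https scheme), reporting the offending URL next to the package.

// Constructed sample lockfileVersion 1 package-lock.json, not a real lockfile.
// "registry.spmjs.org" is the wrong host from the thread's example output.
const sampleLock = JSON.stringify({
  name: 'demo', lockfileVersion: 1,
  dependencies: {
    '@babel/code-frame': { version: '7.5.5',
      resolved: 'https://registry.spmjs.org/@babel/code-frame/-/code-frame-7.5.5.tgz' },
    'left-pad': { version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
      dependencies: {
        'tiny-lib': { version: '0.1.0',
          resolved: 'http://registry.npmjs.org/tiny-lib/-/tiny-lib-0.1.0.tgz' } } },
  },
});

// Yield every package in the (nested) v1 "dependencies" tree.
function* walk(deps) {
  for (const [name, meta] of Object.entries(deps || {})) {
    yield { name, version: meta.version, resolved: meta.resolved };
    yield* walk(meta.dependencies);
  }
}

// One finding per package whose resolved URL fails the host or https check.
function findInvalidOrigins(lockText, allowedHosts, requireHttps = true) {
  const findings = [];
  for (const pkg of walk(JSON.parse(lockText).dependencies)) {
    if (!pkg.resolved) continue;            // e.g. bundled or local packages
    const url = new URL(pkg.resolved);
    const reasons = [];
    if (!allowedHosts.includes(url.hostname)) reasons.push('host');
    if (requireHttps && url.protocol !== 'https:') reasons.push('scheme');
    if (reasons.length === 0) continue;
    findings.push({ package: `${pkg.name}@${pkg.version}`, expected: allowedHosts,
      actual: url.hostname, url: pkg.resolved, reasons });
  }
  return findings;
}

// Text form matching the thread's output; the findings array is the JSON form.
function formatFinding(f) {
  return `detected invalid origin (${f.url}) for package: ${f.package}\n` +
    `    expected: ${f.expected.join(',')}\n    actual: ${f.actual}`;
}

const results = findInvalidOrigins(sampleLock, ['registry.npmjs.org', 'github.com']);
results.forEach(f => console.log(formatFinding(f)));
console.log(JSON.stringify(results, null, 2));
```

Against the sample it reports @babel/code-frame@7.5.5 for its host and tiny-lib@0.1.0 for its http scheme, while left-pad passes.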

lirantal commented 4 years ago

Will close as this is now being supported and happy to see this used in the Salus project ❤️