Closed toufali closed 7 months ago
Looks like npm-audit-ci-wrapper recommends auditjs:

"I highly recommend that you switch to using Sonatype's auditjs which is far more stable and not dependent on NPM's Audit API. It instead uses the Sonatype OSSI registry which covers a lot more detail."

```sh
npx auditjs@beta ossi --quiet --no-color --json
```
I don't think the `--quiet` flag works w/ `--json` or `--xml` reporters (or at least not like I expect, and not the same as if you use the default stdout reporter). Odd since it was reported as https://github.com/sonatype-nexus-community/auditjs/issues/179 and was fixed at some point. "weird"
UPDATE: the `@beta` channel for auditjs is currently quite a bit behind the `@latest` channel; this works if you use the `npx auditjs ossi --quiet --json` command below.
Actually, ignore that last part... Per the linked 179 issue:

"This issue has been resolved in version 4.0.9"

Yet, the `@beta` dist-tag is somewhat old (pre-v4.0.1 vs `@latest`'s 4.0.32; not sure where I grabbed that command that suggested using the beta release via npx):

```sh
npm info auditjs dist-tags
```

```
{
  beta: '4.0.1-beta.33',
  latest: '4.0.32',
  beta1: '2.0.0',
  alpha: '4.0.1-alpha.38'
}
```
So this updated command gives me the sauce I want:
```sh
npx --quiet auditjs ossi --quiet --json
```

```json
[
  {
    "coordinates": "pkg:npm/glob-parent@3.1.0",
    "description": "Extract the non-magic parent path from a glob string.",
    "reference": "https://ossindex.sonatype.org/component/pkg:npm/glob-parent@3.1.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.1-beta.33",
    "vulnerabilities": [
      {
        "id": "64cd5f21-8af4-4eae-ac7d-a53241ea693a",
        "title": "CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')",
        "description": "The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.",
        "cvssScore": 7.5,
        "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "reference": "https://ossindex.sonatype.org/vulnerability/64cd5f21-8af4-4eae-ac7d-a53241ea693a?component-type=npm&component-name=glob-parent&utm_source=auditjs&utm_medium=integration&utm_content=4.0.1-beta.33"
      }
    ]
  },
  {
    "coordinates": "pkg:npm/yargs-parser@5.0.1",
    "description": "the mighty option parser used by yargs",
    "reference": "https://ossindex.sonatype.org/component/pkg:npm/yargs-parser@5.0.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.1-beta.33",
    "vulnerabilities": [
      {
        "id": "b7740d41-fc85-4d22-8af5-5a3159e114ea",
        "title": "[CVE-2020-7608] yargs-parser could be tricked into adding or modifying properties of Object.prot...",
        "description": "yargs-parser could be tricked into adding or modifying properties of Object.prototype using a \"__proto__\" payload.",
        "cvssScore": 7.5,
        "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
        "cve": "CVE-2020-7608",
        "reference": "https://ossindex.sonatype.org/vulnerability/b7740d41-fc85-4d22-8af5-5a3159e114ea?component-type=npm&component-name=yargs-parser&utm_source=auditjs&utm_medium=integration&utm_content=4.0.1-beta.33"
      },
      {
        "id": "7ccaaed0-205b-4382-a963-8a30a0b151b1",
        "title": "CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')",
        "description": "The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.",
        "cvssScore": 7.5,
        "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "reference": "https://ossindex.sonatype.org/vulnerability/7ccaaed0-205b-4382-a963-8a30a0b151b1?component-type=npm&component-name=yargs-parser&utm_source=auditjs&utm_medium=integration&utm_content=4.0.1-beta.33"
      }
    ]
  }
]
```
YARGS! ✊
Thanks @pdehaan for the initial legwork – a great head-start!
And you ask "Why do you specify `--quiet` twice on the CLI?"

```sh
npx --quiet auditjs ossi --quiet --json
```

Well, the first one is passed to `npx` to suppress that horrible "npx: installed 105 in 4.821s" output. The second one is for auditjs... Although looking at that closer, I guess the npx output doesn't matter much since it doesn't seem like it's piped to stdout and therefore not written to disk if you pipe the output to a file. I was curious if you could take the result from auditjs and transform it through jq or something to only throw an error if there were any vulnerabilities higher than an arbitrary score of 8.0.
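One way to build the score gate wondered about above, as an added example that is not part of the thread or of auditjs: a small Node script (jq could do the same filtering) that reads the `ossi --json` array and fails the step only when a finding reaches a CVSS cut-off. Only the report shape quoted above (`coordinates`, `vulnerabilities[].cvssScore`) is assumed; the sample report, its package names and ids are constructed placeholders.

```javascript
// Added example (not from the thread or auditjs): gate a CI step on the JSON that
// `npx --quiet auditjs ossi --quiet --json` prints, failing only when a vulnerability
// scores at or above an arbitrary CVSS threshold (8.0, as in the discussion). Only
// the shape quoted in the thread is assumed:
//   [{ coordinates, vulnerabilities: [{ id, title, cve?, cvssScore }] }]
const THRESHOLD = 8.0;

// Flatten the report to one record per vulnerability that meets the threshold.
function findingsAbove(report, threshold = THRESHOLD) {
  if (!Array.isArray(report)) {
    throw new TypeError('expected auditjs --json output: an array of components');
  }
  const hits = [];
  for (const component of report) {
    for (const vuln of component.vulnerabilities || []) {
      // A missing or unparseable score is treated as a failure: an unknown
      // severity must not slip through a security gate unnoticed.
      const score = vuln.cvssScore == null ? NaN : Number(vuln.cvssScore);
      if (Number.isNaN(score) || score >= threshold) {
        hits.push({
          coordinates: component.coordinates,
          id: vuln.id,
          cve: vuln.cve || null,
          cvssScore: Number.isNaN(score) ? null : score,
          title: vuln.title,
        });
      }
    }
  }
  return hits;
}

// Exit code for the CI step: 1 when anything meets the gate, else 0.
function gateExitCode(report, threshold = THRESHOLD) {
  return findingsAbove(report, threshold).length > 0 ? 1 : 0;
}

// Constructed sample in the auditjs shape; package names and ids are placeholders.
const SAMPLE_REPORT = [
  { coordinates: 'pkg:npm/example-a@1.0.0',
    vulnerabilities: [{ id: 'vuln-1', title: 'CWE-400 example', cvssScore: 7.5 }] },
  { coordinates: 'pkg:npm/example-b@2.0.0',
    vulnerabilities: [
      { id: 'vuln-2', title: 'critical placeholder', cve: 'CVE-PLACEHOLDER', cvssScore: 9.8 },
      { id: 'vuln-3', title: 'no score reported' } ] },
  { coordinates: 'pkg:npm/example-c@3.0.0', vulnerabilities: [] },
];

// In CI: parse auditjs stdout with JSON.parse, then process.exit(gateExitCode(report)).
```

With the sample report the gate fails on the 9.8 finding and on the unscored one, while the 7.5 entries pass at the 8.0 cut-off.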
And there is also https://snyk.io/ which I think we've used on a few projects, but I haven't tried recently.
Closing since we've redesigned the site and functionality since this was created. If you feel that this is still needed, please let me know.
The `lint-audit` step uses the 3rd party dependency `npm-audit-ci-wrapper`, which is deprecated. It seems like this step is a no-op, since there have been numerous audit alerts that have gone un-flagged. We should refactor the step, possibly using npm-native audit tools. Alternatively we can likely remove the step altogether, given that GitHub provides audits as well.

In conjunction with the audit step, we might also run a dependency check, possibly via `depcheck`. See #2316