mozilla / blurts-server

Mozilla Monitor arms you with tools to keep your personal information safe. Find out what hackers already know about you and learn how to stay a step ahead of them.
https://monitor.mozilla.org
Mozilla Public License 2.0

The `lint-audit` step in CircleCI doesn't appear to do anything #2344

Closed toufali closed 7 months ago

toufali commented 3 years ago

The lint-audit step uses the 3rd-party dependency npm-audit-ci-wrapper, which is deprecated. It seems like this step is a no-op, since there have been numerous audit alerts that have gone un-flagged.

We should refactor the step, possibly using npm-native audit tools. Alternatively we can likely remove the step altogether, given that GitHub provides audits as well.

In conjunction with the audit step, we might also run a dependency check, possibly via depcheck. See #2316

pdehaan commented 3 years ago

Looks like npm-audit-ci-wrapper recommends auditjs:

"I highly recommend that you switch to using Sonatype's auditjs which is far more stable and not dependent on NPM's Audit API. It instead uses the Sonatype OSSI registry which covers a lot more detail."

npx auditjs@beta ossi --quiet --no-color --json

I don't think the --quiet flag works w/ --json or --xml reporters (or at least not like I expect, and not the same as if you use the default stdout reporter). Odd since it was reported as https://github.com/sonatype-nexus-community/auditjs/issues/179 and was fixed at some point. "weird"

UPDATE: the @beta channel for auditjs is currently quite a bit behind the @latest channel; this works if you use the npx auditjs ossi --quiet --json command below.

pdehaan commented 3 years ago

Actually, ignore that last part... Per the linked 179 issue:

This issue has been resolved in version 4.0.9

Yet, the @beta dist-tag is somewhat old (pre-v4.0.1 vs @latest's 4.0.32; not sure where I grabbed that command that suggested using beta release via npx):

npm info auditjs dist-tags

{
  beta: '4.0.1-beta.33',
  latest: '4.0.32',
  beta1: '2.0.0',
  alpha: '4.0.1-alpha.38'
}

So this updated command gives me the sauce I want:

npx --quiet auditjs ossi --quiet --json

[
  {
    "coordinates": "pkg:npm/glob-parent@3.1.0",
    "description": "Extract the non-magic parent path from a glob string.",
    "reference": "https://ossindex.sonatype.org/component/pkg:npm/glob-parent@3.1.0?utm_source=auditjs&utm_medium=integration&utm_content=4.0.1-beta.33",
    "vulnerabilities": [
      {
        "id": "64cd5f21-8af4-4eae-ac7d-a53241ea693a",
        "title": "CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')",
        "description": "The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.",
        "cvssScore": 7.5,
        "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "reference": "https://ossindex.sonatype.org/vulnerability/64cd5f21-8af4-4eae-ac7d-a53241ea693a?component-type=npm&component-name=glob-parent&utm_source=auditjs&utm_medium=integration&utm_content=4.0.1-beta.33"
      }
    ]
  },
  {
    "coordinates": "pkg:npm/yargs-parser@5.0.1",
    "description": "the mighty option parser used by yargs",
    "reference": "https://ossindex.sonatype.org/component/pkg:npm/yargs-parser@5.0.1?utm_source=auditjs&utm_medium=integration&utm_content=4.0.1-beta.33",
    "vulnerabilities": [
      {
        "id": "b7740d41-fc85-4d22-8af5-5a3159e114ea",
        "title": "[CVE-2020-7608] yargs-parser could be tricked into adding or modifying properties of Object.prot...",
        "description": "yargs-parser could be tricked into adding or modifying properties of Object.prototype using a \"__proto__\" payload.",
        "cvssScore": 7.5,
        "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
        "cve": "CVE-2020-7608",
        "reference": "https://ossindex.sonatype.org/vulnerability/b7740d41-fc85-4d22-8af5-5a3159e114ea?component-type=npm&component-name=yargs-parser&utm_source=auditjs&utm_medium=integration&utm_content=4.0.1-beta.33"
      },
      {
        "id": "7ccaaed0-205b-4382-a963-8a30a0b151b1",
        "title": "CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')",
        "description": "The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.",
        "cvssScore": 7.5,
        "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "reference": "https://ossindex.sonatype.org/vulnerability/7ccaaed0-205b-4382-a963-8a30a0b151b1?component-type=npm&component-name=yargs-parser&utm_source=auditjs&utm_medium=integration&utm_content=4.0.1-beta.33"
      }
    ]
  }
]

toufali commented 3 years ago

YARGS! ✊
Thanks @pdehaan for the initial legwork – a great head-start!

pdehaan commented 3 years ago

And you ask "Why do you specify --quiet twice on the CLI?"

npx --quiet auditjs ossi --quiet --json

Well, the first one is passed to npx to suppress that horrible "npx: installed 105 in 4.821s" output. The second one is for auditjs... Although looking at that closer, I guess the npx output doesn't matter much since it doesn't seem like it's piped to stdout and therefore not written to disk if you pipe the output to a file. I was curious if you could take the result from auditjs and transform it through jq or something to only throw an error if there were any vulnerabilities higher than an arbitrary score of 8.0.

And there is also https://snyk.io/ which I think we've used on a few projects, but I haven't tried recently.

EMMLynch commented 7 months ago

Closing since we've redesigned the site and functionality since this was created. If you feel that this is still needed, please let me know.