Open ayusaxena opened 3 years ago
I've been running into this issue today as well (using npm-audit-resolver@3.0.0-4). I've provided a sample console log below with the steps executed and the stacktrace.
The workaround I've been using is selecting to "ignore for a month", and then manually removing the expiresAt property from audit-resolve.json.
> resolve-audit --production --registry https://registry.npmjs.org/
>>>> npm audit --json --production --registry https://registry.npmjs.org/
>>>> npm ls --depth=0 --json --production --registry https://registry.npmjs.org/
------------------------------------------------------
[ high ] node-fetch https://github.com/advisories/GHSA-r683-j2x4-v87g
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
vulnerable versions <2.6.7 found in:
- node-fetch
f) fix automatically
r) remind me in 24h
i) ignore paths
del) Remove all listed dependency paths
s) Skip this
q) Quit
What would you like to do? i
You can ignore permanently or decide to revisit later
M) ignore for a month
W) ignore for a week
!) ignore permanently
s) Skip this
q) Quit
What would you like to do? !
TypeError: Cannot read properties of undefined (reading 'ignoreExpiresInDays')
at saveResolution (C:\app\node_modules\audit-resolve-core\statusManager.js:15:91)
at ignoreForever (C:\app\node_modules\npm-audit-resolver\src\resolve\actions.js:39:16)
at Object.takeAction (C:\app\node_modules\npm-audit-resolver\src\resolve\actions.js:96:34)
at C:\app\node_modules\npm-audit-resolver\src\resolve\prompter.js:68:33
at processTicksAndRejections (node:internal/process/task_queues:96:5)
Thanks! I missed this issue, didn't monitor the core repo too much. I'll look into it. Are you sure it's the same issue though?
In the universal-embedding branch, trying to ignore an issue permanently is breaking the code if the rules obj in audit-resolve.json is empty.
Updating statusManager.js:15 to:
if (!expiresAt && resolution === RESOLUTIONS.IGNORE && auditFile.getRules().ignoreConfig && auditFile.getRules().ignoreConfig.ignoreExpiresInDays) {
should fix this issue, as it adds a check for the existence of auditFile.getRules().ignoreConfig before checking for its properties.
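The crash and the proposed guard from this thread, side by side, as an added example that is not code from npm-audit-resolver or audit-resolve-core. The `RESOLUTIONS` values, the `makeAuditFile` stub, the unguarded condition (inferred from the stack trace) and the branch body that applies a default expiry are assumptions; the guard also goes one step further than the proposal by tolerating a missing rules object.

```javascript
// Stand-in for the project's RESOLUTIONS enum; the real values are not shown in the thread.
const RESOLUTIONS = { IGNORE: "ignore", FIX: "fix" };
const DAY_MS = 24 * 60 * 60 * 1000;

// Hypothetical stub: getRules() returns the "rules" object of audit-resolve.json.
function makeAuditFile(rules) {
  return { getRules: () => rules };
}

// Unguarded condition, inferred from the TypeError in the stack trace.
// The branch body (apply a default expiry) is an assumption.
function expiryUnguarded(auditFile, resolution, expiresAt, now) {
  if (!expiresAt && resolution === RESOLUTIONS.IGNORE &&
      auditFile.getRules().ignoreConfig.ignoreExpiresInDays) {
    return now + auditFile.getRules().ignoreConfig.ignoreExpiresInDays * DAY_MS;
  }
  return expiresAt;
}

// Guarded condition: ignoreConfig (and the rules object itself) may be absent.
function expiryGuarded(auditFile, resolution, expiresAt, now) {
  const days = auditFile.getRules()?.ignoreConfig?.ignoreExpiresInDays;
  if (!expiresAt && resolution === RESOLUTIONS.IGNORE && days) {
    return now + days * DAY_MS;
  }
  return expiresAt; // undefined: no expiry recorded, i.e. a permanent ignore
}

// Runs one variant for an "ignore" decision at now = 0 and reports the outcome.
function tryExpiry(fn, rules, expiresAt) {
  try {
    return { ok: true, value: fn(makeAuditFile(rules), RESOLUTIONS.IGNORE, expiresAt, 0) };
  } catch (err) {
    return { ok: false, value: err.name };
  }
}

// Constructed inputs: an empty rules object, and one with a 30-day default.
console.log(tryExpiry(expiryUnguarded, {}, undefined)); // permanent ignore, empty rules
console.log(tryExpiry(expiryUnguarded, {}, 12345));     // explicit expiry short-circuits
console.log(tryExpiry(expiryGuarded, {}, undefined));
console.log(tryExpiry(expiryGuarded, { ignoreConfig: { ignoreExpiresInDays: 30 } }, undefined));
```

The second call shows why "ignore for a month" avoids the crash: an explicit expiry makes `!expiresAt` false, so the missing `ignoreConfig` is never dereferenced.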