Open lneves12 opened 5 years ago
Here is a script I run in my CI/CD pipeline to audit only production packages:
const fs = require("fs");
const filepath = "./reports/yarn-audit.json";

// Remove the report file whether the audit passed or failed.
function cleanup() {
  try {
    fs.unlinkSync(filepath);
  } catch (err) {
    console.error(err);
  }
}

try {
  const report = fs.readFileSync(filepath, "utf8").split("\n");
  const packageJson = require("../package.json");
  const advisoryURL = "https://npmjs.com/advisories/";
  // A project without a "dependencies" section has no production packages to check.
  const productionDependencies = Object.keys(packageJson.dependencies || {});

  // `yarn audit --json` prints one JSON object per line; keep only the advisory records
  // and skip lines that are not JSON (progress output, blank trailing line).
  const advisories = report
    .map(item => {
      try {
        return JSON.parse(item);
      } catch (e) {
        return null;
      }
    })
    .filter(advisory => advisory !== null && advisory.type === "auditAdvisory");

  // Keep an advisory only if at least one of its findings is rooted in a production
  // dependency, i.e. the first segment of its "a>b>c" path is listed in "dependencies".
  const findings = advisories.filter(advisory => {
    const advisoryFindings = advisory.data.advisory.findings;
    const advisoryFindingsProduction = advisoryFindings.filter(find => {
      const rootModule = find.paths[0].split(">")[0];
      return productionDependencies.includes(rootModule);
    });
    return advisoryFindingsProduction.length > 0;
  });

  if (findings.length > 0) {
    console.log(`found ${findings.length} vulnerabilities among production dependencies. Please visit below link for details`);
    console.log("--------------------");
    findings.forEach(finding => {
      console.log(`URL: ${advisoryURL}${finding.data.resolution.id}`);
      console.log(`Path: ${finding.data.resolution.path}`);
      console.log("--------------------");
    });
    cleanup();
    process.exit(1);
  } else {
    cleanup();
    process.exit(0);
  }
} catch (e) {
  console.log(e);
  cleanup();
  process.exit(1);
}
GitLab pipeline YAML:
audit:
  ...
  script:
    - mkdir reports
    - yarn run audit
...and the npm script:
"scripts": {
  "audit": "yarn audit --json >> reports/yarn-audit.json || true && node ./build/yarn-audit.js",
  ...
},
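Added example, not code from the issue or from the yarn project: the script above keeps only advisories whose root module appears in the root package.json "dependencies", so anything rooted in devDependencies or declared only in a workspace manifest is silently dropped. The generalization below keeps the same NDJSON parsing and root-module rule but labels each advisory as production, development or unknown against a set of manifests; the manifests and audit lines are constructed sample data, and the names `has`, `locateRootModule` and `classifyAdvisories` are mine.

```javascript
// Added example (not from the issue or from yarn): label each advisory by where its
// root module is declared instead of dropping everything outside root "dependencies".
// The manifests and the audit lines below are constructed sample data.
const manifests = {
  ".": { dependencies: { express: "4.16.0" }, devDependencies: { jest: "24.0.0" } },
  "packages/web": { dependencies: { lodash: "4.17.10" }, devDependencies: { webpack: "4.0.0" } },
};
// Three advisory records in the NDJSON shape of `yarn audit --json`, plus a summary line
// and a blank line, to exercise the non-advisory and non-JSON cases.
const sampleAuditOutput = [
  JSON.stringify({ type: "auditAdvisory", data: { resolution: { id: 1, path: "express>debug" },
    advisory: { findings: [{ paths: ["express>debug"] }], severity: "low" } } }),
  JSON.stringify({ type: "auditAdvisory", data: { resolution: { id: 2, path: "jest>foo" },
    advisory: { findings: [{ paths: ["jest>foo"] }], severity: "high" } } }),
  JSON.stringify({ type: "auditAdvisory", data: { resolution: { id: 3, path: "lodash" },
    advisory: { findings: [{ paths: ["lodash"] }], severity: "high" } } }),
  JSON.stringify({ type: "auditSummary", data: { vulnerabilities: { low: 1, high: 2 } } }),
  "",
].join("\n");

// Parse one JSON object per line; skip lines that are not JSON or not advisories.
function parseAdvisories(text) {
  return text.split("\n").flatMap(line => {
    try {
      const item = JSON.parse(line);
      return item && item.type === "auditAdvisory" ? [item] : [];
    } catch (e) {
      return [];
    }
  });
}
const has = (obj, key) => obj !== undefined && Object.prototype.hasOwnProperty.call(obj, key);

// Find the manifest and section ("production" or "development") that declares rootModule.
function locateRootModule(rootModule, manifests) {
  for (const [dir, m] of Object.entries(manifests)) {
    if (has(m.dependencies, rootModule)) return { scope: "production", manifest: dir };
    if (has(m.devDependencies, rootModule)) return { scope: "development", manifest: dir };
  }
  return { scope: "unknown", manifest: null };
}

// Same root-module rule as the script above: first segment of the first "a>b>c" path.
function classifyAdvisories(text, manifests) {
  return parseAdvisories(text).map(a => {
    const rootModule = a.data.advisory.findings[0].paths[0].split(">")[0];
    const where = locateRootModule(rootModule, manifests);
    return { id: a.data.resolution.id, severity: a.data.advisory.severity, rootModule, ...where };
  });
}
const results = classifyAdvisories(sampleAuditOutput, manifests);
```

In a real pipeline the manifests object would be built by reading the root package.json and each workspace's package.json from disk.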
@sbuckpesch your script does the opposite of what the issue is here. yarn audit should check the devDependencies for vulnerabilities. It does for the root project but not for each workspace. We expect yarn audit to check all packages (also devDependencies) in all workspaces.
This issue is also mentioned by audit-ci as a limitation:
Yarn Classic workspaces does not audit devDependencies. See https://github.com/yarnpkg/yarn/issues/7047 for more information.
Do you want to request a feature or report a bug? Bug
What is the current behavior? For some reason when I run yarn audit on a workspaces yarn project it only verifies the dependencies and not devDependencies.
If the current behavior is a bug, please provide the steps to reproduce. https://github.com/uyuni-project/uyuni/blob/master/susemanager-frontend/package.json
What is the expected behavior? The default behavior, with all the packages checked for vulnerabilities.
Please mention your node.js, yarn and operating system version. yarn: 1.14.0 nodejs: 10.15.0