audit-ci - npm Package Compare versions

Comparing version 4.1.0 to 4.2.0


lib/audit-ci-version.js

@@ -11,6 +11,11 @@ const { bugs, version: auditCiVersion } = require("../package.json");

function printAuditCiVersion() {
console.log(`audit-ci version: ${auditCiVersion}`);
/**
* @param {"text" | "json" | undefined} outputFormat the output format
*/
function printAuditCiVersion(outputFormat) {
if (outputFormat === "text") {
console.log(`audit-ci version: ${auditCiVersion}`);
}
}
module.exports = { auditCiVersion, printAuditCiVersion };
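Review bot: The JSDoc on `printAuditCiVersion` declares `outputFormat` as `"text" | "json" | undefined` but never says that any value other than `"text"` — including `undefined` — suppresses the banner entirely, which is what the `if (outputFormat === "text")` guard does. A reader comparing the old unconditional `console.log` with this version will want the intent written down; add to the docstring `Prints nothing unless outputFormat is "text", so stdout stays machine-parsable for JSON consumers.` That stdout purity is the motivation is inferred from the rest of this release, so confirm it before committing the wording.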
#!/usr/bin/env node
const fs = require("fs");
const jju = require("jju");
const path = require("path");

@@ -10,6 +11,7 @@ const yargs = require("yargs");

printAuditCiVersion();
const { argv } = yargs
.config("config")
.config("config", function ConfigCallback(configPath) {
// Supports JSON & JSON5
return jju.parse(fs.readFileSync(configPath, "utf-8"));
})
.options({

@@ -71,2 +73,8 @@ l: {

},
o: {
alias: "output-format",
default: "text",
describe: "The format of the output of audit-ci",
choices: ["text", "json"],
},
"show-found": {

@@ -132,2 +140,4 @@ default: true,

printAuditCiVersion(argv.o);
function mapVulnerabilityLevelInput(config) {

@@ -223,9 +233,13 @@ if (config.l) {

await audit(pm, argv);
console.log(green, `Passed ${pm} security audit.`);
if (argv.o === "text") {
console.log(green, `Passed ${pm} security audit.`);
}
} catch (err) {
const message = err.message || err;
console.error(red, message);
console.error(red, "Exiting...");
if (argv.o === "text") {
const message = err.message || err;
console.error(red, message);
console.error(red, "Exiting...");
}
process.exitCode = 1;
}
})();
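Review bot: The `if (argv.o === "text")` guard in the catch block silences `console.error(red, message)` and `console.error(red, "Exiting...")` whenever the output format is `json`, so a run that fails because the audit command itself errored (network, registry, malformed output) ends with `process.exitCode = 1` and no diagnostic at all. `console.error` writes to stderr, not stdout, so emitting it cannot corrupt a JSON document on stdout; I would drop the guard on the error path, or if a single JSON document is the contract, print `console.error(JSON.stringify({ error: String(message) }))` in the non-text branch so the failure reason survives into the CI log. The version banner earlier in this file is the case where suppressing stdout is correct, so the two should not share the same treatment by copy-paste. The enclosing async IIFE and its `try` begin outside the hunk.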

@@ -33,3 +33,5 @@ const { yellow } = require("./colors");

if (shouldRetry) {
console.log("RETRY-RETRY");
if (config.o === "text") {
console.log("Retrying audit...");
}
return run(attempt + 1);

@@ -36,0 +38,0 @@ }
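Review bot: The new retry message `console.log("Retrying audit...")` carries no attempt number, which is the one thing a reader of a flaky CI log needs, and `attempt` is already in scope for the `return run(attempt + 1);` call directly below — include it in the message with a template literal. In `json` mode the retry is now completely silent; if that is intended, a one-line comment on the `config.o === "text"` guard saying stdout must remain pure JSON makes the choice self-explanatory, and writing the retry notice to stderr instead would keep the diagnostic without breaking that rule. The enclosing `run` function starts outside the hunk, so I cannot see how `shouldRetry` or the attempt limit are derived.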

@@ -9,50 +9,55 @@ const { spawn } = require("cross-spawn");

const { allowlist, "show-not-found": showNotFound, showFound } = config;
if (allowlist.modules.length) {
console.log(blue, `Modules to allowlist: ${allowlist.modules.join(", ")}.`);
}
if (config.o === "text") {
if (allowlist.modules.length) {
console.log(
blue,
`Modules to allowlist: ${allowlist.modules.join(", ")}.`
);
}
if (showFound) {
if (summary.allowlistedModulesFound.length) {
const found = summary.allowlistedModulesFound.join(", ");
const msg = `Found vulnerable allowlisted modules: ${found}.`;
console.warn(yellow, msg);
if (showFound) {
if (summary.allowlistedModulesFound.length) {
const found = summary.allowlistedModulesFound.join(", ");
const msg = `Found vulnerable allowlisted modules: ${found}.`;
console.warn(yellow, msg);
}
if (summary.allowlistedAdvisoriesFound.length) {
const found = summary.allowlistedAdvisoriesFound.join(", ");
const msg = `Found vulnerable allowlisted advisories: ${found}.`;
console.warn(yellow, msg);
}
}
if (summary.allowlistedAdvisoriesFound.length) {
const found = summary.allowlistedAdvisoriesFound.join(", ");
const msg = `Found vulnerable allowlisted advisories: ${found}.`;
console.warn(yellow, msg);
if (showNotFound) {
if (summary.allowlistedModulesNotFound.length) {
const found = summary.allowlistedModulesNotFound
.sort((a, b) => a - b)
.join(", ");
const msg =
summary.allowlistedModulesNotFound.length === 1
? `Consider not allowlisting module: ${found}.`
: `Consider not allowlisting modules: ${found}.`;
console.warn(yellow, msg);
}
if (summary.allowlistedAdvisoriesNotFound.length) {
const found = summary.allowlistedAdvisoriesNotFound
.sort((a, b) => a - b)
.join(", ");
const msg =
summary.allowlistedAdvisoriesNotFound.length === 1
? `Consider not allowlisting advisory: ${found}.`
: `Consider not allowlisting advisories: ${found}.`;
console.warn(yellow, msg);
}
if (summary.allowlistedPathsNotFound.length) {
const found = summary.allowlistedPathsNotFound
.sort((a, b) => a - b)
.join(", ");
const msg =
summary.allowlistedPathsNotFound.length === 1
? `Consider not allowlisting path: ${found}.`
: `Consider not allowlisting paths: ${found}.`;
console.warn(yellow, msg);
}
}
}
if (showNotFound) {
if (summary.allowlistedModulesNotFound.length) {
const found = summary.allowlistedModulesNotFound
.sort((a, b) => a - b)
.join(", ");
const msg =
summary.allowlistedModulesNotFound.length === 1
? `Consider not allowlisting module: ${found}.`
: `Consider not allowlisting modules: ${found}.`;
console.warn(yellow, msg);
}
if (summary.allowlistedAdvisoriesNotFound.length) {
const found = summary.allowlistedAdvisoriesNotFound
.sort((a, b) => a - b)
.join(", ");
const msg =
summary.allowlistedAdvisoriesNotFound.length === 1
? `Consider not allowlisting advisory: ${found}.`
: `Consider not allowlisting advisories: ${found}.`;
console.warn(yellow, msg);
}
if (summary.allowlistedPathsNotFound.length) {
const found = summary.allowlistedPathsNotFound
.sort((a, b) => a - b)
.join(", ");
const msg =
summary.allowlistedPathsNotFound.length === 1
? `Consider not allowlisting path: ${found}.`
: `Consider not allowlisting paths: ${found}.`;
console.warn(yellow, msg);
}
}

@@ -59,0 +64,0 @@ if (summary.failedLevelsFound.length) {
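Review bot: The comparator `.sort((a, b) => a - b)` on `summary.allowlistedModulesNotFound` and `summary.allowlistedPathsNotFound` (the two `const found = …` blocks under `if (showNotFound)`) subtracts strings, so it returns `NaN` for module names and paths, gives the sort no ordering, and leaves the printed order engine-dependent; only the advisory list, whose entries are presumably numeric ids, is sorted as intended. Use the string sort for those two, `.sort((a, b) => a.localeCompare(b))`, and keep `a - b` for advisories. These lines are carried over from the old side rather than introduced here, but the hunk re-indents them and is a natural place to fix it. Note also that the sorts mutate the `summary` arrays in place; if `summary` is reused after this, `[...list].sort(...)` avoids the side effect.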

@@ -36,5 +36,13 @@ const { blue } = require("./colors");

function printReport(parsedOutput, levels, reportType) {
/**
* @param {*} parsedOutput
* @param {*} levels
* @param {"full" | "important" | "summary"} reportType
* @param {"text" | "json"} outputFormat
*/
function printReport(parsedOutput, levels, reportType, outputFormat) {
const printReportObj = (text, obj) => {
console.log(blue, text);
if (outputFormat === "text") {
console.log(blue, text);
}
console.log(JSON.stringify(obj, null, 2));

@@ -76,3 +84,3 @@ };

function report(parsedOutput, config, reporter) {
printReport(parsedOutput, config.levels, config["report-type"]);
printReport(parsedOutput, config.levels, config["report-type"], config.o);
const model = new Model(config);

@@ -79,0 +87,0 @@ const summary = model.load(parsedOutput);
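Review bot: The new JSDoc on `printReport` types `parsedOutput` and `levels` as `{*}`, which documents nothing, and types `outputFormat` as `"text" | "json"` while `printAuditCiVersion` in `lib/audit-ci-version.js` admits `undefined` for the same value — pick one contract and state in both places that a missing format suppresses the header. Inside `printReportObj` the blue header is skipped for non-text formats but `console.log(JSON.stringify(obj, null, 2))` is unconditional; if the function prints more than one object per run (the rest of its body is outside the hunk), stdout in `json` mode holds several concatenated documents rather than one, which is worth saying in the docstring or preventing. `report` passes `config.o` straight through on the changed `printReport(...)` line; a short comment there naming it as the `--output-format` value would save the next reader a trip to the yargs options.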

@@ -62,2 +62,3 @@ const childProcess = require("child_process");

"skip-dev": skipDev,
o: outputFormat,
_yarn,

@@ -79,11 +80,16 @@ } = config;

const printHeader = (text) => {
if (outputFormat === "text") {
console.log(blue, text);
}
};
switch (reportType) {
case "full":
console.log(blue, `${yarnName} audit report JSON:`);
printHeader(`${yarnName} audit report JSON:`);
break;
case "important":
console.log(blue, `${yarnName} audit report results:`);
printHeader(`${yarnName} audit report results:`);
break;
case "summary":
console.log(blue, `${yarnName} audit report summary:`);
printHeader(`${yarnName} audit report summary:`);
break;

@@ -90,0 +96,0 @@ default:
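Review bot: `printHeader` — the closure wrapping `console.log(blue, text)` in `if (outputFormat === "text")` — is the third copy of the same format guard in this release (`printReportObj` in the reporter and the `if (config.o === "text")` block around the allowlist warnings are the others), so every future message must remember the check independently. A single helper next to the colour constants in `./colors`, say `info(outputFormat, ...args)`, would keep the rule in one place and make it obvious which messages are meant to stay off stdout in JSON mode. The function that destructures `o: outputFormat` from `config` starts outside the hunk, and the `switch (reportType)` appears to continue past it.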

{
"name": "audit-ci",
"version": "4.1.0",
"version": "4.2.0",
"description": "Audits npm and yarn projects in CI environments",

@@ -40,5 +40,6 @@ "license": "Apache-2.0",

"dependencies": {
"JSONStream": "^1.3.5",
"cross-spawn": "^7.0.3",
"event-stream": "4.0.1",
"JSONStream": "^1.3.5",
"jju": "^1.4.0",
"readline-transform": "1.0.0",

@@ -45,0 +46,0 @@ "semver": "^7.0.0",
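Review bot: The new runtime dependency `"jju": "^1.4.0"` is added with a caret range while `event-stream` and `readline-transform` in the same block are pinned to exact versions; for a tool whose purpose is to gate CI on dependency risk, the parser that reads the user's config file should be pinned or floated as a deliberate choice rather than by default, and the publish should carry a lockfile if one is not already present (not visible here). The `JSONStream` line is only moved to restore alphabetical order, not changed.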

@@ -1,3 +0,3 @@

[![Build Status](https://travis-ci.com/IBM/audit-ci.svg?branch=master)](https://travis-ci.com/IBM/audit-ci)
![CircleCI branch](https://img.shields.io/circleci/project/github/IBM/audit-ci/master.svg)
[![Build Status](https://travis-ci.com/IBM/audit-ci.svg?branch=main)](https://travis-ci.com/IBM/audit-ci)
![CircleCI branch](https://img.shields.io/circleci/project/github/IBM/audit-ci/main.svg)
![David](https://img.shields.io/david/IBM/audit-ci.svg)

@@ -63,3 +63,3 @@

# If you use a pull-request-only workflow,
# it's better to not run audit-ci on master and only run it on pull requests.
# it's better to not run audit-ci on `main` and only run it on pull requests.
# For more info: https://github.com/IBM/audit-ci/issues/69

@@ -99,2 +99,3 @@ # For a PR-only workflow, use the below command instead of the above command:

| -a | --allowlist | Vulnerable modules, advisories, and paths to allowlist from preventing integration (default `none`) |
| -o | --output-format | The format of the output of audit-ci [_choices_: `text`, `json`] (default `text`) |
| -d | --directory | The directory containing the package.json to audit (default `./`) |

@@ -130,2 +131,3 @@ | | --pass-enoaudit | Pass if no audit is performed due to the registry returning ENOAUDIT (default `false`) |

"package-manager": <string>, // [Optional] defaults `"auto"`
"output-format": <string>, // [Optional] defaults `"text"`
"pass-enoaudit": <boolean>, // [Optional] defaults `false`

@@ -203,3 +205,3 @@ "show-found": <boolean>, // [Optional] defaults `true`

If `audit-ci` is run on the PR build and not on the push build, you can continue to push new code and create PRs parallel to the actual vulnerability fix. However, they can't be merged until the fix is implemented. Since `audit-ci` performs the audit on the PR build, it will always have the most up-to-date dependencies vs. the push build, which would require a manual merge with `master` before passing the audit.
If `audit-ci` is run on the PR build and not on the push build, you can continue to push new code and create PRs parallel to the actual vulnerability fix. However, they can't be merged until the fix is implemented. Since `audit-ci` performs the audit on the PR build, it will always have the most up-to-date dependencies vs. the push build, which would require a manual merge with `main` before passing the audit.

@@ -206,0 +208,0 @@ ### NPM/Yarn is returning ENOAUDIT and is breaking my build, what do I do?
