audit-ci - npm Package Compare versions

Comparing version 6.2.0 to 6.2.1

dist/types.js

dist/allowlist.js

		"use strict";
		Object.defineProperty(exports, "__esModule", { value: true });
		const common_1 = require("./common");
		class Allowlist {
		@@ -21,3 +22,3 @@ /**
		}
		else if (allowlist.startsWith("GHSA")) {
		else if ((0, common_1.isGitHubAdvisoryId)(allowlist)) {
		this.advisories.push(allowlist);
		@@ -24,0 +25,0 @@ }

dist/bin.js

		@@ -5,2 +5,5 @@ #!/usr/bin/env node
		const audit_ci_1 = require("./audit-ci");
		(0, audit_ci_1.runAuditCi)();
		(0, audit_ci_1.runAuditCi)().catch((error) => {
		console.error(error);
		process.exit(1);
		});

dist/common.js

		@@ -29,3 +29,3 @@ "use strict";
		Object.defineProperty(exports, "__esModule", { value: true });
		exports.gitHubAdvisoryIdToUrl = exports.gitHubAdvisoryUrlToAdvisoryId = exports.matchString = exports.runProgram = exports.reportAudit = exports.partition = void 0;
		exports.gitHubAdvisoryIdToUrl = exports.gitHubAdvisoryUrlToAdvisoryId = exports.isGitHubAdvisoryId = exports.matchString = exports.runProgram = exports.reportAudit = exports.partition = void 0;
		const cross_spawn_1 = require("cross-spawn");
		@@ -159,2 +159,6 @@ const escape_string_regexp_1 = __importDefault(require("escape-string-regexp"));
		exports.matchString = matchString;
		function isGitHubAdvisoryId(id) {
		return id.startsWith("GHSA");
		}
		exports.isGitHubAdvisoryId = isGitHubAdvisoryId;
		function gitHubAdvisoryUrlToAdvisoryId(url) {
		@@ -161,0 +165,0 @@ return url.split("/")[4];

156

dist/model.js

		@@ -57,8 +57,6 @@ "use strict";
		load(parsedOutput) {
		/** NPM 6 */
		if (parsedOutput.advisories) {
		/** NPM 6 & PNPM */
		if ("advisories" in parsedOutput && parsedOutput.advisories) {
		for (const advisory of Object.values(parsedOutput.advisories)) {
		const advisoryAny = advisory;
		// eslint-disable-next-line no-param-reassign, prefer-destructuring
		advisoryAny.github_advisory_id = (0, common_1.gitHubAdvisoryUrlToAdvisoryId)(advisoryAny.url);
		advisory.github_advisory_id = (0, common_1.gitHubAdvisoryUrlToAdvisoryId)(advisory.url);
		// PNPM paths have a leading `.>`
		@@ -68,5 +66,4 @@ // "paths": [
		//]
		for (const finding of advisoryAny.findings) {
		const findingAny = finding;
		findingAny.paths = findingAny.paths.map((path) => path.replace(".>", ""));
		for (const finding of advisory.findings) {
		finding.paths = finding.paths.map((path) => path.replace(".>", ""));
		}
		@@ -77,80 +74,83 @@ this.process(advisory);
		}
		const advisoryMap = new Map();
		// First, let's deal with building a structure that's as close to NPM 6 as we can
		// without dealing with the findings.
		for (const vulnerability of Object.values(parsedOutput.vulnerabilities)) {
		const { via: vias, isDirect } = vulnerability;
		for (const via of vias.filter((via) => typeof via !== "string")) {
		if (!advisoryMap.has(via.source)) {
		advisoryMap.set(via.source, {
		id: via.source,
		github_advisory_id: (0, common_1.gitHubAdvisoryUrlToAdvisoryId)(via.url),
		module_name: via.name,
		severity: via.severity,
		url: via.url,
		// This will eventually be an array.
		// However, to improve the performance of deduplication,
		// start with a set.
		findingsSet: new Set([isDirect ? via.name : undefined].filter(Boolean)),
		findings: [],
		});
		/** NPM 7+ */
		if ("vulnerabilities" in parsedOutput && parsedOutput.vulnerabilities) {
		const advisoryMap = new Map();
		// First, let's deal with building a structure that's as close to NPM 6 as we can
		// without dealing with the findings.
		for (const vulnerability of Object.values(parsedOutput.vulnerabilities)) {
		const { via: vias, isDirect } = vulnerability;
		for (const via of vias.filter((via) => typeof via !== "string")) {
		if (!advisoryMap.has(via.source)) {
		advisoryMap.set(via.source, {
		id: via.source,
		github_advisory_id: (0, common_1.gitHubAdvisoryUrlToAdvisoryId)(via.url),
		module_name: via.name,
		severity: via.severity,
		url: via.url,
		// This will eventually be an array.
		// However, to improve the performance of deduplication,
		// start with a set.
		findingsSet: new Set(isDirect ? [via.name] : []),
		findings: [],
		});
		}
		}
		}
		}
		// Now, all we have to deal with is develop the 'findings' property by traversing
		// the audit tree.
		const visitedModules = new Map();
		for (const vuln of Object.entries(parsedOutput.vulnerabilities)) {
		// Did this approach rather than destructuring within the forEach to type vulnerability
		const moduleName = vuln[0];
		const vulnerability = vuln[1];
		const { via: vias, isDirect } = vulnerability;
		if (vias.length === 0 \|\| typeof vias[0] === "string") {
		continue;
		}
		const visited = new Set();
		const recursiveMagic = (cVuln, dependencyPath) => {
		const visitedModule = visitedModules.get(cVuln.name);
		if (visitedModule) {
		return visitedModule.map((name) => {
		const resultWithExtraCarat = prependPath(name, dependencyPath);
		return resultWithExtraCarat.slice(0, Math.max(0, resultWithExtraCarat.length - 1));
		});
		// Now, all we have to deal with is develop the 'findings' property by traversing
		// the audit tree.
		const visitedModules = new Map();
		for (const vuln of Object.entries(parsedOutput.vulnerabilities)) {
		// Did this approach rather than destructuring within the forEach to type vulnerability
		const moduleName = vuln[0];
		const vulnerability = vuln[1];
		const { via: vias, isDirect } = vulnerability;
		if (vias.length === 0 \|\| typeof vias[0] === "string") {
		continue;
		}
		if (visited.has(cVuln.name)) {
		// maybe undefined and filter?
		return [dependencyPath];
		const visited = new Set();
		const recursiveMagic = (cVuln, dependencyPath) => {
		const visitedModule = visitedModules.get(cVuln.name);
		if (visitedModule) {
		return visitedModule.map((name) => {
		const resultWithExtraCarat = prependPath(name, dependencyPath);
		return resultWithExtraCarat.slice(0, Math.max(0, resultWithExtraCarat.length - 1));
		});
		}
		if (visited.has(cVuln.name)) {
		// maybe undefined and filter?
		return [dependencyPath];
		}
		visited.add(cVuln.name);
		const newPath = prependPath(cVuln.name, dependencyPath);
		if (cVuln.effects.length === 0) {
		return [newPath.slice(0, Math.max(0, newPath.length - 1))];
		}
		const result = cVuln.effects.flatMap((effect) => recursiveMagic(parsedOutput.vulnerabilities[effect], newPath));
		return result;
		};
		const result = recursiveMagic(vulnerability, "");
		if (isDirect) {
		result.push(moduleName);
		}
		visited.add(cVuln.name);
		const newPath = prependPath(cVuln.name, dependencyPath);
		if (cVuln.effects.length === 0) {
		return [newPath.slice(0, Math.max(0, newPath.length - 1))];
		const advisories = vias.filter((via) => typeof via !== "string")
		.map((via) => via.source)
		// Filter boolean makes the next line non-nullable.
		// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
		.map((id) => advisoryMap.get(id))
		.filter(Boolean);
		for (const advisory of advisories) {
		for (const path of result) {
		advisory.findingsSet.add(path);
		}
		}
		const result = cVuln.effects.flatMap((effect) => recursiveMagic(parsedOutput.vulnerabilities[effect], newPath));
		return result;
		};
		const result = recursiveMagic(vulnerability, "");
		if (isDirect) {
		result.push(moduleName);
		// Optimization to prevent extra traversals.
		visitedModules.set(moduleName, result);
		}
		const advisories = vias.filter((via) => typeof via !== "string")
		.map((via) => via.source)
		// Filter boolean makes the next line non-nullable.
		// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
		.map((id) => advisoryMap.get(id))
		.filter(Boolean);
		for (const advisory of advisories) {
		for (const path of result) {
		advisory.findingsSet.add(path);
		}
		for (const [, advisory] of advisoryMap) {
		advisory.findings = [{ paths: [...advisory.findingsSet] }];
		// @ts-expect-error don't care about findingSet anymore
		delete advisory.findingsSet;
		this.process(advisory);
		}
		// Optimization to prevent extra traversals.
		visitedModules.set(moduleName, result);
		}
		for (const [, advisory] of advisoryMap) {
		advisory.findings = [{ paths: [...advisory.findingsSet] }];
		// @ts-expect-error don't care about findingSet anymore
		delete advisory.findingsSet;
		this.process(advisory);
		}
		return this.getSummary();
		@@ -157,0 +157,0 @@ }

dist/npm-auditer.js

		@@ -6,3 +6,3 @@ "use strict";
		Object.defineProperty(exports, "__esModule", { value: true });
		exports.audit = exports.report = void 0;
		exports.audit = exports.report = exports.isV2Audit = void 0;
		const colors_1 = require("./colors");
		@@ -36,2 +36,7 @@ const common_1 = require("./common");
		}
		function isV2Audit(parsedOutput) {
		return ("auditReportVersion" in parsedOutput &&
		parsedOutput.auditReportVersion === 2);
		}
		exports.isV2Audit = isV2Audit;
		function printReport(parsedOutput, levels, reportType, outputFormat) {
		@@ -49,3 +54,3 @@ const printReportObject = (text, object) => {
		case "important": {
		const advisories = parsedOutput.auditReportVersion === 2
		const advisories = isV2Audit(parsedOutput)
		? parsedOutput.vulnerabilities
		@@ -87,8 +92,11 @@ : parsedOutput.advisories;
		const parsedOutput = await runNpmAudit(config);
		if (parsedOutput.error) {
		if ("error" in parsedOutput) {
		const { code, summary } = parsedOutput.error;
		throw new Error(`code ${code}: ${summary}`);
		}
		else if ("message" in parsedOutput) {
		throw new Error(parsedOutput.message);
		}
		return report(parsedOutput, config, reporter);
		}
		exports.audit = audit;

dist/pnpm-auditer.js

		@@ -23,3 +23,3 @@ "use strict";
		if (registry) {
		console.warn(colors_1.yellow, "Yarn audit does not support the registry flag yet.");
		console.warn(colors_1.yellow, "PNPM audit does not support the registry flag yet.");
		}
		@@ -83,3 +83,3 @@ if (skipDevelopmentDependencies) {
		const parsedOutput = await runPnpmAudit(config);
		if (parsedOutput.error) {
		if ("error" in parsedOutput) {
		const { code, summary } = parsedOutput.error;
		@@ -86,0 +86,0 @@ throw new Error(`code ${code}: ${summary}`);

dist/yarn-auditer.js

		@@ -82,2 +82,5 @@ "use strict";
		const yarnName = isYarnClassic ? `Yarn` : `Yarn Berry`;
		function isClassicGuard(response) {
		return isYarnClassic;
		}
		const printHeader = (text) => {
		@@ -137,3 +140,3 @@ if (outputFormat === "text") {
		try {
		if (isYarnClassic) {
		if (isClassicGuard(line)) {
		const { type, data } = line;
		@@ -152,4 +155,6 @@ printAuditData(line);
		printAuditData(line);
		for (const advisory of Object.values(line.advisories)) {
		model.process(advisory);
		if ("advisories" in line) {
		for (const advisory of Object.values(line.advisories)) {
		model.process(advisory);
		}
		}
		@@ -156,0 +161,0 @@ }

package.json

		{
		"name": "audit-ci",
		"version": "6.2.0",
		"version": "6.2.1",
		"description": "Audits NPM, Yarn, and PNPM projects in CI environments",
		@@ -35,3 +35,3 @@ "license": "Apache-2.0",
		"lint": "eslint . --ext .ts,.js,.cjs",
		"lint:fix": "eslint . --ext .ts,.ts,.cjs --fix",
		"lint:fix": "eslint . --ext .ts,.js,.cjs --fix",
		"format": "prettier --write lib test",
		@@ -66,2 +66,3 @@ "test": "mocha --exit --timeout 40000 --recursive --reporter spec test/*.spec.js",
		"@typescript-eslint/parser": "^5.14.0",
		"audit-types": "^0.5.1",
		"chai": "^4.3.6",
		@@ -85,2 +86,2 @@ "eslint": "^8.11.0",
		}
		}
		}

README.md

		@@ -68,2 +68,81 @@ # audit-ci

		### Allowlisting

		Allowlists are a mechanism to suppress an advisory warning from the audit. A team may want to suppress an advisory when:

		- A fix has already been started
		- There is no bandwidth to fix the advisory
		- The risk is tolerable for the project
		- The advisory is inaccurate or incorrect
		- The vulnerable code is not actually used

		An allowlist may contain multiple allowlist records. There are three categories of allowlist record formats:

		- `module` allowlist record (example: `axios`, suppresses all advisories _directly_ caused by `axios`, not transitive advisories)
		- `advisory` allowlist record (example: `GHSA-42xw-2xvc-qx8m`, suppresses all instances of advisory based on the GitHub advisory identifier)
		- `path` allowlist record (example: `GHSA-rp65-9cf3-cjxr\|react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check`, the specific and full advisory path with wildcard support)

		When `audit-ci` identifies new advisories at or above the configured level, the CI pipeline will fail.

		```txt
		Found vulnerable advisory paths:
		GHSA-pw2r-vq6v-hr8c\|axios>follow-redirects
		GHSA-74fj-2j2h-c42q\|axios>follow-redirects
		GHSA-4w2v-q235-vp99\|axios
		GHSA-42xw-2xvc-qx8m\|axios
		GHSA-cph5-m8f7-6c5x\|axios
		Failed security audit due to high, moderate vulnerabilities.
		Vulnerable advisories are:
		https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
		https://github.com/advisories/GHSA-74fj-2j2h-c42q
		https://github.com/advisories/GHSA-4w2v-q235-vp99
		https://github.com/advisories/GHSA-42xw-2xvc-qx8m
		https://github.com/advisories/GHSA-cph5-m8f7-6c5x
		Exiting...
		```

		Advisories can be suppressed using several approaches. Each approach is useful in unique scenarios.

		First, the most granular and secure approach, using paths. If in the future the same advisory arises with a different path, the pipeline will fail.

		```jsonc
		"allowlist": [
		"GHSA-pw2r-vq6v-hr8c\|axios>follow-redirects",
		"GHSA-74fj-2j2h-c42q\|axios>follow-redirects",
		"GHSA-4w2v-q235-vp99\|axios",
		"GHSA-42xw-2xvc-qx8m\|axios",
		"GHSA-cph5-m8f7-6c5x\|axios"
		]
		```

		The next best approach is suppressing the advisories using advisory IDs. This approach may be useful if your team knows that the application is not (and will not be) affected by the advisory regardless of the path. Often, the same advisory can be present in many paths. Allowlisting by advisory ID is terser than the alternative of listing all paths.

		```jsonc
		"allowlist": [
		"GHSA-pw2r-vq6v-hr8c",
		"GHSA-74fj-2j2h-c42q",
		"GHSA-4w2v-q235-vp99",
		"GHSA-42xw-2xvc-qx8m",
		"GHSA-cph5-m8f7-6c5x"
		]
		```

		The next approach is to allowlist the modules themselves. All current and future advisories are automatically suppressed when using module allowlist records. Compared to other suppression approaches, there's an increased risk of a new advisory impacting your application due to the broad suppression. Suppressing via a module allowlist record is often less useful than using path allowlist records + wildcards, as noted in the final approach.

		```jsonc
		"allowlist": [
		"axios",
		"follow-redirects"
		]
		```

		Finally, wildcards can be used within path allowlist records. Wildcards are useful for trusted development-only dependencies such as `react-scripts`. Unlike the module allowlist record of `react-scripts`, the path allowlist of `\|react-scripts>` suppresses transitive dependency advisories (dependencies of dependencies).

		Wildcard matching works by:

		1. splitting the allowlist record at every wildcard
		1. constructing a regex matching anything at each wildcard location

		An allowlist record may include any number of wildcards such as `\|react-scripts>>>example>`.

		### GitHub Actions
		@@ -343,3 +422,3 @@

		### NPM/Yarn is returning ENOAUDIT and is breaking my build; what do I do?
		### What do I do when NPM/Yarn is breaking my build while returning ENOAUDIT?

		@@ -346,0 +425,0 @@ The config option `--pass-enoaudit` allows passing if no audit is performed due to the registry returning ENOAUDIT.

audit-ci - npm Package Compare versions

New alerts

Fixed alerts

Improved metrics

Worsened metrics