yarn-audit-html's People

Contributors: davityavryan, dependabot[bot], f4irline, leomelin, renovate-bot, renovate[bot], snyk-bot

yarn-audit-html's Issues

Fails to create HTML report with v4.0.0

After updating to the latest version, generation of the HTML report fails with the following error.
{"type":"warning","data":"../../../package.json: No license field"}
{"type":"error","data":"Couldn't find any versions for \"@webassemblyjs/helper-numbers\" that matches \"1.11.3\""}
Error: Couldn't find any versions for "@webassemblyjs/helper-wasm-bytecode" that matches "1.11.3"
    at MessageError.ExtendableBuiltin (/builds/PROJECTNAME/PROJECTNAME-owasp-check/node/yarn/dist/lib/cli.js:721:66)
    at new MessageError (/builds/PROJECTNAME/PROJECTNAME-owasp-check/node/yarn/dist/lib/cli.js:750:123)
    at Function.<anonymous> (/builds/PROJECTNAME/PROJECTNAME-owasp-check/node/yarn/dist/lib/cli.js:50351:13)
    at Generator.next (<anonymous>)
    at step (/builds/PROJECTNAME/PROJECTNAME-owasp-check/node/yarn/dist/lib/cli.js:310:30)
    at /builds/PROJECTNAME/PROJECTNAME-owasp-check/node/yarn/dist/lib/cli.js:321:13
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
Checking audit logs...
Failed to generate report! Please report this issue to https://github.com/davityavryan/yarn-audit-html/issues
TypeError: Cannot convert undefined or null to object
    at Function.values (<anonymous>)
    at generateReport (/builds/PROJECTNAME/PROJECTNAME-owasp-check/node_modules/yarn-audit-html/lib/reporter.js:68:41)
    at Socket.<anonymous> (/builds/PROJECTNAME/PROJECTNAME-owasp-check/node_modules/yarn-audit-html/index.js:62:9)
    at Socket.emit (node:events:539:35)
    at endReadableNT (node:internal/streams/readable:1345:12)
    at processTicksAndRejections (node:internal/process/task_queues:83:21)

Feature request: add api for programmatic use

This is a nice little tool. I would like to integrate it into a project for use in the build pipeline. I would like to have the option of ignoring some vulnerabilities, though. Now this is absolutely doable as-is by piping the output of yarn audit through an intermediate command which filters out the ignorable errors, but it is harder than it has to be.

Therefore I would propose to expose an api by which yarn-audit-html can be used programmatically, with a hook or some other means by which to filter the reported vulnerabilities. This could also be used to enrich the report with some additional information, or add more sophisticated error handling (e.g. only fail with status code 1 if there are more than 5 low-impact vulnerabilities). Ideally, there would be a type definition for this api as well as the schema of the vulnerability report itself.

I am absolutely open to contributing to the implementation, if you are open to the idea itself.

High vulnerability when running yarn audit

By using the latest version of yarn-audit-html, a new high vulnerability issue comes up:

high | Inefficient Regular Expression Complexity in marked
Package: marked | Dependency of yarn-audit-html

Would a minor update with the fix be on the plan?

Thanks in advance

Make yarn-audit-html exit with code "1" when vulnerabilities found

Hey, and thanks for this useful package!

I'm using this myself in a CI-pipeline. I realized that even if just basic yarn audit exits with code "1" when vulnerabilities were found, using yarn-audit-html ignores this exit code completely and yarn-audit-html exits with code "0" after creating the audit report. Exiting with code other than "0" could be useful in pipelines for example when determining if some script should be executed when vulnerabilities are found. This could also be optional with some flag given as parameter for yarn-audit-html.

My flow in the CI job for example works like this (the job is run in a scheduled pipeline every week):

  1. Install yarn-audit-html as local dependency (not global)
  2. Configure email-utilities in the CI-runner
  3. Run yarn audit --json | ./node_modules/.bin/yarn-audit-html --output audit.html
  4. If vulnerabilities are found (if exit code !== 0), send the audit.html report in an email to predetermined recipients. If not (if exit code === 0), just print "No vulnerabilities found."

I have a working implementation almost ready, and can make a pull request, if this feels like a useful feature. My implementation is only missing the "optionality" in this feature.

Error when I try to create a report

yarn audit --json returns 3.1 GB of data. When I executed yarn-audit-html I got an error:

<machine name>@<sesson> <project name> % yarn audit --json | yarn-audit-html
Checking audit logs...
/Users/<machine name>/.nvm/versions/node/v14.15.5/lib/node_modules/yarn/lib/cli.js:92452
  throw err;
  ^

Error: write ENOBUFS
    at afterWriteDispatched (internal/stream_base_commons.js:156:25)
    at writevGeneric (internal/stream_base_commons.js:139:3)
    at Socket._writeGeneric (net.js:783:11)
    at Socket._writev (net.js:792:8)
    at doWrite (internal/streams/writable.js:375:12)
    at clearBuffer (internal/streams/writable.js:521:5)
    at onwrite (internal/streams/writable.js:430:7)
    at WriteWrap.onWriteComplete [as oncomplete] (internal/stream_base_commons.js:103:10) {
  errno: -55,
  code: 'ENOBUFS',
  syscall: 'write'
}
Failed to generate report! Please report this issue to https://github.com/davityavryan/yarn-audit-html/issues
 TypeError: Cannot convert undefined or null to object
    at Function.values (<anonymous>)
    at generateReport (/Users/<machine name>/.nvm/versions/node/v14.15.5/lib/node_modules/yarn-audit-html/lib/reporter.js:67:37)
    at Socket.<anonymous> (/Users/<machine name>/.nvm/versions/node/v14.15.5/lib/node_modules/yarn-audit-html/index.js:62:9)
    at Socket.emit (events.js:327:22)
    at endReadableNT (internal/streams/readable.js:1327:12)
    at processTicksAndRejections (internal/process/task_queues.js:80:21)

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

This repository currently has no open or pending branches.

Detected dependencies

github-actions
.github/workflows/codeql.yml
  • actions/checkout v3
  • github/codeql-action v2
  • github/codeql-action v2
  • github/codeql-action v2
npm
package.json
  • commander ^10.0.0
  • ejs ~3.1.9
  • marked ^4.3.0
  • @types/chai ^4.3.5
  • @types/ejs ^3.1.2
  • @types/marked ^4.3.0
  • @types/mocha ^10.0.1
  • @types/node ^18.16.3
  • @types/sinon ^10.0.14
  • @types/sinon-chai ^3.2.9
  • c8 ^7.13.0
  • chai ^4.3.7
  • husky ^8.0.3
  • mocha ^10.2.0
  • prettier ^2.8.8
  • pretty-quick ^3.1.3
  • sinon ^15.0.4
  • sinon-chai ^3.7.0
  • ts-node ^10.9.1
  • typescript ^5.0.4
  • @types/ejs ^3.1.2
  • @types/marked ^4.3.0
  • @types/node ^18.16.3
  • node >=16
  • yarn >=1


Fails to generate report with Yarn 2

Yarn version: 2.4.2

Command:

yarn audit --json --environment production | yarn dlx yarn-audit-html --output audit/yarn-audit.html

Error:
(screenshot of the error taken 2021-07-19; image not included here)

package.json

{
  "name": "app",
  "version": "0.0.1",
  "description": "app",
  "scripts": {
    "start": "webpack serve --progress --env development"
  },
  "jest-junit": {
    "outputDirectory": "reports/test",
    "outputName": "junit.xml"
  },
  "moduleRoots": [
    "src"
  ],
  "license": "UNLICENSED",
  "engines": {
    "node": ">=14.5.0"
  },
  "devDependencies": {
    "@babel/core": "^7.11.6",
    "@babel/eslint-parser": "^7.11.5",
    "@babel/plugin-proposal-export-default-from": "^7.12.13",
    "@babel/preset-env": "^7.14.2",
    "@babel/preset-react": "^7.13.13",
    "@commitlint/cli": "^12.1.4",
    "@commitlint/config-conventional": "^12.1.4",
    "@types/react": "^16.9.19",
    "azure-storage": "^2.10.3",
    "babel-jest": "^26.1.0",
    "babel-loader": "^8.2.2",
    "babel-plugin-transform-react-remove-prop-types": "^0.4.24",
    "concurrently": "^6.2.0",
    "copy-webpack-plugin": "^9.0.0",
    "css-loader": "^5.2.6",
    "cssnano": "^5.0.4",
    "dotenv": "^10.0.0",
    "enzyme": "^3.11.0",
    "enzyme-adapter-react-16": "^1.15.6",
    "enzyme-to-json": "^3.6.2",
    "eslint": "^7.27.0",
    "eslint-config-airbnb": "^18.2.1",
    "eslint-import-resolver-webpack": "^0.13.1",
    "eslint-plugin-compat": "^3.9.0",
    "eslint-plugin-graphql": "^4.0.0",
    "eslint-plugin-import": "^2.23.3",
    "eslint-plugin-jest": "^24.3.6",
    "eslint-plugin-json": "^3.0.0",
    "eslint-plugin-jsx-a11y": "^6.4.1",
    "eslint-plugin-react": "^7.23.2",
    "eslint-plugin-react-hooks": "^4.2.0",
    "eslint-plugin-unicorn": "^33.0.1",
    "html-webpack-plugin": "^5.3.1",
    "husky": "^6.0.0",
    "identity-obj-proxy": "^3.0.0",
    "jest": "^27.0.4",
    "jest-junit": "^12.1.0",
    "jest-localstorage-mock": "^2.4.13",
    "jest-transform-graphql": "^2.1.0",
    "mini-css-extract-plugin": "^1.6.0",
    "npmlog": "^4.1.2",
    "postcss": "^8.3.0",
    "postcss-import": "^14.0.2",
    "postcss-loader": "^6.1.0",
    "postcss-preset-env": "^6.7.0",
    "style-loader": "^2.0.0",
    "stylelint": "^13.13.1",
    "stylelint-config-css-modules": "^2.2.0",
    "stylelint-config-standard": "^22.0.0",
    "stylelint-no-unsupported-browser-features": "^5.0.1",
    "terser-webpack-plugin": "^5.1.3",
    "webpack": "^5.38.1",
    "webpack-cli": "^4.7.0",
    "webpack-deadcode-plugin": "^0.1.14",
    "webpack-dev-server": "^4.0.0-beta.3",
    "webpack-dotenv-plugin": "^2.1.0",
    "yarn-deduplicate": "^3.1.0"
  },
  "dependencies": {
    "@apollo/client": "^3.3.20",
    "axios": "^0.21.1",
    "classnames": "^2.2.6",
    "core-js": "^3.13.0",
    "coveralls": "^3.0.6",
    "graphql": "^15.5.0",
    "graphql-tag": "^2.10.3",
    "history": "^4.10.1",
    "minicat": "^1.0.0",
    "moment": "^2.24.0",
    "prop-types": "^15.7.2",
    "qs": "^6.7.0",
    "ramda": "^0.27.1",
    "react": "^16.14.0",
    "react-dom": "^16.14.0",
    "react-redux": "^7.1.3",
    "react-router-dom": "^5.2.0",
    "redux": "^4.0.5",
    "redux-form": "^8.3.0",
    "redux-thunk": "^2.3.0",
    "url-regex": "^5.0.0",
    "uuid": "^8.3.2",
    "validator": "^13.6.0"
  },
  "resolutions": {
    "typescript": "*",
    "react-with-direction": "*",
    "@babel/runtime": "*"
  }
}

Fails to generate if metadata is null

The title sums it up

                                    <li>Patched: <%= vulnerability.patched_versions %></li>
-->                                 <li>CVSS: <%= vulnerability.metadata.exploitability %></li>
                                </ul>

After upgrading to 1.3.0 the report is missing details about the vulnerable dependencies

Hey,

After upgrading to version 1.3.0 all the entries are now grouped depending only on the vulnerability type. I understand the reasoning, however it's now missing all the details about which version causes the issue and which libraries are using the unsafe dependency. For example, the v1.3.0 report would produce a single entry of:
(screenshot of the single report entry; image not included here)
However, in fact, I know that I'm using multiple vulnerable versions of yargs-parser that are transitive dependencies of other libs (and it's also what I would get from version 1.2.x). That information is not available anymore.

What do you think of extending the UI to cover this scenario or adding a command line flag to switch between those 2 grouping strategies?

Fails to generate if reported_by is null

The title pretty much sums it up

                                    <li>Published: <%= formatDate(vulnerability.created) %></li>
 --->                               <li>Reported by: <%= vulnerability.reported_by.name %></li>
                                    <li><%= vulnerability.cwe %></li>

Support large JSON reports

I have a large react project with a lot (i.e. thousands) of out of date dependencies. The output of yarn audit --json is 15.9 GB in size. (I'll resist the urge to paste it here to show you!)

The yarn-audit-html command fails when used with this project. I'm pretty confident it's the amount of data that's causing it. I wondered if the issue might be the piping of the output of one command to the next. After a bit of investigation, I learned how to pass a file to stdin to be consumed by yarn-audit-html. (I'd recommend you document that as it might be useful.) I was then able to output the audit to a file and then pass that file to yarn-audit-html. Even then, I got the same error.

Is there any way that yarn-audit-html could be enhanced to handle such a large file?

Here is what I did. I tried the same thing using Git Bash, Command Prompt and PowerShell.

Git Bash / Command Prompt

yarn audit --json > yarn-audit.json
yarn-audit-html < yarn-audit.json

Error

C:\Users\<username>\AppData\Local\Yarn\Data\global\node_modules\yarn-audit-html\index.js:60
        stdin += chunk;
                 ^

RangeError: Invalid string length
    at ReadStream.<anonymous> (C:\Users\<username>\AppData\Local\Yarn\Data\global\node_modules\yarn-audit-html\index.js:60:18)
    at ReadStream.emit (events.js:315:20)
    at emitReadable_ (internal/streams/readable.js:569:12)
    at processTicksAndRejections (internal/process/task_queues.js:79:21)

PowerShell

yarn audit --json > yarn-audit.json
Get-Content yarn-audit.json | yarn-audit-html

Error

Program 'yarn-audit-html.cmd' failed to run: capacity was less than the current size.
Parameter name: requiredLength
At line:1 char:31
+ Get-Content yarn-audit.json | yarn-audit-html
+                               ~~~~~~~~~~~~~~~.
At line:1 char:1
+ Get-Content yarn-audit.json | yarn-audit-html
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed

Other observations

  • The yarn audit output is saved as UTF-8 in Git Bash and Command Prompt, but UCS-2 LE BOM in PowerShell, resulting in a file twice the size. If you're encountering this problem in PowerShell, it might help to convert the file to UTF-8 before passing it to yarn-audit-html. (Not in my case, sadly.)

Add a --title parameter

I am creating different reports and it would be nice if I could specify an optional parameter --title or -t to indicate a title different from "Yarn Audit Report".
E.g.

yarn audit --json | yarn-audit-html -t "New issues to solve"

Which would generate something like

(screenshot of the report with the custom title; image not included here)

yarn 4.0.0 released - not compatible with the latest yarn-audit-html

Hello,

I tried on 3 different projects, always the same error.

Please find all information for one of my projects:

  • node : 18.18.2
  • yarn : 4.0.0

Command line to obtain the audit:

yarn npm audit --all --recursive --json
{
    "semver": [
        {
            "id": 1093264,
            "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw",
            "title": "semver vulnerable to Regular Expression Denial of Service",
            "severity": "moderate",
            "vulnerable_versions": ">=7.0.0 <7.5.2",
            "cwe": [
                "CWE-1333"
            ],
            "cvss": {
                "score": 5.3,
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
            }
        }
    ],
    "@babel/traverse": [
        {
            "id": 1094415,
            "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92",
            "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code",
            "severity": "critical",
            "vulnerable_versions": "<7.23.2",
            "cwe": [
                "CWE-184"
            ],
            "cvss": {
                "score": 9.3,
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
            }
        }
    ]
}

yarn audit logs

yarn npm audit --all --recursive --json | yarn dlx yarn-audit-html
➤ YN0000: · Yarn 4.0.0
➤ YN0000: ┌ Resolution step
➤ YN0085: │ + yarn-audit-html@npm:7.3.2, @types/ejs@npm:3.1.4, ansi-styles@npm:4.3.0, async@npm:3.2.4, balanced-match@npm:1.0.2, brace-expansion@npm:1.1.11, brace-expansion@npm:2.0.1, chalk@npm:4.1.2, color-convert@npm:2.0.1, color-name@npm:1.1.4, and 10 more.
➤ YN0000: └ Completed in 3s 550ms
➤ YN0000: ┌ Fetch step
➤ YN0000: └ Completed
➤ YN0000: ┌ Link step
➤ YN0000: └ Completed in 0s 209ms
➤ YN0000: · Done in 3s 792ms

Checking audit logs...
Failed to parse YARN Audit JSON!
 TypeError: Cannot convert undefined or null to object
    at Function.values (<anonymous>)
    at file:///tmp/xfs-07c9f09d/dlx-18366/node_modules/yarn-audit-html/lib/cli.js:72:36
    at Array.forEach (<anonymous>)
    at Socket.<anonymous> (file:///tmp/xfs-07c9f09d/dlx-18366/node_modules/yarn-audit-html/lib/cli.js:69:27)
    at Socket.emit (node:events:517:28)
    at emitReadable_ (node:internal/streams/readable:601:12)
    at process.processTicksAndRejections (node:internal/process/task_queues:81:21)

Thanks for your help
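The following is an added example, not yarn-audit-html's own code. It covers the earlier requests for a filter hook and a non-zero exit code, the crashes on a null reported_by or metadata, and the Yarn 4 audit shape shown in this issue; it assumes the Yarn 1 auditAdvisory line format and the Yarn 4 per-package object, and every id, path and title in the samples is constructed.

```javascript
// Added example, not yarn-audit-html's own code. Normalises `yarn audit --json`
// output from Yarn 1 (one JSON object per line) and Yarn 4 (`yarn npm audit --json`:
// one object keyed by package name), drops ignored advisories, derives an exit code.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function parseAuditOutput(text) {
  const lines = text.split('\n').filter((l) => l.trim() !== '');
  const records = [];
  for (const line of lines) {
    try { records.push(JSON.parse(line)); } catch (e) { records.length = 0; break; }
  }
  // Yarn 1 records all carry a "type" (auditAdvisory, auditSummary, warning, ...).
  if (records.length > 0 && records.every((r) => typeof r.type === 'string')) {
    return records
      .filter((r) => r.type === 'auditAdvisory')
      .map((r) => {
        const a = r.data.advisory;
        return {
          id: a.id, module: a.module_name, severity: a.severity, title: a.title,
          // reported_by and metadata can be null: never dereference them blindly.
          reportedBy: a.reported_by ? a.reported_by.name : 'unknown',
          exploitability: a.metadata ? a.metadata.exploitability : null,
          path: r.data.resolution ? r.data.resolution.path : '',
        };
      });
  }
  // Yarn 4 shape: { "<package>": [ { id, url, title, severity, ... }, ... ] }
  const byPackage = JSON.parse(text);
  return Object.entries(byPackage).flatMap(([pkg, list]) => list.map((a) => ({
    id: a.id, module: pkg, severity: a.severity, title: a.title,
    reportedBy: 'unknown', exploitability: null, path: '',
  })));
}

// The "filter hook": drop advisories whose id is on an explicit ignore list.
function filterIgnored(advisories, ignoredIds) {
  const ignored = new Set(ignoredIds);
  return advisories.filter((a) => !ignored.has(a.id));
}

// Exit 1 when any advisory is at or above failOn, or when more than maxBelow
// lower-severity advisories remain; otherwise 0, so a CI job can act on it.
function exitCodeFor(advisories, { failOn = 'high', maxBelow = 5 } = {}) {
  const threshold = SEVERITY_RANK[failOn];
  const serious = advisories.filter((a) => (SEVERITY_RANK[a.severity] || 0) >= threshold).length;
  return serious > 0 || advisories.length - serious > maxBelow ? 1 : 0;
}

// Constructed sample input in the Yarn 1 line format (ids, paths, names made up).
const YARN1_SAMPLE = [
  '{"type":"warning","data":"package.json: No license field"}',
  '{"type":"auditAdvisory","data":{"resolution":{"id":1001,"path":"webpack>marked"},"advisory":{"id":1001,"module_name":"marked","severity":"high","title":"Inefficient Regular Expression Complexity in marked","reported_by":null,"metadata":null}}}',
  '{"type":"auditAdvisory","data":{"resolution":{"id":1002,"path":"yargs>yargs-parser"},"advisory":{"id":1002,"module_name":"yargs-parser","severity":"low","title":"Sample low advisory","reported_by":{"name":"Example Reporter"},"metadata":{"exploitability":3}}}}',
  '{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":1,"moderate":0,"high":1,"critical":0}}}',
].join('\n');

// Constructed sample in the Yarn 4 shape (same structure as the issue above).
const YARN4_SAMPLE = JSON.stringify({ semver: [{ id: 2001, title: 'Sample moderate advisory', severity: 'moderate' }] }, null, 2);
```

In a pipeline the exit code returned by exitCodeFor would be passed to process.exit, and the ignore list kept in a reviewed file under version control so that suppressed advisories stay visible.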

fails to generate report

Failed to generate report! Please report this issue to https://github.com/davityavryan/yarn-audit-html/issues
 TypeError: Cannot convert undefined or null to object
    at Function.values (<anonymous>)
    at generateReport (/Users/kevinsullivan/.config/yarn/global/node_modules/yarn-audit-html/lib/reporter.js:67:37)
    at Socket.<anonymous> (/Users/kevinsullivan/.config/yarn/global/node_modules/yarn-audit-html/index.js:62:9)
    at Socket.emit (node:events:377:35)
    at endReadableNT (node:internal/streams/readable:1312:12)
    at processTicksAndRejections (node:internal/process/task_queues:83:21)
[1]    71504 abort      yarn audit --json |
       71505 done       yarn-audit-html
