
npm-audit-report's Introduction

npm audit security report

Given a response from the npm security api, render it into a variety of security reports

The response is an object that contains the rendered report string and a suggested exitCode.

{
  report: 'string that contains the security report',
  exitCode: 1
}

Basic usage example

This is intended to be used along with @npmcli/arborist's AuditReport class.

'use strict'
const Arborist = require('@npmcli/arborist')
const chalk = require('chalk')
const Report = require('npm-audit-report')
const options = {
  reporter: 'json',
  // chalk is a required option (see the options table); level 0 disables colors
  chalk: new chalk.Instance({ level: 0 })
}

const arb = new Arborist({ path: '/path/to/project' })
arb.audit().then(report => {
  // result.report is the rendered output; result.exitCode is the suggested exit status
  const result = new Report(report, options)
  console.log(result.report)
  process.exitCode = result.exitCode
})

Break from Version 1

Version 5 and 6 of the npm CLI make a request to the registry endpoint at either the "Full Audit" endpoint at /-/npm/v1/security/audits or the "Quick Audit" endpoint at /-/npm/v1/security/audits/quick. The Full Audit endpoint calculates remediations necessary to correct problems based on the shape of the tree.

As of npm v7, the logic of how the CLI manages trees has been dramatically rearchitected, rendering many of those remediations invalid. Thus, npm v7 only fetches the advisory data from the Quick Audit endpoint and uses @npmcli/arborist to calculate the required remediations and the affected nodes in the dependency graph. This data is serialized and provided as an "auditReportVersion": 2 object.

Version 2 of this module expects to receive an instance of (or the serialized JSON form of) the AuditReport class from Arborist, which is returned by arborist.audit() and stored on the instance as arborist.auditReport.

Eventually, a new endpoint may be added to move the @npmcli/arborist work to the server-side, in which case version 2 style audit reports may be provided directly.

options

reporter
  values: install, detail, json, quiet
  default: install
  description: specify which output format you want to use

chalk
  values: Chalk instance
  default: required
  description: a Chalk instance to use for colorizing strings. use new chalk.Instance({ level: 0 }) for no colors

unicode
  values: true, false
  default: true
  description: indicates if unicode characters should be used

indent
  values: Number or String
  default: 2
  description: indentation for 'json' report

auditLevel
  values: 'info', 'low', 'moderate', 'high', 'critical', 'none'
  default: low (ie, exit 0 if only info advisories are found)
  description: level of vulnerability that will trigger a non-zero exit code (set to 'none' to always exit with a 0 status code)
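The following is an added example and is not npm-audit-report's own code (nor how its reporters are implemented internally). It reimplements the auditLevel threshold rule that the options table describes, over an "auditReportVersion": 2 object of the shape Arborist serializes, and goes a little beyond the table: it also filters the vulnerabilities map down to a severity threshold and builds a summary line that stays correct when a report contains only info findings or none at all. Everything in SAMPLE_REPORT (package names, counts, the advisory URL) is constructed; the function names are this example's own.

```javascript
'use strict'
// Added example (not npm-audit-report's own code): reimplements the auditLevel
// threshold the options table documents, over an "auditReportVersion": 2 object.

// npm audit severity names, ranked lowest to highest.
const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical']

// True when a finding of severity `sev` is at or above `level`.
// 'none' matches nothing, so nothing can push the exit code to 1.
function meetsLevel (sev, level) {
  if (level === 'none') return false
  const want = SEVERITIES.indexOf(level)
  if (want === -1) throw new Error(`unknown auditLevel: ${level}`)
  return SEVERITIES.indexOf(sev) >= want
}

// Suggested exit code for a v2 report: 1 when metadata.vulnerabilities counts
// at least one finding at or above auditLevel, otherwise 0. The default of
// 'low' mirrors the table: an info-only report exits 0.
function exitCodeFor (report, auditLevel = 'low') {
  if (report.auditReportVersion !== 2) {
    throw new Error('expected an auditReportVersion 2 object')
  }
  const counts = report.metadata.vulnerabilities
  const hit = SEVERITIES.some(s => (counts[s] || 0) > 0 && meetsLevel(s, auditLevel))
  return hit ? 1 : 0
}

// Subset of report.vulnerabilities whose severity is at or above `level`
// (a package's severity is the highest severity among its `via` advisories).
function filterBySeverity (report, level) {
  const kept = {}
  for (const [name, vuln] of Object.entries(report.vulnerabilities)) {
    if (meetsLevel(vuln.severity, level)) kept[name] = vuln
  }
  return kept
}

// One-line summary built from the counts. Collecting the non-zero severities
// first and checking for an empty list is what keeps an info-only report (or a
// clean one) from dereferencing element 0 of an empty array.
function summaryLine (report) {
  const counts = report.metadata.vulnerabilities
  const present = SEVERITIES.filter(s => (counts[s] || 0) > 0)
  if (present.length === 0) return 'found 0 vulnerabilities'
  const total = present.reduce((n, s) => n + counts[s], 0)
  const noun = total === 1 ? 'vulnerability' : 'vulnerabilities'
  return `found ${total} ${noun} (${present.map(s => `${counts[s]} ${s}`).join(', ')})`
}

// Constructed sample in the v2 shape (package names, counts and URL are made up).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser',
      severity: 'moderate',
      isDirect: false,
      via: [{
        source: 0, name: 'example-parser', dependency: 'example-parser',
        title: 'constructed advisory', url: 'https://example.invalid/advisory',
        severity: 'moderate', range: '<2.0.0'
      }],
      effects: ['example-app'],
      range: '<2.0.0',
      nodes: ['node_modules/example-parser'],
      fixAvailable: true
    },
    'example-logger': {
      name: 'example-logger',
      severity: 'info',
      isDirect: true,
      via: [{
        source: 1, name: 'example-logger', dependency: 'example-logger',
        title: 'constructed informational advisory', url: 'https://example.invalid/advisory',
        severity: 'info', range: '<1.1.0'
      }],
      effects: [],
      range: '<1.1.0',
      nodes: ['node_modules/example-logger'],
      fixAvailable: true
    }
  },
  metadata: {
    vulnerabilities: { info: 1, low: 0, moderate: 1, high: 0, critical: 0, total: 2 },
    dependencies: { prod: 3, dev: 0, optional: 0, peer: 0, peerOptional: 0, total: 3 }
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(summaryLine(SAMPLE_REPORT))
  for (const level of ['info', 'low', 'high', 'none']) {
    console.log(`auditLevel=${level} -> exit ${exitCodeFor(SAMPLE_REPORT, level)}`)
  }
}

if (typeof module !== 'undefined') {
  module.exports = { SEVERITIES, meetsLevel, exitCodeFor, filterBySeverity, summaryLine, SAMPLE_REPORT }
}
```

Run with node: with the default auditLevel of 'low' the sample's moderate finding yields exit 1, while 'high' or 'none' yields 0 and the summary line reads "found 2 vulnerabilities (1 info, 1 moderate)". The exit code is derived from metadata.vulnerabilities, so a CI gate built this way is only as good as those counts; the "Wrong vulnerabilities number calculation" issue on this page is the reason to cross-check them against the vulnerabilities map before trusting the number.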

npm-audit-report's People

Contributors

dependabot[bot], evilpacket, github-actions[bot], iarna, isaacs, larsgw, luislobo, lukekarrys, mdix, melkikh, npm-cli-bot, phil-r, ruyadorno, tk120404, turbo87, welwood08, wraithgar, zkat


npm-audit-report's Issues

Add reference or examples of how to get a NSP response.

I tried implementing this for a project of mine but I really can't find how to get an actual response from the NSP API, nothing really seems to mention it anywhere.

For people having the same problems it would really be appreciated if someone posted an actual code example or at least reference pointing out how to get an actual response from it.

Thanks

Allow filtering by severity

It would be nice if reporters took in an optional severity level and only produced output for vulnerabilities at or above that severity level.

[FEATURE] Swap high and critical colors

What / Why

I propose to swap the colors of high and critical counters.

It seems like critical is more important, yet is less visible.

Another potential solution is to color high in yellow / orange (warning), and critical in red.

When

  • n/a

Where

npm audit

How

Current Behavior

  • high count is red
  • critical count is purple


Expected Behavior

  • high count is purple
  • critical count is red

Who

  • n/a

References

  • n/a

Fix high vulnerability

Node version: 8.11.1
NPM version: 6.4.1

Steps to reproduce:

  • Clone the repository
  • Run npm install

It warns that the repository has a high severity vulnerability.

I run npm audit to see what that vulnerability is, and here is the output (image of the output):

To fix it, I run the command npm update cryptiles --depth 5 as recommended and it fixed it (I ran npm test afterwards and everything passes).

TypeError when doing npm install because of npm-audit-report

I recently upgraded to npm v6 and I'm not getting errors coming from this package. Here is the error from the npm verbose log:

69 verbose stack TypeError: Object.entries is not a function
69 verbose stack at Object.report [as install] (/usr/local/lib/node_modules/npm/node_modules/npm-audit-report/reporters/install.js:27:31)
69 verbose stack at Promise (/usr/local/lib/node_modules/npm/node_modules/npm-audit-report/index.js:18:46)
69 verbose stack at report (/usr/local/lib/node_modules/npm/node_modules/npm-audit-report/index.js:17:10)
69 verbose stack at Object.printInstallReport (/usr/local/lib/node_modules/npm/lib/install/audit.js:87:10)
69 verbose stack at Object.Installer.printInstalledForHuman (/usr/local/lib/node_modules/npm/lib/install.js:847:31)
69 verbose stack at Bluebird.try.then (/usr/local/lib/node_modules/npm/lib/install.js:774:19)
69 verbose stack at tryCatcher (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/util.js:16:23)
69 verbose stack at Promise._settlePromiseFromHandler (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:512:31)
69 verbose stack at Promise._settlePromise (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:569:18)
69 verbose stack at Promise._settlePromise0 (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:614:10)
69 verbose stack at Promise._settlePromises (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/promise.js:693:18)
69 verbose stack at Async._drainQueue (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:133:16)
69 verbose stack at Async._drainQueues (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:143:10)
69 verbose stack at Immediate.Async.drainQueues (/usr/local/lib/node_modules/npm/node_modules/bluebird/js/release/async.js:17:14)
69 verbose stack at runCallback (timers.js:672:20)
69 verbose stack at tryOnImmediate (timers.js:645:5)

The offending line is const severities = Object.entries(data.metadata.vulnerabilities).filter((value) => {

OS Info:
Mac OSX Sierra 10.12.6
node: v6.11.4
npm: 6.0.0

What does the N and Y letters mean at the end of npm audit --parseable in npm 6?

Hi, as many other people I'm using npm 6. When I run npm audit --parseable I get a nice tabular output which has Y, N or nothing in the end of each line. Can someone explain to me what that means, because I couldn't figure that out from the source code.

Here is an example of the output:

update  bl  high    npm update bl --depth 4 Remote Memory Exposure  https://npmjs.com/advisories/1555   exceljs>archiver>tar-stream>bl  N
review  cryptiles   high    >=4.1.2 Insufficient Entropy    https://npmjs.com/advisories/1464   uko-solr-client>request>hawk>cryptiles
install exceljs moderate    npm install [email protected]   Cross-Site Scripting    https://npmjs.com/advisories/733    exceljs Y
review  hoek    moderate    > 4.2.0 < 5.0.0 || >= 5.0.3 Prototype Pollution https://npmjs.com/advisories/566    uko-solr-client>request>hawk>boom>hoek

npm audit doesn't pick up CVEs with out-of-date lodash npm modules

bug

Several lodash npm modules are out of date and have serious security vulnerabilities; these are picked up by Sonarcube's Depshield.

See issue YOU54F/template-jest-pact-typescript#40

Vulnerabilities

DepShield reports that this application's usage of lodash.get:4.4.2 results in the following vulnerability(s):

(CVSS 7.4) CWE-471: Modification of Assumed-Immutable Data (MAID)
(CVSS 6.5) [CVE-2018-3721] lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutabl...
Occurrences

lodash.get:4.4.2 is a transitive dependency introduced by the following direct dependency(s):

• swagger-cli:2.2.1
        └─ swagger-parser:6.0.5
              └─ z-schema:3.25.1
                    └─ lodash.get:4.4.2


➜  pact-consumer-example-typescript git:(httpsProviderIssue) ✗ yarn why lodash.isequal
Alias tip: y why lodash.isequal
yarn why v1.12.3
[1/4] 🤔  Why do we have the module "lodash.isequal"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "[email protected]"
info Reasons this module exists
   - "swagger-mock-validator#swagger-parser#z-schema" depends on it
   - Hoisted from "swagger-mock-validator#swagger-parser#z-schema#lodash.isequal"
info Disk size without dependencies: "64KB"
info Disk size with unique dependencies: "64KB"
info Disk size with transitive dependencies: "64KB"
info Number of shared dependencies: 0
✨  Done in 0.41s.

They are failing to publish the modules to npm in a timely fashion, and keep closing down issues relating to these, stating that dependants should cherry-pick modules. There are 3 million downloads per week of the affected lodash.isequal npm module, for example.

https://github.com/lodash/lodash/issues/4171

What is the current behavior?

➜  pact-consumer-example-typescript git:(httpsProviderIssue) ✗ npm audit

                       === npm audit security report ===

found 0 vulnerabilities
 in 478643 scanned packages

What is the expected behavior?

It should warn me about these issues?

➜  pact-consumer-example-typescript git:(httpsProviderIssue) ✗ npm audit

                       === npm audit security report ===

found 2 vulnerabilities
 in 478643 scanned packages

Please mention your node.js, yarn and operating system version.

node v8.15.0
node v6.5.0
osx 10.14.3

[BUG] Wrong vulnerabilities number calculation algorithm in second version of audit report

What / Why

The "metadata -> vulnerabilities" section of the second version of the audit report contains the number of vulnerable packages instead of the number of vulnerabilities.

Actually, the "vulnerabilities" section also contains vulnerable packages instead of vulnerabilities.

There is no longer a "paths" field that showed which dependencies depend on the vulnerable package. The previous version of npm audit used the "paths" field to calculate the number of vulnerabilities. There is a "nodes" field in the second version, but that field does not contain private repo names.

Current Behavior

In the example below, angular2-highcharts depends on the vulnerable highcharts. The installed version of highcharts contains 3 vulnerabilities: 1002707, 1004028, 1004388. The number of high vulnerabilities cannot be equal to 2. The counting algorithm may differ; in my opinion it was implemented correctly in the previous version of npm.

{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "angular2-highcharts": {
      "name": "angular2-highcharts",
      "severity": "high",
      "isDirect": true,
      "via": [
        "highcharts"
      ],
      "effects": [],
      "range": ">=0.0.2",
      "nodes": [
        "node_modules/angular2-highcharts"
      ],
      "fixAvailable": {
        "name": "angular2-highcharts",
        "version": "0.0.1",
        "isSemVerMajor": true
      }
    },
    "highcharts": {
      "name": "highcharts",
      "severity": "high",
      "isDirect": true,
      "via": [
        {
          "source": 1002707,
          "name": "highcharts",
          "dependency": "highcharts",
          "title": "Options structure open to XSS if passed unfiltered",
          "url": "https://github.com/advisories/GHSA-8j65-4pcq-xq95",
          "severity": "high",
          "range": "<9.0.0"
        },
        {
          "source": 1004028,
          "name": "highcharts",
          "dependency": "highcharts",
          "title": "Cross-Site Scripting in highcharts",
          "url": "https://github.com/advisories/GHSA-gr4j-r575-g665",
          "severity": "high",
          "range": "<7.2.2"
        },
        {
          "source": 1004388,
          "name": "highcharts",
          "dependency": "highcharts",
          "title": "Regular Expression Denial of Service in highcharts",
          "url": "https://github.com/advisories/GHSA-xmc8-cjfr-phx3",
          "severity": "high",
          "range": "<6.1.0"
        }
      ],
      "effects": [
        "angular2-highcharts"
      ],
      "range": "<=8.2.2",
      "nodes": [
        "node_modules/angular2-highcharts/node_modules/highcharts",
        "node_modules/highcharts"
      ],
      "fixAvailable": {
        "name": "highcharts",
        "version": "9.2.2",
        "isSemVerMajor": true
      }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 2,
      "critical": 0,
      "total": 2
    },
    "dependencies": {
      "prod": 6,
      "dev": 0,
      "optional": 0,
      "peer": 0,
      "peerOptional": 0,
      "total": 5
    }
  }
}

Expected Behavior

  1. angular2-highcharts should not be shown as a separate vulnerability
  2. "vulnerabilities -> highcharts" should have a "paths" field that shows which dependencies depend on the vulnerable package
  3. "metadata -> vulnerabilities" should be calculated based on the "paths" fields.
    This is how it worked in the previous version of npm (before v7), and it was excellent. Example of audit result using the previous version (v6.14.15):
"advisories": {
    "1002707": {
      "findings": [
        {
          "version": "8.2.2",
          "paths": [
            "highcharts",
            "e7b6fe7845fd9ee2eed0aeb02f8cd56ecdea0b3de226a761cbe847752f0a4ab4>highcharts"
          ]
        },
        {
          "version": "5.0.15",
          "paths": [
            "e7b6fe7845fd9ee2eed0aeb02f8cd56ecdea0b3de226a761cbe847752f0a4ab4>angular2-highcharts>highcharts"
          ]
        }
      ],
      "metadata": null,
      "vulnerable_versions": "<9.0.0",
      "module_name": "highcharts",
      "severity": "high",
      "github_advisory_id": "GHSA-8j65-4pcq-xq95",
      "cves": [
        "CVE-2021-29489"
      ],
      "access": "public",
      "patched_versions": ">=9.0.0",
      "updated": "2021-05-06T15:44:24.000Z",
      "recommendation": "Upgrade to version 9.0.0 or later",
      "cwe": "CWE-79",
      "found_by": null,
      "deleted": null,
      "id": 1002707,
      "references": "- https://github.com/highcharts/highcharts/security/advisories/GHSA-8j65-4pcq-xq95\n- https://nvd.nist.gov/vuln/detail/CVE-2021-29489\n- https://github.com/advisories/GHSA-8j65-4pcq-xq95",
      "created": "2021-10-07T07:31:50.547Z",
      "reported_by": null,
      "title": "Options structure open to XSS if passed unfiltered",
      "npm_advisory_id": null,
      "overview": "### Impact\nIn Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. Especially when using the `useHTML` flag, HTML string options would be inserted unfiltered directly into the DOM. When `useHTML` was false, malicious code could be inserted by using various character replacement tricks or malformed HTML.\n\nIf your chart configuration comes from a trusted source like a static setup or pre-filtered HTML (or no markup at all in the configuration), you are not impacted.\n\n### Patches\nIn version 9, the whole rendering layer was refactored to use an DOMParser, an AST and tag and HTML allow-listing to make sure only safe content entered the DOM. In addition, prototype pollution was stopped.\n\n### Workarounds\nImplementers who are not able to upgrade may apply [DOMPurify](https://github.com/cure53/DOMPurify) recursively [to the options structure](https://jsfiddle.net/highcharts/zd3wcm5L/) to filter out malicious markup.\n\n### References\n* Details on the improved [Highcharts security](https://www.highcharts.com/docs/chart-concepts/security)\n* [The AST and TextBuilder refactoring](https://github.com/highcharts/highcharts/pull/14913)\n* [The fix for prototype pollution](https://github.com/highcharts/highcharts/pull/14884)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Visit our [support page](https://www.highcharts.com/blog/support/)\n* For more Email us at [[email protected]](mailto:[email protected])\n",
      "url": "https://github.com/advisories/GHSA-8j65-4pcq-xq95"
    },
    "1004028": {
      "findings": [
        {
          "version": "5.0.15",
          "paths": [
            "e7b6fe7845fd9ee2eed0aeb02f8cd56ecdea0b3de226a761cbe847752f0a4ab4>angular2-highcharts>highcharts"
          ]
        }
      ],
      "metadata": null,
      "vulnerable_versions": "<7.2.2",
      "module_name": "highcharts",
      "severity": "high",
      "github_advisory_id": "GHSA-gr4j-r575-g665",
      "cves": [],
      "access": "public",
      "patched_versions": ">=7.2.2",
      "updated": "2020-08-25T14:01:39.000Z",
      "recommendation": "Upgrade to version 7.2.2 or later",
      "cwe": "CWE-79",
      "found_by": null,
      "deleted": null,
      "id": 1004028,
      "references": "- https://github.com/highcharts/highcharts/issues/13559\n- https://github.com/advisories/GHSA-gr4j-r575-g665",
      "created": "2021-10-07T07:31:50.673Z",
      "reported_by": null,
      "title": "Cross-Site Scripting in highcharts",
      "npm_advisory_id": null,
      "overview": "Versions of `highcharts` prior to 7.2.2 or 8.1.1 are vulnerable to Cross-Site Scripting (XSS).  The package fails to sanitize `href` values and does not restrict URL schemes, allowing attackers to execute arbitrary JavaScript in a victim's browser if they click the link.",
      "url": "https://github.com/advisories/GHSA-gr4j-r575-g665"
    },
    "1004388": {
      "findings": [
        {
          "version": "5.0.15",
          "paths": [
            "e7b6fe7845fd9ee2eed0aeb02f8cd56ecdea0b3de226a761cbe847752f0a4ab4>angular2-highcharts>highcharts"
          ]
        }
      ],
      "metadata": null,
      "vulnerable_versions": "<6.1.0",
      "module_name": "highcharts",
      "severity": "high",
      "github_advisory_id": "GHSA-xmc8-cjfr-phx3",
      "cves": [
        "CVE-2018-20801"
      ],
      "access": "public",
      "patched_versions": ">=6.1.0",
      "updated": "2019-03-18T15:59:21.000Z",
      "recommendation": "Upgrade to version 6.1.0 or later",
      "cwe": "CWE-185",
      "found_by": null,
      "deleted": null,
      "id": 1004388,
      "references": "- https://nvd.nist.gov/vuln/detail/CVE-2018-20801\n- https://github.com/advisories/GHSA-xmc8-cjfr-phx3",
      "created": "2021-10-07T07:31:50.704Z",
      "reported_by": null,
      "title": "Regular Expression Denial of Service in highcharts",
      "npm_advisory_id": null,
      "overview": "Versions of `highcharts` prior to 6.1.0 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.\n\n\n## Recommendation\n\nUpgrade to version 6.1.0 or higher.",
      "url": "https://github.com/advisories/GHSA-xmc8-cjfr-phx3"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 5,
      "critical": 0
    },
    "dependencies": 39,
    "devDependencies": 0,
    "optionalDependencies": 0,
    "totalDependencies": 39
  }
}

Steps to Reproduce

  1. create package.json
     {
       "name": "npm-audit-bug-example",
       "version": "1.2.12",
       "description": "npm-audit-bug-example",
       "license": "MIT",
       "dependencies": {
         "angular2-highcharts": "^0.5.5",
         "highcharts": "^8.2.0"
       }
     }
  2. run npm install
  3. npm audit --json

Versions

npm -v
8.0.0

Redirecting output to a file includes ANSI color codes

As of npm v6.6.0 redirecting the output of "npm audit" to a file includes the ANSI escape codes to color the output. Prior to that version, redirecting to a file would only include plaintext output.

To reproduce:

# Install something with an audit issue
$ npm install [email protected]
# Redirect audit output to a file
$ npm audit > path/to/log.txt

node v12.6.0 / npm v6.5.0

Date: Mon Jul 22 13:30:53 EDT 2019
node: v12.6.0
npm: 6.5.0
=== npm audit security report ===                        
                                                                                
# Run  npm install [email protected]  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1065                      │
└───────────────┴──────────────────────────────────────────────────────────────┘


found 1 high severity vulnerability in 1 scanned package
  run `npm audit fix` to fix 1 of them.

node v12.6.0 / npm v6.6.0 (first broken version)

Date: Mon Jul 22 13:31:33 EDT 2019
node: v12.6.0
npm: 6.6.0
�[90m                                                                                �[39m
�[90m �[39m                      === npm audit security report ===                       �[90m �[39m
�[90m                                                                                �[39m
# Run  npm install [email protected]  to resolve 1 vulnerability
�[90m┌───────────────�[39m�[90m┬──────────────────────────────────────────────────────────────┐�[39m
�[90m│�[39m High          �[90m│�[39m Prototype Pollution                                          �[90m│�[39m
�[90m├───────────────�[39m�[90m┼──────────────────────────────────────────────────────────────┤�[39m
�[90m│�[39m Package       �[90m│�[39m lodash                                                       �[90m│�[39m
�[90m├───────────────�[39m�[90m┼──────────────────────────────────────────────────────────────┤�[39m
�[90m│�[39m Dependency of �[90m│�[39m lodash                                                       �[90m│�[39m
�[90m├───────────────�[39m�[90m┼──────────────────────────────────────────────────────────────┤�[39m
�[90m│�[39m Path          �[90m│�[39m lodash                                                       �[90m│�[39m
�[90m├───────────────�[39m�[90m┼──────────────────────────────────────────────────────────────┤�[39m
�[90m│�[39m More info     �[90m│�[39m https://npmjs.com/advisories/1065                            �[90m│�[39m
�[90m└───────────────�[39m�[90m┴──────────────────────────────────────────────────────────────┘�[39m


found 1 high severity vulnerability in 1 scanned package
  run `npm audit fix` to fix 1 of them.

node v12.6.0 / npm v6.10.1 (latest)

Date: Mon Jul 22 13:31:09 EDT 2019
node: v12.6.0
npm: 6.10.1
�[90m                                                                                �[39m
�[90m �[39m                      === npm audit security report ===                       �[90m �[39m
�[90m                                                                                �[39m
# Run  npm install [email protected]  to resolve 1 vulnerability
�[90m┌───────────────�[39m�[90m┬──────────────────────────────────────────────────────────────┐�[39m
�[90m│�[39m High          �[90m│�[39m Prototype Pollution                                          �[90m│�[39m
�[90m├───────────────�[39m�[90m┼──────────────────────────────────────────────────────────────┤�[39m
�[90m│�[39m Package       �[90m│�[39m lodash                                                       �[90m│�[39m
�[90m├───────────────�[39m�[90m┼──────────────────────────────────────────────────────────────┤�[39m
�[90m│�[39m Dependency of �[90m│�[39m lodash                                                       �[90m│�[39m
�[90m├───────────────�[39m�[90m┼──────────────────────────────────────────────────────────────┤�[39m
�[90m│�[39m Path          �[90m│�[39m lodash                                                       �[90m│�[39m
�[90m├───────────────�[39m�[90m┼──────────────────────────────────────────────────────────────┤�[39m
�[90m│�[39m More info     �[90m│�[39m https://npmjs.com/advisories/1065                            �[90m│�[39m
�[90m└───────────────�[39m�[90m┴──────────────────────────────────────────────────────────────┘�[39m


found 1 high severity vulnerability in 1 scanned package
  run `npm audit fix` to fix 1 of them.

Was this intentional?

[BUG] handle-info-severity

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When there are only 'info' level vulnerabilities in the reporters/install.js file, the sevs array becomes empty. This leads to a runtime error (npm ERR! undefined is not iterable) on line 38 due to attempting to access the first element of an empty array.

An example of a real use case where you have only info severities is when you use a 3rd-party package manager, e.g. Proget, and manually override the severities and change them to "Ignore". That will turn all severities into info. This can be an appropriate situation when you manually want to ignore dev-only dependencies.

Expected Behavior

The code should handle 'info' severity and avoid empty arrays, preventing runtime errors. Here is a relevant code snippet fix:

const sevs = Object.entries(vulnerabilities).filter(([s, count]) => {
  return (s === 'info' || s === 'low' || s === 'moderate' || s === 'high' || s === 'critical') && count > 0;
});

I expect the npm audit command to run without runtime errors and printout severities that have only info vulnerabilities.

Steps To Reproduce

  1. In this environment:
     • npm: 9.3.1
     • Node: v18.14.0
  2. With this config:
     create new test fixture file only-info.json in test/fixtures:
     {
       "auditReportVersion": 2,
       "vulnerabilities": {
         "minimist": {
           "name": "minimist",
           "severity": "low",
           "via": [
             {
               "id": 1179,
               "url": "https://npmjs.com/advisories/1179",
               "title": "Prototype Pollution",
               "severity": "low",
               "vulnerable_versions": "<0.2.1 || >=1.0.0 <1.2.3"
             }
           ],
           "effects": [],
           "range": "<0.2.1 || >=1.0.0 <1.2.3",
           "nodes": ["node_modules/minimist"],
           "fixAvailable": true
         }
       },
       "metadata": {
         "vulnerabilities": {
           "info": 1,
           "low": 0,
           "moderate": 0,
           "high": 0,
           "critical": 0,
           "total": 1
         },
         "dependencies": {
           "prod": 1,
           "dev": 0,
           "optional": 0,
           "peer": 0,
           "peerOptional": 0,
           "total": 1
         }
       }
     }

  3. Run TAP_SNAPSHOT=1 npm run test and only npm test after that

  4. See error
     npm ERR! undefined is not iterable (cannot read property Symbol(Symbol.iterator))

Environment

  • npm: 9.3.1
  • Node: v18.14.0
  • OS: Linux
  • platform: Desktop PC

add .auditrc same as .nsprc

Hi there, thx for this tool

I want to be notified about new vulnerabilities but don't want to be notified about already known vulnerabilities or vulnerabilities in devDependencies, so I want to be able to disable them one by one.

information missing in npm7 audit report

What / Why

We're using the npm audit json output to import all findings into Defect Dojo, a vulnerability aggregation tool similar to ThreadFix.
The "old" pre-v7 json report contained descriptive fields to inform the user of the vulnerability found, how to mitigate it and where to find more info and/or git commits.
Some of this information is missing in v7, rendering the information in the json report to be of less use.

v6 output for 1227

    "1227": {
      "findings": [
        {
          "version": "7.2.0",
          "paths": [
            "highcharts"
          ]
        }
      ],
      "id": 1227,
      "created": "2019-10-23T15:06:43.368Z",
      "updated": "2020-08-25T13:40:59.771Z",
      "deleted": null,
      "title": "Cross-Site Scripting",
      "found_by": {
        "link": "",
        "name": "François Lajeunesse-Robert",
        "email": ""
      },
      "reported_by": {
        "link": "",
        "name": "François Lajeunesse-Robert",
        "email": ""
      },
      "module_name": "highcharts",
      "cves": [],
      "vulnerable_versions": "<7.2.2 || >=8.0.0 <8.1.1",
      "patched_versions": ">=7.2.2 <8.0.0 || >=8.1.1",
      "overview": "Versions of `highcharts` prior to 7.2.2 or 8.1.1 are vulnerable to Cross-Site Scripting (XSS).  The package fails to sanitize `href` values and does not restrict URL schemes, allowing attackers to execute arbitrary JavaScript in a victim's browser if they click the link.",
      "recommendation": "Upgrade to version 7.2.2, 8.1.1 or later.",
      "references": "- [GitHub Issue](https://github.com/highcharts/highcharts/issues/13559)",
      "access": "public",
      "severity": "high",
      "cwe": "CWE-79",
      "metadata": {
        "module_type": "",
        "exploitability": 5,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1227"
    },

npm7 output:

    "highcharts": {
      "name": "highcharts",
      "severity": "high",
      "via": [
        {
          "source": 1227,
          "name": "highcharts",
          "dependency": "highcharts",
          "title": "Cross-Site Scripting",
          "url": "https://npmjs.com/advisories/1227",
          "severity": "high",
          "range": "<7.2.2 || >=8.0.0 <8.1.1"
        }
      ],
      "effects": [],
      "range": "<7.2.2 || >=8.0.0 <8.1.1",
      "nodes": [
        "node_modules/highcharts"
      ],
      "fixAvailable": true
    },

Fields that are missing and which we are using / wanting back:

      "created": "2019-10-23T15:06:43.368Z",
      "updated": "2020-08-25T13:40:59.771Z",
      "cves": [],
      "patched_versions": ">=7.2.2 <8.0.0 || >=8.1.1",
      "overview": "Versions of `highcharts` prior to 7.2.2 or 8.1.1 are vulnerable to Cross-Site Scripting (XSS).  The package fails to sanitize `href` values and does not restrict URL schemes, allowing attackers to execute arbitrary JavaScript in a victim's browser if they click the link.",
      "recommendation": "Upgrade to version 7.2.2, 8.1.1 or later.",
      "references": "- [GitHub Issue](https://github.com/highcharts/highcharts/issues/13559)",
      "cwe": "CWE-79",
      "exploitability": 5,

Note: cves is empty for 1227 anyway, but for example 1518 has CVEs, and they are absent in the npm7 output.

Steps to Reproduce

run npm audit --json with v6 and then v7 and observe the output difference

Expected Behavior

We are currently using the missing fields and I expect other tooling to use them too.
Suggested behaviour is to reinstate the fields mentioned above.
