Merge pull request #175 from AlexHladin/add-npm7-support

Add npm7 support

Author: quinnturner

lib/Model.js

@@ -44,30 +44,53 @@ class Model {
       return;
     }
 
-    advisory.findings.forEach((finding) =>
-      finding.paths.forEach((path) => {
-        if (this.allowlist.paths.includes(`${advisory.id}|${path}`)) {
-          this.allowlistedPathsFound.push(`${advisory.id}|${path}`);
-        }
-      })
+    this.allowlistedPathsFound.push(
+      ...advisory.findings
+        .map((finding) => `${advisory.id}|${finding.paths}`)
+        .filter((path) => this.allowlist.paths.includes(path))
     );
 
-    if (
-      advisory.findings.every((finding) =>
-        finding.paths.every((path) =>
-          this.allowlist.paths.includes(`${advisory.id}|${path}`)
-        )
+    const isAllowListed = advisory.findings.every((finding) =>
+      finding.paths.every((path) =>
+        this.allowlist.paths.includes(`${advisory.id}|${path}`)
       )
-    ) {
+    );
+
+    if (isAllowListed) {
       return;
     }
 
     this.advisoriesFound.push(advisory);
   }
 
   load(parsedOutput) {
-    Object.values(parsedOutput.advisories).forEach((a) => this.process(a));
+    // only for npm ver. 6
+    if (parsedOutput.advisories) {
+      Object.values(parsedOutput.advisories).forEach((a) => this.process(a));
+      return this.getSummary();
+    }
 
+    // only for npm ver. 7
+    Object.keys(parsedOutput.vulnerabilities)
+      .map((key, index) => {
+        const vulnerability = parsedOutput.vulnerabilities[key];
+        let { via } = vulnerability;
+
+        if (typeof via[0] === "string") {
+          via = parsedOutput.vulnerabilities[via[0]].via;
+          (via[index] || via[0]).paths = `${vulnerability.name}>${
+            (via[index] || via[0]).name
+          }`;
+        }
+        return {
+          id: (via[index] || via[0]).source,
+          module_name: vulnerability.name,
+          severity: vulnerability.severity,
+          nodes: vulnerability.nodes,
+          findings: via.map((v) => ({ paths: [v.paths || v.name] })),
+        };
+      })
+      .forEach((a) => this.process(a));
     return this.getSummary();
   }
 

lib/common.js

@@ -78,14 +78,25 @@ function runProgram(command, args, options, stdoutListener, stderrListener) {
       eventStream.mapSync((data) => {
         if (!data) return;
         try {
+          // due to response without error
+          if (data.message && data.message.includes("ENOTFOUND")) {
+            stderrListener(data.message);
+            return;
+          }
+          if (data.statusCode === 404) {
+            stderrListener(data.message);
+            return;
+          }
+
           stdoutListener(data);
         } catch (error) {
           stderrListener(error);
         }
       })
     );
-  return new Promise((resolve) => {
+  return new Promise((resolve, reject) => {
     proc.on("close", () => resolve());
+    proc.on("error", (error) => reject(error));
   });
 }
 

lib/npm-auditer.js

@@ -40,13 +40,14 @@ function printReport(parsedOutput, levels, reportType) {
       printReportObj("NPM audit report JSON:", parsedOutput);
       break;
     case "important": {
-      const relevantAdvisories = Object.keys(parsedOutput.advisories).reduce(
+      const advisories =
+        parsedOutput.auditReportVersion === 2
+          ? parsedOutput.vulnerabilities
+          : parsedOutput.advisories;
+      const relevantAdvisories = Object.keys(advisories).reduce(
         (acc, advisory) =>
-          levels[parsedOutput.advisories[advisory].severity]
-            ? {
-                [advisory]: parsedOutput.advisories[advisory],
-                ...acc,
-              }
+          levels[advisories[advisory].severity]
+            ? { [advisory]: advisories[advisory], ...acc }
             : acc,
         {}
       );
@@ -67,6 +68,13 @@ function printReport(parsedOutput, levels, reportType) {
   }
 }
 
+function report(parsedOutput, config, reporter) {
+  printReport(parsedOutput, config.levels, config["report-type"]);
+  const model = new Model(config);
+  const summary = model.load(parsedOutput);
+  return reporter(summary, config, parsedOutput);
+}
+
 /**
  * Audit your NPM project!
  *
@@ -86,10 +94,10 @@ async function audit(config, reporter = reportAudit) {
     const { code, summary } = parsedOutput.error;
     throw new Error(`code ${code}: ${summary}`);
   }
-  printReport(parsedOutput, config.levels, config["report-type"]);
-  const model = new Model(config);
-  const summary = model.load(parsedOutput);
-  return reporter(summary, config, parsedOutput);
+  return report(parsedOutput, config, reporter);
 }
 
-module.exports = { audit };
+module.exports = {
+  audit,
+  report,
+};

test/common.js

@@ -1,3 +1,6 @@
+const path = require("path");
+const Allowlist = require("../lib/allowlist");
+
 function summaryWithDefault(additions = {}) {
   const summary = {
     allowlistedModulesFound: [],
@@ -12,4 +15,31 @@ function summaryWithDefault(additions = {}) {
   return { ...summary, ...additions };
 }
 
-module.exports = { summaryWithDefault };
+function config(additions) {
+  const defaultConfig = {
+    levels: {
+      low: false,
+      moderate: false,
+      high: false,
+      critical: false,
+    },
+    "report-type": "important",
+    allowlist: new Allowlist(),
+    "show-not-found": false,
+    "retry-count": 5,
+    directory: "./",
+    registry: undefined,
+    "pass-enoaudit": false,
+  };
+  return { ...defaultConfig, ...additions };
+}
+
+function testDir(s) {
+  return path.resolve(__dirname, s);
+}
+
+module.exports = {
+  summaryWithDefault,
+  config,
+  testDir,
+};

test/npm-allowlisted-path/npm-output.json

@@ -0,0 +1,159 @@
+{
+  "actions": [
+    {
+      "isMajor": false,
+      "action": "install",
+      "resolves": [
+        {
+          "id": 880,
+          "path": "axios",
+          "dev": false,
+          "optional": false,
+          "bundled": false
+        },
+        {
+          "id": 1594,
+          "path": "axios",
+          "dev": false,
+          "optional": false,
+          "bundled": false
+        }
+      ],
+      "module": "axios",
+      "target": "0.21.1"
+    },
+    {
+      "isMajor": false,
+      "action": "install",
+      "resolves": [
+        {
+          "id": 880,
+          "path": "github-build>axios",
+          "dev": false,
+          "optional": false,
+          "bundled": false
+        },
+        {
+          "id": 1594,
+          "path": "github-build>axios",
+          "dev": false,
+          "optional": false,
+          "bundled": false
+        }
+      ],
+      "module": "github-build",
+      "target": "1.2.2"
+    }
+  ],
+  "advisories": {
+    "880": {
+      "findings": [
+        {
+          "version": "0.15.3",
+          "paths": [
+            "axios"
+          ]
+        },
+        {
+          "version": "0.15.3",
+          "paths": [
+            "github-build>axios"
+          ]
+        }
+      ],
+      "id": 880,
+      "created": "2019-05-06T19:14:45.155Z",
+      "updated": "2019-06-03T17:55:10.532Z",
+      "deleted": null,
+      "title": "Denial of Service",
+      "found_by": {
+        "link": "https://nornagon.net/",
+        "name": "Jeremy Apthorp"
+      },
+      "reported_by": {
+        "link": "https://nornagon.net/",
+        "name": "Jeremy Apthorp"
+      },
+      "module_name": "axios",
+      "cves": [],
+      "vulnerable_versions": "<0.18.1",
+      "patched_versions": ">=0.18.1",
+      "overview": "Versions of `axios` prior to 0.18.1 are vulnerable to Denial of Service. If a request exceeds the `maxContentLength` property, the package prints an error but does not stop the request. This may cause high CPU usage and lead to Denial of Service.",
+      "recommendation": "Upgrade to 0.18.1 or later.",
+      "references": "- [Github Issue](https://github.com/axios/axios/issues/1098)\n- [Snyk Report](https://snyk.io/vuln/SNYK-JS-AXIOS-174505)",
+      "access": "public",
+      "severity": "moderate",
+      "cwe": "CWE-400",
+      "metadata": {
+        "module_type": "",
+        "exploitability": 4,
+        "affected_components": ""
+      },
+      "url": "https://npmjs.com/advisories/880"
+    },
+    "1594": {
+      "findings": [
+        {
+          "version": "0.15.3",
+          "paths": [
+            "axios"
+          ]
+        },
+        {
+          "version": "0.15.3",
+          "paths": [
+            "github-build>axios"
+          ]
+        }
+      ],
+      "id": 1594,
+      "created": "2021-01-04T21:04:59.346Z",
+      "updated": "2021-01-04T21:05:54.214Z",
+      "deleted": null,
+      "title": "Server-Side Request Forgery",
+      "found_by": {
+        "link": "",
+        "name": "Anonymous",
+        "email": ""
+      },
+      "reported_by": {
+        "link": "",
+        "name": "Anonymous",
+        "email": ""
+      },
+      "module_name": "axios",
+      "cves": [
+        "CVE-2020-28168"
+      ],
+      "vulnerable_versions": "<0.21.1",
+      "patched_versions": ">=0.21.1",
+      "overview": "The `axios` NPM package before 0.21.1 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.",
+      "recommendation": "Upgrade to 0.21.1 or later.",
+      "references": "- [Github Issue](https://github.com/axios/axios/issues/3369)\n- [Fix commit](https://github.com/axios/axios/commit/c7329fefc890050edd51e40e469a154d0117fc55)\n- [GitHub Advisory](https://github.com/advisories/GHSA-4w2v-q235-vp99)\n- [Snyk Report](https://snyk.io/vuln/SNYK-JS-AXIOS-1038255)",
+      "access": "public",
+      "severity": "high",
+      "cwe": "CWE-918",
+      "metadata": {
+        "module_type": "",
+        "exploitability": 5,
+        "affected_components": ""
+      },
+      "url": "https://npmjs.com/advisories/1594"
+    }
+  },
+  "muted": [],
+  "metadata": {
+    "vulnerabilities": {
+      "info": 0,
+      "low": 0,
+      "moderate": 2,
+      "high": 2,
+      "critical": 0
+    },
+    "dependencies": 8,
+    "devDependencies": 0,
+    "optionalDependencies": 0,
+    "totalDependencies": 8
+  },
+  "runId": "392f2772-b277-43ce-a5a4-3351f5e082f8"
+}