feat: support yarn v2 (#171)

* feat: support yarn v2

Since Yarn Berry uses NPM for audits, the Yarn auditer is not supported.
Yarn Classic uses a JSON-lines format for audit results.

Yarn Berry audit cmd: `yarn npm audit --all --recursive --json`

The following work is still required:

- Make Yarn Berry audits use npm-auditer.js logic for runProgram
- Have the Yarn Berry tests detect that Yarn Berry should be used
(unknown reason why it thinks it's Yarn Classic)

* docs: Add support for Yarn Berry in README

* fix: pass cwd to yarn version check

* fix: skip yarn berry tests on incompatible node versions

Co-authored-by: Quinn Turner <[email protected]>

Author: jdanil

README.md

@@ -10,8 +10,8 @@ threshold while ignoring allowlisted advisories.
 
 ## Requirements
 
-- Node >= 8
-- _(Optional)_ Yarn >= 1.12.3 && Yarn < 2
+- Node >=8 (except Yarn Berry, which requires Node >=12.13.0)
+- _(Optional)_ Yarn ^1.12.3 || Yarn >=2.4.0
 
 ## Set up
 

lib/yarn-auditer.js

@@ -4,21 +4,35 @@ const { blue, red, yellow } = require("./colors");
 const { reportAudit, runProgram } = require("./common");
 const Model = require("./Model");
 
-const MINIMUM_YARN_VERSION = "1.12.3";
+const MINIMUM_YARN_CLASSIC_VERSION = "1.12.3";
+const MINIMUM_YARN_BERRY_VERSION = "2.4.0";
 /**
  * Change this to the appropriate version when
  * yarn audit --registry is supported:
  * @see https://github.com/yarnpkg/yarn/issues/7012
  */
 const MINIMUM_YARN_AUDIT_REGISTRY_VERSION = "99.99.99";
 
-function getYarnVersion() {
-  const version = childProcess.execSync("yarn -v").toString().replace("\n", "");
+function getYarnVersion(cwd) {
+  const version = childProcess
+    .execSync("yarn -v", { cwd })
+    .toString()
+    .replace("\n", "");
   return version;
 }
 
+function yarnSupportsClassicAudit(yarnVersion) {
+  return semver.satisfies(yarnVersion, `^${MINIMUM_YARN_CLASSIC_VERSION}`);
+}
+
+function yarnSupportsBerryAudit(yarnVersion) {
+  return semver.gte(yarnVersion, MINIMUM_YARN_BERRY_VERSION);
+}
+
 function yarnSupportsAudit(yarnVersion) {
-  return semver.gte(yarnVersion, MINIMUM_YARN_VERSION);
+  return (
+    yarnSupportsClassicAudit(yarnVersion) || yarnSupportsBerryAudit(yarnVersion)
+  );
 }
 
 function yarnAuditSupportsRegistry(yarnVersion) {
@@ -44,23 +58,25 @@ async function audit(config, reporter = reportAudit) {
   let missingLockFile = false;
   const model = new Model(config);
 
-  const yarnVersion = getYarnVersion();
+  const yarnVersion = getYarnVersion(config.directory);
   const isYarnVersionSupported = yarnSupportsAudit(yarnVersion);
   if (!isYarnVersionSupported) {
     throw new Error(
-      `Yarn ${yarnVersion} not supported, must be >=${MINIMUM_YARN_VERSION}`
+      `Yarn ${yarnVersion} not supported, must be ^${MINIMUM_YARN_CLASSIC_VERSION} or >=${MINIMUM_YARN_BERRY_VERSION}`
     );
   }
+  const isYarnClassic = yarnSupportsClassicAudit(yarnVersion);
+  const yarnName = isYarnClassic ? `Yarn` : `Yarn Berry`;
 
   switch (reportType) {
     case "full":
-      console.log(blue, "Yarn audit report JSON:");
+      console.log(blue, `${yarnName} audit report JSON:`);
       break;
     case "important":
-      console.log(blue, "Yarn audit report results:");
+      console.log(blue, `${yarnName} audit report results:`);
       break;
     case "summary":
-      console.log(blue, "Yarn audit report summary:");
+      console.log(blue, `${yarnName} audit report summary:`);
       break;
     default:
       throw new Error(
@@ -80,21 +96,33 @@ async function audit(config, reporter = reportAudit) {
       };
       break;
     case "important":
-      printAuditData = ({ type, data }) => {
-        if (
-          (type === "auditAdvisory" && levels[data.advisory.severity]) ||
-          type === "auditSummary"
-        ) {
-          printJson(data);
-        }
-      };
+      if (isYarnClassic) {
+        printAuditData = ({ type, data }) => {
+          if (
+            (type === "auditAdvisory" && levels[data.advisory.severity]) ||
+            type === "auditSummary"
+          ) {
+            printJson(data);
+          }
+        };
+      } else {
+        printAuditData = ({ metadata }) => {
+          printJson(metadata);
+        };
+      }
       break;
     case "summary":
-      printAuditData = ({ type, data }) => {
-        if (type === "auditSummary") {
-          printJson(data);
-        }
-      };
+      if (isYarnClassic) {
+        printAuditData = ({ type, data }) => {
+          if (type === "auditSummary") {
+            printJson(data);
+          }
+        };
+      } else {
+        printAuditData = ({ metadata }) => {
+          printJson(metadata);
+        };
+      }
       break;
     default:
       throw new Error(
@@ -104,19 +132,27 @@ async function audit(config, reporter = reportAudit) {
 
   function outListener(line) {
     try {
-      const { type, data } = line;
-      printAuditData(line);
+      if (isYarnClassic) {
+        const { type, data } = line;
+        printAuditData(line);
 
-      if (type === "info" && data === "No lockfile found.") {
-        missingLockFile = true;
-        return;
-      }
+        if (type === "info" && data === "No lockfile found.") {
+          missingLockFile = true;
+          return;
+        }
 
-      if (type !== "auditAdvisory") {
-        return;
-      }
+        if (type !== "auditAdvisory") {
+          return;
+        }
 
-      model.process(data.advisory);
+        model.process(data.advisory);
+      } else {
+        printAuditData(line);
+
+        Object.values(line.advisories).forEach((advisory) => {
+          model.process(advisory);
+        });
+      }
     } catch (err) {
       console.error(red, `ERROR: Cannot JSONStream.parse response:`);
       console.error(line);
@@ -133,7 +169,9 @@ async function audit(config, reporter = reportAudit) {
     }
   }
   const options = { cwd: config.directory };
-  const args = ["audit", "--json"];
+  const args = isYarnClassic
+    ? ["audit", "--json"]
+    : ["npm", "audit", "--all", "--recursive", "--json"];
   if (registry) {
     const auditRegistrySupported = yarnAuditSupportsRegistry(yarnVersion);
     if (auditRegistrySupported) {

test/yarn-auditer.js

@@ -1,5 +1,7 @@
 const { expect } = require("chai");
+const childProcess = require("child_process");
 const path = require("path");
+const semver = require("semver");
 const audit = require("../lib/audit").bind(null, "yarn");
 const Allowlist = require("../lib/allowlist");
 const { summaryWithDefault } = require("./common");
@@ -27,6 +29,11 @@ function testDir(s) {
   return path.resolve(__dirname, s);
 }
 
+const canRunYarnBerry = semver.gte(
+  childProcess.execSync("node -v").toString().replace("\n", ""),
+  "12.13.0"
+);
+
 // To modify what slow times are, need to use
 // function() {} instead of () => {}
 describe("yarn-auditer", function testYarnAuditer() {
@@ -198,6 +205,56 @@ describe("yarn-auditer", function testYarnAuditer() {
       (_summary) => _summary
     );
   });
+  (canRunYarnBerry ? it : it.skip)(
+    "[Yarn Berry] reports important info with moderate severity",
+    async () => {
+      const summary = await audit(
+        config({
+          directory: testDir("yarn-berry-moderate"),
+          levels: { moderate: true },
+          "report-type": "important",
+        }),
+        (_summary) => _summary
+      );
+      expect(summary).to.eql(
+        summaryWithDefault({
+          failedLevelsFound: ["moderate"],
+          advisoriesFound: [658],
+        })
+      );
+    }
+  );
+  (canRunYarnBerry ? it : it.skip)(
+    "[Yarn Berry] does not report moderate severity if it set to false",
+    async () => {
+      const summary = await audit(
+        config({
+          directory: testDir("yarn-berry-moderate"),
+          levels: { moderate: false },
+        }),
+        (_summary) => _summary
+      );
+      expect(summary).to.eql(summaryWithDefault());
+    }
+  );
+  (canRunYarnBerry ? it : it.skip)(
+    "[Yarn Berry] ignores an advisory if it is allowlisted",
+    async () => {
+      const summary = await audit(
+        config({
+          directory: testDir("yarn-berry-moderate"),
+          levels: { moderate: true },
+          allowlist: new Allowlist([658]),
+        }),
+        (_summary) => _summary
+      );
+      expect(summary).to.eql(
+        summaryWithDefault({
+          allowlistedAdvisoriesFound: [658],
+        })
+      );
+    }
+  );
   // it('prints unexpected https://registry.yarnpkg.com 503 error message', () => {
   //   const directory = testDir('yarn-503');
   //   const errorMessagePath = path.resolve(directory, 'error-message');

test/yarn-berry-low/.yarn/install-state.gz

@@ -0,0 +1,3 @@
+// Rather than have a bunch of yarn-berry.cjs of different versions,
+// we can specify a single yarn-berry.cjs and require the file for each package.
+module.exports = require("../../../yarn-berry.cjs");

test/yarn-berry-low/.yarn/releases/yarn-berry.cjs

@@ -0,0 +1 @@
+yarnPath: ".yarn/releases/yarn-berry.cjs"

test/yarn-berry-low/.yarnrc.yml

@@ -0,0 +1,13 @@
+# Yarn Berry tests
+
+When creating Yarn Berry tests, there are several files and folders that may generate that are not necessary for auditing using `yarn npm audit --all --recursive --json`.
+
+- .pnp.js
+
+- .yarn/cache
+
+Consider manually deleting them before committing.
+
+Also, the `.yarn/releases/yarn-berry.cjs` file in each project re-exports the `yarn-berry.cjs` file at the root of tests.
+Re-exporting the file reduces duplication and version mismatching for tests.
+Currently, this project is set up to use the latest version v2.4.0 (at the time of writing this, Dec 6th, 2020).

test/yarn-berry-low/README.md

@@ -0,0 +1,7 @@
+{
+  "name": "audit-ci-yarn-berry-low-vulnerability",
+  "description": "Test package.json with low vulnerability",
+  "dependencies": {
+    "micromatch": "2.3.0"
+  }
+}