14 个不稳定版本 (4 个重大更改)
| 0.5.0 | 2019年7月26日 |
|---|---|
| 0.4.3 | 2019年2月28日 |
| 0.3.0 | 2018年10月17日 |
| 0.2.5 | 2018年9月26日 |
| 0.1.1 | 2018年9月20日 |
#206 in 测试
每月下载 43 次
37KB
398 行
audit-filter
audit-filter 接收 npm audit --json 和一个 nsp rc 配置文件(无注释)的输出,并根据 nsp 离线异常格式过滤警告(请参阅使用示例)。
这提供了从 nsp check 迁移到 npm audit 的路径,并允许项目在 CI 管道中使用 npm audit 而不是屏蔽所有警告(例如,使用 npm audit || true)。
安装
要求
- node 8.x 或 10.x
- npm@6(用于
--json支持和新版 package-lock.json 格式)
本地 NPM 包
-
运行
npm install --save-dev audit-filter将其添加为开发依赖项 -
在
package.json中需要带有npm audit支持的 npm 版本,例如。
{
...
"engines": {
"node": ">=8",
"npm": ">=6.4.1"
},
...
}
- 添加一个名为
.nsprc的空异常文件
{
"exceptions": [
]
}
- 可选,添加一个 npm 脚本命令
{
"scripts": {
"lint:deps": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-"
...
}
...
"devDependencies": {
"audit-filter": "0.3.0"
},
...
}
并通过以下命令测试: npm run lint:deps 或 npm run-script lint:deps
- 可选地,设置“npm audit退出的最低漏洞等级”,以非零退出码退出,方法如下:
npm config audit level ('low', 'moderate', 'high', 'critical')
全局NPM包
npm install -g audit-filter
Cargo
cargo install audit-filter
用法
注意:所有命令均在项目根目录下运行
$ audit-filter -h
audit-filter filters the output of "npm audit --json"
Usage:
audit-filter [--json] [--audit=<->] [--nsp-config=<.nsprc>]
audit-filter (-h | --help | --version)
Options:
-h --help Show this screen.
--version Show version.
--json Output subset of JSON for the unfiltered advisories as an array.
--audit=<audit> NPM Audit JSON file [default: -].
--nsp-config=<config> Default filter config [default: .nsprc].
$ cd audit-filter/example/
$ cat package.json
{
"dependencies": {
"moment": "2.19.2",
"restify": "7.0.0"
},
"devDependencies": {
"audit-filter": "0.3.0",
"lodash": "^4.0.0"
},
"engines": {
"node": ">=8",
"npm": ">=6.4.1"
},
"scripts": {
"lint:deps": "npm audit --json | audit-filter --nsp-config=.nsprc --audit=-"
}
}
$ npm --version
6.7.0
$ npm audit
[90m [39m
[90m [39m === npm audit security report === [90m [39m
[90m [39m
# Run npm install [email protected] to resolve 1 vulnerability
[90m┌───────────────[39m[90m┬──────────────────────────────────────────────────────────────┐[39m
[90m│[39m Low [90m│[39m Regular Expression Denial of Service [90m│[39m
[90m├───────────────[39m[90m┼──────────────────────────────────────────────────────────────┤[39m
[90m│[39m Package [90m│[39m moment [90m│[39m
[90m├───────────────[39m[90m┼──────────────────────────────────────────────────────────────┤[39m
[90m│[39m Dependency of [90m│[39m moment [90m│[39m
[90m├───────────────[39m[90m┼──────────────────────────────────────────────────────────────┤[39m
[90m│[39m Path [90m│[39m moment [90m│[39m
[90m├───────────────[39m[90m┼──────────────────────────────────────────────────────────────┤[39m
[90m│[39m More info [90m│[39m https://npmjs.net.cn/advisories/532 [90m│[39m
[90m└───────────────[39m[90m┴──────────────────────────────────────────────────────────────┘[39m
# Run npm install --save-dev [email protected] to resolve 1 vulnerability
[90m┌───────────────[39m[90m┬──────────────────────────────────────────────────────────────┐[39m
[90m│[39m Low [90m│[39m Prototype Pollution [90m│[39m
[90m├───────────────[39m[90m┼──────────────────────────────────────────────────────────────┤[39m
[90m│[39m Package [90m│[39m lodash [90m│[39m
[90m├───────────────[39m[90m┼──────────────────────────────────────────────────────────────┤[39m
[90m│[39m Dependency of [90m│[39m lodash [dev] [90m│[39m
[90m├───────────────[39m[90m┼──────────────────────────────────────────────────────────────┤[39m
[90m│[39m Path [90m│[39m lodash [90m│[39m
[90m├───────────────[39m[90m┼──────────────────────────────────────────────────────────────┤[39m
[90m│[39m More info [90m│[39m https://npmjs.net.cn/advisories/577 [90m│[39m
[90m└───────────────[39m[90m┴──────────────────────────────────────────────────────────────┘[39m
# Run npm update moment --depth 3 to resolve 1 vulnerability
[90m┌───────────────[39m[90m┬──────────────────────────────────────────────────────────────┐[39m
[90m│[39m Low [90m│[39m Regular Expression Denial of Service [90m│[39m
[90m├───────────────[39m[90m┼──────────────────────────────────────────────────────────────┤[39m
[90m│[39m Package [90m│[39m moment [90m│[39m
[90m├───────────────[39m[90m┼──────────────────────────────────────────────────────────────┤[39m
[90m│[39m Dependency of [90m│[39m restify [90m│[39m
[90m├───────────────[39m[90m┼──────────────────────────────────────────────────────────────┤[39m
[90m│[39m Path [90m│[39m restify > bunyan > moment [90m│[39m
[90m├───────────────[39m[90m┼──────────────────────────────────────────────────────────────┤[39m
[90m│[39m More info [90m│[39m https://npmjs.net.cn/advisories/532 [90m│[39m
[90m└───────────────[39m[90m┴──────────────────────────────────────────────────────────────┘[39m
found 3 low severity vulnerabilities in 137 scanned packages
run `npm audit fix` to fix 3 of them.
$ echo $?
1
$ cat .nsprc
{
"exceptions": [
"https://npmjs.net.cn/advisories/532",
"https://npmjs.net.cn/advisories/577"
]
}
$ npm audit --json | audit-filter
No advisories found after filtering.
$ echo $?
0
$ # Alternatively specify audit and config file paths (note: errors print to stderr)
$ cd .. && audit-filter --nsp-config tests/fixtures/screenshots-0191b17d3bac5de51efa7acbaa0d52bb26c91573-nsprc.json --audit tests/fixtures/screenshots-0191b17d3bac5de51efa7acbaa0d52bb26c91573-npm-6.4.1-audit.json
Unfiltered advisories:
https://nodesecurity.io/advisories/118
https://nodesecurity.io/advisories/534
https://nodesecurity.io/advisories/681
$ echo $?
1
$ # use --json for JSON output
$ audit-filter --json --nsp-config tests/fixtures/screenshots-0191b17d3bac5de51efa7acbaa0d52bb26c91573-nsprc.json --audit tests/fixtures/screenshots-0191b17d3bac5de51efa7acbaa0d52bb26c91573-npm-6.4.1-audit.json
[
{
"findings": [
{
"version": "2.0.10",
"paths": [
"istanbul-middleware>archiver>glob>minimatch"
],
"dev": true,
"optional": false,
"bundled": false
}
],
"id": 118,
"title": "Regular Expression Denial of Service",
"module_name": "minimatch",
"overview": "Affected versions of `minimatch` are vulnerable to regular expression denial of service attacks when user input is passed into the `pattern` argument of `minimatch(path, pattern)`.\n\n\n## Proof of Concept\n```\nvar minimatch = require(“minimatch”);\n\n// utility function for generating long strings\nvar genstr = function (len, chr) {\n var result = “”;\n for (i=0; i<=len; i++) {\n result = result + chr;\n }\n return result;\n}\n\nvar exploit = “[!” + genstr(1000000, “\\\\”) + “A”;\n\n// minimatch exploit.\nconsole.log(“starting minimatch”);\nminimatch(“foo”, exploit);\nconsole.log(“finishing minimatch”);\n```",
"recommendation": "Update to version 3.0.2 or later.",
"severity": "high",
"url": "https://nodesecurity.io/advisories/118"
},
{
"findings": [
{
"version": "2.2.0",
"paths": [
"istanbul-middleware>body-parser>debug"
],
"dev": true,
"optional": false,
"bundled": false
}
],
"id": 534,
"title": "Regular Expression Denial of Service",
"module_name": "debug",
"overview": "Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. \n\nAs it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.",
"recommendation": "Version 2.x.x: Update to version 2.6.9 or later.\nVersion 3.x.x: Update to version 3.1.0 or later.\n",
"severity": "low",
"url": "https://nodesecurity.io/advisories/534"
},
{
"findings": [
{
"version": "0.4.7",
"paths": [
"jpm>firefox-profile>adm-zip",
"web-ext>firefox-profile>adm-zip"
],
"dev": false,
"optional": false,
"bundled": false
}
],
"id": 681,
"title": "Arbitrary File Write via Archive Extraction",
"module_name": "adm-zip",
"overview": "Versions of `adm-zip` before 0.4.9 are vulnerable to arbitrary file write when used to extract a specifically crafted archive that contains path traversal filenames (`../../file.txt` for example).",
"recommendation": "Update to version 0.4.9 or later.",
"severity": "high",
"url": "https://nodesecurity.io/advisories/681"
}
]
修复 .nsprc 文件中的注释
$ cat tests/fixtures/screenshots-0191b17d3bac5de51efa7acbaa0d52bb26c91573-nsprc-comment.json
{
// See https://github.com/mozilla-services/screenshots/issues/4397
"exceptions": [
"https://nodesecurity.io/advisories/566",
"https://nodesecurity.io/advisories/577",
"https://nodesecurity.io/advisories/598",
"https://nodesecurity.io/advisories/663",
"https://nodesecurity.io/advisories/664"
]
}
$ audit-filter --nsp-config tests/fixtures/screenshots-0191b17d3bac5de51efa7acbaa0d52bb26c91573-nsprc-comment.json --audit tests/fixtures/screenshots-0191b17d3bac5de51efa7acbaa0d52bb26c91573-npm-6.4.1-audit.json
Error parsing nsp config JSON: key must be a string at line 2 column 3
$ echo $?
2
$ cat tests/fixtures/screenshots-0191b17d3bac5de51efa7acbaa0d52bb26c91573-nsprc-comment.json | sed "s|// .*||g" | python -m json.tool
{
"exceptions": [
"https://nodesecurity.io/advisories/566",
"https://nodesecurity.io/advisories/577",
"https://nodesecurity.io/advisories/598",
"https://nodesecurity.io/advisories/663",
"https://nodesecurity.io/advisories/664"
]
}
$ # alternatively convert comments into valid JSON e.g.
{
"comment": "See https://github.com/mozilla-services/screenshots/issues/4397",
"exceptions": [
"https://nodesecurity.io/advisories/566",
"https://nodesecurity.io/advisories/577",
"https://nodesecurity.io/advisories/598",
"https://nodesecurity.io/advisories/663",
"https://nodesecurity.io/advisories/664"
]
}
退出码
- 0 - 没有警告或所有警告都已通过过滤器确认
- 1 - 出现新的失败,至少有一条未确认的警告。重新运行
npm audit查看错误。 - 2 - 错误查找或解析配置文件或审计JSON。
其他错误
注意:使用NPM安装的audit-filter的错误消息可能不同
此处列出以供完整性参考。这些都会以代码2退出。
错误打开审计文件
$ audit-filter --nsp-config tests/fixtures/screenshots-0191b17d3bac5de51efa7acbaa0d52bb26c91573-nsprc.json --audit no-file
Error opening audit JSON no-file: No such file or directory (os error 2)
从stdin解析审计错误
$ echo "this is not JSON" | audit-filter --nsp-config tests/fixtures/screenshots-0191b17d3bac5de51efa7acbaa0d52bb26c91573-nsprc.json --audit -
Error parsing audit JSON from stdin: expected ident at line 1 column 2
从文件解析审计错误
$ echo "this is not JSON" > not_json.txt
$ audit-filter --nsp-config tests/fixtures/screenshots-0191b17d3bac5de51efa7acbaa0d52bb26c91573-nsprc.json --audit not_json.txt
Error parsing audit JSON: expected ident at line 1 column 2
错误打开nsp配置文件
$ audit-filter --nsp-config no-file --audit tests/fixtures/screenshots-0191b17d3bac5de51efa7acbaa0d52bb26c91573-npm-6.4.1-audit.json
Error opening nsp config JSON no-file: No such file or directory (os error 2)
从stdin解析nsp配置错误
$ echo "this is not JSON" | audit-filter --nsp-config - --audit tests/fixtures/screenshots-0191b17d3bac5de51efa7acbaa0d52bb26c91573-npm-6.4.1-audit.json
Error parsing nsp config JSON from stdin: expected ident at line 1 column 2
从文件解析nsp配置错误
$ echo "this is not JSON" > not_json.txt
$ audit-filter --nsp-config not_json.txt --audit tests/fixtures/screenshots-0191b17d3bac5de51efa7acbaa0d52bb26c91573-npm-6.4.1-audit.json
Error parsing nsp config JSON: expected ident at line 1 column 2
构建
构建静态可执行文件
$ rustup target add x86_64-unknown-linux-musl
...
$ cargo build --release --target x86_64-unknown-linux-musl
...
$ ls -lh ./target/x86_64-unknown-linux-musl/release/audit-filter
-rwxrwxr-x 2 gguthe gguthe 7.0M Sep 20 13:09 ./target/x86_64-unknown-linux-musl/release/audit-filter
$ ldd ./target/x86_64-unknown-linux-musl/release/audit-filter
not a dynamic executable
贡献者
- @agwells
依赖项
~4–6.5MB
~114K SLoC