From 792c8c709dc7a445687aa0c8cba5c50bc4ed83fd Mon Sep 17 00:00:00 2001 From: Leonard Martin Date: Fri, 3 Aug 2018 17:17:52 +0100 Subject: [PATCH] audit: configurable audit level for non-zero exit (#31) `npm audit` currently exits with exit code 1 if any vulnerabilities are found of any level. Add a flag of `--audit-level` to `npm audit` to allow it to pass if only vulnerabilities below a certain level are found. Example: `npm audit --audit-level=high` will exit with 0 if only low or moderate level vulns are detected. Fixes: https://npm.community/t/245 PR-URL: https://github.com/npm/cli/pull/31 Credit: @lennym Reviewed-By: @zkat --- doc/misc/npm-config.md | 8 ++ lib/audit.js | 10 +- lib/config/defaults.js | 2 + test/tap/audit.js | 268 +++++++++++++++++++++++++++++++++++++++++ 4 files changed, 283 insertions(+), 5 deletions(-) create mode 100644 test/tap/audit.js diff --git a/doc/misc/npm-config.md b/doc/misc/npm-config.md index e2f0a847a2cb..098693423114 100644 --- a/doc/misc/npm-config.md +++ b/doc/misc/npm-config.md @@ -164,6 +164,14 @@ When "true" submit audit reports alongside `npm install` runs to the default registry and all registries configured for scopes. See the documentation for npm-audit(1) for details on what is submitted. +### audit-level + +* Default: `"low"` +* Type: `'low'`, `'moderate'`, `'high'`, `'critical'` + +The minimum level of vulnerability for `npm audit` to exit with +a non-zero exit code. + ### auth-type * Default: `'legacy'` diff --git a/lib/audit.js b/lib/audit.js index d1beb046ff1f..06852610e646 100644 --- a/lib/audit.js +++ b/lib/audit.js @@ -257,11 +257,11 @@ function auditCmd (args, cb) { }) }) } else { - const vulns = - auditResult.metadata.vulnerabilities.low + - auditResult.metadata.vulnerabilities.moderate + - auditResult.metadata.vulnerabilities.high + - auditResult.metadata.vulnerabilities.critical + const levels = ['low', 'moderate', 'high', 'critical'] + const minLevel = levels.indexOf(npm.config.get('audit-level')) + const vulns = levels.reduce((count, level, i) => { + return i < minLevel ? count : count + (auditResult.metadata.vulnerabilities[level] || 0) + }, 0) if (vulns > 0) process.exitCode = 1 if (npm.config.get('parseable')) { return audit.printParseableReport(auditResult) diff --git a/lib/config/defaults.js b/lib/config/defaults.js index 21c6526571ea..92091067706c 100644 --- a/lib/config/defaults.js +++ b/lib/config/defaults.js @@ -110,6 +110,7 @@ Object.defineProperty(exports, 'defaults', {get: function () { 'always-auth': false, also: null, audit: true, + 'audit-level': 'low', 'auth-type': 'legacy', 'bin-links': true, @@ -257,6 +258,7 @@ exports.types = { 'always-auth': Boolean, also: [null, 'dev', 'development'], audit: Boolean, + 'audit-level': ['low', 'moderate', 'high', 'critical'], 'auth-type': ['legacy', 'sso', 'saml', 'oauth'], 'bin-links': Boolean, browser: [null, String], diff --git a/test/tap/audit.js b/test/tap/audit.js new file mode 100644 index 000000000000..3384579f77ba --- /dev/null +++ b/test/tap/audit.js @@ -0,0 +1,268 @@ +'use strict' + +const BB = require('bluebird') + +const common = BB.promisifyAll(require('../common-tap.js')) +const mr = BB.promisify(require('npm-registry-mock')) +const path = require('path') +const rimraf = BB.promisify(require('rimraf')) +const Tacks = require('tacks') +const tap = require('tap') +const test = tap.test + +const Dir = Tacks.Dir +const File = Tacks.File +const testDir = path.join(__dirname, path.basename(__filename, '.js')) + +const EXEC_OPTS = { cwd: testDir } + +tap.tearDown(function () { + process.chdir(__dirname) + try { + rimraf.sync(testDir) + } catch (e) { + if (process.platform !== 'win32') { + throw e + } + } +}) + +function tmock (t) { + return mr({port: common.port}).then(s => { + t.tearDown(function () { + s.done() + s.close() + rimraf.sync(testDir) + }) + return s + }) +} + +test('exits with zero exit code for vulnerabilities below the `audit-level` flag', t => { + const fixture = new Tacks(new Dir({ + 'package.json': new File({ + name: 'foo', + version: '1.0.0', + dependencies: { + baddep: '1.0.0' + } + }) + })) + fixture.create(testDir) + return tmock(t).then(srv => { + srv.filteringRequestBody(req => 'ok') + srv.post('/-/npm/v1/security/audits/quick', 'ok').reply(200, 'yeah') + srv.get('/baddep').twice().reply(200, { + name: 'baddep', + 'dist-tags': { + 'latest': '1.2.3' + }, + versions: { + '1.0.0': { + name: 'baddep', + version: '1.0.0', + _hasShrinkwrap: false, + dist: { + shasum: 'deadbeef', + tarball: common.registry + '/idk/-/idk-1.0.0.tgz' + } + }, + '1.2.3': { + name: 'baddep', + version: '1.2.3', + _hasShrinkwrap: false, + dist: { + shasum: 'deadbeef', + tarball: common.registry + '/idk/-/idk-1.2.3.tgz' + } + } + } + }) + return common.npm([ + 'install', + '--audit', + '--json', + '--package-lock-only', + '--registry', common.registry, + '--cache', path.join(testDir, 'npm-cache') + ], EXEC_OPTS).then(([code, stdout, stderr]) => { + srv.filteringRequestBody(req => 'ok') + srv.post('/-/npm/v1/security/audits', 'ok').reply(200, { + actions: [{ + action: 'update', + module: 'baddep', + target: '1.2.3', + resolves: [{path: 'baddep'}] + }], + metadata: { + vulnerabilities: { + low: 1 + } + } + }) + return common.npm([ + 'audit', + '--audit-level', 'high', + '--json', + '--registry', common.registry, + '--cache', path.join(testDir, 'npm-cache') + ], EXEC_OPTS).then(([code, stdout, stderr]) => { + t.equal(code, 0, 'exited OK') + }) + }) + }) +}) + +test('exits with non-zero exit code for vulnerabilities at the `audit-level` flag', t => { + const fixture = new Tacks(new Dir({ + 'package.json': new File({ + name: 'foo', + version: '1.0.0', + dependencies: { + baddep: '1.0.0' + } + }) + })) + fixture.create(testDir) + return tmock(t).then(srv => { + srv.filteringRequestBody(req => 'ok') + srv.post('/-/npm/v1/security/audits/quick', 'ok').reply(200, 'yeah') + srv.get('/baddep').twice().reply(200, { + name: 'baddep', + 'dist-tags': { + 'latest': '1.2.3' + }, + versions: { + '1.0.0': { + name: 'baddep', + version: '1.0.0', + _hasShrinkwrap: false, + dist: { + shasum: 'deadbeef', + tarball: common.registry + '/idk/-/idk-1.0.0.tgz' + } + }, + '1.2.3': { + name: 'baddep', + version: '1.2.3', + _hasShrinkwrap: false, + dist: { + shasum: 'deadbeef', + tarball: common.registry + '/idk/-/idk-1.2.3.tgz' + } + } + } + }) + return common.npm([ + 'install', + '--audit', + '--json', + '--package-lock-only', + '--registry', common.registry, + '--cache', path.join(testDir, 'npm-cache') + ], EXEC_OPTS).then(([code, stdout, stderr]) => { + srv.filteringRequestBody(req => 'ok') + srv.post('/-/npm/v1/security/audits', 'ok').reply(200, { + actions: [{ + action: 'update', + module: 'baddep', + target: '1.2.3', + resolves: [{path: 'baddep'}] + }], + metadata: { + vulnerabilities: { + high: 1 + } + } + }) + return common.npm([ + 'audit', + '--audit-level', 'high', + '--json', + '--registry', common.registry, + '--cache', path.join(testDir, 'npm-cache') + ], EXEC_OPTS).then(([code, stdout, stderr]) => { + t.equal(code, 1, 'exited OK') + }) + }) + }) +}) + +test('exits with non-zero exit code for vulnerabilities at the `audit-level` flag', t => { + const fixture = new Tacks(new Dir({ + 'package.json': new File({ + name: 'foo', + version: '1.0.0', + dependencies: { + baddep: '1.0.0' + } + }) + })) + fixture.create(testDir) + return tmock(t).then(srv => { + srv.filteringRequestBody(req => 'ok') + srv.post('/-/npm/v1/security/audits/quick', 'ok').reply(200, 'yeah') + srv.get('/baddep').twice().reply(200, { + name: 'baddep', + 'dist-tags': { + 'latest': '1.2.3' + }, + versions: { + '1.0.0': { + name: 'baddep', + version: '1.0.0', + _hasShrinkwrap: false, + dist: { + shasum: 'deadbeef', + tarball: common.registry + '/idk/-/idk-1.0.0.tgz' + } + }, + '1.2.3': { + name: 'baddep', + version: '1.2.3', + _hasShrinkwrap: false, + dist: { + shasum: 'deadbeef', + tarball: common.registry + '/idk/-/idk-1.2.3.tgz' + } + } + } + }) + return common.npm([ + 'install', + '--audit', + '--json', + '--package-lock-only', + '--registry', common.registry, + '--cache', path.join(testDir, 'npm-cache') + ], EXEC_OPTS).then(([code, stdout, stderr]) => { + srv.filteringRequestBody(req => 'ok') + srv.post('/-/npm/v1/security/audits', 'ok').reply(200, { + actions: [{ + action: 'update', + module: 'baddep', + target: '1.2.3', + resolves: [{path: 'baddep'}] + }], + metadata: { + vulnerabilities: { + high: 1 + } + } + }) + return common.npm([ + 'audit', + '--audit-level', 'moderate', + '--json', + '--registry', common.registry, + '--cache', path.join(testDir, 'npm-cache') + ], EXEC_OPTS).then(([code, stdout, stderr]) => { + t.equal(code, 1, 'exited OK') + }) + }) + }) +}) + +test('cleanup', t => { + return rimraf(testDir) +})