
feat: Show packages that has vulnerability #96

Open
jimmywarting opened this issue Aug 23, 2021 · 8 comments

Comments

@jimmywarting

jimmywarting commented Aug 23, 2021

so we know where the problem lies

@broofa
Collaborator

broofa commented Nov 8, 2021

Is there a readily-available source of module vulnerability information?

@broofa broofa added the feature label Jan 7, 2022
@seagullgithub

Just stumbled upon this article while looking for something different and remembered this issue. Maybe it might help?

GitHub Advisory Database now powers npm audit

Advisories are also available from the GraphQL API

nice work by the way!

@broofa
Collaborator

broofa commented Jan 19, 2022

@seagullgithub Good find, thanks! I (or someone) will need to look into this to figure out how exactly to fetch potential advisories for a given graph.

Breadcrumb: More detailed info about searching the database - https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/browsing-security-vulnerabilities-in-the-github-advisory-database#searching-the-github-advisory-database

Edit: Playing around with the GH API, I don't see an obvious way to query for "vulnerabilities that affect [specific module]'s dependency graph". Without that, getting relevant vulnerabilities is a bit of a challenge. We'd have to (potentially) fetch the whole DB into the client (100 results at a time for 10,000+ results? Ugh.) and cache the results somehow. (LocalStorage? IndexedDB?)

@fregante
Member

This would be the right API, not GitHub’s

https://www.gyanblog.com/tutorials/how-node-npm-audit-rest-api-vulnerability/

@broofa
Collaborator

broofa commented Oct 16, 2023

Poking around with this, I'm getting a CORS error when I try to hit the NPM registry endpoint for audits (/-/npm/v1/security/audits/quick). It's possible I'm doing something wrong in the client, but if not we'll need to proxy these requests through a cloud function of some sort.

@fregante
Member

a cloud function of some sort.

Since we're on Vercel, it should be super easy to implement. However, they would be limited by API key usage and it could lead to abuse if not properly dealt with. So it's up to you to decide whether it's worth it.
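The CORS error and the abuse concern raised in the two comments above both point at the same shape of fix: a small proxy that the browser is allowed to call, which in turn talks to the registry on the client's behalf and bounds what any one caller can make it do. The following is an added example, not npmgraph's code and not part of this thread. It assumes a Vercel-style Node handler signature `(req, res)` with `req.body` already parsed, and it assumes the registry's bulk advisory endpoint at `https://registry.npmjs.org/-/npm/v1/security/advisories/bulk`, which takes a body of the form `{ "<package>": ["<version>", ...] }` (the quick-audit endpoint named above takes a lockfile-shaped body instead; the same validation idea applies). The allowed origin is a constructed placeholder.

```javascript
// Added example (not npmgraph's code): a serverless-style proxy for the npm
// registry's bulk advisory endpoint, with the controls a defender would want
// before exposing it: an origin allowlist, strict validation of the package
// names and versions that get relayed upstream, and caps on request size.
// Endpoint URL, body shape and (req, res) handler signature are assumptions.

const REGISTRY_BULK_URL =
  'https://registry.npmjs.org/-/npm/v1/security/advisories/bulk'; // assumed endpoint

// Bounds on what one request can make the proxy do upstream.
const LIMITS = { maxPackages: 500, maxVersionsPerPackage: 20 };

// Origins allowed to call the proxy (constructed placeholder value).
const ALLOWED_ORIGINS = new Set(['https://npmgraph.example']);

// npm package names: optional scope, then a name; no path characters allowed.
const NAME_RE = /^(@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*$/;
// Loose semver shape, so arbitrary strings are never relayed to the registry.
const VERSION_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

/**
 * Validate and normalise a parsed request body of the form { name: [versions] }.
 * Returns { ok: true, body } with duplicates removed, or { ok: false, error }.
 */
function validateAuditPayload(parsed, limits = LIMITS) {
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, error: 'body must be an object' };
  }
  const names = Object.keys(parsed);
  if (names.length === 0 || names.length > limits.maxPackages) {
    return { ok: false, error: `expected 1..${limits.maxPackages} packages` };
  }
  const body = {};
  for (const name of names) {
    if (!NAME_RE.test(name)) return { ok: false, error: `invalid package name: ${name}` };
    const versions = parsed[name];
    if (!Array.isArray(versions) || versions.length === 0 ||
        versions.length > limits.maxVersionsPerPackage) {
      return { ok: false, error: `invalid version list for ${name}` };
    }
    const clean = [...new Set(versions)];
    if (!clean.every((v) => typeof v === 'string' && VERSION_RE.test(v))) {
      return { ok: false, error: `invalid version for ${name}` };
    }
    body[name] = clean;
  }
  return { ok: true, body };
}

/** CORS headers for an allowed origin, or null when the origin is not on the list. */
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin',
    'Access-Control-Allow-Methods': 'POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
  };
}

/** Vercel-style handler (assumed signature). Only valid, allowlisted requests reach the registry. */
async function handler(req, res) {
  const cors = corsHeadersFor(req.headers.origin);
  if (!cors) { res.statusCode = 403; return res.end('origin not allowed'); }
  for (const [k, v] of Object.entries(cors)) res.setHeader(k, v);
  if (req.method === 'OPTIONS') { res.statusCode = 204; return res.end(); }
  if (req.method !== 'POST') { res.statusCode = 405; return res.end(); }

  const parsed = typeof req.body === 'string' ? safeJsonParse(req.body) : req.body;
  const check = validateAuditPayload(parsed);
  if (!check.ok) { res.statusCode = 400; return res.end(check.error); }

  // Forward only the normalised body; never echo the caller's headers upstream.
  const upstream = await fetch(REGISTRY_BULK_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(check.body),
  });
  res.statusCode = upstream.status;
  res.setHeader('Content-Type', 'application/json');
  res.end(await upstream.text());
}

function safeJsonParse(text) {
  try { return JSON.parse(text); } catch { return null; }
}

module.exports = { validateAuditPayload, corsHeadersFor, handler, LIMITS };
```

The point of the validation step is that the proxy is the only thing holding credentials or quota against the registry, so every field it relays has to be something the registry could legitimately be asked about; the regexes keep package names and versions to their documented shapes and the caps keep a single caller from turning one request into thousands of upstream lookups.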

@fregante
Member

Overall, since vulnerabilities are for a specific version, I don’t think it's particularly useful to display them here. A regular install would probably be best and npm audit fix might be an easier solution to just deal with them, if necessary.

@DawitAskabe

Maybe doing npm i --package-lock-only on the uploaded package file, followed by npm audit.
Then parse the audit output for the info we need to show on npmgraph... for example, red color for Severity: critical packages etc.
The output also has the info regarding the dependency tree and a URL link to the advisory note on GitHub.

Sample npm audit output:

lodash  <=4.17.20
Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
fix available via `npm audit fix`
node_modules/newman/node_modules/lodash
node_modules/postman-collection-transformer/node_modules/lodash
node_modules/postman-collection/node_modules/lodash
node_modules/postman-runtime/node_modules/lodash
node_modules/postman-sandbox/node_modules/lodash
node_modules/uvm/node_modules/lodash
  newman  >=2.1.1
  Depends on vulnerable versions of async
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of mkdirp
  Depends on vulnerable versions of postman-collection
  Depends on vulnerable versions of postman-collection-transformer
  Depends on vulnerable versions of postman-request
  Depends on vulnerable versions of postman-runtime
  Depends on vulnerable versions of semver
  Depends on vulnerable versions of word-wrap
  node_modules/newman
  postman-collection  <=4.1.7
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of marked
  Depends on vulnerable versions of semver
  node_modules/postman-collection
    postman-runtime  *
    Depends on vulnerable versions of async
    Depends on vulnerable versions of crypto-js
    Depends on vulnerable versions of handlebars
    Depends on vulnerable versions of httpntlm
    Depends on vulnerable versions of lodash
    Depends on vulnerable versions of node-oauth1
    Depends on vulnerable versions of postman-collection
    Depends on vulnerable versions of postman-request
    Depends on vulnerable versions of postman-sandbox
    Depends on vulnerable versions of postman-url-encoder
    Depends on vulnerable versions of tough-cookie
    node_modules/postman-runtime
    postman-url-encoder  2.1.0-beta.1 - 2.1.3
    Depends on vulnerable versions of postman-collection
    node_modules/postman-runtime/node_modules/postman-url-encoder
  postman-collection-transformer  0.1.0 - 3.3.2
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of semver
  node_modules/postman-collection-transformer
  postman-sandbox  <=3.5.9
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of tough-cookie
  node_modules/postman-sandbox
  uvm  1.0.0 - 1.7.8
  Depends on vulnerable versions of lodash
  node_modules/uvm

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix`
node_modules/postman-runtime/node_modules/postman-request/node_modules/tough-cookie
node_modules/postman-runtime/node_modules/tough-cookie
node_modules/postman-sandbox/node_modules/tough-cookie
node_modules/tough-cookie
  postman-request  *
  Depends on vulnerable versions of tough-cookie
  node_modules/postman-request
  node_modules/postman-runtime/node_modules/postman-request
    newman  >=2.1.1
    Depends on vulnerable versions of async
    Depends on vulnerable versions of lodash
    Depends on vulnerable versions of mkdirp
    Depends on vulnerable versions of postman-collection
    Depends on vulnerable versions of postman-collection-transformer
    Depends on vulnerable versions of postman-request
    Depends on vulnerable versions of postman-runtime
    Depends on vulnerable versions of semver
    Depends on vulnerable versions of word-wrap
    node_modules/newman
    postman-runtime  *
    Depends on vulnerable versions of async
    Depends on vulnerable versions of crypto-js
    Depends on vulnerable versions of handlebars
    Depends on vulnerable versions of httpntlm
    Depends on vulnerable versions of lodash
    Depends on vulnerable versions of node-oauth1
    Depends on vulnerable versions of postman-collection
    Depends on vulnerable versions of postman-request
    Depends on vulnerable versions of postman-sandbox
    Depends on vulnerable versions of postman-url-encoder
    Depends on vulnerable versions of tough-cookie
    node_modules/postman-runtime
  postman-sandbox  <=3.5.9
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of tough-cookie
  node_modules/postman-sandbox

underscore  1.3.2 - 1.12.0
Severity: critical
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
fix available via `npm audit fix`
node_modules/underscore
  httpntlm  1.5.0 - 1.7.6
  Depends on vulnerable versions of underscore
  node_modules/httpntlm
    postman-runtime  *
    Depends on vulnerable versions of async
    Depends on vulnerable versions of crypto-js
    Depends on vulnerable versions of handlebars
    Depends on vulnerable versions of httpntlm
    Depends on vulnerable versions of lodash
    Depends on vulnerable versions of node-oauth1
    Depends on vulnerable versions of postman-collection
    Depends on vulnerable versions of postman-request
    Depends on vulnerable versions of postman-sandbox
    Depends on vulnerable versions of postman-url-encoder
    Depends on vulnerable versions of tough-cookie
    node_modules/postman-runtime
      newman  >=2.1.1
      Depends on vulnerable versions of async
      Depends on vulnerable versions of lodash
      Depends on vulnerable versions of mkdirp
      Depends on vulnerable versions of postman-collection
      Depends on vulnerable versions of postman-collection-transformer
      Depends on vulnerable versions of postman-request
      Depends on vulnerable versions of postman-runtime
      Depends on vulnerable versions of semver
      Depends on vulnerable versions of word-wrap
      node_modules/newman

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap
  newman  >=2.1.1
  Depends on vulnerable versions of async
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of mkdirp
  Depends on vulnerable versions of postman-collection
  Depends on vulnerable versions of postman-collection-transformer
  Depends on vulnerable versions of postman-request
  Depends on vulnerable versions of postman-runtime
  Depends on vulnerable versions of semver
  Depends on vulnerable versions of word-wrap
  node_modules/newman

41 vulnerabilities (23 moderate, 11 high, 7 critical)
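The comment above suggests parsing the audit output and colouring nodes by severity. The text report shown is meant for humans; `npm audit --json` emits the same information in a stable structure, where each entry under `vulnerabilities` carries a `severity`, a `via` array (advisory objects for the package's own findings, plain package-name strings for "Depends on vulnerable versions of ..."), and an `effects` array naming the dependents it taints. The following is an added example, not npmgraph's code and not from this thread, that turns such a report into a per-package summary a graph renderer could use. The sample report is constructed by hand to mirror the lodash/uvm/newman part of the text above (advisory titles and URLs are the ones shown there; the colour palette is an assumption).

```javascript
// Added example (not npmgraph's code): summarise `npm audit --json` output for
// graph colouring. Field names (vulnerabilities, via, effects, severity,
// isDirect, range, nodes, fixAvailable) follow npm 7+'s JSON report format;
// the sample report and the colour palette are constructed for this example.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
const SEVERITY_COLOR = {            // assumed palette
  info: '#9e9e9e', low: '#ffd54f', moderate: '#ff9800', high: '#f44336', critical: '#b71c1c',
};

function severityColor(severity) {
  return SEVERITY_COLOR[severity] ?? null;
}

/**
 * Build Map name -> { severity, color, direct, advisories, dependsOn, affects, range, fixAvailable }.
 * `direct` is true when the package itself has an advisory (an object entry in `via`);
 * `dependsOn` lists packages whose vulnerable versions it pulls in (string entries in `via`).
 */
function summarizeAudit(report) {
  const out = new Map();
  for (const [name, v] of Object.entries(report?.vulnerabilities ?? {})) {
    const via = Array.isArray(v.via) ? v.via : [];
    const advisories = via
      .filter((x) => x && typeof x === 'object')
      .map((x) => ({ title: x.title, url: x.url, severity: x.severity, range: x.range }));
    const dependsOn = via.filter((x) => typeof x === 'string');
    // npm records an overall severity per package; fall back to the worst advisory if absent.
    const worst = advisories.reduce(
      (acc, a) => ((SEVERITY_RANK[a.severity] ?? -1) > SEVERITY_RANK[acc] ? a.severity : acc), 'info');
    const severity = v.severity ?? worst;
    out.set(name, {
      severity,
      color: severityColor(severity),
      direct: advisories.length > 0,
      advisories,
      dependsOn,
      affects: Array.isArray(v.effects) ? v.effects : [],
      range: v.range ?? null,
      fixAvailable: Boolean(v.fixAvailable),
    });
  }
  return out;
}

/** Count packages per severity, like the CLI's closing line. */
function countBySeverity(summary) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const { severity } of summary.values()) if (severity in counts) counts[severity] += 1;
  return counts;
}

/** Follow `effects` edges upward to every package that ends up affected by `name`. */
function affectedBy(summary, name) {
  const seen = new Set();
  const stack = [name];
  while (stack.length) {
    const cur = stack.pop();
    for (const parent of summary.get(cur)?.affects ?? []) {
      if (!seen.has(parent)) { seen.add(parent); stack.push(parent); }
    }
  }
  return [...seen].sort();
}

// Constructed sample shaped like `npm audit --json`, reduced to three packages
// from the text report above (lodash -> uvm -> newman).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: {
      name: 'lodash', severity: 'high', isDirect: false,
      via: [
        { name: 'lodash', dependency: 'lodash', title: 'Prototype Pollution in lodash',
          url: 'https://github.com/advisories/GHSA-p6mc-m468-83gw', severity: 'high', range: '<=4.17.20' },
        { name: 'lodash', dependency: 'lodash', title: 'Command Injection in lodash',
          url: 'https://github.com/advisories/GHSA-35jh-r3h4-6jhm', severity: 'high', range: '<=4.17.20' },
      ],
      effects: ['uvm', 'newman'], range: '<=4.17.20',
      nodes: ['node_modules/uvm/node_modules/lodash', 'node_modules/newman/node_modules/lodash'],
      fixAvailable: true,
    },
    uvm: { name: 'uvm', severity: 'high', isDirect: false, via: ['lodash'], effects: ['newman'],
           range: '1.0.0 - 1.7.8', nodes: ['node_modules/uvm'], fixAvailable: true },
    newman: { name: 'newman', severity: 'high', isDirect: true, via: ['lodash', 'uvm'], effects: [],
              range: '>=2.1.1', nodes: ['node_modules/newman'], fixAvailable: true },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 3, critical: 0, total: 3 } },
};

module.exports = { summarizeAudit, countBySeverity, affectedBy, severityColor, SAMPLE_REPORT };
```

Splitting `via` into advisory objects and bare strings is what lets a renderer draw the root cause (lodash, with its advisory links) differently from the packages that are only flagged because they depend on it (uvm, newman), which is the distinction the text report expresses through indentation.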
