Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Return semantic exit code for audit #6819

Merged
merged 2 commits into from Dec 18, 2018
Merged

Return semantic exit code for audit #6819

merged 2 commits into from Dec 18, 2018

Conversation

antrew
Copy link
Contributor

@antrew antrew commented Dec 14, 2018

Summary

Resolve #6748

yarn audit currently returns the number of found vulnerabilities. This can lead to an overflow and a false negative. E.g., if the number of vulnerable dependencies is equal to 256, the exit code will be equal 0. Furthermore, it is not very practical, as this number does not indicate the severity level of found vulnerabilities.

This pull request modifies this behavior by returning a number that is a sum of found severities:

  • 1 for INFO
  • 2 for LOW
  • 4 for MODERATE
  • 8 for HIGH
  • 16 for CRITICAL

That is, if only INFO and MODERATE vulnerabilities were found, then the exit code will be 1+4 = 5.

With this change it would be possible to check for particular severity levels. E.g., if someone wants to know, if there are HIGH and CRITICAL dependencies, then one could check for exit code >= 8.

Test plan

Current behavior:

$ yarn audit
9 vulnerabilities found - Packages audited: 31177
Severity: 9 Low
Done in 1.94s.
$ echo $? 
9

New behavior:

$ yarn-local audit
...
9 vulnerabilities found - Packages audited: 31177
Severity: 9 Low
Done in 1.69s.
$ echo $?
2

@antrew antrew force-pushed the feature/semantic-exit-code-for-audit branch from eb62499 to b3d9e3a Compare December 14, 2018 15:57
@arcanis
Copy link
Member

arcanis commented Dec 14, 2018

Technically it should be a major bump, but I wouldn't be opposed to put that into the next minor. What do you think, @rally25rs?

@antrew
Copy link
Contributor Author

antrew commented Dec 17, 2018

Hi @arcanis,

I don't think anybody relies on the current implementation, since it doesn't really matter if you have 1, 10 or 99 vulnerabilities. In my opinion, the only thing that makes sense with the current implementation, is to check if the exit status is zero (no vulnerabilities), or non-zero (there are vulnerabilities).
In that sense the proposed implementation is backwards compatible.

Anyway, it seems like everyone is building some wrappers around the current implementation in their CI pipelines to find out if they have vulnerabilities of certain levels. Ours looks like this at the moment and has to completely ignore the exit code of yarn audit:

yarn audit || true                                  
if [[ `yarn audit | grep -oiP '(critical|high)'` ]] ; then     
  echo 'Critical vulnerabilities found'             
  exit 1                                            
else                                                
  exit 0                                            
fi

rally25rs
rally25rs approved these changes Dec 18, 2018
View reviewed changes
Copy link
Contributor

@rally25rs rally25rs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like this change. Good idea! 👍

rally25rs added a commit to rally25rs/website that referenced this pull request Dec 18, 2018
@rally25rs
Add audit command exit code details for yarnpkg/yarn#6819
7c38f7c
@rally25rs rally25rs mentioned this pull request Dec 18, 2018
Merged
@rally25rs
Copy link
Contributor

I added the appropriate docs website change: yarnpkg/website#894

@arcanis arcanis merged commit 0f05203 into yarnpkg:master Dec 18, 2018
@antrew antrew deleted the feature/semantic-exit-code-for-audit branch December 18, 2018 17:27
@dubbha dubbha mentioned this pull request Feb 27, 2019
Closed
@DanielRuf DanielRuf mentioned this pull request Apr 26, 2019
Closed
Haroenv pushed a commit to yarnpkg/website that referenced this pull request Jul 1, 2019
@rally25rs @Haroenv
Add audit command exit code details for yarnpkg/yarn#6819 (#894)
15024dd
@simonespa simonespa mentioned this pull request Mar 13, 2020
Closed
@simonespa simonespa mentioned this pull request Jun 9, 2020
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rally25rs rally25rs rally25rs approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@antrew @arcanis @rally25rs