Scan for vulnerable JS Libraries

lighthouse-core/audits/dobetterweb/no-vulnerable-libraries.js

@@ -0,0 +1,86 @@
+/**
+ * @license
+ * Copyright 2017 Google Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @fileoverview Audits a page to make sure there are no JS libraries with
+ * known vulnerabilities being used.
+ */
+
+'use strict';
+
+const Audit = require('../audit');
+const Formatter = require('../../report/formatter');
+
+class NoVulnerableLibrariesAudit extends Audit {
+
+ /**
+ * @return {!AuditMeta}
+ */
+ static get meta() {
+ return {
+ category: 'Security',
+ name: 'no-vulnerable-libraries',
+ description: 'Avoids using any front-end JavaScript libraries'
+ + ' with known security vulnerabilities',
+ helpText: 'Sites should take care to ensure that they are not using any' +
+ ' front-end JavaScript libraries that contain known security vulnerabilities.',
+ requiredArtifacts: ['JSVulnerableLibraries']
+ };
+ }
+
+ /**
+ * @param {!Artifacts} artifacts
+ * @return {!AuditResult}
+ */
+ static audit(artifacts) {
+ const vulns = artifacts.JSVulnerableLibraries.vulnerabilities;
+ const libraries = artifacts.JSVulnerableLibraries.libraries;
+
+ const finalVulns = vulns.map(record => ({
+ severity: record.severity,
+ library: record.name + '@' + record.version,
+ url: 'https://snyk.io/vuln/' + record.id
+ }));
+
+ let displayValue = '';
+ if (vulns.length > 1) {
+ displayValue = `${vulns.length} vulnerabilities detected.`;
+ } else if (vulns.length === 1) {
+ displayValue = `${vulns.length} vulnerability was detected.`;
+ }
+
+ const headings = [
+ {key: 'url', itemType: 'url', text: 'Details'},
+ {key: 'library', itemType: 'text', text: 'Library'},
+ {key: 'severity', itemType: 'text', text: 'Severity'}
+ ];
+ const details = Audit.makeV2TableDetails(headings, finalVulns);
+
+ return {
+ rawValue: vulns.length === 0,
+ displayValue,
+ extendedInfo: {
+ js_libs: libraries,
+ vulnerabilities: finalVulns
+ },
+ details,
+ };
+ }
+
+}
+
+module.exports = NoVulnerableLibrariesAudit;

lighthouse-core/config/default.js

@@ -26,6 +26,7 @@ module.exports = {
  "dobetterweb/response-compression",
  "dobetterweb/tags-blocking-first-paint",
  "dobetterweb/websql",
+ "dobetterweb/js-vulnerable-libraries",
  ]
  },
  {
@@ -132,6 +133,7 @@ module.exports = {
  "dobetterweb/no-websql",
  "dobetterweb/notification-on-start",
  "dobetterweb/script-blocking-first-paint",
+ "dobetterweb/no-vulnerable-libraries",
  "dobetterweb/uses-http2",
  "dobetterweb/uses-passive-event-listeners"
  ],
@@ -329,6 +331,10 @@ module.exports = {
  "manifest-short-name-length": {
  "expectedValue": true,
  "weight": 1
+ },
+ "no-vulnerable-libraries": {
+ "expectedValue": true,
+ "weight": 1
  }
  }
  }]
@@ -749,6 +755,7 @@ module.exports = {
  {"id": "no-document-write", "weight": 1},
  {"id": "external-anchors-use-rel-noopener", "weight": 1},
  {"id": "geolocation-on-start", "weight": 1},
+ {"id": "no-vulnerable-libraries", "weight": 1},
  {"id": "notification-on-start", "weight": 1},
  {"id": "deprecations", "weight": 1},
  {"id": "manifest-short-name-length", "weight": 1},