Scan for vulnerable JS Libraries #2372
Changes from 9 commits
@@ -0,0 +1,86 @@ | ||||
/** | ||||
* @license | ||||
* Copyright 2017 Google Inc. All rights reserved. | ||||
* | ||||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||||
* you may not use this file except in compliance with the License. | ||||
* You may obtain a copy of the License at | ||||
* | ||||
* http://www.apache.org/licenses/LICENSE-2.0 | ||||
* | ||||
* Unless required by applicable law or agreed to in writing, software | ||||
* distributed under the License is distributed on an "AS IS" BASIS, | ||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||||
* See the License for the specific language governing permissions and | ||||
* limitations under the License. | ||||
*/ | ||||
|
||||
/** | ||||
* @fileoverview Audits a page to make sure there are no JS libraries with | ||||
* known vulnerabilities being used. | ||||
Mention the db is provided by snyk.io and checked in locally as
GTG
*/ | ||||
|
||||
'use strict'; | ||||
|
||||
const Audit = require('../audit'); | ||||
const Formatter = require('../../report/formatter'); | ||||
|
||||
class NoVulnerableLibrariesAudit extends Audit { | ||||
|
||||
/** | ||||
* @return {!AuditMeta} | ||||
*/ | ||||
static get meta() { | ||||
return { | ||||
category: 'Security', | ||||
name: 'no-vulnerable-libraries', | ||||
description: 'Avoids using any front-end JavaScript libraries' | ||||
remove "using any"
+ ' with known security vulnerabilities', | ||||
helpText: 'Sites should take care to ensure that they are not using any' + | ||||
' front-end JavaScript libraries that contain known security vulnerabilities.', | ||||
This repeats the description. Is there more we can say? Also throw in a
For the link, it looks like most (all?) other audits point to a page on Google Developers. Does it make sense to put something similar to https://developers.google.com/web/tools/lighthouse/audits/contrast-ratio together for this?
Yep. @kaycebasques can work on that once we have the audit :)
I don't think it has to be a developers.google.com blog post. Maybe it could be a snyk page that has some information about this? As long as it's explaining why we do it. FYI: I'm not against adding it to the audit references :)
The typical pipeline is to link to some external doc while we put together an official doc on developers.google.com. The goal is to just provide some sort of further guidance for peeps that fail the test, so they're not like "wtf I'm failing this test and I have no idea what it means or how to fix it"
requiredArtifacts: ['JSVulnerableLibraries'] | ||||
}; | ||||
} | ||||
|
||||
/** | ||||
* @param {!Artifacts} artifacts | ||||
* @return {!AuditResult} | ||||
*/ | ||||
static audit(artifacts) { | ||||
const vulns = artifacts.JSVulnerableLibraries.vulnerabilities; | ||||
const libraries = artifacts.JSVulnerableLibraries.libraries; | ||||
|
||||
const finalVulns = vulns.map(record => ({ | ||||
severity: record.severity, | ||||
library: record.name + '@' + record.version, | ||||
url: 'https://snyk.io/vuln/' + record.id | ||||
})); | ||||
|
||||
let displayValue = ''; | ||||
if (vulns.length > 1) { | ||||
displayValue = `${vulns.length} vulnerabilities detected.`; | ||||
} else if (vulns.length === 1) { | ||||
displayValue = `${vulns.length} vulnerability was detected.`; | ||||
} | ||||
|
||||
const headings = [ | ||||
{key: 'url', itemType: 'url', text: 'Details'}, | ||||
{key: 'library', itemType: 'text', text: 'Library'}, | ||||
{key: 'severity', itemType: 'text', text: 'Severity'} | ||||
]; | ||||
const details = Audit.makeV2TableDetails(headings, finalVulns); | ||||
We just removed the "V2":
|
||||
|
||||
return { | ||||
rawValue: vulns.length === 0, | ||||
displayValue, | ||||
extendedInfo: { | ||||
I wouldn't say it's "legacy", but it's there only for folks consuming more details in the LHR, usually via the lighthouse module. Not there for presentational purposes. I think this sorta return would make sense:
extendedInfo: {
  value: {
    vulnerabilities: finalVulns
  }
}
Gotcha, I think. :) So the way I was using it, apparently it was just unnecessary as I was also passing
All set. See 26af245
@paulirish anything that's useful is also being surfaced in It's time to nip bloat in the bud. #2276
js_libs: libraries, | ||||
GTG
vulnerabilities: finalVulns | ||||
}, | ||||
details, | ||||
}; | ||||
} | ||||
|
||||
} | ||||
|
||||
module.exports = NoVulnerableLibrariesAudit; |
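Review bot: the two `displayValue` branches in `audit()` are phrased inconsistently, `${vulns.length} vulnerabilities detected.` versus `${vulns.length} vulnerability was detected.`; drop "was" from the singular (or add it to the plural) so the report reads the same either way. Two smaller points in the same function: `finalVulns` is handed to `makeV2TableDetails` in whatever order the gatherer produced it, so sorting it by `severity` first (highest first) would put the findings that matter most at the top of the table; and `record.id` is concatenated straight into the snyk.io URL, which is fine while the ids come from the checked-in database but reads as more obviously safe as `encodeURIComponent(record.id)`.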
we have short license headers now... copy one from one of the other files?
All set.