GoogleChrome · brendankenny · Sep 29, 2017 · May 26, 2017 · May 26, 2017 · May 26, 2017
diff --git a/lighthouse-core/audits/dobetterweb/no-vulnerable-libraries.js b/lighthouse-core/audits/dobetterweb/no-vulnerable-libraries.js
@@ -0,0 +1,90 @@
+/**
+ * @license
+ * Copyright 2017 Google Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @fileoverview Audits a page to make sure there are no JS libraries with
+ * known vulnerabilities being used.
+ */
+
+'use strict';
+
+const Audit = require('../audit');
+
+class NoVulnerableLibrariesAudit extends Audit {
+
+ /**
+ * @return {!AuditMeta}
+ */
+ static get meta() {
+ return {
+ category: 'Security',
+ name: 'no-vulnerable-libraries',
+ description: 'Avoids front-end JavaScript libraries'
+ + ' with known security vulnerabilities',
+ helpText: 'Some third-party scripts may contain known security vulnerabilities ' +
+ ' that are easily identified and exploited by attackers.',
+ requiredArtifacts: ['JSVulnerableLibraries']
+ };
+ }
+
+ /**
+ * @param {!Artifacts} artifacts
+ * @return {!AuditResult}
+ */
+ static audit(artifacts) {
+ const libraries = artifacts.JSVulnerableLibraries.libraries;
+
+ const finalVulns = Object.assign(...libraries.filter(obj => {
+ return obj.vulns;
+ }).map(record => {
+ const libVulns = [];
+ for (const i in record.vulns) {
+ if (Object.hasOwnProperty.call(record.vulns, i)) {
+ libVulns.push(record.vulns[i]);
+ }
+ }
+ return libVulns;
+ }));
+
+ let displayValue = '';
+ if (finalVulns.length > 1) {
+ displayValue = `${finalVulns.length} vulnerabilities detected.`;
+ } else if (finalVulns.length === 1) {
+ displayValue = `${finalVulns.length} vulnerability was detected.`;
+ }
+
+ const headings = [
+ {key: 'url', itemType: 'text', text: 'Details'},
+ {key: 'library', itemType: 'text', text: 'Library'},
+ {key: 'severity', itemType: 'text', text: 'Severity'}
+ ];
+ const details = Audit.makeV2TableDetails(headings, finalVulns);
 static makeTableDetails(headings, results) { 
 static makeTableDetails(headings, results) { 
+
+ return {
+ rawValue: finalVulns.length === 0,
+ displayValue,
+ extendedInfo: {
+ js_libs: libraries,
+ vulnerabilities: finalVulns
+ },
+ details,
+ };
+ }
+
+}
+
+module.exports = NoVulnerableLibrariesAudit;
diff --git a/lighthouse-core/config/default.js b/lighthouse-core/config/default.js
@@ -30,6 +30,7 @@ module.exports = {
  'dobetterweb/anchors-with-no-rel-noopener',
  'dobetterweb/appcache',
  'dobetterweb/domstats',
+ 'dobetterweb/js-vulnerable-libraries',
  'dobetterweb/optimized-images',
  'dobetterweb/password-inputs-with-prevented-paste',
  'dobetterweb/response-compression',
@@ -60,7 +61,6 @@ module.exports = {
  'html-without-javascript',
  ]
  }],
-
  audits: [
  'is-on-https',
  'redirects-http',
@@ -137,6 +137,7 @@ module.exports = {
  'dobetterweb/no-document-write',
  'dobetterweb/no-mutation-events',
  // 'dobetterweb/no-old-flexbox',
+ 'dobetterweb/no-vulnerable-libraries',
  'dobetterweb/no-websql',
  'dobetterweb/notification-on-start',
  'dobetterweb/password-inputs-can-be-pasted-into',
@@ -300,6 +301,7 @@ module.exports = {
  {id: 'no-document-write', weight: 1},
  {id: 'external-anchors-use-rel-noopener', weight: 1},
  {id: 'geolocation-on-start', weight: 1},
+ {id: 'no-vulnerable-libraries', weight: 1},
  {id: 'notification-on-start', weight: 1},
  {id: 'deprecations', weight: 1},
  {id: 'manifest-short-name-length', weight: 1},

diff --git a/lighthouse-core/gather/gatherers/dobetterweb/js-vulnerable-libraries.js b/lighthouse-core/gather/gatherers/dobetterweb/js-vulnerable-libraries.js
@@ -0,0 +1,103 @@
+/**
+ * @license
+ * Copyright 2017 Google Inc. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @fileoverview Gathers a list of libraries and
+ any known vulnerabilities they contain.
+ */
+
+/* global window */
+/* global d41d8cd98f00b204e9800998ecf8427e_LibraryDetectorTests */
+
+'use strict';
+
+const Gatherer = require('../gatherer');
+const fs = require('fs');
+const semver = require('semver');
+const libDetectorSource = fs.readFileSync(
+ require.resolve('js-library-detector/library/libraries.js'), 'utf8');
+// https://snyk.io/partners/api/v2/vulndb/clientside.json
+const snykDB = JSON.parse(fs.readFileSync(
+ require.resolve('../../../../third-party/snyk-snapshot.json'), 'utf8'));
+
+/**
+ * Obtains a list of an object contain any detected JS libraries
+ * and the versions they're using.
+ * @return {!Object}
+ */
+/* istanbul ignore next */
+/* eslint-disable camelcase */
+function detectLibraries() {
+ const libraries = [];
+ for (const i in d41d8cd98f00b204e9800998ecf8427e_LibraryDetectorTests) {
+ if (Object.hasOwnProperty.call(d41d8cd98f00b204e9800998ecf8427e_LibraryDetectorTests, i)) {
+ try {
+ const result = d41d8cd98f00b204e9800998ecf8427e_LibraryDetectorTests[i].test(window);
+ if (result === false) continue;
+ libraries.push({
+ name: i,
+ version: result.version,
+ npmPkgName: d41d8cd98f00b204e9800998ecf8427e_LibraryDetectorTests[i].npm
+ });
+ } catch(e) {}
+ }
+ }
+ return libraries;
+}
+/* eslint-enable camelcase */
+
+class JSVulnerableLibraries extends Gatherer {
+ /**
+ * @param {!Object} options
+ * @return {!Promise<!Array<!Object>>}
+ */
+ afterPass(options) {
+ const expression = `(function () {
+ ${libDetectorSource};
+ return (${detectLibraries.toString()}());
+ })()`;
+
+ return options.driver
+ .evaluateAsync(expression)
+ .then(libraries => {
+ // add vulns to raw libraries results
+ const vulns = [];
+ for (const i in libraries) {
+ if (snykDB.npm[libraries[i].npmPkgName]) {
+ const snykInfo = snykDB.npm[libraries[i].npmPkgName];
+ for (const j in snykInfo) {
+ if (semver.satisfies(libraries[i].version, snykInfo[j].semver.vulnerable[0])) {
+ // valid vulnerability
+ vulns.push({
+ severity: snykInfo[j].severity,
+ library: libraries[i].name + '@' + libraries[i].version,
+ url: 'https://snyk.io/vuln/' + snykInfo[j].id
+ });
+ }
+ }
+ libraries[i].vulns = vulns;
+ }
+ }
+ return {libraries};
+ })
+ .then(returnedValue => {
+ return returnedValue;
+ });
+ }
+}
+
+module.exports = JSVulnerableLibraries;
diff --git a/package.json b/package.json
@@ -81,14 +81,15 @@
  "gl-matrix": "2.3.2",
  "handlebars": "4.0.5",
  "jpeg-js": "0.1.2",
+ "js-library-detector": "^2.11.0",
  "json-stringify-safe": "5.0.1",
  "lighthouse-logger": "^1.0.0",
  "marked": "0.3.6",
  "metaviewport-parser": "0.0.1",
  "mkdirp": "0.5.1",
  "opn": "4.0.2",
  "rimraf": "2.2.8",
- "semver": "5.3.0",
+ "semver": "^5.3.0",
  "speedline": "1.2.0",
  "update-notifier": "^2.1.0",
  "whatwg-url": "4.0.0",

diff --git a/third-party/snyk-snapshot.json b/third-party/snyk-snapshot.json