Node CVE Security Scanning (#287)

* Create allow-list.xml Creating the file allow-list.xml to work with the new node action with DependencyCheck * Update allow-list.xml * Create new cve-scanning-node.yml to work with DependencyCheck This new cve-scanning-node.yml will now run on push, work with allow-list.xml and DependencyCheck to scan for CVE'S and it will upload a report.
finos · Aug 25, 2023 · b35c041 · b35c041
1 parent 015b208
commit b35c041
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 25 deletions.
diff --git a/.github/workflows/cve-scanning-node.yml b/.github/workflows/cve-scanning-node.yml
@@ -1,36 +1,38 @@
 name: CVE Scanning for Node.js
 
 on:
-  schedule:
-    - cron: '0 8,18 * * 1-5'
   push:
-    paths:
-      - 'node/package.json'
-      - 'node/package-lock.json'
-      - 'node/allow-list.json'
-      - '.github/workflows/cve-scanning-node.yml'
-  pull_request:
-    paths:
-      - 'package.json'
-      - 'package-lock.json'
-      - 'allow-list.json'
-      - '.github/workflows/cve-scanning-node.yml'
 
 jobs:
-  scan:
+  node-modules-scan:
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        node-version: [18.x]
     steps:
-      - uses: actions/checkout@v3
-      - name: Use Node.js ${{ matrix.node-version }}
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Set up Node
         uses: actions/setup-node@v3
         with:
-          node-version: ${{ matrix.node-version }}
-      - run: npm ci --prod
-        working-directory: node
-#       - run: yarn install --production --frozen-lockfile
-#         working-directory: node
-      - run: npx --yes auditjs ossi --whitelist allow-list.json
+          node-version: 18
+      - name: Build project with NPM
+        run: npm install --omit=dev
         working-directory: node
+      - name: Depcheck
+        uses: dependency-check/Dependency-Check_Action@main
+        id: Depcheck
+        with:
+          project: 'node'
+          path: 'node'
+          format: 'HTML'
+          out: 'reports'
+          args: >
+            --suppression ./node/allow-list.xml
+            --nodeAuditSkipDevDependencies
+            --nodePackageSkipDevDependencies
+            --failOnCVSS 5
+            --enableRetired
+      - name: Upload Test results
+        if: ${{ always() }}
+        uses: actions/upload-artifact@v2
+        with:
+          name: Depcheck report
+          path: ${{ github.workspace }}/reports
diff --git a/node/allow-list.xml b/node/allow-list.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions
+    xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress>
+        <notes>
+            <![CDATA[
+        Testing false positives by suppressing a CVE
+        ]]>
+        </notes>
+        <filePath regex="true">.*\bis_js:0\.9\.0</filePath>
+        <cve>CVE-2020-26302</cve>
+    </suppress>
+    <suppress>
+        <notes>
+            <![CDATA[
+        Testing false positives by suppressing a CVE
+        ]]>
+        </notes>
+        <filePath regex="true">.*\bsemver:7\.5\.1</filePath>
+        <cve>CVE-2022-25883</cve>
+    </suppress>
+    <suppress>
+        <notes>
+            <![CDATA[
+        Testing false positives by suppressing a CVE
+        ]]>
+        </notes>
+        <packageUrl regex="true">^pkg:npm/is_js@.*$</packageUrl>
+        <vulnerabilityName>GHSA-pvrw-g6fx-mcx2</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>
+            <![CDATA[
+        Testing false positives by suppressing a CVE
+        ]]>
+        </notes>
+        <packageUrl regex="true">^pkg:npm/semver@.*$</packageUrl>
+        <vulnerabilityName>GHSA-c2qf-rxjj-qqgw</vulnerabilityName>
+    </suppress>
+</suppressions>